Kawach Support

IAM

IAM - Enable User MFA Ensures that multi-factor authentication is enabled for IAM users to enhance account security.
IAM - Enforce Key Rotation Ensures that IAM access keys are rotated regularly to reduce the risk of credential compromise.
IAM - Enforce Active Key Limit Limits the number of active access keys per IAM user to minimize security risks.
IAM - Disable Unused User Credentials Identifies and disables unused IAM credentials to enhance account security.
IAM - Enforce Group Permission Ensures that permissions are assigned through IAM groups instead of directly to users.
IAM - Enforce Password Length Ensures that IAM password policies enforce a strong minimum password length.
IAM - Prohibit Password Reuse Prevents IAM users from reusing previous passwords to strengthen account security.
IAM - Check Root Access Keys Existence Ensures that root account access keys do not exist to prevent unauthorized usage.
IAM - Enable Root MFA Ensures that multi-factor authentication is enabled for the AWS root account.
IAM - Establish Support Role Ensures that a dedicated IAM role is created to securely manage AWS Support access.
IAM - Enable Key Rotation Ensures that access keys are automatically rotated to maintain strong security practices.
Purge Expired Certificates Identifies and removes expired SSL/TLS certificates stored in AWS IAM to maintain secure communications.

Storage

EC2 Volume – Enable EBS Volume Backup Ensures that Amazon EBS volumes are regularly backed up to prevent data loss and support disaster recovery.
EC2 Volume – Enable EBS Encryption Ensures that Amazon EBS volumes are encrypted to protect data at rest and meet security best practices.
EFS – Enable EFS Storage Backup Ensures that Amazon EFS file systems are backed up to safeguard critical data and enable recovery.
S3 Bucket – Enable S3 Bucket Versioning Enables versioning on S3 buckets to preserve, retrieve, and restore previous versions of objects.
S3 Bucket – Enable S3 Bucket Encryption Ensures that server-side encryption is enabled on S3 buckets to secure data at rest.
S3 Bucket – Block S3 Bucket Public Access Ensures that public access to S3 buckets is blocked to protect sensitive data from unauthorized exposure.
RDS DB Instance – Encryption of Storage Ensures that RDS storage is encrypted to protect sensitive data at rest.
RDS DB Instance – Enable Deletion Protection Prevents accidental deletion of RDS instances by enabling deletion protection.
RDS DB Instance – Enable Auto Minor Version Upgrade Ensures that RDS instances automatically receive minor engine updates for improved security and stability.
DynamoDB Table – Enable Table Encryption Ensures that DynamoDB tables are encrypted to secure sensitive data at rest.
DynamoDB Table – Enable Table Point In Time Recovery Enables point-in-time recovery for DynamoDB tables to restore data in case of accidental modifications or deletions.
DynamoDB Table – Enable Table Deletion Protection Prevents accidental deletion of DynamoDB tables by enabling deletion protection.

Monitoring

EC2 Instance – Monitor CPU Utilization Monitors EC2 CPU utilization to ensure optimal performance and timely resource scaling.
ECS Service – Monitor CPU Utilization Monitors CPU utilization of ECS services to maintain application performance and efficiency.
ECS Service – Monitor Memory Utilization Tracks memory usage of ECS services to prevent resource exhaustion and ensure stability.
RDS DB Instance – Monitor Free Storage Space Monitors available storage on RDS instances to prevent service disruptions due to low disk space.
RDS DB Instance – Monitor CPU Utilization Tracks CPU utilization of RDS instances to ensure optimal database performance.
SQS Queue – Monitor Message Age Monitors the age of messages in SQS queues to identify processing delays and bottlenecks.
SQS Queue – Monitor Message Visibility Tracks message visibility metrics to ensure efficient processing and prevent duplicate consumption.
DynamoDB Table – Monitor Table Read Capacity Monitors read capacity utilization to ensure optimal performance and prevent throttling.
DynamoDB Table – Monitor Table Write Capacity Tracks write capacity utilization to maintain performance and avoid throttling.
DynamoDB Table – Monitor Table Latency Monitors DynamoDB latency to ensure fast and reliable database performance.

Logging

Enable CloudTrail Ensures that AWS CloudTrail is enabled to log and monitor account activity for auditing and compliance.
Encrypt CloudTrail Logs Ensures that CloudTrail logs are encrypted to protect sensitive audit data.
EC2 VPC – Ensure Flow Logs are Enabled Ensures that VPC Flow Logs are enabled to capture network traffic for monitoring and security analysis.

Networking

RDS DB Instance – Block Public Access Prevents RDS instances from being publicly accessible to reduce the risk of unauthorized access.

Compute

EC2 Instance – Enable Deletion Protection Prevents accidental termination of EC2 instances by enabling deletion protection.
ECS Service – Enable Auto Scaling Ensures that ECS services have auto scaling enabled to handle workload fluctuations and maintain high availability.

Security

Enable AWS Security Hub Ensures that AWS Security Hub is enabled to centralize and manage security findings.
Enable GuardDuty Ensures that Amazon GuardDuty is enabled to detect threats and continuously monitor AWS environments.

Checks for AWS

IAM

Storage

Monitoring

Logging

Networking

Compute

Security