7.1 [extra71] Ensure users of groups with AdministratorAccess policy have MFA tokens enabled (Not Scored) (Not part of CIS benchmark)
7.3 [extra73] Ensure there are no S3 buckets open to the Everyone or Any AWS user (Not Scored) (Not part of CIS benchmark)
7.4 [extra74] Ensure there are no Security Groups without ingress filtering being used (Not Scored) (Not part of CIS benchmark)
7.5 [extra75] Ensure there are no Security Groups not being used (Not Scored) (Not part of CIS benchmark)
7.6 [extra76] Ensure there are no EC2 AMIs set as Public (Not Scored) (Not part of CIS benchmark)
7.7 [extra77] Ensure there are no ECR repositories set as Public (Not Scored) (Not part of CIS benchmark)
7.8 [extra78] Ensure there are no Public Accessible RDS instances (Not Scored) (Not part of CIS benchmark)
7.9 [extra79] Check for internet facing Elastic Load Balancers (Not Scored) (Not part of CIS benchmark)
7.11 [extra711] Check for Publicly Accessible Redshift Clusters (Not Scored) (Not part of CIS benchmark)
7.12 [extra712] Check if Amazon Macie is enabled (Not Scored) (Not part of CIS benchmark)
7.14 [extra714] Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark)
7.15 [extra715] Check if Amazon Elasticsearch Service (ES) domains have logging enabled
7.16 [extra716] Check if Amazon Elasticsearch Service (ES) domains are set as Public or have an open access policy
7.17 [extra717] Check if Elastic Load Balancers have logging enabled (Not Scored) (Not part of CIS benchmark)
7.18 [extra718] Check if S3 buckets have server access logging enabled (Not Scored) (Not part of CIS benchmark)
7.19 [extra719] Check if Route53 public hosted zones are logging queries to CloudWatch Logs (Not Scored) (Not part of CIS benchmark)
7.20 [extra720] Check if Lambda function Invoke API operations are being recorded by CloudTrail (Not Scored) (Not part of CIS benchmark)
7.21 [extra721] Check if Redshift cluster has audit logging enabled (Not Scored) (Not part of CIS benchmark)
7.22 [extra722] Check if API Gateway has logging enabled (Not Scored) (Not part of CIS benchmark)
7.24 [extra724] Check if ACM certificates have Certificate Transparency logging enabled (Not Scored) (Not part of CIS benchmark)
7.25 [extra725] Check if S3 buckets have Object-level logging enabled in CloudTrail (Not Scored) (Not part of CIS benchmark)
7.26 [extra726] Check Trusted Advisor for errors and warnings (Not Scored) (Not part of CIS benchmark)
7.27 [extra727] Check if SQS queues have policy set as Public (Not Scored) (Not part of CIS benchmark)
7.28 [extra728] Check if SQS queues have Server Side Encryption enabled (Not Scored) (Not part of CIS benchmark)
7.30 [extra730] Check if ACM Certificates are about to expire in 7 days or less (Not Scored) (Not part of CIS benchmark)
7.31 [extra731] Check if SNS topics have policy set as Public (Not Scored) (Not part of CIS benchmark)
7.32 [extra732] Check if Geo restrictions are enabled in CloudFront distributions (Not Scored) (Not part of CIS benchmark)
7.33 [extra733] Check if there are SAML providers, so that STS can be used instead of long-lived IAM user credentials (Not Scored) (Not part of CIS benchmark)
7.34 [extra734] Check if S3 buckets have default encryption (SSE) enabled or use a bucket policy to enforce it (Not Scored) (Not part of CIS benchmark)
7.35 [extra735] Check if RDS instances storage is encrypted (Not Scored) (Not part of CIS benchmark)
7.36 [extra736] Check exposed KMS keys (Not Scored) (Not part of CIS benchmark)
7.37 [extra737] Check KMS keys with key rotation disabled (Not Scored) (Not part of CIS benchmark)
7.38 [extra738] Check if CloudFront distributions are set to HTTPS (Not Scored) (Not part of CIS benchmark)
7.39 [extra739] Check if RDS instances have backup enabled (Not Scored) (Not part of CIS benchmark)
7.40 [extra740] Check if EBS snapshots are encrypted (Not Scored) (Not part of CIS benchmark)
7.41 [extra741] Find secrets in EC2 User Data (Not Scored) (Not part of CIS benchmark)
7.42 [extra742] Find secrets in CloudFormation outputs (Not Scored) (Not part of CIS benchmark)
7.43 [extra743] Check if API Gateway has a client certificate enabled to access your backend endpoint (Not Scored) (Not part of CIS benchmark)
7.44 [extra744] Check if API Gateway has a WAF ACL attached (Not Scored) (Not part of CIS benchmark)
7.45 [extra745] Check if API Gateway endpoint is public or private (Not Scored) (Not part of CIS benchmark)
7.46 [extra746] Check if API Gateway has configured authorizers (Not Scored) (Not part of CIS benchmark)
7.47 [extra747] Check if RDS instances are integrated with CloudWatch Logs (Not Scored) (Not part of CIS benchmark)
7.49 [extra749] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Oracle ports 1521 or 2483 (Not Scored) (Not part of CIS benchmark)
7.50 [extra750] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to MySQL port 3306 (Not Scored) (Not part of CIS benchmark)
7.51 [extra751] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Postgres port 5432 (Not Scored) (Not part of CIS benchmark)
7.52 [extra752] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Redis port 6379 (Not Scored) (Not part of CIS benchmark)
7.53 [extra753] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to MongoDB ports 27017 and 27018 (Not Scored) (Not part of CIS benchmark)
7.54 [extra754] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Cassandra ports 7199 or 9160 or 8888 (Not Scored) (Not part of CIS benchmark)
7.55 [extra755] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Memcached port 11211 (Not Scored) (Not part of CIS benchmark)
7.57 [extra757] Check EC2 Instances older than 6 months (Not Scored) (Not part of CIS benchmark)
7.58 [extra758] Check EC2 Instances older than 12 months (Not Scored) (Not part of CIS benchmark)
7.62 [extra762] Find obsolete Lambda runtimes (Not Scored) (Not part of CIS benchmark)
7.63 [extra763] Check if S3 buckets have object versioning enabled (Not Scored) (Not part of CIS benchmark)
7.65 [extra765] Check if ECR image scan on push is enabled (Not Scored) (Not part of CIS benchmark)
7.67 [extra767] Check if CloudFront distributions have Field Level Encryption enabled (Not Scored) (Not part of CIS benchmark)
7.68 [extra768] Find secrets in ECS task definitions variables (Not Scored) (Not part of CIS benchmark)
7.69 [extra769] Check if IAM Access Analyzer is enabled and its findings (Not Scored) (Not part of CIS benchmark)
7.70 [extra770] Check for internet facing EC2 instances with Instance Profiles attached (Not Scored) (Not part of CIS benchmark)
7.71 [extra771] Check if S3 buckets have policies which allow WRITE access (Not Scored) (Not part of CIS benchmark)
7.72 [extra772] Check if elastic IPs are unused (Not Scored) (Not part of CIS benchmark)
7.73 [extra773] Check if CloudFront distributions are using WAF (Not Scored) (Not part of CIS benchmark)
7.74 [extra774] Ensure credentials unused for 30 days or greater are disabled
7.75 [extra775] Find secrets in EC2 Auto Scaling Launch Configuration (Not Scored) (Not part of CIS benchmark)
7.76 [extra776] Check if ECR image scan found vulnerabilities in the newest image version (Not Scored) (Not part of CIS benchmark)
7.77 [extra777] Find VPC security groups with many ingress or egress rules (Not Scored) (Not part of CIS benchmark)
7.78 [extra778] Find VPC security groups with wide-open public IPv4 CIDR ranges (non-RFC1918) (Not Scored) (Not part of CIS benchmark)
7.79 [extra779] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Elasticsearch/Kibana ports
7.80 [extra780] Check if Amazon Elasticsearch Service (ES) domains have Amazon Cognito authentication for Kibana enabled
7.83 [extra783] Check if Amazon Elasticsearch Service (ES) domains have Enforce HTTPS enabled
7.84 [extra784] Check if Amazon Elasticsearch Service (ES) domains have the internal user database enabled
7.85 [extra785] Check if Amazon Elasticsearch Service (ES) domains have updates available
7.87 [extra787] Check connection and authentication for Internet exposed Elasticsearch/Kibana ports
7.88 [extra788] Check connection and authentication for Internet exposed Amazon Elasticsearch Service (ES) domains
7.91 [extra791] Check if CloudFront distributions are using deprecated SSL protocols
7.92 [extra792] Check if Elastic Load Balancers have insecure SSL ciphers (Not Scored) (Not part of CIS benchmark)
7.93 [extra793] Check if Elastic Load Balancers have SSL listeners (Not Scored) (Not part of CIS benchmark)
7.94 [extra794] Ensure EKS Control Plane Audit Logging is enabled for all log types
7.95 [extra795] Ensure EKS Clusters are created with Private Endpoint Enabled and Public Access Disabled
7.96 [extra796] Restrict Access to the EKS Control Plane Endpoint
7.97 [extra797] Ensure Kubernetes Secrets are encrypted using Customer Master Keys (CMKs)
7.99 [extra799] Check if Security Hub is enabled and its standard subscriptions
7.100 [extra7100] Ensure that no custom policies exist which allow permissive role assumption (e.g. sts:AssumeRole on *)

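The security-group checks above (extra749 through extra755, and extra779) all reduce to the same question: does any ingress rule reach one of the listed ports from 0.0.0.0/0 or ::/0? The following is an added Python example, not Prowler's own code. It evaluates the dict shape that boto3's `ec2.describe_security_groups()` returns under `SecurityGroups`, so it runs offline against the constructed sample below; in real use you would pass that list in. Elasticsearch 9200/9300 and Kibana 5601 are assumed for extra779, which names no port numbers.

```python
"""Flag security groups whose ingress rules expose the database and search
ports named in the checks above (extra749 to extra755, extra779) to the world.

Added example, not Prowler's own code. Input is the "SecurityGroups" list in
the shape boto3's ec2.describe_security_groups() returns; sample is constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# extra779 names no port numbers; Elasticsearch 9200/9300 and Kibana 5601 are assumed.
EXPOSED_PORTS: Dict[str, List[int]] = {
    "Oracle": [1521, 2483],
    "MySQL": [3306],
    "PostgreSQL": [5432],
    "Redis": [6379],
    "MongoDB": [27017, 27018],
    "Cassandra": [7199, 9160, 8888],
    "Memcached": [11211],
    "Elasticsearch/Kibana": [9200, 9300, 5601],
}
ANY_IPV4, ANY_IPV6 = "0.0.0.0/0", "::/0"


@dataclass(frozen=True)
class Finding:
    group_id: str
    service: str
    port: int
    cidr: str


def _rule_covers_port(rule: dict, port: int) -> bool:
    """True if one IpPermissions entry reaches `port` over TCP."""
    proto = rule.get("IpProtocol")
    if proto == "-1":               # "all traffic": FromPort/ToPort are absent
        return True
    if proto not in ("tcp", "6"):   # every listed service is TCP-only
        return False
    lo, hi = rule.get("FromPort"), rule.get("ToPort")
    return lo is not None and hi is not None and lo <= port <= hi


def _world_cidrs(rule: dict) -> List[str]:
    """Sources in the rule that mean 'anyone', IPv4 and IPv6 alike."""
    v4 = [r["CidrIp"] for r in rule.get("IpRanges", []) if r.get("CidrIp") == ANY_IPV4]
    v6 = [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", []) if r.get("CidrIpv6") == ANY_IPV6]
    return v4 + v6


def find_world_open_ports(security_groups: Iterable[dict]) -> List[Finding]:
    """One Finding per (group, listed port, world CIDR); overlapping rules are deduplicated."""
    found = set()
    for sg in security_groups:
        for rule in sg.get("IpPermissions", []):
            cidrs = _world_cidrs(rule)
            if not cidrs:
                continue
            for service, ports in EXPOSED_PORTS.items():
                for port in ports:
                    if _rule_covers_port(rule, port):
                        found.update(Finding(sg["GroupId"], service, port, c) for c in cidrs)
    return sorted(found, key=lambda f: (f.group_id, f.port, f.cidr))


# Constructed sample in describe_security_groups() shape; group ids are placeholders.
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "db-public",     # MySQL from anywhere, v4 and v6
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "wide-range",    # 5000-7000 covers 5432, 5601, 6379
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5000, "ToPort": 7000,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0a1b2c3d4e5f60003", "GroupName": "db-internal",   # RFC1918 sources only: clean
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                        "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
                       {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0a1b2c3d4e5f60004", "GroupName": "allow-all",     # all traffic from anywhere
     "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]

if __name__ == "__main__":
    for f in find_world_open_ports(SAMPLE_SECURITY_GROUPS):
        print(f"{f.group_id}: {f.service} port {f.port} open to {f.cidr}")
```

Two things the per-port wording of the checks hides: a rule for a wide port range (5000-7000 above) or for "all traffic" (`IpProtocol` of `-1`, which carries no port fields at all) exposes the service just as much as a rule written for the exact port, so the matcher has to treat both as hits. A group that is only open to RFC1918 space is not a finding here; extra778 covers wide public ranges that are not literally 0.0.0.0/0.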
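Several of the policy checks above (extra73, extra727, extra731, extra736, extra771) look for the same thing in a resource policy: an Allow statement whose principal is `*`, optionally narrowed by a Condition, and for S3 whether the granted actions include writes. extra7100 looks at identity policies for `sts:AssumeRole` allowed on `Resource: "*"`. The following is an added Python example, not Prowler's own code. It takes a parsed policy JSON document as a dict; the sample policies, account id and ARNs are constructed placeholders, and `NotAction`/`NotPrincipal` are deliberately not handled.

```python
"""Two policy-document patterns behind several checks above: an Allow statement
with a wildcard principal (public S3/SQS/SNS policies, exposed KMS keys) and
sts:AssumeRole allowed on Resource "*" (extra7100).

Added example, not Prowler's own code. Input is a parsed policy JSON document
(dict); the sample policies below are constructed placeholders.
"""
import fnmatch
from typing import Any, Dict, List

# Actions that make a public S3 bucket policy a WRITE exposure (extra771).
S3_WRITE_ACTIONS = ("s3:PutObject", "s3:DeleteObject", "s3:PutObjectAcl",
                    "s3:PutBucketPolicy", "s3:PutBucketAcl")


def _as_list(value: Any) -> list:
    """Policy JSON allows a scalar or a list in most positions; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(stmt: dict) -> List[str]:
    """Flatten Principal: "*" or {"AWS": [...], "Service": [...], ...}."""
    p = stmt.get("Principal")
    if isinstance(p, dict):
        return [v for values in p.values() for v in _as_list(values)]
    return _as_list(p)


def _grants_action(stmt: dict, wanted: str) -> bool:
    """Does an Action entry such as "s3:*", "sts:*" or "*" cover `wanted`?
    IAM action matching is case-insensitive. NotAction is not handled here."""
    return any(fnmatch.fnmatchcase(wanted.lower(), pat.lower())
               for pat in _as_list(stmt.get("Action")))


def public_statements(policy: dict) -> List[Dict[str, Any]]:
    """Allow statements anyone can use. A Condition (e.g. aws:SourceArn) may
    narrow the grant, so it is reported rather than silently trusted."""
    found = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or "*" not in _principals(stmt):
            continue
        found.append({
            "sid": stmt.get("Sid"),
            "actions": _as_list(stmt.get("Action")),
            "conditional": bool(stmt.get("Condition")),
            "s3_write": any(_grants_action(stmt, a) for a in S3_WRITE_ACTIONS),
        })
    return found


def permissive_assume_role(policy: dict) -> bool:
    """True when an Allow statement lets sts:AssumeRole (directly, via sts:*
    or via *) target Resource "*": every role whose trust policy admits this
    principal becomes reachable, not just the ones the author had in mind."""
    for stmt in _as_list(policy.get("Statement")):
        if (stmt.get("Effect") == "Allow"
                and _grants_action(stmt, "sts:AssumeRole")
                and "*" in _as_list(stmt.get("Resource"))):
            return True
    return False


# Constructed sample policies; the account id and ARNs are placeholders.
PUBLIC_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "PublicWrite", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:PutObject", "s3:DeleteObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
]}
EXPOSED_KMS_POLICY = {"Version": "2012-10-17", "Statement":    # single statement written as a dict
    {"Sid": "Exposed", "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "kms:*", "Resource": "*"}}
CONDITIONAL_SQS_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "FromTopic", "Effect": "Allow", "Principal": "*", "Action": "sqs:SendMessage",
     "Resource": "arn:aws:sqs:us-east-1:123456789012:orders",
     "Condition": {"ArnEquals": {"aws:SourceArn": "arn:aws:sns:us-east-1:123456789012:orders"}}},
]}
DENY_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
]}
SCOPED_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "arn:aws:iam::123456789012:role/ReadOnly"},
]}
PERMISSIVE_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:*", "Resource": "*"},
]}

if __name__ == "__main__":
    for name, pol in (("bucket", PUBLIC_BUCKET_POLICY), ("kms", EXPOSED_KMS_POLICY), ("sqs", CONDITIONAL_SQS_POLICY)):
        print(name, public_statements(pol))
    print("permissive assume-role:", permissive_assume_role(PERMISSIVE_ROLE_POLICY))
```

The `conditional` flag matters in practice: an SQS or SNS policy with `Principal: "*"` plus an `aws:SourceArn` condition is the standard way to let one AWS service deliver to the queue or topic, so a tool that reports every wildcard principal as "public" produces noise, while one that ignores any statement with a Condition misses policies whose condition does not actually restrict the caller. Report both and let the reviewer read the condition. A `Deny` with `Principal: "*"` (the usual "require TLS" statement) is not an exposure and is skipped.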