Best practice rules for Amazon EC2
Amazon Elastic Compute Cloud (EC2) provides on-demand compute capacity that can be tailored to meet your specific system requirements. EC2 servers can be configured and launched in a matter of minutes, allowing customers to scale up and down as usage requirements change.
- AMI Naming Conventions
Follow proper naming conventions for Amazon Machine Images.
- AWS AMI Encryption
Ensure that your existing AMIs are encrypted to meet security and compliance requirements.
- Account Instance Limit
Ensure that your AWS account has not reached the limit set for the number of EC2 instances.
- Allowed AMIs Feature in Use
Ensure that the Allowed AMIs feature is enabled in Amazon EC2.
- App-Tier EC2 Instance Using IAM Roles
Ensure that your app-tier EC2 instances are using IAM roles to grant permissions to applications running on these instances.
- App-Tier Publicly Shared AMI
Ensure app-tier AMIs aren't publicly shared to avoid exposing sensitive data.
- Approved/Golden AMIs
Ensure that all EC2 instances are launched from your approved AMIs.
- Blocklisted AMIs
Ensure no EC2 instance is launched from any blocklisted AMIs.
- Default Security Group Unrestricted
Ensure the default security group of every VPC restricts all traffic.
- Default Security Groups In Use
Ensure default security groups aren't in use. Instead, create unique security groups to better adhere to the principle of least privilege.
- Descriptions for Security Group Rules
Ensure AWS EC2 security group rules have descriptive text for organization and documentation.
- Desired Instance Type(s)
Ensure that your Amazon EC2 instances are of a given instance type (e.g., c5.large).
- Disable Public IP Address Assignment for EC2 Instances
Ensure that Amazon EC2 instances are not using public IP addresses.
- EC2 AMI Too Old
Ensure EC2 Amazon Machine Images (AMIs) aren't too old.
- EC2 Hibernation
Enable hibernation as an additional stop behavior for your EC2 instances backed by Amazon EBS in order to reduce the time it takes for these instances to return to service at restart.
- EC2 Instance Dedicated Tenancy
Ensure that dedicated EC2 instances are regularly reviewed.
- EC2 Instance Detailed Monitoring
Ensure that detailed monitoring is enabled for the AWS EC2 instances that you need to monitor closely.
- EC2 Instance Generation
Ensure you always use the latest generation of EC2 instances to get better performance at lower cost.
- EC2 Instance In VPC
Ensure EC2 instances are launched using the EC2-VPC platform instead of the outdated EC2-Classic platform.
- EC2 Instance Naming Conventions
Follow proper naming conventions for EC2 instances.
- EC2 Instance Not In Public Subnet
Ensure that no backend EC2 instances are provisioned in public subnets.
- EC2 Instance Scheduled Events
Identify any AWS EC2 instances that have scheduled events and take action to resolve them.
- EC2 Instance Security Group Rules Counts
Determine if there is a large number of security group rules applied to an instance.
- EC2 Instance Tenancy
Ensure that EC2 instances have the desired tenancy for compliance and regulatory requirements.
- EC2 Instance Termination Protection
Ensure the termination protection safety feature is enabled for EC2 instances that aren't part of ASGs.
- EC2 Instance Too Old
Ensure EC2 instances aren't too old.
- EC2 Instance Using IAM Roles
Ensure that IAM roles are used to grant EC2 instances access to AWS resources.
- EC2 Instances Scanned by Amazon Inspector Classic
Ensure that all Amazon EC2 instances are successfully scanned by an Inspector Classic assessment run.
- EC2 Instances with Multiple Elastic Network Interfaces
Ensure that Amazon EC2 instances are not using multiple ENIs.
- EC2 Instances with Public IP Addresses or Available in Public Subnets
Ensure no backend EC2 instances are running in public subnets or have public IP addresses.
- EC2 Instances with Unapproved Instance Types
Ensure there are no Amazon EC2 instances with unapproved instance types.
- EC2 Reserved Instance Coverage
Ensure that your Amazon EC2 usage is covered by EC2 reservations in order to optimize costs.
- EC2 Security Group Port Range
Ensure there are no EC2 security groups that open a range of ports to allow incoming traffic.
- EC2-Classic Elastic IP Address Limit (Deprecated)
Determine if the number of allocated EC2-Classic EIPs per region is close to the Elastic IP address limit.
- EC2-VPC Elastic IP Address Limit
Determine if the number of allocated EC2-VPC EIPs per region is close to the Elastic IP address limit.
- Enable Capacity Rebalancing
Ensure that Capacity Rebalancing is enabled for your Amazon Auto Scaling Groups.
- Idle EC2 Instance
Identify any Amazon EC2 instances that appear to be idle and stop or terminate them to help lower the cost of your monthly AWS bill.
- Instance In Auto Scaling Group
Ensure every EC2 instance is launched inside an Auto Scaling Group (ASG) in order to follow AWS reliability and security best practices.
- Overutilized AWS EC2 Instances
Identify any Amazon EC2 instances that appear to be overutilized and upgrade (resize) them so that your EC2-hosted applications can handle the workload better and improve response time.
- Publicly Shared AMI
Ensure that your AMIs are not accessible to all AWS cloud accounts.
- Require IMDSv2 for EC2 Instances
Ensure that IMDSv2 is enforced for all your Amazon EC2 instances.
- Reserved Instance Expiration
Ensure that Amazon EC2 Reserved Instances (RI) are renewed before expiration.
- Reserved Instance Lease Expiration In The Next 30 Days
Ensure Amazon EC2 Reserved Instances (RI) are renewed before expiration.
- Reserved Instance Lease Expiration In The Next 7 Days
Ensure Amazon EC2 Reserved Instances (RI) are renewed before expiration.
- Reserved Instance Payment Pending Purchases
Ensure that none of your Amazon EC2 Reserved Instance purchases are pending.
- Reserved Instance Purchase State
Ensure that none of your Amazon EC2 Reserved Instance purchases have failed.
- Review Reserved Instance Purchases
Ensure that Reserved Instance purchases are regularly reviewed for cost optimization (informational).
- Security Group Excessive Counts
Determine if there is an excessive number of security groups per region.
- Security Group Large Counts
Determine if there is a large number of security groups per region.
- Security Group Name Prefixed With 'launch-wizard'
Ensure no Amazon EC2 security group name is prefixed with 'launch-wizard'.
- Security Group Naming Conventions
Follow proper naming conventions for security groups.
- Security Group Rules Counts
Determine if there is a large number of rules in a security group.
- SecurityGroup RFC 1918
Ensure no Amazon EC2 security group contains RFC 1918 CIDRs.
- Unassociated IP Addresses
Identify and remove any unassociated Elastic IP (EIP) and Carrier IP addresses for cost optimization.
- Underutilized EC2 Instance
Identify underutilized EC2 instances and downsize them in order to optimize your AWS costs.
- Unrestricted CIFS Access
Ensure that no security group allows unrestricted inbound access on TCP port 445 (Common Internet File System – CIFS).
- Unrestricted DNS Access
Ensure that no security group allows unrestricted inbound access on TCP and UDP port 53 (Domain Name System – DNS).
- Unrestricted FTP Access
Ensure that no security group allows unrestricted inbound access on TCP ports 20 and 21 (File Transfer Protocol – FTP).
- Unrestricted HTTP Access
Ensure no security group allows unrestricted inbound access to TCP port 80 (HTTP).
- Unrestricted HTTPS Access
Ensure no security group allows unrestricted inbound access to TCP port 443 (HTTPS).
- Unrestricted ICMP Access
Ensure no security group allows unrestricted inbound access to ICMP.
- Unrestricted MSSQL Database Access
Ensure that no security group allows unrestricted inbound access on TCP port 1433 (Microsoft SQL Server – MSSQL).
- Unrestricted Memcached Access
Ensure that no security group allows unrestricted inbound access on TCP/UDP port 11211 (Memcached).
- Unrestricted MongoDB Access
Ensure no security group allows unrestricted inbound access to MongoDB port 27017.
- Unrestricted MySQL Database Access
Ensure that no security group allows unrestricted inbound access on TCP port 3306 (MySQL/Aurora).
- Unrestricted NetBIOS Access
Ensure that no security group allows unrestricted inbound access on TCP port 139 and UDP ports 137 and 138 (NetBIOS).
- Unrestricted OpenSearch Access
Ensure no security group allows unrestricted inbound access to TCP port 9200 (OpenSearch).
- Unrestricted Oracle Database Access
Ensure that no security group allows unrestricted inbound access on TCP port 1521 (Oracle RDS).
- Unrestricted Outbound Access
Ensure that no Amazon EC2 security group allows unrestricted outbound access.
- Unrestricted PostgreSQL Database Access
Ensure that no security group allows unrestricted inbound access on TCP port 5432 (PostgreSQL).
- Unrestricted RDP Access
Ensure that no security group allows unrestricted inbound access on TCP port 3389 (Remote Desktop Protocol – RDP).
- Unrestricted RPC Access
Ensure that no security group allows unrestricted inbound access on TCP port 135 (RPC).
- Unrestricted Redis Cache Access
Ensure that no security group allows unrestricted inbound access on TCP port 6379 (Redis).
- Unrestricted SMTP Access
Ensure that no security group allows unrestricted inbound access on TCP port 25 (Simple Mail Transfer Protocol – SMTP).
- Unrestricted SSH Access
Ensure that no security group allows unrestricted inbound access on TCP port 22 (Secure Shell – SSH).
- Unrestricted Security Group Ingress on Uncommon Ports
Ensure no Amazon EC2 security groups allow unrestricted inbound access.
- Unrestricted Telnet Access
Ensure that no security group allows unrestricted inbound access on TCP port 23 (Telnet).
- Unused AWS EC2 Key Pairs
Ensure unused AWS EC2 key pairs are decommissioned to follow AWS security best practices.
- Unused Amazon Machine Images
Identify and remove unused Amazon Machine Images (AMIs) to optimize your AWS costs.
- Unused EC2 Reserved Instances
Ensure that your Amazon EC2 Reserved Instances are being fully utilized.
- Unused Elastic Network Interfaces
Identify and delete any unused Elastic Network Interfaces.
- Web-Tier EC2 Instance Using IAM Roles
Ensure that web-tier EC2 instances use IAM instance roles to access AWS resources.
- Web-Tier Publicly Shared AMI
Ensure web-tier AMIs aren't publicly shared to avoid exposing sensitive data.
- vCPU-Based EC2 Instance Limit
Ensure that your EC2 instances do not reach the limit set by AWS for the number of vCPUs.