Tenable AWS Best Practice Audit

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

Audit Details

Name: Tenable AWS Best Practice Audit

Updated: 1/13/2020

Authority: TNS

Plugin: amazon_aws

Revision: 1.32

Estimated Item Count: 205

Audit Changelog

Revision 1.32

Jan 13, 2020

Miscellaneous
  • Audit deprecated.
  • Metadata updated.
Revision 1.31

Oct 14, 2019

Informational Update
  • IAM: GetAccountSummary - 'Groups'
  • IAM: GetAccountSummary - 'GroupsQuota <= 100'
  • IAM: GetAccountSummary - 'Roles'
  • IAM: GetAccountSummary - 'RolesQuota'
  • IAM: GetAccountSummary - 'Users'
  • IAM: GetAccountSummary - 'UsersQuota'
Revision 1.30

Oct 2, 2019

Functional Update
  • MONITORING: metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs - 'alarm exists'
  • MONITORING: metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs - 'metric filter exists'
  • MONITORING: metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs - 'subscription exists'
Revision 1.29

Feb 15, 2019

Miscellaneous
  • See also link updated.
Revision 1.28

Jan 29, 2019

Miscellaneous
  • Metadata updated.
  • References updated.
Revision 1.27

Dec 12, 2018

Informational Update
  • Bootstrapping
  • Building Threat Protection Layers
  • CLOUDTRAIL: CloudTrail logs are not publicly accessible - 'Review S3 Buckets'
  • Conclusion
  • Controlling Security for Public AMIs
  • Creating Custom AMIs
  • Cross-Account Access
  • Decommission Data and Media Securely
  • Define and Categorize Assets on AWS
  • Design Your ISMS to Protect Your Assets on AWS
  • EC2: DescribeAccountAttributes - 'supported platforms'
  • EC2: DescribeAddresses - 'Review list of interface assignments and private IPs'
  • EC2: DescribeAddresses - 'Review list of public IPs'
  • EC2: DescribeAvailabilityZones: 'Available availability zones list'
  • EC2: DescribeCustomerGateways - 'Review list of customer gateways'
  • EC2: DescribeDhcpOptions - 'DHCP DNS Servers'
  • EC2: DescribeDhcpOptions - 'DHCP domains'
  • EC2: DescribeInstanceStatus - 'Review instances with impaired system status'
  • EC2: DescribeInstanceStatus - 'Review instances with impaired instance status'
  • EC2: DescribeInstanceStatus - 'Review instances with insufficient-data instance status'
  • EC2: DescribeInstanceStatus - 'Review instances with insufficient-data system status'
  • EC2: DescribeInstanceStatus - 'Review pending instances'
  • EC2: DescribeInstanceStatus - 'Review shutting down instances'
  • EC2: DescribeInstanceStatus - 'Review status of instances'
  • EC2: DescribeInstanceStatus - 'Review stopped instances'
  • EC2: DescribeInstanceStatus - 'Review terminated instances'
  • EC2: DescribeInstances - 'Review list of current VPCs and their platforms'
  • EC2: DescribeInstances - 'Review list of current VPCs and their status'
  • EC2: DescribeInstances - 'Verify the architecture of instances'
  • EC2: DescribeInstances - 'Verify the private IP addresses of instances'
  • EC2: DescribeInstances - 'Verify the public IP addresses of instances'
  • EC2: DescribeInstances - 'Verify the root device of instances'
  • EC2: DescribeInstances - 'Verify the security group of instances in the VPC'
  • EC2: DescribeInternetGateways - 'Review list of internet gateways'
  • EC2: DescribeKeyPairs - 'Key names currently in use'
  • EC2: DescribeNetworkAcls - 'Review list of network ACLs'
  • EC2: DescribePlacementGroups - 'Placement groups currently in use'
  • EC2: DescribePlacementGroups - 'Placement groups deleted or deleting'
  • EC2: DescribePlacementGroups - 'Placement groups pending'
  • EC2: DescribeRegions - 'Regions that are currently available'
  • EC2: DescribeRouteTables - 'Review manually added routes'
  • EC2: DescribeRouteTables - 'Review routes defined for VPCs'
  • EC2: DescribeSecurityGroups - 'Review security groups'
  • EC2: DescribeSubnets - 'Available IP Addresses'
  • EC2: DescribeSubnets - 'Current subnet list'
  • EC2: DescribeSubnets - 'Default subnets'
  • EC2: DescribeSubnets - 'Pending subnets'
  • EC2: DescribeSubnets - 'Subnets which map public IP'
  • EC2: DescribeSubnets - 'Subnets with no available IP addresses'
  • EC2: DescribeVolumes - 'Attached volumes'
  • EC2: DescribeVolumes - 'Current available volume list'
  • EC2: DescribeVolumes - 'Current in-use volume list'
  • EC2: DescribeVolumes - 'Current volume sizes'
  • EC2: DescribeVpcs - 'Review the current VPC list'
  • EC2: DescribeVpnConnections - 'Review deleted VPN connections'
  • EC2: DescribeVpnConnections - 'Review existing VPN connections'
  • EC2: DescribeVpnConnections - 'Review pending VPN connections'
  • EC2: DescribeVpnGateways - 'Review list of VPN Gateway attachments'
  • EC2: DescribeVpnGateways - 'Review list of VPN Gateways'
  • IAM Roles for Amazon EC2
  • IAM: GetAccountSummary - 'Groups'
  • IAM: GetAccountSummary - 'MFADevicesInUse'
  • IAM: GetAccountSummary - 'Roles'
  • IAM: GetAccountSummary - 'RolesQuota'
  • IAM: GetAccountSummary - 'ServerCertificates'
  • IAM: GetAccountSummary - 'ServerCertificatesQuota'
  • IAM: GetAccountSummary - 'SigningCertificatesPerUserQuota'
  • IAM: GetAccountSummary - 'Unused MFA devices'
  • IAM: GetAccountSummary - 'Users'
  • IAM: GetAccountSummary - 'UsersQuota'
  • IAM: GetGroup - 'Admin group membership should be reviewed'
  • IAM: GetGroup - 'Group membership should be reviewed'
  • IAM: ListGroupPolicies - 'Review policies assigned to groups'
  • IAM: ListGroups - 'Review current group list'
  • IAM: ListRoles - 'Review roles'
  • IAM: ListServerCertificates - 'Verify certificate names and upload dates'
  • IAM: ListUsers - 'Review current user list'
  • IAM: ListUsers - 'Review user paths'
  • IAM: User Accounts - 'Access Key 1'
  • IAM: User Accounts - 'Access Key 2'
  • IAM: root account - 'Root Account - Access Key 1'
  • IAM: root account - 'Root Account - Access Key 2'
  • Identity Federation
  • Logging Faults
  • MFA for API calls
  • MONITORING: Verify subscribers to each SNS topic
  • Managing Application and Administrative Access to AWS Public Cloud Services
  • Managing Logs for Critical Transactions
  • Managing Metrics and Improvement
  • Managing OS-level Access to Amazon EC2 Instances
  • Managing Patches
  • Mitigating Compromise and Abuse
  • Mitigating and Protecting Against DoS & DDoS Attacks
  • Protecting Data at Rest on Amazon DynamoDB
  • Protecting Data at Rest on Amazon EMR
  • Protecting Data at Rest on Amazon Glacier
  • Protecting Data at Rest on Amazon RDS
  • Protecting Data at Rest on Amazon S3
  • Protecting Data in Transit to Amazon DynamoDB
  • Protecting Data in Transit to Amazon EMR
  • Protecting Data in Transit to Amazon RDS
  • Protecting Data in Transit to Amazon S3
  • Protecting Data in Transit when Managing AWS Services
  • Protecting Log Information
  • Protecting Your System from Malware
  • Resource Access Authorization
  • Secure Your Operating Systems and Applications
  • Shared Responsibility Model for Abstracted Services
  • Shared Responsibility Model for Container Services
  • Shared Responsibility Model for Infrastructure Services
  • Test Security
  • Understanding the AWS Secure Global Infrastructure
  • Using Additional Application Security Practices
  • Using Change Management Logs
  • Using the AWS Trusted Advisor Tool
Miscellaneous
  • Metadata updated.
  • References updated.