AWS Best Practices

22 MAY 2019
Send report of AWS ElastiCache clusters provisioned on the EC2-Classic platform

Amazon ElastiCache clusters launched on the EC2-VPC platform rather than EC2-Classic give you more control over the cache's network isolation (your own subnets, route tables and VPC security groups), its availability across subnets and its traffic routing. This template reports ElastiCache clusters that are still provisioned on the EC2-Classic platform instead of inside a VPC.

Update your Amazon ElastiCache Memcached cluster to the latest stable engine version

Running the latest stable Memcached engine version on your ElastiCache clusters brings new features, better performance and memory management, bug fixes and security patches. This template updates Amazon ElastiCache Memcached clusters that are behind the latest stable engine version. Note that a Memcached engine upgrade discards the cluster's cached data, so schedule it for a window in which the backing data store can absorb the cache misses.

Update your Amazon ElastiCache Redis cluster to the latest stable engine version

Running the latest stable Redis engine version on your ElastiCache clusters brings new features, better performance and memory management, bug fixes and security patches. This template updates Amazon ElastiCache Redis clusters that are behind the latest stable engine version. ElastiCache makes a best effort to keep the data set through a Redis engine upgrade, but take a backup first, as you would before any engine change.

Send report of unencrypted AWS ElastiCache Redis clusters

Amazon ElastiCache for Redis supports encryption at rest (the data ElastiCache writes to disk for backups and node synchronisation) and encryption in transit (TLS between clients and nodes and between primary and replica nodes). Both keep unauthorised parties from reading sensitive data held in the cache or in its storage, and both are typically required by data-at-rest and data-in-transit compliance controls. This template reports Redis clusters that are not encrypted. At-rest encryption can only be chosen when a replication group is created, so remediation means restoring a backup into a new, encrypted cluster.

Send report of security groups that allow FTP (TCP ports 20 and 21) access from any public IP

It is an AWS best practice to remove security group rules that allow FTP access from any address (0.0.0.0/0 or ::/0). FTP sends credentials and data in clear text, so an internet-facing FTP port exposes the server to credential capture through packet sniffing, brute-force logins, FTP bounce attacks and spoofing. Restrict the rule to known source ranges or replace FTP with SFTP; this template reports the security groups that need attention.

Send report of security groups that allow CIFS (TCP port 445) access from any public IP

It is an AWS best practice to remove security group rules that allow CIFS/SMB access from any address. SMB exposed to the internet is open to man-in-the-middle attacks, denial of service and null-session enumeration of users and shares. File sharing belongs inside the VPC or behind a VPN; this template reports the security groups with a world-open rule on TCP port 445.

Send report of security groups that allow DNS (TCP port 53 and UDP port 53) access from any public IP

It is an AWS best practice to remove security group rules that allow DNS access from any address. A resolver reachable from the internet can be used in DNS amplification and reflection attacks, taking part in a distributed denial of service (DDoS) against third parties while exhausting the instance itself. Only an authoritative name server that is meant to serve the internet needs port 53 open to the world; a resolver should be limited to the VPC's CIDR. This template reports the security groups with a world-open rule on port 53.

Remove entries in security groups that allow CIFS (TCP port 445) access from any public IP

This template removes security group rules that allow CIFS/SMB access from any address, which expose the file service to man-in-the-middle attacks, denial of service and null-session enumeration. EC2 revokes whole rules, not single ports: a rule that covers a port range (or all traffic) is removed in its entirety, so re-add narrower rules for the ports that are genuinely needed.

Remove entries in security groups that allow Elasticsearch (TCP port 9200) access from any public IP

This template removes security group rules that allow Elasticsearch access from any address. Elasticsearch's REST API listens on TCP port 9200 and, unless a security plugin is configured, has no authentication, so a world-open port lets anyone read, modify or delete the indexed data or overload the node. Put the cluster behind a VPC endpoint or an authenticating proxy, or restrict the rule to the clients' security group.

Remove entries in security groups that allow DNS (TCP port 53 and UDP port 53) access from any public IP

This template removes security group rules that allow DNS access from any address, closing the open-resolver exposure that feeds denial of service (DoS) and distributed denial of service (DDoS) amplification attacks. Before running it, confirm that none of the affected instances is an authoritative name server that must answer internet queries.

Notify if the Amazon CloudWatch default event bus in your account allows unknown cross-account event delivery

An Amazon CloudWatch event bus lets AWS accounts send events to each other: an account named as a principal in the bus's resource policy can call events:PutEvents against your bus. The policy should allow only trusted AWS accounts (your own and known partners); otherwise unknown accounts can inject events that trigger your rules and their targets. This template notifies you when the default event bus's policy grants access to an account outside your allowed list.

Notify if the CloudWatch default event bus allows access to everyone (*)

An Amazon CloudWatch default event bus can be shared with other accounts through its resource policy. A statement whose principal is "*" lets any AWS account deliver events to your bus and fire whatever rules match them. This template notifies you when the default event bus in your account allows access to everyone (*); manage the bus permissions so that only authorised accounts can send event data. A "*" principal bounded by an aws:PrincipalOrgID condition is limited to your organisation and is a different case.

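The two event bus checks above (unknown cross-account principals and the "*" principal) both come down to reading the bus's resource policy. The following is an added example, not code from TotalCloud's templates, of that audit in Python. The policy document is a constructed sample in the shape that events.describe_event_bus() returns in its Policy field, the account IDs and the organisation ID are made up, and TRUSTED_ACCOUNTS is an assumed allowlist; statement_ids_to_remove() only names the statements that events.remove_permission() would delete, it does not call the API.

```python
"""Audit a CloudWatch Events (EventBridge) event-bus resource policy.

Added example, not TotalCloud's template code. POLICY is a constructed
document in the shape that events.describe_event_bus()["Policy"] returns
(a JSON string); TRUSTED_ACCOUNTS is an assumed allowlist of account IDs.
"""
import json
import re

# Assumed allowlist: the bus owner's own account and one known partner.
TRUSTED_ACCOUNTS = {"123456789012", "111122223333"}

ACCOUNT_IN_ARN = re.compile(r"^arn:aws:iam::(\d{12}):")


def principal_accounts(principal):
    """Normalise a statement's Principal into a set of 12-digit account IDs.
    The wildcard principal (everyone) is returned as the literal '*'."""
    if principal == "*":
        return {"*"}
    values = principal.get("AWS", []) if isinstance(principal, dict) else []
    if isinstance(values, str):
        values = [values]
    accounts = set()
    for value in values:
        match = ACCOUNT_IN_ARN.match(value)
        if value == "*" or (value.isdigit() and len(value) == 12):
            accounts.add(value)
        elif match:
            accounts.add(match.group(1))
        else:
            accounts.add(value)          # unrecognised form: surface it as-is
    return accounts


def audit_event_bus_policy(policy_json, trusted=TRUSTED_ACCOUNTS):
    """Return findings for every Allow statement on the bus:
      ('everyone', sid)              principal is '*' with no org condition
      ('org-scoped', sid)            principal is '*' bounded by aws:PrincipalOrgID
      ('unknown-account', sid, id)   a named account outside the allowlist
    A bus with no policy (Policy absent/None) accepts only its own account."""
    if not policy_json:
        return []
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):       # a single statement may be un-listed
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no sid>")
        org_scoped = "aws:PrincipalOrgID" in json.dumps(stmt.get("Condition", {}))
        for account in sorted(principal_accounts(stmt.get("Principal", {}))):
            if account == "*":
                findings.append(("org-scoped" if org_scoped else "everyone", sid))
            elif account not in trusted:
                findings.append(("unknown-account", sid, account))
    return findings


def statement_ids_to_remove(findings):
    """Sids to pass to events.remove_permission(StatementId=...), which
    deletes one statement from the default bus's policy."""
    return [f[1] for f in findings if f[0] in ("everyone", "unknown-account")]


BUS_ARN = "arn:aws:events:us-east-1:123456789012:event-bus/default"
POLICY = json.dumps({  # constructed sample policy for the default bus
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "partner", "Effect": "Allow", "Action": "events:PutEvents",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"}, "Resource": BUS_ARN},
        {"Sid": "stale-vendor", "Effect": "Allow", "Action": "events:PutEvents",
         "Principal": {"AWS": ["444455556666"]}, "Resource": BUS_ARN},
        {"Sid": "anyone", "Effect": "Allow", "Action": "events:PutEvents",
         "Principal": "*", "Resource": BUS_ARN},
        {"Sid": "whole-org", "Effect": "Allow", "Action": "events:PutEvents",
         "Principal": "*", "Resource": BUS_ARN,
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
    ],
})

if __name__ == "__main__":
    found = audit_event_bus_policy(POLICY)
    for finding in found:
        print(*finding)
    print("remove:", statement_ids_to_remove(found))
```

On the sample the "partner" statement passes, "stale-vendor" is reported as an unknown account, "anyone" as open to everyone, and "whole-org" as org-scoped, which is reported but not queued for removal. Treat an org-scoped wildcard as acceptable only if every account in the organisation really should be able to put events on the bus.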
Send report of AWS Auto Scaling Groups that do not span multiple Availability Zones

This template reports Amazon EC2 Auto Scaling Groups (ASGs) that are not spread across multiple Availability Zones (AZs) within a region. It is an AWS best practice to run auto-scaled applications across several AZs: if one AZ becomes unhealthy or unavailable, the ASG launches replacement instances in an unaffected AZ, improving the availability and reliability of the application.

Send report of security groups that allow RDP (TCP port 3389) access from any public IP

It is an AWS best practice to know which security groups allow RDP access from any address. An internet-facing RDP port draws continuous credential brute-force attempts and is exposed to any vulnerability in the RDP service itself, which can end in a compromised host, denial of service and loss of data. Reach Windows instances through a VPN or a bastion host instead; this template reports the security groups with a world-open rule on TCP port 3389.

Send report of security groups that allow Oracle DB (TCP port 1521) access from any public IP

It is an AWS best practice to know which security groups allow Oracle Database listener access from any address. A database port open to the internet invites credential brute force, exploitation of listener and database vulnerabilities, denial of service and theft or loss of data. Database rules should admit only the application tier's security group; this template reports the security groups with a world-open rule on TCP port 1521.

Send report of security groups that allow MySQL (TCP port 3306) access from any public IP

It is an AWS best practice to know which security groups allow MySQL access from any address. A world-open database port invites credential brute force, exploitation of server vulnerabilities, denial of service and theft or loss of data. This template reports the security groups with a world-open rule on TCP port 3306; the rule should name the application tier's security group as its source instead.

Send report of security groups that allow MSSQL (TCP port 1433) access from any public IP

It is an AWS best practice to know which security groups allow Microsoft SQL Server access from any address. A world-open database port invites credential brute force (the sa account is a favourite target), exploitation of server vulnerabilities, denial of service and theft or loss of data. This template reports the security groups with a world-open rule on TCP port 1433.

Send report of security groups that allow HTTPS (TCP port 443) access from any public IP

It is an AWS best practice to know which security groups allow HTTPS access from any address. Port 443 is legitimately open on internet-facing load balancers and web servers, but every world-open rule is attack surface: web application attacks, denial of service and loss of data. Use this template as an inventory and confirm that each listed security group is attached only to resources meant to serve the public, not to back-end instances.

Send report of security groups that allow NetBIOS (TCP port 139 and UDP ports 137 and 138) access from any public IP

It is an AWS best practice to know which security groups allow NetBIOS access from any address. NetBIOS name, datagram and session services exposed to the internet are open to man-in-the-middle attacks, denial of service and name-spoofing attacks such as the BadTunnel exploit. Windows file and print sharing should stay inside the VPC; this template reports the security groups with a world-open rule on these ports.

Send report of security groups that allow SMTP (TCP port 25) access from any public IP

It is an AWS best practice to know which security groups allow SMTP access from any address. Only a mail server that receives internet mail needs inbound port 25; on anything else a world-open SMTP port invites relay abuse and spamming, brute-force attacks against the mail service, attacks on the mail pipeline such as Shellshock, and denial of service. This template reports the security groups with a world-open rule on TCP port 25.

Send report of security groups that allow RPC (TCP port 135) access from any public IP

It is an AWS best practice to know which security groups allow Microsoft RPC endpoint mapper access from any address. Port 135 fronts DCOM and other RPC services that should never face the internet, so a world-open rule can lead to host compromise, denial of service and loss of data. This template reports the security groups with a world-open rule on TCP port 135.

Send report of security groups that allow PostgreSQL (TCP port 5432) access from any public IP

It is an AWS best practice to know which security groups allow PostgreSQL access from any address. A world-open database port invites credential brute force, exploitation of server vulnerabilities, denial of service and theft or loss of data; the rule should admit only the application tier's security group. This template reports the security groups with a world-open rule on TCP port 5432.

Send report of security groups that allow MongoDB (TCP port 27017) access from any public IP

It is an AWS best practice to know which security groups allow MongoDB access from any address. MongoDB does not enforce authentication unless it is configured to, so a world-open TCP port 27017 often means the entire database can be read, altered or deleted by anyone who finds it, on top of the usual denial-of-service exposure. This template reports the security groups with a world-open rule on that port.

Send report of security groups that allow HTTP (TCP port 80) access from any public IP

It is an AWS best practice to know which security groups allow HTTP access from any address. Port 80 is expected on internet-facing load balancers and web servers, but on anything else it is unnecessary attack surface (application attacks, denial of service, loss of data), and HTTP carries everything in clear text, so public endpoints should redirect to HTTPS. This template reports the security groups with a world-open rule on TCP port 80; check that each belongs to a resource meant to be public.

Remove entries in security groups that allow NetBIOS (TCP port 139 and UDP ports 137 and 138) access from any public IP

This template removes security group rules that allow NetBIOS (name, datagram and session services) access from any address, which expose Windows networking to man-in-the-middle attacks, denial of service and name-spoofing attacks such as the BadTunnel exploit. Confirm that the instances are reached over a VPN or from inside the VPC before the rules are removed.

Remove entries in security groups that allow SMTP (TCP port 25) access from any public IP

This template removes security group rules that allow SMTP access from any address. Unless the instance is a mail server that must accept internet mail, an open port 25 only offers relay abuse and spamming, brute force, mail-pipeline attacks such as Shellshock, and denial of service. Check for genuine inbound mail servers before running it.

Remove entries in security groups that allow RPC (TCP port 135) access from any public IP

This template removes security group rules that allow Microsoft RPC endpoint mapper access from any address. Port 135 fronts DCOM and other RPC services that should never face the internet; a world-open rule risks host compromise, denial of service and loss of data.

Remove entries in security groups that allow RDP (TCP port 3389) access from any public IP

This template removes security group rules that allow RDP access from any address, closing the port to credential brute force and to exploitation of the RDP service. Make sure an alternative administrative path (VPN or bastion host) exists before the rule is revoked, or you will lock yourself out of the instance.

Remove entries in security groups that allow PostgreSQL (TCP port 5432) access from any public IP

This template removes security group rules that allow PostgreSQL access from any address. A database listener should accept connections only from the application tier's security group; a world-open port invites credential brute force, exploitation of server vulnerabilities, denial of service and loss of data.

Remove entries in security groups that allow Oracle DB (TCP port 1521) access from any public IP

This template removes security group rules that allow Oracle Database listener access from any address. A world-open listener invites credential brute force, exploitation of listener and database vulnerabilities, denial of service and loss of data; replace the rule with one whose source is the application tier's security group.

Remove entries in security groups that allow MySQL (TCP port 3306) access from any public IP

This template removes security group rules that allow MySQL access from any address. A world-open database port invites credential brute force, exploitation of server vulnerabilities, denial of service and loss of data; the application tier's security group should be the only permitted source.

Remove entries in security groups that allow MSSQL (TCP port 1433) access from any public IP

This template removes security group rules that allow Microsoft SQL Server access from any address. A world-open database port invites credential brute force against accounts such as sa, exploitation of server vulnerabilities, denial of service and loss of data.

Remove entries in security groups that allow MongoDB (TCP port 27017) access from any public IP

This template removes security group rules that allow MongoDB access from any address. MongoDB does not enforce authentication unless it is configured to, so a world-open port 27017 frequently means the whole database can be read, altered or deleted by anyone, in addition to the denial-of-service exposure.

Remove entries in security groups that allow HTTP (TCP port 80) access from any public IP

This template removes security group rules that allow HTTP access from any address. For back-end instances that should never be reached from the internet this closes a direct path to hacking, denial of service and loss of data; for genuine web front ends, keep port 80 only to redirect to HTTPS behind a load balancer. Before running the template, confirm which of the listed security groups belong to intentionally public endpoints and exclude them.

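Every security group check above, whether it reports or removes, asks the same question: does a rule admit one of these ports from 0.0.0.0/0 or ::/0? The following is an added example, not code from TotalCloud's templates, of that check and its remediation in Python. It works on data shaped like the EC2 DescribeSecurityGroups response, so the output of boto3's ec2.describe_security_groups() can be passed in directly; the two groups, their IDs and the 203.0.113.0/24 "office" range are constructed samples, and revoke_parameters() only builds the arguments for ec2.revoke_security_group_ingress() rather than calling it.

```python
"""Report and remediate security-group rules open to the whole internet.

Added example; not TotalCloud's template code. The input is shaped like the
SecurityGroups list returned by EC2 DescribeSecurityGroups, so the output of
boto3's ec2.describe_security_groups() can be passed straight in. The groups
below are constructed samples.
"""
import ipaddress
import json

# Ports the templates on this page flag when reachable from any address.
# Keyed by (protocol, port) because DNS and NetBIOS use both TCP and UDP.
SENSITIVE_PORTS = {
    ("tcp", 20): "FTP data", ("tcp", 21): "FTP", ("tcp", 25): "SMTP",
    ("tcp", 53): "DNS", ("udp", 53): "DNS", ("tcp", 135): "RPC",
    ("udp", 137): "NetBIOS name", ("udp", 138): "NetBIOS datagram",
    ("tcp", 139): "NetBIOS session", ("tcp", 445): "CIFS/SMB",
    ("tcp", 1433): "MSSQL", ("tcp", 1521): "Oracle", ("tcp", 3306): "MySQL",
    ("tcp", 3389): "RDP", ("tcp", 5432): "PostgreSQL",
    ("tcp", 9200): "Elasticsearch", ("tcp", 27017): "MongoDB",
}
# Web ports are reported separately: they are often meant to be public.
WEB_PORTS = {("tcp", 80): "HTTP", ("tcp", 443): "HTTPS"}


def is_world_open(cidr):
    """True for 0.0.0.0/0 and ::/0, the 'any address' ranges."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def _rule_for_cidr(perm, cidr):
    """One rule (protocol, port range, single CIDR) in the exact shape that
    ec2.revoke_security_group_ingress(IpPermissions=[...]) must be given:
    EC2 revokes whole rules, not single ports out of a range."""
    rule = {"IpProtocol": perm["IpProtocol"]}
    if "FromPort" in perm:                      # absent for IpProtocol "-1"
        rule["FromPort"], rule["ToPort"] = perm["FromPort"], perm["ToPort"]
    if ":" in cidr:
        rule["Ipv6Ranges"] = [{"CidrIpv6": cidr}]
    else:
        rule["IpRanges"] = [{"CidrIp": cidr}]
    return rule


def open_to_world(groups, ports=SENSITIVE_PORTS):
    """Return one finding per (group, sensitive port, world-open CIDR)."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            proto = perm["IpProtocol"]
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            public = [c for c in cidrs if is_world_open(c)]
            if not public:
                continue
            for (s_proto, port), service in sorted(ports.items()):
                if proto == "-1":                              # all traffic
                    hit = True
                elif proto == s_proto:                         # tcp/udp range
                    hit = perm["FromPort"] <= port <= perm["ToPort"]
                else:
                    hit = False
                if not hit:
                    continue
                for cidr in public:
                    findings.append({"GroupId": sg["GroupId"], "Protocol": s_proto,
                                     "Port": port, "Service": service, "Cidr": cidr,
                                     "Rule": _rule_for_cidr(perm, cidr)})
    return findings


def revoke_parameters(findings):
    """Deduplicated kwargs for ec2.revoke_security_group_ingress(), one per
    offending rule (a '-1' rule yields many findings but one revocation).
    A rule wider than the sensitive port (e.g. 0-65535) is revoked whole;
    re-add the narrower ports you actually need afterwards."""
    seen, calls = set(), []
    for f in findings:
        key = (f["GroupId"], json.dumps(f["Rule"], sort_keys=True))
        if key not in seen:
            seen.add(key)
            calls.append({"GroupId": f["GroupId"], "IpPermissions": [f["Rule"]]})
    return calls


SAMPLE_GROUPS = [  # constructed sample in DescribeSecurityGroups shape
    {"GroupId": "sg-0a1b2c3d", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0e5f6a7b", "GroupName": "legacy-admin", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]},   # one office range: fine
]

if __name__ == "__main__":
    for f in open_to_world(SAMPLE_GROUPS):
        print(f"{f['GroupId']}: {f['Service']} {f['Protocol']}/{f['Port']} open to {f['Cidr']}")
    print(json.dumps(revoke_parameters(open_to_world(SAMPLE_GROUPS)), indent=1))
```

Security groups are regional, so run this over describe_security_groups() in every region. The "legacy-admin" group shows why remediation must be done per rule rather than per port: its all-traffic rule produces a finding for every sensitive port but is removed by a single revoke, after which the ports that are really needed have to be added back with a restricted source.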
Send a report of all EC2 instances that are not part of an Auto Scaling Group (ASG)

It is an AWS best practice to launch EC2 instances through an Auto Scaling Group, even a group with a fixed size of one, so that an instance that fails its health checks is replaced automatically and capacity can follow load. This template sends a report of instances that were not launched by an Auto Scaling Group.

Send report of EC2 instances older than 150 days

It is an AWS best practice to stop and start long-running EC2 instances periodically: a stop and start (unlike a reboot) moves an EBS-backed instance onto a different, newer host, and it is also the natural point at which to roll in a fresh AMI with current patches. This template reports instances that were launched more than 150 days ago.

Send report of EC2 instances that use IAM access keys instead of an IAM role

It is an AWS best practice to give EC2 instances an IAM role (through an instance profile) rather than storing IAM access keys on them to sign AWS API requests. A role supplies short-lived credentials through the instance metadata service and rotates them automatically, its permissions can be changed centrally, and there is no long-lived secret on disk to leak or to revoke when an instance is compromised. This template sends a report of EC2 instances that have no IAM role attached.

Notify if AWS CloudTrail is not enabled

AWS CloudTrail records the API calls made in your account, including who made them, from where and what changed, which is the basis for security monitoring, incident investigation and compliance evidence. This template notifies you when no trail is logging in the account.

Prevent duplicate entries in AWS CloudTrail logs

Events from global AWS services such as IAM, STS and CloudFront are delivered to every trail that has "Include Global Services" enabled, so with several trails the same event is recorded more than once, inflating log volume and any alert built on it. Ensure that only one trail in a multi-region logging setup has global service events enabled; this template finds the extra ones.

Send report of security groups with empty rule descriptions

It is an AWS best practice to add a description to every security group rule stating its purpose and who owns the source address it admits; this makes the rule set auditable and stale entries easy to spot. This template sends a report of security groups in which any rule lacks a description.

Enable S3 log file validation for AWS CloudTrail

Log file validation lets you verify the integrity of CloudTrail log files and determine whether a file was changed or deleted after delivery to its S3 bucket. CloudTrail hashes each log file with SHA-256, records the hashes in hourly digest files and signs each digest with RSA (SHA256withRSA), so a modified, deleted or forged log file breaks the chain and is detectable; altering a file without detection is computationally infeasible. After enabling it, check a trail with `aws cloudtrail validate-logs --trail-arn <arn> --start-time <time>`.

CloudTrail multi-region logging

A trail that applies to all regions records API calls from every AWS region, including regions you do not use, so activity in an unexpected region is logged rather than invisible. Global tracking of your AWS API calls helps you manage the account and its infrastructure security; this template ensures a trail is configured as a multi-region trail.

Enable automated backups for a Redshift cluster if not already enabled

It is an AWS best practice to keep automated snapshots enabled on Redshift clusters so that data can be recovered after an unexpected failure or an accidental deletion. Automated snapshots are disabled when the cluster's retention period is set to 0 days; this template enables them on clusters that have them switched off.

Enable version upgrade for a Redshift cluster if not already enabled

This template enables the Allow Version Upgrade setting on your Redshift clusters. With it enabled, engine upgrades are applied automatically during the cluster's maintenance window, so the data warehouse picks up new features, bug fixes and the latest security patches as they are released.

Ensure all your AWS AMIs are private

AMIs you create can contain sensitive material such as application code, configuration, credentials baked into the image or data left on the root volume, none of which should be visible outside your organisation. A public AMI can be launched, mounted and inspected by any AWS account. This template changes the launch permission of public AMIs from public to private.

Release unattached Elastic IPs to save cost

AWS charges a small hourly fee for an Elastic IP (EIP) address that is not associated with a running EC2 instance or an Elastic Network Interface (ENI). Release any EIP that is no longer needed in order to save cost; this template releases the unattached ones.

Notify if any of your AMIs are not encrypted

It is an AWS best practice to encrypt the EBS snapshots that back your AMIs so that the image's contents cannot be read by anyone who obtains a copy of the snapshot. AMI encryption uses keys managed by AWS Key Management Service (KMS), and instances launched from an encrypted AMI get encrypted root volumes. This template notifies you of AMIs whose snapshots are unencrypted.

Notify if any EC2 instance in your account is not launched from an approved/golden AMI

It is an AWS best practice to launch EC2 instances only from approved (golden) AMIs: images containing the hardened operating system, required agents, software and settings your application needs. Launching from a golden AMI makes deployments faster, repeatable and consistent, and keeps unvetted images out of production. This template notifies you of instances whose image is not on the approved list.

Remove unused Amazon Elastic Network Interfaces (ENIs)

It is an AWS best practice to delete unattached ENIs. AWS enforces a per-region limit on network interfaces, and a large number of unused ENIs can exhaust it and block the launch of new EC2 instances. This template removes ENIs that are not attached to anything.

Remove unused EC2 key pairs

It is an AWS best practice to delete EC2 key pairs that are no longer used, for instance those created by people who have left the organisation, so that they cannot be used to launch new instances. Be clear about what deletion does not do: AWS stores only the public key, and deleting the key pair does not remove that public key from the authorized_keys file of instances already launched with it. To revoke a departed user's access to a running instance, remove the key on the instance itself (or replace the instance from a fresh AMI) as well.

Ensure Redshift cluster is not publicly accessible

It is an AWS best practice to keep Redshift clusters private. A publicly accessible cluster receives a public IP address and accepts connections from any host on the internet that its security group admits, exposing the database to credential brute-force and denial-of-service attacks and, if credentials leak, to direct data theft. Client applications should reach the cluster from inside the VPC or over a VPN; this template turns off public accessibility on clusters that have it enabled.

Enable global service events tracking in AWS CloudTrail

Events from global services such as IAM, STS and CloudFront are only recorded by a trail that has global service events enabled. Tracking them gives you complete visibility over your AWS infrastructure, in particular over identity and credential changes; having CloudTrail log both regional and global services helps you demonstrate compliance and troubleshoot operational or security issues in your account. This template enables global service events on a trail that does not record them.

Ensure AWS CloudTrail logging for global events is enabled

This template checks that at least one trail records events from global services such as IAM, STS and CloudFront, so that identity and credential changes are not missing from your logs. Keep this enabled on exactly one trail: with it, regional and global services together give complete coverage; with more than one trail recording global events you get duplicate records.

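The CloudTrail checks on this page (a trail that is logging, a multi-region trail, log file validation, global service events recorded once and only once) can all be evaluated from the trail descriptions, and the fixes are all update_trail() or start_logging() calls. The following is an added example, not code from TotalCloud's templates, of that audit in Python. TRAILS is a constructed sample in the shape of cloudtrail.describe_trails()["trailList"]; the "IsLogging" key is an assumed addition copied in from cloudtrail.get_trail_status(), and remediation() returns the API calls it would make rather than making them.

```python
"""Audit CloudTrail trail settings for the checks described on this page.

Added example, not TotalCloud's template code. TRAILS is a constructed list
in the shape of cloudtrail.describe_trails()["trailList"], with one extra
assumed key, "IsLogging", merged in from cloudtrail.get_trail_status().
The kwargs produced by remediation() match cloudtrail.update_trail() and
cloudtrail.start_logging().
"""

TRAILS = [  # constructed sample: one good org-wide trail and two leftovers
    {"Name": "org-trail", "HomeRegion": "us-east-1", "IsMultiRegionTrail": True,
     "IncludeGlobalServiceEvents": True, "LogFileValidationEnabled": True,
     "IsLogging": True},
    {"Name": "legacy-us-west", "HomeRegion": "us-west-2", "IsMultiRegionTrail": False,
     "IncludeGlobalServiceEvents": True, "LogFileValidationEnabled": False,
     "IsLogging": True},
    {"Name": "dev-trail", "HomeRegion": "eu-west-1", "IsMultiRegionTrail": False,
     "IncludeGlobalServiceEvents": False, "LogFileValidationEnabled": True,
     "IsLogging": False},
]


def global_event_owner(trails):
    """Name of the single trail that should record global service events:
    a logging multi-region trail if there is one, else the first logging
    trail that already has them, else the first logging trail."""
    active = [t for t in trails if t.get("IsLogging")]
    for pick in (lambda t: t.get("IsMultiRegionTrail"),
                 lambda t: t.get("IncludeGlobalServiceEvents"),
                 lambda t: True):
        for t in active:
            if pick(t):
                return t["Name"]
    return None


def audit_trails(trails):
    """Return (check, trail name or None) findings for the account."""
    findings = []
    active = [t for t in trails if t.get("IsLogging")]
    if not active:
        findings.append(("cloudtrail-not-enabled", None))
    if not any(t.get("IsMultiRegionTrail") for t in active):
        findings.append(("no-multi-region-trail", None))
    if not any(t.get("IncludeGlobalServiceEvents") for t in active):
        findings.append(("global-events-not-logged", None))
    keeper = global_event_owner(trails)
    for t in trails:
        if not t.get("IsLogging"):
            findings.append(("logging-stopped", t["Name"]))
        elif t.get("IncludeGlobalServiceEvents") and t["Name"] != keeper:
            findings.append(("duplicate-global-events", t["Name"]))
        if not t.get("LogFileValidationEnabled"):
            findings.append(("log-file-validation-disabled", t["Name"]))
    return findings


def remediation(trails):
    """(API method, kwargs) pairs that fix the findings from audit_trails()."""
    calls = []
    keeper = global_event_owner(trails)
    have_multi_region = any(t.get("IsMultiRegionTrail")
                            for t in trails if t.get("IsLogging"))
    for t in trails:
        kwargs = {}
        if not t.get("LogFileValidationEnabled"):
            kwargs["EnableLogFileValidation"] = True
        if t["Name"] == keeper:
            if not t.get("IncludeGlobalServiceEvents"):
                kwargs["IncludeGlobalServiceEvents"] = True
            if not have_multi_region:
                kwargs["IsMultiRegionTrail"] = True
        elif t.get("IncludeGlobalServiceEvents"):
            kwargs["IncludeGlobalServiceEvents"] = False   # keep one copy of global events
        if kwargs:
            calls.append(("update_trail", {"Name": t["Name"], **kwargs}))
        if not t.get("IsLogging"):
            calls.append(("start_logging", {"Name": t["Name"]}))
    return calls


if __name__ == "__main__":
    for check, name in audit_trails(TRAILS):
        print(f"{check}: {name or '(account)'}")
    for method, kwargs in remediation(TRAILS):
        print(f"cloudtrail.{method}({kwargs})")
```

describe_trails() in any one region lists trails from other regions only when they are multi-region (or when includeShadowTrails is left at its default), so build the trail list from every region before auditing, and take "IsLogging" from get_trail_status() for each trail's home region.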
Notify if any AWS AMIs are publicly shared

AMIs you create can contain sensitive material such as application code, configuration or data that should not be exposed outside your organisation. This template notifies you when any of your AMIs is shared publicly, so that its launch permission can be set back to private.

Identify Auto Scaling Groups without cooldown periods

This template runs every hour and identifies Auto Scaling Groups that are not using an appropriate cooldown period. The cooldown is the time after a scaling activity during which simple scaling policies do not trigger another one, so that a second scaling action is not started before the effect of the first is visible in the metrics; without it a group can flap between scaling out and scaling in.

Activate all features of your organization to use service control policies (SCPs)

Service control policies are only available when AWS Organizations runs with all features enabled rather than consolidated billing only. Ensure that all features are enabled for your organization so that you can use SCPs to set the maximum permissions available in member accounts and control the use of AWS services and actions across them.

Use AWS Organizations

Ensure that AWS Organizations is in use, so that you have a single place to oversee the AWS accounts in your estate, their usage of AWS services and the guardrails applied to them.

Expired ACM certificates

Leaving expired certificates in AWS Certificate Manager (ACM) is not an AWS best practice: they can be picked up by mistake during a deployment and break TLS for the application. ACM renews the certificates it issued as long as validation still succeeds, so an expired certificate is usually an imported one, or one whose domain validation lapsed; replace it and delete the expired entry.
