This workflow sends a report of SQS Queues which does not have tags established by their organisations. Which tags are missing can be found in the report generated.

This workflow sends a report of ECR Repositories which does not have tags established by their organisations. Which tags are missing can be found in the report generated.

This workflow sends a report of Neptune DB clusters which does not have tags established by their organisations. Which tags are missing can be found in the report generated.

This workflow sends a report of EMR clusters which does not have tags established by their organisations. Which tags are missing can be found in the report generated.

This workflow sends a report of DynamoDB Tables which does not have tags established by their organisations. Which tags are missing can be found in the report generated.

This workflow sends a report of kinesis streams which does not have tags established by their organisations. Which tags are missing can be found in the report generated.

This workflow sends a report of cloud front distributions which does not have tags established by their organisations. Which tags are missing can be found in the report generated.

This workflow sends a report of ELB's which does not have tags established by their organisations. Which tags are missing can be found in the report generated.

Sends a report for your AWS ALB's if Web application firewall is not enabled for them. Enabling WAF add more security to your AWS resources.

Sends a report if RDS DB (aurora, mySql, mariaDb) instances in your AWS account are using default ports(3306). Running your database instances on default ports represent a potential security concern.

Sends report if total number of SQS queues in your AWS account exceeds the limit.

This workflow sends a report for SQS queues if their sever side encryption is not enabled. Amazon Simple Queue Service (SQS) queues are protecting the contents of their messages using Server-Side Encryption (SSE). It is highly recommended to implement encryption in order to make the contents of these messages unavailable to unauthorized or anonymous users.

This workflow sends a report for SQS queues which are publicly accessible. Allowing anonymous users to have access to your SQS queues can lead to unauthorized actions such as intercepting, deleting and sending queue messages.

This workflow sends a report for SQS queues that are not encrypted with KMS CMK keys. By using your own KMS CMK keys , you obtain full control over who can use the CMK keys and access the data encrypted within queue messages.

This workflow sends a report for SQS queues that are not encrypted with KMS CMK keys. By using your own KMS CMK keys , you obtain full control over who can use the CMK keys and access the data encrypted within queue messages.

This workflow sends a report for SQS queues that are not encrypted with KMS CMK keys. By using your own KMS CMK keys , you obtain full control over who can use the CMK keys and access the data encrypted within queue messages.

This template sends a report of SQS queues if access to unauthorized cross account entities are allowed. Allowing untrustworthy cross account access to your SQS queues can lead to unauthorized actions such as intercepting, deleting or sending queue messages without permission.

This template sends a report of SQS queues if access to unauthorized cross account entities are allowed. Allowing untrustworthy cross account access to your SQS queues can lead to unauthorized actions such as intercepting, deleting or sending queue messages without permission.

This template sends a report of SQS queues if access to unauthorized cross account entities are allowed. Allowing untrustworthy cross account access to your SQS queues can lead to unauthorized actions such as intercepting, deleting or sending queue messages without permission.

Sends a report if cloudwatch log exports is not enabled for your RDS DB instances. By publishing database logs to Amazon CloudWatch, you can build richer and more seamless interactions with your database instance logs using AWS services.

Sends a report if your AWS elasticSearch cluster is using default AWS key instead of KMS Customer Master Keys (CMKs) for encryption. When you use your own KMS Customer Master Keys you have full control over who can use these keys to access the clusters data.

Sends a report if AWS elasticSearch domains are publicly accessible. Allowing public access to your ES domains is not recommended and is considered bad practice.

Sends a report if your AWS elasticSearch domains are not running in VPC. AWS VPCs are for better flexibility and control over the clusters access and security. AWS Elasticsearch domains that reside within a VPC have an extra layer of security when compared to ES domains that use public endpoints.

Sends a report if node to node encryption is not enabled for your AWS elasticSearch domains. ElasticSearch node-to-node encryption capability provides the additional layer of security by implementing Transport Layer Security (TLS) for all communications between the nodes provisioned within the cluster.

Sends a report if encryption at rest is not enabled for your AWS elasticSearch domains. Encryption of data at rest helps prevent unauthorized users from reading sensitive information available on your ES domains (clusters) and their storage systems.

Setting limits for the type of AWS ElasticSearch instances will help you address internal compliance requirements and prevent unexpected charges on your AWS bill. Ensure that your existing AWS instances and dedicated master have the desired type established by your organization based on the caching workload required.

This workflow sends a report of ElasticSearch domains which does not have tags established by their organisations. Which tags are missing can be found in the report generated

This workflow sends a report of ElastiCache clusters which does not have tags established by their organisations. Which tags are missing can be found in the report generated

This workflow sends a report of Redshift clusters which does not have tags established by their organisations. Which tags are missing can be found in the report generated.

This workflow sends a report of EC2 instances which does not have tags established by their organisations. Which tags are missing can be found in the report generated.

This workflow sends a report of RDS instances which does not have tags established by their organisations. Which tags are missing can be found in the report generated.

Sends a report if RDS databases are using "awsuser" as master username. "Awsuser" is the Amazon's example (default) for the RDS database master username, many AWS customers will use this username for their RDS databases in production which can lead to malicious activities.

Send a report if total number of AWS RDS instances reaches threshold limit. Setting limits for the maximum number of RDS instances provisioned within your AWS account will help you to manage better your database compute resources, prevent unexpected charges on your AWS bill

Sends a report of AWS RDS DB instances which are not encrypted. Having encryption enabled for your RDS DB instances will help you to protect your data from unauthorized access, automated backups, Read Replicas, and snapshots, become all encrypted.

Sends a report of AWS ElasticSearch domains which allows access to unauthorized cross users. Allowing untrustworthy cross account access to your AWS ES clusters can lead to unauthorized actions such as uploading, downloading and deleting documents without permission.

Sends a report of Elastic Search domains if the total number of instances reach the threshold limit(10). Monitoring and configuring limits for the maximum number of Elasticsearch (ES) instances provisioned within your AWS account will help you to manage better your Elasticsearch compute resources.

Sends a report of ElastiCache cluster which does not have InTransit and At rest encryption enabled. Data encryption helps prevent unauthorized users from reading sensitive data available on your Redis clusters and their associated cache storage systems.

Sends a report of total number of ElastiCache cluster, if the ElastiCache limit quota(threshold 5) defined for your AWS account is reached. Setting limits for the maximum number of ElastiCache cluster nodes provisioned within your AWS account will help you to better manage your ElastiCache compute resources and prevent unexpected charges on your AWS bill.

Sends a report of ElastiCache memcached cluster running on default port. Running your AWS ElastiCache clusters on the default port(ii.e. 11211) rises a potential security concern. Changing the default port to other ports adds an extra security layer to your AWS elasticache memcached clusters.

Sends a report of your AWS elastiCache redis clusters which are running on default port(i.e. 6379). Running your AWS ElastiCache clusters on the default port represent a potential security concern. Chaging the default ports will add an extra layer of security to your Redis cluster.

Send a report having information of which cloudwatch alarms are missing in your AWS EC2 instances.

Send a report having information of which cloudwatch alarms are missing in your AWS RDS DB instances .

Send a report having information of which cloudwatch alarms are missing in your AWS elasticSearch domains.

Send a report having information of which cloudwatch alarms are missing in your AWS ElastiCache clusters .

Send report of RDS instances provisioned in your AWS account, which does not have the desired instance type established by your organization. Restricting the type of Amazon RDS instances will help you address internal compliance requirements and also helps to save some extra cost.

Identify any reserved RDS recent purchases and send a report of it. Checking your RDS Reserved Instances on a regular basis helps you to detect and cancel any unwanted purchases placed within your AWS account and avoid unexpected charges on your AWS monthly bill.

Indentify any pending Reserved RDS instances and a send a report of it. Using RDS Reserved Instances over On-Demand Instances can save up to 70% when used in steady state (i.e. heavy utilization), therefore in order to receive this discount benefit you need to make sure that all your RDS database reservation purchases have been successfully completed.

Indentify any failed Reserved RDS instances and a send a report of it. Using RDS Reserved Instances over On-Demand Instances can save up to 70% when used in steady state (i.e. heavy utilization), therefore in order to receive this discount benefit you need to make sure that all your RDS database reservation purchases have been successfully completed.

Send report of all the elasticSearch domains without a cloudwatch alarm attached to them.

Send report for all the EC2 Instances without a cloudwatch alarm attached to them.

Send a report of ElastiCache clusters without a cloudwatch alarm attached to them.

This workflow send report of all the EC2 instances which are idle from the past 7 days and are launched before 7 days. Instance is identified as idle if its CPU Utilization is less than 2% and Network In/Out is less than 5MB. You can also give other configurations for this workflow.

By checking your EC2 RI purchases on a regular basis you can detect and cancel any unwanted purchases placed within your AWS account and avoid unexpected charges on your AWS bill. By checking your EC2 RI purchases on a regular basis you can detect and cancel any unwanted purchases placed within your AWS account and avoid unexpected charges on your AWS bill.

A failed AWS EC2 RI is an unsuccessful reservation that received the "payment-failed" status during the purchase process. Reserved Instances represent a good strategy to cut down on AWS EC2 costs but to fully receive the discount benefit you need to make sure that all your EC2 reservation purchases have been successfully completed.

EC2 Reserved Instances represent an efficient strategy to cut down on AWS costs. However, to receive the billing discount benefit promoted by Amazon, you need to make sure that all your EC2 reservation purchases have been fully processed. Identify any pending Amazon EC2 Reserved Instance (RI) purchases available within your AWS account.

Checking your ElastiCache Reserved Cache Nodes on a regular basis you can detect and cancel any unwanted purchases placed within your AWS account and avoid unexpected charges on your AWS monthly bill. Ensure that all Amazon ElastiCache Reserved Cache Node (RCN) purchases are reviewed every 7 days.

By verifying your Elasticsearch Reserved Instance purchases on a regular basis you can detect and cancel any unwanted purchases placed accidentally or intentionally within your AWS account in order to avoid unexpected charges on your AWS bill.

A failed AWS ES RI is an unsuccessful reservation that receives the "payment-failed" status during the purchasing process. Elasticsearch Reserved Instances can provide significant cost savings (up to 52% discount). However, to receive the discount benefit you need to make sure that all your AWS ES reservation purchases have been successfully completed.

A failed ElastiCache RCN is an unsuccessful reservation that received the "payment-failed" status during the purchase process. The cost savings when using ElastiCache Reserved Cache Nodes over standard On-Demand Cache Nodes are up to 70% when used in steady state, therefore in order to receive this discount benefit you need to make sure that all your ElastiCache reservation purchases have been successfully completed.

A payment-pending ElastiCache RCN purchase is a reservation purchase that can`t be fully processed due to issues with the payment method utilized The cost savings when using ElastiCache Reserved Cache Nodes over standard On-Demand Cache Nodes are up to 70% when used in steady state, therefore in order to receive this discount benefit you need to make sure that all your ElastiCache reservation purchases have been fully processed.

A pending AWS Elasticsearch Reserved Instance is an incomplete reservation that receives the "payment-pending" status during the purchasing process due to issues with the payment method. Using Reserved Instances is one of the best cost optimization strategies when working with AWS Elasticsearch service. To fully receive the discount benefit, make sure that all your Elasticsearch reservation purchases have been fully processed.

Setting limits for the type of AWS ElastiCache cluster nodes will help you address internal compliance requirements and prevent unexpected charges on your AWS bill. Ensure that your existing AWS ElastiCache cluster nodes have the desired type established by your organization based on the caching workload required.

It is AWS best practice to remove entries in security group which allows Elastic Search access from public IP to reduce possibility of breach. Allowing unrestricted Elastic Search access can increase threats like hacking, denial-of-service (DoS) attacks and loss of data.

Sends a report with all the RDS DBInstances without a cloudwatch alarm attached to them.

This template generates a weekly report of public RDS Instances, establishing AWS security of your sensitive data.