The Aqua Cloud CloudFormation Scanner supports many of the most popular AWS services, including EC2, S3, KMS, IAM and many others. The scanner looks for many common security issues, including:


The test AWS::AutoScaling::AutoScalingGroup ensures:

  • Autoscaling group is being launched in EC2 Classic. Only VPC should be used.


The test AWS::AutoScaling::LaunchConfiguration ensures:

  • Launch configuration may associate a public IP address with instances. To prevent public exposure, ensure this value is set to false unless the instance requires public access.
  • Launch configuration does not associate a public IP address with instances.
  • Launch configuration inline EBS block device uses encryption.
  • Launch configuration does not specify inline block device mappings.
  • Launch configuration specifies an AWS key pair. Alternate SSH methods may not be as secure.


The test AWS::CloudFront::Distribution ensures:

  • CloudFront distribution uses logging. This is not required but may be helpful for incident response.
  • CloudFront distribution uses an S3 origin with a proper access identity.
  • CloudFront distribution uses a non-S3 origin, so there is no access identity to check.
  • CloudFront distribution uses a default root object. Ensure a file is used as the default root object.


The test AWS::CloudTrail::Trail ensures:

  • CloudTrail trail has log file validation enabled. This is required to verify the integrity of log files delivered by AWS in the event of a compromise.
  • CloudTrail trail has CloudWatch integration enabled. This is an optional, but helpful, feature to be used to alert in the event of security incidents.
  • CloudTrail trail is monitoring global service events. This should be set to true to capture events from all AWS services.
  • CloudTrail trail is set to log events. This should be set to true to ensure CloudTrail is actually logging.
  • CloudTrail trail is being encrypted with KMS. Since logs can contain sensitive information, encryption should be used.


The test AWS::Config::ConfigurationRecorder ensures:

  • AWS Config Service is configured to record all supported resources. This should be set to true to capture all config changes.
  • AWS Config Service is configured to record global resources. This should be set to true to capture all config changes.
  • AWS Config Service is enabled and specifies a recording group.


The test AWS::EC2::NetworkAclEntry ensures:

  • Network ACL does not allow all inbound traffic from 0.0.0.0/0.


The test AWS::EC2::Instance ensures:

  • EC2 instance inline EBS block device uses encryption.
  • EC2 instance does not specify inline block device mappings.
  • EC2 instance is using an AWS key pair. Alternate SSH methods may not be as secure.
  • EC2 instance is not using EC2-Classic security groups. Only VPC groups should be used.
  • EC2 instance has source destination check set to true. "False" should only be used for NAT instances.
  • EC2 instance is not being launched into EC2-Classic. VPCs should be used.


The test AWS::EC2::NetworkInterface ensures:

  • Network interface does not disable source destination check. This should only be used for NAT instances.


The test AWS::EC2::SecurityGroup ensures:

  • Security group is not being created in EC2 Classic. Only VPCs should be used.
  • Security group ingress does not expose an IP globally using a port range.
  • Security group ingress does not expose a non-web port globally.


The test AWS::EC2::SecurityGroupIngress ensures:

  • Security group ingress does not expose an IP globally using a port range.
  • Security group ingress does not expose a non-web port globally.


The test AWS::EC2::Subnet ensures:

  • VPC subnet does not map public IPs on launch. This default should not be used.


The test AWS::EC2::VPCEndpoint ensures:

  • VPC endpoint specifies a policy document. The default policy allows full access.


The test AWS::EC2::Volume ensures:

  • Encryption is enabled for EC2 volume.
  • Encryption is enabled for EC2 volume but no KMS key ID is specified. The default master KMS key should be avoided.
  • Encryption is not enabled for EC2 volume. This may not be possible if a supported instance type is not used but should be enabled if it is.


The test AWS::ECR::Repository ensures:

  • ECR repository specifies a policy document. The default policy allows full account access.


The test AWS::EMR::Cluster ensures:

  • EMR cluster is not exposed to all users.


The test AWS::ElastiCache::CacheCluster ensures:

  • ElastiCache instance is not set to prevent minor version upgrades. This may prevent it from receiving security updates.
  • ElastiCache backup retention limit is sufficient.
  • ElastiCache instance is being launched in a VPC environment.


The test AWS::ElastiCache::ReplicationGroup ensures:

  • ElastiCache replication group is not set to prevent minor version upgrades. This may prevent it from receiving security updates.
  • ElastiCache replication group backup retention limit is sufficient.
  • ElastiCache replication group is being launched in a VPC environment.


The test AWS::ElasticLoadBalancing::LoadBalancer ensures:

  • Load balancer access logging is enabled.
  • Load balancer access logging policy is configured and enabled.
  • Load balancer is being launched into a VPC.
  • Load balancer listener on port 443 is using an SSL certificate.


The test AWS::Elasticsearch::Domain ensures:

  • Elasticsearch domain specifies an access policy.


The test AWS::IAM::AccessKey ensures:

  • IAM access keys are not defined in CloudFormation templates, since doing so risks exposing the secret key.


The test AWS::IAM::User ensures:

  • IAM user login profile does not hardcode a password into the template.
  • IAM user login profile requires a reset on first login.


The test AWS::KMS::Key ensures:

  • KMS key has rotation enabled.


The test AWS::Lambda::Function ensures:

  • Lambda function uses an up-to-date runtime.


The test AWS::Lambda::Permission ensures:

  • Lambda permission does not allow wildcard.
  • Lambda permission does not allow action from a possible third-party AWS account. Ensure this is desired behavior.
  • Lambda permission does not allow action from a wildcard principal.


The test AWS::Logs::LogGroup ensures:

  • Log group retention period is sufficient.


The test AWS::OpsWorks::App ensures:

  • SSL is enabled for OpsWorks application.


The test AWS::OpsWorks::Instance ensures:

  • OpsWorks instance is set to install OS and package updates on boot. Otherwise, potential security updates could be missed.
  • OpsWorks instance is using an AWS key pair. Alternate SSH methods may not be as secure.
  • OpsWorks instance is running in a VPC.


The test AWS::RDS::DBCluster ensures:

  • RDS cluster retention period is sufficient.
  • RDS cluster does not define the master password in plaintext. This should be a reference to a NoEcho value.
  • RDS cluster does not directly reference master password.
  • RDS cluster is encrypted.
  • RDS cluster is encrypted but not using the KMS master key.
  • RDS cluster is encrypted with a custom KMS key.
  • RDS cluster is being launched in a VPC and specifies VPC security groups.
  • RDS cluster defines VPC security group IDs.


The test AWS::OpsWorks::Layer ensures:

  • OpsWorks layer is not set to auto assign public IPs. Only NAT instances in a VPC should use public IPs.
  • OpsWorks instance is set to install OS and package updates on boot. Otherwise, potential security updates could be missed.


The test AWS::RDS::DBInstance ensures:

  • RDS instance is not set to prevent minor version upgrades. This may prevent it from receiving security updates.
  • RDS instance retention period is sufficient.
  • RDS instance uses VPC security groups.
  • RDS instance is being launched in a VPC.
  • RDS instance password is not listed as plaintext in the template. Consider using a reference to a NoEcho value.
  • RDS instance is not publicly accessible depending on VPC settings.
  • RDS instance storage is encrypted.
  • RDS instance uses a KMS key for encryption or is snapshot based.


The test AWS::RDS::DBSecurityGroup ensures:

  • Security group is not being created in EC2 Classic. Only VPCs should be used.
  • Security group ingress does not expose IPs globally using a port range.
  • Security group ingress does not expose a non-web port globally.


The test AWS::RDS::DBSecurityGroupIngress ensures:

  • Security group ingress is being created in VPC.
  • Security group ingress is not exposed globally.


The test AWS::Redshift::Cluster ensures:

  • Redshift cluster allows upgrades. Security updates may be missed.
  • Redshift cluster retention period is sufficient.
  • Redshift cluster is encrypted.
  • Redshift cluster uses custom KMS key for encryption.
  • Redshift cluster does not use the default KMS key for encryption.
  • Redshift cluster password is not listed as plaintext in the template. Consider using a reference to a NoEcho value.
  • Redshift cluster is not publicly accessible.
  • Redshift cluster is being launched in a VPC.


The test AWS::Redshift::ClusterSecurityGroupIngress ensures:

  • Security group ingress is being created in VPC.
  • Security group ingress is not exposed globally.


The test AWS::S3::Bucket ensures:

  • S3 bucket does not allow public read or write.
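To make concrete what a template check of this kind actually inspects, the following Python script is an added example, not the scanner's own code and not from the page. It implements a handful of the checks listed above over a constructed CloudFormation template embedded inline as JSON (parsed with the standard library, so no YAML dependency): the global port-range and non-web-port ingress rules for AWS::EC2::SecurityGroup, the public ACL check for AWS::S3::Bucket, logging and log file validation for AWS::CloudTrail::Trail, encryption and default-KMS-key use for AWS::EC2::Volume, and the plaintext-versus-NoEcho master password check for AWS::RDS::DBInstance. The logical resource names, sample property values, finding messages and the set of "web ports" are assumptions of the example; the resource types and property names are standard CloudFormation.

```python
import json

# Constructed sample template (not from the page or the scanner): a few
# deliberately weak resources plus one clean one so each check has work to do.
SAMPLE_TEMPLATE = json.loads(r"""
{
  "Parameters": {"DbPassword": {"Type": "String", "NoEcho": true}},
  "Resources": {
    "WebSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
      "GroupDescription": "web tier", "VpcId": "vpc-placeholder",
      "SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
        {"IpProtocol": "tcp", "FromPort": 1024, "ToPort": 65535, "CidrIp": "0.0.0.0/0"}]}},
    "LogsBucket": {"Type": "AWS::S3::Bucket", "Properties": {"AccessControl": "PublicRead"}},
    "Trail": {"Type": "AWS::CloudTrail::Trail", "Properties": {
      "IsLogging": true, "EnableLogFileValidation": false, "S3BucketName": {"Ref": "LogsBucket"}}},
    "DataVolume": {"Type": "AWS::EC2::Volume", "Properties": {"Size": 100, "AvailabilityZone": "us-east-1a"}},
    "Db": {"Type": "AWS::RDS::DBInstance", "Properties": {"MasterUserPassword": "hunter2"}},
    "GoodDb": {"Type": "AWS::RDS::DBInstance", "Properties": {"MasterUserPassword": {"Ref": "DbPassword"}}}
  }
}
""")

WEB_PORTS = {80, 443}                 # assumed definition of "web ports"
GLOBAL_CIDRS = {"0.0.0.0/0", "::/0"}  # IPv4 and IPv6 "anywhere"


def check_security_group(logical_id, props, params):
    """Flag ingress from anywhere that is not a single web port."""
    findings = []
    for rule in props.get("SecurityGroupIngress", []):
        cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
        if cidr not in GLOBAL_CIDRS:
            continue  # not globally exposed; nothing to report
        low, high = int(rule.get("FromPort", -1)), int(rule.get("ToPort", -1))
        # Protocol -1 means all traffic; FromPort != ToPort means a range.
        if str(rule.get("IpProtocol")) == "-1" or low != high:
            findings.append((logical_id, "ingress exposes a port range globally"))
        elif low not in WEB_PORTS:
            findings.append((logical_id, f"ingress exposes non-web port {low} globally"))
    return findings


def check_s3_bucket(logical_id, props, params):
    """Flag canned ACLs that grant public read or write."""
    acl = props.get("AccessControl", "Private")
    if acl in ("PublicRead", "PublicReadWrite"):
        return [(logical_id, f"bucket ACL {acl} allows public access")]
    return []


def check_cloudtrail(logical_id, props, params):
    """Trail must actually log and must sign its log files (digest validation)."""
    findings = []
    if not props.get("IsLogging", False):
        findings.append((logical_id, "trail is not set to log events"))
    if not props.get("EnableLogFileValidation", False):
        findings.append((logical_id, "trail has log file validation disabled"))
    return findings


def check_volume(logical_id, props, params):
    """Volume must be encrypted, preferably with a customer-managed KMS key."""
    if not props.get("Encrypted", False):
        return [(logical_id, "volume is not encrypted")]
    if "KmsKeyId" not in props:
        return [(logical_id, "volume is encrypted with the default master KMS key")]
    return []


def check_rds_instance(logical_id, props, params):
    """Master password must be a Ref to a NoEcho parameter, not a literal."""
    password = props.get("MasterUserPassword")
    if isinstance(password, str):
        return [(logical_id, "master password is a plaintext literal in the template")]
    if isinstance(password, dict) and "Ref" in password:
        if not params.get(password["Ref"], {}).get("NoEcho", False):
            return [(logical_id, "master password parameter is not marked NoEcho")]
    return []


CHECKS = {
    "AWS::EC2::SecurityGroup": check_security_group,
    "AWS::S3::Bucket": check_s3_bucket,
    "AWS::CloudTrail::Trail": check_cloudtrail,
    "AWS::EC2::Volume": check_volume,
    "AWS::RDS::DBInstance": check_rds_instance,
}


def scan(template):
    """Run the check matching each resource type; return (logical_id, message) pairs."""
    params = template.get("Parameters", {})
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        check = CHECKS.get(resource.get("Type"))
        if check is not None:
            findings.extend(check(logical_id, resource.get("Properties", {}), params))
    return findings


if __name__ == "__main__":
    for logical_id, message in scan(SAMPLE_TEMPLATE):
        print(f"{logical_id}: {message}")
```

Run against the embedded template this reports six findings: two for WebSg (port 22 and the 1024-65535 range; the 443 rule passes), one each for the public bucket, the trail without log file validation, the unencrypted volume and the literal database password, and nothing for GoodDb, whose password is a Ref to a NoEcho parameter. Port values given as intrinsic functions (for example a Ref) are not resolved here; a production checker would need to evaluate those before comparing ports.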