Networking policies

Ensure AWS Security Group does not allow all traffic on SSH port 22

Ensure Security Groups do not allow ingress from 0.0.0.0/0 to port 3389

Ensure AWS Default Security Group restricts all traffic

Ensure VPC peering routing tables have least access

Ensure EC2 instances do not have security groups attached

Ensure AWS VPC endpoints are not exposed

Ensure Security Groups do not have unrestricted access

Ensure Security Groups accept traffic only on ports 80 and 443

Ensure EC2 instance does not have unrestricted security group attached

Ensure RDS database does not have unrestricted security group attached

Ensure network interface does not have unrestricted security group attached

Ensure classic load balancer does not have unrestricted security group attached

Ensure application load balancer does not have unrestricted security group attached

Ensure Security Group attached to EC2 instance does not allow inbound traffic from all to TCP port 9300 (Elasticsearch)

Ensure Security Group attached to EC2 instance does not allow inbound traffic from all to TCP port 5601 (Kibana)

Ensure Security Group attached to EC2 instance does not allow inbound traffic from all to TCP port 6379 (Redis)

Ensure Security Group attached to EC2 instance does not allow inbound traffic from all to TCP port 2379 (etcd)

Ensure Security Group attached to EC2 instance does not allow inbound traffic from all to TCP 27017 (MongoDB)

Ensure Security Group attached to EC2 instance does not allow inbound traffic from all to TCP 27018 (MongoDB)

Ensure Security Group attached to ELB instance does not allow inbound traffic from all to TCP 27017 (MongoDB)

Ensure Security Group attached to ELB instance does not allow inbound traffic from all to TCP 27018 (MongoDB)

Ensure Security Group attached to application load balancer instance does not allow inbound traffic from all to TCP 27017 (MongoDB)

Ensure Security Group attached to application load balancer instance does not allow inbound traffic from all to TCP 27018 (MongoDB)
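The security-group policies above all reduce to the same evaluation: does an ingress rule whose source is the whole internet (0.0.0.0/0 or ::/0) reach a sensitive TCP port, including when the rule is a wide port range or "all protocols" rather than a single-port rule. The following is an added illustration of that evaluation over `describe-security-groups`-shaped JSON; it is not Bridgecrew or Checkov code, the policy titles it emits follow the wording above, and the two sample groups are constructed for the example.

```python
"""Evaluate the security-group policies listed above against
describe-security-groups style JSON. Added illustration, not
Bridgecrew/Checkov code; the sample groups below are constructed."""
import ipaddress

ANY_V4 = ipaddress.ip_network("0.0.0.0/0")
ANY_V6 = ipaddress.ip_network("::/0")

# TCP ports the policies above name explicitly.
SENSITIVE_TCP_PORTS = {
    22: "SSH", 3389: "RDP", 9300: "Elasticsearch", 5601: "Kibana",
    6379: "Redis", 2379: "etcd", 27017: "MongoDB", 27018: "MongoDB",
}
WEB_PORTS = {80, 443}


def world_sources(perm):
    """CIDR sources of a permission that mean 'anyone'. Security-group
    references and prefix lists are not the world and are not reported."""
    hits = []
    for r in perm.get("IpRanges", []):
        if ipaddress.ip_network(r["CidrIp"], strict=False) == ANY_V4:
            hits.append(r["CidrIp"])
    for r in perm.get("Ipv6Ranges", []):
        if ipaddress.ip_network(r["CidrIpv6"], strict=False) == ANY_V6:
            hits.append(r["CidrIpv6"])
    return hits


def covers_tcp_port(perm, port):
    """A rule reaches `port` if it is all-protocols (-1, which carries no
    FromPort/ToPort) or a TCP range containing it; a 1024-65535 range is
    as bad as a single-port rule for the ports it spans."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm["FromPort"] <= port <= perm["ToPort"]


def only_web_ports(perm):
    """True if the rule admits nothing but a single web port (80 or 443)."""
    return (perm.get("IpProtocol") == "tcp"
            and perm["FromPort"] == perm["ToPort"]
            and perm["FromPort"] in WEB_PORTS)


def evaluate_security_group(sg):
    """Return a sorted list of violated policy titles for one group."""
    findings = set()
    ingress = sg.get("IpPermissions", [])
    egress = sg.get("IpPermissionsEgress", [])

    # The default group should carry no rules at all, in either direction.
    if sg.get("GroupName") == "default" and (ingress or egress):
        findings.add("Ensure AWS Default Security Group restricts all traffic")

    # Every CIDR entry of every rule should carry a description.
    for perm in ingress + egress:
        for src in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
            if not src.get("Description"):
                findings.add("Ensure every Security Group rule has a description")

    for perm in ingress:
        if not world_sources(perm):
            continue  # restricted source: none of the world-open policies apply
        if perm.get("IpProtocol") == "-1":
            findings.add("Ensure Security Groups do not have unrestricted access")
        for port, name in SENSITIVE_TCP_PORTS.items():
            if covers_tcp_port(perm, port):
                findings.add("Ensure Security Group does not allow inbound traffic "
                             f"from all to TCP port {port} ({name})")
        if not only_web_ports(perm):
            findings.add("Ensure Security Groups accept traffic only on ports 80 and 443")
    return sorted(findings)


def scan(groups):
    """Map GroupId -> violated policies for a list of groups."""
    return {g["GroupId"]: evaluate_security_group(g) for g in groups}


# Constructed sample in the shape of `aws ec2 describe-security-groups`.
SAMPLE_GROUPS = [
    {"GroupName": "default", "GroupId": "sg-0default",
     "IpPermissions": [
         # SSH from anywhere, and the CIDR entry has no description.
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
         # Wide TCP range from the IPv6 world: spans 3389, 6379, 27017, ...
         {"IpProtocol": "tcp", "FromPort": 1024, "ToPort": 65535, "IpRanges": [],
          "Ipv6Ranges": [{"CidrIpv6": "::/0", "Description": "legacy"}]}],
     "IpPermissionsEgress": []},
    {"GroupName": "web", "GroupId": "sg-0web",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "public HTTPS"}],
          "Ipv6Ranges": []},
         # SSH limited to an internal range is not 'from all'.
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "10.0.0.0/8", "Description": "bastion"}],
          "Ipv6Ranges": []}],
     "IpPermissionsEgress": [
         {"IpProtocol": "-1", "Ipv6Ranges": [],
          "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "all outbound"}]}]},
]

if __name__ == "__main__":
    for gid, violated in scan(SAMPLE_GROUPS).items():
        print(gid, violated or "OK")
```

Two details matter in practice: a `-1` rule has no `FromPort`/`ToPort` keys in the API response, so the protocol must be checked before the range, and IPv6 `::/0` sources must be treated exactly like `0.0.0.0/0`, since an instance with a public IPv6 address is just as reachable through them.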

Do not use default settings of a VPC

Ensure Internet-facing ELBs are whitelisted

Ensure ALB protocol is HTTPS
Violation ID: BC_AWS_NETWORKING_29

Ensure every Security Group rule has a description

Ensure CloudFront distribution ViewerProtocolPolicy is set to HTTPS

Ensure CloudFront distributions do not use deprecated SSL protocols

Ensure ELBs do not allow insecure SSL protocols or ciphers

Ensure EC2 instances behind load balancers are not publicly accessible

Ensure ELBs use SSL listeners

Ensure DocDB TLS is not disabled

Ensure AWS SageMaker notebook instance has direct internet access disabled

Ensure VPC endpoint service is configured for manual acceptance

Ensure Amazon EMR clusters' security groups are not open to the world

Ensure that ALB drops invalid HTTP header fields

Ensure that Elasticsearch is configured inside a VPC

Ensure ELB has cross-zone-load-balancing enabled

Ensure AWS Redshift clusters are not publicly accessible

Ensure auto scaling groups associated with a load balancer use elastic load balancing health checks

Ensure AWS EC2 instance is configured with VPC

Ensure all EIP addresses allocated to a VPC are attached to EC2 instances or NAT Gateways

Ensure ALB redirects HTTP requests to HTTPS

Ensure all NACL are attached to subnets

Ensure Security Groups are attached to EC2 instances or ENIs

Ensure S3 Bucket has public access blocks

Ensure VPC subnets do not assign public IP by default

Ensure no default VPC is planned to be provisioned

Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled

Ensure Redshift is not deployed outside of a VPC

Ensure Transfer Server is not exposed publicly

Ensure public-facing ALBs are protected by WAF

Ensure public API Gateways are protected by WAF

Security Group modifications detected