= Identity and Access Management
1-Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password
2-Ensure credentials unused for 90 days or greater are disabled
3-Ensure access keys are rotated every 90 days or less
4-Ensure IAM password policy requires at least one uppercase letter
5-Ensure IAM password policy requires at least one lowercase letter
6-Ensure IAM password policy requires at least one symbol
7-Ensure IAM password policy requires at least one number
8-Ensure IAM password policy requires minimum length of 14 or greater
9-Ensure no root account access key exists
10-Ensure MFA is enabled for the "root" account
11-Ensure security questions are registered in the AWS account
12-Ensure IAM policies are attached only to groups or roles
13-Enable detailed billing
14-Maintain current contact details
15-Ensure security contact information is registered
16-Ensure IAM instance roles are used for AWS resource access from instances
17-Avoid the use of the "root" account
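Checks 1, 2, 3, 4-8, 9 and 10 above can all be evaluated from two IAM data sources: the account credential report and the account password policy. The script below is an added example, not part of the original checklist. It assumes the credential report CSV shape returned by `iam.get_credential_report()` (only the columns the checks read are kept) and a password policy dict shaped like `get_account_password_policy()["PasswordPolicy"]`; both are constructed inline, with a fixed clock, so the checks run offline and reproducibly.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed credential report: a subset of the columns iam.get_credential_report()
# emits. Timestamps are ISO-8601; N/A / not_supported / no_information mean "none".
CREDENTIAL_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111111111111:root,2019-01-01T00:00:00+00:00,not_supported,2024-05-01T08:00:00+00:00,not_supported,true,true,2019-01-01T00:00:00+00:00,N/A,false,N/A,N/A
alice,arn:aws:iam::111111111111:user/alice,2023-01-10T00:00:00+00:00,true,2024-05-20T09:00:00+00:00,2024-03-01T00:00:00+00:00,true,true,2024-04-15T00:00:00+00:00,2024-05-20T00:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::111111111111:user/bob,2023-02-10T00:00:00+00:00,true,2024-05-19T09:00:00+00:00,2024-01-01T00:00:00+00:00,false,true,2023-09-01T00:00:00+00:00,2024-05-19T00:00:00+00:00,false,N/A,N/A
carol,arn:aws:iam::111111111111:user/carol,2022-06-01T00:00:00+00:00,true,2023-11-01T09:00:00+00:00,2023-10-01T00:00:00+00:00,true,false,N/A,N/A,false,N/A,N/A
"""

# Constructed policy in the shape of get_account_password_policy()["PasswordPolicy"].
PASSWORD_POLICY = {
    "MinimumPasswordLength": 8,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "RequireSymbols": False,
    "RequireNumbers": True,
}

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock so the results are reproducible
MAX_AGE = timedelta(days=90)


def _ts(value):
    """Parse a report timestamp; the report's placeholder strings mean 'no value'."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def _older_than(ts, now, age):
    return ts is not None and now - ts > age


def evaluate_iam(report_csv, policy, now=NOW):
    """Return the failing items for checks 1-3 (per user), 4-8 (policy), 9 and 10 (root)."""
    findings = {"no_mfa": [], "unused_90d": [], "key_not_rotated": [],
                "root_access_key": False, "root_mfa": True, "password_policy": []}
    for r in csv.DictReader(io.StringIO(report_csv)):
        if r["user"] == "<root_account>":
            findings["root_mfa"] = r["mfa_active"] == "true"          # check 10
            findings["root_access_key"] = any(                       # check 9
                r[f"access_key_{i}_active"] == "true" for i in (1, 2))
            continue
        # Check 1: console users without MFA.
        if r["password_enabled"] == "true" and r["mfa_active"] != "true":
            findings["no_mfa"].append(r["user"])
        # Check 2: console password unused for 90 days (never used -> age from last change).
        if r["password_enabled"] == "true":
            last = _ts(r["password_last_used"]) or _ts(r["password_last_changed"])
            if _older_than(last, now, MAX_AGE):
                findings["unused_90d"].append(f"{r['user']}:password")
        for i in (1, 2):
            if r[f"access_key_{i}_active"] != "true":
                continue
            rotated = _ts(r[f"access_key_{i}_last_rotated"])
            # Check 2 again for keys (never used -> age from creation/rotation).
            last = _ts(r[f"access_key_{i}_last_used_date"]) or rotated
            if _older_than(last, now, MAX_AGE):
                findings["unused_90d"].append(f"{r['user']}:key{i}")
            # Check 3: active key older than 90 days.
            if _older_than(rotated, now, MAX_AGE):
                findings["key_not_rotated"].append(f"{r['user']}:key{i}")
    # Checks 4-8: complexity flags and minimum length.
    required = {"RequireUppercaseCharacters": "uppercase letter",
                "RequireLowercaseCharacters": "lowercase letter",
                "RequireSymbols": "symbol",
                "RequireNumbers": "number"}
    for key, label in required.items():
        if not policy.get(key, False):
            findings["password_policy"].append(label)
    if policy.get("MinimumPasswordLength", 0) < 14:
        findings["password_policy"].append("minimum length 14")
    return findings


if __name__ == "__main__":
    for name, value in evaluate_iam(CREDENTIAL_REPORT, PASSWORD_POLICY).items():
        print(f"{name}: {value}")
```

Against the constructed data this flags bob for missing MFA and an unrotated key, carol for a console password unused for more than 90 days, an active root access key, and a password policy lacking a symbol requirement and a 14-character minimum. Note that a credential report is generated asynchronously, so a live run has to call `generate_credential_report` and poll until the report is ready before reading it.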
= Logging
1-Ensure CloudTrail is enabled in all regions
2-Ensure CloudTrail log file validation is enabled
3-Ensure the S3 bucket CloudTrail logs to is not publicly accessible
4-Ensure CloudTrail trails are integrated with CloudWatch Logs
5-Ensure AWS Config is enabled in all regions
6-Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
7-Ensure CloudTrail logs are encrypted at rest using KMS CMKs
8-Ensure rotation for customer created CMKs is enabled
= Networking
1-Ensure no security groups allow ingress from 0.0.0.0/0 to port 22
2-Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389
3-Ensure VPC flow logging is enabled in all VPCs
4-Ensure the default security group of every VPC restricts all traffic
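Checks 1, 2 and 4 of this section are evaluations over security group rules. The script below is an added example rather than the benchmark's own tooling; it assumes input in the shape of `ec2.describe_security_groups()["SecurityGroups"]` (constructed inline here, so it runs offline). It goes slightly beyond the text in two ways that matter in practice: a rule counts as exposing port 22 or 3389 when its port range merely contains the port or when its protocol is `-1` (all traffic), and the IPv6 wildcard `::/0` is treated the same as `0.0.0.0/0`.

```python
# Constructed sample shaped like ec2.describe_security_groups()["SecurityGroups"];
# a live check would page through that call in every region.
SECURITY_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "web", "VpcId": "vpc-0a1",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}],    # SSH from inside only
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                              "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb", "GroupName": "bastion", "VpcId": "vpc-0a1",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}],      # check 1 violation
     "IpPermissionsEgress": []},
    {"GroupId": "sg-0ccc", "GroupName": "legacy-rdp", "VpcId": "vpc-0a1",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,          # range contains 3389
          "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],      # all traffic, all ports
          "Ipv6Ranges": []}],
     "IpPermissionsEgress": []},
    {"GroupId": "sg-0ddd", "GroupName": "default", "VpcId": "vpc-0a1",    # check 4 violation
     "IpPermissions": [{"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-0ddd"}],
                        "IpRanges": [], "Ipv6Ranges": []}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                              "Ipv6Ranges": []}]},
    {"GroupId": "sg-0eee", "GroupName": "default", "VpcId": "vpc-0b2",    # compliant default
     "IpPermissions": [], "IpPermissionsEgress": []},
]

WORLD = {"0.0.0.0/0", "::/0"}
ADMIN_PORTS = {22: "ssh", 3389: "rdp"}


def _world_open(rule):
    """True if the rule's source includes the whole IPv4 or IPv6 internet."""
    cidrs = {r.get("CidrIp") for r in rule.get("IpRanges", [])}
    cidrs |= {r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])}
    return bool(cidrs & WORLD)


def _covers_port(rule, port):
    """IpProtocol -1 means every protocol and port; otherwise a TCP range must contain the port."""
    if rule.get("IpProtocol") == "-1":
        return True
    if rule.get("IpProtocol") not in ("tcp", "6"):
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def open_admin_ports(groups):
    """Checks 1 and 2: (GroupId, service) pairs reachable from the world on 22 or 3389."""
    findings = set()
    for g in groups:
        for rule in g["IpPermissions"]:
            if not _world_open(rule):
                continue
            for port, name in ADMIN_PORTS.items():
                if _covers_port(rule, port):
                    findings.add((g["GroupId"], name))
    return sorted(findings)


def permissive_default_groups(groups):
    """Check 4: default groups that still carry any ingress or egress rule at all."""
    return sorted(g["GroupId"] for g in groups
                  if g["GroupName"] == "default"
                  and (g["IpPermissions"] or g["IpPermissionsEgress"]))


if __name__ == "__main__":
    print("open admin ports:", open_admin_ports(SECURITY_GROUPS))
    print("permissive default groups:", permissive_default_groups(SECURITY_GROUPS))
```

The default-group check deliberately counts the self-referencing ingress rule and the allow-all egress rule that AWS creates with every new VPC: the benchmark item asks that the default group restrict all traffic, which means removing both, and relying on it for nothing.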
= Monitoring
1-Ensure a log metric filter and alarm exist for unauthorized API calls
2-Ensure a log metric filter and alarm exist for Management Console sign-in without MFA
3-Ensure a log metric filter and alarm exist for usage of "root" account
4-Ensure a log metric filter and alarm exist for IAM policy changes
5-Ensure a log metric filter and alarm exist for CloudTrail configuration changes
6-Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
7-Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs
8-Ensure a log metric filter and alarm exist for S3 bucket policy changes
9-Ensure a log metric filter and alarm exist for AWS Config configuration changes
10-Ensure a log metric filter and alarm exist for security group changes
11-Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)
12-Ensure a log metric filter and alarm exist for changes to network gateways
13-Ensure a log metric filter and alarm exist for route table changes
14-Ensure a log metric filter and alarm exist for VPC changes
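Each monitoring item is a CloudWatch Logs metric filter over the CloudTrail events delivered to the log group from Logging item 4, plus an alarm on the resulting metric. The script below is an added example, not part of the original checklist: it expresses the filters for items 1, 2, 3, 5, 6, 7, 8 and 10 as Python predicates and runs them over constructed CloudTrail records (only the fields the filters read are present), which is a convenient way to test a detection's logic before deploying the pattern. Where a comment quotes a filter pattern, it is the benchmark's recommended pattern; the event-name sets follow the benchmark's patterns as well. Item 2 applies the clauses later benchmark revisions added (IAM user, successful login) so that a failed sign-in is not double-counted as a sign-in without MFA.

```python
# Constructed CloudTrail records carrying only the fields the filters read.
EVENTS = [
    {"eventID": "e1", "eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
     "userIdentity": {"type": "Root"}, "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},            # root, with MFA
    {"eventID": "e2", "eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},            # IAM user, no MFA
    {"eventID": "e3", "eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "errorMessage": "Failed authentication",
     "responseElements": {"ConsoleLogin": "Failure"}},            # failed sign-in
    {"eventID": "e4", "eventName": "DescribeInstances", "eventType": "AwsApiCall",
     "eventSource": "ec2.amazonaws.com", "userIdentity": {"type": "IAMUser"},
     "errorCode": "Client.UnauthorizedOperation"},                # denied API call
    {"eventID": "e5", "eventName": "AuthorizeSecurityGroupIngress", "eventType": "AwsApiCall",
     "eventSource": "ec2.amazonaws.com", "userIdentity": {"type": "AssumedRole"}},
    {"eventID": "e6", "eventName": "StopLogging", "eventType": "AwsApiCall",
     "eventSource": "cloudtrail.amazonaws.com", "userIdentity": {"type": "IAMUser"}},
    {"eventID": "e7", "eventName": "DisableKey", "eventType": "AwsApiCall",
     "eventSource": "kms.amazonaws.com", "userIdentity": {"type": "IAMUser"}},
    {"eventID": "e8", "eventName": "DescribeInstances", "eventType": "AwsApiCall",
     "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "Root", "invokedBy": "config.amazonaws.com"}},  # service acting for root
    {"eventID": "e9", "eventName": "PutBucketPolicy", "eventType": "AwsApiCall",
     "eventSource": "s3.amazonaws.com", "userIdentity": {"type": "IAMUser"}},
]


def _get(event, *path):
    """Walk nested keys, returning None where the path is absent (like $.a.b in a filter)."""
    for key in path:
        if not isinstance(event, dict) or key not in event:
            return None
        event = event[key]
    return event


ALARMS = {
    # Item 1: { ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }
    "unauthorized_api_call": lambda e: (
        str(e.get("errorCode", "")).endswith("UnauthorizedOperation")
        or str(e.get("errorCode", "")).startswith("AccessDenied")),
    # Item 2: { ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }
    # plus the IAMUser / successful-login clauses of later revisions.
    "console_signin_without_mfa": lambda e: (
        e.get("eventName") == "ConsoleLogin"
        and _get(e, "additionalEventData", "MFAUsed") != "Yes"
        and _get(e, "userIdentity", "type") == "IAMUser"
        and _get(e, "responseElements", "ConsoleLogin") == "Success"),
    # Item 3: { $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS
    #           && $.eventType != "AwsServiceEvent" }
    "root_account_usage": lambda e: (
        _get(e, "userIdentity", "type") == "Root"
        and "invokedBy" not in e.get("userIdentity", {})
        and e.get("eventType") != "AwsServiceEvent"),
    # Item 5: CloudTrail configuration changes.
    "cloudtrail_config_change": lambda e: e.get("eventName") in {
        "CreateTrail", "UpdateTrail", "DeleteTrail", "StartLogging", "StopLogging"},
    # Item 6: { ($.eventName = ConsoleLogin) && ($.errorMessage = "Failed authentication") }
    "console_auth_failure": lambda e: (
        e.get("eventName") == "ConsoleLogin"
        and e.get("errorMessage") == "Failed authentication"),
    # Item 7: disabling or scheduled deletion of customer CMKs.
    "cmk_disable_or_delete": lambda e: (
        e.get("eventSource") == "kms.amazonaws.com"
        and e.get("eventName") in {"DisableKey", "ScheduleKeyDeletion"}),
    # Item 8: S3 bucket policy changes.
    "s3_bucket_policy_change": lambda e: (
        e.get("eventSource") == "s3.amazonaws.com"
        and e.get("eventName") in {
            "PutBucketAcl", "PutBucketPolicy", "PutBucketCors", "PutBucketLifecycle",
            "PutBucketReplication", "DeleteBucketPolicy", "DeleteBucketCors",
            "DeleteBucketLifecycle", "DeleteBucketReplication"}),
    # Item 10: security group changes.
    "security_group_change": lambda e: e.get("eventName") in {
        "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
        "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
        "CreateSecurityGroup", "DeleteSecurityGroup"},
}


def match_alarms(event):
    """Names of the alarms whose metric this single event would increment."""
    return sorted(name for name, pred in ALARMS.items() if pred(event))


def scan(events):
    """Map each alarm to the eventIDs that triggered it, i.e. the metric hits per filter."""
    hits = {}
    for e in events:
        for name in match_alarms(e):
            hits.setdefault(name, []).append(e["eventID"])
    return hits


if __name__ == "__main__":
    for name, ids in scan(EVENTS).items():
        print(f"{name}: {ids}")
```

Record e8 is the instructive one: the root identity appears, but `invokedBy` is present because an AWS service made the call on the account's behalf, so the root-usage filter correctly stays silent, exactly the `NOT EXISTS` clause in the pattern. The alarm half of each item (item 1 through 14) is then a CloudWatch alarm on the filter's metric with a threshold of 1 and an SNS notification, which this offline check does not model.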
1-Identify Security Requirements
-Define and Categorize Assets in AWS
-Create Classifications for Data and Applications
2-Deploy Solutions Designed to Solve Cloud Security Challenges
-Manage Cloud Access: Limiting
-Use Cloud-Native Security Solutions
-Protect All Your Perimeters and Segment Everything
-Maintain a Consistent Security Posture Throughout AWS Deployments
-Manage AWS accounts, IAM Users, Groups, and Roles
-Manage Access to Amazon EC2 Instances
3-Protect AWS Workloads
-Implement Cloud Workload Protection for Serverless and Containers
-Implement Proactive Cloud Security
-Define Incident Response Policies and Procedures
2-Append an extra file extension - If the application does not properly validate the file extension, this can be bypassed by appending another extension, for example changing script.php to script.php.gif or script.gif.php
3-Change the casing of the extension - Try different combinations of lower and upper case, for example pHp, PhP, phP, Php, etc.
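Both items above defeat validators that look only at the last extension or compare it case-sensitively. The function below is an added example of a validator that closes both gaps (it is not code from the original list): every dot-separated segment is lower-cased before comparison, a server-side executable extension anywhere in the name is rejected, and only a single, allowlisted final extension is accepted. The allowlist and blocklist are constructed for the example and would be tuned to the application.

```python
import os
import re

# Constructed allowlist for an image/document upload endpoint.
ALLOWED_EXTENSIONS = {"gif", "jpg", "jpeg", "png", "pdf"}
# Constructed blocklist: extensions that must not appear anywhere in the name, even as an
# inner segment, so both script.php.gif and script.gif.php are rejected.
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phar", "asp", "aspx",
                         "jsp", "jspx", "cgi", "pl", "py", "sh", "htaccess", "exe"}
SAFE_STEM = re.compile(r"^[a-z0-9_-]{1,64}$")


def validate_upload_name(filename):
    """Return (accepted, reason) for a client-supplied file name.

    Casing is normalised before any comparison, so pHp, PhP and Php are all 'php';
    the inner-segment check is what defeats the double-extension trick."""
    base = os.path.basename(filename.replace("\\", "/"))  # discard any directory part
    if base in ("", ".", ".."):
        return False, "empty name"
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "missing extension or hidden file"
    stem, exts = parts[0], parts[1:]
    if not SAFE_STEM.match(stem):
        return False, "stem contains disallowed characters"
    if any(e in EXECUTABLE_EXTENSIONS for e in exts):
        return False, "executable extension present"
    if exts[-1] not in ALLOWED_EXTENSIONS:
        return False, "final extension not on allowlist"
    if len(exts) > 1:
        return False, "multiple extensions"
    return True, "ok"


if __name__ == "__main__":
    for name in ("photo.PNG", "script.php.gif", "script.gif.php", "shell.PhP", "archive.tar.gz"):
        print(name, "->", validate_upload_name(name))
```

Name validation is one layer only: the stored object should also be written under a server-generated name in a location the web server does not execute from, and its content type checked independently of the extension, so that a validator mistake does not by itself become code execution.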