Issue-specific guides for common AWS misconfigurations
This library maps directly to checks surfaced in Posturio scans. Each page explains what the finding means, why it matters, and how to remediate and verify closure in production environments.
Use this as a working index for engineering and platform teams handling cloud hardening. Each guide links to a free scan path so you can validate findings in your own environment quickly.
Coverage
IAM checks
AWS MFA Enforcement Strategy Guide
Build an AWS MFA enforcement strategy that covers root access, IAM users, privileged roles, and day-two operational governance.
AWS Root MFA Not Enabled
Learn how to enable MFA for the AWS root account, why it matters for account takeover prevention, and how to verify the control is enforced.
Access Keys Older Than 90 Days
Rotate aging IAM access keys safely with a staged process that avoids outages while improving credential hygiene.
Account Alternate Contacts Missing
How to remediate and verify: Account Alternate Contacts Missing.
Account Billing Contact Missing
How to remediate and verify: Account Billing Contact Missing.
Account Operations Contact Missing
How to remediate and verify: Account Operations Contact Missing.
Account Security Contact Missing
How to remediate and verify: Account Security Contact Missing.
Console Users Without MFA Enabled
How to remediate and verify: Console Users Without MFA Enabled.
Cross-Account Trust Is Too Broad
How to remediate and verify: Cross-Account Trust Is Too Broad.
IAM Access Analyzer Is Disabled
How to remediate and verify: IAM Access Analyzer Is Disabled.
IAM Access Key Older Than 90 Days
How to remediate and verify: IAM Access Key Older Than 90 Days.
IAM Access Keys Not Rotated
How to remediate and verify: IAM Access Keys Not Rotated.
IAM Admin Users Audit
Audit users with administrator-level permissions and reduce broad access through role-based privilege boundaries.
IAM Credential Report Not Reviewed
How to remediate and verify: IAM Credential Report Not Reviewed.
IAM Inline Policies Attached
How to remediate and verify: IAM Inline Policies Attached.
IAM Policy Allows Wildcard Actions
How to remediate and verify: IAM Policy Allows Wildcard Actions.
IAM Policy Allows Wildcard Resources
How to remediate and verify: IAM Policy Allows Wildcard Resources.
IAM Role Has AdministratorAccess
How to remediate and verify: IAM Role Has AdministratorAccess.
IAM Roles Missing Ownership Tags
How to remediate and verify: IAM Roles Missing Ownership Tags.
IAM Roles Trusted By Everyone
How to remediate and verify: IAM Roles Trusted By Everyone.
IAM User Has AdministratorAccess
How to remediate and verify: IAM User Has AdministratorAccess.
IAM User Has No Last Used Activity
How to remediate and verify: IAM User Has No Last Used Activity.
IAM User Password Not Changed Recently
How to remediate and verify: IAM User Password Not Changed Recently.
IAM Users Missing Ownership Tags
How to remediate and verify: IAM Users Missing Ownership Tags.
IAM Users Without MFA
Find IAM users missing MFA, understand the exposure, and apply a practical rollout plan without blocking critical engineering workflows.
OIDC Provider Configuration Issues
How to remediate and verify: OIDC Provider Configuration Issues.
Root Access Keys Exist
Remove AWS root access keys and replace legacy workflows with scoped IAM roles and temporary credentials.
Root Account MFA Is Disabled
How to remediate and verify: Root Account MFA Is Disabled.
Root User Has Active Access Keys
How to remediate and verify: Root User Has Active Access Keys.
SAML Provider Configuration Issues
How to remediate and verify: SAML Provider Configuration Issues.
Service Role Over-Privileged
How to remediate and verify: Service Role Over-Privileged.
Support Access Role Missing
How to remediate and verify: Support Access Role Missing.
Unused IAM Access Keys
Detect and remove dormant IAM keys that silently expand your attack surface and complicate incident response.
Unused IAM Roles Present
How to remediate and verify: Unused IAM Roles Present.
Weak IAM Account Password Policy
How to remediate and verify: Weak IAM Account Password Policy.
Weak IAM Password Policy
Strengthen your IAM password policy with practical defaults for minimum length, complexity, rotation expectations, and lockout protection.
S3 checks
Public Objects Detected In Bucket
How to remediate and verify: Public Objects Detected In Bucket.
Public S3 Bucket ACL
Find S3 ACL misconfigurations that permit global object access and migrate to safer ownership and policy controls.
Public S3 Bucket Policy
Detect and remediate S3 bucket policies that expose objects to anonymous or overly broad principals.
S3 Block Public Access Is Disabled
How to remediate and verify: S3 Block Public Access Is Disabled.
S3 Bucket ACL Grants Public Access
How to remediate and verify: S3 Bucket ACL Grants Public Access.
S3 Bucket Allows Cross-Account Access
How to remediate and verify: S3 Bucket Allows Cross-Account Access.
S3 Bucket Allows Insecure Transport
How to remediate and verify: S3 Bucket Allows Insecure Transport.
S3 Bucket Allows Public Read
How to remediate and verify: S3 Bucket Allows Public Read.
S3 Bucket Allows Public Write
How to remediate and verify: S3 Bucket Allows Public Write.
S3 Bucket Default Encryption Disabled
How to remediate and verify: S3 Bucket Default Encryption Disabled.
S3 Bucket Missing Deny Guardrails
How to remediate and verify: S3 Bucket Missing Deny Guardrails.
S3 Bucket Missing Lifecycle Policies
How to remediate and verify: S3 Bucket Missing Lifecycle Policies.
S3 Bucket Not Encrypted With KMS
How to remediate and verify: S3 Bucket Not Encrypted With KMS.
S3 Bucket Policy Uses Wildcards
How to remediate and verify: S3 Bucket Policy Uses Wildcards.
S3 Bucket Versioning Disabled
How to remediate and verify: S3 Bucket Versioning Disabled.
S3 Encryption Not Enabled
Enable default encryption for S3 buckets and align key management practices with your data sensitivity model.
S3 KMS Key Rotation Disabled
How to remediate and verify: S3 KMS Key Rotation Disabled.
S3 Logging Not Enabled
Enable S3 access logging for critical buckets to improve incident investigations and data access accountability.
S3 Logging Target Bucket Missing
How to remediate and verify: S3 Logging Target Bucket Missing.
S3 MFA Delete Disabled
How to remediate and verify: S3 MFA Delete Disabled.
S3 Object Lock / Retention Not Configured
How to remediate and verify: S3 Object Lock / Retention Not Configured.
S3 Objects Not Encrypted At Rest
How to remediate and verify: S3 Objects Not Encrypted At Rest.
S3 Policy Action Star Detected
How to remediate and verify: S3 Policy Action Star Detected.
S3 Policy Principal Star Detected
How to remediate and verify: S3 Policy Principal Star Detected.
S3 Policy Resource Star Detected
How to remediate and verify: S3 Policy Resource Star Detected.
S3 Public Access Block Not Enabled
Enable S3 Block Public Access at account and bucket levels to prevent accidental exposure from policy or ACL drift.
S3 Replication Not Configured
How to remediate and verify: S3 Replication Not Configured.
S3 Server Access Logging Disabled
How to remediate and verify: S3 Server Access Logging Disabled.
S3 Static Website Hosting Enabled
How to remediate and verify: S3 Static Website Hosting Enabled.
Sensitive Prefixes Exposed In S3
How to remediate and verify: Sensitive Prefixes Exposed In S3.
Network checks
API Gateway Missing WAF Protection
How to remediate and verify: API Gateway Missing WAF Protection.
Application Load Balancer Is Public
How to remediate and verify: Application Load Balancer Is Public.
CloudFront Allows HTTP
How to remediate and verify: CloudFront Allows HTTP.
CloudFront Uses Weak TLS Policy
How to remediate and verify: CloudFront Uses Weak TLS Policy.
Default Security Group Has Inbound/Outbound Rules
How to remediate and verify: Default Security Group Has Inbound/Outbound Rules.
Default VPC Exposure Risk
Review default VPC resources and security group baselines to prevent inherited exposure in newly launched workloads.
Internet Gateway Attached To VPC
How to remediate and verify: Internet Gateway Attached To VPC.
Load Balancer Access Logs Disabled
How to remediate and verify: Load Balancer Access Logs Disabled.
NAT Gateway Missing For Private Subnets
How to remediate and verify: NAT Gateway Missing For Private Subnets.
Network ACL Allows Open Inbound
How to remediate and verify: Network ACL Allows Open Inbound.
Network ACL Allows Open Outbound
How to remediate and verify: Network ACL Allows Open Outbound.
Network Load Balancer Is Public
How to remediate and verify: Network Load Balancer Is Public.
Route Table Exposes Public Subnet
How to remediate and verify: Route Table Exposes Public Subnet.
Security Group Allows 0.0.0.0/0 Wide Ports
Detect broad internet ingress rules and tighten exposure boundaries to reduce exploitable network surface.
Security Group Allows All Traffic From 0.0.0.0/0
How to remediate and verify: Security Group Allows All Traffic From 0.0.0.0/0.
Security Group Allows RDP From 0.0.0.0/0
How to remediate and verify: Security Group Allows RDP From 0.0.0.0/0.
Security Group Allows SSH From 0.0.0.0/0
How to remediate and verify: Security Group Allows SSH From 0.0.0.0/0.
Security Group Allows Unrestricted Egress
How to remediate and verify: Security Group Allows Unrestricted Egress.
Security Group Open Port 22
Restrict SSH exposure by removing broad inbound rules and moving to controlled administrative access patterns.
Security Group Open Port 3389
Reduce RDP exposure risk by narrowing inbound paths and enforcing controlled administrative access channels.
Shield Advanced Not Enabled
How to remediate and verify: Shield Advanced Not Enabled.
Unused Security Groups Present
How to remediate and verify: Unused Security Groups Present.
VPC Endpoint For DynamoDB Missing
How to remediate and verify: VPC Endpoint For DynamoDB Missing.
VPC Endpoint For S3 Missing
How to remediate and verify: VPC Endpoint For S3 Missing.
VPC Flow Logs Not Centralized
How to remediate and verify: VPC Flow Logs Not Centralized.
VPC Flow Logs Not Enabled
How to remediate and verify: VPC Flow Logs Not Enabled.
VPC Peering Routes Are Too Broad
How to remediate and verify: VPC Peering Routes Are Too Broad.
VPN Tunnel Down Or Unhealthy
How to remediate and verify: VPN Tunnel Down Or Unhealthy.
WAF Is Disabled
How to remediate and verify: WAF Is Disabled.
Logging checks
ALB Access Logs Disabled
How to remediate and verify: ALB Access Logs Disabled.
AWS Config Delivery Channel Missing
How to remediate and verify: AWS Config Delivery Channel Missing.
AWS Config Is Disabled
How to remediate and verify: AWS Config Is Disabled.
AWS Config Recorder Disabled
How to remediate and verify: AWS Config Recorder Disabled.
CloudFront Access Logs Disabled
How to remediate and verify: CloudFront Access Logs Disabled.
CloudTrail Is Disabled
How to remediate and verify: CloudTrail Is Disabled.
CloudTrail Log File Validation Disabled
Enable CloudTrail log file validation to detect tampering and strengthen evidence integrity during investigations.
CloudTrail Log Validation Not Enabled
Enable CloudTrail log validation to detect log tampering and preserve audit-trail integrity.
CloudTrail Logs Bucket Is Public
How to remediate and verify: CloudTrail Logs Bucket Is Public.
CloudTrail Logs Not Encrypted
How to remediate and verify: CloudTrail Logs Not Encrypted.
CloudTrail Not Enabled
Enable AWS CloudTrail across your environment to establish baseline API activity visibility and forensic traceability.
CloudTrail Not Multi-Region
Configure CloudTrail as multi-region so new region activity is captured automatically and consistently.
CloudTrail Not Using KMS
How to remediate and verify: CloudTrail Not Using KMS.
CloudWatch Alarms Missing For Key Metrics
How to remediate and verify: CloudWatch Alarms Missing For Key Metrics.
CloudWatch Log Retention Too Short
How to remediate and verify: CloudWatch Log Retention Too Short.
GuardDuty Is Disabled
How to remediate and verify: GuardDuty Is Disabled.
KMS Key Policy Is Too Permissive
How to remediate and verify: KMS Key Policy Is Too Permissive.
KMS Key Rotation Disabled
How to remediate and verify: KMS Key Rotation Disabled.
S3 Access Logs Disabled
How to remediate and verify: S3 Access Logs Disabled.
SNS Topic Policy Is Public
How to remediate and verify: SNS Topic Policy Is Public.
SQS Queue Policy Is Public
How to remediate and verify: SQS Queue Policy Is Public.
Security Hub Is Disabled
How to remediate and verify: Security Hub Is Disabled.
Compute checks
AMI Is Public
How to remediate and verify: AMI Is Public.
EBS Snapshot Is Public
How to remediate and verify: EBS Snapshot Is Public.
EC2 Instance Allows IMDSv1
How to remediate and verify: EC2 Instance Allows IMDSv1.
EC2 Instance Has Public IP
How to remediate and verify: EC2 Instance Has Public IP.
EC2 Instance Uses Unencrypted EBS Volume
How to remediate and verify: EC2 Instance Uses Unencrypted EBS Volume.
EKS API Endpoint Is Public
How to remediate and verify: EKS API Endpoint Is Public.
EKS Control Plane Logging Disabled
How to remediate and verify: EKS Control Plane Logging Disabled.
EKS Secrets Not Encrypted With KMS
How to remediate and verify: EKS Secrets Not Encrypted With KMS.
Lambda Function Has Public Invoke Permission
How to remediate and verify: Lambda Function Has Public Invoke Permission.
Lambda Missing CloudWatch Log Group
How to remediate and verify: Lambda Missing CloudWatch Log Group.
Lambda Not Configured In VPC Where Required
How to remediate and verify: Lambda Not Configured In VPC Where Required.
RDS Automated Backups Disabled
How to remediate and verify: RDS Automated Backups Disabled.
RDS Deletion Protection Disabled
How to remediate and verify: RDS Deletion Protection Disabled.
RDS Instance Is Publicly Accessible
How to remediate and verify: RDS Instance Is Publicly Accessible.
RDS Storage Not Encrypted
How to remediate and verify: RDS Storage Not Encrypted.