Skip to content

The 48 AWS security checks Black Cat runs

Black Cat SSPM evaluates 48 security policies against your AWS configuration on every scan, classifies each finding by risk, and provides remediation steps. Below is the full list, grouped by category.

access control

criticalRoot Access Key Exists

Delete all access keys associated with the AWS root account

mediumUnused Access Keys

Deactivate or delete IAM access keys that have not been used recently

mediumOld Access Keys Not Rotated

Rotate IAM access keys older than 90 days

mediumInactive IAM Users

Deactivate or remove IAM users who have been inactive for 90+ days

mediumPassword Never Used

Deactivate the console login profile for IAM users who have never signed in

criticalOverly Permissive IAM Policy

Replace wildcard IAM policy permissions with specific actions and resource ARNs

highWeak Password Policy

Strengthen the IAM account password policy to meet security best practices

mediumPassword Policy Expiration Too Long

Reduce maximum password age to 90 days or fewer

highSCP Not Attached to Root

Attach at least one SCP to the organizational root to enforce root-level guardrails

mediumSCP Allows All Actions

Replace the wildcard Allow SCP with restrictive deny-based guardrails

mediumSCP Overly Broad Deny Exception

Narrow the NotAction exception list in the SCP Deny statement

audit

criticalCloudTrail Not Logging

Enable logging on the CloudTrail trail to ensure API activity is being recorded

mediumCloudTrail Log Validation Disabled

Enable log file validation on the CloudTrail trail to detect tampering

highCloudTrail Not Multi-Region

Configure the CloudTrail trail to log events across all AWS regions

highCloudTrail Data Events Disabled

Enable data event logging for S3, Lambda, and DynamoDB on the CloudTrail trail

highVPC Flow Logs Disabled

Enable VPC flow logs to capture accepted and rejected traffic metadata

highAWS Config Not Recording

Enable AWS Config in every active region and record all supported resource types

configuration

highS3 Bucket Encryption Disabled

Enable default server-side encryption on the flagged S3 bucket

lowS3 Bucket Versioning Disabled

Enable versioning on the flagged S3 bucket to protect against accidental deletion and overwrites

lowS3 Bucket Logging Disabled

Enable server access logging on the flagged S3 bucket for audit visibility

criticalUnrestricted SSH Access

Restrict inbound SSH (port 22) access in the security group to specific IP ranges

criticalUnrestricted RDP Access

Restrict inbound RDP (port 3389) access in the security group to specific IP ranges

mediumUnrestricted Egress

Replace the default "all traffic to 0.0.0.0/0" egress rule with specific destinations

mediumDefault Security Group Has Rules

Strip all ingress and egress rules from the default VPC security group

mediumKMS Key Rotation Disabled

Enable automatic annual key rotation for the flagged KMS customer managed key

highKMS Key Pending Deletion

Cancel the scheduled deletion for the KMS key or confirm deletion and re-encrypt dependent resources

mediumKMS Key Disabled

Re-enable the KMS key if it was manually disabled, or wait out transient Creating/Unavailable states before contacting AWS Support

mediumDefault VPC In Use

Delete the default VPC or explicitly prohibit workloads from using it

highGuardDuty Not Enabled

Enable GuardDuty in every active region to detect IAM abuse and threats

highEC2 IMDSv2 Not Enforced

Require IMDSv2 on the EC2 instance to prevent SSRF-based credential theft

mediumEC2 Instance Has Public IP

Remove the public IP from the EC2 instance and route traffic through a load balancer or NAT gateway

criticalRDS Publicly Accessible

Disable Public accessibility on the RDS instance and move it into private subnets

highRDS Storage Not Encrypted

Re-create the RDS instance with storage encryption enabled (cannot be toggled on an existing instance)

mediumRDS Backup Retention Too Short

Increase the automated backup retention period to at least 7 days

highOrganization All Features Not Enabled

Enable All Features in the AWS Organization

mediumResource Control Policies Not Used

Enable Resource Control Policies in the Organization

lowOrganization Account Security Alternate Contact Missing

Add a security alternate contact to the AWS account

lowOrganization Account Suspended

Review and close or reactivate suspended AWS accounts

highSecurity Hub Not Enabled

Enable AWS Security Hub in the region

highSecurity Hub No Standards Enabled

Subscribe to compliance standards in Security Hub

criticalSecurity Hub Critical Findings Unresolved

Investigate and remediate critical Security Hub findings within 7 days

highSecurity Hub High Findings Unresolved

Investigate and remediate high-severity Security Hub findings within 14 days

mediumSecurity Hub Auto-Enable Controls Disabled

Enable automatic control enablement in Security Hub

mediumSecurity Hub CIS Standard Not Enabled

Enable the CIS AWS Foundations Benchmark standard in Security Hub

mfa

criticalRoot Account MFA Not Enabled

Enable MFA on the AWS root account

highUser MFA Not Enabled

Enable MFA for the flagged IAM user

sharing

criticalS3 Bucket Public Access Not Blocked

Enable S3 Block Public Access settings on the flagged bucket

criticalS3 Bucket Policy Public

Remove public Allow statements from the S3 bucket policy

See these checks run on your stack

Start a free 14-day trial — no credit card required.

Start Free Trial