The 48 AWS security checks Black Cat runs
Black Cat SSPM evaluates 48 security policies against your AWS configuration on every scan, classifies each finding by risk, and provides remediation steps. Below is the full list, grouped by category.
access control
Delete all access keys associated with the AWS root account
Deactivate or delete IAM access keys that have not been used recently
Rotate IAM access keys older than 90 days
Deactivate or remove IAM users who have been inactive for 90+ days
Deactivate the console login profile for IAM users who have never signed in
Replace wildcard IAM policy permissions with specific actions and resource ARNs
Strengthen the IAM account password policy to meet security best practices
Reduce maximum password age to 90 days or fewer
Attach at least one SCP to the organizational root to enforce root-level guardrails
Replace the wildcard Allow SCP with restrictive deny-based guardrails
Narrow the NotAction exception list in the SCP Deny statement
audit
Enable logging on the CloudTrail trail to ensure API activity is being recorded
Enable log file validation on the CloudTrail trail to detect tampering
Configure the CloudTrail trail to log events across all AWS regions
Enable data event logging for S3, Lambda, and DynamoDB on the CloudTrail trail
Enable VPC flow logs to capture accepted and rejected traffic metadata
Enable AWS Config in every active region and record all supported resource types
configuration
Enable default server-side encryption on the flagged S3 bucket
Enable versioning on the flagged S3 bucket to protect against accidental deletion and overwrites
Enable server access logging on the flagged S3 bucket for audit visibility
Restrict inbound SSH (port 22) access in the security group to specific IP ranges
Restrict inbound RDP (port 3389) access in the security group to specific IP ranges
Replace the default "all traffic to 0.0.0.0/0" egress rule with specific destinations
Strip all ingress and egress rules from the default VPC security group
Enable automatic annual key rotation for the flagged KMS customer managed key
Cancel the scheduled deletion for the KMS key or confirm deletion and re-encrypt dependent resources
Re-enable the KMS key if it was manually disabled, or wait out transient Creating/Unavailable states before contacting AWS Support
Delete the default VPC or explicitly prohibit workloads from using it
Enable GuardDuty in every active region to detect IAM abuse and threats
Require IMDSv2 on the EC2 instance to prevent SSRF-based credential theft
Remove the public IP from the EC2 instance and route traffic through a load balancer or NAT gateway
Disable Public accessibility on the RDS instance and move it into private subnets
Re-create the RDS instance with storage encryption enabled (cannot be toggled on an existing instance)
Increase the automated backup retention period to at least 7 days
Enable All Features in the AWS Organization
Enable Resource Control Policies in the Organization
Add a security alternate contact to the AWS account
Review and close or reactivate suspended AWS accounts
Enable AWS Security Hub in the region
Subscribe to compliance standards in Security Hub
Investigate and remediate critical Security Hub findings within 7 days
Investigate and remediate high-severity Security Hub findings within 14 days
Enable automatic control enablement in Security Hub
Enable the CIS AWS Foundations Benchmark standard in Security Hub
mfa
Enable MFA on the AWS root account
Enable MFA for the flagged IAM user
sharing
Enable S3 Block Public Access settings on the flagged bucket
Remove public Allow statements from the S3 bucket policy