Viewing Security Controls Monitored for AWS
Filter and sort the Reports page to see security controls monitored for AWS.
Oracle CASB Cloud Service monitors password, session, and access control settings for AWS, and generates alerts when the values for these controls don’t match the baseline.
- In the Risk Events page, filter the events so that only AWS events appear.
- Sort the Category column so that Security Control risks appear.
- Click a risk to view its details.
The following table describes the controls that Oracle CASB Cloud Service monitors. By default, Oracle CASB Cloud Service generates an alert if the value for the control deviates from the value shown in the table.
In general, Oracle CASB Cloud Service's default preferred values are more stringent than the default settings within AWS. If you want to change the baseline for Oracle CASB Cloud Service's security control alerts, then you can define custom settings for these controls.
| Security Control Type | Security Control Name | Stringent (Default) Setting | Description |
|---|---|---|---|
|
Password policy |
Minimum password length |
10 characters |
The longer a password is, the harder it is to crack. |
|
Password policy |
Require at least one uppercase letter |
On |
The more complex a password is, the harder it is to crack. |
|
Password policy |
Require at least one lowercase letter |
On |
The more complex a password is, the harder it is to crack. |
|
Password policy |
Require at least one number |
On |
The more complex a password is, the harder it is to crack. |
|
Password policy |
Require at least one non-alphanumeric character |
On |
The more complex a password is, the harder it is to crack. |
|
Password policy |
Allow users to change their own password |
On |
Users are more likely to update passwords when this activity is under their control. |
|
Password policy |
Password expiration period (in days) |
30 |
The more frequently a password is updated, the harder it is to crack. |
|
Password policy |
Number of passwords to remember |
10 |
Reused passwords open a window for an attacker to make use of an old password. |
|
Password policy |
Password expiration requires administrator reset |
On |
When passwords expire, this indicates an unused account. It’s a best practice to not let accounts sit idle. |
|
Setting |
Number of days for an SSH key to be considered old |
30 |
SSH keys authenticate AWS EC2 instances. The more frequently these keys are updated, the harder they are to crack. |
|
Setting |
Number of days for an IAM key to be considered old |
90 |
IAM keys authenticate AWS administrative users. The more frequently these keys are updated, the harder they are to crack. |
|
Access controls |
Require the root user to use multifactor authentication |
On |
Multifactor authentication requires a user to more than one credential when logging in (for example, a password and a one-time code). This setting and the other access controls on this page aren’t available as a security setting in the AWS administration console. However, when enabled, Oracle CASB Cloud Service monitors this resource and generates an alert when the feature isn’t enabled. |
|
Access controls |
Make sure all S3 server buckets are encrypted |
On |
It’s a best practice to keep data at rest in encrypted form. |
|
Access controls |
Require multifactor authentication when deleting an S3 bucket |
On |
Deleting an S3 bucket means removing a data store. This is a sensitive operation and should require the extra security that multifactor authentication provides. This setting and the other access controls on this page aren’t available as a security setting in the AWS administration console. However, when enabled, Oracle CASB Cloud Service monitors this resource and generates an alert when the feature isn’t enabled. |
|
Access controls |
Require security group checking for unsecured ports |
On |
AWS manages critical organizational infrastructure. Security group checking provides an additional layer of security in the event that a port was left open to the internet. This setting and the other access controls on this page aren’t available as a security setting in the AWS administration console. However, when enabled, Oracle CASB Cloud Service monitors this resource and generates an alert when the feature isn’t enabled. |
|
Access controls |
Require network ACLs to use secure open ports |
On |
AWS services listen for traffic on ports. These ports should require secure (encrypted) communication so that sensitive information isn’t transmitted in the clear. This setting and the other access controls on this page aren’t available as a security setting in the AWS administration console. However, when enabled, Oracle CASB Cloud Service monitors this resource and generates an alert when the feature isn’t enabled. |
|
Access controls |
Do not let network ACLs have Allow All set as the default |
On |
Allow All means that the access control list (ACL) provides access to anyone on the internet. This setting and the other access controls on this page aren’t available as a security setting in the AWS administration console. However, when enabled, Oracle CASB Cloud Service monitors this resource and generates an alert when the feature isn’t enabled. |
|
Access controls |
Check use of Route 53 hosted zones |
On |
Amazon's Route 53 service maps domain name system (DNS) queries to numeric IP addresses. It routes end users to Internet applications by translating domain names (for example, This setting and the other access controls on this page aren’t available as a security setting in the AWS administration console. However, when enabled, Oracle CASB Cloud Service monitors this resource and generates an alert when the feature isn’t enabled. |
|
Access controls |
Check use of Route 53 health checks |
On |
Amazon Route 53 maps domain name system (DNS) queries to numeric IP addresses. Route 53 health checks ensure that your web resources that reside at these IP addresses are functional before directing traffic to them. Oracle CASB Cloud Service doesn’t monitor for Route 53 health checks in private hosted zones. This setting and the other access controls on this page aren’t available as a security setting in the AWS administration console. However, when enabled, Oracle CASB Cloud Service monitors this resource and generates an alert when the feature isn’t enabled. |
|
Access controls |
Check EBS volume encryption status |
On |
Amazon Elastic Block Storage (EBS) volumes provide incremental backup for Amazon elastic compute cloud (EC2) instances. Encryption of these volumes prevents unauthorized access to the data on them. This setting and the other access controls on this page aren't available as a security setting in the AWS administration console. However, when enabled, Oracle CASB Cloud Service monitors this resource and generates an alert when the feature isn't enabled. |
|
Access controls |
Check RDS encryption status |
On |
Amazon Relational Database Service (Amazon RDS) is a relational database in the cloud. Ensure that RDS encryption is enabled to prevent unauthorized access to the information stored in the database. Amazon RDS handles authentication, access, and decryption of data transparently with minimal impact on performance. Amazon RDS encryption also helps to fulfill compliance requirements for data-at-rest encryption. This setting and the other access controls on this page aren't available as a security setting in the AWS administration console. However, when enabled, Oracle CASB Cloud Service monitors this resource and generates an alert when the feature isn't enabled. |