Select your cookie preferences

We use essential cookies and similar tools that are necessary to provide our site and services. We use performance cookies to collect anonymous statistics, so we can understand how customers use our site and make improvements. Essential cookies cannot be deactivated, but you can choose “Customize” or “Decline” to decline performance cookies.

If you agree, AWS and approved third parties will also use cookies to provide useful site features, remember your preferences, and display relevant content, including relevant advertising. To accept or decline all non-essential cookies, choose “Accept” or “Decline.” To make more detailed choices, choose “Customize.”

Preferences
Contact Us
Feedback
AWS Documentation
Create an AWS Account

Changes that introduce high or very high security risks in your environment

PDF
RSS
Focus mode
Changes that introduce high or very high security risks in your environment - AMS Advanced User Guide

The following changes introduce high or very high security risk in your environment:

AWS Identity and Access Management

  • High_Risk-IAM-001: Create access keys for root account

  • High_Risk-IAM-002: SCP policy modification to allow additional access

  • High_Risk-IAM-003: SCP policy modification that could break AMS infrastructure

  • High_Risk-IAM-004: Creation of a role/user with infrastructure mutating permissions (write, permission management or tagging) in customer account

  • High_Risk-IAM-005: IAM roles trust policies between AMS accounts and third-party accounts (not owned by the customer)

  • High_Risk-IAM-006: Cross-account policies to access any KMS key from an AMS account by a third-party account)

  • High_Risk-IAM-007: Cross-account policies from third-party accounts to access an AMS customer S3 bucket or resources where data can be stored (such as Amazon RDS, Amazon DynamoDB, or Amazon Redshift)

  • High_Risk-IAM-008: Assign the IAM permissions with any infrastructure mutating permission in customer account

  • High_Risk-IAM-009: Allow listing and reading on all the S3 buckets in the account

  • High_Risk-IAM-010: Automated IAM Provisioning with read/write permissions

Network security

  • High_Risk-NET-001: Open OS management ports SSH/22 or SSH/2222 (Not SFTP/2222), TELNET/23, RDP/3389, WinRM/5985-5986, VNC/ 5900-5901 TS/CITRIX/1494 or 1604, LDAP/389 or 636 and NETBIOS/137-139 from the internet

  • High_Risk-NET-002: Open database management ports MySQL/3306, PostgreSQL/5432, Oracle/1521, MSSQL/1433 or any management customer port from the internet

  • High_Risk-NET-003: Open application ports HTTP/80, HTTPS/8443 and HTTPS/443 on any compute resources directly. For example, EC2 instances, ECS/EKS/Fargate containers, and so on from the internet

  • High_Risk-NET-004: Any changes to the security groups which controls the access to the AMS infrastructure

  • High_Risk-NET-006: VPC peering with the third-party account (not owned by the customer)

  • High_Risk-NET-007: Adding customer firewall as egress point for all the AMS traffic

  • High_Risk-NET-008: Transit Gateway attachment with the third-party account is not allowed

  • High_Risk-S3-001: Provision or enable public access in the S3 bucket

Logging

  • High_Risk-LOG-001: Disable CloudTrail. (Ops Site Manager Approval Required)

  • High_Risk-LOG-002: Disable VPC Flow Logs. (Ops Site Manager Approval Required)

  • High_Risk-LOG-003: Log forwarding through any method (S3 event notification, SIEM agent pull, SIEM agent push etc) from an AMS managed account to third party account (not owned by customer)

  • High_Risk-LOG-004: Use non-AMS trail for CloudTrail

Host Security

  • High_Risk-HOST-001: Disable End Point Security in the account for any reason.(Ops Site Manager Approval Required)

  • High_Risk-HOST-002: Disable patching in a resource or at account level.

  • High_Risk-HOST-003: Deploying an unmanaged EC2 instance in the account.

  • High_Risk-HOST-004: Running a custom script provided by the customer.

  • High_Risk-HOST-005: Creation of Local Administrator accounts on instances.

  • High_Risk-HOST-006: Trend Micro EPS file type / extension scan exclusions or disabling malware protection on endpoints.

    Note

    Risk acceptance isn't required for EPS anti-malware exclusions or GuardDuty Suppression rules related to penetration tests or vulnerability scans or service impacting events/known performance issues warranting proactive actions. A risk notification is enough in these situations.

  • High_Risk-HOST-007: Create KeyPair for EC2

  • High_Risk-HOST-008: Disable End Point Security in the EC2

  • High_Risk-HOST-009: Accounts using End of Life(EOL) OS

Miscellaneous

  • High_Risk-ENC-001: Disable encryption in any resource if it is enabled

Managed Active Directory

  • High_Risk-AD-001: Provide admin rights to active director user or group

  • High_Risk-AD-002: GPO Policies capable of reducing security posture of the account

PrivacySite termsCookie preferences
© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.