Policies

AWS

Auto Scaling

ASG

  1. ASG Underutilization Detection
  2. AWS EC2 ASGs should leverage ARM instances

CloudFormation

Stack

  1. AWS CloudFormation Stack Termination Protection Disabled

CloudFront

Distribution

  1. CloudFront distribution pricing class is not optimized

CloudTrail

Trail

  1. Oversized regional CloudTrail trails
  2. Redundant Global CloudTrail trails

CloudWatch

LogGroup

  1. AWS CloudWatch LogGroup Unlimited Retention
  2. Log Streams with no usage should be removed

DynamoDB

Table

  1. Review tables with stale data

EC2

EIP

  1. Outdated Elastic IP addresses (EIPs) found

Instance

  1. AWS EC2 Idle Instance Detection
  2. AWS EC2 Instance Outdated Instance Type
  3. EC2 instances running for extended periods of time should be reviewed
  4. EC2 instances with low CPU utilization
  5. Review EBS volumes attached to stopped instances
  6. Review EC2 instances without graviton2 processor
  7. Review expiring or expired EC2 reserved instances
  8. Review large EC2 instances for potential outdated architecture pattern

NAT Gateway

  1. Delete Unused NAT Gateway

Snapshot

  1. Delete unnecessary old EBS snapshots
  2. EBS Snapshot Archival Recommendation

VPC Endpoint

  1. VPC Endpoint Unused Traffic Detection

Volume

  1. High IOPS on IO1/2 EBS volume (>32000 IOPS)
  2. Large EBS volumes (>100GB)
  3. Low Usage EBS Volumes (<100 peak daily IOPS/last 30d)
  4. Prefer GP3 over GP2 Volumes
  5. Prefer GP3 over IO1/2 when <3000 IOPS
  6. Prefer IO2 over IO1 Volumes
  7. Review EBS volumes attached to stopped instances
  8. Unattached EBS Volumes

ECS

Cluster

  1. ECS Cluster Underutilization Check
  2. ECS cluster container instances without graviton2 processor
  3. Review ECS clusters with low CPU utilization

Service

  1. Autoscaling policy should be used for ECS service

Task

  1. AWS ECS Tasks should leverage ARM instances
  2. ECS Task Underutilization Check

EFS

File System

  1. AWS EFS Unused File System Detector
  2. Idle AWS EFS File System Detector

EKS

Cluster

  1. EKS node groups using x86_64 processors instead of graviton2 should be reviewed

ELB

Load Balancer

  1. AWS ALB Low Traffic Detector
  2. AWS NLB Low Traffic Policy
  3. Check AWS Classic Load Balancer Low Traffic
  4. Delete application load balancers with no targets attached
  5. Delete classic load balancers without attached instance
  6. Delete gateway load balancers with no targets attached
  7. Delete network load balancers with no targets attached
  8. GWLB Low Usage Detector

EMR

Cluster

  1. Review EMR clusters with previous generation instance types
  2. Review idle EMR clusters running without active tasks for over 30 minutes

ElastiCache

Cluster

  1. AWS ElastiCache Low Connection Count
  2. ElastiCache Instances should leverage ARM instances
  3. ElastiCache Low Utilization Check
  4. Purchase reserved nodes for long running ElastiCache clusters

Kendra

Index

  1. Kendra Index Activity Monitor

Lambda

Function

  1. AWS Lambda Architectures
  2. Excessive timeout in Lambda functions
  3. Lambda Functions with High Error Rate

Neptune

Cluster

  1. Neptune Cluster Inactivity Check

DB

  1. Neptune Cluster Inactivity Check

OpenSearch

Domain

  1. AWS Elasticsearch Domains should leverage ARM instances

RDS

DB

  1. AWS RDS DBClusters should leverage ARM instances
  2. AWS RDS DBInstance Auto Backup Disabled
  3. AWS RDS DBInstance Auto Minor Version Upgrade Disabled
  4. AWS RDS DBInstance Deletion Protection Disabled
  5. AWS RDS DBInstance Encryption Disabled
  6. AWS RDS DBInstance Enhanced Monitoring Disabled
  7. AWS RDS DBInstance Performance Insights Disabled
  8. AWS RDS DBInstance Public Access Enabled
  9. AWS RDS Idle DBInstance Check
  10. Purchase reserved instances for long-running RDS databases
  11. RDS DB instances using non-Graviton2 processors
  12. RDS instances using older generation instance types
  13. Review RDS DB instance with low CPU utilization
  14. Review low connection count RDS DB instances
  15. Review tables with stale data

Redshift

Cluster

  1. Enable Redshift cluster pause and resume
  2. Purchase reserved nodes for long running Redshift clusters
  3. Redshift cluster with low CPU utilization

Route53

HealthCheck

  1. Delete unnecessary health checks for endpoints

HostedZone

  1. High TTL should be configured for Route 53 records

S3

Bucket

  1. Enable Lifecycle Policies for Buckets

SQS

Queue

  1. AWS SQS Queue Redrive Policy Disabled
  2. SQS Queue Idle Monitor
  3. SQS Queue No Messages Received

Secrets Manager

Secret

  1. Delete Unused Secrets Manager Secret