BlueArchCitable IDs in every alert
Every BlueArch finding links back to a Hub entry with the same ID — so an alert in your inbox carries the full context, remediation, and compliance mapping. No more "what does this mean?"
Plain-text, version-controlled →
Free product · Open dataFree to use
The world's largest
LLM-formatted
AWS misconfiguration
database.
Governance Hub is a free, continuously updated, machine-readable catalog of AWS misconfigurations — written so engineers, auditors, and LLMs can all consume it. Mirrored live from GitHub, queryable from your terminal, your CI, or any model context window.
Live mirror of bluearchio/aws-misconfig-db
323 recommendations · 46 service groups · generated 2026-05-15View repo →
323 recommendations · 46 service groups · generated 2026-05-15View repo →
Catalog snapshot
- 323recommendations loaded
- 46AWS service groups
- 2026-05-15website catalog generated
0
Misconfigurations cataloged
Across IAM, S3, RDS, EKS, networking, encryption, billing, and more.
0
Service groups covered
Generated from the checked-in aws-misconfig-db source of truth.
0
High-severity entries
Prioritized entries where the risk value is highest.
0% free
License
MIT. Mirror it, query it, train on it.
Browse the database
Searchable. Citable. LLM-ready.
Every entry is structured: IDs, severity, business impact, remediation, IaC patches, and an LLM-formatted body you can drop straight into a model context. Filter by service, severity, or compliance framework.
- 3e4cd300-6cff-4fd6-9504-38c0f38ab2ac · MediumAWS account does not have alternate security contact information configured
- 75a780d7-e8f9-4175-bc93-8c5c5039fd4e · HighRSA certificates managed by ACM use a key length smaller than 2048 bits
- 9be76839-271a-4733-b947-c4c3705da1f5 · Mediumuser wants SSL/TLS certificate expiration alert 1 month in advance
- d8163f98-8bb2-4159-bde7-e7668e8ee21d · Mediumuser wants SSL/TLS certificate expiration alert 1 week in advance
- b0ee1465-5cd5-4b8e-9ceb-c22ffcbdba88 · Mediumapplication / load balancers are not detecting failed connections fast enough
- 475b24d9-4b5b-4ce4-8161-af25f89bee49 · LowIdle Load Balancers
- 75ba739e-a10d-4233-9d93-233587bf1de5 · HighIdle Load Balancers
- f8873ffb-d1ce-44d2-adf9-50148350fc92 · LowIdle Load Balancers
- 38ef673f-016f-4b10-ba8c-e0ab9d15494a · Mediumuser wants to be notified when ALB securied listener certificate expires in 1 month
- 255365fe-3007-414f-85b6-713846173847 · Mediumuser wants to be notified when ALB securied listener certificate expires in 1 week
- a3e36ea7-b611-4706-bc1f-40f09a17dc70 · Mediumuser wants to be notified when ELB securied listener certificate expires in 1 month
- b70a15dd-4b86-4345-ab46-a3e02c6abfea · Mediumuser wants to be notified when ELB securied listener certificate expires in 1 week
- 8ac617e8-5a7a-4da8-8084-7ef5e5cbc74c · Mediumuser wants to ensure ELB are created with access logs enabled
- b5337466-a827-460e-873e-613c28a101e4 · Mediumuser wants to ensure ELB is setup with SSL for secure communication
- 00b372b2-8825-4bdf-834f-b10742dc715b · Mediumuser wants to ensure that elb has a recommended ssl/tls protocol version
- eba421cf-bea5-4fa2-982a-c992016bd34f · Mediumuser wants to ensure the availability / performance of their auto scaling group(s)
- 71534f32-7b63-4d9b-8c41-9328ea305e23 · Mediumuser wants to remove weak ciphers for ELB
- 01e58c92-8f90-4ef0-a438-e35bf01ecfd8 · Mediumusers are being routed to instances that are not running (or have performance issues)
- be4fc192-947d-4012-aeb5-54bec0d07873 · MediumYou are creating an application that is going to expose an HTTP REST API. There is a need to provide request routing rules at the HTTP level. Due to security requirements, your application can only be exposed through the use of two static IPs.
- 297a0e89-3930-4c98-aaae-108dd7dc6c90 · MediumYour application load balancer is hosting X target groups with various hostnames; you would like to expose https traffic for each of these host names.
- 277608d6-b89d-459a-ab2d-e2c05ac47af3 · Lowuser needs to have an index of resources across regions they can search for
- 3360f1f0-c035-4fc1-93d0-1b6afe58d609 · Mediumuser requires immutable resource tags
- 6abe56fe-881d-404c-81e3-a87ed491685b · Mediumuser wants to associate costs to cost centers, projects, teams, and other business units
- 6ba41fc1-7084-4ae2-a0ee-aa50d85f1cea · Mediumuser wants to associate user groups & roles to projects, teams, and other business units
- c54ea650-2481-4d0d-a61c-9f08443c7cd1 · Mediumuser wants to use api gateway with edge locations AND cares about performance
- e6001001-cf01-4001-a001-001000000001 · LowContinuous AWS Config Recording in Non-Production Environments
- e6001002-cf02-4002-a002-002000000002 · LowExcessive AWS Config Costs from Spot Instances
- e6001003-cf03-4003-a003-003000000003 · LowUnfiltered Recording of High-Churn Resource Types in AWS Config
- e6001004-cf04-4004-a004-004000000004 · LowUnnecessarily High Recording Granularity in AWS Config
- 6e839f06-4474-45c8-82a9-84003aade522 · Mediumuser wants to ensure AWS config is enabled in all regions
- a1382004-5e31-4004-b004-004000000004 · MediumMissing Caching Layer for Repetitive Bedrock Inference Workloads
- a1382001-fbbe-4001-b001-001000000001 · MediumSuboptimal Bedrock Custom Model Configuration
- a1382002-08c0-4002-b002-002000000002 · MediumSuboptimal Bedrock Inference Profile Model Selection
- a1382003-6144-4003-b003-003000000003 · MediumSuboptimal Bedrock Model Type for Use Case
- a1382005-734c-4005-b005-005000000005 · MediumUsing High-Cost Bedrock Models for Low-Complexity Tasks
- 0d84ee37-e841-4b16-ae87-5b0ec720c927 · MediumCloudFront Alternate Domain Names
- 915cc2d1-9ea7-4fab-83ad-92b623cb163b · MediumCloudFront Alternate Domain Names
- ef6b202e-cb88-4f1b-aadb-a2f17804a8e5 · MediumCloudFront Alternate Domain Names
- 4769bb75-f7b8-4604-8ad1-2fbdabd7420d · HighCloudFront Content Delivery Optimization
- cc4250bc-4065-4a12-8fa8-74f386b45702 · HighCloudFront Content Delivery Optimization
- a9f10db4-5c47-4865-8b9f-648f09a81605 · Mediumcloudfront distributions are too expensive
- 937fff55-6361-4546-a3be-9b4769c904e4 · LowCloudFront Header Forwarding and Cache Hit Ratio
- 327f7304-6e47-4eff-93b2-e070afcfc180 · Mediumstreaming service needs to reduce latency for its users
- fa2ba14d-f984-4efb-a5ae-6a7da7f4257a · Mediumuser wants an encrypted connection between cloudfront and origin server
- 15ac6ce0-cfab-4e25-87dd-ff769faec385 · Mediumuser wants their application optimized based on the command types (e,g, GET vs POST)
- 12f2d76b-5c61-403a-bcbe-71c1a4d3ec61 · Highuser wants to ensure his CDN is secure
- f9b6e58a-21cb-47b1-92af-1841391713ff · Mediumuser wants to restrict users from accessing their content from a particular country
- 19e6e1a5-3569-460a-8be6-582246d05090 · MediumYou would like to provide your users access to hundreds of private files in your CloudFront distribution, which is fronting an HTTP web server behind an application load balancer
- 1a48e014-dc5b-4b3d-9e8a-4fa00ebd4223 · Highuser wants to ensure CloudTrail is enabled in all regions
- 450eb05d-23fe-47dc-83f0-4e13c1149c00 · Mediumuser wants to ensure CloudTrail log file validation is enabled
- bbeaea1f-8aeb-4a4b-978c-7f05c0ed0722 · Mediumuser wants to ensure CLoudTrail logs are encrypted at rest using KMS CMKs
- 3eae64a8-7a42-4ffc-b552-6e7a8555d3c3 · Mediumuser wants to ensure CloudTrail trails are integrated with CloudWatch
- a947ee7d-2155-4f72-8c3f-4097c7ec3974 · Mediumuser wants to ensure multi-region trail exists for each AWS CloudTrail
- e7b5c9a1-3f2d-4e8b-9c6a-1d5e8f2b4a3c · LowCloudWatch Logs groups without retention policies accumulating costs indefinitely
- 4e7fe812-5f0d-478f-9959-2409c8dc0b45 · MediumHTTP/S & TCP endpoint health checks are not linked to cloudwatch
- 83691b2b-0b0b-4549-b2da-fcbb1708c6cb · MediumNo CloudWatch anomaly detection configured to identify unexpected cost increases
- 06f2bdc9-2b6e-4c70-895d-1b6d4e17f87c · MediumAWS Config is not enabled to track resource configuration changes and compliance
- e3de8e59-c849-4544-8b17-e66164d45a64 · Mediumdynamo table read and write capacity is too low
- d9e86614-ba81-4bee-9a3f-5e3457216033 · MediumdynamoDB hot shards
- 21e8990b-f442-4975-8927-70399f242f0f · MediumDynamoDB tables with critical data lack cross-account global table replication for disaster recovery isolation
- b4839001-ddb1-4001-c001-001000000001 · LowInactive DynamoDB Table
- b4839002-ddb2-4002-c002-002000000002 · LowInefficient Use of On-Demand Capacity in DynamoDB
- 169e3c58-a78a-4525-bcef-eb0656ec5bb0 · Mediumread latency is not performant for dynamodb tables OR user needs full replication (high reliability) of their dynamo tables
- b4839003-ddb3-4003-c003-003000000003 · LowSuboptimal Storage Type for DynamoDB Table
- b4839004-ddb4-4004-c004-004000000004 · LowUnderutilized Read Capacity on DynamoDB Table
- b4839005-ddb5-4005-c005-005000000005 · LowUnderutilized Write Capacity on DynamoDB Table
- b950825d-41ae-4637-a0c8-281f8903596f · Mediumuser cannot predict the capacity needed with dynamo (RCUs / WCUs)
- ef9201c9-a59f-4006-b52d-fe50003e8e32 · Mediumuser has the "hot key" problem (too many reads) with dynamo
- a2a0dabe-1714-4a11-ab47-5ae2c539eb77 · Mediumuser wants to know whether they should cache read content (in a serverless architecture) at the api gateway level or with a DAX caching layer (or other)
- 444fd30a-f2f2-4a7f-afbc-063349fc900f · LowAmazon EBS Provisioned IOPS (SSD) Volume Attachment Configuration
- 257affcf-d8a7-479b-92b7-80d7d91c59c5 · MediumClustered Linux powered application needs higher availability (eg Teradata)
- 33fc1c4b-3302-4eb4-8f10-a43041c80105 · MediumMax IOPs hit (<32,000)
- 61ee7b36-d8eb-4bff-a1f5-01e5a4d55c1e · MediumNeed up to 100k IOPS or more throughput on Linux or Windows machine
- 8312c521-673e-48df-aca3-ae6a284f7079 · LowOrphaned EBS snapshots and AMIs consuming storage costs after source volumes deleted
- 03060d2d-96d3-43aa-ba18-2968fc8a7189 · LowOverutilized Amazon EBS Magnetic Volumes
- f12f548d-4986-4309-883e-a3673a5c3ef8 · Mediumuaer needs on premise volume data backed up in the cloud
- 9b4bd9b6-9139-4e8d-a157-055bbb6bacc3 · Lowuser wants to ensure ebs volumes are deleted when an instance is terminated
- 8dfe3ba4-c72f-4ed8-9a07-f88c1ccc8b3b · Lowuser wants to ensure that only necessary / needed snapshots are available for use
- 9962a78d-7100-4d15-bc9c-c62a6c0d3b91 · Lowuser wants to prevent volumes (root or attached) from filling up, forcing a restart and leading to a new IP address (if an elastic ip has not been assigned)
- 4a085886-dc3f-4573-bcb3-1ac3b6527f70 · Medium??? EC2 failing and web address not valid?
- 6d6e48e1-29bb-49ac-a848-a33fba2a712a · LowAmazon EC2 Reserved Instance Lease Expiration
- 8dcdbfff-850b-40c9-96c7-3186a9fe04ea · LowAmazon EC2 to EBS Throughput Optimization
- 533911b3-772f-418e-bb8c-dce2e14bdee4 · Mediumapplications are exposed through an appication load balancer, and the load balancer is deployed on a VPC and the EC2s security on port 80 does not reference the ALBs security group
- 7de705c0-ed35-4f5b-a023-aca48102cd22 · MediumAs a solution architect managing a complex ERP software suite, you are orchestrating a migration to the AWS cloud. The software traditionally takes well over an hour to setup on a Linux machine, and you would like to make sure your application does leverage the ASG feature of auto scaling based on the demand.
- 59fb7aa6-d2ef-48db-843a-042f56df477c · Mediumbin packing and consolidated instance types
- 380cb25a-4494-4d13-9389-a2e0c249ede5 · Mediumdefault auto scaling cooldown is too long and unecessary costs are being incurred as a result
- a0ffe81c-483b-448e-a899-884e5258a106 · LowDevelopment and test environments running 24/7 without scheduled shutdown during non-business hours
- bc4ad253-abd3-4931-81e0-f5b80b9026a7 · MediumDon't care about network performance, but need to maximize reliability of compute on large workloads (HDFS, Kafka, Hbase)
- 23cd2bca-6852-444b-ba04-a7b624d2a9cb · MediumDon't care about network performance, but need to maximize reliability of compute on small to medium workloads
- 0f5cfb3e-623b-4140-a5ed-db4b5be406f8 · MediumEBS volumes are running on previous generations
- 030f361e-eb21-4382-8d26-fcd86f47c8d5 · MediumEC2 instances are running on previous generations
- fb608bb0-abfd-4543-876d-b7d44bc64329 · LowEC2 instances running with very low CPU utilization indicating rightsizing opportunity
- 3bcb0076-e857-4761-988a-4982185813a5 · Lowec2 network performance is not what is expected / paid for
- 4168462a-cff5-4404-92b1-b305e36762fd · LowFault-tolerant and flexible workloads not leveraging EC2 Spot Instances for cost savings
- e9b86ebe-9480-4618-b0b3-886757fb26f7 · MediumHelpful to increase HPC workloads
- f15adfc7-d970-4925-b0fb-99dbe1796d3b · LowHigh Utilization Amazon EC2 Instances
- 74492e33-2626-4630-bf53-2bd5ef074061 · MediumIdle Amazon EC2 Instance
- bc73c591-36b2-43dd-8ad3-4406fec4e694 · Mediuminfrequent, intermittent or unpredictable database workloads
- f9c9fd97-68ee-4c50-8cfe-d1ce2fef132b · Mediuminstance types differ too much + CapacityReservationSpecification is set to open + reserved instance capacity underutilized
- a7704b72-96f9-4c82-bd21-8b107242085c · MediumLicensing costs charge by the core + CPU is underutilized
- 5bdf9fa1-673d-4360-968b-d3068417c76a · MediumMax IOPs Hit (=32,000)
- 0dfe8dc1-9e65-4aed-b143-30df906e82db · Mediummaximum cpu utlization is greater than the alarm value and your application has auto scaling groups enabled
- 8b5352c8-2b0a-420a-a653-dd24694bd34a · MediumNeed more ec2 network performance, but don't care about reliability (eg big data workload)
- f0b2c0d5-ae4d-49e6-b063-222a991b109a · Mediumpem key credentials stored on ec2 instance
- 863e1006-a446-4efb-99d3-b6408c851cd0 · MediumProduction workloads without Auto Scaling unable to optimize costs during variable demand
- f99e83f1-1109-486b-8210-fa3ef702cb8b · Mediumrds read replica has been created in another region
- 8b61f08a-4b4d-483b-870c-ea4f613a8435 · MediumReserved instance recommendation
- f2efa818-c80e-433c-9c7a-a41336423e2c · Mediumservice autoscaling
- fd54bbf8-76c4-4475-a8b6-a3979e33a26f · MediumSlow EC2 boot time
- e89b978c-c76a-4be3-8333-32c61af547c8 · MediumSpot fleet (spot + on demand) recommended
- 40d46878-ac12-44c8-902f-196a18dc9f6c · LowUnassociated Elastic IP Addresses
- c2868099-49ec-4473-8020-47a470a23414 · Mediumunhealthy, orphaned ec2 instances exist
- b971de6f-9227-4782-a708-9d2999765755 · Lowuser has already reduced waste, has a deep understanding of their future compute usage requirements, and wants to save money on their instance usage rates going forward
- b21a13ee-39f2-4a77-bebc-c9a49613e826 · Lowuser has already reduced waste, has a good understanding of their future compute usage requirements, and wants to save money on their instance usage rates going forward
- 3e17f505-9507-4244-b494-02c1c9e7f559 · Lowuser has already reduced waste, has an okay understanding of their future compute usage requirements, and wants to save money on their instance usage rates going forward
- 82a851f7-3ef6-4d02-9204-dde82c5a75da · Mediumuser has an applicaiton that is running on ec2 that distributes software updates "once and a while"; when a new software update is out the user gets a lot of requests and the content distibuted in mass ovecr the network is very costly; user does NOT want to change or re-architect the applicaiton
- e8fc5179-9193-4d19-808f-dee3aa5a08a1 · Mediumuser has instances that are not being used regularly
- 033ae438-4620-4f65-80cd-776fd0102bb0 · Lowuser has unattached or unused volumes
- 249dd667-4b1e-4200-bec5-19c6c718f958 · Lowuser has unencrypted volumes currently in use
- 558c548a-8e9a-47d3-8f38-1240867af942 · MediumUser is unsure how to decide between EFS, EBS, or instance store
- 6a2c2d54-b4ce-4d2c-a3c1-4ce04986052c · Mediumuser wants to be notified when/if their reserved instance lease is going to expire
- b3fcf6d3-9c7f-4728-bdaa-6c2b06fc2709 · Mediumuser wants to ensure instances are only on when needed (used during business hours, during a jobs runtime schedule, etc.)
- 63b4f412-c3ab-4ec8-af7f-ddfecbc25269 · Mediumuser wants to increase the security of their ec2 instances
- 89e0797c-0de8-4d2a-826e-810dd6843d23 · Highuser wants to increase the security of their ec2 instances
- e5bd9c73-a9fb-4dab-b90c-55d37577bc19 · Highuser wants to increase the security of their ec2 instances
- ebe7cf51-ecf8-4eee-a8f4-61d7e7d8fa1c · Mediumuser wants to increase the security of their ec2 instances
- f86cf839-ad7f-4d22-969c-4ba62fdd52c1 · Mediumuser wants to know which OS are deployed to EC2 instances
- 9f8cd266-20b2-4bb8-867c-7ef54923cc00 · Mediumusers application has connectivity issues and cannot determine why
- 57fdeba4-4823-4bd7-957f-5cb8b0d9f84e · High- user wants to increase the reliability of their ecs sevices / tasks and/or - user has been experiencing frequent service failures and/or - users' ecs services have been failing health checks
- b792ba90-f7d5-4324-938d-3213142d9d01 · HighECS task definitions are configured with unsafe defaults including public IPs, privileged mode, or plaintext secrets
- e19c54e2-286b-4fbd-b1a8-5ea9f3495da1 · Mediumuser wants ecs cluster to be encrypted at rest
- 4649adc3-53cc-4ccc-bd61-5c79f7fa6999 · Lowuser wants to increase the performance of their ecs service(s)
- 326eaec8-4b35-417d-b883-33c31948a9cd · Lowuser wants to make sure their services are all running the latest platform version
- 4305d944-eb3c-473c-b9ce-99fe6911713b · Lowuser wants to remove or update inactive tasks
- d5001001-ef01-4001-b001-001000000001 · LowInactive and Unmounted EFS File System
- d5001002-ef02-4002-b002-002000000002 · LowMissing Intelligent Tiering on EFS Lifecycle Policy
- d5001003-ef03-4003-b003-003000000003 · LowMissing Lifecycle Policy on Replicated EFS File System
- d5001004-ef04-4004-b004-004000000004 · LowOverprovisioned Throughput in EFS
- d5001005-ef05-4005-b005-005000000005 · MediumSuboptimal Use of EFS Storage Classes
- eef7a0f5-ada3-4b40-988f-86a2055b59bc · Mediumuser needs network file share system, but needs windows instances to access network files
- 74b0f0d7-fcb8-46ed-beb4-3d3ec6ecbe64 · Mediumuser wants to ensure amazon efs file systems are encrypted
- 4e33a295-b0c0-4cb5-a8ac-942a08de57b3 · Mediumuser wants to ensure amazon efs file systems are encrypted using KMS CMK
- 38c186b1-36f2-4133-a6ef-9c1628f5c6f6 · MediumAmazon EKS clusters do not have GuardDuty Extended Threat Detection enabled
- 5fc3d4a9-96ef-4bba-82e9-bccabe531b34 · Lowpods OR nodes within cluster are not appropriately sized (artur to clarify)
- c727a01a-e43a-4157-a80c-21dc130a50c5 · Highuser wants to make sure all environments are healthy
- ceb5228b-8733-4978-8fed-36588bfb638d · Lowuser wants to make sure all environments are up to date
- 6aa5f0f0-2e69-4f2e-82f2-e4110654b102 · LowAmazon ElastiCache Reserved Node Optimization
- 30397890-41a8-4c51-a957-c1fe893cdbe7 · Mediumclient wants to build a gaming leaderboard that guarantees both uniqueness and element ordering;
- e1b071d7-7358-4318-9021-015de19b783b · LowAmazon Elasticsearch Reserved Instance Optimization
- 2b6ae2c7-d432-401b-8164-23782cb1b1dc · MediumEMR (or other) cluster is used and task nodes are not utilizing spot instances
- cf28fb38-e084-42c6-9e82-49a836a7a1b3 · MediumAWS accounts lack budgets and proactive spending controls resulting in cost overruns
- ba16b11d-85b2-4f83-81e5-33e1255afce0 · MediumAWS resources lack cost allocation tags for tracking and attribution
- a946417d-d42f-4c9e-b129-de887414717f · Mediumclient wants more detailed invoicing
- 6562cd29-30a1-436b-835c-c38060e0501e · MediumConvertible Reserved instances recommended
- 2aae8134-3a6d-4207-b1e3-73687851270e · Mediumcustomer wants to auto-scale their instances based on the number of requests per minute (or some other metric)
- 770874ca-2a47-4243-96fe-25014d6c403d · MediumDedicated host recommended
- 98c656bb-8ca3-4ca9-a69a-3c8f30279ed3 · Mediumend-user would like to group costs based on their business logic or product catalog
- f9a6b1c4-2d7e-4f8a-9b6c-3d8e9f7a5b1c · MediumEngineering teams lack cost awareness and accountability for cloud spending
- 5aeeba22-fdc7-444a-9ba1-1fd5e11f3557 · Mediumlanguage used is not ideal for the specific workload
- a3a4dde9-da1b-4b50-bbb9-8bac2c25059e · Mediumlogs full & cpu utilization spiked
- 6bb5f985-d986-414b-851d-1cd985e89c4e · MediumNo standardized decommissioning process resulting in abandoned resources accumulating costs
- c6d9e5f2-7b3a-4c8e-9d1f-8a2b7e4c5d6e · HighOrganization lacks dedicated Cloud Financial Management team or FinOps function
- c121f7a5-3181-448f-a419-c64d6edb936b · Mediumparameter groups or database is not configured to ONLY allow SSL connection
- a1b7c2d8-3e9f-4a5b-8c6d-9e1f7a4b3c5d · LowResources not leveraging shared infrastructure leading to resource sprawl and duplication
- 59d4888f-2041-4113-b08e-ee5353b37f14 · Mediumroot volumes are not encrypted
- 88fbe98e-6f7d-481f-9c1d-5ac56aa50cac · Mediumrouting is currently set to a geolocation based policy, but does not have a default IP address
- 77c37bf0-446e-4292-bc1e-cdb3dfb81a6a · MediumScheduled reserved instances recommended
- 40814f77-0b20-4cd2-92b9-ca3b36e1627b · Mediumuaer needs on premise file data backed up in the cloud
- 26e95c6f-5656-46a5-a1fa-35a516468d41 · Mediumuaer needs on premise tape data backed up in the cloud
- 9c7e25a7-9655-4bb0-ab9f-287cf3cd9952 · Mediumuser does not want instances with unencrypted ports
- c6c883a7-949d-469c-a468-4acb0889dede · Mediumuser does not want networkloadbalancer with unencrypted ports
- 7f1dd337-60f3-4072-88a5-a67bcaef7fcd · Mediumuser does not want to allow get actions from all principals
- 58e96572-c0f4-466d-ab62-4452d7a1bca6 · Mediumuser does not want to allow list actions from all principals
- 7cf0ec49-3d87-46ce-957a-72afa928c6ce · Mediumuser does not want to grant any external privileges via ACL
- 0c9148d4-9510-4da6-9512-33286d31a480 · Mediumuser wants encrypted storage for instances that might host a database
- f44654fb-441f-489b-b814-fa7366050862 · Mediumuser wants to be notified when a credentials report was generated in the last 24 hours
- d01ab648-6ef5-45fe-ad93-539da6d9a9bb · Mediumuser wants to ensure rotation for customer created CMKs is enabled
- 4931f8b7-1bff-4c2b-adf9-926a338b926f · Highuser wants to know WHEN the right time to purchase a savings plan in
- 0e7afc00-2870-4cc7-a079-00e74c45fe6f · Mediumuser wants to supply their own encryption keys
- d7e4f8a2-9c5b-4d3e-8f6a-1b9c7e5d4a6f · MediumWorkloads built with undifferentiated heavy lifting instead of leveraging managed services
- e8f5a9b3-1c6d-4e7f-9a8b-2c5d8f6e3b7a · MediumWorkloads deployed without upfront cost modeling leading to budget overruns
- a902454a-eb8f-43f0-82cc-37579ed18a47 · LowWorkloads with predictable steady-state usage lack Savings Plan or Reserved Instance coverage
- ffb6b99f-0dec-47a4-9274-6e1552c05c02 · HighAmazon GuardDuty threat detection is not enabled in all regions
- 314f0d94-7381-454d-915d-45b962d801e3 · HighAWS account root user does not have MFA enabled or enforced
- f2ee54dd-37e7-4118-80f9-f164d89f3a8f · Mediumuser wants the password policy to require at least one number (+ specific password requirements)
- 50ba9f4d-388d-46dc-9b71-bd7a10c588c5 · Mediumuser wants the use of 'root' account to be avoided
- 297883ae-5ece-4511-8c34-1a2008cf1ad4 · Mediumuser wants to be notified of new security groups
- 718ac930-9ba0-42a1-a31b-fad73f2a66da · Mediumuser wants to enable least privilege access across all accounts
- aead0be5-3b3f-4e96-b561-6bafc7162801 · Mediumuser wants to enforce password policy
- 07f63c10-f164-4f31-95fb-57c07eb87261 · Mediumuser wants to ensure a support role has been created to manage incidients with AWS support
- 13bddd8f-7a89-4fa4-8f4e-bce30b3da26c · Mediumuser wants to ensure first access key is rotated every 90 days or less
- a843c50e-63a8-4e20-8ef8-c7f6ec4a4500 · Mediumuser wants to ensure hardware MFA is enabled for the 'root' account
- 6a285348-b16e-4905-b347-09df596d02d5 · Mediumuser wants to ensure iam policies are attached only to groups or roles
- 20da6654-9c4a-4b02-aaaf-5327efab6599 · Mediumuser wants to ensure iam policies that allow full "*:*" are not created
- e53ff93a-a43d-4580-bf17-a915dfeba8ce · Mediumuser wants to ensure no root account access key exists
- 299fc2d0-a2f2-4b79-a3d2-2b479b25d07f · Mediumuser wants to ensure second access key is rotated every 90 days or less
- e3e22326-af1e-4fc5-89e6-757cf12a2f4a · Mediumuser wants to ensure that MFA is enabled for all IAM users with console password
- e831d84f-db29-456e-a4fa-21d1bfa57984 · Mediumuser wants to ensure virtual MFA is enabled for the 'root' account
- 8c0a3d78-a5e3-4ac1-a1ca-f25306b46143 · Highuser wants to get notified / know of non-compliant IAM keys (keys older than 90 days)
- 85d589af-ca9b-4cb6-8311-6c9e50da0687 · Mediumuser wants to know which keys need rotating (are old or expired)
- a2e6377a-b62c-47a6-b957-452e9b79883b · Mediumuser wants to remove unused security groups
- 4ad76651-ce07-4d4e-bcf0-0a6fdff81146 · MediumInfrastructure as Code (IaC) templates are not scanned for security vulnerabilities before deployment
- be5dfe89-42e6-489b-9b70-3c32a154ffc8 · Mediumuser wanst to be notified when there are any high level findings in inspector scan
- fc98e70f-8e79-439d-9453-1e786bd5846e · Mediumuser wants to be notified if there has not been an inspector run in the last 30 days
- dcd9838a-b5dc-4c19-ab0f-b239a25b8fc7 · Medium1 - user wants to do streaming ETL, select columns, and make simple transformations 2 - user wants to generate metrics continuosly, like a live leaderboard game 3 - responsive analytics, look for a certain criteria and build alerting
- 9f926c3f-adce-47e7-8d55-e2fad047d3a9 · Mediumuser wants AWS kinesis server data to have SSE at rest
- df37f539-ce9b-4eb3-9ff9-fc8b820b6e7d · Mediumuser wants AWS kinesis streams to be encrypted with KMS CMK
- 5428f26e-ffe7-4c6a-89a0-4d953c2ec068 · Mediumuser wants to detect anomalous behavior in their data streams
- 48fb1784-79f1-4c41-a4fc-3b05282f2e45 · Mediumuser wants to detect dense areas in their data streams
- 56a298fa-1fb1-4371-8d22-b7fa5c273cb2 · Mediumuser wants to rotate kinesis streams
- 4c8b68a6-06b5-4fb2-8b6a-c8090bc0124e · Mediumuser wants to stream videos, such as camera footage, or a producer sdk
- fbff91c8-6bb2-4ed7-81e6-69463756e497 · Mediumuser wants a encryption with an audit trail
- 51e22636-4dae-4f77-ab58-c4f4961013a2 · MediumAWS Lambda Functions with Excessive Timeouts
- 59b90e10-df31-4a2e-9cd7-1a598eecb2a1 · MediumAWS Lambda Functions with High Error Rates
- 44183041-c87c-4bf2-ab10-3a593057135a · Mediumlambda function consistently and significantly under memory limits
- f11f43fb-072f-4a2a-9a4a-2851f8bae0aa · Mediumlambda function consistently reaches memory limits
- 64a6e315-cfef-4450-a761-247576cbe77e · Mediumlambda function(s) has/have not been invoked in a long time
- c3d4e5f6-a7b8-4901-c234-56789abcdef0 · MediumLambda functions making external API calls without retry logic or using fixed-interval retries
- a1b2c3d4-e5f6-4789-a012-3456789abcde · HighLambda functions making synchronous calls to external services without circuit breaker implementation
- d4e5f6a7-b8c9-4012-d345-6789abcdef01 · MediumLambda functions processing variable workload spikes synchronously without message queue buffering
- 37841661-4dc1-4fe6-a5f5-3f95013da436 · Mediumlambda functions should not be used
- b2c8d3e9-4f1a-5b6c-9d7e-1a8f4b5c6d7e · LowLambda functions with provisioned concurrency enabled for workloads with variable or infrequent traffic
- e5f6a7b8-c9d0-4123-e456-789abcdef012 · HighMultiple Lambda functions sharing unreserved concurrency pool without isolation
- 1f780989-b697-4817-b38c-dee807324c6b · Mediumprocesses that are controlled / run by lambda function are performing poorly
- 81a5a270-6eef-45f9-921b-593eb7ef6bd6 · Lowtime between when the last record in a batch was written to a stream (e.g., Kinesis, DynamoDB) and when Lambda received the batch increases dramatically
- c8fd0f3c-90c1-45ec-9467-963920497527 · Highuse wants to be made aware of any function throttling that ocurrs
- 34fb31df-b922-42a7-a462-c684bda929a4 · Mediumuser has an IoT system (e.g. AWS edge) and wants to filter requests before they get to the application
- 2cd8897d-8db5-4bde-8476-1edbe7f97894 · Lowuser needs serverless (lambda) tracing functionality
- 1d169e83-e553-4a67-8796-1c4365265efc · Lowuser wants to avoide lambda function throttling
- d814745d-a655-4612-9d03-07f7236cab77 · Lowuser wants to clean up unused or inactive lambda functions
- 24a0eea7-9e43-4549-9c5d-17d1ddcaa4ef · Mediumuser wants to ensure that lambda functions do not share the same AWS iam execution role
- 14e59ac7-8087-4489-8073-4bee498c0897 · Lowuser wants to limit the time it takes to load and initialize function calls (as the current initialization code runtime takes too long)
- 5539e36a-7ff0-4feb-9edf-02a6a51ebd51 · Mediumuser wants to prevent lambda functions with admin priviliges
- c7739006-aa06-4006-b006-006000000006 · MediumImbalanced Data Transfer Between Availability Zones
- c7739001-aa01-4001-b001-001000000001 · LowInactive NAT Gateway
- c7739002-aa02-4002-b002-002000000002 · LowInactive VPC Interface Endpoint
- c8908001-aa03-4003-b003-003000000003 · MediumMissing VPC Endpoints for High-Volume AWS Service Access
- c7739005-aa05-4005-b005-005000000005 · MediumRouting Through NAT Gateway Instead of VPC Endpoint for AWS Services
- c7739004-aa04-4004-b004-004000000004 · MediumSuboptimal Cross-AZ Routing to NAT Gateway
- b86ef141-f21b-4818-9062-fee738816c22 · HighAWS Network Firewall does not have active threat defense enabled for real-time malware protection
- a03af80d-8c8a-492d-9aa7-d32a2bcbaa17 · LowHigh data transfer costs from cross-region or internet data egress without optimization
- 721c9e93-f089-4269-b9ad-cf9ba3bb3ebe · Mediummutuple security groups for ssh access to ec2s
- 2f8c9e4a-1d5b-4c8f-9a6e-7b3d2e1f4a5c · LowNAT Gateway incurring high costs from cross-AZ data transfer and AWS service traffic
- a6c18252-225d-4e21-b7ca-5c591200715c · MediumNAT instances are used
- 64036652-ec42-41db-a7d6-32819a169fe5 · Mediumuser does not want rdp ports publically accessible
- bfea29bc-2ef9-4c6e-9ce3-d0c5823e3447 · Mediumuser does not want ssh ports publically accessible
- 87a20cc9-c7c2-403b-88a1-c2032d9034b5 · Mediumuser has a real time data feed from outside their vpc and is experiencing timeouts or slow download / response times
- 5d501b94-d91b-4ea0-8dff-f722393a3ad6 · Mediumuser wants all instances configured under VPC
- 04dbd22f-e862-4f8b-8a00-7ad7ac48836e · Mediumuser wants fault tolerant internet access
- 66837592-9e61-4dca-8784-f46209ed7d41 · Mediumuser wants security groups to be defined under a VPC
- d38ff956-167f-4916-8335-1b224bf8a75b · Mediumuser wants to ensure no security gorups allow ingress from 0.0.0.0/0
- 7e35eb21-1180-43d0-8d7d-5bb01fff7874 · Mediumuser wants to ensure that the defualt security group of every vpc restricts all traffic
- 955b348e-b934-4d1a-bc1b-966994f99322 · Mediumuser wants to ensure vpc flow logging is enabled in all applicable regions
- 15ed0da6-a382-4fe0-969b-e0c4f66425bd · Mediumuser wants to ensure vpc flow logging is enabled in all vpcs
- 21a71cb9-1d42-43ce-8461-f8cd6fda32cf · Mediumuser wants to restrict access to API from within VPC only
- 77ef079b-c64e-403b-973f-6782b3f8087d · MediumAWS account is not part of an AWS Organizations organization for centralized governance
- edc58eac-b68f-45ff-9905-28165178d256 · MediumAmazon RDS for MySQL or Aurora MySQL audit logs are not exported to S3 for long-term retention and compliance analysis
- 3afeb36c-4c09-400f-8f70-13314ff8d578 · HighAmazon RDS Idle DB Instances
- 08c3c3cd-25d9-4cb6-8c30-926c823276a8 · LowAmazon Relational Database Service (RDS) Reserved Instance Optimization
- 615f34d8-5c68-4f9e-bb45-69e66714b2cf · Mediumclient wants ml predictins to your applications via sql
- 02c10f83-1d4e-4889-b707-a7a564032af3 · Mediumcustomer needs a database but is not sure which one to select or what to configure
- f70af24d-8ea3-4434-a18a-7f4ceb78c1d3 · Mediumcustomer needs a database but is not sure which one to select or what to configure
- b2c3d4e5-f6a7-4890-b123-456789abcdef · MediumDatabase queries repeated without caching layer implementation
- 3660d10c-dcb8-4539-a478-17568ea89eba · Mediumhigh cpu / write frequency to aurora read replicas are causing performance issues, or you would like to specify custom endpoints for analytical queries
- b5d48d1f-0c91-4abb-97cb-fb1c04bb59ba · Mediumprovisioned aurora db or serverless v1
- 5c3d02fe-0ca2-45fe-be46-ef6ac1c678be · MediumRDS for SQL Server multi-tenant instances expose all database names to authenticated users by default
- a1f5645b-0bce-475a-b036-d34b9abd5dbb · MediumRDS instances are running on previous generations
- b3c7e2d1-8a4f-4b6e-9c5d-7e1a8f3b2c4d · LowRDS instances using GP2 storage instead of cost-effective GP3 storage type
- a4d8f3e1-9c2b-4f7e-8a5d-6b1c9e3f2a4d · LowRDS instances with over-provisioned storage capacity without auto-scaling enabled
- 4dd1933d-e014-4a2f-b044-497c050c5983 · MediumRDS Proxy subnets have insufficient available IP addresses causing connection failures and blocking security patches
- daff4201-ab90-42a9-a503-17ec9374a89e · Mediumrds struggles to keep up with demand of users on the website. users mostly read news / content and we (the company) do not post news / content often
- 2ba334ec-3d39-40fd-9753-a7efec8e3091 · Mediumreporting / analytics team wants to generate insights from your production relational database (e.g. RDS) but your production database is already taking on a normal load and you do not want to risk performance declines
- d5daba29-69b4-4a46-8223-73ece5a7b5ef · Mediumrightsize RDS instances
- c0764b9f-5241-46c5-af3f-3bcf30721fec · Mediumuser does not want RDS to have public interface
- b0c84bfb-87ed-4bc0-8cd5-76289fc81aa1 · Mediumuser is experiencing poor performance on the website / application
- e6108cb9-4ece-4882-b763-fa29ec6b1bd3 · Mediumuser is experiencing poor performance on the website / application
- 67c7713f-5866-4e0e-bd65-2fd445775878 · Mediumuser wants multi az disaster recovery for their application
- 4a77b3fb-647d-4f79-8605-28d7ab946ad2 · Mediumuser wants the rds storage to be encrypted
- daa4711f-c1d3-4104-a9e4-f709af67ecf7 · LowAmazon Redshift Reserved Node Optimization
- 0c1b66db-e282-4fbe-91cb-5c49cc88427a · HighUnderutilized Amazon Redshift Clusters
- 7d5eed76-e0e9-41d3-98ca-5d1becff0c18 · HighUnderutilized Amazon Redshift Clusters
- 332b3d41-5118-4fa2-ab98-1b2181c80f84 · MediumAmazon Route 53 Alias Resource Record Sets
- c5a5b3c1-b229-4839-8c91-63c630ad1fb9 · MediumAmazon Route 53 Alias Resource Record Sets
- e39158bd-8550-4a6e-ba9f-6060f584ec73 · MediumAmazon Route 53 Alias Resource Record Sets
- 57dd389a-4580-44db-a15e-499506415d56 · LowAmazon Route 53 Latency Resource Record Sets
- a1b7380e-dc29-411e-8847-5955cbde0c9a · Mediumcustomer would like their users to get the least amount of latency when accessing thier application
- aaa2e18d-2765-4d71-b465-d3552091c9b6 · Mediumlatency of applicaiton endpoints is not measured
- 3c011b9e-8392-43e5-ba2b-0436319cd6a4 · Mediumuser needs to increase the traffic to a specific region or AZ
- 761371b6-1c7d-4ba8-894e-b562375bacdb · Mediumuser wants to test a new app version with only a portion of the traffic sent
- ffc337be-4cb6-4899-b02c-d447af23221e · LowS3 buckets storing infrequently accessed data in Standard storage class without lifecycle policies
- 6179a4db-f9ff-4e69-ad33-2de230e7c706 · Mediums3 performance dips
- 06aabba0-436b-4295-91b1-165ee4741dc8 · Mediumuser does not want s3 bucket to allow all actions from all principals
- 743e9f6e-7cda-4e47-bbbb-10e47c728456 · Mediumuser does not want s3 bucket to allow delete actions from all principals
- b874846b-c586-47bf-a2fd-167ef2877f9f · Mediumuser is hosting highly dynamic content in Amazon S3 in [REGION_1]. Recently, there has been a need to make that data available with low latency in [REGION_2]
- 60c00aeb-ec1d-4b10-91fa-7025fd7a70be · Mediumuser states that they want to be able to recover deleted s3 objects immediately for a set time (15 days) athough it happens rarely. after the set time, and for up to a year, deleted objects should be recoverable within 48 hours.
- 83c3686a-7b31-478e-b388-453384ad53ba · Mediumuser wants encryption for s3 bucket write actions
- 2b2b9981-af69-40ca-a033-f39dd6eef852 · Mediumuser wants s3 bucket encrypted at rest (SSE)
- fa44e6cf-5243-4819-8256-2379e5347eff · Mediumuser wants s3 bucket to have server access logging enabled
- a97bfdeb-87c8-4550-a146-e926be7e6ecf · Mediumuser wants s3 bucket to have versioning MFA delete enabled
- ce620d59-96ae-4465-b6cf-6262e9e5f403 · Mediumuser wants s3 bucket to utilize SSL
- 356570fe-de33-4782-bc81-152cb144fb05 · Highuser wants to be made aware of the locations of all public s3 buckets (or their contents)
- 8b9e1857-90ef-43e0-8952-f047997ec2a3 · Mediumuser wants to distribute paid content from S3 securely and globally
- 75865815-d13a-4e95-9c50-b97e55f26afb · Mediumuser wants to do analysis / query s3 with complex sql statements (or using a BI related tool)
- 5449c935-aa36-4885-86e0-fee05a533361 · Mediumuser wants to ensure s3 bucket access logging is enabled on the CloudTrail S3 bucket
- f09206a7-4462-400d-811b-fd5f9be3b90a · Mediumuser wants to ensure s3 buckets are not publically accessible
- e8d205d0-3a21-49b3-9b3c-8ef6214a2b5e · Mediumuser wants to ensure that s3 bucket used to store cloudtrail log is not publicly accessible
- 871db617-a165-4b94-855c-8de1bdd71013 · Mediumuser wants to expose their s3 bucket as a file share system for linux devices
- 73c98951-d7a6-4858-b14a-e209b16bb222 · Mediumuser wants to prevent any other user (including themselvs) from overwriting data; user is likely requiring a WORM (write once read many) policy
- f4f39972-34cc-4e9e-9343-072fa9ab94ab · Mediumuser wants to query s3 directly using simple, performant sql statements
- cf7988fc-dd3d-45e2-9f58-53e7557b497f · Mediumuser wants to restrict inline policies
- 85cdd44d-95ec-490c-adcd-da4d9e0a6a3b · Mediumuser wants to: - allow only logged-in user to download a premium video on their s3 bucket - alow an ever changing list of users to download files by generating urls dynamically - allow temporarily a user to upload a file to a precise location in our bucket
- 03736e4a-6ce5-4375-84ce-278711247314 · Mediumusers wants their data encrypted in their data lake
- e9b21a0d-2fe8-4f5b-8875-52995b4cf2e7 · Mediumusers wants to automatically manage data storage tiers
- 1d8ad405-4cb5-4d9a-9326-b436d9bbdfe2 · Mediumuser wants to associate costs to cost centers, projects, teams, and other business units
- e4cc8c22-5fc3-41e7-b677-d313addf046d · HighApplication credentials and API keys are hardcoded instead of using AWS Secrets Manager
- de2df33a-9650-4d05-86a8-5f2c716a6034 · MediumAWS Security Hub is not enabled to aggregate security findings
- 3e1bfe64-1e5a-4b01-9a77-0f1c505ad6b1 · MediumMission-critical applications lack AWS Shield Advanced DDoS protection
- e9b3934d-8bfb-4584-bc59-9c6477fc1169 · MediumUser wants to migrateTB or PB scale data to aws, but has a slow network
- 55db77af-694b-428d-8337-fa10d770e17f · Mediumuser wants to ensure appropriate subscribers to each SNS topic
- 293ff9bc-a6b4-46ac-a524-c967b965101d · MediumUser wants to reduces duplicate messages in their queues
- d423fdff-9ac3-444f-89c7-0dccd282d72b · MediumEC2 instances lack file integrity monitoring for detecting unauthorized changes to critical files
- e7615b72-a401-4432-bb8f-df41c69497f7 · HighNetwork edge devices have exposed management interfaces accessible from the internet
- e55a54dd-f7ab-4b75-bac7-8067de64ea1a · HighPublic-facing applications do not have AWS WAF protection enabled
3e4cd300-6cff-4fd6-9504-38c0f38ab2ac · Medium severity · ACCOUNT
AWS account does not have alternate security contact information configured
# 3e4cd300-6cff-4fd6-9504-38c0f38ab2ac — AWS account does not have alternate security contact information configured
service: ACCOUNT
severity: medium
risk: security, operations
## Detection
AWS account has no security contact defined in the alternate contacts settings. Security Hub control Account.1 fails.
## What it is
AWS uses the alternate security contact to notify your organization about security-related issues. Without a designated security contact, critical notifications such as abuse reports, vulnerability disclosures, and compliance alerts may go to the root account email, which might not be monitored by the security team. This is a CIS AWS Foundations Benchmark v5.0.0 requirement (control 1.2) and maps to NIST 800-53 CM-2. Configuring this contact takes minimal effort and ensures that security-relevant communications reach the right personnel promptly, reducing mean time to response for security incidents.
## How to fix
Configure an alternate security contact for the AWS account by navigating to Account Settings and providing a security contact email, phone number, and name. This ensures AWS can reach the appropriate team for security-related notifications.
Why it exists
An open standard for AWS misconfigurations.
Every cloud security vendor keeps a private list. We're publishing ours — formatted for the tools you and your models actually use.
MCP-formatted bodies
Entries ship as Model Context Protocol manifests — drop one into Claude, GPT, or your in-house model and it knows the rule, the impact, and the fix. No prompt engineering required.
MCP · JSON · YAML · Markdown →
Free, forever, MIT
Mirror it. Fork it. Train on it. Run your own queries inside your VPC. We mirror GitHub every 5 minutes — the source of truth is always the repo.
github.com/bluearchio/aws-misconfig-db →
"
We replaced three internal "AWS best practice" wikis with the Governance Hub. Every alert in our pager now has a permalink an LLM can read. New engineers ramp in days, not quarters.
RK
R. Kapoor
Principal SRE · Series-C SaaS · ~$4M AWS / yr
Case snapshot
- Time to remediate
- ↓ 71%
- Findings auto-triaged
- 83%
- Internal wikis sunset
- 3
- Ramp time, new SRE
- 8 days
FAQ
Common questions.
If something isn't covered, open an issue on the repo.
Is the database really free?+
Yes. MIT-licensed, hosted on GitHub, mirrored here every 5 minutes. We monetize the commercial products (BlueArch CLI, Tag Manager) that use the Hub — not the Hub itself.
How do I integrate it with my LLM?+
Each entry ships as a Model Context Protocol (MCP) manifest. Point your client at our MCP server, or self-host the repo and load entries as static context. Examples for Claude, GPT, and Bedrock live in the README.
How often is it updated?+
Continuously. The mirror runs every 5 minutes; new AWS services and regions are typically cataloged within 24 hours of GA. Subscribe to the repo for release notifications.
Can I contribute?+
Please do. Open a PR with a YAML entry following the template. Every accepted PR is credited in the repo and on the contributors page.
How does this relate to AWS Config / Security Hub?+
AWS Config rules describe detection; Security Hub aggregates findings. The Governance Hub provides the human + LLM context layer on top — what the misconfig means for your business, how to fix it, and the compliance mappings. Use them together.
Put the Hub in your loop.
Wire it into your terminal, your CI, or your model context. Or pair it with BlueArch CLI to get alerts that already cite Hub entries — with the context, the patch, and the compliance trail attached.