FinOps for Cloud
© 2025 SoftwareOne. All rights reserved.


Security Recommendations


Last updated 12 days ago


Inactive IAM users

Users who have been inactive for more than 90 days are considered obsolete and subject to deletion. They pose a security risk to the organization because they can be compromised and become access points for malicious users.

The number of days is a custom parameter. Use Settings to change it. You can also download the list of inactive users as JSON or XLSX by selecting the download icon.

Instances with insecure Security Groups settings

This security check scans resources for network vulnerabilities and lists the instances that are exposed to RDP/SSH attacks. The following ports and permissions are considered insecure:

  • port tcp/22

  • port tcp/3389

  • all inbound traffic

when combined with one of the following:

  • CidrIp: 0.0.0.0/0

  • CidrIpv6: ::/0

AWS

  • Describe regions: ec2.describe_regions()

  • Describe instances: ec2.describe_instances()

  • Describe security groups: ec2.describe_security_groups()

Azure

  • Describe instances: compute.virtual_machines.list_all()

  • Describe security groups: network.network_security_groups.list_all()

Network interfaces without associated security groups are skipped.

You can download the list of insecure Security Groups as JSON for subsequent automated processing.
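
As an added illustration (not SoftwareOne's implementation), the criteria above can be applied offline to data shaped like the `SecurityGroups` and `Reservations` lists in the boto3 responses named in the AWS list. The function names, the constructed sample data, and the treatment of a port range that contains 22 or 3389 as exposing that port are assumptions of this example.

```python
# Added example, not product code; inputs mirror boto3 EC2 describe_* responses.
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}
WATCHED_TCP_PORTS = (22, 3389)

def exposures(perm):
    """Return the insecure conditions one IpPermissions entry matches."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    if not any(c in OPEN_CIDRS for c in cidrs):
        return []
    if perm.get("IpProtocol") == "-1":  # all protocols, all ports
        return ["all inbound traffic"]
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if perm.get("IpProtocol") != "tcp" or lo is None or hi is None:
        return []
    # Assumption: a port range that contains a watched port exposes it.
    return [f"tcp/{p}" for p in WATCHED_TCP_PORTS if lo <= p <= hi]

def insecure_groups(security_groups):
    """Map GroupId -> sorted exposures, for groups that have any."""
    found = {}
    for sg in security_groups:
        hits = {e for p in sg.get("IpPermissions", []) for e in exposures(p)}
        if hits:
            found[sg["GroupId"]] = sorted(hits)
    return found

def insecure_instances(reservations, security_groups):
    """Map InstanceId -> exposures inherited from its attached groups."""
    bad, found = insecure_groups(security_groups), {}
    for res in reservations:
        for inst in res.get("Instances", []):
            refs = inst.get("SecurityGroups", [])
            hits = {e for r in refs for e in bad.get(r["GroupId"], [])}
            if hits:
                found[inst["InstanceId"]] = sorted(hits)
    return found

# Constructed sample data; every ID below is made up.
GROUPS = [
    {"GroupId": "sg-ssh", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22,
        "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-range", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3000,
        "ToPort": 4000, "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-web", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443,
        "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}]
RESERVATIONS = [{"Instances": [
    {"InstanceId": "i-a", "SecurityGroups": [{"GroupId": "sg-ssh"}, {"GroupId": "sg-range"}]},
    {"InstanceId": "i-b", "SecurityGroups": [{"GroupId": "sg-web"}]}]}]
```

Call `insecure_instances(RESERVATIONS, GROUPS)` to evaluate the sample; with live data, pass the `Reservations` and `SecurityGroups` lists from the two boto3 responses instead.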

IAM users with unused console access

This list contains active IAM users that have console access turned on but have not used it for more than 90 days. Consider revoking their console access to increase security.

Public S3 buckets

The S3 buckets in the list are public. Ensure that the buckets use the correct policies and are not publicly accessible unless explicitly required.

Note that the number of days is a custom parameter. Use Settings to change it.
