Compliance

Disable insecure access modes and protocols

One capability across IAM, EKS, Lambda, S3, Transfer Family and Transit Gateway: turn off the legacy access modes, open defaults and plaintext protocols that grant reach nobody deliberately intended.

14 min·10 sections·AWS

Last reviewed 16 June 2026

Remediates AWS Security Hub: EC2.23 EKS.1 IAM.4 Lambda.1 S3.12 Transfer.2

Disabling insecure access: the basics

What counts as an insecure access mode across AWS?

Insecure access is not one setting. It shows up as a property in many shapes: a root access key that bypasses every guardrail, an EKS cluster whose Kubernetes API endpoint is open to the internet, a Lambda function whose resource policy lets any principal invoke it, an S3 bucket still managing access with legacy ACLs, a Transfer Family server speaking plain FTP, a Transit Gateway that auto-accepts attachment requests. Each service expresses the weakness differently, but the theme is identical: an access mode that grants more reach, to more people, than anyone deliberately chose.

AWS Security Hub turns each of these into its own control, which is why one estate can fail several insecure-access checks at once. IAM.4 covers the root access key; EKS.1 covers public cluster endpoints; Lambda.1 covers public function policies; S3.12 covers buckets using ACLs; Transfer.2 covers FTP-enabled servers; EC2.23 covers Transit Gateway auto-accept. They look like separate problems on the report, but they are one capability: close the door that was open by default or left open by habit, and replace it with an explicit, identity-aware alternative.

Most of these are the result of a default rather than a decision. A cluster spun up on the public default, a bucket created before BucketOwnerEnforced was the norm, a wildcard pasted into a function policy to unblock a deploy, a Transfer server set to FTP because the wizard offered it. The job is to find every insecure access mode, decide the small number that are genuinely intended, route those through a controlled, authenticated alternative, and turn off the rest.

In this lesson you will learn how AWS expresses insecure access across identity, compute, storage, file transfer and networking, how to find every insecure mode in an account, and how to close them without breaking the few callers that genuinely depend on a public or legacy path. The Controls this lesson covers section lists every Security Hub control in this capability, each linking to a deep page with the exact check and a copy-and-paste fix.

Fun fact

The key that was never meant to exist

When AWS launched, the root access key was the only way to call the API, because IAM did not exist yet. IAM arrived in 2010 and AWS has spent every year since telling customers to stop using root keys. The advice worked so well that AWS changed account creation itself: new accounts today ship with no root access key and the console actively discourages making one. The same pattern runs through this whole capability. FTP predates TCP/IP, S3 ACLs predate IAM, and EKS clusters once defaulted to public. The protocols and modes still work; the world around them changed, and the controls exist to catch the ones nobody revisited.

Finding insecure access modes across an estate

Priya is the security lead at a scale-up preparing for its first SOC 2 audit. Security Hub shows insecure-access failures spread across IAM, EKS, Lambda and Transfer Family in three accounts that pre-date the team's current guardrails.

Rather than work the findings one by one, she starts with the highest-blast-radius item, the one that bypasses every other control, before touching anything else: is there a root access key on any of these accounts?

Start with the worst case. A root access key bypasses every IAM policy and Service Control Policy, so it is the first insecure mode to confirm and close.

$ aws iam get-account-summary --query 'SummaryMap.AccountAccessKeysPresent'

# A value of 1 means a root access key exists. IAM.4 FAILS.

# The only passing value is 0. There is no acceptable non-zero count.

AccountAccessKeysPresent is binary: 1 means a root key exists and bypasses every guardrail. Close this first.

How AWS decides an access mode is insecuredeep dive

Most controls in this group resolve to one of three mechanisms. The first is a credential or principal that is too powerful: a root access key (IAM.4) that no policy can constrain, or a Lambda resource policy with a wildcard principal (Lambda.1) that lets any AWS principal invoke the function. The second is an open network or auto-accept default: an EKS cluster with endpointPublicAccess set to true (EKS.1), or a Transit Gateway that auto-accepts attachment requests (EC2.23) rather than requiring explicit approval. The third is a legacy access model or plaintext protocol: an S3 bucket still using ACLs instead of BucketOwnerEnforced (S3.12), or a Transfer Family server with FTP in its protocol set (Transfer.2).

Security Hub evaluates these through AWS Config. Some checks are change-triggered, so a remediated bucket or function clears within minutes; others, like the root-key check, are periodic, so deleting the key flips the finding on the next scheduled run rather than instantly. The control-plane change itself takes effect immediately, so query the underlying service to confirm state rather than waiting on the report when you are gathering audit evidence.

The strongest version of this capability is preventive. An organisation-wide Service Control Policy that denies root key creation, a landing-zone module that defaults EKS clusters to private and S3 buckets to BucketOwnerEnforced, an IaC guardrail that blocks FTP and wildcard function policies: these make the insecure mode impossible to reach rather than merely quick to clean up. Detective controls find the gap after the fact; preventive controls stop it shipping.

What is the impact of leaving insecure access on?

The direct impact is exposure, scaled by what the mode reaches. A leaked root key is total account compromise with no internal control able to contain it. A public Lambda or EKS endpoint is a usable entry point into the workload behind it, defended only by an authentication layer. A bucket ACL granting AllUsers makes data world-readable through a grant a normal policy review never sees. An FTP server sends credentials and files in clear text to anyone on the path. The probability per event is low, but across all modes over years it is not.

The second-order impact is blast radius and discoverability. Every public endpoint and open default is attack surface that internet-wide scanners find within hours: public EKS endpoints leak through certificate-transparency logs, leaked keys are crawled out of public repos within minutes, open Lambda functions can be hammered into a five-figure bill over a weekend. Closing insecure access shrinks the surface to the handful of authenticated front doors you actually operate.

On the compliance side, every modern framework, SOC 2, ISO 27001, HIPAA, PCI DSS and FedRAMP, expects evidence that access is authenticated, scoped and encrypted by default. A public endpoint, a root key or a plaintext protocol is a clean, demonstrable failure an auditor will write up, and it can stall a certification or a customer security review at exactly the wrong moment in a sales cycle. A passing set of these controls is among the cheapest defensible artefacts you can produce.

How do you disable insecure access safely?

Work the capability as one loop rather than chasing individual findings. The order matters: find the legitimate exceptions before you start closing things, so you do not lock yourself out of a cluster or strand a partner integration.

1. Inventory every insecure access mode

Across services, list the modes that are open or legacy: root access keys, EKS clusters with public endpoints, Lambda functions with wildcard principals, S3 buckets using ACLs, Transfer servers speaking FTP, and Transit Gateways set to auto-accept. Treat this inventory as the source of truth rather than the finding count, and rank it by blast radius. The root key and any public endpoint fronting data are the urgent ones.

2. Separate genuine exceptions from defaults

Most insecure access is unintended. For each mode, decide whether it is needed on purpose. A genuinely public endpoint belongs behind a controlled, authenticated front door, never on the open internet; a partner that must use the public path gets a CIDR-restricted endpoint or an authenticated protocol, not plain FTP. There is no legitimate exception for a root access key; the target is always zero.

3. Close the modes, highest blast radius first

Delete the root key as the root user, set EKS clusters to private after confirming a private path so you do not lock yourself out, remove wildcard principals from function policies and rescope service triggers with a fixed-value source condition, switch buckets to BucketOwnerEnforced after replicating any ACL-based grant as a policy, and migrate Transfer servers to SFTP, FTPS or AS2 after confirming the partner's client supports it. Each is a single API call per resource, but the verification before the call is what keeps a live workload online.

4. Prevent it shipping again

Closing existing modes is one-off; stopping new ones is the durable fix. Deny root key creation with an organisation-wide Service Control Policy, default EKS clusters to private and S3 buckets to BucketOwnerEnforced in your IaC modules, block FTP and wildcard function policies in the deployment pipeline, and keep the relevant AWS Config rules enabled for detection. The goal is that an insecure access mode can only exist deliberately, never by default.

# Close the highest-blast-radius mode first: confirm and remove the root access key.
# (Deletion is done as the root user via the console; an IAM identity cannot do it.)
aws iam get-account-summary --query 'SummaryMap.AccountAccessKeysPresent'
# Expect 0 after deletion.

# Close a public EKS endpoint (only after confirming a private path exists).
aws eks update-cluster-config --name svc-orders \
  --resources-vpc-config endpointPublicAccess=false,endpointPrivateAccess=true

# Disable legacy ACLs on a bucket and let policy govern access.
aws s3api put-bucket-ownership-controls --bucket my-legacy-assets \
  --ownership-controls 'Rules=[{ObjectOwnership=BucketOwnerEnforced}]'

# Migrate a Transfer Family server off plain FTP to SFTP only.
aws transfer update-server --server-id s-0a1b2c3d4e5f --protocols SFTP

Quick quiz

Question 1 of 5

Security Hub shows insecure-access failures across IAM, EKS, Lambda and Transfer Family. What is the most efficient way to think about them?

Keep learning

Go deeper on how AWS expresses insecure access across the services in this capability.

You can now treat insecure access as one capability rather than a scatter of findings: inventory the open and legacy modes across IAM, EKS, Lambda, S3, Transfer Family and Transit Gateway, separate the genuine exceptions and route them through an authenticated front door, close the rest by blast radius, and prevent insecure defaults from shipping again with guardrails. The Controls this lesson covers section below links every control in this group to its deep page and fix.

Back to the library

Disabling insecure access: the cost and risk view

A near-zero-cost capability that removes a large class of accidental-exposure liability

Insecure access modes are a common source of accidental exposure, and almost every control in this group costs nothing in AWS spend to fix. Deleting a root key, closing an EKS endpoint, removing a wildcard from a function policy, disabling ACLs on a bucket or switching a Transfer server to SFTP does not change your bill. The cost sits in the few legitimate exceptions: a genuinely public endpoint that needs a controlled front door, or a partner integration that needs a graceful protocol migration.

Frame each failing control as a line on the risk register rather than a compliance checkbox, and weight by the data behind it. A root access key carries unbounded, account-wide exposure; a public Lambda fronting a database carries both a breach risk and a runaway invocation bill; an FTP server moving customer files is a PCI exposure. A test-box default is far lower. Map the failures to what they expose and prioritise by that, not by the order the report lists them.

The insurance maths is one-sided. The remediation is engineering time plus a small, bounded migration for the legitimate exceptions. The downside of leaving it is the documented cost of an accidental-exposure breach: regulatory fines, breach notification, forensics, legal fees and stalled audits or deals when an open finding fails a customer security review.

This lesson is for the finance partner who sees a cluster of insecure-access findings on the security report and wants to know what the right response is and what it costs. It covers why most of these controls are free to fix, which exceptions carry a real migration cost, and how to turn a list of red findings into a risk-ordered remediation plan weighted by what each one exposes.

Fun fact

The key that was never meant to exist

How a finance partner risk-weights a scatter of insecure-access findings

Priya, the finance partner at a scale-up heading into its first SOC 2 audit, opens the security pack and finds insecure-access failures spread across IAM, EKS, Lambda and Transfer Family in three older accounts. Her instinct is not to ask what the fix costs, because she already knows the answer is almost nothing in AWS spend: deleting a root key, closing an EKS endpoint, removing a wildcard from a function policy and switching a Transfer server to SFTP all leave the bill unchanged. Her job is to make sure the team works them in the order that retires the most liability first.

She asks for the inventory weighted by what each mode actually reaches, not by the order Security Hub printed them. The root access key (IAM.4) sits at the top with unbounded, account-wide exposure that no other control can contain, so it is the first item and there is no acceptable non-zero count. Next come the public Lambda function fronting a database, which carries both a breach risk and an uncapped per-invocation bill an attacker could run up over a weekend, and the FTP server moving customer files, which is a live PCI exposure. The test-box defaults drop to the bottom. The only line that needs real money is the partner integration that must keep working through a graceful protocol migration, which she books as a small, bounded one-time piece of engineering rather than letting it block the free fixes.

Why insecure access belongs on the risk register

The cost model here is asymmetric in a way that is rare for security work. Closing insecure access costs nothing in AWS spend, and leaving it open creates an unbounded tail risk. Each failing control is a mode where a future accident or compromise could expose what it reaches, and the worst of them, a root key or a public function fronting customer data, has no acceptable non-zero floor.

Two of these controls also touch the bill directly, which most security findings do not. A public Lambda function open to the internet bills per invocation with no cap, so an attacker or scanner can convert the exposure into a four- or five-figure surprise charge in hours. That makes this capability one a CFO should care about on cost grounds alone, not just risk.

The documented cost of an accidental-exposure breach includes mandatory notification within tight regulatory windows, forensics and legal fees that routinely run into six and seven figures, and customer churn. Against that, the remediation is engineering time plus a bounded migration for the few legitimate exceptions. The finance role is to attach expected loss to each failing mode so the work is prioritised by what it exposes, not by the order the report lists it.

What finance can actually do about insecure access

Finance does not delete the root key or close the cluster, but it owns the framing that turns a scatter of red findings into a risk-ordered plan with a clear floor and visible exceptions. Three levers at the review cadence.

1. Risk-weight the findings by what each mode reaches, not by control count

Insist the remediation order is set by blast radius, not by the order the report lists. A root access key with unbounded account-wide reach and a public function fronting customer data are urgent and free to fix; a default on a test box is low. Ask for each failing control mapped to the data or reach behind it, so the team retires the largest liability first and you can see why a given finding is ranked where it is.

2. Separate the free flips from the one bounded migration cost

Almost every control in this group costs nothing in AWS spend, so the only real money is the small, bounded migration for a legitimate exception, typically a partner integration moving off plain FTP to an encrypted protocol. Book that as a distinct one-time engineering line and do not let it stall the free fixes around it. The cost of leaving the gap, by contrast, is the documented breach exposure: regulatory fines, notification, forensics, legal fees and stalled audits or deals.

3. Require a recorded exception for any mode left open on purpose

There is no legitimate exception for a root access key; its target is always zero. For anything else left insecure by deliberate choice, finance should see a documented exception with an owner and a reason, not a silently suppressed finding. That list of accepted risks is exactly what a customer security review or an auditor will ask for, and it is what separates a defensible decision from an oversight when an open finding surfaces mid sales cycle.

Quick quiz

Question 1 of 5

What is the AWS spend impact of fixing most of the controls in this group?

Keep learning

Go deeper on how AWS expresses insecure access across the services in this capability.

You have finished the finance view of disabling insecure access. You know that almost every control in this group is free to fix in AWS terms, that the only real money is the small bounded migration for a legitimate exception such as a partner on plain FTP, and that the right move is to risk-weight each failing mode by what it reaches rather than by control count. Next time a cluster of these findings lands, you will ask for a blast-radius-ordered plan and a recorded exception for anything left open on purpose, with the root key always targeted at zero.

Back to the library

Disabling insecure access: the headline

Whether anything in the estate grants access by an insecure default rather than a deliberate choice

Insecure access is the category of risk that turns a default nobody chose into a headline. A master credential that bypasses every control, a cluster open to the internet, a function anyone can invoke, a file pipe moving data in clear text: each is one bad moment away from exposure, and the report shows them as a scatter of separate findings across many services.

The leadership question is not whether we are compliant today; it is whether access is granted on purpose, to identified callers, or whether it leaks through defaults and legacy modes nobody revisited. The defensible end state is that insecure modes are prevented by policy, with the small number of genuinely necessary exceptions routed through a controlled, authenticated front door.

None of this is a cost decision. Closing insecure access is free in AWS terms. It is a governance decision about whether reach is granted deliberately or only by everyone remembering not to take the easy default.

A short read for the leader who needs to know what insecure access exposes, why closing it is a governance decision rather than a budget one, and what a defensible end state looks like: deliberate, authenticated access everywhere, with insecure defaults prevented by policy.

Fun fact

The key that was never meant to exist

When reach is granted on purpose rather than by a default nobody revisited

The leadership team learned the shape of this risk from an audit calendar rather than a breach. A readiness scan showed that the accounts carrying the most business risk were precisely the ones still running insecure defaults: a root access key that bypasses every guardrail, a Kubernetes endpoint open to the internet, a function any AWS principal could invoke, and a file pipe still moving data in clear text. None of it had been chosen; each had simply been left at the easy default while the world around it moved on.

The response was to stop treating each red finding as a separate chore and to set one governance line: access is granted deliberately, to identified callers, or it is closed. The small number of genuinely necessary public paths get a controlled, authenticated front door; everything else is turned off, and a Service Control Policy makes the worst modes impossible to recreate. Because none of this is a cost decision, the only thing leadership had to weigh was whether reach should depend on everyone remembering not to take the easy default, or on a policy that closes the door by design. The signal at the review is no longer the finding count but whether insecure access can still appear by accident.

Why this is a board-level risk

Nearly every major cloud breach that involved exposed access came back to the same root cause: a mode that could be left open or insecure was left that way by default. Disabling insecure access modes is the control that makes that root cause structurally difficult, and the preventive guardrails, an SCP against root keys, private-by-default clusters, FTP blocked at creation, make it close to impossible.

The cost of getting this wrong is large and well documented, while the cost of fixing it is essentially engineering time. This is the rare class of control where the risk of inaction is severe and the cost of action is small, which is exactly the trade leadership should be quickest to approve, and quickest to make permanent with a guardrail so the same finding cannot reappear one ticket at a time.

The leadership move on insecure access

The handle for an executive is not to approve each closure, but to set the policy that makes insecure access deliberate and rare, and to make the fix permanent so the same finding cannot reappear one ticket at a time.

1. Set the policy: access is deliberate and authenticated, never a default

Make it an organisational standard that no estate grants reach through an insecure default or a legacy mode. The genuinely necessary public paths sit behind a controlled, authenticated front door; everything else is closed. This removes the per-finding debate and meets the obligation by design rather than by whoever remembered not to take the easy default, which matters because the riskiest modes are exactly the oldest, least-revisited ones.

2. Make the worst modes impossible to recreate with a guardrail

Closing today's findings is one-off; the durable fix is preventive. Approve an organisation-wide Service Control Policy that denies root key creation, landing-zone defaults that ship EKS clusters private and S3 buckets on BucketOwnerEnforced, and a pipeline that blocks FTP and wildcard function policies. This is the rare class of control where the risk of inaction is severe and the cost of action is essentially engineering time, so it is the trade leadership should be quickest to make permanent.

3. Ask whether the gap can still appear by accident, not for a zero count

The one-line ask at the review is whether insecure access can still be created by default, or only by a deliberate, recorded decision. A clean list of documented exceptions with the preventive guardrails in place is a healthy posture. A finding count driven to zero by closing tickets without a guardrail is not the same thing, because the same default will reappear on the next cluster, bucket or function that nobody revisited.

Quick quiz

Question 1 of 5

Why is disabling insecure access framed as a governance decision rather than a budget one?

Keep learning

Go deeper on how AWS expresses insecure access across the services in this capability.

Two takeaways. This is a governance decision, not a budget one: closing insecure access is free in AWS terms, so a finding here is a default nobody revisited rather than a hard call. And the metric that matters is not a zero count but whether the gap can still appear by accident, every necessary path behind an authenticated front door, every exception recorded with an owner, and a Service Control Policy and private-by-default modules that make the worst modes impossible to recreate.

Back to the library

Controls this lesson covers

One capability, many AWS Security Hub controls. This lesson is the shared playbook; each control below keeps its own deep page with the exact check, severity and a copy-and-paste fix.

Disable insecure access modes and protocols

Disabling insecure access: the basics

The key that was never meant to exist

Finding insecure access modes across an estate

How AWS decides an access mode is insecuredeep dive

What is the impact of leaving insecure access on?

How do you disable insecure access safely?

1. Inventory every insecure access mode

2. Separate genuine exceptions from defaults

3. Close the modes, highest blast radius first

4. Prevent it shipping again

Quick quiz

Keep learning

Disabling insecure access: the cost and risk view

The key that was never meant to exist

How a finance partner risk-weights a scatter of insecure-access findings

Why insecure access belongs on the risk register

What finance can actually do about insecure access

1. Risk-weight the findings by what each mode reaches, not by control count

2. Separate the free flips from the one bounded migration cost

3. Require a recorded exception for any mode left open on purpose

Quick quiz

Keep learning

Disabling insecure access: the headline

The key that was never meant to exist

When reach is granted on purpose rather than by a default nobody revisited

Why this is a board-level risk

The leadership move on insecure access

1. Set the policy: access is deliberate and authenticated, never a default

2. Make the worst modes impossible to recreate with a guardrail

3. Ask whether the gap can still appear by accident, not for a zero count

Quick quiz

Keep learning

Controls this lesson covers

EC2

EKS

IAM

Lambda

S3

Transfer

Related compliance lessons