How it works…

The checks that are provided for free with this service are as follows:

  • Unrestricted ports: This is a check on the highest-risk ports in your security groups. They'll be flagged if they're open to everyone (0.0.0.0/0).
  • IAM usage: This is a fairly rudimentary check. If there isn't at least one IAM user in your account, this check won't pass. It's considered good practice not to use your root login credentials for your AWS account, and instead to create IAM users with least-privilege access.
  • MFA on root account: You need to have MFA enabled for your root login in order for this check to pass. It's also a good idea to enable MFA for your IAM users as well, as we discussed in Chapter 1, AWS Fundamentals.
  • Amazon S3 bucket permissions: This will alert you to any buckets that are configured for public access.
  • Service limits: This one is quite handy—if you're approaching 80% of your service limits, this check won't pass. For example, it's nice to know if you're about to hit the cap of CloudFormation stacks or EC2 instances before you attempt to create them.
  • EBS and RDS public snapshots: This checks to see if any of your snapshots are open to the general public.

Even though there is only a handful of checks here, these are some of the more useful ones, so we'd encourage you to pay attention to them. The console uses a color scheme to denote the status of each check:

  • Red: It's recommended that you take action to remedy this check.
  • Yellow: This check requires investigation and possible remediation.
  • Green: This check is passing and needs no attention.

Visit the Preferences page in the Trusted Advisor web console if you'd like to have a weekly report emailed to you.
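
To see what the Unrestricted ports check described above is looking for, here is an added example (not code from the book or from AWS) that applies the same idea to security group data in the shape returned by `aws ec2 describe-security-groups`. The port list is an illustrative assumption rather than Trusted Advisor's own list, the sample groups are constructed, and the example goes slightly beyond the text by also treating the IPv6 range `::/0` as open to everyone.

```python
import ipaddress

# Assumption: illustrative high-risk ports, not Trusted Advisor's actual list.
HIGH_RISK_PORTS = {22: "SSH", 23: "Telnet", 1433: "MSSQL",
                   3306: "MySQL", 3389: "RDP", 5432: "PostgreSQL"}
WORLD = {ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")}

def open_to_world(perm):
    """Return the CIDRs in this rule that cover every address."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if ipaddress.ip_network(c, strict=False) in WORLD]

def exposed_ports(perm):
    """Return the high-risk ports covered by the rule's protocol and port range."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # "all traffic" rules carry no port fields: every port is open
        return sorted(HIGH_RISK_PORTS)
    if proto not in ("tcp", "udp"):  # e.g. ICMP, where FromPort is a type, not a port
        return []
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return [p for p in sorted(HIGH_RISK_PORTS) if lo <= p <= hi]

def find_unrestricted(groups):
    """Return (group id, port, service, cidr) for each world-open high-risk port."""
    findings = []
    for g in groups:
        for perm in g.get("IpPermissions", []):
            for cidr in open_to_world(perm):
                for port in exposed_ports(perm):
                    findings.append((g["GroupId"], port, HIGH_RISK_PORTS[port], cidr))
    return findings

# Constructed sample data (group IDs and rules are made up for this example).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0example1", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0example2", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0example3", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]},
]

if __name__ == "__main__":
    for group_id, port, service, cidr in find_unrestricted(SAMPLE_GROUPS):
        print(f"{group_id}: {service} ({port}) open to {cidr}")
```

The second sample group shows why port ranges matter: its rule never names 3306 or 3389, but the 3000-4000 range covers both.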