
💼 AWS Foundational Security Best Practices v1.0.0

  • ID: /frameworks/aws-fsbp-v1.0.0

Description​

Empty...

Similar​

  • Internal
    • ID: dec-a-4cf64d45

Sub Sections​

Section | Sub Sections | Internal Rules | Policies | Flags | Compliance
💼 Account111no data
 💼 [Account.1] Security contact information should be provided for an AWS account11no data
💼 AppSync4no data
 💼 [AppSync.1] AWS AppSync API caches should be encrypted at restno data
 💼 [AppSync.2] AWS AppSync should have field-level logging enabledno data
 💼 [AppSync.5] AWS AppSync GraphQL APIs should not be authenticated with API keysno data
 💼 [AppSync.6] AWS AppSync API caches should be encrypted in transitno data
💼 API Gateway766no data
 💼 [APIGateway.1] API Gateway REST and WebSocket API execution logging should be enabled11no data
 💼 [APIGateway.2] API Gateway REST API stages should be configured to use SSL certificates for backend authentication11no data
 💼 [APIGateway.3] API Gateway REST API stages should have AWS X-Ray tracing enabled11no data
 💼 [APIGateway.4] API Gateway should be associated with a WAF Web ACL11no data
 💼 [APIGateway.5] API Gateway REST API cache data should be encrypted at restno data
 💼 [APIGateway.8] API Gateway routes should specify an authorization type11no data
 💼 [APIGateway.9] Access logging should be configured for API Gateway V2 Stages11no data
💼 Athena11no data
 💼 [Athena.4] Athena workgroups should have logging enabled1no data
💼 Auto Scaling645no data
 💼 [AutoScaling.1] Auto Scaling groups associated with a load balancer should use ELB health checks11no data
 💼 [AutoScaling.2] Amazon EC2 Auto Scaling group should cover multiple Availability Zones1no data
 💼 [AutoScaling.3] Auto Scaling group launch configurations should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2)11no data
 💼 [AutoScaling.5] Amazon EC2 instances launched using Auto Scaling group launch configurations should not have Public IP addresses11no data
 💼 [AutoScaling.6] Auto Scaling groups should use multiple instance types in multiple Availability Zonesno data
 💼 [AutoScaling.9] Amazon EC2 Auto Scaling groups should use Amazon EC2 launch templates11no data
💼 Backup11no data
 💼 [Backup.1] AWS Backup recovery points should be encrypted at rest1no data
💼 Certificate Manager (ACM)222no data
 💼 [ACM.1] Imported and ACM-issued certificates should be renewed after a specified time period11no data
 💼 [ACM.2] RSA certificates managed by ACM should use a key length of at least 2,048 bits11no data
💼 CloudFormation2no data
 💼 [CloudFormation.3] CloudFormation stacks should have termination protection enabledno data
 💼 [CloudFormation.4] CloudFormation stacks should have associated service rolesno data
💼 CloudFront1479no data
 💼 [CloudFront.1] CloudFront distributions should have a default root object configured11no data
 💼 [CloudFront.3] CloudFront distributions should require encryption in transit11no data
 💼 [CloudFront.4] CloudFront distributions should have origin failover configuredno data
 💼 [CloudFront.5] CloudFront distributions should have logging enabled11no data
 💼 [CloudFront.6] CloudFront distributions should have WAF enabled1no data
 💼 [CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates11no data
 💼 [CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests11no data
 💼 [CloudFront.9] CloudFront distributions should encrypt traffic to custom origins11no data
 💼 [CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins11no data
 💼 [CloudFront.12] CloudFront distributions should not point to non-existent S3 originsno data
 💼 [CloudFront.13] CloudFront distributions should use origin access controlno data
 💼 [CloudFront.15] CloudFront distributions should use the recommended TLS security policy1no data
 💼 [CloudFront.16] CloudFront distributions should use origin access control for Lambda function URL originsno data
 💼 [CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookiesno data
💼 CloudTrail423no data
 💼 [CloudTrail.1] CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events11no data
 💼 [CloudTrail.2] CloudTrail should have encryption at-rest enabled1no data
 💼 [CloudTrail.4] CloudTrail log file validation should be enabled11no data
 💼 [CloudTrail.5] CloudTrail trails should be integrated with Amazon CloudWatch Logsno data
💼 CodeBuild511no data
 💼 [CodeBuild.1] CodeBuild Bitbucket source repository URLs should not contain sensitive credentials11no data
 💼 [CodeBuild.2] CodeBuild project environment variables should not contain clear text credentialsno data
 💼 [CodeBuild.3] CodeBuild S3 logs should be encryptedno data
 💼 [CodeBuild.4] CodeBuild project environments should have a logging AWS Configurationno data
 💼 [CodeBuild.7] CodeBuild report group exports should be encrypted at restno data
💼 Cognito5no data
 💼 [Cognito.2] Cognito identity pools should not allow unauthenticated identitiesno data
 💼 [Cognito.3] Password policies for Cognito user pools should have strong configurationsno data
 💼 [Cognito.4] Cognito user pools should have threat protection activated with full function enforcement mode for custom authenticationno data
 💼 [Cognito.5] MFA should be enabled for Cognito user poolsno data
 💼 [Cognito.6] Cognito user pools should have deletion protection enabledno data
💼 Config11no data
 💼 [Config.1] AWS Config should be enabled and use the service-linked role for resource recording1no data
💼 Connect11no data
 💼 [Connect.2] Amazon Connect instances should have CloudWatch logging enabled1no data
💼 Data Firehose1no data
 💼 [DataFirehose.1] Firehose delivery streams should be encrypted at restno data
💼 Database Migration Service (DMS)934no data
 💼 [DMS.1] Database Migration Service replication instances should not be public11no data
 💼 [DMS.6] DMS replication instances should have automatic minor version upgrade enabled11no data
 💼 [DMS.7] DMS replication tasks for the target database should have logging enabled1no data
 💼 [DMS.8] DMS replication tasks for the source database should have logging enabled1no data
 💼 [DMS.9] DMS endpoints should use SSL11no data
 💼 [DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabledno data
 💼 [DMS.11] DMS endpoints for MongoDB should have an authentication mechanism enabledno data
 💼 [DMS.12] DMS endpoints for Redis OSS should have TLS enabledno data
 💼 [DMS.13] DMS replication instances should be configured to use multiple Availability Zonesno data
💼 DataSync11no data
 💼 [DataSync.1] DataSync tasks should have logging enabled1no data
💼 DocumentDB63no data
 💼 [DocumentDB.1] Amazon DocumentDB clusters should be encrypted at rest1no data
 💼 [DocumentDB.2] Amazon DocumentDB clusters should have an adequate backup retention periodno data
 💼 [DocumentDB.3] Amazon DocumentDB manual cluster snapshots should not be publicno data
 💼 [DocumentDB.4] Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs1no data
 💼 [DocumentDB.5] Amazon DocumentDB clusters should have deletion protection enabled1no data
 💼 [DocumentDB.6] Amazon DocumentDB clusters should be encrypted in transitno data
💼 DynamoDB533no data
 💼 [DynamoDB.1] DynamoDB tables should automatically scale capacity with demand11no data
 💼 [DynamoDB.2] DynamoDB tables should have point-in-time recovery enabled11no data
 💼 [DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest11no data
 💼 [DynamoDB.6] DynamoDB tables should have deletion protection enabledno data
 💼 [DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transitno data
💼 Elastic Beanstalk33no data
 💼 [ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled1no data
 💼 [ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled1no data
 💼 [ElasticBeanstalk.3] Elastic Beanstalk should stream logs to CloudWatch1no data
💼 Elastic Compute Cloud (EC2)32326no data
 💼 [EC2.1] Amazon EBS snapshots should not be publicly restorable1no data
 💼 [EC2.2] VPC default security groups should not allow inbound or outbound traffic1no data
 💼 [EC2.3] Attached Amazon EBS volumes should be encrypted at-rest3no data
 💼 [EC2.4] Stopped EC2 instances should be removed after a specified time periodno data
 💼 [EC2.6] VPC flow logging should be enabled in all VPCs11no data
 💼 [EC2.7] EBS default encryption should be enabled11no data
 💼 [EC2.8] EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)11no data
 💼 [EC2.9] Amazon EC2 instances should not have a public IPv4 address1no data
 💼 [EC2.10] Amazon EC2 should be configured to use VPC endpoints that are created for the Amazon EC2 service1no data
 💼 [EC2.15] Amazon EC2 subnets should not automatically assign public IP addresses1no data
 💼 [EC2.16] Unused Network Access Control Lists should be removed1no data
 💼 [EC2.17] Amazon EC2 instances should not use multiple ENIsno data
 💼 [EC2.18] Security groups should only allow unrestricted incoming traffic for authorized portsno data
 💼 [EC2.19] Security groups should not allow unrestricted access to ports with high risk10no data
 💼 [EC2.20] Both VPN tunnels for an AWS Site-to-Site VPN connection should be up1no data
 💼 [EC2.21] Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 33891no data
 💼 [EC2.23] Amazon EC2 Transit Gateways should not automatically accept VPC attachment requests1no data
 💼 [EC2.24] Amazon EC2 paravirtual instance types should not be used1no data
 💼 [EC2.25] Amazon EC2 launch templates should not assign public IPs to network interfacesno data
 💼 [EC2.51] EC2 Client VPN endpoints should have client connection logging enabledno data
 💼 [EC2.55] VPCs should be configured with an interface endpoint for ECR APIno data
 💼 [EC2.56] VPCs should be configured with an interface endpoint for Docker Registryno data
 💼 [EC2.57] VPCs should be configured with an interface endpoint for Systems Managerno data
 💼 [EC2.58] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager Contactsno data
 💼 [EC2.60] VPCs should be configured with an interface endpoint for Systems Manager Incident Managerno data
 💼 [EC2.170] EC2 launch templates should use Instance Metadata Service Version 2 (IMDSv2)no data
 💼 [EC2.171] EC2 VPN connections should have logging enabledno data
 💼 [EC2.172] EC2 VPC Block Public Access settings should block internet gateway trafficno data
 💼 [EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumesno data
 💼 [EC2.180] EC2 network interfaces should have source/destination checking enabledno data
 💼 [EC2.181] EC2 launch templates should enable encryption for attached EBS volumesno data
 💼 [EC2.182] Amazon EBS Snapshots should not be publicly accessibleno data
💼 Elastic Container Registry (ECR)333no data
 💼 [ECR.1] ECR private repositories should have image scanning configured11no data
 💼 [ECR.2] ECR private repositories should have tag immutability configured11no data
 💼 [ECR.3] ECR repositories should have at least one lifecycle policy configured11no data
💼 Elastic Container Service (ECS)137no data
 💼 [ECS.2] ECS services should not have public IP addresses assigned to them automatically1no data
 💼 [ECS.3] ECS task definitions should not share the host's process namespace1no data
 💼 [ECS.4] ECS containers should run as non-privileged1no data
 💼 [ECS.5] ECS containers should be limited to read-only access to root filesystems1no data
 💼 [ECS.8] Secrets should not be passed as container environment variables1no data
 💼 [ECS.9] ECS task definitions should have a logging configuration1no data
 💼 [ECS.10] ECS Fargate services should run on the latest Fargate platform version1no data
 💼 [ECS.12] ECS clusters should use Container Insightsno data
 💼 [ECS.16] ECS task sets should not automatically assign public IP addressesno data
 💼 [ECS.18] ECS Task Definitions should use in-transit encryption for EFS volumesno data
 💼 [ECS.19] ECS capacity providers should have managed termination protection enabledno data
 💼 [ECS.20] ECS Task Definitions should configure non-root users in Linux container definitionsno data
 💼 [ECS.21] ECS Task Definitions should configure non-administrator users in Windows container definitionsno data
💼 Elastic File System (EFS)713no data
 💼 [EFS.1] Elastic File System should be configured to encrypt file data at-rest using AWS KMS12no data
 💼 [EFS.2] Amazon EFS volumes should be in backup plansno data
 💼 [EFS.3] EFS access points should enforce a root directoryno data
 💼 [EFS.4] EFS access points should enforce a user identityno data
 💼 [EFS.6] EFS mount targets should not be associated with subnets that assign public IP addresses on launch1no data
 💼 [EFS.7] EFS file systems should have automatic backups enabledno data
 💼 [EFS.8] EFS file systems should be encrypted at rest1no data
💼 Elastic Kubernetes Service (EKS)42no data
 💼 [EKS.1] EKS cluster endpoints should not be publicly accessible1no data
 💼 [EKS.2] EKS clusters should run on a supported Kubernetes versionno data
 💼 [EKS.3] EKS clusters should use encrypted Kubernetes secretsno data
 💼 [EKS.8] EKS clusters should have audit logging enabled1no data
💼 Elastic Load Balancing (ELB)1510no data
 💼 [ELB.1] Application Load Balancer should be configured to redirect all HTTP requests to HTTPS1no data
 💼 [ELB.2] Classic Load Balancers with SSL/HTTPS listeners should use a certificate provided by AWS Certificate Managerno data
 💼 [ELB.3] Classic Load Balancer listeners should be configured with HTTPS or TLS terminationno data
 💼 [ELB.4] Application Load Balancer should be configured to drop invalid http headers1no data
 💼 [ELB.5] Application and Classic Load Balancers logging should be enabled1no data
 💼 [ELB.6] Application, Gateway, and Network Load Balancers should have deletion protection enabled1no data
 💼 [ELB.7] Classic Load Balancers should have connection draining enabled1no data
 💼 [ELB.8] Classic Load Balancers with SSL listeners should use a predefined security policy that has strong AWS Configurationno data
 💼 [ELB.9] Classic Load Balancers should have cross-zone load balancing enabled1no data
 💼 [ELB.10] Classic Load Balancer should span multiple Availability Zones1no data
 💼 [ELB.12] Application Load Balancer should be configured with defensive or strictest desync mitigation mode1no data
 💼 [ELB.13] Application, Network and Gateway Load Balancers should span multiple Availability Zones1no data
 💼 [ELB.14] Classic Load Balancer should be configured with defensive or strictest desync mitigation mode1no data
 💼 [ELB.17] Application and Network Load Balancers with listeners should use recommended security policies1no data
 💼 [ELB.18] Application and Network Load Balancer listeners should use secure protocols to encrypt data in transit1no data
💼 Elasticsearch88no data
 💼 [ES.1] Elasticsearch domains should have encryption at-rest enabled1no data
 💼 [ES.2] Elasticsearch domains should not be publicly accessible1no data
 💼 [ES.3] Elasticsearch domains should encrypt data sent between nodes1no data
 💼 [ES.4] Elasticsearch domain error logging to CloudWatch Logs should be enabled1no data
 💼 [ES.5] Elasticsearch domains should have audit logging enabled1no data
 💼 [ES.6] Elasticsearch domains should have at least three data nodes1no data
 💼 [ES.7] Elasticsearch domains should be configured with at least three dedicated master nodes1no data
 💼 [ES.8] Connections to Elasticsearch domains should be encrypted using the latest TLS security policy1no data
💼 ElastiCache74no data
 💼 [ElastiCache.1] ElastiCache (Redis OSS) clusters should have automatic backups enabled1no data
 💼 [ElastiCache.2] ElastiCache clusters should have automatic minor version upgrades enabled1no data
 💼 [ElastiCache.3] ElastiCache replication groups should have automatic failover enabledno data
 💼 [ElastiCache.4] ElastiCache replication groups should be encrypted at rest1no data
 💼 [ElastiCache.5] ElastiCache replication groups should be encrypted in transit1no data
 💼 [ElastiCache.6] ElastiCache (Redis OSS) replication groups of earlier versions should have Redis OSS AUTH enabledno data
 💼 [ElastiCache.7] ElastiCache clusters should not use the default subnet groupno data
💼 EMR41no data
 💼 [EMR.1] Amazon EMR cluster primary nodes should not have public IP addressesno data
 💼 [EMR.2] Amazon EMR block public access setting should be enabledno data
 💼 [EMR.3] Amazon EMR security configurations should be encrypted at rest1no data
 💼 [EMR.4] Amazon EMR security configurations should be encrypted in transit1no data
💼 EventBridge1no data
 💼 [EventBridge.3] EventBridge custom event buses should have a resource-based policy attachedno data
💼 FSx5no data
 💼 [FSx.1] FSx for OpenZFS file systems should be configured to copy tags to backups and volumesno data
 💼 [FSx.2] FSx for Lustre file systems should be configured to copy tags to backupsno data
 💼 [FSx.3] FSx for OpenZFS file systems should be configured for Multi-AZ deploymentno data
 💼 [FSx.4] FSx for NetApp ONTAP file systems should be configured for Multi-AZ deploymentno data
 💼 [FSx.5] FSx for Windows File Server file systems should be configured for Multi-AZ deploymentno data
💼 Glue2no data
 💼 [Glue.3] AWS Glue machine learning transforms should be encrypted at restno data
 💼 [Glue.4] AWS Glue Spark jobs should run on supported versions of AWS Glueno data
💼 GuardDuty107no data
 💼 [GuardDuty.1] GuardDuty should be enabled1no data
 💼 [GuardDuty.5] GuardDuty EKS Audit Log Monitoring should be enabled1no data
 💼 [GuardDuty.6] GuardDuty Lambda Protection should be enabled1no data
 💼 [GuardDuty.7] GuardDuty EKS Runtime Monitoring should be enabled1no data
 💼 [GuardDuty.8] GuardDuty Malware Protection for EC2 should be enabled1no data
 💼 [GuardDuty.9] GuardDuty RDS Protection should be enabled1no data
 💼 [GuardDuty.10] GuardDuty S3 Protection should be enabled1no data
 💼 [GuardDuty.11] GuardDuty Runtime Monitoring should be enabled1no data
 💼 [GuardDuty.12] GuardDuty ECS Runtime Monitoring should be enabled1no data
 💼 [GuardDuty.13] GuardDuty EC2 Runtime Monitoring should be enabled1no data
💼 Identity and Access Management (IAM)9511no data
 💼 [IAM.1] IAM policies should not allow full "*" administrative privileges11no data
 💼 [IAM.2] IAM users should not have IAM policies attached11no data
 💼 [IAM.3] IAM users' access keys should be rotated every 90 days or less11no data
 💼 [IAM.4] IAM root user access key should not exist11no data
 💼 [IAM.5] MFA should be enabled for all IAM users that have a console password1no data
 💼 [IAM.6] Hardware MFA should be enabled for the root user1no data
 💼 [IAM.7] Password policies for IAM users should have strong configurations13no data
 💼 [IAM.8] Unused IAM user credentials should be removed2no data
 💼 [IAM.21] IAM customer managed policies that you create should not allow wildcard actions for services1no data
💼 Inspector44no data
 💼 [Inspector.1] Amazon Inspector EC2 scanning should be enabled1no data
 💼 [Inspector.2] Amazon Inspector ECR scanning should be enabled1no data
 💼 [Inspector.3] Amazon Inspector Lambda code scanning should be enabled1no data
 💼 [Inspector.4] Amazon Inspector Lambda standard scanning should be enabled1no data
💼 Key Management Service (KMS)42no data
 💼 [KMS.1] IAM customer managed policies should not allow decryption actions on all KMS keysno data
 💼 [KMS.2] IAM principals should not have IAM inline policies that allow decryption actions on all KMS keysno data
 💼 [KMS.3] AWS KMS keys should not be deleted unintentionally1no data
 💼 [KMS.5] KMS keys should not be publicly accessible1no data
💼 Kinesis22no data
 💼 [Kinesis.1] Kinesis streams should be encrypted at rest1no data
 💼 [Kinesis.3] Kinesis streams should have an adequate data retention period1no data
💼 Lambda33no data
 💼 [Lambda.1] Lambda function policies should prohibit public access1no data
 💼 [Lambda.2] Lambda functions should use supported runtimes1no data
 💼 [Lambda.5] VPC Lambda functions should operate in multiple Availability Zones1no data
💼 Macie2no data
 💼 [Macie.1] Amazon Macie should be enabledno data
 💼 [Macie.2] Macie automated sensitive data discovery should be enabledno data
💼 Managed Streaming for Apache Kafka (MSK)51no data
 💼 [MSK.1] MSK clusters should be encrypted in transit among broker nodes1no data
 💼 [MSK.3] MSK Connect connectors should be encrypted in transitno data
 💼 [MSK.4] MSK clusters should have public access disabledno data
 💼 [MSK.5] MSK connectors should have logging enabledno data
 💼 [MSK.6] MSK clusters should disable unauthenticated accessno data
💼 MQ11no data
 💼 [MQ.2] ActiveMQ brokers should stream audit logs to CloudWatch1no data
💼 Neptune85no data
 💼 [Neptune.1] Neptune DB clusters should be encrypted at rest1no data
 💼 [Neptune.2] Neptune DB clusters should publish audit logs to CloudWatch Logs1no data
 💼 [Neptune.3] Neptune DB cluster snapshots should not be publicno data
 💼 [Neptune.4] Neptune DB clusters should have deletion protection enabled1no data
 💼 [Neptune.5] Neptune DB clusters should have automated backups enabledno data
 💼 [Neptune.6] Neptune DB cluster snapshots should be encrypted at rest1no data
 💼 [Neptune.7] Neptune DB clusters should have IAM database authentication enabledno data
 💼 [Neptune.8] Neptune DB clusters should be configured to copy tags to snapshots1no data
💼 Network Firewall75no data
 💼 [NetworkFirewall.2] Network Firewall logging should be enabledno data
 💼 [NetworkFirewall.3] Network Firewall policies should have at least one rule group associated1no data
 💼 [NetworkFirewall.4] The default stateless action for Network Firewall policies should be drop or forward for full packets1no data
 💼 [NetworkFirewall.5] The default stateless action for Network Firewall policies should be drop or forward for fragmented packets1no data
 💼 [NetworkFirewall.6] Stateless Network Firewall rule group should not be empty1no data
 💼 [NetworkFirewall.9] Network Firewall firewalls should have deletion protection enabled1no data
 💼 [NetworkFirewall.10] Network Firewall firewalls should have subnet change protection enabled1no data
💼 OpenSearch97no data
 💼 [Opensearch.1] OpenSearch domains should have encryption at rest enabled1no data
 💼 [Opensearch.2] OpenSearch domains should not be publicly accessible1no data
 💼 [Opensearch.3] OpenSearch domains should encrypt data sent between nodes1no data
 💼 [Opensearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled1no data
 💼 [Opensearch.5] OpenSearch domains should have audit logging enabled1no data
 💼 [Opensearch.6] OpenSearch domains should have at least three data nodes1no data
 💼 [Opensearch.7] OpenSearch domains should have fine-grained access control enabledno data
 💼 [Opensearch.8] Connections to OpenSearch domains should be encrypted using the latest TLS security policy1no data
 💼 [Opensearch.10] OpenSearch domains should have the latest software update installedno data
💼 Private Certificate Authority (CA)1no data
 💼 [PCA.1] AWS Private CA root certificate authority should be disabledno data
💼 Redshift109no data
 💼 [Redshift.1] Amazon Redshift clusters should prohibit public access1no data
 💼 [Redshift.2] Connections to Amazon Redshift clusters should be encrypted in transit1no data
 💼 [Redshift.3] Amazon Redshift clusters should have automatic snapshots enabled1no data
 💼 [Redshift.4] Amazon Redshift clusters should have audit logging enabled1no data
 💼 [Redshift.6] Amazon Redshift should have automatic upgrades to major versions enabled1no data
 💼 [Redshift.7] Redshift clusters should use enhanced VPC routing1no data
 💼 [Redshift.8] Amazon Redshift clusters should not use the default Admin username1no data
 💼 [Redshift.10] Redshift clusters should be encrypted at rest1no data
 💼 [Redshift.15] Redshift security groups should allow ingress on the cluster port only from restricted origins1no data
 💼 [Redshift.18] Redshift clusters should have Multi-AZ deployments enabledno data
💼 Redshift Serverless5no data
 💼 [RedshiftServerless.1] Amazon Redshift Serverless workgroups should use enhanced VPC routingno data
 💼 [RedshiftServerless.2] Connections to Redshift Serverless workgroups should be required to use SSLno data
 💼 [RedshiftServerless.3] Redshift Serverless workgroups should prohibit public accessno data
 💼 [RedshiftServerless.5] Redshift Serverless namespaces should not use the default admin usernameno data
 💼 [RedshiftServerless.6] Redshift Serverless namespaces should export logs to CloudWatch Logsno data
💼 Relational Database Service (RDS)38626no data
 💼 [RDS.1] RDS snapshot should be private11no data
 💼 [RDS.2] RDS DB Instances should prohibit public access, as determined by the PubliclyAccessible configuration11no data
 💼 [RDS.3] RDS DB instances should have encryption at-rest enabled11no data
 💼 [RDS.4] RDS cluster snapshots and database snapshots should be encrypted at rest1no data
 💼 [RDS.5] RDS DB instances should be configured with multiple Availability Zones11no data
 💼 [RDS.6] Enhanced monitoring should be configured for RDS DB instances1no data
 💼 [RDS.7] RDS clusters should have deletion protection enabled1no data
 💼 [RDS.8] RDS DB instances should have deletion protection enabled1no data
 💼 [RDS.9] RDS DB instances should publish logs to CloudWatch Logs1no data
 💼 [RDS.10] IAM authentication should be configured for RDS instances1no data
 💼 [RDS.11] RDS instances should have automatic backups enabled1no data
 💼 [RDS.12] IAM authentication should be configured for RDS clusters1no data
 💼 [RDS.13] RDS automatic minor version upgrades should be enabled11no data
 💼 [RDS.14] Amazon Aurora clusters should have backtracking enabledno data
 💼 [RDS.15] RDS DB clusters should be configured for multiple Availability Zones1no data
 💼 [RDS.16] Aurora DB clusters should be configured to copy tags to DB snapshots1no data
 💼 [RDS.17] RDS DB instances should be configured to copy tags to snapshots1no data
 💼 [RDS.19] Existing RDS event notification subscriptions should be configured for critical cluster events1no data
 💼 [RDS.20] Existing RDS event notification subscriptions should be configured for critical database instance events1no data
 💼 [RDS.21] An RDS event notifications subscription should be configured for critical database parameter group events1no data
 💼 [RDS.22] An RDS event notifications subscription should be configured for critical database security group events1no data
 💼 [RDS.23] RDS instances should not use a database engine default port11no data
 💼 [RDS.24] RDS Database clusters should use a custom administrator username1no data
 💼 [RDS.25] RDS database instances should use a custom administrator username1no data
 💼 [RDS.27] RDS DB clusters should be encrypted at rest1no data
 💼 [RDS.34] Aurora MySQL DB clusters should publish audit logs to CloudWatch Logs1no data
 💼 [RDS.35] RDS DB clusters should have automatic minor version upgrade enabled1no data
 💼 [RDS.36] RDS for PostgreSQL DB instances should publish logs to CloudWatch Logs1no data
 💼 [RDS.37] Aurora PostgreSQL DB clusters should publish logs to CloudWatch Logs1no data
 💼 [RDS.40] RDS for SQL Server DB instances should publish logs to CloudWatch Logs1no data
 💼 [RDS.41] RDS for SQL Server DB instances should be encrypted in transitno data
 💼 [RDS.42] RDS for MariaDB DB instances should publish logs to CloudWatch Logsno data
 💼 [RDS.43] RDS DB proxies should require TLS encryption for connectionsno data
 💼 [RDS.44] RDS for MariaDB DB instances should be encrypted in transitno data
 💼 [RDS.45] Aurora MySQL DB clusters should have audit logging enabledno data
 💼 [RDS.46] RDS DB instances should not be deployed in public subnets with routes to internet gatewaysno data
 💼 [RDS.47] RDS for PostgreSQL DB clusters should be configured to copy tags to DB snapshotsno data
 💼 [RDS.48] RDS for MySQL DB clusters should be configured to copy tags to DB snapshotsno data
💼 Route 531no data
 💼 [Route53.2] Route 53 public hosted zones should log DNS queriesno data
💼 SageMaker64no data
 💼 [SageMaker.1] Amazon SageMaker AI notebook instances should not have direct internet access1no data
 💼 [SageMaker.2] SageMaker AI notebook instances should be launched in a custom VPC1no data
 💼 [SageMaker.3] Users should not have root access to SageMaker AI notebook instances1no data
 💼 [SageMaker.4] SageMaker AI endpoint production variants should have an initial instance count greater than 11no data
 💼 [SageMaker.5] SageMaker models should have network isolation enabledno data
 💼 [SageMaker.8] SageMaker notebook instances should run on supported platformsno data
💼 Secrets Manager42no data
 💼 [SecretsManager.1] Secrets Manager secrets should have automatic rotation enabled1no data
 💼 [SecretsManager.2] Secrets Manager secrets configured with automatic rotation should rotate successfullyno data
 💼 [SecretsManager.3] Remove unused Secrets Manager secrets1no data
 💼 [SecretsManager.4] Secrets Manager secrets should be rotated within a specified number of daysno data
💼 Service Catalog1no data
 💼 [ServiceCatalog.1] Service Catalog portfolios should be shared within an AWS organization onlyno data
💼 Simple Email Service (SES)1no data
 💼 [SES.3] SES configuration sets should have TLS enabled for sending emailsno data
💼 Simple Notification Service (SNS)1no data
 💼 [SNS.4] SNS topic access policies should not allow public accessno data
💼 Simple Queue Service (SQS)2no data
 💼 [SQS.1] Amazon SQS queues should be encrypted at restno data
 💼 [SQS.3] SQS queue access policies should not allow public accessno data
💼 Simple Storage Service (S3)1239no data
 💼 [S3.1] S3 general purpose buckets should have block public access settings enabled1no data
 💼 [S3.2] S3 general purpose buckets should block public read access2no data
 💼 [S3.3] S3 general purpose buckets should block public write access2no data
 💼 [S3.5] S3 general purpose buckets should require requests to use SSL11no data
 💼 [S3.6] S3 general purpose bucket policies should restrict access to other AWS accountsno data
 💼 [S3.8] S3 general purpose buckets should block public access1no data
 💼 [S3.9] S3 general purpose buckets should have server access logging enabled12no data
 💼 [S3.12] ACLs should not be used to manage user access to S3 general purpose bucketsno data
 💼 [S3.13] S3 general purpose buckets should have Lifecycle configurations11no data
 💼 [S3.19] S3 access points should have block public access settings enabled1no data
 💼 [S3.24] S3 Multi-Region Access Points should have block public access settings enabled1no data
 💼 [S3.25] S3 directory buckets should have lifecycle configurationsno data
💼 Step Functions1no data
 💼 [StepFunctions.1] Step Functions state machines should have logging turned onno data
💼 Systems Manager (SSM)6no data
 💼 [SSM.1] Amazon EC2 instances should be managed by AWS Systems Managerno data
 💼 [SSM.2] Amazon EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installationno data
 💼 [SSM.3] Amazon EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANTno data
 💼 [SSM.4] SSM documents should not be publicno data
 💼 [SSM.6] SSM Automation should have CloudWatch logging enabledno data
 💼 [SSM.7] SSM documents should have the block public sharing setting enabledno data
💼 Transfer Family2no data
 💼 [Transfer.2] Transfer Family servers should not use FTP protocol for endpoint connectionno data
 💼 [Transfer.3] Transfer Family connectors should have logging enabledno data
💼 WAF92no data
 💼 [WAF.1] AWS WAF Classic Global Web ACL logging should be enabledno data
 💼 [WAF.2] AWS WAF Classic Regional rules should have at least one conditionno data
 💼 [WAF.3] AWS WAF Classic Regional rule groups should have at least one rule1no data
 💼 [WAF.4] AWS WAF Classic Regional web ACLs should have at least one rule or rule group1no data
 💼 [WAF.6] AWS WAF Classic global rules should have at least one conditionno data
 💼 [WAF.7] AWS WAF Classic global rule groups should have at least one rule1no data
 💼 [WAF.8] AWS WAF Classic global web ACLs should have at least one rule or rule group1no data
 💼 [WAF.10] AWS WAF web ACLs should have at least one rule or rule group1no data
 💼 [WAF.12] AWS WAF rules should have CloudWatch metrics enabledno data
💼 WorkSpaces21no data
 💼 [WorkSpaces.1] WorkSpaces user volumes should be encrypted at rest1no data
 💼 [WorkSpaces.2] WorkSpaces root volumes should be encrypted at rest1no data
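Several of the controls above are simple predicates over a resource's configuration. As an added example (not code from this framework page, Security Hub, or any AWS tool), the following Python implements four of them, IAM.1, EC2.8, EC2.19 and S3.5, as offline checks over resource descriptions shaped like the JSON the corresponding AWS APIs return. The sample policies, instance IDs and security group IDs are constructed for the example, the high-risk port set is an assumption copied from the EC2.19 control text, and the S3.5 check is a simplified reading of the control that assumes the Deny statement's Resource already covers the bucket and its objects.

```python
"""Offline checks for four controls listed above (IAM.1, EC2.8, EC2.19, S3.5).
Each takes a resource shaped like the matching AWS API JSON and returns True
when it PASSES. Sample resources below are constructed; nothing calls AWS."""
import ipaddress
from typing import Optional

# Assumption: port list copied from the EC2.19 control text; re-check before use.
HIGH_RISK_PORTS = {20, 21, 22, 23, 25, 110, 135, 143, 445, 1433, 1434, 3000, 3306,
                   3389, 4333, 5000, 5432, 5500, 5601, 8080, 8088, 8888, 9200, 9300}


def _as_list(value):
    """IAM policy fields may be a string or a list; normalise to a list."""
    return [] if value is None else (value if isinstance(value, list) else [value])


def check_iam1(policy_doc: dict) -> bool:
    """IAM.1 passes unless an Allow statement grants Action "*" on Resource "*"."""
    for stmt in _as_list(policy_doc.get("Statement")):
        if stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Action")) \
                and "*" in _as_list(stmt.get("Resource")):
            return False
    return True


def check_ec2_8(instance: dict) -> bool:
    """EC2.8 passes when IMDSv2 is required (MetadataOptions.HttpTokens == "required")."""
    return instance.get("MetadataOptions", {}).get("HttpTokens") == "required"


def _is_world(cidr: str) -> bool:
    # True for 0.0.0.0/0 or ::/0, i.e. a zero-length prefix.
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def check_ec2_19(security_group: dict) -> bool:
    """EC2.19 passes when no world-open ingress rule covers a high-risk port."""
    for perm in security_group.get("IpPermissions", []):
        sources = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
        sources += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
        if not any(_is_world(s) for s in sources if s):
            continue
        proto = perm.get("IpProtocol")
        if proto == "-1":                 # all protocols and ports
            return False
        if proto not in ("tcp", "udp"):   # ICMP fields carry types, not ports
            continue
        low, high = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        if any(low <= p <= high for p in HIGH_RISK_PORTS):
            return False
    return True


def check_s3_5(bucket_policy: Optional[dict]) -> bool:
    """S3.5 passes when a Deny for all principals and s3:* carries the condition
    aws:SecureTransport == false (simplified: Resource coverage is assumed)."""
    for stmt in _as_list((bucket_policy or {}).get("Statement")):
        if stmt.get("Effect") != "Deny" or stmt.get("Principal") not in ("*", {"AWS": "*"}):
            continue
        if not {"s3:*", "*"} & set(_as_list(stmt.get("Action"))):
            continue
        flag = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if str(flag).lower() == "false":
            return True
    return False


# Constructed sample resources (IDs and names are made up for the example).
ADMIN_POLICY = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
SCOPED_POLICY = {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                                "Resource": "arn:aws:s3:::example-bucket/*"}]}
INSTANCE_IMDSV1 = {"InstanceId": "i-0123456789abcdef0", "MetadataOptions": {"HttpTokens": "optional"}}
INSTANCE_IMDSV2 = {"InstanceId": "i-0fedcba9876543210", "MetadataOptions": {"HttpTokens": "required"}}
SG_OPEN_SSH = {"GroupId": "sg-0a1b2c3d", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22,
    "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]}
SG_OPEN_HTTPS = {"GroupId": "sg-0e5f6a7b", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443,
    "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}
SSL_ONLY_POLICY = {"Statement": [{
    "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}


def evaluate_samples() -> dict:
    """Map each sample to a Security Hub style PASSED/FAILED status."""
    checks = {
        "IAM.1 admin-policy": check_iam1(ADMIN_POLICY),
        "IAM.1 scoped-policy": check_iam1(SCOPED_POLICY),
        "EC2.8 i-0123456789abcdef0": check_ec2_8(INSTANCE_IMDSV1),
        "EC2.8 i-0fedcba9876543210": check_ec2_8(INSTANCE_IMDSV2),
        "EC2.19 sg-0a1b2c3d": check_ec2_19(SG_OPEN_SSH),
        "EC2.19 sg-0e5f6a7b": check_ec2_19(SG_OPEN_HTTPS),
        "S3.5 example-bucket": check_s3_5(SSL_ONLY_POLICY),
        "S3.5 bucket-without-policy": check_s3_5(None),
    }
    return {k: "PASSED" if ok else "FAILED" for k, ok in checks.items()}


if __name__ == "__main__":
    for control, status in evaluate_samples().items():
        print(f"{status:6} {control}")
```

The checks deliberately return pass/fail on the raw resource JSON rather than on a Security Hub finding, so the same functions can be fed the output of `describe-instances`, `describe-security-groups`, `get-policy-version` or `get-bucket-policy` in a CI step before the resource ever reaches an account. Note that the 443-only group passes EC2.19 even though it is open to the world: that control only flags the listed high-risk ports, and EC2.18 is the one that constrains which ports may be unrestricted.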