| 💼 Account | 1 | | | |
| 💼 [Account.1] Security contact information should be provided for an AWS account | | 1 | 1 | |
| 💼 AppSync | 4 | | | |
| 💼 [AppSync.1] AWS AppSync API caches should be encrypted at rest | | | | |
| 💼 [AppSync.2] AWS AppSync should have field-level logging enabled | | | | |
| 💼 [AppSync.5] AWS AppSync GraphQL APIs should not be authenticated with API keys | | | | |
| 💼 [AppSync.6] AWS AppSync API caches should be encrypted in transit | | | | |
| 💼 API Gateway | 7 | | | |
| 💼 [APIGateway.1] API Gateway REST and WebSocket API execution logging should be enabled | | 1 | 1 | |
| 💼 [APIGateway.2] API Gateway REST API stages should be configured to use SSL certificates for backend authentication" | | 1 | 1 | |
| 💼 [APIGateway.3] API Gateway REST API stages should have AWS X-Ray tracing enabled | | 1 | 1 | |
| 💼 [APIGateway.4] API Gateway should be associated with a WAF Web ACL | | 1 | 1 | |
| 💼 [APIGateway.5] API Gateway REST API cache data should be encrypted at rest | | | | |
| 💼 [APIGateway.8] API Gateway routes should specify an authorization type | | 1 | 1 | |
| 💼 [APIGateway.9] Access logging should be configured for API Gateway V2 Stages | | 1 | 1 | |
| 💼 Athena | 1 | | | |
| 💼 [Athena.4] Athena workgroups should have logging enabled | | | 1 | |
| 💼 Auto Scaling | 6 | | | |
| 💼 [Autoscaling.5] Amazon EC2 instances launched using Auto Scaling group launch configurations should not have Public IP addresses | | | | |
| 💼 [AutoScaling.1] Auto Scaling groups associated with a load balancer should use ELB health checks | | 1 | 1 | |
| 💼 [AutoScaling.2] Amazon EC2 Auto Scaling group should cover multiple Availability Zones | | | | |
| 💼 [AutoScaling.3] Auto Scaling group launch configurations should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2) | | | | |
| 💼 [AutoScaling.6] Auto Scaling groups should use multiple instance types in multiple Availability Zones | | | | |
| 💼 [AutoScaling.9] Amazon EC2 Auto Scaling groups should use Amazon EC2 launch templates | | | | |
| 💼 Backup | 1 | | | |
| 💼 [Backup.1] AWS Backup recovery points should be encrypted at rest | | | | |
| 💼 Certificate Manager (ACM) | 2 | | | |
| 💼 [ACM.1] Imported and ACM-issued certificates should be renewed after a specified time period | | 1 | 1 | |
| 💼 [ACM.2] RSA certificates managed by ACM should use a key length of at least 2,048 bits | | 1 | 1 | |
| 💼 CloudFront | 11 | | | |
| 💼 [CloudFront.1] CloudFront distributions should have a default root object configured | | | | |
| 💼 [CloudFront.3] CloudFront distributions should require encryption in transit | | | | |
| 💼 [CloudFront.4] CloudFront distributions should have origin failover configured | | | | |
| 💼 [CloudFront.5] CloudFront distributions should have logging enabled | | | | |
| 💼 [CloudFront.6] CloudFront distributions should have WAF enabled | | | | |
| 💼 [CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates | | | | |
| 💼 [CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests | | | | |
| 💼 [CloudFront.9] CloudFront distributions should encrypt traffic to custom origins | | | | |
| 💼 [CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins | | | | |
| 💼 [CloudFront.12] CloudFront distributions should not point to non-existent S3 origins | | | | |
| 💼 [CloudFront.13] CloudFront distributions should use origin access control | | | | |
| 💼 CloudTrail | 4 | | | |
| 💼 [CloudTrail.1] CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events | | | 1 | |
| 💼 [CloudTrail.2] CloudTrail should have encryption at-rest enabled | | | 1 | |
| 💼 [CloudTrail.4] CloudTrail log file validation should be enabled | | 1 | 1 | |
| 💼 [CloudTrail.5] CloudTrail trails should be integrated with Amazon CloudWatch Logs | | | | |
| 💼 CodeBuild | 5 | | | |
| 💼 [CodeBuild.1] CodeBuild Bitbucket source repository URLs should not contain sensitive credentials | | | | |
| 💼 [CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials | | | | |
| 💼 [CodeBuild.3] CodeBuild S3 logs should be encrypted | | | | |
| 💼 [CodeBuild.4] CodeBuild project environments should have a logging AWS Configuration | | | | |
| 💼 [CodeBuild.7] CodeBuild report group exports should be encrypted at rest | | | | |
| 💼 Config | 1 | | | |
| 💼 [Config.1] AWS Config should be enabled and use the service-linked role for resource recording | | | 1 | |
| 💼 Connect | 1 | | | |
| 💼 [Connect.2] Amazon Connect instances should have CloudWatch logging enabled | | | | |
| 💼 Data Firehouse | 1 | | | |
| 💼 [DataFirehose.1] Firehose delivery streams should be encrypted at rest | | | | |
| 💼 Database Migration Service (DMS) | 8 | | | |
| 💼 [DMS.1] Database Migration Service replication instances should not be public | | | | |
| 💼 [DMS.6] DMS replication instances should have automatic minor version upgrade enabled | | | | |
| 💼 [DMS.7] DMS replication tasks for the target database should have logging enabled | | | | |
| 💼 [DMS.8] DMS replication tasks for the source database should have logging enabled | | | | |
| 💼 [DMS.9] DMS endpoints should use SSL | | | | |
| 💼 [DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled | | | | |
| 💼 [DMS.11] DMS endpoints for MongoDB should have an authentication mechanism enabled | | | | |
| 💼 [DMS.12] DMS endpoints for Redis OSS should have TLS enabled | | | | |
| 💼 DataSync | 1 | | | |
| 💼 [DataSync.1] DataSync tasks should have logging enabled | | | | |
| 💼 DocumentDB | 5 | | | |
| 💼 [DocumentDB.1] Amazon DocumentDB clusters should be encrypted at rest | | | | |
| 💼 [DocumentDB.2] Amazon DocumentDB clusters should have an adequate backup retention period | | | | |
| 💼 [DocumentDB.3] Amazon DocumentDB manual cluster snapshots should not be public | | | | |
| 💼 [DocumentDB.4] Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs | | | | |
| 💼 [DocumentDB.5] Amazon DocumentDB clusters should have deletion protection enabled | | | | |
| 💼 DynamoDB | 5 | | | |
| 💼 [DynamoDB.1] DynamoDB tables should automatically scale capacity with demand | | | | |
| 💼 [DynamoDB.2] DynamoDB tables should have point-in-time recovery enabled | | | | |
| 💼 [DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest | | | | |
| 💼 [DynamoDB.6] DynamoDB tables should have deletion protection enabled | | | | |
| 💼 [DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit | | | | |
| 💼 Elastic Beanstalk | 3 | | | |
| 💼 [ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled | | | | |
| 💼 [ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled | | | | |
| 💼 [ElasticBeanstalk.3] Elastic Beanstalk should stream logs to CloudWatch | | | | |
| ��💼 Elastic Compute Cloud (EC2) | 28 | | | |
| 💼 [EC2.1] Amazon EBS snapshots should not be publicly restorable | | | | |
| 💼 [EC2.2] VPC default security groups should not allow inbound or outbound traffic | | | 1 | |
| 💼 [EC2.3] Attached Amazon EBS volumes should be encrypted at-rest | | | | |
| 💼 [EC2.4] Stopped EC2 instances should be removed after a specified time period | | | | |
| 💼 [EC2.6] VPC flow logging should be enabled in all VPCs | | 1 | 1 | |
| 💼 [EC2.7] EBS default encryption should be enabled | | 1 | 1 | |
| 💼 [EC2.8] EC2 instances should use Instance Metadata Service Version 2 (IMDSv2) | | 1 | 1 | |
| 💼 [EC2.9] Amazon EC2 instances should not have a public IPv4 address | | | | |
| 💼 [EC2.10] Amazon EC2 should be configured to use VPC endpoints that are created for the Amazon EC2 service | | | | |
| 💼 [EC2.15] Amazon EC2 subnets should not automatically assign public IP addresses | | | | |
| 💼 [EC2.16] Unused Network Access Control Lists should be removed | | | | |
| 💼 [EC2.17] Amazon EC2 instances should not use multiple ENIs | | | | |
| 💼 [EC2.18] Security groups should only allow unrestricted incoming traffic for authorized ports | | | | |
| 💼 [EC2.19] Security groups should not allow unrestricted access to ports with high risk | | | 10 | |
| 💼 [EC2.20] Both VPN tunnels for an AWS Site-to-Site VPN connection should be up | | | | |
| 💼 [EC2.21] Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389 | | | 1 | |
| 💼 [EC2.23] Amazon EC2 Transit Gateways should not automatically accept VPC attachment requests | | | | |
| 💼 [EC2.24] Amazon EC2 paravirtual instance types should not be used | | | | |
| 💼 [EC2.25] Amazon EC2 launch templates should not assign public IPs to network interfaces | | | | |
| 💼 [EC2.51] EC2 Client VPN endpoints should have client connection logging enabled | | | | |
| 💼 [EC2.55] VPCs should be configured with an interface endpoint for ECR API | | | | |
| 💼 [EC2.56] VPCs should be configured with an interface endpoint for Docker Registry | | | | |
| 💼 [EC2.57] VPCs should be configured with an interface endpoint for Systems Manager | | | | |
| 💼 [EC2.58] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager Contacts | | | | |
| 💼 [EC2.60] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager | | | | |
| 💼 [EC2.170] EC2 launch templates should use Instance Metadata Service Version 2 (IMDSv2) | | | | |
| 💼 [EC2.171] EC2 VPN connections should have logging enabled | | | | |
| 💼 [EC2.172] EC2 VPC Block Public Access settings should block internet gateway traffic | | | | |
| 💼 Elastic Container Registry (ECR) | 3 | | | |
| 💼 [ECR.1] ECR private repositories should have image scanning configured | | | | |
| 💼 [ECR.2] ECR private repositories should have tag immutability configured | | | | |
| 💼 [ECR.3] ECR repositories should have at least one lifecycle policy configured | | | | |
| 💼 Elastic Container Service (ECS) | 10 | | | |
| 💼 [ECS.1] Amazon ECS task definitions should have secure networking modes and user definitions. | | | | |
| 💼 [ECS.2] ECS services should not have public IP addresses assigned to them automatically | | | | |
| 💼 [ECS.3] ECS task definitions should not share the host's process namespace | | | | |
| 💼 [ECS.4] ECS containers should run as non-privileged | | | | |
| 💼 [ECS.5] ECS containers should be limited to read-only access to root filesystems | | | | |
| 💼 [ECS.8] Secrets should not be passed as container environment variables | | | | |
| 💼 [ECS.9] ECS task definitions should have a logging configuration | | | | |
| 💼 [ECS.10] ECS Fargate services should run on the latest Fargate platform version | | | | |
| 💼 [ECS.12] ECS clusters should use Container Insights | | | | |
| 💼 [ECS.16] ECS task sets should not automatically assign public IP addresses | | | | |
| 💼 Elastic File System (EFS) | 7 | | | |
| 💼 [EFS.1] Elastic File System should be configured to encrypt file data at-rest using AWS KMS | | 1 | 1 | |
| 💼 [EFS.2] Amazon EFS volumes should be in backup plans | | | | |
| 💼 [EFS.3] EFS access points should enforce a root directory | | | | |
| 💼 [EFS.4] EFS access points should enforce a user identity | | | | |
| 💼 [EFS.6] EFS mount targets should not be associated with a public subnet | | | | |
| 💼 [EFS.7] EFS file systems should have automatic backups enabled | | | | |
| 💼 [EFS.8] EFS file systems should be encrypted at rest | | | | |
| 💼 Elastic Kubernetes Service (EKS) | 4 | | | |
| 💼 [EKS.1] EKS cluster endpoints should not be publicly accessible | | | | |
| 💼 [EKS.2] EKS clusters should run on a supported Kubernetes version | | | | |
| 💼 [EKS.3] EKS clusters should use encrypted Kubernetes secrets | | | | |
| 💼 [EKS.8] EKS clusters should have audit logging enabled | | | | |
| 💼 Elastic Load Balancing (ELB) | 14 | | | |
| 💼 [ELB.1] Application Load Balancer should be configured to redirect all HTTP requests to HTTPS | | | | |
| 💼 [ELB.2] Classic Load Balancers with SSL/HTTPS listeners should use a certificate provided by AWS Certificate Manager | | | | |
| 💼 [ELB.3] Classic Load Balancer listeners should be configured with HTTPS or TLS termination | | | | |
| 💼 [ELB.4] Application Load Balancer should be configured to drop invalid http headers | | | | |
| 💼 [ELB.5] Application and Classic Load Balancers logging should be enabled | | | | |
| 💼 [ELB.6] Application, Gateway, and Network Load Balancers should have deletion protection enabled | | | | |
| 💼 [ELB.7] Classic Load Balancers should have connection draining enabled | | | | |
| 💼 [ELB.8] Classic Load Balancers with SSL listeners should use a predefined security policy that has strong AWS Configuration | | | | |
| 💼 [ELB.9] Classic Load Balancers should have cross-zone load balancing enabled | | | | |
| 💼 [ELB.10] Classic Load Balancer should span multiple Availability Zones | | | | |
| 💼 [ELB.12] Application Load Balancer should be configured with defensive or strictest desync mitigation mode | | | | |
| 💼 [ELB.13] Application, Network and Gateway Load Balancers should span multiple Availability Zones | | | | |
| 💼 [ELB.14] Classic Load Balancer should be configured with defensive or strictest desync mitigation mode | | | | |
| 💼 [ELB.17] Application and Network Load Balancers with listeners should use recommended security policies | | | | |
| 💼 Elasticsearch | 8 | | | |
| 💼 [ES.1] Elasticsearch domains should have encryption at-rest enabled | | | | |
| 💼 [ES.2] Elasticsearch domains should not be publicly accessible | | | | |
| 💼 [ES.3] Elasticsearch domains should encrypt data sent between nodes | | | | |
| 💼 [ES.4] Elasticsearch domain error logging to CloudWatch Logs should be enabled | | | | |
| 💼 [ES.5] Elasticsearch domains should have audit logging enabled | | | | |
| 💼 [ES.6] Elasticsearch domains should have at least three data nodes | | | | |
| 💼 [ES.7] Elasticsearch domains should be configured with at least three dedicated master nodes | | | | |
| 💼 [ES.8] Connections to Elasticsearch domains should be encrypted using the latest TLS security policy | | | | |
| 💼 ElastiCache | 7 | | | |
| 💼 [ElastiCache.1] ElastiCache (Redis OSS) clusters should have automatic backups enabled | | | | |
| 💼 [ElastiCache.2] ElastiCache clusters should have automatic minor version upgrades enabled | | | | |
| 💼 [ElastiCache.3] ElastiCache replication groups should have automatic failover enabled | | | | |
| 💼 [ElastiCache.4] ElastiCache replication groups should be encrypted at rest | | | | |
| 💼 [ElastiCache.5] ElastiCache replication groups should be encrypted in transit | | | | |
| 💼 [ElastiCache.6] ElastiCache (Redis OSS) replication groups of earlier versions should have Redis OSS AUTH enabled | | | | |
| 💼 [ElastiCache.7] ElastiCache clusters should not use the default subnet group | | | | |
| 💼 EMR | 4 | | | |
| 💼 [EMR.1] Amazon EMR cluster primary nodes should not have public IP addresses | | | | |
| 💼 [EMR.2] Amazon EMR block public access setting should be enabled | | | | |
| 💼 [EMR.3] Amazon EMR security configurations should be encrypted at rest | | | | |
| 💼 [EMR.4] Amazon EMR security configurations should be encrypted in transit | | | | |
| 💼 EventBridge | 1 | | | |
| 💼 [EventBridge.3] EventBridge custom event buses should have a resource-based policy attached | | | | |
| 💼 FSx | 5 | | | |
| 💼 [FSx.1] FSx for OpenZFS file systems should be configured to copy tags to backups and volumes | | | | |
| 💼 [FSx.2] FSx for Lustre file systems should be configured to copy tags to backups | | | | |
| 💼 [FSx.3] FSx for OpenZFS file systems should be configured for Multi-AZ deployment | | | | |
| 💼 [FSx.4] FSx for NetApp ONTAP file systems should be configured for Multi-AZ deployment | | | | |
| 💼 [FSx.5] FSx for Windows File Server file systems should be configured for Multi-AZ deployment | | | | |
| 💼 Glue | 2 | | | |
| 💼 [Glue.3] AWS Glue machine learning transforms should be encrypted at rest | | | | |
| 💼 [Glue.4] AWS Glue Spark jobs should run on supported versions of AWS Glue | | | | |
| 💼 GuardDuty | 10 | | | |
| 💼 [GuardDuty.1] GuardDuty should be enabled | | | | |
| 💼 [GuardDuty.5] GuardDuty EKS Audit Log Monitoring should be enabled | | | | |
| 💼 [GuardDuty.6] GuardDuty Lambda Protection should be enabled | | | | |
| 💼 [GuardDuty.7] GuardDuty EKS Runtime Monitoring should be enabled | | | | |
| 💼 [GuardDuty.8] GuardDuty Malware Protection for EC2 should be enabled | | | | |
| 💼 [GuardDuty.9] GuardDuty RDS Protection should be enabled | | | | |
| 💼 [GuardDuty.10] GuardDuty S3 Protection should be enabled | | | | |
| 💼 [GuardDuty.11] GuardDuty Runtime Monitoring should be enabled | | | | |
| 💼 [GuardDuty.12] GuardDuty ECS Runtime Monitoring should be enabled | | | | |
| 💼 [GuardDuty.13] GuardDuty EC2 Runtime Monitoring should be enabled | | | | |
| 💼 Identity and Access Management (IAM) | 9 | | | |
| 💼 [IAM.1] IAM policies should not allow full "*" administrative privileges | | 1 | 1 | |
| 💼 [IAM.2] IAM users should not have IAM policies attached | | 1 | 1 | |
| 💼 [IAM.3] IAM users' access keys should be rotated every 90 days or less | | 1 | 1 | |
| 💼 [IAM.4] IAM root user access key should not exist | | 1 | 1 | |
| 💼 [IAM.5] MFA should be enabled for all IAM users that have a console password | | | 1 | |
| 💼 [IAM.6] Hardware MFA should be enabled for the root user | | | 1 | |
| 💼 [IAM.7] Password policies for IAM users should have strong configurations | | 1 | 2 | |
| 💼 [IAM.8] Unused IAM user credentials should be removed | | | 1 | |
| 💼 [IAM.21] IAM customer managed policies that you create should not allow wildcard actions for services | | | | |
| 💼 Inspector | 4 | | | |
| 💼 [Inspector.1] Amazon Inspector EC2 scanning should be enabled | | | | |
| 💼 [Inspector.2] Amazon Inspector ECR scanning should be enabled | | | | |
| 💼 [Inspector.3] Amazon Inspector Lambda code scanning should be enabled | | | | |
| 💼 [Inspector.4] Amazon Inspector Lambda standard scanning should be enabled | | | | |
| 💼 Key Management Service (KMS) | 4 | | | |
| 💼 [KMS.1] IAM customer managed policies should not allow decryption actions on all KMS keys | | | | |
| 💼 [KMS.2] IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys | | | | |
| 💼 [KMS.3] AWS KMS keys should not be deleted unintentionally | | | | |
| 💼 [KMS.5] KMS keys should not be publicly accessible | | | | |
| 💼 Kinesis | 2 | | | |
| 💼 [Kinesis.1] Kinesis streams should be encrypted at rest | | | | |
| 💼 [Kinesis.3] Kinesis streams should have an adequate data retention period | | | | |
| 💼 Lambda | 3 | | | |
| 💼 [Lambda.1] Lambda function policies should prohibit public access | | | | |
| 💼 [Lambda.2] Lambda functions should use supported runtimes | | | | |
| 💼 [Lambda.5] VPC Lambda functions should operate in multiple Availability Zones | | | | |
| 💼 Macie | 2 | | | |
| 💼 [Macie.1] Amazon Macie should be enabled | | | | |
| 💼 [Macie.2] Macie automated sensitive data discovery should be enabled | | | | |
| 💼 Managed Streaming for Apache Kafka (MSK) | 2 | | | |
| 💼 [MSK.1] MSK clusters should be encrypted in transit among broker nodes | | | | |
| 💼 [MSK.3] MSK Connect connectors should be encrypted in transit | | | | |
| 💼 MQ | 2 | | | |
| 💼 [MQ.2] ActiveMQ brokers should stream audit logs to CloudWatch | | | | |
| 💼 [MQ.3] Amazon MQ brokers should have automatic minor version upgrade enabled | | | | |
| 💼 Neptune | 8 | | | |
| 💼 [Neptune.1] Neptune DB clusters should be encrypted at rest | | | | |
| 💼 [Neptune.2] Neptune DB clusters should publish audit logs to CloudWatch Logs | | | | |
| 💼 [Neptune.3] Neptune DB cluster snapshots should not be public | | | | |
| 💼 [Neptune.4] Neptune DB clusters should have deletion protection enabled | | | | |
| 💼 [Neptune.5] Neptune DB clusters should have automated backups enabled | | | | |
| 💼 [Neptune.6] Neptune DB cluster snapshots should be encrypted at rest | | | | |
| 💼 [Neptune.7] Neptune DB clusters should have IAM database authentication enabled | | | | |
| 💼 [Neptune.8] Neptune DB clusters should be configured to copy tags to snapshots | | | | |
| 💼 Network Firewall | 7 | | | |
| 💼 [NetworkFirewall.2] Network Firewall logging should be enabled | | | | |
| 💼 [NetworkFirewall.3] Network Firewall policies should have at least one rule group associated | | | | |
| 💼 [NetworkFirewall.4] The default stateless action for Network Firewall policies should be drop or forward for full packets | | | | |
| 💼 [NetworkFirewall.5] The default stateless action for Network Firewall policies should be drop or forward for fragmented packets | | | | |
| 💼 [NetworkFirewall.6] Stateless Network Firewall rule group should not be empty | | | | |
| 💼 [NetworkFirewall.9] Network Firewall firewalls should have deletion protection enabled | | | | |
| 💼 [NetworkFirewall.10] Network Firewall firewalls should have subnet change protection enabled | | | | |
| 💼 OpenSearch | 9 | | | |
| 💼 [Opensearch.1] OpenSearch domains should have encryption at rest enabled | | | | |
| 💼 [Opensearch.2] OpenSearch domains should not be publicly accessible | | | | |
| 💼 [Opensearch.3] OpenSearch domains should encrypt data sent between nodes | | | | |
| 💼 [Opensearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled | | | | |
| 💼 [Opensearch.5] OpenSearch domains should have audit logging enabled | | | | |
| 💼 [Opensearch.6] OpenSearch domains should have at least three data nodes | | | | |
| 💼 [Opensearch.7] OpenSearch domains should have fine-grained access control enabled | | | | |
| 💼 [Opensearch.8] Connections to OpenSearch domains should be encrypted using the latest TLS security policy | | | | |
| 💼 [Opensearch.10] OpenSearch domains should have the latest software update installed | | | | |
| 💼 Private Certificate Authority (CA) | 1 | | | |
| 💼 [PCA.1] AWS Private CA root certificate authority should be disabled | | | | |
| 💼 Redshift | 10 | | | |
| 💼 [Redshift.1] Amazon Redshift clusters should prohibit public access | | | | |
| 💼 [Redshift.2] Connections to Amazon Redshift clusters should be encrypted in transit | | | | |
| 💼 [Redshift.3] Amazon Redshift clusters should have automatic snapshots enabled | | | | |
| 💼 [Redshift.4] Amazon Redshift clusters should have audit logging enabled | | | | |
| 💼 [Redshift.6] Amazon Redshift should have automatic upgrades to major versions enabled | | | | |
| 💼 [Redshift.7] Redshift clusters should use enhanced VPC routing | | | | |
| 💼 [Redshift.8] Amazon Redshift clusters should not use the default Admin username | | | | |
| 💼 [Redshift.9] Redshift clusters should not use the default database name | | | | |
| 💼 [Redshift.10] Redshift clusters should be encrypted at rest | | | | |
| 💼 [Redshift.15] Redshift security groups should allow ingress on the cluster port only from restricted origins | | | | |
| 💼 Redshift Serverless | 1 | | | |
| 💼 [RedshiftServerless.1] Amazon Redshift Serverless workgroups should use enhanced VPC routing | | | | |
| 💼 Relational Database Service (RDS) | 31 | | | |
| 💼 [RDS.1] RDS snapshot should be private | | 1 | 1 | |
| 💼 [RDS.2] RDS DB Instances should prohibit public access, as determined by the PubliclyAccessible configuration | | 1 | 1 | |
| 💼 [RDS.3] RDS DB instances should have encryption at-rest enabled | | 1 | 1 | |
| 💼 [RDS.4] RDS cluster snapshots and database snapshots should be encrypted at rest | | | | |
| 💼 [RDS.5] RDS DB instances should be configured with multiple Availability Zones | | 1 | 1 | |
| 💼 [RDS.6] Enhanced monitoring should be configured for RDS DB instances | | | | |
| 💼 [RDS.7] RDS clusters should have deletion protection enabled | | | | |
| 💼 [RDS.8] RDS DB instances should have deletion protection enabled | | | | |
| 💼 [RDS.9] RDS DB instances should publish logs to CloudWatch Logs | | | | |
| 💼 [RDS.10] IAM authentication should be configured for RDS instances | | | | |
| 💼 [RDS.11] RDS instances should have automatic backups enabled | | | | |
| 💼 [RDS.12] IAM authentication should be configured for RDS clusters | | | | |
| 💼 [RDS.13] RDS automatic minor version upgrades should be enabled | | 1 | 1 | |
| 💼 [RDS.14] Amazon Aurora clusters should have backtracking enabled | | | | |
| 💼 [RDS.15] RDS DB clusters should be configured for multiple Availability Zones | | | | |
| 💼 [RDS.16] RDS DB clusters should be configured to copy tags to snapshots | | | | |
| 💼 [RDS.17] RDS DB instances should be configured to copy tags to snapshots | | | | |
| 💼 [RDS.18] RDS instances should be deployed in a VPC | | | | |
| 💼 [RDS.19] Existing RDS event notification subscriptions should be configured for critical cluster events | | | | |
| 💼 [RDS.20] Existing RDS event notification subscriptions should be configured for critical database instance events | | | | |
| 💼 [RDS.21] An RDS event notifications subscription should be configured for critical database parameter group events | | | | |
| 💼 [RDS.22] An RDS event notifications subscription should be configured for critical database security group events | | | | |
| 💼 [RDS.23] RDS instances should not use a database engine default port | | 1 | 1 | |
| 💼 [RDS.24] RDS Database clusters should use a custom administrator username | | | | |
| 💼 [RDS.25] RDS database instances should use a custom administrator username | | | | |
| 💼 [RDS.27] RDS DB clusters should be encrypted at rest | | | | |
| 💼 [RDS.34] Aurora MySQL DB clusters should publish audit logs to CloudWatch Logs | | | | |
| 💼 [RDS.35] RDS DB clusters should have automatic minor version upgrade enabled | | | | |
| 💼 [RDS.36] RDS for PostgreSQL DB instances should publish logs to CloudWatch Logs | | | | |
| 💼 [RDS.37] Aurora PostgreSQL DB clusters should publish logs to CloudWatch Logs | | | | |
| 💼 [RDS.40] RDS for SQL Server DB instances should publish logs to CloudWatch Logs | | | | |
| 💼 Route 53 | 1 | | | |
| 💼 [Route53.2] Route 53 public hosted zones should log DNS queries | | | | |
| 💼 SageMaker | 5 | | | |
| 💼 [SageMaker.1] Amazon SageMaker AI notebook instances should not have direct internet access | | | | |
| 💼 [SageMaker.2] SageMaker AI notebook instances should be launched in a custom VPC | | | | |
| 💼 [SageMaker.3] Users should not have root access to SageMaker AI notebook instances | | | | |
| 💼 [SageMaker.4] SageMaker AI endpoint production variants should have an initial instance count greater than 1 | | | | |
| 💼 [SageMaker.5] SageMaker models should block inbound traffic | | | | |
| 💼 Secrets Manager | 4 | | | |
| 💼 [SecretsManager.1] Secrets Manager secrets should have automatic rotation enabled | | | | |
| 💼 [SecretsManager.2] Secrets Manager secrets configured with automatic rotation should rotate successfully | | | | |
| 💼 [SecretsManager.3] Remove unused Secrets Manager secrets | | | | |
| 💼 [SecretsManager.4] Secrets Manager secrets should be rotated within a specified number of days | | | | |
| 💼 Service Catalog | 1 | | | |
| 💼 [ServiceCatalog.1] Service Catalog portfolios should be shared within an AWS organization only | | | | |
| 💼 Simple Notification Service (SNS) | 1 | | | |
| 💼 [SNS.4] SNS topic access policies should not allow public access | | | | |
| 💼 Simple Queue Service (SQS) | 2 | | | |
| 💼 [SQS.1] Amazon SQS queues should be encrypted at rest | | | | |
| 💼 [SQS.3] SQS queue access policies should not allow public access | | | | |
| 💼 Simple Storage Service (S3) | 10 | | | |
| 💼 [S3.1] S3 general purpose buckets should have block public access settings enabled | | | 1 | |
| 💼 [S3.2] S3 general purpose buckets should block public read access | | | | |
| 💼 [S3.3] S3 general purpose buckets should block public write access | | | | |
| 💼 [S3.5] S3 general purpose buckets should require requests to use SSL | | 1 | 1 | |
| 💼 [S3.6] S3 general purpose bucket policies should restrict access to other AWS accounts | | | | |
| 💼 [S3.9] S3 general purpose buckets should have server access logging enabled | | 1 | 2 | |
| 💼 [S3.12] ACLs should not be used to manage user access to S3 general purpose buckets | | | | |
| 💼 [S3.13] S3 general purpose buckets should have Lifecycle configurations | | 1 | 1 | |
| 💼 [S3.19] S3 access points should have block public access settings enabled | | | | |
| 💼 [S3.24] S3 Multi-Region Access Points should have block public access settings enabled | | | | |
| 💼 Step Functions | 1 | | | |
| 💼 [StepFunctions.1] Step Functions state machines should have logging turned on | | | | |
| 💼 Systems Manager (SSM) | 4 | | | |
| 💼 [SSM.1] Amazon EC2 instances should be managed by AWS Systems Manager | | | | |
| 💼 [SSM.2] Amazon EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation | | | | |
| 💼 [SSM.3] Amazon EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT | | | | |
| 💼 [SSM.4] SSM documents should not be public | | | | |
| 💼 Transfer Family | 2 | | | |
| 💼 [Transfer.2] Transfer Family servers should not use FTP protocol for endpoint connection | | | | |
| 💼 [Transfer.3] Transfer Family connectors should have logging enabled | | | | |
| 💼 WAF | 9 | | | |
| 💼 [WAF.1] AWS WAF Classic Global Web ACL logging should be enabled | | | | |
| 💼 [WAF.2] AWS WAF Classic Regional rules should have at least one condition | | | | |
| 💼 [WAF.3] AWS WAF Classic Regional rule groups should have at least one rule | | | | |
| 💼 [WAF.4] AWS WAF Classic Regional web ACLs should have at least one rule or rule group | | | | |
| 💼 [WAF.6] AWS WAF Classic global rules should have at least one condition | | | | |
| 💼 [WAF.7] AWS WAF Classic global rule groups should have at least one rule | | | | |
| 💼 [WAF.8] AWS WAF Classic global web ACLs should have at least one rule or rule group | | | | |
| 💼 [WAF.10] AWS WAF web ACLs should have at least one rule or rule group | | | | |
| 💼 [WAF.12] AWS WAF rules should have CloudWatch metrics enabled | | | | |
| 💼 WorkSpaces | 2 | | | |
| 💼 [WorkSpaces.1] WorkSpaces user volumes should be encrypted at rest | | | | |
| 💼 [WorkSpaces.2] WorkSpaces root volumes should be encrypted at rest | | | | |