💼 1 Identity and Access Management | 22 | | | |
💼 1.1 Avoid the use of the "root" account | | 1 | 1 | |
💼 1.2 Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password | | | 1 | |
💼 1.3 Ensure credentials unused for 90 days or greater are disabled | | | | |
💼 1.4 Ensure access keys are rotated every 90 days or less | | 1 | 1 | |
💼 1.5 Ensure IAM password policy requires at least one uppercase letter | | | | |
💼 1.6 Ensure IAM password policy requires at least one lowercase letter | | | | |
💼 1.7 Ensure IAM password policy requires at least one symbol | | | | |
💼 1.8 Ensure IAM password policy requires at least one number | | | | |
💼 1.9 Ensure IAM password policy requires minimum length of 14 or greater | | | 1 | |
💼 1.10 Ensure IAM password policy prevents password reuse | | 1 | 1 | |
💼 1.11 Ensure IAM password policy expires passwords within 90 days or less | | | | |
💼 1.12 Ensure no root account access key exists | | 1 | 1 | |
💼 1.13 Ensure MFA is enabled for the "root" account | | | 1 | |
💼 1.14 Ensure hardware MFA is enabled for the "root" account | | | 1 | |
💼 1.15 Ensure security questions are registered in the AWS account | | | | |
💼 1.16 Ensure IAM policies are attached only to groups or roles | | 1 | 1 | |
💼 1.17 Maintain current contact details | | | 1 | |
💼 1.18 Ensure security contact information is registered | | | 1 | |
💼 1.19 Ensure IAM instance roles are used for AWS resource access from instances | | 1 | 1 | |
💼 1.20 Ensure a support role has been created to manage incidents with AWS Support | | | 1 | |
💼 1.21 Do not set up access keys during initial user setup for all IAM users that have a console password | | 1 | 1 | |
💼 1.22 Ensure IAM policies that allow full "*:*" administrative privileges are not created | | 1 | 1 | |
💼 2 Logging | 9 | | | |
💼 2.1 Ensure CloudTrail is enabled in all regions | | 1 | 1 | |
💼 2.2 Ensure CloudTrail log file validation is enabled | | 1 | 1 | |
💼 2.3 Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible | | | | |
💼 2.4 Ensure CloudTrail trails are integrated with CloudWatch Logs | | | | |
💼 2.5 Ensure AWS Config is enabled in all regions | | | 1 | |
💼 2.6 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket | | | 1 | |
💼 2.7 Ensure CloudTrail logs are encrypted at rest using KMS CMKs | | | 1 | |
💼 2.8 Ensure rotation for customer created CMKs is enabled | | 1 | 1 | |
💼 2.9 Ensure VPC flow logging is enabled in all VPCs | | 1 | 1 | |
💼 3 Monitoring | 14 | | | |
💼 3.1 Ensure a log metric filter and alarm exist for unauthorized API calls | | | 1 | |
💼 3.2 Ensure a log metric filter and alarm exist for Management Console sign-in without MFA | | | 1 | |
💼 3.3 Ensure a log metric filter and alarm exist for usage of 'root' account | | | 1 | |
💼 3.4 Ensure a log metric filter and alarm exist for IAM policy changes | | | 1 | |
💼 3.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes | | | 1 | |
💼 3.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures | | | 1 | |
💼 3.7 Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs | | | 1 | |
💼 3.8 Ensure a log metric filter and alarm exist for S3 bucket policy changes | | | 1 | |
💼 3.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes | | | 1 | |
💼 3.10 Ensure a log metric filter and alarm exist for security group changes | | | 1 | |
💼 3.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) | | | 1 | |
💼 3.12 Ensure a log metric filter and alarm exist for changes to network gateways | | | 1 | |
💼 3.13 Ensure a log metric filter and alarm exist for route table changes | | | 1 | |
💼 3.14 Ensure a log metric filter and alarm exist for VPC changes | | | 1 | |
💼 4 Networking | 4 | | | |
💼 4.1 Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 | | | | |
💼 4.2 Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 | | | | |
💼 4.3 Ensure the default security group of every VPC restricts all traffic | | | 1 | |
💼 4.4 Ensure routing tables for VPC peering are "least access" | | | 1 | |