| 💼 1 Identity and Access Management | 21 | | | |
| 💼 1.1 Maintain current contact details - Level 1 (Manual) | | | 1 | |
| 💼 1.2 Ensure security contact information is registered - Level 1 (Manual) | | | 1 | |
| 💼 1.3 Ensure security questions are registered in the AWS account - Level 1 (Manual) | | | | |
| 💼 1.4 Ensure no 'root' user account access key exists - Level 1 (Automated) | | 1 | 1 | |
| 💼 1.5 Ensure MFA is enabled for the 'root' user account - Level 1 (Automated) | | | 1 | |
| 💼 1.6 Ensure hardware MFA is enabled for the 'root' user account - Level 2 (Automated) | | | 1 | |
| 💼 1.7 Eliminate use of the 'root' user for administrative and daily tasks - Level 1 (Automated) | | 1 | 1 | |
| 💼 1.8 Ensure IAM password policy requires minimum length of 14 or greater - Level 1 (Automated) | | | 1 | |
| 💼 1.9 Ensure IAM password policy prevents password reuse - Level 1 (Automated) | | 1 | 1 | |
| 💼 1.10 Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password - Level 1 (Automated) | | | 1 | |
| 💼 1.11 Do not setup access keys during initial user setup for all IAM users that have a console password - Level 1 (Automated) | | 1 | 1 | |
| 💼 1.12 Ensure credentials unused for 45 days or greater are disabled - Level 1 (Automated) | | | 1 | |
| 💼 1.13 Ensure there is only one active access key available for any single IAM user - Level 1 (Automated) | | 1 | 1 | |
| 💼 1.14 Ensure access keys are rotated every 90 days or less - Level 1 (Automated) | | 1 | 1 | |
| 💼 1.15 Ensure IAM Users Receive Permissions Only Through Groups - Level 1 (Automated) | | 1 | 1 | |
| 💼 1.16 Ensure IAM policies that allow full ":" administrative privileges are not attached - Level 1 (Automated) | | | 1 | |
| 💼 1.17 Ensure a support role has been created to manage incidents with AWS Support - Level 1 (Automated) | | | 1 | |
| 💼 1.18 Ensure IAM instance roles are used for AWS resource access from instances - Level 2 (Manual) | | 1 | 1 | |
| 💼 1.19 Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed - Level 1 (Automated) | | 1 | 1 | |
| 💼 1.20 Ensure that IAM Access analyzer is enabled for all regions - Level 1 (Automated) | | 1 | 1 | |
| 💼 1.21 Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments - Level 2 (Manual) | | | 1 | |
| 💼 2 Storage | 4 | | | |
| 💼 2.1 Simple Storage Service (S3) | 5 | | | |
| 💼 2.1.1 Ensure all S3 buckets employ encryption-at-rest - Level 2 (Automated) | | | | |
| 💼 2.1.2 Ensure S3 Bucket Policy is set to deny HTTP requests - Level 2 (Automated) | | 1 | 1 | |
| 💼 2.1.3 Ensure MFA Delete is enabled on S3 buckets - Level 1 (Automated) | | 1 | 1 | |
| 💼 2.1.4 Ensure all data in Amazon S3 has been discovered, classified and secured when required. - Level 2 (Manual) | | | 1 | |
| 💼 2.1.5 Ensure that S3 Buckets are configured with 'Block public access (bucket settings)' - Level 1 (Automated) | | 1 | 1 | |
| 💼 2.2 Elastic Compute Cloud (EC2) | 1 | | | |
| 💼 2.2.1 Ensure EBS Volume Encryption is Enabled in all Regions - Level 1 (Automated) | | 1 | 1 | |
| 💼 2.3 Relational Database Service (RDS) | 3 | | | |
| 💼 2.3.1 Ensure that encryption is enabled for RDS Instances - Level 1 (Automated) | | 1 | 1 | |
| 💼 2.3.2 Ensure Auto Minor Version Upgrade feature is Enabled for RDS Instances - Level 1 (Automated) | | 1 | 1 | |
| 💼 2.3.3 Ensure that public access is not given to RDS Instance - Level 1 (Automated) | | 1 | 1 | |
| 💼 2.4 Elastic File System (EFS) | 1 | | | |
| 💼 2.4.1 Ensure that encryption is enabled for EFS file systems - Level 1 (Manual) | | | 1 | |
| 💼 3 Logging | 11 | | | |
| 💼 3.1 Ensure CloudTrail is enabled in all regions - Level 1 (Automated) | | | 1 | |
| 💼 3.2 Ensure CloudTrail log file validation is enabled - Level 2 (Automated) | | 1 | 1 | |
| 💼 3.3 Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible - Level 1 (Automated) | | | | |
| 💼 3.4 Ensure CloudTrail trails are integrated with CloudWatch Logs - Level 1 (Automated) | | | | |
| 💼 3.5 Ensure AWS Config is enabled in all regions - Level 2 (Automated) | | | 1 | |
| 💼 3.6 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket - Level 1 (Automated) | | | 1 | |
| 💼 3.7 Ensure CloudTrail logs are encrypted at rest using KMS CMKs - Level 2 (Automated) | | | 1 | |
| 💼 3.8 Ensure rotation for customer created symmetric CMKs is enabled - Level 2 (Automated) | | 1 | 1 | |
| 💼 3.9 Ensure VPC flow logging is enabled in all VPCs - Level 2 (Automated) | | 1 | 1 | |
| 💼 3.10 Ensure that Object-level logging for write events is enabled for S3 bucket - Level 2 (Automated) | | | 1 | |
| 💼 3.11 Ensure that Object-level logging for read events is enabled for S3 bucket - Level 2 (Automated) | | | 1 | |
| 💼 4 Monitoring | 16 | | | |
| 💼 4.1 Ensure a log metric filter and alarm exist for unauthorized API calls - Level 1 (Automated) | | | 1 | |
| 💼 4.2 Ensure a log metric filter and alarm exist for Management Console sign-in without MFA - Level 1 (Automated) | | | 1 | |
| 💼 4.3 Ensure a log metric filter and alarm exist for usage of 'root' account - Level 1 (Automated) | | | 1 | |
| 💼 4.4 Ensure a log metric filter and alarm exist for IAM policy changes - Level 1 (Automated) | | | 1 | |
| 💼 4.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes - Level 1 (Automated) | | | 1 | |
| 💼 4.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures - Level 2 (Automated) | | | 1 | |
| 💼 4.7 Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs - Level 2 (Automated) | | | 1 | |
| 💼 4.8 Ensure a log metric filter and alarm exist for S3 bucket policy changes - Level 1 (Automated) | | | 1 | |
| 💼 4.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes - Level 2 (Automated) | | | 1 | |
| 💼 4.10 Ensure a log metric filter and alarm exist for security group changes - Level 2 (Automated) | | | 1 | |
| 💼 4.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) - Level 2 (Automated) | | | 1 | |
| 💼 4.12 Ensure a log metric filter and alarm exist for changes to network gateways - Level 1 (Automated) | | | 1 | |
| 💼 4.13 Ensure a log metric filter and alarm exist for route table changes - Level 1 (Automated) | | | 1 | |
| 💼 4.14 Ensure a log metric filter and alarm exist for VPC changes - Level 1 (Automated) | | | 1 | |
| 💼 4.15 Ensure a log metric filter and alarm exists for AWS Organizations changes - Level 1 (Automated) | | | 1 | |
| 💼 4.16 Ensure AWS Security Hub is enabled - Level 2 (Automated) | | 1 | 1 | |
| 💼 5 Networking | 5 | | | |
| 💼 5.1 Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports - Level 1 (Automated) | | | 1 | |
| 💼 5.2 Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports - Level 1 (Automated) | | 1 | 1 | |
| 💼 5.3 Ensure no security groups allow ingress from ::/0 to remote server administration ports - Level 1 (Automated) | | 1 | 1 | |
| 💼 5.4 Ensure the default security group of every VPC restricts all traffic - Level 2 (Automated) | | | 1 | |
| 💼 5.5 Ensure routing tables for VPC peering are "least access" - Level 2 (Manual) | | | 1 | |