| Control | Sub-items | Checks |
|---|---|---|
| 2 Identity and Access Management | 21 | 19 |
| 2.1 Organizations | 6 | |
| 2.1.1 Ensure centralized root access in AWS Organizations (Manual) | | |
| 2.1.2 Ensure authorization guardrails for all AWS Organization accounts (Manual) | | |
| 2.1.3 Ensure Organizations management account is not used for workloads (Manual) | | |
| 2.1.4 Ensure Organizational Units are structured by environment and sensitivity (Manual) | | |
| 2.1.5 Ensure delegated admin manages AWS Organizations policies (Manual) | | |
| 2.1.6 Ensure delegated admins manage AWS Organizations-integrated services (Manual) | | |
| 2.2 Maintain current AWS account contact details (Manual) | | 1 |
| 2.3 Ensure security contact information is registered (Manual) | | 1 |
| 2.4 Ensure no 'root' user account access key exists (Automated) | | 1 |
| 2.5 Ensure MFA is enabled for the 'root' user account (Automated) | | 1 |
| 2.6 Ensure hardware MFA is enabled for the 'root' user account (Manual) | | 1 |
| 2.7 Eliminate use of the 'root' user for administrative and daily tasks (Manual) | | 1 |
| 2.8 Ensure IAM password policy requires minimum length of 14 or greater (Automated) | | 1 |
| 2.9 Ensure IAM password policy prevents password reuse (Automated) | | 1 |
| 2.10 Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Automated) | | 1 |
| 2.11 Ensure credentials unused for 45 days or more are disabled (Automated) | | 1 |
| 2.12 Ensure access keys are rotated every 90 days or less (Automated) | | 1 |
| 2.13 Ensure IAM users receive permissions only through groups (Automated) | | 1 |
| 2.14 Ensure IAM policies that allow full `"*:*"` administrative privileges are not attached (Automated) | | 1 |
| 2.15 Ensure a support role has been created to manage incidents with AWS Support (Automated) | | 1 |
| 2.16 Ensure IAM instance roles are used for AWS resource access from instances (Automated) | | 1 |
| 2.17 Ensure that all expired SSL/TLS certificates stored in AWS IAM are removed (Automated) | | 1 |
| 2.18 Ensure that IAM External Access Analyzer is enabled for all regions (Automated) | | 1 |
| 2.19 Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments (Manual) | | 1 |
| 2.20 Ensure access to AWSCloudShellFullAccess is restricted (Manual) | | 1 |
| 2.21 Ensure AWS resource policies do not allow unrestricted access using 'Principal': '*' (Manual) | | |
| 3 Storage | 3 | 9 |
| 3.1 Simple Storage Service (S3) | 4 | 4 |
| 3.1.1 Ensure S3 Bucket Policy is set to deny HTTP requests (Automated) | | 1 |
| 3.1.2 Ensure MFA Delete is enabled on S3 buckets (Manual) | | 1 |
| 3.1.3 Ensure all data in Amazon S3 has been discovered, classified, and secured when necessary (Manual) | | 1 |
| 3.1.4 Ensure that S3 is configured with 'Block Public Access' enabled (Automated) | | 1 |
| 3.2 Relational Database Service (RDS) | 4 | 4 |
| 3.2.1 Ensure that encryption-at-rest is enabled for RDS instances (Automated) | | 1 |
| 3.2.2 Ensure the Auto Minor Version Upgrade feature is enabled for RDS instances (Automated) | | 1 |
| 3.2.3 Ensure that RDS instances are not publicly accessible (Automated) | | 1 |
| 3.2.4 Ensure Multi-AZ deployments are used for enhanced availability in Amazon RDS (Manual) | | 1 |
| 3.3 Elastic File System (EFS) | 1 | 1 |
| 3.3.1 Ensure that encryption is enabled for EFS file systems (Automated) | | 1 |
| 4 Logging | 10 | 9 |
| 4.1 Ensure CloudTrail is enabled in all regions (Manual) | | 1 |
| 4.2 Ensure CloudTrail log file validation is enabled (Automated) | | 1 |
| 4.3 Ensure AWS Config is enabled in all regions (Automated) | | 1 |
| 4.4 Ensure that server access logging is enabled on the CloudTrail S3 bucket (Manual) | | 1 |
| 4.5 Ensure CloudTrail logs are encrypted at rest using KMS CMKs (Automated) | | 1 |
| 4.6 Ensure rotation for customer-created symmetric CMKs is enabled (Automated) | | 1 |
| 4.7 Ensure VPC flow logging is enabled in all VPCs (Automated) | | 1 |
| 4.8 Ensure that object-level logging for write events is enabled for S3 buckets (Automated) | | 1 |
| 4.9 Ensure that object-level logging for read events is enabled for S3 buckets (Automated) | | 1 |
| 4.10 Ensure all AWS-managed web front-end services have access logging enabled (Manual) | | |
| 5 Monitoring | 16 | 16 |
| 5.1 Ensure unauthorized API calls are monitored (Automated) | | 1 |
| 5.2 Ensure management console sign-in without MFA is monitored (Manual) | | 1 |
| 5.3 Ensure usage of the 'root' account is monitored (Manual) | | 1 |
| 5.4 Ensure IAM policy changes are monitored (Manual) | | 1 |
| 5.5 Ensure CloudTrail configuration changes are monitored (Manual) | | 1 |
| 5.6 Ensure AWS Management Console authentication failures are monitored (Manual) | | 1 |
| 5.7 Ensure disabling or scheduled deletion of customer-created CMKs is monitored (Manual) | | 1 |
| 5.8 Ensure S3 bucket policy changes are monitored (Manual) | | 1 |
| 5.9 Ensure AWS Config configuration changes are monitored (Manual) | | 1 |
| 5.10 Ensure security group changes are monitored (Manual) | | 1 |
| 5.11 Ensure Network Access Control List (NACL) changes are monitored (Manual) | | 1 |
| 5.12 Ensure changes to network gateways are monitored (Manual) | | 1 |
| 5.13 Ensure route table changes are monitored (Manual) | | 1 |
| 5.14 Ensure VPC changes are monitored (Manual) | | 1 |
| 5.15 Ensure AWS Organizations changes are monitored (Manual) | | 1 |
| 5.16 Ensure AWS Security Hub is enabled (Automated) | | 1 |
| 6 Networking | 8 | 8 |
| 6.1 Elastic Compute Cloud (EC2) | 2 | 2 |
| 6.1.1 Ensure EBS volume encryption is enabled in all regions (Automated) | | 1 |
| 6.1.2 Ensure CIFS access is restricted to trusted networks to prevent unauthorized access (Automated) | | 1 |
| 6.2 Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports (Automated) | | 1 |
| 6.3 Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports (Automated) | | 1 |
| 6.4 Ensure no security groups allow ingress from ::/0 to remote server administration ports (Automated) | | 1 |
| 6.5 Ensure the default security group of every VPC restricts all traffic (Automated) | | 1 |
| 6.6 Ensure routing tables for VPC peering are "least access" (Manual) | | 1 |
| 6.7 Ensure that the EC2 Metadata Service only allows IMDSv2 (Automated) | | 1 |
| 6.8 Ensure VPC Endpoints are used for access to AWS Services (Manual) | | |
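The three automated networking controls 6.2, 6.3 and 6.4 above share one detection problem: an ingress rule is a finding not only when it names port 22 or 3389 explicitly, but also when it covers them indirectly (protocol `-1`, or a range such as 0-65535). The script below is an added example written for this page, not the benchmark's own audit procedure or any scanner's code. It evaluates the dict shapes that boto3's `describe_security_groups()` and `describe_network_acls()` return, so it can be pointed at live output, but the sample data is constructed by hand so it runs without AWS credentials. The function names, the choice of 22 and 3389 as the "remote server administration ports", and the sample resource IDs are assumptions of this example.

```python
"""Offline evaluation of controls 6.2, 6.3 and 6.4 (remote administration
ports reachable from 0.0.0.0/0 or ::/0).  Added example; the data below is
constructed, not captured from a real account."""

ADMIN_PORTS = {22, 3389}        # assumed: SSH and RDP as the admin ports
ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"


def _covers_admin_port(protocol, from_port, to_port):
    """True if a rule's protocol/port range reaches an admin port.

    Protocol "-1" (all traffic) carries no port range at all, and a wide
    range such as 0-65535 or 20-25 still includes 22: both are missed by
    a naive `port == 22` comparison."""
    if protocol == "-1":
        return True
    if protocol not in ("tcp", "udp", "6", "17"):   # SGs use names, NACLs numbers
        return False                                # e.g. icmp has no ports
    if from_port is None or to_port is None:
        return True                                 # no range given: all ports
    return any(from_port <= p <= to_port for p in ADMIN_PORTS)


def open_admin_sg_rules(security_groups):
    """Findings for 6.3 (IPv4) and 6.4 (IPv6) over
    describe_security_groups()['SecurityGroups'].  Returns
    (GroupId, control, cidr) tuples."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            if not _covers_admin_port(perm.get("IpProtocol"),
                                      perm.get("FromPort"), perm.get("ToPort")):
                continue
            for r in perm.get("IpRanges", []):
                if r.get("CidrIp") == ANY_V4:
                    findings.append((sg["GroupId"], "6.3", ANY_V4))
            for r in perm.get("Ipv6Ranges", []):
                if r.get("CidrIpv6") == ANY_V6:
                    findings.append((sg["GroupId"], "6.4", ANY_V6))
    return findings


def open_admin_nacl_rules(network_acls):
    """Findings for 6.2 over describe_network_acls()['NetworkAcls'].
    Only ingress *allow* entries count.  A lower-numbered deny entry that
    shadows the allow is not modelled here; the allow is still reported."""
    findings = []
    for acl in network_acls:
        for e in acl.get("Entries", []):
            if e.get("Egress") or e.get("RuleAction") != "allow":
                continue
            pr = e.get("PortRange") or {}
            if not _covers_admin_port(e.get("Protocol"), pr.get("From"), pr.get("To")):
                continue
            if e.get("CidrBlock") == ANY_V4:
                findings.append((acl["NetworkAclId"], e["RuleNumber"], ANY_V4))
            if e.get("Ipv6CidrBlock") == ANY_V6:
                findings.append((acl["NetworkAclId"], e["RuleNumber"], ANY_V6))
    return findings


# Constructed sample data in boto3's response shape (IDs are made up).
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0aaa", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,          # ok: HTTPS only
         "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,            # ok: internal only
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,          # 6.3: range hides 22
         "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0ccc", "IpPermissions": [
        {"IpProtocol": "-1",                                           # 6.4: all traffic, any v6
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": ANY_V6}]}]},
]

SAMPLE_NETWORK_ACLS = [
    {"NetworkAclId": "acl-0aaa", "Entries": [
        {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": False,
         "CidrBlock": ANY_V4, "PortRange": {"From": 3389, "To": 3389}},   # 6.2 finding
        {"RuleNumber": 110, "Protocol": "6", "RuleAction": "allow", "Egress": True,
         "CidrBlock": ANY_V4, "PortRange": {"From": 22, "To": 22}},       # egress: ignored
        {"RuleNumber": 120, "Protocol": "6", "RuleAction": "deny", "Egress": False,
         "CidrBlock": ANY_V4, "PortRange": {"From": 22, "To": 22}},       # deny: ignored
        {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False,
         "CidrBlock": ANY_V4}]},                                          # default deny
]

if __name__ == "__main__":
    for f in open_admin_sg_rules(SAMPLE_SECURITY_GROUPS):
        print("security group", *f)
    for f in open_admin_nacl_rules(SAMPLE_NETWORK_ACLS):
        print("network acl", *f)
```

To run it against a real account, replace the two sample lists with `boto3.client("ec2").describe_security_groups()["SecurityGroups"]` and `describe_network_acls()["NetworkAcls"]` for each region; the functions do not change. The port-range helper is the part worth keeping: a rule for 0-65535 or for protocol `-1` from 0.0.0.0/0 exposes SSH and RDP just as surely as a rule that names port 22, and scanners that compare `FromPort == 22` miss it.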