Regional limits on controls
Amazon Security Hub controls may not be available in all Amazon Web Services Regions. This page shows which controls are unavailable in specific Regions. A control doesn't appear on the list of controls in the Security Hub console if it's not available in the Region that you are signed in to. The exception is if you're signed in to an aggregation Region. In that case, you can see controls that are available in the aggregation Region or in one or more linked Regions.
Contents
- US East (N. Virginia)
- US East (Ohio)
- US West (N. California)
- US West (Oregon)
- Africa (Cape Town)
- Asia Pacific (Hong Kong)
- Asia Pacific (Hyderabad)
- Asia Pacific (Jakarta)
- Asia Pacific (Mumbai)
- Asia Pacific (Melbourne)
- Asia Pacific (Osaka)
- Asia Pacific (Seoul)
- Asia Pacific (Singapore)
- Asia Pacific (Sydney)
- Asia Pacific (Tokyo)
- Canada (Central)
- China (Beijing)
- China (Ningxia)
- Europe (Frankfurt)
- Europe (Ireland)
- Europe (London)
- Europe (Milan)
- Europe (Paris)
- Europe (Spain)
- Europe (Stockholm)
- Europe (Zurich)
- Israel (Tel Aviv)
- Middle East (Bahrain)
- Middle East (UAE)
- South America (São Paulo)
- Amazon GovCloud (US-East)
- Amazon GovCloud (US-West)
US East (N. Virginia)
The following controls are not supported in US East (N. Virginia).
- [DataFirehose.1] Firehose delivery streams should be encrypted at rest
- [DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled
- [DMS.11] DMS endpoints for MongoDB should have an authentication mechanism enabled
- [DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit
- [EFS.6] EFS mount targets should not be associated with a public subnet
- [EKS.3] EKS clusters should use encrypted Kubernetes secrets
- [ElastiCache.4] ElastiCache for Redis replication groups should be encrypted at rest
- [ElastiCache.5] ElastiCache for Redis replication groups should be encrypted in transit
- [ElastiCache.6] ElastiCache for Redis replication groups before version 6.0 should use Redis AUTH
- [ElastiCache.7] ElastiCache clusters should not use the default subnet group
- [FSx.2] FSx for Lustre file systems should be configured to copy tags to backups
- [GlobalAccelerator.1] Global Accelerator accelerators should be tagged
- [MQ.2] ActiveMQ brokers should stream audit logs to CloudWatch
- [MQ.3] Amazon MQ brokers should have automatic minor version upgrade enabled
- [Opensearch.11] OpenSearch domains should have at least three dedicated primary nodes
- [ServiceCatalog.1] Service Catalog portfolios should be shared within an Amazon organization only
- [Transfer.2] Transfer Family servers should not use FTP protocol for endpoint connection
US East (Ohio)
The following controls are not supported in US East (Ohio).
- [CloudFront.1] CloudFront distributions should have a default root object configured
- [CloudFront.3] CloudFront distributions should require encryption in transit
- [CloudFront.4] CloudFront distributions should have origin failover configured
- [CloudFront.5] CloudFront distributions should have logging enabled
- [CloudFront.6] CloudFront distributions should have WAF enabled
- [CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates
- [CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests
- [CloudFront.9] CloudFront distributions should encrypt traffic to custom origins
- [CloudFront.12] CloudFront distributions should not point to non-existent S3 origins
- [CloudFront.13] CloudFront distributions should use origin access control
- [DataFirehose.1] Firehose delivery streams should be encrypted at rest
- [DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled
- [DMS.11] DMS endpoints for MongoDB should have an authentication mechanism enabled
- [DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit
- [EC2.24] Amazon EC2 paravirtual instance types should not be used
- [EFS.6] EFS mount targets should not be associated with a public subnet
- [EKS.3] EKS clusters should use encrypted Kubernetes secrets
- [FSx.2] FSx for Lustre file systems should be configured to copy tags to backups
- [GlobalAccelerator.1] Global Accelerator accelerators should be tagged
- [IAM.26] Expired SSL/TLS certificates managed in IAM should be removed
- [MQ.2] ActiveMQ brokers should stream audit logs to CloudWatch
- [MQ.3] Amazon MQ brokers should have automatic minor version upgrade enabled
- [Opensearch.11] OpenSearch domains should have at least three dedicated primary nodes
- [Route53.2] Route 53 public hosted zones should log DNS queries
- [ServiceCatalog.1] Service Catalog portfolios should be shared within an Amazon organization only
- [Transfer.2] Transfer Family servers should not use FTP protocol for endpoint connection
- [WAF.1] Amazon WAF Classic Global Web ACL logging should be enabled
- [WAF.6] Amazon WAF Classic global rules should have at least one condition
- [WAF.7] Amazon WAF Classic global rule groups should have at least one rule
- [WAF.8] Amazon WAF Classic global web ACLs should have at least one rule or rule group
US West (N. California)
The following controls are not supported in US West (N. California).
- [CloudFront.1] CloudFront distributions should have a default root object configured
- [CloudFront.3] CloudFront distributions should require encryption in transit
- [CloudFront.4] CloudFront distributions should have origin failover configured
- [CloudFront.5] CloudFront distributions should have logging enabled
- [CloudFront.6] CloudFront distributions should have WAF enabled
- [CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates
- [CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests
- [CloudFront.9] CloudFront distributions should encrypt traffic to custom origins
- [CloudFront.12] CloudFront distributions should not point to non-existent S3 origins
- [CloudFront.13] CloudFront distributions should use origin access control
- [DataFirehose.1] Firehose delivery streams should be encrypted at rest
- [DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled
- [DMS.11] DMS endpoints for MongoDB should have an authentication mechanism enabled
- [DocumentDB.1] Amazon DocumentDB clusters should be encrypted at rest
- [DocumentDB.2] Amazon DocumentDB clusters should have an adequate backup retention period
- [DocumentDB.3] Amazon DocumentDB manual cluster snapshots should not be public
- [DocumentDB.4] Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs
- [DocumentDB.5] Amazon DocumentDB clusters should have deletion protection enabled
- [DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit
- [EFS.6] EFS mount targets should not be associated with a public subnet
- [EKS.1] EKS cluster endpoints should not be publicly accessible
- [EKS.3] EKS clusters should use encrypted Kubernetes secrets
- [FSx.1] FSx for OpenZFS file systems should be configured to copy tags to backups and volumes
- [FSx.2] FSx for Lustre file systems should be configured to copy tags to backups
- [GlobalAccelerator.1] Global Accelerator accelerators should be tagged
- [IAM.26] Expired SSL/TLS certificates managed in IAM should be removed
- [MQ.2] ActiveMQ brokers should stream audit logs to CloudWatch
- [MQ.3] Amazon MQ brokers should have automatic minor version upgrade enabled
- [Opensearch.11] OpenSearch domains should have at least three dedicated primary nodes
- [RDS.35] RDS DB clusters should have automatic minor version upgrade enabled
- [Route53.2] Route 53 public hosted zones should log DNS queries
- [ServiceCatalog.1] Service Catalog portfolios should be shared within an Amazon organization only
- [Transfer.2] Transfer Family servers should not use FTP protocol for endpoint connection
- [WAF.1] Amazon WAF Classic Global Web ACL logging should be enabled
- [WAF.6] Amazon WAF Classic global rules should have at least one condition
- [WAF.7] Amazon WAF Classic global rule groups should have at least one rule
- [WAF.8] Amazon WAF Classic global web ACLs should have at least one rule or rule group
US West (Oregon)
The following controls are not supported in US West (Oregon).
- [CloudFront.1] CloudFront distributions should have a default root object configured
- [CloudFront.3] CloudFront distributions should require encryption in transit
- [CloudFront.4] CloudFront distributions should have origin failover configured
- [CloudFront.5] CloudFront distributions should have logging enabled
- [CloudFront.6] CloudFront distributions should have WAF enabled
- [CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates
- [CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests
- [CloudFront.9] CloudFront distributions should encrypt traffic to custom origins
- [CloudFront.12] CloudFront distributions should not point to non-existent S3 origins
- [CloudFront.13] CloudFront distributions should use origin access control
- [DataFirehose.1] Firehose delivery streams should be encrypted at rest
- [DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled
- [DMS.11] DMS endpoints for MongoDB should have an authentication mechanism enabled
- [DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit
- [EFS.6] EFS mount targets should not be associated with a public subnet
- [EKS.3] EKS clusters should use encrypted Kubernetes secrets
- [FSx.2] FSx for Lustre file systems should be configured to copy tags to backups
- [IAM.26] Expired SSL/TLS certificates managed in IAM should be removed
- [MQ.2] ActiveMQ brokers should stream audit logs to CloudWatch
- [MQ.3] Amazon MQ brokers should have automatic minor version upgrade enabled
- [Opensearch.11] OpenSearch domains should have at least three dedicated primary nodes
- [Route53.2] Route 53 public hosted zones should log DNS queries
- [ServiceCatalog.1] Service Catalog portfolios should be shared within an Amazon organization only
- [Transfer.2] Transfer Family servers should not use FTP protocol for endpoint connection
- [WAF.1] Amazon WAF Classic Global Web ACL logging should be enabled
- [WAF.6] Amazon WAF Classic global rules should have at least one condition
- [WAF.7] Amazon WAF Classic global rule groups should have at least one rule
- [WAF.8] Amazon WAF Classic global web ACLs should have at least one rule or rule group
Africa (Cape Town)
The following controls are not supported in Africa (Cape Town).
- [ACM.1] Imported and ACM-issued certificates should be renewed after a specified time period
- [APIGateway.1] API Gateway REST and WebSocket API execution logging should be enabled
- [AppSync.2] Amazon AppSync should have field-level logging enabled
- [AppSync.5] Amazon AppSync GraphQL APIs should not be authenticated with API keys
- [CloudFront.1] CloudFront distributions should have a default root object configured
- [CloudFront.3] CloudFront distributions should require encryption in transit
- [CloudFront.4] CloudFront distributions should have origin failover configured
- [CloudFront.5] CloudFront distributions should have logging enabled
- [CloudFront.6] CloudFront distributions should have WAF enabled
- [CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates
- [CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests
- [CloudFront.9] CloudFront distributions should encrypt traffic to custom origins
- [CloudFront.12] CloudFront distributions should not point to non-existent S3 origins
- [CloudFront.13] CloudFront distributions should use origin access control
- [CodeBuild.1] CodeBuild Bitbucket source repository URLs should not contain sensitive credentials
- [CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials
- [DataFirehose.1] Firehose delivery streams should be encrypted at rest
- [DMS.1] Database Migration Service replication instances should not be public
- [DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled
- [DMS.11] DMS endpoints for MongoDB should have an authentication mechanism enabled
- [DocumentDB.1] Amazon DocumentDB clusters should be encrypted at rest
- [DocumentDB.2] Amazon DocumentDB clusters should have an adequate backup retention period
- [DocumentDB.3] Amazon DocumentDB manual cluster snapshots should not be public
- [DocumentDB.4] Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs
- [DocumentDB.5] Amazon DocumentDB clusters should have deletion protection enabled
- [DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest
- [DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit
- [EC2.3] Attached Amazon EBS volumes should be encrypted at-rest
- [EC2.4] Stopped EC2 instances should be removed after a specified time period
- [EC2.8] EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)
- [EC2.13] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 22
- [EC2.14] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 3389
- [EC2.24] Amazon EC2 paravirtual instance types should not be used
- [EFS.1] Elastic File System should be configured to encrypt file data at-rest using Amazon KMS
- [EFS.6] EFS mount targets should not be associated with a public subnet
- [EKS.1] EKS cluster endpoints should not be publicly accessible
- [EKS.3] EKS clusters should use encrypted Kubernetes secrets
- [ELB.1] Application Load Balancer should be configured to redirect all HTTP requests to HTTPS
- [ELB.4] Application Load Balancer should be configured to drop http headers
- [ELB.16] Application Load Balancers should be associated with an Amazon WAF web ACL
- [EMR.1] Amazon EMR cluster primary nodes should not have public IP addresses
- [ES.3] Elasticsearch domains should encrypt data sent between nodes
- [EventBridge.4] EventBridge global endpoints should have event replication enabled
- [FSx.1] FSx for OpenZFS file systems should be configured to copy tags to backups and volumes
- [FSx.2] FSx for Lustre file systems should be configured to copy tags to backups
- [GlobalAccelerator.1] Global Accelerator accelerators should be tagged
- [IAM.3] IAM users' access keys should be rotated every 90 days or less
- [IAM.18] Ensure a support role has been created to manage incidents with Amazon Web Services Support
- [IAM.26] Expired SSL/TLS certificates managed in IAM should be removed
- [MQ.2] ActiveMQ brokers should stream audit logs to CloudWatch
- [MQ.3] Amazon MQ brokers should have automatic minor version upgrade enabled
- [Opensearch.1] OpenSearch domains should have encryption at rest enabled
- [Opensearch.2] OpenSearch domains should not be publicly accessible
- [Opensearch.3] OpenSearch domains should encrypt data sent between nodes
- [Opensearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled
- [Opensearch.5] OpenSearch domains should have audit logging enabled
- [Opensearch.6] OpenSearch domains should have at least three data nodes
- [Opensearch.7] OpenSearch domains should have fine-grained access control enabled
- [Opensearch.11] OpenSearch domains should have at least three dedicated primary nodes
- [RDS.9] RDS DB instances should publish logs to CloudWatch Logs
- [RDS.10] IAM authentication should be configured for RDS instances
- [RDS.14] Amazon Aurora clusters should have backtracking enabled
- [Redshift.3] Amazon Redshift clusters should have automatic snapshots enabled
- [Route53.2] Route 53 public hosted zones should log DNS queries
- [SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access
- [ServiceCatalog.1] Service Catalog portfolios should be shared within an Amazon organization only
- [Transfer.2] Transfer Family servers should not use FTP protocol for endpoint connection
- [WAF.1] Amazon WAF Classic Global Web ACL logging should be enabled
- [WAF.6] Amazon WAF Classic global rules should have at least one condition
- [WAF.7] Amazon WAF Classic global rule groups should have at least one rule
- [WAF.8] Amazon WAF Classic global web ACLs should have at least one rule or rule group
Asia Pacific (Hong Kong)
The following controls are not supported in Asia Pacific (Hong Kong).
- [CloudFront.1] CloudFront distributions should have a default root object configured
- [CloudFront.3] CloudFront distributions should require encryption in transit
- [CloudFront.4] CloudFront distributions should have origin failover configured
- [CloudFront.5] CloudFront distributions should have logging enabled
- [CloudFront.6] CloudFront distributions should have WAF enabled
- [CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates
- [CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests
- [CloudFront.9] CloudFront distributions should encrypt traffic to custom origins
- [CloudFront.12] CloudFront distributions should not point to non-existent S3 origins
- [CloudFront.13] CloudFront distributions should use origin access control
- [DataFirehose.1] Firehose delivery streams should be encrypted at rest
- [DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled
- [DMS.11] DMS endpoints for MongoDB should have an authentication mechanism enabled
- [DocumentDB.1] Amazon DocumentDB clusters should be encrypted at rest
- [DocumentDB.2] Amazon DocumentDB clusters should have an adequate backup retention period
- [DocumentDB.3] Amazon DocumentDB manual cluster snapshots should not be public
- [DocumentDB.4] Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs
- [DocumentDB.5] Amazon DocumentDB clusters should have deletion protection enabled
- [DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest
- [DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit
- [EC2.23] Amazon EC2 Transit Gateways should not automatically accept VPC attachment requests
- [EC2.24] Amazon EC2 paravirtual instance types should not be used
- [EFS.6] EFS mount targets should not be associated with a public subnet
- [EKS.3] EKS clusters should use encrypted Kubernetes secrets
- [EventBridge.4] EventBridge global endpoints should have event replication enabled
- [FSx.2] FSx for Lustre file systems should be configured to copy tags to backups
- [GlobalAccelerator.1] Global Accelerator accelerators should be tagged
- [IAM.26] Expired SSL/TLS certificates managed in IAM should be removed
- [MQ.2] ActiveMQ brokers should stream audit logs to CloudWatch
- [MQ.3] Amazon MQ brokers should have automatic minor version upgrade enabled
- [Opensearch.11] OpenSearch domains should have at least three dedicated primary nodes
- [RDS.10] IAM authentication should be configured for RDS instances
- [RDS.14] Amazon Aurora clusters should have backtracking enabled
- [Route53.2] Route 53 public hosted zones should log DNS queries
- [ServiceCatalog.1] Service Catalog portfolios should be shared within an Amazon organization only
- [Transfer.2] Transfer Family servers should not use FTP protocol for endpoint connection
- [WAF.1] Amazon WAF Classic Global Web ACL logging should be enabled
- [WAF.6] Amazon WAF Classic global rules should have at least one condition
- [WAF.7] Amazon WAF Classic global rule groups should have at least one rule
- [WAF.8] Amazon WAF Classic global web ACLs should have at least one rule or rule group
Asia Pacific (Hyderabad)
The following controls are not supported in Asia Pacific (Hyderabad).
- [ACM.1] Imported and ACM-issued certificates should be renewed after a specified time period
- [ACM.2] RSA certificates managed by ACM should use a key length of at least 2,048 bits
- [Account.2] Amazon Web Services accounts should be part of an Amazon Organizations organization
- [APIGateway.1] API Gateway REST and WebSocket API execution logging should be enabled
- [APIGateway.3] API Gateway REST API stages should have Amazon X-Ray tracing enabled
- [APIGateway.4] API Gateway should be associated with a WAF Web ACL
- [APIGateway.8] API Gateway routes should specify an authorization type
- [APIGateway.9] Access logging should be configured for API Gateway V2 Stages
- [AppSync.2] Amazon AppSync should have field-level logging enabled
- [AppSync.5] Amazon AppSync GraphQL APIs should not be authenticated with API keys
- [AutoScaling.1] Auto Scaling groups associated with a load balancer should use ELB health checks
- [Backup.1] Amazon Backup recovery points should be encrypted at rest
- [CloudFront.1] CloudFront distributions should have a default root object configured
- [CloudFront.3] CloudFront distributions should require encryption in transit
- [CloudFront.4] CloudFront distributions should have origin failover configured
- [CloudFront.5] CloudFront distributions should have logging enabled
- [CloudFront.6] CloudFront distributions should have WAF enabled
- [CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates
- [CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests
- [CloudFront.9] CloudFront distributions should encrypt traffic to custom origins
- [CloudFront.12] CloudFront distributions should not point to non-existent S3 origins
- [CloudFront.13] CloudFront distributions should use origin access control
- [CloudTrail.6] Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible
- [CloudTrail.7] Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
- [CodeBuild.1] CodeBuild Bitbucket source repository URLs should not contain sensitive credentials
- [CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials
- [CodeBuild.4] CodeBuild project environments should have a logging Amazon Configuration
- [DataFirehose.1] Firehose delivery streams should be encrypted at rest
- [DMS.1] Database Migration Service replication instances should not be public
- [DMS.6] DMS replication instances should have automatic minor version upgrade enabled
- [DMS.7] DMS replication tasks for the target database should have logging enabled
- [DMS.8] DMS replication tasks for the source database should have logging enabled
- [DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled
- [DMS.11] DMS endpoints for MongoDB should have an authentication mechanism enabled
- [DocumentDB.1] Amazon DocumentDB clusters should be encrypted at rest
- [DocumentDB.2] Amazon DocumentDB clusters should have an adequate backup retention period
- [DocumentDB.3] Amazon DocumentDB manual cluster snapshots should not be public
- [DocumentDB.4] Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs
- [DocumentDB.5] Amazon DocumentDB clusters should have deletion protection enabled
- [DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest
- [DynamoDB.4] DynamoDB tables should be present in a backup plan
- [DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit
- [EC2.13] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 22
- [EC2.14] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 3389
- [EC2.18] Security groups should only allow unrestricted incoming traffic for authorized ports
- [EC2.22] Unused Amazon EC2 security groups should be removed
- [EC2.23] Amazon EC2 Transit Gateways should not automatically accept VPC attachment requests
- [EC2.24] Amazon EC2 paravirtual instance types should not be used
- [EC2.25] Amazon EC2 launch templates should not assign public IPs to network interfaces
- [EC2.51] EC2 Client VPN endpoints should have client connection logging enabled
- [ECR.1] ECR private repositories should have image scanning configured
- [ECR.2] ECR private repositories should have tag immutability configured
- [ECR.3] ECR repositories should have at least one lifecycle policy configured
- [ECS.1] Amazon ECS task definitions should have secure networking modes and user definitions
- [ECS.9] ECS task definitions should have a logging configuration
- [EFS.1] Elastic File System should be configured to encrypt file data at-rest using Amazon KMS
- [EFS.6] EFS mount targets should not be associated with a public subnet
- [EKS.1] EKS cluster endpoints should not be publicly accessible
- [EKS.2] EKS clusters should run on a supported Kubernetes version
- [EKS.3] EKS clusters should use encrypted Kubernetes secrets
- [ELB.5] Application and Classic Load Balancers logging should be enabled
- [ELB.13] Application, Network and Gateway Load Balancers should span multiple Availability Zones
- [ElastiCache.1] ElastiCache Redis clusters should have automatic backup enabled
- [ElastiCache.6] ElastiCache for Redis replication groups before version 6.0 should use Redis AUTH
- [ElastiCache.7] ElastiCache clusters should not use the default subnet group
- [ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled
- [ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled
- [ElasticBeanstalk.3] Elastic Beanstalk should stream logs to CloudWatch
- [EMR.1] Amazon EMR cluster primary nodes should not have public IP addresses
- [ES.1] Elasticsearch domains should have encryption at-rest enabled
- [ES.2] Elasticsearch domains should not be publicly accessible
- [ES.3] Elasticsearch domains should encrypt data sent between nodes
- [ES.4] Elasticsearch domain error logging to CloudWatch Logs should be enabled
- [EventBridge.3] EventBridge custom event buses should have a resource-based policy attached
- [EventBridge.4] EventBridge global endpoints should have event replication enabled
- [FSx.1] FSx for OpenZFS file systems should be configured to copy tags to backups and volumes
- [FSx.2] FSx for Lustre file systems should be configured to copy tags to backups
- [GlobalAccelerator.1] Global Accelerator accelerators should be tagged
- [IAM.1] IAM policies should not allow full "*" administrative privileges
- [IAM.3] IAM users' access keys should be rotated every 90 days or less
- [IAM.5] MFA should be enabled for all IAM users that have a console password
- [IAM.18] Ensure a support role has been created to manage incidents with Amazon Web Services Support
- [IAM.22] IAM user credentials unused for 45 days should be removed
- [IAM.26] Expired SSL/TLS certificates managed in IAM should be removed
- [IAM.27] IAM identities should not have the AWSCloudShellFullAccess policy attached
- [KMS.1] IAM customer managed policies should not allow decryption actions on all KMS keys
- [Lambda.5] VPC Lambda functions should operate in multiple Availability Zones
- [Macie.2] Macie automated sensitive data discovery should be enabled
- [MQ.2] ActiveMQ brokers should stream audit logs to CloudWatch
- [MQ.3] Amazon MQ brokers should have automatic minor version upgrade enabled
- [MQ.5] ActiveMQ brokers should use active/standby deployment mode
- [MSK.1] MSK clusters should be encrypted in transit among broker nodes
- [MSK.2] MSK clusters should have enhanced monitoring configured
- [Neptune.2] Neptune DB clusters should publish audit logs to CloudWatch Logs
- [Neptune.3] Neptune DB cluster snapshots should not be public
- [Neptune.4] Neptune DB clusters should have deletion protection enabled
- [Neptune.5] Neptune DB clusters should have automated backups enabled
- [Neptune.6] Neptune DB cluster snapshots should be encrypted at rest
- [Neptune.7] Neptune DB clusters should have IAM database authentication enabled
- [Neptune.8] Neptune DB clusters should be configured to copy tags to snapshots
- [Neptune.9] Neptune DB clusters should be deployed across multiple Availability Zones
- [NetworkFirewall.1] Network Firewall firewalls should be deployed across multiple Availability Zones
- [NetworkFirewall.2] Network Firewall logging should be enabled
- [NetworkFirewall.3] Network Firewall policies should have at least one rule group associated
- [NetworkFirewall.6] Stateless Network Firewall rule group should not be empty
- [NetworkFirewall.9] Network Firewall firewalls should have deletion protection enabled
- [Opensearch.1] OpenSearch domains should have encryption at rest enabled
- [Opensearch.2] OpenSearch domains should not be publicly accessible
- [Opensearch.3] OpenSearch domains should encrypt data sent between nodes
- [Opensearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled
- [Opensearch.5] OpenSearch domains should have audit logging enabled
- [Opensearch.6] OpenSearch domains should have at least three data nodes
- [Opensearch.7] OpenSearch domains should have fine-grained access control enabled
- [Opensearch.10] OpenSearch domains should have the latest software update installed
- [Opensearch.11] OpenSearch domains should have at least three dedicated primary nodes
- [RDS.7] RDS clusters should have deletion protection enabled
- [RDS.9] RDS DB instances should publish logs to CloudWatch Logs
- [RDS.12] IAM authentication should be configured for RDS clusters
- [RDS.14] Amazon Aurora clusters should have backtracking enabled
- [RDS.15] RDS DB clusters should be configured for multiple Availability Zones
- [RDS.16] RDS DB clusters should be configured to copy tags to snapshots
- [RDS.24] RDS Database clusters should use a custom administrator username
- [RDS.26] RDS DB instances should be protected by a backup plan
- [RDS.34] Aurora MySQL DB clusters should publish audit logs to CloudWatch Logs
- [RDS.35] RDS DB clusters should have automatic minor version upgrade enabled
- [Redshift.1] Amazon Redshift clusters should prohibit public access
- [Redshift.2] Connections to Amazon Redshift clusters should be encrypted in transit
- [Redshift.3] Amazon Redshift clusters should have automatic snapshots enabled
- [Redshift.6] Amazon Redshift should have automatic upgrades to major versions enabled
- [Redshift.7] Redshift clusters should use enhanced VPC routing
- [Redshift.12] Redshift event notification subscriptions should be tagged
- [Route53.2] Route 53 public hosted zones should log DNS queries
- [S3.17] S3 general purpose buckets should be encrypted at rest with Amazon KMS keys
- [SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access
- [SageMaker.2] SageMaker notebook instances should be launched in a custom VPC
- [SageMaker.3] Users should not have root access to SageMaker notebook instances
- [ServiceCatalog.1] Service Catalog portfolios should be shared within an Amazon organization only
- [SSM.1] Amazon EC2 instances should be managed by Amazon Systems Manager
- [StepFunctions.1] Step Functions state machines should have logging turned on
- [Transfer.1] Amazon Transfer Family workflows should be tagged
- [Transfer.2] Transfer Family servers should not use FTP protocol for endpoint connection
- [WAF.1] Amazon WAF Classic Global Web ACL logging should be enabled
- [WAF.2] Amazon WAF Classic Regional rules should have at least one condition
- [WAF.3] Amazon WAF Classic Regional rule groups should have at least one rule
- [WAF.4] Amazon WAF Classic Regional web ACLs should have at least one rule or rule group
- [WAF.6] Amazon WAF Classic global rules should have at least one condition
- [WAF.7] Amazon WAF Classic global rule groups should have at least one rule
- [WAF.8] Amazon WAF Classic global web ACLs should have at least one rule or rule group
- [WAF.10] Amazon WAF web ACLs should have at least one rule or rule group
Asia Pacific (Jakarta)
The following controls are not supported in Asia Pacific (Jakarta).
- [Account.2] Amazon Web Services accounts should be part of an Amazon Organizations organization
- [APIGateway.1] API Gateway REST and WebSocket API execution logging should be enabled
- [APIGateway.3] API Gateway REST API stages should have Amazon X-Ray tracing enabled
- [APIGateway.4] API Gateway should be associated with a WAF Web ACL
- [APIGateway.8] API Gateway routes should specify an authorization type
- [APIGateway.9] Access logging should be configured for API Gateway V2 Stages
- [AppSync.2] Amazon AppSync should have field-level logging enabled
- [AppSync.5] Amazon AppSync GraphQL APIs should not be authenticated with API keys
- [AutoScaling.9] Amazon EC2 Auto Scaling groups should use Amazon EC2 launch templates
- [Backup.1] Amazon Backup recovery points should be encrypted at rest
- [CloudFront.1] CloudFront distributions should have a default root object configured
- [CloudFront.3] CloudFront distributions should require encryption in transit
- [CloudFront.4] CloudFront distributions should have origin failover configured
- [CloudFront.5] CloudFront distributions should have logging enabled
- [CloudFront.6] CloudFront distributions should have WAF enabled
- [CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates
- [CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests
- [CloudFront.9] CloudFront distributions should encrypt traffic to custom origins
- [CloudFront.12] CloudFront distributions should not point to non-existent S3 origins
- [CloudFront.13] CloudFront distributions should use origin access control
- [CloudWatch.17] CloudWatch alarm actions should be activated
- [CodeBuild.1] CodeBuild Bitbucket source repository URLs should not contain sensitive credentials
- [CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials
- [CodeBuild.4] CodeBuild project environments should have a logging Amazon Configuration
- [DataFirehose.1] Firehose delivery streams should be encrypted at rest
- [DMS.1] Database Migration Service replication instances should not be public
- [DMS.6] DMS replication instances should have automatic minor version upgrade enabled
- [DMS.7] DMS replication tasks for the target database should have logging enabled
- [DMS.8] DMS replication tasks for the source database should have logging enabled
- [DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled
- [DMS.11] DMS endpoints for MongoDB should have an authentication mechanism enabled
- [DocumentDB.1] Amazon DocumentDB clusters should be encrypted at rest
- [DocumentDB.2] Amazon DocumentDB clusters should have an adequate backup retention period
- [DocumentDB.3] Amazon DocumentDB manual cluster snapshots should not be public
- [DocumentDB.4] Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs
- [DocumentDB.5] Amazon DocumentDB clusters should have deletion protection enabled
- [DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest
- [DynamoDB.4] DynamoDB tables should be present in a backup plan
- [DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit
- [EC2.13] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 22
- [EC2.14] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 3389
- [EC2.18] Security groups should only allow unrestricted incoming traffic for authorized ports
- [EC2.22] Unused Amazon EC2 security groups should be removed
- [EC2.23] Amazon EC2 Transit Gateways should not automatically accept VPC attachment requests
- [EC2.24] Amazon EC2 paravirtual instance types should not be used
- [EC2.51] EC2 Client VPN endpoints should have client connection logging enabled
- [ECR.1] ECR private repositories should have image scanning configured
- [ECR.2] ECR private repositories should have tag immutability configured
- [ECR.3] ECR repositories should have at least one lifecycle policy configured
- [ECS.2] ECS services should not have public IP addresses assigned to them automatically
- [ECS.3] ECS task definitions should not share the host's process namespace
- [ECS.5] ECS containers should be limited to read-only access to root filesystems
- [ECS.8] Secrets should not be passed as container environment variables
- [ECS.9] ECS task definitions should have a logging configuration
- [ECS.10] ECS Fargate services should run on the latest Fargate platform version
- [EFS.1] Elastic File System should be configured to encrypt file data at-rest using Amazon KMS
- [EFS.6] EFS mount targets should not be associated with a public subnet
- [EKS.1] EKS cluster endpoints should not be publicly accessible
- [EKS.2] EKS clusters should run on a supported Kubernetes version
- [EKS.3] EKS clusters should use encrypted Kubernetes secrets
- [ELB.13] Application, Network and Gateway Load Balancers should span multiple Availability Zones
- [ElastiCache.1] ElastiCache Redis clusters should have automatic backup enabled
- [ElastiCache.6] ElastiCache for Redis replication groups before version 6.0 should use Redis AUTH
- [ElastiCache.7] ElastiCache clusters should not use the default subnet group
- [ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled
- [ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled
- [EMR.1] Amazon EMR cluster primary nodes should not have public IP addresses
- [ES.1] Elasticsearch domains should have encryption at-rest enabled
- [ES.2] Elasticsearch domains should not be publicly accessible
- [ES.3] Elasticsearch domains should encrypt data sent between nodes
- [EventBridge.4] EventBridge global endpoints should have event replication enabled
- [FSx.1] FSx for OpenZFS file systems should be configured to copy tags to backups and volumes
- [FSx.2] FSx for Lustre file systems should be configured to copy tags to backups
- [GlobalAccelerator.1] Global Accelerator accelerators should be tagged
- [IAM.18] Ensure a support role has been created to manage incidents with Amazon Web Services Support
- [IAM.26] Expired SSL/TLS certificates managed in IAM should be removed
- [Lambda.5] VPC Lambda functions should operate in multiple Availability Zones
- [Macie.2] Macie automated sensitive data discovery should be enabled
- [MQ.2] ActiveMQ brokers should stream audit logs to CloudWatch
- [MQ.3] Amazon MQ brokers should have automatic minor version upgrade enabled
- [MSK.1] MSK clusters should be encrypted in transit among broker nodes
- [MSK.2] MSK clusters should have enhanced monitoring configured
- [Neptune.2] Neptune DB clusters should publish audit logs to CloudWatch Logs
- [Neptune.3] Neptune DB cluster snapshots should not be public
- [Neptune.4] Neptune DB clusters should have deletion protection enabled
- [Neptune.5] Neptune DB clusters should have automated backups enabled
- [Neptune.6] Neptune DB cluster snapshots should be encrypted at rest
- [Neptune.7] Neptune DB clusters should have IAM database authentication enabled
- [Neptune.8] Neptune DB clusters should be configured to copy tags to snapshots
- [Neptune.9] Neptune DB clusters should be deployed across multiple Availability Zones
- [NetworkFirewall.1] Network Firewall firewalls should be deployed across multiple Availability Zones
- [NetworkFirewall.3] Network Firewall policies should have at least one rule group associated
- [NetworkFirewall.6] Stateless Network Firewall rule group should not be empty
- [Opensearch.1] OpenSearch domains should have encryption at rest enabled
- [Opensearch.2] OpenSearch domains should not be publicly accessible
- [Opensearch.3] OpenSearch domains should encrypt data sent between nodes
- [Opensearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled
- [Opensearch.5] OpenSearch domains should have audit logging enabled
- [Opensearch.6] OpenSearch domains should have at least three data nodes
- [Opensearch.7] OpenSearch domains should have fine-grained access control enabled
- [Opensearch.11] OpenSearch domains should have at least three dedicated primary nodes
- [RDS.9] RDS DB instances should publish logs to CloudWatch Logs
- [RDS.14] Amazon Aurora clusters should have backtracking enabled
- [RDS.16] RDS DB clusters should be configured to copy tags to snapshots
- [RDS.24] RDS Database clusters should use a custom administrator username
- [RDS.26] RDS DB instances should be protected by a backup plan
- [Redshift.1] Amazon Redshift clusters should prohibit public access
- [Redshift.2] Connections to Amazon Redshift clusters should be encrypted in transit
- [Redshift.3] Amazon Redshift clusters should have automatic snapshots enabled
- [Redshift.7] Redshift clusters should use enhanced VPC routing
- [Redshift.9] Redshift clusters should not use the default database name
- [Redshift.12] Redshift event notification subscriptions should be tagged
- [Route53.2] Route 53 public hosted zones should log DNS queries
- [S3.11] S3 general purpose buckets should have event notifications enabled
- [S3.13] S3 general purpose buckets should have Lifecycle configurations
- [SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access
- [SageMaker.2] SageMaker notebook instances should be launched in a custom VPC
- [SageMaker.3] Users should not have root access to SageMaker notebook instances
- [ServiceCatalog.1] Service Catalog portfolios should be shared within an Amazon organization only
- [SSM.1] Amazon EC2 instances should be managed by Amazon Systems Manager
- [Transfer.2] Transfer Family servers should not use FTP protocol for endpoint connection
- [WAF.1] Amazon WAF Classic Global Web ACL logging should be enabled
- [WAF.2] Amazon WAF Classic Regional rules should have at least one condition
- [WAF.3] Amazon WAF Classic Regional rule groups should have at least one rule
- [WAF.4] Amazon WAF Classic Regional web ACLs should have at least one rule or rule group
- [WAF.6] Amazon WAF Classic global rules should have at least one condition
- [WAF.7] Amazon WAF Classic global rule groups should have at least one rule
- [WAF.8] Amazon WAF Classic global web ACLs should have at least one rule or rule group
- [WAF.10] Amazon WAF web ACLs should have at least one rule or rule group
Asia Pacific (Mumbai)
The following controls are not supported in Asia Pacific (Mumbai).
- [CloudFront.1] CloudFront distributions should have a default root object configured
- [CloudFront.3] CloudFront distributions should require encryption in transit
- [CloudFront.4] CloudFront distributions should have origin failover configured
- [CloudFront.5] CloudFront distributions should have logging enabled
- [CloudFront.6] CloudFront distributions should have WAF enabled
- [CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates
- [CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests
- [CloudFront.9] CloudFront distributions should encrypt traffic to custom origins
- [CloudFront.12] CloudFront distributions should not point to non-existent S3 origins
- [CloudFront.13] CloudFront distributions should use origin access control
- [DataFirehose.1] Firehose delivery streams should be encrypted at rest
- [DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled
- [DMS.11] DMS endpoints for MongoDB should have an authentication mechanism enabled
- [DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit
- [EC2.23] Amazon EC2 Transit Gateways should not automatically accept VPC attachment requests
- [EC2.24] Amazon EC2 paravirtual instance types should not be used
- [EFS.6] EFS mount targets should not be associated with a public subnet
- [EKS.3] EKS clusters should use encrypted Kubernetes secrets
- [FSx.2] FSx for Lustre file systems should be configured to copy tags to backups
- [GlobalAccelerator.1] Global Accelerator accelerators should be tagged
- [IAM.26] Expired SSL/TLS certificates managed in IAM should be removed
- [MQ.2] ActiveMQ brokers should stream audit logs to CloudWatch
- [MQ.3] Amazon MQ brokers should have automatic minor version upgrade enabled
- [Opensearch.11] OpenSearch domains should have at least three dedicated primary nodes
- [Route53.2] Route 53 public hosted zones should log DNS queries
- [ServiceCatalog.1] Service Catalog portfolios should be shared within an Amazon organization only
- [Transfer.2] Transfer Family servers should not use FTP protocol for endpoint connection
- [WAF.1] Amazon WAF Classic Global Web ACL logging should be enabled
- [WAF.6] Amazon WAF Classic global rules should have at least one condition
- [WAF.7] Amazon WAF Classic global rule groups should have at least one rule
- [WAF.8] Amazon WAF Classic global web ACLs should have at least one rule or rule group
Asia Pacific (Melbourne)
The following controls are not supported in Asia Pacific (Melbourne).
- [ACM.1] Imported and ACM-issued certificates should be renewed after a specified time period
- [ACM.2] RSA certificates managed by ACM should use a key length of at least 2,048 bits
- [APIGateway.4] API Gateway should be associated with a WAF Web ACL
- [APIGateway.8] API Gateway routes should specify an authorization type
- [APIGateway.9] Access logging should be configured for API Gateway V2 Stages
- [AppSync.2] Amazon AppSync should have field-level logging enabled
- [AppSync.5] Amazon AppSync GraphQL APIs should not be authenticated with API keys
- [AutoScaling.1] Auto Scaling groups associated with a load balancer should use ELB health checks
- [Backup.1] Amazon Backup recovery points should be encrypted at rest
- [CloudFront.1] CloudFront distributions should have a default root object configured
- [CloudFront.3] CloudFront distributions should require encryption in transit
- [CloudFront.4] CloudFront distributions should have origin failover configured
- [CloudFront.5] CloudFront distributions should have logging enabled
- [CloudFront.6] CloudFront distributions should have WAF enabled
- [CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates
- [CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests
- [CloudFront.9] CloudFront distributions should encrypt traffic to custom origins
- [CloudFront.12] CloudFront distributions should not point to non-existent S3 origins
- [CloudFront.13] CloudFront distributions should use origin access control
- [CodeBuild.1] CodeBuild Bitbucket source repository URLs should not contain sensitive credentials
- [CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials
- [CodeBuild.4] CodeBuild project environments should have a logging Amazon Configuration
- [DataFirehose.1] Firehose delivery streams should be encrypted at rest
- [DMS.1] Database Migration Service replication instances should not be public
- [DMS.6] DMS replication instances should have automatic minor version upgrade enabled
- [DMS.7] DMS replication tasks for the target database should have logging enabled
- [DMS.8] DMS replication tasks for the source database should have logging enabled
- [DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled
- [DMS.11] DMS endpoints for MongoDB should have an authentication mechanism enabled
- [DocumentDB.1] Amazon DocumentDB clusters should be encrypted at rest
- [DocumentDB.2] Amazon DocumentDB clusters should have an adequate backup retention period
- [DocumentDB.3] Amazon DocumentDB manual cluster snapshots should not be public
- [DocumentDB.4] Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs
- [DocumentDB.5] Amazon DocumentDB clusters should have deletion protection enabled
- [DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest
- [DynamoDB.4] DynamoDB tables should be present in a backup plan
- [DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit
- [EC2.1] Amazon EBS snapshots should not be publicly restorable
- [EC2.4] Stopped EC2 instances should be removed after a specified time period
- [EC2.8] EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)
- [EC2.9] Amazon EC2 instances should not have a public IPv4 address
- [EC2.13] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 22
- [EC2.14] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 3389
- [EC2.18] Security groups should only allow unrestricted incoming traffic for authorized ports
- [EC2.22] Unused Amazon EC2 security groups should be removed
- [EC2.23] Amazon EC2 Transit Gateways should not automatically accept VPC attachment requests
- [EC2.24] Amazon EC2 paravirtual instance types should not be used
- [EC2.25] Amazon EC2 launch templates should not assign public IPs to network interfaces
- [EC2.51] EC2 Client VPN endpoints should have client connection logging enabled
- [ECR.1] ECR private repositories should have image scanning configured
- [ECS.1] Amazon ECS task definitions should have secure networking modes and user definitions
- [ECS.9] ECS task definitions should have a logging configuration
- [EFS.1] Elastic File System should be configured to encrypt file data at-rest using Amazon KMS
- [EFS.6] EFS mount targets should not be associated with a public subnet
- [EKS.1] EKS cluster endpoints should not be publicly accessible
- [EKS.2] EKS clusters should run on a supported Kubernetes version
- [EKS.3] EKS clusters should use encrypted Kubernetes secrets
- [EKS.7] EKS identity provider configurations should be tagged
- [ELB.13] Application, Network and Gateway Load Balancers should span multiple Availability Zones
- [ElastiCache.1] ElastiCache Redis clusters should have automatic backup enabled
- [ElastiCache.2] ElastiCache for Redis cache clusters should have auto minor version upgrade enabled
- [ElastiCache.3] ElastiCache for Redis replication groups should have automatic failover enabled
- [ElastiCache.4] ElastiCache for Redis replication groups should be encrypted at rest
- [ElastiCache.5] ElastiCache for Redis replication groups should be encrypted in transit
- [ElastiCache.6] ElastiCache for Redis replication groups before version 6.0 should use Redis AUTH
- [ElastiCache.7] ElastiCache clusters should not use the default subnet group
- [ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled
- [ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled
- [ElasticBeanstalk.3] Elastic Beanstalk should stream logs to CloudWatch
- [EMR.1] Amazon EMR cluster primary nodes should not have public IP addresses
- [ES.1] Elasticsearch domains should have encryption at-rest enabled
- [ES.2] Elasticsearch domains should not be publicly accessible
- [ES.3] Elasticsearch domains should encrypt data sent between nodes
- [ES.4] Elasticsearch domain error logging to CloudWatch Logs should be enabled
- [EventBridge.3] EventBridge custom event buses should have a resource-based policy attached
- [EventBridge.4] EventBridge global endpoints should have event replication enabled
- [FSx.1] FSx for OpenZFS file systems should be configured to copy tags to backups and volumes
- [FSx.2] FSx for Lustre file systems should be configured to copy tags to backups
- [GlobalAccelerator.1] Global Accelerator accelerators should be tagged
- [IAM.1] IAM policies should not allow full "*" administrative privileges
- [IAM.3] IAM users' access keys should be rotated every 90 days or less
- [IAM.5] MFA should be enabled for all IAM users that have a console password
- [IAM.7] Password policies for IAM users should have strong configurations
- [IAM.10] Password policies for IAM users should have strong Amazon Configurations
- [IAM.11] Ensure IAM password policy requires at least one uppercase letter
- [IAM.12] Ensure IAM password policy requires at least one lowercase letter
- [IAM.13] Ensure IAM password policy requires at least one symbol
- [IAM.14] Ensure IAM password policy requires at least one number
- [IAM.15] Ensure IAM password policy requires minimum password length of 14 or greater
- [IAM.17] Ensure IAM password policy expires passwords within 90 days or less
- [IAM.18] Ensure a support role has been created to manage incidents with Amazon Web Services Support
- [IAM.22] IAM user credentials unused for 45 days should be removed
- [IAM.26] Expired SSL/TLS certificates managed in IAM should be removed
- [IAM.27] IAM identities should not have the AWSCloudShellFullAccess policy attached
- [KMS.1] IAM customer managed policies should not allow decryption actions on all KMS keys
- [Lambda.5] VPC Lambda functions should operate in multiple Availability Zones
- [Macie.2] Macie automated sensitive data discovery should be enabled
- [MQ.2] ActiveMQ brokers should stream audit logs to CloudWatch
- [MQ.3] Amazon MQ brokers should have automatic minor version upgrade enabled
- [MQ.5] ActiveMQ brokers should use active/standby deployment mode
- [MSK.1] MSK clusters should be encrypted in transit among broker nodes
- [MSK.2] MSK clusters should have enhanced monitoring configured
- [Neptune.2] Neptune DB clusters should publish audit logs to CloudWatch Logs
- [Neptune.3] Neptune DB cluster snapshots should not be public
- [Neptune.4] Neptune DB clusters should have deletion protection enabled
- [Neptune.5] Neptune DB clusters should have automated backups enabled
- [Neptune.6] Neptune DB cluster snapshots should be encrypted at rest
- [Neptune.7] Neptune DB clusters should have IAM database authentication enabled
- [Neptune.8] Neptune DB clusters should be configured to copy tags to snapshots
- [Neptune.9] Neptune DB clusters should be deployed across multiple Availability Zones
- [NetworkFirewall.1] Network Firewall firewalls should be deployed across multiple Availability Zones
- [NetworkFirewall.2] Network Firewall logging should be enabled
- [NetworkFirewall.3] Network Firewall policies should have at least one rule group associated
- [NetworkFirewall.6] Stateless Network Firewall rule group should not be empty
- [NetworkFirewall.9] Network Firewall firewalls should have deletion protection enabled
- [Opensearch.1] OpenSearch domains should have encryption at rest enabled
- [Opensearch.2] OpenSearch domains should not be publicly accessible
- [Opensearch.3] OpenSearch domains should encrypt data sent between nodes
- [Opensearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled
- [Opensearch.5] OpenSearch domains should have audit logging enabled
- [Opensearch.6] OpenSearch domains should have at least three data nodes
- [Opensearch.7] OpenSearch domains should have fine-grained access control enabled
- [Opensearch.10] OpenSearch domains should have the latest software update installed
- [Opensearch.11] OpenSearch domains should have at least three dedicated primary nodes
- [RDS.3] RDS DB instances should have encryption at-rest enabled
- [RDS.7] RDS clusters should have deletion protection enabled
- [RDS.12] IAM authentication should be configured for RDS clusters
- [RDS.14] Amazon Aurora clusters should have backtracking enabled
- [RDS.15] RDS DB clusters should be configured for multiple Availability Zones
- [RDS.16] RDS DB clusters should be configured to copy tags to snapshots
- [RDS.24] RDS Database clusters should use a custom administrator username
- [RDS.26] RDS DB instances should be protected by a backup plan
- [RDS.34] Aurora MySQL DB clusters should publish audit logs to CloudWatch Logs
- [RDS.35] RDS DB clusters should have automatic minor version upgrade enabled
- [Redshift.12] Redshift event notification subscriptions should be tagged
- [Route53.2] Route 53 public hosted zones should log DNS queries
- [S3.14] S3 general purpose buckets should have versioning enabled
- [S3.15] S3 general purpose buckets should have Object Lock enabled
- [SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access
- [SageMaker.2] SageMaker notebook instances should be launched in a custom VPC
- [SageMaker.3] Users should not have root access to SageMaker notebook instances
- [ServiceCatalog.1] Service Catalog portfolios should be shared within an Amazon organization only
- [SNS.1] SNS topics should be encrypted at-rest using Amazon KMS
- [StepFunctions.1] Step Functions state machines should have logging turned on
- [StepFunctions.2] Step Functions activities should be tagged
- [Transfer.1] Amazon Transfer Family workflows should be tagged
- [Transfer.2] Transfer Family servers should not use FTP protocol for endpoint connection
- [WAF.1] Amazon WAF Classic Global Web ACL logging should be enabled
- [WAF.6] Amazon WAF Classic global rules should have at least one condition
- [WAF.7] Amazon WAF Classic global rule groups should have at least one rule
- [WAF.8] Amazon WAF Classic global web ACLs should have at least one rule or rule group
Asia Pacific (Osaka)
The following controls are not supported in Asia Pacific (Osaka).
- [ACM.1] Imported and ACM-issued certificates should be renewed after a specified time period
- [Account.2] Amazon Web Services accounts should be part of an Amazon Organizations organization
- [APIGateway.1] API Gateway REST and WebSocket API execution logging should be enabled
- [APIGateway.3] API Gateway REST API stages should have Amazon X-Ray tracing enabled
- [APIGateway.4] API Gateway should be associated with a WAF Web ACL
- [Backup.1] Amazon Backup recovery points should be encrypted at rest
- [CloudFront.1] CloudFront distributions should have a default root object configured
- [CloudFront.3] CloudFront distributions should require encryption in transit
- [CloudFront.4] CloudFront distributions should have origin failover configured
- [CloudFront.5] CloudFront distributions should have logging enabled
- [CloudFront.6] CloudFront distributions should have WAF enabled
- [CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates
- [CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests
- [CloudFront.9] CloudFront distributions should encrypt traffic to custom origins
- [CloudFront.12] CloudFront distributions should not point to non-existent S3 origins
- [CloudFront.13] CloudFront distributions should use origin access control
- [CloudWatch.15] CloudWatch alarms should have specified actions configured
- [CloudWatch.16] CloudWatch log groups should be retained for a specified time period
- [CodeBuild.1] CodeBuild Bitbucket source repository URLs should not contain sensitive credentials
- [CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials
- [CodeBuild.4] CodeBuild project environments should have a logging Amazon Configuration
- [DataFirehose.1] Firehose delivery streams should be encrypted at rest
- [DMS.1] Database Migration Service replication instances should not be public
- [DMS.7] DMS replication tasks for the target database should have logging enabled
- [DMS.8] DMS replication tasks for the source database should have logging enabled
- [DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled
- [DMS.11] DMS endpoints for MongoDB should have an authentication mechanism enabled
- [DocumentDB.1] Amazon DocumentDB clusters should be encrypted at rest
- [DocumentDB.2] Amazon DocumentDB clusters should have an adequate backup retention period
- [DocumentDB.3] Amazon DocumentDB manual cluster snapshots should not be public
- [DocumentDB.4] Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs
- [DocumentDB.5] Amazon DocumentDB clusters should have deletion protection enabled
- [DynamoDB.2] DynamoDB tables should have point-in-time recovery enabled
- [DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest
- [DynamoDB.4] DynamoDB tables should be present in a backup plan
- [DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit
- [EC2.1] Amazon EBS snapshots should not be publicly restorable
- [EC2.3] Attached Amazon EBS volumes should be encrypted at-rest
- [EC2.4] Stopped EC2 instances should be removed after a specified time period
- [EC2.8] EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)
- [EC2.9] Amazon EC2 instances should not have a public IPv4 address
- [EC2.13] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 22
- [EC2.14] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 3389
- [EC2.15] Amazon EC2 subnets should not automatically assign public IP addresses
- [EC2.16] Unused Network Access Control Lists should be removed
- [EC2.18] Security groups should only allow unrestricted incoming traffic for authorized ports
- [EC2.20] Both VPN tunnels for an Amazon Site-to-Site VPN connection should be up
- [EC2.22] Unused Amazon EC2 security groups should be removed
- [EC2.23] Amazon EC2 Transit Gateways should not automatically accept VPC attachment requests
- [EC2.24] Amazon EC2 paravirtual instance types should not be used
- [EC2.51] EC2 Client VPN endpoints should have client connection logging enabled
- [ECR.1] ECR private repositories should have image scanning configured
- [ECR.2] ECR private repositories should have tag immutability configured
- [ECS.1] Amazon ECS task definitions should have secure networking modes and user definitions
- [ECS.2] ECS services should not have public IP addresses assigned to them automatically
- [ECS.3] ECS task definitions should not share the host's process namespace
- [ECS.8] Secrets should not be passed as container environment variables
- [ECS.9] ECS task definitions should have a logging configuration
- [ECS.10] ECS Fargate services should run on the latest Fargate platform version
- [EFS.1] Elastic File System should be configured to encrypt file data at-rest using Amazon KMS
- [EFS.6] EFS mount targets should not be associated with a public subnet
- [EKS.1] EKS cluster endpoints should not be publicly accessible
- [EKS.2] EKS clusters should run on a supported Kubernetes version
- [EKS.3] EKS clusters should use encrypted Kubernetes secrets
- [ELB.1] Application Load Balancer should be configured to redirect all HTTP requests to HTTPS
- [ELB.3] Classic Load Balancer listeners should be configured with HTTPS or TLS termination
- [ELB.4] Application Load Balancer should be configured to drop http headers
- [ELB.6] Application, Gateway, and Network Load Balancers should have deletion protection enabled
- [ELB.9] Classic Load Balancers should have cross-zone load balancing enabled
- [ELB.16] Application Load Balancers should be associated with an Amazon WAF web ACL
- [ElastiCache.1] ElastiCache Redis clusters should have automatic backup enabled
- [ElastiCache.7] ElastiCache clusters should not use the default subnet group
- [ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled
- [ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled
- [ElasticBeanstalk.3] Elastic Beanstalk should stream logs to CloudWatch
- [EMR.1] Amazon EMR cluster primary nodes should not have public IP addresses
- [ES.1] Elasticsearch domains should have encryption at-rest enabled
- [ES.2] Elasticsearch domains should not be publicly accessible
- [ES.3] Elasticsearch domains should encrypt data sent between nodes
- [FSx.1] FSx for OpenZFS file systems should be configured to copy tags to backups and volumes
- [FSx.2] FSx for Lustre file systems should be configured to copy tags to backups
- [GlobalAccelerator.1] Global Accelerator accelerators should be tagged
- [IAM.18] Ensure a support role has been created to manage incidents with Amazon Web Services Support
- [IAM.26] Expired SSL/TLS certificates managed in IAM should be removed
- [KMS.1] IAM customer managed policies should not allow decryption actions on all KMS keys
- [KMS.3] Amazon KMS keys should not be deleted unintentionally
- [Lambda.1] Lambda function policies should prohibit public access
- [Lambda.5] VPC Lambda functions should operate in multiple Availability Zones
- [MQ.2] ActiveMQ brokers should stream audit logs to CloudWatch
- [MQ.3] Amazon MQ brokers should have automatic minor version upgrade enabled
- [Neptune.2] Neptune DB clusters should publish audit logs to CloudWatch Logs
- [Neptune.3] Neptune DB cluster snapshots should not be public
- [Neptune.4] Neptune DB clusters should have deletion protection enabled
- [Neptune.5] Neptune DB clusters should have automated backups enabled
- [Neptune.6] Neptune DB cluster snapshots should be encrypted at rest
- [Neptune.7] Neptune DB clusters should have IAM database authentication enabled
- [Neptune.8] Neptune DB clusters should be configured to copy tags to snapshots
- [Neptune.9] Neptune DB clusters should be deployed across multiple Availability Zones
- [Opensearch.1] OpenSearch domains should have encryption at rest enabled
- [Opensearch.2] OpenSearch domains should not be publicly accessible
- [Opensearch.3] OpenSearch domains should encrypt data sent between nodes
- [Opensearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled
- [Opensearch.5] OpenSearch domains should have audit logging enabled
- [Opensearch.6] OpenSearch domains should have at least three data nodes
- [Opensearch.7] OpenSearch domains should have fine-grained access control enabled
- [Opensearch.11] OpenSearch domains should have at least three dedicated primary nodes
- [RDS.4] RDS cluster snapshots and database snapshots should be encrypted at rest
- [RDS.6] Enhanced monitoring should be configured for RDS DB instances
- [RDS.7] RDS clusters should have deletion protection enabled
- [RDS.8] RDS DB instances should have deletion protection enabled
- [RDS.9] RDS DB instances should publish logs to CloudWatch Logs
- [RDS.10] IAM authentication should be configured for RDS instances
- [RDS.12] IAM authentication should be configured for RDS clusters
- [RDS.13] RDS automatic minor version upgrades should be enabled
- [RDS.14] Amazon Aurora clusters should have backtracking enabled
- [RDS.15] RDS DB clusters should be configured for multiple Availability Zones
- [RDS.26] RDS DB instances should be protected by a backup plan
- [RDS.35] RDS DB clusters should have automatic minor version upgrade enabled
- [Redshift.1] Amazon Redshift clusters should prohibit public access
- [Redshift.2] Connections to Amazon Redshift clusters should be encrypted in transit
-
[Redshift.3] Amazon Redshift clusters should have automatic snapshots enabled
-
[Redshift.7] Redshift clusters should use enhanced VPC routing
-
[Route53.2] Route 53 public hosted zones should log DNS queries
-
[S3.8] S3 general purpose buckets should block public access
-
[S3.15] S3 general purpose buckets should have Object Lock enabled
-
[S3.17] S3 general purpose buckets should be encrypted at rest with Amazon KMS keys
-
[SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access
-
[SecretsManager.1] Secrets Manager secrets should have automatic rotation enabled
-
[SecretsManager.4] Secrets Manager secrets should be rotated within a specified number of days
-
[ServiceCatalog.1] Service Catalog portfolios should be shared within an Amazon organization only
-
[SNS.1] SNS topics should be encrypted at-rest using Amazon KMS
-
[Transfer.2] Transfer Family servers should not use FTP protocol for endpoint connection
-
[WAF.1] Amazon WAF Classic Global Web ACL logging should be enabled
-
[WAF.3] Amazon WAF Classic Regional rule groups should have at least one rule
-
[WAF.6] Amazon WAF Classic global rules should have at least one condition
-
[WAF.7] Amazon WAF Classic global rule groups should have at least one rule
-
[WAF.8] Amazon WAF Classic global web ACLs should have at least one rule or rule group
-
[WAF.10] Amazon WAF web ACLs should have at least one rule or rule group
Asia Pacific (Seoul)
The following controls are not supported in Asia Pacific (Seoul).
- [CloudFront.1] CloudFront distributions should have a default root object configured
- [CloudFront.3] CloudFront distributions should require encryption in transit
- [CloudFront.4] CloudFront distributions should have origin failover configured
- [CloudFront.5] CloudFront distributions should have logging enabled
- [CloudFront.6] CloudFront distributions should have WAF enabled
- [CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates
- [CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests
- [CloudFront.9] CloudFront distributions should encrypt traffic to custom origins
- [CloudFront.12] CloudFront distributions should not point to non-existent S3 origins
- [CloudFront.13] CloudFront distributions should use origin access control
- [DataFirehose.1] Firehose delivery streams should be encrypted at rest
- [DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled
- [DMS.11] DMS endpoints for MongoDB should have an authentication mechanism enabled
- [DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest
- [DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit
- [EC2.24] Amazon EC2 paravirtual instance types should not be used
- [EFS.6] EFS mount targets should not be associated with a public subnet
- [EKS.3] EKS clusters should use encrypted Kubernetes secrets
- [FSx.2] FSx for Lustre file systems should be configured to copy tags to backups
- [GlobalAccelerator.1] Global Accelerator accelerators should be tagged
- [IAM.26] Expired SSL/TLS certificates managed in IAM should be removed
- [MQ.2] ActiveMQ brokers should stream audit logs to CloudWatch
- [MQ.3] Amazon MQ brokers should have automatic minor version upgrade enabled
- [Opensearch.11] OpenSearch domains should have at least three dedicated primary nodes
- [Route53.2] Route 53 public hosted zones should log DNS queries
- [ServiceCatalog.1] Service Catalog portfolios should be shared within an Amazon organization only
- [Transfer.2] Transfer Family servers should not use FTP protocol for endpoint connection
- [WAF.1] Amazon WAF Classic Global Web ACL logging should be enabled
- [WAF.6] Amazon WAF Classic global rules should have at least one condition
- [WAF.7] Amazon WAF Classic global rule groups should have at least one rule
- [WAF.8] Amazon WAF Classic global web ACLs should have at least one rule or rule group
Asia Pacific (Singapore)
The following controls are not supported in Asia Pacific (Singapore).
- [CloudFront.1] CloudFront distributions should have a default root object configured
- [CloudFront.3] CloudFront distributions should require encryption in transit
- [CloudFront.4] CloudFront distributions should have origin failover configured
- [CloudFront.5] CloudFront distributions should have logging enabled
- [CloudFront.6] CloudFront distributions should have WAF enabled
- [CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates
- [CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests
- [CloudFront.9] CloudFront distributions should encrypt traffic to custom origins
- [CloudFront.12] CloudFront distributions should not point to non-existent S3 origins
- [CloudFront.13] CloudFront distributions should use origin access control
- [DataFirehose.1] Firehose delivery streams should be encrypted at rest
- [DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled
- [DMS.11] DMS endpoints for MongoDB should have an authentication mechanism enabled
- [DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit
- [EFS.6] EFS mount targets should not be associated with a public subnet
- [EKS.3] EKS clusters should use encrypted Kubernetes secrets
- [FSx.2] FSx for Lustre file systems should be configured to copy tags to backups
- [GlobalAccelerator.1] Global Accelerator accelerators should be tagged
- [IAM.26] Expired SSL/TLS certificates managed in IAM should be removed
- [MQ.2] ActiveMQ brokers should stream audit logs to CloudWatch
- [MQ.3] Amazon MQ brokers should have automatic minor version upgrade enabled
- [Opensearch.11] OpenSearch domains should have at least three dedicated primary nodes
- [Route53.2] Route 53 public hosted zones should log DNS queries
- [ServiceCatalog.1] Service Catalog portfolios should be shared within an Amazon organization only
- [Transfer.2] Transfer Family servers should not use FTP protocol for endpoint connection
- [WAF.1] Amazon WAF Classic Global Web ACL logging should be enabled
- [WAF.6] Amazon WAF Classic global rules should have at least one condition
- [WAF.7] Amazon WAF Classic global rule groups should have at least one rule
- [WAF.8] Amazon WAF Classic global web ACLs should have at least one rule or rule group
Asia Pacific (Sydney)
The following controls are not supported in Asia Pacific (Sydney).
- [CloudFront.1] CloudFront distributions should have a default root object configured
- [CloudFront.3] CloudFront distributions should require encryption in transit
- [CloudFront.4] CloudFront distributions should have origin failover configured
- [CloudFront.5] CloudFront distributions should have logging enabled
- [CloudFront.6] CloudFront distributions should have WAF enabled
- [CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates
- [CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests
- [CloudFront.9] CloudFront distributions should encrypt traffic to custom origins
- [CloudFront.12] CloudFront distributions should not point to non-existent S3 origins
- [CloudFront.13] CloudFront distributions should use origin access control
- [DataFirehose.1] Firehose delivery streams should be encrypted at rest
- [DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled
- [DMS.11] DMS endpoints for MongoDB should have an authentication mechanism enabled
- [DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit
- [EFS.6] EFS mount targets should not be associated with a public subnet
- [EKS.3] EKS clusters should use encrypted Kubernetes secrets
- [FSx.2] FSx for Lustre file systems should be configured to copy tags to backups
- [GlobalAccelerator.1] Global Accelerator accelerators should be tagged
- [IAM.26] Expired SSL/TLS certificates managed in IAM should be removed
- [MQ.2] ActiveMQ brokers should stream audit logs to CloudWatch
- [MQ.3] Amazon MQ brokers should have automatic minor version upgrade enabled
- [Opensearch.11] OpenSearch domains should have at least three dedicated primary nodes
- [Redshift.3] Amazon Redshift clusters should have automatic snapshots enabled
- [Route53.2] Route 53 public hosted zones should log DNS queries
- [ServiceCatalog.1] Service Catalog portfolios should be shared within an Amazon organization only
- [Transfer.2] Transfer Family servers should not use FTP protocol for endpoint connection
- [WAF.1] Amazon WAF Classic Global Web ACL logging should be enabled
- [WAF.6] Amazon WAF Classic global rules should have at least one condition
- [WAF.7] Amazon WAF Classic global rule groups should have at least one rule
- [WAF.8] Amazon WAF Classic global web ACLs should have at least one rule or rule group
Asia Pacific (Tokyo)
The following controls are not supported in Asia Pacific (Tokyo).
- [CloudFront.1] CloudFront distributions should have a default root object configured
- [CloudFront.3] CloudFront distributions should require encryption in transit
- [CloudFront.4] CloudFront distributions should have origin failover configured
- [CloudFront.5] CloudFront distributions should have logging enabled
- [CloudFront.6] CloudFront distributions should have WAF enabled
- [CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates
- [CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests
- [CloudFront.9] CloudFront distributions should encrypt traffic to custom origins
- [CloudFront.12] CloudFront distributions should not point to non-existent S3 origins
- [CloudFront.13] CloudFront distributions should use origin access control
- [DataFirehose.1] Firehose delivery streams should be encrypted at rest
- [DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled
- [DMS.11] DMS endpoints for MongoDB should have an authentication mechanism enabled
- [DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit
- [EFS.6] EFS mount targets should not be associated with a public subnet
- [EKS.3] EKS clusters should use encrypted Kubernetes secrets
- [FSx.2] FSx for Lustre file systems should be configured to copy tags to backups
- [GlobalAccelerator.1] Global Accelerator accelerators should be tagged
- [IAM.26] Expired SSL/TLS certificates managed in IAM should be removed
- [MQ.2] ActiveMQ brokers should stream audit logs to CloudWatch
- [MQ.3] Amazon MQ brokers should have automatic minor version upgrade enabled
- [Opensearch.11] OpenSearch domains should have at least three dedicated primary nodes
- [Route53.2] Route 53 public hosted zones should log DNS queries
- [ServiceCatalog.1] Service Catalog portfolios should be shared within an Amazon organization only
- [Transfer.2] Transfer Family servers should not use FTP protocol for endpoint connection
- [WAF.1] Amazon WAF Classic Global Web ACL logging should be enabled
- [WAF.6] Amazon WAF Classic global rules should have at least one condition
- [WAF.7] Amazon WAF Classic global rule groups should have at least one rule
- [WAF.8] Amazon WAF Classic global web ACLs should have at least one rule or rule group
Canada (Central)
The following controls are not supported in Canada (Central).
- [CloudFront.1] CloudFront distributions should have a default root object configured
- [CloudFront.3] CloudFront distributions should require encryption in transit
- [CloudFront.4] CloudFront distributions should have origin failover configured
- [CloudFront.5] CloudFront distributions should have logging enabled
- [CloudFront.6] CloudFront distributions should have WAF enabled
- [CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates
- [CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests
- [CloudFront.9] CloudFront distributions should encrypt traffic to custom origins
- [CloudFront.12] CloudFront distributions should not point to non-existent S3 origins
- [CloudFront.13] CloudFront distributions should use origin access control
- [DataFirehose.1] Firehose delivery streams should be encrypted at rest
- [DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled
- [DMS.11] DMS endpoints for MongoDB should have an authentication mechanism enabled
- [DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest
- [DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit
- [EC2.24] Amazon EC2 paravirtual instance types should not be used
- [EFS.6] EFS mount targets should not be associated with a public subnet
- [EKS.3] EKS clusters should use encrypted Kubernetes secrets
- [FSx.2] FSx for Lustre file systems should be configured to copy tags to backups
- [GlobalAccelerator.1] Global Accelerator accelerators should be tagged
- [IAM.26] Expired SSL/TLS certificates managed in IAM should be removed
- [MQ.2] ActiveMQ brokers should stream audit logs to CloudWatch
- [MQ.3] Amazon MQ brokers should have automatic minor version upgrade enabled
- [Opensearch.11] OpenSearch domains should have at least three dedicated primary nodes
- [Route53.2] Route 53 public hosted zones should log DNS queries
- [ServiceCatalog.1] Service Catalog portfolios should be shared within an Amazon organization only
- [Transfer.2] Transfer Family servers should not use FTP protocol for endpoint connection
- [WAF.1] Amazon WAF Classic Global Web ACL logging should be enabled
- [WAF.6] Amazon WAF Classic global rules should have at least one condition
- [WAF.7] Amazon WAF Classic global rule groups should have at least one rule
- [WAF.8] Amazon WAF Classic global web ACLs should have at least one rule or rule group
China (Beijing)
The following controls are not supported in China (Beijing).
- [ACM.1] Imported and ACM-issued certificates should be renewed after a specified time period
- [ACM.2] RSA certificates managed by ACM should use a key length of at least 2,048 bits
- [Account.2] Amazon Web Services accounts should be part of an Amazon Organizations organization
- [APIGateway.3] API Gateway REST API stages should have Amazon X-Ray tracing enabled
- [APIGateway.4] API Gateway should be associated with a WAF Web ACL
- [Backup.1] Amazon Backup recovery points should be encrypted at rest
- [CloudFront.1] CloudFront distributions should have a default root object configured
- [CloudFront.3] CloudFront distributions should require encryption in transit
- [CloudFront.4] CloudFront distributions should have origin failover configured
- [CloudFront.5] CloudFront distributions should have logging enabled
- [CloudFront.6] CloudFront distributions should have WAF enabled
- [CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates
- [CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests
- [CloudFront.9] CloudFront distributions should encrypt traffic to custom origins
- [CloudFront.13] CloudFront distributions should use origin access control
- [CloudWatch.15] CloudWatch alarms should have specified actions configured
- [CloudWatch.16] CloudWatch log groups should be retained for a specified time period
- [DataFirehose.1] Firehose delivery streams should be encrypted at rest
- [DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled
- [DMS.11] DMS endpoints for MongoDB should have an authentication mechanism enabled
- [DocumentDB.1] Amazon DocumentDB clusters should be encrypted at rest
- [DocumentDB.2] Amazon DocumentDB clusters should have an adequate backup retention period
- [DocumentDB.3] Amazon DocumentDB manual cluster snapshots should not be public
- [DocumentDB.4] Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs
- [DocumentDB.5] Amazon DocumentDB clusters should have deletion protection enabled
- [DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest
- [DynamoDB.4] DynamoDB tables should be present in a backup plan
- [DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit
- [EC2.15] Amazon EC2 subnets should not automatically assign public IP addresses
- [EC2.16] Unused Network Access Control Lists should be removed
- [EC2.20] Both VPN tunnels for an Amazon Site-to-Site VPN connection should be up
- [EC2.22] Unused Amazon EC2 security groups should be removed
- [EC2.23] Amazon EC2 Transit Gateways should not automatically accept VPC attachment requests
- [EC2.51] EC2 Client VPN endpoints should have client connection logging enabled
- [ECR.1] ECR private repositories should have image scanning configured
- [ECS.1] Amazon ECS task definitions should have secure networking modes and user definitions
- [EFS.6] EFS mount targets should not be associated with a public subnet
- [EKS.3] EKS clusters should use encrypted Kubernetes secrets
- [EKS.7] EKS identity provider configurations should be tagged
- [ELB.16] Application Load Balancers should be associated with an Amazon WAF web ACL
- [ElastiCache.1] ElastiCache Redis clusters should have automatic backup enabled
- [ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled
- [ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled
- [ElasticBeanstalk.3] Elastic Beanstalk should stream logs to CloudWatch
- [EMR.2] Amazon EMR block public access setting should be enabled
- [ES.3] Elasticsearch domains should encrypt data sent between nodes
- [ES.4] Elasticsearch domain error logging to CloudWatch Logs should be enabled
- [EventBridge.4] EventBridge global endpoints should have event replication enabled
- [FSx.1] FSx for OpenZFS file systems should be configured to copy tags to backups and volumes
- [FSx.2] FSx for Lustre file systems should be configured to copy tags to backups
- [GlobalAccelerator.1] Global Accelerator accelerators should be tagged
- [IAM.26] Expired SSL/TLS certificates managed in IAM should be removed
- [IAM.27] IAM identities should not have the AWSCloudShellFullAccess policy attached
- [IAM.28] IAM Access Analyzer external access analyzer should be enabled
- [Macie.2] Macie automated sensitive data discovery should be enabled
- [MQ.2] ActiveMQ brokers should stream audit logs to CloudWatch
- [MQ.3] Amazon MQ brokers should have automatic minor version upgrade enabled
- [Neptune.2] Neptune DB clusters should publish audit logs to CloudWatch Logs
- [Neptune.3] Neptune DB cluster snapshots should not be public
- [Neptune.4] Neptune DB clusters should have deletion protection enabled
- [Neptune.5] Neptune DB clusters should have automated backups enabled
- [Neptune.6] Neptune DB cluster snapshots should be encrypted at rest
- [Neptune.7] Neptune DB clusters should have IAM database authentication enabled
- [Neptune.8] Neptune DB clusters should be configured to copy tags to snapshots
- [Neptune.9] Neptune DB clusters should be deployed across multiple Availability Zones
- [NetworkFirewall.1] Network Firewall firewalls should be deployed across multiple Availability Zones
- [NetworkFirewall.2] Network Firewall logging should be enabled
- [NetworkFirewall.3] Network Firewall policies should have at least one rule group associated
- [NetworkFirewall.6] Stateless Network Firewall rule group should not be empty
- [NetworkFirewall.7] Network Firewall firewalls should be tagged
- [NetworkFirewall.8] Network Firewall firewall policies should be tagged
- [NetworkFirewall.9] Network Firewall firewalls should have deletion protection enabled
- [Opensearch.1] OpenSearch domains should have encryption at rest enabled
- [Opensearch.2] OpenSearch domains should not be publicly accessible
- [Opensearch.3] OpenSearch domains should encrypt data sent between nodes
- [Opensearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled
- [Opensearch.5] OpenSearch domains should have audit logging enabled
- [Opensearch.6] OpenSearch domains should have at least three data nodes
- [Opensearch.7] OpenSearch domains should have fine-grained access control enabled
- [Opensearch.11] OpenSearch domains should have at least three dedicated primary nodes
- [PCA.1] Amazon Private CA root certificate authority should be disabled
- [RDS.7] RDS clusters should have deletion protection enabled
- [RDS.10] IAM authentication should be configured for RDS instances
- [RDS.12] IAM authentication should be configured for RDS clusters
- [RDS.13] RDS automatic minor version upgrades should be enabled
- [RDS.14] Amazon Aurora clusters should have backtracking enabled
- [RDS.15] RDS DB clusters should be configured for multiple Availability Zones
- [RDS.16] RDS DB clusters should be configured to copy tags to snapshots
- [RDS.24] RDS Database clusters should use a custom administrator username
- [RDS.25] RDS database instances should use a custom administrator username
- [RDS.26] RDS DB instances should be protected by a backup plan
- [RDS.34] Aurora MySQL DB clusters should publish audit logs to CloudWatch Logs
- [RDS.35] RDS DB clusters should have automatic minor version upgrade enabled
- [Redshift.7] Redshift clusters should use enhanced VPC routing
- [Redshift.12] Redshift event notification subscriptions should be tagged
- [Redshift.14] Redshift cluster subnet groups should be tagged
- [Route53.2] Route 53 public hosted zones should log DNS queries
- [S3.1] S3 general purpose buckets should have block public access settings enabled
- [S3.8] S3 general purpose buckets should block public access
- [S3.14] S3 general purpose buckets should have versioning enabled
- [S3.22] S3 general purpose buckets should log object-level write events
- [S3.23] S3 general purpose buckets should log object-level read events
- [SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access
- [SecretsManager.4] Secrets Manager secrets should be rotated within a specified number of days
- [ServiceCatalog.1] Service Catalog portfolios should be shared within an Amazon organization only
- [StepFunctions.2] Step Functions activities should be tagged
- [Transfer.1] Amazon Transfer Family workflows should be tagged
- [Transfer.2] Transfer Family servers should not use FTP protocol for endpoint connection
- [WAF.1] Amazon WAF Classic Global Web ACL logging should be enabled
- [WAF.3] Amazon WAF Classic Regional rule groups should have at least one rule
- [WAF.6] Amazon WAF Classic global rules should have at least one condition
- [WAF.7] Amazon WAF Classic global rule groups should have at least one rule
- [WAF.8] Amazon WAF Classic global web ACLs should have at least one rule or rule group
China (Ningxia)
The following controls are not supported in China (Ningxia).
- [ACM.1] Imported and ACM-issued certificates should be renewed after a specified time period
- [ACM.2] RSA certificates managed by ACM should use a key length of at least 2,048 bits
- [Account.2] Amazon Web Services accounts should be part of an Amazon Organizations organization
- [APIGateway.3] API Gateway REST API stages should have Amazon X-Ray tracing enabled
- [APIGateway.4] API Gateway should be associated with a WAF Web ACL
- [Backup.1] Amazon Backup recovery points should be encrypted at rest
- [CloudFront.1] CloudFront distributions should have a default root object configured
- [CloudFront.3] CloudFront distributions should require encryption in transit
- [CloudFront.4] CloudFront distributions should have origin failover configured
- [CloudFront.5] CloudFront distributions should have logging enabled
- [CloudFront.6] CloudFront distributions should have WAF enabled
- [CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates
- [CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests
- [CloudFront.9] CloudFront distributions should encrypt traffic to custom origins
- [CloudFront.12] CloudFront distributions should not point to non-existent S3 origins
- [CloudFront.13] CloudFront distributions should use origin access control
- [CloudWatch.15] CloudWatch alarms should have specified actions configured
- [CloudWatch.16] CloudWatch log groups should be retained for a specified time period
- [DataFirehose.1] Firehose delivery streams should be encrypted at rest
- [DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled
- [DMS.11] DMS endpoints for MongoDB should have an authentication mechanism enabled
- [DocumentDB.3] Amazon DocumentDB manual cluster snapshots should not be public
- [DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest
- [DynamoDB.4] DynamoDB tables should be present in a backup plan
- [DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit
- [EC2.15] Amazon EC2 subnets should not automatically assign public IP addresses
- [EC2.16] Unused Network Access Control Lists should be removed
- [EC2.20] Both VPN tunnels for an Amazon Site-to-Site VPN connection should be up
- [EC2.22] Unused Amazon EC2 security groups should be removed
- [EC2.23] Amazon EC2 Transit Gateways should not automatically accept VPC attachment requests
- [EC2.24] Amazon EC2 paravirtual instance types should not be used
- [EC2.51] EC2 Client VPN endpoints should have client connection logging enabled
- [ECR.1] ECR private repositories should have image scanning configured
- [ECS.1] Amazon ECS task definitions should have secure networking modes and user definitions
- [EFS.6] EFS mount targets should not be associated with a public subnet
- [EKS.3] EKS clusters should use encrypted Kubernetes secrets
- [EKS.7] EKS identity provider configurations should be tagged
- [ELB.16] Application Load Balancers should be associated with an Amazon WAF web ACL
- [ElastiCache.1] ElastiCache Redis clusters should have automatic backup enabled
- [ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled
- [ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled
- [ElasticBeanstalk.3] Elastic Beanstalk should stream logs to CloudWatch
- [EMR.2] Amazon EMR block public access setting should be enabled
- [ES.1] Elasticsearch domains should have encryption at-rest enabled
- [ES.3] Elasticsearch domains should encrypt data sent between nodes
- [ES.4] Elasticsearch domain error logging to CloudWatch Logs should be enabled
- [EventBridge.4] EventBridge global endpoints should have event replication enabled
- [FSx.1] FSx for OpenZFS file systems should be configured to copy tags to backups and volumes
- [FSx.2] FSx for Lustre file systems should be configured to copy tags to backups
- [GlobalAccelerator.1] Global Accelerator accelerators should be tagged
- [IAM.26] Expired SSL/TLS certificates managed in IAM should be removed
- [IAM.27] IAM identities should not have the AWSCloudShellFullAccess policy attached
- [IAM.28] IAM Access Analyzer external access analyzer should be enabled
- [Lambda.1] Lambda function policies should prohibit public access
- [Lambda.5] VPC Lambda functions should operate in multiple Availability Zones
- [Macie.2] Macie automated sensitive data discovery should be enabled
- [MQ.2] ActiveMQ brokers should stream audit logs to CloudWatch
- [MQ.3] Amazon MQ brokers should have automatic minor version upgrade enabled
- [Neptune.3] Neptune DB cluster snapshots should not be public
- [NetworkFirewall.1] Network Firewall firewalls should be deployed across multiple Availability Zones
- [NetworkFirewall.2] Network Firewall logging should be enabled
- [NetworkFirewall.3] Network Firewall policies should have at least one rule group associated
- [NetworkFirewall.6] Stateless Network Firewall rule group should not be empty
- [NetworkFirewall.7] Network Firewall firewalls should be tagged
- [NetworkFirewall.8] Network Firewall firewall policies should be tagged
- [NetworkFirewall.9] Network Firewall firewalls should have deletion protection enabled
- [Opensearch.1] OpenSearch domains should have encryption at rest enabled
- [Opensearch.2] OpenSearch domains should not be publicly accessible
- [Opensearch.3] OpenSearch domains should encrypt data sent between nodes
- [Opensearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled
- [Opensearch.5] OpenSearch domains should have audit logging enabled
- [Opensearch.6] OpenSearch domains should have at least three data nodes
- [Opensearch.7] OpenSearch domains should have fine-grained access control enabled
- [Opensearch.11] OpenSearch domains should have at least three dedicated primary nodes
- [PCA.1] Amazon Private CA root certificate authority should be disabled
- [RDS.7] RDS clusters should have deletion protection enabled
- [RDS.9] RDS DB instances should publish logs to CloudWatch Logs
- [RDS.10] IAM authentication should be configured for RDS instances
- [RDS.12] IAM authentication should be configured for RDS clusters
- [RDS.13] RDS automatic minor version upgrades should be enabled
- [RDS.14] Amazon Aurora clusters should have backtracking enabled
- [RDS.15] RDS DB clusters should be configured for multiple Availability Zones
- [RDS.24] RDS Database clusters should use a custom administrator username
- [RDS.25] RDS database instances should use a custom administrator username
- [RDS.26] RDS DB instances should be protected by a backup plan
- [RDS.34] Aurora MySQL DB clusters should publish audit logs to CloudWatch Logs
- [RDS.35] RDS DB clusters should have automatic minor version upgrade enabled
- [Redshift.3] Amazon Redshift clusters should have automatic snapshots enabled
- [Redshift.7] Redshift clusters should use enhanced VPC routing
- [Redshift.12] Redshift event notification subscriptions should be tagged
- [Redshift.14] Redshift cluster subnet groups should be tagged
- [Route53.2] Route 53 public hosted zones should log DNS queries
- [S3.1] S3 general purpose buckets should have block public access settings enabled
- [S3.8] S3 general purpose buckets should block public access
- [S3.14] S3 general purpose buckets should have versioning enabled
- [SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access
- [SecretsManager.4] Secrets Manager secrets should be rotated within a specified number of days
- [ServiceCatalog.1] Service Catalog portfolios should be shared within an Amazon organization only
- [StepFunctions.2] Step Functions activities should be tagged
- [Transfer.1] Amazon Transfer Family workflows should be tagged
- [Transfer.2] Transfer Family servers should not use FTP protocol for endpoint connection
- [WAF.1] Amazon WAF Classic Global Web ACL logging should be enabled
- [WAF.3] Amazon WAF Classic Regional rule groups should have at least one rule
- [WAF.6] Amazon WAF Classic global rules should have at least one condition
- [WAF.7] Amazon WAF Classic global rule groups should have at least one rule
- [WAF.8] Amazon WAF Classic global web ACLs should have at least one rule or rule group
Europe (Frankfurt)
The following controls are not supported in Europe (Frankfurt).
- [CloudFront.1] CloudFront distributions should have a default root object configured
- [CloudFront.3] CloudFront distributions should require encryption in transit
- [CloudFront.4] CloudFront distributions should have origin failover configured
- [CloudFront.5] CloudFront distributions should have logging enabled
- [CloudFront.6] CloudFront distributions should have WAF enabled
- [CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates
- [CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests
- [CloudFront.9] CloudFront distributions should encrypt traffic to custom origins
- [CloudFront.12] CloudFront distributions should not point to non-existent S3 origins
- [CloudFront.13] CloudFront distributions should use origin access control
- [GlobalAccelerator.1] Global Accelerator accelerators should be tagged
- [IAM.26] Expired SSL/TLS certificates managed in IAM should be removed
- [Route53.2] Route 53 public hosted zones should log DNS queries
- [WAF.1] Amazon WAF Classic Global Web ACL logging should be enabled
- [WAF.6] Amazon WAF Classic global rules should have at least one condition
- [WAF.7] Amazon WAF Classic global rule groups should have at least one rule
- [WAF.8] Amazon WAF Classic global web ACLs should have at least one rule or rule group
Europe (Ireland)
The following controls are not supported in Europe (Ireland).
- [CloudFront.1] CloudFront distributions should have a default root object configured
- [CloudFront.3] CloudFront distributions should require encryption in transit
- [CloudFront.4] CloudFront distributions should have origin failover configured
- [CloudFront.5] CloudFront distributions should have logging enabled
- [CloudFront.6] CloudFront distributions should have WAF enabled
- [CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates
- [CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests
- [CloudFront.9] CloudFront distributions should encrypt traffic to custom origins
- [CloudFront.12] CloudFront distributions should not point to non-existent S3 origins
- [CloudFront.13] CloudFront distributions should use origin access control
- [DataFirehose.1] Firehose delivery streams should be encrypted at rest
- [DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled
- [DMS.11] DMS endpoints for MongoDB should have an authentication mechanism enabled
- [DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit
- [EFS.6] EFS mount targets should not be associated with a public subnet
- [EKS.3] EKS clusters should use encrypted Kubernetes secrets
- [FSx.2] FSx for Lustre file systems should be configured to copy tags to backups
- [GlobalAccelerator.1] Global Accelerator accelerators should be tagged
- [IAM.26] Expired SSL/TLS certificates managed in IAM should be removed
- [MQ.2] ActiveMQ brokers should stream audit logs to CloudWatch
- [MQ.3] Amazon MQ brokers should have automatic minor version upgrade enabled
- [Opensearch.11] OpenSearch domains should have at least three dedicated primary nodes
- [Route53.2] Route 53 public hosted zones should log DNS queries
- [ServiceCatalog.1] Service Catalog portfolios should be shared within an Amazon organization only
- [Transfer.2] Transfer Family servers should not use FTP protocol for endpoint connection
- [WAF.1] Amazon WAF Classic Global Web ACL logging should be enabled
- [WAF.6] Amazon WAF Classic global rules should have at least one condition
- [WAF.7] Amazon WAF Classic global rule groups should have at least one rule
- [WAF.8] Amazon WAF Classic global web ACLs should have at least one rule or rule group
Europe (London)
The following controls are not supported in Europe (London).
- [CloudFront.1] CloudFront distributions should have a default root object configured
- [CloudFront.3] CloudFront distributions should require encryption in transit
- [CloudFront.4] CloudFront distributions should have origin failover configured
- [CloudFront.5] CloudFront distributions should have logging enabled
- [CloudFront.6] CloudFront distributions should have WAF enabled
- [CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates
- [CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests
- [CloudFront.9] CloudFront distributions should encrypt traffic to custom origins
- [CloudFront.12] CloudFront distributions should not point to non-existent S3 origins
- [CloudFront.13] CloudFront distributions should use origin access control
- [DataFirehose.1] Firehose delivery streams should be encrypted at rest
- [DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled
- [DMS.11] DMS endpoints for MongoDB should have an authentication mechanism enabled
- [DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit
- [EC2.24] Amazon EC2 paravirtual instance types should not be used
- [EFS.6] EFS mount targets should not be associated with a public subnet
- [EKS.3] EKS clusters should use encrypted Kubernetes secrets
- [FSx.2] FSx for Lustre file systems should be configured to copy tags to backups
- [GlobalAccelerator.1] Global Accelerator accelerators should be tagged
- [IAM.26] Expired SSL/TLS certificates managed in IAM should be removed
- [MQ.2] ActiveMQ brokers should stream audit logs to CloudWatch
- [MQ.3] Amazon MQ brokers should have automatic minor version upgrade enabled
- [Opensearch.11] OpenSearch domains should have at least three dedicated primary nodes
- [Route53.2] Route 53 public hosted zones should log DNS queries
- [ServiceCatalog.1] Service Catalog portfolios should be shared within an Amazon organization only
- [Transfer.2] Transfer Family servers should not use FTP protocol for endpoint connection
- [WAF.1] Amazon WAF Classic Global Web ACL logging should be enabled
- [WAF.6] Amazon WAF Classic global rules should have at least one condition
- [WAF.7] Amazon WAF Classic global rule groups should have at least one rule
- [WAF.8] Amazon WAF Classic global web ACLs should have at least one rule or rule group
Europe (Milan)
The following controls are not supported in Europe (Milan).
- [ACM.1] Imported and ACM-issued certificates should be renewed after a specified time period
- [APIGateway.1] API Gateway REST and WebSocket API execution logging should be enabled
- [CloudFront.1] CloudFront distributions should have a default root object configured
- [CloudFront.3] CloudFront distributions should require encryption in transit
- [CloudFront.4] CloudFront distributions should have origin failover configured
- [CloudFront.5] CloudFront distributions should have logging enabled
- [CloudFront.6] CloudFront distributions should have WAF enabled
- [CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates
- [CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests
- [CloudFront.9] CloudFront distributions should encrypt traffic to custom origins
- [CloudFront.12] CloudFront distributions should not point to non-existent S3 origins
- [CloudFront.13] CloudFront distributions should use origin access control
- [CodeBuild.1] CodeBuild Bitbucket source repository URLs should not contain sensitive credentials
- [CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials
- [DataFirehose.1] Firehose delivery streams should be encrypted at rest
- [DMS.1] Database Migration Service replication instances should not be public
- [DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled
- [DMS.11] DMS endpoints for MongoDB should have an authentication mechanism enabled
- [DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest
- [DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit
- [EC2.3] Attached Amazon EBS volumes should be encrypted at-rest
- [EC2.4] Stopped EC2 instances should be removed after a specified time period
- [EC2.8] EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)
- [EC2.13] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 22
- [EC2.14] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 3389
- [EC2.24] Amazon EC2 paravirtual instance types should not be used
- [EFS.1] Elastic File System should be configured to encrypt file data at-rest using Amazon KMS
- [EFS.6] EFS mount targets should not be associated with a public subnet
- [EKS.1] EKS cluster endpoints should not be publicly accessible
- [EKS.3] EKS clusters should use encrypted Kubernetes secrets
- [ELB.1] Application Load Balancer should be configured to redirect all HTTP requests to HTTPS
- [ELB.4] Application Load Balancer should be configured to drop http headers
- [ELB.16] Application Load Balancers should be associated with an Amazon WAF web ACL
- [EMR.1] Amazon EMR cluster primary nodes should not have public IP addresses
- [ES.3] Elasticsearch domains should encrypt data sent between nodes
- [EventBridge.4] EventBridge global endpoints should have event replication enabled
- [FSx.1] FSx for OpenZFS file systems should be configured to copy tags to backups and volumes
- [FSx.2] FSx for Lustre file systems should be configured to copy tags to backups
- [GlobalAccelerator.1] Global Accelerator accelerators should be tagged
- [IAM.3] IAM users' access keys should be rotated every 90 days or less
- [IAM.18] Ensure a support role has been created to manage incidents with Amazon Web Services Support
- [IAM.26] Expired SSL/TLS certificates managed in IAM should be removed
- [KMS.3] Amazon KMS keys should not be deleted unintentionally
- [MQ.2] ActiveMQ brokers should stream audit logs to CloudWatch
- [MQ.3] Amazon MQ brokers should have automatic minor version upgrade enabled
- [Neptune.2] Neptune DB clusters should publish audit logs to CloudWatch Logs
- [Neptune.3] Neptune DB cluster snapshots should not be public
- [Neptune.4] Neptune DB clusters should have deletion protection enabled
- [Neptune.5] Neptune DB clusters should have automated backups enabled
- [Neptune.6] Neptune DB cluster snapshots should be encrypted at rest
- [Neptune.7] Neptune DB clusters should have IAM database authentication enabled
- [Neptune.8] Neptune DB clusters should be configured to copy tags to snapshots
- [Neptune.9] Neptune DB clusters should be deployed across multiple Availability Zones
- [Opensearch.1] OpenSearch domains should have encryption at rest enabled
- [Opensearch.2] OpenSearch domains should not be publicly accessible
- [Opensearch.3] OpenSearch domains should encrypt data sent between nodes
- [Opensearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled
- [Opensearch.5] OpenSearch domains should have audit logging enabled
- [Opensearch.6] OpenSearch domains should have at least three data nodes
- [Opensearch.7] OpenSearch domains should have fine-grained access control enabled
- [Opensearch.11] OpenSearch domains should have at least three dedicated primary nodes
- [RDS.4] RDS cluster snapshots and database snapshots should be encrypted at rest
- [RDS.9] RDS DB instances should publish logs to CloudWatch Logs
- [RDS.14] Amazon Aurora clusters should have backtracking enabled
- [Redshift.2] Connections to Amazon Redshift clusters should be encrypted in transit
- [Redshift.3] Amazon Redshift clusters should have automatic snapshots enabled
- [Route53.2] Route 53 public hosted zones should log DNS queries
- [SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access
- [ServiceCatalog.1] Service Catalog portfolios should be shared within an Amazon organization only
- [Transfer.2] Transfer Family servers should not use FTP protocol for endpoint connection
- [WAF.1] Amazon WAF Classic Global Web ACL logging should be enabled
- [WAF.6] Amazon WAF Classic global rules should have at least one condition
- [WAF.7] Amazon WAF Classic global rule groups should have at least one rule
- [WAF.8] Amazon WAF Classic global web ACLs should have at least one rule or rule group
Europe (Paris)
The following controls are not supported in Europe (Paris).
- [CloudFront.1] CloudFront distributions should have a default root object configured
- [CloudFront.3] CloudFront distributions should require encryption in transit
- [CloudFront.4] CloudFront distributions should have origin failover configured
- [CloudFront.5] CloudFront distributions should have logging enabled
- [CloudFront.6] CloudFront distributions should have WAF enabled
- [CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates
- [CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests
- [CloudFront.9] CloudFront distributions should encrypt traffic to custom origins
- [CloudFront.12] CloudFront distributions should not point to non-existent S3 origins
- [CloudFront.13] CloudFront distributions should use origin access control
- [DataFirehose.1] Firehose delivery streams should be encrypted at rest
- [DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled
- [DMS.11] DMS endpoints for MongoDB should have an authentication mechanism enabled
- [DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit
- [EC2.24] Amazon EC2 paravirtual instance types should not be used
- [EFS.6] EFS mount targets should not be associated with a public subnet
- [EKS.3] EKS clusters should use encrypted Kubernetes secrets
- [FSx.1] FSx for OpenZFS file systems should be configured to copy tags to backups and volumes
- [FSx.2] FSx for Lustre file systems should be configured to copy tags to backups
- [GlobalAccelerator.1] Global Accelerator accelerators should be tagged
- [IAM.26] Expired SSL/TLS certificates managed in IAM should be removed
- [MQ.2] ActiveMQ brokers should stream audit logs to CloudWatch
- [MQ.3] Amazon MQ brokers should have automatic minor version upgrade enabled
- [Opensearch.11] OpenSearch domains should have at least three dedicated primary nodes
- [Route53.2] Route 53 public hosted zones should log DNS queries
- [ServiceCatalog.1] Service Catalog portfolios should be shared within an Amazon organization only
- [Transfer.2] Transfer Family servers should not use FTP protocol for endpoint connection
- [WAF.1] Amazon WAF Classic Global Web ACL logging should be enabled
- [WAF.6] Amazon WAF Classic global rules should have at least one condition
- [WAF.7] Amazon WAF Classic global rule groups should have at least one rule
- [WAF.8] Amazon WAF Classic global web ACLs should have at least one rule or rule group
Europe (Spain)
The following controls are not supported in Europe (Spain).
- [ACM.1] Imported and ACM-issued certificates should be renewed after a specified time period
- [ACM.2] RSA certificates managed by ACM should use a key length of at least 2,048 bits
- [Account.2] Amazon Web Services accounts should be part of an Amazon Organizations organization
- [APIGateway.1] API Gateway REST and WebSocket API execution logging should be enabled
- [APIGateway.3] API Gateway REST API stages should have Amazon X-Ray tracing enabled
- [APIGateway.4] API Gateway should be associated with a WAF Web ACL
- [APIGateway.8] API Gateway routes should specify an authorization type
- [APIGateway.9] Access logging should be configured for API Gateway V2 Stages
- [AppSync.2] Amazon AppSync should have field-level logging enabled
- [AppSync.5] Amazon AppSync GraphQL APIs should not be authenticated with API keys
- [AutoScaling.1] Auto Scaling groups associated with a load balancer should use ELB health checks
- [Backup.1] Amazon Backup recovery points should be encrypted at rest
- [CloudFront.1] CloudFront distributions should have a default root object configured
- [CloudFront.3] CloudFront distributions should require encryption in transit
- [CloudFront.4] CloudFront distributions should have origin failover configured
- [CloudFront.5] CloudFront distributions should have logging enabled
- [CloudFront.6] CloudFront distributions should have WAF enabled
- [CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates
- [CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests
- [CloudFront.9] CloudFront distributions should encrypt traffic to custom origins
- [CloudFront.12] CloudFront distributions should not point to non-existent S3 origins
- [CloudFront.13] CloudFront distributions should use origin access control
- [CloudTrail.6] Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible
- [CloudTrail.7] Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
- [CloudWatch.16] CloudWatch log groups should be retained for a specified time period
- [CodeBuild.1] CodeBuild Bitbucket source repository URLs should not contain sensitive credentials
- [CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials
- [CodeBuild.4] CodeBuild project environments should have a logging Amazon Configuration
- [DataFirehose.1] Firehose delivery streams should be encrypted at rest
- [DMS.1] Database Migration Service replication instances should not be public
- [DMS.6] DMS replication instances should have automatic minor version upgrade enabled
- [DMS.7] DMS replication tasks for the target database should have logging enabled
- [DMS.8] DMS replication tasks for the source database should have logging enabled
- [DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled
- [DMS.11] DMS endpoints for MongoDB should have an authentication mechanism enabled
- [DocumentDB.1] Amazon DocumentDB clusters should be encrypted at rest
- [DocumentDB.2] Amazon DocumentDB clusters should have an adequate backup retention period
- [DocumentDB.3] Amazon DocumentDB manual cluster snapshots should not be public
- [DocumentDB.4] Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs
- [DocumentDB.5] Amazon DocumentDB clusters should have deletion protection enabled
- [DynamoDB.1] DynamoDB tables should automatically scale capacity with demand
- [DynamoDB.2] DynamoDB tables should have point-in-time recovery enabled
- [DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest
- [DynamoDB.4] DynamoDB tables should be present in a backup plan
- [DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit
- [EC2.1] Amazon EBS snapshots should not be publicly restorable
- [EC2.2] VPC default security groups should not allow inbound or outbound traffic
- [EC2.3] Attached Amazon EBS volumes should be encrypted at-rest
- [EC2.4] Stopped EC2 instances should be removed after a specified time period
- [EC2.8] EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)
- [EC2.9] Amazon EC2 instances should not have a public IPv4 address
- [EC2.13] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 22
- [EC2.14] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 3389
- [EC2.15] Amazon EC2 subnets should not automatically assign public IP addresses
- [EC2.16] Unused Network Access Control Lists should be removed
- [EC2.18] Security groups should only allow unrestricted incoming traffic for authorized ports
- [EC2.20] Both VPN tunnels for an Amazon Site-to-Site VPN connection should be up
- [EC2.22] Unused Amazon EC2 security groups should be removed
- [EC2.23] Amazon EC2 Transit Gateways should not automatically accept VPC attachment requests
- [EC2.24] Amazon EC2 paravirtual instance types should not be used
- [EC2.25] Amazon EC2 launch templates should not assign public IPs to network interfaces
- [EC2.51] EC2 Client VPN endpoints should have client connection logging enabled
- [ECR.1] ECR private repositories should have image scanning configured
- [ECR.2] ECR private repositories should have tag immutability configured
- [ECR.3] ECR repositories should have at least one lifecycle policy configured
- [ECS.1] Amazon ECS task definitions should have secure networking modes and user definitions
- [ECS.9] ECS task definitions should have a logging configuration
- [EFS.1] Elastic File System should be configured to encrypt file data at-rest using Amazon KMS
- [EFS.6] EFS mount targets should not be associated with a public subnet
- [EKS.1] EKS cluster endpoints should not be publicly accessible
- [EKS.2] EKS clusters should run on a supported Kubernetes version
- [EKS.3] EKS clusters should use encrypted Kubernetes secrets
- [ELB.1] Application Load Balancer should be configured to redirect all HTTP requests to HTTPS
- [ELB.3] Classic Load Balancer listeners should be configured with HTTPS or TLS termination
- [ELB.4] Application Load Balancer should be configured to drop http headers
- [ELB.5] Application and Classic Load Balancers logging should be enabled
- [ELB.6] Application, Gateway, and Network Load Balancers should have deletion protection enabled
- [ELB.9] Classic Load Balancers should have cross-zone load balancing enabled
- [ELB.16] Application Load Balancers should be associated with an Amazon WAF web ACL
- [ElastiCache.1] ElastiCache Redis clusters should have automatic backup enabled
- [ElastiCache.6] ElastiCache for Redis replication groups before version 6.0 should use Redis AUTH
- [ElastiCache.7] ElastiCache clusters should not use the default subnet group
- [ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled
- [ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled
- [ElasticBeanstalk.3] Elastic Beanstalk should stream logs to CloudWatch
- [EMR.1] Amazon EMR cluster primary nodes should not have public IP addresses
- [ES.1] Elasticsearch domains should have encryption at-rest enabled
- [ES.2] Elasticsearch domains should not be publicly accessible
- [ES.3] Elasticsearch domains should encrypt data sent between nodes
- [ES.4] Elasticsearch domain error logging to CloudWatch Logs should be enabled
- [EventBridge.3] EventBridge custom event buses should have a resource-based policy attached
- [EventBridge.4] EventBridge global endpoints should have event replication enabled
- [FSx.1] FSx for OpenZFS file systems should be configured to copy tags to backups and volumes
- [FSx.2] FSx for Lustre file systems should be configured to copy tags to backups
- [GlobalAccelerator.1] Global Accelerator accelerators should be tagged
- [IAM.1] IAM policies should not allow full "*" administrative privileges
- [IAM.3] IAM users' access keys should be rotated every 90 days or less
- [IAM.5] MFA should be enabled for all IAM users that have a console password
- [IAM.18] Ensure a support role has been created to manage incidents with Amazon Web Services Support
- [IAM.22] IAM user credentials unused for 45 days should be removed
- [IAM.26] Expired SSL/TLS certificates managed in IAM should be removed
- [IAM.27] IAM identities should not have the AWSCloudShellFullAccess policy attached
- [KMS.1] IAM customer managed policies should not allow decryption actions on all KMS keys
- [Lambda.1] Lambda function policies should prohibit public access
- [Lambda.5] VPC Lambda functions should operate in multiple Availability Zones
- [Macie.2] Macie automated sensitive data discovery should be enabled
- [MQ.2] ActiveMQ brokers should stream audit logs to CloudWatch
- [MQ.3] Amazon MQ brokers should have automatic minor version upgrade enabled
- [MQ.5] ActiveMQ brokers should use active/standby deployment mode
- [MSK.1] MSK clusters should be encrypted in transit among broker nodes
- [MSK.2] MSK clusters should have enhanced monitoring configured
- [Neptune.2] Neptune DB clusters should publish audit logs to CloudWatch Logs
- [Neptune.3] Neptune DB cluster snapshots should not be public
- [Neptune.4] Neptune DB clusters should have deletion protection enabled
- [Neptune.5] Neptune DB clusters should have automated backups enabled
- [Neptune.6] Neptune DB cluster snapshots should be encrypted at rest
- [Neptune.7] Neptune DB clusters should have IAM database authentication enabled
- [Neptune.8] Neptune DB clusters should be configured to copy tags to snapshots
- [Neptune.9] Neptune DB clusters should be deployed across multiple Availability Zones
- [NetworkFirewall.1] Network Firewall firewalls should be deployed across multiple Availability Zones
- [NetworkFirewall.2] Network Firewall logging should be enabled
- [NetworkFirewall.3] Network Firewall policies should have at least one rule group associated
- [NetworkFirewall.6] Stateless Network Firewall rule group should not be empty
- [NetworkFirewall.9] Network Firewall firewalls should have deletion protection enabled
- [Opensearch.1] OpenSearch domains should have encryption at rest enabled
- [Opensearch.2] OpenSearch domains should not be publicly accessible
- [Opensearch.3] OpenSearch domains should encrypt data sent between nodes
- [Opensearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled
- [Opensearch.5] OpenSearch domains should have audit logging enabled
- [Opensearch.6] OpenSearch domains should have at least three data nodes
- [Opensearch.7] OpenSearch domains should have fine-grained access control enabled
- [Opensearch.10] OpenSearch domains should have the latest software update installed
- [Opensearch.11] OpenSearch domains should have at least three dedicated primary nodes
- [RDS.3] RDS DB instances should have encryption at-rest enabled
- [RDS.4] RDS cluster snapshots and database snapshots should be encrypted at rest
- [RDS.5] RDS DB instances should be configured with multiple Availability Zones
- [RDS.6] Enhanced monitoring should be configured for RDS DB instances
- [RDS.7] RDS clusters should have deletion protection enabled
- [RDS.8] RDS DB instances should have deletion protection enabled
- [RDS.9] RDS DB instances should publish logs to CloudWatch Logs
- [RDS.10] IAM authentication should be configured for RDS instances
- [RDS.11] RDS instances should have automatic backups enabled
- [RDS.12] IAM authentication should be configured for RDS clusters
- [RDS.13] RDS automatic minor version upgrades should be enabled
- [RDS.14] Amazon Aurora clusters should have backtracking enabled
- [RDS.15] RDS DB clusters should be configured for multiple Availability Zones
- [RDS.16] RDS DB clusters should be configured to copy tags to snapshots
- [RDS.24] RDS Database clusters should use a custom administrator username
- [RDS.26] RDS DB instances should be protected by a backup plan
- [RDS.34] Aurora MySQL DB clusters should publish audit logs to CloudWatch Logs
- [RDS.35] RDS DB clusters should have automatic minor version upgrade enabled
- [Redshift.1] Amazon Redshift clusters should prohibit public access
- [Redshift.2] Connections to Amazon Redshift clusters should be encrypted in transit
- [Redshift.3] Amazon Redshift clusters should have automatic snapshots enabled
- [Redshift.6] Amazon Redshift should have automatic upgrades to major versions enabled
- [Redshift.7] Redshift clusters should use enhanced VPC routing
- [Redshift.12] Redshift event notification subscriptions should be tagged
- [Route53.2] Route 53 public hosted zones should log DNS queries
- [S3.1] S3 general purpose buckets should have block public access settings enabled
- [S3.5] S3 general purpose buckets should require requests to use SSL
- [S3.8] S3 general purpose buckets should block public access
- [S3.9] S3 general purpose buckets should have server access logging enabled
- [S3.15] S3 general purpose buckets should have Object Lock enabled
- [S3.17] S3 general purpose buckets should be encrypted at rest with Amazon KMS keys
- [SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access
- [SageMaker.2] SageMaker notebook instances should be launched in a custom VPC
- [SageMaker.3] Users should not have root access to SageMaker notebook instances
- [ServiceCatalog.1] Service Catalog portfolios should be shared within an Amazon organization only
- [SNS.1] SNS topics should be encrypted at-rest using Amazon KMS
- [SSM.1] Amazon EC2 instances should be managed by Amazon Systems Manager
- [StepFunctions.1] Step Functions state machines should have logging turned on
- [Transfer.1] Amazon Transfer Family workflows should be tagged
- [Transfer.2] Transfer Family servers should not use FTP protocol for endpoint connection
- [WAF.1] Amazon WAF Classic Global Web ACL logging should be enabled
- [WAF.2] Amazon WAF Classic Regional rules should have at least one condition
- [WAF.3] Amazon WAF Classic Regional rule groups should have at least one rule
- [WAF.4] Amazon WAF Classic Regional web ACLs should have at least one rule or rule group
- [WAF.6] Amazon WAF Classic global rules should have at least one condition
- [WAF.7] Amazon WAF Classic global rule groups should have at least one rule
- [WAF.8] Amazon WAF Classic global web ACLs should have at least one rule or rule group
- [WAF.10] Amazon WAF web ACLs should have at least one rule or rule group
Europe (Stockholm)
The following controls are not supported in Europe (Stockholm).
- [CloudFront.1] CloudFront distributions should have a default root object configured
- [CloudFront.3] CloudFront distributions should require encryption in transit
- [CloudFront.4] CloudFront distributions should have origin failover configured
- [CloudFront.5] CloudFront distributions should have logging enabled
- [CloudFront.6] CloudFront distributions should have WAF enabled
- [CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates
- [CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests
- [CloudFront.9] CloudFront distributions should encrypt traffic to custom origins
- [CloudFront.12] CloudFront distributions should not point to non-existent S3 origins
- [CloudFront.13] CloudFront distributions should use origin access control
- [DataFirehose.1] Firehose delivery streams should be encrypted at rest
- [DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled
- [DMS.11] DMS endpoints for MongoDB should have an authentication mechanism enabled
- [DocumentDB.1] Amazon DocumentDB clusters should be encrypted at rest
- [DocumentDB.2] Amazon DocumentDB clusters should have an adequate backup retention period
- [DocumentDB.3] Amazon DocumentDB manual cluster snapshots should not be public
- [DocumentDB.4] Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs
- [DocumentDB.5] Amazon DocumentDB clusters should have deletion protection enabled
- [DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest
- [DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit
- [EC2.24] Amazon EC2 paravirtual instance types should not be used
- [EFS.6] EFS mount targets should not be associated with a public subnet
- [EKS.3] EKS clusters should use encrypted Kubernetes secrets
- [FSx.2] FSx for Lustre file systems should be configured to copy tags to backups
- [GlobalAccelerator.1] Global Accelerator accelerators should be tagged
- [IAM.26] Expired SSL/TLS certificates managed in IAM should be removed
- [MQ.2] ActiveMQ brokers should stream audit logs to CloudWatch
- [MQ.3] Amazon MQ brokers should have automatic minor version upgrade enabled
- [Opensearch.11] OpenSearch domains should have at least three dedicated primary nodes
- [RDS.14] Amazon Aurora clusters should have backtracking enabled
- [Route53.2] Route 53 public hosted zones should log DNS queries
- [ServiceCatalog.1] Service Catalog portfolios should be shared within an Amazon organization only
- [Transfer.2] Transfer Family servers should not use FTP protocol for endpoint connection
- [WAF.1] Amazon WAF Classic Global Web ACL logging should be enabled
- [WAF.6] Amazon WAF Classic global rules should have at least one condition
- [WAF.7] Amazon WAF Classic global rule groups should have at least one rule
- [WAF.8] Amazon WAF Classic global web ACLs should have at least one rule or rule group
Europe (Zurich)
The following controls are not supported in Europe (Zurich).
- [ACM.1] Imported and ACM-issued certificates should be renewed after a specified time period
- [ACM.2] RSA certificates managed by ACM should use a key length of at least 2,048 bits
- [APIGateway.1] API Gateway REST and WebSocket API execution logging should be enabled
- [APIGateway.8] API Gateway routes should specify an authorization type
- [APIGateway.9] Access logging should be configured for API Gateway V2 Stages
- [AppSync.2] Amazon AppSync should have field-level logging enabled
- [AppSync.5] Amazon AppSync GraphQL APIs should not be authenticated with API keys
- [AutoScaling.1] Auto Scaling groups associated with a load balancer should use ELB health checks
- [Backup.1] Amazon Backup recovery points should be encrypted at rest
- [CloudFront.1] CloudFront distributions should have a default root object configured
- [CloudFront.3] CloudFront distributions should require encryption in transit
- [CloudFront.4] CloudFront distributions should have origin failover configured
- [CloudFront.5] CloudFront distributions should have logging enabled
- [CloudFront.6] CloudFront distributions should have WAF enabled
- [CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates
- [CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests
- [CloudFront.9] CloudFront distributions should encrypt traffic to custom origins
- [CloudFront.12] CloudFront distributions should not point to non-existent S3 origins
- [CloudFront.13] CloudFront distributions should use origin access control
- [CloudTrail.6] Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible
- [CloudTrail.7] Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
- [CodeBuild.1] CodeBuild Bitbucket source repository URLs should not contain sensitive credentials
- [CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials
- [CodeBuild.4] CodeBuild project environments should have a logging Amazon Configuration
- [DataFirehose.1] Firehose delivery streams should be encrypted at rest
- [DMS.1] Database Migration Service replication instances should not be public
- [DMS.6] DMS replication instances should have automatic minor version upgrade enabled
- [DMS.7] DMS replication tasks for the target database should have logging enabled
- [DMS.8] DMS replication tasks for the source database should have logging enabled
- [DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled
- [DMS.11] DMS endpoints for MongoDB should have an authentication mechanism enabled
- [DocumentDB.1] Amazon DocumentDB clusters should be encrypted at rest
- [DocumentDB.2] Amazon DocumentDB clusters should have an adequate backup retention period
- [DocumentDB.3] Amazon DocumentDB manual cluster snapshots should not be public
- [DocumentDB.4] Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs
- [DocumentDB.5] Amazon DocumentDB clusters should have deletion protection enabled
- [DynamoDB.1] DynamoDB tables should automatically scale capacity with demand
- [DynamoDB.2] DynamoDB tables should have point-in-time recovery enabled
- [DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest
- [DynamoDB.4] DynamoDB tables should be present in a backup plan
- [DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit
- [EC2.2] VPC default security groups should not allow inbound or outbound traffic
- [EC2.3] Attached Amazon EBS volumes should be encrypted at-rest
- [EC2.4] Stopped EC2 instances should be removed after a specified time period
- [EC2.8] EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)
- [EC2.9] Amazon EC2 instances should not have a public IPv4 address
- [EC2.13] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 22
- [EC2.14] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 3389
- [EC2.15] Amazon EC2 subnets should not automatically assign public IP addresses
- [EC2.16] Unused Network Access Control Lists should be removed
- [EC2.18] Security groups should only allow unrestricted incoming traffic for authorized ports
- [EC2.20] Both VPN tunnels for an Amazon Site-to-Site VPN connection should be up
- [EC2.22] Unused Amazon EC2 security groups should be removed
- [EC2.23] Amazon EC2 Transit Gateways should not automatically accept VPC attachment requests
- [EC2.24] Amazon EC2 paravirtual instance types should not be used
- [EC2.25] Amazon EC2 launch templates should not assign public IPs to network interfaces
- [EC2.51] EC2 Client VPN endpoints should have client connection logging enabled
- [ECR.1] ECR private repositories should have image scanning configured
- [ECR.2] ECR private repositories should have tag immutability configured
- [ECR.3] ECR repositories should have at least one lifecycle policy configured
- [ECS.1] Amazon ECS task definitions should have secure networking modes and user definitions.
- [ECS.9] ECS task definitions should have a logging configuration
- [EFS.1] Elastic File System should be configured to encrypt file data at-rest using Amazon KMS
- [EFS.6] EFS mount targets should not be associated with a public subnet
- [EKS.1] EKS cluster endpoints should not be publicly accessible
- [EKS.2] EKS clusters should run on a supported Kubernetes version
- [EKS.3] EKS clusters should use encrypted Kubernetes secrets
- [ELB.1] Application Load Balancer should be configured to redirect all HTTP requests to HTTPS
- [ELB.3] Classic Load Balancer listeners should be configured with HTTPS or TLS termination
- [ELB.4] Application Load Balancer should be configured to drop http headers
- [ELB.9] Classic Load Balancers should have cross-zone load balancing enabled
- [ELB.16] Application Load Balancers should be associated with an Amazon WAF web ACL
- [ElastiCache.1] ElastiCache Redis clusters should have automatic backup enabled
- [ElastiCache.6] ElastiCache for Redis replication groups before version 6.0 should use Redis AUTH
- [ElastiCache.7] ElastiCache clusters should not use the default subnet group
- [ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled
- [ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled
- [ElasticBeanstalk.3] Elastic Beanstalk should stream logs to CloudWatch
- [EMR.1] Amazon EMR cluster primary nodes should not have public IP addresses
- [ES.1] Elasticsearch domains should have encryption at-rest enabled
- [ES.2] Elasticsearch domains should not be publicly accessible
- [ES.3] Elasticsearch domains should encrypt data sent between nodes
- [ES.4] Elasticsearch domain error logging to CloudWatch Logs should be enabled
- [EventBridge.3] EventBridge custom event buses should have a resource-based policy attached
- [EventBridge.4] EventBridge global endpoints should have event replication enabled
- [FSx.1] FSx for OpenZFS file systems should be configured to copy tags to backups and volumes
- [FSx.2] FSx for Lustre file systems should be configured to copy tags to backups
- [GlobalAccelerator.1] Global Accelerator accelerators should be tagged
- [IAM.1] IAM policies should not allow full "*" administrative privileges
- [IAM.3] IAM users' access keys should be rotated every 90 days or less
- [IAM.5] MFA should be enabled for all IAM users that have a console password
- [IAM.18] Ensure a support role has been created to manage incidents with Amazon Web Services Support
- [IAM.22] IAM user credentials unused for 45 days should be removed
- [IAM.26] Expired SSL/TLS certificates managed in IAM should be removed
- [IAM.27] IAM identities should not have the AWSCloudShellFullAccess policy attached
- [KMS.1] IAM customer managed policies should not allow decryption actions on all KMS keys
- [Lambda.5] VPC Lambda functions should operate in multiple Availability Zones
- [Macie.2] Macie automated sensitive data discovery should be enabled
- [MQ.2] ActiveMQ brokers should stream audit logs to CloudWatch
- [MQ.3] Amazon MQ brokers should have automatic minor version upgrade enabled
- [MQ.5] ActiveMQ brokers should use active/standby deployment mode
- [MSK.1] MSK clusters should be encrypted in transit among broker nodes
- [MSK.2] MSK clusters should have enhanced monitoring configured
- [Neptune.2] Neptune DB clusters should publish audit logs to CloudWatch Logs
- [Neptune.3] Neptune DB cluster snapshots should not be public
- [Neptune.4] Neptune DB clusters should have deletion protection enabled
- [Neptune.5] Neptune DB clusters should have automated backups enabled
- [Neptune.6] Neptune DB cluster snapshots should be encrypted at rest
- [Neptune.7] Neptune DB clusters should have IAM database authentication enabled
- [Neptune.8] Neptune DB clusters should be configured to copy tags to snapshots
- [Neptune.9] Neptune DB clusters should be deployed across multiple Availability Zones
- [NetworkFirewall.1] Network Firewall firewalls should be deployed across multiple Availability Zones
- [NetworkFirewall.2] Network Firewall logging should be enabled
- [NetworkFirewall.3] Network Firewall policies should have at least one rule group associated
- [NetworkFirewall.6] Stateless Network Firewall rule group should not be empty
- [NetworkFirewall.9] Network Firewall firewalls should have deletion protection enabled
- [Opensearch.1] OpenSearch domains should have encryption at rest enabled
- [Opensearch.2] OpenSearch domains should not be publicly accessible
- [Opensearch.3] OpenSearch domains should encrypt data sent between nodes
- [Opensearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled
- [Opensearch.5] OpenSearch domains should have audit logging enabled
- [Opensearch.6] OpenSearch domains should have at least three data nodes
- [Opensearch.7] OpenSearch domains should have fine-grained access control enabled
- [Opensearch.10] OpenSearch domains should have the latest software update installed
- [Opensearch.11] OpenSearch domains should have at least three dedicated primary nodes
- [RDS.3] RDS DB instances should have encryption at-rest enabled
- [RDS.5] RDS DB instances should be configured with multiple Availability Zones
- [RDS.8] RDS DB instances should have deletion protection enabled
- [RDS.14] Amazon Aurora clusters should have backtracking enabled
- [RDS.16] RDS DB clusters should be configured to copy tags to snapshots
- [RDS.24] RDS Database clusters should use a custom administrator username
- [RDS.26] RDS DB instances should be protected by a backup plan
- [RDS.35] RDS DB clusters should have automatic minor version upgrade enabled
- [Redshift.3] Amazon Redshift clusters should have automatic snapshots enabled
- [Redshift.12] Redshift event notification subscriptions should be tagged
- [Route53.2] Route 53 public hosted zones should log DNS queries
- [S3.1] S3 general purpose buckets should have block public access settings enabled
- [S3.8] S3 general purpose buckets should block public access
- [SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access
- [SageMaker.2] SageMaker notebook instances should be launched in a custom VPC
- [SageMaker.3] Users should not have root access to SageMaker notebook instances
- [ServiceCatalog.1] Service Catalog portfolios should be shared within an Amazon organization only
- [SNS.1] SNS topics should be encrypted at-rest using Amazon KMS
- [StepFunctions.1] Step Functions state machines should have logging turned on
- [Transfer.1] Amazon Transfer Family workflows should be tagged
- [Transfer.2] Transfer Family servers should not use FTP protocol for endpoint connection
- [WAF.1] Amazon WAF Classic Global Web ACL logging should be enabled
- [WAF.2] Amazon WAF Classic Regional rules should have at least one condition
- [WAF.3] Amazon WAF Classic Regional rule groups should have at least one rule
- [WAF.4] Amazon WAF Classic Regional web ACLs should have at least one rule or rule group
- [WAF.6] Amazon WAF Classic global rules should have at least one condition
- [WAF.7] Amazon WAF Classic global rule groups should have at least one rule
- [WAF.8] Amazon WAF Classic global web ACLs should have at least one rule or rule group
- [WAF.10] Amazon WAF web ACLs should have at least one rule or rule group
Israel (Tel Aviv)
The following controls are not supported in Israel (Tel Aviv).
- [ACM.1] Imported and ACM-issued certificates should be renewed after a specified time period
- [ACM.2] RSA certificates managed by ACM should use a key length of at least 2,048 bits
- [APIGateway.8] API Gateway routes should specify an authorization type
- [APIGateway.9] Access logging should be configured for API Gateway V2 Stages
- [AppSync.2] Amazon AppSync should have field-level logging enabled
- [AppSync.5] Amazon AppSync GraphQL APIs should not be authenticated with API keys
- [Backup.1] Amazon Backup recovery points should be encrypted at rest
- [CloudFront.1] CloudFront distributions should have a default root object configured
- [CloudFront.3] CloudFront distributions should require encryption in transit
- [CloudFront.4] CloudFront distributions should have origin failover configured
- [CloudFront.5] CloudFront distributions should have logging enabled
- [CloudFront.6] CloudFront distributions should have WAF enabled
- [CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates
- [CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests
- [CloudFront.9] CloudFront distributions should encrypt traffic to custom origins
- [CloudFront.12] CloudFront distributions should not point to non-existent S3 origins
- [CloudFront.13] CloudFront distributions should use origin access control
- [CodeBuild.1] CodeBuild Bitbucket source repository URLs should not contain sensitive credentials
- [CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials
- [CodeBuild.4] CodeBuild project environments should have a logging Amazon Configuration
- [DataFirehose.1] Firehose delivery streams should be encrypted at rest
- [DMS.1] Database Migration Service replication instances should not be public
- [DMS.6] DMS replication instances should have automatic minor version upgrade enabled
- [DMS.7] DMS replication tasks for the target database should have logging enabled
- [DMS.8] DMS replication tasks for the source database should have logging enabled
- [DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled
- [DMS.11] DMS endpoints for MongoDB should have an authentication mechanism enabled
- [DocumentDB.1] Amazon DocumentDB clusters should be encrypted at rest
- [DocumentDB.2] Amazon DocumentDB clusters should have an adequate backup retention period
- [DocumentDB.3] Amazon DocumentDB manual cluster snapshots should not be public
- [DocumentDB.4] Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs
- [DocumentDB.5] Amazon DocumentDB clusters should have deletion protection enabled
- [DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest
- [DynamoDB.4] DynamoDB tables should be present in a backup plan
- [DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit
- [EC2.3] Attached Amazon EBS volumes should be encrypted at-rest
- [EC2.4] Stopped EC2 instances should be removed after a specified time period
- [EC2.13] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 22
- [EC2.14] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 3389
- [EC2.18] Security groups should only allow unrestricted incoming traffic for authorized ports
- [EC2.20] Both VPN tunnels for an Amazon Site-to-Site VPN connection should be up
- [EC2.22] Unused Amazon EC2 security groups should be removed
- [EC2.23] Amazon EC2 Transit Gateways should not automatically accept VPC attachment requests
- [EC2.24] Amazon EC2 paravirtual instance types should not be used
- [EC2.25] Amazon EC2 launch templates should not assign public IPs to network interfaces
- [EC2.51] EC2 Client VPN endpoints should have client connection logging enabled
- [ECR.2] ECR private repositories should have tag immutability configured
- [ECR.3] ECR repositories should have at least one lifecycle policy configured
- [ECS.1] Amazon ECS task definitions should have secure networking modes and user definitions.
- [ECS.9] ECS task definitions should have a logging configuration
- [EFS.1] Elastic File System should be configured to encrypt file data at-rest using Amazon KMS
- [EFS.6] EFS mount targets should not be associated with a public subnet
- [EKS.1] EKS cluster endpoints should not be publicly accessible
- [EKS.2] EKS clusters should run on a supported Kubernetes version
- [EKS.3] EKS clusters should use encrypted Kubernetes secrets
- [EKS.7] EKS identity provider configurations should be tagged
- [ELB.1] Application Load Balancer should be configured to redirect all HTTP requests to HTTPS
- [ELB.4] Application Load Balancer should be configured to drop http headers
- [ELB.6] Application, Gateway, and Network Load Balancers should have deletion protection enabled
- [ELB.13] Application, Network and Gateway Load Balancers should span multiple Availability Zones
- [ELB.16] Application Load Balancers should be associated with an Amazon WAF web ACL
- [ElastiCache.1] ElastiCache Redis clusters should have automatic backup enabled
- [ElastiCache.2] ElastiCache for Redis cache clusters should have auto minor version upgrade enabled
- [ElastiCache.3] ElastiCache for Redis replication groups should have automatic failover enabled
- [ElastiCache.4] ElastiCache for Redis replication groups should be encrypted at rest
- [ElastiCache.5] ElastiCache for Redis replication groups should be encrypted in transit
- [ElastiCache.6] ElastiCache for Redis replication groups before version 6.0 should use Redis AUTH
- [ElastiCache.7] ElastiCache clusters should not use the default subnet group
- [ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled
- [ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled
- [ElasticBeanstalk.3] Elastic Beanstalk should stream logs to CloudWatch
- [EMR.1] Amazon EMR cluster primary nodes should not have public IP addresses
- [ES.1] Elasticsearch domains should have encryption at-rest enabled
- [ES.2] Elasticsearch domains should not be publicly accessible
- [ES.3] Elasticsearch domains should encrypt data sent between nodes
- [ES.4] Elasticsearch domain error logging to CloudWatch Logs should be enabled
- [EventBridge.3] EventBridge custom event buses should have a resource-based policy attached
- [EventBridge.4] EventBridge global endpoints should have event replication enabled
- [FSx.1] FSx for OpenZFS file systems should be configured to copy tags to backups and volumes
- [FSx.2] FSx for Lustre file systems should be configured to copy tags to backups
- [GlobalAccelerator.1] Global Accelerator accelerators should be tagged
- [IAM.1] IAM policies should not allow full "*" administrative privileges
- [IAM.3] IAM users' access keys should be rotated every 90 days or less
- [IAM.5] MFA should be enabled for all IAM users that have a console password
- [IAM.7] Password policies for IAM users should have strong configurations
- [IAM.10] Password policies for IAM users should have strong Amazon Configurations
- [IAM.11] Ensure IAM password policy requires at least one uppercase letter
- [IAM.12] Ensure IAM password policy requires at least one lowercase letter
- [IAM.13] Ensure IAM password policy requires at least one symbol
- [IAM.14] Ensure IAM password policy requires at least one number
- [IAM.15] Ensure IAM password policy requires minimum password length of 14 or greater
- [IAM.17] Ensure IAM password policy expires passwords within 90 days or less
- [IAM.18] Ensure a support role has been created to manage incidents with Amazon Web Services Support
- [IAM.22] IAM user credentials unused for 45 days should be removed
- [IAM.26] Expired SSL/TLS certificates managed in IAM should be removed
- [IAM.27] IAM identities should not have the AWSCloudShellFullAccess policy attached
- [IAM.28] IAM Access Analyzer external access analyzer should be enabled
- [KMS.1] IAM customer managed policies should not allow decryption actions on all KMS keys
- [Lambda.5] VPC Lambda functions should operate in multiple Availability Zones
- [MQ.2] ActiveMQ brokers should stream audit logs to CloudWatch
- [MQ.3] Amazon MQ brokers should have automatic minor version upgrade enabled
- [MQ.5] ActiveMQ brokers should use active/standby deployment mode
- [MSK.1] MSK clusters should be encrypted in transit among broker nodes
- [MSK.2] MSK clusters should have enhanced monitoring configured
- [Neptune.2] Neptune DB clusters should publish audit logs to CloudWatch Logs
- [Neptune.3] Neptune DB cluster snapshots should not be public
- [Neptune.4] Neptune DB clusters should have deletion protection enabled
- [Neptune.5] Neptune DB clusters should have automated backups enabled
- [Neptune.6] Neptune DB cluster snapshots should be encrypted at rest
- [Neptune.7] Neptune DB clusters should have IAM database authentication enabled
- [Neptune.8] Neptune DB clusters should be configured to copy tags to snapshots
- [Neptune.9] Neptune DB clusters should be deployed across multiple Availability Zones
- [NetworkFirewall.1] Network Firewall firewalls should be deployed across multiple Availability Zones
- [NetworkFirewall.2] Network Firewall logging should be enabled
- [NetworkFirewall.3] Network Firewall policies should have at least one rule group associated
- [NetworkFirewall.6] Stateless Network Firewall rule group should not be empty
- [NetworkFirewall.9] Network Firewall firewalls should have deletion protection enabled
- [Opensearch.1] OpenSearch domains should have encryption at rest enabled
- [Opensearch.2] OpenSearch domains should not be publicly accessible
- [Opensearch.3] OpenSearch domains should encrypt data sent between nodes
- [Opensearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled
- [Opensearch.5] OpenSearch domains should have audit logging enabled
- [Opensearch.6] OpenSearch domains should have at least three data nodes
- [Opensearch.7] OpenSearch domains should have fine-grained access control enabled
- [Opensearch.10] OpenSearch domains should have the latest software update installed
- [Opensearch.11] OpenSearch domains should have at least three dedicated primary nodes
- [PCA.1] Amazon Private CA root certificate authority should be disabled
- [RDS.4] RDS cluster snapshots and database snapshots should be encrypted at rest
- [RDS.7] RDS clusters should have deletion protection enabled
- [RDS.8] RDS DB instances should have deletion protection enabled
- [RDS.12] IAM authentication should be configured for RDS clusters
- [RDS.14] Amazon Aurora clusters should have backtracking enabled
- [RDS.15] RDS DB clusters should be configured for multiple Availability Zones
- [RDS.16] RDS DB clusters should be configured to copy tags to snapshots
- [RDS.24] RDS Database clusters should use a custom administrator username
- [RDS.26] RDS DB instances should be protected by a backup plan
- [RDS.34] Aurora MySQL DB clusters should publish audit logs to CloudWatch Logs
- [RDS.35] RDS DB clusters should have automatic minor version upgrade enabled
- [Redshift.3] Amazon Redshift clusters should have automatic snapshots enabled
- [Redshift.8] Amazon Redshift clusters should not use the default Admin username
- [Redshift.9] Redshift clusters should not use the default database name
- [Redshift.12] Redshift event notification subscriptions should be tagged
- [Route53.2] Route 53 public hosted zones should log DNS queries
- [S3.1] S3 general purpose buckets should have block public access settings enabled
- [S3.2] S3 general purpose buckets should block public read access
- [S3.3] S3 general purpose buckets should block public write access
- [S3.8] S3 general purpose buckets should block public access
- [S3.9] S3 general purpose buckets should have server access logging enabled
- [SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access
- [SageMaker.2] SageMaker notebook instances should be launched in a custom VPC
- [SageMaker.3] Users should not have root access to SageMaker notebook instances
- [SecretsManager.1] Secrets Manager secrets should have automatic rotation enabled
- [SecretsManager.4] Secrets Manager secrets should be rotated within a specified number of days
- [ServiceCatalog.1] Service Catalog portfolios should be shared within an Amazon organization only
- [SNS.1] SNS topics should be encrypted at-rest using Amazon KMS
- [SSM.1] Amazon EC2 instances should be managed by Amazon Systems Manager
- [StepFunctions.1] Step Functions state machines should have logging turned on
- [StepFunctions.2] Step Functions activities should be tagged
- [Transfer.1] Amazon Transfer Family workflows should be tagged
- [Transfer.2] Transfer Family servers should not use FTP protocol for endpoint connection
- [WAF.1] Amazon WAF Classic Global Web ACL logging should be enabled
- [WAF.2] Amazon WAF Classic Regional rules should have at least one condition
- [WAF.3] Amazon WAF Classic Regional rule groups should have at least one rule
- [WAF.4] Amazon WAF Classic Regional web ACLs should have at least one rule or rule group
- [WAF.6] Amazon WAF Classic global rules should have at least one condition
- [WAF.7] Amazon WAF Classic global rule groups should have at least one rule
- [WAF.8] Amazon WAF Classic global web ACLs should have at least one rule or rule group
- [WAF.12] Amazon WAF rules should have CloudWatch metrics enabled
Middle East (Bahrain)
The following controls are not supported in Middle East (Bahrain).
- [CloudFront.1] CloudFront distributions should have a default root object configured
- [CloudFront.3] CloudFront distributions should require encryption in transit
- [CloudFront.4] CloudFront distributions should have origin failover configured
- [CloudFront.5] CloudFront distributions should have logging enabled
- [CloudFront.6] CloudFront distributions should have WAF enabled
- [CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates
- [CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests
- [CloudFront.9] CloudFront distributions should encrypt traffic to custom origins
- [CloudFront.12] CloudFront distributions should not point to non-existent S3 origins
- [CloudFront.13] CloudFront distributions should use origin access control
- [DataFirehose.1] Firehose delivery streams should be encrypted at rest
- [DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled
- [DMS.11] DMS endpoints for MongoDB should have an authentication mechanism enabled
- [DocumentDB.1] Amazon DocumentDB clusters should be encrypted at rest
- [DocumentDB.2] Amazon DocumentDB clusters should have an adequate backup retention period
- [DocumentDB.3] Amazon DocumentDB manual cluster snapshots should not be public
- [DocumentDB.4] Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs
- [DocumentDB.5] Amazon DocumentDB clusters should have deletion protection enabled
- [DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest
- [DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit
- [EC2.20] Both VPN tunnels for an Amazon Site-to-Site VPN connection should be up
- [EC2.23] Amazon EC2 Transit Gateways should not automatically accept VPC attachment requests
- [EC2.24] Amazon EC2 paravirtual instance types should not be used
- [EFS.6] EFS mount targets should not be associated with a public subnet
- [EKS.3] EKS clusters should use encrypted Kubernetes secrets
- [ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled
- [ElasticBeanstalk.3] Elastic Beanstalk should stream logs to CloudWatch
- [EventBridge.4] EventBridge global endpoints should have event replication enabled
- [FSx.1] FSx for OpenZFS file systems should be configured to copy tags to backups and volumes
- [FSx.2] FSx for Lustre file systems should be configured to copy tags to backups
- [GlobalAccelerator.1] Global Accelerator accelerators should be tagged
- [IAM.26] Expired SSL/TLS certificates managed in IAM should be removed
- [MQ.2] ActiveMQ brokers should stream audit logs to CloudWatch
- [MQ.3] Amazon MQ brokers should have automatic minor version upgrade enabled
- [Opensearch.11] OpenSearch domains should have at least three dedicated primary nodes
- [RDS.7] RDS clusters should have deletion protection enabled
- [RDS.12] IAM authentication should be configured for RDS clusters
- [RDS.14] Amazon Aurora clusters should have backtracking enabled
- [RDS.15] RDS DB clusters should be configured for multiple Availability Zones
- [RDS.16] RDS DB clusters should be configured to copy tags to snapshots
- [RDS.24] RDS Database clusters should use a custom administrator username
- [Redshift.6] Amazon Redshift should have automatic upgrades to major versions enabled
- [Route53.2] Route 53 public hosted zones should log DNS queries
- [ServiceCatalog.1] Service Catalog portfolios should be shared within an Amazon organization only
- [Transfer.2] Transfer Family servers should not use FTP protocol for endpoint connection
- [WAF.1] Amazon WAF Classic Global Web ACL logging should be enabled
- [WAF.6] Amazon WAF Classic global rules should have at least one condition
- [WAF.7] Amazon WAF Classic global rule groups should have at least one rule
- [WAF.8] Amazon WAF Classic global web ACLs should have at least one rule or rule group
Middle East (UAE)
The following controls are not supported in Middle East (UAE).
- [ACM.2] RSA certificates managed by ACM should use a key length of at least 2,048 bits
- [APIGateway.1] API Gateway REST and WebSocket API execution logging should be enabled
- [APIGateway.8] API Gateway routes should specify an authorization type
- [APIGateway.9] Access logging should be configured for API Gateway V2 Stages
- [AppSync.2] Amazon AppSync should have field-level logging enabled
- [AppSync.5] Amazon AppSync GraphQL APIs should not be authenticated with API keys
- [AutoScaling.1] Auto Scaling groups associated with a load balancer should use ELB health checks
- [Backup.1] Amazon Backup recovery points should be encrypted at rest
- [CloudFront.1] CloudFront distributions should have a default root object configured
- [CloudFront.3] CloudFront distributions should require encryption in transit
- [CloudFront.4] CloudFront distributions should have origin failover configured
- [CloudFront.5] CloudFront distributions should have logging enabled
- [CloudFront.6] CloudFront distributions should have WAF enabled
- [CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates
- [CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests
- [CloudFront.9] CloudFront distributions should encrypt traffic to custom origins
- [CloudFront.12] CloudFront distributions should not point to non-existent S3 origins
- [CloudFront.13] CloudFront distributions should use origin access control
- [CloudTrail.6] Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible
- [CloudWatch.15] CloudWatch alarms should have specified actions configured
- [CloudWatch.16] CloudWatch log groups should be retained for a specified time period
- [CloudWatch.17] CloudWatch alarm actions should be activated
- [CodeBuild.1] CodeBuild Bitbucket source repository URLs should not contain sensitive credentials
- [CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials
- [CodeBuild.4] CodeBuild project environments should have a logging Amazon Configuration
- [DataFirehose.1] Firehose delivery streams should be encrypted at rest
- [DMS.1] Database Migration Service replication instances should not be public
- [DMS.6] DMS replication instances should have automatic minor version upgrade enabled
- [DMS.7] DMS replication tasks for the target database should have logging enabled
- [DMS.8] DMS replication tasks for the source database should have logging enabled
- [DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled
- [DMS.11] DMS endpoints for MongoDB should have an authentication mechanism enabled
- [DocumentDB.1] Amazon DocumentDB clusters should be encrypted at rest
- [DocumentDB.2] Amazon DocumentDB clusters should have an adequate backup retention period
- [DocumentDB.3] Amazon DocumentDB manual cluster snapshots should not be public
- [DocumentDB.4] Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs
- [DocumentDB.5] Amazon DocumentDB clusters should have deletion protection enabled
- [DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest
- [DynamoDB.4] DynamoDB tables should be present in a backup plan
- [DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit
- [EC2.3] Attached Amazon EBS volumes should be encrypted at-rest
- [EC2.4] Stopped EC2 instances should be removed after a specified time period
- [EC2.8] EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)
- [EC2.13] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 22
- [EC2.14] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 3389
- [EC2.22] Unused Amazon EC2 security groups should be removed
- [EC2.23] Amazon EC2 Transit Gateways should not automatically accept VPC attachment requests
- [EC2.24] Amazon EC2 paravirtual instance types should not be used
- [EC2.25] Amazon EC2 launch templates should not assign public IPs to network interfaces
- [EC2.51] EC2 Client VPN endpoints should have client connection logging enabled
- [ECR.1] ECR private repositories should have image scanning configured
- [ECR.2] ECR private repositories should have tag immutability configured
- [ECR.3] ECR repositories should have at least one lifecycle policy configured
- [ECS.1] Amazon ECS task definitions should have secure networking modes and user definitions.
- [ECS.9] ECS task definitions should have a logging configuration
- [EFS.1] Elastic File System should be configured to encrypt file data at-rest using Amazon KMS
- [EFS.6] EFS mount targets should not be associated with a public subnet
- [EKS.1] EKS cluster endpoints should not be publicly accessible
- [EKS.2] EKS clusters should run on a supported Kubernetes version
- [EKS.3] EKS clusters should use encrypted Kubernetes secrets
- [ELB.1] Application Load Balancer should be configured to redirect all HTTP requests to HTTPS
- [ELB.3] Classic Load Balancer listeners should be configured with HTTPS or TLS termination
- [ELB.9] Classic Load Balancers should have cross-zone load balancing enabled
- [ELB.16] Application Load Balancers should be associated with an Amazon WAF web ACL
- [ElastiCache.1] ElastiCache Redis clusters should have automatic backup enabled
- [ElastiCache.2] ElastiCache for Redis cache clusters should have auto minor version upgrade enabled
- [ElastiCache.3] ElastiCache for Redis replication groups should have automatic failover enabled
- [ElastiCache.4] ElastiCache for Redis replication groups should be encrypted at rest
- [ElastiCache.5] ElastiCache for Redis replication groups should be encrypted in transit
- [ElastiCache.6] ElastiCache for Redis replication groups before version 6.0 should use Redis AUTH
- [ElastiCache.7] ElastiCache clusters should not use the default subnet group
- [ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled
- [ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled
- [ElasticBeanstalk.3] Elastic Beanstalk should stream logs to CloudWatch
- [EMR.1] Amazon EMR cluster primary nodes should not have public IP addresses
- [EventBridge.3] EventBridge custom event buses should have a resource-based policy attached
- [EventBridge.4] EventBridge global endpoints should have event replication enabled
- [FSx.1] FSx for OpenZFS file systems should be configured to copy tags to backups and volumes
- [FSx.2] FSx for Lustre file systems should be configured to copy tags to backups
- [GlobalAccelerator.1] Global Accelerator accelerators should be tagged
- [IAM.1] IAM policies should not allow full "*" administrative privileges
- [IAM.3] IAM users' access keys should be rotated every 90 days or less
- [IAM.5] MFA should be enabled for all IAM users that have a console password
- [IAM.18] Ensure a support role has been created to manage incidents with Amazon Web Services Support
- [IAM.22] IAM user credentials unused for 45 days should be removed
- [IAM.26] Expired SSL/TLS certificates managed in IAM should be removed
- [IAM.27] IAM identities should not have the AWSCloudShellFullAccess policy attached
- [KMS.1] IAM customer managed policies should not allow decryption actions on all KMS keys
- [Lambda.5] VPC Lambda functions should operate in multiple Availability Zones
- [Macie.2] Macie automated sensitive data discovery should be enabled
- [MQ.2] ActiveMQ brokers should stream audit logs to CloudWatch
- [MQ.3] Amazon MQ brokers should have automatic minor version upgrade enabled
- [MSK.1] MSK clusters should be encrypted in transit among broker nodes
- [MSK.2] MSK clusters should have enhanced monitoring configured
- [Neptune.2] Neptune DB clusters should publish audit logs to CloudWatch Logs
- [Neptune.3] Neptune DB cluster snapshots should not be public
- [Neptune.4] Neptune DB clusters should have deletion protection enabled
- [Neptune.5] Neptune DB clusters should have automated backups enabled
- [Neptune.6] Neptune DB cluster snapshots should be encrypted at rest
- [Neptune.7] Neptune DB clusters should have IAM database authentication enabled
- [Neptune.8] Neptune DB clusters should be configured to copy tags to snapshots
- [Neptune.9] Neptune DB clusters should be deployed across multiple Availability Zones
- [NetworkFirewall.1] Network Firewall firewalls should be deployed across multiple Availability Zones
- [NetworkFirewall.2] Network Firewall logging should be enabled
- [NetworkFirewall.3] Network Firewall policies should have at least one rule group associated
- [NetworkFirewall.6] Stateless Network Firewall rule group should not be empty
- [NetworkFirewall.7] Network Firewall firewalls should be tagged
- [NetworkFirewall.8] Network Firewall firewall policies should be tagged
- [NetworkFirewall.9] Network Firewall firewalls should have deletion protection enabled
- [Opensearch.1] OpenSearch domains should have encryption at rest enabled
- [Opensearch.2] OpenSearch domains should not be publicly accessible
- [Opensearch.3] OpenSearch domains should encrypt data sent between nodes
- [Opensearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled
- [Opensearch.5] OpenSearch domains should have audit logging enabled
- [Opensearch.6] OpenSearch domains should have at least three data nodes
- [Opensearch.7] OpenSearch domains should have fine-grained access control enabled
- [Opensearch.10] OpenSearch domains should have the latest software update installed
- [Opensearch.11] OpenSearch domains should have at least three dedicated primary nodes
- [RDS.3] RDS DB instances should have encryption at-rest enabled
- [RDS.5] RDS DB instances should be configured with multiple Availability Zones
- [RDS.6] Enhanced monitoring should be configured for RDS DB instances
- [RDS.8] RDS DB instances should have deletion protection enabled
- [RDS.11] RDS instances should have automatic backups enabled
- [RDS.14] Amazon Aurora clusters should have backtracking enabled
- [RDS.16] RDS DB clusters should be configured to copy tags to snapshots
- [RDS.24] RDS Database clusters should use a custom administrator username
- [RDS.26] RDS DB instances should be protected by a backup plan
- [RDS.35] RDS DB clusters should have automatic minor version upgrade enabled
- [Redshift.9] Redshift clusters should not use the default database name
- [Redshift.12] Redshift event notification subscriptions should be tagged
- [Route53.2] Route 53 public hosted zones should log DNS queries
- [S3.2] S3 general purpose buckets should block public read access
- [S3.3] S3 general purpose buckets should block public write access
- [S3.5] S3 general purpose buckets should require requests to use SSL
- [S3.14] S3 general purpose buckets should have versioning enabled
- [SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access
- [SageMaker.2] SageMaker notebook instances should be launched in a custom VPC
- [SageMaker.3] Users should not have root access to SageMaker notebook instances
- [SecretsManager.1] Secrets Manager secrets should have automatic rotation enabled
- [SecretsManager.4] Secrets Manager secrets should be rotated within a specified number of days
- [ServiceCatalog.1] Service Catalog portfolios should be shared within an Amazon organization only
- [SNS.1] SNS topics should be encrypted at-rest using Amazon KMS
- [SSM.1] Amazon EC2 instances should be managed by Amazon Systems Manager
- [StepFunctions.1] Step Functions state machines should have logging turned on
- [Transfer.1] Amazon Transfer Family workflows should be tagged
- [Transfer.2] Transfer Family servers should not use FTP protocol for endpoint connection
- [WAF.1] Amazon WAF Classic Global Web ACL logging should be enabled
- [WAF.2] Amazon WAF Classic Regional rules should have at least one condition
- [WAF.3] Amazon WAF Classic Regional rule groups should have at least one rule
- [WAF.4] Amazon WAF Classic Regional web ACLs should have at least one rule or rule group
- [WAF.6] Amazon WAF Classic global rules should have at least one condition
- [WAF.7] Amazon WAF Classic global rule groups should have at least one rule
- [WAF.8] Amazon WAF Classic global web ACLs should have at least one rule or rule group
- [WAF.10] Amazon WAF web ACLs should have at least one rule or rule group
South America (São Paulo)
The following controls are not supported in South America (São Paulo).
- [CloudFront.1] CloudFront distributions should have a default root object configured
- [CloudFront.3] CloudFront distributions should require encryption in transit
- [CloudFront.4] CloudFront distributions should have origin failover configured
- [CloudFront.5] CloudFront distributions should have logging enabled
- [CloudFront.6] CloudFront distributions should have WAF enabled
- [CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates
- [CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests
- [CloudFront.9] CloudFront distributions should encrypt traffic to custom origins
- [CloudFront.12] CloudFront distributions should not point to non-existent S3 origins
- [CloudFront.13] CloudFront distributions should use origin access control
- [DataFirehose.1] Firehose delivery streams should be encrypted at rest
- [DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled
- [DMS.11] DMS endpoints for MongoDB should have an authentication mechanism enabled
- [DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit
- [EFS.6] EFS mount targets should not be associated with a public subnet
- [EKS.3] EKS clusters should use encrypted Kubernetes secrets
- [FSx.1] FSx for OpenZFS file systems should be configured to copy tags to backups and volumes
- [FSx.2] FSx for Lustre file systems should be configured to copy tags to backups
- [GlobalAccelerator.1] Global Accelerator accelerators should be tagged
- [IAM.26] Expired SSL/TLS certificates managed in IAM should be removed
- [MQ.2] ActiveMQ brokers should stream audit logs to CloudWatch
- [MQ.3] Amazon MQ brokers should have automatic minor version upgrade enabled
- [Opensearch.11] OpenSearch domains should have at least three dedicated primary nodes
- [RDS.7] RDS clusters should have deletion protection enabled
- [RDS.12] IAM authentication should be configured for RDS clusters
- [RDS.14] Amazon Aurora clusters should have backtracking enabled
- [RDS.15] RDS DB clusters should be configured for multiple Availability Zones
- [RDS.16] RDS DB clusters should be configured to copy tags to snapshots
- [RDS.24] RDS Database clusters should use a custom administrator username
- [Route53.2] Route 53 public hosted zones should log DNS queries
- [ServiceCatalog.1] Service Catalog portfolios should be shared within an Amazon organization only
- [Transfer.2] Transfer Family servers should not use FTP protocol for endpoint connection
- [WAF.1] Amazon WAF Classic Global Web ACL logging should be enabled
- [WAF.6] Amazon WAF Classic global rules should have at least one condition
- [WAF.7] Amazon WAF Classic global rule groups should have at least one rule
- [WAF.8] Amazon WAF Classic global web ACLs should have at least one rule or rule group
Amazon GovCloud (US-East)
The following controls are not supported in Amazon GovCloud (US-East).
- [ACM.2] RSA certificates managed by ACM should use a key length of at least 2,048 bits
- [Account.1] Security contact information should be provided for an Amazon Web Services account
- [Account.2] Amazon Web Services accounts should be part of an Amazon Organizations organization
- [APIGateway.3] API Gateway REST API stages should have Amazon X-Ray tracing enabled
- [APIGateway.4] API Gateway should be associated with a WAF Web ACL
- [APIGateway.8] API Gateway routes should specify an authorization type
- [APIGateway.9] Access logging should be configured for API Gateway V2 Stages
- [AppSync.2] Amazon AppSync should have field-level logging enabled
- [AppSync.5] Amazon AppSync GraphQL APIs should not be authenticated with API keys
- [AutoScaling.2] Amazon EC2 Auto Scaling group should cover multiple Availability Zones
- [AutoScaling.9] Amazon EC2 Auto Scaling groups should use Amazon EC2 launch templates
- [CloudFront.1] CloudFront distributions should have a default root object configured
- [CloudFront.3] CloudFront distributions should require encryption in transit
- [CloudFront.4] CloudFront distributions should have origin failover configured
- [CloudFront.5] CloudFront distributions should have logging enabled
- [CloudFront.6] CloudFront distributions should have WAF enabled
- [CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates
- [CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests
- [CloudFront.9] CloudFront distributions should encrypt traffic to custom origins
- [CloudFront.12] CloudFront distributions should not point to non-existent S3 origins
- [CloudFront.13] CloudFront distributions should use origin access control
- [CloudWatch.15] CloudWatch alarms should have specified actions configured
- [CloudWatch.16] CloudWatch log groups should be retained for a specified time period
- [CloudWatch.17] CloudWatch alarm actions should be activated
- [CodeBuild.1] CodeBuild Bitbucket source repository URLs should not contain sensitive credentials
- [CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials
- [CodeBuild.4] CodeBuild project environments should have a logging Amazon Configuration
- [DataFirehose.1] Firehose delivery streams should be encrypted at rest
- [DMS.6] DMS replication instances should have automatic minor version upgrade enabled
- [DMS.7] DMS replication tasks for the target database should have logging enabled
- [DMS.8] DMS replication tasks for the source database should have logging enabled
- [DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled
- [DMS.11] DMS endpoints for MongoDB should have an authentication mechanism enabled
- [DocumentDB.1] Amazon DocumentDB clusters should be encrypted at rest
- [DocumentDB.2] Amazon DocumentDB clusters should have an adequate backup retention period
- [DocumentDB.3] Amazon DocumentDB manual cluster snapshots should not be public
- [DocumentDB.4] Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs
- [DocumentDB.5] Amazon DocumentDB clusters should have deletion protection enabled
- [DynamoDB.1] DynamoDB tables should automatically scale capacity with demand
- [DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest
- [DynamoDB.4] DynamoDB tables should be present in a backup plan
- [DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit
- [EC2.15] Amazon EC2 subnets should not automatically assign public IP addresses
- [EC2.16] Unused Network Access Control Lists should be removed
- [EC2.21] Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389
- [EC2.22] Unused Amazon EC2 security groups should be removed
- [EC2.23] Amazon EC2 Transit Gateways should not automatically accept VPC attachment requests
- [EC2.24] Amazon EC2 paravirtual instance types should not be used
- [EC2.25] Amazon EC2 launch templates should not assign public IPs to network interfaces
- [ECR.1] ECR private repositories should have image scanning configured
- [ECR.2] ECR private repositories should have tag immutability configured
- [ECR.3] ECR repositories should have at least one lifecycle policy configured
- [ECS.1] Amazon ECS task definitions should have secure networking modes and user definitions.
- [ECS.3] ECS task definitions should not share the host's process namespace
- [ECS.5] ECS containers should be limited to read-only access to root filesystems
- [ECS.8] Secrets should not be passed as container environment variables
- [ECS.9] ECS task definitions should have a logging configuration
- [ECS.10] ECS Fargate services should run on the latest Fargate platform version
- [EFS.6] EFS mount targets should not be associated with a public subnet
- [EKS.1] EKS cluster endpoints should not be publicly accessible
- [EKS.2] EKS clusters should run on a supported Kubernetes version
- [EKS.3] EKS clusters should use encrypted Kubernetes secrets
- [EKS.7] EKS identity provider configurations should be tagged
- [ELB.10] Classic Load Balancer should span multiple Availability Zones
- [ELB.13] Application, Network and Gateway Load Balancers should span multiple Availability Zones
- [ELB.16] Application Load Balancers should be associated with an Amazon WAF web ACL
- [ElastiCache.1] ElastiCache Redis clusters should have automatic backup enabled
- [ElastiCache.2] ElastiCache for Redis cache clusters should have auto minor version upgrade enabled
- [ElastiCache.3] ElastiCache for Redis replication groups should have automatic failover enabled
- [ElastiCache.4] ElastiCache for Redis replication groups should be encrypted at rest
- [ElastiCache.5] ElastiCache for Redis replication groups should be encrypted in transit
- [ElastiCache.6] ElastiCache for Redis replication groups before version 6.0 should use Redis AUTH
- [ElastiCache.7] ElastiCache clusters should not use the default subnet group
- [ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled
- [ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled
- [ElasticBeanstalk.3] Elastic Beanstalk should stream logs to CloudWatch
- [EMR.2] Amazon EMR block public access setting should be enabled
- [ES.4] Elasticsearch domain error logging to CloudWatch Logs should be enabled
- [EventBridge.3] EventBridge custom event buses should have a resource-based policy attached
- [EventBridge.4] EventBridge global endpoints should have event replication enabled
- [FSx.1] FSx for OpenZFS file systems should be configured to copy tags to backups and volumes
- [FSx.2] FSx for Lustre file systems should be configured to copy tags to backups
- [GlobalAccelerator.1] Global Accelerator accelerators should be tagged
- [IAM.26] Expired SSL/TLS certificates managed in IAM should be removed
- [IAM.28] IAM Access Analyzer external access analyzer should be enabled
- [Lambda.5] VPC Lambda functions should operate in multiple Availability Zones
- [Macie.2] Macie automated sensitive data discovery should be enabled
- [MQ.2] ActiveMQ brokers should stream audit logs to CloudWatch
- [MQ.3] Amazon MQ brokers should have automatic minor version upgrade enabled
- [MQ.5] ActiveMQ brokers should use active/standby deployment mode
- [MSK.1] MSK clusters should be encrypted in transit among broker nodes
- [MSK.2] MSK clusters should have enhanced monitoring configured
- [Neptune.2] Neptune DB clusters should publish audit logs to CloudWatch Logs
- [Neptune.3] Neptune DB cluster snapshots should not be public
- [Neptune.4] Neptune DB clusters should have deletion protection enabled
- [Neptune.5] Neptune DB clusters should have automated backups enabled
- [Neptune.6] Neptune DB cluster snapshots should be encrypted at rest
- [Neptune.7] Neptune DB clusters should have IAM database authentication enabled
- [Neptune.8] Neptune DB clusters should be configured to copy tags to snapshots
- [Neptune.9] Neptune DB clusters should be deployed across multiple Availability Zones
- [NetworkFirewall.1] Network Firewall firewalls should be deployed across multiple Availability Zones
- [NetworkFirewall.2] Network Firewall logging should be enabled
- [NetworkFirewall.3] Network Firewall policies should have at least one rule group associated
- [NetworkFirewall.6] Stateless Network Firewall rule group should not be empty
- [NetworkFirewall.7] Network Firewall firewalls should be tagged
- [NetworkFirewall.8] Network Firewall firewall policies should be tagged
- [NetworkFirewall.9] Network Firewall firewalls should have deletion protection enabled
- [Opensearch.1] OpenSearch domains should have encryption at rest enabled
- [Opensearch.2] OpenSearch domains should not be publicly accessible
- [Opensearch.3] OpenSearch domains should encrypt data sent between nodes
- [Opensearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled
- [Opensearch.5] OpenSearch domains should have audit logging enabled
- [Opensearch.6] OpenSearch domains should have at least three data nodes
- [Opensearch.7] OpenSearch domains should have fine-grained access control enabled
- [Opensearch.11] OpenSearch domains should have at least three dedicated primary nodes
- [PCA.1] Amazon Private CA root certificate authority should be disabled
- [RDS.12] IAM authentication should be configured for RDS clusters
- [RDS.13] RDS automatic minor version upgrades should be enabled
- [RDS.14] Amazon Aurora clusters should have backtracking enabled
- [RDS.15] RDS DB clusters should be configured for multiple Availability Zones
- [RDS.24] RDS Database clusters should use a custom administrator username
- [RDS.25] RDS database instances should use a custom administrator username
- [RDS.26] RDS DB instances should be protected by a backup plan
- [RDS.34] Aurora MySQL DB clusters should publish audit logs to CloudWatch Logs
- [RDS.35] RDS DB clusters should have automatic minor version upgrade enabled
- [Redshift.7] Redshift clusters should use enhanced VPC routing
- [Redshift.8] Amazon Redshift clusters should not use the default Admin username
- [Redshift.9] Redshift clusters should not use the default database name
- [Redshift.12] Redshift event notification subscriptions should be tagged
- [Redshift.14] Redshift cluster subnet groups should be tagged
- [Route53.2] Route 53 public hosted zones should log DNS queries
- [S3.1] S3 general purpose buckets should have block public access settings enabled
- [S3.8] S3 general purpose buckets should block public access
- [S3.10] S3 general purpose buckets with versioning enabled should have Lifecycle configurations
- [S3.11] S3 general purpose buckets should have event notifications enabled
- [S3.12] ACLs should not be used to manage user access to S3 general purpose buckets
- [S3.13] S3 general purpose buckets should have Lifecycle configurations
- [S3.14] S3 general purpose buckets should have versioning enabled
- [S3.20] S3 general purpose buckets should have MFA delete enabled
- [SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access
- [SageMaker.2] SageMaker notebook instances should be launched in a custom VPC
- [SageMaker.3] Users should not have root access to SageMaker notebook instances
- [SecretsManager.4] Secrets Manager secrets should be rotated within a specified number of days
- [ServiceCatalog.1] Service Catalog portfolios should be shared within an Amazon organization only
- [StepFunctions.1] Step Functions state machines should have logging turned on
- [StepFunctions.2] Step Functions activities should be tagged
- [Transfer.1] Amazon Transfer Family workflows should be tagged
- [Transfer.2] Transfer Family servers should not use FTP protocol for endpoint connection
- [WAF.1] Amazon WAF Classic Global Web ACL logging should be enabled
- [WAF.2] Amazon WAF Classic Regional rules should have at least one condition
- [WAF.3] Amazon WAF Classic Regional rule groups should have at least one rule
- [WAF.4] Amazon WAF Classic Regional web ACLs should have at least one rule or rule group
- [WAF.6] Amazon WAF Classic global rules should have at least one condition
- [WAF.7] Amazon WAF Classic global rule groups should have at least one rule
- [WAF.8] Amazon WAF Classic global web ACLs should have at least one rule or rule group
- [WAF.10] Amazon WAF web ACLs should have at least one rule or rule group
- [WAF.12] Amazon WAF rules should have CloudWatch metrics enabled
Amazon GovCloud (US-West)
The following controls are not supported in Amazon GovCloud (US-West).
- [ACM.2] RSA certificates managed by ACM should use a key length of at least 2,048 bits
- [Account.1] Security contact information should be provided for an Amazon Web Services account
- [Account.2] Amazon Web Services accounts should be part of an Amazon Organizations organization
- [APIGateway.3] API Gateway REST API stages should have Amazon X-Ray tracing enabled
- [APIGateway.4] API Gateway should be associated with a WAF Web ACL
- [APIGateway.8] API Gateway routes should specify an authorization type
- [APIGateway.9] Access logging should be configured for API Gateway V2 Stages
- [AppSync.2] Amazon AppSync should have field-level logging enabled
- [AppSync.5] Amazon AppSync GraphQL APIs should not be authenticated with API keys
- [AutoScaling.2] Amazon EC2 Auto Scaling group should cover multiple Availability Zones
- [AutoScaling.9] Amazon EC2 Auto Scaling groups should use Amazon EC2 launch templates
- [CloudFront.1] CloudFront distributions should have a default root object configured
- [CloudFront.3] CloudFront distributions should require encryption in transit
- [CloudFront.4] CloudFront distributions should have origin failover configured
- [CloudFront.5] CloudFront distributions should have logging enabled
- [CloudFront.6] CloudFront distributions should have WAF enabled
- [CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates
- [CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests
- [CloudFront.9] CloudFront distributions should encrypt traffic to custom origins
- [CloudFront.12] CloudFront distributions should not point to non-existent S3 origins
- [CloudFront.13] CloudFront distributions should use origin access control
- [CloudWatch.15] CloudWatch alarms should have specified actions configured
- [CloudWatch.16] CloudWatch log groups should be retained for a specified time period
- [CloudWatch.17] CloudWatch alarm actions should be activated
- [CodeBuild.1] CodeBuild Bitbucket source repository URLs should not contain sensitive credentials
- [CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials
- [CodeBuild.4] CodeBuild project environments should have a logging Amazon Configuration
- [DataFirehose.1] Firehose delivery streams should be encrypted at rest
- [DMS.6] DMS replication instances should have automatic minor version upgrade enabled
- [DMS.7] DMS replication tasks for the target database should have logging enabled
- [DMS.8] DMS replication tasks for the source database should have logging enabled
- [DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled
- [DMS.11] DMS endpoints for MongoDB should have an authentication mechanism enabled
- [DocumentDB.1] Amazon DocumentDB clusters should be encrypted at rest
- [DocumentDB.2] Amazon DocumentDB clusters should have an adequate backup retention period
- [DocumentDB.3] Amazon DocumentDB manual cluster snapshots should not be public
- [DocumentDB.4] Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs
- [DocumentDB.5] Amazon DocumentDB clusters should have deletion protection enabled
- [DynamoDB.1] DynamoDB tables should automatically scale capacity with demand
- [DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest
- [DynamoDB.4] DynamoDB tables should be present in a backup plan
- [DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit
- [EC2.15] Amazon EC2 subnets should not automatically assign public IP addresses
- [EC2.16] Unused Network Access Control Lists should be removed
- [EC2.21] Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389
- [EC2.22] Unused Amazon EC2 security groups should be removed
- [EC2.23] Amazon EC2 Transit Gateways should not automatically accept VPC attachment requests
- [EC2.24] Amazon EC2 paravirtual instance types should not be used
- [EC2.25] Amazon EC2 launch templates should not assign public IPs to network interfaces
- [ECR.1] ECR private repositories should have image scanning configured
- [ECR.2] ECR private repositories should have tag immutability configured
- [ECR.3] ECR repositories should have at least one lifecycle policy configured
- [ECS.1] Amazon ECS task definitions should have secure networking modes and user definitions.
- [ECS.3] ECS task definitions should not share the host's process namespace
- [ECS.5] ECS containers should be limited to read-only access to root filesystems
- [ECS.8] Secrets should not be passed as container environment variables
- [ECS.9] ECS task definitions should have a logging configuration
- [ECS.10] ECS Fargate services should run on the latest Fargate platform version
- [EFS.6] EFS mount targets should not be associated with a public subnet
- [EKS.1] EKS cluster endpoints should not be publicly accessible
- [EKS.2] EKS clusters should run on a supported Kubernetes version
- [EKS.3] EKS clusters should use encrypted Kubernetes secrets
- [EKS.7] EKS identity provider configurations should be tagged
- [ELB.10] Classic Load Balancer should span multiple Availability Zones
- [ELB.13] Application, Network and Gateway Load Balancers should span multiple Availability Zones
- [ELB.16] Application Load Balancers should be associated with an Amazon WAF web ACL
- [ElastiCache.1] ElastiCache Redis clusters should have automatic backup enabled
- [ElastiCache.2] ElastiCache for Redis cache clusters should have auto minor version upgrade enabled
- [ElastiCache.3] ElastiCache for Redis replication groups should have automatic failover enabled
- [ElastiCache.4] ElastiCache for Redis replication groups should be encrypted at rest
- [ElastiCache.5] ElastiCache for Redis replication groups should be encrypted in transit
- [ElastiCache.6] ElastiCache for Redis replication groups before version 6.0 should use Redis AUTH
- [ElastiCache.7] ElastiCache clusters should not use the default subnet group
- [ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled
- [ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled
- [ElasticBeanstalk.3] Elastic Beanstalk should stream logs to CloudWatch
- [EMR.2] Amazon EMR block public access setting should be enabled
- [ES.4] Elasticsearch domain error logging to CloudWatch Logs should be enabled
- [EventBridge.3] EventBridge custom event buses should have a resource-based policy attached
- [EventBridge.4] EventBridge global endpoints should have event replication enabled
- [FSx.1] FSx for OpenZFS file systems should be configured to copy tags to backups and volumes
- [FSx.2] FSx for Lustre file systems should be configured to copy tags to backups
- [GlobalAccelerator.1] Global Accelerator accelerators should be tagged
- [IAM.28] IAM Access Analyzer external access analyzer should be enabled
- [Lambda.5] VPC Lambda functions should operate in multiple Availability Zones
- [Macie.2] Macie automated sensitive data discovery should be enabled
- [MQ.2] ActiveMQ brokers should stream audit logs to CloudWatch
- [MQ.3] Amazon MQ brokers should have automatic minor version upgrade enabled
- [MQ.5] ActiveMQ brokers should use active/standby deployment mode
- [MSK.1] MSK clusters should be encrypted in transit among broker nodes
- [MSK.2] MSK clusters should have enhanced monitoring configured
- [Neptune.2] Neptune DB clusters should publish audit logs to CloudWatch Logs
- [Neptune.3] Neptune DB cluster snapshots should not be public
-
[Neptune.4] Neptune DB clusters should have deletion protection enabled
-
[Neptune.5] Neptune DB clusters should have automated backups enabled
-
[Neptune.6] Neptune DB cluster snapshots should be encrypted at rest
-
[Neptune.7] Neptune DB clusters should have IAM database authentication enabled
-
[Neptune.8] Neptune DB clusters should be configured to copy tags to snapshots
-
[Neptune.9] Neptune DB clusters should be deployed across multiple Availability Zones
-
[NetworkFirewall.1] Network Firewall firewalls should be deployed across multiple Availability Zones
-
[NetworkFirewall.2] Network Firewall logging should be enabled
-
[NetworkFirewall.3] Network Firewall policies should have at least one rule group associated
-
[NetworkFirewall.6] Stateless Network Firewall rule group should not be empty
-
[NetworkFirewall.7] Network Firewall firewalls should be tagged
-
[NetworkFirewall.8] Network Firewall firewall policies should be tagged
-
[NetworkFirewall.9] Network Firewall firewalls should have deletion protection enabled
-
[Opensearch.1] OpenSearch domains should have encryption at rest enabled
-
[Opensearch.2] OpenSearch domains should not be publicly accessible
-
[Opensearch.3] OpenSearch domains should encrypt data sent between nodes
-
[Opensearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled
-
[Opensearch.5] OpenSearch domains should have audit logging enabled
-
[Opensearch.6] OpenSearch domains should have at least three data nodes
-
[Opensearch.7] OpenSearch domains should have fine-grained access control enabled
-
[Opensearch.11] OpenSearch domains should have at least three dedicated primary nodes
-
[PCA.1] Amazon Private CA root certificate authority should be disabled
-
[RDS.12] IAM authentication should be configured for RDS clusters
-
[RDS.13] RDS automatic minor version upgrades should be enabled
-
[RDS.14] Amazon Aurora clusters should have backtracking enabled
-
[RDS.15] RDS DB clusters should be configured for multiple Availability Zones
-
[RDS.24] RDS Database clusters should use a custom administrator username
-
[RDS.25] RDS database instances should use a custom administrator username
-
[RDS.26] RDS DB instances should be protected by a backup plan
-
[RDS.34] Aurora MySQL DB clusters should publish audit logs to CloudWatch Logs
-
[RDS.35] RDS DB clusters should have automatic minor version upgrade enabled
-
[Redshift.7] Redshift clusters should use enhanced VPC routing
-
[Redshift.8] Amazon Redshift clusters should not use the default Admin username
-
[Redshift.9] Redshift clusters should not use the default database name
-
[Redshift.12] Redshift event notification subscriptions should be tagged
-
[Redshift.14] Redshift cluster subnet groups should be tagged
-
[Route53.2] Route 53 public hosted zones should log DNS queries
-
[S3.1] S3 general purpose buckets should have block public access settings enabled
-
[S3.8] S3 general purpose buckets should block public access
-
[S3.10] S3 general purpose buckets with versioning enabled should have Lifecycle configurations
-
[S3.11] S3 general purpose buckets should have event notifications enabled
-
[S3.12] ACLs should not be used to manage user access to S3 general purpose buckets
-
[S3.13] S3 general purpose buckets should have Lifecycle configurations
-
[S3.14] S3 general purpose buckets should have versioning enabled
-
[S3.20] S3 general purpose buckets should have MFA delete enabled
-
[SageMaker.2] SageMaker notebook instances should be launched in a custom VPC
-
[SageMaker.3] Users should not have root access to SageMaker notebook instances
-
[SecretsManager.4] Secrets Manager secrets should be rotated within a specified number of days
-
[ServiceCatalog.1] Service Catalog portfolios should be shared within an Amazon organization only
-
[StepFunctions.1] Step Functions state machines should have logging turned on
-
[StepFunctions.2] Step Functions activities should be tagged
-
[Transfer.1] Amazon Transfer Family workflows should be tagged
-
[Transfer.2] Transfer Family servers should not use FTP protocol for endpoint connection
-
[WAF.1] Amazon WAF Classic Global Web ACL logging should be enabled
-
[WAF.2] Amazon WAF Classic Regional rules should have at least one condition
-
[WAF.3] Amazon WAF Classic Regional rule groups should have at least one rule
-
[WAF.4] Amazon WAF Classic Regional web ACLs should have at least one rule or rule group
-
[WAF.6] Amazon WAF Classic global rules should have at least one condition
-
[WAF.7] Amazon WAF Classic global rule groups should have at least one rule
-
[WAF.8] Amazon WAF Classic global web ACLs should have at least one rule or rule group
-
[WAF.10] Amazon WAF web ACLs should have at least one rule or rule group
-
[WAF.12] Amazon WAF rules should have CloudWatch metrics enabled