Security Hub controls reference - Amazon Security Hub
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Security Hub controls reference

This controls reference provides a list of available Amazon Security Hub controls with links to more information about each control. The overview table displays the controls in alphabetical order by control ID. Only controls in active use by Security Hub are included here. Retired controls are excluded from this list. The table provides the following information for each control:

  • Security control ID – This ID applies across standards and indicates the Amazon Web Services service and resource that the control relates to. The Security Hub console displays security control IDs, regardless of whether consolidated control findings is turned on or off in your account. However, Security Hub findings reference security control IDs only if consolidated control findings is turned on in your account. If consolidated control findings is turned off in your account, some control IDs vary by standard in your control findings. For a mapping of standard-specific control IDs to security control IDs, see How consolidation impacts control IDs and titles.

    If you want to set up automations for security controls, we recommend filtering based on control ID rather than title or description. Whereas Security Hub may occasionally update control titles or descriptions, control IDs stay the same.

    Control IDs may skip numbers. These are placeholders for future controls.

  • Applicable standards – Indicates which standards a control applies to. Select a control to see specific requirements from third-party compliance frameworks.

  • Security control title – This title applies across standards. The Security Hub console displays security control titles, regardless of whether consolidated control findings is turned on or off in your account. However, Security Hub findings reference security control titles only if consolidated control findings is turned on in your account. If consolidated control findings is turned off in your account, some control titles vary by standard in your control findings. For a mapping of standard-specific control IDs to security control IDs, see How consolidation impacts control IDs and titles.

  • Severity – The severity of a control identifies its importance from a security standpoint. For information about how Security Hub determines control severity, see Severity level of control findings.

  • Schedule type – Indicates when the control is evaluated. For more information, see Schedule for running security checks.

  • Supports custom parameters – Indicates whether the control supports custom values for one or more parameters. Select a control to see the parameter details. For more information, see Understanding control parameters in Security Hub.

Select a control to view further details. Controls are listed in alphabetical order of the service name.

Security control ID Security control title Applicable standards Severity Supports custom parameters Schedule type
Account.1 Security contact information should be provided for an Amazon Web Services account CIS Amazon Foundations Benchmark v3.0.0, Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5 MEDIUM No Periodic
Account.2 Amazon Web Services account should be part of an Amazon Organizations organization NIST SP 800-53 Rev. 5 HIGH No Periodic
ACM.1 Imported and ACM-issued certificates should be renewed after a specified time period Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 MEDIUM Yes Change triggered and periodic
ACM.2 RSA certificates managed by ACM should use a key length of at least 2,048 bits Amazon Foundational Security Best Practices v1.0.0, PCI DSS v4.0.1 HIGH No Change triggered
ACM.3 ACM certificates should be tagged Amazon Resource Tagging Standard LOW Yes Change triggered
APIGateway.1 API Gateway REST and WebSocket API execution logging should be enabled Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5 MEDIUM Yes Change triggered
APIGateway.2 API Gateway REST API stages should be configured to use SSL certificates for backend authentication Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5 MEDIUM No Change triggered
APIGateway.3 API Gateway REST API stages should have Amazon X-Ray tracing enabled Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5 LOW No Change triggered
APIGateway.4 API Gateway should be associated with a WAF Web ACL Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5 MEDIUM No Change triggered
APIGateway.5 API Gateway REST API cache data should be encrypted at rest Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5 MEDIUM No Change triggered
APIGateway.8 API Gateway routes should specify an authorization type Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5 MEDIUM Yes Periodic
APIGateway.9 Access logging should be configured for API Gateway V2 Stages Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 MEDIUM No Change triggered
AppSync.1 Amazon AppSync API caches should be encrypted at rest Amazon Foundational Security Best Practices v1.0.0 MEDIUM No Change triggered
AppSync.2 Amazon AppSync should have field-level logging enabled Amazon Foundational Security Best Practices v1.0.0, PCI DSS v4.0.1 MEDIUM Yes Change triggered
AppSync.4 Amazon AppSync GraphQL APIs should be tagged Amazon Resource Tagging Standard LOW Yes Change triggered
AppSync.5 Amazon AppSync GraphQL APIs should not be authenticated with API keys Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 HIGH No Change triggered
AppSync.6 Amazon AppSync API caches should be encrypted in transit Amazon Foundational Security Best Practices v1.0.0 MEDIUM No Change triggered
Athena.2 Athena data catalogs should be tagged Amazon Resource Tagging Standard LOW Yes Change triggered
Athena.3 Athena workgroups should be tagged Amazon Resource Tagging Standard LOW Yes Change triggered
Athena.4 Athena workgroups should have logging enabled Amazon Foundational Security Best Practices v1.0.0 MEDIUM No Change triggered
AutoScaling.1 Auto Scaling groups associated with a load balancer should use ELB health checks Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5 LOW No Change triggered
AutoScaling.2 Amazon EC2 Auto Scaling group should cover multiple Availability Zones Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5 MEDIUM Yes Change triggered
AutoScaling.3 Auto Scaling group launch configurations should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2) Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 HIGH No Change triggered
Autoscaling.5 Amazon EC2 instances launched using Auto Scaling group launch configurations should not have Public IP addresses Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 HIGH No Change triggered
AutoScaling.6 Auto Scaling groups should use multiple instance types in multiple Availability Zones Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5 MEDIUM No Change triggered
AutoScaling.9 EC2 Auto Scaling groups should use EC2 launch templates Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5 MEDIUM No Change triggered
AutoScaling.10 EC2 Auto Scaling groups should be tagged Amazon Resource Tagging Standard LOW Yes Change triggered
Backup.1 Amazon Backup recovery points should be encrypted at rest Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 MEDIUM No Change triggered
Backup.2 Amazon Backup recovery points should be tagged Amazon Resource Tagging Standard LOW Yes Change triggered
Backup.3 Amazon Backup vaults should be tagged Amazon Resource Tagging Standard LOW Yes Change triggered
Backup.4 Amazon Backup report plans should be tagged Amazon Resource Tagging Standard LOW Yes Change triggered
Backup.5 Amazon Backup backup plans should be tagged Amazon Resource Tagging Standard LOW Yes Change triggered
CloudFormation.2 CloudFormation stacks should be tagged Amazon Resource Tagging Standard LOW Yes Change triggered
CloudFront.1 CloudFront distributions should have a default root object configured Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 HIGH No Change triggered
CloudFront.3 CloudFront distributions should require encryption in transit Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 MEDIUM No Change triggered
CloudFront.4 CloudFront distributions should have origin failover configured Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 LOW No Change triggered
CloudFront.5 CloudFront distributions should have logging enabled Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 MEDIUM No Change triggered
CloudFront.6 CloudFront distributions should have WAF enabled Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 MEDIUM No Change triggered
CloudFront.7 CloudFront distributions should use custom SSL/TLS certificates Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 MEDIUM No Change triggered
CloudFront.8 CloudFront distributions should use SNI to serve HTTPS requests Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 LOW No Change triggered
CloudFront.9 CloudFront distributions should encrypt traffic to custom origins Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 MEDIUM No Change triggered
CloudFront.10 CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 MEDIUM No Change triggered
CloudFront.12 CloudFront distributions should not point to non-existent S3 origins Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 HIGH No Periodic
CloudFront.13 CloudFront distributions should use origin access control Amazon Foundational Security Best Practices v1.0.0 MEDIUM No Change triggered
CloudFront.14 CloudFront distributions should be tagged Amazon Resource Tagging Standard LOW Yes Change triggered
CloudTrail.1 CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events CIS Amazon Foundations Benchmark v3.0.0, CIS Amazon Foundations Benchmark v1.4.0, CIS Amazon Foundations Benchmark v1.2.0, Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5 HIGH No Periodic
CloudTrail.2 CloudTrail should have encryption at-rest enabled CIS Amazon Foundations Benchmark v3.0.0, CIS Amazon Foundations Benchmark v1.2.0, CIS Amazon Foundations Benchmark v1.4.0 Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v3.2.1, PCI DSS v4.0.1, Service-Managed Standard: Amazon Control Tower MEDIUM No Periodic
CloudTrail.3 At least one CloudTrail trail should be enabled PCI DSS v3.2.1, PCI DSS v4.0.1 HIGH No Periodic
CloudTrail.4 CloudTrail log file validation should be enabled CIS Amazon Foundations Benchmark v3.0.0, CIS Amazon Foundations Benchmark v1.2.0, Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, PCI DSS v3.2.1, PCI DSS v4.0.1, CIS Amazon Foundations Benchmark v1.4.0, NIST SP 800-53 Rev. 5 LOW No Periodic
CloudTrail.5 CloudTrail trails should be integrated with Amazon CloudWatch Logs CIS Amazon Foundations Benchmark v1.2.0, CIS Amazon Foundations Benchmark v1.4.0, Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v3.2.1, PCI DSS v4.0.1, Service-Managed Standard: Amazon Control Tower LOW No Periodic
CloudTrail.6 Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible CIS Amazon Foundations Benchmark v1.2.0, CIS Amazon Foundations Benchmark v1.4.0, PCI DSS v4.0.1 CRITICAL No Change triggered and periodic
CloudTrail.7 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket CIS Amazon Foundations Benchmark v1.2.0, CIS Amazon Foundations Benchmark v1.4.0, CIS Amazon Foundations Benchmark v3.0.0, PCI DSS v4.0.1 LOW No Periodic
CloudTrail.9 CloudTrail trails should be tagged Amazon Resource Tagging Standard LOW Yes Change triggered
CloudWatch.1 A log metric filter and alarm should exist for usage of the "root" user CIS Amazon Foundations Benchmark v1.2.0, PCI DSS v3.2.1, CIS Amazon Foundations Benchmark v1.4.0 LOW No Periodic
CloudWatch.2 Ensure a log metric filter and alarm exist for unauthorized API calls CIS Amazon Foundations Benchmark v1.2.0 LOW No Periodic
CloudWatch.3 Ensure a log metric filter and alarm exist for Management Console sign-in without MFA CIS Amazon Foundations Benchmark v1.2.0 LOW No Periodic
CloudWatch.4 Ensure a log metric filter and alarm exist for IAM policy changes CIS Amazon Foundations Benchmark v1.2.0, CIS Amazon Foundations Benchmark v1.4.0 LOW No Periodic
CloudWatch.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes CIS Amazon Foundations Benchmark v1.2.0, CIS Amazon Foundations Benchmark v1.4.0 LOW No Periodic
CloudWatch.6 Ensure a log metric filter and alarm exist for Amazon Web Services Management Console authentication failures CIS Amazon Foundations Benchmark v1.2.0, CIS Amazon Foundations Benchmark v1.4.0 LOW No Periodic
CloudWatch.7 Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs CIS Amazon Foundations Benchmark v1.2.0, CIS Amazon Foundations Benchmark v1.4.0 LOW No Periodic
CloudWatch.8 Ensure a log metric filter and alarm exist for S3 bucket policy changes CIS Amazon Foundations Benchmark v1.2.0, CIS Amazon Foundations Benchmark v1.4.0 LOW No Periodic
CloudWatch.9 Ensure a log metric filter and alarm exist for Amazon Config configuration changes CIS Amazon Foundations Benchmark v1.2.0, CIS Amazon Foundations Benchmark v1.4.0 LOW No Periodic
CloudWatch.10 Ensure a log metric filter and alarm exist for security group changes CIS Amazon Foundations Benchmark v1.2.0, CIS Amazon Foundations Benchmark v1.4.0 LOW No Periodic
CloudWatch.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) CIS Amazon Foundations Benchmark v1.2.0, CIS Amazon Foundations Benchmark v1.4.0 LOW No Periodic
CloudWatch.12 Ensure a log metric filter and alarm exist for changes to network gateways CIS Amazon Foundations Benchmark v1.2.0, CIS Amazon Foundations Benchmark v1.4.0 LOW No Periodic
CloudWatch.13 Ensure a log metric filter and alarm exist for route table changes CIS Amazon Foundations Benchmark v1.2.0, CIS Amazon Foundations Benchmark v1.4.0 LOW No Periodic
CloudWatch.14 Ensure a log metric filter and alarm exist for VPC changes CIS Amazon Foundations Benchmark v1.2.0, CIS Amazon Foundations Benchmark v1.4.0 LOW No Periodic
CloudWatch.15 CloudWatch alarms should have specified actions configured NIST SP 800-53 Rev. 5 HIGH Yes Change triggered
CloudWatch.16 CloudWatch log groups should be retained for a specified time period NIST SP 800-53 Rev. 5 MEDIUM Yes Periodic
CloudWatch.17 CloudWatch alarm actions should be enabled NIST SP 800-53 Rev. 5 HIGH No Change triggered
CodeArtifact.1 CodeArtifact repositories should be tagged Amazon Resource Tagging Standard LOW Yes Change triggered
CodeBuild.1 CodeBuild Bitbucket source repository URLs should not contain sensitive credentials Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v3.2.1, PCI DSS v4.0.1, Service-Managed Standard: Amazon Control Tower CRITICAL No Change triggered
CodeBuild.2 CodeBuild project environment variables should not contain clear text credentials Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v3.2.1, PCI DSS v4.0.1, Service-Managed Standard: Amazon Control Tower CRITICAL No Change triggered
CodeBuild.3 CodeBuild S3 logs should be encrypted Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: Amazon Control Tower, LOW No Change triggered
CodeBuild.4 CodeBuild project environments should have a logging configuration Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5 MEDIUM No Change triggered
CodeBuild.7 CodeBuild report group exports should be encrypted at rest Amazon Foundational Security Best Practices v1.0.0 MEDIUM No Change triggered
Cognito.1 Cognito user pools should have threat protection activated with full function enforcement mode for standard authentication Amazon Foundational Security Best Practices v1.0.0 MEDIUM Yes Change triggered
Config.1 Amazon Config should be enabled and use the service-linked role for resource recording CIS Amazon Foundations Benchmark v3.0.0, CIS Amazon Foundations Benchmark v1.4.0, CIS Amazon Foundations Benchmark v1.2.0, Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v3.2.1 CRITICAL Yes Periodic
DataFirehose.1 Firehose delivery streams should be encrypted at rest Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 MEDIUM No Periodic
DataSync.1 DataSync tasks should have logging enabled Amazon Foundational Security Best Practices v1.0.0 MEDIUM No Change triggered
Detective.1 Detective behavior graphs should be tagged Amazon Resource Tagging Standard LOW Yes Change triggered
DMS.1 Database Migration Service replication instances should not be public Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v3.2.1, PCI DSS v4.0.1, Service-Managed Standard: Amazon Control Tower CRITICAL No Periodic
DMS.2 DMS certificates should be tagged Amazon Resource Tagging Standard LOW Yes Change triggered
DMS.3 DMS event subscriptions should be tagged Amazon Resource Tagging Standard LOW Yes Change triggered
DMS.4 DMS replication instances should be tagged Amazon Resource Tagging Standard LOW Yes Change triggered
DMS.5 DMS replication subnet groups should be tagged Amazon Resource Tagging Standard LOW Yes Change triggered
DMS.6 DMS replication instances should have automatic minor version upgrade enabled Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 MEDIUM No Change triggered
DMS.7 DMS replication tasks for the target database should have logging enabled Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 MEDIUM No Change triggered
DMS.8 DMS replication tasks for the source database should have logging enabled Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 MEDIUM No Change triggered
DMS.9 DMS endpoints should use SSL Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 MEDIUM No Change triggered
DMS.10 DMS endpoints for Neptune databases should have IAM authorization enabled Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 MEDIUM No Change triggered
DMS.11 DMS endpoints for MongoDB should have an authentication mechanism enabled Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 MEDIUM No Change triggered
DMS.12 DMS endpoints for Redis OSS should have TLS enabled Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 MEDIUM No Change triggered
DocumentDB.1 Amazon DocumentDB clusters should be encrypted at rest Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, Service-Managed Standard: Amazon Control Tower MEDIUM No Change triggered
DocumentDB.2 Amazon DocumentDB clusters should have an adequate backup retention period Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: Amazon Control Tower MEDIUM Yes Change triggered
DocumentDB.3 Amazon DocumentDB manual cluster snapshots should not be public Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 CRITICAL No Change triggered
DocumentDB.4 Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 MEDIUM No Change triggered
DocumentDB.5 Amazon DocumentDB clusters should have deletion protection enabled Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 MEDIUM No Change triggered
DynamoDB.1 DynamoDB tables should automatically scale capacity with demand Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5 MEDIUM Yes Periodic
DynamoDB.2 DynamoDB tables should have point-in-time recovery enabled Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5 MEDIUM No Change triggered
DynamoDB.3 DynamoDB Accelerator (DAX) clusters should be encrypted at rest Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 MEDIUM No Periodic
DynamoDB.4 DynamoDB tables should be present in a backup plan NIST SP 800-53 Rev. 5 MEDIUM Yes Periodic
DynamoDB.5 DynamoDB tables should be tagged Amazon Resource Tagging Standard LOW Yes Change triggered
DynamoDB.6 DynamoDB tables should have deletion protection enabled Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 MEDIUM No Change triggered
DynamoDB.7 DynamoDB Accelerator clusters should be encrypted in transit Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 MEDIUM No Periodic
EC2.1 EBS snapshots should not be publicly restorable Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5 CRITICAL No Periodic
EC2.2 VPC default security groups should not allow inbound or outbound traffic CIS Amazon Foundations Benchmark v3.0.0, CIS Amazon Foundations Benchmark v1.2.0, Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, PCI DSS v3.2.1, CIS Amazon Foundations Benchmark v1.4.0, NIST SP 800-53 Rev. 5 HIGH No Change triggered
EC2.3 Attached EBS volumes should be encrypted at-rest Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5 MEDIUM No Change triggered
EC2.4 Stopped EC2 instances should be removed after a specified time period Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5 MEDIUM Yes Periodic
EC2.6 VPC flow logging should be enabled in all VPCs CIS Amazon Foundations Benchmark v3.0.0, CIS Amazon Foundations Benchmark v1.2.0, Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, PCI DSS v3.2.1, CIS Amazon Foundations Benchmark v1.4.0, NIST SP 800-53 Rev. 5 MEDIUM No Periodic
EC2.7 EBS default encryption should be enabled CIS Amazon Foundations Benchmark v3.0.0, Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, CIS Amazon Foundations Benchmark v1.4.0, NIST SP 800-53 Rev. 5 MEDIUM No Periodic
EC2.8 EC2 instances should use Instance Metadata Service Version 2 (IMDSv2) CIS Amazon Foundations Benchmark v3.0.0, Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: Amazon Control Tower HIGH No Change triggered
EC2.9 EC2 instances should not have a public IPv4 address Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5 HIGH No Change triggered
EC2.10 Amazon EC2 should be configured to use VPC endpoints that are created for the Amazon EC2 service Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5 MEDIUM No Periodic
EC2.12 Unused EC2 EIPs should be removed PCI DSS v3.2.1, NIST SP 800-53 Rev. 5 LOW No Change triggered
EC2.13 Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 22 CIS Amazon Foundations Benchmark v1.2.0, PCI DSS v3.2.1, PCI DSS v4.0.1, NIST SP 800-53 Rev. 5 HIGH No Change triggered and periodic
EC2.14 Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 3389 CIS Amazon Foundations Benchmark v1.2.0, PCI DSS v4.0.1 HIGH No Change triggered and periodic
EC2.15 EC2 subnets should not automatically assign public IP addresses Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: Amazon Control Tower, MEDIUM No Change triggered
EC2.16 Unused Network Access Control Lists should be removed Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: Amazon Control Tower, LOW No Change triggered
EC2.17 EC2 instances should not use multiple ENIs Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5 LOW No Change triggered
EC2.18 Security groups should only allow unrestricted incoming traffic for authorized ports Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5 HIGH Yes Change triggered
EC2.19 Security groups should not allow unrestricted access to ports with high risk Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5 CRITICAL No Change triggered and periodic
EC2.20 Both VPN tunnels for an Amazon Site-to-Site VPN connection should be up Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5 MEDIUM No Change triggered
EC2.21 Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389 CIS Amazon Foundations Benchmark v3.0.0, CIS Amazon Foundations Benchmark v1.4.0, Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 MEDIUM No Change triggered
EC2.22 Unused EC2 security groups should be removed Service-Managed Standard: Amazon Control Tower MEDIUM No Periodic
EC2.23 EC2 Transit Gateways should not automatically accept VPC attachment requests Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 HIGH No Change triggered
EC2.24 EC2 paravirtual instance types should not be used Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 MEDIUM No Change triggered
EC2.25 EC2 launch templates should not assign public IPs to network interfaces Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: Amazon Control Tower HIGH No Change triggered
EC2.28 EBS volumes should be in a backup plan NIST SP 800-53 Rev. 5 LOW Yes Periodic
EC2.33 EC2 transit gateway attachments should be tagged Amazon Resource Tagging Standard LOW Yes Change triggered
EC2.34 EC2 transit gateway route tables should be tagged Amazon Resource Tagging Standard LOW Yes Change triggered
EC2.35 EC2 network interfaces should be tagged Amazon Resource Tagging Standard LOW Yes Change triggered
EC2.36 EC2 customer gateways should be tagged Amazon Resource Tagging Standard LOW Yes Change triggered
EC2.37 EC2 Elastic IP addresses should be tagged Amazon Resource Tagging Standard LOW Yes Change triggered
EC2.38 EC2 instances should be tagged Amazon Resource Tagging Standard LOW Yes Change triggered
EC2.39 EC2 internet gateways should be tagged Amazon Resource Tagging Standard LOW Yes Change triggered
EC2.40 EC2 NAT gateways should be tagged Amazon Resource Tagging Standard LOW Yes Change triggered
EC2.41 EC2 network ACLs should be tagged Amazon Resource Tagging Standard LOW Yes Change triggered
EC2.42 EC2 route tables should be tagged Amazon Resource Tagging Standard LOW Yes Change triggered
EC2.43 EC2 security groups should be tagged Amazon Resource Tagging Standard LOW Yes Change triggered
EC2.44 EC2 subnets should be tagged Amazon Resource Tagging Standard LOW Yes Change triggered
EC2.45 EC2 volumes should be tagged Amazon Resource Tagging Standard LOW Yes Change triggered
EC2.46 Amazon VPCs should be tagged Amazon Resource Tagging Standard LOW Yes Change triggered
EC2.47 Amazon VPC endpoint services should be tagged Amazon Resource Tagging Standard LOW Yes Change triggered
EC2.48 Amazon VPC flow logs should be tagged Amazon Resource Tagging Standard LOW Yes Change triggered
EC2.49 Amazon VPC peering connections should be tagged Amazon Resource Tagging Standard LOW Yes Change triggered
EC2.50 EC2 VPN gateways should be tagged Amazon Resource Tagging Standard LOW Yes Change triggered
EC2.51 EC2 Client VPN endpoints should have client connection logging enabled Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 LOW No Change triggered
EC2.52 EC2 transit gateways should be tagged Amazon Resource Tagging Standard LOW Yes Change triggered
EC2.53 EC2 security groups should not allow ingress from 0.0.0.0/0 to remote server administration ports CIS Amazon Foundations Benchmark v3.0.0, PCI DSS v4.0.1 HIGH No Periodic
EC2.54 EC2 security groups should not allow ingress from ::/0 to remote server administration ports CIS Amazon Foundations Benchmark v3.0.0, PCI DSS v4.0.1 HIGH No Periodic
EC2.55 VPCs should be configured with an interface endpoint for ECR API Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 MEDIUM Yes Periodic
EC2.56 VPCs should be configured with an interface endpoint for Docker Registry Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 MEDIUM Yes Periodic
EC2.57 VPCs should be configured with an interface endpoint for Systems Manager Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 MEDIUM Yes Periodic
EC2.58 VPCs should be configured with an interface endpoint for Systems Manager Incident Manager Contacts Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 MEDIUM Yes Periodic
EC2.60 VPCs should be configured with an interface endpoint for Systems Manager Incident Manager Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 MEDIUM Yes Periodic
EC2.170 EC2 launch templates should use Instance Metadata Service Version 2 (IMDSv2) Amazon Foundational Security Best Practices v1.0.0, PCI DSS v4.0.1 LOW No Change triggered
EC2.171 EC2 VPN connections should have logging enabled Amazon Foundational Security Best Practices v1.0.0, PCI DSS v4.0.1 MEDIUM No Change triggered
ECR.1 ECR private repositories should have image scanning configured Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: Amazon Control Tower HIGH No Periodic
ECR.2 ECR private repositories should have tag immutability configured Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5 MEDIUM No Change triggered
ECR.3 ECR repositories should have at least one lifecycle policy configured Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5 MEDIUM No Change triggered
ECR.4 ECR public repositories should be tagged Amazon Resource Tagging Standard LOW Yes Change triggered
ECS.1 Amazon ECS task definitions should have secure networking modes and user definitions. Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5 HIGH No Change triggered
ECS.2 ECS services should not have public IP addresses assigned to them automatically Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: Amazon Control Tower HIGH No Change triggered
ECS.3 ECS task definitions should not share the host's process namespace Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5 HIGH No Change triggered
ECS.4 ECS containers should run as non-privileged Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5 HIGH No Change triggered
ECS.5 ECS containers should be limited to read-only access to root filesystems Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5 HIGH No Change triggered
ECS.8 Secrets should not be passed as container environment variables Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: Amazon Control Tower HIGH No Change triggered
ECS.9 ECS task definitions should have a logging configuration Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 HIGH No Change triggered
ECS.10 ECS Fargate services should run on the latest Fargate platform version Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: Amazon Control Tower MEDIUM No Change triggered
ECS.12 ECS clusters should use Container Insights Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5 MEDIUM No Change triggered
ECS.13 ECS services should be tagged Amazon Resource Tagging Standard LOW Yes Change triggered
ECS.14 ECS clusters should be tagged Amazon Resource Tagging Standard LOW Yes Change triggered
ECS.15 ECS task definitions should be tagged Amazon Resource Tagging Standard LOW Yes Change triggered
ECS.16 ECS task sets should not automatically assign public IP addresses Amazon Foundational Security Best Practices v1.0.0, PCI DSS v4.0.1 HIGH No Change triggered
EFS.1 Elastic File System should be configured to encrypt file data at-rest using Amazon KMS CIS Amazon Foundations Benchmark v3.0.0, Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5 MEDIUM No Periodic
EFS.2 Amazon EFS volumes should be in backup plans Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5 MEDIUM No Periodic
EFS.3 EFS access points should enforce a root directory Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5 MEDIUM No Change triggered
EFS.4 EFS access points should enforce a user identity Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: Amazon Control Tower MEDIUM No Change triggered
EFS.5 EFS access points should be tagged Amazon Resource Tagging Standard LOW Yes Change triggered
EFS.6 EFS mount targets should not be associated with a public subnet Amazon Foundational Security Best Practices v1.0.0 MEDIUM No Periodic
EFS.7 EFS file systems should have automatic backups enabled Amazon Foundational Security Best Practices v1.0.0 MEDIUM No Change triggered
EFS.8 EFS file systems should be encrypted at rest Amazon Foundational Security Best Practices v1.0.0 MEDIUM Yes Change triggered
EKS.1 EKS cluster endpoints should not be publicly accessible Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 HIGH No Periodic
EKS.2 EKS clusters should run on a supported Kubernetes version Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: Amazon Control Tower HIGH No Change triggered
EKS.3 EKS clusters should use encrypted Kubernetes secrets Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 MEDIUM No Periodic
EKS.6 EKS clusters should be tagged Amazon Resource Tagging Standard LOW Yes Change triggered
EKS.7 EKS identity provider configurations should be tagged Amazon Resource Tagging Standard LOW Yes Change triggered
EKS.8 EKS clusters should have audit logging enabled Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 MEDIUM No Change triggered
ElastiCache.1 ElastiCache (Redis OSS) clusters should have automatic backups enabled Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 HIGH Yes Periodic
ElastiCache.2 ElastiCache clusters should have automatic minor version upgrades enabled Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 HIGH No Periodic
ElastiCache.3 ElastiCache replication groups should have automatic failover enabled Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 MEDIUM No Periodic
ElastiCache.4 ElastiCache replication groups should be encrypted-at-rest Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 MEDIUM No Periodic
ElastiCache.5 ElastiCache replication groups should be encrypted-in-transit Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 MEDIUM No Periodic
ElastiCache.6 ElastiCache (Redis OSS) replication groups of earlier versions should have Redis OSS AUTH enabled Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 MEDIUM No Periodic
ElastiCache.7 ElastiCache clusters should not use the default subnet group Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 HIGH No Periodic
ElasticBeanstalk.1 Elastic Beanstalk environments should have enhanced health reporting enabled Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5 LOW No Change triggered
ElasticBeanstalk.2 Elastic Beanstalk managed platform updates should be enabled Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: Amazon Control Tower HIGH Yes Change triggered
ElasticBeanstalk.3 Elastic Beanstalk should stream logs to CloudWatch Amazon Foundational Security Best Practices v1.0.0, PCI DSS v4.0.1 HIGH Yes Change triggered
ELB.1 Application Load Balancer should be configured to redirect all HTTP requests to HTTPS Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5 MEDIUM No Periodic
ELB.2 Classic Load Balancers with SSL/HTTPS listeners should use a certificate provided by Amazon Certificate Manager Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5 MEDIUM No Change triggered
ELB.3 Classic Load Balancer listeners should be configured with HTTPS or TLS termination Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: Amazon Control Tower MEDIUM No Change triggered
ELB.4 Application Load Balancer should be configured to drop http headers Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: Amazon Control Tower MEDIUM No Change triggered
ELB.5 Application and Classic Load Balancers logging should be enabled Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5 MEDIUM No Change triggered
ELB.6 Application, Gateway, and Network Load Balancers should have deletion protection enabled Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5 MEDIUM No Change triggered
ELB.7 Classic Load Balancers should have connection draining enabled Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5 MEDIUM No Change triggered
ELB.8 Classic Load Balancers with SSL listeners should use a predefined security policy that has strong configuration Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: Amazon Control Tower MEDIUM No Change triggered
ELB.9 Classic Load Balancers should have cross-zone load balancing enabled Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5 MEDIUM No Change triggered
ELB.10 Classic Load Balancer should span multiple Availability Zones Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5 MEDIUM Yes Change triggered
ELB.12 Application Load Balancer should be configured with defensive or strictest desync mitigation mode Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: Amazon Control Tower MEDIUM No Change triggered
ELB.13 Application, Network and Gateway Load Balancers should span multiple Availability Zones Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5 MEDIUM Yes Change triggered
ELB.14 Classic Load Balancer should be configured with defensive or strictest desync mitigation mode Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: Amazon Control Tower MEDIUM No Change triggered
ELB.16 Application Load Balancers should be associated with an Amazon WAF web ACL NIST SP 800-53 Rev. 5 MEDIUM No Change triggered
EMR.1 Amazon EMR cluster primary nodes should not have public IP addresses Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: Amazon Control Tower HIGH No Periodic
EMR.2 Amazon EMR block public access setting should be enabled Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 CRITICAL No Periodic
ES.1 Elasticsearch domains should have encryption at-rest enabled Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5 MEDIUM No Periodic
ES.2 Elasticsearch domains should not be publicly accessible Amazon Foundational Security Best Practices v1.0.0, PCI DSS v3.2.1, PCI DSS v4.0.1, NIST SP 800-53 Rev. 5, Service-Managed Standard: Amazon Control Tower CRITICAL No Periodic
ES.3 Elasticsearch domains should encrypt data sent between nodes Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: Amazon Control Tower, MEDIUM No Change triggered
ES.4 Elasticsearch domain error logging to CloudWatch Logs should be enabled Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5 MEDIUM No Change triggered
ES.5 Elasticsearch domains should have audit logging enabled Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, Service-Managed Standard: Amazon Control Tower MEDIUM No Change triggered
ES.6 Elasticsearch domains should have at least three data nodes Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5 MEDIUM No Change triggered
ES.7 Elasticsearch domains should be configured with at least three dedicated master nodes Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5 MEDIUM No Change triggered
ES.8 Connections to Elasticsearch domains should be encrypted using the latest TLS security policy Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: Amazon Control Tower MEDIUM No Change triggered
ES.9 Elasticsearch domains should be tagged Amazon Resource Tagging Standard LOW Yes Change triggered
EventBridge.2 EventBridge event buses should be tagged Amazon Resource Tagging Standard LOW Yes Change triggered
EventBridge.3 EventBridge custom event buses should have a resource-based policy attached Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 LOW No Change triggered
EventBridge.4 EventBridge global endpoints should have event replication enabled NIST SP 800-53 Rev. 5 MEDIUM No Change triggered
FSx.1 FSx for OpenZFS file systems should be configured to copy tags to backups and volumes Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 LOW No Periodic
FSx.2 FSx for Lustre file systems should be configured to copy tags to backups Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 LOW No Periodic
Glue.1 Amazon Glue jobs should be tagged Amazon Resource Tagging Standard LOW Yes Change triggered
Glue.2 Amazon Glue jobs should have logging enabled Amazon Foundational Security Best Practices v1.0.0 MEDIUM No Change triggered
Glue.3 Amazon Glue machine learning transforms should be encrypted at rest Amazon Foundational Security Best Practices v1.0.0 MEDIUM No Change triggered
GlobalAccelerator.1 Global Accelerator accelerators should be tagged Amazon Resource Tagging Standard LOW Yes Change triggered
GuardDuty.1 GuardDuty should be enabled Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v3.2.1, PCI DSS v4.0.1, Service-Managed Standard: Amazon Control Tower HIGH No Periodic
GuardDuty.2 GuardDuty filters should be tagged Amazon Resource Tagging Standard LOW Yes Change triggered
GuardDuty.3 GuardDuty IPSets should be tagged Amazon Resource Tagging Standard LOW Yes Change triggered
GuardDuty.4 GuardDuty detectors should be tagged Amazon Resource Tagging Standard LOW Yes Change triggered
GuardDuty.5 GuardDuty EKS Audit Log Monitoring should be enabled Amazon Foundational Security Best Practices v1.0.0 HIGH No Periodic
GuardDuty.6 GuardDuty Lambda Protection should be enabled Amazon Foundational Security Best Practices v1.0.0, PCI DSS v4.0.1 HIGH No Periodic
GuardDuty.7 GuardDuty EKS Runtime Monitoring should be enabled Amazon Foundational Security Best Practices v1.0.0, PCI DSS v4.0.1 MEDIUM No Periodic
GuardDuty.8 GuardDuty Malware Protection for EC2 should be enabled Amazon Foundational Security Best Practices v1.0.0 HIGH No Periodic
GuardDuty.9 GuardDuty RDS Protection should be enabled Amazon Foundational Security Best Practices v1.0.0, PCI DSS v4.0.1 HIGH No Periodic
GuardDuty.10 GuardDuty S3 Protection should be enabled Amazon Foundational Security Best Practices v1.0.0, PCI DSS v4.0.1 HIGH No Periodic
IAM.1 IAM policies should not allow full "*" administrative privileges CIS Amazon Foundations Benchmark v1.2.0, Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, PCI DSS v3.2.1, CIS Amazon Foundations Benchmark v1.4.0, NIST SP 800-53 Rev. 5 HIGH No Change triggered
IAM.2 IAM users should not have IAM policies attached CIS Amazon Foundations Benchmark v3.0.0, CIS Amazon Foundations Benchmark v1.2.0, Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5 LOW No Change triggered
IAM.3 IAM users' access keys should be rotated every 90 days or less CIS Amazon Foundations Benchmark v3.0.0, CIS Amazon Foundations Benchmark v1.4.0, CIS Amazon Foundations Benchmark v1.2.0, Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: Amazon Control Tower MEDIUM No Periodic
IAM.4 IAM root user access key should not exist CIS Amazon Foundations Benchmark v3.0.0, CIS Amazon Foundations Benchmark v1.4.0, CIS Amazon Foundations Benchmark v1.2.0, Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5 CRITICAL No Periodic
IAM.5 MFA should be enabled for all IAM users that have a console password CIS Amazon Foundations Benchmark v3.0.0, CIS Amazon Foundations Benchmark v1.4.0, CIS Amazon Foundations Benchmark v1.2.0, Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: Amazon Control Tower MEDIUM No Periodic
IAM.6 Hardware MFA should be enabled for the root user CIS Amazon Foundations Benchmark v3.0.0, CIS Amazon Foundations Benchmark v1.4.0, CIS Amazon Foundations Benchmark v1.2.0, Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v3.2.1, PCI DSS v4.0.1, Service-Managed Standard: Amazon Control Tower CRITICAL No Periodic
IAM.7 Password policies for IAM users should have strong configurations Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: Amazon Control Tower MEDIUM Yes Periodic
IAM.8 Unused IAM user credentials should be removed CIS Amazon Foundations Benchmark v1.2.0, Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v3.2.1, PCI DSS v4.0.1, Service-Managed Standard: Amazon Control Tower MEDIUM No Periodic
IAM.9 MFA should be enabled for the root user CIS Amazon Foundations Benchmark v3.0.0, CIS Amazon Foundations Benchmark v1.4.0, CIS Amazon Foundations Benchmark v1.2.0, NIST SP 800-53 Rev. 5, PCI DSS v3.2.1, PCI DSS v4.0.1 CRITICAL No Periodic
IAM.10 Password policies for IAM users should have strong configurations PCI DSS v3.2.1, PCI DSS v4.0.1 MEDIUM No Periodic
IAM.11 Ensure IAM password policy requires at least one uppercase letter CIS Amazon Foundations Benchmark v1.2.0, PCI DSS v4.0.1 MEDIUM No Periodic
IAM.12 Ensure IAM password policy requires at least one lowercase letter CIS Amazon Foundations Benchmark v1.2.0, PCI DSS v4.0.1 MEDIUM No Periodic
IAM.13 Ensure IAM password policy requires at least one symbol CIS Amazon Foundations Benchmark v1.2.0, PCI DSS v4.0.1 MEDIUM No Periodic
IAM.14 Ensure IAM password policy requires at least one number CIS Amazon Foundations Benchmark v1.2.0, PCI DSS v4.0.1 MEDIUM No Periodic
IAM.15 Ensure IAM password policy requires minimum password length of 14 or greater CIS Amazon Foundations Benchmark v3.0.0, CIS Amazon Foundations Benchmark v1.4.0, CIS Amazon Foundations Benchmark v1.2.0 MEDIUM No Periodic
IAM.16 Ensure IAM password policy prevents password reuse CIS Amazon Foundations Benchmark v3.0.0, CIS Amazon Foundations Benchmark v1.4.0, CIS Amazon Foundations Benchmark v1.2.0, PCI DSS v4.0.1 LOW No Periodic
IAM.17 Ensure IAM password policy expires passwords within 90 days or less CIS Amazon Foundations Benchmark v1.2.0, PCI DSS v4.0.1 LOW No Periodic
IAM.18 Ensure a support role has been created to manage incidents with Amazon Web Services Support CIS Amazon Foundations Benchmark v3.0.0, CIS Amazon Foundations Benchmark v1.4.0, CIS Amazon Foundations Benchmark v1.2.0, PCI DSS v4.0.1 LOW No Periodic
IAM.19 MFA should be enabled for all IAM users NIST SP 800-53 Rev. 5, PCI DSS v3.2.1, PCI DSS v4.0.1 MEDIUM No Periodic
IAM.21 IAM customer managed policies that you create should not allow wildcard actions for services Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5 LOW No Change triggered
IAM.22 IAM user credentials unused for 45 days should be removed CIS Amazon Foundations Benchmark v3.0.0, CIS Amazon Foundations Benchmark v1.4.0 MEDIUM No Periodic
IAM.23 IAM Access Analyzer analyzers should be tagged Amazon Resource Tagging Standard LOW Yes Change triggered
IAM.24 IAM roles should be tagged Amazon Resource Tagging Standard LOW Yes Change triggered
IAM.25 IAM users should be tagged Amazon Resource Tagging Standard LOW Yes Change triggered
IAM.26 Expired SSL/TLS certificates managed in IAM should be removed CIS Amazon Foundations Benchmark v3.0.0 MEDIUM No Periodic
IAM.27 IAM identities should not have the AWSCloudShellFullAccess policy attached CIS Amazon Foundations Benchmark v3.0.0 MEDIUM No Change triggered
IAM.28 IAM Access Analyzer external access analyzer should be enabled CIS Amazon Foundations Benchmark v3.0.0 HIGH No Periodic
Inspector.1 Amazon Inspector EC2 scanning should be enabled Amazon Foundational Security Best Practices v1.0.0, PCI DSS v4.0.1 HIGH No Periodic
Inspector.2 Amazon Inspector ECR scanning should be enabled Amazon Foundational Security Best Practices v1.0.0, PCI DSS v4.0.1 HIGH No Periodic
Inspector.3 Amazon Inspector Lambda code scanning should be enabled Amazon Foundational Security Best Practices v1.0.0, PCI DSS v4.0.1 HIGH No Periodic
Inspector.4 Amazon Inspector Lambda standard scanning should be enabled Amazon Foundational Security Best Practices v1.0.0, PCI DSS v4.0.1 HIGH No Periodic
IoT.1 Amazon IoT Device Defender security profiles should be tagged Amazon Resource Tagging Standard LOW Yes Change triggered
IoT.2 Amazon IoT Core mitigation actions should be tagged Amazon Resource Tagging Standard LOW Yes Change triggered
IoT.3 Amazon IoT Core dimensions should be tagged Amazon Resource Tagging Standard LOW Yes Change triggered
IoT.4 Amazon IoT Core authorizers should be tagged Amazon Resource Tagging Standard LOW Yes Change triggered
IoT.5 Amazon IoT Core role aliases should be tagged Amazon Resource Tagging Standard LOW Yes Change triggered
IoT.6 Amazon IoT Core policies should be tagged Amazon Resource Tagging Standard LOW Yes Change triggered
Kinesis.1 Kinesis streams should be encrypted at rest Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5 MEDIUM No Change triggered
Kinesis.2 Kinesis streams should be tagged Amazon Resource Tagging Standard LOW Yes Change triggered
Kinesis.3 Kinesis streams should have an adequate data retention period Amazon Foundational Security Best Practices v1.0.0 MEDIUM Yes Change triggered
KMS.1 IAM customer managed policies should not allow decryption actions on all KMS keys Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5 MEDIUM No Change triggered
KMS.2 IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5 MEDIUM No Change triggered
KMS.3 Amazon KMS keys should not be deleted unintentionally Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5 CRITICAL No Change triggered
KMS.4 Amazon KMS key rotation should be enabled CIS Amazon Foundations Benchmark v3.0.0, CIS Amazon Foundations Benchmark v1.4.0, CIS Amazon Foundations Benchmark v1.2.0, NIST SP 800-53 Rev. 5, PCI DSS v3.2.1, PCI DSS v4.0.1 MEDIUM No Periodic
KMS.5 KMS keys should not be publicly accessible Amazon Foundational Security Best Practices v1.0.0 CRITICAL No Change triggered
Lambda.1 Lambda function policies should prohibit public access Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v3.2.1, PCI DSS v4.0.1, Service-Managed Standard: Amazon Control Tower CRITICAL No Change triggered
Lambda.2 Lambda functions should use supported runtimes Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: Amazon Control Tower MEDIUM No Change triggered
Lambda.3 Lambda functions should be in a VPC PCI DSS v3.2.1, NIST SP 800-53 Rev. 5 LOW No Change triggered
Lambda.5 VPC Lambda functions should operate in multiple Availability Zones Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5 MEDIUM Yes Change triggered
Lambda.6 Lambda functions should be tagged Amazon Resource Tagging Standard LOW Yes Change triggered
Macie.1 Amazon Macie should be enabled Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 MEDIUM No Periodic
Macie.2 Macie automated sensitive data discovery should be enabled Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 HIGH No Periodic
MSK.1 MSK clusters should be encrypted in transit among broker nodes Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 MEDIUM No Change triggered
MSK.2 MSK clusters should have enhanced monitoring configured NIST SP 800-53 Rev. 5 LOW No Change triggered
MSK.3 MSK Connect connectors should be encrypted in transit Amazon Foundational Security Best Practices v1.0.0, PCI DSS v4.0.1 MEDIUM N Change triggered
MQ.2 ActiveMQ brokers should stream audit logs to CloudWatch Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 MEDIUM No Change triggered
MQ.3 Amazon MQ brokers should have automatic minor version upgrade enabled Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 LOW No Change triggered
MQ.4 Amazon MQ brokers should be tagged Amazon Resource Tagging Standard LOW Yes Change triggered
MQ.5 ActiveMQ brokers should use active/standby deployment mode NIST SP 800-53 Rev. 5, Service-Managed Standard: Amazon Control Tower LOW No Change triggered
MQ.6 RabbitMQ brokers should use cluster deployment mode NIST SP 800-53 Rev. 5, Service-Managed Standard: Amazon Control Tower LOW No Change triggered
Neptune.1 Neptune DB clusters should be encrypted at rest Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, Service-Managed Standard: Amazon Control Tower MEDIUM No Change triggered
Neptune.2 Neptune DB clusters should publish audit logs to CloudWatch Logs Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: Amazon Control Tower MEDIUM No Change triggered
Neptune.3 Neptune DB cluster snapshots should not be public Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: Amazon Control Tower CRITICAL No Change triggered
Neptune.4 Neptune DB clusters should have deletion protection enabled Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, Service-Managed Standard: Amazon Control Tower LOW No Change triggered
Neptune.5 Neptune DB clusters should have automated backups enabled Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, Service-Managed Standard: Amazon Control Tower MEDIUM Yes Change triggered
Neptune.6 Neptune DB cluster snapshots should be encrypted at rest Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, Service-Managed Standard: Amazon Control Tower MEDIUM No Change triggered
Neptune.7 Neptune DB clusters should have IAM database authentication enabled Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, Service-Managed Standard: Amazon Control Tower MEDIUM No Change triggered
Neptune.8 Neptune DB clusters should be configured to copy tags to snapshots Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, Service-Managed Standard: Amazon Control Tower LOW No Change triggered
Neptune.9 Neptune DB clusters should be deployed across multiple Availability Zones NIST SP 800-53 Rev. 5 MEDIUM No Change triggered
NetworkFirewall.1 Network Firewall firewalls should be deployed across multiple Availability Zones NIST SP 800-53 Rev. 5 MEDIUM No Change triggered
NetworkFirewall.2 Network Firewall logging should be enabled Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 MEDIUM No Periodic
NetworkFirewall.3 Network Firewall policies should have at least one rule group associated Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5 MEDIUM No Change triggered
NetworkFirewall.4 The default stateless action for Network Firewall policies should be drop or forward for full packets Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5 MEDIUM No Change triggered
NetworkFirewall.5 The default stateless action for Network Firewall policies should be drop or forward for fragmented packets Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5 MEDIUM No Change triggered
NetworkFirewall.6 Stateless network firewall rule group should not be empty Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5 MEDIUM No Change triggered
NetworkFirewall.7 Network Firewall firewalls should be tagged Amazon Resource Tagging Standard LOW Yes Change triggered
NetworkFirewall.8 Network Firewall firewall policies should be tagged Amazon Resource Tagging Standard LOW Yes Change triggered
NetworkFirewall.9 Network Firewall firewalls should have deletion protection enabled Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 MEDIUM No Change triggered
Opensearch.1 OpenSearch domains should have encryption at rest enabled Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5 MEDIUM No Change triggered
Opensearch.2 OpenSearch domains should not be publicly accessible Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5 CRITICAL No Change triggered
Opensearch.3 OpenSearch domains should encrypt data sent between nodes Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5 MEDIUM No Change triggered
Opensearch.4 OpenSearch domain error logging to CloudWatch Logs should be enabled Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5 MEDIUM No Change triggered
Opensearch.5 OpenSearch domains should have audit logging enabled Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: Amazon Control Tower MEDIUM No Change triggered
Opensearch.6 OpenSearch domains should have at least three data nodes Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5 MEDIUM No Change triggered
Opensearch.7 OpenSearch domains should have fine-grained access control enabled Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5 HIGH No Change triggered
Opensearch.8 Connections to OpenSearch domains should be encrypted using the latest TLS security policy Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5 MEDIUM No Change triggered
Opensearch.9 OpenSearch domains should be tagged Amazon Resource Tagging Standard LOW Yes Change triggered
Opensearch.10 OpenSearch domains should have the latest software update installed Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 LOW No Change triggered
Opensearch.11 OpenSearch domains should have at least three dedicated primary nodes NIST SP 800-53 Rev. 5 LOW No Periodic
PCA.1 Amazon Private CA root certificate authority should be disabled Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 LOW No Periodic
RDS.1 RDS snapshot should be private Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5 CRITICAL No Change triggered
RDS.2 RDS DB Instances should prohibit public access, as determined by the PubliclyAccessible configuration CIS Amazon Foundations Benchmark v3.0.0, Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5, PCI DSS v3.2.1, PCI DSS v4.0.1 CRITICAL No Change triggered
RDS.3 RDS DB instances should have encryption at-rest enabled CIS Amazon Foundations Benchmark v3.0.0, CIS Amazon Foundations Benchmark v1.4.0, Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5 MEDIUM No Change triggered
RDS.4 RDS cluster snapshots and database snapshots should be encrypted at rest Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5 MEDIUM No Change triggered
RDS.5 RDS DB instances should be configured with multiple Availability Zones Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5 MEDIUM No Change triggered
RDS.6 Enhanced monitoring should be configured for RDS DB instances Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5 LOW Yes Change triggered
RDS.7 RDS clusters should have deletion protection enabled Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 LOW No Change triggered
RDS.8 RDS DB instances should have deletion protection enabled Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5 LOW No Change triggered
RDS.9 RDS DB instances should publish logs to CloudWatch Logs Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: Amazon Control Tower MEDIUM No Change triggered
RDS.10 IAM authentication should be configured for RDS instances Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5 MEDIUM No Change triggered
RDS.11 RDS instances should have automatic backups enabled Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5 MEDIUM Yes Change triggered
RDS.12 IAM authentication should be configured for RDS clusters Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 MEDIUM No Change triggered
RDS.13 RDS automatic minor version upgrades should be enabled CIS Amazon Foundations Benchmark v3.0.0, Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: Amazon Control Tower HIGH No Change triggered
RDS.14 Amazon Aurora clusters should have backtracking enabled Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 MEDIUM Yes Change triggered
RDS.15 RDS DB clusters should be configured for multiple Availability Zones Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 MEDIUM No Change triggered
RDS.16 RDS DB clusters should be configured to copy tags to snapshots Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 LOW No Change triggered
RDS.17 RDS DB instances should be configured to copy tags to snapshots Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5 LOW No Change triggered
RDS.18 RDS instances should be deployed in a VPC Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5 HIGH No Change triggered
RDS.19 Existing RDS event notification subscriptions should be configured for critical cluster events Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5 LOW No Change triggered
RDS.20 Existing RDS event notification subscriptions should be configured for critical database instance events Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: Amazon Control Tower LOW No Change triggered
RDS.21 An RDS event notifications subscription should be configured for critical database parameter group events Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: Amazon Control Tower LOW No Change triggered
RDS.22 An RDS event notifications subscription should be configured for critical database security group events Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: Amazon Control Tower LOW No Change triggered
RDS.23 RDS instances should not use a database engine default port Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5 LOW No Change triggered
RDS.24 RDS Database Clusters should use a custom administrator username Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 MEDIUM No Change triggered
RDS.25 RDS database instances should use a custom administrator username Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: Amazon Control Tower MEDIUM No Change triggered
RDS.26 RDS DB instances should be protected by a backup plan NIST SP 800-53 Rev. 5 MEDIUM Yes Periodic
RDS.27 RDS DB clusters should be encrypted at rest Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, Service-Managed Standard: Amazon Control Tower MEDIUM No Change triggered
RDS.28 RDS DB clusters should be tagged Amazon Resource Tagging Standard LOW Yes Change triggered
RDS.29 RDS DB cluster snapshots should be tagged Amazon Resource Tagging Standard LOW Yes Change triggered
RDS.30 RDS DB instances should be tagged Amazon Resource Tagging Standard LOW Yes Change triggered
RDS.31 RDS DB security groups should be tagged Amazon Resource Tagging Standard LOW Yes Change triggered
RDS.32 RDS DB snapshots should be tagged Amazon Resource Tagging Standard LOW Yes Change triggered
RDS.33 RDS DB subnet groups should be tagged Amazon Resource Tagging Standard LOW Yes Change triggered
RDS.34 Aurora MySQL DB clusters should publish audit logs to CloudWatch Logs Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 MEDIUM No Change triggered
RDS.35 RDS DB clusters should have automatic minor version upgrade enabled Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 MEDIUM No Change triggered
RDS.36 RDS for PostgreSQL DB instances should publish logs to CloudWatch Logs Amazon Foundational Security Best Practices v1.0.0, PCI DSS v4.0.1 MEDIUM Yes Change triggered
RDS.37 Aurora PostgreSQL DB clusters should publish logs to CloudWatch Logs Amazon Foundational Security Best Practices v1.0.0, PCI DSS v4.0.1 MEDIUM No Change triggered
RDS.38 RDS for PostgreSQL DB instances should be encrypted in transit Amazon Foundational Security Best Practices v1.0.0 MEDIUM No Periodic
RDS.39 RDS for MySQL DB instances should be encrypted in transit Amazon Foundational Security Best Practices v1.0.0 MEDIUM No Periodic
Redshift.1 Amazon Redshift clusters should prohibit public access Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v3.2.1, PCI DSS v4.0.1, Service-Managed Standard: Amazon Control Tower CRITICAL No Change triggered
Redshift.2 Connections to Amazon Redshift clusters should be encrypted in transit Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: Amazon Control Tower MEDIUM No Change triggered
Redshift.3 Amazon Redshift clusters should have automatic snapshots enabled Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 MEDIUM Yes Change triggered
Redshift.4 Amazon Redshift clusters should have audit logging enabled Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: Amazon Control Tower MEDIUM No Change triggered
Redshift.6 Amazon Redshift should have automatic upgrades to major versions enabled Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5 MEDIUM No Change triggered
Redshift.7 Redshift clusters should use enhanced VPC routing Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5 MEDIUM No Change triggered
Redshift.8 Amazon Redshift clusters should not use the default Admin username Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5 MEDIUM No Change triggered
Redshift.9 Redshift clusters should not use the default database name Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5 MEDIUM No Change triggered
Redshift.10 Redshift clusters should be encrypted at rest Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5 MEDIUM No Change triggered
Redshift.11 Redshift clusters should be tagged Amazon Resource Tagging Standard LOW Yes Change triggered
Redshift.12 Redshift event subscription notifications should be tagged Amazon Resource Tagging Standard LOW Yes Change triggered
Redshift.13 Redshift cluster snapshots should be tagged Amazon Resource Tagging Standard LOW Yes Change triggered
Redshift.14 Redshift cluster subnet groups should be tagged Amazon Resource Tagging Standard LOW Yes Change triggered
Redshift.15 Redshift security groups should allow ingress on the cluster port only from restricted origins Amazon Foundational Security Best Practices v1.0.0, PCI DSS v4.0.1 HIGH No Periodic
Redshift.16 Redshift cluster subnet groups should have subnets from multiple Availability Zones NIST SP 800-53 Rev. 5 MEDIUM No Change triggered
Route53.1 Route 53 health checks should be tagged Amazon Resource Tagging Standard LOW Yes Change triggered
Route53.2 Route 53 public hosted zones should log DNS queries Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 MEDIUM No Change triggered
S3.1 S3 general purpose buckets should have block public access settings enabled CIS Amazon Foundations Benchmark v3.0.0, CIS Amazon Foundations Benchmark v1.4.0, Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v3.2.1, PCI DSS v4.0.1, Service-Managed Standard: Amazon Control Tower MEDIUM No Periodic
S3.2 S3 general purpose buckets should block public read access Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5 CRITICAL No Change triggered and periodic
S3.3 S3 general purpose buckets should block public write access Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5 CRITICAL No Change triggered and periodic
S3.5 S3 general purpose buckets should require requests to use SSL CIS Amazon Foundations Benchmark v3.0.0, CIS Amazon Foundations Benchmark v1.4.0, Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v3.2.1, PCI DSS v4.0.1, Service-Managed Standard: Amazon Control Tower MEDIUM No Change triggered
S3.6 S3 general purpose bucket policies should restrict access to other Amazon Web Services accounts Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5 HIGH No Change triggered
S3.7 S3 general purpose buckets should use cross-Region replication PCI DSS v3.2.1, NIST SP 800-53 Rev. 5 LOW No Change triggered
S3.8 S3 general purpose buckets should block public access CIS Amazon Foundations Benchmark v3.0.0, CIS Amazon Foundations Benchmark v1.4.0, Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: Amazon Control Tower HIGH No Change triggered
S3.9 S3 general purpose buckets should have server access logging enabled Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: Amazon Control Tower MEDIUM No Change triggered
S3.10 S3 general purpose buckets with versioning enabled should have Lifecycle configurations NIST SP 800-53 Rev. 5 MEDIUM No Change triggered
S3.11 S3 general purpose buckets should have event notifications enabled NIST SP 800-53 Rev. 5 MEDIUM Yes Change triggered
S3.12 ACLs should not be used to manage user access to S3 general purpose buckets Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5 MEDIUM No Change triggered
S3.13 S3 general purpose buckets should have Lifecycle configurations Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5 LOW Yes Change triggered
S3.14 S3 general purpose buckets should have versioning enabled NIST SP 800-53 Rev. 5 LOW No Change triggered
S3.15 S3 general purpose buckets should have Object Lock enabled NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 MEDIUM Yes Change triggered
S3.17 S3 general purpose buckets should be encrypted at rest with Amazon KMS keys NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: Amazon Control Tower MEDIUM No Change triggered
S3.19 S3 access points should have block public access settings enabled Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 CRITICAL No Change triggered
S3.20 S3 general purpose buckets should have MFA delete enabled CIS Amazon Foundations Benchmark v3.0.0, CIS Amazon Foundations Benchmark v1.4.0, NIST SP 800-53 Rev. 5 LOW No Change triggered
S3.22 S3 general purpose buckets should log object-level write events CIS Amazon Foundations Benchmark v3.0.0, PCI DSS v4.0.1 MEDIUM No Periodic
S3.23 S3 general purpose buckets should log object-level read events CIS Amazon Foundations Benchmark v3.0.0, PCI DSS v4.0.1 MEDIUM No Periodic
S3.24 S3 Multi-Region Access Points should have block public access settings enabled Amazon Foundational Security Best Practices v1.0.0, PCI DSS v4.0.1 HIGH No Change triggered
SageMaker.1 Amazon SageMaker AI notebook instances should not have direct internet access Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v3.2.1, PCI DSS v4.0.1, Service-Managed Standard: Amazon Control Tower HIGH No Periodic
SageMaker.2 SageMaker notebook instances should be launched in a custom VPC Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5 HIGH No Change triggered
SageMaker.3 Users should not have root access to SageMaker notebook instances Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5 HIGH No Change triggered
SageMaker.4 SageMaker endpoint production variants should have an initial instance count greater than 1 Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 MEDIUM No Periodic
SecretsManager.1 Secrets Manager secrets should have automatic rotation enabled Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: Amazon Control Tower MEDIUM Yes Change triggered
SecretsManager.2 Secrets Manager secrets configured with automatic rotation should rotate successfully Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: Amazon Control Tower MEDIUM No Change triggered
SecretsManager.3 Remove unused Secrets Manager secrets Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, Service-Managed Standard: Amazon Control Tower MEDIUM Yes Periodic
SecretsManager.4 Secrets Manager secrets should be rotated within a specified number of days Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: Amazon Control Tower MEDIUM Yes Periodic
SecretsManager.5 Secrets Manager secrets should be tagged Amazon Resource Tagging Standard LOW Yes Change triggered
ServiceCatalog.1 Service Catalog portfolios should be shared within an Amazon organization only Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 HIGH No Periodic
SES.1 SES contact lists should be tagged Amazon Resource Tagging Standard LOW Yes Change triggered
SES.2 SES configuration sets should be tagged Amazon Resource Tagging Standard LOW Yes Change triggered
SNS.1 SNS topics should be encrypted at-rest using Amazon KMS NIST SP 800-53 Rev. 5 MEDIUM No Change triggered
SNS.3 SNS topics should be tagged Amazon Resource Tagging Standard LOW Yes Change triggered
SNS.4 SNS topic access policies should not allow public access Amazon Foundational Security Best Practices v1.0.0 HIGH No Change triggered
SQS.1 Amazon SQS queues should be encrypted at rest Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5 MEDIUM No Change triggered
SQS.2 SQS queues should be tagged Amazon Resource Tagging Standard LOW Yes Change triggered
SSM.1 EC2 instances should be managed by Amazon Systems Manager Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5 MEDIUM No Change triggered
SSM.2 EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v3.2.1, PCI DSS v4.0.1, Service-Managed Standard: Amazon Control Tower HIGH No Change triggered
SSM.3 EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v3.2.1, PCI DSS v4.0.1, Service-Managed Standard: Amazon Control Tower LOW No Change triggered
SSM.4 SSM documents should not be public Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5 CRITICAL No Periodic
StepFunctions.1 Step Functions state machines should have logging turned on Amazon Foundational Security Best Practices v1.0.0, PCI DSS v4.0.1 MEDIUM Yes Change triggered
StepFunctions.2 Step Functions activities should be tagged Amazon Resource Tagging Standard LOW Yes Change triggered
Transfer.1 Transfer Family workflows should be tagged Amazon Resource Tagging Standard LOW Yes Change triggered
Transfer.2 Transfer Family servers should not use FTP protocol for endpoint connection Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 MEDIUM No Periodic
WAF.1 Amazon WAF Classic Global Web ACL logging should be enabled Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 MEDIUM No Periodic
WAF.2 Amazon WAF Classic Regional rules should have at least one condition Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5 MEDIUM No Change triggered
WAF.3 Amazon WAF Classic Regional rule groups should have at least one rule Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5 MEDIUM No Change triggered
WAF.4 Amazon WAF Classic Regional web ACLs should have at least one rule or rule group Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5 MEDIUM No Change triggered
WAF.6 Amazon WAF Classic global rules should have at least one condition Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 MEDIUM No Change triggered
WAF.7 Amazon WAF Classic global rule groups should have at least one rule Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 MEDIUM No Change triggered
WAF.8 Amazon WAF Classic global web ACLs should have at least one rule or rule group Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 MEDIUM No Change triggered
WAF.10 Amazon WAF web ACLs should have at least one rule or rule group Amazon Foundational Security Best Practices v1.0.0, Service-Managed Standard: Amazon Control Tower, NIST SP 800-53 Rev. 5 MEDIUM No Change triggered
WAF.11 Amazon WAF web ACL logging should be enabled NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 LOW No Periodic
WAF.12 Amazon WAF rules should have CloudWatch metrics enabled Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 MEDIUM No Change triggered
WorkSpaces.1 WorkSpaces user volumes should be encrypted at rest Amazon Foundational Security Best Practices v1.0.0 MEDIUM No Change triggered
WorkSpaces.2 WorkSpaces root volumes should be encrypted at rest Amazon Foundational Security Best Practices v1.0.0 MEDIUM No Change triggered
Topics