turbot/aws_compliance
Dashboards: 0, Controls: 469, Queries: 249, Variables: 0
AWS Audit Manager Control Tower Guardrails
EBS checks
1.0.1 - Disallow launch of EC2 instance types that are not EBS-optimized
EC2 instance should have EBS optimization enabled
1.0.2 - Disallow EBS volumes that are unattached to an EC2 instance
Attached EBS volumes should have delete on termination enabled
1.0.3 - Enable encryption for EBS volumes attached to EC2 instances
Attached EBS volumes should have encryption enabled
Disallow Internet Connection
2.0.1 - Disallow internet connection through RDP
VPC security groups should restrict ingress access on ports 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0
2.0.2 - Disallow internet connection through SSH
VPC security groups should restrict ingress SSH access from 0.0.0.0/0
Multi-Factor Authentication
3.0.1 - Disallow access to IAM users without MFA
IAM user MFA should be enabled
3.0.2 - Disallow console access to IAM users without MFA
IAM users with console access should have MFA enabled
3.0.3 - Enable MFA for the root user
IAM root user MFA should be enabled
Disallow Public Access
4.0.1 - Disallow public access to RDS database instances
RDS DB instances should prohibit public access
4.0.2 - Disallow public access to RDS database snapshots
RDS snapshots should prohibit public access
4.1.1 - Disallow public read access to S3 buckets
S3 buckets should prohibit public read access
4.1.2 - Disallow public write access to S3 buckets
S3 buckets should prohibit public write access
Disallow Instances
5.0.1 - Disallow RDS database instances that are not storage encrypted
RDS DB snapshots should be encrypted at rest
5.1.1 - Disallow S3 buckets that are not versioning enabled
S3 bucket versioning should be enabled
CIS v1.3.0
1 Identity and Access Management
1.1 Maintain current contact details
1.2 Ensure security contact information is registered
1.3 Ensure security questions are registered in the AWS account
1.4 Ensure no root user account access key exists
1.5 Ensure MFA is enabled for the "root user" account
1.6 Ensure hardware MFA is enabled for the "root user" account
1.7 Eliminate use of the root user for administrative and daily tasks
1.8 Ensure IAM password policy requires minimum length of 14 or greater
1.9 Ensure IAM password policy prevents password reuse
1.10 Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password
1.11 Do not set up access keys during initial user setup for all IAM users that have a console password
1.12 Ensure credentials unused for 90 days or greater are disabled
1.13 Ensure there is only one active access key available for any single IAM user
1.14 Ensure access keys are rotated every 90 days or less
1.15 Ensure IAM Users Receive Permissions Only Through Groups
1.16 Ensure IAM policies that allow full "*:*" administrative privileges are not attached
1.17 Ensure a support role has been created to manage incidents with AWS Support
1.18 Ensure IAM instance roles are used for AWS resource access from instances
1.19 Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed
1.20 Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'
1.21 Ensure that IAM Access analyzer is enabled
1.22 Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments
2 Storage
2.1 Simple Storage Service (S3)
2.1.1 Ensure all S3 buckets employ encryption-at-rest
2.1.2 Ensure S3 Bucket Policy allows HTTPS requests
2.2 Elastic Compute Cloud (EC2)
2.2.1 Ensure EBS volume encryption is enabled
3 Logging
3.1 Ensure CloudTrail is enabled in all regions
3.2 Ensure CloudTrail log file validation is enabled
3.3 Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible
3.4 Ensure CloudTrail trails are integrated with CloudWatch Logs
3.5 Ensure AWS Config is enabled in all regions
3.6 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
3.7 Ensure CloudTrail logs are encrypted at rest using KMS CMKs
3.8 Ensure rotation for customer created CMKs is enabled
3.9 Ensure VPC flow logging is enabled in all VPCs
3.10 Ensure that Object-level logging for write events is enabled for S3 bucket
3.11 Ensure that Object-level logging for read events is enabled for S3 bucket
4 Monitoring
4.1 Ensure a log metric filter and alarm exist for unauthorized API calls
4.2 Ensure a log metric filter and alarm exist for Management Console sign-in without MFA
4.3 Ensure a log metric filter and alarm exist for usage of "root" account
4.4 Ensure a log metric filter and alarm exist for IAM policy changes
4.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes
4.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
4.7 Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs
4.8 Ensure a log metric filter and alarm exist for S3 bucket policy changes
4.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes
4.10 Ensure a log metric filter and alarm exist for security group changes
4.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)
4.12 Ensure a log metric filter and alarm exist for changes to network gateways
4.13 Ensure a log metric filter and alarm exist for route table changes
4.14 Ensure a log metric filter and alarm exist for VPC changes
4.15 Ensure a log metric filter and alarm exists for AWS Organizations changes
5 Networking
5.1 Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports
5.2 Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports
5.3 Ensure the default security group of every VPC restricts all traffic
5.4 Ensure routing tables for VPC peering are 'least access'
CIS v1.4.0
1 Identity and Access Management
1.1 Maintain current contact details
1.2 Ensure security contact information is registered
1.3 Ensure security questions are registered in the AWS account
1.4 Ensure no 'root' user account access key exists
1.5 Ensure MFA is enabled for the 'root' user account
1.6 Ensure hardware MFA is enabled for the 'root' user account
1.7 Eliminate use of the 'root' user for administrative and daily tasks
1.8 Ensure IAM password policy requires minimum length of 14 or greater
1.9 Ensure IAM password policy prevents password reuse
1.10 Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password
1.11 Do not set up access keys during initial user setup for all IAM users that have a console password
1.12 Ensure credentials unused for 45 days or greater are disabled
1.13 Ensure there is only one active access key available for any single IAM user
1.14 Ensure access keys are rotated every 90 days or less
1.15 Ensure IAM Users Receive Permissions Only Through Groups
1.16 Ensure IAM policies that allow full "*:*" administrative privileges are not attached
1.17 Ensure a support role has been created to manage incidents with AWS Support
1.18 Ensure IAM instance roles are used for AWS resource access from instances
1.19 Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed
1.20 Ensure that IAM Access analyzer is enabled for all regions
1.21 Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments
2 Storage
2.1 Simple Storage Service (S3)
2.1.1 Ensure all S3 buckets employ encryption-at-rest
2.1.2 Ensure S3 Bucket Policy is set to deny HTTP requests
2.1.3 Ensure MFA Delete is enabled on S3 buckets
2.1.4 Ensure all data in Amazon S3 has been discovered, classified and secured when required
2.1.5 Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'
2.2 Elastic Compute Cloud (EC2)
2.2.1 Ensure EBS volume encryption is enabled
2.3 Relational Database Service (RDS)
2.3.1 Ensure that encryption is enabled for RDS Instances
3 Logging
3.1 Ensure CloudTrail is enabled in all regions
3.2 Ensure CloudTrail log file validation is enabled
3.3 Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible
3.4 Ensure CloudTrail trails are integrated with CloudWatch Logs
3.5 Ensure AWS Config is enabled in all regions
3.6 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
3.7 Ensure CloudTrail logs are encrypted at rest using KMS CMKs
3.8 Ensure rotation for customer created CMKs is enabled
3.9 Ensure VPC flow logging is enabled in all VPCs
3.10 Ensure that Object-level logging for write events is enabled for S3 bucket
3.11 Ensure that Object-level logging for read events is enabled for S3 bucket
4 Monitoring
4.1 Ensure a log metric filter and alarm exist for unauthorized API calls
4.2 Ensure a log metric filter and alarm exist for Management Console sign-in without MFA
4.3 Ensure a log metric filter and alarm exist for usage of 'root' account
4.4 Ensure a log metric filter and alarm exist for IAM policy changes
4.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes
4.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
4.7 Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs
4.8 Ensure a log metric filter and alarm exist for S3 bucket policy changes
4.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes
4.10 Ensure a log metric filter and alarm exist for security group changes
4.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)
4.12 Ensure a log metric filter and alarm exist for changes to network gateways
4.13 Ensure a log metric filter and alarm exist for route table changes
4.14 Ensure a log metric filter and alarm exist for VPC changes
4.15 Ensure a log metric filter and alarm exists for AWS Organizations changes
5 Networking
5.1 Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports
5.2 Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports
5.3 Ensure the default security group of every VPC restricts all traffic
5.4 Ensure routing tables for VPC peering are "least access"
AWS Foundational Security Best Practices
ACM
1 Imported ACM certificates should be renewed after a specified time period
API Gateway
1 API Gateway REST and WebSocket API logging should be enabled
2 API Gateway REST API stages should be configured to use SSL certificates for backend authentication
3 API Gateway REST API stages should have AWS X-Ray tracing enabled
4 API Gateway should be associated with an AWS WAF web ACL
5 API Gateway REST API cache data should be encrypted at rest
Auto Scaling
1 Auto Scaling groups associated with a load balancer should use load balancer health checks
2 Amazon EC2 Auto Scaling group should cover multiple Availability Zones
5 Amazon EC2 instances launched using Auto Scaling group launch configurations should not have Public IP addresses
CloudFront
1 CloudFront distributions should have a default root object configured
2 CloudFront distributions should have origin access identity enabled
3 CloudFront distributions should require encryption in transit
4 CloudFront distributions should have origin failover configured
5 CloudFront distributions should have logging enabled
6 CloudFront distributions should have AWS WAF enabled
7 CloudFront distributions should use custom SSL/TLS certificates
8 CloudFront distributions should use SNI to serve HTTPS requests
9 CloudFront distributions should encrypt traffic to custom origins
CloudTrail
1 CloudTrail should be enabled and configured with at least one multi-Region trail
2 CloudTrail should have encryption at rest enabled
4 Ensure CloudTrail log file validation is enabled
5 Ensure CloudTrail trails are integrated with Amazon CloudWatch Logs
CodeBuild
1 CodeBuild GitHub or Bitbucket source repository URLs should use OAuth
2 CodeBuild project environment variables should not contain clear text credentials
4 CodeBuild project environments should have a logging configuration
5 CodeBuild project environments should not have privileged mode enabled
Config
1 AWS Config should be enabled
DMS
1 AWS Database Migration Service replication instances should not be public
DynamoDB
1 DynamoDB tables should automatically scale capacity with demand
2 DynamoDB tables should have point-in-time recovery enabled
3 DynamoDB Accelerator (DAX) clusters should be encrypted at rest
EC2
1 Amazon EBS snapshots should not be public, determined by the ability to be restorable by anyone
2 The VPC default security group should not allow inbound and outbound traffic
3 Attached EBS volumes should be encrypted at rest
4 Stopped EC2 instances should be removed after a specified time period
6 VPC flow logging should be enabled in all VPCs
7 EBS default encryption should be enabled
8 EC2 instances should use IMDSv2
9 EC2 instances should not have a public IP address
10 Amazon EC2 should be configured to use VPC endpoints
15 EC2 subnets should not automatically assign public IP addresses
16 Unused network access control lists should be removed
17 EC2 instances should not use multiple ENIs
18 Security groups should only allow unrestricted incoming traffic for authorized ports
19 Security groups should not allow unrestricted access to ports with high risk
21 Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389
22 Unused EC2 security groups should be removed
Elastic Container Registry
3 ECR repositories should have at least one lifecycle policy configured
Elastic Container Service
1 Amazon ECS task definitions should have secure networking modes and user definitions
2 Amazon ECS services should not have public IP addresses assigned to them automatically
EFS
1 Amazon EFS should be configured to encrypt file data at rest using AWS KMS
2 Amazon EFS volumes should be in backup plans
Elastic Beanstalk
1 Elastic Beanstalk environments should have enhanced health reporting enabled
ELB
3 Classic Load Balancer listeners should be configured with HTTPS or TLS termination
4 Application load balancers should be configured to drop HTTP headers
5 Application and Classic Load Balancers logging should be enabled
6 Application Load Balancer deletion protection should be enabled
7 Classic Load Balancers should have connection draining enabled
10 Classic Load Balancers should span multiple Availability Zones
ELBv2
1 Application Load Balancer should be configured to redirect all HTTP requests to HTTPS
EMR
1 Amazon EMR cluster master nodes should not have public IP addresses
Elasticsearch
1 Elasticsearch domains should have encryption at-rest enabled
2 Amazon Elasticsearch Service domains should be in a VPC
3 Amazon Elasticsearch Service domains should encrypt data sent between nodes
4 Elasticsearch domain error logging to CloudWatch Logs should be enabled
5 Elasticsearch domains should have audit logging enabled
6 Elasticsearch domains should have at least three data nodes
7 Elasticsearch domains should be configured with at least three dedicated master nodes
8 Connections to Elasticsearch domains should be encrypted using TLS 1.2
GuardDuty
1 GuardDuty should be enabled
IAM
1 IAM policies should not allow full '*' administrative privileges
2 IAM users should not have IAM policies attached
3 IAM users' access keys should be rotated every 90 days or less
4 IAM root user access key should not exist
5 MFA should be enabled for all IAM users that have a console password
6 Hardware MFA should be enabled for the root user
7 Password policies for IAM users should have strong configurations
8 Unused IAM user credentials should be removed
21 IAM customer managed policies that you create should not allow wildcard actions for services
KMS
1 IAM customer managed policies should not allow decryption actions on all KMS keys
2 IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys
3 AWS KMS keys should not be unintentionally deleted
Lambda
1 Lambda function policies should prohibit public access
2 Lambda functions should use latest runtimes
4 Lambda functions should have a dead-letter queue configured
5 VPC Lambda functions should operate in more than one Availability Zone
Network Firewall
6 Stateless network firewall rule group should not be empty
RDS
1 RDS snapshots should be private
2 RDS DB instances should prohibit public access, determined by the PubliclyAccessible configuration
3 RDS DB instances should have encryption at rest enabled
4 RDS cluster snapshots and database snapshots should be encrypted at rest
5 RDS DB instances should be configured with multiple Availability Zones
6 Enhanced monitoring should be configured for RDS DB instances and clusters
7 RDS clusters should have deletion protection enabled
8 RDS DB instances should have deletion protection enabled
9 Database logging should be enabled
10 IAM authentication should be configured for RDS instances
12 IAM authentication should be configured for RDS clusters
13 RDS automatic minor version upgrades should be enabled
14 Amazon Aurora clusters should have backtracking enabled
15 RDS DB clusters should be configured for multiple Availability Zones
16 RDS DB clusters should be configured to copy tags to snapshots
17 RDS DB instances should be configured to copy tags to snapshots
18 RDS instances should be deployed in a VPC
19 An RDS event notifications subscription should be configured for critical cluster events
20 An RDS event notifications subscription should be configured for critical database instance events
21 An RDS event notifications subscription should be configured for critical database parameter group events
22 An RDS event notifications subscription should be configured for critical database security group events
23 RDS databases and clusters should not use a database engine default port
24 RDS database clusters should use a custom administrator username
25 RDS database instances should use a custom administrator username
Redshift
1 Amazon Redshift clusters should prohibit public access
2 Connections to Amazon Redshift clusters should be encrypted in transit
3 Amazon Redshift clusters should have automatic snapshots enabled
4 Amazon Redshift clusters should have audit logging enabled
6 Amazon Redshift should have automatic upgrades to major versions enabled
7 Amazon Redshift clusters should use enhanced VPC routing
8 Amazon Redshift clusters should not use the default Admin username
S3
1 S3 Block Public Access setting should be enabled
2 S3 buckets should prohibit public read access
3 S3 buckets should prohibit public write access
4 S3 buckets should have server-side encryption enabled
5 S3 buckets should require requests to use Secure Socket Layer
6 Amazon S3 permissions granted to other AWS accounts in bucket policies should be restricted
8 S3 Block Public Access setting should be enabled at the bucket level
9 S3 bucket server access logging should be enabled
10 S3 buckets with versioning enabled should have lifecycle policies configured
11 S3 buckets should have event notifications enabled
SageMaker
1 SageMaker notebook instances should not have direct internet access
Secrets Manager
1 Secrets Manager secrets should have automatic rotation enabled
2 Secrets Manager secrets configured with automatic rotation should rotate successfully
3 Remove unused Secrets Manager secrets
4 Secrets Manager secrets should be rotated within a specified number of days
SNS
1 SNS topics should be encrypted at rest using AWS KMS
SSM
1 EC2 instances should be managed by AWS Systems Manager
2 All EC2 instances managed by Systems Manager should be compliant with patching requirements
3 Instances managed by Systems Manager should have an association compliance status of COMPLIANT
SQS
1 Amazon SQS queues should be encrypted at rest
General Data Protection Regulation (GDPR)
Article 25 Data protection by design and by default
Ensure the S3 bucket that CloudTrail logs to is not publicly accessible
Ensure CloudTrail is enabled in all Regions
Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
CloudTrail trails should be integrated with CloudWatch logs
CloudTrail trail logs should be encrypted with KMS CMK
CloudTrail trail log file validation should be enabled
AWS Config should be enabled
Ensure IAM password policy requires a minimum length of 14 or greater
Ensure IAM password policy requires at least one lowercase letter
Ensure IAM password policy requires at least one number
Ensure IAM password policy requires at least one symbol
Ensure IAM password policy requires at least one uppercase letter
Ensure IAM password policy prevents password reuse
Password policies for IAM users should have strong configurations
Ensure IAM password policy expires passwords within 90 days or less
IAM policy should not have statements with admin access
IAM root user hardware MFA should be enabled
IAM root user MFA should be enabled
IAM root user should not have access keys
Ensure a support role has been created to manage incidents with AWS Support
IAM user access keys should be rotated at least every 90 days
IAM users with console access should have MFA enabled
IAM user should not have any inline or attached policies
IAM user credentials that have not been used in 90 days should be disabled
KMS CMK rotation should be enabled
Ensure a log metric filter and alarm exist for S3 bucket policy changes
Ensure a log metric filter and alarm exist for CloudTrail configuration changes
Ensure a log metric filter and alarm exist for AWS Config configuration changes
Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
Ensure a log metric filter and alarm exist for AWS Management Console sign-in without MFA
Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer managed keys
Ensure a log metric filter and alarm exist for IAM policy changes
Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)
Ensure a log metric filter and alarm exist for changes to network gateways
Ensure a log metric filter and alarm exist for usage of 'root' account
Ensure a log metric filter and alarm exist for route table changes
Ensure a log metric filter and alarm exist for security group changes
Ensure a log metric filter and alarm exist for unauthorized API calls
Ensure a log metric filter and alarm exist for VPC changes
VPC flow logs should be enabled
Article 30 Records of processing activities
Ensure CloudTrail is enabled in all Regions
All S3 buckets should log S3 data events in CloudTrail
At least one trail should be enabled with security best practices
CloudTrail trails should be integrated with CloudWatch logs
CloudTrail trail logs should be encrypted with KMS CMK
AWS Config should be enabled
ELB application and classic load balancer logging should be enabled
KMS CMK rotation should be enabled
Redshift cluster audit logging and encryption should be enabled
VPC flow logs should be enabled
Article 32 Security of processing
ACM certificates should be set to expire within 30 days
API Gateway stage cache encryption at rest should be enabled
CloudFront distributions should require encryption in transit
CloudTrail trail logs should be encrypted with KMS CMK
CloudTrail trail log file validation should be enabled
DynamoDB Accelerator (DAX) clusters should be encrypted at rest
DynamoDB table should be encrypted with AWS KMS
DynamoDB table should have encryption enabled
Attached EBS volumes should have encryption enabled
EBS volume encryption at rest should be enabled
EFS file system encryption at rest should be enabled
ELB application load balancers should drop invalid HTTP headers
ELB application load balancers should redirect HTTP requests to HTTPS
ELB classic load balancers should use SSL certificates
ELB classic load balancers should only use SSL or HTTPS listeners
ES domain encryption at rest should be enabled
Elasticsearch domain node-to-node encryption should be enabled
Log group encryption at rest should be enabled
RDS DB instance encryption at rest should be enabled
RDS DB instances should be in a backup plan
Database logging should be enabled
RDS DB snapshots should be encrypted at rest
Amazon Redshift clusters should have automatic snapshots enabled
Redshift cluster encryption in transit should be enabled
Redshift cluster audit logging and encryption should be enabled
S3 bucket default encryption should be enabled
S3 bucket default encryption should be enabled with KMS
S3 buckets should enforce SSL
SageMaker endpoint configuration encryption should be enabled
SageMaker notebook instance encryption should be enabled
SNS topics should be encrypted at rest
Logging should be enabled on AWS WAFv2 regional and global web access control list (ACLs)
HIPAA
164.308 Administrative Safeguards
164.308(a)(1)(ii)(A) Risk analysis
AWS Config should be enabled
GuardDuty should be enabled
164.308(a)(1)(ii)(B) Risk Management
API Gateway stage cache encryption at rest should be enabled
Auto Scaling groups with a load balancer should use health checks
CloudTrail trail logs should be encrypted with KMS CMK
CloudTrail trail log file validation should be enabled
CodeBuild project plaintext environment variables should not contain sensitive AWS values
CodeBuild GitHub or Bitbucket source repository URLs should use OAuth
DMS replication instances should not be publicly accessible
DynamoDB table auto scaling should be enabled
DynamoDB table point-in-time recovery should be enabled
EBS snapshots should not be publicly restorable
EBS volume encryption at rest should be enabled
EBS default encryption should be enabled
EC2 instances should be in a VPC
EC2 instances should not have a public IP address
EC2 stopped instances should be removed in 30 days
EFS file system encryption at rest should be enabled
ElastiCache Redis cluster automatic backup should be enabled with retention period of 15 days or greater
ELB application load balancer deletion protection should be enabled
ELB application load balancers should redirect HTTP requests to HTTPS
ELB classic load balancers should use SSL certificates
EMR cluster master nodes should not have public IP addresses
ES domain encryption at rest should be enabled
ES domains should be in a VPC
IAM policy should not have statements with admin access
IAM root user should not have access keys
KMS keys should not be pending deletion
Lambda functions should be in a VPC
Lambda functions should restrict public access
Log group encryption at rest should be enabled
RDS DB instance backup should be enabled
RDS DB instance encryption at rest should be enabled
RDS DB instance Multi-AZ should be enabled
RDS DB snapshots should be encrypted at rest
RDS snapshots should prohibit public access
Redshift cluster encryption in transit should be enabled
Redshift cluster audit logging and encryption should be enabled
Redshift clusters should prohibit public access
S3 bucket cross-region replication should be enabled
S3 bucket default encryption should be enabled
S3 buckets should enforce SSL
S3 bucket object lock should be enabled
S3 buckets should prohibit public read access
S3 buckets should prohibit public write access
S3 bucket versioning should be enabled
S3 public access should be blocked at account level
SageMaker endpoint configuration encryption should be enabled
SageMaker notebook instances should not have direct internet access
SageMaker notebook instance encryption should be enabled
SNS topics should be encrypted at rest
VPC internet gateways should be attached to an authorized VPC
VPC security groups should restrict ingress access on ports 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0
VPC security groups should restrict ingress SSH access from 0.0.0.0/0
VPC security groups should restrict ingress TCP and UDP access from 0.0.0.0/0
Both VPN tunnels provided by AWS Site-to-Site VPN should be in UP status
164.308(a)(1)(ii)(D) Information system activity review
API Gateway stage logging should be enabled
At least one multi-region AWS CloudTrail should be present in an account
All S3 buckets should log S3 data events in CloudTrail
At least one enabled trail should be present in a region
CloudTrail trails should be integrated with CloudWatch logs
CloudTrail trail logs should be encrypted with KMS CMK
CloudTrail trail log file validation should be enabled
ELB application and classic load balancer logging should be enabled
GuardDuty should be enabled
Redshift cluster audit logging and encryption should be enabled
S3 bucket logging should be enabled
AWS Security Hub should be enabled for an AWS Account
VPC flow logs should be enabled
164.308(a)(3)(i) Workforce security
DMS replication instances should not be publicly accessible
EBS snapshots should not be publicly restorable
EC2 instances should be in a VPC
EC2 instances should not have a public IP address
ES domains should be in a VPC
IAM groups should have at least one user
IAM policy should not have statements with admin access
IAM root user should not have access keys
IAM users should be in at least one group
IAM user should not have any inline or attached policies
Lambda functions should be in a VPC
Lambda functions should restrict public access
RDS DB instances should prohibit public access
RDS snapshots should prohibit public access
Redshift clusters should prohibit public access
S3 buckets should prohibit public read access
S3 buckets should prohibit public write access
S3 public access should be blocked at account level
SageMaker notebook instances should not have direct internet access
164.308(a)(3)(ii)(A) Authorization and/or supervision
API Gateway stage logging should be enabled
At least one multi-region AWS CloudTrail should be present in an account
All S3 buckets should log S3 data events in CloudTrail
At least one enabled trail should be present in a region
ELB application and classic load balancer logging should be enabled
EMR cluster Kerberos should be enabled
GuardDuty should be enabled
IAM root user hardware MFA should be enabled
IAM root user MFA should be enabled
IAM users with console access should have MFA enabled
IAM user MFA should be enabled
Redshift cluster audit logging and encryption should be enabled
S3 bucket logging should be enabled
AWS Security Hub should be enabled for an AWS Account
VPC flow logs should be enabled
164.308(a)(3)(ii)(B) Workforce clearance procedure
IAM groups should have at least one user
IAM policy should not have statements with admin access
IAM root user should not have access keys
IAM users should be in at least one group
IAM user should not have any inline or attached policies
IAM user credentials that have not been used in 90 days should be disabled
164.308(a)(3)(ii)(C) Termination procedures
IAM user access keys should be rotated at least every 90 days
164.308(a)(4)(i) Information access management
IAM groups should have at least one user
IAM policy should not have statements with admin access
IAM users should be in at least one group
IAM user should not have any inline or attached policies
164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions
ACM certificates should be set to expire within 30 days
API Gateway stage cache encryption at rest should be enabled
CloudFront distributions should require encryption in transit
CloudTrail trail logs should be encrypted with KMS CMK
DynamoDB Accelerator (DAX) clusters should be encrypted at rest
DynamoDB table should be encrypted with AWS KMS
DynamoDB table should have encryption enabled
Attached EBS volumes should have encryption enabled
EBS volume encryption at rest should be enabled
EBS default encryption should be enabled
EFS file system encryption at rest should be enabled
EKS clusters should be configured to have kubernetes secrets encrypted using KMS
ELB application load balancers should drop invalid HTTP headers
ELB application load balancers should redirect HTTP requests to HTTPS
ELB classic load balancers should use SSL certificates
ELB classic load balancers should only use SSL or HTTPS listeners
ES domain encryption at rest should be enabled
Elasticsearch domain node-to-node encryption should be enabled
Log group encryption at rest should be enabled
RDS DB instance encryption at rest should be enabled
RDS DB instances should be in a backup plan
Database logging should be enabled
RDS DB snapshots should be encrypted at rest
Amazon Redshift clusters should have automatic snapshots enabled
Redshift cluster encryption in transit should be enabled
Redshift cluster audit logging and encryption should be enabled
S3 bucket default encryption should be enabled with KMS
S3 bucket default encryption should be enabled
SageMaker endpoint configuration encryption should be enabled
SageMaker notebook instance encryption should be enabled
SNS topics should be encrypted at rest
Logging should be enabled on AWS WAFv2 regional and global web access control lists (ACLs)
164.308(a)(4)(ii)(B) Access authorization
IAM groups should have at least one user
IAM policy should not have statements with admin access
IAM users should be in at least one group
IAM user should not have any inline or attached policies
164.308(a)(4)(ii)(C) Access establishment and modification
IAM password policies for users should have strong configurations
IAM groups should have at least one user
IAM policy should not have statements with admin access
IAM root user should not have access keys
IAM user access keys should be rotated at least every 90 days
IAM users should be in at least one group
IAM user should not have any inline or attached policies
IAM user credentials that have not been used in 90 days should be disabled
Secrets Manager secrets should have automatic rotation enabled
164.308(a)(5)(ii)(B) Protection from malicious software
EC2 instances should be managed by AWS Systems Manager
SSM managed instance associations should be compliant
SSM managed instance patching should be compliant
164.308(a)(5)(ii)(C) Log-in monitoring
GuardDuty should be enabled
Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
AWS Security Hub should be enabled for an AWS Account
164.308(a)(5)(ii)(D) Password management
Ensure IAM password policy requires a minimum length of 14 or greater
Ensure IAM password policy requires at least one lowercase letter
Ensure IAM password policy requires at least one number
Ensure IAM password policy requires at least one symbol
Ensure IAM password policy requires at least one uppercase letter
Ensure IAM password policy prevents password reuse
Ensure IAM password policy expires passwords within 90 days or less
IAM user access keys should be rotated at least every 90 days
IAM user credentials that have not been used in 90 days should be disabled
164.308(a)(6)(i) Security incident procedures
CloudWatch alarm action should be enabled
GuardDuty should be enabled
Lambda functions should be configured with a dead-letter queue
Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
Ensure a log metric filter and alarm exist for usage of 'root' account
AWS Security Hub should be enabled for an AWS Account
164.308(a)(6)(ii) Response and reporting
API Gateway stage logging should be enabled
At least one multi-region AWS CloudTrail should be present in an account
All S3 buckets should log S3 data events in CloudTrail
At least one enabled trail should be present in a region
CloudTrail trails should be integrated with CloudWatch logs
ELB application and classic load balancer logging should be enabled
GuardDuty should be enabled
GuardDuty findings should be archived
Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
Ensure a log metric filter and alarm exist for usage of 'root' account
S3 bucket logging should be enabled
AWS Security Hub should be enabled for an AWS Account
VPC flow logs should be enabled
164.308(a)(7)(i) Contingency plan
Auto Scaling groups with a load balancer should use health checks
Backup plan min frequency and min retention check
Backup recovery point should be encrypted
Backup recovery point manual deletion should be disabled
DynamoDB table auto scaling should be enabled
DynamoDB tables should be in a backup plan
DynamoDB table point-in-time recovery should be enabled
DynamoDB table should be protected by backup plan
EBS volumes should be in a backup plan
EBS volumes should be protected by backup plan
EC2 instance should have EBS optimization enabled
EC2 instances should be protected by backup plan
EFS file systems should be in a backup plan
EFS file systems should be protected by backup plan
ElastiCache Redis cluster automatic backup should be enabled with retention period of 15 days or greater
FSx file system should be protected by backup plan
RDS Aurora clusters should be protected by backup plan
RDS DB instance backup should be enabled
RDS DB instances should be in a backup plan
RDS DB instance multiple AZ should be enabled
RDS DB instance should be protected by backup plan
Amazon Redshift clusters should have automatic snapshots enabled
S3 bucket cross-region replication should be enabled
S3 bucket versioning should be enabled
Both VPN tunnels provided by AWS Site-to-Site VPN should be in UP status
164.308(a)(7)(ii)(A) Data backup plan
Auto Scaling groups with a load balancer should use health checks
Backup plan min frequency and min retention check
Backup recovery point should be encrypted
Backup recovery point manual deletion should be disabled
DynamoDB table auto scaling should be enabled
DynamoDB tables should be in a backup plan
DynamoDB table point-in-time recovery should be enabled
DynamoDB table should be protected by backup plan
EBS volumes should be in a backup plan
EBS volumes should be protected by backup plan
EC2 instance should have EBS optimization enabled
EC2 instances should be protected by backup plan
EFS file systems should be in a backup plan
EFS file systems should be protected by backup plan
ElastiCache Redis cluster automatic backup should be enabled with retention period of 15 days or greater
FSx file system should be protected by backup plan
RDS Aurora clusters should be protected by backup plan
RDS DB instance backup should be enabled
RDS DB instances should be in a backup plan
RDS DB instance multiple AZ should be enabled
RDS DB instance should be protected by backup plan
Amazon Redshift clusters should have automatic snapshots enabled
S3 bucket cross-region replication should be enabled
S3 bucket versioning should be enabled
Both VPN tunnels provided by AWS Site-to-Site VPN should be in UP status
164.308(a)(7)(ii)(B) Disaster recovery plan
Auto Scaling groups with a load balancer should use health checks
Backup plan min frequency and min retention check
Backup recovery point should be encrypted
Backup recovery point manual deletion should be disabled
DynamoDB table auto scaling should be enabled
DynamoDB tables should be in a backup plan
DynamoDB table point-in-time recovery should be enabled
DynamoDB table should be protected by backup plan
EBS volumes should be in a backup plan
EBS volumes should be protected by backup plan
EC2 instance should have EBS optimization enabled
EC2 instances should be protected by backup plan
EFS file systems should be in a backup plan
EFS file systems should be protected by backup plan
ElastiCache Redis cluster automatic backup should be enabled with retention period of 15 days or greater
FSx file system should be protected by backup plan
RDS Aurora clusters should be protected by backup plan
RDS DB instance backup should be enabled
RDS DB instances should be in a backup plan
RDS DB instance multiple AZ should be enabled
RDS DB instance should be protected by backup plan
Amazon Redshift clusters should have automatic snapshots enabled
S3 bucket cross-region replication should be enabled
S3 bucket versioning should be enabled
Both VPN tunnels provided by AWS Site-to-Site VPN should be in UP status
164.308(a)(7)(ii)(C) Emergency mode operation plan
Auto Scaling groups with a load balancer should use health checks
Backup plan min frequency and min retention check
Backup recovery point should be encrypted
Backup recovery point manual deletion should be disabled
DynamoDB table auto scaling should be enabled
DynamoDB tables should be in a backup plan
DynamoDB table point-in-time recovery should be enabled
DynamoDB table should be protected by backup plan
EBS volumes should be in a backup plan
EBS volumes should be protected by backup plan
EC2 instance should have EBS optimization enabled
EC2 instances should be protected by backup plan
EFS file systems should be in a backup plan
EFS file systems should be protected by backup plan
ElastiCache Redis cluster automatic backup should be enabled with retention period of 15 days or greater
FSx file system should be protected by backup plan
RDS Aurora clusters should be protected by backup plan
RDS DB instance backup should be enabled
RDS DB instances should be in a backup plan
RDS DB instance multiple AZ should be enabled
RDS DB instance should be protected by backup plan
Amazon Redshift clusters should have automatic snapshots enabled
S3 bucket cross-region replication should be enabled
S3 bucket versioning should be enabled
Both VPN tunnels provided by AWS Site-to-Site VPN should be in UP status
164.308(a)(8) Evaluation
GuardDuty should be enabled
AWS Security Hub should be enabled for an AWS Account
164.312 Technical Safeguards
164.312(a)(1) Access control
DMS replication instances should not be publicly accessible
EBS snapshots should not be publicly restorable
EC2 instances should be in a VPC
EC2 instances should not have a public IP address
EMR cluster Kerberos should be enabled
EMR cluster master nodes should not have public IP addresses
ES domains should be in a VPC
IAM groups should have at least one user
IAM policy should not have statements with admin access
IAM users with console access should have MFA enabled
IAM users should be in at least one group
IAM user should not have any inline or attached policies
Lambda functions should be in a VPC
Lambda functions should restrict public access
RDS DB instances should prohibit public access
RDS snapshots should prohibit public access
Redshift clusters should prohibit public access
S3 buckets should prohibit public read access
S3 buckets should prohibit public write access
S3 public access should be blocked at account and bucket levels
SageMaker notebook instances should not have direct internet access
164.312(a)(2)(i) Unique user identification
All S3 buckets should log S3 data events in CloudTrail
IAM root user should not have access keys
S3 buckets should prohibit public read access
164.312(a)(2)(ii) Emergency access procedure
Backup plan min frequency and min retention check
Backup recovery point should be encrypted
Backup recovery point manual deletion should be disabled
DynamoDB tables should be in a backup plan
DynamoDB table point-in-time recovery should be enabled
DynamoDB table should be protected by backup plan
EBS volumes should be in a backup plan
EBS volumes should be protected by backup plan
EC2 instance should have EBS optimization enabled
EC2 instances should be protected by backup plan
EFS file systems should be in a backup plan
EFS file systems should be protected by backup plan
ElastiCache Redis cluster automatic backup should be enabled with retention period of 15 days or greater
FSx file system should be protected by backup plan
RDS Aurora clusters should be protected by backup plan
RDS DB instance backup should be enabled
RDS DB instances should be in a backup plan
RDS DB instance should be protected by backup plan
Amazon Redshift clusters should have automatic snapshots enabled
S3 bucket cross-region replication should be enabled
S3 bucket versioning should be enabled
164.312(a)(2)(iv) Encryption and decryption
API Gateway stage cache encryption at rest should be enabled
CloudTrail trail logs should be encrypted with KMS CMK
DynamoDB Accelerator (DAX) clusters should be encrypted at rest
DynamoDB table should be encrypted with AWS KMS
DynamoDB table should have encryption enabled
EBS volume encryption at rest should be enabled
EBS default encryption should be enabled
EFS file system encryption at rest should be enabled
EKS clusters should be configured to have Kubernetes secrets encrypted using KMS
ES domain encryption at rest should be enabled
KMS CMK rotation should be enabled
KMS key decryption should be restricted in IAM customer managed policy
KMS key decryption should be restricted in IAM inline policy
KMS keys should not be pending deletion
Log group encryption at rest should be enabled
RDS DB instance encryption at rest should be enabled
RDS DB snapshots should be encrypted at rest
Redshift cluster encryption in transit should be enabled
Redshift cluster audit logging and encryption should be enabled
S3 bucket default encryption should be enabled with KMS
S3 bucket default encryption should be enabled
S3 buckets should enforce SSL
SageMaker endpoint configuration encryption should be enabled
SageMaker notebook instance encryption should be enabled
SNS topics should be encrypted at rest
164.312(b) Audit controls
API Gateway stage logging should be enabled
At least one multi-region AWS CloudTrail should be present in an account
All S3 buckets should log S3 data events in CloudTrail
At least one enabled trail should be present in a region
CloudTrail trails should be integrated with CloudWatch logs
CloudTrail trail log file validation should be enabled
Log group retention period should be at least 365 days
ELB application and classic load balancer logging should be enabled
GuardDuty should be enabled
Database logging should be enabled
Redshift cluster audit logging and encryption should be enabled
S3 bucket logging should be enabled
AWS Security Hub should be enabled for an AWS Account
VPC flow logs should be enabled
Logging should be enabled on AWS WAFv2 regional and global web access control lists (ACLs)
164.312(c)(1) Integrity
CloudTrail trail logs should be encrypted with KMS CMK
CloudTrail trail log file validation should be enabled
Attached EBS volumes should have encryption enabled
S3 bucket default encryption should be enabled
S3 buckets should enforce SSL
S3 bucket object lock should be enabled
S3 bucket versioning should be enabled
164.312(c)(2) Mechanism to authenticate electronic protected health information
CloudTrail trail logs should be encrypted with KMS CMK
CloudTrail trail log file validation should be enabled
Attached EBS volumes should have encryption enabled
S3 bucket default encryption should be enabled
S3 buckets should enforce SSL
S3 bucket object lock should be enabled
S3 bucket versioning should be enabled
VPC flow logs should be enabled
164.312(d) Person or entity authentication
IAM password policies for users should have strong configurations
IAM root user hardware MFA should be enabled
IAM root user MFA should be enabled
IAM users with console access should have MFA enabled
IAM user MFA should be enabled
164.312(e)(1) Transmission security
ACM certificates should be set to expire within 30 days
API Gateway stage cache encryption at rest should be enabled
CloudFront distributions should require encryption in transit
ELB application load balancers should drop HTTP headers
ELB application load balancers should redirect HTTP requests to HTTPS
ELB classic load balancers should use SSL certificates
ELB classic load balancers should only use SSL or HTTPS listeners
Elasticsearch domain node-to-node encryption should be enabled
Redshift cluster encryption in transit should be enabled
EC2 instances should be in a VPC
ES domains should be in a VPC
Lambda functions should be in a VPC
S3 buckets should enforce SSL
VPC security groups should restrict ingress access on ports 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0
VPC security groups should restrict ingress SSH access from 0.0.0.0/0
VPC security groups should restrict ingress TCP and UDP access from 0.0.0.0/0
164.312(e)(2)(i) Integrity controls
At least one multi-region AWS CloudTrail should be present in an account
All S3 buckets should log S3 data events in CloudTrail
At least one enabled trail should be present in a region
CloudTrail trails should be integrated with CloudWatch logs
ELB application load balancers should redirect HTTP requests to HTTPS
ELB classic load balancers should use SSL certificates
GuardDuty should be enabled
Redshift cluster encryption in transit should be enabled
S3 buckets should enforce SSL
S3 bucket logging should be enabled
AWS Security Hub should be enabled for an AWS Account
164.312(e)(2)(ii) Encryption
API Gateway stage cache encryption at rest should be enabled
CloudTrail trail logs should be encrypted with KMS CMK
DynamoDB Accelerator (DAX) clusters should be encrypted at rest
DynamoDB table should be encrypted with AWS KMS
DynamoDB table should have encryption enabled
EBS volume encryption at rest should be enabled
EBS default encryption should be enabled
EFS file system encryption at rest should be enabled
EKS clusters should be configured to have Kubernetes secrets encrypted using KMS
ELB application load balancers should redirect HTTP requests to HTTPS
ELB classic load balancers should use SSL certificates
ES domain encryption at rest should be enabled
Log group encryption at rest should be enabled
RDS DB instance encryption at rest should be enabled
RDS DB snapshots should be encrypted at rest
Redshift cluster encryption in transit should be enabled
Redshift cluster audit logging and encryption should be enabled
S3 bucket default encryption should be enabled with KMS
S3 bucket default encryption should be enabled
S3 buckets should enforce SSL
SageMaker endpoint configuration encryption should be enabled
SageMaker notebook instance encryption should be enabled
SNS topics should be encrypted at rest
NIST 800-53 Revision 4
Access Control (AC)
Account Management (AC-2)
AC-2(1) Automated System Account Management
GuardDuty should be enabled
IAM password policies for users should have strong configurations
IAM user access keys should be rotated at least every 90 days
IAM users should be in at least one group
IAM user credentials that have not been used in 90 days should be disabled
Secrets Manager secrets should be rotated as per the rotation schedule
AWS Security Hub should be enabled for an AWS Account
AC-2(3) Disable Inactive Accounts
IAM user credentials that have not been used in 90 days should be disabled
AC-2(4) Automated Audit Actions
At least one multi-region AWS CloudTrail should be present in an account
At least one enabled trail should be present in a region
CloudTrail trails should be integrated with CloudWatch logs
CloudWatch alarm action should be enabled
GuardDuty should be enabled
Database logging should be enabled
Redshift cluster audit logging and encryption should be enabled
AWS Security Hub should be enabled for an AWS Account
AC-2(12) Account Monitoring
GuardDuty should be enabled