Hub
Hub
Plugins
Mods
Docs
Home
Mods
turbot
/
aws_compliance
169 Stars
Overview
386
Controls
200
Queries
GitHub
Install Mod
CIS v1.3.0
1 Identity and Access Management
1.1 Maintain current contact details
1.2 Ensure security contact information is registered
1.3 Ensure security questions are registered in the AWS account
1.4 Ensure no root user account access key exists
1.5 Ensure MFA is enabled for the "root user" account
1.6 Ensure hardware MFA is enabled for the "root user" account
1.7 Eliminate use of the root user for administrative and daily tasks
1.8 Ensure IAM password policy requires minimum length of 14 or greater
1.9 Ensure IAM password policy prevents password reuse
1.10 Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password
1.11 Do not setup access keys during initial user setup for all IAM users that have a console password
1.12 Ensure credentials unused for 90 days or greater are disabled
1.13 Ensure there is only one active access key available for any single IAM user
1.14 Ensure access keys are rotated every 90 days or less
1.15 Ensure IAM Users Receive Permissions Only Through Groups
1.16 Ensure IAM policies that allow full "*:*" administrative privileges are not attached
1.17 Ensure a support role has been created to manage incidents with AWS Support
1.18 Ensure IAM instance roles are used for AWS resource access from instances
1.19 Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed
1.20 Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'
1.21 Ensure that IAM Access analyzer is enabled
1.22 Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments
2 Storage
2.1 Simple Storage Service (S3)
2.1.1 Ensure all S3 buckets employ encryption-at-rest
2.1.2 Ensure S3 Bucket Policy allows HTTPS requests
2.2 Elastic Compute Cloud (EC2)
2.2.1 Ensure EBS volume encryption is enabled
3 Logging
3.1 Ensure CloudTrail is enabled in all regions
3.2 Ensure CloudTrail log file validation is enabled.
3.3 Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible
3.4 Ensure CloudTrail trails are integrated with CloudWatch Logs
3.5 Ensure AWS Config is enabled in all regions
3.6 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
3.7 Ensure CloudTrail logs are encrypted at rest using KMS CMKs
3.8 Ensure rotation for customer created CMKs is enabled
3.9 Ensure VPC flow logging is enabled in all VPCs
3.10 Ensure that Object-level logging for write events is enabled for S3 bucket
3.11 Ensure that Object-level logging for read events is enabled for S3 bucket
4 Monitoring
4.1 Ensure a log metric filter and alarm exist for unauthorized API calls
4.2 Ensure a log metric filter and alarm exist for Management Console sign-in without MFA
4.3 Ensure a log metric filter and alarm exist for usage of "root" account
4.4 Ensure a log metric filter and alarm exist for IAM policy changes
4.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes
4.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
4.7 Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs
4.8 Ensure a log metric filter and alarm exist for S3 bucket policy changes
4.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes
4.10 Ensure a log metric filter and alarm exist for security group changes
4.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)
4.12 Ensure a log metric filter and alarm exist for changes to network gateways
4.13 Ensure a log metric filter and alarm exist for route table changes
4.14 Ensure a log metric filter and alarm exist for VPC changes
4.15 Ensure a log metric filter and alarm exists for AWS Organizations changes
5 Networking
5.1 Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports
5.2 Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports
5.3 Ensure the default security group of every VPC restricts all traffic
5.4 Ensure routing tables for VPC peering are 'least access'
CIS v1.4.0
1 Identity and Access Management
1.1 Maintain current contact details
1.2 Ensure security contact information is registered
1.3 Ensure security questions are registered in the AWS account
1.4 Ensure no 'root' user account access key exists
1.5 Ensure MFA is enabled for the 'root' user account
1.6 Ensure hardware MFA is enabled for the 'root' user account
1.7 Eliminate use of the 'root' user for administrative and daily tasks
1.8 Ensure IAM password policy requires minimum length of 14 or greater
1.9 Ensure IAM password policy prevents password reuse
1.10 Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password
1.11 Do not setup access keys during initial user setup for all IAM users that have a console password
1.12 Ensure credentials unused for 45 days or greater are disabled
1.13 Ensure there is only one active access key available for any single IAM user
1.14 Ensure access keys are rotated every 90 days or less
1.15 Ensure IAM Users Receive Permissions Only Through Groups
1.16 Ensure IAM policies that allow full "*:*" administrative privileges are not attached
1.17 Ensure a support role has been created to manage incidents with AWS Support
1.18 Ensure IAM instance roles are used for AWS resource access from instances
1.19 Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed
1.20 Ensure that IAM Access analyzer is enabled for all regions
1.21 Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments
2 Storage
2.1 Simple Storage Service (S3)
2.1.1 Ensure all S3 buckets employ encryption-at-rest
2.1.2 Ensure S3 Bucket Policy is set to deny HTTP requests
2.1.3 Ensure MFA Delete is enable on S3 buckets
2.1.4 Ensure all data in Amazon S3 has been discovered, classified and secured when required
2.1.5 Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'
2.2 Elastic Compute Cloud (EC2)
2.2.1 Ensure EBS volume encryption is enabled
2.3 Relational Database Service (RDS)
2.3.1 Ensure that encryption is enabled for RDS Instances
3 Logging
3.1 Ensure CloudTrail is enabled in all regions
3.2 Ensure CloudTrail log file validation is enabled
3.3 Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible
3.4 Ensure CloudTrail trails are integrated with CloudWatch Logs
3.5 Ensure AWS Config is enabled in all regions
3.6 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
3.7 Ensure CloudTrail logs are encrypted at rest using KMS CMKs
3.8 Ensure rotation for customer created CMKs is enabled
3.9 Ensure VPC flow logging is enabled in all VPCs
3.10 Ensure that Object-level logging for write events is enabled for S3 bucket
3.11 Ensure that Object-level logging for read events is enabled for S3 bucket
4 Monitoring
4.1 Ensure a log metric filter and alarm exist for unauthorized API calls
4.2 Ensure a log metric filter and alarm exist for Management Console sign-in without MFA
4.3 Ensure a log metric filter and alarm exist for usage of 'root' account
4.4 Ensure a log metric filter and alarm exist for IAM policy changes
4.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes
4.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
4.7 Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs
4.8 Ensure a log metric filter and alarm exist for S3 bucket policy changes
4.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes
4.10 Ensure a log metric filter and alarm exist for security group changes
4.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)
4.12 Ensure a log metric filter and alarm exist for changes to network gateways
4.13 Ensure a log metric filter and alarm exist for route table changes
4.14 Ensure a log metric filter and alarm exist for VPC changes
4.15 Ensure a log metric filter and alarm exists for AWS Organizations changes
5 Networking
5.1 Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports
5.2 Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports
5.3 Ensure the default security group of every VPC restricts all traffic
5.4 Ensure routing tables for VPC peering are "least access"
AWS Foundational Security Best Practices
ACM
1 Imported ACM certificates should be renewed after a specified time period
API Gateway
1 API Gateway REST and WebSocket API logging should be enabled
2 API Gateway REST API stages should be configured to use SSL certificates for backend authentication
3 API Gateway REST API stages should have AWS X-Ray tracing enabled
4 API Gateway should be associated with an AWS WAF web ACL
5 API Gateway REST API cache data should be encrypted at rest
Auto Scaling
1 Auto Scaling groups associated with a load balancer should use load balancer health checks
CloudFront
1 CloudFront distributions should have a default root object configured
2 CloudFront distributions should have origin access identity enabled
3 CloudFront distributions should require encryption in transit
4 CloudFront distributions should have origin failover configured
5 CloudFront distributions should have logging enabled
6 CloudFront distributions should have AWS WAF enabled
CloudTrail
1 CloudTrail should be enabled and configured with at least one multi-Region trail
2 CloudTrail should have encryption at rest enabled
4 Ensure CloudTrail log file validation is enabled
5 Ensure CloudTrail trails are integrated with Amazon CloudWatch Logs
CodeBuild
1 CodeBuild GitHub or Bitbucket source repository URLs should use OAuth
2 CodeBuild project environment variables should not contain clear text credentials
Config
1 AWS Config should be enabled
DMS
1 AWS Database Migration Service replication instances should not be public
DynamoDB
1 DynamoDB tables should automatically scale capacity with demand
2 DynamoDB tables should have point-in-time recovery enabled
3 DynamoDB Accelerator (DAX) clusters should be encrypted at rest
EC2
1 Amazon EBS snapshots should not be public, determined by the ability to be restorable by anyone
2 The VPC default security group should not allow inbound and outbound traffic
3 Attached EBS volumes should be encrypted at rest
4 Stopped EC2 instances should be removed after a specified time period
6 VPC flow logging should be enabled in all VPCs
7 EBS default encryption should be enabled
8 EC2 instances should use IMDSv2
9 EC2 instances should not have a public IP address
10 Amazon EC2 should be configured to use VPC endpoints
15 EC2 subnets should not automatically assign public IP addresses
16 Unused network access control lists should be removed
17 EC2 instances should not use multiple ENIs
18 Security groups should only allow unrestricted incoming traffic for authorized ports
19 Security groups should not allow unrestricted access to ports with high risk
Elastic Container Service
1 Amazon ECS task definitions should have secure networking modes and user definitions
2 Amazon ECS services should not have public IP addresses assigned to them automatically
EFS
1 Amazon EFS should be configured to encrypt file data at rest using AWS KMS
2 Amazon EFS volumes should be in backup plans
Elastic Beanstalk
1 Elastic Beanstalk environments should have enhanced health reporting enabled
ELB
3 Classic Load Balancer listeners should be configured with HTTPS or TLS termination
4 Application load balancers should be configured to drop HTTP headers
5 Application and Classic Load Balancers logging should be enabled
6 Application Load Balancer deletion protection should be enabled
7 Classic Load Balancers should have connection draining enabled
ELBv2
1 Application Load Balancer should be configured to redirect all HTTP requests to HTTPS
EMR
1 Amazon EMR cluster master nodes should not have public IP addresses
Elasticsearch
1 Elasticsearch domains should have encryption at-rest enabled
2 Amazon Elasticsearch Service domains should be in a VPC
3 Amazon Elasticsearch Service domains should encrypt data sent between nodes
6 Elasticsearch domains should have at least three data nodes
7 Elasticsearch domains should be configured with at least three dedicated master nodes
8 Connections to Elasticsearch domains should be encrypted using TLS 1.2
GuardDuty
1 GuardDuty should be enabled
IAM
1 IAM policies should not allow full '*' administrative privileges
2 IAM users should not have IAM policies attached
3 IAM users' access keys should be rotated every 90 days or less
4 IAM root user access key should not exist
5 MFA should be enabled for all IAM users that have a console password
6 Hardware MFA should be enabled for the root user
7 Password policies for IAM users should have strong configurations
8 Unused IAM user credentials should be removed
21 IAM customer managed policies that you create should not allow wildcard actions for services
KMS
1 IAM customer managed policies should not allow decryption actions on all KMS keys
2 IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys
3 AWS KMS keys should not be unintentionally deleted
Lambda
1 Lambda function policies should prohibit public access
2 Lambda functions should use latest runtimes
4 Lambda functions should have a dead-letter queue configured
RDS
1 RDS snapshots should be private
2 RDS DB instances should prohibit public access, determined by the PubliclyAccessible configuration
3 RDS DB instances should have encryption at rest enabled
4 RDS cluster snapshots and database snapshots should be encrypted at rest
5 RDS DB instances should be configured with multiple Availability Zones
6 Enhanced monitoring should be configured for RDS DB instances and clusters
7 RDS clusters should have deletion protection enabled
8 RDS DB instances should have deletion protection enabled
9 Database logging should be enabled
10 IAM authentication should be configured for RDS instances
12 IAM authentication should be configured for RDS clusters
13 RDS automatic minor version upgrades should be enabled
14 Amazon Aurora clusters should have backtracking enabled
15 RDS DB clusters should be configured for multiple Availability Zones
16 RDS DB clusters should be configured to copy tags to snapshots
17 RDS DB instances should be configured to copy tags to snapshots
18 RDS instances should be deployed in a VPC
19 An RDS event notifications subscription should be configured for critical cluster events
20 An RDS event notifications subscription should be configured for critical database instance events
21 An RDS event notifications subscription should be configured for critical database parameter group events
22 An RDS event notifications subscription should be configured for critical database security group events
23 RDS databases and clusters should not use a database engine default port
Redshift
1 Amazon Redshift clusters should prohibit public access
2 Connections to Amazon Redshift clusters should be encrypted in transit
3 Amazon Redshift clusters should have automatic snapshots enabled
4 Amazon Redshift clusters should have audit logging enabled
6 Amazon Redshift should have automatic upgrades to major versions enabled
7 Amazon Redshift clusters should use enhanced VPC routing
S3
1 S3 Block Public Access setting should be enabled
2 S3 buckets should prohibit public read access
3 S3 buckets should prohibit public write access
4 S3 buckets should have server-side encryption enabled
5 S3 buckets should require requests to use Secure Socket Layer
6 Amazon S3 permissions granted to other AWS accounts in bucket policies should be restricted
8 S3 Block Public Access setting should be enabled at the bucket level
SageMaker
1 SageMaker notebook instances should not have direct internet access
Secrets Manager
1 Secrets Manager secrets should have automatic rotation enabled
2 Secrets Manager secrets configured with automatic rotation should rotate successfully
3 Remove unused Secrets Manager secrets
4 Secrets Manager secrets should be rotated within a specified number of days
SNS
1 SNS topics should be encrypted at rest using AWS KMS
SSM
1 EC2 instances should be managed by AWS Systems Manager
2 All EC2 instances managed by Systems Manager should be compliant with patching requirements
3 Instances managed by Systems Manager should have an association compliance status of COMPLIANT
SQS
1 Amazon SQS queues should be encrypted at rest
HIPAA
164.308(a)(1)(ii)(B) Risk Management
API Gateway stage cache encryption at rest should be enabled
Auto Scaling groups with a load balancer should use health checks
CloudTrail trail logs should be encrypted with KMS CMK
CloudTrail trail log file validation should be enabled
CodeBuild project plaintext environment variables should not contain sensitive AWS values
CodeBuild GitHub or Bitbucket source repository URLs should use OAuth
DMS replication instances should not be publicly accessible
DynamoDB table auto scaling should be enabled
DynamoDB table point-in-time recovery should be enabled
EBS snapshots should not be publicly restorable
EBS volume encryption at rest should be enabled
EBS default encryption should be enabled
EC2 instances should be in a VPC
EC2 instances should not have a public IP address
EC2 stopped instances should be removed in 30 days
EFS file system encryption at rest should be enabled
ElastiCache Redis cluster automatic backup should be enabled with retention period of 15 days or greater
ELB application load balancer deletion protection should be enabled
ELB application load balancers should redirect HTTP requests to HTTPS
ELB classic load balancers should use SSL certificates
EMR cluster master nodes should not have public IP addresses
ES domain encryption at rest should be enabled
ES domains should be in a VPC
IAM policy should not have statements with admin access
IAM root user should not have access keys
KMS keys should not be pending deletion
Lambda functions should be in a VPC
Lambda functions should restrict public access
Log group encryption at rest should be enabled
RDS DB instance backup should be enabled
RDS DB instance encryption at rest should be enabled
RDS DB instance multiple az should be enabled
RDS DB snapshots should be encrypted at rest
RDS snapshots should prohibit public access
Redshift cluster encryption in transit should be enabled
Redshift cluster audit logging and encryption should be enabled
Redshift clusters should prohibit public access
S3 bucket cross-region replication should enabled
S3 bucket default encryption should be enabled
S3 buckets should enforce SSL
S3 bucket object lock should be enabled
S3 buckets should prohibit public read access
S3 buckets should prohibit public write access
S3 bucket versioning should be enabled
S3 public access should be blocked at account level
SageMaker endpoint configuration encryption should be enabled
SageMaker notebook instances should not have direct internet access
SageMaker notebook instance encryption should be enabled
SNS topics should be encrypted at rest
VPC internet gateways should be attached to authorized vpc
VPC security groups should restrict ingress access on ports 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0
VPC security groups should restrict ingress SSH access from 0.0.0.0/0
VPC security groups should restrict ingress TCP and UDP access from 0.0.0.0/0
Both VPN tunnels provided by AWS Site-to-Site VPN should be in UP status
164.308(a)(1)(ii)(D) Information system activity review
API Gateway stage logging should be enabled
At least one multi-region AWS CloudTrail should be present in an account
All S3 buckets should log S3 data events in CloudTrail
At least one enabled trail should be present in a region
CloudTrail trails should be integrated with CloudWatch logs
ELB application and classic load balancer logging should be enabled
GuardDuty should be enabled
Redshift cluster audit logging and encryption should be enabled
S3 bucket logging should be enabled
AWS Security Hub should be enabled for an AWS Account
VPC flow logs should be enabled
164.308(a)(3)(i) Workforce security
DMS replication instances should not be publicly accessible
EBS snapshots should not be publicly restorable
EC2 instances should be in a VPC
EC2 instances should not have a public IP address
ES domains should be in a VPC
IAM groups should have at least one user
IAM policy should not have statements with admin access
IAM root user should not have access keys
IAM users should be in at least one group
IAM user should not have any inline or attached policies
Lambda functions should be in a VPC
Lambda functions should restrict public access
RDS DB instances should prohibit public access
RDS snapshots should prohibit public access
Redshift clusters should prohibit public access
S3 buckets should prohibit public read access
S3 buckets should prohibit public write access
S3 public access should be blocked at account and bucket levels
SageMaker notebook instances should not have direct internet access
164.308(a)(3)(ii)(A) Authorization and/or supervision
API Gateway stage logging should be enabled
At least one enabled trail should be present in a region
At least one multi-region AWS CloudTrail should be present in an account
All S3 buckets should log S3 data events in CloudTrail
ELB application and classic load balancer logging should be enabled
EMR cluster Kerberos should be enabled
GuardDuty should be enabled
IAM root user hardware MFA should be enabled
IAM root user MFA should be enabled
IAM users with console access should have MFA enabled
IAM user MFA should be enabled
Redshift cluster audit logging and encryption should be enabled
S3 bucket logging should be enabled
AWS Security Hub should be enabled for an AWS Account
VPC flow logs should be enabled
164.308(a)(3)(ii)(B) Workforce clearance procedure
IAM groups should have at least one user
IAM policy should not have statements with admin access
IAM root user should not have access keys
IAM users should be in at least one group
IAM user should not have any inline or attached policies
IAM user credentials that have not been used in 90 days should be disabled
164.308(a)(3)(ii)(C) Termination procedures
IAM user access keys should be rotated at least every 90 days
164.308(a)(4)(i) Information access management
IAM groups should have at least one user
IAM policy should not have statements with admin access
IAM users should be in at least one group
IAM user should not have any inline or attached policies
164.308(a)(4)(ii)(B) Access authorization
IAM groups should have at least one user
IAM policy should not have statements with admin access
IAM users should be in at least one group
IAM user should not have any inline or attached policies
164.308(a)(4)(ii)(C) Access establishment and modification
IAM password policies for users should have strong configurations
IAM groups should have at least one user
IAM policy should not have statements with admin access
IAM root user should not have access keys
IAM user access keys should be rotated at least every 90 days
IAM users should be in at least one group
IAM user should not have any inline or attached policies
IAM user credentials that have not been used in 90 days should be disabled
Secrets Manager secrets should have automatic rotation enabled
164.308(a)(6)(i) Security incident procedures
CloudWatch alarm action should be enabled
GuardDuty should be enabled
Lambda functions should be configured with a dead-letter queue
AWS Security Hub should be enabled for an AWS Account
164.308(a)(6)(ii) Response and reporting
API Gateway stage logging should be enabled
At least one multi-region AWS CloudTrail should be present in an account
All S3 buckets should log S3 data events in CloudTrail
At least one enabled trail should be present in a region
CloudTrail trails should be integrated with CloudWatch logs
ELB application and classic load balancer logging should be enabled
GuardDuty should be enabled
GuardDuty findings should be archived
S3 bucket logging should be enabled
AWS Security Hub should be enabled for an AWS Account
VPC flow logs should be enabled
164.308(a)(7)(i) Contingency plan
Auto Scaling groups with a load balancer should use health checks
DynamoDB table auto scaling should be enabled
RDS DB instance multiple az should be enabled
S3 bucket cross-region replication should enabled
Both VPN tunnels provided by AWS Site-to-Site VPN should be in UP status
164.308(a)(7)(ii)(A) Data backup plan
DynamoDB table point-in-time recovery should be enabled
ElastiCache Redis cluster automatic backup should be enabled with retention period of 15 days or greater
RDS DB instance backup should be enabled
S3 bucket cross-region replication should enabled
S3 bucket versioning should be enabled
164.312(a)(1) Access control
DMS replication instances should not be publicly accessible
EBS snapshots should not be publicly restorable
EC2 instances should be in a VPC
EC2 instances should not have a public IP address
EMR cluster Kerberos should be enabled
EMR cluster master nodes should not have public IP addresses
ES domains should be in a VPC
IAM groups should have at least one user
IAM policy should not have statements with admin access
IAM users should be in at least one group
IAM user should not have any inline or attached policies
Lambda functions should be in a VPC
Lambda functions should restrict public access
RDS DB instances should prohibit public access
RDS snapshots should prohibit public access
Redshift clusters should prohibit public access
S3 buckets should prohibit public read access
S3 buckets should prohibit public write access
S3 public access should be blocked at account and bucket levels
SageMaker notebook instances should not have direct internet access
164.312(a)(2)(i) Unique user identification
IAM root user should not have access keys
164.312(a)(2)(ii) Emergency access procedure
DynamoDB table point-in-time recovery should be enabled
ElastiCache Redis cluster automatic backup should be enabled with retention period of 15 days or greater
RDS DB instance backup should be enabled
S3 bucket cross-region replication should enabled
S3 bucket versioning should be enabled
164.312(a)(2)(iv) Encryption and decryption
API Gateway stage cache encryption at rest should be enabled
CloudTrail trail logs should be encrypted with KMS CMK
EBS volume encryption at rest should be enabled
EBS default encryption should be enabled
EFS file system encryption at rest should be enabled
ES domain encryption at rest should be enabled
KMS keys should not be pending deletion
Log group encryption at rest should be enabled
RDS DB instance encryption at rest should be enabled
RDS DB snapshots should be encrypted at rest
Redshift cluster encryption in transit should be enabled
Redshift cluster audit logging and encryption should be enabled
S3 bucket default encryption should be enabled
S3 buckets should enforce SSL
SageMaker endpoint configuration encryption should be enabled
SageMaker notebook instance encryption should be enabled
SNS topics should be encrypted at rest
164.312(b) Audit controls
API Gateway stage logging should be enabled
At least one multi-region AWS CloudTrail should be present in an account
All S3 buckets should log S3 data events in CloudTrail
At least one enabled trail should be present in a region
CloudTrail trails should be integrated with CloudWatch logs
ELB application and classic load balancer logging should be enabled
GuardDuty should be enabled
Redshift cluster audit logging and encryption should be enabled
S3 bucket logging should be enabled
AWS Security Hub should be enabled for an AWS Account
VPC flow logs should be enabled
164.312(c)(1) Integrity
CloudTrail trail log file validation should be enabled
S3 bucket object lock should be enabled
S3 bucket versioning should be enabled
164.312(c)(2) Mechanism to authenticate electronic protected health information
CloudTrail trail log file validation should be enabled
S3 bucket object lock should be enabled
S3 bucket versioning should be enabled
164.312(d) Person or entity authentication
IAM password policies for users should have strong configurations
IAM root user hardware MFA should be enabled
IAM root user MFA should be enabled
IAM users with console access should have MFA enabled
IAM user MFA should be enabled
164.312(e)(1) Transmission security
EC2 instances should be in a VPC
ELB classic load balancers should use SSL certificates
ES domains should be in a VPC
Lambda functions should be in a VPC
Redshift cluster encryption in transit should be enabled
S3 buckets should enforce SSL
VPC security groups should restrict ingress access on ports 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0
VPC security groups should restrict ingress SSH access from 0.0.0.0/0
VPC security groups should restrict ingress TCP and UDP access from 0.0.0.0/0
164.312(e)(2)(i) Integrity controls
At least one multi-region AWS CloudTrail should be present in an account
All S3 buckets should log S3 data events in CloudTrail
At least one enabled trail should be present in a region
CloudTrail trails should be integrated with CloudWatch logs
ELB application load balancers should redirect HTTP requests to HTTPS
ELB classic load balancers should use SSL certificates
GuardDuty should be enabled
Redshift cluster encryption in transit should be enabled
S3 buckets should enforce SSL
S3 bucket logging should be enabled
AWS Security Hub should be enabled for an AWS Account
164.312(e)(2)(ii) Encryption
API Gateway stage cache encryption at rest should be enabled
CloudTrail trail logs should be encrypted with KMS CMK
EBS volume encryption at rest should be enabled
EBS default encryption should be enabled
EFS file system encryption at rest should be enabled
ELB application load balancers should redirect HTTP requests to HTTPS
ELB classic load balancers should use SSL certificates
ES domain encryption at rest should be enabled
Log group encryption at rest should be enabled
RDS DB instance encryption at rest should be enabled
RDS DB snapshots should be encrypted at rest
Redshift cluster encryption in transit should be enabled
S3 bucket default encryption should be enabled
S3 buckets should enforce SSL
SageMaker endpoint configuration encryption should be enabled
SageMaker notebook instance encryption should be enabled
SNS topics should be encrypted at rest
NIST 800-53 Revision 4
Access Control (AC)
Account Management (AC-2)
AC-2(1) Automated System Account Management
GuardDuty should be enabled
IAM password policies for users should have strong configurations
IAM user access keys should be rotated at least every 90 days
IAM users should be in at least one group
IAM user credentials that have not been used in 90 days should be disabled
Secrets Manager secrets should be rotated as per the rotation schedule
AWS Security Hub should be enabled for an AWS Account
AC-2(3) Disable Inactive Accounts
IAM user credentials that have not been used in 90 days should be disabled
AC-2(4) Automated Audit Actions
At least one multi-region AWS CloudTrail should be present in an account
At least one enabled trail should be present in a region
CloudTrail trails should be integrated with CloudWatch logs
CloudWatch alarm action should be enabled
GuardDuty should be enabled
Database logging should be enabled
Redshift cluster audit logging and encryption should be enabled
AWS Security Hub should be enabled for an AWS Account
AC-2(12) Account Monitoring
GuardDuty should be enabled
AWS Security Hub should be enabled for an AWS Account
All S3 buckets should log S3 data events in CloudTrail
At least one enabled trail should be present in a region
CloudTrail trails should be integrated with CloudWatch logs
EMR cluster Kerberos should be enabled
GuardDuty should be enabled
IAM password policies for users should have strong configurations
IAM groups should have at least one user
IAM policy should not have statements with admin access
IAM root user MFA should be enabled
IAM root user should not have access keys
IAM user access keys should be rotated at least every 90 days
IAM users should be in at least one group
IAM user should not have any inline or attached policies
IAM user credentials that have not been used in 90 days should be disabled
Database logging should be enabled
Redshift cluster audit logging and encryption should be enabled
S3 bucket logging should be enabled
Secrets Manager secrets should be rotated as per the rotation schedule
AWS Security Hub should be enabled for an AWS Account
Access Enforcement (AC-3)
DMS replication instances should not be publicly accessible
EBS snapshots should not be publicly restorable
EMR cluster Kerberos should be enabled
IAM groups should have at least one user
IAM policy should not have statements with admin access
IAM root user should not have access keys
IAM users should be in at least one group
IAM user should not have any inline or attached policies
IAM user credentials that have not been used in 90 days should be disabled
Lambda functions should restrict public access
RDS snapshots should prohibit public access
Redshift clusters should prohibit public access
SageMaker notebook instances should not have direct internet access
S3 buckets should prohibit public read access
S3 buckets should prohibit public write access
S3 public access should be blocked at account and bucket levels
Information Flow Enforcement (AC-4)
ACM certificates should be set to expire within 30 days
DMS replication instances should not be publicly accessible
EBS snapshots should not be publicly restorable
EC2 instances should be in a VPC
EC2 instances should not have a public IP address
EMR cluster master nodes should not have public IP addresses
ES domains should be in a VPC
Lambda functions should be in a VPC
Lambda functions should restrict public access
RDS DB instances should prohibit public access
RDS snapshots should prohibit public access
Redshift clusters should prohibit public access
S3 buckets should prohibit public read access
S3 buckets should prohibit public write access
S3 public access should be blocked at account and bucket levels
SageMaker notebook instances should not have direct internet access
VPC default security group should not allow inbound and outbound traffic
VPC internet gateways should be attached to authorized vpc
VPC security groups should restrict ingress access on ports 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0
VPC security groups should restrict ingress SSH access from 0.0.0.0/0
VPC security groups should restrict ingress TCP and UDP access from 0.0.0.0/0
Separation Of Duties (AC-5)
EMR cluster Kerberos should be enabled
IAM groups should have at least one user
IAM policy should not have statements with admin access
IAM user should not have any inline or attached policies
Least Privilege (AC-6)
AC-6(10) Prohibit Non-Privileged Users From Executing Privileged Functions
IAM root user should not have access keys
CodeBuild project plaintext environment variables should not contain sensitive AWS values
DMS replication instances should not be publicly accessible
EBS snapshots should not be publicly restorable
EC2 instances should not have a public IP address
EC2 instances should use IMDSv2
EMR cluster Kerberos should be enabled
IAM groups should have at least one user
IAM groups, users, and roles should not have any inline policies
IAM policy should not have statements with admin access
IAM root user should not have access keys
IAM users should be in at least one group
IAM user should not have any inline or attached policies
IAM user credentials that have not been used in 90 days should be disabled
Lambda functions should restrict public access
RDS DB instances should prohibit public access
RDS snapshots should prohibit public access
Redshift clusters should prohibit public access
S3 buckets should prohibit public read access
S3 buckets should prohibit public write access
S3 public access should be blocked at account and bucket levels
SageMaker notebook instances should not have direct internet access
Remote Access (AC-17)
AC-17(1) Automated Monitoring/Control
GuardDuty should be enabled
AWS Security Hub should be enabled for an AWS Account
AC-17(2) Protection Of Confidentiality/Integrity Using Encryption
ACM certificates should be set to expire within 30 days
ELB application load balancers should be drop HTTP headers
ELB application load balancers should redirect HTTP requests to HTTPS
ELB classic load balancers should use SSL certificates
ELB classic load balancers should only use SSL or HTTPS listeners
Redshift cluster encryption in transit should be enabled
S3 buckets should enforce SSL
AC-17(3) Managed Access Control Points
VPC internet gateways should be attached to authorized vpc
Information Sharing (AC-21)
DMS replication instances should not be publicly accessible
EBS snapshots should not be publicly restorable
EC2 instances should not have a public IP address
EMR cluster master nodes should not have public IP addresses
Lambda functions should restrict public access
RDS DB instances should prohibit public access
RDS snapshots should prohibit public access
Redshift clusters should prohibit public access
S3 buckets should prohibit public read access
S3 buckets should prohibit public write access
S3 public access should be blocked at account and bucket levels
SageMaker notebook instances should not have direct internet access
Audit and Accountability (AU)
Event Logging (AU-2)
API Gateway stage logging should be enabled
At least one multi-region AWS CloudTrail should be present in an account
All S3 buckets should log S3 data events in CloudTrail
At least one enabled trail should be present in a region
CloudTrail trails should be integrated with CloudWatch logs
ELB application and classic load balancer logging should be enabled
Database logging should be enabled
Redshift cluster audit logging and encryption should be enabled
S3 bucket logging should be enabled
VPC flow logs should be enabled
Logging should be enabled on AWS WAFv2 regional and global web access control list (ACLs)
Content of Audit Records (AU-3)
API Gateway stage logging should be enabled
At least one multi-region AWS CloudTrail should be present in an account
All S3 buckets should log S3 data events in CloudTrail
At least one enabled trail should be present in a region
CloudTrail trails should be integrated with CloudWatch logs
ELB application and classic load balancer logging should be enabled
Database logging should be enabled
Redshift cluster audit logging and encryption should be enabled
S3 bucket logging should be enabled
VPC flow logs should be enabled
Logging should be enabled on AWS WAFv2 regional and global web access control list (ACLs)
Audit Review, Analysis And Reporting (AU-6)
AU-6(1) Process Integration
CloudTrail trails should be integrated with CloudWatch logs
CloudWatch alarm action should be enabled
GuardDuty should be enabled
AWS Security Hub should be enabled for an AWS Account
AU-6(3) Correlate Audit Repositories
CloudTrail trails should be integrated with CloudWatch logs
CloudWatch alarm action should be enabled
GuardDuty should be enabled
AWS Security Hub should be enabled for an AWS Account
Audit Reduction And Report Generation (AU-7)
AU-7(1) Automatic Processing
CloudWatch alarm action should be enabled
CloudTrail trails should be integrated with CloudWatch logs
Protection of Audit Information (AU-9)
AU-9(2) Audit Backup On Separate Physical Systems / Components
S3 bucket cross-region replication should enabled
CloudTrail trail logs should be encrypted with KMS CMK
Log group encryption at rest should be enabled
Audit Record Retention (AU-11)
Log group retention period should be at least 365 days
Audit Generation (AU-12)
API Gateway stage logging should be enabled
At least one multi-region AWS CloudTrail should be present in an account
All S3 buckets should log S3 data events in CloudTrail
At least one enabled trail should be present in a region
CloudTrail trails should be integrated with CloudWatch logs
ELB application and classic load balancer logging should be enabled
Database logging should be enabled
Redshift cluster audit logging and encryption should be enabled
S3 bucket logging should be enabled
VPC flow logs should be enabled
Logging should be enabled on AWS WAFv2 regional and global web access control list (ACLs)
Security Assessment And Authorization (CA)
Continuous Monitoring (CA-7)
CloudTrail trails should be integrated with CloudWatch logs
CloudWatch alarm action should be enabled
EC2 instance detailed monitoring should be enabled
GuardDuty should be enabled
RDS DB instance and cluster enhanced monitoring should be enabled
AWS Security Hub should be enabled for an AWS Account
Configuration Management (CM)
Baseline Configuration (CM-2)
At least one trail should be enabled with security best practices
Attached EBS volumes should have delete on termination enabled
EC2 instances should be managed by AWS Systems Manager
EC2 stopped instances should be removed in 30 days
ELB application load balancer deletion protection should be enabled
SSM managed instance associations should be compliant
VPC security groups should restrict ingress access on ports 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0
Least Functionality (CM-7)
EC2 instances should be managed by AWS Systems Manager
SSM managed instance associations should be compliant
Information System Component Inventory (CM-8)
CM-8(1) Updates During Installation / Removals
EC2 instances should be managed by AWS Systems Manager
CM-8(3) Automated Unauthorized Component Detection
EC2 instances should be managed by AWS Systems Manager
SSM managed instance associations should be compliant
SSM managed instance patching should be compliant
Contingency Planning (CP)
Information System Backup (CP-9)
DynamoDB tables should be in a backup plan
DynamoDB table point-in-time recovery should be enabled
EBS volumes should be in a backup plan
EFS file systems should be in a backup plan
ElastiCache Redis cluster automatic backup should be enabled with retention period of 15 days or greater
RDS DB instance backup should be enabled
RDS DB instances should be in a backup plan
S3 bucket cross-region replication should enabled
Information System Recovery And Reconstitution (CP-10)
DynamoDB table auto scaling should be enabled
DynamoDB tables should be in a backup plan
DynamoDB table point-in-time recovery should be enabled
EBS volumes should be in a backup plan
EFS file systems should be in a backup plan
ElastiCache Redis cluster automatic backup should be enabled with retention period of 15 days or greater
ELB application load balancer deletion protection should be enabled
ELB classic load balancers should have cross-zone load balancing enabled
RDS DB instance backup should be enabled
RDS DB instances should be in a backup plan
RDS DB instance multiple az should be enabled
S3 bucket cross-region replication should enabled
S3 bucket versioning should be enabled
Both VPN tunnels provided by AWS Site-to-Site VPN should be in UP status
Identification and Authentication (IA)
Identification and Authentication (Organizational users) (IA-2)
IA-2(1) Network Access To Privileged Accounts
IAM root user hardware MFA should be enabled
IAM root user MFA should be enabled
IAM users with console access should have MFA enabled
IAM user MFA should be enabled
IA-2(2) Network Access To Non-Privileged Accounts
IAM users with console access should have MFA enabled
IAM user MFA should be enabled
IA-2(11) Remote Access - Separate Device
IAM root user hardware MFA should be enabled
IAM root user MFA should be enabled
IAM users with console access should have MFA enabled
IAM user MFA should be enabled
IAM password policies for users should have strong configurations
Authenticator Management (IA-5)
IA-5(1) Password-Based Authentication
IAM password policies for users should have strong configurations
IA-5(4) Automated Support For Password Strength Determination
IAM password policies for users should have strong configurations
IA-5(7) No Embedded Unencrypted Static Authenticators
CodeBuild project plaintext environment variables should not contain sensitive AWS values
Incident Response (IR)
Incident Handling (IR-4)
IR-4(1) Automated Incident Handling Processes
CloudWatch alarm action should be enabled
GuardDuty findings should be archived
Incident Reporting (IR-6)
IR-6(1) Automated Reporting
GuardDuty findings should be archived
Incident Response Assistance (IR-7)
IR-7(1) Automation Support For Availability Of Information / Support
GuardDuty findings should be archived
Risk Assessment (RA)
Vulnerability Scanning (RA-5)
GuardDuty should be enabled
GuardDuty findings should be archived
System and Services Acquisition (SA)
System Development Life Cycle (SA-3)
CodeBuild project plaintext environment variables should not contain sensitive AWS values
CodeBuild GitHub or Bitbucket source repository URLs should use OAuth
EC2 instances should be managed by AWS Systems Manager
Developer Configuration Management (SA-10)
EC2 instances should be managed by AWS Systems Manager
GuardDuty should be enabled
GuardDuty findings should be archived
AWS Security Hub should be enabled for an AWS Account
System and Communications Protection (SC)
Application Partitioning (SC-2)
IAM groups should have at least one user
IAM policy should not have statements with admin access
Information In Shared Resources (SC-4)
Attached EBS volumes should have delete on termination enabled
Denial Of Service Protection (SC-5)
Auto Scaling groups with a load balancer should use health checks
DynamoDB table auto scaling should be enabled
ELB classic load balancers should have cross-zone load balancing enabled
RDS DB instances should have deletion protection enabled
RDS DB instance multiple az should be enabled
S3 bucket cross-region replication should enabled
Boundary Protection (SC-7)
SC-7(3) Access Points
DMS replication instances should not be publicly accessible
EBS snapshots should not be publicly restorable
EC2 instances should be in a VPC
EC2 instances should not have a public IP address
EMR cluster master nodes should not have public IP addresses
ES domains should be in a VPC
Lambda functions should be in a VPC
Lambda functions should restrict public access
RDS DB instances should prohibit public access
RDS snapshots should prohibit public access
Redshift clusters should prohibit public access
S3 buckets should prohibit public read access
S3 buckets should prohibit public write access
S3 public access should be blocked at account level
SageMaker notebook instances should not have direct internet access
VPC default security group should not allow inbound and outbound traffic
VPC internet gateways should be attached to authorized vpc
VPC security groups should restrict ingress access on ports 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0
VPC security groups should restrict ingress SSH access from 0.0.0.0/0
VPC security groups should restrict ingress TCP and UDP access from 0.0.0.0/0
DMS replication instances should not be publicly accessible
EBS snapshots should not be publicly restorable
EC2 instances should be in a VPC
EC2 instances should not have a public IP address
ELB application load balancers should be drop HTTP headers
ELB application load balancers should redirect HTTP requests to HTTPS
ELB application load balancers should have Web Application Firewall (WAF) enabled
ELB classic load balancers should use SSL certificates
ELB classic load balancers should only use SSL or HTTPS listeners
EMR cluster master nodes should not have public IP addresses
ES domains should be in a VPC
Elasticsearch domain node-to-node encryption should be enabled
Lambda functions should be in a VPC
Lambda functions should restrict public access
RDS DB instances should prohibit public access
RDS snapshots should prohibit public access
Redshift cluster encryption in transit should be enabled
Redshift clusters should prohibit public access
S3 buckets should enforce SSL
S3 buckets should prohibit public read access
S3 buckets should prohibit public write access