turbot / aws_compliance (474 controls, 252 queries)
AWS Audit Manager Control Tower Guardrails
EBS checks
1.0.1 - Disallow launch of EC2 instance types that are not EBS-optimized
EC2 instance should have EBS optimization enabled
1.0.2 - Disallow EBS volumes that are unattached to an EC2 instance
Attached EBS volumes should have delete on termination enabled
1.0.3 - Enable encryption for EBS volumes attached to EC2 instances
Attached EBS volumes should have encryption enabled
Disallow Internet Connection
2.0.1 - Disallow internet connection through RDP
VPC security groups should restrict ingress access on ports 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0
2.0.2 - Disallow internet connection through SSH
VPC security groups should restrict ingress SSH access from 0.0.0.0/0
Multi-Factor Authentication
3.0.1 - Disallow access to IAM users without MFA
IAM user MFA should be enabled
3.0.2 - Disallow console access to IAM users without MFA
IAM users with console access should have MFA enabled
3.0.3 - Enable MFA for the root user
IAM root user MFA should be enabled
Disallow Public Access
4.0.1 - Disallow public access to RDS database instances
RDS DB instances should prohibit public access
4.0.2 - Disallow public access to RDS database snapshots
RDS snapshots should prohibit public access
4.1.1 - Disallow public read access to S3 buckets
S3 buckets should prohibit public read access
4.1.2 - Disallow public write access to S3 buckets
S3 buckets should prohibit public write access
Disallow Instances
5.0.1 - Disallow RDS database instances that are not storage encrypted
RDS DB snapshots should be encrypted at rest
5.1.1 - Disallow S3 buckets that are not versioning enabled
S3 bucket versioning should be enabled
CIS v1.3.0
1 Identity and Access Management
1.1 Maintain current contact details
1.2 Ensure security contact information is registered
1.3 Ensure security questions are registered in the AWS account
1.4 Ensure no root user account access key exists
1.5 Ensure MFA is enabled for the "root user" account
1.6 Ensure hardware MFA is enabled for the "root user" account
1.7 Eliminate use of the root user for administrative and daily tasks
1.8 Ensure IAM password policy requires minimum length of 14 or greater
1.9 Ensure IAM password policy prevents password reuse
1.10 Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password
1.11 Do not setup access keys during initial user setup for all IAM users that have a console password
1.12 Ensure credentials unused for 90 days or greater are disabled
1.13 Ensure there is only one active access key available for any single IAM user
1.14 Ensure access keys are rotated every 90 days or less
1.15 Ensure IAM Users Receive Permissions Only Through Groups
1.16 Ensure IAM policies that allow full "*:*" administrative privileges are not attached
1.17 Ensure a support role has been created to manage incidents with AWS Support
1.18 Ensure IAM instance roles are used for AWS resource access from instances
1.19 Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed
1.20 Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'
1.21 Ensure that IAM Access analyzer is enabled
1.22 Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments
2 Storage
2.1 Simple Storage Service (S3)
2.1.1 Ensure all S3 buckets employ encryption-at-rest
2.1.2 Ensure S3 Bucket Policy allows HTTPS requests
2.2 Elastic Compute Cloud (EC2)
2.2.1 Ensure EBS volume encryption is enabled
3 Logging
3.1 Ensure CloudTrail is enabled in all regions
3.2 Ensure CloudTrail log file validation is enabled
3.3 Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible
3.4 Ensure CloudTrail trails are integrated with CloudWatch Logs
3.5 Ensure AWS Config is enabled in all regions
3.6 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
3.7 Ensure CloudTrail logs are encrypted at rest using KMS CMKs
3.8 Ensure rotation for customer created CMKs is enabled
3.9 Ensure VPC flow logging is enabled in all VPCs
3.10 Ensure that Object-level logging for write events is enabled for S3 bucket
3.11 Ensure that Object-level logging for read events is enabled for S3 bucket
4 Monitoring
4.1 Ensure a log metric filter and alarm exist for unauthorized API calls
4.2 Ensure a log metric filter and alarm exist for Management Console sign-in without MFA
4.3 Ensure a log metric filter and alarm exist for usage of "root" account
4.4 Ensure a log metric filter and alarm exist for IAM policy changes
4.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes
4.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
4.7 Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs
4.8 Ensure a log metric filter and alarm exist for S3 bucket policy changes
4.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes
4.10 Ensure a log metric filter and alarm exist for security group changes
4.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)
4.12 Ensure a log metric filter and alarm exist for changes to network gateways
4.13 Ensure a log metric filter and alarm exist for route table changes
4.14 Ensure a log metric filter and alarm exist for VPC changes
4.15 Ensure a log metric filter and alarm exists for AWS Organizations changes
5 Networking
5.1 Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports
5.2 Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports
5.3 Ensure the default security group of every VPC restricts all traffic
5.4 Ensure routing tables for VPC peering are 'least access'
CIS v1.4.0
1 Identity and Access Management
1.1 Maintain current contact details
1.2 Ensure security contact information is registered
1.3 Ensure security questions are registered in the AWS account
1.4 Ensure no 'root' user account access key exists
1.5 Ensure MFA is enabled for the 'root' user account
1.6 Ensure hardware MFA is enabled for the 'root' user account
1.7 Eliminate use of the 'root' user for administrative and daily tasks
1.8 Ensure IAM password policy requires minimum length of 14 or greater
1.9 Ensure IAM password policy prevents password reuse
1.10 Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password
1.11 Do not setup access keys during initial user setup for all IAM users that have a console password
1.12 Ensure credentials unused for 45 days or greater are disabled
1.13 Ensure there is only one active access key available for any single IAM user
1.14 Ensure access keys are rotated every 90 days or less
1.15 Ensure IAM Users Receive Permissions Only Through Groups
1.16 Ensure IAM policies that allow full "*:*" administrative privileges are not attached
1.17 Ensure a support role has been created to manage incidents with AWS Support
1.18 Ensure IAM instance roles are used for AWS resource access from instances
1.19 Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed
1.20 Ensure that IAM Access analyzer is enabled for all regions
1.21 Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments
2 Storage
2.1 Simple Storage Service (S3)
2.1.1 Ensure all S3 buckets employ encryption-at-rest
2.1.2 Ensure S3 Bucket Policy is set to deny HTTP requests
2.1.3 Ensure MFA Delete is enabled on S3 buckets
2.1.4 Ensure all data in Amazon S3 has been discovered, classified and secured when required
2.1.5 Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'
2.2 Elastic Compute Cloud (EC2)
2.2.1 Ensure EBS volume encryption is enabled
2.3 Relational Database Service (RDS)
2.3.1 Ensure that encryption is enabled for RDS Instances
3 Logging
3.1 Ensure CloudTrail is enabled in all regions
3.2 Ensure CloudTrail log file validation is enabled
3.3 Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible
3.4 Ensure CloudTrail trails are integrated with CloudWatch Logs
3.5 Ensure AWS Config is enabled in all regions
3.6 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
3.7 Ensure CloudTrail logs are encrypted at rest using KMS CMKs
3.8 Ensure rotation for customer created CMKs is enabled
3.9 Ensure VPC flow logging is enabled in all VPCs
3.10 Ensure that Object-level logging for write events is enabled for S3 bucket
3.11 Ensure that Object-level logging for read events is enabled for S3 bucket
4 Monitoring
4.1 Ensure a log metric filter and alarm exist for unauthorized API calls
4.2 Ensure a log metric filter and alarm exist for Management Console sign-in without MFA
4.3 Ensure a log metric filter and alarm exist for usage of 'root' account
4.4 Ensure a log metric filter and alarm exist for IAM policy changes
4.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes
4.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
4.7 Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs
4.8 Ensure a log metric filter and alarm exist for S3 bucket policy changes
4.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes
4.10 Ensure a log metric filter and alarm exist for security group changes
4.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)
4.12 Ensure a log metric filter and alarm exist for changes to network gateways
4.13 Ensure a log metric filter and alarm exist for route table changes
4.14 Ensure a log metric filter and alarm exist for VPC changes
4.15 Ensure a log metric filter and alarm exists for AWS Organizations changes
5 Networking
5.1 Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports
5.2 Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports
5.3 Ensure the default security group of every VPC restricts all traffic
5.4 Ensure routing tables for VPC peering are "least access"
FedRAMP Low Revision 4
Access Control (AC)
Account Management (AC-2)
API Gateway stage logging should be enabled
At least one multi-region AWS CloudTrail should be present in an account
All S3 buckets should log S3 data events in CloudTrail
At least one enabled trail should be present in a region
CloudTrail trails should be integrated with CloudWatch logs
CloudWatch alarm action should be enabled
ECS task definition container definitions should be checked for host mode
Elasticsearch domain should send logs to CloudWatch
GuardDuty should be enabled
Ensure IAM password policy requires a minimum length of 14 or greater
Ensure IAM policy should not grant full access to service
IAM groups should have at least one user
IAM groups, users, and roles should not have any inline policies
Ensure managed IAM policies should not allow blocked actions on KMS keys
IAM policy should not have statements with admin access
IAM root user hardware MFA should be enabled
IAM root user MFA should be enabled
IAM root user should not have access keys
IAM user access keys should be rotated at least every 90 days
IAM users with console access should have MFA enabled
IAM users should be in at least one group
IAM user MFA should be enabled
IAM user should not have any inline or attached policies
IAM user credentials that have not been used in 90 days should be disabled
Database logging should be enabled
Redshift cluster audit logging and encryption should be enabled
S3 bucket logging should be enabled
AWS Security Hub should be enabled for an AWS Account
Logging should be enabled on AWS WAFv2 regional and global web access control list (ACLs)
Access Enforcement (AC-3)
Auto Scaling launch config public IP should be disabled
DMS replication instances should not be publicly accessible
EBS snapshots should not be publicly restorable
EC2 instances should not have a public IP address
EC2 instances should use IMDSv2
ECS task definition container definitions should be checked for host mode
EMR cluster master nodes should not have public IP addresses
ES domains should be in a VPC
Ensure IAM policy should not grant full access to service
IAM groups should have at least one user
IAM groups, users, and roles should not have any inline policies
IAM policy should not have statements with admin access
IAM root user should not have access keys
IAM users should be in at least one group
IAM user should not have any inline or attached policies
IAM user credentials that have not been used in 90 days should be disabled
Lambda functions should be in a VPC
Lambda functions should restrict public access
RDS DB instances should prohibit public access
RDS snapshots should prohibit public access
Redshift clusters should prohibit public access
S3 buckets should prohibit public read access
S3 buckets should prohibit public write access
S3 public access should be blocked at account level
S3 public access should be blocked at bucket levels
SageMaker notebook instances should not have direct internet access
VPC subnet auto-assign public IP should be disabled
Remote Access (AC-17)
ACM certificates should be set to expire within 30 days
DMS replication instances should not be publicly accessible
EBS snapshots should not be publicly restorable
EC2 instances should be in a VPC
EC2 instances should not have a public IP address
ELB application load balancers should drop invalid HTTP headers
ELB application load balancers should redirect HTTP requests to HTTPS
ELB classic load balancers should use SSL certificates
ELB classic load balancers should only use SSL or HTTPS listeners
EMR cluster master nodes should not have public IP addresses
ES domains should be in a VPC
GuardDuty should be enabled
Lambda functions should be in a VPC
Lambda functions should restrict public access
RDS DB instances should prohibit public access
RDS snapshots should prohibit public access
Redshift cluster encryption in transit should be enabled
Redshift clusters should prohibit public access
S3 buckets should enforce SSL
S3 buckets should prohibit public read access
S3 buckets should prohibit public write access
S3 public access should be blocked at account level
S3 public access should be blocked at bucket levels
SageMaker notebook instances should not have direct internet access
AWS Security Hub should be enabled for an AWS Account
VPC default security group should not allow inbound and outbound traffic
VPC security groups should restrict ingress access on ports 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0
VPC security groups should restrict ingress SSH access from 0.0.0.0/0
VPC security groups should restrict ingress TCP and UDP access from 0.0.0.0/0
VPC subnet auto-assign public IP should be disabled
Audit and Accountability (AU)
Audit Events (AU-2)
API Gateway stage logging should be enabled
At least one multi-region AWS CloudTrail should be present in an account
All S3 buckets should log S3 data events in CloudTrail
At least one enabled trail should be present in a region
CloudTrail trails should be integrated with CloudWatch logs
ELB application and classic load balancer logging should be enabled
Database logging should be enabled
Redshift cluster audit logging and encryption should be enabled
S3 bucket logging should be enabled
VPC flow logs should be enabled
Logging should be enabled on AWS WAFv2 regional and global web access control list (ACLs)
Protection of Audit Information (AU-9)
CloudTrail trail logs should be encrypted with KMS CMK
CloudTrail trail log file validation should be enabled
Log group encryption at rest should be enabled
S3 bucket cross-region replication should be enabled
S3 bucket versioning should be enabled
Audit Record Retention (AU-11)
Log group retention period should be at least 365 days
Security Assessment And Authorization (CA)
Continuous Monitoring (CA-7)
Auto Scaling groups with a load balancer should use health checks
At least one multi-region AWS CloudTrail should be present in an account
All S3 buckets should log S3 data events in CloudTrail
At least one enabled trail should be present in a region
CloudWatch alarm action should be enabled
EC2 instance detailed monitoring should be enabled
Elastic Beanstalk enhanced health reporting should be enabled
ELB application load balancers should have Web Application Firewall (WAF) enabled
GuardDuty should be enabled
Lambda functions should have a concurrent execution limit configured
Lambda functions should be configured with a dead-letter queue
RDS DB instance and cluster enhanced monitoring should be enabled
Redshift cluster audit logging and encryption should be enabled
AWS Security Hub should be enabled for an AWS Account
Configuration Management (CM)
Baseline Configuration (CM-2)
API Gateway stage should be associated with WAF
Auto Scaling launch config public IP should be disabled
DMS replication instances should not be publicly accessible
EBS snapshots should not be publicly restorable
EBS volumes should be attached to EC2 instance
EC2 instances should be in a VPC
EC2 instances should not have a public IP address
EC2 instances should be managed by AWS Systems Manager
EC2 stopped instances should be removed in 30 days
ELB application load balancer deletion protection should be enabled
EMR cluster master nodes should not have public IP addresses
ES domains should be in a VPC
Lambda functions should be in a VPC
Lambda functions should restrict public access
RDS DB instances should prohibit public access
RDS snapshots should prohibit public access
Redshift clusters should prohibit public access
S3 buckets should prohibit public read access
S3 buckets should prohibit public write access
S3 public access should be blocked at account level
S3 public access should be blocked at bucket levels
SageMaker notebook instances should not have direct internet access
SSM managed instance associations should be compliant
VPC default security group should not allow inbound and outbound traffic
VPC route table should restrict public access to IGW
VPC security groups should restrict ingress access on ports 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0
VPC security groups should restrict ingress SSH access from 0.0.0.0/0
VPC security groups should restrict ingress TCP and UDP access from 0.0.0.0/0
VPC subnet auto-assign public IP should be disabled
Information System Component Inventory (CM-8)
EC2 instances should be managed by AWS Systems Manager
GuardDuty should be enabled
SSM managed instance associations should be compliant
SSM managed instance patching should be compliant
Contingency Planning (CP)
Information System Backup (CP-9)
Backup plan min frequency and min retention check
DynamoDB table point-in-time recovery should be enabled
DynamoDB table should be protected by backup plan
EBS volumes should be protected by backup plan
EC2 instances should be protected by backup plan
EFS file systems should be protected by backup plan
ElastiCache Redis cluster automatic backup should be enabled with retention period of 15 days or greater
FSx file system should be protected by backup plan
RDS Aurora clusters should be protected by backup plan
RDS DB instance backup should be enabled
RDS DB instance should be protected by backup plan
Amazon Redshift clusters should have automatic snapshots enabled
S3 bucket cross-region replication should be enabled
S3 bucket versioning should be enabled
Information System Recovery And Reconstitution (CP-10)
Backup plan min frequency and min retention check
DynamoDB table auto scaling should be enabled
DynamoDB table point-in-time recovery should be enabled
DynamoDB table should be protected by backup plan
EBS volumes should be protected by backup plan
EC2 instance should have EBS optimization enabled
EC2 instances should be protected by backup plan
EFS file systems should be protected by backup plan
ElastiCache Redis cluster automatic backup should be enabled with retention period of 15 days or greater
ELB application load balancer deletion protection should be enabled
ELB classic load balancers should have cross-zone load balancing enabled
FSx file system should be protected by backup plan
RDS Aurora clusters should be protected by backup plan
RDS DB instance backup should be enabled
RDS DB instance Multi-AZ should be enabled
RDS DB instance should be protected by backup plan
Amazon Redshift clusters should have automatic snapshots enabled
S3 bucket cross-region replication should be enabled
S3 bucket versioning should be enabled
Both VPN tunnels provided by AWS Site-to-Site VPN should be in UP status
Identification and Authentication (IA)
Identification and Authentication (Organizational users) (IA-2)
Ensure IAM password policy requires a minimum length of 14 or greater
IAM root user hardware MFA should be enabled
IAM root user MFA should be enabled
IAM root user should not have access keys
IAM users with console access should have MFA enabled
IAM user MFA should be enabled
Incident Response (IR)
Incident Handling (IR-4)
Auto Scaling groups with a load balancer should use health checks
CloudWatch alarm action should be enabled
GuardDuty should be enabled
GuardDuty findings should be archived
AWS Security Hub should be enabled for an AWS Account
System and Services Acquisition (SA)
System Development Life Cycle (SA-3)
CodeBuild project plaintext environment variables should not contain sensitive AWS values
CodeBuild GitHub or Bitbucket source repository URLs should use OAuth
EC2 instances should be managed by AWS Systems Manager
System and Communications Protection (SC)
Denial Of Service Protection (SC-5)
Auto Scaling groups with a load balancer should use health checks
DynamoDB table auto scaling should be enabled
DynamoDB table point-in-time recovery should be enabled
EC2 instance should have EBS optimization enabled
ElastiCache Redis cluster automatic backup should be enabled with retention period of 15 days or greater
ELB application load balancer deletion protection should be enabled
ELB classic load balancers should have cross-zone load balancing enabled
GuardDuty should be enabled
RDS DB instance backup should be enabled
RDS DB instances should have deletion protection enabled
RDS DB instance Multi-AZ should be enabled
Amazon Redshift clusters should have automatic snapshots enabled
S3 bucket cross-region replication should be enabled
S3 bucket versioning should be enabled
Both VPN tunnels provided by AWS Site-to-Site VPN should be in UP status
Boundary Protection (SC-7)
DMS replication instances should not be publicly accessible
EBS snapshots should not be publicly restorable
EC2 instances should be in a VPC
EC2 instances should not have a public IP address
ELB application load balancers should redirect HTTP requests to HTTPS
ELB application load balancers should have Web Application Firewall (WAF) enabled
ELB classic load balancers should use SSL certificates
ELB classic load balancers should only use SSL or HTTPS listeners
EMR cluster master nodes should not have public IP addresses
ES domains should be in a VPC
Elasticsearch domain node-to-node encryption should be enabled
Lambda functions should be in a VPC
Lambda functions should restrict public access
RDS DB instances should prohibit public access
RDS snapshots should prohibit public access
Redshift cluster encryption in transit should be enabled
Redshift clusters should prohibit public access
S3 buckets should enforce SSL
S3 buckets should prohibit public read access
S3 buckets should prohibit public write access
S3 public access should be blocked at account level
S3 public access should be blocked at bucket levels
SageMaker notebook instances should not have direct internet access
VPC default security group should not allow inbound and outbound traffic
VPC security groups should restrict ingress access on ports 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0
VPC security groups should restrict ingress SSH access from 0.0.0.0/0
VPC security groups should restrict ingress TCP and UDP access from 0.0.0.0/0
VPC subnet auto-assign public IP should be disabled
Logging should be enabled on AWS WAFv2 regional and global web access control list (ACLs)
Cryptographic Key Establishment And Management (SC-12)
ACM certificates should be set to expire within 30 days
KMS CMK rotation should be enabled
KMS keys should not be pending deletion
Use of Cryptography (SC-13)
KMS keys should not be pending deletion
Amazon Redshift clusters should be encrypted with KMS
S3 bucket default encryption should be enabled with KMS
SageMaker endpoint configuration encryption should be enabled
SageMaker notebook instance encryption should be enabled
SNS topics should be encrypted at rest
FedRAMP Moderate Revision 4
Access Control (AC)
Account Management (AC-2)
AC-2(1) Automated System Account Management
GuardDuty should be enabled
Ensure IAM password policy requires a minimum length of 14 or greater
IAM groups, users, and roles should not have any inline policies
IAM policy should not have statements with admin access
IAM root user hardware MFA should be enabled
IAM root user MFA should be enabled
IAM root user should not have access keys
IAM user access keys should be rotated at least every 90 days
IAM users with console access should have MFA enabled
IAM users should be in at least one group
IAM user MFA should be enabled
IAM user should not have any inline or attached policies
IAM user credentials that have not been used in 90 days should be disabled
AWS Security Hub should be enabled for an AWS Account
AC-2(4) Automated Audit Actions
At least one multi-region AWS CloudTrail should be present in an account
All S3 buckets should log S3 data events in CloudTrail
At least one enabled trail should be present in a region
CloudTrail trails should be integrated with CloudWatch logs
CloudWatch alarm action should be enabled
GuardDuty should be enabled
Database logging should be enabled
Redshift cluster audit logging and encryption should be enabled
S3 bucket logging should be enabled
AWS Security Hub should be enabled for an AWS Account
AC-2(12) Account Monitoring
AC-2(12)(a)
GuardDuty should be enabled
AWS Security Hub should be enabled for an AWS Account
AC-2(f)
Ensure IAM password policy requires a minimum length of 14 or greater
Ensure IAM policy should not grant full access to service
IAM groups, users, and roles should not have any inline policies
IAM policy should not have statements with admin access
IAM root user hardware MFA should be enabled
IAM root user MFA should be enabled
IAM root user should not have access keys
IAM user access keys should be rotated at least every 90 days
IAM users with console access should have MFA enabled
IAM users should be in at least one group
IAM user MFA should be enabled
IAM user should not have any inline or attached policies
IAM user credentials that have not been used in 90 days should be disabled
AC-2(g)
API Gateway stage logging should be enabled
At least one multi-region AWS CloudTrail should be present in an account
All S3 buckets should log S3 data events in CloudTrail
At least one enabled trail should be present in a region
CloudTrail trails should be integrated with CloudWatch logs
Elasticsearch domain should send logs to CloudWatch
GuardDuty should be enabled
Database logging should be enabled
Redshift cluster audit logging and encryption should be enabled
S3 bucket logging should be enabled
AWS Security Hub should be enabled for an AWS Account
Logging should be enabled on AWS WAFv2 regional and global web access control list (ACLs)
AC-2(j)
ECS task definition container definitions should be checked for host mode
Ensure IAM password policy requires a minimum length of 14 or greater
Ensure IAM policy should not grant full access to service
IAM groups should have at least one user
IAM groups, users, and roles should not have any inline policies
Ensure managed IAM policies should not allow blocked actions on KMS keys
IAM policy should not have statements with admin access
IAM root user MFA should be enabled
IAM root user should not have access keys
IAM user access keys should be rotated at least every 90 days
IAM users with console access should have MFA enabled
IAM users should be in at least one group
IAM user MFA should be enabled
IAM user should not have any inline or attached policies
IAM user credentials that have not been used in 90 days should be disabled
AC-2(3) Disable Inactive Accounts
Ensure IAM password policy requires a minimum length of 14 or greater
IAM user credentials that have not been used in 90 days should be disabled
Access Enforcement (AC-3)
Auto Scaling launch config public IP should be disabled
DMS replication instances should not be publicly accessible
EBS snapshots should not be publicly restorable
EC2 instances should not have a public IP address
EC2 instances should use IMDSv2
ECS task definition container definitions should be checked for host mode
EMR cluster master nodes should not have public IP addresses
ES domains should be in a VPC
Ensure IAM policy should not grant full access to service
IAM groups should have at least one user
IAM groups, users, and roles should not have any inline policies
IAM policy should not have statements with admin access
IAM root user should not have access keys
IAM users should be in at least one group
IAM user should not have any inline or attached policies
IAM user credentials that have not been used in 90 days should be disabled
Lambda functions should be in a VPC
Lambda functions should restrict public access
RDS DB instances should prohibit public access
RDS snapshots should prohibit public access
Redshift clusters should prohibit public access
S3 buckets should prohibit public read access
S3 buckets should prohibit public write access
S3 public access should be blocked at account level
S3 public access should be blocked at bucket levels
SageMaker notebook instances should not have direct internet access
VPC subnet auto-assign public IP should be disabled
Information Flow Enforcement (AC-4)
ACM certificates should be set to expire within 30 days
DMS replication instances should not be publicly accessible
EBS snapshots should not be publicly restorable
EC2 instances should be in a VPC
EC2 instances should not have a public IP address
EMR cluster master nodes should not have public IP addresses
ES domains should be in a VPC
Lambda functions should be in a VPC
Lambda functions should restrict public access
RDS DB instances should prohibit public access
RDS snapshots should prohibit public access
Redshift clusters should prohibit public access
S3 buckets should prohibit public read access
S3 buckets should prohibit public write access
SageMaker notebook instances should not have direct internet access
VPC default security group should not allow inbound and outbound traffic
VPC security groups should restrict ingress access on ports 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0
VPC security groups should restrict ingress SSH access from 0.0.0.0/0
VPC security groups should restrict ingress TCP and UDP access from 0.0.0.0/0
Separation Of Duties (AC-5)
AC-5(c)
ECS task definition container definitions should be checked for host mode
Ensure IAM password policy requires a minimum length of 14 or greater
Ensure IAM policy should not grant full access to service
IAM groups should have at least one user
IAM groups, users, and roles should not have any inline policies
Ensure managed IAM policies should not allow blocked actions on KMS keys
IAM policy should not have statements with admin access
IAM root user should not have access keys
IAM users should be in at least one group
IAM user should not have any inline or attached policies
IAM user credentials that have not been used in 90 days should be disabled
Least Privilege (AC-6)
AC-6(10) Prohibit Non-Privileged Users From Executing Privileged Functions
Ensure IAM policies do not grant full access to a service
IAM policy should not have statements with admin access
IAM root user should not have access keys
CodeBuild project plaintext environment variables should not contain sensitive AWS values
DMS replication instances should not be publicly accessible
EBS snapshots should not be publicly restorable
EC2 instances should be in a VPC
EC2 instances should not have a public IP address
EC2 instances should use IMDSv2
EMR cluster master nodes should not have public IP addresses
ES domains should be in a VPC
IAM groups should have at least one user
IAM policy should not have statements with admin access
IAM root user should not have access keys
IAM users should be in at least one group
IAM user should not have any inline or attached policies
IAM user credentials that have not been used in 90 days should be disabled
Lambda functions should be in a VPC
Lambda functions should restrict public access
RDS DB instances should prohibit public access
RDS snapshots should prohibit public access
Redshift clusters should prohibit public access
S3 buckets should prohibit public read access
S3 buckets should prohibit public write access
S3 public access should be blocked at account level
S3 public access should be blocked at bucket levels
SageMaker notebook instances should not have direct internet access
VPC subnet auto-assign public IP should be disabled
Remote Access (AC-17)
AC-17(1) Automated Monitoring/Control
DMS replication instances should not be publicly accessible
EBS snapshots should not be publicly restorable
EC2 instances should be in a VPC
EC2 instances should not have a public IP address
EMR cluster master nodes should not have public IP addresses
ES domains should be in a VPC
GuardDuty should be enabled
Lambda functions should be in a VPC
Lambda functions should restrict public access
RDS DB instances should prohibit public access
RDS snapshots should prohibit public access
Redshift clusters should prohibit public access
S3 buckets should prohibit public read access
S3 buckets should prohibit public write access
S3 public access should be blocked at account level
S3 public access should be blocked at bucket levels
SageMaker notebook instances should not have direct internet access
AWS Security Hub should be enabled for an AWS Account
VPC default security group should not allow inbound and outbound traffic
VPC security groups should restrict ingress access on ports 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0
VPC security groups should restrict ingress SSH access from 0.0.0.0/0
VPC security groups should restrict ingress TCP and UDP access from 0.0.0.0/0
VPC subnet auto-assign public IP should be disabled
AC-17(2) Protection Of Confidentiality/Integrity Using Encryption
ACM certificates should be set to expire within 30 days
ELB application load balancers should redirect HTTP requests to HTTPS
ELB classic load balancers should use SSL certificates
ELB classic load balancers should only use SSL or HTTPS listeners
Redshift cluster encryption in transit should be enabled
S3 buckets should enforce SSL
Information Sharing (AC-21)
AC-21(b)
Auto Scaling launch config public IP should be disabled
DMS replication instances should not be publicly accessible
EBS snapshots should not be publicly restorable
EC2 instances should not have a public IP address
EMR cluster master nodes should not have public IP addresses
Lambda functions should restrict public access
RDS DB instances should prohibit public access
RDS snapshots should prohibit public access
Redshift clusters should prohibit public access
S3 buckets should prohibit public read access
S3 buckets should prohibit public write access
S3 public access should be blocked at account level
S3 public access should be blocked at bucket levels
SageMaker notebook instances should not have direct internet access
VPC default security group should not allow inbound and outbound traffic
VPC route table should restrict public access to IGW
VPC security groups should restrict ingress access on ports 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0
VPC security groups should restrict ingress TCP and UDP access from 0.0.0.0/0
VPC subnet auto-assign public IP should be disabled
Audit and Accountability (AU)
Audit Events (AU-2)
AU-2(a)(d)
API Gateway stage logging should be enabled
At least one multi-region AWS CloudTrail should be present in an account
All S3 buckets should log S3 data events in CloudTrail
At least one enabled trail should be present in a region
CloudTrail trails should be integrated with CloudWatch logs
ELB application and classic load balancer logging should be enabled
Database logging should be enabled
Redshift cluster audit logging and encryption should be enabled
S3 bucket logging should be enabled
VPC flow logs should be enabled
Logging should be enabled on AWS WAFv2 regional and global web access control list (ACLs)
Content of Audit Records (AU-3)
API Gateway stage logging should be enabled
At least one multi-region AWS CloudTrail should be present in an account
All S3 buckets should log S3 data events in CloudTrail
At least one enabled trail should be present in a region
CloudTrail trails should be integrated with CloudWatch logs
ELB application and classic load balancer logging should be enabled
Database logging should be enabled
Redshift cluster audit logging and encryption should be enabled
S3 bucket logging should be enabled
VPC flow logs should be enabled
Logging should be enabled on AWS WAFv2 regional and global web access control list (ACLs)
Audit Review, Analysis And Reporting (AU-6)
AU-6(1)(3)
API Gateway stage logging should be enabled
At least one multi-region AWS CloudTrail should be present in an account
All S3 buckets should log S3 data events in CloudTrail
At least one enabled trail should be present in a region
CloudTrail trails should be integrated with CloudWatch logs
CloudWatch alarm action should be enabled
Log group retention period should be at least 365 days
ELB application and classic load balancer logging should be enabled
GuardDuty should be enabled
Database logging should be enabled
Redshift cluster audit logging and encryption should be enabled
S3 bucket logging should be enabled
AWS Security Hub should be enabled for an AWS Account
VPC flow logs should be enabled
Logging should be enabled on AWS WAFv2 regional and global web access control list (ACLs)
Audit Reduction And Report Generation (AU-7)
AU-7(1) Automatic Processing
CloudTrail trails should be integrated with CloudWatch logs
CloudWatch alarm action should be enabled
Protection of Audit Information (AU-9)
AU-9(2) Audit Backup On Separate Physical Systems / Components
S3 bucket cross-region replication should be enabled
S3 bucket versioning should be enabled
CloudTrail trail logs should be encrypted with KMS CMK
CloudTrail trail log file validation should be enabled
Log group encryption at rest should be enabled
Audit Record Retention (AU-11)
Log group retention period should be at least 365 days
Audit Generation (AU-12)
AU-12(a)(c)
API Gateway stage logging should be enabled
At least one multi-region AWS CloudTrail should be present in an account
All S3 buckets should log S3 data events in CloudTrail
At least one enabled trail should be present in a region
CloudTrail trails should be integrated with CloudWatch logs
ELB application and classic load balancer logging should be enabled
Database logging should be enabled
Redshift cluster audit logging and encryption should be enabled
S3 bucket logging should be enabled
VPC flow logs should be enabled
Logging should be enabled on AWS WAFv2 regional and global web access control list (ACLs)
Security Assessment And Authorization (CA)
Continuous Monitoring (CA-7)
CA-7(a)(b)
Auto Scaling groups with a load balancer should use health checks
At least one multi-region AWS CloudTrail should be present in an account
All S3 buckets should log S3 data events in CloudTrail
At least one enabled trail should be present in a region
CloudWatch alarm action should be enabled
EC2 instance detailed monitoring should be enabled
Elastic Beanstalk enhanced health reporting should be enabled
GuardDuty should be enabled
Lambda functions should have a concurrent execution limit configured
Lambda functions should be configured with a dead-letter queue
RDS DB instance and cluster enhanced monitoring should be enabled
Redshift cluster audit logging and encryption should be enabled
AWS Security Hub should be enabled for an AWS Account
Configuration Management (CM)
Baseline Configuration (CM-2)
API Gateway stage should be associated with WAF
Auto Scaling launch config public IP should be disabled
DMS replication instances should not be publicly accessible
Attached EBS volumes should have delete on termination enabled
EBS snapshots should not be publicly restorable
EBS volumes should be attached to EC2 instance
EC2 instances should be in a VPC
EC2 instances should not have a public IP address
EC2 instances should be managed by AWS Systems Manager
EC2 stopped instances should be removed in 30 days
ELB application load balancers should have Web Application Firewall (WAF) enabled
EMR cluster master nodes should not have public IP addresses
ES domains should be in a VPC
Lambda functions should be in a VPC
Lambda functions should restrict public access
RDS DB instances should prohibit public access
RDS snapshots should prohibit public access
Redshift clusters should prohibit public access
S3 buckets should prohibit public read access
S3 buckets should prohibit public write access
S3 public access should be blocked at account level
S3 public access should be blocked at account and bucket levels
SageMaker notebook instances should not have direct internet access
SSM managed instance associations should be compliant
VPC default security group should not allow inbound and outbound traffic
VPC route table should restrict public access to IGW
VPC security groups should restrict ingress access on ports 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0
VPC security groups should restrict ingress SSH access from 0.0.0.0/0
VPC security groups should restrict ingress TCP and UDP access from 0.0.0.0/0
VPC subnet auto-assign public IP should be disabled
Least Functionality (CM-7)
CM-7(a)
EC2 instances should be managed by AWS Systems Manager
SSM managed instance associations should be compliant
Information System Component Inventory (CM-8)
CM-8(1)
EC2 instances should be managed by AWS Systems Manager
SSM managed instance associations should be compliant
CM-8(3) Automated Unauthorized Component Detection
CM-8(3)(a)
EC2 instances should be managed by AWS Systems Manager
GuardDuty should be enabled
SSM managed instance associations should be compliant
SSM managed instance patching should be compliant
Contingency Planning (CP)
Information System Backup (CP-9)
CP-9(b)
Backup plan min frequency and min retention check
DynamoDB table point-in-time recovery should be enabled
DynamoDB table should be protected by backup plan
EBS volumes should be protected by backup plan
EC2 instances should be protected by backup plan
EFS file systems should be protected by backup plan
ElastiCache Redis cluster automatic backup should be enabled with retention period of 15 days or greater
FSx file system should be protected by backup plan
RDS Aurora clusters should be protected by backup plan
RDS DB instance backup should be enabled
RDS DB instance should be protected by backup plan
Amazon Redshift clusters should have automatic snapshots enabled
S3 bucket cross-region replication should be enabled
S3 bucket versioning should be enabled
Information System Recovery And Reconstitution (CP-10)
Backup plan min frequency and min retention check
DynamoDB table auto scaling should be enabled
DynamoDB table point-in-time recovery should be enabled
DynamoDB table should be protected by backup plan
EBS volumes should be protected by backup plan
EC2 instance should have EBS optimization enabled
EC2 instances should be protected by backup plan
EFS file systems should be protected by backup plan
ElastiCache Redis cluster automatic backup should be enabled with retention period of 15 days or greater
ELB application load balancer deletion protection should be enabled
ELB classic load balancers should have cross-zone load balancing enabled
FSx file system should be protected by backup plan
RDS Aurora clusters should be protected by backup plan
RDS DB instance backup should be enabled
RDS DB instance multi-AZ should be enabled
RDS DB instance should be protected by backup plan
Amazon Redshift clusters should have automatic snapshots enabled
S3 bucket cross-region replication should be enabled
S3 bucket versioning should be enabled
Both VPN tunnels provided by AWS Site-to-Site VPN should be in UP status
Identification and Authentication (IA)
Identification and Authentication (Organizational users) (IA-2)
IA-2(1) Network Access To Privileged Accounts
IA-2(1)(2)
IAM root user MFA should be enabled
IAM user MFA should be enabled
IAM users with console access should have MFA enabled
IAM root user hardware MFA should be enabled
IAM root user MFA should be enabled
IAM users with console access should have MFA enabled
IAM user MFA should be enabled
Ensure IAM password policy requires a minimum length of 14 or greater
IAM root user should not have access keys
Authenticator Management (IA-5)
IA-5(1) Password-Based Authentication
IA-5(1)(a)(d)(e)
Ensure IAM password policy requires a minimum length of 14 or greater
IA-5(4) Automated Support For Password Strength Determination
Ensure IAM password policy requires a minimum length of 14 or greater
IA-5(7) No Embedded Unencrypted Static Authenticators
CodeBuild project plaintext environment variables should not contain sensitive AWS values
Incident Response (IR)
Incident Handling (IR-4)
IR-4(1) Automated Incident Handling Processes
Auto Scaling groups with a load balancer should use health checks
CloudWatch alarm action should be enabled
GuardDuty should be enabled
GuardDuty findings should be archived
AWS Security Hub should be enabled for an AWS Account
Incident Reporting (IR-6)
IR-6(1) Automated Reporting
GuardDuty should be enabled
GuardDuty findings should be archived
AWS Security Hub should be enabled for an AWS Account
Incident Response Assistance (IR-7)
IR-7(1) Automation Support For Availability Of Information / Support
GuardDuty should be enabled
GuardDuty findings should be archived
AWS Security Hub should be enabled for an AWS Account
Risk Assessment (RA)
Vulnerability Scanning (RA-5)
GuardDuty should be enabled
GuardDuty findings should be archived
System and Services Acquisition (SA)
System Development Life Cycle (SA-3)
SA-3(a)
CodeBuild project plaintext environment variables should not contain sensitive AWS values
CodeBuild GitHub or Bitbucket source repository URLs should use OAuth
EC2 instances should be managed by AWS Systems Manager
Developer Configuration Management (SA-10)
EC2 instances should be managed by AWS Systems Manager
GuardDuty should be enabled
GuardDuty findings should be archived
AWS Security Hub should be enabled for an AWS Account
System and Communications Protection (SC)
Application Partitioning (SC-2)
IAM groups should have at least one user
IAM groups, users, and roles should not have any inline policies
IAM policy should not have statements with admin access
IAM users should be in at least one group
IAM user should not have any inline or attached policies
Information In Shared Resources (SC-4)
DMS replication instances should not be publicly accessible
EBS snapshots should not be publicly restorable
EBS volumes should be attached to EC2 instance
Lambda functions should restrict public access
RDS DB instances should prohibit public access
RDS snapshots should prohibit public access
Redshift clusters should prohibit public access
S3 buckets should prohibit public read access