acm_certificate_expires_30_days apigateway_rest_api_stage_use_ssl_certificate apigateway_stage_cache_encryption_at_rest_enabled apigateway_stage_logging_enabled autoscaling_group_with_lb_use_health_check cloudfront_distribution_configured_with_origin_failover cloudfront_distribution_default_root_object_configured cloudfront_distribution_encryption_in_transit_enabled cloudfront_distribution_origin_access_identity_enabled cloudtrail_bucket_not_public cloudtrail_enabled_all_regions cloudtrail_multi_region_trail_enabled cloudtrail_s3_data_events_enabled cloudtrail_s3_logging_enabled cloudtrail_s3_object_read_events_audit_enabled cloudtrail_s3_object_write_events_audit_enabled cloudtrail_trail_integrated_with_logs cloudtrail_trail_logs_encrypted_with_kms_cmk cloudtrail_trail_validation_enabled cloudwatch_alarm_action_enabled codebuild_project_plaintext_env_variables_no_sensitive_aws_values config_enabled_all_regions dax_cluster_encryption_at_rest_enabled dms_replication_instance_not_publicly_accessible dynamodb_table_auto_scaling_enabled dynamodb_table_point_in_time_recovery_enabled ebs_attached_volume_encryption_enabled ebs_snapshot_not_publicly_restorable ebs_volume_encryption_at_rest_enabled ec2_ebs_default_encryption_enabled ec2_instance_detailed_monitoring_enabled ec2_instance_in_vpc ec2_instance_not_publicly_accessible ec2_instance_ssm_managed ec2_instance_termination_protection_enabled ec2_instance_uses_imdsv2 ec2_stopped_instance_30_days efs_file_system_encrypt_data_at_rest elasticache_redis_cluster_automatic_backup_retention_15_days elb_application_classic_lb_logging_enabled elb_application_drop_http_headers elb_application_lb_deletion_protection_enabled elb_application_lb_redirect_http_request_to_https elb_classic_lb_use_ssl_certificate elb_classis_configured_with_https_tls_termination emr_cluster_kerberos_enabled emr_cluster_master_nodes_no_public_ip es_domain_encryption_at_rest_enabled es_domain_in_vpc es_domain_node_to_node_encryption_enabled guardduty_enabled guardduty_finding_archived iam_access_analyzer_enabled iam_account_password_policy_min_length_14 iam_account_password_policy_reuse_24 iam_account_password_policy_strong iam_account_password_policy_strong_min_length_8 iam_account_password_policy_strong_min_reuse_24 iam_group_not_empty iam_policy_no_star_star iam_root_last_used iam_root_user_hardware_mfa_enabled iam_root_user_mfa_enabled iam_root_user_no_access_keys iam_root_user_virtual_mfa iam_server_certificate_not_expired iam_support_role iam_user_access_key_age_90 iam_user_access_keys_and_password_at_setup iam_user_console_access_mfa_enabled iam_user_in_group iam_user_mfa_enabled iam_user_no_inline_attached_policies iam_user_one_active_key iam_user_unused_credentials_45 iam_user_unused_credentials_90 kms_cmk_rotation_enabled kms_key_decryption_restricted_in_iam_customer_managed_policy kms_key_decryption_restricted_in_iam_inline_policy kms_key_not_pending_deletion lambda_function_dead_letter_queue_configured lambda_function_in_vpc lambda_function_restrict_public_access lambda_function_use_latest_runtime log_group_encryption_at_rest_enabled log_metric_filter_bucket_policy log_metric_filter_cloudtrail_configuration log_metric_filter_config_configuration log_metric_filter_console_authentication_failure log_metric_filter_console_login_mfa log_metric_filter_disable_or_delete_cmk log_metric_filter_iam_policy log_metric_filter_network_acl log_metric_filter_network_gateway log_metric_filter_organization log_metric_filter_root_login log_metric_filter_route_table log_metric_filter_security_group log_metric_filter_unauthorized_api log_metric_filter_vpc manual_control rds_db_cluster_aurora_backtracking_enabled rds_db_cluster_deletion_protection_enabled rds_db_cluster_iam_authentication_enabled rds_db_instance_and_cluster_enhanced_monitoring_enabled rds_db_instance_automatic_minor_version_upgrade_enabled rds_db_instance_backup_enabled rds_db_instance_deletion_protection_enabled rds_db_instance_encryption_at_rest_enabled rds_db_instance_iam_authentication_enabled rds_db_instance_logging_enabled rds_db_instance_multiple_az_enabled rds_db_instance_prohibit_public_access rds_db_snapshot_encrypted_at_rest rds_db_snapshot_prohibit_public_access rds_instance_encryption_enabled redshift_cluster_automatic_snapshots_min_7_days redshift_cluster_automatic_upgrade_major_versions_enabled redshift_cluster_encryption_in_transit_enabled redshift_cluster_encryption_logging_enabled redshift_cluster_enhanced_vpc_routing_enabled redshift_cluster_prohibit_public_access s3_bucket_cross_region_replication_enabled s3_bucket_default_encryption_enabled s3_bucket_enforces_ssl s3_bucket_logging_enabled s3_bucket_mfa_delete_enabled s3_bucket_object_lock_enabled s3_bucket_policy_restricts_cross_account_permission_changes s3_bucket_public_access_blocked s3_bucket_restrict_public_read_access s3_bucket_restrict_public_write_access s3_bucket_versioning_enabled s3_public_access_block_account s3_public_access_block_bucket_account sagemaker_endpoint_configuration_encryption_at_rest_enabled sagemaker_notebook_instance_direct_internet_access_disabled sagemaker_notebook_instance_encryption_at_rest_enabled secretsmanager_secret_automatic_rotation_enabled secretsmanager_secret_automatic_rotation_lambda_enabled secretsmanager_secret_last_used_1_day secretsmanager_secret_rotated_per_automatic_rotation_schedule securityhub_enabled sns_topic_encrypted_at_rest vpc_configured_to_use_vpc_endpoints vpc_default_security_group_restricts_all_traffic vpc_eip_associated vpc_flow_logs_enabled vpc_igw_attached_to_authorized_vpc vpc_network_acl_remote_administration vpc_security_group_remote_administration vpc_security_group_restrict_ingress_common_ports_all vpc_security_group_restrict_ingress_ssh_all vpc_security_group_restrict_ingress_tcp_udp_all vpc_unused_security_group vpc_vpn_tunnel_up

Queries in AWS Compliance

The AWS Compliance mod includes 156 queries: