

# Evaluating Resources with AWS Config Rules
<a name="evaluate-config"></a>

Use AWS Config to evaluate the configuration settings of your AWS resources. You do this by creating AWS Config rules, which represent your ideal configuration settings. AWS Config provides customizable, predefined rules called managed rules to help you get started.

**Topics**
+ [Considerations](#evaluate-config-considerations)
+ [Region Support](#region-support-config-rules)
+ [Components of a Rule](evaluate-config_components.md)
+ [Managed Rules](evaluate-config_use-managed-rules.md)
+ [Custom Rules](evaluate-config_develop-rules.md)
+ [Service-Linked Rules](service-linked-awsconfig-rules.md)
+ [Organizational Rules](config-rule-multi-account-deployment.md)
+ [Adding Rules](evaluate-config_add-rules.md)
+ [Updating Rules](evaluate-config_update-rules.md)
+ [Deleting Rules](evaluate-config_delete-rules.md)
+ [Viewing Rules](evaluate-config_view-rules.md)
+ [Turning on Proactive Evaluation](evaluate-config_turn-on-proactive-rules.md)
+ [Sending Evaluations to Security Hub CSPM](setting-up-aws-config-rules-with-console-integration.md)
+ [Evaluating Resources with Rules](evaluating-your-resources.md)
+ [Deleting Evaluation Results](deleting-evaluations-results.md)
+ [Troubleshooting](troubleshooting-rules.md)

## Considerations
<a name="evaluate-config-considerations"></a>

------
#### [ Cost Considerations ]

For details about the costs associated with resource recording, see [AWS Config pricing](https://aws.amazon.com/config/pricing/).

**Recommendation: Consider excluding the `AWS::Config::ResourceCompliance` resource type from recording before deleting rules**

Deleting rules creates configuration items (CIs) for `AWS::Config::ResourceCompliance` that can affect your costs for the configuration recorder. If you are deleting rules which evaluate a large number of resource types, this can lead to a spike in the number of CIs recorded.

To avoid the associated costs, you can opt to disable recording for the `AWS::Config::ResourceCompliance` resource type before deleting rules, and re-enable recording after the rules have been deleted.

However, since deleting rules is an asynchronous process, it might take an hour or more to complete. During the time when recording is disabled for `AWS::Config::ResourceCompliance`, rule evaluations will not be recorded in the associated resource’s history.

AWS Config recommends that you weigh these factors on a case-by-case basis before deciding how to proceed with deleting rules.

**Recommendation: Add logic to handle the evaluation of deleted resources for custom Lambda rules**

When creating AWS Config custom Lambda rules, it is highly recommended that you add logic to handle the evaluation of deleted resources.

When evaluation results are marked as `NOT_APPLICABLE`, they will be marked for deletion and cleaned up. If they're NOT marked as `NOT_APPLICABLE`, the evaluation results will remain unchanged until the rule is deleted, which can cause an unexpected spike in the creation of CIs for `AWS::Config::ResourceCompliance` upon rule deletion.

For information on how to set AWS Config custom lambda rules to return `NOT_APPLICABLE` for deleted resources, see [Managing deleted resources with AWS Config custom lambda rules](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_develop-rules.html#evaluate-config_develop-rules-delete).
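The deleted-resource handling recommended above, as an added example (not AWS sample code): a change-triggered custom Lambda rule that checks EBS volume encryption and returns `NOT_APPLICABLE` when the configuration item status shows a deleted or unrecorded resource, or when `eventLeftScope` is set. The encryption check, `sample_event`, and all sample values are assumptions constructed for illustration.

```python
import json

# Statuses that mean the resource still exists and was recorded. Any other status
# (ResourceDeleted, ResourceDeletedNotRecorded, ResourceNotRecorded) has nothing to evaluate.
LIVE_STATUSES = {"OK", "ResourceDiscovered"}
TARGET_TYPE = "AWS::EC2::Volume"  # assumption: this rule is scoped to EBS volumes


def evaluate_compliance(configuration_item, event_left_scope):
    """Return (compliance_type, annotation) for one configuration item."""
    status = configuration_item.get("configurationItemStatus")
    # Deleted resources and resources that left the rule's scope are reported as
    # NOT_APPLICABLE so their previous results are cleaned up instead of lingering.
    if event_left_scope or status not in LIVE_STATUSES:
        return "NOT_APPLICABLE", "Resource was deleted or is out of scope."
    if configuration_item.get("resourceType") != TARGET_TYPE:
        return "NOT_APPLICABLE", "Rule only evaluates EBS volumes."
    # 'configuration' can be null on some items, so fall back to an empty dict.
    configuration = configuration_item.get("configuration") or {}
    if configuration.get("encrypted") is True:
        return "COMPLIANT", "Volume is encrypted."
    return "NON_COMPLIANT", "Volume is not encrypted."


def build_evaluation(event):
    """Turn the Lambda invocation event into one PutEvaluations entry."""
    invoking_event = json.loads(event["invokingEvent"])  # delivered as a JSON string
    item = invoking_event["configurationItem"]
    compliance, annotation = evaluate_compliance(
        item, bool(event.get("eventLeftScope", False))
    )
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    import boto3  # imported here so the pure functions above run without the SDK

    evaluation = build_evaluation(event)
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"]
    )
    return evaluation


def sample_event(status, configuration, left_scope=False):
    """Constructed invocation event (not captured from a real account)."""
    return {
        "invokingEvent": json.dumps({
            "messageType": "ConfigurationItemChangeNotification",
            "configurationItem": {
                "resourceType": "AWS::EC2::Volume",
                "resourceId": "vol-0example",
                "configurationItemStatus": status,
                "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
                "configuration": configuration,
            },
        }),
        "eventLeftScope": left_scope,
        "resultToken": "constructed-token",
    }


if __name__ == "__main__":
    for status, config, left in [
        ("OK", {"encrypted": True}, False),
        ("ResourceDiscovered", {"encrypted": False}, False),
        ("ResourceDeleted", None, False),
        ("OK", {"encrypted": False}, True),
    ]:
        result = build_evaluation(sample_event(status, config, left))
        print(status, left, "->", result["ComplianceType"])
```

This sketch handles only `ConfigurationItemChangeNotification` messages; oversized configuration item notifications carry a summary instead of the full item and need a separate lookup.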

**Recommendation: Provide the resources in scope for custom Lambda rules**

AWS Config custom Lambda rules can cause a high number of Lambda function invocations if the rule is not scoped to one or more resource types. To avoid increased activity associated with your account, it is highly recommended that you provide the resources in scope for your custom Lambda rules. If no resource types are selected, the rule will invoke the Lambda function for all resources in the account.

------
#### [ Other considerations ]

**Default Values for Managed Rules**

The default values specified for managed rules are pre-populated only when using the AWS console. Default values are not supplied for the API, CLI, or SDK.

**Configuration Item Recording Delays**

AWS Config usually records configuration changes to your resources right after a change is detected, or at the frequency that you specify. However, this is on a best effort basis and can take longer at times. One resource type with known delays is `AWS::SecretsManager::Secret`; it is an example only, and the list of affected resource types is non-exhaustive.

**Policies and compliance results**

[IAM policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) and [other policies managed in AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html) can impact whether AWS Config has permissions to record configuration changes for your resources. Additionally, rules evaluate the configuration of a resource directly and do not take these policies into account when running evaluations. Make sure that the policies in effect align with how you intend to use AWS Config.

**Tagging support for resource types**

If a resource type does not support tagging or does not include tag information in its describe API response, AWS Config won't capture tag data in the configuration items (CIs) for that resource type. AWS Config will still record these resources. However, any functionality that relies on tag data won't work. This affects tag-based filtering, grouping, or compliance evaluation that relies on tag data.

**Directory Buckets Are Not Supported**

Managed rules only support general purpose buckets when evaluating Amazon Simple Storage Service (Amazon S3) resources. For more information on general purpose buckets and directory buckets, see [Buckets overview](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingBucket.html) and [Directory buckets](https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-overview.html) in the Amazon S3 User Guide.

**Managed Rules and Global IAM Resource Types**

The global IAM resource types onboarded before February 2022 (`AWS::IAM::Group`, `AWS::IAM::Policy`, `AWS::IAM::Role`, and `AWS::IAM::User`) can only be recorded by AWS Config in AWS Regions where AWS Config was available before February 2022. These resource types cannot be recorded in Regions supported by AWS Config after February 2022. For a list of those Regions, see [Recording AWS Resources | Global Resources](https://docs.aws.amazon.com/config/latest/developerguide/select-resources.html#select-resources-all).

If you record a global IAM resource type in at least one Region, periodic rules that report compliance on the global IAM resource type will run evaluations in all Regions where the periodic rule is added, even if you have not enabled the recording of the global IAM resource type in the Region where the periodic rule was added.

To avoid unnecessary evaluations, you should only deploy periodic rules that report compliance on a global IAM resource type to one of the supported Regions. For a list of which managed rules are supported in which Regions, see [List of AWS Config Managed Rules by Region Availability](https://docs.aws.amazon.com/config/latest/developerguide/managing-rules-by-region-availability.html).

------

## Region Support
<a name="region-support-config-rules"></a>

Currently, the AWS Config Rule feature is supported in the following AWS Regions. For a list of which individual AWS Config rules are supported in which Regions, see [List of AWS Config Managed Rules by Region Availability](https://docs.aws.amazon.com/config/latest/developerguide/managing-rules-by-region-availability.html).

[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/config/latest/developerguide/evaluate-config.html)

Deploying AWS Config Rules across member accounts in an AWS Organization is supported in the following Regions.

[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/config/latest/developerguide/evaluate-config.html)

# Components of an AWS Config Rule
<a name="evaluate-config_components"></a>

AWS Config rules evaluate the configuration settings of your AWS resources. This page discusses the components of a rule.

**Topics**
+ [How AWS Config Rules Work](#evaluate-config-how-rules-work)
+ [Trigger Types](#evaluate-config_use-managed-rules-trigger)
+ [Evaluation Modes](#evaluate-config_use-managed-rules-proactive-detective)
+ [Rule Metadata](#evaluate-config_components_metadata)

## How AWS Config Rules Work
<a name="evaluate-config-how-rules-work"></a>

While AWS Config continuously tracks the configuration changes that occur among your resources, it checks whether these changes do not comply with the conditions in your rules. If a resource does not comply with a rule, AWS Config flags the resource and the rule as *noncompliant*.

There are four possible evaluation results for an AWS Config rule.


| **Evaluation result** | **Description** | 
| --- | --- | 
| COMPLIANT | The rule passes the conditions of the compliance check. | 
| NON_COMPLIANT | The rule fails the conditions of the compliance check. | 
| ERROR | One of the required/optional parameters is not valid, not of the correct type, or is formatted incorrectly. | 
| NOT_APPLICABLE | Used to filter out resources that the logic of the rule cannot be applied to. For example, the [alb-desync-mode-check](https://docs.aws.amazon.com/config/latest/developerguide/alb-desync-mode-check.html) rule only checks Application Load Balancers, and ignores Network Load Balancers and Gateway Load Balancers. | 

For example, when an EC2 volume is created, AWS Config can evaluate the volume against a rule that requires volumes to be encrypted. If the volume is not encrypted, AWS Config flags the volume and the rule as noncompliant. AWS Config can also check all of your resources for account-wide requirements. For example, AWS Config can check whether the number of EC2 volumes in an account stays within a desired total, or whether an account uses AWS CloudTrail for logging.

## Trigger Types
<a name="evaluate-config_use-managed-rules-trigger"></a>

After you add a rule to your account, AWS Config compares your resources to the conditions of the rule. After this initial evaluation, AWS Config continues to run evaluations each time one is triggered. The evaluation triggers are defined as part of the rule, and they can include the following types.


| **Trigger type** | **Description** | 
| --- | --- | 
| Configuration changes | AWS Config runs evaluations for the rule when there is a resource that matches the rule's scope and there is a change in configuration of the resource. The evaluation runs after AWS Config sends a configuration item change notification. You choose which resources initiate the evaluation by defining the rule's *scope*. The scope can include the following: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_components.html) AWS Config runs the evaluation when it detects a change to a resource that matches the rule's scope. You can use the scope to define which resources initiate evaluations. | 
| Periodic | AWS Config runs evaluations for the rule at a frequency that you choose; for example, every 24 hours. | 
| Hybrid | Some rules have both configuration change and periodic triggers. For these rules, AWS Config evaluates your resources when it detects a configuration change and also at the frequency that you specify.  | 

## Evaluation Modes
<a name="evaluate-config_use-managed-rules-proactive-detective"></a>

There are two evaluation modes for AWS Config rules.


| **Evaluation mode** | **Description** | 
| --- | --- | 
| Proactive | Use proactive evaluation to evaluate resources before they have been deployed. This allows you to evaluate whether a set of resource properties, if used to define an AWS resource, would be COMPLIANT or NON_COMPLIANT given the set of proactive rules that you have in your account in your Region. | 
| Detective | Use detective evaluation to evaluate resources that have already been deployed. This allows you to evaluate the configuration settings of your existing resources. | 

**Note**  
Proactive rules do not remediate resources that are flagged as NON_COMPLIANT or prevent them from being deployed.

For more information, see [Turning on Proactive Evaluation for AWS Config Rules](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_turn-on-proactive-rules.html).

### List of managed rules with proactive evaluation
<a name="list-proactive-rules"></a>

For a list of managed rules that support proactive evaluation, see [List of AWS Config Managed Rules by Evaluation Mode](https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-evaluation-mode.html).

### List of supported resource types for proactive evaluation
<a name="list-proactive-resource-types"></a>

The following is a list of resource types that are supported for proactive evaluation:
+ `AWS::EC2::EIP`
+ `AWS::EC2::Subnet`

## AWS Config Rule Metadata
<a name="evaluate-config_components_metadata"></a>

AWS Config rules can contain the following mutable metadata:

**defaultName**  
The defaultName is the name that instances of a rule will get by default.

**description**  
The rule description provides context for what the rule evaluates. The AWS Config Console has a limit of 256 characters. As a best practice, the rule description should begin with “Checks if” and include a description of the NON_COMPLIANT scenario. Service names should be written in full, beginning with AWS or Amazon, when first mentioned in the rule description. For example, use AWS CloudTrail or Amazon CloudWatch instead of CloudTrail or CloudWatch for first use. Service names can be abbreviated in subsequent references.

**scope**  
The scope determines which resource types the rule targets. For a list of supported resource types, see [Supported Resource Types](https://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html#supported-resources.html).

**compulsoryInputParameterDetails**  
The compulsoryInputParameterDetails are used for parameters that are required for a rule to do its evaluation. For example, the `access-keys-rotated` managed rule includes `maxAccessKeyAge` as a required parameter. If a parameter is required, it will not be marked as (Optional). For each parameter, a type must be specified. Type can be one of "String", "int", "double", "CSV", "boolean" and "StringMap".

**optionalInputParameterDetails**  
The optionalInputParameterDetails are used for parameters that are optional for a rule to do its evaluation. For example, the `elasticsearch-logs-to-cloudwatch` managed rule includes `logTypes` as an optional parameter. For each parameter, a type must be specified. Type can be one of "String", "int", "double", "CSV", "boolean" and "StringMap".

**supportedEvaluationModes**  
The supportedEvaluationModes determines when resources will be evaluated, either before a resource has been deployed or after a resource has been deployed.  
`DETECTIVE` is used to evaluate resources which have already been deployed. This allows you to evaluate the configuration settings of your existing resources.  
`PROACTIVE` is used to evaluate resources before they have been deployed. This allows you to evaluate whether a set of resource properties, if used to define an AWS resource, would be COMPLIANT or NON_COMPLIANT given the set of proactive rules that you have in your account in your Region.  
You can set supportedEvaluationModes to `DETECTIVE`, `PROACTIVE`, or both `DETECTIVE` and `PROACTIVE`. You must specify an evaluation mode; this field cannot remain empty.  
Proactive rules do not remediate resources that are flagged as NON_COMPLIANT or prevent them from being deployed.

# AWS Config Managed Rules
<a name="evaluate-config_use-managed-rules"></a>

AWS Config provides *AWS managed rules*, which are predefined, customizable rules that AWS Config uses to evaluate whether your AWS resources comply with common best practices. For example, you could use a managed rule to quickly start assessing whether your Amazon Elastic Block Store (Amazon EBS) volumes are encrypted or whether specific tags are applied to your resources.

The AWS Config console guides you through the process of configuring and activating a managed rule. You can also use the AWS Command Line Interface or AWS Config API to pass the JSON code that defines your configuration of a managed rule.

You can customize the behavior of a managed rule to suit your needs. For example, you can define the rule's scope to constrain which resources trigger an evaluation for the rule, such as EC2 instances or volumes.

You can customize the rule's parameters to define attributes that your resources must have to comply with the rule. For example, you can customize a parameter to specify that your security group should block incoming traffic to a specific port number.

Before using managed rules, see [Considerations](evaluate-config.md#evaluate-config-considerations).
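An added example (not AWS's own code) of building the managed-rule definition that is passed through the API or CLI. Because default parameter values are pre-populated only in the console, the hypothetical helper `build_managed_rule` rejects a definition that omits a compulsory parameter and checks `int`, `double` and `boolean` values before serializing them. The rule names, the value 60 and the metadata dictionaries are constructed for illustration.

```python
import json


def check_type(name, declared_type, value):
    """Validate the types that can be checked mechanically; others pass through as strings."""
    text = str(value)
    try:
        if declared_type == "int":
            int(text)
        elif declared_type == "double":
            float(text)
        elif declared_type == "boolean" and text.lower() not in ("true", "false"):
            raise ValueError(text)
    except ValueError:
        raise ValueError(f"{name} must be of type {declared_type}, got {value!r}") from None
    return text.lower() if declared_type == "boolean" else text


def build_managed_rule(name, source_identifier, compulsory, values,
                       optional=None, resource_types=None, frequency=None):
    """Return a ConfigRule dictionary for a managed rule (Source.Owner is "AWS").

    compulsory / optional map parameter names to their declared types, mirroring
    compulsoryInputParameterDetails and optionalInputParameterDetails.
    """
    declared = {**compulsory, **(optional or {})}
    # No defaults are supplied outside the console, so every compulsory
    # parameter has to be present in the definition itself.
    missing = sorted(set(compulsory) - set(values))
    if missing:
        raise ValueError(f"missing compulsory parameters: {missing}")
    unknown = sorted(set(values) - set(declared))
    if unknown:
        raise ValueError(f"parameters not declared by the rule: {unknown}")

    params = {key: check_type(key, declared[key], value) for key, value in values.items()}
    rule = {
        "ConfigRuleName": name,
        "Source": {"Owner": "AWS", "SourceIdentifier": source_identifier},
        # InputParameters is sent as a JSON string, not a nested object.
        "InputParameters": json.dumps(params, sort_keys=True),
    }
    if resource_types:
        # Scope limits which resource types trigger an evaluation.
        rule["Scope"] = {"ComplianceResourceTypes": list(resource_types)}
    if frequency:
        rule["MaximumExecutionFrequency"] = frequency
    return rule


if __name__ == "__main__":
    periodic = build_managed_rule(
        "access-keys-rotated", "ACCESS_KEYS_ROTATED",
        compulsory={"maxAccessKeyAge": "int"},
        values={"maxAccessKeyAge": 60},  # constructed value
        frequency="TwentyFour_Hours",
    )
    scoped = build_managed_rule(
        "encrypted-volumes", "ENCRYPTED_VOLUMES",
        compulsory={}, values={},
        resource_types=["AWS::EC2::Volume"],
    )
    print(json.dumps([periodic, scoped], indent=2))
```

The resulting dictionary can be passed as `ConfigRule` to boto3's `put_config_rule`, or saved as JSON and given to `aws configservice put-config-rule --config-rule file://...`.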

**Topics**
+ [List of Managed Rules](managed-rules-by-aws-config.md)
+ [List of Managed Rules by Evaluation Mode](managed-rules-by-evaluation-mode.md)
+ [List of Managed Rules by Trigger Type](managed-rules-by-trigger-type.md)
+ [List of Managed Rules by Region Availability](managing-rules-by-region-availability.md)
+ [Creating Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md)

# List of AWS Config Managed Rules
<a name="managed-rules-by-aws-config"></a>

AWS Config currently supports the following managed rules. Before using these rules, see [Considerations](evaluate-config.md#evaluate-config-considerations).

**Topics**
+ [

# access-keys-rotated
](access-keys-rotated.md)
+ [

# account-part-of-organizations
](account-part-of-organizations.md)
+ [

# acmpca-certificate-authority-tagged
](acmpca-certificate-authority-tagged.md)
+ [

# acm-certificate-expiration-check
](acm-certificate-expiration-check.md)
+ [

# acm-certificate-rsa-check
](acm-certificate-rsa-check.md)
+ [

# acm-certificate-transparent-logging-enabled
](acm-certificate-transparent-logging-enabled.md)
+ [

# acm-pca-root-ca-disabled
](acm-pca-root-ca-disabled.md)
+ [

# active-mq-supported-version
](active-mq-supported-version.md)
+ [

# alb-desync-mode-check
](alb-desync-mode-check.md)
+ [

# alb-http-drop-invalid-header-enabled
](alb-http-drop-invalid-header-enabled.md)
+ [

# alb-http-to-https-redirection-check
](alb-http-to-https-redirection-check.md)
+ [

# alb-internal-scheme-check
](alb-internal-scheme-check.md)
+ [

# alb-listener-tagged
](alb-listener-tagged.md)
+ [

# alb-tagged
](alb-tagged.md)
+ [

# alb-waf-enabled
](alb-waf-enabled.md)
+ [

# amplify-app-branch-auto-deletion-enabled
](amplify-app-branch-auto-deletion-enabled.md)
+ [

# amplify-app-build-spec-configured
](amplify-app-build-spec-configured.md)
+ [

# amplify-app-description
](amplify-app-description.md)
+ [

# amplify-app-no-environment-variables
](amplify-app-no-environment-variables.md)
+ [

# amplify-app-platform-check
](amplify-app-platform-check.md)
+ [

# amplify-app-tagged
](amplify-app-tagged.md)
+ [

# amplify-branch-auto-build-enabled
](amplify-branch-auto-build-enabled.md)
+ [

# amplify-branch-build-spec-configured
](amplify-branch-build-spec-configured.md)
+ [

# amplify-branch-description
](amplify-branch-description.md)
+ [

# amplify-branch-framework-configured
](amplify-branch-framework-configured.md)
+ [

# amplify-branch-performance-mode-enabled
](amplify-branch-performance-mode-enabled.md)
+ [

# amplify-branch-pull-request-preview-enabled
](amplify-branch-pull-request-preview-enabled.md)
+ [

# amplify-branch-tagged
](amplify-branch-tagged.md)
+ [

# apigatewayv2-integration-private-https-enabled
](apigatewayv2-integration-private-https-enabled.md)
+ [

# apigatewayv2-stage-description
](apigatewayv2-stage-description.md)
+ [

# apigateway-domain-name-tls-check
](apigateway-domain-name-tls-check.md)
+ [

# apigateway-stage-access-logs-enabled
](apigateway-stage-access-logs-enabled.md)
+ [

# apigateway-stage-description
](apigateway-stage-description.md)
+ [

# api-gwv2-access-logs-enabled
](api-gwv2-access-logs-enabled.md)
+ [

# api-gwv2-authorization-type-configured
](api-gwv2-authorization-type-configured.md)
+ [

# api-gwv2-stage-default-route-detailed-metrics-enabled
](api-gwv2-stage-default-route-detailed-metrics-enabled.md)
+ [

# api-gw-associated-with-waf
](api-gw-associated-with-waf.md)
+ [

# api-gw-cache-enabled-and-encrypted
](api-gw-cache-enabled-and-encrypted.md)
+ [

# api-gw-endpoint-type-check
](api-gw-endpoint-type-check.md)
+ [

# api-gw-execution-logging-enabled
](api-gw-execution-logging-enabled.md)
+ [

# api-gw-rest-api-tagged
](api-gw-rest-api-tagged.md)
+ [

# api-gw-ssl-enabled
](api-gw-ssl-enabled.md)
+ [

# api-gw-stage-tagged
](api-gw-stage-tagged.md)
+ [

# api-gw-xray-enabled
](api-gw-xray-enabled.md)
+ [

# appconfig-application-description
](appconfig-application-description.md)
+ [

# appconfig-application-tagged
](appconfig-application-tagged.md)
+ [

# appconfig-configuration-profile-tagged
](appconfig-configuration-profile-tagged.md)
+ [

# appconfig-configuration-profile-validators-not-empty
](appconfig-configuration-profile-validators-not-empty.md)
+ [

# appconfig-deployment-strategy-description
](appconfig-deployment-strategy-description.md)
+ [

# appconfig-deployment-strategy-minimum-final-bake-time
](appconfig-deployment-strategy-minimum-final-bake-time.md)
+ [

# appconfig-deployment-strategy-replicate-to-ssm
](appconfig-deployment-strategy-replicate-to-ssm.md)
+ [

# appconfig-deployment-strategy-tagged
](appconfig-deployment-strategy-tagged.md)
+ [

# appconfig-environment-description
](appconfig-environment-description.md)
+ [

# appconfig-environment-tagged
](appconfig-environment-tagged.md)
+ [

# appconfig-extension-association-tagged
](appconfig-extension-association-tagged.md)
+ [

# appconfig-freeform-profile-config-storage
](appconfig-freeform-profile-config-storage.md)
+ [

# appconfig-hosted-configuration-version-description
](appconfig-hosted-configuration-version-description.md)
+ [

# appflow-flow-tagged
](appflow-flow-tagged.md)
+ [

# appflow-flow-trigger-type-check
](appflow-flow-trigger-type-check.md)
+ [

# appintegrations-application-approved-origins-check
](appintegrations-application-approved-origins-check.md)
+ [

# appintegrations-application-tagged
](appintegrations-application-tagged.md)
+ [

# appintegrations-event-integration-description
](appintegrations-event-integration-description.md)
+ [

# appintegrations-event-integration-tagged
](appintegrations-event-integration-tagged.md)
+ [

# appmesh-gateway-route-tagged
](appmesh-gateway-route-tagged.md)
+ [

# appmesh-mesh-deny-tcp-forwarding
](appmesh-mesh-deny-tcp-forwarding.md)
+ [

# appmesh-mesh-ip-pref-check
](appmesh-mesh-ip-pref-check.md)
+ [

# appmesh-mesh-tagged
](appmesh-mesh-tagged.md)
+ [

# appmesh-route-tagged
](appmesh-route-tagged.md)
+ [

# appmesh-virtual-gateway-backend-defaults-tls
](appmesh-virtual-gateway-backend-defaults-tls.md)
+ [

# appmesh-virtual-gateway-listeners-health-check-enabled
](appmesh-virtual-gateway-listeners-health-check-enabled.md)
+ [

# appmesh-virtual-gateway-logging-file-path-exists
](appmesh-virtual-gateway-logging-file-path-exists.md)
+ [

# appmesh-virtual-gateway-tagged
](appmesh-virtual-gateway-tagged.md)
+ [

# appmesh-virtual-node-backend-defaults-tls-on
](appmesh-virtual-node-backend-defaults-tls-on.md)
+ [

# appmesh-virtual-node-cloud-map-ip-pref-check
](appmesh-virtual-node-cloud-map-ip-pref-check.md)
+ [

# appmesh-virtual-node-dns-ip-pref-check
](appmesh-virtual-node-dns-ip-pref-check.md)
+ [

# appmesh-virtual-node-listeners-health-check-enabled
](appmesh-virtual-node-listeners-health-check-enabled.md)
+ [

# appmesh-virtual-node-listeners-outlier-detect-enabled
](appmesh-virtual-node-listeners-outlier-detect-enabled.md)
+ [

# appmesh-virtual-node-logging-file-path-exists
](appmesh-virtual-node-logging-file-path-exists.md)
+ [

# appmesh-virtual-node-service-backends-tls-enforced
](appmesh-virtual-node-service-backends-tls-enforced.md)
+ [

# appmesh-virtual-node-tagged
](appmesh-virtual-node-tagged.md)
+ [

# appmesh-virtual-router-tagged
](appmesh-virtual-router-tagged.md)
+ [

# appmesh-virtual-service-tagged
](appmesh-virtual-service-tagged.md)
+ [

# approved-amis-by-id
](approved-amis-by-id.md)
+ [

# approved-amis-by-tag
](approved-amis-by-tag.md)
+ [

# apprunner-service-in-vpc
](apprunner-service-in-vpc.md)
+ [

# apprunner-service-ip-address-type-check
](apprunner-service-ip-address-type-check.md)
+ [

# apprunner-service-max-unhealthy-threshold
](apprunner-service-max-unhealthy-threshold.md)
+ [

# apprunner-service-no-public-access
](apprunner-service-no-public-access.md)
+ [

# apprunner-service-observability-enabled
](apprunner-service-observability-enabled.md)
+ [

# apprunner-service-tagged
](apprunner-service-tagged.md)
+ [

# apprunner-vpc-connector-tagged
](apprunner-vpc-connector-tagged.md)
+ [

# appstream-fleet-in-vpc
](appstream-fleet-in-vpc.md)
+ [

# appsync-associated-with-waf
](appsync-associated-with-waf.md)
+ [

# appsync-authorization-check
](appsync-authorization-check.md)
+ [

# appsync-cache-ct-encryption-at-rest
](appsync-cache-ct-encryption-at-rest.md)
+ [

# appsync-cache-ct-encryption-in-transit
](appsync-cache-ct-encryption-in-transit.md)
+ [

# appsync-cache-encryption-at-rest
](appsync-cache-encryption-at-rest.md)
+ [

# appsync-graphql-api-xray-enabled
](appsync-graphql-api-xray-enabled.md)
+ [

# appsync-logging-enabled
](appsync-logging-enabled.md)
+ [

# aps-rule-groups-namespace-tagged
](aps-rule-groups-namespace-tagged.md)
+ [

# athena-data-catalog-description
](athena-data-catalog-description.md)
+ [

# athena-prepared-statement-description
](athena-prepared-statement-description.md)
+ [

# athena-workgroup-description
](athena-workgroup-description.md)
+ [

# athena-workgroup-encrypted-at-rest
](athena-workgroup-encrypted-at-rest.md)
+ [

# athena-workgroup-enforce-workgroup-configuration
](athena-workgroup-enforce-workgroup-configuration.md)
+ [

# athena-workgroup-engine-version-auto-upgrade
](athena-workgroup-engine-version-auto-upgrade.md)
+ [

# athena-workgroup-logging-enabled
](athena-workgroup-logging-enabled.md)
+ [

# auditmanager-assessment-tagged
](auditmanager-assessment-tagged.md)
+ [

# aurora-global-database-encryption-at-rest
](aurora-global-database-encryption-at-rest.md)
+ [

# aurora-last-backup-recovery-point-created
](aurora-last-backup-recovery-point-created.md)
+ [

# aurora-meets-restore-time-target
](aurora-meets-restore-time-target.md)
+ [

# aurora-mysql-backtracking-enabled
](aurora-mysql-backtracking-enabled.md)
+ [

# aurora-mysql-cluster-audit-logging
](aurora-mysql-cluster-audit-logging.md)
+ [

# aurora-resources-in-logically-air-gapped-vault
](aurora-resources-in-logically-air-gapped-vault.md)
+ [

# aurora-resources-protected-by-backup-plan
](aurora-resources-protected-by-backup-plan.md)
+ [

# autoscaling-capacity-rebalancing
](autoscaling-capacity-rebalancing.md)
+ [

# autoscaling-group-elb-healthcheck-required
](autoscaling-group-elb-healthcheck-required.md)
+ [

# autoscaling-launchconfig-requires-imdsv2
](autoscaling-launchconfig-requires-imdsv2.md)
+ [

# autoscaling-launch-config-hop-limit
](autoscaling-launch-config-hop-limit.md)
+ [

# autoscaling-launch-config-public-ip-disabled
](autoscaling-launch-config-public-ip-disabled.md)
+ [

# autoscaling-launch-template
](autoscaling-launch-template.md)
+ [

# autoscaling-multiple-az
](autoscaling-multiple-az.md)
+ [

# autoscaling-multiple-instance-types
](autoscaling-multiple-instance-types.md)
+ [

# backup-plan-min-frequency-and-min-retention-check
](backup-plan-min-frequency-and-min-retention-check.md)
+ [

# backup-recovery-point-encrypted
](backup-recovery-point-encrypted.md)
+ [

# backup-recovery-point-manual-deletion-disabled
](backup-recovery-point-manual-deletion-disabled.md)
+ [

# backup-recovery-point-minimum-retention-check
](backup-recovery-point-minimum-retention-check.md)
+ [

# batch-compute-environment-enabled
](batch-compute-environment-enabled.md)
+ [

# batch-compute-environment-managed
](batch-compute-environment-managed.md)
+ [

# batch-compute-environment-tagged
](batch-compute-environment-tagged.md)
+ [

# batch-job-queue-enabled
](batch-job-queue-enabled.md)
+ [

# batch-job-queue-tagged
](batch-job-queue-tagged.md)
+ [

# batch-managed-compute-environment-using-launch-template
](batch-managed-compute-environment-using-launch-template.md)
+ [

# batch-managed-compute-env-allocation-strategy-check
](batch-managed-compute-env-allocation-strategy-check.md)
+ [

# batch-managed-compute-env-compute-resources-tagged
](batch-managed-compute-env-compute-resources-tagged.md)
+ [

# batch-managed-spot-compute-environment-max-bid
](batch-managed-spot-compute-environment-max-bid.md)
+ [

# batch-scheduling-policy-tagged
](batch-scheduling-policy-tagged.md)
+ [

# beanstalk-enhanced-health-reporting-enabled
](beanstalk-enhanced-health-reporting-enabled.md)
+ [

# cassandra-keyspace-tagged
](cassandra-keyspace-tagged.md)
+ [

# clb-desync-mode-check
](clb-desync-mode-check.md)
+ [

# clb-multiple-az
](clb-multiple-az.md)
+ [

# cloudformation-stack-drift-detection-check
](cloudformation-stack-drift-detection-check.md)
+ [

# cloudformation-stack-notification-check
](cloudformation-stack-notification-check.md)
+ [

# cloudformation-stack-service-role-check
](cloudformation-stack-service-role-check.md)
+ [

# cloudformation-termination-protection-check
](cloudformation-termination-protection-check.md)
+ [

# cloudfront-accesslogs-enabled
](cloudfront-accesslogs-enabled.md)
+ [

# cloudfront-associated-with-waf
](cloudfront-associated-with-waf.md)
+ [

# cloudfront-custom-ssl-certificate
](cloudfront-custom-ssl-certificate.md)
+ [

# cloudfront-default-root-object-configured
](cloudfront-default-root-object-configured.md)
+ [

# cloudfront-distribution-key-group-enabled
](cloudfront-distribution-key-group-enabled.md)
+ [

# cloudfront-no-deprecated-ssl-protocols
](cloudfront-no-deprecated-ssl-protocols.md)
+ [

# cloudfront-origin-access-identity-enabled
](cloudfront-origin-access-identity-enabled.md)
+ [

# cloudfront-origin-failover-enabled
](cloudfront-origin-failover-enabled.md)
+ [

# cloudfront-origin-lambda-url-oac-enabled
](cloudfront-origin-lambda-url-oac-enabled.md)
+ [

# cloudfront-s3-origin-access-control-enabled
](cloudfront-s3-origin-access-control-enabled.md)
+ [

# cloudfront-s3-origin-non-existent-bucket
](cloudfront-s3-origin-non-existent-bucket.md)
+ [

# cloudfront-security-policy-check
](cloudfront-security-policy-check.md)
+ [

# cloudfront-sni-enabled
](cloudfront-sni-enabled.md)
+ [

# cloudfront-ssl-policy-check
](cloudfront-ssl-policy-check.md)
+ [

# cloudfront-traffic-to-origin-encrypted
](cloudfront-traffic-to-origin-encrypted.md)
+ [

# cloudfront-viewer-policy-https
](cloudfront-viewer-policy-https.md)
+ [cloudtrail-all-read-s3-data-event-check](cloudtrail-all-read-s3-data-event-check.md)
+ [cloudtrail-all-write-s3-data-event-check](cloudtrail-all-write-s3-data-event-check.md)
+ [cloudtrail-event-data-store-multi-region](cloudtrail-event-data-store-multi-region.md)
+ [cloudtrail-s3-bucket-access-logging](cloudtrail-s3-bucket-access-logging.md)
+ [cloudtrail-s3-bucket-public-access-prohibited](cloudtrail-s3-bucket-public-access-prohibited.md)
+ [cloudtrail-s3-dataevents-enabled](cloudtrail-s3-dataevents-enabled.md)
+ [cloudtrail-security-trail-enabled](cloudtrail-security-trail-enabled.md)
+ [cloudwatch-alarm-action-check](cloudwatch-alarm-action-check.md)
+ [cloudwatch-alarm-action-enabled-check](cloudwatch-alarm-action-enabled-check.md)
+ [cloudwatch-alarm-description](cloudwatch-alarm-description.md)
+ [cloudwatch-alarm-resource-check](cloudwatch-alarm-resource-check.md)
+ [cloudwatch-alarm-settings-check](cloudwatch-alarm-settings-check.md)
+ [cloudwatch-log-group-encrypted](cloudwatch-log-group-encrypted.md)
+ [cloudwatch-metric-stream-tagged](cloudwatch-metric-stream-tagged.md)
+ [cloud-trail-cloud-watch-logs-enabled](cloud-trail-cloud-watch-logs-enabled.md)
+ [cloudtrail-enabled](cloudtrail-enabled.md)
+ [cloud-trail-encryption-enabled](cloud-trail-encryption-enabled.md)
+ [cloud-trail-log-file-validation-enabled](cloud-trail-log-file-validation-enabled.md)
+ [cmk-backing-key-rotation-enabled](cmk-backing-key-rotation-enabled.md)
+ [codeartifact-repository-tagged](codeartifact-repository-tagged.md)
+ [codebuild-project-artifact-encryption](codebuild-project-artifact-encryption.md)
+ [codebuild-project-environment-privileged-check](codebuild-project-environment-privileged-check.md)
+ [codebuild-project-envvar-awscred-check](codebuild-project-envvar-awscred-check.md)
+ [codebuild-project-logging-enabled](codebuild-project-logging-enabled.md)
+ [codebuild-project-s3-logs-encrypted](codebuild-project-s3-logs-encrypted.md)
+ [codebuild-project-source-repo-url-check](codebuild-project-source-repo-url-check.md)
+ [codebuild-project-tagged](codebuild-project-tagged.md)
+ [codebuild-report-group-encrypted-at-rest](codebuild-report-group-encrypted-at-rest.md)
+ [codebuild-report-group-tagged](codebuild-report-group-tagged.md)
+ [codedeploy-auto-rollback-monitor-enabled](codedeploy-auto-rollback-monitor-enabled.md)
+ [codedeploy-deployment-group-auto-rollback-enabled](codedeploy-deployment-group-auto-rollback-enabled.md)
+ [codedeploy-deployment-group-outdated-instances-update](codedeploy-deployment-group-outdated-instances-update.md)
+ [codedeploy-ec2-minimum-healthy-hosts-configured](codedeploy-ec2-minimum-healthy-hosts-configured.md)
+ [codedeploy-lambda-allatonce-traffic-shift-disabled](codedeploy-lambda-allatonce-traffic-shift-disabled.md)
+ [codeguruprofiler-profiling-group-tagged](codeguruprofiler-profiling-group-tagged.md)
+ [codegurureviewer-repository-association-tagged](codegurureviewer-repository-association-tagged.md)
+ [codepipeline-deployment-count-check](codepipeline-deployment-count-check.md)
+ [codepipeline-region-fanout-check](codepipeline-region-fanout-check.md)
+ [cognito-identity-pool-unauthenticated-logins](cognito-identity-pool-unauthenticated-logins.md)
+ [cognito-identity-pool-unauth-access-check](cognito-identity-pool-unauth-access-check.md)
+ [cognito-userpool-cust-auth-threat-full-check](cognito-userpool-cust-auth-threat-full-check.md)
+ [cognito-user-pool-advanced-security-enabled](cognito-user-pool-advanced-security-enabled.md)
+ [cognito-user-pool-deletion-protection-enabled](cognito-user-pool-deletion-protection-enabled.md)
+ [cognito-user-pool-mfa-enabled](cognito-user-pool-mfa-enabled.md)
+ [cognito-user-pool-password-policy-check](cognito-user-pool-password-policy-check.md)
+ [cognito-user-pool-tagged](cognito-user-pool-tagged.md)
+ [connect-instance-logging-enabled](connect-instance-logging-enabled.md)
+ [customerprofiles-domain-tagged](customerprofiles-domain-tagged.md)
+ [customerprofiles-object-type-allow-profile-creation](customerprofiles-object-type-allow-profile-creation.md)
+ [customerprofiles-object-type-tagged](customerprofiles-object-type-tagged.md)
+ [custom-eventbus-policy-attached](custom-eventbus-policy-attached.md)
+ [custom-schema-registry-policy-attached](custom-schema-registry-policy-attached.md)
+ [cw-loggroup-retention-period-check](cw-loggroup-retention-period-check.md)
+ [datasync-location-object-storage-using-https](datasync-location-object-storage-using-https.md)
+ [datasync-task-data-verification-enabled](datasync-task-data-verification-enabled.md)
+ [datasync-task-logging-enabled](datasync-task-logging-enabled.md)
+ [datasync-task-tagged](datasync-task-tagged.md)
+ [dax-encryption-enabled](dax-encryption-enabled.md)
+ [dax-tls-endpoint-encryption](dax-tls-endpoint-encryption.md)
+ [db-instance-backup-enabled](db-instance-backup-enabled.md)
+ [desired-instance-tenancy](desired-instance-tenancy.md)
+ [desired-instance-type](desired-instance-type.md)
+ [devicefarm-instance-profile-tagged](devicefarm-instance-profile-tagged.md)
+ [devicefarm-project-tagged](devicefarm-project-tagged.md)
+ [devicefarm-test-grid-project-tagged](devicefarm-test-grid-project-tagged.md)
+ [dms-auto-minor-version-upgrade-check](dms-auto-minor-version-upgrade-check.md)
+ [dms-endpoint-ssl-configured](dms-endpoint-ssl-configured.md)
+ [dms-endpoint-tagged](dms-endpoint-tagged.md)
+ [dms-mongo-db-authentication-enabled](dms-mongo-db-authentication-enabled.md)
+ [dms-neptune-iam-authorization-enabled](dms-neptune-iam-authorization-enabled.md)
+ [dms-redis-tls-enabled](dms-redis-tls-enabled.md)
+ [dms-replication-instance-multi-az-enabled](dms-replication-instance-multi-az-enabled.md)
+ [dms-replication-not-public](dms-replication-not-public.md)
+ [dms-replication-task-sourcedb-logging](dms-replication-task-sourcedb-logging.md)
+ [dms-replication-task-tagged](dms-replication-task-tagged.md)
+ [dms-replication-task-targetdb-logging](dms-replication-task-targetdb-logging.md)
+ [docdb-cluster-audit-logging-enabled](docdb-cluster-audit-logging-enabled.md)
+ [docdb-cluster-backup-retention-check](docdb-cluster-backup-retention-check.md)
+ [docdb-cluster-deletion-protection-enabled](docdb-cluster-deletion-protection-enabled.md)
+ [docdb-cluster-encrypted](docdb-cluster-encrypted.md)
+ [docdb-cluster-encrypted-in-transit](docdb-cluster-encrypted-in-transit.md)
+ [docdb-cluster-snapshot-public-prohibited](docdb-cluster-snapshot-public-prohibited.md)
+ [dynamodb-autoscaling-enabled](dynamodb-autoscaling-enabled.md)
+ [dynamodb-in-backup-plan](dynamodb-in-backup-plan.md)
+ [dynamodb-last-backup-recovery-point-created](dynamodb-last-backup-recovery-point-created.md)
+ [dynamodb-meets-restore-time-target](dynamodb-meets-restore-time-target.md)
+ [dynamodb-pitr-enabled](dynamodb-pitr-enabled.md)
+ [dynamodb-resources-protected-by-backup-plan](dynamodb-resources-protected-by-backup-plan.md)
+ [dynamodb-table-deletion-protection-enabled](dynamodb-table-deletion-protection-enabled.md)
+ [dynamodb-table-encrypted-kms](dynamodb-table-encrypted-kms.md)
+ [dynamodb-table-encryption-enabled](dynamodb-table-encryption-enabled.md)
+ [dynamodb-throughput-limit-check](dynamodb-throughput-limit-check.md)
+ [ebs-in-backup-plan](ebs-in-backup-plan.md)
+ [ebs-last-backup-recovery-point-created](ebs-last-backup-recovery-point-created.md)
+ [ebs-meets-restore-time-target](ebs-meets-restore-time-target.md)
+ [ebs-optimized-instance](ebs-optimized-instance.md)
+ [ebs-resources-in-logically-air-gapped-vault](ebs-resources-in-logically-air-gapped-vault.md)
+ [ebs-resources-protected-by-backup-plan](ebs-resources-protected-by-backup-plan.md)
+ [ebs-snapshot-block-public-access](ebs-snapshot-block-public-access.md)
+ [ebs-snapshot-public-restorable-check](ebs-snapshot-public-restorable-check.md)
+ [ec2-capacity-reservation-tagged](ec2-capacity-reservation-tagged.md)
+ [ec2-carrier-gateway-tagged](ec2-carrier-gateway-tagged.md)
+ [ec2-client-vpn-connection-log-enabled](ec2-client-vpn-connection-log-enabled.md)
+ [ec2-client-vpn-endpoint-tagged](ec2-client-vpn-endpoint-tagged.md)
+ [ec2-client-vpn-not-authorize-all](ec2-client-vpn-not-authorize-all.md)
+ [ec2-dhcp-options-tagged](ec2-dhcp-options-tagged.md)
+ [ec2-ebs-encryption-by-default](ec2-ebs-encryption-by-default.md)
+ [ec2-enis-source-destination-check-enabled](ec2-enis-source-destination-check-enabled.md)
+ [ec2-fleet-tagged](ec2-fleet-tagged.md)
+ [ec2-imdsv2-check](ec2-imdsv2-check.md)
+ [ec2-instance-detailed-monitoring-enabled](ec2-instance-detailed-monitoring-enabled.md)
+ [ec2-instance-launched-with-allowed-ami](ec2-instance-launched-with-allowed-ami.md)
+ [ec2-instance-managed-by-systems-manager](ec2-instance-managed-by-systems-manager.md)
+ [ec2-instance-multiple-eni-check](ec2-instance-multiple-eni-check.md)
+ [ec2-instance-no-public-ip](ec2-instance-no-public-ip.md)
+ [ec2-instance-profile-attached](ec2-instance-profile-attached.md)
+ [ec2-ipamscope-tagged](ec2-ipamscope-tagged.md)
+ [ec2-last-backup-recovery-point-created](ec2-last-backup-recovery-point-created.md)
+ [ec2-launchtemplate-ebs-encrypted](ec2-launchtemplate-ebs-encrypted.md)
+ [ec2-launch-templates-ebs-volume-encrypted](ec2-launch-templates-ebs-volume-encrypted.md)
+ [ec2-launch-template-imdsv2-check](ec2-launch-template-imdsv2-check.md)
+ [ec2-launch-template-public-ip-disabled](ec2-launch-template-public-ip-disabled.md)
+ [ec2-launch-template-tagged](ec2-launch-template-tagged.md)
+ [ec2-managedinstance-applications-blacklisted](ec2-managedinstance-applications-blacklisted.md)
+ [ec2-managedinstance-applications-required](ec2-managedinstance-applications-required.md)
+ [ec2-managedinstance-association-compliance-status-check](ec2-managedinstance-association-compliance-status-check.md)
+ [ec2-managedinstance-inventory-blacklisted](ec2-managedinstance-inventory-blacklisted.md)
+ [ec2-managedinstance-patch-compliance-status-check](ec2-managedinstance-patch-compliance-status-check.md)
+ [ec2-managedinstance-platform-check](ec2-managedinstance-platform-check.md)
+ [ec2-meets-restore-time-target](ec2-meets-restore-time-target.md)
+ [ec2-network-insights-access-scope-analysis-tagged](ec2-network-insights-access-scope-analysis-tagged.md)
+ [ec2-network-insights-access-scope-tagged](ec2-network-insights-access-scope-tagged.md)
+ [ec2-network-insights-analysis-tagged](ec2-network-insights-analysis-tagged.md)
+ [ec2-network-insights-path-tagged](ec2-network-insights-path-tagged.md)
+ [ec2-no-amazon-key-pair](ec2-no-amazon-key-pair.md)
+ [ec2-paravirtual-instance-check](ec2-paravirtual-instance-check.md)
+ [ec2-prefix-list-tagged](ec2-prefix-list-tagged.md)
+ [ec2-resources-in-logically-air-gapped-vault](ec2-resources-in-logically-air-gapped-vault.md)
+ [ec2-resources-protected-by-backup-plan](ec2-resources-protected-by-backup-plan.md)
+ [ec2-security-group-attached-to-eni](ec2-security-group-attached-to-eni.md)
+ [ec2-security-group-attached-to-eni-periodic](ec2-security-group-attached-to-eni-periodic.md)
+ [ec2-spot-fleet-request-ct-encryption-at-rest](ec2-spot-fleet-request-ct-encryption-at-rest.md)
+ [ec2-stopped-instance](ec2-stopped-instance.md)
+ [ec2-token-hop-limit-check](ec2-token-hop-limit-check.md)
+ [ec2-traffic-mirror-filter-description](ec2-traffic-mirror-filter-description.md)
+ [ec2-traffic-mirror-filter-tagged](ec2-traffic-mirror-filter-tagged.md)
+ [ec2-traffic-mirror-session-description](ec2-traffic-mirror-session-description.md)
+ [ec2-traffic-mirror-session-tagged](ec2-traffic-mirror-session-tagged.md)
+ [ec2-traffic-mirror-target-description](ec2-traffic-mirror-target-description.md)
+ [ec2-traffic-mirror-target-tagged](ec2-traffic-mirror-target-tagged.md)
+ [ec2-transit-gateway-auto-vpc-attach-disabled](ec2-transit-gateway-auto-vpc-attach-disabled.md)
+ [ec2-transit-gateway-multicast-domain-tagged](ec2-transit-gateway-multicast-domain-tagged.md)
+ [ec2-volume-inuse-check](ec2-volume-inuse-check.md)
+ [ec2-vpn-connection-ike-version-check](ec2-vpn-connection-ike-version-check.md)
+ [ec2-vpn-connection-logging-enabled](ec2-vpn-connection-logging-enabled.md)
+ [ec2-vpn-connection-tagged](ec2-vpn-connection-tagged.md)
+ [ecr-private-image-scanning-enabled](ecr-private-image-scanning-enabled.md)
+ [ecr-private-lifecycle-policy-configured](ecr-private-lifecycle-policy-configured.md)
+ [ecr-private-tag-immutability-enabled](ecr-private-tag-immutability-enabled.md)
+ [ecr-repository-cmk-encryption-enabled](ecr-repository-cmk-encryption-enabled.md)
+ [ecr-repository-tagged](ecr-repository-tagged.md)
+ [ecs-awsvpc-networking-enabled](ecs-awsvpc-networking-enabled.md)
+ [ecs-capacity-provider-tagged](ecs-capacity-provider-tagged.md)
+ [ecs-capacity-provider-termination-check](ecs-capacity-provider-termination-check.md)
+ [ecs-containers-nonprivileged](ecs-containers-nonprivileged.md)
+ [ecs-containers-readonly-access](ecs-containers-readonly-access.md)
+ [ecs-container-insights-enabled](ecs-container-insights-enabled.md)
+ [ecs-fargate-latest-platform-version](ecs-fargate-latest-platform-version.md)
+ [ecs-no-environment-secrets](ecs-no-environment-secrets.md)
+ [ecs-service-propagate-tags-enabled](ecs-service-propagate-tags-enabled.md)
+ [ecs-task-definition-efs-encryption-enabled](ecs-task-definition-efs-encryption-enabled.md)
+ [ecs-task-definition-linux-user-non-root](ecs-task-definition-linux-user-non-root.md)
+ [ecs-task-definition-log-configuration](ecs-task-definition-log-configuration.md)
+ [ecs-task-definition-memory-hard-limit](ecs-task-definition-memory-hard-limit.md)
+ [ecs-task-definition-network-mode-not-host](ecs-task-definition-network-mode-not-host.md)
+ [ecs-task-definition-nonroot-user](ecs-task-definition-nonroot-user.md)
+ [ecs-task-definition-pid-mode-check](ecs-task-definition-pid-mode-check.md)
+ [ecs-task-definition-user-for-host-mode-check](ecs-task-definition-user-for-host-mode-check.md)
+ [ecs-task-definition-windows-user-non-admin](ecs-task-definition-windows-user-non-admin.md)
+ [efs-access-point-enforce-root-directory](efs-access-point-enforce-root-directory.md)
+ [efs-access-point-enforce-user-identity](efs-access-point-enforce-user-identity.md)
+ [efs-automatic-backups-enabled](efs-automatic-backups-enabled.md)
+ [efs-encrypted-check](efs-encrypted-check.md)
+ [efs-filesystem-ct-encrypted](efs-filesystem-ct-encrypted.md)
+ [efs-file-system-tagged](efs-file-system-tagged.md)
+ [efs-in-backup-plan](efs-in-backup-plan.md)
+ [efs-last-backup-recovery-point-created](efs-last-backup-recovery-point-created.md)
+ [efs-meets-restore-time-target](efs-meets-restore-time-target.md)
+ [efs-mount-target-public-accessible](efs-mount-target-public-accessible.md)
+ [efs-resources-in-logically-air-gapped-vault](efs-resources-in-logically-air-gapped-vault.md)
+ [efs-resources-protected-by-backup-plan](efs-resources-protected-by-backup-plan.md)
+ [eip-attached](eip-attached.md)
+ [eks-addon-tagged](eks-addon-tagged.md)
+ [eks-cluster-logging-enabled](eks-cluster-logging-enabled.md)
+ [eks-cluster-log-enabled](eks-cluster-log-enabled.md)
+ [eks-cluster-oldest-supported-version](eks-cluster-oldest-supported-version.md)
+ [eks-cluster-secrets-encrypted](eks-cluster-secrets-encrypted.md)
+ [eks-cluster-supported-version](eks-cluster-supported-version.md)
+ [eks-endpoint-no-public-access](eks-endpoint-no-public-access.md)
+ [eks-fargate-profile-tagged](eks-fargate-profile-tagged.md)
+ [eks-nodegroup-supported-version-check](eks-nodegroup-supported-version-check.md)
+ [eks-secrets-encrypted](eks-secrets-encrypted.md)
+ [elasticache-automatic-backup-check-enabled](elasticache-automatic-backup-check-enabled.md)
+ [elasticache-auto-minor-version-upgrade-check](elasticache-auto-minor-version-upgrade-check.md)
+ [elasticache-rbac-auth-enabled](elasticache-rbac-auth-enabled.md)
+ [elasticache-redis-cluster-automatic-backup-check](elasticache-redis-cluster-automatic-backup-check.md)
+ [elasticache-repl-grp-auto-failover-enabled](elasticache-repl-grp-auto-failover-enabled.md)
+ [elasticache-repl-grp-encrypted-at-rest](elasticache-repl-grp-encrypted-at-rest.md)
+ [elasticache-repl-grp-encrypted-in-transit](elasticache-repl-grp-encrypted-in-transit.md)
+ [elasticache-repl-grp-redis-auth-enabled](elasticache-repl-grp-redis-auth-enabled.md)
+ [elasticache-subnet-group-check](elasticache-subnet-group-check.md)
+ [elasticache-supported-engine-version](elasticache-supported-engine-version.md)
+ [elasticbeanstalk-application-description](elasticbeanstalk-application-description.md)
+ [elasticbeanstalk-application-version-description](elasticbeanstalk-application-version-description.md)
+ [elasticbeanstalk-environment-description](elasticbeanstalk-environment-description.md)
+ [elasticsearch-encrypted-at-rest](elasticsearch-encrypted-at-rest.md)
+ [elasticsearch-in-vpc-only](elasticsearch-in-vpc-only.md)
+ [elasticsearch-logs-to-cloudwatch](elasticsearch-logs-to-cloudwatch.md)
+ [elasticsearch-node-to-node-encryption-check](elasticsearch-node-to-node-encryption-check.md)
+ [elastic-beanstalk-logs-to-cloudwatch](elastic-beanstalk-logs-to-cloudwatch.md)
+ [elastic-beanstalk-managed-updates-enabled](elastic-beanstalk-managed-updates-enabled.md)
+ [elbv2-acm-certificate-required](elbv2-acm-certificate-required.md)
+ [elbv2-listener-encryption-in-transit](elbv2-listener-encryption-in-transit.md)
+ [elbv2-multiple-az](elbv2-multiple-az.md)
+ [elbv2-predefined-security-policy-ssl-check](elbv2-predefined-security-policy-ssl-check.md)
+ [elbv2-targetgroup-healthcheck-protocol-encrypted](elbv2-targetgroup-healthcheck-protocol-encrypted.md)
+ [elbv2-targetgroup-protocol-encrypted](elbv2-targetgroup-protocol-encrypted.md)
+ [elb-acm-certificate-required](elb-acm-certificate-required.md)
+ [elb-cross-zone-load-balancing-enabled](elb-cross-zone-load-balancing-enabled.md)
+ [elb-custom-security-policy-ssl-check](elb-custom-security-policy-ssl-check.md)
+ [elb-deletion-protection-enabled](elb-deletion-protection-enabled.md)
+ [elb-internal-scheme-check](elb-internal-scheme-check.md)
+ [elb-logging-enabled](elb-logging-enabled.md)
+ [elb-predefined-security-policy-ssl-check](elb-predefined-security-policy-ssl-check.md)
+ [elb-tagged](elb-tagged.md)
+ [elb-tls-https-listeners-only](elb-tls-https-listeners-only.md)
+ [emr-block-public-access](emr-block-public-access.md)
+ [emr-kerberos-enabled](emr-kerberos-enabled.md)
+ [emr-master-no-public-ip](emr-master-no-public-ip.md)
+ [emr-security-configuration-encryption-rest](emr-security-configuration-encryption-rest.md)
+ [emr-security-configuration-encryption-transit](emr-security-configuration-encryption-transit.md)
+ [encrypted-volumes](encrypted-volumes.md)
+ [eventschemas-discoverer-tagged](eventschemas-discoverer-tagged.md)
+ [eventschemas-registry-tagged](eventschemas-registry-tagged.md)
+ [event-data-store-cmk-encryption-enabled](event-data-store-cmk-encryption-enabled.md)
+ [evidently-launch-description](evidently-launch-description.md)
+ [evidently-launch-tagged](evidently-launch-tagged.md)
+ [evidently-project-description](evidently-project-description.md)
+ [evidently-project-tagged](evidently-project-tagged.md)
+ [evidently-segment-description](evidently-segment-description.md)
+ [evidently-segment-tagged](evidently-segment-tagged.md)
+ [fis-experiment-template-log-configuration-exists](fis-experiment-template-log-configuration-exists.md)
+ [fis-experiment-template-tagged](fis-experiment-template-tagged.md)
+ [fms-shield-resource-policy-check](fms-shield-resource-policy-check.md)
+ [fms-webacl-resource-policy-check](fms-webacl-resource-policy-check.md)
+ [fms-webacl-rulegroup-association-check](fms-webacl-rulegroup-association-check.md)
+ [frauddetector-entity-type-tagged](frauddetector-entity-type-tagged.md)
+ [frauddetector-label-tagged](frauddetector-label-tagged.md)
+ [frauddetector-outcome-tagged](frauddetector-outcome-tagged.md)
+ [frauddetector-variable-tagged](frauddetector-variable-tagged.md)
+ [fsx-last-backup-recovery-point-created](fsx-last-backup-recovery-point-created.md)
+ [fsx-lustre-copy-tags-to-backups](fsx-lustre-copy-tags-to-backups.md)
+ [fsx-meets-restore-time-target](fsx-meets-restore-time-target.md)
+ [fsx-ontap-deployment-type-check](fsx-ontap-deployment-type-check.md)
+ [fsx-openzfs-copy-tags-enabled](fsx-openzfs-copy-tags-enabled.md)
+ [fsx-openzfs-deployment-type-check](fsx-openzfs-deployment-type-check.md)
+ [fsx-resources-protected-by-backup-plan](fsx-resources-protected-by-backup-plan.md)
+ [fsx-windows-audit-log-configured](fsx-windows-audit-log-configured.md)
+ [fsx-windows-deployment-type-check](fsx-windows-deployment-type-check.md)
+ [glb-listener-tagged](glb-listener-tagged.md)
+ [glb-tagged](glb-tagged.md)
+ [global-endpoint-event-replication-enabled](global-endpoint-event-replication-enabled.md)
+ [glue-job-logging-enabled](glue-job-logging-enabled.md)
+ [glue-ml-transform-encrypted-at-rest](glue-ml-transform-encrypted-at-rest.md)
+ [glue-ml-transform-tagged](glue-ml-transform-tagged.md)
+ [glue-spark-job-supported-version](glue-spark-job-supported-version.md)
+ [groundstation-config-tagged](groundstation-config-tagged.md)
+ [groundstation-dataflowendpointgroup-tagged](groundstation-dataflowendpointgroup-tagged.md)
+ [groundstation-missionprofile-tagged](groundstation-missionprofile-tagged.md)
+ [guardduty-ec2-protection-runtime-enabled](guardduty-ec2-protection-runtime-enabled.md)
+ [guardduty-ecs-protection-runtime-enabled](guardduty-ecs-protection-runtime-enabled.md)
+ [guardduty-eks-protection-audit-enabled](guardduty-eks-protection-audit-enabled.md)
+ [guardduty-eks-protection-runtime-enabled](guardduty-eks-protection-runtime-enabled.md)
+ [guardduty-enabled-centralized](guardduty-enabled-centralized.md)
+ [guardduty-lambda-protection-enabled](guardduty-lambda-protection-enabled.md)
+ [guardduty-malware-protection-enabled](guardduty-malware-protection-enabled.md)
+ [guardduty-non-archived-findings](guardduty-non-archived-findings.md)
+ [guardduty-rds-protection-enabled](guardduty-rds-protection-enabled.md)
+ [guardduty-runtime-monitoring-enabled](guardduty-runtime-monitoring-enabled.md)
+ [guardduty-s3-protection-enabled](guardduty-s3-protection-enabled.md)
+ [healthlake-fhirdatastore-tagged](healthlake-fhirdatastore-tagged.md)
+ [iam-customer-policy-blocked-kms-actions](iam-customer-policy-blocked-kms-actions.md)
+ [iam-external-access-analyzer-enabled](iam-external-access-analyzer-enabled.md)
+ [iam-group-has-users-check](iam-group-has-users-check.md)
+ [iam-inline-policy-blocked-kms-actions](iam-inline-policy-blocked-kms-actions.md)
+ [iam-no-inline-policy-check](iam-no-inline-policy-check.md)
+ [iam-oidc-provider-client-id-list-check](iam-oidc-provider-client-id-list-check.md)
+ [iam-oidc-provider-tagged](iam-oidc-provider-tagged.md)
+ [iam-password-policy](iam-password-policy.md)
+ [iam-policy-blacklisted-check](iam-policy-blacklisted-check.md)
+ [iam-policy-description](iam-policy-description.md)
+ [iam-policy-in-use](iam-policy-in-use.md)
+ [iam-policy-no-statements-with-admin-access](iam-policy-no-statements-with-admin-access.md)
+ [iam-policy-no-statements-with-full-access](iam-policy-no-statements-with-full-access.md)
+ [iam-role-managed-policy-check](iam-role-managed-policy-check.md)
+ [iam-root-access-key-check](iam-root-access-key-check.md)
+ [iam-saml-provider-tagged](iam-saml-provider-tagged.md)
+ [iam-server-certificate-expiration-check](iam-server-certificate-expiration-check.md)
+ [iam-server-certificate-tagged](iam-server-certificate-tagged.md)
+ [iam-user-group-membership-check](iam-user-group-membership-check.md)
+ [iam-user-mfa-enabled](iam-user-mfa-enabled.md)
+ [iam-user-no-policies-check](iam-user-no-policies-check.md)
+ [iam-user-unused-credentials-check](iam-user-unused-credentials-check.md)
+ [imagebuilder-distributionconfiguration-tagged](imagebuilder-distributionconfiguration-tagged.md)
+ [imagebuilder-imagepipeline-tagged](imagebuilder-imagepipeline-tagged.md)
+ [imagebuilder-imagerecipe-ebs-volumes-encrypted](imagebuilder-imagerecipe-ebs-volumes-encrypted.md)
+ [imagebuilder-imagerecipe-tagged](imagebuilder-imagerecipe-tagged.md)
+ [imagebuilder-infrastructureconfiguration-tagged](imagebuilder-infrastructureconfiguration-tagged.md)
+ [restricted-ssh](restricted-ssh.md)
+ [inspector-ec2-scan-enabled](inspector-ec2-scan-enabled.md)
+ [inspector-ecr-scan-enabled](inspector-ecr-scan-enabled.md)
+ [inspector-lambda-code-scan-enabled](inspector-lambda-code-scan-enabled.md)
+ [inspector-lambda-standard-scan-enabled](inspector-lambda-standard-scan-enabled.md)
+ [ec2-instances-in-vpc](ec2-instances-in-vpc.md)
+ [internet-gateway-authorized-vpc-only](internet-gateway-authorized-vpc-only.md)
+ [iotdevicedefender-custom-metric-tagged](iotdevicedefender-custom-metric-tagged.md)
+ [iotevents-alarm-model-tagged](iotevents-alarm-model-tagged.md)
+ [iotevents-detector-model-tagged](iotevents-detector-model-tagged.md)
+ [iotevents-input-tagged](iotevents-input-tagged.md)
+ [iotsitewise-asset-model-tagged](iotsitewise-asset-model-tagged.md)
+ [iotsitewise-dashboard-tagged](iotsitewise-dashboard-tagged.md)
+ [iotsitewise-gateway-tagged](iotsitewise-gateway-tagged.md)
+ [iotsitewise-portal-tagged](iotsitewise-portal-tagged.md)
+ [iotsitewise-project-tagged](iotsitewise-project-tagged.md)
+ [iottwinmaker-component-type-tagged](iottwinmaker-component-type-tagged.md)
+ [iottwinmaker-entity-tagged](iottwinmaker-entity-tagged.md)
+ [iottwinmaker-scene-tagged](iottwinmaker-scene-tagged.md)
+ [iottwinmaker-sync-job-tagged](iottwinmaker-sync-job-tagged.md)
+ [iottwinmaker-workspace-tagged](iottwinmaker-workspace-tagged.md)
+ [iotwireless-fuota-task-tagged](iotwireless-fuota-task-tagged.md)
+ [iotwireless-multicast-group-tagged](iotwireless-multicast-group-tagged.md)
+ [iotwireless-service-profile-tagged](iotwireless-service-profile-tagged.md)
+ [iot-authorizer-token-signing-enabled](iot-authorizer-token-signing-enabled.md)
+ [iot-job-template-tagged](iot-job-template-tagged.md)
+ [iot-provisioning-template-description](iot-provisioning-template-description.md)
+ [iot-provisioning-template-jitp](iot-provisioning-template-jitp.md)
+ [iot-provisioning-template-tagged](iot-provisioning-template-tagged.md)
+ [iot-scheduled-audit-tagged](iot-scheduled-audit-tagged.md)
+ [ivs-channel-playback-authorization-enabled](ivs-channel-playback-authorization-enabled.md)
+ [ivs-channel-tagged](ivs-channel-tagged.md)
+ [ivs-playback-key-pair-tagged](ivs-playback-key-pair-tagged.md)
+ [ivs-recording-configuration-tagged](ivs-recording-configuration-tagged.md)
+ [kendra-index-tagged](kendra-index-tagged.md)
+ [kinesisvideo-signalingchannel-tagged](kinesisvideo-signalingchannel-tagged.md)
+ [kinesisvideo-stream-tagged](kinesisvideo-stream-tagged.md)
+ [kinesis-firehose-delivery-stream-encrypted](kinesis-firehose-delivery-stream-encrypted.md)
+ [kinesis-stream-backup-retention-check](kinesis-stream-backup-retention-check.md)
+ [kinesis-stream-encrypted](kinesis-stream-encrypted.md)
+ [kinesis-video-stream-minimum-data-retention](kinesis-video-stream-minimum-data-retention.md)
+ [kms-cmk-not-scheduled-for-deletion](kms-cmk-not-scheduled-for-deletion.md)
+ [kms-key-policy-no-public-access](kms-key-policy-no-public-access.md)
+ [kms-key-tagged](kms-key-tagged.md)
+ [lambda-concurrency-check](lambda-concurrency-check.md)
+ [lambda-dlq-check](lambda-dlq-check.md)
+ [lambda-function-application-log-level-check](lambda-function-application-log-level-check.md)
+ [lambda-function-description](lambda-function-description.md)
+ [lambda-function-log-format-json](lambda-function-log-format-json.md)
+ [lambda-function-public-access-prohibited](lambda-function-public-access-prohibited.md)
+ [lambda-function-settings-check](lambda-function-settings-check.md)
+ [lambda-function-system-log-level-check](lambda-function-system-log-level-check.md)
+ [lambda-function-xray-enabled](lambda-function-xray-enabled.md)
+ [lambda-inside-vpc](lambda-inside-vpc.md)
+ [lambda-vpc-multi-az-check](lambda-vpc-multi-az-check.md)
+ [lightsail-bucket-allow-public-overrides-disabled](lightsail-bucket-allow-public-overrides-disabled.md)
+ [lightsail-bucket-object-versioning-enabled](lightsail-bucket-object-versioning-enabled.md)
+ [lightsail-bucket-tagged](lightsail-bucket-tagged.md)
+ [lightsail-certificate-tagged](lightsail-certificate-tagged.md)
+ [lightsail-disk-tagged](lightsail-disk-tagged.md)
+ [macie-auto-sensitive-data-discovery-check](macie-auto-sensitive-data-discovery-check.md)
+ [macie-status-check](macie-status-check.md)
+ [mariadb-publish-logs-to-cloudwatch-logs](mariadb-publish-logs-to-cloudwatch-logs.md)
+ [mediapackage-packagingconfiguration-tagged](mediapackage-packagingconfiguration-tagged.md)
+ [mediatailor-playbackconfiguration-tagged](mediatailor-playbackconfiguration-tagged.md)
+ [memorydb-subnetgroup-tagged](memorydb-subnetgroup-tagged.md)
+ [mfa-enabled-for-iam-console-access](mfa-enabled-for-iam-console-access.md)
+ [mq-active-broker-ldap-authentication](mq-active-broker-ldap-authentication.md)
+ [mq-active-deployment-mode](mq-active-deployment-mode.md)
+ [mq-active-single-instance-broker-storage-type-efs](mq-active-single-instance-broker-storage-type-efs.md)
+ [mq-automatic-minor-version-upgrade-enabled](mq-automatic-minor-version-upgrade-enabled.md)
+ [mq-auto-minor-version-upgrade-enabled](mq-auto-minor-version-upgrade-enabled.md)
+ [mq-broker-general-logging-enabled](mq-broker-general-logging-enabled.md)
+ [mq-cloudwatch-audit-logging-enabled](mq-cloudwatch-audit-logging-enabled.md)
+ [mq-cloudwatch-audit-log-enabled](mq-cloudwatch-audit-log-enabled.md)
+ [mq-no-public-access](mq-no-public-access.md)
+ [mq-rabbit-deployment-mode](mq-rabbit-deployment-mode.md)
+ [msk-cluster-public-access-disabled](msk-cluster-public-access-disabled.md)
+ [msk-cluster-tagged](msk-cluster-tagged.md)
+ [msk-connect-connector-logging-enabled](msk-connect-connector-logging-enabled.md)
+ [msk-enhanced-monitoring-enabled](msk-enhanced-monitoring-enabled.md)
+ [msk-in-cluster-node-require-tls](msk-in-cluster-node-require-tls.md)
+ [msk-unrestricted-access-check](msk-unrestricted-access-check.md)
+ [multi-region-cloudtrail-enabled](multi-region-cloudtrail-enabled.md)
+ [nacl-no-unrestricted-ssh-rdp](nacl-no-unrestricted-ssh-rdp.md)
+ [

# neptune-cluster-backup-retention-check
](neptune-cluster-backup-retention-check.md)
+ [

# neptune-cluster-cloudwatch-log-export-enabled
](neptune-cluster-cloudwatch-log-export-enabled.md)
+ [

# neptune-cluster-copy-tags-to-snapshot-enabled
](neptune-cluster-copy-tags-to-snapshot-enabled.md)
+ [

# neptune-cluster-deletion-protection-enabled
](neptune-cluster-deletion-protection-enabled.md)
+ [

# neptune-cluster-encrypted
](neptune-cluster-encrypted.md)
+ [

# neptune-cluster-iam-database-authentication
](neptune-cluster-iam-database-authentication.md)
+ [

# neptune-cluster-multi-az-enabled
](neptune-cluster-multi-az-enabled.md)
+ [

# neptune-cluster-snapshot-encrypted
](neptune-cluster-snapshot-encrypted.md)
+ [

# neptune-cluster-snapshot-iam-database-auth-enabled
](neptune-cluster-snapshot-iam-database-auth-enabled.md)
+ [

# neptune-cluster-snapshot-public-prohibited
](neptune-cluster-snapshot-public-prohibited.md)
+ [

# netfw-deletion-protection-enabled
](netfw-deletion-protection-enabled.md)
+ [

# netfw-logging-enabled
](netfw-logging-enabled.md)
+ [

# netfw-multi-az-enabled
](netfw-multi-az-enabled.md)
+ [

# netfw-policy-default-action-fragment-packets
](netfw-policy-default-action-fragment-packets.md)
+ [

# netfw-policy-default-action-full-packets
](netfw-policy-default-action-full-packets.md)
+ [

# netfw-policy-rule-group-associated
](netfw-policy-rule-group-associated.md)
+ [

# netfw-stateless-rule-group-not-empty
](netfw-stateless-rule-group-not-empty.md)
+ [

# netfw-subnet-change-protection-enabled
](netfw-subnet-change-protection-enabled.md)
+ [

# nlb-cross-zone-load-balancing-enabled
](nlb-cross-zone-load-balancing-enabled.md)
+ [

# nlb-internal-scheme-check
](nlb-internal-scheme-check.md)
+ [

# nlb-listener-tagged
](nlb-listener-tagged.md)
+ [

# nlb-logging-enabled
](nlb-logging-enabled.md)
+ [

# nlb-tagged
](nlb-tagged.md)
+ [

# no-unrestricted-route-to-igw
](no-unrestricted-route-to-igw.md)
+ [opensearchserverless-collection-description](opensearchserverless-collection-description.md)
+ [opensearchserverless-collection-standbyreplicas-enabled](opensearchserverless-collection-standbyreplicas-enabled.md)
+ [opensearch-access-control-enabled](opensearch-access-control-enabled.md)
+ [opensearch-audit-logging-enabled](opensearch-audit-logging-enabled.md)
+ [opensearch-data-node-fault-tolerance](opensearch-data-node-fault-tolerance.md)
+ [opensearch-encrypted-at-rest](opensearch-encrypted-at-rest.md)
+ [opensearch-https-required](opensearch-https-required.md)
+ [opensearch-in-vpc-only](opensearch-in-vpc-only.md)
+ [opensearch-logs-to-cloudwatch](opensearch-logs-to-cloudwatch.md)
+ [opensearch-node-to-node-encryption-check](opensearch-node-to-node-encryption-check.md)
+ [opensearch-primary-node-fault-tolerance](opensearch-primary-node-fault-tolerance.md)
+ [opensearch-update-check](opensearch-update-check.md)
+ [panorama-package-tagged](panorama-package-tagged.md)
+ [rabbit-mq-supported-version](rabbit-mq-supported-version.md)
+ [rds-aurora-mysql-audit-logging-enabled](rds-aurora-mysql-audit-logging-enabled.md)
+ [rds-aurora-postgresql-logs-to-cloudwatch](rds-aurora-postgresql-logs-to-cloudwatch.md)
+ [rds-automatic-minor-version-upgrade-enabled](rds-automatic-minor-version-upgrade-enabled.md)
+ [rds-cluster-auto-minor-version-upgrade-enable](rds-cluster-auto-minor-version-upgrade-enable.md)
+ [rds-cluster-backup-retention-check](rds-cluster-backup-retention-check.md)
+ [rds-cluster-default-admin-check](rds-cluster-default-admin-check.md)
+ [rds-cluster-deletion-protection-enabled](rds-cluster-deletion-protection-enabled.md)
+ [rds-cluster-encrypted-at-rest](rds-cluster-encrypted-at-rest.md)
+ [rds-cluster-iam-authentication-enabled](rds-cluster-iam-authentication-enabled.md)
+ [rds-cluster-multi-az-enabled](rds-cluster-multi-az-enabled.md)
+ [rds-db-security-group-not-allowed](rds-db-security-group-not-allowed.md)
+ [rds-enhanced-monitoring-enabled](rds-enhanced-monitoring-enabled.md)
+ [rds-event-subscription-tagged](rds-event-subscription-tagged.md)
+ [rds-global-cluster-aurora-mysql-supported-version](rds-global-cluster-aurora-mysql-supported-version.md)
+ [rds-instance-default-admin-check](rds-instance-default-admin-check.md)
+ [rds-instance-deletion-protection-enabled](rds-instance-deletion-protection-enabled.md)
+ [rds-instance-iam-authentication-enabled](rds-instance-iam-authentication-enabled.md)
+ [rds-instance-public-access-check](rds-instance-public-access-check.md)
+ [rds-instance-subnet-igw-check](rds-instance-subnet-igw-check.md)
+ [rds-in-backup-plan](rds-in-backup-plan.md)
+ [rds-last-backup-recovery-point-created](rds-last-backup-recovery-point-created.md)
+ [rds-logging-enabled](rds-logging-enabled.md)
+ [rds-mariadb-instance-encrypted-in-transit](rds-mariadb-instance-encrypted-in-transit.md)
+ [rds-meets-restore-time-target](rds-meets-restore-time-target.md)
+ [rds-multi-az-support](rds-multi-az-support.md)
+ [rds-mysql-cluster-copy-tags-to-snapshot-check](rds-mysql-cluster-copy-tags-to-snapshot-check.md)
+ [rds-mysql-instance-encrypted-in-transit](rds-mysql-instance-encrypted-in-transit.md)
+ [rds-option-group-tagged](rds-option-group-tagged.md)
+ [rds-pgsql-cluster-copy-tags-to-snapshot-check](rds-pgsql-cluster-copy-tags-to-snapshot-check.md)
+ [rds-postgresql-logs-to-cloudwatch](rds-postgresql-logs-to-cloudwatch.md)
+ [rds-postgres-instance-encrypted-in-transit](rds-postgres-instance-encrypted-in-transit.md)
+ [rds-proxy-tls-encryption](rds-proxy-tls-encryption.md)
+ [rds-resources-protected-by-backup-plan](rds-resources-protected-by-backup-plan.md)
+ [rds-snapshots-public-prohibited](rds-snapshots-public-prohibited.md)
+ [rds-snapshot-encrypted](rds-snapshot-encrypted.md)
+ [rds-sqlserver-encrypted-in-transit](rds-sqlserver-encrypted-in-transit.md)
+ [rds-sql-server-logs-to-cloudwatch](rds-sql-server-logs-to-cloudwatch.md)
+ [rds-storage-encrypted](rds-storage-encrypted.md)
+ [redshift-audit-logging-enabled](redshift-audit-logging-enabled.md)
+ [redshift-backup-enabled](redshift-backup-enabled.md)
+ [redshift-cluster-configuration-check](redshift-cluster-configuration-check.md)
+ [redshift-cluster-kms-enabled](redshift-cluster-kms-enabled.md)
+ [redshift-cluster-maintenancesettings-check](redshift-cluster-maintenancesettings-check.md)
+ [redshift-cluster-multi-az-enabled](redshift-cluster-multi-az-enabled.md)
+ [redshift-cluster-parameter-group-tagged](redshift-cluster-parameter-group-tagged.md)
+ [redshift-cluster-public-access-check](redshift-cluster-public-access-check.md)
+ [redshift-cluster-subnet-group-multi-az](redshift-cluster-subnet-group-multi-az.md)
+ [redshift-default-admin-check](redshift-default-admin-check.md)
+ [redshift-default-db-name-check](redshift-default-db-name-check.md)
+ [redshift-enhanced-vpc-routing-enabled](redshift-enhanced-vpc-routing-enabled.md)
+ [redshift-require-tls-ssl](redshift-require-tls-ssl.md)
+ [redshift-serverless-default-admin-check](redshift-serverless-default-admin-check.md)
+ [redshift-serverless-default-db-name-check](redshift-serverless-default-db-name-check.md)
+ [redshift-serverless-namespace-cmk-encryption](redshift-serverless-namespace-cmk-encryption.md)
+ [redshift-serverless-publish-logs-to-cloudwatch](redshift-serverless-publish-logs-to-cloudwatch.md)
+ [redshift-serverless-workgroup-encrypted-in-transit](redshift-serverless-workgroup-encrypted-in-transit.md)
+ [redshift-serverless-workgroup-no-public-access](redshift-serverless-workgroup-no-public-access.md)
+ [redshift-serverless-workgroup-routes-within-vpc](redshift-serverless-workgroup-routes-within-vpc.md)
+ [redshift-unrestricted-port-access](redshift-unrestricted-port-access.md)
+ [required-tags](required-tags.md)
+ [resiliencehub-app-tagged](resiliencehub-app-tagged.md)
+ [resiliencehub-resiliencypolicy-tagged](resiliencehub-resiliencypolicy-tagged.md)
+ [restricted-common-ports](restricted-common-ports.md)
+ [root-account-hardware-mfa-enabled](root-account-hardware-mfa-enabled.md)
+ [root-account-mfa-enabled](root-account-mfa-enabled.md)
+ [route53-health-check-tagged](route53-health-check-tagged.md)
+ [route53-hosted-zone-tagged](route53-hosted-zone-tagged.md)
+ [route53-query-logging-enabled](route53-query-logging-enabled.md)
+ [route53-recovery-control-cluster-tagged](route53-recovery-control-cluster-tagged.md)
+ [route53-recovery-readiness-cell-tagged](route53-recovery-readiness-cell-tagged.md)
+ [route53-recovery-readiness-readiness-check-tagged](route53-recovery-readiness-readiness-check-tagged.md)
+ [route53-recovery-readiness-recovery-group-tagged](route53-recovery-readiness-recovery-group-tagged.md)
+ [route53-recovery-readiness-resource-set-tagged](route53-recovery-readiness-resource-set-tagged.md)
+ [route53-resolver-firewall-domain-list-tagged](route53-resolver-firewall-domain-list-tagged.md)
+ [route53-resolver-firewall-rule-group-association-tagged](route53-resolver-firewall-rule-group-association-tagged.md)
+ [route53-resolver-firewall-rule-group-tagged](route53-resolver-firewall-rule-group-tagged.md)
+ [route53-resolver-resolver-endpoint-tagged](route53-resolver-resolver-endpoint-tagged.md)
+ [route53-resolver-resolver-rule-tagged](route53-resolver-resolver-rule-tagged.md)
+ [rum-app-monitor-cloudwatch-logs-enabled](rum-app-monitor-cloudwatch-logs-enabled.md)
+ [rum-app-monitor-tagged](rum-app-monitor-tagged.md)
+ [s3express-dir-bucket-lifecycle-rules-check](s3express-dir-bucket-lifecycle-rules-check.md)
+ [s3-access-point-in-vpc-only](s3-access-point-in-vpc-only.md)
+ [s3-access-point-public-access-blocks](s3-access-point-public-access-blocks.md)
+ [s3-account-level-public-access-blocks](s3-account-level-public-access-blocks.md)
+ [s3-account-level-public-access-blocks-periodic](s3-account-level-public-access-blocks-periodic.md)
+ [s3-bucket-acl-prohibited](s3-bucket-acl-prohibited.md)
+ [s3-bucket-blacklisted-actions-prohibited](s3-bucket-blacklisted-actions-prohibited.md)
+ [s3-bucket-cross-region-replication-enabled](s3-bucket-cross-region-replication-enabled.md)
+ [s3-bucket-default-lock-enabled](s3-bucket-default-lock-enabled.md)
+ [s3-bucket-level-public-access-prohibited](s3-bucket-level-public-access-prohibited.md)
+ [s3-bucket-logging-enabled](s3-bucket-logging-enabled.md)
+ [s3-bucket-mfa-delete-enabled](s3-bucket-mfa-delete-enabled.md)
+ [s3-bucket-policy-grantee-check](s3-bucket-policy-grantee-check.md)
+ [s3-bucket-policy-not-more-permissive](s3-bucket-policy-not-more-permissive.md)
+ [s3-bucket-public-read-prohibited](s3-bucket-public-read-prohibited.md)
+ [s3-bucket-public-write-prohibited](s3-bucket-public-write-prohibited.md)
+ [s3-bucket-replication-enabled](s3-bucket-replication-enabled.md)
+ [s3-bucket-server-side-encryption-enabled](s3-bucket-server-side-encryption-enabled.md)
+ [s3-bucket-ssl-requests-only](s3-bucket-ssl-requests-only.md)
+ [s3-bucket-tagged](s3-bucket-tagged.md)
+ [s3-bucket-versioning-enabled](s3-bucket-versioning-enabled.md)
+ [s3-default-encryption-kms](s3-default-encryption-kms.md)
+ [s3-directory-bucket-lifecycle-policy-rule-check](s3-directory-bucket-lifecycle-policy-rule-check.md)
+ [s3-event-notifications-enabled](s3-event-notifications-enabled.md)
+ [s3-last-backup-recovery-point-created](s3-last-backup-recovery-point-created.md)
+ [s3-lifecycle-policy-check](s3-lifecycle-policy-check.md)
+ [s3-meets-restore-time-target](s3-meets-restore-time-target.md)
+ [s3-resources-in-logically-air-gapped-vault](s3-resources-in-logically-air-gapped-vault.md)
+ [s3-resources-protected-by-backup-plan](s3-resources-protected-by-backup-plan.md)
+ [s3-version-lifecycle-policy-check](s3-version-lifecycle-policy-check.md)
+ [sagemaker-app-image-config-tagged](sagemaker-app-image-config-tagged.md)
+ [sagemaker-data-quality-job-encrypt-in-transit](sagemaker-data-quality-job-encrypt-in-transit.md)
+ [sagemaker-data-quality-job-isolation](sagemaker-data-quality-job-isolation.md)
+ [sagemaker-domain-in-vpc](sagemaker-domain-in-vpc.md)
+ [sagemaker-domain-tagged](sagemaker-domain-tagged.md)
+ [sagemaker-endpoint-configuration-kms-key-configured](sagemaker-endpoint-configuration-kms-key-configured.md)
+ [sagemaker-endpoint-config-prod-instance-count](sagemaker-endpoint-config-prod-instance-count.md)
+ [sagemaker-featuregroup-description](sagemaker-featuregroup-description.md)
+ [sagemaker-featuregroup-encryption-at-rest](sagemaker-featuregroup-encryption-at-rest.md)
+ [sagemaker-feature-group-tagged](sagemaker-feature-group-tagged.md)
+ [sagemaker-image-description](sagemaker-image-description.md)
+ [sagemaker-image-tagged](sagemaker-image-tagged.md)
+ [sagemaker-inferenceexperiment-tagged](sagemaker-inferenceexperiment-tagged.md)
+ [sagemaker-model-bias-job-encrypt-in-transit](sagemaker-model-bias-job-encrypt-in-transit.md)
+ [sagemaker-model-bias-job-isolation](sagemaker-model-bias-job-isolation.md)
+ [sagemaker-model-explainability-job-encrypt-in-transit](sagemaker-model-explainability-job-encrypt-in-transit.md)
+ [sagemaker-model-in-vpc](sagemaker-model-in-vpc.md)
+ [sagemaker-model-isolation-enabled](sagemaker-model-isolation-enabled.md)
+ [sagemaker-model-private-registry-required](sagemaker-model-private-registry-required.md)
+ [sagemaker-model-quality-job-encrypt-in-transit](sagemaker-model-quality-job-encrypt-in-transit.md)
+ [sagemaker-monitoring-schedule-isolation](sagemaker-monitoring-schedule-isolation.md)
+ [sagemaker-notebook-instance-inside-vpc](sagemaker-notebook-instance-inside-vpc.md)
+ [sagemaker-notebook-instance-kms-key-configured](sagemaker-notebook-instance-kms-key-configured.md)
+ [sagemaker-notebook-instance-platform-version](sagemaker-notebook-instance-platform-version.md)
+ [sagemaker-notebook-instance-root-access-check](sagemaker-notebook-instance-root-access-check.md)
+ [sagemaker-notebook-no-direct-internet-access](sagemaker-notebook-no-direct-internet-access.md)
+ [secretsmanager-rotation-enabled-check](secretsmanager-rotation-enabled-check.md)
+ [secretsmanager-scheduled-rotation-success-check](secretsmanager-scheduled-rotation-success-check.md)
+ [secretsmanager-secret-periodic-rotation](secretsmanager-secret-periodic-rotation.md)
+ [secretsmanager-secret-unused](secretsmanager-secret-unused.md)
+ [secretsmanager-using-cmk](secretsmanager-using-cmk.md)
+ [securityhub-enabled](securityhub-enabled.md)
+ [security-account-information-provided](security-account-information-provided.md)
+ [service-catalog-portfolio-tagged](service-catalog-portfolio-tagged.md)
+ [service-catalog-shared-within-organization](service-catalog-shared-within-organization.md)
+ [service-vpc-endpoint-enabled](service-vpc-endpoint-enabled.md)
+ [ses-malware-scanning-enabled](ses-malware-scanning-enabled.md)
+ [ses-sending-tls-required](ses-sending-tls-required.md)
+ [shield-advanced-enabled-autorenew](shield-advanced-enabled-autorenew.md)
+ [shield-drt-access](shield-drt-access.md)
+ [signer-signingprofile-tagged](signer-signingprofile-tagged.md)
+ [sns-encrypted-kms](sns-encrypted-kms.md)
+ [sns-topic-message-delivery-notification-enabled](sns-topic-message-delivery-notification-enabled.md)
+ [sns-topic-no-public-access](sns-topic-no-public-access.md)
+ [sqs-queue-dlq-check](sqs-queue-dlq-check.md)
+ [sqs-queue-no-public-access](sqs-queue-no-public-access.md)
+ [sqs-queue-policy-full-access-check](sqs-queue-policy-full-access-check.md)
+ [ssm-automation-block-public-sharing](ssm-automation-block-public-sharing.md)
+ [ssm-automation-logging-enabled](ssm-automation-logging-enabled.md)
+ [ssm-document-not-public](ssm-document-not-public.md)
+ [ssm-document-tagged](ssm-document-tagged.md)
+ [stepfunctions-state-machine-tagged](stepfunctions-state-machine-tagged.md)
+ [step-functions-state-machine-logging-enabled](step-functions-state-machine-logging-enabled.md)
+ [storagegateway-last-backup-recovery-point-created](storagegateway-last-backup-recovery-point-created.md)
+ [storagegateway-resources-in-logically-air-gapped-vault](storagegateway-resources-in-logically-air-gapped-vault.md)
+ [storagegateway-resources-protected-by-backup-plan](storagegateway-resources-protected-by-backup-plan.md)
+ [subnet-auto-assign-public-ip-disabled](subnet-auto-assign-public-ip-disabled.md)
+ [transfer-agreement-description](transfer-agreement-description.md)
+ [transfer-agreement-tagged](transfer-agreement-tagged.md)
+ [transfer-certificate-description](transfer-certificate-description.md)
+ [transfer-certificate-tagged](transfer-certificate-tagged.md)
+ [transfer-connector-as2-encryption-algorithm-check](transfer-connector-as2-encryption-algorithm-check.md)
+ [transfer-connector-as2-mdn-signing-algorithm-check](transfer-connector-as2-mdn-signing-algorithm-check.md)
+ [transfer-connector-as2-signing-algorithm-check](transfer-connector-as2-signing-algorithm-check.md)
+ [transfer-connector-logging-enabled](transfer-connector-logging-enabled.md)
+ [transfer-connector-tagged](transfer-connector-tagged.md)
+ [transfer-family-server-no-ftp](transfer-family-server-no-ftp.md)
+ [transfer-profile-tagged](transfer-profile-tagged.md)
+ [transfer-workflow-description](transfer-workflow-description.md)
+ [transfer-workflow-tagged](transfer-workflow-tagged.md)
+ [virtualmachine-last-backup-recovery-point-created](virtualmachine-last-backup-recovery-point-created.md)
+ [virtualmachine-resources-in-logically-air-gapped-vault](virtualmachine-resources-in-logically-air-gapped-vault.md)
+ [virtualmachine-resources-protected-by-backup-plan](virtualmachine-resources-protected-by-backup-plan.md)
+ [vpc-default-security-group-closed](vpc-default-security-group-closed.md)
+ [vpc-endpoint-enabled](vpc-endpoint-enabled.md)
+ [vpc-flow-logs-enabled](vpc-flow-logs-enabled.md)
+ [vpc-network-acl-unused-check](vpc-network-acl-unused-check.md)
+ [vpc-peering-dns-resolution-check](vpc-peering-dns-resolution-check.md)
+ [vpc-sg-open-only-to-authorized-ports](vpc-sg-open-only-to-authorized-ports.md)
+ [vpc-sg-port-restriction-check](vpc-sg-port-restriction-check.md)
+ [vpc-vpn-2-tunnels-up](vpc-vpn-2-tunnels-up.md)
+ [wafv2-logging-enabled](wafv2-logging-enabled.md)
+ [wafv2-rulegroup-logging-enabled](wafv2-rulegroup-logging-enabled.md)
+ [wafv2-rulegroup-not-empty](wafv2-rulegroup-not-empty.md)
+ [wafv2-webacl-not-empty](wafv2-webacl-not-empty.md)
+ [waf-classic-logging-enabled](waf-classic-logging-enabled.md)
+ [waf-global-rulegroup-not-empty](waf-global-rulegroup-not-empty.md)
+ [waf-global-rule-not-empty](waf-global-rule-not-empty.md)
+ [waf-global-webacl-not-empty](waf-global-webacl-not-empty.md)
+ [waf-regional-rulegroup-not-empty](waf-regional-rulegroup-not-empty.md)
+ [waf-regional-rule-not-empty](waf-regional-rule-not-empty.md)
+ [waf-regional-webacl-not-empty](waf-regional-webacl-not-empty.md)
+ [workspaces-connection-alias-tagged](workspaces-connection-alias-tagged.md)
+ [workspaces-root-volume-encryption-enabled](workspaces-root-volume-encryption-enabled.md)
+ [workspaces-user-volume-encryption-enabled](workspaces-user-volume-encryption-enabled.md)
+ [workspaces-workspace-tagged](workspaces-workspace-tagged.md)

# access-keys-rotated
<a name="access-keys-rotated"></a>

Checks if active IAM access keys are rotated (changed) within the number of days specified in `maxAccessKeyAge`. The rule is NON_COMPLIANT if access keys are not rotated within the specified time period. The default value is 90 days.

**Warning**  
Do not provide your access keys to unauthorized parties, even to help [find your account identifiers](https://docs.aws.amazon.com/general/latest/gr/acct-identifiers.html). By doing this, you might give someone permanent access to your account. The security [best practice](https://docs.aws.amazon.com/accounts/latest/reference/best-practices.html) is to remove passwords and access keys when users no longer need them.

**Note**  
**Resource Type Marked as Noncompliant in the Console**  
If this rule finds that any of your access keys are noncompliant, the `AWS::IAM::User` resource type will also be marked as noncompliant in the AWS console.  
**Managed Rules and Global IAM Resource Types**  
The global IAM resource types onboarded before February 2022 (`AWS::IAM::Group`, `AWS::IAM::Policy`, `AWS::IAM::Role`, and `AWS::IAM::User`) can only be recorded by AWS Config in AWS Regions where AWS Config was available before February 2022. These resource types cannot be recorded in Regions supported by AWS Config after February 2022. For a list of those Regions, see [Recording AWS Resources | Global Resources](https://docs.aws.amazon.com/config/latest/developerguide/select-resources.html#select-resources-all).  
If you record a global IAM resource type in at least one Region, periodic rules that report compliance on the global IAM resource type will run evaluations in all Regions where the periodic rule is added, even if you have not enabled the recording of the global IAM resource type in the Region where the periodic rule was added.  
To avoid unnecessary evaluations, you should only deploy periodic rules that report compliance on a global IAM resource type to one of the supported Regions. For a list of which managed rules are supported in which Regions, see [List of AWS Config Managed Rules by Region Availability](https://docs.aws.amazon.com/config/latest/developerguide/managing-rules-by-region-availability.html).  
**Limitations**  
This rule does not apply to AWS account root user access keys. To delete or rotate your root user access keys, use your root user credentials to sign in to the My Security Credentials page in the AWS Management Console at [https://aws.amazon.com/console/](https://aws.amazon.com/console/).



**Identifier:** ACCESS_KEYS_ROTATED

**Resource Types:** AWS::IAM::User

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), Europe (Zurich) Region

**Parameters:**

maxAccessKeyAge  
Type: int  
Default: 90  
Maximum number of days without rotation. Default 90.

## AWS CloudFormation template
<a name="w2aac20c16c17b7b1c23"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# account-part-of-organizations
<a name="account-part-of-organizations"></a>

Checks if an AWS account is part of AWS Organizations. The rule is NON_COMPLIANT if an AWS account is not part of AWS Organizations or if the AWS Organizations master account ID does not match the rule parameter `MasterAccountId`.

**Note**  
**Managed Rules and Global IAM Resource Types**  
The global IAM resource types onboarded before February 2022 (`AWS::IAM::Group`, `AWS::IAM::Policy`, `AWS::IAM::Role`, and `AWS::IAM::User`) can only be recorded by AWS Config in AWS Regions where AWS Config was available before February 2022. These resource types cannot be recorded in Regions supported by AWS Config after February 2022. For a list of those Regions, see [Recording AWS Resources | Global Resources](https://docs.aws.amazon.com/config/latest/developerguide/select-resources.html#select-resources-all).  
If you record a global IAM resource type in at least one Region, periodic rules that report compliance on the global IAM resource type will run evaluations in all Regions where the periodic rule is added, even if you have not enabled the recording of the global IAM resource type in the Region where the periodic rule was added.  
To avoid unnecessary evaluations, you should only deploy periodic rules that report compliance on a global IAM resource type to one of the supported Regions. For a list of which managed rules are supported in which Regions, see [List of AWS Config Managed Rules by Region Availability](https://docs.aws.amazon.com/config/latest/developerguide/managing-rules-by-region-availability.html).



**Identifier:** ACCOUNT_PART_OF_ORGANIZATIONS

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except China (Beijing) Region

**Parameters:**

MasterAccountId (Optional)  
Type: String  
The master account ID for an AWS account.

## AWS CloudFormation template
<a name="w2aac20c16c17b7b3c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# acmpca-certificate-authority-tagged
<a name="acmpca-certificate-authority-tagged"></a>

Checks if AWS Private CA certificate authorities have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.



**Identifier:** ACMPCA_CERTIFICATE_AUTHORITY_TAGGED

**Resource Types:** AWS::ACMPCA::CertificateAuthority

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), China (Ningxia) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7b5c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# acm-certificate-expiration-check
<a name="acm-certificate-expiration-check"></a>

Checks if AWS Certificate Manager Certificates in your account are marked for expiration within the specified number of days. Certificates provided by ACM are automatically renewed. ACM does not automatically renew certificates that you import. The rule is NON_COMPLIANT if your certificates are about to expire.



**Identifier:** ACM_CERTIFICATE_EXPIRATION_CHECK

**Resource Types:** AWS::ACM::Certificate

**Trigger type:** Configuration changes and Periodic

**AWS Region:** All supported AWS regions

**Parameters:**

daysToExpiration (Optional)  
Type: int  
Default: 14  
Specify the number of days before the rule flags the ACM Certificate as noncompliant.

## AWS CloudFormation template
<a name="w2aac20c16c17b7b7c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# acm-certificate-rsa-check
<a name="acm-certificate-rsa-check"></a>

Checks if RSA certificates managed by AWS Certificate Manager (ACM) have a key length of at least '2048' bits. The rule is NON_COMPLIANT if the minimum key length is less than 2048 bits.



**Identifier:** ACM_CERTIFICATE_RSA_CHECK

**Resource Types:** AWS::ACM::Certificate

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7b9c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# acm-certificate-transparent-logging-enabled
<a name="acm-certificate-transparent-logging-enabled"></a>

Checks if AWS Certificate Manager certificates have certificate transparency logging enabled. The rule is NON_COMPLIANT if CertificateTransparencyLoggingPreference is explicitly set to DISABLED.



**Identifier:** ACM_CERTIFICATE_TRANSPARENT_LOGGING_ENABLED

**Resource Types:** AWS::ACM::Certificate

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), AWS GovCloud (US-East), AWS GovCloud (US-West), Asia Pacific (Taipei), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7c11c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# acm-pca-root-ca-disabled
<a name="acm-pca-root-ca-disabled"></a>

Checks if AWS Private Certificate Authority (AWS Private CA) has a root CA that is disabled. The rule is NON_COMPLIANT for root CAs with status that is not DISABLED.



**Identifier:** ACM_PCA_ROOT_CA_DISABLED

**Resource Types:** AWS::ACMPCA::CertificateAuthority

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

exemptedCAArns (Optional)  
Type: CSV  
Comma-separated list of Amazon Resource Names (ARNs) of CAs that can be enabled. This value can be supplied for other CAs, like specific root CAs or intermediate CAs that can be enabled.

## AWS CloudFormation template
<a name="w2aac20c16c17b7c13c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# active-mq-supported-version
<a name="active-mq-supported-version"></a>

Checks if an Amazon MQ ActiveMQ broker is running on a specified minimum supported engine version. The rule is NON_COMPLIANT if the ActiveMQ broker is not running on the minimum supported engine version that you specify.



**Identifier:** ACTIVE_MQ_SUPPORTED_VERSION

**Resource Types:** AWS::AmazonMQ::Broker

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), Europe (Zurich) Region

**Parameters:**

supportedEngineVersion  
Type: String  
String value for the rule to check the minimum supported engine version for the ActiveMQ broker. ActiveMQ brokers use the semantic versioning specification X.Y.Z, where X denotes the major version, Y represents the minor version, and Z denotes the patch version.

## AWS CloudFormation template
<a name="w2aac20c16c17b7c15c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# alb-desync-mode-check
<a name="alb-desync-mode-check"></a>

Checks if an Application Load Balancer (ALB) is configured with a user-defined desync mitigation mode. The rule is NON_COMPLIANT if the ALB desync mitigation mode does not match the user-defined desync mitigation mode.



**Identifier:** ALB\$1DESYNC\$1MODE\$1CHECK

**Resource Types:** AWS::ElasticLoadBalancingV2::LoadBalancer

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Mexico (Central), Asia Pacific (Taipei) Region

**Parameters:**

desyncMode  
Type: CSV  
Comma-separated list of at most 2 values chosen from 'defensive', 'strictest', and 'monitor'.

## AWS CloudFormation template
<a name="w2aac20c16c17b7c17c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# alb-http-drop-invalid-header-enabled
<a name="alb-http-drop-invalid-header-enabled"></a>

Checks if AWS Application Load Balancers (ALBs) are configured to drop invalid HTTP headers. The rule is NON_COMPLIANT if the value of routing.http.drop_invalid_header_fields.enabled is set to false.

**Identifier:** ALB_HTTP_DROP_INVALID_HEADER_ENABLED

**Resource Types:** AWS::ElasticLoadBalancingV2::LoadBalancer

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7c19c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# alb-http-to-https-redirection-check
<a name="alb-http-to-https-redirection-check"></a>

Checks if HTTP to HTTPS redirection is configured on all HTTP listeners of Application Load Balancers. The rule is NON_COMPLIANT if one or more HTTP listeners of an Application Load Balancer do not have HTTP to HTTPS redirection configured. The rule is also NON_COMPLIANT if one or more HTTP listeners forward to an HTTP listener instead of redirecting.

**Identifier:** ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK

**Resource Types:** AWS::ElasticLoadBalancingV2::LoadBalancer

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7c21c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# alb-internal-scheme-check
<a name="alb-internal-scheme-check"></a>

Checks if an Application Load Balancer scheme is internal. The rule is NON_COMPLIANT if configuration.scheme is not set to internal.

**Identifier:** ALB_INTERNAL_SCHEME_CHECK

**Resource Types:** AWS::ElasticLoadBalancingV2::LoadBalancer

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7c23c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# alb-listener-tagged
<a name="alb-listener-tagged"></a>

Checks if Application Load Balancer listeners have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** ALB_LISTENER_TAGGED

**Resource Types:** AWS::ElasticLoadBalancingV2::Listener

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Jakarta), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7c25c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# alb-tagged
<a name="alb-tagged"></a>

Checks if Application Load Balancers have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** ALB_TAGGED

**Resource Types:** AWS::ElasticLoadBalancingV2::LoadBalancer

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), China (Ningxia) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7c27c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# alb-waf-enabled
<a name="alb-waf-enabled"></a>

Checks if Web Application Firewall (WAF) is enabled on Application Load Balancers (ALBs). This rule is NON_COMPLIANT if key: waf.enabled is set to false.

**Identifier:** ALB_WAF_ENABLED

**Resource Types:** AWS::ElasticLoadBalancingV2::LoadBalancer

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions

**Parameters:**

wafWebAclIds (Optional)  
Type: CSV  
Comma-separated list of web ACL IDs (for WAF) or web ACL ARNs (for WAFV2) to check for ALB association.

## AWS CloudFormation template
<a name="w2aac20c16c17b7c29c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# amplify-app-branch-auto-deletion-enabled
<a name="amplify-app-branch-auto-deletion-enabled"></a>

Checks if AWS Amplify apps automatically disconnect a branch in Amplify Hosting when you delete a branch from your Git repository. The rule is NON_COMPLIANT if configuration.EnableBranchAutoDeletion is false.

**Identifier:** AMPLIFY_APP_BRANCH_AUTO_DELETION_ENABLED

**Resource Types:** AWS::Amplify::App

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Jakarta), Africa (Cape Town), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7c31c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# amplify-app-build-spec-configured
<a name="amplify-app-build-spec-configured"></a>

Checks if AWS Amplify apps have a build specification configured. The rule is NON_COMPLIANT if configuration.BuildSpec does not exist.

**Identifier:** AMPLIFY_APP_BUILD_SPEC_CONFIGURED

**Resource Types:** AWS::Amplify::App

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Jakarta), Africa (Cape Town), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7c33c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# amplify-app-description
<a name="amplify-app-description"></a>

Checks if AWS Amplify apps have a description. The rule is NON_COMPLIANT if configuration.Description does not exist or is an empty string.

**Identifier:** AMPLIFY_APP_DESCRIPTION

**Resource Types:** AWS::Amplify::App

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Jakarta), Africa (Cape Town), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7c35c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# amplify-app-no-environment-variables
<a name="amplify-app-no-environment-variables"></a>

Checks that AWS Amplify apps do not contain environment variables. The rule is NON_COMPLIANT if configuration.EnvironmentVariables is not an empty list.

**Identifier:** AMPLIFY_APP_NO_ENVIRONMENT_VARIABLES

**Resource Types:** AWS::Amplify::App

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Jakarta), Africa (Cape Town), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7c37c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# amplify-app-platform-check
<a name="amplify-app-platform-check"></a>

Checks if AWS Amplify apps are configured with the specified platform. The rule is NON_COMPLIANT if configuration.Platform is a value not specified in the required rule parameter.

**Identifier:** AMPLIFY_APP_PLATFORM_CHECK

**Resource Types:** AWS::Amplify::App

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Jakarta), Africa (Cape Town), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

approvedPlatform  
Type: String  
The approved platform for the rule to check. The rule is NON_COMPLIANT if configuration.Platform is a value not specified in this parameter. Valid values include: 'WEB', 'WEB_DYNAMIC', and 'WEB_COMPUTE'.

## AWS CloudFormation template
<a name="w2aac20c16c17b7c39c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# amplify-app-tagged
<a name="amplify-app-tagged"></a>

Checks if AWS Amplify apps have tags. Optionally, you can specify tag keys for the rule. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** AMPLIFY_APP_TAGGED

**Resource Types:** AWS::Amplify::App

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Jakarta), Africa (Cape Town), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7c41c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# amplify-branch-auto-build-enabled
<a name="amplify-branch-auto-build-enabled"></a>

Checks if AWS Amplify branches have auto build enabled. The rule is NON_COMPLIANT if configuration.EnableAutoBuild is false.

**Identifier:** AMPLIFY_BRANCH_AUTO_BUILD_ENABLED

**Resource Types:** AWS::Amplify::Branch

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Jakarta), Africa (Cape Town), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7c43c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# amplify-branch-build-spec-configured
<a name="amplify-branch-build-spec-configured"></a>

Checks if AWS Amplify branches have a build specification configured. The rule is NON_COMPLIANT if configuration.BuildSpec does not exist.

**Identifier:** AMPLIFY_BRANCH_BUILD_SPEC_CONFIGURED

**Resource Types:** AWS::Amplify::Branch

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Jakarta), Africa (Cape Town), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7c45c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# amplify-branch-description
<a name="amplify-branch-description"></a>

Checks if AWS Amplify branches have a description. The rule is NON_COMPLIANT if configuration.Description does not exist or is an empty string.

**Identifier:** AMPLIFY_BRANCH_DESCRIPTION

**Resource Types:** AWS::Amplify::Branch

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Jakarta), Africa (Cape Town), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7c47c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# amplify-branch-framework-configured
<a name="amplify-branch-framework-configured"></a>

Checks if AWS Amplify branches have a framework configured. The rule is NON_COMPLIANT if configuration.Framework does not exist.

**Identifier:** AMPLIFY_BRANCH_FRAMEWORK_CONFIGURED

**Resource Types:** AWS::Amplify::Branch

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Jakarta), Africa (Cape Town), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

approvedFrameworks (Optional)  
Type: CSV  
Comma-separated list of approved frameworks for the rule to check. If provided, the rule is NON_COMPLIANT if configuration.Framework is a value not specified in this parameter.

## AWS CloudFormation template
<a name="w2aac20c16c17b7c49c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# amplify-branch-performance-mode-enabled
<a name="amplify-branch-performance-mode-enabled"></a>

Checks if AWS Amplify branches have performance mode enabled. The rule is NON_COMPLIANT if configuration.EnablePerformanceMode is false.

**Identifier:** AMPLIFY_BRANCH_PERFORMANCE_MODE_ENABLED

**Resource Types:** AWS::Amplify::Branch

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Jakarta), Africa (Cape Town), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7c51c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# amplify-branch-pull-request-preview-enabled
<a name="amplify-branch-pull-request-preview-enabled"></a>

Checks if AWS Amplify branches have pull request preview enabled. The rule is NON_COMPLIANT if configuration.EnablePullRequestPreview is false.

**Identifier:** AMPLIFY_BRANCH_PULL_REQUEST_PREVIEW_ENABLED

**Resource Types:** AWS::Amplify::Branch

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Jakarta), Africa (Cape Town), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7c53c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# amplify-branch-tagged
<a name="amplify-branch-tagged"></a>

Checks if AWS Amplify branches have tags. Optionally, you can specify tag keys for the rule. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** AMPLIFY_BRANCH_TAGGED

**Resource Types:** AWS::Amplify::Branch

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Jakarta), Africa (Cape Town), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7c55c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).
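
The tag rules above (alb-listener-tagged, alb-tagged, amplify-app-tagged and amplify-branch-tagged) document the same evaluation semantics. The following is an added example, not AWS code: an offline pre-check that approximates those semantics over constructed configuration items. The function names, the sample items, and the reading that 'aws:' tags are ignored when deciding whether a resource has any tags are assumptions.

```python
"""Offline pre-check approximating the documented behaviour of the *-tagged rules."""

AWS_PREFIX = "aws:"  # tag keys with this prefix are not checked by the rules


def parse_required_keys(csv_value):
    """Parse the requiredKeyTags CSV parameter into a list of tag keys."""
    if not csv_value:
        return []
    keys = [k.strip() for k in csv_value.split(",") if k.strip()]
    reserved = [k for k in keys if k.startswith(AWS_PREFIX)]
    if reserved:
        # The parameter description says 'aws:' keys are not allowed.
        raise ValueError("tag keys starting with 'aws:' are not allowed: %s" % reserved)
    return keys


def evaluate_tagged(config_item, required_key_tags=None):
    """Return (compliance, annotation) for one configuration item."""
    required = parse_required_keys(required_key_tags)
    tags = config_item.get("tags") or {}
    # Assumption: 'aws:' tags are ignored when deciding if the resource has tags.
    user_keys = {k for k in tags if not k.startswith(AWS_PREFIX)}
    if not user_keys:
        return "NON_COMPLIANT", "resource has no user-defined tags"
    # Exact, case-sensitive comparison: 'owner' does not satisfy 'Owner'.
    missing = [k for k in required if k not in user_keys]
    if missing:
        return "NON_COMPLIANT", "missing required tag keys: " + ", ".join(missing)
    return "COMPLIANT", ""


# Constructed sample configuration items (not real resources).
SAMPLE_ITEMS = [
    {"resourceType": "AWS::ElasticLoadBalancingV2::LoadBalancer",
     "resourceId": "alb-tagged-ok",
     "tags": {"Owner": "payments", "CostCenter": "1234"}},
    {"resourceType": "AWS::ElasticLoadBalancingV2::LoadBalancer",
     "resourceId": "alb-wrong-case",
     "tags": {"owner": "payments", "CostCenter": "1234"}},
    {"resourceType": "AWS::Amplify::App",
     "resourceId": "amplify-only-aws-tags",
     "tags": {"aws:cloudformation:stack-name": "web"}},
    {"resourceType": "AWS::Amplify::Branch",
     "resourceId": "branch-untagged",
     "tags": {}},
]


def evaluate_all(items, required_key_tags=None):
    """Map each resourceId to its compliance result."""
    return {i["resourceId"]: evaluate_tagged(i, required_key_tags)[0] for i in items}


if __name__ == "__main__":
    for rid, result in evaluate_all(SAMPLE_ITEMS, "Owner,CostCenter").items():
        print(rid, result)
```

Running the same items without `requiredKeyTags` shows the difference the parameter makes: the resource tagged `owner` passes the presence check but fails once `Owner` is required.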

# apigatewayv2-integration-private-https-enabled
<a name="apigatewayv2-integration-private-https-enabled"></a>

Checks if Amazon API Gateway V2 private integration traffic for HTTP APIs uses the HTTPS protocol. The rule is NON_COMPLIANT if configuration.TlsConfig does not exist.

**Identifier:** APIGATEWAYV2_INTEGRATION_PRIVATE_HTTPS_ENABLED

**Resource Types:** AWS::ApiGatewayV2::Integration

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7c57c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# apigatewayv2-stage-description
<a name="apigatewayv2-stage-description"></a>

Checks if Amazon API Gateway V2 stages have a description. The rule is NON_COMPLIANT if configuration.Description does not exist or is an empty string.

**Identifier:** APIGATEWAYV2_STAGE_DESCRIPTION

**Resource Types:** AWS::ApiGatewayV2::Stage

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), AWS GovCloud (US-East), AWS GovCloud (US-West), Asia Pacific (Taipei), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7c59c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# apigateway-domain-name-tls-check
<a name="apigateway-domain-name-tls-check"></a>

Checks if Amazon API Gateway domain names are configured with TLS 1.2 or higher. The rule is NON_COMPLIANT if configuration.SecurityPolicy is 'TLS_1_0'.

**Identifier:** APIGATEWAY_DOMAIN_NAME_TLS_CHECK

**Resource Types:** AWS::ApiGateway::DomainName

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), AWS GovCloud (US-East), AWS GovCloud (US-West), China (Ningxia) Region

**Parameters:**

allowedSecurityPolicies (Optional)  
Type: CSV  
Comma-separated list of allowed security policies for the rule to check. If provided, the rule is NON_COMPLIANT if configuration.SecurityPolicy is configured with a value not specified in this parameter. Valid values include: 'TLS_1_0', 'TLS_1_2', 'SecurityPolicy_TLS13_1_3_2025_09', 'SecurityPolicy_TLS13_1_3_FIPS_2025_09', 'SecurityPolicy_TLS13_1_2_PFS_PQ_2025_09', 'SecurityPolicy_TLS13_1_2_FIPS_PQ_2025_09', 'SecurityPolicy_TLS13_1_2_PQ_2025_09', 'SecurityPolicy_TLS13_1_2_2021_06', 'SecurityPolicy_TLS13_2025_EDGE', 'SecurityPolicy_TLS12_PFS_2025_EDGE', and 'SecurityPolicy_TLS12_2018_EDGE'.

## AWS CloudFormation template
<a name="w2aac20c16c17b7c61c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# apigateway-stage-access-logs-enabled
<a name="apigateway-stage-access-logs-enabled"></a>

Checks if Amazon API Gateway stages have access logging enabled. The rule is NON_COMPLIANT if 'accessLogSettings' is not present in Stage configuration.

**Identifier:** APIGATEWAY_STAGE_ACCESS_LOGS_ENABLED

**Resource Types:** AWS::ApiGateway::Stage

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7c63c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# apigateway-stage-description
<a name="apigateway-stage-description"></a>

Checks if Amazon API Gateway stages have a description. The rule is NON_COMPLIANT if configuration.Description does not exist or is an empty string.

**Identifier:** APIGATEWAY_STAGE_DESCRIPTION

**Resource Types:** AWS::ApiGateway::Stage

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), AWS GovCloud (US-East), AWS GovCloud (US-West), Asia Pacific (Taipei), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7c65c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# api-gwv2-access-logs-enabled
<a name="api-gwv2-access-logs-enabled"></a>

Checks if Amazon API Gateway V2 stages have access logging enabled. The rule is NON_COMPLIANT if 'accessLogSettings' is not present in Stage configuration.

**Identifier:** API_GWV2_ACCESS_LOGS_ENABLED

**Resource Types:** AWS::ApiGatewayV2::Stage

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7c67c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# api-gwv2-authorization-type-configured
<a name="api-gwv2-authorization-type-configured"></a>

Checks if Amazon API Gateway V2 API routes have an authorization type set. This rule is NON_COMPLIANT if the authorization type is NONE.

**Identifier:** API_GWV2_AUTHORIZATION_TYPE_CONFIGURED

**Resource Types:** AWS::ApiGatewayV2::Route

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Jakarta), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), Europe (Zurich) Region

**Parameters:**

authorizationType (Optional)  
Type: String  
Parameter to check API routes' authorization types against. String parameters matching CUSTOM, AWS_IAM, JWT are valid.

## AWS CloudFormation template
<a name="w2aac20c16c17b7c69c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# api-gwv2-stage-default-route-detailed-metrics-enabled
<a name="api-gwv2-stage-default-route-detailed-metrics-enabled"></a>

Checks if the default route settings for Amazon API Gateway V2 stages have detailed metrics enabled. The rule is NON_COMPLIANT if configuration.defaultRouteSettings.detailedMetricsEnabled is false.

**Identifier:** API_GWV2_STAGE_DEFAULT_ROUTE_DETAILED_METRICS_ENABLED

**Resource Types:** AWS::ApiGatewayV2::Stage

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), AWS GovCloud (US-East), AWS GovCloud (US-West), Asia Pacific (Taipei), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7c71c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# api-gw-associated-with-waf
<a name="api-gw-associated-with-waf"></a>

Checks if an Amazon API Gateway API stage is using an AWS WAF web access control list (web ACL). The rule is NON_COMPLIANT if an AWS WAF web ACL is not used or if the web ACL in use does not match what is listed in the rule parameter.

**Identifier:** API_GW_ASSOCIATED_WITH_WAF

**Resource Types:** AWS::ApiGateway::Stage

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Taipei) Region

**Parameters:**

WebAclArns (Optional)  
Type: CSV  
Comma-separated list of web ACL Amazon Resource Names (ARNs).

## AWS CloudFormation template
<a name="w2aac20c16c17b7c73c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# api-gw-cache-enabled-and-encrypted
<a name="api-gw-cache-enabled-and-encrypted"></a>

Checks if all methods in Amazon API Gateway stages have cache enabled and cache encrypted. The rule is NON_COMPLIANT if any method in an Amazon API Gateway stage is not configured to cache or the cache is not encrypted.

**Identifier:** API_GW_CACHE_ENABLED_AND_ENCRYPTED

**Resource Types:** AWS::ApiGateway::Stage

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Taipei) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7c75c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# api-gw-endpoint-type-check
<a name="api-gw-endpoint-type-check"></a>

Checks if Amazon API Gateway APIs are of the type specified in the rule parameter `endpointConfigurationType`. The rule returns NON_COMPLIANT if the REST API does not match the endpoint type configured in the rule parameter.

**Identifier:** API_GW_ENDPOINT_TYPE_CHECK

**Resource Types:** AWS::ApiGateway::RestApi

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Taipei) Region

**Parameters:**

endpointConfigurationTypes  
Type: CSV  
Comma-separated list of allowed endpointConfigurationTypes. Allowed values are REGIONAL, PRIVATE and EDGE.

## AWS CloudFormation template
<a name="w2aac20c16c17b7c77c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# api-gw-execution-logging-enabled
<a name="api-gw-execution-logging-enabled"></a>

Checks if all methods in Amazon API Gateway stages have logging enabled. The rule is NON_COMPLIANT if logging is not enabled, or if `loggingLevel` is neither ERROR nor INFO.

**Identifier:** API_GW_EXECUTION_LOGGING_ENABLED

**Resource Types:** AWS::ApiGateway::Stage, AWS::ApiGatewayV2::Stage

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Taipei) Region

**Parameters:**

loggingLevel (Optional)  
Type: String  
Default: ERROR,INFO  
Comma-separated list of specific logging levels (for example, ERROR, INFO or ERROR,INFO).

## AWS CloudFormation template
<a name="w2aac20c16c17b7c79c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# api-gw-rest-api-tagged
<a name="api-gw-rest-api-tagged"></a>

Checks if AWS ApiGateway REST API resources have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** API_GW_REST_API_TAGGED

**Resource Types:** AWS::ApiGateway::RestApi

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), China (Ningxia) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7c81c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# api-gw-ssl-enabled
<a name="api-gw-ssl-enabled"></a>

Checks if a REST API stage uses an SSL certificate. The rule is NON_COMPLIANT if the REST API stage does not have an associated SSL certificate.

**Note**  
This rule returns `NOT_APPLICABLE` if the [GetIntegration](https://docs.aws.amazon.com/apigateway/latest/api/API_GetIntegration.html) API returns an integration type other than `HTTP` as [type](https://docs.aws.amazon.com/apigateway/latest/api/API_GetIntegration.html#apigw-GetIntegration-response-type). This rule evaluates the SSL certificate configuration in API Gateway stage settings, not the actual deployed state.

**Identifier:** API_GW_SSL_ENABLED

**Resource Types:** AWS::ApiGateway::Stage

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Taipei) Region

**Parameters:**

CertificateIDs (Optional)  
Type: CSV  
Comma-separated list of client certificate IDs configured on a REST API stage.

## AWS CloudFormation template
<a name="w2aac20c16c17b7c83c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# api-gw-stage-tagged
<a name="api-gw-stage-tagged"></a>

Checks if AWS ApiGateway stage resources have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** API_GW_STAGE_TAGGED

**Resource Types:** AWS::ApiGateway::Stage

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), China (Ningxia) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7c85c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# api-gw-xray-enabled
<a name="api-gw-xray-enabled"></a>

Checks if AWS X-Ray tracing is enabled on Amazon API Gateway REST APIs. The rule is COMPLIANT if X-Ray tracing is enabled and NON_COMPLIANT otherwise.

**Identifier:** API_GW_XRAY_ENABLED

**Resource Types:** AWS::ApiGateway::Stage

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Taipei) Region

**Parameters:**

None  

## Proactive Evaluation
<a name="w2aac20c16c17b7c87c19"></a>

 For steps on how to run this rule in proactive mode, see [Evaluating Your Resources with AWS Config Rules](./evaluating-your-resources.html#evaluating-your-resources-proactive). For this rule to return COMPLIANT in proactive mode, the resource configuration schema for the [StartResourceEvaluation](https://docs.aws.amazon.com/config/latest/APIReference/API_StartResourceEvaluation.html) API needs to include the following inputs, encoded as a string: 

```
"ResourceConfiguration":
...
{
   "TracingEnabled": BOOLEAN,
   "RestApiId": "my-rest-api-Id"
}
...
```

 For more information on proactive evaluation, see [Evaluation Mode](./evaluate-config-rules.html). 
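
The "encoded as a string" requirement is the usual stumbling block: `ResourceConfiguration` must be a JSON string, not a nested object. The following added example (not part of the AWS documentation) builds such a request for this rule; the function names, the resource ID and the timeout are illustrative assumptions, and `submit` assumes boto3 is installed with credentials available.

```python
import json

# Resource type this rule evaluates, as listed above.
RESOURCE_TYPE = "AWS::ApiGateway::Stage"


def build_stage_evaluation_request(resource_id, rest_api_id, tracing_enabled,
                                   timeout_seconds=60):
    """Build StartResourceEvaluation arguments for api-gw-xray-enabled.

    resource_id is a caller-chosen identifier for the stage being checked
    before it is provisioned (an assumption of this example).
    """
    # A string such as "true" is truthy in Python but is not a JSON boolean,
    # so reject anything that is not a real bool.
    if not isinstance(tracing_enabled, bool):
        raise TypeError("tracing_enabled must be a bool")
    if not isinstance(rest_api_id, str) or not rest_api_id:
        raise ValueError("rest_api_id must be a non-empty string")

    # The two inputs this page lists for the rule.
    configuration = {"TracingEnabled": tracing_enabled, "RestApiId": rest_api_id}

    return {
        "ResourceDetails": {
            "ResourceId": resource_id,
            "ResourceType": RESOURCE_TYPE,
            # Encoded as a string: passing the dict itself is rejected
            # by client-side parameter validation.
            "ResourceConfiguration": json.dumps(configuration),
            "ResourceConfigurationSchemaType": "CFN_RESOURCE_SCHEMA",
        },
        "EvaluationMode": "PROACTIVE",
        "EvaluationTimeout": timeout_seconds,
    }


def submit(request, region_name):
    """Send the request and return the evaluation summary.

    Needs boto3, credentials and network access. The summary may still
    report an in-progress status; poll until it completes.
    """
    import boto3  # imported here so the builder works without boto3

    client = boto3.client("config", region_name=region_name)
    evaluation_id = client.start_resource_evaluation(**request)["ResourceEvaluationId"]
    return client.get_resource_evaluation_summary(ResourceEvaluationId=evaluation_id)


if __name__ == "__main__":
    # Constructed sample values; "my-rest-api-Id" is the placeholder used above.
    print(json.dumps(
        build_stage_evaluation_request("stage-under-review", "my-rest-api-Id", True),
        indent=2,
    ))
```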

## AWS CloudFormation template
<a name="w2aac20c16c17b7c87c21"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# appconfig-application-description
<a name="appconfig-application-description"></a>

Checks if AWS AppConfig applications have a description. The rule is NON_COMPLIANT if configuration.Description does not exist or is an empty string.

**Identifier:** APPCONFIG_APPLICATION_DESCRIPTION

**Resource Types:** AWS::AppConfig::Application

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7c89c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# appconfig-application-tagged
<a name="appconfig-application-tagged"></a>

Checks if AWS AppConfig applications have tags. Optionally, you can specify tag keys for the rule to check. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** APPCONFIG_APPLICATION_TAGGED

**Resource Types:** AWS::AppConfig::Application

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7c91c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# appconfig-configuration-profile-tagged
<a name="appconfig-configuration-profile-tagged"></a>

Checks if AWS AppConfig configuration profiles have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** APPCONFIG_CONFIGURATION_PROFILE_TAGGED

**Resource Types:** AWS::AppConfig::ConfigurationProfile

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7c93c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# appconfig-configuration-profile-validators-not-empty
<a name="appconfig-configuration-profile-validators-not-empty"></a>

Checks if an AWS AppConfig configuration profile includes at least one validator for syntactic or semantic checks to ensure the configuration deployment functions as intended. The rule is NON_COMPLIANT if the Validators property is an empty array.

**Identifier:** APPCONFIG_CONFIGURATION_PROFILE_VALIDATORS_NOT_EMPTY

**Resource Types:** AWS::AppConfig::ConfigurationProfile

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7c95c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# appconfig-deployment-strategy-description
<a name="appconfig-deployment-strategy-description"></a>

Checks if AWS AppConfig deployment strategies have a description. The rule is NON_COMPLIANT if configuration.Description does not exist or is an empty string.

**Identifier:** APPCONFIG_DEPLOYMENT_STRATEGY_DESCRIPTION

**Resource Types:** AWS::AppConfig::DeploymentStrategy

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7c97c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# appconfig-deployment-strategy-minimum-final-bake-time
<a name="appconfig-deployment-strategy-minimum-final-bake-time"></a>

Checks if an AWS AppConfig deployment strategy requires the specified minimum bake time. The rule is NON_COMPLIANT if the deployment strategy has a final bake time less than the value specified in the rule parameter. The default value is 30 minutes.

**Identifier:** APPCONFIG_DEPLOYMENT_STRATEGY_MINIMUM_FINAL_BAKE_TIME

**Resource Types:** AWS::AppConfig::DeploymentStrategy

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), China (Ningxia) Region

**Parameters:**

minBakeTime (Optional)  
Type: int  
Default: 30  
The minimum bake time in minutes of the AWS AppConfig deployment strategy for the rule to check. The rule is NON_COMPLIANT if the bake time is less than the value specified in this parameter. Valid values are 0 to 1440. The default value is 30.

## AWS CloudFormation template
<a name="w2aac20c16c17b7c99c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# appconfig-deployment-strategy-replicate-to-ssm
<a name="appconfig-deployment-strategy-replicate-to-ssm"></a>

Checks if AWS AppConfig deployment strategies save the deployment strategy to an AWS Systems Manager (SSM) document. The rule is NON_COMPLIANT if configuration.ReplicateTo is not 'SSM_DOCUMENT'.

**Identifier:** APPCONFIG_DEPLOYMENT_STRATEGY_REPLICATE_TO_SSM

**Resource Types:** AWS::AppConfig::DeploymentStrategy

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d101c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# appconfig-deployment-strategy-tagged
<a name="appconfig-deployment-strategy-tagged"></a>

Checks if AWS AppConfig deployment strategies have tags. Optionally, you can specify tag keys for the rule. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** APPCONFIG_DEPLOYMENT_STRATEGY_TAGGED

**Resource Types:** AWS::AppConfig::DeploymentStrategy

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), China (Ningxia) Region

**Parameters:**

includePredefinedSystemResources  
Type: boolean  
Default: False  
A boolean that specifies whether to include predefined deployment strategies for the rule to check. The default value is false.

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d103c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# appconfig-environment-description
<a name="appconfig-environment-description"></a>

Checks if AWS AppConfig environments have a description. The rule is NON_COMPLIANT if configuration.Description does not exist or is an empty string.

**Identifier:** APPCONFIG_ENVIRONMENT_DESCRIPTION

**Resource Types:** AWS::AppConfig::Environment

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d105c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# appconfig-environment-tagged
<a name="appconfig-environment-tagged"></a>

Checks if AWS AppConfig environments have tags. Optionally, you can specify tag keys for the rule to check. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** APPCONFIG_ENVIRONMENT_TAGGED

**Resource Types:** AWS::AppConfig::Environment

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d107c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# appconfig-extension-association-tagged
<a name="appconfig-extension-association-tagged"></a>

Checks if AWS AppConfig extension associations have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** APPCONFIG_EXTENSION_ASSOCIATION_TAGGED

**Resource Types:** AWS::AppConfig::ExtensionAssociation

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d109c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# appconfig-freeform-profile-config-storage
<a name="appconfig-freeform-profile-config-storage"></a>

Checks if freeform configuration profiles for AWS AppConfig store their configuration data in AWS Secrets Manager or AWS AppConfig hosted configuration store. The rule is NON_COMPLIANT if configuration.LocationUri is not secretsmanager or hosted.

**Identifier:** APPCONFIG_FREEFORM_PROFILE_CONFIG_STORAGE

**Resource Types:** AWS::AppConfig::ConfigurationProfile

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d111c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# appconfig-hosted-configuration-version-description
<a name="appconfig-hosted-configuration-version-description"></a>

Checks if AWS AppConfig hosted configuration versions have a description. The rule is NON_COMPLIANT if configuration.Description does not exist or is an empty string.

**Identifier:** APPCONFIG_HOSTED_CONFIGURATION_VERSION_DESCRIPTION

**Resource Types:** AWS::AppConfig::HostedConfigurationVersion

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d113c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# appflow-flow-tagged
<a name="appflow-flow-tagged"></a>

Checks if Amazon AppFlow flows have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** APPFLOW_FLOW_TAGGED

**Resource Types:** AWS::AppFlow::Flow

**Trigger type:** Configuration changes

**AWS Region:** Only available in Asia Pacific (Mumbai), Europe (Paris), US East (Ohio), Africa (Cape Town), Europe (Ireland), Europe (Frankfurt), South America (Sao Paulo), US East (N. Virginia), Asia Pacific (Seoul), Europe (London), Asia Pacific (Tokyo), US West (Oregon), US West (N. California), Asia Pacific (Singapore), Asia Pacific (Sydney), Canada (Central) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d115c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# appflow-flow-trigger-type-check
<a name="appflow-flow-trigger-type-check"></a>

Checks if an Amazon AppFlow flow runs using the specified trigger type. The rule is NON_COMPLIANT if the flow does not run using the flow type specified in the required rule parameter.

**Identifier:** APPFLOW_FLOW_TRIGGER_TYPE_CHECK

**Resource Types:** AWS::AppFlow::Flow

**Trigger type:** Configuration changes

**AWS Region:** Only available in Asia Pacific (Mumbai), Europe (Paris), US East (Ohio), Africa (Cape Town), Europe (Ireland), Europe (Frankfurt), South America (Sao Paulo), US East (N. Virginia), Asia Pacific (Seoul), Europe (London), Asia Pacific (Tokyo), US West (Oregon), US West (N. California), Asia Pacific (Singapore), Asia Pacific (Sydney), Canada (Central) Region

**Parameters:**

triggerType  
Type: CSV  
Comma-separated list of trigger types for the rule to check. Valid values include: 'Scheduled', 'Event', and 'OnDemand'.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d117c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# appintegrations-application-approved-origins-check
<a name="appintegrations-application-approved-origins-check"></a>

Checks that Amazon AppIntegrations applications do not contain approved origins. The rule is NON_COMPLIANT if configuration.ApplicationSourceConfig.ExternalUrlConfig.ApprovedOrigins is not an empty list.

**Identifier:** APPINTEGRATIONS_APPLICATION_APPROVED_ORIGINS_CHECK

**Resource Types:** AWS::AppIntegrations::Application

**Trigger type:** Configuration changes

**AWS Region:** Only available in Africa (Cape Town), Europe (Frankfurt), US East (N. Virginia), Asia Pacific (Seoul), Europe (London), Asia Pacific (Tokyo), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Sydney), Canada (Central) Region

**Parameters:**

allowedApprovedOrigins (Optional)  
Type: CSV  
Comma-separated list of approved origins that are allowed to access the application. If provided, the rule is NON_COMPLIANT if configuration.ApplicationSourceConfig.ExternalUrlConfig.ApprovedOrigins contains origins not specified in this parameter.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d119c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# appintegrations-application-tagged
<a name="appintegrations-application-tagged"></a>

Checks if AWS AppIntegrations application resources have tags. Optionally, required tag keys can be specified. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys aren't present. The rule doesn't check for tags starting with 'aws:'.

**Identifier:** APPINTEGRATIONS_APPLICATION_TAGGED

**Resource Types:** AWS::AppIntegrations::Application

**Trigger type:** Configuration changes

**AWS Region:** Only available in Africa (Cape Town), Europe (Frankfurt), US East (N. Virginia), Asia Pacific (Seoul), Europe (London), Asia Pacific (Tokyo), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Sydney), Canada (Central) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d121c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# appintegrations-event-integration-description
<a name="appintegrations-event-integration-description"></a>

Checks if Amazon AppIntegrations event integrations have a description. The rule is NON_COMPLIANT if configuration.Description does not exist.

**Identifier:** APPINTEGRATIONS_EVENT_INTEGRATION_DESCRIPTION

**Resource Types:** AWS::AppIntegrations::EventIntegration

**Trigger type:** Configuration changes

**AWS Region:** Only available in Africa (Cape Town), Europe (Frankfurt), US East (N. Virginia), Asia Pacific (Seoul), Europe (London), Asia Pacific (Tokyo), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Sydney), Canada (Central) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d123c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# appintegrations-event-integration-tagged
<a name="appintegrations-event-integration-tagged"></a>

Checks if Amazon AppIntegrations event integrations have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** APPINTEGRATIONS_EVENT_INTEGRATION_TAGGED

**Resource Types:** AWS::AppIntegrations::EventIntegration

**Trigger type:** Configuration changes

**AWS Region:** Only available in Africa (Cape Town), Europe (Frankfurt), US East (N. Virginia), Asia Pacific (Seoul), Europe (London), Asia Pacific (Tokyo), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Sydney), Canada (Central) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d125c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# appmesh-gateway-route-tagged
<a name="appmesh-gateway-route-tagged"></a>

Checks if AWS App Mesh gateway routes have tags. Optionally, you can specify tag keys for the rule. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** APPMESH_GATEWAY_ROUTE_TAGGED

**Resource Types:** AWS::AppMesh::GatewayRoute

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d127c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# appmesh-mesh-deny-tcp-forwarding
<a name="appmesh-mesh-deny-tcp-forwarding"></a>

Checks if proxies for AWS App Mesh service meshes do not forward TCP traffic directly to services that aren't deployed with a proxy that is defined in the mesh. The rule is NON_COMPLIANT if configuration.Spec.EgressFilter.Type is set to 'ALLOW_ALL'.

**Identifier:** APPMESH_MESH_DENY_TCP_FORWARDING

**Resource Types:** AWS::AppMesh::Mesh

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d129c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# appmesh-mesh-ip-pref-check
<a name="appmesh-mesh-ip-pref-check"></a>

Checks if an AWS App Mesh mesh is configured with the specified IP preference for traffic control. The rule is NON_COMPLIANT if the App Mesh mesh is not configured with the IP preference specified in the required rule parameter.

**Identifier:** APPMESH_MESH_IP_PREF_CHECK

**Resource Types:** AWS::AppMesh::Mesh

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

ipPreference  
Type: String  
The IP preference value for the rule to check. The rule is NON_COMPLIANT if an App Mesh mesh is configured with a value that does not match this value. Valid values include: 'IPv6_PREFERRED', 'IPv4_PREFERRED', 'IPv4_ONLY', and 'IPv6_ONLY'.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d131c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# appmesh-mesh-tagged
<a name="appmesh-mesh-tagged"></a>

Checks if AWS App Mesh meshes have tags. Optionally, you can specify tag keys for the rule to check. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** APPMESH_MESH_TAGGED

**Resource Types:** AWS::AppMesh::Mesh

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d133c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# appmesh-route-tagged
<a name="appmesh-route-tagged"></a>

Checks if AWS App Mesh routes have tags. Optionally, you can specify tag keys for the rule to check. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** APPMESH_ROUTE_TAGGED

**Resource Types:** AWS::AppMesh::Route

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d135c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# appmesh-virtual-gateway-backend-defaults-tls
<a name="appmesh-virtual-gateway-backend-defaults-tls"></a>

Checks if backend defaults for AWS App Mesh virtual gateways require the virtual gateways to communicate with all ports using TLS. The rule is NON_COMPLIANT if configuration.Spec.BackendDefaults.ClientPolicy.Tls.Enforce is false.

**Identifier:** APPMESH_VIRTUAL_GATEWAY_BACKEND_DEFAULTS_TLS

**Resource Types:** AWS::AppMesh::VirtualGateway

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d137c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# appmesh-virtual-gateway-listeners-health-check-enabled
<a name="appmesh-virtual-gateway-listeners-health-check-enabled"></a>

Checks if listeners for AWS App Mesh virtual gateways have health check enabled. The rule is NON_COMPLIANT if configuration.Spec.Listeners[].HealthCheck does not exist in one or more listeners.

**Identifier:** APPMESH_VIRTUAL_GATEWAY_LISTENERS_HEALTH_CHECK_ENABLED

**Resource Types:** AWS::AppMesh::VirtualGateway

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d139c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# appmesh-virtual-gateway-logging-file-path-exists
<a name="appmesh-virtual-gateway-logging-file-path-exists"></a>

Checks if AWS App Mesh virtual gateways have a file path to write access logs to. The rule is NON_COMPLIANT if configuration.Spec.Logging.AccessLog.File.Path does not exist.

**Identifier:** APPMESH_VIRTUAL_GATEWAY_LOGGING_FILE_PATH_EXISTS

**Resource Types:** AWS::AppMesh::VirtualGateway

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d141c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# appmesh-virtual-gateway-tagged
<a name="appmesh-virtual-gateway-tagged"></a>

Checks if AWS App Mesh virtual gateways have tags. Optionally, you can specify tag keys for the rule. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** APPMESH_VIRTUAL_GATEWAY_TAGGED

**Resource Types:** AWS::AppMesh::VirtualGateway

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d143c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# appmesh-virtual-node-backend-defaults-tls-on
<a name="appmesh-virtual-node-backend-defaults-tls-on"></a>

Checks if backend defaults for AWS App Mesh virtual nodes require the virtual nodes to communicate with all ports using TLS. The rule is NON_COMPLIANT if configuration.Spec.BackendDefaults.ClientPolicy.Tls.Enforce is false.

**Identifier:** APPMESH_VIRTUAL_NODE_BACKEND_DEFAULTS_TLS_ON

**Resource Types:** AWS::AppMesh::VirtualNode

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d145c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# appmesh-virtual-node-cloud-map-ip-pref-check
<a name="appmesh-virtual-node-cloud-map-ip-pref-check"></a>

Checks if an AWS App Mesh virtual node is configured with the specified IP preference for AWS Cloud Map service discovery. The rule is NON_COMPLIANT if the virtual node is not configured with the IP preference specified in the required rule parameter.

**Identifier:** APPMESH_VIRTUAL_NODE_CLOUD_MAP_IP_PREF_CHECK

**Resource Types:** AWS::AppMesh::VirtualNode

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

ipPreference  
Type: String  
The IP preference value for AWS Cloud Map service discovery. The rule is NON_COMPLIANT if a virtual node is configured with a value that does not match this value. Valid values include: 'IPv6_PREFERRED', 'IPv4_PREFERRED', 'IPv4_ONLY', and 'IPv6_ONLY'.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d147c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# appmesh-virtual-node-dns-ip-pref-check
<a name="appmesh-virtual-node-dns-ip-pref-check"></a>

Checks if an AWS App Mesh virtual node is configured with the specified IP preference for DNS service discovery. The rule is NON_COMPLIANT if the virtual node is not configured with the IP preference specified in the required rule parameter.

**Identifier:** APPMESH_VIRTUAL_NODE_DNS_IP_PREF_CHECK

**Resource Types:** AWS::AppMesh::VirtualNode

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

ipPreference  
Type: String  
The IP preference value for DNS service discovery. The rule is NON_COMPLIANT if a virtual node is configured with a value that does not match this value. Valid values include: 'IPv6_PREFERRED', 'IPv4_PREFERRED', 'IPv4_ONLY', and 'IPv6_ONLY'.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d149c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# appmesh-virtual-node-listeners-health-check-enabled
<a name="appmesh-virtual-node-listeners-health-check-enabled"></a>

Checks if listeners for AWS App Mesh virtual nodes have health check enabled. The rule is NON_COMPLIANT if configuration.Spec.Listeners[].HealthCheck does not exist in one or more listeners.

**Identifier:** APPMESH_VIRTUAL_NODE_LISTENERS_HEALTH_CHECK_ENABLED

**Resource Types:** AWS::AppMesh::VirtualNode

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d151c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# appmesh-virtual-node-listeners-outlier-detect-enabled
<a name="appmesh-virtual-node-listeners-outlier-detect-enabled"></a>

Checks if listeners for AWS App Mesh virtual nodes have outlier detection enabled. The rule is NON_COMPLIANT if configuration.Spec.Listeners[].OutlierDetection does not exist in one or more listeners.

**Identifier:** APPMESH_VIRTUAL_NODE_LISTENERS_OUTLIER_DETECT_ENABLED

**Resource Types:** AWS::AppMesh::VirtualNode

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d153c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# appmesh-virtual-node-logging-file-path-exists
<a name="appmesh-virtual-node-logging-file-path-exists"></a>

Checks if AWS App Mesh virtual nodes have a file path to write access logs to. The rule is NON_COMPLIANT if configuration.Spec.Logging.AccessLog.File.Path does not exist.

**Identifier:** APPMESH_VIRTUAL_NODE_LOGGING_FILE_PATH_EXISTS

**Resource Types:** AWS::AppMesh::VirtualNode

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d155c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# appmesh-virtual-node-service-backends-tls-enforced
<a name="appmesh-virtual-node-service-backends-tls-enforced"></a>

Checks if service backends for AWS App Mesh virtual nodes require the virtual nodes to communicate with all ports using TLS. The rule is NON_COMPLIANT if any configuration.Spec.Backends[].ClientPolicy.Tls.Enforce is false.

**Identifier:** APPMESH_VIRTUAL_NODE_SERVICE_BACKENDS_TLS_ENFORCED

**Resource Types:** AWS::AppMesh::VirtualNode

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d157c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# appmesh-virtual-node-tagged
<a name="appmesh-virtual-node-tagged"></a>

Checks if AWS App Mesh virtual nodes have tags. Optionally, you can specify tag keys for the rule to check. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** APPMESH_VIRTUAL_NODE_TAGGED

**Resource Types:** AWS::AppMesh::VirtualNode

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d159c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# appmesh-virtual-router-tagged
<a name="appmesh-virtual-router-tagged"></a>

Checks if AWS App Mesh virtual routers have tags. Optionally, you can specify tag keys for the rule. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** APPMESH_VIRTUAL_ROUTER_TAGGED

**Resource Types:** AWS::AppMesh::VirtualRouter

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d161c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# appmesh-virtual-service-tagged
<a name="appmesh-virtual-service-tagged"></a>

Checks if AWS App Mesh virtual services have tags. Optionally, you can specify tag keys for the rule. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** APPMESH_VIRTUAL_SERVICE_TAGGED

**Resource Types:** AWS::AppMesh::VirtualService

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d163c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# approved-amis-by-id
<a name="approved-amis-by-id"></a>

Checks if EC2 instances are using specified Amazon Machine Images (AMIs). Specify a list of approved AMI IDs. Running instances with AMIs that are not on this list are NON_COMPLIANT.

**Identifier:** APPROVED_AMIS_BY_ID

**Resource Types:** AWS::EC2::Instance

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions

**Parameters:**

amiIds  
Type: CSV  
Comma-separated list of AMI IDs. There is a 1024-character limit.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d165c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# approved-amis-by-tag
<a name="approved-amis-by-tag"></a>

Checks if EC2 instances are using specified Amazon Machine Images (AMIs). Specify the tags that identify the AMIs. Running instances with AMIs that don't have at least one of the specified tags are NON_COMPLIANT.

**Identifier:** APPROVED_AMIS_BY_TAG

**Resource Types:** AWS::EC2::Instance

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions

**Parameters:**

amisByTagKeyAndValue  
Type: StringMap  
Default: tag-key:tag-value,other-tag-key  
Comma-separated list of up to 10 AMI tags (tag-key:tag-value). For example, tag-key1 matches AMIs with tag-key1; tag-key2:value2 matches tag-key2 with the value value2.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d167c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# apprunner-service-in-vpc
<a name="apprunner-service-in-vpc"></a>

Checks if AWS App Runner services route egress traffic through a custom VPC. The rule is NON_COMPLIANT if configuration.NetworkConfiguration.EgressConfiguration.EgressType is equal to DEFAULT.

**Identifier:** APPRUNNER_SERVICE_IN_VPC

**Resource Types:** AWS::AppRunner::Service

**Trigger type:** Configuration changes

**AWS Region:** Only available in Asia Pacific (Mumbai), Europe (Paris), US East (Ohio), Europe (Ireland), Europe (Frankfurt), US East (N. Virginia), Europe (London), Asia Pacific (Tokyo), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Sydney) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d169c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# apprunner-service-ip-address-type-check
<a name="apprunner-service-ip-address-type-check"></a>

Checks if an AWS App Runner service is configured with the specified IP address type for incoming public network configuration. The rule is NON_COMPLIANT if the service is not configured with the IP address type specified in the required rule parameter.

**Identifier:** APPRUNNER_SERVICE_IP_ADDRESS_TYPE_CHECK

**Resource Types:** AWS::AppRunner::Service

**Trigger type:** Configuration changes

**AWS Region:** Only available in Asia Pacific (Mumbai), Europe (Paris), US East (Ohio), Europe (Ireland), Europe (Frankfurt), US East (N. Virginia), Europe (London), Asia Pacific (Tokyo), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Sydney) Region

**Parameters:**

ipAddressType  
Type: String  
The IP address type value for the rule to check. The rule is NON_COMPLIANT if an AWS App Runner service is configured with a value that does not match this value. Valid values include: 'IPV4', 'DUAL_STACK'.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d171c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# apprunner-service-max-unhealthy-threshold
<a name="apprunner-service-max-unhealthy-threshold"></a>

Checks if an AWS App Runner service is configured to have an unhealthy threshold less than or equal to the specified value. The rule is NON_COMPLIANT if the unhealthy threshold is greater than the value specified in the required rule parameter.

**Identifier:** APPRUNNER_SERVICE_MAX_UNHEALTHY_THRESHOLD

**Resource Types:** AWS::AppRunner::Service

**Trigger type:** Configuration changes

**AWS Region:** Only available in Asia Pacific (Mumbai), Europe (Paris), US East (Ohio), Europe (Ireland), Europe (Frankfurt), US East (N. Virginia), Europe (London), Asia Pacific (Tokyo), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Sydney) Region

**Parameters:**

maxUnhealthyThreshold  
Type: int  
The maximum unhealthy threshold value for the rule to check. The rule is NON_COMPLIANT if an AWS App Runner service is configured with an unhealthy threshold greater than this value. Valid values are 1 to 20.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d173c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# apprunner-service-no-public-access
<a name="apprunner-service-no-public-access"></a>

Checks if AWS AppRunner Services are not publicly accessible. The rule is NON_COMPLIANT if service.configuration.NetworkConfiguration.IngressConfiguration.IsPubliclyAccessible is False.

**Identifier:** APPRUNNER_SERVICE_NO_PUBLIC_ACCESS

**Resource Types:** AWS::AppRunner::Service

**Trigger type:** Configuration changes

**AWS Region:** Only available in Asia Pacific (Mumbai), Europe (Paris), US East (Ohio), Europe (Ireland), Europe (Frankfurt), US East (N. Virginia), Europe (London), Asia Pacific (Tokyo), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Sydney) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d175c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# apprunner-service-observability-enabled
<a name="apprunner-service-observability-enabled"></a>

Checks if AWS App Runner services have observability enabled. The rule is NON_COMPLIANT if configuration.ObservabilityConfiguration.ObservabilityEnabled is false.

**Identifier:** APPRUNNER_SERVICE_OBSERVABILITY_ENABLED

**Resource Types:** AWS::AppRunner::Service

**Trigger type:** Configuration changes

**AWS Region:** Only available in Asia Pacific (Mumbai), Europe (Paris), US East (Ohio), Europe (Ireland), Europe (Frankfurt), US East (N. Virginia), Europe (London), Asia Pacific (Tokyo), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Sydney) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d177c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# apprunner-service-tagged
<a name="apprunner-service-tagged"></a>

Checks if AWS App Runner services have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** APPRUNNER_SERVICE_TAGGED

**Resource Types:** AWS::AppRunner::Service

**Trigger type:** Configuration changes

**AWS Region:** Only available in Asia Pacific (Mumbai), Europe (Paris), US East (Ohio), Europe (Ireland), Europe (Frankfurt), US East (N. Virginia), Europe (London), Asia Pacific (Tokyo), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Sydney) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d179c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# apprunner-vpc-connector-tagged
<a name="apprunner-vpc-connector-tagged"></a>

Checks if AWS App Runner VPC connectors have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** APPRUNNER_VPC_CONNECTOR_TAGGED

**Resource Types:** AWS::AppRunner::VpcConnector

**Trigger type:** Configuration changes

**AWS Region:** Only available in Asia Pacific (Mumbai), Europe (Paris), US East (Ohio), Europe (Ireland), Europe (Frankfurt), US East (N. Virginia), Asia Pacific (Tokyo), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Sydney) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d181c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# appstream-fleet-in-vpc
<a name="appstream-fleet-in-vpc"></a>

Checks if Amazon AppStream 2.0 fleets use an Amazon Virtual Private Cloud (Amazon VPC). The rule is NON_COMPLIANT if configuration.VpcConfig does not exist. The rule does not check Elastic fleets.

**Identifier:** APPSTREAM_FLEET_IN_VPC

**Resource Types:** AWS::AppStream::Fleet

**Trigger type:** Configuration changes

**AWS Region:** Only available in Asia Pacific (Mumbai), US East (Ohio), Europe (Ireland), Europe (Frankfurt), US East (N. Virginia), Asia Pacific (Seoul), Europe (London), Asia Pacific (Tokyo), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Sydney), Canada (Central) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d183c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# appsync-associated-with-waf
<a name="appsync-associated-with-waf"></a>

Checks if AWS AppSync APIs are associated with AWS WAFv2 web access control lists (ACLs). The rule is NON_COMPLIANT for an AWS AppSync API if it is not associated with a web ACL.

**Identifier:** APPSYNC_ASSOCIATED_WITH_WAF

**Resource Types:** AWS::AppSync::GraphQLApi

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Jakarta), Africa (Cape Town), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), Europe (Zurich) Region

**Parameters:**

wafWebAclARNs (Optional)  
Type: CSV  
Comma-separated list of Amazon Resource Names (ARNs) for authorized web ACLs.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d185c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# appsync-authorization-check
<a name="appsync-authorization-check"></a>

Checks if an AWS AppSync API is using allowed authorization mechanisms. The rule is NON_COMPLIANT if an unapproved authorization mechanism is being used.

**Identifier:** APPSYNC_AUTHORIZATION_CHECK

**Resource Types:** AWS::AppSync::GraphQLApi

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary) Region

**Parameters:**

AllowedAuthorizationTypes  
Type: CSV  
Comma-separated list of allowed AWS AppSync authorization mechanisms. Allowed values are: 'API_KEY', 'AWS_LAMBDA', 'AWS_IAM', 'OPENID_CONNECT', 'AMAZON_COGNITO_USER_POOLS'.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d187c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# appsync-cache-ct-encryption-at-rest
<a name="appsync-cache-ct-encryption-at-rest"></a>

Checks if an AWS AppSync API cache has encryption at rest enabled. This rule is NON_COMPLIANT if 'AtRestEncryptionEnabled' is false.

**Identifier:** APPSYNC_CACHE_CT_ENCRYPTION_AT_REST

**Resource Types:** AWS::AppSync::ApiCache

**Trigger type:** Configuration changes

**AWS Region:** Only available in Middle East (Bahrain), Europe (Frankfurt), South America (Sao Paulo), US East (N. Virginia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d189c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# appsync-cache-ct-encryption-in-transit
<a name="appsync-cache-ct-encryption-in-transit"></a>

Checks if an AWS AppSync API cache has encryption in transit enabled. The rule is NON_COMPLIANT if 'TransitEncryptionEnabled' is false.

**Identifier:** APPSYNC_CACHE_CT_ENCRYPTION_IN_TRANSIT

**Resource Types:** AWS::AppSync::ApiCache

**Trigger type:** Configuration changes

**AWS Region:** Only available in Middle East (Bahrain), Europe (Frankfurt), South America (Sao Paulo), US East (N. Virginia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d191c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# appsync-cache-encryption-at-rest
<a name="appsync-cache-encryption-at-rest"></a>

Checks if an AWS AppSync API cache has encryption at rest enabled. This rule is NON_COMPLIANT if 'AtRestEncryptionEnabled' is false.

**Identifier:** APPSYNC_CACHE_ENCRYPTION_AT_REST

**Resource Types:** AWS::AppSync::GraphQLApi

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Jakarta), Africa (Cape Town), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d193c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# appsync-graphql-api-xray-enabled
<a name="appsync-graphql-api-xray-enabled"></a>

Checks if AWS AppSync GraphQL APIs have AWS X-Ray tracing enabled. The rule is NON_COMPLIANT if configuration.XrayEnabled is false.

**Identifier:** APPSYNC_GRAPHQL_API_XRAY_ENABLED

**Resource Types:** AWS::AppSync::GraphQLApi

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d195c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# appsync-logging-enabled
<a name="appsync-logging-enabled"></a>

Checks if an AWS AppSync API has field level logging enabled. The rule is NON_COMPLIANT if field level logging is not enabled, or if the field logging levels for the AppSync API do not match the values specified in the `fieldLoggingLevel` parameter.

**Identifier:** APPSYNC_LOGGING_ENABLED

**Resource Types:** AWS::AppSync::GraphQLApi

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary) Region

**Parameters:**

fieldLoggingLevel (Optional)  
Type: CSV  
Comma-separated list of field logging levels for the rule to check. For example, "ERROR, INFO".

## AWS CloudFormation template
<a name="w2aac20c16c17b7d197c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# aps-rule-groups-namespace-tagged
<a name="aps-rule-groups-namespace-tagged"></a>

Checks if Amazon Managed Service for Prometheus rule groups namespaces have tags. You can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** APS_RULE_GROUPS_NAMESPACE_TAGGED

**Resource Types:** AWS::APS::RuleGroupsNamespace

**Trigger type:** Configuration changes

**AWS Region:** Only available in Europe (Stockholm), Asia Pacific (Mumbai), Europe (Paris), US East (Ohio), Europe (Ireland), Europe (Frankfurt), South America (Sao Paulo), US East (N. Virginia), Asia Pacific (Seoul), Europe (London), Asia Pacific (Tokyo), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Sydney) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d199c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# athena-data-catalog-description
<a name="athena-data-catalog-description"></a>

Checks if Amazon Athena data catalogs have a description. The rule is NON_COMPLIANT if configuration.Description does not exist.

**Identifier:** ATHENA_DATA_CATALOG_DESCRIPTION

**Resource Types:** AWS::Athena::DataCatalog

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d201c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# athena-prepared-statement-description
<a name="athena-prepared-statement-description"></a>

Checks if Amazon Athena prepared statements have a description. The rule is NON_COMPLIANT if configuration.Description does not exist.

**Identifier:** ATHENA_PREPARED_STATEMENT_DESCRIPTION

**Resource Types:** AWS::Athena::PreparedStatement

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), Europe (Milan), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d203c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# athena-workgroup-description
<a name="athena-workgroup-description"></a>

Checks if Amazon Athena workgroups have a description. The rule is NON_COMPLIANT if configuration.Description does not exist or is an empty string.

**Identifier:** ATHENA_WORKGROUP_DESCRIPTION

**Resource Types:** AWS::Athena::WorkGroup

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d205c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# athena-workgroup-encrypted-at-rest
<a name="athena-workgroup-encrypted-at-rest"></a>

Checks if an Amazon Athena workgroup is encrypted at rest. The rule is NON_COMPLIANT if encryption of data at rest is not enabled for an Athena workgroup.

**Identifier:** ATHENA_WORKGROUP_ENCRYPTED_AT_REST

**Resource Types:** AWS::Athena::WorkGroup

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d207c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# athena-workgroup-enforce-workgroup-configuration
<a name="athena-workgroup-enforce-workgroup-configuration"></a>

Checks if Amazon Athena workgroups using Athena engine enforce workgroup configuration to override client-side settings. The rule is NON_COMPLIANT if configuration.WorkGroupConfiguration.EnforceWorkGroupConfiguration is false.

**Identifier:** ATHENA_WORKGROUP_ENFORCE_WORKGROUP_CONFIGURATION

**Resource Types:** AWS::Athena::WorkGroup

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d209c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# athena-workgroup-engine-version-auto-upgrade
<a name="athena-workgroup-engine-version-auto-upgrade"></a>

Checks if Amazon Athena workgroups using Athena engine are configured to auto upgrade. The rule is NON_COMPLIANT if configuration.WorkGroupConfiguration.EngineVersion.SelectedEngineVersion is not 'AUTO'.

**Identifier:** ATHENA_WORKGROUP_ENGINE_VERSION_AUTO_UPGRADE

**Resource Types:** AWS::Athena::WorkGroup

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d211c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# athena-workgroup-logging-enabled
<a name="athena-workgroup-logging-enabled"></a>

Checks if Amazon Athena WorkGroup publishes usage metrics to Amazon CloudWatch. The rule is NON_COMPLIANT if an Amazon Athena WorkGroup 'PublishCloudWatchMetricsEnabled' is set to false.

**Identifier:** ATHENA_WORKGROUP_LOGGING_ENABLED

**Resource Types:** AWS::Athena::WorkGroup

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Malaysia), Mexico (Central), Asia Pacific (Taipei) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d213c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# auditmanager-assessment-tagged
<a name="auditmanager-assessment-tagged"></a>

Checks if AWS Audit Manager assessments have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** AUDITMANAGER_ASSESSMENT_TAGGED

**Resource Types:** AWS::AuditManager::Assessment

**Trigger type:** Configuration changes

**AWS Region:** Only available in Asia Pacific (Mumbai), US East (Ohio), Europe (Ireland), Europe (Frankfurt), US East (N. Virginia), Europe (London), Asia Pacific (Tokyo), US West (Oregon), US West (N. California), Asia Pacific (Singapore), Asia Pacific (Sydney), Canada (Central) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d215c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# aurora-global-database-encryption-at-rest
<a name="aurora-global-database-encryption-at-rest"></a>

Checks if Amazon Aurora Global Databases have storage encryption enabled. This rule is NON_COMPLIANT if an Amazon Aurora Global Database does not have storage encryption enabled.

**Identifier:** AURORA_GLOBAL_DATABASE_ENCRYPTION_AT_REST

**Resource Types:** AWS::RDS::GlobalCluster

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d217c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# aurora-last-backup-recovery-point-created
<a name="aurora-last-backup-recovery-point-created"></a>

Checks if a recovery point was created for Amazon Aurora DB clusters. The rule is NON_COMPLIANT if the Amazon Relational Database Service (Amazon RDS) DB Cluster does not have a corresponding recovery point created within the specified time period.

**Identifier:** AURORA_LAST_BACKUP_RECOVERY_POINT_CREATED

**Resource Types:** AWS::RDS::DBCluster

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

resourceTags (Optional)  
Type: String  
Tags of Aurora DB clusters for the rule to check, in JSON format `{"tagkey" : "tagValue"}`.

resourceId (Optional)  
Type: String  
ID of Aurora DB cluster for the rule to check.

recoveryPointAgeValue (Optional)  
Type: int  
Default: 1  
Numerical value for maximum allowed age. No more than 744 for hours, 31 for days.

recoveryPointAgeUnit (Optional)  
Type: String  
Default: days  
Unit of time for maximum allowed age. Accepted values: 'hours', 'days'.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d219c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# aurora-meets-restore-time-target
<a name="aurora-meets-restore-time-target"></a>

Checks if the restore time of Amazon Aurora DB clusters meets the specified duration. The rule is NON_COMPLIANT if LatestRestoreExecutionTimeMinutes of an Aurora DB Cluster is greater than maxRestoreTime minutes.

**Identifier:** AURORA_MEETS_RESTORE_TIME_TARGET

**Resource Types:** AWS::RDS::DBCluster

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

maxRestoreTime  
Type: int  
Numerical value for the maximum allowed restore runtime.

resourceTags (Optional)  
Type: String  
Tags of Aurora DB clusters for the rule to check, in JSON format.

resourceId (Optional)  
Type: String  
ID of Aurora DB cluster for the rule to check.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d221c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# aurora-mysql-backtracking-enabled
<a name="aurora-mysql-backtracking-enabled"></a>

Checks if an Amazon Aurora MySQL cluster has backtracking enabled. The rule is NON_COMPLIANT if the Aurora cluster uses MySQL and it does not have backtracking enabled.

**Identifier:** AURORA_MYSQL_BACKTRACKING_ENABLED

**Resource Types:** AWS::RDS::DBCluster

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Europe (Stockholm), Middle East (Bahrain), China (Beijing), Asia Pacific (Jakarta), Africa (Cape Town), Middle East (UAE), South America (Sao Paulo), Asia Pacific (Hong Kong), Asia Pacific (Hyderabad), Asia Pacific (Melbourne), Europe (Milan), AWS GovCloud (US-East), AWS GovCloud (US-West), Israel (Tel Aviv), Canada West (Calgary), Europe (Spain) Region

**Parameters:**

BacktrackWindowInHours (Optional)  
Type: double  
Amount of time in hours (up to 72) to backtrack your Aurora MySQL cluster.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d223c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# aurora-mysql-cluster-audit-logging
<a name="aurora-mysql-cluster-audit-logging"></a>

Checks if Amazon Aurora MySQL DB clusters have audit logging enabled. The rule is NON_COMPLIANT if a DB cluster does not have audit logging enabled.

**Identifier:** AURORA_MYSQL_CLUSTER_AUDIT_LOGGING

**Resource Types:** AWS::RDS::DBCluster

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Malaysia), Mexico (Central), Asia Pacific (Taipei) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d225c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# aurora-resources-in-logically-air-gapped-vault
<a name="aurora-resources-in-logically-air-gapped-vault"></a>

Checks if Amazon Aurora DB clusters are in a logically air-gapped vault. The rule is NON_COMPLIANT if an Amazon Aurora DB cluster is not in a logically air-gapped vault within the specified time period.

**Identifier:** AURORA_RESOURCES_IN_LOGICALLY_AIR_GAPPED_VAULT

**Resource Types:** AWS::RDS::DBCluster

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

resourceTags (Optional)  
Type: String  
Tags of Aurora DB clusters for the rule to check, in JSON format.

resourceId (Optional)  
Type: String  
ID of Aurora DB cluster for the rule to check.

recoveryPointAgeValue (Optional)  
Type: int  
Default: 1  
Numerical value for maximum allowed age. No more than 2184 for hours, 91 for days.

recoveryPointAgeUnit (Optional)  
Type: String  
Default: days  
Unit of time for maximum allowed age. Accepted values: 'hours', 'days'.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d227c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# aurora-resources-protected-by-backup-plan
<a name="aurora-resources-protected-by-backup-plan"></a>

Checks if Amazon Aurora DB clusters are protected by a backup plan. The rule is NON_COMPLIANT if the Amazon Relational Database Service (Amazon RDS) Database Cluster is not protected by a backup plan.

**Identifier:** AURORA_RESOURCES_PROTECTED_BY_BACKUP_PLAN

**Resource Types:** AWS::RDS::DBCluster

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

resourceTags (Optional)  
Type: String  
Tags of Aurora DB clusters for the rule to check, in JSON format `{"tagkey" : "tagValue"}`.

resourceId (Optional)  
Type: String  
ID of Aurora DB cluster for the rule to check.

crossRegionList (Optional)  
Type: String  
Comma-separated list of destination regions for the cross-region backup copy to be kept.

crossAccountList (Optional)  
Type: String  
Comma-separated list of destination accounts for the cross-account backup copy to be kept.

maxRetentionDays (Optional)  
Type: int  
The maximum retention period in days for the Backup Vault Lock.

minRetentionDays (Optional)  
Type: int  
The minimum retention period in days for the Backup Vault Lock.

backupVaultLockCheck (Optional)  
Type: String  
Accepted values: 'True' or 'False'. Enter 'True' for the rule to check if the resource is backed up in a locked vault.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d229c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# autoscaling-capacity-rebalancing
<a name="autoscaling-capacity-rebalancing"></a>

Checks if Capacity Rebalancing is enabled for Amazon EC2 Auto Scaling groups that use multiple instance types. The rule is NON_COMPLIANT if Capacity Rebalancing is not enabled.

**Identifier:** AUTOSCALING_CAPACITY_REBALANCING

**Resource Types:** AWS::AutoScaling::AutoScalingGroup

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Jakarta), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d231c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# autoscaling-group-elb-healthcheck-required
<a name="autoscaling-group-elb-healthcheck-required"></a>

Checks if your Amazon EC2 Auto Scaling groups that are associated with an Elastic Load Balancer use Elastic Load Balancing health checks. The rule is NON_COMPLIANT if the Amazon EC2 Auto Scaling groups are not using Elastic Load Balancing health checks.

**Identifier:** AUTOSCALING_GROUP_ELB_HEALTHCHECK_REQUIRED

**Resource Types:** AWS::AutoScaling::AutoScalingGroup

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions

**Parameters:**

None  

## Proactive Evaluation
<a name="w2aac20c16c17b7d233c19"></a>

 For steps on how to run this rule in proactive mode, see [Evaluating Your Resources with AWS Config Rules](./evaluating-your-resources.html#evaluating-your-resources-proactive). For this rule to return COMPLIANT in proactive mode, the resource configuration schema for the [StartResourceEvaluation](https://docs.aws.amazon.com/config/latest/APIReference/API_StartResourceEvaluation.html) API needs to include the following inputs, encoded as a string: 

```
"ResourceConfiguration":
...
{
   "LoadBalancerNames": "[my-load-balancer-1, my-load-balancer-2, my-load-balancer-3, ...]",
   "HealthCheckType": "HealthCheckType*"
} 
...
```

\*The valid values are `EC2` (default), `ELB`, and `VPC_LATTICE`. The `VPC_LATTICE` health check type is reserved for use with VPC Lattice, which is in preview release and is subject to change. For more information, see [Health checks for Auto Scaling instances](https://docs.aws.amazon.com/autoscaling/ec2/userguide/ec2-auto-scaling-health-checks.html) in the Amazon EC2 Auto Scaling User Guide.

 For more information on proactive evaluation, see [Evaluation Mode](./evaluate-config-rules.html). 

## AWS CloudFormation template
<a name="w2aac20c16c17b7d233c21"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# autoscaling-launchconfig-requires-imdsv2
<a name="autoscaling-launchconfig-requires-imdsv2"></a>

Checks whether only IMDSv2 is enabled. This rule is NON_COMPLIANT if the Metadata version is not included in the launch configuration or if both Metadata V1 and V2 are enabled.

**Identifier:** AUTOSCALING_LAUNCHCONFIG_REQUIRES_IMDSV2

**Resource Types:** AWS::AutoScaling::LaunchConfiguration

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Malaysia), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d235c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# autoscaling-launch-config-hop-limit
<a name="autoscaling-launch-config-hop-limit"></a>

Checks the number of network hops that the metadata token can travel. This rule is NON_COMPLIANT if the Metadata response hop limit is greater than 1.

**Identifier:** AUTOSCALING_LAUNCH_CONFIG_HOP_LIMIT

**Resource Types:** AWS::AutoScaling::LaunchConfiguration

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Jakarta), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d237c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# autoscaling-launch-config-public-ip-disabled
<a name="autoscaling-launch-config-public-ip-disabled"></a>

Checks if Amazon EC2 Auto Scaling groups have public IP addresses enabled through Launch Configurations. The rule is NON_COMPLIANT if the Launch Configuration for an Amazon EC2 Auto Scaling group has AssociatePublicIpAddress set to 'true'.

**Identifier:** AUTOSCALING_LAUNCH_CONFIG_PUBLIC_IP_DISABLED

**Resource Types:** AWS::AutoScaling::LaunchConfiguration

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d239c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# autoscaling-launch-template
<a name="autoscaling-launch-template"></a>

Checks if an Amazon Elastic Compute Cloud (EC2) Auto Scaling group is created from an EC2 launch template. The rule is NON_COMPLIANT if the scaling group is not created from an EC2 launch template.

**Identifier:** AUTOSCALING_LAUNCH_TEMPLATE

**Resource Types:** AWS::AutoScaling::AutoScalingGroup

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d241c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# autoscaling-multiple-az
<a name="autoscaling-multiple-az"></a>

Checks if the Auto Scaling group spans multiple Availability Zones. The rule is NON_COMPLIANT if the Auto Scaling group does not span multiple Availability Zones.

**Identifier:** AUTOSCALING_MULTIPLE_AZ

**Resource Types:** AWS::AutoScaling::AutoScalingGroup

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary) Region

**Parameters:**

minAvailabilityZones (Optional)  
Type: int  
Minimum number of expected Availability Zones.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d243c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# autoscaling-multiple-instance-types
<a name="autoscaling-multiple-instance-types"></a>

Checks if an Amazon EC2 Auto Scaling group uses multiple instance types. The rule is NON_COMPLIANT if the Amazon EC2 Auto Scaling group has only one instance type defined. This rule does not evaluate attribute-based instance types.

**Identifier:** AUTOSCALING_MULTIPLE_INSTANCE_TYPES

**Resource Types:** AWS::AutoScaling::AutoScalingGroup

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Mexico (Central), Asia Pacific (Taipei) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d245c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# backup-plan-min-frequency-and-min-retention-check
<a name="backup-plan-min-frequency-and-min-retention-check"></a>

Checks if a backup plan has a backup rule that satisfies the required frequency and retention period. The rule is NON_COMPLIANT if recovery points are not created at least as often as the specified frequency or expire before the specified period.

**Identifier:** BACKUP_PLAN_MIN_FREQUENCY_AND_MIN_RETENTION_CHECK

**Resource Types:** AWS::Backup::BackupPlan

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

requiredFrequencyValue (Optional)  
Type: int  
Default: 1  
Numerical value for required backup frequency. Maximum of 24 for hours, 31 for days.

requiredRetentionDays (Optional)  
Type: int  
Default: 35  
Required retention period in days.

requiredFrequencyUnit (Optional)  
Type: String  
Default: days  
Unit of time for required backup frequency. Accepted values: 'hours', 'days'.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d247c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# backup-recovery-point-encrypted
<a name="backup-recovery-point-encrypted"></a>

Checks if a recovery point is encrypted. The rule is NON_COMPLIANT if the recovery point is not encrypted.

**Identifier:** BACKUP_RECOVERY_POINT_ENCRYPTED

**Resource Types:** AWS::Backup::RecoveryPoint

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d249c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# backup-recovery-point-manual-deletion-disabled
<a name="backup-recovery-point-manual-deletion-disabled"></a>

Checks if a backup vault has an attached resource-based policy which prevents deletion of recovery points. The rule is NON_COMPLIANT if the Backup Vault does not have resource-based policies or has policies without a suitable 'Deny' statement (statement with backup:DeleteRecoveryPoint, backup:UpdateRecoveryPointLifecycle, and backup:PutBackupVaultAccessPolicy permissions).

**Note**  
**Wildcard required for `"Resource"` and `"Principal"` of the Deny statement**  
The rule requires that the `"Resource"` and `"Principal"` of the Deny statement must have a wildcard in the [vault access policy](https://docs.aws.amazon.com/aws-backup/latest/devguide/create-a-vault-access-policy.html). Otherwise, the rule returns NON_COMPLIANT.

**Identifier:** BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED

**Resource Types:** AWS::Backup::BackupVault

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

principalArnList (Optional)  
Type: CSV  
Comma-separated list of AWS Identity and Access Management (IAM) Amazon Resource Names (ARNs) for the rule to NOT check.
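The following added example (not AWS's implementation of the rule) approximates the check described above so you can test a vault access policy before attaching it. It assumes all three actions must be named in a single Deny statement and does not model `Condition` blocks or the `principalArnList` parameter; the sample policies and the account ID are constructed.

```python
import json

# Actions the rule description says the Deny statement must cover.
REQUIRED_ACTIONS = frozenset({
    "backup:DeleteRecoveryPoint",
    "backup:UpdateRecoveryPointLifecycle",
    "backup:PutBackupVaultAccessPolicy",
})


def _as_list(value):
    """IAM policy elements may be a single value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _has_wildcard_principal(statement):
    principal = statement.get("Principal")
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _missing_actions(statement):
    # IAM action names are case-insensitive, so compare in lower case.
    named = {str(a).lower() for a in _as_list(statement.get("Action"))}
    return sorted(a for a in REQUIRED_ACTIONS if a.lower() not in named)


def evaluate_vault_policy(policy):
    """Return (compliance, reasons) for a policy given as dict, JSON string or None."""
    if not policy:
        return "NON_COMPLIANT", ["vault has no resource-based policy"]
    if isinstance(policy, str):
        try:
            policy = json.loads(policy)
        except json.JSONDecodeError:
            return "NON_COMPLIANT", ["policy is not valid JSON"]
    if not isinstance(policy, dict):
        return "NON_COMPLIANT", ["policy is not a JSON object"]

    reasons = []
    for index, statement in enumerate(_as_list(policy.get("Statement"))):
        if not isinstance(statement, dict) or statement.get("Effect") != "Deny":
            continue
        problems = []
        if not _has_wildcard_principal(statement):
            problems.append('"Principal" is not a wildcard')
        if "*" not in _as_list(statement.get("Resource")):
            problems.append('"Resource" is not a wildcard')
        missing = _missing_actions(statement)
        if missing:
            problems.append("missing actions: " + ", ".join(missing))
        if not problems:
            return "COMPLIANT", []
        reasons.append(f"Deny statement {index}: " + "; ".join(problems))
    return "NON_COMPLIANT", reasons or ["policy has no Deny statement"]


# Constructed sample: wildcard principal and resource, all three actions denied.
WILDCARD_DENY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Principal": "*",
        "Action": sorted(REQUIRED_ACTIONS),
        "Resource": "*",
    }],
}

# Constructed sample: a Deny that looks protective but is scoped to one role and
# one vault ARN and omits PutBackupVaultAccessPolicy, so the policy itself can
# still be replaced.
SCOPED_DENY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/example-role"},
        "Action": ["backup:DeleteRecoveryPoint", "backup:UpdateRecoveryPointLifecycle"],
        "Resource": "arn:aws:backup:us-east-1:111122223333:backup-vault:example-vault",
    }],
}

if __name__ == "__main__":
    for label, sample in (("wildcard", WILDCARD_DENY_POLICY), ("scoped", SCOPED_DENY_POLICY)):
        print(label, evaluate_vault_policy(sample))
```
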

## AWS CloudFormation template
<a name="w2aac20c16c17b7d251c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# backup-recovery-point-minimum-retention-check
<a name="backup-recovery-point-minimum-retention-check"></a>

Checks if a recovery point expires no earlier than after the specified period. The rule is NON_COMPLIANT if the recovery point has a retention period that is less than the required retention period.

**Identifier:** BACKUP_RECOVERY_POINT_MINIMUM_RETENTION_CHECK

**Resource Types:** AWS::Backup::RecoveryPoint

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

requiredRetentionDays (Optional)  
Type: int  
Default: 35  
Required retention period in days.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d253c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# batch-compute-environment-enabled
<a name="batch-compute-environment-enabled"></a>

Checks if AWS Batch compute environments are enabled. The rule is NON_COMPLIANT if configuration.State is 'DISABLED'.

**Identifier:** BATCH_COMPUTE_ENVIRONMENT_ENABLED

**Resource Types:** AWS::Batch::ComputeEnvironment

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d255c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# batch-compute-environment-managed
<a name="batch-compute-environment-managed"></a>

Checks if AWS Batch compute environments are managed. The rule is NON_COMPLIANT if configuration.Type is 'UNMANAGED'.

**Identifier:** BATCH_COMPUTE_ENVIRONMENT_MANAGED

**Resource Types:** AWS::Batch::ComputeEnvironment

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d257c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# batch-compute-environment-tagged
<a name="batch-compute-environment-tagged"></a>

Checks if AWS Batch compute environments have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** BATCH_COMPUTE_ENVIRONMENT_TAGGED

**Resource Types:** AWS::Batch::ComputeEnvironment

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d259c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# batch-job-queue-enabled
<a name="batch-job-queue-enabled"></a>

Checks if AWS Batch job queues are enabled. The rule is NON_COMPLIANT if configuration.State is 'DISABLED'.

**Identifier:** BATCH_JOB_QUEUE_ENABLED

**Resource Types:** AWS::Batch::JobQueue

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d261c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# batch-job-queue-tagged
<a name="batch-job-queue-tagged"></a>

Checks if AWS Batch job queues have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** BATCH_JOB_QUEUE_TAGGED

**Resource Types:** AWS::Batch::JobQueue

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d263c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# batch-managed-compute-environment-using-launch-template
<a name="batch-managed-compute-environment-using-launch-template"></a>

Checks if AWS Batch managed compute environments are configured using a launch template. The rule is NON_COMPLIANT if configuration.ComputeResources.LaunchTemplate does not exist.

**Identifier:** BATCH_MANAGED_COMPUTE_ENVIRONMENT_USING_LAUNCH_TEMPLATE

**Resource Types:** AWS::Batch::ComputeEnvironment

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d265c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# batch-managed-compute-env-allocation-strategy-check
<a name="batch-managed-compute-env-allocation-strategy-check"></a>

Checks if an AWS Batch managed compute environment is configured with a specified allocation strategy. The rule is NON_COMPLIANT if the compute environment is not configured with an allocation strategy specified in the required rule parameter.

**Identifier:** BATCH_MANAGED_COMPUTE_ENV_ALLOCATION_STRATEGY_CHECK

**Resource Types:** AWS::Batch::ComputeEnvironment

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

allocationStrategy  
Type: CSV  
Comma-separated list of allocation strategies for the rule to check. Valid values include: 'BEST_FIT', 'BEST_FIT_PROGRESSIVE', 'SPOT_CAPACITY_OPTIMIZED', and 'SPOT_PRICE_CAPACITY_OPTIMIZED'.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d267c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# batch-managed-compute-env-compute-resources-tagged
<a name="batch-managed-compute-env-compute-resources-tagged"></a>

Checks if the compute resources of AWS Batch managed compute environments have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. Tags starting with 'aws:' are not checked.

**Identifier:** BATCH_MANAGED_COMPUTE_ENV_COMPUTE_RESOURCES_TAGGED

**Resource Types:** AWS::Batch::ComputeEnvironment

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d269c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# batch-managed-spot-compute-environment-max-bid
<a name="batch-managed-spot-compute-environment-max-bid"></a>

Checks if an AWS Batch managed Spot compute environment is configured to have a bid percentage less than or equal to the specified value. The rule is NON_COMPLIANT if the bid percentage is greater than the value specified in the required rule parameter.

**Identifier:** BATCH_MANAGED_SPOT_COMPUTE_ENVIRONMENT_MAX_BID

**Resource Types:** AWS::Batch::ComputeEnvironment

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

maxBidPercentage  
Type: int  
The maximum bid percentage value for the rule to check. The rule is NON_COMPLIANT if an AWS Batch managed Spot compute environment is configured with a bid percentage greater than this value. Valid values are 1 to 100.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d271c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# batch-scheduling-policy-tagged
<a name="batch-scheduling-policy-tagged"></a>

Checks if AWS Batch scheduling policies have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** BATCH_SCHEDULING_POLICY_TAGGED

**Resource Types:** AWS::Batch::SchedulingPolicy

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), China (Ningxia) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d273c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# beanstalk-enhanced-health-reporting-enabled
<a name="beanstalk-enhanced-health-reporting-enabled"></a>

Checks if an AWS Elastic Beanstalk environment is configured for enhanced health reporting. The rule is COMPLIANT if the environment is configured for enhanced health reporting. The rule is NON_COMPLIANT if the environment is configured for basic health reporting.

**Identifier:** BEANSTALK_ENHANCED_HEALTH_REPORTING_ENABLED

**Resource Types:** AWS::ElasticBeanstalk::Environment

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d275c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# cassandra-keyspace-tagged
<a name="cassandra-keyspace-tagged"></a>

Checks if Amazon Keyspaces (for Apache Cassandra) keyspaces have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** CASSANDRA_KEYSPACE_TAGGED

**Resource Types:** AWS::Cassandra::Keyspace

**Trigger type:** Configuration changes

**AWS Region:** Only available in Europe (Stockholm), Middle East (Bahrain), Asia Pacific (Mumbai), Europe (Paris), US East (Ohio), Europe (Ireland), Europe (Frankfurt), South America (Sao Paulo), Asia Pacific (Hong Kong), US East (N. Virginia), Asia Pacific (Seoul), Europe (London), Asia Pacific (Tokyo), US West (Oregon), US West (N. California), Asia Pacific (Singapore), Asia Pacific (Sydney), Canada (Central) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d277c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# clb-desync-mode-check
<a name="clb-desync-mode-check"></a>

Checks if Classic Load Balancers (CLB) are configured with a user-defined Desync mitigation mode. The rule is NON_COMPLIANT if the CLB Desync mitigation mode does not match the user-defined Desync mitigation mode.

**Identifier:** CLB_DESYNC_MODE_CHECK

**Resource Types:** AWS::ElasticLoadBalancing::LoadBalancer

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), Europe (Zurich) Region

**Parameters:**

desyncMode  
Type: CSV  
Comma-separated list of values. You can select a maximum of two. Valid values include 'Defensive', 'Strictest', and 'Monitor'.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d279c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# clb-multiple-az
<a name="clb-multiple-az"></a>

Checks if a Classic Load Balancer spans multiple Availability Zones (AZs). The rule is NON_COMPLIANT if a Classic Load Balancer spans fewer than 2 AZs or does not span the number of AZs specified in the `minAvailabilityZones` parameter (if provided).

**Identifier:** CLB_MULTIPLE_AZ

**Resource Types:** AWS::ElasticLoadBalancing::LoadBalancer

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei) Region

**Parameters:**

minAvailabilityZones (Optional)  
Type: int  
Desired minimum number of expected AZs. Valid values are between 2 and 10, both inclusive. Default value is 2 if parameter is not specified.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d281c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# cloudformation-stack-drift-detection-check
<a name="cloudformation-stack-drift-detection-check"></a>

Checks if the actual configuration of an AWS CloudFormation (CloudFormation) stack differs, or has drifted, from the expected configuration. A stack is considered to have drifted if one or more of its resources differ from their expected configuration. The rule and the stack are COMPLIANT when the stack drift status is IN_SYNC. The rule is NON_COMPLIANT if the stack drift status is DRIFTED.

**Note**  
This rule performs the DetectStackDrift operation on each stack in your account. The DetectStackDrift operation can take up to several minutes, depending on the number of resources contained within the stack. Given that the maximum execution time of this rule is limited to 15 minutes, it is possible that the rule times out before it completes the evaluation of all the stacks in your account.  
If you encounter this issue, we suggest that you restrict the number of stacks in scope for the rule by using tags. You can do the following:

1. Divide your stacks into groups, each with a different tag.
1. Apply the same tag to all the stacks in that group.
1. Have multiple instances of this rule in your account, each scoped by a different tag. This allows each instance of the rule to only process the stacks which have the corresponding tag mentioned in its scope.

**Identifier:** CLOUDFORMATION_STACK_DRIFT_DETECTION_CHECK

**Resource Types:** AWS::CloudFormation::Stack

**Trigger type:** Configuration changes and Periodic

**AWS Region:** All supported AWS regions except Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Melbourne), Israel (Tel Aviv), Europe (Spain) Region

**Parameters:**

cloudformationRoleArn  
Type: String  
The Amazon Resource Name (ARN) of the IAM role with policy permissions to detect drift for CloudFormation stacks. For information on required IAM permissions for the role, see [Detecting unmanaged configuration changes to stacks and resources | Considerations when detecting drift](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-stack-drift.html#drift-considerations) in the *CloudFormation User Guide*.
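The tag-scoping workaround in the note above, as an added example that is not part of the AWS documentation: it builds one `PutConfigRule` request payload per stack group and lists the stacks that carry none of the group tags, which no rule instance would evaluate. The tag key `drift-group`, the `cfn-drift-` rule name prefix, the role ARN, and the stack list are constructed assumptions.

```python
import json
import re

RULE_IDENTIFIER = "CLOUDFORMATION_STACK_DRIFT_DETECTION_CHECK"
ROLE_ARN = re.compile(r"^arn:aws[a-z-]*:iam::\d{12}:role/.+$")


def build_tag_scoped_rules(tag_key, tag_values, role_arn, frequency="TwentyFour_Hours"):
    """Build one PutConfigRule payload per stack group, each scoped to one tag value."""
    if not ROLE_ARN.match(role_arn):
        raise ValueError("cloudformationRoleArn must be an IAM role ARN")
    rules, seen = [], set()
    for value in tag_values:
        # "cfn-drift-" is a hypothetical naming scheme for the rule instances.
        name = "cfn-drift-" + re.sub(r"[^A-Za-z0-9-]", "-", value)
        if name in seen:
            raise ValueError(f"tag value {value!r} collides with another group")
        seen.add(name)
        rules.append({
            "ConfigRuleName": name,
            # Tag-only scope: this instance sees only stacks tagged tag_key=value.
            "Scope": {"TagKey": tag_key, "TagValue": value},
            "Source": {"Owner": "AWS", "SourceIdentifier": RULE_IDENTIFIER},
            # Rule parameters are passed to AWS Config as a JSON-encoded string.
            "InputParameters": json.dumps({"cloudformationRoleArn": role_arn}),
            "MaximumExecutionFrequency": frequency,
        })
    return rules


def stacks_outside_scope(stacks, tag_key, tag_values):
    """Names of stacks with none of the group tags; no rule instance evaluates them."""
    wanted = set(tag_values)
    missed = []
    for stack in stacks:
        tags = {t["Key"]: t["Value"] for t in stack.get("Tags", [])}
        if tags.get(tag_key) not in wanted:
            missed.append(stack["StackName"])
    return sorted(missed)


# Constructed sample in the shape of CloudFormation DescribeStacks output.
SAMPLE_STACKS = [
    {"StackName": "network-core", "Tags": [{"Key": "drift-group", "Value": "platform"}]},
    {"StackName": "orders-api", "Tags": [{"Key": "drift-group", "Value": "apps"}]},
    {"StackName": "legacy-batch", "Tags": [{"Key": "owner", "Value": "ops"}]},
    {"StackName": "scratch-stack"},
]
SAMPLE_ROLE_ARN = "arn:aws:iam::111122223333:role/example-drift-detection-role"

if __name__ == "__main__":
    groups = ["platform", "apps"]
    for rule in build_tag_scoped_rules("drift-group", groups, SAMPLE_ROLE_ARN):
        # Each payload is the ConfigRule argument of the PutConfigRule API.
        print(json.dumps(rule, indent=2))
    print("not evaluated:", stacks_outside_scope(SAMPLE_STACKS, "drift-group", groups))
```

Run the coverage check whenever groups change: a stack that loses its group tag silently drops out of drift evaluation.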

## AWS CloudFormation template
<a name="w2aac20c16c17b7d283c21"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# cloudformation-stack-notification-check
<a name="cloudformation-stack-notification-check"></a>

Checks if your CloudFormation stacks send event notifications to an Amazon SNS topic. Optionally checks if specified Amazon SNS topics are used. The rule is NON_COMPLIANT if CloudFormation stacks do not send notifications.

**Identifier:** CLOUDFORMATION_STACK_NOTIFICATION_CHECK

**Resource Types:** AWS::CloudFormation::Stack

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Melbourne), Israel (Tel Aviv), Europe (Spain) Region

**Parameters:**

snsTopic2 (Optional)  
Type: String  
SNS topic ARN.

snsTopic1 (Optional)  
Type: String  
SNS topic ARN.

snsTopic5 (Optional)  
Type: String  
SNS topic ARN.

snsTopic4 (Optional)  
Type: String  
SNS topic ARN.

snsTopic3 (Optional)  
Type: String  
SNS topic ARN.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d285c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# cloudformation-stack-service-role-check
<a name="cloudformation-stack-service-role-check"></a>

Checks if AWS CloudFormation stacks are using service roles. The rule is NON_COMPLIANT if a CloudFormation stack does not have a service role associated with it.

**Identifier:** CLOUDFORMATION_STACK_SERVICE_ROLE_CHECK

**Resource Types:** AWS::CloudFormation::Stack

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Jakarta), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d287c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# cloudformation-termination-protection-check
<a name="cloudformation-termination-protection-check"></a>

Checks if an AWS CloudFormation stack has termination protection enabled. This rule is NON_COMPLIANT if termination protection is not enabled on a CloudFormation stack.

**Identifier:** CLOUDFORMATION_TERMINATION_PROTECTION_CHECK

**Resource Types:** AWS::CloudFormation::Stack

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Jakarta), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d289c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# cloudfront-accesslogs-enabled
<a name="cloudfront-accesslogs-enabled"></a>

Checks if Amazon CloudFront distributions are configured to deliver access logs to an Amazon S3 bucket using standard logging (legacy). The rule is NON_COMPLIANT if a CloudFront distribution does not have legacy logging configured.

**Identifier:** CLOUDFRONT_ACCESSLOGS_ENABLED

**Resource Types:** AWS::CloudFront::Distribution

**Trigger type:** Configuration changes

**AWS Region:** Only available in US East (N. Virginia) Region

**Parameters:**

S3BucketName (Optional)  
Type: String  
The name of the Amazon S3 bucket for storing server access logs.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d291c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# cloudfront-associated-with-waf
<a name="cloudfront-associated-with-waf"></a>

Checks if Amazon CloudFront distributions are associated with either web application firewall (WAF) or WAFv2 web access control lists (ACLs). The rule is NON_COMPLIANT if a CloudFront distribution is not associated with a WAF web ACL.

**Identifier:** CLOUDFRONT_ASSOCIATED_WITH_WAF

**Resource Types:** AWS::CloudFront::Distribution

**Trigger type:** Configuration changes

**AWS Region:** Only available in US East (N. Virginia) Region

**Parameters:**

wafWebAclIds (Optional)  
Type: CSV  
Comma-separated list of web ACL IDs for WAF or web ACL Amazon Resource Names (ARNs) for WAFV2.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d293c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# cloudfront-custom-ssl-certificate
<a name="cloudfront-custom-ssl-certificate"></a>

Checks if the certificate associated with an Amazon CloudFront distribution is the default SSL certificate. The rule is NON_COMPLIANT if a CloudFront distribution uses the default SSL certificate. Multi-tenant distributions are not applicable.

**Identifier:** CLOUDFRONT_CUSTOM_SSL_CERTIFICATE

**Resource Types:** AWS::CloudFront::Distribution

**Trigger type:** Configuration changes

**AWS Region:** Only available in US East (N. Virginia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d295c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# cloudfront-default-root-object-configured
<a name="cloudfront-default-root-object-configured"></a>

Checks if an Amazon CloudFront distribution is configured to return a specific object that is the default root object. The rule is NON_COMPLIANT if the Amazon CloudFront distribution does not have a default root object configured.

**Identifier:** CLOUDFRONT_DEFAULT_ROOT_OBJECT_CONFIGURED

**Resource Types:** AWS::CloudFront::Distribution

**Trigger type:** Configuration changes

**AWS Region:** Only available in US East (N. Virginia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d297c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# cloudfront-distribution-key-group-enabled
<a name="cloudfront-distribution-key-group-enabled"></a>

Checks if Amazon CloudFront distributions are configured to use only trusted key groups for signed URL or signed cookie authentication for all cache behaviors. The rule is NON_COMPLIANT if any cache behavior in the distribution is using trusted signers.

**Identifier:** CLOUDFRONT_DISTRIBUTION_KEY_GROUP_ENABLED

**Resource Types:** AWS::CloudFront::Distribution

**Trigger type:** Configuration changes

**AWS Region:** Only available in US East (N. Virginia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d299c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# cloudfront-no-deprecated-ssl-protocols
<a name="cloudfront-no-deprecated-ssl-protocols"></a>

Checks if CloudFront distributions are using deprecated SSL protocols for HTTPS communication between CloudFront edge locations and custom origins. This rule is NON_COMPLIANT for a CloudFront distribution if any ‘OriginSslProtocols’ includes ‘SSLv3’.

**Identifier:** CLOUDFRONT_NO_DEPRECATED_SSL_PROTOCOLS

**Resource Types:** AWS::CloudFront::Distribution

**Trigger type:** Configuration changes

**AWS Region:** Only available in US East (N. Virginia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d301c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# cloudfront-origin-access-identity-enabled
<a name="cloudfront-origin-access-identity-enabled"></a>

Checks if a CloudFront distribution with an Amazon S3 origin type has an origin access identity (OAI) configured. The rule is NON_COMPLIANT if the CloudFront distribution is backed by S3 and any origin type is not configured with OAI, or the origin is not an S3 bucket.

**Note**  
The rule does not return `NOT_APPLICABLE` if the origin is not an S3 bucket.

**Identifier:** CLOUDFRONT_ORIGIN_ACCESS_IDENTITY_ENABLED

**Resource Types:** AWS::CloudFront::Distribution

**Trigger type:** Configuration changes

**AWS Region:** Only available in US East (N. Virginia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d303c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# cloudfront-origin-failover-enabled
<a name="cloudfront-origin-failover-enabled"></a>

Checks if an origin group with at least two origins is configured for the Amazon CloudFront distribution. The rule is NON_COMPLIANT if there are no origin groups for the distribution.

**Identifier:** CLOUDFRONT_ORIGIN_FAILOVER_ENABLED

**Resource Types:** AWS::CloudFront::Distribution

**Trigger type:** Configuration changes

**AWS Region:** Only available in US East (N. Virginia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d305c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# cloudfront-origin-lambda-url-oac-enabled
<a name="cloudfront-origin-lambda-url-oac-enabled"></a>

Checks if Amazon CloudFront distributions with Amazon Lambda Function URL origins have origin access control (OAC) enabled. The rule is NON_COMPLIANT if any Lambda Function URL origin in a CloudFront distribution does not have OAC enabled.

**Identifier:** CLOUDFRONT_ORIGIN_LAMBDA_URL_OAC_ENABLED

**Resource Types:** AWS::CloudFront::Distribution

**Trigger type:** Configuration changes

**AWS Region:** Only available in US East (N. Virginia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d307c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# cloudfront-s3-origin-access-control-enabled
<a name="cloudfront-s3-origin-access-control-enabled"></a>

Checks if an Amazon CloudFront distribution with an Amazon Simple Storage Service (Amazon S3) Origin type has origin access control (OAC) enabled. The rule is NON_COMPLIANT for CloudFront distributions with Amazon S3 origins that don't have OAC enabled.

**Identifier:** CLOUDFRONT_S3_ORIGIN_ACCESS_CONTROL_ENABLED

**Resource Types:** AWS::CloudFront::Distribution

**Trigger type:** Configuration changes

**AWS Region:** Only available in US East (N. Virginia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d309c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# cloudfront-s3-origin-non-existent-bucket
<a name="cloudfront-s3-origin-non-existent-bucket"></a>

Checks if Amazon CloudFront distributions point to a non-existent S3 bucket. The rule is NON_COMPLIANT if `S3OriginConfig` for a CloudFront distribution points to a non-existent S3 bucket. The rule does not evaluate S3 buckets with static website hosting.

**Identifier:** CLOUDFRONT_S3_ORIGIN_NON_EXISTENT_BUCKET

**Resource Types:** AWS::CloudFront::Distribution

**Trigger type:** Periodic

**AWS Region:** Only available in China (Beijing), US East (N. Virginia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d311c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# cloudfront-security-policy-check
<a name="cloudfront-security-policy-check"></a>

Checks if Amazon CloudFront distributions are using a minimum security policy and cipher suite of TLSv1.2 or greater for viewer connections. This rule is NON_COMPLIANT for a CloudFront distribution if the minimumProtocolVersion is below TLSv1.2_2018.

**Identifier:** CLOUDFRONT_SECURITY_POLICY_CHECK

**Resource Types:** AWS::CloudFront::Distribution

**Trigger type:** Configuration changes

**AWS Region:** Only available in US East (N. Virginia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d313c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# cloudfront-sni-enabled
<a name="cloudfront-sni-enabled"></a>

Checks if Amazon CloudFront distributions are using a custom SSL certificate and are configured to use SNI to serve HTTPS requests. The rule is NON_COMPLIANT if a custom SSL certificate is associated but the SSL support method is a dedicated IP address.

**Identifier:** CLOUDFRONT_SNI_ENABLED

**Resource Types:** AWS::CloudFront::Distribution

**Trigger type:** Configuration changes

**AWS Region:** Only available in US East (N. Virginia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d315c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# cloudfront-ssl-policy-check
<a name="cloudfront-ssl-policy-check"></a>

Checks if Amazon CloudFront distributions are configured with the specified security policies. The rule is NON_COMPLIANT if a CloudFront distribution is not configured with security policies that you specify.

**Identifier:** CLOUDFRONT_SSL_POLICY_CHECK

**Resource Types:** AWS::CloudFront::Distribution

**Trigger type:** Configuration changes

**AWS Region:** Only available in US East (N. Virginia) Region

**Parameters:**

securityPolicies  
Type: CSV  
Comma-separated list of CloudFront distribution security policies for the rule to check. For example: "TLSv1.2_2018, TLSv1.2_2019, TLSv1.2_2021". For a list of valid values, see the Amazon CloudFront Developer Guide.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d317c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# cloudfront-traffic-to-origin-encrypted
<a name="cloudfront-traffic-to-origin-encrypted"></a>

Checks if Amazon CloudFront distributions are encrypting traffic to custom origins. The rule is NON_COMPLIANT if ‘OriginProtocolPolicy’ is ‘http-only’ or if ‘OriginProtocolPolicy’ is ‘match-viewer’ and ‘ViewerProtocolPolicy’ is ‘allow-all’.

**Identifier:** CLOUDFRONT_TRAFFIC_TO_ORIGIN_ENCRYPTED

**Resource Types:** AWS::CloudFront::Distribution

**Trigger type:** Configuration changes

**AWS Region:** Only available in US East (N. Virginia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d319c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).
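The condition stated for cloudfront-traffic-to-origin-encrypted can be pre-checked locally against a distribution configuration before deployment. The following is an added example, not AWS's rule code: it assumes input shaped like a CloudFront `DistributionConfig`, assumes that the relevant `ViewerProtocolPolicy` is that of the cache behaviors routed to the origin, and uses constructed sample data and hypothetical function names.

```python
import copy

# Constructed sample shaped like a CloudFront DistributionConfig (not real data).
SAMPLE_DISTRIBUTION = {
    "Origins": {"Items": [
        {"Id": "api", "DomainName": "api.example.com",
         "CustomOriginConfig": {"OriginProtocolPolicy": "match-viewer"}},
        {"Id": "legacy", "DomainName": "legacy.example.com",
         "CustomOriginConfig": {"OriginProtocolPolicy": "http-only"}},
        {"Id": "assets", "DomainName": "assets-bucket.s3.amazonaws.com",
         "S3OriginConfig": {"OriginAccessIdentity": ""}},
        {"Id": "app", "DomainName": "app.example.com",
         "CustomOriginConfig": {"OriginProtocolPolicy": "https-only"}},
    ]},
    "DefaultCacheBehavior": {"TargetOriginId": "app",
                             "ViewerProtocolPolicy": "redirect-to-https"},
    "CacheBehaviors": {"Items": [
        {"PathPattern": "/api/*", "TargetOriginId": "api",
         "ViewerProtocolPolicy": "allow-all"},
        # Viewers are forced to HTTPS here, yet the origin hop is still HTTP.
        {"PathPattern": "/old/*", "TargetOriginId": "legacy",
         "ViewerProtocolPolicy": "https-only"},
    ]},
}


def _behaviors(dist_config):
    """Yield the default cache behavior followed by any path-based ones."""
    yield dist_config["DefaultCacheBehavior"]
    yield from dist_config.get("CacheBehaviors", {}).get("Items", [])


def evaluate_origin_encryption(dist_config):
    """Return (compliance, findings) for one distribution configuration.

    Assumption: 'ViewerProtocolPolicy' is read from the cache behaviors whose
    TargetOriginId points at the custom origin being checked.
    """
    findings = []
    for origin in dist_config["Origins"]["Items"]:
        custom = origin.get("CustomOriginConfig")
        if custom is None:
            continue  # the rule text covers custom origins only
        policy = custom["OriginProtocolPolicy"]
        if policy == "http-only":
            findings.append((origin["Id"], "OriginProtocolPolicy is http-only"))
        elif policy == "match-viewer":
            for behavior in _behaviors(dist_config):
                if (behavior["TargetOriginId"] == origin["Id"]
                        and behavior["ViewerProtocolPolicy"] == "allow-all"):
                    findings.append(
                        (origin["Id"],
                         "match-viewer origin reachable through an allow-all behavior"))
                    break
    return ("NON_COMPLIANT" if findings else "COMPLIANT"), findings


def hardened(dist_config):
    """Return a remediated copy: HTTPS to origins, no plain-HTTP viewers."""
    fixed = copy.deepcopy(dist_config)
    for origin in fixed["Origins"]["Items"]:
        custom = origin.get("CustomOriginConfig")
        if custom and custom["OriginProtocolPolicy"] == "http-only":
            custom["OriginProtocolPolicy"] = "https-only"
    for behavior in _behaviors(fixed):
        if behavior["ViewerProtocolPolicy"] == "allow-all":
            behavior["ViewerProtocolPolicy"] = "redirect-to-https"
    return fixed


if __name__ == "__main__":
    for label, cfg in (("as deployed", SAMPLE_DISTRIBUTION),
                       ("hardened", hardened(SAMPLE_DISTRIBUTION))):
        status, findings = evaluate_origin_encryption(cfg)
        print(label, status)
        for origin_id, reason in findings:
            print("  ", origin_id, "-", reason)
```

The `legacy` origin is flagged even though its cache behavior forces viewers onto HTTPS, because the viewer-side policy does not protect the hop from CloudFront to the origin.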

# cloudfront-viewer-policy-https
<a name="cloudfront-viewer-policy-https"></a>

Checks whether your Amazon CloudFront distributions use HTTPS (directly or via a redirection). The rule is NON_COMPLIANT if the value of ViewerProtocolPolicy is set to 'allow-all' for the defaultCacheBehavior or for the CacheBehaviors.

**Identifier:** CLOUDFRONT_VIEWER_POLICY_HTTPS

**Resource Types:** AWS::CloudFront::Distribution

**Trigger type:** Configuration changes

**AWS Region:** Only available in US East (N. Virginia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d321c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# cloudtrail-all-read-s3-data-event-check
<a name="cloudtrail-all-read-s3-data-event-check"></a>

Checks if an AWS CloudTrail multi-Region trail is enabled and logs all read S3 data events for your buckets. The rule is NON_COMPLIANT if no multi-Region trail logs all read S3 data event types for all current and future S3 buckets.

**Identifier:** CLOUDTRAIL_ALL_READ_S3_DATA_EVENT_CHECK

**Resource Types:** AWS::::Account

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d323c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# cloudtrail-all-write-s3-data-event-check
<a name="cloudtrail-all-write-s3-data-event-check"></a>

Checks if an AWS CloudTrail multi-Region trail is enabled and logs all write S3 data events for your buckets. The rule is NON_COMPLIANT if no multi-Region trail logs all write S3 data event types for all current and future S3 buckets.

**Identifier:** CLOUDTRAIL_ALL_WRITE_S3_DATA_EVENT_CHECK

**Resource Types:** AWS::::Account

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d325c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# cloudtrail-event-data-store-multi-region
<a name="cloudtrail-event-data-store-multi-region"></a>

Checks if AWS CloudTrail event data stores have multi-region enabled when ingesting live events. The rule is NON_COMPLIANT if configuration.MultiRegionEnabled is false.

**Identifier:** CLOUDTRAIL_EVENT_DATA_STORE_MULTI_REGION

**Resource Types:** AWS::CloudTrail::EventDataStore

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d327c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# cloudtrail-s3-bucket-access-logging
<a name="cloudtrail-s3-bucket-access-logging"></a>

Checks if the S3 bucket configurations for your AWS CloudTrail logs have Amazon S3 server access logging enabled. The rule is NON_COMPLIANT if at least one S3 bucket for a CloudTrail trail does not have S3 server access logging enabled.

**Identifier:** CLOUDTRAIL_S3_BUCKET_ACCESS_LOGGING

**Resource Types:** AWS::CloudTrail::Trail

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Malaysia), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d329c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# cloudtrail-s3-bucket-public-access-prohibited
<a name="cloudtrail-s3-bucket-public-access-prohibited"></a>

Checks if the S3 bucket configurations for your AWS CloudTrail logs block public access. The rule is NON_COMPLIANT if at least one S3 bucket for a CloudTrail trail is publicly accessible.

**Identifier:** CLOUDTRAIL_S3_BUCKET_PUBLIC_ACCESS_PROHIBITED

**Resource Types:** AWS::CloudTrail::Trail

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Malaysia), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d331c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# cloudtrail-s3-dataevents-enabled
<a name="cloudtrail-s3-dataevents-enabled"></a>

Checks if at least one AWS CloudTrail trail is logging Amazon Simple Storage Service (Amazon S3) data events for all S3 buckets. The rule is NON_COMPLIANT if there are trails or if no trails record S3 data events.

**Identifier:** CLOUDTRAIL_S3_DATAEVENTS_ENABLED

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions

**Parameters:**

S3BucketNames (Optional)  
Type: String  
Comma-separated list of S3 bucket names for which data events logging should be enabled. Default behavior checks for all S3 buckets.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d333c17"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# cloudtrail-security-trail-enabled
<a name="cloudtrail-security-trail-enabled"></a>

Checks that there is at least one AWS CloudTrail trail defined with security best practices. This rule is COMPLIANT if there is at least one trail that meets all of the following:
+ records global service events
+ is a multi-region trail
+ has log file validation enabled
+ is encrypted with a KMS key
+ records events for reads and writes
+ records management events
+ does not exclude any management events

This rule is NON_COMPLIANT if no trails meet all of the criteria mentioned above.

**Identifier:** CLOUDTRAIL_SECURITY_TRAIL_ENABLED

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d335c21"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).
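The seven criteria listed for cloudtrail-security-trail-enabled can be checked per trail to see which one is keeping an account NON_COMPLIANT. The following is an added example, not AWS's rule code: it assumes each trail record combines the fields returned by CloudTrail `DescribeTrails` with the basic event selectors returned by `GetEventSelectors`; the sample trails, the key ARN and the function names are constructed.

```python
# Constructed sample: DescribeTrails fields merged with GetEventSelectors output.
SAMPLE_TRAILS = [
    {"Name": "org-audit",
     "IncludeGlobalServiceEvents": True, "IsMultiRegionTrail": True,
     "LogFileValidationEnabled": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
     "EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True,
                         "ExcludeManagementEventSources": ["kms.amazonaws.com"]}]},
    {"Name": "app-writes",
     "IncludeGlobalServiceEvents": True, "IsMultiRegionTrail": False,
     "LogFileValidationEnabled": False,
     "EventSelectors": [{"ReadWriteType": "WriteOnly", "IncludeManagementEvents": True,
                         "ExcludeManagementEventSources": []}]},
]


def failed_criteria(trail):
    """Return the criteria (in the order the rule lists them) that a trail misses."""
    failed = []
    if not trail.get("IncludeGlobalServiceEvents"):
        failed.append("records global service events")
    if not trail.get("IsMultiRegionTrail"):
        failed.append("is a multi-region trail")
    if not trail.get("LogFileValidationEnabled"):
        failed.append("has log file validation enabled")
    if not trail.get("KmsKeyId"):
        failed.append("encrypted with a KMS key")

    # Assumption: only selectors that record management events are relevant.
    mgmt = [s for s in trail.get("EventSelectors", [])
            if s.get("IncludeManagementEvents")]
    if not any(s.get("ReadWriteType") == "All" for s in mgmt):
        failed.append("records events for reads and writes")
    if not mgmt:
        failed.append("records management events")
    if any(s.get("ExcludeManagementEventSources") for s in mgmt):
        failed.append("does not exclude any management events")
    return failed


def evaluate_account(trails):
    """COMPLIANT if at least one trail meets every criterion, else NON_COMPLIANT.

    Also returns a per-trail report so the gap is visible for remediation.
    """
    report = {t["Name"]: failed_criteria(t) for t in trails}
    compliant = any(not missing for missing in report.values())
    return ("COMPLIANT" if compliant else "NON_COMPLIANT"), report


if __name__ == "__main__":
    status, report = evaluate_account(SAMPLE_TRAILS)
    print(status)
    for name, missing in report.items():
        print(f"  {name}: {missing or 'meets all criteria'}")
```

In the sample, `org-audit` looks well configured but still fails because KMS events are excluded from its management events; a single unmet criterion on every trail is enough to make the account NON_COMPLIANT.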

# cloudwatch-alarm-action-check
<a name="cloudwatch-alarm-action-check"></a>

Checks if CloudWatch alarms have an action configured for the ALARM, INSUFFICIENT_DATA, or OK state. Optionally checks if any actions match a named ARN. The rule is NON_COMPLIANT if there is no action specified for the alarm or optional parameter.

**Identifier:** CLOUDWATCH_ALARM_ACTION_CHECK

**Resource Types:** AWS::CloudWatch::Alarm

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions

**Parameters:**

okActionRequired  
Type: String  
Default: false  
Alarms have at least one action when the alarm transitions to an OK state from any other state.

insufficientDataActionRequired  
Type: String  
Default: true  
Alarms have at least one action when the alarm transitions to the INSUFFICIENT_DATA state from any other state.

alarmActionRequired  
Type: String  
Default: true  
Alarms have at least one action.

action1 (Optional)  
Type: String  
The action to execute, specified as an ARN.

action2 (Optional)  
Type: String  
The action to execute, specified as an ARN.

action3 (Optional)  
Type: String  
The action to execute, specified as an ARN.

action4 (Optional)  
Type: String  
The action to execute, specified as an ARN.

action5 (Optional)  
Type: String  
The action to execute, specified as an ARN.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d337c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# cloudwatch-alarm-action-enabled-check
<a name="cloudwatch-alarm-action-enabled-check"></a>

Checks if Amazon CloudWatch alarm actions are in the enabled state. The rule is NON_COMPLIANT if the CloudWatch alarm actions are not in the enabled state.

**Identifier:** CLOUDWATCH_ALARM_ACTION_ENABLED_CHECK

**Resource Types:** AWS::CloudWatch::Alarm

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d339c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# cloudwatch-alarm-description
<a name="cloudwatch-alarm-description"></a>

Checks if AWS CloudWatch Alarm resources contain an alarm description. The rule is NON_COMPLIANT if the CloudWatch Alarm resource does not contain an AlarmDescription field or the AlarmDescription is empty.

**Identifier:** CLOUDWATCH_ALARM_DESCRIPTION

**Resource Types:** AWS::CloudWatch::Alarm

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), AWS GovCloud (US-East), AWS GovCloud (US-West), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d341c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# cloudwatch-alarm-resource-check
<a name="cloudwatch-alarm-resource-check"></a>

Checks if a resource type has a CloudWatch alarm for the named metric. For resource type, you can specify EBS volumes, EC2 instances, Amazon RDS clusters, or S3 buckets. The rule is COMPLIANT if the named metric has a resource ID and CloudWatch alarm.

**Identifier:** CLOUDWATCH_ALARM_RESOURCE_CHECK

**Resource Types:** AWS::EC2::Instance, AWS::RDS::DBCluster, AWS::S3::Bucket, AWS::EC2::Volume

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions

**Parameters:**

resourceType  
Type: String  
AWS resource type. The value can be one of the following: AWS::EC2::Volume, AWS::EC2::Instance, AWS::RDS::DBCluster, or AWS::S3::Bucket.

metricName  
Type: String  
The name for the metric associated with the alarm (for example, 'CPUUtilization' for EC2 instances).

## AWS CloudFormation template
<a name="w2aac20c16c17b7d343c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# cloudwatch-alarm-settings-check
<a name="cloudwatch-alarm-settings-check"></a>

Checks whether CloudWatch alarms with the given metric name have the specified settings.

**Identifier:** CLOUDWATCH_ALARM_SETTINGS_CHECK

**Resource Types:** AWS::CloudWatch::Alarm

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions

**Parameters:**

metricName  
Type: String  
The name for the metric associated with the alarm.

period (Optional)  
Type: int  
Default: 300  
The period, in seconds, during which the specified statistic is applied.

statistic (Optional)  
Type: String  
The statistic for the metric associated with the alarm (for example, 'Average' or 'Sum').

comparisonOperator (Optional)  
Type: String  
The operation for comparing the specified statistic and threshold (for example, 'GreaterThanThreshold').

threshold (Optional)  
Type: int  
The value against which the specified statistic is compared.

evaluationPeriods (Optional)  
Type: int  
The number of periods over which data is compared to the specified threshold.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d345c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# cloudwatch-log-group-encrypted
<a name="cloudwatch-log-group-encrypted"></a>

Checks if Amazon CloudWatch Log Groups are encrypted with any AWS KMS key or a specified AWS KMS key Id. The rule is NON_COMPLIANT if a CloudWatch Log Group is not encrypted with a KMS key or is encrypted with a KMS key not supplied in the rule parameter.

**Identifier:** CLOUDWATCH_LOG_GROUP_ENCRYPTED

**Resource Types:** AWS::Logs::LogGroup

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions

**Parameters:**

KmsKeyId (Optional)  
Type: String  
Amazon Resource Name (ARN) of the ID for the KMS key that is used to encrypt the log group.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d347c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# cloudwatch-metric-stream-tagged
<a name="cloudwatch-metric-stream-tagged"></a>

Checks if Amazon CloudWatch metric streams have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** CLOUDWATCH_METRIC_STREAM_TAGGED

**Resource Types:** AWS::CloudWatch::MetricStream

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d349c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# cloud-trail-cloud-watch-logs-enabled
<a name="cloud-trail-cloud-watch-logs-enabled"></a>

Checks if AWS CloudTrail trails are configured to send logs to CloudWatch logs. The trail is NON_COMPLIANT if the CloudWatchLogsLogGroupArn property of the trail is empty.

**Identifier:** CLOUD_TRAIL_CLOUD_WATCH_LOGS_ENABLED

**Resource Types:** AWS::CloudTrail::Trail

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions

**Parameters:**

expectedDeliveryWindowAge (Optional)  
Type: int  
Maximum age in hours of the most recent delivery to CloudWatch logs that satisfies compliance.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d351c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# cloudtrail-enabled
<a name="cloudtrail-enabled"></a>

**Important**  
For this rule, the rule identifier (CLOUD_TRAIL_ENABLED) and rule name (cloudtrail-enabled) are different.

Checks if an AWS CloudTrail trail is enabled in your AWS account. The rule is NON_COMPLIANT if a trail is not enabled. Optionally, the rule checks a specific S3 bucket, Amazon Simple Notification Service (Amazon SNS) topic, and CloudWatch log group.

**Identifier:** CLOUD_TRAIL_ENABLED

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions

**Parameters:**

s3BucketName (Optional)  
Type: String  
Name of S3 bucket for CloudTrail to deliver log files to.

snsTopicArn (Optional)  
Type: String  
SNS topic ARN for CloudTrail to use for notifications.

cloudWatchLogsLogGroupArn (Optional)  
Type: String  
CloudWatch log group ARN for CloudTrail to send data to.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d353c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# cloud-trail-encryption-enabled
<a name="cloud-trail-encryption-enabled"></a>

Checks if AWS CloudTrail is configured to use server-side encryption (SSE) with AWS Key Management Service (AWS KMS). The rule is COMPLIANT if the KmsKeyId is defined.

**Identifier:** CLOUD_TRAIL_ENCRYPTION_ENABLED

**Resource Types:** AWS::CloudTrail::Trail

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d355c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# cloud-trail-log-file-validation-enabled
<a name="cloud-trail-log-file-validation-enabled"></a>

Checks if AWS CloudTrail creates a signed digest file with logs. AWS recommends enabling file validation on all trails. The rule is NON_COMPLIANT if the validation is not enabled.

**Identifier:** CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED

**Resource Types:** AWS::CloudTrail::Trail

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d357c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# cmk-backing-key-rotation-enabled
<a name="cmk-backing-key-rotation-enabled"></a>

Checks if automatic key rotation is enabled for each key and matches to the key ID of the customer created AWS KMS key. The rule is NON_COMPLIANT if the AWS Config recorder role for a resource does not have the kms:DescribeKey permission.

**Note**  
Automatic key rotation is not supported for asymmetric KMS keys, HMAC KMS keys, KMS keys with imported key material, or KMS keys in custom key stores.

**Identifier:** CMK_BACKING_KEY_ROTATION_ENABLED

**Resource Types:** AWS::KMS::Key

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d359c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# codeartifact-repository-tagged
<a name="codeartifact-repository-tagged"></a>

Checks if AWS CodeArtifact repository resources have tags. Optionally, required tag keys can be specified. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** CODEARTIFACT_REPOSITORY_TAGGED

**Resource Types:** AWS::CodeArtifact::Repository

**Trigger type:** Configuration changes

**AWS Region:** Only available in Europe (Stockholm), Asia Pacific (Mumbai), Europe (Paris), US East (Ohio), Europe (Ireland), Europe (Frankfurt), US East (N. Virginia), Europe (London), Europe (Milan), Asia Pacific (Tokyo), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Sydney) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d361c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# codebuild-project-artifact-encryption
<a name="codebuild-project-artifact-encryption"></a>

Checks if an AWS CodeBuild project has encryption enabled for all of its artifacts. The rule is NON_COMPLIANT if 'encryptionDisabled' is set to 'true' for any primary or secondary (if present) artifact configurations.

**Identifier:** CODEBUILD_PROJECT_ARTIFACT_ENCRYPTION

**Resource Types:** AWS::CodeBuild::Project

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Jakarta), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Osaka), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d363c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# codebuild-project-environment-privileged-check
<a name="codebuild-project-environment-privileged-check"></a>

Checks if an AWS CodeBuild project environment has privileged mode enabled. The rule is NON_COMPLIANT for a CodeBuild project if ‘privilegedMode’ is set to ‘true’.

**Identifier:** CODEBUILD_PROJECT_ENVIRONMENT_PRIVILEGED_CHECK

**Resource Types:** AWS::CodeBuild::Project

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Jakarta), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Osaka), Asia Pacific (Malaysia), Asia Pacific (Melbourne), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), Europe (Zurich) Region

**Parameters:**

exemptedProjects (Optional)  
Type: CSV  
Comma-separated list of CodeBuild project names that are allowed to have ‘privilegedMode’ with value ‘true’.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d365c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# codebuild-project-envvar-awscred-check
<a name="codebuild-project-envvar-awscred-check"></a>

Checks if the project contains environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY. The rule is NON_COMPLIANT when the project environment variables contain plaintext credentials.

**Identifier:** CODEBUILD_PROJECT_ENVVAR_AWSCRED_CHECK

**Resource Types:** AWS::CodeBuild::Project

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Jakarta), Asia Pacific (Malaysia), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d367c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# codebuild-project-logging-enabled
<a name="codebuild-project-logging-enabled"></a>

Checks if an AWS CodeBuild project environment has at least one log option enabled. The rule is NON_COMPLIANT if the status of all present log configurations is set to 'DISABLED'.

**Identifier:** CODEBUILD_PROJECT_LOGGING_ENABLED

**Resource Types:** AWS::CodeBuild::Project

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Jakarta), Asia Pacific (Malaysia), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary) Region

**Parameters:**

s3BucketNames (Optional)  
Type: String  
Comma-separated list of Amazon S3 bucket names that logs should be sent to if S3 logs are configured.

cloudWatchGroupNames (Optional)  
Type: String  
Comma-separated list of Amazon CloudWatch log group names that logs should be sent to if CloudWatch logs are configured.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d369c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# codebuild-project-s3-logs-encrypted
<a name="codebuild-project-s3-logs-encrypted"></a>

Checks if an AWS CodeBuild project configured with Amazon S3 Logs has encryption enabled for its logs. The rule is NON_COMPLIANT if ‘encryptionDisabled’ is set to ‘true’ in an S3LogsConfig of a CodeBuild project.

**Identifier:** CODEBUILD_PROJECT_S3_LOGS_ENCRYPTED

**Resource Types:** AWS::CodeBuild::Project

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Jakarta), Asia Pacific (Malaysia), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary) Region

**Parameters:**

exemptedProjects (Optional)  
Type: CSV  
Comma-separated list of CodeBuild project names that are allowed to output unencrypted logs.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d371c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# codebuild-project-source-repo-url-check
<a name="codebuild-project-source-repo-url-check"></a>

Checks if the Bitbucket source repository URL contains sign-in credentials or not. The rule is NON_COMPLIANT if the URL contains any sign-in information and COMPLIANT if it doesn't.

**Identifier:** CODEBUILD_PROJECT_SOURCE_REPO_URL_CHECK

**Resource Types:** AWS::CodeBuild::Project

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Jakarta), Asia Pacific (Malaysia), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d373c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).
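The CodeBuild project checks described above (artifact encryption, privileged mode, plaintext credential variables, logging, S3 log encryption, and Bitbucket URL credentials) can be reproduced locally before a project is deployed. The following is an added example, not AWS's implementation of these rules: it assumes the project is given in the shape of the CodeBuild `BatchGetProjects` response, the function names and sample projects are constructed, and where the rule text leaves a case open the reading taken is noted in a comment.

```python
from urllib.parse import urlsplit

# Variable names the envvar rule looks for.
CREDENTIAL_VARS = {"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY"}


def plaintext_credential_vars(project):
    """Names (never values) of credential variables stored as plaintext."""
    variables = project.get("environment", {}).get("environmentVariables", [])
    return sorted(
        v["name"] for v in variables
        if v.get("name") in CREDENTIAL_VARS
        and v.get("type", "PLAINTEXT") == "PLAINTEXT"  # PLAINTEXT is the default type
    )


def _verdict(violation):
    return "NON_COMPLIANT" if violation else "COMPLIANT"


def evaluate_codebuild_project(project, exempt_privileged=(), exempt_unencrypted_logs=()):
    """Return {rule name: verdict} for one project dict.

    The two exempt_* arguments play the role of the exemptedProjects parameters.
    """
    name = project.get("name", "")
    env = project.get("environment", {})
    logs = project.get("logsConfig", {})
    source = project.get("source", {})

    # Primary and secondary artifacts are checked alike.
    artifacts = [project.get("artifacts", {}), *project.get("secondaryArtifacts", [])]
    unencrypted_artifacts = any(a.get("encryptionDisabled") is True for a in artifacts)

    privileged = env.get("privilegedMode") is True and name not in exempt_privileged

    # Reading taken here: a violation needs at least one present log
    # configuration, and every present one must be DISABLED.
    statuses = [logs[k].get("status") for k in ("cloudWatchLogs", "s3Logs") if k in logs]
    logging_off = bool(statuses) and all(s == "DISABLED" for s in statuses)

    # Reading taken here: "configured with S3 logs" means s3Logs is ENABLED.
    s3_logs = logs.get("s3Logs", {})
    s3_logs_plain = (
        s3_logs.get("status") == "ENABLED"
        and s3_logs.get("encryptionDisabled") is True
        and name not in exempt_unencrypted_logs
    )

    # A userinfo part (user or user:password before '@') counts as sign-in data.
    url = urlsplit(source.get("location") or "")
    url_has_credentials = source.get("type") == "BITBUCKET" and (
        url.username is not None or url.password is not None
    )

    return {
        "codebuild-project-artifact-encryption": _verdict(unencrypted_artifacts),
        "codebuild-project-environment-privileged-check": _verdict(privileged),
        "codebuild-project-envvar-awscred-check": _verdict(plaintext_credential_vars(project)),
        "codebuild-project-logging-enabled": _verdict(logging_off),
        "codebuild-project-s3-logs-encrypted": _verdict(s3_logs_plain),
        "codebuild-project-source-repo-url-check": _verdict(url_has_credentials),
    }


# Constructed sample projects; every name and value is a placeholder.
RISKY_PROJECT = {
    "name": "example-build",
    "source": {
        "type": "BITBUCKET",
        "location": "https://builduser:EXAMPLE-TOKEN@bitbucket.org/example-team/example-repo.git",
    },
    "artifacts": {"type": "S3", "encryptionDisabled": False},
    "secondaryArtifacts": [{"type": "S3", "encryptionDisabled": True}],
    "environment": {
        "privilegedMode": True,
        "environmentVariables": [
            {"name": "AWS_ACCESS_KEY_ID", "value": "EXAMPLE-KEY-ID", "type": "PLAINTEXT"},
            {"name": "AWS_SECRET_ACCESS_KEY", "value": "example/param", "type": "PARAMETER_STORE"},
        ],
    },
    "logsConfig": {
        "cloudWatchLogs": {"status": "DISABLED"},
        "s3Logs": {"status": "ENABLED", "location": "example-bucket/logs", "encryptionDisabled": True},
    },
}

HARDENED_PROJECT = {
    "name": "example-build-hardened",
    "source": {"type": "BITBUCKET", "location": "https://bitbucket.org/example-team/example-repo.git"},
    "artifacts": {"type": "S3", "encryptionDisabled": False},
    "environment": {
        "privilegedMode": False,
        "environmentVariables": [
            {"name": "AWS_SECRET_ACCESS_KEY", "value": "example-secret-id", "type": "SECRETS_MANAGER"},
        ],
    },
    "logsConfig": {"cloudWatchLogs": {"status": "ENABLED"}},
}

if __name__ == "__main__":
    for rule, verdict in evaluate_codebuild_project(RISKY_PROJECT).items():
        print(f"{rule}: {verdict}")
```

The findings carry variable names only, so the report itself never repeats a credential value.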

# codebuild-project-tagged
<a name="codebuild-project-tagged"></a>

Checks if AWS CodeBuild projects have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** CODEBUILD_PROJECT_TAGGED

**Resource Types:** AWS::CodeBuild::Project

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Jakarta), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d375c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# codebuild-report-group-encrypted-at-rest
<a name="codebuild-report-group-encrypted-at-rest"></a>

Checks if an AWS CodeBuild report group has encryption at rest setting enabled. The rule is NON_COMPLIANT if 'EncryptionDisabled' is 'true'.

**Identifier:** CODEBUILD_REPORT_GROUP_ENCRYPTED_AT_REST

**Resource Types:** AWS::CodeBuild::ReportGroup

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Malaysia), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d377c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# codebuild-report-group-tagged
<a name="codebuild-report-group-tagged"></a>

Checks if AWS CodeBuild report groups have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** CODEBUILD_REPORT_GROUP_TAGGED

**Resource Types:** AWS::CodeBuild::ReportGroup

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d379c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# codedeploy-auto-rollback-monitor-enabled
<a name="codedeploy-auto-rollback-monitor-enabled"></a>

Checks if the deployment group is configured with automatic deployment rollback and deployment monitoring with alarms attached. The rule is NON_COMPLIANT if AutoRollbackConfiguration or AlarmConfiguration has not been configured or is not enabled.

**Identifier:** CODEDEPLOY_AUTO_ROLLBACK_MONITOR_ENABLED

**Resource Types:** AWS::CodeDeploy::DeploymentGroup

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Jakarta), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d381c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# codedeploy-deployment-group-auto-rollback-enabled
<a name="codedeploy-deployment-group-auto-rollback-enabled"></a>

Checks if AWS CodeDeploy deployment groups have auto rollback configuration enabled. The rule is NON_COMPLIANT if configuration.autoRollbackConfiguration.enabled is false or does not exist.

**Identifier:** CODEDEPLOY_DEPLOYMENT_GROUP_AUTO_ROLLBACK_ENABLED

**Resource Types:** AWS::CodeDeploy::DeploymentGroup

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Jakarta), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d383c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# codedeploy-deployment-group-outdated-instances-update
<a name="codedeploy-deployment-group-outdated-instances-update"></a>

Checks if AWS CodeDeploy deployment groups automatically update outdated instances. The rule is NON_COMPLIANT if configuration.outdatedInstancesStrategy is 'IGNORE'.

**Identifier:** CODEDEPLOY_DEPLOYMENT_GROUP_OUTDATED_INSTANCES_UPDATE

**Resource Types:** AWS::CodeDeploy::DeploymentGroup

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Jakarta), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d385c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# codedeploy-ec2-minimum-healthy-hosts-configured
<a name="codedeploy-ec2-minimum-healthy-hosts-configured"></a>

Checks if the deployment group for EC2/On-Premises Compute Platform is configured with a minimum healthy hosts fleet percentage or host count greater than or equal to the input threshold. The rule is NON_COMPLIANT if either is below the threshold.

**Identifier:** CODEDEPLOY_EC2_MINIMUM_HEALTHY_HOSTS_CONFIGURED

**Resource Types:** AWS::CodeDeploy::DeploymentGroup

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Jakarta), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

minimumHealthyHostsFleetPercent (Optional)  
Type: int  
Default: 66  
Minimum percentage of healthy hosts fleet during deployment. Default value is set to 66 percent.

minimumHealthyHostsHostCount (Optional)  
Type: int  
Default: 1  
Minimum number of healthy hosts in fleet during deployment. Default value is set to 1.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d387c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# codedeploy-lambda-allatonce-traffic-shift-disabled
<a name="codedeploy-lambda-allatonce-traffic-shift-disabled"></a>

Checks if the deployment group for Lambda Compute Platform is not using the default deployment configuration. The rule is NON_COMPLIANT if the deployment group is using the deployment configuration 'CodeDeployDefault.LambdaAllAtOnce'.

**Identifier:** CODEDEPLOY_LAMBDA_ALLATONCE_TRAFFIC_SHIFT_DISABLED

**Resource Types:** AWS::CodeDeploy::DeploymentGroup

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Jakarta), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d389c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# codeguruprofiler-profiling-group-tagged
<a name="codeguruprofiler-profiling-group-tagged"></a>

Checks if Amazon CodeGuru Profiler profiling groups have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** CODEGURUPROFILER_PROFILING_GROUP_TAGGED

**Resource Types:** AWS::CodeGuruProfiler::ProfilingGroup

**Trigger type:** Configuration changes

**AWS Region:** Only available in Europe (Stockholm), US East (Ohio), Europe (Ireland), Europe (Frankfurt), US East (N. Virginia), Europe (London), Asia Pacific (Tokyo), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Sydney) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d391c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# codegurureviewer-repository-association-tagged
<a name="codegurureviewer-repository-association-tagged"></a>

Checks if Amazon CodeGuru Reviewer repository associations have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** CODEGURUREVIEWER_REPOSITORY_ASSOCIATION_TAGGED

**Resource Types:** AWS::CodeGuruReviewer::RepositoryAssociation

**Trigger type:** Configuration changes

**AWS Region:** Only available in Europe (Stockholm), US East (Ohio), Europe (Ireland), Europe (Frankfurt), US East (N. Virginia), Europe (London), Asia Pacific (Tokyo), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Sydney) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d393c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# codepipeline-deployment-count-check
<a name="codepipeline-deployment-count-check"></a>

Checks if the first deployment stage of AWS CodePipeline performs more than one deployment. Optionally checks if each of the subsequent remaining stages deploys to more than the specified number of deployments (`deploymentLimit`).

**Identifier:** CODEPIPELINE_DEPLOYMENT_COUNT_CHECK

**Resource Types:** AWS::CodePipeline::Pipeline

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Middle East (Bahrain), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Jakarta), Africa (Cape Town), Asia Pacific (Osaka), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

deploymentLimit (Optional)  
Type: int  
The maximum number of deployments each stage can perform.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d395c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# codepipeline-region-fanout-check
<a name="codepipeline-region-fanout-check"></a>

Checks if each stage in the AWS CodePipeline deploys to more than N times the number of the regions the AWS CodePipeline has deployed in all the previous combined stages, where N is the region fanout number. The first deployment stage can deploy to a maximum of one region and the second deployment stage can deploy to a maximum number specified in the `regionFanoutFactor`. If you do not provide a `regionFanoutFactor`, by default the value is three. For example: if the first deployment stage deploys to one region and the second deployment stage deploys to three regions, the third deployment stage can deploy to 12 regions, that is, the sum of the previous stages multiplied by the region fanout number (three). The rule is NON_COMPLIANT if the deployment is in more than one region in the first stage, three regions in the second stage, or 12 regions in the third stage.

**Identifier:** CODEPIPELINE_REGION_FANOUT_CHECK

**Resource Types:** AWS::CodePipeline::Pipeline

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Middle East (Bahrain), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Jakarta), Africa (Cape Town), Asia Pacific (Osaka), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

regionFanoutFactor (Optional)  
Type: int  
Default: 3  
The number of regions the AWS CodePipeline has deployed to in all previous stages is the acceptable number of regions any stage can deploy to.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d397c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).
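The fanout arithmetic in the codepipeline-region-fanout-check description can be carried through for a whole pipeline. The following is an added example, not AWS's implementation of the rule: it assumes a pipeline dict shaped like a CodePipeline pipeline declaration, treats a stage as a deployment stage when it has an action of category `Deploy`, and sums per-stage region counts as the worked example in the description does. The function names and the sample pipeline are constructed.

```python
DEFAULT_REGION_FANOUT_FACTOR = 3  # default stated for regionFanoutFactor


def deployment_stage_regions(pipeline, home_region):
    """List (stage name, set of regions) for every stage with a Deploy action.

    Assumptions of this example: a deployment stage is one with at least one
    action of category "Deploy", and an action without an explicit "region"
    runs in the pipeline's home region.
    """
    stages = []
    for stage in pipeline.get("stages", []):
        regions = {
            action.get("region", home_region)
            for action in stage.get("actions", [])
            if action.get("actionTypeId", {}).get("category") == "Deploy"
        }
        if regions:
            stages.append((stage["name"], regions))
    return stages


def evaluate_region_fanout(pipeline, home_region, factor=DEFAULT_REGION_FANOUT_FACTOR):
    """Return one verdict dict per deployment stage.

    Stage 1 may deploy to one region. Every later stage may deploy to at most
    factor * (sum of the region counts of all earlier deployment stages).
    """
    if factor < 1:
        raise ValueError("regionFanoutFactor must be a positive integer")
    verdicts = []
    deployed_so_far = 0
    stages = deployment_stage_regions(pipeline, home_region)
    for position, (name, regions) in enumerate(stages, start=1):
        limit = 1 if position == 1 else factor * deployed_so_far
        verdicts.append({
            "stage": name,
            "regions": len(regions),
            "limit": limit,
            "compliant": len(regions) <= limit,
        })
        deployed_so_far += len(regions)
    return verdicts


def overall_compliance(verdicts):
    """Pipeline-level result: one stage over its limit fails the pipeline."""
    return "COMPLIANT" if all(v["compliant"] for v in verdicts) else "NON_COMPLIANT"


def make_stage(name, category, regions):
    """Build a constructed stage with one action per region (sample data only)."""
    return {
        "name": name,
        "actions": [
            {"name": f"{name}-{r}", "region": r, "actionTypeId": {"category": category}}
            for r in regions
        ],
    }


def sample_pipeline(prod_region_count):
    """Constructed pipeline: 1 region, then 3 regions, then prod_region_count."""
    regions = [f"example-region-{i}" for i in range(1, 14)]  # placeholder names
    return {
        "name": "example-pipeline",
        "stages": [
            make_stage("Source", "Source", regions[:1]),  # not a deployment stage
            make_stage("Beta", "Deploy", regions[:1]),
            make_stage("Gamma", "Deploy", regions[:3]),
            make_stage("Prod", "Deploy", regions[:prod_region_count]),
        ],
    }


if __name__ == "__main__":
    for count in (12, 13):
        verdicts = evaluate_region_fanout(sample_pipeline(count), "example-region-1")
        for v in verdicts:
            print(v)
        print(count, "regions in Prod:", overall_compliance(verdicts))
```

Lowering the factor tightens every later stage at once, because each limit is derived from the running total of earlier stages.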

# cognito-identity-pool-unauthenticated-logins
<a name="cognito-identity-pool-unauthenticated-logins"></a>

Checks if Amazon Cognito identity pools disallow unauthenticated logins. The rule is NON_COMPLIANT if configuration.AllowUnauthenticatedIdentities is true.

**Identifier:** COGNITO_IDENTITY_POOL_UNAUTHENTICATED_LOGINS

**Resource Types:** AWS::Cognito::IdentityPool

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d399c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# cognito-identity-pool-unauth-access-check
<a name="cognito-identity-pool-unauth-access-check"></a>

Checks if Amazon Cognito Identity Pool allows unauthenticated identities. The rule is NON_COMPLIANT if the Identity Pool is configured to allow unauthenticated identities.

**Identifier:** COGNITO_IDENTITY_POOL_UNAUTH_ACCESS_CHECK

**Resource Types:** AWS::Cognito::IdentityPool

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), Mexico (Central), Asia Pacific (Taipei), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d401c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# cognito-userpool-cust-auth-threat-full-check
<a name="cognito-userpool-cust-auth-threat-full-check"></a>

Checks if Amazon Cognito user pools have threat protection enabled with full-function enforcement mode for custom authentication. This rule is NON_COMPLIANT if threat protection for custom authentication is not set to full-function enforcement mode.

**Identifier:** COGNITO_USERPOOL_CUST_AUTH_THREAT_FULL_CHECK

**Resource Types:** AWS::Cognito::UserPool

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d403c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# cognito-user-pool-advanced-security-enabled
<a name="cognito-user-pool-advanced-security-enabled"></a>

Checks if an Amazon Cognito user pool has advanced security enabled for standard authentication. The rule is NON_COMPLIANT if advanced security is not enabled. Optionally, you can specify an advanced security mode for the rule to check.

**Identifier:** COGNITO_USER_POOL_ADVANCED_SECURITY_ENABLED

**Resource Types:** AWS::Cognito::UserPool

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Jakarta), Africa (Cape Town), Middle East (UAE), Asia Pacific (Hong Kong), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

SecurityMode (Optional)  
Type: String  
String value of the advanced security mode for the rule to check. If provided, the rule is NON_COMPLIANT if the advanced security mode for user pools does not match this parameter value. Valid values are AUDIT and ENFORCED.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d405c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# cognito-user-pool-deletion-protection-enabled
<a name="cognito-user-pool-deletion-protection-enabled"></a>

Checks whether Amazon Cognito user pools have deletion protection enabled. This rule is NON_COMPLIANT if a user pool has deletion protection disabled.

**Identifier:** COGNITO_USER_POOL_DELETION_PROTECTION_ENABLED

**Resource Types:** AWS::Cognito::UserPool

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d407c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# cognito-user-pool-mfa-enabled
<a name="cognito-user-pool-mfa-enabled"></a>

Checks if Amazon Cognito user pools configured with a PASSWORD-only sign-in policy have Multi-Factor Authentication (MFA) enabled. This rule is NON_COMPLIANT if a Cognito user pool configured with a PASSWORD-only sign-in policy does not have MFA enabled.

**Identifier:** COGNITO_USER_POOL_MFA_ENABLED

**Resource Types:** AWS::Cognito::UserPool

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d409c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# cognito-user-pool-password-policy-check
<a name="cognito-user-pool-password-policy-check"></a>

Checks if the password policy for an Amazon Cognito user pool meets the requirements specified in the parameters. The rule is NON_COMPLIANT if the user pool password policy does not meet the specified requirements.

**Identifier:** COGNITO_USER_POOL_PASSWORD_POLICY_CHECK

**Resource Types:** AWS::Cognito::UserPool

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), China (Ningxia) Region

**Parameters:**

requireSymbols (Optional)  
Type: boolean  
Default: True  
Whether to require at least one symbol in password.

temporaryPasswordValidity (Optional)  
Type: int  
Default: 7  
Number of days a temporary password remains valid. Valid values are 1 to 365.

minLength (Optional)  
Type: int  
Default: 8  
Minimum length required for user pool password. Valid values are 5 to 128.

requireNumbers (Optional)  
Type: boolean  
Default: True  
Whether to require at least one number in password.

requireUppercase (Optional)  
Type: boolean  
Default: True  
Whether to require at least one uppercase letter in password.

requireLowercase (Optional)  
Type: boolean  
Default: True  
Whether to require at least one lowercase letter in password.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d411c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# cognito-user-pool-tagged
<a name="cognito-user-pool-tagged"></a>

Checks if Amazon Cognito user pools have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** COGNITO_USER_POOL_TAGGED

**Resource Types:** AWS::Cognito::UserPool

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), China (Ningxia) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d413c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# connect-instance-logging-enabled
<a name="connect-instance-logging-enabled"></a>

Checks if Amazon Connect instances have flow logs enabled in an Amazon CloudWatch log group. The rule is NON_COMPLIANT if an Amazon Connect instance does not have flow logs enabled.

**Identifier:** CONNECT_INSTANCE_LOGGING_ENABLED

**Resource Types:** AWS::Connect::Instance

**Trigger type:** Configuration changes

**AWS Region:** Only available in Africa (Cape Town), Europe (Frankfurt), US East (N. Virginia), Asia Pacific (Seoul), Europe (London), Asia Pacific (Tokyo), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Sydney), Canada (Central) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d415c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# customerprofiles-domain-tagged
<a name="customerprofiles-domain-tagged"></a>

Checks if Amazon Connect Customer Profiles domains have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** CUSTOMERPROFILES_DOMAIN_TAGGED

**Resource Types:** AWS::CustomerProfiles::Domain

**Trigger type:** Configuration changes

**AWS Region:** Only available in Africa (Cape Town), Europe (Frankfurt), US East (N. Virginia), Asia Pacific (Seoul), Europe (London), Asia Pacific (Tokyo), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Sydney), Canada (Central) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d417c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# customerprofiles-object-type-allow-profile-creation
<a name="customerprofiles-object-type-allow-profile-creation"></a>

Checks if Amazon Connect Customer Profiles object types allow the creation of a new standard profile if one does not exist. The rule is NON_COMPLIANT if configuration.AllowProfileCreation is false.

**Identifier:** CUSTOMERPROFILES_OBJECT_TYPE_ALLOW_PROFILE_CREATION

**Resource Types:** AWS::CustomerProfiles::ObjectType

**Trigger type:** Configuration changes

**AWS Region:** Only available in Africa (Cape Town), Europe (Frankfurt), US East (N. Virginia), Asia Pacific (Seoul), Europe (London), Asia Pacific (Tokyo), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Sydney), Canada (Central) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d419c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# customerprofiles-object-type-tagged
<a name="customerprofiles-object-type-tagged"></a>

Checks if Amazon Connect Customer Profiles object types have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** CUSTOMERPROFILES_OBJECT_TYPE_TAGGED

**Resource Types:** AWS::CustomerProfiles::ObjectType

**Trigger type:** Configuration changes

**AWS Region:** Only available in Africa (Cape Town), Europe (Frankfurt), US East (N. Virginia), Asia Pacific (Seoul), Europe (London), Asia Pacific (Tokyo), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Sydney), Canada (Central) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d421c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# custom-eventbus-policy-attached
<a name="custom-eventbus-policy-attached"></a>

Checks if Amazon EventBridge custom event buses have a resource-based policy attached. The rule is NON_COMPLIANT if a custom event bus does not have a resource-based policy attached.

**Identifier:** CUSTOM_EVENTBUS_POLICY_ATTACHED

**Resource Types:** AWS::Events::EventBus

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d423c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# custom-schema-registry-policy-attached
<a name="custom-schema-registry-policy-attached"></a>

Checks if custom Amazon EventBridge schema registries have a resource policy attached. The rule is NON_COMPLIANT for custom schema registries without a resource policy attached.

**Identifier:** CUSTOM_SCHEMA_REGISTRY_POLICY_ATTACHED

**Resource Types:** AWS::EventSchemas::Registry

**Trigger type:** Periodic

**AWS Region:** Only available in Europe (Stockholm), Asia Pacific (Mumbai), Europe (Paris), US East (Ohio), Europe (Ireland), Europe (Frankfurt), South America (Sao Paulo), Asia Pacific (Hong Kong), US East (N. Virginia), Asia Pacific (Seoul), Europe (London), Asia Pacific (Tokyo), US West (Oregon), US West (N. California), Asia Pacific (Singapore), Asia Pacific (Sydney), Canada (Central) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d425c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# cw-loggroup-retention-period-check
<a name="cw-loggroup-retention-period-check"></a>

Checks if an Amazon CloudWatch LogGroup retention period is set to greater than 365 days or else a specified retention period. The rule is NON_COMPLIANT if the retention period is less than `MinRetentionTime`, if specified, or else 365 days.

**Note**  
If the retention setting is "Never expire" for a log group, the rule is marked as COMPLIANT.

**Identifier:** CW_LOGGROUP_RETENTION_PERIOD_CHECK

**Resource Types:** AWS::Logs::LogGroup

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions

**Parameters:**

LogGroupNames (Optional)  
Type: CSV  
A comma-separated list of Log Group name prefixes to check the retention period.

MinRetentionTime (Optional)  
Type: int  
Specify the retention time in days. Valid values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653. The default retention period is 365 days.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d427c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# datasync-location-object-storage-using-https
<a name="datasync-location-object-storage-using-https"></a>

Checks if AWS DataSync location object storage servers use the HTTPS protocol to communicate. The rule is NON_COMPLIANT if configuration.ServerProtocol is not 'HTTPS'.

**Identifier:** DATASYNC_LOCATION_OBJECT_STORAGE_USING_HTTPS

**Resource Types:** AWS::DataSync::LocationObjectStorage

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d429c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# datasync-task-data-verification-enabled
<a name="datasync-task-data-verification-enabled"></a>

Checks if AWS DataSync tasks have data verification enabled to perform additional verification at the end of your transfer. The rule is NON_COMPLIANT if configuration.Options.VerifyMode is 'NONE'.

**Identifier:** DATASYNC_TASK_DATA_VERIFICATION_ENABLED

**Resource Types:** AWS::DataSync::Task

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d431c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# datasync-task-logging-enabled
<a name="datasync-task-logging-enabled"></a>

Checks if an AWS DataSync task has Amazon CloudWatch logging enabled. The rule is NON_COMPLIANT if an AWS DataSync task does not have Amazon CloudWatch logging enabled or if the logging level is not equivalent to the logging level that you specify.

**Identifier:** DATASYNC_TASK_LOGGING_ENABLED

**Resource Types:** AWS::DataSync::Task

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Malaysia), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary) Region

**Parameters:**

logLevel (Optional)  
Type: String  
String value for the logging level. Valid values include: 'BASIC' and 'TRANSFER'. If not specified, the default value is 'BASIC'.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d433c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# datasync-task-tagged
<a name="datasync-task-tagged"></a>

Checks if AWS DataSync tasks have tags. Optionally, you can specify tag keys for the rule. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** DATASYNC_TASK_TAGGED

**Resource Types:** AWS::DataSync::Task

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), China (Ningxia) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d435c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# dax-encryption-enabled
<a name="dax-encryption-enabled"></a>

Checks if Amazon DynamoDB Accelerator (DAX) clusters are encrypted. The rule is NON_COMPLIANT if a DAX cluster is not encrypted.

**Identifier:** DAX_ENCRYPTION_ENABLED

**Resource Types:** AWS::DAX::Cluster

**Trigger type:** Periodic

**AWS Region:** Only available in Europe (Stockholm), China (Beijing), Asia Pacific (Mumbai), Europe (Paris), US East (Ohio), Europe (Ireland), Europe (Frankfurt), South America (Sao Paulo), US East (N. Virginia), Europe (London), Asia Pacific (Tokyo), US West (Oregon), US West (N. California), Asia Pacific (Singapore), Asia Pacific (Sydney), Europe (Spain), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d437c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# dax-tls-endpoint-encryption
<a name="dax-tls-endpoint-encryption"></a>

Checks if your Amazon DynamoDB Accelerator (DAX) cluster has ClusterEndpointEncryptionType set to TLS. The rule is NON_COMPLIANT if a DAX cluster is not encrypted by transport layer security (TLS).

**Identifier:** DAX_TLS_ENDPOINT_ENCRYPTION

**Resource Types:** AWS::DAX::Cluster

**Trigger type:** Periodic

**AWS Region:** Only available in Asia Pacific (Mumbai), Europe (Paris), US East (Ohio), Europe (Ireland), Europe (Frankfurt), South America (Sao Paulo), US East (N. Virginia), Europe (London), Asia Pacific (Tokyo), US West (Oregon), US West (N. California), Asia Pacific (Singapore), Asia Pacific (Sydney) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d439c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# db-instance-backup-enabled
<a name="db-instance-backup-enabled"></a>

Checks if RDS DB instances have backups enabled. Optionally, the rule checks the backup retention period and the backup window.

**Identifier:** DB_INSTANCE_BACKUP_ENABLED

**Resource Types:** AWS::RDS::DBInstance

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions

**Parameters:**

backupRetentionMinimum (Optional)  
Type: int  
Minimum retention period for backups.

backupRetentionPeriod (Optional)  
Type: int  
Retention period for backups.

checkReadReplicas (Optional)  
Type: boolean  
Checks whether RDS DB instances have backups enabled for read replicas.

preferredBackupWindow (Optional)  
Type: String  
Time range in which backups are created.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d441c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# desired-instance-tenancy
<a name="desired-instance-tenancy"></a>

Checks EC2 instances for a 'tenancy' value. Also checks if AMI IDs are specified to be launched from those AMIs or if Host IDs are launched on those Dedicated Hosts. The rule is COMPLIANT if the instance matches a host and an AMI, if specified, in a list.

**Identifier:** DESIRED_INSTANCE_TENANCY

**Resource Types:** AWS::EC2::Instance

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions

**Parameters:**

tenancy  
Type: String  
Desired tenancy of the instances. Valid values are DEDICATED, HOST and DEFAULT.

imageId (Optional)  
Type: CSV  
The rule evaluates instances launched only from AMIs with the specified IDs. Separate multiple AMI IDs with commas.

hostId (Optional)  
Type: CSV  
The IDs of the EC2 Dedicated Hosts on which the instances are meant to be launched. Separate multiple Host IDs with commas.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d443c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# desired-instance-type
<a name="desired-instance-type"></a>

Checks if your EC2 instances are of a specific instance type. The rule is NON_COMPLIANT if an EC2 instance is not specified in the parameter list. For a list of supported EC2 instance types, see Instance types in the EC2 User Guide for Linux Instances.

**Identifier:** DESIRED_INSTANCE_TYPE

**Resource Types:** AWS::EC2::Instance

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions

**Parameters:**

instanceType  
Type: CSV  
Comma-separated list of EC2 instance types (for example, "t2.small, m4.large, i2.xlarge").

## AWS CloudFormation template
<a name="w2aac20c16c17b7d445c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# devicefarm-instance-profile-tagged
<a name="devicefarm-instance-profile-tagged"></a>

Checks if AWS Device Farm instance profiles have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** DEVICEFARM_INSTANCE_PROFILE_TAGGED

**Resource Types:** AWS::DeviceFarm::InstanceProfile

**Trigger type:** Configuration changes

**AWS Region:** Only available in US West (Oregon) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d447c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# devicefarm-project-tagged
<a name="devicefarm-project-tagged"></a>

Checks if AWS Device Farm projects have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** DEVICEFARM_PROJECT_TAGGED

**Resource Types:** AWS::DeviceFarm::Project

**Trigger type:** Configuration changes

**AWS Region:** Only available in US West (Oregon) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d449c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# devicefarm-test-grid-project-tagged
<a name="devicefarm-test-grid-project-tagged"></a>

Checks if AWS Device Farm test grid projects have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** DEVICEFARM_TEST_GRID_PROJECT_TAGGED

**Resource Types:** AWS::DeviceFarm::TestGridProject

**Trigger type:** Configuration changes

**AWS Region:** Only available in US West (Oregon) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d451c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# dms-auto-minor-version-upgrade-check
<a name="dms-auto-minor-version-upgrade-check"></a>

Checks if an AWS Database Migration Service (AWS DMS) replication instance has automatic minor version upgrades enabled. The rule is NON_COMPLIANT if an AWS DMS replication instance is not configured with automatic minor version upgrades.

**Identifier:** DMS_AUTO_MINOR_VERSION_UPGRADE_CHECK

**Resource Types:** AWS::DMS::ReplicationInstance

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Jakarta), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d453c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# dms-endpoint-ssl-configured
<a name="dms-endpoint-ssl-configured"></a>

Checks if AWS Database Migration Service (AWS DMS) endpoints are configured with an SSL connection. The rule is NON_COMPLIANT if AWS DMS does not have an SSL connection configured.

**Context**: SSL/TLS connections provide one layer of security by encrypting data that moves between your client and a DB instance. Using a server certificate provides an extra layer of security by validating that the connection is being made to an Amazon RDS DB instance. It does so by checking the server certificate that is automatically installed on all DB instances that you provision. By enabling an SSL connection on AWS DMS, you protect the confidentiality of the data during the migration.

To configure an SSL connection for AWS DMS, see [Using SSL/TLS to encrypt a connection to a DB instance or cluster](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html) in the *Amazon Relational Database Service User Guide*.

**Identifier:** DMS_ENDPOINT_SSL_CONFIGURED

**Resource Types:** AWS::DMS::Endpoint

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Jakarta), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d455c21"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# dms-endpoint-tagged
<a name="dms-endpoint-tagged"></a>

Checks if AWS DMS endpoints have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** DMS_ENDPOINT_TAGGED

**Resource Types:** AWS::DMS::Endpoint

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Jakarta), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d457c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# dms-mongo-db-authentication-enabled
<a name="dms-mongo-db-authentication-enabled"></a>

Checks if AWS Database Migration Service (AWS DMS) endpoints for MongoDB data stores are enabled for password-based authentication and access control. The rule is NON_COMPLIANT if password-based authentication and access control is not enabled.

**Identifier:** DMS_MONGO_DB_AUTHENTICATION_ENABLED

**Resource Types:** AWS::DMS::Endpoint

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Jakarta), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d459c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# dms-neptune-iam-authorization-enabled
<a name="dms-neptune-iam-authorization-enabled"></a>

Checks if an AWS Database Migration Service (AWS DMS) endpoint for Amazon Neptune databases is configured with IAM authorization. The rule is NON_COMPLIANT if an AWS DMS endpoint where Neptune is the target has IamAuthEnabled set to false.

**Identifier:** DMS_NEPTUNE_IAM_AUTHORIZATION_ENABLED

**Resource Types:** AWS::DMS::Endpoint

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Jakarta), Africa (Cape Town), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Osaka), Asia Pacific (Malaysia), Asia Pacific (Melbourne), Europe (Milan), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d461c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# dms-redis-tls-enabled
<a name="dms-redis-tls-enabled"></a>

Checks if AWS Database Migration Service (AWS DMS) endpoints for Redis data stores are enabled for TLS/SSL encryption of data communicated with other endpoints. The rule is NON_COMPLIANT if TLS/SSL encryption is not enabled.

**Identifier:** DMS_REDIS_TLS_ENABLED

**Resource Types:** AWS::DMS::Endpoint

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Jakarta), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d463c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# dms-replication-instance-multi-az-enabled
<a name="dms-replication-instance-multi-az-enabled"></a>

Checks if AWS Database Migration Service (DMS) replication instances are configured with multiple Availability Zones. The rule is NON_COMPLIANT if a DMS replication instance is not configured to use multiple Availability Zones.

**Identifier:** DMS_REPLICATION_INSTANCE_MULTI_AZ_ENABLED

**Resource Types:** AWS::DMS::ReplicationInstance

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Jakarta), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d465c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# dms-replication-not-public
<a name="dms-replication-not-public"></a>

Checks if AWS Database Migration Service (AWS DMS) replication instances are public. The rule is NON_COMPLIANT if the PubliclyAccessible field is set to true.

**Identifier:** DMS_REPLICATION_NOT_PUBLIC

**Resource Types:** AWS::DMS::ReplicationInstance

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d467c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# dms-replication-task-sourcedb-logging
<a name="dms-replication-task-sourcedb-logging"></a>

Checks if logging is enabled with a valid severity level for AWS DMS replication tasks of a source database. The rule is NON_COMPLIANT if logging is not enabled or logs for DMS replication tasks of a source database have a severity level that is not valid.

**Identifier:** DMS_REPLICATION_TASK_SOURCEDB_LOGGING

**Resource Types:** AWS::DMS::ReplicationTask

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Jakarta), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d469c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# dms-replication-task-tagged
<a name="dms-replication-task-tagged"></a>

Checks if AWS DMS replication tasks have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** DMS_REPLICATION_TASK_TAGGED

**Resource Types:** AWS::DMS::ReplicationTask

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Jakarta), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d471c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# dms-replication-task-targetdb-logging
<a name="dms-replication-task-targetdb-logging"></a>

Checks if logging is enabled with a valid severity level for AWS DMS replication task events of a target database. The rule is NON_COMPLIANT if logging is not enabled or replication task logging of a target database has a severity level that is not valid.

**Identifier:** DMS_REPLICATION_TASK_TARGETDB_LOGGING

**Resource Types:** AWS::DMS::ReplicationTask

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Jakarta), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d473c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# docdb-cluster-audit-logging-enabled
<a name="docdb-cluster-audit-logging-enabled"></a>

Checks if an Amazon DocumentDB (with MongoDB compatibility) instance cluster has CloudWatch log export enabled for audit logs. The rule is NON_COMPLIANT if an Amazon DocumentDB instance cluster does not have CloudWatch log export enabled for audit logs.

**Identifier:** DOCDB_CLUSTER_AUDIT_LOGGING_ENABLED

**Resource Types:** AWS::RDS::DBCluster

**Trigger type:** Configuration changes

**AWS Region:** Only available in Asia Pacific (Mumbai), Europe (Paris), US East (Ohio), Europe (Ireland), Middle East (UAE), Europe (Frankfurt), South America (Sao Paulo), Asia Pacific (Hong Kong), Asia Pacific (Hyderabad), US East (N. Virginia), Asia Pacific (Seoul), Europe (London), Europe (Milan), Asia Pacific (Tokyo), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Sydney), Canada (Central), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d475c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# docdb-cluster-backup-retention-check
<a name="docdb-cluster-backup-retention-check"></a>

Checks if an Amazon DocumentDB cluster retention period is set to a specific number of days. The rule is NON_COMPLIANT if the retention period is less than the value specified by the parameter.

**Identifier:** DOCDB_CLUSTER_BACKUP_RETENTION_CHECK

**Resource Types:** AWS::RDS::DBCluster

**Trigger type:** Configuration changes

**AWS Region:** Only available in Asia Pacific (Mumbai), Europe (Paris), US East (Ohio), Europe (Ireland), Middle East (UAE), Europe (Frankfurt), South America (Sao Paulo), Asia Pacific (Hong Kong), Asia Pacific (Hyderabad), US East (N. Virginia), Asia Pacific (Seoul), Europe (London), Europe (Milan), Asia Pacific (Tokyo), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Sydney), Canada (Central), China (Ningxia) Region

**Parameters:**

minimumBackupRetentionPeriod (Optional)  
Type: int  
Minimum number of days backups should be kept. Valid values are 1 to 35; the default value is 7. The rule is NON_COMPLIANT if this value is greater than 'backupRetentionPeriod'.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d477c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# docdb-cluster-deletion-protection-enabled
<a name="docdb-cluster-deletion-protection-enabled"></a>

Checks if an Amazon DocumentDB (with MongoDB compatibility) cluster has deletion protection enabled. The rule is NON_COMPLIANT if an Amazon DocumentDB cluster has the deletionProtection field set to false.

**Identifier:** DOCDB_CLUSTER_DELETION_PROTECTION_ENABLED

**Resource Types:** AWS::RDS::DBCluster

**Trigger type:** Configuration changes

**AWS Region:** Only available in Asia Pacific (Mumbai), Europe (Paris), US East (Ohio), Europe (Ireland), Middle East (UAE), Europe (Frankfurt), South America (Sao Paulo), Asia Pacific (Hong Kong), Asia Pacific (Hyderabad), US East (N. Virginia), Asia Pacific (Seoul), Europe (London), Europe (Milan), Asia Pacific (Tokyo), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Sydney), Canada (Central), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d479c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# docdb-cluster-encrypted
<a name="docdb-cluster-encrypted"></a>

Checks if storage encryption is enabled for your Amazon DocumentDB (with MongoDB compatibility) clusters. The rule is NON_COMPLIANT if storage encryption is not enabled.

**Identifier:** DOCDB_CLUSTER_ENCRYPTED

**Resource Types:** AWS::RDS::DBCluster

**Trigger type:** Configuration changes

**AWS Region:** Only available in Asia Pacific (Mumbai), Europe (Paris), US East (Ohio), Europe (Ireland), Middle East (UAE), Europe (Frankfurt), South America (Sao Paulo), Asia Pacific (Hong Kong), Asia Pacific (Hyderabad), US East (N. Virginia), Asia Pacific (Seoul), Europe (London), Europe (Milan), Asia Pacific (Tokyo), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Sydney), Canada (Central), China (Ningxia) Region

**Parameters:**

kmsKeyArns (Optional)  
Type: CSV  
A comma-separated list of KMS key ARNs to compare with the KmsKeyID of the encrypted cluster.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d481c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# docdb-cluster-encrypted-in-transit
<a name="docdb-cluster-encrypted-in-transit"></a>

Checks if connections to Amazon DocumentDB clusters are configured to use encryption in transit. The rule is NON_COMPLIANT if the parameter group is not "in-sync", or the TLS parameter is set to either "disabled" or a value in `excludeTlsParameters`.

**Identifier:** DOCDB_CLUSTER_ENCRYPTED_IN_TRANSIT

**Resource Types:** AWS::RDS::DBCluster

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Europe (Stockholm), Middle East (Bahrain), Asia Pacific (Thailand), Asia Pacific (Jakarta), Africa (Cape Town), Asia Pacific (Osaka), Asia Pacific (Malaysia), Asia Pacific (Melbourne), Mexico (Central), US West (N. California), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), Europe (Zurich) Region

**Parameters:**

excludeTlsParameters (Optional)  
Type: CSV  
Comma-separated list of TLS cluster parameters for the rule to NOT check. Default value: 'disabled'.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d483c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# docdb-cluster-snapshot-public-prohibited
<a name="docdb-cluster-snapshot-public-prohibited"></a>

Checks if Amazon DocumentDB manual cluster snapshots are public. The rule is NON_COMPLIANT if any Amazon DocumentDB manual cluster snapshots are public.

**Identifier:** DOCDB_CLUSTER_SNAPSHOT_PUBLIC_PROHIBITED

**Resource Types:** AWS::RDS::DBClusterSnapshot

**Trigger type:** Configuration changes

**AWS Region:** Only available in Asia Pacific (Mumbai), Europe (Paris), US East (Ohio), Europe (Ireland), Middle East (UAE), Europe (Frankfurt), South America (Sao Paulo), Asia Pacific (Hong Kong), Asia Pacific (Hyderabad), US East (N. Virginia), Asia Pacific (Seoul), Europe (London), Europe (Milan), Asia Pacific (Tokyo), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Sydney), Canada (Central) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d485c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# dynamodb-autoscaling-enabled
<a name="dynamodb-autoscaling-enabled"></a>

Checks if Amazon DynamoDB tables or global secondary indexes can process read/write capacity using on-demand mode or provisioned mode with auto scaling enabled. The rule is NON_COMPLIANT if either mode is used without auto scaling enabled.

**Identifier:** DYNAMODB_AUTOSCALING_ENABLED

**Resource Types:** AWS::DynamoDB::Table

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions

**Parameters:**

minProvisionedReadCapacity (Optional)  
Type: int  
The minimum number of units that should be provisioned with read capacity in the Auto Scaling group.

maxProvisionedReadCapacity (Optional)  
Type: int  
The maximum number of units that should be provisioned with read capacity in the Auto Scaling group.

targetReadUtilization (Optional)  
Type: double  
The target utilization percentage for read capacity. Target utilization is expressed in terms of the ratio of consumed capacity to provisioned capacity.

minProvisionedWriteCapacity (Optional)  
Type: int  
The minimum number of units that should be provisioned with write capacity in the Auto Scaling group.

maxProvisionedWriteCapacity (Optional)  
Type: int  
The maximum number of units that should be provisioned with write capacity in the Auto Scaling group.

targetWriteUtilization (Optional)  
Type: double  
The target utilization percentage for write capacity. Target utilization is expressed in terms of the ratio of consumed capacity to provisioned capacity.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d487c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# dynamodb-in-backup-plan
<a name="dynamodb-in-backup-plan"></a>

Checks if an Amazon DynamoDB table is present in AWS Backup plans. The rule is NON_COMPLIANT if DynamoDB tables are not present in any AWS Backup plan.

**Identifier:** DYNAMODB_IN_BACKUP_PLAN

**Resource Types:** AWS::DynamoDB::Table

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d489c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# dynamodb-last-backup-recovery-point-created
<a name="dynamodb-last-backup-recovery-point-created"></a>

Checks if a recovery point was created for Amazon DynamoDB Tables within the specified period. The rule is NON_COMPLIANT if the DynamoDB Table does not have a corresponding recovery point created within the specified time period.

**Identifier:** DYNAMODB_LAST_BACKUP_RECOVERY_POINT_CREATED

**Resource Types:** AWS::DynamoDB::Table

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

resourceTags (Optional)  
Type: String  
Tags of the DynamoDB Tables for the rule to check, in JSON format `{"tagkey" : "tagValue"}`.

resourceId (Optional)  
Type: String  
Name of DynamoDB Table for the rule to check.

recoveryPointAgeValue (Optional)  
Type: int  
Default: 1  
Numerical value for maximum allowed age. No more than 744 for hours, 31 for days.

recoveryPointAgeUnit (Optional)  
Type: String  
Default: days  
Unit of time for maximum allowed age. Accepted values: 'hours', 'days'.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d491c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# dynamodb-meets-restore-time-target
<a name="dynamodb-meets-restore-time-target"></a>

Checks if the restore time of Amazon DynamoDB Tables meets the specified duration. The rule is NON_COMPLIANT if LatestRestoreExecutionTimeMinutes of a DynamoDB Table is greater than maxRestoreTime minutes.

**Identifier:** DYNAMODB_MEETS_RESTORE_TIME_TARGET

**Resource Types:** AWS::DynamoDB::Table

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

maxRestoreTime  
Type: int  
Numerical value for the maximum allowed restore runtime.

resourceTags (Optional)  
Type: String  
Tags of the DynamoDB Tables for the rule to check, in JSON format.

resourceId (Optional)  
Type: String  
Name of DynamoDB Table for the rule to check.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d493c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# dynamodb-pitr-enabled
<a name="dynamodb-pitr-enabled"></a>

Checks if point-in-time recovery (PITR) is enabled for Amazon DynamoDB tables. The rule is NON_COMPLIANT if PITR is not enabled for DynamoDB tables.

**Identifier:** DYNAMODB_PITR_ENABLED

**Resource Types:** AWS::DynamoDB::Table

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d495c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# dynamodb-resources-protected-by-backup-plan
<a name="dynamodb-resources-protected-by-backup-plan"></a>

Checks if Amazon DynamoDB tables are protected by a backup plan. The rule is NON_COMPLIANT if the DynamoDB Table is not covered by a backup plan.

**Identifier:** DYNAMODB_RESOURCES_PROTECTED_BY_BACKUP_PLAN

**Resource Types:** AWS::DynamoDB::Table

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

resourceTags (Optional)  
Type: String  
Tags for DynamoDB tables for the rule to check, in JSON format `{"tagkey" : "tagValue"}`.

resourceId (Optional)  
Type: String  
Name of DynamoDB table for the rule to check.

crossRegionList (Optional)  
Type: String  
Comma-separated list of destination regions for the cross-region backup copy to be kept.

crossAccountList (Optional)  
Type: String  
Comma-separated list of destination accounts for cross-account backup copy to be kept.

maxRetentionDays (Optional)  
Type: int  
The maximum retention period in days for the Backup Vault Lock.

minRetentionDays (Optional)  
Type: int  
The minimum retention period in days for the Backup Vault Lock.

backupVaultLockCheck (Optional)  
Type: String  
Accepted values: 'True' or 'False'. Enter 'True' for the rule to check if the resource is backed up in a locked vault.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d497c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# dynamodb-table-deletion-protection-enabled
<a name="dynamodb-table-deletion-protection-enabled"></a>

Checks if an Amazon DynamoDB table has deletion protection set to enabled. The rule is NON_COMPLIANT if the table has deletion protection set to disabled.

**Identifier:** DYNAMODB_TABLE_DELETION_PROTECTION_ENABLED

**Resource Types:** AWS::DynamoDB::Table

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Mexico (Central), Asia Pacific (Taipei) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d499c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# dynamodb-table-encrypted-kms
<a name="dynamodb-table-encrypted-kms"></a>

Checks if an Amazon DynamoDB table is encrypted with AWS Key Management Service (KMS). The rule is NON_COMPLIANT if the Amazon DynamoDB table is not encrypted with AWS KMS. The rule is also NON_COMPLIANT if the encrypting AWS KMS key is not present in the `kmsKeyArns` input parameter.

**Identifier:** DYNAMODB_TABLE_ENCRYPTED_KMS

**Resource Types:** AWS::DynamoDB::Table

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions

**Parameters:**

kmsKeyArns (Optional)  
Type: CSV  
Comma-separated list of AWS KMS key ARNs allowed for encrypting Amazon DynamoDB Tables.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d501c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# dynamodb-table-encryption-enabled
<a name="dynamodb-table-encryption-enabled"></a>

Checks if the Amazon DynamoDB tables are encrypted and checks their status. The rule is COMPLIANT if the status is enabled or enabling.

**Identifier:** DYNAMODB_TABLE_ENCRYPTION_ENABLED

**Resource Types:** AWS::DynamoDB::Table

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d503c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# dynamodb-throughput-limit-check
<a name="dynamodb-throughput-limit-check"></a>

Checks if provisioned DynamoDB throughput is approaching the maximum limit for your account. By default, the rule checks if provisioned throughput exceeds a threshold of 80 percent of your account limits.

**Identifier:** DYNAMODB_THROUGHPUT_LIMIT_CHECK

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions

**Parameters:**

accountRCUThresholdPercentage (Optional)  
Type: int  
Default: 80  
Percentage of provisioned read capacity units for your account. When this value is reached, the rule is marked as noncompliant.

accountWCUThresholdPercentage (Optional)  
Type: int  
Default: 80  
Percentage of provisioned write capacity units for your account. When this value is reached, the rule is marked as noncompliant.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d505c17"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ebs-in-backup-plan
<a name="ebs-in-backup-plan"></a>

Checks if Amazon Elastic Block Store (Amazon EBS) volumes are added to backup plans of AWS Backup. The rule is NON_COMPLIANT if Amazon EBS volumes are not included in backup plans.

**Identifier:** EBS_IN_BACKUP_PLAN

**Resource Types:** AWS::EC2::Volume

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d507c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ebs-last-backup-recovery-point-created
<a name="ebs-last-backup-recovery-point-created"></a>

Checks if a recovery point was created for Amazon Elastic Block Store (Amazon EBS). The rule is NON_COMPLIANT if the Amazon EBS volume does not have a corresponding recovery point created within the specified time period.

**Identifier:** EBS_LAST_BACKUP_RECOVERY_POINT_CREATED

**Resource Types:** AWS::EC2::Volume

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

resourceTags (Optional)  
Type: String  
Tags of Amazon EBS volumes for the rule to check, in JSON format `{"tagkey" : "tagValue"}`.

resourceId (Optional)  
Type: String  
ID of Amazon EBS volume for the rule to check.

recoveryPointAgeValue (Optional)  
Type: int  
Default: 1  
Numerical value for maximum allowed age. No more than 744 for hours, 31 for days.

recoveryPointAgeUnit (Optional)  
Type: String  
Default: days  
Unit of time for maximum allowed age. Accepted values: 'hours', 'days'.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d509c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ebs-meets-restore-time-target
<a name="ebs-meets-restore-time-target"></a>

Checks if the restore time of Amazon Elastic Block Store (Amazon EBS) volumes meets the specified duration. The rule is NON_COMPLIANT if LatestRestoreExecutionTimeMinutes of an Amazon EBS volume is greater than maxRestoreTime minutes.

**Identifier:** EBS_MEETS_RESTORE_TIME_TARGET

**Resource Types:** AWS::EC2::Volume

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

maxRestoreTime  
Type: int  
Numerical value for the maximum allowed restore runtime.

resourceTags (Optional)  
Type: String  
Tags for Amazon EBS volumes for the rule to check, in JSON format.

resourceId (Optional)  
Type: String  
ID of Amazon EBS volume for the rule to check.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d511c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ebs-optimized-instance
<a name="ebs-optimized-instance"></a>

Checks if Amazon EBS optimization is enabled for your Amazon Elastic Compute Cloud (Amazon EC2) instances that can be Amazon EBS-optimized. The rule is NON_COMPLIANT if EBS optimization is not enabled for an Amazon EC2 instance that can be EBS-optimized.

**Note**  
EC2 instances which are EBS-optimized by default always result in rule evaluations returning `COMPLIANT`.

**Identifier:** EBS_OPTIMIZED_INSTANCE

**Resource Types:** AWS::EC2::Instance

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Malaysia), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d513c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ebs-resources-in-logically-air-gapped-vault
<a name="ebs-resources-in-logically-air-gapped-vault"></a>

Checks if Amazon Elastic Block Store (Amazon EBS) volumes are in a logically air-gapped vault. The rule is NON_COMPLIANT if an Amazon EBS volume is not in a logically air-gapped vault within the specified time period.

**Identifier:** EBS_RESOURCES_IN_LOGICALLY_AIR_GAPPED_VAULT

**Resource Types:** AWS::EC2::Volume

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

resourceTags (Optional)  
Type: String  
Tags of Amazon EBS volumes for the rule to check, in JSON format.

resourceId (Optional)  
Type: String  
ID of Amazon EBS volume for the rule to check.

recoveryPointAgeValue (Optional)  
Type: int  
Default: 1  
Numerical value for maximum allowed age. No more than 2184 for hours, 91 for days.

recoveryPointAgeUnit (Optional)  
Type: String  
Default: days  
Unit of time for maximum allowed age. Accepted values: 'hours', 'days'.
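
A pre-deployment check for the recovery-point age bounds stated for this rule (2184 hours, 91 days) and for dynamodb-last-backup-recovery-point-created and ebs-last-backup-recovery-point-created (744 hours, 31 days). This is an added example, not AWS code: `build_recovery_point_rule`, `ParameterError` and the sample values are hypothetical, and the returned dictionary follows the `ConfigRule` shape that boto3's `put_config_rule` accepts.

```python
import json

# Upper bounds for recoveryPointAgeValue as documented for each rule, per unit.
AGE_LIMITS = {
    "DYNAMODB_LAST_BACKUP_RECOVERY_POINT_CREATED": {"hours": 744, "days": 31},
    "EBS_LAST_BACKUP_RECOVERY_POINT_CREATED": {"hours": 744, "days": 31},
    "EBS_RESOURCES_IN_LOGICALLY_AIR_GAPPED_VAULT": {"hours": 2184, "days": 91},
}

# Values accepted by MaximumExecutionFrequency in the PutConfigRule API.
FREQUENCIES = {"One_Hour", "Three_Hours", "Six_Hours",
               "Twelve_Hours", "TwentyFour_Hours"}


class ParameterError(ValueError):
    """An input parameter violates the constraints documented for the rule."""


def build_recovery_point_rule(identifier, rule_name, age_value=1, age_unit="days",
                              resource_tags=None, resource_id=None,
                              frequency="TwentyFour_Hours"):
    """Return a ConfigRule dict for put_config_rule, or raise ParameterError."""
    limits = AGE_LIMITS.get(identifier)
    if limits is None:
        raise ParameterError(f"no recovery-point age limits known for {identifier}")
    # Accepted units are the lowercase strings 'hours' and 'days'.
    if age_unit not in limits:
        raise ParameterError("recoveryPointAgeUnit must be 'hours' or 'days'")
    # bool is a subclass of int in Python, so reject it explicitly.
    if isinstance(age_value, bool) or not isinstance(age_value, int):
        raise ParameterError("recoveryPointAgeValue must be an int")
    # The lower bound of 1 is an assumption; the page states only the upper bound.
    if not 1 <= age_value <= limits[age_unit]:
        raise ParameterError(
            f"recoveryPointAgeValue {age_value} exceeds {limits[age_unit]} "
            f"{age_unit} allowed for {identifier}")
    if frequency not in FREQUENCIES:
        raise ParameterError(f"unsupported MaximumExecutionFrequency {frequency}")

    # Rule parameter values are passed as strings inside the JSON document.
    params = {"recoveryPointAgeValue": str(age_value),
              "recoveryPointAgeUnit": age_unit}
    if resource_id is not None:
        params["resourceId"] = resource_id
    if resource_tags is not None:
        if not resource_tags or not all(
                isinstance(k, str) and isinstance(v, str)
                for k, v in resource_tags.items()):
            raise ParameterError("resourceTags must map tag keys to tag values")
        # resourceTags is a String parameter that holds JSON, so it is
        # encoded once here and a second time with the outer document.
        params["resourceTags"] = json.dumps(resource_tags, sort_keys=True)

    return {
        "ConfigRuleName": rule_name,
        "Source": {"Owner": "AWS", "SourceIdentifier": identifier},
        "InputParameters": json.dumps(params, sort_keys=True),
        "MaximumExecutionFrequency": frequency,
    }


if __name__ == "__main__":
    # Constructed sample: 45 days is valid for the air-gapped vault rule only.
    for ident in ("EBS_RESOURCES_IN_LOGICALLY_AIR_GAPPED_VAULT",
                  "EBS_LAST_BACKUP_RECOVERY_POINT_CREATED"):
        try:
            rule = build_recovery_point_rule(ident, "sample-rule", 45, "days")
            print("ok      ", ident, rule["InputParameters"])
        except ParameterError as exc:
            print("rejected", ident, exc)
```

The same 45-day value is accepted for the air-gapped vault rule and rejected for the last-backup rule, so a shared parameter set is caught before it reaches the API.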

## AWS CloudFormation template
<a name="w2aac20c16c17b7d515c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ebs-resources-protected-by-backup-plan
<a name="ebs-resources-protected-by-backup-plan"></a>

Checks if Amazon Elastic Block Store (Amazon EBS) volumes are protected by a backup plan. The rule is NON_COMPLIANT if the Amazon EBS volume is not covered by a backup plan.

**Identifier:** EBS_RESOURCES_PROTECTED_BY_BACKUP_PLAN

**Resource Types:** AWS::EC2::Volume

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

resourceTags (Optional)  
Type: String  
Tags for Amazon EBS volumes for the rule to check, in JSON format `{"tagkey" : "tagValue"}`.

resourceId (Optional)  
Type: String  
ID of Amazon EBS volume for the rule to check.

crossRegionList (Optional)  
Type: String  
Comma-separated list of destination regions for the cross-region backup copy to be kept.

crossAccountList (Optional)  
Type: String  
Comma-separated list of destination accounts for cross-account backup copy to be kept.

maxRetentionDays (Optional)  
Type: int  
The maximum retention period in days for the Backup Vault Lock.

minRetentionDays (Optional)  
Type: int  
The minimum retention period in days for the Backup Vault Lock.

backupVaultLockCheck (Optional)  
Type: String  
Accepted values: 'True' or 'False'. Enter 'True' for the rule to check if the resource is backed up in a locked vault.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d517c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ebs-snapshot-block-public-access
<a name="ebs-snapshot-block-public-access"></a>

Checks if block public access is enabled for Amazon EBS snapshots in an AWS Region. The rule is NON_COMPLIANT if block public access is not enabled for all public sharing of EBS snapshots in an AWS Region.

**Identifier:** EBS_SNAPSHOT_BLOCK_PUBLIC_ACCESS

**Resource Types:** AWS::EC2::SnapshotBlockPublicAccess

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Mexico (Central), Asia Pacific (Taipei) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d519c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ebs-snapshot-public-restorable-check
<a name="ebs-snapshot-public-restorable-check"></a>

Checks if Amazon Elastic Block Store (Amazon EBS) snapshots are not publicly restorable. The rule is NON_COMPLIANT if the RestorableByUserIds field of one or more snapshots is set to all.

**Identifier:** EBS_SNAPSHOT_PUBLIC_RESTORABLE_CHECK

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Europe (Spain) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d521c17"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ec2-capacity-reservation-tagged
<a name="ec2-capacity-reservation-tagged"></a>

Checks if Amazon EC2 capacity reservations have tags. Optionally, you can specify tag keys for the rule. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** EC2_CAPACITY_RESERVATION_TAGGED

**Resource Types:** AWS::EC2::CapacityReservation

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), China (Ningxia) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d523c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ec2-carrier-gateway-tagged
<a name="ec2-carrier-gateway-tagged"></a>

Checks if Amazon EC2 carrier gateways have tags. Optionally, you can specify tag keys for the rule. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** EC2_CARRIER_GATEWAY_TAGGED

**Resource Types:** AWS::EC2::CarrierGateway

**Trigger type:** Configuration changes

**AWS Region:** Only available in Europe (Paris), US East (Ohio), Europe (Ireland), Europe (Frankfurt), US East (N. Virginia), Asia Pacific (Seoul), Europe (London), Asia Pacific (Tokyo), US West (Oregon), Asia Pacific (Sydney), Canada (Central) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d525c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ec2-client-vpn-connection-log-enabled
<a name="ec2-client-vpn-connection-log-enabled"></a>

Checks if AWS Client VPN endpoint has client connection logging enabled. The rule is NON_COMPLIANT if 'Configuration.ConnectionLogOptions.Enabled' is set to false.

**Identifier:** EC2_CLIENT_VPN_CONNECTION_LOG_ENABLED

**Resource Types:** AWS::EC2::ClientVpnEndpoint

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Jakarta), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d527c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ec2-client-vpn-endpoint-tagged
<a name="ec2-client-vpn-endpoint-tagged"></a>

Checks if Amazon EC2 client VPN endpoints have tags. Optionally, you can specify tag keys for the rule. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** EC2_CLIENT_VPN_ENDPOINT_TAGGED

**Resource Types:** AWS::EC2::ClientVpnEndpoint

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Jakarta), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d529c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ec2-client-vpn-not-authorize-all
<a name="ec2-client-vpn-not-authorize-all"></a>

Checks if the AWS Client VPN authorization rules authorize connection access for all clients. The rule is NON_COMPLIANT if 'AccessAll' is present and set to true.

**Identifier:** EC2_CLIENT_VPN_NOT_AUTHORIZE_ALL

**Resource Types:** AWS::EC2::ClientVpnEndpoint

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Jakarta), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Osaka), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d531c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ec2-dhcp-options-tagged
<a name="ec2-dhcp-options-tagged"></a>

Checks if Amazon EC2 DHCP options have tags. Optionally, you can specify tag keys for the rule. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** EC2_DHCP_OPTIONS_TAGGED

**Resource Types:** AWS::EC2::DHCPOptions

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), China (Ningxia) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d533c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ec2-ebs-encryption-by-default
<a name="ec2-ebs-encryption-by-default"></a>

Checks if Amazon Elastic Block Store (EBS) encryption is enabled by default. The rule is NON_COMPLIANT if the encryption is not enabled.

**Identifier:** EC2_EBS_ENCRYPTION_BY_DEFAULT

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d535c17"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ec2-enis-source-destination-check-enabled
<a name="ec2-enis-source-destination-check-enabled"></a>

Checks if EC2 ENIs managed by users have source/destination check enabled. The rule is NON_COMPLIANT if source/destination check is disabled on these ENIs for 'lambda', 'aws_codestar_connections_managed', 'branch', 'efa', 'interface', and 'quicksight'.

**Identifier:** EC2_ENIS_SOURCE_DESTINATION_CHECK_ENABLED

**Resource Types:** AWS::EC2::NetworkInterface

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Mexico (Central), Asia Pacific (Taipei) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d537c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ec2-fleet-tagged
<a name="ec2-fleet-tagged"></a>

Checks if Amazon EC2 fleets have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** EC2_FLEET_TAGGED

**Resource Types:** AWS::EC2::EC2Fleet

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d539c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ec2-imdsv2-check
<a name="ec2-imdsv2-check"></a>

Checks whether your Amazon Elastic Compute Cloud (Amazon EC2) instance metadata version is configured with Instance Metadata Service Version 2 (IMDSv2). The rule is NON_COMPLIANT if HttpTokens is set to optional.

**Identifier:** EC2_IMDSV2_CHECK

**Resource Types:** AWS::EC2::Instance

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d541c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ec2-instance-detailed-monitoring-enabled
<a name="ec2-instance-detailed-monitoring-enabled"></a>

Checks if detailed monitoring is enabled for EC2 instances. The rule is NON_COMPLIANT if detailed monitoring is not enabled.

**Identifier:** EC2_INSTANCE_DETAILED_MONITORING_ENABLED

**Resource Types:** AWS::EC2::Instance

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d543c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ec2-instance-launched-with-allowed-ami
<a name="ec2-instance-launched-with-allowed-ami"></a>

Checks if running or stopped EC2 instances were launched with Amazon Machine Images (AMIs) that meet your Allowed AMIs criteria. The rule is NON_COMPLIANT if an AMI doesn't meet the Allowed AMIs criteria and the Allowed AMIs setting isn't disabled.

**Identifier:** EC2_INSTANCE_LAUNCHED_WITH_ALLOWED_AMI

**Resource Types:** AWS::EC2::Instance

**Trigger type:** Configuration changes and Periodic

**AWS Region:** All supported AWS regions

**Parameters:**

InstanceStateNameList (Optional)  
Type: CSV  
Comma-separated list of Amazon EC2 instance states for the rule to check. Valid values are "running" and "stopped".

## AWS CloudFormation template
<a name="w2aac20c16c17b7d545c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ec2-instance-managed-by-systems-manager
<a name="ec2-instance-managed-by-systems-manager"></a>

**Important**  
For this rule, the rule identifier (EC2_INSTANCE_MANAGED_BY_SSM) and rule name (ec2-instance-managed-by-systems-manager) are different.

Checks if your Amazon EC2 instances are managed by AWS Systems Manager Agent (SSM Agent). The rule is NON_COMPLIANT if an EC2 instance is running and the SSM Agent is stopped, or if an EC2 instance is running and the SSM Agent is terminated.

**Note**  
The rule will not return NON_COMPLIANT if an EC2 instance is stopped and the SSM Agent is running.

**Identifier:** EC2_INSTANCE_MANAGED_BY_SSM

**Resource Types:** AWS::EC2::Instance, AWS::SSM::ManagedInstanceInventory

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d547c23"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ec2-instance-multiple-eni-check
<a name="ec2-instance-multiple-eni-check"></a>

Checks if an Amazon Elastic Compute Cloud (Amazon EC2) instance uses multiple Elastic Network Interfaces (ENIs) or Elastic Fabric Adapters (EFAs). The rule is NON_COMPLIANT if an Amazon EC2 instance uses multiple network interfaces.

**Identifier:** EC2_INSTANCE_MULTIPLE_ENI_CHECK

**Resource Types:** AWS::EC2::Instance

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions

**Parameters:**

NetworkInterfaceIds (Optional)  
Type: CSV  
Comma-separated list of network instance IDs

## Proactive Evaluation
<a name="w2aac20c16c17b7d549c19"></a>

 For steps on how to run this rule in proactive mode, see [Evaluating Your Resources with AWS Config Rules](./evaluating-your-resources.html#evaluating-your-resources-proactive). For this rule to return COMPLIANT in proactive mode, the resource configuration schema for the [StartResourceEvaluation](https://docs.aws.amazon.com/config/latest/APIReference/API_StartResourceEvaluation.html) API needs to include the following inputs, encoded as a string: 

```
"ResourceConfiguration":
...
{
   "NetworkInterfaces": "[NetworkInterfaceId-1, NetworkInterfaceId-2, NetworkInterfaceId-3, ...]"
} 
...
```

 For more information on proactive evaluation, see [Evaluation Mode](./evaluate-config-rules.html). 

## AWS CloudFormation template
<a name="w2aac20c16c17b7d549c21"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ec2-instance-no-public-ip
<a name="ec2-instance-no-public-ip"></a>

Checks whether Amazon Elastic Compute Cloud (Amazon EC2) instances have a public IP association. The rule is NON_COMPLIANT if the publicIp field is present in the Amazon EC2 instance configuration item. This rule applies only to IPv4.

**Context**: Public IP addresses can make EC2 instances directly accessible from the internet, which might not always be desirable from a security or compliance standpoint:
+ **Security**: In many cases, you might not want your EC2 instances to have public IP addresses unless they need to be publicly accessible. Having a public IP address can expose your EC2 instance to potential security risks, such as unauthorized access or attacks.
+ **Compliance**: Various compliance standards such as PCI DSS or HIPAA have specific requirements regarding network segmentation and access controls. Ensuring that EC2 instances do not have unnecessary public IP addresses can help ensure compliance with these requirements.
+ **Cost Management**: Public IP addresses can incur additional costs, especially if there are EC2 instances continuously associated with them. By identifying EC2 instances with public IPs which do not need them, you can potentially reduce costs.

**Identifier:** EC2_INSTANCE_NO_PUBLIC_IP

**Resource Types:** AWS::EC2::Instance

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d551c21"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ec2-instance-profile-attached
<a name="ec2-instance-profile-attached"></a>

Checks if an EC2 instance has an AWS Identity and Access Management (IAM) profile attached to it. The rule is NON_COMPLIANT if no IAM profile is attached to the EC2 instance.

**Identifier:** EC2_INSTANCE_PROFILE_ATTACHED

**Resource Types:** AWS::EC2::Instance

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions

**Parameters:**

IamInstanceProfileArnList (Optional)  
Type: CSV  
Comma-separated list of IAM profile Amazon Resource Names (ARNs) that can be attached to Amazon EC2 instances.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d553c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ec2-ipamscope-tagged
<a name="ec2-ipamscope-tagged"></a>

Checks if Amazon EC2 IPAM Scopes have tags. Optionally, required tag keys can be specified. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** EC2_IPAMSCOPE_TAGGED

**Resource Types:** AWS::EC2::IPAMScope

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d555c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ec2-last-backup-recovery-point-created
<a name="ec2-last-backup-recovery-point-created"></a>

Checks if a recovery point was created for Amazon Elastic Compute Cloud (Amazon EC2) instances. The rule is NON_COMPLIANT if the Amazon EC2 instance does not have a corresponding recovery point created within the specified time period.

**Identifier:** EC2_LAST_BACKUP_RECOVERY_POINT_CREATED

**Resource Types:** AWS::EC2::Instance

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

resourceTags (Optional)  
Type: String  
Tags of Amazon EC2 instances for the rule to check, in JSON format `{"tagkey" : "tagValue"}`.

resourceId (Optional)  
Type: String  
ID of Amazon EC2 instance for the rule to check.

recoveryPointAgeValue (Optional)  
Type: int  
Default: 1  
Numerical value for maximum allowed age. No more than 744 for hours, 31 for days.

recoveryPointAgeUnit (Optional)  
Type: String  
Default: days  
Unit of time for maximum allowed age. Accepted values: 'hours', 'days'.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d557c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ec2-launchtemplate-ebs-encrypted
<a name="ec2-launchtemplate-ebs-encrypted"></a>

Checks if Amazon EC2 launch template resources have encrypted EBS volumes. The rule is NON_COMPLIANT if any EBS volumes are not encrypted. The rule will only check the default version of the LaunchTemplate.

**Identifier:** EC2_LAUNCHTEMPLATE_EBS_ENCRYPTED

**Resource Types:** AWS::EC2::LaunchTemplate

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d559c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ec2-launch-templates-ebs-volume-encrypted
<a name="ec2-launch-templates-ebs-volume-encrypted"></a>

Checks whether Amazon EC2 launch templates have encryption enabled for all attached EBS volumes. The rule is NON_COMPLIANT if encryption is set to False for any EBS volume configured in the launch template.

**Identifier:** EC2_LAUNCH_TEMPLATES_EBS_VOLUME_ENCRYPTED

**Resource Types:** AWS::EC2::LaunchTemplate

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d561c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ec2-launch-template-imdsv2-check
<a name="ec2-launch-template-imdsv2-check"></a>

Checks if the currently set default version of an Amazon EC2 Launch Template requires newly launched instances to use V2 of the Amazon EC2 Instance Metadata Service (IMDSv2). The rule is NON_COMPLIANT if 'Metadata version' is not specified as V2 (IMDSv2).

**Identifier:** EC2_LAUNCH_TEMPLATE_IMDSV2_CHECK

**Resource Types:** AWS::EC2::LaunchTemplate

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d563c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ec2-launch-template-public-ip-disabled
<a name="ec2-launch-template-public-ip-disabled"></a>

Checks if Amazon EC2 Launch Templates are set to assign public IP addresses to Network Interfaces. The rule is NON_COMPLIANT if the default version of an EC2 Launch Template has at least 1 Network Interface with 'AssociatePublicIpAddress' set to 'true'.

**Identifier:** EC2_LAUNCH_TEMPLATE_PUBLIC_IP_DISABLED

**Resource Types:** AWS::EC2::LaunchTemplate

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), Europe (Zurich) Region

**Parameters:**

exemptedLaunchTemplates (Optional)  
Type: CSV  
Comma-separated list of exempted EC2 Launch Template IDs that are allowed to have Network Interfaces with the AssociatePublicIpAddress value set to 'true'.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d565c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ec2-launch-template-tagged
<a name="ec2-launch-template-tagged"></a>

Checks if Amazon EC2 launch templates have tags. Optionally, you can specify tag keys for the rule. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** EC2_LAUNCH_TEMPLATE_TAGGED

**Resource Types:** AWS::EC2::LaunchTemplate

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.
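
The tag checks described for this rule and the other `*-tagged` rules (no tags, missing required keys, case-sensitive keys, tags starting with 'aws:' not checked) can be modelled locally to preview how a `requiredKeyTags` value will score resources before the rule is deployed. This is an added example, not AWS's rule code; the tag-map input shape, the sample resources, and the trimming of spaces in the CSV are assumptions.

```python
# Added example: local model of the documented "*-tagged" rule behaviour.
# Not AWS's rule code. Input shapes and whitespace handling are assumptions.

RESERVED_PREFIX = "aws:"  # assumption: the prefix is matched exactly as written


def parse_required_key_tags(csv_value):
    """Split the requiredKeyTags CSV into a list of tag keys.

    Returns [] when the parameter is omitted. Raises ValueError for keys that
    start with 'aws:', which the parameter description says are not allowed.
    Trimming spaces around commas is an assumption of this example.
    """
    if csv_value is None or not csv_value.strip():
        return []
    keys = [part.strip() for part in csv_value.split(",") if part.strip()]
    reserved = [k for k in keys if k.startswith(RESERVED_PREFIX)]
    if reserved:
        raise ValueError(f"tag keys starting with 'aws:' are not allowed: {reserved}")
    return keys


def evaluate_tagged(tags, required_key_tags=None):
    """Return (compliance, annotation) for one resource's tag map."""
    required = parse_required_key_tags(required_key_tags)
    # Tags starting with 'aws:' are not checked, so they never count as tags here.
    user_keys = {k for k in (tags or {}) if not k.startswith(RESERVED_PREFIX)}
    if not user_keys:
        return "NON_COMPLIANT", "no tags other than 'aws:' tags"
    # Case-sensitive comparison: 'owner' does not satisfy 'Owner'.
    missing = [k for k in required if k not in user_keys]
    if missing:
        return "NON_COMPLIANT", "missing tag keys: " + ", ".join(missing)
    return "COMPLIANT", "all required tag keys present"


def evaluate_all(resources, required_key_tags=None):
    """Map each resource ID to its compliance result."""
    return {
        rid: evaluate_tagged(tags, required_key_tags)[0]
        for rid, tags in resources.items()
    }


# Constructed sample resources (IDs and tags are made up for illustration).
SAMPLE_RESOURCES = {
    "lt-constructed-01": {"Owner": "netsec", "CostCenter": "1234"},
    "lt-constructed-02": {"owner": "netsec", "CostCenter": "1234"},  # wrong case
    "lt-constructed-03": {"aws:cloudformation:stack-name": "demo"},  # only aws: tag
    "lt-constructed-04": {},                                         # untagged
    "lt-constructed-05": {"Team": "platform"},                       # tagged, keys missing
}

if __name__ == "__main__":
    for rid, tags in SAMPLE_RESOURCES.items():
        print(rid, *evaluate_tagged(tags, "Owner, CostCenter"))
```
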

## AWS CloudFormation template
<a name="w2aac20c16c17b7d567c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ec2-managedinstance-applications-blacklisted
<a name="ec2-managedinstance-applications-blacklisted"></a>

Checks if none of the specified applications are installed on the instance. Optionally, specify the version. Newer versions will not be denylisted. Optionally, specify the platform to apply the rule only to instances running that platform. 



**Identifier:** EC2_MANAGEDINSTANCE_APPLICATIONS_BLACKLISTED

**Resource Types:** AWS::SSM::ManagedInstanceInventory

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions

**Parameters:**

applicationNames  
Type: CSV  
Comma-separated list of application names. Optionally, specify versions appended with ':' (for example, 'Chrome:0.5.3, Firefox').  
The application names must be an exact match. For example, use **firefox** on Linux or **firefox-compat** on Amazon Linux. In addition, AWS Config does not currently support wildcards for the *applicationNames* parameter (for example, **firefox\***).

platformType (Optional)  
Type: String  
Platform type (for example, 'Linux' or 'Windows').

## AWS CloudFormation template
<a name="w2aac20c16c17b7d569c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ec2-managedinstance-applications-required
<a name="ec2-managedinstance-applications-required"></a>

Checks if all of the specified applications are installed on the instance. Optionally, specify the minimum acceptable version. You can also specify the platform to apply the rule only to instances running that platform.

**Note**  
Ensure that SSM agent is running on the EC2 instance and an association to gather application software inventory is created. The rule returns `NOT_APPLICABLE` if SSM agent is not installed or an association is not yet created or running.



**Identifier:** EC2_MANAGEDINSTANCE_APPLICATIONS_REQUIRED

**Resource Types:** AWS::SSM::ManagedInstanceInventory

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions

**Parameters:**

applicationNames  
Type: CSV  
Comma-separated list of application names. Optionally, specify versions appended with ':' (for example, 'Chrome:0.5.3, Firefox').  
The application names must be an exact match. For example, use **firefox** on Linux or **firefox-compat** on Amazon Linux. In addition, AWS Config does not currently support wildcards for the *applicationNames* parameter (for example, **firefox\***).

platformType (Optional)  
Type: String  
Platform type (for example, 'Linux' or 'Windows').

## AWS CloudFormation template
<a name="w2aac20c16c17b7d571c21"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ec2-managedinstance-association-compliance-status-check
<a name="ec2-managedinstance-association-compliance-status-check"></a>

Checks if the status of the AWS Systems Manager association compliance is COMPLIANT or NON_COMPLIANT after the association execution on the instance. The rule is compliant if the field status is COMPLIANT. For more information about associations, see [What is an association?](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-state.html#state-manager-association-what-is).

**Identifier:** EC2_MANAGEDINSTANCE_ASSOCIATION_COMPLIANCE_STATUS_CHECK

**Resource Types:** AWS::SSM::AssociationCompliance

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Osaka), Mexico (Central), Asia Pacific (Taipei) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d573c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ec2-managedinstance-inventory-blacklisted
<a name="ec2-managedinstance-inventory-blacklisted"></a>

Checks whether instances managed by Amazon EC2 Systems Manager are configured to collect blacklisted inventory types. 



**Identifier:** EC2_MANAGEDINSTANCE_INVENTORY_BLACKLISTED

**Resource Types:** AWS::SSM::ManagedInstanceInventory

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions

**Parameters:**

inventoryNames  
Type: CSV  
Comma-separated list of Systems Manager inventory types (for example, 'AWS:Network, AWS:WindowsUpdate').

platformType (Optional)  
Type: String  
Platform type (for example, 'Linux').

## AWS CloudFormation template
<a name="w2aac20c16c17b7d575c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ec2-managedinstance-patch-compliance-status-check
<a name="ec2-managedinstance-patch-compliance-status-check"></a>

Checks if the compliance status of the AWS Systems Manager patch compliance is COMPLIANT or NON_COMPLIANT after the patch installation on the instance. The rule is compliant if the field status is COMPLIANT.

**Identifier:** EC2_MANAGEDINSTANCE_PATCH_COMPLIANCE_STATUS_CHECK

**Resource Types:** AWS::SSM::PatchCompliance

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (Osaka), Europe (Milan) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d577c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ec2-managedinstance-platform-check
<a name="ec2-managedinstance-platform-check"></a>

Checks whether EC2 managed instances have the desired configurations. 



**Identifier:** EC2_MANAGEDINSTANCE_PLATFORM_CHECK

**Resource Types:** AWS::SSM::ManagedInstanceInventory

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions

**Parameters:**

platformType  
Type: String  
Platform type (for example, 'Linux').

platformVersion (Optional)  
Type: String  
Platform version (for example, '2016.09').

agentVersion (Optional)  
Type: String  
Agent version (for example, '2.0.433.0').

platformName (Optional)  
Type: String  
The name of the platform (for example, 'Amazon Linux').

## AWS CloudFormation template
<a name="w2aac20c16c17b7d579c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ec2-meets-restore-time-target
<a name="ec2-meets-restore-time-target"></a>

Checks if the restore time of Amazon Elastic Compute Cloud (Amazon EC2) instances meets the specified duration. The rule is NON_COMPLIANT if LatestRestoreExecutionTimeMinutes of an Amazon EC2 instance is greater than maxRestoreTime minutes.

**Identifier:** EC2_MEETS_RESTORE_TIME_TARGET

**Resource Types:** AWS::EC2::Instance

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

maxRestoreTime  
Type: int  
Numerical value for the maximum allowed restore runtime.

resourceTags (Optional)  
Type: String  
Tags of Amazon EC2 instances for the rule to check, in JSON format.

resourceId (Optional)  
Type: String  
ID of Amazon EC2 instance for the rule to check.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d581c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ec2-network-insights-access-scope-analysis-tagged
<a name="ec2-network-insights-access-scope-analysis-tagged"></a>

Checks if Amazon EC2 network insights access scope analyses have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** EC2_NETWORK_INSIGHTS_ACCESS_SCOPE_ANALYSIS_TAGGED

**Resource Types:** AWS::EC2::NetworkInsightsAccessScopeAnalysis

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Jakarta), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d583c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ec2-network-insights-access-scope-tagged
<a name="ec2-network-insights-access-scope-tagged"></a>

Checks if Amazon EC2 network insights access scopes have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** EC2_NETWORK_INSIGHTS_ACCESS_SCOPE_TAGGED

**Resource Types:** AWS::EC2::NetworkInsightsAccessScope

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Jakarta), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d585c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ec2-network-insights-analysis-tagged
<a name="ec2-network-insights-analysis-tagged"></a>

Checks if Amazon EC2 network insights analyses have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** EC2_NETWORK_INSIGHTS_ANALYSIS_TAGGED

**Resource Types:** AWS::EC2::NetworkInsightsAnalysis

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Jakarta), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Osaka), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d587c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ec2-network-insights-path-tagged
<a name="ec2-network-insights-path-tagged"></a>

Checks if Amazon EC2 network insights paths have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** EC2_NETWORK_INSIGHTS_PATH_TAGGED

**Resource Types:** AWS::EC2::NetworkInsightsPath

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Jakarta), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d589c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ec2-no-amazon-key-pair
<a name="ec2-no-amazon-key-pair"></a>

Checks if running Amazon Elastic Compute Cloud (EC2) instances are launched using Amazon key pairs. The rule is NON_COMPLIANT if a running EC2 instance is launched with a key pair.

**Identifier:** EC2_NO_AMAZON_KEY_PAIR

**Resource Types:** AWS::EC2::Instance

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Jakarta), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d591c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ec2-paravirtual-instance-check
<a name="ec2-paravirtual-instance-check"></a>

Checks if the virtualization type of an EC2 instance is paravirtual. This rule is NON_COMPLIANT for an EC2 instance if 'virtualizationType' is set to 'paravirtual'.

**Identifier:** EC2_PARAVIRTUAL_INSTANCE_CHECK

**Resource Types:** AWS::EC2::Instance

**Trigger type:** Configuration changes

**AWS Region:** Only available in China (Beijing), Europe (Ireland), Europe (Frankfurt), South America (Sao Paulo), US East (N. Virginia), Asia Pacific (Tokyo), US West (Oregon), US West (N. California), Asia Pacific (Singapore), Asia Pacific (Sydney) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d593c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ec2-prefix-list-tagged
<a name="ec2-prefix-list-tagged"></a>

Checks if Amazon EC2 managed prefix lists have tags. Optionally, you can specify tag keys for the rule. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** EC2_PREFIX_LIST_TAGGED

**Resource Types:** AWS::EC2::PrefixList

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), China (Ningxia) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d595c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ec2-resources-in-logically-air-gapped-vault
<a name="ec2-resources-in-logically-air-gapped-vault"></a>

Checks if Amazon Elastic Compute Cloud (Amazon EC2) instances are in a logically air-gapped vault. The rule is NON_COMPLIANT if an Amazon EC2 instance is not in a logically air-gapped vault within the specified time period.

**Identifier:** EC2_RESOURCES_IN_LOGICALLY_AIR_GAPPED_VAULT

**Resource Types:** AWS::EC2::Instance

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

resourceTags (Optional)  
Type: String  
Tags of Amazon EC2 instances for the rule to check, in JSON format.

resourceId (Optional)  
Type: String  
ID of Amazon EC2 instance for the rule to check.

recoveryPointAgeValue (Optional)  
Type: int  
Default: 1  
Numerical value for maximum allowed age. No more than 2184 for hours, 91 for days.

recoveryPointAgeUnit (Optional)  
Type: String  
Default: days  
Unit of time for maximum allowed age. Accepted values: 'hours', 'days'.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d597c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ec2-resources-protected-by-backup-plan
<a name="ec2-resources-protected-by-backup-plan"></a>

Checks if Amazon Elastic Compute Cloud (Amazon EC2) instances are protected by a backup plan. The rule is NON_COMPLIANT if the Amazon EC2 instance is not covered by a backup plan.

**Note**  
This rule is only applicable to running Amazon EC2 instances and not to instances that are powered down.

**Identifier:** EC2_RESOURCES_PROTECTED_BY_BACKUP_PLAN

**Resource Types:** AWS::EC2::Instance

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

resourceTags (Optional)  
Type: String  
Tags for Amazon EC2 instances for the rule to check, in JSON format `{"tagkey" : "tagValue"}`.

resourceId (Optional)  
Type: String  
ID of Amazon EC2 instance for the rule to check.

crossRegionList (Optional)  
Type: String  
Comma-separated list of destination regions for the cross-region backup copy to be kept.

crossAccountList (Optional)  
Type: String  
Comma-separated list of destination accounts for cross-account backup copy to be kept.

maxRetentionDays (Optional)  
Type: int  
The maximum retention period in days for the Backup Vault Lock.

minRetentionDays (Optional)  
Type: int  
The minimum retention period in days for the Backup Vault Lock.

backupVaultLockCheck (Optional)  
Type: String  
Accepted values: 'True' or 'False'. Enter 'True' for the rule to check if the resource is backed up in a locked vault.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d599c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ec2-security-group-attached-to-eni
<a name="ec2-security-group-attached-to-eni"></a>

Checks if non-default security groups are attached to elastic network interfaces. The rule is NON_COMPLIANT if the security group is not associated with a network interface.

**Identifier:** EC2_SECURITY_GROUP_ATTACHED_TO_ENI

**Resource Types:** AWS::EC2::SecurityGroup

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d601c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ec2-security-group-attached-to-eni-periodic
<a name="ec2-security-group-attached-to-eni-periodic"></a>

Checks if non-default security groups are attached to elastic network interfaces (ENIs). The rule is NON_COMPLIANT if the security group is not associated with an ENI. Security groups not owned by the calling account evaluate as NOT_APPLICABLE.

**Note**  
This rule reports on the `AWS::EC2::SecurityGroup` resource type. However, in order for the rule to run effectively, you must enable the recording of the `AWS::EC2::NetworkInterface` resource type.

**Identifier:** EC2_SECURITY_GROUP_ATTACHED_TO_ENI_PERIODIC

**Resource Types:** AWS::EC2::SecurityGroup

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Jakarta), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Osaka), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d603c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ec2-spot-fleet-request-ct-encryption-at-rest
<a name="ec2-spot-fleet-request-ct-encryption-at-rest"></a>

Checks if Amazon EC2 Spot Fleet request launch parameters set encrypted to True for attached EBS volumes. The rule is NON_COMPLIANT if any EBS volume has encrypted set to False. The rule does not evaluate Spot Fleet requests using launch templates.

**Identifier:** EC2_SPOT_FLEET_REQUEST_CT_ENCRYPTION_AT_REST

**Resource Types:** AWS::EC2::SpotFleet

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Malaysia), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d605c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ec2-stopped-instance
<a name="ec2-stopped-instance"></a>

Checks if there are Amazon Elastic Compute Cloud (Amazon EC2) instances stopped for more than the allowed number of days. The rule is NON_COMPLIANT if the state of an Amazon EC2 instance has been stopped for longer than the allowed number of days, or if the amount of time cannot be determined.

**Identifier:** EC2_STOPPED_INSTANCE

**Resource Types:** AWS::EC2::Instance

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions

**Parameters:**

AllowedDays (Optional)  
Type: int  
Default: 30  
The number of days an Amazon EC2 instance can be stopped before the rule is NON_COMPLIANT. The default number of days is 30.  
The number of days selected needs to be less than the configured retention period since this rule relies on the historical data collected. For more information about historical data retention, see [Deleting AWS Config Data](https://docs.aws.amazon.com/config/latest/developerguide/delete-config-data-with-retention-period.html).

## AWS CloudFormation template
<a name="w2aac20c16c17b7d607c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ec2-token-hop-limit-check
<a name="ec2-token-hop-limit-check"></a>

Checks if an Amazon Elastic Compute Cloud (EC2) instance metadata has a specified token hop limit that is below the desired limit. The rule is NON_COMPLIANT for an instance if it has a hop limit value above the intended limit.

**Identifier:** EC2_TOKEN_HOP_LIMIT_CHECK

**Resource Types:** AWS::EC2::Instance

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Jakarta), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

tokenHopLimit (Optional)  
Type: int  
The desired token hop limit. Valid values are between 1 and 64, both inclusive. Default value is 1 if parameter is not specified.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d609c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ec2-traffic-mirror-filter-description
<a name="ec2-traffic-mirror-filter-description"></a>

Checks if Amazon EC2 traffic mirror filters have a description. The rule is NON_COMPLIANT if configuration.Description does not exist.

**Identifier:** EC2_TRAFFIC_MIRROR_FILTER_DESCRIPTION

**Resource Types:** AWS::EC2::TrafficMirrorFilter

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d611c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ec2-traffic-mirror-filter-tagged
<a name="ec2-traffic-mirror-filter-tagged"></a>

Checks if Amazon EC2 traffic mirror filters have tags. Optionally, you can specify tag keys for the rule. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** EC2_TRAFFIC_MIRROR_FILTER_TAGGED

**Resource Types:** AWS::EC2::TrafficMirrorFilter

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), China (Ningxia) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d613c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ec2-traffic-mirror-session-description
<a name="ec2-traffic-mirror-session-description"></a>

Checks if Amazon EC2 traffic mirror sessions have a description. The rule is NON_COMPLIANT if configuration.Description does not exist.

**Identifier:** EC2_TRAFFIC_MIRROR_SESSION_DESCRIPTION

**Resource Types:** AWS::EC2::TrafficMirrorSession

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Jakarta), Africa (Cape Town), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Europe (Milan), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d615c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ec2-traffic-mirror-session-tagged
<a name="ec2-traffic-mirror-session-tagged"></a>

Checks if Amazon EC2 traffic mirror sessions have tags. Optionally, you can specify tag keys for the rule. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** EC2_TRAFFIC_MIRROR_SESSION_TAGGED

**Resource Types:** AWS::EC2::TrafficMirrorSession

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Jakarta), Africa (Cape Town), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Europe (Milan), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d617c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ec2-traffic-mirror-target-description
<a name="ec2-traffic-mirror-target-description"></a>

Checks if Amazon EC2 traffic mirror targets have a description. The rule is NON_COMPLIANT if configuration.Description does not exist.

**Identifier:** EC2_TRAFFIC_MIRROR_TARGET_DESCRIPTION

**Resource Types:** AWS::EC2::TrafficMirrorTarget

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Jakarta), Africa (Cape Town), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d619c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ec2-traffic-mirror-target-tagged
<a name="ec2-traffic-mirror-target-tagged"></a>

Checks if Amazon EC2 traffic mirror targets have tags. Optionally, you can specify tag keys for the rule. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** EC2_TRAFFIC_MIRROR_TARGET_TAGGED

**Resource Types:** AWS::EC2::TrafficMirrorTarget

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Jakarta), Africa (Cape Town), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d621c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ec2-transit-gateway-auto-vpc-attach-disabled
<a name="ec2-transit-gateway-auto-vpc-attach-disabled"></a>

Checks if Amazon Elastic Compute Cloud (Amazon EC2) Transit Gateways have 'AutoAcceptSharedAttachments' enabled. The rule is NON_COMPLIANT for a Transit Gateway if 'AutoAcceptSharedAttachments' is set to 'enable'.

**Identifier:** EC2_TRANSIT_GATEWAY_AUTO_VPC_ATTACH_DISABLED

**Resource Types:** AWS::EC2::TransitGateway

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Osaka), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d623c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ec2-transit-gateway-multicast-domain-tagged
<a name="ec2-transit-gateway-multicast-domain-tagged"></a>

Checks if Amazon EC2 transit gateway multicast domains have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** EC2_TRANSIT_GATEWAY_MULTICAST_DOMAIN_TAGGED

**Resource Types:** AWS::EC2::TransitGatewayMulticastDomain

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), China (Ningxia) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d625c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ec2-volume-inuse-check
<a name="ec2-volume-inuse-check"></a>

Checks if EBS volumes are attached to EC2 instances. Optionally checks if EBS volumes are marked for deletion when an instance is terminated.

The rule is COMPLIANT if an EBS volume is attached to running or stopped EC2 instances.

The rule is NON_COMPLIANT if an EBS volume is not attached to any EC2 instance or is attached to a terminated EC2 instance.

**Identifier:** EC2_VOLUME_INUSE_CHECK

**Resource Types:** AWS::EC2::Volume

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions

**Parameters:**

deleteOnTermination (Optional)  
Type: boolean  
EBS volumes are marked for deletion when an instance is terminated. Possible values: True or False (other input values are marked as NON_COMPLIANT). If set to `True`, the rule is NON_COMPLIANT if a terminated EBS volume is not marked for deletion.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d627c23"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ec2-vpn-connection-ike-version-check
<a name="ec2-vpn-connection-ike-version-check"></a>

Checks if an Amazon EC2 VPN connection is configured to use only the IKEv2 protocol. The rule is NON_COMPLIANT if the VPN connection's tunnel allows IKE versions other than IKEv2.

**Identifier:** EC2_VPN_CONNECTION_IKE_VERSION_CHECK

**Resource Types:** AWS::EC2::VPNConnection

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Middle East (Bahrain), China (Beijing), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Malaysia), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d629c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ec2-vpn-connection-logging-enabled
<a name="ec2-vpn-connection-logging-enabled"></a>

Checks if AWS Site-to-Site VPN connections have Amazon CloudWatch logging enabled for both tunnels. The rule is NON_COMPLIANT if a Site-to-Site VPN connection does not have CloudWatch logging enabled for either or both tunnels.

**Identifier:** EC2_VPN_CONNECTION_LOGGING_ENABLED

**Resource Types:** AWS::EC2::VPNConnection

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d631c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ec2-vpn-connection-tagged
<a name="ec2-vpn-connection-tagged"></a>

Checks if Amazon EC2 VPN connections have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** EC2_VPN_CONNECTION_TAGGED

**Resource Types:** AWS::EC2::VPNConnection

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), China (Ningxia) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d633c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ecr-private-image-scanning-enabled
<a name="ecr-private-image-scanning-enabled"></a>

Checks if a private Amazon Elastic Container Registry (Amazon ECR) repository has image scanning enabled. The rule is NON_COMPLIANT if the private Amazon ECR repository's scan frequency is not on scan on push or continuous scan. For more information on enabling image scanning, see [Image scanning](https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html) in the *Amazon ECR User Guide*.

**Identifier:** ECR_PRIVATE_IMAGE_SCANNING_ENABLED

**Resource Types:** AWS::ECR::Repository

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Mexico (Central), Asia Pacific (Taipei), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d635c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ecr-private-lifecycle-policy-configured
<a name="ecr-private-lifecycle-policy-configured"></a>

Checks if a private Amazon Elastic Container Registry (ECR) repository has at least one lifecycle policy configured. The rule is NON_COMPLIANT if no lifecycle policy is configured for the ECR private repository.

**Identifier:** ECR_PRIVATE_LIFECYCLE_POLICY_CONFIGURED

**Resource Types:** AWS::ECR::Repository

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Malaysia), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d637c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ecr-private-tag-immutability-enabled
<a name="ecr-private-tag-immutability-enabled"></a>

Checks if a private Amazon Elastic Container Registry (ECR) repository has tag immutability enabled. This rule is NON_COMPLIANT if tag immutability is not enabled for the private ECR repository.

**Identifier:** ECR_PRIVATE_TAG_IMMUTABILITY_ENABLED

**Resource Types:** AWS::ECR::Repository

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Malaysia), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d639c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ecr-repository-cmk-encryption-enabled
<a name="ecr-repository-cmk-encryption-enabled"></a>

Checks if an ECR repository is encrypted at rest using a customer-managed KMS key. This rule is NON_COMPLIANT if the repository is encrypted using AES256 or the default KMS key ('aws/ecr').

**Identifier:** ECR_REPOSITORY_CMK_ENCRYPTION_ENABLED

**Resource Types:** AWS::ECR::Repository

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Malaysia), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary) Region

**Parameters:**

kmsKeyArns (Optional)  
Type: CSV  
Comma-separated list of KMS key Amazon Resource Names (ARNs) intended to encrypt the ECR repository.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d641c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ecr-repository-tagged
<a name="ecr-repository-tagged"></a>

Checks if Amazon ECR repositories have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** ECR_REPOSITORY_TAGGED

**Resource Types:** AWS::ECR::Repository

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), China (Ningxia) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d643c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ecs-awsvpc-networking-enabled
<a name="ecs-awsvpc-networking-enabled"></a>

Checks if the networking mode for active ECSTaskDefinitions is set to ‘awsvpc’. This rule is NON_COMPLIANT if active ECSTaskDefinitions are not set to ‘awsvpc’.

**Note**  
This rule only evaluates the latest active revision of an Amazon ECS task definition.

**Identifier:** ECS_AWSVPC_NETWORKING_ENABLED

**Resource Types:** AWS::ECS::TaskDefinition

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Jakarta), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Osaka), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d645c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ecs-capacity-provider-tagged
<a name="ecs-capacity-provider-tagged"></a>

Checks if Amazon ECS capacity providers have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** ECS_CAPACITY_PROVIDER_TAGGED

**Resource Types:** AWS::ECS::CapacityProvider

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), China (Ningxia) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d647c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ecs-capacity-provider-termination-check
<a name="ecs-capacity-provider-termination-check"></a>

Checks if an Amazon ECS Capacity provider containing Auto Scaling groups has managed termination protection enabled. This rule is NON_COMPLIANT if managed termination protection is disabled on the ECS Capacity Provider.

**Identifier:** ECS_CAPACITY_PROVIDER_TERMINATION_CHECK

**Resource Types:** AWS::ECS::CapacityProvider

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Malaysia), Mexico (Central), Asia Pacific (Taipei) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d649c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ecs-containers-nonprivileged
<a name="ecs-containers-nonprivileged"></a>

Checks if the privileged parameter in the container definition of ECSTaskDefinitions is set to ‘true’. The rule is NON_COMPLIANT if the privileged parameter is ‘true’.

**Note**  
This rule only evaluates the latest active revision of an Amazon ECS task definition.

**Identifier:** ECS_CONTAINERS_NONPRIVILEGED

**Resource Types:** AWS::ECS::TaskDefinition

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Mexico (Central), Asia Pacific (Taipei) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d651c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ecs-containers-readonly-access
<a name="ecs-containers-readonly-access"></a>

Checks if Amazon Elastic Container Service (Amazon ECS) Containers only have read-only access to their root filesystems. The rule is NON_COMPLIANT if the readonlyRootFilesystem parameter in the container definition of ECSTaskDefinitions is set to ‘false’.

**Note**  
This rule only evaluates the latest active revision of an Amazon ECS task definition.

**Identifier:** ECS_CONTAINERS_READONLY_ACCESS

**Resource Types:** AWS::ECS::TaskDefinition

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Mexico (Central), Asia Pacific (Taipei) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d653c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ecs-container-insights-enabled
<a name="ecs-container-insights-enabled"></a>

Checks if Amazon Elastic Container Service clusters have container insights enabled. The rule is NON_COMPLIANT if container insights are not enabled.

**Identifier:** ECS_CONTAINER_INSIGHTS_ENABLED

**Resource Types:** AWS::ECS::Cluster

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Mexico (Central), Asia Pacific (Taipei) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d655c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ecs-fargate-latest-platform-version
<a name="ecs-fargate-latest-platform-version"></a>

Checks if ECS Fargate services are set to the latest platform version. The rule is NON_COMPLIANT if PlatformVersion for the Fargate launch type is not set to LATEST, or if neither `latestLinuxVersion` nor `latestWindowsVersion` is provided as a parameter.

**Identifier:** ECS_FARGATE_LATEST_PLATFORM_VERSION

**Resource Types:** AWS::ECS::Service

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions

**Parameters:**

latestLinuxVersion (Optional)  
Type: String  
Latest Linux supported 'PlatformVersion' in semantic versioning (SemVer) format. Parameter may be needed if Fargate was deployed and the 'PlatformVersion' was explicitly specified or CodeDeploy is used as the 'DeploymentController'.

latestWindowsVersion (Optional)  
Type: String  
Latest Windows supported 'PlatformVersion' in semantic versioning (SemVer) format. Parameter may be needed if Fargate was deployed and the 'PlatformVersion' was explicitly specified or CodeDeploy is used as the 'DeploymentController'.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d657c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ecs-no-environment-secrets
<a name="ecs-no-environment-secrets"></a>

Checks if secrets are passed as container environment variables. The rule is NON_COMPLIANT if one or more environment variable keys match a key listed in the `secretKeys` parameter (excluding environment variables from other locations such as Amazon S3).

**Note**  
This rule only evaluates the latest active revision of an Amazon ECS task definition.

**Identifier:** ECS_NO_ENVIRONMENT_SECRETS

**Resource Types:** AWS::ECS::TaskDefinition

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei) Region

**Parameters:**

secretKeys  
Type: CSV  
Comma-separated list of key names to search for in the environment variables of container definitions within Task Definitions. Extra spaces will be removed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d659c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ecs-service-propagate-tags-enabled
<a name="ecs-service-propagate-tags-enabled"></a>

Checks if AWS ECS Service has property PropagateTags with value of either SERVICE or TASK_DEFINITION. The rule is NON_COMPLIANT if the property does not exist or is NONE.

**Identifier:** ECS_SERVICE_PROPAGATE_TAGS_ENABLED

**Resource Types:** AWS::ECS::Service

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), AWS GovCloud (US-East), AWS GovCloud (US-West), Asia Pacific (Taipei), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d661c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ecs-task-definition-efs-encryption-enabled
<a name="ecs-task-definition-efs-encryption-enabled"></a>

Checks if Amazon ECS Task Definitions with EFS volumes have in-transit encryption enabled. The rule is NON_COMPLIANT if an ECS Task Definition contains an EFS volume without transit encryption enabled.

**Identifier:** ECS_TASK_DEFINITION_EFS_ENCRYPTION_ENABLED

**Resource Types:** AWS::ECS::TaskDefinition

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Mexico (Central), Asia Pacific (Taipei) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d663c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ecs-task-definition-linux-user-non-root
<a name="ecs-task-definition-linux-user-non-root"></a>

Checks if the latest active revision of an Amazon ECS task definition configures Linux containers to run as non-root users. The rule is NON_COMPLIANT if root user is specified or user configuration is absent for any container.

**Identifier:** ECS_TASK_DEFINITION_LINUX_USER_NON_ROOT

**Resource Types:** AWS::ECS::TaskDefinition

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Mexico (Central), Asia Pacific (Taipei) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d665c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ecs-task-definition-log-configuration
<a name="ecs-task-definition-log-configuration"></a>

Checks if logConfiguration is set on active ECS Task Definitions. This rule is NON_COMPLIANT if an active ECSTaskDefinition does not have the logConfiguration resource defined or the value for logConfiguration is null in at least one container definition.

**Note**  
This rule only evaluates the latest active revision of an Amazon ECS task definition.

**Identifier:** ECS_TASK_DEFINITION_LOG_CONFIGURATION

**Resource Types:** AWS::ECS::TaskDefinition

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d667c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ecs-task-definition-memory-hard-limit
<a name="ecs-task-definition-memory-hard-limit"></a>

Checks if Amazon Elastic Container Service (ECS) task definitions have a set memory limit for their container definitions. The rule is NON_COMPLIANT for a task definition if the ‘memory’ parameter is absent for one container definition.

**Warning**  
As of April 3, 2026, AWS Config has discontinued support for this managed rule. Evaluation results will no longer be generated.

**Identifier:** ECS_TASK_DEFINITION_MEMORY_HARD_LIMIT

**Resource Types:** AWS::ECS::TaskDefinition

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Jakarta), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Osaka), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d669c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ecs-task-definition-network-mode-not-host
<a name="ecs-task-definition-network-mode-not-host"></a>

Checks if the latest active revision of an Amazon ECS task definition uses host network mode. The rule is NON_COMPLIANT if the latest active revision of the ECS task definition uses host network mode.

**Identifier:** ECS_TASK_DEFINITION_NETWORK_MODE_NOT_HOST

**Resource Types:** AWS::ECS::TaskDefinition

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Mexico (Central), Asia Pacific (Taipei) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d671c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ecs-task-definition-nonroot-user
<a name="ecs-task-definition-nonroot-user"></a>

Checks if ECSTaskDefinitions specify a user for Amazon Elastic Container Service (Amazon ECS) EC2 launch type containers to run on. The rule is NON_COMPLIANT if the ‘user’ parameter is not present or set to ‘root’.

**Note**  
This rule only evaluates the latest active revision of an Amazon ECS task definition.

**Identifier:** ECS_TASK_DEFINITION_NONROOT_USER

**Resource Types:** AWS::ECS::TaskDefinition

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Jakarta), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Osaka), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d673c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ecs-task-definition-pid-mode-check
<a name="ecs-task-definition-pid-mode-check"></a>

Checks if ECSTaskDefinitions are configured to share a host’s process namespace with its Amazon Elastic Container Service (Amazon ECS) containers. The rule is NON_COMPLIANT if the pidMode parameter is set to ‘host’.

**Note**  
This rule only evaluates the latest active revision of an Amazon ECS task definition.

**Identifier:** ECS_TASK_DEFINITION_PID_MODE_CHECK

**Resource Types:** AWS::ECS::TaskDefinition

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d675c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ecs-task-definition-user-for-host-mode-check
<a name="ecs-task-definition-user-for-host-mode-check"></a>

Checks if Amazon ECS task definitions with host network mode have privileged OR nonroot in the container definition. The rule is NON_COMPLIANT if the latest active revision of a task definition has privileged=false (or is null) AND user=root (or is null).

**Important**  
**Only one condition needs to be met for the rule to return compliant**  
The rule is COMPLIANT in any of the following scenarios:
+ If the network mode is not set to host.
+ If the latest active revision of a task definition has privileged=true.
+ If the latest active revision of a task definition has a user that is not the root.

This means that only one of these conditions needs to be met for the rule to return compliant. To check specifically if a task definition has privileged=true, see [ecs-containers-nonprivileged](https://docs.aws.amazon.com/config/latest/developerguide/ecs-containers-nonprivileged.html). To check specifically if a task definition has a user that is not the root, see [ecs-task-definition-nonroot-user](https://docs.aws.amazon.com/config/latest/developerguide/ecs-task-definition-nonroot-user.html).

**Identifier:** ECS_TASK_DEFINITION_USER_FOR_HOST_MODE_CHECK

**Resource Types:** AWS::ECS::TaskDefinition

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions

**Parameters:**

SkipInactiveTaskDefinitions (Optional)  
Type: boolean  
Boolean flag to not check INACTIVE Amazon EC2 task definitions. If set to 'true', the rule won't evaluate INACTIVE Amazon EC2 task definitions. If set to 'false', the rule will evaluate the latest revision of INACTIVE Amazon EC2 task definitions.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d677c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ecs-task-definition-windows-user-non-admin
<a name="ecs-task-definition-windows-user-non-admin"></a>

Checks if the latest active revision of an Amazon ECS task definition configures Windows containers to run as non-administrator users. The rule is NON_COMPLIANT if default administrator user is specified or user configuration is absent for any container.

**Identifier:** ECS_TASK_DEFINITION_WINDOWS_USER_NON_ADMIN

**Resource Types:** AWS::ECS::TaskDefinition

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Mexico (Central), Asia Pacific (Taipei) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d679c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# efs-access-point-enforce-root-directory
<a name="efs-access-point-enforce-root-directory"></a>

Checks if Amazon Elastic File System (Amazon EFS) access points are configured to enforce a root directory. The rule is NON_COMPLIANT if the value of 'Path' is set to '/' (default root directory of the file system).

**Identifier:** EFS_ACCESS_POINT_ENFORCE_ROOT_DIRECTORY

**Resource Types:** AWS::EFS::AccessPoint

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), China (Ningxia) Region

**Parameters:**

approvedDirectories (Optional)  
Type: CSV  
Comma-separated list of subdirectory paths that are approved for Amazon EFS access point root directory enforcement.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d681c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# efs-access-point-enforce-user-identity
<a name="efs-access-point-enforce-user-identity"></a>

Checks if Amazon Elastic File System (Amazon EFS) access points are configured to enforce a user identity. The rule is NON_COMPLIANT if 'PosixUser' is not defined or if parameters are provided and there is no match in the corresponding parameter.

**Identifier:** EFS_ACCESS_POINT_ENFORCE_USER_IDENTITY

**Resource Types:** AWS::EFS::AccessPoint

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Malaysia), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), China (Ningxia) Region

**Parameters:**

approvedUids (Optional)  
Type: CSV  
Comma-separated list of POSIX user IDs that are approved for EFS access point user enforcement.

approvedGids (Optional)  
Type: CSV  
Comma-separated list of POSIX group IDs that are approved for EFS access point user enforcement.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d683c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# efs-automatic-backups-enabled
<a name="efs-automatic-backups-enabled"></a>

Checks if an Amazon Elastic File System (Amazon EFS) file system has automatic backups enabled. The rule is NON_COMPLIANT if `BackupPolicy.Status` is set to DISABLED.

**Identifier:** EFS_AUTOMATIC_BACKUPS_ENABLED

**Resource Types:** AWS::EFS::FileSystem

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Malaysia), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d685c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# efs-encrypted-check
<a name="efs-encrypted-check"></a>

Checks if Amazon Elastic File System (Amazon EFS) is configured to encrypt the file data using AWS Key Management Service (AWS KMS). The rule is NON_COMPLIANT if the encrypted key is set to false on `DescribeFileSystems` or if the `KmsKeyId` key on `DescribeFileSystems` does not match the `KmsKeyId` parameter.

**Identifier:** EFS_ENCRYPTED_CHECK

**Resource Types:** AWS::EFS::FileSystem

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions

**Parameters:**

KmsKeyId (Optional)  
Type: String  
Amazon Resource Name (ARN) of the KMS key that is used to encrypt the EFS file system.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d687c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# efs-filesystem-ct-encrypted
<a name="efs-filesystem-ct-encrypted"></a>

Checks if Amazon Elastic File System (Amazon EFS) encrypts data with AWS Key Management Service (AWS KMS). The rule is NON_COMPLIANT if a file system is not encrypted. Optionally, you can check if a file system is not encrypted with specified KMS keys.

**Identifier:** EFS_FILESYSTEM_CT_ENCRYPTED

**Resource Types:** AWS::EFS::FileSystem

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Malaysia), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary) Region

**Parameters:**

kmsKeyArns (Optional)  
Type: String  
Comma-separated list of Amazon Resource Names (ARNs) for AWS KMS keys. If provided, the rule checks if the specified KMS keys do not encrypt an Amazon EFS file system.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d689c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# efs-file-system-tagged
<a name="efs-file-system-tagged"></a>

Checks if Amazon Elastic File System file systems have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** EFS_FILE_SYSTEM_TAGGED

**Resource Types:** AWS::EFS::FileSystem

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), China (Ningxia) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d691c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# efs-in-backup-plan
<a name="efs-in-backup-plan"></a>

Checks if Amazon Elastic File System (Amazon EFS) file systems are added to the backup plans of AWS Backup. The rule is NON_COMPLIANT if EFS file systems are not included in the backup plans.

**Identifier:** EFS_IN_BACKUP_PLAN

**Resource Types:** AWS::EFS::FileSystem

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d693c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# efs-last-backup-recovery-point-created
<a name="efs-last-backup-recovery-point-created"></a>

Checks if a recovery point was created for Amazon Elastic File System (Amazon EFS) File Systems. The rule is NON_COMPLIANT if the Amazon EFS File System does not have a corresponding Recovery Point created within the specified time period.

**Identifier:** EFS_LAST_BACKUP_RECOVERY_POINT_CREATED

**Resource Types:** AWS::EFS::FileSystem

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

resourceTags (Optional)  
Type: String  
Tags of Amazon EFS File Systems for the rule to check, in JSON format `{"tagkey" : "tagValue"}`.

resourceId (Optional)  
Type: String  
ID of EFS File System for the rule to check.

recoveryPointAgeValue (Optional)  
Type: int  
Default: 1  
Numerical value for maximum allowed age. No more than 744 for hours, 31 for days.

recoveryPointAgeUnit (Optional)  
Type: String  
Default: days  
Unit of time for maximum allowed age. Accepted values: 'hours', 'days'.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d695c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# efs-meets-restore-time-target
<a name="efs-meets-restore-time-target"></a>

Checks if the restore time of Amazon Elastic File System (Amazon EFS) File Systems meets the specified duration. The rule is NON_COMPLIANT if LatestRestoreExecutionTimeMinutes of an Amazon EFS File System is greater than maxRestoreTime minutes.

**Identifier:** EFS_MEETS_RESTORE_TIME_TARGET

**Resource Types:** AWS::EFS::FileSystem

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

maxRestoreTime  
Type: int  
Numerical value for the maximum allowed restore runtime.

resourceTags (Optional)  
Type: String  
Tags of Amazon EFS File Systems for the rule to check, in JSON format.

resourceId (Optional)  
Type: String  
ID of EFS File System for the rule to check.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d697c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# efs-mount-target-public-accessible
<a name="efs-mount-target-public-accessible"></a>

Checks if an Amazon Elastic File System (Amazon EFS) is associated with subnets that assign public IP addresses on launch. The rule is NON_COMPLIANT if the Amazon EFS mount target is associated with subnets that assign public IP addresses on launch.

**Identifier:** EFS_MOUNT_TARGET_PUBLIC_ACCESSIBLE

**Resource Types:** AWS::EFS::FileSystem

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d699c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# efs-resources-in-logically-air-gapped-vault
<a name="efs-resources-in-logically-air-gapped-vault"></a>

Checks if Amazon Elastic File System (Amazon EFS) File Systems are in a logically air-gapped vault. The rule is NON_COMPLIANT if an Amazon EFS File System is not in a logically air-gapped vault within the specified time period.

**Identifier:** EFS_RESOURCES_IN_LOGICALLY_AIR_GAPPED_VAULT

**Resource Types:** AWS::EFS::FileSystem

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

resourceTags (Optional)  
Type: String  
Tags of Amazon EFS File Systems for the rule to check, in JSON format.

resourceId (Optional)  
Type: String  
ID of EFS File System for the rule to check.

recoveryPointAgeValue (Optional)  
Type: int  
Default: 1  
Numerical value for maximum allowed age. No more than 2184 for hours, 91 for days.

recoveryPointAgeUnit (Optional)  
Type: String  
Default: days  
Unit of time for maximum allowed age. Accepted values: 'hours', 'days'.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d701c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# efs-resources-protected-by-backup-plan
<a name="efs-resources-protected-by-backup-plan"></a>

Checks if Amazon Elastic File System (Amazon EFS) File Systems are protected by a backup plan. The rule is NON_COMPLIANT if the EFS File System is not covered by a backup plan.

**Identifier:** EFS_RESOURCES_PROTECTED_BY_BACKUP_PLAN

**Resource Types:** AWS::EFS::FileSystem

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

resourceTags (Optional)  
Type: String  
Tags for EFS File Systems for the rule to check, in JSON format `{"tagkey" : "tagValue"}`.

resourceId (Optional)  
Type: String  
ID of the EFS File System for the rule to check.

crossRegionList (Optional)  
Type: String  
Comma-separated list of destination regions for the cross-region backup copy to be kept.

crossAccountList (Optional)  
Type: String  
Comma-separated list of destination accounts for cross-account backup copy to be kept.

maxRetentionDays (Optional)  
Type: int  
The maximum retention period in days for the Backup Vault Lock.

minRetentionDays (Optional)  
Type: int  
The minimum retention period in days for the Backup Vault Lock.

backupVaultLockCheck (Optional)  
Type: String  
Accepted values: 'True' or 'False'. Enter 'True' for the rule to check if the resource is backed up in a locked vault.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d703c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# eip-attached
<a name="eip-attached"></a>

Checks if all Elastic IP addresses that are allocated to an AWS account are attached to EC2 instances or in-use elastic network interfaces. The rule is NON_COMPLIANT if the 'AssociationId' is null for the Elastic IP address.

**Note**  
Results might take up to 6 hours to become available after an evaluation occurs.

**Identifier:** EIP_ATTACHED

**Resource Types:** AWS::EC2::EIP

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions

**Parameters:**

None  

## Proactive Evaluation
<a name="w2aac20c16c17b7d705c19"></a>

 For steps on how to run this rule in proactive mode, see [Evaluating Your Resources with AWS Config Rules](./evaluating-your-resources.html#evaluating-your-resources-proactive). For this rule to return COMPLIANT in proactive mode, the resource configuration schema for the [StartResourceEvaluation](https://docs.aws.amazon.com/config/latest/APIReference/API_StartResourceEvaluation.html) API needs to include the following inputs, encoded as a string: 

```
"ResourceConfiguration":
...
{
   "InstanceId": "my-instance-Id"
} 
...
```

 For more information on proactive evaluation, see [Evaluation Mode](./evaluate-config-rules.html). 

## AWS CloudFormation template
<a name="w2aac20c16c17b7d705c21"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# eks-addon-tagged
<a name="eks-addon-tagged"></a>

Checks if Amazon EKS add-ons have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** EKS_ADDON_TAGGED

**Resource Types:** AWS::EKS::Addon

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d707c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# eks-cluster-logging-enabled
<a name="eks-cluster-logging-enabled"></a>

Checks if an Amazon Elastic Kubernetes Service (Amazon EKS) cluster is configured with logging enabled. The rule is NON_COMPLIANT if logging for Amazon EKS clusters is not enabled for all log types.

**Identifier:** EKS_CLUSTER_LOGGING_ENABLED

**Resource Types:** AWS::EKS::Cluster

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d709c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# eks-cluster-log-enabled
<a name="eks-cluster-log-enabled"></a>

Checks if an Amazon Elastic Kubernetes Service (Amazon EKS) cluster is configured with logging enabled. The rule is NON_COMPLIANT if logging for Amazon EKS clusters is not enabled or if logging is not enabled with the log type mentioned.

**Identifier:** EKS_CLUSTER_LOG_ENABLED

**Resource Types:** AWS::EKS::Cluster

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary) Region

**Parameters:**

logTypes (Optional)  
Type: CSV  
Comma-separated list of EKS Cluster control plane log types for the rule to check. Valid values: "api", "audit", "authenticator", "controllerManager", "scheduler".

## AWS CloudFormation template
<a name="w2aac20c16c17b7d711c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# eks-cluster-oldest-supported-version
<a name="eks-cluster-oldest-supported-version"></a>

Checks if an Amazon Elastic Kubernetes Service (EKS) cluster is running the oldest supported version. The rule is NON_COMPLIANT if an EKS cluster is running the oldest supported version (equal to the parameter '`oldestVersionSupported`').

**Identifier:** EKS_CLUSTER_OLDEST_SUPPORTED_VERSION

**Resource Types:** AWS::EKS::Cluster

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Jakarta), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Osaka), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

oldestVersionSupported  
Type: String  
Value of the oldest version of Kubernetes supported on AWS.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d713c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# eks-cluster-secrets-encrypted
<a name="eks-cluster-secrets-encrypted"></a>

Checks if Amazon EKS clusters are configured to have Kubernetes secrets encrypted using AWS KMS. The rule is NON_COMPLIANT if an EKS cluster does not have an encryptionConfig resource or if encryptionConfig does not name secrets as a resource.

**Identifier:** EKS_CLUSTER_SECRETS_ENCRYPTED

**Resource Types:** AWS::EKS::Cluster

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

kmsKeyArns (Optional)  
Type: CSV  
Comma-separated list of KMS key Amazon Resource Names (ARNs) that are approved for EKS usage.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d715c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# eks-cluster-supported-version
<a name="eks-cluster-supported-version"></a>

Checks if an Amazon Elastic Kubernetes Service (EKS) cluster is running a supported Kubernetes version. This rule is NON_COMPLIANT if an EKS cluster is running an unsupported version (less than the parameter '`oldestVersionSupported`').

**Identifier:** EKS_CLUSTER_SUPPORTED_VERSION

**Resource Types:** AWS::EKS::Cluster

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Malaysia), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary) Region

**Parameters:**

oldestVersionSupported  
Type: String  
Value of the oldest version of Kubernetes supported on AWS.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d717c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# eks-endpoint-no-public-access
<a name="eks-endpoint-no-public-access"></a>

Checks if the Amazon Elastic Kubernetes Service (Amazon EKS) endpoint is not publicly accessible. The rule is NON_COMPLIANT if the endpoint is publicly accessible.

**Identifier:** EKS_ENDPOINT_NO_PUBLIC_ACCESS

**Resource Types:** AWS::EKS::Cluster

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d719c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# eks-fargate-profile-tagged
<a name="eks-fargate-profile-tagged"></a>

Checks if Amazon EKS Fargate profiles have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** EKS_FARGATE_PROFILE_TAGGED

**Resource Types:** AWS::EKS::FargateProfile

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d721c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# eks-nodegroup-supported-version-check
<a name="eks-nodegroup-supported-version-check"></a>

Checks if an Amazon Elastic Kubernetes Service (EKS) nodegroup is running the oldest supported version.

**Identifier:** EKS_NODEGROUP_SUPPORTED_VERSION_CHECK

**Resource Types:** AWS::EKS::Nodegroup

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Middle East (Bahrain), Asia Pacific (Thailand), Middle East (UAE), Mexico (Central), Asia Pacific (Taipei) Region

**Parameters:**

oldestVersionSupported  
Type: String  
Value of the oldest version of Kubernetes supported on AWS.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d723c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# eks-secrets-encrypted
<a name="eks-secrets-encrypted"></a>

Checks if Amazon Elastic Kubernetes Service clusters are configured to have Kubernetes secrets encrypted using AWS Key Management Service (KMS) keys.
+ This rule is COMPLIANT if an EKS cluster has an encryptionConfig with secrets as one of the resources.
+ This rule is also COMPLIANT if the key used to encrypt EKS secrets matches with the parameter.
+ This rule is NON_COMPLIANT if an EKS cluster does not have an encryptionConfig or if the encryptionConfig resources do not include secrets.
+ This rule is also NON_COMPLIANT if the key used to encrypt EKS secrets does not match with the parameter.

**Identifier:** EKS_SECRETS_ENCRYPTED

**Resource Types:** AWS::EKS::Cluster

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand) Region

**Parameters:**

kmsKeyArns (Optional)  
Type: CSV  
Comma-separated list of Amazon Resource Names (ARNs) of the KMS keys that should be used for encrypted secrets in an EKS cluster.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d725c21"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# elasticache-automatic-backup-check-enabled
<a name="elasticache-automatic-backup-check-enabled"></a>

Checks if Amazon ElastiCache clusters (Valkey or Redis OSS) have automatic backup turned on. The rule is NON_COMPLIANT if automated backup is not enabled or the SnapshotRetentionLimit for a cluster is less than the specified `snapshotRetentionPeriod`.

**Identifier:** ELASTICACHE_AUTOMATIC_BACKUP_CHECK_ENABLED

**Resource Types:** AWS::ElastiCache::CacheCluster

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

snapshotRetentionPeriod (Optional)  
Type: int  
Minimum snapshot retention period in days for Valkey or Redis OSS. Valid values are 1 to 35. Default value is 1.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d727c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# elasticache-auto-minor-version-upgrade-check
<a name="elasticache-auto-minor-version-upgrade-check"></a>

Checks if Amazon ElastiCache clusters have auto minor version upgrades enabled. The rule is NON_COMPLIANT for an ElastiCache cluster if it is using the Redis or Valkey engine and 'AutoMinorVersionUpgrade' is not set to 'true'.

**Identifier:** ELASTICACHE_AUTO_MINOR_VERSION_UPGRADE_CHECK

**Resource Types:** AWS::ElastiCache::CacheCluster

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d729c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# elasticache-rbac-auth-enabled
<a name="elasticache-rbac-auth-enabled"></a>

Checks if Amazon ElastiCache replication groups have RBAC authentication enabled. The rule is NON_COMPLIANT if the Redis version is 6 or above and 'UserGroupIds' is missing, empty, or does not match an entry provided by the '`allowedUserGroupIDs`' parameter.

**Identifier:** ELASTICACHE_RBAC_AUTH_ENABLED

**Resource Types:** AWS::ElastiCache::ReplicationGroup

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Jakarta), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

allowedUserGroupIDs (Optional)  
Type: CSV  
A comma-separated list of User Group IDs that are approved for ElastiCache replication group access.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d731c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# elasticache-redis-cluster-automatic-backup-check
<a name="elasticache-redis-cluster-automatic-backup-check"></a>

Checks if the Amazon ElastiCache Redis clusters have automatic backup turned on. The rule is NON_COMPLIANT if the SnapshotRetentionLimit for Redis cluster is less than the SnapshotRetentionPeriod parameter. For example, if the parameter is 15, then the rule is non-compliant if the snapshotRetentionPeriod is between 0-15.

**Identifier:** ELASTICACHE_REDIS_CLUSTER_AUTOMATIC_BACKUP_CHECK

**Resource Types:** AWS::ElastiCache::CacheCluster, AWS::ElastiCache::ReplicationGroup

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (Taipei) Region

**Parameters:**

snapshotRetentionPeriod (Optional)  
Type: int  
Default: 15  
Minimum snapshot retention period in days for Redis cluster. Default is 15 days.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d733c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# elasticache-repl-grp-auto-failover-enabled
<a name="elasticache-repl-grp-auto-failover-enabled"></a>

Checks if Amazon ElastiCache Redis replication groups have automatic failover enabled. The rule is NON_COMPLIANT for an ElastiCache replication group if 'AutomaticFailover' is not set to 'enabled'.

**Identifier:** ELASTICACHE_REPL_GRP_AUTO_FAILOVER_ENABLED

**Resource Types:** AWS::ElastiCache::ReplicationGroup

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d735c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# elasticache-repl-grp-encrypted-at-rest
<a name="elasticache-repl-grp-encrypted-at-rest"></a>

Checks if Amazon ElastiCache replication groups have encryption-at-rest enabled. The rule is NON_COMPLIANT for an ElastiCache replication group if 'AtRestEncryptionEnabled' is disabled or if the KMS key ARN does not match the approvedKMSKeyArns parameter.

**Identifier:** ELASTICACHE_REPL_GRP_ENCRYPTED_AT_REST

**Resource Types:** AWS::ElastiCache::ReplicationGroup

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary) Region

**Parameters:**

approvedKMSKeyIds (Optional)  
Type: CSV  
Comma-separated list of KMS Key IDs that are approved for ElastiCache usage.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d737c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# elasticache-repl-grp-encrypted-in-transit
<a name="elasticache-repl-grp-encrypted-in-transit"></a>

Checks if Amazon ElastiCache replication groups have encryption-in-transit enabled. The rule is NON_COMPLIANT for an ElastiCache replication group if ‘TransitEncryptionEnabled’ is set to ‘false’.

**Identifier:** ELASTICACHE_REPL_GRP_ENCRYPTED_IN_TRANSIT

**Resource Types:** AWS::ElastiCache::ReplicationGroup

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d739c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# elasticache-repl-grp-redis-auth-enabled
<a name="elasticache-repl-grp-redis-auth-enabled"></a>

Checks if Amazon ElastiCache replication groups have Redis AUTH enabled. The rule is NON_COMPLIANT for an ElastiCache replication group if the Redis version of its nodes is below 6 (Version 6+ use Redis ACLs) and ‘AuthToken’ is missing or is empty/null.

**Identifier:** ELASTICACHE_REPL_GRP_REDIS_AUTH_ENABLED

**Resource Types:** AWS::ElastiCache::ReplicationGroup

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Jakarta), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d741c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# elasticache-subnet-group-check
<a name="elasticache-subnet-group-check"></a>

Checks if Amazon ElastiCache clusters are configured with a custom subnet group. The rule is NON_COMPLIANT for an ElastiCache cluster if it is using a default subnet group.

**Identifier:** ELASTICACHE_SUBNET_GROUP_CHECK

**Resource Types:** AWS::ElastiCache::CacheCluster

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Jakarta), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Osaka), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d743c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# elasticache-supported-engine-version
<a name="elasticache-supported-engine-version"></a>

Checks if ElastiCache clusters are running a version greater or equal to the recommended engine version. The rule is NON_COMPLIANT if the 'EngineVersion' for an ElastiCache cluster is less than the specified recommended version for its given engine.

**Identifier:** ELASTICACHE_SUPPORTED_ENGINE_VERSION

**Resource Types:** AWS::ElastiCache::CacheCluster

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

latestMemcachedVersion  
Type: String  
The latest recommended engine version for Memcached. Valid values are in semantic versioning (SemVer) format with 3-component number for major, minor, and patch versions (for example, 1.6.6, not 1.6).

latestRedisVersion  
Type: String  
The latest recommended engine version for Redis. Valid values are in semantic versioning (SemVer) format with 3-component number for major, minor, and patch versions (for example, 7.0.5, not 7.0).

## AWS CloudFormation template
<a name="w2aac20c16c17b7d745c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# elasticbeanstalk-application-description
<a name="elasticbeanstalk-application-description"></a>

Checks if AWS Elastic Beanstalk applications have a description. The rule is NON_COMPLIANT if configuration.description does not exist or is an empty string.

**Identifier:** ELASTICBEANSTALK_APPLICATION_DESCRIPTION

**Resource Types:** AWS::ElasticBeanstalk::Application

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d747c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# elasticbeanstalk-application-version-description
<a name="elasticbeanstalk-application-version-description"></a>

Checks if AWS Elastic Beanstalk application versions have a description. The rule is NON_COMPLIANT if configuration.description does not exist or is an empty string.

**Identifier:** ELASTICBEANSTALK_APPLICATION_VERSION_DESCRIPTION

**Resource Types:** AWS::ElasticBeanstalk::ApplicationVersion

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d749c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# elasticbeanstalk-environment-description
<a name="elasticbeanstalk-environment-description"></a>

Checks if AWS Elastic Beanstalk environments have a description. The rule is NON_COMPLIANT if configuration.description does not exist or is an empty string.

**Identifier:** ELASTICBEANSTALK_ENVIRONMENT_DESCRIPTION

**Resource Types:** AWS::ElasticBeanstalk::Environment

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d751c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# elasticsearch-encrypted-at-rest
<a name="elasticsearch-encrypted-at-rest"></a>

Checks if Amazon OpenSearch Service (previously called Elasticsearch) domains have encryption at rest configuration enabled. The rule is NON_COMPLIANT if the EncryptionAtRestOptions field is not enabled.

**Identifier:** ELASTICSEARCH_ENCRYPTED_AT_REST

**Resource Types:** AWS::Elasticsearch::Domain

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d753c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# elasticsearch-in-vpc-only
<a name="elasticsearch-in-vpc-only"></a>

Checks if Amazon OpenSearch Service (previously called Elasticsearch) domains are in Amazon Virtual Private Cloud (Amazon VPC). The rule is NON_COMPLIANT if an OpenSearch Service domain endpoint is public.

**Identifier:** ELASTICSEARCH_IN_VPC_ONLY

**Resource Types:** AWS::Elasticsearch::Domain

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d755c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# elasticsearch-logs-to-cloudwatch
<a name="elasticsearch-logs-to-cloudwatch"></a>

Checks if OpenSearch Service (previously called Elasticsearch) domains are configured to send logs to CloudWatch Logs. The rule is COMPLIANT if a log is enabled for an OpenSearch Service domain. The rule is NON_COMPLIANT if logging is not configured.

**Identifier:** ELASTICSEARCH_LOGS_TO_CLOUDWATCH

**Resource Types:** AWS::Elasticsearch::Domain

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions

**Parameters:**

logTypes (Optional)  
Type: CSV  
Comma-separated list of logs that are enabled. Valid values are 'search', 'index', 'error'

## Proactive Evaluation
<a name="w2aac20c16c17b7d757c19"></a>

 For steps on how to run this rule in proactive mode, see [Evaluating Your Resources with AWS Config Rules](./evaluating-your-resources.html#evaluating-your-resources-proactive). For this rule to return COMPLIANT in proactive mode, the resource configuration schema for the [StartResourceEvaluation](https://docs.aws.amazon.com/config/latest/APIReference/API_StartResourceEvaluation.html) API needs to include the following inputs, encoded as a string: 

```
"ResourceConfiguration":
...
{
   "LogPublishingOptions": "{Key : Value, ...}"*
} 
...
```

\*An object with one or more of the following keys: `SEARCH_SLOW_LOGS`, `ES_APPLICATION_LOGS`, `INDEX_SLOW_LOGS`, `AUDIT_LOGS`, depending on the types of logs you want to publish. Each key needs a valid `LogPublishingOption` value.

 For more information on proactive evaluation, see [Evaluation Mode](./evaluate-config-rules.html). 
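The following is an added example, not code from the AWS documentation: it builds the `ResourceDetails` argument for `StartResourceEvaluation` for this rule, serializing the configuration to a string and rejecting log types outside the four listed above. The resource ID, account number and log group ARN are constructed, and the check that each value carries `CloudWatchLogsLogGroupArn` and `Enabled` assumes the CloudFormation `LogPublishingOption` shape.

```python
import json

# Log types listed above as valid keys of LogPublishingOptions.
ALLOWED_LOG_TYPES = frozenset(
    {"SEARCH_SLOW_LOGS", "ES_APPLICATION_LOGS", "INDEX_SLOW_LOGS", "AUDIT_LOGS"}
)

# Constructed sample input (hypothetical account, region and log group).
SAMPLE_OPTIONS = {
    "SEARCH_SLOW_LOGS": {
        "CloudWatchLogsLogGroupArn": (
            "arn:aws:logs:us-east-1:111122223333:"
            "log-group:/aws/es/example-domain/search-slow"
        ),
        "Enabled": True,
    }
}


def build_resource_details(resource_id, log_publishing_options):
    """Build the ResourceDetails argument for StartResourceEvaluation.

    Raises ValueError for input the rule could not evaluate as intended.
    """
    if not isinstance(log_publishing_options, dict) or not log_publishing_options:
        raise ValueError("LogPublishingOptions needs at least one log type")

    unknown = sorted(set(log_publishing_options) - ALLOWED_LOG_TYPES)
    if unknown:
        raise ValueError("unknown log types: " + ", ".join(unknown))

    for log_type, option in log_publishing_options.items():
        # Assumption: each value follows the CloudFormation
        # LogPublishingOption shape (CloudWatchLogsLogGroupArn plus Enabled).
        if not isinstance(option, dict):
            raise ValueError(f"{log_type}: value must be an object")
        arn = option.get("CloudWatchLogsLogGroupArn", "")
        if not isinstance(arn, str) or not arn.startswith("arn:") or ":logs:" not in arn:
            raise ValueError(f"{log_type}: not a CloudWatch Logs log group ARN")
        if not isinstance(option.get("Enabled"), bool):
            raise ValueError(f"{log_type}: Enabled must be a boolean")

    return {
        "ResourceId": resource_id,
        "ResourceType": "AWS::Elasticsearch::Domain",
        # The API expects the configuration encoded as a string,
        # not as a nested object.
        "ResourceConfiguration": json.dumps(
            {"LogPublishingOptions": log_publishing_options}, sort_keys=True
        ),
        "ResourceConfigurationSchemaType": "CFN_RESOURCE_SCHEMA",
    }


def start_proactive_evaluation(config_client, resource_details, timeout_seconds=60):
    """Submit the evaluation and return its ID.

    config_client is a boto3 client created with boto3.client("config").
    """
    response = config_client.start_resource_evaluation(
        ResourceDetails=resource_details,
        EvaluationMode="PROACTIVE",
        EvaluationTimeout=timeout_seconds,
    )
    return response["ResourceEvaluationId"]


if __name__ == "__main__":
    print(json.dumps(build_resource_details("example-domain", SAMPLE_OPTIONS), indent=2))
```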

## AWS CloudFormation template
<a name="w2aac20c16c17b7d757c21"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# elasticsearch-node-to-node-encryption-check
<a name="elasticsearch-node-to-node-encryption-check"></a>

Check that Amazon OpenSearch Service nodes are encrypted end to end. The rule is NON_COMPLIANT if the node-to-node encryption is disabled on the domain.

**Identifier:** ELASTICSEARCH_NODE_TO_NODE_ENCRYPTION_CHECK

**Resource Types:** AWS::Elasticsearch::Domain

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions

**Parameters:**

None  

## Proactive Evaluation
<a name="w2aac20c16c17b7d759c19"></a>

 For steps on how to run this rule in proactive mode, see [Evaluating Your Resources with AWS Config Rules](./evaluating-your-resources.html#evaluating-your-resources-proactive). For this rule to return COMPLIANT in proactive mode, the resource configuration schema for the [StartResourceEvaluation](https://docs.aws.amazon.com/config/latest/APIReference/API_StartResourceEvaluation.html) API needs to include the following inputs, encoded as a string: 

```
"ResourceConfiguration":
...
{
   "NodeToNodeEncryptionOptions": BOOLEAN
} 
...
```

 For more information on proactive evaluation, see [Evaluation Mode](./evaluate-config-rules.html). 

## AWS CloudFormation template
<a name="w2aac20c16c17b7d759c21"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# elastic-beanstalk-logs-to-cloudwatch
<a name="elastic-beanstalk-logs-to-cloudwatch"></a>

Checks if AWS Elastic Beanstalk environments are configured to send logs to Amazon CloudWatch Logs. The rule is NON_COMPLIANT if the value of `StreamLogs` is false.

**Identifier:** ELASTIC_BEANSTALK_LOGS_TO_CLOUDWATCH

**Resource Types:** AWS::ElasticBeanstalk::Environment

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

RetentionInDays (Optional)  
Type: String  
Checks the number of days to keep log events before they expire. Valid values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653. The rule is NON_COMPLIANT if the value of `logs.RetentionInDays` does not match this parameter.

DeleteOnTerminate (Optional)  
Type: String  
Checks if logs are configured to be deleted upon termination of the environment. Valid values are `true` or `false`. The rule is NON_COMPLIANT if the value of `logs.DeleteOnTerminate` does not match this parameter.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d761c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# elastic-beanstalk-managed-updates-enabled
<a name="elastic-beanstalk-managed-updates-enabled"></a>

Checks if managed platform updates in an AWS Elastic Beanstalk environment are enabled. The rule is COMPLIANT if the value for `ManagedActionsEnabled` is set to true. The rule is NON_COMPLIANT if the value for `ManagedActionsEnabled` is set to false, or if a parameter is provided and its value does not match the existing configurations.

**Identifier:** ELASTIC_BEANSTALK_MANAGED_UPDATES_ENABLED

**Resource Types:** AWS::ElasticBeanstalk::Environment

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei) Region

**Parameters:**

UpdateLevel (Optional)  
Type: String  
Indicates whether update levels are set to 'minor' version updates or 'patch' version updates.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d763c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# elbv2-acm-certificate-required
<a name="elbv2-acm-certificate-required"></a>

Checks if Application Load Balancers and Network Load Balancers have listeners that are configured to use certificates from AWS Certificate Manager (ACM). This rule is NON_COMPLIANT if at least 1 load balancer has at least 1 listener that is configured without a certificate from ACM or is configured with a certificate different from an ACM certificate.

**Identifier:** ELBV2_ACM_CERTIFICATE_REQUIRED

**Resource Types:** AWS::ElasticLoadBalancingV2::LoadBalancer

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Jakarta), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Osaka), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), Europe (Zurich) Region

**Parameters:**

AcmCertificatesAllowed (Optional)  
Type: CSV  
Comma-separated list of certificate Amazon Resource Names (ARNs).

## AWS CloudFormation template
<a name="w2aac20c16c17b7d765c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# elbv2-listener-encryption-in-transit
<a name="elbv2-listener-encryption-in-transit"></a>

Checks if listeners for the load balancers are configured with HTTPS or TLS termination. The rule is NON_COMPLIANT if listeners are not configured with HTTPS or TLS termination.

**Identifier:** ELBV2_LISTENER_ENCRYPTION_IN_TRANSIT

**Resource Types:** AWS::ElasticLoadBalancingV2::Listener

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Jakarta), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d767c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# elbv2-multiple-az
<a name="elbv2-multiple-az"></a>

Checks if an Elastic Load Balancer V2 (Application, Network, or Gateway Load Balancer) is mapped to multiple Availability Zones (AZs). The rule is NON_COMPLIANT if an Elastic Load Balancer V2 is mapped to less than 2 AZs. For more information, see [Availability Zones for your Application Load Balancer](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-subnets.html).

**Identifier:** ELBV2_MULTIPLE_AZ

**Resource Types:** AWS::ElasticLoadBalancingV2::LoadBalancer

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei) Region

**Parameters:**

minAvailabilityZones (Optional)  
Type: int  
Minimum number of expected AZs (between 2 and 10 inclusive).

## AWS CloudFormation template
<a name="w2aac20c16c17b7d769c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# elbv2-predefined-security-policy-ssl-check
<a name="elbv2-predefined-security-policy-ssl-check"></a>

Checks if listeners for Application Load Balancers (ALBs) or Network Load Balancers (NLBs) use certain security policies. The rule is NON_COMPLIANT if an HTTPS listener for an ALB or a TLS listener for a NLB does not use the security policies you specify.

**Identifier:** ELBV2_PREDEFINED_SECURITY_POLICY_SSL_CHECK

**Resource Types:** AWS::ElasticLoadBalancingV2::Listener

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Jakarta), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), Europe (Zurich) Region

**Parameters:**

sslPolicies  
Type: CSV  
Comma-separated list of SSL security policies for the rule to check. For example, "ELBSecurityPolicy-TLS13-1-2-2021-06".

## AWS CloudFormation template
<a name="w2aac20c16c17b7d771c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# elbv2-targetgroup-healthcheck-protocol-encrypted
<a name="elbv2-targetgroup-healthcheck-protocol-encrypted"></a>

Checks if health checks for load balancer target groups use an encrypted transport protocol. The rule is NON_COMPLIANT if configuration.healthCheckProtocol is not HTTPS. Lambda target types are not applicable.

**Identifier:** ELBV2_TARGETGROUP_HEALTHCHECK_PROTOCOL_ENCRYPTED

**Resource Types:** AWS::ElasticLoadBalancingV2::TargetGroup

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), AWS GovCloud (US-East), AWS GovCloud (US-West), Asia Pacific (Taipei), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d773c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# elbv2-targetgroup-protocol-encrypted
<a name="elbv2-targetgroup-protocol-encrypted"></a>

Checks if the target groups for application and network load balancers use an encrypted transport protocol. The rule is NON_COMPLIANT if configuration.protocol is not HTTPS, TLS, or QUIC. Lambda and ALB target types are not applicable.

**Identifier:** ELBV2_TARGETGROUP_PROTOCOL_ENCRYPTED

**Resource Types:** AWS::ElasticLoadBalancingV2::TargetGroup

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), AWS GovCloud (US-East), AWS GovCloud (US-West), Asia Pacific (Taipei), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d775c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# elb-acm-certificate-required
<a name="elb-acm-certificate-required"></a>

Checks if the Classic Load Balancers use SSL certificates provided by AWS Certificate Manager. To use this rule, use an SSL or HTTPS listener with your Classic Load Balancer. This rule is only applicable to Classic Load Balancers. This rule does not check Application Load Balancers and Network Load Balancers.



**Identifier:** ELB_ACM_CERTIFICATE_REQUIRED

**Resource Types:** AWS::ElasticLoadBalancing::LoadBalancer

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Africa (Cape Town), Asia Pacific (Osaka), Europe (Milan), Israel (Tel Aviv), Canada West (Calgary), Europe (Spain), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d777c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# elb-cross-zone-load-balancing-enabled
<a name="elb-cross-zone-load-balancing-enabled"></a>

Checks if cross-zone load balancing is enabled for Classic Load Balancers. The rule is NON_COMPLIANT if cross-zone load balancing is not enabled for Classic Load Balancers.

**Identifier:** ELB_CROSS_ZONE_LOAD_BALANCING_ENABLED

**Resource Types:** AWS::ElasticLoadBalancing::LoadBalancer

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d779c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# elb-custom-security-policy-ssl-check
<a name="elb-custom-security-policy-ssl-check"></a>

Checks whether your Classic Load Balancer SSL listeners are using a custom policy. The rule is only applicable if there are SSL listeners for the Classic Load Balancer. 



**Identifier:** ELB_CUSTOM_SECURITY_POLICY_SSL_CHECK

**Resource Types:** AWS::ElasticLoadBalancing::LoadBalancer

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions

**Parameters:**

sslProtocolsAndCiphers  
Type: String  
Comma-separated list of ciphers and protocols.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d781c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# elb-deletion-protection-enabled
<a name="elb-deletion-protection-enabled"></a>

Checks whether an Elastic Load Balancer has deletion protection enabled. The rule is NON_COMPLIANT if deletion_protection.enabled is false.

**Identifier:** ELB_DELETION_PROTECTION_ENABLED

**Resource Types:** AWS::ElasticLoadBalancingV2::LoadBalancer

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d783c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# elb-internal-scheme-check
<a name="elb-internal-scheme-check"></a>

Checks if a Classic Load Balancer scheme is internal. The rule is NON_COMPLIANT if configuration.scheme is not set to internal.

**Identifier:** ELB_INTERNAL_SCHEME_CHECK

**Resource Types:** AWS::ElasticLoadBalancing::LoadBalancer

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d785c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# elb-logging-enabled
<a name="elb-logging-enabled"></a>

Checks if the Application Load Balancer and the Classic Load Balancer have logging enabled. The rule is NON_COMPLIANT if the `access_logs.s3.enabled` is false or `access_logs.S3.bucket` is not equal to the s3BucketName that you provided.

**Note**  
The rule does not apply to Network Load Balancers or Gateway Load Balancers.

**Identifier:** ELB_LOGGING_ENABLED

**Resource Types:** AWS::ElasticLoadBalancing::LoadBalancer, AWS::ElasticLoadBalancingV2::LoadBalancer

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions

**Parameters:**

s3BucketNames (Optional)  
Type: CSV  
Comma-separated list of Amazon S3 bucket names for Amazon ELB to deliver the log files.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d787c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# elb-predefined-security-policy-ssl-check
<a name="elb-predefined-security-policy-ssl-check"></a>

Checks if your Classic Load Balancer SSL listeners use a predefined policy. The rule is NON_COMPLIANT if the Classic Load Balancer HTTPS/SSL listener's policy does not equal the value of the parameter '`predefinedPolicyName`'.

**Identifier:** ELB_PREDEFINED_SECURITY_POLICY_SSL_CHECK

**Resource Types:** AWS::ElasticLoadBalancing::LoadBalancer

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions

**Parameters:**

predefinedPolicyName  
Type: String  
Name of the predefined policy.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d789c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# elb-tagged
<a name="elb-tagged"></a>

Checks if Classic Load Balancers have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** ELB_TAGGED

**Resource Types:** AWS::ElasticLoadBalancing::LoadBalancer

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), China (Ningxia) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d791c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# elb-tls-https-listeners-only
<a name="elb-tls-https-listeners-only"></a>

Checks if your Classic Load Balancer is configured with SSL or HTTPS listeners. The rule is NON_COMPLIANT if a listener is not configured with SSL or HTTPS.
+ If the Classic Load Balancer does not have a listener configured, then the rule returns `NOT_APPLICABLE`.
+ The rule is COMPLIANT if the Classic Load Balancer listeners are configured with SSL or HTTPS.
+ The rule is NON_COMPLIANT if a listener is not configured with SSL or HTTPS.

**Identifier:** ELB_TLS_HTTPS_LISTENERS_ONLY

**Resource Types:** AWS::ElasticLoadBalancing::LoadBalancer

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d793c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# emr-block-public-access
<a name="emr-block-public-access"></a>

Checks if an account with Amazon EMR has block public access settings enabled. The rule is NON_COMPLIANT if BlockPublicSecurityGroupRules is false, or if it is true and ports other than port 22 are listed in PermittedPublicSecurityGroupRuleRanges.

**Identifier:** EMR_BLOCK_PUBLIC_ACCESS

**Resource Types:** AWS::::Account

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

None  
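The decision described for this rule, reproduced as an added offline example (not AWS Config's own code). It assumes the input dict has the shape of the `BlockPublicAccessConfiguration` object returned by the EMR `GetBlockPublicAccessConfiguration` API; the function names and sample inputs are constructed for illustration.

```python
from typing import Any

ALLOWED_PORT = 22  # the only publicly permitted port the rule description tolerates


def ports_beyond_ssh(bpa_config: dict[str, Any]) -> list[tuple[int, int]]:
    """Return every permitted (min, max) range that exposes a port other than 22."""
    exposed = []
    for rng in bpa_config.get("PermittedPublicSecurityGroupRuleRanges") or []:
        low = int(rng["MinRange"])
        # Assumption: a range without MaxRange covers the single port MinRange.
        high = int(rng.get("MaxRange", low))
        if low > high:
            low, high = high, low
        # A range such as 20-25 contains port 22 but also opens other ports,
        # so only the exact range 22-22 passes.
        if (low, high) != (ALLOWED_PORT, ALLOWED_PORT):
            exposed.append((low, high))
    return exposed


def evaluate_emr_block_public_access(bpa_config: dict[str, Any]) -> tuple[str, str]:
    """Apply the rule text: blocking must be on, and only port 22 may be excepted."""
    if bpa_config.get("BlockPublicSecurityGroupRules") is not True:
        return "NON_COMPLIANT", "BlockPublicSecurityGroupRules is not true"
    exposed = ports_beyond_ssh(bpa_config)
    if exposed:
        ranges = ", ".join(f"{lo}-{hi}" for lo, hi in exposed)
        return "NON_COMPLIANT", f"permitted ranges include ports other than 22: {ranges}"
    return "COMPLIANT", "public security group rules are blocked except for port 22"


# Constructed sample configurations, one per branch of the rule.
SAMPLES = {
    "ssh-only": {
        "BlockPublicSecurityGroupRules": True,
        "PermittedPublicSecurityGroupRuleRanges": [{"MinRange": 22, "MaxRange": 22}],
    },
    "no-exceptions": {
        "BlockPublicSecurityGroupRules": True,
        "PermittedPublicSecurityGroupRuleRanges": [],
    },
    "blocking-off": {
        "BlockPublicSecurityGroupRules": False,
        "PermittedPublicSecurityGroupRuleRanges": [{"MinRange": 22, "MaxRange": 22}],
    },
    "extra-range": {
        "BlockPublicSecurityGroupRules": True,
        "PermittedPublicSecurityGroupRuleRanges": [
            {"MinRange": 22, "MaxRange": 22},
            {"MinRange": 8000, "MaxRange": 8100},
        ],
    },
    "range-around-22": {
        "BlockPublicSecurityGroupRules": True,
        "PermittedPublicSecurityGroupRuleRanges": [{"MinRange": 20, "MaxRange": 25}],
    },
}


def evaluate_samples() -> dict[str, str]:
    """Compliance verdict for each constructed sample."""
    return {name: evaluate_emr_block_public_access(cfg)[0] for name, cfg in SAMPLES.items()}


if __name__ == "__main__":
    for name, cfg in SAMPLES.items():
        verdict, reason = evaluate_emr_block_public_access(cfg)
        print(f"{name:16} {verdict:14} {reason}")
```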

## AWS CloudFormation template
<a name="w2aac20c16c17b7d795c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# emr-kerberos-enabled
<a name="emr-kerberos-enabled"></a>

Checks if Amazon EMR clusters have Kerberos enabled. The rule is NON_COMPLIANT if a security configuration is not attached to the cluster or the security configuration does not satisfy the specified rule parameters.

**Identifier:** EMR_KERBEROS_ENABLED

**Resource Types:** AWS::EMR::Cluster

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions

**Parameters:**

TicketLifetimeInHours (Optional)  
Type: int  
Period for which a Kerberos ticket issued by the cluster's KDC is valid.

Realm (Optional)  
Type: String  
Kerberos realm name of the other realm in the trust relationship.

Domain (Optional)  
Type: String  
Domain name of the other realm in the trust relationship.

AdminServer (Optional)  
Type: String  
Fully qualified domain of the admin server in the other realm of the trust relationship.

KdcServer (Optional)  
Type: String  
Fully qualified domain of the KDC server in the other realm of the trust relationship.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d797c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# emr-master-no-public-ip
<a name="emr-master-no-public-ip"></a>

Checks if Amazon EMR clusters' master nodes have public IPs. The rule is NON_COMPLIANT if the master node has a public IP.

**Note**  
This rule checks clusters that are in RUNNING or WAITING state. This rule requires you to enable recording for the `AWS::EC2::Instance` resource type in order to have an accurate evaluation.

**Identifier:** EMR_MASTER_NO_PUBLIC_IP

**Resource Types:** AWS::EMR::Cluster, AWS::EC2::Instance

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d799c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# emr-security-configuration-encryption-rest
<a name="emr-security-configuration-encryption-rest"></a>

Checks if an Amazon EMR security configuration has encryption at rest enabled. The rule is NON_COMPLIANT if configuration.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption is false.

**Identifier:** EMR_SECURITY_CONFIGURATION_ENCRYPTION_REST

**Resource Types:** AWS::EMR::SecurityConfiguration

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d801c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# emr-security-configuration-encryption-transit
<a name="emr-security-configuration-encryption-transit"></a>

Checks if an Amazon EMR security configuration has encryption in transit enabled. The rule is NON_COMPLIANT if configuration.SecurityConfiguration.EncryptionConfiguration.EnableInTransitEncryption is false.

**Identifier:** EMR_SECURITY_CONFIGURATION_ENCRYPTION_TRANSIT

**Resource Types:** AWS::EMR::SecurityConfiguration

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d803c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# encrypted-volumes
<a name="encrypted-volumes"></a>

Checks if attached Amazon EBS volumes are encrypted and optionally are encrypted with a specified KMS key. The rule is NON_COMPLIANT if attached EBS volumes are unencrypted or are encrypted with a KMS key not in the supplied parameters.

**Identifier:** ENCRYPTED_VOLUMES

**Resource Types:** AWS::EC2::Volume

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions

**Parameters:**

kmsId (Optional)  
Type: String  
ID or ARN of the KMS key that is used to encrypt the volume.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d805c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# eventschemas-discoverer-tagged
<a name="eventschemas-discoverer-tagged"></a>

Checks if AWS EventSchemas discoverer resources have tags. Optionally, required tag keys can be specified. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not consider tags starting with `aws:`.

**Identifier:** EVENTSCHEMAS_DISCOVERER_TAGGED

**Resource Types:** AWS::EventSchemas::Discoverer

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with `aws:` are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d807c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# eventschemas-registry-tagged
<a name="eventschemas-registry-tagged"></a>

Checks if Amazon EventBridge Schema Registry resources have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** EVENTSCHEMAS_REGISTRY_TAGGED

**Resource Types:** AWS::EventSchemas::Registry

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d809c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# event-data-store-cmk-encryption-enabled
<a name="event-data-store-cmk-encryption-enabled"></a>

Checks if AWS CloudTrail event data stores have customer managed AWS KMS keys enabled. The rule is NON_COMPLIANT if an event data store has disabled customer managed KMS keys. Optionally, you can specify a list of KMS keys for the rule to check.

**Identifier:** EVENT_DATA_STORE_CMK_ENCRYPTION_ENABLED

**Resource Types:** AWS::CloudTrail::EventDataStore

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

kmsKeyArns (Optional)  
Type: CSV  
Comma-separated list of Amazon Resource Names (ARNs) of AWS KMS keys for the rule to check. If provided, the rule is NON_COMPLIANT if an AWS CloudTrail event data store is not encrypted with one of these KMS keys.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d811c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# evidently-launch-description
<a name="evidently-launch-description"></a>

Checks if Amazon CloudWatch Evidently launches have a description. The rule is NON_COMPLIANT if configuration.Description does not exist or is an empty string.

**Identifier:** EVIDENTLY_LAUNCH_DESCRIPTION

**Resource Types:** AWS::Evidently::Launch

**Trigger type:** Configuration changes

**AWS Region:** Only available in Europe (Stockholm), US East (Ohio), Europe (Ireland), Europe (Frankfurt), US East (N. Virginia), Asia Pacific (Tokyo), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Sydney) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d813c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# evidently-launch-tagged
<a name="evidently-launch-tagged"></a>

Checks if Amazon CloudWatch Evidently launches have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** EVIDENTLY_LAUNCH_TAGGED

**Resource Types:** AWS::Evidently::Launch

**Trigger type:** Configuration changes

**AWS Region:** Only available in Europe (Stockholm), US East (Ohio), Europe (Ireland), Europe (Frankfurt), US East (N. Virginia), Asia Pacific (Tokyo), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Sydney) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d815c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# evidently-project-description
<a name="evidently-project-description"></a>

Checks if Amazon CloudWatch Evidently projects have a description. The rule is NON_COMPLIANT if configuration.Description does not exist or is an empty string.

**Identifier:** EVIDENTLY_PROJECT_DESCRIPTION

**Resource Types:** AWS::Evidently::Project

**Trigger type:** Configuration changes

**AWS Region:** Only available in Europe (Stockholm), US East (Ohio), Europe (Ireland), Europe (Frankfurt), US East (N. Virginia), Asia Pacific (Tokyo), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Sydney) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d817c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# evidently-project-tagged
<a name="evidently-project-tagged"></a>

Checks if Amazon CloudWatch Evidently projects have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** EVIDENTLY_PROJECT_TAGGED

**Resource Types:** AWS::Evidently::Project

**Trigger type:** Configuration changes

**AWS Region:** Only available in Europe (Stockholm), US East (Ohio), Europe (Ireland), Europe (Frankfurt), US East (N. Virginia), Asia Pacific (Tokyo), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Sydney) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d819c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# evidently-segment-description
<a name="evidently-segment-description"></a>

Checks if Amazon CloudWatch Evidently segments have a description. The rule is NON_COMPLIANT if configuration.Description does not exist or is an empty string.

**Identifier:** EVIDENTLY_SEGMENT_DESCRIPTION

**Resource Types:** AWS::Evidently::Segment

**Trigger type:** Configuration changes

**AWS Region:** Only available in Europe (Stockholm), US East (Ohio), Europe (Ireland), Europe (Frankfurt), US East (N. Virginia), Asia Pacific (Tokyo), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Sydney) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d821c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# evidently-segment-tagged
<a name="evidently-segment-tagged"></a>

Checks if Amazon CloudWatch Evidently segments have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** EVIDENTLY_SEGMENT_TAGGED

**Resource Types:** AWS::Evidently::Segment

**Trigger type:** Configuration changes

**AWS Region:** Only available in Europe (Stockholm), US East (Ohio), Europe (Ireland), Europe (Frankfurt), US East (N. Virginia), Asia Pacific (Tokyo), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Sydney) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d823c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# fis-experiment-template-log-configuration-exists
<a name="fis-experiment-template-log-configuration-exists"></a>

Checks if AWS FIS experiment templates have experiment logging configured. The rule is NON_COMPLIANT if configuration.LogConfiguration does not exist.

**Identifier:** FIS_EXPERIMENT_TEMPLATE_LOG_CONFIGURATION_EXISTS

**Resource Types:** AWS::FIS::ExperimentTemplate

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Jakarta), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Osaka), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d825c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# fis-experiment-template-tagged
<a name="fis-experiment-template-tagged"></a>

Checks if AWS FIS experiment templates have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** FIS_EXPERIMENT_TEMPLATE_TAGGED

**Resource Types:** AWS::FIS::ExperimentTemplate

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Jakarta), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Osaka), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia), Europe (Zurich) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d827c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# fms-shield-resource-policy-check
<a name="fms-shield-resource-policy-check"></a>

**Note**  
This rule is currently in the deprecation process. We do not recommend that you use it directly.

Checks if resources that AWS Shield Advanced can protect are protected by Shield Advanced. The rule is NON_COMPLIANT if a specified resource is not protected.

**Identifier:** FMS_SHIELD_RESOURCE_POLICY_CHECK

**Resource Types:** AWS::CloudFront::Distribution, AWS::ElasticLoadBalancingV2::LoadBalancer, AWS::WAFRegional::WebACL, AWS::EC2::EIP, AWS::ElasticLoadBalancing::LoadBalancer, AWS::ShieldRegional::Protection, AWS::Shield::Protection

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except China (Beijing), Asia Pacific (Thailand), Asia Pacific (Jakarta), Asia Pacific (Malaysia), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

webACLId  
Type: String  
A unique identifier for a Web ACL.

resourceTypes  
Type: String  
The resource types you specify for the rule to check.

resourceTags (Optional)  
Type: String  
The resource tags you specify for the rule to check. For example, `{ "tagKey1" : ["tagValue1"], "tagKey2" : ["tagValue2", "tagValue3"] }`.

excludeResourceTags (Optional)  
Type: boolean  
If true, the rule excludes the resources specified in resourceTags. If false, the rule includes all the resources specified in resourceTags.

fmsManagedToken (Optional)  
Type: String  
A token generated by AWS Firewall Manager when creating the rule in your account. AWS Config ignores this parameter when you create this rule.

fmsRemediationEnabled (Optional)  
Type: boolean  
If true, AWS Firewall Manager will update NON_COMPLIANT resources according to FMS policy. AWS Config ignores this parameter when you create this rule.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d829c21"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# fms-webacl-resource-policy-check
<a name="fms-webacl-resource-policy-check"></a>

**Note**  
This rule is currently in the deprecation process. We do not recommend that you use it directly.

Checks if the web ACL is associated with an Application Load Balancer, API Gateway stage, or Amazon CloudFront distributions. When AWS Firewall Manager creates this rule, the FMS policy owner specifies the `WebACLId` in the FMS policy and can optionally enable remediation.



**Identifier:** FMS_WEBACL_RESOURCE_POLICY_CHECK

**Resource Types:** AWS::CloudFront::Distribution, AWS::ApiGateway::Stage, AWS::ElasticLoadBalancingV2::LoadBalancer, AWS::WAFRegional::WebACL

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (Thailand), Asia Pacific (Malaysia), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary) Region

**Parameters:**

webACLId  
Type: String  
The WebACLId of the web ACL.

resourceTags (Optional)  
Type: String  
The resource tags (ApplicationLoadBalancer, ApiGatewayStage and CloudFront distributions) that the rule should be associated with. For example, `{ "tagKey1" : ["tagValue1"], "tagKey2" : ["tagValue2", "tagValue3"] }`.

excludeResourceTags (Optional)  
Type: boolean  
If true, exclude resources that match resourceTags.

fmsManagedToken (Optional)  
Type: String  
A token generated by AWS Firewall Manager when creating the rule in the customer account. AWS Config ignores this parameter when the customer creates this rule.

fmsRemediationEnabled (Optional)  
Type: boolean  
If true, AWS Firewall Manager will update non-compliant resources according to FMS policy. AWS Config ignores this parameter when the customer creates this rule.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d831c21"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# fms-webacl-rulegroup-association-check
<a name="fms-webacl-rulegroup-association-check"></a>

**Note**  
This rule is currently in the deprecation process. We do not recommend that you use it directly.

Checks if the rule groups associate with the web ACL at the correct priority. The correct priority is decided by the rank of the rule groups in the ruleGroups parameter. When AWS Firewall Manager creates this rule, it assigns the highest priority 0 followed by 1, 2, and so on. The FMS policy owner specifies the `ruleGroups` rank in the FMS policy and can optionally enable remediation.



**Identifier:** FMS_WEBACL_RULEGROUP_ASSOCIATION_CHECK

**Resource Types:** AWS::WAF::WebACL, AWS::WAFRegional::WebACL

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (Thailand), Asia Pacific (Malaysia), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary) Region

**Parameters:**

ruleGroups  
Type: String  
Comma-separated list of RuleGroupIds and WafOverrideAction pairs. For example, `ruleGroupId-1:NONE, ruleGroupId2:COUNT`.

fmsManagedToken (Optional)  
Type: String  
A token generated by AWS Firewall Manager when creating the rule in the customer account. AWS Config ignores this parameter when the customer creates this rule.

fmsRemediationEnabled (Optional)  
Type: boolean  
If true, AWS Firewall Manager will update non-compliant resources according to FMS policy. AWS Config ignores this parameter when the customer creates this rule.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d833c21"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# frauddetector-entity-type-tagged
<a name="frauddetector-entity-type-tagged"></a>

Checks if Amazon Fraud Detector entity types have tags. Optionally, you can specify tag keys for the rule. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** FRAUDDETECTOR_ENTITY_TYPE_TAGGED

**Resource Types:** AWS::FraudDetector::EntityType

**Trigger type:** Configuration changes

**AWS Region:** Only available in US East (Ohio), Europe (Ireland), US East (N. Virginia), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Sydney) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d835c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# frauddetector-label-tagged
<a name="frauddetector-label-tagged"></a>

Checks if Amazon Fraud Detector labels have tags. Optionally, you can specify tag keys for the rule. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** FRAUDDETECTOR_LABEL_TAGGED

**Resource Types:** AWS::FraudDetector::Label

**Trigger type:** Configuration changes

**AWS Region:** Only available in US East (Ohio), Europe (Ireland), US East (N. Virginia), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Sydney) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d837c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# frauddetector-outcome-tagged
<a name="frauddetector-outcome-tagged"></a>

Checks if Amazon Fraud Detector outcomes have tags. Optionally, you can specify tag keys for the rule. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** FRAUDDETECTOR_OUTCOME_TAGGED

**Resource Types:** AWS::FraudDetector::Outcome

**Trigger type:** Configuration changes

**AWS Region:** Only available in US East (Ohio), Europe (Ireland), US East (N. Virginia), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Sydney) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d839c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# frauddetector-variable-tagged
<a name="frauddetector-variable-tagged"></a>

Checks if Amazon Fraud Detector variables have tags. Optionally, you can specify tag keys for the rule. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** FRAUDDETECTOR_VARIABLE_TAGGED

**Resource Types:** AWS::FraudDetector::Variable

**Trigger type:** Configuration changes

**AWS Region:** Only available in US East (Ohio), Europe (Ireland), US East (N. Virginia), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Sydney) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.
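The `*-tagged` rules above (from `elb-tagged` through `frauddetector-variable-tagged`) all describe the same decision, sketched here as an added offline example that is not AWS Config's own code. The function names are hypothetical, the resource's tags are assumed to arrive as a key-to-value dict, and trimming whitespace around CSV entries is an assumption.

```python
from typing import Optional

RESERVED_PREFIX = "aws:"  # literal prefix named in the rule text


def parse_required_key_tags(csv_value: Optional[str]) -> list[str]:
    """Split the requiredKeyTags parameter and reject keys the rules do not allow."""
    if csv_value is None or not csv_value.strip():
        return []
    # Assumption: surrounding whitespace is not part of a key; empty entries are dropped.
    keys = [key.strip() for key in csv_value.split(",") if key.strip()]
    reserved = [key for key in keys if key.startswith(RESERVED_PREFIX)]
    if reserved:
        raise ValueError(f"tag keys starting with 'aws:' are not allowed: {reserved}")
    return keys


def evaluate_tagged(tags: dict[str, str],
                    required_key_tags: Optional[str] = None) -> tuple[str, list[str]]:
    """Return (compliance, missing_keys) following the rule text.

    Tags whose key starts with 'aws:' are ignored, so a resource carrying only
    service-generated tags counts as having no tags at all.
    """
    required = parse_required_key_tags(required_key_tags)
    user_keys = {key for key in tags if not key.startswith(RESERVED_PREFIX)}
    if not user_keys:
        return "NON_COMPLIANT", required
    # Exact string comparison: the rules state that tag keys are case-sensitive.
    missing = [key for key in required if key not in user_keys]
    if missing:
        return "NON_COMPLIANT", missing
    return "COMPLIANT", []


# Constructed sample resources: (tags, requiredKeyTags parameter).
SAMPLES = {
    "only-aws-tags": ({"aws:cloudformation:stack-name": "demo"}, None),
    "any-tag-no-parameter": ({"Team": "payments"}, None),
    "wrong-case": ({"Owner": "alice"}, "owner"),
    "all-present": ({"Owner": "alice", "CostCenter": "1234"}, "Owner, CostCenter"),
    "one-missing": ({"Owner": "alice"}, "Owner,CostCenter"),
}


def evaluate_samples() -> dict[str, tuple[str, list[str]]]:
    """Verdict and missing keys for each constructed sample."""
    return {name: evaluate_tagged(tags, param) for name, (tags, param) in SAMPLES.items()}


if __name__ == "__main__":
    for name, (verdict, missing) in evaluate_samples().items():
        print(f"{name:22} {verdict:14} missing={missing}")
```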

## AWS CloudFormation template
<a name="w2aac20c16c17b7d841c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# fsx-last-backup-recovery-point-created
<a name="fsx-last-backup-recovery-point-created"></a>

Checks if a recovery point was created for Amazon FSx File Systems. The rule is NON_COMPLIANT if the Amazon FSx File System does not have a corresponding recovery point created within the specified time period.

**Identifier:** FSX_LAST_BACKUP_RECOVERY_POINT_CREATED

**Resource Types:** AWS::FSx::FileSystem

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

resourceTags (Optional)  
Type: String  
Tags of Amazon FSx File Systems for the rule to check, in JSON format `{"tagkey" : "tagValue"}`.

resourceId (Optional)  
Type: String  
ID of Amazon FSx File System for the rule to check.

recoveryPointAgeValue (Optional)  
Type: int  
Default: 1  
Numerical value for maximum allowed age. No more than 744 for hours, 31 for days.

recoveryPointAgeUnit (Optional)  
Type: String  
Default: days  
Unit of time for maximum allowed age. Accepted values: 'hours', 'days'.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d843c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# fsx-lustre-copy-tags-to-backups
<a name="fsx-lustre-copy-tags-to-backups"></a>

Checks if the Amazon FSx for Lustre file systems are configured to copy tags to backups. The rule is NON_COMPLIANT if Lustre file systems are not configured to copy tags to backups.

**Identifier:** FSX_LUSTRE_COPY_TAGS_TO_BACKUPS

**Resource Types:** AWS::FSx::FileSystem

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d845c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# fsx-meets-restore-time-target
<a name="fsx-meets-restore-time-target"></a>

Checks if the restore time of Amazon FSx File Systems meets the specified duration. The rule is NON_COMPLIANT if LatestRestoreExecutionTimeMinutes of an Amazon FSx File System is greater than maxRestoreTime minutes.

**Identifier:** FSX_MEETS_RESTORE_TIME_TARGET

**Resource Types:** AWS::FSx::FileSystem

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

maxRestoreTime Type: int  
Numerical value for the maximum allowed restore runtime.

resourceTags (Optional) Type: String  
Tags of Amazon FSx File Systems for the rule to check, in JSON format.

resourceId (Optional) Type: String  
ID of Amazon FSx File System for the rule to check.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d847c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# fsx-ontap-deployment-type-check
<a name="fsx-ontap-deployment-type-check"></a>

Checks if Amazon FSx for NetApp ONTAP file systems are configured with certain deployment types. The rule is NON_COMPLIANT if the Amazon FSx for NetApp ONTAP file systems are not configured with the deployment types you specify.

**Identifier:** FSX_ONTAP_DEPLOYMENT_TYPE_CHECK

**Resource Types:** AWS::FSx::FileSystem

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Malaysia), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary) Region

**Parameters:**

deploymentTypes Type: CSV  
Comma-separated list of allowed Deployment types for the rule to check. 

## AWS CloudFormation template
<a name="w2aac20c16c17b7d849c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# fsx-openzfs-copy-tags-enabled
<a name="fsx-openzfs-copy-tags-enabled"></a>

Checks if the Amazon FSx for OpenZFS file systems are configured to copy tags to backups and volumes. The rule is NON_COMPLIANT if FSx for OpenZFS file systems are not configured to copy tags to backups and volumes.

**Identifier:** FSX_OPENZFS_COPY_TAGS_ENABLED

**Resource Types:** AWS::FSx::FileSystem

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d851c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# fsx-openzfs-deployment-type-check
<a name="fsx-openzfs-deployment-type-check"></a>

Checks if the Amazon FSx for OpenZFS file systems are configured with certain deployment types. The rule is NON_COMPLIANT if FSx for OpenZFS file systems are not configured with the deployment types you specify.

**Identifier:** FSX_OPENZFS_DEPLOYMENT_TYPE_CHECK

**Resource Types:** AWS::FSx::FileSystem

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Malaysia), Asia Pacific (Melbourne), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary) Region

**Parameters:**

deploymentTypes Type: CSV  
Comma-separated list of allowed Deployment types for the rule to check. 

## AWS CloudFormation template
<a name="w2aac20c16c17b7d853c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# fsx-resources-protected-by-backup-plan
<a name="fsx-resources-protected-by-backup-plan"></a>

Checks if Amazon FSx File Systems are protected by a backup plan. The rule is NON_COMPLIANT if the Amazon FSx File System is not covered by a backup plan.

**Identifier:** FSX_RESOURCES_PROTECTED_BY_BACKUP_PLAN

**Resource Types:** AWS::FSx::FileSystem

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

resourceTags (Optional) Type: String  
Tags of Amazon FSx File Systems for the rule to check, in JSON format `{"tagkey" : "tagValue"}`.

resourceId (Optional) Type: String  
ID of the Amazon FSx File System for the rule to check.

crossRegionList (Optional) Type: String  
Comma-separated list of destination regions for the cross-region backup copy to be kept.

crossAccountList (Optional) Type: String  
Comma-separated list of destination accounts for cross-account backup copy to be kept.

maxRetentionDays (Optional) Type: int  
The maximum retention period in days for the Backup Vault Lock.

minRetentionDays (Optional) Type: int  
The minimum retention period in days for the Backup Vault Lock.

backupVaultLockCheck (Optional) Type: String  
Accepted values: 'True' or 'False'. Enter 'True' for the rule to check if the resource is backed up in a locked vault.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d855c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# fsx-windows-audit-log-configured
<a name="fsx-windows-audit-log-configured"></a>

Checks if the Amazon FSx for Windows File Server file systems have file access auditing enabled. The rule is NON_COMPLIANT if the FSx for Windows File Server file systems do not have file access auditing enabled.

**Identifier:** FSX_WINDOWS_AUDIT_LOG_CONFIGURED

**Resource Types:** AWS::FSx::FileSystem

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d857c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# fsx-windows-deployment-type-check
<a name="fsx-windows-deployment-type-check"></a>

Checks if the Amazon FSx for WINDOWS file systems are configured with certain deployment types. The rule is NON_COMPLIANT if FSx for WINDOWS file systems are not configured with the deployment types you specify.

**Identifier:** FSX_WINDOWS_DEPLOYMENT_TYPE_CHECK

**Resource Types:** AWS::FSx::FileSystem

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Malaysia), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary) Region

**Parameters:**

deploymentTypes Type: CSV  
Comma-separated list of allowed Deployment types for the rule to check. 

## AWS CloudFormation template
<a name="w2aac20c16c17b7d859c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# glb-listener-tagged
<a name="glb-listener-tagged"></a>

Checks if Gateway Load Balancer listeners have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** GLB_LISTENER_TAGGED

**Resource Types:** AWS::ElasticLoadBalancingV2::Listener

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Jakarta), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

requiredKeyTags (Optional) Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d861c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# glb-tagged
<a name="glb-tagged"></a>

Checks if Gateway Load Balancers have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** GLB_TAGGED

**Resource Types:** AWS::ElasticLoadBalancingV2::LoadBalancer

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), China (Ningxia) Region

**Parameters:**

requiredKeyTags (Optional) Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d863c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# global-endpoint-event-replication-enabled
<a name="global-endpoint-event-replication-enabled"></a>

Checks if event replication is enabled for Amazon EventBridge global endpoints. The rule is NON_COMPLIANT if event replication is not enabled.

**Identifier:** GLOBAL_ENDPOINT_EVENT_REPLICATION_ENABLED

**Resource Types:** AWS::Events::Endpoint

**Trigger type:** Configuration changes

**AWS Region:** Only available in Europe (Stockholm), Asia Pacific (Mumbai), Europe (Paris), US East (Ohio), Europe (Ireland), Europe (Frankfurt), South America (Sao Paulo), US East (N. Virginia), Asia Pacific (Seoul), Asia Pacific (Osaka), Europe (London), Asia Pacific (Tokyo), US West (Oregon), US West (N. California), Asia Pacific (Singapore), Asia Pacific (Sydney), Canada (Central) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d865c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# glue-job-logging-enabled
<a name="glue-job-logging-enabled"></a>

Checks if an AWS Glue job has logging enabled. The rule is NON_COMPLIANT if an AWS Glue job does not have Amazon CloudWatch logs enabled.

**Identifier:** GLUE_JOB_LOGGING_ENABLED

**Resource Types:** AWS::Glue::Job

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Malaysia), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d867c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# glue-ml-transform-encrypted-at-rest
<a name="glue-ml-transform-encrypted-at-rest"></a>

Checks if an AWS Glue ML Transform has encryption at rest enabled. The rule is NON_COMPLIANT if `MLUserDataEncryptionMode` is set to `DISABLED`.

**Identifier:** GLUE_ML_TRANSFORM_ENCRYPTED_AT_REST

**Resource Types:** AWS::Glue::MLTransform

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d869c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# glue-ml-transform-tagged
<a name="glue-ml-transform-tagged"></a>

Checks if AWS Glue machine learning transforms have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** GLUE_ML_TRANSFORM_TAGGED

**Resource Types:** AWS::Glue::MLTransform

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), China (Ningxia) Region

**Parameters:**

requiredKeyTags (Optional) Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d871c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# glue-spark-job-supported-version
<a name="glue-spark-job-supported-version"></a>

Checks if an AWS Glue Spark job is running on the specified minimum supported AWS Glue version. The rule is NON_COMPLIANT if the AWS Glue Spark job is not running on the minimum supported AWS Glue version that you specify.

**Identifier:** GLUE_SPARK_JOB_SUPPORTED_VERSION

**Resource Types:** AWS::Glue::Job

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Malaysia), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary) Region

**Parameters:**

minimumSupportedGlueVersion Type: String  
String value, which you must specify, of the minimum supported AWS Glue version for the rule to check.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d873c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# groundstation-config-tagged
<a name="groundstation-config-tagged"></a>

Checks if AWS GroundStation config resources have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** GROUNDSTATION_CONFIG_TAGGED

**Resource Types:** AWS::GroundStation::Config

**Trigger type:** Configuration changes

**AWS Region:** Only available in Europe (Stockholm), Middle East (Bahrain), US East (Ohio), Africa (Cape Town), Europe (Ireland), Europe (Frankfurt), South America (Sao Paulo), US East (N. Virginia), Asia Pacific (Seoul), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Sydney) Region

**Parameters:**

requiredKeyTags (Optional) Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d875c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# groundstation-dataflowendpointgroup-tagged
<a name="groundstation-dataflowendpointgroup-tagged"></a>

Checks if AWS GroundStation dataflow endpoint group resources have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule doesn't check tags starting with 'aws:'.

**Identifier:** GROUNDSTATION_DATAFLOWENDPOINTGROUP_TAGGED

**Resource Types:** AWS::GroundStation::DataflowEndpointGroup

**Trigger type:** Configuration changes

**AWS Region:** Only available in Europe (Stockholm), Middle East (Bahrain), US East (Ohio), Africa (Cape Town), Europe (Ireland), Europe (Frankfurt), South America (Sao Paulo), US East (N. Virginia), Asia Pacific (Seoul), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Sydney) Region

**Parameters:**

requiredKeyTags (Optional) Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d877c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# groundstation-missionprofile-tagged
<a name="groundstation-missionprofile-tagged"></a>

Checks if AWS GroundStation mission profile resources have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** GROUNDSTATION_MISSIONPROFILE_TAGGED

**Resource Types:** AWS::GroundStation::MissionProfile

**Trigger type:** Configuration changes

**AWS Region:** Only available in Europe (Stockholm), Middle East (Bahrain), US East (Ohio), Africa (Cape Town), Europe (Ireland), Europe (Frankfurt), South America (Sao Paulo), US East (N. Virginia), Asia Pacific (Seoul), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Sydney) Region

**Parameters:**

requiredKeyTags (Optional) Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d879c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# guardduty-ec2-protection-runtime-enabled
<a name="guardduty-ec2-protection-runtime-enabled"></a>

Checks if ECS Runtime Monitoring with automated agent management is enabled for Amazon GuardDuty detector. The rule is NON_COMPLIANT if the feature is not enabled for your account or at least one member account in your organization.

**Identifier:** GUARDDUTY_EC2_PROTECTION_RUNTIME_ENABLED

**Resource Types:** AWS::GuardDuty::Detector

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d881c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# guardduty-ecs-protection-runtime-enabled
<a name="guardduty-ecs-protection-runtime-enabled"></a>

Checks if ECS Runtime Monitoring with automated agent management is enabled for Amazon GuardDuty detector. The rule is NON_COMPLIANT if the feature is not enabled for your account or at least one member account in your organization.

**Identifier:** GUARDDUTY_ECS_PROTECTION_RUNTIME_ENABLED

**Resource Types:** AWS::GuardDuty::Detector

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d883c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# guardduty-eks-protection-audit-enabled
<a name="guardduty-eks-protection-audit-enabled"></a>

Checks if Audit Log Monitoring for Amazon Elastic Kubernetes Service (Amazon EKS) is enabled for an Amazon GuardDuty detector in your account. The rule is NON_COMPLIANT if the EKS Audit Log Monitoring feature is not enabled for your account.

**Identifier:** GUARDDUTY_EKS_PROTECTION_AUDIT_ENABLED

**Resource Types:** AWS::GuardDuty::Detector

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d885c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# guardduty-eks-protection-runtime-enabled
<a name="guardduty-eks-protection-runtime-enabled"></a>

Checks if Amazon EKS Runtime Monitoring with automated agent management is enabled for GuardDuty detector in your account. The rule is NON_COMPLIANT if EKS Runtime Monitoring with automated agent management in GuardDuty is not enabled for your account.

**Identifier:** GUARDDUTY_EKS_PROTECTION_RUNTIME_ENABLED

**Resource Types:** AWS::GuardDuty::Detector

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d887c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# guardduty-enabled-centralized
<a name="guardduty-enabled-centralized"></a>

Checks if Amazon GuardDuty is enabled in your AWS account and AWS Region. If you provide an AWS account for centralization, the rule evaluates the GuardDuty results in the centralized account. The rule is COMPLIANT when GuardDuty is enabled. 



**Identifier:** GUARDDUTY_ENABLED_CENTRALIZED

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Mexico (Central), Asia Pacific (Taipei) Region

**Parameters:**

CentralMonitoringAccount (Optional) Type: String  
Comma-separated list of AWS accounts (12-digit) where Amazon GuardDuty results are allowed to be centralized.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d889c17"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# guardduty-lambda-protection-enabled
<a name="guardduty-lambda-protection-enabled"></a>

Checks if Lambda Protection is enabled for an Amazon GuardDuty detector in your account. The rule is NON_COMPLIANT if the Lambda Protection feature in Amazon GuardDuty is not enabled for your account.

**Identifier:** GUARDDUTY_LAMBDA_PROTECTION_ENABLED

**Resource Types:** AWS::GuardDuty::Detector

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d891c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# guardduty-malware-protection-enabled
<a name="guardduty-malware-protection-enabled"></a>

Checks if Malware Protection is enabled for an Amazon GuardDuty detector in your account. The rule is NON_COMPLIANT if the Malware Protection feature in Amazon GuardDuty is not enabled for your account.

**Identifier:** GUARDDUTY_MALWARE_PROTECTION_ENABLED

**Resource Types:** AWS::GuardDuty::Detector

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d893c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# guardduty-non-archived-findings
<a name="guardduty-non-archived-findings"></a>

Checks if Amazon GuardDuty has findings that are non-archived. The rule is NON_COMPLIANT if GuardDuty has non-archived low/medium/high severity findings older than the specified number in the `daysLowSev`/`daysMediumSev`/`daysHighSev` parameter.

**Identifier:** GUARDDUTY_NON_ARCHIVED_FINDINGS

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Mexico (Central), Asia Pacific (Taipei) Region

**Parameters:**

daysLowSev (Optional) Type: int Default: 30  
The number of days Amazon GuardDuty low severity findings are allowed to stay non-archived. The default is 30 days.

daysMediumSev (Optional) Type: int Default: 7  
The number of days Amazon GuardDuty medium severity findings are allowed to stay non-archived. The default is 7 days.

daysHighSev (Optional) Type: int Default: 1  
The number of days Amazon GuardDuty high severity findings are allowed to stay non-archived. The default is 1 day.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d895c17"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# guardduty-rds-protection-enabled
<a name="guardduty-rds-protection-enabled"></a>

Checks if Amazon Relational Database Service (Amazon RDS) protection is enabled for an Amazon GuardDuty detector in your account. The rule is NON_COMPLIANT if the Amazon RDS protection feature in Amazon GuardDuty is not enabled for your account.

**Identifier:** GUARDDUTY_RDS_PROTECTION_ENABLED

**Resource Types:** AWS::GuardDuty::Detector

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d897c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# guardduty-runtime-monitoring-enabled
<a name="guardduty-runtime-monitoring-enabled"></a>

Checks if Runtime Monitoring is enabled for Amazon GuardDuty detector in your account or organization. The rule is NON_COMPLIANT if Runtime Monitoring in GuardDuty is not enabled for your account or at least one member account in your organization.

**Identifier:** GUARDDUTY_RUNTIME_MONITORING_ENABLED

**Resource Types:** AWS::GuardDuty::Detector

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d899c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# guardduty-s3-protection-enabled
<a name="guardduty-s3-protection-enabled"></a>

Checks if S3 Protection is enabled for an Amazon GuardDuty Detector in your account. The rule is NON_COMPLIANT if the S3 Protection feature in Amazon GuardDuty is not enabled for your account.

**Identifier:** GUARDDUTY_S3_PROTECTION_ENABLED

**Resource Types:** AWS::GuardDuty::Detector

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d901c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# healthlake-fhirdatastore-tagged
<a name="healthlake-fhirdatastore-tagged"></a>

Checks if Amazon HealthLake FHIRDatastores have tags. Optionally, required tag keys can be specified. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not consider tags starting with `aws:`.

**Identifier:** HEALTHLAKE_FHIRDATASTORE_TAGGED

**Resource Types:** AWS::HealthLake::FHIRDatastore

**Trigger type:** Configuration changes

**AWS Region:** Only available in Asia Pacific (Mumbai), US East (Ohio), US East (N. Virginia), US West (Oregon) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d903c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# iam-customer-policy-blocked-kms-actions
<a name="iam-customer-policy-blocked-kms-actions"></a>

Checks if the managed AWS Identity and Access Management (IAM) policies that you create do not allow blocked KMS actions on all AWS KMS key resources. The rule is NON_COMPLIANT if any blocked action is allowed on all AWS KMS keys by the managed IAM policy.

**Note**  
To be considered non-public, an IAM policy must grant access only to fixed values. This means values that don't contain a wildcard or the following IAM policy element: [Variables](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#policy-vars-using-variables).

**Identifier:** IAM_CUSTOMER_POLICY_BLOCKED_KMS_ACTIONS

**Resource Types:** AWS::IAM::Policy

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), Europe (Zurich) Region

**Parameters:**

blockedActionsPatterns  
Type: CSV  
Comma-separated list of blocked KMS action patterns for the rule to check. The rule is NON_COMPLIANT if IAM customer managed policies allow wildcard access to all resources for the actions you specify.

excludePermissionBoundaryPolicy (Optional)  
Type: boolean  
Boolean flag to exclude the evaluation of IAM policies used as permissions boundaries. If set to 'true', the rule will not include permissions boundaries in the evaluation. If set to 'false', all IAM policies in scope are evaluated. Default value is 'false'.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d905c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# iam-external-access-analyzer-enabled
<a name="iam-external-access-analyzer-enabled"></a>

Checks if an IAM Access Analyzer for external access is activated in your account per region. The rule is NON_COMPLIANT if there are no analyzers for external access in the region or if the 'status' attribute is not set to 'ACTIVE'.

**Identifier:** IAM_EXTERNAL_ACCESS_ANALYZER_ENABLED

**Resource Types:** AWS::::Account

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d907c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# iam-group-has-users-check
<a name="iam-group-has-users-check"></a>

Checks whether IAM groups have at least one IAM user. 



**Identifier:** IAM_GROUP_HAS_USERS_CHECK

**Resource Types:** AWS::IAM::Group

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d909c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# iam-inline-policy-blocked-kms-actions
<a name="iam-inline-policy-blocked-kms-actions"></a>

Checks if the inline policies attached to your IAM users, roles, and groups do not allow blocked actions on all AWS KMS keys. The rule is NON_COMPLIANT if any blocked action is allowed on all AWS KMS keys in an inline policy.

**Identifier:** IAM_INLINE_POLICY_BLOCKED_KMS_ACTIONS

**Resource Types:** AWS::IAM::Group, AWS::IAM::Role, AWS::IAM::User

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), Europe (Zurich) Region

**Parameters:**

blockedActionsPatterns  
Type: CSV  
Comma-separated list of blocked KMS action patterns, for example, `kms:*`, `kms:Decrypt`, `kms:ReEncrypt*`.

excludeRoleByManagementAccount (Optional)  
Type: boolean  
Exclude a role if it is only assumable by the organization management account.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d911c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# iam-no-inline-policy-check
<a name="iam-no-inline-policy-check"></a>

Checks if the inline policy feature is not in use. The rule is NON_COMPLIANT if an AWS Identity and Access Management (IAM) user, IAM role or IAM group has any inline policy.

**Identifier:** IAM_NO_INLINE_POLICY_CHECK

**Resource Types:** AWS::IAM::Group, AWS::IAM::Role, AWS::IAM::User

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d913c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# iam-oidc-provider-client-id-list-check
<a name="iam-oidc-provider-client-id-list-check"></a>

Checks if AWS IAM OIDC providers are configured with approved client IDs. The rule is NON_COMPLIANT if `configuration.ClientIdList` contains IDs not specified in the required rule parameter.

**Identifier:** IAM_OIDC_PROVIDER_CLIENT_ID_LIST_CHECK

**Resource Types:** AWS::IAM::OIDCProvider

**Trigger type:** Configuration changes

**AWS Region:** Only available in US East (N. Virginia) Region

**Parameters:**

allowedClientIds  
Type: CSV  
Comma-separated list of client IDs for the rule to check. The rule is NON_COMPLIANT if `configuration.ClientIdList` contains values not specified in this parameter.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d915c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# iam-oidc-provider-tagged
<a name="iam-oidc-provider-tagged"></a>

Checks if AWS IAM OIDC providers have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** IAM_OIDC_PROVIDER_TAGGED

**Resource Types:** AWS::IAM::OIDCProvider

**Trigger type:** Configuration changes

**AWS Region:** Only available in US East (N. Virginia) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d917c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# iam-password-policy
<a name="iam-password-policy"></a>

Checks if the account password policy for AWS Identity and Access Management (IAM) users meets the specified requirements indicated in the parameters. The rule is NON_COMPLIANT if the account password policy does not meet the specified requirements.

**Important**  
The `true` and `false` values for the rule parameters are case-sensitive. If `true` is not provided in lowercase, it will be treated as `false`.

**Note**  
**Evaluation Result for the Default IAM Password Policy**  
This rule is marked as NON_COMPLIANT when the default IAM password policy is used.  
**Managed Rules and Global IAM Resource Types**  
The global IAM resource types onboarded before February 2022 (`AWS::IAM::Group`, `AWS::IAM::Policy`, `AWS::IAM::Role`, and `AWS::IAM::User`) can only be recorded by AWS Config in AWS Regions where AWS Config was available before February 2022. These resource types cannot be recorded in Regions supported by AWS Config after February 2022. For a list of those Regions, see [Recording AWS Resources | Global Resources](https://docs.aws.amazon.com/config/latest/developerguide/select-resources.html#select-resources-all).  
If you record a global IAM resource type in at least one Region, periodic rules that report compliance on the global IAM resource type will run evaluations in all Regions where the periodic rule is added, even if you have not enabled the recording of the global IAM resource type in the Region where the periodic rule was added.  
To avoid unnecessary evaluations, you should only deploy periodic rules that report compliance on a global IAM resource type to one of the supported Regions. For a list of which managed rules are supported in which Regions, see [List of AWS Config Managed Rules by Region Availability](https://docs.aws.amazon.com/config/latest/developerguide/managing-rules-by-region-availability.html).

**Identifier:** IAM_PASSWORD_POLICY

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions

**Parameters:**

RequireUppercaseCharacters (Optional)  
Type: boolean  
Default: true  
Require at least one uppercase character in password.

RequireLowercaseCharacters (Optional)  
Type: boolean  
Default: true  
Require at least one lowercase character in password.

RequireSymbols (Optional)  
Type: boolean  
Default: true  
Require at least one symbol in password.

RequireNumbers (Optional)  
Type: boolean  
Default: true  
Require at least one number in password.

MinimumPasswordLength (Optional)  
Type: int  
Default: 14  
Password minimum length.

PasswordReusePrevention (Optional)  
Type: int  
Default: 24  
Number of passwords before allowing reuse.

MaxPasswordAge (Optional)  
Type: int  
Default: 90  
Number of days before password expiration.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d919c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# iam-policy-blacklisted-check
<a name="iam-policy-blacklisted-check"></a>

Checks, for each AWS Identity and Access Management (IAM) resource, whether a policy Amazon Resource Name (ARN) listed in the input parameter is attached to that IAM resource. The rule is NON_COMPLIANT if the policy ARN is attached to the IAM resource.

**Identifier:** IAM_POLICY_BLACKLISTED_CHECK

**Resource Types:** AWS::IAM::User, AWS::IAM::Group, AWS::IAM::Role

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), Europe (Zurich) Region

**Parameters:**

policyArns  
Type: CSV  
Default: arn:aws:iam::aws:policy/AdministratorAccess  
Comma-separated list of IAM policy ARNs which should not be attached to any IAM entity.

exceptionList (Optional)  
Type: CSV  
Comma-separated list of resource types, each paired with a list of resource names. For example, users:[user1;user2], groups:[group1;group2], roles:[role1;role2;role3].  
For the exception list, specify the name of the resource and not the full ARN. Not valid: `arn:aws:iam::444455556666:role/Admin`. Valid: `Admin`.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d921c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# iam-policy-description
<a name="iam-policy-description"></a>

Checks if AWS Identity and Access Management (IAM) Policy description field exists. The rule is NON_COMPLIANT if the description field does not exist or is an empty string.

**Identifier:** IAM_POLICY_DESCRIPTION

**Resource Types:** AWS::IAM::Policy

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d923c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# iam-policy-in-use
<a name="iam-policy-in-use"></a>

Checks whether the IAM policy ARN is attached to an IAM user, or a group with one or more IAM users, or an IAM role with one or more trusted entities.

**Note**  
**Managed Rules and Global IAM Resource Types**  
The global IAM resource types onboarded before February 2022 (`AWS::IAM::Group`, `AWS::IAM::Policy`, `AWS::IAM::Role`, and `AWS::IAM::User`) can only be recorded by AWS Config in AWS Regions where AWS Config was available before February 2022. These resource types cannot be recorded in Regions supported by AWS Config after February 2022. For a list of those Regions, see [Recording AWS Resources | Global Resources](https://docs.aws.amazon.com/config/latest/developerguide/select-resources.html#select-resources-all).  
If you record a global IAM resource type in at least one Region, periodic rules that report compliance on the global IAM resource type will run evaluations in all Regions where the periodic rule is added, even if you have not enabled the recording of the global IAM resource type in the Region where the periodic rule was added.  
To avoid unnecessary evaluations, you should only deploy periodic rules that report compliance on a global IAM resource type to one of the supported Regions. For a list of which managed rules are supported in which Regions, see [List of AWS Config Managed Rules by Region Availability](https://docs.aws.amazon.com/config/latest/developerguide/managing-rules-by-region-availability.html).

**Identifier:** IAM_POLICY_IN_USE

**Resource Types:** AWS::::Account

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), Europe (Zurich) Region

**Parameters:**

policyARN  
Type: String  
An IAM policy ARN to be checked.

policyUsageType (Optional)  
Type: String  
Specify whether you expect the policy to be attached to an IAM user, group or role. Valid values are IAM_USER, IAM_GROUP, IAM_ROLE, or ANY. Default value is ANY.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d925c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# iam-policy-no-statements-with-admin-access
<a name="iam-policy-no-statements-with-admin-access"></a>

Checks if AWS Identity and Access Management (IAM) policies that you create have Allow statements that grant permissions to all actions on all resources. The rule is NON_COMPLIANT if any customer managed IAM policy statement includes `"Effect": "Allow"` with `"Action": "*"` over `"Resource": "*"`.

**Note**  
This rule only evaluates customer managed policies. This rule does NOT evaluate inline policies or AWS managed policies. For more information on the difference, see [Managed policies and inline policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html) in the *IAM User Guide*.

The following policy is NON_COMPLIANT:

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor",
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}
```

The following policy is COMPLIANT:

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor",
            "Effect": "Allow",
            "Action": "service:*",
            "Resource": "*"
        }
    ]
}
```



**Identifier:** IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS

**Resource Types:** AWS::IAM::Policy

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), Europe (Zurich) Region

**Parameters:**

excludePermissionBoundaryPolicy (Optional)  
Type: boolean  
Boolean flag to exclude the evaluation of IAM policies used as permissions boundaries. If set to 'true', the rule will not include permissions boundaries in the evaluation. If set to 'false', all IAM policies in scope are evaluated. Default value is 'false'.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d927c29"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# iam-policy-no-statements-with-full-access
<a name="iam-policy-no-statements-with-full-access"></a>

Checks if AWS Identity and Access Management (IAM) policies that you create grant permissions to all actions on individual AWS resources. The rule is NON_COMPLIANT if any customer managed IAM policy allows full access to at least 1 AWS service.

**Context**: Following the principle of least privilege, it is recommended to limit the permitted actions in your IAM policies when granting permissions to AWS services. This approach helps ensure that you only grant the necessary permissions by specifying the exact actions required, avoiding the use of unrestricted wildcards for a service, such as `ec2:*`.

In some cases, you might want to permit multiple actions with a similar prefix, such as [DescribeFlowLogs](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeFlowLogs.html) and [DescribeAvailabilityZones](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeAvailabilityZones.html). In these cases, you can add a suffixed wildcard to the common prefix (for example, `ec2:Describe*`). Grouping related actions can help avoid hitting [IAM policy size limits](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html).

This rule will return COMPLIANT if you use prefixed actions with a suffixed wildcard (for example, `ec2:Describe*`). This rule will only return NON_COMPLIANT if you use unrestricted wildcards (for example, `ec2:*`).

**Note**  
This rule only evaluates customer managed policies. This rule does NOT evaluate inline policies or AWS managed policies. For more information on the difference, see [Managed policies and inline policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html) in the *IAM User Guide*.
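
The wildcard distinction drawn by this rule and by iam-policy-no-statements-with-admin-access can be checked offline against a policy document before it is deployed. The following Python is an added example, not AWS Config's own implementation: the function names and sample policies are constructed for illustration, and it assumes only the literal forms described on this page (`*` on resource `*`, and `service:*`) in Allow statements are flagged.

```python
ADMIN_RULE = "IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS"
FULL_RULE = "IAM_POLICY_NO_STATEMENTS_WITH_FULL_ACCESS"


def as_list(value):
    """IAM accepts a single value or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def classify_action(action):
    """Classify one Action string.

    'admin'  -> "*"          (every action of every service)
    'full'   -> "service:*"  (every action of one service)
    'scoped' -> anything else, including prefixed wildcards like "ec2:Describe*"
    """
    action = action.strip()
    if action == "*":
        return "admin"
    service, sep, name = action.partition(":")
    if sep and service and name == "*":
        return "full"
    return "scoped"


def evaluate_policy(document):
    """Approximate both rule verdicts for one customer managed policy document.

    Assumptions of this example: Deny statements are ignored, NotAction is
    not analysed, and a "service:*" action is flagged whatever its Resource.
    """
    admin_hit = False
    full_services = set()
    for statement in as_list(document.get("Statement")):
        if statement.get("Effect") != "Allow":
            continue
        resources = as_list(statement.get("Resource"))
        for action in as_list(statement.get("Action")):
            kind = classify_action(action)
            if kind == "admin" and "*" in resources:
                admin_hit = True
            elif kind == "full":
                full_services.add(action.split(":", 1)[0].strip().lower())
    return {
        ADMIN_RULE: "NON_COMPLIANT" if admin_hit else "COMPLIANT",
        FULL_RULE: "NON_COMPLIANT" if full_services else "COMPLIANT",
        "full_access_services": sorted(full_services),
    }


# Constructed sample policies (not taken from any real account).
ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
SERVICE_WILDCARD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:*", "s3:GetObject"], "Resource": "*"}
    ],
}
PREFIX_WILDCARD_POLICY = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
}
DENY_ALL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"}],
}

if __name__ == "__main__":
    samples = {
        "admin": ADMIN_POLICY,
        "service wildcard": SERVICE_WILDCARD_POLICY,
        "prefix wildcard": PREFIX_WILDCARD_POLICY,
        "deny all": DENY_ALL_POLICY,
    }
    for label, policy in samples.items():
        print(label, evaluate_policy(policy))
```
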



**Identifier:** IAM_POLICY_NO_STATEMENTS_WITH_FULL_ACCESS

**Resource Types:** AWS::IAM::Policy

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), Europe (Zurich) Region

**Parameters:**

excludePermissionBoundaryPolicy (Optional)  
Type: boolean  
Boolean flag to exclude the evaluation of IAM policies used as permissions boundaries. If set to 'true', the rule will not include permissions boundaries in the evaluation. If set to 'false', all IAM policies in scope are evaluated. Default value is 'false'.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d929c27"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# iam-role-managed-policy-check
<a name="iam-role-managed-policy-check"></a>

Checks if all managed policies specified in the list of managed policies are attached to the AWS Identity and Access Management (IAM) role. The rule is NON_COMPLIANT if a managed policy is not attached to the IAM role.

**Identifier:** IAM_ROLE_MANAGED_POLICY_CHECK

**Resource Types:** AWS::IAM::Role

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), Europe (Zurich) Region

**Parameters:**

managedPolicyArns  
Type: CSV  
Comma-separated list of AWS managed policy Amazon Resource Names (ARNs). For more information, see [Amazon Resource Names (ARNs)](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html) and [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html) in the *IAM User Guide*.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d931c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# iam-root-access-key-check
<a name="iam-root-access-key-check"></a>

Checks if the root user access key is available. The rule is COMPLIANT if the user access key does not exist. Otherwise, the rule is NON_COMPLIANT.

**Note**  
**Managed Rules and Global IAM Resource Types**  
The global IAM resource types onboarded before February 2022 (`AWS::IAM::Group`, `AWS::IAM::Policy`, `AWS::IAM::Role`, and `AWS::IAM::User`) can only be recorded by AWS Config in AWS Regions where AWS Config was available before February 2022. These resource types cannot be recorded in Regions supported by AWS Config after February 2022. For a list of those Regions, see [Recording AWS Resources | Global Resources](https://docs.aws.amazon.com/config/latest/developerguide/select-resources.html#select-resources-all).  
If you record a global IAM resource type in at least one Region, periodic rules that report compliance on the global IAM resource type will run evaluations in all Regions where the periodic rule is added, even if you have not enabled the recording of the global IAM resource type in the Region where the periodic rule was added.  
To avoid unnecessary evaluations, you should only deploy periodic rules that report compliance on a global IAM resource type to one of the supported Regions. For a list of which managed rules are supported in which Regions, see [List of AWS Config Managed Rules by Region Availability](https://docs.aws.amazon.com/config/latest/developerguide/managing-rules-by-region-availability.html).



**Identifier:** IAM_ROOT_ACCESS_KEY_CHECK

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Malaysia), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d933c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# iam-saml-provider-tagged
<a name="iam-saml-provider-tagged"></a>

Checks if AWS IAM SAML providers have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** IAM_SAML_PROVIDER_TAGGED

**Resource Types:** AWS::IAM::SAMLProvider

**Trigger type:** Configuration changes

**AWS Region:** Only available in US East (N. Virginia) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d935c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# iam-server-certificate-expiration-check
<a name="iam-server-certificate-expiration-check"></a>

Checks if AWS IAM SSL/TLS server certificates stored in IAM are expired. The rule is NON_COMPLIANT if an IAM server certificate is expired.

**Identifier:** IAM_SERVER_CERTIFICATE_EXPIRATION_CHECK

**Resource Types:** AWS::IAM::ServerCertificate

**Trigger type:** Periodic

**AWS Region:** Only available in China (Beijing), US East (N. Virginia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d937c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# iam-server-certificate-tagged
<a name="iam-server-certificate-tagged"></a>

Checks if AWS IAM server certificates have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** IAM_SERVER_CERTIFICATE_TAGGED

**Resource Types:** AWS::IAM::ServerCertificate

**Trigger type:** Configuration changes

**AWS Region:** Only available in US East (N. Virginia) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d939c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# iam-user-group-membership-check
<a name="iam-user-group-membership-check"></a>

Checks whether IAM users are members of at least one IAM group. 



**Identifier:** IAM_USER_GROUP_MEMBERSHIP_CHECK

**Resource Types:** AWS::IAM::User

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), Europe (Zurich) Region

**Parameters:**

groupNames (Optional)  
Type: CSV  
Comma-separated list of IAM groups in which IAM users must be members.  
This rule does not support group names with commas.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d941c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# iam-user-mfa-enabled
<a name="iam-user-mfa-enabled"></a>

Checks if the AWS Identity and Access Management (IAM) users have multi-factor authentication (MFA) enabled. The rule is NON_COMPLIANT if MFA is not enabled for at least one IAM user.

**Note**  
**Managed Rules and Global IAM Resource Types**  
The global IAM resource types onboarded before February 2022 (`AWS::IAM::Group`, `AWS::IAM::Policy`, `AWS::IAM::Role`, and `AWS::IAM::User`) can only be recorded by AWS Config in AWS Regions where AWS Config was available before February 2022. These resource types cannot be recorded in Regions supported by AWS Config after February 2022. For a list of those Regions, see [Recording AWS Resources | Global Resources](https://docs.aws.amazon.com/config/latest/developerguide/select-resources.html#select-resources-all).  
If you record a global IAM resource type in at least one Region, periodic rules that report compliance on the global IAM resource type will run evaluations in all Regions where the periodic rule is added, even if you have not enabled the recording of the global IAM resource type in the Region where the periodic rule was added.  
To avoid unnecessary evaluations, you should only deploy periodic rules that report compliance on a global IAM resource type to one of the supported Regions. For a list of which managed rules are supported in which Regions, see [List of AWS Config Managed Rules by Region Availability](https://docs.aws.amazon.com/config/latest/developerguide/managing-rules-by-region-availability.html).

**Identifier:** IAM_USER_MFA_ENABLED

**Resource Types:** AWS::IAM::User

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d943c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# iam-user-no-policies-check
<a name="iam-user-no-policies-check"></a>

Checks if none of your AWS Identity and Access Management (IAM) users have policies attached. IAM users must inherit permissions from IAM groups or roles. The rule is NON_COMPLIANT if there is at least one policy that is attached to the IAM user.

**Identifier:** IAM_USER_NO_POLICIES_CHECK

**Resource Types:** AWS::IAM::User

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d945c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# iam-user-unused-credentials-check
<a name="iam-user-unused-credentials-check"></a>

Checks if your AWS Identity and Access Management (IAM) users have passwords or active access keys that have not been used within the number of days you specify. The rule is NON_COMPLIANT if there are inactive accounts not recently used.

**Note**  
**Re-evaluation Timeline**  
Re-evaluating this rule within 4 hours of the first evaluation will have no effect on the results.  
**Managed Rules and Global IAM Resource Types**  
The global IAM resource types onboarded before February 2022 (`AWS::IAM::Group`, `AWS::IAM::Policy`, `AWS::IAM::Role`, and `AWS::IAM::User`) can only be recorded by AWS Config in AWS Regions where AWS Config was available before February 2022. These resource types cannot be recorded in Regions supported by AWS Config after February 2022. For a list of those Regions, see [Recording AWS Resources | Global Resources](https://docs.aws.amazon.com/config/latest/developerguide/select-resources.html#select-resources-all).  
If you record a global IAM resource type in at least one Region, periodic rules that report compliance on the global IAM resource type will run evaluations in all Regions where the periodic rule is added, even if you have not enabled the recording of the global IAM resource type in the Region where the periodic rule was added.  
To avoid unnecessary evaluations, you should only deploy periodic rules that report compliance on a global IAM resource type to one of the supported Regions. For a list of which managed rules are supported in which Regions, see [List of AWS Config Managed Rules by Region Availability](https://docs.aws.amazon.com/config/latest/developerguide/managing-rules-by-region-availability.html).



**Identifier:** IAM_USER_UNUSED_CREDENTIALS_CHECK

**Resource Types:** AWS::IAM::User

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), Europe (Zurich) Region

**Parameters:**

maxCredentialUsageAge  
Type: int  
Default: 90  
Maximum number of days that a credential can go unused. The default value is 90 days.
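To preview which users an unused-credentials threshold would flag before deploying the rule, the same question can be asked of an IAM credential report offline. The following is an added example, not AWS's implementation of the managed rule: the report rows are constructed, the function and constant names are hypothetical, and treating a never-used credential by its last-changed or last-rotated date is an assumption.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample using column names from the IAM credential report
# (only the columns this check reads; a real report carries more).
SAMPLE_REPORT = """\
user,password_enabled,password_last_used,password_last_changed,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,not_supported,2024-05-01T00:00:00+00:00,not_supported,false,N/A,N/A,false,N/A,N/A
alice,true,2024-05-20T09:00:00+00:00,2024-01-02T08:00:00+00:00,false,N/A,N/A,false,N/A,N/A
bob,true,2023-11-01T12:00:00+00:00,2023-06-01T12:00:00+00:00,true,2023-06-01T12:00:00+00:00,2024-05-30T03:15:00+00:00,false,N/A,N/A
ci-deploy,false,N/A,N/A,true,2023-09-10T00:00:00+00:00,N/A,false,N/A,N/A
dave,true,no_information,2024-05-25T10:00:00+00:00,false,N/A,N/A,false,N/A,N/A
"""

# Fixed "current time" so the sample evaluates the same way on every run.
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Placeholder values the report uses when a timestamp does not exist.
NO_TIMESTAMP = {"", "N/A", "no_information", "not_supported"}


def parse_timestamp(value):
    """Return an aware datetime, or None when the report has no timestamp."""
    if value in NO_TIMESTAMP:
        return None
    return datetime.fromisoformat(value)


def idle_days(last_used, fallback, now):
    """Days since last use. Assumption: a credential that was never used is
    aged from its last-changed / last-rotated date instead."""
    reference = parse_timestamp(last_used) or parse_timestamp(fallback)
    if reference is None:
        return None
    return (now - reference).days


def evaluate_report(report_csv, max_credential_usage_age=90, now=None):
    """Map each IAM user to (compliance, [stale credentials])."""
    now = now or datetime.now(timezone.utc)
    results = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            continue  # the rule's resource type is AWS::IAM::User only
        stale = []
        # Only enabled passwords and active keys are in scope.
        if row["password_enabled"] == "true":
            age = idle_days(row["password_last_used"],
                            row["password_last_changed"], now)
            if age is None or age > max_credential_usage_age:
                stale.append("password")
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] == "true":
                age = idle_days(row[f"access_key_{n}_last_used_date"],
                                row[f"access_key_{n}_last_rotated"], now)
                if age is None or age > max_credential_usage_age:
                    stale.append(f"access_key_{n}")
        results[user] = ("NON_COMPLIANT" if stale else "COMPLIANT", stale)
    return results


if __name__ == "__main__":
    for user, (status, stale) in evaluate_report(
            SAMPLE_REPORT, 90, SAMPLE_NOW).items():
        print(f"{user:10} {status:14} {', '.join(stale) or '-'}")
```
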

## AWS CloudFormation template
<a name="w2aac20c16c17b7d947c21"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# imagebuilder-distributionconfiguration-tagged
<a name="imagebuilder-distributionconfiguration-tagged"></a>

Checks if ImageBuilder DistributionConfiguration resources have tags. Optionally, required tag keys can be specified. The rule is NON_COMPLIANT if there are no tags or the specified tag keys are not present. It does not consider tags starting with 'aws:'.

**Identifier:** IMAGEBUILDER_DISTRIBUTIONCONFIGURATION_TAGGED

**Resource Types:** AWS::ImageBuilder::DistributionConfiguration

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), China (Ningxia) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d949c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# imagebuilder-imagepipeline-tagged
<a name="imagebuilder-imagepipeline-tagged"></a>

Checks if EC2 Image Builder image pipelines have tags. Optionally, required tag keys can be specified. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** IMAGEBUILDER_IMAGEPIPELINE_TAGGED

**Resource Types:** AWS::ImageBuilder::ImagePipeline

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), China (Ningxia) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d951c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# imagebuilder-imagerecipe-ebs-volumes-encrypted
<a name="imagebuilder-imagerecipe-ebs-volumes-encrypted"></a>

Checks that all Amazon EBS volumes in EC2 Image Builder image recipe block device mappings have encryption enabled. The rule is NON_COMPLIANT if not all EBS volumes have encryption enabled, or if there are no block device mappings defined.

**Identifier:** IMAGEBUILDER_IMAGERECIPE_EBS_VOLUMES_ENCRYPTED

**Resource Types:** AWS::ImageBuilder::ImageRecipe

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d953c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# imagebuilder-imagerecipe-tagged
<a name="imagebuilder-imagerecipe-tagged"></a>

Checks if AWS ImageBuilder image recipe resources have tags. Optionally, required tag keys can be specified. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** IMAGEBUILDER_IMAGERECIPE_TAGGED

**Resource Types:** AWS::ImageBuilder::ImageRecipe

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), China (Ningxia) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d955c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# imagebuilder-infrastructureconfiguration-tagged
<a name="imagebuilder-infrastructureconfiguration-tagged"></a>

Checks if EC2 Image Builder infrastructure configuration resources have tags. Optionally, required tag keys can be specified. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present.

**Identifier:** IMAGEBUILDER_INFRASTRUCTURECONFIGURATION_TAGGED

**Resource Types:** AWS::ImageBuilder::InfrastructureConfiguration

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d957c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# restricted-ssh
<a name="restricted-ssh"></a>

**Important**  
For this rule, the rule identifier (INCOMING_SSH_DISABLED) and rule name (restricted-ssh) are different.

Checks if the incoming SSH traffic for the security groups is accessible. The rule is COMPLIANT if the IP addresses of the incoming SSH traffic in the security groups are restricted (CIDR other than 0.0.0.0/0 or ::/0). Otherwise, the rule is NON_COMPLIANT.

**Identifier:** INCOMING_SSH_DISABLED

**Resource Types:** AWS::EC2::SecurityGroup

**Trigger type:** Configuration changes and Periodic

**AWS Region:** All supported AWS regions

**Parameters:**

None  
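The CIDR test described for this rule can be run locally against security group data before a change is applied. The following is an added example, not AWS's implementation of the managed rule: the security groups are constructed, the function names are hypothetical, and counting port ranges that span 22 and the all-protocols value `-1` as incoming SSH is an assumption. The field names follow the shape returned by EC2 `DescribeSecurityGroups`.

```python
import ipaddress

SSH_PORT = 22
# The two unrestricted sources named in the rule description.
OPEN_NETWORKS = {ipaddress.ip_network("0.0.0.0/0"),
                 ipaddress.ip_network("::/0")}

# Constructed sample security groups (IDs are placeholders).
SAMPLE_GROUPS = [
    {"GroupId": "sg-example-bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-example-wide", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-example-allproto", "IpPermissions": [
        {"IpProtocol": "-1",
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-example-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]


def covers_ssh(permission):
    """True if an ingress permission admits TCP port 22.

    Assumption: a port range spanning 22, or protocol "-1" (all traffic),
    counts as incoming SSH."""
    protocol = str(permission.get("IpProtocol", ""))
    if protocol == "-1":
        return True
    if protocol not in ("tcp", "6"):
        return False
    low, high = permission.get("FromPort"), permission.get("ToPort")
    if low is None or high is None:
        return True  # no port bounds recorded: treat as all ports
    return low <= SSH_PORT <= high


def open_sources(permission):
    """Source CIDRs of a permission that equal 0.0.0.0/0 or ::/0."""
    cidrs = [r["CidrIp"] for r in permission.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in permission.get("Ipv6Ranges", [])]
    # Parse rather than string-compare so equivalent spellings also match.
    return [c for c in cidrs
            if ipaddress.ip_network(c, strict=False) in OPEN_NETWORKS]


def evaluate_security_group(group):
    """Return (compliance, [unrestricted CIDRs that reach SSH])."""
    findings = []
    for permission in group.get("IpPermissions", []):
        if covers_ssh(permission):
            findings.extend(open_sources(permission))
    return ("NON_COMPLIANT" if findings else "COMPLIANT", findings)


if __name__ == "__main__":
    for group in SAMPLE_GROUPS:
        status, findings = evaluate_security_group(group)
        print(f"{group['GroupId']:22} {status:14} {findings}")
```
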

## AWS CloudFormation template
<a name="w2aac20c16c17b7d959c21"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# inspector-ec2-scan-enabled
<a name="inspector-ec2-scan-enabled"></a>

Checks if Amazon Inspector V2 EC2 scanning is activated for your single or multi-account environment to detect potential vulnerabilities and network reachability issues on your EC2 instances. The rule is NON_COMPLIANT if EC2 scanning is not activated.

**Identifier:** INSPECTOR_EC2_SCAN_ENABLED

**Resource Types:** AWS::::Account

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d961c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# inspector-ecr-scan-enabled
<a name="inspector-ecr-scan-enabled"></a>

Checks if Amazon Inspector V2 ECR scanning is activated for your single or multi-account environment to detect potential software vulnerabilities in your container images. The rule is NON_COMPLIANT if ECR scanning is not activated.

**Identifier:** INSPECTOR_ECR_SCAN_ENABLED

**Resource Types:** AWS::::Account

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d963c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# inspector-lambda-code-scan-enabled
<a name="inspector-lambda-code-scan-enabled"></a>

Checks if Amazon Inspector V2 Lambda code scanning is activated for your single or multi-account environment to detect potential code vulnerabilities. The rule is NON_COMPLIANT if Lambda code scanning is not activated.

**Identifier:** INSPECTOR_LAMBDA_CODE_SCAN_ENABLED

**Resource Types:** AWS::::Account

**Trigger type:** Periodic

**AWS Region:** Only available in Europe (Stockholm), US East (Ohio), Europe (Ireland), Europe (Frankfurt), US East (N. Virginia), Europe (London), Asia Pacific (Tokyo), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Sydney) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d965c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# inspector-lambda-standard-scan-enabled
<a name="inspector-lambda-standard-scan-enabled"></a>

Checks if Amazon Inspector V2 Lambda standard scanning is activated for your single or multi-account environment to detect potential software vulnerabilities. The rule is NON_COMPLIANT if Lambda standard scanning is not activated.

**Identifier:** INSPECTOR_LAMBDA_STANDARD_SCAN_ENABLED

**Resource Types:** AWS::::Account

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7d967c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ec2-instances-in-vpc
<a name="ec2-instances-in-vpc"></a>

**Important**  
For this rule, the rule identifier (INSTANCES_IN_VPC) and rule name (ec2-instances-in-vpc) are different.

Checks if your EC2 instances belong to a virtual private cloud (VPC). Optionally, you can specify the VPC ID to associate with your instances.

**Identifier:** INSTANCES_IN_VPC

**Resource Types:** AWS::EC2::Instance

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions

**Parameters:**

vpcId (Optional)  
Type: String  
VPC ID that contains these EC2 instances.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d969c21"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# internet-gateway-authorized-vpc-only
<a name="internet-gateway-authorized-vpc-only"></a>

Checks if internet gateways are attached to an authorized virtual private cloud (Amazon VPC). The rule is NON_COMPLIANT if internet gateways are attached to an unauthorized VPC.

**Identifier:** INTERNET_GATEWAY_AUTHORIZED_VPC_ONLY

**Resource Types:** AWS::EC2::InternetGateway

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions

**Parameters:**

AuthorizedVpcIds (Optional)  
Type: CSV  
Comma-separated list of the authorized VPC IDs with attached IGWs. If the parameter is not provided, all attached IGWs will be NON_COMPLIANT.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d971c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# iotdevicedefender-custom-metric-tagged
<a name="iotdevicedefender-custom-metric-tagged"></a>

Checks if AWS IoT Device Defender custom metrics have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** IOTDEVICEDEFENDER_CUSTOM_METRIC_TAGGED

**Resource Types:** AWS::IoT::CustomMetric

**Trigger type:** Configuration changes

**AWS Region:** Only available in Europe (Stockholm), Middle East (Bahrain), Asia Pacific (Mumbai), Europe (Paris), US East (Ohio), Europe (Ireland), Middle East (UAE), Europe (Frankfurt), Asia Pacific (Hong Kong), US East (N. Virginia), Asia Pacific (Seoul), Europe (London), Asia Pacific (Tokyo), US West (Oregon), US West (N. California), Asia Pacific (Singapore), Asia Pacific (Sydney), Canada (Central) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d973c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# iotevents-alarm-model-tagged
<a name="iotevents-alarm-model-tagged"></a>

Checks if AWS IoT Events alarm models have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** IOTEVENTS_ALARM_MODEL_TAGGED

**Resource Types:** AWS::IoTEvents::AlarmModel

**Trigger type:** Configuration changes

**AWS Region:** Only available in Asia Pacific (Mumbai), US East (Ohio), Europe (Ireland), Europe (Frankfurt), US East (N. Virginia), Asia Pacific (Seoul), Europe (London), Asia Pacific (Tokyo), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Sydney), Canada (Central) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d975c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# iotevents-detector-model-tagged
<a name="iotevents-detector-model-tagged"></a>

Checks if AWS IoT Events detector models have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** IOTEVENTS_DETECTOR_MODEL_TAGGED

**Resource Types:** AWS::IoTEvents::DetectorModel

**Trigger type:** Configuration changes

**AWS Region:** Only available in Asia Pacific (Mumbai), US East (Ohio), Europe (Ireland), Europe (Frankfurt), US East (N. Virginia), Asia Pacific (Seoul), Europe (London), Asia Pacific (Tokyo), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Sydney), Canada (Central) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d977c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# iotevents-input-tagged
<a name="iotevents-input-tagged"></a>

Checks if AWS IoT Events inputs have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** IOTEVENTS_INPUT_TAGGED

**Resource Types:** AWS::IoTEvents::Input

**Trigger type:** Configuration changes

**AWS Region:** Only available in Asia Pacific (Mumbai), US East (Ohio), Europe (Ireland), Europe (Frankfurt), US East (N. Virginia), Asia Pacific (Seoul), Europe (London), Asia Pacific (Tokyo), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Sydney), Canada (Central) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d979c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# iotsitewise-asset-model-tagged
<a name="iotsitewise-asset-model-tagged"></a>

Checks if AWS IoT SiteWise asset models have tags. Optionally, you can specify tag keys for the rule. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** IOTSITEWISE_ASSET_MODEL_TAGGED

**Resource Types:** AWS::IoTSiteWise::AssetModel

**Trigger type:** Configuration changes

**AWS Region:** Only available in Asia Pacific (Mumbai), US East (Ohio), Europe (Ireland), Europe (Frankfurt), US East (N. Virginia), Asia Pacific (Seoul), Asia Pacific (Tokyo), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Sydney), Canada (Central) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d981c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# iotsitewise-dashboard-tagged
<a name="iotsitewise-dashboard-tagged"></a>

Checks if AWS IoT SiteWise dashboards have tags. Optionally, you can specify tag keys for the rule. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** IOTSITEWISE_DASHBOARD_TAGGED

**Resource Types:** AWS::IoTSiteWise::Dashboard

**Trigger type:** Configuration changes

**AWS Region:** Only available in Asia Pacific (Mumbai), US East (Ohio), Europe (Ireland), Europe (Frankfurt), US East (N. Virginia), Asia Pacific (Seoul), Asia Pacific (Tokyo), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Sydney), Canada (Central) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d983c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# iotsitewise-gateway-tagged
<a name="iotsitewise-gateway-tagged"></a>

Checks if AWS IoT SiteWise gateways have tags. Optionally, you can specify tag keys for the rule. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** IOTSITEWISE_GATEWAY_TAGGED

**Resource Types:** AWS::IoTSiteWise::Gateway

**Trigger type:** Configuration changes

**AWS Region:** Only available in Asia Pacific (Mumbai), US East (Ohio), Europe (Ireland), Europe (Frankfurt), US East (N. Virginia), Asia Pacific (Seoul), Asia Pacific (Tokyo), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Sydney), Canada (Central) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d985c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# iotsitewise-portal-tagged
<a name="iotsitewise-portal-tagged"></a>

Checks if AWS IoT SiteWise portals have tags. Optionally, you can specify tag keys for the rule. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** IOTSITEWISE_PORTAL_TAGGED

**Resource Types:** AWS::IoTSiteWise::Portal

**Trigger type:** Configuration changes

**AWS Region:** Only available in Asia Pacific (Mumbai), US East (Ohio), Europe (Ireland), Europe (Frankfurt), US East (N. Virginia), Asia Pacific (Seoul), Asia Pacific (Tokyo), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Sydney), Canada (Central) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d987c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# iotsitewise-project-tagged
<a name="iotsitewise-project-tagged"></a>

Checks if AWS IoT SiteWise projects have tags. Optionally, you can specify tag keys for the rule. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** IOTSITEWISE_PROJECT_TAGGED

**Resource Types:** AWS::IoTSiteWise::Project

**Trigger type:** Configuration changes

**AWS Region:** Only available in Asia Pacific (Mumbai), US East (Ohio), Europe (Ireland), Europe (Frankfurt), US East (N. Virginia), Asia Pacific (Seoul), Asia Pacific (Tokyo), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Sydney), Canada (Central) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d989c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# iottwinmaker-component-type-tagged
<a name="iottwinmaker-component-type-tagged"></a>

Checks if AWS IoT TwinMaker component types have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** IOTTWINMAKER_COMPONENT_TYPE_TAGGED

**Resource Types:** AWS::IoTTwinMaker::ComponentType

**Trigger type:** Configuration changes

**AWS Region:** Only available in Asia Pacific (Mumbai), Europe (Ireland), Europe (Frankfurt), US East (N. Virginia), Asia Pacific (Seoul), Asia Pacific (Tokyo), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Sydney) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d991c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# iottwinmaker-entity-tagged
<a name="iottwinmaker-entity-tagged"></a>

Checks if AWS IoT TwinMaker entities have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** IOTTWINMAKER_ENTITY_TAGGED

**Resource Types:** AWS::IoTTwinMaker::Entity

**Trigger type:** Configuration changes

**AWS Region:** Only available in Europe (Ireland), Europe (Frankfurt), US East (N. Virginia), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Sydney) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d993c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# iottwinmaker-scene-tagged
<a name="iottwinmaker-scene-tagged"></a>

Checks if AWS IoT TwinMaker scenes have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** IOTTWINMAKER_SCENE_TAGGED

**Resource Types:** AWS::IoTTwinMaker::Scene

**Trigger type:** Configuration changes

**AWS Region:** Only available in Asia Pacific (Mumbai), Europe (Ireland), Europe (Frankfurt), US East (N. Virginia), Asia Pacific (Seoul), Asia Pacific (Tokyo), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Sydney) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d995c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# iottwinmaker-sync-job-tagged
<a name="iottwinmaker-sync-job-tagged"></a>

Checks if AWS IoT TwinMaker sync jobs have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** IOTTWINMAKER_SYNC_JOB_TAGGED

**Resource Types:** AWS::IoTTwinMaker::SyncJob

**Trigger type:** Configuration changes

**AWS Region:** Only available in Asia Pacific (Mumbai), Europe (Ireland), Europe (Frankfurt), US East (N. Virginia), Asia Pacific (Seoul), Asia Pacific (Tokyo), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Sydney) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d997c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# iottwinmaker-workspace-tagged
<a name="iottwinmaker-workspace-tagged"></a>

Checks if AWS IoT TwinMaker workspaces have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** IOTTWINMAKER_WORKSPACE_TAGGED

**Resource Types:** AWS::IoTTwinMaker::Workspace

**Trigger type:** Configuration changes

**AWS Region:** Only available in Asia Pacific (Mumbai), Europe (Ireland), Europe (Frankfurt), US East (N. Virginia), Asia Pacific (Seoul), Asia Pacific (Tokyo), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Sydney) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7d999c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# iotwireless-fuota-task-tagged
<a name="iotwireless-fuota-task-tagged"></a>

Checks if AWS IoT Wireless FUOTA tasks have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** IOTWIRELESS_FUOTA_TASK_TAGGED

**Resource Types:** AWS::IoTWireless::FuotaTask

**Trigger type:** Configuration changes

**AWS Region:** Only available in Europe (Ireland), Europe (Frankfurt), South America (Sao Paulo), US East (N. Virginia), Asia Pacific (Tokyo), US West (Oregon), Asia Pacific (Sydney) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1001c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# iotwireless-multicast-group-tagged
<a name="iotwireless-multicast-group-tagged"></a>

Checks if AWS IoT Wireless multicast groups have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** IOTWIRELESS_MULTICAST_GROUP_TAGGED

**Resource Types:** AWS::IoTWireless::MulticastGroup

**Trigger type:** Configuration changes

**AWS Region:** Only available in Europe (Ireland), Europe (Frankfurt), South America (Sao Paulo), US East (N. Virginia), Asia Pacific (Tokyo), US West (Oregon), Asia Pacific (Sydney) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1003c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# iotwireless-service-profile-tagged
<a name="iotwireless-service-profile-tagged"></a>

Checks if AWS IoT Wireless service profiles have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** IOTWIRELESS_SERVICE_PROFILE_TAGGED

**Resource Types:** AWS::IoTWireless::ServiceProfile

**Trigger type:** Configuration changes

**AWS Region:** Only available in Europe (Ireland), Europe (Frankfurt), South America (Sao Paulo), US East (N. Virginia), Asia Pacific (Tokyo), US West (Oregon), Asia Pacific (Sydney) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1005c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# iot-authorizer-token-signing-enabled
<a name="iot-authorizer-token-signing-enabled"></a>

Checks if an AWS IoT Core authorizer has not disabled the signing requirements for validating the token signature in an authorization request. The rule is NON_COMPLIANT if the authorizer has configuration.SigningDisabled set to True.

**Identifier:** IOT_AUTHORIZER_TOKEN_SIGNING_ENABLED

**Resource Types:** AWS::IoT::Authorizer

**Trigger type:** Configuration changes

**AWS Region:** Only available in Europe (Stockholm), Middle East (Bahrain), Asia Pacific (Mumbai), Europe (Paris), US East (Ohio), Europe (Ireland), Middle East (UAE), Europe (Frankfurt), South America (Sao Paulo), Asia Pacific (Hong Kong), US East (N. Virginia), Asia Pacific (Seoul), Europe (London), Asia Pacific (Tokyo), US West (Oregon), US West (N. California), Asia Pacific (Singapore), Asia Pacific (Sydney), Canada (Central) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1007c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# iot-job-template-tagged
<a name="iot-job-template-tagged"></a>

Checks if AWS IoT job template resources have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** IOT_JOB_TEMPLATE_TAGGED

**Resource Types:** AWS::IoT::JobTemplate

**Trigger type:** Configuration changes

**AWS Region:** Only available in Europe (Stockholm), Middle East (Bahrain), Asia Pacific (Mumbai), Europe (Paris), US East (Ohio), Europe (Ireland), Middle East (UAE), Europe (Frankfurt), South America (Sao Paulo), Asia Pacific (Hong Kong), US East (N. Virginia), Asia Pacific (Seoul), Europe (London), Asia Pacific (Tokyo), US West (Oregon), US West (N. California), Asia Pacific (Singapore), Asia Pacific (Sydney), Canada (Central) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1009c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# iot-provisioning-template-description
<a name="iot-provisioning-template-description"></a>

Checks if AWS IoT provisioning templates have a description. The rule is NON_COMPLIANT if configuration.Description does not exist or is an empty string.

**Identifier:** IOT_PROVISIONING_TEMPLATE_DESCRIPTION

**Resource Types:** AWS::IoT::ProvisioningTemplate

**Trigger type:** Configuration changes

**AWS Region:** Only available in Europe (Stockholm), Middle East (Bahrain), Asia Pacific (Mumbai), Europe (Paris), US East (Ohio), Europe (Ireland), Middle East (UAE), Europe (Frankfurt), South America (Sao Paulo), Asia Pacific (Hong Kong), US East (N. Virginia), Asia Pacific (Seoul), Europe (London), Asia Pacific (Tokyo), US West (Oregon), US West (N. California), Asia Pacific (Singapore), Asia Pacific (Sydney), Canada (Central) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1011c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# iot-provisioning-template-jitp
<a name="iot-provisioning-template-jitp"></a>

Checks if AWS IoT provisioning templates are using just-in-time provisioning (JITP). The rule is NON_COMPLIANT if configuration.TemplateType is not 'JITP'.

**Identifier:** IOT_PROVISIONING_TEMPLATE_JITP

**Resource Types:** AWS::IoT::ProvisioningTemplate

**Trigger type:** Configuration changes

**AWS Region:** Only available in Europe (Stockholm), Middle East (Bahrain), Asia Pacific (Mumbai), Europe (Paris), US East (Ohio), Europe (Ireland), Middle East (UAE), Europe (Frankfurt), South America (Sao Paulo), Asia Pacific (Hong Kong), US East (N. Virginia), Asia Pacific (Seoul), Europe (London), Asia Pacific (Tokyo), US West (Oregon), US West (N. California), Asia Pacific (Singapore), Asia Pacific (Sydney), Canada (Central) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1013c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# iot-provisioning-template-tagged
<a name="iot-provisioning-template-tagged"></a>

Checks if AWS IoT provisioning templates have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** IOT_PROVISIONING_TEMPLATE_TAGGED

**Resource Types:** AWS::IoT::ProvisioningTemplate

**Trigger type:** Configuration changes

**AWS Region:** Only available in Europe (Stockholm), Middle East (Bahrain), Asia Pacific (Mumbai), Europe (Paris), US East (Ohio), Europe (Ireland), Middle East (UAE), Europe (Frankfurt), South America (Sao Paulo), Asia Pacific (Hong Kong), US East (N. Virginia), Asia Pacific (Seoul), Europe (London), Asia Pacific (Tokyo), US West (Oregon), US West (N. California), Asia Pacific (Singapore), Asia Pacific (Sydney), Canada (Central) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1015c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# iot-scheduled-audit-tagged
<a name="iot-scheduled-audit-tagged"></a>

Checks if AWS IoT scheduled audits have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** IOT_SCHEDULED_AUDIT_TAGGED

**Resource Types:** AWS::IoT::ScheduledAudit

**Trigger type:** Configuration changes

**AWS Region:** Only available in Europe (Stockholm), Middle East (Bahrain), Asia Pacific (Mumbai), Europe (Paris), US East (Ohio), Europe (Ireland), Middle East (UAE), Europe (Frankfurt), Asia Pacific (Hong Kong), US East (N. Virginia), Asia Pacific (Seoul), Europe (London), Asia Pacific (Tokyo), US West (Oregon), US West (N. California), Asia Pacific (Singapore), Asia Pacific (Sydney), Canada (Central) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1017c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ivs-channel-playback-authorization-enabled
<a name="ivs-channel-playback-authorization-enabled"></a>

Checks if Amazon IVS channels have playback authorization enabled. The rule is NON_COMPLIANT if configuration.Authorized is false.

**Identifier:** IVS_CHANNEL_PLAYBACK_AUTHORIZATION_ENABLED

**Resource Types:** AWS::IVS::Channel

**Trigger type:** Configuration changes

**AWS Region:** Only available in Asia Pacific (Mumbai), Europe (Ireland), Europe (Frankfurt), US East (N. Virginia), Asia Pacific (Seoul), Asia Pacific (Tokyo), US West (Oregon) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1019c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ivs-channel-tagged
<a name="ivs-channel-tagged"></a>

Checks if Amazon IVS channels have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** IVS_CHANNEL_TAGGED

**Resource Types:** AWS::IVS::Channel

**Trigger type:** Configuration changes

**AWS Region:** Only available in Asia Pacific (Mumbai), Europe (Ireland), Europe (Frankfurt), US East (N. Virginia), Asia Pacific (Seoul), Asia Pacific (Tokyo), US West (Oregon) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1021c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ivs-playback-key-pair-tagged
<a name="ivs-playback-key-pair-tagged"></a>

Checks if Amazon IVS playback key pairs have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** IVS_PLAYBACK_KEY_PAIR_TAGGED

**Resource Types:** AWS::IVS::PlaybackKeyPair

**Trigger type:** Configuration changes

**AWS Region:** Only available in Asia Pacific (Mumbai), Europe (Ireland), Europe (Frankfurt), US East (N. Virginia), Asia Pacific (Seoul), Asia Pacific (Tokyo), US West (Oregon) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1023c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ivs-recording-configuration-tagged
<a name="ivs-recording-configuration-tagged"></a>

Checks if Amazon IVS recording configurations have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** IVS_RECORDING_CONFIGURATION_TAGGED

**Resource Types:** AWS::IVS::RecordingConfiguration

**Trigger type:** Configuration changes

**AWS Region:** Only available in Asia Pacific (Mumbai), Europe (Ireland), Europe (Frankfurt), US East (N. Virginia), Asia Pacific (Seoul), Asia Pacific (Tokyo), US West (Oregon) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1025c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# kendra-index-tagged
<a name="kendra-index-tagged"></a>

Checks if AWS Kendra index resources have tags. Optionally, required tag keys can be specified. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** KENDRA_INDEX_TAGGED

**Resource Types:** AWS::Kendra::Index

**Trigger type:** Configuration changes

**AWS Region:** Only available in Asia Pacific (Mumbai), US East (Ohio), Europe (Ireland), US East (N. Virginia), Europe (London), Asia Pacific (Tokyo), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Sydney), Canada (Central) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1027c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# kinesisvideo-signalingchannel-tagged
<a name="kinesisvideo-signalingchannel-tagged"></a>

Checks if AWS KinesisVideo signaling channel resources have tags. Optionally, required tag keys can be specified. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. It does not check for tags starting with 'aws:'.

**Identifier:** KINESISVIDEO_SIGNALINGCHANNEL_TAGGED

**Resource Types:** AWS::KinesisVideo::SignalingChannel

**Trigger type:** Configuration changes

**AWS Region:** Only available in Asia Pacific (Mumbai), Europe (Paris), US East (Ohio), Europe (Ireland), Europe (Frankfurt), South America (Sao Paulo), Asia Pacific (Hong Kong), US East (N. Virginia), Asia Pacific (Seoul), Europe (London), Asia Pacific (Tokyo), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Sydney), Canada (Central) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1029c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# kinesisvideo-stream-tagged
<a name="kinesisvideo-stream-tagged"></a>

Checks if Amazon Kinesis Video Streams streams have tags. Optionally, required tag keys can be specified. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not consider tags starting with 'aws:'.

**Identifier:** KINESISVIDEO_STREAM_TAGGED

**Resource Types:** AWS::KinesisVideo::Stream

**Trigger type:** Configuration changes

**AWS Region:** Only available in Asia Pacific (Mumbai), Europe (Paris), US East (Ohio), Europe (Ireland), Europe (Frankfurt), South America (Sao Paulo), Asia Pacific (Hong Kong), US East (N. Virginia), Asia Pacific (Seoul), Europe (London), Asia Pacific (Tokyo), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Sydney), Canada (Central) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1031c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# kinesis-firehose-delivery-stream-encrypted
<a name="kinesis-firehose-delivery-stream-encrypted"></a>

Checks if Amazon Kinesis Data Firehose delivery streams are encrypted at rest with server-side encryption. The rule is NON_COMPLIANT if a Kinesis Data Firehose delivery stream is not encrypted at rest with server-side encryption.

**Identifier:** KINESIS_FIREHOSE_DELIVERY_STREAM_ENCRYPTED

**Resource Types:** AWS::KinesisFirehose::DeliveryStream

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Mexico (Central), Asia Pacific (Taipei), China (Ningxia) Region

**Parameters:**

kmsKeyArns (Optional)  
Type: CSV  
Comma-separated list of KMS key ARNs that are approved for Kinesis Firehose usage.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1033c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# kinesis-stream-backup-retention-check
<a name="kinesis-stream-backup-retention-check"></a>

Checks if an Amazon Kinesis Data Stream has its data record retention period set to a specific number of hours. The rule is NON_COMPLIANT if the property `RetentionPeriodHours` is set to a value less than the value specified by the parameter.

**Identifier:** KINESIS_STREAM_BACKUP_RETENTION_CHECK

**Resource Types:** AWS::Kinesis::Stream

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Malaysia), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary) Region

**Parameters:**

minimumBackupRetentionPeriod (Optional)  
Type: String  
Minimum number of hours that data records should be retained. Valid values are 24 to 8760; the default value is 168.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1035c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# kinesis-stream-encrypted
<a name="kinesis-stream-encrypted"></a>

Checks if Amazon Kinesis streams are encrypted at rest with server-side encryption. The rule is NON_COMPLIANT for a Kinesis stream if 'StreamEncryption' is not present.

**Context**: Server-side encryption is a feature in Amazon Kinesis Data Streams that automatically encrypts data before it's at rest by using an AWS KMS key. Data is encrypted before it's written to the Kinesis stream storage layer, and decrypted after it's retrieved from storage. As a result, your data is encrypted at rest within the Kinesis Data Streams service. This can help you to meet regulatory requirements and enhance the security of your data. For more information, see [Data Protection in Amazon Kinesis Data Streams](https://docs.aws.amazon.com/streams/latest/dev/server-side-encryption.html).

**Identifier:** KINESIS_STREAM_ENCRYPTED

**Resource Types:** AWS::Kinesis::Stream

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Malaysia), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1037c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# kinesis-video-stream-minimum-data-retention
<a name="kinesis-video-stream-minimum-data-retention"></a>

Checks if an Amazon Kinesis Video stream is configured with a value greater than or equal to the specified minimum data retention. The rule is NON_COMPLIANT if DataRetentionInHours is less than the value specified in the required rule parameter.

**Identifier:** KINESIS_VIDEO_STREAM_MINIMUM_DATA_RETENTION

**Resource Types:** AWS::KinesisVideo::Stream

**Trigger type:** Configuration changes

**AWS Region:** Only available in Asia Pacific (Mumbai), Europe (Paris), US East (Ohio), Europe (Ireland), Europe (Frankfurt), South America (Sao Paulo), Asia Pacific (Hong Kong), US East (N. Virginia), Asia Pacific (Seoul), Europe (London), Asia Pacific (Tokyo), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Sydney), Canada (Central) Region

**Parameters:**

minDataRetentionInHours  
Type: int  
The minimum data retention in hours of the Amazon Kinesis Video stream for the rule to check. The rule is NON_COMPLIANT if the data retention in hours is less than the value specified in this parameter. Valid values are 0 to 87600.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1039c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# kms-cmk-not-scheduled-for-deletion
<a name="kms-cmk-not-scheduled-for-deletion"></a>

Checks if AWS Key Management Service (AWS KMS) keys are not scheduled for deletion in AWS KMS. The rule is NON_COMPLIANT if KMS keys are scheduled for deletion.

**Identifier:** KMS_CMK_NOT_SCHEDULED_FOR_DELETION

**Resource Types:** AWS::KMS::Key

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Europe (Milan), Asia Pacific (Taipei) Region

**Parameters:**

kmsKeyIds (Optional)  
Type: String  
Comma-separated list of specific customer managed key IDs not to be scheduled for deletion. If you do not specify any keys, the rule checks all the keys.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1041c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# kms-key-policy-no-public-access
<a name="kms-key-policy-no-public-access"></a>

Checks if the AWS KMS key policy allows public access. The rule is NON_COMPLIANT if the KMS key policy allows public access to the KMS key.

**Note**  
To be considered non-public, a KMS key policy must grant access only to fixed values. This means values that don't contain a wildcard or the following IAM policy element: [Variables](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#policy-vars-using-variables).

**Identifier:** KMS_KEY_POLICY_NO_PUBLIC_ACCESS

**Resource Types:** AWS::KMS::Key

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1043c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# kms-key-tagged
<a name="kms-key-tagged"></a>

Checks if AWS Key Management Service (KMS) keys have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** KMS_KEY_TAGGED

**Resource Types:** AWS::KMS::Key

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), China (Ningxia) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1045c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# lambda-concurrency-check
<a name="lambda-concurrency-check"></a>

Checks if the Lambda function is configured with a function-level concurrent execution limit. The rule is NON_COMPLIANT if the Lambda function is not configured with a function-level concurrent execution limit.

**Identifier:** LAMBDA_CONCURRENCY_CHECK

**Resource Types:** AWS::Lambda::Function

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except China (Ningxia) Region

**Parameters:**

ConcurrencyLimitHigh (Optional)  
Type: String  
Maximum concurrency execution limit

ConcurrencyLimitLow (Optional)  
Type: String  
Minimum concurrency execution limit

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1047c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# lambda-dlq-check
<a name="lambda-dlq-check"></a>

Checks whether an AWS Lambda function is configured with a dead-letter queue. The rule is NON_COMPLIANT if the Lambda function is not configured with a dead-letter queue.

**Identifier:** LAMBDA_DLQ_CHECK

**Resource Types:** AWS::Lambda::Function

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except China (Ningxia) Region

**Parameters:**

dlqArns (Optional)  
Type: CSV  
Comma-separated list of Amazon SQS and Amazon SNS ARNs that must be configured as the Lambda function dead-letter queue target

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1049c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# lambda-function-application-log-level-check
<a name="lambda-function-application-log-level-check"></a>

Checks if AWS Lambda functions with JSON structured logs are configured with a specified application log level. The rule is NON_COMPLIANT if configuration.loggingConfig.applicationLogLevel is not a value specified in the required rule parameter.

**Identifier:** LAMBDA_FUNCTION_APPLICATION_LOG_LEVEL_CHECK

**Resource Types:** AWS::Lambda::Function

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), AWS GovCloud (US-East), AWS GovCloud (US-West), China (Ningxia) Region

**Parameters:**

logLevel  
Type: String  
The minimum application log level for the rule to check. The rule is NON_COMPLIANT if configuration.loggingConfig.applicationLogLevel is configured with a value not specified in this parameter. Valid values include: 'TRACE', 'DEBUG', 'INFO', 'WARN', 'ERROR', and 'FATAL'.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1051c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# lambda-function-description
<a name="lambda-function-description"></a>

Checks if AWS Lambda functions have a description. The rule is NON_COMPLIANT if configuration.description does not exist or is an empty string.

**Identifier:** LAMBDA_FUNCTION_DESCRIPTION

**Resource Types:** AWS::Lambda::Function

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), AWS GovCloud (US-East), AWS GovCloud (US-West), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1053c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# lambda-function-log-format-json
<a name="lambda-function-log-format-json"></a>

Checks if AWS Lambda functions have the log format set to JSON for more control and better readability. The rule is NON_COMPLIANT if configuration.loggingConfig.logFormat is not 'JSON'.

**Identifier:** LAMBDA_FUNCTION_LOG_FORMAT_JSON

**Resource Types:** AWS::Lambda::Function

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), AWS GovCloud (US-East), AWS GovCloud (US-West), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1055c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# lambda-function-public-access-prohibited
<a name="lambda-function-public-access-prohibited"></a>

Checks if the AWS Lambda function policy attached to the Lambda resource prohibits public access. If the Lambda function policy allows public access it is NON_COMPLIANT.

**Context**: A Lambda function policy is considered to allow public access if the principal element is empty or contains a wildcard. For example, if the principal element is `""` or `{"AWS": ""}`. Granting public access is not recommended for security reasons. Restricting public access can help you prevent unauthorized invocations of your Lambda functions, which could compromise your data or incur unwanted costs.

To restrict access to your Lambda functions, specify the AWS account IDs or the Amazon Resource Names (ARNs) of the IAM users, roles, or services that can invoke the functions. For more information, see [Granting function access to other accounts](https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html#permissions-resource-xaccountinvoke) in the *AWS Lambda Developer Guide*.

The rule is also `NON_COMPLIANT` if a Lambda function is invoked from Amazon S3, and the policy doesn't include a condition to limit public access, such as `AWS:SourceAccount`. We recommend using other S3 conditions along with `AWS:SourceAccount` in your bucket policy for more refined access.

**Note**  
To be considered non-public, a Lambda resource-based policy must grant access only to fixed values. This means values that don't contain a wildcard or the following IAM policy element: [Variables](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#policy-vars-using-variables).

**Identifier:** LAMBDA_FUNCTION_PUBLIC_ACCESS_PROHIBITED

**Resource Types:** AWS::Lambda::Function

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Europe (Spain), China (Ningxia) Region

**Parameters:**

None  
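The criteria described for this rule can be approximated offline against a function's resource-based policy before deployment. The following is an added example, not AWS's implementation of the managed rule: the function names, the sample policies, the treatment of `?` as a wildcard, and the treatment of `NotPrincipal` as public are assumptions made here.

```python
import json
import re

# Assumption: "fixed value" means no '*' or '?' wildcard and no ${...} policy variable.
POLICY_VARIABLE = re.compile(r"\$\{[^}]*\}")
SCOPING_KEYS = {"aws:sourceaccount"}            # condition key named on this page
EXACT_MATCH_OPERATORS = {"stringequals", "arnequals"}
FUNCTION_ARN = "arn:aws:lambda:us-east-1:111122223333:function:example-fn"  # constructed


def as_list(value):
    """IAM policy elements may be a single value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_fixed(value):
    """True when the value is non-empty and has no wildcard or policy variable."""
    text = str(value)
    return bool(text) and "*" not in text and "?" not in text \
        and not POLICY_VARIABLE.search(text)


def principal_values(principal):
    """Flatten a Principal element into (kind, value) pairs; kind is '' for a bare string."""
    if isinstance(principal, dict):
        return [(kind, v) for kind, vals in principal.items() for v in as_list(vals)]
    return [("", v) for v in as_list(principal)]


def has_fixed_scope(statement):
    """True when an exact-match condition pins a scoping key to fixed values only."""
    for operator, pairs in (statement.get("Condition") or {}).items():
        if operator.lower() not in EXACT_MATCH_OPERATORS:
            continue
        for key, values in pairs.items():
            vals = as_list(values)
            if key.lower() in SCOPING_KEYS and vals and all(is_fixed(v) for v in vals):
                return True
    return False


def evaluate_policy(policy):
    """Return (compliance, findings) for a Lambda resource-based policy (dict or JSON)."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for index, stmt in enumerate(as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements do not grant access
        sid = stmt.get("Sid", f"statement[{index}]")
        if "NotPrincipal" in stmt:
            # Assumption: Allow + NotPrincipal grants to everyone except the listed principals.
            findings.append(f"{sid}: Allow with NotPrincipal")
            continue
        principals = principal_values(stmt.get("Principal"))
        if not principals:
            findings.append(f"{sid}: principal element is empty")
        for kind, value in principals:
            if not is_fixed(value):
                findings.append(f"{sid}: principal {value!r} is empty, a wildcard or a variable")
            elif kind == "Service" and value == "s3.amazonaws.com" and not has_fixed_scope(stmt):
                findings.append(f"{sid}: S3 invocation without a fixed aws:SourceAccount condition")
    return ("NON_COMPLIANT" if findings else "COMPLIANT"), findings


def sample(principal, condition=None):
    """Build a constructed one-statement policy for the demonstration below."""
    stmt = {"Sid": "Invoke", "Effect": "Allow", "Principal": principal,
            "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN}
    if condition:
        stmt["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [stmt]}


# Constructed sample policies; account ID and ARNs are placeholders.
SAMPLE_POLICIES = {
    "wildcard_principal": sample("*"),
    "empty_aws_principal": sample({"AWS": ""}),
    "s3_unscoped": sample({"Service": "s3.amazonaws.com"}),
    "s3_scoped": sample({"Service": "s3.amazonaws.com"},
                        {"StringEquals": {"AWS:SourceAccount": "111122223333"}}),
    "s3_variable_scope": sample({"Service": "s3.amazonaws.com"},
                                {"StringEquals": {"AWS:SourceAccount": "${aws:PrincipalAccount}"}}),
    "fixed_account": sample({"AWS": "arn:aws:iam::111122223333:root"}),
}

if __name__ == "__main__":
    for name, policy in SAMPLE_POLICIES.items():
        compliance, findings = evaluate_policy(policy)
        print(f"{name}: {compliance} {findings}")
```
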

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1057c25"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# lambda-function-settings-check
<a name="lambda-function-settings-check"></a>

Checks if the AWS Lambda function settings for runtime, role, timeout, and memory size match the expected values. The rule ignores functions with the 'Image' package type and functions with runtime set to 'OS-only Runtime'. The rule is NON_COMPLIANT if the Lambda function settings do not match the expected values.

**Identifier:** LAMBDA_FUNCTION_SETTINGS_CHECK

**Resource Types:** AWS::Lambda::Function

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except China (Ningxia) Region

**Parameters:**

runtime  
Type: CSV  
Comma-separated list of AWS Lambda runtime values

role (Optional)  
Type: String  
Name or ARN of the AWS Lambda execution role

memorySize (Optional)  
Type: int  
Default: 128  
AWS Lambda function size in megabytes

timeout (Optional)  
Type: int  
Default: 3  
AWS Lambda function timeout in seconds

## Proactive Evaluation
<a name="w2aac20c16c17b7e1059c19"></a>

 For steps on how to run this rule in proactive mode, see [Evaluating Your Resources with AWS Config Rules](./evaluating-your-resources.html#evaluating-your-resources-proactive). For this rule to return COMPLIANT in proactive mode, the resource configuration schema for the [StartResourceEvaluation](https://docs.aws.amazon.com/config/latest/APIReference/API_StartResourceEvaluation.html) API needs to include the following inputs, encoded as a string: 

```
"ResourceConfiguration":
...
{
    "MemorySize": Integer*,
    "Role": String*,
    "Runtime": String*,
    "Timeout": Integer*
} 
...
```

\*For more information on valid values for these inputs, see [MemorySize](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-function.html#cfn-lambda-function-memorysize), [Role](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-function.html#cfn-lambda-function-role), [Runtime](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-function.html#cfn-lambda-function-runtime), and [Timeout](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-function.html#cfn-lambda-function-timeout) in the AWS CloudFormation User Guide.

 For more information on proactive evaluation, see [Evaluation Mode](./evaluate-config-rules.html). 
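One way to assemble the StartResourceEvaluation request for `lambda-function-settings-check` from a template's function properties, with a pre-flight check that the four inputs listed above are present and correctly typed. This is an added example, not code from the AWS documentation: the helper names, the sample property values, and the logical ID are assumptions, and `submit` needs boto3 and AWS credentials to run.

```python
import json

# The four inputs this section lists for the rule, with the types it gives.
REQUIRED_INPUTS = {"MemorySize": int, "Role": str, "Runtime": str, "Timeout": int}

# Constructed sample of CloudFormation AWS::Lambda::Function properties.
SAMPLE_PROPERTIES = {
    "MemorySize": 128,
    "Role": "arn:aws:iam::111122223333:role/example-exec-role",
    "Runtime": "python3.12",
    "Timeout": 3,
    "Handler": "app.handler",
}


def check_inputs(properties):
    """Return a list of problems that would stop the rule from evaluating the resource."""
    problems = []
    for name, expected in REQUIRED_INPUTS.items():
        if name not in properties:
            problems.append(f"missing input {name}")
            continue
        value = properties[name]
        # bool is a subclass of int in Python, so reject it explicitly.
        if isinstance(value, bool) or not isinstance(value, expected):
            problems.append(f"{name} must be {expected.__name__}, got {type(value).__name__}")
    return problems


def build_proactive_request(logical_id, properties, timeout_seconds=60):
    """Build keyword arguments for the AWS Config StartResourceEvaluation API."""
    problems = check_inputs(properties)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "ResourceDetails": {
            "ResourceId": logical_id,
            "ResourceType": "AWS::Lambda::Function",
            # "Encoded as a string": the configuration is JSON text, not a nested object.
            "ResourceConfiguration": json.dumps(properties, sort_keys=True),
            "ResourceConfigurationSchemaType": "CFN_RESOURCE_SCHEMA",
        },
        "EvaluationMode": "PROACTIVE",
        "EvaluationTimeout": timeout_seconds,
    }


def submit(request):
    """Send the request; imported lazily so the builder can be used without boto3."""
    import boto3

    response = boto3.client("config").start_resource_evaluation(**request)
    return response["ResourceEvaluationId"]


if __name__ == "__main__":
    print(json.dumps(build_proactive_request("ExampleFunction", SAMPLE_PROPERTIES), indent=2))
```
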

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1059c21"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# lambda-function-system-log-level-check
<a name="lambda-function-system-log-level-check"></a>

Checks if AWS Lambda functions with JSON structured logs are configured with a specified system log level. The rule is NON_COMPLIANT if configuration.loggingConfig.systemLogLevel is not a value specified in the required rule parameter.

**Identifier:** LAMBDA_FUNCTION_SYSTEM_LOG_LEVEL_CHECK

**Resource Types:** AWS::Lambda::Function

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), AWS GovCloud (US-East), AWS GovCloud (US-West), China (Ningxia) Region

**Parameters:**

logLevel  
Type: String  
The minimum system log level for the rule to check. The rule is NON_COMPLIANT if configuration.loggingConfig.systemLogLevel is configured with a value not specified in this parameter. Valid values include: 'DEBUG', 'INFO', and 'WARN'.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1061c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# lambda-function-xray-enabled
<a name="lambda-function-xray-enabled"></a>

Checks if AWS X-Ray is enabled on AWS Lambda functions. The rule is NON_COMPLIANT if X-Ray tracing is disabled for a Lambda function.

**Identifier:** LAMBDA_FUNCTION_XRAY_ENABLED

**Resource Types:** AWS::Lambda::Function

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Mexico (Central), Asia Pacific (Taipei), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1063c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# lambda-inside-vpc
<a name="lambda-inside-vpc"></a>

Checks if a Lambda function is allowed access to a virtual private cloud (VPC). The rule is NON_COMPLIANT if the Lambda function is not VPC enabled.

**Identifier:** LAMBDA_INSIDE_VPC

**Resource Types:** AWS::Lambda::Function

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except China (Ningxia) Region

**Parameters:**

subnetIds (Optional)  
Type: CSV  
Comma-separated list of subnet IDs that Lambda functions must be associated with.

## Proactive Evaluation
<a name="w2aac20c16c17b7e1065c19"></a>

 For steps on how to run this rule in proactive mode, see [Evaluating Your Resources with AWS Config Rules](./evaluating-your-resources.html#evaluating-your-resources-proactive). For this rule to return COMPLIANT in proactive mode, the resource configuration schema for the [StartResourceEvaluation](https://docs.aws.amazon.com/config/latest/APIReference/API_StartResourceEvaluation.html) API needs to include the following inputs, encoded as a string: 

```
"ResourceConfiguration":
...
{
   "VpcConfig": {
         "SubnetIds": "[SubnetId-1, SubnetId-2, SubnetId-3, ...]"
   }
} 
...
```

 For more information on proactive evaluation, see [Evaluation Mode](./evaluate-config-rules.html). 

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1065c21"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# lambda-vpc-multi-az-check
<a name="lambda-vpc-multi-az-check"></a>

Checks if Lambda has more than 1 availability zone associated. The rule is NON_COMPLIANT if only 1 availability zone is associated with the Lambda or the number of availability zones associated is less than the number specified in the optional parameter.

**Identifier:** LAMBDA_VPC_MULTI_AZ_CHECK

**Resource Types:** AWS::Lambda::Function

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), China (Ningxia) Region

**Parameters:**

availabilityZones (Optional)  
Type: int  
Number of expected Availability Zones.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1067c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# lightsail-bucket-allow-public-overrides-disabled
<a name="lightsail-bucket-allow-public-overrides-disabled"></a>

Checks if Amazon Lightsail buckets have allow public overrides disabled. The rule is NON_COMPLIANT if AllowPublicOverrides is true. Note: AllowPublicOverrides has no effect if GetObject is public, see lightsail-bucket-get-object-private.

**Identifier:** LIGHTSAIL_BUCKET_ALLOW_PUBLIC_OVERRIDES_DISABLED

**Resource Types:** AWS::Lightsail::Bucket

**Trigger type:** Configuration changes

**AWS Region:** Only available in Europe (Stockholm), Asia Pacific (Mumbai), Europe (Paris), US East (Ohio), Europe (Ireland), Europe (Frankfurt), US East (N. Virginia), Asia Pacific (Seoul), Europe (London), Asia Pacific (Tokyo), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Sydney), Canada (Central) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1069c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# lightsail-bucket-object-versioning-enabled
<a name="lightsail-bucket-object-versioning-enabled"></a>

Checks if Amazon Lightsail Bucket resources have object versioning enabled to protect against unintended deletions and modifications. The rule is NON_COMPLIANT if the bucket does not have object versioning enabled.

**Identifier:** LIGHTSAIL_BUCKET_OBJECT_VERSIONING_ENABLED

**Resource Types:** AWS::Lightsail::Bucket

**Trigger type:** Configuration changes

**AWS Region:** Only available in Europe (Stockholm), Asia Pacific (Mumbai), Europe (Paris), US East (Ohio), Europe (Ireland), Europe (Frankfurt), US East (N. Virginia), Asia Pacific (Seoul), Europe (London), Asia Pacific (Tokyo), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Sydney), Canada (Central) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1071c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# lightsail-bucket-tagged
<a name="lightsail-bucket-tagged"></a>

Checks if Amazon Lightsail buckets have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** LIGHTSAIL_BUCKET_TAGGED

**Resource Types:** AWS::Lightsail::Bucket

**Trigger type:** Configuration changes

**AWS Region:** Only available in Europe (Stockholm), Asia Pacific (Mumbai), Europe (Paris), US East (Ohio), Europe (Ireland), Europe (Frankfurt), US East (N. Virginia), Asia Pacific (Seoul), Europe (London), Asia Pacific (Tokyo), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Sydney), Canada (Central) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1073c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# lightsail-certificate-tagged
<a name="lightsail-certificate-tagged"></a>

Checks if Amazon Lightsail certificates have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** LIGHTSAIL_CERTIFICATE_TAGGED

**Resource Types:** AWS::Lightsail::Certificate

**Trigger type:** Configuration changes

**AWS Region:** Only available in Europe (Stockholm), Asia Pacific (Mumbai), Europe (Paris), US East (Ohio), Europe (Ireland), Europe (Frankfurt), US East (N. Virginia), Asia Pacific (Seoul), Europe (London), Asia Pacific (Tokyo), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Sydney), Canada (Central) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1075c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# lightsail-disk-tagged
<a name="lightsail-disk-tagged"></a>

Checks if Amazon Lightsail disks have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** LIGHTSAIL_DISK_TAGGED

**Resource Types:** AWS::Lightsail::Disk

**Trigger type:** Configuration changes

**AWS Region:** Only available in Europe (Stockholm), Asia Pacific (Mumbai), Europe (Paris), US East (Ohio), Europe (Ireland), Europe (Frankfurt), US East (N. Virginia), Asia Pacific (Seoul), Europe (London), Asia Pacific (Tokyo), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Sydney), Canada (Central) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1077c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# macie-auto-sensitive-data-discovery-check
<a name="macie-auto-sensitive-data-discovery-check"></a>

Checks if automated sensitive data discovery is enabled for Amazon Macie. The rule is NON_COMPLIANT if automated sensitive data discovery is disabled. The rule is APPLICABLE for administrator accounts and NOT_APPLICABLE for member accounts.

**Identifier:** MACIE_AUTO_SENSITIVE_DATA_DISCOVERY_CHECK

**Resource Types:** AWS::::Account

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Jakarta), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1079c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# macie-status-check
<a name="macie-status-check"></a>

Checks if Amazon Macie is enabled in your account per region. The rule is NON_COMPLIANT if the 'status' attribute is not set to 'ENABLED'.

**Identifier:** MACIE_STATUS_CHECK

**Resource Types:** AWS::::Account

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Jakarta), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1081c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# mariadb-publish-logs-to-cloudwatch-logs
<a name="mariadb-publish-logs-to-cloudwatch-logs"></a>

Checks if Amazon MariaDB database instances are configured to publish logs to Amazon CloudWatch Logs. The rule is NON_COMPLIANT if a database instance is not configured to publish logs to CloudWatch Logs.

**Identifier:** MARIADB_PUBLISH_LOGS_TO_CLOUDWATCH_LOGS

**Resource Types:** AWS::RDS::DBInstance

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Malaysia), Mexico (Central), Asia Pacific (Taipei) Region

**Parameters:**

logTypes (Optional)  
Type: String  
Comma-separated list of log types for the rule to check. If not provided, the rule checks for the default log types: 'error' and 'audit'.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1083c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# mediapackage-packagingconfiguration-tagged
<a name="mediapackage-packagingconfiguration-tagged"></a>

Checks if AWS Elemental MediaPackage packaging configuration resources have tags. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** MEDIAPACKAGE_PACKAGINGCONFIGURATION_TAGGED

**Resource Types:** AWS::MediaPackage::PackagingConfiguration

**Trigger type:** Configuration changes

**AWS Region:** Only available in Europe (Stockholm), Asia Pacific (Mumbai), Europe (Paris), US East (Ohio), Europe (Ireland), Europe (Frankfurt), South America (Sao Paulo), US East (N. Virginia), Asia Pacific (Seoul), Asia Pacific (Osaka), Europe (London), Asia Pacific (Melbourne), Asia Pacific (Tokyo), US West (Oregon), US West (N. California), Asia Pacific (Singapore), Asia Pacific (Sydney), Canada (Central) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1085c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# mediatailor-playbackconfiguration-tagged
<a name="mediatailor-playbackconfiguration-tagged"></a>

Checks if AWS Elemental MediaTailor playback configurations have tags. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** MEDIATAILOR_PLAYBACKCONFIGURATION_TAGGED

**Resource Types:** AWS::MediaTailor::PlaybackConfiguration

**Trigger type:** Configuration changes

**AWS Region:** Only available in Europe (Stockholm), Asia Pacific (Mumbai), Europe (Paris), US East (Ohio), Africa (Cape Town), Europe (Ireland), Middle East (UAE), Europe (Frankfurt), South America (Sao Paulo), US East (N. Virginia), Asia Pacific (Seoul), Asia Pacific (Osaka), Asia Pacific (Melbourne), Asia Pacific (Tokyo), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Sydney), Canada (Central) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1087c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# memorydb-subnetgroup-tagged
<a name="memorydb-subnetgroup-tagged"></a>

Checks if Amazon MemoryDB subnet group resources have tags. Optionally, required tag keys can be specified. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** MEMORYDB_SUBNETGROUP_TAGGED

**Resource Types:** AWS::MemoryDB::SubnetGroup

**Trigger type:** Configuration changes

**AWS Region:** Only available in Europe (Stockholm), Asia Pacific (Mumbai), US East (Ohio), Europe (Ireland), Europe (Frankfurt), South America (Sao Paulo), Asia Pacific (Hong Kong), US East (N. Virginia), Asia Pacific (Seoul), Europe (London), Asia Pacific (Tokyo), US West (Oregon), US West (N. California), Asia Pacific (Singapore), Asia Pacific (Sydney), Canada (Central) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1089c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# mfa-enabled-for-iam-console-access
<a name="mfa-enabled-for-iam-console-access"></a>

Checks if AWS multi-factor authentication (MFA) is enabled for all AWS Identity and Access Management (IAM) users that use a console password. The rule is COMPLIANT if MFA is enabled. 

**Note**  
**Re-evaluation Timeline**  
Re-evaluating this rule within 4 hours of the first evaluation will have no effect on the results.  
**Managed Rules and Global IAM Resource Types**  
The global IAM resource types onboarded before February 2022 (`AWS::IAM::Group`, `AWS::IAM::Policy`, `AWS::IAM::Role`, and `AWS::IAM::User`) can only be recorded by AWS Config in AWS Regions where AWS Config was available before February 2022. These resource types cannot be recorded in Regions supported by AWS Config after February 2022. For a list of those Regions, see [Recording AWS Resources | Global Resources](https://docs.aws.amazon.com/config/latest/developerguide/select-resources.html#select-resources-all).  
If you record a global IAM resource type in at least one Region, periodic rules that report compliance on the global IAM resource type will run evaluations in all Regions where the periodic rule is added, even if you have not enabled the recording of the global IAM resource type in the Region where the periodic rule was added.  
To avoid unnecessary evaluations, you should only deploy periodic rules that report compliance on a global IAM resource type to one of the supported Regions. For a list of which managed rules are supported in which Regions, see [List of AWS Config Managed Rules by Region Availability](https://docs.aws.amazon.com/config/latest/developerguide/managing-rules-by-region-availability.html).

**Identifier:** MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS

**Resource Types:** AWS::IAM::User

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1091c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# mq-active-broker-ldap-authentication
<a name="mq-active-broker-ldap-authentication"></a>

Checks if Amazon MQ ActiveMQ brokers use the LDAP authentication strategy to secure the broker. The rule is NON_COMPLIANT if configuration.AuthenticationStrategy is not 'ldap'.

**Identifier:** MQ_ACTIVE_BROKER_LDAP_AUTHENTICATION

**Resource Types:** AWS::AmazonMQ::Broker

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1093c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# mq-active-deployment-mode
<a name="mq-active-deployment-mode"></a>

Checks the deployment mode configured for the Amazon MQ ActiveMQ broker engine. The rule is NON_COMPLIANT if the default single-instance broker mode is being used.

**Identifier:** MQ_ACTIVE_DEPLOYMENT_MODE

**Resource Types:** AWS::AmazonMQ::Broker

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1095c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# mq-active-single-instance-broker-storage-type-efs
<a name="mq-active-single-instance-broker-storage-type-efs"></a>

Checks if an Amazon MQ for ActiveMQ single-instance broker using the mq.m5 instance type family is configured with Amazon Elastic File System (EFS) for broker storage. The rule is NON_COMPLIANT if configuration.StorageType is not 'efs'.

**Identifier:** MQ_ACTIVE_SINGLE_INSTANCE_BROKER_STORAGE_TYPE_EFS

**Resource Types:** AWS::AmazonMQ::Broker

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1097c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# mq-automatic-minor-version-upgrade-enabled
<a name="mq-automatic-minor-version-upgrade-enabled"></a>

Checks if automatic minor version upgrades are enabled for Amazon MQ brokers. The rule is NON_COMPLIANT if the 'AutoMinorVersionUpgrade' field is not enabled for an Amazon MQ broker.

**Identifier:** MQ_AUTOMATIC_MINOR_VERSION_UPGRADE_ENABLED

**Resource Types:** AWS::AmazonMQ::Broker

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Jakarta), Africa (Cape Town), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1099c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# mq-auto-minor-version-upgrade-enabled
<a name="mq-auto-minor-version-upgrade-enabled"></a>

Checks if automatic minor version upgrades are enabled for Amazon MQ brokers. The rule is NON_COMPLIANT if the 'AutoMinorVersionUpgrade' field is not enabled for an Amazon MQ broker.

**Identifier:** MQ_AUTO_MINOR_VERSION_UPGRADE_ENABLED

**Resource Types:** AWS::AmazonMQ::Broker

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1101c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# mq-broker-general-logging-enabled
<a name="mq-broker-general-logging-enabled"></a>

Checks if Amazon MQ brokers have general logging enabled. The rule is NON_COMPLIANT if configuration.Logs.General is false.

**Identifier:** MQ_BROKER_GENERAL_LOGGING_ENABLED

**Resource Types:** AWS::AmazonMQ::Broker

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1103c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# mq-cloudwatch-audit-logging-enabled
<a name="mq-cloudwatch-audit-logging-enabled"></a>

Checks if Amazon MQ brokers have Amazon CloudWatch audit logging enabled. The rule is NON_COMPLIANT if a broker does not have audit logging enabled.

**Identifier:** MQ_CLOUDWATCH_AUDIT_LOGGING_ENABLED

**Resource Types:** AWS::AmazonMQ::Broker

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Jakarta), Africa (Cape Town), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1105c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# mq-cloudwatch-audit-log-enabled
<a name="mq-cloudwatch-audit-log-enabled"></a>

Checks if an Amazon MQ broker has CloudWatch audit logging enabled. The rule is NON_COMPLIANT if the broker does not have audit logging enabled.

**Identifier:** MQ_CLOUDWATCH_AUDIT_LOG_ENABLED

**Resource Types:** AWS::AmazonMQ::Broker

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1107c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# mq-no-public-access
<a name="mq-no-public-access"></a>

Checks if Amazon MQ brokers are not publicly accessible. The rule is NON_COMPLIANT if the 'PubliclyAccessible' field is set to true for an Amazon MQ broker.

**Identifier:** MQ_NO_PUBLIC_ACCESS

**Resource Types:** AWS::AmazonMQ::Broker

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Jakarta), Africa (Cape Town), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1109c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# mq-rabbit-deployment-mode
<a name="mq-rabbit-deployment-mode"></a>

Checks the deployment mode configured for the Amazon MQ RabbitMQ broker engine. The rule is NON_COMPLIANT if the default single-instance broker mode is being used.

**Identifier:** MQ_RABBIT_DEPLOYMENT_MODE

**Resource Types:** AWS::AmazonMQ::Broker

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1111c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# msk-cluster-public-access-disabled
<a name="msk-cluster-public-access-disabled"></a>

Checks if public access is disabled on Amazon MSK clusters. The rule is NON_COMPLIANT if public access on an Amazon MSK cluster is not disabled.

**Identifier:** MSK_CLUSTER_PUBLIC_ACCESS_DISABLED

**Resource Types:** AWS::MSK::Cluster

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Malaysia), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1113c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# msk-cluster-tagged
<a name="msk-cluster-tagged"></a>

Checks if Amazon MSK clusters have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** MSK_CLUSTER_TAGGED

**Resource Types:** AWS::MSK::Cluster

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1115c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# msk-connect-connector-logging-enabled
<a name="msk-connect-connector-logging-enabled"></a>

Checks if an Amazon MSK Connector has logging enabled to any one of the log destinations. The rule is NON_COMPLIANT if the Amazon MSK Connector does not have logging enabled.

**Identifier:** MSK_CONNECT_CONNECTOR_LOGGING_ENABLED

**Resource Types:** AWS::KafkaConnect::Connector

**Trigger type:** Configuration changes

**AWS Region:** Only available in Europe (Stockholm), Asia Pacific (Mumbai), Europe (Paris), US East (Ohio), Europe (Ireland), Europe (Frankfurt), South America (Sao Paulo), US East (N. Virginia), Asia Pacific (Seoul), Europe (London), Asia Pacific (Tokyo), US West (Oregon), US West (N. California), Asia Pacific (Singapore), Asia Pacific (Sydney), Canada (Central) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1117c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# msk-enhanced-monitoring-enabled
<a name="msk-enhanced-monitoring-enabled"></a>

Checks if enhanced monitoring is enabled for an Amazon MSK cluster set to PER_TOPIC_PER_BROKER or PER_TOPIC_PER_PARTITION. The rule is NON_COMPLIANT if enhanced monitoring is enabled and set to DEFAULT or PER_BROKER.

**Identifier:** MSK_ENHANCED_MONITORING_ENABLED

**Resource Types:** AWS::MSK::Cluster

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1119c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# msk-in-cluster-node-require-tls
<a name="msk-in-cluster-node-require-tls"></a>

Checks if an Amazon MSK cluster enforces encryption in transit using HTTPS (TLS) with the broker nodes of the cluster. The rule is NON_COMPLIANT if plain text communication is enabled for in-cluster broker node connections.

**Identifier:** MSK_IN_CLUSTER_NODE_REQUIRE_TLS

**Resource Types:** AWS::MSK::Cluster

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1121c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# msk-unrestricted-access-check
<a name="msk-unrestricted-access-check"></a>

Checks if an Amazon MSK cluster has unauthenticated access disabled. The rule is NON_COMPLIANT if the Amazon MSK cluster has unauthenticated access enabled.

**Identifier:** MSK_UNRESTRICTED_ACCESS_CHECK

**Resource Types:** AWS::MSK::Cluster

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Malaysia), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1123c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# multi-region-cloudtrail-enabled
<a name="multi-region-cloudtrail-enabled"></a>

**Important**  
For this rule, the rule identifier (MULTI_REGION_CLOUD_TRAIL_ENABLED) and rule name (multi-region-cloudtrail-enabled) are different.

Checks if there is at least one multi-region AWS CloudTrail. The rule is NON_COMPLIANT if the trails do not match input parameters. The rule is NON_COMPLIANT if the `ExcludeManagementEventSources` field is not empty or if AWS CloudTrail is configured to exclude management events such as AWS KMS events or Amazon RDS Data API events.

**Identifier:** MULTI_REGION_CLOUD_TRAIL_ENABLED

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions

**Parameters:**

s3BucketName (Optional)  
Type: String  
Name of Amazon S3 bucket for AWS CloudTrail to deliver log files to.

snsTopicArn (Optional)  
Type: String  
Amazon SNS topic ARN for AWS CloudTrail to use for notifications.

cloudWatchLogsLogGroupArn (Optional)  
Type: String  
Amazon CloudWatch log group ARN for AWS CloudTrail to send data to.

includeManagementEvents (Optional)  
Type: boolean  
Event selector to include management events for the AWS CloudTrail.

readWriteType (Optional)  
Type: String  
Type of events to record. Valid values are ReadOnly, WriteOnly and ALL.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1125c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# nacl-no-unrestricted-ssh-rdp
<a name="nacl-no-unrestricted-ssh-rdp"></a>

Checks if default ports for SSH/RDP ingress traffic for network access control lists (NACLs) are unrestricted. The rule is NON_COMPLIANT if a NACL inbound entry allows a source TCP or UDP CIDR block for ports 22 or 3389.

**Identifier:** NACL_NO_UNRESTRICTED_SSH_RDP

**Resource Types:** AWS::EC2::NetworkAcl

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Mexico (Central), Asia Pacific (Taipei) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1127c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# neptune-cluster-backup-retention-check
<a name="neptune-cluster-backup-retention-check"></a>

Checks if an Amazon Neptune DB cluster retention period is set to a specific number of days. The rule is NON_COMPLIANT if the retention period is less than the value specified by the parameter.

**Identifier:** NEPTUNE_CLUSTER_BACKUP_RETENTION_CHECK

**Resource Types:** AWS::RDS::DBCluster

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Jakarta), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), Europe (Milan), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), Europe (Zurich) Region

**Parameters:**

minimumBackupRetentionPeriod (Optional)  
Type: int  
Minimum days backups should be kept. Valid values 1 to 35, default value is 7. The rule is NON_COMPLIANT if value is greater than 'backupRetentionPeriod'. The rule is COMPLIANT if value is less than or equal to 'backupRetentionPeriod'.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1129c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# neptune-cluster-cloudwatch-log-export-enabled
<a name="neptune-cluster-cloudwatch-log-export-enabled"></a>

Checks if an Amazon Neptune cluster has CloudWatch log export enabled for audit logs. The rule is NON_COMPLIANT if a Neptune cluster does not have CloudWatch log export enabled for audit logs.

**Identifier:** NEPTUNE_CLUSTER_CLOUDWATCH_LOG_EXPORT_ENABLED

**Resource Types:** AWS::RDS::DBCluster

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Jakarta), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), Europe (Milan), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1131c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# neptune-cluster-copy-tags-to-snapshot-enabled
<a name="neptune-cluster-copy-tags-to-snapshot-enabled"></a>

Checks if an Amazon Neptune cluster is configured to copy all tags to snapshots when the snapshots are created. The rule is NON_COMPLIANT if 'copyTagsToSnapshot' is set to false.

**Identifier:** NEPTUNE_CLUSTER_COPY_TAGS_TO_SNAPSHOT_ENABLED

**Resource Types:** AWS::RDS::DBCluster

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Jakarta), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), Europe (Milan), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1133c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# neptune-cluster-deletion-protection-enabled
<a name="neptune-cluster-deletion-protection-enabled"></a>

Checks if an Amazon Neptune DB cluster has deletion protection enabled. The rule is NON_COMPLIANT if an Amazon Neptune cluster has the deletionProtection field set to false.

**Identifier:** NEPTUNE_CLUSTER_DELETION_PROTECTION_ENABLED

**Resource Types:** AWS::RDS::DBCluster

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1135c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# neptune-cluster-encrypted
<a name="neptune-cluster-encrypted"></a>

Checks if storage encryption is enabled for your Amazon Neptune DB clusters. The rule is NON_COMPLIANT if storage encryption is not enabled.

**Identifier:** NEPTUNE_CLUSTER_ENCRYPTED

**Resource Types:** AWS::RDS::DBCluster

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Jakarta), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), Europe (Milan), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), Europe (Zurich) Region

**Parameters:**

KmsKeyArns (Optional)  
Type: CSV  
A comma-separated list of KMS key ARNs to compare with the KmsKeyId of the encrypted cluster.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1137c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# neptune-cluster-iam-database-authentication
<a name="neptune-cluster-iam-database-authentication"></a>

Checks if an Amazon Neptune cluster has AWS Identity and Access Management (IAM) database authentication enabled. The rule is NON_COMPLIANT if an Amazon Neptune cluster does not have IAM database authentication enabled.

**Identifier:** NEPTUNE_CLUSTER_IAM_DATABASE_AUTHENTICATION

**Resource Types:** AWS::RDS::DBCluster

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Jakarta), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), Europe (Milan), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1139c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# neptune-cluster-multi-az-enabled
<a name="neptune-cluster-multi-az-enabled"></a>

Checks if an Amazon Neptune cluster is configured with Amazon RDS Multi-AZ replication. The rule is NON_COMPLIANT if Multi-AZ replication is not enabled.

**Identifier:** NEPTUNE_CLUSTER_MULTI_AZ_ENABLED

**Resource Types:** AWS::RDS::DBCluster

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Jakarta), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), Europe (Milan), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1141c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# neptune-cluster-snapshot-encrypted
<a name="neptune-cluster-snapshot-encrypted"></a>

Checks if an Amazon Neptune DB cluster has snapshots encrypted. The rule is NON_COMPLIANT if a Neptune cluster does not have snapshots encrypted.

**Identifier:** NEPTUNE_CLUSTER_SNAPSHOT_ENCRYPTED

**Resource Types:** AWS::RDS::DBClusterSnapshot

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Jakarta), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), Europe (Milan), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1143c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# neptune-cluster-snapshot-iam-database-auth-enabled
<a name="neptune-cluster-snapshot-iam-database-auth-enabled"></a>

Checks if Amazon Neptune cluster snapshots have IAM database authentication enabled. The rule is NON_COMPLIANT if configuration.iamdatabaseAuthenticationEnabled is false.

**Identifier:** NEPTUNE_CLUSTER_SNAPSHOT_IAM_DATABASE_AUTH_ENABLED

**Resource Types:** AWS::RDS::DBClusterSnapshot

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Hyderabad), Europe (Milan), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), China (Ningxia), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1145c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# neptune-cluster-snapshot-public-prohibited
<a name="neptune-cluster-snapshot-public-prohibited"></a>

Checks if an Amazon Neptune manual DB cluster snapshot is public. The rule is NON_COMPLIANT if any existing and new Neptune cluster snapshot is public.

**Identifier:** NEPTUNE_CLUSTER_SNAPSHOT_PUBLIC_PROHIBITED

**Resource Types:** AWS::RDS::DBClusterSnapshot

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Jakarta), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), Europe (Milan), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1147c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# netfw-deletion-protection-enabled
<a name="netfw-deletion-protection-enabled"></a>

Checks if AWS Network Firewall has deletion protection enabled. The rule is NON_COMPLIANT if Network Firewall does not have deletion protection enabled.

**Identifier:** NETFW_DELETION_PROTECTION_ENABLED

**Resource Types:** AWS::NetworkFirewall::Firewall

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1149c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# netfw-logging-enabled
<a name="netfw-logging-enabled"></a>

Checks if AWS Network Firewall firewalls have logging enabled. The rule is NON_COMPLIANT if a logging type is not configured. You can specify which logging type you want the rule to check.

**Identifier:** NETFW_LOGGING_ENABLED

**Resource Types:** AWS::NetworkFirewall::LoggingConfiguration

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

logType (Optional)  
Type: String  
Log type for the rule to check for firewalls: 'alert', 'flow', or 'both'.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1151c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# netfw-multi-az-enabled
<a name="netfw-multi-az-enabled"></a>

Checks if AWS Network Firewall firewalls are deployed across multiple Availability Zones. The rule is NON_COMPLIANT if firewalls are deployed in only one Availability Zone or in fewer zones than the number listed in the optional parameter.

**Identifier:** NETFW_MULTI_AZ_ENABLED

**Resource Types:** AWS::NetworkFirewall::Firewall

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions

**Parameters:**

availabilityZones (Optional)  
Type: int  
The number of expected Availability Zones.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1153c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# netfw-policy-default-action-fragment-packets
<a name="netfw-policy-default-action-fragment-packets"></a>

Checks if an AWS Network Firewall policy is configured with a user-defined stateless default action for fragmented packets. The rule is NON_COMPLIANT if the stateless default action for fragmented packets does not match the user-defined default action.

**Identifier:** NETFW_POLICY_DEFAULT_ACTION_FRAGMENT_PACKETS

**Resource Types:** AWS::NetworkFirewall::FirewallPolicy

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

statelessFragmentDefaultActions  
Type: CSV  
Comma-separated list of values. You can select a max of two. Valid values include 'aws:pass', 'aws:drop', and 'aws:forward_to_sfe'.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1155c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# netfw-policy-default-action-full-packets
<a name="netfw-policy-default-action-full-packets"></a>

Checks if an AWS Network Firewall policy is configured with a user-defined default stateless action for full packets. The rule is NON_COMPLIANT if the default stateless action for full packets does not match the user-defined default stateless action.

**Identifier:** NETFW_POLICY_DEFAULT_ACTION_FULL_PACKETS

**Resource Types:** AWS::NetworkFirewall::FirewallPolicy

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

statelessDefaultActions  
Type: CSV  
Comma-separated list of values. You can select a max of two. Valid values include 'aws:pass', 'aws:drop', and 'aws:forward_to_sfe'.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1157c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# netfw-policy-rule-group-associated
<a name="netfw-policy-rule-group-associated"></a>

Checks if an AWS Network Firewall policy is associated with stateful or stateless rule groups. The rule is NON_COMPLIANT if no stateful or stateless rule groups are associated with the Network Firewall policy, and COMPLIANT if at least one rule group of either type is associated.

**Identifier:** NETFW_POLICY_RULE_GROUP_ASSOCIATED

**Resource Types:** AWS::NetworkFirewall::FirewallPolicy

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1159c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# netfw-stateless-rule-group-not-empty
<a name="netfw-stateless-rule-group-not-empty"></a>

Checks if a Stateless Network Firewall Rule Group contains rules. The rule is NON_COMPLIANT if there are no rules in a Stateless Network Firewall Rule Group.

**Identifier:** NETFW_STATELESS_RULE_GROUP_NOT_EMPTY

**Resource Types:** AWS::NetworkFirewall::RuleGroup

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1161c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# netfw-subnet-change-protection-enabled
<a name="netfw-subnet-change-protection-enabled"></a>

Checks if AWS Network Firewall has subnet change protection enabled. The rule is NON_COMPLIANT if subnet change protection is not enabled.

**Identifier:** NETFW_SUBNET_CHANGE_PROTECTION_ENABLED

**Resource Types:** AWS::NetworkFirewall::Firewall

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Malaysia), Mexico (Central), Asia Pacific (Taipei) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1163c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# nlb-cross-zone-load-balancing-enabled
<a name="nlb-cross-zone-load-balancing-enabled"></a>

Checks if cross-zone load balancing is enabled on Network Load Balancers (NLBs). The rule is NON_COMPLIANT if cross-zone load balancing is not enabled for an NLB.

**Identifier:** NLB_CROSS_ZONE_LOAD_BALANCING_ENABLED

**Resource Types:** AWS::ElasticLoadBalancingV2::LoadBalancer

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (Thailand), Asia Pacific (Jakarta), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1165c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# nlb-internal-scheme-check
<a name="nlb-internal-scheme-check"></a>

Checks if a Network Load Balancer scheme is internal. The rule is NON_COMPLIANT if configuration.scheme is not set to internal.

**Identifier:** NLB_INTERNAL_SCHEME_CHECK

**Resource Types:** AWS::ElasticLoadBalancingV2::LoadBalancer

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1167c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# nlb-listener-tagged
<a name="nlb-listener-tagged"></a>

Checks if Network Load Balancer listeners have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** NLB_LISTENER_TAGGED

**Resource Types:** AWS::ElasticLoadBalancingV2::Listener

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Jakarta), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1169c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# nlb-logging-enabled
<a name="nlb-logging-enabled"></a>

Checks if access logging is enabled for Network Load Balancers. The rule is NON_COMPLIANT if access logging is not enabled for a Network Load Balancer.

**Identifier:** NLB_LOGGING_ENABLED

**Resource Types:** AWS::ElasticLoadBalancingV2::LoadBalancer

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Malaysia), Mexico (Central), Asia Pacific (Taipei) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1171c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# nlb-tagged
<a name="nlb-tagged"></a>

Checks if Network Load Balancers have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** NLB_TAGGED

**Resource Types:** AWS::ElasticLoadBalancingV2::LoadBalancer

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), China (Ningxia) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1173c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# no-unrestricted-route-to-igw
<a name="no-unrestricted-route-to-igw"></a>

Checks if there are public routes in the route table to an Internet gateway (IGW). The rule is NON_COMPLIANT if a route to an IGW has a destination CIDR block of '0.0.0.0/0' or '::/0' or if a destination CIDR block does not match the rule parameter.

**Identifier:** NO_UNRESTRICTED_ROUTE_TO_IGW

**Resource Types:** AWS::EC2::RouteTable

**Trigger type:** Configuration changes and Periodic

**AWS Region:** All supported AWS regions

**Parameters:**

routeTableIds (Optional)  
Type: CSV  
Comma-separated list of route table IDs that can have routes to an Internet Gateway with a destination CIDR block of '0.0.0.0/0' or '::/0'.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1175c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# opensearchserverless-collection-description
<a name="opensearchserverless-collection-description"></a>

Checks if Amazon OpenSearch Serverless collections have a description. The rule is NON_COMPLIANT if configuration.Description does not exist.

**Identifier:** OPENSEARCHSERVERLESS_COLLECTION_DESCRIPTION

**Resource Types:** AWS::OpenSearchServerless::Collection

**Trigger type:** Configuration changes

**AWS Region:** Only available in Asia Pacific (Mumbai), Europe (Paris), US East (Ohio), Europe (Ireland), Europe (Frankfurt), South America (Sao Paulo), US East (N. Virginia), Europe (London), Asia Pacific (Tokyo), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Sydney), Canada (Central) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1177c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# opensearchserverless-collection-standbyreplicas-enabled
<a name="opensearchserverless-collection-standbyreplicas-enabled"></a>

Checks if Amazon OpenSearch Serverless collections have standby replicas enabled. The rule is NON_COMPLIANT if configuration.StandbyReplicas is 'DISABLED'.

**Identifier:** OPENSEARCHSERVERLESS_COLLECTION_STANDBYREPLICAS_ENABLED

**Resource Types:** AWS::OpenSearchServerless::Collection

**Trigger type:** Configuration changes

**AWS Region:** Only available in Asia Pacific (Mumbai), Europe (Paris), US East (Ohio), Europe (Ireland), Europe (Frankfurt), South America (Sao Paulo), US East (N. Virginia), Europe (London), Asia Pacific (Tokyo), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Sydney), Canada (Central) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1179c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# opensearch-access-control-enabled
<a name="opensearch-access-control-enabled"></a>

Checks if Amazon OpenSearch Service domains have fine-grained access control enabled. The rule is NON_COMPLIANT if AdvancedSecurityOptions is not enabled for the OpenSearch Service domain.

**Identifier:** OPENSEARCH_ACCESS_CONTROL_ENABLED

**Resource Types:** AWS::OpenSearch::Domain

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1181c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# opensearch-audit-logging-enabled
<a name="opensearch-audit-logging-enabled"></a>

Checks if Amazon OpenSearch Service domains have audit logging enabled. The rule is NON_COMPLIANT if an OpenSearch Service domain does not have audit logging enabled.

**Identifier:** OPENSEARCH_AUDIT_LOGGING_ENABLED

**Resource Types:** AWS::OpenSearch::Domain

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

cloudWatchLogsLogGroupArnList (Optional)  
Type: CSV  
Comma-separated list of Amazon Resource Names (ARNs) for Amazon CloudWatch Logs log groups. The rule checks if the specified log groups are configured for audit logs.  
Valid values include: `arn:aws:logs:region:account-id:log-group:log_group_name:*` and `arn:aws:logs:region:account-id:log-group:log_group_name`.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1183c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# opensearch-data-node-fault-tolerance
<a name="opensearch-data-node-fault-tolerance"></a>

Checks if Amazon OpenSearch Service domains are configured with at least three data nodes and zoneAwarenessEnabled is true. The rule is NON_COMPLIANT for an OpenSearch domain if 'instanceCount' is less than 3 or 'zoneAwarenessEnabled' is set to 'false'.

**Identifier:** OPENSEARCH_DATA_NODE_FAULT_TOLERANCE

**Resource Types:** AWS::OpenSearch::Domain

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1185c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# opensearch-encrypted-at-rest
<a name="opensearch-encrypted-at-rest"></a>

Checks if Amazon OpenSearch Service domains have encryption at rest configuration enabled. The rule is NON_COMPLIANT if the `EncryptionAtRestOptions` field is not enabled.

**Note**  
The rule does not evaluate Elasticsearch domains.



**Identifier:** OPENSEARCH_ENCRYPTED_AT_REST

**Resource Types:** AWS::OpenSearch::Domain

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1187c21"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# opensearch-https-required
<a name="opensearch-https-required"></a>

Checks whether connections to OpenSearch domains are using HTTPS. The rule is NON_COMPLIANT if the Amazon OpenSearch domain 'EnforceHTTPS' is not 'true', or if it is 'true' and 'TLSSecurityPolicy' is not in `tlsPolicies`.

**Identifier:** OPENSEARCH_HTTPS_REQUIRED

**Resource Types:** AWS::OpenSearch::Domain

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

tlsPolicies (Optional)  
Type: CSV  
Comma-separated list of TLS security policies to check against the Amazon OpenSearch domain.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1189c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# opensearch-in-vpc-only
<a name="opensearch-in-vpc-only"></a>

Checks if Amazon OpenSearch Service domains are in an Amazon Virtual Private Cloud (VPC). The rule is NON_COMPLIANT if an OpenSearch Service domain endpoint is public.

**Note**  
The rule does not evaluate Elasticsearch domains.



**Identifier:** OPENSEARCH_IN_VPC_ONLY

**Resource Types:** AWS::OpenSearch::Domain

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1191c21"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# opensearch-logs-to-cloudwatch
<a name="opensearch-logs-to-cloudwatch"></a>

Checks if Amazon OpenSearch Service domains are configured to send logs to Amazon CloudWatch Logs. The rule is NON_COMPLIANT if logging is not configured.

**Note**  
The rule does not evaluate Elasticsearch domains.



**Identifier:** OPENSEARCH_LOGS_TO_CLOUDWATCH

**Resource Types:** AWS::OpenSearch::Domain

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

logTypes (Optional)  
Type: CSV  
Comma-separated list of logs that are enabled. Valid values are 'search', 'index', 'error'.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1193c21"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# opensearch-node-to-node-encryption-check
<a name="opensearch-node-to-node-encryption-check"></a>

Checks if Amazon OpenSearch Service nodes are encrypted end to end. The rule is NON_COMPLIANT if node-to-node encryption is not enabled on the domain.

**Note**  
The rule does not evaluate Elasticsearch domains.



**Identifier:** OPENSEARCH_NODE_TO_NODE_ENCRYPTION_CHECK

**Resource Types:** AWS::OpenSearch::Domain

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1195c21"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# opensearch-primary-node-fault-tolerance
<a name="opensearch-primary-node-fault-tolerance"></a>

Checks if Amazon OpenSearch Service domains are configured with at least three dedicated primary nodes. The rule is NON_COMPLIANT for an OpenSearch Service domain if 'DedicatedMasterEnabled' is set to 'false', or 'DedicatedMasterCount' is less than 3.

**Identifier:** OPENSEARCH_PRIMARY_NODE_FAULT_TOLERANCE

**Resource Types:** AWS::OpenSearch::Domain

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1197c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# opensearch-update-check
<a name="opensearch-update-check"></a>

Checks if Amazon OpenSearch Service version updates are available but not installed. The rule is NON_COMPLIANT for an OpenSearch domain if the latest software updates are not installed.

**Identifier:** OPENSEARCH_UPDATE_CHECK

**Resource Types:** AWS::OpenSearch::Domain

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1199c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# panorama-package-tagged
<a name="panorama-package-tagged"></a>

Checks if AWS Panorama package resources have tags. Optionally, required tag keys can be specified. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** PANORAMA_PACKAGE_TAGGED

**Resource Types:** AWS::Panorama::Package

**Trigger type:** Configuration changes

**AWS Region:** Only available in Europe (Ireland), US East (N. Virginia), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Sydney), Canada (Central) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1201c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# rabbit-mq-supported-version
<a name="rabbit-mq-supported-version"></a>

Checks if an Amazon MQ RabbitMQ broker is running on a specified minimum supported engine version. The rule is NON_COMPLIANT if the RabbitMQ broker is not running on the minimum supported engine version that you specify.

**Identifier:** RABBIT_MQ_SUPPORTED_VERSION

**Resource Types:** AWS::AmazonMQ::Broker

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), Europe (Zurich) Region

**Parameters:**

supportedEngineVersion  
Type: String  
String value for the rule to check the minimum supported engine version for the RabbitMQ broker. RabbitMQ brokers use semantic versioning specification: X.Y.Z. X denotes the major version, Y represents the minor version, and Z denotes the patch version.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1203c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# rds-aurora-mysql-audit-logging-enabled
<a name="rds-aurora-mysql-audit-logging-enabled"></a>

Checks if Amazon Aurora MySQL-Compatible Edition clusters are configured to publish audit logs to Amazon CloudWatch Logs. The rule is NON_COMPLIANT if Aurora MySQL-Compatible Edition clusters do not have audit log publishing configured.

**Identifier:** RDS_AURORA_MYSQL_AUDIT_LOGGING_ENABLED

**Resource Types:** AWS::RDS::DBCluster

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1205c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# rds-aurora-postgresql-logs-to-cloudwatch
<a name="rds-aurora-postgresql-logs-to-cloudwatch"></a>

Checks if an Amazon Aurora PostgreSQL DB cluster is configured to publish PostgreSQL logs to Amazon CloudWatch Logs. This rule is NON_COMPLIANT if the DB cluster is not configured to publish PostgreSQL logs to Amazon CloudWatch Logs.

**Identifier:** RDS_AURORA_POSTGRESQL_LOGS_TO_CLOUDWATCH

**Resource Types:** AWS::RDS::DBCluster

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1207c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# rds-automatic-minor-version-upgrade-enabled
<a name="rds-automatic-minor-version-upgrade-enabled"></a>

Checks if Amazon Relational Database Service (RDS) database instances are configured for automatic minor version upgrades. The rule is NON_COMPLIANT if the value of 'autoMinorVersionUpgrade' is false.

**Identifier:** RDS_AUTOMATIC_MINOR_VERSION_UPGRADE_ENABLED

**Resource Types:** AWS::RDS::DBInstance

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions

**Parameters:**

None  

## Proactive Evaluation
<a name="w2aac20c16c17b7e1209c19"></a>

 For steps on how to run this rule in proactive mode, see [Evaluating Your Resources with AWS Config Rules](./evaluating-your-resources.html#evaluating-your-resources-proactive). For this rule to return COMPLIANT in proactive mode, the resource configuration schema for the [StartResourceEvaluation](https://docs.aws.amazon.com/config/latest/APIReference/API_StartResourceEvaluation.html) API needs to include the following inputs, encoded as a string: 

```
"ResourceConfiguration":
...
{
    "AutoMinorVersionUpgrade": BOOLEAN*,
    "Engine": String*
} 
...
```

\*For more information on valid values for these inputs, see [AutoMinorVersionUpgrade](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rds-dbinstance.html#cfn-rds-dbinstance-autominorversionupgrade) and [Engine](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rds-dbinstance.html#cfn-rds-dbinstance-engine) in the AWS CloudFormation User Guide.

 For more information on proactive evaluation, see [Evaluation Mode](./evaluate-config-rules.html). 

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1209c21"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# rds-cluster-auto-minor-version-upgrade-enable
<a name="rds-cluster-auto-minor-version-upgrade-enable"></a>

Checks if automatic minor version upgrades are enabled for Amazon RDS Multi-AZ cluster deployments. The rule is NON_COMPLIANT if autoMinorVersionUpgrade is set to false.

**Identifier:** RDS_CLUSTER_AUTO_MINOR_VERSION_UPGRADE_ENABLE

**Resource Types:** AWS::RDS::DBCluster

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), US West (N. California), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1211c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# rds-cluster-backup-retention-check
<a name="rds-cluster-backup-retention-check"></a>

Checks if an Amazon RDS cluster automated backup retention period is set to a specific number of days. The rule is NON_COMPLIANT if the retention period is less than the value specified by the parameter. The default value is 7 days.

**Identifier:** RDS_CLUSTER_BACKUP_RETENTION_CHECK

**Resource Types:** AWS::RDS::DBCluster

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), AWS GovCloud (US-East), AWS GovCloud (US-West), China (Ningxia) Region

**Parameters:**

minimumBackupRetentionPeriod (Optional)  
Type: int  
Default: 7  
The minimum backup retention period in days for the rule to check. The rule is NON_COMPLIANT if the backup retention period is less than the value specified in this parameter. Valid values are 1 to 35. The default value is 7.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1213c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# rds-cluster-default-admin-check
<a name="rds-cluster-default-admin-check"></a>

Checks if an Amazon Relational Database Service (Amazon RDS) database cluster has changed the admin username from its default value. The rule is NON_COMPLIANT if the admin username is set to the default value.

**Identifier:** RDS_CLUSTER_DEFAULT_ADMIN_CHECK

**Resource Types:** AWS::RDS::DBCluster

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

validAdminUserNames (Optional)  
Type: CSV  
Comma-separated list of admin username(s) that Amazon RDS clusters can use. Cannot include 'postgres' or 'admin' as valid username(s) as these are default values.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1215c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# rds-cluster-deletion-protection-enabled
<a name="rds-cluster-deletion-protection-enabled"></a>

Checks if an Amazon Relational Database Service (Amazon RDS) cluster has deletion protection enabled. This rule is NON_COMPLIANT if an RDS cluster does not have deletion protection enabled.

**Identifier:** RDS_CLUSTER_DELETION_PROTECTION_ENABLED

**Resource Types:** AWS::RDS::DBCluster

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except China (Beijing) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1217c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# rds-cluster-encrypted-at-rest
<a name="rds-cluster-encrypted-at-rest"></a>

Checks if an Amazon Relational Database Service (Amazon RDS) cluster is encrypted at rest. The rule is NON_COMPLIANT if an Amazon RDS cluster is not encrypted at rest.

**Identifier:** RDS_CLUSTER_ENCRYPTED_AT_REST

**Resource Types:** AWS::RDS::DBCluster

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1219c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# rds-cluster-iam-authentication-enabled
<a name="rds-cluster-iam-authentication-enabled"></a>

Checks if an Amazon Relational Database Service (Amazon RDS) cluster has AWS Identity and Access Management (IAM) authentication enabled. The rule is NON_COMPLIANT if an Amazon RDS Cluster does not have IAM authentication enabled.

**Identifier:** RDS_CLUSTER_IAM_AUTHENTICATION_ENABLED

**Resource Types:** AWS::RDS::DBCluster

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except China (Beijing) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1221c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# rds-cluster-multi-az-enabled
<a name="rds-cluster-multi-az-enabled"></a>

Checks if Multi-Availability Zone (Multi-AZ) replication is enabled on Amazon Aurora and Multi-AZ DB clusters managed by Amazon Relational Database Service (Amazon RDS). The rule is NON_COMPLIANT if an Amazon RDS instance is not configured with Multi-AZ.

**Identifier:** RDS_CLUSTER_MULTI_AZ_ENABLED

**Resource Types:** AWS::RDS::DBCluster

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except China (Beijing) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1223c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# rds-db-security-group-not-allowed
<a name="rds-db-security-group-not-allowed"></a>

Checks if there are any Amazon Relational Database Service (Amazon RDS) DB security groups that are not the default DB security group. The rule is NON_COMPLIANT if there are any DB security groups that are not the default DB security group.

**Identifier:** RDS_DB_SECURITY_GROUP_NOT_ALLOWED

**Resource Types:** AWS::RDS::DBSecurityGroup

**Trigger type:** Configuration changes

**AWS Region:** Only available in Europe (Ireland), South America (Sao Paulo), US East (N. Virginia), Asia Pacific (Tokyo), US West (Oregon), US West (N. California), Asia Pacific (Singapore), Asia Pacific (Sydney) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1225c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# rds-enhanced-monitoring-enabled
<a name="rds-enhanced-monitoring-enabled"></a>

Checks if enhanced monitoring is enabled for Amazon RDS instances. This rule is NON_COMPLIANT if '`monitoringInterval`' is '0' in the configuration item of the RDS instance, or if '`monitoringInterval`' does not match the rule parameter value.

**Identifier:** RDS_ENHANCED_MONITORING_ENABLED

**Resource Types:** AWS::RDS::DBInstance

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions

**Parameters:**

monitoringInterval (Optional)  
Type: int  
An integer value in seconds between points when enhanced monitoring metrics are collected for the database instance. The valid values are 1, 5, 10, 15, 30, and 60.

## Proactive Evaluation
<a name="w2aac20c16c17b7e1227c19"></a>

 For steps on how to run this rule in proactive mode, see [Evaluating Your Resources with AWS Config Rules](./evaluating-your-resources.html#evaluating-your-resources-proactive). For this rule to return COMPLIANT in proactive mode, the resource configuration schema for the [StartResourceEvaluation](https://docs.aws.amazon.com/config/latest/APIReference/API_StartResourceEvaluation.html) API needs to include the following inputs, encoded as a string: 

```
"ResourceConfiguration":
...
{
    "MonitoringInterval": Integer*,
    "Engine": String*
} 
...
```

\*For more information on valid values for these inputs, see [MonitoringInterval](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rds-dbinstance.html#cfn-rds-dbinstance-monitoringinterval) and [Engine](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rds-dbinstance.html#cfn-rds-dbinstance-engine) in the AWS CloudFormation User Guide.

 For more information on proactive evaluation, see [Evaluation Mode](./evaluate-config-rules.html). 

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1227c21"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# rds-event-subscription-tagged
<a name="rds-event-subscription-tagged"></a>

Checks if Amazon RDS event subscriptions have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** RDS_EVENT_SUBSCRIPTION_TAGGED

**Resource Types:** AWS::RDS::EventSubscription

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), China (Ningxia) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1229c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# rds-global-cluster-aurora-mysql-supported-version
<a name="rds-global-cluster-aurora-mysql-supported-version"></a>

Checks if an Amazon Aurora MySQL global database is running on a specified minimum supported engine version. The rule is NON_COMPLIANT if the database is not running on the minimum supported engine version that you specify.

**Identifier:** RDS_GLOBAL_CLUSTER_AURORA_MYSQL_SUPPORTED_VERSION

**Resource Types:** AWS::RDS::GlobalCluster

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

minSupportedEngineVersion  
Type: String  
String value for the minimum supported Aurora MySQL version for the Aurora MySQL global database. Aurora MySQL database engine versions use the following syntax: 'mysql-major-version.mysql_aurora.aurora-mysql-version'. The 'mysql-major-version' portion represents the version of the client protocol and general level of MySQL feature support for the corresponding Aurora MySQL version. The 'aurora-mysql-version' part is a dotted value with three parts: the Aurora MySQL major version, the Aurora MySQL minor version, and the patch level.
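The version syntax above compares correctly only when its dotted parts are treated as numbers. The following parser is an added illustration, not AWS code and not the managed rule's implementation; the function names, the two-number form of 'mysql-major-version', and the sample version strings in the comments are assumptions constructed for this example.

```python
import re

# mysql-major-version . "mysql_aurora" . three-part aurora-mysql-version
# Assumption: mysql-major-version has two numeric parts (for example "8.0").
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.mysql_aurora\.(\d+)\.(\d+)\.(\d+)$")


def parse_aurora_mysql_version(version):
    """Split a version string into (mysql_major, aurora_version) integer tuples.

    aurora_version is (major, minor, patch), the three parts the parameter
    description names. Raises ValueError for any other shape.
    """
    match = _VERSION_RE.match(version.strip())
    if match is None:
        raise ValueError(
            "not in mysql-major-version.mysql_aurora.aurora-mysql-version form: "
            f"{version!r}"
        )
    numbers = tuple(int(part) for part in match.groups())
    return numbers[:2], numbers[2:]


def meets_minimum(running, minimum):
    """True if `running` is at or above `minimum`, comparing part by part.

    Comparing the raw strings is wrong whenever a part gains a digit:
    "8.0.mysql_aurora.3.10.0" sorts before "8.0.mysql_aurora.3.4.0" as text
    (constructed strings), although minor version 10 is newer than 4.
    """
    return parse_aurora_mysql_version(running) >= parse_aurora_mysql_version(minimum)
```
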

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1231c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# rds-instance-default-admin-check
<a name="rds-instance-default-admin-check"></a>

Checks if an Amazon Relational Database Service (Amazon RDS) database has changed the admin username from its default value. This rule will only run on RDS database instances. The rule is NON_COMPLIANT if the admin username is set to the default value.

**Identifier:** RDS_INSTANCE_DEFAULT_ADMIN_CHECK

**Resource Types:** AWS::RDS::DBInstance

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

validAdminUserNames (Optional)  
Type: CSV  
Comma-separated list of admin username(s) that Amazon RDS instances can use. (Cannot include 'postgres' or 'admin' as valid username(s) as these are default values.)

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1233c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# rds-instance-deletion-protection-enabled
<a name="rds-instance-deletion-protection-enabled"></a>

Checks if an Amazon Relational Database Service (Amazon RDS) instance has deletion protection enabled. The rule is NON_COMPLIANT if an Amazon RDS instance does not have deletion protection enabled; for example, deletionProtection is set to false.

**Warning**  
Some RDS DB instances within a Cluster (Aurora/DocumentDB) will show as not applicable because deletion protection is set at the cluster level.

**Identifier:** RDS_INSTANCE_DELETION_PROTECTION_ENABLED

**Resource Types:** AWS::RDS::DBInstance

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions

**Parameters:**

databaseEngines (Optional)  
Type: CSV  
Comma-separated list of RDS database engines to include in the evaluation of the rule. For example, 'mysql, postgres, mariadb'.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1235c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# rds-instance-iam-authentication-enabled
<a name="rds-instance-iam-authentication-enabled"></a>

Checks if an Amazon Relational Database Service (Amazon RDS) instance has AWS Identity and Access Management (IAM) authentication enabled. The rule is NON_COMPLIANT if an Amazon RDS instance does not have IAM authentication enabled.

**Note**  
The DB Engine should be one of 'mysql', 'postgres', 'aurora', 'aurora-mysql', or 'aurora-postgresql'. The DB instance status should be one of 'available', 'backing-up', 'storage-optimization', or 'storage-full'.

**Identifier:** RDS_INSTANCE_IAM_AUTHENTICATION_ENABLED

**Resource Types:** AWS::RDS::DBInstance

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1237c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# rds-instance-public-access-check
<a name="rds-instance-public-access-check"></a>

Checks if the Amazon Relational Database Service (Amazon RDS) instances are not publicly accessible. The rule is NON_COMPLIANT if the publiclyAccessible field is true in the instance configuration item.

**Identifier:** RDS_INSTANCE_PUBLIC_ACCESS_CHECK

**Resource Types:** AWS::RDS::DBInstance

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions

**Parameters:**

None  

## Proactive Evaluation
<a name="w2aac20c16c17b7e1239c19"></a>

 For steps on how to run this rule in proactive mode, see [Evaluating Your Resources with AWS Config Rules](./evaluating-your-resources.html#evaluating-your-resources-proactive). For this rule to return COMPLIANT in proactive mode, the resource configuration schema for the [StartResourceEvaluation](https://docs.aws.amazon.com/config/latest/APIReference/API_StartResourceEvaluation.html) API needs to include the following inputs, encoded as a string: 

```
"ResourceConfiguration":
...
{
   "PubliclyAccessible": BOOLEAN
} 
...
```

 For more information on proactive evaluation, see [Evaluation Mode](./evaluate-config-rules.html). 

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1239c21"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# rds-instance-subnet-igw-check
<a name="rds-instance-subnet-igw-check"></a>

Checks if RDS DB instances are deployed in a public subnet with a route to the internet gateway. The rule is NON_COMPLIANT if RDS DB instances are deployed in a public subnet.

**Identifier:** RDS_INSTANCE_SUBNET_IGW_CHECK

**Resource Types:** AWS::RDS::DBInstance

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Malaysia), Mexico (Central), Asia Pacific (Taipei) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1241c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# rds-in-backup-plan
<a name="rds-in-backup-plan"></a>

Checks if Amazon Relational Database Service (Amazon RDS) databases are present in AWS Backup plans. The rule is NON_COMPLIANT if Amazon RDS databases are not included in any AWS Backup plan.

**Note**  
The rule only applies to Amazon Aurora DB instances. DB clusters are not supported.

**Identifier:** RDS_IN_BACKUP_PLAN

**Resource Types:** AWS::RDS::DBInstance

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1243c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# rds-last-backup-recovery-point-created
<a name="rds-last-backup-recovery-point-created"></a>

Checks if a recovery point was created for Amazon Relational Database Service (Amazon RDS). The rule is NON_COMPLIANT if the Amazon RDS instance does not have a corresponding recovery point created within the specified time period.

**Identifier:** RDS_LAST_BACKUP_RECOVERY_POINT_CREATED

**Resource Types:** AWS::RDS::DBInstance

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

resourceTags (Optional)  
Type: String  
Tags of Amazon RDS instances for the rule to check, in JSON format `{"tagkey" : "tagValue"}`.

resourceId (Optional)  
Type: String  
ID of Amazon RDS instance for the rule to check.

recoveryPointAgeValue (Optional)  
Type: int  
Default: 1  
Numerical value for maximum allowed age. No more than 744 for hours, 31 for days.

recoveryPointAgeUnit (Optional)  
Type: String  
Default: days  
Unit of time for maximum allowed age. Accepted values: 'hours', 'days'.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1245c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# rds-logging-enabled
<a name="rds-logging-enabled"></a>

Checks if respective logs of Amazon Relational Database Service (Amazon RDS) are enabled. The rule is NON_COMPLIANT if any log types are not enabled.

**Note**  
DB Instances that are not in 'available', 'backing-up', 'storage-optimization', or 'storage-full' status evaluate as `NOT_APPLICABLE`.

**Identifier:** RDS_LOGGING_ENABLED

**Resource Types:** AWS::RDS::DBInstance

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions

**Parameters:**

additionalLogs (Optional)  
Type: StringMap  
Comma-separated list of engine names and log type names. For example, "additionalLogs": "oracle: general, slowquery ; aurora: alert, slowquery"

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1247c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# rds-mariadb-instance-encrypted-in-transit
<a name="rds-mariadb-instance-encrypted-in-transit"></a>

Checks if connections to Amazon RDS for MariaDB DB instances with engine version greater than or equal to 10.5 use encryption in transit. The rule is NON_COMPLIANT if the DB parameter group is not in-sync or if require_secure_transport is not set to ON.

**Identifier:** RDS_MARIADB_INSTANCE_ENCRYPTED_IN_TRANSIT

**Resource Types:** AWS::RDS::DBInstance

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Malaysia), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1249c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# rds-meets-restore-time-target
<a name="rds-meets-restore-time-target"></a>

Checks if the restore time of Amazon Relational Database Service (Amazon RDS) instances meets the specified duration. The rule is NON_COMPLIANT if LatestRestoreExecutionTimeMinutes of an Amazon RDS instance is greater than maxRestoreTime minutes.

**Identifier:** RDS_MEETS_RESTORE_TIME_TARGET

**Resource Types:** AWS::RDS::DBInstance

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

maxRestoreTime  
Type: int  
Numerical value for the maximum allowed restore runtime.

resourceTags (Optional)  
Type: String  
Tags of Amazon RDS instances for the rule to check, in JSON format.

resourceId (Optional)  
Type: String  
ID of Amazon RDS instance for the rule to check.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1251c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# rds-multi-az-support
<a name="rds-multi-az-support"></a>

Checks whether high availability is enabled for your RDS DB instances.

In a Multi-AZ deployment, Amazon RDS automatically provisions and maintains a synchronous standby replica in a different Availability Zone. For more information, see [High Availability (Multi-AZ)](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.MultiAZ.html) in the *Amazon RDS User Guide*.

**Note**  
This rule does not evaluate Amazon Aurora DB, Amazon DocumentDB, and Amazon Neptune DB instances.



**Identifier:** RDS_MULTI_AZ_SUPPORT

**Resource Types:** AWS::RDS::DBInstance

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions

**Parameters:**

None  

## Proactive Evaluation
<a name="w2aac20c16c17b7e1253c23"></a>

 For steps on how to run this rule in proactive mode, see [Evaluating Your Resources with AWS Config Rules](./evaluating-your-resources.html#evaluating-your-resources-proactive). For this rule to return COMPLIANT in proactive mode, the resource configuration schema for the [StartResourceEvaluation](https://docs.aws.amazon.com/config/latest/APIReference/API_StartResourceEvaluation.html) API needs to include the following inputs, encoded as a string: 

```
"ResourceConfiguration":
...
{
    "MultiAZ": BOOLEAN*,
    "Engine": String*
} 
...
```

\*For more information on valid values for these inputs, see [MultiAZ](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rds-dbinstance.html#cfn-rds-dbinstance-multiaz) and [Engine](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rds-dbinstance.html#cfn-rds-dbinstance-engine) in the AWS CloudFormation User Guide.

 For more information on proactive evaluation, see [Evaluation Mode](./evaluate-config-rules.html). 
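The proactive-evaluation inputs listed for `rds-automatic-minor-version-upgrade-enabled`, `rds-enhanced-monitoring-enabled`, `rds-instance-public-access-check` and `rds-multi-az-support` can be checked before a request is sent, so that a missing or mistyped input is caught up front. The following is an added example, not AWS code: the helper names, the resource ID and the sample property values are constructed, and the request shape assumes the `ResourceDetails` and `EvaluationMode` fields of the StartResourceEvaluation API with the CloudFormation resource schema.

```python
import json

# Inputs listed in the "Proactive Evaluation" sections on this page, mapped to
# the Python type for each documented type (BOOLEAN, Integer, String).
REQUIRED_INPUTS = {
    "rds-automatic-minor-version-upgrade-enabled": {"AutoMinorVersionUpgrade": bool, "Engine": str},
    "rds-enhanced-monitoring-enabled": {"MonitoringInterval": int, "Engine": str},
    "rds-instance-public-access-check": {"PubliclyAccessible": bool},
    "rds-multi-az-support": {"MultiAZ": bool, "Engine": str},
}


def input_problems(rule_name, properties):
    """Return a sorted list of missing or wrongly typed inputs for one rule."""
    problems = []
    for key, expected in REQUIRED_INPUTS[rule_name].items():
        if key not in properties:
            problems.append(f"{key}: missing")
            continue
        value = properties[key]
        # bool is a subclass of int in Python, so True must not pass as an Integer.
        wrong_type = not isinstance(value, expected) or (
            expected is int and isinstance(value, bool)
        )
        if wrong_type:
            problems.append(
                f"{key}: expected {expected.__name__}, got {type(value).__name__}"
            )
    return sorted(problems)


def build_request(rule_names, resource_id, properties):
    """Build StartResourceEvaluation arguments after checking every rule's inputs."""
    problems = {}
    for name in rule_names:
        found = input_problems(name, properties)
        if found:
            problems[name] = found
    if problems:
        raise ValueError(f"incomplete resource configuration: {problems}")
    return {
        "ResourceDetails": {
            "ResourceId": resource_id,
            "ResourceType": "AWS::RDS::DBInstance",
            # The configuration is passed as a JSON string, not a nested object.
            "ResourceConfiguration": json.dumps(properties, sort_keys=True),
            "ResourceConfigurationSchemaType": "CFN_RESOURCE_SCHEMA",
        },
        "EvaluationMode": "PROACTIVE",
    }


def decode_configuration(request):
    """Parse the string-encoded configuration back into a dict for inspection."""
    return json.loads(request["ResourceDetails"]["ResourceConfiguration"])


# Constructed sample: properties of a planned DB instance, not a real resource.
SAMPLE_PROPERTIES = {
    "Engine": "mysql",
    "AutoMinorVersionUpgrade": True,
    "MonitoringInterval": 60,
    "PubliclyAccessible": False,
    "MultiAZ": True,
}

if __name__ == "__main__":
    request = build_request(
        list(REQUIRED_INPUTS), "planned-db-instance-1", SAMPLE_PROPERTIES
    )
    print(json.dumps(request, indent=2))
    # With credentials configured, the same dict can be sent with
    # boto3.client("config").start_resource_evaluation(**request)
```
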

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1253c25"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# rds-mysql-cluster-copy-tags-to-snapshot-check
<a name="rds-mysql-cluster-copy-tags-to-snapshot-check"></a>

Checks if Amazon Relational Database Service (Amazon RDS) MySQL DB clusters are configured to copy tags to snapshots. The rule is NON_COMPLIANT if an Amazon RDS MySQL DB cluster is not configured to copy tags to snapshots.

**Identifier:** RDS_MYSQL_CLUSTER_COPY_TAGS_TO_SNAPSHOT_CHECK

**Resource Types:** AWS::RDS::DBCluster

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), US West (N. California), Asia Pacific (Taipei) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1255c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# rds-mysql-instance-encrypted-in-transit
<a name="rds-mysql-instance-encrypted-in-transit"></a>

Checks if connections to Amazon RDS for MySQL database instances are configured to use encryption in transit. The rule is NON_COMPLIANT if the associated database parameter group is not in-sync or if the require_secure_transport parameter is not set to 1.

**Note**  
The rule returns `NOT_APPLICABLE` if the Amazon RDS instance is part of an RDS cluster.

**Identifier:** RDS_MYSQL_INSTANCE_ENCRYPTED_IN_TRANSIT

**Resource Types:** AWS::RDS::DBInstance

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Malaysia), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1257c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# rds-option-group-tagged
<a name="rds-option-group-tagged"></a>

Checks if Amazon RDS option group resources have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** RDS_OPTION_GROUP_TAGGED

**Resource Types:** AWS::RDS::OptionGroup

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), China (Ningxia) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1259c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# rds-pgsql-cluster-copy-tags-to-snapshot-check
<a name="rds-pgsql-cluster-copy-tags-to-snapshot-check"></a>

Checks if Amazon Relational Database Service (Amazon RDS) PostgreSQL DB clusters are configured to copy tags to snapshots. The rule is NON_COMPLIANT if an RDS PostgreSQL DB cluster's CopyTagsToSnapshot property is set to false.

**Identifier:** RDS_PGSQL_CLUSTER_COPY_TAGS_TO_SNAPSHOT_CHECK

**Resource Types:** AWS::RDS::DBCluster

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), US West (N. California), Asia Pacific (Taipei) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1261c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# rds-postgresql-logs-to-cloudwatch
<a name="rds-postgresql-logs-to-cloudwatch"></a>

Checks if an Amazon PostgreSQL DB instance is configured to publish logs to Amazon CloudWatch Logs. The rule is NON_COMPLIANT if the DB instance is not configured to publish logs to Amazon CloudWatch Logs.

**Identifier:** RDS_POSTGRESQL_LOGS_TO_CLOUDWATCH

**Resource Types:** AWS::RDS::DBInstance

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Malaysia), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary) Region

**Parameters:**

logTypes (Optional)  
Type: CSV  
Comma-separated list of log types to be published to CloudWatch Logs. Valid values are: 'postgresql', 'upgrade'. Default value is 'postgresql'.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1263c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# rds-postgres-instance-encrypted-in-transit
<a name="rds-postgres-instance-encrypted-in-transit"></a>

Checks if connections to Amazon RDS PostgreSQL database instances are configured to use encryption in transit. The rule is NON_COMPLIANT if the associated database parameter group is not in-sync or if the rds.force_ssl parameter is not set to 1.

**Note**  
The rule returns `NOT_APPLICABLE` if the Amazon RDS instance is part of an RDS cluster.

**Identifier:** RDS_POSTGRES_INSTANCE_ENCRYPTED_IN_TRANSIT

**Resource Types:** AWS::RDS::DBInstance

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Malaysia), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1265c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# rds-proxy-tls-encryption
<a name="rds-proxy-tls-encryption"></a>

Checks if Amazon RDS proxies enforce TLS for all connections. The rule is NON_COMPLIANT if an Amazon RDS proxy does not have TLS enforced for all connections.

**Identifier:** RDS_PROXY_TLS_ENCRYPTION

**Resource Types:** AWS::RDS::DBProxy

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1267c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# rds-resources-protected-by-backup-plan
<a name="rds-resources-protected-by-backup-plan"></a>

Checks if Amazon Relational Database Service (Amazon RDS) instances are protected by a backup plan. The rule is NON_COMPLIANT if the Amazon RDS Database instance is not covered by a backup plan.

**Identifier:** RDS_RESOURCES_PROTECTED_BY_BACKUP_PLAN

**Resource Types:** AWS::RDS::DBInstance

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

resourceTags (Optional)  
Type: String  
Tags for Amazon RDS instances for the rule to check, in JSON format `{"tagkey" : "tagValue"}`.

resourceId (Optional)  
Type: String  
ID of Amazon RDS instance for the rule to check.

crossRegionList (Optional)  
Type: String  
Comma-separated list of destination regions for the cross-region backup copy to be kept.

crossAccountList (Optional)  
Type: String  
Comma-separated list of destination accounts for cross-account backup copy to be kept.

maxRetentionDays (Optional)  
Type: int  
The maximum retention period in days for the Backup Vault Lock.

minRetentionDays (Optional)  
Type: int  
The minimum retention period in days for the Backup Vault Lock.

backupVaultLockCheck (Optional)  
Type: String  
Accepted values: 'True' or 'False'. Enter 'True' for the rule to check if the resource is backed up in a locked vault.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1269c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# rds-snapshots-public-prohibited
<a name="rds-snapshots-public-prohibited"></a>

Checks if Amazon Relational Database Service (Amazon RDS) snapshots are public. The rule is NON_COMPLIANT if any existing and new Amazon RDS snapshots are public.

**Note**  
It can take up to 12 hours for compliance results to be captured.

**Identifier:** RDS_SNAPSHOTS_PUBLIC_PROHIBITED

**Resource Types:** AWS::RDS::DBClusterSnapshot, AWS::RDS::DBSnapshot

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Africa (Cape Town), Asia Pacific (Melbourne), Europe (Milan), Israel (Tel Aviv), Europe (Spain), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1271c21"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# rds-snapshot-encrypted
<a name="rds-snapshot-encrypted"></a>

Checks if Amazon Relational Database Service (Amazon RDS) DB snapshots are encrypted. The rule is NON_COMPLIANT if the Amazon RDS DB snapshots are not encrypted.

**Identifier:** RDS_SNAPSHOT_ENCRYPTED

**Resource Types:** AWS::RDS::DBClusterSnapshot, AWS::RDS::DBSnapshot

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1273c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# rds-sqlserver-encrypted-in-transit
<a name="rds-sqlserver-encrypted-in-transit"></a>

Checks if connections to Amazon RDS SQL Server database instances are configured to use encryption in transit. The rule is NON_COMPLIANT if the DB parameter force_ssl for the parameter group is not set to 1 or the ApplyStatus parameter is not 'in-sync'.

**Identifier:** RDS_SQLSERVER_ENCRYPTED_IN_TRANSIT

**Resource Types:** AWS::RDS::DBInstance

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Malaysia), Mexico (Central), Asia Pacific (Taipei) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1275c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# rds-sql-server-logs-to-cloudwatch
<a name="rds-sql-server-logs-to-cloudwatch"></a>

Checks if an Amazon SQL Server DB instance is configured to publish logs to Amazon CloudWatch Logs. This rule is NON_COMPLIANT if the DB instance is not configured to publish logs to Amazon CloudWatch Logs.

**Identifier:** RDS_SQL_SERVER_LOGS_TO_CLOUDWATCH

**Resource Types:** AWS::RDS::DBInstance

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Malaysia), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary) Region

**Parameters:**

logTypes (Optional)  
Type: CSV  
Comma-separated list of log types to be published to CloudWatch Logs. Valid values are: 'error', 'agent'. Default value is 'error', 'agent'.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1277c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# rds-storage-encrypted
<a name="rds-storage-encrypted"></a>

Checks if storage encryption is enabled for your Amazon Relational Database Service (Amazon RDS) DB instances. The rule is NON_COMPLIANT if storage encryption is not enabled.

**Identifier:** RDS_STORAGE_ENCRYPTED

**Resource Types:** AWS::RDS::DBInstance

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions

**Parameters:**

kmsKeyId (Optional)  
Type: String  
KMS key ID or Amazon Resource Name (ARN) used to encrypt the storage.

## Proactive Evaluation
<a name="w2aac20c16c17b7e1279c19"></a>

 For steps on how to run this rule in proactive mode, see [Evaluating Your Resources with AWS Config Rules](./evaluating-your-resources.html#evaluating-your-resources-proactive). For this rule to return COMPLIANT in proactive mode, the resource configuration schema for the [StartResourceEvaluation](https://docs.aws.amazon.com/config/latest/APIReference/API_StartResourceEvaluation.html) API needs to include the following inputs, encoded as a string: 

```
"ResourceConfiguration":
...
{
   "StorageEncrypted": BOOLEAN
} 
...
```

 For more information on proactive evaluation, see [Evaluation Mode](./evaluate-config-rules.html). 

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1279c21"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# redshift-audit-logging-enabled
<a name="redshift-audit-logging-enabled"></a>

Checks if Amazon Redshift clusters are logging audits to a specific bucket. The rule is NON_COMPLIANT if audit logging is not enabled for a Redshift cluster or if the '`bucketNames`' parameter is provided but the audit logging destination does not match.

**Identifier:** REDSHIFT_AUDIT_LOGGING_ENABLED

**Resource Types:** AWS::Redshift::Cluster

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Jakarta), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

bucketNames (Optional)  
Type: CSV  
Comma-separated list of Amazon S3 bucket names for storing audit logs.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1281c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# redshift-backup-enabled
<a name="redshift-backup-enabled"></a>

Checks that Amazon Redshift automated snapshots are enabled for clusters. The rule is NON_COMPLIANT if the value for `automatedSnapshotRetentionPeriod` is greater than `MaxRetentionPeriod` or less than `MinRetentionPeriod` or the value is 0.

**Identifier:** REDSHIFT_BACKUP_ENABLED

**Resource Types:** AWS::Redshift::Cluster

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Mexico (Central) Region

**Parameters:**

MinRetentionPeriod (Optional)  
Type: int  
Minimum value for the retention period. Minimum value is 1.

MaxRetentionPeriod (Optional)  
Type: int  
Maximum value for the retention period. Maximum value is 35.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1283c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# redshift-cluster-configuration-check
<a name="redshift-cluster-configuration-check"></a>

Checks if Amazon Redshift clusters have the specified settings. The rule is NON_COMPLIANT if the Amazon Redshift cluster is not encrypted or is encrypted with another key, or if a cluster does not have audit logging enabled.

**Identifier:** REDSHIFT_CLUSTER_CONFIGURATION_CHECK

**Resource Types:** AWS::Redshift::Cluster

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Mexico (Central) Region

**Parameters:**

loggingEnabled  
Type: boolean  
Default: true  
Audit logging is enabled.

clusterDbEncrypted  
Type: boolean  
Default: true  
Database encryption is enabled.

nodeTypes (Optional)  
Type: CSV  
Default: dc1.large  
Specify node type.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1285c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# redshift-cluster-kms-enabled
<a name="redshift-cluster-kms-enabled"></a>

Checks if Amazon Redshift clusters are using a specified AWS Key Management Service (AWS KMS) key for encryption. The rule is COMPLIANT if encryption is enabled and the cluster is encrypted with the key provided in the `kmsKeyArn` parameter. The rule is NON_COMPLIANT if the cluster is not encrypted or is encrypted with another key.

**Identifier:** REDSHIFT_CLUSTER_KMS_ENABLED

**Resource Types:** AWS::Redshift::Cluster

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Mexico (Central) Region

**Parameters:**

kmsKeyArns (Optional)  
Type: CSV  
Comma-separated list of AWS KMS key Amazon Resource Names (ARNs) used in Amazon Redshift clusters for encryption.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1287c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# redshift-cluster-maintenancesettings-check
<a name="redshift-cluster-maintenancesettings-check"></a>

Checks if Amazon Redshift clusters have the specified maintenance settings. The rule is NON_COMPLIANT if automatic upgrades to major versions are disabled.

**Identifier:** REDSHIFT_CLUSTER_MAINTENANCESETTINGS_CHECK

**Resource Types:** AWS::Redshift::Cluster

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Mexico (Central) Region

**Parameters:**

allowVersionUpgrade  
Type: boolean  
Default: true  
Allow version upgrade is enabled.

preferredMaintenanceWindow (Optional)  
Type: String  
Scheduled maintenance window for clusters (for example, Mon:09:30-Mon:10:00).

automatedSnapshotRetentionPeriod (Optional)  
Type: int  
Default: 1  
Number of days to retain automated snapshots.

## Proactive Evaluation
<a name="w2aac20c16c17b7e1289c19"></a>

 For steps on how to run this rule in proactive mode, see [Evaluating Your Resources with AWS Config Rules](./evaluating-your-resources.html#evaluating-your-resources-proactive). For this rule to return COMPLIANT in proactive mode, the resource configuration schema for the [StartResourceEvaluation](https://docs.aws.amazon.com/config/latest/APIReference/API_StartResourceEvaluation.html) API needs to include the following inputs, encoded as a string: 

```
"ResourceConfiguration":
...
{
    "AutomatedSnapshotRetentionPeriod": Integer*,
    "PreferredMaintenanceWindow": String*,
    "AllowVersionUpgrade": BOOLEAN*
} 
...
```

\*For more information on valid values for these inputs, see [AutomatedSnapshotRetentionPeriod](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-redshift-cluster.html#cfn-redshift-cluster-automatedsnapshotretentionperiod), [PreferredMaintenanceWindow](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-redshift-cluster.html#cfn-redshift-cluster-preferredmaintenancewindow), and [AllowVersionUpgrade](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-redshift-cluster.html#cfn-redshift-cluster-allowversionupgrade) in the AWS CloudFormation User Guide.

 For more information on proactive evaluation, see [Evaluation Mode](./evaluate-config-rules.html). 

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1289c21"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# redshift-cluster-multi-az-enabled
<a name="redshift-cluster-multi-az-enabled"></a>

Checks if an Amazon Redshift cluster has multiple Availability Zones deployments enabled. This rule is NON_COMPLIANT if an Amazon Redshift cluster does not have multiple Availability Zones deployments enabled.

**Identifier:** REDSHIFT_CLUSTER_MULTI_AZ_ENABLED

**Resource Types:** AWS::Redshift::Cluster

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Mexico (Central), US West (N. California), Asia Pacific (Taipei) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1291c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# redshift-cluster-parameter-group-tagged
<a name="redshift-cluster-parameter-group-tagged"></a>

Checks if Amazon Redshift cluster parameter groups have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** REDSHIFT_CLUSTER_PARAMETER_GROUP_TAGGED

**Resource Types:** AWS::Redshift::ClusterParameterGroup

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), China (Ningxia) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1293c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# redshift-cluster-public-access-check
<a name="redshift-cluster-public-access-check"></a>

Checks whether Amazon Redshift clusters are not publicly accessible. The rule is NON_COMPLIANT if the publiclyAccessible field is true in the cluster configuration item.

**Identifier:** REDSHIFT_CLUSTER_PUBLIC_ACCESS_CHECK

**Resource Types:** AWS::Redshift::Cluster

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Mexico (Central) Region

**Parameters:**

None  

## Proactive Evaluation
<a name="w2aac20c16c17b7e1295c19"></a>

 For steps on how to run this rule in proactive mode, see [Evaluating Your Resources with AWS Config Rules](./evaluating-your-resources.html#evaluating-your-resources-proactive). For this rule to return COMPLIANT in proactive mode, the resource configuration schema for the [StartResourceEvaluation](https://docs.aws.amazon.com/config/latest/APIReference/API_StartResourceEvaluation.html) API needs to include the following inputs, encoded as a string: 

```
"ResourceConfiguration":
...
{
   "PubliclyAccessible": BOOLEAN
} 
...
```

 For more information on proactive evaluation, see [Evaluation Mode](./evaluate-config-rules.html). 
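Three of the rules above (`rds-storage-encrypted`, `redshift-cluster-maintenancesettings-check` and `redshift-cluster-public-access-check`) list inputs that must be present in `ResourceConfiguration`, encoded as a string, for a proactive evaluation to return COMPLIANT. The following added example (not AWS code) checks a planned resource's properties against those lists and builds the `StartResourceEvaluation` arguments; the resource ID and property values are constructed samples, and `start_evaluation` assumes a boto3 `config` client with credentials.

```python
import json

# Inputs each rule needs in ResourceConfiguration, copied from the
# "Proactive Evaluation" sections of the three rules named in the lead-in.
PROACTIVE_INPUTS = {
    "rds-storage-encrypted": (
        "AWS::RDS::DBInstance", {"StorageEncrypted": bool}),
    "redshift-cluster-maintenancesettings-check": (
        "AWS::Redshift::Cluster", {
            "AutomatedSnapshotRetentionPeriod": int,
            "PreferredMaintenanceWindow": str,
            "AllowVersionUpgrade": bool,
        }),
    "redshift-cluster-public-access-check": (
        "AWS::Redshift::Cluster", {"PubliclyAccessible": bool}),
}


def _has_type(value, expected):
    # bool is a subclass of int in Python; keep True/False out of Integer inputs.
    if expected is int:
        return isinstance(value, int) and not isinstance(value, bool)
    return isinstance(value, expected)


def missing_inputs(resource_type, properties):
    """Map rule name -> inputs that are absent or wrongly typed for this resource."""
    gaps = {}
    for rule, (rule_type, inputs) in PROACTIVE_INPUTS.items():
        if rule_type != resource_type:
            continue
        bad = [name for name, expected in inputs.items()
               if name not in properties
               or not _has_type(properties[name], expected)]
        if bad:
            gaps[rule] = bad
    return gaps


def build_request(resource_type, resource_id, properties, timeout_seconds=60):
    """Keyword arguments for StartResourceEvaluation in proactive mode."""
    gaps = missing_inputs(resource_type, properties)
    if gaps:
        raise ValueError(f"inputs missing or mistyped: {gaps}")
    return {
        "ResourceDetails": {
            "ResourceId": resource_id,
            "ResourceType": resource_type,
            # The API takes the configuration as one JSON string,
            # not as a nested object.
            "ResourceConfiguration": json.dumps(properties, sort_keys=True),
            "ResourceConfigurationSchemaType": "CFN_RESOURCE_SCHEMA",
        },
        "EvaluationMode": "PROACTIVE",
        "EvaluationTimeout": timeout_seconds,
    }


def start_evaluation(config_client, request):
    """Submit the request; config_client is assumed to be boto3.client('config')."""
    response = config_client.start_resource_evaluation(**request)
    return response["ResourceEvaluationId"]


# Constructed sample: properties of a Redshift cluster that is not deployed yet.
# It carries the inputs of both Redshift rules so each can be evaluated.
PLANNED_CLUSTER = {
    "AutomatedSnapshotRetentionPeriod": 7,
    "PreferredMaintenanceWindow": "Mon:09:30-Mon:10:00",
    "AllowVersionUpgrade": True,
    "PubliclyAccessible": False,
}

if __name__ == "__main__":
    request = build_request(
        "AWS::Redshift::Cluster", "planned-cluster-1", PLANNED_CLUSTER)
    print(json.dumps(request, indent=2))
    # A template that only sets PubliclyAccessible leaves the maintenance
    # settings rule without its inputs:
    print(missing_inputs("AWS::Redshift::Cluster", {"PubliclyAccessible": False}))
```
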

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1295c21"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# redshift-cluster-subnet-group-multi-az
<a name="redshift-cluster-subnet-group-multi-az"></a>

Checks if Amazon Redshift subnet groups contain subnets from more than one Availability Zone. The rule is NON_COMPLIANT if an Amazon Redshift subnet group does not contain subnets from at least two different Availability Zones.

**Identifier:** REDSHIFT_CLUSTER_SUBNET_GROUP_MULTI_AZ

**Resource Types:** AWS::Redshift::ClusterSubnetGroup

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Malaysia), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1297c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# redshift-default-admin-check
<a name="redshift-default-admin-check"></a>

Checks if an Amazon Redshift cluster has changed the admin username from its default value. The rule is NON_COMPLIANT if the admin username for a Redshift cluster is set to “awsuser” or if the username does not match what is listed in the parameter.

**Identifier:** REDSHIFT_DEFAULT_ADMIN_CHECK

**Resource Types:** AWS::Redshift::Cluster

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Malaysia), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary) Region

**Parameters:**

validAdminUserNames (Optional)  
Type: CSV  
Comma-separated list of admin username(s) for Redshift clusters to use. Note: 'awsuser' is the default and not accepted.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1299c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# redshift-default-db-name-check
<a name="redshift-default-db-name-check"></a>

Checks if a Redshift cluster has changed its database name from the default value. The rule is NON_COMPLIANT if the database name for a Redshift cluster is set to “dev”, or if the optional parameter is provided and the database name does not match.

**Identifier:** REDSHIFT_DEFAULT_DB_NAME_CHECK

**Resource Types:** AWS::Redshift::Cluster

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary) Region

**Parameters:**

validDatabaseNames (Optional)  
Type: CSV  
Comma-separated list of database name(s) for Redshift clusters.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1301c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# redshift-enhanced-vpc-routing-enabled
<a name="redshift-enhanced-vpc-routing-enabled"></a>

Checks if an Amazon Redshift cluster has 'enhancedVpcRouting' enabled. The rule is NON_COMPLIANT if 'enhancedVpcRouting' is not enabled or if the configuration.enhancedVpcRouting field is 'false'.

**Identifier:** REDSHIFT_ENHANCED_VPC_ROUTING_ENABLED

**Resource Types:** AWS::Redshift::Cluster

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Mexico (Central) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1303c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# redshift-require-tls-ssl
<a name="redshift-require-tls-ssl"></a>

Checks if Amazon Redshift clusters require TLS/SSL encryption to connect to SQL clients. The rule is NON_COMPLIANT if any Amazon Redshift cluster has the parameter require_SSL not set to true.

**Identifier:** REDSHIFT_REQUIRE_TLS_SSL

**Resource Types:** AWS::Redshift::Cluster, AWS::Redshift::ClusterParameterGroup

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Mexico (Central) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1305c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# redshift-serverless-default-admin-check
<a name="redshift-serverless-default-admin-check"></a>

Checks if an Amazon Redshift Serverless Namespace has changed the admin username from its default value. The rule is NON_COMPLIANT if the admin username for a Redshift Serverless Namespace is set to “admin”.

**Identifier:** REDSHIFT_SERVERLESS_DEFAULT_ADMIN_CHECK

**Resource Types:** AWS::RedshiftServerless::Namespace

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Middle East (Bahrain), Asia Pacific (Thailand), Africa (Cape Town), Asia Pacific (Hyderabad), Asia Pacific (Osaka), Asia Pacific (Malaysia), Asia Pacific (Melbourne), Europe (Milan), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1307c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# redshift-serverless-default-db-name-check
<a name="redshift-serverless-default-db-name-check"></a>

Checks if an Amazon Redshift Serverless namespace has changed its database name from the default value. The rule is NON_COMPLIANT if the database name for an Amazon Redshift Serverless namespace is set to `dev`.

**Identifier:** REDSHIFT_SERVERLESS_DEFAULT_DB_NAME_CHECK

**Resource Types:** AWS::RedshiftServerless::Namespace

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Middle East (Bahrain), Asia Pacific (Thailand), Africa (Cape Town), Asia Pacific (Hyderabad), Asia Pacific (Osaka), Asia Pacific (Malaysia), Asia Pacific (Melbourne), Europe (Milan), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1309c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# redshift-serverless-namespace-cmk-encryption
<a name="redshift-serverless-namespace-cmk-encryption"></a>

Checks if Amazon Redshift Serverless namespaces are encrypted by customer managed AWS KMS keys. The rule is NON_COMPLIANT if a namespace is not encrypted by a customer managed key. Optionally, you can specify a list of KMS keys for the rule to check.

**Identifier:** REDSHIFT_SERVERLESS_NAMESPACE_CMK_ENCRYPTION

**Resource Types:** AWS::RedshiftServerless::Namespace

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Middle East (Bahrain), Asia Pacific (Thailand), Africa (Cape Town), Asia Pacific (Hyderabad), Asia Pacific (Osaka), Asia Pacific (Malaysia), Asia Pacific (Melbourne), Europe (Milan), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary) Region

**Parameters:**

kmsKeyArns (Optional)  
Type: CSV  
Comma-separated list of Amazon Resource Names (ARNs) of customer managed keys for the rule to check. If provided, the rule is NON_COMPLIANT if an Amazon Redshift Serverless namespace is not encrypted with one of these KMS keys.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1311c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# redshift-serverless-publish-logs-to-cloudwatch
<a name="redshift-serverless-publish-logs-to-cloudwatch"></a>

Checks if an Amazon Redshift Serverless Namespace is configured to publish the following logs to Amazon CloudWatch Logs. This rule is NON_COMPLIANT if the Namespace is not configured to publish the following logs to Amazon CloudWatch Logs.

**Identifier:** REDSHIFT_SERVERLESS_PUBLISH_LOGS_TO_CLOUDWATCH

**Resource Types:** AWS::RedshiftServerless::Namespace

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Middle East (Bahrain), Asia Pacific (Thailand), Africa (Cape Town), Asia Pacific (Hyderabad), Asia Pacific (Osaka), Asia Pacific (Malaysia), Asia Pacific (Melbourne), Europe (Milan), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary) Region

**Parameters:**

logType (Optional)  
Type: CSV  
Comma-separated list of log types to be published to CloudWatch Logs. Valid values are 'connectionlog', 'userlog'. Default value is 'connectionlog', 'userlog'.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1313c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# redshift-serverless-workgroup-encrypted-in-transit
<a name="redshift-serverless-workgroup-encrypted-in-transit"></a>

Checks if AWS Redshift Serverless workgroups have the require_ssl config parameter set to true. The rule is NON_COMPLIANT if require_ssl is set to false.

**Identifier:** REDSHIFT_SERVERLESS_WORKGROUP_ENCRYPTED_IN_TRANSIT

**Resource Types:** AWS::RedshiftServerless::Workgroup

**Trigger type:** Periodic

**AWS Region:** Only available in Europe (Stockholm), China (Beijing), Asia Pacific (Mumbai), Europe (Paris), US East (Ohio), Europe (Ireland), Europe (Frankfurt), US East (N. Virginia), Asia Pacific (Seoul), Europe (London), Asia Pacific (Tokyo), US West (Oregon), US West (N. California), Asia Pacific (Singapore), Asia Pacific (Sydney), Canada (Central), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1315c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# redshift-serverless-workgroup-no-public-access
<a name="redshift-serverless-workgroup-no-public-access"></a>

Checks if Amazon Redshift Serverless workgroups do not allow public access. The rule is NON_COMPLIANT if a workgroup has 'Turn on Public Accessible' enabled.

**Identifier:** REDSHIFT_SERVERLESS_WORKGROUP_NO_PUBLIC_ACCESS

**Resource Types:** AWS::RedshiftServerless::Workgroup

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Middle East (Bahrain), Asia Pacific (Thailand), Africa (Cape Town), Asia Pacific (Hyderabad), Asia Pacific (Osaka), Asia Pacific (Malaysia), Asia Pacific (Melbourne), Europe (Milan), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1317c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# redshift-serverless-workgroup-routes-within-vpc
<a name="redshift-serverless-workgroup-routes-within-vpc"></a>

Checks if Amazon Redshift Serverless workgroups route the network traffic through a VPC. The rule is NON_COMPLIANT if workgroups have 'Turn on Enhanced VPC routing' disabled.

**Identifier:** REDSHIFT_SERVERLESS_WORKGROUP_ROUTES_WITHIN_VPC

**Resource Types:** AWS::RedshiftServerless::Workgroup

**Trigger type:** Periodic

**AWS Region:** Only available in Europe (Stockholm), China (Beijing), Asia Pacific (Mumbai), Europe (Paris), US East (Ohio), Europe (Ireland), Europe (Frankfurt), US East (N. Virginia), Asia Pacific (Seoul), Europe (London), Asia Pacific (Tokyo), US West (Oregon), US West (N. California), Asia Pacific (Singapore), Asia Pacific (Sydney), Canada (Central), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1319c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# redshift-unrestricted-port-access
<a name="redshift-unrestricted-port-access"></a>

Checks if security groups associated with an Amazon Redshift cluster have inbound rules that allow unrestricted incoming traffic. The rule is NON_COMPLIANT if there are inbound rules that allow unrestricted incoming traffic to the Redshift cluster port.

**Identifier:** REDSHIFT_UNRESTRICTED_PORT_ACCESS

**Resource Types:** AWS::Redshift::Cluster

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1321c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# required-tags
<a name="required-tags"></a>

Checks if your resources have the tags that you specify. For example, you can check whether your Amazon EC2 instances have the `CostCenter` tag, while also checking if all your RDS instances have one set of tag keys. Separate multiple values with commas. You can check up to 6 tags at a time.

The AWS-managed AWS Systems Manager automation document `AWS-SetRequiredTags` does not work as a remediation with this rule. You will need to create your own custom Systems Manager automation document for remediation.

**Context**: AWS allows you to assign metadata to AWS resources in the form of tags. Each tag is a label consisting of a key and an optional value to store information about the resource or data retained on that resource. For more information, see [Building your tagging strategy](https://docs.aws.amazon.com/whitepapers/latest/tagging-best-practices/building-your-tagging-strategy.html).

You can use this rule to find resources in your account that were not launched with your desired configurations by specifying which resources should have tags and the expected value for each tag. You can also run remediation actions to fix tagging mistakes. However, this rule does not prevent you from creating resources with incorrect tags.

**Note**  
AWS Config does not support recording associated tags for all resource types. To verify if AWS Config records tags in the configuration item (CI) for a specific resource type:  
+ Check that AWS Config correctly records the current configuration for the resource, excluding tags.
+ Check that AWS Config refreshes the recorded configuration when a change is made to the resource.

**Identifier:** REQUIRED_TAGS

**Resource Types:** AWS::ACM::Certificate, AWS::AutoScaling::AutoScalingGroup, AWS::CloudFormation::Stack, AWS::CodeBuild::Project, AWS::DynamoDB::Table, AWS::EC2::CustomerGateway, AWS::EC2::Instance, AWS::EC2::InternetGateway, AWS::EC2::NetworkAcl, AWS::EC2::NetworkInterface, AWS::EC2::RouteTable, AWS::EC2::SecurityGroup, AWS::EC2::Subnet, AWS::EC2::Volume, AWS::EC2::VPC, AWS::EC2::VPNConnection, AWS::EC2::VPNGateway, AWS::ElasticLoadBalancing::LoadBalancer, AWS::ElasticLoadBalancingV2::LoadBalancer, AWS::RDS::DBInstance, AWS::RDS::DBSecurityGroup, AWS::RDS::DBSnapshot, AWS::RDS::DBSubnetGroup, AWS::RDS::EventSubscription, AWS::Redshift::Cluster, AWS::Redshift::ClusterParameterGroup, AWS::Redshift::ClusterSecurityGroup, AWS::Redshift::ClusterSnapshot, AWS::Redshift::ClusterSubnetGroup, AWS::S3::Bucket

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions

**Parameters:**

tag1Key  
Type: String  
Default: CostCenter  
Key of the required tag.

tag1Value (Optional)  
Type: CSV  
Optional value of the required tag. Separate multiple values with commas.

tag2Key (Optional)  
Type: String  
Key of a second required tag.

tag2Value (Optional)  
Type: CSV  
Optional value of the second required tag. Separate multiple values with commas.

tag3Key (Optional)  
Type: String  
Key of a third required tag.

tag3Value (Optional)  
Type: CSV  
Optional value of the third required tag. Separate multiple values with commas.

tag4Key (Optional)  
Type: String  
Key of a fourth required tag.

tag4Value (Optional)  
Type: CSV  
Optional value of the fourth required tag. Separate multiple values with commas.

tag5Key (Optional)  
Type: String  
Key of a fifth required tag.

tag5Value (Optional)  
Type: CSV  
Optional value of the fifth required tag. Separate multiple values with commas.

tag6Key (Optional)  
Type: String  
Key of a sixth required tag.

tag6Value (Optional)  
Type: CSV  
Optional value of the sixth required tag. Separate multiple values with commas.
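
The following Python sketch is an added example, not AWS's implementation of the rule: it applies the `tagNKey`/`tagNValue` parameters above to a resource's tag map so you can preview which resources would be flagged and why. The function names, the sample tags, and the exact case-sensitive comparison of keys and values are assumptions of this example.

```python
import re

# Parameter names accepted by this sketch: tag1Key..tag6Key and tag1Value..tag6Value.
PARAM_NAME = re.compile(r"tag([1-6])(Key|Value)")


def parse_required_tags(params):
    """Turn rule parameters into {tag_key: set_of_allowed_values or None}.

    None means "any value is accepted" (no tagNValue was supplied).
    """
    required = {}
    for name, raw in params.items():
        match = PARAM_NAME.fullmatch(name)
        if match is None:
            # Catches typos and attempts to check more than 6 tags.
            raise ValueError(f"unsupported parameter: {name}")
        index, kind = match.groups()
        if kind != "Key":
            continue  # values are looked up from their matching key below
        csv = params.get(f"tag{index}Value", "")
        allowed = {v.strip() for v in csv.split(",") if v.strip()}
        required[raw] = allowed or None
    return required


def evaluate_tags(resource_tags, params):
    """Return (compliance, findings) for one resource's tag map.

    Assumption: keys and values are compared exactly (case-sensitive).
    """
    findings = []
    for key, allowed in parse_required_tags(params).items():
        if key not in resource_tags:
            findings.append(f"missing tag {key}")
        elif allowed is not None and resource_tags[key] not in allowed:
            findings.append(
                f"tag {key} has unexpected value {resource_tags[key]!r}"
            )
    return ("NON_COMPLIANT" if findings else "COMPLIANT", findings)


# Constructed sample input: rule parameters and two resources' tag maps.
SAMPLE_PARAMS = {
    "tag1Key": "CostCenter",
    "tag2Key": "Env",
    "tag2Value": "prod, staging",
}
TAGGED_OK = {"CostCenter": "1234", "Env": "prod"}
TAGGED_BAD = {"costcenter": "1234", "Env": "dev"}  # wrong key case, wrong value

if __name__ == "__main__":
    for tags in (TAGGED_OK, TAGGED_BAD):
        print(tags, "->", evaluate_tags(tags, SAMPLE_PARAMS))
```
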

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1323c27"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# resiliencehub-app-tagged
<a name="resiliencehub-app-tagged"></a>

Checks if AWS Resilience Hub app resources have tags. Optionally, required tag keys can be specified. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** RESILIENCEHUB_APP_TAGGED

**Resource Types:** AWS::ResilienceHub::App

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Jakarta), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Osaka), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1325c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# resiliencehub-resiliencypolicy-tagged
<a name="resiliencehub-resiliencypolicy-tagged"></a>

Checks if AWS Resilience Hub policy resources have tags. Optionally, required tag keys can be specified. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** RESILIENCEHUB_RESILIENCYPOLICY_TAGGED

**Resource Types:** AWS::ResilienceHub::ResiliencyPolicy

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Jakarta), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Osaka), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1327c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# restricted-common-ports
<a name="restricted-common-ports"></a>

**Important**  
For this rule, the rule identifier (RESTRICTED_INCOMING_TRAFFIC) and rule name (restricted-common-ports) are different.

Checks if the security groups in use do not allow unrestricted incoming Transmission Control Protocol (TCP) traffic to specified ports. The rule is COMPLIANT if:
+ Port access is blocked to all TCP traffic.
+ Port access is open to TCP traffic through Inbound rules, where the source is either a single IPv4 address or a range of IPv4 addresses in CIDR notation which does not cover all IPv4 addresses ("0.0.0.0/0").
+ Port access is open to TCP traffic through Inbound rules, where the source is either a single IPv6 address or a range of IPv6 addresses in CIDR notation which does not cover all IPv6 addresses ("::/0").

The rule is NON_COMPLIANT if IP addresses for inbound TCP connections are not restricted to specified ports.

**Identifier:** RESTRICTED_INCOMING_TRAFFIC

**Resource Types:** AWS::EC2::SecurityGroup

**Trigger type:** Configuration changes and Periodic

**AWS Region:** All supported AWS regions

**Parameters:**

blockedPort1 (Optional)  
Type: int  
Default: 20  
Blocked TCP port number. The default of 20 corresponds to File Transfer Protocol (FTP) Data Transfer.

blockedPort2 (Optional)  
Type: int  
Default: 21  
Blocked TCP port number. The default of 21 corresponds to File Transfer Protocol (FTP) Command Control.

blockedPort3 (Optional)  
Type: int  
Default: 3389  
Blocked TCP port number. The default of 3389 corresponds to Remote Desktop Protocol (RDP).

blockedPort4 (Optional)  
Type: int  
Default: 3306  
Blocked TCP port number. The default of 3306 corresponds to MySQL protocol.

blockedPort5 (Optional)  
Type: int  
Default: 4333  
Blocked TCP port number. Used for a specific port relevant for your environment.

blockedPorts (Optional)  
Type: CSV  
Comma-separated list of blocked TCP port numbers. For example: 20, 21, 3306, 3389.
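
The following Python sketch is an added example, not AWS's implementation of the rule: it applies the three COMPLIANT conditions above to a security group's inbound permissions, in the `IpPermissions` shape returned by the EC2 `DescribeSecurityGroups` API, and reports which blocked ports are open to all addresses. The function names and sample groups are constructed for illustration; taking the union of `blockedPort1`..`blockedPort5` and `blockedPorts`, and treating an all-protocol (`-1`) permission as covering TCP on every port, are assumptions of this example.

```python
import ipaddress

# Defaults listed on this page for blockedPort1..blockedPort5.
DEFAULT_PARAMS = {
    "blockedPort1": "20", "blockedPort2": "21", "blockedPort3": "3389",
    "blockedPort4": "3306", "blockedPort5": "4333",
}


def blocked_ports(params=None):
    """Collect the blocked TCP ports from rule parameters.

    Assumption: blockedPort1..5 and the blockedPorts CSV are combined as a union.
    """
    merged = {**DEFAULT_PARAMS, **(params or {})}
    ports = set()
    for name, value in merged.items():
        if name == "blockedPorts":
            ports.update(int(p) for p in value.split(",") if p.strip())
        elif name.startswith("blockedPort"):
            ports.add(int(value))
    for port in ports:
        if not 0 <= port <= 65535:
            raise ValueError(f"invalid TCP port: {port}")
    return ports


def covers_all_addresses(cidr):
    """True for 0.0.0.0/0, ::/0 and equivalent spellings (prefix length 0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def exposed_ports(ip_permissions, ports):
    """Return the blocked ports reachable over TCP from every address."""
    exposed = set()
    for perm in ip_permissions:
        proto = str(perm.get("IpProtocol"))
        if proto not in ("tcp", "6", "-1"):
            continue  # UDP, ICMP, etc. are outside this rule's scope
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        if not any(covers_all_addresses(c) for c in sources):
            continue  # restricted source: a single address or a narrower range
        if proto == "-1":
            low, high = 0, 65535  # assumption: all-protocol covers every TCP port
        else:
            low, high = perm["FromPort"], perm["ToPort"]
        exposed.update(p for p in ports if low <= p <= high)
    return exposed


def evaluate(ip_permissions, params=None):
    """Return (compliance, sorted list of exposed blocked ports)."""
    hits = exposed_ports(ip_permissions, blocked_ports(params))
    return ("NON_COMPLIANT", sorted(hits)) if hits else ("COMPLIANT", [])


# Constructed sample inbound permissions (addresses from documentation ranges).
SG_ADMIN = [  # RDP restricted to one IPv4 range; open UDP is ignored by the rule
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
    {"IpProtocol": "udp", "FromPort": 3389, "ToPort": 3389,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
]
SG_WIDE = [  # a port range that silently includes 3306 and 3389
    {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 3400,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
]
SG_V6 = [  # FTP control open to all IPv6 addresses
    {"IpProtocol": "tcp", "FromPort": 21, "ToPort": 21,
     "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
]
SG_WEB = [  # only flagged when 8080 is added through blockedPorts
    {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
]

if __name__ == "__main__":
    for name, group in [("admin", SG_ADMIN), ("wide", SG_WIDE),
                        ("v6", SG_V6), ("web", SG_WEB)]:
        print(name, evaluate(group))
```
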

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1329c25"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# root-account-hardware-mfa-enabled
<a name="root-account-hardware-mfa-enabled"></a>

Checks if your AWS account is enabled to use a multi-factor authentication (MFA) hardware device to sign in with root credentials. The rule is NON_COMPLIANT if any virtual MFA devices are permitted for signing in with root credentials.

**Note**  
**Not Applicable for Accounts Without Root User Credentials**  
This rule returns `NOT_APPLICABLE` if root user credentials are not present.  
**Managed Rules and Global IAM Resource Types**  
The global IAM resource types onboarded before February 2022 (`AWS::IAM::Group`, `AWS::IAM::Policy`, `AWS::IAM::Role`, and `AWS::IAM::User`) can only be recorded by AWS Config in AWS Regions where AWS Config was available before February 2022. These resource types cannot be recorded in Regions supported by AWS Config after February 2022. For a list of those Regions, see [Recording AWS Resources | Global Resources](https://docs.aws.amazon.com/config/latest/developerguide/select-resources.html#select-resources-all).  
If you record a global IAM resource type in at least one Region, periodic rules that report compliance on the global IAM resource type will run evaluations in all Regions where the periodic rule is added, even if you have not enabled the recording of the global IAM resource type in the Region where the periodic rule was added.  
To avoid unnecessary evaluations, you should only deploy periodic rules that report compliance on a global IAM resource type to one of the supported Regions. For a list of which managed rules are supported in which Regions, see [List of AWS Config Managed Rules by Region Availability](https://docs.aws.amazon.com/config/latest/developerguide/managing-rules-by-region-availability.html).



**Identifier:** ROOT_ACCOUNT_HARDWARE_MFA_ENABLED

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1331c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# root-account-mfa-enabled
<a name="root-account-mfa-enabled"></a>

Checks if the root user of your AWS account requires multi-factor authentication for console sign-in. The rule is NON_COMPLIANT if the AWS Identity and Access Management (IAM) root account user does not have multi-factor authentication (MFA) enabled.

**Note**  
**Not Applicable for Accounts Without Root User Credentials**  
This rule returns `NOT_APPLICABLE` if root user credentials are not present.  
**Managed Rules and Global IAM Resource Types**  
The global IAM resource types onboarded before February 2022 (`AWS::IAM::Group`, `AWS::IAM::Policy`, `AWS::IAM::Role`, and `AWS::IAM::User`) can only be recorded by AWS Config in AWS Regions where AWS Config was available before February 2022. These resource types cannot be recorded in Regions supported by AWS Config after February 2022. For a list of those Regions, see [Recording AWS Resources | Global Resources](https://docs.aws.amazon.com/config/latest/developerguide/select-resources.html#select-resources-all).  
If you record a global IAM resource type in at least one Region, periodic rules that report compliance on the global IAM resource type will run evaluations in all Regions where the periodic rule is added, even if you have not enabled the recording of the global IAM resource type in the Region where the periodic rule was added.  
To avoid unnecessary evaluations, you should only deploy periodic rules that report compliance on a global IAM resource type to one of the supported Regions. For a list of which managed rules are supported in which Regions, see [List of AWS Config Managed Rules by Region Availability](https://docs.aws.amazon.com/config/latest/developerguide/managing-rules-by-region-availability.html).

**Identifier:** ROOT_ACCOUNT_MFA_ENABLED

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1333c17"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# route53-health-check-tagged
<a name="route53-health-check-tagged"></a>

Checks if Amazon Route 53 health checks have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** ROUTE53_HEALTH_CHECK_TAGGED

**Resource Types:** AWS::Route53::HealthCheck

**Trigger type:** Configuration changes

**AWS Region:** Only available in US East (N. Virginia) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1335c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# route53-hosted-zone-tagged
<a name="route53-hosted-zone-tagged"></a>

Checks if Amazon Route 53 hosted zones have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** ROUTE53_HOSTED_ZONE_TAGGED

**Resource Types:** AWS::Route53::HostedZone

**Trigger type:** Configuration changes

**AWS Region:** Only available in US East (N. Virginia) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1337c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# route53-query-logging-enabled
<a name="route53-query-logging-enabled"></a>

Checks if DNS query logging is enabled for your Amazon Route 53 public hosted zones. The rule is NON_COMPLIANT if DNS query logging is not enabled for your Amazon Route 53 public hosted zones.

**Identifier:** ROUTE53_QUERY_LOGGING_ENABLED

**Resource Types:** AWS::Route53::HostedZone

**Trigger type:** Configuration changes

**AWS Region:** Only available in US East (N. Virginia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1339c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# route53-recovery-control-cluster-tagged
<a name="route53-recovery-control-cluster-tagged"></a>

Checks if Amazon Route 53 Recovery Control clusters have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** ROUTE53_RECOVERY_CONTROL_CLUSTER_TAGGED

**Resource Types:** AWS::Route53RecoveryControl::Cluster

**Trigger type:** Configuration changes

**AWS Region:** Only available in US West (Oregon) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1341c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# route53-recovery-readiness-cell-tagged
<a name="route53-recovery-readiness-cell-tagged"></a>

Checks if Amazon Route 53 Recovery Readiness cells have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** ROUTE53_RECOVERY_READINESS_CELL_TAGGED

**Resource Types:** AWS::Route53RecoveryReadiness::Cell

**Trigger type:** Configuration changes

**AWS Region:** Only available in US West (Oregon) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1343c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# route53-recovery-readiness-readiness-check-tagged
<a name="route53-recovery-readiness-readiness-check-tagged"></a>

Checks if Amazon Route 53 Recovery Readiness readiness checks have tags. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** ROUTE53_RECOVERY_READINESS_READINESS_CHECK_TAGGED

**Resource Types:** AWS::Route53RecoveryReadiness::ReadinessCheck

**Trigger type:** Configuration changes

**AWS Region:** Only available in US West (Oregon) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1345c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# route53-recovery-readiness-recovery-group-tagged
<a name="route53-recovery-readiness-recovery-group-tagged"></a>

Checks if Amazon Route 53 Recovery Readiness recovery groups have tags. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** ROUTE53_RECOVERY_READINESS_RECOVERY_GROUP_TAGGED

**Resource Types:** AWS::Route53RecoveryReadiness::RecoveryGroup

**Trigger type:** Configuration changes

**AWS Region:** Only available in US West (Oregon) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1347c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# route53-recovery-readiness-resource-set-tagged
<a name="route53-recovery-readiness-resource-set-tagged"></a>

Checks if Amazon Route 53 Recovery Readiness resource sets have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** ROUTE53_RECOVERY_READINESS_RESOURCE_SET_TAGGED

**Resource Types:** AWS::Route53RecoveryReadiness::ResourceSet

**Trigger type:** Configuration changes

**AWS Region:** Only available in US West (Oregon) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1349c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# route53-resolver-firewall-domain-list-tagged
<a name="route53-resolver-firewall-domain-list-tagged"></a>

Checks if Amazon Route 53 Resolver firewall domain lists have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** ROUTE53_RESOLVER_FIREWALL_DOMAIN_LIST_TAGGED

**Resource Types:** AWS::Route53Resolver::FirewallDomainList

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1351c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# route53-resolver-firewall-rule-group-association-tagged
<a name="route53-resolver-firewall-rule-group-association-tagged"></a>

Checks if Amazon Route 53 Resolver firewall rule group associations have tags. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** ROUTE53_RESOLVER_FIREWALL_RULE_GROUP_ASSOCIATION_TAGGED

**Resource Types:** AWS::Route53Resolver::FirewallRuleGroupAssociation

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1353c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# route53-resolver-firewall-rule-group-tagged
<a name="route53-resolver-firewall-rule-group-tagged"></a>

Checks if Amazon Route 53 Resolver firewall rule groups have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** ROUTE53_RESOLVER_FIREWALL_RULE_GROUP_TAGGED

**Resource Types:** AWS::Route53Resolver::FirewallRuleGroup

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1355c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# route53-resolver-resolver-endpoint-tagged
<a name="route53-resolver-resolver-endpoint-tagged"></a>

Checks if Amazon Route 53 Resolver resolver endpoints have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** ROUTE53_RESOLVER_RESOLVER_ENDPOINT_TAGGED

**Resource Types:** AWS::Route53Resolver::ResolverEndpoint

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Jakarta), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1357c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# route53-resolver-resolver-rule-tagged
<a name="route53-resolver-resolver-rule-tagged"></a>

Checks if Amazon Route 53 Resolver resolver rules have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** ROUTE53_RESOLVER_RESOLVER_RULE_TAGGED

**Resource Types:** AWS::Route53Resolver::ResolverRule

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Jakarta), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1359c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# rum-app-monitor-cloudwatch-logs-enabled
<a name="rum-app-monitor-cloudwatch-logs-enabled"></a>

Checks if Amazon CloudWatch RUM app monitors have CloudWatch logs enabled. The rule is NON_COMPLIANT if configuration.CwLogEnabled is false.

**Identifier:** RUM_APP_MONITOR_CLOUDWATCH_LOGS_ENABLED

**Resource Types:** AWS::RUM::AppMonitor

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Africa (Cape Town), Asia Pacific (Hong Kong), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1361c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# rum-app-monitor-tagged
<a name="rum-app-monitor-tagged"></a>

Checks if Amazon CloudWatch RUM app monitors have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** RUM_APP_MONITOR_TAGGED

**Resource Types:** AWS::RUM::AppMonitor

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Africa (Cape Town), Asia Pacific (Hong Kong), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1363c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# s3express-dir-bucket-lifecycle-rules-check
<a name="s3express-dir-bucket-lifecycle-rules-check"></a>

Checks if lifecycle rules are configured for an Amazon S3 Express directory bucket. The rule is NON_COMPLIANT if there are no active lifecycle configuration rules or the configuration does not match the parameter values.

**Identifier:** S3EXPRESS_DIR_BUCKET_LIFECYCLE_RULES_CHECK

**Resource Types:** AWS::S3Express::DirectoryBucket

**Trigger type:** Configuration changes

**AWS Region:** Only available in Europe (Stockholm), Asia Pacific (Mumbai), US East (Ohio), Europe (Ireland), US East (N. Virginia), Asia Pacific (Tokyo), US West (Oregon) Region

**Parameters:**

targetExpirationDays (Optional)  
Type: int  
Number of days after creation when objects are deleted from Amazon S3 Express directory buckets.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1365c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# s3-access-point-in-vpc-only
<a name="s3-access-point-in-vpc-only"></a>

Checks if an Amazon S3 access point does not allow access from the internet (NetworkOrigin is VPC). The rule is NON_COMPLIANT if NetworkOrigin is Internet.

**Identifier:** S3_ACCESS_POINT_IN_VPC_ONLY

**Resource Types:** AWS::S3::AccessPoint

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Malaysia), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1367c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# s3-access-point-public-access-blocks
<a name="s3-access-point-public-access-blocks"></a>

Checks if Amazon S3 access points have block public access settings enabled. The rule is NON_COMPLIANT if block public access settings are not enabled for S3 access points.

**Identifier:** S3_ACCESS_POINT_PUBLIC_ACCESS_BLOCKS

**Resource Types:** AWS::S3::AccessPoint

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Malaysia), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary) Region

**Parameters:**

excludedAccessPoints (Optional)  
Type: CSV  
Comma-separated list of names for allowed public Amazon S3 access points.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1369c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# s3-account-level-public-access-blocks
<a name="s3-account-level-public-access-blocks"></a>

Checks if the required public access block settings are configured at the account level. The rule is only NON_COMPLIANT when the fields set below do not match the corresponding fields in the configuration item.

**Note**  
If you are using this rule, ensure that S3 Block Public Access is enabled. The rule is change-triggered, so it will not be invoked unless S3 Block Public Access is enabled. If S3 Block Public Access is not enabled, the rule returns INSUFFICIENT_DATA. This means that you still might have some public buckets. For more information about setting up S3 Block Public Access, see [Blocking public access to your Amazon S3 storage](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html).

**Identifier:** S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS

**Resource Types:** AWS::S3::AccountPublicAccessBlock

**Trigger type:** Configuration changes (current status not checked, only evaluated when changes generate new events)

**Note**  
This rule is only triggered by configuration changes for the specific region where the S3 endpoint is located. In all other regions, the rule is checked periodically. If a change was made in another region, there could be a delay before the rule returns NON_COMPLIANT.

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Malaysia), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary) Region

**Parameters:**

RestrictPublicBuckets (Optional)  
Type: String  
Default: True  
Whether RestrictPublicBuckets is enforced. The default is True.

BlockPublicPolicy (Optional)  
Type: String  
Default: True  
Whether BlockPublicPolicy is enforced. The default is True.

BlockPublicAcls (Optional)  
Type: String  
Default: True  
Whether BlockPublicAcls is enforced. The default is True.

IgnorePublicAcls (Optional)  
Type: String  
Default: True  
Whether IgnorePublicAcls is enforced. The default is True.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1371c23"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# s3-account-level-public-access-blocks-periodic
<a name="s3-account-level-public-access-blocks-periodic"></a>

Checks if the required public access block settings are configured at the account level. The rule is NON_COMPLIANT if the configuration item does not match one or more settings from parameters (or default).

**Identifier:** S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS_PERIODIC

**Resource Types:** AWS::::Account

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions

**Parameters:**

IgnorePublicAcls (Optional)  
Type: String  
Whether IgnorePublicAcls is enforced. The default is True.

BlockPublicPolicy (Optional)  
Type: String  
Whether BlockPublicPolicy is enforced. The default is True.

BlockPublicAcls (Optional)  
Type: String  
Whether BlockPublicAcls is enforced. The default is True.

RestrictPublicBuckets (Optional)  
Type: String  
Whether RestrictPublicBuckets is enforced. The default is True.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1373c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# s3-bucket-acl-prohibited
<a name="s3-bucket-acl-prohibited"></a>

Checks if Amazon Simple Storage Service (Amazon S3) Buckets allow user permissions through access control lists (ACLs). The rule is NON_COMPLIANT if ACLs are configured for user access in Amazon S3 Buckets.

**Identifier:** S3_BUCKET_ACL_PROHIBITED

**Resource Types:** AWS::S3::Bucket

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Mexico (Central), Asia Pacific (Taipei) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1375c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# s3-bucket-blacklisted-actions-prohibited
<a name="s3-bucket-blacklisted-actions-prohibited"></a>

Checks if an Amazon Simple Storage Service (Amazon S3) bucket policy does not allow blocklisted bucket-level and object-level actions on resources in the bucket for principals from other AWS accounts. For example, the rule checks that the Amazon S3 bucket policy does not allow another AWS account to perform any `s3:GetBucket*` actions and `s3:DeleteObject` on any object in the bucket. The rule is NON_COMPLIANT if any blocklisted actions are allowed by the Amazon S3 bucket policy.

**Note**  
The rule only checks for entities in the Principal property and does not take into account any conditionals under the Condition property in a policy.

**Identifier:** S3_BUCKET_BLACKLISTED_ACTIONS_PROHIBITED

**Resource Types:** AWS::S3::Bucket

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions

**Parameters:**

blacklistedActionPattern  
Type: CSV  
Comma-separated list of blacklisted action patterns, for example, `s3:GetBucket*` and `s3:DeleteObject`.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1377c21"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# s3-bucket-cross-region-replication-enabled
<a name="s3-bucket-cross-region-replication-enabled"></a>

Checks if you have enabled S3 Cross-Region Replication for your Amazon S3 buckets. The rule is NON_COMPLIANT if there are no replication rules enabled for Cross-Region Replication.

**Identifier:** S3_BUCKET_CROSS_REGION_REPLICATION_ENABLED

**Resource Types:** AWS::S3::Bucket

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Mexico (Central), Asia Pacific (Taipei) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1379c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# s3-bucket-default-lock-enabled
<a name="s3-bucket-default-lock-enabled"></a>

Checks if the S3 bucket has lock enabled, by default. The rule is NON_COMPLIANT if the lock is not enabled.

**Identifier:** S3_BUCKET_DEFAULT_LOCK_ENABLED

**Resource Types:** AWS::S3::Bucket

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions

**Parameters:**

mode (Optional)  
Type: String  
A mode parameter with valid values of GOVERNANCE or COMPLIANCE.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1381c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# s3-bucket-level-public-access-prohibited
<a name="s3-bucket-level-public-access-prohibited"></a>

Checks if S3 buckets are publicly accessible. The rule is NON_COMPLIANT if an S3 bucket is not listed in the `excludedPublicBuckets` parameter and bucket level settings are public.

**Identifier:** S3_BUCKET_LEVEL_PUBLIC_ACCESS_PROHIBITED

**Resource Types:** AWS::S3::Bucket

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions

**Parameters:**

excludedPublicBuckets (Optional)  
Type: CSV  
Comma-separated list of known allowed public Amazon S3 bucket names.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1383c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# s3-bucket-logging-enabled
<a name="s3-bucket-logging-enabled"></a>

Checks if logging is enabled for your S3 buckets. The rule is NON_COMPLIANT if logging is not enabled.

**Identifier:** S3_BUCKET_LOGGING_ENABLED

**Resource Types:** AWS::S3::Bucket

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions

**Parameters:**

targetPrefix (Optional)  
Type: String  
Prefix of the S3 bucket for storing server access logs.

targetBucket (Optional)  
Type: String  
Target S3 bucket for storing server access logs.

## Proactive Evaluation
<a name="w2aac20c16c17b7e1385c19"></a>

 For steps on how to run this rule in proactive mode, see [Evaluating Your Resources with AWS Config Rules](./evaluating-your-resources.html#evaluating-your-resources-proactive). For this rule to return COMPLIANT in proactive mode, the resource configuration schema for the [StartResourceEvaluation](https://docs.aws.amazon.com/config/latest/APIReference/API_StartResourceEvaluation.html) API needs to include the following inputs, encoded as a string: 

```
"ResourceConfiguration":
...
{
   "BucketName": "amzn-s3-demo-bucket",
   "LoggingConfiguration": {
         "DestinationBucketName": "amzn-s3-demo-destination-bucket",
         "LogFilePrefix":"my-log"
   }
}
...
```

 For more information on proactive evaluation, see [Evaluation Mode](./evaluate-config-rules.html). 

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1385c21"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# s3-bucket-mfa-delete-enabled
<a name="s3-bucket-mfa-delete-enabled"></a>

Checks if MFA Delete is enabled in the Amazon Simple Storage Service (Amazon S3) bucket versioning configuration. The rule is NON_COMPLIANT if MFA Delete is not enabled.

**Identifier:** S3_BUCKET_MFA_DELETE_ENABLED

**Resource Types:** AWS::S3::Bucket

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (Thailand), Asia Pacific (Malaysia), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1387c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# s3-bucket-policy-grantee-check
<a name="s3-bucket-policy-grantee-check"></a>

Checks that the access granted by the Amazon S3 bucket is restricted by any of the AWS principals, federated users, service principals, IP addresses, or VPCs that you provide. The rule is COMPLIANT if a bucket policy is not present.

For example, if the input parameter to the rule is the list of two principals, `111122223333` and `444455556666`, and the bucket policy specifies that only `111122223333` can access the bucket, then the rule is COMPLIANT. With the same input parameters, if the bucket policy specifies that `111122223333` and `444455556666` can access the bucket, it is also COMPLIANT.

However, if the bucket policy specifies that `999900009999` can access the bucket, the rule is NON_COMPLIANT.

**Note**  
If a bucket policy contains more than one statement, each statement in the bucket policy is evaluated against this rule.

**Identifier:** S3_BUCKET_POLICY_GRANTEE_CHECK

**Resource Types:** AWS::S3::Bucket

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions

**Parameters:**

awsPrincipals (Optional)  
Type: CSV  
Comma-separated list of principals such as IAM User ARNs, IAM Role ARNs, and AWS accounts. You must provide the full ARN or use partial matching. For example, "arn:aws:iam::*AccountID*:role/*role_name*" or "arn:aws:iam::*AccountID*:role/\*". If the provided value is not an exact match with the principal ARN specified in the bucket policy, the rule is NON_COMPLIANT.

servicePrincipals (Optional)  
Type: CSV  
Comma-separated list of service principals, for example 'cloudtrail.amazonaws.com, lambda.amazonaws.com'.

federatedUsers (Optional)  
Type: CSV  
Comma-separated list of identity providers for web identity federation such as Amazon Cognito and SAML identity providers. For example 'cognito-identity.amazonaws.com, arn:aws:iam::111122223333:saml-provider/my-provider'.

ipAddresses (Optional)  
Type: CSV  
Comma-separated list of CIDR formatted IP addresses, for example '10.0.0.1, 192.168.1.0/24, 2001:db8::/32'.

vpcIds (Optional)  
Type: CSV  
Comma-separated list of Amazon Virtual Private Clouds (Amazon VPC) IDs, for example 'vpc-1234abc0, vpc-ab1234c0'.
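
The per-statement grantee check described above, as an added local sketch for pre-checking a bucket policy before deployment; it is not AWS Config's implementation. Function names and sample policies are constructed for illustration, and the sketch assumes that only `Allow` statements grant access, that an account ID and its root ARN are equivalent, and that partial matching means `*` wildcards; the `ipAddresses` and `vpcIds` conditions are not modelled.

```python
import fnmatch
import json

# Principal-type key in a policy statement -> rule parameter it is compared with.
PARAM_FOR_KEY = {
    "AWS": "awsPrincipals",
    "Service": "servicePrincipals",
    "Federated": "federatedUsers",
}


def parse_csv(value):
    """Split a CSV rule parameter into trimmed, non-empty entries."""
    return [item.strip() for item in (value or "").split(",") if item.strip()]


def as_list(value):
    return value if isinstance(value, list) else [value]


def normalize(principal):
    """Assumption: an account root ARN and the bare account ID are the same grantee."""
    parts = principal.split(":")
    if len(parts) == 6 and parts[0] == "arn" and parts[2] == "iam" and parts[5] == "root":
        return parts[4]
    return principal


def evaluate_grantees(policy, params):
    """Return (compliance, findings); findings are (statement id, grantee) pairs."""
    if not policy:
        return "COMPLIANT", []  # the rule is COMPLIANT if no bucket policy is present
    if isinstance(policy, str):
        policy = json.loads(policy)
    allowed = {
        name: [normalize(p) for p in parse_csv(params.get(name))]
        for name in PARAM_FOR_KEY.values()
    }
    findings = []
    # Every statement is evaluated on its own, as the rule's note describes.
    for index, stmt in enumerate(as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or "Principal" not in stmt:
            continue  # Deny and NotPrincipal statements are outside this sketch
        principal = stmt["Principal"]
        if principal == "*":
            grantees = [("AWS", "*")]
        else:
            grantees = [(k, g) for k, vals in principal.items() for g in as_list(vals)]
        for key, grantee in grantees:
            patterns = allowed.get(PARAM_FOR_KEY.get(key, ""), [])
            # Case-sensitive match; '*' in a parameter value is a wildcard.
            if not any(fnmatch.fnmatchcase(normalize(grantee), p) for p in patterns):
                findings.append((stmt.get("Sid", f"statement[{index}]"), grantee))
    return ("NON_COMPLIANT" if findings else "COMPLIANT"), findings


def sample_policy(*grantees):
    """Constructed sample: one Allow statement per argument (ARN, account ID, or list)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": f"Stmt{i}",
                "Effect": "Allow",
                "Principal": {"AWS": grantee},
                "Action": "s3:GetObject",
                "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*",
            }
            for i, grantee in enumerate(grantees)
        ],
    }


if __name__ == "__main__":
    rule_params = {"awsPrincipals": "111122223333, 444455556666"}
    for policy in (
        None,
        sample_policy("arn:aws:iam::111122223333:root"),
        sample_policy("111122223333", "999900009999"),
    ):
        print(evaluate_grantees(policy, rule_params))
```
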

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1389c25"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# s3-bucket-policy-not-more-permissive
<a name="s3-bucket-policy-not-more-permissive"></a>

Checks if your Amazon Simple Storage Service bucket policies do not allow inter-account permissions other than those in the control Amazon S3 bucket policy that you provide.

**Note**  
If you provide an invalid parameter value, you will see the following error: Value for controlPolicy parameter must be an Amazon S3 bucket policy. 



**Identifier:** S3_BUCKET_POLICY_NOT_MORE_PERMISSIVE

**Resource Types:** AWS::S3::Bucket

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions

**Parameters:**

controlPolicy  
Type: String  
Amazon S3 bucket policy that defines an upper bound on the permissions of your S3 buckets. The policy can be a maximum of 1024 characters long.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1391c21"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# s3-bucket-public-read-prohibited
<a name="s3-bucket-public-read-prohibited"></a>

Checks if your Amazon S3 buckets do not allow public read access. The rule checks the Block Public Access settings, the bucket policy, and the bucket access control list (ACL).

The rule is compliant when both of the following are true:
+ The Block Public Access setting restricts public policies or the bucket policy does not allow public read access.
+ The Block Public Access setting restricts public ACLs or the bucket ACL does not allow public read access.

The rule is noncompliant when:
+ If the Block Public Access setting does not restrict public policies, AWS Config evaluates whether the policy allows public read access. If the policy allows public read access, the rule is noncompliant.
+ If the Block Public Access setting does not restrict public bucket ACLs, AWS Config evaluates whether the bucket ACL allows public read access. If the bucket ACL allows public read access, the rule is noncompliant.

**Note**  
To be considered non-public, an S3 bucket policy must grant access only to fixed values. This means a policy is NON_COMPLIANT if it grants access to a wildcard or the following IAM policy element: [Variables](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#policy-vars-using-variables). A fixed value containing a wildcard can still be COMPLIANT.

**Identifier:** S3_BUCKET_PUBLIC_READ_PROHIBITED

**Resource Types:** AWS::S3::Bucket

**Trigger type:** Configuration changes and Periodic

**AWS Region:** All supported AWS regions

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1393c29"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# s3-bucket-public-write-prohibited
<a name="s3-bucket-public-write-prohibited"></a>

Checks if your Amazon S3 buckets do not allow public write access. The rule checks the Block Public Access settings, the bucket policy, and the bucket access control list (ACL).

The rule is compliant when both of the following are true:
+ The Block Public Access setting restricts public policies or the bucket policy does not allow public write access.
+ The Block Public Access setting restricts public ACLs or the bucket ACL does not allow public write access.

The rule is noncompliant when:
+ If the Block Public Access setting does not restrict public policies, AWS Config evaluates whether the policy allows public write access. If the policy allows public write access, the rule is noncompliant.
+ If the Block Public Access setting does not restrict public bucket ACLs, AWS Config evaluates whether the bucket ACL allows public write access. If the bucket ACL allows public write access, the rule is noncompliant.

**Note**  
This rule does not evaluate changes to account level public block access. To check if the required public access block settings are configured from the account level, see [s3-account-level-public-access-blocks](https://docs.aws.amazon.com/config/latest/developerguide/s3-account-level-public-access-blocks.html) and [s3-account-level-public-access-blocks-periodic](https://docs.aws.amazon.com/config/latest/developerguide/s3-account-level-public-access-blocks-periodic.html).

**Note**  
To be considered non-public, an S3 bucket policy must grant access only to fixed values. This means a policy is NON_COMPLIANT if it grants access to a wildcard or the following IAM policy element: [Variables](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#policy-vars-using-variables). A fixed value containing a wildcard can still be COMPLIANT.

**Identifier:** S3_BUCKET_PUBLIC_WRITE_PROHIBITED

**Resource Types:** AWS::S3::Bucket

**Trigger type:** Configuration changes and Periodic

**AWS Region:** All supported AWS regions

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1395c31"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# s3-bucket-replication-enabled
<a name="s3-bucket-replication-enabled"></a>

Checks if S3 buckets have replication rules enabled. The rule is NON_COMPLIANT if an S3 bucket does not have a replication rule or has a replication rule that is not enabled.

**Identifier:** S3_BUCKET_REPLICATION_ENABLED

**Resource Types:** AWS::S3::Bucket

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions

**Parameters:**

ReplicationType (Optional)  
Type: String  
Accepted values: 'CROSS-REGION' and 'SAME-REGION'. Enter 'CROSS-REGION' for the rule to check that all buckets have only Cross-Region Replication enabled. Enter 'SAME-REGION' for the rule to check that all buckets have only Same-Region Replication enabled.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1397c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# s3-bucket-server-side-encryption-enabled
<a name="s3-bucket-server-side-encryption-enabled"></a>

Checks if your Amazon S3 bucket either has the Amazon S3 default encryption enabled or that the Amazon S3 bucket policy explicitly denies `put-object` requests without server side encryption that uses AES-256 or AWS Key Management Service. The rule is NON_COMPLIANT if your Amazon S3 bucket is not encrypted by default.

**Identifier:** S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED

**Resource Types:** AWS::S3::Bucket

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1399c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# s3-bucket-ssl-requests-only
<a name="s3-bucket-ssl-requests-only"></a>

Checks if S3 buckets have policies that require requests to use SSL/TLS. The rule is NON_COMPLIANT if any S3 bucket has policies allowing HTTP requests.

**Identifier:** S3_BUCKET_SSL_REQUESTS_ONLY

**Resource Types:** AWS::S3::Bucket

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1401c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# s3-bucket-tagged
<a name="s3-bucket-tagged"></a>

Checks if Amazon S3 buckets have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** S3_BUCKET_TAGGED

**Resource Types:** AWS::S3::Bucket

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), China (Ningxia) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1403c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# s3-bucket-versioning-enabled
<a name="s3-bucket-versioning-enabled"></a>

Checks if versioning is enabled for your S3 buckets. Optionally, the rule checks if MFA delete is enabled for your S3 buckets.



**Identifier:** S3_BUCKET_VERSIONING_ENABLED

**Resource Types:** AWS::S3::Bucket

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions

**Parameters:**

isMfaDeleteEnabled (Optional)  
Type: String  
MFA delete is enabled for your S3 buckets.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1405c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# s3-default-encryption-kms
<a name="s3-default-encryption-kms"></a>

Checks if the S3 buckets are encrypted with AWS Key Management Service (AWS KMS). The rule is NON_COMPLIANT if the S3 bucket is not encrypted with an AWS KMS key.

**Identifier:** S3_DEFAULT_ENCRYPTION_KMS

**Resource Types:** AWS::S3::Bucket, AWS::KMS::Key

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions

**Parameters:**

kmsKeyArns (Optional)  
Type: CSV  
Comma-separated list of AWS KMS key ARNs allowed for encrypting Amazon S3 Buckets.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1407c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# s3-directory-bucket-lifecycle-policy-rule-check
<a name="s3-directory-bucket-lifecycle-policy-rule-check"></a>

Checks if directory buckets for Amazon S3 have a lifecycle policy with at least one enabled rule. The rule is NON_COMPLIANT if there are no lifecycle policy rules or if none of the lifecycle policy rules have status Enabled.

**Identifier:** S3_DIRECTORY_BUCKET_LIFECYCLE_POLICY_RULE_CHECK

**Resource Types:** AWS::S3Express::DirectoryBucket

**Trigger type:** Configuration changes

**AWS Region:** Only available in Europe (Stockholm), Asia Pacific (Mumbai), US East (Ohio), Europe (Ireland), US East (N. Virginia), Asia Pacific (Tokyo), US West (Oregon) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1409c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# s3-event-notifications-enabled
<a name="s3-event-notifications-enabled"></a>

Checks if Amazon S3 Events Notifications are enabled on an S3 bucket. The rule is NON_COMPLIANT if S3 Events Notifications are not set on a bucket, or if the event type or destination does not match the `eventTypes` and `destinationArn` parameters.

**Identifier:** S3_EVENT_NOTIFICATIONS_ENABLED

**Resource Types:** AWS::S3::Bucket

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Mexico (Central), Asia Pacific (Taipei) Region

**Parameters:**

destinationArn (Optional)  
Type: String  
The Amazon Resource Name (ARN) of the destination for the event notification (Amazon SNS topic, AWS Lambda, Amazon SQS Queue).

eventTypes (Optional)  
Type: CSV  
Comma-separated list of the preferred Amazon S3 event types.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1411c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# s3-last-backup-recovery-point-created
<a name="s3-last-backup-recovery-point-created"></a>

Checks if a recovery point was created for Amazon Simple Storage Service (Amazon S3). The rule is NON_COMPLIANT if the Amazon S3 bucket does not have a corresponding recovery point created within the specified time period.

**Identifier:** S3_LAST_BACKUP_RECOVERY_POINT_CREATED

**Resource Types:** AWS::S3::Bucket

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

resourceTags (Optional)  
Type: String  
Tags of Amazon S3 bucket for the rule to check, in JSON format `{"tagkey" : "tagValue"}`.

resourceId (Optional)  
Type: String  
Name of Amazon S3 bucket for the rule to check.

recoveryPointAgeValue (Optional)  
Type: int  
Default: 1  
Numerical value for maximum allowed age. No more than 744 for hours, 31 for days.

recoveryPointAgeUnit (Optional)  
Type: String  
Default: days  
Unit of time for maximum allowed age. Accepted values: 'hours', 'days'.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1413c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# s3-lifecycle-policy-check
<a name="s3-lifecycle-policy-check"></a>

Checks if a lifecycle rule is configured for an Amazon Simple Storage Service (Amazon S3) bucket. The rule is NON_COMPLIANT if there are no active lifecycle configuration rules or the configuration does not match the parameter values.

**Identifier:** S3_LIFECYCLE_POLICY_CHECK

**Resource Types:** AWS::S3::Bucket

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions

**Parameters:**

targetTransitionDays (Optional)  
Type: int  
Number of days after object creation when objects are transitioned to a specified storage class (for example, 30 days).

targetExpirationDays (Optional)  
Type: int  
Number of days after object creation when objects are deleted (for example, 395 days).

targetTransitionStorageClass (Optional)  
Type: String  
Destination storage class type. For example, Amazon S3 Standard-Infrequent Access (S3 Standard-IA). For more information, see [Understanding and managing Amazon S3 storage classes](https://docs.aws.amazon.com/AmazonS3/latest/dev/storage-class-intro.html).

targetPrefix (Optional)  
Type: String  
Amazon S3 Object prefix to identify one or more objects.

bucketNames (Optional)  
Type: CSV  
Comma-separated list of Amazon S3 bucket names that have lifecycle policy enabled.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1415c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# s3-meets-restore-time-target
<a name="s3-meets-restore-time-target"></a>

Checks if the restore time of Amazon Simple Storage Service (Amazon S3) buckets meets the specified duration. The rule is NON_COMPLIANT if LatestRestoreExecutionTimeMinutes of an Amazon S3 bucket is greater than maxRestoreTime minutes.

**Identifier:** S3_MEETS_RESTORE_TIME_TARGET

**Resource Types:** AWS::S3::Bucket

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

maxRestoreTime  
Type: int  
Numerical value for the maximum allowed restore runtime.

resourceTags (Optional)  
Type: String  
Tags of Amazon S3 bucket for the rule to check, in JSON format.

resourceId (Optional)  
Type: String  
Name of Amazon S3 bucket for the rule to check.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1417c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# s3-resources-in-logically-air-gapped-vault
<a name="s3-resources-in-logically-air-gapped-vault"></a>

Checks if Amazon Simple Storage Service (Amazon S3) buckets are in a logically air-gapped vault. The rule is NON_COMPLIANT if an Amazon S3 bucket is not in a logically air-gapped vault within the specified time period.

**Identifier:** S3_RESOURCES_IN_LOGICALLY_AIR_GAPPED_VAULT

**Resource Types:** AWS::S3::Bucket

**Trigger type:** Periodic

**AWS Region:** Only available in Europe (Stockholm), Middle East (Bahrain), Asia Pacific (Mumbai), Europe (Paris), US East (Ohio), Europe (Ireland), Europe (Frankfurt), South America (Sao Paulo), US East (N. Virginia), Asia Pacific (Seoul), Asia Pacific (Osaka), Europe (London), Asia Pacific (Tokyo), US West (Oregon), US West (N. California), Asia Pacific (Singapore), Asia Pacific (Sydney), Canada (Central) Region

**Parameters:**

resourceTags (Optional)  
Type: String  
Tags of Amazon S3 bucket for the rule to check, in JSON format.

resourceId (Optional)  
Type: String  
Name of Amazon S3 bucket for the rule to check.

recoveryPointAgeValue (Optional)  
Type: int  
Default: 1  
Numerical value for maximum allowed age. No more than 2184 for hours, 91 for days.

recoveryPointAgeUnit (Optional)  
Type: String  
Default: days  
Unit of time for maximum allowed age. Accepted values: 'hours', 'days'.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1419c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# s3-resources-protected-by-backup-plan
<a name="s3-resources-protected-by-backup-plan"></a>

Checks if Amazon Simple Storage Service (Amazon S3) buckets are protected by a backup plan. The rule is NON_COMPLIANT if the Amazon S3 bucket is not covered by a backup plan.

**Identifier:** S3_RESOURCES_PROTECTED_BY_BACKUP_PLAN

**Resource Types:** AWS::S3::Bucket

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

resourceTags (Optional)  
Type: String  
Tags for Amazon S3 buckets for the rule to check, in JSON format `{"tagkey" : "tagValue"}`.

resourceId (Optional)  
Type: String  
Name of Amazon S3 bucket for the rule to check.

crossRegionList (Optional)  
Type: String  
Comma-separated list of destination regions for the cross-region backup copy to be kept.

crossAccountList (Optional)  
Type: String  
Comma-separated list of destination accounts for cross-account backup copy to be kept.

maxRetentionDays (Optional)  
Type: int  
The maximum retention period in days for the Backup Vault Lock.

minRetentionDays (Optional)  
Type: int  
The minimum retention period in days for the Backup Vault Lock.

backupVaultLockCheck (Optional)  
Type: String  
Accepted values: 'True' or 'False'. Enter 'True' for the rule to check if the resource is backed up in a locked vault.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1421c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# s3-version-lifecycle-policy-check
<a name="s3-version-lifecycle-policy-check"></a>

Checks if Amazon Simple Storage Service (Amazon S3) version-enabled buckets have a lifecycle policy configured. The rule is NON_COMPLIANT if Amazon S3 lifecycle policy is not enabled.

**Identifier:** S3_VERSION_LIFECYCLE_POLICY_CHECK

**Resource Types:** AWS::S3::Bucket

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Mexico (Central), Asia Pacific (Taipei) Region

**Parameters:**

bucketNames (Optional)  
Type: CSV  
Comma-separated list of Amazon S3 bucket names that have lifecycle policy enabled.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1423c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# sagemaker-app-image-config-tagged
<a name="sagemaker-app-image-config-tagged"></a>

Checks if Amazon SageMaker app image configs have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** SAGEMAKER_APP_IMAGE_CONFIG_TAGGED

**Resource Types:** AWS::SageMaker::AppImageConfig

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia), Europe (Zurich) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1425c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# sagemaker-data-quality-job-encrypt-in-transit
<a name="sagemaker-data-quality-job-encrypt-in-transit"></a>

Checks if Amazon SageMaker data quality job definitions have inter-container traffic encryption enabled when the instance count is 2 or greater. The rule is NON_COMPLIANT if configuration.NetworkConfig.EnableInterContainerTrafficEncryption is false.

**Identifier:** SAGEMAKER_DATA_QUALITY_JOB_ENCRYPT_IN_TRANSIT

**Resource Types:** AWS::SageMaker::DataQualityJobDefinition

**Trigger type:** Configuration changes

**AWS Region:** Only available in Europe (Stockholm), Middle East (Bahrain), Asia Pacific (Mumbai), Europe (Paris), US East (Ohio), Europe (Ireland), Europe (Frankfurt), South America (Sao Paulo), Asia Pacific (Hong Kong), US East (N. Virginia), Asia Pacific (Seoul), Asia Pacific (Osaka), Europe (London), Asia Pacific (Tokyo), US West (Oregon), US West (N. California), Asia Pacific (Singapore), Asia Pacific (Sydney), Canada (Central) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1427c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# sagemaker-data-quality-job-isolation
<a name="sagemaker-data-quality-job-isolation"></a>

Checks if Amazon SageMaker data quality job definitions have network isolation enabled. The rule is NON_COMPLIANT if configuration.NetworkConfig.EnableNetworkIsolation is false.

**Identifier:** SAGEMAKER_DATA_QUALITY_JOB_ISOLATION

**Resource Types:** AWS::SageMaker::DataQualityJobDefinition

**Trigger type:** Configuration changes

**AWS Region:** Only available in Europe (Stockholm), Middle East (Bahrain), Asia Pacific (Mumbai), Europe (Paris), US East (Ohio), Europe (Ireland), Europe (Frankfurt), South America (Sao Paulo), Asia Pacific (Hong Kong), US East (N. Virginia), Asia Pacific (Seoul), Asia Pacific (Osaka), Europe (London), Asia Pacific (Tokyo), US West (Oregon), US West (N. California), Asia Pacific (Singapore), Asia Pacific (Sydney), Canada (Central) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1429c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# sagemaker-domain-in-vpc
<a name="sagemaker-domain-in-vpc"></a>

Checks if an Amazon SageMaker domain uses a customer-owned Amazon Virtual Private Cloud (VPC) for non-EFS traffic. The rule is NON_COMPLIANT if configuration.AppNetworkAccessType is not set to VpcOnly.

**Identifier:** SAGEMAKER_DOMAIN_IN_VPC

**Resource Types:** AWS::SageMaker::Domain

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1431c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# sagemaker-domain-tagged
<a name="sagemaker-domain-tagged"></a>

Checks if Amazon SageMaker domains have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** SAGEMAKER_DOMAIN_TAGGED

**Resource Types:** AWS::SageMaker::Domain

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1433c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# sagemaker-endpoint-configuration-kms-key-configured
<a name="sagemaker-endpoint-configuration-kms-key-configured"></a>

Checks if an AWS Key Management Service (AWS KMS) key is configured for an Amazon SageMaker endpoint configuration. The rule is NON_COMPLIANT if 'KmsKeyId' is not specified for the Amazon SageMaker endpoint configuration.

**Identifier:** SAGEMAKER_ENDPOINT_CONFIGURATION_KMS_KEY_CONFIGURED

**Resource Types:** AWS::SageMaker::EndpointConfig

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Malaysia), Asia Pacific (Melbourne), Mexico (Central), Asia Pacific (Taipei) Region

**Parameters:**

kmsKeyArns (Optional)  
Type: String  
Comma-separated list of specific AWS KMS key ARNs allowed for an Amazon SageMaker endpoint configuration.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1435c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# sagemaker-endpoint-config-prod-instance-count
<a name="sagemaker-endpoint-config-prod-instance-count"></a>

Checks if Amazon SageMaker endpoint configurations have production variants `InitialInstanceCount` set to a value greater than 1. The rule is NON_COMPLIANT if production variants `InitialInstanceCount` is equal to 1.

**Identifier:** SAGEMAKER_ENDPOINT_CONFIG_PROD_INSTANCE_COUNT

**Resource Types:** AWS::SageMaker::EndpointConfig

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1437c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# sagemaker-featuregroup-description
<a name="sagemaker-featuregroup-description"></a>

Checks if Amazon SageMaker FeatureGroup resources contain a description. The rule is NON_COMPLIANT if the FeatureGroup does not contain a description field or the description is empty.

**Identifier:** SAGEMAKER_FEATUREGROUP_DESCRIPTION

**Resource Types:** AWS::SageMaker::FeatureGroup

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1439c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# sagemaker-featuregroup-encryption-at-rest
<a name="sagemaker-featuregroup-encryption-at-rest"></a>

Checks if SageMaker feature groups have KMS encryption for OfflineStore. The rule is NON_COMPLIANT if offline store S3 storage does not have customer-managed KMS key encryption.

**Identifier:** SAGEMAKER_FEATUREGROUP_ENCRYPTION_AT_REST

**Resource Types:** AWS::SageMaker::FeatureGroup

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Middle East (Bahrain), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1441c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# sagemaker-feature-group-tagged
<a name="sagemaker-feature-group-tagged"></a>

Checks if Amazon SageMaker feature groups have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** SAGEMAKER_FEATURE_GROUP_TAGGED

**Resource Types:** AWS::SageMaker::FeatureGroup

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia), Europe (Zurich) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1443c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# sagemaker-image-description
<a name="sagemaker-image-description"></a>

Checks if Amazon SageMaker images have a description. The rule is NON_COMPLIANT if configuration.ImageDescription does not exist.

**Identifier:** SAGEMAKER_IMAGE_DESCRIPTION

**Resource Types:** AWS::SageMaker::Image

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1445c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# sagemaker-image-tagged
<a name="sagemaker-image-tagged"></a>

Checks if Amazon SageMaker images have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** SAGEMAKER_IMAGE_TAGGED

**Resource Types:** AWS::SageMaker::Image

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia), Europe (Zurich) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1447c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# sagemaker-inferenceexperiment-tagged
<a name="sagemaker-inferenceexperiment-tagged"></a>

Checks if Amazon SageMaker Inference Experiments have tags. Optionally, required tag keys can be specified. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** SAGEMAKER_INFERENCEEXPERIMENT_TAGGED

**Resource Types:** AWS::SageMaker::InferenceExperiment

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Jakarta), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1449c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# sagemaker-model-bias-job-encrypt-in-transit
<a name="sagemaker-model-bias-job-encrypt-in-transit"></a>

Checks if Amazon SageMaker model bias job definitions have inter-container traffic encryption enabled when the instance count is 2 or greater. The rule is NON_COMPLIANT if configuration.NetworkConfig.EnableInterContainerTrafficEncryption is false.

**Identifier:** SAGEMAKER_MODEL_BIAS_JOB_ENCRYPT_IN_TRANSIT

**Resource Types:** AWS::SageMaker::ModelBiasJobDefinition

**Trigger type:** Configuration changes

**AWS Region:** Only available in Middle East (Bahrain), Asia Pacific (Mumbai), Europe (Paris), US East (Ohio), Europe (Ireland), Europe (Frankfurt), South America (Sao Paulo), Asia Pacific (Hong Kong), US East (N. Virginia), Asia Pacific (Seoul), Asia Pacific (Osaka), Europe (London), Asia Pacific (Tokyo), US West (Oregon), US West (N. California), Asia Pacific (Singapore), Asia Pacific (Sydney), Canada (Central) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1451c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# sagemaker-model-bias-job-isolation
<a name="sagemaker-model-bias-job-isolation"></a>

Checks if Amazon SageMaker model bias job definitions have network isolation enabled. The rule is NON_COMPLIANT if configuration.NetworkConfig.EnableNetworkIsolation is false.

**Identifier:** SAGEMAKER_MODEL_BIAS_JOB_ISOLATION

**Resource Types:** AWS::SageMaker::ModelBiasJobDefinition

**Trigger type:** Configuration changes

**AWS Region:** Only available in Middle East (Bahrain), Asia Pacific (Mumbai), Europe (Paris), US East (Ohio), Europe (Ireland), Europe (Frankfurt), South America (Sao Paulo), Asia Pacific (Hong Kong), US East (N. Virginia), Asia Pacific (Seoul), Asia Pacific (Osaka), Europe (London), Asia Pacific (Tokyo), US West (Oregon), US West (N. California), Asia Pacific (Singapore), Asia Pacific (Sydney), Canada (Central) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1453c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# sagemaker-model-explainability-job-encrypt-in-transit
<a name="sagemaker-model-explainability-job-encrypt-in-transit"></a>

Checks if Amazon SageMaker model explainability job definitions have inter-container traffic encryption enabled when the instance count is 2 or greater. The rule is NON_COMPLIANT if configuration.NetworkConfig.EnableInterContainerTrafficEncryption is false.

**Identifier:** SAGEMAKER_MODEL_EXPLAINABILITY_JOB_ENCRYPT_IN_TRANSIT

**Resource Types:** AWS::SageMaker::ModelExplainabilityJobDefinition

**Trigger type:** Configuration changes

**AWS Region:** Only available in Europe (Stockholm), Middle East (Bahrain), Asia Pacific (Mumbai), Europe (Paris), US East (Ohio), Europe (Ireland), Europe (Frankfurt), South America (Sao Paulo), Asia Pacific (Hong Kong), US East (N. Virginia), Asia Pacific (Seoul), Asia Pacific (Osaka), Europe (London), Asia Pacific (Tokyo), US West (Oregon), US West (N. California), Asia Pacific (Singapore), Asia Pacific (Sydney), Canada (Central) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1455c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# sagemaker-model-in-vpc
<a name="sagemaker-model-in-vpc"></a>

Checks if an Amazon SageMaker model uses an Amazon Virtual Private Cloud (Amazon VPC) for container traffic. The rule is NON_COMPLIANT if configuration.VpcConfig does not exist.

**Identifier:** SAGEMAKER_MODEL_IN_VPC

**Resource Types:** AWS::SageMaker::Model

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1457c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# sagemaker-model-isolation-enabled
<a name="sagemaker-model-isolation-enabled"></a>

Checks if an Amazon SageMaker model has network isolation enabled. The rule is NON_COMPLIANT if configuration.EnableNetworkIsolation is false.

**Identifier:** SAGEMAKER_MODEL_ISOLATION_ENABLED

**Resource Types:** AWS::SageMaker::Model

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1459c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# sagemaker-model-private-registry-required
<a name="sagemaker-model-private-registry-required"></a>

Checks if Amazon SageMaker models that use a PrimaryContainer pull the container image from a private Docker registry in a VPC. The rule is NON_COMPLIANT if ImageConfig is missing or RepositoryAccessMode is set to Platform.

**Identifier:** SAGEMAKER_MODEL_PRIVATE_REGISTRY_REQUIRED

**Resource Types:** AWS::SageMaker::Model

**Trigger type:** Configuration changes

**AWS Region:** Only available in Europe (Stockholm), Asia Pacific (Mumbai), Europe (Paris), US East (Ohio), Africa (Cape Town), Europe (Ireland), South America (Sao Paulo), Asia Pacific (Hong Kong), US East (N. Virginia), Asia Pacific (Seoul), Europe (London), Europe (Milan), Asia Pacific (Tokyo), US West (Oregon), US West (N. California), Asia Pacific (Singapore), Asia Pacific (Sydney), Canada (Central) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1461c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# sagemaker-model-quality-job-encrypt-in-transit
<a name="sagemaker-model-quality-job-encrypt-in-transit"></a>

Checks if Amazon SageMaker model quality job definitions have inter-container traffic encryption enabled when the instance count is 2 or greater. The rule is NON_COMPLIANT if configuration.NetworkConfig.EnableInterContainerTrafficEncryption is false.

**Identifier:** SAGEMAKER_MODEL_QUALITY_JOB_ENCRYPT_IN_TRANSIT

**Resource Types:** AWS::SageMaker::ModelQualityJobDefinition

**Trigger type:** Configuration changes

**AWS Region:** Only available in Europe (Stockholm), Middle East (Bahrain), Asia Pacific (Mumbai), Europe (Paris), US East (Ohio), Europe (Ireland), Europe (Frankfurt), South America (Sao Paulo), Asia Pacific (Hong Kong), US East (N. Virginia), Asia Pacific (Seoul), Asia Pacific (Osaka), Europe (London), Asia Pacific (Tokyo), US West (Oregon), US West (N. California), Asia Pacific (Singapore), Asia Pacific (Sydney), Canada (Central) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1463c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# sagemaker-monitoring-schedule-isolation
<a name="sagemaker-monitoring-schedule-isolation"></a>

Checks if Amazon SageMaker monitoring schedules have network isolation enabled. The rule is NON_COMPLIANT if configuration.MonitoringScheduleConfig.MonitoringJobDefinition.NetworkConfig.EnableNetworkIsolation is false.

**Identifier:** SAGEMAKER_MONITORING_SCHEDULE_ISOLATION

**Resource Types:** AWS::SageMaker::MonitoringSchedule

**Trigger type:** Configuration changes

**AWS Region:** Only available in Europe (Stockholm), Middle East (Bahrain), Asia Pacific (Mumbai), Europe (Paris), US East (Ohio), Europe (Ireland), Europe (Frankfurt), South America (Sao Paulo), Asia Pacific (Hong Kong), US East (N. Virginia), Asia Pacific (Seoul), Asia Pacific (Osaka), Europe (London), Asia Pacific (Tokyo), US West (Oregon), US West (N. California), Asia Pacific (Singapore), Asia Pacific (Sydney), Canada (Central) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1465c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# sagemaker-notebook-instance-inside-vpc
<a name="sagemaker-notebook-instance-inside-vpc"></a>

Checks if an Amazon SageMaker notebook instance is launched within a VPC or within a list of approved subnets. The rule is NON_COMPLIANT if a notebook instance is not launched within a VPC or if its subnet ID is not included in the parameter list.

**Identifier:** SAGEMAKER_NOTEBOOK_INSTANCE_INSIDE_VPC

**Resource Types:** AWS::SageMaker::NotebookInstance

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), Europe (Zurich) Region

**Parameters:**

SubnetIds (Optional)  
Type: CSV  
Comma-separated list of subnet IDs that notebook instances can be launched in.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1467c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# sagemaker-notebook-instance-kms-key-configured
<a name="sagemaker-notebook-instance-kms-key-configured"></a>

Checks if an AWS Key Management Service (AWS KMS) key is configured for an Amazon SageMaker notebook instance. The rule is NON_COMPLIANT if 'KmsKeyId' is not specified for the SageMaker notebook instance.

**Identifier:** SAGEMAKER_NOTEBOOK_INSTANCE_KMS_KEY_CONFIGURED

**Resource Types:** AWS::SageMaker::NotebookInstance

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Malaysia), Mexico (Central), Asia Pacific (Taipei) Region

**Parameters:**

kmsKeyArns (Optional)  
Type: String  
Comma-separated list of AWS KMS key ARNs allowed for an Amazon SageMaker notebook instance.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1469c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# sagemaker-notebook-instance-platform-version
<a name="sagemaker-notebook-instance-platform-version"></a>

Checks if an Amazon SageMaker notebook instance is configured to use a supported platform identifier version. The rule is NON_COMPLIANT if a notebook instance is not using a supported platform identifier version as specified in the parameter.

**Identifier:** SAGEMAKER_NOTEBOOK_INSTANCE_PLATFORM_VERSION

**Resource Types:** AWS::SageMaker::NotebookInstance

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Malaysia), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary) Region

**Parameters:**

supportedPlatformIdentifierVersions  
Type: CSV  
Comma-separated list of the supported platform identifier version for the rule to check.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1471c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# sagemaker-notebook-instance-root-access-check
<a name="sagemaker-notebook-instance-root-access-check"></a>

Checks if the Amazon SageMaker RootAccess setting is enabled for Amazon SageMaker notebook instances. The rule is NON_COMPLIANT if the RootAccess setting is set to ‘Enabled’ for an Amazon SageMaker notebook instance.

**Identifier:** SAGEMAKER_NOTEBOOK_INSTANCE_ROOT_ACCESS_CHECK

**Resource Types:** AWS::SageMaker::NotebookInstance

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1473c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# sagemaker-notebook-no-direct-internet-access
<a name="sagemaker-notebook-no-direct-internet-access"></a>

Checks if direct internet access is disabled for an Amazon SageMaker notebook instance. The rule is NON_COMPLIANT if a SageMaker notebook instance is internet-enabled.

**Identifier:** SAGEMAKER_NOTEBOOK_NO_DIRECT_INTERNET_ACCESS

**Resource Types:** AWS::SageMaker::NotebookInstance

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Malaysia), Mexico (Central), Asia Pacific (Taipei) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1475c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# secretsmanager-rotation-enabled-check
<a name="secretsmanager-rotation-enabled-check"></a>

Checks if an AWS Secrets Manager secret has rotation enabled. The rule also checks an optional `maximumAllowedRotationFrequency` parameter. If the parameter is specified, the rotation frequency of the secret is compared with the maximum allowed frequency. The rule is NON_COMPLIANT if the secret is not scheduled for rotation. The rule is also NON_COMPLIANT if the rotation frequency is higher than the number specified in the `maximumAllowedRotationFrequency` parameter.

**Note**  
Re-evaluating this rule within 4 hours of the first evaluation will have no effect on the results. 



**Identifier:** SECRETSMANAGER_ROTATION_ENABLED_CHECK

**Resource Types:** AWS::SecretsManager::Secret

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions

**Parameters:**

maximumAllowedRotationFrequencyInHours (Optional)  
Type: int  
Maximum allowed rotation frequency of the secret in hours.

maximumAllowedRotationFrequency (Optional)  
Type: int  
Maximum allowed rotation frequency of the secret in days.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1477c21"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# secretsmanager-scheduled-rotation-success-check
<a name="secretsmanager-scheduled-rotation-success-check"></a>

Checks if AWS Secrets Manager secrets rotated successfully according to the rotation schedule. Secrets Manager calculates the date the rotation should happen. The rule is NON_COMPLIANT if the date passes and the secret isn't rotated.

**Note**  
**Recording delays**  
Evaluation results for this rule can be delayed for up to 2 days from a missed rotation date. For more immediate monitoring, see [Monitor AWS Secrets Manager with Amazon CloudWatch](https://docs.aws.amazon.com/secretsmanager/latest/userguide/monitoring-cloudwatch.html) in the *Secrets Manager User Guide*.  
**Secrets without rotation**  
The rule returns `NOT_APPLICABLE` for secrets that aren't configured for rotation.

**Identifier:** SECRETSMANAGER_SCHEDULED_ROTATION_SUCCESS_CHECK

**Resource Types:** AWS::SecretsManager::Secret

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1479c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# secretsmanager-secret-periodic-rotation
<a name="secretsmanager-secret-periodic-rotation"></a>

Checks if AWS Secrets Manager secrets have been rotated in the past specified number of days. The rule is NON_COMPLIANT if a secret has not been rotated for more than maxDaysSinceRotation number of days. The default value is 90 days.

**Identifier:** SECRETSMANAGER_SECRET_PERIODIC_ROTATION

**Resource Types:** AWS::SecretsManager::Secret

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions

**Parameters:**

maxDaysSinceRotation (Optional)  
Type: int  
Maximum number of days in which a secret can remain unchanged. The default value is 90 days.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1481c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# secretsmanager-secret-unused
<a name="secretsmanager-secret-unused"></a>

Checks if AWS Secrets Manager secrets have been accessed within a specified number of days. The rule is NON_COMPLIANT if a secret has not been accessed in 'unusedForDays' number of days. The default value is 90 days.

**Context**: It is recommended to routinely delete unused secrets. Unused secrets can be misused by former users who no longer need access to these secrets. Additionally, as more users gain access to a secret, it becomes increasingly possible that someone has misused a secret or has granted access to an unauthorized entity. Deleting unused secrets helps revoke secret access from users who no longer need it, and can reduce your cost of using AWS Secrets Manager.

**Identifier:** SECRETSMANAGER_SECRET_UNUSED

**Resource Types:** AWS::SecretsManager::Secret

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions

**Parameters:**

unusedForDays (Optional)  
Type: int  
The number of days in which a secret can remain unused. The default value is 90 days.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1483c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# secretsmanager-using-cmk
<a name="secretsmanager-using-cmk"></a>

Checks if all secrets in AWS Secrets Manager are encrypted using the AWS managed key (`aws/secretsmanager`) or a customer managed key that was created in AWS Key Management Service (AWS KMS). The rule is COMPLIANT if a secret is encrypted using a customer managed key. This rule is NON_COMPLIANT if a secret is encrypted using `aws/secretsmanager`.

**Note**  
This rule does not have access to cross-account customer managed keys and evaluates secrets as NON_COMPLIANT when a cross-account key is used.

**Identifier:** SECRETSMANAGER_USING_CMK

**Resource Types:** AWS::SecretsManager::Secret

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions

**Parameters:**

kmsKeyArns (Optional)  
Type: CSV  
Comma-separated list of KMS key Amazon Resource Names (ARNs) to check if the keys are used in the encryption.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1485c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# securityhub-enabled
<a name="securityhub-enabled"></a>

Checks if AWS Security Hub is enabled for an AWS Account. The rule is NON_COMPLIANT if AWS Security Hub is not enabled.

**Identifier:** SECURITYHUB_ENABLED

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1487c17"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# security-account-information-provided
<a name="security-account-information-provided"></a>

Checks if you have provided security contact information for your AWS account contacts. The rule is NON_COMPLIANT if security contact information within the account is not provided.

**Identifier:** SECURITY_ACCOUNT_INFORMATION_PROVIDED

**Resource Types:** AWS::::Account

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1489c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# service-catalog-portfolio-tagged
<a name="service-catalog-portfolio-tagged"></a>

Checks if AWS Service Catalog portfolio resources have tags. Optionally, required tag keys can be specified. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** SERVICE_CATALOG_PORTFOLIO_TAGGED

**Resource Types:** AWS::ServiceCatalog::Portfolio

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Jakarta), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1491c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# service-catalog-shared-within-organization
<a name="service-catalog-shared-within-organization"></a>

Checks if AWS Service Catalog shares portfolios to an organization (a collection of AWS accounts treated as a single unit) when integration is enabled with AWS Organizations. The rule is NON_COMPLIANT if the `Type` value of a share is `ACCOUNT`.

**Identifier:** SERVICE_CATALOG_SHARED_WITHIN_ORGANIZATION

**Resource Types:** AWS::ServiceCatalog::Portfolio

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Jakarta), Asia Pacific (Malaysia), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1493c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# service-vpc-endpoint-enabled
<a name="service-vpc-endpoint-enabled"></a>

Checks if a service endpoint for the service provided in the rule parameter is created for each Amazon Virtual Private Cloud (Amazon VPC). The rule is NON_COMPLIANT if an Amazon VPC doesn't have an Amazon VPC endpoint created for the service.

**Identifier:** SERVICE_VPC_ENDPOINT_ENABLED

**Resource Types:** AWS::EC2::VPC

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions

**Parameters:**

serviceName  
Type: String  
The short name or suffix for the service. Note: To get a list of available service names or valid suffix list, use DescribeVpcEndpointServices.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1495c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ses-malware-scanning-enabled
<a name="ses-malware-scanning-enabled"></a>

Checks if malware and spam scanning on receiving messages is enabled for Amazon Simple Email Service (Amazon SES). The rule is NON_COMPLIANT if malware and spam scanning is not enabled.

**Identifier:** SES_MALWARE_SCANNING_ENABLED

**Resource Types:** AWS::SES::ReceiptRule

**Trigger type:** Periodic

**AWS Region:** Only available in Europe (Ireland), US East (N. Virginia), US West (Oregon) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1497c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ses-sending-tls-required
<a name="ses-sending-tls-required"></a>

Checks if Amazon Simple Email Service (SES) Configuration Set has TLS encryption enforced for email delivery. The rule is NON_COMPLIANT if the TLS Policy is not set to 'REQUIRE' in the Configuration Set.

**Identifier:** SES_SENDING_TLS_REQUIRED

**Resource Types:** AWS::SES::ConfigurationSet

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Hong Kong), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1499c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# shield-advanced-enabled-autorenew
<a name="shield-advanced-enabled-autorenew"></a>

Checks if AWS Shield Advanced is enabled in your AWS account and this subscription is set to automatically renew. The rule is COMPLIANT if Shield Advanced is enabled and auto renew is enabled. 

**Note**  
The API endpoint of AWS Shield Advanced is only available in US East (N. Virginia) Region. This rule should only be scheduled to run in the US East (N. Virginia) Region.

**Identifier:** SHIELD_ADVANCED_ENABLED_AUTORENEW

**Trigger type:** Periodic

**AWS Region:** Only available in US East (N. Virginia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1501c17"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# shield-drt-access
<a name="shield-drt-access"></a>

Checks if the Shield Response Team (SRT) can access your AWS account. The rule is NON_COMPLIANT if AWS Shield Advanced is enabled but the role for SRT access is not configured.

**Identifier:** SHIELD_DRT_ACCESS

**Trigger type:** Periodic

**AWS Region:** Only available in US East (N. Virginia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1503c17"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# signer-signingprofile-tagged
<a name="signer-signingprofile-tagged"></a>

Checks if AWS Signer signing profile resources have tags. Optionally, required tag keys can be specified. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** SIGNER_SIGNINGPROFILE_TAGGED

**Resource Types:** AWS::Signer::SigningProfile

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Jakarta), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Osaka), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1505c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# sns-encrypted-kms
<a name="sns-encrypted-kms"></a>

Checks if SNS topics are encrypted with AWS Key Management Service (AWS KMS). The rule is NON_COMPLIANT if an SNS topic is not encrypted with AWS KMS. Optionally, specify the key ARNs, the alias ARNs, the alias name, or the key IDs for the rule to check.

**Identifier:** SNS_ENCRYPTED_KMS

**Resource Types:** AWS::SNS::Topic

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions

**Parameters:**

kmsKeyIds (Optional)  
Type: CSV  
Comma-separated list of AWS KMS key Amazon Resource Names (ARNs), KMS alias ARNs, KMS alias names, or KMS key IDs for the rule to check.

## Proactive Evaluation
<a name="w2aac20c16c17b7e1507c19"></a>

 For steps on how to run this rule in proactive mode, see [Evaluating Your Resources with AWS Config Rules](./evaluating-your-resources.html#evaluating-your-resources-proactive). For this rule to return COMPLIANT in proactive mode, the resource configuration schema for the [StartResourceEvaluation](https://docs.aws.amazon.com/config/latest/APIReference/API_StartResourceEvaluation.html) API needs to include the following inputs, encoded as a string: 

```
"ResourceConfiguration":
...
{
   "KmsMasterKeyId": "my-kms-key-Id"
} 
...
```

 For more information on proactive evaluation, see [Evaluation Mode](./evaluate-config-rules.html). 

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1507c21"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# sns-topic-message-delivery-notification-enabled
<a name="sns-topic-message-delivery-notification-enabled"></a>

Checks if Amazon Simple Notification Service (SNS) logging is enabled for the delivery status of notification messages sent to a topic for the endpoints. The rule is NON_COMPLIANT if the delivery status notification for messages is not enabled.

**Identifier:** SNS_TOPIC_MESSAGE_DELIVERY_NOTIFICATION_ENABLED

**Resource Types:** AWS::SNS::Topic

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Jakarta), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1509c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# sns-topic-no-public-access
<a name="sns-topic-no-public-access"></a>

Checks if the SNS topic access policy allows public access. The rule is NON_COMPLIANT if the SNS topic access policy allows public access.

**Note**  
To be considered non-public, an SNS policy must grant access only to fixed values. This means values that don't contain a wildcard or the following IAM policy element: [Variables](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#policy-vars-using-variables).

**Identifier:** SNS_TOPIC_NO_PUBLIC_ACCESS

**Resource Types:** AWS::SNS::Topic

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1511c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# sqs-queue-dlq-check
<a name="sqs-queue-dlq-check"></a>

Checks if Amazon Simple Queue Service (Amazon SQS) queues are configured to use a dead-letter queue (DLQ). The rule is NON_COMPLIANT if an Amazon SQS queue does not have any configuration to use a DLQ.

**Identifier:** SQS_QUEUE_DLQ_CHECK

**Resource Types:** AWS::SQS::Queue

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Jakarta), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1513c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# sqs-queue-no-public-access
<a name="sqs-queue-no-public-access"></a>

Checks if the SQS queue access policy allows public access. The rule is NON_COMPLIANT if the SQS queue access policy allows public access.

**Note**  
To be considered non-public, an SQS policy must grant access only to fixed values. This means values that don't contain a wildcard or the following IAM policy element: [Variables](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#policy-vars-using-variables).

**Identifier:** SQS_QUEUE_NO_PUBLIC_ACCESS

**Resource Types:** AWS::SQS::Queue

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Jakarta), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1515c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# sqs-queue-policy-full-access-check
<a name="sqs-queue-policy-full-access-check"></a>

Checks if the SQS queue access policy allows full access. The rule is NON_COMPLIANT if the SQS policy contains `SQS:*` within `Action` and `Effect` is `Allow`.

**Identifier:** SQS_QUEUE_POLICY_FULL_ACCESS_CHECK

**Resource Types:** AWS::SQS::Queue

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Jakarta), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1517c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ssm-automation-block-public-sharing
<a name="ssm-automation-block-public-sharing"></a>

Checks if AWS Systems Manager Documents has block public sharing enabled. The rule is NON_COMPLIANT if Systems Manager Documents has block public sharing disabled.

**Identifier:** SSM_AUTOMATION_BLOCK_PUBLIC_SHARING

**Resource Types:** AWS::::Account

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Malaysia), Asia Pacific (Melbourne), Mexico (Central), Asia Pacific (Taipei) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1519c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ssm-automation-logging-enabled
<a name="ssm-automation-logging-enabled"></a>

Checks if AWS Systems Manager Automation has Amazon CloudWatch logging enabled. The rule returns NON_COMPLIANT if Systems Manager Automation doesn't have CloudWatch logging enabled.

**Identifier:** SSM_AUTOMATION_LOGGING_ENABLED

**Resource Types:** AWS::::Account

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Malaysia), Mexico (Central), Asia Pacific (Taipei) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1521c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ssm-document-not-public
<a name="ssm-document-not-public"></a>

Checks if AWS Systems Manager documents owned by the account are public. The rule is NON_COMPLIANT if Systems Manager documents with the owner 'Self' are public.

**Identifier:** SSM_DOCUMENT_NOT_PUBLIC

**Resource Types:** AWS::SSM::Document

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1523c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# ssm-document-tagged
<a name="ssm-document-tagged"></a>

Checks if AWS Systems Manager documents have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** SSM_DOCUMENT_TAGGED

**Resource Types:** AWS::SSM::Document

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), China (Ningxia) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1525c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# stepfunctions-state-machine-tagged
<a name="stepfunctions-state-machine-tagged"></a>

Checks if AWS Step Functions state machines have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** STEPFUNCTIONS_STATE_MACHINE_TAGGED

**Resource Types:** AWS::StepFunctions::StateMachine

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), China (Ningxia) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1527c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# step-functions-state-machine-logging-enabled
<a name="step-functions-state-machine-logging-enabled"></a>

Checks if an AWS Step Functions state machine has logging enabled. The rule is NON_COMPLIANT if a state machine does not have logging enabled or the logging configuration is not at the minimum level provided.

**Identifier:** STEP_FUNCTIONS_STATE_MACHINE_LOGGING_ENABLED

**Resource Types:** AWS::StepFunctions::StateMachine

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary) Region

**Parameters:**

cloudWatchLogGroupArns (Optional)  
Type: CSV  
Comma-separated list of Amazon Resource Names (ARNs) for Amazon CloudWatch Logs log groups. The rule checks if the specified log groups are configured for your state machine logs.

logLevel (Optional)  
Type: String  
The minimum log level for your state machine. Valid values include: ALL, ERROR, FATAL.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1529c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# storagegateway-last-backup-recovery-point-created
<a name="storagegateway-last-backup-recovery-point-created"></a>

Checks if a recovery point was created for AWS Storage Gateway volumes. The rule is NON_COMPLIANT if the Storage Gateway volume does not have a corresponding recovery point created within the specified time period.

**Identifier:** STORAGEGATEWAY_LAST_BACKUP_RECOVERY_POINT_CREATED

**Resource Types:** AWS::StorageGateway::Volume

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

resourceTags (Optional)  
Type: String  
Tags of Storage Gateway volumes for the rule to check, in JSON format `{"tagkey" : "tagValue"}`.

resourceId (Optional)  
Type: String  
ID of Storage Gateway volume for the rule to check.

recoveryPointAgeValue (Optional)  
Type: int  
Default: 1  
Numerical value for maximum allowed age. No more than 744 for hours, 31 for days.

recoveryPointAgeUnit (Optional)  
Type: String  
Default: days  
Unit of time for maximum allowed age. Accepted values: 'hours', 'days'.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1531c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# storagegateway-resources-in-logically-air-gapped-vault
<a name="storagegateway-resources-in-logically-air-gapped-vault"></a>

Checks if AWS Storage Gateway volumes are in a logically air-gapped vault. The rule is NON_COMPLIANT if an AWS Storage Gateway volume is not in a logically air-gapped vault within the specified time period.

**Identifier:** STORAGEGATEWAY_RESOURCES_IN_LOGICALLY_AIR_GAPPED_VAULT

**Resource Types:** AWS::StorageGateway::Volume

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

resourceTags (Optional)  
Type: String  
Tags of Storage Gateway volumes for the rule to check, in JSON format.

resourceId (Optional)  
Type: String  
ID of Storage Gateway volume for the rule to check.

recoveryPointAgeValue (Optional)  
Type: int  
Default: 1  
Numerical value for maximum allowed age. No more than 2184 for hours, 91 for days.

recoveryPointAgeUnit (Optional)  
Type: String  
Default: days  
Unit of time for maximum allowed age. Accepted values: 'hours', 'days'.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1533c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# storagegateway-resources-protected-by-backup-plan
<a name="storagegateway-resources-protected-by-backup-plan"></a>

Checks if AWS Storage Gateway volumes are protected by a backup plan. The rule is NON_COMPLIANT if the Storage Gateway volume is not covered by a backup plan.

**Identifier:** STORAGEGATEWAY_RESOURCES_PROTECTED_BY_BACKUP_PLAN

**Resource Types:** AWS::StorageGateway::Volume

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

resourceTags (Optional)  
Type: String  
Tags for Storage Gateway volumes for the rule to check, in JSON format.

resourceId (Optional)  
Type: String  
ID of Storage Gateway volume for the rule to check.

crossRegionList (Optional)  
Type: String  
Comma-separated list of destination regions for the cross-region backup copy to be kept.

crossAccountList (Optional)  
Type: String  
Comma-separated list of destination accounts for cross-account backup copy to be kept.

maxRetentionDays (Optional)  
Type: int  
The maximum retention period in days for the Backup Vault Lock.

minRetentionDays (Optional)  
Type: int  
The minimum retention period in days for the Backup Vault Lock.

backupVaultLockCheck (Optional)  
Type: String  
Accepted values: 'True' or 'False'. Enter 'True' for the rule to check if the resource is backed up in a locked vault.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1535c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# subnet-auto-assign-public-ip-disabled
<a name="subnet-auto-assign-public-ip-disabled"></a>

Checks if Amazon Virtual Private Cloud (Amazon VPC) subnets are configured to automatically assign public IP addresses to instances launched within them. This rule is COMPLIANT if subnets do not auto-assign public IPv4 or IPv6 addresses. This rule is NON_COMPLIANT if subnets auto-assign public IPv4 or IPv6 addresses.

**Warning**  
This rule does not distinguish between private and public Global Unicast Address (GUA) IPv6 ranges and will treat all GUA ranges as violations when auto-assignment is enabled.



**Identifier:** SUBNET_AUTO_ASSIGN_PUBLIC_IP_DISABLED

**Resource Types:** AWS::EC2::Subnet

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions

**Parameters:**

None  

## Proactive Evaluation
<a name="w2aac20c16c17b7e1537c21"></a>

 For steps on how to run this rule in proactive mode, see [Evaluating Your Resources with AWS Config Rules](./evaluating-your-resources.html#evaluating-your-resources-proactive). For this rule to return COMPLIANT in proactive mode, the resource configuration schema for the [StartResourceEvaluation](https://docs.aws.amazon.com/config/latest/APIReference/API_StartResourceEvaluation.html) API needs to include the following inputs, encoded as a string: 

```
"ResourceConfiguration":
...
{
   "MapPublicIpOnLaunch": BOOLEAN
} 
...
```

 For more information on proactive evaluation, see [Evaluation Mode](./evaluate-config-rules.html). 

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1537c23"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# transfer-agreement-description
<a name="transfer-agreement-description"></a>

Checks if AWS Transfer Family agreements have a description. The rule is NON_COMPLIANT if configuration.Description does not exist.

**Identifier:** TRANSFER_AGREEMENT_DESCRIPTION

**Resource Types:** AWS::Transfer::Agreement

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1539c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# transfer-agreement-tagged
<a name="transfer-agreement-tagged"></a>

Checks if AWS Transfer Family agreements have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** TRANSFER_AGREEMENT_TAGGED

**Resource Types:** AWS::Transfer::Agreement

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1541c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# transfer-certificate-description
<a name="transfer-certificate-description"></a>

Checks if AWS Transfer Family certificates have a description. The rule is NON_COMPLIANT if configuration.Description does not exist.

**Identifier:** TRANSFER_CERTIFICATE_DESCRIPTION

**Resource Types:** AWS::Transfer::Certificate

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1543c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# transfer-certificate-tagged
<a name="transfer-certificate-tagged"></a>

Checks if AWS Transfer Family certificates have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** TRANSFER_CERTIFICATE_TAGGED

**Resource Types:** AWS::Transfer::Certificate

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), China (Ningxia) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1545c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# transfer-connector-as2-encryption-algorithm-check
<a name="transfer-connector-as2-encryption-algorithm-check"></a>

Checks that AWS Transfer Family AS2 connectors are not configured with a weak encryption algorithm. The rule is NON_COMPLIANT if configuration.As2Config.EncryptionAlgorithm is 'DES_EDE3_CBC'.

**Identifier:** TRANSFER_CONNECTOR_AS2_ENCRYPTION_ALGORITHM_CHECK

**Resource Types:** AWS::Transfer::Connector

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), China (Ningxia) Region

**Parameters:**

approvedEncryptionAlgorithms (Optional)  
Type: CSV  
Comma-separated list of approved encryption algorithms for the rule to check. If provided, the rule is NON_COMPLIANT if configuration.As2Config.EncryptionAlgorithm is configured with a value not specified in this parameter. Valid values include: 'AES128_CBC', 'AES192_CBC', 'AES256_CBC', 'NONE', and 'DES_EDE3_CBC'.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1547c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# transfer-connector-as2-mdn-signing-algorithm-check
<a name="transfer-connector-as2-mdn-signing-algorithm-check"></a>

Checks if AWS Transfer Family AS2 connectors are configured with a specified MDN signing algorithm for MDN responses. The rule is NON_COMPLIANT if configuration.As2Config.MdnSigningAlgorithm is a value not specified in the required rule parameter.

**Identifier:** TRANSFER_CONNECTOR_AS2_MDN_SIGNING_ALGORITHM_CHECK

**Resource Types:** AWS::Transfer::Connector

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), China (Ningxia) Region

**Parameters:**

approvedMdnSigningAlgorithms  
Type: CSV  
Comma-separated list of approved MDN signing algorithms for the rule to check. The rule is NON_COMPLIANT if configuration.As2Config.MdnSigningAlgorithm is configured with a value not specified in this parameter. Valid values include: 'SHA256', 'SHA384', 'SHA512', 'SHA1', 'DEFAULT', and 'NONE'.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1549c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# transfer-connector-as2-signing-algorithm-check
<a name="transfer-connector-as2-signing-algorithm-check"></a>

Checks if AWS Transfer Family AS2 connectors are configured with a signing algorithm. The rule is NON_COMPLIANT if configuration.As2Config.SigningAlgorithm is 'NONE'.

**Identifier:** TRANSFER_CONNECTOR_AS2_SIGNING_ALGORITHM_CHECK

**Resource Types:** AWS::Transfer::Connector

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), China (Ningxia) Region

**Parameters:**

approvedSigningAlgorithms (Optional)  
Type: CSV  
Comma-separated list of approved signing algorithms for the rule to check. If provided, the rule is NON_COMPLIANT if configuration.As2Config.SigningAlgorithm is configured with a value not specified in this parameter. Valid values include: 'SHA256', 'SHA384', 'SHA512', 'SHA1', and 'NONE'.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1551c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# transfer-connector-logging-enabled
<a name="transfer-connector-logging-enabled"></a>

Checks if AWS Transfer Family Connector publishes logs to Amazon CloudWatch. The rule is NON_COMPLIANT if a Connector does not have a LoggingRole assigned.

**Identifier:** TRANSFER_CONNECTOR_LOGGING_ENABLED

**Resource Types:** AWS::Transfer::Connector

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1553c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# transfer-connector-tagged
<a name="transfer-connector-tagged"></a>

Checks if AWS Transfer Family connectors have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** TRANSFER_CONNECTOR_TAGGED

**Resource Types:** AWS::Transfer::Connector

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), China (Ningxia) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1555c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# transfer-family-server-no-ftp
<a name="transfer-family-server-no-ftp"></a>

Checks if a server created with AWS Transfer Family uses FTP for endpoint connection. The rule is NON_COMPLIANT if the server protocol for endpoint connection is FTP-enabled.

**Identifier:** TRANSFER_FAMILY_SERVER_NO_FTP

**Resource Types:** AWS::Transfer::Server

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1557c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# transfer-profile-tagged
<a name="transfer-profile-tagged"></a>

Checks if AWS Transfer Family profiles have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** TRANSFER_PROFILE_TAGGED

**Resource Types:** AWS::Transfer::Profile

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), China (Ningxia) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1559c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# transfer-workflow-description
<a name="transfer-workflow-description"></a>

Checks if AWS Transfer Family workflows have a description. The rule is NON_COMPLIANT if configuration.Description does not exist or is an empty string.

**Identifier:** TRANSFER_WORKFLOW_DESCRIPTION

**Resource Types:** AWS::Transfer::Workflow

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1561c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# transfer-workflow-tagged
<a name="transfer-workflow-tagged"></a>

Checks if AWS Transfer Family workflows have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** TRANSFER_WORKFLOW_TAGGED

**Resource Types:** AWS::Transfer::Workflow

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), China (Ningxia) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1563c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# virtualmachine-last-backup-recovery-point-created
<a name="virtualmachine-last-backup-recovery-point-created"></a>

Checks if a recovery point was created for AWS Backup-Gateway VirtualMachines. The rule is NON_COMPLIANT if an AWS Backup-Gateway VirtualMachine does not have a corresponding recovery point created within the specified time period.

**Identifier:** VIRTUALMACHINE_LAST_BACKUP_RECOVERY_POINT_CREATED

**Resource Types:** AWS::BackupGateway::VirtualMachine

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Jakarta), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

resourceTags (Optional)  
Type: String  
Tags of AWS Backup-Gateway VirtualMachines for the rule to check, in JSON format `{"tagkey" : "tagValue"}`.

resourceId (Optional)  
Type: String  
ID of AWS Backup-Gateway VirtualMachine for the rule to check.

recoveryPointAgeValue (Optional)  
Type: int  
Default: 1  
Numerical value for maximum allowed age. No more than 744 for hours, 31 for days.

recoveryPointAgeUnit (Optional)  
Type: String  
Default: days  
Unit of time for maximum allowed age. Accepted values: 'hours', 'days'.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1565c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# virtualmachine-resources-in-logically-air-gapped-vault
<a name="virtualmachine-resources-in-logically-air-gapped-vault"></a>

Checks if AWS Backup-Gateway VirtualMachines are in a logically air-gapped vault. The rule is NON_COMPLIANT if an AWS Backup-Gateway VirtualMachine is not in a logically air-gapped vault within the specified time period.

**Identifier:** VIRTUALMACHINE_RESOURCES_IN_LOGICALLY_AIR_GAPPED_VAULT

**Resource Types:** AWS::BackupGateway::VirtualMachine

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Jakarta), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

resourceTags (Optional)  
Type: String  
Tags of AWS Backup-Gateway VirtualMachines for the rule to check, in JSON format.

resourceId (Optional)  
Type: String  
ID of AWS Backup-Gateway VirtualMachine for the rule to check.

recoveryPointAgeValue (Optional)  
Type: int  
Default: 1  
Numerical value for maximum allowed age. No more than 2184 for hours, 91 for days.

recoveryPointAgeUnit (Optional)  
Type: String  
Default: days  
Unit of time for maximum allowed age. Accepted values: 'hours', 'days'.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1567c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# virtualmachine-resources-protected-by-backup-plan
<a name="virtualmachine-resources-protected-by-backup-plan"></a>

Checks if AWS Backup-Gateway VirtualMachines are protected by a backup plan. The rule is NON_COMPLIANT if the Backup-Gateway VirtualMachine is not covered by a backup plan.

**Identifier:** VIRTUALMACHINE_RESOURCES_PROTECTED_BY_BACKUP_PLAN

**Resource Types:** AWS::BackupGateway::VirtualMachine

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Jakarta), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

resourceTags (Optional)  
Type: String  
Tags for AWS Backup-Gateway VirtualMachines for the rule to check, in JSON format `{"tagkey" : "tagValue"}`.

resourceId (Optional)  
Type: String  
ID of AWS Backup-Gateway VirtualMachine for the rule to check.

crossRegionList (Optional)  
Type: String  
Comma-separated list of destination regions for the cross-region backup copy to be kept.

crossAccountList (Optional)  
Type: String  
Comma-separated list of destination accounts for cross-account backup copy to be kept.

maxRetentionDays (Optional)  
Type: int  
The maximum retention period in days for the Backup Vault Lock.

minRetentionDays (Optional)  
Type: int  
The minimum retention period in days for the Backup Vault Lock.

backupVaultLockCheck (Optional)  
Type: String  
Accepted values: 'True' or 'False'. Enter 'True' for the rule to check if the resource is backed up in a locked vault.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1569c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# vpc-default-security-group-closed
<a name="vpc-default-security-group-closed"></a>

Checks if the default security group of any Amazon Virtual Private Cloud (Amazon VPC) does not allow inbound or outbound traffic. The rule is NON_COMPLIANT if the default security group has one or more inbound or outbound traffic rules.

**Note**  
There may be a delay between when AWS Config records the deletion of related resources such as default security groups, which are deleted as part of the Amazon VPC deletion. As a result, even if all default security groups or other related resources have been deleted or remediated, the rule may report NON_COMPLIANT until the next account baselining process.

**Identifier:** VPC_DEFAULT_SECURITY_GROUP_CLOSED

**Resource Types:** AWS::EC2::SecurityGroup

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1571c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# vpc-endpoint-enabled
<a name="vpc-endpoint-enabled"></a>

Checks if each service specified in the parameter has an Amazon VPC endpoint. The rule is NON_COMPLIANT if Amazon VPC does not have a VPC endpoint created for each specified service. Optionally, you can specify certain VPCs for the rule to check.

**Identifier:** VPC_ENDPOINT_ENABLED

**Resource Types:** AWS::EC2::VPC

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Mexico (Central), Asia Pacific (Taipei) Region

**Parameters:**

serviceNames  
Type: CSV  
Comma-separated list of service names or endpoints. Example: "ec2, ecr.api" or "com.amazonaws.region.ec2". Use DescribeVpcEndpointServices for available names. The rule considers the FIPS version of the endpoint to be compliant as well.

vpcIds (Optional)  
Type: CSV  
Comma-separated list of Amazon VPC IDs for VPC endpoints. If provided, the rule is NON_COMPLIANT if the services specified in the serviceNames parameter do not have one of these VPC endpoints.

scopeConfigResourceTypes (Optional)  
Type: CSV  
Comma-separated list of AWS Config resource types for the rule to check. If specified, the rule returns a compliance status only if at least one specified resource is recorded in the account. For example: "AWS::SNS::Topic".

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1573c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# vpc-flow-logs-enabled
<a name="vpc-flow-logs-enabled"></a>

Checks if Amazon Virtual Private Cloud (Amazon VPC) flow logs are found and enabled for all Amazon VPCs. The rule is NON_COMPLIANT if flow logs are not enabled for at least one Amazon VPC.

**Identifier:** VPC_FLOW_LOGS_ENABLED

**Resource Types:** AWS::EC2::VPC

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions

**Parameters:**

trafficType (Optional)  
Type: String  
TrafficType of flow logs

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1575c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# vpc-network-acl-unused-check
<a name="vpc-network-acl-unused-check"></a>

Checks if there are unused network access control lists (network ACLs). The rule is COMPLIANT if each network ACL is associated with a subnet. The rule is NON_COMPLIANT if a network ACL is not associated with a subnet.

**Identifier:** VPC_NETWORK_ACL_UNUSED_CHECK

**Resource Types:** AWS::EC2::NetworkAcl

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1577c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# vpc-peering-dns-resolution-check
<a name="vpc-peering-dns-resolution-check"></a>

Checks if DNS resolution from accepter/requester VPC to private IP is enabled. The rule is NON_COMPLIANT if DNS resolution from accepter/requester VPC to private IP is not enabled.

**Identifier:** VPC_PEERING_DNS_RESOLUTION_CHECK

**Resource Types:** AWS::EC2::VPCPeeringConnection

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Jakarta), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

vpcIds (Optional)  
Type: CSV  
Comma-separated list of VPC IDs to be checked.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1579c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# vpc-sg-open-only-to-authorized-ports
<a name="vpc-sg-open-only-to-authorized-ports"></a>

Checks if security groups allowing unrestricted incoming traffic ('0.0.0.0/0' or '::/0') only allow inbound TCP or UDP connections on authorized ports. The rule is NON_COMPLIANT if such security groups do not have ports specified in the rule parameters.

**Note**  
This rule evaluates Amazon EC2 security groups with ingress rule set to IPv4='0.0.0.0/0' or IPv6='::/0'. If the security group does not have one of those destinations, this rule returns `NOT_APPLICABLE`.

**Identifier:** VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS

**Resource Types:** AWS::EC2::SecurityGroup

**Trigger type:** Configuration changes and Periodic

**AWS Region:** All supported AWS regions

**Parameters:**

authorizedTcpPorts (Optional)  
Type: String  
Comma-separated list of TCP ports authorized to be open to 0.0.0.0/0 or ::/0. Ranges are defined by dash, for example, "443,1020-1025".

authorizedUdpPorts (Optional)  
Type: String  
Comma-separated list of UDP ports authorized to be open to 0.0.0.0/0 or ::/0. Ranges are defined by dash, for example, "500,1020-1025".
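The following added example (not AWS's implementation of the managed rule) approximates the allow-list check in Python so you can dry-run `authorizedTcpPorts` and `authorizedUdpPorts` values against a security group before deploying the rule. Assumptions: the input uses the `IpPermissions` shape returned by EC2 `DescribeSecurityGroups`, an "all traffic" (`-1`) permission is treated as exposing every TCP and UDP port, other protocols are ignored, and the function names and sample groups are constructed for illustration.

```python
# Added example: approximates the allow-list check described above.
# It is not AWS's implementation of the managed rule.

OPEN_CIDRS = {"0.0.0.0/0", "::/0"}


def parse_port_spec(spec):
    """Parse a value such as "443,1020-1025" into inclusive (low, high) tuples."""
    ranges = []
    for item in (spec or "").split(","):
        item = item.strip()
        if not item:
            continue
        low, _, high = item.partition("-")
        low, high = int(low), int(high or low)
        if not 0 <= low <= high <= 65535:
            raise ValueError(f"invalid port or range: {item!r}")
        ranges.append((low, high))
    return ranges


def is_open_to_world(permission):
    """True if the permission lists 0.0.0.0/0 or ::/0 as a source."""
    cidrs = {r.get("CidrIp") for r in permission.get("IpRanges", [])}
    cidrs |= {r.get("CidrIpv6") for r in permission.get("Ipv6Ranges", [])}
    return bool(cidrs & OPEN_CIDRS)


def fully_covered(low, high, authorized):
    """True if every port in [low, high] falls inside the authorized ranges."""
    next_port = low
    for a_low, a_high in sorted(authorized):
        if a_low > next_port:
            break  # gap: next_port is not authorized
        next_port = max(next_port, a_high + 1)
        if next_port > high:
            return True
    return False


def evaluate(security_group, authorized_tcp_ports="", authorized_udp_ports=""):
    """Return (compliance, findings) for one security group."""
    authorized = {
        "tcp": parse_port_spec(authorized_tcp_ports),
        "udp": parse_port_spec(authorized_udp_ports),
    }
    open_perms = [p for p in security_group.get("IpPermissions", [])
                  if is_open_to_world(p)]
    if not open_perms:
        return "NOT_APPLICABLE", []

    findings = []
    for perm in open_perms:
        proto = perm.get("IpProtocol")
        if proto == "-1":
            # Assumption: "all traffic" exposes every TCP and UDP port.
            exposed = [("tcp", 0, 65535), ("udp", 0, 65535)]
        elif proto in authorized:
            exposed = [(proto, perm["FromPort"], perm["ToPort"])]
        else:
            # Assumption: ICMP and other protocols are outside this check.
            continue
        for name, low, high in exposed:
            if not fully_covered(low, high, authorized[name]):
                findings.append(f"{name} {low}-{high} open to the internet")
    return ("NON_COMPLIANT" if findings else "COMPLIANT"), findings


# Constructed sample security groups (not real resources).
SAMPLE_GROUPS = {
    "sg-web": {"IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    "sg-wide": {"IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 1020, "ToPort": 1030,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    "sg-internal": {"IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
}

if __name__ == "__main__":
    for name, group in SAMPLE_GROUPS.items():
        print(name, evaluate(group, authorized_tcp_ports="443,1020-1025"))
```

A range that extends even one port past an authorized range (1020-1030 against "1020-1025") is reported, which is the case most often missed when reviewing rules by eye.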

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1581c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# vpc-sg-port-restriction-check
<a name="vpc-sg-port-restriction-check"></a>

Checks if security groups restrict incoming traffic to restricted ports explicitly from 0.0.0.0/0 or ::/0. The rule is NON_COMPLIANT if security groups allow incoming traffic from 0.0.0.0/0 or ::/0 over TCP/UDP ports 22/3389 or as specified in parameters.

**Identifier:** VPC_SG_PORT_RESTRICTION_CHECK

**Resource Types:** AWS::EC2::SecurityGroup

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary) Region

**Parameters:**

restrictPorts (Optional)  
Type: CSV  
Comma-separated list of ports that should not be open for incoming traffic over the full IP range. Valid port numbers range from 0 to 65535. If not specified, the rule defaults to check for 22 and 3389.

protocolType (Optional)  
Type: String  
The Transmission Protocol Type for the rule to check. Valid values include 'TCP', 'UDP', and 'ALL' (case-insensitive). If set to 'ALL', the rule will check for rules that use either 'TCP', 'UDP', or 'ALL' (-1) protocol. Default value is 'ALL'.

excludeExternalSecurityGroups (Optional)  
Type: boolean  
Boolean flag to exclude the evaluation of external security groups. If set to 'true', the rule will not include external security groups in the evaluation. Otherwise, if the value is set to 'false', all security groups are evaluated. Default value is 'true'.

ipType (Optional)  
Type: String  
The Internet Protocol (IP) version for the rule to check. Valid values include 'IPv4', 'IPv6', and 'ALL' (case-insensitive). If not specified, the rule defaults to check for 'ALL'.
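The following added example (not AWS's implementation of the managed rule) shows how the `restrictPorts`, `protocolType`, and `ipType` parameters narrow what gets flagged. Assumptions: the input uses the `IpPermissions` shape returned by EC2 `DescribeSecurityGroups`, `protocolType` is applied literally as described above (a `-1` permission is only examined when the value is 'ALL'), `excludeExternalSecurityGroups` is not modelled, and the function names and sample groups are constructed for illustration.

```python
# Added example: approximates the deny-list check described above.
# It is not AWS's implementation of the managed rule.

DEFAULT_RESTRICT_PORTS = "22,3389"  # default stated in the parameter description


def parse_ports(csv):
    """Parse restrictPorts ("22,3389") into a list of validated integers."""
    ports = []
    for item in csv.split(","):
        port = int(item.strip())
        if not 0 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
        ports.append(port)
    return ports


def protocols_in_scope(protocol_type):
    """Map protocolType (case-insensitive) to the IpProtocol values examined."""
    table = {"TCP": {"tcp"}, "UDP": {"udp"}, "ALL": {"tcp", "udp", "-1"}}
    key = protocol_type.upper()
    if key not in table:
        raise ValueError(f"invalid protocolType: {protocol_type!r}")
    return table[key]


def open_sources(permission, ip_type):
    """Return the unrestricted source CIDRs that match ipType."""
    key = ip_type.upper()
    if key not in ("IPV4", "IPV6", "ALL"):
        raise ValueError(f"invalid ipType: {ip_type!r}")
    sources = []
    if key in ("IPV4", "ALL"):
        sources += [r["CidrIp"] for r in permission.get("IpRanges", [])
                    if r.get("CidrIp") == "0.0.0.0/0"]
    if key in ("IPV6", "ALL"):
        sources += [r["CidrIpv6"] for r in permission.get("Ipv6Ranges", [])
                    if r.get("CidrIpv6") == "::/0"]
    return sources


def restricted_port_findings(security_group,
                             restrict_ports=DEFAULT_RESTRICT_PORTS,
                             protocol_type="ALL", ip_type="ALL"):
    """Return (port, protocol, cidr) tuples for each restricted port exposed."""
    ports = parse_ports(restrict_ports)
    protocols = protocols_in_scope(protocol_type)
    findings = []
    for perm in security_group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto not in protocols:
            continue
        if proto == "-1":
            low, high = 0, 65535  # "all traffic" carries no port range
        else:
            low, high = perm["FromPort"], perm["ToPort"]
        for cidr in open_sources(perm, ip_type):
            findings += [(p, proto, cidr) for p in ports if low <= p <= high]
    return findings


def compliance(security_group, **params):
    found = restricted_port_findings(security_group, **params)
    return "NON_COMPLIANT" if found else "COMPLIANT"


# Constructed sample security groups (not real resources).
SG_BASTION = {"IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
SG_RANGE_V6 = {"IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
     "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}
SG_ALL_TRAFFIC = {"IpPermissions": [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
SG_DNS = {"IpPermissions": [
    {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}

if __name__ == "__main__":
    for name, sg in [("bastion", SG_BASTION), ("range-v6", SG_RANGE_V6),
                     ("all-traffic", SG_ALL_TRAFFIC), ("dns", SG_DNS)]:
        print(name, compliance(sg), restricted_port_findings(sg))
```

Setting `ipType` to 'IPv4' leaves the IPv6-only exposure in `SG_RANGE_V6` unreported, so narrow these parameters only when another control covers the excluded protocol or address family.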

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1583c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# vpc-vpn-2-tunnels-up
<a name="vpc-vpn-2-tunnels-up"></a>

Checks if both virtual private network (VPN) tunnels provided by AWS Site-to-Site VPN are in UP status. The rule is NON_COMPLIANT if one or both tunnels are in DOWN status.

**Identifier:** VPC_VPN_2_TUNNELS_UP

**Resource Types:** AWS::EC2::VPNConnection

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except China (Beijing), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1585c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# wafv2-logging-enabled
<a name="wafv2-logging-enabled"></a>

Checks if logging is enabled on AWS WAFv2 regional and global web access control lists (web ACLs). The rule is NON_COMPLIANT if the logging is enabled but the logging destination does not match the value of the parameter.

**Note**  
**Amazon Security Lake Exception**  
This rule does not check logging done with Security Lake for AWS WAFV2 web ACLs.

**Identifier:** WAFV2_LOGGING_ENABLED

**Resource Types:** AWS::WAFv2::WebACL

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions

**Parameters:**

KinesisFirehoseDeliveryStreamArns (Optional)  
Type: CSV  
Comma-separated list of Kinesis Firehose delivery stream ARNs.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1587c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# wafv2-rulegroup-logging-enabled
<a name="wafv2-rulegroup-logging-enabled"></a>

Checks if Amazon CloudWatch security metrics collection on AWS WAFv2 rule groups is enabled. The rule is NON_COMPLIANT if the 'VisibilityConfig.CloudWatchMetricsEnabled' field is set to false.

**Context**: AWS WAFV2 (Web Application Firewall version 2) allows you to create AWS WAF rules to protect your web applications from common web exploits and vulnerabilities. An AWS WAF rule group is a collection of AWS WAF rules that you can associate with a web ACL (Access Control List) to define the desired behavior for your web application traffic. For more information, see [AWS WAF rules](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rules.html) and [Rule groups](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-groups.html) in the *AWS WAF Developer Guide*. 

By configuring CloudWatch security metrics collection on AWS WAFV2 rule groups, you can monitor security metrics such as successful or failed distributed denial of service (DDoS), SQL injection, and cross-site scripting (XSS) attacks. The security metrics collected can help you simplify your investigations.

**Note**  
If there are no AWS WAF rules in the AWS WAFV2 rule group for the AWS Config managed rule to check, the AWS Config managed rule returns `NOT_APPLICABLE`.

**Identifier:** WAFV2_RULEGROUP_LOGGING_ENABLED

**Resource Types:** AWS::WAFv2::RuleGroup

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1589c23"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# wafv2-rulegroup-not-empty
<a name="wafv2-rulegroup-not-empty"></a>

Checks if WAFv2 Rule Groups contain rules. The rule is NON_COMPLIANT if there are no rules in a WAFv2 Rule Group.

**Identifier:** WAFV2_RULEGROUP_NOT_EMPTY

**Resource Types:** AWS::WAFv2::RuleGroup

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except China (Beijing), Asia Pacific (Thailand), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1591c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# wafv2-webacl-not-empty
<a name="wafv2-webacl-not-empty"></a>

Checks if a WAFv2 Web ACL contains any WAF rules or WAF rule groups. This rule is NON_COMPLIANT if a Web ACL does not contain any WAF rules or WAF rule groups.

**Identifier:** WAFV2_WEBACL_NOT_EMPTY

**Resource Types:** AWS::WAFv2::WebACL

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (Thailand), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1593c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# waf-classic-logging-enabled
<a name="waf-classic-logging-enabled"></a>

Checks if logging is enabled on AWS WAF classic global web access control lists (web ACLs). The rule is NON_COMPLIANT for a global web ACL, if it does not have logging enabled.

**Identifier:** WAF_CLASSIC_LOGGING_ENABLED

**Resource Types:** AWS::WAF::WebACL

**Trigger type:** Periodic

**AWS Region:** Only available in US East (N. Virginia) Region

**Parameters:**

KinesisFirehoseDeliveryStreamArns (Optional)  
Type: CSV  
Comma-separated list of Amazon Kinesis stream ARNs for AWS WAF logs.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1595c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# waf-global-rulegroup-not-empty
<a name="waf-global-rulegroup-not-empty"></a>

Checks if an AWS WAF Classic rule group contains any rules. The rule is NON_COMPLIANT if there are no rules present within a rule group.

**Identifier:** WAF_GLOBAL_RULEGROUP_NOT_EMPTY

**Resource Types:** AWS::WAF::RuleGroup

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1597c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# waf-global-rule-not-empty
<a name="waf-global-rule-not-empty"></a>

Checks if an AWS WAF global rule contains any conditions. The rule is NON_COMPLIANT if no conditions are present within the WAF global rule.

**Identifier:** WAF_GLOBAL_RULE_NOT_EMPTY

**Resource Types:** AWS::WAF::Rule

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1599c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# waf-global-webacl-not-empty
<a name="waf-global-webacl-not-empty"></a>

Checks whether a WAF Global Web ACL contains any WAF rules or rule groups. This rule is NON_COMPLIANT if a Web ACL does not contain any WAF rule or rule group.

**Identifier:** WAF_GLOBAL_WEBACL_NOT_EMPTY

**Resource Types:** AWS::WAF::WebACL

**Trigger type:** Configuration changes

**AWS Region:** Only available in US East (N. Virginia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1601c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# waf-regional-rulegroup-not-empty
<a name="waf-regional-rulegroup-not-empty"></a>

Checks if WAF Regional rule groups contain any rules. The rule is NON_COMPLIANT if there are no rules present within a WAF Regional rule group.

**Identifier:** WAF_REGIONAL_RULEGROUP_NOT_EMPTY

**Resource Types:** AWS::WAFRegional::RuleGroup

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), China (Beijing), Asia Pacific (Thailand), Asia Pacific (Jakarta), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Osaka), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), China (Ningxia), Europe (Zurich) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1603c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# waf-regional-rule-not-empty
<a name="waf-regional-rule-not-empty"></a>

Checks whether WAF regional rule contains conditions. This rule is COMPLIANT if the regional rule contains at least one condition and NON_COMPLIANT otherwise.

**Identifier:** WAF_REGIONAL_RULE_NOT_EMPTY

**Resource Types:** AWS::WAFRegional::Rule

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1605c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# waf-regional-webacl-not-empty
<a name="waf-regional-webacl-not-empty"></a>

Checks if a WAF regional Web ACL contains any WAF rules or rule groups. The rule is NON_COMPLIANT if there are no WAF rules or rule groups present within a Web ACL.

**Identifier:** WAF_REGIONAL_WEBACL_NOT_EMPTY

**Resource Types:** AWS::WAFRegional::WebACL

**Trigger type:** Configuration changes

**AWS Region:** All supported AWS regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Asia Pacific (Taipei), Canada West (Calgary) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1607c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# workspaces-connection-alias-tagged
<a name="workspaces-connection-alias-tagged"></a>

Checks if Amazon WorkSpaces connection aliases have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** WORKSPACES_CONNECTION_ALIAS_TAGGED

**Resource Types:** AWS::WorkSpaces::ConnectionAlias

**Trigger type:** Configuration changes

**AWS Region:** Only available in Europe (Ireland), Europe (Frankfurt), South America (Sao Paulo), US East (N. Virginia), Asia Pacific (Seoul), Europe (London), Asia Pacific (Tokyo), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Sydney), Canada (Central) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1609c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# workspaces-root-volume-encryption-enabled
<a name="workspaces-root-volume-encryption-enabled"></a>

Checks if an Amazon WorkSpace volume has the root volume encryption settings set to enabled. This rule is NON_COMPLIANT if the encryption setting is not enabled for the root volume.

**Identifier:** WORKSPACES_ROOT_VOLUME_ENCRYPTION_ENABLED

**Resource Types:** AWS::WorkSpaces::Workspace

**Trigger type:** Configuration changes

**AWS Region:** Only available in Asia Pacific (Mumbai), Africa (Cape Town), Europe (Ireland), Europe (Frankfurt), South America (Sao Paulo), US East (N. Virginia), Asia Pacific (Seoul), Europe (London), Asia Pacific (Tokyo), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Sydney), Canada (Central), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1611c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# workspaces-user-volume-encryption-enabled
<a name="workspaces-user-volume-encryption-enabled"></a>

Checks if an Amazon WorkSpace volume has the user volume encryption settings set to enabled. This rule is NON_COMPLIANT if the encryption setting is not enabled for the user volume.

**Identifier:** WORKSPACES_USER_VOLUME_ENCRYPTION_ENABLED

**Resource Types:** AWS::WorkSpaces::Workspace

**Trigger type:** Configuration changes

**AWS Region:** Only available in Asia Pacific (Mumbai), Africa (Cape Town), Europe (Ireland), Europe (Frankfurt), South America (Sao Paulo), US East (N. Virginia), Asia Pacific (Seoul), Europe (London), Asia Pacific (Tokyo), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Sydney), Canada (Central), China (Ningxia) Region

**Parameters:**

None  

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1613c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# workspaces-workspace-tagged
<a name="workspaces-workspace-tagged"></a>

Checks if Amazon WorkSpaces workspaces have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with 'aws:'.

**Identifier:** WORKSPACES_WORKSPACE_TAGGED

**Resource Types:** AWS::WorkSpaces::Workspace

**Trigger type:** Configuration changes

**AWS Region:** Only available in Asia Pacific (Mumbai), Africa (Cape Town), Europe (Ireland), Europe (Frankfurt), South America (Sao Paulo), US East (N. Virginia), Asia Pacific (Seoul), Europe (London), Asia Pacific (Tokyo), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Sydney), Canada (Central) Region

**Parameters:**

requiredKeyTags (Optional)  
Type: CSV  
Comma-separated list of tag keys for the rule to check. If provided, the rule is NON_COMPLIANT if the evaluated resource does not contain these keys. Tag keys are case-sensitive. Tag keys starting with 'aws:' are not allowed.

## AWS CloudFormation template
<a name="w2aac20c16c17b7e1615c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).

# List of AWS Config Managed Rules by Evaluation Mode
<a name="managed-rules-by-evaluation-mode"></a>

AWS Config currently supports the following managed rules. Before using these rules, see [Considerations](evaluate-config.md#evaluate-config-considerations).

## Proactive Evaluation
<a name="proactive-evaluation-section-head"></a>

*Proactive rules* are rules that support the proactive evaluation mode for resources that have not been deployed. This allows you to evaluate whether a set of resource properties, if used to define an AWS resource, would be COMPLIANT or NON_COMPLIANT given the set of proactive rules that you have in your account in your Region. For more information, see [Evaluation modes](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_components.html#evaluate-config_use-managed-rules-proactive-detective).

**Note**  
Proactive rules do not remediate resources that are flagged as NON_COMPLIANT or prevent them from being deployed.

### Proactive Evaluation
<a name="proactive-evaluation"></a>
+ [eip-attached](./eip-attached.html)
+ [subnet-auto-assign-public-ip-disabled](./subnet-auto-assign-public-ip-disabled.html)

## Detective Evaluation
<a name="detective-evaluation-section-head"></a>

*Detective rules* are rules that support the detective evaluation mode for resources that have already been deployed. This allows you to evaluate the configuration settings of your existing resources.

**Note**  
Currently, all AWS Config rules support detective evaluation.

### Detective Evaluation
<a name="detective-evaluation"></a>
+ [access-keys-rotated](./access-keys-rotated.html)
+ [account-part-of-organizations](./account-part-of-organizations.html)
+ [acmpca-certificate-authority-tagged](./acmpca-certificate-authority-tagged.html)
+ [acm-certificate-expiration-check](./acm-certificate-expiration-check.html)
+ [acm-certificate-rsa-check](./acm-certificate-rsa-check.html)
+ [acm-certificate-transparent-logging-enabled](./acm-certificate-transparent-logging-enabled.html)
+ [acm-pca-root-ca-disabled](./acm-pca-root-ca-disabled.html)
+ [active-mq-supported-version](./active-mq-supported-version.html)
+ [alb-desync-mode-check](./alb-desync-mode-check.html)
+ [alb-http-drop-invalid-header-enabled](./alb-http-drop-invalid-header-enabled.html)
+ [alb-http-to-https-redirection-check](./alb-http-to-https-redirection-check.html)
+ [alb-internal-scheme-check](./alb-internal-scheme-check.html)
+ [alb-listener-tagged](./alb-listener-tagged.html)
+ [alb-tagged](./alb-tagged.html)
+ [alb-waf-enabled](./alb-waf-enabled.html)
+ [amplify-app-branch-auto-deletion-enabled](./amplify-app-branch-auto-deletion-enabled.html)
+ [amplify-app-build-spec-configured](./amplify-app-build-spec-configured.html)
+ [amplify-app-description](./amplify-app-description.html)
+ [amplify-app-no-environment-variables](./amplify-app-no-environment-variables.html)
+ [amplify-app-platform-check](./amplify-app-platform-check.html)
+ [amplify-app-tagged](./amplify-app-tagged.html)
+ [amplify-branch-auto-build-enabled](./amplify-branch-auto-build-enabled.html)
+ [amplify-branch-build-spec-configured](./amplify-branch-build-spec-configured.html)
+ [amplify-branch-description](./amplify-branch-description.html)
+ [amplify-branch-framework-configured](./amplify-branch-framework-configured.html)
+ [amplify-branch-performance-mode-enabled](./amplify-branch-performance-mode-enabled.html)
+ [amplify-branch-pull-request-preview-enabled](./amplify-branch-pull-request-preview-enabled.html)
+ [amplify-branch-tagged](./amplify-branch-tagged.html)
+ [apigatewayv2-integration-private-https-enabled](./apigatewayv2-integration-private-https-enabled.html)
+ [apigatewayv2-stage-description](./apigatewayv2-stage-description.html)
+ [apigateway-domain-name-tls-check](./apigateway-domain-name-tls-check.html)
+ [apigateway-stage-access-logs-enabled](./apigateway-stage-access-logs-enabled.html)
+ [apigateway-stage-description](./apigateway-stage-description.html)
+ [api-gwv2-access-logs-enabled](./api-gwv2-access-logs-enabled.html)
+ [api-gwv2-authorization-type-configured](./api-gwv2-authorization-type-configured.html)
+ [api-gwv2-stage-default-route-detailed-metrics-enabled](./api-gwv2-stage-default-route-detailed-metrics-enabled.html)
+ [api-gw-associated-with-waf](./api-gw-associated-with-waf.html)
+ [api-gw-cache-enabled-and-encrypted](./api-gw-cache-enabled-and-encrypted.html)
+ [api-gw-endpoint-type-check](./api-gw-endpoint-type-check.html)
+ [api-gw-execution-logging-enabled](./api-gw-execution-logging-enabled.html)
+ [api-gw-rest-api-tagged](./api-gw-rest-api-tagged.html)
+ [api-gw-ssl-enabled](./api-gw-ssl-enabled.html)
+ [api-gw-stage-tagged](./api-gw-stage-tagged.html)
+ [api-gw-xray-enabled](./api-gw-xray-enabled.html)
+ [appconfig-application-description](./appconfig-application-description.html)
+ [appconfig-application-tagged](./appconfig-application-tagged.html)
+ [appconfig-configuration-profile-tagged](./appconfig-configuration-profile-tagged.html)
+ [appconfig-configuration-profile-validators-not-empty](./appconfig-configuration-profile-validators-not-empty.html)
+ [appconfig-deployment-strategy-description](./appconfig-deployment-strategy-description.html)
+ [appconfig-deployment-strategy-minimum-final-bake-time](./appconfig-deployment-strategy-minimum-final-bake-time.html)
+ [appconfig-deployment-strategy-replicate-to-ssm](./appconfig-deployment-strategy-replicate-to-ssm.html)
+ [appconfig-deployment-strategy-tagged](./appconfig-deployment-strategy-tagged.html)
+ [appconfig-environment-description](./appconfig-environment-description.html)
+ [appconfig-environment-tagged](./appconfig-environment-tagged.html)
+ [appconfig-extension-association-tagged](./appconfig-extension-association-tagged.html)
+ [appconfig-freeform-profile-config-storage](./appconfig-freeform-profile-config-storage.html)
+ [appconfig-hosted-configuration-version-description](./appconfig-hosted-configuration-version-description.html)
+ [appflow-flow-tagged](./appflow-flow-tagged.html)
+ [appflow-flow-trigger-type-check](./appflow-flow-trigger-type-check.html)
+ [appintegrations-application-approved-origins-check](./appintegrations-application-approved-origins-check.html)
+ [appintegrations-application-tagged](./appintegrations-application-tagged.html)
+ [appintegrations-event-integration-description](./appintegrations-event-integration-description.html)
+ [appintegrations-event-integration-tagged](./appintegrations-event-integration-tagged.html)
+ [appmesh-gateway-route-tagged](./appmesh-gateway-route-tagged.html)
+ [appmesh-mesh-deny-tcp-forwarding](./appmesh-mesh-deny-tcp-forwarding.html)
+ [appmesh-mesh-ip-pref-check](./appmesh-mesh-ip-pref-check.html)
+ [appmesh-mesh-tagged](./appmesh-mesh-tagged.html)
+ [appmesh-route-tagged](./appmesh-route-tagged.html)
+ [appmesh-virtual-gateway-backend-defaults-tls](./appmesh-virtual-gateway-backend-defaults-tls.html)
+ [appmesh-virtual-gateway-listeners-health-check-enabled](./appmesh-virtual-gateway-listeners-health-check-enabled.html)
+ [appmesh-virtual-gateway-logging-file-path-exists](./appmesh-virtual-gateway-logging-file-path-exists.html)
+ [appmesh-virtual-gateway-tagged](./appmesh-virtual-gateway-tagged.html)
+ [appmesh-virtual-node-backend-defaults-tls-on](./appmesh-virtual-node-backend-defaults-tls-on.html)
+ [appmesh-virtual-node-cloud-map-ip-pref-check](./appmesh-virtual-node-cloud-map-ip-pref-check.html)
+ [appmesh-virtual-node-dns-ip-pref-check](./appmesh-virtual-node-dns-ip-pref-check.html)
+ [appmesh-virtual-node-listeners-health-check-enabled](./appmesh-virtual-node-listeners-health-check-enabled.html)
+ [appmesh-virtual-node-listeners-outlier-detect-enabled](./appmesh-virtual-node-listeners-outlier-detect-enabled.html)
+ [appmesh-virtual-node-logging-file-path-exists](./appmesh-virtual-node-logging-file-path-exists.html)
+ [appmesh-virtual-node-service-backends-tls-enforced](./appmesh-virtual-node-service-backends-tls-enforced.html)
+ [appmesh-virtual-node-tagged](./appmesh-virtual-node-tagged.html)
+ [appmesh-virtual-router-tagged](./appmesh-virtual-router-tagged.html)
+ [appmesh-virtual-service-tagged](./appmesh-virtual-service-tagged.html)
+ [approved-amis-by-id](./approved-amis-by-id.html)
+ [approved-amis-by-tag](./approved-amis-by-tag.html)
+ [apprunner-service-in-vpc](./apprunner-service-in-vpc.html)
+ [apprunner-service-ip-address-type-check](./apprunner-service-ip-address-type-check.html)
+ [apprunner-service-max-unhealthy-threshold](./apprunner-service-max-unhealthy-threshold.html)
+ [apprunner-service-no-public-access](./apprunner-service-no-public-access.html)
+ [apprunner-service-observability-enabled](./apprunner-service-observability-enabled.html)
+ [apprunner-service-tagged](./apprunner-service-tagged.html)
+ [apprunner-vpc-connector-tagged](./apprunner-vpc-connector-tagged.html)
+ [appstream-fleet-in-vpc](./appstream-fleet-in-vpc.html)
+ [appsync-associated-with-waf](./appsync-associated-with-waf.html)
+ [appsync-authorization-check](./appsync-authorization-check.html)
+ [appsync-cache-ct-encryption-at-rest](./appsync-cache-ct-encryption-at-rest.html)
+ [appsync-cache-ct-encryption-in-transit](./appsync-cache-ct-encryption-in-transit.html)
+ [appsync-cache-encryption-at-rest](./appsync-cache-encryption-at-rest.html)
+ [appsync-graphql-api-xray-enabled](./appsync-graphql-api-xray-enabled.html)
+ [appsync-logging-enabled](./appsync-logging-enabled.html)
+ [aps-rule-groups-namespace-tagged](./aps-rule-groups-namespace-tagged.html)
+ [athena-data-catalog-description](./athena-data-catalog-description.html)
+ [athena-prepared-statement-description](./athena-prepared-statement-description.html)
+ [athena-workgroup-description](./athena-workgroup-description.html)
+ [athena-workgroup-encrypted-at-rest](./athena-workgroup-encrypted-at-rest.html)
+ [athena-workgroup-enforce-workgroup-configuration](./athena-workgroup-enforce-workgroup-configuration.html)
+ [athena-workgroup-engine-version-auto-upgrade](./athena-workgroup-engine-version-auto-upgrade.html)
+ [athena-workgroup-logging-enabled](./athena-workgroup-logging-enabled.html)
+ [auditmanager-assessment-tagged](./auditmanager-assessment-tagged.html)
+ [aurora-global-database-encryption-at-rest](./aurora-global-database-encryption-at-rest.html)
+ [aurora-last-backup-recovery-point-created](./aurora-last-backup-recovery-point-created.html)
+ [aurora-meets-restore-time-target](./aurora-meets-restore-time-target.html)
+ [aurora-mysql-backtracking-enabled](./aurora-mysql-backtracking-enabled.html)
+ [aurora-mysql-cluster-audit-logging](./aurora-mysql-cluster-audit-logging.html)
+ [aurora-resources-in-logically-air-gapped-vault](./aurora-resources-in-logically-air-gapped-vault.html)
+ [aurora-resources-protected-by-backup-plan](./aurora-resources-protected-by-backup-plan.html)
+ [autoscaling-capacity-rebalancing](./autoscaling-capacity-rebalancing.html)
+ [autoscaling-group-elb-healthcheck-required](./autoscaling-group-elb-healthcheck-required.html)
+ [autoscaling-launchconfig-requires-imdsv2](./autoscaling-launchconfig-requires-imdsv2.html)
+ [autoscaling-launch-config-hop-limit](./autoscaling-launch-config-hop-limit.html)
+ [autoscaling-launch-config-public-ip-disabled](./autoscaling-launch-config-public-ip-disabled.html)
+ [autoscaling-launch-template](./autoscaling-launch-template.html)
+ [autoscaling-multiple-az](./autoscaling-multiple-az.html)
+ [autoscaling-multiple-instance-types](./autoscaling-multiple-instance-types.html)
+ [backup-plan-min-frequency-and-min-retention-check](./backup-plan-min-frequency-and-min-retention-check.html)
+ [backup-recovery-point-encrypted](./backup-recovery-point-encrypted.html)
+ [backup-recovery-point-manual-deletion-disabled](./backup-recovery-point-manual-deletion-disabled.html)
+ [backup-recovery-point-minimum-retention-check](./backup-recovery-point-minimum-retention-check.html)
+ [batch-compute-environment-enabled](./batch-compute-environment-enabled.html)
+ [batch-compute-environment-managed](./batch-compute-environment-managed.html)
+ [batch-compute-environment-tagged](./batch-compute-environment-tagged.html)
+ [batch-job-queue-enabled](./batch-job-queue-enabled.html)
+ [batch-job-queue-tagged](./batch-job-queue-tagged.html)
+ [batch-managed-compute-environment-using-launch-template](./batch-managed-compute-environment-using-launch-template.html)
+ [batch-managed-compute-env-allocation-strategy-check](./batch-managed-compute-env-allocation-strategy-check.html)
+ [batch-managed-compute-env-compute-resources-tagged](./batch-managed-compute-env-compute-resources-tagged.html)
+ [batch-managed-spot-compute-environment-max-bid](./batch-managed-spot-compute-environment-max-bid.html)
+ [batch-scheduling-policy-tagged](./batch-scheduling-policy-tagged.html)
+ [beanstalk-enhanced-health-reporting-enabled](./beanstalk-enhanced-health-reporting-enabled.html)
+ [cassandra-keyspace-tagged](./cassandra-keyspace-tagged.html)
+ [clb-desync-mode-check](./clb-desync-mode-check.html)
+ [clb-multiple-az](./clb-multiple-az.html)
+ [cloudformation-stack-drift-detection-check](./cloudformation-stack-drift-detection-check.html)
+ [cloudformation-stack-notification-check](./cloudformation-stack-notification-check.html)
+ [cloudformation-stack-service-role-check](./cloudformation-stack-service-role-check.html)
+ [cloudformation-termination-protection-check](./cloudformation-termination-protection-check.html)
+ [cloudfront-accesslogs-enabled](./cloudfront-accesslogs-enabled.html)
+ [cloudfront-associated-with-waf](./cloudfront-associated-with-waf.html)
+ [cloudfront-custom-ssl-certificate](./cloudfront-custom-ssl-certificate.html)
+ [cloudfront-default-root-object-configured](./cloudfront-default-root-object-configured.html)
+ [cloudfront-distribution-key-group-enabled](./cloudfront-distribution-key-group-enabled.html)
+ [cloudfront-no-deprecated-ssl-protocols](./cloudfront-no-deprecated-ssl-protocols.html)
+ [cloudfront-origin-access-identity-enabled](./cloudfront-origin-access-identity-enabled.html)
+ [cloudfront-origin-failover-enabled](./cloudfront-origin-failover-enabled.html)
+ [cloudfront-origin-lambda-url-oac-enabled](./cloudfront-origin-lambda-url-oac-enabled.html)
+ [cloudfront-s3-origin-access-control-enabled](./cloudfront-s3-origin-access-control-enabled.html)
+ [cloudfront-s3-origin-non-existent-bucket](./cloudfront-s3-origin-non-existent-bucket.html)
+ [cloudfront-security-policy-check](./cloudfront-security-policy-check.html)
+ [cloudfront-sni-enabled](./cloudfront-sni-enabled.html)
+ [cloudfront-ssl-policy-check](./cloudfront-ssl-policy-check.html)
+ [cloudfront-traffic-to-origin-encrypted](./cloudfront-traffic-to-origin-encrypted.html)
+ [cloudfront-viewer-policy-https](./cloudfront-viewer-policy-https.html)
+ [cloudtrail-all-read-s3-data-event-check](./cloudtrail-all-read-s3-data-event-check.html)
+ [cloudtrail-all-write-s3-data-event-check](./cloudtrail-all-write-s3-data-event-check.html)
+ [cloudtrail-event-data-store-multi-region](./cloudtrail-event-data-store-multi-region.html)
+ [cloudtrail-s3-bucket-access-logging](./cloudtrail-s3-bucket-access-logging.html)
+ [cloudtrail-s3-bucket-public-access-prohibited](./cloudtrail-s3-bucket-public-access-prohibited.html)
+ [cloudtrail-s3-dataevents-enabled](./cloudtrail-s3-dataevents-enabled.html)
+ [cloudtrail-security-trail-enabled](./cloudtrail-security-trail-enabled.html)
+ [cloudwatch-alarm-action-check](./cloudwatch-alarm-action-check.html)
+ [cloudwatch-alarm-action-enabled-check](./cloudwatch-alarm-action-enabled-check.html)
+ [cloudwatch-alarm-description](./cloudwatch-alarm-description.html)
+ [cloudwatch-alarm-resource-check](./cloudwatch-alarm-resource-check.html)
+ [cloudwatch-alarm-settings-check](./cloudwatch-alarm-settings-check.html)
+ [cloudwatch-log-group-encrypted](./cloudwatch-log-group-encrypted.html)
+ [cloudwatch-metric-stream-tagged](./cloudwatch-metric-stream-tagged.html)
+ [cloud-trail-cloud-watch-logs-enabled](./cloud-trail-cloud-watch-logs-enabled.html)
+ [cloud-trail-enabled](./cloud-trail-enabled.html)
+ [cloud-trail-encryption-enabled](./cloud-trail-encryption-enabled.html)
+ [cloud-trail-log-file-validation-enabled](./cloud-trail-log-file-validation-enabled.html)
+ [cmk-backing-key-rotation-enabled](./cmk-backing-key-rotation-enabled.html)
+ [codeartifact-repository-tagged](./codeartifact-repository-tagged.html)
+ [codebuild-project-artifact-encryption](./codebuild-project-artifact-encryption.html)
+ [codebuild-project-environment-privileged-check](./codebuild-project-environment-privileged-check.html)
+ [codebuild-project-envvar-awscred-check](./codebuild-project-envvar-awscred-check.html)
+ [codebuild-project-logging-enabled](./codebuild-project-logging-enabled.html)
+ [codebuild-project-s3-logs-encrypted](./codebuild-project-s3-logs-encrypted.html)
+ [codebuild-project-source-repo-url-check](./codebuild-project-source-repo-url-check.html)
+ [codebuild-project-tagged](./codebuild-project-tagged.html)
+ [codebuild-report-group-encrypted-at-rest](./codebuild-report-group-encrypted-at-rest.html)
+ [codebuild-report-group-tagged](./codebuild-report-group-tagged.html)
+ [codedeploy-auto-rollback-monitor-enabled](./codedeploy-auto-rollback-monitor-enabled.html)
+ [codedeploy-deployment-group-auto-rollback-enabled](./codedeploy-deployment-group-auto-rollback-enabled.html)
+ [codedeploy-deployment-group-outdated-instances-update](./codedeploy-deployment-group-outdated-instances-update.html)
+ [codedeploy-ec2-minimum-healthy-hosts-configured](./codedeploy-ec2-minimum-healthy-hosts-configured.html)
+ [codedeploy-lambda-allatonce-traffic-shift-disabled](./codedeploy-lambda-allatonce-traffic-shift-disabled.html)
+ [codeguruprofiler-profiling-group-tagged](./codeguruprofiler-profiling-group-tagged.html)
+ [codegurureviewer-repository-association-tagged](./codegurureviewer-repository-association-tagged.html)
+ [codepipeline-deployment-count-check](./codepipeline-deployment-count-check.html)
+ [codepipeline-region-fanout-check](./codepipeline-region-fanout-check.html)
+ [cognito-identity-pool-unauthenticated-logins](./cognito-identity-pool-unauthenticated-logins.html)
+ [cognito-identity-pool-unauth-access-check](./cognito-identity-pool-unauth-access-check.html)
+ [cognito-userpool-cust-auth-threat-full-check](./cognito-userpool-cust-auth-threat-full-check.html)
+ [cognito-user-pool-advanced-security-enabled](./cognito-user-pool-advanced-security-enabled.html)
+ [cognito-user-pool-deletion-protection-enabled](./cognito-user-pool-deletion-protection-enabled.html)
+ [cognito-user-pool-mfa-enabled](./cognito-user-pool-mfa-enabled.html)
+ [cognito-user-pool-password-policy-check](./cognito-user-pool-password-policy-check.html)
+ [cognito-user-pool-tagged](./cognito-user-pool-tagged.html)
+ [connect-instance-logging-enabled](./connect-instance-logging-enabled.html)
+ [customerprofiles-domain-tagged](./customerprofiles-domain-tagged.html)
+ [customerprofiles-object-type-allow-profile-creation](./customerprofiles-object-type-allow-profile-creation.html)
+ [customerprofiles-object-type-tagged](./customerprofiles-object-type-tagged.html)
+ [custom-eventbus-policy-attached](./custom-eventbus-policy-attached.html)
+ [custom-schema-registry-policy-attached](./custom-schema-registry-policy-attached.html)
+ [cw-loggroup-retention-period-check](./cw-loggroup-retention-period-check.html)
+ [datasync-location-object-storage-using-https](./datasync-location-object-storage-using-https.html)
+ [datasync-task-data-verification-enabled](./datasync-task-data-verification-enabled.html)
+ [datasync-task-logging-enabled](./datasync-task-logging-enabled.html)
+ [datasync-task-tagged](./datasync-task-tagged.html)
+ [dax-encryption-enabled](./dax-encryption-enabled.html)
+ [dax-tls-endpoint-encryption](./dax-tls-endpoint-encryption.html)
+ [db-instance-backup-enabled](./db-instance-backup-enabled.html)
+ [desired-instance-tenancy](./desired-instance-tenancy.html)
+ [desired-instance-type](./desired-instance-type.html)
+ [devicefarm-instance-profile-tagged](./devicefarm-instance-profile-tagged.html)
+ [devicefarm-project-tagged](./devicefarm-project-tagged.html)
+ [devicefarm-test-grid-project-tagged](./devicefarm-test-grid-project-tagged.html)
+ [dms-auto-minor-version-upgrade-check](./dms-auto-minor-version-upgrade-check.html)
+ [dms-endpoint-ssl-configured](./dms-endpoint-ssl-configured.html)
+ [dms-endpoint-tagged](./dms-endpoint-tagged.html)
+ [dms-mongo-db-authentication-enabled](./dms-mongo-db-authentication-enabled.html)
+ [dms-neptune-iam-authorization-enabled](./dms-neptune-iam-authorization-enabled.html)
+ [dms-redis-tls-enabled](./dms-redis-tls-enabled.html)
+ [dms-replication-instance-multi-az-enabled](./dms-replication-instance-multi-az-enabled.html)
+ [dms-replication-not-public](./dms-replication-not-public.html)
+ [dms-replication-task-sourcedb-logging](./dms-replication-task-sourcedb-logging.html)
+ [dms-replication-task-tagged](./dms-replication-task-tagged.html)
+ [dms-replication-task-targetdb-logging](./dms-replication-task-targetdb-logging.html)
+ [docdb-cluster-audit-logging-enabled](./docdb-cluster-audit-logging-enabled.html)
+ [docdb-cluster-backup-retention-check](./docdb-cluster-backup-retention-check.html)
+ [docdb-cluster-deletion-protection-enabled](./docdb-cluster-deletion-protection-enabled.html)
+ [docdb-cluster-encrypted](./docdb-cluster-encrypted.html)
+ [docdb-cluster-encrypted-in-transit](./docdb-cluster-encrypted-in-transit.html)
+ [docdb-cluster-snapshot-public-prohibited](./docdb-cluster-snapshot-public-prohibited.html)
+ [dynamodb-autoscaling-enabled](./dynamodb-autoscaling-enabled.html)
+ [dynamodb-in-backup-plan](./dynamodb-in-backup-plan.html)
+ [dynamodb-last-backup-recovery-point-created](./dynamodb-last-backup-recovery-point-created.html)
+ [dynamodb-meets-restore-time-target](./dynamodb-meets-restore-time-target.html)
+ [dynamodb-pitr-enabled](./dynamodb-pitr-enabled.html)
+ [dynamodb-resources-protected-by-backup-plan](./dynamodb-resources-protected-by-backup-plan.html)
+ [dynamodb-table-deletion-protection-enabled](./dynamodb-table-deletion-protection-enabled.html)
+ [dynamodb-table-encrypted-kms](./dynamodb-table-encrypted-kms.html)
+ [dynamodb-table-encryption-enabled](./dynamodb-table-encryption-enabled.html)
+ [dynamodb-throughput-limit-check](./dynamodb-throughput-limit-check.html)
+ [ebs-in-backup-plan](./ebs-in-backup-plan.html)
+ [ebs-last-backup-recovery-point-created](./ebs-last-backup-recovery-point-created.html)
+ [ebs-meets-restore-time-target](./ebs-meets-restore-time-target.html)
+ [ebs-optimized-instance](./ebs-optimized-instance.html)
+ [ebs-resources-in-logically-air-gapped-vault](./ebs-resources-in-logically-air-gapped-vault.html)
+ [ebs-resources-protected-by-backup-plan](./ebs-resources-protected-by-backup-plan.html)
+ [ebs-snapshot-block-public-access](./ebs-snapshot-block-public-access.html)
+ [ebs-snapshot-public-restorable-check](./ebs-snapshot-public-restorable-check.html)
+ [ec2-capacity-reservation-tagged](./ec2-capacity-reservation-tagged.html)
+ [ec2-carrier-gateway-tagged](./ec2-carrier-gateway-tagged.html)
+ [ec2-client-vpn-connection-log-enabled](./ec2-client-vpn-connection-log-enabled.html)
+ [ec2-client-vpn-endpoint-tagged](./ec2-client-vpn-endpoint-tagged.html)
+ [ec2-client-vpn-not-authorize-all](./ec2-client-vpn-not-authorize-all.html)
+ [ec2-dhcp-options-tagged](./ec2-dhcp-options-tagged.html)
+ [ec2-ebs-encryption-by-default](./ec2-ebs-encryption-by-default.html)
+ [ec2-enis-source-destination-check-enabled](./ec2-enis-source-destination-check-enabled.html)
+ [ec2-fleet-tagged](./ec2-fleet-tagged.html)
+ [ec2-imdsv2-check](./ec2-imdsv2-check.html)
+ [ec2-instance-detailed-monitoring-enabled](./ec2-instance-detailed-monitoring-enabled.html)
+ [ec2-instance-launched-with-allowed-ami](./ec2-instance-launched-with-allowed-ami.html)
+ [ec2-instance-managed-by-ssm](./ec2-instance-managed-by-ssm.html)
+ [ec2-instance-multiple-eni-check](./ec2-instance-multiple-eni-check.html)
+ [ec2-instance-no-public-ip](./ec2-instance-no-public-ip.html)
+ [ec2-instance-profile-attached](./ec2-instance-profile-attached.html)
+ [ec2-ipamscope-tagged](./ec2-ipamscope-tagged.html)
+ [ec2-last-backup-recovery-point-created](./ec2-last-backup-recovery-point-created.html)
+ [ec2-launchtemplate-ebs-encrypted](./ec2-launchtemplate-ebs-encrypted.html)
+ [ec2-launch-templates-ebs-volume-encrypted](./ec2-launch-templates-ebs-volume-encrypted.html)
+ [ec2-launch-template-imdsv2-check](./ec2-launch-template-imdsv2-check.html)
+ [ec2-launch-template-public-ip-disabled](./ec2-launch-template-public-ip-disabled.html)
+ [ec2-launch-template-tagged](./ec2-launch-template-tagged.html)
+ [ec2-managedinstance-applications-blacklisted](./ec2-managedinstance-applications-blacklisted.html)
+ [ec2-managedinstance-applications-required](./ec2-managedinstance-applications-required.html)
+ [ec2-managedinstance-association-compliance-status-check](./ec2-managedinstance-association-compliance-status-check.html)
+ [ec2-managedinstance-inventory-blacklisted](./ec2-managedinstance-inventory-blacklisted.html)
+ [ec2-managedinstance-patch-compliance-status-check](./ec2-managedinstance-patch-compliance-status-check.html)
+ [ec2-managedinstance-platform-check](./ec2-managedinstance-platform-check.html)
+ [ec2-meets-restore-time-target](./ec2-meets-restore-time-target.html)
+ [ec2-network-insights-access-scope-analysis-tagged](./ec2-network-insights-access-scope-analysis-tagged.html)
+ [ec2-network-insights-access-scope-tagged](./ec2-network-insights-access-scope-tagged.html)
+ [ec2-network-insights-analysis-tagged](./ec2-network-insights-analysis-tagged.html)
+ [ec2-network-insights-path-tagged](./ec2-network-insights-path-tagged.html)
+ [ec2-no-amazon-key-pair](./ec2-no-amazon-key-pair.html)
+ [ec2-paravirtual-instance-check](./ec2-paravirtual-instance-check.html)
+ [ec2-prefix-list-tagged](./ec2-prefix-list-tagged.html)
+ [ec2-resources-in-logically-air-gapped-vault](./ec2-resources-in-logically-air-gapped-vault.html)
+ [ec2-resources-protected-by-backup-plan](./ec2-resources-protected-by-backup-plan.html)
+ [ec2-security-group-attached-to-eni](./ec2-security-group-attached-to-eni.html)
+ [ec2-security-group-attached-to-eni-periodic](./ec2-security-group-attached-to-eni-periodic.html)
+ [ec2-spot-fleet-request-ct-encryption-at-rest](./ec2-spot-fleet-request-ct-encryption-at-rest.html)
+ [ec2-stopped-instance](./ec2-stopped-instance.html)
+ [ec2-token-hop-limit-check](./ec2-token-hop-limit-check.html)
+ [ec2-traffic-mirror-filter-description](./ec2-traffic-mirror-filter-description.html)
+ [ec2-traffic-mirror-filter-tagged](./ec2-traffic-mirror-filter-tagged.html)
+ [ec2-traffic-mirror-session-description](./ec2-traffic-mirror-session-description.html)
+ [ec2-traffic-mirror-session-tagged](./ec2-traffic-mirror-session-tagged.html)
+ [ec2-traffic-mirror-target-description](./ec2-traffic-mirror-target-description.html)
+ [ec2-traffic-mirror-target-tagged](./ec2-traffic-mirror-target-tagged.html)
+ [ec2-transit-gateway-auto-vpc-attach-disabled](./ec2-transit-gateway-auto-vpc-attach-disabled.html)
+ [ec2-transit-gateway-multicast-domain-tagged](./ec2-transit-gateway-multicast-domain-tagged.html)
+ [ec2-volume-inuse-check](./ec2-volume-inuse-check.html)
+ [ec2-vpn-connection-ike-version-check](./ec2-vpn-connection-ike-version-check.html)
+ [ec2-vpn-connection-logging-enabled](./ec2-vpn-connection-logging-enabled.html)
+ [ec2-vpn-connection-tagged](./ec2-vpn-connection-tagged.html)
+ [ecr-private-image-scanning-enabled](./ecr-private-image-scanning-enabled.html)
+ [ecr-private-lifecycle-policy-configured](./ecr-private-lifecycle-policy-configured.html)
+ [ecr-private-tag-immutability-enabled](./ecr-private-tag-immutability-enabled.html)
+ [ecr-repository-cmk-encryption-enabled](./ecr-repository-cmk-encryption-enabled.html)
+ [ecr-repository-tagged](./ecr-repository-tagged.html)
+ [ecs-awsvpc-networking-enabled](./ecs-awsvpc-networking-enabled.html)
+ [ecs-capacity-provider-tagged](./ecs-capacity-provider-tagged.html)
+ [ecs-capacity-provider-termination-check](./ecs-capacity-provider-termination-check.html)
+ [ecs-containers-nonprivileged](./ecs-containers-nonprivileged.html)
+ [ecs-containers-readonly-access](./ecs-containers-readonly-access.html)
+ [ecs-container-insights-enabled](./ecs-container-insights-enabled.html)
+ [ecs-fargate-latest-platform-version](./ecs-fargate-latest-platform-version.html)
+ [ecs-no-environment-secrets](./ecs-no-environment-secrets.html)
+ [ecs-service-propagate-tags-enabled](./ecs-service-propagate-tags-enabled.html)
+ [ecs-task-definition-efs-encryption-enabled](./ecs-task-definition-efs-encryption-enabled.html)
+ [ecs-task-definition-linux-user-non-root](./ecs-task-definition-linux-user-non-root.html)
+ [ecs-task-definition-log-configuration](./ecs-task-definition-log-configuration.html)
+ [ecs-task-definition-memory-hard-limit](./ecs-task-definition-memory-hard-limit.html)
+ [ecs-task-definition-network-mode-not-host](./ecs-task-definition-network-mode-not-host.html)
+ [ecs-task-definition-nonroot-user](./ecs-task-definition-nonroot-user.html)
+ [ecs-task-definition-pid-mode-check](./ecs-task-definition-pid-mode-check.html)
+ [ecs-task-definition-user-for-host-mode-check](./ecs-task-definition-user-for-host-mode-check.html)
+ [ecs-task-definition-windows-user-non-admin](./ecs-task-definition-windows-user-non-admin.html)
+ [efs-access-point-enforce-root-directory](./efs-access-point-enforce-root-directory.html)
+ [efs-access-point-enforce-user-identity](./efs-access-point-enforce-user-identity.html)
+ [efs-automatic-backups-enabled](./efs-automatic-backups-enabled.html)
+ [efs-encrypted-check](./efs-encrypted-check.html)
+ [efs-filesystem-ct-encrypted](./efs-filesystem-ct-encrypted.html)
+ [efs-file-system-tagged](./efs-file-system-tagged.html)
+ [efs-in-backup-plan](./efs-in-backup-plan.html)
+ [efs-last-backup-recovery-point-created](./efs-last-backup-recovery-point-created.html)
+ [efs-meets-restore-time-target](./efs-meets-restore-time-target.html)
+ [efs-mount-target-public-accessible](./efs-mount-target-public-accessible.html)
+ [efs-resources-in-logically-air-gapped-vault](./efs-resources-in-logically-air-gapped-vault.html)
+ [efs-resources-protected-by-backup-plan](./efs-resources-protected-by-backup-plan.html)
+ [eip-attached](./eip-attached.html)
+ [eks-addon-tagged](./eks-addon-tagged.html)
+ [eks-cluster-logging-enabled](./eks-cluster-logging-enabled.html)
+ [eks-cluster-log-enabled](./eks-cluster-log-enabled.html)
+ [eks-cluster-oldest-supported-version](./eks-cluster-oldest-supported-version.html)
+ [eks-cluster-secrets-encrypted](./eks-cluster-secrets-encrypted.html)
+ [eks-cluster-supported-version](./eks-cluster-supported-version.html)
+ [eks-endpoint-no-public-access](./eks-endpoint-no-public-access.html)
+ [eks-fargate-profile-tagged](./eks-fargate-profile-tagged.html)
+ [eks-nodegroup-supported-version-check](./eks-nodegroup-supported-version-check.html)
+ [eks-secrets-encrypted](./eks-secrets-encrypted.html)
+ [elasticache-automatic-backup-check-enabled](./elasticache-automatic-backup-check-enabled.html)
+ [elasticache-auto-minor-version-upgrade-check](./elasticache-auto-minor-version-upgrade-check.html)
+ [elasticache-rbac-auth-enabled](./elasticache-rbac-auth-enabled.html)
+ [elasticache-redis-cluster-automatic-backup-check](./elasticache-redis-cluster-automatic-backup-check.html)
+ [elasticache-repl-grp-auto-failover-enabled](./elasticache-repl-grp-auto-failover-enabled.html)
+ [elasticache-repl-grp-encrypted-at-rest](./elasticache-repl-grp-encrypted-at-rest.html)
+ [elasticache-repl-grp-encrypted-in-transit](./elasticache-repl-grp-encrypted-in-transit.html)
+ [elasticache-repl-grp-redis-auth-enabled](./elasticache-repl-grp-redis-auth-enabled.html)
+ [elasticache-subnet-group-check](./elasticache-subnet-group-check.html)
+ [elasticache-supported-engine-version](./elasticache-supported-engine-version.html)
+ [elasticbeanstalk-application-description](./elasticbeanstalk-application-description.html)
+ [elasticbeanstalk-application-version-description](./elasticbeanstalk-application-version-description.html)
+ [elasticbeanstalk-environment-description](./elasticbeanstalk-environment-description.html)
+ [elasticsearch-encrypted-at-rest](./elasticsearch-encrypted-at-rest.html)
+ [elasticsearch-in-vpc-only](./elasticsearch-in-vpc-only.html)
+ [elasticsearch-logs-to-cloudwatch](./elasticsearch-logs-to-cloudwatch.html)
+ [elasticsearch-node-to-node-encryption-check](./elasticsearch-node-to-node-encryption-check.html)
+ [elastic-beanstalk-logs-to-cloudwatch](./elastic-beanstalk-logs-to-cloudwatch.html)
+ [elastic-beanstalk-managed-updates-enabled](./elastic-beanstalk-managed-updates-enabled.html)
+ [elbv2-acm-certificate-required](./elbv2-acm-certificate-required.html)
+ [elbv2-listener-encryption-in-transit](./elbv2-listener-encryption-in-transit.html)
+ [elbv2-multiple-az](./elbv2-multiple-az.html)
+ [elbv2-predefined-security-policy-ssl-check](./elbv2-predefined-security-policy-ssl-check.html)
+ [elbv2-targetgroup-healthcheck-protocol-encrypted](./elbv2-targetgroup-healthcheck-protocol-encrypted.html)
+ [elbv2-targetgroup-protocol-encrypted](./elbv2-targetgroup-protocol-encrypted.html)
+ [elb-acm-certificate-required](./elb-acm-certificate-required.html)
+ [elb-cross-zone-load-balancing-enabled](./elb-cross-zone-load-balancing-enabled.html)
+ [elb-custom-security-policy-ssl-check](./elb-custom-security-policy-ssl-check.html)
+ [elb-deletion-protection-enabled](./elb-deletion-protection-enabled.html)
+ [elb-internal-scheme-check](./elb-internal-scheme-check.html)
+ [elb-logging-enabled](./elb-logging-enabled.html)
+ [elb-predefined-security-policy-ssl-check](./elb-predefined-security-policy-ssl-check.html)
+ [elb-tagged](./elb-tagged.html)
+ [elb-tls-https-listeners-only](./elb-tls-https-listeners-only.html)
+ [emr-block-public-access](./emr-block-public-access.html)
+ [emr-kerberos-enabled](./emr-kerberos-enabled.html)
+ [emr-master-no-public-ip](./emr-master-no-public-ip.html)
+ [emr-security-configuration-encryption-rest](./emr-security-configuration-encryption-rest.html)
+ [emr-security-configuration-encryption-transit](./emr-security-configuration-encryption-transit.html)
+ [encrypted-volumes](./encrypted-volumes.html)
+ [eventschemas-discoverer-tagged](./eventschemas-discoverer-tagged.html)
+ [eventschemas-registry-tagged](./eventschemas-registry-tagged.html)
+ [event-data-store-cmk-encryption-enabled](./event-data-store-cmk-encryption-enabled.html)
+ [evidently-launch-description](./evidently-launch-description.html)
+ [evidently-launch-tagged](./evidently-launch-tagged.html)
+ [evidently-project-description](./evidently-project-description.html)
+ [evidently-project-tagged](./evidently-project-tagged.html)
+ [evidently-segment-description](./evidently-segment-description.html)
+ [evidently-segment-tagged](./evidently-segment-tagged.html)
+ [fis-experiment-template-log-configuration-exists](./fis-experiment-template-log-configuration-exists.html)
+ [fis-experiment-template-tagged](./fis-experiment-template-tagged.html)
+ [fms-shield-resource-policy-check](./fms-shield-resource-policy-check.html)
+ [fms-webacl-resource-policy-check](./fms-webacl-resource-policy-check.html)
+ [fms-webacl-rulegroup-association-check](./fms-webacl-rulegroup-association-check.html)
+ [frauddetector-entity-type-tagged](./frauddetector-entity-type-tagged.html)
+ [frauddetector-label-tagged](./frauddetector-label-tagged.html)
+ [frauddetector-outcome-tagged](./frauddetector-outcome-tagged.html)
+ [frauddetector-variable-tagged](./frauddetector-variable-tagged.html)
+ [fsx-last-backup-recovery-point-created](./fsx-last-backup-recovery-point-created.html)
+ [fsx-lustre-copy-tags-to-backups](./fsx-lustre-copy-tags-to-backups.html)
+ [fsx-meets-restore-time-target](./fsx-meets-restore-time-target.html)
+ [fsx-ontap-deployment-type-check](./fsx-ontap-deployment-type-check.html)
+ [fsx-openzfs-copy-tags-enabled](./fsx-openzfs-copy-tags-enabled.html)
+ [fsx-openzfs-deployment-type-check](./fsx-openzfs-deployment-type-check.html)
+ [fsx-resources-protected-by-backup-plan](./fsx-resources-protected-by-backup-plan.html)
+ [fsx-windows-audit-log-configured](./fsx-windows-audit-log-configured.html)
+ [fsx-windows-deployment-type-check](./fsx-windows-deployment-type-check.html)
+ [glb-listener-tagged](./glb-listener-tagged.html)
+ [glb-tagged](./glb-tagged.html)
+ [global-endpoint-event-replication-enabled](./global-endpoint-event-replication-enabled.html)
+ [glue-job-logging-enabled](./glue-job-logging-enabled.html)
+ [glue-ml-transform-encrypted-at-rest](./glue-ml-transform-encrypted-at-rest.html)
+ [glue-ml-transform-tagged](./glue-ml-transform-tagged.html)
+ [glue-spark-job-supported-version](./glue-spark-job-supported-version.html)
+ [groundstation-config-tagged](./groundstation-config-tagged.html)
+ [groundstation-dataflowendpointgroup-tagged](./groundstation-dataflowendpointgroup-tagged.html)
+ [groundstation-missionprofile-tagged](./groundstation-missionprofile-tagged.html)
+ [guardduty-ec2-protection-runtime-enabled](./guardduty-ec2-protection-runtime-enabled.html)
+ [guardduty-ecs-protection-runtime-enabled](./guardduty-ecs-protection-runtime-enabled.html)
+ [guardduty-eks-protection-audit-enabled](./guardduty-eks-protection-audit-enabled.html)
+ [guardduty-eks-protection-runtime-enabled](./guardduty-eks-protection-runtime-enabled.html)
+ [guardduty-enabled-centralized](./guardduty-enabled-centralized.html)
+ [guardduty-lambda-protection-enabled](./guardduty-lambda-protection-enabled.html)
+ [guardduty-malware-protection-enabled](./guardduty-malware-protection-enabled.html)
+ [guardduty-non-archived-findings](./guardduty-non-archived-findings.html)
+ [guardduty-rds-protection-enabled](./guardduty-rds-protection-enabled.html)
+ [guardduty-runtime-monitoring-enabled](./guardduty-runtime-monitoring-enabled.html)
+ [guardduty-s3-protection-enabled](./guardduty-s3-protection-enabled.html)
+ [healthlake-fhirdatastore-tagged](./healthlake-fhirdatastore-tagged.html)
+ [iam-customer-policy-blocked-kms-actions](./iam-customer-policy-blocked-kms-actions.html)
+ [iam-external-access-analyzer-enabled](./iam-external-access-analyzer-enabled.html)
+ [iam-group-has-users-check](./iam-group-has-users-check.html)
+ [iam-inline-policy-blocked-kms-actions](./iam-inline-policy-blocked-kms-actions.html)
+ [iam-no-inline-policy-check](./iam-no-inline-policy-check.html)
+ [iam-oidc-provider-client-id-list-check](./iam-oidc-provider-client-id-list-check.html)
+ [iam-oidc-provider-tagged](./iam-oidc-provider-tagged.html)
+ [iam-password-policy](./iam-password-policy.html)
+ [iam-policy-blacklisted-check](./iam-policy-blacklisted-check.html)
+ [iam-policy-description](./iam-policy-description.html)
+ [iam-policy-in-use](./iam-policy-in-use.html)
+ [iam-policy-no-statements-with-admin-access](./iam-policy-no-statements-with-admin-access.html)
+ [iam-policy-no-statements-with-full-access](./iam-policy-no-statements-with-full-access.html)
+ [iam-role-managed-policy-check](./iam-role-managed-policy-check.html)
+ [iam-root-access-key-check](./iam-root-access-key-check.html)
+ [iam-saml-provider-tagged](./iam-saml-provider-tagged.html)
+ [iam-server-certificate-expiration-check](./iam-server-certificate-expiration-check.html)
+ [iam-server-certificate-tagged](./iam-server-certificate-tagged.html)
+ [iam-user-group-membership-check](./iam-user-group-membership-check.html)
+ [iam-user-mfa-enabled](./iam-user-mfa-enabled.html)
+ [iam-user-no-policies-check](./iam-user-no-policies-check.html)
+ [iam-user-unused-credentials-check](./iam-user-unused-credentials-check.html)
+ [imagebuilder-distributionconfiguration-tagged](./imagebuilder-distributionconfiguration-tagged.html)
+ [imagebuilder-imagepipeline-tagged](./imagebuilder-imagepipeline-tagged.html)
+ [imagebuilder-imagerecipe-ebs-volumes-encrypted](./imagebuilder-imagerecipe-ebs-volumes-encrypted.html)
+ [imagebuilder-imagerecipe-tagged](./imagebuilder-imagerecipe-tagged.html)
+ [imagebuilder-infrastructureconfiguration-tagged](./imagebuilder-infrastructureconfiguration-tagged.html)
+ [incoming-ssh-disabled](./incoming-ssh-disabled.html)
+ [inspector-ec2-scan-enabled](./inspector-ec2-scan-enabled.html)
+ [inspector-ecr-scan-enabled](./inspector-ecr-scan-enabled.html)
+ [inspector-lambda-code-scan-enabled](./inspector-lambda-code-scan-enabled.html)
+ [inspector-lambda-standard-scan-enabled](./inspector-lambda-standard-scan-enabled.html)
+ [instances-in-vpc](./instances-in-vpc.html)
+ [internet-gateway-authorized-vpc-only](./internet-gateway-authorized-vpc-only.html)
+ [iotdevicedefender-custom-metric-tagged](./iotdevicedefender-custom-metric-tagged.html)
+ [iotevents-alarm-model-tagged](./iotevents-alarm-model-tagged.html)
+ [iotevents-detector-model-tagged](./iotevents-detector-model-tagged.html)
+ [iotevents-input-tagged](./iotevents-input-tagged.html)
+ [iotsitewise-asset-model-tagged](./iotsitewise-asset-model-tagged.html)
+ [iotsitewise-dashboard-tagged](./iotsitewise-dashboard-tagged.html)
+ [iotsitewise-gateway-tagged](./iotsitewise-gateway-tagged.html)
+ [iotsitewise-portal-tagged](./iotsitewise-portal-tagged.html)
+ [iotsitewise-project-tagged](./iotsitewise-project-tagged.html)
+ [iottwinmaker-component-type-tagged](./iottwinmaker-component-type-tagged.html)
+ [iottwinmaker-entity-tagged](./iottwinmaker-entity-tagged.html)
+ [iottwinmaker-scene-tagged](./iottwinmaker-scene-tagged.html)
+ [iottwinmaker-sync-job-tagged](./iottwinmaker-sync-job-tagged.html)
+ [iottwinmaker-workspace-tagged](./iottwinmaker-workspace-tagged.html)
+ [iotwireless-fuota-task-tagged](./iotwireless-fuota-task-tagged.html)
+ [iotwireless-multicast-group-tagged](./iotwireless-multicast-group-tagged.html)
+ [iotwireless-service-profile-tagged](./iotwireless-service-profile-tagged.html)
+ [iot-authorizer-token-signing-enabled](./iot-authorizer-token-signing-enabled.html)
+ [iot-job-template-tagged](./iot-job-template-tagged.html)
+ [iot-provisioning-template-description](./iot-provisioning-template-description.html)
+ [iot-provisioning-template-jitp](./iot-provisioning-template-jitp.html)
+ [iot-provisioning-template-tagged](./iot-provisioning-template-tagged.html)
+ [iot-scheduled-audit-tagged](./iot-scheduled-audit-tagged.html)
+ [ivs-channel-playback-authorization-enabled](./ivs-channel-playback-authorization-enabled.html)
+ [ivs-channel-tagged](./ivs-channel-tagged.html)
+ [ivs-playback-key-pair-tagged](./ivs-playback-key-pair-tagged.html)
+ [ivs-recording-configuration-tagged](./ivs-recording-configuration-tagged.html)
+ [kendra-index-tagged](./kendra-index-tagged.html)
+ [kinesisvideo-signalingchannel-tagged](./kinesisvideo-signalingchannel-tagged.html)
+ [kinesisvideo-stream-tagged](./kinesisvideo-stream-tagged.html)
+ [kinesis-firehose-delivery-stream-encrypted](./kinesis-firehose-delivery-stream-encrypted.html)
+ [kinesis-stream-backup-retention-check](./kinesis-stream-backup-retention-check.html)
+ [kinesis-stream-encrypted](./kinesis-stream-encrypted.html)
+ [kinesis-video-stream-minimum-data-retention](./kinesis-video-stream-minimum-data-retention.html)
+ [kms-cmk-not-scheduled-for-deletion](./kms-cmk-not-scheduled-for-deletion.html)
+ [kms-key-policy-no-public-access](./kms-key-policy-no-public-access.html)
+ [kms-key-tagged](./kms-key-tagged.html)
+ [lambda-concurrency-check](./lambda-concurrency-check.html)
+ [lambda-dlq-check](./lambda-dlq-check.html)
+ [lambda-function-application-log-level-check](./lambda-function-application-log-level-check.html)
+ [lambda-function-description](./lambda-function-description.html)
+ [lambda-function-log-format-json](./lambda-function-log-format-json.html)
+ [lambda-function-public-access-prohibited](./lambda-function-public-access-prohibited.html)
+ [lambda-function-settings-check](./lambda-function-settings-check.html)
+ [lambda-function-system-log-level-check](./lambda-function-system-log-level-check.html)
+ [lambda-function-xray-enabled](./lambda-function-xray-enabled.html)
+ [lambda-inside-vpc](./lambda-inside-vpc.html)
+ [lambda-vpc-multi-az-check](./lambda-vpc-multi-az-check.html)
+ [lightsail-bucket-allow-public-overrides-disabled](./lightsail-bucket-allow-public-overrides-disabled.html)
+ [lightsail-bucket-object-versioning-enabled](./lightsail-bucket-object-versioning-enabled.html)
+ [lightsail-bucket-tagged](./lightsail-bucket-tagged.html)
+ [lightsail-certificate-tagged](./lightsail-certificate-tagged.html)
+ [lightsail-disk-tagged](./lightsail-disk-tagged.html)
+ [macie-auto-sensitive-data-discovery-check](./macie-auto-sensitive-data-discovery-check.html)
+ [macie-status-check](./macie-status-check.html)
+ [mariadb-publish-logs-to-cloudwatch-logs](./mariadb-publish-logs-to-cloudwatch-logs.html)
+ [mediapackage-packagingconfiguration-tagged](./mediapackage-packagingconfiguration-tagged.html)
+ [mediatailor-playbackconfiguration-tagged](./mediatailor-playbackconfiguration-tagged.html)
+ [memorydb-subnetgroup-tagged](./memorydb-subnetgroup-tagged.html)
+ [mfa-enabled-for-iam-console-access](./mfa-enabled-for-iam-console-access.html)
+ [mq-active-broker-ldap-authentication](./mq-active-broker-ldap-authentication.html)
+ [mq-active-deployment-mode](./mq-active-deployment-mode.html)
+ [mq-active-single-instance-broker-storage-type-efs](./mq-active-single-instance-broker-storage-type-efs.html)
+ [mq-automatic-minor-version-upgrade-enabled](./mq-automatic-minor-version-upgrade-enabled.html)
+ [mq-auto-minor-version-upgrade-enabled](./mq-auto-minor-version-upgrade-enabled.html)
+ [mq-broker-general-logging-enabled](./mq-broker-general-logging-enabled.html)
+ [mq-cloudwatch-audit-logging-enabled](./mq-cloudwatch-audit-logging-enabled.html)
+ [mq-cloudwatch-audit-log-enabled](./mq-cloudwatch-audit-log-enabled.html)
+ [mq-no-public-access](./mq-no-public-access.html)
+ [mq-rabbit-deployment-mode](./mq-rabbit-deployment-mode.html)
+ [msk-cluster-public-access-disabled](./msk-cluster-public-access-disabled.html)
+ [msk-cluster-tagged](./msk-cluster-tagged.html)
+ [msk-connect-connector-logging-enabled](./msk-connect-connector-logging-enabled.html)
+ [msk-enhanced-monitoring-enabled](./msk-enhanced-monitoring-enabled.html)
+ [msk-in-cluster-node-require-tls](./msk-in-cluster-node-require-tls.html)
+ [msk-unrestricted-access-check](./msk-unrestricted-access-check.html)
+ [multi-region-cloud-trail-enabled](./multi-region-cloud-trail-enabled.html)
+ [nacl-no-unrestricted-ssh-rdp](./nacl-no-unrestricted-ssh-rdp.html)
+ [neptune-cluster-backup-retention-check](./neptune-cluster-backup-retention-check.html)
+ [neptune-cluster-cloudwatch-log-export-enabled](./neptune-cluster-cloudwatch-log-export-enabled.html)
+ [neptune-cluster-copy-tags-to-snapshot-enabled](./neptune-cluster-copy-tags-to-snapshot-enabled.html)
+ [neptune-cluster-deletion-protection-enabled](./neptune-cluster-deletion-protection-enabled.html)
+ [neptune-cluster-encrypted](./neptune-cluster-encrypted.html)
+ [neptune-cluster-iam-database-authentication](./neptune-cluster-iam-database-authentication.html)
+ [neptune-cluster-multi-az-enabled](./neptune-cluster-multi-az-enabled.html)
+ [neptune-cluster-snapshot-encrypted](./neptune-cluster-snapshot-encrypted.html)
+ [neptune-cluster-snapshot-iam-database-auth-enabled](./neptune-cluster-snapshot-iam-database-auth-enabled.html)
+ [neptune-cluster-snapshot-public-prohibited](./neptune-cluster-snapshot-public-prohibited.html)
+ [netfw-deletion-protection-enabled](./netfw-deletion-protection-enabled.html)
+ [netfw-logging-enabled](./netfw-logging-enabled.html)
+ [netfw-multi-az-enabled](./netfw-multi-az-enabled.html)
+ [netfw-policy-default-action-fragment-packets](./netfw-policy-default-action-fragment-packets.html)
+ [netfw-policy-default-action-full-packets](./netfw-policy-default-action-full-packets.html)
+ [netfw-policy-rule-group-associated](./netfw-policy-rule-group-associated.html)
+ [netfw-stateless-rule-group-not-empty](./netfw-stateless-rule-group-not-empty.html)
+ [netfw-subnet-change-protection-enabled](./netfw-subnet-change-protection-enabled.html)
+ [nlb-cross-zone-load-balancing-enabled](./nlb-cross-zone-load-balancing-enabled.html)
+ [nlb-internal-scheme-check](./nlb-internal-scheme-check.html)
+ [nlb-listener-tagged](./nlb-listener-tagged.html)
+ [nlb-logging-enabled](./nlb-logging-enabled.html)
+ [nlb-tagged](./nlb-tagged.html)
+ [no-unrestricted-route-to-igw](./no-unrestricted-route-to-igw.html)
+ [opensearchserverless-collection-description](./opensearchserverless-collection-description.html)
+ [opensearchserverless-collection-standbyreplicas-enabled](./opensearchserverless-collection-standbyreplicas-enabled.html)
+ [opensearch-access-control-enabled](./opensearch-access-control-enabled.html)
+ [opensearch-audit-logging-enabled](./opensearch-audit-logging-enabled.html)
+ [opensearch-data-node-fault-tolerance](./opensearch-data-node-fault-tolerance.html)
+ [opensearch-encrypted-at-rest](./opensearch-encrypted-at-rest.html)
+ [opensearch-https-required](./opensearch-https-required.html)
+ [opensearch-in-vpc-only](./opensearch-in-vpc-only.html)
+ [opensearch-logs-to-cloudwatch](./opensearch-logs-to-cloudwatch.html)
+ [opensearch-node-to-node-encryption-check](./opensearch-node-to-node-encryption-check.html)
+ [opensearch-primary-node-fault-tolerance](./opensearch-primary-node-fault-tolerance.html)
+ [opensearch-update-check](./opensearch-update-check.html)
+ [panorama-package-tagged](./panorama-package-tagged.html)
+ [rabbit-mq-supported-version](./rabbit-mq-supported-version.html)
+ [rds-aurora-mysql-audit-logging-enabled](./rds-aurora-mysql-audit-logging-enabled.html)
+ [rds-aurora-postgresql-logs-to-cloudwatch](./rds-aurora-postgresql-logs-to-cloudwatch.html)
+ [rds-automatic-minor-version-upgrade-enabled](./rds-automatic-minor-version-upgrade-enabled.html)
+ [rds-cluster-auto-minor-version-upgrade-enable](./rds-cluster-auto-minor-version-upgrade-enable.html)
+ [rds-cluster-backup-retention-check](./rds-cluster-backup-retention-check.html)
+ [rds-cluster-default-admin-check](./rds-cluster-default-admin-check.html)
+ [rds-cluster-deletion-protection-enabled](./rds-cluster-deletion-protection-enabled.html)
+ [rds-cluster-encrypted-at-rest](./rds-cluster-encrypted-at-rest.html)
+ [rds-cluster-iam-authentication-enabled](./rds-cluster-iam-authentication-enabled.html)
+ [rds-cluster-multi-az-enabled](./rds-cluster-multi-az-enabled.html)
+ [rds-db-security-group-not-allowed](./rds-db-security-group-not-allowed.html)
+ [rds-enhanced-monitoring-enabled](./rds-enhanced-monitoring-enabled.html)
+ [rds-event-subscription-tagged](./rds-event-subscription-tagged.html)
+ [rds-global-cluster-aurora-mysql-supported-version](./rds-global-cluster-aurora-mysql-supported-version.html)
+ [rds-instance-default-admin-check](./rds-instance-default-admin-check.html)
+ [rds-instance-deletion-protection-enabled](./rds-instance-deletion-protection-enabled.html)
+ [rds-instance-iam-authentication-enabled](./rds-instance-iam-authentication-enabled.html)
+ [rds-instance-public-access-check](./rds-instance-public-access-check.html)
+ [rds-instance-subnet-igw-check](./rds-instance-subnet-igw-check.html)
+ [rds-in-backup-plan](./rds-in-backup-plan.html)
+ [rds-last-backup-recovery-point-created](./rds-last-backup-recovery-point-created.html)
+ [rds-logging-enabled](./rds-logging-enabled.html)
+ [rds-mariadb-instance-encrypted-in-transit](./rds-mariadb-instance-encrypted-in-transit.html)
+ [rds-meets-restore-time-target](./rds-meets-restore-time-target.html)
+ [rds-multi-az-support](./rds-multi-az-support.html)
+ [rds-mysql-cluster-copy-tags-to-snapshot-check](./rds-mysql-cluster-copy-tags-to-snapshot-check.html)
+ [rds-mysql-instance-encrypted-in-transit](./rds-mysql-instance-encrypted-in-transit.html)
+ [rds-option-group-tagged](./rds-option-group-tagged.html)
+ [rds-pgsql-cluster-copy-tags-to-snapshot-check](./rds-pgsql-cluster-copy-tags-to-snapshot-check.html)
+ [rds-postgresql-logs-to-cloudwatch](./rds-postgresql-logs-to-cloudwatch.html)
+ [rds-postgres-instance-encrypted-in-transit](./rds-postgres-instance-encrypted-in-transit.html)
+ [rds-proxy-tls-encryption](./rds-proxy-tls-encryption.html)
+ [rds-resources-protected-by-backup-plan](./rds-resources-protected-by-backup-plan.html)
+ [rds-snapshots-public-prohibited](./rds-snapshots-public-prohibited.html)
+ [rds-snapshot-encrypted](./rds-snapshot-encrypted.html)
+ [rds-sqlserver-encrypted-in-transit](./rds-sqlserver-encrypted-in-transit.html)
+ [rds-sql-server-logs-to-cloudwatch](./rds-sql-server-logs-to-cloudwatch.html)
+ [rds-storage-encrypted](./rds-storage-encrypted.html)
+ [redshift-audit-logging-enabled](./redshift-audit-logging-enabled.html)
+ [redshift-backup-enabled](./redshift-backup-enabled.html)
+ [redshift-cluster-configuration-check](./redshift-cluster-configuration-check.html)
+ [redshift-cluster-kms-enabled](./redshift-cluster-kms-enabled.html)
+ [redshift-cluster-maintenancesettings-check](./redshift-cluster-maintenancesettings-check.html)
+ [redshift-cluster-multi-az-enabled](./redshift-cluster-multi-az-enabled.html)
+ [redshift-cluster-parameter-group-tagged](./redshift-cluster-parameter-group-tagged.html)
+ [redshift-cluster-public-access-check](./redshift-cluster-public-access-check.html)
+ [redshift-cluster-subnet-group-multi-az](./redshift-cluster-subnet-group-multi-az.html)
+ [redshift-default-admin-check](./redshift-default-admin-check.html)
+ [redshift-default-db-name-check](./redshift-default-db-name-check.html)
+ [redshift-enhanced-vpc-routing-enabled](./redshift-enhanced-vpc-routing-enabled.html)
+ [redshift-require-tls-ssl](./redshift-require-tls-ssl.html)
+ [redshift-serverless-default-admin-check](./redshift-serverless-default-admin-check.html)
+ [redshift-serverless-default-db-name-check](./redshift-serverless-default-db-name-check.html)
+ [redshift-serverless-namespace-cmk-encryption](./redshift-serverless-namespace-cmk-encryption.html)
+ [redshift-serverless-publish-logs-to-cloudwatch](./redshift-serverless-publish-logs-to-cloudwatch.html)
+ [redshift-serverless-workgroup-encrypted-in-transit](./redshift-serverless-workgroup-encrypted-in-transit.html)
+ [redshift-serverless-workgroup-no-public-access](./redshift-serverless-workgroup-no-public-access.html)
+ [redshift-serverless-workgroup-routes-within-vpc](./redshift-serverless-workgroup-routes-within-vpc.html)
+ [redshift-unrestricted-port-access](./redshift-unrestricted-port-access.html)
+ [required-tags](./required-tags.html)
+ [resiliencehub-app-tagged](./resiliencehub-app-tagged.html)
+ [resiliencehub-resiliencypolicy-tagged](./resiliencehub-resiliencypolicy-tagged.html)
+ [restricted-incoming-traffic](./restricted-incoming-traffic.html)
+ [root-account-hardware-mfa-enabled](./root-account-hardware-mfa-enabled.html)
+ [root-account-mfa-enabled](./root-account-mfa-enabled.html)
+ [route53-health-check-tagged](./route53-health-check-tagged.html)
+ [route53-hosted-zone-tagged](./route53-hosted-zone-tagged.html)
+ [route53-query-logging-enabled](./route53-query-logging-enabled.html)
+ [route53-recovery-control-cluster-tagged](./route53-recovery-control-cluster-tagged.html)
+ [route53-recovery-readiness-cell-tagged](./route53-recovery-readiness-cell-tagged.html)
+ [route53-recovery-readiness-readiness-check-tagged](./route53-recovery-readiness-readiness-check-tagged.html)
+ [route53-recovery-readiness-recovery-group-tagged](./route53-recovery-readiness-recovery-group-tagged.html)
+ [route53-recovery-readiness-resource-set-tagged](./route53-recovery-readiness-resource-set-tagged.html)
+ [route53-resolver-firewall-domain-list-tagged](./route53-resolver-firewall-domain-list-tagged.html)
+ [route53-resolver-firewall-rule-group-association-tagged](./route53-resolver-firewall-rule-group-association-tagged.html)
+ [route53-resolver-firewall-rule-group-tagged](./route53-resolver-firewall-rule-group-tagged.html)
+ [route53-resolver-resolver-endpoint-tagged](./route53-resolver-resolver-endpoint-tagged.html)
+ [route53-resolver-resolver-rule-tagged](./route53-resolver-resolver-rule-tagged.html)
+ [rum-app-monitor-cloudwatch-logs-enabled](./rum-app-monitor-cloudwatch-logs-enabled.html)
+ [rum-app-monitor-tagged](./rum-app-monitor-tagged.html)
+ [s3express-dir-bucket-lifecycle-rules-check](./s3express-dir-bucket-lifecycle-rules-check.html)
+ [s3-access-point-in-vpc-only](./s3-access-point-in-vpc-only.html)
+ [s3-access-point-public-access-blocks](./s3-access-point-public-access-blocks.html)
+ [s3-account-level-public-access-blocks](./s3-account-level-public-access-blocks.html)
+ [s3-account-level-public-access-blocks-periodic](./s3-account-level-public-access-blocks-periodic.html)
+ [s3-bucket-acl-prohibited](./s3-bucket-acl-prohibited.html)
+ [s3-bucket-blacklisted-actions-prohibited](./s3-bucket-blacklisted-actions-prohibited.html)
+ [s3-bucket-cross-region-replication-enabled](./s3-bucket-cross-region-replication-enabled.html)
+ [s3-bucket-default-lock-enabled](./s3-bucket-default-lock-enabled.html)
+ [s3-bucket-level-public-access-prohibited](./s3-bucket-level-public-access-prohibited.html)
+ [s3-bucket-logging-enabled](./s3-bucket-logging-enabled.html)
+ [s3-bucket-mfa-delete-enabled](./s3-bucket-mfa-delete-enabled.html)
+ [s3-bucket-policy-grantee-check](./s3-bucket-policy-grantee-check.html)
+ [s3-bucket-policy-not-more-permissive](./s3-bucket-policy-not-more-permissive.html)
+ [s3-bucket-public-read-prohibited](./s3-bucket-public-read-prohibited.html)
+ [s3-bucket-public-write-prohibited](./s3-bucket-public-write-prohibited.html)
+ [s3-bucket-replication-enabled](./s3-bucket-replication-enabled.html)
+ [s3-bucket-server-side-encryption-enabled](./s3-bucket-server-side-encryption-enabled.html)
+ [s3-bucket-ssl-requests-only](./s3-bucket-ssl-requests-only.html)
+ [s3-bucket-tagged](./s3-bucket-tagged.html)
+ [s3-bucket-versioning-enabled](./s3-bucket-versioning-enabled.html)
+ [s3-default-encryption-kms](./s3-default-encryption-kms.html)
+ [s3-directory-bucket-lifecycle-policy-rule-check](./s3-directory-bucket-lifecycle-policy-rule-check.html)
+ [s3-event-notifications-enabled](./s3-event-notifications-enabled.html)
+ [s3-last-backup-recovery-point-created](./s3-last-backup-recovery-point-created.html)
+ [s3-lifecycle-policy-check](./s3-lifecycle-policy-check.html)
+ [s3-meets-restore-time-target](./s3-meets-restore-time-target.html)
+ [s3-resources-in-logically-air-gapped-vault](./s3-resources-in-logically-air-gapped-vault.html)
+ [s3-resources-protected-by-backup-plan](./s3-resources-protected-by-backup-plan.html)
+ [s3-version-lifecycle-policy-check](./s3-version-lifecycle-policy-check.html)
+ [sagemaker-app-image-config-tagged](./sagemaker-app-image-config-tagged.html)
+ [sagemaker-data-quality-job-encrypt-in-transit](./sagemaker-data-quality-job-encrypt-in-transit.html)
+ [sagemaker-data-quality-job-isolation](./sagemaker-data-quality-job-isolation.html)
+ [sagemaker-domain-in-vpc](./sagemaker-domain-in-vpc.html)
+ [sagemaker-domain-tagged](./sagemaker-domain-tagged.html)
+ [sagemaker-endpoint-configuration-kms-key-configured](./sagemaker-endpoint-configuration-kms-key-configured.html)
+ [sagemaker-endpoint-config-prod-instance-count](./sagemaker-endpoint-config-prod-instance-count.html)
+ [sagemaker-featuregroup-description](./sagemaker-featuregroup-description.html)
+ [sagemaker-featuregroup-encryption-at-rest](./sagemaker-featuregroup-encryption-at-rest.html)
+ [sagemaker-feature-group-tagged](./sagemaker-feature-group-tagged.html)
+ [sagemaker-image-description](./sagemaker-image-description.html)
+ [sagemaker-image-tagged](./sagemaker-image-tagged.html)
+ [sagemaker-inferenceexperiment-tagged](./sagemaker-inferenceexperiment-tagged.html)
+ [sagemaker-model-bias-job-encrypt-in-transit](./sagemaker-model-bias-job-encrypt-in-transit.html)
+ [sagemaker-model-bias-job-isolation](./sagemaker-model-bias-job-isolation.html)
+ [sagemaker-model-explainability-job-encrypt-in-transit](./sagemaker-model-explainability-job-encrypt-in-transit.html)
+ [sagemaker-model-in-vpc](./sagemaker-model-in-vpc.html)
+ [sagemaker-model-isolation-enabled](./sagemaker-model-isolation-enabled.html)
+ [sagemaker-model-private-registry-required](./sagemaker-model-private-registry-required.html)
+ [sagemaker-model-quality-job-encrypt-in-transit](./sagemaker-model-quality-job-encrypt-in-transit.html)
+ [sagemaker-monitoring-schedule-isolation](./sagemaker-monitoring-schedule-isolation.html)
+ [sagemaker-notebook-instance-inside-vpc](./sagemaker-notebook-instance-inside-vpc.html)
+ [sagemaker-notebook-instance-kms-key-configured](./sagemaker-notebook-instance-kms-key-configured.html)
+ [sagemaker-notebook-instance-platform-version](./sagemaker-notebook-instance-platform-version.html)
+ [sagemaker-notebook-instance-root-access-check](./sagemaker-notebook-instance-root-access-check.html)
+ [sagemaker-notebook-no-direct-internet-access](./sagemaker-notebook-no-direct-internet-access.html)
+ [secretsmanager-rotation-enabled-check](./secretsmanager-rotation-enabled-check.html)
+ [secretsmanager-scheduled-rotation-success-check](./secretsmanager-scheduled-rotation-success-check.html)
+ [secretsmanager-secret-periodic-rotation](./secretsmanager-secret-periodic-rotation.html)
+ [secretsmanager-secret-unused](./secretsmanager-secret-unused.html)
+ [secretsmanager-using-cmk](./secretsmanager-using-cmk.html)
+ [securityhub-enabled](./securityhub-enabled.html)
+ [security-account-information-provided](./security-account-information-provided.html)
+ [service-catalog-portfolio-tagged](./service-catalog-portfolio-tagged.html)
+ [service-catalog-shared-within-organization](./service-catalog-shared-within-organization.html)
+ [service-vpc-endpoint-enabled](./service-vpc-endpoint-enabled.html)
+ [ses-malware-scanning-enabled](./ses-malware-scanning-enabled.html)
+ [ses-sending-tls-required](./ses-sending-tls-required.html)
+ [shield-advanced-enabled-autorenew](./shield-advanced-enabled-autorenew.html)
+ [shield-drt-access](./shield-drt-access.html)
+ [signer-signingprofile-tagged](./signer-signingprofile-tagged.html)
+ [sns-encrypted-kms](./sns-encrypted-kms.html)
+ [sns-topic-message-delivery-notification-enabled](./sns-topic-message-delivery-notification-enabled.html)
+ [sns-topic-no-public-access](./sns-topic-no-public-access.html)
+ [sqs-queue-dlq-check](./sqs-queue-dlq-check.html)
+ [sqs-queue-no-public-access](./sqs-queue-no-public-access.html)
+ [sqs-queue-policy-full-access-check](./sqs-queue-policy-full-access-check.html)
+ [ssm-automation-block-public-sharing](./ssm-automation-block-public-sharing.html)
+ [ssm-automation-logging-enabled](./ssm-automation-logging-enabled.html)
+ [ssm-document-not-public](./ssm-document-not-public.html)
+ [ssm-document-tagged](./ssm-document-tagged.html)
+ [stepfunctions-state-machine-tagged](./stepfunctions-state-machine-tagged.html)
+ [step-functions-state-machine-logging-enabled](./step-functions-state-machine-logging-enabled.html)
+ [storagegateway-last-backup-recovery-point-created](./storagegateway-last-backup-recovery-point-created.html)
+ [storagegateway-resources-in-logically-air-gapped-vault](./storagegateway-resources-in-logically-air-gapped-vault.html)
+ [storagegateway-resources-protected-by-backup-plan](./storagegateway-resources-protected-by-backup-plan.html)
+ [subnet-auto-assign-public-ip-disabled](./subnet-auto-assign-public-ip-disabled.html)
+ [transfer-agreement-description](./transfer-agreement-description.html)
+ [transfer-agreement-tagged](./transfer-agreement-tagged.html)
+ [transfer-certificate-description](./transfer-certificate-description.html)
+ [transfer-certificate-tagged](./transfer-certificate-tagged.html)
+ [transfer-connector-as2-encryption-algorithm-check](./transfer-connector-as2-encryption-algorithm-check.html)
+ [transfer-connector-as2-mdn-signing-algorithm-check](./transfer-connector-as2-mdn-signing-algorithm-check.html)
+ [transfer-connector-as2-signing-algorithm-check](./transfer-connector-as2-signing-algorithm-check.html)
+ [transfer-connector-logging-enabled](./transfer-connector-logging-enabled.html)
+ [transfer-connector-tagged](./transfer-connector-tagged.html)
+ [transfer-family-server-no-ftp](./transfer-family-server-no-ftp.html)
+ [transfer-profile-tagged](./transfer-profile-tagged.html)
+ [transfer-workflow-description](./transfer-workflow-description.html)
+ [transfer-workflow-tagged](./transfer-workflow-tagged.html)
+ [virtualmachine-last-backup-recovery-point-created](./virtualmachine-last-backup-recovery-point-created.html)
+ [virtualmachine-resources-in-logically-air-gapped-vault](./virtualmachine-resources-in-logically-air-gapped-vault.html)
+ [virtualmachine-resources-protected-by-backup-plan](./virtualmachine-resources-protected-by-backup-plan.html)
+ [vpc-default-security-group-closed](./vpc-default-security-group-closed.html)
+ [vpc-endpoint-enabled](./vpc-endpoint-enabled.html)
+ [vpc-flow-logs-enabled](./vpc-flow-logs-enabled.html)
+ [vpc-network-acl-unused-check](./vpc-network-acl-unused-check.html)
+ [vpc-peering-dns-resolution-check](./vpc-peering-dns-resolution-check.html)
+ [vpc-sg-open-only-to-authorized-ports](./vpc-sg-open-only-to-authorized-ports.html)
+ [vpc-sg-port-restriction-check](./vpc-sg-port-restriction-check.html)
+ [vpc-vpn-2-tunnels-up](./vpc-vpn-2-tunnels-up.html)
+ [wafv2-logging-enabled](./wafv2-logging-enabled.html)
+ [wafv2-rulegroup-logging-enabled](./wafv2-rulegroup-logging-enabled.html)
+ [wafv2-rulegroup-not-empty](./wafv2-rulegroup-not-empty.html)
+ [wafv2-webacl-not-empty](./wafv2-webacl-not-empty.html)
+ [waf-classic-logging-enabled](./waf-classic-logging-enabled.html)
+ [waf-global-rulegroup-not-empty](./waf-global-rulegroup-not-empty.html)
+ [waf-global-rule-not-empty](./waf-global-rule-not-empty.html)
+ [waf-global-webacl-not-empty](./waf-global-webacl-not-empty.html)
+ [waf-regional-rulegroup-not-empty](./waf-regional-rulegroup-not-empty.html)
+ [waf-regional-rule-not-empty](./waf-regional-rule-not-empty.html)
+ [waf-regional-webacl-not-empty](./waf-regional-webacl-not-empty.html)
+ [workspaces-connection-alias-tagged](./workspaces-connection-alias-tagged.html)
+ [workspaces-root-volume-encryption-enabled](./workspaces-root-volume-encryption-enabled.html)
+ [workspaces-user-volume-encryption-enabled](./workspaces-user-volume-encryption-enabled.html)
+ [workspaces-workspace-tagged](./workspaces-workspace-tagged.html)

# List of AWS Config Managed Rules by Trigger Type
<a name="managed-rules-by-trigger-type"></a>

AWS Config currently supports the following managed rules. Before using these rules, see [Considerations](evaluate-config.md#evaluate-config-considerations).

## Configuration Changes
<a name="configuration-changes-section-head"></a>

*Change-triggered rules* are rules that AWS Config evaluates in response to configuration changes.

### Configuration Changes
<a name="configuration-changes"></a>
+ [acmpca-certificate-authority-tagged](./acmpca-certificate-authority-tagged.html)
+ [acm-certificate-rsa-check](./acm-certificate-rsa-check.html)
+ [acm-certificate-transparent-logging-enabled](./acm-certificate-transparent-logging-enabled.html)
+ [active-mq-supported-version](./active-mq-supported-version.html)
+ [alb-desync-mode-check](./alb-desync-mode-check.html)
+ [alb-http-drop-invalid-header-enabled](./alb-http-drop-invalid-header-enabled.html)
+ [alb-internal-scheme-check](./alb-internal-scheme-check.html)
+ [alb-listener-tagged](./alb-listener-tagged.html)
+ [alb-tagged](./alb-tagged.html)
+ [alb-waf-enabled](./alb-waf-enabled.html)
+ [amplify-app-branch-auto-deletion-enabled](./amplify-app-branch-auto-deletion-enabled.html)
+ [amplify-app-build-spec-configured](./amplify-app-build-spec-configured.html)
+ [amplify-app-description](./amplify-app-description.html)
+ [amplify-app-no-environment-variables](./amplify-app-no-environment-variables.html)
+ [amplify-app-platform-check](./amplify-app-platform-check.html)
+ [amplify-app-tagged](./amplify-app-tagged.html)
+ [amplify-branch-auto-build-enabled](./amplify-branch-auto-build-enabled.html)
+ [amplify-branch-build-spec-configured](./amplify-branch-build-spec-configured.html)
+ [amplify-branch-description](./amplify-branch-description.html)
+ [amplify-branch-framework-configured](./amplify-branch-framework-configured.html)
+ [amplify-branch-performance-mode-enabled](./amplify-branch-performance-mode-enabled.html)
+ [amplify-branch-pull-request-preview-enabled](./amplify-branch-pull-request-preview-enabled.html)
+ [amplify-branch-tagged](./amplify-branch-tagged.html)
+ [apigatewayv2-integration-private-https-enabled](./apigatewayv2-integration-private-https-enabled.html)
+ [apigatewayv2-stage-description](./apigatewayv2-stage-description.html)
+ [apigateway-domain-name-tls-check](./apigateway-domain-name-tls-check.html)
+ [apigateway-stage-access-logs-enabled](./apigateway-stage-access-logs-enabled.html)
+ [apigateway-stage-description](./apigateway-stage-description.html)
+ [api-gwv2-access-logs-enabled](./api-gwv2-access-logs-enabled.html)
+ [api-gwv2-stage-default-route-detailed-metrics-enabled](./api-gwv2-stage-default-route-detailed-metrics-enabled.html)
+ [api-gw-associated-with-waf](./api-gw-associated-with-waf.html)
+ [api-gw-cache-enabled-and-encrypted](./api-gw-cache-enabled-and-encrypted.html)
+ [api-gw-endpoint-type-check](./api-gw-endpoint-type-check.html)
+ [api-gw-execution-logging-enabled](./api-gw-execution-logging-enabled.html)
+ [api-gw-rest-api-tagged](./api-gw-rest-api-tagged.html)
+ [api-gw-ssl-enabled](./api-gw-ssl-enabled.html)
+ [api-gw-stage-tagged](./api-gw-stage-tagged.html)
+ [api-gw-xray-enabled](./api-gw-xray-enabled.html)
+ [appconfig-application-description](./appconfig-application-description.html)
+ [appconfig-application-tagged](./appconfig-application-tagged.html)
+ [appconfig-configuration-profile-tagged](./appconfig-configuration-profile-tagged.html)
+ [appconfig-configuration-profile-validators-not-empty](./appconfig-configuration-profile-validators-not-empty.html)
+ [appconfig-deployment-strategy-description](./appconfig-deployment-strategy-description.html)
+ [appconfig-deployment-strategy-minimum-final-bake-time](./appconfig-deployment-strategy-minimum-final-bake-time.html)
+ [appconfig-deployment-strategy-replicate-to-ssm](./appconfig-deployment-strategy-replicate-to-ssm.html)
+ [appconfig-deployment-strategy-tagged](./appconfig-deployment-strategy-tagged.html)
+ [appconfig-environment-description](./appconfig-environment-description.html)
+ [appconfig-environment-tagged](./appconfig-environment-tagged.html)
+ [appconfig-extension-association-tagged](./appconfig-extension-association-tagged.html)
+ [appconfig-freeform-profile-config-storage](./appconfig-freeform-profile-config-storage.html)
+ [appconfig-hosted-configuration-version-description](./appconfig-hosted-configuration-version-description.html)
+ [appflow-flow-tagged](./appflow-flow-tagged.html)
+ [appflow-flow-trigger-type-check](./appflow-flow-trigger-type-check.html)
+ [appintegrations-application-approved-origins-check](./appintegrations-application-approved-origins-check.html)
+ [appintegrations-application-tagged](./appintegrations-application-tagged.html)
+ [appintegrations-event-integration-description](./appintegrations-event-integration-description.html)
+ [appintegrations-event-integration-tagged](./appintegrations-event-integration-tagged.html)
+ [appmesh-gateway-route-tagged](./appmesh-gateway-route-tagged.html)
+ [appmesh-mesh-deny-tcp-forwarding](./appmesh-mesh-deny-tcp-forwarding.html)
+ [appmesh-mesh-ip-pref-check](./appmesh-mesh-ip-pref-check.html)
+ [appmesh-mesh-tagged](./appmesh-mesh-tagged.html)
+ [appmesh-route-tagged](./appmesh-route-tagged.html)
+ [appmesh-virtual-gateway-backend-defaults-tls](./appmesh-virtual-gateway-backend-defaults-tls.html)
+ [appmesh-virtual-gateway-listeners-health-check-enabled](./appmesh-virtual-gateway-listeners-health-check-enabled.html)
+ [appmesh-virtual-gateway-logging-file-path-exists](./appmesh-virtual-gateway-logging-file-path-exists.html)
+ [appmesh-virtual-gateway-tagged](./appmesh-virtual-gateway-tagged.html)
+ [appmesh-virtual-node-backend-defaults-tls-on](./appmesh-virtual-node-backend-defaults-tls-on.html)
+ [appmesh-virtual-node-cloud-map-ip-pref-check](./appmesh-virtual-node-cloud-map-ip-pref-check.html)
+ [appmesh-virtual-node-dns-ip-pref-check](./appmesh-virtual-node-dns-ip-pref-check.html)
+ [appmesh-virtual-node-listeners-health-check-enabled](./appmesh-virtual-node-listeners-health-check-enabled.html)
+ [appmesh-virtual-node-listeners-outlier-detect-enabled](./appmesh-virtual-node-listeners-outlier-detect-enabled.html)
+ [appmesh-virtual-node-logging-file-path-exists](./appmesh-virtual-node-logging-file-path-exists.html)
+ [appmesh-virtual-node-service-backends-tls-enforced](./appmesh-virtual-node-service-backends-tls-enforced.html)
+ [appmesh-virtual-node-tagged](./appmesh-virtual-node-tagged.html)
+ [appmesh-virtual-router-tagged](./appmesh-virtual-router-tagged.html)
+ [appmesh-virtual-service-tagged](./appmesh-virtual-service-tagged.html)
+ [approved-amis-by-id](./approved-amis-by-id.html)
+ [approved-amis-by-tag](./approved-amis-by-tag.html)
+ [apprunner-service-in-vpc](./apprunner-service-in-vpc.html)
+ [apprunner-service-ip-address-type-check](./apprunner-service-ip-address-type-check.html)
+ [apprunner-service-max-unhealthy-threshold](./apprunner-service-max-unhealthy-threshold.html)
+ [apprunner-service-no-public-access](./apprunner-service-no-public-access.html)
+ [apprunner-service-observability-enabled](./apprunner-service-observability-enabled.html)
+ [apprunner-service-tagged](./apprunner-service-tagged.html)
+ [apprunner-vpc-connector-tagged](./apprunner-vpc-connector-tagged.html)
+ [appstream-fleet-in-vpc](./appstream-fleet-in-vpc.html)
+ [appsync-authorization-check](./appsync-authorization-check.html)
+ [appsync-cache-ct-encryption-at-rest](./appsync-cache-ct-encryption-at-rest.html)
+ [appsync-cache-ct-encryption-in-transit](./appsync-cache-ct-encryption-in-transit.html)
+ [appsync-graphql-api-xray-enabled](./appsync-graphql-api-xray-enabled.html)
+ [appsync-logging-enabled](./appsync-logging-enabled.html)
+ [aps-rule-groups-namespace-tagged](./aps-rule-groups-namespace-tagged.html)
+ [athena-data-catalog-description](./athena-data-catalog-description.html)
+ [athena-prepared-statement-description](./athena-prepared-statement-description.html)
+ [athena-workgroup-description](./athena-workgroup-description.html)
+ [athena-workgroup-encrypted-at-rest](./athena-workgroup-encrypted-at-rest.html)
+ [athena-workgroup-enforce-workgroup-configuration](./athena-workgroup-enforce-workgroup-configuration.html)
+ [athena-workgroup-engine-version-auto-upgrade](./athena-workgroup-engine-version-auto-upgrade.html)
+ [athena-workgroup-logging-enabled](./athena-workgroup-logging-enabled.html)
+ [auditmanager-assessment-tagged](./auditmanager-assessment-tagged.html)
+ [aurora-global-database-encryption-at-rest](./aurora-global-database-encryption-at-rest.html)
+ [aurora-mysql-backtracking-enabled](./aurora-mysql-backtracking-enabled.html)
+ [autoscaling-capacity-rebalancing](./autoscaling-capacity-rebalancing.html)
+ [autoscaling-group-elb-healthcheck-required](./autoscaling-group-elb-healthcheck-required.html)
+ [autoscaling-launchconfig-requires-imdsv2](./autoscaling-launchconfig-requires-imdsv2.html)
+ [autoscaling-launch-config-hop-limit](./autoscaling-launch-config-hop-limit.html)
+ [autoscaling-launch-config-public-ip-disabled](./autoscaling-launch-config-public-ip-disabled.html)
+ [autoscaling-launch-template](./autoscaling-launch-template.html)
+ [autoscaling-multiple-az](./autoscaling-multiple-az.html)
+ [autoscaling-multiple-instance-types](./autoscaling-multiple-instance-types.html)
+ [backup-plan-min-frequency-and-min-retention-check](./backup-plan-min-frequency-and-min-retention-check.html)
+ [backup-recovery-point-encrypted](./backup-recovery-point-encrypted.html)
+ [backup-recovery-point-manual-deletion-disabled](./backup-recovery-point-manual-deletion-disabled.html)
+ [backup-recovery-point-minimum-retention-check](./backup-recovery-point-minimum-retention-check.html)
+ [batch-compute-environment-enabled](./batch-compute-environment-enabled.html)
+ [batch-compute-environment-managed](./batch-compute-environment-managed.html)
+ [batch-compute-environment-tagged](./batch-compute-environment-tagged.html)
+ [batch-job-queue-enabled](./batch-job-queue-enabled.html)
+ [batch-job-queue-tagged](./batch-job-queue-tagged.html)
+ [batch-managed-compute-environment-using-launch-template](./batch-managed-compute-environment-using-launch-template.html)
+ [batch-managed-compute-env-allocation-strategy-check](./batch-managed-compute-env-allocation-strategy-check.html)
+ [batch-managed-compute-env-compute-resources-tagged](./batch-managed-compute-env-compute-resources-tagged.html)
+ [batch-managed-spot-compute-environment-max-bid](./batch-managed-spot-compute-environment-max-bid.html)
+ [batch-scheduling-policy-tagged](./batch-scheduling-policy-tagged.html)
+ [beanstalk-enhanced-health-reporting-enabled](./beanstalk-enhanced-health-reporting-enabled.html)
+ [cassandra-keyspace-tagged](./cassandra-keyspace-tagged.html)
+ [clb-desync-mode-check](./clb-desync-mode-check.html)
+ [clb-multiple-az](./clb-multiple-az.html)
+ [cloudformation-stack-notification-check](./cloudformation-stack-notification-check.html)
+ [cloudformation-stack-service-role-check](./cloudformation-stack-service-role-check.html)
+ [cloudformation-termination-protection-check](./cloudformation-termination-protection-check.html)
+ [cloudfront-accesslogs-enabled](./cloudfront-accesslogs-enabled.html)
+ [cloudfront-associated-with-waf](./cloudfront-associated-with-waf.html)
+ [cloudfront-custom-ssl-certificate](./cloudfront-custom-ssl-certificate.html)
+ [cloudfront-default-root-object-configured](./cloudfront-default-root-object-configured.html)
+ [cloudfront-distribution-key-group-enabled](./cloudfront-distribution-key-group-enabled.html)
+ [cloudfront-no-deprecated-ssl-protocols](./cloudfront-no-deprecated-ssl-protocols.html)
+ [cloudfront-origin-access-identity-enabled](./cloudfront-origin-access-identity-enabled.html)
+ [cloudfront-origin-failover-enabled](./cloudfront-origin-failover-enabled.html)
+ [cloudfront-origin-lambda-url-oac-enabled](./cloudfront-origin-lambda-url-oac-enabled.html)
+ [cloudfront-s3-origin-access-control-enabled](./cloudfront-s3-origin-access-control-enabled.html)
+ [cloudfront-security-policy-check](./cloudfront-security-policy-check.html)
+ [cloudfront-sni-enabled](./cloudfront-sni-enabled.html)
+ [cloudfront-ssl-policy-check](./cloudfront-ssl-policy-check.html)
+ [cloudfront-traffic-to-origin-encrypted](./cloudfront-traffic-to-origin-encrypted.html)
+ [cloudfront-viewer-policy-https](./cloudfront-viewer-policy-https.html)
+ [cloudtrail-event-data-store-multi-region](./cloudtrail-event-data-store-multi-region.html)
+ [cloudwatch-alarm-action-check](./cloudwatch-alarm-action-check.html)
+ [cloudwatch-alarm-action-enabled-check](./cloudwatch-alarm-action-enabled-check.html)
+ [cloudwatch-alarm-description](./cloudwatch-alarm-description.html)
+ [cloudwatch-alarm-settings-check](./cloudwatch-alarm-settings-check.html)
+ [cloudwatch-metric-stream-tagged](./cloudwatch-metric-stream-tagged.html)
+ [codeartifact-repository-tagged](./codeartifact-repository-tagged.html)
+ [codebuild-project-artifact-encryption](./codebuild-project-artifact-encryption.html)
+ [codebuild-project-environment-privileged-check](./codebuild-project-environment-privileged-check.html)
+ [codebuild-project-envvar-awscred-check](./codebuild-project-envvar-awscred-check.html)
+ [codebuild-project-logging-enabled](./codebuild-project-logging-enabled.html)
+ [codebuild-project-s3-logs-encrypted](./codebuild-project-s3-logs-encrypted.html)
+ [codebuild-project-source-repo-url-check](./codebuild-project-source-repo-url-check.html)
+ [codebuild-project-tagged](./codebuild-project-tagged.html)
+ [codebuild-report-group-encrypted-at-rest](./codebuild-report-group-encrypted-at-rest.html)
+ [codebuild-report-group-tagged](./codebuild-report-group-tagged.html)
+ [codedeploy-auto-rollback-monitor-enabled](./codedeploy-auto-rollback-monitor-enabled.html)
+ [codedeploy-deployment-group-auto-rollback-enabled](./codedeploy-deployment-group-auto-rollback-enabled.html)
+ [codedeploy-deployment-group-outdated-instances-update](./codedeploy-deployment-group-outdated-instances-update.html)
+ [codedeploy-ec2-minimum-healthy-hosts-configured](./codedeploy-ec2-minimum-healthy-hosts-configured.html)
+ [codedeploy-lambda-allatonce-traffic-shift-disabled](./codedeploy-lambda-allatonce-traffic-shift-disabled.html)
+ [codeguruprofiler-profiling-group-tagged](./codeguruprofiler-profiling-group-tagged.html)
+ [codegurureviewer-repository-association-tagged](./codegurureviewer-repository-association-tagged.html)
+ [codepipeline-deployment-count-check](./codepipeline-deployment-count-check.html)
+ [codepipeline-region-fanout-check](./codepipeline-region-fanout-check.html)
+ [cognito-identity-pool-unauthenticated-logins](./cognito-identity-pool-unauthenticated-logins.html)
+ [cognito-identity-pool-unauth-access-check](./cognito-identity-pool-unauth-access-check.html)
+ [cognito-userpool-cust-auth-threat-full-check](./cognito-userpool-cust-auth-threat-full-check.html)
+ [cognito-user-pool-advanced-security-enabled](./cognito-user-pool-advanced-security-enabled.html)
+ [cognito-user-pool-deletion-protection-enabled](./cognito-user-pool-deletion-protection-enabled.html)
+ [cognito-user-pool-mfa-enabled](./cognito-user-pool-mfa-enabled.html)
+ [cognito-user-pool-password-policy-check](./cognito-user-pool-password-policy-check.html)
+ [cognito-user-pool-tagged](./cognito-user-pool-tagged.html)
+ [connect-instance-logging-enabled](./connect-instance-logging-enabled.html)
+ [customerprofiles-domain-tagged](./customerprofiles-domain-tagged.html)
+ [customerprofiles-object-type-allow-profile-creation](./customerprofiles-object-type-allow-profile-creation.html)
+ [customerprofiles-object-type-tagged](./customerprofiles-object-type-tagged.html)
+ [custom-eventbus-policy-attached](./custom-eventbus-policy-attached.html)
+ [datasync-location-object-storage-using-https](./datasync-location-object-storage-using-https.html)
+ [datasync-task-data-verification-enabled](./datasync-task-data-verification-enabled.html)
+ [datasync-task-logging-enabled](./datasync-task-logging-enabled.html)
+ [datasync-task-tagged](./datasync-task-tagged.html)
+ [db-instance-backup-enabled](./db-instance-backup-enabled.html)
+ [desired-instance-tenancy](./desired-instance-tenancy.html)
+ [desired-instance-type](./desired-instance-type.html)
+ [devicefarm-instance-profile-tagged](./devicefarm-instance-profile-tagged.html)
+ [devicefarm-project-tagged](./devicefarm-project-tagged.html)
+ [devicefarm-test-grid-project-tagged](./devicefarm-test-grid-project-tagged.html)
+ [dms-auto-minor-version-upgrade-check](./dms-auto-minor-version-upgrade-check.html)
+ [dms-endpoint-ssl-configured](./dms-endpoint-ssl-configured.html)
+ [dms-endpoint-tagged](./dms-endpoint-tagged.html)
+ [dms-mongo-db-authentication-enabled](./dms-mongo-db-authentication-enabled.html)
+ [dms-neptune-iam-authorization-enabled](./dms-neptune-iam-authorization-enabled.html)
+ [dms-redis-tls-enabled](./dms-redis-tls-enabled.html)
+ [dms-replication-instance-multi-az-enabled](./dms-replication-instance-multi-az-enabled.html)
+ [dms-replication-task-sourcedb-logging](./dms-replication-task-sourcedb-logging.html)
+ [dms-replication-task-tagged](./dms-replication-task-tagged.html)
+ [dms-replication-task-targetdb-logging](./dms-replication-task-targetdb-logging.html)
+ [docdb-cluster-audit-logging-enabled](./docdb-cluster-audit-logging-enabled.html)
+ [docdb-cluster-backup-retention-check](./docdb-cluster-backup-retention-check.html)
+ [docdb-cluster-deletion-protection-enabled](./docdb-cluster-deletion-protection-enabled.html)
+ [docdb-cluster-encrypted](./docdb-cluster-encrypted.html)
+ [docdb-cluster-snapshot-public-prohibited](./docdb-cluster-snapshot-public-prohibited.html)
+ [dynamodb-pitr-enabled](./dynamodb-pitr-enabled.html)
+ [dynamodb-table-deletion-protection-enabled](./dynamodb-table-deletion-protection-enabled.html)
+ [dynamodb-table-encrypted-kms](./dynamodb-table-encrypted-kms.html)
+ [dynamodb-table-encryption-enabled](./dynamodb-table-encryption-enabled.html)
+ [ebs-optimized-instance](./ebs-optimized-instance.html)
+ [ebs-snapshot-block-public-access](./ebs-snapshot-block-public-access.html)
+ [ec2-capacity-reservation-tagged](./ec2-capacity-reservation-tagged.html)
+ [ec2-carrier-gateway-tagged](./ec2-carrier-gateway-tagged.html)
+ [ec2-client-vpn-connection-log-enabled](./ec2-client-vpn-connection-log-enabled.html)
+ [ec2-client-vpn-endpoint-tagged](./ec2-client-vpn-endpoint-tagged.html)
+ [ec2-dhcp-options-tagged](./ec2-dhcp-options-tagged.html)
+ [ec2-enis-source-destination-check-enabled](./ec2-enis-source-destination-check-enabled.html)
+ [ec2-fleet-tagged](./ec2-fleet-tagged.html)
+ [ec2-imdsv2-check](./ec2-imdsv2-check.html)
+ [ec2-instance-detailed-monitoring-enabled](./ec2-instance-detailed-monitoring-enabled.html)
+ [ec2-instance-managed-by-ssm](./ec2-instance-managed-by-ssm.html)
+ [ec2-instance-multiple-eni-check](./ec2-instance-multiple-eni-check.html)
+ [ec2-instance-no-public-ip](./ec2-instance-no-public-ip.html)
+ [ec2-instance-profile-attached](./ec2-instance-profile-attached.html)
+ [ec2-ipamscope-tagged](./ec2-ipamscope-tagged.html)
+ [ec2-launchtemplate-ebs-encrypted](./ec2-launchtemplate-ebs-encrypted.html)
+ [ec2-launch-templates-ebs-volume-encrypted](./ec2-launch-templates-ebs-volume-encrypted.html)
+ [ec2-launch-template-imdsv2-check](./ec2-launch-template-imdsv2-check.html)
+ [ec2-launch-template-public-ip-disabled](./ec2-launch-template-public-ip-disabled.html)
+ [ec2-launch-template-tagged](./ec2-launch-template-tagged.html)
+ [ec2-managedinstance-applications-blacklisted](./ec2-managedinstance-applications-blacklisted.html)
+ [ec2-managedinstance-applications-required](./ec2-managedinstance-applications-required.html)
+ [ec2-managedinstance-association-compliance-status-check](./ec2-managedinstance-association-compliance-status-check.html)
+ [ec2-managedinstance-inventory-blacklisted](./ec2-managedinstance-inventory-blacklisted.html)
+ [ec2-managedinstance-patch-compliance-status-check](./ec2-managedinstance-patch-compliance-status-check.html)
+ [ec2-managedinstance-platform-check](./ec2-managedinstance-platform-check.html)
+ [ec2-network-insights-access-scope-analysis-tagged](./ec2-network-insights-access-scope-analysis-tagged.html)
+ [ec2-network-insights-access-scope-tagged](./ec2-network-insights-access-scope-tagged.html)
+ [ec2-network-insights-analysis-tagged](./ec2-network-insights-analysis-tagged.html)
+ [ec2-network-insights-path-tagged](./ec2-network-insights-path-tagged.html)
+ [ec2-no-amazon-key-pair](./ec2-no-amazon-key-pair.html)
+ [ec2-paravirtual-instance-check](./ec2-paravirtual-instance-check.html)
+ [ec2-prefix-list-tagged](./ec2-prefix-list-tagged.html)
+ [ec2-security-group-attached-to-eni](./ec2-security-group-attached-to-eni.html)
+ [ec2-spot-fleet-request-ct-encryption-at-rest](./ec2-spot-fleet-request-ct-encryption-at-rest.html)
+ [ec2-token-hop-limit-check](./ec2-token-hop-limit-check.html)
+ [ec2-traffic-mirror-filter-description](./ec2-traffic-mirror-filter-description.html)
+ [ec2-traffic-mirror-filter-tagged](./ec2-traffic-mirror-filter-tagged.html)
+ [ec2-traffic-mirror-session-description](./ec2-traffic-mirror-session-description.html)
+ [ec2-traffic-mirror-session-tagged](./ec2-traffic-mirror-session-tagged.html)
+ [ec2-traffic-mirror-target-description](./ec2-traffic-mirror-target-description.html)
+ [ec2-traffic-mirror-target-tagged](./ec2-traffic-mirror-target-tagged.html)
+ [ec2-transit-gateway-auto-vpc-attach-disabled](./ec2-transit-gateway-auto-vpc-attach-disabled.html)
+ [ec2-transit-gateway-multicast-domain-tagged](./ec2-transit-gateway-multicast-domain-tagged.html)
+ [ec2-volume-inuse-check](./ec2-volume-inuse-check.html)
+ [ec2-vpn-connection-ike-version-check](./ec2-vpn-connection-ike-version-check.html)
+ [ec2-vpn-connection-logging-enabled](./ec2-vpn-connection-logging-enabled.html)
+ [ec2-vpn-connection-tagged](./ec2-vpn-connection-tagged.html)
+ [ecr-private-lifecycle-policy-configured](./ecr-private-lifecycle-policy-configured.html)
+ [ecr-private-tag-immutability-enabled](./ecr-private-tag-immutability-enabled.html)
+ [ecr-repository-cmk-encryption-enabled](./ecr-repository-cmk-encryption-enabled.html)
+ [ecr-repository-tagged](./ecr-repository-tagged.html)
+ [ecs-awsvpc-networking-enabled](./ecs-awsvpc-networking-enabled.html)
+ [ecs-capacity-provider-tagged](./ecs-capacity-provider-tagged.html)
+ [ecs-capacity-provider-termination-check](./ecs-capacity-provider-termination-check.html)
+ [ecs-containers-nonprivileged](./ecs-containers-nonprivileged.html)
+ [ecs-containers-readonly-access](./ecs-containers-readonly-access.html)
+ [ecs-container-insights-enabled](./ecs-container-insights-enabled.html)
+ [ecs-fargate-latest-platform-version](./ecs-fargate-latest-platform-version.html)
+ [ecs-no-environment-secrets](./ecs-no-environment-secrets.html)
+ [ecs-service-propagate-tags-enabled](./ecs-service-propagate-tags-enabled.html)
+ [ecs-task-definition-efs-encryption-enabled](./ecs-task-definition-efs-encryption-enabled.html)
+ [ecs-task-definition-linux-user-non-root](./ecs-task-definition-linux-user-non-root.html)
+ [ecs-task-definition-log-configuration](./ecs-task-definition-log-configuration.html)
+ [ecs-task-definition-memory-hard-limit](./ecs-task-definition-memory-hard-limit.html)
+ [ecs-task-definition-network-mode-not-host](./ecs-task-definition-network-mode-not-host.html)
+ [ecs-task-definition-nonroot-user](./ecs-task-definition-nonroot-user.html)
+ [ecs-task-definition-pid-mode-check](./ecs-task-definition-pid-mode-check.html)
+ [ecs-task-definition-user-for-host-mode-check](./ecs-task-definition-user-for-host-mode-check.html)
+ [ecs-task-definition-windows-user-non-admin](./ecs-task-definition-windows-user-non-admin.html)
+ [efs-access-point-enforce-root-directory](./efs-access-point-enforce-root-directory.html)
+ [efs-access-point-enforce-user-identity](./efs-access-point-enforce-user-identity.html)
+ [efs-automatic-backups-enabled](./efs-automatic-backups-enabled.html)
+ [efs-filesystem-ct-encrypted](./efs-filesystem-ct-encrypted.html)
+ [efs-file-system-tagged](./efs-file-system-tagged.html)
+ [eip-attached](./eip-attached.html)
+ [eks-addon-tagged](./eks-addon-tagged.html)
+ [eks-cluster-log-enabled](./eks-cluster-log-enabled.html)
+ [eks-cluster-oldest-supported-version](./eks-cluster-oldest-supported-version.html)
+ [eks-cluster-supported-version](./eks-cluster-supported-version.html)
+ [eks-fargate-profile-tagged](./eks-fargate-profile-tagged.html)
+ [eks-nodegroup-supported-version-check](./eks-nodegroup-supported-version-check.html)
+ [elasticbeanstalk-application-description](./elasticbeanstalk-application-description.html)
+ [elasticbeanstalk-application-version-description](./elasticbeanstalk-application-version-description.html)
+ [elasticbeanstalk-environment-description](./elasticbeanstalk-environment-description.html)
+ [elasticsearch-logs-to-cloudwatch](./elasticsearch-logs-to-cloudwatch.html)
+ [elasticsearch-node-to-node-encryption-check](./elasticsearch-node-to-node-encryption-check.html)
+ [elastic-beanstalk-logs-to-cloudwatch](./elastic-beanstalk-logs-to-cloudwatch.html)
+ [elastic-beanstalk-managed-updates-enabled](./elastic-beanstalk-managed-updates-enabled.html)
+ [elbv2-listener-encryption-in-transit](./elbv2-listener-encryption-in-transit.html)
+ [elbv2-multiple-az](./elbv2-multiple-az.html)
+ [elbv2-predefined-security-policy-ssl-check](./elbv2-predefined-security-policy-ssl-check.html)
+ [elbv2-targetgroup-healthcheck-protocol-encrypted](./elbv2-targetgroup-healthcheck-protocol-encrypted.html)
+ [elbv2-targetgroup-protocol-encrypted](./elbv2-targetgroup-protocol-encrypted.html)
+ [elb-acm-certificate-required](./elb-acm-certificate-required.html)
+ [elb-cross-zone-load-balancing-enabled](./elb-cross-zone-load-balancing-enabled.html)
+ [elb-custom-security-policy-ssl-check](./elb-custom-security-policy-ssl-check.html)
+ [elb-deletion-protection-enabled](./elb-deletion-protection-enabled.html)
+ [elb-internal-scheme-check](./elb-internal-scheme-check.html)
+ [elb-logging-enabled](./elb-logging-enabled.html)
+ [elb-predefined-security-policy-ssl-check](./elb-predefined-security-policy-ssl-check.html)
+ [elb-tagged](./elb-tagged.html)
+ [elb-tls-https-listeners-only](./elb-tls-https-listeners-only.html)
+ [emr-security-configuration-encryption-rest](./emr-security-configuration-encryption-rest.html)
+ [emr-security-configuration-encryption-transit](./emr-security-configuration-encryption-transit.html)
+ [encrypted-volumes](./encrypted-volumes.html)
+ [eventschemas-discoverer-tagged](./eventschemas-discoverer-tagged.html)
+ [eventschemas-registry-tagged](./eventschemas-registry-tagged.html)
+ [evidently-launch-description](./evidently-launch-description.html)
+ [evidently-launch-tagged](./evidently-launch-tagged.html)
+ [evidently-project-description](./evidently-project-description.html)
+ [evidently-project-tagged](./evidently-project-tagged.html)
+ [evidently-segment-description](./evidently-segment-description.html)
+ [evidently-segment-tagged](./evidently-segment-tagged.html)
+ [fis-experiment-template-log-configuration-exists](./fis-experiment-template-log-configuration-exists.html)
+ [fis-experiment-template-tagged](./fis-experiment-template-tagged.html)
+ [fms-shield-resource-policy-check](./fms-shield-resource-policy-check.html)
+ [fms-webacl-resource-policy-check](./fms-webacl-resource-policy-check.html)
+ [fms-webacl-rulegroup-association-check](./fms-webacl-rulegroup-association-check.html)
+ [frauddetector-entity-type-tagged](./frauddetector-entity-type-tagged.html)
+ [frauddetector-label-tagged](./frauddetector-label-tagged.html)
+ [frauddetector-outcome-tagged](./frauddetector-outcome-tagged.html)
+ [frauddetector-variable-tagged](./frauddetector-variable-tagged.html)
+ [glb-listener-tagged](./glb-listener-tagged.html)
+ [glb-tagged](./glb-tagged.html)
+ [global-endpoint-event-replication-enabled](./global-endpoint-event-replication-enabled.html)
+ [glue-job-logging-enabled](./glue-job-logging-enabled.html)
+ [glue-ml-transform-encrypted-at-rest](./glue-ml-transform-encrypted-at-rest.html)
+ [glue-ml-transform-tagged](./glue-ml-transform-tagged.html)
+ [glue-spark-job-supported-version](./glue-spark-job-supported-version.html)
+ [groundstation-config-tagged](./groundstation-config-tagged.html)
+ [groundstation-dataflowendpointgroup-tagged](./groundstation-dataflowendpointgroup-tagged.html)
+ [groundstation-missionprofile-tagged](./groundstation-missionprofile-tagged.html)
+ [healthlake-fhirdatastore-tagged](./healthlake-fhirdatastore-tagged.html)
+ [iam-customer-policy-blocked-kms-actions](./iam-customer-policy-blocked-kms-actions.html)
+ [iam-group-has-users-check](./iam-group-has-users-check.html)
+ [iam-inline-policy-blocked-kms-actions](./iam-inline-policy-blocked-kms-actions.html)
+ [iam-no-inline-policy-check](./iam-no-inline-policy-check.html)
+ [iam-oidc-provider-client-id-list-check](./iam-oidc-provider-client-id-list-check.html)
+ [iam-oidc-provider-tagged](./iam-oidc-provider-tagged.html)
+ [iam-policy-blacklisted-check](./iam-policy-blacklisted-check.html)
+ [iam-policy-description](./iam-policy-description.html)
+ [iam-policy-no-statements-with-admin-access](./iam-policy-no-statements-with-admin-access.html)
+ [iam-policy-no-statements-with-full-access](./iam-policy-no-statements-with-full-access.html)
+ [iam-role-managed-policy-check](./iam-role-managed-policy-check.html)
+ [iam-saml-provider-tagged](./iam-saml-provider-tagged.html)
+ [iam-server-certificate-tagged](./iam-server-certificate-tagged.html)
+ [iam-user-group-membership-check](./iam-user-group-membership-check.html)
+ [iam-user-no-policies-check](./iam-user-no-policies-check.html)
+ [imagebuilder-distributionconfiguration-tagged](./imagebuilder-distributionconfiguration-tagged.html)
+ [imagebuilder-imagepipeline-tagged](./imagebuilder-imagepipeline-tagged.html)
+ [imagebuilder-imagerecipe-ebs-volumes-encrypted](./imagebuilder-imagerecipe-ebs-volumes-encrypted.html)
+ [imagebuilder-imagerecipe-tagged](./imagebuilder-imagerecipe-tagged.html)
+ [imagebuilder-infrastructureconfiguration-tagged](./imagebuilder-infrastructureconfiguration-tagged.html)
+ [instances-in-vpc](./instances-in-vpc.html)
+ [internet-gateway-authorized-vpc-only](./internet-gateway-authorized-vpc-only.html)
+ [iotdevicedefender-custom-metric-tagged](./iotdevicedefender-custom-metric-tagged.html)
+ [iotevents-alarm-model-tagged](./iotevents-alarm-model-tagged.html)
+ [iotevents-detector-model-tagged](./iotevents-detector-model-tagged.html)
+ [iotevents-input-tagged](./iotevents-input-tagged.html)
+ [iotsitewise-asset-model-tagged](./iotsitewise-asset-model-tagged.html)
+ [iotsitewise-dashboard-tagged](./iotsitewise-dashboard-tagged.html)
+ [iotsitewise-gateway-tagged](./iotsitewise-gateway-tagged.html)
+ [iotsitewise-portal-tagged](./iotsitewise-portal-tagged.html)
+ [iotsitewise-project-tagged](./iotsitewise-project-tagged.html)
+ [iottwinmaker-component-type-tagged](./iottwinmaker-component-type-tagged.html)
+ [iottwinmaker-entity-tagged](./iottwinmaker-entity-tagged.html)
+ [iottwinmaker-scene-tagged](./iottwinmaker-scene-tagged.html)
+ [iottwinmaker-sync-job-tagged](./iottwinmaker-sync-job-tagged.html)
+ [iottwinmaker-workspace-tagged](./iottwinmaker-workspace-tagged.html)
+ [iotwireless-fuota-task-tagged](./iotwireless-fuota-task-tagged.html)
+ [iotwireless-multicast-group-tagged](./iotwireless-multicast-group-tagged.html)
+ [iotwireless-service-profile-tagged](./iotwireless-service-profile-tagged.html)
+ [iot-authorizer-token-signing-enabled](./iot-authorizer-token-signing-enabled.html)
+ [iot-job-template-tagged](./iot-job-template-tagged.html)
+ [iot-provisioning-template-description](./iot-provisioning-template-description.html)
+ [iot-provisioning-template-jitp](./iot-provisioning-template-jitp.html)
+ [iot-provisioning-template-tagged](./iot-provisioning-template-tagged.html)
+ [iot-scheduled-audit-tagged](./iot-scheduled-audit-tagged.html)
+ [ivs-channel-playback-authorization-enabled](./ivs-channel-playback-authorization-enabled.html)
+ [ivs-channel-tagged](./ivs-channel-tagged.html)
+ [ivs-playback-key-pair-tagged](./ivs-playback-key-pair-tagged.html)
+ [ivs-recording-configuration-tagged](./ivs-recording-configuration-tagged.html)
+ [kendra-index-tagged](./kendra-index-tagged.html)
+ [kinesisvideo-signalingchannel-tagged](./kinesisvideo-signalingchannel-tagged.html)
+ [kinesisvideo-stream-tagged](./kinesisvideo-stream-tagged.html)
+ [kinesis-stream-backup-retention-check](./kinesis-stream-backup-retention-check.html)
+ [kinesis-stream-encrypted](./kinesis-stream-encrypted.html)
+ [kinesis-video-stream-minimum-data-retention](./kinesis-video-stream-minimum-data-retention.html)
+ [kms-key-policy-no-public-access](./kms-key-policy-no-public-access.html)
+ [kms-key-tagged](./kms-key-tagged.html)
+ [lambda-concurrency-check](./lambda-concurrency-check.html)
+ [lambda-dlq-check](./lambda-dlq-check.html)
+ [lambda-function-application-log-level-check](./lambda-function-application-log-level-check.html)
+ [lambda-function-description](./lambda-function-description.html)
+ [lambda-function-log-format-json](./lambda-function-log-format-json.html)
+ [lambda-function-public-access-prohibited](./lambda-function-public-access-prohibited.html)
+ [lambda-function-settings-check](./lambda-function-settings-check.html)
+ [lambda-function-system-log-level-check](./lambda-function-system-log-level-check.html)
+ [lambda-function-xray-enabled](./lambda-function-xray-enabled.html)
+ [lambda-inside-vpc](./lambda-inside-vpc.html)
+ [lambda-vpc-multi-az-check](./lambda-vpc-multi-az-check.html)
+ [lightsail-bucket-allow-public-overrides-disabled](./lightsail-bucket-allow-public-overrides-disabled.html)
+ [lightsail-bucket-object-versioning-enabled](./lightsail-bucket-object-versioning-enabled.html)
+ [lightsail-bucket-tagged](./lightsail-bucket-tagged.html)
+ [lightsail-certificate-tagged](./lightsail-certificate-tagged.html)
+ [lightsail-disk-tagged](./lightsail-disk-tagged.html)
+ [mediapackage-packagingconfiguration-tagged](./mediapackage-packagingconfiguration-tagged.html)
+ [mediatailor-playbackconfiguration-tagged](./mediatailor-playbackconfiguration-tagged.html)
+ [memorydb-subnetgroup-tagged](./memorydb-subnetgroup-tagged.html)
+ [mq-active-broker-ldap-authentication](./mq-active-broker-ldap-authentication.html)
+ [mq-active-deployment-mode](./mq-active-deployment-mode.html)
+ [mq-active-single-instance-broker-storage-type-efs](./mq-active-single-instance-broker-storage-type-efs.html)
+ [mq-auto-minor-version-upgrade-enabled](./mq-auto-minor-version-upgrade-enabled.html)
+ [mq-broker-general-logging-enabled](./mq-broker-general-logging-enabled.html)
+ [mq-cloudwatch-audit-log-enabled](./mq-cloudwatch-audit-log-enabled.html)
+ [mq-rabbit-deployment-mode](./mq-rabbit-deployment-mode.html)
+ [msk-cluster-public-access-disabled](./msk-cluster-public-access-disabled.html)
+ [msk-cluster-tagged](./msk-cluster-tagged.html)
+ [msk-connect-connector-logging-enabled](./msk-connect-connector-logging-enabled.html)
+ [msk-enhanced-monitoring-enabled](./msk-enhanced-monitoring-enabled.html)
+ [msk-in-cluster-node-require-tls](./msk-in-cluster-node-require-tls.html)
+ [msk-unrestricted-access-check](./msk-unrestricted-access-check.html)
+ [nacl-no-unrestricted-ssh-rdp](./nacl-no-unrestricted-ssh-rdp.html)
+ [neptune-cluster-backup-retention-check](./neptune-cluster-backup-retention-check.html)
+ [neptune-cluster-cloudwatch-log-export-enabled](./neptune-cluster-cloudwatch-log-export-enabled.html)
+ [neptune-cluster-copy-tags-to-snapshot-enabled](./neptune-cluster-copy-tags-to-snapshot-enabled.html)
+ [neptune-cluster-deletion-protection-enabled](./neptune-cluster-deletion-protection-enabled.html)
+ [neptune-cluster-encrypted](./neptune-cluster-encrypted.html)
+ [neptune-cluster-iam-database-authentication](./neptune-cluster-iam-database-authentication.html)
+ [neptune-cluster-multi-az-enabled](./neptune-cluster-multi-az-enabled.html)
+ [neptune-cluster-snapshot-encrypted](./neptune-cluster-snapshot-encrypted.html)
+ [neptune-cluster-snapshot-iam-database-auth-enabled](./neptune-cluster-snapshot-iam-database-auth-enabled.html)
+ [neptune-cluster-snapshot-public-prohibited](./neptune-cluster-snapshot-public-prohibited.html)
+ [netfw-deletion-protection-enabled](./netfw-deletion-protection-enabled.html)
+ [netfw-multi-az-enabled](./netfw-multi-az-enabled.html)
+ [netfw-policy-default-action-fragment-packets](./netfw-policy-default-action-fragment-packets.html)
+ [netfw-policy-default-action-full-packets](./netfw-policy-default-action-full-packets.html)
+ [netfw-policy-rule-group-associated](./netfw-policy-rule-group-associated.html)
+ [netfw-stateless-rule-group-not-empty](./netfw-stateless-rule-group-not-empty.html)
+ [netfw-subnet-change-protection-enabled](./netfw-subnet-change-protection-enabled.html)
+ [nlb-cross-zone-load-balancing-enabled](./nlb-cross-zone-load-balancing-enabled.html)
+ [nlb-internal-scheme-check](./nlb-internal-scheme-check.html)
+ [nlb-listener-tagged](./nlb-listener-tagged.html)
+ [nlb-tagged](./nlb-tagged.html)
+ [opensearchserverless-collection-description](./opensearchserverless-collection-description.html)
+ [opensearchserverless-collection-standbyreplicas-enabled](./opensearchserverless-collection-standbyreplicas-enabled.html)
+ [opensearch-access-control-enabled](./opensearch-access-control-enabled.html)
+ [opensearch-audit-logging-enabled](./opensearch-audit-logging-enabled.html)
+ [opensearch-data-node-fault-tolerance](./opensearch-data-node-fault-tolerance.html)
+ [opensearch-encrypted-at-rest](./opensearch-encrypted-at-rest.html)
+ [opensearch-https-required](./opensearch-https-required.html)
+ [opensearch-in-vpc-only](./opensearch-in-vpc-only.html)
+ [opensearch-logs-to-cloudwatch](./opensearch-logs-to-cloudwatch.html)
+ [opensearch-node-to-node-encryption-check](./opensearch-node-to-node-encryption-check.html)
+ [opensearch-primary-node-fault-tolerance](./opensearch-primary-node-fault-tolerance.html)
+ [opensearch-update-check](./opensearch-update-check.html)
+ [panorama-package-tagged](./panorama-package-tagged.html)
+ [rabbit-mq-supported-version](./rabbit-mq-supported-version.html)
+ [rds-aurora-mysql-audit-logging-enabled](./rds-aurora-mysql-audit-logging-enabled.html)
+ [rds-aurora-postgresql-logs-to-cloudwatch](./rds-aurora-postgresql-logs-to-cloudwatch.html)
+ [rds-automatic-minor-version-upgrade-enabled](./rds-automatic-minor-version-upgrade-enabled.html)
+ [rds-cluster-auto-minor-version-upgrade-enable](./rds-cluster-auto-minor-version-upgrade-enable.html)
+ [rds-cluster-backup-retention-check](./rds-cluster-backup-retention-check.html)
+ [rds-cluster-default-admin-check](./rds-cluster-default-admin-check.html)
+ [rds-cluster-deletion-protection-enabled](./rds-cluster-deletion-protection-enabled.html)
+ [rds-cluster-encrypted-at-rest](./rds-cluster-encrypted-at-rest.html)
+ [rds-cluster-iam-authentication-enabled](./rds-cluster-iam-authentication-enabled.html)
+ [rds-cluster-multi-az-enabled](./rds-cluster-multi-az-enabled.html)
+ [rds-db-security-group-not-allowed](./rds-db-security-group-not-allowed.html)
+ [rds-enhanced-monitoring-enabled](./rds-enhanced-monitoring-enabled.html)
+ [rds-event-subscription-tagged](./rds-event-subscription-tagged.html)
+ [rds-global-cluster-aurora-mysql-supported-version](./rds-global-cluster-aurora-mysql-supported-version.html)
+ [rds-instance-default-admin-check](./rds-instance-default-admin-check.html)
+ [rds-instance-deletion-protection-enabled](./rds-instance-deletion-protection-enabled.html)
+ [rds-instance-iam-authentication-enabled](./rds-instance-iam-authentication-enabled.html)
+ [rds-instance-public-access-check](./rds-instance-public-access-check.html)
+ [rds-logging-enabled](./rds-logging-enabled.html)
+ [rds-multi-az-support](./rds-multi-az-support.html)
+ [rds-mysql-cluster-copy-tags-to-snapshot-check](./rds-mysql-cluster-copy-tags-to-snapshot-check.html)
+ [rds-option-group-tagged](./rds-option-group-tagged.html)
+ [rds-pgsql-cluster-copy-tags-to-snapshot-check](./rds-pgsql-cluster-copy-tags-to-snapshot-check.html)
+ [rds-postgresql-logs-to-cloudwatch](./rds-postgresql-logs-to-cloudwatch.html)
+ [rds-snapshots-public-prohibited](./rds-snapshots-public-prohibited.html)
+ [rds-snapshot-encrypted](./rds-snapshot-encrypted.html)
+ [rds-sql-server-logs-to-cloudwatch](./rds-sql-server-logs-to-cloudwatch.html)
+ [rds-storage-encrypted](./rds-storage-encrypted.html)
+ [redshift-audit-logging-enabled](./redshift-audit-logging-enabled.html)
+ [redshift-backup-enabled](./redshift-backup-enabled.html)
+ [redshift-cluster-configuration-check](./redshift-cluster-configuration-check.html)
+ [redshift-cluster-kms-enabled](./redshift-cluster-kms-enabled.html)
+ [redshift-cluster-maintenancesettings-check](./redshift-cluster-maintenancesettings-check.html)
+ [redshift-cluster-multi-az-enabled](./redshift-cluster-multi-az-enabled.html)
+ [redshift-cluster-parameter-group-tagged](./redshift-cluster-parameter-group-tagged.html)
+ [redshift-cluster-public-access-check](./redshift-cluster-public-access-check.html)
+ [redshift-cluster-subnet-group-multi-az](./redshift-cluster-subnet-group-multi-az.html)
+ [redshift-default-admin-check](./redshift-default-admin-check.html)
+ [redshift-default-db-name-check](./redshift-default-db-name-check.html)
+ [redshift-enhanced-vpc-routing-enabled](./redshift-enhanced-vpc-routing-enabled.html)
+ [redshift-require-tls-ssl](./redshift-require-tls-ssl.html)
+ [required-tags](./required-tags.html)
+ [resiliencehub-app-tagged](./resiliencehub-app-tagged.html)
+ [resiliencehub-resiliencypolicy-tagged](./resiliencehub-resiliencypolicy-tagged.html)
+ [route53-health-check-tagged](./route53-health-check-tagged.html)
+ [route53-hosted-zone-tagged](./route53-hosted-zone-tagged.html)
+ [route53-query-logging-enabled](./route53-query-logging-enabled.html)
+ [route53-recovery-control-cluster-tagged](./route53-recovery-control-cluster-tagged.html)
+ [route53-recovery-readiness-cell-tagged](./route53-recovery-readiness-cell-tagged.html)
+ [route53-recovery-readiness-readiness-check-tagged](./route53-recovery-readiness-readiness-check-tagged.html)
+ [route53-recovery-readiness-recovery-group-tagged](./route53-recovery-readiness-recovery-group-tagged.html)
+ [route53-recovery-readiness-resource-set-tagged](./route53-recovery-readiness-resource-set-tagged.html)
+ [route53-resolver-firewall-domain-list-tagged](./route53-resolver-firewall-domain-list-tagged.html)
+ [route53-resolver-firewall-rule-group-association-tagged](./route53-resolver-firewall-rule-group-association-tagged.html)
+ [route53-resolver-firewall-rule-group-tagged](./route53-resolver-firewall-rule-group-tagged.html)
+ [route53-resolver-resolver-endpoint-tagged](./route53-resolver-resolver-endpoint-tagged.html)
+ [route53-resolver-resolver-rule-tagged](./route53-resolver-resolver-rule-tagged.html)
+ [rum-app-monitor-cloudwatch-logs-enabled](./rum-app-monitor-cloudwatch-logs-enabled.html)
+ [rum-app-monitor-tagged](./rum-app-monitor-tagged.html)
+ [s3express-dir-bucket-lifecycle-rules-check](./s3express-dir-bucket-lifecycle-rules-check.html)
+ [s3-access-point-in-vpc-only](./s3-access-point-in-vpc-only.html)
+ [s3-access-point-public-access-blocks](./s3-access-point-public-access-blocks.html)
+ [s3-account-level-public-access-blocks](./s3-account-level-public-access-blocks.html)
+ [s3-bucket-acl-prohibited](./s3-bucket-acl-prohibited.html)
+ [s3-bucket-blacklisted-actions-prohibited](./s3-bucket-blacklisted-actions-prohibited.html)
+ [s3-bucket-cross-region-replication-enabled](./s3-bucket-cross-region-replication-enabled.html)
+ [s3-bucket-default-lock-enabled](./s3-bucket-default-lock-enabled.html)
+ [s3-bucket-level-public-access-prohibited](./s3-bucket-level-public-access-prohibited.html)
+ [s3-bucket-logging-enabled](./s3-bucket-logging-enabled.html)
+ [s3-bucket-mfa-delete-enabled](./s3-bucket-mfa-delete-enabled.html)
+ [s3-bucket-policy-grantee-check](./s3-bucket-policy-grantee-check.html)
+ [s3-bucket-policy-not-more-permissive](./s3-bucket-policy-not-more-permissive.html)
+ [s3-bucket-replication-enabled](./s3-bucket-replication-enabled.html)
+ [s3-bucket-server-side-encryption-enabled](./s3-bucket-server-side-encryption-enabled.html)
+ [s3-bucket-ssl-requests-only](./s3-bucket-ssl-requests-only.html)
+ [s3-bucket-tagged](./s3-bucket-tagged.html)
+ [s3-bucket-versioning-enabled](./s3-bucket-versioning-enabled.html)
+ [s3-default-encryption-kms](./s3-default-encryption-kms.html)
+ [s3-directory-bucket-lifecycle-policy-rule-check](./s3-directory-bucket-lifecycle-policy-rule-check.html)
+ [s3-event-notifications-enabled](./s3-event-notifications-enabled.html)
+ [s3-lifecycle-policy-check](./s3-lifecycle-policy-check.html)
+ [s3-version-lifecycle-policy-check](./s3-version-lifecycle-policy-check.html)
+ [sagemaker-app-image-config-tagged](./sagemaker-app-image-config-tagged.html)
+ [sagemaker-data-quality-job-encrypt-in-transit](./sagemaker-data-quality-job-encrypt-in-transit.html)
+ [sagemaker-data-quality-job-isolation](./sagemaker-data-quality-job-isolation.html)
+ [sagemaker-domain-in-vpc](./sagemaker-domain-in-vpc.html)
+ [sagemaker-domain-tagged](./sagemaker-domain-tagged.html)
+ [sagemaker-featuregroup-description](./sagemaker-featuregroup-description.html)
+ [sagemaker-featuregroup-encryption-at-rest](./sagemaker-featuregroup-encryption-at-rest.html)
+ [sagemaker-feature-group-tagged](./sagemaker-feature-group-tagged.html)
+ [sagemaker-image-description](./sagemaker-image-description.html)
+ [sagemaker-image-tagged](./sagemaker-image-tagged.html)
+ [sagemaker-inferenceexperiment-tagged](./sagemaker-inferenceexperiment-tagged.html)
+ [sagemaker-model-bias-job-encrypt-in-transit](./sagemaker-model-bias-job-encrypt-in-transit.html)
+ [sagemaker-model-bias-job-isolation](./sagemaker-model-bias-job-isolation.html)
+ [sagemaker-model-explainability-job-encrypt-in-transit](./sagemaker-model-explainability-job-encrypt-in-transit.html)
+ [sagemaker-model-in-vpc](./sagemaker-model-in-vpc.html)
+ [sagemaker-model-isolation-enabled](./sagemaker-model-isolation-enabled.html)
+ [sagemaker-model-private-registry-required](./sagemaker-model-private-registry-required.html)
+ [sagemaker-model-quality-job-encrypt-in-transit](./sagemaker-model-quality-job-encrypt-in-transit.html)
+ [sagemaker-monitoring-schedule-isolation](./sagemaker-monitoring-schedule-isolation.html)
+ [sagemaker-notebook-instance-inside-vpc](./sagemaker-notebook-instance-inside-vpc.html)
+ [sagemaker-notebook-instance-root-access-check](./sagemaker-notebook-instance-root-access-check.html)
+ [secretsmanager-rotation-enabled-check](./secretsmanager-rotation-enabled-check.html)
+ [secretsmanager-scheduled-rotation-success-check](./secretsmanager-scheduled-rotation-success-check.html)
+ [secretsmanager-using-cmk](./secretsmanager-using-cmk.html)
+ [service-catalog-portfolio-tagged](./service-catalog-portfolio-tagged.html)
+ [service-catalog-shared-within-organization](./service-catalog-shared-within-organization.html)
+ [ses-sending-tls-required](./ses-sending-tls-required.html)
+ [signer-signingprofile-tagged](./signer-signingprofile-tagged.html)
+ [sns-encrypted-kms](./sns-encrypted-kms.html)
+ [sns-topic-message-delivery-notification-enabled](./sns-topic-message-delivery-notification-enabled.html)
+ [sns-topic-no-public-access](./sns-topic-no-public-access.html)
+ [sqs-queue-dlq-check](./sqs-queue-dlq-check.html)
+ [sqs-queue-no-public-access](./sqs-queue-no-public-access.html)
+ [sqs-queue-policy-full-access-check](./sqs-queue-policy-full-access-check.html)
+ [ssm-document-tagged](./ssm-document-tagged.html)
+ [stepfunctions-state-machine-tagged](./stepfunctions-state-machine-tagged.html)
+ [step-functions-state-machine-logging-enabled](./step-functions-state-machine-logging-enabled.html)
+ [subnet-auto-assign-public-ip-disabled](./subnet-auto-assign-public-ip-disabled.html)
+ [transfer-agreement-description](./transfer-agreement-description.html)
+ [transfer-agreement-tagged](./transfer-agreement-tagged.html)
+ [transfer-certificate-description](./transfer-certificate-description.html)
+ [transfer-certificate-tagged](./transfer-certificate-tagged.html)
+ [transfer-connector-as2-encryption-algorithm-check](./transfer-connector-as2-encryption-algorithm-check.html)
+ [transfer-connector-as2-mdn-signing-algorithm-check](./transfer-connector-as2-mdn-signing-algorithm-check.html)
+ [transfer-connector-as2-signing-algorithm-check](./transfer-connector-as2-signing-algorithm-check.html)
+ [transfer-connector-logging-enabled](./transfer-connector-logging-enabled.html)
+ [transfer-connector-tagged](./transfer-connector-tagged.html)
+ [transfer-profile-tagged](./transfer-profile-tagged.html)
+ [transfer-workflow-description](./transfer-workflow-description.html)
+ [transfer-workflow-tagged](./transfer-workflow-tagged.html)
+ [vpc-default-security-group-closed](./vpc-default-security-group-closed.html)
+ [vpc-network-acl-unused-check](./vpc-network-acl-unused-check.html)
+ [vpc-peering-dns-resolution-check](./vpc-peering-dns-resolution-check.html)
+ [vpc-vpn-2-tunnels-up](./vpc-vpn-2-tunnels-up.html)
+ [wafv2-rulegroup-logging-enabled](./wafv2-rulegroup-logging-enabled.html)
+ [wafv2-rulegroup-not-empty](./wafv2-rulegroup-not-empty.html)
+ [wafv2-webacl-not-empty](./wafv2-webacl-not-empty.html)
+ [waf-global-rulegroup-not-empty](./waf-global-rulegroup-not-empty.html)
+ [waf-global-rule-not-empty](./waf-global-rule-not-empty.html)
+ [waf-global-webacl-not-empty](./waf-global-webacl-not-empty.html)
+ [waf-regional-rulegroup-not-empty](./waf-regional-rulegroup-not-empty.html)
+ [waf-regional-rule-not-empty](./waf-regional-rule-not-empty.html)
+ [waf-regional-webacl-not-empty](./waf-regional-webacl-not-empty.html)
+ [workspaces-connection-alias-tagged](./workspaces-connection-alias-tagged.html)
+ [workspaces-root-volume-encryption-enabled](./workspaces-root-volume-encryption-enabled.html)
+ [workspaces-user-volume-encryption-enabled](./workspaces-user-volume-encryption-enabled.html)
+ [workspaces-workspace-tagged](./workspaces-workspace-tagged.html)

## Periodic
<a name="periodic-section-head"></a>

*Periodic rules* are rules that AWS Config evaluates periodically at a frequency that you specify; for example, every 24 hours.

### Periodic
<a name="periodic"></a>
+ [access-keys-rotated](./access-keys-rotated.html)
+ [account-part-of-organizations](./account-part-of-organizations.html)
+ [acm-pca-root-ca-disabled](./acm-pca-root-ca-disabled.html)
+ [alb-http-to-https-redirection-check](./alb-http-to-https-redirection-check.html)
+ [api-gwv2-authorization-type-configured](./api-gwv2-authorization-type-configured.html)
+ [appsync-associated-with-waf](./appsync-associated-with-waf.html)
+ [appsync-cache-encryption-at-rest](./appsync-cache-encryption-at-rest.html)
+ [aurora-last-backup-recovery-point-created](./aurora-last-backup-recovery-point-created.html)
+ [aurora-meets-restore-time-target](./aurora-meets-restore-time-target.html)
+ [aurora-mysql-cluster-audit-logging](./aurora-mysql-cluster-audit-logging.html)
+ [aurora-resources-in-logically-air-gapped-vault](./aurora-resources-in-logically-air-gapped-vault.html)
+ [aurora-resources-protected-by-backup-plan](./aurora-resources-protected-by-backup-plan.html)
+ [cloudfront-s3-origin-non-existent-bucket](./cloudfront-s3-origin-non-existent-bucket.html)
+ [cloudtrail-all-read-s3-data-event-check](./cloudtrail-all-read-s3-data-event-check.html)
+ [cloudtrail-all-write-s3-data-event-check](./cloudtrail-all-write-s3-data-event-check.html)
+ [cloudtrail-s3-bucket-access-logging](./cloudtrail-s3-bucket-access-logging.html)
+ [cloudtrail-s3-bucket-public-access-prohibited](./cloudtrail-s3-bucket-public-access-prohibited.html)
+ [cloudtrail-s3-dataevents-enabled](./cloudtrail-s3-dataevents-enabled.html)
+ [cloudtrail-security-trail-enabled](./cloudtrail-security-trail-enabled.html)
+ [cloudwatch-alarm-resource-check](./cloudwatch-alarm-resource-check.html)
+ [cloudwatch-log-group-encrypted](./cloudwatch-log-group-encrypted.html)
+ [cloud-trail-cloud-watch-logs-enabled](./cloud-trail-cloud-watch-logs-enabled.html)
+ [cloud-trail-enabled](./cloud-trail-enabled.html)
+ [cloud-trail-encryption-enabled](./cloud-trail-encryption-enabled.html)
+ [cloud-trail-log-file-validation-enabled](./cloud-trail-log-file-validation-enabled.html)
+ [cmk-backing-key-rotation-enabled](./cmk-backing-key-rotation-enabled.html)
+ [custom-schema-registry-policy-attached](./custom-schema-registry-policy-attached.html)
+ [cw-loggroup-retention-period-check](./cw-loggroup-retention-period-check.html)
+ [dax-encryption-enabled](./dax-encryption-enabled.html)
+ [dax-tls-endpoint-encryption](./dax-tls-endpoint-encryption.html)
+ [dms-replication-not-public](./dms-replication-not-public.html)
+ [docdb-cluster-encrypted-in-transit](./docdb-cluster-encrypted-in-transit.html)
+ [dynamodb-autoscaling-enabled](./dynamodb-autoscaling-enabled.html)
+ [dynamodb-in-backup-plan](./dynamodb-in-backup-plan.html)
+ [dynamodb-last-backup-recovery-point-created](./dynamodb-last-backup-recovery-point-created.html)
+ [dynamodb-meets-restore-time-target](./dynamodb-meets-restore-time-target.html)
+ [dynamodb-resources-protected-by-backup-plan](./dynamodb-resources-protected-by-backup-plan.html)
+ [dynamodb-throughput-limit-check](./dynamodb-throughput-limit-check.html)
+ [ebs-in-backup-plan](./ebs-in-backup-plan.html)
+ [ebs-last-backup-recovery-point-created](./ebs-last-backup-recovery-point-created.html)
+ [ebs-meets-restore-time-target](./ebs-meets-restore-time-target.html)
+ [ebs-resources-in-logically-air-gapped-vault](./ebs-resources-in-logically-air-gapped-vault.html)
+ [ebs-resources-protected-by-backup-plan](./ebs-resources-protected-by-backup-plan.html)
+ [ebs-snapshot-public-restorable-check](./ebs-snapshot-public-restorable-check.html)
+ [ec2-client-vpn-not-authorize-all](./ec2-client-vpn-not-authorize-all.html)
+ [ec2-ebs-encryption-by-default](./ec2-ebs-encryption-by-default.html)
+ [ec2-last-backup-recovery-point-created](./ec2-last-backup-recovery-point-created.html)
+ [ec2-meets-restore-time-target](./ec2-meets-restore-time-target.html)
+ [ec2-resources-in-logically-air-gapped-vault](./ec2-resources-in-logically-air-gapped-vault.html)
+ [ec2-resources-protected-by-backup-plan](./ec2-resources-protected-by-backup-plan.html)
+ [ec2-security-group-attached-to-eni-periodic](./ec2-security-group-attached-to-eni-periodic.html)
+ [ec2-stopped-instance](./ec2-stopped-instance.html)
+ [ecr-private-image-scanning-enabled](./ecr-private-image-scanning-enabled.html)
+ [efs-encrypted-check](./efs-encrypted-check.html)
+ [efs-in-backup-plan](./efs-in-backup-plan.html)
+ [efs-last-backup-recovery-point-created](./efs-last-backup-recovery-point-created.html)
+ [efs-meets-restore-time-target](./efs-meets-restore-time-target.html)
+ [efs-mount-target-public-accessible](./efs-mount-target-public-accessible.html)
+ [efs-resources-in-logically-air-gapped-vault](./efs-resources-in-logically-air-gapped-vault.html)
+ [efs-resources-protected-by-backup-plan](./efs-resources-protected-by-backup-plan.html)
+ [eks-cluster-logging-enabled](./eks-cluster-logging-enabled.html)
+ [eks-cluster-secrets-encrypted](./eks-cluster-secrets-encrypted.html)
+ [eks-endpoint-no-public-access](./eks-endpoint-no-public-access.html)
+ [eks-secrets-encrypted](./eks-secrets-encrypted.html)
+ [elasticache-automatic-backup-check-enabled](./elasticache-automatic-backup-check-enabled.html)
+ [elasticache-auto-minor-version-upgrade-check](./elasticache-auto-minor-version-upgrade-check.html)
+ [elasticache-rbac-auth-enabled](./elasticache-rbac-auth-enabled.html)
+ [elasticache-redis-cluster-automatic-backup-check](./elasticache-redis-cluster-automatic-backup-check.html)
+ [elasticache-repl-grp-auto-failover-enabled](./elasticache-repl-grp-auto-failover-enabled.html)
+ [elasticache-repl-grp-encrypted-at-rest](./elasticache-repl-grp-encrypted-at-rest.html)
+ [elasticache-repl-grp-encrypted-in-transit](./elasticache-repl-grp-encrypted-in-transit.html)
+ [elasticache-repl-grp-redis-auth-enabled](./elasticache-repl-grp-redis-auth-enabled.html)
+ [elasticache-subnet-group-check](./elasticache-subnet-group-check.html)
+ [elasticache-supported-engine-version](./elasticache-supported-engine-version.html)
+ [elasticsearch-encrypted-at-rest](./elasticsearch-encrypted-at-rest.html)
+ [elasticsearch-in-vpc-only](./elasticsearch-in-vpc-only.html)
+ [elbv2-acm-certificate-required](./elbv2-acm-certificate-required.html)
+ [emr-block-public-access](./emr-block-public-access.html)
+ [emr-kerberos-enabled](./emr-kerberos-enabled.html)
+ [emr-master-no-public-ip](./emr-master-no-public-ip.html)
+ [event-data-store-cmk-encryption-enabled](./event-data-store-cmk-encryption-enabled.html)
+ [fsx-last-backup-recovery-point-created](./fsx-last-backup-recovery-point-created.html)
+ [fsx-lustre-copy-tags-to-backups](./fsx-lustre-copy-tags-to-backups.html)
+ [fsx-meets-restore-time-target](./fsx-meets-restore-time-target.html)
+ [fsx-ontap-deployment-type-check](./fsx-ontap-deployment-type-check.html)
+ [fsx-openzfs-copy-tags-enabled](./fsx-openzfs-copy-tags-enabled.html)
+ [fsx-openzfs-deployment-type-check](./fsx-openzfs-deployment-type-check.html)
+ [fsx-resources-protected-by-backup-plan](./fsx-resources-protected-by-backup-plan.html)
+ [fsx-windows-audit-log-configured](./fsx-windows-audit-log-configured.html)
+ [fsx-windows-deployment-type-check](./fsx-windows-deployment-type-check.html)
+ [guardduty-ec2-protection-runtime-enabled](./guardduty-ec2-protection-runtime-enabled.html)
+ [guardduty-ecs-protection-runtime-enabled](./guardduty-ecs-protection-runtime-enabled.html)
+ [guardduty-eks-protection-audit-enabled](./guardduty-eks-protection-audit-enabled.html)
+ [guardduty-eks-protection-runtime-enabled](./guardduty-eks-protection-runtime-enabled.html)
+ [guardduty-enabled-centralized](./guardduty-enabled-centralized.html)
+ [guardduty-lambda-protection-enabled](./guardduty-lambda-protection-enabled.html)
+ [guardduty-malware-protection-enabled](./guardduty-malware-protection-enabled.html)
+ [guardduty-non-archived-findings](./guardduty-non-archived-findings.html)
+ [guardduty-rds-protection-enabled](./guardduty-rds-protection-enabled.html)
+ [guardduty-runtime-monitoring-enabled](./guardduty-runtime-monitoring-enabled.html)
+ [guardduty-s3-protection-enabled](./guardduty-s3-protection-enabled.html)
+ [iam-external-access-analyzer-enabled](./iam-external-access-analyzer-enabled.html)
+ [iam-password-policy](./iam-password-policy.html)
+ [iam-policy-in-use](./iam-policy-in-use.html)
+ [iam-root-access-key-check](./iam-root-access-key-check.html)
+ [iam-server-certificate-expiration-check](./iam-server-certificate-expiration-check.html)
+ [iam-user-mfa-enabled](./iam-user-mfa-enabled.html)
+ [iam-user-unused-credentials-check](./iam-user-unused-credentials-check.html)
+ [inspector-ec2-scan-enabled](./inspector-ec2-scan-enabled.html)
+ [inspector-ecr-scan-enabled](./inspector-ecr-scan-enabled.html)
+ [inspector-lambda-code-scan-enabled](./inspector-lambda-code-scan-enabled.html)
+ [inspector-lambda-standard-scan-enabled](./inspector-lambda-standard-scan-enabled.html)
+ [kinesis-firehose-delivery-stream-encrypted](./kinesis-firehose-delivery-stream-encrypted.html)
+ [kms-cmk-not-scheduled-for-deletion](./kms-cmk-not-scheduled-for-deletion.html)
+ [macie-auto-sensitive-data-discovery-check](./macie-auto-sensitive-data-discovery-check.html)
+ [macie-status-check](./macie-status-check.html)
+ [mariadb-publish-logs-to-cloudwatch-logs](./mariadb-publish-logs-to-cloudwatch-logs.html)
+ [mfa-enabled-for-iam-console-access](./mfa-enabled-for-iam-console-access.html)
+ [mq-automatic-minor-version-upgrade-enabled](./mq-automatic-minor-version-upgrade-enabled.html)
+ [mq-cloudwatch-audit-logging-enabled](./mq-cloudwatch-audit-logging-enabled.html)
+ [mq-no-public-access](./mq-no-public-access.html)
+ [multi-region-cloud-trail-enabled](./multi-region-cloud-trail-enabled.html)
+ [netfw-logging-enabled](./netfw-logging-enabled.html)
+ [nlb-logging-enabled](./nlb-logging-enabled.html)
+ [rds-instance-subnet-igw-check](./rds-instance-subnet-igw-check.html)
+ [rds-in-backup-plan](./rds-in-backup-plan.html)
+ [rds-last-backup-recovery-point-created](./rds-last-backup-recovery-point-created.html)
+ [rds-mariadb-instance-encrypted-in-transit](./rds-mariadb-instance-encrypted-in-transit.html)
+ [rds-meets-restore-time-target](./rds-meets-restore-time-target.html)
+ [rds-mysql-instance-encrypted-in-transit](./rds-mysql-instance-encrypted-in-transit.html)
+ [rds-postgres-instance-encrypted-in-transit](./rds-postgres-instance-encrypted-in-transit.html)
+ [rds-proxy-tls-encryption](./rds-proxy-tls-encryption.html)
+ [rds-resources-protected-by-backup-plan](./rds-resources-protected-by-backup-plan.html)
+ [rds-sqlserver-encrypted-in-transit](./rds-sqlserver-encrypted-in-transit.html)
+ [redshift-serverless-default-admin-check](./redshift-serverless-default-admin-check.html)
+ [redshift-serverless-default-db-name-check](./redshift-serverless-default-db-name-check.html)
+ [redshift-serverless-namespace-cmk-encryption](./redshift-serverless-namespace-cmk-encryption.html)
+ [redshift-serverless-publish-logs-to-cloudwatch](./redshift-serverless-publish-logs-to-cloudwatch.html)
+ [redshift-serverless-workgroup-encrypted-in-transit](./redshift-serverless-workgroup-encrypted-in-transit.html)
+ [redshift-serverless-workgroup-no-public-access](./redshift-serverless-workgroup-no-public-access.html)
+ [redshift-serverless-workgroup-routes-within-vpc](./redshift-serverless-workgroup-routes-within-vpc.html)
+ [redshift-unrestricted-port-access](./redshift-unrestricted-port-access.html)
+ [root-account-hardware-mfa-enabled](./root-account-hardware-mfa-enabled.html)
+ [root-account-mfa-enabled](./root-account-mfa-enabled.html)
+ [s3-account-level-public-access-blocks-periodic](./s3-account-level-public-access-blocks-periodic.html)
+ [s3-last-backup-recovery-point-created](./s3-last-backup-recovery-point-created.html)
+ [s3-meets-restore-time-target](./s3-meets-restore-time-target.html)
+ [s3-resources-in-logically-air-gapped-vault](./s3-resources-in-logically-air-gapped-vault.html)
+ [s3-resources-protected-by-backup-plan](./s3-resources-protected-by-backup-plan.html)
+ [sagemaker-endpoint-configuration-kms-key-configured](./sagemaker-endpoint-configuration-kms-key-configured.html)
+ [sagemaker-endpoint-config-prod-instance-count](./sagemaker-endpoint-config-prod-instance-count.html)
+ [sagemaker-notebook-instance-kms-key-configured](./sagemaker-notebook-instance-kms-key-configured.html)
+ [sagemaker-notebook-instance-platform-version](./sagemaker-notebook-instance-platform-version.html)
+ [sagemaker-notebook-no-direct-internet-access](./sagemaker-notebook-no-direct-internet-access.html)
+ [secretsmanager-secret-periodic-rotation](./secretsmanager-secret-periodic-rotation.html)
+ [secretsmanager-secret-unused](./secretsmanager-secret-unused.html)
+ [securityhub-enabled](./securityhub-enabled.html)
+ [security-account-information-provided](./security-account-information-provided.html)
+ [service-vpc-endpoint-enabled](./service-vpc-endpoint-enabled.html)
+ [ses-malware-scanning-enabled](./ses-malware-scanning-enabled.html)
+ [shield-advanced-enabled-autorenew](./shield-advanced-enabled-autorenew.html)
+ [shield-drt-access](./shield-drt-access.html)
+ [ssm-automation-block-public-sharing](./ssm-automation-block-public-sharing.html)
+ [ssm-automation-logging-enabled](./ssm-automation-logging-enabled.html)
+ [ssm-document-not-public](./ssm-document-not-public.html)
+ [storagegateway-last-backup-recovery-point-created](./storagegateway-last-backup-recovery-point-created.html)
+ [storagegateway-resources-in-logically-air-gapped-vault](./storagegateway-resources-in-logically-air-gapped-vault.html)
+ [storagegateway-resources-protected-by-backup-plan](./storagegateway-resources-protected-by-backup-plan.html)
+ [transfer-family-server-no-ftp](./transfer-family-server-no-ftp.html)
+ [virtualmachine-last-backup-recovery-point-created](./virtualmachine-last-backup-recovery-point-created.html)
+ [virtualmachine-resources-in-logically-air-gapped-vault](./virtualmachine-resources-in-logically-air-gapped-vault.html)
+ [virtualmachine-resources-protected-by-backup-plan](./virtualmachine-resources-protected-by-backup-plan.html)
+ [vpc-endpoint-enabled](./vpc-endpoint-enabled.html)
+ [vpc-flow-logs-enabled](./vpc-flow-logs-enabled.html)
+ [vpc-sg-port-restriction-check](./vpc-sg-port-restriction-check.html)
+ [wafv2-logging-enabled](./wafv2-logging-enabled.html)
+ [waf-classic-logging-enabled](./waf-classic-logging-enabled.html)

## Hybrid
<a name="hybrid-section-head"></a>

*Hybrid rules* are rules that AWS Config evaluates both in response to configuration changes and periodically.

### Hybrid
<a name="hybrid"></a>
+ [acm-certificate-expiration-check](./acm-certificate-expiration-check.html)
+ [cloudformation-stack-drift-detection-check](./cloudformation-stack-drift-detection-check.html)
+ [ec2-instance-launched-with-allowed-ami](./ec2-instance-launched-with-allowed-ami.html)
+ [incoming-ssh-disabled](./incoming-ssh-disabled.html)
+ [no-unrestricted-route-to-igw](./no-unrestricted-route-to-igw.html)
+ [restricted-incoming-traffic](./restricted-incoming-traffic.html)
+ [s3-bucket-public-read-prohibited](./s3-bucket-public-read-prohibited.html)
+ [s3-bucket-public-write-prohibited](./s3-bucket-public-write-prohibited.html)
+ [vpc-sg-open-only-to-authorized-ports](./vpc-sg-open-only-to-authorized-ports.html)

# List of AWS Config Managed Rules by Region Availability
<a name="managing-rules-by-region-availability"></a>

AWS Config currently supports the following managed rules. Before using these rules, see [Considerations](evaluate-config.md#evaluate-config-considerations).

## US East (Ohio) Region
<a name="us-east-ohio-section-head"></a>

### US East (Ohio)
<a name="us-east-ohio"></a>
+ [access-keys-rotated](./access-keys-rotated.html)
+ [account-part-of-organizations](./account-part-of-organizations.html)
+ [acmpca-certificate-authority-tagged](./acmpca-certificate-authority-tagged.html)
+ [acm-certificate-expiration-check](./acm-certificate-expiration-check.html)
+ [acm-certificate-rsa-check](./acm-certificate-rsa-check.html)
+ [acm-certificate-transparent-logging-enabled](./acm-certificate-transparent-logging-enabled.html)
+ [acm-pca-root-ca-disabled](./acm-pca-root-ca-disabled.html)
+ [active-mq-supported-version](./active-mq-supported-version.html)
+ [alb-desync-mode-check](./alb-desync-mode-check.html)
+ [alb-http-drop-invalid-header-enabled](./alb-http-drop-invalid-header-enabled.html)
+ [alb-http-to-https-redirection-check](./alb-http-to-https-redirection-check.html)
+ [alb-internal-scheme-check](./alb-internal-scheme-check.html)
+ [alb-listener-tagged](./alb-listener-tagged.html)
+ [alb-tagged](./alb-tagged.html)
+ [alb-waf-enabled](./alb-waf-enabled.html)
+ [amplify-app-branch-auto-deletion-enabled](./amplify-app-branch-auto-deletion-enabled.html)
+ [amplify-app-build-spec-configured](./amplify-app-build-spec-configured.html)
+ [amplify-app-description](./amplify-app-description.html)
+ [amplify-app-no-environment-variables](./amplify-app-no-environment-variables.html)
+ [amplify-app-platform-check](./amplify-app-platform-check.html)
+ [amplify-app-tagged](./amplify-app-tagged.html)
+ [amplify-branch-auto-build-enabled](./amplify-branch-auto-build-enabled.html)
+ [amplify-branch-build-spec-configured](./amplify-branch-build-spec-configured.html)
+ [amplify-branch-description](./amplify-branch-description.html)
+ [amplify-branch-framework-configured](./amplify-branch-framework-configured.html)
+ [amplify-branch-performance-mode-enabled](./amplify-branch-performance-mode-enabled.html)
+ [amplify-branch-pull-request-preview-enabled](./amplify-branch-pull-request-preview-enabled.html)
+ [amplify-branch-tagged](./amplify-branch-tagged.html)
+ [apigatewayv2-integration-private-https-enabled](./apigatewayv2-integration-private-https-enabled.html)
+ [apigatewayv2-stage-description](./apigatewayv2-stage-description.html)
+ [apigateway-domain-name-tls-check](./apigateway-domain-name-tls-check.html)
+ [apigateway-stage-access-logs-enabled](./apigateway-stage-access-logs-enabled.html)
+ [apigateway-stage-description](./apigateway-stage-description.html)
+ [api-gwv2-access-logs-enabled](./api-gwv2-access-logs-enabled.html)
+ [api-gwv2-authorization-type-configured](./api-gwv2-authorization-type-configured.html)
+ [api-gwv2-stage-default-route-detailed-metrics-enabled](./api-gwv2-stage-default-route-detailed-metrics-enabled.html)
+ [api-gw-associated-with-waf](./api-gw-associated-with-waf.html)
+ [api-gw-cache-enabled-and-encrypted](./api-gw-cache-enabled-and-encrypted.html)
+ [api-gw-endpoint-type-check](./api-gw-endpoint-type-check.html)
+ [api-gw-execution-logging-enabled](./api-gw-execution-logging-enabled.html)
+ [api-gw-rest-api-tagged](./api-gw-rest-api-tagged.html)
+ [api-gw-ssl-enabled](./api-gw-ssl-enabled.html)
+ [api-gw-stage-tagged](./api-gw-stage-tagged.html)
+ [api-gw-xray-enabled](./api-gw-xray-enabled.html)
+ [appconfig-application-description](./appconfig-application-description.html)
+ [appconfig-application-tagged](./appconfig-application-tagged.html)
+ [appconfig-configuration-profile-tagged](./appconfig-configuration-profile-tagged.html)
+ [appconfig-configuration-profile-validators-not-empty](./appconfig-configuration-profile-validators-not-empty.html)
+ [appconfig-deployment-strategy-description](./appconfig-deployment-strategy-description.html)
+ [appconfig-deployment-strategy-minimum-final-bake-time](./appconfig-deployment-strategy-minimum-final-bake-time.html)
+ [appconfig-deployment-strategy-replicate-to-ssm](./appconfig-deployment-strategy-replicate-to-ssm.html)
+ [appconfig-deployment-strategy-tagged](./appconfig-deployment-strategy-tagged.html)
+ [appconfig-environment-description](./appconfig-environment-description.html)
+ [appconfig-environment-tagged](./appconfig-environment-tagged.html)
+ [appconfig-extension-association-tagged](./appconfig-extension-association-tagged.html)
+ [appconfig-freeform-profile-config-storage](./appconfig-freeform-profile-config-storage.html)
+ [appconfig-hosted-configuration-version-description](./appconfig-hosted-configuration-version-description.html)
+ [appflow-flow-tagged](./appflow-flow-tagged.html)
+ [appflow-flow-trigger-type-check](./appflow-flow-trigger-type-check.html)
+ [appmesh-gateway-route-tagged](./appmesh-gateway-route-tagged.html)
+ [appmesh-mesh-deny-tcp-forwarding](./appmesh-mesh-deny-tcp-forwarding.html)
+ [appmesh-mesh-ip-pref-check](./appmesh-mesh-ip-pref-check.html)
+ [appmesh-mesh-tagged](./appmesh-mesh-tagged.html)
+ [appmesh-route-tagged](./appmesh-route-tagged.html)
+ [appmesh-virtual-gateway-backend-defaults-tls](./appmesh-virtual-gateway-backend-defaults-tls.html)
+ [appmesh-virtual-gateway-listeners-health-check-enabled](./appmesh-virtual-gateway-listeners-health-check-enabled.html)
+ [appmesh-virtual-gateway-logging-file-path-exists](./appmesh-virtual-gateway-logging-file-path-exists.html)
+ [appmesh-virtual-gateway-tagged](./appmesh-virtual-gateway-tagged.html)
+ [appmesh-virtual-node-backend-defaults-tls-on](./appmesh-virtual-node-backend-defaults-tls-on.html)
+ [appmesh-virtual-node-cloud-map-ip-pref-check](./appmesh-virtual-node-cloud-map-ip-pref-check.html)
+ [appmesh-virtual-node-dns-ip-pref-check](./appmesh-virtual-node-dns-ip-pref-check.html)
+ [appmesh-virtual-node-listeners-health-check-enabled](./appmesh-virtual-node-listeners-health-check-enabled.html)
+ [appmesh-virtual-node-listeners-outlier-detect-enabled](./appmesh-virtual-node-listeners-outlier-detect-enabled.html)
+ [appmesh-virtual-node-logging-file-path-exists](./appmesh-virtual-node-logging-file-path-exists.html)
+ [appmesh-virtual-node-service-backends-tls-enforced](./appmesh-virtual-node-service-backends-tls-enforced.html)
+ [appmesh-virtual-node-tagged](./appmesh-virtual-node-tagged.html)
+ [appmesh-virtual-router-tagged](./appmesh-virtual-router-tagged.html)
+ [appmesh-virtual-service-tagged](./appmesh-virtual-service-tagged.html)
+ [approved-amis-by-id](./approved-amis-by-id.html)
+ [approved-amis-by-tag](./approved-amis-by-tag.html)
+ [apprunner-service-in-vpc](./apprunner-service-in-vpc.html)
+ [apprunner-service-ip-address-type-check](./apprunner-service-ip-address-type-check.html)
+ [apprunner-service-max-unhealthy-threshold](./apprunner-service-max-unhealthy-threshold.html)
+ [apprunner-service-no-public-access](./apprunner-service-no-public-access.html)
+ [apprunner-service-observability-enabled](./apprunner-service-observability-enabled.html)
+ [apprunner-service-tagged](./apprunner-service-tagged.html)
+ [apprunner-vpc-connector-tagged](./apprunner-vpc-connector-tagged.html)
+ [appstream-fleet-in-vpc](./appstream-fleet-in-vpc.html)
+ [appsync-associated-with-waf](./appsync-associated-with-waf.html)
+ [appsync-authorization-check](./appsync-authorization-check.html)
+ [appsync-cache-encryption-at-rest](./appsync-cache-encryption-at-rest.html)
+ [appsync-graphql-api-xray-enabled](./appsync-graphql-api-xray-enabled.html)
+ [appsync-logging-enabled](./appsync-logging-enabled.html)
+ [aps-rule-groups-namespace-tagged](./aps-rule-groups-namespace-tagged.html)
+ [athena-data-catalog-description](./athena-data-catalog-description.html)
+ [athena-prepared-statement-description](./athena-prepared-statement-description.html)
+ [athena-workgroup-description](./athena-workgroup-description.html)
+ [athena-workgroup-encrypted-at-rest](./athena-workgroup-encrypted-at-rest.html)
+ [athena-workgroup-enforce-workgroup-configuration](./athena-workgroup-enforce-workgroup-configuration.html)
+ [athena-workgroup-engine-version-auto-upgrade](./athena-workgroup-engine-version-auto-upgrade.html)
+ [athena-workgroup-logging-enabled](./athena-workgroup-logging-enabled.html)
+ [auditmanager-assessment-tagged](./auditmanager-assessment-tagged.html)
+ [aurora-global-database-encryption-at-rest](./aurora-global-database-encryption-at-rest.html)
+ [aurora-last-backup-recovery-point-created](./aurora-last-backup-recovery-point-created.html)
+ [aurora-meets-restore-time-target](./aurora-meets-restore-time-target.html)
+ [aurora-mysql-backtracking-enabled](./aurora-mysql-backtracking-enabled.html)
+ [aurora-mysql-cluster-audit-logging](./aurora-mysql-cluster-audit-logging.html)
+ [aurora-resources-in-logically-air-gapped-vault](./aurora-resources-in-logically-air-gapped-vault.html)
+ [aurora-resources-protected-by-backup-plan](./aurora-resources-protected-by-backup-plan.html)
+ [autoscaling-capacity-rebalancing](./autoscaling-capacity-rebalancing.html)
+ [autoscaling-group-elb-healthcheck-required](./autoscaling-group-elb-healthcheck-required.html)
+ [autoscaling-launchconfig-requires-imdsv2](./autoscaling-launchconfig-requires-imdsv2.html)
+ [autoscaling-launch-config-hop-limit](./autoscaling-launch-config-hop-limit.html)
+ [autoscaling-launch-config-public-ip-disabled](./autoscaling-launch-config-public-ip-disabled.html)
+ [autoscaling-launch-template](./autoscaling-launch-template.html)
+ [autoscaling-multiple-az](./autoscaling-multiple-az.html)
+ [autoscaling-multiple-instance-types](./autoscaling-multiple-instance-types.html)
+ [backup-plan-min-frequency-and-min-retention-check](./backup-plan-min-frequency-and-min-retention-check.html)
+ [backup-recovery-point-encrypted](./backup-recovery-point-encrypted.html)
+ [backup-recovery-point-manual-deletion-disabled](./backup-recovery-point-manual-deletion-disabled.html)
+ [backup-recovery-point-minimum-retention-check](./backup-recovery-point-minimum-retention-check.html)
+ [batch-compute-environment-enabled](./batch-compute-environment-enabled.html)
+ [batch-compute-environment-managed](./batch-compute-environment-managed.html)
+ [batch-compute-environment-tagged](./batch-compute-environment-tagged.html)
+ [batch-job-queue-enabled](./batch-job-queue-enabled.html)
+ [batch-job-queue-tagged](./batch-job-queue-tagged.html)
+ [batch-managed-compute-environment-using-launch-template](./batch-managed-compute-environment-using-launch-template.html)
+ [batch-managed-compute-env-allocation-strategy-check](./batch-managed-compute-env-allocation-strategy-check.html)
+ [batch-managed-compute-env-compute-resources-tagged](./batch-managed-compute-env-compute-resources-tagged.html)
+ [batch-managed-spot-compute-environment-max-bid](./batch-managed-spot-compute-environment-max-bid.html)
+ [batch-scheduling-policy-tagged](./batch-scheduling-policy-tagged.html)
+ [beanstalk-enhanced-health-reporting-enabled](./beanstalk-enhanced-health-reporting-enabled.html)
+ [cassandra-keyspace-tagged](./cassandra-keyspace-tagged.html)
+ [clb-desync-mode-check](./clb-desync-mode-check.html)
+ [clb-multiple-az](./clb-multiple-az.html)
+ [cloudformation-stack-drift-detection-check](./cloudformation-stack-drift-detection-check.html)
+ [cloudformation-stack-notification-check](./cloudformation-stack-notification-check.html)
+ [cloudformation-stack-service-role-check](./cloudformation-stack-service-role-check.html)
+ [cloudformation-termination-protection-check](./cloudformation-termination-protection-check.html)
+ [cloudtrail-all-read-s3-data-event-check](./cloudtrail-all-read-s3-data-event-check.html)
+ [cloudtrail-all-write-s3-data-event-check](./cloudtrail-all-write-s3-data-event-check.html)
+ [cloudtrail-event-data-store-multi-region](./cloudtrail-event-data-store-multi-region.html)
+ [cloudtrail-s3-bucket-access-logging](./cloudtrail-s3-bucket-access-logging.html)
+ [cloudtrail-s3-bucket-public-access-prohibited](./cloudtrail-s3-bucket-public-access-prohibited.html)
+ [cloudtrail-s3-dataevents-enabled](./cloudtrail-s3-dataevents-enabled.html)
+ [cloudtrail-security-trail-enabled](./cloudtrail-security-trail-enabled.html)
+ [cloudwatch-alarm-action-check](./cloudwatch-alarm-action-check.html)
+ [cloudwatch-alarm-action-enabled-check](./cloudwatch-alarm-action-enabled-check.html)
+ [cloudwatch-alarm-description](./cloudwatch-alarm-description.html)
+ [cloudwatch-alarm-resource-check](./cloudwatch-alarm-resource-check.html)
+ [cloudwatch-alarm-settings-check](./cloudwatch-alarm-settings-check.html)
+ [cloudwatch-log-group-encrypted](./cloudwatch-log-group-encrypted.html)
+ [cloudwatch-metric-stream-tagged](./cloudwatch-metric-stream-tagged.html)
+ [cloud-trail-cloud-watch-logs-enabled](./cloud-trail-cloud-watch-logs-enabled.html)
+ [cloud-trail-enabled](./cloud-trail-enabled.html)
+ [cloud-trail-encryption-enabled](./cloud-trail-encryption-enabled.html)
+ [cloud-trail-log-file-validation-enabled](./cloud-trail-log-file-validation-enabled.html)
+ [cmk-backing-key-rotation-enabled](./cmk-backing-key-rotation-enabled.html)
+ [codeartifact-repository-tagged](./codeartifact-repository-tagged.html)
+ [codebuild-project-artifact-encryption](./codebuild-project-artifact-encryption.html)
+ [codebuild-project-environment-privileged-check](./codebuild-project-environment-privileged-check.html)
+ [codebuild-project-envvar-awscred-check](./codebuild-project-envvar-awscred-check.html)
+ [codebuild-project-logging-enabled](./codebuild-project-logging-enabled.html)
+ [codebuild-project-s3-logs-encrypted](./codebuild-project-s3-logs-encrypted.html)
+ [codebuild-project-source-repo-url-check](./codebuild-project-source-repo-url-check.html)
+ [codebuild-project-tagged](./codebuild-project-tagged.html)
+ [codebuild-report-group-encrypted-at-rest](./codebuild-report-group-encrypted-at-rest.html)
+ [codebuild-report-group-tagged](./codebuild-report-group-tagged.html)
+ [codedeploy-auto-rollback-monitor-enabled](./codedeploy-auto-rollback-monitor-enabled.html)
+ [codedeploy-deployment-group-auto-rollback-enabled](./codedeploy-deployment-group-auto-rollback-enabled.html)
+ [codedeploy-deployment-group-outdated-instances-update](./codedeploy-deployment-group-outdated-instances-update.html)
+ [codedeploy-ec2-minimum-healthy-hosts-configured](./codedeploy-ec2-minimum-healthy-hosts-configured.html)
+ [codedeploy-lambda-allatonce-traffic-shift-disabled](./codedeploy-lambda-allatonce-traffic-shift-disabled.html)
+ [codeguruprofiler-profiling-group-tagged](./codeguruprofiler-profiling-group-tagged.html)
+ [codegurureviewer-repository-association-tagged](./codegurureviewer-repository-association-tagged.html)
+ [codepipeline-deployment-count-check](./codepipeline-deployment-count-check.html)
+ [codepipeline-region-fanout-check](./codepipeline-region-fanout-check.html)
+ [cognito-identity-pool-unauthenticated-logins](./cognito-identity-pool-unauthenticated-logins.html)
+ [cognito-identity-pool-unauth-access-check](./cognito-identity-pool-unauth-access-check.html)
+ [cognito-userpool-cust-auth-threat-full-check](./cognito-userpool-cust-auth-threat-full-check.html)
+ [cognito-user-pool-advanced-security-enabled](./cognito-user-pool-advanced-security-enabled.html)
+ [cognito-user-pool-deletion-protection-enabled](./cognito-user-pool-deletion-protection-enabled.html)
+ [cognito-user-pool-mfa-enabled](./cognito-user-pool-mfa-enabled.html)
+ [cognito-user-pool-password-policy-check](./cognito-user-pool-password-policy-check.html)
+ [cognito-user-pool-tagged](./cognito-user-pool-tagged.html)
+ [custom-eventbus-policy-attached](./custom-eventbus-policy-attached.html)
+ [custom-schema-registry-policy-attached](./custom-schema-registry-policy-attached.html)
+ [cw-loggroup-retention-period-check](./cw-loggroup-retention-period-check.html)
+ [datasync-location-object-storage-using-https](./datasync-location-object-storage-using-https.html)
+ [datasync-task-data-verification-enabled](./datasync-task-data-verification-enabled.html)
+ [datasync-task-logging-enabled](./datasync-task-logging-enabled.html)
+ [datasync-task-tagged](./datasync-task-tagged.html)
+ [dax-encryption-enabled](./dax-encryption-enabled.html)
+ [dax-tls-endpoint-encryption](./dax-tls-endpoint-encryption.html)
+ [db-instance-backup-enabled](./db-instance-backup-enabled.html)
+ [desired-instance-tenancy](./desired-instance-tenancy.html)
+ [desired-instance-type](./desired-instance-type.html)
+ [dms-auto-minor-version-upgrade-check](./dms-auto-minor-version-upgrade-check.html)
+ [dms-endpoint-ssl-configured](./dms-endpoint-ssl-configured.html)
+ [dms-endpoint-tagged](./dms-endpoint-tagged.html)
+ [dms-mongo-db-authentication-enabled](./dms-mongo-db-authentication-enabled.html)
+ [dms-neptune-iam-authorization-enabled](./dms-neptune-iam-authorization-enabled.html)
+ [dms-redis-tls-enabled](./dms-redis-tls-enabled.html)
+ [dms-replication-instance-multi-az-enabled](./dms-replication-instance-multi-az-enabled.html)
+ [dms-replication-not-public](./dms-replication-not-public.html)
+ [dms-replication-task-sourcedb-logging](./dms-replication-task-sourcedb-logging.html)
+ [dms-replication-task-tagged](./dms-replication-task-tagged.html)
+ [dms-replication-task-targetdb-logging](./dms-replication-task-targetdb-logging.html)
+ [docdb-cluster-audit-logging-enabled](./docdb-cluster-audit-logging-enabled.html)
+ [docdb-cluster-backup-retention-check](./docdb-cluster-backup-retention-check.html)
+ [docdb-cluster-deletion-protection-enabled](./docdb-cluster-deletion-protection-enabled.html)
+ [docdb-cluster-encrypted](./docdb-cluster-encrypted.html)
+ [docdb-cluster-encrypted-in-transit](./docdb-cluster-encrypted-in-transit.html)
+ [docdb-cluster-snapshot-public-prohibited](./docdb-cluster-snapshot-public-prohibited.html)
+ [dynamodb-autoscaling-enabled](./dynamodb-autoscaling-enabled.html)
+ [dynamodb-in-backup-plan](./dynamodb-in-backup-plan.html)
+ [dynamodb-last-backup-recovery-point-created](./dynamodb-last-backup-recovery-point-created.html)
+ [dynamodb-meets-restore-time-target](./dynamodb-meets-restore-time-target.html)
+ [dynamodb-pitr-enabled](./dynamodb-pitr-enabled.html)
+ [dynamodb-resources-protected-by-backup-plan](./dynamodb-resources-protected-by-backup-plan.html)
+ [dynamodb-table-deletion-protection-enabled](./dynamodb-table-deletion-protection-enabled.html)
+ [dynamodb-table-encrypted-kms](./dynamodb-table-encrypted-kms.html)
+ [dynamodb-table-encryption-enabled](./dynamodb-table-encryption-enabled.html)
+ [dynamodb-throughput-limit-check](./dynamodb-throughput-limit-check.html)
+ [ebs-in-backup-plan](./ebs-in-backup-plan.html)
+ [ebs-last-backup-recovery-point-created](./ebs-last-backup-recovery-point-created.html)
+ [ebs-meets-restore-time-target](./ebs-meets-restore-time-target.html)
+ [ebs-optimized-instance](./ebs-optimized-instance.html)
+ [ebs-resources-in-logically-air-gapped-vault](./ebs-resources-in-logically-air-gapped-vault.html)
+ [ebs-resources-protected-by-backup-plan](./ebs-resources-protected-by-backup-plan.html)
+ [ebs-snapshot-block-public-access](./ebs-snapshot-block-public-access.html)
+ [ebs-snapshot-public-restorable-check](./ebs-snapshot-public-restorable-check.html)
+ [ec2-capacity-reservation-tagged](./ec2-capacity-reservation-tagged.html)
+ [ec2-carrier-gateway-tagged](./ec2-carrier-gateway-tagged.html)
+ [ec2-client-vpn-connection-log-enabled](./ec2-client-vpn-connection-log-enabled.html)
+ [ec2-client-vpn-endpoint-tagged](./ec2-client-vpn-endpoint-tagged.html)
+ [ec2-client-vpn-not-authorize-all](./ec2-client-vpn-not-authorize-all.html)
+ [ec2-dhcp-options-tagged](./ec2-dhcp-options-tagged.html)
+ [ec2-ebs-encryption-by-default](./ec2-ebs-encryption-by-default.html)
+ [ec2-enis-source-destination-check-enabled](./ec2-enis-source-destination-check-enabled.html)
+ [ec2-fleet-tagged](./ec2-fleet-tagged.html)
+ [ec2-imdsv2-check](./ec2-imdsv2-check.html)
+ [ec2-instance-detailed-monitoring-enabled](./ec2-instance-detailed-monitoring-enabled.html)
+ [ec2-instance-launched-with-allowed-ami](./ec2-instance-launched-with-allowed-ami.html)
+ [ec2-instance-managed-by-ssm](./ec2-instance-managed-by-ssm.html)
+ [ec2-instance-multiple-eni-check](./ec2-instance-multiple-eni-check.html)
+ [ec2-instance-no-public-ip](./ec2-instance-no-public-ip.html)
+ [ec2-instance-profile-attached](./ec2-instance-profile-attached.html)
+ [ec2-ipamscope-tagged](./ec2-ipamscope-tagged.html)
+ [ec2-last-backup-recovery-point-created](./ec2-last-backup-recovery-point-created.html)
+ [ec2-launchtemplate-ebs-encrypted](./ec2-launchtemplate-ebs-encrypted.html)
+ [ec2-launch-templates-ebs-volume-encrypted](./ec2-launch-templates-ebs-volume-encrypted.html)
+ [ec2-launch-template-imdsv2-check](./ec2-launch-template-imdsv2-check.html)
+ [ec2-launch-template-public-ip-disabled](./ec2-launch-template-public-ip-disabled.html)
+ [ec2-launch-template-tagged](./ec2-launch-template-tagged.html)
+ [ec2-managedinstance-applications-blacklisted](./ec2-managedinstance-applications-blacklisted.html)
+ [ec2-managedinstance-applications-required](./ec2-managedinstance-applications-required.html)
+ [ec2-managedinstance-association-compliance-status-check](./ec2-managedinstance-association-compliance-status-check.html)
+ [ec2-managedinstance-inventory-blacklisted](./ec2-managedinstance-inventory-blacklisted.html)
+ [ec2-managedinstance-patch-compliance-status-check](./ec2-managedinstance-patch-compliance-status-check.html)
+ [ec2-managedinstance-platform-check](./ec2-managedinstance-platform-check.html)
+ [ec2-meets-restore-time-target](./ec2-meets-restore-time-target.html)
+ [ec2-network-insights-access-scope-analysis-tagged](./ec2-network-insights-access-scope-analysis-tagged.html)
+ [ec2-network-insights-access-scope-tagged](./ec2-network-insights-access-scope-tagged.html)
+ [ec2-network-insights-analysis-tagged](./ec2-network-insights-analysis-tagged.html)
+ [ec2-network-insights-path-tagged](./ec2-network-insights-path-tagged.html)
+ [ec2-no-amazon-key-pair](./ec2-no-amazon-key-pair.html)
+ [ec2-prefix-list-tagged](./ec2-prefix-list-tagged.html)
+ [ec2-resources-in-logically-air-gapped-vault](./ec2-resources-in-logically-air-gapped-vault.html)
+ [ec2-resources-protected-by-backup-plan](./ec2-resources-protected-by-backup-plan.html)
+ [ec2-security-group-attached-to-eni](./ec2-security-group-attached-to-eni.html)
+ [ec2-security-group-attached-to-eni-periodic](./ec2-security-group-attached-to-eni-periodic.html)
+ [ec2-spot-fleet-request-ct-encryption-at-rest](./ec2-spot-fleet-request-ct-encryption-at-rest.html)
+ [ec2-stopped-instance](./ec2-stopped-instance.html)
+ [ec2-token-hop-limit-check](./ec2-token-hop-limit-check.html)
+ [ec2-traffic-mirror-filter-description](./ec2-traffic-mirror-filter-description.html)
+ [ec2-traffic-mirror-filter-tagged](./ec2-traffic-mirror-filter-tagged.html)
+ [ec2-traffic-mirror-session-description](./ec2-traffic-mirror-session-description.html)
+ [ec2-traffic-mirror-session-tagged](./ec2-traffic-mirror-session-tagged.html)
+ [ec2-traffic-mirror-target-description](./ec2-traffic-mirror-target-description.html)
+ [ec2-traffic-mirror-target-tagged](./ec2-traffic-mirror-target-tagged.html)
+ [ec2-transit-gateway-auto-vpc-attach-disabled](./ec2-transit-gateway-auto-vpc-attach-disabled.html)
+ [ec2-transit-gateway-multicast-domain-tagged](./ec2-transit-gateway-multicast-domain-tagged.html)
+ [ec2-volume-inuse-check](./ec2-volume-inuse-check.html)
+ [ec2-vpn-connection-ike-version-check](./ec2-vpn-connection-ike-version-check.html)
+ [ec2-vpn-connection-logging-enabled](./ec2-vpn-connection-logging-enabled.html)
+ [ec2-vpn-connection-tagged](./ec2-vpn-connection-tagged.html)
+ [ecr-private-image-scanning-enabled](./ecr-private-image-scanning-enabled.html)
+ [ecr-private-lifecycle-policy-configured](./ecr-private-lifecycle-policy-configured.html)
+ [ecr-private-tag-immutability-enabled](./ecr-private-tag-immutability-enabled.html)
+ [ecr-repository-cmk-encryption-enabled](./ecr-repository-cmk-encryption-enabled.html)
+ [ecr-repository-tagged](./ecr-repository-tagged.html)
+ [ecs-awsvpc-networking-enabled](./ecs-awsvpc-networking-enabled.html)
+ [ecs-capacity-provider-tagged](./ecs-capacity-provider-tagged.html)
+ [ecs-capacity-provider-termination-check](./ecs-capacity-provider-termination-check.html)
+ [ecs-containers-nonprivileged](./ecs-containers-nonprivileged.html)
+ [ecs-containers-readonly-access](./ecs-containers-readonly-access.html)
+ [ecs-container-insights-enabled](./ecs-container-insights-enabled.html)
+ [ecs-fargate-latest-platform-version](./ecs-fargate-latest-platform-version.html)
+ [ecs-no-environment-secrets](./ecs-no-environment-secrets.html)
+ [ecs-service-propagate-tags-enabled](./ecs-service-propagate-tags-enabled.html)
+ [ecs-task-definition-efs-encryption-enabled](./ecs-task-definition-efs-encryption-enabled.html)
+ [ecs-task-definition-linux-user-non-root](./ecs-task-definition-linux-user-non-root.html)
+ [ecs-task-definition-log-configuration](./ecs-task-definition-log-configuration.html)
+ [ecs-task-definition-memory-hard-limit](./ecs-task-definition-memory-hard-limit.html)
+ [ecs-task-definition-network-mode-not-host](./ecs-task-definition-network-mode-not-host.html)
+ [ecs-task-definition-nonroot-user](./ecs-task-definition-nonroot-user.html)
+ [ecs-task-definition-pid-mode-check](./ecs-task-definition-pid-mode-check.html)
+ [ecs-task-definition-user-for-host-mode-check](./ecs-task-definition-user-for-host-mode-check.html)
+ [ecs-task-definition-windows-user-non-admin](./ecs-task-definition-windows-user-non-admin.html)
+ [efs-access-point-enforce-root-directory](./efs-access-point-enforce-root-directory.html)
+ [efs-access-point-enforce-user-identity](./efs-access-point-enforce-user-identity.html)
+ [efs-automatic-backups-enabled](./efs-automatic-backups-enabled.html)
+ [efs-encrypted-check](./efs-encrypted-check.html)
+ [efs-filesystem-ct-encrypted](./efs-filesystem-ct-encrypted.html)
+ [efs-file-system-tagged](./efs-file-system-tagged.html)
+ [efs-in-backup-plan](./efs-in-backup-plan.html)
+ [efs-last-backup-recovery-point-created](./efs-last-backup-recovery-point-created.html)
+ [efs-meets-restore-time-target](./efs-meets-restore-time-target.html)
+ [efs-mount-target-public-accessible](./efs-mount-target-public-accessible.html)
+ [efs-resources-in-logically-air-gapped-vault](./efs-resources-in-logically-air-gapped-vault.html)
+ [efs-resources-protected-by-backup-plan](./efs-resources-protected-by-backup-plan.html)
+ [eip-attached](./eip-attached.html)
+ [eks-addon-tagged](./eks-addon-tagged.html)
+ [eks-cluster-logging-enabled](./eks-cluster-logging-enabled.html)
+ [eks-cluster-log-enabled](./eks-cluster-log-enabled.html)
+ [eks-cluster-oldest-supported-version](./eks-cluster-oldest-supported-version.html)
+ [eks-cluster-secrets-encrypted](./eks-cluster-secrets-encrypted.html)
+ [eks-cluster-supported-version](./eks-cluster-supported-version.html)
+ [eks-endpoint-no-public-access](./eks-endpoint-no-public-access.html)
+ [eks-fargate-profile-tagged](./eks-fargate-profile-tagged.html)
+ [eks-nodegroup-supported-version-check](./eks-nodegroup-supported-version-check.html)
+ [eks-secrets-encrypted](./eks-secrets-encrypted.html)
+ [elasticache-automatic-backup-check-enabled](./elasticache-automatic-backup-check-enabled.html)
+ [elasticache-auto-minor-version-upgrade-check](./elasticache-auto-minor-version-upgrade-check.html)
+ [elasticache-rbac-auth-enabled](./elasticache-rbac-auth-enabled.html)
+ [elasticache-redis-cluster-automatic-backup-check](./elasticache-redis-cluster-automatic-backup-check.html)
+ [elasticache-repl-grp-auto-failover-enabled](./elasticache-repl-grp-auto-failover-enabled.html)
+ [elasticache-repl-grp-encrypted-at-rest](./elasticache-repl-grp-encrypted-at-rest.html)
+ [elasticache-repl-grp-encrypted-in-transit](./elasticache-repl-grp-encrypted-in-transit.html)
+ [elasticache-repl-grp-redis-auth-enabled](./elasticache-repl-grp-redis-auth-enabled.html)
+ [elasticache-subnet-group-check](./elasticache-subnet-group-check.html)
+ [elasticache-supported-engine-version](./elasticache-supported-engine-version.html)
+ [elasticbeanstalk-application-description](./elasticbeanstalk-application-description.html)
+ [elasticbeanstalk-application-version-description](./elasticbeanstalk-application-version-description.html)
+ [elasticbeanstalk-environment-description](./elasticbeanstalk-environment-description.html)
+ [elasticsearch-encrypted-at-rest](./elasticsearch-encrypted-at-rest.html)
+ [elasticsearch-in-vpc-only](./elasticsearch-in-vpc-only.html)
+ [elasticsearch-logs-to-cloudwatch](./elasticsearch-logs-to-cloudwatch.html)
+ [elasticsearch-node-to-node-encryption-check](./elasticsearch-node-to-node-encryption-check.html)
+ [elastic-beanstalk-logs-to-cloudwatch](./elastic-beanstalk-logs-to-cloudwatch.html)
+ [elastic-beanstalk-managed-updates-enabled](./elastic-beanstalk-managed-updates-enabled.html)
+ [elbv2-acm-certificate-required](./elbv2-acm-certificate-required.html)
+ [elbv2-listener-encryption-in-transit](./elbv2-listener-encryption-in-transit.html)
+ [elbv2-multiple-az](./elbv2-multiple-az.html)
+ [elbv2-predefined-security-policy-ssl-check](./elbv2-predefined-security-policy-ssl-check.html)
+ [elbv2-targetgroup-healthcheck-protocol-encrypted](./elbv2-targetgroup-healthcheck-protocol-encrypted.html)
+ [elbv2-targetgroup-protocol-encrypted](./elbv2-targetgroup-protocol-encrypted.html)
+ [elb-acm-certificate-required](./elb-acm-certificate-required.html)
+ [elb-cross-zone-load-balancing-enabled](./elb-cross-zone-load-balancing-enabled.html)
+ [elb-custom-security-policy-ssl-check](./elb-custom-security-policy-ssl-check.html)
+ [elb-deletion-protection-enabled](./elb-deletion-protection-enabled.html)
+ [elb-internal-scheme-check](./elb-internal-scheme-check.html)
+ [elb-logging-enabled](./elb-logging-enabled.html)
+ [elb-predefined-security-policy-ssl-check](./elb-predefined-security-policy-ssl-check.html)
+ [elb-tagged](./elb-tagged.html)
+ [elb-tls-https-listeners-only](./elb-tls-https-listeners-only.html)
+ [emr-block-public-access](./emr-block-public-access.html)
+ [emr-kerberos-enabled](./emr-kerberos-enabled.html)
+ [emr-master-no-public-ip](./emr-master-no-public-ip.html)
+ [emr-security-configuration-encryption-rest](./emr-security-configuration-encryption-rest.html)
+ [emr-security-configuration-encryption-transit](./emr-security-configuration-encryption-transit.html)
+ [encrypted-volumes](./encrypted-volumes.html)
+ [eventschemas-discoverer-tagged](./eventschemas-discoverer-tagged.html)
+ [eventschemas-registry-tagged](./eventschemas-registry-tagged.html)
+ [event-data-store-cmk-encryption-enabled](./event-data-store-cmk-encryption-enabled.html)
+ [evidently-launch-description](./evidently-launch-description.html)
+ [evidently-launch-tagged](./evidently-launch-tagged.html)
+ [evidently-project-description](./evidently-project-description.html)
+ [evidently-project-tagged](./evidently-project-tagged.html)
+ [evidently-segment-description](./evidently-segment-description.html)
+ [evidently-segment-tagged](./evidently-segment-tagged.html)
+ [fis-experiment-template-log-configuration-exists](./fis-experiment-template-log-configuration-exists.html)
+ [fis-experiment-template-tagged](./fis-experiment-template-tagged.html)
+ [fms-shield-resource-policy-check](./fms-shield-resource-policy-check.html)
+ [fms-webacl-resource-policy-check](./fms-webacl-resource-policy-check.html)
+ [fms-webacl-rulegroup-association-check](./fms-webacl-rulegroup-association-check.html)
+ [frauddetector-entity-type-tagged](./frauddetector-entity-type-tagged.html)
+ [frauddetector-label-tagged](./frauddetector-label-tagged.html)
+ [frauddetector-outcome-tagged](./frauddetector-outcome-tagged.html)
+ [frauddetector-variable-tagged](./frauddetector-variable-tagged.html)
+ [fsx-last-backup-recovery-point-created](./fsx-last-backup-recovery-point-created.html)
+ [fsx-lustre-copy-tags-to-backups](./fsx-lustre-copy-tags-to-backups.html)
+ [fsx-meets-restore-time-target](./fsx-meets-restore-time-target.html)
+ [fsx-ontap-deployment-type-check](./fsx-ontap-deployment-type-check.html)
+ [fsx-openzfs-copy-tags-enabled](./fsx-openzfs-copy-tags-enabled.html)
+ [fsx-openzfs-deployment-type-check](./fsx-openzfs-deployment-type-check.html)
+ [fsx-resources-protected-by-backup-plan](./fsx-resources-protected-by-backup-plan.html)
+ [fsx-windows-audit-log-configured](./fsx-windows-audit-log-configured.html)
+ [fsx-windows-deployment-type-check](./fsx-windows-deployment-type-check.html)
+ [glb-listener-tagged](./glb-listener-tagged.html)
+ [glb-tagged](./glb-tagged.html)
+ [global-endpoint-event-replication-enabled](./global-endpoint-event-replication-enabled.html)
+ [glue-job-logging-enabled](./glue-job-logging-enabled.html)
+ [glue-ml-transform-encrypted-at-rest](./glue-ml-transform-encrypted-at-rest.html)
+ [glue-ml-transform-tagged](./glue-ml-transform-tagged.html)
+ [glue-spark-job-supported-version](./glue-spark-job-supported-version.html)
+ [groundstation-config-tagged](./groundstation-config-tagged.html)
+ [groundstation-dataflowendpointgroup-tagged](./groundstation-dataflowendpointgroup-tagged.html)
+ [groundstation-missionprofile-tagged](./groundstation-missionprofile-tagged.html)
+ [guardduty-ec2-protection-runtime-enabled](./guardduty-ec2-protection-runtime-enabled.html)
+ [guardduty-ecs-protection-runtime-enabled](./guardduty-ecs-protection-runtime-enabled.html)
+ [guardduty-eks-protection-audit-enabled](./guardduty-eks-protection-audit-enabled.html)
+ [guardduty-eks-protection-runtime-enabled](./guardduty-eks-protection-runtime-enabled.html)
+ [guardduty-enabled-centralized](./guardduty-enabled-centralized.html)
+ [guardduty-lambda-protection-enabled](./guardduty-lambda-protection-enabled.html)
+ [guardduty-malware-protection-enabled](./guardduty-malware-protection-enabled.html)
+ [guardduty-non-archived-findings](./guardduty-non-archived-findings.html)
+ [guardduty-rds-protection-enabled](./guardduty-rds-protection-enabled.html)
+ [guardduty-runtime-monitoring-enabled](./guardduty-runtime-monitoring-enabled.html)
+ [guardduty-s3-protection-enabled](./guardduty-s3-protection-enabled.html)
+ [healthlake-fhirdatastore-tagged](./healthlake-fhirdatastore-tagged.html)
+ [iam-customer-policy-blocked-kms-actions](./iam-customer-policy-blocked-kms-actions.html)
+ [iam-external-access-analyzer-enabled](./iam-external-access-analyzer-enabled.html)
+ [iam-group-has-users-check](./iam-group-has-users-check.html)
+ [iam-inline-policy-blocked-kms-actions](./iam-inline-policy-blocked-kms-actions.html)
+ [iam-no-inline-policy-check](./iam-no-inline-policy-check.html)
+ [iam-password-policy](./iam-password-policy.html)
+ [iam-policy-blacklisted-check](./iam-policy-blacklisted-check.html)
+ [iam-policy-description](./iam-policy-description.html)
+ [iam-policy-in-use](./iam-policy-in-use.html)
+ [iam-policy-no-statements-with-admin-access](./iam-policy-no-statements-with-admin-access.html)
+ [iam-policy-no-statements-with-full-access](./iam-policy-no-statements-with-full-access.html)
+ [iam-role-managed-policy-check](./iam-role-managed-policy-check.html)
+ [iam-root-access-key-check](./iam-root-access-key-check.html)
+ [iam-user-group-membership-check](./iam-user-group-membership-check.html)
+ [iam-user-mfa-enabled](./iam-user-mfa-enabled.html)
+ [iam-user-no-policies-check](./iam-user-no-policies-check.html)
+ [iam-user-unused-credentials-check](./iam-user-unused-credentials-check.html)
+ [imagebuilder-distributionconfiguration-tagged](./imagebuilder-distributionconfiguration-tagged.html)
+ [imagebuilder-imagepipeline-tagged](./imagebuilder-imagepipeline-tagged.html)
+ [imagebuilder-imagerecipe-ebs-volumes-encrypted](./imagebuilder-imagerecipe-ebs-volumes-encrypted.html)
+ [imagebuilder-imagerecipe-tagged](./imagebuilder-imagerecipe-tagged.html)
+ [imagebuilder-infrastructureconfiguration-tagged](./imagebuilder-infrastructureconfiguration-tagged.html)
+ [incoming-ssh-disabled](./incoming-ssh-disabled.html)
+ [inspector-ec2-scan-enabled](./inspector-ec2-scan-enabled.html)
+ [inspector-ecr-scan-enabled](./inspector-ecr-scan-enabled.html)
+ [inspector-lambda-code-scan-enabled](./inspector-lambda-code-scan-enabled.html)
+ [inspector-lambda-standard-scan-enabled](./inspector-lambda-standard-scan-enabled.html)
+ [instances-in-vpc](./instances-in-vpc.html)
+ [internet-gateway-authorized-vpc-only](./internet-gateway-authorized-vpc-only.html)
+ [iotdevicedefender-custom-metric-tagged](./iotdevicedefender-custom-metric-tagged.html)
+ [iotevents-alarm-model-tagged](./iotevents-alarm-model-tagged.html)
+ [iotevents-detector-model-tagged](./iotevents-detector-model-tagged.html)
+ [iotevents-input-tagged](./iotevents-input-tagged.html)
+ [iotsitewise-asset-model-tagged](./iotsitewise-asset-model-tagged.html)
+ [iotsitewise-dashboard-tagged](./iotsitewise-dashboard-tagged.html)
+ [iotsitewise-gateway-tagged](./iotsitewise-gateway-tagged.html)
+ [iotsitewise-portal-tagged](./iotsitewise-portal-tagged.html)
+ [iotsitewise-project-tagged](./iotsitewise-project-tagged.html)
+ [iot-authorizer-token-signing-enabled](./iot-authorizer-token-signing-enabled.html)
+ [iot-job-template-tagged](./iot-job-template-tagged.html)
+ [iot-provisioning-template-description](./iot-provisioning-template-description.html)
+ [iot-provisioning-template-jitp](./iot-provisioning-template-jitp.html)
+ [iot-provisioning-template-tagged](./iot-provisioning-template-tagged.html)
+ [iot-scheduled-audit-tagged](./iot-scheduled-audit-tagged.html)
+ [kendra-index-tagged](./kendra-index-tagged.html)
+ [kinesisvideo-signalingchannel-tagged](./kinesisvideo-signalingchannel-tagged.html)
+ [kinesisvideo-stream-tagged](./kinesisvideo-stream-tagged.html)
+ [kinesis-firehose-delivery-stream-encrypted](./kinesis-firehose-delivery-stream-encrypted.html)
+ [kinesis-stream-backup-retention-check](./kinesis-stream-backup-retention-check.html)
+ [kinesis-stream-encrypted](./kinesis-stream-encrypted.html)
+ [kinesis-video-stream-minimum-data-retention](./kinesis-video-stream-minimum-data-retention.html)
+ [kms-cmk-not-scheduled-for-deletion](./kms-cmk-not-scheduled-for-deletion.html)
+ [kms-key-policy-no-public-access](./kms-key-policy-no-public-access.html)
+ [kms-key-tagged](./kms-key-tagged.html)
+ [lambda-concurrency-check](./lambda-concurrency-check.html)
+ [lambda-dlq-check](./lambda-dlq-check.html)
+ [lambda-function-application-log-level-check](./lambda-function-application-log-level-check.html)
+ [lambda-function-description](./lambda-function-description.html)
+ [lambda-function-log-format-json](./lambda-function-log-format-json.html)
+ [lambda-function-public-access-prohibited](./lambda-function-public-access-prohibited.html)
+ [lambda-function-settings-check](./lambda-function-settings-check.html)
+ [lambda-function-system-log-level-check](./lambda-function-system-log-level-check.html)
+ [lambda-function-xray-enabled](./lambda-function-xray-enabled.html)
+ [lambda-inside-vpc](./lambda-inside-vpc.html)
+ [lambda-vpc-multi-az-check](./lambda-vpc-multi-az-check.html)
+ [lightsail-bucket-allow-public-overrides-disabled](./lightsail-bucket-allow-public-overrides-disabled.html)
+ [lightsail-bucket-object-versioning-enabled](./lightsail-bucket-object-versioning-enabled.html)
+ [lightsail-bucket-tagged](./lightsail-bucket-tagged.html)
+ [lightsail-certificate-tagged](./lightsail-certificate-tagged.html)
+ [lightsail-disk-tagged](./lightsail-disk-tagged.html)
+ [macie-auto-sensitive-data-discovery-check](./macie-auto-sensitive-data-discovery-check.html)
+ [macie-status-check](./macie-status-check.html)
+ [mariadb-publish-logs-to-cloudwatch-logs](./mariadb-publish-logs-to-cloudwatch-logs.html)
+ [mediapackage-packagingconfiguration-tagged](./mediapackage-packagingconfiguration-tagged.html)
+ [mediatailor-playbackconfiguration-tagged](./mediatailor-playbackconfiguration-tagged.html)
+ [memorydb-subnetgroup-tagged](./memorydb-subnetgroup-tagged.html)
+ [mfa-enabled-for-iam-console-access](./mfa-enabled-for-iam-console-access.html)
+ [mq-active-broker-ldap-authentication](./mq-active-broker-ldap-authentication.html)
+ [mq-active-deployment-mode](./mq-active-deployment-mode.html)
+ [mq-active-single-instance-broker-storage-type-efs](./mq-active-single-instance-broker-storage-type-efs.html)
+ [mq-automatic-minor-version-upgrade-enabled](./mq-automatic-minor-version-upgrade-enabled.html)
+ [mq-auto-minor-version-upgrade-enabled](./mq-auto-minor-version-upgrade-enabled.html)
+ [mq-broker-general-logging-enabled](./mq-broker-general-logging-enabled.html)
+ [mq-cloudwatch-audit-logging-enabled](./mq-cloudwatch-audit-logging-enabled.html)
+ [mq-cloudwatch-audit-log-enabled](./mq-cloudwatch-audit-log-enabled.html)
+ [mq-no-public-access](./mq-no-public-access.html)
+ [mq-rabbit-deployment-mode](./mq-rabbit-deployment-mode.html)
+ [msk-cluster-public-access-disabled](./msk-cluster-public-access-disabled.html)
+ [msk-cluster-tagged](./msk-cluster-tagged.html)
+ [msk-connect-connector-logging-enabled](./msk-connect-connector-logging-enabled.html)
+ [msk-enhanced-monitoring-enabled](./msk-enhanced-monitoring-enabled.html)
+ [msk-in-cluster-node-require-tls](./msk-in-cluster-node-require-tls.html)
+ [msk-unrestricted-access-check](./msk-unrestricted-access-check.html)
+ [multi-region-cloud-trail-enabled](./multi-region-cloud-trail-enabled.html)
+ [nacl-no-unrestricted-ssh-rdp](./nacl-no-unrestricted-ssh-rdp.html)
+ [neptune-cluster-backup-retention-check](./neptune-cluster-backup-retention-check.html)
+ [neptune-cluster-cloudwatch-log-export-enabled](./neptune-cluster-cloudwatch-log-export-enabled.html)
+ [neptune-cluster-copy-tags-to-snapshot-enabled](./neptune-cluster-copy-tags-to-snapshot-enabled.html)
+ [neptune-cluster-deletion-protection-enabled](./neptune-cluster-deletion-protection-enabled.html)
+ [neptune-cluster-encrypted](./neptune-cluster-encrypted.html)
+ [neptune-cluster-iam-database-authentication](./neptune-cluster-iam-database-authentication.html)
+ [neptune-cluster-multi-az-enabled](./neptune-cluster-multi-az-enabled.html)
+ [neptune-cluster-snapshot-encrypted](./neptune-cluster-snapshot-encrypted.html)
+ [neptune-cluster-snapshot-iam-database-auth-enabled](./neptune-cluster-snapshot-iam-database-auth-enabled.html)
+ [neptune-cluster-snapshot-public-prohibited](./neptune-cluster-snapshot-public-prohibited.html)
+ [netfw-deletion-protection-enabled](./netfw-deletion-protection-enabled.html)
+ [netfw-logging-enabled](./netfw-logging-enabled.html)
+ [netfw-multi-az-enabled](./netfw-multi-az-enabled.html)
+ [netfw-policy-default-action-fragment-packets](./netfw-policy-default-action-fragment-packets.html)
+ [netfw-policy-default-action-full-packets](./netfw-policy-default-action-full-packets.html)
+ [netfw-policy-rule-group-associated](./netfw-policy-rule-group-associated.html)
+ [netfw-stateless-rule-group-not-empty](./netfw-stateless-rule-group-not-empty.html)
+ [netfw-subnet-change-protection-enabled](./netfw-subnet-change-protection-enabled.html)
+ [nlb-cross-zone-load-balancing-enabled](./nlb-cross-zone-load-balancing-enabled.html)
+ [nlb-internal-scheme-check](./nlb-internal-scheme-check.html)
+ [nlb-listener-tagged](./nlb-listener-tagged.html)
+ [nlb-logging-enabled](./nlb-logging-enabled.html)
+ [nlb-tagged](./nlb-tagged.html)
+ [no-unrestricted-route-to-igw](./no-unrestricted-route-to-igw.html)
+ [opensearchserverless-collection-description](./opensearchserverless-collection-description.html)
+ [opensearchserverless-collection-standbyreplicas-enabled](./opensearchserverless-collection-standbyreplicas-enabled.html)
+ [opensearch-access-control-enabled](./opensearch-access-control-enabled.html)
+ [opensearch-audit-logging-enabled](./opensearch-audit-logging-enabled.html)
+ [opensearch-data-node-fault-tolerance](./opensearch-data-node-fault-tolerance.html)
+ [opensearch-encrypted-at-rest](./opensearch-encrypted-at-rest.html)
+ [opensearch-https-required](./opensearch-https-required.html)
+ [opensearch-in-vpc-only](./opensearch-in-vpc-only.html)
+ [opensearch-logs-to-cloudwatch](./opensearch-logs-to-cloudwatch.html)
+ [opensearch-node-to-node-encryption-check](./opensearch-node-to-node-encryption-check.html)
+ [opensearch-primary-node-fault-tolerance](./opensearch-primary-node-fault-tolerance.html)
+ [opensearch-update-check](./opensearch-update-check.html)
+ [rabbit-mq-supported-version](./rabbit-mq-supported-version.html)
+ [rds-aurora-mysql-audit-logging-enabled](./rds-aurora-mysql-audit-logging-enabled.html)
+ [rds-aurora-postgresql-logs-to-cloudwatch](./rds-aurora-postgresql-logs-to-cloudwatch.html)
+ [rds-automatic-minor-version-upgrade-enabled](./rds-automatic-minor-version-upgrade-enabled.html)
+ [rds-cluster-auto-minor-version-upgrade-enable](./rds-cluster-auto-minor-version-upgrade-enable.html)
+ [rds-cluster-backup-retention-check](./rds-cluster-backup-retention-check.html)
+ [rds-cluster-default-admin-check](./rds-cluster-default-admin-check.html)
+ [rds-cluster-deletion-protection-enabled](./rds-cluster-deletion-protection-enabled.html)
+ [rds-cluster-encrypted-at-rest](./rds-cluster-encrypted-at-rest.html)
+ [rds-cluster-iam-authentication-enabled](./rds-cluster-iam-authentication-enabled.html)
+ [rds-cluster-multi-az-enabled](./rds-cluster-multi-az-enabled.html)
+ [rds-enhanced-monitoring-enabled](./rds-enhanced-monitoring-enabled.html)
+ [rds-event-subscription-tagged](./rds-event-subscription-tagged.html)
+ [rds-global-cluster-aurora-mysql-supported-version](./rds-global-cluster-aurora-mysql-supported-version.html)
+ [rds-instance-default-admin-check](./rds-instance-default-admin-check.html)
+ [rds-instance-deletion-protection-enabled](./rds-instance-deletion-protection-enabled.html)
+ [rds-instance-iam-authentication-enabled](./rds-instance-iam-authentication-enabled.html)
+ [rds-instance-public-access-check](./rds-instance-public-access-check.html)
+ [rds-instance-subnet-igw-check](./rds-instance-subnet-igw-check.html)
+ [rds-in-backup-plan](./rds-in-backup-plan.html)
+ [rds-last-backup-recovery-point-created](./rds-last-backup-recovery-point-created.html)
+ [rds-logging-enabled](./rds-logging-enabled.html)
+ [rds-mariadb-instance-encrypted-in-transit](./rds-mariadb-instance-encrypted-in-transit.html)
+ [rds-meets-restore-time-target](./rds-meets-restore-time-target.html)
+ [rds-multi-az-support](./rds-multi-az-support.html)
+ [rds-mysql-cluster-copy-tags-to-snapshot-check](./rds-mysql-cluster-copy-tags-to-snapshot-check.html)
+ [rds-mysql-instance-encrypted-in-transit](./rds-mysql-instance-encrypted-in-transit.html)
+ [rds-option-group-tagged](./rds-option-group-tagged.html)
+ [rds-pgsql-cluster-copy-tags-to-snapshot-check](./rds-pgsql-cluster-copy-tags-to-snapshot-check.html)
+ [rds-postgresql-logs-to-cloudwatch](./rds-postgresql-logs-to-cloudwatch.html)
+ [rds-postgres-instance-encrypted-in-transit](./rds-postgres-instance-encrypted-in-transit.html)
+ [rds-proxy-tls-encryption](./rds-proxy-tls-encryption.html)
+ [rds-resources-protected-by-backup-plan](./rds-resources-protected-by-backup-plan.html)
+ [rds-snapshots-public-prohibited](./rds-snapshots-public-prohibited.html)
+ [rds-snapshot-encrypted](./rds-snapshot-encrypted.html)
+ [rds-sqlserver-encrypted-in-transit](./rds-sqlserver-encrypted-in-transit.html)
+ [rds-sql-server-logs-to-cloudwatch](./rds-sql-server-logs-to-cloudwatch.html)
+ [rds-storage-encrypted](./rds-storage-encrypted.html)
+ [redshift-audit-logging-enabled](./redshift-audit-logging-enabled.html)
+ [redshift-backup-enabled](./redshift-backup-enabled.html)
+ [redshift-cluster-configuration-check](./redshift-cluster-configuration-check.html)
+ [redshift-cluster-kms-enabled](./redshift-cluster-kms-enabled.html)
+ [redshift-cluster-maintenancesettings-check](./redshift-cluster-maintenancesettings-check.html)
+ [redshift-cluster-multi-az-enabled](./redshift-cluster-multi-az-enabled.html)
+ [redshift-cluster-parameter-group-tagged](./redshift-cluster-parameter-group-tagged.html)
+ [redshift-cluster-public-access-check](./redshift-cluster-public-access-check.html)
+ [redshift-cluster-subnet-group-multi-az](./redshift-cluster-subnet-group-multi-az.html)
+ [redshift-default-admin-check](./redshift-default-admin-check.html)
+ [redshift-default-db-name-check](./redshift-default-db-name-check.html)
+ [redshift-enhanced-vpc-routing-enabled](./redshift-enhanced-vpc-routing-enabled.html)
+ [redshift-require-tls-ssl](./redshift-require-tls-ssl.html)
+ [redshift-serverless-default-admin-check](./redshift-serverless-default-admin-check.html)
+ [redshift-serverless-default-db-name-check](./redshift-serverless-default-db-name-check.html)
+ [redshift-serverless-namespace-cmk-encryption](./redshift-serverless-namespace-cmk-encryption.html)
+ [redshift-serverless-publish-logs-to-cloudwatch](./redshift-serverless-publish-logs-to-cloudwatch.html)
+ [redshift-serverless-workgroup-encrypted-in-transit](./redshift-serverless-workgroup-encrypted-in-transit.html)
+ [redshift-serverless-workgroup-no-public-access](./redshift-serverless-workgroup-no-public-access.html)
+ [redshift-serverless-workgroup-routes-within-vpc](./redshift-serverless-workgroup-routes-within-vpc.html)
+ [redshift-unrestricted-port-access](./redshift-unrestricted-port-access.html)
+ [required-tags](./required-tags.html)
+ [resiliencehub-app-tagged](./resiliencehub-app-tagged.html)
+ [resiliencehub-resiliencypolicy-tagged](./resiliencehub-resiliencypolicy-tagged.html)
+ [restricted-incoming-traffic](./restricted-incoming-traffic.html)
+ [root-account-hardware-mfa-enabled](./root-account-hardware-mfa-enabled.html)
+ [root-account-mfa-enabled](./root-account-mfa-enabled.html)
+ [route53-resolver-firewall-domain-list-tagged](./route53-resolver-firewall-domain-list-tagged.html)
+ [route53-resolver-firewall-rule-group-association-tagged](./route53-resolver-firewall-rule-group-association-tagged.html)
+ [route53-resolver-firewall-rule-group-tagged](./route53-resolver-firewall-rule-group-tagged.html)
+ [route53-resolver-resolver-endpoint-tagged](./route53-resolver-resolver-endpoint-tagged.html)
+ [route53-resolver-resolver-rule-tagged](./route53-resolver-resolver-rule-tagged.html)
+ [rum-app-monitor-cloudwatch-logs-enabled](./rum-app-monitor-cloudwatch-logs-enabled.html)
+ [rum-app-monitor-tagged](./rum-app-monitor-tagged.html)
+ [s3express-dir-bucket-lifecycle-rules-check](./s3express-dir-bucket-lifecycle-rules-check.html)
+ [s3-access-point-in-vpc-only](./s3-access-point-in-vpc-only.html)
+ [s3-access-point-public-access-blocks](./s3-access-point-public-access-blocks.html)
+ [s3-account-level-public-access-blocks](./s3-account-level-public-access-blocks.html)
+ [s3-account-level-public-access-blocks-periodic](./s3-account-level-public-access-blocks-periodic.html)
+ [s3-bucket-acl-prohibited](./s3-bucket-acl-prohibited.html)
+ [s3-bucket-blacklisted-actions-prohibited](./s3-bucket-blacklisted-actions-prohibited.html)
+ [s3-bucket-cross-region-replication-enabled](./s3-bucket-cross-region-replication-enabled.html)
+ [s3-bucket-default-lock-enabled](./s3-bucket-default-lock-enabled.html)
+ [s3-bucket-level-public-access-prohibited](./s3-bucket-level-public-access-prohibited.html)
+ [s3-bucket-logging-enabled](./s3-bucket-logging-enabled.html)
+ [s3-bucket-mfa-delete-enabled](./s3-bucket-mfa-delete-enabled.html)
+ [s3-bucket-policy-grantee-check](./s3-bucket-policy-grantee-check.html)
+ [s3-bucket-policy-not-more-permissive](./s3-bucket-policy-not-more-permissive.html)
+ [s3-bucket-public-read-prohibited](./s3-bucket-public-read-prohibited.html)
+ [s3-bucket-public-write-prohibited](./s3-bucket-public-write-prohibited.html)
+ [s3-bucket-replication-enabled](./s3-bucket-replication-enabled.html)
+ [s3-bucket-server-side-encryption-enabled](./s3-bucket-server-side-encryption-enabled.html)
+ [s3-bucket-ssl-requests-only](./s3-bucket-ssl-requests-only.html)
+ [s3-bucket-tagged](./s3-bucket-tagged.html)
+ [s3-bucket-versioning-enabled](./s3-bucket-versioning-enabled.html)
+ [s3-default-encryption-kms](./s3-default-encryption-kms.html)
+ [s3-directory-bucket-lifecycle-policy-rule-check](./s3-directory-bucket-lifecycle-policy-rule-check.html)
+ [s3-event-notifications-enabled](./s3-event-notifications-enabled.html)
+ [s3-last-backup-recovery-point-created](./s3-last-backup-recovery-point-created.html)
+ [s3-lifecycle-policy-check](./s3-lifecycle-policy-check.html)
+ [s3-meets-restore-time-target](./s3-meets-restore-time-target.html)
+ [s3-resources-in-logically-air-gapped-vault](./s3-resources-in-logically-air-gapped-vault.html)
+ [s3-resources-protected-by-backup-plan](./s3-resources-protected-by-backup-plan.html)
+ [s3-version-lifecycle-policy-check](./s3-version-lifecycle-policy-check.html)
+ [sagemaker-app-image-config-tagged](./sagemaker-app-image-config-tagged.html)
+ [sagemaker-data-quality-job-encrypt-in-transit](./sagemaker-data-quality-job-encrypt-in-transit.html)
+ [sagemaker-data-quality-job-isolation](./sagemaker-data-quality-job-isolation.html)
+ [sagemaker-domain-in-vpc](./sagemaker-domain-in-vpc.html)
+ [sagemaker-domain-tagged](./sagemaker-domain-tagged.html)
+ [sagemaker-endpoint-configuration-kms-key-configured](./sagemaker-endpoint-configuration-kms-key-configured.html)
+ [sagemaker-endpoint-config-prod-instance-count](./sagemaker-endpoint-config-prod-instance-count.html)
+ [sagemaker-featuregroup-description](./sagemaker-featuregroup-description.html)
+ [sagemaker-featuregroup-encryption-at-rest](./sagemaker-featuregroup-encryption-at-rest.html)
+ [sagemaker-feature-group-tagged](./sagemaker-feature-group-tagged.html)
+ [sagemaker-image-description](./sagemaker-image-description.html)
+ [sagemaker-image-tagged](./sagemaker-image-tagged.html)
+ [sagemaker-inferenceexperiment-tagged](./sagemaker-inferenceexperiment-tagged.html)
+ [sagemaker-model-bias-job-encrypt-in-transit](./sagemaker-model-bias-job-encrypt-in-transit.html)
+ [sagemaker-model-bias-job-isolation](./sagemaker-model-bias-job-isolation.html)
+ [sagemaker-model-explainability-job-encrypt-in-transit](./sagemaker-model-explainability-job-encrypt-in-transit.html)
+ [sagemaker-model-in-vpc](./sagemaker-model-in-vpc.html)
+ [sagemaker-model-isolation-enabled](./sagemaker-model-isolation-enabled.html)
+ [sagemaker-model-private-registry-required](./sagemaker-model-private-registry-required.html)
+ [sagemaker-model-quality-job-encrypt-in-transit](./sagemaker-model-quality-job-encrypt-in-transit.html)
+ [sagemaker-monitoring-schedule-isolation](./sagemaker-monitoring-schedule-isolation.html)
+ [sagemaker-notebook-instance-inside-vpc](./sagemaker-notebook-instance-inside-vpc.html)
+ [sagemaker-notebook-instance-kms-key-configured](./sagemaker-notebook-instance-kms-key-configured.html)
+ [sagemaker-notebook-instance-platform-version](./sagemaker-notebook-instance-platform-version.html)
+ [sagemaker-notebook-instance-root-access-check](./sagemaker-notebook-instance-root-access-check.html)
+ [sagemaker-notebook-no-direct-internet-access](./sagemaker-notebook-no-direct-internet-access.html)
+ [secretsmanager-rotation-enabled-check](./secretsmanager-rotation-enabled-check.html)
+ [secretsmanager-scheduled-rotation-success-check](./secretsmanager-scheduled-rotation-success-check.html)
+ [secretsmanager-secret-periodic-rotation](./secretsmanager-secret-periodic-rotation.html)
+ [secretsmanager-secret-unused](./secretsmanager-secret-unused.html)
+ [secretsmanager-using-cmk](./secretsmanager-using-cmk.html)
+ [securityhub-enabled](./securityhub-enabled.html)
+ [security-account-information-provided](./security-account-information-provided.html)
+ [service-catalog-portfolio-tagged](./service-catalog-portfolio-tagged.html)
+ [service-catalog-shared-within-organization](./service-catalog-shared-within-organization.html)
+ [service-vpc-endpoint-enabled](./service-vpc-endpoint-enabled.html)
+ [ses-sending-tls-required](./ses-sending-tls-required.html)
+ [signer-signingprofile-tagged](./signer-signingprofile-tagged.html)
+ [sns-encrypted-kms](./sns-encrypted-kms.html)
+ [sns-topic-message-delivery-notification-enabled](./sns-topic-message-delivery-notification-enabled.html)
+ [sns-topic-no-public-access](./sns-topic-no-public-access.html)
+ [sqs-queue-dlq-check](./sqs-queue-dlq-check.html)
+ [sqs-queue-no-public-access](./sqs-queue-no-public-access.html)
+ [sqs-queue-policy-full-access-check](./sqs-queue-policy-full-access-check.html)
+ [ssm-automation-block-public-sharing](./ssm-automation-block-public-sharing.html)
+ [ssm-automation-logging-enabled](./ssm-automation-logging-enabled.html)
+ [ssm-document-not-public](./ssm-document-not-public.html)
+ [ssm-document-tagged](./ssm-document-tagged.html)
+ [stepfunctions-state-machine-tagged](./stepfunctions-state-machine-tagged.html)
+ [step-functions-state-machine-logging-enabled](./step-functions-state-machine-logging-enabled.html)
+ [storagegateway-last-backup-recovery-point-created](./storagegateway-last-backup-recovery-point-created.html)
+ [storagegateway-resources-in-logically-air-gapped-vault](./storagegateway-resources-in-logically-air-gapped-vault.html)
+ [storagegateway-resources-protected-by-backup-plan](./storagegateway-resources-protected-by-backup-plan.html)
+ [subnet-auto-assign-public-ip-disabled](./subnet-auto-assign-public-ip-disabled.html)
+ [transfer-agreement-description](./transfer-agreement-description.html)
+ [transfer-agreement-tagged](./transfer-agreement-tagged.html)
+ [transfer-certificate-description](./transfer-certificate-description.html)
+ [transfer-certificate-tagged](./transfer-certificate-tagged.html)
+ [transfer-connector-as2-encryption-algorithm-check](./transfer-connector-as2-encryption-algorithm-check.html)
+ [transfer-connector-as2-mdn-signing-algorithm-check](./transfer-connector-as2-mdn-signing-algorithm-check.html)
+ [transfer-connector-as2-signing-algorithm-check](./transfer-connector-as2-signing-algorithm-check.html)
+ [transfer-connector-logging-enabled](./transfer-connector-logging-enabled.html)
+ [transfer-connector-tagged](./transfer-connector-tagged.html)
+ [transfer-family-server-no-ftp](./transfer-family-server-no-ftp.html)
+ [transfer-profile-tagged](./transfer-profile-tagged.html)
+ [transfer-workflow-description](./transfer-workflow-description.html)
+ [transfer-workflow-tagged](./transfer-workflow-tagged.html)
+ [virtualmachine-last-backup-recovery-point-created](./virtualmachine-last-backup-recovery-point-created.html)
+ [virtualmachine-resources-in-logically-air-gapped-vault](./virtualmachine-resources-in-logically-air-gapped-vault.html)
+ [virtualmachine-resources-protected-by-backup-plan](./virtualmachine-resources-protected-by-backup-plan.html)
+ [vpc-default-security-group-closed](./vpc-default-security-group-closed.html)
+ [vpc-endpoint-enabled](./vpc-endpoint-enabled.html)
+ [vpc-flow-logs-enabled](./vpc-flow-logs-enabled.html)
+ [vpc-network-acl-unused-check](./vpc-network-acl-unused-check.html)
+ [vpc-peering-dns-resolution-check](./vpc-peering-dns-resolution-check.html)
+ [vpc-sg-open-only-to-authorized-ports](./vpc-sg-open-only-to-authorized-ports.html)
+ [vpc-sg-port-restriction-check](./vpc-sg-port-restriction-check.html)
+ [vpc-vpn-2-tunnels-up](./vpc-vpn-2-tunnels-up.html)
+ [wafv2-logging-enabled](./wafv2-logging-enabled.html)
+ [wafv2-rulegroup-logging-enabled](./wafv2-rulegroup-logging-enabled.html)
+ [wafv2-rulegroup-not-empty](./wafv2-rulegroup-not-empty.html)
+ [wafv2-webacl-not-empty](./wafv2-webacl-not-empty.html)
+ [waf-global-rulegroup-not-empty](./waf-global-rulegroup-not-empty.html)
+ [waf-global-rule-not-empty](./waf-global-rule-not-empty.html)
+ [waf-regional-rulegroup-not-empty](./waf-regional-rulegroup-not-empty.html)
+ [waf-regional-rule-not-empty](./waf-regional-rule-not-empty.html)
+ [waf-regional-webacl-not-empty](./waf-regional-webacl-not-empty.html)

## US East (N. Virginia) Region
<a name="us-east-n-virginia-section-head"></a>

### US East (N. Virginia)
<a name="us-east-n-virginia"></a>
+ [access-keys-rotated](./access-keys-rotated.html)
+ [account-part-of-organizations](./account-part-of-organizations.html)
+ [acmpca-certificate-authority-tagged](./acmpca-certificate-authority-tagged.html)
+ [acm-certificate-expiration-check](./acm-certificate-expiration-check.html)
+ [acm-certificate-rsa-check](./acm-certificate-rsa-check.html)
+ [acm-certificate-transparent-logging-enabled](./acm-certificate-transparent-logging-enabled.html)
+ [acm-pca-root-ca-disabled](./acm-pca-root-ca-disabled.html)
+ [active-mq-supported-version](./active-mq-supported-version.html)
+ [alb-desync-mode-check](./alb-desync-mode-check.html)
+ [alb-http-drop-invalid-header-enabled](./alb-http-drop-invalid-header-enabled.html)
+ [alb-http-to-https-redirection-check](./alb-http-to-https-redirection-check.html)
+ [alb-internal-scheme-check](./alb-internal-scheme-check.html)
+ [alb-listener-tagged](./alb-listener-tagged.html)
+ [alb-tagged](./alb-tagged.html)
+ [alb-waf-enabled](./alb-waf-enabled.html)
+ [amplify-app-branch-auto-deletion-enabled](./amplify-app-branch-auto-deletion-enabled.html)
+ [amplify-app-build-spec-configured](./amplify-app-build-spec-configured.html)
+ [amplify-app-description](./amplify-app-description.html)
+ [amplify-app-no-environment-variables](./amplify-app-no-environment-variables.html)
+ [amplify-app-platform-check](./amplify-app-platform-check.html)
+ [amplify-app-tagged](./amplify-app-tagged.html)
+ [amplify-branch-auto-build-enabled](./amplify-branch-auto-build-enabled.html)
+ [amplify-branch-build-spec-configured](./amplify-branch-build-spec-configured.html)
+ [amplify-branch-description](./amplify-branch-description.html)
+ [amplify-branch-framework-configured](./amplify-branch-framework-configured.html)
+ [amplify-branch-performance-mode-enabled](./amplify-branch-performance-mode-enabled.html)
+ [amplify-branch-pull-request-preview-enabled](./amplify-branch-pull-request-preview-enabled.html)
+ [amplify-branch-tagged](./amplify-branch-tagged.html)
+ [apigatewayv2-integration-private-https-enabled](./apigatewayv2-integration-private-https-enabled.html)
+ [apigatewayv2-stage-description](./apigatewayv2-stage-description.html)
+ [apigateway-domain-name-tls-check](./apigateway-domain-name-tls-check.html)
+ [apigateway-stage-access-logs-enabled](./apigateway-stage-access-logs-enabled.html)
+ [apigateway-stage-description](./apigateway-stage-description.html)
+ [api-gwv2-access-logs-enabled](./api-gwv2-access-logs-enabled.html)
+ [api-gwv2-authorization-type-configured](./api-gwv2-authorization-type-configured.html)
+ [api-gwv2-stage-default-route-detailed-metrics-enabled](./api-gwv2-stage-default-route-detailed-metrics-enabled.html)
+ [api-gw-associated-with-waf](./api-gw-associated-with-waf.html)
+ [api-gw-cache-enabled-and-encrypted](./api-gw-cache-enabled-and-encrypted.html)
+ [api-gw-endpoint-type-check](./api-gw-endpoint-type-check.html)
+ [api-gw-execution-logging-enabled](./api-gw-execution-logging-enabled.html)
+ [api-gw-rest-api-tagged](./api-gw-rest-api-tagged.html)
+ [api-gw-ssl-enabled](./api-gw-ssl-enabled.html)
+ [api-gw-stage-tagged](./api-gw-stage-tagged.html)
+ [api-gw-xray-enabled](./api-gw-xray-enabled.html)
+ [appconfig-application-description](./appconfig-application-description.html)
+ [appconfig-application-tagged](./appconfig-application-tagged.html)
+ [appconfig-configuration-profile-tagged](./appconfig-configuration-profile-tagged.html)
+ [appconfig-configuration-profile-validators-not-empty](./appconfig-configuration-profile-validators-not-empty.html)
+ [appconfig-deployment-strategy-description](./appconfig-deployment-strategy-description.html)
+ [appconfig-deployment-strategy-minimum-final-bake-time](./appconfig-deployment-strategy-minimum-final-bake-time.html)
+ [appconfig-deployment-strategy-replicate-to-ssm](./appconfig-deployment-strategy-replicate-to-ssm.html)
+ [appconfig-deployment-strategy-tagged](./appconfig-deployment-strategy-tagged.html)
+ [appconfig-environment-description](./appconfig-environment-description.html)
+ [appconfig-environment-tagged](./appconfig-environment-tagged.html)
+ [appconfig-extension-association-tagged](./appconfig-extension-association-tagged.html)
+ [appconfig-freeform-profile-config-storage](./appconfig-freeform-profile-config-storage.html)
+ [appconfig-hosted-configuration-version-description](./appconfig-hosted-configuration-version-description.html)
+ [appflow-flow-tagged](./appflow-flow-tagged.html)
+ [appflow-flow-trigger-type-check](./appflow-flow-trigger-type-check.html)
+ [appintegrations-application-approved-origins-check](./appintegrations-application-approved-origins-check.html)
+ [appintegrations-application-tagged](./appintegrations-application-tagged.html)
+ [appintegrations-event-integration-description](./appintegrations-event-integration-description.html)
+ [appintegrations-event-integration-tagged](./appintegrations-event-integration-tagged.html)
+ [appmesh-gateway-route-tagged](./appmesh-gateway-route-tagged.html)
+ [appmesh-mesh-deny-tcp-forwarding](./appmesh-mesh-deny-tcp-forwarding.html)
+ [appmesh-mesh-ip-pref-check](./appmesh-mesh-ip-pref-check.html)
+ [appmesh-mesh-tagged](./appmesh-mesh-tagged.html)
+ [appmesh-route-tagged](./appmesh-route-tagged.html)
+ [appmesh-virtual-gateway-backend-defaults-tls](./appmesh-virtual-gateway-backend-defaults-tls.html)
+ [appmesh-virtual-gateway-listeners-health-check-enabled](./appmesh-virtual-gateway-listeners-health-check-enabled.html)
+ [appmesh-virtual-gateway-logging-file-path-exists](./appmesh-virtual-gateway-logging-file-path-exists.html)
+ [appmesh-virtual-gateway-tagged](./appmesh-virtual-gateway-tagged.html)
+ [appmesh-virtual-node-backend-defaults-tls-on](./appmesh-virtual-node-backend-defaults-tls-on.html)
+ [appmesh-virtual-node-cloud-map-ip-pref-check](./appmesh-virtual-node-cloud-map-ip-pref-check.html)
+ [appmesh-virtual-node-dns-ip-pref-check](./appmesh-virtual-node-dns-ip-pref-check.html)
+ [appmesh-virtual-node-listeners-health-check-enabled](./appmesh-virtual-node-listeners-health-check-enabled.html)
+ [appmesh-virtual-node-listeners-outlier-detect-enabled](./appmesh-virtual-node-listeners-outlier-detect-enabled.html)
+ [appmesh-virtual-node-logging-file-path-exists](./appmesh-virtual-node-logging-file-path-exists.html)
+ [appmesh-virtual-node-service-backends-tls-enforced](./appmesh-virtual-node-service-backends-tls-enforced.html)
+ [appmesh-virtual-node-tagged](./appmesh-virtual-node-tagged.html)
+ [appmesh-virtual-router-tagged](./appmesh-virtual-router-tagged.html)
+ [appmesh-virtual-service-tagged](./appmesh-virtual-service-tagged.html)
+ [approved-amis-by-id](./approved-amis-by-id.html)
+ [approved-amis-by-tag](./approved-amis-by-tag.html)
+ [apprunner-service-in-vpc](./apprunner-service-in-vpc.html)
+ [apprunner-service-ip-address-type-check](./apprunner-service-ip-address-type-check.html)
+ [apprunner-service-max-unhealthy-threshold](./apprunner-service-max-unhealthy-threshold.html)
+ [apprunner-service-no-public-access](./apprunner-service-no-public-access.html)
+ [apprunner-service-observability-enabled](./apprunner-service-observability-enabled.html)
+ [apprunner-service-tagged](./apprunner-service-tagged.html)
+ [apprunner-vpc-connector-tagged](./apprunner-vpc-connector-tagged.html)
+ [appstream-fleet-in-vpc](./appstream-fleet-in-vpc.html)
+ [appsync-associated-with-waf](./appsync-associated-with-waf.html)
+ [appsync-authorization-check](./appsync-authorization-check.html)
+ [appsync-cache-ct-encryption-at-rest](./appsync-cache-ct-encryption-at-rest.html)
+ [appsync-cache-ct-encryption-in-transit](./appsync-cache-ct-encryption-in-transit.html)
+ [appsync-cache-encryption-at-rest](./appsync-cache-encryption-at-rest.html)
+ [appsync-graphql-api-xray-enabled](./appsync-graphql-api-xray-enabled.html)
+ [appsync-logging-enabled](./appsync-logging-enabled.html)
+ [aps-rule-groups-namespace-tagged](./aps-rule-groups-namespace-tagged.html)
+ [athena-data-catalog-description](./athena-data-catalog-description.html)
+ [athena-prepared-statement-description](./athena-prepared-statement-description.html)
+ [athena-workgroup-description](./athena-workgroup-description.html)
+ [athena-workgroup-encrypted-at-rest](./athena-workgroup-encrypted-at-rest.html)
+ [athena-workgroup-enforce-workgroup-configuration](./athena-workgroup-enforce-workgroup-configuration.html)
+ [athena-workgroup-engine-version-auto-upgrade](./athena-workgroup-engine-version-auto-upgrade.html)
+ [athena-workgroup-logging-enabled](./athena-workgroup-logging-enabled.html)
+ [auditmanager-assessment-tagged](./auditmanager-assessment-tagged.html)
+ [aurora-global-database-encryption-at-rest](./aurora-global-database-encryption-at-rest.html)
+ [aurora-last-backup-recovery-point-created](./aurora-last-backup-recovery-point-created.html)
+ [aurora-meets-restore-time-target](./aurora-meets-restore-time-target.html)
+ [aurora-mysql-backtracking-enabled](./aurora-mysql-backtracking-enabled.html)
+ [aurora-mysql-cluster-audit-logging](./aurora-mysql-cluster-audit-logging.html)
+ [aurora-resources-in-logically-air-gapped-vault](./aurora-resources-in-logically-air-gapped-vault.html)
+ [aurora-resources-protected-by-backup-plan](./aurora-resources-protected-by-backup-plan.html)
+ [autoscaling-capacity-rebalancing](./autoscaling-capacity-rebalancing.html)
+ [autoscaling-group-elb-healthcheck-required](./autoscaling-group-elb-healthcheck-required.html)
+ [autoscaling-launchconfig-requires-imdsv2](./autoscaling-launchconfig-requires-imdsv2.html)
+ [autoscaling-launch-config-hop-limit](./autoscaling-launch-config-hop-limit.html)
+ [autoscaling-launch-config-public-ip-disabled](./autoscaling-launch-config-public-ip-disabled.html)
+ [autoscaling-launch-template](./autoscaling-launch-template.html)
+ [autoscaling-multiple-az](./autoscaling-multiple-az.html)
+ [autoscaling-multiple-instance-types](./autoscaling-multiple-instance-types.html)
+ [backup-plan-min-frequency-and-min-retention-check](./backup-plan-min-frequency-and-min-retention-check.html)
+ [backup-recovery-point-encrypted](./backup-recovery-point-encrypted.html)
+ [backup-recovery-point-manual-deletion-disabled](./backup-recovery-point-manual-deletion-disabled.html)
+ [backup-recovery-point-minimum-retention-check](./backup-recovery-point-minimum-retention-check.html)
+ [batch-compute-environment-enabled](./batch-compute-environment-enabled.html)
+ [batch-compute-environment-managed](./batch-compute-environment-managed.html)
+ [batch-compute-environment-tagged](./batch-compute-environment-tagged.html)
+ [batch-job-queue-enabled](./batch-job-queue-enabled.html)
+ [batch-job-queue-tagged](./batch-job-queue-tagged.html)
+ [batch-managed-compute-environment-using-launch-template](./batch-managed-compute-environment-using-launch-template.html)
+ [batch-managed-compute-env-allocation-strategy-check](./batch-managed-compute-env-allocation-strategy-check.html)
+ [batch-managed-compute-env-compute-resources-tagged](./batch-managed-compute-env-compute-resources-tagged.html)
+ [batch-managed-spot-compute-environment-max-bid](./batch-managed-spot-compute-environment-max-bid.html)
+ [batch-scheduling-policy-tagged](./batch-scheduling-policy-tagged.html)
+ [beanstalk-enhanced-health-reporting-enabled](./beanstalk-enhanced-health-reporting-enabled.html)
+ [cassandra-keyspace-tagged](./cassandra-keyspace-tagged.html)
+ [clb-desync-mode-check](./clb-desync-mode-check.html)
+ [clb-multiple-az](./clb-multiple-az.html)
+ [cloudformation-stack-drift-detection-check](./cloudformation-stack-drift-detection-check.html)
+ [cloudformation-stack-notification-check](./cloudformation-stack-notification-check.html)
+ [cloudformation-stack-service-role-check](./cloudformation-stack-service-role-check.html)
+ [cloudformation-termination-protection-check](./cloudformation-termination-protection-check.html)
+ [cloudfront-accesslogs-enabled](./cloudfront-accesslogs-enabled.html)
+ [cloudfront-associated-with-waf](./cloudfront-associated-with-waf.html)
+ [cloudfront-custom-ssl-certificate](./cloudfront-custom-ssl-certificate.html)
+ [cloudfront-default-root-object-configured](./cloudfront-default-root-object-configured.html)
+ [cloudfront-distribution-key-group-enabled](./cloudfront-distribution-key-group-enabled.html)
+ [cloudfront-no-deprecated-ssl-protocols](./cloudfront-no-deprecated-ssl-protocols.html)
+ [cloudfront-origin-access-identity-enabled](./cloudfront-origin-access-identity-enabled.html)
+ [cloudfront-origin-failover-enabled](./cloudfront-origin-failover-enabled.html)
+ [cloudfront-origin-lambda-url-oac-enabled](./cloudfront-origin-lambda-url-oac-enabled.html)
+ [cloudfront-s3-origin-access-control-enabled](./cloudfront-s3-origin-access-control-enabled.html)
+ [cloudfront-s3-origin-non-existent-bucket](./cloudfront-s3-origin-non-existent-bucket.html)
+ [cloudfront-security-policy-check](./cloudfront-security-policy-check.html)
+ [cloudfront-sni-enabled](./cloudfront-sni-enabled.html)
+ [cloudfront-ssl-policy-check](./cloudfront-ssl-policy-check.html)
+ [cloudfront-traffic-to-origin-encrypted](./cloudfront-traffic-to-origin-encrypted.html)
+ [cloudfront-viewer-policy-https](./cloudfront-viewer-policy-https.html)
+ [cloudtrail-all-read-s3-data-event-check](./cloudtrail-all-read-s3-data-event-check.html)
+ [cloudtrail-all-write-s3-data-event-check](./cloudtrail-all-write-s3-data-event-check.html)
+ [cloudtrail-event-data-store-multi-region](./cloudtrail-event-data-store-multi-region.html)
+ [cloudtrail-s3-bucket-access-logging](./cloudtrail-s3-bucket-access-logging.html)
+ [cloudtrail-s3-bucket-public-access-prohibited](./cloudtrail-s3-bucket-public-access-prohibited.html)
+ [cloudtrail-s3-dataevents-enabled](./cloudtrail-s3-dataevents-enabled.html)
+ [cloudtrail-security-trail-enabled](./cloudtrail-security-trail-enabled.html)
+ [cloudwatch-alarm-action-check](./cloudwatch-alarm-action-check.html)
+ [cloudwatch-alarm-action-enabled-check](./cloudwatch-alarm-action-enabled-check.html)
+ [cloudwatch-alarm-description](./cloudwatch-alarm-description.html)
+ [cloudwatch-alarm-resource-check](./cloudwatch-alarm-resource-check.html)
+ [cloudwatch-alarm-settings-check](./cloudwatch-alarm-settings-check.html)
+ [cloudwatch-log-group-encrypted](./cloudwatch-log-group-encrypted.html)
+ [cloudwatch-metric-stream-tagged](./cloudwatch-metric-stream-tagged.html)
+ [cloud-trail-cloud-watch-logs-enabled](./cloud-trail-cloud-watch-logs-enabled.html)
+ [cloud-trail-enabled](./cloud-trail-enabled.html)
+ [cloud-trail-encryption-enabled](./cloud-trail-encryption-enabled.html)
+ [cloud-trail-log-file-validation-enabled](./cloud-trail-log-file-validation-enabled.html)
+ [cmk-backing-key-rotation-enabled](./cmk-backing-key-rotation-enabled.html)
+ [codeartifact-repository-tagged](./codeartifact-repository-tagged.html)
+ [codebuild-project-artifact-encryption](./codebuild-project-artifact-encryption.html)
+ [codebuild-project-environment-privileged-check](./codebuild-project-environment-privileged-check.html)
+ [codebuild-project-envvar-awscred-check](./codebuild-project-envvar-awscred-check.html)
+ [codebuild-project-logging-enabled](./codebuild-project-logging-enabled.html)
+ [codebuild-project-s3-logs-encrypted](./codebuild-project-s3-logs-encrypted.html)
+ [codebuild-project-source-repo-url-check](./codebuild-project-source-repo-url-check.html)
+ [codebuild-project-tagged](./codebuild-project-tagged.html)
+ [codebuild-report-group-encrypted-at-rest](./codebuild-report-group-encrypted-at-rest.html)
+ [codebuild-report-group-tagged](./codebuild-report-group-tagged.html)
+ [codedeploy-auto-rollback-monitor-enabled](./codedeploy-auto-rollback-monitor-enabled.html)
+ [codedeploy-deployment-group-auto-rollback-enabled](./codedeploy-deployment-group-auto-rollback-enabled.html)
+ [codedeploy-deployment-group-outdated-instances-update](./codedeploy-deployment-group-outdated-instances-update.html)
+ [codedeploy-ec2-minimum-healthy-hosts-configured](./codedeploy-ec2-minimum-healthy-hosts-configured.html)
+ [codedeploy-lambda-allatonce-traffic-shift-disabled](./codedeploy-lambda-allatonce-traffic-shift-disabled.html)
+ [codeguruprofiler-profiling-group-tagged](./codeguruprofiler-profiling-group-tagged.html)
+ [codegurureviewer-repository-association-tagged](./codegurureviewer-repository-association-tagged.html)
+ [codepipeline-deployment-count-check](./codepipeline-deployment-count-check.html)
+ [codepipeline-region-fanout-check](./codepipeline-region-fanout-check.html)
+ [cognito-identity-pool-unauthenticated-logins](./cognito-identity-pool-unauthenticated-logins.html)
+ [cognito-identity-pool-unauth-access-check](./cognito-identity-pool-unauth-access-check.html)
+ [cognito-userpool-cust-auth-threat-full-check](./cognito-userpool-cust-auth-threat-full-check.html)
+ [cognito-user-pool-advanced-security-enabled](./cognito-user-pool-advanced-security-enabled.html)
+ [cognito-user-pool-deletion-protection-enabled](./cognito-user-pool-deletion-protection-enabled.html)
+ [cognito-user-pool-mfa-enabled](./cognito-user-pool-mfa-enabled.html)
+ [cognito-user-pool-password-policy-check](./cognito-user-pool-password-policy-check.html)
+ [cognito-user-pool-tagged](./cognito-user-pool-tagged.html)
+ [connect-instance-logging-enabled](./connect-instance-logging-enabled.html)
+ [customerprofiles-domain-tagged](./customerprofiles-domain-tagged.html)
+ [customerprofiles-object-type-allow-profile-creation](./customerprofiles-object-type-allow-profile-creation.html)
+ [customerprofiles-object-type-tagged](./customerprofiles-object-type-tagged.html)
+ [custom-eventbus-policy-attached](./custom-eventbus-policy-attached.html)
+ [custom-schema-registry-policy-attached](./custom-schema-registry-policy-attached.html)
+ [cw-loggroup-retention-period-check](./cw-loggroup-retention-period-check.html)
+ [datasync-location-object-storage-using-https](./datasync-location-object-storage-using-https.html)
+ [datasync-task-data-verification-enabled](./datasync-task-data-verification-enabled.html)
+ [datasync-task-logging-enabled](./datasync-task-logging-enabled.html)
+ [datasync-task-tagged](./datasync-task-tagged.html)
+ [dax-encryption-enabled](./dax-encryption-enabled.html)
+ [dax-tls-endpoint-encryption](./dax-tls-endpoint-encryption.html)
+ [db-instance-backup-enabled](./db-instance-backup-enabled.html)
+ [desired-instance-tenancy](./desired-instance-tenancy.html)
+ [desired-instance-type](./desired-instance-type.html)
+ [dms-auto-minor-version-upgrade-check](./dms-auto-minor-version-upgrade-check.html)
+ [dms-endpoint-ssl-configured](./dms-endpoint-ssl-configured.html)
+ [dms-endpoint-tagged](./dms-endpoint-tagged.html)
+ [dms-mongo-db-authentication-enabled](./dms-mongo-db-authentication-enabled.html)
+ [dms-neptune-iam-authorization-enabled](./dms-neptune-iam-authorization-enabled.html)
+ [dms-redis-tls-enabled](./dms-redis-tls-enabled.html)
+ [dms-replication-instance-multi-az-enabled](./dms-replication-instance-multi-az-enabled.html)
+ [dms-replication-not-public](./dms-replication-not-public.html)
+ [dms-replication-task-sourcedb-logging](./dms-replication-task-sourcedb-logging.html)
+ [dms-replication-task-tagged](./dms-replication-task-tagged.html)
+ [dms-replication-task-targetdb-logging](./dms-replication-task-targetdb-logging.html)
+ [docdb-cluster-audit-logging-enabled](./docdb-cluster-audit-logging-enabled.html)
+ [docdb-cluster-backup-retention-check](./docdb-cluster-backup-retention-check.html)
+ [docdb-cluster-deletion-protection-enabled](./docdb-cluster-deletion-protection-enabled.html)
+ [docdb-cluster-encrypted](./docdb-cluster-encrypted.html)
+ [docdb-cluster-encrypted-in-transit](./docdb-cluster-encrypted-in-transit.html)
+ [docdb-cluster-snapshot-public-prohibited](./docdb-cluster-snapshot-public-prohibited.html)
+ [dynamodb-autoscaling-enabled](./dynamodb-autoscaling-enabled.html)
+ [dynamodb-in-backup-plan](./dynamodb-in-backup-plan.html)
+ [dynamodb-last-backup-recovery-point-created](./dynamodb-last-backup-recovery-point-created.html)
+ [dynamodb-meets-restore-time-target](./dynamodb-meets-restore-time-target.html)
+ [dynamodb-pitr-enabled](./dynamodb-pitr-enabled.html)
+ [dynamodb-resources-protected-by-backup-plan](./dynamodb-resources-protected-by-backup-plan.html)
+ [dynamodb-table-deletion-protection-enabled](./dynamodb-table-deletion-protection-enabled.html)
+ [dynamodb-table-encrypted-kms](./dynamodb-table-encrypted-kms.html)
+ [dynamodb-table-encryption-enabled](./dynamodb-table-encryption-enabled.html)
+ [dynamodb-throughput-limit-check](./dynamodb-throughput-limit-check.html)
+ [ebs-in-backup-plan](./ebs-in-backup-plan.html)
+ [ebs-last-backup-recovery-point-created](./ebs-last-backup-recovery-point-created.html)
+ [ebs-meets-restore-time-target](./ebs-meets-restore-time-target.html)
+ [ebs-optimized-instance](./ebs-optimized-instance.html)
+ [ebs-resources-in-logically-air-gapped-vault](./ebs-resources-in-logically-air-gapped-vault.html)
+ [ebs-resources-protected-by-backup-plan](./ebs-resources-protected-by-backup-plan.html)
+ [ebs-snapshot-block-public-access](./ebs-snapshot-block-public-access.html)
+ [ebs-snapshot-public-restorable-check](./ebs-snapshot-public-restorable-check.html)
+ [ec2-capacity-reservation-tagged](./ec2-capacity-reservation-tagged.html)
+ [ec2-carrier-gateway-tagged](./ec2-carrier-gateway-tagged.html)
+ [ec2-client-vpn-connection-log-enabled](./ec2-client-vpn-connection-log-enabled.html)
+ [ec2-client-vpn-endpoint-tagged](./ec2-client-vpn-endpoint-tagged.html)
+ [ec2-client-vpn-not-authorize-all](./ec2-client-vpn-not-authorize-all.html)
+ [ec2-dhcp-options-tagged](./ec2-dhcp-options-tagged.html)
+ [ec2-ebs-encryption-by-default](./ec2-ebs-encryption-by-default.html)
+ [ec2-enis-source-destination-check-enabled](./ec2-enis-source-destination-check-enabled.html)
+ [ec2-fleet-tagged](./ec2-fleet-tagged.html)
+ [ec2-imdsv2-check](./ec2-imdsv2-check.html)
+ [ec2-instance-detailed-monitoring-enabled](./ec2-instance-detailed-monitoring-enabled.html)
+ [ec2-instance-launched-with-allowed-ami](./ec2-instance-launched-with-allowed-ami.html)
+ [ec2-instance-managed-by-ssm](./ec2-instance-managed-by-ssm.html)
+ [ec2-instance-multiple-eni-check](./ec2-instance-multiple-eni-check.html)
+ [ec2-instance-no-public-ip](./ec2-instance-no-public-ip.html)
+ [ec2-instance-profile-attached](./ec2-instance-profile-attached.html)
+ [ec2-ipamscope-tagged](./ec2-ipamscope-tagged.html)
+ [ec2-last-backup-recovery-point-created](./ec2-last-backup-recovery-point-created.html)
+ [ec2-launchtemplate-ebs-encrypted](./ec2-launchtemplate-ebs-encrypted.html)
+ [ec2-launch-templates-ebs-volume-encrypted](./ec2-launch-templates-ebs-volume-encrypted.html)
+ [ec2-launch-template-imdsv2-check](./ec2-launch-template-imdsv2-check.html)
+ [ec2-launch-template-public-ip-disabled](./ec2-launch-template-public-ip-disabled.html)
+ [ec2-launch-template-tagged](./ec2-launch-template-tagged.html)
+ [ec2-managedinstance-applications-blacklisted](./ec2-managedinstance-applications-blacklisted.html)
+ [ec2-managedinstance-applications-required](./ec2-managedinstance-applications-required.html)
+ [ec2-managedinstance-association-compliance-status-check](./ec2-managedinstance-association-compliance-status-check.html)
+ [ec2-managedinstance-inventory-blacklisted](./ec2-managedinstance-inventory-blacklisted.html)
+ [ec2-managedinstance-patch-compliance-status-check](./ec2-managedinstance-patch-compliance-status-check.html)
+ [ec2-managedinstance-platform-check](./ec2-managedinstance-platform-check.html)
+ [ec2-meets-restore-time-target](./ec2-meets-restore-time-target.html)
+ [ec2-network-insights-access-scope-analysis-tagged](./ec2-network-insights-access-scope-analysis-tagged.html)
+ [ec2-network-insights-access-scope-tagged](./ec2-network-insights-access-scope-tagged.html)
+ [ec2-network-insights-analysis-tagged](./ec2-network-insights-analysis-tagged.html)
+ [ec2-network-insights-path-tagged](./ec2-network-insights-path-tagged.html)
+ [ec2-no-amazon-key-pair](./ec2-no-amazon-key-pair.html)
+ [ec2-paravirtual-instance-check](./ec2-paravirtual-instance-check.html)
+ [ec2-prefix-list-tagged](./ec2-prefix-list-tagged.html)
+ [ec2-resources-in-logically-air-gapped-vault](./ec2-resources-in-logically-air-gapped-vault.html)
+ [ec2-resources-protected-by-backup-plan](./ec2-resources-protected-by-backup-plan.html)
+ [ec2-security-group-attached-to-eni](./ec2-security-group-attached-to-eni.html)
+ [ec2-security-group-attached-to-eni-periodic](./ec2-security-group-attached-to-eni-periodic.html)
+ [ec2-spot-fleet-request-ct-encryption-at-rest](./ec2-spot-fleet-request-ct-encryption-at-rest.html)
+ [ec2-stopped-instance](./ec2-stopped-instance.html)
+ [ec2-token-hop-limit-check](./ec2-token-hop-limit-check.html)
+ [ec2-traffic-mirror-filter-description](./ec2-traffic-mirror-filter-description.html)
+ [ec2-traffic-mirror-filter-tagged](./ec2-traffic-mirror-filter-tagged.html)
+ [ec2-traffic-mirror-session-description](./ec2-traffic-mirror-session-description.html)
+ [ec2-traffic-mirror-session-tagged](./ec2-traffic-mirror-session-tagged.html)
+ [ec2-traffic-mirror-target-description](./ec2-traffic-mirror-target-description.html)
+ [ec2-traffic-mirror-target-tagged](./ec2-traffic-mirror-target-tagged.html)
+ [ec2-transit-gateway-auto-vpc-attach-disabled](./ec2-transit-gateway-auto-vpc-attach-disabled.html)
+ [ec2-transit-gateway-multicast-domain-tagged](./ec2-transit-gateway-multicast-domain-tagged.html)
+ [ec2-volume-inuse-check](./ec2-volume-inuse-check.html)
+ [ec2-vpn-connection-ike-version-check](./ec2-vpn-connection-ike-version-check.html)
+ [ec2-vpn-connection-logging-enabled](./ec2-vpn-connection-logging-enabled.html)
+ [ec2-vpn-connection-tagged](./ec2-vpn-connection-tagged.html)
+ [ecr-private-image-scanning-enabled](./ecr-private-image-scanning-enabled.html)
+ [ecr-private-lifecycle-policy-configured](./ecr-private-lifecycle-policy-configured.html)
+ [ecr-private-tag-immutability-enabled](./ecr-private-tag-immutability-enabled.html)
+ [ecr-repository-cmk-encryption-enabled](./ecr-repository-cmk-encryption-enabled.html)
+ [ecr-repository-tagged](./ecr-repository-tagged.html)
+ [ecs-awsvpc-networking-enabled](./ecs-awsvpc-networking-enabled.html)
+ [ecs-capacity-provider-tagged](./ecs-capacity-provider-tagged.html)
+ [ecs-capacity-provider-termination-check](./ecs-capacity-provider-termination-check.html)
+ [ecs-containers-nonprivileged](./ecs-containers-nonprivileged.html)
+ [ecs-containers-readonly-access](./ecs-containers-readonly-access.html)
+ [ecs-container-insights-enabled](./ecs-container-insights-enabled.html)
+ [ecs-fargate-latest-platform-version](./ecs-fargate-latest-platform-version.html)
+ [ecs-no-environment-secrets](./ecs-no-environment-secrets.html)
+ [ecs-service-propagate-tags-enabled](./ecs-service-propagate-tags-enabled.html)
+ [ecs-task-definition-efs-encryption-enabled](./ecs-task-definition-efs-encryption-enabled.html)
+ [ecs-task-definition-linux-user-non-root](./ecs-task-definition-linux-user-non-root.html)
+ [ecs-task-definition-log-configuration](./ecs-task-definition-log-configuration.html)
+ [ecs-task-definition-memory-hard-limit](./ecs-task-definition-memory-hard-limit.html)
+ [ecs-task-definition-network-mode-not-host](./ecs-task-definition-network-mode-not-host.html)
+ [ecs-task-definition-nonroot-user](./ecs-task-definition-nonroot-user.html)
+ [ecs-task-definition-pid-mode-check](./ecs-task-definition-pid-mode-check.html)
+ [ecs-task-definition-user-for-host-mode-check](./ecs-task-definition-user-for-host-mode-check.html)
+ [ecs-task-definition-windows-user-non-admin](./ecs-task-definition-windows-user-non-admin.html)
+ [efs-access-point-enforce-root-directory](./efs-access-point-enforce-root-directory.html)
+ [efs-access-point-enforce-user-identity](./efs-access-point-enforce-user-identity.html)
+ [efs-automatic-backups-enabled](./efs-automatic-backups-enabled.html)
+ [efs-encrypted-check](./efs-encrypted-check.html)
+ [efs-filesystem-ct-encrypted](./efs-filesystem-ct-encrypted.html)
+ [efs-file-system-tagged](./efs-file-system-tagged.html)
+ [efs-in-backup-plan](./efs-in-backup-plan.html)
+ [efs-last-backup-recovery-point-created](./efs-last-backup-recovery-point-created.html)
+ [efs-meets-restore-time-target](./efs-meets-restore-time-target.html)
+ [efs-mount-target-public-accessible](./efs-mount-target-public-accessible.html)
+ [efs-resources-in-logically-air-gapped-vault](./efs-resources-in-logically-air-gapped-vault.html)
+ [efs-resources-protected-by-backup-plan](./efs-resources-protected-by-backup-plan.html)
+ [eip-attached](./eip-attached.html)
+ [eks-addon-tagged](./eks-addon-tagged.html)
+ [eks-cluster-logging-enabled](./eks-cluster-logging-enabled.html)
+ [eks-cluster-log-enabled](./eks-cluster-log-enabled.html)
+ [eks-cluster-oldest-supported-version](./eks-cluster-oldest-supported-version.html)
+ [eks-cluster-secrets-encrypted](./eks-cluster-secrets-encrypted.html)
+ [eks-cluster-supported-version](./eks-cluster-supported-version.html)
+ [eks-endpoint-no-public-access](./eks-endpoint-no-public-access.html)
+ [eks-fargate-profile-tagged](./eks-fargate-profile-tagged.html)
+ [eks-nodegroup-supported-version-check](./eks-nodegroup-supported-version-check.html)
+ [eks-secrets-encrypted](./eks-secrets-encrypted.html)
+ [elasticache-automatic-backup-check-enabled](./elasticache-automatic-backup-check-enabled.html)
+ [elasticache-auto-minor-version-upgrade-check](./elasticache-auto-minor-version-upgrade-check.html)
+ [elasticache-rbac-auth-enabled](./elasticache-rbac-auth-enabled.html)
+ [elasticache-redis-cluster-automatic-backup-check](./elasticache-redis-cluster-automatic-backup-check.html)
+ [elasticache-repl-grp-auto-failover-enabled](./elasticache-repl-grp-auto-failover-enabled.html)
+ [elasticache-repl-grp-encrypted-at-rest](./elasticache-repl-grp-encrypted-at-rest.html)
+ [elasticache-repl-grp-encrypted-in-transit](./elasticache-repl-grp-encrypted-in-transit.html)
+ [elasticache-repl-grp-redis-auth-enabled](./elasticache-repl-grp-redis-auth-enabled.html)
+ [elasticache-subnet-group-check](./elasticache-subnet-group-check.html)
+ [elasticache-supported-engine-version](./elasticache-supported-engine-version.html)
+ [elasticbeanstalk-application-description](./elasticbeanstalk-application-description.html)
+ [elasticbeanstalk-application-version-description](./elasticbeanstalk-application-version-description.html)
+ [elasticbeanstalk-environment-description](./elasticbeanstalk-environment-description.html)
+ [elasticsearch-encrypted-at-rest](./elasticsearch-encrypted-at-rest.html)
+ [elasticsearch-in-vpc-only](./elasticsearch-in-vpc-only.html)
+ [elasticsearch-logs-to-cloudwatch](./elasticsearch-logs-to-cloudwatch.html)
+ [elasticsearch-node-to-node-encryption-check](./elasticsearch-node-to-node-encryption-check.html)
+ [elastic-beanstalk-logs-to-cloudwatch](./elastic-beanstalk-logs-to-cloudwatch.html)
+ [elastic-beanstalk-managed-updates-enabled](./elastic-beanstalk-managed-updates-enabled.html)
+ [elbv2-acm-certificate-required](./elbv2-acm-certificate-required.html)
+ [elbv2-listener-encryption-in-transit](./elbv2-listener-encryption-in-transit.html)
+ [elbv2-multiple-az](./elbv2-multiple-az.html)
+ [elbv2-predefined-security-policy-ssl-check](./elbv2-predefined-security-policy-ssl-check.html)
+ [elbv2-targetgroup-healthcheck-protocol-encrypted](./elbv2-targetgroup-healthcheck-protocol-encrypted.html)
+ [elbv2-targetgroup-protocol-encrypted](./elbv2-targetgroup-protocol-encrypted.html)
+ [elb-acm-certificate-required](./elb-acm-certificate-required.html)
+ [elb-cross-zone-load-balancing-enabled](./elb-cross-zone-load-balancing-enabled.html)
+ [elb-custom-security-policy-ssl-check](./elb-custom-security-policy-ssl-check.html)
+ [elb-deletion-protection-enabled](./elb-deletion-protection-enabled.html)
+ [elb-internal-scheme-check](./elb-internal-scheme-check.html)
+ [elb-logging-enabled](./elb-logging-enabled.html)
+ [elb-predefined-security-policy-ssl-check](./elb-predefined-security-policy-ssl-check.html)
+ [elb-tagged](./elb-tagged.html)
+ [elb-tls-https-listeners-only](./elb-tls-https-listeners-only.html)
+ [emr-block-public-access](./emr-block-public-access.html)
+ [emr-kerberos-enabled](./emr-kerberos-enabled.html)
+ [emr-master-no-public-ip](./emr-master-no-public-ip.html)
+ [emr-security-configuration-encryption-rest](./emr-security-configuration-encryption-rest.html)
+ [emr-security-configuration-encryption-transit](./emr-security-configuration-encryption-transit.html)
+ [encrypted-volumes](./encrypted-volumes.html)
+ [eventschemas-discoverer-tagged](./eventschemas-discoverer-tagged.html)
+ [eventschemas-registry-tagged](./eventschemas-registry-tagged.html)
+ [event-data-store-cmk-encryption-enabled](./event-data-store-cmk-encryption-enabled.html)
+ [evidently-launch-description](./evidently-launch-description.html)
+ [evidently-launch-tagged](./evidently-launch-tagged.html)
+ [evidently-project-description](./evidently-project-description.html)
+ [evidently-project-tagged](./evidently-project-tagged.html)
+ [evidently-segment-description](./evidently-segment-description.html)
+ [evidently-segment-tagged](./evidently-segment-tagged.html)
+ [fis-experiment-template-log-configuration-exists](./fis-experiment-template-log-configuration-exists.html)
+ [fis-experiment-template-tagged](./fis-experiment-template-tagged.html)
+ [fms-shield-resource-policy-check](./fms-shield-resource-policy-check.html)
+ [fms-webacl-resource-policy-check](./fms-webacl-resource-policy-check.html)
+ [fms-webacl-rulegroup-association-check](./fms-webacl-rulegroup-association-check.html)
+ [frauddetector-entity-type-tagged](./frauddetector-entity-type-tagged.html)
+ [frauddetector-label-tagged](./frauddetector-label-tagged.html)
+ [frauddetector-outcome-tagged](./frauddetector-outcome-tagged.html)
+ [frauddetector-variable-tagged](./frauddetector-variable-tagged.html)
+ [fsx-last-backup-recovery-point-created](./fsx-last-backup-recovery-point-created.html)
+ [fsx-lustre-copy-tags-to-backups](./fsx-lustre-copy-tags-to-backups.html)
+ [fsx-meets-restore-time-target](./fsx-meets-restore-time-target.html)
+ [fsx-ontap-deployment-type-check](./fsx-ontap-deployment-type-check.html)
+ [fsx-openzfs-copy-tags-enabled](./fsx-openzfs-copy-tags-enabled.html)
+ [fsx-openzfs-deployment-type-check](./fsx-openzfs-deployment-type-check.html)
+ [fsx-resources-protected-by-backup-plan](./fsx-resources-protected-by-backup-plan.html)
+ [fsx-windows-audit-log-configured](./fsx-windows-audit-log-configured.html)
+ [fsx-windows-deployment-type-check](./fsx-windows-deployment-type-check.html)
+ [glb-listener-tagged](./glb-listener-tagged.html)
+ [glb-tagged](./glb-tagged.html)
+ [global-endpoint-event-replication-enabled](./global-endpoint-event-replication-enabled.html)
+ [glue-job-logging-enabled](./glue-job-logging-enabled.html)
+ [glue-ml-transform-encrypted-at-rest](./glue-ml-transform-encrypted-at-rest.html)
+ [glue-ml-transform-tagged](./glue-ml-transform-tagged.html)
+ [glue-spark-job-supported-version](./glue-spark-job-supported-version.html)
+ [groundstation-config-tagged](./groundstation-config-tagged.html)
+ [groundstation-dataflowendpointgroup-tagged](./groundstation-dataflowendpointgroup-tagged.html)
+ [groundstation-missionprofile-tagged](./groundstation-missionprofile-tagged.html)
+ [guardduty-ec2-protection-runtime-enabled](./guardduty-ec2-protection-runtime-enabled.html)
+ [guardduty-ecs-protection-runtime-enabled](./guardduty-ecs-protection-runtime-enabled.html)
+ [guardduty-eks-protection-audit-enabled](./guardduty-eks-protection-audit-enabled.html)
+ [guardduty-eks-protection-runtime-enabled](./guardduty-eks-protection-runtime-enabled.html)
+ [guardduty-enabled-centralized](./guardduty-enabled-centralized.html)
+ [guardduty-lambda-protection-enabled](./guardduty-lambda-protection-enabled.html)
+ [guardduty-malware-protection-enabled](./guardduty-malware-protection-enabled.html)
+ [guardduty-non-archived-findings](./guardduty-non-archived-findings.html)
+ [guardduty-rds-protection-enabled](./guardduty-rds-protection-enabled.html)
+ [guardduty-runtime-monitoring-enabled](./guardduty-runtime-monitoring-enabled.html)
+ [guardduty-s3-protection-enabled](./guardduty-s3-protection-enabled.html)
+ [healthlake-fhirdatastore-tagged](./healthlake-fhirdatastore-tagged.html)
+ [iam-customer-policy-blocked-kms-actions](./iam-customer-policy-blocked-kms-actions.html)
+ [iam-external-access-analyzer-enabled](./iam-external-access-analyzer-enabled.html)
+ [iam-group-has-users-check](./iam-group-has-users-check.html)
+ [iam-inline-policy-blocked-kms-actions](./iam-inline-policy-blocked-kms-actions.html)
+ [iam-no-inline-policy-check](./iam-no-inline-policy-check.html)
+ [iam-oidc-provider-client-id-list-check](./iam-oidc-provider-client-id-list-check.html)
+ [iam-oidc-provider-tagged](./iam-oidc-provider-tagged.html)
+ [iam-password-policy](./iam-password-policy.html)
+ [iam-policy-blacklisted-check](./iam-policy-blacklisted-check.html)
+ [iam-policy-description](./iam-policy-description.html)
+ [iam-policy-in-use](./iam-policy-in-use.html)
+ [iam-policy-no-statements-with-admin-access](./iam-policy-no-statements-with-admin-access.html)
+ [iam-policy-no-statements-with-full-access](./iam-policy-no-statements-with-full-access.html)
+ [iam-role-managed-policy-check](./iam-role-managed-policy-check.html)
+ [iam-root-access-key-check](./iam-root-access-key-check.html)
+ [iam-saml-provider-tagged](./iam-saml-provider-tagged.html)
+ [iam-server-certificate-expiration-check](./iam-server-certificate-expiration-check.html)
+ [iam-server-certificate-tagged](./iam-server-certificate-tagged.html)
+ [iam-user-group-membership-check](./iam-user-group-membership-check.html)
+ [iam-user-mfa-enabled](./iam-user-mfa-enabled.html)
+ [iam-user-no-policies-check](./iam-user-no-policies-check.html)
+ [iam-user-unused-credentials-check](./iam-user-unused-credentials-check.html)
+ [imagebuilder-distributionconfiguration-tagged](./imagebuilder-distributionconfiguration-tagged.html)
+ [imagebuilder-imagepipeline-tagged](./imagebuilder-imagepipeline-tagged.html)
+ [imagebuilder-imagerecipe-ebs-volumes-encrypted](./imagebuilder-imagerecipe-ebs-volumes-encrypted.html)
+ [imagebuilder-imagerecipe-tagged](./imagebuilder-imagerecipe-tagged.html)
+ [imagebuilder-infrastructureconfiguration-tagged](./imagebuilder-infrastructureconfiguration-tagged.html)
+ [incoming-ssh-disabled](./incoming-ssh-disabled.html)
+ [inspector-ec2-scan-enabled](./inspector-ec2-scan-enabled.html)
+ [inspector-ecr-scan-enabled](./inspector-ecr-scan-enabled.html)
+ [inspector-lambda-code-scan-enabled](./inspector-lambda-code-scan-enabled.html)
+ [inspector-lambda-standard-scan-enabled](./inspector-lambda-standard-scan-enabled.html)
+ [instances-in-vpc](./instances-in-vpc.html)
+ [internet-gateway-authorized-vpc-only](./internet-gateway-authorized-vpc-only.html)
+ [iotdevicedefender-custom-metric-tagged](./iotdevicedefender-custom-metric-tagged.html)
+ [iotevents-alarm-model-tagged](./iotevents-alarm-model-tagged.html)
+ [iotevents-detector-model-tagged](./iotevents-detector-model-tagged.html)
+ [iotevents-input-tagged](./iotevents-input-tagged.html)
+ [iotsitewise-asset-model-tagged](./iotsitewise-asset-model-tagged.html)
+ [iotsitewise-dashboard-tagged](./iotsitewise-dashboard-tagged.html)
+ [iotsitewise-gateway-tagged](./iotsitewise-gateway-tagged.html)
+ [iotsitewise-portal-tagged](./iotsitewise-portal-tagged.html)
+ [iotsitewise-project-tagged](./iotsitewise-project-tagged.html)
+ [iottwinmaker-component-type-tagged](./iottwinmaker-component-type-tagged.html)
+ [iottwinmaker-entity-tagged](./iottwinmaker-entity-tagged.html)
+ [iottwinmaker-scene-tagged](./iottwinmaker-scene-tagged.html)
+ [iottwinmaker-sync-job-tagged](./iottwinmaker-sync-job-tagged.html)
+ [iottwinmaker-workspace-tagged](./iottwinmaker-workspace-tagged.html)
+ [iotwireless-fuota-task-tagged](./iotwireless-fuota-task-tagged.html)
+ [iotwireless-multicast-group-tagged](./iotwireless-multicast-group-tagged.html)
+ [iotwireless-service-profile-tagged](./iotwireless-service-profile-tagged.html)
+ [iot-authorizer-token-signing-enabled](./iot-authorizer-token-signing-enabled.html)
+ [iot-job-template-tagged](./iot-job-template-tagged.html)
+ [iot-provisioning-template-description](./iot-provisioning-template-description.html)
+ [iot-provisioning-template-jitp](./iot-provisioning-template-jitp.html)
+ [iot-provisioning-template-tagged](./iot-provisioning-template-tagged.html)
+ [iot-scheduled-audit-tagged](./iot-scheduled-audit-tagged.html)
+ [ivs-channel-playback-authorization-enabled](./ivs-channel-playback-authorization-enabled.html)
+ [ivs-channel-tagged](./ivs-channel-tagged.html)
+ [ivs-playback-key-pair-tagged](./ivs-playback-key-pair-tagged.html)
+ [ivs-recording-configuration-tagged](./ivs-recording-configuration-tagged.html)
+ [kendra-index-tagged](./kendra-index-tagged.html)
+ [kinesisvideo-signalingchannel-tagged](./kinesisvideo-signalingchannel-tagged.html)
+ [kinesisvideo-stream-tagged](./kinesisvideo-stream-tagged.html)
+ [kinesis-firehose-delivery-stream-encrypted](./kinesis-firehose-delivery-stream-encrypted.html)
+ [kinesis-stream-backup-retention-check](./kinesis-stream-backup-retention-check.html)
+ [kinesis-stream-encrypted](./kinesis-stream-encrypted.html)
+ [kinesis-video-stream-minimum-data-retention](./kinesis-video-stream-minimum-data-retention.html)
+ [kms-cmk-not-scheduled-for-deletion](./kms-cmk-not-scheduled-for-deletion.html)
+ [kms-key-policy-no-public-access](./kms-key-policy-no-public-access.html)
+ [kms-key-tagged](./kms-key-tagged.html)
+ [lambda-concurrency-check](./lambda-concurrency-check.html)
+ [lambda-dlq-check](./lambda-dlq-check.html)
+ [lambda-function-application-log-level-check](./lambda-function-application-log-level-check.html)
+ [lambda-function-description](./lambda-function-description.html)
+ [lambda-function-log-format-json](./lambda-function-log-format-json.html)
+ [lambda-function-public-access-prohibited](./lambda-function-public-access-prohibited.html)
+ [lambda-function-settings-check](./lambda-function-settings-check.html)
+ [lambda-function-system-log-level-check](./lambda-function-system-log-level-check.html)
+ [lambda-function-xray-enabled](./lambda-function-xray-enabled.html)
+ [lambda-inside-vpc](./lambda-inside-vpc.html)
+ [lambda-vpc-multi-az-check](./lambda-vpc-multi-az-check.html)
+ [lightsail-bucket-allow-public-overrides-disabled](./lightsail-bucket-allow-public-overrides-disabled.html)
+ [lightsail-bucket-object-versioning-enabled](./lightsail-bucket-object-versioning-enabled.html)
+ [lightsail-bucket-tagged](./lightsail-bucket-tagged.html)
+ [lightsail-certificate-tagged](./lightsail-certificate-tagged.html)
+ [lightsail-disk-tagged](./lightsail-disk-tagged.html)
+ [macie-auto-sensitive-data-discovery-check](./macie-auto-sensitive-data-discovery-check.html)
+ [macie-status-check](./macie-status-check.html)
+ [mariadb-publish-logs-to-cloudwatch-logs](./mariadb-publish-logs-to-cloudwatch-logs.html)
+ [mediapackage-packagingconfiguration-tagged](./mediapackage-packagingconfiguration-tagged.html)
+ [mediatailor-playbackconfiguration-tagged](./mediatailor-playbackconfiguration-tagged.html)
+ [memorydb-subnetgroup-tagged](./memorydb-subnetgroup-tagged.html)
+ [mfa-enabled-for-iam-console-access](./mfa-enabled-for-iam-console-access.html)
+ [mq-active-broker-ldap-authentication](./mq-active-broker-ldap-authentication.html)
+ [mq-active-deployment-mode](./mq-active-deployment-mode.html)
+ [mq-active-single-instance-broker-storage-type-efs](./mq-active-single-instance-broker-storage-type-efs.html)
+ [mq-automatic-minor-version-upgrade-enabled](./mq-automatic-minor-version-upgrade-enabled.html)
+ [mq-auto-minor-version-upgrade-enabled](./mq-auto-minor-version-upgrade-enabled.html)
+ [mq-broker-general-logging-enabled](./mq-broker-general-logging-enabled.html)
+ [mq-cloudwatch-audit-logging-enabled](./mq-cloudwatch-audit-logging-enabled.html)
+ [mq-cloudwatch-audit-log-enabled](./mq-cloudwatch-audit-log-enabled.html)
+ [mq-no-public-access](./mq-no-public-access.html)
+ [mq-rabbit-deployment-mode](./mq-rabbit-deployment-mode.html)
+ [msk-cluster-public-access-disabled](./msk-cluster-public-access-disabled.html)
+ [msk-cluster-tagged](./msk-cluster-tagged.html)
+ [msk-connect-connector-logging-enabled](./msk-connect-connector-logging-enabled.html)
+ [msk-enhanced-monitoring-enabled](./msk-enhanced-monitoring-enabled.html)
+ [msk-in-cluster-node-require-tls](./msk-in-cluster-node-require-tls.html)
+ [msk-unrestricted-access-check](./msk-unrestricted-access-check.html)
+ [multi-region-cloud-trail-enabled](./multi-region-cloud-trail-enabled.html)
+ [nacl-no-unrestricted-ssh-rdp](./nacl-no-unrestricted-ssh-rdp.html)
+ [neptune-cluster-backup-retention-check](./neptune-cluster-backup-retention-check.html)
+ [neptune-cluster-cloudwatch-log-export-enabled](./neptune-cluster-cloudwatch-log-export-enabled.html)
+ [neptune-cluster-copy-tags-to-snapshot-enabled](./neptune-cluster-copy-tags-to-snapshot-enabled.html)
+ [neptune-cluster-deletion-protection-enabled](./neptune-cluster-deletion-protection-enabled.html)
+ [neptune-cluster-encrypted](./neptune-cluster-encrypted.html)
+ [neptune-cluster-iam-database-authentication](./neptune-cluster-iam-database-authentication.html)
+ [neptune-cluster-multi-az-enabled](./neptune-cluster-multi-az-enabled.html)
+ [neptune-cluster-snapshot-encrypted](./neptune-cluster-snapshot-encrypted.html)
+ [neptune-cluster-snapshot-iam-database-auth-enabled](./neptune-cluster-snapshot-iam-database-auth-enabled.html)
+ [neptune-cluster-snapshot-public-prohibited](./neptune-cluster-snapshot-public-prohibited.html)
+ [netfw-deletion-protection-enabled](./netfw-deletion-protection-enabled.html)
+ [netfw-logging-enabled](./netfw-logging-enabled.html)
+ [netfw-multi-az-enabled](./netfw-multi-az-enabled.html)
+ [netfw-policy-default-action-fragment-packets](./netfw-policy-default-action-fragment-packets.html)
+ [netfw-policy-default-action-full-packets](./netfw-policy-default-action-full-packets.html)
+ [netfw-policy-rule-group-associated](./netfw-policy-rule-group-associated.html)
+ [netfw-stateless-rule-group-not-empty](./netfw-stateless-rule-group-not-empty.html)
+ [netfw-subnet-change-protection-enabled](./netfw-subnet-change-protection-enabled.html)
+ [nlb-cross-zone-load-balancing-enabled](./nlb-cross-zone-load-balancing-enabled.html)
+ [nlb-internal-scheme-check](./nlb-internal-scheme-check.html)
+ [nlb-listener-tagged](./nlb-listener-tagged.html)
+ [nlb-logging-enabled](./nlb-logging-enabled.html)
+ [nlb-tagged](./nlb-tagged.html)
+ [no-unrestricted-route-to-igw](./no-unrestricted-route-to-igw.html)
+ [opensearchserverless-collection-description](./opensearchserverless-collection-description.html)
+ [opensearchserverless-collection-standbyreplicas-enabled](./opensearchserverless-collection-standbyreplicas-enabled.html)
+ [opensearch-access-control-enabled](./opensearch-access-control-enabled.html)
+ [opensearch-audit-logging-enabled](./opensearch-audit-logging-enabled.html)
+ [opensearch-data-node-fault-tolerance](./opensearch-data-node-fault-tolerance.html)
+ [opensearch-encrypted-at-rest](./opensearch-encrypted-at-rest.html)
+ [opensearch-https-required](./opensearch-https-required.html)
+ [opensearch-in-vpc-only](./opensearch-in-vpc-only.html)
+ [opensearch-logs-to-cloudwatch](./opensearch-logs-to-cloudwatch.html)
+ [opensearch-node-to-node-encryption-check](./opensearch-node-to-node-encryption-check.html)
+ [opensearch-primary-node-fault-tolerance](./opensearch-primary-node-fault-tolerance.html)
+ [opensearch-update-check](./opensearch-update-check.html)
+ [panorama-package-tagged](./panorama-package-tagged.html)
+ [rabbit-mq-supported-version](./rabbit-mq-supported-version.html)
+ [rds-aurora-mysql-audit-logging-enabled](./rds-aurora-mysql-audit-logging-enabled.html)
+ [rds-aurora-postgresql-logs-to-cloudwatch](./rds-aurora-postgresql-logs-to-cloudwatch.html)
+ [rds-automatic-minor-version-upgrade-enabled](./rds-automatic-minor-version-upgrade-enabled.html)
+ [rds-cluster-auto-minor-version-upgrade-enable](./rds-cluster-auto-minor-version-upgrade-enable.html)
+ [rds-cluster-backup-retention-check](./rds-cluster-backup-retention-check.html)
+ [rds-cluster-default-admin-check](./rds-cluster-default-admin-check.html)
+ [rds-cluster-deletion-protection-enabled](./rds-cluster-deletion-protection-enabled.html)
+ [rds-cluster-encrypted-at-rest](./rds-cluster-encrypted-at-rest.html)
+ [rds-cluster-iam-authentication-enabled](./rds-cluster-iam-authentication-enabled.html)
+ [rds-cluster-multi-az-enabled](./rds-cluster-multi-az-enabled.html)
+ [rds-db-security-group-not-allowed](./rds-db-security-group-not-allowed.html)
+ [rds-enhanced-monitoring-enabled](./rds-enhanced-monitoring-enabled.html)
+ [rds-event-subscription-tagged](./rds-event-subscription-tagged.html)
+ [rds-global-cluster-aurora-mysql-supported-version](./rds-global-cluster-aurora-mysql-supported-version.html)
+ [rds-instance-default-admin-check](./rds-instance-default-admin-check.html)
+ [rds-instance-deletion-protection-enabled](./rds-instance-deletion-protection-enabled.html)
+ [rds-instance-iam-authentication-enabled](./rds-instance-iam-authentication-enabled.html)
+ [rds-instance-public-access-check](./rds-instance-public-access-check.html)
+ [rds-instance-subnet-igw-check](./rds-instance-subnet-igw-check.html)
+ [rds-in-backup-plan](./rds-in-backup-plan.html)
+ [rds-last-backup-recovery-point-created](./rds-last-backup-recovery-point-created.html)
+ [rds-logging-enabled](./rds-logging-enabled.html)
+ [rds-mariadb-instance-encrypted-in-transit](./rds-mariadb-instance-encrypted-in-transit.html)
+ [rds-meets-restore-time-target](./rds-meets-restore-time-target.html)
+ [rds-multi-az-support](./rds-multi-az-support.html)
+ [rds-mysql-cluster-copy-tags-to-snapshot-check](./rds-mysql-cluster-copy-tags-to-snapshot-check.html)
+ [rds-mysql-instance-encrypted-in-transit](./rds-mysql-instance-encrypted-in-transit.html)
+ [rds-option-group-tagged](./rds-option-group-tagged.html)
+ [rds-pgsql-cluster-copy-tags-to-snapshot-check](./rds-pgsql-cluster-copy-tags-to-snapshot-check.html)
+ [rds-postgresql-logs-to-cloudwatch](./rds-postgresql-logs-to-cloudwatch.html)
+ [rds-postgres-instance-encrypted-in-transit](./rds-postgres-instance-encrypted-in-transit.html)
+ [rds-proxy-tls-encryption](./rds-proxy-tls-encryption.html)
+ [rds-resources-protected-by-backup-plan](./rds-resources-protected-by-backup-plan.html)
+ [rds-snapshots-public-prohibited](./rds-snapshots-public-prohibited.html)
+ [rds-snapshot-encrypted](./rds-snapshot-encrypted.html)
+ [rds-sqlserver-encrypted-in-transit](./rds-sqlserver-encrypted-in-transit.html)
+ [rds-sql-server-logs-to-cloudwatch](./rds-sql-server-logs-to-cloudwatch.html)
+ [rds-storage-encrypted](./rds-storage-encrypted.html)
+ [redshift-audit-logging-enabled](./redshift-audit-logging-enabled.html)
+ [redshift-backup-enabled](./redshift-backup-enabled.html)
+ [redshift-cluster-configuration-check](./redshift-cluster-configuration-check.html)
+ [redshift-cluster-kms-enabled](./redshift-cluster-kms-enabled.html)
+ [redshift-cluster-maintenancesettings-check](./redshift-cluster-maintenancesettings-check.html)
+ [redshift-cluster-multi-az-enabled](./redshift-cluster-multi-az-enabled.html)
+ [redshift-cluster-parameter-group-tagged](./redshift-cluster-parameter-group-tagged.html)
+ [redshift-cluster-public-access-check](./redshift-cluster-public-access-check.html)
+ [redshift-cluster-subnet-group-multi-az](./redshift-cluster-subnet-group-multi-az.html)
+ [redshift-default-admin-check](./redshift-default-admin-check.html)
+ [redshift-default-db-name-check](./redshift-default-db-name-check.html)
+ [redshift-enhanced-vpc-routing-enabled](./redshift-enhanced-vpc-routing-enabled.html)
+ [redshift-require-tls-ssl](./redshift-require-tls-ssl.html)
+ [redshift-serverless-default-admin-check](./redshift-serverless-default-admin-check.html)
+ [redshift-serverless-default-db-name-check](./redshift-serverless-default-db-name-check.html)
+ [redshift-serverless-namespace-cmk-encryption](./redshift-serverless-namespace-cmk-encryption.html)
+ [redshift-serverless-publish-logs-to-cloudwatch](./redshift-serverless-publish-logs-to-cloudwatch.html)
+ [redshift-serverless-workgroup-encrypted-in-transit](./redshift-serverless-workgroup-encrypted-in-transit.html)
+ [redshift-serverless-workgroup-no-public-access](./redshift-serverless-workgroup-no-public-access.html)
+ [redshift-serverless-workgroup-routes-within-vpc](./redshift-serverless-workgroup-routes-within-vpc.html)
+ [redshift-unrestricted-port-access](./redshift-unrestricted-port-access.html)
+ [required-tags](./required-tags.html)
+ [resiliencehub-app-tagged](./resiliencehub-app-tagged.html)
+ [resiliencehub-resiliencypolicy-tagged](./resiliencehub-resiliencypolicy-tagged.html)
+ [restricted-incoming-traffic](./restricted-incoming-traffic.html)
+ [root-account-hardware-mfa-enabled](./root-account-hardware-mfa-enabled.html)
+ [root-account-mfa-enabled](./root-account-mfa-enabled.html)
+ [route53-health-check-tagged](./route53-health-check-tagged.html)
+ [route53-hosted-zone-tagged](./route53-hosted-zone-tagged.html)
+ [route53-query-logging-enabled](./route53-query-logging-enabled.html)
+ [route53-resolver-firewall-domain-list-tagged](./route53-resolver-firewall-domain-list-tagged.html)
+ [route53-resolver-firewall-rule-group-association-tagged](./route53-resolver-firewall-rule-group-association-tagged.html)
+ [route53-resolver-firewall-rule-group-tagged](./route53-resolver-firewall-rule-group-tagged.html)
+ [route53-resolver-resolver-endpoint-tagged](./route53-resolver-resolver-endpoint-tagged.html)
+ [route53-resolver-resolver-rule-tagged](./route53-resolver-resolver-rule-tagged.html)
+ [rum-app-monitor-cloudwatch-logs-enabled](./rum-app-monitor-cloudwatch-logs-enabled.html)
+ [rum-app-monitor-tagged](./rum-app-monitor-tagged.html)
+ [s3express-dir-bucket-lifecycle-rules-check](./s3express-dir-bucket-lifecycle-rules-check.html)
+ [s3-access-point-in-vpc-only](./s3-access-point-in-vpc-only.html)
+ [s3-access-point-public-access-blocks](./s3-access-point-public-access-blocks.html)
+ [s3-account-level-public-access-blocks](./s3-account-level-public-access-blocks.html)
+ [s3-account-level-public-access-blocks-periodic](./s3-account-level-public-access-blocks-periodic.html)
+ [s3-bucket-acl-prohibited](./s3-bucket-acl-prohibited.html)
+ [s3-bucket-blacklisted-actions-prohibited](./s3-bucket-blacklisted-actions-prohibited.html)
+ [s3-bucket-cross-region-replication-enabled](./s3-bucket-cross-region-replication-enabled.html)
+ [s3-bucket-default-lock-enabled](./s3-bucket-default-lock-enabled.html)
+ [s3-bucket-level-public-access-prohibited](./s3-bucket-level-public-access-prohibited.html)
+ [s3-bucket-logging-enabled](./s3-bucket-logging-enabled.html)
+ [s3-bucket-mfa-delete-enabled](./s3-bucket-mfa-delete-enabled.html)
+ [s3-bucket-policy-grantee-check](./s3-bucket-policy-grantee-check.html)
+ [s3-bucket-policy-not-more-permissive](./s3-bucket-policy-not-more-permissive.html)
+ [s3-bucket-public-read-prohibited](./s3-bucket-public-read-prohibited.html)
+ [s3-bucket-public-write-prohibited](./s3-bucket-public-write-prohibited.html)
+ [s3-bucket-replication-enabled](./s3-bucket-replication-enabled.html)
+ [s3-bucket-server-side-encryption-enabled](./s3-bucket-server-side-encryption-enabled.html)
+ [s3-bucket-ssl-requests-only](./s3-bucket-ssl-requests-only.html)
+ [s3-bucket-tagged](./s3-bucket-tagged.html)
+ [s3-bucket-versioning-enabled](./s3-bucket-versioning-enabled.html)
+ [s3-default-encryption-kms](./s3-default-encryption-kms.html)
+ [s3-directory-bucket-lifecycle-policy-rule-check](./s3-directory-bucket-lifecycle-policy-rule-check.html)
+ [s3-event-notifications-enabled](./s3-event-notifications-enabled.html)
+ [s3-last-backup-recovery-point-created](./s3-last-backup-recovery-point-created.html)
+ [s3-lifecycle-policy-check](./s3-lifecycle-policy-check.html)
+ [s3-meets-restore-time-target](./s3-meets-restore-time-target.html)
+ [s3-resources-in-logically-air-gapped-vault](./s3-resources-in-logically-air-gapped-vault.html)
+ [s3-resources-protected-by-backup-plan](./s3-resources-protected-by-backup-plan.html)
+ [s3-version-lifecycle-policy-check](./s3-version-lifecycle-policy-check.html)
+ [sagemaker-app-image-config-tagged](./sagemaker-app-image-config-tagged.html)
+ [sagemaker-data-quality-job-encrypt-in-transit](./sagemaker-data-quality-job-encrypt-in-transit.html)
+ [sagemaker-data-quality-job-isolation](./sagemaker-data-quality-job-isolation.html)
+ [sagemaker-domain-in-vpc](./sagemaker-domain-in-vpc.html)
+ [sagemaker-domain-tagged](./sagemaker-domain-tagged.html)
+ [sagemaker-endpoint-configuration-kms-key-configured](./sagemaker-endpoint-configuration-kms-key-configured.html)
+ [sagemaker-endpoint-config-prod-instance-count](./sagemaker-endpoint-config-prod-instance-count.html)
+ [sagemaker-featuregroup-description](./sagemaker-featuregroup-description.html)
+ [sagemaker-featuregroup-encryption-at-rest](./sagemaker-featuregroup-encryption-at-rest.html)
+ [sagemaker-feature-group-tagged](./sagemaker-feature-group-tagged.html)
+ [sagemaker-image-description](./sagemaker-image-description.html)
+ [sagemaker-image-tagged](./sagemaker-image-tagged.html)
+ [sagemaker-inferenceexperiment-tagged](./sagemaker-inferenceexperiment-tagged.html)
+ [sagemaker-model-bias-job-encrypt-in-transit](./sagemaker-model-bias-job-encrypt-in-transit.html)
+ [sagemaker-model-bias-job-isolation](./sagemaker-model-bias-job-isolation.html)
+ [sagemaker-model-explainability-job-encrypt-in-transit](./sagemaker-model-explainability-job-encrypt-in-transit.html)
+ [sagemaker-model-in-vpc](./sagemaker-model-in-vpc.html)
+ [sagemaker-model-isolation-enabled](./sagemaker-model-isolation-enabled.html)
+ [sagemaker-model-private-registry-required](./sagemaker-model-private-registry-required.html)
+ [sagemaker-model-quality-job-encrypt-in-transit](./sagemaker-model-quality-job-encrypt-in-transit.html)
+ [sagemaker-monitoring-schedule-isolation](./sagemaker-monitoring-schedule-isolation.html)
+ [sagemaker-notebook-instance-inside-vpc](./sagemaker-notebook-instance-inside-vpc.html)
+ [sagemaker-notebook-instance-kms-key-configured](./sagemaker-notebook-instance-kms-key-configured.html)
+ [sagemaker-notebook-instance-platform-version](./sagemaker-notebook-instance-platform-version.html)
+ [sagemaker-notebook-instance-root-access-check](./sagemaker-notebook-instance-root-access-check.html)
+ [sagemaker-notebook-no-direct-internet-access](./sagemaker-notebook-no-direct-internet-access.html)
+ [secretsmanager-rotation-enabled-check](./secretsmanager-rotation-enabled-check.html)
+ [secretsmanager-scheduled-rotation-success-check](./secretsmanager-scheduled-rotation-success-check.html)
+ [secretsmanager-secret-periodic-rotation](./secretsmanager-secret-periodic-rotation.html)
+ [secretsmanager-secret-unused](./secretsmanager-secret-unused.html)
+ [secretsmanager-using-cmk](./secretsmanager-using-cmk.html)
+ [securityhub-enabled](./securityhub-enabled.html)
+ [security-account-information-provided](./security-account-information-provided.html)
+ [service-catalog-portfolio-tagged](./service-catalog-portfolio-tagged.html)
+ [service-catalog-shared-within-organization](./service-catalog-shared-within-organization.html)
+ [service-vpc-endpoint-enabled](./service-vpc-endpoint-enabled.html)
+ [ses-malware-scanning-enabled](./ses-malware-scanning-enabled.html)
+ [ses-sending-tls-required](./ses-sending-tls-required.html)
+ [shield-advanced-enabled-autorenew](./shield-advanced-enabled-autorenew.html)
+ [shield-drt-access](./shield-drt-access.html)
+ [signer-signingprofile-tagged](./signer-signingprofile-tagged.html)
+ [sns-encrypted-kms](./sns-encrypted-kms.html)
+ [sns-topic-message-delivery-notification-enabled](./sns-topic-message-delivery-notification-enabled.html)
+ [sns-topic-no-public-access](./sns-topic-no-public-access.html)
+ [sqs-queue-dlq-check](./sqs-queue-dlq-check.html)
+ [sqs-queue-no-public-access](./sqs-queue-no-public-access.html)
+ [sqs-queue-policy-full-access-check](./sqs-queue-policy-full-access-check.html)
+ [ssm-automation-block-public-sharing](./ssm-automation-block-public-sharing.html)
+ [ssm-automation-logging-enabled](./ssm-automation-logging-enabled.html)
+ [ssm-document-not-public](./ssm-document-not-public.html)
+ [ssm-document-tagged](./ssm-document-tagged.html)
+ [stepfunctions-state-machine-tagged](./stepfunctions-state-machine-tagged.html)
+ [step-functions-state-machine-logging-enabled](./step-functions-state-machine-logging-enabled.html)
+ [storagegateway-last-backup-recovery-point-created](./storagegateway-last-backup-recovery-point-created.html)
+ [storagegateway-resources-in-logically-air-gapped-vault](./storagegateway-resources-in-logically-air-gapped-vault.html)
+ [storagegateway-resources-protected-by-backup-plan](./storagegateway-resources-protected-by-backup-plan.html)
+ [subnet-auto-assign-public-ip-disabled](./subnet-auto-assign-public-ip-disabled.html)
+ [transfer-agreement-description](./transfer-agreement-description.html)
+ [transfer-agreement-tagged](./transfer-agreement-tagged.html)
+ [transfer-certificate-description](./transfer-certificate-description.html)
+ [transfer-certificate-tagged](./transfer-certificate-tagged.html)
+ [transfer-connector-as2-encryption-algorithm-check](./transfer-connector-as2-encryption-algorithm-check.html)
+ [transfer-connector-as2-mdn-signing-algorithm-check](./transfer-connector-as2-mdn-signing-algorithm-check.html)
+ [transfer-connector-as2-signing-algorithm-check](./transfer-connector-as2-signing-algorithm-check.html)
+ [transfer-connector-logging-enabled](./transfer-connector-logging-enabled.html)
+ [transfer-connector-tagged](./transfer-connector-tagged.html)
+ [transfer-family-server-no-ftp](./transfer-family-server-no-ftp.html)
+ [transfer-profile-tagged](./transfer-profile-tagged.html)
+ [transfer-workflow-description](./transfer-workflow-description.html)
+ [transfer-workflow-tagged](./transfer-workflow-tagged.html)
+ [virtualmachine-last-backup-recovery-point-created](./virtualmachine-last-backup-recovery-point-created.html)
+ [virtualmachine-resources-in-logically-air-gapped-vault](./virtualmachine-resources-in-logically-air-gapped-vault.html)
+ [virtualmachine-resources-protected-by-backup-plan](./virtualmachine-resources-protected-by-backup-plan.html)
+ [vpc-default-security-group-closed](./vpc-default-security-group-closed.html)
+ [vpc-endpoint-enabled](./vpc-endpoint-enabled.html)
+ [vpc-flow-logs-enabled](./vpc-flow-logs-enabled.html)
+ [vpc-network-acl-unused-check](./vpc-network-acl-unused-check.html)
+ [vpc-peering-dns-resolution-check](./vpc-peering-dns-resolution-check.html)
+ [vpc-sg-open-only-to-authorized-ports](./vpc-sg-open-only-to-authorized-ports.html)
+ [vpc-sg-port-restriction-check](./vpc-sg-port-restriction-check.html)
+ [vpc-vpn-2-tunnels-up](./vpc-vpn-2-tunnels-up.html)
+ [wafv2-logging-enabled](./wafv2-logging-enabled.html)
+ [wafv2-rulegroup-logging-enabled](./wafv2-rulegroup-logging-enabled.html)
+ [wafv2-rulegroup-not-empty](./wafv2-rulegroup-not-empty.html)
+ [wafv2-webacl-not-empty](./wafv2-webacl-not-empty.html)
+ [waf-classic-logging-enabled](./waf-classic-logging-enabled.html)
+ [waf-global-rulegroup-not-empty](./waf-global-rulegroup-not-empty.html)
+ [waf-global-rule-not-empty](./waf-global-rule-not-empty.html)
+ [waf-global-webacl-not-empty](./waf-global-webacl-not-empty.html)
+ [waf-regional-rulegroup-not-empty](./waf-regional-rulegroup-not-empty.html)
+ [waf-regional-rule-not-empty](./waf-regional-rule-not-empty.html)
+ [waf-regional-webacl-not-empty](./waf-regional-webacl-not-empty.html)
+ [workspaces-connection-alias-tagged](./workspaces-connection-alias-tagged.html)
+ [workspaces-root-volume-encryption-enabled](./workspaces-root-volume-encryption-enabled.html)
+ [workspaces-user-volume-encryption-enabled](./workspaces-user-volume-encryption-enabled.html)
+ [workspaces-workspace-tagged](./workspaces-workspace-tagged.html)

## US West (N. California) Region
<a name="us-west-n-california-section-head"></a>

### US West (N. California)
<a name="us-west-n-california"></a>
+ [access-keys-rotated](./access-keys-rotated.html)
+ [account-part-of-organizations](./account-part-of-organizations.html)
+ [acmpca-certificate-authority-tagged](./acmpca-certificate-authority-tagged.html)
+ [acm-certificate-expiration-check](./acm-certificate-expiration-check.html)
+ [acm-certificate-rsa-check](./acm-certificate-rsa-check.html)
+ [acm-certificate-transparent-logging-enabled](./acm-certificate-transparent-logging-enabled.html)
+ [acm-pca-root-ca-disabled](./acm-pca-root-ca-disabled.html)
+ [active-mq-supported-version](./active-mq-supported-version.html)
+ [alb-desync-mode-check](./alb-desync-mode-check.html)
+ [alb-http-drop-invalid-header-enabled](./alb-http-drop-invalid-header-enabled.html)
+ [alb-http-to-https-redirection-check](./alb-http-to-https-redirection-check.html)
+ [alb-internal-scheme-check](./alb-internal-scheme-check.html)
+ [alb-listener-tagged](./alb-listener-tagged.html)
+ [alb-tagged](./alb-tagged.html)
+ [alb-waf-enabled](./alb-waf-enabled.html)
+ [amplify-app-branch-auto-deletion-enabled](./amplify-app-branch-auto-deletion-enabled.html)
+ [amplify-app-build-spec-configured](./amplify-app-build-spec-configured.html)
+ [amplify-app-description](./amplify-app-description.html)
+ [amplify-app-no-environment-variables](./amplify-app-no-environment-variables.html)
+ [amplify-app-platform-check](./amplify-app-platform-check.html)
+ [amplify-app-tagged](./amplify-app-tagged.html)
+ [amplify-branch-auto-build-enabled](./amplify-branch-auto-build-enabled.html)
+ [amplify-branch-build-spec-configured](./amplify-branch-build-spec-configured.html)
+ [amplify-branch-description](./amplify-branch-description.html)
+ [amplify-branch-framework-configured](./amplify-branch-framework-configured.html)
+ [amplify-branch-performance-mode-enabled](./amplify-branch-performance-mode-enabled.html)
+ [amplify-branch-pull-request-preview-enabled](./amplify-branch-pull-request-preview-enabled.html)
+ [amplify-branch-tagged](./amplify-branch-tagged.html)
+ [apigatewayv2-integration-private-https-enabled](./apigatewayv2-integration-private-https-enabled.html)
+ [apigatewayv2-stage-description](./apigatewayv2-stage-description.html)
+ [apigateway-domain-name-tls-check](./apigateway-domain-name-tls-check.html)
+ [apigateway-stage-access-logs-enabled](./apigateway-stage-access-logs-enabled.html)
+ [apigateway-stage-description](./apigateway-stage-description.html)
+ [api-gwv2-access-logs-enabled](./api-gwv2-access-logs-enabled.html)
+ [api-gwv2-authorization-type-configured](./api-gwv2-authorization-type-configured.html)
+ [api-gwv2-stage-default-route-detailed-metrics-enabled](./api-gwv2-stage-default-route-detailed-metrics-enabled.html)
+ [api-gw-associated-with-waf](./api-gw-associated-with-waf.html)
+ [api-gw-cache-enabled-and-encrypted](./api-gw-cache-enabled-and-encrypted.html)
+ [api-gw-endpoint-type-check](./api-gw-endpoint-type-check.html)
+ [api-gw-execution-logging-enabled](./api-gw-execution-logging-enabled.html)
+ [api-gw-rest-api-tagged](./api-gw-rest-api-tagged.html)
+ [api-gw-ssl-enabled](./api-gw-ssl-enabled.html)
+ [api-gw-stage-tagged](./api-gw-stage-tagged.html)
+ [api-gw-xray-enabled](./api-gw-xray-enabled.html)
+ [appconfig-application-description](./appconfig-application-description.html)
+ [appconfig-application-tagged](./appconfig-application-tagged.html)
+ [appconfig-configuration-profile-tagged](./appconfig-configuration-profile-tagged.html)
+ [appconfig-configuration-profile-validators-not-empty](./appconfig-configuration-profile-validators-not-empty.html)
+ [appconfig-deployment-strategy-description](./appconfig-deployment-strategy-description.html)
+ [appconfig-deployment-strategy-minimum-final-bake-time](./appconfig-deployment-strategy-minimum-final-bake-time.html)
+ [appconfig-deployment-strategy-replicate-to-ssm](./appconfig-deployment-strategy-replicate-to-ssm.html)
+ [appconfig-deployment-strategy-tagged](./appconfig-deployment-strategy-tagged.html)
+ [appconfig-environment-description](./appconfig-environment-description.html)
+ [appconfig-environment-tagged](./appconfig-environment-tagged.html)
+ [appconfig-extension-association-tagged](./appconfig-extension-association-tagged.html)
+ [appconfig-freeform-profile-config-storage](./appconfig-freeform-profile-config-storage.html)
+ [appconfig-hosted-configuration-version-description](./appconfig-hosted-configuration-version-description.html)
+ [appflow-flow-tagged](./appflow-flow-tagged.html)
+ [appflow-flow-trigger-type-check](./appflow-flow-trigger-type-check.html)
+ [appmesh-gateway-route-tagged](./appmesh-gateway-route-tagged.html)
+ [appmesh-mesh-deny-tcp-forwarding](./appmesh-mesh-deny-tcp-forwarding.html)
+ [appmesh-mesh-ip-pref-check](./appmesh-mesh-ip-pref-check.html)
+ [appmesh-mesh-tagged](./appmesh-mesh-tagged.html)
+ [appmesh-route-tagged](./appmesh-route-tagged.html)
+ [appmesh-virtual-gateway-backend-defaults-tls](./appmesh-virtual-gateway-backend-defaults-tls.html)
+ [appmesh-virtual-gateway-listeners-health-check-enabled](./appmesh-virtual-gateway-listeners-health-check-enabled.html)
+ [appmesh-virtual-gateway-logging-file-path-exists](./appmesh-virtual-gateway-logging-file-path-exists.html)
+ [appmesh-virtual-gateway-tagged](./appmesh-virtual-gateway-tagged.html)
+ [appmesh-virtual-node-backend-defaults-tls-on](./appmesh-virtual-node-backend-defaults-tls-on.html)
+ [appmesh-virtual-node-cloud-map-ip-pref-check](./appmesh-virtual-node-cloud-map-ip-pref-check.html)
+ [appmesh-virtual-node-dns-ip-pref-check](./appmesh-virtual-node-dns-ip-pref-check.html)
+ [appmesh-virtual-node-listeners-health-check-enabled](./appmesh-virtual-node-listeners-health-check-enabled.html)
+ [appmesh-virtual-node-listeners-outlier-detect-enabled](./appmesh-virtual-node-listeners-outlier-detect-enabled.html)
+ [appmesh-virtual-node-logging-file-path-exists](./appmesh-virtual-node-logging-file-path-exists.html)
+ [appmesh-virtual-node-service-backends-tls-enforced](./appmesh-virtual-node-service-backends-tls-enforced.html)
+ [appmesh-virtual-node-tagged](./appmesh-virtual-node-tagged.html)
+ [appmesh-virtual-router-tagged](./appmesh-virtual-router-tagged.html)
+ [appmesh-virtual-service-tagged](./appmesh-virtual-service-tagged.html)
+ [approved-amis-by-id](./approved-amis-by-id.html)
+ [approved-amis-by-tag](./approved-amis-by-tag.html)
+ [appsync-associated-with-waf](./appsync-associated-with-waf.html)
+ [appsync-authorization-check](./appsync-authorization-check.html)
+ [appsync-cache-encryption-at-rest](./appsync-cache-encryption-at-rest.html)
+ [appsync-graphql-api-xray-enabled](./appsync-graphql-api-xray-enabled.html)
+ [appsync-logging-enabled](./appsync-logging-enabled.html)
+ [athena-data-catalog-description](./athena-data-catalog-description.html)
+ [athena-prepared-statement-description](./athena-prepared-statement-description.html)
+ [athena-workgroup-description](./athena-workgroup-description.html)
+ [athena-workgroup-encrypted-at-rest](./athena-workgroup-encrypted-at-rest.html)
+ [athena-workgroup-enforce-workgroup-configuration](./athena-workgroup-enforce-workgroup-configuration.html)
+ [athena-workgroup-engine-version-auto-upgrade](./athena-workgroup-engine-version-auto-upgrade.html)
+ [athena-workgroup-logging-enabled](./athena-workgroup-logging-enabled.html)
+ [auditmanager-assessment-tagged](./auditmanager-assessment-tagged.html)
+ [aurora-global-database-encryption-at-rest](./aurora-global-database-encryption-at-rest.html)
+ [aurora-last-backup-recovery-point-created](./aurora-last-backup-recovery-point-created.html)
+ [aurora-meets-restore-time-target](./aurora-meets-restore-time-target.html)
+ [aurora-mysql-backtracking-enabled](./aurora-mysql-backtracking-enabled.html)
+ [aurora-mysql-cluster-audit-logging](./aurora-mysql-cluster-audit-logging.html)
+ [aurora-resources-in-logically-air-gapped-vault](./aurora-resources-in-logically-air-gapped-vault.html)
+ [aurora-resources-protected-by-backup-plan](./aurora-resources-protected-by-backup-plan.html)
+ [autoscaling-capacity-rebalancing](./autoscaling-capacity-rebalancing.html)
+ [autoscaling-group-elb-healthcheck-required](./autoscaling-group-elb-healthcheck-required.html)
+ [autoscaling-launchconfig-requires-imdsv2](./autoscaling-launchconfig-requires-imdsv2.html)
+ [autoscaling-launch-config-hop-limit](./autoscaling-launch-config-hop-limit.html)
+ [autoscaling-launch-config-public-ip-disabled](./autoscaling-launch-config-public-ip-disabled.html)
+ [autoscaling-launch-template](./autoscaling-launch-template.html)
+ [autoscaling-multiple-az](./autoscaling-multiple-az.html)
+ [autoscaling-multiple-instance-types](./autoscaling-multiple-instance-types.html)
+ [backup-plan-min-frequency-and-min-retention-check](./backup-plan-min-frequency-and-min-retention-check.html)
+ [backup-recovery-point-encrypted](./backup-recovery-point-encrypted.html)
+ [backup-recovery-point-manual-deletion-disabled](./backup-recovery-point-manual-deletion-disabled.html)
+ [backup-recovery-point-minimum-retention-check](./backup-recovery-point-minimum-retention-check.html)
+ [batch-compute-environment-enabled](./batch-compute-environment-enabled.html)
+ [batch-compute-environment-managed](./batch-compute-environment-managed.html)
+ [batch-compute-environment-tagged](./batch-compute-environment-tagged.html)
+ [batch-job-queue-enabled](./batch-job-queue-enabled.html)
+ [batch-job-queue-tagged](./batch-job-queue-tagged.html)
+ [batch-managed-compute-environment-using-launch-template](./batch-managed-compute-environment-using-launch-template.html)
+ [batch-managed-compute-env-allocation-strategy-check](./batch-managed-compute-env-allocation-strategy-check.html)
+ [batch-managed-compute-env-compute-resources-tagged](./batch-managed-compute-env-compute-resources-tagged.html)
+ [batch-managed-spot-compute-environment-max-bid](./batch-managed-spot-compute-environment-max-bid.html)
+ [batch-scheduling-policy-tagged](./batch-scheduling-policy-tagged.html)
+ [beanstalk-enhanced-health-reporting-enabled](./beanstalk-enhanced-health-reporting-enabled.html)
+ [cassandra-keyspace-tagged](./cassandra-keyspace-tagged.html)
+ [clb-desync-mode-check](./clb-desync-mode-check.html)
+ [clb-multiple-az](./clb-multiple-az.html)
+ [cloudformation-stack-drift-detection-check](./cloudformation-stack-drift-detection-check.html)
+ [cloudformation-stack-notification-check](./cloudformation-stack-notification-check.html)
+ [cloudformation-stack-service-role-check](./cloudformation-stack-service-role-check.html)
+ [cloudformation-termination-protection-check](./cloudformation-termination-protection-check.html)
+ [cloudtrail-all-read-s3-data-event-check](./cloudtrail-all-read-s3-data-event-check.html)
+ [cloudtrail-all-write-s3-data-event-check](./cloudtrail-all-write-s3-data-event-check.html)
+ [cloudtrail-event-data-store-multi-region](./cloudtrail-event-data-store-multi-region.html)
+ [cloudtrail-s3-bucket-access-logging](./cloudtrail-s3-bucket-access-logging.html)
+ [cloudtrail-s3-bucket-public-access-prohibited](./cloudtrail-s3-bucket-public-access-prohibited.html)
+ [cloudtrail-s3-dataevents-enabled](./cloudtrail-s3-dataevents-enabled.html)
+ [cloudtrail-security-trail-enabled](./cloudtrail-security-trail-enabled.html)
+ [cloudwatch-alarm-action-check](./cloudwatch-alarm-action-check.html)
+ [cloudwatch-alarm-action-enabled-check](./cloudwatch-alarm-action-enabled-check.html)
+ [cloudwatch-alarm-description](./cloudwatch-alarm-description.html)
+ [cloudwatch-alarm-resource-check](./cloudwatch-alarm-resource-check.html)
+ [cloudwatch-alarm-settings-check](./cloudwatch-alarm-settings-check.html)
+ [cloudwatch-log-group-encrypted](./cloudwatch-log-group-encrypted.html)
+ [cloudwatch-metric-stream-tagged](./cloudwatch-metric-stream-tagged.html)
+ [cloud-trail-cloud-watch-logs-enabled](./cloud-trail-cloud-watch-logs-enabled.html)
+ [cloud-trail-enabled](./cloud-trail-enabled.html)
+ [cloud-trail-encryption-enabled](./cloud-trail-encryption-enabled.html)
+ [cloud-trail-log-file-validation-enabled](./cloud-trail-log-file-validation-enabled.html)
+ [cmk-backing-key-rotation-enabled](./cmk-backing-key-rotation-enabled.html)
+ [codebuild-project-artifact-encryption](./codebuild-project-artifact-encryption.html)
+ [codebuild-project-environment-privileged-check](./codebuild-project-environment-privileged-check.html)
+ [codebuild-project-envvar-awscred-check](./codebuild-project-envvar-awscred-check.html)
+ [codebuild-project-logging-enabled](./codebuild-project-logging-enabled.html)
+ [codebuild-project-s3-logs-encrypted](./codebuild-project-s3-logs-encrypted.html)
+ [codebuild-project-source-repo-url-check](./codebuild-project-source-repo-url-check.html)
+ [codebuild-project-tagged](./codebuild-project-tagged.html)
+ [codebuild-report-group-encrypted-at-rest](./codebuild-report-group-encrypted-at-rest.html)
+ [codebuild-report-group-tagged](./codebuild-report-group-tagged.html)
+ [codedeploy-auto-rollback-monitor-enabled](./codedeploy-auto-rollback-monitor-enabled.html)
+ [codedeploy-deployment-group-auto-rollback-enabled](./codedeploy-deployment-group-auto-rollback-enabled.html)
+ [codedeploy-deployment-group-outdated-instances-update](./codedeploy-deployment-group-outdated-instances-update.html)
+ [codedeploy-ec2-minimum-healthy-hosts-configured](./codedeploy-ec2-minimum-healthy-hosts-configured.html)
+ [codedeploy-lambda-allatonce-traffic-shift-disabled](./codedeploy-lambda-allatonce-traffic-shift-disabled.html)
+ [codepipeline-deployment-count-check](./codepipeline-deployment-count-check.html)
+ [codepipeline-region-fanout-check](./codepipeline-region-fanout-check.html)
+ [cognito-identity-pool-unauthenticated-logins](./cognito-identity-pool-unauthenticated-logins.html)
+ [cognito-identity-pool-unauth-access-check](./cognito-identity-pool-unauth-access-check.html)
+ [cognito-userpool-cust-auth-threat-full-check](./cognito-userpool-cust-auth-threat-full-check.html)
+ [cognito-user-pool-advanced-security-enabled](./cognito-user-pool-advanced-security-enabled.html)
+ [cognito-user-pool-deletion-protection-enabled](./cognito-user-pool-deletion-protection-enabled.html)
+ [cognito-user-pool-mfa-enabled](./cognito-user-pool-mfa-enabled.html)
+ [cognito-user-pool-password-policy-check](./cognito-user-pool-password-policy-check.html)
+ [cognito-user-pool-tagged](./cognito-user-pool-tagged.html)
+ [custom-eventbus-policy-attached](./custom-eventbus-policy-attached.html)
+ [custom-schema-registry-policy-attached](./custom-schema-registry-policy-attached.html)
+ [cw-loggroup-retention-period-check](./cw-loggroup-retention-period-check.html)
+ [datasync-location-object-storage-using-https](./datasync-location-object-storage-using-https.html)
+ [datasync-task-data-verification-enabled](./datasync-task-data-verification-enabled.html)
+ [datasync-task-logging-enabled](./datasync-task-logging-enabled.html)
+ [datasync-task-tagged](./datasync-task-tagged.html)
+ [dax-encryption-enabled](./dax-encryption-enabled.html)
+ [dax-tls-endpoint-encryption](./dax-tls-endpoint-encryption.html)
+ [db-instance-backup-enabled](./db-instance-backup-enabled.html)
+ [desired-instance-tenancy](./desired-instance-tenancy.html)
+ [desired-instance-type](./desired-instance-type.html)
+ [dms-auto-minor-version-upgrade-check](./dms-auto-minor-version-upgrade-check.html)
+ [dms-endpoint-ssl-configured](./dms-endpoint-ssl-configured.html)
+ [dms-endpoint-tagged](./dms-endpoint-tagged.html)
+ [dms-mongo-db-authentication-enabled](./dms-mongo-db-authentication-enabled.html)
+ [dms-neptune-iam-authorization-enabled](./dms-neptune-iam-authorization-enabled.html)
+ [dms-redis-tls-enabled](./dms-redis-tls-enabled.html)
+ [dms-replication-instance-multi-az-enabled](./dms-replication-instance-multi-az-enabled.html)
+ [dms-replication-not-public](./dms-replication-not-public.html)
+ [dms-replication-task-sourcedb-logging](./dms-replication-task-sourcedb-logging.html)
+ [dms-replication-task-tagged](./dms-replication-task-tagged.html)
+ [dms-replication-task-targetdb-logging](./dms-replication-task-targetdb-logging.html)
+ [dynamodb-autoscaling-enabled](./dynamodb-autoscaling-enabled.html)
+ [dynamodb-in-backup-plan](./dynamodb-in-backup-plan.html)
+ [dynamodb-last-backup-recovery-point-created](./dynamodb-last-backup-recovery-point-created.html)
+ [dynamodb-meets-restore-time-target](./dynamodb-meets-restore-time-target.html)
+ [dynamodb-pitr-enabled](./dynamodb-pitr-enabled.html)
+ [dynamodb-resources-protected-by-backup-plan](./dynamodb-resources-protected-by-backup-plan.html)
+ [dynamodb-table-deletion-protection-enabled](./dynamodb-table-deletion-protection-enabled.html)
+ [dynamodb-table-encrypted-kms](./dynamodb-table-encrypted-kms.html)
+ [dynamodb-table-encryption-enabled](./dynamodb-table-encryption-enabled.html)
+ [dynamodb-throughput-limit-check](./dynamodb-throughput-limit-check.html)
+ [ebs-in-backup-plan](./ebs-in-backup-plan.html)
+ [ebs-last-backup-recovery-point-created](./ebs-last-backup-recovery-point-created.html)
+ [ebs-meets-restore-time-target](./ebs-meets-restore-time-target.html)
+ [ebs-optimized-instance](./ebs-optimized-instance.html)
+ [ebs-resources-in-logically-air-gapped-vault](./ebs-resources-in-logically-air-gapped-vault.html)
+ [ebs-resources-protected-by-backup-plan](./ebs-resources-protected-by-backup-plan.html)
+ [ebs-snapshot-block-public-access](./ebs-snapshot-block-public-access.html)
+ [ebs-snapshot-public-restorable-check](./ebs-snapshot-public-restorable-check.html)
+ [ec2-capacity-reservation-tagged](./ec2-capacity-reservation-tagged.html)
+ [ec2-client-vpn-connection-log-enabled](./ec2-client-vpn-connection-log-enabled.html)
+ [ec2-client-vpn-endpoint-tagged](./ec2-client-vpn-endpoint-tagged.html)
+ [ec2-client-vpn-not-authorize-all](./ec2-client-vpn-not-authorize-all.html)
+ [ec2-dhcp-options-tagged](./ec2-dhcp-options-tagged.html)
+ [ec2-ebs-encryption-by-default](./ec2-ebs-encryption-by-default.html)
+ [ec2-enis-source-destination-check-enabled](./ec2-enis-source-destination-check-enabled.html)
+ [ec2-fleet-tagged](./ec2-fleet-tagged.html)
+ [ec2-imdsv2-check](./ec2-imdsv2-check.html)
+ [ec2-instance-detailed-monitoring-enabled](./ec2-instance-detailed-monitoring-enabled.html)
+ [ec2-instance-launched-with-allowed-ami](./ec2-instance-launched-with-allowed-ami.html)
+ [ec2-instance-managed-by-ssm](./ec2-instance-managed-by-ssm.html)
+ [ec2-instance-multiple-eni-check](./ec2-instance-multiple-eni-check.html)
+ [ec2-instance-no-public-ip](./ec2-instance-no-public-ip.html)
+ [ec2-instance-profile-attached](./ec2-instance-profile-attached.html)
+ [ec2-ipamscope-tagged](./ec2-ipamscope-tagged.html)
+ [ec2-last-backup-recovery-point-created](./ec2-last-backup-recovery-point-created.html)
+ [ec2-launchtemplate-ebs-encrypted](./ec2-launchtemplate-ebs-encrypted.html)
+ [ec2-launch-templates-ebs-volume-encrypted](./ec2-launch-templates-ebs-volume-encrypted.html)
+ [ec2-launch-template-imdsv2-check](./ec2-launch-template-imdsv2-check.html)
+ [ec2-launch-template-public-ip-disabled](./ec2-launch-template-public-ip-disabled.html)
+ [ec2-launch-template-tagged](./ec2-launch-template-tagged.html)
+ [ec2-managedinstance-applications-blacklisted](./ec2-managedinstance-applications-blacklisted.html)
+ [ec2-managedinstance-applications-required](./ec2-managedinstance-applications-required.html)
+ [ec2-managedinstance-association-compliance-status-check](./ec2-managedinstance-association-compliance-status-check.html)
+ [ec2-managedinstance-inventory-blacklisted](./ec2-managedinstance-inventory-blacklisted.html)
+ [ec2-managedinstance-patch-compliance-status-check](./ec2-managedinstance-patch-compliance-status-check.html)
+ [ec2-managedinstance-platform-check](./ec2-managedinstance-platform-check.html)
+ [ec2-meets-restore-time-target](./ec2-meets-restore-time-target.html)
+ [ec2-network-insights-access-scope-analysis-tagged](./ec2-network-insights-access-scope-analysis-tagged.html)
+ [ec2-network-insights-access-scope-tagged](./ec2-network-insights-access-scope-tagged.html)
+ [ec2-network-insights-analysis-tagged](./ec2-network-insights-analysis-tagged.html)
+ [ec2-network-insights-path-tagged](./ec2-network-insights-path-tagged.html)
+ [ec2-no-amazon-key-pair](./ec2-no-amazon-key-pair.html)
+ [ec2-paravirtual-instance-check](./ec2-paravirtual-instance-check.html)
+ [ec2-prefix-list-tagged](./ec2-prefix-list-tagged.html)
+ [ec2-resources-in-logically-air-gapped-vault](./ec2-resources-in-logically-air-gapped-vault.html)
+ [ec2-resources-protected-by-backup-plan](./ec2-resources-protected-by-backup-plan.html)
+ [ec2-security-group-attached-to-eni](./ec2-security-group-attached-to-eni.html)
+ [ec2-security-group-attached-to-eni-periodic](./ec2-security-group-attached-to-eni-periodic.html)
+ [ec2-spot-fleet-request-ct-encryption-at-rest](./ec2-spot-fleet-request-ct-encryption-at-rest.html)
+ [ec2-stopped-instance](./ec2-stopped-instance.html)
+ [ec2-token-hop-limit-check](./ec2-token-hop-limit-check.html)
+ [ec2-traffic-mirror-filter-description](./ec2-traffic-mirror-filter-description.html)
+ [ec2-traffic-mirror-filter-tagged](./ec2-traffic-mirror-filter-tagged.html)
+ [ec2-traffic-mirror-session-description](./ec2-traffic-mirror-session-description.html)
+ [ec2-traffic-mirror-session-tagged](./ec2-traffic-mirror-session-tagged.html)
+ [ec2-traffic-mirror-target-description](./ec2-traffic-mirror-target-description.html)
+ [ec2-traffic-mirror-target-tagged](./ec2-traffic-mirror-target-tagged.html)
+ [ec2-transit-gateway-auto-vpc-attach-disabled](./ec2-transit-gateway-auto-vpc-attach-disabled.html)
+ [ec2-transit-gateway-multicast-domain-tagged](./ec2-transit-gateway-multicast-domain-tagged.html)
+ [ec2-volume-inuse-check](./ec2-volume-inuse-check.html)
+ [ec2-vpn-connection-ike-version-check](./ec2-vpn-connection-ike-version-check.html)
+ [ec2-vpn-connection-logging-enabled](./ec2-vpn-connection-logging-enabled.html)
+ [ec2-vpn-connection-tagged](./ec2-vpn-connection-tagged.html)
+ [ecr-private-image-scanning-enabled](./ecr-private-image-scanning-enabled.html)
+ [ecr-private-lifecycle-policy-configured](./ecr-private-lifecycle-policy-configured.html)
+ [ecr-private-tag-immutability-enabled](./ecr-private-tag-immutability-enabled.html)
+ [ecr-repository-cmk-encryption-enabled](./ecr-repository-cmk-encryption-enabled.html)
+ [ecr-repository-tagged](./ecr-repository-tagged.html)
+ [ecs-awsvpc-networking-enabled](./ecs-awsvpc-networking-enabled.html)
+ [ecs-capacity-provider-tagged](./ecs-capacity-provider-tagged.html)
+ [ecs-capacity-provider-termination-check](./ecs-capacity-provider-termination-check.html)
+ [ecs-containers-nonprivileged](./ecs-containers-nonprivileged.html)
+ [ecs-containers-readonly-access](./ecs-containers-readonly-access.html)
+ [ecs-container-insights-enabled](./ecs-container-insights-enabled.html)
+ [ecs-fargate-latest-platform-version](./ecs-fargate-latest-platform-version.html)
+ [ecs-no-environment-secrets](./ecs-no-environment-secrets.html)
+ [ecs-service-propagate-tags-enabled](./ecs-service-propagate-tags-enabled.html)
+ [ecs-task-definition-efs-encryption-enabled](./ecs-task-definition-efs-encryption-enabled.html)
+ [ecs-task-definition-linux-user-non-root](./ecs-task-definition-linux-user-non-root.html)
+ [ecs-task-definition-log-configuration](./ecs-task-definition-log-configuration.html)
+ [ecs-task-definition-memory-hard-limit](./ecs-task-definition-memory-hard-limit.html)
+ [ecs-task-definition-network-mode-not-host](./ecs-task-definition-network-mode-not-host.html)
+ [ecs-task-definition-nonroot-user](./ecs-task-definition-nonroot-user.html)
+ [ecs-task-definition-pid-mode-check](./ecs-task-definition-pid-mode-check.html)
+ [ecs-task-definition-user-for-host-mode-check](./ecs-task-definition-user-for-host-mode-check.html)
+ [ecs-task-definition-windows-user-non-admin](./ecs-task-definition-windows-user-non-admin.html)
+ [efs-access-point-enforce-root-directory](./efs-access-point-enforce-root-directory.html)
+ [efs-access-point-enforce-user-identity](./efs-access-point-enforce-user-identity.html)
+ [efs-automatic-backups-enabled](./efs-automatic-backups-enabled.html)
+ [efs-encrypted-check](./efs-encrypted-check.html)
+ [efs-filesystem-ct-encrypted](./efs-filesystem-ct-encrypted.html)
+ [efs-file-system-tagged](./efs-file-system-tagged.html)
+ [efs-in-backup-plan](./efs-in-backup-plan.html)
+ [efs-last-backup-recovery-point-created](./efs-last-backup-recovery-point-created.html)
+ [efs-meets-restore-time-target](./efs-meets-restore-time-target.html)
+ [efs-mount-target-public-accessible](./efs-mount-target-public-accessible.html)
+ [efs-resources-in-logically-air-gapped-vault](./efs-resources-in-logically-air-gapped-vault.html)
+ [efs-resources-protected-by-backup-plan](./efs-resources-protected-by-backup-plan.html)
+ [eip-attached](./eip-attached.html)
+ [eks-addon-tagged](./eks-addon-tagged.html)
+ [eks-cluster-logging-enabled](./eks-cluster-logging-enabled.html)
+ [eks-cluster-log-enabled](./eks-cluster-log-enabled.html)
+ [eks-cluster-oldest-supported-version](./eks-cluster-oldest-supported-version.html)
+ [eks-cluster-secrets-encrypted](./eks-cluster-secrets-encrypted.html)
+ [eks-cluster-supported-version](./eks-cluster-supported-version.html)
+ [eks-endpoint-no-public-access](./eks-endpoint-no-public-access.html)
+ [eks-fargate-profile-tagged](./eks-fargate-profile-tagged.html)
+ [eks-nodegroup-supported-version-check](./eks-nodegroup-supported-version-check.html)
+ [eks-secrets-encrypted](./eks-secrets-encrypted.html)
+ [elasticache-automatic-backup-check-enabled](./elasticache-automatic-backup-check-enabled.html)
+ [elasticache-auto-minor-version-upgrade-check](./elasticache-auto-minor-version-upgrade-check.html)
+ [elasticache-rbac-auth-enabled](./elasticache-rbac-auth-enabled.html)
+ [elasticache-redis-cluster-automatic-backup-check](./elasticache-redis-cluster-automatic-backup-check.html)
+ [elasticache-repl-grp-auto-failover-enabled](./elasticache-repl-grp-auto-failover-enabled.html)
+ [elasticache-repl-grp-encrypted-at-rest](./elasticache-repl-grp-encrypted-at-rest.html)
+ [elasticache-repl-grp-encrypted-in-transit](./elasticache-repl-grp-encrypted-in-transit.html)
+ [elasticache-repl-grp-redis-auth-enabled](./elasticache-repl-grp-redis-auth-enabled.html)
+ [elasticache-subnet-group-check](./elasticache-subnet-group-check.html)
+ [elasticache-supported-engine-version](./elasticache-supported-engine-version.html)
+ [elasticbeanstalk-application-description](./elasticbeanstalk-application-description.html)
+ [elasticbeanstalk-application-version-description](./elasticbeanstalk-application-version-description.html)
+ [elasticbeanstalk-environment-description](./elasticbeanstalk-environment-description.html)
+ [elasticsearch-encrypted-at-rest](./elasticsearch-encrypted-at-rest.html)
+ [elasticsearch-in-vpc-only](./elasticsearch-in-vpc-only.html)
+ [elasticsearch-logs-to-cloudwatch](./elasticsearch-logs-to-cloudwatch.html)
+ [elasticsearch-node-to-node-encryption-check](./elasticsearch-node-to-node-encryption-check.html)
+ [elastic-beanstalk-logs-to-cloudwatch](./elastic-beanstalk-logs-to-cloudwatch.html)
+ [elastic-beanstalk-managed-updates-enabled](./elastic-beanstalk-managed-updates-enabled.html)
+ [elbv2-acm-certificate-required](./elbv2-acm-certificate-required.html)
+ [elbv2-listener-encryption-in-transit](./elbv2-listener-encryption-in-transit.html)
+ [elbv2-multiple-az](./elbv2-multiple-az.html)
+ [elbv2-predefined-security-policy-ssl-check](./elbv2-predefined-security-policy-ssl-check.html)
+ [elbv2-targetgroup-healthcheck-protocol-encrypted](./elbv2-targetgroup-healthcheck-protocol-encrypted.html)
+ [elbv2-targetgroup-protocol-encrypted](./elbv2-targetgroup-protocol-encrypted.html)
+ [elb-acm-certificate-required](./elb-acm-certificate-required.html)
+ [elb-cross-zone-load-balancing-enabled](./elb-cross-zone-load-balancing-enabled.html)
+ [elb-custom-security-policy-ssl-check](./elb-custom-security-policy-ssl-check.html)
+ [elb-deletion-protection-enabled](./elb-deletion-protection-enabled.html)
+ [elb-internal-scheme-check](./elb-internal-scheme-check.html)
+ [elb-logging-enabled](./elb-logging-enabled.html)
+ [elb-predefined-security-policy-ssl-check](./elb-predefined-security-policy-ssl-check.html)
+ [elb-tagged](./elb-tagged.html)
+ [elb-tls-https-listeners-only](./elb-tls-https-listeners-only.html)
+ [emr-block-public-access](./emr-block-public-access.html)
+ [emr-kerberos-enabled](./emr-kerberos-enabled.html)
+ [emr-master-no-public-ip](./emr-master-no-public-ip.html)
+ [emr-security-configuration-encryption-rest](./emr-security-configuration-encryption-rest.html)
+ [emr-security-configuration-encryption-transit](./emr-security-configuration-encryption-transit.html)
+ [encrypted-volumes](./encrypted-volumes.html)
+ [eventschemas-discoverer-tagged](./eventschemas-discoverer-tagged.html)
+ [eventschemas-registry-tagged](./eventschemas-registry-tagged.html)
+ [event-data-store-cmk-encryption-enabled](./event-data-store-cmk-encryption-enabled.html)
+ [fis-experiment-template-log-configuration-exists](./fis-experiment-template-log-configuration-exists.html)
+ [fis-experiment-template-tagged](./fis-experiment-template-tagged.html)
+ [fms-shield-resource-policy-check](./fms-shield-resource-policy-check.html)
+ [fms-webacl-resource-policy-check](./fms-webacl-resource-policy-check.html)
+ [fms-webacl-rulegroup-association-check](./fms-webacl-rulegroup-association-check.html)
+ [fsx-last-backup-recovery-point-created](./fsx-last-backup-recovery-point-created.html)
+ [fsx-lustre-copy-tags-to-backups](./fsx-lustre-copy-tags-to-backups.html)
+ [fsx-meets-restore-time-target](./fsx-meets-restore-time-target.html)
+ [fsx-ontap-deployment-type-check](./fsx-ontap-deployment-type-check.html)
+ [fsx-openzfs-copy-tags-enabled](./fsx-openzfs-copy-tags-enabled.html)
+ [fsx-openzfs-deployment-type-check](./fsx-openzfs-deployment-type-check.html)
+ [fsx-resources-protected-by-backup-plan](./fsx-resources-protected-by-backup-plan.html)
+ [fsx-windows-audit-log-configured](./fsx-windows-audit-log-configured.html)
+ [fsx-windows-deployment-type-check](./fsx-windows-deployment-type-check.html)
+ [glb-listener-tagged](./glb-listener-tagged.html)
+ [glb-tagged](./glb-tagged.html)
+ [global-endpoint-event-replication-enabled](./global-endpoint-event-replication-enabled.html)
+ [glue-job-logging-enabled](./glue-job-logging-enabled.html)
+ [glue-ml-transform-encrypted-at-rest](./glue-ml-transform-encrypted-at-rest.html)
+ [glue-ml-transform-tagged](./glue-ml-transform-tagged.html)
+ [glue-spark-job-supported-version](./glue-spark-job-supported-version.html)
+ [guardduty-ec2-protection-runtime-enabled](./guardduty-ec2-protection-runtime-enabled.html)
+ [guardduty-ecs-protection-runtime-enabled](./guardduty-ecs-protection-runtime-enabled.html)
+ [guardduty-eks-protection-audit-enabled](./guardduty-eks-protection-audit-enabled.html)
+ [guardduty-eks-protection-runtime-enabled](./guardduty-eks-protection-runtime-enabled.html)
+ [guardduty-enabled-centralized](./guardduty-enabled-centralized.html)
+ [guardduty-lambda-protection-enabled](./guardduty-lambda-protection-enabled.html)
+ [guardduty-malware-protection-enabled](./guardduty-malware-protection-enabled.html)
+ [guardduty-non-archived-findings](./guardduty-non-archived-findings.html)
+ [guardduty-rds-protection-enabled](./guardduty-rds-protection-enabled.html)
+ [guardduty-runtime-monitoring-enabled](./guardduty-runtime-monitoring-enabled.html)
+ [guardduty-s3-protection-enabled](./guardduty-s3-protection-enabled.html)
+ [iam-customer-policy-blocked-kms-actions](./iam-customer-policy-blocked-kms-actions.html)
+ [iam-external-access-analyzer-enabled](./iam-external-access-analyzer-enabled.html)
+ [iam-group-has-users-check](./iam-group-has-users-check.html)
+ [iam-inline-policy-blocked-kms-actions](./iam-inline-policy-blocked-kms-actions.html)
+ [iam-no-inline-policy-check](./iam-no-inline-policy-check.html)
+ [iam-password-policy](./iam-password-policy.html)
+ [iam-policy-blacklisted-check](./iam-policy-blacklisted-check.html)
+ [iam-policy-description](./iam-policy-description.html)
+ [iam-policy-in-use](./iam-policy-in-use.html)
+ [iam-policy-no-statements-with-admin-access](./iam-policy-no-statements-with-admin-access.html)
+ [iam-policy-no-statements-with-full-access](./iam-policy-no-statements-with-full-access.html)
+ [iam-role-managed-policy-check](./iam-role-managed-policy-check.html)
+ [iam-root-access-key-check](./iam-root-access-key-check.html)
+ [iam-user-group-membership-check](./iam-user-group-membership-check.html)
+ [iam-user-mfa-enabled](./iam-user-mfa-enabled.html)
+ [iam-user-no-policies-check](./iam-user-no-policies-check.html)
+ [iam-user-unused-credentials-check](./iam-user-unused-credentials-check.html)
+ [imagebuilder-distributionconfiguration-tagged](./imagebuilder-distributionconfiguration-tagged.html)
+ [imagebuilder-imagepipeline-tagged](./imagebuilder-imagepipeline-tagged.html)
+ [imagebuilder-imagerecipe-ebs-volumes-encrypted](./imagebuilder-imagerecipe-ebs-volumes-encrypted.html)
+ [imagebuilder-imagerecipe-tagged](./imagebuilder-imagerecipe-tagged.html)
+ [imagebuilder-infrastructureconfiguration-tagged](./imagebuilder-infrastructureconfiguration-tagged.html)
+ [incoming-ssh-disabled](./incoming-ssh-disabled.html)
+ [inspector-ec2-scan-enabled](./inspector-ec2-scan-enabled.html)
+ [inspector-ecr-scan-enabled](./inspector-ecr-scan-enabled.html)
+ [inspector-lambda-standard-scan-enabled](./inspector-lambda-standard-scan-enabled.html)
+ [instances-in-vpc](./instances-in-vpc.html)
+ [internet-gateway-authorized-vpc-only](./internet-gateway-authorized-vpc-only.html)
+ [iotdevicedefender-custom-metric-tagged](./iotdevicedefender-custom-metric-tagged.html)
+ [iot-authorizer-token-signing-enabled](./iot-authorizer-token-signing-enabled.html)
+ [iot-job-template-tagged](./iot-job-template-tagged.html)
+ [iot-provisioning-template-description](./iot-provisioning-template-description.html)
+ [iot-provisioning-template-jitp](./iot-provisioning-template-jitp.html)
+ [iot-provisioning-template-tagged](./iot-provisioning-template-tagged.html)
+ [iot-scheduled-audit-tagged](./iot-scheduled-audit-tagged.html)
+ [kinesis-firehose-delivery-stream-encrypted](./kinesis-firehose-delivery-stream-encrypted.html)
+ [kinesis-stream-backup-retention-check](./kinesis-stream-backup-retention-check.html)
+ [kinesis-stream-encrypted](./kinesis-stream-encrypted.html)
+ [kms-cmk-not-scheduled-for-deletion](./kms-cmk-not-scheduled-for-deletion.html)
+ [kms-key-policy-no-public-access](./kms-key-policy-no-public-access.html)
+ [kms-key-tagged](./kms-key-tagged.html)
+ [lambda-concurrency-check](./lambda-concurrency-check.html)
+ [lambda-dlq-check](./lambda-dlq-check.html)
+ [lambda-function-application-log-level-check](./lambda-function-application-log-level-check.html)
+ [lambda-function-description](./lambda-function-description.html)
+ [lambda-function-log-format-json](./lambda-function-log-format-json.html)
+ [lambda-function-public-access-prohibited](./lambda-function-public-access-prohibited.html)
+ [lambda-function-settings-check](./lambda-function-settings-check.html)
+ [lambda-function-system-log-level-check](./lambda-function-system-log-level-check.html)
+ [lambda-function-xray-enabled](./lambda-function-xray-enabled.html)
+ [lambda-inside-vpc](./lambda-inside-vpc.html)
+ [lambda-vpc-multi-az-check](./lambda-vpc-multi-az-check.html)
+ [macie-auto-sensitive-data-discovery-check](./macie-auto-sensitive-data-discovery-check.html)
+ [macie-status-check](./macie-status-check.html)
+ [mariadb-publish-logs-to-cloudwatch-logs](./mariadb-publish-logs-to-cloudwatch-logs.html)
+ [mediapackage-packagingconfiguration-tagged](./mediapackage-packagingconfiguration-tagged.html)
+ [memorydb-subnetgroup-tagged](./memorydb-subnetgroup-tagged.html)
+ [mfa-enabled-for-iam-console-access](./mfa-enabled-for-iam-console-access.html)
+ [mq-active-broker-ldap-authentication](./mq-active-broker-ldap-authentication.html)
+ [mq-active-deployment-mode](./mq-active-deployment-mode.html)
+ [mq-active-single-instance-broker-storage-type-efs](./mq-active-single-instance-broker-storage-type-efs.html)
+ [mq-automatic-minor-version-upgrade-enabled](./mq-automatic-minor-version-upgrade-enabled.html)
+ [mq-auto-minor-version-upgrade-enabled](./mq-auto-minor-version-upgrade-enabled.html)
+ [mq-broker-general-logging-enabled](./mq-broker-general-logging-enabled.html)
+ [mq-cloudwatch-audit-logging-enabled](./mq-cloudwatch-audit-logging-enabled.html)
+ [mq-cloudwatch-audit-log-enabled](./mq-cloudwatch-audit-log-enabled.html)
+ [mq-no-public-access](./mq-no-public-access.html)
+ [mq-rabbit-deployment-mode](./mq-rabbit-deployment-mode.html)
+ [msk-cluster-public-access-disabled](./msk-cluster-public-access-disabled.html)
+ [msk-cluster-tagged](./msk-cluster-tagged.html)
+ [msk-connect-connector-logging-enabled](./msk-connect-connector-logging-enabled.html)
+ [msk-enhanced-monitoring-enabled](./msk-enhanced-monitoring-enabled.html)
+ [msk-in-cluster-node-require-tls](./msk-in-cluster-node-require-tls.html)
+ [msk-unrestricted-access-check](./msk-unrestricted-access-check.html)
+ [multi-region-cloud-trail-enabled](./multi-region-cloud-trail-enabled.html)
+ [nacl-no-unrestricted-ssh-rdp](./nacl-no-unrestricted-ssh-rdp.html)
+ [neptune-cluster-backup-retention-check](./neptune-cluster-backup-retention-check.html)
+ [neptune-cluster-cloudwatch-log-export-enabled](./neptune-cluster-cloudwatch-log-export-enabled.html)
+ [neptune-cluster-copy-tags-to-snapshot-enabled](./neptune-cluster-copy-tags-to-snapshot-enabled.html)
+ [neptune-cluster-deletion-protection-enabled](./neptune-cluster-deletion-protection-enabled.html)
+ [neptune-cluster-encrypted](./neptune-cluster-encrypted.html)
+ [neptune-cluster-iam-database-authentication](./neptune-cluster-iam-database-authentication.html)
+ [neptune-cluster-multi-az-enabled](./neptune-cluster-multi-az-enabled.html)
+ [neptune-cluster-snapshot-encrypted](./neptune-cluster-snapshot-encrypted.html)
+ [neptune-cluster-snapshot-iam-database-auth-enabled](./neptune-cluster-snapshot-iam-database-auth-enabled.html)
+ [neptune-cluster-snapshot-public-prohibited](./neptune-cluster-snapshot-public-prohibited.html)
+ [netfw-deletion-protection-enabled](./netfw-deletion-protection-enabled.html)
+ [netfw-logging-enabled](./netfw-logging-enabled.html)
+ [netfw-multi-az-enabled](./netfw-multi-az-enabled.html)
+ [netfw-policy-default-action-fragment-packets](./netfw-policy-default-action-fragment-packets.html)
+ [netfw-policy-default-action-full-packets](./netfw-policy-default-action-full-packets.html)
+ [netfw-policy-rule-group-associated](./netfw-policy-rule-group-associated.html)
+ [netfw-stateless-rule-group-not-empty](./netfw-stateless-rule-group-not-empty.html)
+ [netfw-subnet-change-protection-enabled](./netfw-subnet-change-protection-enabled.html)
+ [nlb-cross-zone-load-balancing-enabled](./nlb-cross-zone-load-balancing-enabled.html)
+ [nlb-internal-scheme-check](./nlb-internal-scheme-check.html)
+ [nlb-listener-tagged](./nlb-listener-tagged.html)
+ [nlb-logging-enabled](./nlb-logging-enabled.html)
+ [nlb-tagged](./nlb-tagged.html)
+ [no-unrestricted-route-to-igw](./no-unrestricted-route-to-igw.html)
+ [opensearch-access-control-enabled](./opensearch-access-control-enabled.html)
+ [opensearch-audit-logging-enabled](./opensearch-audit-logging-enabled.html)
+ [opensearch-data-node-fault-tolerance](./opensearch-data-node-fault-tolerance.html)
+ [opensearch-encrypted-at-rest](./opensearch-encrypted-at-rest.html)
+ [opensearch-https-required](./opensearch-https-required.html)
+ [opensearch-in-vpc-only](./opensearch-in-vpc-only.html)
+ [opensearch-logs-to-cloudwatch](./opensearch-logs-to-cloudwatch.html)
+ [opensearch-node-to-node-encryption-check](./opensearch-node-to-node-encryption-check.html)
+ [opensearch-primary-node-fault-tolerance](./opensearch-primary-node-fault-tolerance.html)
+ [opensearch-update-check](./opensearch-update-check.html)
+ [rabbit-mq-supported-version](./rabbit-mq-supported-version.html)
+ [rds-aurora-mysql-audit-logging-enabled](./rds-aurora-mysql-audit-logging-enabled.html)
+ [rds-aurora-postgresql-logs-to-cloudwatch](./rds-aurora-postgresql-logs-to-cloudwatch.html)
+ [rds-automatic-minor-version-upgrade-enabled](./rds-automatic-minor-version-upgrade-enabled.html)
+ [rds-cluster-backup-retention-check](./rds-cluster-backup-retention-check.html)
+ [rds-cluster-default-admin-check](./rds-cluster-default-admin-check.html)
+ [rds-cluster-deletion-protection-enabled](./rds-cluster-deletion-protection-enabled.html)
+ [rds-cluster-encrypted-at-rest](./rds-cluster-encrypted-at-rest.html)
+ [rds-cluster-iam-authentication-enabled](./rds-cluster-iam-authentication-enabled.html)
+ [rds-cluster-multi-az-enabled](./rds-cluster-multi-az-enabled.html)
+ [rds-db-security-group-not-allowed](./rds-db-security-group-not-allowed.html)
+ [rds-enhanced-monitoring-enabled](./rds-enhanced-monitoring-enabled.html)
+ [rds-event-subscription-tagged](./rds-event-subscription-tagged.html)
+ [rds-global-cluster-aurora-mysql-supported-version](./rds-global-cluster-aurora-mysql-supported-version.html)
+ [rds-instance-default-admin-check](./rds-instance-default-admin-check.html)
+ [rds-instance-deletion-protection-enabled](./rds-instance-deletion-protection-enabled.html)
+ [rds-instance-iam-authentication-enabled](./rds-instance-iam-authentication-enabled.html)
+ [rds-instance-public-access-check](./rds-instance-public-access-check.html)
+ [rds-instance-subnet-igw-check](./rds-instance-subnet-igw-check.html)
+ [rds-in-backup-plan](./rds-in-backup-plan.html)
+ [rds-last-backup-recovery-point-created](./rds-last-backup-recovery-point-created.html)
+ [rds-logging-enabled](./rds-logging-enabled.html)
+ [rds-mariadb-instance-encrypted-in-transit](./rds-mariadb-instance-encrypted-in-transit.html)
+ [rds-meets-restore-time-target](./rds-meets-restore-time-target.html)
+ [rds-multi-az-support](./rds-multi-az-support.html)
+ [rds-mysql-instance-encrypted-in-transit](./rds-mysql-instance-encrypted-in-transit.html)
+ [rds-option-group-tagged](./rds-option-group-tagged.html)
+ [rds-postgresql-logs-to-cloudwatch](./rds-postgresql-logs-to-cloudwatch.html)
+ [rds-postgres-instance-encrypted-in-transit](./rds-postgres-instance-encrypted-in-transit.html)
+ [rds-proxy-tls-encryption](./rds-proxy-tls-encryption.html)
+ [rds-resources-protected-by-backup-plan](./rds-resources-protected-by-backup-plan.html)
+ [rds-snapshots-public-prohibited](./rds-snapshots-public-prohibited.html)
+ [rds-snapshot-encrypted](./rds-snapshot-encrypted.html)
+ [rds-sqlserver-encrypted-in-transit](./rds-sqlserver-encrypted-in-transit.html)
+ [rds-sql-server-logs-to-cloudwatch](./rds-sql-server-logs-to-cloudwatch.html)
+ [rds-storage-encrypted](./rds-storage-encrypted.html)
+ [redshift-audit-logging-enabled](./redshift-audit-logging-enabled.html)
+ [redshift-backup-enabled](./redshift-backup-enabled.html)
+ [redshift-cluster-configuration-check](./redshift-cluster-configuration-check.html)
+ [redshift-cluster-kms-enabled](./redshift-cluster-kms-enabled.html)
+ [redshift-cluster-maintenancesettings-check](./redshift-cluster-maintenancesettings-check.html)
+ [redshift-cluster-parameter-group-tagged](./redshift-cluster-parameter-group-tagged.html)
+ [redshift-cluster-public-access-check](./redshift-cluster-public-access-check.html)
+ [redshift-cluster-subnet-group-multi-az](./redshift-cluster-subnet-group-multi-az.html)
+ [redshift-default-admin-check](./redshift-default-admin-check.html)
+ [redshift-default-db-name-check](./redshift-default-db-name-check.html)
+ [redshift-enhanced-vpc-routing-enabled](./redshift-enhanced-vpc-routing-enabled.html)
+ [redshift-require-tls-ssl](./redshift-require-tls-ssl.html)
+ [redshift-serverless-default-admin-check](./redshift-serverless-default-admin-check.html)
+ [redshift-serverless-default-db-name-check](./redshift-serverless-default-db-name-check.html)
+ [redshift-serverless-namespace-cmk-encryption](./redshift-serverless-namespace-cmk-encryption.html)
+ [redshift-serverless-publish-logs-to-cloudwatch](./redshift-serverless-publish-logs-to-cloudwatch.html)
+ [redshift-serverless-workgroup-encrypted-in-transit](./redshift-serverless-workgroup-encrypted-in-transit.html)
+ [redshift-serverless-workgroup-no-public-access](./redshift-serverless-workgroup-no-public-access.html)
+ [redshift-serverless-workgroup-routes-within-vpc](./redshift-serverless-workgroup-routes-within-vpc.html)
+ [redshift-unrestricted-port-access](./redshift-unrestricted-port-access.html)
+ [required-tags](./required-tags.html)
+ [resiliencehub-app-tagged](./resiliencehub-app-tagged.html)
+ [resiliencehub-resiliencypolicy-tagged](./resiliencehub-resiliencypolicy-tagged.html)
+ [restricted-incoming-traffic](./restricted-incoming-traffic.html)
+ [root-account-hardware-mfa-enabled](./root-account-hardware-mfa-enabled.html)
+ [root-account-mfa-enabled](./root-account-mfa-enabled.html)
+ [route53-resolver-firewall-domain-list-tagged](./route53-resolver-firewall-domain-list-tagged.html)
+ [route53-resolver-firewall-rule-group-association-tagged](./route53-resolver-firewall-rule-group-association-tagged.html)
+ [route53-resolver-firewall-rule-group-tagged](./route53-resolver-firewall-rule-group-tagged.html)
+ [route53-resolver-resolver-endpoint-tagged](./route53-resolver-resolver-endpoint-tagged.html)
+ [route53-resolver-resolver-rule-tagged](./route53-resolver-resolver-rule-tagged.html)
+ [rum-app-monitor-cloudwatch-logs-enabled](./rum-app-monitor-cloudwatch-logs-enabled.html)
+ [rum-app-monitor-tagged](./rum-app-monitor-tagged.html)
+ [s3-access-point-in-vpc-only](./s3-access-point-in-vpc-only.html)
+ [s3-access-point-public-access-blocks](./s3-access-point-public-access-blocks.html)
+ [s3-account-level-public-access-blocks](./s3-account-level-public-access-blocks.html)
+ [s3-account-level-public-access-blocks-periodic](./s3-account-level-public-access-blocks-periodic.html)
+ [s3-bucket-acl-prohibited](./s3-bucket-acl-prohibited.html)
+ [s3-bucket-blacklisted-actions-prohibited](./s3-bucket-blacklisted-actions-prohibited.html)
+ [s3-bucket-cross-region-replication-enabled](./s3-bucket-cross-region-replication-enabled.html)
+ [s3-bucket-default-lock-enabled](./s3-bucket-default-lock-enabled.html)
+ [s3-bucket-level-public-access-prohibited](./s3-bucket-level-public-access-prohibited.html)
+ [s3-bucket-logging-enabled](./s3-bucket-logging-enabled.html)
+ [s3-bucket-mfa-delete-enabled](./s3-bucket-mfa-delete-enabled.html)
+ [s3-bucket-policy-grantee-check](./s3-bucket-policy-grantee-check.html)
+ [s3-bucket-policy-not-more-permissive](./s3-bucket-policy-not-more-permissive.html)
+ [s3-bucket-public-read-prohibited](./s3-bucket-public-read-prohibited.html)
+ [s3-bucket-public-write-prohibited](./s3-bucket-public-write-prohibited.html)
+ [s3-bucket-replication-enabled](./s3-bucket-replication-enabled.html)
+ [s3-bucket-server-side-encryption-enabled](./s3-bucket-server-side-encryption-enabled.html)
+ [s3-bucket-ssl-requests-only](./s3-bucket-ssl-requests-only.html)
+ [s3-bucket-tagged](./s3-bucket-tagged.html)
+ [s3-bucket-versioning-enabled](./s3-bucket-versioning-enabled.html)
+ [s3-default-encryption-kms](./s3-default-encryption-kms.html)
+ [s3-event-notifications-enabled](./s3-event-notifications-enabled.html)
+ [s3-last-backup-recovery-point-created](./s3-last-backup-recovery-point-created.html)
+ [s3-lifecycle-policy-check](./s3-lifecycle-policy-check.html)
+ [s3-meets-restore-time-target](./s3-meets-restore-time-target.html)
+ [s3-resources-in-logically-air-gapped-vault](./s3-resources-in-logically-air-gapped-vault.html)
+ [s3-resources-protected-by-backup-plan](./s3-resources-protected-by-backup-plan.html)
+ [s3-version-lifecycle-policy-check](./s3-version-lifecycle-policy-check.html)
+ [sagemaker-app-image-config-tagged](./sagemaker-app-image-config-tagged.html)
+ [sagemaker-data-quality-job-encrypt-in-transit](./sagemaker-data-quality-job-encrypt-in-transit.html)
+ [sagemaker-data-quality-job-isolation](./sagemaker-data-quality-job-isolation.html)
+ [sagemaker-domain-in-vpc](./sagemaker-domain-in-vpc.html)
+ [sagemaker-domain-tagged](./sagemaker-domain-tagged.html)
+ [sagemaker-endpoint-configuration-kms-key-configured](./sagemaker-endpoint-configuration-kms-key-configured.html)
+ [sagemaker-endpoint-config-prod-instance-count](./sagemaker-endpoint-config-prod-instance-count.html)
+ [sagemaker-featuregroup-description](./sagemaker-featuregroup-description.html)
+ [sagemaker-featuregroup-encryption-at-rest](./sagemaker-featuregroup-encryption-at-rest.html)
+ [sagemaker-feature-group-tagged](./sagemaker-feature-group-tagged.html)
+ [sagemaker-image-description](./sagemaker-image-description.html)
+ [sagemaker-image-tagged](./sagemaker-image-tagged.html)
+ [sagemaker-inferenceexperiment-tagged](./sagemaker-inferenceexperiment-tagged.html)
+ [sagemaker-model-bias-job-encrypt-in-transit](./sagemaker-model-bias-job-encrypt-in-transit.html)
+ [sagemaker-model-bias-job-isolation](./sagemaker-model-bias-job-isolation.html)
+ [sagemaker-model-explainability-job-encrypt-in-transit](./sagemaker-model-explainability-job-encrypt-in-transit.html)
+ [sagemaker-model-in-vpc](./sagemaker-model-in-vpc.html)
+ [sagemaker-model-isolation-enabled](./sagemaker-model-isolation-enabled.html)
+ [sagemaker-model-private-registry-required](./sagemaker-model-private-registry-required.html)
+ [sagemaker-model-quality-job-encrypt-in-transit](./sagemaker-model-quality-job-encrypt-in-transit.html)
+ [sagemaker-monitoring-schedule-isolation](./sagemaker-monitoring-schedule-isolation.html)
+ [sagemaker-notebook-instance-inside-vpc](./sagemaker-notebook-instance-inside-vpc.html)
+ [sagemaker-notebook-instance-kms-key-configured](./sagemaker-notebook-instance-kms-key-configured.html)
+ [sagemaker-notebook-instance-platform-version](./sagemaker-notebook-instance-platform-version.html)
+ [sagemaker-notebook-instance-root-access-check](./sagemaker-notebook-instance-root-access-check.html)
+ [sagemaker-notebook-no-direct-internet-access](./sagemaker-notebook-no-direct-internet-access.html)
+ [secretsmanager-rotation-enabled-check](./secretsmanager-rotation-enabled-check.html)
+ [secretsmanager-scheduled-rotation-success-check](./secretsmanager-scheduled-rotation-success-check.html)
+ [secretsmanager-secret-periodic-rotation](./secretsmanager-secret-periodic-rotation.html)
+ [secretsmanager-secret-unused](./secretsmanager-secret-unused.html)
+ [secretsmanager-using-cmk](./secretsmanager-using-cmk.html)
+ [securityhub-enabled](./securityhub-enabled.html)
+ [security-account-information-provided](./security-account-information-provided.html)
+ [service-catalog-portfolio-tagged](./service-catalog-portfolio-tagged.html)
+ [service-catalog-shared-within-organization](./service-catalog-shared-within-organization.html)
+ [service-vpc-endpoint-enabled](./service-vpc-endpoint-enabled.html)
+ [ses-sending-tls-required](./ses-sending-tls-required.html)
+ [signer-signingprofile-tagged](./signer-signingprofile-tagged.html)
+ [sns-encrypted-kms](./sns-encrypted-kms.html)
+ [sns-topic-message-delivery-notification-enabled](./sns-topic-message-delivery-notification-enabled.html)
+ [sns-topic-no-public-access](./sns-topic-no-public-access.html)
+ [sqs-queue-dlq-check](./sqs-queue-dlq-check.html)
+ [sqs-queue-no-public-access](./sqs-queue-no-public-access.html)
+ [sqs-queue-policy-full-access-check](./sqs-queue-policy-full-access-check.html)
+ [ssm-automation-block-public-sharing](./ssm-automation-block-public-sharing.html)
+ [ssm-automation-logging-enabled](./ssm-automation-logging-enabled.html)
+ [ssm-document-not-public](./ssm-document-not-public.html)
+ [ssm-document-tagged](./ssm-document-tagged.html)
+ [stepfunctions-state-machine-tagged](./stepfunctions-state-machine-tagged.html)
+ [step-functions-state-machine-logging-enabled](./step-functions-state-machine-logging-enabled.html)
+ [storagegateway-last-backup-recovery-point-created](./storagegateway-last-backup-recovery-point-created.html)
+ [storagegateway-resources-in-logically-air-gapped-vault](./storagegateway-resources-in-logically-air-gapped-vault.html)
+ [storagegateway-resources-protected-by-backup-plan](./storagegateway-resources-protected-by-backup-plan.html)
+ [subnet-auto-assign-public-ip-disabled](./subnet-auto-assign-public-ip-disabled.html)
+ [transfer-agreement-description](./transfer-agreement-description.html)
+ [transfer-agreement-tagged](./transfer-agreement-tagged.html)
+ [transfer-certificate-description](./transfer-certificate-description.html)
+ [transfer-certificate-tagged](./transfer-certificate-tagged.html)
+ [transfer-connector-as2-encryption-algorithm-check](./transfer-connector-as2-encryption-algorithm-check.html)
+ [transfer-connector-as2-mdn-signing-algorithm-check](./transfer-connector-as2-mdn-signing-algorithm-check.html)
+ [transfer-connector-as2-signing-algorithm-check](./transfer-connector-as2-signing-algorithm-check.html)
+ [transfer-connector-logging-enabled](./transfer-connector-logging-enabled.html)
+ [transfer-connector-tagged](./transfer-connector-tagged.html)
+ [transfer-family-server-no-ftp](./transfer-family-server-no-ftp.html)
+ [transfer-profile-tagged](./transfer-profile-tagged.html)
+ [transfer-workflow-description](./transfer-workflow-description.html)
+ [transfer-workflow-tagged](./transfer-workflow-tagged.html)
+ [virtualmachine-last-backup-recovery-point-created](./virtualmachine-last-backup-recovery-point-created.html)
+ [virtualmachine-resources-in-logically-air-gapped-vault](./virtualmachine-resources-in-logically-air-gapped-vault.html)
+ [virtualmachine-resources-protected-by-backup-plan](./virtualmachine-resources-protected-by-backup-plan.html)
+ [vpc-default-security-group-closed](./vpc-default-security-group-closed.html)
+ [vpc-endpoint-enabled](./vpc-endpoint-enabled.html)
+ [vpc-flow-logs-enabled](./vpc-flow-logs-enabled.html)
+ [vpc-network-acl-unused-check](./vpc-network-acl-unused-check.html)
+ [vpc-peering-dns-resolution-check](./vpc-peering-dns-resolution-check.html)
+ [vpc-sg-open-only-to-authorized-ports](./vpc-sg-open-only-to-authorized-ports.html)
+ [vpc-sg-port-restriction-check](./vpc-sg-port-restriction-check.html)
+ [vpc-vpn-2-tunnels-up](./vpc-vpn-2-tunnels-up.html)
+ [wafv2-logging-enabled](./wafv2-logging-enabled.html)
+ [wafv2-rulegroup-logging-enabled](./wafv2-rulegroup-logging-enabled.html)
+ [wafv2-rulegroup-not-empty](./wafv2-rulegroup-not-empty.html)
+ [wafv2-webacl-not-empty](./wafv2-webacl-not-empty.html)
+ [waf-global-rulegroup-not-empty](./waf-global-rulegroup-not-empty.html)
+ [waf-global-rule-not-empty](./waf-global-rule-not-empty.html)
+ [waf-regional-rulegroup-not-empty](./waf-regional-rulegroup-not-empty.html)
+ [waf-regional-rule-not-empty](./waf-regional-rule-not-empty.html)
+ [waf-regional-webacl-not-empty](./waf-regional-webacl-not-empty.html)

## US West (Oregon) Region
<a name="us-west-oregon-section-head"></a>

### US West (Oregon)
<a name="us-west-oregon"></a>
+ [access-keys-rotated](./access-keys-rotated.html)
+ [account-part-of-organizations](./account-part-of-organizations.html)
+ [acmpca-certificate-authority-tagged](./acmpca-certificate-authority-tagged.html)
+ [acm-certificate-expiration-check](./acm-certificate-expiration-check.html)
+ [acm-certificate-rsa-check](./acm-certificate-rsa-check.html)
+ [acm-certificate-transparent-logging-enabled](./acm-certificate-transparent-logging-enabled.html)
+ [acm-pca-root-ca-disabled](./acm-pca-root-ca-disabled.html)
+ [active-mq-supported-version](./active-mq-supported-version.html)
+ [alb-desync-mode-check](./alb-desync-mode-check.html)
+ [alb-http-drop-invalid-header-enabled](./alb-http-drop-invalid-header-enabled.html)
+ [alb-http-to-https-redirection-check](./alb-http-to-https-redirection-check.html)
+ [alb-internal-scheme-check](./alb-internal-scheme-check.html)
+ [alb-listener-tagged](./alb-listener-tagged.html)
+ [alb-tagged](./alb-tagged.html)
+ [alb-waf-enabled](./alb-waf-enabled.html)
+ [amplify-app-branch-auto-deletion-enabled](./amplify-app-branch-auto-deletion-enabled.html)
+ [amplify-app-build-spec-configured](./amplify-app-build-spec-configured.html)
+ [amplify-app-description](./amplify-app-description.html)
+ [amplify-app-no-environment-variables](./amplify-app-no-environment-variables.html)
+ [amplify-app-platform-check](./amplify-app-platform-check.html)
+ [amplify-app-tagged](./amplify-app-tagged.html)
+ [amplify-branch-auto-build-enabled](./amplify-branch-auto-build-enabled.html)
+ [amplify-branch-build-spec-configured](./amplify-branch-build-spec-configured.html)
+ [amplify-branch-description](./amplify-branch-description.html)
+ [amplify-branch-framework-configured](./amplify-branch-framework-configured.html)
+ [amplify-branch-performance-mode-enabled](./amplify-branch-performance-mode-enabled.html)
+ [amplify-branch-pull-request-preview-enabled](./amplify-branch-pull-request-preview-enabled.html)
+ [amplify-branch-tagged](./amplify-branch-tagged.html)
+ [apigatewayv2-integration-private-https-enabled](./apigatewayv2-integration-private-https-enabled.html)
+ [apigatewayv2-stage-description](./apigatewayv2-stage-description.html)
+ [apigateway-domain-name-tls-check](./apigateway-domain-name-tls-check.html)
+ [apigateway-stage-access-logs-enabled](./apigateway-stage-access-logs-enabled.html)
+ [apigateway-stage-description](./apigateway-stage-description.html)
+ [api-gwv2-access-logs-enabled](./api-gwv2-access-logs-enabled.html)
+ [api-gwv2-authorization-type-configured](./api-gwv2-authorization-type-configured.html)
+ [api-gwv2-stage-default-route-detailed-metrics-enabled](./api-gwv2-stage-default-route-detailed-metrics-enabled.html)
+ [api-gw-associated-with-waf](./api-gw-associated-with-waf.html)
+ [api-gw-cache-enabled-and-encrypted](./api-gw-cache-enabled-and-encrypted.html)
+ [api-gw-endpoint-type-check](./api-gw-endpoint-type-check.html)
+ [api-gw-execution-logging-enabled](./api-gw-execution-logging-enabled.html)
+ [api-gw-rest-api-tagged](./api-gw-rest-api-tagged.html)
+ [api-gw-ssl-enabled](./api-gw-ssl-enabled.html)
+ [api-gw-stage-tagged](./api-gw-stage-tagged.html)
+ [api-gw-xray-enabled](./api-gw-xray-enabled.html)
+ [appconfig-application-description](./appconfig-application-description.html)
+ [appconfig-application-tagged](./appconfig-application-tagged.html)
+ [appconfig-configuration-profile-tagged](./appconfig-configuration-profile-tagged.html)
+ [appconfig-configuration-profile-validators-not-empty](./appconfig-configuration-profile-validators-not-empty.html)
+ [appconfig-deployment-strategy-description](./appconfig-deployment-strategy-description.html)
+ [appconfig-deployment-strategy-minimum-final-bake-time](./appconfig-deployment-strategy-minimum-final-bake-time.html)
+ [appconfig-deployment-strategy-replicate-to-ssm](./appconfig-deployment-strategy-replicate-to-ssm.html)
+ [appconfig-deployment-strategy-tagged](./appconfig-deployment-strategy-tagged.html)
+ [appconfig-environment-description](./appconfig-environment-description.html)
+ [appconfig-environment-tagged](./appconfig-environment-tagged.html)
+ [appconfig-extension-association-tagged](./appconfig-extension-association-tagged.html)
+ [appconfig-freeform-profile-config-storage](./appconfig-freeform-profile-config-storage.html)
+ [appconfig-hosted-configuration-version-description](./appconfig-hosted-configuration-version-description.html)
+ [appflow-flow-tagged](./appflow-flow-tagged.html)
+ [appflow-flow-trigger-type-check](./appflow-flow-trigger-type-check.html)
+ [appintegrations-application-approved-origins-check](./appintegrations-application-approved-origins-check.html)
+ [appintegrations-application-tagged](./appintegrations-application-tagged.html)
+ [appintegrations-event-integration-description](./appintegrations-event-integration-description.html)
+ [appintegrations-event-integration-tagged](./appintegrations-event-integration-tagged.html)
+ [appmesh-gateway-route-tagged](./appmesh-gateway-route-tagged.html)
+ [appmesh-mesh-deny-tcp-forwarding](./appmesh-mesh-deny-tcp-forwarding.html)
+ [appmesh-mesh-ip-pref-check](./appmesh-mesh-ip-pref-check.html)
+ [appmesh-mesh-tagged](./appmesh-mesh-tagged.html)
+ [appmesh-route-tagged](./appmesh-route-tagged.html)
+ [appmesh-virtual-gateway-backend-defaults-tls](./appmesh-virtual-gateway-backend-defaults-tls.html)
+ [appmesh-virtual-gateway-listeners-health-check-enabled](./appmesh-virtual-gateway-listeners-health-check-enabled.html)
+ [appmesh-virtual-gateway-logging-file-path-exists](./appmesh-virtual-gateway-logging-file-path-exists.html)
+ [appmesh-virtual-gateway-tagged](./appmesh-virtual-gateway-tagged.html)
+ [appmesh-virtual-node-backend-defaults-tls-on](./appmesh-virtual-node-backend-defaults-tls-on.html)
+ [appmesh-virtual-node-cloud-map-ip-pref-check](./appmesh-virtual-node-cloud-map-ip-pref-check.html)
+ [appmesh-virtual-node-dns-ip-pref-check](./appmesh-virtual-node-dns-ip-pref-check.html)
+ [appmesh-virtual-node-listeners-health-check-enabled](./appmesh-virtual-node-listeners-health-check-enabled.html)
+ [appmesh-virtual-node-listeners-outlier-detect-enabled](./appmesh-virtual-node-listeners-outlier-detect-enabled.html)
+ [appmesh-virtual-node-logging-file-path-exists](./appmesh-virtual-node-logging-file-path-exists.html)
+ [appmesh-virtual-node-service-backends-tls-enforced](./appmesh-virtual-node-service-backends-tls-enforced.html)
+ [appmesh-virtual-node-tagged](./appmesh-virtual-node-tagged.html)
+ [appmesh-virtual-router-tagged](./appmesh-virtual-router-tagged.html)
+ [appmesh-virtual-service-tagged](./appmesh-virtual-service-tagged.html)
+ [approved-amis-by-id](./approved-amis-by-id.html)
+ [approved-amis-by-tag](./approved-amis-by-tag.html)
+ [apprunner-service-in-vpc](./apprunner-service-in-vpc.html)
+ [apprunner-service-ip-address-type-check](./apprunner-service-ip-address-type-check.html)
+ [apprunner-service-max-unhealthy-threshold](./apprunner-service-max-unhealthy-threshold.html)
+ [apprunner-service-no-public-access](./apprunner-service-no-public-access.html)
+ [apprunner-service-observability-enabled](./apprunner-service-observability-enabled.html)
+ [apprunner-service-tagged](./apprunner-service-tagged.html)
+ [apprunner-vpc-connector-tagged](./apprunner-vpc-connector-tagged.html)
+ [appstream-fleet-in-vpc](./appstream-fleet-in-vpc.html)
+ [appsync-associated-with-waf](./appsync-associated-with-waf.html)
+ [appsync-authorization-check](./appsync-authorization-check.html)
+ [appsync-cache-encryption-at-rest](./appsync-cache-encryption-at-rest.html)
+ [appsync-graphql-api-xray-enabled](./appsync-graphql-api-xray-enabled.html)
+ [appsync-logging-enabled](./appsync-logging-enabled.html)
+ [aps-rule-groups-namespace-tagged](./aps-rule-groups-namespace-tagged.html)
+ [athena-data-catalog-description](./athena-data-catalog-description.html)
+ [athena-prepared-statement-description](./athena-prepared-statement-description.html)
+ [athena-workgroup-description](./athena-workgroup-description.html)
+ [athena-workgroup-encrypted-at-rest](./athena-workgroup-encrypted-at-rest.html)
+ [athena-workgroup-enforce-workgroup-configuration](./athena-workgroup-enforce-workgroup-configuration.html)
+ [athena-workgroup-engine-version-auto-upgrade](./athena-workgroup-engine-version-auto-upgrade.html)
+ [athena-workgroup-logging-enabled](./athena-workgroup-logging-enabled.html)
+ [auditmanager-assessment-tagged](./auditmanager-assessment-tagged.html)
+ [aurora-global-database-encryption-at-rest](./aurora-global-database-encryption-at-rest.html)
+ [aurora-last-backup-recovery-point-created](./aurora-last-backup-recovery-point-created.html)
+ [aurora-meets-restore-time-target](./aurora-meets-restore-time-target.html)
+ [aurora-mysql-backtracking-enabled](./aurora-mysql-backtracking-enabled.html)
+ [aurora-mysql-cluster-audit-logging](./aurora-mysql-cluster-audit-logging.html)
+ [aurora-resources-in-logically-air-gapped-vault](./aurora-resources-in-logically-air-gapped-vault.html)
+ [aurora-resources-protected-by-backup-plan](./aurora-resources-protected-by-backup-plan.html)
+ [autoscaling-capacity-rebalancing](./autoscaling-capacity-rebalancing.html)
+ [autoscaling-group-elb-healthcheck-required](./autoscaling-group-elb-healthcheck-required.html)
+ [autoscaling-launchconfig-requires-imdsv2](./autoscaling-launchconfig-requires-imdsv2.html)
+ [autoscaling-launch-config-hop-limit](./autoscaling-launch-config-hop-limit.html)
+ [autoscaling-launch-config-public-ip-disabled](./autoscaling-launch-config-public-ip-disabled.html)
+ [autoscaling-launch-template](./autoscaling-launch-template.html)
+ [autoscaling-multiple-az](./autoscaling-multiple-az.html)
+ [autoscaling-multiple-instance-types](./autoscaling-multiple-instance-types.html)
+ [backup-plan-min-frequency-and-min-retention-check](./backup-plan-min-frequency-and-min-retention-check.html)
+ [backup-recovery-point-encrypted](./backup-recovery-point-encrypted.html)
+ [backup-recovery-point-manual-deletion-disabled](./backup-recovery-point-manual-deletion-disabled.html)
+ [backup-recovery-point-minimum-retention-check](./backup-recovery-point-minimum-retention-check.html)
+ [batch-compute-environment-enabled](./batch-compute-environment-enabled.html)
+ [batch-compute-environment-managed](./batch-compute-environment-managed.html)
+ [batch-compute-environment-tagged](./batch-compute-environment-tagged.html)
+ [batch-job-queue-enabled](./batch-job-queue-enabled.html)
+ [batch-job-queue-tagged](./batch-job-queue-tagged.html)
+ [batch-managed-compute-environment-using-launch-template](./batch-managed-compute-environment-using-launch-template.html)
+ [batch-managed-compute-env-allocation-strategy-check](./batch-managed-compute-env-allocation-strategy-check.html)
+ [batch-managed-compute-env-compute-resources-tagged](./batch-managed-compute-env-compute-resources-tagged.html)
+ [batch-managed-spot-compute-environment-max-bid](./batch-managed-spot-compute-environment-max-bid.html)
+ [batch-scheduling-policy-tagged](./batch-scheduling-policy-tagged.html)
+ [beanstalk-enhanced-health-reporting-enabled](./beanstalk-enhanced-health-reporting-enabled.html)
+ [cassandra-keyspace-tagged](./cassandra-keyspace-tagged.html)
+ [clb-desync-mode-check](./clb-desync-mode-check.html)
+ [clb-multiple-az](./clb-multiple-az.html)
+ [cloudformation-stack-drift-detection-check](./cloudformation-stack-drift-detection-check.html)
+ [cloudformation-stack-notification-check](./cloudformation-stack-notification-check.html)
+ [cloudformation-stack-service-role-check](./cloudformation-stack-service-role-check.html)
+ [cloudformation-termination-protection-check](./cloudformation-termination-protection-check.html)
+ [cloudtrail-all-read-s3-data-event-check](./cloudtrail-all-read-s3-data-event-check.html)
+ [cloudtrail-all-write-s3-data-event-check](./cloudtrail-all-write-s3-data-event-check.html)
+ [cloudtrail-event-data-store-multi-region](./cloudtrail-event-data-store-multi-region.html)
+ [cloudtrail-s3-bucket-access-logging](./cloudtrail-s3-bucket-access-logging.html)
+ [cloudtrail-s3-bucket-public-access-prohibited](./cloudtrail-s3-bucket-public-access-prohibited.html)
+ [cloudtrail-s3-dataevents-enabled](./cloudtrail-s3-dataevents-enabled.html)
+ [cloudtrail-security-trail-enabled](./cloudtrail-security-trail-enabled.html)
+ [cloudwatch-alarm-action-check](./cloudwatch-alarm-action-check.html)
+ [cloudwatch-alarm-action-enabled-check](./cloudwatch-alarm-action-enabled-check.html)
+ [cloudwatch-alarm-description](./cloudwatch-alarm-description.html)
+ [cloudwatch-alarm-resource-check](./cloudwatch-alarm-resource-check.html)
+ [cloudwatch-alarm-settings-check](./cloudwatch-alarm-settings-check.html)
+ [cloudwatch-log-group-encrypted](./cloudwatch-log-group-encrypted.html)
+ [cloudwatch-metric-stream-tagged](./cloudwatch-metric-stream-tagged.html)
+ [cloud-trail-cloud-watch-logs-enabled](./cloud-trail-cloud-watch-logs-enabled.html)
+ [cloud-trail-enabled](./cloud-trail-enabled.html)
+ [cloud-trail-encryption-enabled](./cloud-trail-encryption-enabled.html)
+ [cloud-trail-log-file-validation-enabled](./cloud-trail-log-file-validation-enabled.html)
+ [cmk-backing-key-rotation-enabled](./cmk-backing-key-rotation-enabled.html)
+ [codeartifact-repository-tagged](./codeartifact-repository-tagged.html)
+ [codebuild-project-artifact-encryption](./codebuild-project-artifact-encryption.html)
+ [codebuild-project-environment-privileged-check](./codebuild-project-environment-privileged-check.html)
+ [codebuild-project-envvar-awscred-check](./codebuild-project-envvar-awscred-check.html)
+ [codebuild-project-logging-enabled](./codebuild-project-logging-enabled.html)
+ [codebuild-project-s3-logs-encrypted](./codebuild-project-s3-logs-encrypted.html)
+ [codebuild-project-source-repo-url-check](./codebuild-project-source-repo-url-check.html)
+ [codebuild-project-tagged](./codebuild-project-tagged.html)
+ [codebuild-report-group-encrypted-at-rest](./codebuild-report-group-encrypted-at-rest.html)
+ [codebuild-report-group-tagged](./codebuild-report-group-tagged.html)
+ [codedeploy-auto-rollback-monitor-enabled](./codedeploy-auto-rollback-monitor-enabled.html)
+ [codedeploy-deployment-group-auto-rollback-enabled](./codedeploy-deployment-group-auto-rollback-enabled.html)
+ [codedeploy-deployment-group-outdated-instances-update](./codedeploy-deployment-group-outdated-instances-update.html)
+ [codedeploy-ec2-minimum-healthy-hosts-configured](./codedeploy-ec2-minimum-healthy-hosts-configured.html)
+ [codedeploy-lambda-allatonce-traffic-shift-disabled](./codedeploy-lambda-allatonce-traffic-shift-disabled.html)
+ [codeguruprofiler-profiling-group-tagged](./codeguruprofiler-profiling-group-tagged.html)
+ [codegurureviewer-repository-association-tagged](./codegurureviewer-repository-association-tagged.html)
+ [codepipeline-deployment-count-check](./codepipeline-deployment-count-check.html)
+ [codepipeline-region-fanout-check](./codepipeline-region-fanout-check.html)
+ [cognito-identity-pool-unauthenticated-logins](./cognito-identity-pool-unauthenticated-logins.html)
+ [cognito-identity-pool-unauth-access-check](./cognito-identity-pool-unauth-access-check.html)
+ [cognito-userpool-cust-auth-threat-full-check](./cognito-userpool-cust-auth-threat-full-check.html)
+ [cognito-user-pool-advanced-security-enabled](./cognito-user-pool-advanced-security-enabled.html)
+ [cognito-user-pool-deletion-protection-enabled](./cognito-user-pool-deletion-protection-enabled.html)
+ [cognito-user-pool-mfa-enabled](./cognito-user-pool-mfa-enabled.html)
+ [cognito-user-pool-password-policy-check](./cognito-user-pool-password-policy-check.html)
+ [cognito-user-pool-tagged](./cognito-user-pool-tagged.html)
+ [connect-instance-logging-enabled](./connect-instance-logging-enabled.html)
+ [customerprofiles-domain-tagged](./customerprofiles-domain-tagged.html)
+ [customerprofiles-object-type-allow-profile-creation](./customerprofiles-object-type-allow-profile-creation.html)
+ [customerprofiles-object-type-tagged](./customerprofiles-object-type-tagged.html)
+ [custom-eventbus-policy-attached](./custom-eventbus-policy-attached.html)
+ [custom-schema-registry-policy-attached](./custom-schema-registry-policy-attached.html)
+ [cw-loggroup-retention-period-check](./cw-loggroup-retention-period-check.html)
+ [datasync-location-object-storage-using-https](./datasync-location-object-storage-using-https.html)
+ [datasync-task-data-verification-enabled](./datasync-task-data-verification-enabled.html)
+ [datasync-task-logging-enabled](./datasync-task-logging-enabled.html)
+ [datasync-task-tagged](./datasync-task-tagged.html)
+ [dax-encryption-enabled](./dax-encryption-enabled.html)
+ [dax-tls-endpoint-encryption](./dax-tls-endpoint-encryption.html)
+ [db-instance-backup-enabled](./db-instance-backup-enabled.html)
+ [desired-instance-tenancy](./desired-instance-tenancy.html)
+ [desired-instance-type](./desired-instance-type.html)
+ [devicefarm-instance-profile-tagged](./devicefarm-instance-profile-tagged.html)
+ [devicefarm-project-tagged](./devicefarm-project-tagged.html)
+ [devicefarm-test-grid-project-tagged](./devicefarm-test-grid-project-tagged.html)
+ [dms-auto-minor-version-upgrade-check](./dms-auto-minor-version-upgrade-check.html)
+ [dms-endpoint-ssl-configured](./dms-endpoint-ssl-configured.html)
+ [dms-endpoint-tagged](./dms-endpoint-tagged.html)
+ [dms-mongo-db-authentication-enabled](./dms-mongo-db-authentication-enabled.html)
+ [dms-neptune-iam-authorization-enabled](./dms-neptune-iam-authorization-enabled.html)
+ [dms-redis-tls-enabled](./dms-redis-tls-enabled.html)
+ [dms-replication-instance-multi-az-enabled](./dms-replication-instance-multi-az-enabled.html)
+ [dms-replication-not-public](./dms-replication-not-public.html)
+ [dms-replication-task-sourcedb-logging](./dms-replication-task-sourcedb-logging.html)
+ [dms-replication-task-tagged](./dms-replication-task-tagged.html)
+ [dms-replication-task-targetdb-logging](./dms-replication-task-targetdb-logging.html)
+ [docdb-cluster-audit-logging-enabled](./docdb-cluster-audit-logging-enabled.html)
+ [docdb-cluster-backup-retention-check](./docdb-cluster-backup-retention-check.html)
+ [docdb-cluster-deletion-protection-enabled](./docdb-cluster-deletion-protection-enabled.html)
+ [docdb-cluster-encrypted](./docdb-cluster-encrypted.html)
+ [docdb-cluster-encrypted-in-transit](./docdb-cluster-encrypted-in-transit.html)
+ [docdb-cluster-snapshot-public-prohibited](./docdb-cluster-snapshot-public-prohibited.html)
+ [dynamodb-autoscaling-enabled](./dynamodb-autoscaling-enabled.html)
+ [dynamodb-in-backup-plan](./dynamodb-in-backup-plan.html)
+ [dynamodb-last-backup-recovery-point-created](./dynamodb-last-backup-recovery-point-created.html)
+ [dynamodb-meets-restore-time-target](./dynamodb-meets-restore-time-target.html)
+ [dynamodb-pitr-enabled](./dynamodb-pitr-enabled.html)
+ [dynamodb-resources-protected-by-backup-plan](./dynamodb-resources-protected-by-backup-plan.html)
+ [dynamodb-table-deletion-protection-enabled](./dynamodb-table-deletion-protection-enabled.html)
+ [dynamodb-table-encrypted-kms](./dynamodb-table-encrypted-kms.html)
+ [dynamodb-table-encryption-enabled](./dynamodb-table-encryption-enabled.html)
+ [dynamodb-throughput-limit-check](./dynamodb-throughput-limit-check.html)
+ [ebs-in-backup-plan](./ebs-in-backup-plan.html)
+ [ebs-last-backup-recovery-point-created](./ebs-last-backup-recovery-point-created.html)
+ [ebs-meets-restore-time-target](./ebs-meets-restore-time-target.html)
+ [ebs-optimized-instance](./ebs-optimized-instance.html)
+ [ebs-resources-in-logically-air-gapped-vault](./ebs-resources-in-logically-air-gapped-vault.html)
+ [ebs-resources-protected-by-backup-plan](./ebs-resources-protected-by-backup-plan.html)
+ [ebs-snapshot-block-public-access](./ebs-snapshot-block-public-access.html)
+ [ebs-snapshot-public-restorable-check](./ebs-snapshot-public-restorable-check.html)
+ [ec2-capacity-reservation-tagged](./ec2-capacity-reservation-tagged.html)
+ [ec2-carrier-gateway-tagged](./ec2-carrier-gateway-tagged.html)
+ [ec2-client-vpn-connection-log-enabled](./ec2-client-vpn-connection-log-enabled.html)
+ [ec2-client-vpn-endpoint-tagged](./ec2-client-vpn-endpoint-tagged.html)
+ [ec2-client-vpn-not-authorize-all](./ec2-client-vpn-not-authorize-all.html)
+ [ec2-dhcp-options-tagged](./ec2-dhcp-options-tagged.html)
+ [ec2-ebs-encryption-by-default](./ec2-ebs-encryption-by-default.html)
+ [ec2-enis-source-destination-check-enabled](./ec2-enis-source-destination-check-enabled.html)
+ [ec2-fleet-tagged](./ec2-fleet-tagged.html)
+ [ec2-imdsv2-check](./ec2-imdsv2-check.html)
+ [ec2-instance-detailed-monitoring-enabled](./ec2-instance-detailed-monitoring-enabled.html)
+ [ec2-instance-launched-with-allowed-ami](./ec2-instance-launched-with-allowed-ami.html)
+ [ec2-instance-managed-by-ssm](./ec2-instance-managed-by-ssm.html)
+ [ec2-instance-multiple-eni-check](./ec2-instance-multiple-eni-check.html)
+ [ec2-instance-no-public-ip](./ec2-instance-no-public-ip.html)
+ [ec2-instance-profile-attached](./ec2-instance-profile-attached.html)
+ [ec2-ipamscope-tagged](./ec2-ipamscope-tagged.html)
+ [ec2-last-backup-recovery-point-created](./ec2-last-backup-recovery-point-created.html)
+ [ec2-launchtemplate-ebs-encrypted](./ec2-launchtemplate-ebs-encrypted.html)
+ [ec2-launch-templates-ebs-volume-encrypted](./ec2-launch-templates-ebs-volume-encrypted.html)
+ [ec2-launch-template-imdsv2-check](./ec2-launch-template-imdsv2-check.html)
+ [ec2-launch-template-public-ip-disabled](./ec2-launch-template-public-ip-disabled.html)
+ [ec2-launch-template-tagged](./ec2-launch-template-tagged.html)
+ [ec2-managedinstance-applications-blacklisted](./ec2-managedinstance-applications-blacklisted.html)
+ [ec2-managedinstance-applications-required](./ec2-managedinstance-applications-required.html)
+ [ec2-managedinstance-association-compliance-status-check](./ec2-managedinstance-association-compliance-status-check.html)
+ [ec2-managedinstance-inventory-blacklisted](./ec2-managedinstance-inventory-blacklisted.html)
+ [ec2-managedinstance-patch-compliance-status-check](./ec2-managedinstance-patch-compliance-status-check.html)
+ [ec2-managedinstance-platform-check](./ec2-managedinstance-platform-check.html)
+ [ec2-meets-restore-time-target](./ec2-meets-restore-time-target.html)
+ [ec2-network-insights-access-scope-analysis-tagged](./ec2-network-insights-access-scope-analysis-tagged.html)
+ [ec2-network-insights-access-scope-tagged](./ec2-network-insights-access-scope-tagged.html)
+ [ec2-network-insights-analysis-tagged](./ec2-network-insights-analysis-tagged.html)
+ [ec2-network-insights-path-tagged](./ec2-network-insights-path-tagged.html)
+ [ec2-no-amazon-key-pair](./ec2-no-amazon-key-pair.html)
+ [ec2-paravirtual-instance-check](./ec2-paravirtual-instance-check.html)
+ [ec2-prefix-list-tagged](./ec2-prefix-list-tagged.html)
+ [ec2-resources-in-logically-air-gapped-vault](./ec2-resources-in-logically-air-gapped-vault.html)
+ [ec2-resources-protected-by-backup-plan](./ec2-resources-protected-by-backup-plan.html)
+ [ec2-security-group-attached-to-eni](./ec2-security-group-attached-to-eni.html)
+ [ec2-security-group-attached-to-eni-periodic](./ec2-security-group-attached-to-eni-periodic.html)
+ [ec2-spot-fleet-request-ct-encryption-at-rest](./ec2-spot-fleet-request-ct-encryption-at-rest.html)
+ [ec2-stopped-instance](./ec2-stopped-instance.html)
+ [ec2-token-hop-limit-check](./ec2-token-hop-limit-check.html)
+ [ec2-traffic-mirror-filter-description](./ec2-traffic-mirror-filter-description.html)
+ [ec2-traffic-mirror-filter-tagged](./ec2-traffic-mirror-filter-tagged.html)
+ [ec2-traffic-mirror-session-description](./ec2-traffic-mirror-session-description.html)
+ [ec2-traffic-mirror-session-tagged](./ec2-traffic-mirror-session-tagged.html)
+ [ec2-traffic-mirror-target-description](./ec2-traffic-mirror-target-description.html)
+ [ec2-traffic-mirror-target-tagged](./ec2-traffic-mirror-target-tagged.html)
+ [ec2-transit-gateway-auto-vpc-attach-disabled](./ec2-transit-gateway-auto-vpc-attach-disabled.html)
+ [ec2-transit-gateway-multicast-domain-tagged](./ec2-transit-gateway-multicast-domain-tagged.html)
+ [ec2-volume-inuse-check](./ec2-volume-inuse-check.html)
+ [ec2-vpn-connection-ike-version-check](./ec2-vpn-connection-ike-version-check.html)
+ [ec2-vpn-connection-logging-enabled](./ec2-vpn-connection-logging-enabled.html)
+ [ec2-vpn-connection-tagged](./ec2-vpn-connection-tagged.html)
+ [ecr-private-image-scanning-enabled](./ecr-private-image-scanning-enabled.html)
+ [ecr-private-lifecycle-policy-configured](./ecr-private-lifecycle-policy-configured.html)
+ [ecr-private-tag-immutability-enabled](./ecr-private-tag-immutability-enabled.html)
+ [ecr-repository-cmk-encryption-enabled](./ecr-repository-cmk-encryption-enabled.html)
+ [ecr-repository-tagged](./ecr-repository-tagged.html)
+ [ecs-awsvpc-networking-enabled](./ecs-awsvpc-networking-enabled.html)
+ [ecs-capacity-provider-tagged](./ecs-capacity-provider-tagged.html)
+ [ecs-capacity-provider-termination-check](./ecs-capacity-provider-termination-check.html)
+ [ecs-containers-nonprivileged](./ecs-containers-nonprivileged.html)
+ [ecs-containers-readonly-access](./ecs-containers-readonly-access.html)
+ [ecs-container-insights-enabled](./ecs-container-insights-enabled.html)
+ [ecs-fargate-latest-platform-version](./ecs-fargate-latest-platform-version.html)
+ [ecs-no-environment-secrets](./ecs-no-environment-secrets.html)
+ [ecs-service-propagate-tags-enabled](./ecs-service-propagate-tags-enabled.html)
+ [ecs-task-definition-efs-encryption-enabled](./ecs-task-definition-efs-encryption-enabled.html)
+ [ecs-task-definition-linux-user-non-root](./ecs-task-definition-linux-user-non-root.html)
+ [ecs-task-definition-log-configuration](./ecs-task-definition-log-configuration.html)
+ [ecs-task-definition-memory-hard-limit](./ecs-task-definition-memory-hard-limit.html)
+ [ecs-task-definition-network-mode-not-host](./ecs-task-definition-network-mode-not-host.html)
+ [ecs-task-definition-nonroot-user](./ecs-task-definition-nonroot-user.html)
+ [ecs-task-definition-pid-mode-check](./ecs-task-definition-pid-mode-check.html)
+ [ecs-task-definition-user-for-host-mode-check](./ecs-task-definition-user-for-host-mode-check.html)
+ [ecs-task-definition-windows-user-non-admin](./ecs-task-definition-windows-user-non-admin.html)
+ [efs-access-point-enforce-root-directory](./efs-access-point-enforce-root-directory.html)
+ [efs-access-point-enforce-user-identity](./efs-access-point-enforce-user-identity.html)
+ [efs-automatic-backups-enabled](./efs-automatic-backups-enabled.html)
+ [efs-encrypted-check](./efs-encrypted-check.html)
+ [efs-filesystem-ct-encrypted](./efs-filesystem-ct-encrypted.html)
+ [efs-file-system-tagged](./efs-file-system-tagged.html)
+ [efs-in-backup-plan](./efs-in-backup-plan.html)
+ [efs-last-backup-recovery-point-created](./efs-last-backup-recovery-point-created.html)
+ [efs-meets-restore-time-target](./efs-meets-restore-time-target.html)
+ [efs-mount-target-public-accessible](./efs-mount-target-public-accessible.html)
+ [efs-resources-in-logically-air-gapped-vault](./efs-resources-in-logically-air-gapped-vault.html)
+ [efs-resources-protected-by-backup-plan](./efs-resources-protected-by-backup-plan.html)
+ [eip-attached](./eip-attached.html)
+ [eks-addon-tagged](./eks-addon-tagged.html)
+ [eks-cluster-logging-enabled](./eks-cluster-logging-enabled.html)
+ [eks-cluster-log-enabled](./eks-cluster-log-enabled.html)
+ [eks-cluster-oldest-supported-version](./eks-cluster-oldest-supported-version.html)
+ [eks-cluster-secrets-encrypted](./eks-cluster-secrets-encrypted.html)
+ [eks-cluster-supported-version](./eks-cluster-supported-version.html)
+ [eks-endpoint-no-public-access](./eks-endpoint-no-public-access.html)
+ [eks-fargate-profile-tagged](./eks-fargate-profile-tagged.html)
+ [eks-nodegroup-supported-version-check](./eks-nodegroup-supported-version-check.html)
+ [eks-secrets-encrypted](./eks-secrets-encrypted.html)
+ [elasticache-automatic-backup-check-enabled](./elasticache-automatic-backup-check-enabled.html)
+ [elasticache-auto-minor-version-upgrade-check](./elasticache-auto-minor-version-upgrade-check.html)
+ [elasticache-rbac-auth-enabled](./elasticache-rbac-auth-enabled.html)
+ [elasticache-redis-cluster-automatic-backup-check](./elasticache-redis-cluster-automatic-backup-check.html)
+ [elasticache-repl-grp-auto-failover-enabled](./elasticache-repl-grp-auto-failover-enabled.html)
+ [elasticache-repl-grp-encrypted-at-rest](./elasticache-repl-grp-encrypted-at-rest.html)
+ [elasticache-repl-grp-encrypted-in-transit](./elasticache-repl-grp-encrypted-in-transit.html)
+ [elasticache-repl-grp-redis-auth-enabled](./elasticache-repl-grp-redis-auth-enabled.html)
+ [elasticache-subnet-group-check](./elasticache-subnet-group-check.html)
+ [elasticache-supported-engine-version](./elasticache-supported-engine-version.html)
+ [elasticbeanstalk-application-description](./elasticbeanstalk-application-description.html)
+ [elasticbeanstalk-application-version-description](./elasticbeanstalk-application-version-description.html)
+ [elasticbeanstalk-environment-description](./elasticbeanstalk-environment-description.html)
+ [elasticsearch-encrypted-at-rest](./elasticsearch-encrypted-at-rest.html)
+ [elasticsearch-in-vpc-only](./elasticsearch-in-vpc-only.html)
+ [elasticsearch-logs-to-cloudwatch](./elasticsearch-logs-to-cloudwatch.html)
+ [elasticsearch-node-to-node-encryption-check](./elasticsearch-node-to-node-encryption-check.html)
+ [elastic-beanstalk-logs-to-cloudwatch](./elastic-beanstalk-logs-to-cloudwatch.html)
+ [elastic-beanstalk-managed-updates-enabled](./elastic-beanstalk-managed-updates-enabled.html)
+ [elbv2-acm-certificate-required](./elbv2-acm-certificate-required.html)
+ [elbv2-listener-encryption-in-transit](./elbv2-listener-encryption-in-transit.html)
+ [elbv2-multiple-az](./elbv2-multiple-az.html)
+ [elbv2-predefined-security-policy-ssl-check](./elbv2-predefined-security-policy-ssl-check.html)
+ [elbv2-targetgroup-healthcheck-protocol-encrypted](./elbv2-targetgroup-healthcheck-protocol-encrypted.html)
+ [elbv2-targetgroup-protocol-encrypted](./elbv2-targetgroup-protocol-encrypted.html)
+ [elb-acm-certificate-required](./elb-acm-certificate-required.html)
+ [elb-cross-zone-load-balancing-enabled](./elb-cross-zone-load-balancing-enabled.html)
+ [elb-custom-security-policy-ssl-check](./elb-custom-security-policy-ssl-check.html)
+ [elb-deletion-protection-enabled](./elb-deletion-protection-enabled.html)
+ [elb-internal-scheme-check](./elb-internal-scheme-check.html)
+ [elb-logging-enabled](./elb-logging-enabled.html)
+ [elb-predefined-security-policy-ssl-check](./elb-predefined-security-policy-ssl-check.html)
+ [elb-tagged](./elb-tagged.html)
+ [elb-tls-https-listeners-only](./elb-tls-https-listeners-only.html)
+ [emr-block-public-access](./emr-block-public-access.html)
+ [emr-kerberos-enabled](./emr-kerberos-enabled.html)
+ [emr-master-no-public-ip](./emr-master-no-public-ip.html)
+ [emr-security-configuration-encryption-rest](./emr-security-configuration-encryption-rest.html)
+ [emr-security-configuration-encryption-transit](./emr-security-configuration-encryption-transit.html)
+ [encrypted-volumes](./encrypted-volumes.html)
+ [eventschemas-discoverer-tagged](./eventschemas-discoverer-tagged.html)
+ [eventschemas-registry-tagged](./eventschemas-registry-tagged.html)
+ [event-data-store-cmk-encryption-enabled](./event-data-store-cmk-encryption-enabled.html)
+ [evidently-launch-description](./evidently-launch-description.html)
+ [evidently-launch-tagged](./evidently-launch-tagged.html)
+ [evidently-project-description](./evidently-project-description.html)
+ [evidently-project-tagged](./evidently-project-tagged.html)
+ [evidently-segment-description](./evidently-segment-description.html)
+ [evidently-segment-tagged](./evidently-segment-tagged.html)
+ [fis-experiment-template-log-configuration-exists](./fis-experiment-template-log-configuration-exists.html)
+ [fis-experiment-template-tagged](./fis-experiment-template-tagged.html)
+ [fms-shield-resource-policy-check](./fms-shield-resource-policy-check.html)
+ [fms-webacl-resource-policy-check](./fms-webacl-resource-policy-check.html)
+ [fms-webacl-rulegroup-association-check](./fms-webacl-rulegroup-association-check.html)
+ [frauddetector-entity-type-tagged](./frauddetector-entity-type-tagged.html)
+ [frauddetector-label-tagged](./frauddetector-label-tagged.html)
+ [frauddetector-outcome-tagged](./frauddetector-outcome-tagged.html)
+ [frauddetector-variable-tagged](./frauddetector-variable-tagged.html)
+ [fsx-last-backup-recovery-point-created](./fsx-last-backup-recovery-point-created.html)
+ [fsx-lustre-copy-tags-to-backups](./fsx-lustre-copy-tags-to-backups.html)
+ [fsx-meets-restore-time-target](./fsx-meets-restore-time-target.html)
+ [fsx-ontap-deployment-type-check](./fsx-ontap-deployment-type-check.html)
+ [fsx-openzfs-copy-tags-enabled](./fsx-openzfs-copy-tags-enabled.html)
+ [fsx-openzfs-deployment-type-check](./fsx-openzfs-deployment-type-check.html)
+ [fsx-resources-protected-by-backup-plan](./fsx-resources-protected-by-backup-plan.html)
+ [fsx-windows-audit-log-configured](./fsx-windows-audit-log-configured.html)
+ [fsx-windows-deployment-type-check](./fsx-windows-deployment-type-check.html)
+ [glb-listener-tagged](./glb-listener-tagged.html)
+ [glb-tagged](./glb-tagged.html)
+ [global-endpoint-event-replication-enabled](./global-endpoint-event-replication-enabled.html)
+ [glue-job-logging-enabled](./glue-job-logging-enabled.html)
+ [glue-ml-transform-encrypted-at-rest](./glue-ml-transform-encrypted-at-rest.html)
+ [glue-ml-transform-tagged](./glue-ml-transform-tagged.html)
+ [glue-spark-job-supported-version](./glue-spark-job-supported-version.html)
+ [groundstation-config-tagged](./groundstation-config-tagged.html)
+ [groundstation-dataflowendpointgroup-tagged](./groundstation-dataflowendpointgroup-tagged.html)
+ [groundstation-missionprofile-tagged](./groundstation-missionprofile-tagged.html)
+ [guardduty-ec2-protection-runtime-enabled](./guardduty-ec2-protection-runtime-enabled.html)
+ [guardduty-ecs-protection-runtime-enabled](./guardduty-ecs-protection-runtime-enabled.html)
+ [guardduty-eks-protection-audit-enabled](./guardduty-eks-protection-audit-enabled.html)
+ [guardduty-eks-protection-runtime-enabled](./guardduty-eks-protection-runtime-enabled.html)
+ [guardduty-enabled-centralized](./guardduty-enabled-centralized.html)
+ [guardduty-lambda-protection-enabled](./guardduty-lambda-protection-enabled.html)
+ [guardduty-malware-protection-enabled](./guardduty-malware-protection-enabled.html)
+ [guardduty-non-archived-findings](./guardduty-non-archived-findings.html)
+ [guardduty-rds-protection-enabled](./guardduty-rds-protection-enabled.html)
+ [guardduty-runtime-monitoring-enabled](./guardduty-runtime-monitoring-enabled.html)
+ [guardduty-s3-protection-enabled](./guardduty-s3-protection-enabled.html)
+ [healthlake-fhirdatastore-tagged](./healthlake-fhirdatastore-tagged.html)
+ [iam-customer-policy-blocked-kms-actions](./iam-customer-policy-blocked-kms-actions.html)
+ [iam-external-access-analyzer-enabled](./iam-external-access-analyzer-enabled.html)
+ [iam-group-has-users-check](./iam-group-has-users-check.html)
+ [iam-inline-policy-blocked-kms-actions](./iam-inline-policy-blocked-kms-actions.html)
+ [iam-no-inline-policy-check](./iam-no-inline-policy-check.html)
+ [iam-password-policy](./iam-password-policy.html)
+ [iam-policy-blacklisted-check](./iam-policy-blacklisted-check.html)
+ [iam-policy-description](./iam-policy-description.html)
+ [iam-policy-in-use](./iam-policy-in-use.html)
+ [iam-policy-no-statements-with-admin-access](./iam-policy-no-statements-with-admin-access.html)
+ [iam-policy-no-statements-with-full-access](./iam-policy-no-statements-with-full-access.html)
+ [iam-role-managed-policy-check](./iam-role-managed-policy-check.html)
+ [iam-root-access-key-check](./iam-root-access-key-check.html)
+ [iam-user-group-membership-check](./iam-user-group-membership-check.html)
+ [iam-user-mfa-enabled](./iam-user-mfa-enabled.html)
+ [iam-user-no-policies-check](./iam-user-no-policies-check.html)
+ [iam-user-unused-credentials-check](./iam-user-unused-credentials-check.html)
+ [imagebuilder-distributionconfiguration-tagged](./imagebuilder-distributionconfiguration-tagged.html)
+ [imagebuilder-imagepipeline-tagged](./imagebuilder-imagepipeline-tagged.html)
+ [imagebuilder-imagerecipe-ebs-volumes-encrypted](./imagebuilder-imagerecipe-ebs-volumes-encrypted.html)
+ [imagebuilder-imagerecipe-tagged](./imagebuilder-imagerecipe-tagged.html)
+ [imagebuilder-infrastructureconfiguration-tagged](./imagebuilder-infrastructureconfiguration-tagged.html)
+ [incoming-ssh-disabled](./incoming-ssh-disabled.html)
+ [inspector-ec2-scan-enabled](./inspector-ec2-scan-enabled.html)
+ [inspector-ecr-scan-enabled](./inspector-ecr-scan-enabled.html)
+ [inspector-lambda-code-scan-enabled](./inspector-lambda-code-scan-enabled.html)
+ [inspector-lambda-standard-scan-enabled](./inspector-lambda-standard-scan-enabled.html)
+ [instances-in-vpc](./instances-in-vpc.html)
+ [internet-gateway-authorized-vpc-only](./internet-gateway-authorized-vpc-only.html)
+ [iotdevicedefender-custom-metric-tagged](./iotdevicedefender-custom-metric-tagged.html)
+ [iotevents-alarm-model-tagged](./iotevents-alarm-model-tagged.html)
+ [iotevents-detector-model-tagged](./iotevents-detector-model-tagged.html)
+ [iotevents-input-tagged](./iotevents-input-tagged.html)
+ [iotsitewise-asset-model-tagged](./iotsitewise-asset-model-tagged.html)
+ [iotsitewise-dashboard-tagged](./iotsitewise-dashboard-tagged.html)
+ [iotsitewise-gateway-tagged](./iotsitewise-gateway-tagged.html)
+ [iotsitewise-portal-tagged](./iotsitewise-portal-tagged.html)
+ [iotsitewise-project-tagged](./iotsitewise-project-tagged.html)
+ [iottwinmaker-component-type-tagged](./iottwinmaker-component-type-tagged.html)
+ [iottwinmaker-entity-tagged](./iottwinmaker-entity-tagged.html)
+ [iottwinmaker-scene-tagged](./iottwinmaker-scene-tagged.html)
+ [iottwinmaker-sync-job-tagged](./iottwinmaker-sync-job-tagged.html)
+ [iottwinmaker-workspace-tagged](./iottwinmaker-workspace-tagged.html)
+ [iotwireless-fuota-task-tagged](./iotwireless-fuota-task-tagged.html)
+ [iotwireless-multicast-group-tagged](./iotwireless-multicast-group-tagged.html)
+ [iotwireless-service-profile-tagged](./iotwireless-service-profile-tagged.html)
+ [iot-authorizer-token-signing-enabled](./iot-authorizer-token-signing-enabled.html)
+ [iot-job-template-tagged](./iot-job-template-tagged.html)
+ [iot-provisioning-template-description](./iot-provisioning-template-description.html)
+ [iot-provisioning-template-jitp](./iot-provisioning-template-jitp.html)
+ [iot-provisioning-template-tagged](./iot-provisioning-template-tagged.html)
+ [iot-scheduled-audit-tagged](./iot-scheduled-audit-tagged.html)
+ [ivs-channel-playback-authorization-enabled](./ivs-channel-playback-authorization-enabled.html)
+ [ivs-channel-tagged](./ivs-channel-tagged.html)
+ [ivs-playback-key-pair-tagged](./ivs-playback-key-pair-tagged.html)
+ [ivs-recording-configuration-tagged](./ivs-recording-configuration-tagged.html)
+ [kendra-index-tagged](./kendra-index-tagged.html)
+ [kinesisvideo-signalingchannel-tagged](./kinesisvideo-signalingchannel-tagged.html)
+ [kinesisvideo-stream-tagged](./kinesisvideo-stream-tagged.html)
+ [kinesis-firehose-delivery-stream-encrypted](./kinesis-firehose-delivery-stream-encrypted.html)
+ [kinesis-stream-backup-retention-check](./kinesis-stream-backup-retention-check.html)
+ [kinesis-stream-encrypted](./kinesis-stream-encrypted.html)
+ [kinesis-video-stream-minimum-data-retention](./kinesis-video-stream-minimum-data-retention.html)
+ [kms-cmk-not-scheduled-for-deletion](./kms-cmk-not-scheduled-for-deletion.html)
+ [kms-key-policy-no-public-access](./kms-key-policy-no-public-access.html)
+ [kms-key-tagged](./kms-key-tagged.html)
+ [lambda-concurrency-check](./lambda-concurrency-check.html)
+ [lambda-dlq-check](./lambda-dlq-check.html)
+ [lambda-function-application-log-level-check](./lambda-function-application-log-level-check.html)
+ [lambda-function-description](./lambda-function-description.html)
+ [lambda-function-log-format-json](./lambda-function-log-format-json.html)
+ [lambda-function-public-access-prohibited](./lambda-function-public-access-prohibited.html)
+ [lambda-function-settings-check](./lambda-function-settings-check.html)
+ [lambda-function-system-log-level-check](./lambda-function-system-log-level-check.html)
+ [lambda-function-xray-enabled](./lambda-function-xray-enabled.html)
+ [lambda-inside-vpc](./lambda-inside-vpc.html)
+ [lambda-vpc-multi-az-check](./lambda-vpc-multi-az-check.html)
+ [lightsail-bucket-allow-public-overrides-disabled](./lightsail-bucket-allow-public-overrides-disabled.html)
+ [lightsail-bucket-object-versioning-enabled](./lightsail-bucket-object-versioning-enabled.html)
+ [lightsail-bucket-tagged](./lightsail-bucket-tagged.html)
+ [lightsail-certificate-tagged](./lightsail-certificate-tagged.html)
+ [lightsail-disk-tagged](./lightsail-disk-tagged.html)
+ [macie-auto-sensitive-data-discovery-check](./macie-auto-sensitive-data-discovery-check.html)
+ [macie-status-check](./macie-status-check.html)
+ [mariadb-publish-logs-to-cloudwatch-logs](./mariadb-publish-logs-to-cloudwatch-logs.html)
+ [mediapackage-packagingconfiguration-tagged](./mediapackage-packagingconfiguration-tagged.html)
+ [mediatailor-playbackconfiguration-tagged](./mediatailor-playbackconfiguration-tagged.html)
+ [memorydb-subnetgroup-tagged](./memorydb-subnetgroup-tagged.html)
+ [mfa-enabled-for-iam-console-access](./mfa-enabled-for-iam-console-access.html)
+ [mq-active-broker-ldap-authentication](./mq-active-broker-ldap-authentication.html)
+ [mq-active-deployment-mode](./mq-active-deployment-mode.html)
+ [mq-active-single-instance-broker-storage-type-efs](./mq-active-single-instance-broker-storage-type-efs.html)
+ [mq-automatic-minor-version-upgrade-enabled](./mq-automatic-minor-version-upgrade-enabled.html)
+ [mq-auto-minor-version-upgrade-enabled](./mq-auto-minor-version-upgrade-enabled.html)
+ [mq-broker-general-logging-enabled](./mq-broker-general-logging-enabled.html)
+ [mq-cloudwatch-audit-logging-enabled](./mq-cloudwatch-audit-logging-enabled.html)
+ [mq-cloudwatch-audit-log-enabled](./mq-cloudwatch-audit-log-enabled.html)
+ [mq-no-public-access](./mq-no-public-access.html)
+ [mq-rabbit-deployment-mode](./mq-rabbit-deployment-mode.html)
+ [msk-cluster-public-access-disabled](./msk-cluster-public-access-disabled.html)
+ [msk-cluster-tagged](./msk-cluster-tagged.html)
+ [msk-connect-connector-logging-enabled](./msk-connect-connector-logging-enabled.html)
+ [msk-enhanced-monitoring-enabled](./msk-enhanced-monitoring-enabled.html)
+ [msk-in-cluster-node-require-tls](./msk-in-cluster-node-require-tls.html)
+ [msk-unrestricted-access-check](./msk-unrestricted-access-check.html)
+ [multi-region-cloud-trail-enabled](./multi-region-cloud-trail-enabled.html)
+ [nacl-no-unrestricted-ssh-rdp](./nacl-no-unrestricted-ssh-rdp.html)
+ [neptune-cluster-backup-retention-check](./neptune-cluster-backup-retention-check.html)
+ [neptune-cluster-cloudwatch-log-export-enabled](./neptune-cluster-cloudwatch-log-export-enabled.html)
+ [neptune-cluster-copy-tags-to-snapshot-enabled](./neptune-cluster-copy-tags-to-snapshot-enabled.html)
+ [neptune-cluster-deletion-protection-enabled](./neptune-cluster-deletion-protection-enabled.html)
+ [neptune-cluster-encrypted](./neptune-cluster-encrypted.html)
+ [neptune-cluster-iam-database-authentication](./neptune-cluster-iam-database-authentication.html)
+ [neptune-cluster-multi-az-enabled](./neptune-cluster-multi-az-enabled.html)
+ [neptune-cluster-snapshot-encrypted](./neptune-cluster-snapshot-encrypted.html)
+ [neptune-cluster-snapshot-iam-database-auth-enabled](./neptune-cluster-snapshot-iam-database-auth-enabled.html)
+ [neptune-cluster-snapshot-public-prohibited](./neptune-cluster-snapshot-public-prohibited.html)
+ [netfw-deletion-protection-enabled](./netfw-deletion-protection-enabled.html)
+ [netfw-logging-enabled](./netfw-logging-enabled.html)
+ [netfw-multi-az-enabled](./netfw-multi-az-enabled.html)
+ [netfw-policy-default-action-fragment-packets](./netfw-policy-default-action-fragment-packets.html)
+ [netfw-policy-default-action-full-packets](./netfw-policy-default-action-full-packets.html)
+ [netfw-policy-rule-group-associated](./netfw-policy-rule-group-associated.html)
+ [netfw-stateless-rule-group-not-empty](./netfw-stateless-rule-group-not-empty.html)
+ [netfw-subnet-change-protection-enabled](./netfw-subnet-change-protection-enabled.html)
+ [nlb-cross-zone-load-balancing-enabled](./nlb-cross-zone-load-balancing-enabled.html)
+ [nlb-internal-scheme-check](./nlb-internal-scheme-check.html)
+ [nlb-listener-tagged](./nlb-listener-tagged.html)
+ [nlb-logging-enabled](./nlb-logging-enabled.html)
+ [nlb-tagged](./nlb-tagged.html)
+ [no-unrestricted-route-to-igw](./no-unrestricted-route-to-igw.html)
+ [opensearchserverless-collection-description](./opensearchserverless-collection-description.html)
+ [opensearchserverless-collection-standbyreplicas-enabled](./opensearchserverless-collection-standbyreplicas-enabled.html)
+ [opensearch-access-control-enabled](./opensearch-access-control-enabled.html)
+ [opensearch-audit-logging-enabled](./opensearch-audit-logging-enabled.html)
+ [opensearch-data-node-fault-tolerance](./opensearch-data-node-fault-tolerance.html)
+ [opensearch-encrypted-at-rest](./opensearch-encrypted-at-rest.html)
+ [opensearch-https-required](./opensearch-https-required.html)
+ [opensearch-in-vpc-only](./opensearch-in-vpc-only.html)
+ [opensearch-logs-to-cloudwatch](./opensearch-logs-to-cloudwatch.html)
+ [opensearch-node-to-node-encryption-check](./opensearch-node-to-node-encryption-check.html)
+ [opensearch-primary-node-fault-tolerance](./opensearch-primary-node-fault-tolerance.html)
+ [opensearch-update-check](./opensearch-update-check.html)
+ [panorama-package-tagged](./panorama-package-tagged.html)
+ [rabbit-mq-supported-version](./rabbit-mq-supported-version.html)
+ [rds-aurora-mysql-audit-logging-enabled](./rds-aurora-mysql-audit-logging-enabled.html)
+ [rds-aurora-postgresql-logs-to-cloudwatch](./rds-aurora-postgresql-logs-to-cloudwatch.html)
+ [rds-automatic-minor-version-upgrade-enabled](./rds-automatic-minor-version-upgrade-enabled.html)
+ [rds-cluster-auto-minor-version-upgrade-enable](./rds-cluster-auto-minor-version-upgrade-enable.html)
+ [rds-cluster-backup-retention-check](./rds-cluster-backup-retention-check.html)
+ [rds-cluster-default-admin-check](./rds-cluster-default-admin-check.html)
+ [rds-cluster-deletion-protection-enabled](./rds-cluster-deletion-protection-enabled.html)
+ [rds-cluster-encrypted-at-rest](./rds-cluster-encrypted-at-rest.html)
+ [rds-cluster-iam-authentication-enabled](./rds-cluster-iam-authentication-enabled.html)
+ [rds-cluster-multi-az-enabled](./rds-cluster-multi-az-enabled.html)
+ [rds-db-security-group-not-allowed](./rds-db-security-group-not-allowed.html)
+ [rds-enhanced-monitoring-enabled](./rds-enhanced-monitoring-enabled.html)
+ [rds-event-subscription-tagged](./rds-event-subscription-tagged.html)
+ [rds-global-cluster-aurora-mysql-supported-version](./rds-global-cluster-aurora-mysql-supported-version.html)
+ [rds-instance-default-admin-check](./rds-instance-default-admin-check.html)
+ [rds-instance-deletion-protection-enabled](./rds-instance-deletion-protection-enabled.html)
+ [rds-instance-iam-authentication-enabled](./rds-instance-iam-authentication-enabled.html)
+ [rds-instance-public-access-check](./rds-instance-public-access-check.html)
+ [rds-instance-subnet-igw-check](./rds-instance-subnet-igw-check.html)
+ [rds-in-backup-plan](./rds-in-backup-plan.html)
+ [rds-last-backup-recovery-point-created](./rds-last-backup-recovery-point-created.html)
+ [rds-logging-enabled](./rds-logging-enabled.html)
+ [rds-mariadb-instance-encrypted-in-transit](./rds-mariadb-instance-encrypted-in-transit.html)
+ [rds-meets-restore-time-target](./rds-meets-restore-time-target.html)
+ [rds-multi-az-support](./rds-multi-az-support.html)
+ [rds-mysql-cluster-copy-tags-to-snapshot-check](./rds-mysql-cluster-copy-tags-to-snapshot-check.html)
+ [rds-mysql-instance-encrypted-in-transit](./rds-mysql-instance-encrypted-in-transit.html)
+ [rds-option-group-tagged](./rds-option-group-tagged.html)
+ [rds-pgsql-cluster-copy-tags-to-snapshot-check](./rds-pgsql-cluster-copy-tags-to-snapshot-check.html)
+ [rds-postgresql-logs-to-cloudwatch](./rds-postgresql-logs-to-cloudwatch.html)
+ [rds-postgres-instance-encrypted-in-transit](./rds-postgres-instance-encrypted-in-transit.html)
+ [rds-proxy-tls-encryption](./rds-proxy-tls-encryption.html)
+ [rds-resources-protected-by-backup-plan](./rds-resources-protected-by-backup-plan.html)
+ [rds-snapshots-public-prohibited](./rds-snapshots-public-prohibited.html)
+ [rds-snapshot-encrypted](./rds-snapshot-encrypted.html)
+ [rds-sqlserver-encrypted-in-transit](./rds-sqlserver-encrypted-in-transit.html)
+ [rds-sql-server-logs-to-cloudwatch](./rds-sql-server-logs-to-cloudwatch.html)
+ [rds-storage-encrypted](./rds-storage-encrypted.html)
+ [redshift-audit-logging-enabled](./redshift-audit-logging-enabled.html)
+ [redshift-backup-enabled](./redshift-backup-enabled.html)
+ [redshift-cluster-configuration-check](./redshift-cluster-configuration-check.html)
+ [redshift-cluster-kms-enabled](./redshift-cluster-kms-enabled.html)
+ [redshift-cluster-maintenancesettings-check](./redshift-cluster-maintenancesettings-check.html)
+ [redshift-cluster-multi-az-enabled](./redshift-cluster-multi-az-enabled.html)
+ [redshift-cluster-parameter-group-tagged](./redshift-cluster-parameter-group-tagged.html)
+ [redshift-cluster-public-access-check](./redshift-cluster-public-access-check.html)
+ [redshift-cluster-subnet-group-multi-az](./redshift-cluster-subnet-group-multi-az.html)
+ [redshift-default-admin-check](./redshift-default-admin-check.html)
+ [redshift-default-db-name-check](./redshift-default-db-name-check.html)
+ [redshift-enhanced-vpc-routing-enabled](./redshift-enhanced-vpc-routing-enabled.html)
+ [redshift-require-tls-ssl](./redshift-require-tls-ssl.html)
+ [redshift-serverless-default-admin-check](./redshift-serverless-default-admin-check.html)
+ [redshift-serverless-default-db-name-check](./redshift-serverless-default-db-name-check.html)
+ [redshift-serverless-namespace-cmk-encryption](./redshift-serverless-namespace-cmk-encryption.html)
+ [redshift-serverless-publish-logs-to-cloudwatch](./redshift-serverless-publish-logs-to-cloudwatch.html)
+ [redshift-serverless-workgroup-encrypted-in-transit](./redshift-serverless-workgroup-encrypted-in-transit.html)
+ [redshift-serverless-workgroup-no-public-access](./redshift-serverless-workgroup-no-public-access.html)
+ [redshift-serverless-workgroup-routes-within-vpc](./redshift-serverless-workgroup-routes-within-vpc.html)
+ [redshift-unrestricted-port-access](./redshift-unrestricted-port-access.html)
+ [required-tags](./required-tags.html)
+ [resiliencehub-app-tagged](./resiliencehub-app-tagged.html)
+ [resiliencehub-resiliencypolicy-tagged](./resiliencehub-resiliencypolicy-tagged.html)
+ [restricted-incoming-traffic](./restricted-incoming-traffic.html)
+ [root-account-hardware-mfa-enabled](./root-account-hardware-mfa-enabled.html)
+ [root-account-mfa-enabled](./root-account-mfa-enabled.html)
+ [route53-recovery-control-cluster-tagged](./route53-recovery-control-cluster-tagged.html)
+ [route53-recovery-readiness-cell-tagged](./route53-recovery-readiness-cell-tagged.html)
+ [route53-recovery-readiness-readiness-check-tagged](./route53-recovery-readiness-readiness-check-tagged.html)
+ [route53-recovery-readiness-recovery-group-tagged](./route53-recovery-readiness-recovery-group-tagged.html)
+ [route53-recovery-readiness-resource-set-tagged](./route53-recovery-readiness-resource-set-tagged.html)
+ [route53-resolver-firewall-domain-list-tagged](./route53-resolver-firewall-domain-list-tagged.html)
+ [route53-resolver-firewall-rule-group-association-tagged](./route53-resolver-firewall-rule-group-association-tagged.html)
+ [route53-resolver-firewall-rule-group-tagged](./route53-resolver-firewall-rule-group-tagged.html)
+ [route53-resolver-resolver-endpoint-tagged](./route53-resolver-resolver-endpoint-tagged.html)
+ [route53-resolver-resolver-rule-tagged](./route53-resolver-resolver-rule-tagged.html)
+ [rum-app-monitor-cloudwatch-logs-enabled](./rum-app-monitor-cloudwatch-logs-enabled.html)
+ [rum-app-monitor-tagged](./rum-app-monitor-tagged.html)
+ [s3express-dir-bucket-lifecycle-rules-check](./s3express-dir-bucket-lifecycle-rules-check.html)
+ [s3-access-point-in-vpc-only](./s3-access-point-in-vpc-only.html)
+ [s3-access-point-public-access-blocks](./s3-access-point-public-access-blocks.html)
+ [s3-account-level-public-access-blocks](./s3-account-level-public-access-blocks.html)
+ [s3-account-level-public-access-blocks-periodic](./s3-account-level-public-access-blocks-periodic.html)
+ [s3-bucket-acl-prohibited](./s3-bucket-acl-prohibited.html)
+ [s3-bucket-blacklisted-actions-prohibited](./s3-bucket-blacklisted-actions-prohibited.html)
+ [s3-bucket-cross-region-replication-enabled](./s3-bucket-cross-region-replication-enabled.html)
+ [s3-bucket-default-lock-enabled](./s3-bucket-default-lock-enabled.html)
+ [s3-bucket-level-public-access-prohibited](./s3-bucket-level-public-access-prohibited.html)
+ [s3-bucket-logging-enabled](./s3-bucket-logging-enabled.html)
+ [s3-bucket-mfa-delete-enabled](./s3-bucket-mfa-delete-enabled.html)
+ [s3-bucket-policy-grantee-check](./s3-bucket-policy-grantee-check.html)
+ [s3-bucket-policy-not-more-permissive](./s3-bucket-policy-not-more-permissive.html)
+ [s3-bucket-public-read-prohibited](./s3-bucket-public-read-prohibited.html)
+ [s3-bucket-public-write-prohibited](./s3-bucket-public-write-prohibited.html)
+ [s3-bucket-replication-enabled](./s3-bucket-replication-enabled.html)
+ [s3-bucket-server-side-encryption-enabled](./s3-bucket-server-side-encryption-enabled.html)
+ [s3-bucket-ssl-requests-only](./s3-bucket-ssl-requests-only.html)
+ [s3-bucket-tagged](./s3-bucket-tagged.html)
+ [s3-bucket-versioning-enabled](./s3-bucket-versioning-enabled.html)
+ [s3-default-encryption-kms](./s3-default-encryption-kms.html)
+ [s3-directory-bucket-lifecycle-policy-rule-check](./s3-directory-bucket-lifecycle-policy-rule-check.html)
+ [s3-event-notifications-enabled](./s3-event-notifications-enabled.html)
+ [s3-last-backup-recovery-point-created](./s3-last-backup-recovery-point-created.html)
+ [s3-lifecycle-policy-check](./s3-lifecycle-policy-check.html)
+ [s3-meets-restore-time-target](./s3-meets-restore-time-target.html)
+ [s3-resources-in-logically-air-gapped-vault](./s3-resources-in-logically-air-gapped-vault.html)
+ [s3-resources-protected-by-backup-plan](./s3-resources-protected-by-backup-plan.html)
+ [s3-version-lifecycle-policy-check](./s3-version-lifecycle-policy-check.html)
+ [sagemaker-app-image-config-tagged](./sagemaker-app-image-config-tagged.html)
+ [sagemaker-data-quality-job-encrypt-in-transit](./sagemaker-data-quality-job-encrypt-in-transit.html)
+ [sagemaker-data-quality-job-isolation](./sagemaker-data-quality-job-isolation.html)
+ [sagemaker-domain-in-vpc](./sagemaker-domain-in-vpc.html)
+ [sagemaker-domain-tagged](./sagemaker-domain-tagged.html)
+ [sagemaker-endpoint-configuration-kms-key-configured](./sagemaker-endpoint-configuration-kms-key-configured.html)
+ [sagemaker-endpoint-config-prod-instance-count](./sagemaker-endpoint-config-prod-instance-count.html)
+ [sagemaker-featuregroup-description](./sagemaker-featuregroup-description.html)
+ [sagemaker-featuregroup-encryption-at-rest](./sagemaker-featuregroup-encryption-at-rest.html)
+ [sagemaker-feature-group-tagged](./sagemaker-feature-group-tagged.html)
+ [sagemaker-image-description](./sagemaker-image-description.html)
+ [sagemaker-image-tagged](./sagemaker-image-tagged.html)
+ [sagemaker-inferenceexperiment-tagged](./sagemaker-inferenceexperiment-tagged.html)
+ [sagemaker-model-bias-job-encrypt-in-transit](./sagemaker-model-bias-job-encrypt-in-transit.html)
+ [sagemaker-model-bias-job-isolation](./sagemaker-model-bias-job-isolation.html)
+ [sagemaker-model-explainability-job-encrypt-in-transit](./sagemaker-model-explainability-job-encrypt-in-transit.html)
+ [sagemaker-model-in-vpc](./sagemaker-model-in-vpc.html)
+ [sagemaker-model-isolation-enabled](./sagemaker-model-isolation-enabled.html)
+ [sagemaker-model-private-registry-required](./sagemaker-model-private-registry-required.html)
+ [sagemaker-model-quality-job-encrypt-in-transit](./sagemaker-model-quality-job-encrypt-in-transit.html)
+ [sagemaker-monitoring-schedule-isolation](./sagemaker-monitoring-schedule-isolation.html)
+ [sagemaker-notebook-instance-inside-vpc](./sagemaker-notebook-instance-inside-vpc.html)
+ [sagemaker-notebook-instance-kms-key-configured](./sagemaker-notebook-instance-kms-key-configured.html)
+ [sagemaker-notebook-instance-platform-version](./sagemaker-notebook-instance-platform-version.html)
+ [sagemaker-notebook-instance-root-access-check](./sagemaker-notebook-instance-root-access-check.html)
+ [sagemaker-notebook-no-direct-internet-access](./sagemaker-notebook-no-direct-internet-access.html)
+ [secretsmanager-rotation-enabled-check](./secretsmanager-rotation-enabled-check.html)
+ [secretsmanager-scheduled-rotation-success-check](./secretsmanager-scheduled-rotation-success-check.html)
+ [secretsmanager-secret-periodic-rotation](./secretsmanager-secret-periodic-rotation.html)
+ [secretsmanager-secret-unused](./secretsmanager-secret-unused.html)
+ [secretsmanager-using-cmk](./secretsmanager-using-cmk.html)
+ [securityhub-enabled](./securityhub-enabled.html)
+ [security-account-information-provided](./security-account-information-provided.html)
+ [service-catalog-portfolio-tagged](./service-catalog-portfolio-tagged.html)
+ [service-catalog-shared-within-organization](./service-catalog-shared-within-organization.html)
+ [service-vpc-endpoint-enabled](./service-vpc-endpoint-enabled.html)
+ [ses-malware-scanning-enabled](./ses-malware-scanning-enabled.html)
+ [ses-sending-tls-required](./ses-sending-tls-required.html)
+ [signer-signingprofile-tagged](./signer-signingprofile-tagged.html)
+ [sns-encrypted-kms](./sns-encrypted-kms.html)
+ [sns-topic-message-delivery-notification-enabled](./sns-topic-message-delivery-notification-enabled.html)
+ [sns-topic-no-public-access](./sns-topic-no-public-access.html)
+ [sqs-queue-dlq-check](./sqs-queue-dlq-check.html)
+ [sqs-queue-no-public-access](./sqs-queue-no-public-access.html)
+ [sqs-queue-policy-full-access-check](./sqs-queue-policy-full-access-check.html)
+ [ssm-automation-block-public-sharing](./ssm-automation-block-public-sharing.html)
+ [ssm-automation-logging-enabled](./ssm-automation-logging-enabled.html)
+ [ssm-document-not-public](./ssm-document-not-public.html)
+ [ssm-document-tagged](./ssm-document-tagged.html)
+ [stepfunctions-state-machine-tagged](./stepfunctions-state-machine-tagged.html)
+ [step-functions-state-machine-logging-enabled](./step-functions-state-machine-logging-enabled.html)
+ [storagegateway-last-backup-recovery-point-created](./storagegateway-last-backup-recovery-point-created.html)
+ [storagegateway-resources-in-logically-air-gapped-vault](./storagegateway-resources-in-logically-air-gapped-vault.html)
+ [storagegateway-resources-protected-by-backup-plan](./storagegateway-resources-protected-by-backup-plan.html)
+ [subnet-auto-assign-public-ip-disabled](./subnet-auto-assign-public-ip-disabled.html)
+ [transfer-agreement-description](./transfer-agreement-description.html)
+ [transfer-agreement-tagged](./transfer-agreement-tagged.html)
+ [transfer-certificate-description](./transfer-certificate-description.html)
+ [transfer-certificate-tagged](./transfer-certificate-tagged.html)
+ [transfer-connector-as2-encryption-algorithm-check](./transfer-connector-as2-encryption-algorithm-check.html)
+ [transfer-connector-as2-mdn-signing-algorithm-check](./transfer-connector-as2-mdn-signing-algorithm-check.html)
+ [transfer-connector-as2-signing-algorithm-check](./transfer-connector-as2-signing-algorithm-check.html)
+ [transfer-connector-logging-enabled](./transfer-connector-logging-enabled.html)
+ [transfer-connector-tagged](./transfer-connector-tagged.html)
+ [transfer-family-server-no-ftp](./transfer-family-server-no-ftp.html)
+ [transfer-profile-tagged](./transfer-profile-tagged.html)
+ [transfer-workflow-description](./transfer-workflow-description.html)
+ [transfer-workflow-tagged](./transfer-workflow-tagged.html)
+ [virtualmachine-last-backup-recovery-point-created](./virtualmachine-last-backup-recovery-point-created.html)
+ [virtualmachine-resources-in-logically-air-gapped-vault](./virtualmachine-resources-in-logically-air-gapped-vault.html)
+ [virtualmachine-resources-protected-by-backup-plan](./virtualmachine-resources-protected-by-backup-plan.html)
+ [vpc-default-security-group-closed](./vpc-default-security-group-closed.html)
+ [vpc-endpoint-enabled](./vpc-endpoint-enabled.html)
+ [vpc-flow-logs-enabled](./vpc-flow-logs-enabled.html)
+ [vpc-network-acl-unused-check](./vpc-network-acl-unused-check.html)
+ [vpc-peering-dns-resolution-check](./vpc-peering-dns-resolution-check.html)
+ [vpc-sg-open-only-to-authorized-ports](./vpc-sg-open-only-to-authorized-ports.html)
+ [vpc-sg-port-restriction-check](./vpc-sg-port-restriction-check.html)
+ [vpc-vpn-2-tunnels-up](./vpc-vpn-2-tunnels-up.html)
+ [wafv2-logging-enabled](./wafv2-logging-enabled.html)
+ [wafv2-rulegroup-logging-enabled](./wafv2-rulegroup-logging-enabled.html)
+ [wafv2-rulegroup-not-empty](./wafv2-rulegroup-not-empty.html)
+ [wafv2-webacl-not-empty](./wafv2-webacl-not-empty.html)
+ [waf-global-rulegroup-not-empty](./waf-global-rulegroup-not-empty.html)
+ [waf-global-rule-not-empty](./waf-global-rule-not-empty.html)
+ [waf-regional-rulegroup-not-empty](./waf-regional-rulegroup-not-empty.html)
+ [waf-regional-rule-not-empty](./waf-regional-rule-not-empty.html)
+ [waf-regional-webacl-not-empty](./waf-regional-webacl-not-empty.html)
+ [workspaces-connection-alias-tagged](./workspaces-connection-alias-tagged.html)
+ [workspaces-root-volume-encryption-enabled](./workspaces-root-volume-encryption-enabled.html)
+ [workspaces-user-volume-encryption-enabled](./workspaces-user-volume-encryption-enabled.html)
+ [workspaces-workspace-tagged](./workspaces-workspace-tagged.html)

## Africa (Cape Town) Region
<a name="africa-cape-town-section-head"></a>

### Africa (Cape Town)
<a name="africa-cape-town"></a>
+ [access-keys-rotated](./access-keys-rotated.html)
+ [account-part-of-organizations](./account-part-of-organizations.html)
+ [acmpca-certificate-authority-tagged](./acmpca-certificate-authority-tagged.html)
+ [acm-certificate-expiration-check](./acm-certificate-expiration-check.html)
+ [acm-certificate-rsa-check](./acm-certificate-rsa-check.html)
+ [acm-certificate-transparent-logging-enabled](./acm-certificate-transparent-logging-enabled.html)
+ [acm-pca-root-ca-disabled](./acm-pca-root-ca-disabled.html)
+ [active-mq-supported-version](./active-mq-supported-version.html)
+ [alb-desync-mode-check](./alb-desync-mode-check.html)
+ [alb-http-drop-invalid-header-enabled](./alb-http-drop-invalid-header-enabled.html)
+ [alb-http-to-https-redirection-check](./alb-http-to-https-redirection-check.html)
+ [alb-internal-scheme-check](./alb-internal-scheme-check.html)
+ [alb-listener-tagged](./alb-listener-tagged.html)
+ [alb-tagged](./alb-tagged.html)
+ [alb-waf-enabled](./alb-waf-enabled.html)
+ [apigatewayv2-integration-private-https-enabled](./apigatewayv2-integration-private-https-enabled.html)
+ [apigatewayv2-stage-description](./apigatewayv2-stage-description.html)
+ [apigateway-domain-name-tls-check](./apigateway-domain-name-tls-check.html)
+ [apigateway-stage-access-logs-enabled](./apigateway-stage-access-logs-enabled.html)
+ [apigateway-stage-description](./apigateway-stage-description.html)
+ [api-gwv2-access-logs-enabled](./api-gwv2-access-logs-enabled.html)
+ [api-gwv2-authorization-type-configured](./api-gwv2-authorization-type-configured.html)
+ [api-gwv2-stage-default-route-detailed-metrics-enabled](./api-gwv2-stage-default-route-detailed-metrics-enabled.html)
+ [api-gw-associated-with-waf](./api-gw-associated-with-waf.html)
+ [api-gw-cache-enabled-and-encrypted](./api-gw-cache-enabled-and-encrypted.html)
+ [api-gw-endpoint-type-check](./api-gw-endpoint-type-check.html)
+ [api-gw-execution-logging-enabled](./api-gw-execution-logging-enabled.html)
+ [api-gw-rest-api-tagged](./api-gw-rest-api-tagged.html)
+ [api-gw-ssl-enabled](./api-gw-ssl-enabled.html)
+ [api-gw-stage-tagged](./api-gw-stage-tagged.html)
+ [api-gw-xray-enabled](./api-gw-xray-enabled.html)
+ [appconfig-application-description](./appconfig-application-description.html)
+ [appconfig-application-tagged](./appconfig-application-tagged.html)
+ [appconfig-configuration-profile-tagged](./appconfig-configuration-profile-tagged.html)
+ [appconfig-configuration-profile-validators-not-empty](./appconfig-configuration-profile-validators-not-empty.html)
+ [appconfig-deployment-strategy-description](./appconfig-deployment-strategy-description.html)
+ [appconfig-deployment-strategy-minimum-final-bake-time](./appconfig-deployment-strategy-minimum-final-bake-time.html)
+ [appconfig-deployment-strategy-replicate-to-ssm](./appconfig-deployment-strategy-replicate-to-ssm.html)
+ [appconfig-deployment-strategy-tagged](./appconfig-deployment-strategy-tagged.html)
+ [appconfig-environment-description](./appconfig-environment-description.html)
+ [appconfig-environment-tagged](./appconfig-environment-tagged.html)
+ [appconfig-extension-association-tagged](./appconfig-extension-association-tagged.html)
+ [appconfig-freeform-profile-config-storage](./appconfig-freeform-profile-config-storage.html)
+ [appconfig-hosted-configuration-version-description](./appconfig-hosted-configuration-version-description.html)
+ [appflow-flow-tagged](./appflow-flow-tagged.html)
+ [appflow-flow-trigger-type-check](./appflow-flow-trigger-type-check.html)
+ [appintegrations-application-approved-origins-check](./appintegrations-application-approved-origins-check.html)
+ [appintegrations-application-tagged](./appintegrations-application-tagged.html)
+ [appintegrations-event-integration-description](./appintegrations-event-integration-description.html)
+ [appintegrations-event-integration-tagged](./appintegrations-event-integration-tagged.html)
+ [appmesh-gateway-route-tagged](./appmesh-gateway-route-tagged.html)
+ [appmesh-mesh-deny-tcp-forwarding](./appmesh-mesh-deny-tcp-forwarding.html)
+ [appmesh-mesh-ip-pref-check](./appmesh-mesh-ip-pref-check.html)
+ [appmesh-mesh-tagged](./appmesh-mesh-tagged.html)
+ [appmesh-route-tagged](./appmesh-route-tagged.html)
+ [appmesh-virtual-gateway-backend-defaults-tls](./appmesh-virtual-gateway-backend-defaults-tls.html)
+ [appmesh-virtual-gateway-listeners-health-check-enabled](./appmesh-virtual-gateway-listeners-health-check-enabled.html)
+ [appmesh-virtual-gateway-logging-file-path-exists](./appmesh-virtual-gateway-logging-file-path-exists.html)
+ [appmesh-virtual-gateway-tagged](./appmesh-virtual-gateway-tagged.html)
+ [appmesh-virtual-node-backend-defaults-tls-on](./appmesh-virtual-node-backend-defaults-tls-on.html)
+ [appmesh-virtual-node-cloud-map-ip-pref-check](./appmesh-virtual-node-cloud-map-ip-pref-check.html)
+ [appmesh-virtual-node-dns-ip-pref-check](./appmesh-virtual-node-dns-ip-pref-check.html)
+ [appmesh-virtual-node-listeners-health-check-enabled](./appmesh-virtual-node-listeners-health-check-enabled.html)
+ [appmesh-virtual-node-listeners-outlier-detect-enabled](./appmesh-virtual-node-listeners-outlier-detect-enabled.html)
+ [appmesh-virtual-node-logging-file-path-exists](./appmesh-virtual-node-logging-file-path-exists.html)
+ [appmesh-virtual-node-service-backends-tls-enforced](./appmesh-virtual-node-service-backends-tls-enforced.html)
+ [appmesh-virtual-node-tagged](./appmesh-virtual-node-tagged.html)
+ [appmesh-virtual-router-tagged](./appmesh-virtual-router-tagged.html)
+ [appmesh-virtual-service-tagged](./appmesh-virtual-service-tagged.html)
+ [approved-amis-by-id](./approved-amis-by-id.html)
+ [approved-amis-by-tag](./approved-amis-by-tag.html)
+ [appsync-authorization-check](./appsync-authorization-check.html)
+ [appsync-graphql-api-xray-enabled](./appsync-graphql-api-xray-enabled.html)
+ [appsync-logging-enabled](./appsync-logging-enabled.html)
+ [athena-data-catalog-description](./athena-data-catalog-description.html)
+ [athena-prepared-statement-description](./athena-prepared-statement-description.html)
+ [athena-workgroup-description](./athena-workgroup-description.html)
+ [athena-workgroup-encrypted-at-rest](./athena-workgroup-encrypted-at-rest.html)
+ [athena-workgroup-enforce-workgroup-configuration](./athena-workgroup-enforce-workgroup-configuration.html)
+ [athena-workgroup-engine-version-auto-upgrade](./athena-workgroup-engine-version-auto-upgrade.html)
+ [athena-workgroup-logging-enabled](./athena-workgroup-logging-enabled.html)
+ [aurora-global-database-encryption-at-rest](./aurora-global-database-encryption-at-rest.html)
+ [aurora-last-backup-recovery-point-created](./aurora-last-backup-recovery-point-created.html)
+ [aurora-meets-restore-time-target](./aurora-meets-restore-time-target.html)
+ [aurora-mysql-cluster-audit-logging](./aurora-mysql-cluster-audit-logging.html)
+ [aurora-resources-in-logically-air-gapped-vault](./aurora-resources-in-logically-air-gapped-vault.html)
+ [aurora-resources-protected-by-backup-plan](./aurora-resources-protected-by-backup-plan.html)
+ [autoscaling-capacity-rebalancing](./autoscaling-capacity-rebalancing.html)
+ [autoscaling-group-elb-healthcheck-required](./autoscaling-group-elb-healthcheck-required.html)
+ [autoscaling-launchconfig-requires-imdsv2](./autoscaling-launchconfig-requires-imdsv2.html)
+ [autoscaling-launch-config-hop-limit](./autoscaling-launch-config-hop-limit.html)
+ [autoscaling-launch-config-public-ip-disabled](./autoscaling-launch-config-public-ip-disabled.html)
+ [autoscaling-launch-template](./autoscaling-launch-template.html)
+ [autoscaling-multiple-az](./autoscaling-multiple-az.html)
+ [autoscaling-multiple-instance-types](./autoscaling-multiple-instance-types.html)
+ [backup-plan-min-frequency-and-min-retention-check](./backup-plan-min-frequency-and-min-retention-check.html)
+ [backup-recovery-point-encrypted](./backup-recovery-point-encrypted.html)
+ [backup-recovery-point-manual-deletion-disabled](./backup-recovery-point-manual-deletion-disabled.html)
+ [backup-recovery-point-minimum-retention-check](./backup-recovery-point-minimum-retention-check.html)
+ [batch-compute-environment-enabled](./batch-compute-environment-enabled.html)
+ [batch-compute-environment-managed](./batch-compute-environment-managed.html)
+ [batch-compute-environment-tagged](./batch-compute-environment-tagged.html)
+ [batch-job-queue-enabled](./batch-job-queue-enabled.html)
+ [batch-job-queue-tagged](./batch-job-queue-tagged.html)
+ [batch-managed-compute-environment-using-launch-template](./batch-managed-compute-environment-using-launch-template.html)
+ [batch-managed-compute-env-allocation-strategy-check](./batch-managed-compute-env-allocation-strategy-check.html)
+ [batch-managed-compute-env-compute-resources-tagged](./batch-managed-compute-env-compute-resources-tagged.html)
+ [batch-managed-spot-compute-environment-max-bid](./batch-managed-spot-compute-environment-max-bid.html)
+ [batch-scheduling-policy-tagged](./batch-scheduling-policy-tagged.html)
+ [beanstalk-enhanced-health-reporting-enabled](./beanstalk-enhanced-health-reporting-enabled.html)
+ [clb-desync-mode-check](./clb-desync-mode-check.html)
+ [clb-multiple-az](./clb-multiple-az.html)
+ [cloudformation-stack-drift-detection-check](./cloudformation-stack-drift-detection-check.html)
+ [cloudformation-stack-notification-check](./cloudformation-stack-notification-check.html)
+ [cloudformation-stack-service-role-check](./cloudformation-stack-service-role-check.html)
+ [cloudformation-termination-protection-check](./cloudformation-termination-protection-check.html)
+ [cloudtrail-all-read-s3-data-event-check](./cloudtrail-all-read-s3-data-event-check.html)
+ [cloudtrail-all-write-s3-data-event-check](./cloudtrail-all-write-s3-data-event-check.html)
+ [cloudtrail-event-data-store-multi-region](./cloudtrail-event-data-store-multi-region.html)
+ [cloudtrail-s3-bucket-access-logging](./cloudtrail-s3-bucket-access-logging.html)
+ [cloudtrail-s3-bucket-public-access-prohibited](./cloudtrail-s3-bucket-public-access-prohibited.html)
+ [cloudtrail-s3-dataevents-enabled](./cloudtrail-s3-dataevents-enabled.html)
+ [cloudtrail-security-trail-enabled](./cloudtrail-security-trail-enabled.html)
+ [cloudwatch-alarm-action-check](./cloudwatch-alarm-action-check.html)
+ [cloudwatch-alarm-action-enabled-check](./cloudwatch-alarm-action-enabled-check.html)
+ [cloudwatch-alarm-description](./cloudwatch-alarm-description.html)
+ [cloudwatch-alarm-resource-check](./cloudwatch-alarm-resource-check.html)
+ [cloudwatch-alarm-settings-check](./cloudwatch-alarm-settings-check.html)
+ [cloudwatch-log-group-encrypted](./cloudwatch-log-group-encrypted.html)
+ [cloudwatch-metric-stream-tagged](./cloudwatch-metric-stream-tagged.html)
+ [cloud-trail-cloud-watch-logs-enabled](./cloud-trail-cloud-watch-logs-enabled.html)
+ [cloud-trail-enabled](./cloud-trail-enabled.html)
+ [cloud-trail-encryption-enabled](./cloud-trail-encryption-enabled.html)
+ [cloud-trail-log-file-validation-enabled](./cloud-trail-log-file-validation-enabled.html)
+ [cmk-backing-key-rotation-enabled](./cmk-backing-key-rotation-enabled.html)
+ [codebuild-project-artifact-encryption](./codebuild-project-artifact-encryption.html)
+ [codebuild-project-environment-privileged-check](./codebuild-project-environment-privileged-check.html)
+ [codebuild-project-envvar-awscred-check](./codebuild-project-envvar-awscred-check.html)
+ [codebuild-project-logging-enabled](./codebuild-project-logging-enabled.html)
+ [codebuild-project-s3-logs-encrypted](./codebuild-project-s3-logs-encrypted.html)
+ [codebuild-project-source-repo-url-check](./codebuild-project-source-repo-url-check.html)
+ [codebuild-project-tagged](./codebuild-project-tagged.html)
+ [codebuild-report-group-encrypted-at-rest](./codebuild-report-group-encrypted-at-rest.html)
+ [codebuild-report-group-tagged](./codebuild-report-group-tagged.html)
+ [codedeploy-auto-rollback-monitor-enabled](./codedeploy-auto-rollback-monitor-enabled.html)
+ [codedeploy-deployment-group-auto-rollback-enabled](./codedeploy-deployment-group-auto-rollback-enabled.html)
+ [codedeploy-deployment-group-outdated-instances-update](./codedeploy-deployment-group-outdated-instances-update.html)
+ [codedeploy-ec2-minimum-healthy-hosts-configured](./codedeploy-ec2-minimum-healthy-hosts-configured.html)
+ [codedeploy-lambda-allatonce-traffic-shift-disabled](./codedeploy-lambda-allatonce-traffic-shift-disabled.html)
+ [cognito-identity-pool-unauthenticated-logins](./cognito-identity-pool-unauthenticated-logins.html)
+ [cognito-identity-pool-unauth-access-check](./cognito-identity-pool-unauth-access-check.html)
+ [cognito-userpool-cust-auth-threat-full-check](./cognito-userpool-cust-auth-threat-full-check.html)
+ [cognito-user-pool-deletion-protection-enabled](./cognito-user-pool-deletion-protection-enabled.html)
+ [cognito-user-pool-mfa-enabled](./cognito-user-pool-mfa-enabled.html)
+ [cognito-user-pool-password-policy-check](./cognito-user-pool-password-policy-check.html)
+ [cognito-user-pool-tagged](./cognito-user-pool-tagged.html)
+ [connect-instance-logging-enabled](./connect-instance-logging-enabled.html)
+ [customerprofiles-domain-tagged](./customerprofiles-domain-tagged.html)
+ [customerprofiles-object-type-allow-profile-creation](./customerprofiles-object-type-allow-profile-creation.html)
+ [customerprofiles-object-type-tagged](./customerprofiles-object-type-tagged.html)
+ [custom-eventbus-policy-attached](./custom-eventbus-policy-attached.html)
+ [cw-loggroup-retention-period-check](./cw-loggroup-retention-period-check.html)
+ [datasync-location-object-storage-using-https](./datasync-location-object-storage-using-https.html)
+ [datasync-task-data-verification-enabled](./datasync-task-data-verification-enabled.html)
+ [datasync-task-logging-enabled](./datasync-task-logging-enabled.html)
+ [datasync-task-tagged](./datasync-task-tagged.html)
+ [db-instance-backup-enabled](./db-instance-backup-enabled.html)
+ [desired-instance-tenancy](./desired-instance-tenancy.html)
+ [desired-instance-type](./desired-instance-type.html)
+ [dms-auto-minor-version-upgrade-check](./dms-auto-minor-version-upgrade-check.html)
+ [dms-endpoint-ssl-configured](./dms-endpoint-ssl-configured.html)
+ [dms-endpoint-tagged](./dms-endpoint-tagged.html)
+ [dms-mongo-db-authentication-enabled](./dms-mongo-db-authentication-enabled.html)
+ [dms-redis-tls-enabled](./dms-redis-tls-enabled.html)
+ [dms-replication-instance-multi-az-enabled](./dms-replication-instance-multi-az-enabled.html)
+ [dms-replication-not-public](./dms-replication-not-public.html)
+ [dms-replication-task-sourcedb-logging](./dms-replication-task-sourcedb-logging.html)
+ [dms-replication-task-tagged](./dms-replication-task-tagged.html)
+ [dms-replication-task-targetdb-logging](./dms-replication-task-targetdb-logging.html)
+ [dynamodb-autoscaling-enabled](./dynamodb-autoscaling-enabled.html)
+ [dynamodb-in-backup-plan](./dynamodb-in-backup-plan.html)
+ [dynamodb-last-backup-recovery-point-created](./dynamodb-last-backup-recovery-point-created.html)
+ [dynamodb-meets-restore-time-target](./dynamodb-meets-restore-time-target.html)
+ [dynamodb-pitr-enabled](./dynamodb-pitr-enabled.html)
+ [dynamodb-resources-protected-by-backup-plan](./dynamodb-resources-protected-by-backup-plan.html)
+ [dynamodb-table-deletion-protection-enabled](./dynamodb-table-deletion-protection-enabled.html)
+ [dynamodb-table-encrypted-kms](./dynamodb-table-encrypted-kms.html)
+ [dynamodb-throughput-limit-check](./dynamodb-throughput-limit-check.html)
+ [ebs-in-backup-plan](./ebs-in-backup-plan.html)
+ [ebs-last-backup-recovery-point-created](./ebs-last-backup-recovery-point-created.html)
+ [ebs-meets-restore-time-target](./ebs-meets-restore-time-target.html)
+ [ebs-optimized-instance](./ebs-optimized-instance.html)
+ [ebs-resources-in-logically-air-gapped-vault](./ebs-resources-in-logically-air-gapped-vault.html)
+ [ebs-resources-protected-by-backup-plan](./ebs-resources-protected-by-backup-plan.html)
+ [ebs-snapshot-block-public-access](./ebs-snapshot-block-public-access.html)
+ [ebs-snapshot-public-restorable-check](./ebs-snapshot-public-restorable-check.html)
+ [ec2-capacity-reservation-tagged](./ec2-capacity-reservation-tagged.html)
+ [ec2-client-vpn-connection-log-enabled](./ec2-client-vpn-connection-log-enabled.html)
+ [ec2-client-vpn-endpoint-tagged](./ec2-client-vpn-endpoint-tagged.html)
+ [ec2-client-vpn-not-authorize-all](./ec2-client-vpn-not-authorize-all.html)
+ [ec2-dhcp-options-tagged](./ec2-dhcp-options-tagged.html)
+ [ec2-ebs-encryption-by-default](./ec2-ebs-encryption-by-default.html)
+ [ec2-enis-source-destination-check-enabled](./ec2-enis-source-destination-check-enabled.html)
+ [ec2-fleet-tagged](./ec2-fleet-tagged.html)
+ [ec2-imdsv2-check](./ec2-imdsv2-check.html)
+ [ec2-instance-detailed-monitoring-enabled](./ec2-instance-detailed-monitoring-enabled.html)
+ [ec2-instance-launched-with-allowed-ami](./ec2-instance-launched-with-allowed-ami.html)
+ [ec2-instance-managed-by-ssm](./ec2-instance-managed-by-ssm.html)
+ [ec2-instance-multiple-eni-check](./ec2-instance-multiple-eni-check.html)
+ [ec2-instance-no-public-ip](./ec2-instance-no-public-ip.html)
+ [ec2-instance-profile-attached](./ec2-instance-profile-attached.html)
+ [ec2-ipamscope-tagged](./ec2-ipamscope-tagged.html)
+ [ec2-last-backup-recovery-point-created](./ec2-last-backup-recovery-point-created.html)
+ [ec2-launchtemplate-ebs-encrypted](./ec2-launchtemplate-ebs-encrypted.html)
+ [ec2-launch-templates-ebs-volume-encrypted](./ec2-launch-templates-ebs-volume-encrypted.html)
+ [ec2-launch-template-imdsv2-check](./ec2-launch-template-imdsv2-check.html)
+ [ec2-launch-template-public-ip-disabled](./ec2-launch-template-public-ip-disabled.html)
+ [ec2-launch-template-tagged](./ec2-launch-template-tagged.html)
+ [ec2-managedinstance-applications-blacklisted](./ec2-managedinstance-applications-blacklisted.html)
+ [ec2-managedinstance-applications-required](./ec2-managedinstance-applications-required.html)
+ [ec2-managedinstance-inventory-blacklisted](./ec2-managedinstance-inventory-blacklisted.html)
+ [ec2-managedinstance-patch-compliance-status-check](./ec2-managedinstance-patch-compliance-status-check.html)
+ [ec2-managedinstance-platform-check](./ec2-managedinstance-platform-check.html)
+ [ec2-meets-restore-time-target](./ec2-meets-restore-time-target.html)
+ [ec2-network-insights-access-scope-analysis-tagged](./ec2-network-insights-access-scope-analysis-tagged.html)
+ [ec2-network-insights-access-scope-tagged](./ec2-network-insights-access-scope-tagged.html)
+ [ec2-network-insights-analysis-tagged](./ec2-network-insights-analysis-tagged.html)
+ [ec2-network-insights-path-tagged](./ec2-network-insights-path-tagged.html)
+ [ec2-no-amazon-key-pair](./ec2-no-amazon-key-pair.html)
+ [ec2-prefix-list-tagged](./ec2-prefix-list-tagged.html)
+ [ec2-resources-in-logically-air-gapped-vault](./ec2-resources-in-logically-air-gapped-vault.html)
+ [ec2-resources-protected-by-backup-plan](./ec2-resources-protected-by-backup-plan.html)
+ [ec2-security-group-attached-to-eni](./ec2-security-group-attached-to-eni.html)
+ [ec2-security-group-attached-to-eni-periodic](./ec2-security-group-attached-to-eni-periodic.html)
+ [ec2-spot-fleet-request-ct-encryption-at-rest](./ec2-spot-fleet-request-ct-encryption-at-rest.html)
+ [ec2-stopped-instance](./ec2-stopped-instance.html)
+ [ec2-token-hop-limit-check](./ec2-token-hop-limit-check.html)
+ [ec2-traffic-mirror-filter-description](./ec2-traffic-mirror-filter-description.html)
+ [ec2-traffic-mirror-filter-tagged](./ec2-traffic-mirror-filter-tagged.html)
+ [ec2-transit-gateway-auto-vpc-attach-disabled](./ec2-transit-gateway-auto-vpc-attach-disabled.html)
+ [ec2-transit-gateway-multicast-domain-tagged](./ec2-transit-gateway-multicast-domain-tagged.html)
+ [ec2-volume-inuse-check](./ec2-volume-inuse-check.html)
+ [ec2-vpn-connection-ike-version-check](./ec2-vpn-connection-ike-version-check.html)
+ [ec2-vpn-connection-logging-enabled](./ec2-vpn-connection-logging-enabled.html)
+ [ec2-vpn-connection-tagged](./ec2-vpn-connection-tagged.html)
+ [ecr-private-image-scanning-enabled](./ecr-private-image-scanning-enabled.html)
+ [ecr-private-lifecycle-policy-configured](./ecr-private-lifecycle-policy-configured.html)
+ [ecr-private-tag-immutability-enabled](./ecr-private-tag-immutability-enabled.html)
+ [ecr-repository-cmk-encryption-enabled](./ecr-repository-cmk-encryption-enabled.html)
+ [ecr-repository-tagged](./ecr-repository-tagged.html)
+ [ecs-awsvpc-networking-enabled](./ecs-awsvpc-networking-enabled.html)
+ [ecs-capacity-provider-tagged](./ecs-capacity-provider-tagged.html)
+ [ecs-capacity-provider-termination-check](./ecs-capacity-provider-termination-check.html)
+ [ecs-containers-nonprivileged](./ecs-containers-nonprivileged.html)
+ [ecs-containers-readonly-access](./ecs-containers-readonly-access.html)
+ [ecs-container-insights-enabled](./ecs-container-insights-enabled.html)
+ [ecs-fargate-latest-platform-version](./ecs-fargate-latest-platform-version.html)
+ [ecs-no-environment-secrets](./ecs-no-environment-secrets.html)
+ [ecs-service-propagate-tags-enabled](./ecs-service-propagate-tags-enabled.html)
+ [ecs-task-definition-efs-encryption-enabled](./ecs-task-definition-efs-encryption-enabled.html)
+ [ecs-task-definition-linux-user-non-root](./ecs-task-definition-linux-user-non-root.html)
+ [ecs-task-definition-log-configuration](./ecs-task-definition-log-configuration.html)
+ [ecs-task-definition-memory-hard-limit](./ecs-task-definition-memory-hard-limit.html)
+ [ecs-task-definition-network-mode-not-host](./ecs-task-definition-network-mode-not-host.html)
+ [ecs-task-definition-nonroot-user](./ecs-task-definition-nonroot-user.html)
+ [ecs-task-definition-pid-mode-check](./ecs-task-definition-pid-mode-check.html)
+ [ecs-task-definition-user-for-host-mode-check](./ecs-task-definition-user-for-host-mode-check.html)
+ [ecs-task-definition-windows-user-non-admin](./ecs-task-definition-windows-user-non-admin.html)
+ [efs-access-point-enforce-root-directory](./efs-access-point-enforce-root-directory.html)
+ [efs-access-point-enforce-user-identity](./efs-access-point-enforce-user-identity.html)
+ [efs-automatic-backups-enabled](./efs-automatic-backups-enabled.html)
+ [efs-encrypted-check](./efs-encrypted-check.html)
+ [efs-filesystem-ct-encrypted](./efs-filesystem-ct-encrypted.html)
+ [efs-file-system-tagged](./efs-file-system-tagged.html)
+ [efs-in-backup-plan](./efs-in-backup-plan.html)
+ [efs-last-backup-recovery-point-created](./efs-last-backup-recovery-point-created.html)
+ [efs-meets-restore-time-target](./efs-meets-restore-time-target.html)
+ [efs-mount-target-public-accessible](./efs-mount-target-public-accessible.html)
+ [efs-resources-in-logically-air-gapped-vault](./efs-resources-in-logically-air-gapped-vault.html)
+ [efs-resources-protected-by-backup-plan](./efs-resources-protected-by-backup-plan.html)
+ [eip-attached](./eip-attached.html)
+ [eks-addon-tagged](./eks-addon-tagged.html)
+ [eks-cluster-logging-enabled](./eks-cluster-logging-enabled.html)
+ [eks-cluster-log-enabled](./eks-cluster-log-enabled.html)
+ [eks-cluster-oldest-supported-version](./eks-cluster-oldest-supported-version.html)
+ [eks-cluster-secrets-encrypted](./eks-cluster-secrets-encrypted.html)
+ [eks-cluster-supported-version](./eks-cluster-supported-version.html)
+ [eks-endpoint-no-public-access](./eks-endpoint-no-public-access.html)
+ [eks-fargate-profile-tagged](./eks-fargate-profile-tagged.html)
+ [eks-nodegroup-supported-version-check](./eks-nodegroup-supported-version-check.html)
+ [eks-secrets-encrypted](./eks-secrets-encrypted.html)
+ [elasticache-automatic-backup-check-enabled](./elasticache-automatic-backup-check-enabled.html)
+ [elasticache-auto-minor-version-upgrade-check](./elasticache-auto-minor-version-upgrade-check.html)
+ [elasticache-rbac-auth-enabled](./elasticache-rbac-auth-enabled.html)
+ [elasticache-redis-cluster-automatic-backup-check](./elasticache-redis-cluster-automatic-backup-check.html)
+ [elasticache-repl-grp-auto-failover-enabled](./elasticache-repl-grp-auto-failover-enabled.html)
+ [elasticache-repl-grp-encrypted-at-rest](./elasticache-repl-grp-encrypted-at-rest.html)
+ [elasticache-repl-grp-encrypted-in-transit](./elasticache-repl-grp-encrypted-in-transit.html)
+ [elasticache-repl-grp-redis-auth-enabled](./elasticache-repl-grp-redis-auth-enabled.html)
+ [elasticache-subnet-group-check](./elasticache-subnet-group-check.html)
+ [elasticache-supported-engine-version](./elasticache-supported-engine-version.html)
+ [elasticbeanstalk-application-description](./elasticbeanstalk-application-description.html)
+ [elasticbeanstalk-application-version-description](./elasticbeanstalk-application-version-description.html)
+ [elasticbeanstalk-environment-description](./elasticbeanstalk-environment-description.html)
+ [elasticsearch-encrypted-at-rest](./elasticsearch-encrypted-at-rest.html)
+ [elasticsearch-in-vpc-only](./elasticsearch-in-vpc-only.html)
+ [elasticsearch-logs-to-cloudwatch](./elasticsearch-logs-to-cloudwatch.html)
+ [elasticsearch-node-to-node-encryption-check](./elasticsearch-node-to-node-encryption-check.html)
+ [elastic-beanstalk-logs-to-cloudwatch](./elastic-beanstalk-logs-to-cloudwatch.html)
+ [elastic-beanstalk-managed-updates-enabled](./elastic-beanstalk-managed-updates-enabled.html)
+ [elbv2-acm-certificate-required](./elbv2-acm-certificate-required.html)
+ [elbv2-listener-encryption-in-transit](./elbv2-listener-encryption-in-transit.html)
+ [elbv2-multiple-az](./elbv2-multiple-az.html)
+ [elbv2-predefined-security-policy-ssl-check](./elbv2-predefined-security-policy-ssl-check.html)
+ [elbv2-targetgroup-healthcheck-protocol-encrypted](./elbv2-targetgroup-healthcheck-protocol-encrypted.html)
+ [elbv2-targetgroup-protocol-encrypted](./elbv2-targetgroup-protocol-encrypted.html)
+ [elb-cross-zone-load-balancing-enabled](./elb-cross-zone-load-balancing-enabled.html)
+ [elb-custom-security-policy-ssl-check](./elb-custom-security-policy-ssl-check.html)
+ [elb-deletion-protection-enabled](./elb-deletion-protection-enabled.html)
+ [elb-internal-scheme-check](./elb-internal-scheme-check.html)
+ [elb-logging-enabled](./elb-logging-enabled.html)
+ [elb-predefined-security-policy-ssl-check](./elb-predefined-security-policy-ssl-check.html)
+ [elb-tagged](./elb-tagged.html)
+ [elb-tls-https-listeners-only](./elb-tls-https-listeners-only.html)
+ [emr-block-public-access](./emr-block-public-access.html)
+ [emr-kerberos-enabled](./emr-kerberos-enabled.html)
+ [emr-master-no-public-ip](./emr-master-no-public-ip.html)
+ [emr-security-configuration-encryption-rest](./emr-security-configuration-encryption-rest.html)
+ [emr-security-configuration-encryption-transit](./emr-security-configuration-encryption-transit.html)
+ [encrypted-volumes](./encrypted-volumes.html)
+ [eventschemas-discoverer-tagged](./eventschemas-discoverer-tagged.html)
+ [eventschemas-registry-tagged](./eventschemas-registry-tagged.html)
+ [event-data-store-cmk-encryption-enabled](./event-data-store-cmk-encryption-enabled.html)
+ [fis-experiment-template-log-configuration-exists](./fis-experiment-template-log-configuration-exists.html)
+ [fis-experiment-template-tagged](./fis-experiment-template-tagged.html)
+ [fms-shield-resource-policy-check](./fms-shield-resource-policy-check.html)
+ [fms-webacl-resource-policy-check](./fms-webacl-resource-policy-check.html)
+ [fms-webacl-rulegroup-association-check](./fms-webacl-rulegroup-association-check.html)
+ [fsx-last-backup-recovery-point-created](./fsx-last-backup-recovery-point-created.html)
+ [fsx-lustre-copy-tags-to-backups](./fsx-lustre-copy-tags-to-backups.html)
+ [fsx-meets-restore-time-target](./fsx-meets-restore-time-target.html)
+ [fsx-ontap-deployment-type-check](./fsx-ontap-deployment-type-check.html)
+ [fsx-openzfs-copy-tags-enabled](./fsx-openzfs-copy-tags-enabled.html)
+ [fsx-openzfs-deployment-type-check](./fsx-openzfs-deployment-type-check.html)
+ [fsx-resources-protected-by-backup-plan](./fsx-resources-protected-by-backup-plan.html)
+ [fsx-windows-audit-log-configured](./fsx-windows-audit-log-configured.html)
+ [fsx-windows-deployment-type-check](./fsx-windows-deployment-type-check.html)
+ [glb-listener-tagged](./glb-listener-tagged.html)
+ [glb-tagged](./glb-tagged.html)
+ [glue-job-logging-enabled](./glue-job-logging-enabled.html)
+ [glue-ml-transform-encrypted-at-rest](./glue-ml-transform-encrypted-at-rest.html)
+ [glue-ml-transform-tagged](./glue-ml-transform-tagged.html)
+ [glue-spark-job-supported-version](./glue-spark-job-supported-version.html)
+ [groundstation-config-tagged](./groundstation-config-tagged.html)
+ [groundstation-dataflowendpointgroup-tagged](./groundstation-dataflowendpointgroup-tagged.html)
+ [groundstation-missionprofile-tagged](./groundstation-missionprofile-tagged.html)
+ [guardduty-ec2-protection-runtime-enabled](./guardduty-ec2-protection-runtime-enabled.html)
+ [guardduty-ecs-protection-runtime-enabled](./guardduty-ecs-protection-runtime-enabled.html)
+ [guardduty-eks-protection-audit-enabled](./guardduty-eks-protection-audit-enabled.html)
+ [guardduty-eks-protection-runtime-enabled](./guardduty-eks-protection-runtime-enabled.html)
+ [guardduty-enabled-centralized](./guardduty-enabled-centralized.html)
+ [guardduty-lambda-protection-enabled](./guardduty-lambda-protection-enabled.html)
+ [guardduty-malware-protection-enabled](./guardduty-malware-protection-enabled.html)
+ [guardduty-non-archived-findings](./guardduty-non-archived-findings.html)
+ [guardduty-rds-protection-enabled](./guardduty-rds-protection-enabled.html)
+ [guardduty-runtime-monitoring-enabled](./guardduty-runtime-monitoring-enabled.html)
+ [guardduty-s3-protection-enabled](./guardduty-s3-protection-enabled.html)
+ [iam-customer-policy-blocked-kms-actions](./iam-customer-policy-blocked-kms-actions.html)
+ [iam-external-access-analyzer-enabled](./iam-external-access-analyzer-enabled.html)
+ [iam-group-has-users-check](./iam-group-has-users-check.html)
+ [iam-inline-policy-blocked-kms-actions](./iam-inline-policy-blocked-kms-actions.html)
+ [iam-no-inline-policy-check](./iam-no-inline-policy-check.html)
+ [iam-password-policy](./iam-password-policy.html)
+ [iam-policy-blacklisted-check](./iam-policy-blacklisted-check.html)
+ [iam-policy-description](./iam-policy-description.html)
+ [iam-policy-in-use](./iam-policy-in-use.html)
+ [iam-policy-no-statements-with-admin-access](./iam-policy-no-statements-with-admin-access.html)
+ [iam-policy-no-statements-with-full-access](./iam-policy-no-statements-with-full-access.html)
+ [iam-role-managed-policy-check](./iam-role-managed-policy-check.html)
+ [iam-root-access-key-check](./iam-root-access-key-check.html)
+ [iam-user-group-membership-check](./iam-user-group-membership-check.html)
+ [iam-user-mfa-enabled](./iam-user-mfa-enabled.html)
+ [iam-user-no-policies-check](./iam-user-no-policies-check.html)
+ [iam-user-unused-credentials-check](./iam-user-unused-credentials-check.html)
+ [imagebuilder-distributionconfiguration-tagged](./imagebuilder-distributionconfiguration-tagged.html)
+ [imagebuilder-imagepipeline-tagged](./imagebuilder-imagepipeline-tagged.html)
+ [imagebuilder-imagerecipe-ebs-volumes-encrypted](./imagebuilder-imagerecipe-ebs-volumes-encrypted.html)
+ [imagebuilder-imagerecipe-tagged](./imagebuilder-imagerecipe-tagged.html)
+ [imagebuilder-infrastructureconfiguration-tagged](./imagebuilder-infrastructureconfiguration-tagged.html)
+ [incoming-ssh-disabled](./incoming-ssh-disabled.html)
+ [inspector-ec2-scan-enabled](./inspector-ec2-scan-enabled.html)
+ [inspector-ecr-scan-enabled](./inspector-ecr-scan-enabled.html)
+ [inspector-lambda-standard-scan-enabled](./inspector-lambda-standard-scan-enabled.html)
+ [instances-in-vpc](./instances-in-vpc.html)
+ [internet-gateway-authorized-vpc-only](./internet-gateway-authorized-vpc-only.html)
+ [kinesis-firehose-delivery-stream-encrypted](./kinesis-firehose-delivery-stream-encrypted.html)
+ [kinesis-stream-backup-retention-check](./kinesis-stream-backup-retention-check.html)
+ [kinesis-stream-encrypted](./kinesis-stream-encrypted.html)
+ [kms-cmk-not-scheduled-for-deletion](./kms-cmk-not-scheduled-for-deletion.html)
+ [kms-key-policy-no-public-access](./kms-key-policy-no-public-access.html)
+ [kms-key-tagged](./kms-key-tagged.html)
+ [lambda-concurrency-check](./lambda-concurrency-check.html)
+ [lambda-dlq-check](./lambda-dlq-check.html)
+ [lambda-function-application-log-level-check](./lambda-function-application-log-level-check.html)
+ [lambda-function-description](./lambda-function-description.html)
+ [lambda-function-log-format-json](./lambda-function-log-format-json.html)
+ [lambda-function-public-access-prohibited](./lambda-function-public-access-prohibited.html)
+ [lambda-function-settings-check](./lambda-function-settings-check.html)
+ [lambda-function-system-log-level-check](./lambda-function-system-log-level-check.html)
+ [lambda-function-xray-enabled](./lambda-function-xray-enabled.html)
+ [lambda-inside-vpc](./lambda-inside-vpc.html)
+ [lambda-vpc-multi-az-check](./lambda-vpc-multi-az-check.html)
+ [macie-auto-sensitive-data-discovery-check](./macie-auto-sensitive-data-discovery-check.html)
+ [macie-status-check](./macie-status-check.html)
+ [mariadb-publish-logs-to-cloudwatch-logs](./mariadb-publish-logs-to-cloudwatch-logs.html)
+ [mediatailor-playbackconfiguration-tagged](./mediatailor-playbackconfiguration-tagged.html)
+ [mfa-enabled-for-iam-console-access](./mfa-enabled-for-iam-console-access.html)
+ [mq-active-broker-ldap-authentication](./mq-active-broker-ldap-authentication.html)
+ [mq-active-deployment-mode](./mq-active-deployment-mode.html)
+ [mq-active-single-instance-broker-storage-type-efs](./mq-active-single-instance-broker-storage-type-efs.html)
+ [mq-auto-minor-version-upgrade-enabled](./mq-auto-minor-version-upgrade-enabled.html)
+ [mq-broker-general-logging-enabled](./mq-broker-general-logging-enabled.html)
+ [mq-cloudwatch-audit-log-enabled](./mq-cloudwatch-audit-log-enabled.html)
+ [mq-rabbit-deployment-mode](./mq-rabbit-deployment-mode.html)
+ [msk-cluster-public-access-disabled](./msk-cluster-public-access-disabled.html)
+ [msk-cluster-tagged](./msk-cluster-tagged.html)
+ [msk-enhanced-monitoring-enabled](./msk-enhanced-monitoring-enabled.html)
+ [msk-in-cluster-node-require-tls](./msk-in-cluster-node-require-tls.html)
+ [msk-unrestricted-access-check](./msk-unrestricted-access-check.html)
+ [multi-region-cloud-trail-enabled](./multi-region-cloud-trail-enabled.html)
+ [nacl-no-unrestricted-ssh-rdp](./nacl-no-unrestricted-ssh-rdp.html)
+ [neptune-cluster-backup-retention-check](./neptune-cluster-backup-retention-check.html)
+ [neptune-cluster-cloudwatch-log-export-enabled](./neptune-cluster-cloudwatch-log-export-enabled.html)
+ [neptune-cluster-copy-tags-to-snapshot-enabled](./neptune-cluster-copy-tags-to-snapshot-enabled.html)
+ [neptune-cluster-deletion-protection-enabled](./neptune-cluster-deletion-protection-enabled.html)
+ [neptune-cluster-encrypted](./neptune-cluster-encrypted.html)
+ [neptune-cluster-iam-database-authentication](./neptune-cluster-iam-database-authentication.html)
+ [neptune-cluster-multi-az-enabled](./neptune-cluster-multi-az-enabled.html)
+ [neptune-cluster-snapshot-encrypted](./neptune-cluster-snapshot-encrypted.html)
+ [neptune-cluster-snapshot-iam-database-auth-enabled](./neptune-cluster-snapshot-iam-database-auth-enabled.html)
+ [neptune-cluster-snapshot-public-prohibited](./neptune-cluster-snapshot-public-prohibited.html)
+ [netfw-deletion-protection-enabled](./netfw-deletion-protection-enabled.html)
+ [netfw-logging-enabled](./netfw-logging-enabled.html)
+ [netfw-multi-az-enabled](./netfw-multi-az-enabled.html)
+ [netfw-policy-default-action-fragment-packets](./netfw-policy-default-action-fragment-packets.html)
+ [netfw-policy-default-action-full-packets](./netfw-policy-default-action-full-packets.html)
+ [netfw-policy-rule-group-associated](./netfw-policy-rule-group-associated.html)
+ [netfw-stateless-rule-group-not-empty](./netfw-stateless-rule-group-not-empty.html)
+ [netfw-subnet-change-protection-enabled](./netfw-subnet-change-protection-enabled.html)
+ [nlb-cross-zone-load-balancing-enabled](./nlb-cross-zone-load-balancing-enabled.html)
+ [nlb-internal-scheme-check](./nlb-internal-scheme-check.html)
+ [nlb-listener-tagged](./nlb-listener-tagged.html)
+ [nlb-logging-enabled](./nlb-logging-enabled.html)
+ [nlb-tagged](./nlb-tagged.html)
+ [no-unrestricted-route-to-igw](./no-unrestricted-route-to-igw.html)
+ [opensearch-access-control-enabled](./opensearch-access-control-enabled.html)
+ [opensearch-audit-logging-enabled](./opensearch-audit-logging-enabled.html)
+ [opensearch-data-node-fault-tolerance](./opensearch-data-node-fault-tolerance.html)
+ [opensearch-encrypted-at-rest](./opensearch-encrypted-at-rest.html)
+ [opensearch-https-required](./opensearch-https-required.html)
+ [opensearch-in-vpc-only](./opensearch-in-vpc-only.html)
+ [opensearch-logs-to-cloudwatch](./opensearch-logs-to-cloudwatch.html)
+ [opensearch-node-to-node-encryption-check](./opensearch-node-to-node-encryption-check.html)
+ [opensearch-primary-node-fault-tolerance](./opensearch-primary-node-fault-tolerance.html)
+ [opensearch-update-check](./opensearch-update-check.html)
+ [rabbit-mq-supported-version](./rabbit-mq-supported-version.html)
+ [rds-aurora-mysql-audit-logging-enabled](./rds-aurora-mysql-audit-logging-enabled.html)
+ [rds-aurora-postgresql-logs-to-cloudwatch](./rds-aurora-postgresql-logs-to-cloudwatch.html)
+ [rds-automatic-minor-version-upgrade-enabled](./rds-automatic-minor-version-upgrade-enabled.html)
+ [rds-cluster-auto-minor-version-upgrade-enable](./rds-cluster-auto-minor-version-upgrade-enable.html)
+ [rds-cluster-backup-retention-check](./rds-cluster-backup-retention-check.html)
+ [rds-cluster-default-admin-check](./rds-cluster-default-admin-check.html)
+ [rds-cluster-deletion-protection-enabled](./rds-cluster-deletion-protection-enabled.html)
+ [rds-cluster-encrypted-at-rest](./rds-cluster-encrypted-at-rest.html)
+ [rds-cluster-iam-authentication-enabled](./rds-cluster-iam-authentication-enabled.html)
+ [rds-cluster-multi-az-enabled](./rds-cluster-multi-az-enabled.html)
+ [rds-enhanced-monitoring-enabled](./rds-enhanced-monitoring-enabled.html)
+ [rds-event-subscription-tagged](./rds-event-subscription-tagged.html)
+ [rds-global-cluster-aurora-mysql-supported-version](./rds-global-cluster-aurora-mysql-supported-version.html)
+ [rds-instance-default-admin-check](./rds-instance-default-admin-check.html)
+ [rds-instance-deletion-protection-enabled](./rds-instance-deletion-protection-enabled.html)
+ [rds-instance-iam-authentication-enabled](./rds-instance-iam-authentication-enabled.html)
+ [rds-instance-public-access-check](./rds-instance-public-access-check.html)
+ [rds-instance-subnet-igw-check](./rds-instance-subnet-igw-check.html)
+ [rds-in-backup-plan](./rds-in-backup-plan.html)
+ [rds-last-backup-recovery-point-created](./rds-last-backup-recovery-point-created.html)
+ [rds-logging-enabled](./rds-logging-enabled.html)
+ [rds-mariadb-instance-encrypted-in-transit](./rds-mariadb-instance-encrypted-in-transit.html)
+ [rds-meets-restore-time-target](./rds-meets-restore-time-target.html)
+ [rds-multi-az-support](./rds-multi-az-support.html)
+ [rds-mysql-cluster-copy-tags-to-snapshot-check](./rds-mysql-cluster-copy-tags-to-snapshot-check.html)
+ [rds-mysql-instance-encrypted-in-transit](./rds-mysql-instance-encrypted-in-transit.html)
+ [rds-option-group-tagged](./rds-option-group-tagged.html)
+ [rds-pgsql-cluster-copy-tags-to-snapshot-check](./rds-pgsql-cluster-copy-tags-to-snapshot-check.html)
+ [rds-postgresql-logs-to-cloudwatch](./rds-postgresql-logs-to-cloudwatch.html)
+ [rds-postgres-instance-encrypted-in-transit](./rds-postgres-instance-encrypted-in-transit.html)
+ [rds-proxy-tls-encryption](./rds-proxy-tls-encryption.html)
+ [rds-resources-protected-by-backup-plan](./rds-resources-protected-by-backup-plan.html)
+ [rds-snapshot-encrypted](./rds-snapshot-encrypted.html)
+ [rds-sqlserver-encrypted-in-transit](./rds-sqlserver-encrypted-in-transit.html)
+ [rds-sql-server-logs-to-cloudwatch](./rds-sql-server-logs-to-cloudwatch.html)
+ [rds-storage-encrypted](./rds-storage-encrypted.html)
+ [redshift-audit-logging-enabled](./redshift-audit-logging-enabled.html)
+ [redshift-backup-enabled](./redshift-backup-enabled.html)
+ [redshift-cluster-configuration-check](./redshift-cluster-configuration-check.html)
+ [redshift-cluster-kms-enabled](./redshift-cluster-kms-enabled.html)
+ [redshift-cluster-maintenancesettings-check](./redshift-cluster-maintenancesettings-check.html)
+ [redshift-cluster-multi-az-enabled](./redshift-cluster-multi-az-enabled.html)
+ [redshift-cluster-parameter-group-tagged](./redshift-cluster-parameter-group-tagged.html)
+ [redshift-cluster-public-access-check](./redshift-cluster-public-access-check.html)
+ [redshift-cluster-subnet-group-multi-az](./redshift-cluster-subnet-group-multi-az.html)
+ [redshift-default-admin-check](./redshift-default-admin-check.html)
+ [redshift-default-db-name-check](./redshift-default-db-name-check.html)
+ [redshift-enhanced-vpc-routing-enabled](./redshift-enhanced-vpc-routing-enabled.html)
+ [redshift-require-tls-ssl](./redshift-require-tls-ssl.html)
+ [redshift-unrestricted-port-access](./redshift-unrestricted-port-access.html)
+ [required-tags](./required-tags.html)
+ [resiliencehub-app-tagged](./resiliencehub-app-tagged.html)
+ [resiliencehub-resiliencypolicy-tagged](./resiliencehub-resiliencypolicy-tagged.html)
+ [restricted-incoming-traffic](./restricted-incoming-traffic.html)
+ [root-account-hardware-mfa-enabled](./root-account-hardware-mfa-enabled.html)
+ [root-account-mfa-enabled](./root-account-mfa-enabled.html)
+ [route53-resolver-firewall-domain-list-tagged](./route53-resolver-firewall-domain-list-tagged.html)
+ [route53-resolver-firewall-rule-group-association-tagged](./route53-resolver-firewall-rule-group-association-tagged.html)
+ [route53-resolver-firewall-rule-group-tagged](./route53-resolver-firewall-rule-group-tagged.html)
+ [route53-resolver-resolver-endpoint-tagged](./route53-resolver-resolver-endpoint-tagged.html)
+ [route53-resolver-resolver-rule-tagged](./route53-resolver-resolver-rule-tagged.html)
+ [s3-access-point-in-vpc-only](./s3-access-point-in-vpc-only.html)
+ [s3-access-point-public-access-blocks](./s3-access-point-public-access-blocks.html)
+ [s3-account-level-public-access-blocks](./s3-account-level-public-access-blocks.html)
+ [s3-account-level-public-access-blocks-periodic](./s3-account-level-public-access-blocks-periodic.html)
+ [s3-bucket-acl-prohibited](./s3-bucket-acl-prohibited.html)
+ [s3-bucket-blacklisted-actions-prohibited](./s3-bucket-blacklisted-actions-prohibited.html)
+ [s3-bucket-cross-region-replication-enabled](./s3-bucket-cross-region-replication-enabled.html)
+ [s3-bucket-default-lock-enabled](./s3-bucket-default-lock-enabled.html)
+ [s3-bucket-level-public-access-prohibited](./s3-bucket-level-public-access-prohibited.html)
+ [s3-bucket-logging-enabled](./s3-bucket-logging-enabled.html)
+ [s3-bucket-mfa-delete-enabled](./s3-bucket-mfa-delete-enabled.html)
+ [s3-bucket-policy-grantee-check](./s3-bucket-policy-grantee-check.html)
+ [s3-bucket-policy-not-more-permissive](./s3-bucket-policy-not-more-permissive.html)
+ [s3-bucket-public-read-prohibited](./s3-bucket-public-read-prohibited.html)
+ [s3-bucket-public-write-prohibited](./s3-bucket-public-write-prohibited.html)
+ [s3-bucket-replication-enabled](./s3-bucket-replication-enabled.html)
+ [s3-bucket-server-side-encryption-enabled](./s3-bucket-server-side-encryption-enabled.html)
+ [s3-bucket-ssl-requests-only](./s3-bucket-ssl-requests-only.html)
+ [s3-bucket-tagged](./s3-bucket-tagged.html)
+ [s3-bucket-versioning-enabled](./s3-bucket-versioning-enabled.html)
+ [s3-default-encryption-kms](./s3-default-encryption-kms.html)
+ [s3-event-notifications-enabled](./s3-event-notifications-enabled.html)
+ [s3-last-backup-recovery-point-created](./s3-last-backup-recovery-point-created.html)
+ [s3-lifecycle-policy-check](./s3-lifecycle-policy-check.html)
+ [s3-meets-restore-time-target](./s3-meets-restore-time-target.html)
+ [s3-resources-protected-by-backup-plan](./s3-resources-protected-by-backup-plan.html)
+ [s3-version-lifecycle-policy-check](./s3-version-lifecycle-policy-check.html)
+ [sagemaker-app-image-config-tagged](./sagemaker-app-image-config-tagged.html)
+ [sagemaker-domain-in-vpc](./sagemaker-domain-in-vpc.html)
+ [sagemaker-domain-tagged](./sagemaker-domain-tagged.html)
+ [sagemaker-endpoint-configuration-kms-key-configured](./sagemaker-endpoint-configuration-kms-key-configured.html)
+ [sagemaker-endpoint-config-prod-instance-count](./sagemaker-endpoint-config-prod-instance-count.html)
+ [sagemaker-featuregroup-description](./sagemaker-featuregroup-description.html)
+ [sagemaker-featuregroup-encryption-at-rest](./sagemaker-featuregroup-encryption-at-rest.html)
+ [sagemaker-feature-group-tagged](./sagemaker-feature-group-tagged.html)
+ [sagemaker-image-description](./sagemaker-image-description.html)
+ [sagemaker-image-tagged](./sagemaker-image-tagged.html)
+ [sagemaker-inferenceexperiment-tagged](./sagemaker-inferenceexperiment-tagged.html)
+ [sagemaker-model-in-vpc](./sagemaker-model-in-vpc.html)
+ [sagemaker-model-isolation-enabled](./sagemaker-model-isolation-enabled.html)
+ [sagemaker-model-private-registry-required](./sagemaker-model-private-registry-required.html)
+ [sagemaker-notebook-instance-inside-vpc](./sagemaker-notebook-instance-inside-vpc.html)
+ [sagemaker-notebook-instance-kms-key-configured](./sagemaker-notebook-instance-kms-key-configured.html)
+ [sagemaker-notebook-instance-platform-version](./sagemaker-notebook-instance-platform-version.html)
+ [sagemaker-notebook-instance-root-access-check](./sagemaker-notebook-instance-root-access-check.html)
+ [sagemaker-notebook-no-direct-internet-access](./sagemaker-notebook-no-direct-internet-access.html)
+ [secretsmanager-rotation-enabled-check](./secretsmanager-rotation-enabled-check.html)
+ [secretsmanager-scheduled-rotation-success-check](./secretsmanager-scheduled-rotation-success-check.html)
+ [secretsmanager-secret-periodic-rotation](./secretsmanager-secret-periodic-rotation.html)
+ [secretsmanager-secret-unused](./secretsmanager-secret-unused.html)
+ [secretsmanager-using-cmk](./secretsmanager-using-cmk.html)
+ [securityhub-enabled](./securityhub-enabled.html)
+ [security-account-information-provided](./security-account-information-provided.html)
+ [service-catalog-portfolio-tagged](./service-catalog-portfolio-tagged.html)
+ [service-catalog-shared-within-organization](./service-catalog-shared-within-organization.html)
+ [service-vpc-endpoint-enabled](./service-vpc-endpoint-enabled.html)
+ [ses-sending-tls-required](./ses-sending-tls-required.html)
+ [signer-signingprofile-tagged](./signer-signingprofile-tagged.html)
+ [sns-encrypted-kms](./sns-encrypted-kms.html)
+ [sns-topic-message-delivery-notification-enabled](./sns-topic-message-delivery-notification-enabled.html)
+ [sns-topic-no-public-access](./sns-topic-no-public-access.html)
+ [sqs-queue-dlq-check](./sqs-queue-dlq-check.html)
+ [sqs-queue-no-public-access](./sqs-queue-no-public-access.html)
+ [sqs-queue-policy-full-access-check](./sqs-queue-policy-full-access-check.html)
+ [ssm-automation-block-public-sharing](./ssm-automation-block-public-sharing.html)
+ [ssm-automation-logging-enabled](./ssm-automation-logging-enabled.html)
+ [ssm-document-not-public](./ssm-document-not-public.html)
+ [ssm-document-tagged](./ssm-document-tagged.html)
+ [stepfunctions-state-machine-tagged](./stepfunctions-state-machine-tagged.html)
+ [step-functions-state-machine-logging-enabled](./step-functions-state-machine-logging-enabled.html)
+ [storagegateway-last-backup-recovery-point-created](./storagegateway-last-backup-recovery-point-created.html)
+ [storagegateway-resources-in-logically-air-gapped-vault](./storagegateway-resources-in-logically-air-gapped-vault.html)
+ [storagegateway-resources-protected-by-backup-plan](./storagegateway-resources-protected-by-backup-plan.html)
+ [subnet-auto-assign-public-ip-disabled](./subnet-auto-assign-public-ip-disabled.html)
+ [transfer-agreement-description](./transfer-agreement-description.html)
+ [transfer-agreement-tagged](./transfer-agreement-tagged.html)
+ [transfer-certificate-description](./transfer-certificate-description.html)
+ [transfer-certificate-tagged](./transfer-certificate-tagged.html)
+ [transfer-connector-as2-encryption-algorithm-check](./transfer-connector-as2-encryption-algorithm-check.html)
+ [transfer-connector-as2-mdn-signing-algorithm-check](./transfer-connector-as2-mdn-signing-algorithm-check.html)
+ [transfer-connector-as2-signing-algorithm-check](./transfer-connector-as2-signing-algorithm-check.html)
+ [transfer-connector-logging-enabled](./transfer-connector-logging-enabled.html)
+ [transfer-connector-tagged](./transfer-connector-tagged.html)
+ [transfer-family-server-no-ftp](./transfer-family-server-no-ftp.html)
+ [transfer-profile-tagged](./transfer-profile-tagged.html)
+ [transfer-workflow-description](./transfer-workflow-description.html)
+ [transfer-workflow-tagged](./transfer-workflow-tagged.html)
+ [virtualmachine-last-backup-recovery-point-created](./virtualmachine-last-backup-recovery-point-created.html)
+ [virtualmachine-resources-in-logically-air-gapped-vault](./virtualmachine-resources-in-logically-air-gapped-vault.html)
+ [virtualmachine-resources-protected-by-backup-plan](./virtualmachine-resources-protected-by-backup-plan.html)
+ [vpc-default-security-group-closed](./vpc-default-security-group-closed.html)
+ [vpc-endpoint-enabled](./vpc-endpoint-enabled.html)
+ [vpc-flow-logs-enabled](./vpc-flow-logs-enabled.html)
+ [vpc-network-acl-unused-check](./vpc-network-acl-unused-check.html)
+ [vpc-peering-dns-resolution-check](./vpc-peering-dns-resolution-check.html)
+ [vpc-sg-open-only-to-authorized-ports](./vpc-sg-open-only-to-authorized-ports.html)
+ [vpc-sg-port-restriction-check](./vpc-sg-port-restriction-check.html)
+ [vpc-vpn-2-tunnels-up](./vpc-vpn-2-tunnels-up.html)
+ [wafv2-logging-enabled](./wafv2-logging-enabled.html)
+ [wafv2-rulegroup-logging-enabled](./wafv2-rulegroup-logging-enabled.html)
+ [wafv2-rulegroup-not-empty](./wafv2-rulegroup-not-empty.html)
+ [wafv2-webacl-not-empty](./wafv2-webacl-not-empty.html)
+ [waf-global-rulegroup-not-empty](./waf-global-rulegroup-not-empty.html)
+ [waf-global-rule-not-empty](./waf-global-rule-not-empty.html)
+ [waf-regional-rulegroup-not-empty](./waf-regional-rulegroup-not-empty.html)
+ [waf-regional-rule-not-empty](./waf-regional-rule-not-empty.html)
+ [waf-regional-webacl-not-empty](./waf-regional-webacl-not-empty.html)
+ [workspaces-root-volume-encryption-enabled](./workspaces-root-volume-encryption-enabled.html)
+ [workspaces-user-volume-encryption-enabled](./workspaces-user-volume-encryption-enabled.html)
+ [workspaces-workspace-tagged](./workspaces-workspace-tagged.html)

## Asia Pacific (Hong Kong) Region
<a name="asia-pacific-hong-kong-section-head"></a>

### Asia Pacific (Hong Kong)
<a name="asia-pacific-hong-kong"></a>
+ [access-keys-rotated](./access-keys-rotated.html)
+ [account-part-of-organizations](./account-part-of-organizations.html)
+ [acmpca-certificate-authority-tagged](./acmpca-certificate-authority-tagged.html)
+ [acm-certificate-expiration-check](./acm-certificate-expiration-check.html)
+ [acm-certificate-rsa-check](./acm-certificate-rsa-check.html)
+ [acm-certificate-transparent-logging-enabled](./acm-certificate-transparent-logging-enabled.html)
+ [acm-pca-root-ca-disabled](./acm-pca-root-ca-disabled.html)
+ [active-mq-supported-version](./active-mq-supported-version.html)
+ [alb-desync-mode-check](./alb-desync-mode-check.html)
+ [alb-http-drop-invalid-header-enabled](./alb-http-drop-invalid-header-enabled.html)
+ [alb-http-to-https-redirection-check](./alb-http-to-https-redirection-check.html)
+ [alb-internal-scheme-check](./alb-internal-scheme-check.html)
+ [alb-listener-tagged](./alb-listener-tagged.html)
+ [alb-tagged](./alb-tagged.html)
+ [alb-waf-enabled](./alb-waf-enabled.html)
+ [amplify-app-branch-auto-deletion-enabled](./amplify-app-branch-auto-deletion-enabled.html)
+ [amplify-app-build-spec-configured](./amplify-app-build-spec-configured.html)
+ [amplify-app-description](./amplify-app-description.html)
+ [amplify-app-no-environment-variables](./amplify-app-no-environment-variables.html)
+ [amplify-app-platform-check](./amplify-app-platform-check.html)
+ [amplify-app-tagged](./amplify-app-tagged.html)
+ [amplify-branch-auto-build-enabled](./amplify-branch-auto-build-enabled.html)
+ [amplify-branch-build-spec-configured](./amplify-branch-build-spec-configured.html)
+ [amplify-branch-description](./amplify-branch-description.html)
+ [amplify-branch-framework-configured](./amplify-branch-framework-configured.html)
+ [amplify-branch-performance-mode-enabled](./amplify-branch-performance-mode-enabled.html)
+ [amplify-branch-pull-request-preview-enabled](./amplify-branch-pull-request-preview-enabled.html)
+ [amplify-branch-tagged](./amplify-branch-tagged.html)
+ [apigatewayv2-integration-private-https-enabled](./apigatewayv2-integration-private-https-enabled.html)
+ [apigatewayv2-stage-description](./apigatewayv2-stage-description.html)
+ [apigateway-domain-name-tls-check](./apigateway-domain-name-tls-check.html)
+ [apigateway-stage-access-logs-enabled](./apigateway-stage-access-logs-enabled.html)
+ [apigateway-stage-description](./apigateway-stage-description.html)
+ [api-gwv2-access-logs-enabled](./api-gwv2-access-logs-enabled.html)
+ [api-gwv2-authorization-type-configured](./api-gwv2-authorization-type-configured.html)
+ [api-gwv2-stage-default-route-detailed-metrics-enabled](./api-gwv2-stage-default-route-detailed-metrics-enabled.html)
+ [api-gw-associated-with-waf](./api-gw-associated-with-waf.html)
+ [api-gw-cache-enabled-and-encrypted](./api-gw-cache-enabled-and-encrypted.html)
+ [api-gw-endpoint-type-check](./api-gw-endpoint-type-check.html)
+ [api-gw-execution-logging-enabled](./api-gw-execution-logging-enabled.html)
+ [api-gw-rest-api-tagged](./api-gw-rest-api-tagged.html)
+ [api-gw-ssl-enabled](./api-gw-ssl-enabled.html)
+ [api-gw-stage-tagged](./api-gw-stage-tagged.html)
+ [api-gw-xray-enabled](./api-gw-xray-enabled.html)
+ [appconfig-application-description](./appconfig-application-description.html)
+ [appconfig-application-tagged](./appconfig-application-tagged.html)
+ [appconfig-configuration-profile-tagged](./appconfig-configuration-profile-tagged.html)
+ [appconfig-configuration-profile-validators-not-empty](./appconfig-configuration-profile-validators-not-empty.html)
+ [appconfig-deployment-strategy-description](./appconfig-deployment-strategy-description.html)
+ [appconfig-deployment-strategy-minimum-final-bake-time](./appconfig-deployment-strategy-minimum-final-bake-time.html)
+ [appconfig-deployment-strategy-replicate-to-ssm](./appconfig-deployment-strategy-replicate-to-ssm.html)
+ [appconfig-deployment-strategy-tagged](./appconfig-deployment-strategy-tagged.html)
+ [appconfig-environment-description](./appconfig-environment-description.html)
+ [appconfig-environment-tagged](./appconfig-environment-tagged.html)
+ [appconfig-extension-association-tagged](./appconfig-extension-association-tagged.html)
+ [appconfig-freeform-profile-config-storage](./appconfig-freeform-profile-config-storage.html)
+ [appconfig-hosted-configuration-version-description](./appconfig-hosted-configuration-version-description.html)
+ [appmesh-gateway-route-tagged](./appmesh-gateway-route-tagged.html)
+ [appmesh-mesh-deny-tcp-forwarding](./appmesh-mesh-deny-tcp-forwarding.html)
+ [appmesh-mesh-ip-pref-check](./appmesh-mesh-ip-pref-check.html)
+ [appmesh-mesh-tagged](./appmesh-mesh-tagged.html)
+ [appmesh-route-tagged](./appmesh-route-tagged.html)
+ [appmesh-virtual-gateway-backend-defaults-tls](./appmesh-virtual-gateway-backend-defaults-tls.html)
+ [appmesh-virtual-gateway-listeners-health-check-enabled](./appmesh-virtual-gateway-listeners-health-check-enabled.html)
+ [appmesh-virtual-gateway-logging-file-path-exists](./appmesh-virtual-gateway-logging-file-path-exists.html)
+ [appmesh-virtual-gateway-tagged](./appmesh-virtual-gateway-tagged.html)
+ [appmesh-virtual-node-backend-defaults-tls-on](./appmesh-virtual-node-backend-defaults-tls-on.html)
+ [appmesh-virtual-node-cloud-map-ip-pref-check](./appmesh-virtual-node-cloud-map-ip-pref-check.html)
+ [appmesh-virtual-node-dns-ip-pref-check](./appmesh-virtual-node-dns-ip-pref-check.html)
+ [appmesh-virtual-node-listeners-health-check-enabled](./appmesh-virtual-node-listeners-health-check-enabled.html)
+ [appmesh-virtual-node-listeners-outlier-detect-enabled](./appmesh-virtual-node-listeners-outlier-detect-enabled.html)
+ [appmesh-virtual-node-logging-file-path-exists](./appmesh-virtual-node-logging-file-path-exists.html)
+ [appmesh-virtual-node-service-backends-tls-enforced](./appmesh-virtual-node-service-backends-tls-enforced.html)
+ [appmesh-virtual-node-tagged](./appmesh-virtual-node-tagged.html)
+ [appmesh-virtual-router-tagged](./appmesh-virtual-router-tagged.html)
+ [appmesh-virtual-service-tagged](./appmesh-virtual-service-tagged.html)
+ [approved-amis-by-id](./approved-amis-by-id.html)
+ [approved-amis-by-tag](./approved-amis-by-tag.html)
+ [appsync-associated-with-waf](./appsync-associated-with-waf.html)
+ [appsync-authorization-check](./appsync-authorization-check.html)
+ [appsync-cache-encryption-at-rest](./appsync-cache-encryption-at-rest.html)
+ [appsync-graphql-api-xray-enabled](./appsync-graphql-api-xray-enabled.html)
+ [appsync-logging-enabled](./appsync-logging-enabled.html)
+ [athena-data-catalog-description](./athena-data-catalog-description.html)
+ [athena-prepared-statement-description](./athena-prepared-statement-description.html)
+ [athena-workgroup-description](./athena-workgroup-description.html)
+ [athena-workgroup-encrypted-at-rest](./athena-workgroup-encrypted-at-rest.html)
+ [athena-workgroup-enforce-workgroup-configuration](./athena-workgroup-enforce-workgroup-configuration.html)
+ [athena-workgroup-engine-version-auto-upgrade](./athena-workgroup-engine-version-auto-upgrade.html)
+ [athena-workgroup-logging-enabled](./athena-workgroup-logging-enabled.html)
+ [aurora-global-database-encryption-at-rest](./aurora-global-database-encryption-at-rest.html)
+ [aurora-last-backup-recovery-point-created](./aurora-last-backup-recovery-point-created.html)
+ [aurora-meets-restore-time-target](./aurora-meets-restore-time-target.html)
+ [aurora-mysql-cluster-audit-logging](./aurora-mysql-cluster-audit-logging.html)
+ [aurora-resources-in-logically-air-gapped-vault](./aurora-resources-in-logically-air-gapped-vault.html)
+ [aurora-resources-protected-by-backup-plan](./aurora-resources-protected-by-backup-plan.html)
+ [autoscaling-capacity-rebalancing](./autoscaling-capacity-rebalancing.html)
+ [autoscaling-group-elb-healthcheck-required](./autoscaling-group-elb-healthcheck-required.html)
+ [autoscaling-launchconfig-requires-imdsv2](./autoscaling-launchconfig-requires-imdsv2.html)
+ [autoscaling-launch-config-hop-limit](./autoscaling-launch-config-hop-limit.html)
+ [autoscaling-launch-config-public-ip-disabled](./autoscaling-launch-config-public-ip-disabled.html)
+ [autoscaling-launch-template](./autoscaling-launch-template.html)
+ [autoscaling-multiple-az](./autoscaling-multiple-az.html)
+ [autoscaling-multiple-instance-types](./autoscaling-multiple-instance-types.html)
+ [backup-plan-min-frequency-and-min-retention-check](./backup-plan-min-frequency-and-min-retention-check.html)
+ [backup-recovery-point-encrypted](./backup-recovery-point-encrypted.html)
+ [backup-recovery-point-manual-deletion-disabled](./backup-recovery-point-manual-deletion-disabled.html)
+ [backup-recovery-point-minimum-retention-check](./backup-recovery-point-minimum-retention-check.html)
+ [batch-compute-environment-enabled](./batch-compute-environment-enabled.html)
+ [batch-compute-environment-managed](./batch-compute-environment-managed.html)
+ [batch-compute-environment-tagged](./batch-compute-environment-tagged.html)
+ [batch-job-queue-enabled](./batch-job-queue-enabled.html)
+ [batch-job-queue-tagged](./batch-job-queue-tagged.html)
+ [batch-managed-compute-environment-using-launch-template](./batch-managed-compute-environment-using-launch-template.html)
+ [batch-managed-compute-env-allocation-strategy-check](./batch-managed-compute-env-allocation-strategy-check.html)
+ [batch-managed-compute-env-compute-resources-tagged](./batch-managed-compute-env-compute-resources-tagged.html)
+ [batch-managed-spot-compute-environment-max-bid](./batch-managed-spot-compute-environment-max-bid.html)
+ [batch-scheduling-policy-tagged](./batch-scheduling-policy-tagged.html)
+ [beanstalk-enhanced-health-reporting-enabled](./beanstalk-enhanced-health-reporting-enabled.html)
+ [cassandra-keyspace-tagged](./cassandra-keyspace-tagged.html)
+ [clb-desync-mode-check](./clb-desync-mode-check.html)
+ [clb-multiple-az](./clb-multiple-az.html)
+ [cloudformation-stack-drift-detection-check](./cloudformation-stack-drift-detection-check.html)
+ [cloudformation-stack-notification-check](./cloudformation-stack-notification-check.html)
+ [cloudformation-stack-service-role-check](./cloudformation-stack-service-role-check.html)
+ [cloudformation-termination-protection-check](./cloudformation-termination-protection-check.html)
+ [cloudtrail-all-read-s3-data-event-check](./cloudtrail-all-read-s3-data-event-check.html)
+ [cloudtrail-all-write-s3-data-event-check](./cloudtrail-all-write-s3-data-event-check.html)
+ [cloudtrail-event-data-store-multi-region](./cloudtrail-event-data-store-multi-region.html)
+ [cloudtrail-s3-bucket-access-logging](./cloudtrail-s3-bucket-access-logging.html)
+ [cloudtrail-s3-bucket-public-access-prohibited](./cloudtrail-s3-bucket-public-access-prohibited.html)
+ [cloudtrail-s3-dataevents-enabled](./cloudtrail-s3-dataevents-enabled.html)
+ [cloudtrail-security-trail-enabled](./cloudtrail-security-trail-enabled.html)
+ [cloudwatch-alarm-action-check](./cloudwatch-alarm-action-check.html)
+ [cloudwatch-alarm-action-enabled-check](./cloudwatch-alarm-action-enabled-check.html)
+ [cloudwatch-alarm-description](./cloudwatch-alarm-description.html)
+ [cloudwatch-alarm-resource-check](./cloudwatch-alarm-resource-check.html)
+ [cloudwatch-alarm-settings-check](./cloudwatch-alarm-settings-check.html)
+ [cloudwatch-log-group-encrypted](./cloudwatch-log-group-encrypted.html)
+ [cloudwatch-metric-stream-tagged](./cloudwatch-metric-stream-tagged.html)
+ [cloud-trail-cloud-watch-logs-enabled](./cloud-trail-cloud-watch-logs-enabled.html)
+ [cloud-trail-enabled](./cloud-trail-enabled.html)
+ [cloud-trail-encryption-enabled](./cloud-trail-encryption-enabled.html)
+ [cloud-trail-log-file-validation-enabled](./cloud-trail-log-file-validation-enabled.html)
+ [cmk-backing-key-rotation-enabled](./cmk-backing-key-rotation-enabled.html)
+ [codebuild-project-artifact-encryption](./codebuild-project-artifact-encryption.html)
+ [codebuild-project-environment-privileged-check](./codebuild-project-environment-privileged-check.html)
+ [codebuild-project-envvar-awscred-check](./codebuild-project-envvar-awscred-check.html)
+ [codebuild-project-logging-enabled](./codebuild-project-logging-enabled.html)
+ [codebuild-project-s3-logs-encrypted](./codebuild-project-s3-logs-encrypted.html)
+ [codebuild-project-source-repo-url-check](./codebuild-project-source-repo-url-check.html)
+ [codebuild-project-tagged](./codebuild-project-tagged.html)
+ [codebuild-report-group-encrypted-at-rest](./codebuild-report-group-encrypted-at-rest.html)
+ [codebuild-report-group-tagged](./codebuild-report-group-tagged.html)
+ [codedeploy-auto-rollback-monitor-enabled](./codedeploy-auto-rollback-monitor-enabled.html)
+ [codedeploy-deployment-group-auto-rollback-enabled](./codedeploy-deployment-group-auto-rollback-enabled.html)
+ [codedeploy-deployment-group-outdated-instances-update](./codedeploy-deployment-group-outdated-instances-update.html)
+ [codedeploy-ec2-minimum-healthy-hosts-configured](./codedeploy-ec2-minimum-healthy-hosts-configured.html)
+ [codedeploy-lambda-allatonce-traffic-shift-disabled](./codedeploy-lambda-allatonce-traffic-shift-disabled.html)
+ [codepipeline-deployment-count-check](./codepipeline-deployment-count-check.html)
+ [codepipeline-region-fanout-check](./codepipeline-region-fanout-check.html)
+ [cognito-identity-pool-unauthenticated-logins](./cognito-identity-pool-unauthenticated-logins.html)
+ [cognito-identity-pool-unauth-access-check](./cognito-identity-pool-unauth-access-check.html)
+ [cognito-userpool-cust-auth-threat-full-check](./cognito-userpool-cust-auth-threat-full-check.html)
+ [cognito-user-pool-deletion-protection-enabled](./cognito-user-pool-deletion-protection-enabled.html)
+ [cognito-user-pool-mfa-enabled](./cognito-user-pool-mfa-enabled.html)
+ [cognito-user-pool-password-policy-check](./cognito-user-pool-password-policy-check.html)
+ [cognito-user-pool-tagged](./cognito-user-pool-tagged.html)
+ [custom-eventbus-policy-attached](./custom-eventbus-policy-attached.html)
+ [custom-schema-registry-policy-attached](./custom-schema-registry-policy-attached.html)
+ [cw-loggroup-retention-period-check](./cw-loggroup-retention-period-check.html)
+ [datasync-location-object-storage-using-https](./datasync-location-object-storage-using-https.html)
+ [datasync-task-data-verification-enabled](./datasync-task-data-verification-enabled.html)
+ [datasync-task-logging-enabled](./datasync-task-logging-enabled.html)
+ [datasync-task-tagged](./datasync-task-tagged.html)
+ [db-instance-backup-enabled](./db-instance-backup-enabled.html)
+ [desired-instance-tenancy](./desired-instance-tenancy.html)
+ [desired-instance-type](./desired-instance-type.html)
+ [dms-auto-minor-version-upgrade-check](./dms-auto-minor-version-upgrade-check.html)
+ [dms-endpoint-ssl-configured](./dms-endpoint-ssl-configured.html)
+ [dms-endpoint-tagged](./dms-endpoint-tagged.html)
+ [dms-mongo-db-authentication-enabled](./dms-mongo-db-authentication-enabled.html)
+ [dms-neptune-iam-authorization-enabled](./dms-neptune-iam-authorization-enabled.html)
+ [dms-redis-tls-enabled](./dms-redis-tls-enabled.html)
+ [dms-replication-instance-multi-az-enabled](./dms-replication-instance-multi-az-enabled.html)
+ [dms-replication-not-public](./dms-replication-not-public.html)
+ [dms-replication-task-sourcedb-logging](./dms-replication-task-sourcedb-logging.html)
+ [dms-replication-task-tagged](./dms-replication-task-tagged.html)
+ [dms-replication-task-targetdb-logging](./dms-replication-task-targetdb-logging.html)
+ [docdb-cluster-audit-logging-enabled](./docdb-cluster-audit-logging-enabled.html)
+ [docdb-cluster-backup-retention-check](./docdb-cluster-backup-retention-check.html)
+ [docdb-cluster-deletion-protection-enabled](./docdb-cluster-deletion-protection-enabled.html)
+ [docdb-cluster-encrypted](./docdb-cluster-encrypted.html)
+ [docdb-cluster-encrypted-in-transit](./docdb-cluster-encrypted-in-transit.html)
+ [docdb-cluster-snapshot-public-prohibited](./docdb-cluster-snapshot-public-prohibited.html)
+ [dynamodb-autoscaling-enabled](./dynamodb-autoscaling-enabled.html)
+ [dynamodb-in-backup-plan](./dynamodb-in-backup-plan.html)
+ [dynamodb-last-backup-recovery-point-created](./dynamodb-last-backup-recovery-point-created.html)
+ [dynamodb-meets-restore-time-target](./dynamodb-meets-restore-time-target.html)
+ [dynamodb-pitr-enabled](./dynamodb-pitr-enabled.html)
+ [dynamodb-resources-protected-by-backup-plan](./dynamodb-resources-protected-by-backup-plan.html)
+ [dynamodb-table-deletion-protection-enabled](./dynamodb-table-deletion-protection-enabled.html)
+ [dynamodb-table-encrypted-kms](./dynamodb-table-encrypted-kms.html)
+ [dynamodb-throughput-limit-check](./dynamodb-throughput-limit-check.html)
+ [ebs-in-backup-plan](./ebs-in-backup-plan.html)
+ [ebs-last-backup-recovery-point-created](./ebs-last-backup-recovery-point-created.html)
+ [ebs-meets-restore-time-target](./ebs-meets-restore-time-target.html)
+ [ebs-optimized-instance](./ebs-optimized-instance.html)
+ [ebs-resources-in-logically-air-gapped-vault](./ebs-resources-in-logically-air-gapped-vault.html)
+ [ebs-resources-protected-by-backup-plan](./ebs-resources-protected-by-backup-plan.html)
+ [ebs-snapshot-block-public-access](./ebs-snapshot-block-public-access.html)
+ [ebs-snapshot-public-restorable-check](./ebs-snapshot-public-restorable-check.html)
+ [ec2-capacity-reservation-tagged](./ec2-capacity-reservation-tagged.html)
+ [ec2-client-vpn-connection-log-enabled](./ec2-client-vpn-connection-log-enabled.html)
+ [ec2-client-vpn-endpoint-tagged](./ec2-client-vpn-endpoint-tagged.html)
+ [ec2-client-vpn-not-authorize-all](./ec2-client-vpn-not-authorize-all.html)
+ [ec2-dhcp-options-tagged](./ec2-dhcp-options-tagged.html)
+ [ec2-ebs-encryption-by-default](./ec2-ebs-encryption-by-default.html)
+ [ec2-enis-source-destination-check-enabled](./ec2-enis-source-destination-check-enabled.html)
+ [ec2-fleet-tagged](./ec2-fleet-tagged.html)
+ [ec2-imdsv2-check](./ec2-imdsv2-check.html)
+ [ec2-instance-detailed-monitoring-enabled](./ec2-instance-detailed-monitoring-enabled.html)
+ [ec2-instance-launched-with-allowed-ami](./ec2-instance-launched-with-allowed-ami.html)
+ [ec2-instance-managed-by-ssm](./ec2-instance-managed-by-ssm.html)
+ [ec2-instance-multiple-eni-check](./ec2-instance-multiple-eni-check.html)
+ [ec2-instance-no-public-ip](./ec2-instance-no-public-ip.html)
+ [ec2-instance-profile-attached](./ec2-instance-profile-attached.html)
+ [ec2-ipamscope-tagged](./ec2-ipamscope-tagged.html)
+ [ec2-last-backup-recovery-point-created](./ec2-last-backup-recovery-point-created.html)
+ [ec2-launchtemplate-ebs-encrypted](./ec2-launchtemplate-ebs-encrypted.html)
+ [ec2-launch-templates-ebs-volume-encrypted](./ec2-launch-templates-ebs-volume-encrypted.html)
+ [ec2-launch-template-imdsv2-check](./ec2-launch-template-imdsv2-check.html)
+ [ec2-launch-template-public-ip-disabled](./ec2-launch-template-public-ip-disabled.html)
+ [ec2-launch-template-tagged](./ec2-launch-template-tagged.html)
+ [ec2-managedinstance-applications-blacklisted](./ec2-managedinstance-applications-blacklisted.html)
+ [ec2-managedinstance-applications-required](./ec2-managedinstance-applications-required.html)
+ [ec2-managedinstance-association-compliance-status-check](./ec2-managedinstance-association-compliance-status-check.html)
+ [ec2-managedinstance-inventory-blacklisted](./ec2-managedinstance-inventory-blacklisted.html)
+ [ec2-managedinstance-patch-compliance-status-check](./ec2-managedinstance-patch-compliance-status-check.html)
+ [ec2-managedinstance-platform-check](./ec2-managedinstance-platform-check.html)
+ [ec2-meets-restore-time-target](./ec2-meets-restore-time-target.html)
+ [ec2-network-insights-access-scope-analysis-tagged](./ec2-network-insights-access-scope-analysis-tagged.html)
+ [ec2-network-insights-access-scope-tagged](./ec2-network-insights-access-scope-tagged.html)
+ [ec2-network-insights-analysis-tagged](./ec2-network-insights-analysis-tagged.html)
+ [ec2-network-insights-path-tagged](./ec2-network-insights-path-tagged.html)
+ [ec2-no-amazon-key-pair](./ec2-no-amazon-key-pair.html)
+ [ec2-prefix-list-tagged](./ec2-prefix-list-tagged.html)
+ [ec2-resources-in-logically-air-gapped-vault](./ec2-resources-in-logically-air-gapped-vault.html)
+ [ec2-resources-protected-by-backup-plan](./ec2-resources-protected-by-backup-plan.html)
+ [ec2-security-group-attached-to-eni](./ec2-security-group-attached-to-eni.html)
+ [ec2-security-group-attached-to-eni-periodic](./ec2-security-group-attached-to-eni-periodic.html)
+ [ec2-spot-fleet-request-ct-encryption-at-rest](./ec2-spot-fleet-request-ct-encryption-at-rest.html)
+ [ec2-stopped-instance](./ec2-stopped-instance.html)
+ [ec2-token-hop-limit-check](./ec2-token-hop-limit-check.html)
+ [ec2-traffic-mirror-filter-description](./ec2-traffic-mirror-filter-description.html)
+ [ec2-traffic-mirror-filter-tagged](./ec2-traffic-mirror-filter-tagged.html)
+ [ec2-traffic-mirror-session-description](./ec2-traffic-mirror-session-description.html)
+ [ec2-traffic-mirror-session-tagged](./ec2-traffic-mirror-session-tagged.html)
+ [ec2-traffic-mirror-target-description](./ec2-traffic-mirror-target-description.html)
+ [ec2-traffic-mirror-target-tagged](./ec2-traffic-mirror-target-tagged.html)
+ [ec2-transit-gateway-auto-vpc-attach-disabled](./ec2-transit-gateway-auto-vpc-attach-disabled.html)
+ [ec2-transit-gateway-multicast-domain-tagged](./ec2-transit-gateway-multicast-domain-tagged.html)
+ [ec2-volume-inuse-check](./ec2-volume-inuse-check.html)
+ [ec2-vpn-connection-ike-version-check](./ec2-vpn-connection-ike-version-check.html)
+ [ec2-vpn-connection-logging-enabled](./ec2-vpn-connection-logging-enabled.html)
+ [ec2-vpn-connection-tagged](./ec2-vpn-connection-tagged.html)
+ [ecr-private-image-scanning-enabled](./ecr-private-image-scanning-enabled.html)
+ [ecr-private-lifecycle-policy-configured](./ecr-private-lifecycle-policy-configured.html)
+ [ecr-private-tag-immutability-enabled](./ecr-private-tag-immutability-enabled.html)
+ [ecr-repository-cmk-encryption-enabled](./ecr-repository-cmk-encryption-enabled.html)
+ [ecr-repository-tagged](./ecr-repository-tagged.html)
+ [ecs-awsvpc-networking-enabled](./ecs-awsvpc-networking-enabled.html)
+ [ecs-capacity-provider-tagged](./ecs-capacity-provider-tagged.html)
+ [ecs-capacity-provider-termination-check](./ecs-capacity-provider-termination-check.html)
+ [ecs-containers-nonprivileged](./ecs-containers-nonprivileged.html)
+ [ecs-containers-readonly-access](./ecs-containers-readonly-access.html)
+ [ecs-container-insights-enabled](./ecs-container-insights-enabled.html)
+ [ecs-fargate-latest-platform-version](./ecs-fargate-latest-platform-version.html)
+ [ecs-no-environment-secrets](./ecs-no-environment-secrets.html)
+ [ecs-service-propagate-tags-enabled](./ecs-service-propagate-tags-enabled.html)
+ [ecs-task-definition-efs-encryption-enabled](./ecs-task-definition-efs-encryption-enabled.html)
+ [ecs-task-definition-linux-user-non-root](./ecs-task-definition-linux-user-non-root.html)
+ [ecs-task-definition-log-configuration](./ecs-task-definition-log-configuration.html)
+ [ecs-task-definition-memory-hard-limit](./ecs-task-definition-memory-hard-limit.html)
+ [ecs-task-definition-network-mode-not-host](./ecs-task-definition-network-mode-not-host.html)
+ [ecs-task-definition-nonroot-user](./ecs-task-definition-nonroot-user.html)
+ [ecs-task-definition-pid-mode-check](./ecs-task-definition-pid-mode-check.html)
+ [ecs-task-definition-user-for-host-mode-check](./ecs-task-definition-user-for-host-mode-check.html)
+ [ecs-task-definition-windows-user-non-admin](./ecs-task-definition-windows-user-non-admin.html)
+ [efs-access-point-enforce-root-directory](./efs-access-point-enforce-root-directory.html)
+ [efs-access-point-enforce-user-identity](./efs-access-point-enforce-user-identity.html)
+ [efs-automatic-backups-enabled](./efs-automatic-backups-enabled.html)
+ [efs-encrypted-check](./efs-encrypted-check.html)
+ [efs-filesystem-ct-encrypted](./efs-filesystem-ct-encrypted.html)
+ [efs-file-system-tagged](./efs-file-system-tagged.html)
+ [efs-in-backup-plan](./efs-in-backup-plan.html)
+ [efs-last-backup-recovery-point-created](./efs-last-backup-recovery-point-created.html)
+ [efs-meets-restore-time-target](./efs-meets-restore-time-target.html)
+ [efs-mount-target-public-accessible](./efs-mount-target-public-accessible.html)
+ [efs-resources-in-logically-air-gapped-vault](./efs-resources-in-logically-air-gapped-vault.html)
+ [efs-resources-protected-by-backup-plan](./efs-resources-protected-by-backup-plan.html)
+ [eip-attached](./eip-attached.html)
+ [eks-addon-tagged](./eks-addon-tagged.html)
+ [eks-cluster-logging-enabled](./eks-cluster-logging-enabled.html)
+ [eks-cluster-log-enabled](./eks-cluster-log-enabled.html)
+ [eks-cluster-oldest-supported-version](./eks-cluster-oldest-supported-version.html)
+ [eks-cluster-secrets-encrypted](./eks-cluster-secrets-encrypted.html)
+ [eks-cluster-supported-version](./eks-cluster-supported-version.html)
+ [eks-endpoint-no-public-access](./eks-endpoint-no-public-access.html)
+ [eks-fargate-profile-tagged](./eks-fargate-profile-tagged.html)
+ [eks-nodegroup-supported-version-check](./eks-nodegroup-supported-version-check.html)
+ [eks-secrets-encrypted](./eks-secrets-encrypted.html)
+ [elasticache-automatic-backup-check-enabled](./elasticache-automatic-backup-check-enabled.html)
+ [elasticache-auto-minor-version-upgrade-check](./elasticache-auto-minor-version-upgrade-check.html)
+ [elasticache-rbac-auth-enabled](./elasticache-rbac-auth-enabled.html)
+ [elasticache-redis-cluster-automatic-backup-check](./elasticache-redis-cluster-automatic-backup-check.html)
+ [elasticache-repl-grp-auto-failover-enabled](./elasticache-repl-grp-auto-failover-enabled.html)
+ [elasticache-repl-grp-encrypted-at-rest](./elasticache-repl-grp-encrypted-at-rest.html)
+ [elasticache-repl-grp-encrypted-in-transit](./elasticache-repl-grp-encrypted-in-transit.html)
+ [elasticache-repl-grp-redis-auth-enabled](./elasticache-repl-grp-redis-auth-enabled.html)
+ [elasticache-subnet-group-check](./elasticache-subnet-group-check.html)
+ [elasticache-supported-engine-version](./elasticache-supported-engine-version.html)
+ [elasticbeanstalk-application-description](./elasticbeanstalk-application-description.html)
+ [elasticbeanstalk-application-version-description](./elasticbeanstalk-application-version-description.html)
+ [elasticbeanstalk-environment-description](./elasticbeanstalk-environment-description.html)
+ [elasticsearch-encrypted-at-rest](./elasticsearch-encrypted-at-rest.html)
+ [elasticsearch-in-vpc-only](./elasticsearch-in-vpc-only.html)
+ [elasticsearch-logs-to-cloudwatch](./elasticsearch-logs-to-cloudwatch.html)
+ [elasticsearch-node-to-node-encryption-check](./elasticsearch-node-to-node-encryption-check.html)
+ [elastic-beanstalk-logs-to-cloudwatch](./elastic-beanstalk-logs-to-cloudwatch.html)
+ [elastic-beanstalk-managed-updates-enabled](./elastic-beanstalk-managed-updates-enabled.html)
+ [elbv2-acm-certificate-required](./elbv2-acm-certificate-required.html)
+ [elbv2-listener-encryption-in-transit](./elbv2-listener-encryption-in-transit.html)
+ [elbv2-multiple-az](./elbv2-multiple-az.html)
+ [elbv2-predefined-security-policy-ssl-check](./elbv2-predefined-security-policy-ssl-check.html)
+ [elbv2-targetgroup-healthcheck-protocol-encrypted](./elbv2-targetgroup-healthcheck-protocol-encrypted.html)
+ [elbv2-targetgroup-protocol-encrypted](./elbv2-targetgroup-protocol-encrypted.html)
+ [elb-acm-certificate-required](./elb-acm-certificate-required.html)
+ [elb-cross-zone-load-balancing-enabled](./elb-cross-zone-load-balancing-enabled.html)
+ [elb-custom-security-policy-ssl-check](./elb-custom-security-policy-ssl-check.html)
+ [elb-deletion-protection-enabled](./elb-deletion-protection-enabled.html)
+ [elb-internal-scheme-check](./elb-internal-scheme-check.html)
+ [elb-logging-enabled](./elb-logging-enabled.html)
+ [elb-predefined-security-policy-ssl-check](./elb-predefined-security-policy-ssl-check.html)
+ [elb-tagged](./elb-tagged.html)
+ [elb-tls-https-listeners-only](./elb-tls-https-listeners-only.html)
+ [emr-block-public-access](./emr-block-public-access.html)
+ [emr-kerberos-enabled](./emr-kerberos-enabled.html)
+ [emr-master-no-public-ip](./emr-master-no-public-ip.html)
+ [emr-security-configuration-encryption-rest](./emr-security-configuration-encryption-rest.html)
+ [emr-security-configuration-encryption-transit](./emr-security-configuration-encryption-transit.html)
+ [encrypted-volumes](./encrypted-volumes.html)
+ [eventschemas-discoverer-tagged](./eventschemas-discoverer-tagged.html)
+ [eventschemas-registry-tagged](./eventschemas-registry-tagged.html)
+ [event-data-store-cmk-encryption-enabled](./event-data-store-cmk-encryption-enabled.html)
+ [fis-experiment-template-log-configuration-exists](./fis-experiment-template-log-configuration-exists.html)
+ [fis-experiment-template-tagged](./fis-experiment-template-tagged.html)
+ [fms-shield-resource-policy-check](./fms-shield-resource-policy-check.html)
+ [fms-webacl-resource-policy-check](./fms-webacl-resource-policy-check.html)
+ [fms-webacl-rulegroup-association-check](./fms-webacl-rulegroup-association-check.html)
+ [fsx-last-backup-recovery-point-created](./fsx-last-backup-recovery-point-created.html)
+ [fsx-lustre-copy-tags-to-backups](./fsx-lustre-copy-tags-to-backups.html)
+ [fsx-meets-restore-time-target](./fsx-meets-restore-time-target.html)
+ [fsx-ontap-deployment-type-check](./fsx-ontap-deployment-type-check.html)
+ [fsx-openzfs-copy-tags-enabled](./fsx-openzfs-copy-tags-enabled.html)
+ [fsx-openzfs-deployment-type-check](./fsx-openzfs-deployment-type-check.html)
+ [fsx-resources-protected-by-backup-plan](./fsx-resources-protected-by-backup-plan.html)
+ [fsx-windows-audit-log-configured](./fsx-windows-audit-log-configured.html)
+ [fsx-windows-deployment-type-check](./fsx-windows-deployment-type-check.html)
+ [glb-listener-tagged](./glb-listener-tagged.html)
+ [glb-tagged](./glb-tagged.html)
+ [glue-job-logging-enabled](./glue-job-logging-enabled.html)
+ [glue-ml-transform-encrypted-at-rest](./glue-ml-transform-encrypted-at-rest.html)
+ [glue-ml-transform-tagged](./glue-ml-transform-tagged.html)
+ [glue-spark-job-supported-version](./glue-spark-job-supported-version.html)
+ [guardduty-ec2-protection-runtime-enabled](./guardduty-ec2-protection-runtime-enabled.html)
+ [guardduty-ecs-protection-runtime-enabled](./guardduty-ecs-protection-runtime-enabled.html)
+ [guardduty-eks-protection-audit-enabled](./guardduty-eks-protection-audit-enabled.html)
+ [guardduty-eks-protection-runtime-enabled](./guardduty-eks-protection-runtime-enabled.html)
+ [guardduty-enabled-centralized](./guardduty-enabled-centralized.html)
+ [guardduty-lambda-protection-enabled](./guardduty-lambda-protection-enabled.html)
+ [guardduty-malware-protection-enabled](./guardduty-malware-protection-enabled.html)
+ [guardduty-non-archived-findings](./guardduty-non-archived-findings.html)
+ [guardduty-rds-protection-enabled](./guardduty-rds-protection-enabled.html)
+ [guardduty-runtime-monitoring-enabled](./guardduty-runtime-monitoring-enabled.html)
+ [guardduty-s3-protection-enabled](./guardduty-s3-protection-enabled.html)
+ [iam-customer-policy-blocked-kms-actions](./iam-customer-policy-blocked-kms-actions.html)
+ [iam-external-access-analyzer-enabled](./iam-external-access-analyzer-enabled.html)
+ [iam-group-has-users-check](./iam-group-has-users-check.html)
+ [iam-inline-policy-blocked-kms-actions](./iam-inline-policy-blocked-kms-actions.html)
+ [iam-no-inline-policy-check](./iam-no-inline-policy-check.html)
+ [iam-password-policy](./iam-password-policy.html)
+ [iam-policy-blacklisted-check](./iam-policy-blacklisted-check.html)
+ [iam-policy-description](./iam-policy-description.html)
+ [iam-policy-in-use](./iam-policy-in-use.html)
+ [iam-policy-no-statements-with-admin-access](./iam-policy-no-statements-with-admin-access.html)
+ [iam-policy-no-statements-with-full-access](./iam-policy-no-statements-with-full-access.html)
+ [iam-role-managed-policy-check](./iam-role-managed-policy-check.html)
+ [iam-root-access-key-check](./iam-root-access-key-check.html)
+ [iam-user-group-membership-check](./iam-user-group-membership-check.html)
+ [iam-user-mfa-enabled](./iam-user-mfa-enabled.html)
+ [iam-user-no-policies-check](./iam-user-no-policies-check.html)
+ [iam-user-unused-credentials-check](./iam-user-unused-credentials-check.html)
+ [imagebuilder-distributionconfiguration-tagged](./imagebuilder-distributionconfiguration-tagged.html)
+ [imagebuilder-imagepipeline-tagged](./imagebuilder-imagepipeline-tagged.html)
+ [imagebuilder-imagerecipe-ebs-volumes-encrypted](./imagebuilder-imagerecipe-ebs-volumes-encrypted.html)
+ [imagebuilder-imagerecipe-tagged](./imagebuilder-imagerecipe-tagged.html)
+ [imagebuilder-infrastructureconfiguration-tagged](./imagebuilder-infrastructureconfiguration-tagged.html)
+ [incoming-ssh-disabled](./incoming-ssh-disabled.html)
+ [inspector-ec2-scan-enabled](./inspector-ec2-scan-enabled.html)
+ [inspector-ecr-scan-enabled](./inspector-ecr-scan-enabled.html)
+ [inspector-lambda-standard-scan-enabled](./inspector-lambda-standard-scan-enabled.html)
+ [instances-in-vpc](./instances-in-vpc.html)
+ [internet-gateway-authorized-vpc-only](./internet-gateway-authorized-vpc-only.html)
+ [iotdevicedefender-custom-metric-tagged](./iotdevicedefender-custom-metric-tagged.html)
+ [iot-authorizer-token-signing-enabled](./iot-authorizer-token-signing-enabled.html)
+ [iot-job-template-tagged](./iot-job-template-tagged.html)
+ [iot-provisioning-template-description](./iot-provisioning-template-description.html)
+ [iot-provisioning-template-jitp](./iot-provisioning-template-jitp.html)
+ [iot-provisioning-template-tagged](./iot-provisioning-template-tagged.html)
+ [iot-scheduled-audit-tagged](./iot-scheduled-audit-tagged.html)
+ [kinesisvideo-signalingchannel-tagged](./kinesisvideo-signalingchannel-tagged.html)
+ [kinesisvideo-stream-tagged](./kinesisvideo-stream-tagged.html)
+ [kinesis-firehose-delivery-stream-encrypted](./kinesis-firehose-delivery-stream-encrypted.html)
+ [kinesis-stream-backup-retention-check](./kinesis-stream-backup-retention-check.html)
+ [kinesis-stream-encrypted](./kinesis-stream-encrypted.html)
+ [kinesis-video-stream-minimum-data-retention](./kinesis-video-stream-minimum-data-retention.html)
+ [kms-cmk-not-scheduled-for-deletion](./kms-cmk-not-scheduled-for-deletion.html)
+ [kms-key-policy-no-public-access](./kms-key-policy-no-public-access.html)
+ [kms-key-tagged](./kms-key-tagged.html)
+ [lambda-concurrency-check](./lambda-concurrency-check.html)
+ [lambda-dlq-check](./lambda-dlq-check.html)
+ [lambda-function-application-log-level-check](./lambda-function-application-log-level-check.html)
+ [lambda-function-description](./lambda-function-description.html)
+ [lambda-function-log-format-json](./lambda-function-log-format-json.html)
+ [lambda-function-public-access-prohibited](./lambda-function-public-access-prohibited.html)
+ [lambda-function-settings-check](./lambda-function-settings-check.html)
+ [lambda-function-system-log-level-check](./lambda-function-system-log-level-check.html)
+ [lambda-function-xray-enabled](./lambda-function-xray-enabled.html)
+ [lambda-inside-vpc](./lambda-inside-vpc.html)
+ [lambda-vpc-multi-az-check](./lambda-vpc-multi-az-check.html)
+ [macie-auto-sensitive-data-discovery-check](./macie-auto-sensitive-data-discovery-check.html)
+ [macie-status-check](./macie-status-check.html)
+ [mariadb-publish-logs-to-cloudwatch-logs](./mariadb-publish-logs-to-cloudwatch-logs.html)
+ [memorydb-subnetgroup-tagged](./memorydb-subnetgroup-tagged.html)
+ [mfa-enabled-for-iam-console-access](./mfa-enabled-for-iam-console-access.html)
+ [mq-active-broker-ldap-authentication](./mq-active-broker-ldap-authentication.html)
+ [mq-active-deployment-mode](./mq-active-deployment-mode.html)
+ [mq-active-single-instance-broker-storage-type-efs](./mq-active-single-instance-broker-storage-type-efs.html)
+ [mq-automatic-minor-version-upgrade-enabled](./mq-automatic-minor-version-upgrade-enabled.html)
+ [mq-auto-minor-version-upgrade-enabled](./mq-auto-minor-version-upgrade-enabled.html)
+ [mq-broker-general-logging-enabled](./mq-broker-general-logging-enabled.html)
+ [mq-cloudwatch-audit-logging-enabled](./mq-cloudwatch-audit-logging-enabled.html)
+ [mq-cloudwatch-audit-log-enabled](./mq-cloudwatch-audit-log-enabled.html)
+ [mq-no-public-access](./mq-no-public-access.html)
+ [mq-rabbit-deployment-mode](./mq-rabbit-deployment-mode.html)
+ [msk-cluster-public-access-disabled](./msk-cluster-public-access-disabled.html)
+ [msk-cluster-tagged](./msk-cluster-tagged.html)
+ [msk-enhanced-monitoring-enabled](./msk-enhanced-monitoring-enabled.html)
+ [msk-in-cluster-node-require-tls](./msk-in-cluster-node-require-tls.html)
+ [msk-unrestricted-access-check](./msk-unrestricted-access-check.html)
+ [multi-region-cloud-trail-enabled](./multi-region-cloud-trail-enabled.html)
+ [nacl-no-unrestricted-ssh-rdp](./nacl-no-unrestricted-ssh-rdp.html)
+ [neptune-cluster-backup-retention-check](./neptune-cluster-backup-retention-check.html)
+ [neptune-cluster-cloudwatch-log-export-enabled](./neptune-cluster-cloudwatch-log-export-enabled.html)
+ [neptune-cluster-copy-tags-to-snapshot-enabled](./neptune-cluster-copy-tags-to-snapshot-enabled.html)
+ [neptune-cluster-deletion-protection-enabled](./neptune-cluster-deletion-protection-enabled.html)
+ [neptune-cluster-encrypted](./neptune-cluster-encrypted.html)
+ [neptune-cluster-iam-database-authentication](./neptune-cluster-iam-database-authentication.html)
+ [neptune-cluster-multi-az-enabled](./neptune-cluster-multi-az-enabled.html)
+ [neptune-cluster-snapshot-encrypted](./neptune-cluster-snapshot-encrypted.html)
+ [neptune-cluster-snapshot-iam-database-auth-enabled](./neptune-cluster-snapshot-iam-database-auth-enabled.html)
+ [neptune-cluster-snapshot-public-prohibited](./neptune-cluster-snapshot-public-prohibited.html)
+ [netfw-deletion-protection-enabled](./netfw-deletion-protection-enabled.html)
+ [netfw-logging-enabled](./netfw-logging-enabled.html)
+ [netfw-multi-az-enabled](./netfw-multi-az-enabled.html)
+ [netfw-policy-default-action-fragment-packets](./netfw-policy-default-action-fragment-packets.html)
+ [netfw-policy-default-action-full-packets](./netfw-policy-default-action-full-packets.html)
+ [netfw-policy-rule-group-associated](./netfw-policy-rule-group-associated.html)
+ [netfw-stateless-rule-group-not-empty](./netfw-stateless-rule-group-not-empty.html)
+ [netfw-subnet-change-protection-enabled](./netfw-subnet-change-protection-enabled.html)
+ [nlb-cross-zone-load-balancing-enabled](./nlb-cross-zone-load-balancing-enabled.html)
+ [nlb-internal-scheme-check](./nlb-internal-scheme-check.html)
+ [nlb-listener-tagged](./nlb-listener-tagged.html)
+ [nlb-logging-enabled](./nlb-logging-enabled.html)
+ [nlb-tagged](./nlb-tagged.html)
+ [no-unrestricted-route-to-igw](./no-unrestricted-route-to-igw.html)
+ [opensearch-access-control-enabled](./opensearch-access-control-enabled.html)
+ [opensearch-audit-logging-enabled](./opensearch-audit-logging-enabled.html)
+ [opensearch-data-node-fault-tolerance](./opensearch-data-node-fault-tolerance.html)
+ [opensearch-encrypted-at-rest](./opensearch-encrypted-at-rest.html)
+ [opensearch-https-required](./opensearch-https-required.html)
+ [opensearch-in-vpc-only](./opensearch-in-vpc-only.html)
+ [opensearch-logs-to-cloudwatch](./opensearch-logs-to-cloudwatch.html)
+ [opensearch-node-to-node-encryption-check](./opensearch-node-to-node-encryption-check.html)
+ [opensearch-primary-node-fault-tolerance](./opensearch-primary-node-fault-tolerance.html)
+ [opensearch-update-check](./opensearch-update-check.html)
+ [rabbit-mq-supported-version](./rabbit-mq-supported-version.html)
+ [rds-aurora-mysql-audit-logging-enabled](./rds-aurora-mysql-audit-logging-enabled.html)
+ [rds-aurora-postgresql-logs-to-cloudwatch](./rds-aurora-postgresql-logs-to-cloudwatch.html)
+ [rds-automatic-minor-version-upgrade-enabled](./rds-automatic-minor-version-upgrade-enabled.html)
+ [rds-cluster-auto-minor-version-upgrade-enable](./rds-cluster-auto-minor-version-upgrade-enable.html)
+ [rds-cluster-backup-retention-check](./rds-cluster-backup-retention-check.html)
+ [rds-cluster-default-admin-check](./rds-cluster-default-admin-check.html)
+ [rds-cluster-deletion-protection-enabled](./rds-cluster-deletion-protection-enabled.html)
+ [rds-cluster-encrypted-at-rest](./rds-cluster-encrypted-at-rest.html)
+ [rds-cluster-iam-authentication-enabled](./rds-cluster-iam-authentication-enabled.html)
+ [rds-cluster-multi-az-enabled](./rds-cluster-multi-az-enabled.html)
+ [rds-enhanced-monitoring-enabled](./rds-enhanced-monitoring-enabled.html)
+ [rds-event-subscription-tagged](./rds-event-subscription-tagged.html)
+ [rds-global-cluster-aurora-mysql-supported-version](./rds-global-cluster-aurora-mysql-supported-version.html)
+ [rds-instance-default-admin-check](./rds-instance-default-admin-check.html)
+ [rds-instance-deletion-protection-enabled](./rds-instance-deletion-protection-enabled.html)
+ [rds-instance-iam-authentication-enabled](./rds-instance-iam-authentication-enabled.html)
+ [rds-instance-public-access-check](./rds-instance-public-access-check.html)
+ [rds-instance-subnet-igw-check](./rds-instance-subnet-igw-check.html)
+ [rds-in-backup-plan](./rds-in-backup-plan.html)
+ [rds-last-backup-recovery-point-created](./rds-last-backup-recovery-point-created.html)
+ [rds-logging-enabled](./rds-logging-enabled.html)
+ [rds-mariadb-instance-encrypted-in-transit](./rds-mariadb-instance-encrypted-in-transit.html)
+ [rds-meets-restore-time-target](./rds-meets-restore-time-target.html)
+ [rds-multi-az-support](./rds-multi-az-support.html)
+ [rds-mysql-cluster-copy-tags-to-snapshot-check](./rds-mysql-cluster-copy-tags-to-snapshot-check.html)
+ [rds-mysql-instance-encrypted-in-transit](./rds-mysql-instance-encrypted-in-transit.html)
+ [rds-option-group-tagged](./rds-option-group-tagged.html)
+ [rds-pgsql-cluster-copy-tags-to-snapshot-check](./rds-pgsql-cluster-copy-tags-to-snapshot-check.html)
+ [rds-postgresql-logs-to-cloudwatch](./rds-postgresql-logs-to-cloudwatch.html)
+ [rds-postgres-instance-encrypted-in-transit](./rds-postgres-instance-encrypted-in-transit.html)
+ [rds-proxy-tls-encryption](./rds-proxy-tls-encryption.html)
+ [rds-resources-protected-by-backup-plan](./rds-resources-protected-by-backup-plan.html)
+ [rds-snapshots-public-prohibited](./rds-snapshots-public-prohibited.html)
+ [rds-snapshot-encrypted](./rds-snapshot-encrypted.html)
+ [rds-sqlserver-encrypted-in-transit](./rds-sqlserver-encrypted-in-transit.html)
+ [rds-sql-server-logs-to-cloudwatch](./rds-sql-server-logs-to-cloudwatch.html)
+ [rds-storage-encrypted](./rds-storage-encrypted.html)
+ [redshift-audit-logging-enabled](./redshift-audit-logging-enabled.html)
+ [redshift-backup-enabled](./redshift-backup-enabled.html)
+ [redshift-cluster-configuration-check](./redshift-cluster-configuration-check.html)
+ [redshift-cluster-kms-enabled](./redshift-cluster-kms-enabled.html)
+ [redshift-cluster-maintenancesettings-check](./redshift-cluster-maintenancesettings-check.html)
+ [redshift-cluster-multi-az-enabled](./redshift-cluster-multi-az-enabled.html)
+ [redshift-cluster-parameter-group-tagged](./redshift-cluster-parameter-group-tagged.html)
+ [redshift-cluster-public-access-check](./redshift-cluster-public-access-check.html)
+ [redshift-cluster-subnet-group-multi-az](./redshift-cluster-subnet-group-multi-az.html)
+ [redshift-default-admin-check](./redshift-default-admin-check.html)
+ [redshift-default-db-name-check](./redshift-default-db-name-check.html)
+ [redshift-enhanced-vpc-routing-enabled](./redshift-enhanced-vpc-routing-enabled.html)
+ [redshift-require-tls-ssl](./redshift-require-tls-ssl.html)
+ [redshift-serverless-default-admin-check](./redshift-serverless-default-admin-check.html)
+ [redshift-serverless-default-db-name-check](./redshift-serverless-default-db-name-check.html)
+ [redshift-serverless-namespace-cmk-encryption](./redshift-serverless-namespace-cmk-encryption.html)
+ [redshift-serverless-publish-logs-to-cloudwatch](./redshift-serverless-publish-logs-to-cloudwatch.html)
+ [redshift-serverless-workgroup-no-public-access](./redshift-serverless-workgroup-no-public-access.html)
+ [redshift-unrestricted-port-access](./redshift-unrestricted-port-access.html)
+ [required-tags](./required-tags.html)
+ [resiliencehub-app-tagged](./resiliencehub-app-tagged.html)
+ [resiliencehub-resiliencypolicy-tagged](./resiliencehub-resiliencypolicy-tagged.html)
+ [restricted-incoming-traffic](./restricted-incoming-traffic.html)
+ [root-account-hardware-mfa-enabled](./root-account-hardware-mfa-enabled.html)
+ [root-account-mfa-enabled](./root-account-mfa-enabled.html)
+ [route53-resolver-firewall-domain-list-tagged](./route53-resolver-firewall-domain-list-tagged.html)
+ [route53-resolver-firewall-rule-group-association-tagged](./route53-resolver-firewall-rule-group-association-tagged.html)
+ [route53-resolver-firewall-rule-group-tagged](./route53-resolver-firewall-rule-group-tagged.html)
+ [route53-resolver-resolver-endpoint-tagged](./route53-resolver-resolver-endpoint-tagged.html)
+ [route53-resolver-resolver-rule-tagged](./route53-resolver-resolver-rule-tagged.html)
+ [s3-access-point-in-vpc-only](./s3-access-point-in-vpc-only.html)
+ [s3-access-point-public-access-blocks](./s3-access-point-public-access-blocks.html)
+ [s3-account-level-public-access-blocks](./s3-account-level-public-access-blocks.html)
+ [s3-account-level-public-access-blocks-periodic](./s3-account-level-public-access-blocks-periodic.html)
+ [s3-bucket-acl-prohibited](./s3-bucket-acl-prohibited.html)
+ [s3-bucket-blacklisted-actions-prohibited](./s3-bucket-blacklisted-actions-prohibited.html)
+ [s3-bucket-cross-region-replication-enabled](./s3-bucket-cross-region-replication-enabled.html)
+ [s3-bucket-default-lock-enabled](./s3-bucket-default-lock-enabled.html)
+ [s3-bucket-level-public-access-prohibited](./s3-bucket-level-public-access-prohibited.html)
+ [s3-bucket-logging-enabled](./s3-bucket-logging-enabled.html)
+ [s3-bucket-mfa-delete-enabled](./s3-bucket-mfa-delete-enabled.html)
+ [s3-bucket-policy-grantee-check](./s3-bucket-policy-grantee-check.html)
+ [s3-bucket-policy-not-more-permissive](./s3-bucket-policy-not-more-permissive.html)
+ [s3-bucket-public-read-prohibited](./s3-bucket-public-read-prohibited.html)
+ [s3-bucket-public-write-prohibited](./s3-bucket-public-write-prohibited.html)
+ [s3-bucket-replication-enabled](./s3-bucket-replication-enabled.html)
+ [s3-bucket-server-side-encryption-enabled](./s3-bucket-server-side-encryption-enabled.html)
+ [s3-bucket-ssl-requests-only](./s3-bucket-ssl-requests-only.html)
+ [s3-bucket-tagged](./s3-bucket-tagged.html)
+ [s3-bucket-versioning-enabled](./s3-bucket-versioning-enabled.html)
+ [s3-default-encryption-kms](./s3-default-encryption-kms.html)
+ [s3-event-notifications-enabled](./s3-event-notifications-enabled.html)
+ [s3-last-backup-recovery-point-created](./s3-last-backup-recovery-point-created.html)
+ [s3-lifecycle-policy-check](./s3-lifecycle-policy-check.html)
+ [s3-meets-restore-time-target](./s3-meets-restore-time-target.html)
+ [s3-resources-protected-by-backup-plan](./s3-resources-protected-by-backup-plan.html)
+ [s3-version-lifecycle-policy-check](./s3-version-lifecycle-policy-check.html)
+ [sagemaker-app-image-config-tagged](./sagemaker-app-image-config-tagged.html)
+ [sagemaker-data-quality-job-encrypt-in-transit](./sagemaker-data-quality-job-encrypt-in-transit.html)
+ [sagemaker-data-quality-job-isolation](./sagemaker-data-quality-job-isolation.html)
+ [sagemaker-domain-in-vpc](./sagemaker-domain-in-vpc.html)
+ [sagemaker-domain-tagged](./sagemaker-domain-tagged.html)
+ [sagemaker-endpoint-configuration-kms-key-configured](./sagemaker-endpoint-configuration-kms-key-configured.html)
+ [sagemaker-endpoint-config-prod-instance-count](./sagemaker-endpoint-config-prod-instance-count.html)
+ [sagemaker-featuregroup-description](./sagemaker-featuregroup-description.html)
+ [sagemaker-featuregroup-encryption-at-rest](./sagemaker-featuregroup-encryption-at-rest.html)
+ [sagemaker-feature-group-tagged](./sagemaker-feature-group-tagged.html)
+ [sagemaker-image-description](./sagemaker-image-description.html)
+ [sagemaker-image-tagged](./sagemaker-image-tagged.html)
+ [sagemaker-inferenceexperiment-tagged](./sagemaker-inferenceexperiment-tagged.html)
+ [sagemaker-model-bias-job-encrypt-in-transit](./sagemaker-model-bias-job-encrypt-in-transit.html)
+ [sagemaker-model-bias-job-isolation](./sagemaker-model-bias-job-isolation.html)
+ [sagemaker-model-explainability-job-encrypt-in-transit](./sagemaker-model-explainability-job-encrypt-in-transit.html)
+ [sagemaker-model-in-vpc](./sagemaker-model-in-vpc.html)
+ [sagemaker-model-isolation-enabled](./sagemaker-model-isolation-enabled.html)
+ [sagemaker-model-private-registry-required](./sagemaker-model-private-registry-required.html)
+ [sagemaker-model-quality-job-encrypt-in-transit](./sagemaker-model-quality-job-encrypt-in-transit.html)
+ [sagemaker-monitoring-schedule-isolation](./sagemaker-monitoring-schedule-isolation.html)
+ [sagemaker-notebook-instance-inside-vpc](./sagemaker-notebook-instance-inside-vpc.html)
+ [sagemaker-notebook-instance-kms-key-configured](./sagemaker-notebook-instance-kms-key-configured.html)
+ [sagemaker-notebook-instance-platform-version](./sagemaker-notebook-instance-platform-version.html)
+ [sagemaker-notebook-instance-root-access-check](./sagemaker-notebook-instance-root-access-check.html)
+ [sagemaker-notebook-no-direct-internet-access](./sagemaker-notebook-no-direct-internet-access.html)
+ [secretsmanager-rotation-enabled-check](./secretsmanager-rotation-enabled-check.html)
+ [secretsmanager-scheduled-rotation-success-check](./secretsmanager-scheduled-rotation-success-check.html)
+ [secretsmanager-secret-periodic-rotation](./secretsmanager-secret-periodic-rotation.html)
+ [secretsmanager-secret-unused](./secretsmanager-secret-unused.html)
+ [secretsmanager-using-cmk](./secretsmanager-using-cmk.html)
+ [securityhub-enabled](./securityhub-enabled.html)
+ [security-account-information-provided](./security-account-information-provided.html)
+ [service-catalog-portfolio-tagged](./service-catalog-portfolio-tagged.html)
+ [service-catalog-shared-within-organization](./service-catalog-shared-within-organization.html)
+ [service-vpc-endpoint-enabled](./service-vpc-endpoint-enabled.html)
+ [signer-signingprofile-tagged](./signer-signingprofile-tagged.html)
+ [sns-encrypted-kms](./sns-encrypted-kms.html)
+ [sns-topic-message-delivery-notification-enabled](./sns-topic-message-delivery-notification-enabled.html)
+ [sns-topic-no-public-access](./sns-topic-no-public-access.html)
+ [sqs-queue-dlq-check](./sqs-queue-dlq-check.html)
+ [sqs-queue-no-public-access](./sqs-queue-no-public-access.html)
+ [sqs-queue-policy-full-access-check](./sqs-queue-policy-full-access-check.html)
+ [ssm-automation-block-public-sharing](./ssm-automation-block-public-sharing.html)
+ [ssm-automation-logging-enabled](./ssm-automation-logging-enabled.html)
+ [ssm-document-not-public](./ssm-document-not-public.html)
+ [ssm-document-tagged](./ssm-document-tagged.html)
+ [stepfunctions-state-machine-tagged](./stepfunctions-state-machine-tagged.html)
+ [step-functions-state-machine-logging-enabled](./step-functions-state-machine-logging-enabled.html)
+ [storagegateway-last-backup-recovery-point-created](./storagegateway-last-backup-recovery-point-created.html)
+ [storagegateway-resources-in-logically-air-gapped-vault](./storagegateway-resources-in-logically-air-gapped-vault.html)
+ [storagegateway-resources-protected-by-backup-plan](./storagegateway-resources-protected-by-backup-plan.html)
+ [subnet-auto-assign-public-ip-disabled](./subnet-auto-assign-public-ip-disabled.html)
+ [transfer-agreement-description](./transfer-agreement-description.html)
+ [transfer-agreement-tagged](./transfer-agreement-tagged.html)
+ [transfer-certificate-description](./transfer-certificate-description.html)
+ [transfer-certificate-tagged](./transfer-certificate-tagged.html)
+ [transfer-connector-as2-encryption-algorithm-check](./transfer-connector-as2-encryption-algorithm-check.html)
+ [transfer-connector-as2-mdn-signing-algorithm-check](./transfer-connector-as2-mdn-signing-algorithm-check.html)
+ [transfer-connector-as2-signing-algorithm-check](./transfer-connector-as2-signing-algorithm-check.html)
+ [transfer-connector-logging-enabled](./transfer-connector-logging-enabled.html)
+ [transfer-connector-tagged](./transfer-connector-tagged.html)
+ [transfer-family-server-no-ftp](./transfer-family-server-no-ftp.html)
+ [transfer-profile-tagged](./transfer-profile-tagged.html)
+ [transfer-workflow-description](./transfer-workflow-description.html)
+ [transfer-workflow-tagged](./transfer-workflow-tagged.html)
+ [virtualmachine-last-backup-recovery-point-created](./virtualmachine-last-backup-recovery-point-created.html)
+ [virtualmachine-resources-in-logically-air-gapped-vault](./virtualmachine-resources-in-logically-air-gapped-vault.html)
+ [virtualmachine-resources-protected-by-backup-plan](./virtualmachine-resources-protected-by-backup-plan.html)
+ [vpc-default-security-group-closed](./vpc-default-security-group-closed.html)
+ [vpc-endpoint-enabled](./vpc-endpoint-enabled.html)
+ [vpc-flow-logs-enabled](./vpc-flow-logs-enabled.html)
+ [vpc-network-acl-unused-check](./vpc-network-acl-unused-check.html)
+ [vpc-peering-dns-resolution-check](./vpc-peering-dns-resolution-check.html)
+ [vpc-sg-open-only-to-authorized-ports](./vpc-sg-open-only-to-authorized-ports.html)
+ [vpc-sg-port-restriction-check](./vpc-sg-port-restriction-check.html)
+ [vpc-vpn-2-tunnels-up](./vpc-vpn-2-tunnels-up.html)
+ [wafv2-logging-enabled](./wafv2-logging-enabled.html)
+ [wafv2-rulegroup-logging-enabled](./wafv2-rulegroup-logging-enabled.html)
+ [wafv2-rulegroup-not-empty](./wafv2-rulegroup-not-empty.html)
+ [wafv2-webacl-not-empty](./wafv2-webacl-not-empty.html)
+ [waf-global-rulegroup-not-empty](./waf-global-rulegroup-not-empty.html)
+ [waf-global-rule-not-empty](./waf-global-rule-not-empty.html)
+ [waf-regional-rulegroup-not-empty](./waf-regional-rulegroup-not-empty.html)
+ [waf-regional-rule-not-empty](./waf-regional-rule-not-empty.html)
+ [waf-regional-webacl-not-empty](./waf-regional-webacl-not-empty.html)

## Asia Pacific (Hyderabad) Region
<a name="asia-pacific-hyderabad-section-head"></a>

### Asia Pacific (Hyderabad)
<a name="asia-pacific-hyderabad"></a>
+ [account-part-of-organizations](./account-part-of-organizations.html)
+ [acmpca-certificate-authority-tagged](./acmpca-certificate-authority-tagged.html)
+ [acm-certificate-expiration-check](./acm-certificate-expiration-check.html)
+ [acm-certificate-rsa-check](./acm-certificate-rsa-check.html)
+ [acm-certificate-transparent-logging-enabled](./acm-certificate-transparent-logging-enabled.html)
+ [acm-pca-root-ca-disabled](./acm-pca-root-ca-disabled.html)
+ [alb-desync-mode-check](./alb-desync-mode-check.html)
+ [alb-http-drop-invalid-header-enabled](./alb-http-drop-invalid-header-enabled.html)
+ [alb-http-to-https-redirection-check](./alb-http-to-https-redirection-check.html)
+ [alb-internal-scheme-check](./alb-internal-scheme-check.html)
+ [alb-tagged](./alb-tagged.html)
+ [alb-waf-enabled](./alb-waf-enabled.html)
+ [apigatewayv2-integration-private-https-enabled](./apigatewayv2-integration-private-https-enabled.html)
+ [apigatewayv2-stage-description](./apigatewayv2-stage-description.html)
+ [apigateway-domain-name-tls-check](./apigateway-domain-name-tls-check.html)
+ [apigateway-stage-access-logs-enabled](./apigateway-stage-access-logs-enabled.html)
+ [apigateway-stage-description](./apigateway-stage-description.html)
+ [api-gwv2-access-logs-enabled](./api-gwv2-access-logs-enabled.html)
+ [api-gwv2-stage-default-route-detailed-metrics-enabled](./api-gwv2-stage-default-route-detailed-metrics-enabled.html)
+ [api-gw-associated-with-waf](./api-gw-associated-with-waf.html)
+ [api-gw-cache-enabled-and-encrypted](./api-gw-cache-enabled-and-encrypted.html)
+ [api-gw-endpoint-type-check](./api-gw-endpoint-type-check.html)
+ [api-gw-execution-logging-enabled](./api-gw-execution-logging-enabled.html)
+ [api-gw-rest-api-tagged](./api-gw-rest-api-tagged.html)
+ [api-gw-ssl-enabled](./api-gw-ssl-enabled.html)
+ [api-gw-stage-tagged](./api-gw-stage-tagged.html)
+ [api-gw-xray-enabled](./api-gw-xray-enabled.html)
+ [appconfig-deployment-strategy-description](./appconfig-deployment-strategy-description.html)
+ [appconfig-deployment-strategy-minimum-final-bake-time](./appconfig-deployment-strategy-minimum-final-bake-time.html)
+ [appconfig-deployment-strategy-replicate-to-ssm](./appconfig-deployment-strategy-replicate-to-ssm.html)
+ [appconfig-deployment-strategy-tagged](./appconfig-deployment-strategy-tagged.html)
+ [appconfig-extension-association-tagged](./appconfig-extension-association-tagged.html)
+ [approved-amis-by-id](./approved-amis-by-id.html)
+ [approved-amis-by-tag](./approved-amis-by-tag.html)
+ [appsync-authorization-check](./appsync-authorization-check.html)
+ [appsync-graphql-api-xray-enabled](./appsync-graphql-api-xray-enabled.html)
+ [appsync-logging-enabled](./appsync-logging-enabled.html)
+ [athena-data-catalog-description](./athena-data-catalog-description.html)
+ [athena-prepared-statement-description](./athena-prepared-statement-description.html)
+ [athena-workgroup-description](./athena-workgroup-description.html)
+ [athena-workgroup-enforce-workgroup-configuration](./athena-workgroup-enforce-workgroup-configuration.html)
+ [athena-workgroup-engine-version-auto-upgrade](./athena-workgroup-engine-version-auto-upgrade.html)
+ [athena-workgroup-logging-enabled](./athena-workgroup-logging-enabled.html)
+ [aurora-global-database-encryption-at-rest](./aurora-global-database-encryption-at-rest.html)
+ [aurora-last-backup-recovery-point-created](./aurora-last-backup-recovery-point-created.html)
+ [aurora-meets-restore-time-target](./aurora-meets-restore-time-target.html)
+ [aurora-mysql-cluster-audit-logging](./aurora-mysql-cluster-audit-logging.html)
+ [aurora-resources-in-logically-air-gapped-vault](./aurora-resources-in-logically-air-gapped-vault.html)
+ [aurora-resources-protected-by-backup-plan](./aurora-resources-protected-by-backup-plan.html)
+ [autoscaling-group-elb-healthcheck-required](./autoscaling-group-elb-healthcheck-required.html)
+ [autoscaling-launchconfig-requires-imdsv2](./autoscaling-launchconfig-requires-imdsv2.html)
+ [autoscaling-launch-config-hop-limit](./autoscaling-launch-config-hop-limit.html)
+ [autoscaling-launch-config-public-ip-disabled](./autoscaling-launch-config-public-ip-disabled.html)
+ [autoscaling-launch-template](./autoscaling-launch-template.html)
+ [autoscaling-multiple-az](./autoscaling-multiple-az.html)
+ [autoscaling-multiple-instance-types](./autoscaling-multiple-instance-types.html)
+ [backup-plan-min-frequency-and-min-retention-check](./backup-plan-min-frequency-and-min-retention-check.html)
+ [backup-recovery-point-encrypted](./backup-recovery-point-encrypted.html)
+ [backup-recovery-point-manual-deletion-disabled](./backup-recovery-point-manual-deletion-disabled.html)
+ [backup-recovery-point-minimum-retention-check](./backup-recovery-point-minimum-retention-check.html)
+ [batch-compute-environment-enabled](./batch-compute-environment-enabled.html)
+ [batch-compute-environment-managed](./batch-compute-environment-managed.html)
+ [batch-compute-environment-tagged](./batch-compute-environment-tagged.html)
+ [batch-job-queue-enabled](./batch-job-queue-enabled.html)
+ [batch-job-queue-tagged](./batch-job-queue-tagged.html)
+ [batch-managed-compute-environment-using-launch-template](./batch-managed-compute-environment-using-launch-template.html)
+ [batch-managed-compute-env-allocation-strategy-check](./batch-managed-compute-env-allocation-strategy-check.html)
+ [batch-managed-compute-env-compute-resources-tagged](./batch-managed-compute-env-compute-resources-tagged.html)
+ [batch-managed-spot-compute-environment-max-bid](./batch-managed-spot-compute-environment-max-bid.html)
+ [batch-scheduling-policy-tagged](./batch-scheduling-policy-tagged.html)
+ [beanstalk-enhanced-health-reporting-enabled](./beanstalk-enhanced-health-reporting-enabled.html)
+ [clb-multiple-az](./clb-multiple-az.html)
+ [cloudtrail-all-read-s3-data-event-check](./cloudtrail-all-read-s3-data-event-check.html)
+ [cloudtrail-all-write-s3-data-event-check](./cloudtrail-all-write-s3-data-event-check.html)
+ [cloudtrail-event-data-store-multi-region](./cloudtrail-event-data-store-multi-region.html)
+ [cloudtrail-s3-bucket-access-logging](./cloudtrail-s3-bucket-access-logging.html)
+ [cloudtrail-s3-bucket-public-access-prohibited](./cloudtrail-s3-bucket-public-access-prohibited.html)
+ [cloudtrail-s3-dataevents-enabled](./cloudtrail-s3-dataevents-enabled.html)
+ [cloudtrail-security-trail-enabled](./cloudtrail-security-trail-enabled.html)
+ [cloudwatch-alarm-action-check](./cloudwatch-alarm-action-check.html)
+ [cloudwatch-alarm-action-enabled-check](./cloudwatch-alarm-action-enabled-check.html)
+ [cloudwatch-alarm-description](./cloudwatch-alarm-description.html)
+ [cloudwatch-alarm-resource-check](./cloudwatch-alarm-resource-check.html)
+ [cloudwatch-alarm-settings-check](./cloudwatch-alarm-settings-check.html)
+ [cloudwatch-log-group-encrypted](./cloudwatch-log-group-encrypted.html)
+ [cloudwatch-metric-stream-tagged](./cloudwatch-metric-stream-tagged.html)
+ [cloud-trail-cloud-watch-logs-enabled](./cloud-trail-cloud-watch-logs-enabled.html)
+ [cloud-trail-enabled](./cloud-trail-enabled.html)
+ [cloud-trail-encryption-enabled](./cloud-trail-encryption-enabled.html)
+ [cloud-trail-log-file-validation-enabled](./cloud-trail-log-file-validation-enabled.html)
+ [cmk-backing-key-rotation-enabled](./cmk-backing-key-rotation-enabled.html)
+ [codebuild-project-envvar-awscred-check](./codebuild-project-envvar-awscred-check.html)
+ [codebuild-project-logging-enabled](./codebuild-project-logging-enabled.html)
+ [codebuild-project-s3-logs-encrypted](./codebuild-project-s3-logs-encrypted.html)
+ [codebuild-project-source-repo-url-check](./codebuild-project-source-repo-url-check.html)
+ [codebuild-project-tagged](./codebuild-project-tagged.html)
+ [codebuild-report-group-encrypted-at-rest](./codebuild-report-group-encrypted-at-rest.html)
+ [codebuild-report-group-tagged](./codebuild-report-group-tagged.html)
+ [codepipeline-deployment-count-check](./codepipeline-deployment-count-check.html)
+ [codepipeline-region-fanout-check](./codepipeline-region-fanout-check.html)
+ [cognito-identity-pool-unauthenticated-logins](./cognito-identity-pool-unauthenticated-logins.html)
+ [cognito-identity-pool-unauth-access-check](./cognito-identity-pool-unauth-access-check.html)
+ [cognito-userpool-cust-auth-threat-full-check](./cognito-userpool-cust-auth-threat-full-check.html)
+ [cognito-user-pool-deletion-protection-enabled](./cognito-user-pool-deletion-protection-enabled.html)
+ [cognito-user-pool-mfa-enabled](./cognito-user-pool-mfa-enabled.html)
+ [cognito-user-pool-password-policy-check](./cognito-user-pool-password-policy-check.html)
+ [cognito-user-pool-tagged](./cognito-user-pool-tagged.html)
+ [custom-eventbus-policy-attached](./custom-eventbus-policy-attached.html)
+ [cw-loggroup-retention-period-check](./cw-loggroup-retention-period-check.html)
+ [datasync-location-object-storage-using-https](./datasync-location-object-storage-using-https.html)
+ [datasync-task-data-verification-enabled](./datasync-task-data-verification-enabled.html)
+ [datasync-task-logging-enabled](./datasync-task-logging-enabled.html)
+ [datasync-task-tagged](./datasync-task-tagged.html)
+ [db-instance-backup-enabled](./db-instance-backup-enabled.html)
+ [desired-instance-tenancy](./desired-instance-tenancy.html)
+ [desired-instance-type](./desired-instance-type.html)
+ [dms-replication-not-public](./dms-replication-not-public.html)
+ [docdb-cluster-audit-logging-enabled](./docdb-cluster-audit-logging-enabled.html)
+ [docdb-cluster-backup-retention-check](./docdb-cluster-backup-retention-check.html)
+ [docdb-cluster-deletion-protection-enabled](./docdb-cluster-deletion-protection-enabled.html)
+ [docdb-cluster-encrypted](./docdb-cluster-encrypted.html)
+ [docdb-cluster-encrypted-in-transit](./docdb-cluster-encrypted-in-transit.html)
+ [docdb-cluster-snapshot-public-prohibited](./docdb-cluster-snapshot-public-prohibited.html)
+ [dynamodb-autoscaling-enabled](./dynamodb-autoscaling-enabled.html)
+ [dynamodb-in-backup-plan](./dynamodb-in-backup-plan.html)
+ [dynamodb-last-backup-recovery-point-created](./dynamodb-last-backup-recovery-point-created.html)
+ [dynamodb-meets-restore-time-target](./dynamodb-meets-restore-time-target.html)
+ [dynamodb-pitr-enabled](./dynamodb-pitr-enabled.html)
+ [dynamodb-resources-protected-by-backup-plan](./dynamodb-resources-protected-by-backup-plan.html)
+ [dynamodb-table-deletion-protection-enabled](./dynamodb-table-deletion-protection-enabled.html)
+ [dynamodb-table-encrypted-kms](./dynamodb-table-encrypted-kms.html)
+ [dynamodb-throughput-limit-check](./dynamodb-throughput-limit-check.html)
+ [ebs-in-backup-plan](./ebs-in-backup-plan.html)
+ [ebs-last-backup-recovery-point-created](./ebs-last-backup-recovery-point-created.html)
+ [ebs-meets-restore-time-target](./ebs-meets-restore-time-target.html)
+ [ebs-optimized-instance](./ebs-optimized-instance.html)
+ [ebs-resources-in-logically-air-gapped-vault](./ebs-resources-in-logically-air-gapped-vault.html)
+ [ebs-resources-protected-by-backup-plan](./ebs-resources-protected-by-backup-plan.html)
+ [ebs-snapshot-block-public-access](./ebs-snapshot-block-public-access.html)
+ [ebs-snapshot-public-restorable-check](./ebs-snapshot-public-restorable-check.html)
+ [ec2-capacity-reservation-tagged](./ec2-capacity-reservation-tagged.html)
+ [ec2-dhcp-options-tagged](./ec2-dhcp-options-tagged.html)
+ [ec2-ebs-encryption-by-default](./ec2-ebs-encryption-by-default.html)
+ [ec2-enis-source-destination-check-enabled](./ec2-enis-source-destination-check-enabled.html)
+ [ec2-fleet-tagged](./ec2-fleet-tagged.html)
+ [ec2-imdsv2-check](./ec2-imdsv2-check.html)
+ [ec2-instance-detailed-monitoring-enabled](./ec2-instance-detailed-monitoring-enabled.html)
+ [ec2-instance-launched-with-allowed-ami](./ec2-instance-launched-with-allowed-ami.html)
+ [ec2-instance-managed-by-ssm](./ec2-instance-managed-by-ssm.html)
+ [ec2-instance-multiple-eni-check](./ec2-instance-multiple-eni-check.html)
+ [ec2-instance-no-public-ip](./ec2-instance-no-public-ip.html)
+ [ec2-instance-profile-attached](./ec2-instance-profile-attached.html)
+ [ec2-ipamscope-tagged](./ec2-ipamscope-tagged.html)
+ [ec2-last-backup-recovery-point-created](./ec2-last-backup-recovery-point-created.html)
+ [ec2-managedinstance-applications-blacklisted](./ec2-managedinstance-applications-blacklisted.html)
+ [ec2-managedinstance-applications-required](./ec2-managedinstance-applications-required.html)
+ [ec2-managedinstance-inventory-blacklisted](./ec2-managedinstance-inventory-blacklisted.html)
+ [ec2-managedinstance-patch-compliance-status-check](./ec2-managedinstance-patch-compliance-status-check.html)
+ [ec2-managedinstance-platform-check](./ec2-managedinstance-platform-check.html)
+ [ec2-meets-restore-time-target](./ec2-meets-restore-time-target.html)
+ [ec2-prefix-list-tagged](./ec2-prefix-list-tagged.html)
+ [ec2-resources-in-logically-air-gapped-vault](./ec2-resources-in-logically-air-gapped-vault.html)
+ [ec2-resources-protected-by-backup-plan](./ec2-resources-protected-by-backup-plan.html)
+ [ec2-security-group-attached-to-eni](./ec2-security-group-attached-to-eni.html)
+ [ec2-spot-fleet-request-ct-encryption-at-rest](./ec2-spot-fleet-request-ct-encryption-at-rest.html)
+ [ec2-stopped-instance](./ec2-stopped-instance.html)
+ [ec2-traffic-mirror-filter-description](./ec2-traffic-mirror-filter-description.html)
+ [ec2-traffic-mirror-filter-tagged](./ec2-traffic-mirror-filter-tagged.html)
+ [ec2-transit-gateway-auto-vpc-attach-disabled](./ec2-transit-gateway-auto-vpc-attach-disabled.html)
+ [ec2-transit-gateway-multicast-domain-tagged](./ec2-transit-gateway-multicast-domain-tagged.html)
+ [ec2-volume-inuse-check](./ec2-volume-inuse-check.html)
+ [ec2-vpn-connection-ike-version-check](./ec2-vpn-connection-ike-version-check.html)
+ [ec2-vpn-connection-logging-enabled](./ec2-vpn-connection-logging-enabled.html)
+ [ec2-vpn-connection-tagged](./ec2-vpn-connection-tagged.html)
+ [ecr-private-image-scanning-enabled](./ecr-private-image-scanning-enabled.html)
+ [ecr-private-lifecycle-policy-configured](./ecr-private-lifecycle-policy-configured.html)
+ [ecr-private-tag-immutability-enabled](./ecr-private-tag-immutability-enabled.html)
+ [ecr-repository-cmk-encryption-enabled](./ecr-repository-cmk-encryption-enabled.html)
+ [ecr-repository-tagged](./ecr-repository-tagged.html)
+ [ecs-capacity-provider-tagged](./ecs-capacity-provider-tagged.html)
+ [ecs-capacity-provider-termination-check](./ecs-capacity-provider-termination-check.html)
+ [ecs-containers-nonprivileged](./ecs-containers-nonprivileged.html)
+ [ecs-containers-readonly-access](./ecs-containers-readonly-access.html)
+ [ecs-container-insights-enabled](./ecs-container-insights-enabled.html)
+ [ecs-fargate-latest-platform-version](./ecs-fargate-latest-platform-version.html)
+ [ecs-no-environment-secrets](./ecs-no-environment-secrets.html)
+ [ecs-service-propagate-tags-enabled](./ecs-service-propagate-tags-enabled.html)
+ [ecs-task-definition-efs-encryption-enabled](./ecs-task-definition-efs-encryption-enabled.html)
+ [ecs-task-definition-linux-user-non-root](./ecs-task-definition-linux-user-non-root.html)
+ [ecs-task-definition-log-configuration](./ecs-task-definition-log-configuration.html)
+ [ecs-task-definition-network-mode-not-host](./ecs-task-definition-network-mode-not-host.html)
+ [ecs-task-definition-pid-mode-check](./ecs-task-definition-pid-mode-check.html)
+ [ecs-task-definition-user-for-host-mode-check](./ecs-task-definition-user-for-host-mode-check.html)
+ [ecs-task-definition-windows-user-non-admin](./ecs-task-definition-windows-user-non-admin.html)
+ [efs-access-point-enforce-root-directory](./efs-access-point-enforce-root-directory.html)
+ [efs-access-point-enforce-user-identity](./efs-access-point-enforce-user-identity.html)
+ [efs-automatic-backups-enabled](./efs-automatic-backups-enabled.html)
+ [efs-encrypted-check](./efs-encrypted-check.html)
+ [efs-filesystem-ct-encrypted](./efs-filesystem-ct-encrypted.html)
+ [efs-file-system-tagged](./efs-file-system-tagged.html)
+ [efs-in-backup-plan](./efs-in-backup-plan.html)
+ [efs-last-backup-recovery-point-created](./efs-last-backup-recovery-point-created.html)
+ [efs-meets-restore-time-target](./efs-meets-restore-time-target.html)
+ [efs-mount-target-public-accessible](./efs-mount-target-public-accessible.html)
+ [efs-resources-in-logically-air-gapped-vault](./efs-resources-in-logically-air-gapped-vault.html)
+ [efs-resources-protected-by-backup-plan](./efs-resources-protected-by-backup-plan.html)
+ [eip-attached](./eip-attached.html)
+ [eks-addon-tagged](./eks-addon-tagged.html)
+ [eks-cluster-log-enabled](./eks-cluster-log-enabled.html)
+ [eks-cluster-secrets-encrypted](./eks-cluster-secrets-encrypted.html)
+ [eks-cluster-supported-version](./eks-cluster-supported-version.html)
+ [eks-endpoint-no-public-access](./eks-endpoint-no-public-access.html)
+ [eks-fargate-profile-tagged](./eks-fargate-profile-tagged.html)
+ [eks-nodegroup-supported-version-check](./eks-nodegroup-supported-version-check.html)
+ [eks-secrets-encrypted](./eks-secrets-encrypted.html)
+ [elasticache-automatic-backup-check-enabled](./elasticache-automatic-backup-check-enabled.html)
+ [elasticache-auto-minor-version-upgrade-check](./elasticache-auto-minor-version-upgrade-check.html)
+ [elasticache-redis-cluster-automatic-backup-check](./elasticache-redis-cluster-automatic-backup-check.html)
+ [elasticache-repl-grp-auto-failover-enabled](./elasticache-repl-grp-auto-failover-enabled.html)
+ [elasticache-repl-grp-encrypted-at-rest](./elasticache-repl-grp-encrypted-at-rest.html)
+ [elasticache-repl-grp-encrypted-in-transit](./elasticache-repl-grp-encrypted-in-transit.html)
+ [elasticsearch-encrypted-at-rest](./elasticsearch-encrypted-at-rest.html)
+ [elasticsearch-in-vpc-only](./elasticsearch-in-vpc-only.html)
+ [elasticsearch-logs-to-cloudwatch](./elasticsearch-logs-to-cloudwatch.html)
+ [elasticsearch-node-to-node-encryption-check](./elasticsearch-node-to-node-encryption-check.html)
+ [elastic-beanstalk-managed-updates-enabled](./elastic-beanstalk-managed-updates-enabled.html)
+ [elbv2-multiple-az](./elbv2-multiple-az.html)
+ [elbv2-targetgroup-healthcheck-protocol-encrypted](./elbv2-targetgroup-healthcheck-protocol-encrypted.html)
+ [elbv2-targetgroup-protocol-encrypted](./elbv2-targetgroup-protocol-encrypted.html)
+ [elb-acm-certificate-required](./elb-acm-certificate-required.html)
+ [elb-cross-zone-load-balancing-enabled](./elb-cross-zone-load-balancing-enabled.html)
+ [elb-custom-security-policy-ssl-check](./elb-custom-security-policy-ssl-check.html)
+ [elb-deletion-protection-enabled](./elb-deletion-protection-enabled.html)
+ [elb-internal-scheme-check](./elb-internal-scheme-check.html)
+ [elb-logging-enabled](./elb-logging-enabled.html)
+ [elb-predefined-security-policy-ssl-check](./elb-predefined-security-policy-ssl-check.html)
+ [elb-tagged](./elb-tagged.html)
+ [elb-tls-https-listeners-only](./elb-tls-https-listeners-only.html)
+ [emr-block-public-access](./emr-block-public-access.html)
+ [emr-kerberos-enabled](./emr-kerberos-enabled.html)
+ [emr-master-no-public-ip](./emr-master-no-public-ip.html)
+ [emr-security-configuration-encryption-rest](./emr-security-configuration-encryption-rest.html)
+ [emr-security-configuration-encryption-transit](./emr-security-configuration-encryption-transit.html)
+ [encrypted-volumes](./encrypted-volumes.html)
+ [event-data-store-cmk-encryption-enabled](./event-data-store-cmk-encryption-enabled.html)
+ [fms-shield-resource-policy-check](./fms-shield-resource-policy-check.html)
+ [fms-webacl-resource-policy-check](./fms-webacl-resource-policy-check.html)
+ [fms-webacl-rulegroup-association-check](./fms-webacl-rulegroup-association-check.html)
+ [fsx-last-backup-recovery-point-created](./fsx-last-backup-recovery-point-created.html)
+ [fsx-lustre-copy-tags-to-backups](./fsx-lustre-copy-tags-to-backups.html)
+ [fsx-meets-restore-time-target](./fsx-meets-restore-time-target.html)
+ [fsx-ontap-deployment-type-check](./fsx-ontap-deployment-type-check.html)
+ [fsx-openzfs-copy-tags-enabled](./fsx-openzfs-copy-tags-enabled.html)
+ [fsx-openzfs-deployment-type-check](./fsx-openzfs-deployment-type-check.html)
+ [fsx-resources-protected-by-backup-plan](./fsx-resources-protected-by-backup-plan.html)
+ [fsx-windows-audit-log-configured](./fsx-windows-audit-log-configured.html)
+ [fsx-windows-deployment-type-check](./fsx-windows-deployment-type-check.html)
+ [glb-tagged](./glb-tagged.html)
+ [glue-job-logging-enabled](./glue-job-logging-enabled.html)
+ [glue-ml-transform-encrypted-at-rest](./glue-ml-transform-encrypted-at-rest.html)
+ [glue-ml-transform-tagged](./glue-ml-transform-tagged.html)
+ [glue-spark-job-supported-version](./glue-spark-job-supported-version.html)
+ [guardduty-ec2-protection-runtime-enabled](./guardduty-ec2-protection-runtime-enabled.html)
+ [guardduty-ecs-protection-runtime-enabled](./guardduty-ecs-protection-runtime-enabled.html)
+ [guardduty-eks-protection-audit-enabled](./guardduty-eks-protection-audit-enabled.html)
+ [guardduty-eks-protection-runtime-enabled](./guardduty-eks-protection-runtime-enabled.html)
+ [guardduty-enabled-centralized](./guardduty-enabled-centralized.html)
+ [guardduty-lambda-protection-enabled](./guardduty-lambda-protection-enabled.html)
+ [guardduty-malware-protection-enabled](./guardduty-malware-protection-enabled.html)
+ [guardduty-non-archived-findings](./guardduty-non-archived-findings.html)
+ [guardduty-rds-protection-enabled](./guardduty-rds-protection-enabled.html)
+ [guardduty-runtime-monitoring-enabled](./guardduty-runtime-monitoring-enabled.html)
+ [guardduty-s3-protection-enabled](./guardduty-s3-protection-enabled.html)
+ [iam-external-access-analyzer-enabled](./iam-external-access-analyzer-enabled.html)
+ [iam-password-policy](./iam-password-policy.html)
+ [iam-root-access-key-check](./iam-root-access-key-check.html)
+ [imagebuilder-distributionconfiguration-tagged](./imagebuilder-distributionconfiguration-tagged.html)
+ [imagebuilder-imagepipeline-tagged](./imagebuilder-imagepipeline-tagged.html)
+ [imagebuilder-imagerecipe-ebs-volumes-encrypted](./imagebuilder-imagerecipe-ebs-volumes-encrypted.html)
+ [imagebuilder-imagerecipe-tagged](./imagebuilder-imagerecipe-tagged.html)
+ [imagebuilder-infrastructureconfiguration-tagged](./imagebuilder-infrastructureconfiguration-tagged.html)
+ [incoming-ssh-disabled](./incoming-ssh-disabled.html)
+ [instances-in-vpc](./instances-in-vpc.html)
+ [internet-gateway-authorized-vpc-only](./internet-gateway-authorized-vpc-only.html)
+ [kinesis-firehose-delivery-stream-encrypted](./kinesis-firehose-delivery-stream-encrypted.html)
+ [kinesis-stream-backup-retention-check](./kinesis-stream-backup-retention-check.html)
+ [kinesis-stream-encrypted](./kinesis-stream-encrypted.html)
+ [kms-cmk-not-scheduled-for-deletion](./kms-cmk-not-scheduled-for-deletion.html)
+ [kms-key-policy-no-public-access](./kms-key-policy-no-public-access.html)
+ [kms-key-tagged](./kms-key-tagged.html)
+ [lambda-concurrency-check](./lambda-concurrency-check.html)
+ [lambda-dlq-check](./lambda-dlq-check.html)
+ [lambda-function-application-log-level-check](./lambda-function-application-log-level-check.html)
+ [lambda-function-description](./lambda-function-description.html)
+ [lambda-function-log-format-json](./lambda-function-log-format-json.html)
+ [lambda-function-public-access-prohibited](./lambda-function-public-access-prohibited.html)
+ [lambda-function-settings-check](./lambda-function-settings-check.html)
+ [lambda-function-system-log-level-check](./lambda-function-system-log-level-check.html)
+ [lambda-function-xray-enabled](./lambda-function-xray-enabled.html)
+ [lambda-inside-vpc](./lambda-inside-vpc.html)
+ [lambda-vpc-multi-az-check](./lambda-vpc-multi-az-check.html)
+ [mariadb-publish-logs-to-cloudwatch-logs](./mariadb-publish-logs-to-cloudwatch-logs.html)
+ [msk-cluster-public-access-disabled](./msk-cluster-public-access-disabled.html)
+ [msk-cluster-tagged](./msk-cluster-tagged.html)
+ [msk-enhanced-monitoring-enabled](./msk-enhanced-monitoring-enabled.html)
+ [msk-in-cluster-node-require-tls](./msk-in-cluster-node-require-tls.html)
+ [msk-unrestricted-access-check](./msk-unrestricted-access-check.html)
+ [multi-region-cloud-trail-enabled](./multi-region-cloud-trail-enabled.html)
+ [nacl-no-unrestricted-ssh-rdp](./nacl-no-unrestricted-ssh-rdp.html)
+ [neptune-cluster-deletion-protection-enabled](./neptune-cluster-deletion-protection-enabled.html)
+ [netfw-deletion-protection-enabled](./netfw-deletion-protection-enabled.html)
+ [netfw-logging-enabled](./netfw-logging-enabled.html)
+ [netfw-multi-az-enabled](./netfw-multi-az-enabled.html)
+ [netfw-policy-default-action-fragment-packets](./netfw-policy-default-action-fragment-packets.html)
+ [netfw-policy-default-action-full-packets](./netfw-policy-default-action-full-packets.html)
+ [netfw-policy-rule-group-associated](./netfw-policy-rule-group-associated.html)
+ [netfw-stateless-rule-group-not-empty](./netfw-stateless-rule-group-not-empty.html)
+ [netfw-subnet-change-protection-enabled](./netfw-subnet-change-protection-enabled.html)
+ [nlb-internal-scheme-check](./nlb-internal-scheme-check.html)
+ [nlb-logging-enabled](./nlb-logging-enabled.html)
+ [nlb-tagged](./nlb-tagged.html)
+ [no-unrestricted-route-to-igw](./no-unrestricted-route-to-igw.html)
+ [rds-aurora-mysql-audit-logging-enabled](./rds-aurora-mysql-audit-logging-enabled.html)
+ [rds-automatic-minor-version-upgrade-enabled](./rds-automatic-minor-version-upgrade-enabled.html)
+ [rds-cluster-backup-retention-check](./rds-cluster-backup-retention-check.html)
+ [rds-cluster-default-admin-check](./rds-cluster-default-admin-check.html)
+ [rds-cluster-deletion-protection-enabled](./rds-cluster-deletion-protection-enabled.html)
+ [rds-cluster-encrypted-at-rest](./rds-cluster-encrypted-at-rest.html)
+ [rds-cluster-iam-authentication-enabled](./rds-cluster-iam-authentication-enabled.html)
+ [rds-cluster-multi-az-enabled](./rds-cluster-multi-az-enabled.html)
+ [rds-enhanced-monitoring-enabled](./rds-enhanced-monitoring-enabled.html)
+ [rds-event-subscription-tagged](./rds-event-subscription-tagged.html)
+ [rds-global-cluster-aurora-mysql-supported-version](./rds-global-cluster-aurora-mysql-supported-version.html)
+ [rds-instance-default-admin-check](./rds-instance-default-admin-check.html)
+ [rds-instance-deletion-protection-enabled](./rds-instance-deletion-protection-enabled.html)
+ [rds-instance-iam-authentication-enabled](./rds-instance-iam-authentication-enabled.html)
+ [rds-instance-public-access-check](./rds-instance-public-access-check.html)
+ [rds-instance-subnet-igw-check](./rds-instance-subnet-igw-check.html)
+ [rds-in-backup-plan](./rds-in-backup-plan.html)
+ [rds-last-backup-recovery-point-created](./rds-last-backup-recovery-point-created.html)
+ [rds-logging-enabled](./rds-logging-enabled.html)
+ [rds-mariadb-instance-encrypted-in-transit](./rds-mariadb-instance-encrypted-in-transit.html)
+ [rds-meets-restore-time-target](./rds-meets-restore-time-target.html)
+ [rds-multi-az-support](./rds-multi-az-support.html)
+ [rds-mysql-cluster-copy-tags-to-snapshot-check](./rds-mysql-cluster-copy-tags-to-snapshot-check.html)
+ [rds-mysql-instance-encrypted-in-transit](./rds-mysql-instance-encrypted-in-transit.html)
+ [rds-option-group-tagged](./rds-option-group-tagged.html)
+ [rds-pgsql-cluster-copy-tags-to-snapshot-check](./rds-pgsql-cluster-copy-tags-to-snapshot-check.html)
+ [rds-postgresql-logs-to-cloudwatch](./rds-postgresql-logs-to-cloudwatch.html)
+ [rds-postgres-instance-encrypted-in-transit](./rds-postgres-instance-encrypted-in-transit.html)
+ [rds-proxy-tls-encryption](./rds-proxy-tls-encryption.html)
+ [rds-resources-protected-by-backup-plan](./rds-resources-protected-by-backup-plan.html)
+ [rds-snapshots-public-prohibited](./rds-snapshots-public-prohibited.html)
+ [rds-snapshot-encrypted](./rds-snapshot-encrypted.html)
+ [rds-sqlserver-encrypted-in-transit](./rds-sqlserver-encrypted-in-transit.html)
+ [rds-sql-server-logs-to-cloudwatch](./rds-sql-server-logs-to-cloudwatch.html)
+ [rds-storage-encrypted](./rds-storage-encrypted.html)
+ [redshift-backup-enabled](./redshift-backup-enabled.html)
+ [redshift-cluster-configuration-check](./redshift-cluster-configuration-check.html)
+ [redshift-cluster-kms-enabled](./redshift-cluster-kms-enabled.html)
+ [redshift-cluster-maintenancesettings-check](./redshift-cluster-maintenancesettings-check.html)
+ [redshift-cluster-multi-az-enabled](./redshift-cluster-multi-az-enabled.html)
+ [redshift-cluster-parameter-group-tagged](./redshift-cluster-parameter-group-tagged.html)
+ [redshift-cluster-public-access-check](./redshift-cluster-public-access-check.html)
+ [redshift-cluster-subnet-group-multi-az](./redshift-cluster-subnet-group-multi-az.html)
+ [redshift-default-admin-check](./redshift-default-admin-check.html)
+ [redshift-default-db-name-check](./redshift-default-db-name-check.html)
+ [redshift-enhanced-vpc-routing-enabled](./redshift-enhanced-vpc-routing-enabled.html)
+ [redshift-require-tls-ssl](./redshift-require-tls-ssl.html)
+ [redshift-unrestricted-port-access](./redshift-unrestricted-port-access.html)
+ [required-tags](./required-tags.html)
+ [restricted-incoming-traffic](./restricted-incoming-traffic.html)
+ [root-account-hardware-mfa-enabled](./root-account-hardware-mfa-enabled.html)
+ [root-account-mfa-enabled](./root-account-mfa-enabled.html)
+ [route53-resolver-resolver-endpoint-tagged](./route53-resolver-resolver-endpoint-tagged.html)
+ [route53-resolver-resolver-rule-tagged](./route53-resolver-resolver-rule-tagged.html)
+ [rum-app-monitor-cloudwatch-logs-enabled](./rum-app-monitor-cloudwatch-logs-enabled.html)
+ [rum-app-monitor-tagged](./rum-app-monitor-tagged.html)
+ [s3-access-point-in-vpc-only](./s3-access-point-in-vpc-only.html)
+ [s3-access-point-public-access-blocks](./s3-access-point-public-access-blocks.html)
+ [s3-account-level-public-access-blocks](./s3-account-level-public-access-blocks.html)
+ [s3-account-level-public-access-blocks-periodic](./s3-account-level-public-access-blocks-periodic.html)
+ [s3-bucket-acl-prohibited](./s3-bucket-acl-prohibited.html)
+ [s3-bucket-blacklisted-actions-prohibited](./s3-bucket-blacklisted-actions-prohibited.html)
+ [s3-bucket-cross-region-replication-enabled](./s3-bucket-cross-region-replication-enabled.html)
+ [s3-bucket-default-lock-enabled](./s3-bucket-default-lock-enabled.html)
+ [s3-bucket-level-public-access-prohibited](./s3-bucket-level-public-access-prohibited.html)
+ [s3-bucket-logging-enabled](./s3-bucket-logging-enabled.html)
+ [s3-bucket-policy-grantee-check](./s3-bucket-policy-grantee-check.html)
+ [s3-bucket-policy-not-more-permissive](./s3-bucket-policy-not-more-permissive.html)
+ [s3-bucket-public-read-prohibited](./s3-bucket-public-read-prohibited.html)
+ [s3-bucket-public-write-prohibited](./s3-bucket-public-write-prohibited.html)
+ [s3-bucket-replication-enabled](./s3-bucket-replication-enabled.html)
+ [s3-bucket-server-side-encryption-enabled](./s3-bucket-server-side-encryption-enabled.html)
+ [s3-bucket-ssl-requests-only](./s3-bucket-ssl-requests-only.html)
+ [s3-bucket-tagged](./s3-bucket-tagged.html)
+ [s3-bucket-versioning-enabled](./s3-bucket-versioning-enabled.html)
+ [s3-default-encryption-kms](./s3-default-encryption-kms.html)
+ [s3-event-notifications-enabled](./s3-event-notifications-enabled.html)
+ [s3-last-backup-recovery-point-created](./s3-last-backup-recovery-point-created.html)
+ [s3-lifecycle-policy-check](./s3-lifecycle-policy-check.html)
+ [s3-meets-restore-time-target](./s3-meets-restore-time-target.html)
+ [s3-resources-protected-by-backup-plan](./s3-resources-protected-by-backup-plan.html)
+ [s3-version-lifecycle-policy-check](./s3-version-lifecycle-policy-check.html)
+ [sagemaker-endpoint-configuration-kms-key-configured](./sagemaker-endpoint-configuration-kms-key-configured.html)
+ [sagemaker-endpoint-config-prod-instance-count](./sagemaker-endpoint-config-prod-instance-count.html)
+ [sagemaker-notebook-instance-kms-key-configured](./sagemaker-notebook-instance-kms-key-configured.html)
+ [sagemaker-notebook-instance-platform-version](./sagemaker-notebook-instance-platform-version.html)
+ [sagemaker-notebook-no-direct-internet-access](./sagemaker-notebook-no-direct-internet-access.html)
+ [secretsmanager-rotation-enabled-check](./secretsmanager-rotation-enabled-check.html)
+ [secretsmanager-scheduled-rotation-success-check](./secretsmanager-scheduled-rotation-success-check.html)
+ [secretsmanager-secret-periodic-rotation](./secretsmanager-secret-periodic-rotation.html)
+ [secretsmanager-secret-unused](./secretsmanager-secret-unused.html)
+ [secretsmanager-using-cmk](./secretsmanager-using-cmk.html)
+ [securityhub-enabled](./securityhub-enabled.html)
+ [security-account-information-provided](./security-account-information-provided.html)
+ [service-catalog-portfolio-tagged](./service-catalog-portfolio-tagged.html)
+ [service-catalog-shared-within-organization](./service-catalog-shared-within-organization.html)
+ [service-vpc-endpoint-enabled](./service-vpc-endpoint-enabled.html)
+ [sns-encrypted-kms](./sns-encrypted-kms.html)
+ [sns-topic-no-public-access](./sns-topic-no-public-access.html)
+ [ssm-automation-block-public-sharing](./ssm-automation-block-public-sharing.html)
+ [ssm-automation-logging-enabled](./ssm-automation-logging-enabled.html)
+ [ssm-document-not-public](./ssm-document-not-public.html)
+ [ssm-document-tagged](./ssm-document-tagged.html)
+ [stepfunctions-state-machine-tagged](./stepfunctions-state-machine-tagged.html)
+ [step-functions-state-machine-logging-enabled](./step-functions-state-machine-logging-enabled.html)
+ [storagegateway-last-backup-recovery-point-created](./storagegateway-last-backup-recovery-point-created.html)
+ [storagegateway-resources-in-logically-air-gapped-vault](./storagegateway-resources-in-logically-air-gapped-vault.html)
+ [storagegateway-resources-protected-by-backup-plan](./storagegateway-resources-protected-by-backup-plan.html)
+ [subnet-auto-assign-public-ip-disabled](./subnet-auto-assign-public-ip-disabled.html)
+ [transfer-certificate-description](./transfer-certificate-description.html)
+ [transfer-certificate-tagged](./transfer-certificate-tagged.html)
+ [transfer-connector-as2-encryption-algorithm-check](./transfer-connector-as2-encryption-algorithm-check.html)
+ [transfer-connector-as2-mdn-signing-algorithm-check](./transfer-connector-as2-mdn-signing-algorithm-check.html)
+ [transfer-connector-as2-signing-algorithm-check](./transfer-connector-as2-signing-algorithm-check.html)
+ [transfer-connector-tagged](./transfer-connector-tagged.html)
+ [transfer-family-server-no-ftp](./transfer-family-server-no-ftp.html)
+ [transfer-profile-tagged](./transfer-profile-tagged.html)
+ [transfer-workflow-description](./transfer-workflow-description.html)
+ [transfer-workflow-tagged](./transfer-workflow-tagged.html)
+ [vpc-default-security-group-closed](./vpc-default-security-group-closed.html)
+ [vpc-endpoint-enabled](./vpc-endpoint-enabled.html)
+ [vpc-flow-logs-enabled](./vpc-flow-logs-enabled.html)
+ [vpc-network-acl-unused-check](./vpc-network-acl-unused-check.html)
+ [vpc-sg-open-only-to-authorized-ports](./vpc-sg-open-only-to-authorized-ports.html)
+ [vpc-sg-port-restriction-check](./vpc-sg-port-restriction-check.html)
+ [vpc-vpn-2-tunnels-up](./vpc-vpn-2-tunnels-up.html)
+ [wafv2-logging-enabled](./wafv2-logging-enabled.html)
+ [wafv2-rulegroup-logging-enabled](./wafv2-rulegroup-logging-enabled.html)
+ [waf-global-rulegroup-not-empty](./waf-global-rulegroup-not-empty.html)
+ [waf-global-rule-not-empty](./waf-global-rule-not-empty.html)
+ [waf-regional-rule-not-empty](./waf-regional-rule-not-empty.html)
+ [waf-regional-webacl-not-empty](./waf-regional-webacl-not-empty.html)

## Asia Pacific (Jakarta) Region
<a name="asia-pacific-jakarta-section-head"></a>

### Asia Pacific (Jakarta)
<a name="asia-pacific-jakarta"></a>
+ [access-keys-rotated](./access-keys-rotated.html)
+ [account-part-of-organizations](./account-part-of-organizations.html)
+ [acmpca-certificate-authority-tagged](./acmpca-certificate-authority-tagged.html)
+ [acm-certificate-expiration-check](./acm-certificate-expiration-check.html)
+ [acm-certificate-rsa-check](./acm-certificate-rsa-check.html)
+ [acm-certificate-transparent-logging-enabled](./acm-certificate-transparent-logging-enabled.html)
+ [acm-pca-root-ca-disabled](./acm-pca-root-ca-disabled.html)
+ [active-mq-supported-version](./active-mq-supported-version.html)
+ [alb-desync-mode-check](./alb-desync-mode-check.html)
+ [alb-http-drop-invalid-header-enabled](./alb-http-drop-invalid-header-enabled.html)
+ [alb-http-to-https-redirection-check](./alb-http-to-https-redirection-check.html)
+ [alb-internal-scheme-check](./alb-internal-scheme-check.html)
+ [alb-tagged](./alb-tagged.html)
+ [alb-waf-enabled](./alb-waf-enabled.html)
+ [apigatewayv2-integration-private-https-enabled](./apigatewayv2-integration-private-https-enabled.html)
+ [apigatewayv2-stage-description](./apigatewayv2-stage-description.html)
+ [apigateway-domain-name-tls-check](./apigateway-domain-name-tls-check.html)
+ [apigateway-stage-access-logs-enabled](./apigateway-stage-access-logs-enabled.html)
+ [apigateway-stage-description](./apigateway-stage-description.html)
+ [api-gwv2-access-logs-enabled](./api-gwv2-access-logs-enabled.html)
+ [api-gwv2-stage-default-route-detailed-metrics-enabled](./api-gwv2-stage-default-route-detailed-metrics-enabled.html)
+ [api-gw-associated-with-waf](./api-gw-associated-with-waf.html)
+ [api-gw-cache-enabled-and-encrypted](./api-gw-cache-enabled-and-encrypted.html)
+ [api-gw-endpoint-type-check](./api-gw-endpoint-type-check.html)
+ [api-gw-execution-logging-enabled](./api-gw-execution-logging-enabled.html)
+ [api-gw-rest-api-tagged](./api-gw-rest-api-tagged.html)
+ [api-gw-ssl-enabled](./api-gw-ssl-enabled.html)
+ [api-gw-stage-tagged](./api-gw-stage-tagged.html)
+ [api-gw-xray-enabled](./api-gw-xray-enabled.html)
+ [appconfig-application-description](./appconfig-application-description.html)
+ [appconfig-application-tagged](./appconfig-application-tagged.html)
+ [appconfig-configuration-profile-tagged](./appconfig-configuration-profile-tagged.html)
+ [appconfig-configuration-profile-validators-not-empty](./appconfig-configuration-profile-validators-not-empty.html)
+ [appconfig-deployment-strategy-description](./appconfig-deployment-strategy-description.html)
+ [appconfig-deployment-strategy-minimum-final-bake-time](./appconfig-deployment-strategy-minimum-final-bake-time.html)
+ [appconfig-deployment-strategy-replicate-to-ssm](./appconfig-deployment-strategy-replicate-to-ssm.html)
+ [appconfig-deployment-strategy-tagged](./appconfig-deployment-strategy-tagged.html)
+ [appconfig-environment-description](./appconfig-environment-description.html)
+ [appconfig-environment-tagged](./appconfig-environment-tagged.html)
+ [appconfig-extension-association-tagged](./appconfig-extension-association-tagged.html)
+ [appconfig-freeform-profile-config-storage](./appconfig-freeform-profile-config-storage.html)
+ [appconfig-hosted-configuration-version-description](./appconfig-hosted-configuration-version-description.html)
+ [appmesh-gateway-route-tagged](./appmesh-gateway-route-tagged.html)
+ [appmesh-mesh-deny-tcp-forwarding](./appmesh-mesh-deny-tcp-forwarding.html)
+ [appmesh-mesh-ip-pref-check](./appmesh-mesh-ip-pref-check.html)
+ [appmesh-mesh-tagged](./appmesh-mesh-tagged.html)
+ [appmesh-route-tagged](./appmesh-route-tagged.html)
+ [appmesh-virtual-gateway-backend-defaults-tls](./appmesh-virtual-gateway-backend-defaults-tls.html)
+ [appmesh-virtual-gateway-listeners-health-check-enabled](./appmesh-virtual-gateway-listeners-health-check-enabled.html)
+ [appmesh-virtual-gateway-logging-file-path-exists](./appmesh-virtual-gateway-logging-file-path-exists.html)
+ [appmesh-virtual-gateway-tagged](./appmesh-virtual-gateway-tagged.html)
+ [appmesh-virtual-node-backend-defaults-tls-on](./appmesh-virtual-node-backend-defaults-tls-on.html)
+ [appmesh-virtual-node-cloud-map-ip-pref-check](./appmesh-virtual-node-cloud-map-ip-pref-check.html)
+ [appmesh-virtual-node-dns-ip-pref-check](./appmesh-virtual-node-dns-ip-pref-check.html)
+ [appmesh-virtual-node-listeners-health-check-enabled](./appmesh-virtual-node-listeners-health-check-enabled.html)
+ [appmesh-virtual-node-listeners-outlier-detect-enabled](./appmesh-virtual-node-listeners-outlier-detect-enabled.html)
+ [appmesh-virtual-node-logging-file-path-exists](./appmesh-virtual-node-logging-file-path-exists.html)
+ [appmesh-virtual-node-service-backends-tls-enforced](./appmesh-virtual-node-service-backends-tls-enforced.html)
+ [appmesh-virtual-node-tagged](./appmesh-virtual-node-tagged.html)
+ [appmesh-virtual-router-tagged](./appmesh-virtual-router-tagged.html)
+ [appmesh-virtual-service-tagged](./appmesh-virtual-service-tagged.html)
+ [approved-amis-by-id](./approved-amis-by-id.html)
+ [approved-amis-by-tag](./approved-amis-by-tag.html)
+ [appsync-authorization-check](./appsync-authorization-check.html)
+ [appsync-graphql-api-xray-enabled](./appsync-graphql-api-xray-enabled.html)
+ [appsync-logging-enabled](./appsync-logging-enabled.html)
+ [athena-data-catalog-description](./athena-data-catalog-description.html)
+ [athena-prepared-statement-description](./athena-prepared-statement-description.html)
+ [athena-workgroup-description](./athena-workgroup-description.html)
+ [athena-workgroup-encrypted-at-rest](./athena-workgroup-encrypted-at-rest.html)
+ [athena-workgroup-enforce-workgroup-configuration](./athena-workgroup-enforce-workgroup-configuration.html)
+ [athena-workgroup-engine-version-auto-upgrade](./athena-workgroup-engine-version-auto-upgrade.html)
+ [athena-workgroup-logging-enabled](./athena-workgroup-logging-enabled.html)
+ [aurora-global-database-encryption-at-rest](./aurora-global-database-encryption-at-rest.html)
+ [aurora-last-backup-recovery-point-created](./aurora-last-backup-recovery-point-created.html)
+ [aurora-meets-restore-time-target](./aurora-meets-restore-time-target.html)
+ [aurora-mysql-cluster-audit-logging](./aurora-mysql-cluster-audit-logging.html)
+ [aurora-resources-in-logically-air-gapped-vault](./aurora-resources-in-logically-air-gapped-vault.html)
+ [aurora-resources-protected-by-backup-plan](./aurora-resources-protected-by-backup-plan.html)
+ [autoscaling-group-elb-healthcheck-required](./autoscaling-group-elb-healthcheck-required.html)
+ [autoscaling-launchconfig-requires-imdsv2](./autoscaling-launchconfig-requires-imdsv2.html)
+ [autoscaling-launch-config-public-ip-disabled](./autoscaling-launch-config-public-ip-disabled.html)
+ [autoscaling-launch-template](./autoscaling-launch-template.html)
+ [autoscaling-multiple-az](./autoscaling-multiple-az.html)
+ [autoscaling-multiple-instance-types](./autoscaling-multiple-instance-types.html)
+ [backup-plan-min-frequency-and-min-retention-check](./backup-plan-min-frequency-and-min-retention-check.html)
+ [backup-recovery-point-encrypted](./backup-recovery-point-encrypted.html)
+ [backup-recovery-point-manual-deletion-disabled](./backup-recovery-point-manual-deletion-disabled.html)
+ [backup-recovery-point-minimum-retention-check](./backup-recovery-point-minimum-retention-check.html)
+ [batch-compute-environment-enabled](./batch-compute-environment-enabled.html)
+ [batch-compute-environment-managed](./batch-compute-environment-managed.html)
+ [batch-compute-environment-tagged](./batch-compute-environment-tagged.html)
+ [batch-job-queue-enabled](./batch-job-queue-enabled.html)
+ [batch-job-queue-tagged](./batch-job-queue-tagged.html)
+ [batch-managed-compute-environment-using-launch-template](./batch-managed-compute-environment-using-launch-template.html)
+ [batch-managed-compute-env-allocation-strategy-check](./batch-managed-compute-env-allocation-strategy-check.html)
+ [batch-managed-compute-env-compute-resources-tagged](./batch-managed-compute-env-compute-resources-tagged.html)
+ [batch-managed-spot-compute-environment-max-bid](./batch-managed-spot-compute-environment-max-bid.html)
+ [batch-scheduling-policy-tagged](./batch-scheduling-policy-tagged.html)
+ [beanstalk-enhanced-health-reporting-enabled](./beanstalk-enhanced-health-reporting-enabled.html)
+ [clb-desync-mode-check](./clb-desync-mode-check.html)
+ [clb-multiple-az](./clb-multiple-az.html)
+ [cloudformation-stack-drift-detection-check](./cloudformation-stack-drift-detection-check.html)
+ [cloudformation-stack-notification-check](./cloudformation-stack-notification-check.html)
+ [cloudtrail-all-read-s3-data-event-check](./cloudtrail-all-read-s3-data-event-check.html)
+ [cloudtrail-all-write-s3-data-event-check](./cloudtrail-all-write-s3-data-event-check.html)
+ [cloudtrail-event-data-store-multi-region](./cloudtrail-event-data-store-multi-region.html)
+ [cloudtrail-s3-bucket-access-logging](./cloudtrail-s3-bucket-access-logging.html)
+ [cloudtrail-s3-bucket-public-access-prohibited](./cloudtrail-s3-bucket-public-access-prohibited.html)
+ [cloudtrail-s3-dataevents-enabled](./cloudtrail-s3-dataevents-enabled.html)
+ [cloudtrail-security-trail-enabled](./cloudtrail-security-trail-enabled.html)
+ [cloudwatch-alarm-action-check](./cloudwatch-alarm-action-check.html)
+ [cloudwatch-alarm-action-enabled-check](./cloudwatch-alarm-action-enabled-check.html)
+ [cloudwatch-alarm-description](./cloudwatch-alarm-description.html)
+ [cloudwatch-alarm-resource-check](./cloudwatch-alarm-resource-check.html)
+ [cloudwatch-alarm-settings-check](./cloudwatch-alarm-settings-check.html)
+ [cloudwatch-log-group-encrypted](./cloudwatch-log-group-encrypted.html)
+ [cloudwatch-metric-stream-tagged](./cloudwatch-metric-stream-tagged.html)
+ [cloud-trail-cloud-watch-logs-enabled](./cloud-trail-cloud-watch-logs-enabled.html)
+ [cloud-trail-enabled](./cloud-trail-enabled.html)
+ [cloud-trail-encryption-enabled](./cloud-trail-encryption-enabled.html)
+ [cloud-trail-log-file-validation-enabled](./cloud-trail-log-file-validation-enabled.html)
+ [cmk-backing-key-rotation-enabled](./cmk-backing-key-rotation-enabled.html)
+ [codebuild-report-group-encrypted-at-rest](./codebuild-report-group-encrypted-at-rest.html)
+ [codebuild-report-group-tagged](./codebuild-report-group-tagged.html)
+ [cognito-identity-pool-unauthenticated-logins](./cognito-identity-pool-unauthenticated-logins.html)
+ [cognito-identity-pool-unauth-access-check](./cognito-identity-pool-unauth-access-check.html)
+ [cognito-userpool-cust-auth-threat-full-check](./cognito-userpool-cust-auth-threat-full-check.html)
+ [cognito-user-pool-deletion-protection-enabled](./cognito-user-pool-deletion-protection-enabled.html)
+ [cognito-user-pool-mfa-enabled](./cognito-user-pool-mfa-enabled.html)
+ [cognito-user-pool-password-policy-check](./cognito-user-pool-password-policy-check.html)
+ [cognito-user-pool-tagged](./cognito-user-pool-tagged.html)
+ [custom-eventbus-policy-attached](./custom-eventbus-policy-attached.html)
+ [cw-loggroup-retention-period-check](./cw-loggroup-retention-period-check.html)
+ [datasync-location-object-storage-using-https](./datasync-location-object-storage-using-https.html)
+ [datasync-task-data-verification-enabled](./datasync-task-data-verification-enabled.html)
+ [datasync-task-logging-enabled](./datasync-task-logging-enabled.html)
+ [datasync-task-tagged](./datasync-task-tagged.html)
+ [db-instance-backup-enabled](./db-instance-backup-enabled.html)
+ [desired-instance-tenancy](./desired-instance-tenancy.html)
+ [desired-instance-type](./desired-instance-type.html)
+ [dms-replication-not-public](./dms-replication-not-public.html)
+ [dynamodb-autoscaling-enabled](./dynamodb-autoscaling-enabled.html)
+ [dynamodb-in-backup-plan](./dynamodb-in-backup-plan.html)
+ [dynamodb-last-backup-recovery-point-created](./dynamodb-last-backup-recovery-point-created.html)
+ [dynamodb-meets-restore-time-target](./dynamodb-meets-restore-time-target.html)
+ [dynamodb-pitr-enabled](./dynamodb-pitr-enabled.html)
+ [dynamodb-resources-protected-by-backup-plan](./dynamodb-resources-protected-by-backup-plan.html)
+ [dynamodb-table-deletion-protection-enabled](./dynamodb-table-deletion-protection-enabled.html)
+ [dynamodb-table-encrypted-kms](./dynamodb-table-encrypted-kms.html)
+ [dynamodb-throughput-limit-check](./dynamodb-throughput-limit-check.html)
+ [ebs-in-backup-plan](./ebs-in-backup-plan.html)
+ [ebs-last-backup-recovery-point-created](./ebs-last-backup-recovery-point-created.html)
+ [ebs-meets-restore-time-target](./ebs-meets-restore-time-target.html)
+ [ebs-optimized-instance](./ebs-optimized-instance.html)
+ [ebs-resources-in-logically-air-gapped-vault](./ebs-resources-in-logically-air-gapped-vault.html)
+ [ebs-resources-protected-by-backup-plan](./ebs-resources-protected-by-backup-plan.html)
+ [ebs-snapshot-block-public-access](./ebs-snapshot-block-public-access.html)
+ [ebs-snapshot-public-restorable-check](./ebs-snapshot-public-restorable-check.html)
+ [ec2-capacity-reservation-tagged](./ec2-capacity-reservation-tagged.html)
+ [ec2-dhcp-options-tagged](./ec2-dhcp-options-tagged.html)
+ [ec2-ebs-encryption-by-default](./ec2-ebs-encryption-by-default.html)
+ [ec2-enis-source-destination-check-enabled](./ec2-enis-source-destination-check-enabled.html)
+ [ec2-fleet-tagged](./ec2-fleet-tagged.html)
+ [ec2-imdsv2-check](./ec2-imdsv2-check.html)
+ [ec2-instance-detailed-monitoring-enabled](./ec2-instance-detailed-monitoring-enabled.html)
+ [ec2-instance-launched-with-allowed-ami](./ec2-instance-launched-with-allowed-ami.html)
+ [ec2-instance-managed-by-ssm](./ec2-instance-managed-by-ssm.html)
+ [ec2-instance-multiple-eni-check](./ec2-instance-multiple-eni-check.html)
+ [ec2-instance-no-public-ip](./ec2-instance-no-public-ip.html)
+ [ec2-instance-profile-attached](./ec2-instance-profile-attached.html)
+ [ec2-ipamscope-tagged](./ec2-ipamscope-tagged.html)
+ [ec2-last-backup-recovery-point-created](./ec2-last-backup-recovery-point-created.html)
+ [ec2-launchtemplate-ebs-encrypted](./ec2-launchtemplate-ebs-encrypted.html)
+ [ec2-launch-templates-ebs-volume-encrypted](./ec2-launch-templates-ebs-volume-encrypted.html)
+ [ec2-launch-template-imdsv2-check](./ec2-launch-template-imdsv2-check.html)
+ [ec2-launch-template-public-ip-disabled](./ec2-launch-template-public-ip-disabled.html)
+ [ec2-launch-template-tagged](./ec2-launch-template-tagged.html)
+ [ec2-managedinstance-applications-blacklisted](./ec2-managedinstance-applications-blacklisted.html)
+ [ec2-managedinstance-applications-required](./ec2-managedinstance-applications-required.html)
+ [ec2-managedinstance-inventory-blacklisted](./ec2-managedinstance-inventory-blacklisted.html)
+ [ec2-managedinstance-patch-compliance-status-check](./ec2-managedinstance-patch-compliance-status-check.html)
+ [ec2-managedinstance-platform-check](./ec2-managedinstance-platform-check.html)
+ [ec2-meets-restore-time-target](./ec2-meets-restore-time-target.html)
+ [ec2-prefix-list-tagged](./ec2-prefix-list-tagged.html)
+ [ec2-resources-in-logically-air-gapped-vault](./ec2-resources-in-logically-air-gapped-vault.html)
+ [ec2-resources-protected-by-backup-plan](./ec2-resources-protected-by-backup-plan.html)
+ [ec2-security-group-attached-to-eni](./ec2-security-group-attached-to-eni.html)
+ [ec2-spot-fleet-request-ct-encryption-at-rest](./ec2-spot-fleet-request-ct-encryption-at-rest.html)
+ [ec2-stopped-instance](./ec2-stopped-instance.html)
+ [ec2-traffic-mirror-filter-description](./ec2-traffic-mirror-filter-description.html)
+ [ec2-traffic-mirror-filter-tagged](./ec2-traffic-mirror-filter-tagged.html)
+ [ec2-transit-gateway-auto-vpc-attach-disabled](./ec2-transit-gateway-auto-vpc-attach-disabled.html)
+ [ec2-transit-gateway-multicast-domain-tagged](./ec2-transit-gateway-multicast-domain-tagged.html)
+ [ec2-volume-inuse-check](./ec2-volume-inuse-check.html)
+ [ec2-vpn-connection-ike-version-check](./ec2-vpn-connection-ike-version-check.html)
+ [ec2-vpn-connection-logging-enabled](./ec2-vpn-connection-logging-enabled.html)
+ [ec2-vpn-connection-tagged](./ec2-vpn-connection-tagged.html)
+ [ecr-private-image-scanning-enabled](./ecr-private-image-scanning-enabled.html)
+ [ecr-private-lifecycle-policy-configured](./ecr-private-lifecycle-policy-configured.html)
+ [ecr-private-tag-immutability-enabled](./ecr-private-tag-immutability-enabled.html)
+ [ecr-repository-cmk-encryption-enabled](./ecr-repository-cmk-encryption-enabled.html)
+ [ecr-repository-tagged](./ecr-repository-tagged.html)
+ [ecs-capacity-provider-tagged](./ecs-capacity-provider-tagged.html)
+ [ecs-capacity-provider-termination-check](./ecs-capacity-provider-termination-check.html)
+ [ecs-containers-nonprivileged](./ecs-containers-nonprivileged.html)
+ [ecs-containers-readonly-access](./ecs-containers-readonly-access.html)
+ [ecs-container-insights-enabled](./ecs-container-insights-enabled.html)
+ [ecs-fargate-latest-platform-version](./ecs-fargate-latest-platform-version.html)
+ [ecs-no-environment-secrets](./ecs-no-environment-secrets.html)
+ [ecs-service-propagate-tags-enabled](./ecs-service-propagate-tags-enabled.html)
+ [ecs-task-definition-efs-encryption-enabled](./ecs-task-definition-efs-encryption-enabled.html)
+ [ecs-task-definition-linux-user-non-root](./ecs-task-definition-linux-user-non-root.html)
+ [ecs-task-definition-log-configuration](./ecs-task-definition-log-configuration.html)
+ [ecs-task-definition-network-mode-not-host](./ecs-task-definition-network-mode-not-host.html)
+ [ecs-task-definition-pid-mode-check](./ecs-task-definition-pid-mode-check.html)
+ [ecs-task-definition-user-for-host-mode-check](./ecs-task-definition-user-for-host-mode-check.html)
+ [ecs-task-definition-windows-user-non-admin](./ecs-task-definition-windows-user-non-admin.html)
+ [efs-access-point-enforce-root-directory](./efs-access-point-enforce-root-directory.html)
+ [efs-access-point-enforce-user-identity](./efs-access-point-enforce-user-identity.html)
+ [efs-automatic-backups-enabled](./efs-automatic-backups-enabled.html)
+ [efs-encrypted-check](./efs-encrypted-check.html)
+ [efs-filesystem-ct-encrypted](./efs-filesystem-ct-encrypted.html)
+ [efs-file-system-tagged](./efs-file-system-tagged.html)
+ [efs-in-backup-plan](./efs-in-backup-plan.html)
+ [efs-last-backup-recovery-point-created](./efs-last-backup-recovery-point-created.html)
+ [efs-meets-restore-time-target](./efs-meets-restore-time-target.html)
+ [efs-mount-target-public-accessible](./efs-mount-target-public-accessible.html)
+ [efs-resources-in-logically-air-gapped-vault](./efs-resources-in-logically-air-gapped-vault.html)
+ [efs-resources-protected-by-backup-plan](./efs-resources-protected-by-backup-plan.html)
+ [eip-attached](./eip-attached.html)
+ [eks-addon-tagged](./eks-addon-tagged.html)
+ [eks-cluster-logging-enabled](./eks-cluster-logging-enabled.html)
+ [eks-cluster-log-enabled](./eks-cluster-log-enabled.html)
+ [eks-cluster-secrets-encrypted](./eks-cluster-secrets-encrypted.html)
+ [eks-cluster-supported-version](./eks-cluster-supported-version.html)
+ [eks-endpoint-no-public-access](./eks-endpoint-no-public-access.html)
+ [eks-fargate-profile-tagged](./eks-fargate-profile-tagged.html)
+ [eks-nodegroup-supported-version-check](./eks-nodegroup-supported-version-check.html)
+ [eks-secrets-encrypted](./eks-secrets-encrypted.html)
+ [elasticache-automatic-backup-check-enabled](./elasticache-automatic-backup-check-enabled.html)
+ [elasticache-auto-minor-version-upgrade-check](./elasticache-auto-minor-version-upgrade-check.html)
+ [elasticache-redis-cluster-automatic-backup-check](./elasticache-redis-cluster-automatic-backup-check.html)
+ [elasticache-repl-grp-auto-failover-enabled](./elasticache-repl-grp-auto-failover-enabled.html)
+ [elasticache-repl-grp-encrypted-at-rest](./elasticache-repl-grp-encrypted-at-rest.html)
+ [elasticache-repl-grp-encrypted-in-transit](./elasticache-repl-grp-encrypted-in-transit.html)
+ [elasticache-supported-engine-version](./elasticache-supported-engine-version.html)
+ [elasticbeanstalk-application-description](./elasticbeanstalk-application-description.html)
+ [elasticbeanstalk-application-version-description](./elasticbeanstalk-application-version-description.html)
+ [elasticbeanstalk-environment-description](./elasticbeanstalk-environment-description.html)
+ [elasticsearch-encrypted-at-rest](./elasticsearch-encrypted-at-rest.html)
+ [elasticsearch-in-vpc-only](./elasticsearch-in-vpc-only.html)
+ [elasticsearch-logs-to-cloudwatch](./elasticsearch-logs-to-cloudwatch.html)
+ [elasticsearch-node-to-node-encryption-check](./elasticsearch-node-to-node-encryption-check.html)
+ [elastic-beanstalk-logs-to-cloudwatch](./elastic-beanstalk-logs-to-cloudwatch.html)
+ [elastic-beanstalk-managed-updates-enabled](./elastic-beanstalk-managed-updates-enabled.html)
+ [elbv2-multiple-az](./elbv2-multiple-az.html)
+ [elbv2-targetgroup-healthcheck-protocol-encrypted](./elbv2-targetgroup-healthcheck-protocol-encrypted.html)
+ [elbv2-targetgroup-protocol-encrypted](./elbv2-targetgroup-protocol-encrypted.html)
+ [elb-acm-certificate-required](./elb-acm-certificate-required.html)
+ [elb-cross-zone-load-balancing-enabled](./elb-cross-zone-load-balancing-enabled.html)
+ [elb-custom-security-policy-ssl-check](./elb-custom-security-policy-ssl-check.html)
+ [elb-deletion-protection-enabled](./elb-deletion-protection-enabled.html)
+ [elb-internal-scheme-check](./elb-internal-scheme-check.html)
+ [elb-logging-enabled](./elb-logging-enabled.html)
+ [elb-predefined-security-policy-ssl-check](./elb-predefined-security-policy-ssl-check.html)
+ [elb-tagged](./elb-tagged.html)
+ [elb-tls-https-listeners-only](./elb-tls-https-listeners-only.html)
+ [emr-block-public-access](./emr-block-public-access.html)
+ [emr-kerberos-enabled](./emr-kerberos-enabled.html)
+ [emr-master-no-public-ip](./emr-master-no-public-ip.html)
+ [emr-security-configuration-encryption-rest](./emr-security-configuration-encryption-rest.html)
+ [emr-security-configuration-encryption-transit](./emr-security-configuration-encryption-transit.html)
+ [encrypted-volumes](./encrypted-volumes.html)
+ [eventschemas-discoverer-tagged](./eventschemas-discoverer-tagged.html)
+ [eventschemas-registry-tagged](./eventschemas-registry-tagged.html)
+ [event-data-store-cmk-encryption-enabled](./event-data-store-cmk-encryption-enabled.html)
+ [fms-webacl-resource-policy-check](./fms-webacl-resource-policy-check.html)
+ [fms-webacl-rulegroup-association-check](./fms-webacl-rulegroup-association-check.html)
+ [fsx-last-backup-recovery-point-created](./fsx-last-backup-recovery-point-created.html)
+ [fsx-lustre-copy-tags-to-backups](./fsx-lustre-copy-tags-to-backups.html)
+ [fsx-meets-restore-time-target](./fsx-meets-restore-time-target.html)
+ [fsx-ontap-deployment-type-check](./fsx-ontap-deployment-type-check.html)
+ [fsx-openzfs-copy-tags-enabled](./fsx-openzfs-copy-tags-enabled.html)
+ [fsx-openzfs-deployment-type-check](./fsx-openzfs-deployment-type-check.html)
+ [fsx-resources-protected-by-backup-plan](./fsx-resources-protected-by-backup-plan.html)
+ [fsx-windows-audit-log-configured](./fsx-windows-audit-log-configured.html)
+ [fsx-windows-deployment-type-check](./fsx-windows-deployment-type-check.html)
+ [glb-tagged](./glb-tagged.html)
+ [glue-job-logging-enabled](./glue-job-logging-enabled.html)
+ [glue-ml-transform-encrypted-at-rest](./glue-ml-transform-encrypted-at-rest.html)
+ [glue-ml-transform-tagged](./glue-ml-transform-tagged.html)
+ [glue-spark-job-supported-version](./glue-spark-job-supported-version.html)
+ [guardduty-ec2-protection-runtime-enabled](./guardduty-ec2-protection-runtime-enabled.html)
+ [guardduty-ecs-protection-runtime-enabled](./guardduty-ecs-protection-runtime-enabled.html)
+ [guardduty-eks-protection-audit-enabled](./guardduty-eks-protection-audit-enabled.html)
+ [guardduty-eks-protection-runtime-enabled](./guardduty-eks-protection-runtime-enabled.html)
+ [guardduty-enabled-centralized](./guardduty-enabled-centralized.html)
+ [guardduty-lambda-protection-enabled](./guardduty-lambda-protection-enabled.html)
+ [guardduty-malware-protection-enabled](./guardduty-malware-protection-enabled.html)
+ [guardduty-non-archived-findings](./guardduty-non-archived-findings.html)
+ [guardduty-rds-protection-enabled](./guardduty-rds-protection-enabled.html)
+ [guardduty-runtime-monitoring-enabled](./guardduty-runtime-monitoring-enabled.html)
+ [guardduty-s3-protection-enabled](./guardduty-s3-protection-enabled.html)
+ [iam-customer-policy-blocked-kms-actions](./iam-customer-policy-blocked-kms-actions.html)
+ [iam-external-access-analyzer-enabled](./iam-external-access-analyzer-enabled.html)
+ [iam-group-has-users-check](./iam-group-has-users-check.html)
+ [iam-inline-policy-blocked-kms-actions](./iam-inline-policy-blocked-kms-actions.html)
+ [iam-no-inline-policy-check](./iam-no-inline-policy-check.html)
+ [iam-password-policy](./iam-password-policy.html)
+ [iam-policy-blacklisted-check](./iam-policy-blacklisted-check.html)
+ [iam-policy-description](./iam-policy-description.html)
+ [iam-policy-in-use](./iam-policy-in-use.html)
+ [iam-policy-no-statements-with-admin-access](./iam-policy-no-statements-with-admin-access.html)
+ [iam-policy-no-statements-with-full-access](./iam-policy-no-statements-with-full-access.html)
+ [iam-role-managed-policy-check](./iam-role-managed-policy-check.html)
+ [iam-root-access-key-check](./iam-root-access-key-check.html)
+ [iam-user-group-membership-check](./iam-user-group-membership-check.html)
+ [iam-user-mfa-enabled](./iam-user-mfa-enabled.html)
+ [iam-user-no-policies-check](./iam-user-no-policies-check.html)
+ [iam-user-unused-credentials-check](./iam-user-unused-credentials-check.html)
+ [imagebuilder-distributionconfiguration-tagged](./imagebuilder-distributionconfiguration-tagged.html)
+ [imagebuilder-imagepipeline-tagged](./imagebuilder-imagepipeline-tagged.html)
+ [imagebuilder-imagerecipe-ebs-volumes-encrypted](./imagebuilder-imagerecipe-ebs-volumes-encrypted.html)
+ [imagebuilder-imagerecipe-tagged](./imagebuilder-imagerecipe-tagged.html)
+ [imagebuilder-infrastructureconfiguration-tagged](./imagebuilder-infrastructureconfiguration-tagged.html)
+ [incoming-ssh-disabled](./incoming-ssh-disabled.html)
+ [inspector-ec2-scan-enabled](./inspector-ec2-scan-enabled.html)
+ [inspector-ecr-scan-enabled](./inspector-ecr-scan-enabled.html)
+ [inspector-lambda-standard-scan-enabled](./inspector-lambda-standard-scan-enabled.html)
+ [instances-in-vpc](./instances-in-vpc.html)
+ [internet-gateway-authorized-vpc-only](./internet-gateway-authorized-vpc-only.html)
+ [kinesis-firehose-delivery-stream-encrypted](./kinesis-firehose-delivery-stream-encrypted.html)
+ [kinesis-stream-backup-retention-check](./kinesis-stream-backup-retention-check.html)
+ [kinesis-stream-encrypted](./kinesis-stream-encrypted.html)
+ [kms-cmk-not-scheduled-for-deletion](./kms-cmk-not-scheduled-for-deletion.html)
+ [kms-key-policy-no-public-access](./kms-key-policy-no-public-access.html)
+ [kms-key-tagged](./kms-key-tagged.html)
+ [lambda-concurrency-check](./lambda-concurrency-check.html)
+ [lambda-dlq-check](./lambda-dlq-check.html)
+ [lambda-function-application-log-level-check](./lambda-function-application-log-level-check.html)
+ [lambda-function-description](./lambda-function-description.html)
+ [lambda-function-log-format-json](./lambda-function-log-format-json.html)
+ [lambda-function-public-access-prohibited](./lambda-function-public-access-prohibited.html)
+ [lambda-function-settings-check](./lambda-function-settings-check.html)
+ [lambda-function-system-log-level-check](./lambda-function-system-log-level-check.html)
+ [lambda-function-xray-enabled](./lambda-function-xray-enabled.html)
+ [lambda-inside-vpc](./lambda-inside-vpc.html)
+ [lambda-vpc-multi-az-check](./lambda-vpc-multi-az-check.html)
+ [mariadb-publish-logs-to-cloudwatch-logs](./mariadb-publish-logs-to-cloudwatch-logs.html)
+ [mfa-enabled-for-iam-console-access](./mfa-enabled-for-iam-console-access.html)
+ [mq-active-broker-ldap-authentication](./mq-active-broker-ldap-authentication.html)
+ [mq-active-deployment-mode](./mq-active-deployment-mode.html)
+ [mq-active-single-instance-broker-storage-type-efs](./mq-active-single-instance-broker-storage-type-efs.html)
+ [mq-auto-minor-version-upgrade-enabled](./mq-auto-minor-version-upgrade-enabled.html)
+ [mq-broker-general-logging-enabled](./mq-broker-general-logging-enabled.html)
+ [mq-cloudwatch-audit-log-enabled](./mq-cloudwatch-audit-log-enabled.html)
+ [mq-rabbit-deployment-mode](./mq-rabbit-deployment-mode.html)
+ [msk-cluster-public-access-disabled](./msk-cluster-public-access-disabled.html)
+ [msk-cluster-tagged](./msk-cluster-tagged.html)
+ [msk-enhanced-monitoring-enabled](./msk-enhanced-monitoring-enabled.html)
+ [msk-in-cluster-node-require-tls](./msk-in-cluster-node-require-tls.html)
+ [msk-unrestricted-access-check](./msk-unrestricted-access-check.html)
+ [multi-region-cloud-trail-enabled](./multi-region-cloud-trail-enabled.html)
+ [nacl-no-unrestricted-ssh-rdp](./nacl-no-unrestricted-ssh-rdp.html)
+ [neptune-cluster-deletion-protection-enabled](./neptune-cluster-deletion-protection-enabled.html)
+ [neptune-cluster-snapshot-iam-database-auth-enabled](./neptune-cluster-snapshot-iam-database-auth-enabled.html)
+ [netfw-deletion-protection-enabled](./netfw-deletion-protection-enabled.html)
+ [netfw-logging-enabled](./netfw-logging-enabled.html)
+ [netfw-multi-az-enabled](./netfw-multi-az-enabled.html)
+ [netfw-policy-default-action-fragment-packets](./netfw-policy-default-action-fragment-packets.html)
+ [netfw-policy-default-action-full-packets](./netfw-policy-default-action-full-packets.html)
+ [netfw-policy-rule-group-associated](./netfw-policy-rule-group-associated.html)
+ [netfw-stateless-rule-group-not-empty](./netfw-stateless-rule-group-not-empty.html)
+ [netfw-subnet-change-protection-enabled](./netfw-subnet-change-protection-enabled.html)
+ [nlb-internal-scheme-check](./nlb-internal-scheme-check.html)
+ [nlb-logging-enabled](./nlb-logging-enabled.html)
+ [nlb-tagged](./nlb-tagged.html)
+ [no-unrestricted-route-to-igw](./no-unrestricted-route-to-igw.html)
+ [opensearch-access-control-enabled](./opensearch-access-control-enabled.html)
+ [opensearch-audit-logging-enabled](./opensearch-audit-logging-enabled.html)
+ [opensearch-data-node-fault-tolerance](./opensearch-data-node-fault-tolerance.html)
+ [opensearch-encrypted-at-rest](./opensearch-encrypted-at-rest.html)
+ [opensearch-https-required](./opensearch-https-required.html)
+ [opensearch-in-vpc-only](./opensearch-in-vpc-only.html)
+ [opensearch-logs-to-cloudwatch](./opensearch-logs-to-cloudwatch.html)
+ [opensearch-node-to-node-encryption-check](./opensearch-node-to-node-encryption-check.html)
+ [opensearch-primary-node-fault-tolerance](./opensearch-primary-node-fault-tolerance.html)
+ [opensearch-update-check](./opensearch-update-check.html)
+ [rabbit-mq-supported-version](./rabbit-mq-supported-version.html)
+ [rds-aurora-mysql-audit-logging-enabled](./rds-aurora-mysql-audit-logging-enabled.html)
+ [rds-aurora-postgresql-logs-to-cloudwatch](./rds-aurora-postgresql-logs-to-cloudwatch.html)
+ [rds-automatic-minor-version-upgrade-enabled](./rds-automatic-minor-version-upgrade-enabled.html)
+ [rds-cluster-auto-minor-version-upgrade-enable](./rds-cluster-auto-minor-version-upgrade-enable.html)
+ [rds-cluster-backup-retention-check](./rds-cluster-backup-retention-check.html)
+ [rds-cluster-default-admin-check](./rds-cluster-default-admin-check.html)
+ [rds-cluster-deletion-protection-enabled](./rds-cluster-deletion-protection-enabled.html)
+ [rds-cluster-encrypted-at-rest](./rds-cluster-encrypted-at-rest.html)
+ [rds-cluster-iam-authentication-enabled](./rds-cluster-iam-authentication-enabled.html)
+ [rds-cluster-multi-az-enabled](./rds-cluster-multi-az-enabled.html)
+ [rds-enhanced-monitoring-enabled](./rds-enhanced-monitoring-enabled.html)
+ [rds-event-subscription-tagged](./rds-event-subscription-tagged.html)
+ [rds-global-cluster-aurora-mysql-supported-version](./rds-global-cluster-aurora-mysql-supported-version.html)
+ [rds-instance-default-admin-check](./rds-instance-default-admin-check.html)
+ [rds-instance-deletion-protection-enabled](./rds-instance-deletion-protection-enabled.html)
+ [rds-instance-iam-authentication-enabled](./rds-instance-iam-authentication-enabled.html)
+ [rds-instance-public-access-check](./rds-instance-public-access-check.html)
+ [rds-instance-subnet-igw-check](./rds-instance-subnet-igw-check.html)
+ [rds-in-backup-plan](./rds-in-backup-plan.html)
+ [rds-last-backup-recovery-point-created](./rds-last-backup-recovery-point-created.html)
+ [rds-logging-enabled](./rds-logging-enabled.html)
+ [rds-mariadb-instance-encrypted-in-transit](./rds-mariadb-instance-encrypted-in-transit.html)
+ [rds-meets-restore-time-target](./rds-meets-restore-time-target.html)
+ [rds-multi-az-support](./rds-multi-az-support.html)
+ [rds-mysql-cluster-copy-tags-to-snapshot-check](./rds-mysql-cluster-copy-tags-to-snapshot-check.html)
+ [rds-mysql-instance-encrypted-in-transit](./rds-mysql-instance-encrypted-in-transit.html)
+ [rds-option-group-tagged](./rds-option-group-tagged.html)
+ [rds-pgsql-cluster-copy-tags-to-snapshot-check](./rds-pgsql-cluster-copy-tags-to-snapshot-check.html)
+ [rds-postgresql-logs-to-cloudwatch](./rds-postgresql-logs-to-cloudwatch.html)
+ [rds-postgres-instance-encrypted-in-transit](./rds-postgres-instance-encrypted-in-transit.html)
+ [rds-proxy-tls-encryption](./rds-proxy-tls-encryption.html)
+ [rds-resources-protected-by-backup-plan](./rds-resources-protected-by-backup-plan.html)
+ [rds-snapshots-public-prohibited](./rds-snapshots-public-prohibited.html)
+ [rds-snapshot-encrypted](./rds-snapshot-encrypted.html)
+ [rds-sqlserver-encrypted-in-transit](./rds-sqlserver-encrypted-in-transit.html)
+ [rds-sql-server-logs-to-cloudwatch](./rds-sql-server-logs-to-cloudwatch.html)
+ [rds-storage-encrypted](./rds-storage-encrypted.html)
+ [redshift-backup-enabled](./redshift-backup-enabled.html)
+ [redshift-cluster-configuration-check](./redshift-cluster-configuration-check.html)
+ [redshift-cluster-kms-enabled](./redshift-cluster-kms-enabled.html)
+ [redshift-cluster-maintenancesettings-check](./redshift-cluster-maintenancesettings-check.html)
+ [redshift-cluster-multi-az-enabled](./redshift-cluster-multi-az-enabled.html)
+ [redshift-cluster-parameter-group-tagged](./redshift-cluster-parameter-group-tagged.html)
+ [redshift-cluster-public-access-check](./redshift-cluster-public-access-check.html)
+ [redshift-cluster-subnet-group-multi-az](./redshift-cluster-subnet-group-multi-az.html)
+ [redshift-default-admin-check](./redshift-default-admin-check.html)
+ [redshift-default-db-name-check](./redshift-default-db-name-check.html)
+ [redshift-enhanced-vpc-routing-enabled](./redshift-enhanced-vpc-routing-enabled.html)
+ [redshift-require-tls-ssl](./redshift-require-tls-ssl.html)
+ [redshift-serverless-default-admin-check](./redshift-serverless-default-admin-check.html)
+ [redshift-serverless-default-db-name-check](./redshift-serverless-default-db-name-check.html)
+ [redshift-serverless-namespace-cmk-encryption](./redshift-serverless-namespace-cmk-encryption.html)
+ [redshift-serverless-publish-logs-to-cloudwatch](./redshift-serverless-publish-logs-to-cloudwatch.html)
+ [redshift-serverless-workgroup-no-public-access](./redshift-serverless-workgroup-no-public-access.html)
+ [redshift-unrestricted-port-access](./redshift-unrestricted-port-access.html)
+ [required-tags](./required-tags.html)
+ [restricted-incoming-traffic](./restricted-incoming-traffic.html)
+ [root-account-hardware-mfa-enabled](./root-account-hardware-mfa-enabled.html)
+ [root-account-mfa-enabled](./root-account-mfa-enabled.html)
+ [route53-resolver-firewall-domain-list-tagged](./route53-resolver-firewall-domain-list-tagged.html)
+ [route53-resolver-firewall-rule-group-association-tagged](./route53-resolver-firewall-rule-group-association-tagged.html)
+ [route53-resolver-firewall-rule-group-tagged](./route53-resolver-firewall-rule-group-tagged.html)
+ [rum-app-monitor-cloudwatch-logs-enabled](./rum-app-monitor-cloudwatch-logs-enabled.html)
+ [rum-app-monitor-tagged](./rum-app-monitor-tagged.html)
+ [s3-access-point-in-vpc-only](./s3-access-point-in-vpc-only.html)
+ [s3-access-point-public-access-blocks](./s3-access-point-public-access-blocks.html)
+ [s3-account-level-public-access-blocks](./s3-account-level-public-access-blocks.html)
+ [s3-account-level-public-access-blocks-periodic](./s3-account-level-public-access-blocks-periodic.html)
+ [s3-bucket-acl-prohibited](./s3-bucket-acl-prohibited.html)
+ [s3-bucket-blacklisted-actions-prohibited](./s3-bucket-blacklisted-actions-prohibited.html)
+ [s3-bucket-cross-region-replication-enabled](./s3-bucket-cross-region-replication-enabled.html)
+ [s3-bucket-default-lock-enabled](./s3-bucket-default-lock-enabled.html)
+ [s3-bucket-level-public-access-prohibited](./s3-bucket-level-public-access-prohibited.html)
+ [s3-bucket-logging-enabled](./s3-bucket-logging-enabled.html)
+ [s3-bucket-policy-grantee-check](./s3-bucket-policy-grantee-check.html)
+ [s3-bucket-policy-not-more-permissive](./s3-bucket-policy-not-more-permissive.html)
+ [s3-bucket-public-read-prohibited](./s3-bucket-public-read-prohibited.html)
+ [s3-bucket-public-write-prohibited](./s3-bucket-public-write-prohibited.html)
+ [s3-bucket-replication-enabled](./s3-bucket-replication-enabled.html)
+ [s3-bucket-server-side-encryption-enabled](./s3-bucket-server-side-encryption-enabled.html)
+ [s3-bucket-ssl-requests-only](./s3-bucket-ssl-requests-only.html)
+ [s3-bucket-tagged](./s3-bucket-tagged.html)
+ [s3-bucket-versioning-enabled](./s3-bucket-versioning-enabled.html)
+ [s3-default-encryption-kms](./s3-default-encryption-kms.html)
+ [s3-event-notifications-enabled](./s3-event-notifications-enabled.html)
+ [s3-last-backup-recovery-point-created](./s3-last-backup-recovery-point-created.html)
+ [s3-lifecycle-policy-check](./s3-lifecycle-policy-check.html)
+ [s3-meets-restore-time-target](./s3-meets-restore-time-target.html)
+ [s3-resources-protected-by-backup-plan](./s3-resources-protected-by-backup-plan.html)
+ [s3-version-lifecycle-policy-check](./s3-version-lifecycle-policy-check.html)
+ [sagemaker-app-image-config-tagged](./sagemaker-app-image-config-tagged.html)
+ [sagemaker-domain-in-vpc](./sagemaker-domain-in-vpc.html)
+ [sagemaker-domain-tagged](./sagemaker-domain-tagged.html)
+ [sagemaker-endpoint-configuration-kms-key-configured](./sagemaker-endpoint-configuration-kms-key-configured.html)
+ [sagemaker-endpoint-config-prod-instance-count](./sagemaker-endpoint-config-prod-instance-count.html)
+ [sagemaker-featuregroup-description](./sagemaker-featuregroup-description.html)
+ [sagemaker-featuregroup-encryption-at-rest](./sagemaker-featuregroup-encryption-at-rest.html)
+ [sagemaker-feature-group-tagged](./sagemaker-feature-group-tagged.html)
+ [sagemaker-image-description](./sagemaker-image-description.html)
+ [sagemaker-image-tagged](./sagemaker-image-tagged.html)
+ [sagemaker-model-in-vpc](./sagemaker-model-in-vpc.html)
+ [sagemaker-model-isolation-enabled](./sagemaker-model-isolation-enabled.html)
+ [sagemaker-notebook-instance-inside-vpc](./sagemaker-notebook-instance-inside-vpc.html)
+ [sagemaker-notebook-instance-kms-key-configured](./sagemaker-notebook-instance-kms-key-configured.html)
+ [sagemaker-notebook-instance-platform-version](./sagemaker-notebook-instance-platform-version.html)
+ [sagemaker-notebook-instance-root-access-check](./sagemaker-notebook-instance-root-access-check.html)
+ [sagemaker-notebook-no-direct-internet-access](./sagemaker-notebook-no-direct-internet-access.html)
+ [secretsmanager-rotation-enabled-check](./secretsmanager-rotation-enabled-check.html)
+ [secretsmanager-scheduled-rotation-success-check](./secretsmanager-scheduled-rotation-success-check.html)
+ [secretsmanager-secret-periodic-rotation](./secretsmanager-secret-periodic-rotation.html)
+ [secretsmanager-secret-unused](./secretsmanager-secret-unused.html)
+ [secretsmanager-using-cmk](./secretsmanager-using-cmk.html)
+ [securityhub-enabled](./securityhub-enabled.html)
+ [security-account-information-provided](./security-account-information-provided.html)
+ [service-vpc-endpoint-enabled](./service-vpc-endpoint-enabled.html)
+ [ses-sending-tls-required](./ses-sending-tls-required.html)
+ [sns-encrypted-kms](./sns-encrypted-kms.html)
+ [sns-topic-no-public-access](./sns-topic-no-public-access.html)
+ [ssm-automation-block-public-sharing](./ssm-automation-block-public-sharing.html)
+ [ssm-automation-logging-enabled](./ssm-automation-logging-enabled.html)
+ [ssm-document-not-public](./ssm-document-not-public.html)
+ [ssm-document-tagged](./ssm-document-tagged.html)
+ [stepfunctions-state-machine-tagged](./stepfunctions-state-machine-tagged.html)
+ [step-functions-state-machine-logging-enabled](./step-functions-state-machine-logging-enabled.html)
+ [storagegateway-last-backup-recovery-point-created](./storagegateway-last-backup-recovery-point-created.html)
+ [storagegateway-resources-in-logically-air-gapped-vault](./storagegateway-resources-in-logically-air-gapped-vault.html)
+ [storagegateway-resources-protected-by-backup-plan](./storagegateway-resources-protected-by-backup-plan.html)
+ [subnet-auto-assign-public-ip-disabled](./subnet-auto-assign-public-ip-disabled.html)
+ [transfer-agreement-description](./transfer-agreement-description.html)
+ [transfer-agreement-tagged](./transfer-agreement-tagged.html)
+ [transfer-certificate-description](./transfer-certificate-description.html)
+ [transfer-certificate-tagged](./transfer-certificate-tagged.html)
+ [transfer-connector-as2-encryption-algorithm-check](./transfer-connector-as2-encryption-algorithm-check.html)
+ [transfer-connector-as2-mdn-signing-algorithm-check](./transfer-connector-as2-mdn-signing-algorithm-check.html)
+ [transfer-connector-as2-signing-algorithm-check](./transfer-connector-as2-signing-algorithm-check.html)
+ [transfer-connector-logging-enabled](./transfer-connector-logging-enabled.html)
+ [transfer-connector-tagged](./transfer-connector-tagged.html)
+ [transfer-family-server-no-ftp](./transfer-family-server-no-ftp.html)
+ [transfer-profile-tagged](./transfer-profile-tagged.html)
+ [transfer-workflow-description](./transfer-workflow-description.html)
+ [transfer-workflow-tagged](./transfer-workflow-tagged.html)
+ [vpc-default-security-group-closed](./vpc-default-security-group-closed.html)
+ [vpc-endpoint-enabled](./vpc-endpoint-enabled.html)
+ [vpc-flow-logs-enabled](./vpc-flow-logs-enabled.html)
+ [vpc-network-acl-unused-check](./vpc-network-acl-unused-check.html)
+ [vpc-sg-open-only-to-authorized-ports](./vpc-sg-open-only-to-authorized-ports.html)
+ [vpc-sg-port-restriction-check](./vpc-sg-port-restriction-check.html)
+ [vpc-vpn-2-tunnels-up](./vpc-vpn-2-tunnels-up.html)
+ [wafv2-logging-enabled](./wafv2-logging-enabled.html)
+ [wafv2-rulegroup-logging-enabled](./wafv2-rulegroup-logging-enabled.html)
+ [wafv2-rulegroup-not-empty](./wafv2-rulegroup-not-empty.html)
+ [wafv2-webacl-not-empty](./wafv2-webacl-not-empty.html)
+ [waf-global-rulegroup-not-empty](./waf-global-rulegroup-not-empty.html)
+ [waf-global-rule-not-empty](./waf-global-rule-not-empty.html)
+ [waf-regional-rule-not-empty](./waf-regional-rule-not-empty.html)
+ [waf-regional-webacl-not-empty](./waf-regional-webacl-not-empty.html)

## Asia Pacific (Malaysia) Region
<a name="asia-pacific-malaysia-section-head"></a>

### Asia Pacific (Malaysia)
<a name="asia-pacific-malaysia"></a>
+ [account-part-of-organizations](./account-part-of-organizations.html)
+ [acm-certificate-expiration-check](./acm-certificate-expiration-check.html)
+ [acm-certificate-rsa-check](./acm-certificate-rsa-check.html)
+ [acm-certificate-transparent-logging-enabled](./acm-certificate-transparent-logging-enabled.html)
+ [alb-desync-mode-check](./alb-desync-mode-check.html)
+ [alb-http-drop-invalid-header-enabled](./alb-http-drop-invalid-header-enabled.html)
+ [alb-http-to-https-redirection-check](./alb-http-to-https-redirection-check.html)
+ [alb-waf-enabled](./alb-waf-enabled.html)
+ [apigatewayv2-integration-private-https-enabled](./apigatewayv2-integration-private-https-enabled.html)
+ [apigatewayv2-stage-description](./apigatewayv2-stage-description.html)
+ [apigateway-domain-name-tls-check](./apigateway-domain-name-tls-check.html)
+ [apigateway-stage-description](./apigateway-stage-description.html)
+ [api-gwv2-access-logs-enabled](./api-gwv2-access-logs-enabled.html)
+ [api-gwv2-stage-default-route-detailed-metrics-enabled](./api-gwv2-stage-default-route-detailed-metrics-enabled.html)
+ [api-gw-associated-with-waf](./api-gw-associated-with-waf.html)
+ [api-gw-cache-enabled-and-encrypted](./api-gw-cache-enabled-and-encrypted.html)
+ [api-gw-endpoint-type-check](./api-gw-endpoint-type-check.html)
+ [api-gw-execution-logging-enabled](./api-gw-execution-logging-enabled.html)
+ [api-gw-ssl-enabled](./api-gw-ssl-enabled.html)
+ [api-gw-xray-enabled](./api-gw-xray-enabled.html)
+ [approved-amis-by-id](./approved-amis-by-id.html)
+ [approved-amis-by-tag](./approved-amis-by-tag.html)
+ [aurora-mysql-backtracking-enabled](./aurora-mysql-backtracking-enabled.html)
+ [autoscaling-group-elb-healthcheck-required](./autoscaling-group-elb-healthcheck-required.html)
+ [autoscaling-launch-config-public-ip-disabled](./autoscaling-launch-config-public-ip-disabled.html)
+ [autoscaling-launch-template](./autoscaling-launch-template.html)
+ [autoscaling-multiple-instance-types](./autoscaling-multiple-instance-types.html)
+ [beanstalk-enhanced-health-reporting-enabled](./beanstalk-enhanced-health-reporting-enabled.html)
+ [clb-multiple-az](./clb-multiple-az.html)
+ [cloudformation-stack-drift-detection-check](./cloudformation-stack-drift-detection-check.html)
+ [cloudformation-stack-notification-check](./cloudformation-stack-notification-check.html)
+ [cloudtrail-s3-dataevents-enabled](./cloudtrail-s3-dataevents-enabled.html)
+ [cloudtrail-security-trail-enabled](./cloudtrail-security-trail-enabled.html)
+ [cloudwatch-alarm-action-check](./cloudwatch-alarm-action-check.html)
+ [cloudwatch-alarm-action-enabled-check](./cloudwatch-alarm-action-enabled-check.html)
+ [cloudwatch-alarm-description](./cloudwatch-alarm-description.html)
+ [cloudwatch-alarm-resource-check](./cloudwatch-alarm-resource-check.html)
+ [cloudwatch-alarm-settings-check](./cloudwatch-alarm-settings-check.html)
+ [cloudwatch-log-group-encrypted](./cloudwatch-log-group-encrypted.html)
+ [cloud-trail-cloud-watch-logs-enabled](./cloud-trail-cloud-watch-logs-enabled.html)
+ [cloud-trail-enabled](./cloud-trail-enabled.html)
+ [cloud-trail-encryption-enabled](./cloud-trail-encryption-enabled.html)
+ [cloud-trail-log-file-validation-enabled](./cloud-trail-log-file-validation-enabled.html)
+ [cmk-backing-key-rotation-enabled](./cmk-backing-key-rotation-enabled.html)
+ [cw-loggroup-retention-period-check](./cw-loggroup-retention-period-check.html)
+ [db-instance-backup-enabled](./db-instance-backup-enabled.html)
+ [desired-instance-tenancy](./desired-instance-tenancy.html)
+ [desired-instance-type](./desired-instance-type.html)
+ [dms-replication-not-public](./dms-replication-not-public.html)
+ [dynamodb-autoscaling-enabled](./dynamodb-autoscaling-enabled.html)
+ [dynamodb-in-backup-plan](./dynamodb-in-backup-plan.html)
+ [dynamodb-pitr-enabled](./dynamodb-pitr-enabled.html)
+ [dynamodb-table-deletion-protection-enabled](./dynamodb-table-deletion-protection-enabled.html)
+ [dynamodb-table-encrypted-kms](./dynamodb-table-encrypted-kms.html)
+ [dynamodb-table-encryption-enabled](./dynamodb-table-encryption-enabled.html)
+ [dynamodb-throughput-limit-check](./dynamodb-throughput-limit-check.html)
+ [ebs-in-backup-plan](./ebs-in-backup-plan.html)
+ [ebs-snapshot-block-public-access](./ebs-snapshot-block-public-access.html)
+ [ebs-snapshot-public-restorable-check](./ebs-snapshot-public-restorable-check.html)
+ [ec2-ebs-encryption-by-default](./ec2-ebs-encryption-by-default.html)
+ [ec2-enis-source-destination-check-enabled](./ec2-enis-source-destination-check-enabled.html)
+ [ec2-imdsv2-check](./ec2-imdsv2-check.html)
+ [ec2-instance-detailed-monitoring-enabled](./ec2-instance-detailed-monitoring-enabled.html)
+ [ec2-instance-launched-with-allowed-ami](./ec2-instance-launched-with-allowed-ami.html)
+ [ec2-instance-managed-by-ssm](./ec2-instance-managed-by-ssm.html)
+ [ec2-instance-multiple-eni-check](./ec2-instance-multiple-eni-check.html)
+ [ec2-instance-no-public-ip](./ec2-instance-no-public-ip.html)
+ [ec2-instance-profile-attached](./ec2-instance-profile-attached.html)
+ [ec2-managedinstance-applications-blacklisted](./ec2-managedinstance-applications-blacklisted.html)
+ [ec2-managedinstance-applications-required](./ec2-managedinstance-applications-required.html)
+ [ec2-managedinstance-inventory-blacklisted](./ec2-managedinstance-inventory-blacklisted.html)
+ [ec2-managedinstance-patch-compliance-status-check](./ec2-managedinstance-patch-compliance-status-check.html)
+ [ec2-managedinstance-platform-check](./ec2-managedinstance-platform-check.html)
+ [ec2-security-group-attached-to-eni](./ec2-security-group-attached-to-eni.html)
+ [ec2-stopped-instance](./ec2-stopped-instance.html)
+ [ec2-volume-inuse-check](./ec2-volume-inuse-check.html)
+ [ecr-private-image-scanning-enabled](./ecr-private-image-scanning-enabled.html)
+ [ecs-containers-nonprivileged](./ecs-containers-nonprivileged.html)
+ [ecs-containers-readonly-access](./ecs-containers-readonly-access.html)
+ [ecs-container-insights-enabled](./ecs-container-insights-enabled.html)
+ [ecs-fargate-latest-platform-version](./ecs-fargate-latest-platform-version.html)
+ [ecs-no-environment-secrets](./ecs-no-environment-secrets.html)
+ [ecs-service-propagate-tags-enabled](./ecs-service-propagate-tags-enabled.html)
+ [ecs-task-definition-efs-encryption-enabled](./ecs-task-definition-efs-encryption-enabled.html)
+ [ecs-task-definition-linux-user-non-root](./ecs-task-definition-linux-user-non-root.html)
+ [ecs-task-definition-log-configuration](./ecs-task-definition-log-configuration.html)
+ [ecs-task-definition-network-mode-not-host](./ecs-task-definition-network-mode-not-host.html)
+ [ecs-task-definition-pid-mode-check](./ecs-task-definition-pid-mode-check.html)
+ [ecs-task-definition-user-for-host-mode-check](./ecs-task-definition-user-for-host-mode-check.html)
+ [ecs-task-definition-windows-user-non-admin](./ecs-task-definition-windows-user-non-admin.html)
+ [efs-encrypted-check](./efs-encrypted-check.html)
+ [efs-in-backup-plan](./efs-in-backup-plan.html)
+ [eip-attached](./eip-attached.html)
+ [eks-endpoint-no-public-access](./eks-endpoint-no-public-access.html)
+ [eks-nodegroup-supported-version-check](./eks-nodegroup-supported-version-check.html)
+ [eks-secrets-encrypted](./eks-secrets-encrypted.html)
+ [elasticache-redis-cluster-automatic-backup-check](./elasticache-redis-cluster-automatic-backup-check.html)
+ [elasticsearch-encrypted-at-rest](./elasticsearch-encrypted-at-rest.html)
+ [elasticsearch-in-vpc-only](./elasticsearch-in-vpc-only.html)
+ [elasticsearch-logs-to-cloudwatch](./elasticsearch-logs-to-cloudwatch.html)
+ [elasticsearch-node-to-node-encryption-check](./elasticsearch-node-to-node-encryption-check.html)
+ [elastic-beanstalk-managed-updates-enabled](./elastic-beanstalk-managed-updates-enabled.html)
+ [elbv2-multiple-az](./elbv2-multiple-az.html)
+ [elbv2-targetgroup-healthcheck-protocol-encrypted](./elbv2-targetgroup-healthcheck-protocol-encrypted.html)
+ [elbv2-targetgroup-protocol-encrypted](./elbv2-targetgroup-protocol-encrypted.html)
+ [elb-acm-certificate-required](./elb-acm-certificate-required.html)
+ [elb-cross-zone-load-balancing-enabled](./elb-cross-zone-load-balancing-enabled.html)
+ [elb-custom-security-policy-ssl-check](./elb-custom-security-policy-ssl-check.html)
+ [elb-deletion-protection-enabled](./elb-deletion-protection-enabled.html)
+ [elb-logging-enabled](./elb-logging-enabled.html)
+ [elb-predefined-security-policy-ssl-check](./elb-predefined-security-policy-ssl-check.html)
+ [elb-tls-https-listeners-only](./elb-tls-https-listeners-only.html)
+ [emr-kerberos-enabled](./emr-kerberos-enabled.html)
+ [emr-master-no-public-ip](./emr-master-no-public-ip.html)
+ [encrypted-volumes](./encrypted-volumes.html)
+ [guardduty-enabled-centralized](./guardduty-enabled-centralized.html)
+ [guardduty-non-archived-findings](./guardduty-non-archived-findings.html)
+ [iam-password-policy](./iam-password-policy.html)
+ [incoming-ssh-disabled](./incoming-ssh-disabled.html)
+ [instances-in-vpc](./instances-in-vpc.html)
+ [internet-gateway-authorized-vpc-only](./internet-gateway-authorized-vpc-only.html)
+ [kinesis-firehose-delivery-stream-encrypted](./kinesis-firehose-delivery-stream-encrypted.html)
+ [kms-cmk-not-scheduled-for-deletion](./kms-cmk-not-scheduled-for-deletion.html)
+ [lambda-concurrency-check](./lambda-concurrency-check.html)
+ [lambda-dlq-check](./lambda-dlq-check.html)
+ [lambda-function-application-log-level-check](./lambda-function-application-log-level-check.html)
+ [lambda-function-description](./lambda-function-description.html)
+ [lambda-function-log-format-json](./lambda-function-log-format-json.html)
+ [lambda-function-public-access-prohibited](./lambda-function-public-access-prohibited.html)
+ [lambda-function-settings-check](./lambda-function-settings-check.html)
+ [lambda-function-system-log-level-check](./lambda-function-system-log-level-check.html)
+ [lambda-function-xray-enabled](./lambda-function-xray-enabled.html)
+ [lambda-inside-vpc](./lambda-inside-vpc.html)
+ [lambda-vpc-multi-az-check](./lambda-vpc-multi-az-check.html)
+ [multi-region-cloud-trail-enabled](./multi-region-cloud-trail-enabled.html)
+ [nacl-no-unrestricted-ssh-rdp](./nacl-no-unrestricted-ssh-rdp.html)
+ [neptune-cluster-deletion-protection-enabled](./neptune-cluster-deletion-protection-enabled.html)
+ [neptune-cluster-snapshot-iam-database-auth-enabled](./neptune-cluster-snapshot-iam-database-auth-enabled.html)
+ [netfw-multi-az-enabled](./netfw-multi-az-enabled.html)
+ [no-unrestricted-route-to-igw](./no-unrestricted-route-to-igw.html)
+ [rds-automatic-minor-version-upgrade-enabled](./rds-automatic-minor-version-upgrade-enabled.html)
+ [rds-cluster-backup-retention-check](./rds-cluster-backup-retention-check.html)
+ [rds-cluster-deletion-protection-enabled](./rds-cluster-deletion-protection-enabled.html)
+ [rds-cluster-iam-authentication-enabled](./rds-cluster-iam-authentication-enabled.html)
+ [rds-cluster-multi-az-enabled](./rds-cluster-multi-az-enabled.html)
+ [rds-enhanced-monitoring-enabled](./rds-enhanced-monitoring-enabled.html)
+ [rds-instance-deletion-protection-enabled](./rds-instance-deletion-protection-enabled.html)
+ [rds-instance-iam-authentication-enabled](./rds-instance-iam-authentication-enabled.html)
+ [rds-instance-public-access-check](./rds-instance-public-access-check.html)
+ [rds-in-backup-plan](./rds-in-backup-plan.html)
+ [rds-logging-enabled](./rds-logging-enabled.html)
+ [rds-multi-az-support](./rds-multi-az-support.html)
+ [rds-mysql-cluster-copy-tags-to-snapshot-check](./rds-mysql-cluster-copy-tags-to-snapshot-check.html)
+ [rds-pgsql-cluster-copy-tags-to-snapshot-check](./rds-pgsql-cluster-copy-tags-to-snapshot-check.html)
+ [rds-snapshots-public-prohibited](./rds-snapshots-public-prohibited.html)
+ [rds-snapshot-encrypted](./rds-snapshot-encrypted.html)
+ [rds-storage-encrypted](./rds-storage-encrypted.html)
+ [redshift-backup-enabled](./redshift-backup-enabled.html)
+ [redshift-cluster-configuration-check](./redshift-cluster-configuration-check.html)
+ [redshift-cluster-kms-enabled](./redshift-cluster-kms-enabled.html)
+ [redshift-cluster-maintenancesettings-check](./redshift-cluster-maintenancesettings-check.html)
+ [redshift-cluster-multi-az-enabled](./redshift-cluster-multi-az-enabled.html)
+ [redshift-cluster-public-access-check](./redshift-cluster-public-access-check.html)
+ [redshift-enhanced-vpc-routing-enabled](./redshift-enhanced-vpc-routing-enabled.html)
+ [redshift-require-tls-ssl](./redshift-require-tls-ssl.html)
+ [required-tags](./required-tags.html)
+ [restricted-incoming-traffic](./restricted-incoming-traffic.html)
+ [s3-account-level-public-access-blocks-periodic](./s3-account-level-public-access-blocks-periodic.html)
+ [s3-bucket-acl-prohibited](./s3-bucket-acl-prohibited.html)
+ [s3-bucket-blacklisted-actions-prohibited](./s3-bucket-blacklisted-actions-prohibited.html)
+ [s3-bucket-cross-region-replication-enabled](./s3-bucket-cross-region-replication-enabled.html)
+ [s3-bucket-default-lock-enabled](./s3-bucket-default-lock-enabled.html)
+ [s3-bucket-level-public-access-prohibited](./s3-bucket-level-public-access-prohibited.html)
+ [s3-bucket-logging-enabled](./s3-bucket-logging-enabled.html)
+ [s3-bucket-policy-grantee-check](./s3-bucket-policy-grantee-check.html)
+ [s3-bucket-policy-not-more-permissive](./s3-bucket-policy-not-more-permissive.html)
+ [s3-bucket-public-read-prohibited](./s3-bucket-public-read-prohibited.html)
+ [s3-bucket-public-write-prohibited](./s3-bucket-public-write-prohibited.html)
+ [s3-bucket-replication-enabled](./s3-bucket-replication-enabled.html)
+ [s3-bucket-server-side-encryption-enabled](./s3-bucket-server-side-encryption-enabled.html)
+ [s3-bucket-ssl-requests-only](./s3-bucket-ssl-requests-only.html)
+ [s3-bucket-versioning-enabled](./s3-bucket-versioning-enabled.html)
+ [s3-default-encryption-kms](./s3-default-encryption-kms.html)
+ [s3-event-notifications-enabled](./s3-event-notifications-enabled.html)
+ [s3-lifecycle-policy-check](./s3-lifecycle-policy-check.html)
+ [s3-version-lifecycle-policy-check](./s3-version-lifecycle-policy-check.html)
+ [secretsmanager-rotation-enabled-check](./secretsmanager-rotation-enabled-check.html)
+ [secretsmanager-scheduled-rotation-success-check](./secretsmanager-scheduled-rotation-success-check.html)
+ [secretsmanager-secret-periodic-rotation](./secretsmanager-secret-periodic-rotation.html)
+ [secretsmanager-secret-unused](./secretsmanager-secret-unused.html)
+ [secretsmanager-using-cmk](./secretsmanager-using-cmk.html)
+ [securityhub-enabled](./securityhub-enabled.html)
+ [service-vpc-endpoint-enabled](./service-vpc-endpoint-enabled.html)
+ [sns-encrypted-kms](./sns-encrypted-kms.html)
+ [ssm-document-not-public](./ssm-document-not-public.html)
+ [subnet-auto-assign-public-ip-disabled](./subnet-auto-assign-public-ip-disabled.html)
+ [vpc-default-security-group-closed](./vpc-default-security-group-closed.html)
+ [vpc-endpoint-enabled](./vpc-endpoint-enabled.html)
+ [vpc-flow-logs-enabled](./vpc-flow-logs-enabled.html)
+ [vpc-network-acl-unused-check](./vpc-network-acl-unused-check.html)
+ [vpc-sg-open-only-to-authorized-ports](./vpc-sg-open-only-to-authorized-ports.html)
+ [vpc-sg-port-restriction-check](./vpc-sg-port-restriction-check.html)
+ [vpc-vpn-2-tunnels-up](./vpc-vpn-2-tunnels-up.html)
+ [wafv2-logging-enabled](./wafv2-logging-enabled.html)
+ [waf-global-rulegroup-not-empty](./waf-global-rulegroup-not-empty.html)
+ [waf-global-rule-not-empty](./waf-global-rule-not-empty.html)

## Asia Pacific (Melbourne) Region
<a name="asia-pacific-melbourne-section-head"></a>

### Asia Pacific (Melbourne)
<a name="asia-pacific-melbourne"></a>
+ [account-part-of-organizations](./account-part-of-organizations.html)
+ [acmpca-certificate-authority-tagged](./acmpca-certificate-authority-tagged.html)
+ [acm-certificate-expiration-check](./acm-certificate-expiration-check.html)
+ [acm-certificate-rsa-check](./acm-certificate-rsa-check.html)
+ [acm-certificate-transparent-logging-enabled](./acm-certificate-transparent-logging-enabled.html)
+ [acm-pca-root-ca-disabled](./acm-pca-root-ca-disabled.html)
+ [alb-desync-mode-check](./alb-desync-mode-check.html)
+ [alb-http-drop-invalid-header-enabled](./alb-http-drop-invalid-header-enabled.html)
+ [alb-http-to-https-redirection-check](./alb-http-to-https-redirection-check.html)
+ [alb-internal-scheme-check](./alb-internal-scheme-check.html)
+ [alb-tagged](./alb-tagged.html)
+ [alb-waf-enabled](./alb-waf-enabled.html)
+ [apigatewayv2-integration-private-https-enabled](./apigatewayv2-integration-private-https-enabled.html)
+ [apigatewayv2-stage-description](./apigatewayv2-stage-description.html)
+ [apigateway-domain-name-tls-check](./apigateway-domain-name-tls-check.html)
+ [apigateway-stage-access-logs-enabled](./apigateway-stage-access-logs-enabled.html)
+ [apigateway-stage-description](./apigateway-stage-description.html)
+ [api-gwv2-access-logs-enabled](./api-gwv2-access-logs-enabled.html)
+ [api-gwv2-stage-default-route-detailed-metrics-enabled](./api-gwv2-stage-default-route-detailed-metrics-enabled.html)
+ [api-gw-associated-with-waf](./api-gw-associated-with-waf.html)
+ [api-gw-cache-enabled-and-encrypted](./api-gw-cache-enabled-and-encrypted.html)
+ [api-gw-endpoint-type-check](./api-gw-endpoint-type-check.html)
+ [api-gw-execution-logging-enabled](./api-gw-execution-logging-enabled.html)
+ [api-gw-rest-api-tagged](./api-gw-rest-api-tagged.html)
+ [api-gw-ssl-enabled](./api-gw-ssl-enabled.html)
+ [api-gw-stage-tagged](./api-gw-stage-tagged.html)
+ [api-gw-xray-enabled](./api-gw-xray-enabled.html)
+ [appconfig-application-description](./appconfig-application-description.html)
+ [appconfig-application-tagged](./appconfig-application-tagged.html)
+ [appconfig-configuration-profile-tagged](./appconfig-configuration-profile-tagged.html)
+ [appconfig-configuration-profile-validators-not-empty](./appconfig-configuration-profile-validators-not-empty.html)
+ [appconfig-deployment-strategy-description](./appconfig-deployment-strategy-description.html)
+ [appconfig-deployment-strategy-minimum-final-bake-time](./appconfig-deployment-strategy-minimum-final-bake-time.html)
+ [appconfig-deployment-strategy-replicate-to-ssm](./appconfig-deployment-strategy-replicate-to-ssm.html)
+ [appconfig-deployment-strategy-tagged](./appconfig-deployment-strategy-tagged.html)
+ [appconfig-environment-description](./appconfig-environment-description.html)
+ [appconfig-environment-tagged](./appconfig-environment-tagged.html)
+ [appconfig-extension-association-tagged](./appconfig-extension-association-tagged.html)
+ [appconfig-freeform-profile-config-storage](./appconfig-freeform-profile-config-storage.html)
+ [appconfig-hosted-configuration-version-description](./appconfig-hosted-configuration-version-description.html)
+ [approved-amis-by-id](./approved-amis-by-id.html)
+ [approved-amis-by-tag](./approved-amis-by-tag.html)
+ [appsync-graphql-api-xray-enabled](./appsync-graphql-api-xray-enabled.html)
+ [athena-data-catalog-description](./athena-data-catalog-description.html)
+ [athena-prepared-statement-description](./athena-prepared-statement-description.html)
+ [athena-workgroup-description](./athena-workgroup-description.html)
+ [athena-workgroup-enforce-workgroup-configuration](./athena-workgroup-enforce-workgroup-configuration.html)
+ [athena-workgroup-engine-version-auto-upgrade](./athena-workgroup-engine-version-auto-upgrade.html)
+ [athena-workgroup-logging-enabled](./athena-workgroup-logging-enabled.html)
+ [aurora-global-database-encryption-at-rest](./aurora-global-database-encryption-at-rest.html)
+ [aurora-last-backup-recovery-point-created](./aurora-last-backup-recovery-point-created.html)
+ [aurora-meets-restore-time-target](./aurora-meets-restore-time-target.html)
+ [aurora-mysql-cluster-audit-logging](./aurora-mysql-cluster-audit-logging.html)
+ [aurora-resources-in-logically-air-gapped-vault](./aurora-resources-in-logically-air-gapped-vault.html)
+ [aurora-resources-protected-by-backup-plan](./aurora-resources-protected-by-backup-plan.html)
+ [autoscaling-group-elb-healthcheck-required](./autoscaling-group-elb-healthcheck-required.html)
+ [autoscaling-launchconfig-requires-imdsv2](./autoscaling-launchconfig-requires-imdsv2.html)
+ [autoscaling-launch-config-hop-limit](./autoscaling-launch-config-hop-limit.html)
+ [autoscaling-launch-config-public-ip-disabled](./autoscaling-launch-config-public-ip-disabled.html)
+ [autoscaling-launch-template](./autoscaling-launch-template.html)
+ [autoscaling-multiple-az](./autoscaling-multiple-az.html)
+ [autoscaling-multiple-instance-types](./autoscaling-multiple-instance-types.html)
+ [backup-plan-min-frequency-and-min-retention-check](./backup-plan-min-frequency-and-min-retention-check.html)
+ [backup-recovery-point-encrypted](./backup-recovery-point-encrypted.html)
+ [backup-recovery-point-manual-deletion-disabled](./backup-recovery-point-manual-deletion-disabled.html)
+ [backup-recovery-point-minimum-retention-check](./backup-recovery-point-minimum-retention-check.html)
+ [batch-scheduling-policy-tagged](./batch-scheduling-policy-tagged.html)
+ [beanstalk-enhanced-health-reporting-enabled](./beanstalk-enhanced-health-reporting-enabled.html)
+ [clb-multiple-az](./clb-multiple-az.html)
+ [cloudtrail-all-read-s3-data-event-check](./cloudtrail-all-read-s3-data-event-check.html)
+ [cloudtrail-all-write-s3-data-event-check](./cloudtrail-all-write-s3-data-event-check.html)
+ [cloudtrail-s3-bucket-access-logging](./cloudtrail-s3-bucket-access-logging.html)
+ [cloudtrail-s3-bucket-public-access-prohibited](./cloudtrail-s3-bucket-public-access-prohibited.html)
+ [cloudtrail-s3-dataevents-enabled](./cloudtrail-s3-dataevents-enabled.html)
+ [cloudtrail-security-trail-enabled](./cloudtrail-security-trail-enabled.html)
+ [cloudwatch-alarm-action-check](./cloudwatch-alarm-action-check.html)
+ [cloudwatch-alarm-action-enabled-check](./cloudwatch-alarm-action-enabled-check.html)
+ [cloudwatch-alarm-description](./cloudwatch-alarm-description.html)
+ [cloudwatch-alarm-resource-check](./cloudwatch-alarm-resource-check.html)
+ [cloudwatch-alarm-settings-check](./cloudwatch-alarm-settings-check.html)
+ [cloudwatch-log-group-encrypted](./cloudwatch-log-group-encrypted.html)
+ [cloudwatch-metric-stream-tagged](./cloudwatch-metric-stream-tagged.html)
+ [cloud-trail-cloud-watch-logs-enabled](./cloud-trail-cloud-watch-logs-enabled.html)
+ [cloud-trail-enabled](./cloud-trail-enabled.html)
+ [cloud-trail-encryption-enabled](./cloud-trail-encryption-enabled.html)
+ [cloud-trail-log-file-validation-enabled](./cloud-trail-log-file-validation-enabled.html)
+ [cmk-backing-key-rotation-enabled](./cmk-backing-key-rotation-enabled.html)
+ [codebuild-project-envvar-awscred-check](./codebuild-project-envvar-awscred-check.html)
+ [codebuild-project-logging-enabled](./codebuild-project-logging-enabled.html)
+ [codebuild-project-s3-logs-encrypted](./codebuild-project-s3-logs-encrypted.html)
+ [codebuild-project-source-repo-url-check](./codebuild-project-source-repo-url-check.html)
+ [codebuild-project-tagged](./codebuild-project-tagged.html)
+ [codebuild-report-group-encrypted-at-rest](./codebuild-report-group-encrypted-at-rest.html)
+ [codebuild-report-group-tagged](./codebuild-report-group-tagged.html)
+ [cognito-identity-pool-unauthenticated-logins](./cognito-identity-pool-unauthenticated-logins.html)
+ [cognito-identity-pool-unauth-access-check](./cognito-identity-pool-unauth-access-check.html)
+ [cognito-userpool-cust-auth-threat-full-check](./cognito-userpool-cust-auth-threat-full-check.html)
+ [cognito-user-pool-deletion-protection-enabled](./cognito-user-pool-deletion-protection-enabled.html)
+ [cognito-user-pool-mfa-enabled](./cognito-user-pool-mfa-enabled.html)
+ [cognito-user-pool-password-policy-check](./cognito-user-pool-password-policy-check.html)
+ [cognito-user-pool-tagged](./cognito-user-pool-tagged.html)
+ [custom-eventbus-policy-attached](./custom-eventbus-policy-attached.html)
+ [cw-loggroup-retention-period-check](./cw-loggroup-retention-period-check.html)
+ [datasync-location-object-storage-using-https](./datasync-location-object-storage-using-https.html)
+ [datasync-task-data-verification-enabled](./datasync-task-data-verification-enabled.html)
+ [datasync-task-logging-enabled](./datasync-task-logging-enabled.html)
+ [datasync-task-tagged](./datasync-task-tagged.html)
+ [db-instance-backup-enabled](./db-instance-backup-enabled.html)
+ [desired-instance-tenancy](./desired-instance-tenancy.html)
+ [desired-instance-type](./desired-instance-type.html)
+ [dms-replication-not-public](./dms-replication-not-public.html)
+ [dynamodb-autoscaling-enabled](./dynamodb-autoscaling-enabled.html)
+ [dynamodb-in-backup-plan](./dynamodb-in-backup-plan.html)
+ [dynamodb-last-backup-recovery-point-created](./dynamodb-last-backup-recovery-point-created.html)
+ [dynamodb-meets-restore-time-target](./dynamodb-meets-restore-time-target.html)
+ [dynamodb-pitr-enabled](./dynamodb-pitr-enabled.html)
+ [dynamodb-resources-protected-by-backup-plan](./dynamodb-resources-protected-by-backup-plan.html)
+ [dynamodb-table-deletion-protection-enabled](./dynamodb-table-deletion-protection-enabled.html)
+ [dynamodb-table-encrypted-kms](./dynamodb-table-encrypted-kms.html)
+ [dynamodb-table-encryption-enabled](./dynamodb-table-encryption-enabled.html)
+ [dynamodb-throughput-limit-check](./dynamodb-throughput-limit-check.html)
+ [ebs-in-backup-plan](./ebs-in-backup-plan.html)
+ [ebs-last-backup-recovery-point-created](./ebs-last-backup-recovery-point-created.html)
+ [ebs-meets-restore-time-target](./ebs-meets-restore-time-target.html)
+ [ebs-optimized-instance](./ebs-optimized-instance.html)
+ [ebs-resources-in-logically-air-gapped-vault](./ebs-resources-in-logically-air-gapped-vault.html)
+ [ebs-resources-protected-by-backup-plan](./ebs-resources-protected-by-backup-plan.html)
+ [ebs-snapshot-block-public-access](./ebs-snapshot-block-public-access.html)
+ [ebs-snapshot-public-restorable-check](./ebs-snapshot-public-restorable-check.html)
+ [ec2-capacity-reservation-tagged](./ec2-capacity-reservation-tagged.html)
+ [ec2-client-vpn-connection-log-enabled](./ec2-client-vpn-connection-log-enabled.html)
+ [ec2-client-vpn-endpoint-tagged](./ec2-client-vpn-endpoint-tagged.html)
+ [ec2-dhcp-options-tagged](./ec2-dhcp-options-tagged.html)
+ [ec2-ebs-encryption-by-default](./ec2-ebs-encryption-by-default.html)
+ [ec2-enis-source-destination-check-enabled](./ec2-enis-source-destination-check-enabled.html)
+ [ec2-fleet-tagged](./ec2-fleet-tagged.html)
+ [ec2-imdsv2-check](./ec2-imdsv2-check.html)
+ [ec2-instance-detailed-monitoring-enabled](./ec2-instance-detailed-monitoring-enabled.html)
+ [ec2-instance-launched-with-allowed-ami](./ec2-instance-launched-with-allowed-ami.html)
+ [ec2-instance-managed-by-ssm](./ec2-instance-managed-by-ssm.html)
+ [ec2-instance-multiple-eni-check](./ec2-instance-multiple-eni-check.html)
+ [ec2-instance-no-public-ip](./ec2-instance-no-public-ip.html)
+ [ec2-instance-profile-attached](./ec2-instance-profile-attached.html)
+ [ec2-ipamscope-tagged](./ec2-ipamscope-tagged.html)
+ [ec2-last-backup-recovery-point-created](./ec2-last-backup-recovery-point-created.html)
+ [ec2-managedinstance-applications-blacklisted](./ec2-managedinstance-applications-blacklisted.html)
+ [ec2-managedinstance-applications-required](./ec2-managedinstance-applications-required.html)
+ [ec2-managedinstance-inventory-blacklisted](./ec2-managedinstance-inventory-blacklisted.html)
+ [ec2-managedinstance-patch-compliance-status-check](./ec2-managedinstance-patch-compliance-status-check.html)
+ [ec2-managedinstance-platform-check](./ec2-managedinstance-platform-check.html)
+ [ec2-meets-restore-time-target](./ec2-meets-restore-time-target.html)
+ [ec2-prefix-list-tagged](./ec2-prefix-list-tagged.html)
+ [ec2-resources-in-logically-air-gapped-vault](./ec2-resources-in-logically-air-gapped-vault.html)
+ [ec2-resources-protected-by-backup-plan](./ec2-resources-protected-by-backup-plan.html)
+ [ec2-security-group-attached-to-eni](./ec2-security-group-attached-to-eni.html)
+ [ec2-spot-fleet-request-ct-encryption-at-rest](./ec2-spot-fleet-request-ct-encryption-at-rest.html)
+ [ec2-stopped-instance](./ec2-stopped-instance.html)
+ [ec2-traffic-mirror-filter-description](./ec2-traffic-mirror-filter-description.html)
+ [ec2-traffic-mirror-filter-tagged](./ec2-traffic-mirror-filter-tagged.html)
+ [ec2-traffic-mirror-session-description](./ec2-traffic-mirror-session-description.html)
+ [ec2-traffic-mirror-session-tagged](./ec2-traffic-mirror-session-tagged.html)
+ [ec2-traffic-mirror-target-description](./ec2-traffic-mirror-target-description.html)
+ [ec2-traffic-mirror-target-tagged](./ec2-traffic-mirror-target-tagged.html)
+ [ec2-transit-gateway-multicast-domain-tagged](./ec2-transit-gateway-multicast-domain-tagged.html)
+ [ec2-volume-inuse-check](./ec2-volume-inuse-check.html)
+ [ec2-vpn-connection-ike-version-check](./ec2-vpn-connection-ike-version-check.html)
+ [ec2-vpn-connection-logging-enabled](./ec2-vpn-connection-logging-enabled.html)
+ [ec2-vpn-connection-tagged](./ec2-vpn-connection-tagged.html)
+ [ecr-private-image-scanning-enabled](./ecr-private-image-scanning-enabled.html)
+ [ecr-private-lifecycle-policy-configured](./ecr-private-lifecycle-policy-configured.html)
+ [ecr-private-tag-immutability-enabled](./ecr-private-tag-immutability-enabled.html)
+ [ecr-repository-cmk-encryption-enabled](./ecr-repository-cmk-encryption-enabled.html)
+ [ecr-repository-tagged](./ecr-repository-tagged.html)
+ [ecs-capacity-provider-tagged](./ecs-capacity-provider-tagged.html)
+ [ecs-capacity-provider-termination-check](./ecs-capacity-provider-termination-check.html)
+ [ecs-containers-nonprivileged](./ecs-containers-nonprivileged.html)
+ [ecs-containers-readonly-access](./ecs-containers-readonly-access.html)
+ [ecs-container-insights-enabled](./ecs-container-insights-enabled.html)
+ [ecs-fargate-latest-platform-version](./ecs-fargate-latest-platform-version.html)
+ [ecs-no-environment-secrets](./ecs-no-environment-secrets.html)
+ [ecs-service-propagate-tags-enabled](./ecs-service-propagate-tags-enabled.html)
+ [ecs-task-definition-efs-encryption-enabled](./ecs-task-definition-efs-encryption-enabled.html)
+ [ecs-task-definition-linux-user-non-root](./ecs-task-definition-linux-user-non-root.html)
+ [ecs-task-definition-log-configuration](./ecs-task-definition-log-configuration.html)
+ [ecs-task-definition-network-mode-not-host](./ecs-task-definition-network-mode-not-host.html)
+ [ecs-task-definition-pid-mode-check](./ecs-task-definition-pid-mode-check.html)
+ [ecs-task-definition-user-for-host-mode-check](./ecs-task-definition-user-for-host-mode-check.html)
+ [ecs-task-definition-windows-user-non-admin](./ecs-task-definition-windows-user-non-admin.html)
+ [efs-access-point-enforce-root-directory](./efs-access-point-enforce-root-directory.html)
+ [efs-access-point-enforce-user-identity](./efs-access-point-enforce-user-identity.html)
+ [efs-automatic-backups-enabled](./efs-automatic-backups-enabled.html)
+ [efs-encrypted-check](./efs-encrypted-check.html)
+ [efs-filesystem-ct-encrypted](./efs-filesystem-ct-encrypted.html)
+ [efs-file-system-tagged](./efs-file-system-tagged.html)
+ [efs-in-backup-plan](./efs-in-backup-plan.html)
+ [efs-last-backup-recovery-point-created](./efs-last-backup-recovery-point-created.html)
+ [efs-meets-restore-time-target](./efs-meets-restore-time-target.html)
+ [efs-mount-target-public-accessible](./efs-mount-target-public-accessible.html)
+ [efs-resources-in-logically-air-gapped-vault](./efs-resources-in-logically-air-gapped-vault.html)
+ [efs-resources-protected-by-backup-plan](./efs-resources-protected-by-backup-plan.html)
+ [eip-attached](./eip-attached.html)
+ [eks-addon-tagged](./eks-addon-tagged.html)
+ [eks-cluster-log-enabled](./eks-cluster-log-enabled.html)
+ [eks-cluster-secrets-encrypted](./eks-cluster-secrets-encrypted.html)
+ [eks-cluster-supported-version](./eks-cluster-supported-version.html)
+ [eks-endpoint-no-public-access](./eks-endpoint-no-public-access.html)
+ [eks-fargate-profile-tagged](./eks-fargate-profile-tagged.html)
+ [eks-nodegroup-supported-version-check](./eks-nodegroup-supported-version-check.html)
+ [eks-secrets-encrypted](./eks-secrets-encrypted.html)
+ [elasticache-automatic-backup-check-enabled](./elasticache-automatic-backup-check-enabled.html)
+ [elasticache-redis-cluster-automatic-backup-check](./elasticache-redis-cluster-automatic-backup-check.html)
+ [elasticsearch-encrypted-at-rest](./elasticsearch-encrypted-at-rest.html)
+ [elasticsearch-in-vpc-only](./elasticsearch-in-vpc-only.html)
+ [elasticsearch-logs-to-cloudwatch](./elasticsearch-logs-to-cloudwatch.html)
+ [elasticsearch-node-to-node-encryption-check](./elasticsearch-node-to-node-encryption-check.html)
+ [elastic-beanstalk-managed-updates-enabled](./elastic-beanstalk-managed-updates-enabled.html)
+ [elbv2-multiple-az](./elbv2-multiple-az.html)
+ [elbv2-targetgroup-healthcheck-protocol-encrypted](./elbv2-targetgroup-healthcheck-protocol-encrypted.html)
+ [elbv2-targetgroup-protocol-encrypted](./elbv2-targetgroup-protocol-encrypted.html)
+ [elb-acm-certificate-required](./elb-acm-certificate-required.html)
+ [elb-cross-zone-load-balancing-enabled](./elb-cross-zone-load-balancing-enabled.html)
+ [elb-custom-security-policy-ssl-check](./elb-custom-security-policy-ssl-check.html)
+ [elb-deletion-protection-enabled](./elb-deletion-protection-enabled.html)
+ [elb-internal-scheme-check](./elb-internal-scheme-check.html)
+ [elb-logging-enabled](./elb-logging-enabled.html)
+ [elb-predefined-security-policy-ssl-check](./elb-predefined-security-policy-ssl-check.html)
+ [elb-tagged](./elb-tagged.html)
+ [elb-tls-https-listeners-only](./elb-tls-https-listeners-only.html)
+ [emr-block-public-access](./emr-block-public-access.html)
+ [emr-kerberos-enabled](./emr-kerberos-enabled.html)
+ [emr-master-no-public-ip](./emr-master-no-public-ip.html)
+ [emr-security-configuration-encryption-rest](./emr-security-configuration-encryption-rest.html)
+ [emr-security-configuration-encryption-transit](./emr-security-configuration-encryption-transit.html)
+ [encrypted-volumes](./encrypted-volumes.html)
+ [event-data-store-cmk-encryption-enabled](./event-data-store-cmk-encryption-enabled.html)
+ [fms-shield-resource-policy-check](./fms-shield-resource-policy-check.html)
+ [fms-webacl-resource-policy-check](./fms-webacl-resource-policy-check.html)
+ [fms-webacl-rulegroup-association-check](./fms-webacl-rulegroup-association-check.html)
+ [fsx-last-backup-recovery-point-created](./fsx-last-backup-recovery-point-created.html)
+ [fsx-lustre-copy-tags-to-backups](./fsx-lustre-copy-tags-to-backups.html)
+ [fsx-meets-restore-time-target](./fsx-meets-restore-time-target.html)
+ [fsx-ontap-deployment-type-check](./fsx-ontap-deployment-type-check.html)
+ [fsx-resources-protected-by-backup-plan](./fsx-resources-protected-by-backup-plan.html)
+ [fsx-windows-deployment-type-check](./fsx-windows-deployment-type-check.html)
+ [glb-tagged](./glb-tagged.html)
+ [glue-job-logging-enabled](./glue-job-logging-enabled.html)
+ [glue-ml-transform-encrypted-at-rest](./glue-ml-transform-encrypted-at-rest.html)
+ [glue-ml-transform-tagged](./glue-ml-transform-tagged.html)
+ [glue-spark-job-supported-version](./glue-spark-job-supported-version.html)
+ [guardduty-ec2-protection-runtime-enabled](./guardduty-ec2-protection-runtime-enabled.html)
+ [guardduty-ecs-protection-runtime-enabled](./guardduty-ecs-protection-runtime-enabled.html)
+ [guardduty-eks-protection-audit-enabled](./guardduty-eks-protection-audit-enabled.html)
+ [guardduty-eks-protection-runtime-enabled](./guardduty-eks-protection-runtime-enabled.html)
+ [guardduty-enabled-centralized](./guardduty-enabled-centralized.html)
+ [guardduty-lambda-protection-enabled](./guardduty-lambda-protection-enabled.html)
+ [guardduty-malware-protection-enabled](./guardduty-malware-protection-enabled.html)
+ [guardduty-non-archived-findings](./guardduty-non-archived-findings.html)
+ [guardduty-rds-protection-enabled](./guardduty-rds-protection-enabled.html)
+ [guardduty-runtime-monitoring-enabled](./guardduty-runtime-monitoring-enabled.html)
+ [guardduty-s3-protection-enabled](./guardduty-s3-protection-enabled.html)
+ [iam-external-access-analyzer-enabled](./iam-external-access-analyzer-enabled.html)
+ [iam-password-policy](./iam-password-policy.html)
+ [iam-root-access-key-check](./iam-root-access-key-check.html)
+ [imagebuilder-distributionconfiguration-tagged](./imagebuilder-distributionconfiguration-tagged.html)
+ [imagebuilder-imagepipeline-tagged](./imagebuilder-imagepipeline-tagged.html)
+ [imagebuilder-imagerecipe-ebs-volumes-encrypted](./imagebuilder-imagerecipe-ebs-volumes-encrypted.html)
+ [imagebuilder-imagerecipe-tagged](./imagebuilder-imagerecipe-tagged.html)
+ [imagebuilder-infrastructureconfiguration-tagged](./imagebuilder-infrastructureconfiguration-tagged.html)
+ [incoming-ssh-disabled](./incoming-ssh-disabled.html)
+ [instances-in-vpc](./instances-in-vpc.html)
+ [internet-gateway-authorized-vpc-only](./internet-gateway-authorized-vpc-only.html)
+ [kinesis-firehose-delivery-stream-encrypted](./kinesis-firehose-delivery-stream-encrypted.html)
+ [kinesis-stream-backup-retention-check](./kinesis-stream-backup-retention-check.html)
+ [kinesis-stream-encrypted](./kinesis-stream-encrypted.html)
+ [kms-cmk-not-scheduled-for-deletion](./kms-cmk-not-scheduled-for-deletion.html)
+ [kms-key-policy-no-public-access](./kms-key-policy-no-public-access.html)
+ [kms-key-tagged](./kms-key-tagged.html)
+ [lambda-concurrency-check](./lambda-concurrency-check.html)
+ [lambda-dlq-check](./lambda-dlq-check.html)
+ [lambda-function-application-log-level-check](./lambda-function-application-log-level-check.html)
+ [lambda-function-description](./lambda-function-description.html)
+ [lambda-function-log-format-json](./lambda-function-log-format-json.html)
+ [lambda-function-public-access-prohibited](./lambda-function-public-access-prohibited.html)
+ [lambda-function-settings-check](./lambda-function-settings-check.html)
+ [lambda-function-system-log-level-check](./lambda-function-system-log-level-check.html)
+ [lambda-function-xray-enabled](./lambda-function-xray-enabled.html)
+ [lambda-inside-vpc](./lambda-inside-vpc.html)
+ [lambda-vpc-multi-az-check](./lambda-vpc-multi-az-check.html)
+ [mariadb-publish-logs-to-cloudwatch-logs](./mariadb-publish-logs-to-cloudwatch-logs.html)
+ [mediapackage-packagingconfiguration-tagged](./mediapackage-packagingconfiguration-tagged.html)
+ [mediatailor-playbackconfiguration-tagged](./mediatailor-playbackconfiguration-tagged.html)
+ [mq-active-broker-ldap-authentication](./mq-active-broker-ldap-authentication.html)
+ [mq-active-deployment-mode](./mq-active-deployment-mode.html)
+ [mq-active-single-instance-broker-storage-type-efs](./mq-active-single-instance-broker-storage-type-efs.html)
+ [mq-auto-minor-version-upgrade-enabled](./mq-auto-minor-version-upgrade-enabled.html)
+ [mq-broker-general-logging-enabled](./mq-broker-general-logging-enabled.html)
+ [mq-cloudwatch-audit-log-enabled](./mq-cloudwatch-audit-log-enabled.html)
+ [msk-cluster-public-access-disabled](./msk-cluster-public-access-disabled.html)
+ [msk-cluster-tagged](./msk-cluster-tagged.html)
+ [msk-enhanced-monitoring-enabled](./msk-enhanced-monitoring-enabled.html)
+ [msk-in-cluster-node-require-tls](./msk-in-cluster-node-require-tls.html)
+ [msk-unrestricted-access-check](./msk-unrestricted-access-check.html)
+ [multi-region-cloud-trail-enabled](./multi-region-cloud-trail-enabled.html)
+ [nacl-no-unrestricted-ssh-rdp](./nacl-no-unrestricted-ssh-rdp.html)
+ [neptune-cluster-deletion-protection-enabled](./neptune-cluster-deletion-protection-enabled.html)
+ [neptune-cluster-snapshot-iam-database-auth-enabled](./neptune-cluster-snapshot-iam-database-auth-enabled.html)
+ [netfw-deletion-protection-enabled](./netfw-deletion-protection-enabled.html)
+ [netfw-logging-enabled](./netfw-logging-enabled.html)
+ [netfw-multi-az-enabled](./netfw-multi-az-enabled.html)
+ [netfw-policy-default-action-fragment-packets](./netfw-policy-default-action-fragment-packets.html)
+ [netfw-policy-default-action-full-packets](./netfw-policy-default-action-full-packets.html)
+ [netfw-policy-rule-group-associated](./netfw-policy-rule-group-associated.html)
+ [netfw-stateless-rule-group-not-empty](./netfw-stateless-rule-group-not-empty.html)
+ [netfw-subnet-change-protection-enabled](./netfw-subnet-change-protection-enabled.html)
+ [nlb-internal-scheme-check](./nlb-internal-scheme-check.html)
+ [nlb-logging-enabled](./nlb-logging-enabled.html)
+ [nlb-tagged](./nlb-tagged.html)
+ [no-unrestricted-route-to-igw](./no-unrestricted-route-to-igw.html)
+ [rds-aurora-mysql-audit-logging-enabled](./rds-aurora-mysql-audit-logging-enabled.html)
+ [rds-automatic-minor-version-upgrade-enabled](./rds-automatic-minor-version-upgrade-enabled.html)
+ [rds-cluster-backup-retention-check](./rds-cluster-backup-retention-check.html)
+ [rds-cluster-default-admin-check](./rds-cluster-default-admin-check.html)
+ [rds-cluster-deletion-protection-enabled](./rds-cluster-deletion-protection-enabled.html)
+ [rds-cluster-encrypted-at-rest](./rds-cluster-encrypted-at-rest.html)
+ [rds-cluster-iam-authentication-enabled](./rds-cluster-iam-authentication-enabled.html)
+ [rds-enhanced-monitoring-enabled](./rds-enhanced-monitoring-enabled.html)
+ [rds-event-subscription-tagged](./rds-event-subscription-tagged.html)
+ [rds-global-cluster-aurora-mysql-supported-version](./rds-global-cluster-aurora-mysql-supported-version.html)
+ [rds-instance-default-admin-check](./rds-instance-default-admin-check.html)
+ [rds-instance-deletion-protection-enabled](./rds-instance-deletion-protection-enabled.html)
+ [rds-instance-iam-authentication-enabled](./rds-instance-iam-authentication-enabled.html)
+ [rds-instance-public-access-check](./rds-instance-public-access-check.html)
+ [rds-instance-subnet-igw-check](./rds-instance-subnet-igw-check.html)
+ [rds-in-backup-plan](./rds-in-backup-plan.html)
+ [rds-last-backup-recovery-point-created](./rds-last-backup-recovery-point-created.html)
+ [rds-logging-enabled](./rds-logging-enabled.html)
+ [rds-mariadb-instance-encrypted-in-transit](./rds-mariadb-instance-encrypted-in-transit.html)
+ [rds-meets-restore-time-target](./rds-meets-restore-time-target.html)
+ [rds-multi-az-support](./rds-multi-az-support.html)
+ [rds-mysql-cluster-copy-tags-to-snapshot-check](./rds-mysql-cluster-copy-tags-to-snapshot-check.html)
+ [rds-mysql-instance-encrypted-in-transit](./rds-mysql-instance-encrypted-in-transit.html)
+ [rds-option-group-tagged](./rds-option-group-tagged.html)
+ [rds-pgsql-cluster-copy-tags-to-snapshot-check](./rds-pgsql-cluster-copy-tags-to-snapshot-check.html)
+ [rds-postgresql-logs-to-cloudwatch](./rds-postgresql-logs-to-cloudwatch.html)
+ [rds-postgres-instance-encrypted-in-transit](./rds-postgres-instance-encrypted-in-transit.html)
+ [rds-proxy-tls-encryption](./rds-proxy-tls-encryption.html)
+ [rds-resources-protected-by-backup-plan](./rds-resources-protected-by-backup-plan.html)
+ [rds-snapshot-encrypted](./rds-snapshot-encrypted.html)
+ [rds-sqlserver-encrypted-in-transit](./rds-sqlserver-encrypted-in-transit.html)
+ [rds-sql-server-logs-to-cloudwatch](./rds-sql-server-logs-to-cloudwatch.html)
+ [rds-storage-encrypted](./rds-storage-encrypted.html)
+ [redshift-backup-enabled](./redshift-backup-enabled.html)
+ [redshift-cluster-configuration-check](./redshift-cluster-configuration-check.html)
+ [redshift-cluster-kms-enabled](./redshift-cluster-kms-enabled.html)
+ [redshift-cluster-maintenancesettings-check](./redshift-cluster-maintenancesettings-check.html)
+ [redshift-cluster-multi-az-enabled](./redshift-cluster-multi-az-enabled.html)
+ [redshift-cluster-parameter-group-tagged](./redshift-cluster-parameter-group-tagged.html)
+ [redshift-cluster-public-access-check](./redshift-cluster-public-access-check.html)
+ [redshift-cluster-subnet-group-multi-az](./redshift-cluster-subnet-group-multi-az.html)
+ [redshift-default-admin-check](./redshift-default-admin-check.html)
+ [redshift-default-db-name-check](./redshift-default-db-name-check.html)
+ [redshift-enhanced-vpc-routing-enabled](./redshift-enhanced-vpc-routing-enabled.html)
+ [redshift-require-tls-ssl](./redshift-require-tls-ssl.html)
+ [redshift-unrestricted-port-access](./redshift-unrestricted-port-access.html)
+ [required-tags](./required-tags.html)
+ [restricted-incoming-traffic](./restricted-incoming-traffic.html)
+ [root-account-hardware-mfa-enabled](./root-account-hardware-mfa-enabled.html)
+ [root-account-mfa-enabled](./root-account-mfa-enabled.html)
+ [route53-resolver-resolver-endpoint-tagged](./route53-resolver-resolver-endpoint-tagged.html)
+ [route53-resolver-resolver-rule-tagged](./route53-resolver-resolver-rule-tagged.html)
+ [rum-app-monitor-cloudwatch-logs-enabled](./rum-app-monitor-cloudwatch-logs-enabled.html)
+ [rum-app-monitor-tagged](./rum-app-monitor-tagged.html)
+ [s3-access-point-in-vpc-only](./s3-access-point-in-vpc-only.html)
+ [s3-access-point-public-access-blocks](./s3-access-point-public-access-blocks.html)
+ [s3-account-level-public-access-blocks](./s3-account-level-public-access-blocks.html)
+ [s3-account-level-public-access-blocks-periodic](./s3-account-level-public-access-blocks-periodic.html)
+ [s3-bucket-acl-prohibited](./s3-bucket-acl-prohibited.html)
+ [s3-bucket-blacklisted-actions-prohibited](./s3-bucket-blacklisted-actions-prohibited.html)
+ [s3-bucket-cross-region-replication-enabled](./s3-bucket-cross-region-replication-enabled.html)
+ [s3-bucket-default-lock-enabled](./s3-bucket-default-lock-enabled.html)
+ [s3-bucket-level-public-access-prohibited](./s3-bucket-level-public-access-prohibited.html)
+ [s3-bucket-logging-enabled](./s3-bucket-logging-enabled.html)
+ [s3-bucket-policy-grantee-check](./s3-bucket-policy-grantee-check.html)
+ [s3-bucket-policy-not-more-permissive](./s3-bucket-policy-not-more-permissive.html)
+ [s3-bucket-public-read-prohibited](./s3-bucket-public-read-prohibited.html)
+ [s3-bucket-public-write-prohibited](./s3-bucket-public-write-prohibited.html)
+ [s3-bucket-replication-enabled](./s3-bucket-replication-enabled.html)
+ [s3-bucket-server-side-encryption-enabled](./s3-bucket-server-side-encryption-enabled.html)
+ [s3-bucket-ssl-requests-only](./s3-bucket-ssl-requests-only.html)
+ [s3-bucket-tagged](./s3-bucket-tagged.html)
+ [s3-bucket-versioning-enabled](./s3-bucket-versioning-enabled.html)
+ [s3-default-encryption-kms](./s3-default-encryption-kms.html)
+ [s3-event-notifications-enabled](./s3-event-notifications-enabled.html)
+ [s3-last-backup-recovery-point-created](./s3-last-backup-recovery-point-created.html)
+ [s3-lifecycle-policy-check](./s3-lifecycle-policy-check.html)
+ [s3-meets-restore-time-target](./s3-meets-restore-time-target.html)
+ [s3-resources-protected-by-backup-plan](./s3-resources-protected-by-backup-plan.html)
+ [s3-version-lifecycle-policy-check](./s3-version-lifecycle-policy-check.html)
+ [sagemaker-endpoint-config-prod-instance-count](./sagemaker-endpoint-config-prod-instance-count.html)
+ [sagemaker-notebook-instance-kms-key-configured](./sagemaker-notebook-instance-kms-key-configured.html)
+ [sagemaker-notebook-instance-platform-version](./sagemaker-notebook-instance-platform-version.html)
+ [sagemaker-notebook-no-direct-internet-access](./sagemaker-notebook-no-direct-internet-access.html)
+ [secretsmanager-rotation-enabled-check](./secretsmanager-rotation-enabled-check.html)
+ [secretsmanager-scheduled-rotation-success-check](./secretsmanager-scheduled-rotation-success-check.html)
+ [secretsmanager-secret-periodic-rotation](./secretsmanager-secret-periodic-rotation.html)
+ [secretsmanager-secret-unused](./secretsmanager-secret-unused.html)
+ [secretsmanager-using-cmk](./secretsmanager-using-cmk.html)
+ [securityhub-enabled](./securityhub-enabled.html)
+ [security-account-information-provided](./security-account-information-provided.html)
+ [service-catalog-portfolio-tagged](./service-catalog-portfolio-tagged.html)
+ [service-catalog-shared-within-organization](./service-catalog-shared-within-organization.html)
+ [service-vpc-endpoint-enabled](./service-vpc-endpoint-enabled.html)
+ [sns-encrypted-kms](./sns-encrypted-kms.html)
+ [sns-topic-no-public-access](./sns-topic-no-public-access.html)
+ [ssm-automation-logging-enabled](./ssm-automation-logging-enabled.html)
+ [ssm-document-not-public](./ssm-document-not-public.html)
+ [ssm-document-tagged](./ssm-document-tagged.html)
+ [stepfunctions-state-machine-tagged](./stepfunctions-state-machine-tagged.html)
+ [storagegateway-last-backup-recovery-point-created](./storagegateway-last-backup-recovery-point-created.html)
+ [storagegateway-resources-in-logically-air-gapped-vault](./storagegateway-resources-in-logically-air-gapped-vault.html)
+ [storagegateway-resources-protected-by-backup-plan](./storagegateway-resources-protected-by-backup-plan.html)
+ [subnet-auto-assign-public-ip-disabled](./subnet-auto-assign-public-ip-disabled.html)
+ [transfer-certificate-description](./transfer-certificate-description.html)
+ [transfer-certificate-tagged](./transfer-certificate-tagged.html)
+ [transfer-connector-as2-encryption-algorithm-check](./transfer-connector-as2-encryption-algorithm-check.html)
+ [transfer-connector-as2-mdn-signing-algorithm-check](./transfer-connector-as2-mdn-signing-algorithm-check.html)
+ [transfer-connector-as2-signing-algorithm-check](./transfer-connector-as2-signing-algorithm-check.html)
+ [transfer-connector-tagged](./transfer-connector-tagged.html)
+ [transfer-family-server-no-ftp](./transfer-family-server-no-ftp.html)
+ [transfer-profile-tagged](./transfer-profile-tagged.html)
+ [transfer-workflow-description](./transfer-workflow-description.html)
+ [transfer-workflow-tagged](./transfer-workflow-tagged.html)
+ [vpc-default-security-group-closed](./vpc-default-security-group-closed.html)
+ [vpc-endpoint-enabled](./vpc-endpoint-enabled.html)
+ [vpc-flow-logs-enabled](./vpc-flow-logs-enabled.html)
+ [vpc-network-acl-unused-check](./vpc-network-acl-unused-check.html)
+ [vpc-sg-open-only-to-authorized-ports](./vpc-sg-open-only-to-authorized-ports.html)
+ [vpc-sg-port-restriction-check](./vpc-sg-port-restriction-check.html)
+ [vpc-vpn-2-tunnels-up](./vpc-vpn-2-tunnels-up.html)
+ [wafv2-logging-enabled](./wafv2-logging-enabled.html)
+ [wafv2-rulegroup-logging-enabled](./wafv2-rulegroup-logging-enabled.html)
+ [waf-global-rulegroup-not-empty](./waf-global-rulegroup-not-empty.html)
+ [waf-global-rule-not-empty](./waf-global-rule-not-empty.html)
+ [waf-regional-rulegroup-not-empty](./waf-regional-rulegroup-not-empty.html)
+ [waf-regional-rule-not-empty](./waf-regional-rule-not-empty.html)
+ [waf-regional-webacl-not-empty](./waf-regional-webacl-not-empty.html)

## Asia Pacific (Mumbai) Region
<a name="asia-pacific-mumbai-section-head"></a>

### Asia Pacific (Mumbai)
<a name="asia-pacific-mumbai"></a>
+ [access-keys-rotated](./access-keys-rotated.html)
+ [account-part-of-organizations](./account-part-of-organizations.html)
+ [acmpca-certificate-authority-tagged](./acmpca-certificate-authority-tagged.html)
+ [acm-certificate-expiration-check](./acm-certificate-expiration-check.html)
+ [acm-certificate-rsa-check](./acm-certificate-rsa-check.html)
+ [acm-certificate-transparent-logging-enabled](./acm-certificate-transparent-logging-enabled.html)
+ [acm-pca-root-ca-disabled](./acm-pca-root-ca-disabled.html)
+ [active-mq-supported-version](./active-mq-supported-version.html)
+ [alb-desync-mode-check](./alb-desync-mode-check.html)
+ [alb-http-drop-invalid-header-enabled](./alb-http-drop-invalid-header-enabled.html)
+ [alb-http-to-https-redirection-check](./alb-http-to-https-redirection-check.html)
+ [alb-internal-scheme-check](./alb-internal-scheme-check.html)
+ [alb-listener-tagged](./alb-listener-tagged.html)
+ [alb-tagged](./alb-tagged.html)
+ [alb-waf-enabled](./alb-waf-enabled.html)
+ [amplify-app-branch-auto-deletion-enabled](./amplify-app-branch-auto-deletion-enabled.html)
+ [amplify-app-build-spec-configured](./amplify-app-build-spec-configured.html)
+ [amplify-app-description](./amplify-app-description.html)
+ [amplify-app-no-environment-variables](./amplify-app-no-environment-variables.html)
+ [amplify-app-platform-check](./amplify-app-platform-check.html)
+ [amplify-app-tagged](./amplify-app-tagged.html)
+ [amplify-branch-auto-build-enabled](./amplify-branch-auto-build-enabled.html)
+ [amplify-branch-build-spec-configured](./amplify-branch-build-spec-configured.html)
+ [amplify-branch-description](./amplify-branch-description.html)
+ [amplify-branch-framework-configured](./amplify-branch-framework-configured.html)
+ [amplify-branch-performance-mode-enabled](./amplify-branch-performance-mode-enabled.html)
+ [amplify-branch-pull-request-preview-enabled](./amplify-branch-pull-request-preview-enabled.html)
+ [amplify-branch-tagged](./amplify-branch-tagged.html)
+ [apigatewayv2-integration-private-https-enabled](./apigatewayv2-integration-private-https-enabled.html)
+ [apigatewayv2-stage-description](./apigatewayv2-stage-description.html)
+ [apigateway-domain-name-tls-check](./apigateway-domain-name-tls-check.html)
+ [apigateway-stage-access-logs-enabled](./apigateway-stage-access-logs-enabled.html)
+ [apigateway-stage-description](./apigateway-stage-description.html)
+ [api-gwv2-access-logs-enabled](./api-gwv2-access-logs-enabled.html)
+ [api-gwv2-authorization-type-configured](./api-gwv2-authorization-type-configured.html)
+ [api-gwv2-stage-default-route-detailed-metrics-enabled](./api-gwv2-stage-default-route-detailed-metrics-enabled.html)
+ [api-gw-associated-with-waf](./api-gw-associated-with-waf.html)
+ [api-gw-cache-enabled-and-encrypted](./api-gw-cache-enabled-and-encrypted.html)
+ [api-gw-endpoint-type-check](./api-gw-endpoint-type-check.html)
+ [api-gw-execution-logging-enabled](./api-gw-execution-logging-enabled.html)
+ [api-gw-rest-api-tagged](./api-gw-rest-api-tagged.html)
+ [api-gw-ssl-enabled](./api-gw-ssl-enabled.html)
+ [api-gw-stage-tagged](./api-gw-stage-tagged.html)
+ [api-gw-xray-enabled](./api-gw-xray-enabled.html)
+ [appconfig-application-description](./appconfig-application-description.html)
+ [appconfig-application-tagged](./appconfig-application-tagged.html)
+ [appconfig-configuration-profile-tagged](./appconfig-configuration-profile-tagged.html)
+ [appconfig-configuration-profile-validators-not-empty](./appconfig-configuration-profile-validators-not-empty.html)
+ [appconfig-deployment-strategy-description](./appconfig-deployment-strategy-description.html)
+ [appconfig-deployment-strategy-minimum-final-bake-time](./appconfig-deployment-strategy-minimum-final-bake-time.html)
+ [appconfig-deployment-strategy-replicate-to-ssm](./appconfig-deployment-strategy-replicate-to-ssm.html)
+ [appconfig-deployment-strategy-tagged](./appconfig-deployment-strategy-tagged.html)
+ [appconfig-environment-description](./appconfig-environment-description.html)
+ [appconfig-environment-tagged](./appconfig-environment-tagged.html)
+ [appconfig-extension-association-tagged](./appconfig-extension-association-tagged.html)
+ [appconfig-freeform-profile-config-storage](./appconfig-freeform-profile-config-storage.html)
+ [appconfig-hosted-configuration-version-description](./appconfig-hosted-configuration-version-description.html)
+ [appflow-flow-tagged](./appflow-flow-tagged.html)
+ [appflow-flow-trigger-type-check](./appflow-flow-trigger-type-check.html)
+ [appmesh-gateway-route-tagged](./appmesh-gateway-route-tagged.html)
+ [appmesh-mesh-deny-tcp-forwarding](./appmesh-mesh-deny-tcp-forwarding.html)
+ [appmesh-mesh-ip-pref-check](./appmesh-mesh-ip-pref-check.html)
+ [appmesh-mesh-tagged](./appmesh-mesh-tagged.html)
+ [appmesh-route-tagged](./appmesh-route-tagged.html)
+ [appmesh-virtual-gateway-backend-defaults-tls](./appmesh-virtual-gateway-backend-defaults-tls.html)
+ [appmesh-virtual-gateway-listeners-health-check-enabled](./appmesh-virtual-gateway-listeners-health-check-enabled.html)
+ [appmesh-virtual-gateway-logging-file-path-exists](./appmesh-virtual-gateway-logging-file-path-exists.html)
+ [appmesh-virtual-gateway-tagged](./appmesh-virtual-gateway-tagged.html)
+ [appmesh-virtual-node-backend-defaults-tls-on](./appmesh-virtual-node-backend-defaults-tls-on.html)
+ [appmesh-virtual-node-cloud-map-ip-pref-check](./appmesh-virtual-node-cloud-map-ip-pref-check.html)
+ [appmesh-virtual-node-dns-ip-pref-check](./appmesh-virtual-node-dns-ip-pref-check.html)
+ [appmesh-virtual-node-listeners-health-check-enabled](./appmesh-virtual-node-listeners-health-check-enabled.html)
+ [appmesh-virtual-node-listeners-outlier-detect-enabled](./appmesh-virtual-node-listeners-outlier-detect-enabled.html)
+ [appmesh-virtual-node-logging-file-path-exists](./appmesh-virtual-node-logging-file-path-exists.html)
+ [appmesh-virtual-node-service-backends-tls-enforced](./appmesh-virtual-node-service-backends-tls-enforced.html)
+ [appmesh-virtual-node-tagged](./appmesh-virtual-node-tagged.html)
+ [appmesh-virtual-router-tagged](./appmesh-virtual-router-tagged.html)
+ [appmesh-virtual-service-tagged](./appmesh-virtual-service-tagged.html)
+ [approved-amis-by-id](./approved-amis-by-id.html)
+ [approved-amis-by-tag](./approved-amis-by-tag.html)
+ [apprunner-service-in-vpc](./apprunner-service-in-vpc.html)
+ [apprunner-service-ip-address-type-check](./apprunner-service-ip-address-type-check.html)
+ [apprunner-service-max-unhealthy-threshold](./apprunner-service-max-unhealthy-threshold.html)
+ [apprunner-service-no-public-access](./apprunner-service-no-public-access.html)
+ [apprunner-service-observability-enabled](./apprunner-service-observability-enabled.html)
+ [apprunner-service-tagged](./apprunner-service-tagged.html)
+ [apprunner-vpc-connector-tagged](./apprunner-vpc-connector-tagged.html)
+ [appstream-fleet-in-vpc](./appstream-fleet-in-vpc.html)
+ [appsync-associated-with-waf](./appsync-associated-with-waf.html)
+ [appsync-authorization-check](./appsync-authorization-check.html)
+ [appsync-cache-encryption-at-rest](./appsync-cache-encryption-at-rest.html)
+ [appsync-graphql-api-xray-enabled](./appsync-graphql-api-xray-enabled.html)
+ [appsync-logging-enabled](./appsync-logging-enabled.html)
+ [aps-rule-groups-namespace-tagged](./aps-rule-groups-namespace-tagged.html)
+ [athena-data-catalog-description](./athena-data-catalog-description.html)
+ [athena-prepared-statement-description](./athena-prepared-statement-description.html)
+ [athena-workgroup-description](./athena-workgroup-description.html)
+ [athena-workgroup-encrypted-at-rest](./athena-workgroup-encrypted-at-rest.html)
+ [athena-workgroup-enforce-workgroup-configuration](./athena-workgroup-enforce-workgroup-configuration.html)
+ [athena-workgroup-engine-version-auto-upgrade](./athena-workgroup-engine-version-auto-upgrade.html)
+ [athena-workgroup-logging-enabled](./athena-workgroup-logging-enabled.html)
+ [auditmanager-assessment-tagged](./auditmanager-assessment-tagged.html)
+ [aurora-global-database-encryption-at-rest](./aurora-global-database-encryption-at-rest.html)
+ [aurora-last-backup-recovery-point-created](./aurora-last-backup-recovery-point-created.html)
+ [aurora-meets-restore-time-target](./aurora-meets-restore-time-target.html)
+ [aurora-mysql-backtracking-enabled](./aurora-mysql-backtracking-enabled.html)
+ [aurora-mysql-cluster-audit-logging](./aurora-mysql-cluster-audit-logging.html)
+ [aurora-resources-in-logically-air-gapped-vault](./aurora-resources-in-logically-air-gapped-vault.html)
+ [aurora-resources-protected-by-backup-plan](./aurora-resources-protected-by-backup-plan.html)
+ [autoscaling-capacity-rebalancing](./autoscaling-capacity-rebalancing.html)
+ [autoscaling-group-elb-healthcheck-required](./autoscaling-group-elb-healthcheck-required.html)
+ [autoscaling-launchconfig-requires-imdsv2](./autoscaling-launchconfig-requires-imdsv2.html)
+ [autoscaling-launch-config-hop-limit](./autoscaling-launch-config-hop-limit.html)
+ [autoscaling-launch-config-public-ip-disabled](./autoscaling-launch-config-public-ip-disabled.html)
+ [autoscaling-launch-template](./autoscaling-launch-template.html)
+ [autoscaling-multiple-az](./autoscaling-multiple-az.html)
+ [autoscaling-multiple-instance-types](./autoscaling-multiple-instance-types.html)
+ [backup-plan-min-frequency-and-min-retention-check](./backup-plan-min-frequency-and-min-retention-check.html)
+ [backup-recovery-point-encrypted](./backup-recovery-point-encrypted.html)
+ [backup-recovery-point-manual-deletion-disabled](./backup-recovery-point-manual-deletion-disabled.html)
+ [backup-recovery-point-minimum-retention-check](./backup-recovery-point-minimum-retention-check.html)
+ [batch-compute-environment-enabled](./batch-compute-environment-enabled.html)
+ [batch-compute-environment-managed](./batch-compute-environment-managed.html)
+ [batch-compute-environment-tagged](./batch-compute-environment-tagged.html)
+ [batch-job-queue-enabled](./batch-job-queue-enabled.html)
+ [batch-job-queue-tagged](./batch-job-queue-tagged.html)
+ [batch-managed-compute-environment-using-launch-template](./batch-managed-compute-environment-using-launch-template.html)
+ [batch-managed-compute-env-allocation-strategy-check](./batch-managed-compute-env-allocation-strategy-check.html)
+ [batch-managed-compute-env-compute-resources-tagged](./batch-managed-compute-env-compute-resources-tagged.html)
+ [batch-managed-spot-compute-environment-max-bid](./batch-managed-spot-compute-environment-max-bid.html)
+ [batch-scheduling-policy-tagged](./batch-scheduling-policy-tagged.html)
+ [beanstalk-enhanced-health-reporting-enabled](./beanstalk-enhanced-health-reporting-enabled.html)
+ [cassandra-keyspace-tagged](./cassandra-keyspace-tagged.html)
+ [clb-desync-mode-check](./clb-desync-mode-check.html)
+ [clb-multiple-az](./clb-multiple-az.html)
+ [cloudformation-stack-drift-detection-check](./cloudformation-stack-drift-detection-check.html)
+ [cloudformation-stack-notification-check](./cloudformation-stack-notification-check.html)
+ [cloudformation-stack-service-role-check](./cloudformation-stack-service-role-check.html)
+ [cloudformation-termination-protection-check](./cloudformation-termination-protection-check.html)
+ [cloudtrail-all-read-s3-data-event-check](./cloudtrail-all-read-s3-data-event-check.html)
+ [cloudtrail-all-write-s3-data-event-check](./cloudtrail-all-write-s3-data-event-check.html)
+ [cloudtrail-event-data-store-multi-region](./cloudtrail-event-data-store-multi-region.html)
+ [cloudtrail-s3-bucket-access-logging](./cloudtrail-s3-bucket-access-logging.html)
+ [cloudtrail-s3-bucket-public-access-prohibited](./cloudtrail-s3-bucket-public-access-prohibited.html)
+ [cloudtrail-s3-dataevents-enabled](./cloudtrail-s3-dataevents-enabled.html)
+ [cloudtrail-security-trail-enabled](./cloudtrail-security-trail-enabled.html)
+ [cloudwatch-alarm-action-check](./cloudwatch-alarm-action-check.html)
+ [cloudwatch-alarm-action-enabled-check](./cloudwatch-alarm-action-enabled-check.html)
+ [cloudwatch-alarm-description](./cloudwatch-alarm-description.html)
+ [cloudwatch-alarm-resource-check](./cloudwatch-alarm-resource-check.html)
+ [cloudwatch-alarm-settings-check](./cloudwatch-alarm-settings-check.html)
+ [cloudwatch-log-group-encrypted](./cloudwatch-log-group-encrypted.html)
+ [cloudwatch-metric-stream-tagged](./cloudwatch-metric-stream-tagged.html)
+ [cloud-trail-cloud-watch-logs-enabled](./cloud-trail-cloud-watch-logs-enabled.html)
+ [cloud-trail-enabled](./cloud-trail-enabled.html)
+ [cloud-trail-encryption-enabled](./cloud-trail-encryption-enabled.html)
+ [cloud-trail-log-file-validation-enabled](./cloud-trail-log-file-validation-enabled.html)
+ [cmk-backing-key-rotation-enabled](./cmk-backing-key-rotation-enabled.html)
+ [codeartifact-repository-tagged](./codeartifact-repository-tagged.html)
+ [codebuild-project-artifact-encryption](./codebuild-project-artifact-encryption.html)
+ [codebuild-project-environment-privileged-check](./codebuild-project-environment-privileged-check.html)
+ [codebuild-project-envvar-awscred-check](./codebuild-project-envvar-awscred-check.html)
+ [codebuild-project-logging-enabled](./codebuild-project-logging-enabled.html)
+ [codebuild-project-s3-logs-encrypted](./codebuild-project-s3-logs-encrypted.html)
+ [codebuild-project-source-repo-url-check](./codebuild-project-source-repo-url-check.html)
+ [codebuild-project-tagged](./codebuild-project-tagged.html)
+ [codebuild-report-group-encrypted-at-rest](./codebuild-report-group-encrypted-at-rest.html)
+ [codebuild-report-group-tagged](./codebuild-report-group-tagged.html)
+ [codedeploy-auto-rollback-monitor-enabled](./codedeploy-auto-rollback-monitor-enabled.html)
+ [codedeploy-deployment-group-auto-rollback-enabled](./codedeploy-deployment-group-auto-rollback-enabled.html)
+ [codedeploy-deployment-group-outdated-instances-update](./codedeploy-deployment-group-outdated-instances-update.html)
+ [codedeploy-ec2-minimum-healthy-hosts-configured](./codedeploy-ec2-minimum-healthy-hosts-configured.html)
+ [codedeploy-lambda-allatonce-traffic-shift-disabled](./codedeploy-lambda-allatonce-traffic-shift-disabled.html)
+ [codepipeline-deployment-count-check](./codepipeline-deployment-count-check.html)
+ [codepipeline-region-fanout-check](./codepipeline-region-fanout-check.html)
+ [cognito-identity-pool-unauthenticated-logins](./cognito-identity-pool-unauthenticated-logins.html)
+ [cognito-identity-pool-unauth-access-check](./cognito-identity-pool-unauth-access-check.html)
+ [cognito-userpool-cust-auth-threat-full-check](./cognito-userpool-cust-auth-threat-full-check.html)
+ [cognito-user-pool-advanced-security-enabled](./cognito-user-pool-advanced-security-enabled.html)
+ [cognito-user-pool-deletion-protection-enabled](./cognito-user-pool-deletion-protection-enabled.html)
+ [cognito-user-pool-mfa-enabled](./cognito-user-pool-mfa-enabled.html)
+ [cognito-user-pool-password-policy-check](./cognito-user-pool-password-policy-check.html)
+ [cognito-user-pool-tagged](./cognito-user-pool-tagged.html)
+ [custom-eventbus-policy-attached](./custom-eventbus-policy-attached.html)
+ [custom-schema-registry-policy-attached](./custom-schema-registry-policy-attached.html)
+ [cw-loggroup-retention-period-check](./cw-loggroup-retention-period-check.html)
+ [datasync-location-object-storage-using-https](./datasync-location-object-storage-using-https.html)
+ [datasync-task-data-verification-enabled](./datasync-task-data-verification-enabled.html)
+ [datasync-task-logging-enabled](./datasync-task-logging-enabled.html)
+ [datasync-task-tagged](./datasync-task-tagged.html)
+ [dax-encryption-enabled](./dax-encryption-enabled.html)
+ [dax-tls-endpoint-encryption](./dax-tls-endpoint-encryption.html)
+ [db-instance-backup-enabled](./db-instance-backup-enabled.html)
+ [desired-instance-tenancy](./desired-instance-tenancy.html)
+ [desired-instance-type](./desired-instance-type.html)
+ [dms-auto-minor-version-upgrade-check](./dms-auto-minor-version-upgrade-check.html)
+ [dms-endpoint-ssl-configured](./dms-endpoint-ssl-configured.html)
+ [dms-endpoint-tagged](./dms-endpoint-tagged.html)
+ [dms-mongo-db-authentication-enabled](./dms-mongo-db-authentication-enabled.html)
+ [dms-neptune-iam-authorization-enabled](./dms-neptune-iam-authorization-enabled.html)
+ [dms-redis-tls-enabled](./dms-redis-tls-enabled.html)
+ [dms-replication-instance-multi-az-enabled](./dms-replication-instance-multi-az-enabled.html)
+ [dms-replication-not-public](./dms-replication-not-public.html)
+ [dms-replication-task-sourcedb-logging](./dms-replication-task-sourcedb-logging.html)
+ [dms-replication-task-tagged](./dms-replication-task-tagged.html)
+ [dms-replication-task-targetdb-logging](./dms-replication-task-targetdb-logging.html)
+ [docdb-cluster-audit-logging-enabled](./docdb-cluster-audit-logging-enabled.html)
+ [docdb-cluster-backup-retention-check](./docdb-cluster-backup-retention-check.html)
+ [docdb-cluster-deletion-protection-enabled](./docdb-cluster-deletion-protection-enabled.html)
+ [docdb-cluster-encrypted](./docdb-cluster-encrypted.html)
+ [docdb-cluster-encrypted-in-transit](./docdb-cluster-encrypted-in-transit.html)
+ [docdb-cluster-snapshot-public-prohibited](./docdb-cluster-snapshot-public-prohibited.html)
+ [dynamodb-autoscaling-enabled](./dynamodb-autoscaling-enabled.html)
+ [dynamodb-in-backup-plan](./dynamodb-in-backup-plan.html)
+ [dynamodb-last-backup-recovery-point-created](./dynamodb-last-backup-recovery-point-created.html)
+ [dynamodb-meets-restore-time-target](./dynamodb-meets-restore-time-target.html)
+ [dynamodb-pitr-enabled](./dynamodb-pitr-enabled.html)
+ [dynamodb-resources-protected-by-backup-plan](./dynamodb-resources-protected-by-backup-plan.html)
+ [dynamodb-table-deletion-protection-enabled](./dynamodb-table-deletion-protection-enabled.html)
+ [dynamodb-table-encrypted-kms](./dynamodb-table-encrypted-kms.html)
+ [dynamodb-table-encryption-enabled](./dynamodb-table-encryption-enabled.html)
+ [dynamodb-throughput-limit-check](./dynamodb-throughput-limit-check.html)
+ [ebs-in-backup-plan](./ebs-in-backup-plan.html)
+ [ebs-last-backup-recovery-point-created](./ebs-last-backup-recovery-point-created.html)
+ [ebs-meets-restore-time-target](./ebs-meets-restore-time-target.html)
+ [ebs-optimized-instance](./ebs-optimized-instance.html)
+ [ebs-resources-in-logically-air-gapped-vault](./ebs-resources-in-logically-air-gapped-vault.html)
+ [ebs-resources-protected-by-backup-plan](./ebs-resources-protected-by-backup-plan.html)
+ [ebs-snapshot-block-public-access](./ebs-snapshot-block-public-access.html)
+ [ebs-snapshot-public-restorable-check](./ebs-snapshot-public-restorable-check.html)
+ [ec2-capacity-reservation-tagged](./ec2-capacity-reservation-tagged.html)
+ [ec2-client-vpn-connection-log-enabled](./ec2-client-vpn-connection-log-enabled.html)
+ [ec2-client-vpn-endpoint-tagged](./ec2-client-vpn-endpoint-tagged.html)
+ [ec2-client-vpn-not-authorize-all](./ec2-client-vpn-not-authorize-all.html)
+ [ec2-dhcp-options-tagged](./ec2-dhcp-options-tagged.html)
+ [ec2-ebs-encryption-by-default](./ec2-ebs-encryption-by-default.html)
+ [ec2-enis-source-destination-check-enabled](./ec2-enis-source-destination-check-enabled.html)
+ [ec2-fleet-tagged](./ec2-fleet-tagged.html)
+ [ec2-imdsv2-check](./ec2-imdsv2-check.html)
+ [ec2-instance-detailed-monitoring-enabled](./ec2-instance-detailed-monitoring-enabled.html)
+ [ec2-instance-launched-with-allowed-ami](./ec2-instance-launched-with-allowed-ami.html)
+ [ec2-instance-managed-by-ssm](./ec2-instance-managed-by-ssm.html)
+ [ec2-instance-multiple-eni-check](./ec2-instance-multiple-eni-check.html)
+ [ec2-instance-no-public-ip](./ec2-instance-no-public-ip.html)
+ [ec2-instance-profile-attached](./ec2-instance-profile-attached.html)
+ [ec2-ipamscope-tagged](./ec2-ipamscope-tagged.html)
+ [ec2-last-backup-recovery-point-created](./ec2-last-backup-recovery-point-created.html)
+ [ec2-launchtemplate-ebs-encrypted](./ec2-launchtemplate-ebs-encrypted.html)
+ [ec2-launch-templates-ebs-volume-encrypted](./ec2-launch-templates-ebs-volume-encrypted.html)
+ [ec2-launch-template-imdsv2-check](./ec2-launch-template-imdsv2-check.html)
+ [ec2-launch-template-public-ip-disabled](./ec2-launch-template-public-ip-disabled.html)
+ [ec2-launch-template-tagged](./ec2-launch-template-tagged.html)
+ [ec2-managedinstance-applications-blacklisted](./ec2-managedinstance-applications-blacklisted.html)
+ [ec2-managedinstance-applications-required](./ec2-managedinstance-applications-required.html)
+ [ec2-managedinstance-association-compliance-status-check](./ec2-managedinstance-association-compliance-status-check.html)
+ [ec2-managedinstance-inventory-blacklisted](./ec2-managedinstance-inventory-blacklisted.html)
+ [ec2-managedinstance-patch-compliance-status-check](./ec2-managedinstance-patch-compliance-status-check.html)
+ [ec2-managedinstance-platform-check](./ec2-managedinstance-platform-check.html)
+ [ec2-meets-restore-time-target](./ec2-meets-restore-time-target.html)
+ [ec2-network-insights-access-scope-analysis-tagged](./ec2-network-insights-access-scope-analysis-tagged.html)
+ [ec2-network-insights-access-scope-tagged](./ec2-network-insights-access-scope-tagged.html)
+ [ec2-network-insights-analysis-tagged](./ec2-network-insights-analysis-tagged.html)
+ [ec2-network-insights-path-tagged](./ec2-network-insights-path-tagged.html)
+ [ec2-no-amazon-key-pair](./ec2-no-amazon-key-pair.html)
+ [ec2-prefix-list-tagged](./ec2-prefix-list-tagged.html)
+ [ec2-resources-in-logically-air-gapped-vault](./ec2-resources-in-logically-air-gapped-vault.html)
+ [ec2-resources-protected-by-backup-plan](./ec2-resources-protected-by-backup-plan.html)
+ [ec2-security-group-attached-to-eni](./ec2-security-group-attached-to-eni.html)
+ [ec2-security-group-attached-to-eni-periodic](./ec2-security-group-attached-to-eni-periodic.html)
+ [ec2-spot-fleet-request-ct-encryption-at-rest](./ec2-spot-fleet-request-ct-encryption-at-rest.html)
+ [ec2-stopped-instance](./ec2-stopped-instance.html)
+ [ec2-token-hop-limit-check](./ec2-token-hop-limit-check.html)
+ [ec2-traffic-mirror-filter-description](./ec2-traffic-mirror-filter-description.html)
+ [ec2-traffic-mirror-filter-tagged](./ec2-traffic-mirror-filter-tagged.html)
+ [ec2-traffic-mirror-session-description](./ec2-traffic-mirror-session-description.html)
+ [ec2-traffic-mirror-session-tagged](./ec2-traffic-mirror-session-tagged.html)
+ [ec2-traffic-mirror-target-description](./ec2-traffic-mirror-target-description.html)
+ [ec2-traffic-mirror-target-tagged](./ec2-traffic-mirror-target-tagged.html)
+ [ec2-transit-gateway-auto-vpc-attach-disabled](./ec2-transit-gateway-auto-vpc-attach-disabled.html)
+ [ec2-transit-gateway-multicast-domain-tagged](./ec2-transit-gateway-multicast-domain-tagged.html)
+ [ec2-volume-inuse-check](./ec2-volume-inuse-check.html)
+ [ec2-vpn-connection-ike-version-check](./ec2-vpn-connection-ike-version-check.html)
+ [ec2-vpn-connection-logging-enabled](./ec2-vpn-connection-logging-enabled.html)
+ [ec2-vpn-connection-tagged](./ec2-vpn-connection-tagged.html)
+ [ecr-private-image-scanning-enabled](./ecr-private-image-scanning-enabled.html)
+ [ecr-private-lifecycle-policy-configured](./ecr-private-lifecycle-policy-configured.html)
+ [ecr-private-tag-immutability-enabled](./ecr-private-tag-immutability-enabled.html)
+ [ecr-repository-cmk-encryption-enabled](./ecr-repository-cmk-encryption-enabled.html)
+ [ecr-repository-tagged](./ecr-repository-tagged.html)
+ [ecs-awsvpc-networking-enabled](./ecs-awsvpc-networking-enabled.html)
+ [ecs-capacity-provider-tagged](./ecs-capacity-provider-tagged.html)
+ [ecs-capacity-provider-termination-check](./ecs-capacity-provider-termination-check.html)
+ [ecs-containers-nonprivileged](./ecs-containers-nonprivileged.html)
+ [ecs-containers-readonly-access](./ecs-containers-readonly-access.html)
+ [ecs-container-insights-enabled](./ecs-container-insights-enabled.html)
+ [ecs-fargate-latest-platform-version](./ecs-fargate-latest-platform-version.html)
+ [ecs-no-environment-secrets](./ecs-no-environment-secrets.html)
+ [ecs-service-propagate-tags-enabled](./ecs-service-propagate-tags-enabled.html)
+ [ecs-task-definition-efs-encryption-enabled](./ecs-task-definition-efs-encryption-enabled.html)
+ [ecs-task-definition-linux-user-non-root](./ecs-task-definition-linux-user-non-root.html)
+ [ecs-task-definition-log-configuration](./ecs-task-definition-log-configuration.html)
+ [ecs-task-definition-memory-hard-limit](./ecs-task-definition-memory-hard-limit.html)
+ [ecs-task-definition-network-mode-not-host](./ecs-task-definition-network-mode-not-host.html)
+ [ecs-task-definition-nonroot-user](./ecs-task-definition-nonroot-user.html)
+ [ecs-task-definition-pid-mode-check](./ecs-task-definition-pid-mode-check.html)
+ [ecs-task-definition-user-for-host-mode-check](./ecs-task-definition-user-for-host-mode-check.html)
+ [ecs-task-definition-windows-user-non-admin](./ecs-task-definition-windows-user-non-admin.html)
+ [efs-access-point-enforce-root-directory](./efs-access-point-enforce-root-directory.html)
+ [efs-access-point-enforce-user-identity](./efs-access-point-enforce-user-identity.html)
+ [efs-automatic-backups-enabled](./efs-automatic-backups-enabled.html)
+ [efs-encrypted-check](./efs-encrypted-check.html)
+ [efs-filesystem-ct-encrypted](./efs-filesystem-ct-encrypted.html)
+ [efs-file-system-tagged](./efs-file-system-tagged.html)
+ [efs-in-backup-plan](./efs-in-backup-plan.html)
+ [efs-last-backup-recovery-point-created](./efs-last-backup-recovery-point-created.html)
+ [efs-meets-restore-time-target](./efs-meets-restore-time-target.html)
+ [efs-mount-target-public-accessible](./efs-mount-target-public-accessible.html)
+ [efs-resources-in-logically-air-gapped-vault](./efs-resources-in-logically-air-gapped-vault.html)
+ [efs-resources-protected-by-backup-plan](./efs-resources-protected-by-backup-plan.html)
+ [eip-attached](./eip-attached.html)
+ [eks-addon-tagged](./eks-addon-tagged.html)
+ [eks-cluster-logging-enabled](./eks-cluster-logging-enabled.html)
+ [eks-cluster-log-enabled](./eks-cluster-log-enabled.html)
+ [eks-cluster-oldest-supported-version](./eks-cluster-oldest-supported-version.html)
+ [eks-cluster-secrets-encrypted](./eks-cluster-secrets-encrypted.html)
+ [eks-cluster-supported-version](./eks-cluster-supported-version.html)
+ [eks-endpoint-no-public-access](./eks-endpoint-no-public-access.html)
+ [eks-fargate-profile-tagged](./eks-fargate-profile-tagged.html)
+ [eks-nodegroup-supported-version-check](./eks-nodegroup-supported-version-check.html)
+ [eks-secrets-encrypted](./eks-secrets-encrypted.html)
+ [elasticache-automatic-backup-check-enabled](./elasticache-automatic-backup-check-enabled.html)
+ [elasticache-auto-minor-version-upgrade-check](./elasticache-auto-minor-version-upgrade-check.html)
+ [elasticache-rbac-auth-enabled](./elasticache-rbac-auth-enabled.html)
+ [elasticache-redis-cluster-automatic-backup-check](./elasticache-redis-cluster-automatic-backup-check.html)
+ [elasticache-repl-grp-auto-failover-enabled](./elasticache-repl-grp-auto-failover-enabled.html)
+ [elasticache-repl-grp-encrypted-at-rest](./elasticache-repl-grp-encrypted-at-rest.html)
+ [elasticache-repl-grp-encrypted-in-transit](./elasticache-repl-grp-encrypted-in-transit.html)
+ [elasticache-repl-grp-redis-auth-enabled](./elasticache-repl-grp-redis-auth-enabled.html)
+ [elasticache-subnet-group-check](./elasticache-subnet-group-check.html)
+ [elasticache-supported-engine-version](./elasticache-supported-engine-version.html)
+ [elasticbeanstalk-application-description](./elasticbeanstalk-application-description.html)
+ [elasticbeanstalk-application-version-description](./elasticbeanstalk-application-version-description.html)
+ [elasticbeanstalk-environment-description](./elasticbeanstalk-environment-description.html)
+ [elasticsearch-encrypted-at-rest](./elasticsearch-encrypted-at-rest.html)
+ [elasticsearch-in-vpc-only](./elasticsearch-in-vpc-only.html)
+ [elasticsearch-logs-to-cloudwatch](./elasticsearch-logs-to-cloudwatch.html)
+ [elasticsearch-node-to-node-encryption-check](./elasticsearch-node-to-node-encryption-check.html)
+ [elastic-beanstalk-logs-to-cloudwatch](./elastic-beanstalk-logs-to-cloudwatch.html)
+ [elastic-beanstalk-managed-updates-enabled](./elastic-beanstalk-managed-updates-enabled.html)
+ [elbv2-acm-certificate-required](./elbv2-acm-certificate-required.html)
+ [elbv2-listener-encryption-in-transit](./elbv2-listener-encryption-in-transit.html)
+ [elbv2-multiple-az](./elbv2-multiple-az.html)
+ [elbv2-predefined-security-policy-ssl-check](./elbv2-predefined-security-policy-ssl-check.html)
+ [elbv2-targetgroup-healthcheck-protocol-encrypted](./elbv2-targetgroup-healthcheck-protocol-encrypted.html)
+ [elbv2-targetgroup-protocol-encrypted](./elbv2-targetgroup-protocol-encrypted.html)
+ [elb-acm-certificate-required](./elb-acm-certificate-required.html)
+ [elb-cross-zone-load-balancing-enabled](./elb-cross-zone-load-balancing-enabled.html)
+ [elb-custom-security-policy-ssl-check](./elb-custom-security-policy-ssl-check.html)
+ [elb-deletion-protection-enabled](./elb-deletion-protection-enabled.html)
+ [elb-internal-scheme-check](./elb-internal-scheme-check.html)
+ [elb-logging-enabled](./elb-logging-enabled.html)
+ [elb-predefined-security-policy-ssl-check](./elb-predefined-security-policy-ssl-check.html)
+ [elb-tagged](./elb-tagged.html)
+ [elb-tls-https-listeners-only](./elb-tls-https-listeners-only.html)
+ [emr-block-public-access](./emr-block-public-access.html)
+ [emr-kerberos-enabled](./emr-kerberos-enabled.html)
+ [emr-master-no-public-ip](./emr-master-no-public-ip.html)
+ [emr-security-configuration-encryption-rest](./emr-security-configuration-encryption-rest.html)
+ [emr-security-configuration-encryption-transit](./emr-security-configuration-encryption-transit.html)
+ [encrypted-volumes](./encrypted-volumes.html)
+ [eventschemas-discoverer-tagged](./eventschemas-discoverer-tagged.html)
+ [eventschemas-registry-tagged](./eventschemas-registry-tagged.html)
+ [event-data-store-cmk-encryption-enabled](./event-data-store-cmk-encryption-enabled.html)
+ [fis-experiment-template-log-configuration-exists](./fis-experiment-template-log-configuration-exists.html)
+ [fis-experiment-template-tagged](./fis-experiment-template-tagged.html)
+ [fms-shield-resource-policy-check](./fms-shield-resource-policy-check.html)
+ [fms-webacl-resource-policy-check](./fms-webacl-resource-policy-check.html)
+ [fms-webacl-rulegroup-association-check](./fms-webacl-rulegroup-association-check.html)
+ [fsx-last-backup-recovery-point-created](./fsx-last-backup-recovery-point-created.html)
+ [fsx-lustre-copy-tags-to-backups](./fsx-lustre-copy-tags-to-backups.html)
+ [fsx-meets-restore-time-target](./fsx-meets-restore-time-target.html)
+ [fsx-ontap-deployment-type-check](./fsx-ontap-deployment-type-check.html)
+ [fsx-openzfs-copy-tags-enabled](./fsx-openzfs-copy-tags-enabled.html)
+ [fsx-openzfs-deployment-type-check](./fsx-openzfs-deployment-type-check.html)
+ [fsx-resources-protected-by-backup-plan](./fsx-resources-protected-by-backup-plan.html)
+ [fsx-windows-audit-log-configured](./fsx-windows-audit-log-configured.html)
+ [fsx-windows-deployment-type-check](./fsx-windows-deployment-type-check.html)
+ [glb-listener-tagged](./glb-listener-tagged.html)
+ [glb-tagged](./glb-tagged.html)
+ [global-endpoint-event-replication-enabled](./global-endpoint-event-replication-enabled.html)
+ [glue-job-logging-enabled](./glue-job-logging-enabled.html)
+ [glue-ml-transform-encrypted-at-rest](./glue-ml-transform-encrypted-at-rest.html)
+ [glue-ml-transform-tagged](./glue-ml-transform-tagged.html)
+ [glue-spark-job-supported-version](./glue-spark-job-supported-version.html)
+ [guardduty-ec2-protection-runtime-enabled](./guardduty-ec2-protection-runtime-enabled.html)
+ [guardduty-ecs-protection-runtime-enabled](./guardduty-ecs-protection-runtime-enabled.html)
+ [guardduty-eks-protection-audit-enabled](./guardduty-eks-protection-audit-enabled.html)
+ [guardduty-eks-protection-runtime-enabled](./guardduty-eks-protection-runtime-enabled.html)
+ [guardduty-enabled-centralized](./guardduty-enabled-centralized.html)
+ [guardduty-lambda-protection-enabled](./guardduty-lambda-protection-enabled.html)
+ [guardduty-malware-protection-enabled](./guardduty-malware-protection-enabled.html)
+ [guardduty-non-archived-findings](./guardduty-non-archived-findings.html)
+ [guardduty-rds-protection-enabled](./guardduty-rds-protection-enabled.html)
+ [guardduty-runtime-monitoring-enabled](./guardduty-runtime-monitoring-enabled.html)
+ [guardduty-s3-protection-enabled](./guardduty-s3-protection-enabled.html)
+ [healthlake-fhirdatastore-tagged](./healthlake-fhirdatastore-tagged.html)
+ [iam-customer-policy-blocked-kms-actions](./iam-customer-policy-blocked-kms-actions.html)
+ [iam-external-access-analyzer-enabled](./iam-external-access-analyzer-enabled.html)
+ [iam-group-has-users-check](./iam-group-has-users-check.html)
+ [iam-inline-policy-blocked-kms-actions](./iam-inline-policy-blocked-kms-actions.html)
+ [iam-no-inline-policy-check](./iam-no-inline-policy-check.html)
+ [iam-password-policy](./iam-password-policy.html)
+ [iam-policy-blacklisted-check](./iam-policy-blacklisted-check.html)
+ [iam-policy-description](./iam-policy-description.html)
+ [iam-policy-in-use](./iam-policy-in-use.html)
+ [iam-policy-no-statements-with-admin-access](./iam-policy-no-statements-with-admin-access.html)
+ [iam-policy-no-statements-with-full-access](./iam-policy-no-statements-with-full-access.html)
+ [iam-role-managed-policy-check](./iam-role-managed-policy-check.html)
+ [iam-root-access-key-check](./iam-root-access-key-check.html)
+ [iam-user-group-membership-check](./iam-user-group-membership-check.html)
+ [iam-user-mfa-enabled](./iam-user-mfa-enabled.html)
+ [iam-user-no-policies-check](./iam-user-no-policies-check.html)
+ [iam-user-unused-credentials-check](./iam-user-unused-credentials-check.html)
+ [imagebuilder-distributionconfiguration-tagged](./imagebuilder-distributionconfiguration-tagged.html)
+ [imagebuilder-imagepipeline-tagged](./imagebuilder-imagepipeline-tagged.html)
+ [imagebuilder-imagerecipe-ebs-volumes-encrypted](./imagebuilder-imagerecipe-ebs-volumes-encrypted.html)
+ [imagebuilder-imagerecipe-tagged](./imagebuilder-imagerecipe-tagged.html)
+ [imagebuilder-infrastructureconfiguration-tagged](./imagebuilder-infrastructureconfiguration-tagged.html)
+ [incoming-ssh-disabled](./incoming-ssh-disabled.html)
+ [inspector-ec2-scan-enabled](./inspector-ec2-scan-enabled.html)
+ [inspector-ecr-scan-enabled](./inspector-ecr-scan-enabled.html)
+ [inspector-lambda-standard-scan-enabled](./inspector-lambda-standard-scan-enabled.html)
+ [instances-in-vpc](./instances-in-vpc.html)
+ [internet-gateway-authorized-vpc-only](./internet-gateway-authorized-vpc-only.html)
+ [iotdevicedefender-custom-metric-tagged](./iotdevicedefender-custom-metric-tagged.html)
+ [iotevents-alarm-model-tagged](./iotevents-alarm-model-tagged.html)
+ [iotevents-detector-model-tagged](./iotevents-detector-model-tagged.html)
+ [iotevents-input-tagged](./iotevents-input-tagged.html)
+ [iotsitewise-asset-model-tagged](./iotsitewise-asset-model-tagged.html)
+ [iotsitewise-dashboard-tagged](./iotsitewise-dashboard-tagged.html)
+ [iotsitewise-gateway-tagged](./iotsitewise-gateway-tagged.html)
+ [iotsitewise-portal-tagged](./iotsitewise-portal-tagged.html)
+ [iotsitewise-project-tagged](./iotsitewise-project-tagged.html)
+ [iottwinmaker-component-type-tagged](./iottwinmaker-component-type-tagged.html)
+ [iottwinmaker-scene-tagged](./iottwinmaker-scene-tagged.html)
+ [iottwinmaker-sync-job-tagged](./iottwinmaker-sync-job-tagged.html)
+ [iottwinmaker-workspace-tagged](./iottwinmaker-workspace-tagged.html)
+ [iot-authorizer-token-signing-enabled](./iot-authorizer-token-signing-enabled.html)
+ [iot-job-template-tagged](./iot-job-template-tagged.html)
+ [iot-provisioning-template-description](./iot-provisioning-template-description.html)
+ [iot-provisioning-template-jitp](./iot-provisioning-template-jitp.html)
+ [iot-provisioning-template-tagged](./iot-provisioning-template-tagged.html)
+ [iot-scheduled-audit-tagged](./iot-scheduled-audit-tagged.html)
+ [ivs-channel-playback-authorization-enabled](./ivs-channel-playback-authorization-enabled.html)
+ [ivs-channel-tagged](./ivs-channel-tagged.html)
+ [ivs-playback-key-pair-tagged](./ivs-playback-key-pair-tagged.html)
+ [ivs-recording-configuration-tagged](./ivs-recording-configuration-tagged.html)
+ [kendra-index-tagged](./kendra-index-tagged.html)
+ [kinesisvideo-signalingchannel-tagged](./kinesisvideo-signalingchannel-tagged.html)
+ [kinesisvideo-stream-tagged](./kinesisvideo-stream-tagged.html)
+ [kinesis-firehose-delivery-stream-encrypted](./kinesis-firehose-delivery-stream-encrypted.html)
+ [kinesis-stream-backup-retention-check](./kinesis-stream-backup-retention-check.html)
+ [kinesis-stream-encrypted](./kinesis-stream-encrypted.html)
+ [kinesis-video-stream-minimum-data-retention](./kinesis-video-stream-minimum-data-retention.html)
+ [kms-cmk-not-scheduled-for-deletion](./kms-cmk-not-scheduled-for-deletion.html)
+ [kms-key-policy-no-public-access](./kms-key-policy-no-public-access.html)
+ [kms-key-tagged](./kms-key-tagged.html)
+ [lambda-concurrency-check](./lambda-concurrency-check.html)
+ [lambda-dlq-check](./lambda-dlq-check.html)
+ [lambda-function-application-log-level-check](./lambda-function-application-log-level-check.html)
+ [lambda-function-description](./lambda-function-description.html)
+ [lambda-function-log-format-json](./lambda-function-log-format-json.html)
+ [lambda-function-public-access-prohibited](./lambda-function-public-access-prohibited.html)
+ [lambda-function-settings-check](./lambda-function-settings-check.html)
+ [lambda-function-system-log-level-check](./lambda-function-system-log-level-check.html)
+ [lambda-function-xray-enabled](./lambda-function-xray-enabled.html)
+ [lambda-inside-vpc](./lambda-inside-vpc.html)
+ [lambda-vpc-multi-az-check](./lambda-vpc-multi-az-check.html)
+ [lightsail-bucket-allow-public-overrides-disabled](./lightsail-bucket-allow-public-overrides-disabled.html)
+ [lightsail-bucket-object-versioning-enabled](./lightsail-bucket-object-versioning-enabled.html)
+ [lightsail-bucket-tagged](./lightsail-bucket-tagged.html)
+ [lightsail-certificate-tagged](./lightsail-certificate-tagged.html)
+ [lightsail-disk-tagged](./lightsail-disk-tagged.html)
+ [macie-auto-sensitive-data-discovery-check](./macie-auto-sensitive-data-discovery-check.html)
+ [macie-status-check](./macie-status-check.html)
+ [mariadb-publish-logs-to-cloudwatch-logs](./mariadb-publish-logs-to-cloudwatch-logs.html)
+ [mediapackage-packagingconfiguration-tagged](./mediapackage-packagingconfiguration-tagged.html)
+ [mediatailor-playbackconfiguration-tagged](./mediatailor-playbackconfiguration-tagged.html)
+ [memorydb-subnetgroup-tagged](./memorydb-subnetgroup-tagged.html)
+ [mfa-enabled-for-iam-console-access](./mfa-enabled-for-iam-console-access.html)
+ [mq-active-broker-ldap-authentication](./mq-active-broker-ldap-authentication.html)
+ [mq-active-deployment-mode](./mq-active-deployment-mode.html)
+ [mq-active-single-instance-broker-storage-type-efs](./mq-active-single-instance-broker-storage-type-efs.html)
+ [mq-automatic-minor-version-upgrade-enabled](./mq-automatic-minor-version-upgrade-enabled.html)
+ [mq-auto-minor-version-upgrade-enabled](./mq-auto-minor-version-upgrade-enabled.html)
+ [mq-broker-general-logging-enabled](./mq-broker-general-logging-enabled.html)
+ [mq-cloudwatch-audit-logging-enabled](./mq-cloudwatch-audit-logging-enabled.html)
+ [mq-cloudwatch-audit-log-enabled](./mq-cloudwatch-audit-log-enabled.html)
+ [mq-no-public-access](./mq-no-public-access.html)
+ [mq-rabbit-deployment-mode](./mq-rabbit-deployment-mode.html)
+ [msk-cluster-public-access-disabled](./msk-cluster-public-access-disabled.html)
+ [msk-cluster-tagged](./msk-cluster-tagged.html)
+ [msk-connect-connector-logging-enabled](./msk-connect-connector-logging-enabled.html)
+ [msk-enhanced-monitoring-enabled](./msk-enhanced-monitoring-enabled.html)
+ [msk-in-cluster-node-require-tls](./msk-in-cluster-node-require-tls.html)
+ [msk-unrestricted-access-check](./msk-unrestricted-access-check.html)
+ [multi-region-cloud-trail-enabled](./multi-region-cloud-trail-enabled.html)
+ [nacl-no-unrestricted-ssh-rdp](./nacl-no-unrestricted-ssh-rdp.html)
+ [neptune-cluster-backup-retention-check](./neptune-cluster-backup-retention-check.html)
+ [neptune-cluster-cloudwatch-log-export-enabled](./neptune-cluster-cloudwatch-log-export-enabled.html)
+ [neptune-cluster-copy-tags-to-snapshot-enabled](./neptune-cluster-copy-tags-to-snapshot-enabled.html)
+ [neptune-cluster-deletion-protection-enabled](./neptune-cluster-deletion-protection-enabled.html)
+ [neptune-cluster-encrypted](./neptune-cluster-encrypted.html)
+ [neptune-cluster-iam-database-authentication](./neptune-cluster-iam-database-authentication.html)
+ [neptune-cluster-multi-az-enabled](./neptune-cluster-multi-az-enabled.html)
+ [neptune-cluster-snapshot-encrypted](./neptune-cluster-snapshot-encrypted.html)
+ [neptune-cluster-snapshot-iam-database-auth-enabled](./neptune-cluster-snapshot-iam-database-auth-enabled.html)
+ [neptune-cluster-snapshot-public-prohibited](./neptune-cluster-snapshot-public-prohibited.html)
+ [netfw-deletion-protection-enabled](./netfw-deletion-protection-enabled.html)
+ [netfw-logging-enabled](./netfw-logging-enabled.html)
+ [netfw-multi-az-enabled](./netfw-multi-az-enabled.html)
+ [netfw-policy-default-action-fragment-packets](./netfw-policy-default-action-fragment-packets.html)
+ [netfw-policy-default-action-full-packets](./netfw-policy-default-action-full-packets.html)
+ [netfw-policy-rule-group-associated](./netfw-policy-rule-group-associated.html)
+ [netfw-stateless-rule-group-not-empty](./netfw-stateless-rule-group-not-empty.html)
+ [netfw-subnet-change-protection-enabled](./netfw-subnet-change-protection-enabled.html)
+ [nlb-cross-zone-load-balancing-enabled](./nlb-cross-zone-load-balancing-enabled.html)
+ [nlb-internal-scheme-check](./nlb-internal-scheme-check.html)
+ [nlb-listener-tagged](./nlb-listener-tagged.html)
+ [nlb-logging-enabled](./nlb-logging-enabled.html)
+ [nlb-tagged](./nlb-tagged.html)
+ [no-unrestricted-route-to-igw](./no-unrestricted-route-to-igw.html)
+ [opensearchserverless-collection-description](./opensearchserverless-collection-description.html)
+ [opensearchserverless-collection-standbyreplicas-enabled](./opensearchserverless-collection-standbyreplicas-enabled.html)
+ [opensearch-access-control-enabled](./opensearch-access-control-enabled.html)
+ [opensearch-audit-logging-enabled](./opensearch-audit-logging-enabled.html)
+ [opensearch-data-node-fault-tolerance](./opensearch-data-node-fault-tolerance.html)
+ [opensearch-encrypted-at-rest](./opensearch-encrypted-at-rest.html)
+ [opensearch-https-required](./opensearch-https-required.html)
+ [opensearch-in-vpc-only](./opensearch-in-vpc-only.html)
+ [opensearch-logs-to-cloudwatch](./opensearch-logs-to-cloudwatch.html)
+ [opensearch-node-to-node-encryption-check](./opensearch-node-to-node-encryption-check.html)
+ [opensearch-primary-node-fault-tolerance](./opensearch-primary-node-fault-tolerance.html)
+ [opensearch-update-check](./opensearch-update-check.html)
+ [rabbit-mq-supported-version](./rabbit-mq-supported-version.html)
+ [rds-aurora-mysql-audit-logging-enabled](./rds-aurora-mysql-audit-logging-enabled.html)
+ [rds-aurora-postgresql-logs-to-cloudwatch](./rds-aurora-postgresql-logs-to-cloudwatch.html)
+ [rds-automatic-minor-version-upgrade-enabled](./rds-automatic-minor-version-upgrade-enabled.html)
+ [rds-cluster-auto-minor-version-upgrade-enable](./rds-cluster-auto-minor-version-upgrade-enable.html)
+ [rds-cluster-backup-retention-check](./rds-cluster-backup-retention-check.html)
+ [rds-cluster-default-admin-check](./rds-cluster-default-admin-check.html)
+ [rds-cluster-deletion-protection-enabled](./rds-cluster-deletion-protection-enabled.html)
+ [rds-cluster-encrypted-at-rest](./rds-cluster-encrypted-at-rest.html)
+ [rds-cluster-iam-authentication-enabled](./rds-cluster-iam-authentication-enabled.html)
+ [rds-cluster-multi-az-enabled](./rds-cluster-multi-az-enabled.html)
+ [rds-enhanced-monitoring-enabled](./rds-enhanced-monitoring-enabled.html)
+ [rds-event-subscription-tagged](./rds-event-subscription-tagged.html)
+ [rds-global-cluster-aurora-mysql-supported-version](./rds-global-cluster-aurora-mysql-supported-version.html)
+ [rds-instance-default-admin-check](./rds-instance-default-admin-check.html)
+ [rds-instance-deletion-protection-enabled](./rds-instance-deletion-protection-enabled.html)
+ [rds-instance-iam-authentication-enabled](./rds-instance-iam-authentication-enabled.html)
+ [rds-instance-public-access-check](./rds-instance-public-access-check.html)
+ [rds-instance-subnet-igw-check](./rds-instance-subnet-igw-check.html)
+ [rds-in-backup-plan](./rds-in-backup-plan.html)
+ [rds-last-backup-recovery-point-created](./rds-last-backup-recovery-point-created.html)
+ [rds-logging-enabled](./rds-logging-enabled.html)
+ [rds-mariadb-instance-encrypted-in-transit](./rds-mariadb-instance-encrypted-in-transit.html)
+ [rds-meets-restore-time-target](./rds-meets-restore-time-target.html)
+ [rds-multi-az-support](./rds-multi-az-support.html)
+ [rds-mysql-cluster-copy-tags-to-snapshot-check](./rds-mysql-cluster-copy-tags-to-snapshot-check.html)
+ [rds-mysql-instance-encrypted-in-transit](./rds-mysql-instance-encrypted-in-transit.html)
+ [rds-option-group-tagged](./rds-option-group-tagged.html)
+ [rds-pgsql-cluster-copy-tags-to-snapshot-check](./rds-pgsql-cluster-copy-tags-to-snapshot-check.html)
+ [rds-postgresql-logs-to-cloudwatch](./rds-postgresql-logs-to-cloudwatch.html)
+ [rds-postgres-instance-encrypted-in-transit](./rds-postgres-instance-encrypted-in-transit.html)
+ [rds-proxy-tls-encryption](./rds-proxy-tls-encryption.html)
+ [rds-resources-protected-by-backup-plan](./rds-resources-protected-by-backup-plan.html)
+ [rds-snapshots-public-prohibited](./rds-snapshots-public-prohibited.html)
+ [rds-snapshot-encrypted](./rds-snapshot-encrypted.html)
+ [rds-sqlserver-encrypted-in-transit](./rds-sqlserver-encrypted-in-transit.html)
+ [rds-sql-server-logs-to-cloudwatch](./rds-sql-server-logs-to-cloudwatch.html)
+ [rds-storage-encrypted](./rds-storage-encrypted.html)
+ [redshift-audit-logging-enabled](./redshift-audit-logging-enabled.html)
+ [redshift-backup-enabled](./redshift-backup-enabled.html)
+ [redshift-cluster-configuration-check](./redshift-cluster-configuration-check.html)
+ [redshift-cluster-kms-enabled](./redshift-cluster-kms-enabled.html)
+ [redshift-cluster-maintenancesettings-check](./redshift-cluster-maintenancesettings-check.html)
+ [redshift-cluster-multi-az-enabled](./redshift-cluster-multi-az-enabled.html)
+ [redshift-cluster-parameter-group-tagged](./redshift-cluster-parameter-group-tagged.html)
+ [redshift-cluster-public-access-check](./redshift-cluster-public-access-check.html)
+ [redshift-cluster-subnet-group-multi-az](./redshift-cluster-subnet-group-multi-az.html)
+ [redshift-default-admin-check](./redshift-default-admin-check.html)
+ [redshift-default-db-name-check](./redshift-default-db-name-check.html)
+ [redshift-enhanced-vpc-routing-enabled](./redshift-enhanced-vpc-routing-enabled.html)
+ [redshift-require-tls-ssl](./redshift-require-tls-ssl.html)
+ [redshift-serverless-default-admin-check](./redshift-serverless-default-admin-check.html)
+ [redshift-serverless-default-db-name-check](./redshift-serverless-default-db-name-check.html)
+ [redshift-serverless-namespace-cmk-encryption](./redshift-serverless-namespace-cmk-encryption.html)
+ [redshift-serverless-publish-logs-to-cloudwatch](./redshift-serverless-publish-logs-to-cloudwatch.html)
+ [redshift-serverless-workgroup-encrypted-in-transit](./redshift-serverless-workgroup-encrypted-in-transit.html)
+ [redshift-serverless-workgroup-no-public-access](./redshift-serverless-workgroup-no-public-access.html)
+ [redshift-serverless-workgroup-routes-within-vpc](./redshift-serverless-workgroup-routes-within-vpc.html)
+ [redshift-unrestricted-port-access](./redshift-unrestricted-port-access.html)
+ [required-tags](./required-tags.html)
+ [resiliencehub-app-tagged](./resiliencehub-app-tagged.html)
+ [resiliencehub-resiliencypolicy-tagged](./resiliencehub-resiliencypolicy-tagged.html)
+ [restricted-incoming-traffic](./restricted-incoming-traffic.html)
+ [root-account-hardware-mfa-enabled](./root-account-hardware-mfa-enabled.html)
+ [root-account-mfa-enabled](./root-account-mfa-enabled.html)
+ [route53-resolver-firewall-domain-list-tagged](./route53-resolver-firewall-domain-list-tagged.html)
+ [route53-resolver-firewall-rule-group-association-tagged](./route53-resolver-firewall-rule-group-association-tagged.html)
+ [route53-resolver-firewall-rule-group-tagged](./route53-resolver-firewall-rule-group-tagged.html)
+ [route53-resolver-resolver-endpoint-tagged](./route53-resolver-resolver-endpoint-tagged.html)
+ [route53-resolver-resolver-rule-tagged](./route53-resolver-resolver-rule-tagged.html)
+ [rum-app-monitor-cloudwatch-logs-enabled](./rum-app-monitor-cloudwatch-logs-enabled.html)
+ [rum-app-monitor-tagged](./rum-app-monitor-tagged.html)
+ [s3express-dir-bucket-lifecycle-rules-check](./s3express-dir-bucket-lifecycle-rules-check.html)
+ [s3-access-point-in-vpc-only](./s3-access-point-in-vpc-only.html)
+ [s3-access-point-public-access-blocks](./s3-access-point-public-access-blocks.html)
+ [s3-account-level-public-access-blocks](./s3-account-level-public-access-blocks.html)
+ [s3-account-level-public-access-blocks-periodic](./s3-account-level-public-access-blocks-periodic.html)
+ [s3-bucket-acl-prohibited](./s3-bucket-acl-prohibited.html)
+ [s3-bucket-blacklisted-actions-prohibited](./s3-bucket-blacklisted-actions-prohibited.html)
+ [s3-bucket-cross-region-replication-enabled](./s3-bucket-cross-region-replication-enabled.html)
+ [s3-bucket-default-lock-enabled](./s3-bucket-default-lock-enabled.html)
+ [s3-bucket-level-public-access-prohibited](./s3-bucket-level-public-access-prohibited.html)
+ [s3-bucket-logging-enabled](./s3-bucket-logging-enabled.html)
+ [s3-bucket-mfa-delete-enabled](./s3-bucket-mfa-delete-enabled.html)
+ [s3-bucket-policy-grantee-check](./s3-bucket-policy-grantee-check.html)
+ [s3-bucket-policy-not-more-permissive](./s3-bucket-policy-not-more-permissive.html)
+ [s3-bucket-public-read-prohibited](./s3-bucket-public-read-prohibited.html)
+ [s3-bucket-public-write-prohibited](./s3-bucket-public-write-prohibited.html)
+ [s3-bucket-replication-enabled](./s3-bucket-replication-enabled.html)
+ [s3-bucket-server-side-encryption-enabled](./s3-bucket-server-side-encryption-enabled.html)
+ [s3-bucket-ssl-requests-only](./s3-bucket-ssl-requests-only.html)
+ [s3-bucket-tagged](./s3-bucket-tagged.html)
+ [s3-bucket-versioning-enabled](./s3-bucket-versioning-enabled.html)
+ [s3-default-encryption-kms](./s3-default-encryption-kms.html)
+ [s3-directory-bucket-lifecycle-policy-rule-check](./s3-directory-bucket-lifecycle-policy-rule-check.html)
+ [s3-event-notifications-enabled](./s3-event-notifications-enabled.html)
+ [s3-last-backup-recovery-point-created](./s3-last-backup-recovery-point-created.html)
+ [s3-lifecycle-policy-check](./s3-lifecycle-policy-check.html)
+ [s3-meets-restore-time-target](./s3-meets-restore-time-target.html)
+ [s3-resources-in-logically-air-gapped-vault](./s3-resources-in-logically-air-gapped-vault.html)
+ [s3-resources-protected-by-backup-plan](./s3-resources-protected-by-backup-plan.html)
+ [s3-version-lifecycle-policy-check](./s3-version-lifecycle-policy-check.html)
+ [sagemaker-app-image-config-tagged](./sagemaker-app-image-config-tagged.html)
+ [sagemaker-data-quality-job-encrypt-in-transit](./sagemaker-data-quality-job-encrypt-in-transit.html)
+ [sagemaker-data-quality-job-isolation](./sagemaker-data-quality-job-isolation.html)
+ [sagemaker-domain-in-vpc](./sagemaker-domain-in-vpc.html)
+ [sagemaker-domain-tagged](./sagemaker-domain-tagged.html)
+ [sagemaker-endpoint-configuration-kms-key-configured](./sagemaker-endpoint-configuration-kms-key-configured.html)
+ [sagemaker-endpoint-config-prod-instance-count](./sagemaker-endpoint-config-prod-instance-count.html)
+ [sagemaker-featuregroup-description](./sagemaker-featuregroup-description.html)
+ [sagemaker-featuregroup-encryption-at-rest](./sagemaker-featuregroup-encryption-at-rest.html)
+ [sagemaker-feature-group-tagged](./sagemaker-feature-group-tagged.html)
+ [sagemaker-image-description](./sagemaker-image-description.html)
+ [sagemaker-image-tagged](./sagemaker-image-tagged.html)
+ [sagemaker-inferenceexperiment-tagged](./sagemaker-inferenceexperiment-tagged.html)
+ [sagemaker-model-bias-job-encrypt-in-transit](./sagemaker-model-bias-job-encrypt-in-transit.html)
+ [sagemaker-model-bias-job-isolation](./sagemaker-model-bias-job-isolation.html)
+ [sagemaker-model-explainability-job-encrypt-in-transit](./sagemaker-model-explainability-job-encrypt-in-transit.html)
+ [sagemaker-model-in-vpc](./sagemaker-model-in-vpc.html)
+ [sagemaker-model-isolation-enabled](./sagemaker-model-isolation-enabled.html)
+ [sagemaker-model-private-registry-required](./sagemaker-model-private-registry-required.html)
+ [sagemaker-model-quality-job-encrypt-in-transit](./sagemaker-model-quality-job-encrypt-in-transit.html)
+ [sagemaker-monitoring-schedule-isolation](./sagemaker-monitoring-schedule-isolation.html)
+ [sagemaker-notebook-instance-inside-vpc](./sagemaker-notebook-instance-inside-vpc.html)
+ [sagemaker-notebook-instance-kms-key-configured](./sagemaker-notebook-instance-kms-key-configured.html)
+ [sagemaker-notebook-instance-platform-version](./sagemaker-notebook-instance-platform-version.html)
+ [sagemaker-notebook-instance-root-access-check](./sagemaker-notebook-instance-root-access-check.html)
+ [sagemaker-notebook-no-direct-internet-access](./sagemaker-notebook-no-direct-internet-access.html)
+ [secretsmanager-rotation-enabled-check](./secretsmanager-rotation-enabled-check.html)
+ [secretsmanager-scheduled-rotation-success-check](./secretsmanager-scheduled-rotation-success-check.html)
+ [secretsmanager-secret-periodic-rotation](./secretsmanager-secret-periodic-rotation.html)
+ [secretsmanager-secret-unused](./secretsmanager-secret-unused.html)
+ [secretsmanager-using-cmk](./secretsmanager-using-cmk.html)
+ [securityhub-enabled](./securityhub-enabled.html)
+ [security-account-information-provided](./security-account-information-provided.html)
+ [service-catalog-portfolio-tagged](./service-catalog-portfolio-tagged.html)
+ [service-catalog-shared-within-organization](./service-catalog-shared-within-organization.html)
+ [service-vpc-endpoint-enabled](./service-vpc-endpoint-enabled.html)
+ [ses-sending-tls-required](./ses-sending-tls-required.html)
+ [signer-signingprofile-tagged](./signer-signingprofile-tagged.html)
+ [sns-encrypted-kms](./sns-encrypted-kms.html)
+ [sns-topic-message-delivery-notification-enabled](./sns-topic-message-delivery-notification-enabled.html)
+ [sns-topic-no-public-access](./sns-topic-no-public-access.html)
+ [sqs-queue-dlq-check](./sqs-queue-dlq-check.html)
+ [sqs-queue-no-public-access](./sqs-queue-no-public-access.html)
+ [sqs-queue-policy-full-access-check](./sqs-queue-policy-full-access-check.html)
+ [ssm-automation-block-public-sharing](./ssm-automation-block-public-sharing.html)
+ [ssm-automation-logging-enabled](./ssm-automation-logging-enabled.html)
+ [ssm-document-not-public](./ssm-document-not-public.html)
+ [ssm-document-tagged](./ssm-document-tagged.html)
+ [stepfunctions-state-machine-tagged](./stepfunctions-state-machine-tagged.html)
+ [step-functions-state-machine-logging-enabled](./step-functions-state-machine-logging-enabled.html)
+ [storagegateway-last-backup-recovery-point-created](./storagegateway-last-backup-recovery-point-created.html)
+ [storagegateway-resources-in-logically-air-gapped-vault](./storagegateway-resources-in-logically-air-gapped-vault.html)
+ [storagegateway-resources-protected-by-backup-plan](./storagegateway-resources-protected-by-backup-plan.html)
+ [subnet-auto-assign-public-ip-disabled](./subnet-auto-assign-public-ip-disabled.html)
+ [transfer-agreement-description](./transfer-agreement-description.html)
+ [transfer-agreement-tagged](./transfer-agreement-tagged.html)
+ [transfer-certificate-description](./transfer-certificate-description.html)
+ [transfer-certificate-tagged](./transfer-certificate-tagged.html)
+ [transfer-connector-as2-encryption-algorithm-check](./transfer-connector-as2-encryption-algorithm-check.html)
+ [transfer-connector-as2-mdn-signing-algorithm-check](./transfer-connector-as2-mdn-signing-algorithm-check.html)
+ [transfer-connector-as2-signing-algorithm-check](./transfer-connector-as2-signing-algorithm-check.html)
+ [transfer-connector-logging-enabled](./transfer-connector-logging-enabled.html)
+ [transfer-connector-tagged](./transfer-connector-tagged.html)
+ [transfer-family-server-no-ftp](./transfer-family-server-no-ftp.html)
+ [transfer-profile-tagged](./transfer-profile-tagged.html)
+ [transfer-workflow-description](./transfer-workflow-description.html)
+ [transfer-workflow-tagged](./transfer-workflow-tagged.html)
+ [virtualmachine-last-backup-recovery-point-created](./virtualmachine-last-backup-recovery-point-created.html)
+ [virtualmachine-resources-in-logically-air-gapped-vault](./virtualmachine-resources-in-logically-air-gapped-vault.html)
+ [virtualmachine-resources-protected-by-backup-plan](./virtualmachine-resources-protected-by-backup-plan.html)
+ [vpc-default-security-group-closed](./vpc-default-security-group-closed.html)
+ [vpc-endpoint-enabled](./vpc-endpoint-enabled.html)
+ [vpc-flow-logs-enabled](./vpc-flow-logs-enabled.html)
+ [vpc-network-acl-unused-check](./vpc-network-acl-unused-check.html)
+ [vpc-peering-dns-resolution-check](./vpc-peering-dns-resolution-check.html)
+ [vpc-sg-open-only-to-authorized-ports](./vpc-sg-open-only-to-authorized-ports.html)
+ [vpc-sg-port-restriction-check](./vpc-sg-port-restriction-check.html)
+ [vpc-vpn-2-tunnels-up](./vpc-vpn-2-tunnels-up.html)
+ [wafv2-logging-enabled](./wafv2-logging-enabled.html)
+ [wafv2-rulegroup-logging-enabled](./wafv2-rulegroup-logging-enabled.html)
+ [wafv2-rulegroup-not-empty](./wafv2-rulegroup-not-empty.html)
+ [wafv2-webacl-not-empty](./wafv2-webacl-not-empty.html)
+ [waf-global-rulegroup-not-empty](./waf-global-rulegroup-not-empty.html)
+ [waf-global-rule-not-empty](./waf-global-rule-not-empty.html)
+ [waf-regional-rulegroup-not-empty](./waf-regional-rulegroup-not-empty.html)
+ [waf-regional-rule-not-empty](./waf-regional-rule-not-empty.html)
+ [waf-regional-webacl-not-empty](./waf-regional-webacl-not-empty.html)
+ [workspaces-root-volume-encryption-enabled](./workspaces-root-volume-encryption-enabled.html)
+ [workspaces-user-volume-encryption-enabled](./workspaces-user-volume-encryption-enabled.html)
+ [workspaces-workspace-tagged](./workspaces-workspace-tagged.html)

## Asia Pacific (Osaka) Region
<a name="asia-pacific-osaka-section-head"></a>

### Asia Pacific (Osaka)
<a name="asia-pacific-osaka"></a>
+ [access-keys-rotated](./access-keys-rotated.html)
+ [account-part-of-organizations](./account-part-of-organizations.html)
+ [acmpca-certificate-authority-tagged](./acmpca-certificate-authority-tagged.html)
+ [acm-certificate-expiration-check](./acm-certificate-expiration-check.html)
+ [acm-certificate-rsa-check](./acm-certificate-rsa-check.html)
+ [acm-certificate-transparent-logging-enabled](./acm-certificate-transparent-logging-enabled.html)
+ [acm-pca-root-ca-disabled](./acm-pca-root-ca-disabled.html)
+ [active-mq-supported-version](./active-mq-supported-version.html)
+ [alb-desync-mode-check](./alb-desync-mode-check.html)
+ [alb-http-to-https-redirection-check](./alb-http-to-https-redirection-check.html)
+ [alb-internal-scheme-check](./alb-internal-scheme-check.html)
+ [alb-listener-tagged](./alb-listener-tagged.html)
+ [alb-tagged](./alb-tagged.html)
+ [alb-waf-enabled](./alb-waf-enabled.html)
+ [amplify-app-branch-auto-deletion-enabled](./amplify-app-branch-auto-deletion-enabled.html)
+ [amplify-app-build-spec-configured](./amplify-app-build-spec-configured.html)
+ [amplify-app-description](./amplify-app-description.html)
+ [amplify-app-no-environment-variables](./amplify-app-no-environment-variables.html)
+ [amplify-app-platform-check](./amplify-app-platform-check.html)
+ [amplify-app-tagged](./amplify-app-tagged.html)
+ [amplify-branch-auto-build-enabled](./amplify-branch-auto-build-enabled.html)
+ [amplify-branch-build-spec-configured](./amplify-branch-build-spec-configured.html)
+ [amplify-branch-description](./amplify-branch-description.html)
+ [amplify-branch-framework-configured](./amplify-branch-framework-configured.html)
+ [amplify-branch-performance-mode-enabled](./amplify-branch-performance-mode-enabled.html)
+ [amplify-branch-pull-request-preview-enabled](./amplify-branch-pull-request-preview-enabled.html)
+ [amplify-branch-tagged](./amplify-branch-tagged.html)
+ [apigatewayv2-integration-private-https-enabled](./apigatewayv2-integration-private-https-enabled.html)
+ [apigatewayv2-stage-description](./apigatewayv2-stage-description.html)
+ [apigateway-domain-name-tls-check](./apigateway-domain-name-tls-check.html)
+ [apigateway-stage-access-logs-enabled](./apigateway-stage-access-logs-enabled.html)
+ [apigateway-stage-description](./apigateway-stage-description.html)
+ [api-gwv2-access-logs-enabled](./api-gwv2-access-logs-enabled.html)
+ [api-gwv2-authorization-type-configured](./api-gwv2-authorization-type-configured.html)
+ [api-gwv2-stage-default-route-detailed-metrics-enabled](./api-gwv2-stage-default-route-detailed-metrics-enabled.html)
+ [api-gw-associated-with-waf](./api-gw-associated-with-waf.html)
+ [api-gw-cache-enabled-and-encrypted](./api-gw-cache-enabled-and-encrypted.html)
+ [api-gw-endpoint-type-check](./api-gw-endpoint-type-check.html)
+ [api-gw-execution-logging-enabled](./api-gw-execution-logging-enabled.html)
+ [api-gw-rest-api-tagged](./api-gw-rest-api-tagged.html)
+ [api-gw-ssl-enabled](./api-gw-ssl-enabled.html)
+ [api-gw-stage-tagged](./api-gw-stage-tagged.html)
+ [api-gw-xray-enabled](./api-gw-xray-enabled.html)
+ [appconfig-application-description](./appconfig-application-description.html)
+ [appconfig-application-tagged](./appconfig-application-tagged.html)
+ [appconfig-configuration-profile-tagged](./appconfig-configuration-profile-tagged.html)
+ [appconfig-configuration-profile-validators-not-empty](./appconfig-configuration-profile-validators-not-empty.html)
+ [appconfig-deployment-strategy-description](./appconfig-deployment-strategy-description.html)
+ [appconfig-deployment-strategy-minimum-final-bake-time](./appconfig-deployment-strategy-minimum-final-bake-time.html)
+ [appconfig-deployment-strategy-replicate-to-ssm](./appconfig-deployment-strategy-replicate-to-ssm.html)
+ [appconfig-deployment-strategy-tagged](./appconfig-deployment-strategy-tagged.html)
+ [appconfig-environment-description](./appconfig-environment-description.html)
+ [appconfig-environment-tagged](./appconfig-environment-tagged.html)
+ [appconfig-extension-association-tagged](./appconfig-extension-association-tagged.html)
+ [appconfig-freeform-profile-config-storage](./appconfig-freeform-profile-config-storage.html)
+ [appconfig-hosted-configuration-version-description](./appconfig-hosted-configuration-version-description.html)
+ [appmesh-gateway-route-tagged](./appmesh-gateway-route-tagged.html)
+ [appmesh-mesh-deny-tcp-forwarding](./appmesh-mesh-deny-tcp-forwarding.html)
+ [appmesh-mesh-ip-pref-check](./appmesh-mesh-ip-pref-check.html)
+ [appmesh-mesh-tagged](./appmesh-mesh-tagged.html)
+ [appmesh-route-tagged](./appmesh-route-tagged.html)
+ [appmesh-virtual-gateway-backend-defaults-tls](./appmesh-virtual-gateway-backend-defaults-tls.html)
+ [appmesh-virtual-gateway-listeners-health-check-enabled](./appmesh-virtual-gateway-listeners-health-check-enabled.html)
+ [appmesh-virtual-gateway-logging-file-path-exists](./appmesh-virtual-gateway-logging-file-path-exists.html)
+ [appmesh-virtual-gateway-tagged](./appmesh-virtual-gateway-tagged.html)
+ [appmesh-virtual-node-backend-defaults-tls-on](./appmesh-virtual-node-backend-defaults-tls-on.html)
+ [appmesh-virtual-node-cloud-map-ip-pref-check](./appmesh-virtual-node-cloud-map-ip-pref-check.html)
+ [appmesh-virtual-node-dns-ip-pref-check](./appmesh-virtual-node-dns-ip-pref-check.html)
+ [appmesh-virtual-node-listeners-health-check-enabled](./appmesh-virtual-node-listeners-health-check-enabled.html)
+ [appmesh-virtual-node-listeners-outlier-detect-enabled](./appmesh-virtual-node-listeners-outlier-detect-enabled.html)
+ [appmesh-virtual-node-logging-file-path-exists](./appmesh-virtual-node-logging-file-path-exists.html)
+ [appmesh-virtual-node-service-backends-tls-enforced](./appmesh-virtual-node-service-backends-tls-enforced.html)
+ [appmesh-virtual-node-tagged](./appmesh-virtual-node-tagged.html)
+ [appmesh-virtual-router-tagged](./appmesh-virtual-router-tagged.html)
+ [appmesh-virtual-service-tagged](./appmesh-virtual-service-tagged.html)
+ [approved-amis-by-id](./approved-amis-by-id.html)
+ [approved-amis-by-tag](./approved-amis-by-tag.html)
+ [appsync-associated-with-waf](./appsync-associated-with-waf.html)
+ [appsync-authorization-check](./appsync-authorization-check.html)
+ [appsync-cache-encryption-at-rest](./appsync-cache-encryption-at-rest.html)
+ [appsync-graphql-api-xray-enabled](./appsync-graphql-api-xray-enabled.html)
+ [appsync-logging-enabled](./appsync-logging-enabled.html)
+ [athena-data-catalog-description](./athena-data-catalog-description.html)
+ [athena-prepared-statement-description](./athena-prepared-statement-description.html)
+ [athena-workgroup-description](./athena-workgroup-description.html)
+ [athena-workgroup-encrypted-at-rest](./athena-workgroup-encrypted-at-rest.html)
+ [athena-workgroup-enforce-workgroup-configuration](./athena-workgroup-enforce-workgroup-configuration.html)
+ [athena-workgroup-engine-version-auto-upgrade](./athena-workgroup-engine-version-auto-upgrade.html)
+ [athena-workgroup-logging-enabled](./athena-workgroup-logging-enabled.html)
+ [aurora-global-database-encryption-at-rest](./aurora-global-database-encryption-at-rest.html)
+ [aurora-last-backup-recovery-point-created](./aurora-last-backup-recovery-point-created.html)
+ [aurora-meets-restore-time-target](./aurora-meets-restore-time-target.html)
+ [aurora-mysql-backtracking-enabled](./aurora-mysql-backtracking-enabled.html)
+ [aurora-mysql-cluster-audit-logging](./aurora-mysql-cluster-audit-logging.html)
+ [aurora-resources-in-logically-air-gapped-vault](./aurora-resources-in-logically-air-gapped-vault.html)
+ [aurora-resources-protected-by-backup-plan](./aurora-resources-protected-by-backup-plan.html)
+ [autoscaling-capacity-rebalancing](./autoscaling-capacity-rebalancing.html)
+ [autoscaling-group-elb-healthcheck-required](./autoscaling-group-elb-healthcheck-required.html)
+ [autoscaling-launchconfig-requires-imdsv2](./autoscaling-launchconfig-requires-imdsv2.html)
+ [autoscaling-launch-config-hop-limit](./autoscaling-launch-config-hop-limit.html)
+ [autoscaling-launch-config-public-ip-disabled](./autoscaling-launch-config-public-ip-disabled.html)
+ [autoscaling-launch-template](./autoscaling-launch-template.html)
+ [autoscaling-multiple-az](./autoscaling-multiple-az.html)
+ [autoscaling-multiple-instance-types](./autoscaling-multiple-instance-types.html)
+ [backup-plan-min-frequency-and-min-retention-check](./backup-plan-min-frequency-and-min-retention-check.html)
+ [backup-recovery-point-encrypted](./backup-recovery-point-encrypted.html)
+ [backup-recovery-point-manual-deletion-disabled](./backup-recovery-point-manual-deletion-disabled.html)
+ [backup-recovery-point-minimum-retention-check](./backup-recovery-point-minimum-retention-check.html)
+ [batch-compute-environment-enabled](./batch-compute-environment-enabled.html)
+ [batch-compute-environment-managed](./batch-compute-environment-managed.html)
+ [batch-compute-environment-tagged](./batch-compute-environment-tagged.html)
+ [batch-job-queue-enabled](./batch-job-queue-enabled.html)
+ [batch-job-queue-tagged](./batch-job-queue-tagged.html)
+ [batch-managed-compute-environment-using-launch-template](./batch-managed-compute-environment-using-launch-template.html)
+ [batch-managed-compute-env-allocation-strategy-check](./batch-managed-compute-env-allocation-strategy-check.html)
+ [batch-managed-compute-env-compute-resources-tagged](./batch-managed-compute-env-compute-resources-tagged.html)
+ [batch-managed-spot-compute-environment-max-bid](./batch-managed-spot-compute-environment-max-bid.html)
+ [batch-scheduling-policy-tagged](./batch-scheduling-policy-tagged.html)
+ [beanstalk-enhanced-health-reporting-enabled](./beanstalk-enhanced-health-reporting-enabled.html)
+ [clb-desync-mode-check](./clb-desync-mode-check.html)
+ [clb-multiple-az](./clb-multiple-az.html)
+ [cloudformation-stack-drift-detection-check](./cloudformation-stack-drift-detection-check.html)
+ [cloudformation-stack-notification-check](./cloudformation-stack-notification-check.html)
+ [cloudformation-stack-service-role-check](./cloudformation-stack-service-role-check.html)
+ [cloudformation-termination-protection-check](./cloudformation-termination-protection-check.html)
+ [cloudtrail-all-read-s3-data-event-check](./cloudtrail-all-read-s3-data-event-check.html)
+ [cloudtrail-all-write-s3-data-event-check](./cloudtrail-all-write-s3-data-event-check.html)
+ [cloudtrail-event-data-store-multi-region](./cloudtrail-event-data-store-multi-region.html)
+ [cloudtrail-s3-bucket-access-logging](./cloudtrail-s3-bucket-access-logging.html)
+ [cloudtrail-s3-bucket-public-access-prohibited](./cloudtrail-s3-bucket-public-access-prohibited.html)
+ [cloudtrail-s3-dataevents-enabled](./cloudtrail-s3-dataevents-enabled.html)
+ [cloudtrail-security-trail-enabled](./cloudtrail-security-trail-enabled.html)
+ [cloudwatch-alarm-action-check](./cloudwatch-alarm-action-check.html)
+ [cloudwatch-alarm-action-enabled-check](./cloudwatch-alarm-action-enabled-check.html)
+ [cloudwatch-alarm-description](./cloudwatch-alarm-description.html)
+ [cloudwatch-alarm-resource-check](./cloudwatch-alarm-resource-check.html)
+ [cloudwatch-alarm-settings-check](./cloudwatch-alarm-settings-check.html)
+ [cloudwatch-log-group-encrypted](./cloudwatch-log-group-encrypted.html)
+ [cloudwatch-metric-stream-tagged](./cloudwatch-metric-stream-tagged.html)
+ [cloud-trail-cloud-watch-logs-enabled](./cloud-trail-cloud-watch-logs-enabled.html)
+ [cloud-trail-enabled](./cloud-trail-enabled.html)
+ [cloud-trail-encryption-enabled](./cloud-trail-encryption-enabled.html)
+ [cloud-trail-log-file-validation-enabled](./cloud-trail-log-file-validation-enabled.html)
+ [cmk-backing-key-rotation-enabled](./cmk-backing-key-rotation-enabled.html)
+ [codebuild-project-envvar-awscred-check](./codebuild-project-envvar-awscred-check.html)
+ [codebuild-project-logging-enabled](./codebuild-project-logging-enabled.html)
+ [codebuild-project-s3-logs-encrypted](./codebuild-project-s3-logs-encrypted.html)
+ [codebuild-project-source-repo-url-check](./codebuild-project-source-repo-url-check.html)
+ [codebuild-project-tagged](./codebuild-project-tagged.html)
+ [codebuild-report-group-encrypted-at-rest](./codebuild-report-group-encrypted-at-rest.html)
+ [codebuild-report-group-tagged](./codebuild-report-group-tagged.html)
+ [codedeploy-auto-rollback-monitor-enabled](./codedeploy-auto-rollback-monitor-enabled.html)
+ [codedeploy-deployment-group-auto-rollback-enabled](./codedeploy-deployment-group-auto-rollback-enabled.html)
+ [codedeploy-deployment-group-outdated-instances-update](./codedeploy-deployment-group-outdated-instances-update.html)
+ [codedeploy-ec2-minimum-healthy-hosts-configured](./codedeploy-ec2-minimum-healthy-hosts-configured.html)
+ [codedeploy-lambda-allatonce-traffic-shift-disabled](./codedeploy-lambda-allatonce-traffic-shift-disabled.html)
+ [cognito-identity-pool-unauthenticated-logins](./cognito-identity-pool-unauthenticated-logins.html)
+ [cognito-identity-pool-unauth-access-check](./cognito-identity-pool-unauth-access-check.html)
+ [cognito-userpool-cust-auth-threat-full-check](./cognito-userpool-cust-auth-threat-full-check.html)
+ [cognito-user-pool-advanced-security-enabled](./cognito-user-pool-advanced-security-enabled.html)
+ [cognito-user-pool-deletion-protection-enabled](./cognito-user-pool-deletion-protection-enabled.html)
+ [cognito-user-pool-mfa-enabled](./cognito-user-pool-mfa-enabled.html)
+ [cognito-user-pool-password-policy-check](./cognito-user-pool-password-policy-check.html)
+ [cognito-user-pool-tagged](./cognito-user-pool-tagged.html)
+ [custom-eventbus-policy-attached](./custom-eventbus-policy-attached.html)
+ [cw-loggroup-retention-period-check](./cw-loggroup-retention-period-check.html)
+ [datasync-location-object-storage-using-https](./datasync-location-object-storage-using-https.html)
+ [datasync-task-data-verification-enabled](./datasync-task-data-verification-enabled.html)
+ [datasync-task-logging-enabled](./datasync-task-logging-enabled.html)
+ [datasync-task-tagged](./datasync-task-tagged.html)
+ [db-instance-backup-enabled](./db-instance-backup-enabled.html)
+ [desired-instance-tenancy](./desired-instance-tenancy.html)
+ [desired-instance-type](./desired-instance-type.html)
+ [dms-auto-minor-version-upgrade-check](./dms-auto-minor-version-upgrade-check.html)
+ [dms-endpoint-ssl-configured](./dms-endpoint-ssl-configured.html)
+ [dms-endpoint-tagged](./dms-endpoint-tagged.html)
+ [dms-mongo-db-authentication-enabled](./dms-mongo-db-authentication-enabled.html)
+ [dms-redis-tls-enabled](./dms-redis-tls-enabled.html)
+ [dms-replication-instance-multi-az-enabled](./dms-replication-instance-multi-az-enabled.html)
+ [dms-replication-not-public](./dms-replication-not-public.html)
+ [dms-replication-task-sourcedb-logging](./dms-replication-task-sourcedb-logging.html)
+ [dms-replication-task-tagged](./dms-replication-task-tagged.html)
+ [dms-replication-task-targetdb-logging](./dms-replication-task-targetdb-logging.html)
+ [dynamodb-autoscaling-enabled](./dynamodb-autoscaling-enabled.html)
+ [dynamodb-in-backup-plan](./dynamodb-in-backup-plan.html)
+ [dynamodb-last-backup-recovery-point-created](./dynamodb-last-backup-recovery-point-created.html)
+ [dynamodb-meets-restore-time-target](./dynamodb-meets-restore-time-target.html)
+ [dynamodb-pitr-enabled](./dynamodb-pitr-enabled.html)
+ [dynamodb-resources-protected-by-backup-plan](./dynamodb-resources-protected-by-backup-plan.html)
+ [dynamodb-table-deletion-protection-enabled](./dynamodb-table-deletion-protection-enabled.html)
+ [dynamodb-table-encrypted-kms](./dynamodb-table-encrypted-kms.html)
+ [dynamodb-throughput-limit-check](./dynamodb-throughput-limit-check.html)
+ [ebs-in-backup-plan](./ebs-in-backup-plan.html)
+ [ebs-last-backup-recovery-point-created](./ebs-last-backup-recovery-point-created.html)
+ [ebs-meets-restore-time-target](./ebs-meets-restore-time-target.html)
+ [ebs-optimized-instance](./ebs-optimized-instance.html)
+ [ebs-resources-in-logically-air-gapped-vault](./ebs-resources-in-logically-air-gapped-vault.html)
+ [ebs-resources-protected-by-backup-plan](./ebs-resources-protected-by-backup-plan.html)
+ [ebs-snapshot-block-public-access](./ebs-snapshot-block-public-access.html)
+ [ebs-snapshot-public-restorable-check](./ebs-snapshot-public-restorable-check.html)
+ [ec2-capacity-reservation-tagged](./ec2-capacity-reservation-tagged.html)
+ [ec2-client-vpn-connection-log-enabled](./ec2-client-vpn-connection-log-enabled.html)
+ [ec2-client-vpn-endpoint-tagged](./ec2-client-vpn-endpoint-tagged.html)
+ [ec2-dhcp-options-tagged](./ec2-dhcp-options-tagged.html)
+ [ec2-ebs-encryption-by-default](./ec2-ebs-encryption-by-default.html)
+ [ec2-enis-source-destination-check-enabled](./ec2-enis-source-destination-check-enabled.html)
+ [ec2-fleet-tagged](./ec2-fleet-tagged.html)
+ [ec2-imdsv2-check](./ec2-imdsv2-check.html)
+ [ec2-instance-detailed-monitoring-enabled](./ec2-instance-detailed-monitoring-enabled.html)
+ [ec2-instance-launched-with-allowed-ami](./ec2-instance-launched-with-allowed-ami.html)
+ [ec2-instance-managed-by-ssm](./ec2-instance-managed-by-ssm.html)
+ [ec2-instance-multiple-eni-check](./ec2-instance-multiple-eni-check.html)
+ [ec2-instance-no-public-ip](./ec2-instance-no-public-ip.html)
+ [ec2-instance-profile-attached](./ec2-instance-profile-attached.html)
+ [ec2-ipamscope-tagged](./ec2-ipamscope-tagged.html)
+ [ec2-last-backup-recovery-point-created](./ec2-last-backup-recovery-point-created.html)
+ [ec2-launchtemplate-ebs-encrypted](./ec2-launchtemplate-ebs-encrypted.html)
+ [ec2-launch-templates-ebs-volume-encrypted](./ec2-launch-templates-ebs-volume-encrypted.html)
+ [ec2-launch-template-imdsv2-check](./ec2-launch-template-imdsv2-check.html)
+ [ec2-launch-template-public-ip-disabled](./ec2-launch-template-public-ip-disabled.html)
+ [ec2-launch-template-tagged](./ec2-launch-template-tagged.html)
+ [ec2-managedinstance-applications-blacklisted](./ec2-managedinstance-applications-blacklisted.html)
+ [ec2-managedinstance-applications-required](./ec2-managedinstance-applications-required.html)
+ [ec2-managedinstance-inventory-blacklisted](./ec2-managedinstance-inventory-blacklisted.html)
+ [ec2-managedinstance-platform-check](./ec2-managedinstance-platform-check.html)
+ [ec2-meets-restore-time-target](./ec2-meets-restore-time-target.html)
+ [ec2-network-insights-access-scope-analysis-tagged](./ec2-network-insights-access-scope-analysis-tagged.html)
+ [ec2-network-insights-access-scope-tagged](./ec2-network-insights-access-scope-tagged.html)
+ [ec2-network-insights-path-tagged](./ec2-network-insights-path-tagged.html)
+ [ec2-no-amazon-key-pair](./ec2-no-amazon-key-pair.html)
+ [ec2-prefix-list-tagged](./ec2-prefix-list-tagged.html)
+ [ec2-resources-in-logically-air-gapped-vault](./ec2-resources-in-logically-air-gapped-vault.html)
+ [ec2-resources-protected-by-backup-plan](./ec2-resources-protected-by-backup-plan.html)
+ [ec2-security-group-attached-to-eni](./ec2-security-group-attached-to-eni.html)
+ [ec2-spot-fleet-request-ct-encryption-at-rest](./ec2-spot-fleet-request-ct-encryption-at-rest.html)
+ [ec2-stopped-instance](./ec2-stopped-instance.html)
+ [ec2-token-hop-limit-check](./ec2-token-hop-limit-check.html)
+ [ec2-traffic-mirror-filter-description](./ec2-traffic-mirror-filter-description.html)
+ [ec2-traffic-mirror-filter-tagged](./ec2-traffic-mirror-filter-tagged.html)
+ [ec2-traffic-mirror-session-description](./ec2-traffic-mirror-session-description.html)
+ [ec2-traffic-mirror-session-tagged](./ec2-traffic-mirror-session-tagged.html)
+ [ec2-traffic-mirror-target-description](./ec2-traffic-mirror-target-description.html)
+ [ec2-traffic-mirror-target-tagged](./ec2-traffic-mirror-target-tagged.html)
+ [ec2-transit-gateway-multicast-domain-tagged](./ec2-transit-gateway-multicast-domain-tagged.html)
+ [ec2-volume-inuse-check](./ec2-volume-inuse-check.html)
+ [ec2-vpn-connection-ike-version-check](./ec2-vpn-connection-ike-version-check.html)
+ [ec2-vpn-connection-logging-enabled](./ec2-vpn-connection-logging-enabled.html)
+ [ec2-vpn-connection-tagged](./ec2-vpn-connection-tagged.html)
+ [ecr-private-image-scanning-enabled](./ecr-private-image-scanning-enabled.html)
+ [ecr-private-lifecycle-policy-configured](./ecr-private-lifecycle-policy-configured.html)
+ [ecr-private-tag-immutability-enabled](./ecr-private-tag-immutability-enabled.html)
+ [ecr-repository-cmk-encryption-enabled](./ecr-repository-cmk-encryption-enabled.html)
+ [ecr-repository-tagged](./ecr-repository-tagged.html)
+ [ecs-capacity-provider-tagged](./ecs-capacity-provider-tagged.html)
+ [ecs-capacity-provider-termination-check](./ecs-capacity-provider-termination-check.html)
+ [ecs-containers-nonprivileged](./ecs-containers-nonprivileged.html)
+ [ecs-containers-readonly-access](./ecs-containers-readonly-access.html)
+ [ecs-container-insights-enabled](./ecs-container-insights-enabled.html)
+ [ecs-fargate-latest-platform-version](./ecs-fargate-latest-platform-version.html)
+ [ecs-no-environment-secrets](./ecs-no-environment-secrets.html)
+ [ecs-service-propagate-tags-enabled](./ecs-service-propagate-tags-enabled.html)
+ [ecs-task-definition-efs-encryption-enabled](./ecs-task-definition-efs-encryption-enabled.html)
+ [ecs-task-definition-linux-user-non-root](./ecs-task-definition-linux-user-non-root.html)
+ [ecs-task-definition-log-configuration](./ecs-task-definition-log-configuration.html)
+ [ecs-task-definition-network-mode-not-host](./ecs-task-definition-network-mode-not-host.html)
+ [ecs-task-definition-pid-mode-check](./ecs-task-definition-pid-mode-check.html)
+ [ecs-task-definition-user-for-host-mode-check](./ecs-task-definition-user-for-host-mode-check.html)
+ [ecs-task-definition-windows-user-non-admin](./ecs-task-definition-windows-user-non-admin.html)
+ [efs-access-point-enforce-root-directory](./efs-access-point-enforce-root-directory.html)
+ [efs-access-point-enforce-user-identity](./efs-access-point-enforce-user-identity.html)
+ [efs-automatic-backups-enabled](./efs-automatic-backups-enabled.html)
+ [efs-encrypted-check](./efs-encrypted-check.html)
+ [efs-filesystem-ct-encrypted](./efs-filesystem-ct-encrypted.html)
+ [efs-file-system-tagged](./efs-file-system-tagged.html)
+ [efs-in-backup-plan](./efs-in-backup-plan.html)
+ [efs-last-backup-recovery-point-created](./efs-last-backup-recovery-point-created.html)
+ [efs-meets-restore-time-target](./efs-meets-restore-time-target.html)
+ [efs-mount-target-public-accessible](./efs-mount-target-public-accessible.html)
+ [efs-resources-in-logically-air-gapped-vault](./efs-resources-in-logically-air-gapped-vault.html)
+ [efs-resources-protected-by-backup-plan](./efs-resources-protected-by-backup-plan.html)
+ [eip-attached](./eip-attached.html)
+ [eks-addon-tagged](./eks-addon-tagged.html)
+ [eks-cluster-logging-enabled](./eks-cluster-logging-enabled.html)
+ [eks-cluster-log-enabled](./eks-cluster-log-enabled.html)
+ [eks-cluster-secrets-encrypted](./eks-cluster-secrets-encrypted.html)
+ [eks-cluster-supported-version](./eks-cluster-supported-version.html)
+ [eks-endpoint-no-public-access](./eks-endpoint-no-public-access.html)
+ [eks-fargate-profile-tagged](./eks-fargate-profile-tagged.html)
+ [eks-nodegroup-supported-version-check](./eks-nodegroup-supported-version-check.html)
+ [eks-secrets-encrypted](./eks-secrets-encrypted.html)
+ [elasticache-automatic-backup-check-enabled](./elasticache-automatic-backup-check-enabled.html)
+ [elasticache-auto-minor-version-upgrade-check](./elasticache-auto-minor-version-upgrade-check.html)
+ [elasticache-rbac-auth-enabled](./elasticache-rbac-auth-enabled.html)
+ [elasticache-redis-cluster-automatic-backup-check](./elasticache-redis-cluster-automatic-backup-check.html)
+ [elasticache-repl-grp-auto-failover-enabled](./elasticache-repl-grp-auto-failover-enabled.html)
+ [elasticache-repl-grp-encrypted-at-rest](./elasticache-repl-grp-encrypted-at-rest.html)
+ [elasticache-repl-grp-encrypted-in-transit](./elasticache-repl-grp-encrypted-in-transit.html)
+ [elasticache-repl-grp-redis-auth-enabled](./elasticache-repl-grp-redis-auth-enabled.html)
+ [elasticache-supported-engine-version](./elasticache-supported-engine-version.html)
+ [elasticbeanstalk-application-description](./elasticbeanstalk-application-description.html)
+ [elasticbeanstalk-application-version-description](./elasticbeanstalk-application-version-description.html)
+ [elasticbeanstalk-environment-description](./elasticbeanstalk-environment-description.html)
+ [elasticsearch-encrypted-at-rest](./elasticsearch-encrypted-at-rest.html)
+ [elasticsearch-in-vpc-only](./elasticsearch-in-vpc-only.html)
+ [elasticsearch-logs-to-cloudwatch](./elasticsearch-logs-to-cloudwatch.html)
+ [elasticsearch-node-to-node-encryption-check](./elasticsearch-node-to-node-encryption-check.html)
+ [elastic-beanstalk-logs-to-cloudwatch](./elastic-beanstalk-logs-to-cloudwatch.html)
+ [elastic-beanstalk-managed-updates-enabled](./elastic-beanstalk-managed-updates-enabled.html)
+ [elbv2-listener-encryption-in-transit](./elbv2-listener-encryption-in-transit.html)
+ [elbv2-multiple-az](./elbv2-multiple-az.html)
+ [elbv2-predefined-security-policy-ssl-check](./elbv2-predefined-security-policy-ssl-check.html)
+ [elbv2-targetgroup-healthcheck-protocol-encrypted](./elbv2-targetgroup-healthcheck-protocol-encrypted.html)
+ [elbv2-targetgroup-protocol-encrypted](./elbv2-targetgroup-protocol-encrypted.html)
+ [elb-cross-zone-load-balancing-enabled](./elb-cross-zone-load-balancing-enabled.html)
+ [elb-custom-security-policy-ssl-check](./elb-custom-security-policy-ssl-check.html)
+ [elb-internal-scheme-check](./elb-internal-scheme-check.html)
+ [elb-logging-enabled](./elb-logging-enabled.html)
+ [elb-predefined-security-policy-ssl-check](./elb-predefined-security-policy-ssl-check.html)
+ [elb-tagged](./elb-tagged.html)
+ [elb-tls-https-listeners-only](./elb-tls-https-listeners-only.html)
+ [emr-block-public-access](./emr-block-public-access.html)
+ [emr-kerberos-enabled](./emr-kerberos-enabled.html)
+ [emr-master-no-public-ip](./emr-master-no-public-ip.html)
+ [emr-security-configuration-encryption-rest](./emr-security-configuration-encryption-rest.html)
+ [emr-security-configuration-encryption-transit](./emr-security-configuration-encryption-transit.html)
+ [encrypted-volumes](./encrypted-volumes.html)
+ [eventschemas-discoverer-tagged](./eventschemas-discoverer-tagged.html)
+ [eventschemas-registry-tagged](./eventschemas-registry-tagged.html)
+ [event-data-store-cmk-encryption-enabled](./event-data-store-cmk-encryption-enabled.html)
+ [fms-shield-resource-policy-check](./fms-shield-resource-policy-check.html)
+ [fms-webacl-resource-policy-check](./fms-webacl-resource-policy-check.html)
+ [fms-webacl-rulegroup-association-check](./fms-webacl-rulegroup-association-check.html)
+ [fsx-last-backup-recovery-point-created](./fsx-last-backup-recovery-point-created.html)
+ [fsx-lustre-copy-tags-to-backups](./fsx-lustre-copy-tags-to-backups.html)
+ [fsx-meets-restore-time-target](./fsx-meets-restore-time-target.html)
+ [fsx-ontap-deployment-type-check](./fsx-ontap-deployment-type-check.html)
+ [fsx-openzfs-copy-tags-enabled](./fsx-openzfs-copy-tags-enabled.html)
+ [fsx-openzfs-deployment-type-check](./fsx-openzfs-deployment-type-check.html)
+ [fsx-resources-protected-by-backup-plan](./fsx-resources-protected-by-backup-plan.html)
+ [fsx-windows-audit-log-configured](./fsx-windows-audit-log-configured.html)
+ [fsx-windows-deployment-type-check](./fsx-windows-deployment-type-check.html)
+ [glb-listener-tagged](./glb-listener-tagged.html)
+ [glb-tagged](./glb-tagged.html)
+ [global-endpoint-event-replication-enabled](./global-endpoint-event-replication-enabled.html)
+ [glue-job-logging-enabled](./glue-job-logging-enabled.html)
+ [glue-ml-transform-encrypted-at-rest](./glue-ml-transform-encrypted-at-rest.html)
+ [glue-ml-transform-tagged](./glue-ml-transform-tagged.html)
+ [glue-spark-job-supported-version](./glue-spark-job-supported-version.html)
+ [guardduty-ec2-protection-runtime-enabled](./guardduty-ec2-protection-runtime-enabled.html)
+ [guardduty-ecs-protection-runtime-enabled](./guardduty-ecs-protection-runtime-enabled.html)
+ [guardduty-eks-protection-audit-enabled](./guardduty-eks-protection-audit-enabled.html)
+ [guardduty-eks-protection-runtime-enabled](./guardduty-eks-protection-runtime-enabled.html)
+ [guardduty-enabled-centralized](./guardduty-enabled-centralized.html)
+ [guardduty-lambda-protection-enabled](./guardduty-lambda-protection-enabled.html)
+ [guardduty-malware-protection-enabled](./guardduty-malware-protection-enabled.html)
+ [guardduty-non-archived-findings](./guardduty-non-archived-findings.html)
+ [guardduty-rds-protection-enabled](./guardduty-rds-protection-enabled.html)
+ [guardduty-runtime-monitoring-enabled](./guardduty-runtime-monitoring-enabled.html)
+ [guardduty-s3-protection-enabled](./guardduty-s3-protection-enabled.html)
+ [iam-customer-policy-blocked-kms-actions](./iam-customer-policy-blocked-kms-actions.html)
+ [iam-external-access-analyzer-enabled](./iam-external-access-analyzer-enabled.html)
+ [iam-group-has-users-check](./iam-group-has-users-check.html)
+ [iam-inline-policy-blocked-kms-actions](./iam-inline-policy-blocked-kms-actions.html)
+ [iam-no-inline-policy-check](./iam-no-inline-policy-check.html)
+ [iam-password-policy](./iam-password-policy.html)
+ [iam-policy-blacklisted-check](./iam-policy-blacklisted-check.html)
+ [iam-policy-description](./iam-policy-description.html)
+ [iam-policy-in-use](./iam-policy-in-use.html)
+ [iam-policy-no-statements-with-admin-access](./iam-policy-no-statements-with-admin-access.html)
+ [iam-policy-no-statements-with-full-access](./iam-policy-no-statements-with-full-access.html)
+ [iam-role-managed-policy-check](./iam-role-managed-policy-check.html)
+ [iam-root-access-key-check](./iam-root-access-key-check.html)
+ [iam-user-group-membership-check](./iam-user-group-membership-check.html)
+ [iam-user-mfa-enabled](./iam-user-mfa-enabled.html)
+ [iam-user-no-policies-check](./iam-user-no-policies-check.html)
+ [iam-user-unused-credentials-check](./iam-user-unused-credentials-check.html)
+ [imagebuilder-distributionconfiguration-tagged](./imagebuilder-distributionconfiguration-tagged.html)
+ [imagebuilder-imagepipeline-tagged](./imagebuilder-imagepipeline-tagged.html)
+ [imagebuilder-imagerecipe-ebs-volumes-encrypted](./imagebuilder-imagerecipe-ebs-volumes-encrypted.html)
+ [imagebuilder-imagerecipe-tagged](./imagebuilder-imagerecipe-tagged.html)
+ [imagebuilder-infrastructureconfiguration-tagged](./imagebuilder-infrastructureconfiguration-tagged.html)
+ [incoming-ssh-disabled](./incoming-ssh-disabled.html)
+ [inspector-ec2-scan-enabled](./inspector-ec2-scan-enabled.html)
+ [inspector-ecr-scan-enabled](./inspector-ecr-scan-enabled.html)
+ [inspector-lambda-standard-scan-enabled](./inspector-lambda-standard-scan-enabled.html)
+ [instances-in-vpc](./instances-in-vpc.html)
+ [internet-gateway-authorized-vpc-only](./internet-gateway-authorized-vpc-only.html)
+ [kinesis-firehose-delivery-stream-encrypted](./kinesis-firehose-delivery-stream-encrypted.html)
+ [kinesis-stream-backup-retention-check](./kinesis-stream-backup-retention-check.html)
+ [kinesis-stream-encrypted](./kinesis-stream-encrypted.html)
+ [kms-cmk-not-scheduled-for-deletion](./kms-cmk-not-scheduled-for-deletion.html)
+ [kms-key-policy-no-public-access](./kms-key-policy-no-public-access.html)
+ [kms-key-tagged](./kms-key-tagged.html)
+ [lambda-concurrency-check](./lambda-concurrency-check.html)
+ [lambda-dlq-check](./lambda-dlq-check.html)
+ [lambda-function-application-log-level-check](./lambda-function-application-log-level-check.html)
+ [lambda-function-description](./lambda-function-description.html)
+ [lambda-function-log-format-json](./lambda-function-log-format-json.html)
+ [lambda-function-public-access-prohibited](./lambda-function-public-access-prohibited.html)
+ [lambda-function-settings-check](./lambda-function-settings-check.html)
+ [lambda-function-system-log-level-check](./lambda-function-system-log-level-check.html)
+ [lambda-function-xray-enabled](./lambda-function-xray-enabled.html)
+ [lambda-inside-vpc](./lambda-inside-vpc.html)
+ [lambda-vpc-multi-az-check](./lambda-vpc-multi-az-check.html)
+ [macie-auto-sensitive-data-discovery-check](./macie-auto-sensitive-data-discovery-check.html)
+ [macie-status-check](./macie-status-check.html)
+ [mariadb-publish-logs-to-cloudwatch-logs](./mariadb-publish-logs-to-cloudwatch-logs.html)
+ [mediapackage-packagingconfiguration-tagged](./mediapackage-packagingconfiguration-tagged.html)
+ [mediatailor-playbackconfiguration-tagged](./mediatailor-playbackconfiguration-tagged.html)
+ [mfa-enabled-for-iam-console-access](./mfa-enabled-for-iam-console-access.html)
+ [mq-active-broker-ldap-authentication](./mq-active-broker-ldap-authentication.html)
+ [mq-active-deployment-mode](./mq-active-deployment-mode.html)
+ [mq-active-single-instance-broker-storage-type-efs](./mq-active-single-instance-broker-storage-type-efs.html)
+ [mq-automatic-minor-version-upgrade-enabled](./mq-automatic-minor-version-upgrade-enabled.html)
+ [mq-auto-minor-version-upgrade-enabled](./mq-auto-minor-version-upgrade-enabled.html)
+ [mq-broker-general-logging-enabled](./mq-broker-general-logging-enabled.html)
+ [mq-cloudwatch-audit-logging-enabled](./mq-cloudwatch-audit-logging-enabled.html)
+ [mq-cloudwatch-audit-log-enabled](./mq-cloudwatch-audit-log-enabled.html)
+ [mq-no-public-access](./mq-no-public-access.html)
+ [mq-rabbit-deployment-mode](./mq-rabbit-deployment-mode.html)
+ [msk-cluster-public-access-disabled](./msk-cluster-public-access-disabled.html)
+ [msk-cluster-tagged](./msk-cluster-tagged.html)
+ [msk-enhanced-monitoring-enabled](./msk-enhanced-monitoring-enabled.html)
+ [msk-in-cluster-node-require-tls](./msk-in-cluster-node-require-tls.html)
+ [msk-unrestricted-access-check](./msk-unrestricted-access-check.html)
+ [multi-region-cloud-trail-enabled](./multi-region-cloud-trail-enabled.html)
+ [nacl-no-unrestricted-ssh-rdp](./nacl-no-unrestricted-ssh-rdp.html)
+ [neptune-cluster-backup-retention-check](./neptune-cluster-backup-retention-check.html)
+ [neptune-cluster-cloudwatch-log-export-enabled](./neptune-cluster-cloudwatch-log-export-enabled.html)
+ [neptune-cluster-copy-tags-to-snapshot-enabled](./neptune-cluster-copy-tags-to-snapshot-enabled.html)
+ [neptune-cluster-deletion-protection-enabled](./neptune-cluster-deletion-protection-enabled.html)
+ [neptune-cluster-encrypted](./neptune-cluster-encrypted.html)
+ [neptune-cluster-iam-database-authentication](./neptune-cluster-iam-database-authentication.html)
+ [neptune-cluster-multi-az-enabled](./neptune-cluster-multi-az-enabled.html)
+ [neptune-cluster-snapshot-encrypted](./neptune-cluster-snapshot-encrypted.html)
+ [neptune-cluster-snapshot-iam-database-auth-enabled](./neptune-cluster-snapshot-iam-database-auth-enabled.html)
+ [neptune-cluster-snapshot-public-prohibited](./neptune-cluster-snapshot-public-prohibited.html)
+ [netfw-deletion-protection-enabled](./netfw-deletion-protection-enabled.html)
+ [netfw-logging-enabled](./netfw-logging-enabled.html)
+ [netfw-multi-az-enabled](./netfw-multi-az-enabled.html)
+ [netfw-policy-default-action-fragment-packets](./netfw-policy-default-action-fragment-packets.html)
+ [netfw-policy-default-action-full-packets](./netfw-policy-default-action-full-packets.html)
+ [netfw-policy-rule-group-associated](./netfw-policy-rule-group-associated.html)
+ [netfw-stateless-rule-group-not-empty](./netfw-stateless-rule-group-not-empty.html)
+ [netfw-subnet-change-protection-enabled](./netfw-subnet-change-protection-enabled.html)
+ [nlb-internal-scheme-check](./nlb-internal-scheme-check.html)
+ [nlb-listener-tagged](./nlb-listener-tagged.html)
+ [nlb-logging-enabled](./nlb-logging-enabled.html)
+ [nlb-tagged](./nlb-tagged.html)
+ [no-unrestricted-route-to-igw](./no-unrestricted-route-to-igw.html)
+ [opensearch-access-control-enabled](./opensearch-access-control-enabled.html)
+ [opensearch-audit-logging-enabled](./opensearch-audit-logging-enabled.html)
+ [opensearch-data-node-fault-tolerance](./opensearch-data-node-fault-tolerance.html)
+ [opensearch-encrypted-at-rest](./opensearch-encrypted-at-rest.html)
+ [opensearch-https-required](./opensearch-https-required.html)
+ [opensearch-in-vpc-only](./opensearch-in-vpc-only.html)
+ [opensearch-logs-to-cloudwatch](./opensearch-logs-to-cloudwatch.html)
+ [opensearch-node-to-node-encryption-check](./opensearch-node-to-node-encryption-check.html)
+ [opensearch-primary-node-fault-tolerance](./opensearch-primary-node-fault-tolerance.html)
+ [opensearch-update-check](./opensearch-update-check.html)
+ [rabbit-mq-supported-version](./rabbit-mq-supported-version.html)
+ [rds-aurora-mysql-audit-logging-enabled](./rds-aurora-mysql-audit-logging-enabled.html)
+ [rds-aurora-postgresql-logs-to-cloudwatch](./rds-aurora-postgresql-logs-to-cloudwatch.html)
+ [rds-automatic-minor-version-upgrade-enabled](./rds-automatic-minor-version-upgrade-enabled.html)
+ [rds-cluster-auto-minor-version-upgrade-enable](./rds-cluster-auto-minor-version-upgrade-enable.html)
+ [rds-cluster-backup-retention-check](./rds-cluster-backup-retention-check.html)
+ [rds-cluster-default-admin-check](./rds-cluster-default-admin-check.html)
+ [rds-cluster-deletion-protection-enabled](./rds-cluster-deletion-protection-enabled.html)
+ [rds-cluster-encrypted-at-rest](./rds-cluster-encrypted-at-rest.html)
+ [rds-cluster-iam-authentication-enabled](./rds-cluster-iam-authentication-enabled.html)
+ [rds-cluster-multi-az-enabled](./rds-cluster-multi-az-enabled.html)
+ [rds-enhanced-monitoring-enabled](./rds-enhanced-monitoring-enabled.html)
+ [rds-event-subscription-tagged](./rds-event-subscription-tagged.html)
+ [rds-global-cluster-aurora-mysql-supported-version](./rds-global-cluster-aurora-mysql-supported-version.html)
+ [rds-instance-default-admin-check](./rds-instance-default-admin-check.html)
+ [rds-instance-deletion-protection-enabled](./rds-instance-deletion-protection-enabled.html)
+ [rds-instance-iam-authentication-enabled](./rds-instance-iam-authentication-enabled.html)
+ [rds-instance-public-access-check](./rds-instance-public-access-check.html)
+ [rds-instance-subnet-igw-check](./rds-instance-subnet-igw-check.html)
+ [rds-in-backup-plan](./rds-in-backup-plan.html)
+ [rds-last-backup-recovery-point-created](./rds-last-backup-recovery-point-created.html)
+ [rds-logging-enabled](./rds-logging-enabled.html)
+ [rds-mariadb-instance-encrypted-in-transit](./rds-mariadb-instance-encrypted-in-transit.html)
+ [rds-meets-restore-time-target](./rds-meets-restore-time-target.html)
+ [rds-multi-az-support](./rds-multi-az-support.html)
+ [rds-mysql-cluster-copy-tags-to-snapshot-check](./rds-mysql-cluster-copy-tags-to-snapshot-check.html)
+ [rds-mysql-instance-encrypted-in-transit](./rds-mysql-instance-encrypted-in-transit.html)
+ [rds-option-group-tagged](./rds-option-group-tagged.html)
+ [rds-pgsql-cluster-copy-tags-to-snapshot-check](./rds-pgsql-cluster-copy-tags-to-snapshot-check.html)
+ [rds-postgresql-logs-to-cloudwatch](./rds-postgresql-logs-to-cloudwatch.html)
+ [rds-postgres-instance-encrypted-in-transit](./rds-postgres-instance-encrypted-in-transit.html)
+ [rds-proxy-tls-encryption](./rds-proxy-tls-encryption.html)
+ [rds-resources-protected-by-backup-plan](./rds-resources-protected-by-backup-plan.html)
+ [rds-snapshots-public-prohibited](./rds-snapshots-public-prohibited.html)
+ [rds-snapshot-encrypted](./rds-snapshot-encrypted.html)
+ [rds-sqlserver-encrypted-in-transit](./rds-sqlserver-encrypted-in-transit.html)
+ [rds-sql-server-logs-to-cloudwatch](./rds-sql-server-logs-to-cloudwatch.html)
+ [rds-storage-encrypted](./rds-storage-encrypted.html)
+ [redshift-audit-logging-enabled](./redshift-audit-logging-enabled.html)
+ [redshift-backup-enabled](./redshift-backup-enabled.html)
+ [redshift-cluster-configuration-check](./redshift-cluster-configuration-check.html)
+ [redshift-cluster-kms-enabled](./redshift-cluster-kms-enabled.html)
+ [redshift-cluster-maintenancesettings-check](./redshift-cluster-maintenancesettings-check.html)
+ [redshift-cluster-multi-az-enabled](./redshift-cluster-multi-az-enabled.html)
+ [redshift-cluster-parameter-group-tagged](./redshift-cluster-parameter-group-tagged.html)
+ [redshift-cluster-public-access-check](./redshift-cluster-public-access-check.html)
+ [redshift-cluster-subnet-group-multi-az](./redshift-cluster-subnet-group-multi-az.html)
+ [redshift-default-admin-check](./redshift-default-admin-check.html)
+ [redshift-default-db-name-check](./redshift-default-db-name-check.html)
+ [redshift-enhanced-vpc-routing-enabled](./redshift-enhanced-vpc-routing-enabled.html)
+ [redshift-require-tls-ssl](./redshift-require-tls-ssl.html)
+ [redshift-unrestricted-port-access](./redshift-unrestricted-port-access.html)
+ [required-tags](./required-tags.html)
+ [restricted-incoming-traffic](./restricted-incoming-traffic.html)
+ [root-account-hardware-mfa-enabled](./root-account-hardware-mfa-enabled.html)
+ [root-account-mfa-enabled](./root-account-mfa-enabled.html)
+ [route53-resolver-firewall-domain-list-tagged](./route53-resolver-firewall-domain-list-tagged.html)
+ [route53-resolver-firewall-rule-group-association-tagged](./route53-resolver-firewall-rule-group-association-tagged.html)
+ [route53-resolver-firewall-rule-group-tagged](./route53-resolver-firewall-rule-group-tagged.html)
+ [route53-resolver-resolver-endpoint-tagged](./route53-resolver-resolver-endpoint-tagged.html)
+ [route53-resolver-resolver-rule-tagged](./route53-resolver-resolver-rule-tagged.html)
+ [rum-app-monitor-cloudwatch-logs-enabled](./rum-app-monitor-cloudwatch-logs-enabled.html)
+ [rum-app-monitor-tagged](./rum-app-monitor-tagged.html)
+ [s3-access-point-in-vpc-only](./s3-access-point-in-vpc-only.html)
+ [s3-access-point-public-access-blocks](./s3-access-point-public-access-blocks.html)
+ [s3-account-level-public-access-blocks](./s3-account-level-public-access-blocks.html)
+ [s3-account-level-public-access-blocks-periodic](./s3-account-level-public-access-blocks-periodic.html)
+ [s3-bucket-acl-prohibited](./s3-bucket-acl-prohibited.html)
+ [s3-bucket-blacklisted-actions-prohibited](./s3-bucket-blacklisted-actions-prohibited.html)
+ [s3-bucket-cross-region-replication-enabled](./s3-bucket-cross-region-replication-enabled.html)
+ [s3-bucket-default-lock-enabled](./s3-bucket-default-lock-enabled.html)
+ [s3-bucket-level-public-access-prohibited](./s3-bucket-level-public-access-prohibited.html)
+ [s3-bucket-logging-enabled](./s3-bucket-logging-enabled.html)
+ [s3-bucket-policy-grantee-check](./s3-bucket-policy-grantee-check.html)
+ [s3-bucket-policy-not-more-permissive](./s3-bucket-policy-not-more-permissive.html)
+ [s3-bucket-public-read-prohibited](./s3-bucket-public-read-prohibited.html)
+ [s3-bucket-public-write-prohibited](./s3-bucket-public-write-prohibited.html)
+ [s3-bucket-replication-enabled](./s3-bucket-replication-enabled.html)
+ [s3-bucket-server-side-encryption-enabled](./s3-bucket-server-side-encryption-enabled.html)
+ [s3-bucket-ssl-requests-only](./s3-bucket-ssl-requests-only.html)
+ [s3-bucket-tagged](./s3-bucket-tagged.html)
+ [s3-bucket-versioning-enabled](./s3-bucket-versioning-enabled.html)
+ [s3-default-encryption-kms](./s3-default-encryption-kms.html)
+ [s3-event-notifications-enabled](./s3-event-notifications-enabled.html)
+ [s3-last-backup-recovery-point-created](./s3-last-backup-recovery-point-created.html)
+ [s3-lifecycle-policy-check](./s3-lifecycle-policy-check.html)
+ [s3-meets-restore-time-target](./s3-meets-restore-time-target.html)
+ [s3-resources-in-logically-air-gapped-vault](./s3-resources-in-logically-air-gapped-vault.html)
+ [s3-resources-protected-by-backup-plan](./s3-resources-protected-by-backup-plan.html)
+ [s3-version-lifecycle-policy-check](./s3-version-lifecycle-policy-check.html)
+ [sagemaker-app-image-config-tagged](./sagemaker-app-image-config-tagged.html)
+ [sagemaker-data-quality-job-encrypt-in-transit](./sagemaker-data-quality-job-encrypt-in-transit.html)
+ [sagemaker-data-quality-job-isolation](./sagemaker-data-quality-job-isolation.html)
+ [sagemaker-domain-in-vpc](./sagemaker-domain-in-vpc.html)
+ [sagemaker-domain-tagged](./sagemaker-domain-tagged.html)
+ [sagemaker-endpoint-configuration-kms-key-configured](./sagemaker-endpoint-configuration-kms-key-configured.html)
+ [sagemaker-endpoint-config-prod-instance-count](./sagemaker-endpoint-config-prod-instance-count.html)
+ [sagemaker-featuregroup-description](./sagemaker-featuregroup-description.html)
+ [sagemaker-featuregroup-encryption-at-rest](./sagemaker-featuregroup-encryption-at-rest.html)
+ [sagemaker-feature-group-tagged](./sagemaker-feature-group-tagged.html)
+ [sagemaker-image-description](./sagemaker-image-description.html)
+ [sagemaker-image-tagged](./sagemaker-image-tagged.html)
+ [sagemaker-inferenceexperiment-tagged](./sagemaker-inferenceexperiment-tagged.html)
+ [sagemaker-model-bias-job-encrypt-in-transit](./sagemaker-model-bias-job-encrypt-in-transit.html)
+ [sagemaker-model-bias-job-isolation](./sagemaker-model-bias-job-isolation.html)
+ [sagemaker-model-explainability-job-encrypt-in-transit](./sagemaker-model-explainability-job-encrypt-in-transit.html)
+ [sagemaker-model-in-vpc](./sagemaker-model-in-vpc.html)
+ [sagemaker-model-isolation-enabled](./sagemaker-model-isolation-enabled.html)
+ [sagemaker-model-quality-job-encrypt-in-transit](./sagemaker-model-quality-job-encrypt-in-transit.html)
+ [sagemaker-monitoring-schedule-isolation](./sagemaker-monitoring-schedule-isolation.html)
+ [sagemaker-notebook-instance-inside-vpc](./sagemaker-notebook-instance-inside-vpc.html)
+ [sagemaker-notebook-instance-kms-key-configured](./sagemaker-notebook-instance-kms-key-configured.html)
+ [sagemaker-notebook-instance-platform-version](./sagemaker-notebook-instance-platform-version.html)
+ [sagemaker-notebook-instance-root-access-check](./sagemaker-notebook-instance-root-access-check.html)
+ [sagemaker-notebook-no-direct-internet-access](./sagemaker-notebook-no-direct-internet-access.html)
+ [secretsmanager-rotation-enabled-check](./secretsmanager-rotation-enabled-check.html)
+ [secretsmanager-scheduled-rotation-success-check](./secretsmanager-scheduled-rotation-success-check.html)
+ [secretsmanager-secret-periodic-rotation](./secretsmanager-secret-periodic-rotation.html)
+ [secretsmanager-secret-unused](./secretsmanager-secret-unused.html)
+ [secretsmanager-using-cmk](./secretsmanager-using-cmk.html)
+ [securityhub-enabled](./securityhub-enabled.html)
+ [security-account-information-provided](./security-account-information-provided.html)
+ [service-catalog-portfolio-tagged](./service-catalog-portfolio-tagged.html)
+ [service-catalog-shared-within-organization](./service-catalog-shared-within-organization.html)
+ [service-vpc-endpoint-enabled](./service-vpc-endpoint-enabled.html)
+ [ses-sending-tls-required](./ses-sending-tls-required.html)
+ [sns-encrypted-kms](./sns-encrypted-kms.html)
+ [sns-topic-message-delivery-notification-enabled](./sns-topic-message-delivery-notification-enabled.html)
+ [sns-topic-no-public-access](./sns-topic-no-public-access.html)
+ [sqs-queue-dlq-check](./sqs-queue-dlq-check.html)
+ [sqs-queue-no-public-access](./sqs-queue-no-public-access.html)
+ [sqs-queue-policy-full-access-check](./sqs-queue-policy-full-access-check.html)
+ [ssm-automation-block-public-sharing](./ssm-automation-block-public-sharing.html)
+ [ssm-automation-logging-enabled](./ssm-automation-logging-enabled.html)
+ [ssm-document-not-public](./ssm-document-not-public.html)
+ [ssm-document-tagged](./ssm-document-tagged.html)
+ [stepfunctions-state-machine-tagged](./stepfunctions-state-machine-tagged.html)
+ [step-functions-state-machine-logging-enabled](./step-functions-state-machine-logging-enabled.html)
+ [storagegateway-last-backup-recovery-point-created](./storagegateway-last-backup-recovery-point-created.html)
+ [storagegateway-resources-in-logically-air-gapped-vault](./storagegateway-resources-in-logically-air-gapped-vault.html)
+ [storagegateway-resources-protected-by-backup-plan](./storagegateway-resources-protected-by-backup-plan.html)
+ [subnet-auto-assign-public-ip-disabled](./subnet-auto-assign-public-ip-disabled.html)
+ [transfer-agreement-description](./transfer-agreement-description.html)
+ [transfer-agreement-tagged](./transfer-agreement-tagged.html)
+ [transfer-certificate-description](./transfer-certificate-description.html)
+ [transfer-certificate-tagged](./transfer-certificate-tagged.html)
+ [transfer-connector-as2-encryption-algorithm-check](./transfer-connector-as2-encryption-algorithm-check.html)
+ [transfer-connector-as2-mdn-signing-algorithm-check](./transfer-connector-as2-mdn-signing-algorithm-check.html)
+ [transfer-connector-as2-signing-algorithm-check](./transfer-connector-as2-signing-algorithm-check.html)
+ [transfer-connector-logging-enabled](./transfer-connector-logging-enabled.html)
+ [transfer-connector-tagged](./transfer-connector-tagged.html)
+ [transfer-family-server-no-ftp](./transfer-family-server-no-ftp.html)
+ [transfer-profile-tagged](./transfer-profile-tagged.html)
+ [transfer-workflow-description](./transfer-workflow-description.html)
+ [transfer-workflow-tagged](./transfer-workflow-tagged.html)
+ [virtualmachine-last-backup-recovery-point-created](./virtualmachine-last-backup-recovery-point-created.html)
+ [virtualmachine-resources-in-logically-air-gapped-vault](./virtualmachine-resources-in-logically-air-gapped-vault.html)
+ [virtualmachine-resources-protected-by-backup-plan](./virtualmachine-resources-protected-by-backup-plan.html)
+ [vpc-default-security-group-closed](./vpc-default-security-group-closed.html)
+ [vpc-endpoint-enabled](./vpc-endpoint-enabled.html)
+ [vpc-flow-logs-enabled](./vpc-flow-logs-enabled.html)
+ [vpc-network-acl-unused-check](./vpc-network-acl-unused-check.html)
+ [vpc-peering-dns-resolution-check](./vpc-peering-dns-resolution-check.html)
+ [vpc-sg-open-only-to-authorized-ports](./vpc-sg-open-only-to-authorized-ports.html)
+ [vpc-sg-port-restriction-check](./vpc-sg-port-restriction-check.html)
+ [wafv2-logging-enabled](./wafv2-logging-enabled.html)
+ [wafv2-rulegroup-logging-enabled](./wafv2-rulegroup-logging-enabled.html)
+ [waf-global-rulegroup-not-empty](./waf-global-rulegroup-not-empty.html)
+ [waf-global-rule-not-empty](./waf-global-rule-not-empty.html)
+ [waf-regional-rule-not-empty](./waf-regional-rule-not-empty.html)
+ [waf-regional-webacl-not-empty](./waf-regional-webacl-not-empty.html)

## Asia Pacific (Seoul) Region
<a name="asia-pacific-seoul-section-head"></a>

### Asia Pacific (Seoul)
<a name="asia-pacific-seoul"></a>
+ [access-keys-rotated](./access-keys-rotated.html)
+ [account-part-of-organizations](./account-part-of-organizations.html)
+ [acmpca-certificate-authority-tagged](./acmpca-certificate-authority-tagged.html)
+ [acm-certificate-expiration-check](./acm-certificate-expiration-check.html)
+ [acm-certificate-rsa-check](./acm-certificate-rsa-check.html)
+ [acm-certificate-transparent-logging-enabled](./acm-certificate-transparent-logging-enabled.html)
+ [acm-pca-root-ca-disabled](./acm-pca-root-ca-disabled.html)
+ [active-mq-supported-version](./active-mq-supported-version.html)
+ [alb-desync-mode-check](./alb-desync-mode-check.html)
+ [alb-http-drop-invalid-header-enabled](./alb-http-drop-invalid-header-enabled.html)
+ [alb-http-to-https-redirection-check](./alb-http-to-https-redirection-check.html)
+ [alb-internal-scheme-check](./alb-internal-scheme-check.html)
+ [alb-listener-tagged](./alb-listener-tagged.html)
+ [alb-tagged](./alb-tagged.html)
+ [alb-waf-enabled](./alb-waf-enabled.html)
+ [amplify-app-branch-auto-deletion-enabled](./amplify-app-branch-auto-deletion-enabled.html)
+ [amplify-app-build-spec-configured](./amplify-app-build-spec-configured.html)
+ [amplify-app-description](./amplify-app-description.html)
+ [amplify-app-no-environment-variables](./amplify-app-no-environment-variables.html)
+ [amplify-app-platform-check](./amplify-app-platform-check.html)
+ [amplify-app-tagged](./amplify-app-tagged.html)
+ [amplify-branch-auto-build-enabled](./amplify-branch-auto-build-enabled.html)
+ [amplify-branch-build-spec-configured](./amplify-branch-build-spec-configured.html)
+ [amplify-branch-description](./amplify-branch-description.html)
+ [amplify-branch-framework-configured](./amplify-branch-framework-configured.html)
+ [amplify-branch-performance-mode-enabled](./amplify-branch-performance-mode-enabled.html)
+ [amplify-branch-pull-request-preview-enabled](./amplify-branch-pull-request-preview-enabled.html)
+ [amplify-branch-tagged](./amplify-branch-tagged.html)
+ [apigatewayv2-integration-private-https-enabled](./apigatewayv2-integration-private-https-enabled.html)
+ [apigatewayv2-stage-description](./apigatewayv2-stage-description.html)
+ [apigateway-domain-name-tls-check](./apigateway-domain-name-tls-check.html)
+ [apigateway-stage-access-logs-enabled](./apigateway-stage-access-logs-enabled.html)
+ [apigateway-stage-description](./apigateway-stage-description.html)
+ [api-gwv2-access-logs-enabled](./api-gwv2-access-logs-enabled.html)
+ [api-gwv2-authorization-type-configured](./api-gwv2-authorization-type-configured.html)
+ [api-gwv2-stage-default-route-detailed-metrics-enabled](./api-gwv2-stage-default-route-detailed-metrics-enabled.html)
+ [api-gw-associated-with-waf](./api-gw-associated-with-waf.html)
+ [api-gw-cache-enabled-and-encrypted](./api-gw-cache-enabled-and-encrypted.html)
+ [api-gw-endpoint-type-check](./api-gw-endpoint-type-check.html)
+ [api-gw-execution-logging-enabled](./api-gw-execution-logging-enabled.html)
+ [api-gw-rest-api-tagged](./api-gw-rest-api-tagged.html)
+ [api-gw-ssl-enabled](./api-gw-ssl-enabled.html)
+ [api-gw-stage-tagged](./api-gw-stage-tagged.html)
+ [api-gw-xray-enabled](./api-gw-xray-enabled.html)
+ [appconfig-application-description](./appconfig-application-description.html)
+ [appconfig-application-tagged](./appconfig-application-tagged.html)
+ [appconfig-configuration-profile-tagged](./appconfig-configuration-profile-tagged.html)
+ [appconfig-configuration-profile-validators-not-empty](./appconfig-configuration-profile-validators-not-empty.html)
+ [appconfig-deployment-strategy-description](./appconfig-deployment-strategy-description.html)
+ [appconfig-deployment-strategy-minimum-final-bake-time](./appconfig-deployment-strategy-minimum-final-bake-time.html)
+ [appconfig-deployment-strategy-replicate-to-ssm](./appconfig-deployment-strategy-replicate-to-ssm.html)
+ [appconfig-deployment-strategy-tagged](./appconfig-deployment-strategy-tagged.html)
+ [appconfig-environment-description](./appconfig-environment-description.html)
+ [appconfig-environment-tagged](./appconfig-environment-tagged.html)
+ [appconfig-extension-association-tagged](./appconfig-extension-association-tagged.html)
+ [appconfig-freeform-profile-config-storage](./appconfig-freeform-profile-config-storage.html)
+ [appconfig-hosted-configuration-version-description](./appconfig-hosted-configuration-version-description.html)
+ [appflow-flow-tagged](./appflow-flow-tagged.html)
+ [appflow-flow-trigger-type-check](./appflow-flow-trigger-type-check.html)
+ [appintegrations-application-approved-origins-check](./appintegrations-application-approved-origins-check.html)
+ [appintegrations-application-tagged](./appintegrations-application-tagged.html)
+ [appintegrations-event-integration-description](./appintegrations-event-integration-description.html)
+ [appintegrations-event-integration-tagged](./appintegrations-event-integration-tagged.html)
+ [appmesh-gateway-route-tagged](./appmesh-gateway-route-tagged.html)
+ [appmesh-mesh-deny-tcp-forwarding](./appmesh-mesh-deny-tcp-forwarding.html)
+ [appmesh-mesh-ip-pref-check](./appmesh-mesh-ip-pref-check.html)
+ [appmesh-mesh-tagged](./appmesh-mesh-tagged.html)
+ [appmesh-route-tagged](./appmesh-route-tagged.html)
+ [appmesh-virtual-gateway-backend-defaults-tls](./appmesh-virtual-gateway-backend-defaults-tls.html)
+ [appmesh-virtual-gateway-listeners-health-check-enabled](./appmesh-virtual-gateway-listeners-health-check-enabled.html)
+ [appmesh-virtual-gateway-logging-file-path-exists](./appmesh-virtual-gateway-logging-file-path-exists.html)
+ [appmesh-virtual-gateway-tagged](./appmesh-virtual-gateway-tagged.html)
+ [appmesh-virtual-node-backend-defaults-tls-on](./appmesh-virtual-node-backend-defaults-tls-on.html)
+ [appmesh-virtual-node-cloud-map-ip-pref-check](./appmesh-virtual-node-cloud-map-ip-pref-check.html)
+ [appmesh-virtual-node-dns-ip-pref-check](./appmesh-virtual-node-dns-ip-pref-check.html)
+ [appmesh-virtual-node-listeners-health-check-enabled](./appmesh-virtual-node-listeners-health-check-enabled.html)
+ [appmesh-virtual-node-listeners-outlier-detect-enabled](./appmesh-virtual-node-listeners-outlier-detect-enabled.html)
+ [appmesh-virtual-node-logging-file-path-exists](./appmesh-virtual-node-logging-file-path-exists.html)
+ [appmesh-virtual-node-service-backends-tls-enforced](./appmesh-virtual-node-service-backends-tls-enforced.html)
+ [appmesh-virtual-node-tagged](./appmesh-virtual-node-tagged.html)
+ [appmesh-virtual-router-tagged](./appmesh-virtual-router-tagged.html)
+ [appmesh-virtual-service-tagged](./appmesh-virtual-service-tagged.html)
+ [approved-amis-by-id](./approved-amis-by-id.html)
+ [approved-amis-by-tag](./approved-amis-by-tag.html)
+ [appstream-fleet-in-vpc](./appstream-fleet-in-vpc.html)
+ [appsync-associated-with-waf](./appsync-associated-with-waf.html)
+ [appsync-authorization-check](./appsync-authorization-check.html)
+ [appsync-cache-encryption-at-rest](./appsync-cache-encryption-at-rest.html)
+ [appsync-graphql-api-xray-enabled](./appsync-graphql-api-xray-enabled.html)
+ [appsync-logging-enabled](./appsync-logging-enabled.html)
+ [aps-rule-groups-namespace-tagged](./aps-rule-groups-namespace-tagged.html)
+ [athena-data-catalog-description](./athena-data-catalog-description.html)
+ [athena-prepared-statement-description](./athena-prepared-statement-description.html)
+ [athena-workgroup-description](./athena-workgroup-description.html)
+ [athena-workgroup-encrypted-at-rest](./athena-workgroup-encrypted-at-rest.html)
+ [athena-workgroup-enforce-workgroup-configuration](./athena-workgroup-enforce-workgroup-configuration.html)
+ [athena-workgroup-engine-version-auto-upgrade](./athena-workgroup-engine-version-auto-upgrade.html)
+ [athena-workgroup-logging-enabled](./athena-workgroup-logging-enabled.html)
+ [aurora-global-database-encryption-at-rest](./aurora-global-database-encryption-at-rest.html)
+ [aurora-last-backup-recovery-point-created](./aurora-last-backup-recovery-point-created.html)
+ [aurora-meets-restore-time-target](./aurora-meets-restore-time-target.html)
+ [aurora-mysql-backtracking-enabled](./aurora-mysql-backtracking-enabled.html)
+ [aurora-mysql-cluster-audit-logging](./aurora-mysql-cluster-audit-logging.html)
+ [aurora-resources-in-logically-air-gapped-vault](./aurora-resources-in-logically-air-gapped-vault.html)
+ [aurora-resources-protected-by-backup-plan](./aurora-resources-protected-by-backup-plan.html)
+ [autoscaling-capacity-rebalancing](./autoscaling-capacity-rebalancing.html)
+ [autoscaling-group-elb-healthcheck-required](./autoscaling-group-elb-healthcheck-required.html)
+ [autoscaling-launchconfig-requires-imdsv2](./autoscaling-launchconfig-requires-imdsv2.html)
+ [autoscaling-launch-config-hop-limit](./autoscaling-launch-config-hop-limit.html)
+ [autoscaling-launch-config-public-ip-disabled](./autoscaling-launch-config-public-ip-disabled.html)
+ [autoscaling-launch-template](./autoscaling-launch-template.html)
+ [autoscaling-multiple-az](./autoscaling-multiple-az.html)
+ [autoscaling-multiple-instance-types](./autoscaling-multiple-instance-types.html)
+ [backup-plan-min-frequency-and-min-retention-check](./backup-plan-min-frequency-and-min-retention-check.html)
+ [backup-recovery-point-encrypted](./backup-recovery-point-encrypted.html)
+ [backup-recovery-point-manual-deletion-disabled](./backup-recovery-point-manual-deletion-disabled.html)
+ [backup-recovery-point-minimum-retention-check](./backup-recovery-point-minimum-retention-check.html)
+ [batch-compute-environment-enabled](./batch-compute-environment-enabled.html)
+ [batch-compute-environment-managed](./batch-compute-environment-managed.html)
+ [batch-compute-environment-tagged](./batch-compute-environment-tagged.html)
+ [batch-job-queue-enabled](./batch-job-queue-enabled.html)
+ [batch-job-queue-tagged](./batch-job-queue-tagged.html)
+ [batch-managed-compute-environment-using-launch-template](./batch-managed-compute-environment-using-launch-template.html)
+ [batch-managed-compute-env-allocation-strategy-check](./batch-managed-compute-env-allocation-strategy-check.html)
+ [batch-managed-compute-env-compute-resources-tagged](./batch-managed-compute-env-compute-resources-tagged.html)
+ [batch-managed-spot-compute-environment-max-bid](./batch-managed-spot-compute-environment-max-bid.html)
+ [batch-scheduling-policy-tagged](./batch-scheduling-policy-tagged.html)
+ [beanstalk-enhanced-health-reporting-enabled](./beanstalk-enhanced-health-reporting-enabled.html)
+ [cassandra-keyspace-tagged](./cassandra-keyspace-tagged.html)
+ [clb-desync-mode-check](./clb-desync-mode-check.html)
+ [clb-multiple-az](./clb-multiple-az.html)
+ [cloudformation-stack-drift-detection-check](./cloudformation-stack-drift-detection-check.html)
+ [cloudformation-stack-notification-check](./cloudformation-stack-notification-check.html)
+ [cloudformation-stack-service-role-check](./cloudformation-stack-service-role-check.html)
+ [cloudformation-termination-protection-check](./cloudformation-termination-protection-check.html)
+ [cloudtrail-all-read-s3-data-event-check](./cloudtrail-all-read-s3-data-event-check.html)
+ [cloudtrail-all-write-s3-data-event-check](./cloudtrail-all-write-s3-data-event-check.html)
+ [cloudtrail-event-data-store-multi-region](./cloudtrail-event-data-store-multi-region.html)
+ [cloudtrail-s3-bucket-access-logging](./cloudtrail-s3-bucket-access-logging.html)
+ [cloudtrail-s3-bucket-public-access-prohibited](./cloudtrail-s3-bucket-public-access-prohibited.html)
+ [cloudtrail-s3-dataevents-enabled](./cloudtrail-s3-dataevents-enabled.html)
+ [cloudtrail-security-trail-enabled](./cloudtrail-security-trail-enabled.html)
+ [cloudwatch-alarm-action-check](./cloudwatch-alarm-action-check.html)
+ [cloudwatch-alarm-action-enabled-check](./cloudwatch-alarm-action-enabled-check.html)
+ [cloudwatch-alarm-description](./cloudwatch-alarm-description.html)
+ [cloudwatch-alarm-resource-check](./cloudwatch-alarm-resource-check.html)
+ [cloudwatch-alarm-settings-check](./cloudwatch-alarm-settings-check.html)
+ [cloudwatch-log-group-encrypted](./cloudwatch-log-group-encrypted.html)
+ [cloudwatch-metric-stream-tagged](./cloudwatch-metric-stream-tagged.html)
+ [cloud-trail-cloud-watch-logs-enabled](./cloud-trail-cloud-watch-logs-enabled.html)
+ [cloud-trail-enabled](./cloud-trail-enabled.html)
+ [cloud-trail-encryption-enabled](./cloud-trail-encryption-enabled.html)
+ [cloud-trail-log-file-validation-enabled](./cloud-trail-log-file-validation-enabled.html)
+ [cmk-backing-key-rotation-enabled](./cmk-backing-key-rotation-enabled.html)
+ [codebuild-project-artifact-encryption](./codebuild-project-artifact-encryption.html)
+ [codebuild-project-environment-privileged-check](./codebuild-project-environment-privileged-check.html)
+ [codebuild-project-envvar-awscred-check](./codebuild-project-envvar-awscred-check.html)
+ [codebuild-project-logging-enabled](./codebuild-project-logging-enabled.html)
+ [codebuild-project-s3-logs-encrypted](./codebuild-project-s3-logs-encrypted.html)
+ [codebuild-project-source-repo-url-check](./codebuild-project-source-repo-url-check.html)
+ [codebuild-project-tagged](./codebuild-project-tagged.html)
+ [codebuild-report-group-encrypted-at-rest](./codebuild-report-group-encrypted-at-rest.html)
+ [codebuild-report-group-tagged](./codebuild-report-group-tagged.html)
+ [codedeploy-auto-rollback-monitor-enabled](./codedeploy-auto-rollback-monitor-enabled.html)
+ [codedeploy-deployment-group-auto-rollback-enabled](./codedeploy-deployment-group-auto-rollback-enabled.html)
+ [codedeploy-deployment-group-outdated-instances-update](./codedeploy-deployment-group-outdated-instances-update.html)
+ [codedeploy-ec2-minimum-healthy-hosts-configured](./codedeploy-ec2-minimum-healthy-hosts-configured.html)
+ [codedeploy-lambda-allatonce-traffic-shift-disabled](./codedeploy-lambda-allatonce-traffic-shift-disabled.html)
+ [codepipeline-deployment-count-check](./codepipeline-deployment-count-check.html)
+ [codepipeline-region-fanout-check](./codepipeline-region-fanout-check.html)
+ [cognito-identity-pool-unauthenticated-logins](./cognito-identity-pool-unauthenticated-logins.html)
+ [cognito-identity-pool-unauth-access-check](./cognito-identity-pool-unauth-access-check.html)
+ [cognito-userpool-cust-auth-threat-full-check](./cognito-userpool-cust-auth-threat-full-check.html)
+ [cognito-user-pool-advanced-security-enabled](./cognito-user-pool-advanced-security-enabled.html)
+ [cognito-user-pool-deletion-protection-enabled](./cognito-user-pool-deletion-protection-enabled.html)
+ [cognito-user-pool-mfa-enabled](./cognito-user-pool-mfa-enabled.html)
+ [cognito-user-pool-password-policy-check](./cognito-user-pool-password-policy-check.html)
+ [cognito-user-pool-tagged](./cognito-user-pool-tagged.html)
+ [connect-instance-logging-enabled](./connect-instance-logging-enabled.html)
+ [customerprofiles-domain-tagged](./customerprofiles-domain-tagged.html)
+ [customerprofiles-object-type-allow-profile-creation](./customerprofiles-object-type-allow-profile-creation.html)
+ [customerprofiles-object-type-tagged](./customerprofiles-object-type-tagged.html)
+ [custom-eventbus-policy-attached](./custom-eventbus-policy-attached.html)
+ [custom-schema-registry-policy-attached](./custom-schema-registry-policy-attached.html)
+ [cw-loggroup-retention-period-check](./cw-loggroup-retention-period-check.html)
+ [datasync-location-object-storage-using-https](./datasync-location-object-storage-using-https.html)
+ [datasync-task-data-verification-enabled](./datasync-task-data-verification-enabled.html)
+ [datasync-task-logging-enabled](./datasync-task-logging-enabled.html)
+ [datasync-task-tagged](./datasync-task-tagged.html)
+ [db-instance-backup-enabled](./db-instance-backup-enabled.html)
+ [desired-instance-tenancy](./desired-instance-tenancy.html)
+ [desired-instance-type](./desired-instance-type.html)
+ [dms-auto-minor-version-upgrade-check](./dms-auto-minor-version-upgrade-check.html)
+ [dms-endpoint-ssl-configured](./dms-endpoint-ssl-configured.html)
+ [dms-endpoint-tagged](./dms-endpoint-tagged.html)
+ [dms-mongo-db-authentication-enabled](./dms-mongo-db-authentication-enabled.html)
+ [dms-neptune-iam-authorization-enabled](./dms-neptune-iam-authorization-enabled.html)
+ [dms-redis-tls-enabled](./dms-redis-tls-enabled.html)
+ [dms-replication-instance-multi-az-enabled](./dms-replication-instance-multi-az-enabled.html)
+ [dms-replication-not-public](./dms-replication-not-public.html)
+ [dms-replication-task-sourcedb-logging](./dms-replication-task-sourcedb-logging.html)
+ [dms-replication-task-tagged](./dms-replication-task-tagged.html)
+ [dms-replication-task-targetdb-logging](./dms-replication-task-targetdb-logging.html)
+ [docdb-cluster-audit-logging-enabled](./docdb-cluster-audit-logging-enabled.html)
+ [docdb-cluster-backup-retention-check](./docdb-cluster-backup-retention-check.html)
+ [docdb-cluster-deletion-protection-enabled](./docdb-cluster-deletion-protection-enabled.html)
+ [docdb-cluster-encrypted](./docdb-cluster-encrypted.html)
+ [docdb-cluster-encrypted-in-transit](./docdb-cluster-encrypted-in-transit.html)
+ [docdb-cluster-snapshot-public-prohibited](./docdb-cluster-snapshot-public-prohibited.html)
+ [dynamodb-autoscaling-enabled](./dynamodb-autoscaling-enabled.html)
+ [dynamodb-in-backup-plan](./dynamodb-in-backup-plan.html)
+ [dynamodb-last-backup-recovery-point-created](./dynamodb-last-backup-recovery-point-created.html)
+ [dynamodb-meets-restore-time-target](./dynamodb-meets-restore-time-target.html)
+ [dynamodb-pitr-enabled](./dynamodb-pitr-enabled.html)
+ [dynamodb-resources-protected-by-backup-plan](./dynamodb-resources-protected-by-backup-plan.html)
+ [dynamodb-table-deletion-protection-enabled](./dynamodb-table-deletion-protection-enabled.html)
+ [dynamodb-table-encrypted-kms](./dynamodb-table-encrypted-kms.html)
+ [dynamodb-table-encryption-enabled](./dynamodb-table-encryption-enabled.html)
+ [dynamodb-throughput-limit-check](./dynamodb-throughput-limit-check.html)
+ [ebs-in-backup-plan](./ebs-in-backup-plan.html)
+ [ebs-last-backup-recovery-point-created](./ebs-last-backup-recovery-point-created.html)
+ [ebs-meets-restore-time-target](./ebs-meets-restore-time-target.html)
+ [ebs-optimized-instance](./ebs-optimized-instance.html)
+ [ebs-resources-in-logically-air-gapped-vault](./ebs-resources-in-logically-air-gapped-vault.html)
+ [ebs-resources-protected-by-backup-plan](./ebs-resources-protected-by-backup-plan.html)
+ [ebs-snapshot-block-public-access](./ebs-snapshot-block-public-access.html)
+ [ebs-snapshot-public-restorable-check](./ebs-snapshot-public-restorable-check.html)
+ [ec2-capacity-reservation-tagged](./ec2-capacity-reservation-tagged.html)
+ [ec2-carrier-gateway-tagged](./ec2-carrier-gateway-tagged.html)
+ [ec2-client-vpn-connection-log-enabled](./ec2-client-vpn-connection-log-enabled.html)
+ [ec2-client-vpn-endpoint-tagged](./ec2-client-vpn-endpoint-tagged.html)
+ [ec2-client-vpn-not-authorize-all](./ec2-client-vpn-not-authorize-all.html)
+ [ec2-dhcp-options-tagged](./ec2-dhcp-options-tagged.html)
+ [ec2-ebs-encryption-by-default](./ec2-ebs-encryption-by-default.html)
+ [ec2-enis-source-destination-check-enabled](./ec2-enis-source-destination-check-enabled.html)
+ [ec2-fleet-tagged](./ec2-fleet-tagged.html)
+ [ec2-imdsv2-check](./ec2-imdsv2-check.html)
+ [ec2-instance-detailed-monitoring-enabled](./ec2-instance-detailed-monitoring-enabled.html)
+ [ec2-instance-launched-with-allowed-ami](./ec2-instance-launched-with-allowed-ami.html)
+ [ec2-instance-managed-by-ssm](./ec2-instance-managed-by-ssm.html)
+ [ec2-instance-multiple-eni-check](./ec2-instance-multiple-eni-check.html)
+ [ec2-instance-no-public-ip](./ec2-instance-no-public-ip.html)
+ [ec2-instance-profile-attached](./ec2-instance-profile-attached.html)
+ [ec2-ipamscope-tagged](./ec2-ipamscope-tagged.html)
+ [ec2-last-backup-recovery-point-created](./ec2-last-backup-recovery-point-created.html)
+ [ec2-launchtemplate-ebs-encrypted](./ec2-launchtemplate-ebs-encrypted.html)
+ [ec2-launch-templates-ebs-volume-encrypted](./ec2-launch-templates-ebs-volume-encrypted.html)
+ [ec2-launch-template-imdsv2-check](./ec2-launch-template-imdsv2-check.html)
+ [ec2-launch-template-public-ip-disabled](./ec2-launch-template-public-ip-disabled.html)
+ [ec2-launch-template-tagged](./ec2-launch-template-tagged.html)
+ [ec2-managedinstance-applications-blacklisted](./ec2-managedinstance-applications-blacklisted.html)
+ [ec2-managedinstance-applications-required](./ec2-managedinstance-applications-required.html)
+ [ec2-managedinstance-association-compliance-status-check](./ec2-managedinstance-association-compliance-status-check.html)
+ [ec2-managedinstance-inventory-blacklisted](./ec2-managedinstance-inventory-blacklisted.html)
+ [ec2-managedinstance-patch-compliance-status-check](./ec2-managedinstance-patch-compliance-status-check.html)
+ [ec2-managedinstance-platform-check](./ec2-managedinstance-platform-check.html)
+ [ec2-meets-restore-time-target](./ec2-meets-restore-time-target.html)
+ [ec2-network-insights-access-scope-analysis-tagged](./ec2-network-insights-access-scope-analysis-tagged.html)
+ [ec2-network-insights-access-scope-tagged](./ec2-network-insights-access-scope-tagged.html)
+ [ec2-network-insights-analysis-tagged](./ec2-network-insights-analysis-tagged.html)
+ [ec2-network-insights-path-tagged](./ec2-network-insights-path-tagged.html)
+ [ec2-no-amazon-key-pair](./ec2-no-amazon-key-pair.html)
+ [ec2-prefix-list-tagged](./ec2-prefix-list-tagged.html)
+ [ec2-resources-in-logically-air-gapped-vault](./ec2-resources-in-logically-air-gapped-vault.html)
+ [ec2-resources-protected-by-backup-plan](./ec2-resources-protected-by-backup-plan.html)
+ [ec2-security-group-attached-to-eni](./ec2-security-group-attached-to-eni.html)
+ [ec2-security-group-attached-to-eni-periodic](./ec2-security-group-attached-to-eni-periodic.html)
+ [ec2-spot-fleet-request-ct-encryption-at-rest](./ec2-spot-fleet-request-ct-encryption-at-rest.html)
+ [ec2-stopped-instance](./ec2-stopped-instance.html)
+ [ec2-token-hop-limit-check](./ec2-token-hop-limit-check.html)
+ [ec2-traffic-mirror-filter-description](./ec2-traffic-mirror-filter-description.html)
+ [ec2-traffic-mirror-filter-tagged](./ec2-traffic-mirror-filter-tagged.html)
+ [ec2-traffic-mirror-session-description](./ec2-traffic-mirror-session-description.html)
+ [ec2-traffic-mirror-session-tagged](./ec2-traffic-mirror-session-tagged.html)
+ [ec2-traffic-mirror-target-description](./ec2-traffic-mirror-target-description.html)
+ [ec2-traffic-mirror-target-tagged](./ec2-traffic-mirror-target-tagged.html)
+ [ec2-transit-gateway-auto-vpc-attach-disabled](./ec2-transit-gateway-auto-vpc-attach-disabled.html)
+ [ec2-transit-gateway-multicast-domain-tagged](./ec2-transit-gateway-multicast-domain-tagged.html)
+ [ec2-volume-inuse-check](./ec2-volume-inuse-check.html)
+ [ec2-vpn-connection-ike-version-check](./ec2-vpn-connection-ike-version-check.html)
+ [ec2-vpn-connection-logging-enabled](./ec2-vpn-connection-logging-enabled.html)
+ [ec2-vpn-connection-tagged](./ec2-vpn-connection-tagged.html)
+ [ecr-private-image-scanning-enabled](./ecr-private-image-scanning-enabled.html)
+ [ecr-private-lifecycle-policy-configured](./ecr-private-lifecycle-policy-configured.html)
+ [ecr-private-tag-immutability-enabled](./ecr-private-tag-immutability-enabled.html)
+ [ecr-repository-cmk-encryption-enabled](./ecr-repository-cmk-encryption-enabled.html)
+ [ecr-repository-tagged](./ecr-repository-tagged.html)
+ [ecs-awsvpc-networking-enabled](./ecs-awsvpc-networking-enabled.html)
+ [ecs-capacity-provider-tagged](./ecs-capacity-provider-tagged.html)
+ [ecs-capacity-provider-termination-check](./ecs-capacity-provider-termination-check.html)
+ [ecs-containers-nonprivileged](./ecs-containers-nonprivileged.html)
+ [ecs-containers-readonly-access](./ecs-containers-readonly-access.html)
+ [ecs-container-insights-enabled](./ecs-container-insights-enabled.html)
+ [ecs-fargate-latest-platform-version](./ecs-fargate-latest-platform-version.html)
+ [ecs-no-environment-secrets](./ecs-no-environment-secrets.html)
+ [ecs-service-propagate-tags-enabled](./ecs-service-propagate-tags-enabled.html)
+ [ecs-task-definition-efs-encryption-enabled](./ecs-task-definition-efs-encryption-enabled.html)
+ [ecs-task-definition-linux-user-non-root](./ecs-task-definition-linux-user-non-root.html)
+ [ecs-task-definition-log-configuration](./ecs-task-definition-log-configuration.html)
+ [ecs-task-definition-memory-hard-limit](./ecs-task-definition-memory-hard-limit.html)
+ [ecs-task-definition-network-mode-not-host](./ecs-task-definition-network-mode-not-host.html)
+ [ecs-task-definition-nonroot-user](./ecs-task-definition-nonroot-user.html)
+ [ecs-task-definition-pid-mode-check](./ecs-task-definition-pid-mode-check.html)
+ [ecs-task-definition-user-for-host-mode-check](./ecs-task-definition-user-for-host-mode-check.html)
+ [ecs-task-definition-windows-user-non-admin](./ecs-task-definition-windows-user-non-admin.html)
+ [efs-access-point-enforce-root-directory](./efs-access-point-enforce-root-directory.html)
+ [efs-access-point-enforce-user-identity](./efs-access-point-enforce-user-identity.html)
+ [efs-automatic-backups-enabled](./efs-automatic-backups-enabled.html)
+ [efs-encrypted-check](./efs-encrypted-check.html)
+ [efs-filesystem-ct-encrypted](./efs-filesystem-ct-encrypted.html)
+ [efs-file-system-tagged](./efs-file-system-tagged.html)
+ [efs-in-backup-plan](./efs-in-backup-plan.html)
+ [efs-last-backup-recovery-point-created](./efs-last-backup-recovery-point-created.html)
+ [efs-meets-restore-time-target](./efs-meets-restore-time-target.html)
+ [efs-mount-target-public-accessible](./efs-mount-target-public-accessible.html)
+ [efs-resources-in-logically-air-gapped-vault](./efs-resources-in-logically-air-gapped-vault.html)
+ [efs-resources-protected-by-backup-plan](./efs-resources-protected-by-backup-plan.html)
+ [eip-attached](./eip-attached.html)
+ [eks-addon-tagged](./eks-addon-tagged.html)
+ [eks-cluster-logging-enabled](./eks-cluster-logging-enabled.html)
+ [eks-cluster-log-enabled](./eks-cluster-log-enabled.html)
+ [eks-cluster-oldest-supported-version](./eks-cluster-oldest-supported-version.html)
+ [eks-cluster-secrets-encrypted](./eks-cluster-secrets-encrypted.html)
+ [eks-cluster-supported-version](./eks-cluster-supported-version.html)
+ [eks-endpoint-no-public-access](./eks-endpoint-no-public-access.html)
+ [eks-fargate-profile-tagged](./eks-fargate-profile-tagged.html)
+ [eks-nodegroup-supported-version-check](./eks-nodegroup-supported-version-check.html)
+ [eks-secrets-encrypted](./eks-secrets-encrypted.html)
+ [elasticache-automatic-backup-check-enabled](./elasticache-automatic-backup-check-enabled.html)
+ [elasticache-auto-minor-version-upgrade-check](./elasticache-auto-minor-version-upgrade-check.html)
+ [elasticache-rbac-auth-enabled](./elasticache-rbac-auth-enabled.html)
+ [elasticache-redis-cluster-automatic-backup-check](./elasticache-redis-cluster-automatic-backup-check.html)
+ [elasticache-repl-grp-auto-failover-enabled](./elasticache-repl-grp-auto-failover-enabled.html)
+ [elasticache-repl-grp-encrypted-at-rest](./elasticache-repl-grp-encrypted-at-rest.html)
+ [elasticache-repl-grp-encrypted-in-transit](./elasticache-repl-grp-encrypted-in-transit.html)
+ [elasticache-repl-grp-redis-auth-enabled](./elasticache-repl-grp-redis-auth-enabled.html)
+ [elasticache-subnet-group-check](./elasticache-subnet-group-check.html)
+ [elasticache-supported-engine-version](./elasticache-supported-engine-version.html)
+ [elasticbeanstalk-application-description](./elasticbeanstalk-application-description.html)
+ [elasticbeanstalk-application-version-description](./elasticbeanstalk-application-version-description.html)
+ [elasticbeanstalk-environment-description](./elasticbeanstalk-environment-description.html)
+ [elasticsearch-encrypted-at-rest](./elasticsearch-encrypted-at-rest.html)
+ [elasticsearch-in-vpc-only](./elasticsearch-in-vpc-only.html)
+ [elasticsearch-logs-to-cloudwatch](./elasticsearch-logs-to-cloudwatch.html)
+ [elasticsearch-node-to-node-encryption-check](./elasticsearch-node-to-node-encryption-check.html)
+ [elastic-beanstalk-logs-to-cloudwatch](./elastic-beanstalk-logs-to-cloudwatch.html)
+ [elastic-beanstalk-managed-updates-enabled](./elastic-beanstalk-managed-updates-enabled.html)
+ [elbv2-acm-certificate-required](./elbv2-acm-certificate-required.html)
+ [elbv2-listener-encryption-in-transit](./elbv2-listener-encryption-in-transit.html)
+ [elbv2-multiple-az](./elbv2-multiple-az.html)
+ [elbv2-predefined-security-policy-ssl-check](./elbv2-predefined-security-policy-ssl-check.html)
+ [elbv2-targetgroup-healthcheck-protocol-encrypted](./elbv2-targetgroup-healthcheck-protocol-encrypted.html)
+ [elbv2-targetgroup-protocol-encrypted](./elbv2-targetgroup-protocol-encrypted.html)
+ [elb-acm-certificate-required](./elb-acm-certificate-required.html)
+ [elb-cross-zone-load-balancing-enabled](./elb-cross-zone-load-balancing-enabled.html)
+ [elb-custom-security-policy-ssl-check](./elb-custom-security-policy-ssl-check.html)
+ [elb-deletion-protection-enabled](./elb-deletion-protection-enabled.html)
+ [elb-internal-scheme-check](./elb-internal-scheme-check.html)
+ [elb-logging-enabled](./elb-logging-enabled.html)
+ [elb-predefined-security-policy-ssl-check](./elb-predefined-security-policy-ssl-check.html)
+ [elb-tagged](./elb-tagged.html)
+ [elb-tls-https-listeners-only](./elb-tls-https-listeners-only.html)
+ [emr-block-public-access](./emr-block-public-access.html)
+ [emr-kerberos-enabled](./emr-kerberos-enabled.html)
+ [emr-master-no-public-ip](./emr-master-no-public-ip.html)
+ [emr-security-configuration-encryption-rest](./emr-security-configuration-encryption-rest.html)
+ [emr-security-configuration-encryption-transit](./emr-security-configuration-encryption-transit.html)
+ [encrypted-volumes](./encrypted-volumes.html)
+ [eventschemas-discoverer-tagged](./eventschemas-discoverer-tagged.html)
+ [eventschemas-registry-tagged](./eventschemas-registry-tagged.html)
+ [event-data-store-cmk-encryption-enabled](./event-data-store-cmk-encryption-enabled.html)
+ [fis-experiment-template-log-configuration-exists](./fis-experiment-template-log-configuration-exists.html)
+ [fis-experiment-template-tagged](./fis-experiment-template-tagged.html)
+ [fms-shield-resource-policy-check](./fms-shield-resource-policy-check.html)
+ [fms-webacl-resource-policy-check](./fms-webacl-resource-policy-check.html)
+ [fms-webacl-rulegroup-association-check](./fms-webacl-rulegroup-association-check.html)
+ [fsx-last-backup-recovery-point-created](./fsx-last-backup-recovery-point-created.html)
+ [fsx-lustre-copy-tags-to-backups](./fsx-lustre-copy-tags-to-backups.html)
+ [fsx-meets-restore-time-target](./fsx-meets-restore-time-target.html)
+ [fsx-ontap-deployment-type-check](./fsx-ontap-deployment-type-check.html)
+ [fsx-openzfs-copy-tags-enabled](./fsx-openzfs-copy-tags-enabled.html)
+ [fsx-openzfs-deployment-type-check](./fsx-openzfs-deployment-type-check.html)
+ [fsx-resources-protected-by-backup-plan](./fsx-resources-protected-by-backup-plan.html)
+ [fsx-windows-audit-log-configured](./fsx-windows-audit-log-configured.html)
+ [fsx-windows-deployment-type-check](./fsx-windows-deployment-type-check.html)
+ [glb-listener-tagged](./glb-listener-tagged.html)
+ [glb-tagged](./glb-tagged.html)
+ [global-endpoint-event-replication-enabled](./global-endpoint-event-replication-enabled.html)
+ [glue-job-logging-enabled](./glue-job-logging-enabled.html)
+ [glue-ml-transform-encrypted-at-rest](./glue-ml-transform-encrypted-at-rest.html)
+ [glue-ml-transform-tagged](./glue-ml-transform-tagged.html)
+ [glue-spark-job-supported-version](./glue-spark-job-supported-version.html)
+ [groundstation-config-tagged](./groundstation-config-tagged.html)
+ [groundstation-dataflowendpointgroup-tagged](./groundstation-dataflowendpointgroup-tagged.html)
+ [groundstation-missionprofile-tagged](./groundstation-missionprofile-tagged.html)
+ [guardduty-ec2-protection-runtime-enabled](./guardduty-ec2-protection-runtime-enabled.html)
+ [guardduty-ecs-protection-runtime-enabled](./guardduty-ecs-protection-runtime-enabled.html)
+ [guardduty-eks-protection-audit-enabled](./guardduty-eks-protection-audit-enabled.html)
+ [guardduty-eks-protection-runtime-enabled](./guardduty-eks-protection-runtime-enabled.html)
+ [guardduty-enabled-centralized](./guardduty-enabled-centralized.html)
+ [guardduty-lambda-protection-enabled](./guardduty-lambda-protection-enabled.html)
+ [guardduty-malware-protection-enabled](./guardduty-malware-protection-enabled.html)
+ [guardduty-non-archived-findings](./guardduty-non-archived-findings.html)
+ [guardduty-rds-protection-enabled](./guardduty-rds-protection-enabled.html)
+ [guardduty-runtime-monitoring-enabled](./guardduty-runtime-monitoring-enabled.html)
+ [guardduty-s3-protection-enabled](./guardduty-s3-protection-enabled.html)
+ [iam-customer-policy-blocked-kms-actions](./iam-customer-policy-blocked-kms-actions.html)
+ [iam-external-access-analyzer-enabled](./iam-external-access-analyzer-enabled.html)
+ [iam-group-has-users-check](./iam-group-has-users-check.html)
+ [iam-inline-policy-blocked-kms-actions](./iam-inline-policy-blocked-kms-actions.html)
+ [iam-no-inline-policy-check](./iam-no-inline-policy-check.html)
+ [iam-password-policy](./iam-password-policy.html)
+ [iam-policy-blacklisted-check](./iam-policy-blacklisted-check.html)
+ [iam-policy-description](./iam-policy-description.html)
+ [iam-policy-in-use](./iam-policy-in-use.html)
+ [iam-policy-no-statements-with-admin-access](./iam-policy-no-statements-with-admin-access.html)
+ [iam-policy-no-statements-with-full-access](./iam-policy-no-statements-with-full-access.html)
+ [iam-role-managed-policy-check](./iam-role-managed-policy-check.html)
+ [iam-root-access-key-check](./iam-root-access-key-check.html)
+ [iam-user-group-membership-check](./iam-user-group-membership-check.html)
+ [iam-user-mfa-enabled](./iam-user-mfa-enabled.html)
+ [iam-user-no-policies-check](./iam-user-no-policies-check.html)
+ [iam-user-unused-credentials-check](./iam-user-unused-credentials-check.html)
+ [imagebuilder-distributionconfiguration-tagged](./imagebuilder-distributionconfiguration-tagged.html)
+ [imagebuilder-imagepipeline-tagged](./imagebuilder-imagepipeline-tagged.html)
+ [imagebuilder-imagerecipe-ebs-volumes-encrypted](./imagebuilder-imagerecipe-ebs-volumes-encrypted.html)
+ [imagebuilder-imagerecipe-tagged](./imagebuilder-imagerecipe-tagged.html)
+ [imagebuilder-infrastructureconfiguration-tagged](./imagebuilder-infrastructureconfiguration-tagged.html)
+ [incoming-ssh-disabled](./incoming-ssh-disabled.html)
+ [inspector-ec2-scan-enabled](./inspector-ec2-scan-enabled.html)
+ [inspector-ecr-scan-enabled](./inspector-ecr-scan-enabled.html)
+ [inspector-lambda-standard-scan-enabled](./inspector-lambda-standard-scan-enabled.html)
+ [instances-in-vpc](./instances-in-vpc.html)
+ [internet-gateway-authorized-vpc-only](./internet-gateway-authorized-vpc-only.html)
+ [iotdevicedefender-custom-metric-tagged](./iotdevicedefender-custom-metric-tagged.html)
+ [iotevents-alarm-model-tagged](./iotevents-alarm-model-tagged.html)
+ [iotevents-detector-model-tagged](./iotevents-detector-model-tagged.html)
+ [iotevents-input-tagged](./iotevents-input-tagged.html)
+ [iotsitewise-asset-model-tagged](./iotsitewise-asset-model-tagged.html)
+ [iotsitewise-dashboard-tagged](./iotsitewise-dashboard-tagged.html)
+ [iotsitewise-gateway-tagged](./iotsitewise-gateway-tagged.html)
+ [iotsitewise-portal-tagged](./iotsitewise-portal-tagged.html)
+ [iotsitewise-project-tagged](./iotsitewise-project-tagged.html)
+ [iottwinmaker-component-type-tagged](./iottwinmaker-component-type-tagged.html)
+ [iottwinmaker-scene-tagged](./iottwinmaker-scene-tagged.html)
+ [iottwinmaker-sync-job-tagged](./iottwinmaker-sync-job-tagged.html)
+ [iottwinmaker-workspace-tagged](./iottwinmaker-workspace-tagged.html)
+ [iot-authorizer-token-signing-enabled](./iot-authorizer-token-signing-enabled.html)
+ [iot-job-template-tagged](./iot-job-template-tagged.html)
+ [iot-provisioning-template-description](./iot-provisioning-template-description.html)
+ [iot-provisioning-template-jitp](./iot-provisioning-template-jitp.html)
+ [iot-provisioning-template-tagged](./iot-provisioning-template-tagged.html)
+ [iot-scheduled-audit-tagged](./iot-scheduled-audit-tagged.html)
+ [ivs-channel-playback-authorization-enabled](./ivs-channel-playback-authorization-enabled.html)
+ [ivs-channel-tagged](./ivs-channel-tagged.html)
+ [ivs-playback-key-pair-tagged](./ivs-playback-key-pair-tagged.html)
+ [ivs-recording-configuration-tagged](./ivs-recording-configuration-tagged.html)
+ [kinesisvideo-signalingchannel-tagged](./kinesisvideo-signalingchannel-tagged.html)
+ [kinesisvideo-stream-tagged](./kinesisvideo-stream-tagged.html)
+ [kinesis-firehose-delivery-stream-encrypted](./kinesis-firehose-delivery-stream-encrypted.html)
+ [kinesis-stream-backup-retention-check](./kinesis-stream-backup-retention-check.html)
+ [kinesis-stream-encrypted](./kinesis-stream-encrypted.html)
+ [kinesis-video-stream-minimum-data-retention](./kinesis-video-stream-minimum-data-retention.html)
+ [kms-cmk-not-scheduled-for-deletion](./kms-cmk-not-scheduled-for-deletion.html)
+ [kms-key-policy-no-public-access](./kms-key-policy-no-public-access.html)
+ [kms-key-tagged](./kms-key-tagged.html)
+ [lambda-concurrency-check](./lambda-concurrency-check.html)
+ [lambda-dlq-check](./lambda-dlq-check.html)
+ [lambda-function-application-log-level-check](./lambda-function-application-log-level-check.html)
+ [lambda-function-description](./lambda-function-description.html)
+ [lambda-function-log-format-json](./lambda-function-log-format-json.html)
+ [lambda-function-public-access-prohibited](./lambda-function-public-access-prohibited.html)
+ [lambda-function-settings-check](./lambda-function-settings-check.html)
+ [lambda-function-system-log-level-check](./lambda-function-system-log-level-check.html)
+ [lambda-function-xray-enabled](./lambda-function-xray-enabled.html)
+ [lambda-inside-vpc](./lambda-inside-vpc.html)
+ [lambda-vpc-multi-az-check](./lambda-vpc-multi-az-check.html)
+ [lightsail-bucket-allow-public-overrides-disabled](./lightsail-bucket-allow-public-overrides-disabled.html)
+ [lightsail-bucket-object-versioning-enabled](./lightsail-bucket-object-versioning-enabled.html)
+ [lightsail-bucket-tagged](./lightsail-bucket-tagged.html)
+ [lightsail-certificate-tagged](./lightsail-certificate-tagged.html)
+ [lightsail-disk-tagged](./lightsail-disk-tagged.html)
+ [macie-auto-sensitive-data-discovery-check](./macie-auto-sensitive-data-discovery-check.html)
+ [macie-status-check](./macie-status-check.html)
+ [mariadb-publish-logs-to-cloudwatch-logs](./mariadb-publish-logs-to-cloudwatch-logs.html)
+ [mediapackage-packagingconfiguration-tagged](./mediapackage-packagingconfiguration-tagged.html)
+ [mediatailor-playbackconfiguration-tagged](./mediatailor-playbackconfiguration-tagged.html)
+ [memorydb-subnetgroup-tagged](./memorydb-subnetgroup-tagged.html)
+ [mfa-enabled-for-iam-console-access](./mfa-enabled-for-iam-console-access.html)
+ [mq-active-broker-ldap-authentication](./mq-active-broker-ldap-authentication.html)
+ [mq-active-deployment-mode](./mq-active-deployment-mode.html)
+ [mq-active-single-instance-broker-storage-type-efs](./mq-active-single-instance-broker-storage-type-efs.html)
+ [mq-automatic-minor-version-upgrade-enabled](./mq-automatic-minor-version-upgrade-enabled.html)
+ [mq-auto-minor-version-upgrade-enabled](./mq-auto-minor-version-upgrade-enabled.html)
+ [mq-broker-general-logging-enabled](./mq-broker-general-logging-enabled.html)
+ [mq-cloudwatch-audit-logging-enabled](./mq-cloudwatch-audit-logging-enabled.html)
+ [mq-cloudwatch-audit-log-enabled](./mq-cloudwatch-audit-log-enabled.html)
+ [mq-no-public-access](./mq-no-public-access.html)
+ [mq-rabbit-deployment-mode](./mq-rabbit-deployment-mode.html)
+ [msk-cluster-public-access-disabled](./msk-cluster-public-access-disabled.html)
+ [msk-cluster-tagged](./msk-cluster-tagged.html)
+ [msk-connect-connector-logging-enabled](./msk-connect-connector-logging-enabled.html)
+ [msk-enhanced-monitoring-enabled](./msk-enhanced-monitoring-enabled.html)
+ [msk-in-cluster-node-require-tls](./msk-in-cluster-node-require-tls.html)
+ [msk-unrestricted-access-check](./msk-unrestricted-access-check.html)
+ [multi-region-cloud-trail-enabled](./multi-region-cloud-trail-enabled.html)
+ [nacl-no-unrestricted-ssh-rdp](./nacl-no-unrestricted-ssh-rdp.html)
+ [neptune-cluster-backup-retention-check](./neptune-cluster-backup-retention-check.html)
+ [neptune-cluster-cloudwatch-log-export-enabled](./neptune-cluster-cloudwatch-log-export-enabled.html)
+ [neptune-cluster-copy-tags-to-snapshot-enabled](./neptune-cluster-copy-tags-to-snapshot-enabled.html)
+ [neptune-cluster-deletion-protection-enabled](./neptune-cluster-deletion-protection-enabled.html)
+ [neptune-cluster-encrypted](./neptune-cluster-encrypted.html)
+ [neptune-cluster-iam-database-authentication](./neptune-cluster-iam-database-authentication.html)
+ [neptune-cluster-multi-az-enabled](./neptune-cluster-multi-az-enabled.html)
+ [neptune-cluster-snapshot-encrypted](./neptune-cluster-snapshot-encrypted.html)
+ [neptune-cluster-snapshot-iam-database-auth-enabled](./neptune-cluster-snapshot-iam-database-auth-enabled.html)
+ [neptune-cluster-snapshot-public-prohibited](./neptune-cluster-snapshot-public-prohibited.html)
+ [netfw-deletion-protection-enabled](./netfw-deletion-protection-enabled.html)
+ [netfw-logging-enabled](./netfw-logging-enabled.html)
+ [netfw-multi-az-enabled](./netfw-multi-az-enabled.html)
+ [netfw-policy-default-action-fragment-packets](./netfw-policy-default-action-fragment-packets.html)
+ [netfw-policy-default-action-full-packets](./netfw-policy-default-action-full-packets.html)
+ [netfw-policy-rule-group-associated](./netfw-policy-rule-group-associated.html)
+ [netfw-stateless-rule-group-not-empty](./netfw-stateless-rule-group-not-empty.html)
+ [netfw-subnet-change-protection-enabled](./netfw-subnet-change-protection-enabled.html)
+ [nlb-cross-zone-load-balancing-enabled](./nlb-cross-zone-load-balancing-enabled.html)
+ [nlb-internal-scheme-check](./nlb-internal-scheme-check.html)
+ [nlb-listener-tagged](./nlb-listener-tagged.html)
+ [nlb-logging-enabled](./nlb-logging-enabled.html)
+ [nlb-tagged](./nlb-tagged.html)
+ [no-unrestricted-route-to-igw](./no-unrestricted-route-to-igw.html)
+ [opensearch-access-control-enabled](./opensearch-access-control-enabled.html)
+ [opensearch-audit-logging-enabled](./opensearch-audit-logging-enabled.html)
+ [opensearch-data-node-fault-tolerance](./opensearch-data-node-fault-tolerance.html)
+ [opensearch-encrypted-at-rest](./opensearch-encrypted-at-rest.html)
+ [opensearch-https-required](./opensearch-https-required.html)
+ [opensearch-in-vpc-only](./opensearch-in-vpc-only.html)
+ [opensearch-logs-to-cloudwatch](./opensearch-logs-to-cloudwatch.html)
+ [opensearch-node-to-node-encryption-check](./opensearch-node-to-node-encryption-check.html)
+ [opensearch-primary-node-fault-tolerance](./opensearch-primary-node-fault-tolerance.html)
+ [opensearch-update-check](./opensearch-update-check.html)
+ [rabbit-mq-supported-version](./rabbit-mq-supported-version.html)
+ [rds-aurora-mysql-audit-logging-enabled](./rds-aurora-mysql-audit-logging-enabled.html)
+ [rds-aurora-postgresql-logs-to-cloudwatch](./rds-aurora-postgresql-logs-to-cloudwatch.html)
+ [rds-automatic-minor-version-upgrade-enabled](./rds-automatic-minor-version-upgrade-enabled.html)
+ [rds-cluster-auto-minor-version-upgrade-enable](./rds-cluster-auto-minor-version-upgrade-enable.html)
+ [rds-cluster-backup-retention-check](./rds-cluster-backup-retention-check.html)
+ [rds-cluster-default-admin-check](./rds-cluster-default-admin-check.html)
+ [rds-cluster-deletion-protection-enabled](./rds-cluster-deletion-protection-enabled.html)
+ [rds-cluster-encrypted-at-rest](./rds-cluster-encrypted-at-rest.html)
+ [rds-cluster-iam-authentication-enabled](./rds-cluster-iam-authentication-enabled.html)
+ [rds-cluster-multi-az-enabled](./rds-cluster-multi-az-enabled.html)
+ [rds-enhanced-monitoring-enabled](./rds-enhanced-monitoring-enabled.html)
+ [rds-event-subscription-tagged](./rds-event-subscription-tagged.html)
+ [rds-global-cluster-aurora-mysql-supported-version](./rds-global-cluster-aurora-mysql-supported-version.html)
+ [rds-instance-default-admin-check](./rds-instance-default-admin-check.html)
+ [rds-instance-deletion-protection-enabled](./rds-instance-deletion-protection-enabled.html)
+ [rds-instance-iam-authentication-enabled](./rds-instance-iam-authentication-enabled.html)
+ [rds-instance-public-access-check](./rds-instance-public-access-check.html)
+ [rds-instance-subnet-igw-check](./rds-instance-subnet-igw-check.html)
+ [rds-in-backup-plan](./rds-in-backup-plan.html)
+ [rds-last-backup-recovery-point-created](./rds-last-backup-recovery-point-created.html)
+ [rds-logging-enabled](./rds-logging-enabled.html)
+ [rds-mariadb-instance-encrypted-in-transit](./rds-mariadb-instance-encrypted-in-transit.html)
+ [rds-meets-restore-time-target](./rds-meets-restore-time-target.html)
+ [rds-multi-az-support](./rds-multi-az-support.html)
+ [rds-mysql-cluster-copy-tags-to-snapshot-check](./rds-mysql-cluster-copy-tags-to-snapshot-check.html)
+ [rds-mysql-instance-encrypted-in-transit](./rds-mysql-instance-encrypted-in-transit.html)
+ [rds-option-group-tagged](./rds-option-group-tagged.html)
+ [rds-pgsql-cluster-copy-tags-to-snapshot-check](./rds-pgsql-cluster-copy-tags-to-snapshot-check.html)
+ [rds-postgresql-logs-to-cloudwatch](./rds-postgresql-logs-to-cloudwatch.html)
+ [rds-postgres-instance-encrypted-in-transit](./rds-postgres-instance-encrypted-in-transit.html)
+ [rds-proxy-tls-encryption](./rds-proxy-tls-encryption.html)
+ [rds-resources-protected-by-backup-plan](./rds-resources-protected-by-backup-plan.html)
+ [rds-snapshots-public-prohibited](./rds-snapshots-public-prohibited.html)
+ [rds-snapshot-encrypted](./rds-snapshot-encrypted.html)
+ [rds-sqlserver-encrypted-in-transit](./rds-sqlserver-encrypted-in-transit.html)
+ [rds-sql-server-logs-to-cloudwatch](./rds-sql-server-logs-to-cloudwatch.html)
+ [rds-storage-encrypted](./rds-storage-encrypted.html)
+ [redshift-audit-logging-enabled](./redshift-audit-logging-enabled.html)
+ [redshift-backup-enabled](./redshift-backup-enabled.html)
+ [redshift-cluster-configuration-check](./redshift-cluster-configuration-check.html)
+ [redshift-cluster-kms-enabled](./redshift-cluster-kms-enabled.html)
+ [redshift-cluster-maintenancesettings-check](./redshift-cluster-maintenancesettings-check.html)
+ [redshift-cluster-multi-az-enabled](./redshift-cluster-multi-az-enabled.html)
+ [redshift-cluster-parameter-group-tagged](./redshift-cluster-parameter-group-tagged.html)
+ [redshift-cluster-public-access-check](./redshift-cluster-public-access-check.html)
+ [redshift-cluster-subnet-group-multi-az](./redshift-cluster-subnet-group-multi-az.html)
+ [redshift-default-admin-check](./redshift-default-admin-check.html)
+ [redshift-default-db-name-check](./redshift-default-db-name-check.html)
+ [redshift-enhanced-vpc-routing-enabled](./redshift-enhanced-vpc-routing-enabled.html)
+ [redshift-require-tls-ssl](./redshift-require-tls-ssl.html)
+ [redshift-serverless-default-admin-check](./redshift-serverless-default-admin-check.html)
+ [redshift-serverless-default-db-name-check](./redshift-serverless-default-db-name-check.html)
+ [redshift-serverless-namespace-cmk-encryption](./redshift-serverless-namespace-cmk-encryption.html)
+ [redshift-serverless-publish-logs-to-cloudwatch](./redshift-serverless-publish-logs-to-cloudwatch.html)
+ [redshift-serverless-workgroup-encrypted-in-transit](./redshift-serverless-workgroup-encrypted-in-transit.html)
+ [redshift-serverless-workgroup-no-public-access](./redshift-serverless-workgroup-no-public-access.html)
+ [redshift-serverless-workgroup-routes-within-vpc](./redshift-serverless-workgroup-routes-within-vpc.html)
+ [redshift-unrestricted-port-access](./redshift-unrestricted-port-access.html)
+ [required-tags](./required-tags.html)
+ [resiliencehub-app-tagged](./resiliencehub-app-tagged.html)
+ [resiliencehub-resiliencypolicy-tagged](./resiliencehub-resiliencypolicy-tagged.html)
+ [restricted-incoming-traffic](./restricted-incoming-traffic.html)
+ [root-account-hardware-mfa-enabled](./root-account-hardware-mfa-enabled.html)
+ [root-account-mfa-enabled](./root-account-mfa-enabled.html)
+ [route53-resolver-firewall-domain-list-tagged](./route53-resolver-firewall-domain-list-tagged.html)
+ [route53-resolver-firewall-rule-group-association-tagged](./route53-resolver-firewall-rule-group-association-tagged.html)
+ [route53-resolver-firewall-rule-group-tagged](./route53-resolver-firewall-rule-group-tagged.html)
+ [route53-resolver-resolver-endpoint-tagged](./route53-resolver-resolver-endpoint-tagged.html)
+ [route53-resolver-resolver-rule-tagged](./route53-resolver-resolver-rule-tagged.html)
+ [rum-app-monitor-cloudwatch-logs-enabled](./rum-app-monitor-cloudwatch-logs-enabled.html)
+ [rum-app-monitor-tagged](./rum-app-monitor-tagged.html)
+ [s3-access-point-in-vpc-only](./s3-access-point-in-vpc-only.html)
+ [s3-access-point-public-access-blocks](./s3-access-point-public-access-blocks.html)
+ [s3-account-level-public-access-blocks](./s3-account-level-public-access-blocks.html)
+ [s3-account-level-public-access-blocks-periodic](./s3-account-level-public-access-blocks-periodic.html)
+ [s3-bucket-acl-prohibited](./s3-bucket-acl-prohibited.html)
+ [s3-bucket-blacklisted-actions-prohibited](./s3-bucket-blacklisted-actions-prohibited.html)
+ [s3-bucket-cross-region-replication-enabled](./s3-bucket-cross-region-replication-enabled.html)
+ [s3-bucket-default-lock-enabled](./s3-bucket-default-lock-enabled.html)
+ [s3-bucket-level-public-access-prohibited](./s3-bucket-level-public-access-prohibited.html)
+ [s3-bucket-logging-enabled](./s3-bucket-logging-enabled.html)
+ [s3-bucket-mfa-delete-enabled](./s3-bucket-mfa-delete-enabled.html)
+ [s3-bucket-policy-grantee-check](./s3-bucket-policy-grantee-check.html)
+ [s3-bucket-policy-not-more-permissive](./s3-bucket-policy-not-more-permissive.html)
+ [s3-bucket-public-read-prohibited](./s3-bucket-public-read-prohibited.html)
+ [s3-bucket-public-write-prohibited](./s3-bucket-public-write-prohibited.html)
+ [s3-bucket-replication-enabled](./s3-bucket-replication-enabled.html)
+ [s3-bucket-server-side-encryption-enabled](./s3-bucket-server-side-encryption-enabled.html)
+ [s3-bucket-ssl-requests-only](./s3-bucket-ssl-requests-only.html)
+ [s3-bucket-tagged](./s3-bucket-tagged.html)
+ [s3-bucket-versioning-enabled](./s3-bucket-versioning-enabled.html)
+ [s3-default-encryption-kms](./s3-default-encryption-kms.html)
+ [s3-event-notifications-enabled](./s3-event-notifications-enabled.html)
+ [s3-last-backup-recovery-point-created](./s3-last-backup-recovery-point-created.html)
+ [s3-lifecycle-policy-check](./s3-lifecycle-policy-check.html)
+ [s3-meets-restore-time-target](./s3-meets-restore-time-target.html)
+ [s3-resources-in-logically-air-gapped-vault](./s3-resources-in-logically-air-gapped-vault.html)
+ [s3-resources-protected-by-backup-plan](./s3-resources-protected-by-backup-plan.html)
+ [s3-version-lifecycle-policy-check](./s3-version-lifecycle-policy-check.html)
+ [sagemaker-app-image-config-tagged](./sagemaker-app-image-config-tagged.html)
+ [sagemaker-data-quality-job-encrypt-in-transit](./sagemaker-data-quality-job-encrypt-in-transit.html)
+ [sagemaker-data-quality-job-isolation](./sagemaker-data-quality-job-isolation.html)
+ [sagemaker-domain-in-vpc](./sagemaker-domain-in-vpc.html)
+ [sagemaker-domain-tagged](./sagemaker-domain-tagged.html)
+ [sagemaker-endpoint-configuration-kms-key-configured](./sagemaker-endpoint-configuration-kms-key-configured.html)
+ [sagemaker-endpoint-config-prod-instance-count](./sagemaker-endpoint-config-prod-instance-count.html)
+ [sagemaker-featuregroup-description](./sagemaker-featuregroup-description.html)
+ [sagemaker-featuregroup-encryption-at-rest](./sagemaker-featuregroup-encryption-at-rest.html)
+ [sagemaker-feature-group-tagged](./sagemaker-feature-group-tagged.html)
+ [sagemaker-image-description](./sagemaker-image-description.html)
+ [sagemaker-image-tagged](./sagemaker-image-tagged.html)
+ [sagemaker-inferenceexperiment-tagged](./sagemaker-inferenceexperiment-tagged.html)
+ [sagemaker-model-bias-job-encrypt-in-transit](./sagemaker-model-bias-job-encrypt-in-transit.html)
+ [sagemaker-model-bias-job-isolation](./sagemaker-model-bias-job-isolation.html)
+ [sagemaker-model-explainability-job-encrypt-in-transit](./sagemaker-model-explainability-job-encrypt-in-transit.html)
+ [sagemaker-model-in-vpc](./sagemaker-model-in-vpc.html)
+ [sagemaker-model-isolation-enabled](./sagemaker-model-isolation-enabled.html)
+ [sagemaker-model-private-registry-required](./sagemaker-model-private-registry-required.html)
+ [sagemaker-model-quality-job-encrypt-in-transit](./sagemaker-model-quality-job-encrypt-in-transit.html)
+ [sagemaker-monitoring-schedule-isolation](./sagemaker-monitoring-schedule-isolation.html)
+ [sagemaker-notebook-instance-inside-vpc](./sagemaker-notebook-instance-inside-vpc.html)
+ [sagemaker-notebook-instance-kms-key-configured](./sagemaker-notebook-instance-kms-key-configured.html)
+ [sagemaker-notebook-instance-platform-version](./sagemaker-notebook-instance-platform-version.html)
+ [sagemaker-notebook-instance-root-access-check](./sagemaker-notebook-instance-root-access-check.html)
+ [sagemaker-notebook-no-direct-internet-access](./sagemaker-notebook-no-direct-internet-access.html)
+ [secretsmanager-rotation-enabled-check](./secretsmanager-rotation-enabled-check.html)
+ [secretsmanager-scheduled-rotation-success-check](./secretsmanager-scheduled-rotation-success-check.html)
+ [secretsmanager-secret-periodic-rotation](./secretsmanager-secret-periodic-rotation.html)
+ [secretsmanager-secret-unused](./secretsmanager-secret-unused.html)
+ [secretsmanager-using-cmk](./secretsmanager-using-cmk.html)
+ [securityhub-enabled](./securityhub-enabled.html)
+ [security-account-information-provided](./security-account-information-provided.html)
+ [service-catalog-portfolio-tagged](./service-catalog-portfolio-tagged.html)
+ [service-catalog-shared-within-organization](./service-catalog-shared-within-organization.html)
+ [service-vpc-endpoint-enabled](./service-vpc-endpoint-enabled.html)
+ [ses-sending-tls-required](./ses-sending-tls-required.html)
+ [signer-signingprofile-tagged](./signer-signingprofile-tagged.html)
+ [sns-encrypted-kms](./sns-encrypted-kms.html)
+ [sns-topic-message-delivery-notification-enabled](./sns-topic-message-delivery-notification-enabled.html)
+ [sns-topic-no-public-access](./sns-topic-no-public-access.html)
+ [sqs-queue-dlq-check](./sqs-queue-dlq-check.html)
+ [sqs-queue-no-public-access](./sqs-queue-no-public-access.html)
+ [sqs-queue-policy-full-access-check](./sqs-queue-policy-full-access-check.html)
+ [ssm-automation-block-public-sharing](./ssm-automation-block-public-sharing.html)
+ [ssm-automation-logging-enabled](./ssm-automation-logging-enabled.html)
+ [ssm-document-not-public](./ssm-document-not-public.html)
+ [ssm-document-tagged](./ssm-document-tagged.html)
+ [stepfunctions-state-machine-tagged](./stepfunctions-state-machine-tagged.html)
+ [step-functions-state-machine-logging-enabled](./step-functions-state-machine-logging-enabled.html)
+ [storagegateway-last-backup-recovery-point-created](./storagegateway-last-backup-recovery-point-created.html)
+ [storagegateway-resources-in-logically-air-gapped-vault](./storagegateway-resources-in-logically-air-gapped-vault.html)
+ [storagegateway-resources-protected-by-backup-plan](./storagegateway-resources-protected-by-backup-plan.html)
+ [subnet-auto-assign-public-ip-disabled](./subnet-auto-assign-public-ip-disabled.html)
+ [transfer-agreement-description](./transfer-agreement-description.html)
+ [transfer-agreement-tagged](./transfer-agreement-tagged.html)
+ [transfer-certificate-description](./transfer-certificate-description.html)
+ [transfer-certificate-tagged](./transfer-certificate-tagged.html)
+ [transfer-connector-as2-encryption-algorithm-check](./transfer-connector-as2-encryption-algorithm-check.html)
+ [transfer-connector-as2-mdn-signing-algorithm-check](./transfer-connector-as2-mdn-signing-algorithm-check.html)
+ [transfer-connector-as2-signing-algorithm-check](./transfer-connector-as2-signing-algorithm-check.html)
+ [transfer-connector-logging-enabled](./transfer-connector-logging-enabled.html)
+ [transfer-connector-tagged](./transfer-connector-tagged.html)
+ [transfer-family-server-no-ftp](./transfer-family-server-no-ftp.html)
+ [transfer-profile-tagged](./transfer-profile-tagged.html)
+ [transfer-workflow-description](./transfer-workflow-description.html)
+ [transfer-workflow-tagged](./transfer-workflow-tagged.html)
+ [virtualmachine-last-backup-recovery-point-created](./virtualmachine-last-backup-recovery-point-created.html)
+ [virtualmachine-resources-in-logically-air-gapped-vault](./virtualmachine-resources-in-logically-air-gapped-vault.html)
+ [virtualmachine-resources-protected-by-backup-plan](./virtualmachine-resources-protected-by-backup-plan.html)
+ [vpc-default-security-group-closed](./vpc-default-security-group-closed.html)
+ [vpc-endpoint-enabled](./vpc-endpoint-enabled.html)
+ [vpc-flow-logs-enabled](./vpc-flow-logs-enabled.html)
+ [vpc-network-acl-unused-check](./vpc-network-acl-unused-check.html)
+ [vpc-peering-dns-resolution-check](./vpc-peering-dns-resolution-check.html)
+ [vpc-sg-open-only-to-authorized-ports](./vpc-sg-open-only-to-authorized-ports.html)
+ [vpc-sg-port-restriction-check](./vpc-sg-port-restriction-check.html)
+ [vpc-vpn-2-tunnels-up](./vpc-vpn-2-tunnels-up.html)
+ [wafv2-logging-enabled](./wafv2-logging-enabled.html)
+ [wafv2-rulegroup-logging-enabled](./wafv2-rulegroup-logging-enabled.html)
+ [wafv2-rulegroup-not-empty](./wafv2-rulegroup-not-empty.html)
+ [wafv2-webacl-not-empty](./wafv2-webacl-not-empty.html)
+ [waf-global-rulegroup-not-empty](./waf-global-rulegroup-not-empty.html)
+ [waf-global-rule-not-empty](./waf-global-rule-not-empty.html)
+ [waf-regional-rulegroup-not-empty](./waf-regional-rulegroup-not-empty.html)
+ [waf-regional-rule-not-empty](./waf-regional-rule-not-empty.html)
+ [waf-regional-webacl-not-empty](./waf-regional-webacl-not-empty.html)
+ [workspaces-connection-alias-tagged](./workspaces-connection-alias-tagged.html)
+ [workspaces-root-volume-encryption-enabled](./workspaces-root-volume-encryption-enabled.html)
+ [workspaces-user-volume-encryption-enabled](./workspaces-user-volume-encryption-enabled.html)
+ [workspaces-workspace-tagged](./workspaces-workspace-tagged.html)

## Asia Pacific (Singapore) Region
<a name="asia-pacific-singapore-section-head"></a>

### Asia Pacific (Singapore)
<a name="asia-pacific-singapore"></a>
+ [access-keys-rotated](./access-keys-rotated.html)
+ [account-part-of-organizations](./account-part-of-organizations.html)
+ [acmpca-certificate-authority-tagged](./acmpca-certificate-authority-tagged.html)
+ [acm-certificate-expiration-check](./acm-certificate-expiration-check.html)
+ [acm-certificate-rsa-check](./acm-certificate-rsa-check.html)
+ [acm-certificate-transparent-logging-enabled](./acm-certificate-transparent-logging-enabled.html)
+ [acm-pca-root-ca-disabled](./acm-pca-root-ca-disabled.html)
+ [active-mq-supported-version](./active-mq-supported-version.html)
+ [alb-desync-mode-check](./alb-desync-mode-check.html)
+ [alb-http-drop-invalid-header-enabled](./alb-http-drop-invalid-header-enabled.html)
+ [alb-http-to-https-redirection-check](./alb-http-to-https-redirection-check.html)
+ [alb-internal-scheme-check](./alb-internal-scheme-check.html)
+ [alb-listener-tagged](./alb-listener-tagged.html)
+ [alb-tagged](./alb-tagged.html)
+ [alb-waf-enabled](./alb-waf-enabled.html)
+ [amplify-app-branch-auto-deletion-enabled](./amplify-app-branch-auto-deletion-enabled.html)
+ [amplify-app-build-spec-configured](./amplify-app-build-spec-configured.html)
+ [amplify-app-description](./amplify-app-description.html)
+ [amplify-app-no-environment-variables](./amplify-app-no-environment-variables.html)
+ [amplify-app-platform-check](./amplify-app-platform-check.html)
+ [amplify-app-tagged](./amplify-app-tagged.html)
+ [amplify-branch-auto-build-enabled](./amplify-branch-auto-build-enabled.html)
+ [amplify-branch-build-spec-configured](./amplify-branch-build-spec-configured.html)
+ [amplify-branch-description](./amplify-branch-description.html)
+ [amplify-branch-framework-configured](./amplify-branch-framework-configured.html)
+ [amplify-branch-performance-mode-enabled](./amplify-branch-performance-mode-enabled.html)
+ [amplify-branch-pull-request-preview-enabled](./amplify-branch-pull-request-preview-enabled.html)
+ [amplify-branch-tagged](./amplify-branch-tagged.html)
+ [apigatewayv2-integration-private-https-enabled](./apigatewayv2-integration-private-https-enabled.html)
+ [apigatewayv2-stage-description](./apigatewayv2-stage-description.html)
+ [apigateway-domain-name-tls-check](./apigateway-domain-name-tls-check.html)
+ [apigateway-stage-access-logs-enabled](./apigateway-stage-access-logs-enabled.html)
+ [apigateway-stage-description](./apigateway-stage-description.html)
+ [api-gwv2-access-logs-enabled](./api-gwv2-access-logs-enabled.html)
+ [api-gwv2-authorization-type-configured](./api-gwv2-authorization-type-configured.html)
+ [api-gwv2-stage-default-route-detailed-metrics-enabled](./api-gwv2-stage-default-route-detailed-metrics-enabled.html)
+ [api-gw-associated-with-waf](./api-gw-associated-with-waf.html)
+ [api-gw-cache-enabled-and-encrypted](./api-gw-cache-enabled-and-encrypted.html)
+ [api-gw-endpoint-type-check](./api-gw-endpoint-type-check.html)
+ [api-gw-execution-logging-enabled](./api-gw-execution-logging-enabled.html)
+ [api-gw-rest-api-tagged](./api-gw-rest-api-tagged.html)
+ [api-gw-ssl-enabled](./api-gw-ssl-enabled.html)
+ [api-gw-stage-tagged](./api-gw-stage-tagged.html)
+ [api-gw-xray-enabled](./api-gw-xray-enabled.html)
+ [appconfig-application-description](./appconfig-application-description.html)
+ [appconfig-application-tagged](./appconfig-application-tagged.html)
+ [appconfig-configuration-profile-tagged](./appconfig-configuration-profile-tagged.html)
+ [appconfig-configuration-profile-validators-not-empty](./appconfig-configuration-profile-validators-not-empty.html)
+ [appconfig-deployment-strategy-description](./appconfig-deployment-strategy-description.html)
+ [appconfig-deployment-strategy-minimum-final-bake-time](./appconfig-deployment-strategy-minimum-final-bake-time.html)
+ [appconfig-deployment-strategy-replicate-to-ssm](./appconfig-deployment-strategy-replicate-to-ssm.html)
+ [appconfig-deployment-strategy-tagged](./appconfig-deployment-strategy-tagged.html)
+ [appconfig-environment-description](./appconfig-environment-description.html)
+ [appconfig-environment-tagged](./appconfig-environment-tagged.html)
+ [appconfig-extension-association-tagged](./appconfig-extension-association-tagged.html)
+ [appconfig-freeform-profile-config-storage](./appconfig-freeform-profile-config-storage.html)
+ [appconfig-hosted-configuration-version-description](./appconfig-hosted-configuration-version-description.html)
+ [appflow-flow-tagged](./appflow-flow-tagged.html)
+ [appflow-flow-trigger-type-check](./appflow-flow-trigger-type-check.html)
+ [appintegrations-application-approved-origins-check](./appintegrations-application-approved-origins-check.html)
+ [appintegrations-application-tagged](./appintegrations-application-tagged.html)
+ [appintegrations-event-integration-description](./appintegrations-event-integration-description.html)
+ [appintegrations-event-integration-tagged](./appintegrations-event-integration-tagged.html)
+ [appmesh-gateway-route-tagged](./appmesh-gateway-route-tagged.html)
+ [appmesh-mesh-deny-tcp-forwarding](./appmesh-mesh-deny-tcp-forwarding.html)
+ [appmesh-mesh-ip-pref-check](./appmesh-mesh-ip-pref-check.html)
+ [appmesh-mesh-tagged](./appmesh-mesh-tagged.html)
+ [appmesh-route-tagged](./appmesh-route-tagged.html)
+ [appmesh-virtual-gateway-backend-defaults-tls](./appmesh-virtual-gateway-backend-defaults-tls.html)
+ [appmesh-virtual-gateway-listeners-health-check-enabled](./appmesh-virtual-gateway-listeners-health-check-enabled.html)
+ [appmesh-virtual-gateway-logging-file-path-exists](./appmesh-virtual-gateway-logging-file-path-exists.html)
+ [appmesh-virtual-gateway-tagged](./appmesh-virtual-gateway-tagged.html)
+ [appmesh-virtual-node-backend-defaults-tls-on](./appmesh-virtual-node-backend-defaults-tls-on.html)
+ [appmesh-virtual-node-cloud-map-ip-pref-check](./appmesh-virtual-node-cloud-map-ip-pref-check.html)
+ [appmesh-virtual-node-dns-ip-pref-check](./appmesh-virtual-node-dns-ip-pref-check.html)
+ [appmesh-virtual-node-listeners-health-check-enabled](./appmesh-virtual-node-listeners-health-check-enabled.html)
+ [appmesh-virtual-node-listeners-outlier-detect-enabled](./appmesh-virtual-node-listeners-outlier-detect-enabled.html)
+ [appmesh-virtual-node-logging-file-path-exists](./appmesh-virtual-node-logging-file-path-exists.html)
+ [appmesh-virtual-node-service-backends-tls-enforced](./appmesh-virtual-node-service-backends-tls-enforced.html)
+ [appmesh-virtual-node-tagged](./appmesh-virtual-node-tagged.html)
+ [appmesh-virtual-router-tagged](./appmesh-virtual-router-tagged.html)
+ [appmesh-virtual-service-tagged](./appmesh-virtual-service-tagged.html)
+ [approved-amis-by-id](./approved-amis-by-id.html)
+ [approved-amis-by-tag](./approved-amis-by-tag.html)
+ [apprunner-service-in-vpc](./apprunner-service-in-vpc.html)
+ [apprunner-service-ip-address-type-check](./apprunner-service-ip-address-type-check.html)
+ [apprunner-service-max-unhealthy-threshold](./apprunner-service-max-unhealthy-threshold.html)
+ [apprunner-service-no-public-access](./apprunner-service-no-public-access.html)
+ [apprunner-service-observability-enabled](./apprunner-service-observability-enabled.html)
+ [apprunner-service-tagged](./apprunner-service-tagged.html)
+ [apprunner-vpc-connector-tagged](./apprunner-vpc-connector-tagged.html)
+ [appstream-fleet-in-vpc](./appstream-fleet-in-vpc.html)
+ [appsync-associated-with-waf](./appsync-associated-with-waf.html)
+ [appsync-authorization-check](./appsync-authorization-check.html)
+ [appsync-cache-encryption-at-rest](./appsync-cache-encryption-at-rest.html)
+ [appsync-graphql-api-xray-enabled](./appsync-graphql-api-xray-enabled.html)
+ [appsync-logging-enabled](./appsync-logging-enabled.html)
+ [aps-rule-groups-namespace-tagged](./aps-rule-groups-namespace-tagged.html)
+ [athena-data-catalog-description](./athena-data-catalog-description.html)
+ [athena-prepared-statement-description](./athena-prepared-statement-description.html)
+ [athena-workgroup-description](./athena-workgroup-description.html)
+ [athena-workgroup-encrypted-at-rest](./athena-workgroup-encrypted-at-rest.html)
+ [athena-workgroup-enforce-workgroup-configuration](./athena-workgroup-enforce-workgroup-configuration.html)
+ [athena-workgroup-engine-version-auto-upgrade](./athena-workgroup-engine-version-auto-upgrade.html)
+ [athena-workgroup-logging-enabled](./athena-workgroup-logging-enabled.html)
+ [auditmanager-assessment-tagged](./auditmanager-assessment-tagged.html)
+ [aurora-global-database-encryption-at-rest](./aurora-global-database-encryption-at-rest.html)
+ [aurora-last-backup-recovery-point-created](./aurora-last-backup-recovery-point-created.html)
+ [aurora-meets-restore-time-target](./aurora-meets-restore-time-target.html)
+ [aurora-mysql-backtracking-enabled](./aurora-mysql-backtracking-enabled.html)
+ [aurora-mysql-cluster-audit-logging](./aurora-mysql-cluster-audit-logging.html)
+ [aurora-resources-in-logically-air-gapped-vault](./aurora-resources-in-logically-air-gapped-vault.html)
+ [aurora-resources-protected-by-backup-plan](./aurora-resources-protected-by-backup-plan.html)
+ [autoscaling-capacity-rebalancing](./autoscaling-capacity-rebalancing.html)
+ [autoscaling-group-elb-healthcheck-required](./autoscaling-group-elb-healthcheck-required.html)
+ [autoscaling-launchconfig-requires-imdsv2](./autoscaling-launchconfig-requires-imdsv2.html)
+ [autoscaling-launch-config-hop-limit](./autoscaling-launch-config-hop-limit.html)
+ [autoscaling-launch-config-public-ip-disabled](./autoscaling-launch-config-public-ip-disabled.html)
+ [autoscaling-launch-template](./autoscaling-launch-template.html)
+ [autoscaling-multiple-az](./autoscaling-multiple-az.html)
+ [autoscaling-multiple-instance-types](./autoscaling-multiple-instance-types.html)
+ [backup-plan-min-frequency-and-min-retention-check](./backup-plan-min-frequency-and-min-retention-check.html)
+ [backup-recovery-point-encrypted](./backup-recovery-point-encrypted.html)
+ [backup-recovery-point-manual-deletion-disabled](./backup-recovery-point-manual-deletion-disabled.html)
+ [backup-recovery-point-minimum-retention-check](./backup-recovery-point-minimum-retention-check.html)
+ [batch-compute-environment-enabled](./batch-compute-environment-enabled.html)
+ [batch-compute-environment-managed](./batch-compute-environment-managed.html)
+ [batch-compute-environment-tagged](./batch-compute-environment-tagged.html)
+ [batch-job-queue-enabled](./batch-job-queue-enabled.html)
+ [batch-job-queue-tagged](./batch-job-queue-tagged.html)
+ [batch-managed-compute-environment-using-launch-template](./batch-managed-compute-environment-using-launch-template.html)
+ [batch-managed-compute-env-allocation-strategy-check](./batch-managed-compute-env-allocation-strategy-check.html)
+ [batch-managed-compute-env-compute-resources-tagged](./batch-managed-compute-env-compute-resources-tagged.html)
+ [batch-managed-spot-compute-environment-max-bid](./batch-managed-spot-compute-environment-max-bid.html)
+ [batch-scheduling-policy-tagged](./batch-scheduling-policy-tagged.html)
+ [beanstalk-enhanced-health-reporting-enabled](./beanstalk-enhanced-health-reporting-enabled.html)
+ [cassandra-keyspace-tagged](./cassandra-keyspace-tagged.html)
+ [clb-desync-mode-check](./clb-desync-mode-check.html)
+ [clb-multiple-az](./clb-multiple-az.html)
+ [cloudformation-stack-drift-detection-check](./cloudformation-stack-drift-detection-check.html)
+ [cloudformation-stack-notification-check](./cloudformation-stack-notification-check.html)
+ [cloudformation-stack-service-role-check](./cloudformation-stack-service-role-check.html)
+ [cloudformation-termination-protection-check](./cloudformation-termination-protection-check.html)
+ [cloudtrail-all-read-s3-data-event-check](./cloudtrail-all-read-s3-data-event-check.html)
+ [cloudtrail-all-write-s3-data-event-check](./cloudtrail-all-write-s3-data-event-check.html)
+ [cloudtrail-event-data-store-multi-region](./cloudtrail-event-data-store-multi-region.html)
+ [cloudtrail-s3-bucket-access-logging](./cloudtrail-s3-bucket-access-logging.html)
+ [cloudtrail-s3-bucket-public-access-prohibited](./cloudtrail-s3-bucket-public-access-prohibited.html)
+ [cloudtrail-s3-dataevents-enabled](./cloudtrail-s3-dataevents-enabled.html)
+ [cloudtrail-security-trail-enabled](./cloudtrail-security-trail-enabled.html)
+ [cloudwatch-alarm-action-check](./cloudwatch-alarm-action-check.html)
+ [cloudwatch-alarm-action-enabled-check](./cloudwatch-alarm-action-enabled-check.html)
+ [cloudwatch-alarm-description](./cloudwatch-alarm-description.html)
+ [cloudwatch-alarm-resource-check](./cloudwatch-alarm-resource-check.html)
+ [cloudwatch-alarm-settings-check](./cloudwatch-alarm-settings-check.html)
+ [cloudwatch-log-group-encrypted](./cloudwatch-log-group-encrypted.html)
+ [cloudwatch-metric-stream-tagged](./cloudwatch-metric-stream-tagged.html)
+ [cloud-trail-cloud-watch-logs-enabled](./cloud-trail-cloud-watch-logs-enabled.html)
+ [cloud-trail-enabled](./cloud-trail-enabled.html)
+ [cloud-trail-encryption-enabled](./cloud-trail-encryption-enabled.html)
+ [cloud-trail-log-file-validation-enabled](./cloud-trail-log-file-validation-enabled.html)
+ [cmk-backing-key-rotation-enabled](./cmk-backing-key-rotation-enabled.html)
+ [codeartifact-repository-tagged](./codeartifact-repository-tagged.html)
+ [codebuild-project-artifact-encryption](./codebuild-project-artifact-encryption.html)
+ [codebuild-project-environment-privileged-check](./codebuild-project-environment-privileged-check.html)
+ [codebuild-project-envvar-awscred-check](./codebuild-project-envvar-awscred-check.html)
+ [codebuild-project-logging-enabled](./codebuild-project-logging-enabled.html)
+ [codebuild-project-s3-logs-encrypted](./codebuild-project-s3-logs-encrypted.html)
+ [codebuild-project-source-repo-url-check](./codebuild-project-source-repo-url-check.html)
+ [codebuild-project-tagged](./codebuild-project-tagged.html)
+ [codebuild-report-group-encrypted-at-rest](./codebuild-report-group-encrypted-at-rest.html)
+ [codebuild-report-group-tagged](./codebuild-report-group-tagged.html)
+ [codedeploy-auto-rollback-monitor-enabled](./codedeploy-auto-rollback-monitor-enabled.html)
+ [codedeploy-deployment-group-auto-rollback-enabled](./codedeploy-deployment-group-auto-rollback-enabled.html)
+ [codedeploy-deployment-group-outdated-instances-update](./codedeploy-deployment-group-outdated-instances-update.html)
+ [codedeploy-ec2-minimum-healthy-hosts-configured](./codedeploy-ec2-minimum-healthy-hosts-configured.html)
+ [codedeploy-lambda-allatonce-traffic-shift-disabled](./codedeploy-lambda-allatonce-traffic-shift-disabled.html)
+ [codeguruprofiler-profiling-group-tagged](./codeguruprofiler-profiling-group-tagged.html)
+ [codegurureviewer-repository-association-tagged](./codegurureviewer-repository-association-tagged.html)
+ [codepipeline-deployment-count-check](./codepipeline-deployment-count-check.html)
+ [codepipeline-region-fanout-check](./codepipeline-region-fanout-check.html)
+ [cognito-identity-pool-unauthenticated-logins](./cognito-identity-pool-unauthenticated-logins.html)
+ [cognito-identity-pool-unauth-access-check](./cognito-identity-pool-unauth-access-check.html)
+ [cognito-userpool-cust-auth-threat-full-check](./cognito-userpool-cust-auth-threat-full-check.html)
+ [cognito-user-pool-advanced-security-enabled](./cognito-user-pool-advanced-security-enabled.html)
+ [cognito-user-pool-deletion-protection-enabled](./cognito-user-pool-deletion-protection-enabled.html)
+ [cognito-user-pool-mfa-enabled](./cognito-user-pool-mfa-enabled.html)
+ [cognito-user-pool-password-policy-check](./cognito-user-pool-password-policy-check.html)
+ [cognito-user-pool-tagged](./cognito-user-pool-tagged.html)
+ [connect-instance-logging-enabled](./connect-instance-logging-enabled.html)
+ [customerprofiles-domain-tagged](./customerprofiles-domain-tagged.html)
+ [customerprofiles-object-type-allow-profile-creation](./customerprofiles-object-type-allow-profile-creation.html)
+ [customerprofiles-object-type-tagged](./customerprofiles-object-type-tagged.html)
+ [custom-eventbus-policy-attached](./custom-eventbus-policy-attached.html)
+ [custom-schema-registry-policy-attached](./custom-schema-registry-policy-attached.html)
+ [cw-loggroup-retention-period-check](./cw-loggroup-retention-period-check.html)
+ [datasync-location-object-storage-using-https](./datasync-location-object-storage-using-https.html)
+ [datasync-task-data-verification-enabled](./datasync-task-data-verification-enabled.html)
+ [datasync-task-logging-enabled](./datasync-task-logging-enabled.html)
+ [datasync-task-tagged](./datasync-task-tagged.html)
+ [dax-encryption-enabled](./dax-encryption-enabled.html)
+ [dax-tls-endpoint-encryption](./dax-tls-endpoint-encryption.html)
+ [db-instance-backup-enabled](./db-instance-backup-enabled.html)
+ [desired-instance-tenancy](./desired-instance-tenancy.html)
+ [desired-instance-type](./desired-instance-type.html)
+ [dms-auto-minor-version-upgrade-check](./dms-auto-minor-version-upgrade-check.html)
+ [dms-endpoint-ssl-configured](./dms-endpoint-ssl-configured.html)
+ [dms-endpoint-tagged](./dms-endpoint-tagged.html)
+ [dms-mongo-db-authentication-enabled](./dms-mongo-db-authentication-enabled.html)
+ [dms-neptune-iam-authorization-enabled](./dms-neptune-iam-authorization-enabled.html)
+ [dms-redis-tls-enabled](./dms-redis-tls-enabled.html)
+ [dms-replication-instance-multi-az-enabled](./dms-replication-instance-multi-az-enabled.html)
+ [dms-replication-not-public](./dms-replication-not-public.html)
+ [dms-replication-task-sourcedb-logging](./dms-replication-task-sourcedb-logging.html)
+ [dms-replication-task-tagged](./dms-replication-task-tagged.html)
+ [dms-replication-task-targetdb-logging](./dms-replication-task-targetdb-logging.html)
+ [docdb-cluster-audit-logging-enabled](./docdb-cluster-audit-logging-enabled.html)
+ [docdb-cluster-backup-retention-check](./docdb-cluster-backup-retention-check.html)
+ [docdb-cluster-deletion-protection-enabled](./docdb-cluster-deletion-protection-enabled.html)
+ [docdb-cluster-encrypted](./docdb-cluster-encrypted.html)
+ [docdb-cluster-encrypted-in-transit](./docdb-cluster-encrypted-in-transit.html)
+ [docdb-cluster-snapshot-public-prohibited](./docdb-cluster-snapshot-public-prohibited.html)
+ [dynamodb-autoscaling-enabled](./dynamodb-autoscaling-enabled.html)
+ [dynamodb-in-backup-plan](./dynamodb-in-backup-plan.html)
+ [dynamodb-last-backup-recovery-point-created](./dynamodb-last-backup-recovery-point-created.html)
+ [dynamodb-meets-restore-time-target](./dynamodb-meets-restore-time-target.html)
+ [dynamodb-pitr-enabled](./dynamodb-pitr-enabled.html)
+ [dynamodb-resources-protected-by-backup-plan](./dynamodb-resources-protected-by-backup-plan.html)
+ [dynamodb-table-deletion-protection-enabled](./dynamodb-table-deletion-protection-enabled.html)
+ [dynamodb-table-encrypted-kms](./dynamodb-table-encrypted-kms.html)
+ [dynamodb-table-encryption-enabled](./dynamodb-table-encryption-enabled.html)
+ [dynamodb-throughput-limit-check](./dynamodb-throughput-limit-check.html)
+ [ebs-in-backup-plan](./ebs-in-backup-plan.html)
+ [ebs-last-backup-recovery-point-created](./ebs-last-backup-recovery-point-created.html)
+ [ebs-meets-restore-time-target](./ebs-meets-restore-time-target.html)
+ [ebs-optimized-instance](./ebs-optimized-instance.html)
+ [ebs-resources-in-logically-air-gapped-vault](./ebs-resources-in-logically-air-gapped-vault.html)
+ [ebs-resources-protected-by-backup-plan](./ebs-resources-protected-by-backup-plan.html)
+ [ebs-snapshot-block-public-access](./ebs-snapshot-block-public-access.html)
+ [ebs-snapshot-public-restorable-check](./ebs-snapshot-public-restorable-check.html)
+ [ec2-capacity-reservation-tagged](./ec2-capacity-reservation-tagged.html)
+ [ec2-client-vpn-connection-log-enabled](./ec2-client-vpn-connection-log-enabled.html)
+ [ec2-client-vpn-endpoint-tagged](./ec2-client-vpn-endpoint-tagged.html)
+ [ec2-client-vpn-not-authorize-all](./ec2-client-vpn-not-authorize-all.html)
+ [ec2-dhcp-options-tagged](./ec2-dhcp-options-tagged.html)
+ [ec2-ebs-encryption-by-default](./ec2-ebs-encryption-by-default.html)
+ [ec2-enis-source-destination-check-enabled](./ec2-enis-source-destination-check-enabled.html)
+ [ec2-fleet-tagged](./ec2-fleet-tagged.html)
+ [ec2-imdsv2-check](./ec2-imdsv2-check.html)
+ [ec2-instance-detailed-monitoring-enabled](./ec2-instance-detailed-monitoring-enabled.html)
+ [ec2-instance-launched-with-allowed-ami](./ec2-instance-launched-with-allowed-ami.html)
+ [ec2-instance-managed-by-ssm](./ec2-instance-managed-by-ssm.html)
+ [ec2-instance-multiple-eni-check](./ec2-instance-multiple-eni-check.html)
+ [ec2-instance-no-public-ip](./ec2-instance-no-public-ip.html)
+ [ec2-instance-profile-attached](./ec2-instance-profile-attached.html)
+ [ec2-ipamscope-tagged](./ec2-ipamscope-tagged.html)
+ [ec2-last-backup-recovery-point-created](./ec2-last-backup-recovery-point-created.html)
+ [ec2-launchtemplate-ebs-encrypted](./ec2-launchtemplate-ebs-encrypted.html)
+ [ec2-launch-templates-ebs-volume-encrypted](./ec2-launch-templates-ebs-volume-encrypted.html)
+ [ec2-launch-template-imdsv2-check](./ec2-launch-template-imdsv2-check.html)
+ [ec2-launch-template-public-ip-disabled](./ec2-launch-template-public-ip-disabled.html)
+ [ec2-launch-template-tagged](./ec2-launch-template-tagged.html)
+ [ec2-managedinstance-applications-blacklisted](./ec2-managedinstance-applications-blacklisted.html)
+ [ec2-managedinstance-applications-required](./ec2-managedinstance-applications-required.html)
+ [ec2-managedinstance-association-compliance-status-check](./ec2-managedinstance-association-compliance-status-check.html)
+ [ec2-managedinstance-inventory-blacklisted](./ec2-managedinstance-inventory-blacklisted.html)
+ [ec2-managedinstance-patch-compliance-status-check](./ec2-managedinstance-patch-compliance-status-check.html)
+ [ec2-managedinstance-platform-check](./ec2-managedinstance-platform-check.html)
+ [ec2-meets-restore-time-target](./ec2-meets-restore-time-target.html)
+ [ec2-network-insights-access-scope-analysis-tagged](./ec2-network-insights-access-scope-analysis-tagged.html)
+ [ec2-network-insights-access-scope-tagged](./ec2-network-insights-access-scope-tagged.html)
+ [ec2-network-insights-analysis-tagged](./ec2-network-insights-analysis-tagged.html)
+ [ec2-network-insights-path-tagged](./ec2-network-insights-path-tagged.html)
+ [ec2-no-amazon-key-pair](./ec2-no-amazon-key-pair.html)
+ [ec2-paravirtual-instance-check](./ec2-paravirtual-instance-check.html)
+ [ec2-prefix-list-tagged](./ec2-prefix-list-tagged.html)
+ [ec2-resources-in-logically-air-gapped-vault](./ec2-resources-in-logically-air-gapped-vault.html)
+ [ec2-resources-protected-by-backup-plan](./ec2-resources-protected-by-backup-plan.html)
+ [ec2-security-group-attached-to-eni](./ec2-security-group-attached-to-eni.html)
+ [ec2-security-group-attached-to-eni-periodic](./ec2-security-group-attached-to-eni-periodic.html)
+ [ec2-spot-fleet-request-ct-encryption-at-rest](./ec2-spot-fleet-request-ct-encryption-at-rest.html)
+ [ec2-stopped-instance](./ec2-stopped-instance.html)
+ [ec2-token-hop-limit-check](./ec2-token-hop-limit-check.html)
+ [ec2-traffic-mirror-filter-description](./ec2-traffic-mirror-filter-description.html)
+ [ec2-traffic-mirror-filter-tagged](./ec2-traffic-mirror-filter-tagged.html)
+ [ec2-traffic-mirror-session-description](./ec2-traffic-mirror-session-description.html)
+ [ec2-traffic-mirror-session-tagged](./ec2-traffic-mirror-session-tagged.html)
+ [ec2-traffic-mirror-target-description](./ec2-traffic-mirror-target-description.html)
+ [ec2-traffic-mirror-target-tagged](./ec2-traffic-mirror-target-tagged.html)
+ [ec2-transit-gateway-auto-vpc-attach-disabled](./ec2-transit-gateway-auto-vpc-attach-disabled.html)
+ [ec2-transit-gateway-multicast-domain-tagged](./ec2-transit-gateway-multicast-domain-tagged.html)
+ [ec2-volume-inuse-check](./ec2-volume-inuse-check.html)
+ [ec2-vpn-connection-ike-version-check](./ec2-vpn-connection-ike-version-check.html)
+ [ec2-vpn-connection-logging-enabled](./ec2-vpn-connection-logging-enabled.html)
+ [ec2-vpn-connection-tagged](./ec2-vpn-connection-tagged.html)
+ [ecr-private-image-scanning-enabled](./ecr-private-image-scanning-enabled.html)
+ [ecr-private-lifecycle-policy-configured](./ecr-private-lifecycle-policy-configured.html)
+ [ecr-private-tag-immutability-enabled](./ecr-private-tag-immutability-enabled.html)
+ [ecr-repository-cmk-encryption-enabled](./ecr-repository-cmk-encryption-enabled.html)
+ [ecr-repository-tagged](./ecr-repository-tagged.html)
+ [ecs-awsvpc-networking-enabled](./ecs-awsvpc-networking-enabled.html)
+ [ecs-capacity-provider-tagged](./ecs-capacity-provider-tagged.html)
+ [ecs-capacity-provider-termination-check](./ecs-capacity-provider-termination-check.html)
+ [ecs-containers-nonprivileged](./ecs-containers-nonprivileged.html)
+ [ecs-containers-readonly-access](./ecs-containers-readonly-access.html)
+ [ecs-container-insights-enabled](./ecs-container-insights-enabled.html)
+ [ecs-fargate-latest-platform-version](./ecs-fargate-latest-platform-version.html)
+ [ecs-no-environment-secrets](./ecs-no-environment-secrets.html)
+ [ecs-service-propagate-tags-enabled](./ecs-service-propagate-tags-enabled.html)
+ [ecs-task-definition-efs-encryption-enabled](./ecs-task-definition-efs-encryption-enabled.html)
+ [ecs-task-definition-linux-user-non-root](./ecs-task-definition-linux-user-non-root.html)
+ [ecs-task-definition-log-configuration](./ecs-task-definition-log-configuration.html)
+ [ecs-task-definition-memory-hard-limit](./ecs-task-definition-memory-hard-limit.html)
+ [ecs-task-definition-network-mode-not-host](./ecs-task-definition-network-mode-not-host.html)
+ [ecs-task-definition-nonroot-user](./ecs-task-definition-nonroot-user.html)
+ [ecs-task-definition-pid-mode-check](./ecs-task-definition-pid-mode-check.html)
+ [ecs-task-definition-user-for-host-mode-check](./ecs-task-definition-user-for-host-mode-check.html)
+ [ecs-task-definition-windows-user-non-admin](./ecs-task-definition-windows-user-non-admin.html)
+ [efs-access-point-enforce-root-directory](./efs-access-point-enforce-root-directory.html)
+ [efs-access-point-enforce-user-identity](./efs-access-point-enforce-user-identity.html)
+ [efs-automatic-backups-enabled](./efs-automatic-backups-enabled.html)
+ [efs-encrypted-check](./efs-encrypted-check.html)
+ [efs-filesystem-ct-encrypted](./efs-filesystem-ct-encrypted.html)
+ [efs-file-system-tagged](./efs-file-system-tagged.html)
+ [efs-in-backup-plan](./efs-in-backup-plan.html)
+ [efs-last-backup-recovery-point-created](./efs-last-backup-recovery-point-created.html)
+ [efs-meets-restore-time-target](./efs-meets-restore-time-target.html)
+ [efs-mount-target-public-accessible](./efs-mount-target-public-accessible.html)
+ [efs-resources-in-logically-air-gapped-vault](./efs-resources-in-logically-air-gapped-vault.html)
+ [efs-resources-protected-by-backup-plan](./efs-resources-protected-by-backup-plan.html)
+ [eip-attached](./eip-attached.html)
+ [eks-addon-tagged](./eks-addon-tagged.html)
+ [eks-cluster-logging-enabled](./eks-cluster-logging-enabled.html)
+ [eks-cluster-log-enabled](./eks-cluster-log-enabled.html)
+ [eks-cluster-oldest-supported-version](./eks-cluster-oldest-supported-version.html)
+ [eks-cluster-secrets-encrypted](./eks-cluster-secrets-encrypted.html)
+ [eks-cluster-supported-version](./eks-cluster-supported-version.html)
+ [eks-endpoint-no-public-access](./eks-endpoint-no-public-access.html)
+ [eks-fargate-profile-tagged](./eks-fargate-profile-tagged.html)
+ [eks-nodegroup-supported-version-check](./eks-nodegroup-supported-version-check.html)
+ [eks-secrets-encrypted](./eks-secrets-encrypted.html)
+ [elasticache-automatic-backup-check-enabled](./elasticache-automatic-backup-check-enabled.html)
+ [elasticache-auto-minor-version-upgrade-check](./elasticache-auto-minor-version-upgrade-check.html)
+ [elasticache-rbac-auth-enabled](./elasticache-rbac-auth-enabled.html)
+ [elasticache-redis-cluster-automatic-backup-check](./elasticache-redis-cluster-automatic-backup-check.html)
+ [elasticache-repl-grp-auto-failover-enabled](./elasticache-repl-grp-auto-failover-enabled.html)
+ [elasticache-repl-grp-encrypted-at-rest](./elasticache-repl-grp-encrypted-at-rest.html)
+ [elasticache-repl-grp-encrypted-in-transit](./elasticache-repl-grp-encrypted-in-transit.html)
+ [elasticache-repl-grp-redis-auth-enabled](./elasticache-repl-grp-redis-auth-enabled.html)
+ [elasticache-subnet-group-check](./elasticache-subnet-group-check.html)
+ [elasticache-supported-engine-version](./elasticache-supported-engine-version.html)
+ [elasticbeanstalk-application-description](./elasticbeanstalk-application-description.html)
+ [elasticbeanstalk-application-version-description](./elasticbeanstalk-application-version-description.html)
+ [elasticbeanstalk-environment-description](./elasticbeanstalk-environment-description.html)
+ [elasticsearch-encrypted-at-rest](./elasticsearch-encrypted-at-rest.html)
+ [elasticsearch-in-vpc-only](./elasticsearch-in-vpc-only.html)
+ [elasticsearch-logs-to-cloudwatch](./elasticsearch-logs-to-cloudwatch.html)
+ [elasticsearch-node-to-node-encryption-check](./elasticsearch-node-to-node-encryption-check.html)
+ [elastic-beanstalk-logs-to-cloudwatch](./elastic-beanstalk-logs-to-cloudwatch.html)
+ [elastic-beanstalk-managed-updates-enabled](./elastic-beanstalk-managed-updates-enabled.html)
+ [elbv2-acm-certificate-required](./elbv2-acm-certificate-required.html)
+ [elbv2-listener-encryption-in-transit](./elbv2-listener-encryption-in-transit.html)
+ [elbv2-multiple-az](./elbv2-multiple-az.html)
+ [elbv2-predefined-security-policy-ssl-check](./elbv2-predefined-security-policy-ssl-check.html)
+ [elbv2-targetgroup-healthcheck-protocol-encrypted](./elbv2-targetgroup-healthcheck-protocol-encrypted.html)
+ [elbv2-targetgroup-protocol-encrypted](./elbv2-targetgroup-protocol-encrypted.html)
+ [elb-acm-certificate-required](./elb-acm-certificate-required.html)
+ [elb-cross-zone-load-balancing-enabled](./elb-cross-zone-load-balancing-enabled.html)
+ [elb-custom-security-policy-ssl-check](./elb-custom-security-policy-ssl-check.html)
+ [elb-deletion-protection-enabled](./elb-deletion-protection-enabled.html)
+ [elb-internal-scheme-check](./elb-internal-scheme-check.html)
+ [elb-logging-enabled](./elb-logging-enabled.html)
+ [elb-predefined-security-policy-ssl-check](./elb-predefined-security-policy-ssl-check.html)
+ [elb-tagged](./elb-tagged.html)
+ [elb-tls-https-listeners-only](./elb-tls-https-listeners-only.html)
+ [emr-block-public-access](./emr-block-public-access.html)
+ [emr-kerberos-enabled](./emr-kerberos-enabled.html)
+ [emr-master-no-public-ip](./emr-master-no-public-ip.html)
+ [emr-security-configuration-encryption-rest](./emr-security-configuration-encryption-rest.html)
+ [emr-security-configuration-encryption-transit](./emr-security-configuration-encryption-transit.html)
+ [encrypted-volumes](./encrypted-volumes.html)
+ [eventschemas-discoverer-tagged](./eventschemas-discoverer-tagged.html)
+ [eventschemas-registry-tagged](./eventschemas-registry-tagged.html)
+ [event-data-store-cmk-encryption-enabled](./event-data-store-cmk-encryption-enabled.html)
+ [evidently-launch-description](./evidently-launch-description.html)
+ [evidently-launch-tagged](./evidently-launch-tagged.html)
+ [evidently-project-description](./evidently-project-description.html)
+ [evidently-project-tagged](./evidently-project-tagged.html)
+ [evidently-segment-description](./evidently-segment-description.html)
+ [evidently-segment-tagged](./evidently-segment-tagged.html)
+ [fis-experiment-template-log-configuration-exists](./fis-experiment-template-log-configuration-exists.html)
+ [fis-experiment-template-tagged](./fis-experiment-template-tagged.html)
+ [fms-shield-resource-policy-check](./fms-shield-resource-policy-check.html)
+ [fms-webacl-resource-policy-check](./fms-webacl-resource-policy-check.html)
+ [fms-webacl-rulegroup-association-check](./fms-webacl-rulegroup-association-check.html)
+ [frauddetector-entity-type-tagged](./frauddetector-entity-type-tagged.html)
+ [frauddetector-label-tagged](./frauddetector-label-tagged.html)
+ [frauddetector-outcome-tagged](./frauddetector-outcome-tagged.html)
+ [frauddetector-variable-tagged](./frauddetector-variable-tagged.html)
+ [fsx-last-backup-recovery-point-created](./fsx-last-backup-recovery-point-created.html)
+ [fsx-lustre-copy-tags-to-backups](./fsx-lustre-copy-tags-to-backups.html)
+ [fsx-meets-restore-time-target](./fsx-meets-restore-time-target.html)
+ [fsx-ontap-deployment-type-check](./fsx-ontap-deployment-type-check.html)
+ [fsx-openzfs-copy-tags-enabled](./fsx-openzfs-copy-tags-enabled.html)
+ [fsx-openzfs-deployment-type-check](./fsx-openzfs-deployment-type-check.html)
+ [fsx-resources-protected-by-backup-plan](./fsx-resources-protected-by-backup-plan.html)
+ [fsx-windows-audit-log-configured](./fsx-windows-audit-log-configured.html)
+ [fsx-windows-deployment-type-check](./fsx-windows-deployment-type-check.html)
+ [glb-listener-tagged](./glb-listener-tagged.html)
+ [glb-tagged](./glb-tagged.html)
+ [global-endpoint-event-replication-enabled](./global-endpoint-event-replication-enabled.html)
+ [glue-job-logging-enabled](./glue-job-logging-enabled.html)
+ [glue-ml-transform-encrypted-at-rest](./glue-ml-transform-encrypted-at-rest.html)
+ [glue-ml-transform-tagged](./glue-ml-transform-tagged.html)
+ [glue-spark-job-supported-version](./glue-spark-job-supported-version.html)
+ [groundstation-config-tagged](./groundstation-config-tagged.html)
+ [groundstation-dataflowendpointgroup-tagged](./groundstation-dataflowendpointgroup-tagged.html)
+ [groundstation-missionprofile-tagged](./groundstation-missionprofile-tagged.html)
+ [guardduty-ec2-protection-runtime-enabled](./guardduty-ec2-protection-runtime-enabled.html)
+ [guardduty-ecs-protection-runtime-enabled](./guardduty-ecs-protection-runtime-enabled.html)
+ [guardduty-eks-protection-audit-enabled](./guardduty-eks-protection-audit-enabled.html)
+ [guardduty-eks-protection-runtime-enabled](./guardduty-eks-protection-runtime-enabled.html)
+ [guardduty-enabled-centralized](./guardduty-enabled-centralized.html)
+ [guardduty-lambda-protection-enabled](./guardduty-lambda-protection-enabled.html)
+ [guardduty-malware-protection-enabled](./guardduty-malware-protection-enabled.html)
+ [guardduty-non-archived-findings](./guardduty-non-archived-findings.html)
+ [guardduty-rds-protection-enabled](./guardduty-rds-protection-enabled.html)
+ [guardduty-runtime-monitoring-enabled](./guardduty-runtime-monitoring-enabled.html)
+ [guardduty-s3-protection-enabled](./guardduty-s3-protection-enabled.html)
+ [iam-customer-policy-blocked-kms-actions](./iam-customer-policy-blocked-kms-actions.html)
+ [iam-external-access-analyzer-enabled](./iam-external-access-analyzer-enabled.html)
+ [iam-group-has-users-check](./iam-group-has-users-check.html)
+ [iam-inline-policy-blocked-kms-actions](./iam-inline-policy-blocked-kms-actions.html)
+ [iam-no-inline-policy-check](./iam-no-inline-policy-check.html)
+ [iam-password-policy](./iam-password-policy.html)
+ [iam-policy-blacklisted-check](./iam-policy-blacklisted-check.html)
+ [iam-policy-description](./iam-policy-description.html)
+ [iam-policy-in-use](./iam-policy-in-use.html)
+ [iam-policy-no-statements-with-admin-access](./iam-policy-no-statements-with-admin-access.html)
+ [iam-policy-no-statements-with-full-access](./iam-policy-no-statements-with-full-access.html)
+ [iam-role-managed-policy-check](./iam-role-managed-policy-check.html)
+ [iam-root-access-key-check](./iam-root-access-key-check.html)
+ [iam-user-group-membership-check](./iam-user-group-membership-check.html)
+ [iam-user-mfa-enabled](./iam-user-mfa-enabled.html)
+ [iam-user-no-policies-check](./iam-user-no-policies-check.html)
+ [iam-user-unused-credentials-check](./iam-user-unused-credentials-check.html)
+ [imagebuilder-distributionconfiguration-tagged](./imagebuilder-distributionconfiguration-tagged.html)
+ [imagebuilder-imagepipeline-tagged](./imagebuilder-imagepipeline-tagged.html)
+ [imagebuilder-imagerecipe-ebs-volumes-encrypted](./imagebuilder-imagerecipe-ebs-volumes-encrypted.html)
+ [imagebuilder-imagerecipe-tagged](./imagebuilder-imagerecipe-tagged.html)
+ [imagebuilder-infrastructureconfiguration-tagged](./imagebuilder-infrastructureconfiguration-tagged.html)
+ [incoming-ssh-disabled](./incoming-ssh-disabled.html)
+ [inspector-ec2-scan-enabled](./inspector-ec2-scan-enabled.html)
+ [inspector-ecr-scan-enabled](./inspector-ecr-scan-enabled.html)
+ [inspector-lambda-code-scan-enabled](./inspector-lambda-code-scan-enabled.html)
+ [inspector-lambda-standard-scan-enabled](./inspector-lambda-standard-scan-enabled.html)
+ [instances-in-vpc](./instances-in-vpc.html)
+ [internet-gateway-authorized-vpc-only](./internet-gateway-authorized-vpc-only.html)
+ [iotdevicedefender-custom-metric-tagged](./iotdevicedefender-custom-metric-tagged.html)
+ [iotevents-alarm-model-tagged](./iotevents-alarm-model-tagged.html)
+ [iotevents-detector-model-tagged](./iotevents-detector-model-tagged.html)
+ [iotevents-input-tagged](./iotevents-input-tagged.html)
+ [iotsitewise-asset-model-tagged](./iotsitewise-asset-model-tagged.html)
+ [iotsitewise-dashboard-tagged](./iotsitewise-dashboard-tagged.html)
+ [iotsitewise-gateway-tagged](./iotsitewise-gateway-tagged.html)
+ [iotsitewise-portal-tagged](./iotsitewise-portal-tagged.html)
+ [iotsitewise-project-tagged](./iotsitewise-project-tagged.html)
+ [iottwinmaker-component-type-tagged](./iottwinmaker-component-type-tagged.html)
+ [iottwinmaker-entity-tagged](./iottwinmaker-entity-tagged.html)
+ [iottwinmaker-scene-tagged](./iottwinmaker-scene-tagged.html)
+ [iottwinmaker-sync-job-tagged](./iottwinmaker-sync-job-tagged.html)
+ [iottwinmaker-workspace-tagged](./iottwinmaker-workspace-tagged.html)
+ [iot-authorizer-token-signing-enabled](./iot-authorizer-token-signing-enabled.html)
+ [iot-job-template-tagged](./iot-job-template-tagged.html)
+ [iot-provisioning-template-description](./iot-provisioning-template-description.html)
+ [iot-provisioning-template-jitp](./iot-provisioning-template-jitp.html)
+ [iot-provisioning-template-tagged](./iot-provisioning-template-tagged.html)
+ [iot-scheduled-audit-tagged](./iot-scheduled-audit-tagged.html)
+ [kendra-index-tagged](./kendra-index-tagged.html)
+ [kinesisvideo-signalingchannel-tagged](./kinesisvideo-signalingchannel-tagged.html)
+ [kinesisvideo-stream-tagged](./kinesisvideo-stream-tagged.html)
+ [kinesis-firehose-delivery-stream-encrypted](./kinesis-firehose-delivery-stream-encrypted.html)
+ [kinesis-stream-backup-retention-check](./kinesis-stream-backup-retention-check.html)
+ [kinesis-stream-encrypted](./kinesis-stream-encrypted.html)
+ [kinesis-video-stream-minimum-data-retention](./kinesis-video-stream-minimum-data-retention.html)
+ [kms-cmk-not-scheduled-for-deletion](./kms-cmk-not-scheduled-for-deletion.html)
+ [kms-key-policy-no-public-access](./kms-key-policy-no-public-access.html)
+ [kms-key-tagged](./kms-key-tagged.html)
+ [lambda-concurrency-check](./lambda-concurrency-check.html)
+ [lambda-dlq-check](./lambda-dlq-check.html)
+ [lambda-function-application-log-level-check](./lambda-function-application-log-level-check.html)
+ [lambda-function-description](./lambda-function-description.html)
+ [lambda-function-log-format-json](./lambda-function-log-format-json.html)
+ [lambda-function-public-access-prohibited](./lambda-function-public-access-prohibited.html)
+ [lambda-function-settings-check](./lambda-function-settings-check.html)
+ [lambda-function-system-log-level-check](./lambda-function-system-log-level-check.html)
+ [lambda-function-xray-enabled](./lambda-function-xray-enabled.html)
+ [lambda-inside-vpc](./lambda-inside-vpc.html)
+ [lambda-vpc-multi-az-check](./lambda-vpc-multi-az-check.html)
+ [lightsail-bucket-allow-public-overrides-disabled](./lightsail-bucket-allow-public-overrides-disabled.html)
+ [lightsail-bucket-object-versioning-enabled](./lightsail-bucket-object-versioning-enabled.html)
+ [lightsail-bucket-tagged](./lightsail-bucket-tagged.html)
+ [lightsail-certificate-tagged](./lightsail-certificate-tagged.html)
+ [lightsail-disk-tagged](./lightsail-disk-tagged.html)
+ [macie-auto-sensitive-data-discovery-check](./macie-auto-sensitive-data-discovery-check.html)
+ [macie-status-check](./macie-status-check.html)
+ [mariadb-publish-logs-to-cloudwatch-logs](./mariadb-publish-logs-to-cloudwatch-logs.html)
+ [mediapackage-packagingconfiguration-tagged](./mediapackage-packagingconfiguration-tagged.html)
+ [mediatailor-playbackconfiguration-tagged](./mediatailor-playbackconfiguration-tagged.html)
+ [memorydb-subnetgroup-tagged](./memorydb-subnetgroup-tagged.html)
+ [mfa-enabled-for-iam-console-access](./mfa-enabled-for-iam-console-access.html)
+ [mq-active-broker-ldap-authentication](./mq-active-broker-ldap-authentication.html)
+ [mq-active-deployment-mode](./mq-active-deployment-mode.html)
+ [mq-active-single-instance-broker-storage-type-efs](./mq-active-single-instance-broker-storage-type-efs.html)
+ [mq-automatic-minor-version-upgrade-enabled](./mq-automatic-minor-version-upgrade-enabled.html)
+ [mq-auto-minor-version-upgrade-enabled](./mq-auto-minor-version-upgrade-enabled.html)
+ [mq-broker-general-logging-enabled](./mq-broker-general-logging-enabled.html)
+ [mq-cloudwatch-audit-logging-enabled](./mq-cloudwatch-audit-logging-enabled.html)
+ [mq-cloudwatch-audit-log-enabled](./mq-cloudwatch-audit-log-enabled.html)
+ [mq-no-public-access](./mq-no-public-access.html)
+ [mq-rabbit-deployment-mode](./mq-rabbit-deployment-mode.html)
+ [msk-cluster-public-access-disabled](./msk-cluster-public-access-disabled.html)
+ [msk-cluster-tagged](./msk-cluster-tagged.html)
+ [msk-connect-connector-logging-enabled](./msk-connect-connector-logging-enabled.html)
+ [msk-enhanced-monitoring-enabled](./msk-enhanced-monitoring-enabled.html)
+ [msk-in-cluster-node-require-tls](./msk-in-cluster-node-require-tls.html)
+ [msk-unrestricted-access-check](./msk-unrestricted-access-check.html)
+ [multi-region-cloud-trail-enabled](./multi-region-cloud-trail-enabled.html)
+ [nacl-no-unrestricted-ssh-rdp](./nacl-no-unrestricted-ssh-rdp.html)
+ [neptune-cluster-backup-retention-check](./neptune-cluster-backup-retention-check.html)
+ [neptune-cluster-cloudwatch-log-export-enabled](./neptune-cluster-cloudwatch-log-export-enabled.html)
+ [neptune-cluster-copy-tags-to-snapshot-enabled](./neptune-cluster-copy-tags-to-snapshot-enabled.html)
+ [neptune-cluster-deletion-protection-enabled](./neptune-cluster-deletion-protection-enabled.html)
+ [neptune-cluster-encrypted](./neptune-cluster-encrypted.html)
+ [neptune-cluster-iam-database-authentication](./neptune-cluster-iam-database-authentication.html)
+ [neptune-cluster-multi-az-enabled](./neptune-cluster-multi-az-enabled.html)
+ [neptune-cluster-snapshot-encrypted](./neptune-cluster-snapshot-encrypted.html)
+ [neptune-cluster-snapshot-iam-database-auth-enabled](./neptune-cluster-snapshot-iam-database-auth-enabled.html)
+ [neptune-cluster-snapshot-public-prohibited](./neptune-cluster-snapshot-public-prohibited.html)
+ [netfw-deletion-protection-enabled](./netfw-deletion-protection-enabled.html)
+ [netfw-logging-enabled](./netfw-logging-enabled.html)
+ [netfw-multi-az-enabled](./netfw-multi-az-enabled.html)
+ [netfw-policy-default-action-fragment-packets](./netfw-policy-default-action-fragment-packets.html)
+ [netfw-policy-default-action-full-packets](./netfw-policy-default-action-full-packets.html)
+ [netfw-policy-rule-group-associated](./netfw-policy-rule-group-associated.html)
+ [netfw-stateless-rule-group-not-empty](./netfw-stateless-rule-group-not-empty.html)
+ [netfw-subnet-change-protection-enabled](./netfw-subnet-change-protection-enabled.html)
+ [nlb-cross-zone-load-balancing-enabled](./nlb-cross-zone-load-balancing-enabled.html)
+ [nlb-internal-scheme-check](./nlb-internal-scheme-check.html)
+ [nlb-listener-tagged](./nlb-listener-tagged.html)
+ [nlb-logging-enabled](./nlb-logging-enabled.html)
+ [nlb-tagged](./nlb-tagged.html)
+ [no-unrestricted-route-to-igw](./no-unrestricted-route-to-igw.html)
+ [opensearchserverless-collection-description](./opensearchserverless-collection-description.html)
+ [opensearchserverless-collection-standbyreplicas-enabled](./opensearchserverless-collection-standbyreplicas-enabled.html)
+ [opensearch-access-control-enabled](./opensearch-access-control-enabled.html)
+ [opensearch-audit-logging-enabled](./opensearch-audit-logging-enabled.html)
+ [opensearch-data-node-fault-tolerance](./opensearch-data-node-fault-tolerance.html)
+ [opensearch-encrypted-at-rest](./opensearch-encrypted-at-rest.html)
+ [opensearch-https-required](./opensearch-https-required.html)
+ [opensearch-in-vpc-only](./opensearch-in-vpc-only.html)
+ [opensearch-logs-to-cloudwatch](./opensearch-logs-to-cloudwatch.html)
+ [opensearch-node-to-node-encryption-check](./opensearch-node-to-node-encryption-check.html)
+ [opensearch-primary-node-fault-tolerance](./opensearch-primary-node-fault-tolerance.html)
+ [opensearch-update-check](./opensearch-update-check.html)
+ [panorama-package-tagged](./panorama-package-tagged.html)
+ [rabbit-mq-supported-version](./rabbit-mq-supported-version.html)
+ [rds-aurora-mysql-audit-logging-enabled](./rds-aurora-mysql-audit-logging-enabled.html)
+ [rds-aurora-postgresql-logs-to-cloudwatch](./rds-aurora-postgresql-logs-to-cloudwatch.html)
+ [rds-automatic-minor-version-upgrade-enabled](./rds-automatic-minor-version-upgrade-enabled.html)
+ [rds-cluster-auto-minor-version-upgrade-enable](./rds-cluster-auto-minor-version-upgrade-enable.html)
+ [rds-cluster-backup-retention-check](./rds-cluster-backup-retention-check.html)
+ [rds-cluster-default-admin-check](./rds-cluster-default-admin-check.html)
+ [rds-cluster-deletion-protection-enabled](./rds-cluster-deletion-protection-enabled.html)
+ [rds-cluster-encrypted-at-rest](./rds-cluster-encrypted-at-rest.html)
+ [rds-cluster-iam-authentication-enabled](./rds-cluster-iam-authentication-enabled.html)
+ [rds-cluster-multi-az-enabled](./rds-cluster-multi-az-enabled.html)
+ [rds-db-security-group-not-allowed](./rds-db-security-group-not-allowed.html)
+ [rds-enhanced-monitoring-enabled](./rds-enhanced-monitoring-enabled.html)
+ [rds-event-subscription-tagged](./rds-event-subscription-tagged.html)
+ [rds-global-cluster-aurora-mysql-supported-version](./rds-global-cluster-aurora-mysql-supported-version.html)
+ [rds-instance-default-admin-check](./rds-instance-default-admin-check.html)
+ [rds-instance-deletion-protection-enabled](./rds-instance-deletion-protection-enabled.html)
+ [rds-instance-iam-authentication-enabled](./rds-instance-iam-authentication-enabled.html)
+ [rds-instance-public-access-check](./rds-instance-public-access-check.html)
+ [rds-instance-subnet-igw-check](./rds-instance-subnet-igw-check.html)
+ [rds-in-backup-plan](./rds-in-backup-plan.html)
+ [rds-last-backup-recovery-point-created](./rds-last-backup-recovery-point-created.html)
+ [rds-logging-enabled](./rds-logging-enabled.html)
+ [rds-mariadb-instance-encrypted-in-transit](./rds-mariadb-instance-encrypted-in-transit.html)
+ [rds-meets-restore-time-target](./rds-meets-restore-time-target.html)
+ [rds-multi-az-support](./rds-multi-az-support.html)
+ [rds-mysql-cluster-copy-tags-to-snapshot-check](./rds-mysql-cluster-copy-tags-to-snapshot-check.html)
+ [rds-mysql-instance-encrypted-in-transit](./rds-mysql-instance-encrypted-in-transit.html)
+ [rds-option-group-tagged](./rds-option-group-tagged.html)
+ [rds-pgsql-cluster-copy-tags-to-snapshot-check](./rds-pgsql-cluster-copy-tags-to-snapshot-check.html)
+ [rds-postgresql-logs-to-cloudwatch](./rds-postgresql-logs-to-cloudwatch.html)
+ [rds-postgres-instance-encrypted-in-transit](./rds-postgres-instance-encrypted-in-transit.html)
+ [rds-proxy-tls-encryption](./rds-proxy-tls-encryption.html)
+ [rds-resources-protected-by-backup-plan](./rds-resources-protected-by-backup-plan.html)
+ [rds-snapshots-public-prohibited](./rds-snapshots-public-prohibited.html)
+ [rds-snapshot-encrypted](./rds-snapshot-encrypted.html)
+ [rds-sqlserver-encrypted-in-transit](./rds-sqlserver-encrypted-in-transit.html)
+ [rds-sql-server-logs-to-cloudwatch](./rds-sql-server-logs-to-cloudwatch.html)
+ [rds-storage-encrypted](./rds-storage-encrypted.html)
+ [redshift-audit-logging-enabled](./redshift-audit-logging-enabled.html)
+ [redshift-backup-enabled](./redshift-backup-enabled.html)
+ [redshift-cluster-configuration-check](./redshift-cluster-configuration-check.html)
+ [redshift-cluster-kms-enabled](./redshift-cluster-kms-enabled.html)
+ [redshift-cluster-maintenancesettings-check](./redshift-cluster-maintenancesettings-check.html)
+ [redshift-cluster-multi-az-enabled](./redshift-cluster-multi-az-enabled.html)
+ [redshift-cluster-parameter-group-tagged](./redshift-cluster-parameter-group-tagged.html)
+ [redshift-cluster-public-access-check](./redshift-cluster-public-access-check.html)
+ [redshift-cluster-subnet-group-multi-az](./redshift-cluster-subnet-group-multi-az.html)
+ [redshift-default-admin-check](./redshift-default-admin-check.html)
+ [redshift-default-db-name-check](./redshift-default-db-name-check.html)
+ [redshift-enhanced-vpc-routing-enabled](./redshift-enhanced-vpc-routing-enabled.html)
+ [redshift-require-tls-ssl](./redshift-require-tls-ssl.html)
+ [redshift-serverless-default-admin-check](./redshift-serverless-default-admin-check.html)
+ [redshift-serverless-default-db-name-check](./redshift-serverless-default-db-name-check.html)
+ [redshift-serverless-namespace-cmk-encryption](./redshift-serverless-namespace-cmk-encryption.html)
+ [redshift-serverless-publish-logs-to-cloudwatch](./redshift-serverless-publish-logs-to-cloudwatch.html)
+ [redshift-serverless-workgroup-encrypted-in-transit](./redshift-serverless-workgroup-encrypted-in-transit.html)
+ [redshift-serverless-workgroup-no-public-access](./redshift-serverless-workgroup-no-public-access.html)
+ [redshift-serverless-workgroup-routes-within-vpc](./redshift-serverless-workgroup-routes-within-vpc.html)
+ [redshift-unrestricted-port-access](./redshift-unrestricted-port-access.html)
+ [required-tags](./required-tags.html)
+ [resiliencehub-app-tagged](./resiliencehub-app-tagged.html)
+ [resiliencehub-resiliencypolicy-tagged](./resiliencehub-resiliencypolicy-tagged.html)
+ [restricted-incoming-traffic](./restricted-incoming-traffic.html)
+ [root-account-hardware-mfa-enabled](./root-account-hardware-mfa-enabled.html)
+ [root-account-mfa-enabled](./root-account-mfa-enabled.html)
+ [route53-resolver-firewall-domain-list-tagged](./route53-resolver-firewall-domain-list-tagged.html)
+ [route53-resolver-firewall-rule-group-association-tagged](./route53-resolver-firewall-rule-group-association-tagged.html)
+ [route53-resolver-firewall-rule-group-tagged](./route53-resolver-firewall-rule-group-tagged.html)
+ [route53-resolver-resolver-endpoint-tagged](./route53-resolver-resolver-endpoint-tagged.html)
+ [route53-resolver-resolver-rule-tagged](./route53-resolver-resolver-rule-tagged.html)
+ [rum-app-monitor-cloudwatch-logs-enabled](./rum-app-monitor-cloudwatch-logs-enabled.html)
+ [rum-app-monitor-tagged](./rum-app-monitor-tagged.html)
+ [s3-access-point-in-vpc-only](./s3-access-point-in-vpc-only.html)
+ [s3-access-point-public-access-blocks](./s3-access-point-public-access-blocks.html)
+ [s3-account-level-public-access-blocks](./s3-account-level-public-access-blocks.html)
+ [s3-account-level-public-access-blocks-periodic](./s3-account-level-public-access-blocks-periodic.html)
+ [s3-bucket-acl-prohibited](./s3-bucket-acl-prohibited.html)
+ [s3-bucket-blacklisted-actions-prohibited](./s3-bucket-blacklisted-actions-prohibited.html)
+ [s3-bucket-cross-region-replication-enabled](./s3-bucket-cross-region-replication-enabled.html)
+ [s3-bucket-default-lock-enabled](./s3-bucket-default-lock-enabled.html)
+ [s3-bucket-level-public-access-prohibited](./s3-bucket-level-public-access-prohibited.html)
+ [s3-bucket-logging-enabled](./s3-bucket-logging-enabled.html)
+ [s3-bucket-mfa-delete-enabled](./s3-bucket-mfa-delete-enabled.html)
+ [s3-bucket-policy-grantee-check](./s3-bucket-policy-grantee-check.html)
+ [s3-bucket-policy-not-more-permissive](./s3-bucket-policy-not-more-permissive.html)
+ [s3-bucket-public-read-prohibited](./s3-bucket-public-read-prohibited.html)
+ [s3-bucket-public-write-prohibited](./s3-bucket-public-write-prohibited.html)
+ [s3-bucket-replication-enabled](./s3-bucket-replication-enabled.html)
+ [s3-bucket-server-side-encryption-enabled](./s3-bucket-server-side-encryption-enabled.html)
+ [s3-bucket-ssl-requests-only](./s3-bucket-ssl-requests-only.html)
+ [s3-bucket-tagged](./s3-bucket-tagged.html)
+ [s3-bucket-versioning-enabled](./s3-bucket-versioning-enabled.html)
+ [s3-default-encryption-kms](./s3-default-encryption-kms.html)
+ [s3-event-notifications-enabled](./s3-event-notifications-enabled.html)
+ [s3-last-backup-recovery-point-created](./s3-last-backup-recovery-point-created.html)
+ [s3-lifecycle-policy-check](./s3-lifecycle-policy-check.html)
+ [s3-meets-restore-time-target](./s3-meets-restore-time-target.html)
+ [s3-resources-in-logically-air-gapped-vault](./s3-resources-in-logically-air-gapped-vault.html)
+ [s3-resources-protected-by-backup-plan](./s3-resources-protected-by-backup-plan.html)
+ [s3-version-lifecycle-policy-check](./s3-version-lifecycle-policy-check.html)
+ [sagemaker-app-image-config-tagged](./sagemaker-app-image-config-tagged.html)
+ [sagemaker-data-quality-job-encrypt-in-transit](./sagemaker-data-quality-job-encrypt-in-transit.html)
+ [sagemaker-data-quality-job-isolation](./sagemaker-data-quality-job-isolation.html)
+ [sagemaker-domain-in-vpc](./sagemaker-domain-in-vpc.html)
+ [sagemaker-domain-tagged](./sagemaker-domain-tagged.html)
+ [sagemaker-endpoint-configuration-kms-key-configured](./sagemaker-endpoint-configuration-kms-key-configured.html)
+ [sagemaker-endpoint-config-prod-instance-count](./sagemaker-endpoint-config-prod-instance-count.html)
+ [sagemaker-featuregroup-description](./sagemaker-featuregroup-description.html)
+ [sagemaker-featuregroup-encryption-at-rest](./sagemaker-featuregroup-encryption-at-rest.html)
+ [sagemaker-feature-group-tagged](./sagemaker-feature-group-tagged.html)
+ [sagemaker-image-description](./sagemaker-image-description.html)
+ [sagemaker-image-tagged](./sagemaker-image-tagged.html)
+ [sagemaker-inferenceexperiment-tagged](./sagemaker-inferenceexperiment-tagged.html)
+ [sagemaker-model-bias-job-encrypt-in-transit](./sagemaker-model-bias-job-encrypt-in-transit.html)
+ [sagemaker-model-bias-job-isolation](./sagemaker-model-bias-job-isolation.html)
+ [sagemaker-model-explainability-job-encrypt-in-transit](./sagemaker-model-explainability-job-encrypt-in-transit.html)
+ [sagemaker-model-in-vpc](./sagemaker-model-in-vpc.html)
+ [sagemaker-model-isolation-enabled](./sagemaker-model-isolation-enabled.html)
+ [sagemaker-model-private-registry-required](./sagemaker-model-private-registry-required.html)
+ [sagemaker-model-quality-job-encrypt-in-transit](./sagemaker-model-quality-job-encrypt-in-transit.html)
+ [sagemaker-monitoring-schedule-isolation](./sagemaker-monitoring-schedule-isolation.html)
+ [sagemaker-notebook-instance-inside-vpc](./sagemaker-notebook-instance-inside-vpc.html)
+ [sagemaker-notebook-instance-kms-key-configured](./sagemaker-notebook-instance-kms-key-configured.html)
+ [sagemaker-notebook-instance-platform-version](./sagemaker-notebook-instance-platform-version.html)
+ [sagemaker-notebook-instance-root-access-check](./sagemaker-notebook-instance-root-access-check.html)
+ [sagemaker-notebook-no-direct-internet-access](./sagemaker-notebook-no-direct-internet-access.html)
+ [secretsmanager-rotation-enabled-check](./secretsmanager-rotation-enabled-check.html)
+ [secretsmanager-scheduled-rotation-success-check](./secretsmanager-scheduled-rotation-success-check.html)
+ [secretsmanager-secret-periodic-rotation](./secretsmanager-secret-periodic-rotation.html)
+ [secretsmanager-secret-unused](./secretsmanager-secret-unused.html)
+ [secretsmanager-using-cmk](./secretsmanager-using-cmk.html)
+ [securityhub-enabled](./securityhub-enabled.html)
+ [security-account-information-provided](./security-account-information-provided.html)
+ [service-catalog-portfolio-tagged](./service-catalog-portfolio-tagged.html)
+ [service-catalog-shared-within-organization](./service-catalog-shared-within-organization.html)
+ [service-vpc-endpoint-enabled](./service-vpc-endpoint-enabled.html)
+ [ses-sending-tls-required](./ses-sending-tls-required.html)
+ [signer-signingprofile-tagged](./signer-signingprofile-tagged.html)
+ [sns-encrypted-kms](./sns-encrypted-kms.html)
+ [sns-topic-message-delivery-notification-enabled](./sns-topic-message-delivery-notification-enabled.html)
+ [sns-topic-no-public-access](./sns-topic-no-public-access.html)
+ [sqs-queue-dlq-check](./sqs-queue-dlq-check.html)
+ [sqs-queue-no-public-access](./sqs-queue-no-public-access.html)
+ [sqs-queue-policy-full-access-check](./sqs-queue-policy-full-access-check.html)
+ [ssm-automation-block-public-sharing](./ssm-automation-block-public-sharing.html)
+ [ssm-automation-logging-enabled](./ssm-automation-logging-enabled.html)
+ [ssm-document-not-public](./ssm-document-not-public.html)
+ [ssm-document-tagged](./ssm-document-tagged.html)
+ [stepfunctions-state-machine-tagged](./stepfunctions-state-machine-tagged.html)
+ [step-functions-state-machine-logging-enabled](./step-functions-state-machine-logging-enabled.html)
+ [storagegateway-last-backup-recovery-point-created](./storagegateway-last-backup-recovery-point-created.html)
+ [storagegateway-resources-in-logically-air-gapped-vault](./storagegateway-resources-in-logically-air-gapped-vault.html)
+ [storagegateway-resources-protected-by-backup-plan](./storagegateway-resources-protected-by-backup-plan.html)
+ [subnet-auto-assign-public-ip-disabled](./subnet-auto-assign-public-ip-disabled.html)
+ [transfer-agreement-description](./transfer-agreement-description.html)
+ [transfer-agreement-tagged](./transfer-agreement-tagged.html)
+ [transfer-certificate-description](./transfer-certificate-description.html)
+ [transfer-certificate-tagged](./transfer-certificate-tagged.html)
+ [transfer-connector-as2-encryption-algorithm-check](./transfer-connector-as2-encryption-algorithm-check.html)
+ [transfer-connector-as2-mdn-signing-algorithm-check](./transfer-connector-as2-mdn-signing-algorithm-check.html)
+ [transfer-connector-as2-signing-algorithm-check](./transfer-connector-as2-signing-algorithm-check.html)
+ [transfer-connector-logging-enabled](./transfer-connector-logging-enabled.html)
+ [transfer-connector-tagged](./transfer-connector-tagged.html)
+ [transfer-family-server-no-ftp](./transfer-family-server-no-ftp.html)
+ [transfer-profile-tagged](./transfer-profile-tagged.html)
+ [transfer-workflow-description](./transfer-workflow-description.html)
+ [transfer-workflow-tagged](./transfer-workflow-tagged.html)
+ [virtualmachine-last-backup-recovery-point-created](./virtualmachine-last-backup-recovery-point-created.html)
+ [virtualmachine-resources-in-logically-air-gapped-vault](./virtualmachine-resources-in-logically-air-gapped-vault.html)
+ [virtualmachine-resources-protected-by-backup-plan](./virtualmachine-resources-protected-by-backup-plan.html)
+ [vpc-default-security-group-closed](./vpc-default-security-group-closed.html)
+ [vpc-endpoint-enabled](./vpc-endpoint-enabled.html)
+ [vpc-flow-logs-enabled](./vpc-flow-logs-enabled.html)
+ [vpc-network-acl-unused-check](./vpc-network-acl-unused-check.html)
+ [vpc-peering-dns-resolution-check](./vpc-peering-dns-resolution-check.html)
+ [vpc-sg-open-only-to-authorized-ports](./vpc-sg-open-only-to-authorized-ports.html)
+ [vpc-sg-port-restriction-check](./vpc-sg-port-restriction-check.html)
+ [vpc-vpn-2-tunnels-up](./vpc-vpn-2-tunnels-up.html)
+ [wafv2-logging-enabled](./wafv2-logging-enabled.html)
+ [wafv2-rulegroup-logging-enabled](./wafv2-rulegroup-logging-enabled.html)
+ [wafv2-rulegroup-not-empty](./wafv2-rulegroup-not-empty.html)
+ [wafv2-webacl-not-empty](./wafv2-webacl-not-empty.html)
+ [waf-global-rulegroup-not-empty](./waf-global-rulegroup-not-empty.html)
+ [waf-global-rule-not-empty](./waf-global-rule-not-empty.html)
+ [waf-regional-rulegroup-not-empty](./waf-regional-rulegroup-not-empty.html)
+ [waf-regional-rule-not-empty](./waf-regional-rule-not-empty.html)
+ [waf-regional-webacl-not-empty](./waf-regional-webacl-not-empty.html)
+ [workspaces-connection-alias-tagged](./workspaces-connection-alias-tagged.html)
+ [workspaces-root-volume-encryption-enabled](./workspaces-root-volume-encryption-enabled.html)
+ [workspaces-user-volume-encryption-enabled](./workspaces-user-volume-encryption-enabled.html)
+ [workspaces-workspace-tagged](./workspaces-workspace-tagged.html)

## Asia Pacific (Sydney) Region
<a name="asia-pacific-sydney-section-head"></a>

### Asia Pacific (Sydney)
<a name="asia-pacific-sydney"></a>
+ [access-keys-rotated](./access-keys-rotated.html)
+ [account-part-of-organizations](./account-part-of-organizations.html)
+ [acmpca-certificate-authority-tagged](./acmpca-certificate-authority-tagged.html)
+ [acm-certificate-expiration-check](./acm-certificate-expiration-check.html)
+ [acm-certificate-rsa-check](./acm-certificate-rsa-check.html)
+ [acm-certificate-transparent-logging-enabled](./acm-certificate-transparent-logging-enabled.html)
+ [acm-pca-root-ca-disabled](./acm-pca-root-ca-disabled.html)
+ [active-mq-supported-version](./active-mq-supported-version.html)
+ [alb-desync-mode-check](./alb-desync-mode-check.html)
+ [alb-http-drop-invalid-header-enabled](./alb-http-drop-invalid-header-enabled.html)
+ [alb-http-to-https-redirection-check](./alb-http-to-https-redirection-check.html)
+ [alb-internal-scheme-check](./alb-internal-scheme-check.html)
+ [alb-listener-tagged](./alb-listener-tagged.html)
+ [alb-tagged](./alb-tagged.html)
+ [alb-waf-enabled](./alb-waf-enabled.html)
+ [amplify-app-branch-auto-deletion-enabled](./amplify-app-branch-auto-deletion-enabled.html)
+ [amplify-app-build-spec-configured](./amplify-app-build-spec-configured.html)
+ [amplify-app-description](./amplify-app-description.html)
+ [amplify-app-no-environment-variables](./amplify-app-no-environment-variables.html)
+ [amplify-app-platform-check](./amplify-app-platform-check.html)
+ [amplify-app-tagged](./amplify-app-tagged.html)
+ [amplify-branch-auto-build-enabled](./amplify-branch-auto-build-enabled.html)
+ [amplify-branch-build-spec-configured](./amplify-branch-build-spec-configured.html)
+ [amplify-branch-description](./amplify-branch-description.html)
+ [amplify-branch-framework-configured](./amplify-branch-framework-configured.html)
+ [amplify-branch-performance-mode-enabled](./amplify-branch-performance-mode-enabled.html)
+ [amplify-branch-pull-request-preview-enabled](./amplify-branch-pull-request-preview-enabled.html)
+ [amplify-branch-tagged](./amplify-branch-tagged.html)
+ [apigatewayv2-integration-private-https-enabled](./apigatewayv2-integration-private-https-enabled.html)
+ [apigatewayv2-stage-description](./apigatewayv2-stage-description.html)
+ [apigateway-domain-name-tls-check](./apigateway-domain-name-tls-check.html)
+ [apigateway-stage-access-logs-enabled](./apigateway-stage-access-logs-enabled.html)
+ [apigateway-stage-description](./apigateway-stage-description.html)
+ [api-gwv2-access-logs-enabled](./api-gwv2-access-logs-enabled.html)
+ [api-gwv2-authorization-type-configured](./api-gwv2-authorization-type-configured.html)
+ [api-gwv2-stage-default-route-detailed-metrics-enabled](./api-gwv2-stage-default-route-detailed-metrics-enabled.html)
+ [api-gw-associated-with-waf](./api-gw-associated-with-waf.html)
+ [api-gw-cache-enabled-and-encrypted](./api-gw-cache-enabled-and-encrypted.html)
+ [api-gw-endpoint-type-check](./api-gw-endpoint-type-check.html)
+ [api-gw-execution-logging-enabled](./api-gw-execution-logging-enabled.html)
+ [api-gw-rest-api-tagged](./api-gw-rest-api-tagged.html)
+ [api-gw-ssl-enabled](./api-gw-ssl-enabled.html)
+ [api-gw-stage-tagged](./api-gw-stage-tagged.html)
+ [api-gw-xray-enabled](./api-gw-xray-enabled.html)
+ [appconfig-application-description](./appconfig-application-description.html)
+ [appconfig-application-tagged](./appconfig-application-tagged.html)
+ [appconfig-configuration-profile-tagged](./appconfig-configuration-profile-tagged.html)
+ [appconfig-configuration-profile-validators-not-empty](./appconfig-configuration-profile-validators-not-empty.html)
+ [appconfig-deployment-strategy-description](./appconfig-deployment-strategy-description.html)
+ [appconfig-deployment-strategy-minimum-final-bake-time](./appconfig-deployment-strategy-minimum-final-bake-time.html)
+ [appconfig-deployment-strategy-replicate-to-ssm](./appconfig-deployment-strategy-replicate-to-ssm.html)
+ [appconfig-deployment-strategy-tagged](./appconfig-deployment-strategy-tagged.html)
+ [appconfig-environment-description](./appconfig-environment-description.html)
+ [appconfig-environment-tagged](./appconfig-environment-tagged.html)
+ [appconfig-extension-association-tagged](./appconfig-extension-association-tagged.html)
+ [appconfig-freeform-profile-config-storage](./appconfig-freeform-profile-config-storage.html)
+ [appconfig-hosted-configuration-version-description](./appconfig-hosted-configuration-version-description.html)
+ [appflow-flow-tagged](./appflow-flow-tagged.html)
+ [appflow-flow-trigger-type-check](./appflow-flow-trigger-type-check.html)
+ [appintegrations-application-approved-origins-check](./appintegrations-application-approved-origins-check.html)
+ [appintegrations-application-tagged](./appintegrations-application-tagged.html)
+ [appintegrations-event-integration-description](./appintegrations-event-integration-description.html)
+ [appintegrations-event-integration-tagged](./appintegrations-event-integration-tagged.html)
+ [appmesh-gateway-route-tagged](./appmesh-gateway-route-tagged.html)
+ [appmesh-mesh-deny-tcp-forwarding](./appmesh-mesh-deny-tcp-forwarding.html)
+ [appmesh-mesh-ip-pref-check](./appmesh-mesh-ip-pref-check.html)
+ [appmesh-mesh-tagged](./appmesh-mesh-tagged.html)
+ [appmesh-route-tagged](./appmesh-route-tagged.html)
+ [appmesh-virtual-gateway-backend-defaults-tls](./appmesh-virtual-gateway-backend-defaults-tls.html)
+ [appmesh-virtual-gateway-listeners-health-check-enabled](./appmesh-virtual-gateway-listeners-health-check-enabled.html)
+ [appmesh-virtual-gateway-logging-file-path-exists](./appmesh-virtual-gateway-logging-file-path-exists.html)
+ [appmesh-virtual-gateway-tagged](./appmesh-virtual-gateway-tagged.html)
+ [appmesh-virtual-node-backend-defaults-tls-on](./appmesh-virtual-node-backend-defaults-tls-on.html)
+ [appmesh-virtual-node-cloud-map-ip-pref-check](./appmesh-virtual-node-cloud-map-ip-pref-check.html)
+ [appmesh-virtual-node-dns-ip-pref-check](./appmesh-virtual-node-dns-ip-pref-check.html)
+ [appmesh-virtual-node-listeners-health-check-enabled](./appmesh-virtual-node-listeners-health-check-enabled.html)
+ [appmesh-virtual-node-listeners-outlier-detect-enabled](./appmesh-virtual-node-listeners-outlier-detect-enabled.html)
+ [appmesh-virtual-node-logging-file-path-exists](./appmesh-virtual-node-logging-file-path-exists.html)
+ [appmesh-virtual-node-service-backends-tls-enforced](./appmesh-virtual-node-service-backends-tls-enforced.html)
+ [appmesh-virtual-node-tagged](./appmesh-virtual-node-tagged.html)
+ [appmesh-virtual-router-tagged](./appmesh-virtual-router-tagged.html)
+ [appmesh-virtual-service-tagged](./appmesh-virtual-service-tagged.html)
+ [approved-amis-by-id](./approved-amis-by-id.html)
+ [approved-amis-by-tag](./approved-amis-by-tag.html)
+ [apprunner-service-in-vpc](./apprunner-service-in-vpc.html)
+ [apprunner-service-ip-address-type-check](./apprunner-service-ip-address-type-check.html)
+ [apprunner-service-max-unhealthy-threshold](./apprunner-service-max-unhealthy-threshold.html)
+ [apprunner-service-no-public-access](./apprunner-service-no-public-access.html)
+ [apprunner-service-observability-enabled](./apprunner-service-observability-enabled.html)
+ [apprunner-service-tagged](./apprunner-service-tagged.html)
+ [apprunner-vpc-connector-tagged](./apprunner-vpc-connector-tagged.html)
+ [appstream-fleet-in-vpc](./appstream-fleet-in-vpc.html)
+ [appsync-associated-with-waf](./appsync-associated-with-waf.html)
+ [appsync-authorization-check](./appsync-authorization-check.html)
+ [appsync-cache-encryption-at-rest](./appsync-cache-encryption-at-rest.html)
+ [appsync-graphql-api-xray-enabled](./appsync-graphql-api-xray-enabled.html)
+ [appsync-logging-enabled](./appsync-logging-enabled.html)
+ [aps-rule-groups-namespace-tagged](./aps-rule-groups-namespace-tagged.html)
+ [athena-data-catalog-description](./athena-data-catalog-description.html)
+ [athena-prepared-statement-description](./athena-prepared-statement-description.html)
+ [athena-workgroup-description](./athena-workgroup-description.html)
+ [athena-workgroup-encrypted-at-rest](./athena-workgroup-encrypted-at-rest.html)
+ [athena-workgroup-enforce-workgroup-configuration](./athena-workgroup-enforce-workgroup-configuration.html)
+ [athena-workgroup-engine-version-auto-upgrade](./athena-workgroup-engine-version-auto-upgrade.html)
+ [athena-workgroup-logging-enabled](./athena-workgroup-logging-enabled.html)
+ [auditmanager-assessment-tagged](./auditmanager-assessment-tagged.html)
+ [aurora-global-database-encryption-at-rest](./aurora-global-database-encryption-at-rest.html)
+ [aurora-last-backup-recovery-point-created](./aurora-last-backup-recovery-point-created.html)
+ [aurora-meets-restore-time-target](./aurora-meets-restore-time-target.html)
+ [aurora-mysql-backtracking-enabled](./aurora-mysql-backtracking-enabled.html)
+ [aurora-mysql-cluster-audit-logging](./aurora-mysql-cluster-audit-logging.html)
+ [aurora-resources-in-logically-air-gapped-vault](./aurora-resources-in-logically-air-gapped-vault.html)
+ [aurora-resources-protected-by-backup-plan](./aurora-resources-protected-by-backup-plan.html)
+ [autoscaling-capacity-rebalancing](./autoscaling-capacity-rebalancing.html)
+ [autoscaling-group-elb-healthcheck-required](./autoscaling-group-elb-healthcheck-required.html)
+ [autoscaling-launchconfig-requires-imdsv2](./autoscaling-launchconfig-requires-imdsv2.html)
+ [autoscaling-launch-config-hop-limit](./autoscaling-launch-config-hop-limit.html)
+ [autoscaling-launch-config-public-ip-disabled](./autoscaling-launch-config-public-ip-disabled.html)
+ [autoscaling-launch-template](./autoscaling-launch-template.html)
+ [autoscaling-multiple-az](./autoscaling-multiple-az.html)
+ [autoscaling-multiple-instance-types](./autoscaling-multiple-instance-types.html)
+ [backup-plan-min-frequency-and-min-retention-check](./backup-plan-min-frequency-and-min-retention-check.html)
+ [backup-recovery-point-encrypted](./backup-recovery-point-encrypted.html)
+ [backup-recovery-point-manual-deletion-disabled](./backup-recovery-point-manual-deletion-disabled.html)
+ [backup-recovery-point-minimum-retention-check](./backup-recovery-point-minimum-retention-check.html)
+ [batch-compute-environment-enabled](./batch-compute-environment-enabled.html)
+ [batch-compute-environment-managed](./batch-compute-environment-managed.html)
+ [batch-compute-environment-tagged](./batch-compute-environment-tagged.html)
+ [batch-job-queue-enabled](./batch-job-queue-enabled.html)
+ [batch-job-queue-tagged](./batch-job-queue-tagged.html)
+ [batch-managed-compute-environment-using-launch-template](./batch-managed-compute-environment-using-launch-template.html)
+ [batch-managed-compute-env-allocation-strategy-check](./batch-managed-compute-env-allocation-strategy-check.html)
+ [batch-managed-compute-env-compute-resources-tagged](./batch-managed-compute-env-compute-resources-tagged.html)
+ [batch-managed-spot-compute-environment-max-bid](./batch-managed-spot-compute-environment-max-bid.html)
+ [batch-scheduling-policy-tagged](./batch-scheduling-policy-tagged.html)
+ [beanstalk-enhanced-health-reporting-enabled](./beanstalk-enhanced-health-reporting-enabled.html)
+ [cassandra-keyspace-tagged](./cassandra-keyspace-tagged.html)
+ [clb-desync-mode-check](./clb-desync-mode-check.html)
+ [clb-multiple-az](./clb-multiple-az.html)
+ [cloudformation-stack-drift-detection-check](./cloudformation-stack-drift-detection-check.html)
+ [cloudformation-stack-notification-check](./cloudformation-stack-notification-check.html)
+ [cloudformation-stack-service-role-check](./cloudformation-stack-service-role-check.html)
+ [cloudformation-termination-protection-check](./cloudformation-termination-protection-check.html)
+ [cloudtrail-all-read-s3-data-event-check](./cloudtrail-all-read-s3-data-event-check.html)
+ [cloudtrail-all-write-s3-data-event-check](./cloudtrail-all-write-s3-data-event-check.html)
+ [cloudtrail-event-data-store-multi-region](./cloudtrail-event-data-store-multi-region.html)
+ [cloudtrail-s3-bucket-access-logging](./cloudtrail-s3-bucket-access-logging.html)
+ [cloudtrail-s3-bucket-public-access-prohibited](./cloudtrail-s3-bucket-public-access-prohibited.html)
+ [cloudtrail-s3-dataevents-enabled](./cloudtrail-s3-dataevents-enabled.html)
+ [cloudtrail-security-trail-enabled](./cloudtrail-security-trail-enabled.html)
+ [cloudwatch-alarm-action-check](./cloudwatch-alarm-action-check.html)
+ [cloudwatch-alarm-action-enabled-check](./cloudwatch-alarm-action-enabled-check.html)
+ [cloudwatch-alarm-description](./cloudwatch-alarm-description.html)
+ [cloudwatch-alarm-resource-check](./cloudwatch-alarm-resource-check.html)
+ [cloudwatch-alarm-settings-check](./cloudwatch-alarm-settings-check.html)
+ [cloudwatch-log-group-encrypted](./cloudwatch-log-group-encrypted.html)
+ [cloudwatch-metric-stream-tagged](./cloudwatch-metric-stream-tagged.html)
+ [cloud-trail-cloud-watch-logs-enabled](./cloud-trail-cloud-watch-logs-enabled.html)
+ [cloud-trail-enabled](./cloud-trail-enabled.html)
+ [cloud-trail-encryption-enabled](./cloud-trail-encryption-enabled.html)
+ [cloud-trail-log-file-validation-enabled](./cloud-trail-log-file-validation-enabled.html)
+ [cmk-backing-key-rotation-enabled](./cmk-backing-key-rotation-enabled.html)
+ [codeartifact-repository-tagged](./codeartifact-repository-tagged.html)
+ [codebuild-project-artifact-encryption](./codebuild-project-artifact-encryption.html)
+ [codebuild-project-environment-privileged-check](./codebuild-project-environment-privileged-check.html)
+ [codebuild-project-envvar-awscred-check](./codebuild-project-envvar-awscred-check.html)
+ [codebuild-project-logging-enabled](./codebuild-project-logging-enabled.html)
+ [codebuild-project-s3-logs-encrypted](./codebuild-project-s3-logs-encrypted.html)
+ [codebuild-project-source-repo-url-check](./codebuild-project-source-repo-url-check.html)
+ [codebuild-project-tagged](./codebuild-project-tagged.html)
+ [codebuild-report-group-encrypted-at-rest](./codebuild-report-group-encrypted-at-rest.html)
+ [codebuild-report-group-tagged](./codebuild-report-group-tagged.html)
+ [codedeploy-auto-rollback-monitor-enabled](./codedeploy-auto-rollback-monitor-enabled.html)
+ [codedeploy-deployment-group-auto-rollback-enabled](./codedeploy-deployment-group-auto-rollback-enabled.html)
+ [codedeploy-deployment-group-outdated-instances-update](./codedeploy-deployment-group-outdated-instances-update.html)
+ [codedeploy-ec2-minimum-healthy-hosts-configured](./codedeploy-ec2-minimum-healthy-hosts-configured.html)
+ [codedeploy-lambda-allatonce-traffic-shift-disabled](./codedeploy-lambda-allatonce-traffic-shift-disabled.html)
+ [codeguruprofiler-profiling-group-tagged](./codeguruprofiler-profiling-group-tagged.html)
+ [codegurureviewer-repository-association-tagged](./codegurureviewer-repository-association-tagged.html)
+ [codepipeline-deployment-count-check](./codepipeline-deployment-count-check.html)
+ [codepipeline-region-fanout-check](./codepipeline-region-fanout-check.html)
+ [cognito-identity-pool-unauthenticated-logins](./cognito-identity-pool-unauthenticated-logins.html)
+ [cognito-identity-pool-unauth-access-check](./cognito-identity-pool-unauth-access-check.html)
+ [cognito-userpool-cust-auth-threat-full-check](./cognito-userpool-cust-auth-threat-full-check.html)
+ [cognito-user-pool-advanced-security-enabled](./cognito-user-pool-advanced-security-enabled.html)
+ [cognito-user-pool-deletion-protection-enabled](./cognito-user-pool-deletion-protection-enabled.html)
+ [cognito-user-pool-mfa-enabled](./cognito-user-pool-mfa-enabled.html)
+ [cognito-user-pool-password-policy-check](./cognito-user-pool-password-policy-check.html)
+ [cognito-user-pool-tagged](./cognito-user-pool-tagged.html)
+ [connect-instance-logging-enabled](./connect-instance-logging-enabled.html)
+ [customerprofiles-domain-tagged](./customerprofiles-domain-tagged.html)
+ [customerprofiles-object-type-allow-profile-creation](./customerprofiles-object-type-allow-profile-creation.html)
+ [customerprofiles-object-type-tagged](./customerprofiles-object-type-tagged.html)
+ [custom-eventbus-policy-attached](./custom-eventbus-policy-attached.html)
+ [custom-schema-registry-policy-attached](./custom-schema-registry-policy-attached.html)
+ [cw-loggroup-retention-period-check](./cw-loggroup-retention-period-check.html)
+ [datasync-location-object-storage-using-https](./datasync-location-object-storage-using-https.html)
+ [datasync-task-data-verification-enabled](./datasync-task-data-verification-enabled.html)
+ [datasync-task-logging-enabled](./datasync-task-logging-enabled.html)
+ [datasync-task-tagged](./datasync-task-tagged.html)
+ [dax-encryption-enabled](./dax-encryption-enabled.html)
+ [dax-tls-endpoint-encryption](./dax-tls-endpoint-encryption.html)
+ [db-instance-backup-enabled](./db-instance-backup-enabled.html)
+ [desired-instance-tenancy](./desired-instance-tenancy.html)
+ [desired-instance-type](./desired-instance-type.html)
+ [dms-auto-minor-version-upgrade-check](./dms-auto-minor-version-upgrade-check.html)
+ [dms-endpoint-ssl-configured](./dms-endpoint-ssl-configured.html)
+ [dms-endpoint-tagged](./dms-endpoint-tagged.html)
+ [dms-mongo-db-authentication-enabled](./dms-mongo-db-authentication-enabled.html)
+ [dms-neptune-iam-authorization-enabled](./dms-neptune-iam-authorization-enabled.html)
+ [dms-redis-tls-enabled](./dms-redis-tls-enabled.html)
+ [dms-replication-instance-multi-az-enabled](./dms-replication-instance-multi-az-enabled.html)
+ [dms-replication-not-public](./dms-replication-not-public.html)
+ [dms-replication-task-sourcedb-logging](./dms-replication-task-sourcedb-logging.html)
+ [dms-replication-task-tagged](./dms-replication-task-tagged.html)
+ [dms-replication-task-targetdb-logging](./dms-replication-task-targetdb-logging.html)
+ [docdb-cluster-audit-logging-enabled](./docdb-cluster-audit-logging-enabled.html)
+ [docdb-cluster-backup-retention-check](./docdb-cluster-backup-retention-check.html)
+ [docdb-cluster-deletion-protection-enabled](./docdb-cluster-deletion-protection-enabled.html)
+ [docdb-cluster-encrypted](./docdb-cluster-encrypted.html)
+ [docdb-cluster-encrypted-in-transit](./docdb-cluster-encrypted-in-transit.html)
+ [docdb-cluster-snapshot-public-prohibited](./docdb-cluster-snapshot-public-prohibited.html)
+ [dynamodb-autoscaling-enabled](./dynamodb-autoscaling-enabled.html)
+ [dynamodb-in-backup-plan](./dynamodb-in-backup-plan.html)
+ [dynamodb-last-backup-recovery-point-created](./dynamodb-last-backup-recovery-point-created.html)
+ [dynamodb-meets-restore-time-target](./dynamodb-meets-restore-time-target.html)
+ [dynamodb-pitr-enabled](./dynamodb-pitr-enabled.html)
+ [dynamodb-resources-protected-by-backup-plan](./dynamodb-resources-protected-by-backup-plan.html)
+ [dynamodb-table-deletion-protection-enabled](./dynamodb-table-deletion-protection-enabled.html)
+ [dynamodb-table-encrypted-kms](./dynamodb-table-encrypted-kms.html)
+ [dynamodb-table-encryption-enabled](./dynamodb-table-encryption-enabled.html)
+ [dynamodb-throughput-limit-check](./dynamodb-throughput-limit-check.html)
+ [ebs-in-backup-plan](./ebs-in-backup-plan.html)
+ [ebs-last-backup-recovery-point-created](./ebs-last-backup-recovery-point-created.html)
+ [ebs-meets-restore-time-target](./ebs-meets-restore-time-target.html)
+ [ebs-optimized-instance](./ebs-optimized-instance.html)
+ [ebs-resources-in-logically-air-gapped-vault](./ebs-resources-in-logically-air-gapped-vault.html)
+ [ebs-resources-protected-by-backup-plan](./ebs-resources-protected-by-backup-plan.html)
+ [ebs-snapshot-block-public-access](./ebs-snapshot-block-public-access.html)
+ [ebs-snapshot-public-restorable-check](./ebs-snapshot-public-restorable-check.html)
+ [ec2-capacity-reservation-tagged](./ec2-capacity-reservation-tagged.html)
+ [ec2-carrier-gateway-tagged](./ec2-carrier-gateway-tagged.html)
+ [ec2-client-vpn-connection-log-enabled](./ec2-client-vpn-connection-log-enabled.html)
+ [ec2-client-vpn-endpoint-tagged](./ec2-client-vpn-endpoint-tagged.html)
+ [ec2-client-vpn-not-authorize-all](./ec2-client-vpn-not-authorize-all.html)
+ [ec2-dhcp-options-tagged](./ec2-dhcp-options-tagged.html)
+ [ec2-ebs-encryption-by-default](./ec2-ebs-encryption-by-default.html)
+ [ec2-enis-source-destination-check-enabled](./ec2-enis-source-destination-check-enabled.html)
+ [ec2-fleet-tagged](./ec2-fleet-tagged.html)
+ [ec2-imdsv2-check](./ec2-imdsv2-check.html)
+ [ec2-instance-detailed-monitoring-enabled](./ec2-instance-detailed-monitoring-enabled.html)
+ [ec2-instance-launched-with-allowed-ami](./ec2-instance-launched-with-allowed-ami.html)
+ [ec2-instance-managed-by-ssm](./ec2-instance-managed-by-ssm.html)
+ [ec2-instance-multiple-eni-check](./ec2-instance-multiple-eni-check.html)
+ [ec2-instance-no-public-ip](./ec2-instance-no-public-ip.html)
+ [ec2-instance-profile-attached](./ec2-instance-profile-attached.html)
+ [ec2-ipamscope-tagged](./ec2-ipamscope-tagged.html)
+ [ec2-last-backup-recovery-point-created](./ec2-last-backup-recovery-point-created.html)
+ [ec2-launchtemplate-ebs-encrypted](./ec2-launchtemplate-ebs-encrypted.html)
+ [ec2-launch-templates-ebs-volume-encrypted](./ec2-launch-templates-ebs-volume-encrypted.html)
+ [ec2-launch-template-imdsv2-check](./ec2-launch-template-imdsv2-check.html)
+ [ec2-launch-template-public-ip-disabled](./ec2-launch-template-public-ip-disabled.html)
+ [ec2-launch-template-tagged](./ec2-launch-template-tagged.html)
+ [ec2-managedinstance-applications-blacklisted](./ec2-managedinstance-applications-blacklisted.html)
+ [ec2-managedinstance-applications-required](./ec2-managedinstance-applications-required.html)
+ [ec2-managedinstance-association-compliance-status-check](./ec2-managedinstance-association-compliance-status-check.html)
+ [ec2-managedinstance-inventory-blacklisted](./ec2-managedinstance-inventory-blacklisted.html)
+ [ec2-managedinstance-patch-compliance-status-check](./ec2-managedinstance-patch-compliance-status-check.html)
+ [ec2-managedinstance-platform-check](./ec2-managedinstance-platform-check.html)
+ [ec2-meets-restore-time-target](./ec2-meets-restore-time-target.html)
+ [ec2-network-insights-access-scope-analysis-tagged](./ec2-network-insights-access-scope-analysis-tagged.html)
+ [ec2-network-insights-access-scope-tagged](./ec2-network-insights-access-scope-tagged.html)
+ [ec2-network-insights-analysis-tagged](./ec2-network-insights-analysis-tagged.html)
+ [ec2-network-insights-path-tagged](./ec2-network-insights-path-tagged.html)
+ [ec2-no-amazon-key-pair](./ec2-no-amazon-key-pair.html)
+ [ec2-paravirtual-instance-check](./ec2-paravirtual-instance-check.html)
+ [ec2-prefix-list-tagged](./ec2-prefix-list-tagged.html)
+ [ec2-resources-in-logically-air-gapped-vault](./ec2-resources-in-logically-air-gapped-vault.html)
+ [ec2-resources-protected-by-backup-plan](./ec2-resources-protected-by-backup-plan.html)
+ [ec2-security-group-attached-to-eni](./ec2-security-group-attached-to-eni.html)
+ [ec2-security-group-attached-to-eni-periodic](./ec2-security-group-attached-to-eni-periodic.html)
+ [ec2-spot-fleet-request-ct-encryption-at-rest](./ec2-spot-fleet-request-ct-encryption-at-rest.html)
+ [ec2-stopped-instance](./ec2-stopped-instance.html)
+ [ec2-token-hop-limit-check](./ec2-token-hop-limit-check.html)
+ [ec2-traffic-mirror-filter-description](./ec2-traffic-mirror-filter-description.html)
+ [ec2-traffic-mirror-filter-tagged](./ec2-traffic-mirror-filter-tagged.html)
+ [ec2-traffic-mirror-session-description](./ec2-traffic-mirror-session-description.html)
+ [ec2-traffic-mirror-session-tagged](./ec2-traffic-mirror-session-tagged.html)
+ [ec2-traffic-mirror-target-description](./ec2-traffic-mirror-target-description.html)
+ [ec2-traffic-mirror-target-tagged](./ec2-traffic-mirror-target-tagged.html)
+ [ec2-transit-gateway-auto-vpc-attach-disabled](./ec2-transit-gateway-auto-vpc-attach-disabled.html)
+ [ec2-transit-gateway-multicast-domain-tagged](./ec2-transit-gateway-multicast-domain-tagged.html)
+ [ec2-volume-inuse-check](./ec2-volume-inuse-check.html)
+ [ec2-vpn-connection-ike-version-check](./ec2-vpn-connection-ike-version-check.html)
+ [ec2-vpn-connection-logging-enabled](./ec2-vpn-connection-logging-enabled.html)
+ [ec2-vpn-connection-tagged](./ec2-vpn-connection-tagged.html)
+ [ecr-private-image-scanning-enabled](./ecr-private-image-scanning-enabled.html)
+ [ecr-private-lifecycle-policy-configured](./ecr-private-lifecycle-policy-configured.html)
+ [ecr-private-tag-immutability-enabled](./ecr-private-tag-immutability-enabled.html)
+ [ecr-repository-cmk-encryption-enabled](./ecr-repository-cmk-encryption-enabled.html)
+ [ecr-repository-tagged](./ecr-repository-tagged.html)
+ [ecs-awsvpc-networking-enabled](./ecs-awsvpc-networking-enabled.html)
+ [ecs-capacity-provider-tagged](./ecs-capacity-provider-tagged.html)
+ [ecs-capacity-provider-termination-check](./ecs-capacity-provider-termination-check.html)
+ [ecs-containers-nonprivileged](./ecs-containers-nonprivileged.html)
+ [ecs-containers-readonly-access](./ecs-containers-readonly-access.html)
+ [ecs-container-insights-enabled](./ecs-container-insights-enabled.html)
+ [ecs-fargate-latest-platform-version](./ecs-fargate-latest-platform-version.html)
+ [ecs-no-environment-secrets](./ecs-no-environment-secrets.html)
+ [ecs-service-propagate-tags-enabled](./ecs-service-propagate-tags-enabled.html)
+ [ecs-task-definition-efs-encryption-enabled](./ecs-task-definition-efs-encryption-enabled.html)
+ [ecs-task-definition-linux-user-non-root](./ecs-task-definition-linux-user-non-root.html)
+ [ecs-task-definition-log-configuration](./ecs-task-definition-log-configuration.html)
+ [ecs-task-definition-memory-hard-limit](./ecs-task-definition-memory-hard-limit.html)
+ [ecs-task-definition-network-mode-not-host](./ecs-task-definition-network-mode-not-host.html)
+ [ecs-task-definition-nonroot-user](./ecs-task-definition-nonroot-user.html)
+ [ecs-task-definition-pid-mode-check](./ecs-task-definition-pid-mode-check.html)
+ [ecs-task-definition-user-for-host-mode-check](./ecs-task-definition-user-for-host-mode-check.html)
+ [ecs-task-definition-windows-user-non-admin](./ecs-task-definition-windows-user-non-admin.html)
+ [efs-access-point-enforce-root-directory](./efs-access-point-enforce-root-directory.html)
+ [efs-access-point-enforce-user-identity](./efs-access-point-enforce-user-identity.html)
+ [efs-automatic-backups-enabled](./efs-automatic-backups-enabled.html)
+ [efs-encrypted-check](./efs-encrypted-check.html)
+ [efs-filesystem-ct-encrypted](./efs-filesystem-ct-encrypted.html)
+ [efs-file-system-tagged](./efs-file-system-tagged.html)
+ [efs-in-backup-plan](./efs-in-backup-plan.html)
+ [efs-last-backup-recovery-point-created](./efs-last-backup-recovery-point-created.html)
+ [efs-meets-restore-time-target](./efs-meets-restore-time-target.html)
+ [efs-mount-target-public-accessible](./efs-mount-target-public-accessible.html)
+ [efs-resources-in-logically-air-gapped-vault](./efs-resources-in-logically-air-gapped-vault.html)
+ [efs-resources-protected-by-backup-plan](./efs-resources-protected-by-backup-plan.html)
+ [eip-attached](./eip-attached.html)
+ [eks-addon-tagged](./eks-addon-tagged.html)
+ [eks-cluster-logging-enabled](./eks-cluster-logging-enabled.html)
+ [eks-cluster-log-enabled](./eks-cluster-log-enabled.html)
+ [eks-cluster-oldest-supported-version](./eks-cluster-oldest-supported-version.html)
+ [eks-cluster-secrets-encrypted](./eks-cluster-secrets-encrypted.html)
+ [eks-cluster-supported-version](./eks-cluster-supported-version.html)
+ [eks-endpoint-no-public-access](./eks-endpoint-no-public-access.html)
+ [eks-fargate-profile-tagged](./eks-fargate-profile-tagged.html)
+ [eks-nodegroup-supported-version-check](./eks-nodegroup-supported-version-check.html)
+ [eks-secrets-encrypted](./eks-secrets-encrypted.html)
+ [elasticache-automatic-backup-check-enabled](./elasticache-automatic-backup-check-enabled.html)
+ [elasticache-auto-minor-version-upgrade-check](./elasticache-auto-minor-version-upgrade-check.html)
+ [elasticache-rbac-auth-enabled](./elasticache-rbac-auth-enabled.html)
+ [elasticache-redis-cluster-automatic-backup-check](./elasticache-redis-cluster-automatic-backup-check.html)
+ [elasticache-repl-grp-auto-failover-enabled](./elasticache-repl-grp-auto-failover-enabled.html)
+ [elasticache-repl-grp-encrypted-at-rest](./elasticache-repl-grp-encrypted-at-rest.html)
+ [elasticache-repl-grp-encrypted-in-transit](./elasticache-repl-grp-encrypted-in-transit.html)
+ [elasticache-repl-grp-redis-auth-enabled](./elasticache-repl-grp-redis-auth-enabled.html)
+ [elasticache-subnet-group-check](./elasticache-subnet-group-check.html)
+ [elasticache-supported-engine-version](./elasticache-supported-engine-version.html)
+ [elasticbeanstalk-application-description](./elasticbeanstalk-application-description.html)
+ [elasticbeanstalk-application-version-description](./elasticbeanstalk-application-version-description.html)
+ [elasticbeanstalk-environment-description](./elasticbeanstalk-environment-description.html)
+ [elasticsearch-encrypted-at-rest](./elasticsearch-encrypted-at-rest.html)
+ [elasticsearch-in-vpc-only](./elasticsearch-in-vpc-only.html)
+ [elasticsearch-logs-to-cloudwatch](./elasticsearch-logs-to-cloudwatch.html)
+ [elasticsearch-node-to-node-encryption-check](./elasticsearch-node-to-node-encryption-check.html)
+ [elastic-beanstalk-logs-to-cloudwatch](./elastic-beanstalk-logs-to-cloudwatch.html)
+ [elastic-beanstalk-managed-updates-enabled](./elastic-beanstalk-managed-updates-enabled.html)
+ [elbv2-acm-certificate-required](./elbv2-acm-certificate-required.html)
+ [elbv2-listener-encryption-in-transit](./elbv2-listener-encryption-in-transit.html)
+ [elbv2-multiple-az](./elbv2-multiple-az.html)
+ [elbv2-predefined-security-policy-ssl-check](./elbv2-predefined-security-policy-ssl-check.html)
+ [elbv2-targetgroup-healthcheck-protocol-encrypted](./elbv2-targetgroup-healthcheck-protocol-encrypted.html)
+ [elbv2-targetgroup-protocol-encrypted](./elbv2-targetgroup-protocol-encrypted.html)
+ [elb-acm-certificate-required](./elb-acm-certificate-required.html)
+ [elb-cross-zone-load-balancing-enabled](./elb-cross-zone-load-balancing-enabled.html)
+ [elb-custom-security-policy-ssl-check](./elb-custom-security-policy-ssl-check.html)
+ [elb-deletion-protection-enabled](./elb-deletion-protection-enabled.html)
+ [elb-internal-scheme-check](./elb-internal-scheme-check.html)
+ [elb-logging-enabled](./elb-logging-enabled.html)
+ [elb-predefined-security-policy-ssl-check](./elb-predefined-security-policy-ssl-check.html)
+ [elb-tagged](./elb-tagged.html)
+ [elb-tls-https-listeners-only](./elb-tls-https-listeners-only.html)
+ [emr-block-public-access](./emr-block-public-access.html)
+ [emr-kerberos-enabled](./emr-kerberos-enabled.html)
+ [emr-master-no-public-ip](./emr-master-no-public-ip.html)
+ [emr-security-configuration-encryption-rest](./emr-security-configuration-encryption-rest.html)
+ [emr-security-configuration-encryption-transit](./emr-security-configuration-encryption-transit.html)
+ [encrypted-volumes](./encrypted-volumes.html)
+ [eventschemas-discoverer-tagged](./eventschemas-discoverer-tagged.html)
+ [eventschemas-registry-tagged](./eventschemas-registry-tagged.html)
+ [event-data-store-cmk-encryption-enabled](./event-data-store-cmk-encryption-enabled.html)
+ [evidently-launch-description](./evidently-launch-description.html)
+ [evidently-launch-tagged](./evidently-launch-tagged.html)
+ [evidently-project-description](./evidently-project-description.html)
+ [evidently-project-tagged](./evidently-project-tagged.html)
+ [evidently-segment-description](./evidently-segment-description.html)
+ [evidently-segment-tagged](./evidently-segment-tagged.html)
+ [fis-experiment-template-log-configuration-exists](./fis-experiment-template-log-configuration-exists.html)
+ [fis-experiment-template-tagged](./fis-experiment-template-tagged.html)
+ [fms-shield-resource-policy-check](./fms-shield-resource-policy-check.html)
+ [fms-webacl-resource-policy-check](./fms-webacl-resource-policy-check.html)
+ [fms-webacl-rulegroup-association-check](./fms-webacl-rulegroup-association-check.html)
+ [frauddetector-entity-type-tagged](./frauddetector-entity-type-tagged.html)
+ [frauddetector-label-tagged](./frauddetector-label-tagged.html)
+ [frauddetector-outcome-tagged](./frauddetector-outcome-tagged.html)
+ [frauddetector-variable-tagged](./frauddetector-variable-tagged.html)
+ [fsx-last-backup-recovery-point-created](./fsx-last-backup-recovery-point-created.html)
+ [fsx-lustre-copy-tags-to-backups](./fsx-lustre-copy-tags-to-backups.html)
+ [fsx-meets-restore-time-target](./fsx-meets-restore-time-target.html)
+ [fsx-ontap-deployment-type-check](./fsx-ontap-deployment-type-check.html)
+ [fsx-openzfs-copy-tags-enabled](./fsx-openzfs-copy-tags-enabled.html)
+ [fsx-openzfs-deployment-type-check](./fsx-openzfs-deployment-type-check.html)
+ [fsx-resources-protected-by-backup-plan](./fsx-resources-protected-by-backup-plan.html)
+ [fsx-windows-audit-log-configured](./fsx-windows-audit-log-configured.html)
+ [fsx-windows-deployment-type-check](./fsx-windows-deployment-type-check.html)
+ [glb-listener-tagged](./glb-listener-tagged.html)
+ [glb-tagged](./glb-tagged.html)
+ [global-endpoint-event-replication-enabled](./global-endpoint-event-replication-enabled.html)
+ [glue-job-logging-enabled](./glue-job-logging-enabled.html)
+ [glue-ml-transform-encrypted-at-rest](./glue-ml-transform-encrypted-at-rest.html)
+ [glue-ml-transform-tagged](./glue-ml-transform-tagged.html)
+ [glue-spark-job-supported-version](./glue-spark-job-supported-version.html)
+ [groundstation-config-tagged](./groundstation-config-tagged.html)
+ [groundstation-dataflowendpointgroup-tagged](./groundstation-dataflowendpointgroup-tagged.html)
+ [groundstation-missionprofile-tagged](./groundstation-missionprofile-tagged.html)
+ [guardduty-ec2-protection-runtime-enabled](./guardduty-ec2-protection-runtime-enabled.html)
+ [guardduty-ecs-protection-runtime-enabled](./guardduty-ecs-protection-runtime-enabled.html)
+ [guardduty-eks-protection-audit-enabled](./guardduty-eks-protection-audit-enabled.html)
+ [guardduty-eks-protection-runtime-enabled](./guardduty-eks-protection-runtime-enabled.html)
+ [guardduty-enabled-centralized](./guardduty-enabled-centralized.html)
+ [guardduty-lambda-protection-enabled](./guardduty-lambda-protection-enabled.html)
+ [guardduty-malware-protection-enabled](./guardduty-malware-protection-enabled.html)
+ [guardduty-non-archived-findings](./guardduty-non-archived-findings.html)
+ [guardduty-rds-protection-enabled](./guardduty-rds-protection-enabled.html)
+ [guardduty-runtime-monitoring-enabled](./guardduty-runtime-monitoring-enabled.html)
+ [guardduty-s3-protection-enabled](./guardduty-s3-protection-enabled.html)
+ [iam-customer-policy-blocked-kms-actions](./iam-customer-policy-blocked-kms-actions.html)
+ [iam-external-access-analyzer-enabled](./iam-external-access-analyzer-enabled.html)
+ [iam-group-has-users-check](./iam-group-has-users-check.html)
+ [iam-inline-policy-blocked-kms-actions](./iam-inline-policy-blocked-kms-actions.html)
+ [iam-no-inline-policy-check](./iam-no-inline-policy-check.html)
+ [iam-password-policy](./iam-password-policy.html)
+ [iam-policy-blacklisted-check](./iam-policy-blacklisted-check.html)
+ [iam-policy-description](./iam-policy-description.html)
+ [iam-policy-in-use](./iam-policy-in-use.html)
+ [iam-policy-no-statements-with-admin-access](./iam-policy-no-statements-with-admin-access.html)
+ [iam-policy-no-statements-with-full-access](./iam-policy-no-statements-with-full-access.html)
+ [iam-role-managed-policy-check](./iam-role-managed-policy-check.html)
+ [iam-root-access-key-check](./iam-root-access-key-check.html)
+ [iam-user-group-membership-check](./iam-user-group-membership-check.html)
+ [iam-user-mfa-enabled](./iam-user-mfa-enabled.html)
+ [iam-user-no-policies-check](./iam-user-no-policies-check.html)
+ [iam-user-unused-credentials-check](./iam-user-unused-credentials-check.html)
+ [imagebuilder-distributionconfiguration-tagged](./imagebuilder-distributionconfiguration-tagged.html)
+ [imagebuilder-imagepipeline-tagged](./imagebuilder-imagepipeline-tagged.html)
+ [imagebuilder-imagerecipe-ebs-volumes-encrypted](./imagebuilder-imagerecipe-ebs-volumes-encrypted.html)
+ [imagebuilder-imagerecipe-tagged](./imagebuilder-imagerecipe-tagged.html)
+ [imagebuilder-infrastructureconfiguration-tagged](./imagebuilder-infrastructureconfiguration-tagged.html)
+ [incoming-ssh-disabled](./incoming-ssh-disabled.html)
+ [inspector-ec2-scan-enabled](./inspector-ec2-scan-enabled.html)
+ [inspector-ecr-scan-enabled](./inspector-ecr-scan-enabled.html)
+ [inspector-lambda-code-scan-enabled](./inspector-lambda-code-scan-enabled.html)
+ [inspector-lambda-standard-scan-enabled](./inspector-lambda-standard-scan-enabled.html)
+ [instances-in-vpc](./instances-in-vpc.html)
+ [internet-gateway-authorized-vpc-only](./internet-gateway-authorized-vpc-only.html)
+ [iotdevicedefender-custom-metric-tagged](./iotdevicedefender-custom-metric-tagged.html)
+ [iotevents-alarm-model-tagged](./iotevents-alarm-model-tagged.html)
+ [iotevents-detector-model-tagged](./iotevents-detector-model-tagged.html)
+ [iotevents-input-tagged](./iotevents-input-tagged.html)
+ [iotsitewise-asset-model-tagged](./iotsitewise-asset-model-tagged.html)
+ [iotsitewise-dashboard-tagged](./iotsitewise-dashboard-tagged.html)
+ [iotsitewise-gateway-tagged](./iotsitewise-gateway-tagged.html)
+ [iotsitewise-portal-tagged](./iotsitewise-portal-tagged.html)
+ [iotsitewise-project-tagged](./iotsitewise-project-tagged.html)
+ [iottwinmaker-component-type-tagged](./iottwinmaker-component-type-tagged.html)
+ [iottwinmaker-entity-tagged](./iottwinmaker-entity-tagged.html)
+ [iottwinmaker-scene-tagged](./iottwinmaker-scene-tagged.html)
+ [iottwinmaker-sync-job-tagged](./iottwinmaker-sync-job-tagged.html)
+ [iottwinmaker-workspace-tagged](./iottwinmaker-workspace-tagged.html)
+ [iotwireless-fuota-task-tagged](./iotwireless-fuota-task-tagged.html)
+ [iotwireless-multicast-group-tagged](./iotwireless-multicast-group-tagged.html)
+ [iotwireless-service-profile-tagged](./iotwireless-service-profile-tagged.html)
+ [iot-authorizer-token-signing-enabled](./iot-authorizer-token-signing-enabled.html)
+ [iot-job-template-tagged](./iot-job-template-tagged.html)
+ [iot-provisioning-template-description](./iot-provisioning-template-description.html)
+ [iot-provisioning-template-jitp](./iot-provisioning-template-jitp.html)
+ [iot-provisioning-template-tagged](./iot-provisioning-template-tagged.html)
+ [iot-scheduled-audit-tagged](./iot-scheduled-audit-tagged.html)
+ [kendra-index-tagged](./kendra-index-tagged.html)
+ [kinesisvideo-signalingchannel-tagged](./kinesisvideo-signalingchannel-tagged.html)
+ [kinesisvideo-stream-tagged](./kinesisvideo-stream-tagged.html)
+ [kinesis-firehose-delivery-stream-encrypted](./kinesis-firehose-delivery-stream-encrypted.html)
+ [kinesis-stream-backup-retention-check](./kinesis-stream-backup-retention-check.html)
+ [kinesis-stream-encrypted](./kinesis-stream-encrypted.html)
+ [kinesis-video-stream-minimum-data-retention](./kinesis-video-stream-minimum-data-retention.html)
+ [kms-cmk-not-scheduled-for-deletion](./kms-cmk-not-scheduled-for-deletion.html)
+ [kms-key-policy-no-public-access](./kms-key-policy-no-public-access.html)
+ [kms-key-tagged](./kms-key-tagged.html)
+ [lambda-concurrency-check](./lambda-concurrency-check.html)
+ [lambda-dlq-check](./lambda-dlq-check.html)
+ [lambda-function-application-log-level-check](./lambda-function-application-log-level-check.html)
+ [lambda-function-description](./lambda-function-description.html)
+ [lambda-function-log-format-json](./lambda-function-log-format-json.html)
+ [lambda-function-public-access-prohibited](./lambda-function-public-access-prohibited.html)
+ [lambda-function-settings-check](./lambda-function-settings-check.html)
+ [lambda-function-system-log-level-check](./lambda-function-system-log-level-check.html)
+ [lambda-function-xray-enabled](./lambda-function-xray-enabled.html)
+ [lambda-inside-vpc](./lambda-inside-vpc.html)
+ [lambda-vpc-multi-az-check](./lambda-vpc-multi-az-check.html)
+ [lightsail-bucket-allow-public-overrides-disabled](./lightsail-bucket-allow-public-overrides-disabled.html)
+ [lightsail-bucket-object-versioning-enabled](./lightsail-bucket-object-versioning-enabled.html)
+ [lightsail-bucket-tagged](./lightsail-bucket-tagged.html)
+ [lightsail-certificate-tagged](./lightsail-certificate-tagged.html)
+ [lightsail-disk-tagged](./lightsail-disk-tagged.html)
+ [macie-auto-sensitive-data-discovery-check](./macie-auto-sensitive-data-discovery-check.html)
+ [macie-status-check](./macie-status-check.html)
+ [mariadb-publish-logs-to-cloudwatch-logs](./mariadb-publish-logs-to-cloudwatch-logs.html)
+ [mediapackage-packagingconfiguration-tagged](./mediapackage-packagingconfiguration-tagged.html)
+ [mediatailor-playbackconfiguration-tagged](./mediatailor-playbackconfiguration-tagged.html)
+ [memorydb-subnetgroup-tagged](./memorydb-subnetgroup-tagged.html)
+ [mfa-enabled-for-iam-console-access](./mfa-enabled-for-iam-console-access.html)
+ [mq-active-broker-ldap-authentication](./mq-active-broker-ldap-authentication.html)
+ [mq-active-deployment-mode](./mq-active-deployment-mode.html)
+ [mq-active-single-instance-broker-storage-type-efs](./mq-active-single-instance-broker-storage-type-efs.html)
+ [mq-automatic-minor-version-upgrade-enabled](./mq-automatic-minor-version-upgrade-enabled.html)
+ [mq-auto-minor-version-upgrade-enabled](./mq-auto-minor-version-upgrade-enabled.html)
+ [mq-broker-general-logging-enabled](./mq-broker-general-logging-enabled.html)
+ [mq-cloudwatch-audit-logging-enabled](./mq-cloudwatch-audit-logging-enabled.html)
+ [mq-cloudwatch-audit-log-enabled](./mq-cloudwatch-audit-log-enabled.html)
+ [mq-no-public-access](./mq-no-public-access.html)
+ [mq-rabbit-deployment-mode](./mq-rabbit-deployment-mode.html)
+ [msk-cluster-public-access-disabled](./msk-cluster-public-access-disabled.html)
+ [msk-cluster-tagged](./msk-cluster-tagged.html)
+ [msk-connect-connector-logging-enabled](./msk-connect-connector-logging-enabled.html)
+ [msk-enhanced-monitoring-enabled](./msk-enhanced-monitoring-enabled.html)
+ [msk-in-cluster-node-require-tls](./msk-in-cluster-node-require-tls.html)
+ [msk-unrestricted-access-check](./msk-unrestricted-access-check.html)
+ [multi-region-cloud-trail-enabled](./multi-region-cloud-trail-enabled.html)
+ [nacl-no-unrestricted-ssh-rdp](./nacl-no-unrestricted-ssh-rdp.html)
+ [neptune-cluster-backup-retention-check](./neptune-cluster-backup-retention-check.html)
+ [neptune-cluster-cloudwatch-log-export-enabled](./neptune-cluster-cloudwatch-log-export-enabled.html)
+ [neptune-cluster-copy-tags-to-snapshot-enabled](./neptune-cluster-copy-tags-to-snapshot-enabled.html)
+ [neptune-cluster-deletion-protection-enabled](./neptune-cluster-deletion-protection-enabled.html)
+ [neptune-cluster-encrypted](./neptune-cluster-encrypted.html)
+ [neptune-cluster-iam-database-authentication](./neptune-cluster-iam-database-authentication.html)
+ [neptune-cluster-multi-az-enabled](./neptune-cluster-multi-az-enabled.html)
+ [neptune-cluster-snapshot-encrypted](./neptune-cluster-snapshot-encrypted.html)
+ [neptune-cluster-snapshot-iam-database-auth-enabled](./neptune-cluster-snapshot-iam-database-auth-enabled.html)
+ [neptune-cluster-snapshot-public-prohibited](./neptune-cluster-snapshot-public-prohibited.html)
+ [netfw-deletion-protection-enabled](./netfw-deletion-protection-enabled.html)
+ [netfw-logging-enabled](./netfw-logging-enabled.html)
+ [netfw-multi-az-enabled](./netfw-multi-az-enabled.html)
+ [netfw-policy-default-action-fragment-packets](./netfw-policy-default-action-fragment-packets.html)
+ [netfw-policy-default-action-full-packets](./netfw-policy-default-action-full-packets.html)
+ [netfw-policy-rule-group-associated](./netfw-policy-rule-group-associated.html)
+ [netfw-stateless-rule-group-not-empty](./netfw-stateless-rule-group-not-empty.html)
+ [netfw-subnet-change-protection-enabled](./netfw-subnet-change-protection-enabled.html)
+ [nlb-cross-zone-load-balancing-enabled](./nlb-cross-zone-load-balancing-enabled.html)
+ [nlb-internal-scheme-check](./nlb-internal-scheme-check.html)
+ [nlb-listener-tagged](./nlb-listener-tagged.html)
+ [nlb-logging-enabled](./nlb-logging-enabled.html)
+ [nlb-tagged](./nlb-tagged.html)
+ [no-unrestricted-route-to-igw](./no-unrestricted-route-to-igw.html)
+ [opensearchserverless-collection-description](./opensearchserverless-collection-description.html)
+ [opensearchserverless-collection-standbyreplicas-enabled](./opensearchserverless-collection-standbyreplicas-enabled.html)
+ [opensearch-access-control-enabled](./opensearch-access-control-enabled.html)
+ [opensearch-audit-logging-enabled](./opensearch-audit-logging-enabled.html)
+ [opensearch-data-node-fault-tolerance](./opensearch-data-node-fault-tolerance.html)
+ [opensearch-encrypted-at-rest](./opensearch-encrypted-at-rest.html)
+ [opensearch-https-required](./opensearch-https-required.html)
+ [opensearch-in-vpc-only](./opensearch-in-vpc-only.html)
+ [opensearch-logs-to-cloudwatch](./opensearch-logs-to-cloudwatch.html)
+ [opensearch-node-to-node-encryption-check](./opensearch-node-to-node-encryption-check.html)
+ [opensearch-primary-node-fault-tolerance](./opensearch-primary-node-fault-tolerance.html)
+ [opensearch-update-check](./opensearch-update-check.html)
+ [panorama-package-tagged](./panorama-package-tagged.html)
+ [rabbit-mq-supported-version](./rabbit-mq-supported-version.html)
+ [rds-aurora-mysql-audit-logging-enabled](./rds-aurora-mysql-audit-logging-enabled.html)
+ [rds-aurora-postgresql-logs-to-cloudwatch](./rds-aurora-postgresql-logs-to-cloudwatch.html)
+ [rds-automatic-minor-version-upgrade-enabled](./rds-automatic-minor-version-upgrade-enabled.html)
+ [rds-cluster-auto-minor-version-upgrade-enable](./rds-cluster-auto-minor-version-upgrade-enable.html)
+ [rds-cluster-backup-retention-check](./rds-cluster-backup-retention-check.html)
+ [rds-cluster-default-admin-check](./rds-cluster-default-admin-check.html)
+ [rds-cluster-deletion-protection-enabled](./rds-cluster-deletion-protection-enabled.html)
+ [rds-cluster-encrypted-at-rest](./rds-cluster-encrypted-at-rest.html)
+ [rds-cluster-iam-authentication-enabled](./rds-cluster-iam-authentication-enabled.html)
+ [rds-cluster-multi-az-enabled](./rds-cluster-multi-az-enabled.html)
+ [rds-db-security-group-not-allowed](./rds-db-security-group-not-allowed.html)
+ [rds-enhanced-monitoring-enabled](./rds-enhanced-monitoring-enabled.html)
+ [rds-event-subscription-tagged](./rds-event-subscription-tagged.html)
+ [rds-global-cluster-aurora-mysql-supported-version](./rds-global-cluster-aurora-mysql-supported-version.html)
+ [rds-instance-default-admin-check](./rds-instance-default-admin-check.html)
+ [rds-instance-deletion-protection-enabled](./rds-instance-deletion-protection-enabled.html)
+ [rds-instance-iam-authentication-enabled](./rds-instance-iam-authentication-enabled.html)
+ [rds-instance-public-access-check](./rds-instance-public-access-check.html)
+ [rds-instance-subnet-igw-check](./rds-instance-subnet-igw-check.html)
+ [rds-in-backup-plan](./rds-in-backup-plan.html)
+ [rds-last-backup-recovery-point-created](./rds-last-backup-recovery-point-created.html)
+ [rds-logging-enabled](./rds-logging-enabled.html)
+ [rds-mariadb-instance-encrypted-in-transit](./rds-mariadb-instance-encrypted-in-transit.html)
+ [rds-meets-restore-time-target](./rds-meets-restore-time-target.html)
+ [rds-multi-az-support](./rds-multi-az-support.html)
+ [rds-mysql-cluster-copy-tags-to-snapshot-check](./rds-mysql-cluster-copy-tags-to-snapshot-check.html)
+ [rds-mysql-instance-encrypted-in-transit](./rds-mysql-instance-encrypted-in-transit.html)
+ [rds-option-group-tagged](./rds-option-group-tagged.html)
+ [rds-pgsql-cluster-copy-tags-to-snapshot-check](./rds-pgsql-cluster-copy-tags-to-snapshot-check.html)
+ [rds-postgresql-logs-to-cloudwatch](./rds-postgresql-logs-to-cloudwatch.html)
+ [rds-postgres-instance-encrypted-in-transit](./rds-postgres-instance-encrypted-in-transit.html)
+ [rds-proxy-tls-encryption](./rds-proxy-tls-encryption.html)
+ [rds-resources-protected-by-backup-plan](./rds-resources-protected-by-backup-plan.html)
+ [rds-snapshots-public-prohibited](./rds-snapshots-public-prohibited.html)
+ [rds-snapshot-encrypted](./rds-snapshot-encrypted.html)
+ [rds-sqlserver-encrypted-in-transit](./rds-sqlserver-encrypted-in-transit.html)
+ [rds-sql-server-logs-to-cloudwatch](./rds-sql-server-logs-to-cloudwatch.html)
+ [rds-storage-encrypted](./rds-storage-encrypted.html)
+ [redshift-audit-logging-enabled](./redshift-audit-logging-enabled.html)
+ [redshift-backup-enabled](./redshift-backup-enabled.html)
+ [redshift-cluster-configuration-check](./redshift-cluster-configuration-check.html)
+ [redshift-cluster-kms-enabled](./redshift-cluster-kms-enabled.html)
+ [redshift-cluster-maintenancesettings-check](./redshift-cluster-maintenancesettings-check.html)
+ [redshift-cluster-multi-az-enabled](./redshift-cluster-multi-az-enabled.html)
+ [redshift-cluster-parameter-group-tagged](./redshift-cluster-parameter-group-tagged.html)
+ [redshift-cluster-public-access-check](./redshift-cluster-public-access-check.html)
+ [redshift-cluster-subnet-group-multi-az](./redshift-cluster-subnet-group-multi-az.html)
+ [redshift-default-admin-check](./redshift-default-admin-check.html)
+ [redshift-default-db-name-check](./redshift-default-db-name-check.html)
+ [redshift-enhanced-vpc-routing-enabled](./redshift-enhanced-vpc-routing-enabled.html)
+ [redshift-require-tls-ssl](./redshift-require-tls-ssl.html)
+ [redshift-serverless-default-admin-check](./redshift-serverless-default-admin-check.html)
+ [redshift-serverless-default-db-name-check](./redshift-serverless-default-db-name-check.html)
+ [redshift-serverless-namespace-cmk-encryption](./redshift-serverless-namespace-cmk-encryption.html)
+ [redshift-serverless-publish-logs-to-cloudwatch](./redshift-serverless-publish-logs-to-cloudwatch.html)
+ [redshift-serverless-workgroup-encrypted-in-transit](./redshift-serverless-workgroup-encrypted-in-transit.html)
+ [redshift-serverless-workgroup-no-public-access](./redshift-serverless-workgroup-no-public-access.html)
+ [redshift-serverless-workgroup-routes-within-vpc](./redshift-serverless-workgroup-routes-within-vpc.html)
+ [redshift-unrestricted-port-access](./redshift-unrestricted-port-access.html)
+ [required-tags](./required-tags.html)
+ [resiliencehub-app-tagged](./resiliencehub-app-tagged.html)
+ [resiliencehub-resiliencypolicy-tagged](./resiliencehub-resiliencypolicy-tagged.html)
+ [restricted-incoming-traffic](./restricted-incoming-traffic.html)
+ [root-account-hardware-mfa-enabled](./root-account-hardware-mfa-enabled.html)
+ [root-account-mfa-enabled](./root-account-mfa-enabled.html)
+ [route53-resolver-firewall-domain-list-tagged](./route53-resolver-firewall-domain-list-tagged.html)
+ [route53-resolver-firewall-rule-group-association-tagged](./route53-resolver-firewall-rule-group-association-tagged.html)
+ [route53-resolver-firewall-rule-group-tagged](./route53-resolver-firewall-rule-group-tagged.html)
+ [route53-resolver-resolver-endpoint-tagged](./route53-resolver-resolver-endpoint-tagged.html)
+ [route53-resolver-resolver-rule-tagged](./route53-resolver-resolver-rule-tagged.html)
+ [rum-app-monitor-cloudwatch-logs-enabled](./rum-app-monitor-cloudwatch-logs-enabled.html)
+ [rum-app-monitor-tagged](./rum-app-monitor-tagged.html)
+ [s3-access-point-in-vpc-only](./s3-access-point-in-vpc-only.html)
+ [s3-access-point-public-access-blocks](./s3-access-point-public-access-blocks.html)
+ [s3-account-level-public-access-blocks](./s3-account-level-public-access-blocks.html)
+ [s3-account-level-public-access-blocks-periodic](./s3-account-level-public-access-blocks-periodic.html)
+ [s3-bucket-acl-prohibited](./s3-bucket-acl-prohibited.html)
+ [s3-bucket-blacklisted-actions-prohibited](./s3-bucket-blacklisted-actions-prohibited.html)
+ [s3-bucket-cross-region-replication-enabled](./s3-bucket-cross-region-replication-enabled.html)
+ [s3-bucket-default-lock-enabled](./s3-bucket-default-lock-enabled.html)
+ [s3-bucket-level-public-access-prohibited](./s3-bucket-level-public-access-prohibited.html)
+ [s3-bucket-logging-enabled](./s3-bucket-logging-enabled.html)
+ [s3-bucket-mfa-delete-enabled](./s3-bucket-mfa-delete-enabled.html)
+ [s3-bucket-policy-grantee-check](./s3-bucket-policy-grantee-check.html)
+ [s3-bucket-policy-not-more-permissive](./s3-bucket-policy-not-more-permissive.html)
+ [s3-bucket-public-read-prohibited](./s3-bucket-public-read-prohibited.html)
+ [s3-bucket-public-write-prohibited](./s3-bucket-public-write-prohibited.html)
+ [s3-bucket-replication-enabled](./s3-bucket-replication-enabled.html)
+ [s3-bucket-server-side-encryption-enabled](./s3-bucket-server-side-encryption-enabled.html)
+ [s3-bucket-ssl-requests-only](./s3-bucket-ssl-requests-only.html)
+ [s3-bucket-tagged](./s3-bucket-tagged.html)
+ [s3-bucket-versioning-enabled](./s3-bucket-versioning-enabled.html)
+ [s3-default-encryption-kms](./s3-default-encryption-kms.html)
+ [s3-event-notifications-enabled](./s3-event-notifications-enabled.html)
+ [s3-last-backup-recovery-point-created](./s3-last-backup-recovery-point-created.html)
+ [s3-lifecycle-policy-check](./s3-lifecycle-policy-check.html)
+ [s3-meets-restore-time-target](./s3-meets-restore-time-target.html)
+ [s3-resources-in-logically-air-gapped-vault](./s3-resources-in-logically-air-gapped-vault.html)
+ [s3-resources-protected-by-backup-plan](./s3-resources-protected-by-backup-plan.html)
+ [s3-version-lifecycle-policy-check](./s3-version-lifecycle-policy-check.html)
+ [sagemaker-app-image-config-tagged](./sagemaker-app-image-config-tagged.html)
+ [sagemaker-data-quality-job-encrypt-in-transit](./sagemaker-data-quality-job-encrypt-in-transit.html)
+ [sagemaker-data-quality-job-isolation](./sagemaker-data-quality-job-isolation.html)
+ [sagemaker-domain-in-vpc](./sagemaker-domain-in-vpc.html)
+ [sagemaker-domain-tagged](./sagemaker-domain-tagged.html)
+ [sagemaker-endpoint-configuration-kms-key-configured](./sagemaker-endpoint-configuration-kms-key-configured.html)
+ [sagemaker-endpoint-config-prod-instance-count](./sagemaker-endpoint-config-prod-instance-count.html)
+ [sagemaker-featuregroup-description](./sagemaker-featuregroup-description.html)
+ [sagemaker-featuregroup-encryption-at-rest](./sagemaker-featuregroup-encryption-at-rest.html)
+ [sagemaker-feature-group-tagged](./sagemaker-feature-group-tagged.html)
+ [sagemaker-image-description](./sagemaker-image-description.html)
+ [sagemaker-image-tagged](./sagemaker-image-tagged.html)
+ [sagemaker-inferenceexperiment-tagged](./sagemaker-inferenceexperiment-tagged.html)
+ [sagemaker-model-bias-job-encrypt-in-transit](./sagemaker-model-bias-job-encrypt-in-transit.html)
+ [sagemaker-model-bias-job-isolation](./sagemaker-model-bias-job-isolation.html)
+ [sagemaker-model-explainability-job-encrypt-in-transit](./sagemaker-model-explainability-job-encrypt-in-transit.html)
+ [sagemaker-model-in-vpc](./sagemaker-model-in-vpc.html)
+ [sagemaker-model-isolation-enabled](./sagemaker-model-isolation-enabled.html)
+ [sagemaker-model-private-registry-required](./sagemaker-model-private-registry-required.html)
+ [sagemaker-model-quality-job-encrypt-in-transit](./sagemaker-model-quality-job-encrypt-in-transit.html)
+ [sagemaker-monitoring-schedule-isolation](./sagemaker-monitoring-schedule-isolation.html)
+ [sagemaker-notebook-instance-inside-vpc](./sagemaker-notebook-instance-inside-vpc.html)
+ [sagemaker-notebook-instance-kms-key-configured](./sagemaker-notebook-instance-kms-key-configured.html)
+ [sagemaker-notebook-instance-platform-version](./sagemaker-notebook-instance-platform-version.html)
+ [sagemaker-notebook-instance-root-access-check](./sagemaker-notebook-instance-root-access-check.html)
+ [sagemaker-notebook-no-direct-internet-access](./sagemaker-notebook-no-direct-internet-access.html)
+ [secretsmanager-rotation-enabled-check](./secretsmanager-rotation-enabled-check.html)
+ [secretsmanager-scheduled-rotation-success-check](./secretsmanager-scheduled-rotation-success-check.html)
+ [secretsmanager-secret-periodic-rotation](./secretsmanager-secret-periodic-rotation.html)
+ [secretsmanager-secret-unused](./secretsmanager-secret-unused.html)
+ [secretsmanager-using-cmk](./secretsmanager-using-cmk.html)
+ [securityhub-enabled](./securityhub-enabled.html)
+ [security-account-information-provided](./security-account-information-provided.html)
+ [service-catalog-portfolio-tagged](./service-catalog-portfolio-tagged.html)
+ [service-catalog-shared-within-organization](./service-catalog-shared-within-organization.html)
+ [service-vpc-endpoint-enabled](./service-vpc-endpoint-enabled.html)
+ [ses-sending-tls-required](./ses-sending-tls-required.html)
+ [signer-signingprofile-tagged](./signer-signingprofile-tagged.html)
+ [sns-encrypted-kms](./sns-encrypted-kms.html)
+ [sns-topic-message-delivery-notification-enabled](./sns-topic-message-delivery-notification-enabled.html)
+ [sns-topic-no-public-access](./sns-topic-no-public-access.html)
+ [sqs-queue-dlq-check](./sqs-queue-dlq-check.html)
+ [sqs-queue-no-public-access](./sqs-queue-no-public-access.html)
+ [sqs-queue-policy-full-access-check](./sqs-queue-policy-full-access-check.html)
+ [ssm-automation-block-public-sharing](./ssm-automation-block-public-sharing.html)
+ [ssm-automation-logging-enabled](./ssm-automation-logging-enabled.html)
+ [ssm-document-not-public](./ssm-document-not-public.html)
+ [ssm-document-tagged](./ssm-document-tagged.html)
+ [stepfunctions-state-machine-tagged](./stepfunctions-state-machine-tagged.html)
+ [step-functions-state-machine-logging-enabled](./step-functions-state-machine-logging-enabled.html)
+ [storagegateway-last-backup-recovery-point-created](./storagegateway-last-backup-recovery-point-created.html)
+ [storagegateway-resources-in-logically-air-gapped-vault](./storagegateway-resources-in-logically-air-gapped-vault.html)
+ [storagegateway-resources-protected-by-backup-plan](./storagegateway-resources-protected-by-backup-plan.html)
+ [subnet-auto-assign-public-ip-disabled](./subnet-auto-assign-public-ip-disabled.html)
+ [transfer-agreement-description](./transfer-agreement-description.html)
+ [transfer-agreement-tagged](./transfer-agreement-tagged.html)
+ [transfer-certificate-description](./transfer-certificate-description.html)
+ [transfer-certificate-tagged](./transfer-certificate-tagged.html)
+ [transfer-connector-as2-encryption-algorithm-check](./transfer-connector-as2-encryption-algorithm-check.html)
+ [transfer-connector-as2-mdn-signing-algorithm-check](./transfer-connector-as2-mdn-signing-algorithm-check.html)
+ [transfer-connector-as2-signing-algorithm-check](./transfer-connector-as2-signing-algorithm-check.html)
+ [transfer-connector-logging-enabled](./transfer-connector-logging-enabled.html)
+ [transfer-connector-tagged](./transfer-connector-tagged.html)
+ [transfer-family-server-no-ftp](./transfer-family-server-no-ftp.html)
+ [transfer-profile-tagged](./transfer-profile-tagged.html)
+ [transfer-workflow-description](./transfer-workflow-description.html)
+ [transfer-workflow-tagged](./transfer-workflow-tagged.html)
+ [virtualmachine-last-backup-recovery-point-created](./virtualmachine-last-backup-recovery-point-created.html)
+ [virtualmachine-resources-in-logically-air-gapped-vault](./virtualmachine-resources-in-logically-air-gapped-vault.html)
+ [virtualmachine-resources-protected-by-backup-plan](./virtualmachine-resources-protected-by-backup-plan.html)
+ [vpc-default-security-group-closed](./vpc-default-security-group-closed.html)
+ [vpc-endpoint-enabled](./vpc-endpoint-enabled.html)
+ [vpc-flow-logs-enabled](./vpc-flow-logs-enabled.html)
+ [vpc-network-acl-unused-check](./vpc-network-acl-unused-check.html)
+ [vpc-peering-dns-resolution-check](./vpc-peering-dns-resolution-check.html)
+ [vpc-sg-open-only-to-authorized-ports](./vpc-sg-open-only-to-authorized-ports.html)
+ [vpc-sg-port-restriction-check](./vpc-sg-port-restriction-check.html)
+ [vpc-vpn-2-tunnels-up](./vpc-vpn-2-tunnels-up.html)
+ [wafv2-logging-enabled](./wafv2-logging-enabled.html)
+ [wafv2-rulegroup-logging-enabled](./wafv2-rulegroup-logging-enabled.html)
+ [wafv2-rulegroup-not-empty](./wafv2-rulegroup-not-empty.html)
+ [wafv2-webacl-not-empty](./wafv2-webacl-not-empty.html)
+ [waf-global-rulegroup-not-empty](./waf-global-rulegroup-not-empty.html)
+ [waf-global-rule-not-empty](./waf-global-rule-not-empty.html)
+ [waf-regional-rulegroup-not-empty](./waf-regional-rulegroup-not-empty.html)
+ [waf-regional-rule-not-empty](./waf-regional-rule-not-empty.html)
+ [waf-regional-webacl-not-empty](./waf-regional-webacl-not-empty.html)
+ [workspaces-connection-alias-tagged](./workspaces-connection-alias-tagged.html)
+ [workspaces-root-volume-encryption-enabled](./workspaces-root-volume-encryption-enabled.html)
+ [workspaces-user-volume-encryption-enabled](./workspaces-user-volume-encryption-enabled.html)
+ [workspaces-workspace-tagged](./workspaces-workspace-tagged.html)

## Asia Pacific (Taipei) Region
<a name="asia-pacific-taipei-section-head"></a>

### Asia Pacific (Taipei)
<a name="asia-pacific-taipei"></a>
+ [account-part-of-organizations](./account-part-of-organizations.html)
+ [acm-certificate-expiration-check](./acm-certificate-expiration-check.html)
+ [alb-http-drop-invalid-header-enabled](./alb-http-drop-invalid-header-enabled.html)
+ [alb-http-to-https-redirection-check](./alb-http-to-https-redirection-check.html)
+ [alb-waf-enabled](./alb-waf-enabled.html)
+ [apigateway-domain-name-tls-check](./apigateway-domain-name-tls-check.html)
+ [api-gwv2-access-logs-enabled](./api-gwv2-access-logs-enabled.html)
+ [approved-amis-by-id](./approved-amis-by-id.html)
+ [approved-amis-by-tag](./approved-amis-by-tag.html)
+ [aurora-mysql-backtracking-enabled](./aurora-mysql-backtracking-enabled.html)
+ [autoscaling-group-elb-healthcheck-required](./autoscaling-group-elb-healthcheck-required.html)
+ [autoscaling-launch-config-public-ip-disabled](./autoscaling-launch-config-public-ip-disabled.html)
+ [autoscaling-launch-template](./autoscaling-launch-template.html)
+ [cloudformation-stack-drift-detection-check](./cloudformation-stack-drift-detection-check.html)
+ [cloudformation-stack-notification-check](./cloudformation-stack-notification-check.html)
+ [cloudtrail-s3-dataevents-enabled](./cloudtrail-s3-dataevents-enabled.html)
+ [cloudtrail-security-trail-enabled](./cloudtrail-security-trail-enabled.html)
+ [cloudwatch-alarm-action-check](./cloudwatch-alarm-action-check.html)
+ [cloudwatch-alarm-description](./cloudwatch-alarm-description.html)
+ [cloudwatch-alarm-resource-check](./cloudwatch-alarm-resource-check.html)
+ [cloudwatch-alarm-settings-check](./cloudwatch-alarm-settings-check.html)
+ [cloudwatch-log-group-encrypted](./cloudwatch-log-group-encrypted.html)
+ [cloud-trail-cloud-watch-logs-enabled](./cloud-trail-cloud-watch-logs-enabled.html)
+ [cloud-trail-enabled](./cloud-trail-enabled.html)
+ [cloud-trail-encryption-enabled](./cloud-trail-encryption-enabled.html)
+ [cloud-trail-log-file-validation-enabled](./cloud-trail-log-file-validation-enabled.html)
+ [cmk-backing-key-rotation-enabled](./cmk-backing-key-rotation-enabled.html)
+ [cw-loggroup-retention-period-check](./cw-loggroup-retention-period-check.html)
+ [db-instance-backup-enabled](./db-instance-backup-enabled.html)
+ [desired-instance-tenancy](./desired-instance-tenancy.html)
+ [desired-instance-type](./desired-instance-type.html)
+ [dms-replication-not-public](./dms-replication-not-public.html)
+ [dynamodb-autoscaling-enabled](./dynamodb-autoscaling-enabled.html)
+ [dynamodb-in-backup-plan](./dynamodb-in-backup-plan.html)
+ [dynamodb-pitr-enabled](./dynamodb-pitr-enabled.html)
+ [dynamodb-table-encrypted-kms](./dynamodb-table-encrypted-kms.html)
+ [dynamodb-table-encryption-enabled](./dynamodb-table-encryption-enabled.html)
+ [dynamodb-throughput-limit-check](./dynamodb-throughput-limit-check.html)
+ [ebs-in-backup-plan](./ebs-in-backup-plan.html)
+ [ebs-snapshot-public-restorable-check](./ebs-snapshot-public-restorable-check.html)
+ [ec2-ebs-encryption-by-default](./ec2-ebs-encryption-by-default.html)
+ [ec2-imdsv2-check](./ec2-imdsv2-check.html)
+ [ec2-instance-detailed-monitoring-enabled](./ec2-instance-detailed-monitoring-enabled.html)
+ [ec2-instance-launched-with-allowed-ami](./ec2-instance-launched-with-allowed-ami.html)
+ [ec2-instance-managed-by-ssm](./ec2-instance-managed-by-ssm.html)
+ [ec2-instance-multiple-eni-check](./ec2-instance-multiple-eni-check.html)
+ [ec2-instance-no-public-ip](./ec2-instance-no-public-ip.html)
+ [ec2-instance-profile-attached](./ec2-instance-profile-attached.html)
+ [ec2-managedinstance-applications-blacklisted](./ec2-managedinstance-applications-blacklisted.html)
+ [ec2-managedinstance-applications-required](./ec2-managedinstance-applications-required.html)
+ [ec2-managedinstance-inventory-blacklisted](./ec2-managedinstance-inventory-blacklisted.html)
+ [ec2-managedinstance-patch-compliance-status-check](./ec2-managedinstance-patch-compliance-status-check.html)
+ [ec2-managedinstance-platform-check](./ec2-managedinstance-platform-check.html)
+ [ec2-security-group-attached-to-eni](./ec2-security-group-attached-to-eni.html)
+ [ec2-stopped-instance](./ec2-stopped-instance.html)
+ [ec2-volume-inuse-check](./ec2-volume-inuse-check.html)
+ [ecs-fargate-latest-platform-version](./ecs-fargate-latest-platform-version.html)
+ [ecs-task-definition-user-for-host-mode-check](./ecs-task-definition-user-for-host-mode-check.html)
+ [efs-encrypted-check](./efs-encrypted-check.html)
+ [efs-in-backup-plan](./efs-in-backup-plan.html)
+ [eip-attached](./eip-attached.html)
+ [eks-endpoint-no-public-access](./eks-endpoint-no-public-access.html)
+ [eks-secrets-encrypted](./eks-secrets-encrypted.html)
+ [elasticsearch-encrypted-at-rest](./elasticsearch-encrypted-at-rest.html)
+ [elasticsearch-in-vpc-only](./elasticsearch-in-vpc-only.html)
+ [elasticsearch-logs-to-cloudwatch](./elasticsearch-logs-to-cloudwatch.html)
+ [elasticsearch-node-to-node-encryption-check](./elasticsearch-node-to-node-encryption-check.html)
+ [elb-acm-certificate-required](./elb-acm-certificate-required.html)
+ [elb-cross-zone-load-balancing-enabled](./elb-cross-zone-load-balancing-enabled.html)
+ [elb-custom-security-policy-ssl-check](./elb-custom-security-policy-ssl-check.html)
+ [elb-deletion-protection-enabled](./elb-deletion-protection-enabled.html)
+ [elb-logging-enabled](./elb-logging-enabled.html)
+ [elb-predefined-security-policy-ssl-check](./elb-predefined-security-policy-ssl-check.html)
+ [elb-tls-https-listeners-only](./elb-tls-https-listeners-only.html)
+ [emr-kerberos-enabled](./emr-kerberos-enabled.html)
+ [emr-master-no-public-ip](./emr-master-no-public-ip.html)
+ [encrypted-volumes](./encrypted-volumes.html)
+ [iam-password-policy](./iam-password-policy.html)
+ [incoming-ssh-disabled](./incoming-ssh-disabled.html)
+ [instances-in-vpc](./instances-in-vpc.html)
+ [internet-gateway-authorized-vpc-only](./internet-gateway-authorized-vpc-only.html)
+ [lambda-concurrency-check](./lambda-concurrency-check.html)
+ [lambda-dlq-check](./lambda-dlq-check.html)
+ [lambda-function-application-log-level-check](./lambda-function-application-log-level-check.html)
+ [lambda-function-description](./lambda-function-description.html)
+ [lambda-function-log-format-json](./lambda-function-log-format-json.html)
+ [lambda-function-public-access-prohibited](./lambda-function-public-access-prohibited.html)
+ [lambda-function-settings-check](./lambda-function-settings-check.html)
+ [lambda-function-system-log-level-check](./lambda-function-system-log-level-check.html)
+ [lambda-inside-vpc](./lambda-inside-vpc.html)
+ [multi-region-cloud-trail-enabled](./multi-region-cloud-trail-enabled.html)
+ [neptune-cluster-deletion-protection-enabled](./neptune-cluster-deletion-protection-enabled.html)
+ [netfw-multi-az-enabled](./netfw-multi-az-enabled.html)
+ [no-unrestricted-route-to-igw](./no-unrestricted-route-to-igw.html)
+ [rds-automatic-minor-version-upgrade-enabled](./rds-automatic-minor-version-upgrade-enabled.html)
+ [rds-cluster-backup-retention-check](./rds-cluster-backup-retention-check.html)
+ [rds-cluster-deletion-protection-enabled](./rds-cluster-deletion-protection-enabled.html)
+ [rds-cluster-iam-authentication-enabled](./rds-cluster-iam-authentication-enabled.html)
+ [rds-cluster-multi-az-enabled](./rds-cluster-multi-az-enabled.html)
+ [rds-enhanced-monitoring-enabled](./rds-enhanced-monitoring-enabled.html)
+ [rds-instance-deletion-protection-enabled](./rds-instance-deletion-protection-enabled.html)
+ [rds-instance-iam-authentication-enabled](./rds-instance-iam-authentication-enabled.html)
+ [rds-instance-public-access-check](./rds-instance-public-access-check.html)
+ [rds-in-backup-plan](./rds-in-backup-plan.html)
+ [rds-logging-enabled](./rds-logging-enabled.html)
+ [rds-multi-az-support](./rds-multi-az-support.html)
+ [rds-snapshots-public-prohibited](./rds-snapshots-public-prohibited.html)
+ [rds-snapshot-encrypted](./rds-snapshot-encrypted.html)
+ [rds-storage-encrypted](./rds-storage-encrypted.html)
+ [redshift-backup-enabled](./redshift-backup-enabled.html)
+ [redshift-cluster-configuration-check](./redshift-cluster-configuration-check.html)
+ [redshift-cluster-kms-enabled](./redshift-cluster-kms-enabled.html)
+ [redshift-cluster-maintenancesettings-check](./redshift-cluster-maintenancesettings-check.html)
+ [redshift-cluster-public-access-check](./redshift-cluster-public-access-check.html)
+ [redshift-enhanced-vpc-routing-enabled](./redshift-enhanced-vpc-routing-enabled.html)
+ [redshift-require-tls-ssl](./redshift-require-tls-ssl.html)
+ [required-tags](./required-tags.html)
+ [restricted-incoming-traffic](./restricted-incoming-traffic.html)
+ [s3-account-level-public-access-blocks-periodic](./s3-account-level-public-access-blocks-periodic.html)
+ [s3-bucket-blacklisted-actions-prohibited](./s3-bucket-blacklisted-actions-prohibited.html)
+ [s3-bucket-default-lock-enabled](./s3-bucket-default-lock-enabled.html)
+ [s3-bucket-level-public-access-prohibited](./s3-bucket-level-public-access-prohibited.html)
+ [s3-bucket-logging-enabled](./s3-bucket-logging-enabled.html)
+ [s3-bucket-policy-grantee-check](./s3-bucket-policy-grantee-check.html)
+ [s3-bucket-policy-not-more-permissive](./s3-bucket-policy-not-more-permissive.html)
+ [s3-bucket-public-read-prohibited](./s3-bucket-public-read-prohibited.html)
+ [s3-bucket-public-write-prohibited](./s3-bucket-public-write-prohibited.html)
+ [s3-bucket-replication-enabled](./s3-bucket-replication-enabled.html)
+ [s3-bucket-server-side-encryption-enabled](./s3-bucket-server-side-encryption-enabled.html)
+ [s3-bucket-ssl-requests-only](./s3-bucket-ssl-requests-only.html)
+ [s3-bucket-versioning-enabled](./s3-bucket-versioning-enabled.html)
+ [s3-default-encryption-kms](./s3-default-encryption-kms.html)
+ [s3-lifecycle-policy-check](./s3-lifecycle-policy-check.html)
+ [secretsmanager-rotation-enabled-check](./secretsmanager-rotation-enabled-check.html)
+ [secretsmanager-scheduled-rotation-success-check](./secretsmanager-scheduled-rotation-success-check.html)
+ [secretsmanager-secret-periodic-rotation](./secretsmanager-secret-periodic-rotation.html)
+ [secretsmanager-secret-unused](./secretsmanager-secret-unused.html)
+ [secretsmanager-using-cmk](./secretsmanager-using-cmk.html)
+ [securityhub-enabled](./securityhub-enabled.html)
+ [service-vpc-endpoint-enabled](./service-vpc-endpoint-enabled.html)
+ [sns-encrypted-kms](./sns-encrypted-kms.html)
+ [ssm-document-not-public](./ssm-document-not-public.html)
+ [subnet-auto-assign-public-ip-disabled](./subnet-auto-assign-public-ip-disabled.html)
+ [vpc-default-security-group-closed](./vpc-default-security-group-closed.html)
+ [vpc-flow-logs-enabled](./vpc-flow-logs-enabled.html)
+ [vpc-network-acl-unused-check](./vpc-network-acl-unused-check.html)
+ [vpc-sg-open-only-to-authorized-ports](./vpc-sg-open-only-to-authorized-ports.html)
+ [vpc-vpn-2-tunnels-up](./vpc-vpn-2-tunnels-up.html)
+ [wafv2-logging-enabled](./wafv2-logging-enabled.html)
+ [waf-global-rulegroup-not-empty](./waf-global-rulegroup-not-empty.html)
+ [waf-global-rule-not-empty](./waf-global-rule-not-empty.html)

## Asia Pacific (Thailand) Region
<a name="asia-pacific-thailand-section-head"></a>

### Asia Pacific (Thailand)
<a name="asia-pacific-thailand"></a>
+ [account-part-of-organizations](./account-part-of-organizations.html)
+ [acm-certificate-expiration-check](./acm-certificate-expiration-check.html)
+ [acm-certificate-transparent-logging-enabled](./acm-certificate-transparent-logging-enabled.html)
+ [alb-http-drop-invalid-header-enabled](./alb-http-drop-invalid-header-enabled.html)
+ [alb-http-to-https-redirection-check](./alb-http-to-https-redirection-check.html)
+ [alb-waf-enabled](./alb-waf-enabled.html)
+ [apigatewayv2-stage-description](./apigatewayv2-stage-description.html)
+ [apigateway-domain-name-tls-check](./apigateway-domain-name-tls-check.html)
+ [apigateway-stage-description](./apigateway-stage-description.html)
+ [api-gwv2-access-logs-enabled](./api-gwv2-access-logs-enabled.html)
+ [api-gwv2-stage-default-route-detailed-metrics-enabled](./api-gwv2-stage-default-route-detailed-metrics-enabled.html)
+ [api-gw-associated-with-waf](./api-gw-associated-with-waf.html)
+ [api-gw-cache-enabled-and-encrypted](./api-gw-cache-enabled-and-encrypted.html)
+ [api-gw-endpoint-type-check](./api-gw-endpoint-type-check.html)
+ [api-gw-execution-logging-enabled](./api-gw-execution-logging-enabled.html)
+ [api-gw-ssl-enabled](./api-gw-ssl-enabled.html)
+ [api-gw-xray-enabled](./api-gw-xray-enabled.html)
+ [approved-amis-by-id](./approved-amis-by-id.html)
+ [approved-amis-by-tag](./approved-amis-by-tag.html)
+ [aurora-mysql-backtracking-enabled](./aurora-mysql-backtracking-enabled.html)
+ [autoscaling-group-elb-healthcheck-required](./autoscaling-group-elb-healthcheck-required.html)
+ [autoscaling-launch-config-public-ip-disabled](./autoscaling-launch-config-public-ip-disabled.html)
+ [autoscaling-launch-template](./autoscaling-launch-template.html)
+ [beanstalk-enhanced-health-reporting-enabled](./beanstalk-enhanced-health-reporting-enabled.html)
+ [cloudformation-stack-drift-detection-check](./cloudformation-stack-drift-detection-check.html)
+ [cloudformation-stack-notification-check](./cloudformation-stack-notification-check.html)
+ [cloudtrail-s3-dataevents-enabled](./cloudtrail-s3-dataevents-enabled.html)
+ [cloudtrail-security-trail-enabled](./cloudtrail-security-trail-enabled.html)
+ [cloudwatch-alarm-action-check](./cloudwatch-alarm-action-check.html)
+ [cloudwatch-alarm-description](./cloudwatch-alarm-description.html)
+ [cloudwatch-alarm-resource-check](./cloudwatch-alarm-resource-check.html)
+ [cloudwatch-alarm-settings-check](./cloudwatch-alarm-settings-check.html)
+ [cloudwatch-log-group-encrypted](./cloudwatch-log-group-encrypted.html)
+ [cloud-trail-cloud-watch-logs-enabled](./cloud-trail-cloud-watch-logs-enabled.html)
+ [cloud-trail-enabled](./cloud-trail-enabled.html)
+ [cloud-trail-encryption-enabled](./cloud-trail-encryption-enabled.html)
+ [cloud-trail-log-file-validation-enabled](./cloud-trail-log-file-validation-enabled.html)
+ [cmk-backing-key-rotation-enabled](./cmk-backing-key-rotation-enabled.html)
+ [cw-loggroup-retention-period-check](./cw-loggroup-retention-period-check.html)
+ [db-instance-backup-enabled](./db-instance-backup-enabled.html)
+ [desired-instance-tenancy](./desired-instance-tenancy.html)
+ [desired-instance-type](./desired-instance-type.html)
+ [dms-replication-not-public](./dms-replication-not-public.html)
+ [dynamodb-autoscaling-enabled](./dynamodb-autoscaling-enabled.html)
+ [dynamodb-in-backup-plan](./dynamodb-in-backup-plan.html)
+ [dynamodb-pitr-enabled](./dynamodb-pitr-enabled.html)
+ [dynamodb-table-encrypted-kms](./dynamodb-table-encrypted-kms.html)
+ [dynamodb-table-encryption-enabled](./dynamodb-table-encryption-enabled.html)
+ [dynamodb-throughput-limit-check](./dynamodb-throughput-limit-check.html)
+ [ebs-in-backup-plan](./ebs-in-backup-plan.html)
+ [ebs-snapshot-public-restorable-check](./ebs-snapshot-public-restorable-check.html)
+ [ec2-ebs-encryption-by-default](./ec2-ebs-encryption-by-default.html)
+ [ec2-imdsv2-check](./ec2-imdsv2-check.html)
+ [ec2-instance-detailed-monitoring-enabled](./ec2-instance-detailed-monitoring-enabled.html)
+ [ec2-instance-launched-with-allowed-ami](./ec2-instance-launched-with-allowed-ami.html)
+ [ec2-instance-managed-by-ssm](./ec2-instance-managed-by-ssm.html)
+ [ec2-instance-multiple-eni-check](./ec2-instance-multiple-eni-check.html)
+ [ec2-instance-no-public-ip](./ec2-instance-no-public-ip.html)
+ [ec2-instance-profile-attached](./ec2-instance-profile-attached.html)
+ [ec2-managedinstance-applications-blacklisted](./ec2-managedinstance-applications-blacklisted.html)
+ [ec2-managedinstance-applications-required](./ec2-managedinstance-applications-required.html)
+ [ec2-managedinstance-inventory-blacklisted](./ec2-managedinstance-inventory-blacklisted.html)
+ [ec2-managedinstance-patch-compliance-status-check](./ec2-managedinstance-patch-compliance-status-check.html)
+ [ec2-managedinstance-platform-check](./ec2-managedinstance-platform-check.html)
+ [ec2-security-group-attached-to-eni](./ec2-security-group-attached-to-eni.html)
+ [ec2-stopped-instance](./ec2-stopped-instance.html)
+ [ec2-volume-inuse-check](./ec2-volume-inuse-check.html)
+ [ecs-fargate-latest-platform-version](./ecs-fargate-latest-platform-version.html)
+ [ecs-service-propagate-tags-enabled](./ecs-service-propagate-tags-enabled.html)
+ [ecs-task-definition-user-for-host-mode-check](./ecs-task-definition-user-for-host-mode-check.html)
+ [efs-encrypted-check](./efs-encrypted-check.html)
+ [efs-in-backup-plan](./efs-in-backup-plan.html)
+ [eip-attached](./eip-attached.html)
+ [eks-endpoint-no-public-access](./eks-endpoint-no-public-access.html)
+ [eks-secrets-encrypted](./eks-secrets-encrypted.html)
+ [elasticache-redis-cluster-automatic-backup-check](./elasticache-redis-cluster-automatic-backup-check.html)
+ [elasticsearch-encrypted-at-rest](./elasticsearch-encrypted-at-rest.html)
+ [elasticsearch-in-vpc-only](./elasticsearch-in-vpc-only.html)
+ [elasticsearch-logs-to-cloudwatch](./elasticsearch-logs-to-cloudwatch.html)
+ [elasticsearch-node-to-node-encryption-check](./elasticsearch-node-to-node-encryption-check.html)
+ [elastic-beanstalk-managed-updates-enabled](./elastic-beanstalk-managed-updates-enabled.html)
+ [elbv2-targetgroup-healthcheck-protocol-encrypted](./elbv2-targetgroup-healthcheck-protocol-encrypted.html)
+ [elbv2-targetgroup-protocol-encrypted](./elbv2-targetgroup-protocol-encrypted.html)
+ [elb-acm-certificate-required](./elb-acm-certificate-required.html)
+ [elb-cross-zone-load-balancing-enabled](./elb-cross-zone-load-balancing-enabled.html)
+ [elb-custom-security-policy-ssl-check](./elb-custom-security-policy-ssl-check.html)
+ [elb-deletion-protection-enabled](./elb-deletion-protection-enabled.html)
+ [elb-logging-enabled](./elb-logging-enabled.html)
+ [elb-predefined-security-policy-ssl-check](./elb-predefined-security-policy-ssl-check.html)
+ [elb-tls-https-listeners-only](./elb-tls-https-listeners-only.html)
+ [emr-kerberos-enabled](./emr-kerberos-enabled.html)
+ [emr-master-no-public-ip](./emr-master-no-public-ip.html)
+ [encrypted-volumes](./encrypted-volumes.html)
+ [iam-password-policy](./iam-password-policy.html)
+ [incoming-ssh-disabled](./incoming-ssh-disabled.html)
+ [instances-in-vpc](./instances-in-vpc.html)
+ [internet-gateway-authorized-vpc-only](./internet-gateway-authorized-vpc-only.html)
+ [kms-cmk-not-scheduled-for-deletion](./kms-cmk-not-scheduled-for-deletion.html)
+ [lambda-concurrency-check](./lambda-concurrency-check.html)
+ [lambda-dlq-check](./lambda-dlq-check.html)
+ [lambda-function-application-log-level-check](./lambda-function-application-log-level-check.html)
+ [lambda-function-description](./lambda-function-description.html)
+ [lambda-function-log-format-json](./lambda-function-log-format-json.html)
+ [lambda-function-public-access-prohibited](./lambda-function-public-access-prohibited.html)
+ [lambda-function-settings-check](./lambda-function-settings-check.html)
+ [lambda-function-system-log-level-check](./lambda-function-system-log-level-check.html)
+ [lambda-inside-vpc](./lambda-inside-vpc.html)
+ [multi-region-cloud-trail-enabled](./multi-region-cloud-trail-enabled.html)
+ [neptune-cluster-deletion-protection-enabled](./neptune-cluster-deletion-protection-enabled.html)
+ [netfw-multi-az-enabled](./netfw-multi-az-enabled.html)
+ [no-unrestricted-route-to-igw](./no-unrestricted-route-to-igw.html)
+ [rds-automatic-minor-version-upgrade-enabled](./rds-automatic-minor-version-upgrade-enabled.html)
+ [rds-cluster-backup-retention-check](./rds-cluster-backup-retention-check.html)
+ [rds-cluster-deletion-protection-enabled](./rds-cluster-deletion-protection-enabled.html)
+ [rds-cluster-iam-authentication-enabled](./rds-cluster-iam-authentication-enabled.html)
+ [rds-cluster-multi-az-enabled](./rds-cluster-multi-az-enabled.html)
+ [rds-enhanced-monitoring-enabled](./rds-enhanced-monitoring-enabled.html)
+ [rds-instance-deletion-protection-enabled](./rds-instance-deletion-protection-enabled.html)
+ [rds-instance-iam-authentication-enabled](./rds-instance-iam-authentication-enabled.html)
+ [rds-instance-public-access-check](./rds-instance-public-access-check.html)
+ [rds-in-backup-plan](./rds-in-backup-plan.html)
+ [rds-logging-enabled](./rds-logging-enabled.html)
+ [rds-multi-az-support](./rds-multi-az-support.html)
+ [rds-snapshots-public-prohibited](./rds-snapshots-public-prohibited.html)
+ [rds-snapshot-encrypted](./rds-snapshot-encrypted.html)
+ [rds-storage-encrypted](./rds-storage-encrypted.html)
+ [redshift-backup-enabled](./redshift-backup-enabled.html)
+ [redshift-cluster-configuration-check](./redshift-cluster-configuration-check.html)
+ [redshift-cluster-kms-enabled](./redshift-cluster-kms-enabled.html)
+ [redshift-cluster-maintenancesettings-check](./redshift-cluster-maintenancesettings-check.html)
+ [redshift-cluster-public-access-check](./redshift-cluster-public-access-check.html)
+ [redshift-enhanced-vpc-routing-enabled](./redshift-enhanced-vpc-routing-enabled.html)
+ [redshift-require-tls-ssl](./redshift-require-tls-ssl.html)
+ [required-tags](./required-tags.html)
+ [restricted-incoming-traffic](./restricted-incoming-traffic.html)
+ [s3-account-level-public-access-blocks-periodic](./s3-account-level-public-access-blocks-periodic.html)
+ [s3-bucket-blacklisted-actions-prohibited](./s3-bucket-blacklisted-actions-prohibited.html)
+ [s3-bucket-default-lock-enabled](./s3-bucket-default-lock-enabled.html)
+ [s3-bucket-level-public-access-prohibited](./s3-bucket-level-public-access-prohibited.html)
+ [s3-bucket-logging-enabled](./s3-bucket-logging-enabled.html)
+ [s3-bucket-policy-grantee-check](./s3-bucket-policy-grantee-check.html)
+ [s3-bucket-policy-not-more-permissive](./s3-bucket-policy-not-more-permissive.html)
+ [s3-bucket-public-read-prohibited](./s3-bucket-public-read-prohibited.html)
+ [s3-bucket-public-write-prohibited](./s3-bucket-public-write-prohibited.html)
+ [s3-bucket-replication-enabled](./s3-bucket-replication-enabled.html)
+ [s3-bucket-server-side-encryption-enabled](./s3-bucket-server-side-encryption-enabled.html)
+ [s3-bucket-ssl-requests-only](./s3-bucket-ssl-requests-only.html)
+ [s3-bucket-versioning-enabled](./s3-bucket-versioning-enabled.html)
+ [s3-default-encryption-kms](./s3-default-encryption-kms.html)
+ [s3-lifecycle-policy-check](./s3-lifecycle-policy-check.html)
+ [secretsmanager-rotation-enabled-check](./secretsmanager-rotation-enabled-check.html)
+ [secretsmanager-scheduled-rotation-success-check](./secretsmanager-scheduled-rotation-success-check.html)
+ [secretsmanager-secret-periodic-rotation](./secretsmanager-secret-periodic-rotation.html)
+ [secretsmanager-secret-unused](./secretsmanager-secret-unused.html)
+ [secretsmanager-using-cmk](./secretsmanager-using-cmk.html)
+ [securityhub-enabled](./securityhub-enabled.html)
+ [service-vpc-endpoint-enabled](./service-vpc-endpoint-enabled.html)
+ [sns-encrypted-kms](./sns-encrypted-kms.html)
+ [ssm-document-not-public](./ssm-document-not-public.html)
+ [subnet-auto-assign-public-ip-disabled](./subnet-auto-assign-public-ip-disabled.html)
+ [vpc-default-security-group-closed](./vpc-default-security-group-closed.html)
+ [vpc-flow-logs-enabled](./vpc-flow-logs-enabled.html)
+ [vpc-network-acl-unused-check](./vpc-network-acl-unused-check.html)
+ [vpc-sg-open-only-to-authorized-ports](./vpc-sg-open-only-to-authorized-ports.html)
+ [vpc-vpn-2-tunnels-up](./vpc-vpn-2-tunnels-up.html)
+ [wafv2-logging-enabled](./wafv2-logging-enabled.html)
+ [waf-global-rulegroup-not-empty](./waf-global-rulegroup-not-empty.html)
+ [waf-global-rule-not-empty](./waf-global-rule-not-empty.html)

## Asia Pacific (Tokyo) Region
<a name="asia-pacific-tokyo-section-head"></a>

### Asia Pacific (Tokyo)
<a name="asia-pacific-tokyo"></a>
+ [access-keys-rotated](./access-keys-rotated.html)
+ [account-part-of-organizations](./account-part-of-organizations.html)
+ [acmpca-certificate-authority-tagged](./acmpca-certificate-authority-tagged.html)
+ [acm-certificate-expiration-check](./acm-certificate-expiration-check.html)
+ [acm-certificate-rsa-check](./acm-certificate-rsa-check.html)
+ [acm-certificate-transparent-logging-enabled](./acm-certificate-transparent-logging-enabled.html)
+ [acm-pca-root-ca-disabled](./acm-pca-root-ca-disabled.html)
+ [active-mq-supported-version](./active-mq-supported-version.html)
+ [alb-desync-mode-check](./alb-desync-mode-check.html)
+ [alb-http-drop-invalid-header-enabled](./alb-http-drop-invalid-header-enabled.html)
+ [alb-http-to-https-redirection-check](./alb-http-to-https-redirection-check.html)
+ [alb-internal-scheme-check](./alb-internal-scheme-check.html)
+ [alb-listener-tagged](./alb-listener-tagged.html)
+ [alb-tagged](./alb-tagged.html)
+ [alb-waf-enabled](./alb-waf-enabled.html)
+ [amplify-app-branch-auto-deletion-enabled](./amplify-app-branch-auto-deletion-enabled.html)
+ [amplify-app-build-spec-configured](./amplify-app-build-spec-configured.html)
+ [amplify-app-description](./amplify-app-description.html)
+ [amplify-app-no-environment-variables](./amplify-app-no-environment-variables.html)
+ [amplify-app-platform-check](./amplify-app-platform-check.html)
+ [amplify-app-tagged](./amplify-app-tagged.html)
+ [amplify-branch-auto-build-enabled](./amplify-branch-auto-build-enabled.html)
+ [amplify-branch-build-spec-configured](./amplify-branch-build-spec-configured.html)
+ [amplify-branch-description](./amplify-branch-description.html)
+ [amplify-branch-framework-configured](./amplify-branch-framework-configured.html)
+ [amplify-branch-performance-mode-enabled](./amplify-branch-performance-mode-enabled.html)
+ [amplify-branch-pull-request-preview-enabled](./amplify-branch-pull-request-preview-enabled.html)
+ [amplify-branch-tagged](./amplify-branch-tagged.html)
+ [apigatewayv2-integration-private-https-enabled](./apigatewayv2-integration-private-https-enabled.html)
+ [apigatewayv2-stage-description](./apigatewayv2-stage-description.html)
+ [apigateway-domain-name-tls-check](./apigateway-domain-name-tls-check.html)
+ [apigateway-stage-access-logs-enabled](./apigateway-stage-access-logs-enabled.html)
+ [apigateway-stage-description](./apigateway-stage-description.html)
+ [api-gwv2-access-logs-enabled](./api-gwv2-access-logs-enabled.html)
+ [api-gwv2-authorization-type-configured](./api-gwv2-authorization-type-configured.html)
+ [api-gwv2-stage-default-route-detailed-metrics-enabled](./api-gwv2-stage-default-route-detailed-metrics-enabled.html)
+ [api-gw-associated-with-waf](./api-gw-associated-with-waf.html)
+ [api-gw-cache-enabled-and-encrypted](./api-gw-cache-enabled-and-encrypted.html)
+ [api-gw-endpoint-type-check](./api-gw-endpoint-type-check.html)
+ [api-gw-execution-logging-enabled](./api-gw-execution-logging-enabled.html)
+ [api-gw-rest-api-tagged](./api-gw-rest-api-tagged.html)
+ [api-gw-ssl-enabled](./api-gw-ssl-enabled.html)
+ [api-gw-stage-tagged](./api-gw-stage-tagged.html)
+ [api-gw-xray-enabled](./api-gw-xray-enabled.html)
+ [appconfig-application-description](./appconfig-application-description.html)
+ [appconfig-application-tagged](./appconfig-application-tagged.html)
+ [appconfig-configuration-profile-tagged](./appconfig-configuration-profile-tagged.html)
+ [appconfig-configuration-profile-validators-not-empty](./appconfig-configuration-profile-validators-not-empty.html)
+ [appconfig-deployment-strategy-description](./appconfig-deployment-strategy-description.html)
+ [appconfig-deployment-strategy-minimum-final-bake-time](./appconfig-deployment-strategy-minimum-final-bake-time.html)
+ [appconfig-deployment-strategy-replicate-to-ssm](./appconfig-deployment-strategy-replicate-to-ssm.html)
+ [appconfig-deployment-strategy-tagged](./appconfig-deployment-strategy-tagged.html)
+ [appconfig-environment-description](./appconfig-environment-description.html)
+ [appconfig-environment-tagged](./appconfig-environment-tagged.html)
+ [appconfig-extension-association-tagged](./appconfig-extension-association-tagged.html)
+ [appconfig-freeform-profile-config-storage](./appconfig-freeform-profile-config-storage.html)
+ [appconfig-hosted-configuration-version-description](./appconfig-hosted-configuration-version-description.html)
+ [appflow-flow-tagged](./appflow-flow-tagged.html)
+ [appflow-flow-trigger-type-check](./appflow-flow-trigger-type-check.html)
+ [appintegrations-application-approved-origins-check](./appintegrations-application-approved-origins-check.html)
+ [appintegrations-application-tagged](./appintegrations-application-tagged.html)
+ [appintegrations-event-integration-description](./appintegrations-event-integration-description.html)
+ [appintegrations-event-integration-tagged](./appintegrations-event-integration-tagged.html)
+ [appmesh-gateway-route-tagged](./appmesh-gateway-route-tagged.html)
+ [appmesh-mesh-deny-tcp-forwarding](./appmesh-mesh-deny-tcp-forwarding.html)
+ [appmesh-mesh-ip-pref-check](./appmesh-mesh-ip-pref-check.html)
+ [appmesh-mesh-tagged](./appmesh-mesh-tagged.html)
+ [appmesh-route-tagged](./appmesh-route-tagged.html)
+ [appmesh-virtual-gateway-backend-defaults-tls](./appmesh-virtual-gateway-backend-defaults-tls.html)
+ [appmesh-virtual-gateway-listeners-health-check-enabled](./appmesh-virtual-gateway-listeners-health-check-enabled.html)
+ [appmesh-virtual-gateway-logging-file-path-exists](./appmesh-virtual-gateway-logging-file-path-exists.html)
+ [appmesh-virtual-gateway-tagged](./appmesh-virtual-gateway-tagged.html)
+ [appmesh-virtual-node-backend-defaults-tls-on](./appmesh-virtual-node-backend-defaults-tls-on.html)
+ [appmesh-virtual-node-cloud-map-ip-pref-check](./appmesh-virtual-node-cloud-map-ip-pref-check.html)
+ [appmesh-virtual-node-dns-ip-pref-check](./appmesh-virtual-node-dns-ip-pref-check.html)
+ [appmesh-virtual-node-listeners-health-check-enabled](./appmesh-virtual-node-listeners-health-check-enabled.html)
+ [appmesh-virtual-node-listeners-outlier-detect-enabled](./appmesh-virtual-node-listeners-outlier-detect-enabled.html)
+ [appmesh-virtual-node-logging-file-path-exists](./appmesh-virtual-node-logging-file-path-exists.html)
+ [appmesh-virtual-node-service-backends-tls-enforced](./appmesh-virtual-node-service-backends-tls-enforced.html)
+ [appmesh-virtual-node-tagged](./appmesh-virtual-node-tagged.html)
+ [appmesh-virtual-router-tagged](./appmesh-virtual-router-tagged.html)
+ [appmesh-virtual-service-tagged](./appmesh-virtual-service-tagged.html)
+ [approved-amis-by-id](./approved-amis-by-id.html)
+ [approved-amis-by-tag](./approved-amis-by-tag.html)
+ [apprunner-service-in-vpc](./apprunner-service-in-vpc.html)
+ [apprunner-service-ip-address-type-check](./apprunner-service-ip-address-type-check.html)
+ [apprunner-service-max-unhealthy-threshold](./apprunner-service-max-unhealthy-threshold.html)
+ [apprunner-service-no-public-access](./apprunner-service-no-public-access.html)
+ [apprunner-service-observability-enabled](./apprunner-service-observability-enabled.html)
+ [apprunner-service-tagged](./apprunner-service-tagged.html)
+ [apprunner-vpc-connector-tagged](./apprunner-vpc-connector-tagged.html)
+ [appstream-fleet-in-vpc](./appstream-fleet-in-vpc.html)
+ [appsync-associated-with-waf](./appsync-associated-with-waf.html)
+ [appsync-authorization-check](./appsync-authorization-check.html)
+ [appsync-cache-encryption-at-rest](./appsync-cache-encryption-at-rest.html)
+ [appsync-graphql-api-xray-enabled](./appsync-graphql-api-xray-enabled.html)
+ [appsync-logging-enabled](./appsync-logging-enabled.html)
+ [aps-rule-groups-namespace-tagged](./aps-rule-groups-namespace-tagged.html)
+ [athena-data-catalog-description](./athena-data-catalog-description.html)
+ [athena-prepared-statement-description](./athena-prepared-statement-description.html)
+ [athena-workgroup-description](./athena-workgroup-description.html)
+ [athena-workgroup-encrypted-at-rest](./athena-workgroup-encrypted-at-rest.html)
+ [athena-workgroup-enforce-workgroup-configuration](./athena-workgroup-enforce-workgroup-configuration.html)
+ [athena-workgroup-engine-version-auto-upgrade](./athena-workgroup-engine-version-auto-upgrade.html)
+ [athena-workgroup-logging-enabled](./athena-workgroup-logging-enabled.html)
+ [auditmanager-assessment-tagged](./auditmanager-assessment-tagged.html)
+ [aurora-global-database-encryption-at-rest](./aurora-global-database-encryption-at-rest.html)
+ [aurora-last-backup-recovery-point-created](./aurora-last-backup-recovery-point-created.html)
+ [aurora-meets-restore-time-target](./aurora-meets-restore-time-target.html)
+ [aurora-mysql-backtracking-enabled](./aurora-mysql-backtracking-enabled.html)
+ [aurora-mysql-cluster-audit-logging](./aurora-mysql-cluster-audit-logging.html)
+ [aurora-resources-in-logically-air-gapped-vault](./aurora-resources-in-logically-air-gapped-vault.html)
+ [aurora-resources-protected-by-backup-plan](./aurora-resources-protected-by-backup-plan.html)
+ [autoscaling-capacity-rebalancing](./autoscaling-capacity-rebalancing.html)
+ [autoscaling-group-elb-healthcheck-required](./autoscaling-group-elb-healthcheck-required.html)
+ [autoscaling-launchconfig-requires-imdsv2](./autoscaling-launchconfig-requires-imdsv2.html)
+ [autoscaling-launch-config-hop-limit](./autoscaling-launch-config-hop-limit.html)
+ [autoscaling-launch-config-public-ip-disabled](./autoscaling-launch-config-public-ip-disabled.html)
+ [autoscaling-launch-template](./autoscaling-launch-template.html)
+ [autoscaling-multiple-az](./autoscaling-multiple-az.html)
+ [autoscaling-multiple-instance-types](./autoscaling-multiple-instance-types.html)
+ [backup-plan-min-frequency-and-min-retention-check](./backup-plan-min-frequency-and-min-retention-check.html)
+ [backup-recovery-point-encrypted](./backup-recovery-point-encrypted.html)
+ [backup-recovery-point-manual-deletion-disabled](./backup-recovery-point-manual-deletion-disabled.html)
+ [backup-recovery-point-minimum-retention-check](./backup-recovery-point-minimum-retention-check.html)
+ [batch-compute-environment-enabled](./batch-compute-environment-enabled.html)
+ [batch-compute-environment-managed](./batch-compute-environment-managed.html)
+ [batch-compute-environment-tagged](./batch-compute-environment-tagged.html)
+ [batch-job-queue-enabled](./batch-job-queue-enabled.html)
+ [batch-job-queue-tagged](./batch-job-queue-tagged.html)
+ [batch-managed-compute-environment-using-launch-template](./batch-managed-compute-environment-using-launch-template.html)
+ [batch-managed-compute-env-allocation-strategy-check](./batch-managed-compute-env-allocation-strategy-check.html)
+ [batch-managed-compute-env-compute-resources-tagged](./batch-managed-compute-env-compute-resources-tagged.html)
+ [batch-managed-spot-compute-environment-max-bid](./batch-managed-spot-compute-environment-max-bid.html)
+ [batch-scheduling-policy-tagged](./batch-scheduling-policy-tagged.html)
+ [beanstalk-enhanced-health-reporting-enabled](./beanstalk-enhanced-health-reporting-enabled.html)
+ [cassandra-keyspace-tagged](./cassandra-keyspace-tagged.html)
+ [clb-desync-mode-check](./clb-desync-mode-check.html)
+ [clb-multiple-az](./clb-multiple-az.html)
+ [cloudformation-stack-drift-detection-check](./cloudformation-stack-drift-detection-check.html)
+ [cloudformation-stack-notification-check](./cloudformation-stack-notification-check.html)
+ [cloudformation-stack-service-role-check](./cloudformation-stack-service-role-check.html)
+ [cloudformation-termination-protection-check](./cloudformation-termination-protection-check.html)
+ [cloudtrail-all-read-s3-data-event-check](./cloudtrail-all-read-s3-data-event-check.html)
+ [cloudtrail-all-write-s3-data-event-check](./cloudtrail-all-write-s3-data-event-check.html)
+ [cloudtrail-event-data-store-multi-region](./cloudtrail-event-data-store-multi-region.html)
+ [cloudtrail-s3-bucket-access-logging](./cloudtrail-s3-bucket-access-logging.html)
+ [cloudtrail-s3-bucket-public-access-prohibited](./cloudtrail-s3-bucket-public-access-prohibited.html)
+ [cloudtrail-s3-dataevents-enabled](./cloudtrail-s3-dataevents-enabled.html)
+ [cloudtrail-security-trail-enabled](./cloudtrail-security-trail-enabled.html)
+ [cloudwatch-alarm-action-check](./cloudwatch-alarm-action-check.html)
+ [cloudwatch-alarm-action-enabled-check](./cloudwatch-alarm-action-enabled-check.html)
+ [cloudwatch-alarm-description](./cloudwatch-alarm-description.html)
+ [cloudwatch-alarm-resource-check](./cloudwatch-alarm-resource-check.html)
+ [cloudwatch-alarm-settings-check](./cloudwatch-alarm-settings-check.html)
+ [cloudwatch-log-group-encrypted](./cloudwatch-log-group-encrypted.html)
+ [cloudwatch-metric-stream-tagged](./cloudwatch-metric-stream-tagged.html)
+ [cloud-trail-cloud-watch-logs-enabled](./cloud-trail-cloud-watch-logs-enabled.html)
+ [cloud-trail-enabled](./cloud-trail-enabled.html)
+ [cloud-trail-encryption-enabled](./cloud-trail-encryption-enabled.html)
+ [cloud-trail-log-file-validation-enabled](./cloud-trail-log-file-validation-enabled.html)
+ [cmk-backing-key-rotation-enabled](./cmk-backing-key-rotation-enabled.html)
+ [codeartifact-repository-tagged](./codeartifact-repository-tagged.html)
+ [codebuild-project-artifact-encryption](./codebuild-project-artifact-encryption.html)
+ [codebuild-project-environment-privileged-check](./codebuild-project-environment-privileged-check.html)
+ [codebuild-project-envvar-awscred-check](./codebuild-project-envvar-awscred-check.html)
+ [codebuild-project-logging-enabled](./codebuild-project-logging-enabled.html)
+ [codebuild-project-s3-logs-encrypted](./codebuild-project-s3-logs-encrypted.html)
+ [codebuild-project-source-repo-url-check](./codebuild-project-source-repo-url-check.html)
+ [codebuild-project-tagged](./codebuild-project-tagged.html)
+ [codebuild-report-group-encrypted-at-rest](./codebuild-report-group-encrypted-at-rest.html)
+ [codebuild-report-group-tagged](./codebuild-report-group-tagged.html)
+ [codedeploy-auto-rollback-monitor-enabled](./codedeploy-auto-rollback-monitor-enabled.html)
+ [codedeploy-deployment-group-auto-rollback-enabled](./codedeploy-deployment-group-auto-rollback-enabled.html)
+ [codedeploy-deployment-group-outdated-instances-update](./codedeploy-deployment-group-outdated-instances-update.html)
+ [codedeploy-ec2-minimum-healthy-hosts-configured](./codedeploy-ec2-minimum-healthy-hosts-configured.html)
+ [codedeploy-lambda-allatonce-traffic-shift-disabled](./codedeploy-lambda-allatonce-traffic-shift-disabled.html)
+ [codeguruprofiler-profiling-group-tagged](./codeguruprofiler-profiling-group-tagged.html)
+ [codegurureviewer-repository-association-tagged](./codegurureviewer-repository-association-tagged.html)
+ [codepipeline-deployment-count-check](./codepipeline-deployment-count-check.html)
+ [codepipeline-region-fanout-check](./codepipeline-region-fanout-check.html)
+ [cognito-identity-pool-unauthenticated-logins](./cognito-identity-pool-unauthenticated-logins.html)
+ [cognito-identity-pool-unauth-access-check](./cognito-identity-pool-unauth-access-check.html)
+ [cognito-userpool-cust-auth-threat-full-check](./cognito-userpool-cust-auth-threat-full-check.html)
+ [cognito-user-pool-advanced-security-enabled](./cognito-user-pool-advanced-security-enabled.html)
+ [cognito-user-pool-deletion-protection-enabled](./cognito-user-pool-deletion-protection-enabled.html)
+ [cognito-user-pool-mfa-enabled](./cognito-user-pool-mfa-enabled.html)
+ [cognito-user-pool-password-policy-check](./cognito-user-pool-password-policy-check.html)
+ [cognito-user-pool-tagged](./cognito-user-pool-tagged.html)
+ [connect-instance-logging-enabled](./connect-instance-logging-enabled.html)
+ [customerprofiles-domain-tagged](./customerprofiles-domain-tagged.html)
+ [customerprofiles-object-type-allow-profile-creation](./customerprofiles-object-type-allow-profile-creation.html)
+ [customerprofiles-object-type-tagged](./customerprofiles-object-type-tagged.html)
+ [custom-eventbus-policy-attached](./custom-eventbus-policy-attached.html)
+ [custom-schema-registry-policy-attached](./custom-schema-registry-policy-attached.html)
+ [cw-loggroup-retention-period-check](./cw-loggroup-retention-period-check.html)
+ [datasync-location-object-storage-using-https](./datasync-location-object-storage-using-https.html)
+ [datasync-task-data-verification-enabled](./datasync-task-data-verification-enabled.html)
+ [datasync-task-logging-enabled](./datasync-task-logging-enabled.html)
+ [datasync-task-tagged](./datasync-task-tagged.html)
+ [dax-encryption-enabled](./dax-encryption-enabled.html)
+ [dax-tls-endpoint-encryption](./dax-tls-endpoint-encryption.html)
+ [db-instance-backup-enabled](./db-instance-backup-enabled.html)
+ [desired-instance-tenancy](./desired-instance-tenancy.html)
+ [desired-instance-type](./desired-instance-type.html)
+ [dms-auto-minor-version-upgrade-check](./dms-auto-minor-version-upgrade-check.html)
+ [dms-endpoint-ssl-configured](./dms-endpoint-ssl-configured.html)
+ [dms-endpoint-tagged](./dms-endpoint-tagged.html)
+ [dms-mongo-db-authentication-enabled](./dms-mongo-db-authentication-enabled.html)
+ [dms-neptune-iam-authorization-enabled](./dms-neptune-iam-authorization-enabled.html)
+ [dms-redis-tls-enabled](./dms-redis-tls-enabled.html)
+ [dms-replication-instance-multi-az-enabled](./dms-replication-instance-multi-az-enabled.html)
+ [dms-replication-not-public](./dms-replication-not-public.html)
+ [dms-replication-task-sourcedb-logging](./dms-replication-task-sourcedb-logging.html)
+ [dms-replication-task-tagged](./dms-replication-task-tagged.html)
+ [dms-replication-task-targetdb-logging](./dms-replication-task-targetdb-logging.html)
+ [docdb-cluster-audit-logging-enabled](./docdb-cluster-audit-logging-enabled.html)
+ [docdb-cluster-backup-retention-check](./docdb-cluster-backup-retention-check.html)
+ [docdb-cluster-deletion-protection-enabled](./docdb-cluster-deletion-protection-enabled.html)
+ [docdb-cluster-encrypted](./docdb-cluster-encrypted.html)
+ [docdb-cluster-encrypted-in-transit](./docdb-cluster-encrypted-in-transit.html)
+ [docdb-cluster-snapshot-public-prohibited](./docdb-cluster-snapshot-public-prohibited.html)
+ [dynamodb-autoscaling-enabled](./dynamodb-autoscaling-enabled.html)
+ [dynamodb-in-backup-plan](./dynamodb-in-backup-plan.html)
+ [dynamodb-last-backup-recovery-point-created](./dynamodb-last-backup-recovery-point-created.html)
+ [dynamodb-meets-restore-time-target](./dynamodb-meets-restore-time-target.html)
+ [dynamodb-pitr-enabled](./dynamodb-pitr-enabled.html)
+ [dynamodb-resources-protected-by-backup-plan](./dynamodb-resources-protected-by-backup-plan.html)
+ [dynamodb-table-deletion-protection-enabled](./dynamodb-table-deletion-protection-enabled.html)
+ [dynamodb-table-encrypted-kms](./dynamodb-table-encrypted-kms.html)
+ [dynamodb-table-encryption-enabled](./dynamodb-table-encryption-enabled.html)
+ [dynamodb-throughput-limit-check](./dynamodb-throughput-limit-check.html)
+ [ebs-in-backup-plan](./ebs-in-backup-plan.html)
+ [ebs-last-backup-recovery-point-created](./ebs-last-backup-recovery-point-created.html)
+ [ebs-meets-restore-time-target](./ebs-meets-restore-time-target.html)
+ [ebs-optimized-instance](./ebs-optimized-instance.html)
+ [ebs-resources-in-logically-air-gapped-vault](./ebs-resources-in-logically-air-gapped-vault.html)
+ [ebs-resources-protected-by-backup-plan](./ebs-resources-protected-by-backup-plan.html)
+ [ebs-snapshot-block-public-access](./ebs-snapshot-block-public-access.html)
+ [ebs-snapshot-public-restorable-check](./ebs-snapshot-public-restorable-check.html)
+ [ec2-capacity-reservation-tagged](./ec2-capacity-reservation-tagged.html)
+ [ec2-carrier-gateway-tagged](./ec2-carrier-gateway-tagged.html)
+ [ec2-client-vpn-connection-log-enabled](./ec2-client-vpn-connection-log-enabled.html)
+ [ec2-client-vpn-endpoint-tagged](./ec2-client-vpn-endpoint-tagged.html)
+ [ec2-client-vpn-not-authorize-all](./ec2-client-vpn-not-authorize-all.html)
+ [ec2-dhcp-options-tagged](./ec2-dhcp-options-tagged.html)
+ [ec2-ebs-encryption-by-default](./ec2-ebs-encryption-by-default.html)
+ [ec2-enis-source-destination-check-enabled](./ec2-enis-source-destination-check-enabled.html)
+ [ec2-fleet-tagged](./ec2-fleet-tagged.html)
+ [ec2-imdsv2-check](./ec2-imdsv2-check.html)
+ [ec2-instance-detailed-monitoring-enabled](./ec2-instance-detailed-monitoring-enabled.html)
+ [ec2-instance-launched-with-allowed-ami](./ec2-instance-launched-with-allowed-ami.html)
+ [ec2-instance-managed-by-ssm](./ec2-instance-managed-by-ssm.html)
+ [ec2-instance-multiple-eni-check](./ec2-instance-multiple-eni-check.html)
+ [ec2-instance-no-public-ip](./ec2-instance-no-public-ip.html)
+ [ec2-instance-profile-attached](./ec2-instance-profile-attached.html)
+ [ec2-ipamscope-tagged](./ec2-ipamscope-tagged.html)
+ [ec2-last-backup-recovery-point-created](./ec2-last-backup-recovery-point-created.html)
+ [ec2-launchtemplate-ebs-encrypted](./ec2-launchtemplate-ebs-encrypted.html)
+ [ec2-launch-templates-ebs-volume-encrypted](./ec2-launch-templates-ebs-volume-encrypted.html)
+ [ec2-launch-template-imdsv2-check](./ec2-launch-template-imdsv2-check.html)
+ [ec2-launch-template-public-ip-disabled](./ec2-launch-template-public-ip-disabled.html)
+ [ec2-launch-template-tagged](./ec2-launch-template-tagged.html)
+ [ec2-managedinstance-applications-blacklisted](./ec2-managedinstance-applications-blacklisted.html)
+ [ec2-managedinstance-applications-required](./ec2-managedinstance-applications-required.html)
+ [ec2-managedinstance-association-compliance-status-check](./ec2-managedinstance-association-compliance-status-check.html)
+ [ec2-managedinstance-inventory-blacklisted](./ec2-managedinstance-inventory-blacklisted.html)
+ [ec2-managedinstance-patch-compliance-status-check](./ec2-managedinstance-patch-compliance-status-check.html)
+ [ec2-managedinstance-platform-check](./ec2-managedinstance-platform-check.html)
+ [ec2-meets-restore-time-target](./ec2-meets-restore-time-target.html)
+ [ec2-network-insights-access-scope-analysis-tagged](./ec2-network-insights-access-scope-analysis-tagged.html)
+ [ec2-network-insights-access-scope-tagged](./ec2-network-insights-access-scope-tagged.html)
+ [ec2-network-insights-analysis-tagged](./ec2-network-insights-analysis-tagged.html)
+ [ec2-network-insights-path-tagged](./ec2-network-insights-path-tagged.html)
+ [ec2-no-amazon-key-pair](./ec2-no-amazon-key-pair.html)
+ [ec2-paravirtual-instance-check](./ec2-paravirtual-instance-check.html)
+ [ec2-prefix-list-tagged](./ec2-prefix-list-tagged.html)
+ [ec2-resources-in-logically-air-gapped-vault](./ec2-resources-in-logically-air-gapped-vault.html)
+ [ec2-resources-protected-by-backup-plan](./ec2-resources-protected-by-backup-plan.html)
+ [ec2-security-group-attached-to-eni](./ec2-security-group-attached-to-eni.html)
+ [ec2-security-group-attached-to-eni-periodic](./ec2-security-group-attached-to-eni-periodic.html)
+ [ec2-spot-fleet-request-ct-encryption-at-rest](./ec2-spot-fleet-request-ct-encryption-at-rest.html)
+ [ec2-stopped-instance](./ec2-stopped-instance.html)
+ [ec2-token-hop-limit-check](./ec2-token-hop-limit-check.html)
+ [ec2-traffic-mirror-filter-description](./ec2-traffic-mirror-filter-description.html)
+ [ec2-traffic-mirror-filter-tagged](./ec2-traffic-mirror-filter-tagged.html)
+ [ec2-traffic-mirror-session-description](./ec2-traffic-mirror-session-description.html)
+ [ec2-traffic-mirror-session-tagged](./ec2-traffic-mirror-session-tagged.html)
+ [ec2-traffic-mirror-target-description](./ec2-traffic-mirror-target-description.html)
+ [ec2-traffic-mirror-target-tagged](./ec2-traffic-mirror-target-tagged.html)
+ [ec2-transit-gateway-auto-vpc-attach-disabled](./ec2-transit-gateway-auto-vpc-attach-disabled.html)
+ [ec2-transit-gateway-multicast-domain-tagged](./ec2-transit-gateway-multicast-domain-tagged.html)
+ [ec2-volume-inuse-check](./ec2-volume-inuse-check.html)
+ [ec2-vpn-connection-ike-version-check](./ec2-vpn-connection-ike-version-check.html)
+ [ec2-vpn-connection-logging-enabled](./ec2-vpn-connection-logging-enabled.html)
+ [ec2-vpn-connection-tagged](./ec2-vpn-connection-tagged.html)
+ [ecr-private-image-scanning-enabled](./ecr-private-image-scanning-enabled.html)
+ [ecr-private-lifecycle-policy-configured](./ecr-private-lifecycle-policy-configured.html)
+ [ecr-private-tag-immutability-enabled](./ecr-private-tag-immutability-enabled.html)
+ [ecr-repository-cmk-encryption-enabled](./ecr-repository-cmk-encryption-enabled.html)
+ [ecr-repository-tagged](./ecr-repository-tagged.html)
+ [ecs-awsvpc-networking-enabled](./ecs-awsvpc-networking-enabled.html)
+ [ecs-capacity-provider-tagged](./ecs-capacity-provider-tagged.html)
+ [ecs-capacity-provider-termination-check](./ecs-capacity-provider-termination-check.html)
+ [ecs-containers-nonprivileged](./ecs-containers-nonprivileged.html)
+ [ecs-containers-readonly-access](./ecs-containers-readonly-access.html)
+ [ecs-container-insights-enabled](./ecs-container-insights-enabled.html)
+ [ecs-fargate-latest-platform-version](./ecs-fargate-latest-platform-version.html)
+ [ecs-no-environment-secrets](./ecs-no-environment-secrets.html)
+ [ecs-service-propagate-tags-enabled](./ecs-service-propagate-tags-enabled.html)
+ [ecs-task-definition-efs-encryption-enabled](./ecs-task-definition-efs-encryption-enabled.html)
+ [ecs-task-definition-linux-user-non-root](./ecs-task-definition-linux-user-non-root.html)
+ [ecs-task-definition-log-configuration](./ecs-task-definition-log-configuration.html)
+ [ecs-task-definition-memory-hard-limit](./ecs-task-definition-memory-hard-limit.html)
+ [ecs-task-definition-network-mode-not-host](./ecs-task-definition-network-mode-not-host.html)
+ [ecs-task-definition-nonroot-user](./ecs-task-definition-nonroot-user.html)
+ [ecs-task-definition-pid-mode-check](./ecs-task-definition-pid-mode-check.html)
+ [ecs-task-definition-user-for-host-mode-check](./ecs-task-definition-user-for-host-mode-check.html)
+ [ecs-task-definition-windows-user-non-admin](./ecs-task-definition-windows-user-non-admin.html)
+ [efs-access-point-enforce-root-directory](./efs-access-point-enforce-root-directory.html)
+ [efs-access-point-enforce-user-identity](./efs-access-point-enforce-user-identity.html)
+ [efs-automatic-backups-enabled](./efs-automatic-backups-enabled.html)
+ [efs-encrypted-check](./efs-encrypted-check.html)
+ [efs-filesystem-ct-encrypted](./efs-filesystem-ct-encrypted.html)
+ [efs-file-system-tagged](./efs-file-system-tagged.html)
+ [efs-in-backup-plan](./efs-in-backup-plan.html)
+ [efs-last-backup-recovery-point-created](./efs-last-backup-recovery-point-created.html)
+ [efs-meets-restore-time-target](./efs-meets-restore-time-target.html)
+ [efs-mount-target-public-accessible](./efs-mount-target-public-accessible.html)
+ [efs-resources-in-logically-air-gapped-vault](./efs-resources-in-logically-air-gapped-vault.html)
+ [efs-resources-protected-by-backup-plan](./efs-resources-protected-by-backup-plan.html)
+ [eip-attached](./eip-attached.html)
+ [eks-addon-tagged](./eks-addon-tagged.html)
+ [eks-cluster-logging-enabled](./eks-cluster-logging-enabled.html)
+ [eks-cluster-log-enabled](./eks-cluster-log-enabled.html)
+ [eks-cluster-oldest-supported-version](./eks-cluster-oldest-supported-version.html)
+ [eks-cluster-secrets-encrypted](./eks-cluster-secrets-encrypted.html)
+ [eks-cluster-supported-version](./eks-cluster-supported-version.html)
+ [eks-endpoint-no-public-access](./eks-endpoint-no-public-access.html)
+ [eks-fargate-profile-tagged](./eks-fargate-profile-tagged.html)
+ [eks-nodegroup-supported-version-check](./eks-nodegroup-supported-version-check.html)
+ [eks-secrets-encrypted](./eks-secrets-encrypted.html)
+ [elasticache-automatic-backup-check-enabled](./elasticache-automatic-backup-check-enabled.html)
+ [elasticache-auto-minor-version-upgrade-check](./elasticache-auto-minor-version-upgrade-check.html)
+ [elasticache-rbac-auth-enabled](./elasticache-rbac-auth-enabled.html)
+ [elasticache-redis-cluster-automatic-backup-check](./elasticache-redis-cluster-automatic-backup-check.html)
+ [elasticache-repl-grp-auto-failover-enabled](./elasticache-repl-grp-auto-failover-enabled.html)
+ [elasticache-repl-grp-encrypted-at-rest](./elasticache-repl-grp-encrypted-at-rest.html)
+ [elasticache-repl-grp-encrypted-in-transit](./elasticache-repl-grp-encrypted-in-transit.html)
+ [elasticache-repl-grp-redis-auth-enabled](./elasticache-repl-grp-redis-auth-enabled.html)
+ [elasticache-subnet-group-check](./elasticache-subnet-group-check.html)
+ [elasticache-supported-engine-version](./elasticache-supported-engine-version.html)
+ [elasticbeanstalk-application-description](./elasticbeanstalk-application-description.html)
+ [elasticbeanstalk-application-version-description](./elasticbeanstalk-application-version-description.html)
+ [elasticbeanstalk-environment-description](./elasticbeanstalk-environment-description.html)
+ [elasticsearch-encrypted-at-rest](./elasticsearch-encrypted-at-rest.html)
+ [elasticsearch-in-vpc-only](./elasticsearch-in-vpc-only.html)
+ [elasticsearch-logs-to-cloudwatch](./elasticsearch-logs-to-cloudwatch.html)
+ [elasticsearch-node-to-node-encryption-check](./elasticsearch-node-to-node-encryption-check.html)
+ [elastic-beanstalk-logs-to-cloudwatch](./elastic-beanstalk-logs-to-cloudwatch.html)
+ [elastic-beanstalk-managed-updates-enabled](./elastic-beanstalk-managed-updates-enabled.html)
+ [elbv2-acm-certificate-required](./elbv2-acm-certificate-required.html)
+ [elbv2-listener-encryption-in-transit](./elbv2-listener-encryption-in-transit.html)
+ [elbv2-multiple-az](./elbv2-multiple-az.html)
+ [elbv2-predefined-security-policy-ssl-check](./elbv2-predefined-security-policy-ssl-check.html)
+ [elbv2-targetgroup-healthcheck-protocol-encrypted](./elbv2-targetgroup-healthcheck-protocol-encrypted.html)
+ [elbv2-targetgroup-protocol-encrypted](./elbv2-targetgroup-protocol-encrypted.html)
+ [elb-acm-certificate-required](./elb-acm-certificate-required.html)
+ [elb-cross-zone-load-balancing-enabled](./elb-cross-zone-load-balancing-enabled.html)
+ [elb-custom-security-policy-ssl-check](./elb-custom-security-policy-ssl-check.html)
+ [elb-deletion-protection-enabled](./elb-deletion-protection-enabled.html)
+ [elb-internal-scheme-check](./elb-internal-scheme-check.html)
+ [elb-logging-enabled](./elb-logging-enabled.html)
+ [elb-predefined-security-policy-ssl-check](./elb-predefined-security-policy-ssl-check.html)
+ [elb-tagged](./elb-tagged.html)
+ [elb-tls-https-listeners-only](./elb-tls-https-listeners-only.html)
+ [emr-block-public-access](./emr-block-public-access.html)
+ [emr-kerberos-enabled](./emr-kerberos-enabled.html)
+ [emr-master-no-public-ip](./emr-master-no-public-ip.html)
+ [emr-security-configuration-encryption-rest](./emr-security-configuration-encryption-rest.html)
+ [emr-security-configuration-encryption-transit](./emr-security-configuration-encryption-transit.html)
+ [encrypted-volumes](./encrypted-volumes.html)
+ [eventschemas-discoverer-tagged](./eventschemas-discoverer-tagged.html)
+ [eventschemas-registry-tagged](./eventschemas-registry-tagged.html)
+ [event-data-store-cmk-encryption-enabled](./event-data-store-cmk-encryption-enabled.html)
+ [evidently-launch-description](./evidently-launch-description.html)
+ [evidently-launch-tagged](./evidently-launch-tagged.html)
+ [evidently-project-description](./evidently-project-description.html)
+ [evidently-project-tagged](./evidently-project-tagged.html)
+ [evidently-segment-description](./evidently-segment-description.html)
+ [evidently-segment-tagged](./evidently-segment-tagged.html)
+ [fis-experiment-template-log-configuration-exists](./fis-experiment-template-log-configuration-exists.html)
+ [fis-experiment-template-tagged](./fis-experiment-template-tagged.html)
+ [fms-shield-resource-policy-check](./fms-shield-resource-policy-check.html)
+ [fms-webacl-resource-policy-check](./fms-webacl-resource-policy-check.html)
+ [fms-webacl-rulegroup-association-check](./fms-webacl-rulegroup-association-check.html)
+ [fsx-last-backup-recovery-point-created](./fsx-last-backup-recovery-point-created.html)
+ [fsx-lustre-copy-tags-to-backups](./fsx-lustre-copy-tags-to-backups.html)
+ [fsx-meets-restore-time-target](./fsx-meets-restore-time-target.html)
+ [fsx-ontap-deployment-type-check](./fsx-ontap-deployment-type-check.html)
+ [fsx-openzfs-copy-tags-enabled](./fsx-openzfs-copy-tags-enabled.html)
+ [fsx-openzfs-deployment-type-check](./fsx-openzfs-deployment-type-check.html)
+ [fsx-resources-protected-by-backup-plan](./fsx-resources-protected-by-backup-plan.html)
+ [fsx-windows-audit-log-configured](./fsx-windows-audit-log-configured.html)
+ [fsx-windows-deployment-type-check](./fsx-windows-deployment-type-check.html)
+ [glb-listener-tagged](./glb-listener-tagged.html)
+ [glb-tagged](./glb-tagged.html)
+ [global-endpoint-event-replication-enabled](./global-endpoint-event-replication-enabled.html)
+ [glue-job-logging-enabled](./glue-job-logging-enabled.html)
+ [glue-ml-transform-encrypted-at-rest](./glue-ml-transform-encrypted-at-rest.html)
+ [glue-ml-transform-tagged](./glue-ml-transform-tagged.html)
+ [glue-spark-job-supported-version](./glue-spark-job-supported-version.html)
+ [guardduty-ec2-protection-runtime-enabled](./guardduty-ec2-protection-runtime-enabled.html)
+ [guardduty-ecs-protection-runtime-enabled](./guardduty-ecs-protection-runtime-enabled.html)
+ [guardduty-eks-protection-audit-enabled](./guardduty-eks-protection-audit-enabled.html)
+ [guardduty-eks-protection-runtime-enabled](./guardduty-eks-protection-runtime-enabled.html)
+ [guardduty-enabled-centralized](./guardduty-enabled-centralized.html)
+ [guardduty-lambda-protection-enabled](./guardduty-lambda-protection-enabled.html)
+ [guardduty-malware-protection-enabled](./guardduty-malware-protection-enabled.html)
+ [guardduty-non-archived-findings](./guardduty-non-archived-findings.html)
+ [guardduty-rds-protection-enabled](./guardduty-rds-protection-enabled.html)
+ [guardduty-runtime-monitoring-enabled](./guardduty-runtime-monitoring-enabled.html)
+ [guardduty-s3-protection-enabled](./guardduty-s3-protection-enabled.html)
+ [iam-customer-policy-blocked-kms-actions](./iam-customer-policy-blocked-kms-actions.html)
+ [iam-external-access-analyzer-enabled](./iam-external-access-analyzer-enabled.html)
+ [iam-group-has-users-check](./iam-group-has-users-check.html)
+ [iam-inline-policy-blocked-kms-actions](./iam-inline-policy-blocked-kms-actions.html)
+ [iam-no-inline-policy-check](./iam-no-inline-policy-check.html)
+ [iam-password-policy](./iam-password-policy.html)
+ [iam-policy-blacklisted-check](./iam-policy-blacklisted-check.html)
+ [iam-policy-description](./iam-policy-description.html)
+ [iam-policy-in-use](./iam-policy-in-use.html)
+ [iam-policy-no-statements-with-admin-access](./iam-policy-no-statements-with-admin-access.html)
+ [iam-policy-no-statements-with-full-access](./iam-policy-no-statements-with-full-access.html)
+ [iam-role-managed-policy-check](./iam-role-managed-policy-check.html)
+ [iam-root-access-key-check](./iam-root-access-key-check.html)
+ [iam-user-group-membership-check](./iam-user-group-membership-check.html)
+ [iam-user-mfa-enabled](./iam-user-mfa-enabled.html)
+ [iam-user-no-policies-check](./iam-user-no-policies-check.html)
+ [iam-user-unused-credentials-check](./iam-user-unused-credentials-check.html)
+ [imagebuilder-distributionconfiguration-tagged](./imagebuilder-distributionconfiguration-tagged.html)
+ [imagebuilder-imagepipeline-tagged](./imagebuilder-imagepipeline-tagged.html)
+ [imagebuilder-imagerecipe-ebs-volumes-encrypted](./imagebuilder-imagerecipe-ebs-volumes-encrypted.html)
+ [imagebuilder-imagerecipe-tagged](./imagebuilder-imagerecipe-tagged.html)
+ [imagebuilder-infrastructureconfiguration-tagged](./imagebuilder-infrastructureconfiguration-tagged.html)
+ [incoming-ssh-disabled](./incoming-ssh-disabled.html)
+ [inspector-ec2-scan-enabled](./inspector-ec2-scan-enabled.html)
+ [inspector-ecr-scan-enabled](./inspector-ecr-scan-enabled.html)
+ [inspector-lambda-code-scan-enabled](./inspector-lambda-code-scan-enabled.html)
+ [inspector-lambda-standard-scan-enabled](./inspector-lambda-standard-scan-enabled.html)
+ [instances-in-vpc](./instances-in-vpc.html)
+ [internet-gateway-authorized-vpc-only](./internet-gateway-authorized-vpc-only.html)
+ [iotdevicedefender-custom-metric-tagged](./iotdevicedefender-custom-metric-tagged.html)
+ [iotevents-alarm-model-tagged](./iotevents-alarm-model-tagged.html)
+ [iotevents-detector-model-tagged](./iotevents-detector-model-tagged.html)
+ [iotevents-input-tagged](./iotevents-input-tagged.html)
+ [iotsitewise-asset-model-tagged](./iotsitewise-asset-model-tagged.html)
+ [iotsitewise-dashboard-tagged](./iotsitewise-dashboard-tagged.html)
+ [iotsitewise-gateway-tagged](./iotsitewise-gateway-tagged.html)
+ [iotsitewise-portal-tagged](./iotsitewise-portal-tagged.html)
+ [iotsitewise-project-tagged](./iotsitewise-project-tagged.html)
+ [iottwinmaker-component-type-tagged](./iottwinmaker-component-type-tagged.html)
+ [iottwinmaker-scene-tagged](./iottwinmaker-scene-tagged.html)
+ [iottwinmaker-sync-job-tagged](./iottwinmaker-sync-job-tagged.html)
+ [iottwinmaker-workspace-tagged](./iottwinmaker-workspace-tagged.html)
+ [iotwireless-fuota-task-tagged](./iotwireless-fuota-task-tagged.html)
+ [iotwireless-multicast-group-tagged](./iotwireless-multicast-group-tagged.html)
+ [iotwireless-service-profile-tagged](./iotwireless-service-profile-tagged.html)
+ [iot-authorizer-token-signing-enabled](./iot-authorizer-token-signing-enabled.html)
+ [iot-job-template-tagged](./iot-job-template-tagged.html)
+ [iot-provisioning-template-description](./iot-provisioning-template-description.html)
+ [iot-provisioning-template-jitp](./iot-provisioning-template-jitp.html)
+ [iot-provisioning-template-tagged](./iot-provisioning-template-tagged.html)
+ [iot-scheduled-audit-tagged](./iot-scheduled-audit-tagged.html)
+ [ivs-channel-playback-authorization-enabled](./ivs-channel-playback-authorization-enabled.html)
+ [ivs-channel-tagged](./ivs-channel-tagged.html)
+ [ivs-playback-key-pair-tagged](./ivs-playback-key-pair-tagged.html)
+ [ivs-recording-configuration-tagged](./ivs-recording-configuration-tagged.html)
+ [kendra-index-tagged](./kendra-index-tagged.html)
+ [kinesisvideo-signalingchannel-tagged](./kinesisvideo-signalingchannel-tagged.html)
+ [kinesisvideo-stream-tagged](./kinesisvideo-stream-tagged.html)
+ [kinesis-firehose-delivery-stream-encrypted](./kinesis-firehose-delivery-stream-encrypted.html)
+ [kinesis-stream-backup-retention-check](./kinesis-stream-backup-retention-check.html)
+ [kinesis-stream-encrypted](./kinesis-stream-encrypted.html)
+ [kinesis-video-stream-minimum-data-retention](./kinesis-video-stream-minimum-data-retention.html)
+ [kms-cmk-not-scheduled-for-deletion](./kms-cmk-not-scheduled-for-deletion.html)
+ [kms-key-policy-no-public-access](./kms-key-policy-no-public-access.html)
+ [kms-key-tagged](./kms-key-tagged.html)
+ [lambda-concurrency-check](./lambda-concurrency-check.html)
+ [lambda-dlq-check](./lambda-dlq-check.html)
+ [lambda-function-application-log-level-check](./lambda-function-application-log-level-check.html)
+ [lambda-function-description](./lambda-function-description.html)
+ [lambda-function-log-format-json](./lambda-function-log-format-json.html)
+ [lambda-function-public-access-prohibited](./lambda-function-public-access-prohibited.html)
+ [lambda-function-settings-check](./lambda-function-settings-check.html)
+ [lambda-function-system-log-level-check](./lambda-function-system-log-level-check.html)
+ [lambda-function-xray-enabled](./lambda-function-xray-enabled.html)
+ [lambda-inside-vpc](./lambda-inside-vpc.html)
+ [lambda-vpc-multi-az-check](./lambda-vpc-multi-az-check.html)
+ [lightsail-bucket-allow-public-overrides-disabled](./lightsail-bucket-allow-public-overrides-disabled.html)
+ [lightsail-bucket-object-versioning-enabled](./lightsail-bucket-object-versioning-enabled.html)
+ [lightsail-bucket-tagged](./lightsail-bucket-tagged.html)
+ [lightsail-certificate-tagged](./lightsail-certificate-tagged.html)
+ [lightsail-disk-tagged](./lightsail-disk-tagged.html)
+ [macie-auto-sensitive-data-discovery-check](./macie-auto-sensitive-data-discovery-check.html)
+ [macie-status-check](./macie-status-check.html)
+ [mariadb-publish-logs-to-cloudwatch-logs](./mariadb-publish-logs-to-cloudwatch-logs.html)
+ [mediapackage-packagingconfiguration-tagged](./mediapackage-packagingconfiguration-tagged.html)
+ [mediatailor-playbackconfiguration-tagged](./mediatailor-playbackconfiguration-tagged.html)
+ [memorydb-subnetgroup-tagged](./memorydb-subnetgroup-tagged.html)
+ [mfa-enabled-for-iam-console-access](./mfa-enabled-for-iam-console-access.html)
+ [mq-active-broker-ldap-authentication](./mq-active-broker-ldap-authentication.html)
+ [mq-active-deployment-mode](./mq-active-deployment-mode.html)
+ [mq-active-single-instance-broker-storage-type-efs](./mq-active-single-instance-broker-storage-type-efs.html)
+ [mq-automatic-minor-version-upgrade-enabled](./mq-automatic-minor-version-upgrade-enabled.html)
+ [mq-auto-minor-version-upgrade-enabled](./mq-auto-minor-version-upgrade-enabled.html)
+ [mq-broker-general-logging-enabled](./mq-broker-general-logging-enabled.html)
+ [mq-cloudwatch-audit-logging-enabled](./mq-cloudwatch-audit-logging-enabled.html)
+ [mq-cloudwatch-audit-log-enabled](./mq-cloudwatch-audit-log-enabled.html)
+ [mq-no-public-access](./mq-no-public-access.html)
+ [mq-rabbit-deployment-mode](./mq-rabbit-deployment-mode.html)
+ [msk-cluster-public-access-disabled](./msk-cluster-public-access-disabled.html)
+ [msk-cluster-tagged](./msk-cluster-tagged.html)
+ [msk-connect-connector-logging-enabled](./msk-connect-connector-logging-enabled.html)
+ [msk-enhanced-monitoring-enabled](./msk-enhanced-monitoring-enabled.html)
+ [msk-in-cluster-node-require-tls](./msk-in-cluster-node-require-tls.html)
+ [msk-unrestricted-access-check](./msk-unrestricted-access-check.html)
+ [multi-region-cloud-trail-enabled](./multi-region-cloud-trail-enabled.html)
+ [nacl-no-unrestricted-ssh-rdp](./nacl-no-unrestricted-ssh-rdp.html)
+ [neptune-cluster-backup-retention-check](./neptune-cluster-backup-retention-check.html)
+ [neptune-cluster-cloudwatch-log-export-enabled](./neptune-cluster-cloudwatch-log-export-enabled.html)
+ [neptune-cluster-copy-tags-to-snapshot-enabled](./neptune-cluster-copy-tags-to-snapshot-enabled.html)
+ [neptune-cluster-deletion-protection-enabled](./neptune-cluster-deletion-protection-enabled.html)
+ [neptune-cluster-encrypted](./neptune-cluster-encrypted.html)
+ [neptune-cluster-iam-database-authentication](./neptune-cluster-iam-database-authentication.html)
+ [neptune-cluster-multi-az-enabled](./neptune-cluster-multi-az-enabled.html)
+ [neptune-cluster-snapshot-encrypted](./neptune-cluster-snapshot-encrypted.html)
+ [neptune-cluster-snapshot-iam-database-auth-enabled](./neptune-cluster-snapshot-iam-database-auth-enabled.html)
+ [neptune-cluster-snapshot-public-prohibited](./neptune-cluster-snapshot-public-prohibited.html)
+ [netfw-deletion-protection-enabled](./netfw-deletion-protection-enabled.html)
+ [netfw-logging-enabled](./netfw-logging-enabled.html)
+ [netfw-multi-az-enabled](./netfw-multi-az-enabled.html)
+ [netfw-policy-default-action-fragment-packets](./netfw-policy-default-action-fragment-packets.html)
+ [netfw-policy-default-action-full-packets](./netfw-policy-default-action-full-packets.html)
+ [netfw-policy-rule-group-associated](./netfw-policy-rule-group-associated.html)
+ [netfw-stateless-rule-group-not-empty](./netfw-stateless-rule-group-not-empty.html)
+ [netfw-subnet-change-protection-enabled](./netfw-subnet-change-protection-enabled.html)
+ [nlb-cross-zone-load-balancing-enabled](./nlb-cross-zone-load-balancing-enabled.html)
+ [nlb-internal-scheme-check](./nlb-internal-scheme-check.html)
+ [nlb-listener-tagged](./nlb-listener-tagged.html)
+ [nlb-logging-enabled](./nlb-logging-enabled.html)
+ [nlb-tagged](./nlb-tagged.html)
+ [no-unrestricted-route-to-igw](./no-unrestricted-route-to-igw.html)
+ [opensearchserverless-collection-description](./opensearchserverless-collection-description.html)
+ [opensearchserverless-collection-standbyreplicas-enabled](./opensearchserverless-collection-standbyreplicas-enabled.html)
+ [opensearch-access-control-enabled](./opensearch-access-control-enabled.html)
+ [opensearch-audit-logging-enabled](./opensearch-audit-logging-enabled.html)
+ [opensearch-data-node-fault-tolerance](./opensearch-data-node-fault-tolerance.html)
+ [opensearch-encrypted-at-rest](./opensearch-encrypted-at-rest.html)
+ [opensearch-https-required](./opensearch-https-required.html)
+ [opensearch-in-vpc-only](./opensearch-in-vpc-only.html)
+ [opensearch-logs-to-cloudwatch](./opensearch-logs-to-cloudwatch.html)
+ [opensearch-node-to-node-encryption-check](./opensearch-node-to-node-encryption-check.html)
+ [opensearch-primary-node-fault-tolerance](./opensearch-primary-node-fault-tolerance.html)
+ [opensearch-update-check](./opensearch-update-check.html)
+ [rabbit-mq-supported-version](./rabbit-mq-supported-version.html)
+ [rds-aurora-mysql-audit-logging-enabled](./rds-aurora-mysql-audit-logging-enabled.html)
+ [rds-aurora-postgresql-logs-to-cloudwatch](./rds-aurora-postgresql-logs-to-cloudwatch.html)
+ [rds-automatic-minor-version-upgrade-enabled](./rds-automatic-minor-version-upgrade-enabled.html)
+ [rds-cluster-auto-minor-version-upgrade-enable](./rds-cluster-auto-minor-version-upgrade-enable.html)
+ [rds-cluster-backup-retention-check](./rds-cluster-backup-retention-check.html)
+ [rds-cluster-default-admin-check](./rds-cluster-default-admin-check.html)
+ [rds-cluster-deletion-protection-enabled](./rds-cluster-deletion-protection-enabled.html)
+ [rds-cluster-encrypted-at-rest](./rds-cluster-encrypted-at-rest.html)
+ [rds-cluster-iam-authentication-enabled](./rds-cluster-iam-authentication-enabled.html)
+ [rds-cluster-multi-az-enabled](./rds-cluster-multi-az-enabled.html)
+ [rds-db-security-group-not-allowed](./rds-db-security-group-not-allowed.html)
+ [rds-enhanced-monitoring-enabled](./rds-enhanced-monitoring-enabled.html)
+ [rds-event-subscription-tagged](./rds-event-subscription-tagged.html)
+ [rds-global-cluster-aurora-mysql-supported-version](./rds-global-cluster-aurora-mysql-supported-version.html)
+ [rds-instance-default-admin-check](./rds-instance-default-admin-check.html)
+ [rds-instance-deletion-protection-enabled](./rds-instance-deletion-protection-enabled.html)
+ [rds-instance-iam-authentication-enabled](./rds-instance-iam-authentication-enabled.html)
+ [rds-instance-public-access-check](./rds-instance-public-access-check.html)
+ [rds-instance-subnet-igw-check](./rds-instance-subnet-igw-check.html)
+ [rds-in-backup-plan](./rds-in-backup-plan.html)
+ [rds-last-backup-recovery-point-created](./rds-last-backup-recovery-point-created.html)
+ [rds-logging-enabled](./rds-logging-enabled.html)
+ [rds-mariadb-instance-encrypted-in-transit](./rds-mariadb-instance-encrypted-in-transit.html)
+ [rds-meets-restore-time-target](./rds-meets-restore-time-target.html)
+ [rds-multi-az-support](./rds-multi-az-support.html)
+ [rds-mysql-cluster-copy-tags-to-snapshot-check](./rds-mysql-cluster-copy-tags-to-snapshot-check.html)
+ [rds-mysql-instance-encrypted-in-transit](./rds-mysql-instance-encrypted-in-transit.html)
+ [rds-option-group-tagged](./rds-option-group-tagged.html)
+ [rds-pgsql-cluster-copy-tags-to-snapshot-check](./rds-pgsql-cluster-copy-tags-to-snapshot-check.html)
+ [rds-postgresql-logs-to-cloudwatch](./rds-postgresql-logs-to-cloudwatch.html)
+ [rds-postgres-instance-encrypted-in-transit](./rds-postgres-instance-encrypted-in-transit.html)
+ [rds-proxy-tls-encryption](./rds-proxy-tls-encryption.html)
+ [rds-resources-protected-by-backup-plan](./rds-resources-protected-by-backup-plan.html)
+ [rds-snapshots-public-prohibited](./rds-snapshots-public-prohibited.html)
+ [rds-snapshot-encrypted](./rds-snapshot-encrypted.html)
+ [rds-sqlserver-encrypted-in-transit](./rds-sqlserver-encrypted-in-transit.html)
+ [rds-sql-server-logs-to-cloudwatch](./rds-sql-server-logs-to-cloudwatch.html)
+ [rds-storage-encrypted](./rds-storage-encrypted.html)
+ [redshift-audit-logging-enabled](./redshift-audit-logging-enabled.html)
+ [redshift-backup-enabled](./redshift-backup-enabled.html)
+ [redshift-cluster-configuration-check](./redshift-cluster-configuration-check.html)
+ [redshift-cluster-kms-enabled](./redshift-cluster-kms-enabled.html)
+ [redshift-cluster-maintenancesettings-check](./redshift-cluster-maintenancesettings-check.html)
+ [redshift-cluster-multi-az-enabled](./redshift-cluster-multi-az-enabled.html)
+ [redshift-cluster-parameter-group-tagged](./redshift-cluster-parameter-group-tagged.html)
+ [redshift-cluster-public-access-check](./redshift-cluster-public-access-check.html)
+ [redshift-cluster-subnet-group-multi-az](./redshift-cluster-subnet-group-multi-az.html)
+ [redshift-default-admin-check](./redshift-default-admin-check.html)
+ [redshift-default-db-name-check](./redshift-default-db-name-check.html)
+ [redshift-enhanced-vpc-routing-enabled](./redshift-enhanced-vpc-routing-enabled.html)
+ [redshift-require-tls-ssl](./redshift-require-tls-ssl.html)
+ [redshift-serverless-default-admin-check](./redshift-serverless-default-admin-check.html)
+ [redshift-serverless-default-db-name-check](./redshift-serverless-default-db-name-check.html)
+ [redshift-serverless-namespace-cmk-encryption](./redshift-serverless-namespace-cmk-encryption.html)
+ [redshift-serverless-publish-logs-to-cloudwatch](./redshift-serverless-publish-logs-to-cloudwatch.html)
+ [redshift-serverless-workgroup-encrypted-in-transit](./redshift-serverless-workgroup-encrypted-in-transit.html)
+ [redshift-serverless-workgroup-no-public-access](./redshift-serverless-workgroup-no-public-access.html)
+ [redshift-serverless-workgroup-routes-within-vpc](./redshift-serverless-workgroup-routes-within-vpc.html)
+ [redshift-unrestricted-port-access](./redshift-unrestricted-port-access.html)
+ [required-tags](./required-tags.html)
+ [resiliencehub-app-tagged](./resiliencehub-app-tagged.html)
+ [resiliencehub-resiliencypolicy-tagged](./resiliencehub-resiliencypolicy-tagged.html)
+ [restricted-incoming-traffic](./restricted-incoming-traffic.html)
+ [root-account-hardware-mfa-enabled](./root-account-hardware-mfa-enabled.html)
+ [root-account-mfa-enabled](./root-account-mfa-enabled.html)
+ [route53-resolver-firewall-domain-list-tagged](./route53-resolver-firewall-domain-list-tagged.html)
+ [route53-resolver-firewall-rule-group-association-tagged](./route53-resolver-firewall-rule-group-association-tagged.html)
+ [route53-resolver-firewall-rule-group-tagged](./route53-resolver-firewall-rule-group-tagged.html)
+ [route53-resolver-resolver-endpoint-tagged](./route53-resolver-resolver-endpoint-tagged.html)
+ [route53-resolver-resolver-rule-tagged](./route53-resolver-resolver-rule-tagged.html)
+ [rum-app-monitor-cloudwatch-logs-enabled](./rum-app-monitor-cloudwatch-logs-enabled.html)
+ [rum-app-monitor-tagged](./rum-app-monitor-tagged.html)
+ [s3express-dir-bucket-lifecycle-rules-check](./s3express-dir-bucket-lifecycle-rules-check.html)
+ [s3-access-point-in-vpc-only](./s3-access-point-in-vpc-only.html)
+ [s3-access-point-public-access-blocks](./s3-access-point-public-access-blocks.html)
+ [s3-account-level-public-access-blocks](./s3-account-level-public-access-blocks.html)
+ [s3-account-level-public-access-blocks-periodic](./s3-account-level-public-access-blocks-periodic.html)
+ [s3-bucket-acl-prohibited](./s3-bucket-acl-prohibited.html)
+ [s3-bucket-blacklisted-actions-prohibited](./s3-bucket-blacklisted-actions-prohibited.html)
+ [s3-bucket-cross-region-replication-enabled](./s3-bucket-cross-region-replication-enabled.html)
+ [s3-bucket-default-lock-enabled](./s3-bucket-default-lock-enabled.html)
+ [s3-bucket-level-public-access-prohibited](./s3-bucket-level-public-access-prohibited.html)
+ [s3-bucket-logging-enabled](./s3-bucket-logging-enabled.html)
+ [s3-bucket-mfa-delete-enabled](./s3-bucket-mfa-delete-enabled.html)
+ [s3-bucket-policy-grantee-check](./s3-bucket-policy-grantee-check.html)
+ [s3-bucket-policy-not-more-permissive](./s3-bucket-policy-not-more-permissive.html)
+ [s3-bucket-public-read-prohibited](./s3-bucket-public-read-prohibited.html)
+ [s3-bucket-public-write-prohibited](./s3-bucket-public-write-prohibited.html)
+ [s3-bucket-replication-enabled](./s3-bucket-replication-enabled.html)
+ [s3-bucket-server-side-encryption-enabled](./s3-bucket-server-side-encryption-enabled.html)
+ [s3-bucket-ssl-requests-only](./s3-bucket-ssl-requests-only.html)
+ [s3-bucket-tagged](./s3-bucket-tagged.html)
+ [s3-bucket-versioning-enabled](./s3-bucket-versioning-enabled.html)
+ [s3-default-encryption-kms](./s3-default-encryption-kms.html)
+ [s3-directory-bucket-lifecycle-policy-rule-check](./s3-directory-bucket-lifecycle-policy-rule-check.html)
+ [s3-event-notifications-enabled](./s3-event-notifications-enabled.html)
+ [s3-last-backup-recovery-point-created](./s3-last-backup-recovery-point-created.html)
+ [s3-lifecycle-policy-check](./s3-lifecycle-policy-check.html)
+ [s3-meets-restore-time-target](./s3-meets-restore-time-target.html)
+ [s3-resources-in-logically-air-gapped-vault](./s3-resources-in-logically-air-gapped-vault.html)
+ [s3-resources-protected-by-backup-plan](./s3-resources-protected-by-backup-plan.html)
+ [s3-version-lifecycle-policy-check](./s3-version-lifecycle-policy-check.html)
+ [sagemaker-app-image-config-tagged](./sagemaker-app-image-config-tagged.html)
+ [sagemaker-data-quality-job-encrypt-in-transit](./sagemaker-data-quality-job-encrypt-in-transit.html)
+ [sagemaker-data-quality-job-isolation](./sagemaker-data-quality-job-isolation.html)
+ [sagemaker-domain-in-vpc](./sagemaker-domain-in-vpc.html)
+ [sagemaker-domain-tagged](./sagemaker-domain-tagged.html)
+ [sagemaker-endpoint-configuration-kms-key-configured](./sagemaker-endpoint-configuration-kms-key-configured.html)
+ [sagemaker-endpoint-config-prod-instance-count](./sagemaker-endpoint-config-prod-instance-count.html)
+ [sagemaker-featuregroup-description](./sagemaker-featuregroup-description.html)
+ [sagemaker-featuregroup-encryption-at-rest](./sagemaker-featuregroup-encryption-at-rest.html)
+ [sagemaker-feature-group-tagged](./sagemaker-feature-group-tagged.html)
+ [sagemaker-image-description](./sagemaker-image-description.html)
+ [sagemaker-image-tagged](./sagemaker-image-tagged.html)
+ [sagemaker-inferenceexperiment-tagged](./sagemaker-inferenceexperiment-tagged.html)
+ [sagemaker-model-bias-job-encrypt-in-transit](./sagemaker-model-bias-job-encrypt-in-transit.html)
+ [sagemaker-model-bias-job-isolation](./sagemaker-model-bias-job-isolation.html)
+ [sagemaker-model-explainability-job-encrypt-in-transit](./sagemaker-model-explainability-job-encrypt-in-transit.html)
+ [sagemaker-model-in-vpc](./sagemaker-model-in-vpc.html)
+ [sagemaker-model-isolation-enabled](./sagemaker-model-isolation-enabled.html)
+ [sagemaker-model-private-registry-required](./sagemaker-model-private-registry-required.html)
+ [sagemaker-model-quality-job-encrypt-in-transit](./sagemaker-model-quality-job-encrypt-in-transit.html)
+ [sagemaker-monitoring-schedule-isolation](./sagemaker-monitoring-schedule-isolation.html)
+ [sagemaker-notebook-instance-inside-vpc](./sagemaker-notebook-instance-inside-vpc.html)
+ [sagemaker-notebook-instance-kms-key-configured](./sagemaker-notebook-instance-kms-key-configured.html)
+ [sagemaker-notebook-instance-platform-version](./sagemaker-notebook-instance-platform-version.html)
+ [sagemaker-notebook-instance-root-access-check](./sagemaker-notebook-instance-root-access-check.html)
+ [sagemaker-notebook-no-direct-internet-access](./sagemaker-notebook-no-direct-internet-access.html)
+ [secretsmanager-rotation-enabled-check](./secretsmanager-rotation-enabled-check.html)
+ [secretsmanager-scheduled-rotation-success-check](./secretsmanager-scheduled-rotation-success-check.html)
+ [secretsmanager-secret-periodic-rotation](./secretsmanager-secret-periodic-rotation.html)
+ [secretsmanager-secret-unused](./secretsmanager-secret-unused.html)
+ [secretsmanager-using-cmk](./secretsmanager-using-cmk.html)
+ [securityhub-enabled](./securityhub-enabled.html)
+ [security-account-information-provided](./security-account-information-provided.html)
+ [service-catalog-portfolio-tagged](./service-catalog-portfolio-tagged.html)
+ [service-catalog-shared-within-organization](./service-catalog-shared-within-organization.html)
+ [service-vpc-endpoint-enabled](./service-vpc-endpoint-enabled.html)
+ [ses-sending-tls-required](./ses-sending-tls-required.html)
+ [signer-signingprofile-tagged](./signer-signingprofile-tagged.html)
+ [sns-encrypted-kms](./sns-encrypted-kms.html)
+ [sns-topic-message-delivery-notification-enabled](./sns-topic-message-delivery-notification-enabled.html)
+ [sns-topic-no-public-access](./sns-topic-no-public-access.html)
+ [sqs-queue-dlq-check](./sqs-queue-dlq-check.html)
+ [sqs-queue-no-public-access](./sqs-queue-no-public-access.html)
+ [sqs-queue-policy-full-access-check](./sqs-queue-policy-full-access-check.html)
+ [ssm-automation-block-public-sharing](./ssm-automation-block-public-sharing.html)
+ [ssm-automation-logging-enabled](./ssm-automation-logging-enabled.html)
+ [ssm-document-not-public](./ssm-document-not-public.html)
+ [ssm-document-tagged](./ssm-document-tagged.html)
+ [stepfunctions-state-machine-tagged](./stepfunctions-state-machine-tagged.html)
+ [step-functions-state-machine-logging-enabled](./step-functions-state-machine-logging-enabled.html)
+ [storagegateway-last-backup-recovery-point-created](./storagegateway-last-backup-recovery-point-created.html)
+ [storagegateway-resources-in-logically-air-gapped-vault](./storagegateway-resources-in-logically-air-gapped-vault.html)
+ [storagegateway-resources-protected-by-backup-plan](./storagegateway-resources-protected-by-backup-plan.html)
+ [subnet-auto-assign-public-ip-disabled](./subnet-auto-assign-public-ip-disabled.html)
+ [transfer-agreement-description](./transfer-agreement-description.html)
+ [transfer-agreement-tagged](./transfer-agreement-tagged.html)
+ [transfer-certificate-description](./transfer-certificate-description.html)
+ [transfer-certificate-tagged](./transfer-certificate-tagged.html)
+ [transfer-connector-as2-encryption-algorithm-check](./transfer-connector-as2-encryption-algorithm-check.html)
+ [transfer-connector-as2-mdn-signing-algorithm-check](./transfer-connector-as2-mdn-signing-algorithm-check.html)
+ [transfer-connector-as2-signing-algorithm-check](./transfer-connector-as2-signing-algorithm-check.html)
+ [transfer-connector-logging-enabled](./transfer-connector-logging-enabled.html)
+ [transfer-connector-tagged](./transfer-connector-tagged.html)
+ [transfer-family-server-no-ftp](./transfer-family-server-no-ftp.html)
+ [transfer-profile-tagged](./transfer-profile-tagged.html)
+ [transfer-workflow-description](./transfer-workflow-description.html)
+ [transfer-workflow-tagged](./transfer-workflow-tagged.html)
+ [virtualmachine-last-backup-recovery-point-created](./virtualmachine-last-backup-recovery-point-created.html)
+ [virtualmachine-resources-in-logically-air-gapped-vault](./virtualmachine-resources-in-logically-air-gapped-vault.html)
+ [virtualmachine-resources-protected-by-backup-plan](./virtualmachine-resources-protected-by-backup-plan.html)
+ [vpc-default-security-group-closed](./vpc-default-security-group-closed.html)
+ [vpc-endpoint-enabled](./vpc-endpoint-enabled.html)
+ [vpc-flow-logs-enabled](./vpc-flow-logs-enabled.html)
+ [vpc-network-acl-unused-check](./vpc-network-acl-unused-check.html)
+ [vpc-peering-dns-resolution-check](./vpc-peering-dns-resolution-check.html)
+ [vpc-sg-open-only-to-authorized-ports](./vpc-sg-open-only-to-authorized-ports.html)
+ [vpc-sg-port-restriction-check](./vpc-sg-port-restriction-check.html)
+ [vpc-vpn-2-tunnels-up](./vpc-vpn-2-tunnels-up.html)
+ [wafv2-logging-enabled](./wafv2-logging-enabled.html)
+ [wafv2-rulegroup-logging-enabled](./wafv2-rulegroup-logging-enabled.html)
+ [wafv2-rulegroup-not-empty](./wafv2-rulegroup-not-empty.html)
+ [wafv2-webacl-not-empty](./wafv2-webacl-not-empty.html)
+ [waf-global-rulegroup-not-empty](./waf-global-rulegroup-not-empty.html)
+ [waf-global-rule-not-empty](./waf-global-rule-not-empty.html)
+ [waf-regional-rulegroup-not-empty](./waf-regional-rulegroup-not-empty.html)
+ [waf-regional-rule-not-empty](./waf-regional-rule-not-empty.html)
+ [waf-regional-webacl-not-empty](./waf-regional-webacl-not-empty.html)
+ [workspaces-connection-alias-tagged](./workspaces-connection-alias-tagged.html)
+ [workspaces-root-volume-encryption-enabled](./workspaces-root-volume-encryption-enabled.html)
+ [workspaces-user-volume-encryption-enabled](./workspaces-user-volume-encryption-enabled.html)
+ [workspaces-workspace-tagged](./workspaces-workspace-tagged.html)

## Canada (Central) Region
<a name="canada-central-section-head"></a>

### Canada (Central)
<a name="canada-central"></a>
+ [access-keys-rotated](./access-keys-rotated.html)
+ [account-part-of-organizations](./account-part-of-organizations.html)
+ [acmpca-certificate-authority-tagged](./acmpca-certificate-authority-tagged.html)
+ [acm-certificate-expiration-check](./acm-certificate-expiration-check.html)
+ [acm-certificate-rsa-check](./acm-certificate-rsa-check.html)
+ [acm-certificate-transparent-logging-enabled](./acm-certificate-transparent-logging-enabled.html)
+ [acm-pca-root-ca-disabled](./acm-pca-root-ca-disabled.html)
+ [active-mq-supported-version](./active-mq-supported-version.html)
+ [alb-desync-mode-check](./alb-desync-mode-check.html)
+ [alb-http-drop-invalid-header-enabled](./alb-http-drop-invalid-header-enabled.html)
+ [alb-http-to-https-redirection-check](./alb-http-to-https-redirection-check.html)
+ [alb-internal-scheme-check](./alb-internal-scheme-check.html)
+ [alb-listener-tagged](./alb-listener-tagged.html)
+ [alb-tagged](./alb-tagged.html)
+ [alb-waf-enabled](./alb-waf-enabled.html)
+ [amplify-app-branch-auto-deletion-enabled](./amplify-app-branch-auto-deletion-enabled.html)
+ [amplify-app-build-spec-configured](./amplify-app-build-spec-configured.html)
+ [amplify-app-description](./amplify-app-description.html)
+ [amplify-app-no-environment-variables](./amplify-app-no-environment-variables.html)
+ [amplify-app-platform-check](./amplify-app-platform-check.html)
+ [amplify-app-tagged](./amplify-app-tagged.html)
+ [amplify-branch-auto-build-enabled](./amplify-branch-auto-build-enabled.html)
+ [amplify-branch-build-spec-configured](./amplify-branch-build-spec-configured.html)
+ [amplify-branch-description](./amplify-branch-description.html)
+ [amplify-branch-framework-configured](./amplify-branch-framework-configured.html)
+ [amplify-branch-performance-mode-enabled](./amplify-branch-performance-mode-enabled.html)
+ [amplify-branch-pull-request-preview-enabled](./amplify-branch-pull-request-preview-enabled.html)
+ [amplify-branch-tagged](./amplify-branch-tagged.html)
+ [apigatewayv2-integration-private-https-enabled](./apigatewayv2-integration-private-https-enabled.html)
+ [apigatewayv2-stage-description](./apigatewayv2-stage-description.html)
+ [apigateway-domain-name-tls-check](./apigateway-domain-name-tls-check.html)
+ [apigateway-stage-access-logs-enabled](./apigateway-stage-access-logs-enabled.html)
+ [apigateway-stage-description](./apigateway-stage-description.html)
+ [api-gwv2-access-logs-enabled](./api-gwv2-access-logs-enabled.html)
+ [api-gwv2-authorization-type-configured](./api-gwv2-authorization-type-configured.html)
+ [api-gwv2-stage-default-route-detailed-metrics-enabled](./api-gwv2-stage-default-route-detailed-metrics-enabled.html)
+ [api-gw-associated-with-waf](./api-gw-associated-with-waf.html)
+ [api-gw-cache-enabled-and-encrypted](./api-gw-cache-enabled-and-encrypted.html)
+ [api-gw-endpoint-type-check](./api-gw-endpoint-type-check.html)
+ [api-gw-execution-logging-enabled](./api-gw-execution-logging-enabled.html)
+ [api-gw-rest-api-tagged](./api-gw-rest-api-tagged.html)
+ [api-gw-ssl-enabled](./api-gw-ssl-enabled.html)
+ [api-gw-stage-tagged](./api-gw-stage-tagged.html)
+ [api-gw-xray-enabled](./api-gw-xray-enabled.html)
+ [appconfig-application-description](./appconfig-application-description.html)
+ [appconfig-application-tagged](./appconfig-application-tagged.html)
+ [appconfig-configuration-profile-tagged](./appconfig-configuration-profile-tagged.html)
+ [appconfig-configuration-profile-validators-not-empty](./appconfig-configuration-profile-validators-not-empty.html)
+ [appconfig-deployment-strategy-description](./appconfig-deployment-strategy-description.html)
+ [appconfig-deployment-strategy-minimum-final-bake-time](./appconfig-deployment-strategy-minimum-final-bake-time.html)
+ [appconfig-deployment-strategy-replicate-to-ssm](./appconfig-deployment-strategy-replicate-to-ssm.html)
+ [appconfig-deployment-strategy-tagged](./appconfig-deployment-strategy-tagged.html)
+ [appconfig-environment-description](./appconfig-environment-description.html)
+ [appconfig-environment-tagged](./appconfig-environment-tagged.html)
+ [appconfig-extension-association-tagged](./appconfig-extension-association-tagged.html)
+ [appconfig-freeform-profile-config-storage](./appconfig-freeform-profile-config-storage.html)
+ [appconfig-hosted-configuration-version-description](./appconfig-hosted-configuration-version-description.html)
+ [appflow-flow-tagged](./appflow-flow-tagged.html)
+ [appflow-flow-trigger-type-check](./appflow-flow-trigger-type-check.html)
+ [appintegrations-application-approved-origins-check](./appintegrations-application-approved-origins-check.html)
+ [appintegrations-application-tagged](./appintegrations-application-tagged.html)
+ [appintegrations-event-integration-description](./appintegrations-event-integration-description.html)
+ [appintegrations-event-integration-tagged](./appintegrations-event-integration-tagged.html)
+ [appmesh-gateway-route-tagged](./appmesh-gateway-route-tagged.html)
+ [appmesh-mesh-deny-tcp-forwarding](./appmesh-mesh-deny-tcp-forwarding.html)
+ [appmesh-mesh-ip-pref-check](./appmesh-mesh-ip-pref-check.html)
+ [appmesh-mesh-tagged](./appmesh-mesh-tagged.html)
+ [appmesh-route-tagged](./appmesh-route-tagged.html)
+ [appmesh-virtual-gateway-backend-defaults-tls](./appmesh-virtual-gateway-backend-defaults-tls.html)
+ [appmesh-virtual-gateway-listeners-health-check-enabled](./appmesh-virtual-gateway-listeners-health-check-enabled.html)
+ [appmesh-virtual-gateway-logging-file-path-exists](./appmesh-virtual-gateway-logging-file-path-exists.html)
+ [appmesh-virtual-gateway-tagged](./appmesh-virtual-gateway-tagged.html)
+ [appmesh-virtual-node-backend-defaults-tls-on](./appmesh-virtual-node-backend-defaults-tls-on.html)
+ [appmesh-virtual-node-cloud-map-ip-pref-check](./appmesh-virtual-node-cloud-map-ip-pref-check.html)
+ [appmesh-virtual-node-dns-ip-pref-check](./appmesh-virtual-node-dns-ip-pref-check.html)
+ [appmesh-virtual-node-listeners-health-check-enabled](./appmesh-virtual-node-listeners-health-check-enabled.html)
+ [appmesh-virtual-node-listeners-outlier-detect-enabled](./appmesh-virtual-node-listeners-outlier-detect-enabled.html)
+ [appmesh-virtual-node-logging-file-path-exists](./appmesh-virtual-node-logging-file-path-exists.html)
+ [appmesh-virtual-node-service-backends-tls-enforced](./appmesh-virtual-node-service-backends-tls-enforced.html)
+ [appmesh-virtual-node-tagged](./appmesh-virtual-node-tagged.html)
+ [appmesh-virtual-router-tagged](./appmesh-virtual-router-tagged.html)
+ [appmesh-virtual-service-tagged](./appmesh-virtual-service-tagged.html)
+ [approved-amis-by-id](./approved-amis-by-id.html)
+ [approved-amis-by-tag](./approved-amis-by-tag.html)
+ [appstream-fleet-in-vpc](./appstream-fleet-in-vpc.html)
+ [appsync-associated-with-waf](./appsync-associated-with-waf.html)
+ [appsync-authorization-check](./appsync-authorization-check.html)
+ [appsync-cache-encryption-at-rest](./appsync-cache-encryption-at-rest.html)
+ [appsync-graphql-api-xray-enabled](./appsync-graphql-api-xray-enabled.html)
+ [appsync-logging-enabled](./appsync-logging-enabled.html)
+ [athena-data-catalog-description](./athena-data-catalog-description.html)
+ [athena-prepared-statement-description](./athena-prepared-statement-description.html)
+ [athena-workgroup-description](./athena-workgroup-description.html)
+ [athena-workgroup-encrypted-at-rest](./athena-workgroup-encrypted-at-rest.html)
+ [athena-workgroup-enforce-workgroup-configuration](./athena-workgroup-enforce-workgroup-configuration.html)
+ [athena-workgroup-engine-version-auto-upgrade](./athena-workgroup-engine-version-auto-upgrade.html)
+ [athena-workgroup-logging-enabled](./athena-workgroup-logging-enabled.html)
+ [auditmanager-assessment-tagged](./auditmanager-assessment-tagged.html)
+ [aurora-global-database-encryption-at-rest](./aurora-global-database-encryption-at-rest.html)
+ [aurora-last-backup-recovery-point-created](./aurora-last-backup-recovery-point-created.html)
+ [aurora-meets-restore-time-target](./aurora-meets-restore-time-target.html)
+ [aurora-mysql-backtracking-enabled](./aurora-mysql-backtracking-enabled.html)
+ [aurora-mysql-cluster-audit-logging](./aurora-mysql-cluster-audit-logging.html)
+ [aurora-resources-in-logically-air-gapped-vault](./aurora-resources-in-logically-air-gapped-vault.html)
+ [aurora-resources-protected-by-backup-plan](./aurora-resources-protected-by-backup-plan.html)
+ [autoscaling-capacity-rebalancing](./autoscaling-capacity-rebalancing.html)
+ [autoscaling-group-elb-healthcheck-required](./autoscaling-group-elb-healthcheck-required.html)
+ [autoscaling-launchconfig-requires-imdsv2](./autoscaling-launchconfig-requires-imdsv2.html)
+ [autoscaling-launch-config-hop-limit](./autoscaling-launch-config-hop-limit.html)
+ [autoscaling-launch-config-public-ip-disabled](./autoscaling-launch-config-public-ip-disabled.html)
+ [autoscaling-launch-template](./autoscaling-launch-template.html)
+ [autoscaling-multiple-az](./autoscaling-multiple-az.html)
+ [autoscaling-multiple-instance-types](./autoscaling-multiple-instance-types.html)
+ [backup-plan-min-frequency-and-min-retention-check](./backup-plan-min-frequency-and-min-retention-check.html)
+ [backup-recovery-point-encrypted](./backup-recovery-point-encrypted.html)
+ [backup-recovery-point-manual-deletion-disabled](./backup-recovery-point-manual-deletion-disabled.html)
+ [backup-recovery-point-minimum-retention-check](./backup-recovery-point-minimum-retention-check.html)
+ [batch-compute-environment-enabled](./batch-compute-environment-enabled.html)
+ [batch-compute-environment-managed](./batch-compute-environment-managed.html)
+ [batch-compute-environment-tagged](./batch-compute-environment-tagged.html)
+ [batch-job-queue-enabled](./batch-job-queue-enabled.html)
+ [batch-job-queue-tagged](./batch-job-queue-tagged.html)
+ [batch-managed-compute-environment-using-launch-template](./batch-managed-compute-environment-using-launch-template.html)
+ [batch-managed-compute-env-allocation-strategy-check](./batch-managed-compute-env-allocation-strategy-check.html)
+ [batch-managed-compute-env-compute-resources-tagged](./batch-managed-compute-env-compute-resources-tagged.html)
+ [batch-managed-spot-compute-environment-max-bid](./batch-managed-spot-compute-environment-max-bid.html)
+ [batch-scheduling-policy-tagged](./batch-scheduling-policy-tagged.html)
+ [beanstalk-enhanced-health-reporting-enabled](./beanstalk-enhanced-health-reporting-enabled.html)
+ [cassandra-keyspace-tagged](./cassandra-keyspace-tagged.html)
+ [clb-desync-mode-check](./clb-desync-mode-check.html)
+ [clb-multiple-az](./clb-multiple-az.html)
+ [cloudformation-stack-drift-detection-check](./cloudformation-stack-drift-detection-check.html)
+ [cloudformation-stack-notification-check](./cloudformation-stack-notification-check.html)
+ [cloudformation-stack-service-role-check](./cloudformation-stack-service-role-check.html)
+ [cloudformation-termination-protection-check](./cloudformation-termination-protection-check.html)
+ [cloudtrail-all-read-s3-data-event-check](./cloudtrail-all-read-s3-data-event-check.html)
+ [cloudtrail-all-write-s3-data-event-check](./cloudtrail-all-write-s3-data-event-check.html)
+ [cloudtrail-event-data-store-multi-region](./cloudtrail-event-data-store-multi-region.html)
+ [cloudtrail-s3-bucket-access-logging](./cloudtrail-s3-bucket-access-logging.html)
+ [cloudtrail-s3-bucket-public-access-prohibited](./cloudtrail-s3-bucket-public-access-prohibited.html)
+ [cloudtrail-s3-dataevents-enabled](./cloudtrail-s3-dataevents-enabled.html)
+ [cloudtrail-security-trail-enabled](./cloudtrail-security-trail-enabled.html)
+ [cloudwatch-alarm-action-check](./cloudwatch-alarm-action-check.html)
+ [cloudwatch-alarm-action-enabled-check](./cloudwatch-alarm-action-enabled-check.html)
+ [cloudwatch-alarm-description](./cloudwatch-alarm-description.html)
+ [cloudwatch-alarm-resource-check](./cloudwatch-alarm-resource-check.html)
+ [cloudwatch-alarm-settings-check](./cloudwatch-alarm-settings-check.html)
+ [cloudwatch-log-group-encrypted](./cloudwatch-log-group-encrypted.html)
+ [cloudwatch-metric-stream-tagged](./cloudwatch-metric-stream-tagged.html)
+ [cloud-trail-cloud-watch-logs-enabled](./cloud-trail-cloud-watch-logs-enabled.html)
+ [cloud-trail-enabled](./cloud-trail-enabled.html)
+ [cloud-trail-encryption-enabled](./cloud-trail-encryption-enabled.html)
+ [cloud-trail-log-file-validation-enabled](./cloud-trail-log-file-validation-enabled.html)
+ [cmk-backing-key-rotation-enabled](./cmk-backing-key-rotation-enabled.html)
+ [codebuild-project-artifact-encryption](./codebuild-project-artifact-encryption.html)
+ [codebuild-project-environment-privileged-check](./codebuild-project-environment-privileged-check.html)
+ [codebuild-project-envvar-awscred-check](./codebuild-project-envvar-awscred-check.html)
+ [codebuild-project-logging-enabled](./codebuild-project-logging-enabled.html)
+ [codebuild-project-s3-logs-encrypted](./codebuild-project-s3-logs-encrypted.html)
+ [codebuild-project-source-repo-url-check](./codebuild-project-source-repo-url-check.html)
+ [codebuild-project-tagged](./codebuild-project-tagged.html)
+ [codebuild-report-group-encrypted-at-rest](./codebuild-report-group-encrypted-at-rest.html)
+ [codebuild-report-group-tagged](./codebuild-report-group-tagged.html)
+ [codedeploy-auto-rollback-monitor-enabled](./codedeploy-auto-rollback-monitor-enabled.html)
+ [codedeploy-deployment-group-auto-rollback-enabled](./codedeploy-deployment-group-auto-rollback-enabled.html)
+ [codedeploy-deployment-group-outdated-instances-update](./codedeploy-deployment-group-outdated-instances-update.html)
+ [codedeploy-ec2-minimum-healthy-hosts-configured](./codedeploy-ec2-minimum-healthy-hosts-configured.html)
+ [codedeploy-lambda-allatonce-traffic-shift-disabled](./codedeploy-lambda-allatonce-traffic-shift-disabled.html)
+ [codepipeline-deployment-count-check](./codepipeline-deployment-count-check.html)
+ [codepipeline-region-fanout-check](./codepipeline-region-fanout-check.html)
+ [cognito-identity-pool-unauthenticated-logins](./cognito-identity-pool-unauthenticated-logins.html)
+ [cognito-identity-pool-unauth-access-check](./cognito-identity-pool-unauth-access-check.html)
+ [cognito-userpool-cust-auth-threat-full-check](./cognito-userpool-cust-auth-threat-full-check.html)
+ [cognito-user-pool-advanced-security-enabled](./cognito-user-pool-advanced-security-enabled.html)
+ [cognito-user-pool-deletion-protection-enabled](./cognito-user-pool-deletion-protection-enabled.html)
+ [cognito-user-pool-mfa-enabled](./cognito-user-pool-mfa-enabled.html)
+ [cognito-user-pool-password-policy-check](./cognito-user-pool-password-policy-check.html)
+ [cognito-user-pool-tagged](./cognito-user-pool-tagged.html)
+ [connect-instance-logging-enabled](./connect-instance-logging-enabled.html)
+ [customerprofiles-domain-tagged](./customerprofiles-domain-tagged.html)
+ [customerprofiles-object-type-allow-profile-creation](./customerprofiles-object-type-allow-profile-creation.html)
+ [customerprofiles-object-type-tagged](./customerprofiles-object-type-tagged.html)
+ [custom-eventbus-policy-attached](./custom-eventbus-policy-attached.html)
+ [custom-schema-registry-policy-attached](./custom-schema-registry-policy-attached.html)
+ [cw-loggroup-retention-period-check](./cw-loggroup-retention-period-check.html)
+ [datasync-location-object-storage-using-https](./datasync-location-object-storage-using-https.html)
+ [datasync-task-data-verification-enabled](./datasync-task-data-verification-enabled.html)
+ [datasync-task-logging-enabled](./datasync-task-logging-enabled.html)
+ [datasync-task-tagged](./datasync-task-tagged.html)
+ [db-instance-backup-enabled](./db-instance-backup-enabled.html)
+ [desired-instance-tenancy](./desired-instance-tenancy.html)
+ [desired-instance-type](./desired-instance-type.html)
+ [dms-auto-minor-version-upgrade-check](./dms-auto-minor-version-upgrade-check.html)
+ [dms-endpoint-ssl-configured](./dms-endpoint-ssl-configured.html)
+ [dms-endpoint-tagged](./dms-endpoint-tagged.html)
+ [dms-mongo-db-authentication-enabled](./dms-mongo-db-authentication-enabled.html)
+ [dms-neptune-iam-authorization-enabled](./dms-neptune-iam-authorization-enabled.html)
+ [dms-redis-tls-enabled](./dms-redis-tls-enabled.html)
+ [dms-replication-instance-multi-az-enabled](./dms-replication-instance-multi-az-enabled.html)
+ [dms-replication-not-public](./dms-replication-not-public.html)
+ [dms-replication-task-sourcedb-logging](./dms-replication-task-sourcedb-logging.html)
+ [dms-replication-task-tagged](./dms-replication-task-tagged.html)
+ [dms-replication-task-targetdb-logging](./dms-replication-task-targetdb-logging.html)
+ [docdb-cluster-audit-logging-enabled](./docdb-cluster-audit-logging-enabled.html)
+ [docdb-cluster-backup-retention-check](./docdb-cluster-backup-retention-check.html)
+ [docdb-cluster-deletion-protection-enabled](./docdb-cluster-deletion-protection-enabled.html)
+ [docdb-cluster-encrypted](./docdb-cluster-encrypted.html)
+ [docdb-cluster-encrypted-in-transit](./docdb-cluster-encrypted-in-transit.html)
+ [docdb-cluster-snapshot-public-prohibited](./docdb-cluster-snapshot-public-prohibited.html)
+ [dynamodb-autoscaling-enabled](./dynamodb-autoscaling-enabled.html)
+ [dynamodb-in-backup-plan](./dynamodb-in-backup-plan.html)
+ [dynamodb-last-backup-recovery-point-created](./dynamodb-last-backup-recovery-point-created.html)
+ [dynamodb-meets-restore-time-target](./dynamodb-meets-restore-time-target.html)
+ [dynamodb-pitr-enabled](./dynamodb-pitr-enabled.html)
+ [dynamodb-resources-protected-by-backup-plan](./dynamodb-resources-protected-by-backup-plan.html)
+ [dynamodb-table-deletion-protection-enabled](./dynamodb-table-deletion-protection-enabled.html)
+ [dynamodb-table-encrypted-kms](./dynamodb-table-encrypted-kms.html)
+ [dynamodb-table-encryption-enabled](./dynamodb-table-encryption-enabled.html)
+ [dynamodb-throughput-limit-check](./dynamodb-throughput-limit-check.html)
+ [ebs-in-backup-plan](./ebs-in-backup-plan.html)
+ [ebs-last-backup-recovery-point-created](./ebs-last-backup-recovery-point-created.html)
+ [ebs-meets-restore-time-target](./ebs-meets-restore-time-target.html)
+ [ebs-optimized-instance](./ebs-optimized-instance.html)
+ [ebs-resources-in-logically-air-gapped-vault](./ebs-resources-in-logically-air-gapped-vault.html)
+ [ebs-resources-protected-by-backup-plan](./ebs-resources-protected-by-backup-plan.html)
+ [ebs-snapshot-block-public-access](./ebs-snapshot-block-public-access.html)
+ [ebs-snapshot-public-restorable-check](./ebs-snapshot-public-restorable-check.html)
+ [ec2-capacity-reservation-tagged](./ec2-capacity-reservation-tagged.html)
+ [ec2-carrier-gateway-tagged](./ec2-carrier-gateway-tagged.html)
+ [ec2-client-vpn-connection-log-enabled](./ec2-client-vpn-connection-log-enabled.html)
+ [ec2-client-vpn-endpoint-tagged](./ec2-client-vpn-endpoint-tagged.html)
+ [ec2-client-vpn-not-authorize-all](./ec2-client-vpn-not-authorize-all.html)
+ [ec2-dhcp-options-tagged](./ec2-dhcp-options-tagged.html)
+ [ec2-ebs-encryption-by-default](./ec2-ebs-encryption-by-default.html)
+ [ec2-enis-source-destination-check-enabled](./ec2-enis-source-destination-check-enabled.html)
+ [ec2-fleet-tagged](./ec2-fleet-tagged.html)
+ [ec2-imdsv2-check](./ec2-imdsv2-check.html)
+ [ec2-instance-detailed-monitoring-enabled](./ec2-instance-detailed-monitoring-enabled.html)
+ [ec2-instance-launched-with-allowed-ami](./ec2-instance-launched-with-allowed-ami.html)
+ [ec2-instance-managed-by-ssm](./ec2-instance-managed-by-ssm.html)
+ [ec2-instance-multiple-eni-check](./ec2-instance-multiple-eni-check.html)
+ [ec2-instance-no-public-ip](./ec2-instance-no-public-ip.html)
+ [ec2-instance-profile-attached](./ec2-instance-profile-attached.html)
+ [ec2-ipamscope-tagged](./ec2-ipamscope-tagged.html)
+ [ec2-last-backup-recovery-point-created](./ec2-last-backup-recovery-point-created.html)
+ [ec2-launchtemplate-ebs-encrypted](./ec2-launchtemplate-ebs-encrypted.html)
+ [ec2-launch-templates-ebs-volume-encrypted](./ec2-launch-templates-ebs-volume-encrypted.html)
+ [ec2-launch-template-imdsv2-check](./ec2-launch-template-imdsv2-check.html)
+ [ec2-launch-template-public-ip-disabled](./ec2-launch-template-public-ip-disabled.html)
+ [ec2-launch-template-tagged](./ec2-launch-template-tagged.html)
+ [ec2-managedinstance-applications-blacklisted](./ec2-managedinstance-applications-blacklisted.html)
+ [ec2-managedinstance-applications-required](./ec2-managedinstance-applications-required.html)
+ [ec2-managedinstance-association-compliance-status-check](./ec2-managedinstance-association-compliance-status-check.html)
+ [ec2-managedinstance-inventory-blacklisted](./ec2-managedinstance-inventory-blacklisted.html)
+ [ec2-managedinstance-patch-compliance-status-check](./ec2-managedinstance-patch-compliance-status-check.html)
+ [ec2-managedinstance-platform-check](./ec2-managedinstance-platform-check.html)
+ [ec2-meets-restore-time-target](./ec2-meets-restore-time-target.html)
+ [ec2-network-insights-access-scope-analysis-tagged](./ec2-network-insights-access-scope-analysis-tagged.html)
+ [ec2-network-insights-access-scope-tagged](./ec2-network-insights-access-scope-tagged.html)
+ [ec2-network-insights-analysis-tagged](./ec2-network-insights-analysis-tagged.html)
+ [ec2-network-insights-path-tagged](./ec2-network-insights-path-tagged.html)
+ [ec2-no-amazon-key-pair](./ec2-no-amazon-key-pair.html)
+ [ec2-prefix-list-tagged](./ec2-prefix-list-tagged.html)
+ [ec2-resources-in-logically-air-gapped-vault](./ec2-resources-in-logically-air-gapped-vault.html)
+ [ec2-resources-protected-by-backup-plan](./ec2-resources-protected-by-backup-plan.html)
+ [ec2-security-group-attached-to-eni](./ec2-security-group-attached-to-eni.html)
+ [ec2-security-group-attached-to-eni-periodic](./ec2-security-group-attached-to-eni-periodic.html)
+ [ec2-spot-fleet-request-ct-encryption-at-rest](./ec2-spot-fleet-request-ct-encryption-at-rest.html)
+ [ec2-stopped-instance](./ec2-stopped-instance.html)
+ [ec2-token-hop-limit-check](./ec2-token-hop-limit-check.html)
+ [ec2-traffic-mirror-filter-description](./ec2-traffic-mirror-filter-description.html)
+ [ec2-traffic-mirror-filter-tagged](./ec2-traffic-mirror-filter-tagged.html)
+ [ec2-traffic-mirror-session-description](./ec2-traffic-mirror-session-description.html)
+ [ec2-traffic-mirror-session-tagged](./ec2-traffic-mirror-session-tagged.html)
+ [ec2-traffic-mirror-target-description](./ec2-traffic-mirror-target-description.html)
+ [ec2-traffic-mirror-target-tagged](./ec2-traffic-mirror-target-tagged.html)
+ [ec2-transit-gateway-auto-vpc-attach-disabled](./ec2-transit-gateway-auto-vpc-attach-disabled.html)
+ [ec2-transit-gateway-multicast-domain-tagged](./ec2-transit-gateway-multicast-domain-tagged.html)
+ [ec2-volume-inuse-check](./ec2-volume-inuse-check.html)
+ [ec2-vpn-connection-ike-version-check](./ec2-vpn-connection-ike-version-check.html)
+ [ec2-vpn-connection-logging-enabled](./ec2-vpn-connection-logging-enabled.html)
+ [ec2-vpn-connection-tagged](./ec2-vpn-connection-tagged.html)
+ [ecr-private-image-scanning-enabled](./ecr-private-image-scanning-enabled.html)
+ [ecr-private-lifecycle-policy-configured](./ecr-private-lifecycle-policy-configured.html)
+ [ecr-private-tag-immutability-enabled](./ecr-private-tag-immutability-enabled.html)
+ [ecr-repository-cmk-encryption-enabled](./ecr-repository-cmk-encryption-enabled.html)
+ [ecr-repository-tagged](./ecr-repository-tagged.html)
+ [ecs-awsvpc-networking-enabled](./ecs-awsvpc-networking-enabled.html)
+ [ecs-capacity-provider-tagged](./ecs-capacity-provider-tagged.html)
+ [ecs-capacity-provider-termination-check](./ecs-capacity-provider-termination-check.html)
+ [ecs-containers-nonprivileged](./ecs-containers-nonprivileged.html)
+ [ecs-containers-readonly-access](./ecs-containers-readonly-access.html)
+ [ecs-container-insights-enabled](./ecs-container-insights-enabled.html)
+ [ecs-fargate-latest-platform-version](./ecs-fargate-latest-platform-version.html)
+ [ecs-no-environment-secrets](./ecs-no-environment-secrets.html)
+ [ecs-service-propagate-tags-enabled](./ecs-service-propagate-tags-enabled.html)
+ [ecs-task-definition-efs-encryption-enabled](./ecs-task-definition-efs-encryption-enabled.html)
+ [ecs-task-definition-linux-user-non-root](./ecs-task-definition-linux-user-non-root.html)
+ [ecs-task-definition-log-configuration](./ecs-task-definition-log-configuration.html)
+ [ecs-task-definition-memory-hard-limit](./ecs-task-definition-memory-hard-limit.html)
+ [ecs-task-definition-network-mode-not-host](./ecs-task-definition-network-mode-not-host.html)
+ [ecs-task-definition-nonroot-user](./ecs-task-definition-nonroot-user.html)
+ [ecs-task-definition-pid-mode-check](./ecs-task-definition-pid-mode-check.html)
+ [ecs-task-definition-user-for-host-mode-check](./ecs-task-definition-user-for-host-mode-check.html)
+ [ecs-task-definition-windows-user-non-admin](./ecs-task-definition-windows-user-non-admin.html)
+ [efs-access-point-enforce-root-directory](./efs-access-point-enforce-root-directory.html)
+ [efs-access-point-enforce-user-identity](./efs-access-point-enforce-user-identity.html)
+ [efs-automatic-backups-enabled](./efs-automatic-backups-enabled.html)
+ [efs-encrypted-check](./efs-encrypted-check.html)
+ [efs-filesystem-ct-encrypted](./efs-filesystem-ct-encrypted.html)
+ [efs-file-system-tagged](./efs-file-system-tagged.html)
+ [efs-in-backup-plan](./efs-in-backup-plan.html)
+ [efs-last-backup-recovery-point-created](./efs-last-backup-recovery-point-created.html)
+ [efs-meets-restore-time-target](./efs-meets-restore-time-target.html)
+ [efs-mount-target-public-accessible](./efs-mount-target-public-accessible.html)
+ [efs-resources-in-logically-air-gapped-vault](./efs-resources-in-logically-air-gapped-vault.html)
+ [efs-resources-protected-by-backup-plan](./efs-resources-protected-by-backup-plan.html)
+ [eip-attached](./eip-attached.html)
+ [eks-addon-tagged](./eks-addon-tagged.html)
+ [eks-cluster-logging-enabled](./eks-cluster-logging-enabled.html)
+ [eks-cluster-log-enabled](./eks-cluster-log-enabled.html)
+ [eks-cluster-oldest-supported-version](./eks-cluster-oldest-supported-version.html)
+ [eks-cluster-secrets-encrypted](./eks-cluster-secrets-encrypted.html)
+ [eks-cluster-supported-version](./eks-cluster-supported-version.html)
+ [eks-endpoint-no-public-access](./eks-endpoint-no-public-access.html)
+ [eks-fargate-profile-tagged](./eks-fargate-profile-tagged.html)
+ [eks-nodegroup-supported-version-check](./eks-nodegroup-supported-version-check.html)
+ [eks-secrets-encrypted](./eks-secrets-encrypted.html)
+ [elasticache-automatic-backup-check-enabled](./elasticache-automatic-backup-check-enabled.html)
+ [elasticache-auto-minor-version-upgrade-check](./elasticache-auto-minor-version-upgrade-check.html)
+ [elasticache-rbac-auth-enabled](./elasticache-rbac-auth-enabled.html)
+ [elasticache-redis-cluster-automatic-backup-check](./elasticache-redis-cluster-automatic-backup-check.html)
+ [elasticache-repl-grp-auto-failover-enabled](./elasticache-repl-grp-auto-failover-enabled.html)
+ [elasticache-repl-grp-encrypted-at-rest](./elasticache-repl-grp-encrypted-at-rest.html)
+ [elasticache-repl-grp-encrypted-in-transit](./elasticache-repl-grp-encrypted-in-transit.html)
+ [elasticache-repl-grp-redis-auth-enabled](./elasticache-repl-grp-redis-auth-enabled.html)
+ [elasticache-subnet-group-check](./elasticache-subnet-group-check.html)
+ [elasticache-supported-engine-version](./elasticache-supported-engine-version.html)
+ [elasticbeanstalk-application-description](./elasticbeanstalk-application-description.html)
+ [elasticbeanstalk-application-version-description](./elasticbeanstalk-application-version-description.html)
+ [elasticbeanstalk-environment-description](./elasticbeanstalk-environment-description.html)
+ [elasticsearch-encrypted-at-rest](./elasticsearch-encrypted-at-rest.html)
+ [elasticsearch-in-vpc-only](./elasticsearch-in-vpc-only.html)
+ [elasticsearch-logs-to-cloudwatch](./elasticsearch-logs-to-cloudwatch.html)
+ [elasticsearch-node-to-node-encryption-check](./elasticsearch-node-to-node-encryption-check.html)
+ [elastic-beanstalk-logs-to-cloudwatch](./elastic-beanstalk-logs-to-cloudwatch.html)
+ [elastic-beanstalk-managed-updates-enabled](./elastic-beanstalk-managed-updates-enabled.html)
+ [elbv2-acm-certificate-required](./elbv2-acm-certificate-required.html)
+ [elbv2-listener-encryption-in-transit](./elbv2-listener-encryption-in-transit.html)
+ [elbv2-multiple-az](./elbv2-multiple-az.html)
+ [elbv2-predefined-security-policy-ssl-check](./elbv2-predefined-security-policy-ssl-check.html)
+ [elbv2-targetgroup-healthcheck-protocol-encrypted](./elbv2-targetgroup-healthcheck-protocol-encrypted.html)
+ [elbv2-targetgroup-protocol-encrypted](./elbv2-targetgroup-protocol-encrypted.html)
+ [elb-acm-certificate-required](./elb-acm-certificate-required.html)
+ [elb-cross-zone-load-balancing-enabled](./elb-cross-zone-load-balancing-enabled.html)
+ [elb-custom-security-policy-ssl-check](./elb-custom-security-policy-ssl-check.html)
+ [elb-deletion-protection-enabled](./elb-deletion-protection-enabled.html)
+ [elb-internal-scheme-check](./elb-internal-scheme-check.html)
+ [elb-logging-enabled](./elb-logging-enabled.html)
+ [elb-predefined-security-policy-ssl-check](./elb-predefined-security-policy-ssl-check.html)
+ [elb-tagged](./elb-tagged.html)
+ [elb-tls-https-listeners-only](./elb-tls-https-listeners-only.html)
+ [emr-block-public-access](./emr-block-public-access.html)
+ [emr-kerberos-enabled](./emr-kerberos-enabled.html)
+ [emr-master-no-public-ip](./emr-master-no-public-ip.html)
+ [emr-security-configuration-encryption-rest](./emr-security-configuration-encryption-rest.html)
+ [emr-security-configuration-encryption-transit](./emr-security-configuration-encryption-transit.html)
+ [encrypted-volumes](./encrypted-volumes.html)
+ [eventschemas-discoverer-tagged](./eventschemas-discoverer-tagged.html)
+ [eventschemas-registry-tagged](./eventschemas-registry-tagged.html)
+ [event-data-store-cmk-encryption-enabled](./event-data-store-cmk-encryption-enabled.html)
+ [fis-experiment-template-log-configuration-exists](./fis-experiment-template-log-configuration-exists.html)
+ [fis-experiment-template-tagged](./fis-experiment-template-tagged.html)
+ [fms-shield-resource-policy-check](./fms-shield-resource-policy-check.html)
+ [fms-webacl-resource-policy-check](./fms-webacl-resource-policy-check.html)
+ [fms-webacl-rulegroup-association-check](./fms-webacl-rulegroup-association-check.html)
+ [fsx-last-backup-recovery-point-created](./fsx-last-backup-recovery-point-created.html)
+ [fsx-lustre-copy-tags-to-backups](./fsx-lustre-copy-tags-to-backups.html)
+ [fsx-meets-restore-time-target](./fsx-meets-restore-time-target.html)
+ [fsx-ontap-deployment-type-check](./fsx-ontap-deployment-type-check.html)
+ [fsx-openzfs-copy-tags-enabled](./fsx-openzfs-copy-tags-enabled.html)
+ [fsx-openzfs-deployment-type-check](./fsx-openzfs-deployment-type-check.html)
+ [fsx-resources-protected-by-backup-plan](./fsx-resources-protected-by-backup-plan.html)
+ [fsx-windows-audit-log-configured](./fsx-windows-audit-log-configured.html)
+ [fsx-windows-deployment-type-check](./fsx-windows-deployment-type-check.html)
+ [glb-listener-tagged](./glb-listener-tagged.html)
+ [glb-tagged](./glb-tagged.html)
+ [global-endpoint-event-replication-enabled](./global-endpoint-event-replication-enabled.html)
+ [glue-job-logging-enabled](./glue-job-logging-enabled.html)
+ [glue-ml-transform-encrypted-at-rest](./glue-ml-transform-encrypted-at-rest.html)
+ [glue-ml-transform-tagged](./glue-ml-transform-tagged.html)
+ [glue-spark-job-supported-version](./glue-spark-job-supported-version.html)
+ [guardduty-ec2-protection-runtime-enabled](./guardduty-ec2-protection-runtime-enabled.html)
+ [guardduty-ecs-protection-runtime-enabled](./guardduty-ecs-protection-runtime-enabled.html)
+ [guardduty-eks-protection-audit-enabled](./guardduty-eks-protection-audit-enabled.html)
+ [guardduty-eks-protection-runtime-enabled](./guardduty-eks-protection-runtime-enabled.html)
+ [guardduty-enabled-centralized](./guardduty-enabled-centralized.html)
+ [guardduty-lambda-protection-enabled](./guardduty-lambda-protection-enabled.html)
+ [guardduty-malware-protection-enabled](./guardduty-malware-protection-enabled.html)
+ [guardduty-non-archived-findings](./guardduty-non-archived-findings.html)
+ [guardduty-rds-protection-enabled](./guardduty-rds-protection-enabled.html)
+ [guardduty-runtime-monitoring-enabled](./guardduty-runtime-monitoring-enabled.html)
+ [guardduty-s3-protection-enabled](./guardduty-s3-protection-enabled.html)
+ [iam-customer-policy-blocked-kms-actions](./iam-customer-policy-blocked-kms-actions.html)
+ [iam-external-access-analyzer-enabled](./iam-external-access-analyzer-enabled.html)
+ [iam-group-has-users-check](./iam-group-has-users-check.html)
+ [iam-inline-policy-blocked-kms-actions](./iam-inline-policy-blocked-kms-actions.html)
+ [iam-no-inline-policy-check](./iam-no-inline-policy-check.html)
+ [iam-password-policy](./iam-password-policy.html)
+ [iam-policy-blacklisted-check](./iam-policy-blacklisted-check.html)
+ [iam-policy-description](./iam-policy-description.html)
+ [iam-policy-in-use](./iam-policy-in-use.html)
+ [iam-policy-no-statements-with-admin-access](./iam-policy-no-statements-with-admin-access.html)
+ [iam-policy-no-statements-with-full-access](./iam-policy-no-statements-with-full-access.html)
+ [iam-role-managed-policy-check](./iam-role-managed-policy-check.html)
+ [iam-root-access-key-check](./iam-root-access-key-check.html)
+ [iam-user-group-membership-check](./iam-user-group-membership-check.html)
+ [iam-user-mfa-enabled](./iam-user-mfa-enabled.html)
+ [iam-user-no-policies-check](./iam-user-no-policies-check.html)
+ [iam-user-unused-credentials-check](./iam-user-unused-credentials-check.html)
+ [imagebuilder-distributionconfiguration-tagged](./imagebuilder-distributionconfiguration-tagged.html)
+ [imagebuilder-imagepipeline-tagged](./imagebuilder-imagepipeline-tagged.html)
+ [imagebuilder-imagerecipe-ebs-volumes-encrypted](./imagebuilder-imagerecipe-ebs-volumes-encrypted.html)
+ [imagebuilder-imagerecipe-tagged](./imagebuilder-imagerecipe-tagged.html)
+ [imagebuilder-infrastructureconfiguration-tagged](./imagebuilder-infrastructureconfiguration-tagged.html)
+ [incoming-ssh-disabled](./incoming-ssh-disabled.html)
+ [inspector-ec2-scan-enabled](./inspector-ec2-scan-enabled.html)
+ [inspector-ecr-scan-enabled](./inspector-ecr-scan-enabled.html)
+ [inspector-lambda-standard-scan-enabled](./inspector-lambda-standard-scan-enabled.html)
+ [instances-in-vpc](./instances-in-vpc.html)
+ [internet-gateway-authorized-vpc-only](./internet-gateway-authorized-vpc-only.html)
+ [iotdevicedefender-custom-metric-tagged](./iotdevicedefender-custom-metric-tagged.html)
+ [iotevents-alarm-model-tagged](./iotevents-alarm-model-tagged.html)
+ [iotevents-detector-model-tagged](./iotevents-detector-model-tagged.html)
+ [iotevents-input-tagged](./iotevents-input-tagged.html)
+ [iotsitewise-asset-model-tagged](./iotsitewise-asset-model-tagged.html)
+ [iotsitewise-dashboard-tagged](./iotsitewise-dashboard-tagged.html)
+ [iotsitewise-gateway-tagged](./iotsitewise-gateway-tagged.html)
+ [iotsitewise-portal-tagged](./iotsitewise-portal-tagged.html)
+ [iotsitewise-project-tagged](./iotsitewise-project-tagged.html)
+ [iot-authorizer-token-signing-enabled](./iot-authorizer-token-signing-enabled.html)
+ [iot-job-template-tagged](./iot-job-template-tagged.html)
+ [iot-provisioning-template-description](./iot-provisioning-template-description.html)
+ [iot-provisioning-template-jitp](./iot-provisioning-template-jitp.html)
+ [iot-provisioning-template-tagged](./iot-provisioning-template-tagged.html)
+ [iot-scheduled-audit-tagged](./iot-scheduled-audit-tagged.html)
+ [kendra-index-tagged](./kendra-index-tagged.html)
+ [kinesisvideo-signalingchannel-tagged](./kinesisvideo-signalingchannel-tagged.html)
+ [kinesisvideo-stream-tagged](./kinesisvideo-stream-tagged.html)
+ [kinesis-firehose-delivery-stream-encrypted](./kinesis-firehose-delivery-stream-encrypted.html)
+ [kinesis-stream-backup-retention-check](./kinesis-stream-backup-retention-check.html)
+ [kinesis-stream-encrypted](./kinesis-stream-encrypted.html)
+ [kinesis-video-stream-minimum-data-retention](./kinesis-video-stream-minimum-data-retention.html)
+ [kms-cmk-not-scheduled-for-deletion](./kms-cmk-not-scheduled-for-deletion.html)
+ [kms-key-policy-no-public-access](./kms-key-policy-no-public-access.html)
+ [kms-key-tagged](./kms-key-tagged.html)
+ [lambda-concurrency-check](./lambda-concurrency-check.html)
+ [lambda-dlq-check](./lambda-dlq-check.html)
+ [lambda-function-application-log-level-check](./lambda-function-application-log-level-check.html)
+ [lambda-function-description](./lambda-function-description.html)
+ [lambda-function-log-format-json](./lambda-function-log-format-json.html)
+ [lambda-function-public-access-prohibited](./lambda-function-public-access-prohibited.html)
+ [lambda-function-settings-check](./lambda-function-settings-check.html)
+ [lambda-function-system-log-level-check](./lambda-function-system-log-level-check.html)
+ [lambda-function-xray-enabled](./lambda-function-xray-enabled.html)
+ [lambda-inside-vpc](./lambda-inside-vpc.html)
+ [lambda-vpc-multi-az-check](./lambda-vpc-multi-az-check.html)
+ [lightsail-bucket-allow-public-overrides-disabled](./lightsail-bucket-allow-public-overrides-disabled.html)
+ [lightsail-bucket-object-versioning-enabled](./lightsail-bucket-object-versioning-enabled.html)
+ [lightsail-bucket-tagged](./lightsail-bucket-tagged.html)
+ [lightsail-certificate-tagged](./lightsail-certificate-tagged.html)
+ [lightsail-disk-tagged](./lightsail-disk-tagged.html)
+ [macie-auto-sensitive-data-discovery-check](./macie-auto-sensitive-data-discovery-check.html)
+ [macie-status-check](./macie-status-check.html)
+ [mariadb-publish-logs-to-cloudwatch-logs](./mariadb-publish-logs-to-cloudwatch-logs.html)
+ [mediapackage-packagingconfiguration-tagged](./mediapackage-packagingconfiguration-tagged.html)
+ [mediatailor-playbackconfiguration-tagged](./mediatailor-playbackconfiguration-tagged.html)
+ [memorydb-subnetgroup-tagged](./memorydb-subnetgroup-tagged.html)
+ [mfa-enabled-for-iam-console-access](./mfa-enabled-for-iam-console-access.html)
+ [mq-active-broker-ldap-authentication](./mq-active-broker-ldap-authentication.html)
+ [mq-active-deployment-mode](./mq-active-deployment-mode.html)
+ [mq-active-single-instance-broker-storage-type-efs](./mq-active-single-instance-broker-storage-type-efs.html)
+ [mq-automatic-minor-version-upgrade-enabled](./mq-automatic-minor-version-upgrade-enabled.html)
+ [mq-auto-minor-version-upgrade-enabled](./mq-auto-minor-version-upgrade-enabled.html)
+ [mq-broker-general-logging-enabled](./mq-broker-general-logging-enabled.html)
+ [mq-cloudwatch-audit-logging-enabled](./mq-cloudwatch-audit-logging-enabled.html)
+ [mq-cloudwatch-audit-log-enabled](./mq-cloudwatch-audit-log-enabled.html)
+ [mq-no-public-access](./mq-no-public-access.html)
+ [mq-rabbit-deployment-mode](./mq-rabbit-deployment-mode.html)
+ [msk-cluster-public-access-disabled](./msk-cluster-public-access-disabled.html)
+ [msk-cluster-tagged](./msk-cluster-tagged.html)
+ [msk-connect-connector-logging-enabled](./msk-connect-connector-logging-enabled.html)
+ [msk-enhanced-monitoring-enabled](./msk-enhanced-monitoring-enabled.html)
+ [msk-in-cluster-node-require-tls](./msk-in-cluster-node-require-tls.html)
+ [msk-unrestricted-access-check](./msk-unrestricted-access-check.html)
+ [multi-region-cloud-trail-enabled](./multi-region-cloud-trail-enabled.html)
+ [nacl-no-unrestricted-ssh-rdp](./nacl-no-unrestricted-ssh-rdp.html)
+ [neptune-cluster-backup-retention-check](./neptune-cluster-backup-retention-check.html)
+ [neptune-cluster-cloudwatch-log-export-enabled](./neptune-cluster-cloudwatch-log-export-enabled.html)
+ [neptune-cluster-copy-tags-to-snapshot-enabled](./neptune-cluster-copy-tags-to-snapshot-enabled.html)
+ [neptune-cluster-deletion-protection-enabled](./neptune-cluster-deletion-protection-enabled.html)
+ [neptune-cluster-encrypted](./neptune-cluster-encrypted.html)
+ [neptune-cluster-iam-database-authentication](./neptune-cluster-iam-database-authentication.html)
+ [neptune-cluster-multi-az-enabled](./neptune-cluster-multi-az-enabled.html)
+ [neptune-cluster-snapshot-encrypted](./neptune-cluster-snapshot-encrypted.html)
+ [neptune-cluster-snapshot-iam-database-auth-enabled](./neptune-cluster-snapshot-iam-database-auth-enabled.html)
+ [neptune-cluster-snapshot-public-prohibited](./neptune-cluster-snapshot-public-prohibited.html)
+ [netfw-deletion-protection-enabled](./netfw-deletion-protection-enabled.html)
+ [netfw-logging-enabled](./netfw-logging-enabled.html)
+ [netfw-multi-az-enabled](./netfw-multi-az-enabled.html)
+ [netfw-policy-default-action-fragment-packets](./netfw-policy-default-action-fragment-packets.html)
+ [netfw-policy-default-action-full-packets](./netfw-policy-default-action-full-packets.html)
+ [netfw-policy-rule-group-associated](./netfw-policy-rule-group-associated.html)
+ [netfw-stateless-rule-group-not-empty](./netfw-stateless-rule-group-not-empty.html)
+ [netfw-subnet-change-protection-enabled](./netfw-subnet-change-protection-enabled.html)
+ [nlb-cross-zone-load-balancing-enabled](./nlb-cross-zone-load-balancing-enabled.html)
+ [nlb-internal-scheme-check](./nlb-internal-scheme-check.html)
+ [nlb-listener-tagged](./nlb-listener-tagged.html)
+ [nlb-logging-enabled](./nlb-logging-enabled.html)
+ [nlb-tagged](./nlb-tagged.html)
+ [no-unrestricted-route-to-igw](./no-unrestricted-route-to-igw.html)
+ [opensearchserverless-collection-description](./opensearchserverless-collection-description.html)
+ [opensearchserverless-collection-standbyreplicas-enabled](./opensearchserverless-collection-standbyreplicas-enabled.html)
+ [opensearch-access-control-enabled](./opensearch-access-control-enabled.html)
+ [opensearch-audit-logging-enabled](./opensearch-audit-logging-enabled.html)
+ [opensearch-data-node-fault-tolerance](./opensearch-data-node-fault-tolerance.html)
+ [opensearch-encrypted-at-rest](./opensearch-encrypted-at-rest.html)
+ [opensearch-https-required](./opensearch-https-required.html)
+ [opensearch-in-vpc-only](./opensearch-in-vpc-only.html)
+ [opensearch-logs-to-cloudwatch](./opensearch-logs-to-cloudwatch.html)
+ [opensearch-node-to-node-encryption-check](./opensearch-node-to-node-encryption-check.html)
+ [opensearch-primary-node-fault-tolerance](./opensearch-primary-node-fault-tolerance.html)
+ [opensearch-update-check](./opensearch-update-check.html)
+ [panorama-package-tagged](./panorama-package-tagged.html)
+ [rabbit-mq-supported-version](./rabbit-mq-supported-version.html)
+ [rds-aurora-mysql-audit-logging-enabled](./rds-aurora-mysql-audit-logging-enabled.html)
+ [rds-aurora-postgresql-logs-to-cloudwatch](./rds-aurora-postgresql-logs-to-cloudwatch.html)
+ [rds-automatic-minor-version-upgrade-enabled](./rds-automatic-minor-version-upgrade-enabled.html)
+ [rds-cluster-auto-minor-version-upgrade-enable](./rds-cluster-auto-minor-version-upgrade-enable.html)
+ [rds-cluster-backup-retention-check](./rds-cluster-backup-retention-check.html)
+ [rds-cluster-default-admin-check](./rds-cluster-default-admin-check.html)
+ [rds-cluster-deletion-protection-enabled](./rds-cluster-deletion-protection-enabled.html)
+ [rds-cluster-encrypted-at-rest](./rds-cluster-encrypted-at-rest.html)
+ [rds-cluster-iam-authentication-enabled](./rds-cluster-iam-authentication-enabled.html)
+ [rds-cluster-multi-az-enabled](./rds-cluster-multi-az-enabled.html)
+ [rds-enhanced-monitoring-enabled](./rds-enhanced-monitoring-enabled.html)
+ [rds-event-subscription-tagged](./rds-event-subscription-tagged.html)
+ [rds-global-cluster-aurora-mysql-supported-version](./rds-global-cluster-aurora-mysql-supported-version.html)
+ [rds-instance-default-admin-check](./rds-instance-default-admin-check.html)
+ [rds-instance-deletion-protection-enabled](./rds-instance-deletion-protection-enabled.html)
+ [rds-instance-iam-authentication-enabled](./rds-instance-iam-authentication-enabled.html)
+ [rds-instance-public-access-check](./rds-instance-public-access-check.html)
+ [rds-instance-subnet-igw-check](./rds-instance-subnet-igw-check.html)
+ [rds-in-backup-plan](./rds-in-backup-plan.html)
+ [rds-last-backup-recovery-point-created](./rds-last-backup-recovery-point-created.html)
+ [rds-logging-enabled](./rds-logging-enabled.html)
+ [rds-mariadb-instance-encrypted-in-transit](./rds-mariadb-instance-encrypted-in-transit.html)
+ [rds-meets-restore-time-target](./rds-meets-restore-time-target.html)
+ [rds-multi-az-support](./rds-multi-az-support.html)
+ [rds-mysql-cluster-copy-tags-to-snapshot-check](./rds-mysql-cluster-copy-tags-to-snapshot-check.html)
+ [rds-mysql-instance-encrypted-in-transit](./rds-mysql-instance-encrypted-in-transit.html)
+ [rds-option-group-tagged](./rds-option-group-tagged.html)
+ [rds-pgsql-cluster-copy-tags-to-snapshot-check](./rds-pgsql-cluster-copy-tags-to-snapshot-check.html)
+ [rds-postgresql-logs-to-cloudwatch](./rds-postgresql-logs-to-cloudwatch.html)
+ [rds-postgres-instance-encrypted-in-transit](./rds-postgres-instance-encrypted-in-transit.html)
+ [rds-proxy-tls-encryption](./rds-proxy-tls-encryption.html)
+ [rds-resources-protected-by-backup-plan](./rds-resources-protected-by-backup-plan.html)
+ [rds-snapshots-public-prohibited](./rds-snapshots-public-prohibited.html)
+ [rds-snapshot-encrypted](./rds-snapshot-encrypted.html)
+ [rds-sqlserver-encrypted-in-transit](./rds-sqlserver-encrypted-in-transit.html)
+ [rds-sql-server-logs-to-cloudwatch](./rds-sql-server-logs-to-cloudwatch.html)
+ [rds-storage-encrypted](./rds-storage-encrypted.html)
+ [redshift-audit-logging-enabled](./redshift-audit-logging-enabled.html)
+ [redshift-backup-enabled](./redshift-backup-enabled.html)
+ [redshift-cluster-configuration-check](./redshift-cluster-configuration-check.html)
+ [redshift-cluster-kms-enabled](./redshift-cluster-kms-enabled.html)
+ [redshift-cluster-maintenancesettings-check](./redshift-cluster-maintenancesettings-check.html)
+ [redshift-cluster-multi-az-enabled](./redshift-cluster-multi-az-enabled.html)
+ [redshift-cluster-parameter-group-tagged](./redshift-cluster-parameter-group-tagged.html)
+ [redshift-cluster-public-access-check](./redshift-cluster-public-access-check.html)
+ [redshift-cluster-subnet-group-multi-az](./redshift-cluster-subnet-group-multi-az.html)
+ [redshift-default-admin-check](./redshift-default-admin-check.html)
+ [redshift-default-db-name-check](./redshift-default-db-name-check.html)
+ [redshift-enhanced-vpc-routing-enabled](./redshift-enhanced-vpc-routing-enabled.html)
+ [redshift-require-tls-ssl](./redshift-require-tls-ssl.html)
+ [redshift-serverless-default-admin-check](./redshift-serverless-default-admin-check.html)
+ [redshift-serverless-default-db-name-check](./redshift-serverless-default-db-name-check.html)
+ [redshift-serverless-namespace-cmk-encryption](./redshift-serverless-namespace-cmk-encryption.html)
+ [redshift-serverless-publish-logs-to-cloudwatch](./redshift-serverless-publish-logs-to-cloudwatch.html)
+ [redshift-serverless-workgroup-encrypted-in-transit](./redshift-serverless-workgroup-encrypted-in-transit.html)
+ [redshift-serverless-workgroup-no-public-access](./redshift-serverless-workgroup-no-public-access.html)
+ [redshift-serverless-workgroup-routes-within-vpc](./redshift-serverless-workgroup-routes-within-vpc.html)
+ [redshift-unrestricted-port-access](./redshift-unrestricted-port-access.html)
+ [required-tags](./required-tags.html)
+ [resiliencehub-app-tagged](./resiliencehub-app-tagged.html)
+ [resiliencehub-resiliencypolicy-tagged](./resiliencehub-resiliencypolicy-tagged.html)
+ [restricted-incoming-traffic](./restricted-incoming-traffic.html)
+ [root-account-hardware-mfa-enabled](./root-account-hardware-mfa-enabled.html)
+ [root-account-mfa-enabled](./root-account-mfa-enabled.html)
+ [route53-resolver-firewall-domain-list-tagged](./route53-resolver-firewall-domain-list-tagged.html)
+ [route53-resolver-firewall-rule-group-association-tagged](./route53-resolver-firewall-rule-group-association-tagged.html)
+ [route53-resolver-firewall-rule-group-tagged](./route53-resolver-firewall-rule-group-tagged.html)
+ [route53-resolver-resolver-endpoint-tagged](./route53-resolver-resolver-endpoint-tagged.html)
+ [route53-resolver-resolver-rule-tagged](./route53-resolver-resolver-rule-tagged.html)
+ [rum-app-monitor-cloudwatch-logs-enabled](./rum-app-monitor-cloudwatch-logs-enabled.html)
+ [rum-app-monitor-tagged](./rum-app-monitor-tagged.html)
+ [s3-access-point-in-vpc-only](./s3-access-point-in-vpc-only.html)
+ [s3-access-point-public-access-blocks](./s3-access-point-public-access-blocks.html)
+ [s3-account-level-public-access-blocks](./s3-account-level-public-access-blocks.html)
+ [s3-account-level-public-access-blocks-periodic](./s3-account-level-public-access-blocks-periodic.html)
+ [s3-bucket-acl-prohibited](./s3-bucket-acl-prohibited.html)
+ [s3-bucket-blacklisted-actions-prohibited](./s3-bucket-blacklisted-actions-prohibited.html)
+ [s3-bucket-cross-region-replication-enabled](./s3-bucket-cross-region-replication-enabled.html)
+ [s3-bucket-default-lock-enabled](./s3-bucket-default-lock-enabled.html)
+ [s3-bucket-level-public-access-prohibited](./s3-bucket-level-public-access-prohibited.html)
+ [s3-bucket-logging-enabled](./s3-bucket-logging-enabled.html)
+ [s3-bucket-mfa-delete-enabled](./s3-bucket-mfa-delete-enabled.html)
+ [s3-bucket-policy-grantee-check](./s3-bucket-policy-grantee-check.html)
+ [s3-bucket-policy-not-more-permissive](./s3-bucket-policy-not-more-permissive.html)
+ [s3-bucket-public-read-prohibited](./s3-bucket-public-read-prohibited.html)
+ [s3-bucket-public-write-prohibited](./s3-bucket-public-write-prohibited.html)
+ [s3-bucket-replication-enabled](./s3-bucket-replication-enabled.html)
+ [s3-bucket-server-side-encryption-enabled](./s3-bucket-server-side-encryption-enabled.html)
+ [s3-bucket-ssl-requests-only](./s3-bucket-ssl-requests-only.html)
+ [s3-bucket-tagged](./s3-bucket-tagged.html)
+ [s3-bucket-versioning-enabled](./s3-bucket-versioning-enabled.html)
+ [s3-default-encryption-kms](./s3-default-encryption-kms.html)
+ [s3-event-notifications-enabled](./s3-event-notifications-enabled.html)
+ [s3-last-backup-recovery-point-created](./s3-last-backup-recovery-point-created.html)
+ [s3-lifecycle-policy-check](./s3-lifecycle-policy-check.html)
+ [s3-meets-restore-time-target](./s3-meets-restore-time-target.html)
+ [s3-resources-in-logically-air-gapped-vault](./s3-resources-in-logically-air-gapped-vault.html)
+ [s3-resources-protected-by-backup-plan](./s3-resources-protected-by-backup-plan.html)
+ [s3-version-lifecycle-policy-check](./s3-version-lifecycle-policy-check.html)
+ [sagemaker-app-image-config-tagged](./sagemaker-app-image-config-tagged.html)
+ [sagemaker-data-quality-job-encrypt-in-transit](./sagemaker-data-quality-job-encrypt-in-transit.html)
+ [sagemaker-data-quality-job-isolation](./sagemaker-data-quality-job-isolation.html)
+ [sagemaker-domain-in-vpc](./sagemaker-domain-in-vpc.html)
+ [sagemaker-domain-tagged](./sagemaker-domain-tagged.html)
+ [sagemaker-endpoint-configuration-kms-key-configured](./sagemaker-endpoint-configuration-kms-key-configured.html)
+ [sagemaker-endpoint-config-prod-instance-count](./sagemaker-endpoint-config-prod-instance-count.html)
+ [sagemaker-featuregroup-description](./sagemaker-featuregroup-description.html)
+ [sagemaker-featuregroup-encryption-at-rest](./sagemaker-featuregroup-encryption-at-rest.html)
+ [sagemaker-feature-group-tagged](./sagemaker-feature-group-tagged.html)
+ [sagemaker-image-description](./sagemaker-image-description.html)
+ [sagemaker-image-tagged](./sagemaker-image-tagged.html)
+ [sagemaker-inferenceexperiment-tagged](./sagemaker-inferenceexperiment-tagged.html)
+ [sagemaker-model-bias-job-encrypt-in-transit](./sagemaker-model-bias-job-encrypt-in-transit.html)
+ [sagemaker-model-bias-job-isolation](./sagemaker-model-bias-job-isolation.html)
+ [sagemaker-model-explainability-job-encrypt-in-transit](./sagemaker-model-explainability-job-encrypt-in-transit.html)
+ [sagemaker-model-in-vpc](./sagemaker-model-in-vpc.html)
+ [sagemaker-model-isolation-enabled](./sagemaker-model-isolation-enabled.html)
+ [sagemaker-model-private-registry-required](./sagemaker-model-private-registry-required.html)
+ [sagemaker-model-quality-job-encrypt-in-transit](./sagemaker-model-quality-job-encrypt-in-transit.html)
+ [sagemaker-monitoring-schedule-isolation](./sagemaker-monitoring-schedule-isolation.html)
+ [sagemaker-notebook-instance-inside-vpc](./sagemaker-notebook-instance-inside-vpc.html)
+ [sagemaker-notebook-instance-kms-key-configured](./sagemaker-notebook-instance-kms-key-configured.html)
+ [sagemaker-notebook-instance-platform-version](./sagemaker-notebook-instance-platform-version.html)
+ [sagemaker-notebook-instance-root-access-check](./sagemaker-notebook-instance-root-access-check.html)
+ [sagemaker-notebook-no-direct-internet-access](./sagemaker-notebook-no-direct-internet-access.html)
+ [secretsmanager-rotation-enabled-check](./secretsmanager-rotation-enabled-check.html)
+ [secretsmanager-scheduled-rotation-success-check](./secretsmanager-scheduled-rotation-success-check.html)
+ [secretsmanager-secret-periodic-rotation](./secretsmanager-secret-periodic-rotation.html)
+ [secretsmanager-secret-unused](./secretsmanager-secret-unused.html)
+ [secretsmanager-using-cmk](./secretsmanager-using-cmk.html)
+ [securityhub-enabled](./securityhub-enabled.html)
+ [security-account-information-provided](./security-account-information-provided.html)
+ [service-catalog-portfolio-tagged](./service-catalog-portfolio-tagged.html)
+ [service-catalog-shared-within-organization](./service-catalog-shared-within-organization.html)
+ [service-vpc-endpoint-enabled](./service-vpc-endpoint-enabled.html)
+ [ses-sending-tls-required](./ses-sending-tls-required.html)
+ [signer-signingprofile-tagged](./signer-signingprofile-tagged.html)
+ [sns-encrypted-kms](./sns-encrypted-kms.html)
+ [sns-topic-message-delivery-notification-enabled](./sns-topic-message-delivery-notification-enabled.html)
+ [sns-topic-no-public-access](./sns-topic-no-public-access.html)
+ [sqs-queue-dlq-check](./sqs-queue-dlq-check.html)
+ [sqs-queue-no-public-access](./sqs-queue-no-public-access.html)
+ [sqs-queue-policy-full-access-check](./sqs-queue-policy-full-access-check.html)
+ [ssm-automation-block-public-sharing](./ssm-automation-block-public-sharing.html)
+ [ssm-automation-logging-enabled](./ssm-automation-logging-enabled.html)
+ [ssm-document-not-public](./ssm-document-not-public.html)
+ [ssm-document-tagged](./ssm-document-tagged.html)
+ [stepfunctions-state-machine-tagged](./stepfunctions-state-machine-tagged.html)
+ [step-functions-state-machine-logging-enabled](./step-functions-state-machine-logging-enabled.html)
+ [storagegateway-last-backup-recovery-point-created](./storagegateway-last-backup-recovery-point-created.html)
+ [storagegateway-resources-in-logically-air-gapped-vault](./storagegateway-resources-in-logically-air-gapped-vault.html)
+ [storagegateway-resources-protected-by-backup-plan](./storagegateway-resources-protected-by-backup-plan.html)
+ [subnet-auto-assign-public-ip-disabled](./subnet-auto-assign-public-ip-disabled.html)
+ [transfer-agreement-description](./transfer-agreement-description.html)
+ [transfer-agreement-tagged](./transfer-agreement-tagged.html)
+ [transfer-certificate-description](./transfer-certificate-description.html)
+ [transfer-certificate-tagged](./transfer-certificate-tagged.html)
+ [transfer-connector-as2-encryption-algorithm-check](./transfer-connector-as2-encryption-algorithm-check.html)
+ [transfer-connector-as2-mdn-signing-algorithm-check](./transfer-connector-as2-mdn-signing-algorithm-check.html)
+ [transfer-connector-as2-signing-algorithm-check](./transfer-connector-as2-signing-algorithm-check.html)
+ [transfer-connector-logging-enabled](./transfer-connector-logging-enabled.html)
+ [transfer-connector-tagged](./transfer-connector-tagged.html)
+ [transfer-family-server-no-ftp](./transfer-family-server-no-ftp.html)
+ [transfer-profile-tagged](./transfer-profile-tagged.html)
+ [transfer-workflow-description](./transfer-workflow-description.html)
+ [transfer-workflow-tagged](./transfer-workflow-tagged.html)
+ [virtualmachine-last-backup-recovery-point-created](./virtualmachine-last-backup-recovery-point-created.html)
+ [virtualmachine-resources-in-logically-air-gapped-vault](./virtualmachine-resources-in-logically-air-gapped-vault.html)
+ [virtualmachine-resources-protected-by-backup-plan](./virtualmachine-resources-protected-by-backup-plan.html)
+ [vpc-default-security-group-closed](./vpc-default-security-group-closed.html)
+ [vpc-endpoint-enabled](./vpc-endpoint-enabled.html)
+ [vpc-flow-logs-enabled](./vpc-flow-logs-enabled.html)
+ [vpc-network-acl-unused-check](./vpc-network-acl-unused-check.html)
+ [vpc-peering-dns-resolution-check](./vpc-peering-dns-resolution-check.html)
+ [vpc-sg-open-only-to-authorized-ports](./vpc-sg-open-only-to-authorized-ports.html)
+ [vpc-sg-port-restriction-check](./vpc-sg-port-restriction-check.html)
+ [vpc-vpn-2-tunnels-up](./vpc-vpn-2-tunnels-up.html)
+ [wafv2-logging-enabled](./wafv2-logging-enabled.html)
+ [wafv2-rulegroup-logging-enabled](./wafv2-rulegroup-logging-enabled.html)
+ [wafv2-rulegroup-not-empty](./wafv2-rulegroup-not-empty.html)
+ [wafv2-webacl-not-empty](./wafv2-webacl-not-empty.html)
+ [waf-global-rulegroup-not-empty](./waf-global-rulegroup-not-empty.html)
+ [waf-global-rule-not-empty](./waf-global-rule-not-empty.html)
+ [waf-regional-rulegroup-not-empty](./waf-regional-rulegroup-not-empty.html)
+ [waf-regional-rule-not-empty](./waf-regional-rule-not-empty.html)
+ [waf-regional-webacl-not-empty](./waf-regional-webacl-not-empty.html)
+ [workspaces-connection-alias-tagged](./workspaces-connection-alias-tagged.html)
+ [workspaces-root-volume-encryption-enabled](./workspaces-root-volume-encryption-enabled.html)
+ [workspaces-user-volume-encryption-enabled](./workspaces-user-volume-encryption-enabled.html)
+ [workspaces-workspace-tagged](./workspaces-workspace-tagged.html)

## Canada West (Calgary) Region
<a name="canada-west-section-head"></a>

### Canada West (Calgary)
<a name="canada-west"></a>
+ [account-part-of-organizations](./account-part-of-organizations.html)
+ [acmpca-certificate-authority-tagged](./acmpca-certificate-authority-tagged.html)
+ [acm-certificate-expiration-check](./acm-certificate-expiration-check.html)
+ [acm-certificate-rsa-check](./acm-certificate-rsa-check.html)
+ [acm-certificate-transparent-logging-enabled](./acm-certificate-transparent-logging-enabled.html)
+ [alb-desync-mode-check](./alb-desync-mode-check.html)
+ [alb-http-drop-invalid-header-enabled](./alb-http-drop-invalid-header-enabled.html)
+ [alb-http-to-https-redirection-check](./alb-http-to-https-redirection-check.html)
+ [alb-internal-scheme-check](./alb-internal-scheme-check.html)
+ [alb-tagged](./alb-tagged.html)
+ [alb-waf-enabled](./alb-waf-enabled.html)
+ [apigatewayv2-integration-private-https-enabled](./apigatewayv2-integration-private-https-enabled.html)
+ [apigatewayv2-stage-description](./apigatewayv2-stage-description.html)
+ [apigateway-domain-name-tls-check](./apigateway-domain-name-tls-check.html)
+ [apigateway-stage-access-logs-enabled](./apigateway-stage-access-logs-enabled.html)
+ [apigateway-stage-description](./apigateway-stage-description.html)
+ [api-gwv2-access-logs-enabled](./api-gwv2-access-logs-enabled.html)
+ [api-gwv2-stage-default-route-detailed-metrics-enabled](./api-gwv2-stage-default-route-detailed-metrics-enabled.html)
+ [api-gw-associated-with-waf](./api-gw-associated-with-waf.html)
+ [api-gw-cache-enabled-and-encrypted](./api-gw-cache-enabled-and-encrypted.html)
+ [api-gw-endpoint-type-check](./api-gw-endpoint-type-check.html)
+ [api-gw-execution-logging-enabled](./api-gw-execution-logging-enabled.html)
+ [api-gw-rest-api-tagged](./api-gw-rest-api-tagged.html)
+ [api-gw-ssl-enabled](./api-gw-ssl-enabled.html)
+ [api-gw-stage-tagged](./api-gw-stage-tagged.html)
+ [api-gw-xray-enabled](./api-gw-xray-enabled.html)
+ [appconfig-deployment-strategy-description](./appconfig-deployment-strategy-description.html)
+ [appconfig-deployment-strategy-minimum-final-bake-time](./appconfig-deployment-strategy-minimum-final-bake-time.html)
+ [appconfig-deployment-strategy-replicate-to-ssm](./appconfig-deployment-strategy-replicate-to-ssm.html)
+ [appconfig-deployment-strategy-tagged](./appconfig-deployment-strategy-tagged.html)
+ [approved-amis-by-id](./approved-amis-by-id.html)
+ [approved-amis-by-tag](./approved-amis-by-tag.html)
+ [athena-data-catalog-description](./athena-data-catalog-description.html)
+ [athena-prepared-statement-description](./athena-prepared-statement-description.html)
+ [athena-workgroup-description](./athena-workgroup-description.html)
+ [athena-workgroup-enforce-workgroup-configuration](./athena-workgroup-enforce-workgroup-configuration.html)
+ [athena-workgroup-engine-version-auto-upgrade](./athena-workgroup-engine-version-auto-upgrade.html)
+ [athena-workgroup-logging-enabled](./athena-workgroup-logging-enabled.html)
+ [aurora-mysql-cluster-audit-logging](./aurora-mysql-cluster-audit-logging.html)
+ [autoscaling-group-elb-healthcheck-required](./autoscaling-group-elb-healthcheck-required.html)
+ [autoscaling-launch-config-public-ip-disabled](./autoscaling-launch-config-public-ip-disabled.html)
+ [autoscaling-launch-template](./autoscaling-launch-template.html)
+ [autoscaling-multiple-instance-types](./autoscaling-multiple-instance-types.html)
+ [batch-scheduling-policy-tagged](./batch-scheduling-policy-tagged.html)
+ [beanstalk-enhanced-health-reporting-enabled](./beanstalk-enhanced-health-reporting-enabled.html)
+ [clb-multiple-az](./clb-multiple-az.html)
+ [cloudformation-stack-drift-detection-check](./cloudformation-stack-drift-detection-check.html)
+ [cloudformation-stack-notification-check](./cloudformation-stack-notification-check.html)
+ [cloudtrail-s3-dataevents-enabled](./cloudtrail-s3-dataevents-enabled.html)
+ [cloudtrail-security-trail-enabled](./cloudtrail-security-trail-enabled.html)
+ [cloudwatch-alarm-action-check](./cloudwatch-alarm-action-check.html)
+ [cloudwatch-alarm-action-enabled-check](./cloudwatch-alarm-action-enabled-check.html)
+ [cloudwatch-alarm-description](./cloudwatch-alarm-description.html)
+ [cloudwatch-alarm-resource-check](./cloudwatch-alarm-resource-check.html)
+ [cloudwatch-alarm-settings-check](./cloudwatch-alarm-settings-check.html)
+ [cloudwatch-log-group-encrypted](./cloudwatch-log-group-encrypted.html)
+ [cloud-trail-cloud-watch-logs-enabled](./cloud-trail-cloud-watch-logs-enabled.html)
+ [cloud-trail-enabled](./cloud-trail-enabled.html)
+ [cloud-trail-encryption-enabled](./cloud-trail-encryption-enabled.html)
+ [cloud-trail-log-file-validation-enabled](./cloud-trail-log-file-validation-enabled.html)
+ [cmk-backing-key-rotation-enabled](./cmk-backing-key-rotation-enabled.html)
+ [cognito-identity-pool-unauthenticated-logins](./cognito-identity-pool-unauthenticated-logins.html)
+ [cognito-identity-pool-unauth-access-check](./cognito-identity-pool-unauth-access-check.html)
+ [cognito-userpool-cust-auth-threat-full-check](./cognito-userpool-cust-auth-threat-full-check.html)
+ [cognito-user-pool-deletion-protection-enabled](./cognito-user-pool-deletion-protection-enabled.html)
+ [cognito-user-pool-mfa-enabled](./cognito-user-pool-mfa-enabled.html)
+ [cognito-user-pool-password-policy-check](./cognito-user-pool-password-policy-check.html)
+ [cognito-user-pool-tagged](./cognito-user-pool-tagged.html)
+ [custom-eventbus-policy-attached](./custom-eventbus-policy-attached.html)
+ [cw-loggroup-retention-period-check](./cw-loggroup-retention-period-check.html)
+ [datasync-task-data-verification-enabled](./datasync-task-data-verification-enabled.html)
+ [datasync-task-tagged](./datasync-task-tagged.html)
+ [db-instance-backup-enabled](./db-instance-backup-enabled.html)
+ [desired-instance-tenancy](./desired-instance-tenancy.html)
+ [desired-instance-type](./desired-instance-type.html)
+ [dms-replication-not-public](./dms-replication-not-public.html)
+ [dynamodb-autoscaling-enabled](./dynamodb-autoscaling-enabled.html)
+ [dynamodb-in-backup-plan](./dynamodb-in-backup-plan.html)
+ [dynamodb-pitr-enabled](./dynamodb-pitr-enabled.html)
+ [dynamodb-table-deletion-protection-enabled](./dynamodb-table-deletion-protection-enabled.html)
+ [dynamodb-table-encrypted-kms](./dynamodb-table-encrypted-kms.html)
+ [dynamodb-table-encryption-enabled](./dynamodb-table-encryption-enabled.html)
+ [dynamodb-throughput-limit-check](./dynamodb-throughput-limit-check.html)
+ [ebs-in-backup-plan](./ebs-in-backup-plan.html)
+ [ebs-snapshot-block-public-access](./ebs-snapshot-block-public-access.html)
+ [ebs-snapshot-public-restorable-check](./ebs-snapshot-public-restorable-check.html)
+ [ec2-capacity-reservation-tagged](./ec2-capacity-reservation-tagged.html)
+ [ec2-dhcp-options-tagged](./ec2-dhcp-options-tagged.html)
+ [ec2-ebs-encryption-by-default](./ec2-ebs-encryption-by-default.html)
+ [ec2-enis-source-destination-check-enabled](./ec2-enis-source-destination-check-enabled.html)
+ [ec2-imdsv2-check](./ec2-imdsv2-check.html)
+ [ec2-instance-detailed-monitoring-enabled](./ec2-instance-detailed-monitoring-enabled.html)
+ [ec2-instance-launched-with-allowed-ami](./ec2-instance-launched-with-allowed-ami.html)
+ [ec2-instance-managed-by-ssm](./ec2-instance-managed-by-ssm.html)
+ [ec2-instance-multiple-eni-check](./ec2-instance-multiple-eni-check.html)
+ [ec2-instance-no-public-ip](./ec2-instance-no-public-ip.html)
+ [ec2-instance-profile-attached](./ec2-instance-profile-attached.html)
+ [ec2-managedinstance-applications-blacklisted](./ec2-managedinstance-applications-blacklisted.html)
+ [ec2-managedinstance-applications-required](./ec2-managedinstance-applications-required.html)
+ [ec2-managedinstance-inventory-blacklisted](./ec2-managedinstance-inventory-blacklisted.html)
+ [ec2-managedinstance-patch-compliance-status-check](./ec2-managedinstance-patch-compliance-status-check.html)
+ [ec2-managedinstance-platform-check](./ec2-managedinstance-platform-check.html)
+ [ec2-prefix-list-tagged](./ec2-prefix-list-tagged.html)
+ [ec2-security-group-attached-to-eni](./ec2-security-group-attached-to-eni.html)
+ [ec2-stopped-instance](./ec2-stopped-instance.html)
+ [ec2-traffic-mirror-filter-description](./ec2-traffic-mirror-filter-description.html)
+ [ec2-traffic-mirror-filter-tagged](./ec2-traffic-mirror-filter-tagged.html)
+ [ec2-transit-gateway-auto-vpc-attach-disabled](./ec2-transit-gateway-auto-vpc-attach-disabled.html)
+ [ec2-transit-gateway-multicast-domain-tagged](./ec2-transit-gateway-multicast-domain-tagged.html)
+ [ec2-volume-inuse-check](./ec2-volume-inuse-check.html)
+ [ec2-vpn-connection-tagged](./ec2-vpn-connection-tagged.html)
+ [ecr-private-image-scanning-enabled](./ecr-private-image-scanning-enabled.html)
+ [ecr-private-lifecycle-policy-configured](./ecr-private-lifecycle-policy-configured.html)
+ [ecr-private-tag-immutability-enabled](./ecr-private-tag-immutability-enabled.html)
+ [ecr-repository-tagged](./ecr-repository-tagged.html)
+ [ecs-capacity-provider-tagged](./ecs-capacity-provider-tagged.html)
+ [ecs-capacity-provider-termination-check](./ecs-capacity-provider-termination-check.html)
+ [ecs-containers-nonprivileged](./ecs-containers-nonprivileged.html)
+ [ecs-containers-readonly-access](./ecs-containers-readonly-access.html)
+ [ecs-container-insights-enabled](./ecs-container-insights-enabled.html)
+ [ecs-fargate-latest-platform-version](./ecs-fargate-latest-platform-version.html)
+ [ecs-no-environment-secrets](./ecs-no-environment-secrets.html)
+ [ecs-service-propagate-tags-enabled](./ecs-service-propagate-tags-enabled.html)
+ [ecs-task-definition-efs-encryption-enabled](./ecs-task-definition-efs-encryption-enabled.html)
+ [ecs-task-definition-linux-user-non-root](./ecs-task-definition-linux-user-non-root.html)
+ [ecs-task-definition-log-configuration](./ecs-task-definition-log-configuration.html)
+ [ecs-task-definition-network-mode-not-host](./ecs-task-definition-network-mode-not-host.html)
+ [ecs-task-definition-pid-mode-check](./ecs-task-definition-pid-mode-check.html)
+ [ecs-task-definition-user-for-host-mode-check](./ecs-task-definition-user-for-host-mode-check.html)
+ [ecs-task-definition-windows-user-non-admin](./ecs-task-definition-windows-user-non-admin.html)
+ [efs-access-point-enforce-root-directory](./efs-access-point-enforce-root-directory.html)
+ [efs-access-point-enforce-user-identity](./efs-access-point-enforce-user-identity.html)
+ [efs-encrypted-check](./efs-encrypted-check.html)
+ [efs-file-system-tagged](./efs-file-system-tagged.html)
+ [efs-in-backup-plan](./efs-in-backup-plan.html)
+ [eip-attached](./eip-attached.html)
+ [eks-endpoint-no-public-access](./eks-endpoint-no-public-access.html)
+ [eks-nodegroup-supported-version-check](./eks-nodegroup-supported-version-check.html)
+ [eks-secrets-encrypted](./eks-secrets-encrypted.html)
+ [elasticache-redis-cluster-automatic-backup-check](./elasticache-redis-cluster-automatic-backup-check.html)
+ [elasticsearch-encrypted-at-rest](./elasticsearch-encrypted-at-rest.html)
+ [elasticsearch-in-vpc-only](./elasticsearch-in-vpc-only.html)
+ [elasticsearch-logs-to-cloudwatch](./elasticsearch-logs-to-cloudwatch.html)
+ [elasticsearch-node-to-node-encryption-check](./elasticsearch-node-to-node-encryption-check.html)
+ [elastic-beanstalk-managed-updates-enabled](./elastic-beanstalk-managed-updates-enabled.html)
+ [elbv2-multiple-az](./elbv2-multiple-az.html)
+ [elbv2-targetgroup-healthcheck-protocol-encrypted](./elbv2-targetgroup-healthcheck-protocol-encrypted.html)
+ [elbv2-targetgroup-protocol-encrypted](./elbv2-targetgroup-protocol-encrypted.html)
+ [elb-cross-zone-load-balancing-enabled](./elb-cross-zone-load-balancing-enabled.html)
+ [elb-custom-security-policy-ssl-check](./elb-custom-security-policy-ssl-check.html)
+ [elb-deletion-protection-enabled](./elb-deletion-protection-enabled.html)
+ [elb-internal-scheme-check](./elb-internal-scheme-check.html)
+ [elb-logging-enabled](./elb-logging-enabled.html)
+ [elb-predefined-security-policy-ssl-check](./elb-predefined-security-policy-ssl-check.html)
+ [elb-tagged](./elb-tagged.html)
+ [elb-tls-https-listeners-only](./elb-tls-https-listeners-only.html)
+ [emr-kerberos-enabled](./emr-kerberos-enabled.html)
+ [emr-master-no-public-ip](./emr-master-no-public-ip.html)
+ [emr-security-configuration-encryption-rest](./emr-security-configuration-encryption-rest.html)
+ [emr-security-configuration-encryption-transit](./emr-security-configuration-encryption-transit.html)
+ [encrypted-volumes](./encrypted-volumes.html)
+ [glb-tagged](./glb-tagged.html)
+ [glue-ml-transform-tagged](./glue-ml-transform-tagged.html)
+ [guardduty-enabled-centralized](./guardduty-enabled-centralized.html)
+ [guardduty-non-archived-findings](./guardduty-non-archived-findings.html)
+ [iam-password-policy](./iam-password-policy.html)
+ [imagebuilder-distributionconfiguration-tagged](./imagebuilder-distributionconfiguration-tagged.html)
+ [imagebuilder-imagepipeline-tagged](./imagebuilder-imagepipeline-tagged.html)
+ [imagebuilder-imagerecipe-ebs-volumes-encrypted](./imagebuilder-imagerecipe-ebs-volumes-encrypted.html)
+ [imagebuilder-imagerecipe-tagged](./imagebuilder-imagerecipe-tagged.html)
+ [incoming-ssh-disabled](./incoming-ssh-disabled.html)
+ [instances-in-vpc](./instances-in-vpc.html)
+ [internet-gateway-authorized-vpc-only](./internet-gateway-authorized-vpc-only.html)
+ [kinesis-firehose-delivery-stream-encrypted](./kinesis-firehose-delivery-stream-encrypted.html)
+ [kms-cmk-not-scheduled-for-deletion](./kms-cmk-not-scheduled-for-deletion.html)
+ [kms-key-tagged](./kms-key-tagged.html)
+ [lambda-concurrency-check](./lambda-concurrency-check.html)
+ [lambda-dlq-check](./lambda-dlq-check.html)
+ [lambda-function-application-log-level-check](./lambda-function-application-log-level-check.html)
+ [lambda-function-description](./lambda-function-description.html)
+ [lambda-function-log-format-json](./lambda-function-log-format-json.html)
+ [lambda-function-public-access-prohibited](./lambda-function-public-access-prohibited.html)
+ [lambda-function-settings-check](./lambda-function-settings-check.html)
+ [lambda-function-system-log-level-check](./lambda-function-system-log-level-check.html)
+ [lambda-function-xray-enabled](./lambda-function-xray-enabled.html)
+ [lambda-inside-vpc](./lambda-inside-vpc.html)
+ [lambda-vpc-multi-az-check](./lambda-vpc-multi-az-check.html)
+ [mariadb-publish-logs-to-cloudwatch-logs](./mariadb-publish-logs-to-cloudwatch-logs.html)
+ [multi-region-cloud-trail-enabled](./multi-region-cloud-trail-enabled.html)
+ [nacl-no-unrestricted-ssh-rdp](./nacl-no-unrestricted-ssh-rdp.html)
+ [neptune-cluster-deletion-protection-enabled](./neptune-cluster-deletion-protection-enabled.html)
+ [neptune-cluster-snapshot-iam-database-auth-enabled](./neptune-cluster-snapshot-iam-database-auth-enabled.html)
+ [netfw-multi-az-enabled](./netfw-multi-az-enabled.html)
+ [netfw-subnet-change-protection-enabled](./netfw-subnet-change-protection-enabled.html)
+ [nlb-internal-scheme-check](./nlb-internal-scheme-check.html)
+ [nlb-logging-enabled](./nlb-logging-enabled.html)
+ [nlb-tagged](./nlb-tagged.html)
+ [no-unrestricted-route-to-igw](./no-unrestricted-route-to-igw.html)
+ [rds-automatic-minor-version-upgrade-enabled](./rds-automatic-minor-version-upgrade-enabled.html)
+ [rds-cluster-backup-retention-check](./rds-cluster-backup-retention-check.html)
+ [rds-cluster-deletion-protection-enabled](./rds-cluster-deletion-protection-enabled.html)
+ [rds-cluster-iam-authentication-enabled](./rds-cluster-iam-authentication-enabled.html)
+ [rds-cluster-multi-az-enabled](./rds-cluster-multi-az-enabled.html)
+ [rds-enhanced-monitoring-enabled](./rds-enhanced-monitoring-enabled.html)
+ [rds-event-subscription-tagged](./rds-event-subscription-tagged.html)
+ [rds-instance-deletion-protection-enabled](./rds-instance-deletion-protection-enabled.html)
+ [rds-instance-iam-authentication-enabled](./rds-instance-iam-authentication-enabled.html)
+ [rds-instance-public-access-check](./rds-instance-public-access-check.html)
+ [rds-instance-subnet-igw-check](./rds-instance-subnet-igw-check.html)
+ [rds-in-backup-plan](./rds-in-backup-plan.html)
+ [rds-logging-enabled](./rds-logging-enabled.html)
+ [rds-multi-az-support](./rds-multi-az-support.html)
+ [rds-mysql-cluster-copy-tags-to-snapshot-check](./rds-mysql-cluster-copy-tags-to-snapshot-check.html)
+ [rds-option-group-tagged](./rds-option-group-tagged.html)
+ [rds-pgsql-cluster-copy-tags-to-snapshot-check](./rds-pgsql-cluster-copy-tags-to-snapshot-check.html)
+ [rds-proxy-tls-encryption](./rds-proxy-tls-encryption.html)
+ [rds-snapshots-public-prohibited](./rds-snapshots-public-prohibited.html)
+ [rds-snapshot-encrypted](./rds-snapshot-encrypted.html)
+ [rds-sqlserver-encrypted-in-transit](./rds-sqlserver-encrypted-in-transit.html)
+ [rds-storage-encrypted](./rds-storage-encrypted.html)
+ [redshift-backup-enabled](./redshift-backup-enabled.html)
+ [redshift-cluster-configuration-check](./redshift-cluster-configuration-check.html)
+ [redshift-cluster-kms-enabled](./redshift-cluster-kms-enabled.html)
+ [redshift-cluster-maintenancesettings-check](./redshift-cluster-maintenancesettings-check.html)
+ [redshift-cluster-multi-az-enabled](./redshift-cluster-multi-az-enabled.html)
+ [redshift-cluster-parameter-group-tagged](./redshift-cluster-parameter-group-tagged.html)
+ [redshift-cluster-public-access-check](./redshift-cluster-public-access-check.html)
+ [redshift-enhanced-vpc-routing-enabled](./redshift-enhanced-vpc-routing-enabled.html)
+ [redshift-require-tls-ssl](./redshift-require-tls-ssl.html)
+ [required-tags](./required-tags.html)
+ [restricted-incoming-traffic](./restricted-incoming-traffic.html)
+ [s3-account-level-public-access-blocks-periodic](./s3-account-level-public-access-blocks-periodic.html)
+ [s3-bucket-acl-prohibited](./s3-bucket-acl-prohibited.html)
+ [s3-bucket-blacklisted-actions-prohibited](./s3-bucket-blacklisted-actions-prohibited.html)
+ [s3-bucket-cross-region-replication-enabled](./s3-bucket-cross-region-replication-enabled.html)
+ [s3-bucket-default-lock-enabled](./s3-bucket-default-lock-enabled.html)
+ [s3-bucket-level-public-access-prohibited](./s3-bucket-level-public-access-prohibited.html)
+ [s3-bucket-logging-enabled](./s3-bucket-logging-enabled.html)
+ [s3-bucket-policy-grantee-check](./s3-bucket-policy-grantee-check.html)
+ [s3-bucket-policy-not-more-permissive](./s3-bucket-policy-not-more-permissive.html)
+ [s3-bucket-public-read-prohibited](./s3-bucket-public-read-prohibited.html)
+ [s3-bucket-public-write-prohibited](./s3-bucket-public-write-prohibited.html)
+ [s3-bucket-replication-enabled](./s3-bucket-replication-enabled.html)
+ [s3-bucket-server-side-encryption-enabled](./s3-bucket-server-side-encryption-enabled.html)
+ [s3-bucket-ssl-requests-only](./s3-bucket-ssl-requests-only.html)
+ [s3-bucket-tagged](./s3-bucket-tagged.html)
+ [s3-bucket-versioning-enabled](./s3-bucket-versioning-enabled.html)
+ [s3-default-encryption-kms](./s3-default-encryption-kms.html)
+ [s3-event-notifications-enabled](./s3-event-notifications-enabled.html)
+ [s3-lifecycle-policy-check](./s3-lifecycle-policy-check.html)
+ [s3-version-lifecycle-policy-check](./s3-version-lifecycle-policy-check.html)
+ [sagemaker-endpoint-configuration-kms-key-configured](./sagemaker-endpoint-configuration-kms-key-configured.html)
+ [sagemaker-notebook-instance-kms-key-configured](./sagemaker-notebook-instance-kms-key-configured.html)
+ [sagemaker-notebook-no-direct-internet-access](./sagemaker-notebook-no-direct-internet-access.html)
+ [secretsmanager-rotation-enabled-check](./secretsmanager-rotation-enabled-check.html)
+ [secretsmanager-scheduled-rotation-success-check](./secretsmanager-scheduled-rotation-success-check.html)
+ [secretsmanager-secret-periodic-rotation](./secretsmanager-secret-periodic-rotation.html)
+ [secretsmanager-secret-unused](./secretsmanager-secret-unused.html)
+ [secretsmanager-using-cmk](./secretsmanager-using-cmk.html)
+ [securityhub-enabled](./securityhub-enabled.html)
+ [service-vpc-endpoint-enabled](./service-vpc-endpoint-enabled.html)
+ [sns-encrypted-kms](./sns-encrypted-kms.html)
+ [ssm-automation-block-public-sharing](./ssm-automation-block-public-sharing.html)
+ [ssm-automation-logging-enabled](./ssm-automation-logging-enabled.html)
+ [ssm-document-not-public](./ssm-document-not-public.html)
+ [ssm-document-tagged](./ssm-document-tagged.html)
+ [stepfunctions-state-machine-tagged](./stepfunctions-state-machine-tagged.html)
+ [subnet-auto-assign-public-ip-disabled](./subnet-auto-assign-public-ip-disabled.html)
+ [transfer-certificate-description](./transfer-certificate-description.html)
+ [transfer-certificate-tagged](./transfer-certificate-tagged.html)
+ [transfer-connector-as2-encryption-algorithm-check](./transfer-connector-as2-encryption-algorithm-check.html)
+ [transfer-connector-as2-mdn-signing-algorithm-check](./transfer-connector-as2-mdn-signing-algorithm-check.html)
+ [transfer-connector-as2-signing-algorithm-check](./transfer-connector-as2-signing-algorithm-check.html)
+ [transfer-connector-tagged](./transfer-connector-tagged.html)
+ [transfer-profile-tagged](./transfer-profile-tagged.html)
+ [transfer-workflow-description](./transfer-workflow-description.html)
+ [transfer-workflow-tagged](./transfer-workflow-tagged.html)
+ [vpc-default-security-group-closed](./vpc-default-security-group-closed.html)
+ [vpc-endpoint-enabled](./vpc-endpoint-enabled.html)
+ [vpc-flow-logs-enabled](./vpc-flow-logs-enabled.html)
+ [vpc-network-acl-unused-check](./vpc-network-acl-unused-check.html)
+ [vpc-sg-open-only-to-authorized-ports](./vpc-sg-open-only-to-authorized-ports.html)
+ [vpc-vpn-2-tunnels-up](./vpc-vpn-2-tunnels-up.html)
+ [wafv2-logging-enabled](./wafv2-logging-enabled.html)
+ [waf-global-rulegroup-not-empty](./waf-global-rulegroup-not-empty.html)
+ [waf-global-rule-not-empty](./waf-global-rule-not-empty.html)

## China (Beijing) Region
<a name="china-beijing-section-head"></a>

### China (Beijing)
<a name="china-beijing"></a>
+ [access-keys-rotated](./access-keys-rotated.html)
+ [acm-certificate-expiration-check](./acm-certificate-expiration-check.html)
+ [active-mq-supported-version](./active-mq-supported-version.html)
+ [alb-desync-mode-check](./alb-desync-mode-check.html)
+ [alb-http-drop-invalid-header-enabled](./alb-http-drop-invalid-header-enabled.html)
+ [alb-http-to-https-redirection-check](./alb-http-to-https-redirection-check.html)
+ [alb-waf-enabled](./alb-waf-enabled.html)
+ [api-gwv2-access-logs-enabled](./api-gwv2-access-logs-enabled.html)
+ [api-gwv2-authorization-type-configured](./api-gwv2-authorization-type-configured.html)
+ [api-gw-associated-with-waf](./api-gw-associated-with-waf.html)
+ [api-gw-cache-enabled-and-encrypted](./api-gw-cache-enabled-and-encrypted.html)
+ [api-gw-endpoint-type-check](./api-gw-endpoint-type-check.html)
+ [api-gw-execution-logging-enabled](./api-gw-execution-logging-enabled.html)
+ [api-gw-ssl-enabled](./api-gw-ssl-enabled.html)
+ [api-gw-xray-enabled](./api-gw-xray-enabled.html)
+ [approved-amis-by-id](./approved-amis-by-id.html)
+ [approved-amis-by-tag](./approved-amis-by-tag.html)
+ [appsync-associated-with-waf](./appsync-associated-with-waf.html)
+ [appsync-authorization-check](./appsync-authorization-check.html)
+ [appsync-logging-enabled](./appsync-logging-enabled.html)
+ [athena-workgroup-encrypted-at-rest](./athena-workgroup-encrypted-at-rest.html)
+ [athena-workgroup-logging-enabled](./athena-workgroup-logging-enabled.html)
+ [aurora-mysql-cluster-audit-logging](./aurora-mysql-cluster-audit-logging.html)
+ [autoscaling-group-elb-healthcheck-required](./autoscaling-group-elb-healthcheck-required.html)
+ [autoscaling-launchconfig-requires-imdsv2](./autoscaling-launchconfig-requires-imdsv2.html)
+ [autoscaling-launch-config-hop-limit](./autoscaling-launch-config-hop-limit.html)
+ [autoscaling-launch-config-public-ip-disabled](./autoscaling-launch-config-public-ip-disabled.html)
+ [autoscaling-launch-template](./autoscaling-launch-template.html)
+ [autoscaling-multiple-az](./autoscaling-multiple-az.html)
+ [autoscaling-multiple-instance-types](./autoscaling-multiple-instance-types.html)
+ [beanstalk-enhanced-health-reporting-enabled](./beanstalk-enhanced-health-reporting-enabled.html)
+ [clb-desync-mode-check](./clb-desync-mode-check.html)
+ [clb-multiple-az](./clb-multiple-az.html)
+ [cloudformation-stack-drift-detection-check](./cloudformation-stack-drift-detection-check.html)
+ [cloudformation-stack-notification-check](./cloudformation-stack-notification-check.html)
+ [cloudformation-stack-service-role-check](./cloudformation-stack-service-role-check.html)
+ [cloudformation-termination-protection-check](./cloudformation-termination-protection-check.html)
+ [cloudfront-s3-origin-non-existent-bucket](./cloudfront-s3-origin-non-existent-bucket.html)
+ [cloudtrail-s3-bucket-access-logging](./cloudtrail-s3-bucket-access-logging.html)
+ [cloudtrail-s3-bucket-public-access-prohibited](./cloudtrail-s3-bucket-public-access-prohibited.html)
+ [cloudtrail-s3-dataevents-enabled](./cloudtrail-s3-dataevents-enabled.html)
+ [cloudtrail-security-trail-enabled](./cloudtrail-security-trail-enabled.html)
+ [cloudwatch-alarm-action-check](./cloudwatch-alarm-action-check.html)
+ [cloudwatch-alarm-action-enabled-check](./cloudwatch-alarm-action-enabled-check.html)
+ [cloudwatch-alarm-resource-check](./cloudwatch-alarm-resource-check.html)
+ [cloudwatch-alarm-settings-check](./cloudwatch-alarm-settings-check.html)
+ [cloudwatch-log-group-encrypted](./cloudwatch-log-group-encrypted.html)
+ [cloud-trail-cloud-watch-logs-enabled](./cloud-trail-cloud-watch-logs-enabled.html)
+ [cloud-trail-enabled](./cloud-trail-enabled.html)
+ [cloud-trail-encryption-enabled](./cloud-trail-encryption-enabled.html)
+ [cloud-trail-log-file-validation-enabled](./cloud-trail-log-file-validation-enabled.html)
+ [cmk-backing-key-rotation-enabled](./cmk-backing-key-rotation-enabled.html)
+ [codebuild-project-environment-privileged-check](./codebuild-project-environment-privileged-check.html)
+ [codebuild-project-envvar-awscred-check](./codebuild-project-envvar-awscred-check.html)
+ [codebuild-project-logging-enabled](./codebuild-project-logging-enabled.html)
+ [codebuild-project-s3-logs-encrypted](./codebuild-project-s3-logs-encrypted.html)
+ [codebuild-project-source-repo-url-check](./codebuild-project-source-repo-url-check.html)
+ [codebuild-report-group-encrypted-at-rest](./codebuild-report-group-encrypted-at-rest.html)
+ [cognito-identity-pool-unauth-access-check](./cognito-identity-pool-unauth-access-check.html)
+ [custom-eventbus-policy-attached](./custom-eventbus-policy-attached.html)
+ [cw-loggroup-retention-period-check](./cw-loggroup-retention-period-check.html)
+ [datasync-task-logging-enabled](./datasync-task-logging-enabled.html)
+ [dax-encryption-enabled](./dax-encryption-enabled.html)
+ [db-instance-backup-enabled](./db-instance-backup-enabled.html)
+ [desired-instance-tenancy](./desired-instance-tenancy.html)
+ [desired-instance-type](./desired-instance-type.html)
+ [dms-auto-minor-version-upgrade-check](./dms-auto-minor-version-upgrade-check.html)
+ [dms-endpoint-ssl-configured](./dms-endpoint-ssl-configured.html)
+ [dms-replication-instance-multi-az-enabled](./dms-replication-instance-multi-az-enabled.html)
+ [dms-replication-not-public](./dms-replication-not-public.html)
+ [dms-replication-task-sourcedb-logging](./dms-replication-task-sourcedb-logging.html)
+ [dms-replication-task-targetdb-logging](./dms-replication-task-targetdb-logging.html)
+ [docdb-cluster-encrypted-in-transit](./docdb-cluster-encrypted-in-transit.html)
+ [dynamodb-autoscaling-enabled](./dynamodb-autoscaling-enabled.html)
+ [dynamodb-in-backup-plan](./dynamodb-in-backup-plan.html)
+ [dynamodb-pitr-enabled](./dynamodb-pitr-enabled.html)
+ [dynamodb-table-deletion-protection-enabled](./dynamodb-table-deletion-protection-enabled.html)
+ [dynamodb-table-encrypted-kms](./dynamodb-table-encrypted-kms.html)
+ [dynamodb-table-encryption-enabled](./dynamodb-table-encryption-enabled.html)
+ [dynamodb-throughput-limit-check](./dynamodb-throughput-limit-check.html)
+ [ebs-in-backup-plan](./ebs-in-backup-plan.html)
+ [ebs-optimized-instance](./ebs-optimized-instance.html)
+ [ebs-snapshot-block-public-access](./ebs-snapshot-block-public-access.html)
+ [ebs-snapshot-public-restorable-check](./ebs-snapshot-public-restorable-check.html)
+ [ec2-ebs-encryption-by-default](./ec2-ebs-encryption-by-default.html)
+ [ec2-enis-source-destination-check-enabled](./ec2-enis-source-destination-check-enabled.html)
+ [ec2-imdsv2-check](./ec2-imdsv2-check.html)
+ [ec2-instance-detailed-monitoring-enabled](./ec2-instance-detailed-monitoring-enabled.html)
+ [ec2-instance-launched-with-allowed-ami](./ec2-instance-launched-with-allowed-ami.html)
+ [ec2-instance-managed-by-ssm](./ec2-instance-managed-by-ssm.html)
+ [ec2-instance-multiple-eni-check](./ec2-instance-multiple-eni-check.html)
+ [ec2-instance-no-public-ip](./ec2-instance-no-public-ip.html)
+ [ec2-instance-profile-attached](./ec2-instance-profile-attached.html)
+ [ec2-launch-templates-ebs-volume-encrypted](./ec2-launch-templates-ebs-volume-encrypted.html)
+ [ec2-launch-template-imdsv2-check](./ec2-launch-template-imdsv2-check.html)
+ [ec2-launch-template-public-ip-disabled](./ec2-launch-template-public-ip-disabled.html)
+ [ec2-managedinstance-applications-blacklisted](./ec2-managedinstance-applications-blacklisted.html)
+ [ec2-managedinstance-applications-required](./ec2-managedinstance-applications-required.html)
+ [ec2-managedinstance-association-compliance-status-check](./ec2-managedinstance-association-compliance-status-check.html)
+ [ec2-managedinstance-inventory-blacklisted](./ec2-managedinstance-inventory-blacklisted.html)
+ [ec2-managedinstance-patch-compliance-status-check](./ec2-managedinstance-patch-compliance-status-check.html)
+ [ec2-managedinstance-platform-check](./ec2-managedinstance-platform-check.html)
+ [ec2-paravirtual-instance-check](./ec2-paravirtual-instance-check.html)
+ [ec2-security-group-attached-to-eni](./ec2-security-group-attached-to-eni.html)
+ [ec2-spot-fleet-request-ct-encryption-at-rest](./ec2-spot-fleet-request-ct-encryption-at-rest.html)
+ [ec2-stopped-instance](./ec2-stopped-instance.html)
+ [ec2-volume-inuse-check](./ec2-volume-inuse-check.html)
+ [ecr-private-lifecycle-policy-configured](./ecr-private-lifecycle-policy-configured.html)
+ [ecr-private-tag-immutability-enabled](./ecr-private-tag-immutability-enabled.html)
+ [ecr-repository-cmk-encryption-enabled](./ecr-repository-cmk-encryption-enabled.html)
+ [ecs-capacity-provider-termination-check](./ecs-capacity-provider-termination-check.html)
+ [ecs-containers-nonprivileged](./ecs-containers-nonprivileged.html)
+ [ecs-containers-readonly-access](./ecs-containers-readonly-access.html)
+ [ecs-container-insights-enabled](./ecs-container-insights-enabled.html)
+ [ecs-fargate-latest-platform-version](./ecs-fargate-latest-platform-version.html)
+ [ecs-no-environment-secrets](./ecs-no-environment-secrets.html)
+ [ecs-task-definition-efs-encryption-enabled](./ecs-task-definition-efs-encryption-enabled.html)
+ [ecs-task-definition-linux-user-non-root](./ecs-task-definition-linux-user-non-root.html)
+ [ecs-task-definition-log-configuration](./ecs-task-definition-log-configuration.html)
+ [ecs-task-definition-network-mode-not-host](./ecs-task-definition-network-mode-not-host.html)
+ [ecs-task-definition-pid-mode-check](./ecs-task-definition-pid-mode-check.html)
+ [ecs-task-definition-user-for-host-mode-check](./ecs-task-definition-user-for-host-mode-check.html)
+ [ecs-task-definition-windows-user-non-admin](./ecs-task-definition-windows-user-non-admin.html)
+ [efs-access-point-enforce-root-directory](./efs-access-point-enforce-root-directory.html)
+ [efs-access-point-enforce-user-identity](./efs-access-point-enforce-user-identity.html)
+ [efs-automatic-backups-enabled](./efs-automatic-backups-enabled.html)
+ [efs-encrypted-check](./efs-encrypted-check.html)
+ [efs-filesystem-ct-encrypted](./efs-filesystem-ct-encrypted.html)
+ [efs-in-backup-plan](./efs-in-backup-plan.html)
+ [eip-attached](./eip-attached.html)
+ [eks-cluster-log-enabled](./eks-cluster-log-enabled.html)
+ [eks-cluster-supported-version](./eks-cluster-supported-version.html)
+ [eks-endpoint-no-public-access](./eks-endpoint-no-public-access.html)
+ [eks-nodegroup-supported-version-check](./eks-nodegroup-supported-version-check.html)
+ [eks-secrets-encrypted](./eks-secrets-encrypted.html)
+ [elasticache-auto-minor-version-upgrade-check](./elasticache-auto-minor-version-upgrade-check.html)
+ [elasticache-redis-cluster-automatic-backup-check](./elasticache-redis-cluster-automatic-backup-check.html)
+ [elasticache-repl-grp-auto-failover-enabled](./elasticache-repl-grp-auto-failover-enabled.html)
+ [elasticache-repl-grp-encrypted-at-rest](./elasticache-repl-grp-encrypted-at-rest.html)
+ [elasticache-repl-grp-encrypted-in-transit](./elasticache-repl-grp-encrypted-in-transit.html)
+ [elasticache-repl-grp-redis-auth-enabled](./elasticache-repl-grp-redis-auth-enabled.html)
+ [elasticache-subnet-group-check](./elasticache-subnet-group-check.html)
+ [elasticsearch-encrypted-at-rest](./elasticsearch-encrypted-at-rest.html)
+ [elasticsearch-in-vpc-only](./elasticsearch-in-vpc-only.html)
+ [elasticsearch-logs-to-cloudwatch](./elasticsearch-logs-to-cloudwatch.html)
+ [elasticsearch-node-to-node-encryption-check](./elasticsearch-node-to-node-encryption-check.html)
+ [elastic-beanstalk-managed-updates-enabled](./elastic-beanstalk-managed-updates-enabled.html)
+ [elbv2-acm-certificate-required](./elbv2-acm-certificate-required.html)
+ [elbv2-listener-encryption-in-transit](./elbv2-listener-encryption-in-transit.html)
+ [elbv2-multiple-az](./elbv2-multiple-az.html)
+ [elbv2-predefined-security-policy-ssl-check](./elbv2-predefined-security-policy-ssl-check.html)
+ [elb-acm-certificate-required](./elb-acm-certificate-required.html)
+ [elb-cross-zone-load-balancing-enabled](./elb-cross-zone-load-balancing-enabled.html)
+ [elb-custom-security-policy-ssl-check](./elb-custom-security-policy-ssl-check.html)
+ [elb-deletion-protection-enabled](./elb-deletion-protection-enabled.html)
+ [elb-logging-enabled](./elb-logging-enabled.html)
+ [elb-predefined-security-policy-ssl-check](./elb-predefined-security-policy-ssl-check.html)
+ [elb-tls-https-listeners-only](./elb-tls-https-listeners-only.html)
+ [emr-kerberos-enabled](./emr-kerberos-enabled.html)
+ [emr-master-no-public-ip](./emr-master-no-public-ip.html)
+ [encrypted-volumes](./encrypted-volumes.html)
+ [fms-webacl-resource-policy-check](./fms-webacl-resource-policy-check.html)
+ [fms-webacl-rulegroup-association-check](./fms-webacl-rulegroup-association-check.html)
+ [fsx-ontap-deployment-type-check](./fsx-ontap-deployment-type-check.html)
+ [fsx-openzfs-deployment-type-check](./fsx-openzfs-deployment-type-check.html)
+ [fsx-windows-deployment-type-check](./fsx-windows-deployment-type-check.html)
+ [glue-job-logging-enabled](./glue-job-logging-enabled.html)
+ [glue-ml-transform-encrypted-at-rest](./glue-ml-transform-encrypted-at-rest.html)
+ [glue-spark-job-supported-version](./glue-spark-job-supported-version.html)
+ [guardduty-enabled-centralized](./guardduty-enabled-centralized.html)
+ [guardduty-non-archived-findings](./guardduty-non-archived-findings.html)
+ [iam-customer-policy-blocked-kms-actions](./iam-customer-policy-blocked-kms-actions.html)
+ [iam-group-has-users-check](./iam-group-has-users-check.html)
+ [iam-inline-policy-blocked-kms-actions](./iam-inline-policy-blocked-kms-actions.html)
+ [iam-no-inline-policy-check](./iam-no-inline-policy-check.html)
+ [iam-password-policy](./iam-password-policy.html)
+ [iam-policy-blacklisted-check](./iam-policy-blacklisted-check.html)
+ [iam-policy-in-use](./iam-policy-in-use.html)
+ [iam-policy-no-statements-with-admin-access](./iam-policy-no-statements-with-admin-access.html)
+ [iam-policy-no-statements-with-full-access](./iam-policy-no-statements-with-full-access.html)
+ [iam-role-managed-policy-check](./iam-role-managed-policy-check.html)
+ [iam-root-access-key-check](./iam-root-access-key-check.html)
+ [iam-server-certificate-expiration-check](./iam-server-certificate-expiration-check.html)
+ [iam-user-group-membership-check](./iam-user-group-membership-check.html)
+ [iam-user-mfa-enabled](./iam-user-mfa-enabled.html)
+ [iam-user-no-policies-check](./iam-user-no-policies-check.html)
+ [iam-user-unused-credentials-check](./iam-user-unused-credentials-check.html)
+ [incoming-ssh-disabled](./incoming-ssh-disabled.html)
+ [instances-in-vpc](./instances-in-vpc.html)
+ [internet-gateway-authorized-vpc-only](./internet-gateway-authorized-vpc-only.html)
+ [kinesis-stream-backup-retention-check](./kinesis-stream-backup-retention-check.html)
+ [kinesis-stream-encrypted](./kinesis-stream-encrypted.html)
+ [kms-cmk-not-scheduled-for-deletion](./kms-cmk-not-scheduled-for-deletion.html)
+ [kms-key-policy-no-public-access](./kms-key-policy-no-public-access.html)
+ [lambda-concurrency-check](./lambda-concurrency-check.html)
+ [lambda-dlq-check](./lambda-dlq-check.html)
+ [lambda-function-public-access-prohibited](./lambda-function-public-access-prohibited.html)
+ [lambda-function-settings-check](./lambda-function-settings-check.html)
+ [lambda-function-xray-enabled](./lambda-function-xray-enabled.html)
+ [lambda-inside-vpc](./lambda-inside-vpc.html)
+ [lambda-vpc-multi-az-check](./lambda-vpc-multi-az-check.html)
+ [mariadb-publish-logs-to-cloudwatch-logs](./mariadb-publish-logs-to-cloudwatch-logs.html)
+ [mfa-enabled-for-iam-console-access](./mfa-enabled-for-iam-console-access.html)
+ [mq-active-deployment-mode](./mq-active-deployment-mode.html)
+ [mq-auto-minor-version-upgrade-enabled](./mq-auto-minor-version-upgrade-enabled.html)
+ [mq-rabbit-deployment-mode](./mq-rabbit-deployment-mode.html)
+ [msk-cluster-public-access-disabled](./msk-cluster-public-access-disabled.html)
+ [msk-enhanced-monitoring-enabled](./msk-enhanced-monitoring-enabled.html)
+ [msk-in-cluster-node-require-tls](./msk-in-cluster-node-require-tls.html)
+ [msk-unrestricted-access-check](./msk-unrestricted-access-check.html)
+ [multi-region-cloud-trail-enabled](./multi-region-cloud-trail-enabled.html)
+ [nacl-no-unrestricted-ssh-rdp](./nacl-no-unrestricted-ssh-rdp.html)
+ [neptune-cluster-deletion-protection-enabled](./neptune-cluster-deletion-protection-enabled.html)
+ [netfw-multi-az-enabled](./netfw-multi-az-enabled.html)
+ [netfw-subnet-change-protection-enabled](./netfw-subnet-change-protection-enabled.html)
+ [nlb-cross-zone-load-balancing-enabled](./nlb-cross-zone-load-balancing-enabled.html)
+ [nlb-logging-enabled](./nlb-logging-enabled.html)
+ [no-unrestricted-route-to-igw](./no-unrestricted-route-to-igw.html)
+ [opensearch-update-check](./opensearch-update-check.html)
+ [rabbit-mq-supported-version](./rabbit-mq-supported-version.html)
+ [rds-automatic-minor-version-upgrade-enabled](./rds-automatic-minor-version-upgrade-enabled.html)
+ [rds-enhanced-monitoring-enabled](./rds-enhanced-monitoring-enabled.html)
+ [rds-instance-deletion-protection-enabled](./rds-instance-deletion-protection-enabled.html)
+ [rds-instance-iam-authentication-enabled](./rds-instance-iam-authentication-enabled.html)
+ [rds-instance-public-access-check](./rds-instance-public-access-check.html)
+ [rds-instance-subnet-igw-check](./rds-instance-subnet-igw-check.html)
+ [rds-in-backup-plan](./rds-in-backup-plan.html)
+ [rds-logging-enabled](./rds-logging-enabled.html)
+ [rds-mariadb-instance-encrypted-in-transit](./rds-mariadb-instance-encrypted-in-transit.html)
+ [rds-multi-az-support](./rds-multi-az-support.html)
+ [rds-mysql-instance-encrypted-in-transit](./rds-mysql-instance-encrypted-in-transit.html)
+ [rds-postgresql-logs-to-cloudwatch](./rds-postgresql-logs-to-cloudwatch.html)
+ [rds-postgres-instance-encrypted-in-transit](./rds-postgres-instance-encrypted-in-transit.html)
+ [rds-proxy-tls-encryption](./rds-proxy-tls-encryption.html)
+ [rds-snapshots-public-prohibited](./rds-snapshots-public-prohibited.html)
+ [rds-snapshot-encrypted](./rds-snapshot-encrypted.html)
+ [rds-sqlserver-encrypted-in-transit](./rds-sqlserver-encrypted-in-transit.html)
+ [rds-sql-server-logs-to-cloudwatch](./rds-sql-server-logs-to-cloudwatch.html)
+ [rds-storage-encrypted](./rds-storage-encrypted.html)
+ [redshift-backup-enabled](./redshift-backup-enabled.html)
+ [redshift-cluster-configuration-check](./redshift-cluster-configuration-check.html)
+ [redshift-cluster-kms-enabled](./redshift-cluster-kms-enabled.html)
+ [redshift-cluster-maintenancesettings-check](./redshift-cluster-maintenancesettings-check.html)
+ [redshift-cluster-multi-az-enabled](./redshift-cluster-multi-az-enabled.html)
+ [redshift-cluster-public-access-check](./redshift-cluster-public-access-check.html)
+ [redshift-cluster-subnet-group-multi-az](./redshift-cluster-subnet-group-multi-az.html)
+ [redshift-default-admin-check](./redshift-default-admin-check.html)
+ [redshift-default-db-name-check](./redshift-default-db-name-check.html)
+ [redshift-enhanced-vpc-routing-enabled](./redshift-enhanced-vpc-routing-enabled.html)
+ [redshift-require-tls-ssl](./redshift-require-tls-ssl.html)
+ [redshift-serverless-default-admin-check](./redshift-serverless-default-admin-check.html)
+ [redshift-serverless-default-db-name-check](./redshift-serverless-default-db-name-check.html)
+ [redshift-serverless-namespace-cmk-encryption](./redshift-serverless-namespace-cmk-encryption.html)
+ [redshift-serverless-publish-logs-to-cloudwatch](./redshift-serverless-publish-logs-to-cloudwatch.html)
+ [redshift-serverless-workgroup-encrypted-in-transit](./redshift-serverless-workgroup-encrypted-in-transit.html)
+ [redshift-serverless-workgroup-no-public-access](./redshift-serverless-workgroup-no-public-access.html)
+ [redshift-serverless-workgroup-routes-within-vpc](./redshift-serverless-workgroup-routes-within-vpc.html)
+ [required-tags](./required-tags.html)
+ [restricted-incoming-traffic](./restricted-incoming-traffic.html)
+ [s3-access-point-in-vpc-only](./s3-access-point-in-vpc-only.html)
+ [s3-access-point-public-access-blocks](./s3-access-point-public-access-blocks.html)
+ [s3-account-level-public-access-blocks](./s3-account-level-public-access-blocks.html)
+ [s3-account-level-public-access-blocks-periodic](./s3-account-level-public-access-blocks-periodic.html)
+ [s3-bucket-acl-prohibited](./s3-bucket-acl-prohibited.html)
+ [s3-bucket-blacklisted-actions-prohibited](./s3-bucket-blacklisted-actions-prohibited.html)
+ [s3-bucket-cross-region-replication-enabled](./s3-bucket-cross-region-replication-enabled.html)
+ [s3-bucket-default-lock-enabled](./s3-bucket-default-lock-enabled.html)
+ [s3-bucket-level-public-access-prohibited](./s3-bucket-level-public-access-prohibited.html)
+ [s3-bucket-logging-enabled](./s3-bucket-logging-enabled.html)
+ [s3-bucket-policy-grantee-check](./s3-bucket-policy-grantee-check.html)
+ [s3-bucket-policy-not-more-permissive](./s3-bucket-policy-not-more-permissive.html)
+ [s3-bucket-public-read-prohibited](./s3-bucket-public-read-prohibited.html)
+ [s3-bucket-public-write-prohibited](./s3-bucket-public-write-prohibited.html)
+ [s3-bucket-replication-enabled](./s3-bucket-replication-enabled.html)
+ [s3-bucket-server-side-encryption-enabled](./s3-bucket-server-side-encryption-enabled.html)
+ [s3-bucket-ssl-requests-only](./s3-bucket-ssl-requests-only.html)
+ [s3-bucket-versioning-enabled](./s3-bucket-versioning-enabled.html)
+ [s3-default-encryption-kms](./s3-default-encryption-kms.html)
+ [s3-event-notifications-enabled](./s3-event-notifications-enabled.html)
+ [s3-lifecycle-policy-check](./s3-lifecycle-policy-check.html)
+ [s3-version-lifecycle-policy-check](./s3-version-lifecycle-policy-check.html)
+ [sagemaker-endpoint-configuration-kms-key-configured](./sagemaker-endpoint-configuration-kms-key-configured.html)
+ [sagemaker-featuregroup-encryption-at-rest](./sagemaker-featuregroup-encryption-at-rest.html)
+ [sagemaker-notebook-instance-inside-vpc](./sagemaker-notebook-instance-inside-vpc.html)
+ [sagemaker-notebook-instance-kms-key-configured](./sagemaker-notebook-instance-kms-key-configured.html)
+ [sagemaker-notebook-instance-platform-version](./sagemaker-notebook-instance-platform-version.html)
+ [sagemaker-notebook-instance-root-access-check](./sagemaker-notebook-instance-root-access-check.html)
+ [sagemaker-notebook-no-direct-internet-access](./sagemaker-notebook-no-direct-internet-access.html)
+ [secretsmanager-rotation-enabled-check](./secretsmanager-rotation-enabled-check.html)
+ [secretsmanager-scheduled-rotation-success-check](./secretsmanager-scheduled-rotation-success-check.html)
+ [secretsmanager-secret-periodic-rotation](./secretsmanager-secret-periodic-rotation.html)
+ [secretsmanager-secret-unused](./secretsmanager-secret-unused.html)
+ [secretsmanager-using-cmk](./secretsmanager-using-cmk.html)
+ [securityhub-enabled](./securityhub-enabled.html)
+ [security-account-information-provided](./security-account-information-provided.html)
+ [service-vpc-endpoint-enabled](./service-vpc-endpoint-enabled.html)
+ [sns-encrypted-kms](./sns-encrypted-kms.html)
+ [sns-topic-message-delivery-notification-enabled](./sns-topic-message-delivery-notification-enabled.html)
+ [sns-topic-no-public-access](./sns-topic-no-public-access.html)
+ [sqs-queue-dlq-check](./sqs-queue-dlq-check.html)
+ [sqs-queue-no-public-access](./sqs-queue-no-public-access.html)
+ [sqs-queue-policy-full-access-check](./sqs-queue-policy-full-access-check.html)
+ [ssm-automation-block-public-sharing](./ssm-automation-block-public-sharing.html)
+ [ssm-automation-logging-enabled](./ssm-automation-logging-enabled.html)
+ [ssm-document-not-public](./ssm-document-not-public.html)
+ [step-functions-state-machine-logging-enabled](./step-functions-state-machine-logging-enabled.html)
+ [subnet-auto-assign-public-ip-disabled](./subnet-auto-assign-public-ip-disabled.html)
+ [transfer-connector-logging-enabled](./transfer-connector-logging-enabled.html)
+ [vpc-default-security-group-closed](./vpc-default-security-group-closed.html)
+ [vpc-endpoint-enabled](./vpc-endpoint-enabled.html)
+ [vpc-flow-logs-enabled](./vpc-flow-logs-enabled.html)
+ [vpc-network-acl-unused-check](./vpc-network-acl-unused-check.html)
+ [vpc-sg-open-only-to-authorized-ports](./vpc-sg-open-only-to-authorized-ports.html)
+ [vpc-sg-port-restriction-check](./vpc-sg-port-restriction-check.html)
+ [wafv2-logging-enabled](./wafv2-logging-enabled.html)
+ [wafv2-rulegroup-logging-enabled](./wafv2-rulegroup-logging-enabled.html)
+ [waf-global-rulegroup-not-empty](./waf-global-rulegroup-not-empty.html)
+ [waf-global-rule-not-empty](./waf-global-rule-not-empty.html)
+ [waf-regional-rule-not-empty](./waf-regional-rule-not-empty.html)
+ [waf-regional-webacl-not-empty](./waf-regional-webacl-not-empty.html)

## China (Ningxia) Region
<a name="china-ningxia-section-head"></a>

### China (Ningxia)
<a name="china-ningxia"></a>
+ [access-keys-rotated](./access-keys-rotated.html)
+ [account-part-of-organizations](./account-part-of-organizations.html)
+ [acm-certificate-expiration-check](./acm-certificate-expiration-check.html)
+ [active-mq-supported-version](./active-mq-supported-version.html)
+ [alb-desync-mode-check](./alb-desync-mode-check.html)
+ [alb-http-drop-invalid-header-enabled](./alb-http-drop-invalid-header-enabled.html)
+ [alb-http-to-https-redirection-check](./alb-http-to-https-redirection-check.html)
+ [alb-waf-enabled](./alb-waf-enabled.html)
+ [api-gwv2-access-logs-enabled](./api-gwv2-access-logs-enabled.html)
+ [api-gwv2-authorization-type-configured](./api-gwv2-authorization-type-configured.html)
+ [api-gw-associated-with-waf](./api-gw-associated-with-waf.html)
+ [api-gw-cache-enabled-and-encrypted](./api-gw-cache-enabled-and-encrypted.html)
+ [api-gw-endpoint-type-check](./api-gw-endpoint-type-check.html)
+ [api-gw-execution-logging-enabled](./api-gw-execution-logging-enabled.html)
+ [api-gw-ssl-enabled](./api-gw-ssl-enabled.html)
+ [api-gw-xray-enabled](./api-gw-xray-enabled.html)
+ [approved-amis-by-id](./approved-amis-by-id.html)
+ [approved-amis-by-tag](./approved-amis-by-tag.html)
+ [appsync-associated-with-waf](./appsync-associated-with-waf.html)
+ [appsync-authorization-check](./appsync-authorization-check.html)
+ [appsync-logging-enabled](./appsync-logging-enabled.html)
+ [athena-workgroup-encrypted-at-rest](./athena-workgroup-encrypted-at-rest.html)
+ [athena-workgroup-logging-enabled](./athena-workgroup-logging-enabled.html)
+ [aurora-mysql-backtracking-enabled](./aurora-mysql-backtracking-enabled.html)
+ [aurora-mysql-cluster-audit-logging](./aurora-mysql-cluster-audit-logging.html)
+ [autoscaling-group-elb-healthcheck-required](./autoscaling-group-elb-healthcheck-required.html)
+ [autoscaling-launchconfig-requires-imdsv2](./autoscaling-launchconfig-requires-imdsv2.html)
+ [autoscaling-launch-config-hop-limit](./autoscaling-launch-config-hop-limit.html)
+ [autoscaling-launch-config-public-ip-disabled](./autoscaling-launch-config-public-ip-disabled.html)
+ [autoscaling-launch-template](./autoscaling-launch-template.html)
+ [autoscaling-multiple-az](./autoscaling-multiple-az.html)
+ [autoscaling-multiple-instance-types](./autoscaling-multiple-instance-types.html)
+ [beanstalk-enhanced-health-reporting-enabled](./beanstalk-enhanced-health-reporting-enabled.html)
+ [clb-desync-mode-check](./clb-desync-mode-check.html)
+ [clb-multiple-az](./clb-multiple-az.html)
+ [cloudformation-stack-drift-detection-check](./cloudformation-stack-drift-detection-check.html)
+ [cloudformation-stack-notification-check](./cloudformation-stack-notification-check.html)
+ [cloudformation-stack-service-role-check](./cloudformation-stack-service-role-check.html)
+ [cloudformation-termination-protection-check](./cloudformation-termination-protection-check.html)
+ [cloudtrail-all-read-s3-data-event-check](./cloudtrail-all-read-s3-data-event-check.html)
+ [cloudtrail-all-write-s3-data-event-check](./cloudtrail-all-write-s3-data-event-check.html)
+ [cloudtrail-s3-bucket-access-logging](./cloudtrail-s3-bucket-access-logging.html)
+ [cloudtrail-s3-bucket-public-access-prohibited](./cloudtrail-s3-bucket-public-access-prohibited.html)
+ [cloudtrail-s3-dataevents-enabled](./cloudtrail-s3-dataevents-enabled.html)
+ [cloudtrail-security-trail-enabled](./cloudtrail-security-trail-enabled.html)
+ [cloudwatch-alarm-action-check](./cloudwatch-alarm-action-check.html)
+ [cloudwatch-alarm-action-enabled-check](./cloudwatch-alarm-action-enabled-check.html)
+ [cloudwatch-alarm-resource-check](./cloudwatch-alarm-resource-check.html)
+ [cloudwatch-alarm-settings-check](./cloudwatch-alarm-settings-check.html)
+ [cloudwatch-log-group-encrypted](./cloudwatch-log-group-encrypted.html)
+ [cloud-trail-cloud-watch-logs-enabled](./cloud-trail-cloud-watch-logs-enabled.html)
+ [cloud-trail-enabled](./cloud-trail-enabled.html)
+ [cloud-trail-encryption-enabled](./cloud-trail-encryption-enabled.html)
+ [cloud-trail-log-file-validation-enabled](./cloud-trail-log-file-validation-enabled.html)
+ [cmk-backing-key-rotation-enabled](./cmk-backing-key-rotation-enabled.html)
+ [codebuild-project-environment-privileged-check](./codebuild-project-environment-privileged-check.html)
+ [codebuild-project-envvar-awscred-check](./codebuild-project-envvar-awscred-check.html)
+ [codebuild-project-logging-enabled](./codebuild-project-logging-enabled.html)
+ [codebuild-project-s3-logs-encrypted](./codebuild-project-s3-logs-encrypted.html)
+ [codebuild-project-source-repo-url-check](./codebuild-project-source-repo-url-check.html)
+ [codebuild-report-group-encrypted-at-rest](./codebuild-report-group-encrypted-at-rest.html)
+ [custom-eventbus-policy-attached](./custom-eventbus-policy-attached.html)
+ [cw-loggroup-retention-period-check](./cw-loggroup-retention-period-check.html)
+ [datasync-task-logging-enabled](./datasync-task-logging-enabled.html)
+ [dax-encryption-enabled](./dax-encryption-enabled.html)
+ [db-instance-backup-enabled](./db-instance-backup-enabled.html)
+ [desired-instance-tenancy](./desired-instance-tenancy.html)
+ [desired-instance-type](./desired-instance-type.html)
+ [dms-auto-minor-version-upgrade-check](./dms-auto-minor-version-upgrade-check.html)
+ [dms-endpoint-ssl-configured](./dms-endpoint-ssl-configured.html)
+ [dms-replication-instance-multi-az-enabled](./dms-replication-instance-multi-az-enabled.html)
+ [dms-replication-not-public](./dms-replication-not-public.html)
+ [dms-replication-task-sourcedb-logging](./dms-replication-task-sourcedb-logging.html)
+ [dms-replication-task-targetdb-logging](./dms-replication-task-targetdb-logging.html)
+ [docdb-cluster-audit-logging-enabled](./docdb-cluster-audit-logging-enabled.html)
+ [docdb-cluster-backup-retention-check](./docdb-cluster-backup-retention-check.html)
+ [docdb-cluster-deletion-protection-enabled](./docdb-cluster-deletion-protection-enabled.html)
+ [docdb-cluster-encrypted](./docdb-cluster-encrypted.html)
+ [docdb-cluster-encrypted-in-transit](./docdb-cluster-encrypted-in-transit.html)
+ [dynamodb-autoscaling-enabled](./dynamodb-autoscaling-enabled.html)
+ [dynamodb-in-backup-plan](./dynamodb-in-backup-plan.html)
+ [dynamodb-pitr-enabled](./dynamodb-pitr-enabled.html)
+ [dynamodb-table-deletion-protection-enabled](./dynamodb-table-deletion-protection-enabled.html)
+ [dynamodb-table-encrypted-kms](./dynamodb-table-encrypted-kms.html)
+ [dynamodb-throughput-limit-check](./dynamodb-throughput-limit-check.html)
+ [ebs-in-backup-plan](./ebs-in-backup-plan.html)
+ [ebs-optimized-instance](./ebs-optimized-instance.html)
+ [ebs-snapshot-block-public-access](./ebs-snapshot-block-public-access.html)
+ [ebs-snapshot-public-restorable-check](./ebs-snapshot-public-restorable-check.html)
+ [ec2-ebs-encryption-by-default](./ec2-ebs-encryption-by-default.html)
+ [ec2-enis-source-destination-check-enabled](./ec2-enis-source-destination-check-enabled.html)
+ [ec2-imdsv2-check](./ec2-imdsv2-check.html)
+ [ec2-instance-detailed-monitoring-enabled](./ec2-instance-detailed-monitoring-enabled.html)
+ [ec2-instance-launched-with-allowed-ami](./ec2-instance-launched-with-allowed-ami.html)
+ [ec2-instance-managed-by-ssm](./ec2-instance-managed-by-ssm.html)
+ [ec2-instance-multiple-eni-check](./ec2-instance-multiple-eni-check.html)
+ [ec2-instance-no-public-ip](./ec2-instance-no-public-ip.html)
+ [ec2-instance-profile-attached](./ec2-instance-profile-attached.html)
+ [ec2-launch-templates-ebs-volume-encrypted](./ec2-launch-templates-ebs-volume-encrypted.html)
+ [ec2-launch-template-imdsv2-check](./ec2-launch-template-imdsv2-check.html)
+ [ec2-launch-template-public-ip-disabled](./ec2-launch-template-public-ip-disabled.html)
+ [ec2-managedinstance-applications-blacklisted](./ec2-managedinstance-applications-blacklisted.html)
+ [ec2-managedinstance-applications-required](./ec2-managedinstance-applications-required.html)
+ [ec2-managedinstance-association-compliance-status-check](./ec2-managedinstance-association-compliance-status-check.html)
+ [ec2-managedinstance-inventory-blacklisted](./ec2-managedinstance-inventory-blacklisted.html)
+ [ec2-managedinstance-patch-compliance-status-check](./ec2-managedinstance-patch-compliance-status-check.html)
+ [ec2-managedinstance-platform-check](./ec2-managedinstance-platform-check.html)
+ [ec2-security-group-attached-to-eni](./ec2-security-group-attached-to-eni.html)
+ [ec2-spot-fleet-request-ct-encryption-at-rest](./ec2-spot-fleet-request-ct-encryption-at-rest.html)
+ [ec2-stopped-instance](./ec2-stopped-instance.html)
+ [ec2-volume-inuse-check](./ec2-volume-inuse-check.html)
+ [ecr-private-lifecycle-policy-configured](./ecr-private-lifecycle-policy-configured.html)
+ [ecr-private-tag-immutability-enabled](./ecr-private-tag-immutability-enabled.html)
+ [ecr-repository-cmk-encryption-enabled](./ecr-repository-cmk-encryption-enabled.html)
+ [ecs-capacity-provider-termination-check](./ecs-capacity-provider-termination-check.html)
+ [ecs-containers-nonprivileged](./ecs-containers-nonprivileged.html)
+ [ecs-containers-readonly-access](./ecs-containers-readonly-access.html)
+ [ecs-container-insights-enabled](./ecs-container-insights-enabled.html)
+ [ecs-fargate-latest-platform-version](./ecs-fargate-latest-platform-version.html)
+ [ecs-no-environment-secrets](./ecs-no-environment-secrets.html)
+ [ecs-task-definition-efs-encryption-enabled](./ecs-task-definition-efs-encryption-enabled.html)
+ [ecs-task-definition-linux-user-non-root](./ecs-task-definition-linux-user-non-root.html)
+ [ecs-task-definition-log-configuration](./ecs-task-definition-log-configuration.html)
+ [ecs-task-definition-network-mode-not-host](./ecs-task-definition-network-mode-not-host.html)
+ [ecs-task-definition-pid-mode-check](./ecs-task-definition-pid-mode-check.html)
+ [ecs-task-definition-user-for-host-mode-check](./ecs-task-definition-user-for-host-mode-check.html)
+ [ecs-task-definition-windows-user-non-admin](./ecs-task-definition-windows-user-non-admin.html)
+ [efs-automatic-backups-enabled](./efs-automatic-backups-enabled.html)
+ [efs-encrypted-check](./efs-encrypted-check.html)
+ [efs-filesystem-ct-encrypted](./efs-filesystem-ct-encrypted.html)
+ [efs-in-backup-plan](./efs-in-backup-plan.html)
+ [eip-attached](./eip-attached.html)
+ [eks-cluster-log-enabled](./eks-cluster-log-enabled.html)
+ [eks-cluster-supported-version](./eks-cluster-supported-version.html)
+ [eks-endpoint-no-public-access](./eks-endpoint-no-public-access.html)
+ [eks-nodegroup-supported-version-check](./eks-nodegroup-supported-version-check.html)
+ [eks-secrets-encrypted](./eks-secrets-encrypted.html)
+ [elasticache-auto-minor-version-upgrade-check](./elasticache-auto-minor-version-upgrade-check.html)
+ [elasticache-redis-cluster-automatic-backup-check](./elasticache-redis-cluster-automatic-backup-check.html)
+ [elasticache-repl-grp-auto-failover-enabled](./elasticache-repl-grp-auto-failover-enabled.html)
+ [elasticache-repl-grp-encrypted-at-rest](./elasticache-repl-grp-encrypted-at-rest.html)
+ [elasticache-repl-grp-encrypted-in-transit](./elasticache-repl-grp-encrypted-in-transit.html)
+ [elasticache-repl-grp-redis-auth-enabled](./elasticache-repl-grp-redis-auth-enabled.html)
+ [elasticache-subnet-group-check](./elasticache-subnet-group-check.html)
+ [elasticsearch-encrypted-at-rest](./elasticsearch-encrypted-at-rest.html)
+ [elasticsearch-in-vpc-only](./elasticsearch-in-vpc-only.html)
+ [elasticsearch-logs-to-cloudwatch](./elasticsearch-logs-to-cloudwatch.html)
+ [elasticsearch-node-to-node-encryption-check](./elasticsearch-node-to-node-encryption-check.html)
+ [elastic-beanstalk-managed-updates-enabled](./elastic-beanstalk-managed-updates-enabled.html)
+ [elbv2-acm-certificate-required](./elbv2-acm-certificate-required.html)
+ [elbv2-listener-encryption-in-transit](./elbv2-listener-encryption-in-transit.html)
+ [elbv2-multiple-az](./elbv2-multiple-az.html)
+ [elbv2-predefined-security-policy-ssl-check](./elbv2-predefined-security-policy-ssl-check.html)
+ [elb-acm-certificate-required](./elb-acm-certificate-required.html)
+ [elb-cross-zone-load-balancing-enabled](./elb-cross-zone-load-balancing-enabled.html)
+ [elb-custom-security-policy-ssl-check](./elb-custom-security-policy-ssl-check.html)
+ [elb-deletion-protection-enabled](./elb-deletion-protection-enabled.html)
+ [elb-logging-enabled](./elb-logging-enabled.html)
+ [elb-predefined-security-policy-ssl-check](./elb-predefined-security-policy-ssl-check.html)
+ [elb-tls-https-listeners-only](./elb-tls-https-listeners-only.html)
+ [emr-kerberos-enabled](./emr-kerberos-enabled.html)
+ [emr-master-no-public-ip](./emr-master-no-public-ip.html)
+ [encrypted-volumes](./encrypted-volumes.html)
+ [fms-webacl-resource-policy-check](./fms-webacl-resource-policy-check.html)
+ [fms-webacl-rulegroup-association-check](./fms-webacl-rulegroup-association-check.html)
+ [fsx-ontap-deployment-type-check](./fsx-ontap-deployment-type-check.html)
+ [fsx-openzfs-deployment-type-check](./fsx-openzfs-deployment-type-check.html)
+ [fsx-windows-deployment-type-check](./fsx-windows-deployment-type-check.html)
+ [glue-job-logging-enabled](./glue-job-logging-enabled.html)
+ [glue-spark-job-supported-version](./glue-spark-job-supported-version.html)
+ [guardduty-enabled-centralized](./guardduty-enabled-centralized.html)
+ [guardduty-non-archived-findings](./guardduty-non-archived-findings.html)
+ [iam-customer-policy-blocked-kms-actions](./iam-customer-policy-blocked-kms-actions.html)
+ [iam-group-has-users-check](./iam-group-has-users-check.html)
+ [iam-inline-policy-blocked-kms-actions](./iam-inline-policy-blocked-kms-actions.html)
+ [iam-no-inline-policy-check](./iam-no-inline-policy-check.html)
+ [iam-password-policy](./iam-password-policy.html)
+ [iam-policy-blacklisted-check](./iam-policy-blacklisted-check.html)
+ [iam-policy-in-use](./iam-policy-in-use.html)
+ [iam-policy-no-statements-with-admin-access](./iam-policy-no-statements-with-admin-access.html)
+ [iam-policy-no-statements-with-full-access](./iam-policy-no-statements-with-full-access.html)
+ [iam-role-managed-policy-check](./iam-role-managed-policy-check.html)
+ [iam-root-access-key-check](./iam-root-access-key-check.html)
+ [iam-user-group-membership-check](./iam-user-group-membership-check.html)
+ [iam-user-mfa-enabled](./iam-user-mfa-enabled.html)
+ [iam-user-no-policies-check](./iam-user-no-policies-check.html)
+ [iam-user-unused-credentials-check](./iam-user-unused-credentials-check.html)
+ [incoming-ssh-disabled](./incoming-ssh-disabled.html)
+ [instances-in-vpc](./instances-in-vpc.html)
+ [internet-gateway-authorized-vpc-only](./internet-gateway-authorized-vpc-only.html)
+ [kinesis-stream-backup-retention-check](./kinesis-stream-backup-retention-check.html)
+ [kinesis-stream-encrypted](./kinesis-stream-encrypted.html)
+ [kms-cmk-not-scheduled-for-deletion](./kms-cmk-not-scheduled-for-deletion.html)
+ [kms-key-policy-no-public-access](./kms-key-policy-no-public-access.html)
+ [mariadb-publish-logs-to-cloudwatch-logs](./mariadb-publish-logs-to-cloudwatch-logs.html)
+ [mfa-enabled-for-iam-console-access](./mfa-enabled-for-iam-console-access.html)
+ [mq-active-deployment-mode](./mq-active-deployment-mode.html)
+ [mq-auto-minor-version-upgrade-enabled](./mq-auto-minor-version-upgrade-enabled.html)
+ [mq-rabbit-deployment-mode](./mq-rabbit-deployment-mode.html)
+ [msk-cluster-public-access-disabled](./msk-cluster-public-access-disabled.html)
+ [msk-enhanced-monitoring-enabled](./msk-enhanced-monitoring-enabled.html)
+ [msk-in-cluster-node-require-tls](./msk-in-cluster-node-require-tls.html)
+ [msk-unrestricted-access-check](./msk-unrestricted-access-check.html)
+ [multi-region-cloud-trail-enabled](./multi-region-cloud-trail-enabled.html)
+ [nacl-no-unrestricted-ssh-rdp](./nacl-no-unrestricted-ssh-rdp.html)
+ [neptune-cluster-backup-retention-check](./neptune-cluster-backup-retention-check.html)
+ [neptune-cluster-cloudwatch-log-export-enabled](./neptune-cluster-cloudwatch-log-export-enabled.html)
+ [neptune-cluster-copy-tags-to-snapshot-enabled](./neptune-cluster-copy-tags-to-snapshot-enabled.html)
+ [neptune-cluster-deletion-protection-enabled](./neptune-cluster-deletion-protection-enabled.html)
+ [neptune-cluster-encrypted](./neptune-cluster-encrypted.html)
+ [neptune-cluster-iam-database-authentication](./neptune-cluster-iam-database-authentication.html)
+ [neptune-cluster-multi-az-enabled](./neptune-cluster-multi-az-enabled.html)
+ [neptune-cluster-snapshot-encrypted](./neptune-cluster-snapshot-encrypted.html)
+ [netfw-multi-az-enabled](./netfw-multi-az-enabled.html)
+ [netfw-subnet-change-protection-enabled](./netfw-subnet-change-protection-enabled.html)
+ [nlb-cross-zone-load-balancing-enabled](./nlb-cross-zone-load-balancing-enabled.html)
+ [nlb-logging-enabled](./nlb-logging-enabled.html)
+ [no-unrestricted-route-to-igw](./no-unrestricted-route-to-igw.html)
+ [opensearch-update-check](./opensearch-update-check.html)
+ [rabbit-mq-supported-version](./rabbit-mq-supported-version.html)
+ [rds-aurora-mysql-audit-logging-enabled](./rds-aurora-mysql-audit-logging-enabled.html)
+ [rds-aurora-postgresql-logs-to-cloudwatch](./rds-aurora-postgresql-logs-to-cloudwatch.html)
+ [rds-automatic-minor-version-upgrade-enabled](./rds-automatic-minor-version-upgrade-enabled.html)
+ [rds-cluster-auto-minor-version-upgrade-enable](./rds-cluster-auto-minor-version-upgrade-enable.html)
+ [rds-cluster-deletion-protection-enabled](./rds-cluster-deletion-protection-enabled.html)
+ [rds-cluster-encrypted-at-rest](./rds-cluster-encrypted-at-rest.html)
+ [rds-cluster-iam-authentication-enabled](./rds-cluster-iam-authentication-enabled.html)
+ [rds-cluster-multi-az-enabled](./rds-cluster-multi-az-enabled.html)
+ [rds-enhanced-monitoring-enabled](./rds-enhanced-monitoring-enabled.html)
+ [rds-instance-deletion-protection-enabled](./rds-instance-deletion-protection-enabled.html)
+ [rds-instance-iam-authentication-enabled](./rds-instance-iam-authentication-enabled.html)
+ [rds-instance-public-access-check](./rds-instance-public-access-check.html)
+ [rds-instance-subnet-igw-check](./rds-instance-subnet-igw-check.html)
+ [rds-in-backup-plan](./rds-in-backup-plan.html)
+ [rds-logging-enabled](./rds-logging-enabled.html)
+ [rds-mariadb-instance-encrypted-in-transit](./rds-mariadb-instance-encrypted-in-transit.html)
+ [rds-multi-az-support](./rds-multi-az-support.html)
+ [rds-mysql-cluster-copy-tags-to-snapshot-check](./rds-mysql-cluster-copy-tags-to-snapshot-check.html)
+ [rds-mysql-instance-encrypted-in-transit](./rds-mysql-instance-encrypted-in-transit.html)
+ [rds-pgsql-cluster-copy-tags-to-snapshot-check](./rds-pgsql-cluster-copy-tags-to-snapshot-check.html)
+ [rds-postgresql-logs-to-cloudwatch](./rds-postgresql-logs-to-cloudwatch.html)
+ [rds-postgres-instance-encrypted-in-transit](./rds-postgres-instance-encrypted-in-transit.html)
+ [rds-proxy-tls-encryption](./rds-proxy-tls-encryption.html)
+ [rds-snapshots-public-prohibited](./rds-snapshots-public-prohibited.html)
+ [rds-snapshot-encrypted](./rds-snapshot-encrypted.html)
+ [rds-sqlserver-encrypted-in-transit](./rds-sqlserver-encrypted-in-transit.html)
+ [rds-sql-server-logs-to-cloudwatch](./rds-sql-server-logs-to-cloudwatch.html)
+ [rds-storage-encrypted](./rds-storage-encrypted.html)
+ [redshift-backup-enabled](./redshift-backup-enabled.html)
+ [redshift-cluster-configuration-check](./redshift-cluster-configuration-check.html)
+ [redshift-cluster-kms-enabled](./redshift-cluster-kms-enabled.html)
+ [redshift-cluster-maintenancesettings-check](./redshift-cluster-maintenancesettings-check.html)
+ [redshift-cluster-multi-az-enabled](./redshift-cluster-multi-az-enabled.html)
+ [redshift-cluster-public-access-check](./redshift-cluster-public-access-check.html)
+ [redshift-cluster-subnet-group-multi-az](./redshift-cluster-subnet-group-multi-az.html)
+ [redshift-default-admin-check](./redshift-default-admin-check.html)
+ [redshift-default-db-name-check](./redshift-default-db-name-check.html)
+ [redshift-enhanced-vpc-routing-enabled](./redshift-enhanced-vpc-routing-enabled.html)
+ [redshift-require-tls-ssl](./redshift-require-tls-ssl.html)
+ [redshift-serverless-default-admin-check](./redshift-serverless-default-admin-check.html)
+ [redshift-serverless-default-db-name-check](./redshift-serverless-default-db-name-check.html)
+ [redshift-serverless-namespace-cmk-encryption](./redshift-serverless-namespace-cmk-encryption.html)
+ [redshift-serverless-publish-logs-to-cloudwatch](./redshift-serverless-publish-logs-to-cloudwatch.html)
+ [redshift-serverless-workgroup-encrypted-in-transit](./redshift-serverless-workgroup-encrypted-in-transit.html)
+ [redshift-serverless-workgroup-no-public-access](./redshift-serverless-workgroup-no-public-access.html)
+ [redshift-serverless-workgroup-routes-within-vpc](./redshift-serverless-workgroup-routes-within-vpc.html)
+ [required-tags](./required-tags.html)
+ [restricted-incoming-traffic](./restricted-incoming-traffic.html)
+ [s3-access-point-in-vpc-only](./s3-access-point-in-vpc-only.html)
+ [s3-access-point-public-access-blocks](./s3-access-point-public-access-blocks.html)
+ [s3-account-level-public-access-blocks](./s3-account-level-public-access-blocks.html)
+ [s3-account-level-public-access-blocks-periodic](./s3-account-level-public-access-blocks-periodic.html)
+ [s3-bucket-acl-prohibited](./s3-bucket-acl-prohibited.html)
+ [s3-bucket-blacklisted-actions-prohibited](./s3-bucket-blacklisted-actions-prohibited.html)
+ [s3-bucket-cross-region-replication-enabled](./s3-bucket-cross-region-replication-enabled.html)
+ [s3-bucket-default-lock-enabled](./s3-bucket-default-lock-enabled.html)
+ [s3-bucket-level-public-access-prohibited](./s3-bucket-level-public-access-prohibited.html)
+ [s3-bucket-logging-enabled](./s3-bucket-logging-enabled.html)
+ [s3-bucket-policy-grantee-check](./s3-bucket-policy-grantee-check.html)
+ [s3-bucket-policy-not-more-permissive](./s3-bucket-policy-not-more-permissive.html)
+ [s3-bucket-public-read-prohibited](./s3-bucket-public-read-prohibited.html)
+ [s3-bucket-public-write-prohibited](./s3-bucket-public-write-prohibited.html)
+ [s3-bucket-replication-enabled](./s3-bucket-replication-enabled.html)
+ [s3-bucket-server-side-encryption-enabled](./s3-bucket-server-side-encryption-enabled.html)
+ [s3-bucket-ssl-requests-only](./s3-bucket-ssl-requests-only.html)
+ [s3-bucket-versioning-enabled](./s3-bucket-versioning-enabled.html)
+ [s3-default-encryption-kms](./s3-default-encryption-kms.html)
+ [s3-event-notifications-enabled](./s3-event-notifications-enabled.html)
+ [s3-lifecycle-policy-check](./s3-lifecycle-policy-check.html)
+ [s3-version-lifecycle-policy-check](./s3-version-lifecycle-policy-check.html)
+ [sagemaker-endpoint-configuration-kms-key-configured](./sagemaker-endpoint-configuration-kms-key-configured.html)
+ [sagemaker-featuregroup-encryption-at-rest](./sagemaker-featuregroup-encryption-at-rest.html)
+ [sagemaker-notebook-instance-inside-vpc](./sagemaker-notebook-instance-inside-vpc.html)
+ [sagemaker-notebook-instance-kms-key-configured](./sagemaker-notebook-instance-kms-key-configured.html)
+ [sagemaker-notebook-instance-platform-version](./sagemaker-notebook-instance-platform-version.html)
+ [sagemaker-notebook-instance-root-access-check](./sagemaker-notebook-instance-root-access-check.html)
+ [sagemaker-notebook-no-direct-internet-access](./sagemaker-notebook-no-direct-internet-access.html)
+ [secretsmanager-rotation-enabled-check](./secretsmanager-rotation-enabled-check.html)
+ [secretsmanager-scheduled-rotation-success-check](./secretsmanager-scheduled-rotation-success-check.html)
+ [secretsmanager-secret-periodic-rotation](./secretsmanager-secret-periodic-rotation.html)
+ [secretsmanager-secret-unused](./secretsmanager-secret-unused.html)
+ [secretsmanager-using-cmk](./secretsmanager-using-cmk.html)
+ [securityhub-enabled](./securityhub-enabled.html)
+ [security-account-information-provided](./security-account-information-provided.html)
+ [service-vpc-endpoint-enabled](./service-vpc-endpoint-enabled.html)
+ [sns-encrypted-kms](./sns-encrypted-kms.html)
+ [sns-topic-message-delivery-notification-enabled](./sns-topic-message-delivery-notification-enabled.html)
+ [sns-topic-no-public-access](./sns-topic-no-public-access.html)
+ [sqs-queue-dlq-check](./sqs-queue-dlq-check.html)
+ [sqs-queue-no-public-access](./sqs-queue-no-public-access.html)
+ [sqs-queue-policy-full-access-check](./sqs-queue-policy-full-access-check.html)
+ [ssm-automation-block-public-sharing](./ssm-automation-block-public-sharing.html)
+ [ssm-automation-logging-enabled](./ssm-automation-logging-enabled.html)
+ [ssm-document-not-public](./ssm-document-not-public.html)
+ [step-functions-state-machine-logging-enabled](./step-functions-state-machine-logging-enabled.html)
+ [subnet-auto-assign-public-ip-disabled](./subnet-auto-assign-public-ip-disabled.html)
+ [transfer-connector-logging-enabled](./transfer-connector-logging-enabled.html)
+ [vpc-default-security-group-closed](./vpc-default-security-group-closed.html)
+ [vpc-endpoint-enabled](./vpc-endpoint-enabled.html)
+ [vpc-flow-logs-enabled](./vpc-flow-logs-enabled.html)
+ [vpc-network-acl-unused-check](./vpc-network-acl-unused-check.html)
+ [vpc-sg-open-only-to-authorized-ports](./vpc-sg-open-only-to-authorized-ports.html)
+ [vpc-sg-port-restriction-check](./vpc-sg-port-restriction-check.html)
+ [wafv2-logging-enabled](./wafv2-logging-enabled.html)
+ [wafv2-rulegroup-logging-enabled](./wafv2-rulegroup-logging-enabled.html)
+ [waf-global-rulegroup-not-empty](./waf-global-rulegroup-not-empty.html)
+ [waf-global-rule-not-empty](./waf-global-rule-not-empty.html)
+ [waf-regional-rule-not-empty](./waf-regional-rule-not-empty.html)
+ [waf-regional-webacl-not-empty](./waf-regional-webacl-not-empty.html)
+ [workspaces-root-volume-encryption-enabled](./workspaces-root-volume-encryption-enabled.html)
+ [workspaces-user-volume-encryption-enabled](./workspaces-user-volume-encryption-enabled.html)

## Europe (Frankfurt) Region
<a name="europe-frankfurt-section-head"></a>

### Europe (Frankfurt)
<a name="europe-frankfurt"></a>
+ [access-keys-rotated](./access-keys-rotated.html)
+ [account-part-of-organizations](./account-part-of-organizations.html)
+ [acmpca-certificate-authority-tagged](./acmpca-certificate-authority-tagged.html)
+ [acm-certificate-expiration-check](./acm-certificate-expiration-check.html)
+ [acm-certificate-rsa-check](./acm-certificate-rsa-check.html)
+ [acm-certificate-transparent-logging-enabled](./acm-certificate-transparent-logging-enabled.html)
+ [acm-pca-root-ca-disabled](./acm-pca-root-ca-disabled.html)
+ [active-mq-supported-version](./active-mq-supported-version.html)
+ [alb-desync-mode-check](./alb-desync-mode-check.html)
+ [alb-http-drop-invalid-header-enabled](./alb-http-drop-invalid-header-enabled.html)
+ [alb-http-to-https-redirection-check](./alb-http-to-https-redirection-check.html)
+ [alb-internal-scheme-check](./alb-internal-scheme-check.html)
+ [alb-listener-tagged](./alb-listener-tagged.html)
+ [alb-tagged](./alb-tagged.html)
+ [alb-waf-enabled](./alb-waf-enabled.html)
+ [amplify-app-branch-auto-deletion-enabled](./amplify-app-branch-auto-deletion-enabled.html)
+ [amplify-app-build-spec-configured](./amplify-app-build-spec-configured.html)
+ [amplify-app-description](./amplify-app-description.html)
+ [amplify-app-no-environment-variables](./amplify-app-no-environment-variables.html)
+ [amplify-app-platform-check](./amplify-app-platform-check.html)
+ [amplify-app-tagged](./amplify-app-tagged.html)
+ [amplify-branch-auto-build-enabled](./amplify-branch-auto-build-enabled.html)
+ [amplify-branch-build-spec-configured](./amplify-branch-build-spec-configured.html)
+ [amplify-branch-description](./amplify-branch-description.html)
+ [amplify-branch-framework-configured](./amplify-branch-framework-configured.html)
+ [amplify-branch-performance-mode-enabled](./amplify-branch-performance-mode-enabled.html)
+ [amplify-branch-pull-request-preview-enabled](./amplify-branch-pull-request-preview-enabled.html)
+ [amplify-branch-tagged](./amplify-branch-tagged.html)
+ [apigatewayv2-integration-private-https-enabled](./apigatewayv2-integration-private-https-enabled.html)
+ [apigatewayv2-stage-description](./apigatewayv2-stage-description.html)
+ [apigateway-domain-name-tls-check](./apigateway-domain-name-tls-check.html)
+ [apigateway-stage-access-logs-enabled](./apigateway-stage-access-logs-enabled.html)
+ [apigateway-stage-description](./apigateway-stage-description.html)
+ [api-gwv2-access-logs-enabled](./api-gwv2-access-logs-enabled.html)
+ [api-gwv2-authorization-type-configured](./api-gwv2-authorization-type-configured.html)
+ [api-gwv2-stage-default-route-detailed-metrics-enabled](./api-gwv2-stage-default-route-detailed-metrics-enabled.html)
+ [api-gw-associated-with-waf](./api-gw-associated-with-waf.html)
+ [api-gw-cache-enabled-and-encrypted](./api-gw-cache-enabled-and-encrypted.html)
+ [api-gw-endpoint-type-check](./api-gw-endpoint-type-check.html)
+ [api-gw-execution-logging-enabled](./api-gw-execution-logging-enabled.html)
+ [api-gw-rest-api-tagged](./api-gw-rest-api-tagged.html)
+ [api-gw-ssl-enabled](./api-gw-ssl-enabled.html)
+ [api-gw-stage-tagged](./api-gw-stage-tagged.html)
+ [api-gw-xray-enabled](./api-gw-xray-enabled.html)
+ [appconfig-application-description](./appconfig-application-description.html)
+ [appconfig-application-tagged](./appconfig-application-tagged.html)
+ [appconfig-configuration-profile-tagged](./appconfig-configuration-profile-tagged.html)
+ [appconfig-configuration-profile-validators-not-empty](./appconfig-configuration-profile-validators-not-empty.html)
+ [appconfig-deployment-strategy-description](./appconfig-deployment-strategy-description.html)
+ [appconfig-deployment-strategy-minimum-final-bake-time](./appconfig-deployment-strategy-minimum-final-bake-time.html)
+ [appconfig-deployment-strategy-replicate-to-ssm](./appconfig-deployment-strategy-replicate-to-ssm.html)
+ [appconfig-deployment-strategy-tagged](./appconfig-deployment-strategy-tagged.html)
+ [appconfig-environment-description](./appconfig-environment-description.html)
+ [appconfig-environment-tagged](./appconfig-environment-tagged.html)
+ [appconfig-extension-association-tagged](./appconfig-extension-association-tagged.html)
+ [appconfig-freeform-profile-config-storage](./appconfig-freeform-profile-config-storage.html)
+ [appconfig-hosted-configuration-version-description](./appconfig-hosted-configuration-version-description.html)
+ [appflow-flow-tagged](./appflow-flow-tagged.html)
+ [appflow-flow-trigger-type-check](./appflow-flow-trigger-type-check.html)
+ [appintegrations-application-approved-origins-check](./appintegrations-application-approved-origins-check.html)
+ [appintegrations-application-tagged](./appintegrations-application-tagged.html)
+ [appintegrations-event-integration-description](./appintegrations-event-integration-description.html)
+ [appintegrations-event-integration-tagged](./appintegrations-event-integration-tagged.html)
+ [appmesh-gateway-route-tagged](./appmesh-gateway-route-tagged.html)
+ [appmesh-mesh-deny-tcp-forwarding](./appmesh-mesh-deny-tcp-forwarding.html)
+ [appmesh-mesh-ip-pref-check](./appmesh-mesh-ip-pref-check.html)
+ [appmesh-mesh-tagged](./appmesh-mesh-tagged.html)
+ [appmesh-route-tagged](./appmesh-route-tagged.html)
+ [appmesh-virtual-gateway-backend-defaults-tls](./appmesh-virtual-gateway-backend-defaults-tls.html)
+ [appmesh-virtual-gateway-listeners-health-check-enabled](./appmesh-virtual-gateway-listeners-health-check-enabled.html)
+ [appmesh-virtual-gateway-logging-file-path-exists](./appmesh-virtual-gateway-logging-file-path-exists.html)
+ [appmesh-virtual-gateway-tagged](./appmesh-virtual-gateway-tagged.html)
+ [appmesh-virtual-node-backend-defaults-tls-on](./appmesh-virtual-node-backend-defaults-tls-on.html)
+ [appmesh-virtual-node-cloud-map-ip-pref-check](./appmesh-virtual-node-cloud-map-ip-pref-check.html)
+ [appmesh-virtual-node-dns-ip-pref-check](./appmesh-virtual-node-dns-ip-pref-check.html)
+ [appmesh-virtual-node-listeners-health-check-enabled](./appmesh-virtual-node-listeners-health-check-enabled.html)
+ [appmesh-virtual-node-listeners-outlier-detect-enabled](./appmesh-virtual-node-listeners-outlier-detect-enabled.html)
+ [appmesh-virtual-node-logging-file-path-exists](./appmesh-virtual-node-logging-file-path-exists.html)
+ [appmesh-virtual-node-service-backends-tls-enforced](./appmesh-virtual-node-service-backends-tls-enforced.html)
+ [appmesh-virtual-node-tagged](./appmesh-virtual-node-tagged.html)
+ [appmesh-virtual-router-tagged](./appmesh-virtual-router-tagged.html)
+ [appmesh-virtual-service-tagged](./appmesh-virtual-service-tagged.html)
+ [approved-amis-by-id](./approved-amis-by-id.html)
+ [approved-amis-by-tag](./approved-amis-by-tag.html)
+ [apprunner-service-in-vpc](./apprunner-service-in-vpc.html)
+ [apprunner-service-ip-address-type-check](./apprunner-service-ip-address-type-check.html)
+ [apprunner-service-max-unhealthy-threshold](./apprunner-service-max-unhealthy-threshold.html)
+ [apprunner-service-no-public-access](./apprunner-service-no-public-access.html)
+ [apprunner-service-observability-enabled](./apprunner-service-observability-enabled.html)
+ [apprunner-service-tagged](./apprunner-service-tagged.html)
+ [apprunner-vpc-connector-tagged](./apprunner-vpc-connector-tagged.html)
+ [appstream-fleet-in-vpc](./appstream-fleet-in-vpc.html)
+ [appsync-associated-with-waf](./appsync-associated-with-waf.html)
+ [appsync-authorization-check](./appsync-authorization-check.html)
+ [appsync-cache-ct-encryption-at-rest](./appsync-cache-ct-encryption-at-rest.html)
+ [appsync-cache-ct-encryption-in-transit](./appsync-cache-ct-encryption-in-transit.html)
+ [appsync-cache-encryption-at-rest](./appsync-cache-encryption-at-rest.html)
+ [appsync-graphql-api-xray-enabled](./appsync-graphql-api-xray-enabled.html)
+ [appsync-logging-enabled](./appsync-logging-enabled.html)
+ [aps-rule-groups-namespace-tagged](./aps-rule-groups-namespace-tagged.html)
+ [athena-data-catalog-description](./athena-data-catalog-description.html)
+ [athena-prepared-statement-description](./athena-prepared-statement-description.html)
+ [athena-workgroup-description](./athena-workgroup-description.html)
+ [athena-workgroup-encrypted-at-rest](./athena-workgroup-encrypted-at-rest.html)
+ [athena-workgroup-enforce-workgroup-configuration](./athena-workgroup-enforce-workgroup-configuration.html)
+ [athena-workgroup-engine-version-auto-upgrade](./athena-workgroup-engine-version-auto-upgrade.html)
+ [athena-workgroup-logging-enabled](./athena-workgroup-logging-enabled.html)
+ [auditmanager-assessment-tagged](./auditmanager-assessment-tagged.html)
+ [aurora-global-database-encryption-at-rest](./aurora-global-database-encryption-at-rest.html)
+ [aurora-last-backup-recovery-point-created](./aurora-last-backup-recovery-point-created.html)
+ [aurora-meets-restore-time-target](./aurora-meets-restore-time-target.html)
+ [aurora-mysql-backtracking-enabled](./aurora-mysql-backtracking-enabled.html)
+ [aurora-mysql-cluster-audit-logging](./aurora-mysql-cluster-audit-logging.html)
+ [aurora-resources-in-logically-air-gapped-vault](./aurora-resources-in-logically-air-gapped-vault.html)
+ [aurora-resources-protected-by-backup-plan](./aurora-resources-protected-by-backup-plan.html)
+ [autoscaling-capacity-rebalancing](./autoscaling-capacity-rebalancing.html)
+ [autoscaling-group-elb-healthcheck-required](./autoscaling-group-elb-healthcheck-required.html)
+ [autoscaling-launchconfig-requires-imdsv2](./autoscaling-launchconfig-requires-imdsv2.html)
+ [autoscaling-launch-config-hop-limit](./autoscaling-launch-config-hop-limit.html)
+ [autoscaling-launch-config-public-ip-disabled](./autoscaling-launch-config-public-ip-disabled.html)
+ [autoscaling-launch-template](./autoscaling-launch-template.html)
+ [autoscaling-multiple-az](./autoscaling-multiple-az.html)
+ [autoscaling-multiple-instance-types](./autoscaling-multiple-instance-types.html)
+ [backup-plan-min-frequency-and-min-retention-check](./backup-plan-min-frequency-and-min-retention-check.html)
+ [backup-recovery-point-encrypted](./backup-recovery-point-encrypted.html)
+ [backup-recovery-point-manual-deletion-disabled](./backup-recovery-point-manual-deletion-disabled.html)
+ [backup-recovery-point-minimum-retention-check](./backup-recovery-point-minimum-retention-check.html)
+ [batch-compute-environment-enabled](./batch-compute-environment-enabled.html)
+ [batch-compute-environment-managed](./batch-compute-environment-managed.html)
+ [batch-compute-environment-tagged](./batch-compute-environment-tagged.html)
+ [batch-job-queue-enabled](./batch-job-queue-enabled.html)
+ [batch-job-queue-tagged](./batch-job-queue-tagged.html)
+ [batch-managed-compute-environment-using-launch-template](./batch-managed-compute-environment-using-launch-template.html)
+ [batch-managed-compute-env-allocation-strategy-check](./batch-managed-compute-env-allocation-strategy-check.html)
+ [batch-managed-compute-env-compute-resources-tagged](./batch-managed-compute-env-compute-resources-tagged.html)
+ [batch-managed-spot-compute-environment-max-bid](./batch-managed-spot-compute-environment-max-bid.html)
+ [batch-scheduling-policy-tagged](./batch-scheduling-policy-tagged.html)
+ [beanstalk-enhanced-health-reporting-enabled](./beanstalk-enhanced-health-reporting-enabled.html)
+ [cassandra-keyspace-tagged](./cassandra-keyspace-tagged.html)
+ [clb-desync-mode-check](./clb-desync-mode-check.html)
+ [clb-multiple-az](./clb-multiple-az.html)
+ [cloudformation-stack-drift-detection-check](./cloudformation-stack-drift-detection-check.html)
+ [cloudformation-stack-notification-check](./cloudformation-stack-notification-check.html)
+ [cloudformation-stack-service-role-check](./cloudformation-stack-service-role-check.html)
+ [cloudformation-termination-protection-check](./cloudformation-termination-protection-check.html)
+ [cloudtrail-all-read-s3-data-event-check](./cloudtrail-all-read-s3-data-event-check.html)
+ [cloudtrail-all-write-s3-data-event-check](./cloudtrail-all-write-s3-data-event-check.html)
+ [cloudtrail-event-data-store-multi-region](./cloudtrail-event-data-store-multi-region.html)
+ [cloudtrail-s3-bucket-access-logging](./cloudtrail-s3-bucket-access-logging.html)
+ [cloudtrail-s3-bucket-public-access-prohibited](./cloudtrail-s3-bucket-public-access-prohibited.html)
+ [cloudtrail-s3-dataevents-enabled](./cloudtrail-s3-dataevents-enabled.html)
+ [cloudtrail-security-trail-enabled](./cloudtrail-security-trail-enabled.html)
+ [cloudwatch-alarm-action-check](./cloudwatch-alarm-action-check.html)
+ [cloudwatch-alarm-action-enabled-check](./cloudwatch-alarm-action-enabled-check.html)
+ [cloudwatch-alarm-description](./cloudwatch-alarm-description.html)
+ [cloudwatch-alarm-resource-check](./cloudwatch-alarm-resource-check.html)
+ [cloudwatch-alarm-settings-check](./cloudwatch-alarm-settings-check.html)
+ [cloudwatch-log-group-encrypted](./cloudwatch-log-group-encrypted.html)
+ [cloudwatch-metric-stream-tagged](./cloudwatch-metric-stream-tagged.html)
+ [cloud-trail-cloud-watch-logs-enabled](./cloud-trail-cloud-watch-logs-enabled.html)
+ [cloud-trail-enabled](./cloud-trail-enabled.html)
+ [cloud-trail-encryption-enabled](./cloud-trail-encryption-enabled.html)
+ [cloud-trail-log-file-validation-enabled](./cloud-trail-log-file-validation-enabled.html)
+ [cmk-backing-key-rotation-enabled](./cmk-backing-key-rotation-enabled.html)
+ [codeartifact-repository-tagged](./codeartifact-repository-tagged.html)
+ [codebuild-project-artifact-encryption](./codebuild-project-artifact-encryption.html)
+ [codebuild-project-environment-privileged-check](./codebuild-project-environment-privileged-check.html)
+ [codebuild-project-envvar-awscred-check](./codebuild-project-envvar-awscred-check.html)
+ [codebuild-project-logging-enabled](./codebuild-project-logging-enabled.html)
+ [codebuild-project-s3-logs-encrypted](./codebuild-project-s3-logs-encrypted.html)
+ [codebuild-project-source-repo-url-check](./codebuild-project-source-repo-url-check.html)
+ [codebuild-project-tagged](./codebuild-project-tagged.html)
+ [codebuild-report-group-encrypted-at-rest](./codebuild-report-group-encrypted-at-rest.html)
+ [codebuild-report-group-tagged](./codebuild-report-group-tagged.html)
+ [codedeploy-auto-rollback-monitor-enabled](./codedeploy-auto-rollback-monitor-enabled.html)
+ [codedeploy-deployment-group-auto-rollback-enabled](./codedeploy-deployment-group-auto-rollback-enabled.html)
+ [codedeploy-deployment-group-outdated-instances-update](./codedeploy-deployment-group-outdated-instances-update.html)
+ [codedeploy-ec2-minimum-healthy-hosts-configured](./codedeploy-ec2-minimum-healthy-hosts-configured.html)
+ [codedeploy-lambda-allatonce-traffic-shift-disabled](./codedeploy-lambda-allatonce-traffic-shift-disabled.html)
+ [codeguruprofiler-profiling-group-tagged](./codeguruprofiler-profiling-group-tagged.html)
+ [codegurureviewer-repository-association-tagged](./codegurureviewer-repository-association-tagged.html)
+ [codepipeline-deployment-count-check](./codepipeline-deployment-count-check.html)
+ [codepipeline-region-fanout-check](./codepipeline-region-fanout-check.html)
+ [cognito-identity-pool-unauthenticated-logins](./cognito-identity-pool-unauthenticated-logins.html)
+ [cognito-identity-pool-unauth-access-check](./cognito-identity-pool-unauth-access-check.html)
+ [cognito-userpool-cust-auth-threat-full-check](./cognito-userpool-cust-auth-threat-full-check.html)
+ [cognito-user-pool-advanced-security-enabled](./cognito-user-pool-advanced-security-enabled.html)
+ [cognito-user-pool-deletion-protection-enabled](./cognito-user-pool-deletion-protection-enabled.html)
+ [cognito-user-pool-mfa-enabled](./cognito-user-pool-mfa-enabled.html)
+ [cognito-user-pool-password-policy-check](./cognito-user-pool-password-policy-check.html)
+ [cognito-user-pool-tagged](./cognito-user-pool-tagged.html)
+ [connect-instance-logging-enabled](./connect-instance-logging-enabled.html)
+ [customerprofiles-domain-tagged](./customerprofiles-domain-tagged.html)
+ [customerprofiles-object-type-allow-profile-creation](./customerprofiles-object-type-allow-profile-creation.html)
+ [customerprofiles-object-type-tagged](./customerprofiles-object-type-tagged.html)
+ [custom-eventbus-policy-attached](./custom-eventbus-policy-attached.html)
+ [custom-schema-registry-policy-attached](./custom-schema-registry-policy-attached.html)
+ [cw-loggroup-retention-period-check](./cw-loggroup-retention-period-check.html)
+ [datasync-location-object-storage-using-https](./datasync-location-object-storage-using-https.html)
+ [datasync-task-data-verification-enabled](./datasync-task-data-verification-enabled.html)
+ [datasync-task-logging-enabled](./datasync-task-logging-enabled.html)
+ [datasync-task-tagged](./datasync-task-tagged.html)
+ [dax-encryption-enabled](./dax-encryption-enabled.html)
+ [dax-tls-endpoint-encryption](./dax-tls-endpoint-encryption.html)
+ [db-instance-backup-enabled](./db-instance-backup-enabled.html)
+ [desired-instance-tenancy](./desired-instance-tenancy.html)
+ [desired-instance-type](./desired-instance-type.html)
+ [dms-auto-minor-version-upgrade-check](./dms-auto-minor-version-upgrade-check.html)
+ [dms-endpoint-ssl-configured](./dms-endpoint-ssl-configured.html)
+ [dms-endpoint-tagged](./dms-endpoint-tagged.html)
+ [dms-mongo-db-authentication-enabled](./dms-mongo-db-authentication-enabled.html)
+ [dms-neptune-iam-authorization-enabled](./dms-neptune-iam-authorization-enabled.html)
+ [dms-redis-tls-enabled](./dms-redis-tls-enabled.html)
+ [dms-replication-instance-multi-az-enabled](./dms-replication-instance-multi-az-enabled.html)
+ [dms-replication-not-public](./dms-replication-not-public.html)
+ [dms-replication-task-sourcedb-logging](./dms-replication-task-sourcedb-logging.html)
+ [dms-replication-task-tagged](./dms-replication-task-tagged.html)
+ [dms-replication-task-targetdb-logging](./dms-replication-task-targetdb-logging.html)
+ [docdb-cluster-audit-logging-enabled](./docdb-cluster-audit-logging-enabled.html)
+ [docdb-cluster-backup-retention-check](./docdb-cluster-backup-retention-check.html)
+ [docdb-cluster-deletion-protection-enabled](./docdb-cluster-deletion-protection-enabled.html)
+ [docdb-cluster-encrypted](./docdb-cluster-encrypted.html)
+ [docdb-cluster-encrypted-in-transit](./docdb-cluster-encrypted-in-transit.html)
+ [docdb-cluster-snapshot-public-prohibited](./docdb-cluster-snapshot-public-prohibited.html)
+ [dynamodb-autoscaling-enabled](./dynamodb-autoscaling-enabled.html)
+ [dynamodb-in-backup-plan](./dynamodb-in-backup-plan.html)
+ [dynamodb-last-backup-recovery-point-created](./dynamodb-last-backup-recovery-point-created.html)
+ [dynamodb-meets-restore-time-target](./dynamodb-meets-restore-time-target.html)
+ [dynamodb-pitr-enabled](./dynamodb-pitr-enabled.html)
+ [dynamodb-resources-protected-by-backup-plan](./dynamodb-resources-protected-by-backup-plan.html)
+ [dynamodb-table-deletion-protection-enabled](./dynamodb-table-deletion-protection-enabled.html)
+ [dynamodb-table-encrypted-kms](./dynamodb-table-encrypted-kms.html)
+ [dynamodb-table-encryption-enabled](./dynamodb-table-encryption-enabled.html)
+ [dynamodb-throughput-limit-check](./dynamodb-throughput-limit-check.html)
+ [ebs-in-backup-plan](./ebs-in-backup-plan.html)
+ [ebs-last-backup-recovery-point-created](./ebs-last-backup-recovery-point-created.html)
+ [ebs-meets-restore-time-target](./ebs-meets-restore-time-target.html)
+ [ebs-optimized-instance](./ebs-optimized-instance.html)
+ [ebs-resources-in-logically-air-gapped-vault](./ebs-resources-in-logically-air-gapped-vault.html)
+ [ebs-resources-protected-by-backup-plan](./ebs-resources-protected-by-backup-plan.html)
+ [ebs-snapshot-block-public-access](./ebs-snapshot-block-public-access.html)
+ [ebs-snapshot-public-restorable-check](./ebs-snapshot-public-restorable-check.html)
+ [ec2-capacity-reservation-tagged](./ec2-capacity-reservation-tagged.html)
+ [ec2-carrier-gateway-tagged](./ec2-carrier-gateway-tagged.html)
+ [ec2-client-vpn-connection-log-enabled](./ec2-client-vpn-connection-log-enabled.html)
+ [ec2-client-vpn-endpoint-tagged](./ec2-client-vpn-endpoint-tagged.html)
+ [ec2-client-vpn-not-authorize-all](./ec2-client-vpn-not-authorize-all.html)
+ [ec2-dhcp-options-tagged](./ec2-dhcp-options-tagged.html)
+ [ec2-ebs-encryption-by-default](./ec2-ebs-encryption-by-default.html)
+ [ec2-enis-source-destination-check-enabled](./ec2-enis-source-destination-check-enabled.html)
+ [ec2-fleet-tagged](./ec2-fleet-tagged.html)
+ [ec2-imdsv2-check](./ec2-imdsv2-check.html)
+ [ec2-instance-detailed-monitoring-enabled](./ec2-instance-detailed-monitoring-enabled.html)
+ [ec2-instance-launched-with-allowed-ami](./ec2-instance-launched-with-allowed-ami.html)
+ [ec2-instance-managed-by-ssm](./ec2-instance-managed-by-ssm.html)
+ [ec2-instance-multiple-eni-check](./ec2-instance-multiple-eni-check.html)
+ [ec2-instance-no-public-ip](./ec2-instance-no-public-ip.html)
+ [ec2-instance-profile-attached](./ec2-instance-profile-attached.html)
+ [ec2-ipamscope-tagged](./ec2-ipamscope-tagged.html)
+ [ec2-last-backup-recovery-point-created](./ec2-last-backup-recovery-point-created.html)
+ [ec2-launchtemplate-ebs-encrypted](./ec2-launchtemplate-ebs-encrypted.html)
+ [ec2-launch-templates-ebs-volume-encrypted](./ec2-launch-templates-ebs-volume-encrypted.html)
+ [ec2-launch-template-imdsv2-check](./ec2-launch-template-imdsv2-check.html)
+ [ec2-launch-template-public-ip-disabled](./ec2-launch-template-public-ip-disabled.html)
+ [ec2-launch-template-tagged](./ec2-launch-template-tagged.html)
+ [ec2-managedinstance-applications-blacklisted](./ec2-managedinstance-applications-blacklisted.html)
+ [ec2-managedinstance-applications-required](./ec2-managedinstance-applications-required.html)
+ [ec2-managedinstance-association-compliance-status-check](./ec2-managedinstance-association-compliance-status-check.html)
+ [ec2-managedinstance-inventory-blacklisted](./ec2-managedinstance-inventory-blacklisted.html)
+ [ec2-managedinstance-patch-compliance-status-check](./ec2-managedinstance-patch-compliance-status-check.html)
+ [ec2-managedinstance-platform-check](./ec2-managedinstance-platform-check.html)
+ [ec2-meets-restore-time-target](./ec2-meets-restore-time-target.html)
+ [ec2-network-insights-access-scope-analysis-tagged](./ec2-network-insights-access-scope-analysis-tagged.html)
+ [ec2-network-insights-access-scope-tagged](./ec2-network-insights-access-scope-tagged.html)
+ [ec2-network-insights-analysis-tagged](./ec2-network-insights-analysis-tagged.html)
+ [ec2-network-insights-path-tagged](./ec2-network-insights-path-tagged.html)
+ [ec2-no-amazon-key-pair](./ec2-no-amazon-key-pair.html)
+ [ec2-paravirtual-instance-check](./ec2-paravirtual-instance-check.html)
+ [ec2-prefix-list-tagged](./ec2-prefix-list-tagged.html)
+ [ec2-resources-in-logically-air-gapped-vault](./ec2-resources-in-logically-air-gapped-vault.html)
+ [ec2-resources-protected-by-backup-plan](./ec2-resources-protected-by-backup-plan.html)
+ [ec2-security-group-attached-to-eni](./ec2-security-group-attached-to-eni.html)
+ [ec2-security-group-attached-to-eni-periodic](./ec2-security-group-attached-to-eni-periodic.html)
+ [ec2-spot-fleet-request-ct-encryption-at-rest](./ec2-spot-fleet-request-ct-encryption-at-rest.html)
+ [ec2-stopped-instance](./ec2-stopped-instance.html)
+ [ec2-token-hop-limit-check](./ec2-token-hop-limit-check.html)
+ [ec2-traffic-mirror-filter-description](./ec2-traffic-mirror-filter-description.html)
+ [ec2-traffic-mirror-filter-tagged](./ec2-traffic-mirror-filter-tagged.html)
+ [ec2-traffic-mirror-session-description](./ec2-traffic-mirror-session-description.html)
+ [ec2-traffic-mirror-session-tagged](./ec2-traffic-mirror-session-tagged.html)
+ [ec2-traffic-mirror-target-description](./ec2-traffic-mirror-target-description.html)
+ [ec2-traffic-mirror-target-tagged](./ec2-traffic-mirror-target-tagged.html)
+ [ec2-transit-gateway-auto-vpc-attach-disabled](./ec2-transit-gateway-auto-vpc-attach-disabled.html)
+ [ec2-transit-gateway-multicast-domain-tagged](./ec2-transit-gateway-multicast-domain-tagged.html)
+ [ec2-volume-inuse-check](./ec2-volume-inuse-check.html)
+ [ec2-vpn-connection-ike-version-check](./ec2-vpn-connection-ike-version-check.html)
+ [ec2-vpn-connection-logging-enabled](./ec2-vpn-connection-logging-enabled.html)
+ [ec2-vpn-connection-tagged](./ec2-vpn-connection-tagged.html)
+ [ecr-private-image-scanning-enabled](./ecr-private-image-scanning-enabled.html)
+ [ecr-private-lifecycle-policy-configured](./ecr-private-lifecycle-policy-configured.html)
+ [ecr-private-tag-immutability-enabled](./ecr-private-tag-immutability-enabled.html)
+ [ecr-repository-cmk-encryption-enabled](./ecr-repository-cmk-encryption-enabled.html)
+ [ecr-repository-tagged](./ecr-repository-tagged.html)
+ [ecs-awsvpc-networking-enabled](./ecs-awsvpc-networking-enabled.html)
+ [ecs-capacity-provider-tagged](./ecs-capacity-provider-tagged.html)
+ [ecs-capacity-provider-termination-check](./ecs-capacity-provider-termination-check.html)
+ [ecs-containers-nonprivileged](./ecs-containers-nonprivileged.html)
+ [ecs-containers-readonly-access](./ecs-containers-readonly-access.html)
+ [ecs-container-insights-enabled](./ecs-container-insights-enabled.html)
+ [ecs-fargate-latest-platform-version](./ecs-fargate-latest-platform-version.html)
+ [ecs-no-environment-secrets](./ecs-no-environment-secrets.html)
+ [ecs-service-propagate-tags-enabled](./ecs-service-propagate-tags-enabled.html)
+ [ecs-task-definition-efs-encryption-enabled](./ecs-task-definition-efs-encryption-enabled.html)
+ [ecs-task-definition-linux-user-non-root](./ecs-task-definition-linux-user-non-root.html)
+ [ecs-task-definition-log-configuration](./ecs-task-definition-log-configuration.html)
+ [ecs-task-definition-memory-hard-limit](./ecs-task-definition-memory-hard-limit.html)
+ [ecs-task-definition-network-mode-not-host](./ecs-task-definition-network-mode-not-host.html)
+ [ecs-task-definition-nonroot-user](./ecs-task-definition-nonroot-user.html)
+ [ecs-task-definition-pid-mode-check](./ecs-task-definition-pid-mode-check.html)
+ [ecs-task-definition-user-for-host-mode-check](./ecs-task-definition-user-for-host-mode-check.html)
+ [ecs-task-definition-windows-user-non-admin](./ecs-task-definition-windows-user-non-admin.html)
+ [efs-access-point-enforce-root-directory](./efs-access-point-enforce-root-directory.html)
+ [efs-access-point-enforce-user-identity](./efs-access-point-enforce-user-identity.html)
+ [efs-automatic-backups-enabled](./efs-automatic-backups-enabled.html)
+ [efs-encrypted-check](./efs-encrypted-check.html)
+ [efs-filesystem-ct-encrypted](./efs-filesystem-ct-encrypted.html)
+ [efs-file-system-tagged](./efs-file-system-tagged.html)
+ [efs-in-backup-plan](./efs-in-backup-plan.html)
+ [efs-last-backup-recovery-point-created](./efs-last-backup-recovery-point-created.html)
+ [efs-meets-restore-time-target](./efs-meets-restore-time-target.html)
+ [efs-mount-target-public-accessible](./efs-mount-target-public-accessible.html)
+ [efs-resources-in-logically-air-gapped-vault](./efs-resources-in-logically-air-gapped-vault.html)
+ [efs-resources-protected-by-backup-plan](./efs-resources-protected-by-backup-plan.html)
+ [eip-attached](./eip-attached.html)
+ [eks-addon-tagged](./eks-addon-tagged.html)
+ [eks-cluster-logging-enabled](./eks-cluster-logging-enabled.html)
+ [eks-cluster-log-enabled](./eks-cluster-log-enabled.html)
+ [eks-cluster-oldest-supported-version](./eks-cluster-oldest-supported-version.html)
+ [eks-cluster-secrets-encrypted](./eks-cluster-secrets-encrypted.html)
+ [eks-cluster-supported-version](./eks-cluster-supported-version.html)
+ [eks-endpoint-no-public-access](./eks-endpoint-no-public-access.html)
+ [eks-fargate-profile-tagged](./eks-fargate-profile-tagged.html)
+ [eks-nodegroup-supported-version-check](./eks-nodegroup-supported-version-check.html)
+ [eks-secrets-encrypted](./eks-secrets-encrypted.html)
+ [elasticache-automatic-backup-check-enabled](./elasticache-automatic-backup-check-enabled.html)
+ [elasticache-auto-minor-version-upgrade-check](./elasticache-auto-minor-version-upgrade-check.html)
+ [elasticache-rbac-auth-enabled](./elasticache-rbac-auth-enabled.html)
+ [elasticache-redis-cluster-automatic-backup-check](./elasticache-redis-cluster-automatic-backup-check.html)
+ [elasticache-repl-grp-auto-failover-enabled](./elasticache-repl-grp-auto-failover-enabled.html)
+ [elasticache-repl-grp-encrypted-at-rest](./elasticache-repl-grp-encrypted-at-rest.html)
+ [elasticache-repl-grp-encrypted-in-transit](./elasticache-repl-grp-encrypted-in-transit.html)
+ [elasticache-repl-grp-redis-auth-enabled](./elasticache-repl-grp-redis-auth-enabled.html)
+ [elasticache-subnet-group-check](./elasticache-subnet-group-check.html)
+ [elasticache-supported-engine-version](./elasticache-supported-engine-version.html)
+ [elasticbeanstalk-application-description](./elasticbeanstalk-application-description.html)
+ [elasticbeanstalk-application-version-description](./elasticbeanstalk-application-version-description.html)
+ [elasticbeanstalk-environment-description](./elasticbeanstalk-environment-description.html)
+ [elasticsearch-encrypted-at-rest](./elasticsearch-encrypted-at-rest.html)
+ [elasticsearch-in-vpc-only](./elasticsearch-in-vpc-only.html)
+ [elasticsearch-logs-to-cloudwatch](./elasticsearch-logs-to-cloudwatch.html)
+ [elasticsearch-node-to-node-encryption-check](./elasticsearch-node-to-node-encryption-check.html)
+ [elastic-beanstalk-logs-to-cloudwatch](./elastic-beanstalk-logs-to-cloudwatch.html)
+ [elastic-beanstalk-managed-updates-enabled](./elastic-beanstalk-managed-updates-enabled.html)
+ [elbv2-acm-certificate-required](./elbv2-acm-certificate-required.html)
+ [elbv2-listener-encryption-in-transit](./elbv2-listener-encryption-in-transit.html)
+ [elbv2-multiple-az](./elbv2-multiple-az.html)
+ [elbv2-predefined-security-policy-ssl-check](./elbv2-predefined-security-policy-ssl-check.html)
+ [elbv2-targetgroup-healthcheck-protocol-encrypted](./elbv2-targetgroup-healthcheck-protocol-encrypted.html)
+ [elbv2-targetgroup-protocol-encrypted](./elbv2-targetgroup-protocol-encrypted.html)
+ [elb-acm-certificate-required](./elb-acm-certificate-required.html)
+ [elb-cross-zone-load-balancing-enabled](./elb-cross-zone-load-balancing-enabled.html)
+ [elb-custom-security-policy-ssl-check](./elb-custom-security-policy-ssl-check.html)
+ [elb-deletion-protection-enabled](./elb-deletion-protection-enabled.html)
+ [elb-internal-scheme-check](./elb-internal-scheme-check.html)
+ [elb-logging-enabled](./elb-logging-enabled.html)
+ [elb-predefined-security-policy-ssl-check](./elb-predefined-security-policy-ssl-check.html)
+ [elb-tagged](./elb-tagged.html)
+ [elb-tls-https-listeners-only](./elb-tls-https-listeners-only.html)
+ [emr-block-public-access](./emr-block-public-access.html)
+ [emr-kerberos-enabled](./emr-kerberos-enabled.html)
+ [emr-master-no-public-ip](./emr-master-no-public-ip.html)
+ [emr-security-configuration-encryption-rest](./emr-security-configuration-encryption-rest.html)
+ [emr-security-configuration-encryption-transit](./emr-security-configuration-encryption-transit.html)
+ [encrypted-volumes](./encrypted-volumes.html)
+ [eventschemas-discoverer-tagged](./eventschemas-discoverer-tagged.html)
+ [eventschemas-registry-tagged](./eventschemas-registry-tagged.html)
+ [event-data-store-cmk-encryption-enabled](./event-data-store-cmk-encryption-enabled.html)
+ [evidently-launch-description](./evidently-launch-description.html)
+ [evidently-launch-tagged](./evidently-launch-tagged.html)
+ [evidently-project-description](./evidently-project-description.html)
+ [evidently-project-tagged](./evidently-project-tagged.html)
+ [evidently-segment-description](./evidently-segment-description.html)
+ [evidently-segment-tagged](./evidently-segment-tagged.html)
+ [fis-experiment-template-log-configuration-exists](./fis-experiment-template-log-configuration-exists.html)
+ [fis-experiment-template-tagged](./fis-experiment-template-tagged.html)
+ [fms-shield-resource-policy-check](./fms-shield-resource-policy-check.html)
+ [fms-webacl-resource-policy-check](./fms-webacl-resource-policy-check.html)
+ [fms-webacl-rulegroup-association-check](./fms-webacl-rulegroup-association-check.html)
+ [fsx-last-backup-recovery-point-created](./fsx-last-backup-recovery-point-created.html)
+ [fsx-lustre-copy-tags-to-backups](./fsx-lustre-copy-tags-to-backups.html)
+ [fsx-meets-restore-time-target](./fsx-meets-restore-time-target.html)
+ [fsx-ontap-deployment-type-check](./fsx-ontap-deployment-type-check.html)
+ [fsx-openzfs-copy-tags-enabled](./fsx-openzfs-copy-tags-enabled.html)
+ [fsx-openzfs-deployment-type-check](./fsx-openzfs-deployment-type-check.html)
+ [fsx-resources-protected-by-backup-plan](./fsx-resources-protected-by-backup-plan.html)
+ [fsx-windows-audit-log-configured](./fsx-windows-audit-log-configured.html)
+ [fsx-windows-deployment-type-check](./fsx-windows-deployment-type-check.html)
+ [glb-listener-tagged](./glb-listener-tagged.html)
+ [glb-tagged](./glb-tagged.html)
+ [global-endpoint-event-replication-enabled](./global-endpoint-event-replication-enabled.html)
+ [glue-job-logging-enabled](./glue-job-logging-enabled.html)
+ [glue-ml-transform-encrypted-at-rest](./glue-ml-transform-encrypted-at-rest.html)
+ [glue-ml-transform-tagged](./glue-ml-transform-tagged.html)
+ [glue-spark-job-supported-version](./glue-spark-job-supported-version.html)
+ [groundstation-config-tagged](./groundstation-config-tagged.html)
+ [groundstation-dataflowendpointgroup-tagged](./groundstation-dataflowendpointgroup-tagged.html)
+ [groundstation-missionprofile-tagged](./groundstation-missionprofile-tagged.html)
+ [guardduty-ec2-protection-runtime-enabled](./guardduty-ec2-protection-runtime-enabled.html)
+ [guardduty-ecs-protection-runtime-enabled](./guardduty-ecs-protection-runtime-enabled.html)
+ [guardduty-eks-protection-audit-enabled](./guardduty-eks-protection-audit-enabled.html)
+ [guardduty-eks-protection-runtime-enabled](./guardduty-eks-protection-runtime-enabled.html)
+ [guardduty-enabled-centralized](./guardduty-enabled-centralized.html)
+ [guardduty-lambda-protection-enabled](./guardduty-lambda-protection-enabled.html)
+ [guardduty-malware-protection-enabled](./guardduty-malware-protection-enabled.html)
+ [guardduty-non-archived-findings](./guardduty-non-archived-findings.html)
+ [guardduty-rds-protection-enabled](./guardduty-rds-protection-enabled.html)
+ [guardduty-runtime-monitoring-enabled](./guardduty-runtime-monitoring-enabled.html)
+ [guardduty-s3-protection-enabled](./guardduty-s3-protection-enabled.html)
+ [iam-customer-policy-blocked-kms-actions](./iam-customer-policy-blocked-kms-actions.html)
+ [iam-external-access-analyzer-enabled](./iam-external-access-analyzer-enabled.html)
+ [iam-group-has-users-check](./iam-group-has-users-check.html)
+ [iam-inline-policy-blocked-kms-actions](./iam-inline-policy-blocked-kms-actions.html)
+ [iam-no-inline-policy-check](./iam-no-inline-policy-check.html)
+ [iam-password-policy](./iam-password-policy.html)
+ [iam-policy-blacklisted-check](./iam-policy-blacklisted-check.html)
+ [iam-policy-description](./iam-policy-description.html)
+ [iam-policy-in-use](./iam-policy-in-use.html)
+ [iam-policy-no-statements-with-admin-access](./iam-policy-no-statements-with-admin-access.html)
+ [iam-policy-no-statements-with-full-access](./iam-policy-no-statements-with-full-access.html)
+ [iam-role-managed-policy-check](./iam-role-managed-policy-check.html)
+ [iam-root-access-key-check](./iam-root-access-key-check.html)
+ [iam-user-group-membership-check](./iam-user-group-membership-check.html)
+ [iam-user-mfa-enabled](./iam-user-mfa-enabled.html)
+ [iam-user-no-policies-check](./iam-user-no-policies-check.html)
+ [iam-user-unused-credentials-check](./iam-user-unused-credentials-check.html)
+ [imagebuilder-distributionconfiguration-tagged](./imagebuilder-distributionconfiguration-tagged.html)
+ [imagebuilder-imagepipeline-tagged](./imagebuilder-imagepipeline-tagged.html)
+ [imagebuilder-imagerecipe-ebs-volumes-encrypted](./imagebuilder-imagerecipe-ebs-volumes-encrypted.html)
+ [imagebuilder-imagerecipe-tagged](./imagebuilder-imagerecipe-tagged.html)
+ [imagebuilder-infrastructureconfiguration-tagged](./imagebuilder-infrastructureconfiguration-tagged.html)
+ [incoming-ssh-disabled](./incoming-ssh-disabled.html)
+ [inspector-ec2-scan-enabled](./inspector-ec2-scan-enabled.html)
+ [inspector-ecr-scan-enabled](./inspector-ecr-scan-enabled.html)
+ [inspector-lambda-code-scan-enabled](./inspector-lambda-code-scan-enabled.html)
+ [inspector-lambda-standard-scan-enabled](./inspector-lambda-standard-scan-enabled.html)
+ [instances-in-vpc](./instances-in-vpc.html)
+ [internet-gateway-authorized-vpc-only](./internet-gateway-authorized-vpc-only.html)
+ [iotdevicedefender-custom-metric-tagged](./iotdevicedefender-custom-metric-tagged.html)
+ [iotevents-alarm-model-tagged](./iotevents-alarm-model-tagged.html)
+ [iotevents-detector-model-tagged](./iotevents-detector-model-tagged.html)
+ [iotevents-input-tagged](./iotevents-input-tagged.html)
+ [iotsitewise-asset-model-tagged](./iotsitewise-asset-model-tagged.html)
+ [iotsitewise-dashboard-tagged](./iotsitewise-dashboard-tagged.html)
+ [iotsitewise-gateway-tagged](./iotsitewise-gateway-tagged.html)
+ [iotsitewise-portal-tagged](./iotsitewise-portal-tagged.html)
+ [iotsitewise-project-tagged](./iotsitewise-project-tagged.html)
+ [iottwinmaker-component-type-tagged](./iottwinmaker-component-type-tagged.html)
+ [iottwinmaker-entity-tagged](./iottwinmaker-entity-tagged.html)
+ [iottwinmaker-scene-tagged](./iottwinmaker-scene-tagged.html)
+ [iottwinmaker-sync-job-tagged](./iottwinmaker-sync-job-tagged.html)
+ [iottwinmaker-workspace-tagged](./iottwinmaker-workspace-tagged.html)
+ [iotwireless-fuota-task-tagged](./iotwireless-fuota-task-tagged.html)
+ [iotwireless-multicast-group-tagged](./iotwireless-multicast-group-tagged.html)
+ [iotwireless-service-profile-tagged](./iotwireless-service-profile-tagged.html)
+ [iot-authorizer-token-signing-enabled](./iot-authorizer-token-signing-enabled.html)
+ [iot-job-template-tagged](./iot-job-template-tagged.html)
+ [iot-provisioning-template-description](./iot-provisioning-template-description.html)
+ [iot-provisioning-template-jitp](./iot-provisioning-template-jitp.html)
+ [iot-provisioning-template-tagged](./iot-provisioning-template-tagged.html)
+ [iot-scheduled-audit-tagged](./iot-scheduled-audit-tagged.html)
+ [ivs-channel-playback-authorization-enabled](./ivs-channel-playback-authorization-enabled.html)
+ [ivs-channel-tagged](./ivs-channel-tagged.html)
+ [ivs-playback-key-pair-tagged](./ivs-playback-key-pair-tagged.html)
+ [ivs-recording-configuration-tagged](./ivs-recording-configuration-tagged.html)
+ [kinesisvideo-signalingchannel-tagged](./kinesisvideo-signalingchannel-tagged.html)
+ [kinesisvideo-stream-tagged](./kinesisvideo-stream-tagged.html)
+ [kinesis-firehose-delivery-stream-encrypted](./kinesis-firehose-delivery-stream-encrypted.html)
+ [kinesis-stream-backup-retention-check](./kinesis-stream-backup-retention-check.html)
+ [kinesis-stream-encrypted](./kinesis-stream-encrypted.html)
+ [kinesis-video-stream-minimum-data-retention](./kinesis-video-stream-minimum-data-retention.html)
+ [kms-cmk-not-scheduled-for-deletion](./kms-cmk-not-scheduled-for-deletion.html)
+ [kms-key-policy-no-public-access](./kms-key-policy-no-public-access.html)
+ [kms-key-tagged](./kms-key-tagged.html)
+ [lambda-concurrency-check](./lambda-concurrency-check.html)
+ [lambda-dlq-check](./lambda-dlq-check.html)
+ [lambda-function-application-log-level-check](./lambda-function-application-log-level-check.html)
+ [lambda-function-description](./lambda-function-description.html)
+ [lambda-function-log-format-json](./lambda-function-log-format-json.html)
+ [lambda-function-public-access-prohibited](./lambda-function-public-access-prohibited.html)
+ [lambda-function-settings-check](./lambda-function-settings-check.html)
+ [lambda-function-system-log-level-check](./lambda-function-system-log-level-check.html)
+ [lambda-function-xray-enabled](./lambda-function-xray-enabled.html)
+ [lambda-inside-vpc](./lambda-inside-vpc.html)
+ [lambda-vpc-multi-az-check](./lambda-vpc-multi-az-check.html)
+ [lightsail-bucket-allow-public-overrides-disabled](./lightsail-bucket-allow-public-overrides-disabled.html)
+ [lightsail-bucket-object-versioning-enabled](./lightsail-bucket-object-versioning-enabled.html)
+ [lightsail-bucket-tagged](./lightsail-bucket-tagged.html)
+ [lightsail-certificate-tagged](./lightsail-certificate-tagged.html)
+ [lightsail-disk-tagged](./lightsail-disk-tagged.html)
+ [macie-auto-sensitive-data-discovery-check](./macie-auto-sensitive-data-discovery-check.html)
+ [macie-status-check](./macie-status-check.html)
+ [mariadb-publish-logs-to-cloudwatch-logs](./mariadb-publish-logs-to-cloudwatch-logs.html)
+ [mediapackage-packagingconfiguration-tagged](./mediapackage-packagingconfiguration-tagged.html)
+ [mediatailor-playbackconfiguration-tagged](./mediatailor-playbackconfiguration-tagged.html)
+ [memorydb-subnetgroup-tagged](./memorydb-subnetgroup-tagged.html)
+ [mfa-enabled-for-iam-console-access](./mfa-enabled-for-iam-console-access.html)
+ [mq-active-broker-ldap-authentication](./mq-active-broker-ldap-authentication.html)
+ [mq-active-deployment-mode](./mq-active-deployment-mode.html)
+ [mq-active-single-instance-broker-storage-type-efs](./mq-active-single-instance-broker-storage-type-efs.html)
+ [mq-automatic-minor-version-upgrade-enabled](./mq-automatic-minor-version-upgrade-enabled.html)
+ [mq-auto-minor-version-upgrade-enabled](./mq-auto-minor-version-upgrade-enabled.html)
+ [mq-broker-general-logging-enabled](./mq-broker-general-logging-enabled.html)
+ [mq-cloudwatch-audit-logging-enabled](./mq-cloudwatch-audit-logging-enabled.html)
+ [mq-cloudwatch-audit-log-enabled](./mq-cloudwatch-audit-log-enabled.html)
+ [mq-no-public-access](./mq-no-public-access.html)
+ [mq-rabbit-deployment-mode](./mq-rabbit-deployment-mode.html)
+ [msk-cluster-public-access-disabled](./msk-cluster-public-access-disabled.html)
+ [msk-cluster-tagged](./msk-cluster-tagged.html)
+ [msk-connect-connector-logging-enabled](./msk-connect-connector-logging-enabled.html)
+ [msk-enhanced-monitoring-enabled](./msk-enhanced-monitoring-enabled.html)
+ [msk-in-cluster-node-require-tls](./msk-in-cluster-node-require-tls.html)
+ [msk-unrestricted-access-check](./msk-unrestricted-access-check.html)
+ [multi-region-cloud-trail-enabled](./multi-region-cloud-trail-enabled.html)
+ [nacl-no-unrestricted-ssh-rdp](./nacl-no-unrestricted-ssh-rdp.html)
+ [neptune-cluster-backup-retention-check](./neptune-cluster-backup-retention-check.html)
+ [neptune-cluster-cloudwatch-log-export-enabled](./neptune-cluster-cloudwatch-log-export-enabled.html)
+ [neptune-cluster-copy-tags-to-snapshot-enabled](./neptune-cluster-copy-tags-to-snapshot-enabled.html)
+ [neptune-cluster-deletion-protection-enabled](./neptune-cluster-deletion-protection-enabled.html)
+ [neptune-cluster-encrypted](./neptune-cluster-encrypted.html)
+ [neptune-cluster-iam-database-authentication](./neptune-cluster-iam-database-authentication.html)
+ [neptune-cluster-multi-az-enabled](./neptune-cluster-multi-az-enabled.html)
+ [neptune-cluster-snapshot-encrypted](./neptune-cluster-snapshot-encrypted.html)
+ [neptune-cluster-snapshot-iam-database-auth-enabled](./neptune-cluster-snapshot-iam-database-auth-enabled.html)
+ [neptune-cluster-snapshot-public-prohibited](./neptune-cluster-snapshot-public-prohibited.html)
+ [netfw-deletion-protection-enabled](./netfw-deletion-protection-enabled.html)
+ [netfw-logging-enabled](./netfw-logging-enabled.html)
+ [netfw-multi-az-enabled](./netfw-multi-az-enabled.html)
+ [netfw-policy-default-action-fragment-packets](./netfw-policy-default-action-fragment-packets.html)
+ [netfw-policy-default-action-full-packets](./netfw-policy-default-action-full-packets.html)
+ [netfw-policy-rule-group-associated](./netfw-policy-rule-group-associated.html)
+ [netfw-stateless-rule-group-not-empty](./netfw-stateless-rule-group-not-empty.html)
+ [netfw-subnet-change-protection-enabled](./netfw-subnet-change-protection-enabled.html)
+ [nlb-cross-zone-load-balancing-enabled](./nlb-cross-zone-load-balancing-enabled.html)
+ [nlb-internal-scheme-check](./nlb-internal-scheme-check.html)
+ [nlb-listener-tagged](./nlb-listener-tagged.html)
+ [nlb-logging-enabled](./nlb-logging-enabled.html)
+ [nlb-tagged](./nlb-tagged.html)
+ [no-unrestricted-route-to-igw](./no-unrestricted-route-to-igw.html)
+ [opensearchserverless-collection-description](./opensearchserverless-collection-description.html)
+ [opensearchserverless-collection-standbyreplicas-enabled](./opensearchserverless-collection-standbyreplicas-enabled.html)
+ [opensearch-access-control-enabled](./opensearch-access-control-enabled.html)
+ [opensearch-audit-logging-enabled](./opensearch-audit-logging-enabled.html)
+ [opensearch-data-node-fault-tolerance](./opensearch-data-node-fault-tolerance.html)
+ [opensearch-encrypted-at-rest](./opensearch-encrypted-at-rest.html)
+ [opensearch-https-required](./opensearch-https-required.html)
+ [opensearch-in-vpc-only](./opensearch-in-vpc-only.html)
+ [opensearch-logs-to-cloudwatch](./opensearch-logs-to-cloudwatch.html)
+ [opensearch-node-to-node-encryption-check](./opensearch-node-to-node-encryption-check.html)
+ [opensearch-primary-node-fault-tolerance](./opensearch-primary-node-fault-tolerance.html)
+ [opensearch-update-check](./opensearch-update-check.html)
+ [rabbit-mq-supported-version](./rabbit-mq-supported-version.html)
+ [rds-aurora-mysql-audit-logging-enabled](./rds-aurora-mysql-audit-logging-enabled.html)
+ [rds-aurora-postgresql-logs-to-cloudwatch](./rds-aurora-postgresql-logs-to-cloudwatch.html)
+ [rds-automatic-minor-version-upgrade-enabled](./rds-automatic-minor-version-upgrade-enabled.html)
+ [rds-cluster-auto-minor-version-upgrade-enable](./rds-cluster-auto-minor-version-upgrade-enable.html)
+ [rds-cluster-backup-retention-check](./rds-cluster-backup-retention-check.html)
+ [rds-cluster-default-admin-check](./rds-cluster-default-admin-check.html)
+ [rds-cluster-deletion-protection-enabled](./rds-cluster-deletion-protection-enabled.html)
+ [rds-cluster-encrypted-at-rest](./rds-cluster-encrypted-at-rest.html)
+ [rds-cluster-iam-authentication-enabled](./rds-cluster-iam-authentication-enabled.html)
+ [rds-cluster-multi-az-enabled](./rds-cluster-multi-az-enabled.html)
+ [rds-enhanced-monitoring-enabled](./rds-enhanced-monitoring-enabled.html)
+ [rds-event-subscription-tagged](./rds-event-subscription-tagged.html)
+ [rds-global-cluster-aurora-mysql-supported-version](./rds-global-cluster-aurora-mysql-supported-version.html)
+ [rds-instance-default-admin-check](./rds-instance-default-admin-check.html)
+ [rds-instance-deletion-protection-enabled](./rds-instance-deletion-protection-enabled.html)
+ [rds-instance-iam-authentication-enabled](./rds-instance-iam-authentication-enabled.html)
+ [rds-instance-public-access-check](./rds-instance-public-access-check.html)
+ [rds-instance-subnet-igw-check](./rds-instance-subnet-igw-check.html)
+ [rds-in-backup-plan](./rds-in-backup-plan.html)
+ [rds-last-backup-recovery-point-created](./rds-last-backup-recovery-point-created.html)
+ [rds-logging-enabled](./rds-logging-enabled.html)
+ [rds-mariadb-instance-encrypted-in-transit](./rds-mariadb-instance-encrypted-in-transit.html)
+ [rds-meets-restore-time-target](./rds-meets-restore-time-target.html)
+ [rds-multi-az-support](./rds-multi-az-support.html)
+ [rds-mysql-cluster-copy-tags-to-snapshot-check](./rds-mysql-cluster-copy-tags-to-snapshot-check.html)
+ [rds-mysql-instance-encrypted-in-transit](./rds-mysql-instance-encrypted-in-transit.html)
+ [rds-option-group-tagged](./rds-option-group-tagged.html)
+ [rds-pgsql-cluster-copy-tags-to-snapshot-check](./rds-pgsql-cluster-copy-tags-to-snapshot-check.html)
+ [rds-postgresql-logs-to-cloudwatch](./rds-postgresql-logs-to-cloudwatch.html)
+ [rds-postgres-instance-encrypted-in-transit](./rds-postgres-instance-encrypted-in-transit.html)
+ [rds-proxy-tls-encryption](./rds-proxy-tls-encryption.html)
+ [rds-resources-protected-by-backup-plan](./rds-resources-protected-by-backup-plan.html)
+ [rds-snapshots-public-prohibited](./rds-snapshots-public-prohibited.html)
+ [rds-snapshot-encrypted](./rds-snapshot-encrypted.html)
+ [rds-sqlserver-encrypted-in-transit](./rds-sqlserver-encrypted-in-transit.html)
+ [rds-sql-server-logs-to-cloudwatch](./rds-sql-server-logs-to-cloudwatch.html)
+ [rds-storage-encrypted](./rds-storage-encrypted.html)
+ [redshift-audit-logging-enabled](./redshift-audit-logging-enabled.html)
+ [redshift-backup-enabled](./redshift-backup-enabled.html)
+ [redshift-cluster-configuration-check](./redshift-cluster-configuration-check.html)
+ [redshift-cluster-kms-enabled](./redshift-cluster-kms-enabled.html)
+ [redshift-cluster-maintenancesettings-check](./redshift-cluster-maintenancesettings-check.html)
+ [redshift-cluster-multi-az-enabled](./redshift-cluster-multi-az-enabled.html)
+ [redshift-cluster-parameter-group-tagged](./redshift-cluster-parameter-group-tagged.html)
+ [redshift-cluster-public-access-check](./redshift-cluster-public-access-check.html)
+ [redshift-cluster-subnet-group-multi-az](./redshift-cluster-subnet-group-multi-az.html)
+ [redshift-default-admin-check](./redshift-default-admin-check.html)
+ [redshift-default-db-name-check](./redshift-default-db-name-check.html)
+ [redshift-enhanced-vpc-routing-enabled](./redshift-enhanced-vpc-routing-enabled.html)
+ [redshift-require-tls-ssl](./redshift-require-tls-ssl.html)
+ [redshift-serverless-default-admin-check](./redshift-serverless-default-admin-check.html)
+ [redshift-serverless-default-db-name-check](./redshift-serverless-default-db-name-check.html)
+ [redshift-serverless-namespace-cmk-encryption](./redshift-serverless-namespace-cmk-encryption.html)
+ [redshift-serverless-publish-logs-to-cloudwatch](./redshift-serverless-publish-logs-to-cloudwatch.html)
+ [redshift-serverless-workgroup-encrypted-in-transit](./redshift-serverless-workgroup-encrypted-in-transit.html)
+ [redshift-serverless-workgroup-no-public-access](./redshift-serverless-workgroup-no-public-access.html)
+ [redshift-serverless-workgroup-routes-within-vpc](./redshift-serverless-workgroup-routes-within-vpc.html)
+ [redshift-unrestricted-port-access](./redshift-unrestricted-port-access.html)
+ [required-tags](./required-tags.html)
+ [resiliencehub-app-tagged](./resiliencehub-app-tagged.html)
+ [resiliencehub-resiliencypolicy-tagged](./resiliencehub-resiliencypolicy-tagged.html)
+ [restricted-incoming-traffic](./restricted-incoming-traffic.html)
+ [root-account-hardware-mfa-enabled](./root-account-hardware-mfa-enabled.html)
+ [root-account-mfa-enabled](./root-account-mfa-enabled.html)
+ [route53-resolver-firewall-domain-list-tagged](./route53-resolver-firewall-domain-list-tagged.html)
+ [route53-resolver-firewall-rule-group-association-tagged](./route53-resolver-firewall-rule-group-association-tagged.html)
+ [route53-resolver-firewall-rule-group-tagged](./route53-resolver-firewall-rule-group-tagged.html)
+ [route53-resolver-resolver-endpoint-tagged](./route53-resolver-resolver-endpoint-tagged.html)
+ [route53-resolver-resolver-rule-tagged](./route53-resolver-resolver-rule-tagged.html)
+ [rum-app-monitor-cloudwatch-logs-enabled](./rum-app-monitor-cloudwatch-logs-enabled.html)
+ [rum-app-monitor-tagged](./rum-app-monitor-tagged.html)
+ [s3-access-point-in-vpc-only](./s3-access-point-in-vpc-only.html)
+ [s3-access-point-public-access-blocks](./s3-access-point-public-access-blocks.html)
+ [s3-account-level-public-access-blocks](./s3-account-level-public-access-blocks.html)
+ [s3-account-level-public-access-blocks-periodic](./s3-account-level-public-access-blocks-periodic.html)
+ [s3-bucket-acl-prohibited](./s3-bucket-acl-prohibited.html)
+ [s3-bucket-blacklisted-actions-prohibited](./s3-bucket-blacklisted-actions-prohibited.html)
+ [s3-bucket-cross-region-replication-enabled](./s3-bucket-cross-region-replication-enabled.html)
+ [s3-bucket-default-lock-enabled](./s3-bucket-default-lock-enabled.html)
+ [s3-bucket-level-public-access-prohibited](./s3-bucket-level-public-access-prohibited.html)
+ [s3-bucket-logging-enabled](./s3-bucket-logging-enabled.html)
+ [s3-bucket-mfa-delete-enabled](./s3-bucket-mfa-delete-enabled.html)
+ [s3-bucket-policy-grantee-check](./s3-bucket-policy-grantee-check.html)
+ [s3-bucket-policy-not-more-permissive](./s3-bucket-policy-not-more-permissive.html)
+ [s3-bucket-public-read-prohibited](./s3-bucket-public-read-prohibited.html)
+ [s3-bucket-public-write-prohibited](./s3-bucket-public-write-prohibited.html)
+ [s3-bucket-replication-enabled](./s3-bucket-replication-enabled.html)
+ [s3-bucket-server-side-encryption-enabled](./s3-bucket-server-side-encryption-enabled.html)
+ [s3-bucket-ssl-requests-only](./s3-bucket-ssl-requests-only.html)
+ [s3-bucket-tagged](./s3-bucket-tagged.html)
+ [s3-bucket-versioning-enabled](./s3-bucket-versioning-enabled.html)
+ [s3-default-encryption-kms](./s3-default-encryption-kms.html)
+ [s3-event-notifications-enabled](./s3-event-notifications-enabled.html)
+ [s3-last-backup-recovery-point-created](./s3-last-backup-recovery-point-created.html)
+ [s3-lifecycle-policy-check](./s3-lifecycle-policy-check.html)
+ [s3-meets-restore-time-target](./s3-meets-restore-time-target.html)
+ [s3-resources-in-logically-air-gapped-vault](./s3-resources-in-logically-air-gapped-vault.html)
+ [s3-resources-protected-by-backup-plan](./s3-resources-protected-by-backup-plan.html)
+ [s3-version-lifecycle-policy-check](./s3-version-lifecycle-policy-check.html)
+ [sagemaker-app-image-config-tagged](./sagemaker-app-image-config-tagged.html)
+ [sagemaker-data-quality-job-encrypt-in-transit](./sagemaker-data-quality-job-encrypt-in-transit.html)
+ [sagemaker-data-quality-job-isolation](./sagemaker-data-quality-job-isolation.html)
+ [sagemaker-domain-in-vpc](./sagemaker-domain-in-vpc.html)
+ [sagemaker-domain-tagged](./sagemaker-domain-tagged.html)
+ [sagemaker-endpoint-configuration-kms-key-configured](./sagemaker-endpoint-configuration-kms-key-configured.html)
+ [sagemaker-endpoint-config-prod-instance-count](./sagemaker-endpoint-config-prod-instance-count.html)
+ [sagemaker-featuregroup-description](./sagemaker-featuregroup-description.html)
+ [sagemaker-featuregroup-encryption-at-rest](./sagemaker-featuregroup-encryption-at-rest.html)
+ [sagemaker-feature-group-tagged](./sagemaker-feature-group-tagged.html)
+ [sagemaker-image-description](./sagemaker-image-description.html)
+ [sagemaker-image-tagged](./sagemaker-image-tagged.html)
+ [sagemaker-inferenceexperiment-tagged](./sagemaker-inferenceexperiment-tagged.html)
+ [sagemaker-model-bias-job-encrypt-in-transit](./sagemaker-model-bias-job-encrypt-in-transit.html)
+ [sagemaker-model-bias-job-isolation](./sagemaker-model-bias-job-isolation.html)
+ [sagemaker-model-explainability-job-encrypt-in-transit](./sagemaker-model-explainability-job-encrypt-in-transit.html)
+ [sagemaker-model-in-vpc](./sagemaker-model-in-vpc.html)
+ [sagemaker-model-isolation-enabled](./sagemaker-model-isolation-enabled.html)
+ [sagemaker-model-quality-job-encrypt-in-transit](./sagemaker-model-quality-job-encrypt-in-transit.html)
+ [sagemaker-monitoring-schedule-isolation](./sagemaker-monitoring-schedule-isolation.html)
+ [sagemaker-notebook-instance-inside-vpc](./sagemaker-notebook-instance-inside-vpc.html)
+ [sagemaker-notebook-instance-kms-key-configured](./sagemaker-notebook-instance-kms-key-configured.html)
+ [sagemaker-notebook-instance-platform-version](./sagemaker-notebook-instance-platform-version.html)
+ [sagemaker-notebook-instance-root-access-check](./sagemaker-notebook-instance-root-access-check.html)
+ [sagemaker-notebook-no-direct-internet-access](./sagemaker-notebook-no-direct-internet-access.html)
+ [secretsmanager-rotation-enabled-check](./secretsmanager-rotation-enabled-check.html)
+ [secretsmanager-scheduled-rotation-success-check](./secretsmanager-scheduled-rotation-success-check.html)
+ [secretsmanager-secret-periodic-rotation](./secretsmanager-secret-periodic-rotation.html)
+ [secretsmanager-secret-unused](./secretsmanager-secret-unused.html)
+ [secretsmanager-using-cmk](./secretsmanager-using-cmk.html)
+ [securityhub-enabled](./securityhub-enabled.html)
+ [security-account-information-provided](./security-account-information-provided.html)
+ [service-catalog-portfolio-tagged](./service-catalog-portfolio-tagged.html)
+ [service-catalog-shared-within-organization](./service-catalog-shared-within-organization.html)
+ [service-vpc-endpoint-enabled](./service-vpc-endpoint-enabled.html)
+ [ses-sending-tls-required](./ses-sending-tls-required.html)
+ [signer-signingprofile-tagged](./signer-signingprofile-tagged.html)
+ [sns-encrypted-kms](./sns-encrypted-kms.html)
+ [sns-topic-message-delivery-notification-enabled](./sns-topic-message-delivery-notification-enabled.html)
+ [sns-topic-no-public-access](./sns-topic-no-public-access.html)
+ [sqs-queue-dlq-check](./sqs-queue-dlq-check.html)
+ [sqs-queue-no-public-access](./sqs-queue-no-public-access.html)
+ [sqs-queue-policy-full-access-check](./sqs-queue-policy-full-access-check.html)
+ [ssm-automation-block-public-sharing](./ssm-automation-block-public-sharing.html)
+ [ssm-automation-logging-enabled](./ssm-automation-logging-enabled.html)
+ [ssm-document-not-public](./ssm-document-not-public.html)
+ [ssm-document-tagged](./ssm-document-tagged.html)
+ [stepfunctions-state-machine-tagged](./stepfunctions-state-machine-tagged.html)
+ [step-functions-state-machine-logging-enabled](./step-functions-state-machine-logging-enabled.html)
+ [storagegateway-last-backup-recovery-point-created](./storagegateway-last-backup-recovery-point-created.html)
+ [storagegateway-resources-in-logically-air-gapped-vault](./storagegateway-resources-in-logically-air-gapped-vault.html)
+ [storagegateway-resources-protected-by-backup-plan](./storagegateway-resources-protected-by-backup-plan.html)
+ [subnet-auto-assign-public-ip-disabled](./subnet-auto-assign-public-ip-disabled.html)
+ [transfer-agreement-description](./transfer-agreement-description.html)
+ [transfer-agreement-tagged](./transfer-agreement-tagged.html)
+ [transfer-certificate-description](./transfer-certificate-description.html)
+ [transfer-certificate-tagged](./transfer-certificate-tagged.html)
+ [transfer-connector-as2-encryption-algorithm-check](./transfer-connector-as2-encryption-algorithm-check.html)
+ [transfer-connector-as2-mdn-signing-algorithm-check](./transfer-connector-as2-mdn-signing-algorithm-check.html)
+ [transfer-connector-as2-signing-algorithm-check](./transfer-connector-as2-signing-algorithm-check.html)
+ [transfer-connector-logging-enabled](./transfer-connector-logging-enabled.html)
+ [transfer-connector-tagged](./transfer-connector-tagged.html)
+ [transfer-family-server-no-ftp](./transfer-family-server-no-ftp.html)
+ [transfer-profile-tagged](./transfer-profile-tagged.html)
+ [transfer-workflow-description](./transfer-workflow-description.html)
+ [transfer-workflow-tagged](./transfer-workflow-tagged.html)
+ [virtualmachine-last-backup-recovery-point-created](./virtualmachine-last-backup-recovery-point-created.html)
+ [virtualmachine-resources-in-logically-air-gapped-vault](./virtualmachine-resources-in-logically-air-gapped-vault.html)
+ [virtualmachine-resources-protected-by-backup-plan](./virtualmachine-resources-protected-by-backup-plan.html)
+ [vpc-default-security-group-closed](./vpc-default-security-group-closed.html)
+ [vpc-endpoint-enabled](./vpc-endpoint-enabled.html)
+ [vpc-flow-logs-enabled](./vpc-flow-logs-enabled.html)
+ [vpc-network-acl-unused-check](./vpc-network-acl-unused-check.html)
+ [vpc-peering-dns-resolution-check](./vpc-peering-dns-resolution-check.html)
+ [vpc-sg-open-only-to-authorized-ports](./vpc-sg-open-only-to-authorized-ports.html)
+ [vpc-sg-port-restriction-check](./vpc-sg-port-restriction-check.html)
+ [vpc-vpn-2-tunnels-up](./vpc-vpn-2-tunnels-up.html)
+ [wafv2-logging-enabled](./wafv2-logging-enabled.html)
+ [wafv2-rulegroup-logging-enabled](./wafv2-rulegroup-logging-enabled.html)
+ [wafv2-rulegroup-not-empty](./wafv2-rulegroup-not-empty.html)
+ [wafv2-webacl-not-empty](./wafv2-webacl-not-empty.html)
+ [waf-global-rulegroup-not-empty](./waf-global-rulegroup-not-empty.html)
+ [waf-global-rule-not-empty](./waf-global-rule-not-empty.html)
+ [waf-regional-rulegroup-not-empty](./waf-regional-rulegroup-not-empty.html)
+ [waf-regional-rule-not-empty](./waf-regional-rule-not-empty.html)
+ [waf-regional-webacl-not-empty](./waf-regional-webacl-not-empty.html)
+ [workspaces-connection-alias-tagged](./workspaces-connection-alias-tagged.html)
+ [workspaces-root-volume-encryption-enabled](./workspaces-root-volume-encryption-enabled.html)
+ [workspaces-user-volume-encryption-enabled](./workspaces-user-volume-encryption-enabled.html)
+ [workspaces-workspace-tagged](./workspaces-workspace-tagged.html)

## Europe (Ireland) Region
<a name="europe-ireland-section-head"></a>

### Europe (Ireland)
<a name="europe-ireland"></a>
+ [access-keys-rotated](./access-keys-rotated.html)
+ [account-part-of-organizations](./account-part-of-organizations.html)
+ [acmpca-certificate-authority-tagged](./acmpca-certificate-authority-tagged.html)
+ [acm-certificate-expiration-check](./acm-certificate-expiration-check.html)
+ [acm-certificate-rsa-check](./acm-certificate-rsa-check.html)
+ [acm-certificate-transparent-logging-enabled](./acm-certificate-transparent-logging-enabled.html)
+ [acm-pca-root-ca-disabled](./acm-pca-root-ca-disabled.html)
+ [active-mq-supported-version](./active-mq-supported-version.html)
+ [alb-desync-mode-check](./alb-desync-mode-check.html)
+ [alb-http-drop-invalid-header-enabled](./alb-http-drop-invalid-header-enabled.html)
+ [alb-http-to-https-redirection-check](./alb-http-to-https-redirection-check.html)
+ [alb-internal-scheme-check](./alb-internal-scheme-check.html)
+ [alb-listener-tagged](./alb-listener-tagged.html)
+ [alb-tagged](./alb-tagged.html)
+ [alb-waf-enabled](./alb-waf-enabled.html)
+ [amplify-app-branch-auto-deletion-enabled](./amplify-app-branch-auto-deletion-enabled.html)
+ [amplify-app-build-spec-configured](./amplify-app-build-spec-configured.html)
+ [amplify-app-description](./amplify-app-description.html)
+ [amplify-app-no-environment-variables](./amplify-app-no-environment-variables.html)
+ [amplify-app-platform-check](./amplify-app-platform-check.html)
+ [amplify-app-tagged](./amplify-app-tagged.html)
+ [amplify-branch-auto-build-enabled](./amplify-branch-auto-build-enabled.html)
+ [amplify-branch-build-spec-configured](./amplify-branch-build-spec-configured.html)
+ [amplify-branch-description](./amplify-branch-description.html)
+ [amplify-branch-framework-configured](./amplify-branch-framework-configured.html)
+ [amplify-branch-performance-mode-enabled](./amplify-branch-performance-mode-enabled.html)
+ [amplify-branch-pull-request-preview-enabled](./amplify-branch-pull-request-preview-enabled.html)
+ [amplify-branch-tagged](./amplify-branch-tagged.html)
+ [apigatewayv2-integration-private-https-enabled](./apigatewayv2-integration-private-https-enabled.html)
+ [apigatewayv2-stage-description](./apigatewayv2-stage-description.html)
+ [apigateway-domain-name-tls-check](./apigateway-domain-name-tls-check.html)
+ [apigateway-stage-access-logs-enabled](./apigateway-stage-access-logs-enabled.html)
+ [apigateway-stage-description](./apigateway-stage-description.html)
+ [api-gwv2-access-logs-enabled](./api-gwv2-access-logs-enabled.html)
+ [api-gwv2-authorization-type-configured](./api-gwv2-authorization-type-configured.html)
+ [api-gwv2-stage-default-route-detailed-metrics-enabled](./api-gwv2-stage-default-route-detailed-metrics-enabled.html)
+ [api-gw-associated-with-waf](./api-gw-associated-with-waf.html)
+ [api-gw-cache-enabled-and-encrypted](./api-gw-cache-enabled-and-encrypted.html)
+ [api-gw-endpoint-type-check](./api-gw-endpoint-type-check.html)
+ [api-gw-execution-logging-enabled](./api-gw-execution-logging-enabled.html)
+ [api-gw-rest-api-tagged](./api-gw-rest-api-tagged.html)
+ [api-gw-ssl-enabled](./api-gw-ssl-enabled.html)
+ [api-gw-stage-tagged](./api-gw-stage-tagged.html)
+ [api-gw-xray-enabled](./api-gw-xray-enabled.html)
+ [appconfig-application-description](./appconfig-application-description.html)
+ [appconfig-application-tagged](./appconfig-application-tagged.html)
+ [appconfig-configuration-profile-tagged](./appconfig-configuration-profile-tagged.html)
+ [appconfig-configuration-profile-validators-not-empty](./appconfig-configuration-profile-validators-not-empty.html)
+ [appconfig-deployment-strategy-description](./appconfig-deployment-strategy-description.html)
+ [appconfig-deployment-strategy-minimum-final-bake-time](./appconfig-deployment-strategy-minimum-final-bake-time.html)
+ [appconfig-deployment-strategy-replicate-to-ssm](./appconfig-deployment-strategy-replicate-to-ssm.html)
+ [appconfig-deployment-strategy-tagged](./appconfig-deployment-strategy-tagged.html)
+ [appconfig-environment-description](./appconfig-environment-description.html)
+ [appconfig-environment-tagged](./appconfig-environment-tagged.html)
+ [appconfig-extension-association-tagged](./appconfig-extension-association-tagged.html)
+ [appconfig-freeform-profile-config-storage](./appconfig-freeform-profile-config-storage.html)
+ [appconfig-hosted-configuration-version-description](./appconfig-hosted-configuration-version-description.html)
+ [appflow-flow-tagged](./appflow-flow-tagged.html)
+ [appflow-flow-trigger-type-check](./appflow-flow-trigger-type-check.html)
+ [appmesh-gateway-route-tagged](./appmesh-gateway-route-tagged.html)
+ [appmesh-mesh-deny-tcp-forwarding](./appmesh-mesh-deny-tcp-forwarding.html)
+ [appmesh-mesh-ip-pref-check](./appmesh-mesh-ip-pref-check.html)
+ [appmesh-mesh-tagged](./appmesh-mesh-tagged.html)
+ [appmesh-route-tagged](./appmesh-route-tagged.html)
+ [appmesh-virtual-gateway-backend-defaults-tls](./appmesh-virtual-gateway-backend-defaults-tls.html)
+ [appmesh-virtual-gateway-listeners-health-check-enabled](./appmesh-virtual-gateway-listeners-health-check-enabled.html)
+ [appmesh-virtual-gateway-logging-file-path-exists](./appmesh-virtual-gateway-logging-file-path-exists.html)
+ [appmesh-virtual-gateway-tagged](./appmesh-virtual-gateway-tagged.html)
+ [appmesh-virtual-node-backend-defaults-tls-on](./appmesh-virtual-node-backend-defaults-tls-on.html)
+ [appmesh-virtual-node-cloud-map-ip-pref-check](./appmesh-virtual-node-cloud-map-ip-pref-check.html)
+ [appmesh-virtual-node-dns-ip-pref-check](./appmesh-virtual-node-dns-ip-pref-check.html)
+ [appmesh-virtual-node-listeners-health-check-enabled](./appmesh-virtual-node-listeners-health-check-enabled.html)
+ [appmesh-virtual-node-listeners-outlier-detect-enabled](./appmesh-virtual-node-listeners-outlier-detect-enabled.html)
+ [appmesh-virtual-node-logging-file-path-exists](./appmesh-virtual-node-logging-file-path-exists.html)
+ [appmesh-virtual-node-service-backends-tls-enforced](./appmesh-virtual-node-service-backends-tls-enforced.html)
+ [appmesh-virtual-node-tagged](./appmesh-virtual-node-tagged.html)
+ [appmesh-virtual-router-tagged](./appmesh-virtual-router-tagged.html)
+ [appmesh-virtual-service-tagged](./appmesh-virtual-service-tagged.html)
+ [approved-amis-by-id](./approved-amis-by-id.html)
+ [approved-amis-by-tag](./approved-amis-by-tag.html)
+ [apprunner-service-in-vpc](./apprunner-service-in-vpc.html)
+ [apprunner-service-ip-address-type-check](./apprunner-service-ip-address-type-check.html)
+ [apprunner-service-max-unhealthy-threshold](./apprunner-service-max-unhealthy-threshold.html)
+ [apprunner-service-no-public-access](./apprunner-service-no-public-access.html)
+ [apprunner-service-observability-enabled](./apprunner-service-observability-enabled.html)
+ [apprunner-service-tagged](./apprunner-service-tagged.html)
+ [apprunner-vpc-connector-tagged](./apprunner-vpc-connector-tagged.html)
+ [appstream-fleet-in-vpc](./appstream-fleet-in-vpc.html)
+ [appsync-associated-with-waf](./appsync-associated-with-waf.html)
+ [appsync-authorization-check](./appsync-authorization-check.html)
+ [appsync-cache-encryption-at-rest](./appsync-cache-encryption-at-rest.html)
+ [appsync-graphql-api-xray-enabled](./appsync-graphql-api-xray-enabled.html)
+ [appsync-logging-enabled](./appsync-logging-enabled.html)
+ [aps-rule-groups-namespace-tagged](./aps-rule-groups-namespace-tagged.html)
+ [athena-data-catalog-description](./athena-data-catalog-description.html)
+ [athena-prepared-statement-description](./athena-prepared-statement-description.html)
+ [athena-workgroup-description](./athena-workgroup-description.html)
+ [athena-workgroup-encrypted-at-rest](./athena-workgroup-encrypted-at-rest.html)
+ [athena-workgroup-enforce-workgroup-configuration](./athena-workgroup-enforce-workgroup-configuration.html)
+ [athena-workgroup-engine-version-auto-upgrade](./athena-workgroup-engine-version-auto-upgrade.html)
+ [athena-workgroup-logging-enabled](./athena-workgroup-logging-enabled.html)
+ [auditmanager-assessment-tagged](./auditmanager-assessment-tagged.html)
+ [aurora-global-database-encryption-at-rest](./aurora-global-database-encryption-at-rest.html)
+ [aurora-last-backup-recovery-point-created](./aurora-last-backup-recovery-point-created.html)
+ [aurora-meets-restore-time-target](./aurora-meets-restore-time-target.html)
+ [aurora-mysql-backtracking-enabled](./aurora-mysql-backtracking-enabled.html)
+ [aurora-mysql-cluster-audit-logging](./aurora-mysql-cluster-audit-logging.html)
+ [aurora-resources-in-logically-air-gapped-vault](./aurora-resources-in-logically-air-gapped-vault.html)
+ [aurora-resources-protected-by-backup-plan](./aurora-resources-protected-by-backup-plan.html)
+ [autoscaling-capacity-rebalancing](./autoscaling-capacity-rebalancing.html)
+ [autoscaling-group-elb-healthcheck-required](./autoscaling-group-elb-healthcheck-required.html)
+ [autoscaling-launchconfig-requires-imdsv2](./autoscaling-launchconfig-requires-imdsv2.html)
+ [autoscaling-launch-config-hop-limit](./autoscaling-launch-config-hop-limit.html)
+ [autoscaling-launch-config-public-ip-disabled](./autoscaling-launch-config-public-ip-disabled.html)
+ [autoscaling-launch-template](./autoscaling-launch-template.html)
+ [autoscaling-multiple-az](./autoscaling-multiple-az.html)
+ [autoscaling-multiple-instance-types](./autoscaling-multiple-instance-types.html)
+ [backup-plan-min-frequency-and-min-retention-check](./backup-plan-min-frequency-and-min-retention-check.html)
+ [backup-recovery-point-encrypted](./backup-recovery-point-encrypted.html)
+ [backup-recovery-point-manual-deletion-disabled](./backup-recovery-point-manual-deletion-disabled.html)
+ [backup-recovery-point-minimum-retention-check](./backup-recovery-point-minimum-retention-check.html)
+ [batch-compute-environment-enabled](./batch-compute-environment-enabled.html)
+ [batch-compute-environment-managed](./batch-compute-environment-managed.html)
+ [batch-compute-environment-tagged](./batch-compute-environment-tagged.html)
+ [batch-job-queue-enabled](./batch-job-queue-enabled.html)
+ [batch-job-queue-tagged](./batch-job-queue-tagged.html)
+ [batch-managed-compute-environment-using-launch-template](./batch-managed-compute-environment-using-launch-template.html)
+ [batch-managed-compute-env-allocation-strategy-check](./batch-managed-compute-env-allocation-strategy-check.html)
+ [batch-managed-compute-env-compute-resources-tagged](./batch-managed-compute-env-compute-resources-tagged.html)
+ [batch-managed-spot-compute-environment-max-bid](./batch-managed-spot-compute-environment-max-bid.html)
+ [batch-scheduling-policy-tagged](./batch-scheduling-policy-tagged.html)
+ [beanstalk-enhanced-health-reporting-enabled](./beanstalk-enhanced-health-reporting-enabled.html)
+ [cassandra-keyspace-tagged](./cassandra-keyspace-tagged.html)
+ [clb-desync-mode-check](./clb-desync-mode-check.html)
+ [clb-multiple-az](./clb-multiple-az.html)
+ [cloudformation-stack-drift-detection-check](./cloudformation-stack-drift-detection-check.html)
+ [cloudformation-stack-notification-check](./cloudformation-stack-notification-check.html)
+ [cloudformation-stack-service-role-check](./cloudformation-stack-service-role-check.html)
+ [cloudformation-termination-protection-check](./cloudformation-termination-protection-check.html)
+ [cloudtrail-all-read-s3-data-event-check](./cloudtrail-all-read-s3-data-event-check.html)
+ [cloudtrail-all-write-s3-data-event-check](./cloudtrail-all-write-s3-data-event-check.html)
+ [cloudtrail-event-data-store-multi-region](./cloudtrail-event-data-store-multi-region.html)
+ [cloudtrail-s3-bucket-access-logging](./cloudtrail-s3-bucket-access-logging.html)
+ [cloudtrail-s3-bucket-public-access-prohibited](./cloudtrail-s3-bucket-public-access-prohibited.html)
+ [cloudtrail-s3-dataevents-enabled](./cloudtrail-s3-dataevents-enabled.html)
+ [cloudtrail-security-trail-enabled](./cloudtrail-security-trail-enabled.html)
+ [cloudwatch-alarm-action-check](./cloudwatch-alarm-action-check.html)
+ [cloudwatch-alarm-action-enabled-check](./cloudwatch-alarm-action-enabled-check.html)
+ [cloudwatch-alarm-description](./cloudwatch-alarm-description.html)
+ [cloudwatch-alarm-resource-check](./cloudwatch-alarm-resource-check.html)
+ [cloudwatch-alarm-settings-check](./cloudwatch-alarm-settings-check.html)
+ [cloudwatch-log-group-encrypted](./cloudwatch-log-group-encrypted.html)
+ [cloudwatch-metric-stream-tagged](./cloudwatch-metric-stream-tagged.html)
+ [cloud-trail-cloud-watch-logs-enabled](./cloud-trail-cloud-watch-logs-enabled.html)
+ [cloud-trail-enabled](./cloud-trail-enabled.html)
+ [cloud-trail-encryption-enabled](./cloud-trail-encryption-enabled.html)
+ [cloud-trail-log-file-validation-enabled](./cloud-trail-log-file-validation-enabled.html)
+ [cmk-backing-key-rotation-enabled](./cmk-backing-key-rotation-enabled.html)
+ [codeartifact-repository-tagged](./codeartifact-repository-tagged.html)
+ [codebuild-project-artifact-encryption](./codebuild-project-artifact-encryption.html)
+ [codebuild-project-environment-privileged-check](./codebuild-project-environment-privileged-check.html)
+ [codebuild-project-envvar-awscred-check](./codebuild-project-envvar-awscred-check.html)
+ [codebuild-project-logging-enabled](./codebuild-project-logging-enabled.html)
+ [codebuild-project-s3-logs-encrypted](./codebuild-project-s3-logs-encrypted.html)
+ [codebuild-project-source-repo-url-check](./codebuild-project-source-repo-url-check.html)
+ [codebuild-project-tagged](./codebuild-project-tagged.html)
+ [codebuild-report-group-encrypted-at-rest](./codebuild-report-group-encrypted-at-rest.html)
+ [codebuild-report-group-tagged](./codebuild-report-group-tagged.html)
+ [codedeploy-auto-rollback-monitor-enabled](./codedeploy-auto-rollback-monitor-enabled.html)
+ [codedeploy-deployment-group-auto-rollback-enabled](./codedeploy-deployment-group-auto-rollback-enabled.html)
+ [codedeploy-deployment-group-outdated-instances-update](./codedeploy-deployment-group-outdated-instances-update.html)
+ [codedeploy-ec2-minimum-healthy-hosts-configured](./codedeploy-ec2-minimum-healthy-hosts-configured.html)
+ [codedeploy-lambda-allatonce-traffic-shift-disabled](./codedeploy-lambda-allatonce-traffic-shift-disabled.html)
+ [codeguruprofiler-profiling-group-tagged](./codeguruprofiler-profiling-group-tagged.html)
+ [codegurureviewer-repository-association-tagged](./codegurureviewer-repository-association-tagged.html)
+ [codepipeline-deployment-count-check](./codepipeline-deployment-count-check.html)
+ [codepipeline-region-fanout-check](./codepipeline-region-fanout-check.html)
+ [cognito-identity-pool-unauthenticated-logins](./cognito-identity-pool-unauthenticated-logins.html)
+ [cognito-identity-pool-unauth-access-check](./cognito-identity-pool-unauth-access-check.html)
+ [cognito-userpool-cust-auth-threat-full-check](./cognito-userpool-cust-auth-threat-full-check.html)
+ [cognito-user-pool-advanced-security-enabled](./cognito-user-pool-advanced-security-enabled.html)
+ [cognito-user-pool-deletion-protection-enabled](./cognito-user-pool-deletion-protection-enabled.html)
+ [cognito-user-pool-mfa-enabled](./cognito-user-pool-mfa-enabled.html)
+ [cognito-user-pool-password-policy-check](./cognito-user-pool-password-policy-check.html)
+ [cognito-user-pool-tagged](./cognito-user-pool-tagged.html)
+ [custom-eventbus-policy-attached](./custom-eventbus-policy-attached.html)
+ [custom-schema-registry-policy-attached](./custom-schema-registry-policy-attached.html)
+ [cw-loggroup-retention-period-check](./cw-loggroup-retention-period-check.html)
+ [datasync-location-object-storage-using-https](./datasync-location-object-storage-using-https.html)
+ [datasync-task-data-verification-enabled](./datasync-task-data-verification-enabled.html)
+ [datasync-task-logging-enabled](./datasync-task-logging-enabled.html)
+ [datasync-task-tagged](./datasync-task-tagged.html)
+ [dax-encryption-enabled](./dax-encryption-enabled.html)
+ [dax-tls-endpoint-encryption](./dax-tls-endpoint-encryption.html)
+ [db-instance-backup-enabled](./db-instance-backup-enabled.html)
+ [desired-instance-tenancy](./desired-instance-tenancy.html)
+ [desired-instance-type](./desired-instance-type.html)
+ [dms-auto-minor-version-upgrade-check](./dms-auto-minor-version-upgrade-check.html)
+ [dms-endpoint-ssl-configured](./dms-endpoint-ssl-configured.html)
+ [dms-endpoint-tagged](./dms-endpoint-tagged.html)
+ [dms-mongo-db-authentication-enabled](./dms-mongo-db-authentication-enabled.html)
+ [dms-neptune-iam-authorization-enabled](./dms-neptune-iam-authorization-enabled.html)
+ [dms-redis-tls-enabled](./dms-redis-tls-enabled.html)
+ [dms-replication-instance-multi-az-enabled](./dms-replication-instance-multi-az-enabled.html)
+ [dms-replication-not-public](./dms-replication-not-public.html)
+ [dms-replication-task-sourcedb-logging](./dms-replication-task-sourcedb-logging.html)
+ [dms-replication-task-tagged](./dms-replication-task-tagged.html)
+ [dms-replication-task-targetdb-logging](./dms-replication-task-targetdb-logging.html)
+ [docdb-cluster-audit-logging-enabled](./docdb-cluster-audit-logging-enabled.html)
+ [docdb-cluster-backup-retention-check](./docdb-cluster-backup-retention-check.html)
+ [docdb-cluster-deletion-protection-enabled](./docdb-cluster-deletion-protection-enabled.html)
+ [docdb-cluster-encrypted](./docdb-cluster-encrypted.html)
+ [docdb-cluster-encrypted-in-transit](./docdb-cluster-encrypted-in-transit.html)
+ [docdb-cluster-snapshot-public-prohibited](./docdb-cluster-snapshot-public-prohibited.html)
+ [dynamodb-autoscaling-enabled](./dynamodb-autoscaling-enabled.html)
+ [dynamodb-in-backup-plan](./dynamodb-in-backup-plan.html)
+ [dynamodb-last-backup-recovery-point-created](./dynamodb-last-backup-recovery-point-created.html)
+ [dynamodb-meets-restore-time-target](./dynamodb-meets-restore-time-target.html)
+ [dynamodb-pitr-enabled](./dynamodb-pitr-enabled.html)
+ [dynamodb-resources-protected-by-backup-plan](./dynamodb-resources-protected-by-backup-plan.html)
+ [dynamodb-table-deletion-protection-enabled](./dynamodb-table-deletion-protection-enabled.html)
+ [dynamodb-table-encrypted-kms](./dynamodb-table-encrypted-kms.html)
+ [dynamodb-table-encryption-enabled](./dynamodb-table-encryption-enabled.html)
+ [dynamodb-throughput-limit-check](./dynamodb-throughput-limit-check.html)
+ [ebs-in-backup-plan](./ebs-in-backup-plan.html)
+ [ebs-last-backup-recovery-point-created](./ebs-last-backup-recovery-point-created.html)
+ [ebs-meets-restore-time-target](./ebs-meets-restore-time-target.html)
+ [ebs-optimized-instance](./ebs-optimized-instance.html)
+ [ebs-resources-in-logically-air-gapped-vault](./ebs-resources-in-logically-air-gapped-vault.html)
+ [ebs-resources-protected-by-backup-plan](./ebs-resources-protected-by-backup-plan.html)
+ [ebs-snapshot-block-public-access](./ebs-snapshot-block-public-access.html)
+ [ebs-snapshot-public-restorable-check](./ebs-snapshot-public-restorable-check.html)
+ [ec2-capacity-reservation-tagged](./ec2-capacity-reservation-tagged.html)
+ [ec2-carrier-gateway-tagged](./ec2-carrier-gateway-tagged.html)
+ [ec2-client-vpn-connection-log-enabled](./ec2-client-vpn-connection-log-enabled.html)
+ [ec2-client-vpn-endpoint-tagged](./ec2-client-vpn-endpoint-tagged.html)
+ [ec2-client-vpn-not-authorize-all](./ec2-client-vpn-not-authorize-all.html)
+ [ec2-dhcp-options-tagged](./ec2-dhcp-options-tagged.html)
+ [ec2-ebs-encryption-by-default](./ec2-ebs-encryption-by-default.html)
+ [ec2-enis-source-destination-check-enabled](./ec2-enis-source-destination-check-enabled.html)
+ [ec2-fleet-tagged](./ec2-fleet-tagged.html)
+ [ec2-imdsv2-check](./ec2-imdsv2-check.html)
+ [ec2-instance-detailed-monitoring-enabled](./ec2-instance-detailed-monitoring-enabled.html)
+ [ec2-instance-launched-with-allowed-ami](./ec2-instance-launched-with-allowed-ami.html)
+ [ec2-instance-managed-by-ssm](./ec2-instance-managed-by-ssm.html)
+ [ec2-instance-multiple-eni-check](./ec2-instance-multiple-eni-check.html)
+ [ec2-instance-no-public-ip](./ec2-instance-no-public-ip.html)
+ [ec2-instance-profile-attached](./ec2-instance-profile-attached.html)
+ [ec2-ipamscope-tagged](./ec2-ipamscope-tagged.html)
+ [ec2-last-backup-recovery-point-created](./ec2-last-backup-recovery-point-created.html)
+ [ec2-launchtemplate-ebs-encrypted](./ec2-launchtemplate-ebs-encrypted.html)
+ [ec2-launch-templates-ebs-volume-encrypted](./ec2-launch-templates-ebs-volume-encrypted.html)
+ [ec2-launch-template-imdsv2-check](./ec2-launch-template-imdsv2-check.html)
+ [ec2-launch-template-public-ip-disabled](./ec2-launch-template-public-ip-disabled.html)
+ [ec2-launch-template-tagged](./ec2-launch-template-tagged.html)
+ [ec2-managedinstance-applications-blacklisted](./ec2-managedinstance-applications-blacklisted.html)
+ [ec2-managedinstance-applications-required](./ec2-managedinstance-applications-required.html)
+ [ec2-managedinstance-association-compliance-status-check](./ec2-managedinstance-association-compliance-status-check.html)
+ [ec2-managedinstance-inventory-blacklisted](./ec2-managedinstance-inventory-blacklisted.html)
+ [ec2-managedinstance-patch-compliance-status-check](./ec2-managedinstance-patch-compliance-status-check.html)
+ [ec2-managedinstance-platform-check](./ec2-managedinstance-platform-check.html)
+ [ec2-meets-restore-time-target](./ec2-meets-restore-time-target.html)
+ [ec2-network-insights-access-scope-analysis-tagged](./ec2-network-insights-access-scope-analysis-tagged.html)
+ [ec2-network-insights-access-scope-tagged](./ec2-network-insights-access-scope-tagged.html)
+ [ec2-network-insights-analysis-tagged](./ec2-network-insights-analysis-tagged.html)
+ [ec2-network-insights-path-tagged](./ec2-network-insights-path-tagged.html)
+ [ec2-no-amazon-key-pair](./ec2-no-amazon-key-pair.html)
+ [ec2-paravirtual-instance-check](./ec2-paravirtual-instance-check.html)
+ [ec2-prefix-list-tagged](./ec2-prefix-list-tagged.html)
+ [ec2-resources-in-logically-air-gapped-vault](./ec2-resources-in-logically-air-gapped-vault.html)
+ [ec2-resources-protected-by-backup-plan](./ec2-resources-protected-by-backup-plan.html)
+ [ec2-security-group-attached-to-eni](./ec2-security-group-attached-to-eni.html)
+ [ec2-security-group-attached-to-eni-periodic](./ec2-security-group-attached-to-eni-periodic.html)
+ [ec2-spot-fleet-request-ct-encryption-at-rest](./ec2-spot-fleet-request-ct-encryption-at-rest.html)
+ [ec2-stopped-instance](./ec2-stopped-instance.html)
+ [ec2-token-hop-limit-check](./ec2-token-hop-limit-check.html)
+ [ec2-traffic-mirror-filter-description](./ec2-traffic-mirror-filter-description.html)
+ [ec2-traffic-mirror-filter-tagged](./ec2-traffic-mirror-filter-tagged.html)
+ [ec2-traffic-mirror-session-description](./ec2-traffic-mirror-session-description.html)
+ [ec2-traffic-mirror-session-tagged](./ec2-traffic-mirror-session-tagged.html)
+ [ec2-traffic-mirror-target-description](./ec2-traffic-mirror-target-description.html)
+ [ec2-traffic-mirror-target-tagged](./ec2-traffic-mirror-target-tagged.html)
+ [ec2-transit-gateway-auto-vpc-attach-disabled](./ec2-transit-gateway-auto-vpc-attach-disabled.html)
+ [ec2-transit-gateway-multicast-domain-tagged](./ec2-transit-gateway-multicast-domain-tagged.html)
+ [ec2-volume-inuse-check](./ec2-volume-inuse-check.html)
+ [ec2-vpn-connection-ike-version-check](./ec2-vpn-connection-ike-version-check.html)
+ [ec2-vpn-connection-logging-enabled](./ec2-vpn-connection-logging-enabled.html)
+ [ec2-vpn-connection-tagged](./ec2-vpn-connection-tagged.html)
+ [ecr-private-image-scanning-enabled](./ecr-private-image-scanning-enabled.html)
+ [ecr-private-lifecycle-policy-configured](./ecr-private-lifecycle-policy-configured.html)
+ [ecr-private-tag-immutability-enabled](./ecr-private-tag-immutability-enabled.html)
+ [ecr-repository-cmk-encryption-enabled](./ecr-repository-cmk-encryption-enabled.html)
+ [ecr-repository-tagged](./ecr-repository-tagged.html)
+ [ecs-awsvpc-networking-enabled](./ecs-awsvpc-networking-enabled.html)
+ [ecs-capacity-provider-tagged](./ecs-capacity-provider-tagged.html)
+ [ecs-capacity-provider-termination-check](./ecs-capacity-provider-termination-check.html)
+ [ecs-containers-nonprivileged](./ecs-containers-nonprivileged.html)
+ [ecs-containers-readonly-access](./ecs-containers-readonly-access.html)
+ [ecs-container-insights-enabled](./ecs-container-insights-enabled.html)
+ [ecs-fargate-latest-platform-version](./ecs-fargate-latest-platform-version.html)
+ [ecs-no-environment-secrets](./ecs-no-environment-secrets.html)
+ [ecs-service-propagate-tags-enabled](./ecs-service-propagate-tags-enabled.html)
+ [ecs-task-definition-efs-encryption-enabled](./ecs-task-definition-efs-encryption-enabled.html)
+ [ecs-task-definition-linux-user-non-root](./ecs-task-definition-linux-user-non-root.html)
+ [ecs-task-definition-log-configuration](./ecs-task-definition-log-configuration.html)
+ [ecs-task-definition-memory-hard-limit](./ecs-task-definition-memory-hard-limit.html)
+ [ecs-task-definition-network-mode-not-host](./ecs-task-definition-network-mode-not-host.html)
+ [ecs-task-definition-nonroot-user](./ecs-task-definition-nonroot-user.html)
+ [ecs-task-definition-pid-mode-check](./ecs-task-definition-pid-mode-check.html)
+ [ecs-task-definition-user-for-host-mode-check](./ecs-task-definition-user-for-host-mode-check.html)
+ [ecs-task-definition-windows-user-non-admin](./ecs-task-definition-windows-user-non-admin.html)
+ [efs-access-point-enforce-root-directory](./efs-access-point-enforce-root-directory.html)
+ [efs-access-point-enforce-user-identity](./efs-access-point-enforce-user-identity.html)
+ [efs-automatic-backups-enabled](./efs-automatic-backups-enabled.html)
+ [efs-encrypted-check](./efs-encrypted-check.html)
+ [efs-filesystem-ct-encrypted](./efs-filesystem-ct-encrypted.html)
+ [efs-file-system-tagged](./efs-file-system-tagged.html)
+ [efs-in-backup-plan](./efs-in-backup-plan.html)
+ [efs-last-backup-recovery-point-created](./efs-last-backup-recovery-point-created.html)
+ [efs-meets-restore-time-target](./efs-meets-restore-time-target.html)
+ [efs-mount-target-public-accessible](./efs-mount-target-public-accessible.html)
+ [efs-resources-in-logically-air-gapped-vault](./efs-resources-in-logically-air-gapped-vault.html)
+ [efs-resources-protected-by-backup-plan](./efs-resources-protected-by-backup-plan.html)
+ [eip-attached](./eip-attached.html)
+ [eks-addon-tagged](./eks-addon-tagged.html)
+ [eks-cluster-logging-enabled](./eks-cluster-logging-enabled.html)
+ [eks-cluster-log-enabled](./eks-cluster-log-enabled.html)
+ [eks-cluster-oldest-supported-version](./eks-cluster-oldest-supported-version.html)
+ [eks-cluster-secrets-encrypted](./eks-cluster-secrets-encrypted.html)
+ [eks-cluster-supported-version](./eks-cluster-supported-version.html)
+ [eks-endpoint-no-public-access](./eks-endpoint-no-public-access.html)
+ [eks-fargate-profile-tagged](./eks-fargate-profile-tagged.html)
+ [eks-nodegroup-supported-version-check](./eks-nodegroup-supported-version-check.html)
+ [eks-secrets-encrypted](./eks-secrets-encrypted.html)
+ [elasticache-automatic-backup-check-enabled](./elasticache-automatic-backup-check-enabled.html)
+ [elasticache-auto-minor-version-upgrade-check](./elasticache-auto-minor-version-upgrade-check.html)
+ [elasticache-rbac-auth-enabled](./elasticache-rbac-auth-enabled.html)
+ [elasticache-redis-cluster-automatic-backup-check](./elasticache-redis-cluster-automatic-backup-check.html)
+ [elasticache-repl-grp-auto-failover-enabled](./elasticache-repl-grp-auto-failover-enabled.html)
+ [elasticache-repl-grp-encrypted-at-rest](./elasticache-repl-grp-encrypted-at-rest.html)
+ [elasticache-repl-grp-encrypted-in-transit](./elasticache-repl-grp-encrypted-in-transit.html)
+ [elasticache-repl-grp-redis-auth-enabled](./elasticache-repl-grp-redis-auth-enabled.html)
+ [elasticache-subnet-group-check](./elasticache-subnet-group-check.html)
+ [elasticache-supported-engine-version](./elasticache-supported-engine-version.html)
+ [elasticbeanstalk-application-description](./elasticbeanstalk-application-description.html)
+ [elasticbeanstalk-application-version-description](./elasticbeanstalk-application-version-description.html)
+ [elasticbeanstalk-environment-description](./elasticbeanstalk-environment-description.html)
+ [elasticsearch-encrypted-at-rest](./elasticsearch-encrypted-at-rest.html)
+ [elasticsearch-in-vpc-only](./elasticsearch-in-vpc-only.html)
+ [elasticsearch-logs-to-cloudwatch](./elasticsearch-logs-to-cloudwatch.html)
+ [elasticsearch-node-to-node-encryption-check](./elasticsearch-node-to-node-encryption-check.html)
+ [elastic-beanstalk-logs-to-cloudwatch](./elastic-beanstalk-logs-to-cloudwatch.html)
+ [elastic-beanstalk-managed-updates-enabled](./elastic-beanstalk-managed-updates-enabled.html)
+ [elbv2-acm-certificate-required](./elbv2-acm-certificate-required.html)
+ [elbv2-listener-encryption-in-transit](./elbv2-listener-encryption-in-transit.html)
+ [elbv2-multiple-az](./elbv2-multiple-az.html)
+ [elbv2-predefined-security-policy-ssl-check](./elbv2-predefined-security-policy-ssl-check.html)
+ [elbv2-targetgroup-healthcheck-protocol-encrypted](./elbv2-targetgroup-healthcheck-protocol-encrypted.html)
+ [elbv2-targetgroup-protocol-encrypted](./elbv2-targetgroup-protocol-encrypted.html)
+ [elb-acm-certificate-required](./elb-acm-certificate-required.html)
+ [elb-cross-zone-load-balancing-enabled](./elb-cross-zone-load-balancing-enabled.html)
+ [elb-custom-security-policy-ssl-check](./elb-custom-security-policy-ssl-check.html)
+ [elb-deletion-protection-enabled](./elb-deletion-protection-enabled.html)
+ [elb-internal-scheme-check](./elb-internal-scheme-check.html)
+ [elb-logging-enabled](./elb-logging-enabled.html)
+ [elb-predefined-security-policy-ssl-check](./elb-predefined-security-policy-ssl-check.html)
+ [elb-tagged](./elb-tagged.html)
+ [elb-tls-https-listeners-only](./elb-tls-https-listeners-only.html)
+ [emr-block-public-access](./emr-block-public-access.html)
+ [emr-kerberos-enabled](./emr-kerberos-enabled.html)
+ [emr-master-no-public-ip](./emr-master-no-public-ip.html)
+ [emr-security-configuration-encryption-rest](./emr-security-configuration-encryption-rest.html)
+ [emr-security-configuration-encryption-transit](./emr-security-configuration-encryption-transit.html)
+ [encrypted-volumes](./encrypted-volumes.html)
+ [eventschemas-discoverer-tagged](./eventschemas-discoverer-tagged.html)
+ [eventschemas-registry-tagged](./eventschemas-registry-tagged.html)
+ [event-data-store-cmk-encryption-enabled](./event-data-store-cmk-encryption-enabled.html)
+ [evidently-launch-description](./evidently-launch-description.html)
+ [evidently-launch-tagged](./evidently-launch-tagged.html)
+ [evidently-project-description](./evidently-project-description.html)
+ [evidently-project-tagged](./evidently-project-tagged.html)
+ [evidently-segment-description](./evidently-segment-description.html)
+ [evidently-segment-tagged](./evidently-segment-tagged.html)
+ [fis-experiment-template-log-configuration-exists](./fis-experiment-template-log-configuration-exists.html)
+ [fis-experiment-template-tagged](./fis-experiment-template-tagged.html)
+ [fms-shield-resource-policy-check](./fms-shield-resource-policy-check.html)
+ [fms-webacl-resource-policy-check](./fms-webacl-resource-policy-check.html)
+ [fms-webacl-rulegroup-association-check](./fms-webacl-rulegroup-association-check.html)
+ [frauddetector-entity-type-tagged](./frauddetector-entity-type-tagged.html)
+ [frauddetector-label-tagged](./frauddetector-label-tagged.html)
+ [frauddetector-outcome-tagged](./frauddetector-outcome-tagged.html)
+ [frauddetector-variable-tagged](./frauddetector-variable-tagged.html)
+ [fsx-last-backup-recovery-point-created](./fsx-last-backup-recovery-point-created.html)
+ [fsx-lustre-copy-tags-to-backups](./fsx-lustre-copy-tags-to-backups.html)
+ [fsx-meets-restore-time-target](./fsx-meets-restore-time-target.html)
+ [fsx-ontap-deployment-type-check](./fsx-ontap-deployment-type-check.html)
+ [fsx-openzfs-copy-tags-enabled](./fsx-openzfs-copy-tags-enabled.html)
+ [fsx-openzfs-deployment-type-check](./fsx-openzfs-deployment-type-check.html)
+ [fsx-resources-protected-by-backup-plan](./fsx-resources-protected-by-backup-plan.html)
+ [fsx-windows-audit-log-configured](./fsx-windows-audit-log-configured.html)
+ [fsx-windows-deployment-type-check](./fsx-windows-deployment-type-check.html)
+ [glb-listener-tagged](./glb-listener-tagged.html)
+ [glb-tagged](./glb-tagged.html)
+ [global-endpoint-event-replication-enabled](./global-endpoint-event-replication-enabled.html)
+ [glue-job-logging-enabled](./glue-job-logging-enabled.html)
+ [glue-ml-transform-encrypted-at-rest](./glue-ml-transform-encrypted-at-rest.html)
+ [glue-ml-transform-tagged](./glue-ml-transform-tagged.html)
+ [glue-spark-job-supported-version](./glue-spark-job-supported-version.html)
+ [groundstation-config-tagged](./groundstation-config-tagged.html)
+ [groundstation-dataflowendpointgroup-tagged](./groundstation-dataflowendpointgroup-tagged.html)
+ [groundstation-missionprofile-tagged](./groundstation-missionprofile-tagged.html)
+ [guardduty-ec2-protection-runtime-enabled](./guardduty-ec2-protection-runtime-enabled.html)
+ [guardduty-ecs-protection-runtime-enabled](./guardduty-ecs-protection-runtime-enabled.html)
+ [guardduty-eks-protection-audit-enabled](./guardduty-eks-protection-audit-enabled.html)
+ [guardduty-eks-protection-runtime-enabled](./guardduty-eks-protection-runtime-enabled.html)
+ [guardduty-enabled-centralized](./guardduty-enabled-centralized.html)
+ [guardduty-lambda-protection-enabled](./guardduty-lambda-protection-enabled.html)
+ [guardduty-malware-protection-enabled](./guardduty-malware-protection-enabled.html)
+ [guardduty-non-archived-findings](./guardduty-non-archived-findings.html)
+ [guardduty-rds-protection-enabled](./guardduty-rds-protection-enabled.html)
+ [guardduty-runtime-monitoring-enabled](./guardduty-runtime-monitoring-enabled.html)
+ [guardduty-s3-protection-enabled](./guardduty-s3-protection-enabled.html)
+ [iam-customer-policy-blocked-kms-actions](./iam-customer-policy-blocked-kms-actions.html)
+ [iam-external-access-analyzer-enabled](./iam-external-access-analyzer-enabled.html)
+ [iam-group-has-users-check](./iam-group-has-users-check.html)
+ [iam-inline-policy-blocked-kms-actions](./iam-inline-policy-blocked-kms-actions.html)
+ [iam-no-inline-policy-check](./iam-no-inline-policy-check.html)
+ [iam-password-policy](./iam-password-policy.html)
+ [iam-policy-blacklisted-check](./iam-policy-blacklisted-check.html)
+ [iam-policy-description](./iam-policy-description.html)
+ [iam-policy-in-use](./iam-policy-in-use.html)
+ [iam-policy-no-statements-with-admin-access](./iam-policy-no-statements-with-admin-access.html)
+ [iam-policy-no-statements-with-full-access](./iam-policy-no-statements-with-full-access.html)
+ [iam-role-managed-policy-check](./iam-role-managed-policy-check.html)
+ [iam-root-access-key-check](./iam-root-access-key-check.html)
+ [iam-user-group-membership-check](./iam-user-group-membership-check.html)
+ [iam-user-mfa-enabled](./iam-user-mfa-enabled.html)
+ [iam-user-no-policies-check](./iam-user-no-policies-check.html)
+ [iam-user-unused-credentials-check](./iam-user-unused-credentials-check.html)
+ [imagebuilder-distributionconfiguration-tagged](./imagebuilder-distributionconfiguration-tagged.html)
+ [imagebuilder-imagepipeline-tagged](./imagebuilder-imagepipeline-tagged.html)
+ [imagebuilder-imagerecipe-ebs-volumes-encrypted](./imagebuilder-imagerecipe-ebs-volumes-encrypted.html)
+ [imagebuilder-imagerecipe-tagged](./imagebuilder-imagerecipe-tagged.html)
+ [imagebuilder-infrastructureconfiguration-tagged](./imagebuilder-infrastructureconfiguration-tagged.html)
+ [incoming-ssh-disabled](./incoming-ssh-disabled.html)
+ [inspector-ec2-scan-enabled](./inspector-ec2-scan-enabled.html)
+ [inspector-ecr-scan-enabled](./inspector-ecr-scan-enabled.html)
+ [inspector-lambda-code-scan-enabled](./inspector-lambda-code-scan-enabled.html)
+ [inspector-lambda-standard-scan-enabled](./inspector-lambda-standard-scan-enabled.html)
+ [instances-in-vpc](./instances-in-vpc.html)
+ [internet-gateway-authorized-vpc-only](./internet-gateway-authorized-vpc-only.html)
+ [iotdevicedefender-custom-metric-tagged](./iotdevicedefender-custom-metric-tagged.html)
+ [iotevents-alarm-model-tagged](./iotevents-alarm-model-tagged.html)
+ [iotevents-detector-model-tagged](./iotevents-detector-model-tagged.html)
+ [iotevents-input-tagged](./iotevents-input-tagged.html)
+ [iotsitewise-asset-model-tagged](./iotsitewise-asset-model-tagged.html)
+ [iotsitewise-dashboard-tagged](./iotsitewise-dashboard-tagged.html)
+ [iotsitewise-gateway-tagged](./iotsitewise-gateway-tagged.html)
+ [iotsitewise-portal-tagged](./iotsitewise-portal-tagged.html)
+ [iotsitewise-project-tagged](./iotsitewise-project-tagged.html)
+ [iottwinmaker-component-type-tagged](./iottwinmaker-component-type-tagged.html)
+ [iottwinmaker-entity-tagged](./iottwinmaker-entity-tagged.html)
+ [iottwinmaker-scene-tagged](./iottwinmaker-scene-tagged.html)
+ [iottwinmaker-sync-job-tagged](./iottwinmaker-sync-job-tagged.html)
+ [iottwinmaker-workspace-tagged](./iottwinmaker-workspace-tagged.html)
+ [iotwireless-fuota-task-tagged](./iotwireless-fuota-task-tagged.html)
+ [iotwireless-multicast-group-tagged](./iotwireless-multicast-group-tagged.html)
+ [iotwireless-service-profile-tagged](./iotwireless-service-profile-tagged.html)
+ [iot-authorizer-token-signing-enabled](./iot-authorizer-token-signing-enabled.html)
+ [iot-job-template-tagged](./iot-job-template-tagged.html)
+ [iot-provisioning-template-description](./iot-provisioning-template-description.html)
+ [iot-provisioning-template-jitp](./iot-provisioning-template-jitp.html)
+ [iot-provisioning-template-tagged](./iot-provisioning-template-tagged.html)
+ [iot-scheduled-audit-tagged](./iot-scheduled-audit-tagged.html)
+ [ivs-channel-playback-authorization-enabled](./ivs-channel-playback-authorization-enabled.html)
+ [ivs-channel-tagged](./ivs-channel-tagged.html)
+ [ivs-playback-key-pair-tagged](./ivs-playback-key-pair-tagged.html)
+ [ivs-recording-configuration-tagged](./ivs-recording-configuration-tagged.html)
+ [kendra-index-tagged](./kendra-index-tagged.html)
+ [kinesisvideo-signalingchannel-tagged](./kinesisvideo-signalingchannel-tagged.html)
+ [kinesisvideo-stream-tagged](./kinesisvideo-stream-tagged.html)
+ [kinesis-firehose-delivery-stream-encrypted](./kinesis-firehose-delivery-stream-encrypted.html)
+ [kinesis-stream-backup-retention-check](./kinesis-stream-backup-retention-check.html)
+ [kinesis-stream-encrypted](./kinesis-stream-encrypted.html)
+ [kinesis-video-stream-minimum-data-retention](./kinesis-video-stream-minimum-data-retention.html)
+ [kms-cmk-not-scheduled-for-deletion](./kms-cmk-not-scheduled-for-deletion.html)
+ [kms-key-policy-no-public-access](./kms-key-policy-no-public-access.html)
+ [kms-key-tagged](./kms-key-tagged.html)
+ [lambda-concurrency-check](./lambda-concurrency-check.html)
+ [lambda-dlq-check](./lambda-dlq-check.html)
+ [lambda-function-application-log-level-check](./lambda-function-application-log-level-check.html)
+ [lambda-function-description](./lambda-function-description.html)
+ [lambda-function-log-format-json](./lambda-function-log-format-json.html)
+ [lambda-function-public-access-prohibited](./lambda-function-public-access-prohibited.html)
+ [lambda-function-settings-check](./lambda-function-settings-check.html)
+ [lambda-function-system-log-level-check](./lambda-function-system-log-level-check.html)
+ [lambda-function-xray-enabled](./lambda-function-xray-enabled.html)
+ [lambda-inside-vpc](./lambda-inside-vpc.html)
+ [lambda-vpc-multi-az-check](./lambda-vpc-multi-az-check.html)
+ [lightsail-bucket-allow-public-overrides-disabled](./lightsail-bucket-allow-public-overrides-disabled.html)
+ [lightsail-bucket-object-versioning-enabled](./lightsail-bucket-object-versioning-enabled.html)
+ [lightsail-bucket-tagged](./lightsail-bucket-tagged.html)
+ [lightsail-certificate-tagged](./lightsail-certificate-tagged.html)
+ [lightsail-disk-tagged](./lightsail-disk-tagged.html)
+ [macie-auto-sensitive-data-discovery-check](./macie-auto-sensitive-data-discovery-check.html)
+ [macie-status-check](./macie-status-check.html)
+ [mariadb-publish-logs-to-cloudwatch-logs](./mariadb-publish-logs-to-cloudwatch-logs.html)
+ [mediapackage-packagingconfiguration-tagged](./mediapackage-packagingconfiguration-tagged.html)
+ [mediatailor-playbackconfiguration-tagged](./mediatailor-playbackconfiguration-tagged.html)
+ [memorydb-subnetgroup-tagged](./memorydb-subnetgroup-tagged.html)
+ [mfa-enabled-for-iam-console-access](./mfa-enabled-for-iam-console-access.html)
+ [mq-active-broker-ldap-authentication](./mq-active-broker-ldap-authentication.html)
+ [mq-active-deployment-mode](./mq-active-deployment-mode.html)
+ [mq-active-single-instance-broker-storage-type-efs](./mq-active-single-instance-broker-storage-type-efs.html)
+ [mq-automatic-minor-version-upgrade-enabled](./mq-automatic-minor-version-upgrade-enabled.html)
+ [mq-auto-minor-version-upgrade-enabled](./mq-auto-minor-version-upgrade-enabled.html)
+ [mq-broker-general-logging-enabled](./mq-broker-general-logging-enabled.html)
+ [mq-cloudwatch-audit-logging-enabled](./mq-cloudwatch-audit-logging-enabled.html)
+ [mq-cloudwatch-audit-log-enabled](./mq-cloudwatch-audit-log-enabled.html)
+ [mq-no-public-access](./mq-no-public-access.html)
+ [mq-rabbit-deployment-mode](./mq-rabbit-deployment-mode.html)
+ [msk-cluster-public-access-disabled](./msk-cluster-public-access-disabled.html)
+ [msk-cluster-tagged](./msk-cluster-tagged.html)
+ [msk-connect-connector-logging-enabled](./msk-connect-connector-logging-enabled.html)
+ [msk-enhanced-monitoring-enabled](./msk-enhanced-monitoring-enabled.html)
+ [msk-in-cluster-node-require-tls](./msk-in-cluster-node-require-tls.html)
+ [msk-unrestricted-access-check](./msk-unrestricted-access-check.html)
+ [multi-region-cloud-trail-enabled](./multi-region-cloud-trail-enabled.html)
+ [nacl-no-unrestricted-ssh-rdp](./nacl-no-unrestricted-ssh-rdp.html)
+ [neptune-cluster-backup-retention-check](./neptune-cluster-backup-retention-check.html)
+ [neptune-cluster-cloudwatch-log-export-enabled](./neptune-cluster-cloudwatch-log-export-enabled.html)
+ [neptune-cluster-copy-tags-to-snapshot-enabled](./neptune-cluster-copy-tags-to-snapshot-enabled.html)
+ [neptune-cluster-deletion-protection-enabled](./neptune-cluster-deletion-protection-enabled.html)
+ [neptune-cluster-encrypted](./neptune-cluster-encrypted.html)
+ [neptune-cluster-iam-database-authentication](./neptune-cluster-iam-database-authentication.html)
+ [neptune-cluster-multi-az-enabled](./neptune-cluster-multi-az-enabled.html)
+ [neptune-cluster-snapshot-encrypted](./neptune-cluster-snapshot-encrypted.html)
+ [neptune-cluster-snapshot-iam-database-auth-enabled](./neptune-cluster-snapshot-iam-database-auth-enabled.html)
+ [neptune-cluster-snapshot-public-prohibited](./neptune-cluster-snapshot-public-prohibited.html)
+ [netfw-deletion-protection-enabled](./netfw-deletion-protection-enabled.html)
+ [netfw-logging-enabled](./netfw-logging-enabled.html)
+ [netfw-multi-az-enabled](./netfw-multi-az-enabled.html)
+ [netfw-policy-default-action-fragment-packets](./netfw-policy-default-action-fragment-packets.html)
+ [netfw-policy-default-action-full-packets](./netfw-policy-default-action-full-packets.html)
+ [netfw-policy-rule-group-associated](./netfw-policy-rule-group-associated.html)
+ [netfw-stateless-rule-group-not-empty](./netfw-stateless-rule-group-not-empty.html)
+ [netfw-subnet-change-protection-enabled](./netfw-subnet-change-protection-enabled.html)
+ [nlb-cross-zone-load-balancing-enabled](./nlb-cross-zone-load-balancing-enabled.html)
+ [nlb-internal-scheme-check](./nlb-internal-scheme-check.html)
+ [nlb-listener-tagged](./nlb-listener-tagged.html)
+ [nlb-logging-enabled](./nlb-logging-enabled.html)
+ [nlb-tagged](./nlb-tagged.html)
+ [no-unrestricted-route-to-igw](./no-unrestricted-route-to-igw.html)
+ [opensearchserverless-collection-description](./opensearchserverless-collection-description.html)
+ [opensearchserverless-collection-standbyreplicas-enabled](./opensearchserverless-collection-standbyreplicas-enabled.html)
+ [opensearch-access-control-enabled](./opensearch-access-control-enabled.html)
+ [opensearch-audit-logging-enabled](./opensearch-audit-logging-enabled.html)
+ [opensearch-data-node-fault-tolerance](./opensearch-data-node-fault-tolerance.html)
+ [opensearch-encrypted-at-rest](./opensearch-encrypted-at-rest.html)
+ [opensearch-https-required](./opensearch-https-required.html)
+ [opensearch-in-vpc-only](./opensearch-in-vpc-only.html)
+ [opensearch-logs-to-cloudwatch](./opensearch-logs-to-cloudwatch.html)
+ [opensearch-node-to-node-encryption-check](./opensearch-node-to-node-encryption-check.html)
+ [opensearch-primary-node-fault-tolerance](./opensearch-primary-node-fault-tolerance.html)
+ [opensearch-update-check](./opensearch-update-check.html)
+ [panorama-package-tagged](./panorama-package-tagged.html)
+ [rabbit-mq-supported-version](./rabbit-mq-supported-version.html)
+ [rds-aurora-mysql-audit-logging-enabled](./rds-aurora-mysql-audit-logging-enabled.html)
+ [rds-aurora-postgresql-logs-to-cloudwatch](./rds-aurora-postgresql-logs-to-cloudwatch.html)
+ [rds-automatic-minor-version-upgrade-enabled](./rds-automatic-minor-version-upgrade-enabled.html)
+ [rds-cluster-auto-minor-version-upgrade-enable](./rds-cluster-auto-minor-version-upgrade-enable.html)
+ [rds-cluster-backup-retention-check](./rds-cluster-backup-retention-check.html)
+ [rds-cluster-default-admin-check](./rds-cluster-default-admin-check.html)
+ [rds-cluster-deletion-protection-enabled](./rds-cluster-deletion-protection-enabled.html)
+ [rds-cluster-encrypted-at-rest](./rds-cluster-encrypted-at-rest.html)
+ [rds-cluster-iam-authentication-enabled](./rds-cluster-iam-authentication-enabled.html)
+ [rds-cluster-multi-az-enabled](./rds-cluster-multi-az-enabled.html)
+ [rds-db-security-group-not-allowed](./rds-db-security-group-not-allowed.html)
+ [rds-enhanced-monitoring-enabled](./rds-enhanced-monitoring-enabled.html)
+ [rds-event-subscription-tagged](./rds-event-subscription-tagged.html)
+ [rds-global-cluster-aurora-mysql-supported-version](./rds-global-cluster-aurora-mysql-supported-version.html)
+ [rds-instance-default-admin-check](./rds-instance-default-admin-check.html)
+ [rds-instance-deletion-protection-enabled](./rds-instance-deletion-protection-enabled.html)
+ [rds-instance-iam-authentication-enabled](./rds-instance-iam-authentication-enabled.html)
+ [rds-instance-public-access-check](./rds-instance-public-access-check.html)
+ [rds-instance-subnet-igw-check](./rds-instance-subnet-igw-check.html)
+ [rds-in-backup-plan](./rds-in-backup-plan.html)
+ [rds-last-backup-recovery-point-created](./rds-last-backup-recovery-point-created.html)
+ [rds-logging-enabled](./rds-logging-enabled.html)
+ [rds-mariadb-instance-encrypted-in-transit](./rds-mariadb-instance-encrypted-in-transit.html)
+ [rds-meets-restore-time-target](./rds-meets-restore-time-target.html)
+ [rds-multi-az-support](./rds-multi-az-support.html)
+ [rds-mysql-cluster-copy-tags-to-snapshot-check](./rds-mysql-cluster-copy-tags-to-snapshot-check.html)
+ [rds-mysql-instance-encrypted-in-transit](./rds-mysql-instance-encrypted-in-transit.html)
+ [rds-option-group-tagged](./rds-option-group-tagged.html)
+ [rds-pgsql-cluster-copy-tags-to-snapshot-check](./rds-pgsql-cluster-copy-tags-to-snapshot-check.html)
+ [rds-postgresql-logs-to-cloudwatch](./rds-postgresql-logs-to-cloudwatch.html)
+ [rds-postgres-instance-encrypted-in-transit](./rds-postgres-instance-encrypted-in-transit.html)
+ [rds-proxy-tls-encryption](./rds-proxy-tls-encryption.html)
+ [rds-resources-protected-by-backup-plan](./rds-resources-protected-by-backup-plan.html)
+ [rds-snapshots-public-prohibited](./rds-snapshots-public-prohibited.html)
+ [rds-snapshot-encrypted](./rds-snapshot-encrypted.html)
+ [rds-sqlserver-encrypted-in-transit](./rds-sqlserver-encrypted-in-transit.html)
+ [rds-sql-server-logs-to-cloudwatch](./rds-sql-server-logs-to-cloudwatch.html)
+ [rds-storage-encrypted](./rds-storage-encrypted.html)
+ [redshift-audit-logging-enabled](./redshift-audit-logging-enabled.html)
+ [redshift-backup-enabled](./redshift-backup-enabled.html)
+ [redshift-cluster-configuration-check](./redshift-cluster-configuration-check.html)
+ [redshift-cluster-kms-enabled](./redshift-cluster-kms-enabled.html)
+ [redshift-cluster-maintenancesettings-check](./redshift-cluster-maintenancesettings-check.html)
+ [redshift-cluster-multi-az-enabled](./redshift-cluster-multi-az-enabled.html)
+ [redshift-cluster-parameter-group-tagged](./redshift-cluster-parameter-group-tagged.html)
+ [redshift-cluster-public-access-check](./redshift-cluster-public-access-check.html)
+ [redshift-cluster-subnet-group-multi-az](./redshift-cluster-subnet-group-multi-az.html)
+ [redshift-default-admin-check](./redshift-default-admin-check.html)
+ [redshift-default-db-name-check](./redshift-default-db-name-check.html)
+ [redshift-enhanced-vpc-routing-enabled](./redshift-enhanced-vpc-routing-enabled.html)
+ [redshift-require-tls-ssl](./redshift-require-tls-ssl.html)
+ [redshift-serverless-default-admin-check](./redshift-serverless-default-admin-check.html)
+ [redshift-serverless-default-db-name-check](./redshift-serverless-default-db-name-check.html)
+ [redshift-serverless-namespace-cmk-encryption](./redshift-serverless-namespace-cmk-encryption.html)
+ [redshift-serverless-publish-logs-to-cloudwatch](./redshift-serverless-publish-logs-to-cloudwatch.html)
+ [redshift-serverless-workgroup-encrypted-in-transit](./redshift-serverless-workgroup-encrypted-in-transit.html)
+ [redshift-serverless-workgroup-no-public-access](./redshift-serverless-workgroup-no-public-access.html)
+ [redshift-serverless-workgroup-routes-within-vpc](./redshift-serverless-workgroup-routes-within-vpc.html)
+ [redshift-unrestricted-port-access](./redshift-unrestricted-port-access.html)
+ [required-tags](./required-tags.html)
+ [resiliencehub-app-tagged](./resiliencehub-app-tagged.html)
+ [resiliencehub-resiliencypolicy-tagged](./resiliencehub-resiliencypolicy-tagged.html)
+ [restricted-incoming-traffic](./restricted-incoming-traffic.html)
+ [root-account-hardware-mfa-enabled](./root-account-hardware-mfa-enabled.html)
+ [root-account-mfa-enabled](./root-account-mfa-enabled.html)
+ [route53-resolver-firewall-domain-list-tagged](./route53-resolver-firewall-domain-list-tagged.html)
+ [route53-resolver-firewall-rule-group-association-tagged](./route53-resolver-firewall-rule-group-association-tagged.html)
+ [route53-resolver-firewall-rule-group-tagged](./route53-resolver-firewall-rule-group-tagged.html)
+ [route53-resolver-resolver-endpoint-tagged](./route53-resolver-resolver-endpoint-tagged.html)
+ [route53-resolver-resolver-rule-tagged](./route53-resolver-resolver-rule-tagged.html)
+ [rum-app-monitor-cloudwatch-logs-enabled](./rum-app-monitor-cloudwatch-logs-enabled.html)
+ [rum-app-monitor-tagged](./rum-app-monitor-tagged.html)
+ [s3express-dir-bucket-lifecycle-rules-check](./s3express-dir-bucket-lifecycle-rules-check.html)
+ [s3-access-point-in-vpc-only](./s3-access-point-in-vpc-only.html)
+ [s3-access-point-public-access-blocks](./s3-access-point-public-access-blocks.html)
+ [s3-account-level-public-access-blocks](./s3-account-level-public-access-blocks.html)
+ [s3-account-level-public-access-blocks-periodic](./s3-account-level-public-access-blocks-periodic.html)
+ [s3-bucket-acl-prohibited](./s3-bucket-acl-prohibited.html)
+ [s3-bucket-blacklisted-actions-prohibited](./s3-bucket-blacklisted-actions-prohibited.html)
+ [s3-bucket-cross-region-replication-enabled](./s3-bucket-cross-region-replication-enabled.html)
+ [s3-bucket-default-lock-enabled](./s3-bucket-default-lock-enabled.html)
+ [s3-bucket-level-public-access-prohibited](./s3-bucket-level-public-access-prohibited.html)
+ [s3-bucket-logging-enabled](./s3-bucket-logging-enabled.html)
+ [s3-bucket-mfa-delete-enabled](./s3-bucket-mfa-delete-enabled.html)
+ [s3-bucket-policy-grantee-check](./s3-bucket-policy-grantee-check.html)
+ [s3-bucket-policy-not-more-permissive](./s3-bucket-policy-not-more-permissive.html)
+ [s3-bucket-public-read-prohibited](./s3-bucket-public-read-prohibited.html)
+ [s3-bucket-public-write-prohibited](./s3-bucket-public-write-prohibited.html)
+ [s3-bucket-replication-enabled](./s3-bucket-replication-enabled.html)
+ [s3-bucket-server-side-encryption-enabled](./s3-bucket-server-side-encryption-enabled.html)
+ [s3-bucket-ssl-requests-only](./s3-bucket-ssl-requests-only.html)
+ [s3-bucket-tagged](./s3-bucket-tagged.html)
+ [s3-bucket-versioning-enabled](./s3-bucket-versioning-enabled.html)
+ [s3-default-encryption-kms](./s3-default-encryption-kms.html)
+ [s3-directory-bucket-lifecycle-policy-rule-check](./s3-directory-bucket-lifecycle-policy-rule-check.html)
+ [s3-event-notifications-enabled](./s3-event-notifications-enabled.html)
+ [s3-last-backup-recovery-point-created](./s3-last-backup-recovery-point-created.html)
+ [s3-lifecycle-policy-check](./s3-lifecycle-policy-check.html)
+ [s3-meets-restore-time-target](./s3-meets-restore-time-target.html)
+ [s3-resources-in-logically-air-gapped-vault](./s3-resources-in-logically-air-gapped-vault.html)
+ [s3-resources-protected-by-backup-plan](./s3-resources-protected-by-backup-plan.html)
+ [s3-version-lifecycle-policy-check](./s3-version-lifecycle-policy-check.html)
+ [sagemaker-app-image-config-tagged](./sagemaker-app-image-config-tagged.html)
+ [sagemaker-data-quality-job-encrypt-in-transit](./sagemaker-data-quality-job-encrypt-in-transit.html)
+ [sagemaker-data-quality-job-isolation](./sagemaker-data-quality-job-isolation.html)
+ [sagemaker-domain-in-vpc](./sagemaker-domain-in-vpc.html)
+ [sagemaker-domain-tagged](./sagemaker-domain-tagged.html)
+ [sagemaker-endpoint-configuration-kms-key-configured](./sagemaker-endpoint-configuration-kms-key-configured.html)
+ [sagemaker-endpoint-config-prod-instance-count](./sagemaker-endpoint-config-prod-instance-count.html)
+ [sagemaker-featuregroup-description](./sagemaker-featuregroup-description.html)
+ [sagemaker-featuregroup-encryption-at-rest](./sagemaker-featuregroup-encryption-at-rest.html)
+ [sagemaker-feature-group-tagged](./sagemaker-feature-group-tagged.html)
+ [sagemaker-image-description](./sagemaker-image-description.html)
+ [sagemaker-image-tagged](./sagemaker-image-tagged.html)
+ [sagemaker-inferenceexperiment-tagged](./sagemaker-inferenceexperiment-tagged.html)
+ [sagemaker-model-bias-job-encrypt-in-transit](./sagemaker-model-bias-job-encrypt-in-transit.html)
+ [sagemaker-model-bias-job-isolation](./sagemaker-model-bias-job-isolation.html)
+ [sagemaker-model-explainability-job-encrypt-in-transit](./sagemaker-model-explainability-job-encrypt-in-transit.html)
+ [sagemaker-model-in-vpc](./sagemaker-model-in-vpc.html)
+ [sagemaker-model-isolation-enabled](./sagemaker-model-isolation-enabled.html)
+ [sagemaker-model-private-registry-required](./sagemaker-model-private-registry-required.html)
+ [sagemaker-model-quality-job-encrypt-in-transit](./sagemaker-model-quality-job-encrypt-in-transit.html)
+ [sagemaker-monitoring-schedule-isolation](./sagemaker-monitoring-schedule-isolation.html)
+ [sagemaker-notebook-instance-inside-vpc](./sagemaker-notebook-instance-inside-vpc.html)
+ [sagemaker-notebook-instance-kms-key-configured](./sagemaker-notebook-instance-kms-key-configured.html)
+ [sagemaker-notebook-instance-platform-version](./sagemaker-notebook-instance-platform-version.html)
+ [sagemaker-notebook-instance-root-access-check](./sagemaker-notebook-instance-root-access-check.html)
+ [sagemaker-notebook-no-direct-internet-access](./sagemaker-notebook-no-direct-internet-access.html)
+ [secretsmanager-rotation-enabled-check](./secretsmanager-rotation-enabled-check.html)
+ [secretsmanager-scheduled-rotation-success-check](./secretsmanager-scheduled-rotation-success-check.html)
+ [secretsmanager-secret-periodic-rotation](./secretsmanager-secret-periodic-rotation.html)
+ [secretsmanager-secret-unused](./secretsmanager-secret-unused.html)
+ [secretsmanager-using-cmk](./secretsmanager-using-cmk.html)
+ [securityhub-enabled](./securityhub-enabled.html)
+ [security-account-information-provided](./security-account-information-provided.html)
+ [service-catalog-portfolio-tagged](./service-catalog-portfolio-tagged.html)
+ [service-catalog-shared-within-organization](./service-catalog-shared-within-organization.html)
+ [service-vpc-endpoint-enabled](./service-vpc-endpoint-enabled.html)
+ [ses-malware-scanning-enabled](./ses-malware-scanning-enabled.html)
+ [ses-sending-tls-required](./ses-sending-tls-required.html)
+ [signer-signingprofile-tagged](./signer-signingprofile-tagged.html)
+ [sns-encrypted-kms](./sns-encrypted-kms.html)
+ [sns-topic-message-delivery-notification-enabled](./sns-topic-message-delivery-notification-enabled.html)
+ [sns-topic-no-public-access](./sns-topic-no-public-access.html)
+ [sqs-queue-dlq-check](./sqs-queue-dlq-check.html)
+ [sqs-queue-no-public-access](./sqs-queue-no-public-access.html)
+ [sqs-queue-policy-full-access-check](./sqs-queue-policy-full-access-check.html)
+ [ssm-automation-block-public-sharing](./ssm-automation-block-public-sharing.html)
+ [ssm-automation-logging-enabled](./ssm-automation-logging-enabled.html)
+ [ssm-document-not-public](./ssm-document-not-public.html)
+ [ssm-document-tagged](./ssm-document-tagged.html)
+ [stepfunctions-state-machine-tagged](./stepfunctions-state-machine-tagged.html)
+ [step-functions-state-machine-logging-enabled](./step-functions-state-machine-logging-enabled.html)
+ [storagegateway-last-backup-recovery-point-created](./storagegateway-last-backup-recovery-point-created.html)
+ [storagegateway-resources-in-logically-air-gapped-vault](./storagegateway-resources-in-logically-air-gapped-vault.html)
+ [storagegateway-resources-protected-by-backup-plan](./storagegateway-resources-protected-by-backup-plan.html)
+ [subnet-auto-assign-public-ip-disabled](./subnet-auto-assign-public-ip-disabled.html)
+ [transfer-agreement-description](./transfer-agreement-description.html)
+ [transfer-agreement-tagged](./transfer-agreement-tagged.html)
+ [transfer-certificate-description](./transfer-certificate-description.html)
+ [transfer-certificate-tagged](./transfer-certificate-tagged.html)
+ [transfer-connector-as2-encryption-algorithm-check](./transfer-connector-as2-encryption-algorithm-check.html)
+ [transfer-connector-as2-mdn-signing-algorithm-check](./transfer-connector-as2-mdn-signing-algorithm-check.html)
+ [transfer-connector-as2-signing-algorithm-check](./transfer-connector-as2-signing-algorithm-check.html)
+ [transfer-connector-logging-enabled](./transfer-connector-logging-enabled.html)
+ [transfer-connector-tagged](./transfer-connector-tagged.html)
+ [transfer-family-server-no-ftp](./transfer-family-server-no-ftp.html)
+ [transfer-profile-tagged](./transfer-profile-tagged.html)
+ [transfer-workflow-description](./transfer-workflow-description.html)
+ [transfer-workflow-tagged](./transfer-workflow-tagged.html)
+ [virtualmachine-last-backup-recovery-point-created](./virtualmachine-last-backup-recovery-point-created.html)
+ [virtualmachine-resources-in-logically-air-gapped-vault](./virtualmachine-resources-in-logically-air-gapped-vault.html)
+ [virtualmachine-resources-protected-by-backup-plan](./virtualmachine-resources-protected-by-backup-plan.html)
+ [vpc-default-security-group-closed](./vpc-default-security-group-closed.html)
+ [vpc-endpoint-enabled](./vpc-endpoint-enabled.html)
+ [vpc-flow-logs-enabled](./vpc-flow-logs-enabled.html)
+ [vpc-network-acl-unused-check](./vpc-network-acl-unused-check.html)
+ [vpc-peering-dns-resolution-check](./vpc-peering-dns-resolution-check.html)
+ [vpc-sg-open-only-to-authorized-ports](./vpc-sg-open-only-to-authorized-ports.html)
+ [vpc-sg-port-restriction-check](./vpc-sg-port-restriction-check.html)
+ [vpc-vpn-2-tunnels-up](./vpc-vpn-2-tunnels-up.html)
+ [wafv2-logging-enabled](./wafv2-logging-enabled.html)
+ [wafv2-rulegroup-logging-enabled](./wafv2-rulegroup-logging-enabled.html)
+ [wafv2-rulegroup-not-empty](./wafv2-rulegroup-not-empty.html)
+ [wafv2-webacl-not-empty](./wafv2-webacl-not-empty.html)
+ [waf-global-rulegroup-not-empty](./waf-global-rulegroup-not-empty.html)
+ [waf-global-rule-not-empty](./waf-global-rule-not-empty.html)
+ [waf-regional-rulegroup-not-empty](./waf-regional-rulegroup-not-empty.html)
+ [waf-regional-rule-not-empty](./waf-regional-rule-not-empty.html)
+ [waf-regional-webacl-not-empty](./waf-regional-webacl-not-empty.html)
+ [workspaces-connection-alias-tagged](./workspaces-connection-alias-tagged.html)
+ [workspaces-root-volume-encryption-enabled](./workspaces-root-volume-encryption-enabled.html)
+ [workspaces-user-volume-encryption-enabled](./workspaces-user-volume-encryption-enabled.html)
+ [workspaces-workspace-tagged](./workspaces-workspace-tagged.html)

## Europe (London) Region
<a name="europe-london-section-head"></a>

### Europe (London)
<a name="europe-london"></a>
+ [access-keys-rotated](./access-keys-rotated.html)
+ [account-part-of-organizations](./account-part-of-organizations.html)
+ [acmpca-certificate-authority-tagged](./acmpca-certificate-authority-tagged.html)
+ [acm-certificate-expiration-check](./acm-certificate-expiration-check.html)
+ [acm-certificate-rsa-check](./acm-certificate-rsa-check.html)
+ [acm-certificate-transparent-logging-enabled](./acm-certificate-transparent-logging-enabled.html)
+ [acm-pca-root-ca-disabled](./acm-pca-root-ca-disabled.html)
+ [active-mq-supported-version](./active-mq-supported-version.html)
+ [alb-desync-mode-check](./alb-desync-mode-check.html)
+ [alb-http-drop-invalid-header-enabled](./alb-http-drop-invalid-header-enabled.html)
+ [alb-http-to-https-redirection-check](./alb-http-to-https-redirection-check.html)
+ [alb-internal-scheme-check](./alb-internal-scheme-check.html)
+ [alb-listener-tagged](./alb-listener-tagged.html)
+ [alb-tagged](./alb-tagged.html)
+ [alb-waf-enabled](./alb-waf-enabled.html)
+ [amplify-app-branch-auto-deletion-enabled](./amplify-app-branch-auto-deletion-enabled.html)
+ [amplify-app-build-spec-configured](./amplify-app-build-spec-configured.html)
+ [amplify-app-description](./amplify-app-description.html)
+ [amplify-app-no-environment-variables](./amplify-app-no-environment-variables.html)
+ [amplify-app-platform-check](./amplify-app-platform-check.html)
+ [amplify-app-tagged](./amplify-app-tagged.html)
+ [amplify-branch-auto-build-enabled](./amplify-branch-auto-build-enabled.html)
+ [amplify-branch-build-spec-configured](./amplify-branch-build-spec-configured.html)
+ [amplify-branch-description](./amplify-branch-description.html)
+ [amplify-branch-framework-configured](./amplify-branch-framework-configured.html)
+ [amplify-branch-performance-mode-enabled](./amplify-branch-performance-mode-enabled.html)
+ [amplify-branch-pull-request-preview-enabled](./amplify-branch-pull-request-preview-enabled.html)
+ [amplify-branch-tagged](./amplify-branch-tagged.html)
+ [apigatewayv2-integration-private-https-enabled](./apigatewayv2-integration-private-https-enabled.html)
+ [apigatewayv2-stage-description](./apigatewayv2-stage-description.html)
+ [apigateway-domain-name-tls-check](./apigateway-domain-name-tls-check.html)
+ [apigateway-stage-access-logs-enabled](./apigateway-stage-access-logs-enabled.html)
+ [apigateway-stage-description](./apigateway-stage-description.html)
+ [api-gwv2-access-logs-enabled](./api-gwv2-access-logs-enabled.html)
+ [api-gwv2-authorization-type-configured](./api-gwv2-authorization-type-configured.html)
+ [api-gwv2-stage-default-route-detailed-metrics-enabled](./api-gwv2-stage-default-route-detailed-metrics-enabled.html)
+ [api-gw-associated-with-waf](./api-gw-associated-with-waf.html)
+ [api-gw-cache-enabled-and-encrypted](./api-gw-cache-enabled-and-encrypted.html)
+ [api-gw-endpoint-type-check](./api-gw-endpoint-type-check.html)
+ [api-gw-execution-logging-enabled](./api-gw-execution-logging-enabled.html)
+ [api-gw-rest-api-tagged](./api-gw-rest-api-tagged.html)
+ [api-gw-ssl-enabled](./api-gw-ssl-enabled.html)
+ [api-gw-stage-tagged](./api-gw-stage-tagged.html)
+ [api-gw-xray-enabled](./api-gw-xray-enabled.html)
+ [appconfig-application-description](./appconfig-application-description.html)
+ [appconfig-application-tagged](./appconfig-application-tagged.html)
+ [appconfig-configuration-profile-tagged](./appconfig-configuration-profile-tagged.html)
+ [appconfig-configuration-profile-validators-not-empty](./appconfig-configuration-profile-validators-not-empty.html)
+ [appconfig-deployment-strategy-description](./appconfig-deployment-strategy-description.html)
+ [appconfig-deployment-strategy-minimum-final-bake-time](./appconfig-deployment-strategy-minimum-final-bake-time.html)
+ [appconfig-deployment-strategy-replicate-to-ssm](./appconfig-deployment-strategy-replicate-to-ssm.html)
+ [appconfig-deployment-strategy-tagged](./appconfig-deployment-strategy-tagged.html)
+ [appconfig-environment-description](./appconfig-environment-description.html)
+ [appconfig-environment-tagged](./appconfig-environment-tagged.html)
+ [appconfig-extension-association-tagged](./appconfig-extension-association-tagged.html)
+ [appconfig-freeform-profile-config-storage](./appconfig-freeform-profile-config-storage.html)
+ [appconfig-hosted-configuration-version-description](./appconfig-hosted-configuration-version-description.html)
+ [appflow-flow-tagged](./appflow-flow-tagged.html)
+ [appflow-flow-trigger-type-check](./appflow-flow-trigger-type-check.html)
+ [appintegrations-application-approved-origins-check](./appintegrations-application-approved-origins-check.html)
+ [appintegrations-application-tagged](./appintegrations-application-tagged.html)
+ [appintegrations-event-integration-description](./appintegrations-event-integration-description.html)
+ [appintegrations-event-integration-tagged](./appintegrations-event-integration-tagged.html)
+ [appmesh-gateway-route-tagged](./appmesh-gateway-route-tagged.html)
+ [appmesh-mesh-deny-tcp-forwarding](./appmesh-mesh-deny-tcp-forwarding.html)
+ [appmesh-mesh-ip-pref-check](./appmesh-mesh-ip-pref-check.html)
+ [appmesh-mesh-tagged](./appmesh-mesh-tagged.html)
+ [appmesh-route-tagged](./appmesh-route-tagged.html)
+ [appmesh-virtual-gateway-backend-defaults-tls](./appmesh-virtual-gateway-backend-defaults-tls.html)
+ [appmesh-virtual-gateway-listeners-health-check-enabled](./appmesh-virtual-gateway-listeners-health-check-enabled.html)
+ [appmesh-virtual-gateway-logging-file-path-exists](./appmesh-virtual-gateway-logging-file-path-exists.html)
+ [appmesh-virtual-gateway-tagged](./appmesh-virtual-gateway-tagged.html)
+ [appmesh-virtual-node-backend-defaults-tls-on](./appmesh-virtual-node-backend-defaults-tls-on.html)
+ [appmesh-virtual-node-cloud-map-ip-pref-check](./appmesh-virtual-node-cloud-map-ip-pref-check.html)
+ [appmesh-virtual-node-dns-ip-pref-check](./appmesh-virtual-node-dns-ip-pref-check.html)
+ [appmesh-virtual-node-listeners-health-check-enabled](./appmesh-virtual-node-listeners-health-check-enabled.html)
+ [appmesh-virtual-node-listeners-outlier-detect-enabled](./appmesh-virtual-node-listeners-outlier-detect-enabled.html)
+ [appmesh-virtual-node-logging-file-path-exists](./appmesh-virtual-node-logging-file-path-exists.html)
+ [appmesh-virtual-node-service-backends-tls-enforced](./appmesh-virtual-node-service-backends-tls-enforced.html)
+ [appmesh-virtual-node-tagged](./appmesh-virtual-node-tagged.html)
+ [appmesh-virtual-router-tagged](./appmesh-virtual-router-tagged.html)
+ [appmesh-virtual-service-tagged](./appmesh-virtual-service-tagged.html)
+ [approved-amis-by-id](./approved-amis-by-id.html)
+ [approved-amis-by-tag](./approved-amis-by-tag.html)
+ [apprunner-service-in-vpc](./apprunner-service-in-vpc.html)
+ [apprunner-service-ip-address-type-check](./apprunner-service-ip-address-type-check.html)
+ [apprunner-service-max-unhealthy-threshold](./apprunner-service-max-unhealthy-threshold.html)
+ [apprunner-service-no-public-access](./apprunner-service-no-public-access.html)
+ [apprunner-service-observability-enabled](./apprunner-service-observability-enabled.html)
+ [apprunner-service-tagged](./apprunner-service-tagged.html)
+ [appstream-fleet-in-vpc](./appstream-fleet-in-vpc.html)
+ [appsync-associated-with-waf](./appsync-associated-with-waf.html)
+ [appsync-authorization-check](./appsync-authorization-check.html)
+ [appsync-cache-encryption-at-rest](./appsync-cache-encryption-at-rest.html)
+ [appsync-graphql-api-xray-enabled](./appsync-graphql-api-xray-enabled.html)
+ [appsync-logging-enabled](./appsync-logging-enabled.html)
+ [aps-rule-groups-namespace-tagged](./aps-rule-groups-namespace-tagged.html)
+ [athena-data-catalog-description](./athena-data-catalog-description.html)
+ [athena-prepared-statement-description](./athena-prepared-statement-description.html)
+ [athena-workgroup-description](./athena-workgroup-description.html)
+ [athena-workgroup-encrypted-at-rest](./athena-workgroup-encrypted-at-rest.html)
+ [athena-workgroup-enforce-workgroup-configuration](./athena-workgroup-enforce-workgroup-configuration.html)
+ [athena-workgroup-engine-version-auto-upgrade](./athena-workgroup-engine-version-auto-upgrade.html)
+ [athena-workgroup-logging-enabled](./athena-workgroup-logging-enabled.html)
+ [auditmanager-assessment-tagged](./auditmanager-assessment-tagged.html)
+ [aurora-global-database-encryption-at-rest](./aurora-global-database-encryption-at-rest.html)
+ [aurora-last-backup-recovery-point-created](./aurora-last-backup-recovery-point-created.html)
+ [aurora-meets-restore-time-target](./aurora-meets-restore-time-target.html)
+ [aurora-mysql-backtracking-enabled](./aurora-mysql-backtracking-enabled.html)
+ [aurora-mysql-cluster-audit-logging](./aurora-mysql-cluster-audit-logging.html)
+ [aurora-resources-in-logically-air-gapped-vault](./aurora-resources-in-logically-air-gapped-vault.html)
+ [aurora-resources-protected-by-backup-plan](./aurora-resources-protected-by-backup-plan.html)
+ [autoscaling-capacity-rebalancing](./autoscaling-capacity-rebalancing.html)
+ [autoscaling-group-elb-healthcheck-required](./autoscaling-group-elb-healthcheck-required.html)
+ [autoscaling-launchconfig-requires-imdsv2](./autoscaling-launchconfig-requires-imdsv2.html)
+ [autoscaling-launch-config-hop-limit](./autoscaling-launch-config-hop-limit.html)
+ [autoscaling-launch-config-public-ip-disabled](./autoscaling-launch-config-public-ip-disabled.html)
+ [autoscaling-launch-template](./autoscaling-launch-template.html)
+ [autoscaling-multiple-az](./autoscaling-multiple-az.html)
+ [autoscaling-multiple-instance-types](./autoscaling-multiple-instance-types.html)
+ [backup-plan-min-frequency-and-min-retention-check](./backup-plan-min-frequency-and-min-retention-check.html)
+ [backup-recovery-point-encrypted](./backup-recovery-point-encrypted.html)
+ [backup-recovery-point-manual-deletion-disabled](./backup-recovery-point-manual-deletion-disabled.html)
+ [backup-recovery-point-minimum-retention-check](./backup-recovery-point-minimum-retention-check.html)
+ [batch-compute-environment-enabled](./batch-compute-environment-enabled.html)
+ [batch-compute-environment-managed](./batch-compute-environment-managed.html)
+ [batch-compute-environment-tagged](./batch-compute-environment-tagged.html)
+ [batch-job-queue-enabled](./batch-job-queue-enabled.html)
+ [batch-job-queue-tagged](./batch-job-queue-tagged.html)
+ [batch-managed-compute-environment-using-launch-template](./batch-managed-compute-environment-using-launch-template.html)
+ [batch-managed-compute-env-allocation-strategy-check](./batch-managed-compute-env-allocation-strategy-check.html)
+ [batch-managed-compute-env-compute-resources-tagged](./batch-managed-compute-env-compute-resources-tagged.html)
+ [batch-managed-spot-compute-environment-max-bid](./batch-managed-spot-compute-environment-max-bid.html)
+ [batch-scheduling-policy-tagged](./batch-scheduling-policy-tagged.html)
+ [beanstalk-enhanced-health-reporting-enabled](./beanstalk-enhanced-health-reporting-enabled.html)
+ [cassandra-keyspace-tagged](./cassandra-keyspace-tagged.html)
+ [clb-desync-mode-check](./clb-desync-mode-check.html)
+ [clb-multiple-az](./clb-multiple-az.html)
+ [cloudformation-stack-drift-detection-check](./cloudformation-stack-drift-detection-check.html)
+ [cloudformation-stack-notification-check](./cloudformation-stack-notification-check.html)
+ [cloudformation-stack-service-role-check](./cloudformation-stack-service-role-check.html)
+ [cloudformation-termination-protection-check](./cloudformation-termination-protection-check.html)
+ [cloudtrail-all-read-s3-data-event-check](./cloudtrail-all-read-s3-data-event-check.html)
+ [cloudtrail-all-write-s3-data-event-check](./cloudtrail-all-write-s3-data-event-check.html)
+ [cloudtrail-event-data-store-multi-region](./cloudtrail-event-data-store-multi-region.html)
+ [cloudtrail-s3-bucket-access-logging](./cloudtrail-s3-bucket-access-logging.html)
+ [cloudtrail-s3-bucket-public-access-prohibited](./cloudtrail-s3-bucket-public-access-prohibited.html)
+ [cloudtrail-s3-dataevents-enabled](./cloudtrail-s3-dataevents-enabled.html)
+ [cloudtrail-security-trail-enabled](./cloudtrail-security-trail-enabled.html)
+ [cloudwatch-alarm-action-check](./cloudwatch-alarm-action-check.html)
+ [cloudwatch-alarm-action-enabled-check](./cloudwatch-alarm-action-enabled-check.html)
+ [cloudwatch-alarm-description](./cloudwatch-alarm-description.html)
+ [cloudwatch-alarm-resource-check](./cloudwatch-alarm-resource-check.html)
+ [cloudwatch-alarm-settings-check](./cloudwatch-alarm-settings-check.html)
+ [cloudwatch-log-group-encrypted](./cloudwatch-log-group-encrypted.html)
+ [cloudwatch-metric-stream-tagged](./cloudwatch-metric-stream-tagged.html)
+ [cloud-trail-cloud-watch-logs-enabled](./cloud-trail-cloud-watch-logs-enabled.html)
+ [cloud-trail-enabled](./cloud-trail-enabled.html)
+ [cloud-trail-encryption-enabled](./cloud-trail-encryption-enabled.html)
+ [cloud-trail-log-file-validation-enabled](./cloud-trail-log-file-validation-enabled.html)
+ [cmk-backing-key-rotation-enabled](./cmk-backing-key-rotation-enabled.html)
+ [codeartifact-repository-tagged](./codeartifact-repository-tagged.html)
+ [codebuild-project-artifact-encryption](./codebuild-project-artifact-encryption.html)
+ [codebuild-project-environment-privileged-check](./codebuild-project-environment-privileged-check.html)
+ [codebuild-project-envvar-awscred-check](./codebuild-project-envvar-awscred-check.html)
+ [codebuild-project-logging-enabled](./codebuild-project-logging-enabled.html)
+ [codebuild-project-s3-logs-encrypted](./codebuild-project-s3-logs-encrypted.html)
+ [codebuild-project-source-repo-url-check](./codebuild-project-source-repo-url-check.html)
+ [codebuild-project-tagged](./codebuild-project-tagged.html)
+ [codebuild-report-group-encrypted-at-rest](./codebuild-report-group-encrypted-at-rest.html)
+ [codebuild-report-group-tagged](./codebuild-report-group-tagged.html)
+ [codedeploy-auto-rollback-monitor-enabled](./codedeploy-auto-rollback-monitor-enabled.html)
+ [codedeploy-deployment-group-auto-rollback-enabled](./codedeploy-deployment-group-auto-rollback-enabled.html)
+ [codedeploy-deployment-group-outdated-instances-update](./codedeploy-deployment-group-outdated-instances-update.html)
+ [codedeploy-ec2-minimum-healthy-hosts-configured](./codedeploy-ec2-minimum-healthy-hosts-configured.html)
+ [codedeploy-lambda-allatonce-traffic-shift-disabled](./codedeploy-lambda-allatonce-traffic-shift-disabled.html)
+ [codeguruprofiler-profiling-group-tagged](./codeguruprofiler-profiling-group-tagged.html)
+ [codegurureviewer-repository-association-tagged](./codegurureviewer-repository-association-tagged.html)
+ [codepipeline-deployment-count-check](./codepipeline-deployment-count-check.html)
+ [codepipeline-region-fanout-check](./codepipeline-region-fanout-check.html)
+ [cognito-identity-pool-unauthenticated-logins](./cognito-identity-pool-unauthenticated-logins.html)
+ [cognito-identity-pool-unauth-access-check](./cognito-identity-pool-unauth-access-check.html)
+ [cognito-userpool-cust-auth-threat-full-check](./cognito-userpool-cust-auth-threat-full-check.html)
+ [cognito-user-pool-advanced-security-enabled](./cognito-user-pool-advanced-security-enabled.html)
+ [cognito-user-pool-deletion-protection-enabled](./cognito-user-pool-deletion-protection-enabled.html)
+ [cognito-user-pool-mfa-enabled](./cognito-user-pool-mfa-enabled.html)
+ [cognito-user-pool-password-policy-check](./cognito-user-pool-password-policy-check.html)
+ [cognito-user-pool-tagged](./cognito-user-pool-tagged.html)
+ [connect-instance-logging-enabled](./connect-instance-logging-enabled.html)
+ [customerprofiles-domain-tagged](./customerprofiles-domain-tagged.html)
+ [customerprofiles-object-type-allow-profile-creation](./customerprofiles-object-type-allow-profile-creation.html)
+ [customerprofiles-object-type-tagged](./customerprofiles-object-type-tagged.html)
+ [custom-eventbus-policy-attached](./custom-eventbus-policy-attached.html)
+ [custom-schema-registry-policy-attached](./custom-schema-registry-policy-attached.html)
+ [cw-loggroup-retention-period-check](./cw-loggroup-retention-period-check.html)
+ [datasync-location-object-storage-using-https](./datasync-location-object-storage-using-https.html)
+ [datasync-task-data-verification-enabled](./datasync-task-data-verification-enabled.html)
+ [datasync-task-logging-enabled](./datasync-task-logging-enabled.html)
+ [datasync-task-tagged](./datasync-task-tagged.html)
+ [dax-encryption-enabled](./dax-encryption-enabled.html)
+ [dax-tls-endpoint-encryption](./dax-tls-endpoint-encryption.html)
+ [db-instance-backup-enabled](./db-instance-backup-enabled.html)
+ [desired-instance-tenancy](./desired-instance-tenancy.html)
+ [desired-instance-type](./desired-instance-type.html)
+ [dms-auto-minor-version-upgrade-check](./dms-auto-minor-version-upgrade-check.html)
+ [dms-endpoint-ssl-configured](./dms-endpoint-ssl-configured.html)
+ [dms-endpoint-tagged](./dms-endpoint-tagged.html)
+ [dms-mongo-db-authentication-enabled](./dms-mongo-db-authentication-enabled.html)
+ [dms-neptune-iam-authorization-enabled](./dms-neptune-iam-authorization-enabled.html)
+ [dms-redis-tls-enabled](./dms-redis-tls-enabled.html)
+ [dms-replication-instance-multi-az-enabled](./dms-replication-instance-multi-az-enabled.html)
+ [dms-replication-not-public](./dms-replication-not-public.html)
+ [dms-replication-task-sourcedb-logging](./dms-replication-task-sourcedb-logging.html)
+ [dms-replication-task-tagged](./dms-replication-task-tagged.html)
+ [dms-replication-task-targetdb-logging](./dms-replication-task-targetdb-logging.html)
+ [docdb-cluster-audit-logging-enabled](./docdb-cluster-audit-logging-enabled.html)
+ [docdb-cluster-backup-retention-check](./docdb-cluster-backup-retention-check.html)
+ [docdb-cluster-deletion-protection-enabled](./docdb-cluster-deletion-protection-enabled.html)
+ [docdb-cluster-encrypted](./docdb-cluster-encrypted.html)
+ [docdb-cluster-encrypted-in-transit](./docdb-cluster-encrypted-in-transit.html)
+ [docdb-cluster-snapshot-public-prohibited](./docdb-cluster-snapshot-public-prohibited.html)
+ [dynamodb-autoscaling-enabled](./dynamodb-autoscaling-enabled.html)
+ [dynamodb-in-backup-plan](./dynamodb-in-backup-plan.html)
+ [dynamodb-last-backup-recovery-point-created](./dynamodb-last-backup-recovery-point-created.html)
+ [dynamodb-meets-restore-time-target](./dynamodb-meets-restore-time-target.html)
+ [dynamodb-pitr-enabled](./dynamodb-pitr-enabled.html)
+ [dynamodb-resources-protected-by-backup-plan](./dynamodb-resources-protected-by-backup-plan.html)
+ [dynamodb-table-deletion-protection-enabled](./dynamodb-table-deletion-protection-enabled.html)
+ [dynamodb-table-encrypted-kms](./dynamodb-table-encrypted-kms.html)
+ [dynamodb-table-encryption-enabled](./dynamodb-table-encryption-enabled.html)
+ [dynamodb-throughput-limit-check](./dynamodb-throughput-limit-check.html)
+ [ebs-in-backup-plan](./ebs-in-backup-plan.html)
+ [ebs-last-backup-recovery-point-created](./ebs-last-backup-recovery-point-created.html)
+ [ebs-meets-restore-time-target](./ebs-meets-restore-time-target.html)
+ [ebs-optimized-instance](./ebs-optimized-instance.html)
+ [ebs-resources-in-logically-air-gapped-vault](./ebs-resources-in-logically-air-gapped-vault.html)
+ [ebs-resources-protected-by-backup-plan](./ebs-resources-protected-by-backup-plan.html)
+ [ebs-snapshot-block-public-access](./ebs-snapshot-block-public-access.html)
+ [ebs-snapshot-public-restorable-check](./ebs-snapshot-public-restorable-check.html)
+ [ec2-capacity-reservation-tagged](./ec2-capacity-reservation-tagged.html)
+ [ec2-carrier-gateway-tagged](./ec2-carrier-gateway-tagged.html)
+ [ec2-client-vpn-connection-log-enabled](./ec2-client-vpn-connection-log-enabled.html)
+ [ec2-client-vpn-endpoint-tagged](./ec2-client-vpn-endpoint-tagged.html)
+ [ec2-client-vpn-not-authorize-all](./ec2-client-vpn-not-authorize-all.html)
+ [ec2-dhcp-options-tagged](./ec2-dhcp-options-tagged.html)
+ [ec2-ebs-encryption-by-default](./ec2-ebs-encryption-by-default.html)
+ [ec2-enis-source-destination-check-enabled](./ec2-enis-source-destination-check-enabled.html)
+ [ec2-fleet-tagged](./ec2-fleet-tagged.html)
+ [ec2-imdsv2-check](./ec2-imdsv2-check.html)
+ [ec2-instance-detailed-monitoring-enabled](./ec2-instance-detailed-monitoring-enabled.html)
+ [ec2-instance-launched-with-allowed-ami](./ec2-instance-launched-with-allowed-ami.html)
+ [ec2-instance-managed-by-ssm](./ec2-instance-managed-by-ssm.html)
+ [ec2-instance-multiple-eni-check](./ec2-instance-multiple-eni-check.html)
+ [ec2-instance-no-public-ip](./ec2-instance-no-public-ip.html)
+ [ec2-instance-profile-attached](./ec2-instance-profile-attached.html)
+ [ec2-ipamscope-tagged](./ec2-ipamscope-tagged.html)
+ [ec2-last-backup-recovery-point-created](./ec2-last-backup-recovery-point-created.html)
+ [ec2-launchtemplate-ebs-encrypted](./ec2-launchtemplate-ebs-encrypted.html)
+ [ec2-launch-templates-ebs-volume-encrypted](./ec2-launch-templates-ebs-volume-encrypted.html)
+ [ec2-launch-template-imdsv2-check](./ec2-launch-template-imdsv2-check.html)
+ [ec2-launch-template-public-ip-disabled](./ec2-launch-template-public-ip-disabled.html)
+ [ec2-launch-template-tagged](./ec2-launch-template-tagged.html)
+ [ec2-managedinstance-applications-blacklisted](./ec2-managedinstance-applications-blacklisted.html)
+ [ec2-managedinstance-applications-required](./ec2-managedinstance-applications-required.html)
+ [ec2-managedinstance-association-compliance-status-check](./ec2-managedinstance-association-compliance-status-check.html)
+ [ec2-managedinstance-inventory-blacklisted](./ec2-managedinstance-inventory-blacklisted.html)
+ [ec2-managedinstance-patch-compliance-status-check](./ec2-managedinstance-patch-compliance-status-check.html)
+ [ec2-managedinstance-platform-check](./ec2-managedinstance-platform-check.html)
+ [ec2-meets-restore-time-target](./ec2-meets-restore-time-target.html)
+ [ec2-network-insights-access-scope-analysis-tagged](./ec2-network-insights-access-scope-analysis-tagged.html)
+ [ec2-network-insights-access-scope-tagged](./ec2-network-insights-access-scope-tagged.html)
+ [ec2-network-insights-analysis-tagged](./ec2-network-insights-analysis-tagged.html)
+ [ec2-network-insights-path-tagged](./ec2-network-insights-path-tagged.html)
+ [ec2-no-amazon-key-pair](./ec2-no-amazon-key-pair.html)
+ [ec2-prefix-list-tagged](./ec2-prefix-list-tagged.html)
+ [ec2-resources-in-logically-air-gapped-vault](./ec2-resources-in-logically-air-gapped-vault.html)
+ [ec2-resources-protected-by-backup-plan](./ec2-resources-protected-by-backup-plan.html)
+ [ec2-security-group-attached-to-eni](./ec2-security-group-attached-to-eni.html)
+ [ec2-security-group-attached-to-eni-periodic](./ec2-security-group-attached-to-eni-periodic.html)
+ [ec2-spot-fleet-request-ct-encryption-at-rest](./ec2-spot-fleet-request-ct-encryption-at-rest.html)
+ [ec2-stopped-instance](./ec2-stopped-instance.html)
+ [ec2-token-hop-limit-check](./ec2-token-hop-limit-check.html)
+ [ec2-traffic-mirror-filter-description](./ec2-traffic-mirror-filter-description.html)
+ [ec2-traffic-mirror-filter-tagged](./ec2-traffic-mirror-filter-tagged.html)
+ [ec2-traffic-mirror-session-description](./ec2-traffic-mirror-session-description.html)
+ [ec2-traffic-mirror-session-tagged](./ec2-traffic-mirror-session-tagged.html)
+ [ec2-traffic-mirror-target-description](./ec2-traffic-mirror-target-description.html)
+ [ec2-traffic-mirror-target-tagged](./ec2-traffic-mirror-target-tagged.html)
+ [ec2-transit-gateway-auto-vpc-attach-disabled](./ec2-transit-gateway-auto-vpc-attach-disabled.html)
+ [ec2-transit-gateway-multicast-domain-tagged](./ec2-transit-gateway-multicast-domain-tagged.html)
+ [ec2-volume-inuse-check](./ec2-volume-inuse-check.html)
+ [ec2-vpn-connection-ike-version-check](./ec2-vpn-connection-ike-version-check.html)
+ [ec2-vpn-connection-logging-enabled](./ec2-vpn-connection-logging-enabled.html)
+ [ec2-vpn-connection-tagged](./ec2-vpn-connection-tagged.html)
+ [ecr-private-image-scanning-enabled](./ecr-private-image-scanning-enabled.html)
+ [ecr-private-lifecycle-policy-configured](./ecr-private-lifecycle-policy-configured.html)
+ [ecr-private-tag-immutability-enabled](./ecr-private-tag-immutability-enabled.html)
+ [ecr-repository-cmk-encryption-enabled](./ecr-repository-cmk-encryption-enabled.html)
+ [ecr-repository-tagged](./ecr-repository-tagged.html)
+ [ecs-awsvpc-networking-enabled](./ecs-awsvpc-networking-enabled.html)
+ [ecs-capacity-provider-tagged](./ecs-capacity-provider-tagged.html)
+ [ecs-capacity-provider-termination-check](./ecs-capacity-provider-termination-check.html)
+ [ecs-containers-nonprivileged](./ecs-containers-nonprivileged.html)
+ [ecs-containers-readonly-access](./ecs-containers-readonly-access.html)
+ [ecs-container-insights-enabled](./ecs-container-insights-enabled.html)
+ [ecs-fargate-latest-platform-version](./ecs-fargate-latest-platform-version.html)
+ [ecs-no-environment-secrets](./ecs-no-environment-secrets.html)
+ [ecs-service-propagate-tags-enabled](./ecs-service-propagate-tags-enabled.html)
+ [ecs-task-definition-efs-encryption-enabled](./ecs-task-definition-efs-encryption-enabled.html)
+ [ecs-task-definition-linux-user-non-root](./ecs-task-definition-linux-user-non-root.html)
+ [ecs-task-definition-log-configuration](./ecs-task-definition-log-configuration.html)
+ [ecs-task-definition-memory-hard-limit](./ecs-task-definition-memory-hard-limit.html)
+ [ecs-task-definition-network-mode-not-host](./ecs-task-definition-network-mode-not-host.html)
+ [ecs-task-definition-nonroot-user](./ecs-task-definition-nonroot-user.html)
+ [ecs-task-definition-pid-mode-check](./ecs-task-definition-pid-mode-check.html)
+ [ecs-task-definition-user-for-host-mode-check](./ecs-task-definition-user-for-host-mode-check.html)
+ [ecs-task-definition-windows-user-non-admin](./ecs-task-definition-windows-user-non-admin.html)
+ [efs-access-point-enforce-root-directory](./efs-access-point-enforce-root-directory.html)
+ [efs-access-point-enforce-user-identity](./efs-access-point-enforce-user-identity.html)
+ [efs-automatic-backups-enabled](./efs-automatic-backups-enabled.html)
+ [efs-encrypted-check](./efs-encrypted-check.html)
+ [efs-filesystem-ct-encrypted](./efs-filesystem-ct-encrypted.html)
+ [efs-file-system-tagged](./efs-file-system-tagged.html)
+ [efs-in-backup-plan](./efs-in-backup-plan.html)
+ [efs-last-backup-recovery-point-created](./efs-last-backup-recovery-point-created.html)
+ [efs-meets-restore-time-target](./efs-meets-restore-time-target.html)
+ [efs-mount-target-public-accessible](./efs-mount-target-public-accessible.html)
+ [efs-resources-in-logically-air-gapped-vault](./efs-resources-in-logically-air-gapped-vault.html)
+ [efs-resources-protected-by-backup-plan](./efs-resources-protected-by-backup-plan.html)
+ [eip-attached](./eip-attached.html)
+ [eks-addon-tagged](./eks-addon-tagged.html)
+ [eks-cluster-logging-enabled](./eks-cluster-logging-enabled.html)
+ [eks-cluster-log-enabled](./eks-cluster-log-enabled.html)
+ [eks-cluster-oldest-supported-version](./eks-cluster-oldest-supported-version.html)
+ [eks-cluster-secrets-encrypted](./eks-cluster-secrets-encrypted.html)
+ [eks-cluster-supported-version](./eks-cluster-supported-version.html)
+ [eks-endpoint-no-public-access](./eks-endpoint-no-public-access.html)
+ [eks-fargate-profile-tagged](./eks-fargate-profile-tagged.html)
+ [eks-nodegroup-supported-version-check](./eks-nodegroup-supported-version-check.html)
+ [eks-secrets-encrypted](./eks-secrets-encrypted.html)
+ [elasticache-automatic-backup-check-enabled](./elasticache-automatic-backup-check-enabled.html)
+ [elasticache-auto-minor-version-upgrade-check](./elasticache-auto-minor-version-upgrade-check.html)
+ [elasticache-rbac-auth-enabled](./elasticache-rbac-auth-enabled.html)
+ [elasticache-redis-cluster-automatic-backup-check](./elasticache-redis-cluster-automatic-backup-check.html)
+ [elasticache-repl-grp-auto-failover-enabled](./elasticache-repl-grp-auto-failover-enabled.html)
+ [elasticache-repl-grp-encrypted-at-rest](./elasticache-repl-grp-encrypted-at-rest.html)
+ [elasticache-repl-grp-encrypted-in-transit](./elasticache-repl-grp-encrypted-in-transit.html)
+ [elasticache-repl-grp-redis-auth-enabled](./elasticache-repl-grp-redis-auth-enabled.html)
+ [elasticache-subnet-group-check](./elasticache-subnet-group-check.html)
+ [elasticache-supported-engine-version](./elasticache-supported-engine-version.html)
+ [elasticbeanstalk-application-description](./elasticbeanstalk-application-description.html)
+ [elasticbeanstalk-application-version-description](./elasticbeanstalk-application-version-description.html)
+ [elasticbeanstalk-environment-description](./elasticbeanstalk-environment-description.html)
+ [elasticsearch-encrypted-at-rest](./elasticsearch-encrypted-at-rest.html)
+ [elasticsearch-in-vpc-only](./elasticsearch-in-vpc-only.html)
+ [elasticsearch-logs-to-cloudwatch](./elasticsearch-logs-to-cloudwatch.html)
+ [elasticsearch-node-to-node-encryption-check](./elasticsearch-node-to-node-encryption-check.html)
+ [elastic-beanstalk-logs-to-cloudwatch](./elastic-beanstalk-logs-to-cloudwatch.html)
+ [elastic-beanstalk-managed-updates-enabled](./elastic-beanstalk-managed-updates-enabled.html)
+ [elbv2-acm-certificate-required](./elbv2-acm-certificate-required.html)
+ [elbv2-listener-encryption-in-transit](./elbv2-listener-encryption-in-transit.html)
+ [elbv2-multiple-az](./elbv2-multiple-az.html)
+ [elbv2-predefined-security-policy-ssl-check](./elbv2-predefined-security-policy-ssl-check.html)
+ [elbv2-targetgroup-healthcheck-protocol-encrypted](./elbv2-targetgroup-healthcheck-protocol-encrypted.html)
+ [elbv2-targetgroup-protocol-encrypted](./elbv2-targetgroup-protocol-encrypted.html)
+ [elb-acm-certificate-required](./elb-acm-certificate-required.html)
+ [elb-cross-zone-load-balancing-enabled](./elb-cross-zone-load-balancing-enabled.html)
+ [elb-custom-security-policy-ssl-check](./elb-custom-security-policy-ssl-check.html)
+ [elb-deletion-protection-enabled](./elb-deletion-protection-enabled.html)
+ [elb-internal-scheme-check](./elb-internal-scheme-check.html)
+ [elb-logging-enabled](./elb-logging-enabled.html)
+ [elb-predefined-security-policy-ssl-check](./elb-predefined-security-policy-ssl-check.html)
+ [elb-tagged](./elb-tagged.html)
+ [elb-tls-https-listeners-only](./elb-tls-https-listeners-only.html)
+ [emr-block-public-access](./emr-block-public-access.html)
+ [emr-kerberos-enabled](./emr-kerberos-enabled.html)
+ [emr-master-no-public-ip](./emr-master-no-public-ip.html)
+ [emr-security-configuration-encryption-rest](./emr-security-configuration-encryption-rest.html)
+ [emr-security-configuration-encryption-transit](./emr-security-configuration-encryption-transit.html)
+ [encrypted-volumes](./encrypted-volumes.html)
+ [eventschemas-discoverer-tagged](./eventschemas-discoverer-tagged.html)
+ [eventschemas-registry-tagged](./eventschemas-registry-tagged.html)
+ [event-data-store-cmk-encryption-enabled](./event-data-store-cmk-encryption-enabled.html)
+ [fis-experiment-template-log-configuration-exists](./fis-experiment-template-log-configuration-exists.html)
+ [fis-experiment-template-tagged](./fis-experiment-template-tagged.html)
+ [fms-shield-resource-policy-check](./fms-shield-resource-policy-check.html)
+ [fms-webacl-resource-policy-check](./fms-webacl-resource-policy-check.html)
+ [fms-webacl-rulegroup-association-check](./fms-webacl-rulegroup-association-check.html)
+ [fsx-last-backup-recovery-point-created](./fsx-last-backup-recovery-point-created.html)
+ [fsx-lustre-copy-tags-to-backups](./fsx-lustre-copy-tags-to-backups.html)
+ [fsx-meets-restore-time-target](./fsx-meets-restore-time-target.html)
+ [fsx-ontap-deployment-type-check](./fsx-ontap-deployment-type-check.html)
+ [fsx-openzfs-copy-tags-enabled](./fsx-openzfs-copy-tags-enabled.html)
+ [fsx-openzfs-deployment-type-check](./fsx-openzfs-deployment-type-check.html)
+ [fsx-resources-protected-by-backup-plan](./fsx-resources-protected-by-backup-plan.html)
+ [fsx-windows-audit-log-configured](./fsx-windows-audit-log-configured.html)
+ [fsx-windows-deployment-type-check](./fsx-windows-deployment-type-check.html)
+ [glb-listener-tagged](./glb-listener-tagged.html)
+ [glb-tagged](./glb-tagged.html)
+ [global-endpoint-event-replication-enabled](./global-endpoint-event-replication-enabled.html)
+ [glue-job-logging-enabled](./glue-job-logging-enabled.html)
+ [glue-ml-transform-encrypted-at-rest](./glue-ml-transform-encrypted-at-rest.html)
+ [glue-ml-transform-tagged](./glue-ml-transform-tagged.html)
+ [glue-spark-job-supported-version](./glue-spark-job-supported-version.html)
+ [guardduty-ec2-protection-runtime-enabled](./guardduty-ec2-protection-runtime-enabled.html)
+ [guardduty-ecs-protection-runtime-enabled](./guardduty-ecs-protection-runtime-enabled.html)
+ [guardduty-eks-protection-audit-enabled](./guardduty-eks-protection-audit-enabled.html)
+ [guardduty-eks-protection-runtime-enabled](./guardduty-eks-protection-runtime-enabled.html)
+ [guardduty-enabled-centralized](./guardduty-enabled-centralized.html)
+ [guardduty-lambda-protection-enabled](./guardduty-lambda-protection-enabled.html)
+ [guardduty-malware-protection-enabled](./guardduty-malware-protection-enabled.html)
+ [guardduty-non-archived-findings](./guardduty-non-archived-findings.html)
+ [guardduty-rds-protection-enabled](./guardduty-rds-protection-enabled.html)
+ [guardduty-runtime-monitoring-enabled](./guardduty-runtime-monitoring-enabled.html)
+ [guardduty-s3-protection-enabled](./guardduty-s3-protection-enabled.html)
+ [iam-customer-policy-blocked-kms-actions](./iam-customer-policy-blocked-kms-actions.html)
+ [iam-external-access-analyzer-enabled](./iam-external-access-analyzer-enabled.html)
+ [iam-group-has-users-check](./iam-group-has-users-check.html)
+ [iam-inline-policy-blocked-kms-actions](./iam-inline-policy-blocked-kms-actions.html)
+ [iam-no-inline-policy-check](./iam-no-inline-policy-check.html)
+ [iam-password-policy](./iam-password-policy.html)
+ [iam-policy-blacklisted-check](./iam-policy-blacklisted-check.html)
+ [iam-policy-description](./iam-policy-description.html)
+ [iam-policy-in-use](./iam-policy-in-use.html)
+ [iam-policy-no-statements-with-admin-access](./iam-policy-no-statements-with-admin-access.html)
+ [iam-policy-no-statements-with-full-access](./iam-policy-no-statements-with-full-access.html)
+ [iam-role-managed-policy-check](./iam-role-managed-policy-check.html)
+ [iam-root-access-key-check](./iam-root-access-key-check.html)
+ [iam-user-group-membership-check](./iam-user-group-membership-check.html)
+ [iam-user-mfa-enabled](./iam-user-mfa-enabled.html)
+ [iam-user-no-policies-check](./iam-user-no-policies-check.html)
+ [iam-user-unused-credentials-check](./iam-user-unused-credentials-check.html)
+ [imagebuilder-distributionconfiguration-tagged](./imagebuilder-distributionconfiguration-tagged.html)
+ [imagebuilder-imagepipeline-tagged](./imagebuilder-imagepipeline-tagged.html)
+ [imagebuilder-imagerecipe-ebs-volumes-encrypted](./imagebuilder-imagerecipe-ebs-volumes-encrypted.html)
+ [imagebuilder-imagerecipe-tagged](./imagebuilder-imagerecipe-tagged.html)
+ [imagebuilder-infrastructureconfiguration-tagged](./imagebuilder-infrastructureconfiguration-tagged.html)
+ [incoming-ssh-disabled](./incoming-ssh-disabled.html)
+ [inspector-ec2-scan-enabled](./inspector-ec2-scan-enabled.html)
+ [inspector-ecr-scan-enabled](./inspector-ecr-scan-enabled.html)
+ [inspector-lambda-code-scan-enabled](./inspector-lambda-code-scan-enabled.html)
+ [inspector-lambda-standard-scan-enabled](./inspector-lambda-standard-scan-enabled.html)
+ [instances-in-vpc](./instances-in-vpc.html)
+ [internet-gateway-authorized-vpc-only](./internet-gateway-authorized-vpc-only.html)
+ [iotdevicedefender-custom-metric-tagged](./iotdevicedefender-custom-metric-tagged.html)
+ [iotevents-alarm-model-tagged](./iotevents-alarm-model-tagged.html)
+ [iotevents-detector-model-tagged](./iotevents-detector-model-tagged.html)
+ [iotevents-input-tagged](./iotevents-input-tagged.html)
+ [iot-authorizer-token-signing-enabled](./iot-authorizer-token-signing-enabled.html)
+ [iot-job-template-tagged](./iot-job-template-tagged.html)
+ [iot-provisioning-template-description](./iot-provisioning-template-description.html)
+ [iot-provisioning-template-jitp](./iot-provisioning-template-jitp.html)
+ [iot-provisioning-template-tagged](./iot-provisioning-template-tagged.html)
+ [iot-scheduled-audit-tagged](./iot-scheduled-audit-tagged.html)
+ [kendra-index-tagged](./kendra-index-tagged.html)
+ [kinesisvideo-signalingchannel-tagged](./kinesisvideo-signalingchannel-tagged.html)
+ [kinesisvideo-stream-tagged](./kinesisvideo-stream-tagged.html)
+ [kinesis-firehose-delivery-stream-encrypted](./kinesis-firehose-delivery-stream-encrypted.html)
+ [kinesis-stream-backup-retention-check](./kinesis-stream-backup-retention-check.html)
+ [kinesis-stream-encrypted](./kinesis-stream-encrypted.html)
+ [kinesis-video-stream-minimum-data-retention](./kinesis-video-stream-minimum-data-retention.html)
+ [kms-cmk-not-scheduled-for-deletion](./kms-cmk-not-scheduled-for-deletion.html)
+ [kms-key-policy-no-public-access](./kms-key-policy-no-public-access.html)
+ [kms-key-tagged](./kms-key-tagged.html)
+ [lambda-concurrency-check](./lambda-concurrency-check.html)
+ [lambda-dlq-check](./lambda-dlq-check.html)
+ [lambda-function-application-log-level-check](./lambda-function-application-log-level-check.html)
+ [lambda-function-description](./lambda-function-description.html)
+ [lambda-function-log-format-json](./lambda-function-log-format-json.html)
+ [lambda-function-public-access-prohibited](./lambda-function-public-access-prohibited.html)
+ [lambda-function-settings-check](./lambda-function-settings-check.html)
+ [lambda-function-system-log-level-check](./lambda-function-system-log-level-check.html)
+ [lambda-function-xray-enabled](./lambda-function-xray-enabled.html)
+ [lambda-inside-vpc](./lambda-inside-vpc.html)
+ [lambda-vpc-multi-az-check](./lambda-vpc-multi-az-check.html)
+ [lightsail-bucket-allow-public-overrides-disabled](./lightsail-bucket-allow-public-overrides-disabled.html)
+ [lightsail-bucket-object-versioning-enabled](./lightsail-bucket-object-versioning-enabled.html)
+ [lightsail-bucket-tagged](./lightsail-bucket-tagged.html)
+ [lightsail-certificate-tagged](./lightsail-certificate-tagged.html)
+ [lightsail-disk-tagged](./lightsail-disk-tagged.html)
+ [macie-auto-sensitive-data-discovery-check](./macie-auto-sensitive-data-discovery-check.html)
+ [macie-status-check](./macie-status-check.html)
+ [mariadb-publish-logs-to-cloudwatch-logs](./mariadb-publish-logs-to-cloudwatch-logs.html)
+ [mediapackage-packagingconfiguration-tagged](./mediapackage-packagingconfiguration-tagged.html)
+ [memorydb-subnetgroup-tagged](./memorydb-subnetgroup-tagged.html)
+ [mfa-enabled-for-iam-console-access](./mfa-enabled-for-iam-console-access.html)
+ [mq-active-broker-ldap-authentication](./mq-active-broker-ldap-authentication.html)
+ [mq-active-deployment-mode](./mq-active-deployment-mode.html)
+ [mq-active-single-instance-broker-storage-type-efs](./mq-active-single-instance-broker-storage-type-efs.html)
+ [mq-automatic-minor-version-upgrade-enabled](./mq-automatic-minor-version-upgrade-enabled.html)
+ [mq-auto-minor-version-upgrade-enabled](./mq-auto-minor-version-upgrade-enabled.html)
+ [mq-broker-general-logging-enabled](./mq-broker-general-logging-enabled.html)
+ [mq-cloudwatch-audit-logging-enabled](./mq-cloudwatch-audit-logging-enabled.html)
+ [mq-cloudwatch-audit-log-enabled](./mq-cloudwatch-audit-log-enabled.html)
+ [mq-no-public-access](./mq-no-public-access.html)
+ [mq-rabbit-deployment-mode](./mq-rabbit-deployment-mode.html)
+ [msk-cluster-public-access-disabled](./msk-cluster-public-access-disabled.html)
+ [msk-cluster-tagged](./msk-cluster-tagged.html)
+ [msk-connect-connector-logging-enabled](./msk-connect-connector-logging-enabled.html)
+ [msk-enhanced-monitoring-enabled](./msk-enhanced-monitoring-enabled.html)
+ [msk-in-cluster-node-require-tls](./msk-in-cluster-node-require-tls.html)
+ [msk-unrestricted-access-check](./msk-unrestricted-access-check.html)
+ [multi-region-cloud-trail-enabled](./multi-region-cloud-trail-enabled.html)
+ [nacl-no-unrestricted-ssh-rdp](./nacl-no-unrestricted-ssh-rdp.html)
+ [neptune-cluster-backup-retention-check](./neptune-cluster-backup-retention-check.html)
+ [neptune-cluster-cloudwatch-log-export-enabled](./neptune-cluster-cloudwatch-log-export-enabled.html)
+ [neptune-cluster-copy-tags-to-snapshot-enabled](./neptune-cluster-copy-tags-to-snapshot-enabled.html)
+ [neptune-cluster-deletion-protection-enabled](./neptune-cluster-deletion-protection-enabled.html)
+ [neptune-cluster-encrypted](./neptune-cluster-encrypted.html)
+ [neptune-cluster-iam-database-authentication](./neptune-cluster-iam-database-authentication.html)
+ [neptune-cluster-multi-az-enabled](./neptune-cluster-multi-az-enabled.html)
+ [neptune-cluster-snapshot-encrypted](./neptune-cluster-snapshot-encrypted.html)
+ [neptune-cluster-snapshot-iam-database-auth-enabled](./neptune-cluster-snapshot-iam-database-auth-enabled.html)
+ [neptune-cluster-snapshot-public-prohibited](./neptune-cluster-snapshot-public-prohibited.html)
+ [netfw-deletion-protection-enabled](./netfw-deletion-protection-enabled.html)
+ [netfw-logging-enabled](./netfw-logging-enabled.html)
+ [netfw-multi-az-enabled](./netfw-multi-az-enabled.html)
+ [netfw-policy-default-action-fragment-packets](./netfw-policy-default-action-fragment-packets.html)
+ [netfw-policy-default-action-full-packets](./netfw-policy-default-action-full-packets.html)
+ [netfw-policy-rule-group-associated](./netfw-policy-rule-group-associated.html)
+ [netfw-stateless-rule-group-not-empty](./netfw-stateless-rule-group-not-empty.html)
+ [netfw-subnet-change-protection-enabled](./netfw-subnet-change-protection-enabled.html)
+ [nlb-cross-zone-load-balancing-enabled](./nlb-cross-zone-load-balancing-enabled.html)
+ [nlb-internal-scheme-check](./nlb-internal-scheme-check.html)
+ [nlb-listener-tagged](./nlb-listener-tagged.html)
+ [nlb-logging-enabled](./nlb-logging-enabled.html)
+ [nlb-tagged](./nlb-tagged.html)
+ [no-unrestricted-route-to-igw](./no-unrestricted-route-to-igw.html)
+ [opensearchserverless-collection-description](./opensearchserverless-collection-description.html)
+ [opensearchserverless-collection-standbyreplicas-enabled](./opensearchserverless-collection-standbyreplicas-enabled.html)
+ [opensearch-access-control-enabled](./opensearch-access-control-enabled.html)
+ [opensearch-audit-logging-enabled](./opensearch-audit-logging-enabled.html)
+ [opensearch-data-node-fault-tolerance](./opensearch-data-node-fault-tolerance.html)
+ [opensearch-encrypted-at-rest](./opensearch-encrypted-at-rest.html)
+ [opensearch-https-required](./opensearch-https-required.html)
+ [opensearch-in-vpc-only](./opensearch-in-vpc-only.html)
+ [opensearch-logs-to-cloudwatch](./opensearch-logs-to-cloudwatch.html)
+ [opensearch-node-to-node-encryption-check](./opensearch-node-to-node-encryption-check.html)
+ [opensearch-primary-node-fault-tolerance](./opensearch-primary-node-fault-tolerance.html)
+ [opensearch-update-check](./opensearch-update-check.html)
+ [rabbit-mq-supported-version](./rabbit-mq-supported-version.html)
+ [rds-aurora-mysql-audit-logging-enabled](./rds-aurora-mysql-audit-logging-enabled.html)
+ [rds-aurora-postgresql-logs-to-cloudwatch](./rds-aurora-postgresql-logs-to-cloudwatch.html)
+ [rds-automatic-minor-version-upgrade-enabled](./rds-automatic-minor-version-upgrade-enabled.html)
+ [rds-cluster-auto-minor-version-upgrade-enable](./rds-cluster-auto-minor-version-upgrade-enable.html)
+ [rds-cluster-backup-retention-check](./rds-cluster-backup-retention-check.html)
+ [rds-cluster-default-admin-check](./rds-cluster-default-admin-check.html)
+ [rds-cluster-deletion-protection-enabled](./rds-cluster-deletion-protection-enabled.html)
+ [rds-cluster-encrypted-at-rest](./rds-cluster-encrypted-at-rest.html)
+ [rds-cluster-iam-authentication-enabled](./rds-cluster-iam-authentication-enabled.html)
+ [rds-cluster-multi-az-enabled](./rds-cluster-multi-az-enabled.html)
+ [rds-enhanced-monitoring-enabled](./rds-enhanced-monitoring-enabled.html)
+ [rds-event-subscription-tagged](./rds-event-subscription-tagged.html)
+ [rds-global-cluster-aurora-mysql-supported-version](./rds-global-cluster-aurora-mysql-supported-version.html)
+ [rds-instance-default-admin-check](./rds-instance-default-admin-check.html)
+ [rds-instance-deletion-protection-enabled](./rds-instance-deletion-protection-enabled.html)
+ [rds-instance-iam-authentication-enabled](./rds-instance-iam-authentication-enabled.html)
+ [rds-instance-public-access-check](./rds-instance-public-access-check.html)
+ [rds-instance-subnet-igw-check](./rds-instance-subnet-igw-check.html)
+ [rds-in-backup-plan](./rds-in-backup-plan.html)
+ [rds-last-backup-recovery-point-created](./rds-last-backup-recovery-point-created.html)
+ [rds-logging-enabled](./rds-logging-enabled.html)
+ [rds-mariadb-instance-encrypted-in-transit](./rds-mariadb-instance-encrypted-in-transit.html)
+ [rds-meets-restore-time-target](./rds-meets-restore-time-target.html)
+ [rds-multi-az-support](./rds-multi-az-support.html)
+ [rds-mysql-cluster-copy-tags-to-snapshot-check](./rds-mysql-cluster-copy-tags-to-snapshot-check.html)
+ [rds-mysql-instance-encrypted-in-transit](./rds-mysql-instance-encrypted-in-transit.html)
+ [rds-option-group-tagged](./rds-option-group-tagged.html)
+ [rds-pgsql-cluster-copy-tags-to-snapshot-check](./rds-pgsql-cluster-copy-tags-to-snapshot-check.html)
+ [rds-postgresql-logs-to-cloudwatch](./rds-postgresql-logs-to-cloudwatch.html)
+ [rds-postgres-instance-encrypted-in-transit](./rds-postgres-instance-encrypted-in-transit.html)
+ [rds-proxy-tls-encryption](./rds-proxy-tls-encryption.html)
+ [rds-resources-protected-by-backup-plan](./rds-resources-protected-by-backup-plan.html)
+ [rds-snapshots-public-prohibited](./rds-snapshots-public-prohibited.html)
+ [rds-snapshot-encrypted](./rds-snapshot-encrypted.html)
+ [rds-sqlserver-encrypted-in-transit](./rds-sqlserver-encrypted-in-transit.html)
+ [rds-sql-server-logs-to-cloudwatch](./rds-sql-server-logs-to-cloudwatch.html)
+ [rds-storage-encrypted](./rds-storage-encrypted.html)
+ [redshift-audit-logging-enabled](./redshift-audit-logging-enabled.html)
+ [redshift-backup-enabled](./redshift-backup-enabled.html)
+ [redshift-cluster-configuration-check](./redshift-cluster-configuration-check.html)
+ [redshift-cluster-kms-enabled](./redshift-cluster-kms-enabled.html)
+ [redshift-cluster-maintenancesettings-check](./redshift-cluster-maintenancesettings-check.html)
+ [redshift-cluster-multi-az-enabled](./redshift-cluster-multi-az-enabled.html)
+ [redshift-cluster-parameter-group-tagged](./redshift-cluster-parameter-group-tagged.html)
+ [redshift-cluster-public-access-check](./redshift-cluster-public-access-check.html)
+ [redshift-cluster-subnet-group-multi-az](./redshift-cluster-subnet-group-multi-az.html)
+ [redshift-default-admin-check](./redshift-default-admin-check.html)
+ [redshift-default-db-name-check](./redshift-default-db-name-check.html)
+ [redshift-enhanced-vpc-routing-enabled](./redshift-enhanced-vpc-routing-enabled.html)
+ [redshift-require-tls-ssl](./redshift-require-tls-ssl.html)
+ [redshift-serverless-default-admin-check](./redshift-serverless-default-admin-check.html)
+ [redshift-serverless-default-db-name-check](./redshift-serverless-default-db-name-check.html)
+ [redshift-serverless-namespace-cmk-encryption](./redshift-serverless-namespace-cmk-encryption.html)
+ [redshift-serverless-publish-logs-to-cloudwatch](./redshift-serverless-publish-logs-to-cloudwatch.html)
+ [redshift-serverless-workgroup-encrypted-in-transit](./redshift-serverless-workgroup-encrypted-in-transit.html)
+ [redshift-serverless-workgroup-no-public-access](./redshift-serverless-workgroup-no-public-access.html)
+ [redshift-serverless-workgroup-routes-within-vpc](./redshift-serverless-workgroup-routes-within-vpc.html)
+ [redshift-unrestricted-port-access](./redshift-unrestricted-port-access.html)
+ [required-tags](./required-tags.html)
+ [resiliencehub-app-tagged](./resiliencehub-app-tagged.html)
+ [resiliencehub-resiliencypolicy-tagged](./resiliencehub-resiliencypolicy-tagged.html)
+ [restricted-incoming-traffic](./restricted-incoming-traffic.html)
+ [root-account-hardware-mfa-enabled](./root-account-hardware-mfa-enabled.html)
+ [root-account-mfa-enabled](./root-account-mfa-enabled.html)
+ [route53-resolver-firewall-domain-list-tagged](./route53-resolver-firewall-domain-list-tagged.html)
+ [route53-resolver-firewall-rule-group-association-tagged](./route53-resolver-firewall-rule-group-association-tagged.html)
+ [route53-resolver-firewall-rule-group-tagged](./route53-resolver-firewall-rule-group-tagged.html)
+ [route53-resolver-resolver-endpoint-tagged](./route53-resolver-resolver-endpoint-tagged.html)
+ [route53-resolver-resolver-rule-tagged](./route53-resolver-resolver-rule-tagged.html)
+ [rum-app-monitor-cloudwatch-logs-enabled](./rum-app-monitor-cloudwatch-logs-enabled.html)
+ [rum-app-monitor-tagged](./rum-app-monitor-tagged.html)
+ [s3-access-point-in-vpc-only](./s3-access-point-in-vpc-only.html)
+ [s3-access-point-public-access-blocks](./s3-access-point-public-access-blocks.html)
+ [s3-account-level-public-access-blocks](./s3-account-level-public-access-blocks.html)
+ [s3-account-level-public-access-blocks-periodic](./s3-account-level-public-access-blocks-periodic.html)
+ [s3-bucket-acl-prohibited](./s3-bucket-acl-prohibited.html)
+ [s3-bucket-blacklisted-actions-prohibited](./s3-bucket-blacklisted-actions-prohibited.html)
+ [s3-bucket-cross-region-replication-enabled](./s3-bucket-cross-region-replication-enabled.html)
+ [s3-bucket-default-lock-enabled](./s3-bucket-default-lock-enabled.html)
+ [s3-bucket-level-public-access-prohibited](./s3-bucket-level-public-access-prohibited.html)
+ [s3-bucket-logging-enabled](./s3-bucket-logging-enabled.html)
+ [s3-bucket-mfa-delete-enabled](./s3-bucket-mfa-delete-enabled.html)
+ [s3-bucket-policy-grantee-check](./s3-bucket-policy-grantee-check.html)
+ [s3-bucket-policy-not-more-permissive](./s3-bucket-policy-not-more-permissive.html)
+ [s3-bucket-public-read-prohibited](./s3-bucket-public-read-prohibited.html)
+ [s3-bucket-public-write-prohibited](./s3-bucket-public-write-prohibited.html)
+ [s3-bucket-replication-enabled](./s3-bucket-replication-enabled.html)
+ [s3-bucket-server-side-encryption-enabled](./s3-bucket-server-side-encryption-enabled.html)
+ [s3-bucket-ssl-requests-only](./s3-bucket-ssl-requests-only.html)
+ [s3-bucket-tagged](./s3-bucket-tagged.html)
+ [s3-bucket-versioning-enabled](./s3-bucket-versioning-enabled.html)
+ [s3-default-encryption-kms](./s3-default-encryption-kms.html)
+ [s3-event-notifications-enabled](./s3-event-notifications-enabled.html)
+ [s3-last-backup-recovery-point-created](./s3-last-backup-recovery-point-created.html)
+ [s3-lifecycle-policy-check](./s3-lifecycle-policy-check.html)
+ [s3-meets-restore-time-target](./s3-meets-restore-time-target.html)
+ [s3-resources-in-logically-air-gapped-vault](./s3-resources-in-logically-air-gapped-vault.html)
+ [s3-resources-protected-by-backup-plan](./s3-resources-protected-by-backup-plan.html)
+ [s3-version-lifecycle-policy-check](./s3-version-lifecycle-policy-check.html)
+ [sagemaker-app-image-config-tagged](./sagemaker-app-image-config-tagged.html)
+ [sagemaker-data-quality-job-encrypt-in-transit](./sagemaker-data-quality-job-encrypt-in-transit.html)
+ [sagemaker-data-quality-job-isolation](./sagemaker-data-quality-job-isolation.html)
+ [sagemaker-domain-in-vpc](./sagemaker-domain-in-vpc.html)
+ [sagemaker-domain-tagged](./sagemaker-domain-tagged.html)
+ [sagemaker-endpoint-configuration-kms-key-configured](./sagemaker-endpoint-configuration-kms-key-configured.html)
+ [sagemaker-endpoint-config-prod-instance-count](./sagemaker-endpoint-config-prod-instance-count.html)
+ [sagemaker-featuregroup-description](./sagemaker-featuregroup-description.html)
+ [sagemaker-featuregroup-encryption-at-rest](./sagemaker-featuregroup-encryption-at-rest.html)
+ [sagemaker-feature-group-tagged](./sagemaker-feature-group-tagged.html)
+ [sagemaker-image-description](./sagemaker-image-description.html)
+ [sagemaker-image-tagged](./sagemaker-image-tagged.html)
+ [sagemaker-inferenceexperiment-tagged](./sagemaker-inferenceexperiment-tagged.html)
+ [sagemaker-model-bias-job-encrypt-in-transit](./sagemaker-model-bias-job-encrypt-in-transit.html)
+ [sagemaker-model-bias-job-isolation](./sagemaker-model-bias-job-isolation.html)
+ [sagemaker-model-explainability-job-encrypt-in-transit](./sagemaker-model-explainability-job-encrypt-in-transit.html)
+ [sagemaker-model-in-vpc](./sagemaker-model-in-vpc.html)
+ [sagemaker-model-isolation-enabled](./sagemaker-model-isolation-enabled.html)
+ [sagemaker-model-private-registry-required](./sagemaker-model-private-registry-required.html)
+ [sagemaker-model-quality-job-encrypt-in-transit](./sagemaker-model-quality-job-encrypt-in-transit.html)
+ [sagemaker-monitoring-schedule-isolation](./sagemaker-monitoring-schedule-isolation.html)
+ [sagemaker-notebook-instance-inside-vpc](./sagemaker-notebook-instance-inside-vpc.html)
+ [sagemaker-notebook-instance-kms-key-configured](./sagemaker-notebook-instance-kms-key-configured.html)
+ [sagemaker-notebook-instance-platform-version](./sagemaker-notebook-instance-platform-version.html)
+ [sagemaker-notebook-instance-root-access-check](./sagemaker-notebook-instance-root-access-check.html)
+ [sagemaker-notebook-no-direct-internet-access](./sagemaker-notebook-no-direct-internet-access.html)
+ [secretsmanager-rotation-enabled-check](./secretsmanager-rotation-enabled-check.html)
+ [secretsmanager-scheduled-rotation-success-check](./secretsmanager-scheduled-rotation-success-check.html)
+ [secretsmanager-secret-periodic-rotation](./secretsmanager-secret-periodic-rotation.html)
+ [secretsmanager-secret-unused](./secretsmanager-secret-unused.html)
+ [secretsmanager-using-cmk](./secretsmanager-using-cmk.html)
+ [securityhub-enabled](./securityhub-enabled.html)
+ [security-account-information-provided](./security-account-information-provided.html)
+ [service-catalog-portfolio-tagged](./service-catalog-portfolio-tagged.html)
+ [service-catalog-shared-within-organization](./service-catalog-shared-within-organization.html)
+ [service-vpc-endpoint-enabled](./service-vpc-endpoint-enabled.html)
+ [ses-sending-tls-required](./ses-sending-tls-required.html)
+ [signer-signingprofile-tagged](./signer-signingprofile-tagged.html)
+ [sns-encrypted-kms](./sns-encrypted-kms.html)
+ [sns-topic-message-delivery-notification-enabled](./sns-topic-message-delivery-notification-enabled.html)
+ [sns-topic-no-public-access](./sns-topic-no-public-access.html)
+ [sqs-queue-dlq-check](./sqs-queue-dlq-check.html)
+ [sqs-queue-no-public-access](./sqs-queue-no-public-access.html)
+ [sqs-queue-policy-full-access-check](./sqs-queue-policy-full-access-check.html)
+ [ssm-automation-block-public-sharing](./ssm-automation-block-public-sharing.html)
+ [ssm-automation-logging-enabled](./ssm-automation-logging-enabled.html)
+ [ssm-document-not-public](./ssm-document-not-public.html)
+ [ssm-document-tagged](./ssm-document-tagged.html)
+ [stepfunctions-state-machine-tagged](./stepfunctions-state-machine-tagged.html)
+ [step-functions-state-machine-logging-enabled](./step-functions-state-machine-logging-enabled.html)
+ [storagegateway-last-backup-recovery-point-created](./storagegateway-last-backup-recovery-point-created.html)
+ [storagegateway-resources-in-logically-air-gapped-vault](./storagegateway-resources-in-logically-air-gapped-vault.html)
+ [storagegateway-resources-protected-by-backup-plan](./storagegateway-resources-protected-by-backup-plan.html)
+ [subnet-auto-assign-public-ip-disabled](./subnet-auto-assign-public-ip-disabled.html)
+ [transfer-agreement-description](./transfer-agreement-description.html)
+ [transfer-agreement-tagged](./transfer-agreement-tagged.html)
+ [transfer-certificate-description](./transfer-certificate-description.html)
+ [transfer-certificate-tagged](./transfer-certificate-tagged.html)
+ [transfer-connector-as2-encryption-algorithm-check](./transfer-connector-as2-encryption-algorithm-check.html)
+ [transfer-connector-as2-mdn-signing-algorithm-check](./transfer-connector-as2-mdn-signing-algorithm-check.html)
+ [transfer-connector-as2-signing-algorithm-check](./transfer-connector-as2-signing-algorithm-check.html)
+ [transfer-connector-logging-enabled](./transfer-connector-logging-enabled.html)
+ [transfer-connector-tagged](./transfer-connector-tagged.html)
+ [transfer-family-server-no-ftp](./transfer-family-server-no-ftp.html)
+ [transfer-profile-tagged](./transfer-profile-tagged.html)
+ [transfer-workflow-description](./transfer-workflow-description.html)
+ [transfer-workflow-tagged](./transfer-workflow-tagged.html)
+ [virtualmachine-last-backup-recovery-point-created](./virtualmachine-last-backup-recovery-point-created.html)
+ [virtualmachine-resources-in-logically-air-gapped-vault](./virtualmachine-resources-in-logically-air-gapped-vault.html)
+ [virtualmachine-resources-protected-by-backup-plan](./virtualmachine-resources-protected-by-backup-plan.html)
+ [vpc-default-security-group-closed](./vpc-default-security-group-closed.html)
+ [vpc-endpoint-enabled](./vpc-endpoint-enabled.html)
+ [vpc-flow-logs-enabled](./vpc-flow-logs-enabled.html)
+ [vpc-network-acl-unused-check](./vpc-network-acl-unused-check.html)
+ [vpc-peering-dns-resolution-check](./vpc-peering-dns-resolution-check.html)
+ [vpc-sg-open-only-to-authorized-ports](./vpc-sg-open-only-to-authorized-ports.html)
+ [vpc-sg-port-restriction-check](./vpc-sg-port-restriction-check.html)
+ [vpc-vpn-2-tunnels-up](./vpc-vpn-2-tunnels-up.html)
+ [wafv2-logging-enabled](./wafv2-logging-enabled.html)
+ [wafv2-rulegroup-logging-enabled](./wafv2-rulegroup-logging-enabled.html)
+ [wafv2-rulegroup-not-empty](./wafv2-rulegroup-not-empty.html)
+ [wafv2-webacl-not-empty](./wafv2-webacl-not-empty.html)
+ [waf-global-rulegroup-not-empty](./waf-global-rulegroup-not-empty.html)
+ [waf-global-rule-not-empty](./waf-global-rule-not-empty.html)
+ [waf-regional-rulegroup-not-empty](./waf-regional-rulegroup-not-empty.html)
+ [waf-regional-rule-not-empty](./waf-regional-rule-not-empty.html)
+ [waf-regional-webacl-not-empty](./waf-regional-webacl-not-empty.html)
+ [workspaces-connection-alias-tagged](./workspaces-connection-alias-tagged.html)
+ [workspaces-root-volume-encryption-enabled](./workspaces-root-volume-encryption-enabled.html)
+ [workspaces-user-volume-encryption-enabled](./workspaces-user-volume-encryption-enabled.html)
+ [workspaces-workspace-tagged](./workspaces-workspace-tagged.html)

## Europe (Milan) Region
<a name="europe-milan-section-head"></a>

### Europe (Milan)
<a name="europe-milan"></a>
+ [access-keys-rotated](./access-keys-rotated.html)
+ [account-part-of-organizations](./account-part-of-organizations.html)
+ [acmpca-certificate-authority-tagged](./acmpca-certificate-authority-tagged.html)
+ [acm-certificate-expiration-check](./acm-certificate-expiration-check.html)
+ [acm-certificate-rsa-check](./acm-certificate-rsa-check.html)
+ [acm-certificate-transparent-logging-enabled](./acm-certificate-transparent-logging-enabled.html)
+ [acm-pca-root-ca-disabled](./acm-pca-root-ca-disabled.html)
+ [active-mq-supported-version](./active-mq-supported-version.html)
+ [alb-desync-mode-check](./alb-desync-mode-check.html)
+ [alb-http-drop-invalid-header-enabled](./alb-http-drop-invalid-header-enabled.html)
+ [alb-http-to-https-redirection-check](./alb-http-to-https-redirection-check.html)
+ [alb-internal-scheme-check](./alb-internal-scheme-check.html)
+ [alb-listener-tagged](./alb-listener-tagged.html)
+ [alb-tagged](./alb-tagged.html)
+ [alb-waf-enabled](./alb-waf-enabled.html)
+ [amplify-app-branch-auto-deletion-enabled](./amplify-app-branch-auto-deletion-enabled.html)
+ [amplify-app-build-spec-configured](./amplify-app-build-spec-configured.html)
+ [amplify-app-description](./amplify-app-description.html)
+ [amplify-app-no-environment-variables](./amplify-app-no-environment-variables.html)
+ [amplify-app-platform-check](./amplify-app-platform-check.html)
+ [amplify-app-tagged](./amplify-app-tagged.html)
+ [amplify-branch-auto-build-enabled](./amplify-branch-auto-build-enabled.html)
+ [amplify-branch-build-spec-configured](./amplify-branch-build-spec-configured.html)
+ [amplify-branch-description](./amplify-branch-description.html)
+ [amplify-branch-framework-configured](./amplify-branch-framework-configured.html)
+ [amplify-branch-performance-mode-enabled](./amplify-branch-performance-mode-enabled.html)
+ [amplify-branch-pull-request-preview-enabled](./amplify-branch-pull-request-preview-enabled.html)
+ [amplify-branch-tagged](./amplify-branch-tagged.html)
+ [apigatewayv2-integration-private-https-enabled](./apigatewayv2-integration-private-https-enabled.html)
+ [apigatewayv2-stage-description](./apigatewayv2-stage-description.html)
+ [apigateway-domain-name-tls-check](./apigateway-domain-name-tls-check.html)
+ [apigateway-stage-access-logs-enabled](./apigateway-stage-access-logs-enabled.html)
+ [apigateway-stage-description](./apigateway-stage-description.html)
+ [api-gwv2-access-logs-enabled](./api-gwv2-access-logs-enabled.html)
+ [api-gwv2-authorization-type-configured](./api-gwv2-authorization-type-configured.html)
+ [api-gwv2-stage-default-route-detailed-metrics-enabled](./api-gwv2-stage-default-route-detailed-metrics-enabled.html)
+ [api-gw-associated-with-waf](./api-gw-associated-with-waf.html)
+ [api-gw-cache-enabled-and-encrypted](./api-gw-cache-enabled-and-encrypted.html)
+ [api-gw-endpoint-type-check](./api-gw-endpoint-type-check.html)
+ [api-gw-execution-logging-enabled](./api-gw-execution-logging-enabled.html)
+ [api-gw-rest-api-tagged](./api-gw-rest-api-tagged.html)
+ [api-gw-ssl-enabled](./api-gw-ssl-enabled.html)
+ [api-gw-stage-tagged](./api-gw-stage-tagged.html)
+ [api-gw-xray-enabled](./api-gw-xray-enabled.html)
+ [appconfig-application-description](./appconfig-application-description.html)
+ [appconfig-application-tagged](./appconfig-application-tagged.html)
+ [appconfig-configuration-profile-tagged](./appconfig-configuration-profile-tagged.html)
+ [appconfig-configuration-profile-validators-not-empty](./appconfig-configuration-profile-validators-not-empty.html)
+ [appconfig-deployment-strategy-description](./appconfig-deployment-strategy-description.html)
+ [appconfig-deployment-strategy-minimum-final-bake-time](./appconfig-deployment-strategy-minimum-final-bake-time.html)
+ [appconfig-deployment-strategy-replicate-to-ssm](./appconfig-deployment-strategy-replicate-to-ssm.html)
+ [appconfig-deployment-strategy-tagged](./appconfig-deployment-strategy-tagged.html)
+ [appconfig-environment-description](./appconfig-environment-description.html)
+ [appconfig-environment-tagged](./appconfig-environment-tagged.html)
+ [appconfig-extension-association-tagged](./appconfig-extension-association-tagged.html)
+ [appconfig-freeform-profile-config-storage](./appconfig-freeform-profile-config-storage.html)
+ [appconfig-hosted-configuration-version-description](./appconfig-hosted-configuration-version-description.html)
+ [appmesh-gateway-route-tagged](./appmesh-gateway-route-tagged.html)
+ [appmesh-mesh-deny-tcp-forwarding](./appmesh-mesh-deny-tcp-forwarding.html)
+ [appmesh-mesh-ip-pref-check](./appmesh-mesh-ip-pref-check.html)
+ [appmesh-mesh-tagged](./appmesh-mesh-tagged.html)
+ [appmesh-route-tagged](./appmesh-route-tagged.html)
+ [appmesh-virtual-gateway-backend-defaults-tls](./appmesh-virtual-gateway-backend-defaults-tls.html)
+ [appmesh-virtual-gateway-listeners-health-check-enabled](./appmesh-virtual-gateway-listeners-health-check-enabled.html)
+ [appmesh-virtual-gateway-logging-file-path-exists](./appmesh-virtual-gateway-logging-file-path-exists.html)
+ [appmesh-virtual-gateway-tagged](./appmesh-virtual-gateway-tagged.html)
+ [appmesh-virtual-node-backend-defaults-tls-on](./appmesh-virtual-node-backend-defaults-tls-on.html)
+ [appmesh-virtual-node-cloud-map-ip-pref-check](./appmesh-virtual-node-cloud-map-ip-pref-check.html)
+ [appmesh-virtual-node-dns-ip-pref-check](./appmesh-virtual-node-dns-ip-pref-check.html)
+ [appmesh-virtual-node-listeners-health-check-enabled](./appmesh-virtual-node-listeners-health-check-enabled.html)
+ [appmesh-virtual-node-listeners-outlier-detect-enabled](./appmesh-virtual-node-listeners-outlier-detect-enabled.html)
+ [appmesh-virtual-node-logging-file-path-exists](./appmesh-virtual-node-logging-file-path-exists.html)
+ [appmesh-virtual-node-service-backends-tls-enforced](./appmesh-virtual-node-service-backends-tls-enforced.html)
+ [appmesh-virtual-node-tagged](./appmesh-virtual-node-tagged.html)
+ [appmesh-virtual-router-tagged](./appmesh-virtual-router-tagged.html)
+ [appmesh-virtual-service-tagged](./appmesh-virtual-service-tagged.html)
+ [approved-amis-by-id](./approved-amis-by-id.html)
+ [approved-amis-by-tag](./approved-amis-by-tag.html)
+ [appsync-associated-with-waf](./appsync-associated-with-waf.html)
+ [appsync-authorization-check](./appsync-authorization-check.html)
+ [appsync-cache-encryption-at-rest](./appsync-cache-encryption-at-rest.html)
+ [appsync-graphql-api-xray-enabled](./appsync-graphql-api-xray-enabled.html)
+ [appsync-logging-enabled](./appsync-logging-enabled.html)
+ [athena-data-catalog-description](./athena-data-catalog-description.html)
+ [athena-workgroup-description](./athena-workgroup-description.html)
+ [athena-workgroup-encrypted-at-rest](./athena-workgroup-encrypted-at-rest.html)
+ [athena-workgroup-enforce-workgroup-configuration](./athena-workgroup-enforce-workgroup-configuration.html)
+ [athena-workgroup-engine-version-auto-upgrade](./athena-workgroup-engine-version-auto-upgrade.html)
+ [athena-workgroup-logging-enabled](./athena-workgroup-logging-enabled.html)
+ [aurora-global-database-encryption-at-rest](./aurora-global-database-encryption-at-rest.html)
+ [aurora-last-backup-recovery-point-created](./aurora-last-backup-recovery-point-created.html)
+ [aurora-meets-restore-time-target](./aurora-meets-restore-time-target.html)
+ [aurora-mysql-cluster-audit-logging](./aurora-mysql-cluster-audit-logging.html)
+ [aurora-resources-in-logically-air-gapped-vault](./aurora-resources-in-logically-air-gapped-vault.html)
+ [aurora-resources-protected-by-backup-plan](./aurora-resources-protected-by-backup-plan.html)
+ [autoscaling-capacity-rebalancing](./autoscaling-capacity-rebalancing.html)
+ [autoscaling-group-elb-healthcheck-required](./autoscaling-group-elb-healthcheck-required.html)
+ [autoscaling-launchconfig-requires-imdsv2](./autoscaling-launchconfig-requires-imdsv2.html)
+ [autoscaling-launch-config-hop-limit](./autoscaling-launch-config-hop-limit.html)
+ [autoscaling-launch-config-public-ip-disabled](./autoscaling-launch-config-public-ip-disabled.html)
+ [autoscaling-launch-template](./autoscaling-launch-template.html)
+ [autoscaling-multiple-az](./autoscaling-multiple-az.html)
+ [autoscaling-multiple-instance-types](./autoscaling-multiple-instance-types.html)
+ [backup-plan-min-frequency-and-min-retention-check](./backup-plan-min-frequency-and-min-retention-check.html)
+ [backup-recovery-point-encrypted](./backup-recovery-point-encrypted.html)
+ [backup-recovery-point-manual-deletion-disabled](./backup-recovery-point-manual-deletion-disabled.html)
+ [backup-recovery-point-minimum-retention-check](./backup-recovery-point-minimum-retention-check.html)
+ [batch-compute-environment-enabled](./batch-compute-environment-enabled.html)
+ [batch-compute-environment-managed](./batch-compute-environment-managed.html)
+ [batch-compute-environment-tagged](./batch-compute-environment-tagged.html)
+ [batch-job-queue-enabled](./batch-job-queue-enabled.html)
+ [batch-job-queue-tagged](./batch-job-queue-tagged.html)
+ [batch-managed-compute-environment-using-launch-template](./batch-managed-compute-environment-using-launch-template.html)
+ [batch-managed-compute-env-allocation-strategy-check](./batch-managed-compute-env-allocation-strategy-check.html)
+ [batch-managed-compute-env-compute-resources-tagged](./batch-managed-compute-env-compute-resources-tagged.html)
+ [batch-managed-spot-compute-environment-max-bid](./batch-managed-spot-compute-environment-max-bid.html)
+ [batch-scheduling-policy-tagged](./batch-scheduling-policy-tagged.html)
+ [beanstalk-enhanced-health-reporting-enabled](./beanstalk-enhanced-health-reporting-enabled.html)
+ [clb-desync-mode-check](./clb-desync-mode-check.html)
+ [clb-multiple-az](./clb-multiple-az.html)
+ [cloudformation-stack-drift-detection-check](./cloudformation-stack-drift-detection-check.html)
+ [cloudformation-stack-notification-check](./cloudformation-stack-notification-check.html)
+ [cloudformation-stack-service-role-check](./cloudformation-stack-service-role-check.html)
+ [cloudformation-termination-protection-check](./cloudformation-termination-protection-check.html)
+ [cloudtrail-all-read-s3-data-event-check](./cloudtrail-all-read-s3-data-event-check.html)
+ [cloudtrail-all-write-s3-data-event-check](./cloudtrail-all-write-s3-data-event-check.html)
+ [cloudtrail-event-data-store-multi-region](./cloudtrail-event-data-store-multi-region.html)
+ [cloudtrail-s3-bucket-access-logging](./cloudtrail-s3-bucket-access-logging.html)
+ [cloudtrail-s3-bucket-public-access-prohibited](./cloudtrail-s3-bucket-public-access-prohibited.html)
+ [cloudtrail-s3-dataevents-enabled](./cloudtrail-s3-dataevents-enabled.html)
+ [cloudtrail-security-trail-enabled](./cloudtrail-security-trail-enabled.html)
+ [cloudwatch-alarm-action-check](./cloudwatch-alarm-action-check.html)
+ [cloudwatch-alarm-action-enabled-check](./cloudwatch-alarm-action-enabled-check.html)
+ [cloudwatch-alarm-description](./cloudwatch-alarm-description.html)
+ [cloudwatch-alarm-resource-check](./cloudwatch-alarm-resource-check.html)
+ [cloudwatch-alarm-settings-check](./cloudwatch-alarm-settings-check.html)
+ [cloudwatch-log-group-encrypted](./cloudwatch-log-group-encrypted.html)
+ [cloudwatch-metric-stream-tagged](./cloudwatch-metric-stream-tagged.html)
+ [cloud-trail-cloud-watch-logs-enabled](./cloud-trail-cloud-watch-logs-enabled.html)
+ [cloud-trail-enabled](./cloud-trail-enabled.html)
+ [cloud-trail-encryption-enabled](./cloud-trail-encryption-enabled.html)
+ [cloud-trail-log-file-validation-enabled](./cloud-trail-log-file-validation-enabled.html)
+ [cmk-backing-key-rotation-enabled](./cmk-backing-key-rotation-enabled.html)
+ [codeartifact-repository-tagged](./codeartifact-repository-tagged.html)
+ [codebuild-project-artifact-encryption](./codebuild-project-artifact-encryption.html)
+ [codebuild-project-environment-privileged-check](./codebuild-project-environment-privileged-check.html)
+ [codebuild-project-envvar-awscred-check](./codebuild-project-envvar-awscred-check.html)
+ [codebuild-project-logging-enabled](./codebuild-project-logging-enabled.html)
+ [codebuild-project-s3-logs-encrypted](./codebuild-project-s3-logs-encrypted.html)
+ [codebuild-project-source-repo-url-check](./codebuild-project-source-repo-url-check.html)
+ [codebuild-project-tagged](./codebuild-project-tagged.html)
+ [codebuild-report-group-encrypted-at-rest](./codebuild-report-group-encrypted-at-rest.html)
+ [codebuild-report-group-tagged](./codebuild-report-group-tagged.html)
+ [codedeploy-auto-rollback-monitor-enabled](./codedeploy-auto-rollback-monitor-enabled.html)
+ [codedeploy-deployment-group-auto-rollback-enabled](./codedeploy-deployment-group-auto-rollback-enabled.html)
+ [codedeploy-deployment-group-outdated-instances-update](./codedeploy-deployment-group-outdated-instances-update.html)
+ [codedeploy-ec2-minimum-healthy-hosts-configured](./codedeploy-ec2-minimum-healthy-hosts-configured.html)
+ [codedeploy-lambda-allatonce-traffic-shift-disabled](./codedeploy-lambda-allatonce-traffic-shift-disabled.html)
+ [codepipeline-deployment-count-check](./codepipeline-deployment-count-check.html)
+ [codepipeline-region-fanout-check](./codepipeline-region-fanout-check.html)
+ [cognito-identity-pool-unauthenticated-logins](./cognito-identity-pool-unauthenticated-logins.html)
+ [cognito-identity-pool-unauth-access-check](./cognito-identity-pool-unauth-access-check.html)
+ [cognito-userpool-cust-auth-threat-full-check](./cognito-userpool-cust-auth-threat-full-check.html)
+ [cognito-user-pool-advanced-security-enabled](./cognito-user-pool-advanced-security-enabled.html)
+ [cognito-user-pool-deletion-protection-enabled](./cognito-user-pool-deletion-protection-enabled.html)
+ [cognito-user-pool-mfa-enabled](./cognito-user-pool-mfa-enabled.html)
+ [cognito-user-pool-password-policy-check](./cognito-user-pool-password-policy-check.html)
+ [cognito-user-pool-tagged](./cognito-user-pool-tagged.html)
+ [custom-eventbus-policy-attached](./custom-eventbus-policy-attached.html)
+ [cw-loggroup-retention-period-check](./cw-loggroup-retention-period-check.html)
+ [datasync-location-object-storage-using-https](./datasync-location-object-storage-using-https.html)
+ [datasync-task-data-verification-enabled](./datasync-task-data-verification-enabled.html)
+ [datasync-task-logging-enabled](./datasync-task-logging-enabled.html)
+ [datasync-task-tagged](./datasync-task-tagged.html)
+ [db-instance-backup-enabled](./db-instance-backup-enabled.html)
+ [desired-instance-tenancy](./desired-instance-tenancy.html)
+ [desired-instance-type](./desired-instance-type.html)
+ [dms-auto-minor-version-upgrade-check](./dms-auto-minor-version-upgrade-check.html)
+ [dms-endpoint-ssl-configured](./dms-endpoint-ssl-configured.html)
+ [dms-endpoint-tagged](./dms-endpoint-tagged.html)
+ [dms-mongo-db-authentication-enabled](./dms-mongo-db-authentication-enabled.html)
+ [dms-redis-tls-enabled](./dms-redis-tls-enabled.html)
+ [dms-replication-instance-multi-az-enabled](./dms-replication-instance-multi-az-enabled.html)
+ [dms-replication-not-public](./dms-replication-not-public.html)
+ [dms-replication-task-sourcedb-logging](./dms-replication-task-sourcedb-logging.html)
+ [dms-replication-task-tagged](./dms-replication-task-tagged.html)
+ [dms-replication-task-targetdb-logging](./dms-replication-task-targetdb-logging.html)
+ [docdb-cluster-audit-logging-enabled](./docdb-cluster-audit-logging-enabled.html)
+ [docdb-cluster-backup-retention-check](./docdb-cluster-backup-retention-check.html)
+ [docdb-cluster-deletion-protection-enabled](./docdb-cluster-deletion-protection-enabled.html)
+ [docdb-cluster-encrypted](./docdb-cluster-encrypted.html)
+ [docdb-cluster-encrypted-in-transit](./docdb-cluster-encrypted-in-transit.html)
+ [docdb-cluster-snapshot-public-prohibited](./docdb-cluster-snapshot-public-prohibited.html)
+ [dynamodb-autoscaling-enabled](./dynamodb-autoscaling-enabled.html)
+ [dynamodb-in-backup-plan](./dynamodb-in-backup-plan.html)
+ [dynamodb-last-backup-recovery-point-created](./dynamodb-last-backup-recovery-point-created.html)
+ [dynamodb-meets-restore-time-target](./dynamodb-meets-restore-time-target.html)
+ [dynamodb-pitr-enabled](./dynamodb-pitr-enabled.html)
+ [dynamodb-resources-protected-by-backup-plan](./dynamodb-resources-protected-by-backup-plan.html)
+ [dynamodb-table-deletion-protection-enabled](./dynamodb-table-deletion-protection-enabled.html)
+ [dynamodb-table-encrypted-kms](./dynamodb-table-encrypted-kms.html)
+ [dynamodb-throughput-limit-check](./dynamodb-throughput-limit-check.html)
+ [ebs-in-backup-plan](./ebs-in-backup-plan.html)
+ [ebs-last-backup-recovery-point-created](./ebs-last-backup-recovery-point-created.html)
+ [ebs-meets-restore-time-target](./ebs-meets-restore-time-target.html)
+ [ebs-optimized-instance](./ebs-optimized-instance.html)
+ [ebs-resources-in-logically-air-gapped-vault](./ebs-resources-in-logically-air-gapped-vault.html)
+ [ebs-resources-protected-by-backup-plan](./ebs-resources-protected-by-backup-plan.html)
+ [ebs-snapshot-block-public-access](./ebs-snapshot-block-public-access.html)
+ [ebs-snapshot-public-restorable-check](./ebs-snapshot-public-restorable-check.html)
+ [ec2-capacity-reservation-tagged](./ec2-capacity-reservation-tagged.html)
+ [ec2-client-vpn-connection-log-enabled](./ec2-client-vpn-connection-log-enabled.html)
+ [ec2-client-vpn-endpoint-tagged](./ec2-client-vpn-endpoint-tagged.html)
+ [ec2-client-vpn-not-authorize-all](./ec2-client-vpn-not-authorize-all.html)
+ [ec2-dhcp-options-tagged](./ec2-dhcp-options-tagged.html)
+ [ec2-ebs-encryption-by-default](./ec2-ebs-encryption-by-default.html)
+ [ec2-enis-source-destination-check-enabled](./ec2-enis-source-destination-check-enabled.html)
+ [ec2-fleet-tagged](./ec2-fleet-tagged.html)
+ [ec2-imdsv2-check](./ec2-imdsv2-check.html)
+ [ec2-instance-detailed-monitoring-enabled](./ec2-instance-detailed-monitoring-enabled.html)
+ [ec2-instance-launched-with-allowed-ami](./ec2-instance-launched-with-allowed-ami.html)
+ [ec2-instance-managed-by-ssm](./ec2-instance-managed-by-ssm.html)
+ [ec2-instance-multiple-eni-check](./ec2-instance-multiple-eni-check.html)
+ [ec2-instance-no-public-ip](./ec2-instance-no-public-ip.html)
+ [ec2-instance-profile-attached](./ec2-instance-profile-attached.html)
+ [ec2-ipamscope-tagged](./ec2-ipamscope-tagged.html)
+ [ec2-last-backup-recovery-point-created](./ec2-last-backup-recovery-point-created.html)
+ [ec2-launchtemplate-ebs-encrypted](./ec2-launchtemplate-ebs-encrypted.html)
+ [ec2-launch-templates-ebs-volume-encrypted](./ec2-launch-templates-ebs-volume-encrypted.html)
+ [ec2-launch-template-imdsv2-check](./ec2-launch-template-imdsv2-check.html)
+ [ec2-launch-template-public-ip-disabled](./ec2-launch-template-public-ip-disabled.html)
+ [ec2-launch-template-tagged](./ec2-launch-template-tagged.html)
+ [ec2-managedinstance-applications-blacklisted](./ec2-managedinstance-applications-blacklisted.html)
+ [ec2-managedinstance-applications-required](./ec2-managedinstance-applications-required.html)
+ [ec2-managedinstance-inventory-blacklisted](./ec2-managedinstance-inventory-blacklisted.html)
+ [ec2-managedinstance-platform-check](./ec2-managedinstance-platform-check.html)
+ [ec2-meets-restore-time-target](./ec2-meets-restore-time-target.html)
+ [ec2-network-insights-access-scope-analysis-tagged](./ec2-network-insights-access-scope-analysis-tagged.html)
+ [ec2-network-insights-access-scope-tagged](./ec2-network-insights-access-scope-tagged.html)
+ [ec2-network-insights-analysis-tagged](./ec2-network-insights-analysis-tagged.html)
+ [ec2-network-insights-path-tagged](./ec2-network-insights-path-tagged.html)
+ [ec2-no-amazon-key-pair](./ec2-no-amazon-key-pair.html)
+ [ec2-prefix-list-tagged](./ec2-prefix-list-tagged.html)
+ [ec2-resources-in-logically-air-gapped-vault](./ec2-resources-in-logically-air-gapped-vault.html)
+ [ec2-resources-protected-by-backup-plan](./ec2-resources-protected-by-backup-plan.html)
+ [ec2-security-group-attached-to-eni](./ec2-security-group-attached-to-eni.html)
+ [ec2-security-group-attached-to-eni-periodic](./ec2-security-group-attached-to-eni-periodic.html)
+ [ec2-spot-fleet-request-ct-encryption-at-rest](./ec2-spot-fleet-request-ct-encryption-at-rest.html)
+ [ec2-stopped-instance](./ec2-stopped-instance.html)
+ [ec2-token-hop-limit-check](./ec2-token-hop-limit-check.html)
+ [ec2-traffic-mirror-filter-description](./ec2-traffic-mirror-filter-description.html)
+ [ec2-traffic-mirror-filter-tagged](./ec2-traffic-mirror-filter-tagged.html)
+ [ec2-traffic-mirror-target-description](./ec2-traffic-mirror-target-description.html)
+ [ec2-traffic-mirror-target-tagged](./ec2-traffic-mirror-target-tagged.html)
+ [ec2-transit-gateway-auto-vpc-attach-disabled](./ec2-transit-gateway-auto-vpc-attach-disabled.html)
+ [ec2-transit-gateway-multicast-domain-tagged](./ec2-transit-gateway-multicast-domain-tagged.html)
+ [ec2-volume-inuse-check](./ec2-volume-inuse-check.html)
+ [ec2-vpn-connection-ike-version-check](./ec2-vpn-connection-ike-version-check.html)
+ [ec2-vpn-connection-logging-enabled](./ec2-vpn-connection-logging-enabled.html)
+ [ec2-vpn-connection-tagged](./ec2-vpn-connection-tagged.html)
+ [ecr-private-image-scanning-enabled](./ecr-private-image-scanning-enabled.html)
+ [ecr-private-lifecycle-policy-configured](./ecr-private-lifecycle-policy-configured.html)
+ [ecr-private-tag-immutability-enabled](./ecr-private-tag-immutability-enabled.html)
+ [ecr-repository-cmk-encryption-enabled](./ecr-repository-cmk-encryption-enabled.html)
+ [ecr-repository-tagged](./ecr-repository-tagged.html)
+ [ecs-awsvpc-networking-enabled](./ecs-awsvpc-networking-enabled.html)
+ [ecs-capacity-provider-tagged](./ecs-capacity-provider-tagged.html)
+ [ecs-capacity-provider-termination-check](./ecs-capacity-provider-termination-check.html)
+ [ecs-containers-nonprivileged](./ecs-containers-nonprivileged.html)
+ [ecs-containers-readonly-access](./ecs-containers-readonly-access.html)
+ [ecs-container-insights-enabled](./ecs-container-insights-enabled.html)
+ [ecs-fargate-latest-platform-version](./ecs-fargate-latest-platform-version.html)
+ [ecs-no-environment-secrets](./ecs-no-environment-secrets.html)
+ [ecs-service-propagate-tags-enabled](./ecs-service-propagate-tags-enabled.html)
+ [ecs-task-definition-efs-encryption-enabled](./ecs-task-definition-efs-encryption-enabled.html)
+ [ecs-task-definition-linux-user-non-root](./ecs-task-definition-linux-user-non-root.html)
+ [ecs-task-definition-log-configuration](./ecs-task-definition-log-configuration.html)
+ [ecs-task-definition-memory-hard-limit](./ecs-task-definition-memory-hard-limit.html)
+ [ecs-task-definition-network-mode-not-host](./ecs-task-definition-network-mode-not-host.html)
+ [ecs-task-definition-nonroot-user](./ecs-task-definition-nonroot-user.html)
+ [ecs-task-definition-pid-mode-check](./ecs-task-definition-pid-mode-check.html)
+ [ecs-task-definition-user-for-host-mode-check](./ecs-task-definition-user-for-host-mode-check.html)
+ [ecs-task-definition-windows-user-non-admin](./ecs-task-definition-windows-user-non-admin.html)
+ [efs-access-point-enforce-root-directory](./efs-access-point-enforce-root-directory.html)
+ [efs-access-point-enforce-user-identity](./efs-access-point-enforce-user-identity.html)
+ [efs-automatic-backups-enabled](./efs-automatic-backups-enabled.html)
+ [efs-encrypted-check](./efs-encrypted-check.html)
+ [efs-filesystem-ct-encrypted](./efs-filesystem-ct-encrypted.html)
+ [efs-file-system-tagged](./efs-file-system-tagged.html)
+ [efs-in-backup-plan](./efs-in-backup-plan.html)
+ [efs-last-backup-recovery-point-created](./efs-last-backup-recovery-point-created.html)
+ [efs-meets-restore-time-target](./efs-meets-restore-time-target.html)
+ [efs-mount-target-public-accessible](./efs-mount-target-public-accessible.html)
+ [efs-resources-in-logically-air-gapped-vault](./efs-resources-in-logically-air-gapped-vault.html)
+ [efs-resources-protected-by-backup-plan](./efs-resources-protected-by-backup-plan.html)
+ [eip-attached](./eip-attached.html)
+ [eks-addon-tagged](./eks-addon-tagged.html)
+ [eks-cluster-logging-enabled](./eks-cluster-logging-enabled.html)
+ [eks-cluster-log-enabled](./eks-cluster-log-enabled.html)
+ [eks-cluster-oldest-supported-version](./eks-cluster-oldest-supported-version.html)
+ [eks-cluster-secrets-encrypted](./eks-cluster-secrets-encrypted.html)
+ [eks-cluster-supported-version](./eks-cluster-supported-version.html)
+ [eks-endpoint-no-public-access](./eks-endpoint-no-public-access.html)
+ [eks-fargate-profile-tagged](./eks-fargate-profile-tagged.html)
+ [eks-nodegroup-supported-version-check](./eks-nodegroup-supported-version-check.html)
+ [eks-secrets-encrypted](./eks-secrets-encrypted.html)
+ [elasticache-automatic-backup-check-enabled](./elasticache-automatic-backup-check-enabled.html)
+ [elasticache-auto-minor-version-upgrade-check](./elasticache-auto-minor-version-upgrade-check.html)
+ [elasticache-rbac-auth-enabled](./elasticache-rbac-auth-enabled.html)
+ [elasticache-redis-cluster-automatic-backup-check](./elasticache-redis-cluster-automatic-backup-check.html)
+ [elasticache-repl-grp-auto-failover-enabled](./elasticache-repl-grp-auto-failover-enabled.html)
+ [elasticache-repl-grp-encrypted-at-rest](./elasticache-repl-grp-encrypted-at-rest.html)
+ [elasticache-repl-grp-encrypted-in-transit](./elasticache-repl-grp-encrypted-in-transit.html)
+ [elasticache-repl-grp-redis-auth-enabled](./elasticache-repl-grp-redis-auth-enabled.html)
+ [elasticache-subnet-group-check](./elasticache-subnet-group-check.html)
+ [elasticache-supported-engine-version](./elasticache-supported-engine-version.html)
+ [elasticbeanstalk-application-description](./elasticbeanstalk-application-description.html)
+ [elasticbeanstalk-application-version-description](./elasticbeanstalk-application-version-description.html)
+ [elasticbeanstalk-environment-description](./elasticbeanstalk-environment-description.html)
+ [elasticsearch-encrypted-at-rest](./elasticsearch-encrypted-at-rest.html)
+ [elasticsearch-in-vpc-only](./elasticsearch-in-vpc-only.html)
+ [elasticsearch-logs-to-cloudwatch](./elasticsearch-logs-to-cloudwatch.html)
+ [elasticsearch-node-to-node-encryption-check](./elasticsearch-node-to-node-encryption-check.html)
+ [elastic-beanstalk-logs-to-cloudwatch](./elastic-beanstalk-logs-to-cloudwatch.html)
+ [elastic-beanstalk-managed-updates-enabled](./elastic-beanstalk-managed-updates-enabled.html)
+ [elbv2-acm-certificate-required](./elbv2-acm-certificate-required.html)
+ [elbv2-listener-encryption-in-transit](./elbv2-listener-encryption-in-transit.html)
+ [elbv2-multiple-az](./elbv2-multiple-az.html)
+ [elbv2-predefined-security-policy-ssl-check](./elbv2-predefined-security-policy-ssl-check.html)
+ [elbv2-targetgroup-healthcheck-protocol-encrypted](./elbv2-targetgroup-healthcheck-protocol-encrypted.html)
+ [elbv2-targetgroup-protocol-encrypted](./elbv2-targetgroup-protocol-encrypted.html)
+ [elb-cross-zone-load-balancing-enabled](./elb-cross-zone-load-balancing-enabled.html)
+ [elb-custom-security-policy-ssl-check](./elb-custom-security-policy-ssl-check.html)
+ [elb-deletion-protection-enabled](./elb-deletion-protection-enabled.html)
+ [elb-internal-scheme-check](./elb-internal-scheme-check.html)
+ [elb-logging-enabled](./elb-logging-enabled.html)
+ [elb-predefined-security-policy-ssl-check](./elb-predefined-security-policy-ssl-check.html)
+ [elb-tagged](./elb-tagged.html)
+ [elb-tls-https-listeners-only](./elb-tls-https-listeners-only.html)
+ [emr-block-public-access](./emr-block-public-access.html)
+ [emr-kerberos-enabled](./emr-kerberos-enabled.html)
+ [emr-master-no-public-ip](./emr-master-no-public-ip.html)
+ [emr-security-configuration-encryption-rest](./emr-security-configuration-encryption-rest.html)
+ [emr-security-configuration-encryption-transit](./emr-security-configuration-encryption-transit.html)
+ [encrypted-volumes](./encrypted-volumes.html)
+ [eventschemas-discoverer-tagged](./eventschemas-discoverer-tagged.html)
+ [eventschemas-registry-tagged](./eventschemas-registry-tagged.html)
+ [event-data-store-cmk-encryption-enabled](./event-data-store-cmk-encryption-enabled.html)
+ [fis-experiment-template-log-configuration-exists](./fis-experiment-template-log-configuration-exists.html)
+ [fis-experiment-template-tagged](./fis-experiment-template-tagged.html)
+ [fms-shield-resource-policy-check](./fms-shield-resource-policy-check.html)
+ [fms-webacl-resource-policy-check](./fms-webacl-resource-policy-check.html)
+ [fms-webacl-rulegroup-association-check](./fms-webacl-rulegroup-association-check.html)
+ [fsx-last-backup-recovery-point-created](./fsx-last-backup-recovery-point-created.html)
+ [fsx-lustre-copy-tags-to-backups](./fsx-lustre-copy-tags-to-backups.html)
+ [fsx-meets-restore-time-target](./fsx-meets-restore-time-target.html)
+ [fsx-ontap-deployment-type-check](./fsx-ontap-deployment-type-check.html)
+ [fsx-openzfs-copy-tags-enabled](./fsx-openzfs-copy-tags-enabled.html)
+ [fsx-openzfs-deployment-type-check](./fsx-openzfs-deployment-type-check.html)
+ [fsx-resources-protected-by-backup-plan](./fsx-resources-protected-by-backup-plan.html)
+ [fsx-windows-audit-log-configured](./fsx-windows-audit-log-configured.html)
+ [fsx-windows-deployment-type-check](./fsx-windows-deployment-type-check.html)
+ [glb-listener-tagged](./glb-listener-tagged.html)
+ [glb-tagged](./glb-tagged.html)
+ [glue-job-logging-enabled](./glue-job-logging-enabled.html)
+ [glue-ml-transform-encrypted-at-rest](./glue-ml-transform-encrypted-at-rest.html)
+ [glue-ml-transform-tagged](./glue-ml-transform-tagged.html)
+ [glue-spark-job-supported-version](./glue-spark-job-supported-version.html)
+ [guardduty-ec2-protection-runtime-enabled](./guardduty-ec2-protection-runtime-enabled.html)
+ [guardduty-ecs-protection-runtime-enabled](./guardduty-ecs-protection-runtime-enabled.html)
+ [guardduty-eks-protection-audit-enabled](./guardduty-eks-protection-audit-enabled.html)
+ [guardduty-eks-protection-runtime-enabled](./guardduty-eks-protection-runtime-enabled.html)
+ [guardduty-enabled-centralized](./guardduty-enabled-centralized.html)
+ [guardduty-lambda-protection-enabled](./guardduty-lambda-protection-enabled.html)
+ [guardduty-malware-protection-enabled](./guardduty-malware-protection-enabled.html)
+ [guardduty-non-archived-findings](./guardduty-non-archived-findings.html)
+ [guardduty-rds-protection-enabled](./guardduty-rds-protection-enabled.html)
+ [guardduty-runtime-monitoring-enabled](./guardduty-runtime-monitoring-enabled.html)
+ [guardduty-s3-protection-enabled](./guardduty-s3-protection-enabled.html)
+ [iam-customer-policy-blocked-kms-actions](./iam-customer-policy-blocked-kms-actions.html)
+ [iam-external-access-analyzer-enabled](./iam-external-access-analyzer-enabled.html)
+ [iam-group-has-users-check](./iam-group-has-users-check.html)
+ [iam-inline-policy-blocked-kms-actions](./iam-inline-policy-blocked-kms-actions.html)
+ [iam-no-inline-policy-check](./iam-no-inline-policy-check.html)
+ [iam-password-policy](./iam-password-policy.html)
+ [iam-policy-blacklisted-check](./iam-policy-blacklisted-check.html)
+ [iam-policy-description](./iam-policy-description.html)
+ [iam-policy-in-use](./iam-policy-in-use.html)
+ [iam-policy-no-statements-with-admin-access](./iam-policy-no-statements-with-admin-access.html)
+ [iam-policy-no-statements-with-full-access](./iam-policy-no-statements-with-full-access.html)
+ [iam-role-managed-policy-check](./iam-role-managed-policy-check.html)
+ [iam-root-access-key-check](./iam-root-access-key-check.html)
+ [iam-user-group-membership-check](./iam-user-group-membership-check.html)
+ [iam-user-mfa-enabled](./iam-user-mfa-enabled.html)
+ [iam-user-no-policies-check](./iam-user-no-policies-check.html)
+ [iam-user-unused-credentials-check](./iam-user-unused-credentials-check.html)
+ [imagebuilder-distributionconfiguration-tagged](./imagebuilder-distributionconfiguration-tagged.html)
+ [imagebuilder-imagepipeline-tagged](./imagebuilder-imagepipeline-tagged.html)
+ [imagebuilder-imagerecipe-ebs-volumes-encrypted](./imagebuilder-imagerecipe-ebs-volumes-encrypted.html)
+ [imagebuilder-imagerecipe-tagged](./imagebuilder-imagerecipe-tagged.html)
+ [imagebuilder-infrastructureconfiguration-tagged](./imagebuilder-infrastructureconfiguration-tagged.html)
+ [incoming-ssh-disabled](./incoming-ssh-disabled.html)
+ [inspector-ec2-scan-enabled](./inspector-ec2-scan-enabled.html)
+ [inspector-ecr-scan-enabled](./inspector-ecr-scan-enabled.html)
+ [inspector-lambda-standard-scan-enabled](./inspector-lambda-standard-scan-enabled.html)
+ [instances-in-vpc](./instances-in-vpc.html)
+ [internet-gateway-authorized-vpc-only](./internet-gateway-authorized-vpc-only.html)
+ [kinesis-firehose-delivery-stream-encrypted](./kinesis-firehose-delivery-stream-encrypted.html)
+ [kinesis-stream-backup-retention-check](./kinesis-stream-backup-retention-check.html)
+ [kinesis-stream-encrypted](./kinesis-stream-encrypted.html)
+ [kms-key-policy-no-public-access](./kms-key-policy-no-public-access.html)
+ [kms-key-tagged](./kms-key-tagged.html)
+ [lambda-concurrency-check](./lambda-concurrency-check.html)
+ [lambda-dlq-check](./lambda-dlq-check.html)
+ [lambda-function-application-log-level-check](./lambda-function-application-log-level-check.html)
+ [lambda-function-description](./lambda-function-description.html)
+ [lambda-function-log-format-json](./lambda-function-log-format-json.html)
+ [lambda-function-public-access-prohibited](./lambda-function-public-access-prohibited.html)
+ [lambda-function-settings-check](./lambda-function-settings-check.html)
+ [lambda-function-system-log-level-check](./lambda-function-system-log-level-check.html)
+ [lambda-function-xray-enabled](./lambda-function-xray-enabled.html)
+ [lambda-inside-vpc](./lambda-inside-vpc.html)
+ [lambda-vpc-multi-az-check](./lambda-vpc-multi-az-check.html)
+ [macie-auto-sensitive-data-discovery-check](./macie-auto-sensitive-data-discovery-check.html)
+ [macie-status-check](./macie-status-check.html)
+ [mariadb-publish-logs-to-cloudwatch-logs](./mariadb-publish-logs-to-cloudwatch-logs.html)
+ [mfa-enabled-for-iam-console-access](./mfa-enabled-for-iam-console-access.html)
+ [mq-active-broker-ldap-authentication](./mq-active-broker-ldap-authentication.html)
+ [mq-active-deployment-mode](./mq-active-deployment-mode.html)
+ [mq-active-single-instance-broker-storage-type-efs](./mq-active-single-instance-broker-storage-type-efs.html)
+ [mq-automatic-minor-version-upgrade-enabled](./mq-automatic-minor-version-upgrade-enabled.html)
+ [mq-auto-minor-version-upgrade-enabled](./mq-auto-minor-version-upgrade-enabled.html)
+ [mq-broker-general-logging-enabled](./mq-broker-general-logging-enabled.html)
+ [mq-cloudwatch-audit-logging-enabled](./mq-cloudwatch-audit-logging-enabled.html)
+ [mq-cloudwatch-audit-log-enabled](./mq-cloudwatch-audit-log-enabled.html)
+ [mq-no-public-access](./mq-no-public-access.html)
+ [mq-rabbit-deployment-mode](./mq-rabbit-deployment-mode.html)
+ [msk-cluster-public-access-disabled](./msk-cluster-public-access-disabled.html)
+ [msk-cluster-tagged](./msk-cluster-tagged.html)
+ [msk-enhanced-monitoring-enabled](./msk-enhanced-monitoring-enabled.html)
+ [msk-in-cluster-node-require-tls](./msk-in-cluster-node-require-tls.html)
+ [msk-unrestricted-access-check](./msk-unrestricted-access-check.html)
+ [multi-region-cloud-trail-enabled](./multi-region-cloud-trail-enabled.html)
+ [nacl-no-unrestricted-ssh-rdp](./nacl-no-unrestricted-ssh-rdp.html)
+ [neptune-cluster-deletion-protection-enabled](./neptune-cluster-deletion-protection-enabled.html)
+ [netfw-deletion-protection-enabled](./netfw-deletion-protection-enabled.html)
+ [netfw-logging-enabled](./netfw-logging-enabled.html)
+ [netfw-multi-az-enabled](./netfw-multi-az-enabled.html)
+ [netfw-policy-default-action-fragment-packets](./netfw-policy-default-action-fragment-packets.html)
+ [netfw-policy-default-action-full-packets](./netfw-policy-default-action-full-packets.html)
+ [netfw-policy-rule-group-associated](./netfw-policy-rule-group-associated.html)
+ [netfw-stateless-rule-group-not-empty](./netfw-stateless-rule-group-not-empty.html)
+ [netfw-subnet-change-protection-enabled](./netfw-subnet-change-protection-enabled.html)
+ [nlb-cross-zone-load-balancing-enabled](./nlb-cross-zone-load-balancing-enabled.html)
+ [nlb-internal-scheme-check](./nlb-internal-scheme-check.html)
+ [nlb-listener-tagged](./nlb-listener-tagged.html)
+ [nlb-logging-enabled](./nlb-logging-enabled.html)
+ [nlb-tagged](./nlb-tagged.html)
+ [no-unrestricted-route-to-igw](./no-unrestricted-route-to-igw.html)
+ [opensearch-access-control-enabled](./opensearch-access-control-enabled.html)
+ [opensearch-audit-logging-enabled](./opensearch-audit-logging-enabled.html)
+ [opensearch-data-node-fault-tolerance](./opensearch-data-node-fault-tolerance.html)
+ [opensearch-encrypted-at-rest](./opensearch-encrypted-at-rest.html)
+ [opensearch-https-required](./opensearch-https-required.html)
+ [opensearch-in-vpc-only](./opensearch-in-vpc-only.html)
+ [opensearch-logs-to-cloudwatch](./opensearch-logs-to-cloudwatch.html)
+ [opensearch-node-to-node-encryption-check](./opensearch-node-to-node-encryption-check.html)
+ [opensearch-primary-node-fault-tolerance](./opensearch-primary-node-fault-tolerance.html)
+ [opensearch-update-check](./opensearch-update-check.html)
+ [rabbit-mq-supported-version](./rabbit-mq-supported-version.html)
+ [rds-aurora-mysql-audit-logging-enabled](./rds-aurora-mysql-audit-logging-enabled.html)
+ [rds-aurora-postgresql-logs-to-cloudwatch](./rds-aurora-postgresql-logs-to-cloudwatch.html)
+ [rds-automatic-minor-version-upgrade-enabled](./rds-automatic-minor-version-upgrade-enabled.html)
+ [rds-cluster-auto-minor-version-upgrade-enable](./rds-cluster-auto-minor-version-upgrade-enable.html)
+ [rds-cluster-backup-retention-check](./rds-cluster-backup-retention-check.html)
+ [rds-cluster-default-admin-check](./rds-cluster-default-admin-check.html)
+ [rds-cluster-deletion-protection-enabled](./rds-cluster-deletion-protection-enabled.html)
+ [rds-cluster-encrypted-at-rest](./rds-cluster-encrypted-at-rest.html)
+ [rds-cluster-iam-authentication-enabled](./rds-cluster-iam-authentication-enabled.html)
+ [rds-cluster-multi-az-enabled](./rds-cluster-multi-az-enabled.html)
+ [rds-enhanced-monitoring-enabled](./rds-enhanced-monitoring-enabled.html)
+ [rds-event-subscription-tagged](./rds-event-subscription-tagged.html)
+ [rds-global-cluster-aurora-mysql-supported-version](./rds-global-cluster-aurora-mysql-supported-version.html)
+ [rds-instance-default-admin-check](./rds-instance-default-admin-check.html)
+ [rds-instance-deletion-protection-enabled](./rds-instance-deletion-protection-enabled.html)
+ [rds-instance-iam-authentication-enabled](./rds-instance-iam-authentication-enabled.html)
+ [rds-instance-public-access-check](./rds-instance-public-access-check.html)
+ [rds-instance-subnet-igw-check](./rds-instance-subnet-igw-check.html)
+ [rds-in-backup-plan](./rds-in-backup-plan.html)
+ [rds-last-backup-recovery-point-created](./rds-last-backup-recovery-point-created.html)
+ [rds-logging-enabled](./rds-logging-enabled.html)
+ [rds-mariadb-instance-encrypted-in-transit](./rds-mariadb-instance-encrypted-in-transit.html)
+ [rds-meets-restore-time-target](./rds-meets-restore-time-target.html)
+ [rds-multi-az-support](./rds-multi-az-support.html)
+ [rds-mysql-cluster-copy-tags-to-snapshot-check](./rds-mysql-cluster-copy-tags-to-snapshot-check.html)
+ [rds-mysql-instance-encrypted-in-transit](./rds-mysql-instance-encrypted-in-transit.html)
+ [rds-option-group-tagged](./rds-option-group-tagged.html)
+ [rds-pgsql-cluster-copy-tags-to-snapshot-check](./rds-pgsql-cluster-copy-tags-to-snapshot-check.html)
+ [rds-postgresql-logs-to-cloudwatch](./rds-postgresql-logs-to-cloudwatch.html)
+ [rds-postgres-instance-encrypted-in-transit](./rds-postgres-instance-encrypted-in-transit.html)
+ [rds-proxy-tls-encryption](./rds-proxy-tls-encryption.html)
+ [rds-resources-protected-by-backup-plan](./rds-resources-protected-by-backup-plan.html)
+ [rds-snapshot-encrypted](./rds-snapshot-encrypted.html)
+ [rds-sqlserver-encrypted-in-transit](./rds-sqlserver-encrypted-in-transit.html)
+ [rds-sql-server-logs-to-cloudwatch](./rds-sql-server-logs-to-cloudwatch.html)
+ [rds-storage-encrypted](./rds-storage-encrypted.html)
+ [redshift-audit-logging-enabled](./redshift-audit-logging-enabled.html)
+ [redshift-backup-enabled](./redshift-backup-enabled.html)
+ [redshift-cluster-configuration-check](./redshift-cluster-configuration-check.html)
+ [redshift-cluster-kms-enabled](./redshift-cluster-kms-enabled.html)
+ [redshift-cluster-maintenancesettings-check](./redshift-cluster-maintenancesettings-check.html)
+ [redshift-cluster-multi-az-enabled](./redshift-cluster-multi-az-enabled.html)
+ [redshift-cluster-parameter-group-tagged](./redshift-cluster-parameter-group-tagged.html)
+ [redshift-cluster-public-access-check](./redshift-cluster-public-access-check.html)
+ [redshift-cluster-subnet-group-multi-az](./redshift-cluster-subnet-group-multi-az.html)
+ [redshift-default-admin-check](./redshift-default-admin-check.html)
+ [redshift-default-db-name-check](./redshift-default-db-name-check.html)
+ [redshift-enhanced-vpc-routing-enabled](./redshift-enhanced-vpc-routing-enabled.html)
+ [redshift-require-tls-ssl](./redshift-require-tls-ssl.html)
+ [redshift-unrestricted-port-access](./redshift-unrestricted-port-access.html)
+ [required-tags](./required-tags.html)
+ [resiliencehub-app-tagged](./resiliencehub-app-tagged.html)
+ [resiliencehub-resiliencypolicy-tagged](./resiliencehub-resiliencypolicy-tagged.html)
+ [restricted-incoming-traffic](./restricted-incoming-traffic.html)
+ [root-account-hardware-mfa-enabled](./root-account-hardware-mfa-enabled.html)
+ [root-account-mfa-enabled](./root-account-mfa-enabled.html)
+ [route53-resolver-firewall-domain-list-tagged](./route53-resolver-firewall-domain-list-tagged.html)
+ [route53-resolver-firewall-rule-group-association-tagged](./route53-resolver-firewall-rule-group-association-tagged.html)
+ [route53-resolver-firewall-rule-group-tagged](./route53-resolver-firewall-rule-group-tagged.html)
+ [route53-resolver-resolver-endpoint-tagged](./route53-resolver-resolver-endpoint-tagged.html)
+ [route53-resolver-resolver-rule-tagged](./route53-resolver-resolver-rule-tagged.html)
+ [rum-app-monitor-cloudwatch-logs-enabled](./rum-app-monitor-cloudwatch-logs-enabled.html)
+ [rum-app-monitor-tagged](./rum-app-monitor-tagged.html)
+ [s3-access-point-in-vpc-only](./s3-access-point-in-vpc-only.html)
+ [s3-access-point-public-access-blocks](./s3-access-point-public-access-blocks.html)
+ [s3-account-level-public-access-blocks](./s3-account-level-public-access-blocks.html)
+ [s3-account-level-public-access-blocks-periodic](./s3-account-level-public-access-blocks-periodic.html)
+ [s3-bucket-acl-prohibited](./s3-bucket-acl-prohibited.html)
+ [s3-bucket-blacklisted-actions-prohibited](./s3-bucket-blacklisted-actions-prohibited.html)
+ [s3-bucket-cross-region-replication-enabled](./s3-bucket-cross-region-replication-enabled.html)
+ [s3-bucket-default-lock-enabled](./s3-bucket-default-lock-enabled.html)
+ [s3-bucket-level-public-access-prohibited](./s3-bucket-level-public-access-prohibited.html)
+ [s3-bucket-logging-enabled](./s3-bucket-logging-enabled.html)
+ [s3-bucket-mfa-delete-enabled](./s3-bucket-mfa-delete-enabled.html)
+ [s3-bucket-policy-grantee-check](./s3-bucket-policy-grantee-check.html)
+ [s3-bucket-policy-not-more-permissive](./s3-bucket-policy-not-more-permissive.html)
+ [s3-bucket-public-read-prohibited](./s3-bucket-public-read-prohibited.html)
+ [s3-bucket-public-write-prohibited](./s3-bucket-public-write-prohibited.html)
+ [s3-bucket-replication-enabled](./s3-bucket-replication-enabled.html)
+ [s3-bucket-server-side-encryption-enabled](./s3-bucket-server-side-encryption-enabled.html)
+ [s3-bucket-ssl-requests-only](./s3-bucket-ssl-requests-only.html)
+ [s3-bucket-tagged](./s3-bucket-tagged.html)
+ [s3-bucket-versioning-enabled](./s3-bucket-versioning-enabled.html)
+ [s3-default-encryption-kms](./s3-default-encryption-kms.html)
+ [s3-event-notifications-enabled](./s3-event-notifications-enabled.html)
+ [s3-last-backup-recovery-point-created](./s3-last-backup-recovery-point-created.html)
+ [s3-lifecycle-policy-check](./s3-lifecycle-policy-check.html)
+ [s3-meets-restore-time-target](./s3-meets-restore-time-target.html)
+ [s3-resources-protected-by-backup-plan](./s3-resources-protected-by-backup-plan.html)
+ [s3-version-lifecycle-policy-check](./s3-version-lifecycle-policy-check.html)
+ [sagemaker-app-image-config-tagged](./sagemaker-app-image-config-tagged.html)
+ [sagemaker-domain-in-vpc](./sagemaker-domain-in-vpc.html)
+ [sagemaker-domain-tagged](./sagemaker-domain-tagged.html)
+ [sagemaker-endpoint-configuration-kms-key-configured](./sagemaker-endpoint-configuration-kms-key-configured.html)
+ [sagemaker-endpoint-config-prod-instance-count](./sagemaker-endpoint-config-prod-instance-count.html)
+ [sagemaker-featuregroup-description](./sagemaker-featuregroup-description.html)
+ [sagemaker-featuregroup-encryption-at-rest](./sagemaker-featuregroup-encryption-at-rest.html)
+ [sagemaker-feature-group-tagged](./sagemaker-feature-group-tagged.html)
+ [sagemaker-image-description](./sagemaker-image-description.html)
+ [sagemaker-image-tagged](./sagemaker-image-tagged.html)
+ [sagemaker-inferenceexperiment-tagged](./sagemaker-inferenceexperiment-tagged.html)
+ [sagemaker-model-in-vpc](./sagemaker-model-in-vpc.html)
+ [sagemaker-model-isolation-enabled](./sagemaker-model-isolation-enabled.html)
+ [sagemaker-model-private-registry-required](./sagemaker-model-private-registry-required.html)
+ [sagemaker-notebook-instance-inside-vpc](./sagemaker-notebook-instance-inside-vpc.html)
+ [sagemaker-notebook-instance-kms-key-configured](./sagemaker-notebook-instance-kms-key-configured.html)
+ [sagemaker-notebook-instance-platform-version](./sagemaker-notebook-instance-platform-version.html)
+ [sagemaker-notebook-instance-root-access-check](./sagemaker-notebook-instance-root-access-check.html)
+ [sagemaker-notebook-no-direct-internet-access](./sagemaker-notebook-no-direct-internet-access.html)
+ [secretsmanager-rotation-enabled-check](./secretsmanager-rotation-enabled-check.html)
+ [secretsmanager-scheduled-rotation-success-check](./secretsmanager-scheduled-rotation-success-check.html)
+ [secretsmanager-secret-periodic-rotation](./secretsmanager-secret-periodic-rotation.html)
+ [secretsmanager-secret-unused](./secretsmanager-secret-unused.html)
+ [secretsmanager-using-cmk](./secretsmanager-using-cmk.html)
+ [securityhub-enabled](./securityhub-enabled.html)
+ [security-account-information-provided](./security-account-information-provided.html)
+ [service-catalog-portfolio-tagged](./service-catalog-portfolio-tagged.html)
+ [service-catalog-shared-within-organization](./service-catalog-shared-within-organization.html)
+ [service-vpc-endpoint-enabled](./service-vpc-endpoint-enabled.html)
+ [ses-sending-tls-required](./ses-sending-tls-required.html)
+ [signer-signingprofile-tagged](./signer-signingprofile-tagged.html)
+ [sns-encrypted-kms](./sns-encrypted-kms.html)
+ [sns-topic-message-delivery-notification-enabled](./sns-topic-message-delivery-notification-enabled.html)
+ [sns-topic-no-public-access](./sns-topic-no-public-access.html)
+ [sqs-queue-dlq-check](./sqs-queue-dlq-check.html)
+ [sqs-queue-no-public-access](./sqs-queue-no-public-access.html)
+ [sqs-queue-policy-full-access-check](./sqs-queue-policy-full-access-check.html)
+ [ssm-automation-block-public-sharing](./ssm-automation-block-public-sharing.html)
+ [ssm-automation-logging-enabled](./ssm-automation-logging-enabled.html)
+ [ssm-document-not-public](./ssm-document-not-public.html)
+ [ssm-document-tagged](./ssm-document-tagged.html)
+ [stepfunctions-state-machine-tagged](./stepfunctions-state-machine-tagged.html)
+ [step-functions-state-machine-logging-enabled](./step-functions-state-machine-logging-enabled.html)
+ [storagegateway-last-backup-recovery-point-created](./storagegateway-last-backup-recovery-point-created.html)
+ [storagegateway-resources-in-logically-air-gapped-vault](./storagegateway-resources-in-logically-air-gapped-vault.html)
+ [storagegateway-resources-protected-by-backup-plan](./storagegateway-resources-protected-by-backup-plan.html)
+ [subnet-auto-assign-public-ip-disabled](./subnet-auto-assign-public-ip-disabled.html)
+ [transfer-agreement-description](./transfer-agreement-description.html)
+ [transfer-agreement-tagged](./transfer-agreement-tagged.html)
+ [transfer-certificate-description](./transfer-certificate-description.html)
+ [transfer-certificate-tagged](./transfer-certificate-tagged.html)
+ [transfer-connector-as2-encryption-algorithm-check](./transfer-connector-as2-encryption-algorithm-check.html)
+ [transfer-connector-as2-mdn-signing-algorithm-check](./transfer-connector-as2-mdn-signing-algorithm-check.html)
+ [transfer-connector-as2-signing-algorithm-check](./transfer-connector-as2-signing-algorithm-check.html)
+ [transfer-connector-logging-enabled](./transfer-connector-logging-enabled.html)
+ [transfer-connector-tagged](./transfer-connector-tagged.html)
+ [transfer-family-server-no-ftp](./transfer-family-server-no-ftp.html)
+ [transfer-profile-tagged](./transfer-profile-tagged.html)
+ [transfer-workflow-description](./transfer-workflow-description.html)
+ [transfer-workflow-tagged](./transfer-workflow-tagged.html)
+ [virtualmachine-last-backup-recovery-point-created](./virtualmachine-last-backup-recovery-point-created.html)
+ [virtualmachine-resources-in-logically-air-gapped-vault](./virtualmachine-resources-in-logically-air-gapped-vault.html)
+ [virtualmachine-resources-protected-by-backup-plan](./virtualmachine-resources-protected-by-backup-plan.html)
+ [vpc-default-security-group-closed](./vpc-default-security-group-closed.html)
+ [vpc-endpoint-enabled](./vpc-endpoint-enabled.html)
+ [vpc-flow-logs-enabled](./vpc-flow-logs-enabled.html)
+ [vpc-network-acl-unused-check](./vpc-network-acl-unused-check.html)
+ [vpc-peering-dns-resolution-check](./vpc-peering-dns-resolution-check.html)
+ [vpc-sg-open-only-to-authorized-ports](./vpc-sg-open-only-to-authorized-ports.html)
+ [vpc-sg-port-restriction-check](./vpc-sg-port-restriction-check.html)
+ [vpc-vpn-2-tunnels-up](./vpc-vpn-2-tunnels-up.html)
+ [wafv2-logging-enabled](./wafv2-logging-enabled.html)
+ [wafv2-rulegroup-logging-enabled](./wafv2-rulegroup-logging-enabled.html)
+ [wafv2-rulegroup-not-empty](./wafv2-rulegroup-not-empty.html)
+ [wafv2-webacl-not-empty](./wafv2-webacl-not-empty.html)
+ [waf-global-rulegroup-not-empty](./waf-global-rulegroup-not-empty.html)
+ [waf-global-rule-not-empty](./waf-global-rule-not-empty.html)
+ [waf-regional-rulegroup-not-empty](./waf-regional-rulegroup-not-empty.html)
+ [waf-regional-rule-not-empty](./waf-regional-rule-not-empty.html)
+ [waf-regional-webacl-not-empty](./waf-regional-webacl-not-empty.html)

## Europe (Paris) Region
<a name="europe-paris-section-head"></a>

### Europe (Paris)
<a name="europe-paris"></a>
+ [access-keys-rotated](./access-keys-rotated.html)
+ [account-part-of-organizations](./account-part-of-organizations.html)
+ [acmpca-certificate-authority-tagged](./acmpca-certificate-authority-tagged.html)
+ [acm-certificate-expiration-check](./acm-certificate-expiration-check.html)
+ [acm-certificate-rsa-check](./acm-certificate-rsa-check.html)
+ [acm-certificate-transparent-logging-enabled](./acm-certificate-transparent-logging-enabled.html)
+ [acm-pca-root-ca-disabled](./acm-pca-root-ca-disabled.html)
+ [active-mq-supported-version](./active-mq-supported-version.html)
+ [alb-desync-mode-check](./alb-desync-mode-check.html)
+ [alb-http-drop-invalid-header-enabled](./alb-http-drop-invalid-header-enabled.html)
+ [alb-http-to-https-redirection-check](./alb-http-to-https-redirection-check.html)
+ [alb-internal-scheme-check](./alb-internal-scheme-check.html)
+ [alb-listener-tagged](./alb-listener-tagged.html)
+ [alb-tagged](./alb-tagged.html)
+ [alb-waf-enabled](./alb-waf-enabled.html)
+ [amplify-app-branch-auto-deletion-enabled](./amplify-app-branch-auto-deletion-enabled.html)
+ [amplify-app-build-spec-configured](./amplify-app-build-spec-configured.html)
+ [amplify-app-description](./amplify-app-description.html)
+ [amplify-app-no-environment-variables](./amplify-app-no-environment-variables.html)
+ [amplify-app-platform-check](./amplify-app-platform-check.html)
+ [amplify-app-tagged](./amplify-app-tagged.html)
+ [amplify-branch-auto-build-enabled](./amplify-branch-auto-build-enabled.html)
+ [amplify-branch-build-spec-configured](./amplify-branch-build-spec-configured.html)
+ [amplify-branch-description](./amplify-branch-description.html)
+ [amplify-branch-framework-configured](./amplify-branch-framework-configured.html)
+ [amplify-branch-performance-mode-enabled](./amplify-branch-performance-mode-enabled.html)
+ [amplify-branch-pull-request-preview-enabled](./amplify-branch-pull-request-preview-enabled.html)
+ [amplify-branch-tagged](./amplify-branch-tagged.html)
+ [apigatewayv2-integration-private-https-enabled](./apigatewayv2-integration-private-https-enabled.html)
+ [apigatewayv2-stage-description](./apigatewayv2-stage-description.html)
+ [apigateway-domain-name-tls-check](./apigateway-domain-name-tls-check.html)
+ [apigateway-stage-access-logs-enabled](./apigateway-stage-access-logs-enabled.html)
+ [apigateway-stage-description](./apigateway-stage-description.html)
+ [api-gwv2-access-logs-enabled](./api-gwv2-access-logs-enabled.html)
+ [api-gwv2-authorization-type-configured](./api-gwv2-authorization-type-configured.html)
+ [api-gwv2-stage-default-route-detailed-metrics-enabled](./api-gwv2-stage-default-route-detailed-metrics-enabled.html)
+ [api-gw-associated-with-waf](./api-gw-associated-with-waf.html)
+ [api-gw-cache-enabled-and-encrypted](./api-gw-cache-enabled-and-encrypted.html)
+ [api-gw-endpoint-type-check](./api-gw-endpoint-type-check.html)
+ [api-gw-execution-logging-enabled](./api-gw-execution-logging-enabled.html)
+ [api-gw-rest-api-tagged](./api-gw-rest-api-tagged.html)
+ [api-gw-ssl-enabled](./api-gw-ssl-enabled.html)
+ [api-gw-stage-tagged](./api-gw-stage-tagged.html)
+ [api-gw-xray-enabled](./api-gw-xray-enabled.html)
+ [appconfig-application-description](./appconfig-application-description.html)
+ [appconfig-application-tagged](./appconfig-application-tagged.html)
+ [appconfig-configuration-profile-tagged](./appconfig-configuration-profile-tagged.html)
+ [appconfig-configuration-profile-validators-not-empty](./appconfig-configuration-profile-validators-not-empty.html)
+ [appconfig-deployment-strategy-description](./appconfig-deployment-strategy-description.html)
+ [appconfig-deployment-strategy-minimum-final-bake-time](./appconfig-deployment-strategy-minimum-final-bake-time.html)
+ [appconfig-deployment-strategy-replicate-to-ssm](./appconfig-deployment-strategy-replicate-to-ssm.html)
+ [appconfig-deployment-strategy-tagged](./appconfig-deployment-strategy-tagged.html)
+ [appconfig-environment-description](./appconfig-environment-description.html)
+ [appconfig-environment-tagged](./appconfig-environment-tagged.html)
+ [appconfig-extension-association-tagged](./appconfig-extension-association-tagged.html)
+ [appconfig-freeform-profile-config-storage](./appconfig-freeform-profile-config-storage.html)
+ [appconfig-hosted-configuration-version-description](./appconfig-hosted-configuration-version-description.html)
+ [appflow-flow-tagged](./appflow-flow-tagged.html)
+ [appflow-flow-trigger-type-check](./appflow-flow-trigger-type-check.html)
+ [appmesh-gateway-route-tagged](./appmesh-gateway-route-tagged.html)
+ [appmesh-mesh-deny-tcp-forwarding](./appmesh-mesh-deny-tcp-forwarding.html)
+ [appmesh-mesh-ip-pref-check](./appmesh-mesh-ip-pref-check.html)
+ [appmesh-mesh-tagged](./appmesh-mesh-tagged.html)
+ [appmesh-route-tagged](./appmesh-route-tagged.html)
+ [appmesh-virtual-gateway-backend-defaults-tls](./appmesh-virtual-gateway-backend-defaults-tls.html)
+ [appmesh-virtual-gateway-listeners-health-check-enabled](./appmesh-virtual-gateway-listeners-health-check-enabled.html)
+ [appmesh-virtual-gateway-logging-file-path-exists](./appmesh-virtual-gateway-logging-file-path-exists.html)
+ [appmesh-virtual-gateway-tagged](./appmesh-virtual-gateway-tagged.html)
+ [appmesh-virtual-node-backend-defaults-tls-on](./appmesh-virtual-node-backend-defaults-tls-on.html)
+ [appmesh-virtual-node-cloud-map-ip-pref-check](./appmesh-virtual-node-cloud-map-ip-pref-check.html)
+ [appmesh-virtual-node-dns-ip-pref-check](./appmesh-virtual-node-dns-ip-pref-check.html)
+ [appmesh-virtual-node-listeners-health-check-enabled](./appmesh-virtual-node-listeners-health-check-enabled.html)
+ [appmesh-virtual-node-listeners-outlier-detect-enabled](./appmesh-virtual-node-listeners-outlier-detect-enabled.html)
+ [appmesh-virtual-node-logging-file-path-exists](./appmesh-virtual-node-logging-file-path-exists.html)
+ [appmesh-virtual-node-service-backends-tls-enforced](./appmesh-virtual-node-service-backends-tls-enforced.html)
+ [appmesh-virtual-node-tagged](./appmesh-virtual-node-tagged.html)
+ [appmesh-virtual-router-tagged](./appmesh-virtual-router-tagged.html)
+ [appmesh-virtual-service-tagged](./appmesh-virtual-service-tagged.html)
+ [approved-amis-by-id](./approved-amis-by-id.html)
+ [approved-amis-by-tag](./approved-amis-by-tag.html)
+ [apprunner-service-in-vpc](./apprunner-service-in-vpc.html)
+ [apprunner-service-ip-address-type-check](./apprunner-service-ip-address-type-check.html)
+ [apprunner-service-max-unhealthy-threshold](./apprunner-service-max-unhealthy-threshold.html)
+ [apprunner-service-no-public-access](./apprunner-service-no-public-access.html)
+ [apprunner-service-observability-enabled](./apprunner-service-observability-enabled.html)
+ [apprunner-service-tagged](./apprunner-service-tagged.html)
+ [apprunner-vpc-connector-tagged](./apprunner-vpc-connector-tagged.html)
+ [appsync-associated-with-waf](./appsync-associated-with-waf.html)
+ [appsync-authorization-check](./appsync-authorization-check.html)
+ [appsync-cache-encryption-at-rest](./appsync-cache-encryption-at-rest.html)
+ [appsync-graphql-api-xray-enabled](./appsync-graphql-api-xray-enabled.html)
+ [appsync-logging-enabled](./appsync-logging-enabled.html)
+ [aps-rule-groups-namespace-tagged](./aps-rule-groups-namespace-tagged.html)
+ [athena-data-catalog-description](./athena-data-catalog-description.html)
+ [athena-prepared-statement-description](./athena-prepared-statement-description.html)
+ [athena-workgroup-description](./athena-workgroup-description.html)
+ [athena-workgroup-encrypted-at-rest](./athena-workgroup-encrypted-at-rest.html)
+ [athena-workgroup-enforce-workgroup-configuration](./athena-workgroup-enforce-workgroup-configuration.html)
+ [athena-workgroup-engine-version-auto-upgrade](./athena-workgroup-engine-version-auto-upgrade.html)
+ [athena-workgroup-logging-enabled](./athena-workgroup-logging-enabled.html)
+ [aurora-global-database-encryption-at-rest](./aurora-global-database-encryption-at-rest.html)
+ [aurora-last-backup-recovery-point-created](./aurora-last-backup-recovery-point-created.html)
+ [aurora-meets-restore-time-target](./aurora-meets-restore-time-target.html)
+ [aurora-mysql-backtracking-enabled](./aurora-mysql-backtracking-enabled.html)
+ [aurora-mysql-cluster-audit-logging](./aurora-mysql-cluster-audit-logging.html)
+ [aurora-resources-in-logically-air-gapped-vault](./aurora-resources-in-logically-air-gapped-vault.html)
+ [aurora-resources-protected-by-backup-plan](./aurora-resources-protected-by-backup-plan.html)
+ [autoscaling-capacity-rebalancing](./autoscaling-capacity-rebalancing.html)
+ [autoscaling-group-elb-healthcheck-required](./autoscaling-group-elb-healthcheck-required.html)
+ [autoscaling-launchconfig-requires-imdsv2](./autoscaling-launchconfig-requires-imdsv2.html)
+ [autoscaling-launch-config-hop-limit](./autoscaling-launch-config-hop-limit.html)
+ [autoscaling-launch-config-public-ip-disabled](./autoscaling-launch-config-public-ip-disabled.html)
+ [autoscaling-launch-template](./autoscaling-launch-template.html)
+ [autoscaling-multiple-az](./autoscaling-multiple-az.html)
+ [autoscaling-multiple-instance-types](./autoscaling-multiple-instance-types.html)
+ [backup-plan-min-frequency-and-min-retention-check](./backup-plan-min-frequency-and-min-retention-check.html)
+ [backup-recovery-point-encrypted](./backup-recovery-point-encrypted.html)
+ [backup-recovery-point-manual-deletion-disabled](./backup-recovery-point-manual-deletion-disabled.html)
+ [backup-recovery-point-minimum-retention-check](./backup-recovery-point-minimum-retention-check.html)
+ [batch-compute-environment-enabled](./batch-compute-environment-enabled.html)
+ [batch-compute-environment-managed](./batch-compute-environment-managed.html)
+ [batch-compute-environment-tagged](./batch-compute-environment-tagged.html)
+ [batch-job-queue-enabled](./batch-job-queue-enabled.html)
+ [batch-job-queue-tagged](./batch-job-queue-tagged.html)
+ [batch-managed-compute-environment-using-launch-template](./batch-managed-compute-environment-using-launch-template.html)
+ [batch-managed-compute-env-allocation-strategy-check](./batch-managed-compute-env-allocation-strategy-check.html)
+ [batch-managed-compute-env-compute-resources-tagged](./batch-managed-compute-env-compute-resources-tagged.html)
+ [batch-managed-spot-compute-environment-max-bid](./batch-managed-spot-compute-environment-max-bid.html)
+ [batch-scheduling-policy-tagged](./batch-scheduling-policy-tagged.html)
+ [beanstalk-enhanced-health-reporting-enabled](./beanstalk-enhanced-health-reporting-enabled.html)
+ [cassandra-keyspace-tagged](./cassandra-keyspace-tagged.html)
+ [clb-desync-mode-check](./clb-desync-mode-check.html)
+ [clb-multiple-az](./clb-multiple-az.html)
+ [cloudformation-stack-drift-detection-check](./cloudformation-stack-drift-detection-check.html)
+ [cloudformation-stack-notification-check](./cloudformation-stack-notification-check.html)
+ [cloudformation-stack-service-role-check](./cloudformation-stack-service-role-check.html)
+ [cloudformation-termination-protection-check](./cloudformation-termination-protection-check.html)
+ [cloudtrail-all-read-s3-data-event-check](./cloudtrail-all-read-s3-data-event-check.html)
+ [cloudtrail-all-write-s3-data-event-check](./cloudtrail-all-write-s3-data-event-check.html)
+ [cloudtrail-event-data-store-multi-region](./cloudtrail-event-data-store-multi-region.html)
+ [cloudtrail-s3-bucket-access-logging](./cloudtrail-s3-bucket-access-logging.html)
+ [cloudtrail-s3-bucket-public-access-prohibited](./cloudtrail-s3-bucket-public-access-prohibited.html)
+ [cloudtrail-s3-dataevents-enabled](./cloudtrail-s3-dataevents-enabled.html)
+ [cloudtrail-security-trail-enabled](./cloudtrail-security-trail-enabled.html)
+ [cloudwatch-alarm-action-check](./cloudwatch-alarm-action-check.html)
+ [cloudwatch-alarm-action-enabled-check](./cloudwatch-alarm-action-enabled-check.html)
+ [cloudwatch-alarm-description](./cloudwatch-alarm-description.html)
+ [cloudwatch-alarm-resource-check](./cloudwatch-alarm-resource-check.html)
+ [cloudwatch-alarm-settings-check](./cloudwatch-alarm-settings-check.html)
+ [cloudwatch-log-group-encrypted](./cloudwatch-log-group-encrypted.html)
+ [cloudwatch-metric-stream-tagged](./cloudwatch-metric-stream-tagged.html)
+ [cloud-trail-cloud-watch-logs-enabled](./cloud-trail-cloud-watch-logs-enabled.html)
+ [cloud-trail-enabled](./cloud-trail-enabled.html)
+ [cloud-trail-encryption-enabled](./cloud-trail-encryption-enabled.html)
+ [cloud-trail-log-file-validation-enabled](./cloud-trail-log-file-validation-enabled.html)
+ [cmk-backing-key-rotation-enabled](./cmk-backing-key-rotation-enabled.html)
+ [codeartifact-repository-tagged](./codeartifact-repository-tagged.html)
+ [codebuild-project-artifact-encryption](./codebuild-project-artifact-encryption.html)
+ [codebuild-project-environment-privileged-check](./codebuild-project-environment-privileged-check.html)
+ [codebuild-project-envvar-awscred-check](./codebuild-project-envvar-awscred-check.html)
+ [codebuild-project-logging-enabled](./codebuild-project-logging-enabled.html)
+ [codebuild-project-s3-logs-encrypted](./codebuild-project-s3-logs-encrypted.html)
+ [codebuild-project-source-repo-url-check](./codebuild-project-source-repo-url-check.html)
+ [codebuild-project-tagged](./codebuild-project-tagged.html)
+ [codebuild-report-group-encrypted-at-rest](./codebuild-report-group-encrypted-at-rest.html)
+ [codebuild-report-group-tagged](./codebuild-report-group-tagged.html)
+ [codedeploy-auto-rollback-monitor-enabled](./codedeploy-auto-rollback-monitor-enabled.html)
+ [codedeploy-deployment-group-auto-rollback-enabled](./codedeploy-deployment-group-auto-rollback-enabled.html)
+ [codedeploy-deployment-group-outdated-instances-update](./codedeploy-deployment-group-outdated-instances-update.html)
+ [codedeploy-ec2-minimum-healthy-hosts-configured](./codedeploy-ec2-minimum-healthy-hosts-configured.html)
+ [codedeploy-lambda-allatonce-traffic-shift-disabled](./codedeploy-lambda-allatonce-traffic-shift-disabled.html)
+ [codepipeline-deployment-count-check](./codepipeline-deployment-count-check.html)
+ [codepipeline-region-fanout-check](./codepipeline-region-fanout-check.html)
+ [cognito-identity-pool-unauthenticated-logins](./cognito-identity-pool-unauthenticated-logins.html)
+ [cognito-identity-pool-unauth-access-check](./cognito-identity-pool-unauth-access-check.html)
+ [cognito-userpool-cust-auth-threat-full-check](./cognito-userpool-cust-auth-threat-full-check.html)
+ [cognito-user-pool-advanced-security-enabled](./cognito-user-pool-advanced-security-enabled.html)
+ [cognito-user-pool-deletion-protection-enabled](./cognito-user-pool-deletion-protection-enabled.html)
+ [cognito-user-pool-mfa-enabled](./cognito-user-pool-mfa-enabled.html)
+ [cognito-user-pool-password-policy-check](./cognito-user-pool-password-policy-check.html)
+ [cognito-user-pool-tagged](./cognito-user-pool-tagged.html)
+ [custom-eventbus-policy-attached](./custom-eventbus-policy-attached.html)
+ [custom-schema-registry-policy-attached](./custom-schema-registry-policy-attached.html)
+ [cw-loggroup-retention-period-check](./cw-loggroup-retention-period-check.html)
+ [datasync-location-object-storage-using-https](./datasync-location-object-storage-using-https.html)
+ [datasync-task-data-verification-enabled](./datasync-task-data-verification-enabled.html)
+ [datasync-task-logging-enabled](./datasync-task-logging-enabled.html)
+ [datasync-task-tagged](./datasync-task-tagged.html)
+ [dax-encryption-enabled](./dax-encryption-enabled.html)
+ [dax-tls-endpoint-encryption](./dax-tls-endpoint-encryption.html)
+ [db-instance-backup-enabled](./db-instance-backup-enabled.html)
+ [desired-instance-tenancy](./desired-instance-tenancy.html)
+ [desired-instance-type](./desired-instance-type.html)
+ [dms-auto-minor-version-upgrade-check](./dms-auto-minor-version-upgrade-check.html)
+ [dms-endpoint-ssl-configured](./dms-endpoint-ssl-configured.html)
+ [dms-endpoint-tagged](./dms-endpoint-tagged.html)
+ [dms-mongo-db-authentication-enabled](./dms-mongo-db-authentication-enabled.html)
+ [dms-neptune-iam-authorization-enabled](./dms-neptune-iam-authorization-enabled.html)
+ [dms-redis-tls-enabled](./dms-redis-tls-enabled.html)
+ [dms-replication-instance-multi-az-enabled](./dms-replication-instance-multi-az-enabled.html)
+ [dms-replication-not-public](./dms-replication-not-public.html)
+ [dms-replication-task-sourcedb-logging](./dms-replication-task-sourcedb-logging.html)
+ [dms-replication-task-tagged](./dms-replication-task-tagged.html)
+ [dms-replication-task-targetdb-logging](./dms-replication-task-targetdb-logging.html)
+ [docdb-cluster-audit-logging-enabled](./docdb-cluster-audit-logging-enabled.html)
+ [docdb-cluster-backup-retention-check](./docdb-cluster-backup-retention-check.html)
+ [docdb-cluster-deletion-protection-enabled](./docdb-cluster-deletion-protection-enabled.html)
+ [docdb-cluster-encrypted](./docdb-cluster-encrypted.html)
+ [docdb-cluster-encrypted-in-transit](./docdb-cluster-encrypted-in-transit.html)
+ [docdb-cluster-snapshot-public-prohibited](./docdb-cluster-snapshot-public-prohibited.html)
+ [dynamodb-autoscaling-enabled](./dynamodb-autoscaling-enabled.html)
+ [dynamodb-in-backup-plan](./dynamodb-in-backup-plan.html)
+ [dynamodb-last-backup-recovery-point-created](./dynamodb-last-backup-recovery-point-created.html)
+ [dynamodb-meets-restore-time-target](./dynamodb-meets-restore-time-target.html)
+ [dynamodb-pitr-enabled](./dynamodb-pitr-enabled.html)
+ [dynamodb-resources-protected-by-backup-plan](./dynamodb-resources-protected-by-backup-plan.html)
+ [dynamodb-table-deletion-protection-enabled](./dynamodb-table-deletion-protection-enabled.html)
+ [dynamodb-table-encrypted-kms](./dynamodb-table-encrypted-kms.html)
+ [dynamodb-table-encryption-enabled](./dynamodb-table-encryption-enabled.html)
+ [dynamodb-throughput-limit-check](./dynamodb-throughput-limit-check.html)
+ [ebs-in-backup-plan](./ebs-in-backup-plan.html)
+ [ebs-last-backup-recovery-point-created](./ebs-last-backup-recovery-point-created.html)
+ [ebs-meets-restore-time-target](./ebs-meets-restore-time-target.html)
+ [ebs-optimized-instance](./ebs-optimized-instance.html)
+ [ebs-resources-in-logically-air-gapped-vault](./ebs-resources-in-logically-air-gapped-vault.html)
+ [ebs-resources-protected-by-backup-plan](./ebs-resources-protected-by-backup-plan.html)
+ [ebs-snapshot-block-public-access](./ebs-snapshot-block-public-access.html)
+ [ebs-snapshot-public-restorable-check](./ebs-snapshot-public-restorable-check.html)
+ [ec2-capacity-reservation-tagged](./ec2-capacity-reservation-tagged.html)
+ [ec2-carrier-gateway-tagged](./ec2-carrier-gateway-tagged.html)
+ [ec2-client-vpn-connection-log-enabled](./ec2-client-vpn-connection-log-enabled.html)
+ [ec2-client-vpn-endpoint-tagged](./ec2-client-vpn-endpoint-tagged.html)
+ [ec2-client-vpn-not-authorize-all](./ec2-client-vpn-not-authorize-all.html)
+ [ec2-dhcp-options-tagged](./ec2-dhcp-options-tagged.html)
+ [ec2-ebs-encryption-by-default](./ec2-ebs-encryption-by-default.html)
+ [ec2-enis-source-destination-check-enabled](./ec2-enis-source-destination-check-enabled.html)
+ [ec2-fleet-tagged](./ec2-fleet-tagged.html)
+ [ec2-imdsv2-check](./ec2-imdsv2-check.html)
+ [ec2-instance-detailed-monitoring-enabled](./ec2-instance-detailed-monitoring-enabled.html)
+ [ec2-instance-launched-with-allowed-ami](./ec2-instance-launched-with-allowed-ami.html)
+ [ec2-instance-managed-by-ssm](./ec2-instance-managed-by-ssm.html)
+ [ec2-instance-multiple-eni-check](./ec2-instance-multiple-eni-check.html)
+ [ec2-instance-no-public-ip](./ec2-instance-no-public-ip.html)
+ [ec2-instance-profile-attached](./ec2-instance-profile-attached.html)
+ [ec2-ipamscope-tagged](./ec2-ipamscope-tagged.html)
+ [ec2-last-backup-recovery-point-created](./ec2-last-backup-recovery-point-created.html)
+ [ec2-launchtemplate-ebs-encrypted](./ec2-launchtemplate-ebs-encrypted.html)
+ [ec2-launch-templates-ebs-volume-encrypted](./ec2-launch-templates-ebs-volume-encrypted.html)
+ [ec2-launch-template-imdsv2-check](./ec2-launch-template-imdsv2-check.html)
+ [ec2-launch-template-public-ip-disabled](./ec2-launch-template-public-ip-disabled.html)
+ [ec2-launch-template-tagged](./ec2-launch-template-tagged.html)
+ [ec2-managedinstance-applications-blacklisted](./ec2-managedinstance-applications-blacklisted.html)
+ [ec2-managedinstance-applications-required](./ec2-managedinstance-applications-required.html)
+ [ec2-managedinstance-association-compliance-status-check](./ec2-managedinstance-association-compliance-status-check.html)
+ [ec2-managedinstance-inventory-blacklisted](./ec2-managedinstance-inventory-blacklisted.html)
+ [ec2-managedinstance-patch-compliance-status-check](./ec2-managedinstance-patch-compliance-status-check.html)
+ [ec2-managedinstance-platform-check](./ec2-managedinstance-platform-check.html)
+ [ec2-meets-restore-time-target](./ec2-meets-restore-time-target.html)
+ [ec2-network-insights-access-scope-analysis-tagged](./ec2-network-insights-access-scope-analysis-tagged.html)
+ [ec2-network-insights-access-scope-tagged](./ec2-network-insights-access-scope-tagged.html)
+ [ec2-network-insights-analysis-tagged](./ec2-network-insights-analysis-tagged.html)
+ [ec2-network-insights-path-tagged](./ec2-network-insights-path-tagged.html)
+ [ec2-no-amazon-key-pair](./ec2-no-amazon-key-pair.html)
+ [ec2-prefix-list-tagged](./ec2-prefix-list-tagged.html)
+ [ec2-resources-in-logically-air-gapped-vault](./ec2-resources-in-logically-air-gapped-vault.html)
+ [ec2-resources-protected-by-backup-plan](./ec2-resources-protected-by-backup-plan.html)
+ [ec2-security-group-attached-to-eni](./ec2-security-group-attached-to-eni.html)
+ [ec2-security-group-attached-to-eni-periodic](./ec2-security-group-attached-to-eni-periodic.html)
+ [ec2-spot-fleet-request-ct-encryption-at-rest](./ec2-spot-fleet-request-ct-encryption-at-rest.html)
+ [ec2-stopped-instance](./ec2-stopped-instance.html)
+ [ec2-token-hop-limit-check](./ec2-token-hop-limit-check.html)
+ [ec2-traffic-mirror-filter-description](./ec2-traffic-mirror-filter-description.html)
+ [ec2-traffic-mirror-filter-tagged](./ec2-traffic-mirror-filter-tagged.html)
+ [ec2-traffic-mirror-session-description](./ec2-traffic-mirror-session-description.html)
+ [ec2-traffic-mirror-session-tagged](./ec2-traffic-mirror-session-tagged.html)
+ [ec2-traffic-mirror-target-description](./ec2-traffic-mirror-target-description.html)
+ [ec2-traffic-mirror-target-tagged](./ec2-traffic-mirror-target-tagged.html)
+ [ec2-transit-gateway-auto-vpc-attach-disabled](./ec2-transit-gateway-auto-vpc-attach-disabled.html)
+ [ec2-transit-gateway-multicast-domain-tagged](./ec2-transit-gateway-multicast-domain-tagged.html)
+ [ec2-volume-inuse-check](./ec2-volume-inuse-check.html)
+ [ec2-vpn-connection-ike-version-check](./ec2-vpn-connection-ike-version-check.html)
+ [ec2-vpn-connection-logging-enabled](./ec2-vpn-connection-logging-enabled.html)
+ [ec2-vpn-connection-tagged](./ec2-vpn-connection-tagged.html)
+ [ecr-private-image-scanning-enabled](./ecr-private-image-scanning-enabled.html)
+ [ecr-private-lifecycle-policy-configured](./ecr-private-lifecycle-policy-configured.html)
+ [ecr-private-tag-immutability-enabled](./ecr-private-tag-immutability-enabled.html)
+ [ecr-repository-cmk-encryption-enabled](./ecr-repository-cmk-encryption-enabled.html)
+ [ecr-repository-tagged](./ecr-repository-tagged.html)
+ [ecs-awsvpc-networking-enabled](./ecs-awsvpc-networking-enabled.html)
+ [ecs-capacity-provider-tagged](./ecs-capacity-provider-tagged.html)
+ [ecs-capacity-provider-termination-check](./ecs-capacity-provider-termination-check.html)
+ [ecs-containers-nonprivileged](./ecs-containers-nonprivileged.html)
+ [ecs-containers-readonly-access](./ecs-containers-readonly-access.html)
+ [ecs-container-insights-enabled](./ecs-container-insights-enabled.html)
+ [ecs-fargate-latest-platform-version](./ecs-fargate-latest-platform-version.html)
+ [ecs-no-environment-secrets](./ecs-no-environment-secrets.html)
+ [ecs-service-propagate-tags-enabled](./ecs-service-propagate-tags-enabled.html)
+ [ecs-task-definition-efs-encryption-enabled](./ecs-task-definition-efs-encryption-enabled.html)
+ [ecs-task-definition-linux-user-non-root](./ecs-task-definition-linux-user-non-root.html)
+ [ecs-task-definition-log-configuration](./ecs-task-definition-log-configuration.html)
+ [ecs-task-definition-memory-hard-limit](./ecs-task-definition-memory-hard-limit.html)
+ [ecs-task-definition-network-mode-not-host](./ecs-task-definition-network-mode-not-host.html)
+ [ecs-task-definition-nonroot-user](./ecs-task-definition-nonroot-user.html)
+ [ecs-task-definition-pid-mode-check](./ecs-task-definition-pid-mode-check.html)
+ [ecs-task-definition-user-for-host-mode-check](./ecs-task-definition-user-for-host-mode-check.html)
+ [ecs-task-definition-windows-user-non-admin](./ecs-task-definition-windows-user-non-admin.html)
+ [efs-access-point-enforce-root-directory](./efs-access-point-enforce-root-directory.html)
+ [efs-access-point-enforce-user-identity](./efs-access-point-enforce-user-identity.html)
+ [efs-automatic-backups-enabled](./efs-automatic-backups-enabled.html)
+ [efs-encrypted-check](./efs-encrypted-check.html)
+ [efs-filesystem-ct-encrypted](./efs-filesystem-ct-encrypted.html)
+ [efs-file-system-tagged](./efs-file-system-tagged.html)
+ [efs-in-backup-plan](./efs-in-backup-plan.html)
+ [efs-last-backup-recovery-point-created](./efs-last-backup-recovery-point-created.html)
+ [efs-meets-restore-time-target](./efs-meets-restore-time-target.html)
+ [efs-mount-target-public-accessible](./efs-mount-target-public-accessible.html)
+ [efs-resources-in-logically-air-gapped-vault](./efs-resources-in-logically-air-gapped-vault.html)
+ [efs-resources-protected-by-backup-plan](./efs-resources-protected-by-backup-plan.html)
+ [eip-attached](./eip-attached.html)
+ [eks-addon-tagged](./eks-addon-tagged.html)
+ [eks-cluster-logging-enabled](./eks-cluster-logging-enabled.html)
+ [eks-cluster-log-enabled](./eks-cluster-log-enabled.html)
+ [eks-cluster-oldest-supported-version](./eks-cluster-oldest-supported-version.html)
+ [eks-cluster-secrets-encrypted](./eks-cluster-secrets-encrypted.html)
+ [eks-cluster-supported-version](./eks-cluster-supported-version.html)
+ [eks-endpoint-no-public-access](./eks-endpoint-no-public-access.html)
+ [eks-fargate-profile-tagged](./eks-fargate-profile-tagged.html)
+ [eks-nodegroup-supported-version-check](./eks-nodegroup-supported-version-check.html)
+ [eks-secrets-encrypted](./eks-secrets-encrypted.html)
+ [elasticache-automatic-backup-check-enabled](./elasticache-automatic-backup-check-enabled.html)
+ [elasticache-auto-minor-version-upgrade-check](./elasticache-auto-minor-version-upgrade-check.html)
+ [elasticache-rbac-auth-enabled](./elasticache-rbac-auth-enabled.html)
+ [elasticache-redis-cluster-automatic-backup-check](./elasticache-redis-cluster-automatic-backup-check.html)
+ [elasticache-repl-grp-auto-failover-enabled](./elasticache-repl-grp-auto-failover-enabled.html)
+ [elasticache-repl-grp-encrypted-at-rest](./elasticache-repl-grp-encrypted-at-rest.html)
+ [elasticache-repl-grp-encrypted-in-transit](./elasticache-repl-grp-encrypted-in-transit.html)
+ [elasticache-repl-grp-redis-auth-enabled](./elasticache-repl-grp-redis-auth-enabled.html)
+ [elasticache-subnet-group-check](./elasticache-subnet-group-check.html)
+ [elasticache-supported-engine-version](./elasticache-supported-engine-version.html)
+ [elasticbeanstalk-application-description](./elasticbeanstalk-application-description.html)
+ [elasticbeanstalk-application-version-description](./elasticbeanstalk-application-version-description.html)
+ [elasticbeanstalk-environment-description](./elasticbeanstalk-environment-description.html)
+ [elasticsearch-encrypted-at-rest](./elasticsearch-encrypted-at-rest.html)
+ [elasticsearch-in-vpc-only](./elasticsearch-in-vpc-only.html)
+ [elasticsearch-logs-to-cloudwatch](./elasticsearch-logs-to-cloudwatch.html)
+ [elasticsearch-node-to-node-encryption-check](./elasticsearch-node-to-node-encryption-check.html)
+ [elastic-beanstalk-logs-to-cloudwatch](./elastic-beanstalk-logs-to-cloudwatch.html)
+ [elastic-beanstalk-managed-updates-enabled](./elastic-beanstalk-managed-updates-enabled.html)
+ [elbv2-acm-certificate-required](./elbv2-acm-certificate-required.html)
+ [elbv2-listener-encryption-in-transit](./elbv2-listener-encryption-in-transit.html)
+ [elbv2-multiple-az](./elbv2-multiple-az.html)
+ [elbv2-predefined-security-policy-ssl-check](./elbv2-predefined-security-policy-ssl-check.html)
+ [elbv2-targetgroup-healthcheck-protocol-encrypted](./elbv2-targetgroup-healthcheck-protocol-encrypted.html)
+ [elbv2-targetgroup-protocol-encrypted](./elbv2-targetgroup-protocol-encrypted.html)
+ [elb-acm-certificate-required](./elb-acm-certificate-required.html)
+ [elb-cross-zone-load-balancing-enabled](./elb-cross-zone-load-balancing-enabled.html)
+ [elb-custom-security-policy-ssl-check](./elb-custom-security-policy-ssl-check.html)
+ [elb-deletion-protection-enabled](./elb-deletion-protection-enabled.html)
+ [elb-internal-scheme-check](./elb-internal-scheme-check.html)
+ [elb-logging-enabled](./elb-logging-enabled.html)
+ [elb-predefined-security-policy-ssl-check](./elb-predefined-security-policy-ssl-check.html)
+ [elb-tagged](./elb-tagged.html)
+ [elb-tls-https-listeners-only](./elb-tls-https-listeners-only.html)
+ [emr-block-public-access](./emr-block-public-access.html)
+ [emr-kerberos-enabled](./emr-kerberos-enabled.html)
+ [emr-master-no-public-ip](./emr-master-no-public-ip.html)
+ [emr-security-configuration-encryption-rest](./emr-security-configuration-encryption-rest.html)
+ [emr-security-configuration-encryption-transit](./emr-security-configuration-encryption-transit.html)
+ [encrypted-volumes](./encrypted-volumes.html)
+ [eventschemas-discoverer-tagged](./eventschemas-discoverer-tagged.html)
+ [eventschemas-registry-tagged](./eventschemas-registry-tagged.html)
+ [event-data-store-cmk-encryption-enabled](./event-data-store-cmk-encryption-enabled.html)
+ [fis-experiment-template-log-configuration-exists](./fis-experiment-template-log-configuration-exists.html)
+ [fis-experiment-template-tagged](./fis-experiment-template-tagged.html)
+ [fms-shield-resource-policy-check](./fms-shield-resource-policy-check.html)
+ [fms-webacl-resource-policy-check](./fms-webacl-resource-policy-check.html)
+ [fms-webacl-rulegroup-association-check](./fms-webacl-rulegroup-association-check.html)
+ [fsx-last-backup-recovery-point-created](./fsx-last-backup-recovery-point-created.html)
+ [fsx-lustre-copy-tags-to-backups](./fsx-lustre-copy-tags-to-backups.html)
+ [fsx-meets-restore-time-target](./fsx-meets-restore-time-target.html)
+ [fsx-ontap-deployment-type-check](./fsx-ontap-deployment-type-check.html)
+ [fsx-openzfs-copy-tags-enabled](./fsx-openzfs-copy-tags-enabled.html)
+ [fsx-openzfs-deployment-type-check](./fsx-openzfs-deployment-type-check.html)
+ [fsx-resources-protected-by-backup-plan](./fsx-resources-protected-by-backup-plan.html)
+ [fsx-windows-audit-log-configured](./fsx-windows-audit-log-configured.html)
+ [fsx-windows-deployment-type-check](./fsx-windows-deployment-type-check.html)
+ [glb-listener-tagged](./glb-listener-tagged.html)
+ [glb-tagged](./glb-tagged.html)
+ [global-endpoint-event-replication-enabled](./global-endpoint-event-replication-enabled.html)
+ [glue-job-logging-enabled](./glue-job-logging-enabled.html)
+ [glue-ml-transform-encrypted-at-rest](./glue-ml-transform-encrypted-at-rest.html)
+ [glue-ml-transform-tagged](./glue-ml-transform-tagged.html)
+ [glue-spark-job-supported-version](./glue-spark-job-supported-version.html)
+ [guardduty-ec2-protection-runtime-enabled](./guardduty-ec2-protection-runtime-enabled.html)
+ [guardduty-ecs-protection-runtime-enabled](./guardduty-ecs-protection-runtime-enabled.html)
+ [guardduty-eks-protection-audit-enabled](./guardduty-eks-protection-audit-enabled.html)
+ [guardduty-eks-protection-runtime-enabled](./guardduty-eks-protection-runtime-enabled.html)
+ [guardduty-enabled-centralized](./guardduty-enabled-centralized.html)
+ [guardduty-lambda-protection-enabled](./guardduty-lambda-protection-enabled.html)
+ [guardduty-malware-protection-enabled](./guardduty-malware-protection-enabled.html)
+ [guardduty-non-archived-findings](./guardduty-non-archived-findings.html)
+ [guardduty-rds-protection-enabled](./guardduty-rds-protection-enabled.html)
+ [guardduty-runtime-monitoring-enabled](./guardduty-runtime-monitoring-enabled.html)
+ [guardduty-s3-protection-enabled](./guardduty-s3-protection-enabled.html)
+ [iam-customer-policy-blocked-kms-actions](./iam-customer-policy-blocked-kms-actions.html)
+ [iam-external-access-analyzer-enabled](./iam-external-access-analyzer-enabled.html)
+ [iam-group-has-users-check](./iam-group-has-users-check.html)
+ [iam-inline-policy-blocked-kms-actions](./iam-inline-policy-blocked-kms-actions.html)
+ [iam-no-inline-policy-check](./iam-no-inline-policy-check.html)
+ [iam-password-policy](./iam-password-policy.html)
+ [iam-policy-blacklisted-check](./iam-policy-blacklisted-check.html)
+ [iam-policy-description](./iam-policy-description.html)
+ [iam-policy-in-use](./iam-policy-in-use.html)
+ [iam-policy-no-statements-with-admin-access](./iam-policy-no-statements-with-admin-access.html)
+ [iam-policy-no-statements-with-full-access](./iam-policy-no-statements-with-full-access.html)
+ [iam-role-managed-policy-check](./iam-role-managed-policy-check.html)
+ [iam-root-access-key-check](./iam-root-access-key-check.html)
+ [iam-user-group-membership-check](./iam-user-group-membership-check.html)
+ [iam-user-mfa-enabled](./iam-user-mfa-enabled.html)
+ [iam-user-no-policies-check](./iam-user-no-policies-check.html)
+ [iam-user-unused-credentials-check](./iam-user-unused-credentials-check.html)
+ [imagebuilder-distributionconfiguration-tagged](./imagebuilder-distributionconfiguration-tagged.html)
+ [imagebuilder-imagepipeline-tagged](./imagebuilder-imagepipeline-tagged.html)
+ [imagebuilder-imagerecipe-ebs-volumes-encrypted](./imagebuilder-imagerecipe-ebs-volumes-encrypted.html)
+ [imagebuilder-imagerecipe-tagged](./imagebuilder-imagerecipe-tagged.html)
+ [imagebuilder-infrastructureconfiguration-tagged](./imagebuilder-infrastructureconfiguration-tagged.html)
+ [incoming-ssh-disabled](./incoming-ssh-disabled.html)
+ [inspector-ec2-scan-enabled](./inspector-ec2-scan-enabled.html)
+ [inspector-ecr-scan-enabled](./inspector-ecr-scan-enabled.html)
+ [inspector-lambda-standard-scan-enabled](./inspector-lambda-standard-scan-enabled.html)
+ [instances-in-vpc](./instances-in-vpc.html)
+ [internet-gateway-authorized-vpc-only](./internet-gateway-authorized-vpc-only.html)
+ [iotdevicedefender-custom-metric-tagged](./iotdevicedefender-custom-metric-tagged.html)
+ [iot-authorizer-token-signing-enabled](./iot-authorizer-token-signing-enabled.html)
+ [iot-job-template-tagged](./iot-job-template-tagged.html)
+ [iot-provisioning-template-description](./iot-provisioning-template-description.html)
+ [iot-provisioning-template-jitp](./iot-provisioning-template-jitp.html)
+ [iot-provisioning-template-tagged](./iot-provisioning-template-tagged.html)
+ [iot-scheduled-audit-tagged](./iot-scheduled-audit-tagged.html)
+ [kinesisvideo-signalingchannel-tagged](./kinesisvideo-signalingchannel-tagged.html)
+ [kinesisvideo-stream-tagged](./kinesisvideo-stream-tagged.html)
+ [kinesis-firehose-delivery-stream-encrypted](./kinesis-firehose-delivery-stream-encrypted.html)
+ [kinesis-stream-backup-retention-check](./kinesis-stream-backup-retention-check.html)
+ [kinesis-stream-encrypted](./kinesis-stream-encrypted.html)
+ [kinesis-video-stream-minimum-data-retention](./kinesis-video-stream-minimum-data-retention.html)
+ [kms-cmk-not-scheduled-for-deletion](./kms-cmk-not-scheduled-for-deletion.html)
+ [kms-key-policy-no-public-access](./kms-key-policy-no-public-access.html)
+ [kms-key-tagged](./kms-key-tagged.html)
+ [lambda-concurrency-check](./lambda-concurrency-check.html)
+ [lambda-dlq-check](./lambda-dlq-check.html)
+ [lambda-function-application-log-level-check](./lambda-function-application-log-level-check.html)
+ [lambda-function-description](./lambda-function-description.html)
+ [lambda-function-log-format-json](./lambda-function-log-format-json.html)
+ [lambda-function-public-access-prohibited](./lambda-function-public-access-prohibited.html)
+ [lambda-function-settings-check](./lambda-function-settings-check.html)
+ [lambda-function-system-log-level-check](./lambda-function-system-log-level-check.html)
+ [lambda-function-xray-enabled](./lambda-function-xray-enabled.html)
+ [lambda-inside-vpc](./lambda-inside-vpc.html)
+ [lambda-vpc-multi-az-check](./lambda-vpc-multi-az-check.html)
+ [lightsail-bucket-allow-public-overrides-disabled](./lightsail-bucket-allow-public-overrides-disabled.html)
+ [lightsail-bucket-object-versioning-enabled](./lightsail-bucket-object-versioning-enabled.html)
+ [lightsail-bucket-tagged](./lightsail-bucket-tagged.html)
+ [lightsail-certificate-tagged](./lightsail-certificate-tagged.html)
+ [lightsail-disk-tagged](./lightsail-disk-tagged.html)
+ [macie-auto-sensitive-data-discovery-check](./macie-auto-sensitive-data-discovery-check.html)
+ [macie-status-check](./macie-status-check.html)
+ [mariadb-publish-logs-to-cloudwatch-logs](./mariadb-publish-logs-to-cloudwatch-logs.html)
+ [mediapackage-packagingconfiguration-tagged](./mediapackage-packagingconfiguration-tagged.html)
+ [mediatailor-playbackconfiguration-tagged](./mediatailor-playbackconfiguration-tagged.html)
+ [mfa-enabled-for-iam-console-access](./mfa-enabled-for-iam-console-access.html)
+ [mq-active-broker-ldap-authentication](./mq-active-broker-ldap-authentication.html)
+ [mq-active-deployment-mode](./mq-active-deployment-mode.html)
+ [mq-active-single-instance-broker-storage-type-efs](./mq-active-single-instance-broker-storage-type-efs.html)
+ [mq-automatic-minor-version-upgrade-enabled](./mq-automatic-minor-version-upgrade-enabled.html)
+ [mq-auto-minor-version-upgrade-enabled](./mq-auto-minor-version-upgrade-enabled.html)
+ [mq-broker-general-logging-enabled](./mq-broker-general-logging-enabled.html)
+ [mq-cloudwatch-audit-logging-enabled](./mq-cloudwatch-audit-logging-enabled.html)
+ [mq-cloudwatch-audit-log-enabled](./mq-cloudwatch-audit-log-enabled.html)
+ [mq-no-public-access](./mq-no-public-access.html)
+ [mq-rabbit-deployment-mode](./mq-rabbit-deployment-mode.html)
+ [msk-cluster-public-access-disabled](./msk-cluster-public-access-disabled.html)
+ [msk-cluster-tagged](./msk-cluster-tagged.html)
+ [msk-connect-connector-logging-enabled](./msk-connect-connector-logging-enabled.html)
+ [msk-enhanced-monitoring-enabled](./msk-enhanced-monitoring-enabled.html)
+ [msk-in-cluster-node-require-tls](./msk-in-cluster-node-require-tls.html)
+ [msk-unrestricted-access-check](./msk-unrestricted-access-check.html)
+ [multi-region-cloud-trail-enabled](./multi-region-cloud-trail-enabled.html)
+ [nacl-no-unrestricted-ssh-rdp](./nacl-no-unrestricted-ssh-rdp.html)
+ [neptune-cluster-backup-retention-check](./neptune-cluster-backup-retention-check.html)
+ [neptune-cluster-cloudwatch-log-export-enabled](./neptune-cluster-cloudwatch-log-export-enabled.html)
+ [neptune-cluster-copy-tags-to-snapshot-enabled](./neptune-cluster-copy-tags-to-snapshot-enabled.html)
+ [neptune-cluster-deletion-protection-enabled](./neptune-cluster-deletion-protection-enabled.html)
+ [neptune-cluster-encrypted](./neptune-cluster-encrypted.html)
+ [neptune-cluster-iam-database-authentication](./neptune-cluster-iam-database-authentication.html)
+ [neptune-cluster-multi-az-enabled](./neptune-cluster-multi-az-enabled.html)
+ [neptune-cluster-snapshot-encrypted](./neptune-cluster-snapshot-encrypted.html)
+ [neptune-cluster-snapshot-iam-database-auth-enabled](./neptune-cluster-snapshot-iam-database-auth-enabled.html)
+ [neptune-cluster-snapshot-public-prohibited](./neptune-cluster-snapshot-public-prohibited.html)
+ [netfw-deletion-protection-enabled](./netfw-deletion-protection-enabled.html)
+ [netfw-logging-enabled](./netfw-logging-enabled.html)
+ [netfw-multi-az-enabled](./netfw-multi-az-enabled.html)
+ [netfw-policy-default-action-fragment-packets](./netfw-policy-default-action-fragment-packets.html)
+ [netfw-policy-default-action-full-packets](./netfw-policy-default-action-full-packets.html)
+ [netfw-policy-rule-group-associated](./netfw-policy-rule-group-associated.html)
+ [netfw-stateless-rule-group-not-empty](./netfw-stateless-rule-group-not-empty.html)
+ [netfw-subnet-change-protection-enabled](./netfw-subnet-change-protection-enabled.html)
+ [nlb-cross-zone-load-balancing-enabled](./nlb-cross-zone-load-balancing-enabled.html)
+ [nlb-internal-scheme-check](./nlb-internal-scheme-check.html)
+ [nlb-listener-tagged](./nlb-listener-tagged.html)
+ [nlb-logging-enabled](./nlb-logging-enabled.html)
+ [nlb-tagged](./nlb-tagged.html)
+ [no-unrestricted-route-to-igw](./no-unrestricted-route-to-igw.html)
+ [opensearchserverless-collection-description](./opensearchserverless-collection-description.html)
+ [opensearchserverless-collection-standbyreplicas-enabled](./opensearchserverless-collection-standbyreplicas-enabled.html)
+ [opensearch-access-control-enabled](./opensearch-access-control-enabled.html)
+ [opensearch-audit-logging-enabled](./opensearch-audit-logging-enabled.html)
+ [opensearch-data-node-fault-tolerance](./opensearch-data-node-fault-tolerance.html)
+ [opensearch-encrypted-at-rest](./opensearch-encrypted-at-rest.html)
+ [opensearch-https-required](./opensearch-https-required.html)
+ [opensearch-in-vpc-only](./opensearch-in-vpc-only.html)
+ [opensearch-logs-to-cloudwatch](./opensearch-logs-to-cloudwatch.html)
+ [opensearch-node-to-node-encryption-check](./opensearch-node-to-node-encryption-check.html)
+ [opensearch-primary-node-fault-tolerance](./opensearch-primary-node-fault-tolerance.html)
+ [opensearch-update-check](./opensearch-update-check.html)
+ [rabbit-mq-supported-version](./rabbit-mq-supported-version.html)
+ [rds-aurora-mysql-audit-logging-enabled](./rds-aurora-mysql-audit-logging-enabled.html)
+ [rds-aurora-postgresql-logs-to-cloudwatch](./rds-aurora-postgresql-logs-to-cloudwatch.html)
+ [rds-automatic-minor-version-upgrade-enabled](./rds-automatic-minor-version-upgrade-enabled.html)
+ [rds-cluster-auto-minor-version-upgrade-enable](./rds-cluster-auto-minor-version-upgrade-enable.html)
+ [rds-cluster-backup-retention-check](./rds-cluster-backup-retention-check.html)
+ [rds-cluster-default-admin-check](./rds-cluster-default-admin-check.html)
+ [rds-cluster-deletion-protection-enabled](./rds-cluster-deletion-protection-enabled.html)
+ [rds-cluster-encrypted-at-rest](./rds-cluster-encrypted-at-rest.html)
+ [rds-cluster-iam-authentication-enabled](./rds-cluster-iam-authentication-enabled.html)
+ [rds-cluster-multi-az-enabled](./rds-cluster-multi-az-enabled.html)
+ [rds-enhanced-monitoring-enabled](./rds-enhanced-monitoring-enabled.html)
+ [rds-event-subscription-tagged](./rds-event-subscription-tagged.html)
+ [rds-global-cluster-aurora-mysql-supported-version](./rds-global-cluster-aurora-mysql-supported-version.html)
+ [rds-instance-default-admin-check](./rds-instance-default-admin-check.html)
+ [rds-instance-deletion-protection-enabled](./rds-instance-deletion-protection-enabled.html)
+ [rds-instance-iam-authentication-enabled](./rds-instance-iam-authentication-enabled.html)
+ [rds-instance-public-access-check](./rds-instance-public-access-check.html)
+ [rds-instance-subnet-igw-check](./rds-instance-subnet-igw-check.html)
+ [rds-in-backup-plan](./rds-in-backup-plan.html)
+ [rds-last-backup-recovery-point-created](./rds-last-backup-recovery-point-created.html)
+ [rds-logging-enabled](./rds-logging-enabled.html)
+ [rds-mariadb-instance-encrypted-in-transit](./rds-mariadb-instance-encrypted-in-transit.html)
+ [rds-meets-restore-time-target](./rds-meets-restore-time-target.html)
+ [rds-multi-az-support](./rds-multi-az-support.html)
+ [rds-mysql-cluster-copy-tags-to-snapshot-check](./rds-mysql-cluster-copy-tags-to-snapshot-check.html)
+ [rds-mysql-instance-encrypted-in-transit](./rds-mysql-instance-encrypted-in-transit.html)
+ [rds-option-group-tagged](./rds-option-group-tagged.html)
+ [rds-pgsql-cluster-copy-tags-to-snapshot-check](./rds-pgsql-cluster-copy-tags-to-snapshot-check.html)
+ [rds-postgresql-logs-to-cloudwatch](./rds-postgresql-logs-to-cloudwatch.html)
+ [rds-postgres-instance-encrypted-in-transit](./rds-postgres-instance-encrypted-in-transit.html)
+ [rds-proxy-tls-encryption](./rds-proxy-tls-encryption.html)
+ [rds-resources-protected-by-backup-plan](./rds-resources-protected-by-backup-plan.html)
+ [rds-snapshots-public-prohibited](./rds-snapshots-public-prohibited.html)
+ [rds-snapshot-encrypted](./rds-snapshot-encrypted.html)
+ [rds-sqlserver-encrypted-in-transit](./rds-sqlserver-encrypted-in-transit.html)
+ [rds-sql-server-logs-to-cloudwatch](./rds-sql-server-logs-to-cloudwatch.html)
+ [rds-storage-encrypted](./rds-storage-encrypted.html)
+ [redshift-audit-logging-enabled](./redshift-audit-logging-enabled.html)
+ [redshift-backup-enabled](./redshift-backup-enabled.html)
+ [redshift-cluster-configuration-check](./redshift-cluster-configuration-check.html)
+ [redshift-cluster-kms-enabled](./redshift-cluster-kms-enabled.html)
+ [redshift-cluster-maintenancesettings-check](./redshift-cluster-maintenancesettings-check.html)
+ [redshift-cluster-multi-az-enabled](./redshift-cluster-multi-az-enabled.html)
+ [redshift-cluster-parameter-group-tagged](./redshift-cluster-parameter-group-tagged.html)
+ [redshift-cluster-public-access-check](./redshift-cluster-public-access-check.html)
+ [redshift-cluster-subnet-group-multi-az](./redshift-cluster-subnet-group-multi-az.html)
+ [redshift-default-admin-check](./redshift-default-admin-check.html)
+ [redshift-default-db-name-check](./redshift-default-db-name-check.html)
+ [redshift-enhanced-vpc-routing-enabled](./redshift-enhanced-vpc-routing-enabled.html)
+ [redshift-require-tls-ssl](./redshift-require-tls-ssl.html)
+ [redshift-serverless-default-admin-check](./redshift-serverless-default-admin-check.html)
+ [redshift-serverless-default-db-name-check](./redshift-serverless-default-db-name-check.html)
+ [redshift-serverless-namespace-cmk-encryption](./redshift-serverless-namespace-cmk-encryption.html)
+ [redshift-serverless-publish-logs-to-cloudwatch](./redshift-serverless-publish-logs-to-cloudwatch.html)
+ [redshift-serverless-workgroup-encrypted-in-transit](./redshift-serverless-workgroup-encrypted-in-transit.html)
+ [redshift-serverless-workgroup-no-public-access](./redshift-serverless-workgroup-no-public-access.html)
+ [redshift-serverless-workgroup-routes-within-vpc](./redshift-serverless-workgroup-routes-within-vpc.html)
+ [redshift-unrestricted-port-access](./redshift-unrestricted-port-access.html)
+ [required-tags](./required-tags.html)
+ [resiliencehub-app-tagged](./resiliencehub-app-tagged.html)
+ [resiliencehub-resiliencypolicy-tagged](./resiliencehub-resiliencypolicy-tagged.html)
+ [restricted-incoming-traffic](./restricted-incoming-traffic.html)
+ [root-account-hardware-mfa-enabled](./root-account-hardware-mfa-enabled.html)
+ [root-account-mfa-enabled](./root-account-mfa-enabled.html)
+ [route53-resolver-firewall-domain-list-tagged](./route53-resolver-firewall-domain-list-tagged.html)
+ [route53-resolver-firewall-rule-group-association-tagged](./route53-resolver-firewall-rule-group-association-tagged.html)
+ [route53-resolver-firewall-rule-group-tagged](./route53-resolver-firewall-rule-group-tagged.html)
+ [route53-resolver-resolver-endpoint-tagged](./route53-resolver-resolver-endpoint-tagged.html)
+ [route53-resolver-resolver-rule-tagged](./route53-resolver-resolver-rule-tagged.html)
+ [rum-app-monitor-cloudwatch-logs-enabled](./rum-app-monitor-cloudwatch-logs-enabled.html)
+ [rum-app-monitor-tagged](./rum-app-monitor-tagged.html)
+ [s3-access-point-in-vpc-only](./s3-access-point-in-vpc-only.html)
+ [s3-access-point-public-access-blocks](./s3-access-point-public-access-blocks.html)
+ [s3-account-level-public-access-blocks](./s3-account-level-public-access-blocks.html)
+ [s3-account-level-public-access-blocks-periodic](./s3-account-level-public-access-blocks-periodic.html)
+ [s3-bucket-acl-prohibited](./s3-bucket-acl-prohibited.html)
+ [s3-bucket-blacklisted-actions-prohibited](./s3-bucket-blacklisted-actions-prohibited.html)
+ [s3-bucket-cross-region-replication-enabled](./s3-bucket-cross-region-replication-enabled.html)
+ [s3-bucket-default-lock-enabled](./s3-bucket-default-lock-enabled.html)
+ [s3-bucket-level-public-access-prohibited](./s3-bucket-level-public-access-prohibited.html)
+ [s3-bucket-logging-enabled](./s3-bucket-logging-enabled.html)
+ [s3-bucket-mfa-delete-enabled](./s3-bucket-mfa-delete-enabled.html)
+ [s3-bucket-policy-grantee-check](./s3-bucket-policy-grantee-check.html)
+ [s3-bucket-policy-not-more-permissive](./s3-bucket-policy-not-more-permissive.html)
+ [s3-bucket-public-read-prohibited](./s3-bucket-public-read-prohibited.html)
+ [s3-bucket-public-write-prohibited](./s3-bucket-public-write-prohibited.html)
+ [s3-bucket-replication-enabled](./s3-bucket-replication-enabled.html)
+ [s3-bucket-server-side-encryption-enabled](./s3-bucket-server-side-encryption-enabled.html)
+ [s3-bucket-ssl-requests-only](./s3-bucket-ssl-requests-only.html)
+ [s3-bucket-tagged](./s3-bucket-tagged.html)
+ [s3-bucket-versioning-enabled](./s3-bucket-versioning-enabled.html)
+ [s3-default-encryption-kms](./s3-default-encryption-kms.html)
+ [s3-event-notifications-enabled](./s3-event-notifications-enabled.html)
+ [s3-last-backup-recovery-point-created](./s3-last-backup-recovery-point-created.html)
+ [s3-lifecycle-policy-check](./s3-lifecycle-policy-check.html)
+ [s3-meets-restore-time-target](./s3-meets-restore-time-target.html)
+ [s3-resources-in-logically-air-gapped-vault](./s3-resources-in-logically-air-gapped-vault.html)
+ [s3-resources-protected-by-backup-plan](./s3-resources-protected-by-backup-plan.html)
+ [s3-version-lifecycle-policy-check](./s3-version-lifecycle-policy-check.html)
+ [sagemaker-app-image-config-tagged](./sagemaker-app-image-config-tagged.html)
+ [sagemaker-data-quality-job-encrypt-in-transit](./sagemaker-data-quality-job-encrypt-in-transit.html)
+ [sagemaker-data-quality-job-isolation](./sagemaker-data-quality-job-isolation.html)
+ [sagemaker-domain-in-vpc](./sagemaker-domain-in-vpc.html)
+ [sagemaker-domain-tagged](./sagemaker-domain-tagged.html)
+ [sagemaker-endpoint-configuration-kms-key-configured](./sagemaker-endpoint-configuration-kms-key-configured.html)
+ [sagemaker-endpoint-config-prod-instance-count](./sagemaker-endpoint-config-prod-instance-count.html)
+ [sagemaker-featuregroup-description](./sagemaker-featuregroup-description.html)
+ [sagemaker-featuregroup-encryption-at-rest](./sagemaker-featuregroup-encryption-at-rest.html)
+ [sagemaker-feature-group-tagged](./sagemaker-feature-group-tagged.html)
+ [sagemaker-image-description](./sagemaker-image-description.html)
+ [sagemaker-image-tagged](./sagemaker-image-tagged.html)
+ [sagemaker-inferenceexperiment-tagged](./sagemaker-inferenceexperiment-tagged.html)
+ [sagemaker-model-bias-job-encrypt-in-transit](./sagemaker-model-bias-job-encrypt-in-transit.html)
+ [sagemaker-model-bias-job-isolation](./sagemaker-model-bias-job-isolation.html)
+ [sagemaker-model-explainability-job-encrypt-in-transit](./sagemaker-model-explainability-job-encrypt-in-transit.html)
+ [sagemaker-model-in-vpc](./sagemaker-model-in-vpc.html)
+ [sagemaker-model-isolation-enabled](./sagemaker-model-isolation-enabled.html)
+ [sagemaker-model-private-registry-required](./sagemaker-model-private-registry-required.html)
+ [sagemaker-model-quality-job-encrypt-in-transit](./sagemaker-model-quality-job-encrypt-in-transit.html)
+ [sagemaker-monitoring-schedule-isolation](./sagemaker-monitoring-schedule-isolation.html)
+ [sagemaker-notebook-instance-inside-vpc](./sagemaker-notebook-instance-inside-vpc.html)
+ [sagemaker-notebook-instance-kms-key-configured](./sagemaker-notebook-instance-kms-key-configured.html)
+ [sagemaker-notebook-instance-platform-version](./sagemaker-notebook-instance-platform-version.html)
+ [sagemaker-notebook-instance-root-access-check](./sagemaker-notebook-instance-root-access-check.html)
+ [sagemaker-notebook-no-direct-internet-access](./sagemaker-notebook-no-direct-internet-access.html)
+ [secretsmanager-rotation-enabled-check](./secretsmanager-rotation-enabled-check.html)
+ [secretsmanager-scheduled-rotation-success-check](./secretsmanager-scheduled-rotation-success-check.html)
+ [secretsmanager-secret-periodic-rotation](./secretsmanager-secret-periodic-rotation.html)
+ [secretsmanager-secret-unused](./secretsmanager-secret-unused.html)
+ [secretsmanager-using-cmk](./secretsmanager-using-cmk.html)
+ [securityhub-enabled](./securityhub-enabled.html)
+ [security-account-information-provided](./security-account-information-provided.html)
+ [service-catalog-portfolio-tagged](./service-catalog-portfolio-tagged.html)
+ [service-catalog-shared-within-organization](./service-catalog-shared-within-organization.html)
+ [service-vpc-endpoint-enabled](./service-vpc-endpoint-enabled.html)
+ [ses-sending-tls-required](./ses-sending-tls-required.html)
+ [signer-signingprofile-tagged](./signer-signingprofile-tagged.html)
+ [sns-encrypted-kms](./sns-encrypted-kms.html)
+ [sns-topic-message-delivery-notification-enabled](./sns-topic-message-delivery-notification-enabled.html)
+ [sns-topic-no-public-access](./sns-topic-no-public-access.html)
+ [sqs-queue-dlq-check](./sqs-queue-dlq-check.html)
+ [sqs-queue-no-public-access](./sqs-queue-no-public-access.html)
+ [sqs-queue-policy-full-access-check](./sqs-queue-policy-full-access-check.html)
+ [ssm-automation-block-public-sharing](./ssm-automation-block-public-sharing.html)
+ [ssm-automation-logging-enabled](./ssm-automation-logging-enabled.html)
+ [ssm-document-not-public](./ssm-document-not-public.html)
+ [ssm-document-tagged](./ssm-document-tagged.html)
+ [stepfunctions-state-machine-tagged](./stepfunctions-state-machine-tagged.html)
+ [step-functions-state-machine-logging-enabled](./step-functions-state-machine-logging-enabled.html)
+ [storagegateway-last-backup-recovery-point-created](./storagegateway-last-backup-recovery-point-created.html)
+ [storagegateway-resources-in-logically-air-gapped-vault](./storagegateway-resources-in-logically-air-gapped-vault.html)
+ [storagegateway-resources-protected-by-backup-plan](./storagegateway-resources-protected-by-backup-plan.html)
+ [subnet-auto-assign-public-ip-disabled](./subnet-auto-assign-public-ip-disabled.html)
+ [transfer-agreement-description](./transfer-agreement-description.html)
+ [transfer-agreement-tagged](./transfer-agreement-tagged.html)
+ [transfer-certificate-description](./transfer-certificate-description.html)
+ [transfer-certificate-tagged](./transfer-certificate-tagged.html)
+ [transfer-connector-as2-encryption-algorithm-check](./transfer-connector-as2-encryption-algorithm-check.html)
+ [transfer-connector-as2-mdn-signing-algorithm-check](./transfer-connector-as2-mdn-signing-algorithm-check.html)
+ [transfer-connector-as2-signing-algorithm-check](./transfer-connector-as2-signing-algorithm-check.html)
+ [transfer-connector-logging-enabled](./transfer-connector-logging-enabled.html)
+ [transfer-connector-tagged](./transfer-connector-tagged.html)
+ [transfer-family-server-no-ftp](./transfer-family-server-no-ftp.html)
+ [transfer-profile-tagged](./transfer-profile-tagged.html)
+ [transfer-workflow-description](./transfer-workflow-description.html)
+ [transfer-workflow-tagged](./transfer-workflow-tagged.html)
+ [virtualmachine-last-backup-recovery-point-created](./virtualmachine-last-backup-recovery-point-created.html)
+ [virtualmachine-resources-in-logically-air-gapped-vault](./virtualmachine-resources-in-logically-air-gapped-vault.html)
+ [virtualmachine-resources-protected-by-backup-plan](./virtualmachine-resources-protected-by-backup-plan.html)
+ [vpc-default-security-group-closed](./vpc-default-security-group-closed.html)
+ [vpc-endpoint-enabled](./vpc-endpoint-enabled.html)
+ [vpc-flow-logs-enabled](./vpc-flow-logs-enabled.html)
+ [vpc-network-acl-unused-check](./vpc-network-acl-unused-check.html)
+ [vpc-peering-dns-resolution-check](./vpc-peering-dns-resolution-check.html)
+ [vpc-sg-open-only-to-authorized-ports](./vpc-sg-open-only-to-authorized-ports.html)
+ [vpc-sg-port-restriction-check](./vpc-sg-port-restriction-check.html)
+ [vpc-vpn-2-tunnels-up](./vpc-vpn-2-tunnels-up.html)
+ [wafv2-logging-enabled](./wafv2-logging-enabled.html)
+ [wafv2-rulegroup-logging-enabled](./wafv2-rulegroup-logging-enabled.html)
+ [wafv2-rulegroup-not-empty](./wafv2-rulegroup-not-empty.html)
+ [wafv2-webacl-not-empty](./wafv2-webacl-not-empty.html)
+ [waf-global-rulegroup-not-empty](./waf-global-rulegroup-not-empty.html)
+ [waf-global-rule-not-empty](./waf-global-rule-not-empty.html)
+ [waf-regional-rulegroup-not-empty](./waf-regional-rulegroup-not-empty.html)
+ [waf-regional-rule-not-empty](./waf-regional-rule-not-empty.html)
+ [waf-regional-webacl-not-empty](./waf-regional-webacl-not-empty.html)

## Europe (Spain) Region
<a name="europe-spain-section-head"></a>

### Europe (Spain)
<a name="europe-spain"></a>
+ [account-part-of-organizations](./account-part-of-organizations.html)
+ [acmpca-certificate-authority-tagged](./acmpca-certificate-authority-tagged.html)
+ [acm-certificate-expiration-check](./acm-certificate-expiration-check.html)
+ [acm-certificate-rsa-check](./acm-certificate-rsa-check.html)
+ [acm-certificate-transparent-logging-enabled](./acm-certificate-transparent-logging-enabled.html)
+ [acm-pca-root-ca-disabled](./acm-pca-root-ca-disabled.html)
+ [alb-desync-mode-check](./alb-desync-mode-check.html)
+ [alb-http-drop-invalid-header-enabled](./alb-http-drop-invalid-header-enabled.html)
+ [alb-http-to-https-redirection-check](./alb-http-to-https-redirection-check.html)
+ [alb-internal-scheme-check](./alb-internal-scheme-check.html)
+ [alb-tagged](./alb-tagged.html)
+ [alb-waf-enabled](./alb-waf-enabled.html)
+ [apigatewayv2-integration-private-https-enabled](./apigatewayv2-integration-private-https-enabled.html)
+ [apigatewayv2-stage-description](./apigatewayv2-stage-description.html)
+ [apigateway-domain-name-tls-check](./apigateway-domain-name-tls-check.html)
+ [apigateway-stage-access-logs-enabled](./apigateway-stage-access-logs-enabled.html)
+ [apigateway-stage-description](./apigateway-stage-description.html)
+ [api-gwv2-access-logs-enabled](./api-gwv2-access-logs-enabled.html)
+ [api-gwv2-stage-default-route-detailed-metrics-enabled](./api-gwv2-stage-default-route-detailed-metrics-enabled.html)
+ [api-gw-associated-with-waf](./api-gw-associated-with-waf.html)
+ [api-gw-cache-enabled-and-encrypted](./api-gw-cache-enabled-and-encrypted.html)
+ [api-gw-endpoint-type-check](./api-gw-endpoint-type-check.html)
+ [api-gw-execution-logging-enabled](./api-gw-execution-logging-enabled.html)
+ [api-gw-rest-api-tagged](./api-gw-rest-api-tagged.html)
+ [api-gw-ssl-enabled](./api-gw-ssl-enabled.html)
+ [api-gw-stage-tagged](./api-gw-stage-tagged.html)
+ [api-gw-xray-enabled](./api-gw-xray-enabled.html)
+ [appconfig-deployment-strategy-description](./appconfig-deployment-strategy-description.html)
+ [appconfig-deployment-strategy-minimum-final-bake-time](./appconfig-deployment-strategy-minimum-final-bake-time.html)
+ [appconfig-deployment-strategy-replicate-to-ssm](./appconfig-deployment-strategy-replicate-to-ssm.html)
+ [appconfig-deployment-strategy-tagged](./appconfig-deployment-strategy-tagged.html)
+ [appconfig-extension-association-tagged](./appconfig-extension-association-tagged.html)
+ [approved-amis-by-id](./approved-amis-by-id.html)
+ [approved-amis-by-tag](./approved-amis-by-tag.html)
+ [appsync-authorization-check](./appsync-authorization-check.html)
+ [appsync-graphql-api-xray-enabled](./appsync-graphql-api-xray-enabled.html)
+ [appsync-logging-enabled](./appsync-logging-enabled.html)
+ [athena-data-catalog-description](./athena-data-catalog-description.html)
+ [athena-prepared-statement-description](./athena-prepared-statement-description.html)
+ [athena-workgroup-description](./athena-workgroup-description.html)
+ [athena-workgroup-enforce-workgroup-configuration](./athena-workgroup-enforce-workgroup-configuration.html)
+ [athena-workgroup-engine-version-auto-upgrade](./athena-workgroup-engine-version-auto-upgrade.html)
+ [athena-workgroup-logging-enabled](./athena-workgroup-logging-enabled.html)
+ [aurora-global-database-encryption-at-rest](./aurora-global-database-encryption-at-rest.html)
+ [aurora-last-backup-recovery-point-created](./aurora-last-backup-recovery-point-created.html)
+ [aurora-meets-restore-time-target](./aurora-meets-restore-time-target.html)
+ [aurora-mysql-cluster-audit-logging](./aurora-mysql-cluster-audit-logging.html)
+ [aurora-resources-in-logically-air-gapped-vault](./aurora-resources-in-logically-air-gapped-vault.html)
+ [aurora-resources-protected-by-backup-plan](./aurora-resources-protected-by-backup-plan.html)
+ [autoscaling-group-elb-healthcheck-required](./autoscaling-group-elb-healthcheck-required.html)
+ [autoscaling-launchconfig-requires-imdsv2](./autoscaling-launchconfig-requires-imdsv2.html)
+ [autoscaling-launch-config-hop-limit](./autoscaling-launch-config-hop-limit.html)
+ [autoscaling-launch-config-public-ip-disabled](./autoscaling-launch-config-public-ip-disabled.html)
+ [autoscaling-launch-template](./autoscaling-launch-template.html)
+ [autoscaling-multiple-az](./autoscaling-multiple-az.html)
+ [autoscaling-multiple-instance-types](./autoscaling-multiple-instance-types.html)
+ [backup-plan-min-frequency-and-min-retention-check](./backup-plan-min-frequency-and-min-retention-check.html)
+ [backup-recovery-point-encrypted](./backup-recovery-point-encrypted.html)
+ [backup-recovery-point-manual-deletion-disabled](./backup-recovery-point-manual-deletion-disabled.html)
+ [backup-recovery-point-minimum-retention-check](./backup-recovery-point-minimum-retention-check.html)
+ [batch-compute-environment-enabled](./batch-compute-environment-enabled.html)
+ [batch-compute-environment-managed](./batch-compute-environment-managed.html)
+ [batch-compute-environment-tagged](./batch-compute-environment-tagged.html)
+ [batch-job-queue-enabled](./batch-job-queue-enabled.html)
+ [batch-job-queue-tagged](./batch-job-queue-tagged.html)
+ [batch-managed-compute-environment-using-launch-template](./batch-managed-compute-environment-using-launch-template.html)
+ [batch-managed-compute-env-allocation-strategy-check](./batch-managed-compute-env-allocation-strategy-check.html)
+ [batch-managed-compute-env-compute-resources-tagged](./batch-managed-compute-env-compute-resources-tagged.html)
+ [batch-managed-spot-compute-environment-max-bid](./batch-managed-spot-compute-environment-max-bid.html)
+ [batch-scheduling-policy-tagged](./batch-scheduling-policy-tagged.html)
+ [beanstalk-enhanced-health-reporting-enabled](./beanstalk-enhanced-health-reporting-enabled.html)
+ [clb-multiple-az](./clb-multiple-az.html)
+ [cloudtrail-all-read-s3-data-event-check](./cloudtrail-all-read-s3-data-event-check.html)
+ [cloudtrail-all-write-s3-data-event-check](./cloudtrail-all-write-s3-data-event-check.html)
+ [cloudtrail-event-data-store-multi-region](./cloudtrail-event-data-store-multi-region.html)
+ [cloudtrail-s3-bucket-access-logging](./cloudtrail-s3-bucket-access-logging.html)
+ [cloudtrail-s3-bucket-public-access-prohibited](./cloudtrail-s3-bucket-public-access-prohibited.html)
+ [cloudtrail-s3-dataevents-enabled](./cloudtrail-s3-dataevents-enabled.html)
+ [cloudtrail-security-trail-enabled](./cloudtrail-security-trail-enabled.html)
+ [cloudwatch-alarm-action-check](./cloudwatch-alarm-action-check.html)
+ [cloudwatch-alarm-action-enabled-check](./cloudwatch-alarm-action-enabled-check.html)
+ [cloudwatch-alarm-description](./cloudwatch-alarm-description.html)
+ [cloudwatch-alarm-resource-check](./cloudwatch-alarm-resource-check.html)
+ [cloudwatch-alarm-settings-check](./cloudwatch-alarm-settings-check.html)
+ [cloudwatch-log-group-encrypted](./cloudwatch-log-group-encrypted.html)
+ [cloudwatch-metric-stream-tagged](./cloudwatch-metric-stream-tagged.html)
+ [cloud-trail-cloud-watch-logs-enabled](./cloud-trail-cloud-watch-logs-enabled.html)
+ [cloud-trail-enabled](./cloud-trail-enabled.html)
+ [cloud-trail-encryption-enabled](./cloud-trail-encryption-enabled.html)
+ [cloud-trail-log-file-validation-enabled](./cloud-trail-log-file-validation-enabled.html)
+ [cmk-backing-key-rotation-enabled](./cmk-backing-key-rotation-enabled.html)
+ [codebuild-project-envvar-awscred-check](./codebuild-project-envvar-awscred-check.html)
+ [codebuild-project-logging-enabled](./codebuild-project-logging-enabled.html)
+ [codebuild-project-s3-logs-encrypted](./codebuild-project-s3-logs-encrypted.html)
+ [codebuild-project-source-repo-url-check](./codebuild-project-source-repo-url-check.html)
+ [codebuild-project-tagged](./codebuild-project-tagged.html)
+ [codebuild-report-group-encrypted-at-rest](./codebuild-report-group-encrypted-at-rest.html)
+ [codebuild-report-group-tagged](./codebuild-report-group-tagged.html)
+ [cognito-identity-pool-unauthenticated-logins](./cognito-identity-pool-unauthenticated-logins.html)
+ [cognito-identity-pool-unauth-access-check](./cognito-identity-pool-unauth-access-check.html)
+ [cognito-userpool-cust-auth-threat-full-check](./cognito-userpool-cust-auth-threat-full-check.html)
+ [cognito-user-pool-deletion-protection-enabled](./cognito-user-pool-deletion-protection-enabled.html)
+ [cognito-user-pool-mfa-enabled](./cognito-user-pool-mfa-enabled.html)
+ [cognito-user-pool-password-policy-check](./cognito-user-pool-password-policy-check.html)
+ [cognito-user-pool-tagged](./cognito-user-pool-tagged.html)
+ [custom-eventbus-policy-attached](./custom-eventbus-policy-attached.html)
+ [cw-loggroup-retention-period-check](./cw-loggroup-retention-period-check.html)
+ [datasync-location-object-storage-using-https](./datasync-location-object-storage-using-https.html)
+ [datasync-task-data-verification-enabled](./datasync-task-data-verification-enabled.html)
+ [datasync-task-logging-enabled](./datasync-task-logging-enabled.html)
+ [datasync-task-tagged](./datasync-task-tagged.html)
+ [dax-encryption-enabled](./dax-encryption-enabled.html)
+ [db-instance-backup-enabled](./db-instance-backup-enabled.html)
+ [desired-instance-tenancy](./desired-instance-tenancy.html)
+ [desired-instance-type](./desired-instance-type.html)
+ [dms-replication-not-public](./dms-replication-not-public.html)
+ [dynamodb-autoscaling-enabled](./dynamodb-autoscaling-enabled.html)
+ [dynamodb-in-backup-plan](./dynamodb-in-backup-plan.html)
+ [dynamodb-last-backup-recovery-point-created](./dynamodb-last-backup-recovery-point-created.html)
+ [dynamodb-meets-restore-time-target](./dynamodb-meets-restore-time-target.html)
+ [dynamodb-pitr-enabled](./dynamodb-pitr-enabled.html)
+ [dynamodb-resources-protected-by-backup-plan](./dynamodb-resources-protected-by-backup-plan.html)
+ [dynamodb-table-deletion-protection-enabled](./dynamodb-table-deletion-protection-enabled.html)
+ [dynamodb-table-encrypted-kms](./dynamodb-table-encrypted-kms.html)
+ [dynamodb-throughput-limit-check](./dynamodb-throughput-limit-check.html)
+ [ebs-in-backup-plan](./ebs-in-backup-plan.html)
+ [ebs-last-backup-recovery-point-created](./ebs-last-backup-recovery-point-created.html)
+ [ebs-meets-restore-time-target](./ebs-meets-restore-time-target.html)
+ [ebs-optimized-instance](./ebs-optimized-instance.html)
+ [ebs-resources-in-logically-air-gapped-vault](./ebs-resources-in-logically-air-gapped-vault.html)
+ [ebs-resources-protected-by-backup-plan](./ebs-resources-protected-by-backup-plan.html)
+ [ebs-snapshot-block-public-access](./ebs-snapshot-block-public-access.html)
+ [ec2-capacity-reservation-tagged](./ec2-capacity-reservation-tagged.html)
+ [ec2-dhcp-options-tagged](./ec2-dhcp-options-tagged.html)
+ [ec2-ebs-encryption-by-default](./ec2-ebs-encryption-by-default.html)
+ [ec2-enis-source-destination-check-enabled](./ec2-enis-source-destination-check-enabled.html)
+ [ec2-fleet-tagged](./ec2-fleet-tagged.html)
+ [ec2-imdsv2-check](./ec2-imdsv2-check.html)
+ [ec2-instance-detailed-monitoring-enabled](./ec2-instance-detailed-monitoring-enabled.html)
+ [ec2-instance-launched-with-allowed-ami](./ec2-instance-launched-with-allowed-ami.html)
+ [ec2-instance-managed-by-ssm](./ec2-instance-managed-by-ssm.html)
+ [ec2-instance-multiple-eni-check](./ec2-instance-multiple-eni-check.html)
+ [ec2-instance-no-public-ip](./ec2-instance-no-public-ip.html)
+ [ec2-instance-profile-attached](./ec2-instance-profile-attached.html)
+ [ec2-ipamscope-tagged](./ec2-ipamscope-tagged.html)
+ [ec2-last-backup-recovery-point-created](./ec2-last-backup-recovery-point-created.html)
+ [ec2-managedinstance-applications-blacklisted](./ec2-managedinstance-applications-blacklisted.html)
+ [ec2-managedinstance-applications-required](./ec2-managedinstance-applications-required.html)
+ [ec2-managedinstance-inventory-blacklisted](./ec2-managedinstance-inventory-blacklisted.html)
+ [ec2-managedinstance-patch-compliance-status-check](./ec2-managedinstance-patch-compliance-status-check.html)
+ [ec2-managedinstance-platform-check](./ec2-managedinstance-platform-check.html)
+ [ec2-meets-restore-time-target](./ec2-meets-restore-time-target.html)
+ [ec2-prefix-list-tagged](./ec2-prefix-list-tagged.html)
+ [ec2-resources-in-logically-air-gapped-vault](./ec2-resources-in-logically-air-gapped-vault.html)
+ [ec2-resources-protected-by-backup-plan](./ec2-resources-protected-by-backup-plan.html)
+ [ec2-security-group-attached-to-eni](./ec2-security-group-attached-to-eni.html)
+ [ec2-spot-fleet-request-ct-encryption-at-rest](./ec2-spot-fleet-request-ct-encryption-at-rest.html)
+ [ec2-stopped-instance](./ec2-stopped-instance.html)
+ [ec2-traffic-mirror-filter-description](./ec2-traffic-mirror-filter-description.html)
+ [ec2-traffic-mirror-filter-tagged](./ec2-traffic-mirror-filter-tagged.html)
+ [ec2-transit-gateway-auto-vpc-attach-disabled](./ec2-transit-gateway-auto-vpc-attach-disabled.html)
+ [ec2-transit-gateway-multicast-domain-tagged](./ec2-transit-gateway-multicast-domain-tagged.html)
+ [ec2-volume-inuse-check](./ec2-volume-inuse-check.html)
+ [ec2-vpn-connection-ike-version-check](./ec2-vpn-connection-ike-version-check.html)
+ [ec2-vpn-connection-logging-enabled](./ec2-vpn-connection-logging-enabled.html)
+ [ec2-vpn-connection-tagged](./ec2-vpn-connection-tagged.html)
+ [ecr-private-image-scanning-enabled](./ecr-private-image-scanning-enabled.html)
+ [ecr-private-lifecycle-policy-configured](./ecr-private-lifecycle-policy-configured.html)
+ [ecr-private-tag-immutability-enabled](./ecr-private-tag-immutability-enabled.html)
+ [ecr-repository-cmk-encryption-enabled](./ecr-repository-cmk-encryption-enabled.html)
+ [ecr-repository-tagged](./ecr-repository-tagged.html)
+ [ecs-capacity-provider-tagged](./ecs-capacity-provider-tagged.html)
+ [ecs-capacity-provider-termination-check](./ecs-capacity-provider-termination-check.html)
+ [ecs-containers-nonprivileged](./ecs-containers-nonprivileged.html)
+ [ecs-containers-readonly-access](./ecs-containers-readonly-access.html)
+ [ecs-container-insights-enabled](./ecs-container-insights-enabled.html)
+ [ecs-fargate-latest-platform-version](./ecs-fargate-latest-platform-version.html)
+ [ecs-no-environment-secrets](./ecs-no-environment-secrets.html)
+ [ecs-service-propagate-tags-enabled](./ecs-service-propagate-tags-enabled.html)
+ [ecs-task-definition-efs-encryption-enabled](./ecs-task-definition-efs-encryption-enabled.html)
+ [ecs-task-definition-linux-user-non-root](./ecs-task-definition-linux-user-non-root.html)
+ [ecs-task-definition-log-configuration](./ecs-task-definition-log-configuration.html)
+ [ecs-task-definition-network-mode-not-host](./ecs-task-definition-network-mode-not-host.html)
+ [ecs-task-definition-pid-mode-check](./ecs-task-definition-pid-mode-check.html)
+ [ecs-task-definition-user-for-host-mode-check](./ecs-task-definition-user-for-host-mode-check.html)
+ [ecs-task-definition-windows-user-non-admin](./ecs-task-definition-windows-user-non-admin.html)
+ [efs-access-point-enforce-root-directory](./efs-access-point-enforce-root-directory.html)
+ [efs-access-point-enforce-user-identity](./efs-access-point-enforce-user-identity.html)
+ [efs-automatic-backups-enabled](./efs-automatic-backups-enabled.html)
+ [efs-encrypted-check](./efs-encrypted-check.html)
+ [efs-filesystem-ct-encrypted](./efs-filesystem-ct-encrypted.html)
+ [efs-file-system-tagged](./efs-file-system-tagged.html)
+ [efs-in-backup-plan](./efs-in-backup-plan.html)
+ [efs-last-backup-recovery-point-created](./efs-last-backup-recovery-point-created.html)
+ [efs-meets-restore-time-target](./efs-meets-restore-time-target.html)
+ [efs-mount-target-public-accessible](./efs-mount-target-public-accessible.html)
+ [efs-resources-in-logically-air-gapped-vault](./efs-resources-in-logically-air-gapped-vault.html)
+ [efs-resources-protected-by-backup-plan](./efs-resources-protected-by-backup-plan.html)
+ [eip-attached](./eip-attached.html)
+ [eks-addon-tagged](./eks-addon-tagged.html)
+ [eks-cluster-log-enabled](./eks-cluster-log-enabled.html)
+ [eks-cluster-secrets-encrypted](./eks-cluster-secrets-encrypted.html)
+ [eks-cluster-supported-version](./eks-cluster-supported-version.html)
+ [eks-endpoint-no-public-access](./eks-endpoint-no-public-access.html)
+ [eks-fargate-profile-tagged](./eks-fargate-profile-tagged.html)
+ [eks-nodegroup-supported-version-check](./eks-nodegroup-supported-version-check.html)
+ [eks-secrets-encrypted](./eks-secrets-encrypted.html)
+ [elasticache-automatic-backup-check-enabled](./elasticache-automatic-backup-check-enabled.html)
+ [elasticache-auto-minor-version-upgrade-check](./elasticache-auto-minor-version-upgrade-check.html)
+ [elasticache-redis-cluster-automatic-backup-check](./elasticache-redis-cluster-automatic-backup-check.html)
+ [elasticache-repl-grp-auto-failover-enabled](./elasticache-repl-grp-auto-failover-enabled.html)
+ [elasticache-repl-grp-encrypted-at-rest](./elasticache-repl-grp-encrypted-at-rest.html)
+ [elasticache-repl-grp-encrypted-in-transit](./elasticache-repl-grp-encrypted-in-transit.html)
+ [elasticsearch-encrypted-at-rest](./elasticsearch-encrypted-at-rest.html)
+ [elasticsearch-in-vpc-only](./elasticsearch-in-vpc-only.html)
+ [elasticsearch-logs-to-cloudwatch](./elasticsearch-logs-to-cloudwatch.html)
+ [elasticsearch-node-to-node-encryption-check](./elasticsearch-node-to-node-encryption-check.html)
+ [elastic-beanstalk-managed-updates-enabled](./elastic-beanstalk-managed-updates-enabled.html)
+ [elbv2-multiple-az](./elbv2-multiple-az.html)
+ [elbv2-targetgroup-healthcheck-protocol-encrypted](./elbv2-targetgroup-healthcheck-protocol-encrypted.html)
+ [elbv2-targetgroup-protocol-encrypted](./elbv2-targetgroup-protocol-encrypted.html)
+ [elb-cross-zone-load-balancing-enabled](./elb-cross-zone-load-balancing-enabled.html)
+ [elb-custom-security-policy-ssl-check](./elb-custom-security-policy-ssl-check.html)
+ [elb-deletion-protection-enabled](./elb-deletion-protection-enabled.html)
+ [elb-internal-scheme-check](./elb-internal-scheme-check.html)
+ [elb-logging-enabled](./elb-logging-enabled.html)
+ [elb-predefined-security-policy-ssl-check](./elb-predefined-security-policy-ssl-check.html)
+ [elb-tagged](./elb-tagged.html)
+ [elb-tls-https-listeners-only](./elb-tls-https-listeners-only.html)
+ [emr-block-public-access](./emr-block-public-access.html)
+ [emr-kerberos-enabled](./emr-kerberos-enabled.html)
+ [emr-master-no-public-ip](./emr-master-no-public-ip.html)
+ [emr-security-configuration-encryption-rest](./emr-security-configuration-encryption-rest.html)
+ [emr-security-configuration-encryption-transit](./emr-security-configuration-encryption-transit.html)
+ [encrypted-volumes](./encrypted-volumes.html)
+ [eventschemas-discoverer-tagged](./eventschemas-discoverer-tagged.html)
+ [eventschemas-registry-tagged](./eventschemas-registry-tagged.html)
+ [event-data-store-cmk-encryption-enabled](./event-data-store-cmk-encryption-enabled.html)
+ [fis-experiment-template-log-configuration-exists](./fis-experiment-template-log-configuration-exists.html)
+ [fis-experiment-template-tagged](./fis-experiment-template-tagged.html)
+ [fms-shield-resource-policy-check](./fms-shield-resource-policy-check.html)
+ [fms-webacl-resource-policy-check](./fms-webacl-resource-policy-check.html)
+ [fms-webacl-rulegroup-association-check](./fms-webacl-rulegroup-association-check.html)
+ [fsx-last-backup-recovery-point-created](./fsx-last-backup-recovery-point-created.html)
+ [fsx-lustre-copy-tags-to-backups](./fsx-lustre-copy-tags-to-backups.html)
+ [fsx-meets-restore-time-target](./fsx-meets-restore-time-target.html)
+ [fsx-ontap-deployment-type-check](./fsx-ontap-deployment-type-check.html)
+ [fsx-openzfs-copy-tags-enabled](./fsx-openzfs-copy-tags-enabled.html)
+ [fsx-openzfs-deployment-type-check](./fsx-openzfs-deployment-type-check.html)
+ [fsx-resources-protected-by-backup-plan](./fsx-resources-protected-by-backup-plan.html)
+ [fsx-windows-audit-log-configured](./fsx-windows-audit-log-configured.html)
+ [fsx-windows-deployment-type-check](./fsx-windows-deployment-type-check.html)
+ [glb-tagged](./glb-tagged.html)
+ [glue-job-logging-enabled](./glue-job-logging-enabled.html)
+ [glue-ml-transform-encrypted-at-rest](./glue-ml-transform-encrypted-at-rest.html)
+ [glue-ml-transform-tagged](./glue-ml-transform-tagged.html)
+ [glue-spark-job-supported-version](./glue-spark-job-supported-version.html)
+ [guardduty-ec2-protection-runtime-enabled](./guardduty-ec2-protection-runtime-enabled.html)
+ [guardduty-ecs-protection-runtime-enabled](./guardduty-ecs-protection-runtime-enabled.html)
+ [guardduty-eks-protection-audit-enabled](./guardduty-eks-protection-audit-enabled.html)
+ [guardduty-eks-protection-runtime-enabled](./guardduty-eks-protection-runtime-enabled.html)
+ [guardduty-enabled-centralized](./guardduty-enabled-centralized.html)
+ [guardduty-lambda-protection-enabled](./guardduty-lambda-protection-enabled.html)
+ [guardduty-malware-protection-enabled](./guardduty-malware-protection-enabled.html)
+ [guardduty-non-archived-findings](./guardduty-non-archived-findings.html)
+ [guardduty-rds-protection-enabled](./guardduty-rds-protection-enabled.html)
+ [guardduty-runtime-monitoring-enabled](./guardduty-runtime-monitoring-enabled.html)
+ [guardduty-s3-protection-enabled](./guardduty-s3-protection-enabled.html)
+ [iam-external-access-analyzer-enabled](./iam-external-access-analyzer-enabled.html)
+ [iam-password-policy](./iam-password-policy.html)
+ [imagebuilder-distributionconfiguration-tagged](./imagebuilder-distributionconfiguration-tagged.html)
+ [imagebuilder-imagepipeline-tagged](./imagebuilder-imagepipeline-tagged.html)
+ [imagebuilder-imagerecipe-ebs-volumes-encrypted](./imagebuilder-imagerecipe-ebs-volumes-encrypted.html)
+ [imagebuilder-imagerecipe-tagged](./imagebuilder-imagerecipe-tagged.html)
+ [imagebuilder-infrastructureconfiguration-tagged](./imagebuilder-infrastructureconfiguration-tagged.html)
+ [incoming-ssh-disabled](./incoming-ssh-disabled.html)
+ [instances-in-vpc](./instances-in-vpc.html)
+ [internet-gateway-authorized-vpc-only](./internet-gateway-authorized-vpc-only.html)
+ [kinesis-firehose-delivery-stream-encrypted](./kinesis-firehose-delivery-stream-encrypted.html)
+ [kinesis-stream-backup-retention-check](./kinesis-stream-backup-retention-check.html)
+ [kinesis-stream-encrypted](./kinesis-stream-encrypted.html)
+ [kms-cmk-not-scheduled-for-deletion](./kms-cmk-not-scheduled-for-deletion.html)
+ [kms-key-policy-no-public-access](./kms-key-policy-no-public-access.html)
+ [kms-key-tagged](./kms-key-tagged.html)
+ [lambda-concurrency-check](./lambda-concurrency-check.html)
+ [lambda-dlq-check](./lambda-dlq-check.html)
+ [lambda-function-application-log-level-check](./lambda-function-application-log-level-check.html)
+ [lambda-function-description](./lambda-function-description.html)
+ [lambda-function-log-format-json](./lambda-function-log-format-json.html)
+ [lambda-function-settings-check](./lambda-function-settings-check.html)
+ [lambda-function-system-log-level-check](./lambda-function-system-log-level-check.html)
+ [lambda-function-xray-enabled](./lambda-function-xray-enabled.html)
+ [lambda-inside-vpc](./lambda-inside-vpc.html)
+ [lambda-vpc-multi-az-check](./lambda-vpc-multi-az-check.html)
+ [mariadb-publish-logs-to-cloudwatch-logs](./mariadb-publish-logs-to-cloudwatch-logs.html)
+ [msk-cluster-public-access-disabled](./msk-cluster-public-access-disabled.html)
+ [msk-cluster-tagged](./msk-cluster-tagged.html)
+ [msk-enhanced-monitoring-enabled](./msk-enhanced-monitoring-enabled.html)
+ [msk-in-cluster-node-require-tls](./msk-in-cluster-node-require-tls.html)
+ [msk-unrestricted-access-check](./msk-unrestricted-access-check.html)
+ [multi-region-cloud-trail-enabled](./multi-region-cloud-trail-enabled.html)
+ [nacl-no-unrestricted-ssh-rdp](./nacl-no-unrestricted-ssh-rdp.html)
+ [neptune-cluster-deletion-protection-enabled](./neptune-cluster-deletion-protection-enabled.html)
+ [neptune-cluster-snapshot-iam-database-auth-enabled](./neptune-cluster-snapshot-iam-database-auth-enabled.html)
+ [netfw-deletion-protection-enabled](./netfw-deletion-protection-enabled.html)
+ [netfw-logging-enabled](./netfw-logging-enabled.html)
+ [netfw-multi-az-enabled](./netfw-multi-az-enabled.html)
+ [netfw-policy-default-action-fragment-packets](./netfw-policy-default-action-fragment-packets.html)
+ [netfw-policy-default-action-full-packets](./netfw-policy-default-action-full-packets.html)
+ [netfw-policy-rule-group-associated](./netfw-policy-rule-group-associated.html)
+ [netfw-stateless-rule-group-not-empty](./netfw-stateless-rule-group-not-empty.html)
+ [netfw-subnet-change-protection-enabled](./netfw-subnet-change-protection-enabled.html)
+ [nlb-internal-scheme-check](./nlb-internal-scheme-check.html)
+ [nlb-logging-enabled](./nlb-logging-enabled.html)
+ [nlb-tagged](./nlb-tagged.html)
+ [no-unrestricted-route-to-igw](./no-unrestricted-route-to-igw.html)
+ [rds-aurora-mysql-audit-logging-enabled](./rds-aurora-mysql-audit-logging-enabled.html)
+ [rds-automatic-minor-version-upgrade-enabled](./rds-automatic-minor-version-upgrade-enabled.html)
+ [rds-cluster-backup-retention-check](./rds-cluster-backup-retention-check.html)
+ [rds-cluster-default-admin-check](./rds-cluster-default-admin-check.html)
+ [rds-cluster-deletion-protection-enabled](./rds-cluster-deletion-protection-enabled.html)
+ [rds-cluster-encrypted-at-rest](./rds-cluster-encrypted-at-rest.html)
+ [rds-cluster-iam-authentication-enabled](./rds-cluster-iam-authentication-enabled.html)
+ [rds-cluster-multi-az-enabled](./rds-cluster-multi-az-enabled.html)
+ [rds-enhanced-monitoring-enabled](./rds-enhanced-monitoring-enabled.html)
+ [rds-event-subscription-tagged](./rds-event-subscription-tagged.html)
+ [rds-global-cluster-aurora-mysql-supported-version](./rds-global-cluster-aurora-mysql-supported-version.html)
+ [rds-instance-default-admin-check](./rds-instance-default-admin-check.html)
+ [rds-instance-deletion-protection-enabled](./rds-instance-deletion-protection-enabled.html)
+ [rds-instance-iam-authentication-enabled](./rds-instance-iam-authentication-enabled.html)
+ [rds-instance-public-access-check](./rds-instance-public-access-check.html)
+ [rds-instance-subnet-igw-check](./rds-instance-subnet-igw-check.html)
+ [rds-in-backup-plan](./rds-in-backup-plan.html)
+ [rds-last-backup-recovery-point-created](./rds-last-backup-recovery-point-created.html)
+ [rds-logging-enabled](./rds-logging-enabled.html)
+ [rds-mariadb-instance-encrypted-in-transit](./rds-mariadb-instance-encrypted-in-transit.html)
+ [rds-meets-restore-time-target](./rds-meets-restore-time-target.html)
+ [rds-multi-az-support](./rds-multi-az-support.html)
+ [rds-mysql-cluster-copy-tags-to-snapshot-check](./rds-mysql-cluster-copy-tags-to-snapshot-check.html)
+ [rds-mysql-instance-encrypted-in-transit](./rds-mysql-instance-encrypted-in-transit.html)
+ [rds-option-group-tagged](./rds-option-group-tagged.html)
+ [rds-pgsql-cluster-copy-tags-to-snapshot-check](./rds-pgsql-cluster-copy-tags-to-snapshot-check.html)
+ [rds-postgresql-logs-to-cloudwatch](./rds-postgresql-logs-to-cloudwatch.html)
+ [rds-postgres-instance-encrypted-in-transit](./rds-postgres-instance-encrypted-in-transit.html)
+ [rds-proxy-tls-encryption](./rds-proxy-tls-encryption.html)
+ [rds-resources-protected-by-backup-plan](./rds-resources-protected-by-backup-plan.html)
+ [rds-snapshot-encrypted](./rds-snapshot-encrypted.html)
+ [rds-sqlserver-encrypted-in-transit](./rds-sqlserver-encrypted-in-transit.html)
+ [rds-sql-server-logs-to-cloudwatch](./rds-sql-server-logs-to-cloudwatch.html)
+ [rds-storage-encrypted](./rds-storage-encrypted.html)
+ [redshift-backup-enabled](./redshift-backup-enabled.html)
+ [redshift-cluster-configuration-check](./redshift-cluster-configuration-check.html)
+ [redshift-cluster-kms-enabled](./redshift-cluster-kms-enabled.html)
+ [redshift-cluster-maintenancesettings-check](./redshift-cluster-maintenancesettings-check.html)
+ [redshift-cluster-multi-az-enabled](./redshift-cluster-multi-az-enabled.html)
+ [redshift-cluster-parameter-group-tagged](./redshift-cluster-parameter-group-tagged.html)
+ [redshift-cluster-public-access-check](./redshift-cluster-public-access-check.html)
+ [redshift-cluster-subnet-group-multi-az](./redshift-cluster-subnet-group-multi-az.html)
+ [redshift-default-admin-check](./redshift-default-admin-check.html)
+ [redshift-default-db-name-check](./redshift-default-db-name-check.html)
+ [redshift-enhanced-vpc-routing-enabled](./redshift-enhanced-vpc-routing-enabled.html)
+ [redshift-require-tls-ssl](./redshift-require-tls-ssl.html)
+ [redshift-serverless-default-admin-check](./redshift-serverless-default-admin-check.html)
+ [redshift-serverless-default-db-name-check](./redshift-serverless-default-db-name-check.html)
+ [redshift-serverless-namespace-cmk-encryption](./redshift-serverless-namespace-cmk-encryption.html)
+ [redshift-serverless-publish-logs-to-cloudwatch](./redshift-serverless-publish-logs-to-cloudwatch.html)
+ [redshift-serverless-workgroup-encrypted-in-transit](./redshift-serverless-workgroup-encrypted-in-transit.html)
+ [redshift-serverless-workgroup-no-public-access](./redshift-serverless-workgroup-no-public-access.html)
+ [redshift-serverless-workgroup-routes-within-vpc](./redshift-serverless-workgroup-routes-within-vpc.html)
+ [redshift-unrestricted-port-access](./redshift-unrestricted-port-access.html)
+ [required-tags](./required-tags.html)
+ [restricted-incoming-traffic](./restricted-incoming-traffic.html)
+ [root-account-hardware-mfa-enabled](./root-account-hardware-mfa-enabled.html)
+ [root-account-mfa-enabled](./root-account-mfa-enabled.html)
+ [route53-resolver-resolver-endpoint-tagged](./route53-resolver-resolver-endpoint-tagged.html)
+ [route53-resolver-resolver-rule-tagged](./route53-resolver-resolver-rule-tagged.html)
+ [rum-app-monitor-cloudwatch-logs-enabled](./rum-app-monitor-cloudwatch-logs-enabled.html)
+ [rum-app-monitor-tagged](./rum-app-monitor-tagged.html)
+ [s3-access-point-in-vpc-only](./s3-access-point-in-vpc-only.html)
+ [s3-access-point-public-access-blocks](./s3-access-point-public-access-blocks.html)
+ [s3-account-level-public-access-blocks](./s3-account-level-public-access-blocks.html)
+ [s3-account-level-public-access-blocks-periodic](./s3-account-level-public-access-blocks-periodic.html)
+ [s3-bucket-acl-prohibited](./s3-bucket-acl-prohibited.html)
+ [s3-bucket-blacklisted-actions-prohibited](./s3-bucket-blacklisted-actions-prohibited.html)
+ [s3-bucket-cross-region-replication-enabled](./s3-bucket-cross-region-replication-enabled.html)
+ [s3-bucket-default-lock-enabled](./s3-bucket-default-lock-enabled.html)
+ [s3-bucket-level-public-access-prohibited](./s3-bucket-level-public-access-prohibited.html)
+ [s3-bucket-logging-enabled](./s3-bucket-logging-enabled.html)
+ [s3-bucket-policy-grantee-check](./s3-bucket-policy-grantee-check.html)
+ [s3-bucket-policy-not-more-permissive](./s3-bucket-policy-not-more-permissive.html)
+ [s3-bucket-public-read-prohibited](./s3-bucket-public-read-prohibited.html)
+ [s3-bucket-public-write-prohibited](./s3-bucket-public-write-prohibited.html)
+ [s3-bucket-replication-enabled](./s3-bucket-replication-enabled.html)
+ [s3-bucket-server-side-encryption-enabled](./s3-bucket-server-side-encryption-enabled.html)
+ [s3-bucket-ssl-requests-only](./s3-bucket-ssl-requests-only.html)
+ [s3-bucket-tagged](./s3-bucket-tagged.html)
+ [s3-bucket-versioning-enabled](./s3-bucket-versioning-enabled.html)
+ [s3-default-encryption-kms](./s3-default-encryption-kms.html)
+ [s3-event-notifications-enabled](./s3-event-notifications-enabled.html)
+ [s3-last-backup-recovery-point-created](./s3-last-backup-recovery-point-created.html)
+ [s3-lifecycle-policy-check](./s3-lifecycle-policy-check.html)
+ [s3-meets-restore-time-target](./s3-meets-restore-time-target.html)
+ [s3-resources-protected-by-backup-plan](./s3-resources-protected-by-backup-plan.html)
+ [s3-version-lifecycle-policy-check](./s3-version-lifecycle-policy-check.html)
+ [sagemaker-app-image-config-tagged](./sagemaker-app-image-config-tagged.html)
+ [sagemaker-endpoint-configuration-kms-key-configured](./sagemaker-endpoint-configuration-kms-key-configured.html)
+ [sagemaker-endpoint-config-prod-instance-count](./sagemaker-endpoint-config-prod-instance-count.html)
+ [sagemaker-featuregroup-description](./sagemaker-featuregroup-description.html)
+ [sagemaker-featuregroup-encryption-at-rest](./sagemaker-featuregroup-encryption-at-rest.html)
+ [sagemaker-feature-group-tagged](./sagemaker-feature-group-tagged.html)
+ [sagemaker-image-description](./sagemaker-image-description.html)
+ [sagemaker-image-tagged](./sagemaker-image-tagged.html)
+ [sagemaker-notebook-instance-kms-key-configured](./sagemaker-notebook-instance-kms-key-configured.html)
+ [sagemaker-notebook-instance-platform-version](./sagemaker-notebook-instance-platform-version.html)
+ [sagemaker-notebook-no-direct-internet-access](./sagemaker-notebook-no-direct-internet-access.html)
+ [secretsmanager-rotation-enabled-check](./secretsmanager-rotation-enabled-check.html)
+ [secretsmanager-scheduled-rotation-success-check](./secretsmanager-scheduled-rotation-success-check.html)
+ [secretsmanager-secret-periodic-rotation](./secretsmanager-secret-periodic-rotation.html)
+ [secretsmanager-secret-unused](./secretsmanager-secret-unused.html)
+ [secretsmanager-using-cmk](./secretsmanager-using-cmk.html)
+ [securityhub-enabled](./securityhub-enabled.html)
+ [security-account-information-provided](./security-account-information-provided.html)
+ [service-catalog-portfolio-tagged](./service-catalog-portfolio-tagged.html)
+ [service-catalog-shared-within-organization](./service-catalog-shared-within-organization.html)
+ [service-vpc-endpoint-enabled](./service-vpc-endpoint-enabled.html)
+ [sns-encrypted-kms](./sns-encrypted-kms.html)
+ [sns-topic-no-public-access](./sns-topic-no-public-access.html)
+ [ssm-automation-block-public-sharing](./ssm-automation-block-public-sharing.html)
+ [ssm-automation-logging-enabled](./ssm-automation-logging-enabled.html)
+ [ssm-document-not-public](./ssm-document-not-public.html)
+ [ssm-document-tagged](./ssm-document-tagged.html)
+ [stepfunctions-state-machine-tagged](./stepfunctions-state-machine-tagged.html)
+ [step-functions-state-machine-logging-enabled](./step-functions-state-machine-logging-enabled.html)
+ [storagegateway-last-backup-recovery-point-created](./storagegateway-last-backup-recovery-point-created.html)
+ [storagegateway-resources-in-logically-air-gapped-vault](./storagegateway-resources-in-logically-air-gapped-vault.html)
+ [storagegateway-resources-protected-by-backup-plan](./storagegateway-resources-protected-by-backup-plan.html)
+ [subnet-auto-assign-public-ip-disabled](./subnet-auto-assign-public-ip-disabled.html)
+ [transfer-certificate-description](./transfer-certificate-description.html)
+ [transfer-certificate-tagged](./transfer-certificate-tagged.html)
+ [transfer-connector-as2-encryption-algorithm-check](./transfer-connector-as2-encryption-algorithm-check.html)
+ [transfer-connector-as2-mdn-signing-algorithm-check](./transfer-connector-as2-mdn-signing-algorithm-check.html)
+ [transfer-connector-as2-signing-algorithm-check](./transfer-connector-as2-signing-algorithm-check.html)
+ [transfer-connector-tagged](./transfer-connector-tagged.html)
+ [transfer-family-server-no-ftp](./transfer-family-server-no-ftp.html)
+ [transfer-profile-tagged](./transfer-profile-tagged.html)
+ [transfer-workflow-description](./transfer-workflow-description.html)
+ [transfer-workflow-tagged](./transfer-workflow-tagged.html)
+ [vpc-default-security-group-closed](./vpc-default-security-group-closed.html)
+ [vpc-endpoint-enabled](./vpc-endpoint-enabled.html)
+ [vpc-flow-logs-enabled](./vpc-flow-logs-enabled.html)
+ [vpc-network-acl-unused-check](./vpc-network-acl-unused-check.html)
+ [vpc-sg-open-only-to-authorized-ports](./vpc-sg-open-only-to-authorized-ports.html)
+ [vpc-sg-port-restriction-check](./vpc-sg-port-restriction-check.html)
+ [vpc-vpn-2-tunnels-up](./vpc-vpn-2-tunnels-up.html)
+ [wafv2-logging-enabled](./wafv2-logging-enabled.html)
+ [wafv2-rulegroup-logging-enabled](./wafv2-rulegroup-logging-enabled.html)
+ [waf-global-rulegroup-not-empty](./waf-global-rulegroup-not-empty.html)
+ [waf-global-rule-not-empty](./waf-global-rule-not-empty.html)
+ [waf-regional-rule-not-empty](./waf-regional-rule-not-empty.html)
+ [waf-regional-webacl-not-empty](./waf-regional-webacl-not-empty.html)

## Europe (Stockholm) Region
<a name="europe-stockholm-section-head"></a>

### Europe (Stockholm)
<a name="europe-stockholm"></a>
+ [access-keys-rotated](./access-keys-rotated.html)
+ [account-part-of-organizations](./account-part-of-organizations.html)
+ [acmpca-certificate-authority-tagged](./acmpca-certificate-authority-tagged.html)
+ [acm-certificate-expiration-check](./acm-certificate-expiration-check.html)
+ [acm-certificate-rsa-check](./acm-certificate-rsa-check.html)
+ [acm-certificate-transparent-logging-enabled](./acm-certificate-transparent-logging-enabled.html)
+ [acm-pca-root-ca-disabled](./acm-pca-root-ca-disabled.html)
+ [active-mq-supported-version](./active-mq-supported-version.html)
+ [alb-desync-mode-check](./alb-desync-mode-check.html)
+ [alb-http-drop-invalid-header-enabled](./alb-http-drop-invalid-header-enabled.html)
+ [alb-http-to-https-redirection-check](./alb-http-to-https-redirection-check.html)
+ [alb-internal-scheme-check](./alb-internal-scheme-check.html)
+ [alb-listener-tagged](./alb-listener-tagged.html)
+ [alb-tagged](./alb-tagged.html)
+ [alb-waf-enabled](./alb-waf-enabled.html)
+ [amplify-app-branch-auto-deletion-enabled](./amplify-app-branch-auto-deletion-enabled.html)
+ [amplify-app-build-spec-configured](./amplify-app-build-spec-configured.html)
+ [amplify-app-description](./amplify-app-description.html)
+ [amplify-app-no-environment-variables](./amplify-app-no-environment-variables.html)
+ [amplify-app-platform-check](./amplify-app-platform-check.html)
+ [amplify-app-tagged](./amplify-app-tagged.html)
+ [amplify-branch-auto-build-enabled](./amplify-branch-auto-build-enabled.html)
+ [amplify-branch-build-spec-configured](./amplify-branch-build-spec-configured.html)
+ [amplify-branch-description](./amplify-branch-description.html)
+ [amplify-branch-framework-configured](./amplify-branch-framework-configured.html)
+ [amplify-branch-performance-mode-enabled](./amplify-branch-performance-mode-enabled.html)
+ [amplify-branch-pull-request-preview-enabled](./amplify-branch-pull-request-preview-enabled.html)
+ [amplify-branch-tagged](./amplify-branch-tagged.html)
+ [apigatewayv2-integration-private-https-enabled](./apigatewayv2-integration-private-https-enabled.html)
+ [apigatewayv2-stage-description](./apigatewayv2-stage-description.html)
+ [apigateway-domain-name-tls-check](./apigateway-domain-name-tls-check.html)
+ [apigateway-stage-access-logs-enabled](./apigateway-stage-access-logs-enabled.html)
+ [apigateway-stage-description](./apigateway-stage-description.html)
+ [api-gwv2-access-logs-enabled](./api-gwv2-access-logs-enabled.html)
+ [api-gwv2-authorization-type-configured](./api-gwv2-authorization-type-configured.html)
+ [api-gwv2-stage-default-route-detailed-metrics-enabled](./api-gwv2-stage-default-route-detailed-metrics-enabled.html)
+ [api-gw-associated-with-waf](./api-gw-associated-with-waf.html)
+ [api-gw-cache-enabled-and-encrypted](./api-gw-cache-enabled-and-encrypted.html)
+ [api-gw-endpoint-type-check](./api-gw-endpoint-type-check.html)
+ [api-gw-execution-logging-enabled](./api-gw-execution-logging-enabled.html)
+ [api-gw-rest-api-tagged](./api-gw-rest-api-tagged.html)
+ [api-gw-ssl-enabled](./api-gw-ssl-enabled.html)
+ [api-gw-stage-tagged](./api-gw-stage-tagged.html)
+ [api-gw-xray-enabled](./api-gw-xray-enabled.html)
+ [appconfig-application-description](./appconfig-application-description.html)
+ [appconfig-application-tagged](./appconfig-application-tagged.html)
+ [appconfig-configuration-profile-tagged](./appconfig-configuration-profile-tagged.html)
+ [appconfig-configuration-profile-validators-not-empty](./appconfig-configuration-profile-validators-not-empty.html)
+ [appconfig-deployment-strategy-description](./appconfig-deployment-strategy-description.html)
+ [appconfig-deployment-strategy-minimum-final-bake-time](./appconfig-deployment-strategy-minimum-final-bake-time.html)
+ [appconfig-deployment-strategy-replicate-to-ssm](./appconfig-deployment-strategy-replicate-to-ssm.html)
+ [appconfig-deployment-strategy-tagged](./appconfig-deployment-strategy-tagged.html)
+ [appconfig-environment-description](./appconfig-environment-description.html)
+ [appconfig-environment-tagged](./appconfig-environment-tagged.html)
+ [appconfig-extension-association-tagged](./appconfig-extension-association-tagged.html)
+ [appconfig-freeform-profile-config-storage](./appconfig-freeform-profile-config-storage.html)
+ [appconfig-hosted-configuration-version-description](./appconfig-hosted-configuration-version-description.html)
+ [appmesh-gateway-route-tagged](./appmesh-gateway-route-tagged.html)
+ [appmesh-mesh-deny-tcp-forwarding](./appmesh-mesh-deny-tcp-forwarding.html)
+ [appmesh-mesh-ip-pref-check](./appmesh-mesh-ip-pref-check.html)
+ [appmesh-mesh-tagged](./appmesh-mesh-tagged.html)
+ [appmesh-route-tagged](./appmesh-route-tagged.html)
+ [appmesh-virtual-gateway-backend-defaults-tls](./appmesh-virtual-gateway-backend-defaults-tls.html)
+ [appmesh-virtual-gateway-listeners-health-check-enabled](./appmesh-virtual-gateway-listeners-health-check-enabled.html)
+ [appmesh-virtual-gateway-logging-file-path-exists](./appmesh-virtual-gateway-logging-file-path-exists.html)
+ [appmesh-virtual-gateway-tagged](./appmesh-virtual-gateway-tagged.html)
+ [appmesh-virtual-node-backend-defaults-tls-on](./appmesh-virtual-node-backend-defaults-tls-on.html)
+ [appmesh-virtual-node-cloud-map-ip-pref-check](./appmesh-virtual-node-cloud-map-ip-pref-check.html)
+ [appmesh-virtual-node-dns-ip-pref-check](./appmesh-virtual-node-dns-ip-pref-check.html)
+ [appmesh-virtual-node-listeners-health-check-enabled](./appmesh-virtual-node-listeners-health-check-enabled.html)
+ [appmesh-virtual-node-listeners-outlier-detect-enabled](./appmesh-virtual-node-listeners-outlier-detect-enabled.html)
+ [appmesh-virtual-node-logging-file-path-exists](./appmesh-virtual-node-logging-file-path-exists.html)
+ [appmesh-virtual-node-service-backends-tls-enforced](./appmesh-virtual-node-service-backends-tls-enforced.html)
+ [appmesh-virtual-node-tagged](./appmesh-virtual-node-tagged.html)
+ [appmesh-virtual-router-tagged](./appmesh-virtual-router-tagged.html)
+ [appmesh-virtual-service-tagged](./appmesh-virtual-service-tagged.html)
+ [approved-amis-by-id](./approved-amis-by-id.html)
+ [approved-amis-by-tag](./approved-amis-by-tag.html)
+ [appsync-associated-with-waf](./appsync-associated-with-waf.html)
+ [appsync-authorization-check](./appsync-authorization-check.html)
+ [appsync-cache-encryption-at-rest](./appsync-cache-encryption-at-rest.html)
+ [appsync-graphql-api-xray-enabled](./appsync-graphql-api-xray-enabled.html)
+ [appsync-logging-enabled](./appsync-logging-enabled.html)
+ [aps-rule-groups-namespace-tagged](./aps-rule-groups-namespace-tagged.html)
+ [athena-data-catalog-description](./athena-data-catalog-description.html)
+ [athena-prepared-statement-description](./athena-prepared-statement-description.html)
+ [athena-workgroup-description](./athena-workgroup-description.html)
+ [athena-workgroup-encrypted-at-rest](./athena-workgroup-encrypted-at-rest.html)
+ [athena-workgroup-enforce-workgroup-configuration](./athena-workgroup-enforce-workgroup-configuration.html)
+ [athena-workgroup-engine-version-auto-upgrade](./athena-workgroup-engine-version-auto-upgrade.html)
+ [athena-workgroup-logging-enabled](./athena-workgroup-logging-enabled.html)
+ [aurora-global-database-encryption-at-rest](./aurora-global-database-encryption-at-rest.html)
+ [aurora-last-backup-recovery-point-created](./aurora-last-backup-recovery-point-created.html)
+ [aurora-meets-restore-time-target](./aurora-meets-restore-time-target.html)
+ [aurora-mysql-cluster-audit-logging](./aurora-mysql-cluster-audit-logging.html)
+ [aurora-resources-in-logically-air-gapped-vault](./aurora-resources-in-logically-air-gapped-vault.html)
+ [aurora-resources-protected-by-backup-plan](./aurora-resources-protected-by-backup-plan.html)
+ [autoscaling-capacity-rebalancing](./autoscaling-capacity-rebalancing.html)
+ [autoscaling-group-elb-healthcheck-required](./autoscaling-group-elb-healthcheck-required.html)
+ [autoscaling-launchconfig-requires-imdsv2](./autoscaling-launchconfig-requires-imdsv2.html)
+ [autoscaling-launch-config-hop-limit](./autoscaling-launch-config-hop-limit.html)
+ [autoscaling-launch-config-public-ip-disabled](./autoscaling-launch-config-public-ip-disabled.html)
+ [autoscaling-launch-template](./autoscaling-launch-template.html)
+ [autoscaling-multiple-az](./autoscaling-multiple-az.html)
+ [autoscaling-multiple-instance-types](./autoscaling-multiple-instance-types.html)
+ [backup-plan-min-frequency-and-min-retention-check](./backup-plan-min-frequency-and-min-retention-check.html)
+ [backup-recovery-point-encrypted](./backup-recovery-point-encrypted.html)
+ [backup-recovery-point-manual-deletion-disabled](./backup-recovery-point-manual-deletion-disabled.html)
+ [backup-recovery-point-minimum-retention-check](./backup-recovery-point-minimum-retention-check.html)
+ [batch-compute-environment-enabled](./batch-compute-environment-enabled.html)
+ [batch-compute-environment-managed](./batch-compute-environment-managed.html)
+ [batch-compute-environment-tagged](./batch-compute-environment-tagged.html)
+ [batch-job-queue-enabled](./batch-job-queue-enabled.html)
+ [batch-job-queue-tagged](./batch-job-queue-tagged.html)
+ [batch-managed-compute-environment-using-launch-template](./batch-managed-compute-environment-using-launch-template.html)
+ [batch-managed-compute-env-allocation-strategy-check](./batch-managed-compute-env-allocation-strategy-check.html)
+ [batch-managed-compute-env-compute-resources-tagged](./batch-managed-compute-env-compute-resources-tagged.html)
+ [batch-managed-spot-compute-environment-max-bid](./batch-managed-spot-compute-environment-max-bid.html)
+ [batch-scheduling-policy-tagged](./batch-scheduling-policy-tagged.html)
+ [beanstalk-enhanced-health-reporting-enabled](./beanstalk-enhanced-health-reporting-enabled.html)
+ [cassandra-keyspace-tagged](./cassandra-keyspace-tagged.html)
+ [clb-desync-mode-check](./clb-desync-mode-check.html)
+ [clb-multiple-az](./clb-multiple-az.html)
+ [cloudformation-stack-drift-detection-check](./cloudformation-stack-drift-detection-check.html)
+ [cloudformation-stack-notification-check](./cloudformation-stack-notification-check.html)
+ [cloudformation-stack-service-role-check](./cloudformation-stack-service-role-check.html)
+ [cloudformation-termination-protection-check](./cloudformation-termination-protection-check.html)
+ [cloudtrail-all-read-s3-data-event-check](./cloudtrail-all-read-s3-data-event-check.html)
+ [cloudtrail-all-write-s3-data-event-check](./cloudtrail-all-write-s3-data-event-check.html)
+ [cloudtrail-event-data-store-multi-region](./cloudtrail-event-data-store-multi-region.html)
+ [cloudtrail-s3-bucket-access-logging](./cloudtrail-s3-bucket-access-logging.html)
+ [cloudtrail-s3-bucket-public-access-prohibited](./cloudtrail-s3-bucket-public-access-prohibited.html)
+ [cloudtrail-s3-dataevents-enabled](./cloudtrail-s3-dataevents-enabled.html)
+ [cloudtrail-security-trail-enabled](./cloudtrail-security-trail-enabled.html)
+ [cloudwatch-alarm-action-check](./cloudwatch-alarm-action-check.html)
+ [cloudwatch-alarm-action-enabled-check](./cloudwatch-alarm-action-enabled-check.html)
+ [cloudwatch-alarm-description](./cloudwatch-alarm-description.html)
+ [cloudwatch-alarm-resource-check](./cloudwatch-alarm-resource-check.html)
+ [cloudwatch-alarm-settings-check](./cloudwatch-alarm-settings-check.html)
+ [cloudwatch-log-group-encrypted](./cloudwatch-log-group-encrypted.html)
+ [cloudwatch-metric-stream-tagged](./cloudwatch-metric-stream-tagged.html)
+ [cloud-trail-cloud-watch-logs-enabled](./cloud-trail-cloud-watch-logs-enabled.html)
+ [cloud-trail-enabled](./cloud-trail-enabled.html)
+ [cloud-trail-encryption-enabled](./cloud-trail-encryption-enabled.html)
+ [cloud-trail-log-file-validation-enabled](./cloud-trail-log-file-validation-enabled.html)
+ [cmk-backing-key-rotation-enabled](./cmk-backing-key-rotation-enabled.html)
+ [codeartifact-repository-tagged](./codeartifact-repository-tagged.html)
+ [codebuild-project-artifact-encryption](./codebuild-project-artifact-encryption.html)
+ [codebuild-project-environment-privileged-check](./codebuild-project-environment-privileged-check.html)
+ [codebuild-project-envvar-awscred-check](./codebuild-project-envvar-awscred-check.html)
+ [codebuild-project-logging-enabled](./codebuild-project-logging-enabled.html)
+ [codebuild-project-s3-logs-encrypted](./codebuild-project-s3-logs-encrypted.html)
+ [codebuild-project-source-repo-url-check](./codebuild-project-source-repo-url-check.html)
+ [codebuild-project-tagged](./codebuild-project-tagged.html)
+ [codebuild-report-group-encrypted-at-rest](./codebuild-report-group-encrypted-at-rest.html)
+ [codebuild-report-group-tagged](./codebuild-report-group-tagged.html)
+ [codedeploy-auto-rollback-monitor-enabled](./codedeploy-auto-rollback-monitor-enabled.html)
+ [codedeploy-deployment-group-auto-rollback-enabled](./codedeploy-deployment-group-auto-rollback-enabled.html)
+ [codedeploy-deployment-group-outdated-instances-update](./codedeploy-deployment-group-outdated-instances-update.html)
+ [codedeploy-ec2-minimum-healthy-hosts-configured](./codedeploy-ec2-minimum-healthy-hosts-configured.html)
+ [codedeploy-lambda-allatonce-traffic-shift-disabled](./codedeploy-lambda-allatonce-traffic-shift-disabled.html)
+ [codeguruprofiler-profiling-group-tagged](./codeguruprofiler-profiling-group-tagged.html)
+ [codegurureviewer-repository-association-tagged](./codegurureviewer-repository-association-tagged.html)
+ [codepipeline-deployment-count-check](./codepipeline-deployment-count-check.html)
+ [codepipeline-region-fanout-check](./codepipeline-region-fanout-check.html)
+ [cognito-identity-pool-unauthenticated-logins](./cognito-identity-pool-unauthenticated-logins.html)
+ [cognito-identity-pool-unauth-access-check](./cognito-identity-pool-unauth-access-check.html)
+ [cognito-userpool-cust-auth-threat-full-check](./cognito-userpool-cust-auth-threat-full-check.html)
+ [cognito-user-pool-advanced-security-enabled](./cognito-user-pool-advanced-security-enabled.html)
+ [cognito-user-pool-deletion-protection-enabled](./cognito-user-pool-deletion-protection-enabled.html)
+ [cognito-user-pool-mfa-enabled](./cognito-user-pool-mfa-enabled.html)
+ [cognito-user-pool-password-policy-check](./cognito-user-pool-password-policy-check.html)
+ [cognito-user-pool-tagged](./cognito-user-pool-tagged.html)
+ [custom-eventbus-policy-attached](./custom-eventbus-policy-attached.html)
+ [custom-schema-registry-policy-attached](./custom-schema-registry-policy-attached.html)
+ [cw-loggroup-retention-period-check](./cw-loggroup-retention-period-check.html)
+ [datasync-location-object-storage-using-https](./datasync-location-object-storage-using-https.html)
+ [datasync-task-data-verification-enabled](./datasync-task-data-verification-enabled.html)
+ [datasync-task-logging-enabled](./datasync-task-logging-enabled.html)
+ [datasync-task-tagged](./datasync-task-tagged.html)
+ [dax-encryption-enabled](./dax-encryption-enabled.html)
+ [db-instance-backup-enabled](./db-instance-backup-enabled.html)
+ [desired-instance-tenancy](./desired-instance-tenancy.html)
+ [desired-instance-type](./desired-instance-type.html)
+ [dms-auto-minor-version-upgrade-check](./dms-auto-minor-version-upgrade-check.html)
+ [dms-endpoint-ssl-configured](./dms-endpoint-ssl-configured.html)
+ [dms-endpoint-tagged](./dms-endpoint-tagged.html)
+ [dms-mongo-db-authentication-enabled](./dms-mongo-db-authentication-enabled.html)
+ [dms-neptune-iam-authorization-enabled](./dms-neptune-iam-authorization-enabled.html)
+ [dms-redis-tls-enabled](./dms-redis-tls-enabled.html)
+ [dms-replication-instance-multi-az-enabled](./dms-replication-instance-multi-az-enabled.html)
+ [dms-replication-not-public](./dms-replication-not-public.html)
+ [dms-replication-task-sourcedb-logging](./dms-replication-task-sourcedb-logging.html)
+ [dms-replication-task-tagged](./dms-replication-task-tagged.html)
+ [dms-replication-task-targetdb-logging](./dms-replication-task-targetdb-logging.html)
+ [dynamodb-autoscaling-enabled](./dynamodb-autoscaling-enabled.html)
+ [dynamodb-in-backup-plan](./dynamodb-in-backup-plan.html)
+ [dynamodb-last-backup-recovery-point-created](./dynamodb-last-backup-recovery-point-created.html)
+ [dynamodb-meets-restore-time-target](./dynamodb-meets-restore-time-target.html)
+ [dynamodb-pitr-enabled](./dynamodb-pitr-enabled.html)
+ [dynamodb-resources-protected-by-backup-plan](./dynamodb-resources-protected-by-backup-plan.html)
+ [dynamodb-table-deletion-protection-enabled](./dynamodb-table-deletion-protection-enabled.html)
+ [dynamodb-table-encrypted-kms](./dynamodb-table-encrypted-kms.html)
+ [dynamodb-throughput-limit-check](./dynamodb-throughput-limit-check.html)
+ [ebs-in-backup-plan](./ebs-in-backup-plan.html)
+ [ebs-last-backup-recovery-point-created](./ebs-last-backup-recovery-point-created.html)
+ [ebs-meets-restore-time-target](./ebs-meets-restore-time-target.html)
+ [ebs-optimized-instance](./ebs-optimized-instance.html)
+ [ebs-resources-in-logically-air-gapped-vault](./ebs-resources-in-logically-air-gapped-vault.html)
+ [ebs-resources-protected-by-backup-plan](./ebs-resources-protected-by-backup-plan.html)
+ [ebs-snapshot-block-public-access](./ebs-snapshot-block-public-access.html)
+ [ebs-snapshot-public-restorable-check](./ebs-snapshot-public-restorable-check.html)
+ [ec2-capacity-reservation-tagged](./ec2-capacity-reservation-tagged.html)
+ [ec2-client-vpn-connection-log-enabled](./ec2-client-vpn-connection-log-enabled.html)
+ [ec2-client-vpn-endpoint-tagged](./ec2-client-vpn-endpoint-tagged.html)
+ [ec2-client-vpn-not-authorize-all](./ec2-client-vpn-not-authorize-all.html)
+ [ec2-dhcp-options-tagged](./ec2-dhcp-options-tagged.html)
+ [ec2-ebs-encryption-by-default](./ec2-ebs-encryption-by-default.html)
+ [ec2-enis-source-destination-check-enabled](./ec2-enis-source-destination-check-enabled.html)
+ [ec2-fleet-tagged](./ec2-fleet-tagged.html)
+ [ec2-imdsv2-check](./ec2-imdsv2-check.html)
+ [ec2-instance-detailed-monitoring-enabled](./ec2-instance-detailed-monitoring-enabled.html)
+ [ec2-instance-launched-with-allowed-ami](./ec2-instance-launched-with-allowed-ami.html)
+ [ec2-instance-managed-by-ssm](./ec2-instance-managed-by-ssm.html)
+ [ec2-instance-multiple-eni-check](./ec2-instance-multiple-eni-check.html)
+ [ec2-instance-no-public-ip](./ec2-instance-no-public-ip.html)
+ [ec2-instance-profile-attached](./ec2-instance-profile-attached.html)
+ [ec2-ipamscope-tagged](./ec2-ipamscope-tagged.html)
+ [ec2-last-backup-recovery-point-created](./ec2-last-backup-recovery-point-created.html)
+ [ec2-launchtemplate-ebs-encrypted](./ec2-launchtemplate-ebs-encrypted.html)
+ [ec2-launch-templates-ebs-volume-encrypted](./ec2-launch-templates-ebs-volume-encrypted.html)
+ [ec2-launch-template-imdsv2-check](./ec2-launch-template-imdsv2-check.html)
+ [ec2-launch-template-public-ip-disabled](./ec2-launch-template-public-ip-disabled.html)
+ [ec2-launch-template-tagged](./ec2-launch-template-tagged.html)
+ [ec2-managedinstance-applications-blacklisted](./ec2-managedinstance-applications-blacklisted.html)
+ [ec2-managedinstance-applications-required](./ec2-managedinstance-applications-required.html)
+ [ec2-managedinstance-association-compliance-status-check](./ec2-managedinstance-association-compliance-status-check.html)
+ [ec2-managedinstance-inventory-blacklisted](./ec2-managedinstance-inventory-blacklisted.html)
+ [ec2-managedinstance-patch-compliance-status-check](./ec2-managedinstance-patch-compliance-status-check.html)
+ [ec2-managedinstance-platform-check](./ec2-managedinstance-platform-check.html)
+ [ec2-meets-restore-time-target](./ec2-meets-restore-time-target.html)
+ [ec2-network-insights-access-scope-analysis-tagged](./ec2-network-insights-access-scope-analysis-tagged.html)
+ [ec2-network-insights-access-scope-tagged](./ec2-network-insights-access-scope-tagged.html)
+ [ec2-network-insights-analysis-tagged](./ec2-network-insights-analysis-tagged.html)
+ [ec2-network-insights-path-tagged](./ec2-network-insights-path-tagged.html)
+ [ec2-no-amazon-key-pair](./ec2-no-amazon-key-pair.html)
+ [ec2-prefix-list-tagged](./ec2-prefix-list-tagged.html)
+ [ec2-resources-in-logically-air-gapped-vault](./ec2-resources-in-logically-air-gapped-vault.html)
+ [ec2-resources-protected-by-backup-plan](./ec2-resources-protected-by-backup-plan.html)
+ [ec2-security-group-attached-to-eni](./ec2-security-group-attached-to-eni.html)
+ [ec2-security-group-attached-to-eni-periodic](./ec2-security-group-attached-to-eni-periodic.html)
+ [ec2-spot-fleet-request-ct-encryption-at-rest](./ec2-spot-fleet-request-ct-encryption-at-rest.html)
+ [ec2-stopped-instance](./ec2-stopped-instance.html)
+ [ec2-token-hop-limit-check](./ec2-token-hop-limit-check.html)
+ [ec2-traffic-mirror-filter-description](./ec2-traffic-mirror-filter-description.html)
+ [ec2-traffic-mirror-filter-tagged](./ec2-traffic-mirror-filter-tagged.html)
+ [ec2-traffic-mirror-session-description](./ec2-traffic-mirror-session-description.html)
+ [ec2-traffic-mirror-session-tagged](./ec2-traffic-mirror-session-tagged.html)
+ [ec2-traffic-mirror-target-description](./ec2-traffic-mirror-target-description.html)
+ [ec2-traffic-mirror-target-tagged](./ec2-traffic-mirror-target-tagged.html)
+ [ec2-transit-gateway-auto-vpc-attach-disabled](./ec2-transit-gateway-auto-vpc-attach-disabled.html)
+ [ec2-transit-gateway-multicast-domain-tagged](./ec2-transit-gateway-multicast-domain-tagged.html)
+ [ec2-volume-inuse-check](./ec2-volume-inuse-check.html)
+ [ec2-vpn-connection-ike-version-check](./ec2-vpn-connection-ike-version-check.html)
+ [ec2-vpn-connection-logging-enabled](./ec2-vpn-connection-logging-enabled.html)
+ [ec2-vpn-connection-tagged](./ec2-vpn-connection-tagged.html)
+ [ecr-private-image-scanning-enabled](./ecr-private-image-scanning-enabled.html)
+ [ecr-private-lifecycle-policy-configured](./ecr-private-lifecycle-policy-configured.html)
+ [ecr-private-tag-immutability-enabled](./ecr-private-tag-immutability-enabled.html)
+ [ecr-repository-cmk-encryption-enabled](./ecr-repository-cmk-encryption-enabled.html)
+ [ecr-repository-tagged](./ecr-repository-tagged.html)
+ [ecs-awsvpc-networking-enabled](./ecs-awsvpc-networking-enabled.html)
+ [ecs-capacity-provider-tagged](./ecs-capacity-provider-tagged.html)
+ [ecs-capacity-provider-termination-check](./ecs-capacity-provider-termination-check.html)
+ [ecs-containers-nonprivileged](./ecs-containers-nonprivileged.html)
+ [ecs-containers-readonly-access](./ecs-containers-readonly-access.html)
+ [ecs-container-insights-enabled](./ecs-container-insights-enabled.html)
+ [ecs-fargate-latest-platform-version](./ecs-fargate-latest-platform-version.html)
+ [ecs-no-environment-secrets](./ecs-no-environment-secrets.html)
+ [ecs-service-propagate-tags-enabled](./ecs-service-propagate-tags-enabled.html)
+ [ecs-task-definition-efs-encryption-enabled](./ecs-task-definition-efs-encryption-enabled.html)
+ [ecs-task-definition-linux-user-non-root](./ecs-task-definition-linux-user-non-root.html)
+ [ecs-task-definition-log-configuration](./ecs-task-definition-log-configuration.html)
+ [ecs-task-definition-memory-hard-limit](./ecs-task-definition-memory-hard-limit.html)
+ [ecs-task-definition-network-mode-not-host](./ecs-task-definition-network-mode-not-host.html)
+ [ecs-task-definition-nonroot-user](./ecs-task-definition-nonroot-user.html)
+ [ecs-task-definition-pid-mode-check](./ecs-task-definition-pid-mode-check.html)
+ [ecs-task-definition-user-for-host-mode-check](./ecs-task-definition-user-for-host-mode-check.html)
+ [ecs-task-definition-windows-user-non-admin](./ecs-task-definition-windows-user-non-admin.html)
+ [efs-access-point-enforce-root-directory](./efs-access-point-enforce-root-directory.html)
+ [efs-access-point-enforce-user-identity](./efs-access-point-enforce-user-identity.html)
+ [efs-automatic-backups-enabled](./efs-automatic-backups-enabled.html)
+ [efs-encrypted-check](./efs-encrypted-check.html)
+ [efs-filesystem-ct-encrypted](./efs-filesystem-ct-encrypted.html)
+ [efs-file-system-tagged](./efs-file-system-tagged.html)
+ [efs-in-backup-plan](./efs-in-backup-plan.html)
+ [efs-last-backup-recovery-point-created](./efs-last-backup-recovery-point-created.html)
+ [efs-meets-restore-time-target](./efs-meets-restore-time-target.html)
+ [efs-mount-target-public-accessible](./efs-mount-target-public-accessible.html)
+ [efs-resources-in-logically-air-gapped-vault](./efs-resources-in-logically-air-gapped-vault.html)
+ [efs-resources-protected-by-backup-plan](./efs-resources-protected-by-backup-plan.html)
+ [eip-attached](./eip-attached.html)
+ [eks-addon-tagged](./eks-addon-tagged.html)
+ [eks-cluster-logging-enabled](./eks-cluster-logging-enabled.html)
+ [eks-cluster-log-enabled](./eks-cluster-log-enabled.html)
+ [eks-cluster-oldest-supported-version](./eks-cluster-oldest-supported-version.html)
+ [eks-cluster-secrets-encrypted](./eks-cluster-secrets-encrypted.html)
+ [eks-cluster-supported-version](./eks-cluster-supported-version.html)
+ [eks-endpoint-no-public-access](./eks-endpoint-no-public-access.html)
+ [eks-fargate-profile-tagged](./eks-fargate-profile-tagged.html)
+ [eks-nodegroup-supported-version-check](./eks-nodegroup-supported-version-check.html)
+ [eks-secrets-encrypted](./eks-secrets-encrypted.html)
+ [elasticache-automatic-backup-check-enabled](./elasticache-automatic-backup-check-enabled.html)
+ [elasticache-auto-minor-version-upgrade-check](./elasticache-auto-minor-version-upgrade-check.html)
+ [elasticache-rbac-auth-enabled](./elasticache-rbac-auth-enabled.html)
+ [elasticache-redis-cluster-automatic-backup-check](./elasticache-redis-cluster-automatic-backup-check.html)
+ [elasticache-repl-grp-auto-failover-enabled](./elasticache-repl-grp-auto-failover-enabled.html)
+ [elasticache-repl-grp-encrypted-at-rest](./elasticache-repl-grp-encrypted-at-rest.html)
+ [elasticache-repl-grp-encrypted-in-transit](./elasticache-repl-grp-encrypted-in-transit.html)
+ [elasticache-repl-grp-redis-auth-enabled](./elasticache-repl-grp-redis-auth-enabled.html)
+ [elasticache-subnet-group-check](./elasticache-subnet-group-check.html)
+ [elasticache-supported-engine-version](./elasticache-supported-engine-version.html)
+ [elasticbeanstalk-application-description](./elasticbeanstalk-application-description.html)
+ [elasticbeanstalk-application-version-description](./elasticbeanstalk-application-version-description.html)
+ [elasticbeanstalk-environment-description](./elasticbeanstalk-environment-description.html)
+ [elasticsearch-encrypted-at-rest](./elasticsearch-encrypted-at-rest.html)
+ [elasticsearch-in-vpc-only](./elasticsearch-in-vpc-only.html)
+ [elasticsearch-logs-to-cloudwatch](./elasticsearch-logs-to-cloudwatch.html)
+ [elasticsearch-node-to-node-encryption-check](./elasticsearch-node-to-node-encryption-check.html)
+ [elastic-beanstalk-logs-to-cloudwatch](./elastic-beanstalk-logs-to-cloudwatch.html)
+ [elastic-beanstalk-managed-updates-enabled](./elastic-beanstalk-managed-updates-enabled.html)
+ [elbv2-acm-certificate-required](./elbv2-acm-certificate-required.html)
+ [elbv2-listener-encryption-in-transit](./elbv2-listener-encryption-in-transit.html)
+ [elbv2-multiple-az](./elbv2-multiple-az.html)
+ [elbv2-predefined-security-policy-ssl-check](./elbv2-predefined-security-policy-ssl-check.html)
+ [elbv2-targetgroup-healthcheck-protocol-encrypted](./elbv2-targetgroup-healthcheck-protocol-encrypted.html)
+ [elbv2-targetgroup-protocol-encrypted](./elbv2-targetgroup-protocol-encrypted.html)
+ [elb-acm-certificate-required](./elb-acm-certificate-required.html)
+ [elb-cross-zone-load-balancing-enabled](./elb-cross-zone-load-balancing-enabled.html)
+ [elb-custom-security-policy-ssl-check](./elb-custom-security-policy-ssl-check.html)
+ [elb-deletion-protection-enabled](./elb-deletion-protection-enabled.html)
+ [elb-internal-scheme-check](./elb-internal-scheme-check.html)
+ [elb-logging-enabled](./elb-logging-enabled.html)
+ [elb-predefined-security-policy-ssl-check](./elb-predefined-security-policy-ssl-check.html)
+ [elb-tagged](./elb-tagged.html)
+ [elb-tls-https-listeners-only](./elb-tls-https-listeners-only.html)
+ [emr-block-public-access](./emr-block-public-access.html)
+ [emr-kerberos-enabled](./emr-kerberos-enabled.html)
+ [emr-master-no-public-ip](./emr-master-no-public-ip.html)
+ [emr-security-configuration-encryption-rest](./emr-security-configuration-encryption-rest.html)
+ [emr-security-configuration-encryption-transit](./emr-security-configuration-encryption-transit.html)
+ [encrypted-volumes](./encrypted-volumes.html)
+ [eventschemas-discoverer-tagged](./eventschemas-discoverer-tagged.html)
+ [eventschemas-registry-tagged](./eventschemas-registry-tagged.html)
+ [event-data-store-cmk-encryption-enabled](./event-data-store-cmk-encryption-enabled.html)
+ [evidently-launch-description](./evidently-launch-description.html)
+ [evidently-launch-tagged](./evidently-launch-tagged.html)
+ [evidently-project-description](./evidently-project-description.html)
+ [evidently-project-tagged](./evidently-project-tagged.html)
+ [evidently-segment-description](./evidently-segment-description.html)
+ [evidently-segment-tagged](./evidently-segment-tagged.html)
+ [fis-experiment-template-log-configuration-exists](./fis-experiment-template-log-configuration-exists.html)
+ [fis-experiment-template-tagged](./fis-experiment-template-tagged.html)
+ [fms-shield-resource-policy-check](./fms-shield-resource-policy-check.html)
+ [fms-webacl-resource-policy-check](./fms-webacl-resource-policy-check.html)
+ [fms-webacl-rulegroup-association-check](./fms-webacl-rulegroup-association-check.html)
+ [fsx-last-backup-recovery-point-created](./fsx-last-backup-recovery-point-created.html)
+ [fsx-lustre-copy-tags-to-backups](./fsx-lustre-copy-tags-to-backups.html)
+ [fsx-meets-restore-time-target](./fsx-meets-restore-time-target.html)
+ [fsx-ontap-deployment-type-check](./fsx-ontap-deployment-type-check.html)
+ [fsx-openzfs-copy-tags-enabled](./fsx-openzfs-copy-tags-enabled.html)
+ [fsx-openzfs-deployment-type-check](./fsx-openzfs-deployment-type-check.html)
+ [fsx-resources-protected-by-backup-plan](./fsx-resources-protected-by-backup-plan.html)
+ [fsx-windows-audit-log-configured](./fsx-windows-audit-log-configured.html)
+ [fsx-windows-deployment-type-check](./fsx-windows-deployment-type-check.html)
+ [glb-listener-tagged](./glb-listener-tagged.html)
+ [glb-tagged](./glb-tagged.html)
+ [global-endpoint-event-replication-enabled](./global-endpoint-event-replication-enabled.html)
+ [glue-job-logging-enabled](./glue-job-logging-enabled.html)
+ [glue-ml-transform-encrypted-at-rest](./glue-ml-transform-encrypted-at-rest.html)
+ [glue-ml-transform-tagged](./glue-ml-transform-tagged.html)
+ [glue-spark-job-supported-version](./glue-spark-job-supported-version.html)
+ [groundstation-config-tagged](./groundstation-config-tagged.html)
+ [groundstation-dataflowendpointgroup-tagged](./groundstation-dataflowendpointgroup-tagged.html)
+ [groundstation-missionprofile-tagged](./groundstation-missionprofile-tagged.html)
+ [guardduty-ec2-protection-runtime-enabled](./guardduty-ec2-protection-runtime-enabled.html)
+ [guardduty-ecs-protection-runtime-enabled](./guardduty-ecs-protection-runtime-enabled.html)
+ [guardduty-eks-protection-audit-enabled](./guardduty-eks-protection-audit-enabled.html)
+ [guardduty-eks-protection-runtime-enabled](./guardduty-eks-protection-runtime-enabled.html)
+ [guardduty-enabled-centralized](./guardduty-enabled-centralized.html)
+ [guardduty-lambda-protection-enabled](./guardduty-lambda-protection-enabled.html)
+ [guardduty-malware-protection-enabled](./guardduty-malware-protection-enabled.html)
+ [guardduty-non-archived-findings](./guardduty-non-archived-findings.html)
+ [guardduty-rds-protection-enabled](./guardduty-rds-protection-enabled.html)
+ [guardduty-runtime-monitoring-enabled](./guardduty-runtime-monitoring-enabled.html)
+ [guardduty-s3-protection-enabled](./guardduty-s3-protection-enabled.html)
+ [iam-customer-policy-blocked-kms-actions](./iam-customer-policy-blocked-kms-actions.html)
+ [iam-external-access-analyzer-enabled](./iam-external-access-analyzer-enabled.html)
+ [iam-group-has-users-check](./iam-group-has-users-check.html)
+ [iam-inline-policy-blocked-kms-actions](./iam-inline-policy-blocked-kms-actions.html)
+ [iam-no-inline-policy-check](./iam-no-inline-policy-check.html)
+ [iam-password-policy](./iam-password-policy.html)
+ [iam-policy-blacklisted-check](./iam-policy-blacklisted-check.html)
+ [iam-policy-description](./iam-policy-description.html)
+ [iam-policy-in-use](./iam-policy-in-use.html)
+ [iam-policy-no-statements-with-admin-access](./iam-policy-no-statements-with-admin-access.html)
+ [iam-policy-no-statements-with-full-access](./iam-policy-no-statements-with-full-access.html)
+ [iam-role-managed-policy-check](./iam-role-managed-policy-check.html)
+ [iam-root-access-key-check](./iam-root-access-key-check.html)
+ [iam-user-group-membership-check](./iam-user-group-membership-check.html)
+ [iam-user-mfa-enabled](./iam-user-mfa-enabled.html)
+ [iam-user-no-policies-check](./iam-user-no-policies-check.html)
+ [iam-user-unused-credentials-check](./iam-user-unused-credentials-check.html)
+ [imagebuilder-distributionconfiguration-tagged](./imagebuilder-distributionconfiguration-tagged.html)
+ [imagebuilder-imagepipeline-tagged](./imagebuilder-imagepipeline-tagged.html)
+ [imagebuilder-imagerecipe-ebs-volumes-encrypted](./imagebuilder-imagerecipe-ebs-volumes-encrypted.html)
+ [imagebuilder-imagerecipe-tagged](./imagebuilder-imagerecipe-tagged.html)
+ [imagebuilder-infrastructureconfiguration-tagged](./imagebuilder-infrastructureconfiguration-tagged.html)
+ [incoming-ssh-disabled](./incoming-ssh-disabled.html)
+ [inspector-ec2-scan-enabled](./inspector-ec2-scan-enabled.html)
+ [inspector-ecr-scan-enabled](./inspector-ecr-scan-enabled.html)
+ [inspector-lambda-code-scan-enabled](./inspector-lambda-code-scan-enabled.html)
+ [inspector-lambda-standard-scan-enabled](./inspector-lambda-standard-scan-enabled.html)
+ [instances-in-vpc](./instances-in-vpc.html)
+ [internet-gateway-authorized-vpc-only](./internet-gateway-authorized-vpc-only.html)
+ [iotdevicedefender-custom-metric-tagged](./iotdevicedefender-custom-metric-tagged.html)
+ [iot-authorizer-token-signing-enabled](./iot-authorizer-token-signing-enabled.html)
+ [iot-job-template-tagged](./iot-job-template-tagged.html)
+ [iot-provisioning-template-description](./iot-provisioning-template-description.html)
+ [iot-provisioning-template-jitp](./iot-provisioning-template-jitp.html)
+ [iot-provisioning-template-tagged](./iot-provisioning-template-tagged.html)
+ [iot-scheduled-audit-tagged](./iot-scheduled-audit-tagged.html)
+ [kinesis-firehose-delivery-stream-encrypted](./kinesis-firehose-delivery-stream-encrypted.html)
+ [kinesis-stream-backup-retention-check](./kinesis-stream-backup-retention-check.html)
+ [kinesis-stream-encrypted](./kinesis-stream-encrypted.html)
+ [kms-cmk-not-scheduled-for-deletion](./kms-cmk-not-scheduled-for-deletion.html)
+ [kms-key-policy-no-public-access](./kms-key-policy-no-public-access.html)
+ [kms-key-tagged](./kms-key-tagged.html)
+ [lambda-concurrency-check](./lambda-concurrency-check.html)
+ [lambda-dlq-check](./lambda-dlq-check.html)
+ [lambda-function-application-log-level-check](./lambda-function-application-log-level-check.html)
+ [lambda-function-description](./lambda-function-description.html)
+ [lambda-function-log-format-json](./lambda-function-log-format-json.html)
+ [lambda-function-public-access-prohibited](./lambda-function-public-access-prohibited.html)
+ [lambda-function-settings-check](./lambda-function-settings-check.html)
+ [lambda-function-system-log-level-check](./lambda-function-system-log-level-check.html)
+ [lambda-function-xray-enabled](./lambda-function-xray-enabled.html)
+ [lambda-inside-vpc](./lambda-inside-vpc.html)
+ [lambda-vpc-multi-az-check](./lambda-vpc-multi-az-check.html)
+ [lightsail-bucket-allow-public-overrides-disabled](./lightsail-bucket-allow-public-overrides-disabled.html)
+ [lightsail-bucket-object-versioning-enabled](./lightsail-bucket-object-versioning-enabled.html)
+ [lightsail-bucket-tagged](./lightsail-bucket-tagged.html)
+ [lightsail-certificate-tagged](./lightsail-certificate-tagged.html)
+ [lightsail-disk-tagged](./lightsail-disk-tagged.html)
+ [macie-auto-sensitive-data-discovery-check](./macie-auto-sensitive-data-discovery-check.html)
+ [macie-status-check](./macie-status-check.html)
+ [mariadb-publish-logs-to-cloudwatch-logs](./mariadb-publish-logs-to-cloudwatch-logs.html)
+ [mediapackage-packagingconfiguration-tagged](./mediapackage-packagingconfiguration-tagged.html)
+ [mediatailor-playbackconfiguration-tagged](./mediatailor-playbackconfiguration-tagged.html)
+ [memorydb-subnetgroup-tagged](./memorydb-subnetgroup-tagged.html)
+ [mfa-enabled-for-iam-console-access](./mfa-enabled-for-iam-console-access.html)
+ [mq-active-broker-ldap-authentication](./mq-active-broker-ldap-authentication.html)
+ [mq-active-deployment-mode](./mq-active-deployment-mode.html)
+ [mq-active-single-instance-broker-storage-type-efs](./mq-active-single-instance-broker-storage-type-efs.html)
+ [mq-automatic-minor-version-upgrade-enabled](./mq-automatic-minor-version-upgrade-enabled.html)
+ [mq-auto-minor-version-upgrade-enabled](./mq-auto-minor-version-upgrade-enabled.html)
+ [mq-broker-general-logging-enabled](./mq-broker-general-logging-enabled.html)
+ [mq-cloudwatch-audit-logging-enabled](./mq-cloudwatch-audit-logging-enabled.html)
+ [mq-cloudwatch-audit-log-enabled](./mq-cloudwatch-audit-log-enabled.html)
+ [mq-no-public-access](./mq-no-public-access.html)
+ [mq-rabbit-deployment-mode](./mq-rabbit-deployment-mode.html)
+ [msk-cluster-public-access-disabled](./msk-cluster-public-access-disabled.html)
+ [msk-cluster-tagged](./msk-cluster-tagged.html)
+ [msk-connect-connector-logging-enabled](./msk-connect-connector-logging-enabled.html)
+ [msk-enhanced-monitoring-enabled](./msk-enhanced-monitoring-enabled.html)
+ [msk-in-cluster-node-require-tls](./msk-in-cluster-node-require-tls.html)
+ [msk-unrestricted-access-check](./msk-unrestricted-access-check.html)
+ [multi-region-cloud-trail-enabled](./multi-region-cloud-trail-enabled.html)
+ [nacl-no-unrestricted-ssh-rdp](./nacl-no-unrestricted-ssh-rdp.html)
+ [neptune-cluster-backup-retention-check](./neptune-cluster-backup-retention-check.html)
+ [neptune-cluster-cloudwatch-log-export-enabled](./neptune-cluster-cloudwatch-log-export-enabled.html)
+ [neptune-cluster-copy-tags-to-snapshot-enabled](./neptune-cluster-copy-tags-to-snapshot-enabled.html)
+ [neptune-cluster-deletion-protection-enabled](./neptune-cluster-deletion-protection-enabled.html)
+ [neptune-cluster-encrypted](./neptune-cluster-encrypted.html)
+ [neptune-cluster-iam-database-authentication](./neptune-cluster-iam-database-authentication.html)
+ [neptune-cluster-multi-az-enabled](./neptune-cluster-multi-az-enabled.html)
+ [neptune-cluster-snapshot-encrypted](./neptune-cluster-snapshot-encrypted.html)
+ [neptune-cluster-snapshot-iam-database-auth-enabled](./neptune-cluster-snapshot-iam-database-auth-enabled.html)
+ [neptune-cluster-snapshot-public-prohibited](./neptune-cluster-snapshot-public-prohibited.html)
+ [netfw-deletion-protection-enabled](./netfw-deletion-protection-enabled.html)
+ [netfw-logging-enabled](./netfw-logging-enabled.html)
+ [netfw-multi-az-enabled](./netfw-multi-az-enabled.html)
+ [netfw-policy-default-action-fragment-packets](./netfw-policy-default-action-fragment-packets.html)
+ [netfw-policy-default-action-full-packets](./netfw-policy-default-action-full-packets.html)
+ [netfw-policy-rule-group-associated](./netfw-policy-rule-group-associated.html)
+ [netfw-stateless-rule-group-not-empty](./netfw-stateless-rule-group-not-empty.html)
+ [netfw-subnet-change-protection-enabled](./netfw-subnet-change-protection-enabled.html)
+ [nlb-cross-zone-load-balancing-enabled](./nlb-cross-zone-load-balancing-enabled.html)
+ [nlb-internal-scheme-check](./nlb-internal-scheme-check.html)
+ [nlb-listener-tagged](./nlb-listener-tagged.html)
+ [nlb-logging-enabled](./nlb-logging-enabled.html)
+ [nlb-tagged](./nlb-tagged.html)
+ [no-unrestricted-route-to-igw](./no-unrestricted-route-to-igw.html)
+ [opensearch-access-control-enabled](./opensearch-access-control-enabled.html)
+ [opensearch-audit-logging-enabled](./opensearch-audit-logging-enabled.html)
+ [opensearch-data-node-fault-tolerance](./opensearch-data-node-fault-tolerance.html)
+ [opensearch-encrypted-at-rest](./opensearch-encrypted-at-rest.html)
+ [opensearch-https-required](./opensearch-https-required.html)
+ [opensearch-in-vpc-only](./opensearch-in-vpc-only.html)
+ [opensearch-logs-to-cloudwatch](./opensearch-logs-to-cloudwatch.html)
+ [opensearch-node-to-node-encryption-check](./opensearch-node-to-node-encryption-check.html)
+ [opensearch-primary-node-fault-tolerance](./opensearch-primary-node-fault-tolerance.html)
+ [opensearch-update-check](./opensearch-update-check.html)
+ [rabbit-mq-supported-version](./rabbit-mq-supported-version.html)
+ [rds-aurora-mysql-audit-logging-enabled](./rds-aurora-mysql-audit-logging-enabled.html)
+ [rds-aurora-postgresql-logs-to-cloudwatch](./rds-aurora-postgresql-logs-to-cloudwatch.html)
+ [rds-automatic-minor-version-upgrade-enabled](./rds-automatic-minor-version-upgrade-enabled.html)
+ [rds-cluster-auto-minor-version-upgrade-enable](./rds-cluster-auto-minor-version-upgrade-enable.html)
+ [rds-cluster-backup-retention-check](./rds-cluster-backup-retention-check.html)
+ [rds-cluster-default-admin-check](./rds-cluster-default-admin-check.html)
+ [rds-cluster-deletion-protection-enabled](./rds-cluster-deletion-protection-enabled.html)
+ [rds-cluster-encrypted-at-rest](./rds-cluster-encrypted-at-rest.html)
+ [rds-cluster-iam-authentication-enabled](./rds-cluster-iam-authentication-enabled.html)
+ [rds-cluster-multi-az-enabled](./rds-cluster-multi-az-enabled.html)
+ [rds-enhanced-monitoring-enabled](./rds-enhanced-monitoring-enabled.html)
+ [rds-event-subscription-tagged](./rds-event-subscription-tagged.html)
+ [rds-global-cluster-aurora-mysql-supported-version](./rds-global-cluster-aurora-mysql-supported-version.html)
+ [rds-instance-default-admin-check](./rds-instance-default-admin-check.html)
+ [rds-instance-deletion-protection-enabled](./rds-instance-deletion-protection-enabled.html)
+ [rds-instance-iam-authentication-enabled](./rds-instance-iam-authentication-enabled.html)
+ [rds-instance-public-access-check](./rds-instance-public-access-check.html)
+ [rds-instance-subnet-igw-check](./rds-instance-subnet-igw-check.html)
+ [rds-in-backup-plan](./rds-in-backup-plan.html)
+ [rds-last-backup-recovery-point-created](./rds-last-backup-recovery-point-created.html)
+ [rds-logging-enabled](./rds-logging-enabled.html)
+ [rds-mariadb-instance-encrypted-in-transit](./rds-mariadb-instance-encrypted-in-transit.html)
+ [rds-meets-restore-time-target](./rds-meets-restore-time-target.html)
+ [rds-multi-az-support](./rds-multi-az-support.html)
+ [rds-mysql-cluster-copy-tags-to-snapshot-check](./rds-mysql-cluster-copy-tags-to-snapshot-check.html)
+ [rds-mysql-instance-encrypted-in-transit](./rds-mysql-instance-encrypted-in-transit.html)
+ [rds-option-group-tagged](./rds-option-group-tagged.html)
+ [rds-pgsql-cluster-copy-tags-to-snapshot-check](./rds-pgsql-cluster-copy-tags-to-snapshot-check.html)
+ [rds-postgresql-logs-to-cloudwatch](./rds-postgresql-logs-to-cloudwatch.html)
+ [rds-postgres-instance-encrypted-in-transit](./rds-postgres-instance-encrypted-in-transit.html)
+ [rds-proxy-tls-encryption](./rds-proxy-tls-encryption.html)
+ [rds-resources-protected-by-backup-plan](./rds-resources-protected-by-backup-plan.html)
+ [rds-snapshots-public-prohibited](./rds-snapshots-public-prohibited.html)
+ [rds-snapshot-encrypted](./rds-snapshot-encrypted.html)
+ [rds-sqlserver-encrypted-in-transit](./rds-sqlserver-encrypted-in-transit.html)
+ [rds-sql-server-logs-to-cloudwatch](./rds-sql-server-logs-to-cloudwatch.html)
+ [rds-storage-encrypted](./rds-storage-encrypted.html)
+ [redshift-audit-logging-enabled](./redshift-audit-logging-enabled.html)
+ [redshift-backup-enabled](./redshift-backup-enabled.html)
+ [redshift-cluster-configuration-check](./redshift-cluster-configuration-check.html)
+ [redshift-cluster-kms-enabled](./redshift-cluster-kms-enabled.html)
+ [redshift-cluster-maintenancesettings-check](./redshift-cluster-maintenancesettings-check.html)
+ [redshift-cluster-multi-az-enabled](./redshift-cluster-multi-az-enabled.html)
+ [redshift-cluster-parameter-group-tagged](./redshift-cluster-parameter-group-tagged.html)
+ [redshift-cluster-public-access-check](./redshift-cluster-public-access-check.html)
+ [redshift-cluster-subnet-group-multi-az](./redshift-cluster-subnet-group-multi-az.html)
+ [redshift-default-admin-check](./redshift-default-admin-check.html)
+ [redshift-default-db-name-check](./redshift-default-db-name-check.html)
+ [redshift-enhanced-vpc-routing-enabled](./redshift-enhanced-vpc-routing-enabled.html)
+ [redshift-require-tls-ssl](./redshift-require-tls-ssl.html)
+ [redshift-serverless-default-admin-check](./redshift-serverless-default-admin-check.html)
+ [redshift-serverless-default-db-name-check](./redshift-serverless-default-db-name-check.html)
+ [redshift-serverless-namespace-cmk-encryption](./redshift-serverless-namespace-cmk-encryption.html)
+ [redshift-serverless-publish-logs-to-cloudwatch](./redshift-serverless-publish-logs-to-cloudwatch.html)
+ [redshift-serverless-workgroup-encrypted-in-transit](./redshift-serverless-workgroup-encrypted-in-transit.html)
+ [redshift-serverless-workgroup-no-public-access](./redshift-serverless-workgroup-no-public-access.html)
+ [redshift-serverless-workgroup-routes-within-vpc](./redshift-serverless-workgroup-routes-within-vpc.html)
+ [redshift-unrestricted-port-access](./redshift-unrestricted-port-access.html)
+ [required-tags](./required-tags.html)
+ [resiliencehub-app-tagged](./resiliencehub-app-tagged.html)
+ [resiliencehub-resiliencypolicy-tagged](./resiliencehub-resiliencypolicy-tagged.html)
+ [restricted-incoming-traffic](./restricted-incoming-traffic.html)
+ [root-account-hardware-mfa-enabled](./root-account-hardware-mfa-enabled.html)
+ [root-account-mfa-enabled](./root-account-mfa-enabled.html)
+ [route53-resolver-firewall-domain-list-tagged](./route53-resolver-firewall-domain-list-tagged.html)
+ [route53-resolver-firewall-rule-group-association-tagged](./route53-resolver-firewall-rule-group-association-tagged.html)
+ [route53-resolver-firewall-rule-group-tagged](./route53-resolver-firewall-rule-group-tagged.html)
+ [route53-resolver-resolver-endpoint-tagged](./route53-resolver-resolver-endpoint-tagged.html)
+ [route53-resolver-resolver-rule-tagged](./route53-resolver-resolver-rule-tagged.html)
+ [rum-app-monitor-cloudwatch-logs-enabled](./rum-app-monitor-cloudwatch-logs-enabled.html)
+ [rum-app-monitor-tagged](./rum-app-monitor-tagged.html)
+ [s3express-dir-bucket-lifecycle-rules-check](./s3express-dir-bucket-lifecycle-rules-check.html)
+ [s3-access-point-in-vpc-only](./s3-access-point-in-vpc-only.html)
+ [s3-access-point-public-access-blocks](./s3-access-point-public-access-blocks.html)
+ [s3-account-level-public-access-blocks](./s3-account-level-public-access-blocks.html)
+ [s3-account-level-public-access-blocks-periodic](./s3-account-level-public-access-blocks-periodic.html)
+ [s3-bucket-acl-prohibited](./s3-bucket-acl-prohibited.html)
+ [s3-bucket-blacklisted-actions-prohibited](./s3-bucket-blacklisted-actions-prohibited.html)
+ [s3-bucket-cross-region-replication-enabled](./s3-bucket-cross-region-replication-enabled.html)
+ [s3-bucket-default-lock-enabled](./s3-bucket-default-lock-enabled.html)
+ [s3-bucket-level-public-access-prohibited](./s3-bucket-level-public-access-prohibited.html)
+ [s3-bucket-logging-enabled](./s3-bucket-logging-enabled.html)
+ [s3-bucket-mfa-delete-enabled](./s3-bucket-mfa-delete-enabled.html)
+ [s3-bucket-policy-grantee-check](./s3-bucket-policy-grantee-check.html)
+ [s3-bucket-policy-not-more-permissive](./s3-bucket-policy-not-more-permissive.html)
+ [s3-bucket-public-read-prohibited](./s3-bucket-public-read-prohibited.html)
+ [s3-bucket-public-write-prohibited](./s3-bucket-public-write-prohibited.html)
+ [s3-bucket-replication-enabled](./s3-bucket-replication-enabled.html)
+ [s3-bucket-server-side-encryption-enabled](./s3-bucket-server-side-encryption-enabled.html)
+ [s3-bucket-ssl-requests-only](./s3-bucket-ssl-requests-only.html)
+ [s3-bucket-tagged](./s3-bucket-tagged.html)
+ [s3-bucket-versioning-enabled](./s3-bucket-versioning-enabled.html)
+ [s3-default-encryption-kms](./s3-default-encryption-kms.html)
+ [s3-directory-bucket-lifecycle-policy-rule-check](./s3-directory-bucket-lifecycle-policy-rule-check.html)
+ [s3-event-notifications-enabled](./s3-event-notifications-enabled.html)
+ [s3-last-backup-recovery-point-created](./s3-last-backup-recovery-point-created.html)
+ [s3-lifecycle-policy-check](./s3-lifecycle-policy-check.html)
+ [s3-meets-restore-time-target](./s3-meets-restore-time-target.html)
+ [s3-resources-in-logically-air-gapped-vault](./s3-resources-in-logically-air-gapped-vault.html)
+ [s3-resources-protected-by-backup-plan](./s3-resources-protected-by-backup-plan.html)
+ [s3-version-lifecycle-policy-check](./s3-version-lifecycle-policy-check.html)
+ [sagemaker-app-image-config-tagged](./sagemaker-app-image-config-tagged.html)
+ [sagemaker-data-quality-job-encrypt-in-transit](./sagemaker-data-quality-job-encrypt-in-transit.html)
+ [sagemaker-data-quality-job-isolation](./sagemaker-data-quality-job-isolation.html)
+ [sagemaker-domain-in-vpc](./sagemaker-domain-in-vpc.html)
+ [sagemaker-domain-tagged](./sagemaker-domain-tagged.html)
+ [sagemaker-endpoint-configuration-kms-key-configured](./sagemaker-endpoint-configuration-kms-key-configured.html)
+ [sagemaker-endpoint-config-prod-instance-count](./sagemaker-endpoint-config-prod-instance-count.html)
+ [sagemaker-featuregroup-description](./sagemaker-featuregroup-description.html)
+ [sagemaker-featuregroup-encryption-at-rest](./sagemaker-featuregroup-encryption-at-rest.html)
+ [sagemaker-feature-group-tagged](./sagemaker-feature-group-tagged.html)
+ [sagemaker-image-description](./sagemaker-image-description.html)
+ [sagemaker-image-tagged](./sagemaker-image-tagged.html)
+ [sagemaker-inferenceexperiment-tagged](./sagemaker-inferenceexperiment-tagged.html)
+ [sagemaker-model-explainability-job-encrypt-in-transit](./sagemaker-model-explainability-job-encrypt-in-transit.html)
+ [sagemaker-model-in-vpc](./sagemaker-model-in-vpc.html)
+ [sagemaker-model-isolation-enabled](./sagemaker-model-isolation-enabled.html)
+ [sagemaker-model-private-registry-required](./sagemaker-model-private-registry-required.html)
+ [sagemaker-model-quality-job-encrypt-in-transit](./sagemaker-model-quality-job-encrypt-in-transit.html)
+ [sagemaker-monitoring-schedule-isolation](./sagemaker-monitoring-schedule-isolation.html)
+ [sagemaker-notebook-instance-inside-vpc](./sagemaker-notebook-instance-inside-vpc.html)
+ [sagemaker-notebook-instance-kms-key-configured](./sagemaker-notebook-instance-kms-key-configured.html)
+ [sagemaker-notebook-instance-platform-version](./sagemaker-notebook-instance-platform-version.html)
+ [sagemaker-notebook-instance-root-access-check](./sagemaker-notebook-instance-root-access-check.html)
+ [sagemaker-notebook-no-direct-internet-access](./sagemaker-notebook-no-direct-internet-access.html)
+ [secretsmanager-rotation-enabled-check](./secretsmanager-rotation-enabled-check.html)
+ [secretsmanager-scheduled-rotation-success-check](./secretsmanager-scheduled-rotation-success-check.html)
+ [secretsmanager-secret-periodic-rotation](./secretsmanager-secret-periodic-rotation.html)
+ [secretsmanager-secret-unused](./secretsmanager-secret-unused.html)
+ [secretsmanager-using-cmk](./secretsmanager-using-cmk.html)
+ [securityhub-enabled](./securityhub-enabled.html)
+ [security-account-information-provided](./security-account-information-provided.html)
+ [service-catalog-portfolio-tagged](./service-catalog-portfolio-tagged.html)
+ [service-catalog-shared-within-organization](./service-catalog-shared-within-organization.html)
+ [service-vpc-endpoint-enabled](./service-vpc-endpoint-enabled.html)
+ [ses-sending-tls-required](./ses-sending-tls-required.html)
+ [signer-signingprofile-tagged](./signer-signingprofile-tagged.html)
+ [sns-encrypted-kms](./sns-encrypted-kms.html)
+ [sns-topic-message-delivery-notification-enabled](./sns-topic-message-delivery-notification-enabled.html)
+ [sns-topic-no-public-access](./sns-topic-no-public-access.html)
+ [sqs-queue-dlq-check](./sqs-queue-dlq-check.html)
+ [sqs-queue-no-public-access](./sqs-queue-no-public-access.html)
+ [sqs-queue-policy-full-access-check](./sqs-queue-policy-full-access-check.html)
+ [ssm-automation-block-public-sharing](./ssm-automation-block-public-sharing.html)
+ [ssm-automation-logging-enabled](./ssm-automation-logging-enabled.html)
+ [ssm-document-not-public](./ssm-document-not-public.html)
+ [ssm-document-tagged](./ssm-document-tagged.html)
+ [stepfunctions-state-machine-tagged](./stepfunctions-state-machine-tagged.html)
+ [step-functions-state-machine-logging-enabled](./step-functions-state-machine-logging-enabled.html)
+ [storagegateway-last-backup-recovery-point-created](./storagegateway-last-backup-recovery-point-created.html)
+ [storagegateway-resources-in-logically-air-gapped-vault](./storagegateway-resources-in-logically-air-gapped-vault.html)
+ [storagegateway-resources-protected-by-backup-plan](./storagegateway-resources-protected-by-backup-plan.html)
+ [subnet-auto-assign-public-ip-disabled](./subnet-auto-assign-public-ip-disabled.html)
+ [transfer-agreement-description](./transfer-agreement-description.html)
+ [transfer-agreement-tagged](./transfer-agreement-tagged.html)
+ [transfer-certificate-description](./transfer-certificate-description.html)
+ [transfer-certificate-tagged](./transfer-certificate-tagged.html)
+ [transfer-connector-as2-encryption-algorithm-check](./transfer-connector-as2-encryption-algorithm-check.html)
+ [transfer-connector-as2-mdn-signing-algorithm-check](./transfer-connector-as2-mdn-signing-algorithm-check.html)
+ [transfer-connector-as2-signing-algorithm-check](./transfer-connector-as2-signing-algorithm-check.html)
+ [transfer-connector-logging-enabled](./transfer-connector-logging-enabled.html)
+ [transfer-connector-tagged](./transfer-connector-tagged.html)
+ [transfer-family-server-no-ftp](./transfer-family-server-no-ftp.html)
+ [transfer-profile-tagged](./transfer-profile-tagged.html)
+ [transfer-workflow-description](./transfer-workflow-description.html)
+ [transfer-workflow-tagged](./transfer-workflow-tagged.html)
+ [virtualmachine-last-backup-recovery-point-created](./virtualmachine-last-backup-recovery-point-created.html)
+ [virtualmachine-resources-in-logically-air-gapped-vault](./virtualmachine-resources-in-logically-air-gapped-vault.html)
+ [virtualmachine-resources-protected-by-backup-plan](./virtualmachine-resources-protected-by-backup-plan.html)
+ [vpc-default-security-group-closed](./vpc-default-security-group-closed.html)
+ [vpc-endpoint-enabled](./vpc-endpoint-enabled.html)
+ [vpc-flow-logs-enabled](./vpc-flow-logs-enabled.html)
+ [vpc-network-acl-unused-check](./vpc-network-acl-unused-check.html)
+ [vpc-peering-dns-resolution-check](./vpc-peering-dns-resolution-check.html)
+ [vpc-sg-open-only-to-authorized-ports](./vpc-sg-open-only-to-authorized-ports.html)
+ [vpc-sg-port-restriction-check](./vpc-sg-port-restriction-check.html)
+ [vpc-vpn-2-tunnels-up](./vpc-vpn-2-tunnels-up.html)
+ [wafv2-logging-enabled](./wafv2-logging-enabled.html)
+ [wafv2-rulegroup-logging-enabled](./wafv2-rulegroup-logging-enabled.html)
+ [wafv2-rulegroup-not-empty](./wafv2-rulegroup-not-empty.html)
+ [wafv2-webacl-not-empty](./wafv2-webacl-not-empty.html)
+ [waf-global-rulegroup-not-empty](./waf-global-rulegroup-not-empty.html)
+ [waf-global-rule-not-empty](./waf-global-rule-not-empty.html)
+ [waf-regional-rulegroup-not-empty](./waf-regional-rulegroup-not-empty.html)
+ [waf-regional-rule-not-empty](./waf-regional-rule-not-empty.html)
+ [waf-regional-webacl-not-empty](./waf-regional-webacl-not-empty.html)

## Europe (Zurich) Region
<a name="europe-zurich-section-head"></a>

### Europe (Zurich)
<a name="europe-zurich"></a>
+ [account-part-of-organizations](./account-part-of-organizations.html)
+ [acmpca-certificate-authority-tagged](./acmpca-certificate-authority-tagged.html)
+ [acm-certificate-expiration-check](./acm-certificate-expiration-check.html)
+ [acm-certificate-rsa-check](./acm-certificate-rsa-check.html)
+ [acm-certificate-transparent-logging-enabled](./acm-certificate-transparent-logging-enabled.html)
+ [acm-pca-root-ca-disabled](./acm-pca-root-ca-disabled.html)
+ [alb-desync-mode-check](./alb-desync-mode-check.html)
+ [alb-http-drop-invalid-header-enabled](./alb-http-drop-invalid-header-enabled.html)
+ [alb-http-to-https-redirection-check](./alb-http-to-https-redirection-check.html)
+ [alb-internal-scheme-check](./alb-internal-scheme-check.html)
+ [alb-tagged](./alb-tagged.html)
+ [alb-waf-enabled](./alb-waf-enabled.html)
+ [apigatewayv2-integration-private-https-enabled](./apigatewayv2-integration-private-https-enabled.html)
+ [apigatewayv2-stage-description](./apigatewayv2-stage-description.html)
+ [apigateway-domain-name-tls-check](./apigateway-domain-name-tls-check.html)
+ [apigateway-stage-access-logs-enabled](./apigateway-stage-access-logs-enabled.html)
+ [apigateway-stage-description](./apigateway-stage-description.html)
+ [api-gwv2-access-logs-enabled](./api-gwv2-access-logs-enabled.html)
+ [api-gwv2-stage-default-route-detailed-metrics-enabled](./api-gwv2-stage-default-route-detailed-metrics-enabled.html)
+ [api-gw-associated-with-waf](./api-gw-associated-with-waf.html)
+ [api-gw-cache-enabled-and-encrypted](./api-gw-cache-enabled-and-encrypted.html)
+ [api-gw-endpoint-type-check](./api-gw-endpoint-type-check.html)
+ [api-gw-execution-logging-enabled](./api-gw-execution-logging-enabled.html)
+ [api-gw-rest-api-tagged](./api-gw-rest-api-tagged.html)
+ [api-gw-ssl-enabled](./api-gw-ssl-enabled.html)
+ [api-gw-stage-tagged](./api-gw-stage-tagged.html)
+ [api-gw-xray-enabled](./api-gw-xray-enabled.html)
+ [appconfig-deployment-strategy-description](./appconfig-deployment-strategy-description.html)
+ [appconfig-deployment-strategy-minimum-final-bake-time](./appconfig-deployment-strategy-minimum-final-bake-time.html)
+ [appconfig-deployment-strategy-replicate-to-ssm](./appconfig-deployment-strategy-replicate-to-ssm.html)
+ [appconfig-deployment-strategy-tagged](./appconfig-deployment-strategy-tagged.html)
+ [appconfig-extension-association-tagged](./appconfig-extension-association-tagged.html)
+ [approved-amis-by-id](./approved-amis-by-id.html)
+ [approved-amis-by-tag](./approved-amis-by-tag.html)
+ [appsync-authorization-check](./appsync-authorization-check.html)
+ [appsync-graphql-api-xray-enabled](./appsync-graphql-api-xray-enabled.html)
+ [appsync-logging-enabled](./appsync-logging-enabled.html)
+ [athena-data-catalog-description](./athena-data-catalog-description.html)
+ [athena-prepared-statement-description](./athena-prepared-statement-description.html)
+ [athena-workgroup-description](./athena-workgroup-description.html)
+ [athena-workgroup-enforce-workgroup-configuration](./athena-workgroup-enforce-workgroup-configuration.html)
+ [athena-workgroup-engine-version-auto-upgrade](./athena-workgroup-engine-version-auto-upgrade.html)
+ [athena-workgroup-logging-enabled](./athena-workgroup-logging-enabled.html)
+ [aurora-global-database-encryption-at-rest](./aurora-global-database-encryption-at-rest.html)
+ [aurora-last-backup-recovery-point-created](./aurora-last-backup-recovery-point-created.html)
+ [aurora-meets-restore-time-target](./aurora-meets-restore-time-target.html)
+ [aurora-mysql-backtracking-enabled](./aurora-mysql-backtracking-enabled.html)
+ [aurora-mysql-cluster-audit-logging](./aurora-mysql-cluster-audit-logging.html)
+ [aurora-resources-in-logically-air-gapped-vault](./aurora-resources-in-logically-air-gapped-vault.html)
+ [aurora-resources-protected-by-backup-plan](./aurora-resources-protected-by-backup-plan.html)
+ [autoscaling-group-elb-healthcheck-required](./autoscaling-group-elb-healthcheck-required.html)
+ [autoscaling-launchconfig-requires-imdsv2](./autoscaling-launchconfig-requires-imdsv2.html)
+ [autoscaling-launch-config-hop-limit](./autoscaling-launch-config-hop-limit.html)
+ [autoscaling-launch-config-public-ip-disabled](./autoscaling-launch-config-public-ip-disabled.html)
+ [autoscaling-launch-template](./autoscaling-launch-template.html)
+ [autoscaling-multiple-az](./autoscaling-multiple-az.html)
+ [autoscaling-multiple-instance-types](./autoscaling-multiple-instance-types.html)
+ [backup-plan-min-frequency-and-min-retention-check](./backup-plan-min-frequency-and-min-retention-check.html)
+ [backup-recovery-point-encrypted](./backup-recovery-point-encrypted.html)
+ [backup-recovery-point-manual-deletion-disabled](./backup-recovery-point-manual-deletion-disabled.html)
+ [backup-recovery-point-minimum-retention-check](./backup-recovery-point-minimum-retention-check.html)
+ [batch-compute-environment-enabled](./batch-compute-environment-enabled.html)
+ [batch-compute-environment-managed](./batch-compute-environment-managed.html)
+ [batch-compute-environment-tagged](./batch-compute-environment-tagged.html)
+ [batch-job-queue-enabled](./batch-job-queue-enabled.html)
+ [batch-job-queue-tagged](./batch-job-queue-tagged.html)
+ [batch-managed-compute-environment-using-launch-template](./batch-managed-compute-environment-using-launch-template.html)
+ [batch-managed-compute-env-allocation-strategy-check](./batch-managed-compute-env-allocation-strategy-check.html)
+ [batch-managed-compute-env-compute-resources-tagged](./batch-managed-compute-env-compute-resources-tagged.html)
+ [batch-managed-spot-compute-environment-max-bid](./batch-managed-spot-compute-environment-max-bid.html)
+ [batch-scheduling-policy-tagged](./batch-scheduling-policy-tagged.html)
+ [beanstalk-enhanced-health-reporting-enabled](./beanstalk-enhanced-health-reporting-enabled.html)
+ [clb-multiple-az](./clb-multiple-az.html)
+ [cloudformation-stack-drift-detection-check](./cloudformation-stack-drift-detection-check.html)
+ [cloudformation-stack-notification-check](./cloudformation-stack-notification-check.html)
+ [cloudtrail-all-read-s3-data-event-check](./cloudtrail-all-read-s3-data-event-check.html)
+ [cloudtrail-all-write-s3-data-event-check](./cloudtrail-all-write-s3-data-event-check.html)
+ [cloudtrail-event-data-store-multi-region](./cloudtrail-event-data-store-multi-region.html)
+ [cloudtrail-s3-bucket-access-logging](./cloudtrail-s3-bucket-access-logging.html)
+ [cloudtrail-s3-bucket-public-access-prohibited](./cloudtrail-s3-bucket-public-access-prohibited.html)
+ [cloudtrail-s3-dataevents-enabled](./cloudtrail-s3-dataevents-enabled.html)
+ [cloudtrail-security-trail-enabled](./cloudtrail-security-trail-enabled.html)
+ [cloudwatch-alarm-action-check](./cloudwatch-alarm-action-check.html)
+ [cloudwatch-alarm-action-enabled-check](./cloudwatch-alarm-action-enabled-check.html)
+ [cloudwatch-alarm-description](./cloudwatch-alarm-description.html)
+ [cloudwatch-alarm-resource-check](./cloudwatch-alarm-resource-check.html)
+ [cloudwatch-alarm-settings-check](./cloudwatch-alarm-settings-check.html)
+ [cloudwatch-log-group-encrypted](./cloudwatch-log-group-encrypted.html)
+ [cloudwatch-metric-stream-tagged](./cloudwatch-metric-stream-tagged.html)
+ [cloud-trail-cloud-watch-logs-enabled](./cloud-trail-cloud-watch-logs-enabled.html)
+ [cloud-trail-enabled](./cloud-trail-enabled.html)
+ [cloud-trail-encryption-enabled](./cloud-trail-encryption-enabled.html)
+ [cloud-trail-log-file-validation-enabled](./cloud-trail-log-file-validation-enabled.html)
+ [cmk-backing-key-rotation-enabled](./cmk-backing-key-rotation-enabled.html)
+ [codebuild-project-envvar-awscred-check](./codebuild-project-envvar-awscred-check.html)
+ [codebuild-project-logging-enabled](./codebuild-project-logging-enabled.html)
+ [codebuild-project-s3-logs-encrypted](./codebuild-project-s3-logs-encrypted.html)
+ [codebuild-project-source-repo-url-check](./codebuild-project-source-repo-url-check.html)
+ [codebuild-project-tagged](./codebuild-project-tagged.html)
+ [codebuild-report-group-encrypted-at-rest](./codebuild-report-group-encrypted-at-rest.html)
+ [codebuild-report-group-tagged](./codebuild-report-group-tagged.html)
+ [cognito-identity-pool-unauthenticated-logins](./cognito-identity-pool-unauthenticated-logins.html)
+ [cognito-identity-pool-unauth-access-check](./cognito-identity-pool-unauth-access-check.html)
+ [cognito-userpool-cust-auth-threat-full-check](./cognito-userpool-cust-auth-threat-full-check.html)
+ [cognito-user-pool-deletion-protection-enabled](./cognito-user-pool-deletion-protection-enabled.html)
+ [cognito-user-pool-mfa-enabled](./cognito-user-pool-mfa-enabled.html)
+ [cognito-user-pool-password-policy-check](./cognito-user-pool-password-policy-check.html)
+ [cognito-user-pool-tagged](./cognito-user-pool-tagged.html)
+ [custom-eventbus-policy-attached](./custom-eventbus-policy-attached.html)
+ [cw-loggroup-retention-period-check](./cw-loggroup-retention-period-check.html)
+ [datasync-location-object-storage-using-https](./datasync-location-object-storage-using-https.html)
+ [datasync-task-data-verification-enabled](./datasync-task-data-verification-enabled.html)
+ [datasync-task-logging-enabled](./datasync-task-logging-enabled.html)
+ [datasync-task-tagged](./datasync-task-tagged.html)
+ [db-instance-backup-enabled](./db-instance-backup-enabled.html)
+ [desired-instance-tenancy](./desired-instance-tenancy.html)
+ [desired-instance-type](./desired-instance-type.html)
+ [dms-replication-not-public](./dms-replication-not-public.html)
+ [dynamodb-autoscaling-enabled](./dynamodb-autoscaling-enabled.html)
+ [dynamodb-in-backup-plan](./dynamodb-in-backup-plan.html)
+ [dynamodb-last-backup-recovery-point-created](./dynamodb-last-backup-recovery-point-created.html)
+ [dynamodb-meets-restore-time-target](./dynamodb-meets-restore-time-target.html)
+ [dynamodb-pitr-enabled](./dynamodb-pitr-enabled.html)
+ [dynamodb-resources-protected-by-backup-plan](./dynamodb-resources-protected-by-backup-plan.html)
+ [dynamodb-table-deletion-protection-enabled](./dynamodb-table-deletion-protection-enabled.html)
+ [dynamodb-table-encrypted-kms](./dynamodb-table-encrypted-kms.html)
+ [dynamodb-table-encryption-enabled](./dynamodb-table-encryption-enabled.html)
+ [dynamodb-throughput-limit-check](./dynamodb-throughput-limit-check.html)
+ [ebs-in-backup-plan](./ebs-in-backup-plan.html)
+ [ebs-last-backup-recovery-point-created](./ebs-last-backup-recovery-point-created.html)
+ [ebs-meets-restore-time-target](./ebs-meets-restore-time-target.html)
+ [ebs-optimized-instance](./ebs-optimized-instance.html)
+ [ebs-resources-in-logically-air-gapped-vault](./ebs-resources-in-logically-air-gapped-vault.html)
+ [ebs-resources-protected-by-backup-plan](./ebs-resources-protected-by-backup-plan.html)
+ [ebs-snapshot-block-public-access](./ebs-snapshot-block-public-access.html)
+ [ebs-snapshot-public-restorable-check](./ebs-snapshot-public-restorable-check.html)
+ [ec2-capacity-reservation-tagged](./ec2-capacity-reservation-tagged.html)
+ [ec2-client-vpn-connection-log-enabled](./ec2-client-vpn-connection-log-enabled.html)
+ [ec2-client-vpn-endpoint-tagged](./ec2-client-vpn-endpoint-tagged.html)
+ [ec2-dhcp-options-tagged](./ec2-dhcp-options-tagged.html)
+ [ec2-ebs-encryption-by-default](./ec2-ebs-encryption-by-default.html)
+ [ec2-enis-source-destination-check-enabled](./ec2-enis-source-destination-check-enabled.html)
+ [ec2-fleet-tagged](./ec2-fleet-tagged.html)
+ [ec2-imdsv2-check](./ec2-imdsv2-check.html)
+ [ec2-instance-detailed-monitoring-enabled](./ec2-instance-detailed-monitoring-enabled.html)
+ [ec2-instance-launched-with-allowed-ami](./ec2-instance-launched-with-allowed-ami.html)
+ [ec2-instance-managed-by-ssm](./ec2-instance-managed-by-ssm.html)
+ [ec2-instance-multiple-eni-check](./ec2-instance-multiple-eni-check.html)
+ [ec2-instance-no-public-ip](./ec2-instance-no-public-ip.html)
+ [ec2-instance-profile-attached](./ec2-instance-profile-attached.html)
+ [ec2-ipamscope-tagged](./ec2-ipamscope-tagged.html)
+ [ec2-last-backup-recovery-point-created](./ec2-last-backup-recovery-point-created.html)
+ [ec2-managedinstance-applications-blacklisted](./ec2-managedinstance-applications-blacklisted.html)
+ [ec2-managedinstance-applications-required](./ec2-managedinstance-applications-required.html)
+ [ec2-managedinstance-inventory-blacklisted](./ec2-managedinstance-inventory-blacklisted.html)
+ [ec2-managedinstance-patch-compliance-status-check](./ec2-managedinstance-patch-compliance-status-check.html)
+ [ec2-managedinstance-platform-check](./ec2-managedinstance-platform-check.html)
+ [ec2-meets-restore-time-target](./ec2-meets-restore-time-target.html)
+ [ec2-prefix-list-tagged](./ec2-prefix-list-tagged.html)
+ [ec2-resources-in-logically-air-gapped-vault](./ec2-resources-in-logically-air-gapped-vault.html)
+ [ec2-resources-protected-by-backup-plan](./ec2-resources-protected-by-backup-plan.html)
+ [ec2-security-group-attached-to-eni](./ec2-security-group-attached-to-eni.html)
+ [ec2-spot-fleet-request-ct-encryption-at-rest](./ec2-spot-fleet-request-ct-encryption-at-rest.html)
+ [ec2-stopped-instance](./ec2-stopped-instance.html)
+ [ec2-traffic-mirror-filter-description](./ec2-traffic-mirror-filter-description.html)
+ [ec2-traffic-mirror-filter-tagged](./ec2-traffic-mirror-filter-tagged.html)
+ [ec2-traffic-mirror-session-description](./ec2-traffic-mirror-session-description.html)
+ [ec2-traffic-mirror-session-tagged](./ec2-traffic-mirror-session-tagged.html)
+ [ec2-traffic-mirror-target-description](./ec2-traffic-mirror-target-description.html)
+ [ec2-traffic-mirror-target-tagged](./ec2-traffic-mirror-target-tagged.html)
+ [ec2-transit-gateway-auto-vpc-attach-disabled](./ec2-transit-gateway-auto-vpc-attach-disabled.html)
+ [ec2-transit-gateway-multicast-domain-tagged](./ec2-transit-gateway-multicast-domain-tagged.html)
+ [ec2-volume-inuse-check](./ec2-volume-inuse-check.html)
+ [ec2-vpn-connection-ike-version-check](./ec2-vpn-connection-ike-version-check.html)
+ [ec2-vpn-connection-logging-enabled](./ec2-vpn-connection-logging-enabled.html)
+ [ec2-vpn-connection-tagged](./ec2-vpn-connection-tagged.html)
+ [ecr-private-image-scanning-enabled](./ecr-private-image-scanning-enabled.html)
+ [ecr-private-lifecycle-policy-configured](./ecr-private-lifecycle-policy-configured.html)
+ [ecr-private-tag-immutability-enabled](./ecr-private-tag-immutability-enabled.html)
+ [ecr-repository-cmk-encryption-enabled](./ecr-repository-cmk-encryption-enabled.html)
+ [ecr-repository-tagged](./ecr-repository-tagged.html)
+ [ecs-capacity-provider-tagged](./ecs-capacity-provider-tagged.html)
+ [ecs-capacity-provider-termination-check](./ecs-capacity-provider-termination-check.html)
+ [ecs-containers-nonprivileged](./ecs-containers-nonprivileged.html)
+ [ecs-containers-readonly-access](./ecs-containers-readonly-access.html)
+ [ecs-container-insights-enabled](./ecs-container-insights-enabled.html)
+ [ecs-fargate-latest-platform-version](./ecs-fargate-latest-platform-version.html)
+ [ecs-no-environment-secrets](./ecs-no-environment-secrets.html)
+ [ecs-service-propagate-tags-enabled](./ecs-service-propagate-tags-enabled.html)
+ [ecs-task-definition-efs-encryption-enabled](./ecs-task-definition-efs-encryption-enabled.html)
+ [ecs-task-definition-linux-user-non-root](./ecs-task-definition-linux-user-non-root.html)
+ [ecs-task-definition-log-configuration](./ecs-task-definition-log-configuration.html)
+ [ecs-task-definition-network-mode-not-host](./ecs-task-definition-network-mode-not-host.html)
+ [ecs-task-definition-pid-mode-check](./ecs-task-definition-pid-mode-check.html)
+ [ecs-task-definition-user-for-host-mode-check](./ecs-task-definition-user-for-host-mode-check.html)
+ [ecs-task-definition-windows-user-non-admin](./ecs-task-definition-windows-user-non-admin.html)
+ [efs-access-point-enforce-root-directory](./efs-access-point-enforce-root-directory.html)
+ [efs-access-point-enforce-user-identity](./efs-access-point-enforce-user-identity.html)
+ [efs-automatic-backups-enabled](./efs-automatic-backups-enabled.html)
+ [efs-encrypted-check](./efs-encrypted-check.html)
+ [efs-filesystem-ct-encrypted](./efs-filesystem-ct-encrypted.html)
+ [efs-file-system-tagged](./efs-file-system-tagged.html)
+ [efs-in-backup-plan](./efs-in-backup-plan.html)
+ [efs-last-backup-recovery-point-created](./efs-last-backup-recovery-point-created.html)
+ [efs-meets-restore-time-target](./efs-meets-restore-time-target.html)
+ [efs-mount-target-public-accessible](./efs-mount-target-public-accessible.html)
+ [efs-resources-in-logically-air-gapped-vault](./efs-resources-in-logically-air-gapped-vault.html)
+ [efs-resources-protected-by-backup-plan](./efs-resources-protected-by-backup-plan.html)
+ [eip-attached](./eip-attached.html)
+ [eks-addon-tagged](./eks-addon-tagged.html)
+ [eks-cluster-log-enabled](./eks-cluster-log-enabled.html)
+ [eks-cluster-secrets-encrypted](./eks-cluster-secrets-encrypted.html)
+ [eks-cluster-supported-version](./eks-cluster-supported-version.html)
+ [eks-endpoint-no-public-access](./eks-endpoint-no-public-access.html)
+ [eks-fargate-profile-tagged](./eks-fargate-profile-tagged.html)
+ [eks-nodegroup-supported-version-check](./eks-nodegroup-supported-version-check.html)
+ [eks-secrets-encrypted](./eks-secrets-encrypted.html)
+ [elasticache-automatic-backup-check-enabled](./elasticache-automatic-backup-check-enabled.html)
+ [elasticache-auto-minor-version-upgrade-check](./elasticache-auto-minor-version-upgrade-check.html)
+ [elasticache-redis-cluster-automatic-backup-check](./elasticache-redis-cluster-automatic-backup-check.html)
+ [elasticache-repl-grp-auto-failover-enabled](./elasticache-repl-grp-auto-failover-enabled.html)
+ [elasticache-repl-grp-encrypted-at-rest](./elasticache-repl-grp-encrypted-at-rest.html)
+ [elasticache-repl-grp-encrypted-in-transit](./elasticache-repl-grp-encrypted-in-transit.html)
+ [elasticsearch-encrypted-at-rest](./elasticsearch-encrypted-at-rest.html)
+ [elasticsearch-in-vpc-only](./elasticsearch-in-vpc-only.html)
+ [elasticsearch-logs-to-cloudwatch](./elasticsearch-logs-to-cloudwatch.html)
+ [elasticsearch-node-to-node-encryption-check](./elasticsearch-node-to-node-encryption-check.html)
+ [elastic-beanstalk-managed-updates-enabled](./elastic-beanstalk-managed-updates-enabled.html)
+ [elbv2-multiple-az](./elbv2-multiple-az.html)
+ [elbv2-targetgroup-healthcheck-protocol-encrypted](./elbv2-targetgroup-healthcheck-protocol-encrypted.html)
+ [elbv2-targetgroup-protocol-encrypted](./elbv2-targetgroup-protocol-encrypted.html)
+ [elb-cross-zone-load-balancing-enabled](./elb-cross-zone-load-balancing-enabled.html)
+ [elb-custom-security-policy-ssl-check](./elb-custom-security-policy-ssl-check.html)
+ [elb-deletion-protection-enabled](./elb-deletion-protection-enabled.html)
+ [elb-internal-scheme-check](./elb-internal-scheme-check.html)
+ [elb-logging-enabled](./elb-logging-enabled.html)
+ [elb-predefined-security-policy-ssl-check](./elb-predefined-security-policy-ssl-check.html)
+ [elb-tagged](./elb-tagged.html)
+ [elb-tls-https-listeners-only](./elb-tls-https-listeners-only.html)
+ [emr-block-public-access](./emr-block-public-access.html)
+ [emr-kerberos-enabled](./emr-kerberos-enabled.html)
+ [emr-master-no-public-ip](./emr-master-no-public-ip.html)
+ [emr-security-configuration-encryption-rest](./emr-security-configuration-encryption-rest.html)
+ [emr-security-configuration-encryption-transit](./emr-security-configuration-encryption-transit.html)
+ [encrypted-volumes](./encrypted-volumes.html)
+ [eventschemas-discoverer-tagged](./eventschemas-discoverer-tagged.html)
+ [eventschemas-registry-tagged](./eventschemas-registry-tagged.html)
+ [event-data-store-cmk-encryption-enabled](./event-data-store-cmk-encryption-enabled.html)
+ [fms-shield-resource-policy-check](./fms-shield-resource-policy-check.html)
+ [fms-webacl-resource-policy-check](./fms-webacl-resource-policy-check.html)
+ [fms-webacl-rulegroup-association-check](./fms-webacl-rulegroup-association-check.html)
+ [fsx-last-backup-recovery-point-created](./fsx-last-backup-recovery-point-created.html)
+ [fsx-lustre-copy-tags-to-backups](./fsx-lustre-copy-tags-to-backups.html)
+ [fsx-meets-restore-time-target](./fsx-meets-restore-time-target.html)
+ [fsx-ontap-deployment-type-check](./fsx-ontap-deployment-type-check.html)
+ [fsx-openzfs-copy-tags-enabled](./fsx-openzfs-copy-tags-enabled.html)
+ [fsx-openzfs-deployment-type-check](./fsx-openzfs-deployment-type-check.html)
+ [fsx-resources-protected-by-backup-plan](./fsx-resources-protected-by-backup-plan.html)
+ [fsx-windows-audit-log-configured](./fsx-windows-audit-log-configured.html)
+ [fsx-windows-deployment-type-check](./fsx-windows-deployment-type-check.html)
+ [glb-tagged](./glb-tagged.html)
+ [glue-job-logging-enabled](./glue-job-logging-enabled.html)
+ [glue-ml-transform-encrypted-at-rest](./glue-ml-transform-encrypted-at-rest.html)
+ [glue-ml-transform-tagged](./glue-ml-transform-tagged.html)
+ [glue-spark-job-supported-version](./glue-spark-job-supported-version.html)
+ [guardduty-ec2-protection-runtime-enabled](./guardduty-ec2-protection-runtime-enabled.html)
+ [guardduty-ecs-protection-runtime-enabled](./guardduty-ecs-protection-runtime-enabled.html)
+ [guardduty-eks-protection-audit-enabled](./guardduty-eks-protection-audit-enabled.html)
+ [guardduty-eks-protection-runtime-enabled](./guardduty-eks-protection-runtime-enabled.html)
+ [guardduty-enabled-centralized](./guardduty-enabled-centralized.html)
+ [guardduty-lambda-protection-enabled](./guardduty-lambda-protection-enabled.html)
+ [guardduty-malware-protection-enabled](./guardduty-malware-protection-enabled.html)
+ [guardduty-non-archived-findings](./guardduty-non-archived-findings.html)
+ [guardduty-rds-protection-enabled](./guardduty-rds-protection-enabled.html)
+ [guardduty-runtime-monitoring-enabled](./guardduty-runtime-monitoring-enabled.html)
+ [guardduty-s3-protection-enabled](./guardduty-s3-protection-enabled.html)
+ [iam-external-access-analyzer-enabled](./iam-external-access-analyzer-enabled.html)
+ [iam-password-policy](./iam-password-policy.html)
+ [imagebuilder-distributionconfiguration-tagged](./imagebuilder-distributionconfiguration-tagged.html)
+ [imagebuilder-imagepipeline-tagged](./imagebuilder-imagepipeline-tagged.html)
+ [imagebuilder-imagerecipe-ebs-volumes-encrypted](./imagebuilder-imagerecipe-ebs-volumes-encrypted.html)
+ [imagebuilder-imagerecipe-tagged](./imagebuilder-imagerecipe-tagged.html)
+ [imagebuilder-infrastructureconfiguration-tagged](./imagebuilder-infrastructureconfiguration-tagged.html)
+ [incoming-ssh-disabled](./incoming-ssh-disabled.html)
+ [inspector-ec2-scan-enabled](./inspector-ec2-scan-enabled.html)
+ [inspector-ecr-scan-enabled](./inspector-ecr-scan-enabled.html)
+ [inspector-lambda-standard-scan-enabled](./inspector-lambda-standard-scan-enabled.html)
+ [instances-in-vpc](./instances-in-vpc.html)
+ [internet-gateway-authorized-vpc-only](./internet-gateway-authorized-vpc-only.html)
+ [kinesis-firehose-delivery-stream-encrypted](./kinesis-firehose-delivery-stream-encrypted.html)
+ [kinesis-stream-backup-retention-check](./kinesis-stream-backup-retention-check.html)
+ [kinesis-stream-encrypted](./kinesis-stream-encrypted.html)
+ [kms-cmk-not-scheduled-for-deletion](./kms-cmk-not-scheduled-for-deletion.html)
+ [kms-key-policy-no-public-access](./kms-key-policy-no-public-access.html)
+ [kms-key-tagged](./kms-key-tagged.html)
+ [lambda-concurrency-check](./lambda-concurrency-check.html)
+ [lambda-dlq-check](./lambda-dlq-check.html)
+ [lambda-function-application-log-level-check](./lambda-function-application-log-level-check.html)
+ [lambda-function-description](./lambda-function-description.html)
+ [lambda-function-log-format-json](./lambda-function-log-format-json.html)
+ [lambda-function-public-access-prohibited](./lambda-function-public-access-prohibited.html)
+ [lambda-function-settings-check](./lambda-function-settings-check.html)
+ [lambda-function-system-log-level-check](./lambda-function-system-log-level-check.html)
+ [lambda-function-xray-enabled](./lambda-function-xray-enabled.html)
+ [lambda-inside-vpc](./lambda-inside-vpc.html)
+ [lambda-vpc-multi-az-check](./lambda-vpc-multi-az-check.html)
+ [mariadb-publish-logs-to-cloudwatch-logs](./mariadb-publish-logs-to-cloudwatch-logs.html)
+ [msk-cluster-public-access-disabled](./msk-cluster-public-access-disabled.html)
+ [msk-cluster-tagged](./msk-cluster-tagged.html)
+ [msk-enhanced-monitoring-enabled](./msk-enhanced-monitoring-enabled.html)
+ [msk-in-cluster-node-require-tls](./msk-in-cluster-node-require-tls.html)
+ [msk-unrestricted-access-check](./msk-unrestricted-access-check.html)
+ [multi-region-cloud-trail-enabled](./multi-region-cloud-trail-enabled.html)
+ [nacl-no-unrestricted-ssh-rdp](./nacl-no-unrestricted-ssh-rdp.html)
+ [neptune-cluster-deletion-protection-enabled](./neptune-cluster-deletion-protection-enabled.html)
+ [netfw-deletion-protection-enabled](./netfw-deletion-protection-enabled.html)
+ [netfw-logging-enabled](./netfw-logging-enabled.html)
+ [netfw-multi-az-enabled](./netfw-multi-az-enabled.html)
+ [netfw-policy-default-action-fragment-packets](./netfw-policy-default-action-fragment-packets.html)
+ [netfw-policy-default-action-full-packets](./netfw-policy-default-action-full-packets.html)
+ [netfw-policy-rule-group-associated](./netfw-policy-rule-group-associated.html)
+ [netfw-stateless-rule-group-not-empty](./netfw-stateless-rule-group-not-empty.html)
+ [netfw-subnet-change-protection-enabled](./netfw-subnet-change-protection-enabled.html)
+ [nlb-internal-scheme-check](./nlb-internal-scheme-check.html)
+ [nlb-logging-enabled](./nlb-logging-enabled.html)
+ [nlb-tagged](./nlb-tagged.html)
+ [no-unrestricted-route-to-igw](./no-unrestricted-route-to-igw.html)
+ [rds-aurora-mysql-audit-logging-enabled](./rds-aurora-mysql-audit-logging-enabled.html)
+ [rds-aurora-postgresql-logs-to-cloudwatch](./rds-aurora-postgresql-logs-to-cloudwatch.html)
+ [rds-automatic-minor-version-upgrade-enabled](./rds-automatic-minor-version-upgrade-enabled.html)
+ [rds-cluster-backup-retention-check](./rds-cluster-backup-retention-check.html)
+ [rds-cluster-default-admin-check](./rds-cluster-default-admin-check.html)
+ [rds-cluster-deletion-protection-enabled](./rds-cluster-deletion-protection-enabled.html)
+ [rds-cluster-encrypted-at-rest](./rds-cluster-encrypted-at-rest.html)
+ [rds-cluster-iam-authentication-enabled](./rds-cluster-iam-authentication-enabled.html)
+ [rds-cluster-multi-az-enabled](./rds-cluster-multi-az-enabled.html)
+ [rds-enhanced-monitoring-enabled](./rds-enhanced-monitoring-enabled.html)
+ [rds-event-subscription-tagged](./rds-event-subscription-tagged.html)
+ [rds-global-cluster-aurora-mysql-supported-version](./rds-global-cluster-aurora-mysql-supported-version.html)
+ [rds-instance-default-admin-check](./rds-instance-default-admin-check.html)
+ [rds-instance-deletion-protection-enabled](./rds-instance-deletion-protection-enabled.html)
+ [rds-instance-iam-authentication-enabled](./rds-instance-iam-authentication-enabled.html)
+ [rds-instance-public-access-check](./rds-instance-public-access-check.html)
+ [rds-instance-subnet-igw-check](./rds-instance-subnet-igw-check.html)
+ [rds-in-backup-plan](./rds-in-backup-plan.html)
+ [rds-last-backup-recovery-point-created](./rds-last-backup-recovery-point-created.html)
+ [rds-logging-enabled](./rds-logging-enabled.html)
+ [rds-mariadb-instance-encrypted-in-transit](./rds-mariadb-instance-encrypted-in-transit.html)
+ [rds-meets-restore-time-target](./rds-meets-restore-time-target.html)
+ [rds-multi-az-support](./rds-multi-az-support.html)
+ [rds-mysql-cluster-copy-tags-to-snapshot-check](./rds-mysql-cluster-copy-tags-to-snapshot-check.html)
+ [rds-mysql-instance-encrypted-in-transit](./rds-mysql-instance-encrypted-in-transit.html)
+ [rds-option-group-tagged](./rds-option-group-tagged.html)
+ [rds-pgsql-cluster-copy-tags-to-snapshot-check](./rds-pgsql-cluster-copy-tags-to-snapshot-check.html)
+ [rds-postgresql-logs-to-cloudwatch](./rds-postgresql-logs-to-cloudwatch.html)
+ [rds-postgres-instance-encrypted-in-transit](./rds-postgres-instance-encrypted-in-transit.html)
+ [rds-proxy-tls-encryption](./rds-proxy-tls-encryption.html)
+ [rds-resources-protected-by-backup-plan](./rds-resources-protected-by-backup-plan.html)
+ [rds-snapshot-encrypted](./rds-snapshot-encrypted.html)
+ [rds-sqlserver-encrypted-in-transit](./rds-sqlserver-encrypted-in-transit.html)
+ [rds-sql-server-logs-to-cloudwatch](./rds-sql-server-logs-to-cloudwatch.html)
+ [rds-storage-encrypted](./rds-storage-encrypted.html)
+ [redshift-backup-enabled](./redshift-backup-enabled.html)
+ [redshift-cluster-configuration-check](./redshift-cluster-configuration-check.html)
+ [redshift-cluster-kms-enabled](./redshift-cluster-kms-enabled.html)
+ [redshift-cluster-maintenancesettings-check](./redshift-cluster-maintenancesettings-check.html)
+ [redshift-cluster-multi-az-enabled](./redshift-cluster-multi-az-enabled.html)
+ [redshift-cluster-parameter-group-tagged](./redshift-cluster-parameter-group-tagged.html)
+ [redshift-cluster-public-access-check](./redshift-cluster-public-access-check.html)
+ [redshift-cluster-subnet-group-multi-az](./redshift-cluster-subnet-group-multi-az.html)
+ [redshift-default-admin-check](./redshift-default-admin-check.html)
+ [redshift-default-db-name-check](./redshift-default-db-name-check.html)
+ [redshift-enhanced-vpc-routing-enabled](./redshift-enhanced-vpc-routing-enabled.html)
+ [redshift-require-tls-ssl](./redshift-require-tls-ssl.html)
+ [redshift-serverless-default-admin-check](./redshift-serverless-default-admin-check.html)
+ [redshift-serverless-default-db-name-check](./redshift-serverless-default-db-name-check.html)
+ [redshift-serverless-namespace-cmk-encryption](./redshift-serverless-namespace-cmk-encryption.html)
+ [redshift-serverless-publish-logs-to-cloudwatch](./redshift-serverless-publish-logs-to-cloudwatch.html)
+ [redshift-serverless-workgroup-encrypted-in-transit](./redshift-serverless-workgroup-encrypted-in-transit.html)
+ [redshift-serverless-workgroup-no-public-access](./redshift-serverless-workgroup-no-public-access.html)
+ [redshift-serverless-workgroup-routes-within-vpc](./redshift-serverless-workgroup-routes-within-vpc.html)
+ [redshift-unrestricted-port-access](./redshift-unrestricted-port-access.html)
+ [required-tags](./required-tags.html)
+ [restricted-incoming-traffic](./restricted-incoming-traffic.html)
+ [root-account-hardware-mfa-enabled](./root-account-hardware-mfa-enabled.html)
+ [root-account-mfa-enabled](./root-account-mfa-enabled.html)
+ [route53-resolver-resolver-endpoint-tagged](./route53-resolver-resolver-endpoint-tagged.html)
+ [route53-resolver-resolver-rule-tagged](./route53-resolver-resolver-rule-tagged.html)
+ [rum-app-monitor-cloudwatch-logs-enabled](./rum-app-monitor-cloudwatch-logs-enabled.html)
+ [rum-app-monitor-tagged](./rum-app-monitor-tagged.html)
+ [s3-access-point-in-vpc-only](./s3-access-point-in-vpc-only.html)
+ [s3-access-point-public-access-blocks](./s3-access-point-public-access-blocks.html)
+ [s3-account-level-public-access-blocks](./s3-account-level-public-access-blocks.html)
+ [s3-account-level-public-access-blocks-periodic](./s3-account-level-public-access-blocks-periodic.html)
+ [s3-bucket-acl-prohibited](./s3-bucket-acl-prohibited.html)
+ [s3-bucket-blacklisted-actions-prohibited](./s3-bucket-blacklisted-actions-prohibited.html)
+ [s3-bucket-cross-region-replication-enabled](./s3-bucket-cross-region-replication-enabled.html)
+ [s3-bucket-default-lock-enabled](./s3-bucket-default-lock-enabled.html)
+ [s3-bucket-level-public-access-prohibited](./s3-bucket-level-public-access-prohibited.html)
+ [s3-bucket-logging-enabled](./s3-bucket-logging-enabled.html)
+ [s3-bucket-policy-grantee-check](./s3-bucket-policy-grantee-check.html)
+ [s3-bucket-policy-not-more-permissive](./s3-bucket-policy-not-more-permissive.html)
+ [s3-bucket-public-read-prohibited](./s3-bucket-public-read-prohibited.html)
+ [s3-bucket-public-write-prohibited](./s3-bucket-public-write-prohibited.html)
+ [s3-bucket-replication-enabled](./s3-bucket-replication-enabled.html)
+ [s3-bucket-server-side-encryption-enabled](./s3-bucket-server-side-encryption-enabled.html)
+ [s3-bucket-ssl-requests-only](./s3-bucket-ssl-requests-only.html)
+ [s3-bucket-tagged](./s3-bucket-tagged.html)
+ [s3-bucket-versioning-enabled](./s3-bucket-versioning-enabled.html)
+ [s3-default-encryption-kms](./s3-default-encryption-kms.html)
+ [s3-event-notifications-enabled](./s3-event-notifications-enabled.html)
+ [s3-last-backup-recovery-point-created](./s3-last-backup-recovery-point-created.html)
+ [s3-lifecycle-policy-check](./s3-lifecycle-policy-check.html)
+ [s3-meets-restore-time-target](./s3-meets-restore-time-target.html)
+ [s3-resources-protected-by-backup-plan](./s3-resources-protected-by-backup-plan.html)
+ [s3-version-lifecycle-policy-check](./s3-version-lifecycle-policy-check.html)
+ [sagemaker-endpoint-configuration-kms-key-configured](./sagemaker-endpoint-configuration-kms-key-configured.html)
+ [sagemaker-endpoint-config-prod-instance-count](./sagemaker-endpoint-config-prod-instance-count.html)
+ [sagemaker-featuregroup-encryption-at-rest](./sagemaker-featuregroup-encryption-at-rest.html)
+ [sagemaker-notebook-instance-kms-key-configured](./sagemaker-notebook-instance-kms-key-configured.html)
+ [sagemaker-notebook-instance-platform-version](./sagemaker-notebook-instance-platform-version.html)
+ [sagemaker-notebook-no-direct-internet-access](./sagemaker-notebook-no-direct-internet-access.html)
+ [secretsmanager-rotation-enabled-check](./secretsmanager-rotation-enabled-check.html)
+ [secretsmanager-scheduled-rotation-success-check](./secretsmanager-scheduled-rotation-success-check.html)
+ [secretsmanager-secret-periodic-rotation](./secretsmanager-secret-periodic-rotation.html)
+ [secretsmanager-secret-unused](./secretsmanager-secret-unused.html)
+ [secretsmanager-using-cmk](./secretsmanager-using-cmk.html)
+ [securityhub-enabled](./securityhub-enabled.html)
+ [security-account-information-provided](./security-account-information-provided.html)
+ [service-catalog-portfolio-tagged](./service-catalog-portfolio-tagged.html)
+ [service-catalog-shared-within-organization](./service-catalog-shared-within-organization.html)
+ [service-vpc-endpoint-enabled](./service-vpc-endpoint-enabled.html)
+ [sns-encrypted-kms](./sns-encrypted-kms.html)
+ [sns-topic-no-public-access](./sns-topic-no-public-access.html)
+ [ssm-automation-block-public-sharing](./ssm-automation-block-public-sharing.html)
+ [ssm-automation-logging-enabled](./ssm-automation-logging-enabled.html)
+ [ssm-document-not-public](./ssm-document-not-public.html)
+ [ssm-document-tagged](./ssm-document-tagged.html)
+ [stepfunctions-state-machine-tagged](./stepfunctions-state-machine-tagged.html)
+ [step-functions-state-machine-logging-enabled](./step-functions-state-machine-logging-enabled.html)
+ [storagegateway-last-backup-recovery-point-created](./storagegateway-last-backup-recovery-point-created.html)
+ [storagegateway-resources-in-logically-air-gapped-vault](./storagegateway-resources-in-logically-air-gapped-vault.html)
+ [storagegateway-resources-protected-by-backup-plan](./storagegateway-resources-protected-by-backup-plan.html)
+ [subnet-auto-assign-public-ip-disabled](./subnet-auto-assign-public-ip-disabled.html)
+ [transfer-certificate-description](./transfer-certificate-description.html)
+ [transfer-certificate-tagged](./transfer-certificate-tagged.html)
+ [transfer-connector-as2-encryption-algorithm-check](./transfer-connector-as2-encryption-algorithm-check.html)
+ [transfer-connector-as2-mdn-signing-algorithm-check](./transfer-connector-as2-mdn-signing-algorithm-check.html)
+ [transfer-connector-as2-signing-algorithm-check](./transfer-connector-as2-signing-algorithm-check.html)
+ [transfer-connector-tagged](./transfer-connector-tagged.html)
+ [transfer-family-server-no-ftp](./transfer-family-server-no-ftp.html)
+ [transfer-profile-tagged](./transfer-profile-tagged.html)
+ [transfer-workflow-description](./transfer-workflow-description.html)
+ [transfer-workflow-tagged](./transfer-workflow-tagged.html)
+ [vpc-default-security-group-closed](./vpc-default-security-group-closed.html)
+ [vpc-endpoint-enabled](./vpc-endpoint-enabled.html)
+ [vpc-flow-logs-enabled](./vpc-flow-logs-enabled.html)
+ [vpc-network-acl-unused-check](./vpc-network-acl-unused-check.html)
+ [vpc-sg-open-only-to-authorized-ports](./vpc-sg-open-only-to-authorized-ports.html)
+ [vpc-sg-port-restriction-check](./vpc-sg-port-restriction-check.html)
+ [vpc-vpn-2-tunnels-up](./vpc-vpn-2-tunnels-up.html)
+ [wafv2-logging-enabled](./wafv2-logging-enabled.html)
+ [wafv2-rulegroup-logging-enabled](./wafv2-rulegroup-logging-enabled.html)
+ [waf-global-rulegroup-not-empty](./waf-global-rulegroup-not-empty.html)
+ [waf-global-rule-not-empty](./waf-global-rule-not-empty.html)
+ [waf-regional-rule-not-empty](./waf-regional-rule-not-empty.html)
+ [waf-regional-webacl-not-empty](./waf-regional-webacl-not-empty.html)

## Israel (Tel Aviv) Region
<a name="israel-central-section-head"></a>

### Israel (Tel Aviv)
<a name="israel-central"></a>
+ [account-part-of-organizations](./account-part-of-organizations.html)
+ [acmpca-certificate-authority-tagged](./acmpca-certificate-authority-tagged.html)
+ [acm-certificate-expiration-check](./acm-certificate-expiration-check.html)
+ [acm-certificate-rsa-check](./acm-certificate-rsa-check.html)
+ [acm-certificate-transparent-logging-enabled](./acm-certificate-transparent-logging-enabled.html)
+ [acm-pca-root-ca-disabled](./acm-pca-root-ca-disabled.html)
+ [alb-desync-mode-check](./alb-desync-mode-check.html)
+ [alb-http-drop-invalid-header-enabled](./alb-http-drop-invalid-header-enabled.html)
+ [alb-http-to-https-redirection-check](./alb-http-to-https-redirection-check.html)
+ [alb-internal-scheme-check](./alb-internal-scheme-check.html)
+ [alb-tagged](./alb-tagged.html)
+ [alb-waf-enabled](./alb-waf-enabled.html)
+ [apigatewayv2-integration-private-https-enabled](./apigatewayv2-integration-private-https-enabled.html)
+ [apigatewayv2-stage-description](./apigatewayv2-stage-description.html)
+ [apigateway-domain-name-tls-check](./apigateway-domain-name-tls-check.html)
+ [apigateway-stage-access-logs-enabled](./apigateway-stage-access-logs-enabled.html)
+ [apigateway-stage-description](./apigateway-stage-description.html)
+ [api-gwv2-access-logs-enabled](./api-gwv2-access-logs-enabled.html)
+ [api-gwv2-stage-default-route-detailed-metrics-enabled](./api-gwv2-stage-default-route-detailed-metrics-enabled.html)
+ [api-gw-associated-with-waf](./api-gw-associated-with-waf.html)
+ [api-gw-cache-enabled-and-encrypted](./api-gw-cache-enabled-and-encrypted.html)
+ [api-gw-endpoint-type-check](./api-gw-endpoint-type-check.html)
+ [api-gw-execution-logging-enabled](./api-gw-execution-logging-enabled.html)
+ [api-gw-rest-api-tagged](./api-gw-rest-api-tagged.html)
+ [api-gw-ssl-enabled](./api-gw-ssl-enabled.html)
+ [api-gw-stage-tagged](./api-gw-stage-tagged.html)
+ [api-gw-xray-enabled](./api-gw-xray-enabled.html)
+ [appconfig-application-description](./appconfig-application-description.html)
+ [appconfig-application-tagged](./appconfig-application-tagged.html)
+ [appconfig-configuration-profile-tagged](./appconfig-configuration-profile-tagged.html)
+ [appconfig-configuration-profile-validators-not-empty](./appconfig-configuration-profile-validators-not-empty.html)
+ [appconfig-deployment-strategy-description](./appconfig-deployment-strategy-description.html)
+ [appconfig-deployment-strategy-minimum-final-bake-time](./appconfig-deployment-strategy-minimum-final-bake-time.html)
+ [appconfig-deployment-strategy-replicate-to-ssm](./appconfig-deployment-strategy-replicate-to-ssm.html)
+ [appconfig-deployment-strategy-tagged](./appconfig-deployment-strategy-tagged.html)
+ [appconfig-environment-description](./appconfig-environment-description.html)
+ [appconfig-environment-tagged](./appconfig-environment-tagged.html)
+ [appconfig-extension-association-tagged](./appconfig-extension-association-tagged.html)
+ [appconfig-freeform-profile-config-storage](./appconfig-freeform-profile-config-storage.html)
+ [appconfig-hosted-configuration-version-description](./appconfig-hosted-configuration-version-description.html)
+ [appmesh-gateway-route-tagged](./appmesh-gateway-route-tagged.html)
+ [appmesh-mesh-deny-tcp-forwarding](./appmesh-mesh-deny-tcp-forwarding.html)
+ [appmesh-mesh-ip-pref-check](./appmesh-mesh-ip-pref-check.html)
+ [appmesh-mesh-tagged](./appmesh-mesh-tagged.html)
+ [appmesh-route-tagged](./appmesh-route-tagged.html)
+ [appmesh-virtual-gateway-backend-defaults-tls](./appmesh-virtual-gateway-backend-defaults-tls.html)
+ [appmesh-virtual-gateway-listeners-health-check-enabled](./appmesh-virtual-gateway-listeners-health-check-enabled.html)
+ [appmesh-virtual-gateway-logging-file-path-exists](./appmesh-virtual-gateway-logging-file-path-exists.html)
+ [appmesh-virtual-gateway-tagged](./appmesh-virtual-gateway-tagged.html)
+ [appmesh-virtual-node-backend-defaults-tls-on](./appmesh-virtual-node-backend-defaults-tls-on.html)
+ [appmesh-virtual-node-cloud-map-ip-pref-check](./appmesh-virtual-node-cloud-map-ip-pref-check.html)
+ [appmesh-virtual-node-dns-ip-pref-check](./appmesh-virtual-node-dns-ip-pref-check.html)
+ [appmesh-virtual-node-listeners-health-check-enabled](./appmesh-virtual-node-listeners-health-check-enabled.html)
+ [appmesh-virtual-node-listeners-outlier-detect-enabled](./appmesh-virtual-node-listeners-outlier-detect-enabled.html)
+ [appmesh-virtual-node-logging-file-path-exists](./appmesh-virtual-node-logging-file-path-exists.html)
+ [appmesh-virtual-node-service-backends-tls-enforced](./appmesh-virtual-node-service-backends-tls-enforced.html)
+ [appmesh-virtual-node-tagged](./appmesh-virtual-node-tagged.html)
+ [appmesh-virtual-router-tagged](./appmesh-virtual-router-tagged.html)
+ [appmesh-virtual-service-tagged](./appmesh-virtual-service-tagged.html)
+ [approved-amis-by-id](./approved-amis-by-id.html)
+ [approved-amis-by-tag](./approved-amis-by-tag.html)
+ [appsync-graphql-api-xray-enabled](./appsync-graphql-api-xray-enabled.html)
+ [athena-data-catalog-description](./athena-data-catalog-description.html)
+ [athena-prepared-statement-description](./athena-prepared-statement-description.html)
+ [athena-workgroup-description](./athena-workgroup-description.html)
+ [athena-workgroup-enforce-workgroup-configuration](./athena-workgroup-enforce-workgroup-configuration.html)
+ [athena-workgroup-engine-version-auto-upgrade](./athena-workgroup-engine-version-auto-upgrade.html)
+ [athena-workgroup-logging-enabled](./athena-workgroup-logging-enabled.html)
+ [aurora-mysql-cluster-audit-logging](./aurora-mysql-cluster-audit-logging.html)
+ [autoscaling-group-elb-healthcheck-required](./autoscaling-group-elb-healthcheck-required.html)
+ [autoscaling-launchconfig-requires-imdsv2](./autoscaling-launchconfig-requires-imdsv2.html)
+ [autoscaling-launch-config-hop-limit](./autoscaling-launch-config-hop-limit.html)
+ [autoscaling-launch-config-public-ip-disabled](./autoscaling-launch-config-public-ip-disabled.html)
+ [autoscaling-launch-template](./autoscaling-launch-template.html)
+ [autoscaling-multiple-az](./autoscaling-multiple-az.html)
+ [autoscaling-multiple-instance-types](./autoscaling-multiple-instance-types.html)
+ [batch-scheduling-policy-tagged](./batch-scheduling-policy-tagged.html)
+ [clb-multiple-az](./clb-multiple-az.html)
+ [cloudtrail-all-read-s3-data-event-check](./cloudtrail-all-read-s3-data-event-check.html)
+ [cloudtrail-all-write-s3-data-event-check](./cloudtrail-all-write-s3-data-event-check.html)
+ [cloudtrail-event-data-store-multi-region](./cloudtrail-event-data-store-multi-region.html)
+ [cloudtrail-s3-bucket-access-logging](./cloudtrail-s3-bucket-access-logging.html)
+ [cloudtrail-s3-bucket-public-access-prohibited](./cloudtrail-s3-bucket-public-access-prohibited.html)
+ [cloudtrail-s3-dataevents-enabled](./cloudtrail-s3-dataevents-enabled.html)
+ [cloudtrail-security-trail-enabled](./cloudtrail-security-trail-enabled.html)
+ [cloudwatch-alarm-action-check](./cloudwatch-alarm-action-check.html)
+ [cloudwatch-alarm-action-enabled-check](./cloudwatch-alarm-action-enabled-check.html)
+ [cloudwatch-alarm-description](./cloudwatch-alarm-description.html)
+ [cloudwatch-alarm-resource-check](./cloudwatch-alarm-resource-check.html)
+ [cloudwatch-alarm-settings-check](./cloudwatch-alarm-settings-check.html)
+ [cloudwatch-log-group-encrypted](./cloudwatch-log-group-encrypted.html)
+ [cloudwatch-metric-stream-tagged](./cloudwatch-metric-stream-tagged.html)
+ [cloud-trail-cloud-watch-logs-enabled](./cloud-trail-cloud-watch-logs-enabled.html)
+ [cloud-trail-enabled](./cloud-trail-enabled.html)
+ [cloud-trail-encryption-enabled](./cloud-trail-encryption-enabled.html)
+ [cloud-trail-log-file-validation-enabled](./cloud-trail-log-file-validation-enabled.html)
+ [cmk-backing-key-rotation-enabled](./cmk-backing-key-rotation-enabled.html)
+ [codebuild-project-envvar-awscred-check](./codebuild-project-envvar-awscred-check.html)
+ [codebuild-project-logging-enabled](./codebuild-project-logging-enabled.html)
+ [codebuild-project-s3-logs-encrypted](./codebuild-project-s3-logs-encrypted.html)
+ [codebuild-project-source-repo-url-check](./codebuild-project-source-repo-url-check.html)
+ [codebuild-project-tagged](./codebuild-project-tagged.html)
+ [codebuild-report-group-encrypted-at-rest](./codebuild-report-group-encrypted-at-rest.html)
+ [codebuild-report-group-tagged](./codebuild-report-group-tagged.html)
+ [codepipeline-deployment-count-check](./codepipeline-deployment-count-check.html)
+ [codepipeline-region-fanout-check](./codepipeline-region-fanout-check.html)
+ [cognito-identity-pool-unauthenticated-logins](./cognito-identity-pool-unauthenticated-logins.html)
+ [cognito-identity-pool-unauth-access-check](./cognito-identity-pool-unauth-access-check.html)
+ [cognito-userpool-cust-auth-threat-full-check](./cognito-userpool-cust-auth-threat-full-check.html)
+ [cognito-user-pool-advanced-security-enabled](./cognito-user-pool-advanced-security-enabled.html)
+ [cognito-user-pool-deletion-protection-enabled](./cognito-user-pool-deletion-protection-enabled.html)
+ [cognito-user-pool-mfa-enabled](./cognito-user-pool-mfa-enabled.html)
+ [cognito-user-pool-password-policy-check](./cognito-user-pool-password-policy-check.html)
+ [cognito-user-pool-tagged](./cognito-user-pool-tagged.html)
+ [custom-eventbus-policy-attached](./custom-eventbus-policy-attached.html)
+ [cw-loggroup-retention-period-check](./cw-loggroup-retention-period-check.html)
+ [datasync-task-data-verification-enabled](./datasync-task-data-verification-enabled.html)
+ [datasync-task-logging-enabled](./datasync-task-logging-enabled.html)
+ [datasync-task-tagged](./datasync-task-tagged.html)
+ [db-instance-backup-enabled](./db-instance-backup-enabled.html)
+ [desired-instance-tenancy](./desired-instance-tenancy.html)
+ [desired-instance-type](./desired-instance-type.html)
+ [dms-replication-not-public](./dms-replication-not-public.html)
+ [dynamodb-autoscaling-enabled](./dynamodb-autoscaling-enabled.html)
+ [dynamodb-in-backup-plan](./dynamodb-in-backup-plan.html)
+ [dynamodb-pitr-enabled](./dynamodb-pitr-enabled.html)
+ [dynamodb-table-deletion-protection-enabled](./dynamodb-table-deletion-protection-enabled.html)
+ [dynamodb-table-encrypted-kms](./dynamodb-table-encrypted-kms.html)
+ [dynamodb-table-encryption-enabled](./dynamodb-table-encryption-enabled.html)
+ [dynamodb-throughput-limit-check](./dynamodb-throughput-limit-check.html)
+ [ebs-in-backup-plan](./ebs-in-backup-plan.html)
+ [ebs-optimized-instance](./ebs-optimized-instance.html)
+ [ebs-snapshot-block-public-access](./ebs-snapshot-block-public-access.html)
+ [ebs-snapshot-public-restorable-check](./ebs-snapshot-public-restorable-check.html)
+ [ec2-capacity-reservation-tagged](./ec2-capacity-reservation-tagged.html)
+ [ec2-dhcp-options-tagged](./ec2-dhcp-options-tagged.html)
+ [ec2-ebs-encryption-by-default](./ec2-ebs-encryption-by-default.html)
+ [ec2-enis-source-destination-check-enabled](./ec2-enis-source-destination-check-enabled.html)
+ [ec2-imdsv2-check](./ec2-imdsv2-check.html)
+ [ec2-instance-detailed-monitoring-enabled](./ec2-instance-detailed-monitoring-enabled.html)
+ [ec2-instance-launched-with-allowed-ami](./ec2-instance-launched-with-allowed-ami.html)
+ [ec2-instance-managed-by-ssm](./ec2-instance-managed-by-ssm.html)
+ [ec2-instance-multiple-eni-check](./ec2-instance-multiple-eni-check.html)
+ [ec2-instance-no-public-ip](./ec2-instance-no-public-ip.html)
+ [ec2-instance-profile-attached](./ec2-instance-profile-attached.html)
+ [ec2-managedinstance-applications-blacklisted](./ec2-managedinstance-applications-blacklisted.html)
+ [ec2-managedinstance-applications-required](./ec2-managedinstance-applications-required.html)
+ [ec2-managedinstance-inventory-blacklisted](./ec2-managedinstance-inventory-blacklisted.html)
+ [ec2-managedinstance-patch-compliance-status-check](./ec2-managedinstance-patch-compliance-status-check.html)
+ [ec2-managedinstance-platform-check](./ec2-managedinstance-platform-check.html)
+ [ec2-prefix-list-tagged](./ec2-prefix-list-tagged.html)
+ [ec2-security-group-attached-to-eni](./ec2-security-group-attached-to-eni.html)
+ [ec2-spot-fleet-request-ct-encryption-at-rest](./ec2-spot-fleet-request-ct-encryption-at-rest.html)
+ [ec2-stopped-instance](./ec2-stopped-instance.html)
+ [ec2-traffic-mirror-filter-description](./ec2-traffic-mirror-filter-description.html)
+ [ec2-traffic-mirror-filter-tagged](./ec2-traffic-mirror-filter-tagged.html)
+ [ec2-transit-gateway-multicast-domain-tagged](./ec2-transit-gateway-multicast-domain-tagged.html)
+ [ec2-volume-inuse-check](./ec2-volume-inuse-check.html)
+ [ec2-vpn-connection-ike-version-check](./ec2-vpn-connection-ike-version-check.html)
+ [ec2-vpn-connection-logging-enabled](./ec2-vpn-connection-logging-enabled.html)
+ [ec2-vpn-connection-tagged](./ec2-vpn-connection-tagged.html)
+ [ecr-private-image-scanning-enabled](./ecr-private-image-scanning-enabled.html)
+ [ecr-repository-tagged](./ecr-repository-tagged.html)
+ [ecs-capacity-provider-tagged](./ecs-capacity-provider-tagged.html)
+ [ecs-capacity-provider-termination-check](./ecs-capacity-provider-termination-check.html)
+ [ecs-containers-nonprivileged](./ecs-containers-nonprivileged.html)
+ [ecs-containers-readonly-access](./ecs-containers-readonly-access.html)
+ [ecs-container-insights-enabled](./ecs-container-insights-enabled.html)
+ [ecs-fargate-latest-platform-version](./ecs-fargate-latest-platform-version.html)
+ [ecs-no-environment-secrets](./ecs-no-environment-secrets.html)
+ [ecs-service-propagate-tags-enabled](./ecs-service-propagate-tags-enabled.html)
+ [ecs-task-definition-efs-encryption-enabled](./ecs-task-definition-efs-encryption-enabled.html)
+ [ecs-task-definition-linux-user-non-root](./ecs-task-definition-linux-user-non-root.html)
+ [ecs-task-definition-log-configuration](./ecs-task-definition-log-configuration.html)
+ [ecs-task-definition-network-mode-not-host](./ecs-task-definition-network-mode-not-host.html)
+ [ecs-task-definition-pid-mode-check](./ecs-task-definition-pid-mode-check.html)
+ [ecs-task-definition-user-for-host-mode-check](./ecs-task-definition-user-for-host-mode-check.html)
+ [ecs-task-definition-windows-user-non-admin](./ecs-task-definition-windows-user-non-admin.html)
+ [efs-automatic-backups-enabled](./efs-automatic-backups-enabled.html)
+ [efs-encrypted-check](./efs-encrypted-check.html)
+ [efs-file-system-tagged](./efs-file-system-tagged.html)
+ [efs-in-backup-plan](./efs-in-backup-plan.html)
+ [efs-mount-target-public-accessible](./efs-mount-target-public-accessible.html)
+ [eip-attached](./eip-attached.html)
+ [eks-cluster-secrets-encrypted](./eks-cluster-secrets-encrypted.html)
+ [eks-endpoint-no-public-access](./eks-endpoint-no-public-access.html)
+ [eks-fargate-profile-tagged](./eks-fargate-profile-tagged.html)
+ [eks-nodegroup-supported-version-check](./eks-nodegroup-supported-version-check.html)
+ [eks-secrets-encrypted](./eks-secrets-encrypted.html)
+ [elasticache-automatic-backup-check-enabled](./elasticache-automatic-backup-check-enabled.html)
+ [elasticache-redis-cluster-automatic-backup-check](./elasticache-redis-cluster-automatic-backup-check.html)
+ [elasticsearch-encrypted-at-rest](./elasticsearch-encrypted-at-rest.html)
+ [elasticsearch-in-vpc-only](./elasticsearch-in-vpc-only.html)
+ [elasticsearch-logs-to-cloudwatch](./elasticsearch-logs-to-cloudwatch.html)
+ [elasticsearch-node-to-node-encryption-check](./elasticsearch-node-to-node-encryption-check.html)
+ [elbv2-multiple-az](./elbv2-multiple-az.html)
+ [elbv2-targetgroup-healthcheck-protocol-encrypted](./elbv2-targetgroup-healthcheck-protocol-encrypted.html)
+ [elbv2-targetgroup-protocol-encrypted](./elbv2-targetgroup-protocol-encrypted.html)
+ [elb-cross-zone-load-balancing-enabled](./elb-cross-zone-load-balancing-enabled.html)
+ [elb-custom-security-policy-ssl-check](./elb-custom-security-policy-ssl-check.html)
+ [elb-deletion-protection-enabled](./elb-deletion-protection-enabled.html)
+ [elb-internal-scheme-check](./elb-internal-scheme-check.html)
+ [elb-logging-enabled](./elb-logging-enabled.html)
+ [elb-predefined-security-policy-ssl-check](./elb-predefined-security-policy-ssl-check.html)
+ [elb-tagged](./elb-tagged.html)
+ [elb-tls-https-listeners-only](./elb-tls-https-listeners-only.html)
+ [emr-block-public-access](./emr-block-public-access.html)
+ [emr-kerberos-enabled](./emr-kerberos-enabled.html)
+ [emr-master-no-public-ip](./emr-master-no-public-ip.html)
+ [emr-security-configuration-encryption-rest](./emr-security-configuration-encryption-rest.html)
+ [emr-security-configuration-encryption-transit](./emr-security-configuration-encryption-transit.html)
+ [encrypted-volumes](./encrypted-volumes.html)
+ [event-data-store-cmk-encryption-enabled](./event-data-store-cmk-encryption-enabled.html)
+ [fms-shield-resource-policy-check](./fms-shield-resource-policy-check.html)
+ [fms-webacl-resource-policy-check](./fms-webacl-resource-policy-check.html)
+ [fms-webacl-rulegroup-association-check](./fms-webacl-rulegroup-association-check.html)
+ [fsx-lustre-copy-tags-to-backups](./fsx-lustre-copy-tags-to-backups.html)
+ [fsx-ontap-deployment-type-check](./fsx-ontap-deployment-type-check.html)
+ [fsx-openzfs-copy-tags-enabled](./fsx-openzfs-copy-tags-enabled.html)
+ [fsx-openzfs-deployment-type-check](./fsx-openzfs-deployment-type-check.html)
+ [fsx-windows-deployment-type-check](./fsx-windows-deployment-type-check.html)
+ [glb-tagged](./glb-tagged.html)
+ [glue-job-logging-enabled](./glue-job-logging-enabled.html)
+ [glue-ml-transform-encrypted-at-rest](./glue-ml-transform-encrypted-at-rest.html)
+ [glue-ml-transform-tagged](./glue-ml-transform-tagged.html)
+ [glue-spark-job-supported-version](./glue-spark-job-supported-version.html)
+ [guardduty-ec2-protection-runtime-enabled](./guardduty-ec2-protection-runtime-enabled.html)
+ [guardduty-ecs-protection-runtime-enabled](./guardduty-ecs-protection-runtime-enabled.html)
+ [guardduty-eks-protection-audit-enabled](./guardduty-eks-protection-audit-enabled.html)
+ [guardduty-eks-protection-runtime-enabled](./guardduty-eks-protection-runtime-enabled.html)
+ [guardduty-enabled-centralized](./guardduty-enabled-centralized.html)
+ [guardduty-lambda-protection-enabled](./guardduty-lambda-protection-enabled.html)
+ [guardduty-malware-protection-enabled](./guardduty-malware-protection-enabled.html)
+ [guardduty-non-archived-findings](./guardduty-non-archived-findings.html)
+ [guardduty-rds-protection-enabled](./guardduty-rds-protection-enabled.html)
+ [guardduty-runtime-monitoring-enabled](./guardduty-runtime-monitoring-enabled.html)
+ [guardduty-s3-protection-enabled](./guardduty-s3-protection-enabled.html)
+ [iam-password-policy](./iam-password-policy.html)
+ [imagebuilder-distributionconfiguration-tagged](./imagebuilder-distributionconfiguration-tagged.html)
+ [imagebuilder-imagepipeline-tagged](./imagebuilder-imagepipeline-tagged.html)
+ [imagebuilder-imagerecipe-ebs-volumes-encrypted](./imagebuilder-imagerecipe-ebs-volumes-encrypted.html)
+ [imagebuilder-imagerecipe-tagged](./imagebuilder-imagerecipe-tagged.html)
+ [imagebuilder-infrastructureconfiguration-tagged](./imagebuilder-infrastructureconfiguration-tagged.html)
+ [incoming-ssh-disabled](./incoming-ssh-disabled.html)
+ [instances-in-vpc](./instances-in-vpc.html)
+ [internet-gateway-authorized-vpc-only](./internet-gateway-authorized-vpc-only.html)
+ [kinesis-firehose-delivery-stream-encrypted](./kinesis-firehose-delivery-stream-encrypted.html)
+ [kms-cmk-not-scheduled-for-deletion](./kms-cmk-not-scheduled-for-deletion.html)
+ [kms-key-policy-no-public-access](./kms-key-policy-no-public-access.html)
+ [kms-key-tagged](./kms-key-tagged.html)
+ [lambda-concurrency-check](./lambda-concurrency-check.html)
+ [lambda-dlq-check](./lambda-dlq-check.html)
+ [lambda-function-application-log-level-check](./lambda-function-application-log-level-check.html)
+ [lambda-function-description](./lambda-function-description.html)
+ [lambda-function-log-format-json](./lambda-function-log-format-json.html)
+ [lambda-function-public-access-prohibited](./lambda-function-public-access-prohibited.html)
+ [lambda-function-settings-check](./lambda-function-settings-check.html)
+ [lambda-function-system-log-level-check](./lambda-function-system-log-level-check.html)
+ [lambda-function-xray-enabled](./lambda-function-xray-enabled.html)
+ [lambda-inside-vpc](./lambda-inside-vpc.html)
+ [macie-auto-sensitive-data-discovery-check](./macie-auto-sensitive-data-discovery-check.html)
+ [mariadb-publish-logs-to-cloudwatch-logs](./mariadb-publish-logs-to-cloudwatch-logs.html)
+ [multi-region-cloud-trail-enabled](./multi-region-cloud-trail-enabled.html)
+ [nacl-no-unrestricted-ssh-rdp](./nacl-no-unrestricted-ssh-rdp.html)
+ [neptune-cluster-backup-retention-check](./neptune-cluster-backup-retention-check.html)
+ [neptune-cluster-cloudwatch-log-export-enabled](./neptune-cluster-cloudwatch-log-export-enabled.html)
+ [neptune-cluster-copy-tags-to-snapshot-enabled](./neptune-cluster-copy-tags-to-snapshot-enabled.html)
+ [neptune-cluster-deletion-protection-enabled](./neptune-cluster-deletion-protection-enabled.html)
+ [neptune-cluster-encrypted](./neptune-cluster-encrypted.html)
+ [neptune-cluster-iam-database-authentication](./neptune-cluster-iam-database-authentication.html)
+ [neptune-cluster-multi-az-enabled](./neptune-cluster-multi-az-enabled.html)
+ [netfw-deletion-protection-enabled](./netfw-deletion-protection-enabled.html)
+ [netfw-logging-enabled](./netfw-logging-enabled.html)
+ [netfw-multi-az-enabled](./netfw-multi-az-enabled.html)
+ [netfw-policy-default-action-fragment-packets](./netfw-policy-default-action-fragment-packets.html)
+ [netfw-policy-default-action-full-packets](./netfw-policy-default-action-full-packets.html)
+ [netfw-policy-rule-group-associated](./netfw-policy-rule-group-associated.html)
+ [netfw-stateless-rule-group-not-empty](./netfw-stateless-rule-group-not-empty.html)
+ [netfw-subnet-change-protection-enabled](./netfw-subnet-change-protection-enabled.html)
+ [nlb-internal-scheme-check](./nlb-internal-scheme-check.html)
+ [nlb-logging-enabled](./nlb-logging-enabled.html)
+ [nlb-tagged](./nlb-tagged.html)
+ [no-unrestricted-route-to-igw](./no-unrestricted-route-to-igw.html)
+ [rds-aurora-mysql-audit-logging-enabled](./rds-aurora-mysql-audit-logging-enabled.html)
+ [rds-automatic-minor-version-upgrade-enabled](./rds-automatic-minor-version-upgrade-enabled.html)
+ [rds-cluster-backup-retention-check](./rds-cluster-backup-retention-check.html)
+ [rds-cluster-default-admin-check](./rds-cluster-default-admin-check.html)
+ [rds-cluster-deletion-protection-enabled](./rds-cluster-deletion-protection-enabled.html)
+ [rds-cluster-encrypted-at-rest](./rds-cluster-encrypted-at-rest.html)
+ [rds-cluster-iam-authentication-enabled](./rds-cluster-iam-authentication-enabled.html)
+ [rds-cluster-multi-az-enabled](./rds-cluster-multi-az-enabled.html)
+ [rds-enhanced-monitoring-enabled](./rds-enhanced-monitoring-enabled.html)
+ [rds-event-subscription-tagged](./rds-event-subscription-tagged.html)
+ [rds-global-cluster-aurora-mysql-supported-version](./rds-global-cluster-aurora-mysql-supported-version.html)
+ [rds-instance-default-admin-check](./rds-instance-default-admin-check.html)
+ [rds-instance-deletion-protection-enabled](./rds-instance-deletion-protection-enabled.html)
+ [rds-instance-iam-authentication-enabled](./rds-instance-iam-authentication-enabled.html)
+ [rds-instance-public-access-check](./rds-instance-public-access-check.html)
+ [rds-instance-subnet-igw-check](./rds-instance-subnet-igw-check.html)
+ [rds-in-backup-plan](./rds-in-backup-plan.html)
+ [rds-logging-enabled](./rds-logging-enabled.html)
+ [rds-mariadb-instance-encrypted-in-transit](./rds-mariadb-instance-encrypted-in-transit.html)
+ [rds-multi-az-support](./rds-multi-az-support.html)
+ [rds-mysql-cluster-copy-tags-to-snapshot-check](./rds-mysql-cluster-copy-tags-to-snapshot-check.html)
+ [rds-mysql-instance-encrypted-in-transit](./rds-mysql-instance-encrypted-in-transit.html)
+ [rds-option-group-tagged](./rds-option-group-tagged.html)
+ [rds-pgsql-cluster-copy-tags-to-snapshot-check](./rds-pgsql-cluster-copy-tags-to-snapshot-check.html)
+ [rds-postgresql-logs-to-cloudwatch](./rds-postgresql-logs-to-cloudwatch.html)
+ [rds-postgres-instance-encrypted-in-transit](./rds-postgres-instance-encrypted-in-transit.html)
+ [rds-proxy-tls-encryption](./rds-proxy-tls-encryption.html)
+ [rds-snapshot-encrypted](./rds-snapshot-encrypted.html)
+ [rds-sqlserver-encrypted-in-transit](./rds-sqlserver-encrypted-in-transit.html)
+ [rds-sql-server-logs-to-cloudwatch](./rds-sql-server-logs-to-cloudwatch.html)
+ [rds-storage-encrypted](./rds-storage-encrypted.html)
+ [redshift-backup-enabled](./redshift-backup-enabled.html)
+ [redshift-cluster-configuration-check](./redshift-cluster-configuration-check.html)
+ [redshift-cluster-kms-enabled](./redshift-cluster-kms-enabled.html)
+ [redshift-cluster-maintenancesettings-check](./redshift-cluster-maintenancesettings-check.html)
+ [redshift-cluster-multi-az-enabled](./redshift-cluster-multi-az-enabled.html)
+ [redshift-cluster-parameter-group-tagged](./redshift-cluster-parameter-group-tagged.html)
+ [redshift-cluster-public-access-check](./redshift-cluster-public-access-check.html)
+ [redshift-cluster-subnet-group-multi-az](./redshift-cluster-subnet-group-multi-az.html)
+ [redshift-enhanced-vpc-routing-enabled](./redshift-enhanced-vpc-routing-enabled.html)
+ [redshift-require-tls-ssl](./redshift-require-tls-ssl.html)
+ [redshift-serverless-default-admin-check](./redshift-serverless-default-admin-check.html)
+ [redshift-serverless-default-db-name-check](./redshift-serverless-default-db-name-check.html)
+ [redshift-serverless-namespace-cmk-encryption](./redshift-serverless-namespace-cmk-encryption.html)
+ [redshift-serverless-publish-logs-to-cloudwatch](./redshift-serverless-publish-logs-to-cloudwatch.html)
+ [redshift-serverless-workgroup-no-public-access](./redshift-serverless-workgroup-no-public-access.html)
+ [redshift-unrestricted-port-access](./redshift-unrestricted-port-access.html)
+ [required-tags](./required-tags.html)
+ [restricted-incoming-traffic](./restricted-incoming-traffic.html)
+ [s3-access-point-in-vpc-only](./s3-access-point-in-vpc-only.html)
+ [s3-access-point-public-access-blocks](./s3-access-point-public-access-blocks.html)
+ [s3-account-level-public-access-blocks](./s3-account-level-public-access-blocks.html)
+ [s3-account-level-public-access-blocks-periodic](./s3-account-level-public-access-blocks-periodic.html)
+ [s3-bucket-acl-prohibited](./s3-bucket-acl-prohibited.html)
+ [s3-bucket-blacklisted-actions-prohibited](./s3-bucket-blacklisted-actions-prohibited.html)
+ [s3-bucket-cross-region-replication-enabled](./s3-bucket-cross-region-replication-enabled.html)
+ [s3-bucket-default-lock-enabled](./s3-bucket-default-lock-enabled.html)
+ [s3-bucket-level-public-access-prohibited](./s3-bucket-level-public-access-prohibited.html)
+ [s3-bucket-logging-enabled](./s3-bucket-logging-enabled.html)
+ [s3-bucket-policy-grantee-check](./s3-bucket-policy-grantee-check.html)
+ [s3-bucket-policy-not-more-permissive](./s3-bucket-policy-not-more-permissive.html)
+ [s3-bucket-public-read-prohibited](./s3-bucket-public-read-prohibited.html)
+ [s3-bucket-public-write-prohibited](./s3-bucket-public-write-prohibited.html)
+ [s3-bucket-replication-enabled](./s3-bucket-replication-enabled.html)
+ [s3-bucket-server-side-encryption-enabled](./s3-bucket-server-side-encryption-enabled.html)
+ [s3-bucket-ssl-requests-only](./s3-bucket-ssl-requests-only.html)
+ [s3-bucket-tagged](./s3-bucket-tagged.html)
+ [s3-bucket-versioning-enabled](./s3-bucket-versioning-enabled.html)
+ [s3-default-encryption-kms](./s3-default-encryption-kms.html)
+ [s3-event-notifications-enabled](./s3-event-notifications-enabled.html)
+ [s3-lifecycle-policy-check](./s3-lifecycle-policy-check.html)
+ [s3-version-lifecycle-policy-check](./s3-version-lifecycle-policy-check.html)
+ [sagemaker-app-image-config-tagged](./sagemaker-app-image-config-tagged.html)
+ [sagemaker-endpoint-configuration-kms-key-configured](./sagemaker-endpoint-configuration-kms-key-configured.html)
+ [sagemaker-endpoint-config-prod-instance-count](./sagemaker-endpoint-config-prod-instance-count.html)
+ [sagemaker-featuregroup-description](./sagemaker-featuregroup-description.html)
+ [sagemaker-featuregroup-encryption-at-rest](./sagemaker-featuregroup-encryption-at-rest.html)
+ [sagemaker-feature-group-tagged](./sagemaker-feature-group-tagged.html)
+ [sagemaker-image-description](./sagemaker-image-description.html)
+ [sagemaker-image-tagged](./sagemaker-image-tagged.html)
+ [sagemaker-notebook-instance-kms-key-configured](./sagemaker-notebook-instance-kms-key-configured.html)
+ [sagemaker-notebook-instance-platform-version](./sagemaker-notebook-instance-platform-version.html)
+ [sagemaker-notebook-no-direct-internet-access](./sagemaker-notebook-no-direct-internet-access.html)
+ [secretsmanager-rotation-enabled-check](./secretsmanager-rotation-enabled-check.html)
+ [secretsmanager-scheduled-rotation-success-check](./secretsmanager-scheduled-rotation-success-check.html)
+ [secretsmanager-secret-periodic-rotation](./secretsmanager-secret-periodic-rotation.html)
+ [secretsmanager-secret-unused](./secretsmanager-secret-unused.html)
+ [secretsmanager-using-cmk](./secretsmanager-using-cmk.html)
+ [securityhub-enabled](./securityhub-enabled.html)
+ [security-account-information-provided](./security-account-information-provided.html)
+ [service-vpc-endpoint-enabled](./service-vpc-endpoint-enabled.html)
+ [ses-sending-tls-required](./ses-sending-tls-required.html)
+ [sns-encrypted-kms](./sns-encrypted-kms.html)
+ [sns-topic-no-public-access](./sns-topic-no-public-access.html)
+ [ssm-automation-block-public-sharing](./ssm-automation-block-public-sharing.html)
+ [ssm-automation-logging-enabled](./ssm-automation-logging-enabled.html)
+ [ssm-document-not-public](./ssm-document-not-public.html)
+ [ssm-document-tagged](./ssm-document-tagged.html)
+ [stepfunctions-state-machine-tagged](./stepfunctions-state-machine-tagged.html)
+ [subnet-auto-assign-public-ip-disabled](./subnet-auto-assign-public-ip-disabled.html)
+ [transfer-certificate-description](./transfer-certificate-description.html)
+ [transfer-certificate-tagged](./transfer-certificate-tagged.html)
+ [transfer-connector-as2-encryption-algorithm-check](./transfer-connector-as2-encryption-algorithm-check.html)
+ [transfer-connector-as2-mdn-signing-algorithm-check](./transfer-connector-as2-mdn-signing-algorithm-check.html)
+ [transfer-connector-as2-signing-algorithm-check](./transfer-connector-as2-signing-algorithm-check.html)
+ [transfer-connector-tagged](./transfer-connector-tagged.html)
+ [transfer-family-server-no-ftp](./transfer-family-server-no-ftp.html)
+ [transfer-profile-tagged](./transfer-profile-tagged.html)
+ [transfer-workflow-description](./transfer-workflow-description.html)
+ [transfer-workflow-tagged](./transfer-workflow-tagged.html)
+ [vpc-default-security-group-closed](./vpc-default-security-group-closed.html)
+ [vpc-endpoint-enabled](./vpc-endpoint-enabled.html)
+ [vpc-flow-logs-enabled](./vpc-flow-logs-enabled.html)
+ [vpc-network-acl-unused-check](./vpc-network-acl-unused-check.html)
+ [vpc-sg-open-only-to-authorized-ports](./vpc-sg-open-only-to-authorized-ports.html)
+ [vpc-sg-port-restriction-check](./vpc-sg-port-restriction-check.html)
+ [wafv2-logging-enabled](./wafv2-logging-enabled.html)
+ [wafv2-rulegroup-logging-enabled](./wafv2-rulegroup-logging-enabled.html)
+ [waf-global-rulegroup-not-empty](./waf-global-rulegroup-not-empty.html)
+ [waf-global-rule-not-empty](./waf-global-rule-not-empty.html)
+ [waf-regional-rule-not-empty](./waf-regional-rule-not-empty.html)
+ [waf-regional-webacl-not-empty](./waf-regional-webacl-not-empty.html)

## Mexico (Central) Region
<a name="mexico-central-section-head"></a>

### Mexico (Central)
<a name="mexico-central"></a>
+ [account-part-of-organizations](./account-part-of-organizations.html)
+ [acm-certificate-expiration-check](./acm-certificate-expiration-check.html)
+ [acm-certificate-transparent-logging-enabled](./acm-certificate-transparent-logging-enabled.html)
+ [alb-http-drop-invalid-header-enabled](./alb-http-drop-invalid-header-enabled.html)
+ [alb-http-to-https-redirection-check](./alb-http-to-https-redirection-check.html)
+ [alb-waf-enabled](./alb-waf-enabled.html)
+ [apigatewayv2-stage-description](./apigatewayv2-stage-description.html)
+ [apigateway-domain-name-tls-check](./apigateway-domain-name-tls-check.html)
+ [apigateway-stage-description](./apigateway-stage-description.html)
+ [api-gwv2-access-logs-enabled](./api-gwv2-access-logs-enabled.html)
+ [api-gwv2-stage-default-route-detailed-metrics-enabled](./api-gwv2-stage-default-route-detailed-metrics-enabled.html)
+ [api-gw-associated-with-waf](./api-gw-associated-with-waf.html)
+ [api-gw-cache-enabled-and-encrypted](./api-gw-cache-enabled-and-encrypted.html)
+ [api-gw-endpoint-type-check](./api-gw-endpoint-type-check.html)
+ [api-gw-execution-logging-enabled](./api-gw-execution-logging-enabled.html)
+ [api-gw-ssl-enabled](./api-gw-ssl-enabled.html)
+ [api-gw-xray-enabled](./api-gw-xray-enabled.html)
+ [approved-amis-by-id](./approved-amis-by-id.html)
+ [approved-amis-by-tag](./approved-amis-by-tag.html)
+ [aurora-mysql-backtracking-enabled](./aurora-mysql-backtracking-enabled.html)
+ [autoscaling-group-elb-healthcheck-required](./autoscaling-group-elb-healthcheck-required.html)
+ [autoscaling-launch-config-public-ip-disabled](./autoscaling-launch-config-public-ip-disabled.html)
+ [autoscaling-launch-template](./autoscaling-launch-template.html)
+ [cloudformation-stack-drift-detection-check](./cloudformation-stack-drift-detection-check.html)
+ [cloudformation-stack-notification-check](./cloudformation-stack-notification-check.html)
+ [cloudtrail-s3-dataevents-enabled](./cloudtrail-s3-dataevents-enabled.html)
+ [cloudtrail-security-trail-enabled](./cloudtrail-security-trail-enabled.html)
+ [cloudwatch-alarm-action-check](./cloudwatch-alarm-action-check.html)
+ [cloudwatch-alarm-description](./cloudwatch-alarm-description.html)
+ [cloudwatch-alarm-resource-check](./cloudwatch-alarm-resource-check.html)
+ [cloudwatch-alarm-settings-check](./cloudwatch-alarm-settings-check.html)
+ [cloudwatch-log-group-encrypted](./cloudwatch-log-group-encrypted.html)
+ [cloud-trail-cloud-watch-logs-enabled](./cloud-trail-cloud-watch-logs-enabled.html)
+ [cloud-trail-enabled](./cloud-trail-enabled.html)
+ [cloud-trail-encryption-enabled](./cloud-trail-encryption-enabled.html)
+ [cloud-trail-log-file-validation-enabled](./cloud-trail-log-file-validation-enabled.html)
+ [cmk-backing-key-rotation-enabled](./cmk-backing-key-rotation-enabled.html)
+ [cw-loggroup-retention-period-check](./cw-loggroup-retention-period-check.html)
+ [db-instance-backup-enabled](./db-instance-backup-enabled.html)
+ [desired-instance-tenancy](./desired-instance-tenancy.html)
+ [desired-instance-type](./desired-instance-type.html)
+ [dms-replication-not-public](./dms-replication-not-public.html)
+ [dynamodb-autoscaling-enabled](./dynamodb-autoscaling-enabled.html)
+ [dynamodb-in-backup-plan](./dynamodb-in-backup-plan.html)
+ [dynamodb-pitr-enabled](./dynamodb-pitr-enabled.html)
+ [dynamodb-table-encrypted-kms](./dynamodb-table-encrypted-kms.html)
+ [dynamodb-table-encryption-enabled](./dynamodb-table-encryption-enabled.html)
+ [dynamodb-throughput-limit-check](./dynamodb-throughput-limit-check.html)
+ [ebs-in-backup-plan](./ebs-in-backup-plan.html)
+ [ebs-snapshot-public-restorable-check](./ebs-snapshot-public-restorable-check.html)
+ [ec2-ebs-encryption-by-default](./ec2-ebs-encryption-by-default.html)
+ [ec2-imdsv2-check](./ec2-imdsv2-check.html)
+ [ec2-instance-detailed-monitoring-enabled](./ec2-instance-detailed-monitoring-enabled.html)
+ [ec2-instance-launched-with-allowed-ami](./ec2-instance-launched-with-allowed-ami.html)
+ [ec2-instance-managed-by-ssm](./ec2-instance-managed-by-ssm.html)
+ [ec2-instance-multiple-eni-check](./ec2-instance-multiple-eni-check.html)
+ [ec2-instance-no-public-ip](./ec2-instance-no-public-ip.html)
+ [ec2-instance-profile-attached](./ec2-instance-profile-attached.html)
+ [ec2-managedinstance-applications-blacklisted](./ec2-managedinstance-applications-blacklisted.html)
+ [ec2-managedinstance-applications-required](./ec2-managedinstance-applications-required.html)
+ [ec2-managedinstance-inventory-blacklisted](./ec2-managedinstance-inventory-blacklisted.html)
+ [ec2-managedinstance-patch-compliance-status-check](./ec2-managedinstance-patch-compliance-status-check.html)
+ [ec2-managedinstance-platform-check](./ec2-managedinstance-platform-check.html)
+ [ec2-security-group-attached-to-eni](./ec2-security-group-attached-to-eni.html)
+ [ec2-stopped-instance](./ec2-stopped-instance.html)
+ [ec2-volume-inuse-check](./ec2-volume-inuse-check.html)
+ [ecs-fargate-latest-platform-version](./ecs-fargate-latest-platform-version.html)
+ [ecs-service-propagate-tags-enabled](./ecs-service-propagate-tags-enabled.html)
+ [ecs-task-definition-user-for-host-mode-check](./ecs-task-definition-user-for-host-mode-check.html)
+ [efs-encrypted-check](./efs-encrypted-check.html)
+ [efs-in-backup-plan](./efs-in-backup-plan.html)
+ [eip-attached](./eip-attached.html)
+ [eks-endpoint-no-public-access](./eks-endpoint-no-public-access.html)
+ [eks-secrets-encrypted](./eks-secrets-encrypted.html)
+ [elasticache-redis-cluster-automatic-backup-check](./elasticache-redis-cluster-automatic-backup-check.html)
+ [elasticsearch-encrypted-at-rest](./elasticsearch-encrypted-at-rest.html)
+ [elasticsearch-in-vpc-only](./elasticsearch-in-vpc-only.html)
+ [elasticsearch-logs-to-cloudwatch](./elasticsearch-logs-to-cloudwatch.html)
+ [elasticsearch-node-to-node-encryption-check](./elasticsearch-node-to-node-encryption-check.html)
+ [elbv2-targetgroup-healthcheck-protocol-encrypted](./elbv2-targetgroup-healthcheck-protocol-encrypted.html)
+ [elbv2-targetgroup-protocol-encrypted](./elbv2-targetgroup-protocol-encrypted.html)
+ [elb-acm-certificate-required](./elb-acm-certificate-required.html)
+ [elb-cross-zone-load-balancing-enabled](./elb-cross-zone-load-balancing-enabled.html)
+ [elb-custom-security-policy-ssl-check](./elb-custom-security-policy-ssl-check.html)
+ [elb-deletion-protection-enabled](./elb-deletion-protection-enabled.html)
+ [elb-logging-enabled](./elb-logging-enabled.html)
+ [elb-predefined-security-policy-ssl-check](./elb-predefined-security-policy-ssl-check.html)
+ [elb-tls-https-listeners-only](./elb-tls-https-listeners-only.html)
+ [emr-kerberos-enabled](./emr-kerberos-enabled.html)
+ [emr-master-no-public-ip](./emr-master-no-public-ip.html)
+ [encrypted-volumes](./encrypted-volumes.html)
+ [iam-password-policy](./iam-password-policy.html)
+ [incoming-ssh-disabled](./incoming-ssh-disabled.html)
+ [instances-in-vpc](./instances-in-vpc.html)
+ [internet-gateway-authorized-vpc-only](./internet-gateway-authorized-vpc-only.html)
+ [kms-cmk-not-scheduled-for-deletion](./kms-cmk-not-scheduled-for-deletion.html)
+ [lambda-concurrency-check](./lambda-concurrency-check.html)
+ [lambda-dlq-check](./lambda-dlq-check.html)
+ [lambda-function-application-log-level-check](./lambda-function-application-log-level-check.html)
+ [lambda-function-description](./lambda-function-description.html)
+ [lambda-function-log-format-json](./lambda-function-log-format-json.html)
+ [lambda-function-public-access-prohibited](./lambda-function-public-access-prohibited.html)
+ [lambda-function-settings-check](./lambda-function-settings-check.html)
+ [lambda-function-system-log-level-check](./lambda-function-system-log-level-check.html)
+ [lambda-inside-vpc](./lambda-inside-vpc.html)
+ [multi-region-cloud-trail-enabled](./multi-region-cloud-trail-enabled.html)
+ [neptune-cluster-deletion-protection-enabled](./neptune-cluster-deletion-protection-enabled.html)
+ [netfw-multi-az-enabled](./netfw-multi-az-enabled.html)
+ [no-unrestricted-route-to-igw](./no-unrestricted-route-to-igw.html)
+ [rds-automatic-minor-version-upgrade-enabled](./rds-automatic-minor-version-upgrade-enabled.html)
+ [rds-cluster-backup-retention-check](./rds-cluster-backup-retention-check.html)
+ [rds-cluster-deletion-protection-enabled](./rds-cluster-deletion-protection-enabled.html)
+ [rds-cluster-iam-authentication-enabled](./rds-cluster-iam-authentication-enabled.html)
+ [rds-cluster-multi-az-enabled](./rds-cluster-multi-az-enabled.html)
+ [rds-enhanced-monitoring-enabled](./rds-enhanced-monitoring-enabled.html)
+ [rds-instance-deletion-protection-enabled](./rds-instance-deletion-protection-enabled.html)
+ [rds-instance-iam-authentication-enabled](./rds-instance-iam-authentication-enabled.html)
+ [rds-instance-public-access-check](./rds-instance-public-access-check.html)
+ [rds-in-backup-plan](./rds-in-backup-plan.html)
+ [rds-logging-enabled](./rds-logging-enabled.html)
+ [rds-multi-az-support](./rds-multi-az-support.html)
+ [rds-snapshots-public-prohibited](./rds-snapshots-public-prohibited.html)
+ [rds-snapshot-encrypted](./rds-snapshot-encrypted.html)
+ [rds-storage-encrypted](./rds-storage-encrypted.html)
+ [required-tags](./required-tags.html)
+ [restricted-incoming-traffic](./restricted-incoming-traffic.html)
+ [s3-account-level-public-access-blocks-periodic](./s3-account-level-public-access-blocks-periodic.html)
+ [s3-bucket-blacklisted-actions-prohibited](./s3-bucket-blacklisted-actions-prohibited.html)
+ [s3-bucket-default-lock-enabled](./s3-bucket-default-lock-enabled.html)
+ [s3-bucket-level-public-access-prohibited](./s3-bucket-level-public-access-prohibited.html)
+ [s3-bucket-logging-enabled](./s3-bucket-logging-enabled.html)
+ [s3-bucket-policy-grantee-check](./s3-bucket-policy-grantee-check.html)
+ [s3-bucket-policy-not-more-permissive](./s3-bucket-policy-not-more-permissive.html)
+ [s3-bucket-public-read-prohibited](./s3-bucket-public-read-prohibited.html)
+ [s3-bucket-public-write-prohibited](./s3-bucket-public-write-prohibited.html)
+ [s3-bucket-replication-enabled](./s3-bucket-replication-enabled.html)
+ [s3-bucket-server-side-encryption-enabled](./s3-bucket-server-side-encryption-enabled.html)
+ [s3-bucket-ssl-requests-only](./s3-bucket-ssl-requests-only.html)
+ [s3-bucket-versioning-enabled](./s3-bucket-versioning-enabled.html)
+ [s3-default-encryption-kms](./s3-default-encryption-kms.html)
+ [s3-lifecycle-policy-check](./s3-lifecycle-policy-check.html)
+ [secretsmanager-rotation-enabled-check](./secretsmanager-rotation-enabled-check.html)
+ [secretsmanager-scheduled-rotation-success-check](./secretsmanager-scheduled-rotation-success-check.html)
+ [secretsmanager-secret-periodic-rotation](./secretsmanager-secret-periodic-rotation.html)
+ [secretsmanager-secret-unused](./secretsmanager-secret-unused.html)
+ [secretsmanager-using-cmk](./secretsmanager-using-cmk.html)
+ [securityhub-enabled](./securityhub-enabled.html)
+ [service-vpc-endpoint-enabled](./service-vpc-endpoint-enabled.html)
+ [sns-encrypted-kms](./sns-encrypted-kms.html)
+ [ssm-document-not-public](./ssm-document-not-public.html)
+ [subnet-auto-assign-public-ip-disabled](./subnet-auto-assign-public-ip-disabled.html)
+ [vpc-default-security-group-closed](./vpc-default-security-group-closed.html)
+ [vpc-flow-logs-enabled](./vpc-flow-logs-enabled.html)
+ [vpc-network-acl-unused-check](./vpc-network-acl-unused-check.html)
+ [vpc-sg-open-only-to-authorized-ports](./vpc-sg-open-only-to-authorized-ports.html)
+ [vpc-vpn-2-tunnels-up](./vpc-vpn-2-tunnels-up.html)
+ [wafv2-logging-enabled](./wafv2-logging-enabled.html)
+ [waf-global-rulegroup-not-empty](./waf-global-rulegroup-not-empty.html)
+ [waf-global-rule-not-empty](./waf-global-rule-not-empty.html)

## Middle East (Bahrain) Region
<a name="middle-east-bahrain-section-head"></a>

### Middle East (Bahrain)
<a name="middle-east-bahrain"></a>
+ [access-keys-rotated](./access-keys-rotated.html)
+ [account-part-of-organizations](./account-part-of-organizations.html)
+ [acmpca-certificate-authority-tagged](./acmpca-certificate-authority-tagged.html)
+ [acm-certificate-expiration-check](./acm-certificate-expiration-check.html)
+ [acm-certificate-rsa-check](./acm-certificate-rsa-check.html)
+ [acm-certificate-transparent-logging-enabled](./acm-certificate-transparent-logging-enabled.html)
+ [acm-pca-root-ca-disabled](./acm-pca-root-ca-disabled.html)
+ [active-mq-supported-version](./active-mq-supported-version.html)
+ [alb-desync-mode-check](./alb-desync-mode-check.html)
+ [alb-http-drop-invalid-header-enabled](./alb-http-drop-invalid-header-enabled.html)
+ [alb-http-to-https-redirection-check](./alb-http-to-https-redirection-check.html)
+ [alb-internal-scheme-check](./alb-internal-scheme-check.html)
+ [alb-listener-tagged](./alb-listener-tagged.html)
+ [alb-tagged](./alb-tagged.html)
+ [alb-waf-enabled](./alb-waf-enabled.html)
+ [amplify-app-branch-auto-deletion-enabled](./amplify-app-branch-auto-deletion-enabled.html)
+ [amplify-app-build-spec-configured](./amplify-app-build-spec-configured.html)
+ [amplify-app-description](./amplify-app-description.html)
+ [amplify-app-no-environment-variables](./amplify-app-no-environment-variables.html)
+ [amplify-app-platform-check](./amplify-app-platform-check.html)
+ [amplify-app-tagged](./amplify-app-tagged.html)
+ [amplify-branch-auto-build-enabled](./amplify-branch-auto-build-enabled.html)
+ [amplify-branch-build-spec-configured](./amplify-branch-build-spec-configured.html)
+ [amplify-branch-description](./amplify-branch-description.html)
+ [amplify-branch-framework-configured](./amplify-branch-framework-configured.html)
+ [amplify-branch-performance-mode-enabled](./amplify-branch-performance-mode-enabled.html)
+ [amplify-branch-pull-request-preview-enabled](./amplify-branch-pull-request-preview-enabled.html)
+ [amplify-branch-tagged](./amplify-branch-tagged.html)
+ [apigatewayv2-integration-private-https-enabled](./apigatewayv2-integration-private-https-enabled.html)
+ [apigatewayv2-stage-description](./apigatewayv2-stage-description.html)
+ [apigateway-domain-name-tls-check](./apigateway-domain-name-tls-check.html)
+ [apigateway-stage-access-logs-enabled](./apigateway-stage-access-logs-enabled.html)
+ [apigateway-stage-description](./apigateway-stage-description.html)
+ [api-gwv2-access-logs-enabled](./api-gwv2-access-logs-enabled.html)
+ [api-gwv2-authorization-type-configured](./api-gwv2-authorization-type-configured.html)
+ [api-gwv2-stage-default-route-detailed-metrics-enabled](./api-gwv2-stage-default-route-detailed-metrics-enabled.html)
+ [api-gw-associated-with-waf](./api-gw-associated-with-waf.html)
+ [api-gw-cache-enabled-and-encrypted](./api-gw-cache-enabled-and-encrypted.html)
+ [api-gw-endpoint-type-check](./api-gw-endpoint-type-check.html)
+ [api-gw-execution-logging-enabled](./api-gw-execution-logging-enabled.html)
+ [api-gw-rest-api-tagged](./api-gw-rest-api-tagged.html)
+ [api-gw-ssl-enabled](./api-gw-ssl-enabled.html)
+ [api-gw-stage-tagged](./api-gw-stage-tagged.html)
+ [api-gw-xray-enabled](./api-gw-xray-enabled.html)
+ [appconfig-application-description](./appconfig-application-description.html)
+ [appconfig-application-tagged](./appconfig-application-tagged.html)
+ [appconfig-configuration-profile-tagged](./appconfig-configuration-profile-tagged.html)
+ [appconfig-configuration-profile-validators-not-empty](./appconfig-configuration-profile-validators-not-empty.html)
+ [appconfig-deployment-strategy-description](./appconfig-deployment-strategy-description.html)
+ [appconfig-deployment-strategy-minimum-final-bake-time](./appconfig-deployment-strategy-minimum-final-bake-time.html)
+ [appconfig-deployment-strategy-replicate-to-ssm](./appconfig-deployment-strategy-replicate-to-ssm.html)
+ [appconfig-deployment-strategy-tagged](./appconfig-deployment-strategy-tagged.html)
+ [appconfig-environment-description](./appconfig-environment-description.html)
+ [appconfig-environment-tagged](./appconfig-environment-tagged.html)
+ [appconfig-extension-association-tagged](./appconfig-extension-association-tagged.html)
+ [appconfig-freeform-profile-config-storage](./appconfig-freeform-profile-config-storage.html)
+ [appconfig-hosted-configuration-version-description](./appconfig-hosted-configuration-version-description.html)
+ [appmesh-gateway-route-tagged](./appmesh-gateway-route-tagged.html)
+ [appmesh-mesh-deny-tcp-forwarding](./appmesh-mesh-deny-tcp-forwarding.html)
+ [appmesh-mesh-ip-pref-check](./appmesh-mesh-ip-pref-check.html)
+ [appmesh-mesh-tagged](./appmesh-mesh-tagged.html)
+ [appmesh-route-tagged](./appmesh-route-tagged.html)
+ [appmesh-virtual-gateway-backend-defaults-tls](./appmesh-virtual-gateway-backend-defaults-tls.html)
+ [appmesh-virtual-gateway-listeners-health-check-enabled](./appmesh-virtual-gateway-listeners-health-check-enabled.html)
+ [appmesh-virtual-gateway-logging-file-path-exists](./appmesh-virtual-gateway-logging-file-path-exists.html)
+ [appmesh-virtual-gateway-tagged](./appmesh-virtual-gateway-tagged.html)
+ [appmesh-virtual-node-backend-defaults-tls-on](./appmesh-virtual-node-backend-defaults-tls-on.html)
+ [appmesh-virtual-node-cloud-map-ip-pref-check](./appmesh-virtual-node-cloud-map-ip-pref-check.html)
+ [appmesh-virtual-node-dns-ip-pref-check](./appmesh-virtual-node-dns-ip-pref-check.html)
+ [appmesh-virtual-node-listeners-health-check-enabled](./appmesh-virtual-node-listeners-health-check-enabled.html)
+ [appmesh-virtual-node-listeners-outlier-detect-enabled](./appmesh-virtual-node-listeners-outlier-detect-enabled.html)
+ [appmesh-virtual-node-logging-file-path-exists](./appmesh-virtual-node-logging-file-path-exists.html)
+ [appmesh-virtual-node-service-backends-tls-enforced](./appmesh-virtual-node-service-backends-tls-enforced.html)
+ [appmesh-virtual-node-tagged](./appmesh-virtual-node-tagged.html)
+ [appmesh-virtual-router-tagged](./appmesh-virtual-router-tagged.html)
+ [appmesh-virtual-service-tagged](./appmesh-virtual-service-tagged.html)
+ [approved-amis-by-id](./approved-amis-by-id.html)
+ [approved-amis-by-tag](./approved-amis-by-tag.html)
+ [appsync-associated-with-waf](./appsync-associated-with-waf.html)
+ [appsync-authorization-check](./appsync-authorization-check.html)
+ [appsync-cache-ct-encryption-at-rest](./appsync-cache-ct-encryption-at-rest.html)
+ [appsync-cache-ct-encryption-in-transit](./appsync-cache-ct-encryption-in-transit.html)
+ [appsync-cache-encryption-at-rest](./appsync-cache-encryption-at-rest.html)
+ [appsync-graphql-api-xray-enabled](./appsync-graphql-api-xray-enabled.html)
+ [appsync-logging-enabled](./appsync-logging-enabled.html)
+ [athena-data-catalog-description](./athena-data-catalog-description.html)
+ [athena-prepared-statement-description](./athena-prepared-statement-description.html)
+ [athena-workgroup-description](./athena-workgroup-description.html)
+ [athena-workgroup-encrypted-at-rest](./athena-workgroup-encrypted-at-rest.html)
+ [athena-workgroup-enforce-workgroup-configuration](./athena-workgroup-enforce-workgroup-configuration.html)
+ [athena-workgroup-engine-version-auto-upgrade](./athena-workgroup-engine-version-auto-upgrade.html)
+ [athena-workgroup-logging-enabled](./athena-workgroup-logging-enabled.html)
+ [aurora-global-database-encryption-at-rest](./aurora-global-database-encryption-at-rest.html)
+ [aurora-last-backup-recovery-point-created](./aurora-last-backup-recovery-point-created.html)
+ [aurora-meets-restore-time-target](./aurora-meets-restore-time-target.html)
+ [aurora-mysql-cluster-audit-logging](./aurora-mysql-cluster-audit-logging.html)
+ [aurora-resources-in-logically-air-gapped-vault](./aurora-resources-in-logically-air-gapped-vault.html)
+ [aurora-resources-protected-by-backup-plan](./aurora-resources-protected-by-backup-plan.html)
+ [autoscaling-capacity-rebalancing](./autoscaling-capacity-rebalancing.html)
+ [autoscaling-group-elb-healthcheck-required](./autoscaling-group-elb-healthcheck-required.html)
+ [autoscaling-launchconfig-requires-imdsv2](./autoscaling-launchconfig-requires-imdsv2.html)
+ [autoscaling-launch-config-hop-limit](./autoscaling-launch-config-hop-limit.html)
+ [autoscaling-launch-config-public-ip-disabled](./autoscaling-launch-config-public-ip-disabled.html)
+ [autoscaling-launch-template](./autoscaling-launch-template.html)
+ [autoscaling-multiple-az](./autoscaling-multiple-az.html)
+ [autoscaling-multiple-instance-types](./autoscaling-multiple-instance-types.html)
+ [backup-plan-min-frequency-and-min-retention-check](./backup-plan-min-frequency-and-min-retention-check.html)
+ [backup-recovery-point-encrypted](./backup-recovery-point-encrypted.html)
+ [backup-recovery-point-manual-deletion-disabled](./backup-recovery-point-manual-deletion-disabled.html)
+ [backup-recovery-point-minimum-retention-check](./backup-recovery-point-minimum-retention-check.html)
+ [batch-compute-environment-enabled](./batch-compute-environment-enabled.html)
+ [batch-compute-environment-managed](./batch-compute-environment-managed.html)
+ [batch-compute-environment-tagged](./batch-compute-environment-tagged.html)
+ [batch-job-queue-enabled](./batch-job-queue-enabled.html)
+ [batch-job-queue-tagged](./batch-job-queue-tagged.html)
+ [batch-managed-compute-environment-using-launch-template](./batch-managed-compute-environment-using-launch-template.html)
+ [batch-managed-compute-env-allocation-strategy-check](./batch-managed-compute-env-allocation-strategy-check.html)
+ [batch-managed-compute-env-compute-resources-tagged](./batch-managed-compute-env-compute-resources-tagged.html)
+ [batch-managed-spot-compute-environment-max-bid](./batch-managed-spot-compute-environment-max-bid.html)
+ [batch-scheduling-policy-tagged](./batch-scheduling-policy-tagged.html)
+ [beanstalk-enhanced-health-reporting-enabled](./beanstalk-enhanced-health-reporting-enabled.html)
+ [cassandra-keyspace-tagged](./cassandra-keyspace-tagged.html)
+ [clb-desync-mode-check](./clb-desync-mode-check.html)
+ [clb-multiple-az](./clb-multiple-az.html)
+ [cloudformation-stack-drift-detection-check](./cloudformation-stack-drift-detection-check.html)
+ [cloudformation-stack-notification-check](./cloudformation-stack-notification-check.html)
+ [cloudformation-stack-service-role-check](./cloudformation-stack-service-role-check.html)
+ [cloudformation-termination-protection-check](./cloudformation-termination-protection-check.html)
+ [cloudtrail-all-read-s3-data-event-check](./cloudtrail-all-read-s3-data-event-check.html)
+ [cloudtrail-all-write-s3-data-event-check](./cloudtrail-all-write-s3-data-event-check.html)
+ [cloudtrail-event-data-store-multi-region](./cloudtrail-event-data-store-multi-region.html)
+ [cloudtrail-s3-bucket-access-logging](./cloudtrail-s3-bucket-access-logging.html)
+ [cloudtrail-s3-bucket-public-access-prohibited](./cloudtrail-s3-bucket-public-access-prohibited.html)
+ [cloudtrail-s3-dataevents-enabled](./cloudtrail-s3-dataevents-enabled.html)
+ [cloudtrail-security-trail-enabled](./cloudtrail-security-trail-enabled.html)
+ [cloudwatch-alarm-action-check](./cloudwatch-alarm-action-check.html)
+ [cloudwatch-alarm-action-enabled-check](./cloudwatch-alarm-action-enabled-check.html)
+ [cloudwatch-alarm-description](./cloudwatch-alarm-description.html)
+ [cloudwatch-alarm-resource-check](./cloudwatch-alarm-resource-check.html)
+ [cloudwatch-alarm-settings-check](./cloudwatch-alarm-settings-check.html)
+ [cloudwatch-log-group-encrypted](./cloudwatch-log-group-encrypted.html)
+ [cloudwatch-metric-stream-tagged](./cloudwatch-metric-stream-tagged.html)
+ [cloud-trail-cloud-watch-logs-enabled](./cloud-trail-cloud-watch-logs-enabled.html)
+ [cloud-trail-enabled](./cloud-trail-enabled.html)
+ [cloud-trail-encryption-enabled](./cloud-trail-encryption-enabled.html)
+ [cloud-trail-log-file-validation-enabled](./cloud-trail-log-file-validation-enabled.html)
+ [cmk-backing-key-rotation-enabled](./cmk-backing-key-rotation-enabled.html)
+ [codebuild-project-artifact-encryption](./codebuild-project-artifact-encryption.html)
+ [codebuild-project-environment-privileged-check](./codebuild-project-environment-privileged-check.html)
+ [codebuild-project-envvar-awscred-check](./codebuild-project-envvar-awscred-check.html)
+ [codebuild-project-logging-enabled](./codebuild-project-logging-enabled.html)
+ [codebuild-project-s3-logs-encrypted](./codebuild-project-s3-logs-encrypted.html)
+ [codebuild-project-source-repo-url-check](./codebuild-project-source-repo-url-check.html)
+ [codebuild-project-tagged](./codebuild-project-tagged.html)
+ [codebuild-report-group-encrypted-at-rest](./codebuild-report-group-encrypted-at-rest.html)
+ [codebuild-report-group-tagged](./codebuild-report-group-tagged.html)
+ [codedeploy-auto-rollback-monitor-enabled](./codedeploy-auto-rollback-monitor-enabled.html)
+ [codedeploy-deployment-group-auto-rollback-enabled](./codedeploy-deployment-group-auto-rollback-enabled.html)
+ [codedeploy-deployment-group-outdated-instances-update](./codedeploy-deployment-group-outdated-instances-update.html)
+ [codedeploy-ec2-minimum-healthy-hosts-configured](./codedeploy-ec2-minimum-healthy-hosts-configured.html)
+ [codedeploy-lambda-allatonce-traffic-shift-disabled](./codedeploy-lambda-allatonce-traffic-shift-disabled.html)
+ [cognito-identity-pool-unauthenticated-logins](./cognito-identity-pool-unauthenticated-logins.html)
+ [cognito-identity-pool-unauth-access-check](./cognito-identity-pool-unauth-access-check.html)
+ [cognito-userpool-cust-auth-threat-full-check](./cognito-userpool-cust-auth-threat-full-check.html)
+ [cognito-user-pool-advanced-security-enabled](./cognito-user-pool-advanced-security-enabled.html)
+ [cognito-user-pool-deletion-protection-enabled](./cognito-user-pool-deletion-protection-enabled.html)
+ [cognito-user-pool-mfa-enabled](./cognito-user-pool-mfa-enabled.html)
+ [cognito-user-pool-password-policy-check](./cognito-user-pool-password-policy-check.html)
+ [cognito-user-pool-tagged](./cognito-user-pool-tagged.html)
+ [custom-eventbus-policy-attached](./custom-eventbus-policy-attached.html)
+ [cw-loggroup-retention-period-check](./cw-loggroup-retention-period-check.html)
+ [datasync-location-object-storage-using-https](./datasync-location-object-storage-using-https.html)
+ [datasync-task-data-verification-enabled](./datasync-task-data-verification-enabled.html)
+ [datasync-task-logging-enabled](./datasync-task-logging-enabled.html)
+ [datasync-task-tagged](./datasync-task-tagged.html)
+ [db-instance-backup-enabled](./db-instance-backup-enabled.html)
+ [desired-instance-tenancy](./desired-instance-tenancy.html)
+ [desired-instance-type](./desired-instance-type.html)
+ [dms-auto-minor-version-upgrade-check](./dms-auto-minor-version-upgrade-check.html)
+ [dms-endpoint-ssl-configured](./dms-endpoint-ssl-configured.html)
+ [dms-endpoint-tagged](./dms-endpoint-tagged.html)
+ [dms-mongo-db-authentication-enabled](./dms-mongo-db-authentication-enabled.html)
+ [dms-neptune-iam-authorization-enabled](./dms-neptune-iam-authorization-enabled.html)
+ [dms-redis-tls-enabled](./dms-redis-tls-enabled.html)
+ [dms-replication-instance-multi-az-enabled](./dms-replication-instance-multi-az-enabled.html)
+ [dms-replication-not-public](./dms-replication-not-public.html)
+ [dms-replication-task-sourcedb-logging](./dms-replication-task-sourcedb-logging.html)
+ [dms-replication-task-tagged](./dms-replication-task-tagged.html)
+ [dms-replication-task-targetdb-logging](./dms-replication-task-targetdb-logging.html)
+ [dynamodb-autoscaling-enabled](./dynamodb-autoscaling-enabled.html)
+ [dynamodb-in-backup-plan](./dynamodb-in-backup-plan.html)
+ [dynamodb-last-backup-recovery-point-created](./dynamodb-last-backup-recovery-point-created.html)
+ [dynamodb-meets-restore-time-target](./dynamodb-meets-restore-time-target.html)
+ [dynamodb-pitr-enabled](./dynamodb-pitr-enabled.html)
+ [dynamodb-resources-protected-by-backup-plan](./dynamodb-resources-protected-by-backup-plan.html)
+ [dynamodb-table-deletion-protection-enabled](./dynamodb-table-deletion-protection-enabled.html)
+ [dynamodb-table-encrypted-kms](./dynamodb-table-encrypted-kms.html)
+ [dynamodb-throughput-limit-check](./dynamodb-throughput-limit-check.html)
+ [ebs-in-backup-plan](./ebs-in-backup-plan.html)
+ [ebs-last-backup-recovery-point-created](./ebs-last-backup-recovery-point-created.html)
+ [ebs-meets-restore-time-target](./ebs-meets-restore-time-target.html)
+ [ebs-optimized-instance](./ebs-optimized-instance.html)
+ [ebs-resources-in-logically-air-gapped-vault](./ebs-resources-in-logically-air-gapped-vault.html)
+ [ebs-resources-protected-by-backup-plan](./ebs-resources-protected-by-backup-plan.html)
+ [ebs-snapshot-block-public-access](./ebs-snapshot-block-public-access.html)
+ [ebs-snapshot-public-restorable-check](./ebs-snapshot-public-restorable-check.html)
+ [ec2-capacity-reservation-tagged](./ec2-capacity-reservation-tagged.html)
+ [ec2-client-vpn-connection-log-enabled](./ec2-client-vpn-connection-log-enabled.html)
+ [ec2-client-vpn-endpoint-tagged](./ec2-client-vpn-endpoint-tagged.html)
+ [ec2-client-vpn-not-authorize-all](./ec2-client-vpn-not-authorize-all.html)
+ [ec2-dhcp-options-tagged](./ec2-dhcp-options-tagged.html)
+ [ec2-ebs-encryption-by-default](./ec2-ebs-encryption-by-default.html)
+ [ec2-enis-source-destination-check-enabled](./ec2-enis-source-destination-check-enabled.html)
+ [ec2-fleet-tagged](./ec2-fleet-tagged.html)
+ [ec2-imdsv2-check](./ec2-imdsv2-check.html)
+ [ec2-instance-detailed-monitoring-enabled](./ec2-instance-detailed-monitoring-enabled.html)
+ [ec2-instance-launched-with-allowed-ami](./ec2-instance-launched-with-allowed-ami.html)
+ [ec2-instance-managed-by-ssm](./ec2-instance-managed-by-ssm.html)
+ [ec2-instance-multiple-eni-check](./ec2-instance-multiple-eni-check.html)
+ [ec2-instance-no-public-ip](./ec2-instance-no-public-ip.html)
+ [ec2-instance-profile-attached](./ec2-instance-profile-attached.html)
+ [ec2-ipamscope-tagged](./ec2-ipamscope-tagged.html)
+ [ec2-last-backup-recovery-point-created](./ec2-last-backup-recovery-point-created.html)
+ [ec2-launchtemplate-ebs-encrypted](./ec2-launchtemplate-ebs-encrypted.html)
+ [ec2-launch-templates-ebs-volume-encrypted](./ec2-launch-templates-ebs-volume-encrypted.html)
+ [ec2-launch-template-imdsv2-check](./ec2-launch-template-imdsv2-check.html)
+ [ec2-launch-template-public-ip-disabled](./ec2-launch-template-public-ip-disabled.html)
+ [ec2-launch-template-tagged](./ec2-launch-template-tagged.html)
+ [ec2-managedinstance-applications-blacklisted](./ec2-managedinstance-applications-blacklisted.html)
+ [ec2-managedinstance-applications-required](./ec2-managedinstance-applications-required.html)
+ [ec2-managedinstance-association-compliance-status-check](./ec2-managedinstance-association-compliance-status-check.html)
+ [ec2-managedinstance-inventory-blacklisted](./ec2-managedinstance-inventory-blacklisted.html)
+ [ec2-managedinstance-patch-compliance-status-check](./ec2-managedinstance-patch-compliance-status-check.html)
+ [ec2-managedinstance-platform-check](./ec2-managedinstance-platform-check.html)
+ [ec2-meets-restore-time-target](./ec2-meets-restore-time-target.html)
+ [ec2-network-insights-access-scope-analysis-tagged](./ec2-network-insights-access-scope-analysis-tagged.html)
+ [ec2-network-insights-access-scope-tagged](./ec2-network-insights-access-scope-tagged.html)
+ [ec2-network-insights-analysis-tagged](./ec2-network-insights-analysis-tagged.html)
+ [ec2-network-insights-path-tagged](./ec2-network-insights-path-tagged.html)
+ [ec2-no-amazon-key-pair](./ec2-no-amazon-key-pair.html)
+ [ec2-prefix-list-tagged](./ec2-prefix-list-tagged.html)
+ [ec2-resources-in-logically-air-gapped-vault](./ec2-resources-in-logically-air-gapped-vault.html)
+ [ec2-resources-protected-by-backup-plan](./ec2-resources-protected-by-backup-plan.html)
+ [ec2-security-group-attached-to-eni](./ec2-security-group-attached-to-eni.html)
+ [ec2-security-group-attached-to-eni-periodic](./ec2-security-group-attached-to-eni-periodic.html)
+ [ec2-spot-fleet-request-ct-encryption-at-rest](./ec2-spot-fleet-request-ct-encryption-at-rest.html)
+ [ec2-stopped-instance](./ec2-stopped-instance.html)
+ [ec2-token-hop-limit-check](./ec2-token-hop-limit-check.html)
+ [ec2-traffic-mirror-filter-description](./ec2-traffic-mirror-filter-description.html)
+ [ec2-traffic-mirror-filter-tagged](./ec2-traffic-mirror-filter-tagged.html)
+ [ec2-traffic-mirror-session-description](./ec2-traffic-mirror-session-description.html)
+ [ec2-traffic-mirror-session-tagged](./ec2-traffic-mirror-session-tagged.html)
+ [ec2-traffic-mirror-target-description](./ec2-traffic-mirror-target-description.html)
+ [ec2-traffic-mirror-target-tagged](./ec2-traffic-mirror-target-tagged.html)
+ [ec2-transit-gateway-auto-vpc-attach-disabled](./ec2-transit-gateway-auto-vpc-attach-disabled.html)
+ [ec2-transit-gateway-multicast-domain-tagged](./ec2-transit-gateway-multicast-domain-tagged.html)
+ [ec2-volume-inuse-check](./ec2-volume-inuse-check.html)
+ [ec2-vpn-connection-logging-enabled](./ec2-vpn-connection-logging-enabled.html)
+ [ec2-vpn-connection-tagged](./ec2-vpn-connection-tagged.html)
+ [ecr-private-image-scanning-enabled](./ecr-private-image-scanning-enabled.html)
+ [ecr-private-lifecycle-policy-configured](./ecr-private-lifecycle-policy-configured.html)
+ [ecr-private-tag-immutability-enabled](./ecr-private-tag-immutability-enabled.html)
+ [ecr-repository-cmk-encryption-enabled](./ecr-repository-cmk-encryption-enabled.html)
+ [ecr-repository-tagged](./ecr-repository-tagged.html)
+ [ecs-awsvpc-networking-enabled](./ecs-awsvpc-networking-enabled.html)
+ [ecs-capacity-provider-tagged](./ecs-capacity-provider-tagged.html)
+ [ecs-capacity-provider-termination-check](./ecs-capacity-provider-termination-check.html)
+ [ecs-containers-nonprivileged](./ecs-containers-nonprivileged.html)
+ [ecs-containers-readonly-access](./ecs-containers-readonly-access.html)
+ [ecs-container-insights-enabled](./ecs-container-insights-enabled.html)
+ [ecs-fargate-latest-platform-version](./ecs-fargate-latest-platform-version.html)
+ [ecs-no-environment-secrets](./ecs-no-environment-secrets.html)
+ [ecs-service-propagate-tags-enabled](./ecs-service-propagate-tags-enabled.html)
+ [ecs-task-definition-efs-encryption-enabled](./ecs-task-definition-efs-encryption-enabled.html)
+ [ecs-task-definition-linux-user-non-root](./ecs-task-definition-linux-user-non-root.html)
+ [ecs-task-definition-log-configuration](./ecs-task-definition-log-configuration.html)
+ [ecs-task-definition-memory-hard-limit](./ecs-task-definition-memory-hard-limit.html)
+ [ecs-task-definition-network-mode-not-host](./ecs-task-definition-network-mode-not-host.html)
+ [ecs-task-definition-nonroot-user](./ecs-task-definition-nonroot-user.html)
+ [ecs-task-definition-pid-mode-check](./ecs-task-definition-pid-mode-check.html)
+ [ecs-task-definition-user-for-host-mode-check](./ecs-task-definition-user-for-host-mode-check.html)
+ [ecs-task-definition-windows-user-non-admin](./ecs-task-definition-windows-user-non-admin.html)
+ [efs-access-point-enforce-root-directory](./efs-access-point-enforce-root-directory.html)
+ [efs-access-point-enforce-user-identity](./efs-access-point-enforce-user-identity.html)
+ [efs-automatic-backups-enabled](./efs-automatic-backups-enabled.html)
+ [efs-encrypted-check](./efs-encrypted-check.html)
+ [efs-filesystem-ct-encrypted](./efs-filesystem-ct-encrypted.html)
+ [efs-file-system-tagged](./efs-file-system-tagged.html)
+ [efs-in-backup-plan](./efs-in-backup-plan.html)
+ [efs-last-backup-recovery-point-created](./efs-last-backup-recovery-point-created.html)
+ [efs-meets-restore-time-target](./efs-meets-restore-time-target.html)
+ [efs-mount-target-public-accessible](./efs-mount-target-public-accessible.html)
+ [efs-resources-in-logically-air-gapped-vault](./efs-resources-in-logically-air-gapped-vault.html)
+ [efs-resources-protected-by-backup-plan](./efs-resources-protected-by-backup-plan.html)
+ [eip-attached](./eip-attached.html)
+ [eks-addon-tagged](./eks-addon-tagged.html)
+ [eks-cluster-logging-enabled](./eks-cluster-logging-enabled.html)
+ [eks-cluster-log-enabled](./eks-cluster-log-enabled.html)
+ [eks-cluster-oldest-supported-version](./eks-cluster-oldest-supported-version.html)
+ [eks-cluster-secrets-encrypted](./eks-cluster-secrets-encrypted.html)
+ [eks-cluster-supported-version](./eks-cluster-supported-version.html)
+ [eks-endpoint-no-public-access](./eks-endpoint-no-public-access.html)
+ [eks-fargate-profile-tagged](./eks-fargate-profile-tagged.html)
+ [eks-secrets-encrypted](./eks-secrets-encrypted.html)
+ [elasticache-automatic-backup-check-enabled](./elasticache-automatic-backup-check-enabled.html)
+ [elasticache-auto-minor-version-upgrade-check](./elasticache-auto-minor-version-upgrade-check.html)
+ [elasticache-rbac-auth-enabled](./elasticache-rbac-auth-enabled.html)
+ [elasticache-redis-cluster-automatic-backup-check](./elasticache-redis-cluster-automatic-backup-check.html)
+ [elasticache-repl-grp-auto-failover-enabled](./elasticache-repl-grp-auto-failover-enabled.html)
+ [elasticache-repl-grp-encrypted-at-rest](./elasticache-repl-grp-encrypted-at-rest.html)
+ [elasticache-repl-grp-encrypted-in-transit](./elasticache-repl-grp-encrypted-in-transit.html)
+ [elasticache-repl-grp-redis-auth-enabled](./elasticache-repl-grp-redis-auth-enabled.html)
+ [elasticache-subnet-group-check](./elasticache-subnet-group-check.html)
+ [elasticache-supported-engine-version](./elasticache-supported-engine-version.html)
+ [elasticbeanstalk-application-description](./elasticbeanstalk-application-description.html)
+ [elasticbeanstalk-application-version-description](./elasticbeanstalk-application-version-description.html)
+ [elasticbeanstalk-environment-description](./elasticbeanstalk-environment-description.html)
+ [elasticsearch-encrypted-at-rest](./elasticsearch-encrypted-at-rest.html)
+ [elasticsearch-in-vpc-only](./elasticsearch-in-vpc-only.html)
+ [elasticsearch-logs-to-cloudwatch](./elasticsearch-logs-to-cloudwatch.html)
+ [elasticsearch-node-to-node-encryption-check](./elasticsearch-node-to-node-encryption-check.html)
+ [elastic-beanstalk-logs-to-cloudwatch](./elastic-beanstalk-logs-to-cloudwatch.html)
+ [elastic-beanstalk-managed-updates-enabled](./elastic-beanstalk-managed-updates-enabled.html)
+ [elbv2-acm-certificate-required](./elbv2-acm-certificate-required.html)
+ [elbv2-listener-encryption-in-transit](./elbv2-listener-encryption-in-transit.html)
+ [elbv2-multiple-az](./elbv2-multiple-az.html)
+ [elbv2-predefined-security-policy-ssl-check](./elbv2-predefined-security-policy-ssl-check.html)
+ [elbv2-targetgroup-healthcheck-protocol-encrypted](./elbv2-targetgroup-healthcheck-protocol-encrypted.html)
+ [elbv2-targetgroup-protocol-encrypted](./elbv2-targetgroup-protocol-encrypted.html)
+ [elb-acm-certificate-required](./elb-acm-certificate-required.html)
+ [elb-cross-zone-load-balancing-enabled](./elb-cross-zone-load-balancing-enabled.html)
+ [elb-custom-security-policy-ssl-check](./elb-custom-security-policy-ssl-check.html)
+ [elb-deletion-protection-enabled](./elb-deletion-protection-enabled.html)
+ [elb-internal-scheme-check](./elb-internal-scheme-check.html)
+ [elb-logging-enabled](./elb-logging-enabled.html)
+ [elb-predefined-security-policy-ssl-check](./elb-predefined-security-policy-ssl-check.html)
+ [elb-tagged](./elb-tagged.html)
+ [elb-tls-https-listeners-only](./elb-tls-https-listeners-only.html)
+ [emr-block-public-access](./emr-block-public-access.html)
+ [emr-kerberos-enabled](./emr-kerberos-enabled.html)
+ [emr-master-no-public-ip](./emr-master-no-public-ip.html)
+ [emr-security-configuration-encryption-rest](./emr-security-configuration-encryption-rest.html)
+ [emr-security-configuration-encryption-transit](./emr-security-configuration-encryption-transit.html)
+ [encrypted-volumes](./encrypted-volumes.html)
+ [eventschemas-discoverer-tagged](./eventschemas-discoverer-tagged.html)
+ [eventschemas-registry-tagged](./eventschemas-registry-tagged.html)
+ [event-data-store-cmk-encryption-enabled](./event-data-store-cmk-encryption-enabled.html)
+ [fis-experiment-template-log-configuration-exists](./fis-experiment-template-log-configuration-exists.html)
+ [fis-experiment-template-tagged](./fis-experiment-template-tagged.html)
+ [fms-shield-resource-policy-check](./fms-shield-resource-policy-check.html)
+ [fms-webacl-resource-policy-check](./fms-webacl-resource-policy-check.html)
+ [fms-webacl-rulegroup-association-check](./fms-webacl-rulegroup-association-check.html)
+ [fsx-last-backup-recovery-point-created](./fsx-last-backup-recovery-point-created.html)
+ [fsx-lustre-copy-tags-to-backups](./fsx-lustre-copy-tags-to-backups.html)
+ [fsx-meets-restore-time-target](./fsx-meets-restore-time-target.html)
+ [fsx-ontap-deployment-type-check](./fsx-ontap-deployment-type-check.html)
+ [fsx-openzfs-copy-tags-enabled](./fsx-openzfs-copy-tags-enabled.html)
+ [fsx-openzfs-deployment-type-check](./fsx-openzfs-deployment-type-check.html)
+ [fsx-resources-protected-by-backup-plan](./fsx-resources-protected-by-backup-plan.html)
+ [fsx-windows-audit-log-configured](./fsx-windows-audit-log-configured.html)
+ [fsx-windows-deployment-type-check](./fsx-windows-deployment-type-check.html)
+ [glb-listener-tagged](./glb-listener-tagged.html)
+ [glb-tagged](./glb-tagged.html)
+ [glue-job-logging-enabled](./glue-job-logging-enabled.html)
+ [glue-ml-transform-encrypted-at-rest](./glue-ml-transform-encrypted-at-rest.html)
+ [glue-ml-transform-tagged](./glue-ml-transform-tagged.html)
+ [glue-spark-job-supported-version](./glue-spark-job-supported-version.html)
+ [groundstation-config-tagged](./groundstation-config-tagged.html)
+ [groundstation-dataflowendpointgroup-tagged](./groundstation-dataflowendpointgroup-tagged.html)
+ [groundstation-missionprofile-tagged](./groundstation-missionprofile-tagged.html)
+ [guardduty-ec2-protection-runtime-enabled](./guardduty-ec2-protection-runtime-enabled.html)
+ [guardduty-ecs-protection-runtime-enabled](./guardduty-ecs-protection-runtime-enabled.html)
+ [guardduty-eks-protection-audit-enabled](./guardduty-eks-protection-audit-enabled.html)
+ [guardduty-eks-protection-runtime-enabled](./guardduty-eks-protection-runtime-enabled.html)
+ [guardduty-enabled-centralized](./guardduty-enabled-centralized.html)
+ [guardduty-lambda-protection-enabled](./guardduty-lambda-protection-enabled.html)
+ [guardduty-malware-protection-enabled](./guardduty-malware-protection-enabled.html)
+ [guardduty-non-archived-findings](./guardduty-non-archived-findings.html)
+ [guardduty-rds-protection-enabled](./guardduty-rds-protection-enabled.html)
+ [guardduty-runtime-monitoring-enabled](./guardduty-runtime-monitoring-enabled.html)
+ [guardduty-s3-protection-enabled](./guardduty-s3-protection-enabled.html)
+ [iam-customer-policy-blocked-kms-actions](./iam-customer-policy-blocked-kms-actions.html)
+ [iam-external-access-analyzer-enabled](./iam-external-access-analyzer-enabled.html)
+ [iam-group-has-users-check](./iam-group-has-users-check.html)
+ [iam-inline-policy-blocked-kms-actions](./iam-inline-policy-blocked-kms-actions.html)
+ [iam-no-inline-policy-check](./iam-no-inline-policy-check.html)
+ [iam-password-policy](./iam-password-policy.html)
+ [iam-policy-blacklisted-check](./iam-policy-blacklisted-check.html)
+ [iam-policy-description](./iam-policy-description.html)
+ [iam-policy-in-use](./iam-policy-in-use.html)
+ [iam-policy-no-statements-with-admin-access](./iam-policy-no-statements-with-admin-access.html)
+ [iam-policy-no-statements-with-full-access](./iam-policy-no-statements-with-full-access.html)
+ [iam-role-managed-policy-check](./iam-role-managed-policy-check.html)
+ [iam-root-access-key-check](./iam-root-access-key-check.html)
+ [iam-user-group-membership-check](./iam-user-group-membership-check.html)
+ [iam-user-mfa-enabled](./iam-user-mfa-enabled.html)
+ [iam-user-no-policies-check](./iam-user-no-policies-check.html)
+ [iam-user-unused-credentials-check](./iam-user-unused-credentials-check.html)
+ [imagebuilder-distributionconfiguration-tagged](./imagebuilder-distributionconfiguration-tagged.html)
+ [imagebuilder-imagepipeline-tagged](./imagebuilder-imagepipeline-tagged.html)
+ [imagebuilder-imagerecipe-ebs-volumes-encrypted](./imagebuilder-imagerecipe-ebs-volumes-encrypted.html)
+ [imagebuilder-imagerecipe-tagged](./imagebuilder-imagerecipe-tagged.html)
+ [imagebuilder-infrastructureconfiguration-tagged](./imagebuilder-infrastructureconfiguration-tagged.html)
+ [incoming-ssh-disabled](./incoming-ssh-disabled.html)
+ [inspector-ec2-scan-enabled](./inspector-ec2-scan-enabled.html)
+ [inspector-ecr-scan-enabled](./inspector-ecr-scan-enabled.html)
+ [inspector-lambda-standard-scan-enabled](./inspector-lambda-standard-scan-enabled.html)
+ [instances-in-vpc](./instances-in-vpc.html)
+ [internet-gateway-authorized-vpc-only](./internet-gateway-authorized-vpc-only.html)
+ [iotdevicedefender-custom-metric-tagged](./iotdevicedefender-custom-metric-tagged.html)
+ [iot-authorizer-token-signing-enabled](./iot-authorizer-token-signing-enabled.html)
+ [iot-job-template-tagged](./iot-job-template-tagged.html)
+ [iot-provisioning-template-description](./iot-provisioning-template-description.html)
+ [iot-provisioning-template-jitp](./iot-provisioning-template-jitp.html)
+ [iot-provisioning-template-tagged](./iot-provisioning-template-tagged.html)
+ [iot-scheduled-audit-tagged](./iot-scheduled-audit-tagged.html)
+ [kinesis-firehose-delivery-stream-encrypted](./kinesis-firehose-delivery-stream-encrypted.html)
+ [kinesis-stream-backup-retention-check](./kinesis-stream-backup-retention-check.html)
+ [kinesis-stream-encrypted](./kinesis-stream-encrypted.html)
+ [kms-cmk-not-scheduled-for-deletion](./kms-cmk-not-scheduled-for-deletion.html)
+ [kms-key-policy-no-public-access](./kms-key-policy-no-public-access.html)
+ [kms-key-tagged](./kms-key-tagged.html)
+ [lambda-concurrency-check](./lambda-concurrency-check.html)
+ [lambda-dlq-check](./lambda-dlq-check.html)
+ [lambda-function-application-log-level-check](./lambda-function-application-log-level-check.html)
+ [lambda-function-description](./lambda-function-description.html)
+ [lambda-function-log-format-json](./lambda-function-log-format-json.html)
+ [lambda-function-public-access-prohibited](./lambda-function-public-access-prohibited.html)
+ [lambda-function-settings-check](./lambda-function-settings-check.html)
+ [lambda-function-system-log-level-check](./lambda-function-system-log-level-check.html)
+ [lambda-function-xray-enabled](./lambda-function-xray-enabled.html)
+ [lambda-inside-vpc](./lambda-inside-vpc.html)
+ [lambda-vpc-multi-az-check](./lambda-vpc-multi-az-check.html)
+ [macie-auto-sensitive-data-discovery-check](./macie-auto-sensitive-data-discovery-check.html)
+ [macie-status-check](./macie-status-check.html)
+ [mariadb-publish-logs-to-cloudwatch-logs](./mariadb-publish-logs-to-cloudwatch-logs.html)
+ [mfa-enabled-for-iam-console-access](./mfa-enabled-for-iam-console-access.html)
+ [mq-active-broker-ldap-authentication](./mq-active-broker-ldap-authentication.html)
+ [mq-active-deployment-mode](./mq-active-deployment-mode.html)
+ [mq-active-single-instance-broker-storage-type-efs](./mq-active-single-instance-broker-storage-type-efs.html)
+ [mq-automatic-minor-version-upgrade-enabled](./mq-automatic-minor-version-upgrade-enabled.html)
+ [mq-auto-minor-version-upgrade-enabled](./mq-auto-minor-version-upgrade-enabled.html)
+ [mq-broker-general-logging-enabled](./mq-broker-general-logging-enabled.html)
+ [mq-cloudwatch-audit-logging-enabled](./mq-cloudwatch-audit-logging-enabled.html)
+ [mq-cloudwatch-audit-log-enabled](./mq-cloudwatch-audit-log-enabled.html)
+ [mq-no-public-access](./mq-no-public-access.html)
+ [mq-rabbit-deployment-mode](./mq-rabbit-deployment-mode.html)
+ [msk-cluster-public-access-disabled](./msk-cluster-public-access-disabled.html)
+ [msk-cluster-tagged](./msk-cluster-tagged.html)
+ [msk-enhanced-monitoring-enabled](./msk-enhanced-monitoring-enabled.html)
+ [msk-in-cluster-node-require-tls](./msk-in-cluster-node-require-tls.html)
+ [msk-unrestricted-access-check](./msk-unrestricted-access-check.html)
+ [multi-region-cloud-trail-enabled](./multi-region-cloud-trail-enabled.html)
+ [nacl-no-unrestricted-ssh-rdp](./nacl-no-unrestricted-ssh-rdp.html)
+ [neptune-cluster-backup-retention-check](./neptune-cluster-backup-retention-check.html)
+ [neptune-cluster-cloudwatch-log-export-enabled](./neptune-cluster-cloudwatch-log-export-enabled.html)
+ [neptune-cluster-copy-tags-to-snapshot-enabled](./neptune-cluster-copy-tags-to-snapshot-enabled.html)
+ [neptune-cluster-deletion-protection-enabled](./neptune-cluster-deletion-protection-enabled.html)
+ [neptune-cluster-encrypted](./neptune-cluster-encrypted.html)
+ [neptune-cluster-iam-database-authentication](./neptune-cluster-iam-database-authentication.html)
+ [neptune-cluster-multi-az-enabled](./neptune-cluster-multi-az-enabled.html)
+ [neptune-cluster-snapshot-encrypted](./neptune-cluster-snapshot-encrypted.html)
+ [neptune-cluster-snapshot-iam-database-auth-enabled](./neptune-cluster-snapshot-iam-database-auth-enabled.html)
+ [neptune-cluster-snapshot-public-prohibited](./neptune-cluster-snapshot-public-prohibited.html)
+ [netfw-deletion-protection-enabled](./netfw-deletion-protection-enabled.html)
+ [netfw-logging-enabled](./netfw-logging-enabled.html)
+ [netfw-multi-az-enabled](./netfw-multi-az-enabled.html)
+ [netfw-policy-default-action-fragment-packets](./netfw-policy-default-action-fragment-packets.html)
+ [netfw-policy-default-action-full-packets](./netfw-policy-default-action-full-packets.html)
+ [netfw-policy-rule-group-associated](./netfw-policy-rule-group-associated.html)
+ [netfw-stateless-rule-group-not-empty](./netfw-stateless-rule-group-not-empty.html)
+ [netfw-subnet-change-protection-enabled](./netfw-subnet-change-protection-enabled.html)
+ [nlb-cross-zone-load-balancing-enabled](./nlb-cross-zone-load-balancing-enabled.html)
+ [nlb-internal-scheme-check](./nlb-internal-scheme-check.html)
+ [nlb-listener-tagged](./nlb-listener-tagged.html)
+ [nlb-logging-enabled](./nlb-logging-enabled.html)
+ [nlb-tagged](./nlb-tagged.html)
+ [no-unrestricted-route-to-igw](./no-unrestricted-route-to-igw.html)
+ [opensearch-access-control-enabled](./opensearch-access-control-enabled.html)
+ [opensearch-audit-logging-enabled](./opensearch-audit-logging-enabled.html)
+ [opensearch-data-node-fault-tolerance](./opensearch-data-node-fault-tolerance.html)
+ [opensearch-encrypted-at-rest](./opensearch-encrypted-at-rest.html)
+ [opensearch-https-required](./opensearch-https-required.html)
+ [opensearch-in-vpc-only](./opensearch-in-vpc-only.html)
+ [opensearch-logs-to-cloudwatch](./opensearch-logs-to-cloudwatch.html)
+ [opensearch-node-to-node-encryption-check](./opensearch-node-to-node-encryption-check.html)
+ [opensearch-primary-node-fault-tolerance](./opensearch-primary-node-fault-tolerance.html)
+ [opensearch-update-check](./opensearch-update-check.html)
+ [rabbit-mq-supported-version](./rabbit-mq-supported-version.html)
+ [rds-aurora-mysql-audit-logging-enabled](./rds-aurora-mysql-audit-logging-enabled.html)
+ [rds-aurora-postgresql-logs-to-cloudwatch](./rds-aurora-postgresql-logs-to-cloudwatch.html)
+ [rds-automatic-minor-version-upgrade-enabled](./rds-automatic-minor-version-upgrade-enabled.html)
+ [rds-cluster-auto-minor-version-upgrade-enable](./rds-cluster-auto-minor-version-upgrade-enable.html)
+ [rds-cluster-backup-retention-check](./rds-cluster-backup-retention-check.html)
+ [rds-cluster-default-admin-check](./rds-cluster-default-admin-check.html)
+ [rds-cluster-deletion-protection-enabled](./rds-cluster-deletion-protection-enabled.html)
+ [rds-cluster-encrypted-at-rest](./rds-cluster-encrypted-at-rest.html)
+ [rds-cluster-iam-authentication-enabled](./rds-cluster-iam-authentication-enabled.html)
+ [rds-cluster-multi-az-enabled](./rds-cluster-multi-az-enabled.html)
+ [rds-enhanced-monitoring-enabled](./rds-enhanced-monitoring-enabled.html)
+ [rds-event-subscription-tagged](./rds-event-subscription-tagged.html)
+ [rds-global-cluster-aurora-mysql-supported-version](./rds-global-cluster-aurora-mysql-supported-version.html)
+ [rds-instance-default-admin-check](./rds-instance-default-admin-check.html)
+ [rds-instance-deletion-protection-enabled](./rds-instance-deletion-protection-enabled.html)
+ [rds-instance-iam-authentication-enabled](./rds-instance-iam-authentication-enabled.html)
+ [rds-instance-public-access-check](./rds-instance-public-access-check.html)
+ [rds-instance-subnet-igw-check](./rds-instance-subnet-igw-check.html)
+ [rds-in-backup-plan](./rds-in-backup-plan.html)
+ [rds-last-backup-recovery-point-created](./rds-last-backup-recovery-point-created.html)
+ [rds-logging-enabled](./rds-logging-enabled.html)
+ [rds-mariadb-instance-encrypted-in-transit](./rds-mariadb-instance-encrypted-in-transit.html)
+ [rds-meets-restore-time-target](./rds-meets-restore-time-target.html)
+ [rds-multi-az-support](./rds-multi-az-support.html)
+ [rds-mysql-cluster-copy-tags-to-snapshot-check](./rds-mysql-cluster-copy-tags-to-snapshot-check.html)
+ [rds-mysql-instance-encrypted-in-transit](./rds-mysql-instance-encrypted-in-transit.html)
+ [rds-option-group-tagged](./rds-option-group-tagged.html)
+ [rds-pgsql-cluster-copy-tags-to-snapshot-check](./rds-pgsql-cluster-copy-tags-to-snapshot-check.html)
+ [rds-postgresql-logs-to-cloudwatch](./rds-postgresql-logs-to-cloudwatch.html)
+ [rds-postgres-instance-encrypted-in-transit](./rds-postgres-instance-encrypted-in-transit.html)
+ [rds-proxy-tls-encryption](./rds-proxy-tls-encryption.html)
+ [rds-resources-protected-by-backup-plan](./rds-resources-protected-by-backup-plan.html)
+ [rds-snapshots-public-prohibited](./rds-snapshots-public-prohibited.html)
+ [rds-snapshot-encrypted](./rds-snapshot-encrypted.html)
+ [rds-sqlserver-encrypted-in-transit](./rds-sqlserver-encrypted-in-transit.html)
+ [rds-sql-server-logs-to-cloudwatch](./rds-sql-server-logs-to-cloudwatch.html)
+ [rds-storage-encrypted](./rds-storage-encrypted.html)
+ [redshift-audit-logging-enabled](./redshift-audit-logging-enabled.html)
+ [redshift-backup-enabled](./redshift-backup-enabled.html)
+ [redshift-cluster-configuration-check](./redshift-cluster-configuration-check.html)
+ [redshift-cluster-kms-enabled](./redshift-cluster-kms-enabled.html)
+ [redshift-cluster-maintenancesettings-check](./redshift-cluster-maintenancesettings-check.html)
+ [redshift-cluster-multi-az-enabled](./redshift-cluster-multi-az-enabled.html)
+ [redshift-cluster-parameter-group-tagged](./redshift-cluster-parameter-group-tagged.html)
+ [redshift-cluster-public-access-check](./redshift-cluster-public-access-check.html)
+ [redshift-cluster-subnet-group-multi-az](./redshift-cluster-subnet-group-multi-az.html)
+ [redshift-default-admin-check](./redshift-default-admin-check.html)
+ [redshift-default-db-name-check](./redshift-default-db-name-check.html)
+ [redshift-enhanced-vpc-routing-enabled](./redshift-enhanced-vpc-routing-enabled.html)
+ [redshift-require-tls-ssl](./redshift-require-tls-ssl.html)
+ [redshift-unrestricted-port-access](./redshift-unrestricted-port-access.html)
+ [required-tags](./required-tags.html)
+ [resiliencehub-app-tagged](./resiliencehub-app-tagged.html)
+ [resiliencehub-resiliencypolicy-tagged](./resiliencehub-resiliencypolicy-tagged.html)
+ [restricted-incoming-traffic](./restricted-incoming-traffic.html)
+ [root-account-hardware-mfa-enabled](./root-account-hardware-mfa-enabled.html)
+ [root-account-mfa-enabled](./root-account-mfa-enabled.html)
+ [route53-resolver-firewall-domain-list-tagged](./route53-resolver-firewall-domain-list-tagged.html)
+ [route53-resolver-firewall-rule-group-association-tagged](./route53-resolver-firewall-rule-group-association-tagged.html)
+ [route53-resolver-firewall-rule-group-tagged](./route53-resolver-firewall-rule-group-tagged.html)
+ [route53-resolver-resolver-endpoint-tagged](./route53-resolver-resolver-endpoint-tagged.html)
+ [route53-resolver-resolver-rule-tagged](./route53-resolver-resolver-rule-tagged.html)
+ [rum-app-monitor-cloudwatch-logs-enabled](./rum-app-monitor-cloudwatch-logs-enabled.html)
+ [rum-app-monitor-tagged](./rum-app-monitor-tagged.html)
+ [s3-access-point-in-vpc-only](./s3-access-point-in-vpc-only.html)
+ [s3-access-point-public-access-blocks](./s3-access-point-public-access-blocks.html)
+ [s3-account-level-public-access-blocks](./s3-account-level-public-access-blocks.html)
+ [s3-account-level-public-access-blocks-periodic](./s3-account-level-public-access-blocks-periodic.html)
+ [s3-bucket-acl-prohibited](./s3-bucket-acl-prohibited.html)
+ [s3-bucket-blacklisted-actions-prohibited](./s3-bucket-blacklisted-actions-prohibited.html)
+ [s3-bucket-cross-region-replication-enabled](./s3-bucket-cross-region-replication-enabled.html)
+ [s3-bucket-default-lock-enabled](./s3-bucket-default-lock-enabled.html)
+ [s3-bucket-level-public-access-prohibited](./s3-bucket-level-public-access-prohibited.html)
+ [s3-bucket-logging-enabled](./s3-bucket-logging-enabled.html)
+ [s3-bucket-mfa-delete-enabled](./s3-bucket-mfa-delete-enabled.html)
+ [s3-bucket-policy-grantee-check](./s3-bucket-policy-grantee-check.html)
+ [s3-bucket-policy-not-more-permissive](./s3-bucket-policy-not-more-permissive.html)
+ [s3-bucket-public-read-prohibited](./s3-bucket-public-read-prohibited.html)
+ [s3-bucket-public-write-prohibited](./s3-bucket-public-write-prohibited.html)
+ [s3-bucket-replication-enabled](./s3-bucket-replication-enabled.html)
+ [s3-bucket-server-side-encryption-enabled](./s3-bucket-server-side-encryption-enabled.html)
+ [s3-bucket-ssl-requests-only](./s3-bucket-ssl-requests-only.html)
+ [s3-bucket-tagged](./s3-bucket-tagged.html)
+ [s3-bucket-versioning-enabled](./s3-bucket-versioning-enabled.html)
+ [s3-default-encryption-kms](./s3-default-encryption-kms.html)
+ [s3-event-notifications-enabled](./s3-event-notifications-enabled.html)
+ [s3-last-backup-recovery-point-created](./s3-last-backup-recovery-point-created.html)
+ [s3-lifecycle-policy-check](./s3-lifecycle-policy-check.html)
+ [s3-meets-restore-time-target](./s3-meets-restore-time-target.html)
+ [s3-resources-in-logically-air-gapped-vault](./s3-resources-in-logically-air-gapped-vault.html)
+ [s3-resources-protected-by-backup-plan](./s3-resources-protected-by-backup-plan.html)
+ [s3-version-lifecycle-policy-check](./s3-version-lifecycle-policy-check.html)
+ [sagemaker-app-image-config-tagged](./sagemaker-app-image-config-tagged.html)
+ [sagemaker-data-quality-job-encrypt-in-transit](./sagemaker-data-quality-job-encrypt-in-transit.html)
+ [sagemaker-data-quality-job-isolation](./sagemaker-data-quality-job-isolation.html)
+ [sagemaker-domain-in-vpc](./sagemaker-domain-in-vpc.html)
+ [sagemaker-domain-tagged](./sagemaker-domain-tagged.html)
+ [sagemaker-endpoint-configuration-kms-key-configured](./sagemaker-endpoint-configuration-kms-key-configured.html)
+ [sagemaker-endpoint-config-prod-instance-count](./sagemaker-endpoint-config-prod-instance-count.html)
+ [sagemaker-featuregroup-description](./sagemaker-featuregroup-description.html)
+ [sagemaker-feature-group-tagged](./sagemaker-feature-group-tagged.html)
+ [sagemaker-image-description](./sagemaker-image-description.html)
+ [sagemaker-image-tagged](./sagemaker-image-tagged.html)
+ [sagemaker-inferenceexperiment-tagged](./sagemaker-inferenceexperiment-tagged.html)
+ [sagemaker-model-bias-job-encrypt-in-transit](./sagemaker-model-bias-job-encrypt-in-transit.html)
+ [sagemaker-model-bias-job-isolation](./sagemaker-model-bias-job-isolation.html)
+ [sagemaker-model-explainability-job-encrypt-in-transit](./sagemaker-model-explainability-job-encrypt-in-transit.html)
+ [sagemaker-model-in-vpc](./sagemaker-model-in-vpc.html)
+ [sagemaker-model-isolation-enabled](./sagemaker-model-isolation-enabled.html)
+ [sagemaker-model-quality-job-encrypt-in-transit](./sagemaker-model-quality-job-encrypt-in-transit.html)
+ [sagemaker-monitoring-schedule-isolation](./sagemaker-monitoring-schedule-isolation.html)
+ [sagemaker-notebook-instance-inside-vpc](./sagemaker-notebook-instance-inside-vpc.html)
+ [sagemaker-notebook-instance-kms-key-configured](./sagemaker-notebook-instance-kms-key-configured.html)
+ [sagemaker-notebook-instance-platform-version](./sagemaker-notebook-instance-platform-version.html)
+ [sagemaker-notebook-instance-root-access-check](./sagemaker-notebook-instance-root-access-check.html)
+ [sagemaker-notebook-no-direct-internet-access](./sagemaker-notebook-no-direct-internet-access.html)
+ [secretsmanager-rotation-enabled-check](./secretsmanager-rotation-enabled-check.html)
+ [secretsmanager-scheduled-rotation-success-check](./secretsmanager-scheduled-rotation-success-check.html)
+ [secretsmanager-secret-periodic-rotation](./secretsmanager-secret-periodic-rotation.html)
+ [secretsmanager-secret-unused](./secretsmanager-secret-unused.html)
+ [secretsmanager-using-cmk](./secretsmanager-using-cmk.html)
+ [securityhub-enabled](./securityhub-enabled.html)
+ [security-account-information-provided](./security-account-information-provided.html)
+ [service-catalog-portfolio-tagged](./service-catalog-portfolio-tagged.html)
+ [service-catalog-shared-within-organization](./service-catalog-shared-within-organization.html)
+ [service-vpc-endpoint-enabled](./service-vpc-endpoint-enabled.html)
+ [ses-sending-tls-required](./ses-sending-tls-required.html)
+ [signer-signingprofile-tagged](./signer-signingprofile-tagged.html)
+ [sns-encrypted-kms](./sns-encrypted-kms.html)
+ [sns-topic-message-delivery-notification-enabled](./sns-topic-message-delivery-notification-enabled.html)
+ [sns-topic-no-public-access](./sns-topic-no-public-access.html)
+ [sqs-queue-dlq-check](./sqs-queue-dlq-check.html)
+ [sqs-queue-no-public-access](./sqs-queue-no-public-access.html)
+ [sqs-queue-policy-full-access-check](./sqs-queue-policy-full-access-check.html)
+ [ssm-automation-block-public-sharing](./ssm-automation-block-public-sharing.html)
+ [ssm-automation-logging-enabled](./ssm-automation-logging-enabled.html)
+ [ssm-document-not-public](./ssm-document-not-public.html)
+ [ssm-document-tagged](./ssm-document-tagged.html)
+ [stepfunctions-state-machine-tagged](./stepfunctions-state-machine-tagged.html)
+ [step-functions-state-machine-logging-enabled](./step-functions-state-machine-logging-enabled.html)
+ [storagegateway-last-backup-recovery-point-created](./storagegateway-last-backup-recovery-point-created.html)
+ [storagegateway-resources-in-logically-air-gapped-vault](./storagegateway-resources-in-logically-air-gapped-vault.html)
+ [storagegateway-resources-protected-by-backup-plan](./storagegateway-resources-protected-by-backup-plan.html)
+ [subnet-auto-assign-public-ip-disabled](./subnet-auto-assign-public-ip-disabled.html)
+ [transfer-agreement-description](./transfer-agreement-description.html)
+ [transfer-agreement-tagged](./transfer-agreement-tagged.html)
+ [transfer-certificate-description](./transfer-certificate-description.html)
+ [transfer-certificate-tagged](./transfer-certificate-tagged.html)
+ [transfer-connector-as2-encryption-algorithm-check](./transfer-connector-as2-encryption-algorithm-check.html)
+ [transfer-connector-as2-mdn-signing-algorithm-check](./transfer-connector-as2-mdn-signing-algorithm-check.html)
+ [transfer-connector-as2-signing-algorithm-check](./transfer-connector-as2-signing-algorithm-check.html)
+ [transfer-connector-logging-enabled](./transfer-connector-logging-enabled.html)
+ [transfer-connector-tagged](./transfer-connector-tagged.html)
+ [transfer-family-server-no-ftp](./transfer-family-server-no-ftp.html)
+ [transfer-profile-tagged](./transfer-profile-tagged.html)
+ [transfer-workflow-description](./transfer-workflow-description.html)
+ [transfer-workflow-tagged](./transfer-workflow-tagged.html)
+ [virtualmachine-last-backup-recovery-point-created](./virtualmachine-last-backup-recovery-point-created.html)
+ [virtualmachine-resources-in-logically-air-gapped-vault](./virtualmachine-resources-in-logically-air-gapped-vault.html)
+ [virtualmachine-resources-protected-by-backup-plan](./virtualmachine-resources-protected-by-backup-plan.html)
+ [vpc-default-security-group-closed](./vpc-default-security-group-closed.html)
+ [vpc-endpoint-enabled](./vpc-endpoint-enabled.html)
+ [vpc-flow-logs-enabled](./vpc-flow-logs-enabled.html)
+ [vpc-network-acl-unused-check](./vpc-network-acl-unused-check.html)
+ [vpc-peering-dns-resolution-check](./vpc-peering-dns-resolution-check.html)
+ [vpc-sg-open-only-to-authorized-ports](./vpc-sg-open-only-to-authorized-ports.html)
+ [vpc-sg-port-restriction-check](./vpc-sg-port-restriction-check.html)
+ [wafv2-logging-enabled](./wafv2-logging-enabled.html)
+ [wafv2-rulegroup-logging-enabled](./wafv2-rulegroup-logging-enabled.html)
+ [wafv2-rulegroup-not-empty](./wafv2-rulegroup-not-empty.html)
+ [wafv2-webacl-not-empty](./wafv2-webacl-not-empty.html)
+ [waf-global-rulegroup-not-empty](./waf-global-rulegroup-not-empty.html)
+ [waf-global-rule-not-empty](./waf-global-rule-not-empty.html)
+ [waf-regional-rulegroup-not-empty](./waf-regional-rulegroup-not-empty.html)
+ [waf-regional-rule-not-empty](./waf-regional-rule-not-empty.html)
+ [waf-regional-webacl-not-empty](./waf-regional-webacl-not-empty.html)

## Middle East (UAE) Region
<a name="middle-east-uae-section-head"></a>

### Middle East (UAE)
<a name="middle-east-uae"></a>
+ [account-part-of-organizations](./account-part-of-organizations.html)
+ [acmpca-certificate-authority-tagged](./acmpca-certificate-authority-tagged.html)
+ [acm-certificate-expiration-check](./acm-certificate-expiration-check.html)
+ [acm-certificate-rsa-check](./acm-certificate-rsa-check.html)
+ [acm-certificate-transparent-logging-enabled](./acm-certificate-transparent-logging-enabled.html)
+ [acm-pca-root-ca-disabled](./acm-pca-root-ca-disabled.html)
+ [active-mq-supported-version](./active-mq-supported-version.html)
+ [alb-desync-mode-check](./alb-desync-mode-check.html)
+ [alb-http-drop-invalid-header-enabled](./alb-http-drop-invalid-header-enabled.html)
+ [alb-http-to-https-redirection-check](./alb-http-to-https-redirection-check.html)
+ [alb-internal-scheme-check](./alb-internal-scheme-check.html)
+ [alb-tagged](./alb-tagged.html)
+ [alb-waf-enabled](./alb-waf-enabled.html)
+ [apigatewayv2-integration-private-https-enabled](./apigatewayv2-integration-private-https-enabled.html)
+ [apigatewayv2-stage-description](./apigatewayv2-stage-description.html)
+ [apigateway-domain-name-tls-check](./apigateway-domain-name-tls-check.html)
+ [apigateway-stage-access-logs-enabled](./apigateway-stage-access-logs-enabled.html)
+ [apigateway-stage-description](./apigateway-stage-description.html)
+ [api-gwv2-access-logs-enabled](./api-gwv2-access-logs-enabled.html)
+ [api-gwv2-stage-default-route-detailed-metrics-enabled](./api-gwv2-stage-default-route-detailed-metrics-enabled.html)
+ [api-gw-associated-with-waf](./api-gw-associated-with-waf.html)
+ [api-gw-cache-enabled-and-encrypted](./api-gw-cache-enabled-and-encrypted.html)
+ [api-gw-endpoint-type-check](./api-gw-endpoint-type-check.html)
+ [api-gw-execution-logging-enabled](./api-gw-execution-logging-enabled.html)
+ [api-gw-rest-api-tagged](./api-gw-rest-api-tagged.html)
+ [api-gw-ssl-enabled](./api-gw-ssl-enabled.html)
+ [api-gw-stage-tagged](./api-gw-stage-tagged.html)
+ [api-gw-xray-enabled](./api-gw-xray-enabled.html)
+ [appconfig-deployment-strategy-description](./appconfig-deployment-strategy-description.html)
+ [appconfig-deployment-strategy-minimum-final-bake-time](./appconfig-deployment-strategy-minimum-final-bake-time.html)
+ [appconfig-deployment-strategy-replicate-to-ssm](./appconfig-deployment-strategy-replicate-to-ssm.html)
+ [appconfig-deployment-strategy-tagged](./appconfig-deployment-strategy-tagged.html)
+ [appconfig-extension-association-tagged](./appconfig-extension-association-tagged.html)
+ [approved-amis-by-id](./approved-amis-by-id.html)
+ [approved-amis-by-tag](./approved-amis-by-tag.html)
+ [appsync-authorization-check](./appsync-authorization-check.html)
+ [appsync-graphql-api-xray-enabled](./appsync-graphql-api-xray-enabled.html)
+ [appsync-logging-enabled](./appsync-logging-enabled.html)
+ [athena-data-catalog-description](./athena-data-catalog-description.html)
+ [athena-prepared-statement-description](./athena-prepared-statement-description.html)
+ [athena-workgroup-description](./athena-workgroup-description.html)
+ [athena-workgroup-enforce-workgroup-configuration](./athena-workgroup-enforce-workgroup-configuration.html)
+ [athena-workgroup-engine-version-auto-upgrade](./athena-workgroup-engine-version-auto-upgrade.html)
+ [athena-workgroup-logging-enabled](./athena-workgroup-logging-enabled.html)
+ [aurora-global-database-encryption-at-rest](./aurora-global-database-encryption-at-rest.html)
+ [aurora-last-backup-recovery-point-created](./aurora-last-backup-recovery-point-created.html)
+ [aurora-meets-restore-time-target](./aurora-meets-restore-time-target.html)
+ [aurora-mysql-cluster-audit-logging](./aurora-mysql-cluster-audit-logging.html)
+ [aurora-resources-in-logically-air-gapped-vault](./aurora-resources-in-logically-air-gapped-vault.html)
+ [aurora-resources-protected-by-backup-plan](./aurora-resources-protected-by-backup-plan.html)
+ [autoscaling-group-elb-healthcheck-required](./autoscaling-group-elb-healthcheck-required.html)
+ [autoscaling-launchconfig-requires-imdsv2](./autoscaling-launchconfig-requires-imdsv2.html)
+ [autoscaling-launch-config-hop-limit](./autoscaling-launch-config-hop-limit.html)
+ [autoscaling-launch-config-public-ip-disabled](./autoscaling-launch-config-public-ip-disabled.html)
+ [autoscaling-launch-template](./autoscaling-launch-template.html)
+ [autoscaling-multiple-az](./autoscaling-multiple-az.html)
+ [autoscaling-multiple-instance-types](./autoscaling-multiple-instance-types.html)
+ [backup-plan-min-frequency-and-min-retention-check](./backup-plan-min-frequency-and-min-retention-check.html)
+ [backup-recovery-point-encrypted](./backup-recovery-point-encrypted.html)
+ [backup-recovery-point-manual-deletion-disabled](./backup-recovery-point-manual-deletion-disabled.html)
+ [backup-recovery-point-minimum-retention-check](./backup-recovery-point-minimum-retention-check.html)
+ [batch-compute-environment-enabled](./batch-compute-environment-enabled.html)
+ [batch-compute-environment-managed](./batch-compute-environment-managed.html)
+ [batch-compute-environment-tagged](./batch-compute-environment-tagged.html)
+ [batch-job-queue-enabled](./batch-job-queue-enabled.html)
+ [batch-job-queue-tagged](./batch-job-queue-tagged.html)
+ [batch-managed-compute-environment-using-launch-template](./batch-managed-compute-environment-using-launch-template.html)
+ [batch-managed-compute-env-allocation-strategy-check](./batch-managed-compute-env-allocation-strategy-check.html)
+ [batch-managed-compute-env-compute-resources-tagged](./batch-managed-compute-env-compute-resources-tagged.html)
+ [batch-managed-spot-compute-environment-max-bid](./batch-managed-spot-compute-environment-max-bid.html)
+ [batch-scheduling-policy-tagged](./batch-scheduling-policy-tagged.html)
+ [beanstalk-enhanced-health-reporting-enabled](./beanstalk-enhanced-health-reporting-enabled.html)
+ [clb-multiple-az](./clb-multiple-az.html)
+ [cloudtrail-all-read-s3-data-event-check](./cloudtrail-all-read-s3-data-event-check.html)
+ [cloudtrail-all-write-s3-data-event-check](./cloudtrail-all-write-s3-data-event-check.html)
+ [cloudtrail-event-data-store-multi-region](./cloudtrail-event-data-store-multi-region.html)
+ [cloudtrail-s3-bucket-access-logging](./cloudtrail-s3-bucket-access-logging.html)
+ [cloudtrail-s3-bucket-public-access-prohibited](./cloudtrail-s3-bucket-public-access-prohibited.html)
+ [cloudtrail-s3-dataevents-enabled](./cloudtrail-s3-dataevents-enabled.html)
+ [cloudtrail-security-trail-enabled](./cloudtrail-security-trail-enabled.html)
+ [cloudwatch-alarm-action-check](./cloudwatch-alarm-action-check.html)
+ [cloudwatch-alarm-action-enabled-check](./cloudwatch-alarm-action-enabled-check.html)
+ [cloudwatch-alarm-description](./cloudwatch-alarm-description.html)
+ [cloudwatch-alarm-resource-check](./cloudwatch-alarm-resource-check.html)
+ [cloudwatch-alarm-settings-check](./cloudwatch-alarm-settings-check.html)
+ [cloudwatch-log-group-encrypted](./cloudwatch-log-group-encrypted.html)
+ [cloudwatch-metric-stream-tagged](./cloudwatch-metric-stream-tagged.html)
+ [cloud-trail-cloud-watch-logs-enabled](./cloud-trail-cloud-watch-logs-enabled.html)
+ [cloud-trail-enabled](./cloud-trail-enabled.html)
+ [cloud-trail-encryption-enabled](./cloud-trail-encryption-enabled.html)
+ [cloud-trail-log-file-validation-enabled](./cloud-trail-log-file-validation-enabled.html)
+ [cmk-backing-key-rotation-enabled](./cmk-backing-key-rotation-enabled.html)
+ [codebuild-project-envvar-awscred-check](./codebuild-project-envvar-awscred-check.html)
+ [codebuild-project-logging-enabled](./codebuild-project-logging-enabled.html)
+ [codebuild-project-s3-logs-encrypted](./codebuild-project-s3-logs-encrypted.html)
+ [codebuild-project-source-repo-url-check](./codebuild-project-source-repo-url-check.html)
+ [codebuild-project-tagged](./codebuild-project-tagged.html)
+ [codebuild-report-group-encrypted-at-rest](./codebuild-report-group-encrypted-at-rest.html)
+ [codebuild-report-group-tagged](./codebuild-report-group-tagged.html)
+ [codepipeline-deployment-count-check](./codepipeline-deployment-count-check.html)
+ [codepipeline-region-fanout-check](./codepipeline-region-fanout-check.html)
+ [cognito-identity-pool-unauthenticated-logins](./cognito-identity-pool-unauthenticated-logins.html)
+ [cognito-identity-pool-unauth-access-check](./cognito-identity-pool-unauth-access-check.html)
+ [cognito-userpool-cust-auth-threat-full-check](./cognito-userpool-cust-auth-threat-full-check.html)
+ [cognito-user-pool-deletion-protection-enabled](./cognito-user-pool-deletion-protection-enabled.html)
+ [cognito-user-pool-mfa-enabled](./cognito-user-pool-mfa-enabled.html)
+ [cognito-user-pool-password-policy-check](./cognito-user-pool-password-policy-check.html)
+ [cognito-user-pool-tagged](./cognito-user-pool-tagged.html)
+ [custom-eventbus-policy-attached](./custom-eventbus-policy-attached.html)
+ [cw-loggroup-retention-period-check](./cw-loggroup-retention-period-check.html)
+ [datasync-location-object-storage-using-https](./datasync-location-object-storage-using-https.html)
+ [datasync-task-data-verification-enabled](./datasync-task-data-verification-enabled.html)
+ [datasync-task-logging-enabled](./datasync-task-logging-enabled.html)
+ [datasync-task-tagged](./datasync-task-tagged.html)
+ [db-instance-backup-enabled](./db-instance-backup-enabled.html)
+ [desired-instance-tenancy](./desired-instance-tenancy.html)
+ [desired-instance-type](./desired-instance-type.html)
+ [dms-replication-not-public](./dms-replication-not-public.html)
+ [docdb-cluster-audit-logging-enabled](./docdb-cluster-audit-logging-enabled.html)
+ [docdb-cluster-backup-retention-check](./docdb-cluster-backup-retention-check.html)
+ [docdb-cluster-deletion-protection-enabled](./docdb-cluster-deletion-protection-enabled.html)
+ [docdb-cluster-encrypted](./docdb-cluster-encrypted.html)
+ [docdb-cluster-encrypted-in-transit](./docdb-cluster-encrypted-in-transit.html)
+ [docdb-cluster-snapshot-public-prohibited](./docdb-cluster-snapshot-public-prohibited.html)
+ [dynamodb-autoscaling-enabled](./dynamodb-autoscaling-enabled.html)
+ [dynamodb-in-backup-plan](./dynamodb-in-backup-plan.html)
+ [dynamodb-last-backup-recovery-point-created](./dynamodb-last-backup-recovery-point-created.html)
+ [dynamodb-meets-restore-time-target](./dynamodb-meets-restore-time-target.html)
+ [dynamodb-pitr-enabled](./dynamodb-pitr-enabled.html)
+ [dynamodb-resources-protected-by-backup-plan](./dynamodb-resources-protected-by-backup-plan.html)
+ [dynamodb-table-deletion-protection-enabled](./dynamodb-table-deletion-protection-enabled.html)
+ [dynamodb-table-encrypted-kms](./dynamodb-table-encrypted-kms.html)
+ [dynamodb-table-encryption-enabled](./dynamodb-table-encryption-enabled.html)
+ [dynamodb-throughput-limit-check](./dynamodb-throughput-limit-check.html)
+ [ebs-in-backup-plan](./ebs-in-backup-plan.html)
+ [ebs-last-backup-recovery-point-created](./ebs-last-backup-recovery-point-created.html)
+ [ebs-meets-restore-time-target](./ebs-meets-restore-time-target.html)
+ [ebs-optimized-instance](./ebs-optimized-instance.html)
+ [ebs-resources-in-logically-air-gapped-vault](./ebs-resources-in-logically-air-gapped-vault.html)
+ [ebs-resources-protected-by-backup-plan](./ebs-resources-protected-by-backup-plan.html)
+ [ebs-snapshot-block-public-access](./ebs-snapshot-block-public-access.html)
+ [ebs-snapshot-public-restorable-check](./ebs-snapshot-public-restorable-check.html)
+ [ec2-capacity-reservation-tagged](./ec2-capacity-reservation-tagged.html)
+ [ec2-dhcp-options-tagged](./ec2-dhcp-options-tagged.html)
+ [ec2-ebs-encryption-by-default](./ec2-ebs-encryption-by-default.html)
+ [ec2-enis-source-destination-check-enabled](./ec2-enis-source-destination-check-enabled.html)
+ [ec2-fleet-tagged](./ec2-fleet-tagged.html)
+ [ec2-imdsv2-check](./ec2-imdsv2-check.html)
+ [ec2-instance-detailed-monitoring-enabled](./ec2-instance-detailed-monitoring-enabled.html)
+ [ec2-instance-launched-with-allowed-ami](./ec2-instance-launched-with-allowed-ami.html)
+ [ec2-instance-managed-by-ssm](./ec2-instance-managed-by-ssm.html)
+ [ec2-instance-multiple-eni-check](./ec2-instance-multiple-eni-check.html)
+ [ec2-instance-no-public-ip](./ec2-instance-no-public-ip.html)
+ [ec2-instance-profile-attached](./ec2-instance-profile-attached.html)
+ [ec2-ipamscope-tagged](./ec2-ipamscope-tagged.html)
+ [ec2-last-backup-recovery-point-created](./ec2-last-backup-recovery-point-created.html)
+ [ec2-managedinstance-applications-blacklisted](./ec2-managedinstance-applications-blacklisted.html)
+ [ec2-managedinstance-applications-required](./ec2-managedinstance-applications-required.html)
+ [ec2-managedinstance-association-compliance-status-check](./ec2-managedinstance-association-compliance-status-check.html)
+ [ec2-managedinstance-inventory-blacklisted](./ec2-managedinstance-inventory-blacklisted.html)
+ [ec2-managedinstance-patch-compliance-status-check](./ec2-managedinstance-patch-compliance-status-check.html)
+ [ec2-managedinstance-platform-check](./ec2-managedinstance-platform-check.html)
+ [ec2-meets-restore-time-target](./ec2-meets-restore-time-target.html)
+ [ec2-prefix-list-tagged](./ec2-prefix-list-tagged.html)
+ [ec2-resources-in-logically-air-gapped-vault](./ec2-resources-in-logically-air-gapped-vault.html)
+ [ec2-resources-protected-by-backup-plan](./ec2-resources-protected-by-backup-plan.html)
+ [ec2-security-group-attached-to-eni](./ec2-security-group-attached-to-eni.html)
+ [ec2-spot-fleet-request-ct-encryption-at-rest](./ec2-spot-fleet-request-ct-encryption-at-rest.html)
+ [ec2-stopped-instance](./ec2-stopped-instance.html)
+ [ec2-traffic-mirror-filter-description](./ec2-traffic-mirror-filter-description.html)
+ [ec2-traffic-mirror-filter-tagged](./ec2-traffic-mirror-filter-tagged.html)
+ [ec2-transit-gateway-auto-vpc-attach-disabled](./ec2-transit-gateway-auto-vpc-attach-disabled.html)
+ [ec2-transit-gateway-multicast-domain-tagged](./ec2-transit-gateway-multicast-domain-tagged.html)
+ [ec2-volume-inuse-check](./ec2-volume-inuse-check.html)
+ [ec2-vpn-connection-logging-enabled](./ec2-vpn-connection-logging-enabled.html)
+ [ec2-vpn-connection-tagged](./ec2-vpn-connection-tagged.html)
+ [ecr-private-image-scanning-enabled](./ecr-private-image-scanning-enabled.html)
+ [ecr-private-lifecycle-policy-configured](./ecr-private-lifecycle-policy-configured.html)
+ [ecr-private-tag-immutability-enabled](./ecr-private-tag-immutability-enabled.html)
+ [ecr-repository-cmk-encryption-enabled](./ecr-repository-cmk-encryption-enabled.html)
+ [ecr-repository-tagged](./ecr-repository-tagged.html)
+ [ecs-capacity-provider-tagged](./ecs-capacity-provider-tagged.html)
+ [ecs-capacity-provider-termination-check](./ecs-capacity-provider-termination-check.html)
+ [ecs-containers-nonprivileged](./ecs-containers-nonprivileged.html)
+ [ecs-containers-readonly-access](./ecs-containers-readonly-access.html)
+ [ecs-container-insights-enabled](./ecs-container-insights-enabled.html)
+ [ecs-fargate-latest-platform-version](./ecs-fargate-latest-platform-version.html)
+ [ecs-no-environment-secrets](./ecs-no-environment-secrets.html)
+ [ecs-service-propagate-tags-enabled](./ecs-service-propagate-tags-enabled.html)
+ [ecs-task-definition-efs-encryption-enabled](./ecs-task-definition-efs-encryption-enabled.html)
+ [ecs-task-definition-linux-user-non-root](./ecs-task-definition-linux-user-non-root.html)
+ [ecs-task-definition-log-configuration](./ecs-task-definition-log-configuration.html)
+ [ecs-task-definition-network-mode-not-host](./ecs-task-definition-network-mode-not-host.html)
+ [ecs-task-definition-pid-mode-check](./ecs-task-definition-pid-mode-check.html)
+ [ecs-task-definition-user-for-host-mode-check](./ecs-task-definition-user-for-host-mode-check.html)
+ [ecs-task-definition-windows-user-non-admin](./ecs-task-definition-windows-user-non-admin.html)
+ [efs-access-point-enforce-root-directory](./efs-access-point-enforce-root-directory.html)
+ [efs-access-point-enforce-user-identity](./efs-access-point-enforce-user-identity.html)
+ [efs-automatic-backups-enabled](./efs-automatic-backups-enabled.html)
+ [efs-encrypted-check](./efs-encrypted-check.html)
+ [efs-filesystem-ct-encrypted](./efs-filesystem-ct-encrypted.html)
+ [efs-file-system-tagged](./efs-file-system-tagged.html)
+ [efs-in-backup-plan](./efs-in-backup-plan.html)
+ [efs-last-backup-recovery-point-created](./efs-last-backup-recovery-point-created.html)
+ [efs-meets-restore-time-target](./efs-meets-restore-time-target.html)
+ [efs-mount-target-public-accessible](./efs-mount-target-public-accessible.html)
+ [efs-resources-in-logically-air-gapped-vault](./efs-resources-in-logically-air-gapped-vault.html)
+ [efs-resources-protected-by-backup-plan](./efs-resources-protected-by-backup-plan.html)
+ [eip-attached](./eip-attached.html)
+ [eks-addon-tagged](./eks-addon-tagged.html)
+ [eks-cluster-log-enabled](./eks-cluster-log-enabled.html)
+ [eks-cluster-secrets-encrypted](./eks-cluster-secrets-encrypted.html)
+ [eks-cluster-supported-version](./eks-cluster-supported-version.html)
+ [eks-endpoint-no-public-access](./eks-endpoint-no-public-access.html)
+ [eks-fargate-profile-tagged](./eks-fargate-profile-tagged.html)
+ [eks-secrets-encrypted](./eks-secrets-encrypted.html)
+ [elasticache-automatic-backup-check-enabled](./elasticache-automatic-backup-check-enabled.html)
+ [elasticache-redis-cluster-automatic-backup-check](./elasticache-redis-cluster-automatic-backup-check.html)
+ [elasticsearch-encrypted-at-rest](./elasticsearch-encrypted-at-rest.html)
+ [elasticsearch-in-vpc-only](./elasticsearch-in-vpc-only.html)
+ [elasticsearch-logs-to-cloudwatch](./elasticsearch-logs-to-cloudwatch.html)
+ [elasticsearch-node-to-node-encryption-check](./elasticsearch-node-to-node-encryption-check.html)
+ [elastic-beanstalk-managed-updates-enabled](./elastic-beanstalk-managed-updates-enabled.html)
+ [elbv2-multiple-az](./elbv2-multiple-az.html)
+ [elbv2-targetgroup-healthcheck-protocol-encrypted](./elbv2-targetgroup-healthcheck-protocol-encrypted.html)
+ [elbv2-targetgroup-protocol-encrypted](./elbv2-targetgroup-protocol-encrypted.html)
+ [elb-acm-certificate-required](./elb-acm-certificate-required.html)
+ [elb-cross-zone-load-balancing-enabled](./elb-cross-zone-load-balancing-enabled.html)
+ [elb-custom-security-policy-ssl-check](./elb-custom-security-policy-ssl-check.html)
+ [elb-deletion-protection-enabled](./elb-deletion-protection-enabled.html)
+ [elb-internal-scheme-check](./elb-internal-scheme-check.html)
+ [elb-logging-enabled](./elb-logging-enabled.html)
+ [elb-predefined-security-policy-ssl-check](./elb-predefined-security-policy-ssl-check.html)
+ [elb-tagged](./elb-tagged.html)
+ [elb-tls-https-listeners-only](./elb-tls-https-listeners-only.html)
+ [emr-block-public-access](./emr-block-public-access.html)
+ [emr-kerberos-enabled](./emr-kerberos-enabled.html)
+ [emr-master-no-public-ip](./emr-master-no-public-ip.html)
+ [emr-security-configuration-encryption-rest](./emr-security-configuration-encryption-rest.html)
+ [emr-security-configuration-encryption-transit](./emr-security-configuration-encryption-transit.html)
+ [encrypted-volumes](./encrypted-volumes.html)
+ [eventschemas-discoverer-tagged](./eventschemas-discoverer-tagged.html)
+ [eventschemas-registry-tagged](./eventschemas-registry-tagged.html)
+ [event-data-store-cmk-encryption-enabled](./event-data-store-cmk-encryption-enabled.html)
+ [fms-shield-resource-policy-check](./fms-shield-resource-policy-check.html)
+ [fms-webacl-resource-policy-check](./fms-webacl-resource-policy-check.html)
+ [fms-webacl-rulegroup-association-check](./fms-webacl-rulegroup-association-check.html)
+ [fsx-last-backup-recovery-point-created](./fsx-last-backup-recovery-point-created.html)
+ [fsx-lustre-copy-tags-to-backups](./fsx-lustre-copy-tags-to-backups.html)
+ [fsx-meets-restore-time-target](./fsx-meets-restore-time-target.html)
+ [fsx-ontap-deployment-type-check](./fsx-ontap-deployment-type-check.html)
+ [fsx-openzfs-copy-tags-enabled](./fsx-openzfs-copy-tags-enabled.html)
+ [fsx-openzfs-deployment-type-check](./fsx-openzfs-deployment-type-check.html)
+ [fsx-resources-protected-by-backup-plan](./fsx-resources-protected-by-backup-plan.html)
+ [fsx-windows-audit-log-configured](./fsx-windows-audit-log-configured.html)
+ [fsx-windows-deployment-type-check](./fsx-windows-deployment-type-check.html)
+ [glb-tagged](./glb-tagged.html)
+ [glue-job-logging-enabled](./glue-job-logging-enabled.html)
+ [glue-ml-transform-encrypted-at-rest](./glue-ml-transform-encrypted-at-rest.html)
+ [glue-ml-transform-tagged](./glue-ml-transform-tagged.html)
+ [glue-spark-job-supported-version](./glue-spark-job-supported-version.html)
+ [guardduty-ec2-protection-runtime-enabled](./guardduty-ec2-protection-runtime-enabled.html)
+ [guardduty-ecs-protection-runtime-enabled](./guardduty-ecs-protection-runtime-enabled.html)
+ [guardduty-eks-protection-audit-enabled](./guardduty-eks-protection-audit-enabled.html)
+ [guardduty-eks-protection-runtime-enabled](./guardduty-eks-protection-runtime-enabled.html)
+ [guardduty-enabled-centralized](./guardduty-enabled-centralized.html)
+ [guardduty-lambda-protection-enabled](./guardduty-lambda-protection-enabled.html)
+ [guardduty-malware-protection-enabled](./guardduty-malware-protection-enabled.html)
+ [guardduty-non-archived-findings](./guardduty-non-archived-findings.html)
+ [guardduty-rds-protection-enabled](./guardduty-rds-protection-enabled.html)
+ [guardduty-runtime-monitoring-enabled](./guardduty-runtime-monitoring-enabled.html)
+ [guardduty-s3-protection-enabled](./guardduty-s3-protection-enabled.html)
+ [iam-external-access-analyzer-enabled](./iam-external-access-analyzer-enabled.html)
+ [iam-password-policy](./iam-password-policy.html)
+ [imagebuilder-distributionconfiguration-tagged](./imagebuilder-distributionconfiguration-tagged.html)
+ [imagebuilder-imagepipeline-tagged](./imagebuilder-imagepipeline-tagged.html)
+ [imagebuilder-imagerecipe-ebs-volumes-encrypted](./imagebuilder-imagerecipe-ebs-volumes-encrypted.html)
+ [imagebuilder-imagerecipe-tagged](./imagebuilder-imagerecipe-tagged.html)
+ [imagebuilder-infrastructureconfiguration-tagged](./imagebuilder-infrastructureconfiguration-tagged.html)
+ [incoming-ssh-disabled](./incoming-ssh-disabled.html)
+ [instances-in-vpc](./instances-in-vpc.html)
+ [internet-gateway-authorized-vpc-only](./internet-gateway-authorized-vpc-only.html)
+ [iotdevicedefender-custom-metric-tagged](./iotdevicedefender-custom-metric-tagged.html)
+ [iot-authorizer-token-signing-enabled](./iot-authorizer-token-signing-enabled.html)
+ [iot-job-template-tagged](./iot-job-template-tagged.html)
+ [iot-provisioning-template-description](./iot-provisioning-template-description.html)
+ [iot-provisioning-template-jitp](./iot-provisioning-template-jitp.html)
+ [iot-provisioning-template-tagged](./iot-provisioning-template-tagged.html)
+ [iot-scheduled-audit-tagged](./iot-scheduled-audit-tagged.html)
+ [kinesis-firehose-delivery-stream-encrypted](./kinesis-firehose-delivery-stream-encrypted.html)
+ [kinesis-stream-backup-retention-check](./kinesis-stream-backup-retention-check.html)
+ [kinesis-stream-encrypted](./kinesis-stream-encrypted.html)
+ [kms-cmk-not-scheduled-for-deletion](./kms-cmk-not-scheduled-for-deletion.html)
+ [kms-key-policy-no-public-access](./kms-key-policy-no-public-access.html)
+ [kms-key-tagged](./kms-key-tagged.html)
+ [lambda-concurrency-check](./lambda-concurrency-check.html)
+ [lambda-dlq-check](./lambda-dlq-check.html)
+ [lambda-function-application-log-level-check](./lambda-function-application-log-level-check.html)
+ [lambda-function-description](./lambda-function-description.html)
+ [lambda-function-log-format-json](./lambda-function-log-format-json.html)
+ [lambda-function-public-access-prohibited](./lambda-function-public-access-prohibited.html)
+ [lambda-function-settings-check](./lambda-function-settings-check.html)
+ [lambda-function-system-log-level-check](./lambda-function-system-log-level-check.html)
+ [lambda-function-xray-enabled](./lambda-function-xray-enabled.html)
+ [lambda-inside-vpc](./lambda-inside-vpc.html)
+ [lambda-vpc-multi-az-check](./lambda-vpc-multi-az-check.html)
+ [mariadb-publish-logs-to-cloudwatch-logs](./mariadb-publish-logs-to-cloudwatch-logs.html)
+ [mediatailor-playbackconfiguration-tagged](./mediatailor-playbackconfiguration-tagged.html)
+ [mq-active-broker-ldap-authentication](./mq-active-broker-ldap-authentication.html)
+ [mq-active-deployment-mode](./mq-active-deployment-mode.html)
+ [mq-active-single-instance-broker-storage-type-efs](./mq-active-single-instance-broker-storage-type-efs.html)
+ [mq-auto-minor-version-upgrade-enabled](./mq-auto-minor-version-upgrade-enabled.html)
+ [mq-broker-general-logging-enabled](./mq-broker-general-logging-enabled.html)
+ [mq-cloudwatch-audit-log-enabled](./mq-cloudwatch-audit-log-enabled.html)
+ [mq-rabbit-deployment-mode](./mq-rabbit-deployment-mode.html)
+ [msk-cluster-public-access-disabled](./msk-cluster-public-access-disabled.html)
+ [msk-cluster-tagged](./msk-cluster-tagged.html)
+ [msk-enhanced-monitoring-enabled](./msk-enhanced-monitoring-enabled.html)
+ [msk-in-cluster-node-require-tls](./msk-in-cluster-node-require-tls.html)
+ [msk-unrestricted-access-check](./msk-unrestricted-access-check.html)
+ [multi-region-cloud-trail-enabled](./multi-region-cloud-trail-enabled.html)
+ [nacl-no-unrestricted-ssh-rdp](./nacl-no-unrestricted-ssh-rdp.html)
+ [neptune-cluster-backup-retention-check](./neptune-cluster-backup-retention-check.html)
+ [neptune-cluster-cloudwatch-log-export-enabled](./neptune-cluster-cloudwatch-log-export-enabled.html)
+ [neptune-cluster-copy-tags-to-snapshot-enabled](./neptune-cluster-copy-tags-to-snapshot-enabled.html)
+ [neptune-cluster-deletion-protection-enabled](./neptune-cluster-deletion-protection-enabled.html)
+ [neptune-cluster-encrypted](./neptune-cluster-encrypted.html)
+ [neptune-cluster-iam-database-authentication](./neptune-cluster-iam-database-authentication.html)
+ [neptune-cluster-multi-az-enabled](./neptune-cluster-multi-az-enabled.html)
+ [neptune-cluster-snapshot-encrypted](./neptune-cluster-snapshot-encrypted.html)
+ [neptune-cluster-snapshot-iam-database-auth-enabled](./neptune-cluster-snapshot-iam-database-auth-enabled.html)
+ [neptune-cluster-snapshot-public-prohibited](./neptune-cluster-snapshot-public-prohibited.html)
+ [netfw-deletion-protection-enabled](./netfw-deletion-protection-enabled.html)
+ [netfw-logging-enabled](./netfw-logging-enabled.html)
+ [netfw-multi-az-enabled](./netfw-multi-az-enabled.html)
+ [netfw-policy-default-action-fragment-packets](./netfw-policy-default-action-fragment-packets.html)
+ [netfw-policy-default-action-full-packets](./netfw-policy-default-action-full-packets.html)
+ [netfw-policy-rule-group-associated](./netfw-policy-rule-group-associated.html)
+ [netfw-stateless-rule-group-not-empty](./netfw-stateless-rule-group-not-empty.html)
+ [netfw-subnet-change-protection-enabled](./netfw-subnet-change-protection-enabled.html)
+ [nlb-cross-zone-load-balancing-enabled](./nlb-cross-zone-load-balancing-enabled.html)
+ [nlb-internal-scheme-check](./nlb-internal-scheme-check.html)
+ [nlb-logging-enabled](./nlb-logging-enabled.html)
+ [nlb-tagged](./nlb-tagged.html)
+ [no-unrestricted-route-to-igw](./no-unrestricted-route-to-igw.html)
+ [rabbit-mq-supported-version](./rabbit-mq-supported-version.html)
+ [rds-aurora-mysql-audit-logging-enabled](./rds-aurora-mysql-audit-logging-enabled.html)
+ [rds-aurora-postgresql-logs-to-cloudwatch](./rds-aurora-postgresql-logs-to-cloudwatch.html)
+ [rds-automatic-minor-version-upgrade-enabled](./rds-automatic-minor-version-upgrade-enabled.html)
+ [rds-cluster-backup-retention-check](./rds-cluster-backup-retention-check.html)
+ [rds-cluster-default-admin-check](./rds-cluster-default-admin-check.html)
+ [rds-cluster-deletion-protection-enabled](./rds-cluster-deletion-protection-enabled.html)
+ [rds-cluster-encrypted-at-rest](./rds-cluster-encrypted-at-rest.html)
+ [rds-cluster-iam-authentication-enabled](./rds-cluster-iam-authentication-enabled.html)
+ [rds-cluster-multi-az-enabled](./rds-cluster-multi-az-enabled.html)
+ [rds-enhanced-monitoring-enabled](./rds-enhanced-monitoring-enabled.html)
+ [rds-event-subscription-tagged](./rds-event-subscription-tagged.html)
+ [rds-global-cluster-aurora-mysql-supported-version](./rds-global-cluster-aurora-mysql-supported-version.html)
+ [rds-instance-default-admin-check](./rds-instance-default-admin-check.html)
+ [rds-instance-deletion-protection-enabled](./rds-instance-deletion-protection-enabled.html)
+ [rds-instance-iam-authentication-enabled](./rds-instance-iam-authentication-enabled.html)
+ [rds-instance-public-access-check](./rds-instance-public-access-check.html)
+ [rds-instance-subnet-igw-check](./rds-instance-subnet-igw-check.html)
+ [rds-in-backup-plan](./rds-in-backup-plan.html)
+ [rds-last-backup-recovery-point-created](./rds-last-backup-recovery-point-created.html)
+ [rds-logging-enabled](./rds-logging-enabled.html)
+ [rds-mariadb-instance-encrypted-in-transit](./rds-mariadb-instance-encrypted-in-transit.html)
+ [rds-meets-restore-time-target](./rds-meets-restore-time-target.html)
+ [rds-multi-az-support](./rds-multi-az-support.html)
+ [rds-mysql-cluster-copy-tags-to-snapshot-check](./rds-mysql-cluster-copy-tags-to-snapshot-check.html)
+ [rds-mysql-instance-encrypted-in-transit](./rds-mysql-instance-encrypted-in-transit.html)
+ [rds-option-group-tagged](./rds-option-group-tagged.html)
+ [rds-pgsql-cluster-copy-tags-to-snapshot-check](./rds-pgsql-cluster-copy-tags-to-snapshot-check.html)
+ [rds-postgresql-logs-to-cloudwatch](./rds-postgresql-logs-to-cloudwatch.html)
+ [rds-postgres-instance-encrypted-in-transit](./rds-postgres-instance-encrypted-in-transit.html)
+ [rds-proxy-tls-encryption](./rds-proxy-tls-encryption.html)
+ [rds-resources-protected-by-backup-plan](./rds-resources-protected-by-backup-plan.html)
+ [rds-snapshots-public-prohibited](./rds-snapshots-public-prohibited.html)
+ [rds-snapshot-encrypted](./rds-snapshot-encrypted.html)
+ [rds-sqlserver-encrypted-in-transit](./rds-sqlserver-encrypted-in-transit.html)
+ [rds-sql-server-logs-to-cloudwatch](./rds-sql-server-logs-to-cloudwatch.html)
+ [rds-storage-encrypted](./rds-storage-encrypted.html)
+ [redshift-backup-enabled](./redshift-backup-enabled.html)
+ [redshift-cluster-configuration-check](./redshift-cluster-configuration-check.html)
+ [redshift-cluster-kms-enabled](./redshift-cluster-kms-enabled.html)
+ [redshift-cluster-maintenancesettings-check](./redshift-cluster-maintenancesettings-check.html)
+ [redshift-cluster-multi-az-enabled](./redshift-cluster-multi-az-enabled.html)
+ [redshift-cluster-parameter-group-tagged](./redshift-cluster-parameter-group-tagged.html)
+ [redshift-cluster-public-access-check](./redshift-cluster-public-access-check.html)
+ [redshift-cluster-subnet-group-multi-az](./redshift-cluster-subnet-group-multi-az.html)
+ [redshift-default-admin-check](./redshift-default-admin-check.html)
+ [redshift-default-db-name-check](./redshift-default-db-name-check.html)
+ [redshift-enhanced-vpc-routing-enabled](./redshift-enhanced-vpc-routing-enabled.html)
+ [redshift-require-tls-ssl](./redshift-require-tls-ssl.html)
+ [redshift-serverless-default-admin-check](./redshift-serverless-default-admin-check.html)
+ [redshift-serverless-default-db-name-check](./redshift-serverless-default-db-name-check.html)
+ [redshift-serverless-namespace-cmk-encryption](./redshift-serverless-namespace-cmk-encryption.html)
+ [redshift-serverless-publish-logs-to-cloudwatch](./redshift-serverless-publish-logs-to-cloudwatch.html)
+ [redshift-serverless-workgroup-no-public-access](./redshift-serverless-workgroup-no-public-access.html)
+ [redshift-unrestricted-port-access](./redshift-unrestricted-port-access.html)
+ [required-tags](./required-tags.html)
+ [restricted-incoming-traffic](./restricted-incoming-traffic.html)
+ [route53-resolver-resolver-endpoint-tagged](./route53-resolver-resolver-endpoint-tagged.html)
+ [route53-resolver-resolver-rule-tagged](./route53-resolver-resolver-rule-tagged.html)
+ [rum-app-monitor-cloudwatch-logs-enabled](./rum-app-monitor-cloudwatch-logs-enabled.html)
+ [rum-app-monitor-tagged](./rum-app-monitor-tagged.html)
+ [s3-access-point-in-vpc-only](./s3-access-point-in-vpc-only.html)
+ [s3-access-point-public-access-blocks](./s3-access-point-public-access-blocks.html)
+ [s3-account-level-public-access-blocks](./s3-account-level-public-access-blocks.html)
+ [s3-account-level-public-access-blocks-periodic](./s3-account-level-public-access-blocks-periodic.html)
+ [s3-bucket-acl-prohibited](./s3-bucket-acl-prohibited.html)
+ [s3-bucket-blacklisted-actions-prohibited](./s3-bucket-blacklisted-actions-prohibited.html)
+ [s3-bucket-cross-region-replication-enabled](./s3-bucket-cross-region-replication-enabled.html)
+ [s3-bucket-default-lock-enabled](./s3-bucket-default-lock-enabled.html)
+ [s3-bucket-level-public-access-prohibited](./s3-bucket-level-public-access-prohibited.html)
+ [s3-bucket-logging-enabled](./s3-bucket-logging-enabled.html)
+ [s3-bucket-policy-grantee-check](./s3-bucket-policy-grantee-check.html)
+ [s3-bucket-policy-not-more-permissive](./s3-bucket-policy-not-more-permissive.html)
+ [s3-bucket-public-read-prohibited](./s3-bucket-public-read-prohibited.html)
+ [s3-bucket-public-write-prohibited](./s3-bucket-public-write-prohibited.html)
+ [s3-bucket-replication-enabled](./s3-bucket-replication-enabled.html)
+ [s3-bucket-server-side-encryption-enabled](./s3-bucket-server-side-encryption-enabled.html)
+ [s3-bucket-ssl-requests-only](./s3-bucket-ssl-requests-only.html)
+ [s3-bucket-tagged](./s3-bucket-tagged.html)
+ [s3-bucket-versioning-enabled](./s3-bucket-versioning-enabled.html)
+ [s3-default-encryption-kms](./s3-default-encryption-kms.html)
+ [s3-event-notifications-enabled](./s3-event-notifications-enabled.html)
+ [s3-last-backup-recovery-point-created](./s3-last-backup-recovery-point-created.html)
+ [s3-lifecycle-policy-check](./s3-lifecycle-policy-check.html)
+ [s3-meets-restore-time-target](./s3-meets-restore-time-target.html)
+ [s3-resources-protected-by-backup-plan](./s3-resources-protected-by-backup-plan.html)
+ [s3-version-lifecycle-policy-check](./s3-version-lifecycle-policy-check.html)
+ [sagemaker-app-image-config-tagged](./sagemaker-app-image-config-tagged.html)
+ [sagemaker-endpoint-configuration-kms-key-configured](./sagemaker-endpoint-configuration-kms-key-configured.html)
+ [sagemaker-endpoint-config-prod-instance-count](./sagemaker-endpoint-config-prod-instance-count.html)
+ [sagemaker-image-description](./sagemaker-image-description.html)
+ [sagemaker-image-tagged](./sagemaker-image-tagged.html)
+ [sagemaker-notebook-instance-kms-key-configured](./sagemaker-notebook-instance-kms-key-configured.html)
+ [sagemaker-notebook-instance-platform-version](./sagemaker-notebook-instance-platform-version.html)
+ [sagemaker-notebook-no-direct-internet-access](./sagemaker-notebook-no-direct-internet-access.html)
+ [secretsmanager-rotation-enabled-check](./secretsmanager-rotation-enabled-check.html)
+ [secretsmanager-scheduled-rotation-success-check](./secretsmanager-scheduled-rotation-success-check.html)
+ [secretsmanager-secret-periodic-rotation](./secretsmanager-secret-periodic-rotation.html)
+ [secretsmanager-secret-unused](./secretsmanager-secret-unused.html)
+ [secretsmanager-using-cmk](./secretsmanager-using-cmk.html)
+ [securityhub-enabled](./securityhub-enabled.html)
+ [security-account-information-provided](./security-account-information-provided.html)
+ [service-catalog-portfolio-tagged](./service-catalog-portfolio-tagged.html)
+ [service-catalog-shared-within-organization](./service-catalog-shared-within-organization.html)
+ [service-vpc-endpoint-enabled](./service-vpc-endpoint-enabled.html)
+ [sns-encrypted-kms](./sns-encrypted-kms.html)
+ [sns-topic-no-public-access](./sns-topic-no-public-access.html)
+ [ssm-automation-block-public-sharing](./ssm-automation-block-public-sharing.html)
+ [ssm-automation-logging-enabled](./ssm-automation-logging-enabled.html)
+ [ssm-document-not-public](./ssm-document-not-public.html)
+ [ssm-document-tagged](./ssm-document-tagged.html)
+ [stepfunctions-state-machine-tagged](./stepfunctions-state-machine-tagged.html)
+ [step-functions-state-machine-logging-enabled](./step-functions-state-machine-logging-enabled.html)
+ [storagegateway-last-backup-recovery-point-created](./storagegateway-last-backup-recovery-point-created.html)
+ [storagegateway-resources-in-logically-air-gapped-vault](./storagegateway-resources-in-logically-air-gapped-vault.html)
+ [storagegateway-resources-protected-by-backup-plan](./storagegateway-resources-protected-by-backup-plan.html)
+ [subnet-auto-assign-public-ip-disabled](./subnet-auto-assign-public-ip-disabled.html)
+ [transfer-agreement-description](./transfer-agreement-description.html)
+ [transfer-agreement-tagged](./transfer-agreement-tagged.html)
+ [transfer-certificate-description](./transfer-certificate-description.html)
+ [transfer-certificate-tagged](./transfer-certificate-tagged.html)
+ [transfer-connector-as2-encryption-algorithm-check](./transfer-connector-as2-encryption-algorithm-check.html)
+ [transfer-connector-as2-mdn-signing-algorithm-check](./transfer-connector-as2-mdn-signing-algorithm-check.html)
+ [transfer-connector-as2-signing-algorithm-check](./transfer-connector-as2-signing-algorithm-check.html)
+ [transfer-connector-logging-enabled](./transfer-connector-logging-enabled.html)
+ [transfer-connector-tagged](./transfer-connector-tagged.html)
+ [transfer-family-server-no-ftp](./transfer-family-server-no-ftp.html)
+ [transfer-profile-tagged](./transfer-profile-tagged.html)
+ [transfer-workflow-description](./transfer-workflow-description.html)
+ [transfer-workflow-tagged](./transfer-workflow-tagged.html)
+ [vpc-default-security-group-closed](./vpc-default-security-group-closed.html)
+ [vpc-endpoint-enabled](./vpc-endpoint-enabled.html)
+ [vpc-flow-logs-enabled](./vpc-flow-logs-enabled.html)
+ [vpc-network-acl-unused-check](./vpc-network-acl-unused-check.html)
+ [vpc-sg-open-only-to-authorized-ports](./vpc-sg-open-only-to-authorized-ports.html)
+ [vpc-sg-port-restriction-check](./vpc-sg-port-restriction-check.html)
+ [vpc-vpn-2-tunnels-up](./vpc-vpn-2-tunnels-up.html)
+ [wafv2-logging-enabled](./wafv2-logging-enabled.html)
+ [wafv2-rulegroup-logging-enabled](./wafv2-rulegroup-logging-enabled.html)
+ [wafv2-rulegroup-not-empty](./wafv2-rulegroup-not-empty.html)
+ [wafv2-webacl-not-empty](./wafv2-webacl-not-empty.html)
+ [waf-global-rulegroup-not-empty](./waf-global-rulegroup-not-empty.html)
+ [waf-global-rule-not-empty](./waf-global-rule-not-empty.html)
+ [waf-regional-rule-not-empty](./waf-regional-rule-not-empty.html)
+ [waf-regional-webacl-not-empty](./waf-regional-webacl-not-empty.html)

## South America (São Paulo) Region
<a name="south-america-sao-paulo-section-head"></a>

### South America (São Paulo)
<a name="south-america-sao-paulo"></a>
+ [access-keys-rotated](./access-keys-rotated.html)
+ [account-part-of-organizations](./account-part-of-organizations.html)
+ [acmpca-certificate-authority-tagged](./acmpca-certificate-authority-tagged.html)
+ [acm-certificate-expiration-check](./acm-certificate-expiration-check.html)
+ [acm-certificate-rsa-check](./acm-certificate-rsa-check.html)
+ [acm-certificate-transparent-logging-enabled](./acm-certificate-transparent-logging-enabled.html)
+ [acm-pca-root-ca-disabled](./acm-pca-root-ca-disabled.html)
+ [active-mq-supported-version](./active-mq-supported-version.html)
+ [alb-desync-mode-check](./alb-desync-mode-check.html)
+ [alb-http-drop-invalid-header-enabled](./alb-http-drop-invalid-header-enabled.html)
+ [alb-http-to-https-redirection-check](./alb-http-to-https-redirection-check.html)
+ [alb-internal-scheme-check](./alb-internal-scheme-check.html)
+ [alb-listener-tagged](./alb-listener-tagged.html)
+ [alb-tagged](./alb-tagged.html)
+ [alb-waf-enabled](./alb-waf-enabled.html)
+ [amplify-app-branch-auto-deletion-enabled](./amplify-app-branch-auto-deletion-enabled.html)
+ [amplify-app-build-spec-configured](./amplify-app-build-spec-configured.html)
+ [amplify-app-description](./amplify-app-description.html)
+ [amplify-app-no-environment-variables](./amplify-app-no-environment-variables.html)
+ [amplify-app-platform-check](./amplify-app-platform-check.html)
+ [amplify-app-tagged](./amplify-app-tagged.html)
+ [amplify-branch-auto-build-enabled](./amplify-branch-auto-build-enabled.html)
+ [amplify-branch-build-spec-configured](./amplify-branch-build-spec-configured.html)
+ [amplify-branch-description](./amplify-branch-description.html)
+ [amplify-branch-framework-configured](./amplify-branch-framework-configured.html)
+ [amplify-branch-performance-mode-enabled](./amplify-branch-performance-mode-enabled.html)
+ [amplify-branch-pull-request-preview-enabled](./amplify-branch-pull-request-preview-enabled.html)
+ [amplify-branch-tagged](./amplify-branch-tagged.html)
+ [apigatewayv2-integration-private-https-enabled](./apigatewayv2-integration-private-https-enabled.html)
+ [apigatewayv2-stage-description](./apigatewayv2-stage-description.html)
+ [apigateway-domain-name-tls-check](./apigateway-domain-name-tls-check.html)
+ [apigateway-stage-access-logs-enabled](./apigateway-stage-access-logs-enabled.html)
+ [apigateway-stage-description](./apigateway-stage-description.html)
+ [api-gwv2-access-logs-enabled](./api-gwv2-access-logs-enabled.html)
+ [api-gwv2-authorization-type-configured](./api-gwv2-authorization-type-configured.html)
+ [api-gwv2-stage-default-route-detailed-metrics-enabled](./api-gwv2-stage-default-route-detailed-metrics-enabled.html)
+ [api-gw-associated-with-waf](./api-gw-associated-with-waf.html)
+ [api-gw-cache-enabled-and-encrypted](./api-gw-cache-enabled-and-encrypted.html)
+ [api-gw-endpoint-type-check](./api-gw-endpoint-type-check.html)
+ [api-gw-execution-logging-enabled](./api-gw-execution-logging-enabled.html)
+ [api-gw-rest-api-tagged](./api-gw-rest-api-tagged.html)
+ [api-gw-ssl-enabled](./api-gw-ssl-enabled.html)
+ [api-gw-stage-tagged](./api-gw-stage-tagged.html)
+ [api-gw-xray-enabled](./api-gw-xray-enabled.html)
+ [appconfig-application-description](./appconfig-application-description.html)
+ [appconfig-application-tagged](./appconfig-application-tagged.html)
+ [appconfig-configuration-profile-tagged](./appconfig-configuration-profile-tagged.html)
+ [appconfig-configuration-profile-validators-not-empty](./appconfig-configuration-profile-validators-not-empty.html)
+ [appconfig-deployment-strategy-description](./appconfig-deployment-strategy-description.html)
+ [appconfig-deployment-strategy-minimum-final-bake-time](./appconfig-deployment-strategy-minimum-final-bake-time.html)
+ [appconfig-deployment-strategy-replicate-to-ssm](./appconfig-deployment-strategy-replicate-to-ssm.html)
+ [appconfig-deployment-strategy-tagged](./appconfig-deployment-strategy-tagged.html)
+ [appconfig-environment-description](./appconfig-environment-description.html)
+ [appconfig-environment-tagged](./appconfig-environment-tagged.html)
+ [appconfig-extension-association-tagged](./appconfig-extension-association-tagged.html)
+ [appconfig-freeform-profile-config-storage](./appconfig-freeform-profile-config-storage.html)
+ [appconfig-hosted-configuration-version-description](./appconfig-hosted-configuration-version-description.html)
+ [appflow-flow-tagged](./appflow-flow-tagged.html)
+ [appflow-flow-trigger-type-check](./appflow-flow-trigger-type-check.html)
+ [appmesh-gateway-route-tagged](./appmesh-gateway-route-tagged.html)
+ [appmesh-mesh-deny-tcp-forwarding](./appmesh-mesh-deny-tcp-forwarding.html)
+ [appmesh-mesh-ip-pref-check](./appmesh-mesh-ip-pref-check.html)
+ [appmesh-mesh-tagged](./appmesh-mesh-tagged.html)
+ [appmesh-route-tagged](./appmesh-route-tagged.html)
+ [appmesh-virtual-gateway-backend-defaults-tls](./appmesh-virtual-gateway-backend-defaults-tls.html)
+ [appmesh-virtual-gateway-listeners-health-check-enabled](./appmesh-virtual-gateway-listeners-health-check-enabled.html)
+ [appmesh-virtual-gateway-logging-file-path-exists](./appmesh-virtual-gateway-logging-file-path-exists.html)
+ [appmesh-virtual-gateway-tagged](./appmesh-virtual-gateway-tagged.html)
+ [appmesh-virtual-node-backend-defaults-tls-on](./appmesh-virtual-node-backend-defaults-tls-on.html)
+ [appmesh-virtual-node-cloud-map-ip-pref-check](./appmesh-virtual-node-cloud-map-ip-pref-check.html)
+ [appmesh-virtual-node-dns-ip-pref-check](./appmesh-virtual-node-dns-ip-pref-check.html)
+ [appmesh-virtual-node-listeners-health-check-enabled](./appmesh-virtual-node-listeners-health-check-enabled.html)
+ [appmesh-virtual-node-listeners-outlier-detect-enabled](./appmesh-virtual-node-listeners-outlier-detect-enabled.html)
+ [appmesh-virtual-node-logging-file-path-exists](./appmesh-virtual-node-logging-file-path-exists.html)
+ [appmesh-virtual-node-service-backends-tls-enforced](./appmesh-virtual-node-service-backends-tls-enforced.html)
+ [appmesh-virtual-node-tagged](./appmesh-virtual-node-tagged.html)
+ [appmesh-virtual-router-tagged](./appmesh-virtual-router-tagged.html)
+ [appmesh-virtual-service-tagged](./appmesh-virtual-service-tagged.html)
+ [approved-amis-by-id](./approved-amis-by-id.html)
+ [approved-amis-by-tag](./approved-amis-by-tag.html)
+ [appsync-associated-with-waf](./appsync-associated-with-waf.html)
+ [appsync-authorization-check](./appsync-authorization-check.html)
+ [appsync-cache-ct-encryption-at-rest](./appsync-cache-ct-encryption-at-rest.html)
+ [appsync-cache-ct-encryption-in-transit](./appsync-cache-ct-encryption-in-transit.html)
+ [appsync-cache-encryption-at-rest](./appsync-cache-encryption-at-rest.html)
+ [appsync-graphql-api-xray-enabled](./appsync-graphql-api-xray-enabled.html)
+ [appsync-logging-enabled](./appsync-logging-enabled.html)
+ [aps-rule-groups-namespace-tagged](./aps-rule-groups-namespace-tagged.html)
+ [athena-data-catalog-description](./athena-data-catalog-description.html)
+ [athena-prepared-statement-description](./athena-prepared-statement-description.html)
+ [athena-workgroup-description](./athena-workgroup-description.html)
+ [athena-workgroup-encrypted-at-rest](./athena-workgroup-encrypted-at-rest.html)
+ [athena-workgroup-enforce-workgroup-configuration](./athena-workgroup-enforce-workgroup-configuration.html)
+ [athena-workgroup-engine-version-auto-upgrade](./athena-workgroup-engine-version-auto-upgrade.html)
+ [athena-workgroup-logging-enabled](./athena-workgroup-logging-enabled.html)
+ [aurora-global-database-encryption-at-rest](./aurora-global-database-encryption-at-rest.html)
+ [aurora-last-backup-recovery-point-created](./aurora-last-backup-recovery-point-created.html)
+ [aurora-meets-restore-time-target](./aurora-meets-restore-time-target.html)
+ [aurora-mysql-cluster-audit-logging](./aurora-mysql-cluster-audit-logging.html)
+ [aurora-resources-in-logically-air-gapped-vault](./aurora-resources-in-logically-air-gapped-vault.html)
+ [aurora-resources-protected-by-backup-plan](./aurora-resources-protected-by-backup-plan.html)
+ [autoscaling-capacity-rebalancing](./autoscaling-capacity-rebalancing.html)
+ [autoscaling-group-elb-healthcheck-required](./autoscaling-group-elb-healthcheck-required.html)
+ [autoscaling-launchconfig-requires-imdsv2](./autoscaling-launchconfig-requires-imdsv2.html)
+ [autoscaling-launch-config-hop-limit](./autoscaling-launch-config-hop-limit.html)
+ [autoscaling-launch-config-public-ip-disabled](./autoscaling-launch-config-public-ip-disabled.html)
+ [autoscaling-launch-template](./autoscaling-launch-template.html)
+ [autoscaling-multiple-az](./autoscaling-multiple-az.html)
+ [autoscaling-multiple-instance-types](./autoscaling-multiple-instance-types.html)
+ [backup-plan-min-frequency-and-min-retention-check](./backup-plan-min-frequency-and-min-retention-check.html)
+ [backup-recovery-point-encrypted](./backup-recovery-point-encrypted.html)
+ [backup-recovery-point-manual-deletion-disabled](./backup-recovery-point-manual-deletion-disabled.html)
+ [backup-recovery-point-minimum-retention-check](./backup-recovery-point-minimum-retention-check.html)
+ [batch-compute-environment-enabled](./batch-compute-environment-enabled.html)
+ [batch-compute-environment-managed](./batch-compute-environment-managed.html)
+ [batch-compute-environment-tagged](./batch-compute-environment-tagged.html)
+ [batch-job-queue-enabled](./batch-job-queue-enabled.html)
+ [batch-job-queue-tagged](./batch-job-queue-tagged.html)
+ [batch-managed-compute-environment-using-launch-template](./batch-managed-compute-environment-using-launch-template.html)
+ [batch-managed-compute-env-allocation-strategy-check](./batch-managed-compute-env-allocation-strategy-check.html)
+ [batch-managed-compute-env-compute-resources-tagged](./batch-managed-compute-env-compute-resources-tagged.html)
+ [batch-managed-spot-compute-environment-max-bid](./batch-managed-spot-compute-environment-max-bid.html)
+ [batch-scheduling-policy-tagged](./batch-scheduling-policy-tagged.html)
+ [beanstalk-enhanced-health-reporting-enabled](./beanstalk-enhanced-health-reporting-enabled.html)
+ [cassandra-keyspace-tagged](./cassandra-keyspace-tagged.html)
+ [clb-desync-mode-check](./clb-desync-mode-check.html)
+ [clb-multiple-az](./clb-multiple-az.html)
+ [cloudformation-stack-drift-detection-check](./cloudformation-stack-drift-detection-check.html)
+ [cloudformation-stack-notification-check](./cloudformation-stack-notification-check.html)
+ [cloudformation-stack-service-role-check](./cloudformation-stack-service-role-check.html)
+ [cloudformation-termination-protection-check](./cloudformation-termination-protection-check.html)
+ [cloudtrail-all-read-s3-data-event-check](./cloudtrail-all-read-s3-data-event-check.html)
+ [cloudtrail-all-write-s3-data-event-check](./cloudtrail-all-write-s3-data-event-check.html)
+ [cloudtrail-event-data-store-multi-region](./cloudtrail-event-data-store-multi-region.html)
+ [cloudtrail-s3-bucket-access-logging](./cloudtrail-s3-bucket-access-logging.html)
+ [cloudtrail-s3-bucket-public-access-prohibited](./cloudtrail-s3-bucket-public-access-prohibited.html)
+ [cloudtrail-s3-dataevents-enabled](./cloudtrail-s3-dataevents-enabled.html)
+ [cloudtrail-security-trail-enabled](./cloudtrail-security-trail-enabled.html)
+ [cloudwatch-alarm-action-check](./cloudwatch-alarm-action-check.html)
+ [cloudwatch-alarm-action-enabled-check](./cloudwatch-alarm-action-enabled-check.html)
+ [cloudwatch-alarm-description](./cloudwatch-alarm-description.html)
+ [cloudwatch-alarm-resource-check](./cloudwatch-alarm-resource-check.html)
+ [cloudwatch-alarm-settings-check](./cloudwatch-alarm-settings-check.html)
+ [cloudwatch-log-group-encrypted](./cloudwatch-log-group-encrypted.html)
+ [cloudwatch-metric-stream-tagged](./cloudwatch-metric-stream-tagged.html)
+ [cloud-trail-cloud-watch-logs-enabled](./cloud-trail-cloud-watch-logs-enabled.html)
+ [cloud-trail-enabled](./cloud-trail-enabled.html)
+ [cloud-trail-encryption-enabled](./cloud-trail-encryption-enabled.html)
+ [cloud-trail-log-file-validation-enabled](./cloud-trail-log-file-validation-enabled.html)
+ [cmk-backing-key-rotation-enabled](./cmk-backing-key-rotation-enabled.html)
+ [codebuild-project-artifact-encryption](./codebuild-project-artifact-encryption.html)
+ [codebuild-project-environment-privileged-check](./codebuild-project-environment-privileged-check.html)
+ [codebuild-project-envvar-awscred-check](./codebuild-project-envvar-awscred-check.html)
+ [codebuild-project-logging-enabled](./codebuild-project-logging-enabled.html)
+ [codebuild-project-s3-logs-encrypted](./codebuild-project-s3-logs-encrypted.html)
+ [codebuild-project-source-repo-url-check](./codebuild-project-source-repo-url-check.html)
+ [codebuild-project-tagged](./codebuild-project-tagged.html)
+ [codebuild-report-group-encrypted-at-rest](./codebuild-report-group-encrypted-at-rest.html)
+ [codebuild-report-group-tagged](./codebuild-report-group-tagged.html)
+ [codedeploy-auto-rollback-monitor-enabled](./codedeploy-auto-rollback-monitor-enabled.html)
+ [codedeploy-deployment-group-auto-rollback-enabled](./codedeploy-deployment-group-auto-rollback-enabled.html)
+ [codedeploy-deployment-group-outdated-instances-update](./codedeploy-deployment-group-outdated-instances-update.html)
+ [codedeploy-ec2-minimum-healthy-hosts-configured](./codedeploy-ec2-minimum-healthy-hosts-configured.html)
+ [codedeploy-lambda-allatonce-traffic-shift-disabled](./codedeploy-lambda-allatonce-traffic-shift-disabled.html)
+ [codepipeline-deployment-count-check](./codepipeline-deployment-count-check.html)
+ [codepipeline-region-fanout-check](./codepipeline-region-fanout-check.html)
+ [cognito-identity-pool-unauthenticated-logins](./cognito-identity-pool-unauthenticated-logins.html)
+ [cognito-identity-pool-unauth-access-check](./cognito-identity-pool-unauth-access-check.html)
+ [cognito-userpool-cust-auth-threat-full-check](./cognito-userpool-cust-auth-threat-full-check.html)
+ [cognito-user-pool-advanced-security-enabled](./cognito-user-pool-advanced-security-enabled.html)
+ [cognito-user-pool-deletion-protection-enabled](./cognito-user-pool-deletion-protection-enabled.html)
+ [cognito-user-pool-mfa-enabled](./cognito-user-pool-mfa-enabled.html)
+ [cognito-user-pool-password-policy-check](./cognito-user-pool-password-policy-check.html)
+ [cognito-user-pool-tagged](./cognito-user-pool-tagged.html)
+ [custom-eventbus-policy-attached](./custom-eventbus-policy-attached.html)
+ [custom-schema-registry-policy-attached](./custom-schema-registry-policy-attached.html)
+ [cw-loggroup-retention-period-check](./cw-loggroup-retention-period-check.html)
+ [datasync-location-object-storage-using-https](./datasync-location-object-storage-using-https.html)
+ [datasync-task-data-verification-enabled](./datasync-task-data-verification-enabled.html)
+ [datasync-task-logging-enabled](./datasync-task-logging-enabled.html)
+ [datasync-task-tagged](./datasync-task-tagged.html)
+ [dax-encryption-enabled](./dax-encryption-enabled.html)
+ [dax-tls-endpoint-encryption](./dax-tls-endpoint-encryption.html)
+ [db-instance-backup-enabled](./db-instance-backup-enabled.html)
+ [desired-instance-tenancy](./desired-instance-tenancy.html)
+ [desired-instance-type](./desired-instance-type.html)
+ [dms-auto-minor-version-upgrade-check](./dms-auto-minor-version-upgrade-check.html)
+ [dms-endpoint-ssl-configured](./dms-endpoint-ssl-configured.html)
+ [dms-endpoint-tagged](./dms-endpoint-tagged.html)
+ [dms-mongo-db-authentication-enabled](./dms-mongo-db-authentication-enabled.html)
+ [dms-neptune-iam-authorization-enabled](./dms-neptune-iam-authorization-enabled.html)
+ [dms-redis-tls-enabled](./dms-redis-tls-enabled.html)
+ [dms-replication-instance-multi-az-enabled](./dms-replication-instance-multi-az-enabled.html)
+ [dms-replication-not-public](./dms-replication-not-public.html)
+ [dms-replication-task-sourcedb-logging](./dms-replication-task-sourcedb-logging.html)
+ [dms-replication-task-tagged](./dms-replication-task-tagged.html)
+ [dms-replication-task-targetdb-logging](./dms-replication-task-targetdb-logging.html)
+ [docdb-cluster-audit-logging-enabled](./docdb-cluster-audit-logging-enabled.html)
+ [docdb-cluster-backup-retention-check](./docdb-cluster-backup-retention-check.html)
+ [docdb-cluster-deletion-protection-enabled](./docdb-cluster-deletion-protection-enabled.html)
+ [docdb-cluster-encrypted](./docdb-cluster-encrypted.html)
+ [docdb-cluster-encrypted-in-transit](./docdb-cluster-encrypted-in-transit.html)
+ [docdb-cluster-snapshot-public-prohibited](./docdb-cluster-snapshot-public-prohibited.html)
+ [dynamodb-autoscaling-enabled](./dynamodb-autoscaling-enabled.html)
+ [dynamodb-in-backup-plan](./dynamodb-in-backup-plan.html)
+ [dynamodb-last-backup-recovery-point-created](./dynamodb-last-backup-recovery-point-created.html)
+ [dynamodb-meets-restore-time-target](./dynamodb-meets-restore-time-target.html)
+ [dynamodb-pitr-enabled](./dynamodb-pitr-enabled.html)
+ [dynamodb-resources-protected-by-backup-plan](./dynamodb-resources-protected-by-backup-plan.html)
+ [dynamodb-table-deletion-protection-enabled](./dynamodb-table-deletion-protection-enabled.html)
+ [dynamodb-table-encrypted-kms](./dynamodb-table-encrypted-kms.html)
+ [dynamodb-table-encryption-enabled](./dynamodb-table-encryption-enabled.html)
+ [dynamodb-throughput-limit-check](./dynamodb-throughput-limit-check.html)
+ [ebs-in-backup-plan](./ebs-in-backup-plan.html)
+ [ebs-last-backup-recovery-point-created](./ebs-last-backup-recovery-point-created.html)
+ [ebs-meets-restore-time-target](./ebs-meets-restore-time-target.html)
+ [ebs-optimized-instance](./ebs-optimized-instance.html)
+ [ebs-resources-in-logically-air-gapped-vault](./ebs-resources-in-logically-air-gapped-vault.html)
+ [ebs-resources-protected-by-backup-plan](./ebs-resources-protected-by-backup-plan.html)
+ [ebs-snapshot-block-public-access](./ebs-snapshot-block-public-access.html)
+ [ebs-snapshot-public-restorable-check](./ebs-snapshot-public-restorable-check.html)
+ [ec2-capacity-reservation-tagged](./ec2-capacity-reservation-tagged.html)
+ [ec2-client-vpn-connection-log-enabled](./ec2-client-vpn-connection-log-enabled.html)
+ [ec2-client-vpn-endpoint-tagged](./ec2-client-vpn-endpoint-tagged.html)
+ [ec2-client-vpn-not-authorize-all](./ec2-client-vpn-not-authorize-all.html)
+ [ec2-dhcp-options-tagged](./ec2-dhcp-options-tagged.html)
+ [ec2-ebs-encryption-by-default](./ec2-ebs-encryption-by-default.html)
+ [ec2-enis-source-destination-check-enabled](./ec2-enis-source-destination-check-enabled.html)
+ [ec2-fleet-tagged](./ec2-fleet-tagged.html)
+ [ec2-imdsv2-check](./ec2-imdsv2-check.html)
+ [ec2-instance-detailed-monitoring-enabled](./ec2-instance-detailed-monitoring-enabled.html)
+ [ec2-instance-launched-with-allowed-ami](./ec2-instance-launched-with-allowed-ami.html)
+ [ec2-instance-managed-by-ssm](./ec2-instance-managed-by-ssm.html)
+ [ec2-instance-multiple-eni-check](./ec2-instance-multiple-eni-check.html)
+ [ec2-instance-no-public-ip](./ec2-instance-no-public-ip.html)
+ [ec2-instance-profile-attached](./ec2-instance-profile-attached.html)
+ [ec2-ipamscope-tagged](./ec2-ipamscope-tagged.html)
+ [ec2-last-backup-recovery-point-created](./ec2-last-backup-recovery-point-created.html)
+ [ec2-launchtemplate-ebs-encrypted](./ec2-launchtemplate-ebs-encrypted.html)
+ [ec2-launch-templates-ebs-volume-encrypted](./ec2-launch-templates-ebs-volume-encrypted.html)
+ [ec2-launch-template-imdsv2-check](./ec2-launch-template-imdsv2-check.html)
+ [ec2-launch-template-public-ip-disabled](./ec2-launch-template-public-ip-disabled.html)
+ [ec2-launch-template-tagged](./ec2-launch-template-tagged.html)
+ [ec2-managedinstance-applications-blacklisted](./ec2-managedinstance-applications-blacklisted.html)
+ [ec2-managedinstance-applications-required](./ec2-managedinstance-applications-required.html)
+ [ec2-managedinstance-association-compliance-status-check](./ec2-managedinstance-association-compliance-status-check.html)
+ [ec2-managedinstance-inventory-blacklisted](./ec2-managedinstance-inventory-blacklisted.html)
+ [ec2-managedinstance-patch-compliance-status-check](./ec2-managedinstance-patch-compliance-status-check.html)
+ [ec2-managedinstance-platform-check](./ec2-managedinstance-platform-check.html)
+ [ec2-meets-restore-time-target](./ec2-meets-restore-time-target.html)
+ [ec2-network-insights-access-scope-analysis-tagged](./ec2-network-insights-access-scope-analysis-tagged.html)
+ [ec2-network-insights-access-scope-tagged](./ec2-network-insights-access-scope-tagged.html)
+ [ec2-network-insights-analysis-tagged](./ec2-network-insights-analysis-tagged.html)
+ [ec2-network-insights-path-tagged](./ec2-network-insights-path-tagged.html)
+ [ec2-no-amazon-key-pair](./ec2-no-amazon-key-pair.html)
+ [ec2-paravirtual-instance-check](./ec2-paravirtual-instance-check.html)
+ [ec2-prefix-list-tagged](./ec2-prefix-list-tagged.html)
+ [ec2-resources-in-logically-air-gapped-vault](./ec2-resources-in-logically-air-gapped-vault.html)
+ [ec2-resources-protected-by-backup-plan](./ec2-resources-protected-by-backup-plan.html)
+ [ec2-security-group-attached-to-eni](./ec2-security-group-attached-to-eni.html)
+ [ec2-security-group-attached-to-eni-periodic](./ec2-security-group-attached-to-eni-periodic.html)
+ [ec2-spot-fleet-request-ct-encryption-at-rest](./ec2-spot-fleet-request-ct-encryption-at-rest.html)
+ [ec2-stopped-instance](./ec2-stopped-instance.html)
+ [ec2-token-hop-limit-check](./ec2-token-hop-limit-check.html)
+ [ec2-traffic-mirror-filter-description](./ec2-traffic-mirror-filter-description.html)
+ [ec2-traffic-mirror-filter-tagged](./ec2-traffic-mirror-filter-tagged.html)
+ [ec2-traffic-mirror-session-description](./ec2-traffic-mirror-session-description.html)
+ [ec2-traffic-mirror-session-tagged](./ec2-traffic-mirror-session-tagged.html)
+ [ec2-traffic-mirror-target-description](./ec2-traffic-mirror-target-description.html)
+ [ec2-traffic-mirror-target-tagged](./ec2-traffic-mirror-target-tagged.html)
+ [ec2-transit-gateway-auto-vpc-attach-disabled](./ec2-transit-gateway-auto-vpc-attach-disabled.html)
+ [ec2-transit-gateway-multicast-domain-tagged](./ec2-transit-gateway-multicast-domain-tagged.html)
+ [ec2-volume-inuse-check](./ec2-volume-inuse-check.html)
+ [ec2-vpn-connection-ike-version-check](./ec2-vpn-connection-ike-version-check.html)
+ [ec2-vpn-connection-logging-enabled](./ec2-vpn-connection-logging-enabled.html)
+ [ec2-vpn-connection-tagged](./ec2-vpn-connection-tagged.html)
+ [ecr-private-image-scanning-enabled](./ecr-private-image-scanning-enabled.html)
+ [ecr-private-lifecycle-policy-configured](./ecr-private-lifecycle-policy-configured.html)
+ [ecr-private-tag-immutability-enabled](./ecr-private-tag-immutability-enabled.html)
+ [ecr-repository-cmk-encryption-enabled](./ecr-repository-cmk-encryption-enabled.html)
+ [ecr-repository-tagged](./ecr-repository-tagged.html)
+ [ecs-awsvpc-networking-enabled](./ecs-awsvpc-networking-enabled.html)
+ [ecs-capacity-provider-tagged](./ecs-capacity-provider-tagged.html)
+ [ecs-capacity-provider-termination-check](./ecs-capacity-provider-termination-check.html)
+ [ecs-containers-nonprivileged](./ecs-containers-nonprivileged.html)
+ [ecs-containers-readonly-access](./ecs-containers-readonly-access.html)
+ [ecs-container-insights-enabled](./ecs-container-insights-enabled.html)
+ [ecs-fargate-latest-platform-version](./ecs-fargate-latest-platform-version.html)
+ [ecs-no-environment-secrets](./ecs-no-environment-secrets.html)
+ [ecs-service-propagate-tags-enabled](./ecs-service-propagate-tags-enabled.html)
+ [ecs-task-definition-efs-encryption-enabled](./ecs-task-definition-efs-encryption-enabled.html)
+ [ecs-task-definition-linux-user-non-root](./ecs-task-definition-linux-user-non-root.html)
+ [ecs-task-definition-log-configuration](./ecs-task-definition-log-configuration.html)
+ [ecs-task-definition-memory-hard-limit](./ecs-task-definition-memory-hard-limit.html)
+ [ecs-task-definition-network-mode-not-host](./ecs-task-definition-network-mode-not-host.html)
+ [ecs-task-definition-nonroot-user](./ecs-task-definition-nonroot-user.html)
+ [ecs-task-definition-pid-mode-check](./ecs-task-definition-pid-mode-check.html)
+ [ecs-task-definition-user-for-host-mode-check](./ecs-task-definition-user-for-host-mode-check.html)
+ [ecs-task-definition-windows-user-non-admin](./ecs-task-definition-windows-user-non-admin.html)
+ [efs-access-point-enforce-root-directory](./efs-access-point-enforce-root-directory.html)
+ [efs-access-point-enforce-user-identity](./efs-access-point-enforce-user-identity.html)
+ [efs-automatic-backups-enabled](./efs-automatic-backups-enabled.html)
+ [efs-encrypted-check](./efs-encrypted-check.html)
+ [efs-filesystem-ct-encrypted](./efs-filesystem-ct-encrypted.html)
+ [efs-file-system-tagged](./efs-file-system-tagged.html)
+ [efs-in-backup-plan](./efs-in-backup-plan.html)
+ [efs-last-backup-recovery-point-created](./efs-last-backup-recovery-point-created.html)
+ [efs-meets-restore-time-target](./efs-meets-restore-time-target.html)
+ [efs-mount-target-public-accessible](./efs-mount-target-public-accessible.html)
+ [efs-resources-in-logically-air-gapped-vault](./efs-resources-in-logically-air-gapped-vault.html)
+ [efs-resources-protected-by-backup-plan](./efs-resources-protected-by-backup-plan.html)
+ [eip-attached](./eip-attached.html)
+ [eks-addon-tagged](./eks-addon-tagged.html)
+ [eks-cluster-logging-enabled](./eks-cluster-logging-enabled.html)
+ [eks-cluster-log-enabled](./eks-cluster-log-enabled.html)
+ [eks-cluster-oldest-supported-version](./eks-cluster-oldest-supported-version.html)
+ [eks-cluster-secrets-encrypted](./eks-cluster-secrets-encrypted.html)
+ [eks-cluster-supported-version](./eks-cluster-supported-version.html)
+ [eks-endpoint-no-public-access](./eks-endpoint-no-public-access.html)
+ [eks-fargate-profile-tagged](./eks-fargate-profile-tagged.html)
+ [eks-nodegroup-supported-version-check](./eks-nodegroup-supported-version-check.html)
+ [eks-secrets-encrypted](./eks-secrets-encrypted.html)
+ [elasticache-automatic-backup-check-enabled](./elasticache-automatic-backup-check-enabled.html)
+ [elasticache-auto-minor-version-upgrade-check](./elasticache-auto-minor-version-upgrade-check.html)
+ [elasticache-rbac-auth-enabled](./elasticache-rbac-auth-enabled.html)
+ [elasticache-redis-cluster-automatic-backup-check](./elasticache-redis-cluster-automatic-backup-check.html)
+ [elasticache-repl-grp-auto-failover-enabled](./elasticache-repl-grp-auto-failover-enabled.html)
+ [elasticache-repl-grp-encrypted-at-rest](./elasticache-repl-grp-encrypted-at-rest.html)
+ [elasticache-repl-grp-encrypted-in-transit](./elasticache-repl-grp-encrypted-in-transit.html)
+ [elasticache-repl-grp-redis-auth-enabled](./elasticache-repl-grp-redis-auth-enabled.html)
+ [elasticache-subnet-group-check](./elasticache-subnet-group-check.html)
+ [elasticache-supported-engine-version](./elasticache-supported-engine-version.html)
+ [elasticbeanstalk-application-description](./elasticbeanstalk-application-description.html)
+ [elasticbeanstalk-application-version-description](./elasticbeanstalk-application-version-description.html)
+ [elasticbeanstalk-environment-description](./elasticbeanstalk-environment-description.html)
+ [elasticsearch-encrypted-at-rest](./elasticsearch-encrypted-at-rest.html)
+ [elasticsearch-in-vpc-only](./elasticsearch-in-vpc-only.html)
+ [elasticsearch-logs-to-cloudwatch](./elasticsearch-logs-to-cloudwatch.html)
+ [elasticsearch-node-to-node-encryption-check](./elasticsearch-node-to-node-encryption-check.html)
+ [elastic-beanstalk-logs-to-cloudwatch](./elastic-beanstalk-logs-to-cloudwatch.html)
+ [elastic-beanstalk-managed-updates-enabled](./elastic-beanstalk-managed-updates-enabled.html)
+ [elbv2-acm-certificate-required](./elbv2-acm-certificate-required.html)
+ [elbv2-listener-encryption-in-transit](./elbv2-listener-encryption-in-transit.html)
+ [elbv2-multiple-az](./elbv2-multiple-az.html)
+ [elbv2-predefined-security-policy-ssl-check](./elbv2-predefined-security-policy-ssl-check.html)
+ [elbv2-targetgroup-healthcheck-protocol-encrypted](./elbv2-targetgroup-healthcheck-protocol-encrypted.html)
+ [elbv2-targetgroup-protocol-encrypted](./elbv2-targetgroup-protocol-encrypted.html)
+ [elb-acm-certificate-required](./elb-acm-certificate-required.html)
+ [elb-cross-zone-load-balancing-enabled](./elb-cross-zone-load-balancing-enabled.html)
+ [elb-custom-security-policy-ssl-check](./elb-custom-security-policy-ssl-check.html)
+ [elb-deletion-protection-enabled](./elb-deletion-protection-enabled.html)
+ [elb-internal-scheme-check](./elb-internal-scheme-check.html)
+ [elb-logging-enabled](./elb-logging-enabled.html)
+ [elb-predefined-security-policy-ssl-check](./elb-predefined-security-policy-ssl-check.html)
+ [elb-tagged](./elb-tagged.html)
+ [elb-tls-https-listeners-only](./elb-tls-https-listeners-only.html)
+ [emr-block-public-access](./emr-block-public-access.html)
+ [emr-kerberos-enabled](./emr-kerberos-enabled.html)
+ [emr-master-no-public-ip](./emr-master-no-public-ip.html)
+ [emr-security-configuration-encryption-rest](./emr-security-configuration-encryption-rest.html)
+ [emr-security-configuration-encryption-transit](./emr-security-configuration-encryption-transit.html)
+ [encrypted-volumes](./encrypted-volumes.html)
+ [eventschemas-discoverer-tagged](./eventschemas-discoverer-tagged.html)
+ [eventschemas-registry-tagged](./eventschemas-registry-tagged.html)
+ [event-data-store-cmk-encryption-enabled](./event-data-store-cmk-encryption-enabled.html)
+ [fis-experiment-template-log-configuration-exists](./fis-experiment-template-log-configuration-exists.html)
+ [fis-experiment-template-tagged](./fis-experiment-template-tagged.html)
+ [fms-shield-resource-policy-check](./fms-shield-resource-policy-check.html)
+ [fms-webacl-resource-policy-check](./fms-webacl-resource-policy-check.html)
+ [fms-webacl-rulegroup-association-check](./fms-webacl-rulegroup-association-check.html)
+ [fsx-last-backup-recovery-point-created](./fsx-last-backup-recovery-point-created.html)
+ [fsx-lustre-copy-tags-to-backups](./fsx-lustre-copy-tags-to-backups.html)
+ [fsx-meets-restore-time-target](./fsx-meets-restore-time-target.html)
+ [fsx-ontap-deployment-type-check](./fsx-ontap-deployment-type-check.html)
+ [fsx-openzfs-copy-tags-enabled](./fsx-openzfs-copy-tags-enabled.html)
+ [fsx-openzfs-deployment-type-check](./fsx-openzfs-deployment-type-check.html)
+ [fsx-resources-protected-by-backup-plan](./fsx-resources-protected-by-backup-plan.html)
+ [fsx-windows-audit-log-configured](./fsx-windows-audit-log-configured.html)
+ [fsx-windows-deployment-type-check](./fsx-windows-deployment-type-check.html)
+ [glb-listener-tagged](./glb-listener-tagged.html)
+ [glb-tagged](./glb-tagged.html)
+ [global-endpoint-event-replication-enabled](./global-endpoint-event-replication-enabled.html)
+ [glue-job-logging-enabled](./glue-job-logging-enabled.html)
+ [glue-ml-transform-encrypted-at-rest](./glue-ml-transform-encrypted-at-rest.html)
+ [glue-ml-transform-tagged](./glue-ml-transform-tagged.html)
+ [glue-spark-job-supported-version](./glue-spark-job-supported-version.html)
+ [groundstation-config-tagged](./groundstation-config-tagged.html)
+ [groundstation-dataflowendpointgroup-tagged](./groundstation-dataflowendpointgroup-tagged.html)
+ [groundstation-missionprofile-tagged](./groundstation-missionprofile-tagged.html)
+ [guardduty-ec2-protection-runtime-enabled](./guardduty-ec2-protection-runtime-enabled.html)
+ [guardduty-ecs-protection-runtime-enabled](./guardduty-ecs-protection-runtime-enabled.html)
+ [guardduty-eks-protection-audit-enabled](./guardduty-eks-protection-audit-enabled.html)
+ [guardduty-eks-protection-runtime-enabled](./guardduty-eks-protection-runtime-enabled.html)
+ [guardduty-enabled-centralized](./guardduty-enabled-centralized.html)
+ [guardduty-lambda-protection-enabled](./guardduty-lambda-protection-enabled.html)
+ [guardduty-malware-protection-enabled](./guardduty-malware-protection-enabled.html)
+ [guardduty-non-archived-findings](./guardduty-non-archived-findings.html)
+ [guardduty-rds-protection-enabled](./guardduty-rds-protection-enabled.html)
+ [guardduty-runtime-monitoring-enabled](./guardduty-runtime-monitoring-enabled.html)
+ [guardduty-s3-protection-enabled](./guardduty-s3-protection-enabled.html)
+ [iam-customer-policy-blocked-kms-actions](./iam-customer-policy-blocked-kms-actions.html)
+ [iam-external-access-analyzer-enabled](./iam-external-access-analyzer-enabled.html)
+ [iam-group-has-users-check](./iam-group-has-users-check.html)
+ [iam-inline-policy-blocked-kms-actions](./iam-inline-policy-blocked-kms-actions.html)
+ [iam-no-inline-policy-check](./iam-no-inline-policy-check.html)
+ [iam-password-policy](./iam-password-policy.html)
+ [iam-policy-blacklisted-check](./iam-policy-blacklisted-check.html)
+ [iam-policy-description](./iam-policy-description.html)
+ [iam-policy-in-use](./iam-policy-in-use.html)
+ [iam-policy-no-statements-with-admin-access](./iam-policy-no-statements-with-admin-access.html)
+ [iam-policy-no-statements-with-full-access](./iam-policy-no-statements-with-full-access.html)
+ [iam-role-managed-policy-check](./iam-role-managed-policy-check.html)
+ [iam-root-access-key-check](./iam-root-access-key-check.html)
+ [iam-user-group-membership-check](./iam-user-group-membership-check.html)
+ [iam-user-mfa-enabled](./iam-user-mfa-enabled.html)
+ [iam-user-no-policies-check](./iam-user-no-policies-check.html)
+ [iam-user-unused-credentials-check](./iam-user-unused-credentials-check.html)
+ [imagebuilder-distributionconfiguration-tagged](./imagebuilder-distributionconfiguration-tagged.html)
+ [imagebuilder-imagepipeline-tagged](./imagebuilder-imagepipeline-tagged.html)
+ [imagebuilder-imagerecipe-ebs-volumes-encrypted](./imagebuilder-imagerecipe-ebs-volumes-encrypted.html)
+ [imagebuilder-imagerecipe-tagged](./imagebuilder-imagerecipe-tagged.html)
+ [imagebuilder-infrastructureconfiguration-tagged](./imagebuilder-infrastructureconfiguration-tagged.html)
+ [incoming-ssh-disabled](./incoming-ssh-disabled.html)
+ [inspector-ec2-scan-enabled](./inspector-ec2-scan-enabled.html)
+ [inspector-ecr-scan-enabled](./inspector-ecr-scan-enabled.html)
+ [inspector-lambda-standard-scan-enabled](./inspector-lambda-standard-scan-enabled.html)
+ [instances-in-vpc](./instances-in-vpc.html)
+ [internet-gateway-authorized-vpc-only](./internet-gateway-authorized-vpc-only.html)
+ [iotwireless-fuota-task-tagged](./iotwireless-fuota-task-tagged.html)
+ [iotwireless-multicast-group-tagged](./iotwireless-multicast-group-tagged.html)
+ [iotwireless-service-profile-tagged](./iotwireless-service-profile-tagged.html)
+ [iot-authorizer-token-signing-enabled](./iot-authorizer-token-signing-enabled.html)
+ [iot-job-template-tagged](./iot-job-template-tagged.html)
+ [iot-provisioning-template-description](./iot-provisioning-template-description.html)
+ [iot-provisioning-template-jitp](./iot-provisioning-template-jitp.html)
+ [iot-provisioning-template-tagged](./iot-provisioning-template-tagged.html)
+ [kinesisvideo-signalingchannel-tagged](./kinesisvideo-signalingchannel-tagged.html)
+ [kinesisvideo-stream-tagged](./kinesisvideo-stream-tagged.html)
+ [kinesis-firehose-delivery-stream-encrypted](./kinesis-firehose-delivery-stream-encrypted.html)
+ [kinesis-stream-backup-retention-check](./kinesis-stream-backup-retention-check.html)
+ [kinesis-stream-encrypted](./kinesis-stream-encrypted.html)
+ [kinesis-video-stream-minimum-data-retention](./kinesis-video-stream-minimum-data-retention.html)
+ [kms-cmk-not-scheduled-for-deletion](./kms-cmk-not-scheduled-for-deletion.html)
+ [kms-key-policy-no-public-access](./kms-key-policy-no-public-access.html)
+ [kms-key-tagged](./kms-key-tagged.html)
+ [lambda-concurrency-check](./lambda-concurrency-check.html)
+ [lambda-dlq-check](./lambda-dlq-check.html)
+ [lambda-function-application-log-level-check](./lambda-function-application-log-level-check.html)
+ [lambda-function-description](./lambda-function-description.html)
+ [lambda-function-log-format-json](./lambda-function-log-format-json.html)
+ [lambda-function-public-access-prohibited](./lambda-function-public-access-prohibited.html)
+ [lambda-function-settings-check](./lambda-function-settings-check.html)
+ [lambda-function-system-log-level-check](./lambda-function-system-log-level-check.html)
+ [lambda-function-xray-enabled](./lambda-function-xray-enabled.html)
+ [lambda-inside-vpc](./lambda-inside-vpc.html)
+ [lambda-vpc-multi-az-check](./lambda-vpc-multi-az-check.html)
+ [macie-auto-sensitive-data-discovery-check](./macie-auto-sensitive-data-discovery-check.html)
+ [macie-status-check](./macie-status-check.html)
+ [mariadb-publish-logs-to-cloudwatch-logs](./mariadb-publish-logs-to-cloudwatch-logs.html)
+ [mediapackage-packagingconfiguration-tagged](./mediapackage-packagingconfiguration-tagged.html)
+ [mediatailor-playbackconfiguration-tagged](./mediatailor-playbackconfiguration-tagged.html)
+ [memorydb-subnetgroup-tagged](./memorydb-subnetgroup-tagged.html)
+ [mfa-enabled-for-iam-console-access](./mfa-enabled-for-iam-console-access.html)
+ [mq-active-broker-ldap-authentication](./mq-active-broker-ldap-authentication.html)
+ [mq-active-deployment-mode](./mq-active-deployment-mode.html)
+ [mq-active-single-instance-broker-storage-type-efs](./mq-active-single-instance-broker-storage-type-efs.html)
+ [mq-automatic-minor-version-upgrade-enabled](./mq-automatic-minor-version-upgrade-enabled.html)
+ [mq-auto-minor-version-upgrade-enabled](./mq-auto-minor-version-upgrade-enabled.html)
+ [mq-broker-general-logging-enabled](./mq-broker-general-logging-enabled.html)
+ [mq-cloudwatch-audit-logging-enabled](./mq-cloudwatch-audit-logging-enabled.html)
+ [mq-cloudwatch-audit-log-enabled](./mq-cloudwatch-audit-log-enabled.html)
+ [mq-no-public-access](./mq-no-public-access.html)
+ [mq-rabbit-deployment-mode](./mq-rabbit-deployment-mode.html)
+ [msk-cluster-public-access-disabled](./msk-cluster-public-access-disabled.html)
+ [msk-cluster-tagged](./msk-cluster-tagged.html)
+ [msk-connect-connector-logging-enabled](./msk-connect-connector-logging-enabled.html)
+ [msk-enhanced-monitoring-enabled](./msk-enhanced-monitoring-enabled.html)
+ [msk-in-cluster-node-require-tls](./msk-in-cluster-node-require-tls.html)
+ [msk-unrestricted-access-check](./msk-unrestricted-access-check.html)
+ [multi-region-cloud-trail-enabled](./multi-region-cloud-trail-enabled.html)
+ [nacl-no-unrestricted-ssh-rdp](./nacl-no-unrestricted-ssh-rdp.html)
+ [neptune-cluster-backup-retention-check](./neptune-cluster-backup-retention-check.html)
+ [neptune-cluster-cloudwatch-log-export-enabled](./neptune-cluster-cloudwatch-log-export-enabled.html)
+ [neptune-cluster-copy-tags-to-snapshot-enabled](./neptune-cluster-copy-tags-to-snapshot-enabled.html)
+ [neptune-cluster-deletion-protection-enabled](./neptune-cluster-deletion-protection-enabled.html)
+ [neptune-cluster-encrypted](./neptune-cluster-encrypted.html)
+ [neptune-cluster-iam-database-authentication](./neptune-cluster-iam-database-authentication.html)
+ [neptune-cluster-multi-az-enabled](./neptune-cluster-multi-az-enabled.html)
+ [neptune-cluster-snapshot-encrypted](./neptune-cluster-snapshot-encrypted.html)
+ [neptune-cluster-snapshot-iam-database-auth-enabled](./neptune-cluster-snapshot-iam-database-auth-enabled.html)
+ [neptune-cluster-snapshot-public-prohibited](./neptune-cluster-snapshot-public-prohibited.html)
+ [netfw-deletion-protection-enabled](./netfw-deletion-protection-enabled.html)
+ [netfw-logging-enabled](./netfw-logging-enabled.html)
+ [netfw-multi-az-enabled](./netfw-multi-az-enabled.html)
+ [netfw-policy-default-action-fragment-packets](./netfw-policy-default-action-fragment-packets.html)
+ [netfw-policy-default-action-full-packets](./netfw-policy-default-action-full-packets.html)
+ [netfw-policy-rule-group-associated](./netfw-policy-rule-group-associated.html)
+ [netfw-stateless-rule-group-not-empty](./netfw-stateless-rule-group-not-empty.html)
+ [netfw-subnet-change-protection-enabled](./netfw-subnet-change-protection-enabled.html)
+ [nlb-cross-zone-load-balancing-enabled](./nlb-cross-zone-load-balancing-enabled.html)
+ [nlb-internal-scheme-check](./nlb-internal-scheme-check.html)
+ [nlb-listener-tagged](./nlb-listener-tagged.html)
+ [nlb-logging-enabled](./nlb-logging-enabled.html)
+ [nlb-tagged](./nlb-tagged.html)
+ [no-unrestricted-route-to-igw](./no-unrestricted-route-to-igw.html)
+ [opensearchserverless-collection-description](./opensearchserverless-collection-description.html)
+ [opensearchserverless-collection-standbyreplicas-enabled](./opensearchserverless-collection-standbyreplicas-enabled.html)
+ [opensearch-access-control-enabled](./opensearch-access-control-enabled.html)
+ [opensearch-audit-logging-enabled](./opensearch-audit-logging-enabled.html)
+ [opensearch-data-node-fault-tolerance](./opensearch-data-node-fault-tolerance.html)
+ [opensearch-encrypted-at-rest](./opensearch-encrypted-at-rest.html)
+ [opensearch-https-required](./opensearch-https-required.html)
+ [opensearch-in-vpc-only](./opensearch-in-vpc-only.html)
+ [opensearch-logs-to-cloudwatch](./opensearch-logs-to-cloudwatch.html)
+ [opensearch-node-to-node-encryption-check](./opensearch-node-to-node-encryption-check.html)
+ [opensearch-primary-node-fault-tolerance](./opensearch-primary-node-fault-tolerance.html)
+ [opensearch-update-check](./opensearch-update-check.html)
+ [rabbit-mq-supported-version](./rabbit-mq-supported-version.html)
+ [rds-aurora-mysql-audit-logging-enabled](./rds-aurora-mysql-audit-logging-enabled.html)
+ [rds-aurora-postgresql-logs-to-cloudwatch](./rds-aurora-postgresql-logs-to-cloudwatch.html)
+ [rds-automatic-minor-version-upgrade-enabled](./rds-automatic-minor-version-upgrade-enabled.html)
+ [rds-cluster-auto-minor-version-upgrade-enable](./rds-cluster-auto-minor-version-upgrade-enable.html)
+ [rds-cluster-backup-retention-check](./rds-cluster-backup-retention-check.html)
+ [rds-cluster-default-admin-check](./rds-cluster-default-admin-check.html)
+ [rds-cluster-deletion-protection-enabled](./rds-cluster-deletion-protection-enabled.html)
+ [rds-cluster-encrypted-at-rest](./rds-cluster-encrypted-at-rest.html)
+ [rds-cluster-iam-authentication-enabled](./rds-cluster-iam-authentication-enabled.html)
+ [rds-cluster-multi-az-enabled](./rds-cluster-multi-az-enabled.html)
+ [rds-db-security-group-not-allowed](./rds-db-security-group-not-allowed.html)
+ [rds-enhanced-monitoring-enabled](./rds-enhanced-monitoring-enabled.html)
+ [rds-event-subscription-tagged](./rds-event-subscription-tagged.html)
+ [rds-global-cluster-aurora-mysql-supported-version](./rds-global-cluster-aurora-mysql-supported-version.html)
+ [rds-instance-default-admin-check](./rds-instance-default-admin-check.html)
+ [rds-instance-deletion-protection-enabled](./rds-instance-deletion-protection-enabled.html)
+ [rds-instance-iam-authentication-enabled](./rds-instance-iam-authentication-enabled.html)
+ [rds-instance-public-access-check](./rds-instance-public-access-check.html)
+ [rds-instance-subnet-igw-check](./rds-instance-subnet-igw-check.html)
+ [rds-in-backup-plan](./rds-in-backup-plan.html)
+ [rds-last-backup-recovery-point-created](./rds-last-backup-recovery-point-created.html)
+ [rds-logging-enabled](./rds-logging-enabled.html)
+ [rds-mariadb-instance-encrypted-in-transit](./rds-mariadb-instance-encrypted-in-transit.html)
+ [rds-meets-restore-time-target](./rds-meets-restore-time-target.html)
+ [rds-multi-az-support](./rds-multi-az-support.html)
+ [rds-mysql-cluster-copy-tags-to-snapshot-check](./rds-mysql-cluster-copy-tags-to-snapshot-check.html)
+ [rds-mysql-instance-encrypted-in-transit](./rds-mysql-instance-encrypted-in-transit.html)
+ [rds-option-group-tagged](./rds-option-group-tagged.html)
+ [rds-pgsql-cluster-copy-tags-to-snapshot-check](./rds-pgsql-cluster-copy-tags-to-snapshot-check.html)
+ [rds-postgresql-logs-to-cloudwatch](./rds-postgresql-logs-to-cloudwatch.html)
+ [rds-postgres-instance-encrypted-in-transit](./rds-postgres-instance-encrypted-in-transit.html)
+ [rds-proxy-tls-encryption](./rds-proxy-tls-encryption.html)
+ [rds-resources-protected-by-backup-plan](./rds-resources-protected-by-backup-plan.html)
+ [rds-snapshots-public-prohibited](./rds-snapshots-public-prohibited.html)
+ [rds-snapshot-encrypted](./rds-snapshot-encrypted.html)
+ [rds-sqlserver-encrypted-in-transit](./rds-sqlserver-encrypted-in-transit.html)
+ [rds-sql-server-logs-to-cloudwatch](./rds-sql-server-logs-to-cloudwatch.html)
+ [rds-storage-encrypted](./rds-storage-encrypted.html)
+ [redshift-audit-logging-enabled](./redshift-audit-logging-enabled.html)
+ [redshift-backup-enabled](./redshift-backup-enabled.html)
+ [redshift-cluster-configuration-check](./redshift-cluster-configuration-check.html)
+ [redshift-cluster-kms-enabled](./redshift-cluster-kms-enabled.html)
+ [redshift-cluster-maintenancesettings-check](./redshift-cluster-maintenancesettings-check.html)
+ [redshift-cluster-multi-az-enabled](./redshift-cluster-multi-az-enabled.html)
+ [redshift-cluster-parameter-group-tagged](./redshift-cluster-parameter-group-tagged.html)
+ [redshift-cluster-public-access-check](./redshift-cluster-public-access-check.html)
+ [redshift-cluster-subnet-group-multi-az](./redshift-cluster-subnet-group-multi-az.html)
+ [redshift-default-admin-check](./redshift-default-admin-check.html)
+ [redshift-default-db-name-check](./redshift-default-db-name-check.html)
+ [redshift-enhanced-vpc-routing-enabled](./redshift-enhanced-vpc-routing-enabled.html)
+ [redshift-require-tls-ssl](./redshift-require-tls-ssl.html)
+ [redshift-serverless-default-admin-check](./redshift-serverless-default-admin-check.html)
+ [redshift-serverless-default-db-name-check](./redshift-serverless-default-db-name-check.html)
+ [redshift-serverless-namespace-cmk-encryption](./redshift-serverless-namespace-cmk-encryption.html)
+ [redshift-serverless-publish-logs-to-cloudwatch](./redshift-serverless-publish-logs-to-cloudwatch.html)
+ [redshift-serverless-workgroup-no-public-access](./redshift-serverless-workgroup-no-public-access.html)
+ [redshift-unrestricted-port-access](./redshift-unrestricted-port-access.html)
+ [required-tags](./required-tags.html)
+ [resiliencehub-app-tagged](./resiliencehub-app-tagged.html)
+ [resiliencehub-resiliencypolicy-tagged](./resiliencehub-resiliencypolicy-tagged.html)
+ [restricted-incoming-traffic](./restricted-incoming-traffic.html)
+ [root-account-hardware-mfa-enabled](./root-account-hardware-mfa-enabled.html)
+ [root-account-mfa-enabled](./root-account-mfa-enabled.html)
+ [route53-resolver-firewall-domain-list-tagged](./route53-resolver-firewall-domain-list-tagged.html)
+ [route53-resolver-firewall-rule-group-association-tagged](./route53-resolver-firewall-rule-group-association-tagged.html)
+ [route53-resolver-firewall-rule-group-tagged](./route53-resolver-firewall-rule-group-tagged.html)
+ [route53-resolver-resolver-endpoint-tagged](./route53-resolver-resolver-endpoint-tagged.html)
+ [route53-resolver-resolver-rule-tagged](./route53-resolver-resolver-rule-tagged.html)
+ [rum-app-monitor-cloudwatch-logs-enabled](./rum-app-monitor-cloudwatch-logs-enabled.html)
+ [rum-app-monitor-tagged](./rum-app-monitor-tagged.html)
+ [s3-access-point-in-vpc-only](./s3-access-point-in-vpc-only.html)
+ [s3-access-point-public-access-blocks](./s3-access-point-public-access-blocks.html)
+ [s3-account-level-public-access-blocks](./s3-account-level-public-access-blocks.html)
+ [s3-account-level-public-access-blocks-periodic](./s3-account-level-public-access-blocks-periodic.html)
+ [s3-bucket-acl-prohibited](./s3-bucket-acl-prohibited.html)
+ [s3-bucket-blacklisted-actions-prohibited](./s3-bucket-blacklisted-actions-prohibited.html)
+ [s3-bucket-cross-region-replication-enabled](./s3-bucket-cross-region-replication-enabled.html)
+ [s3-bucket-default-lock-enabled](./s3-bucket-default-lock-enabled.html)
+ [s3-bucket-level-public-access-prohibited](./s3-bucket-level-public-access-prohibited.html)
+ [s3-bucket-logging-enabled](./s3-bucket-logging-enabled.html)
+ [s3-bucket-mfa-delete-enabled](./s3-bucket-mfa-delete-enabled.html)
+ [s3-bucket-policy-grantee-check](./s3-bucket-policy-grantee-check.html)
+ [s3-bucket-policy-not-more-permissive](./s3-bucket-policy-not-more-permissive.html)
+ [s3-bucket-public-read-prohibited](./s3-bucket-public-read-prohibited.html)
+ [s3-bucket-public-write-prohibited](./s3-bucket-public-write-prohibited.html)
+ [s3-bucket-replication-enabled](./s3-bucket-replication-enabled.html)
+ [s3-bucket-server-side-encryption-enabled](./s3-bucket-server-side-encryption-enabled.html)
+ [s3-bucket-ssl-requests-only](./s3-bucket-ssl-requests-only.html)
+ [s3-bucket-tagged](./s3-bucket-tagged.html)
+ [s3-bucket-versioning-enabled](./s3-bucket-versioning-enabled.html)
+ [s3-default-encryption-kms](./s3-default-encryption-kms.html)
+ [s3-event-notifications-enabled](./s3-event-notifications-enabled.html)
+ [s3-last-backup-recovery-point-created](./s3-last-backup-recovery-point-created.html)
+ [s3-lifecycle-policy-check](./s3-lifecycle-policy-check.html)
+ [s3-meets-restore-time-target](./s3-meets-restore-time-target.html)
+ [s3-resources-in-logically-air-gapped-vault](./s3-resources-in-logically-air-gapped-vault.html)
+ [s3-resources-protected-by-backup-plan](./s3-resources-protected-by-backup-plan.html)
+ [s3-version-lifecycle-policy-check](./s3-version-lifecycle-policy-check.html)
+ [sagemaker-app-image-config-tagged](./sagemaker-app-image-config-tagged.html)
+ [sagemaker-data-quality-job-encrypt-in-transit](./sagemaker-data-quality-job-encrypt-in-transit.html)
+ [sagemaker-data-quality-job-isolation](./sagemaker-data-quality-job-isolation.html)
+ [sagemaker-domain-in-vpc](./sagemaker-domain-in-vpc.html)
+ [sagemaker-domain-tagged](./sagemaker-domain-tagged.html)
+ [sagemaker-endpoint-configuration-kms-key-configured](./sagemaker-endpoint-configuration-kms-key-configured.html)
+ [sagemaker-endpoint-config-prod-instance-count](./sagemaker-endpoint-config-prod-instance-count.html)
+ [sagemaker-featuregroup-description](./sagemaker-featuregroup-description.html)
+ [sagemaker-featuregroup-encryption-at-rest](./sagemaker-featuregroup-encryption-at-rest.html)
+ [sagemaker-feature-group-tagged](./sagemaker-feature-group-tagged.html)
+ [sagemaker-image-description](./sagemaker-image-description.html)
+ [sagemaker-image-tagged](./sagemaker-image-tagged.html)
+ [sagemaker-inferenceexperiment-tagged](./sagemaker-inferenceexperiment-tagged.html)
+ [sagemaker-model-bias-job-encrypt-in-transit](./sagemaker-model-bias-job-encrypt-in-transit.html)
+ [sagemaker-model-bias-job-isolation](./sagemaker-model-bias-job-isolation.html)
+ [sagemaker-model-explainability-job-encrypt-in-transit](./sagemaker-model-explainability-job-encrypt-in-transit.html)
+ [sagemaker-model-in-vpc](./sagemaker-model-in-vpc.html)
+ [sagemaker-model-isolation-enabled](./sagemaker-model-isolation-enabled.html)
+ [sagemaker-model-private-registry-required](./sagemaker-model-private-registry-required.html)
+ [sagemaker-model-quality-job-encrypt-in-transit](./sagemaker-model-quality-job-encrypt-in-transit.html)
+ [sagemaker-monitoring-schedule-isolation](./sagemaker-monitoring-schedule-isolation.html)
+ [sagemaker-notebook-instance-inside-vpc](./sagemaker-notebook-instance-inside-vpc.html)
+ [sagemaker-notebook-instance-kms-key-configured](./sagemaker-notebook-instance-kms-key-configured.html)
+ [sagemaker-notebook-instance-platform-version](./sagemaker-notebook-instance-platform-version.html)
+ [sagemaker-notebook-instance-root-access-check](./sagemaker-notebook-instance-root-access-check.html)
+ [sagemaker-notebook-no-direct-internet-access](./sagemaker-notebook-no-direct-internet-access.html)
+ [secretsmanager-rotation-enabled-check](./secretsmanager-rotation-enabled-check.html)
+ [secretsmanager-scheduled-rotation-success-check](./secretsmanager-scheduled-rotation-success-check.html)
+ [secretsmanager-secret-periodic-rotation](./secretsmanager-secret-periodic-rotation.html)
+ [secretsmanager-secret-unused](./secretsmanager-secret-unused.html)
+ [secretsmanager-using-cmk](./secretsmanager-using-cmk.html)
+ [securityhub-enabled](./securityhub-enabled.html)
+ [security-account-information-provided](./security-account-information-provided.html)
+ [service-catalog-portfolio-tagged](./service-catalog-portfolio-tagged.html)
+ [service-catalog-shared-within-organization](./service-catalog-shared-within-organization.html)
+ [service-vpc-endpoint-enabled](./service-vpc-endpoint-enabled.html)
+ [ses-sending-tls-required](./ses-sending-tls-required.html)
+ [signer-signingprofile-tagged](./signer-signingprofile-tagged.html)
+ [sns-encrypted-kms](./sns-encrypted-kms.html)
+ [sns-topic-message-delivery-notification-enabled](./sns-topic-message-delivery-notification-enabled.html)
+ [sns-topic-no-public-access](./sns-topic-no-public-access.html)
+ [sqs-queue-dlq-check](./sqs-queue-dlq-check.html)
+ [sqs-queue-no-public-access](./sqs-queue-no-public-access.html)
+ [sqs-queue-policy-full-access-check](./sqs-queue-policy-full-access-check.html)
+ [ssm-automation-block-public-sharing](./ssm-automation-block-public-sharing.html)
+ [ssm-automation-logging-enabled](./ssm-automation-logging-enabled.html)
+ [ssm-document-not-public](./ssm-document-not-public.html)
+ [ssm-document-tagged](./ssm-document-tagged.html)
+ [stepfunctions-state-machine-tagged](./stepfunctions-state-machine-tagged.html)
+ [step-functions-state-machine-logging-enabled](./step-functions-state-machine-logging-enabled.html)
+ [storagegateway-last-backup-recovery-point-created](./storagegateway-last-backup-recovery-point-created.html)
+ [storagegateway-resources-in-logically-air-gapped-vault](./storagegateway-resources-in-logically-air-gapped-vault.html)
+ [storagegateway-resources-protected-by-backup-plan](./storagegateway-resources-protected-by-backup-plan.html)
+ [subnet-auto-assign-public-ip-disabled](./subnet-auto-assign-public-ip-disabled.html)
+ [transfer-agreement-description](./transfer-agreement-description.html)
+ [transfer-agreement-tagged](./transfer-agreement-tagged.html)
+ [transfer-certificate-description](./transfer-certificate-description.html)
+ [transfer-certificate-tagged](./transfer-certificate-tagged.html)
+ [transfer-connector-as2-encryption-algorithm-check](./transfer-connector-as2-encryption-algorithm-check.html)
+ [transfer-connector-as2-mdn-signing-algorithm-check](./transfer-connector-as2-mdn-signing-algorithm-check.html)
+ [transfer-connector-as2-signing-algorithm-check](./transfer-connector-as2-signing-algorithm-check.html)
+ [transfer-connector-logging-enabled](./transfer-connector-logging-enabled.html)
+ [transfer-connector-tagged](./transfer-connector-tagged.html)
+ [transfer-family-server-no-ftp](./transfer-family-server-no-ftp.html)
+ [transfer-profile-tagged](./transfer-profile-tagged.html)
+ [transfer-workflow-description](./transfer-workflow-description.html)
+ [transfer-workflow-tagged](./transfer-workflow-tagged.html)
+ [virtualmachine-last-backup-recovery-point-created](./virtualmachine-last-backup-recovery-point-created.html)
+ [virtualmachine-resources-in-logically-air-gapped-vault](./virtualmachine-resources-in-logically-air-gapped-vault.html)
+ [virtualmachine-resources-protected-by-backup-plan](./virtualmachine-resources-protected-by-backup-plan.html)
+ [vpc-default-security-group-closed](./vpc-default-security-group-closed.html)
+ [vpc-endpoint-enabled](./vpc-endpoint-enabled.html)
+ [vpc-flow-logs-enabled](./vpc-flow-logs-enabled.html)
+ [vpc-network-acl-unused-check](./vpc-network-acl-unused-check.html)
+ [vpc-peering-dns-resolution-check](./vpc-peering-dns-resolution-check.html)
+ [vpc-sg-open-only-to-authorized-ports](./vpc-sg-open-only-to-authorized-ports.html)
+ [vpc-sg-port-restriction-check](./vpc-sg-port-restriction-check.html)
+ [vpc-vpn-2-tunnels-up](./vpc-vpn-2-tunnels-up.html)
+ [wafv2-logging-enabled](./wafv2-logging-enabled.html)
+ [wafv2-rulegroup-logging-enabled](./wafv2-rulegroup-logging-enabled.html)
+ [wafv2-rulegroup-not-empty](./wafv2-rulegroup-not-empty.html)
+ [wafv2-webacl-not-empty](./wafv2-webacl-not-empty.html)
+ [waf-global-rulegroup-not-empty](./waf-global-rulegroup-not-empty.html)
+ [waf-global-rule-not-empty](./waf-global-rule-not-empty.html)
+ [waf-regional-rulegroup-not-empty](./waf-regional-rulegroup-not-empty.html)
+ [waf-regional-rule-not-empty](./waf-regional-rule-not-empty.html)
+ [waf-regional-webacl-not-empty](./waf-regional-webacl-not-empty.html)
+ [workspaces-connection-alias-tagged](./workspaces-connection-alias-tagged.html)
+ [workspaces-root-volume-encryption-enabled](./workspaces-root-volume-encryption-enabled.html)
+ [workspaces-user-volume-encryption-enabled](./workspaces-user-volume-encryption-enabled.html)
+ [workspaces-workspace-tagged](./workspaces-workspace-tagged.html)

## AWS GovCloud (US-East) Region
<a name="aws-govcloud-us-east-section-head"></a>

### AWS GovCloud (US-East)
<a name="aws-govcloud-us-east"></a>
+ [access-keys-rotated](./access-keys-rotated.html)
+ [account-part-of-organizations](./account-part-of-organizations.html)
+ [acm-certificate-expiration-check](./acm-certificate-expiration-check.html)
+ [active-mq-supported-version](./active-mq-supported-version.html)
+ [alb-desync-mode-check](./alb-desync-mode-check.html)
+ [alb-http-drop-invalid-header-enabled](./alb-http-drop-invalid-header-enabled.html)
+ [alb-http-to-https-redirection-check](./alb-http-to-https-redirection-check.html)
+ [alb-waf-enabled](./alb-waf-enabled.html)
+ [api-gwv2-access-logs-enabled](./api-gwv2-access-logs-enabled.html)
+ [api-gw-associated-with-waf](./api-gw-associated-with-waf.html)
+ [api-gw-cache-enabled-and-encrypted](./api-gw-cache-enabled-and-encrypted.html)
+ [api-gw-endpoint-type-check](./api-gw-endpoint-type-check.html)
+ [api-gw-execution-logging-enabled](./api-gw-execution-logging-enabled.html)
+ [api-gw-ssl-enabled](./api-gw-ssl-enabled.html)
+ [api-gw-xray-enabled](./api-gw-xray-enabled.html)
+ [approved-amis-by-id](./approved-amis-by-id.html)
+ [approved-amis-by-tag](./approved-amis-by-tag.html)
+ [athena-workgroup-logging-enabled](./athena-workgroup-logging-enabled.html)
+ [aurora-last-backup-recovery-point-created](./aurora-last-backup-recovery-point-created.html)
+ [aurora-mysql-cluster-audit-logging](./aurora-mysql-cluster-audit-logging.html)
+ [aurora-resources-protected-by-backup-plan](./aurora-resources-protected-by-backup-plan.html)
+ [autoscaling-group-elb-healthcheck-required](./autoscaling-group-elb-healthcheck-required.html)
+ [autoscaling-launchconfig-requires-imdsv2](./autoscaling-launchconfig-requires-imdsv2.html)
+ [autoscaling-launch-config-public-ip-disabled](./autoscaling-launch-config-public-ip-disabled.html)
+ [autoscaling-launch-template](./autoscaling-launch-template.html)
+ [autoscaling-multiple-instance-types](./autoscaling-multiple-instance-types.html)
+ [backup-plan-min-frequency-and-min-retention-check](./backup-plan-min-frequency-and-min-retention-check.html)
+ [backup-recovery-point-encrypted](./backup-recovery-point-encrypted.html)
+ [backup-recovery-point-manual-deletion-disabled](./backup-recovery-point-manual-deletion-disabled.html)
+ [backup-recovery-point-minimum-retention-check](./backup-recovery-point-minimum-retention-check.html)
+ [beanstalk-enhanced-health-reporting-enabled](./beanstalk-enhanced-health-reporting-enabled.html)
+ [clb-desync-mode-check](./clb-desync-mode-check.html)
+ [cloudformation-stack-drift-detection-check](./cloudformation-stack-drift-detection-check.html)
+ [cloudformation-stack-notification-check](./cloudformation-stack-notification-check.html)
+ [cloudformation-stack-service-role-check](./cloudformation-stack-service-role-check.html)
+ [cloudformation-termination-protection-check](./cloudformation-termination-protection-check.html)
+ [cloudtrail-all-read-s3-data-event-check](./cloudtrail-all-read-s3-data-event-check.html)
+ [cloudtrail-all-write-s3-data-event-check](./cloudtrail-all-write-s3-data-event-check.html)
+ [cloudtrail-s3-bucket-access-logging](./cloudtrail-s3-bucket-access-logging.html)
+ [cloudtrail-s3-bucket-public-access-prohibited](./cloudtrail-s3-bucket-public-access-prohibited.html)
+ [cloudtrail-s3-dataevents-enabled](./cloudtrail-s3-dataevents-enabled.html)
+ [cloudtrail-security-trail-enabled](./cloudtrail-security-trail-enabled.html)
+ [cloudwatch-alarm-action-check](./cloudwatch-alarm-action-check.html)
+ [cloudwatch-alarm-resource-check](./cloudwatch-alarm-resource-check.html)
+ [cloudwatch-alarm-settings-check](./cloudwatch-alarm-settings-check.html)
+ [cloudwatch-log-group-encrypted](./cloudwatch-log-group-encrypted.html)
+ [cloud-trail-cloud-watch-logs-enabled](./cloud-trail-cloud-watch-logs-enabled.html)
+ [cloud-trail-enabled](./cloud-trail-enabled.html)
+ [cloud-trail-encryption-enabled](./cloud-trail-encryption-enabled.html)
+ [cloud-trail-log-file-validation-enabled](./cloud-trail-log-file-validation-enabled.html)
+ [cmk-backing-key-rotation-enabled](./cmk-backing-key-rotation-enabled.html)
+ [codebuild-project-environment-privileged-check](./codebuild-project-environment-privileged-check.html)
+ [codebuild-project-envvar-awscred-check](./codebuild-project-envvar-awscred-check.html)
+ [codebuild-project-logging-enabled](./codebuild-project-logging-enabled.html)
+ [codebuild-project-s3-logs-encrypted](./codebuild-project-s3-logs-encrypted.html)
+ [codebuild-project-source-repo-url-check](./codebuild-project-source-repo-url-check.html)
+ [codebuild-report-group-encrypted-at-rest](./codebuild-report-group-encrypted-at-rest.html)
+ [cw-loggroup-retention-period-check](./cw-loggroup-retention-period-check.html)
+ [datasync-task-logging-enabled](./datasync-task-logging-enabled.html)
+ [db-instance-backup-enabled](./db-instance-backup-enabled.html)
+ [desired-instance-tenancy](./desired-instance-tenancy.html)
+ [desired-instance-type](./desired-instance-type.html)
+ [dms-auto-minor-version-upgrade-check](./dms-auto-minor-version-upgrade-check.html)
+ [dms-mongo-db-authentication-enabled](./dms-mongo-db-authentication-enabled.html)
+ [dms-neptune-iam-authorization-enabled](./dms-neptune-iam-authorization-enabled.html)
+ [dms-redis-tls-enabled](./dms-redis-tls-enabled.html)
+ [dms-replication-instance-multi-az-enabled](./dms-replication-instance-multi-az-enabled.html)
+ [dms-replication-not-public](./dms-replication-not-public.html)
+ [dms-replication-task-targetdb-logging](./dms-replication-task-targetdb-logging.html)
+ [docdb-cluster-encrypted-in-transit](./docdb-cluster-encrypted-in-transit.html)
+ [dynamodb-autoscaling-enabled](./dynamodb-autoscaling-enabled.html)
+ [dynamodb-in-backup-plan](./dynamodb-in-backup-plan.html)
+ [dynamodb-last-backup-recovery-point-created](./dynamodb-last-backup-recovery-point-created.html)
+ [dynamodb-pitr-enabled](./dynamodb-pitr-enabled.html)
+ [dynamodb-resources-protected-by-backup-plan](./dynamodb-resources-protected-by-backup-plan.html)
+ [dynamodb-table-deletion-protection-enabled](./dynamodb-table-deletion-protection-enabled.html)
+ [dynamodb-table-encrypted-kms](./dynamodb-table-encrypted-kms.html)
+ [dynamodb-table-encryption-enabled](./dynamodb-table-encryption-enabled.html)
+ [dynamodb-throughput-limit-check](./dynamodb-throughput-limit-check.html)
+ [ebs-in-backup-plan](./ebs-in-backup-plan.html)
+ [ebs-last-backup-recovery-point-created](./ebs-last-backup-recovery-point-created.html)
+ [ebs-optimized-instance](./ebs-optimized-instance.html)
+ [ebs-resources-protected-by-backup-plan](./ebs-resources-protected-by-backup-plan.html)
+ [ebs-snapshot-block-public-access](./ebs-snapshot-block-public-access.html)
+ [ebs-snapshot-public-restorable-check](./ebs-snapshot-public-restorable-check.html)
+ [ec2-client-vpn-connection-log-enabled](./ec2-client-vpn-connection-log-enabled.html)
+ [ec2-ebs-encryption-by-default](./ec2-ebs-encryption-by-default.html)
+ [ec2-enis-source-destination-check-enabled](./ec2-enis-source-destination-check-enabled.html)
+ [ec2-imdsv2-check](./ec2-imdsv2-check.html)
+ [ec2-instance-detailed-monitoring-enabled](./ec2-instance-detailed-monitoring-enabled.html)
+ [ec2-instance-launched-with-allowed-ami](./ec2-instance-launched-with-allowed-ami.html)
+ [ec2-instance-managed-by-ssm](./ec2-instance-managed-by-ssm.html)
+ [ec2-instance-multiple-eni-check](./ec2-instance-multiple-eni-check.html)
+ [ec2-instance-no-public-ip](./ec2-instance-no-public-ip.html)
+ [ec2-instance-profile-attached](./ec2-instance-profile-attached.html)
+ [ec2-last-backup-recovery-point-created](./ec2-last-backup-recovery-point-created.html)
+ [ec2-launch-templates-ebs-volume-encrypted](./ec2-launch-templates-ebs-volume-encrypted.html)
+ [ec2-managedinstance-applications-blacklisted](./ec2-managedinstance-applications-blacklisted.html)
+ [ec2-managedinstance-applications-required](./ec2-managedinstance-applications-required.html)
+ [ec2-managedinstance-association-compliance-status-check](./ec2-managedinstance-association-compliance-status-check.html)
+ [ec2-managedinstance-inventory-blacklisted](./ec2-managedinstance-inventory-blacklisted.html)
+ [ec2-managedinstance-patch-compliance-status-check](./ec2-managedinstance-patch-compliance-status-check.html)
+ [ec2-managedinstance-platform-check](./ec2-managedinstance-platform-check.html)
+ [ec2-resources-protected-by-backup-plan](./ec2-resources-protected-by-backup-plan.html)
+ [ec2-security-group-attached-to-eni](./ec2-security-group-attached-to-eni.html)
+ [ec2-spot-fleet-request-ct-encryption-at-rest](./ec2-spot-fleet-request-ct-encryption-at-rest.html)
+ [ec2-stopped-instance](./ec2-stopped-instance.html)
+ [ec2-volume-inuse-check](./ec2-volume-inuse-check.html)
+ [ec2-vpn-connection-ike-version-check](./ec2-vpn-connection-ike-version-check.html)
+ [ec2-vpn-connection-logging-enabled](./ec2-vpn-connection-logging-enabled.html)
+ [ecr-private-image-scanning-enabled](./ecr-private-image-scanning-enabled.html)
+ [ecr-private-lifecycle-policy-configured](./ecr-private-lifecycle-policy-configured.html)
+ [ecr-private-tag-immutability-enabled](./ecr-private-tag-immutability-enabled.html)
+ [ecr-repository-cmk-encryption-enabled](./ecr-repository-cmk-encryption-enabled.html)
+ [ecs-capacity-provider-termination-check](./ecs-capacity-provider-termination-check.html)
+ [ecs-containers-nonprivileged](./ecs-containers-nonprivileged.html)
+ [ecs-containers-readonly-access](./ecs-containers-readonly-access.html)
+ [ecs-container-insights-enabled](./ecs-container-insights-enabled.html)
+ [ecs-fargate-latest-platform-version](./ecs-fargate-latest-platform-version.html)
+ [ecs-task-definition-efs-encryption-enabled](./ecs-task-definition-efs-encryption-enabled.html)
+ [ecs-task-definition-linux-user-non-root](./ecs-task-definition-linux-user-non-root.html)
+ [ecs-task-definition-network-mode-not-host](./ecs-task-definition-network-mode-not-host.html)
+ [ecs-task-definition-user-for-host-mode-check](./ecs-task-definition-user-for-host-mode-check.html)
+ [ecs-task-definition-windows-user-non-admin](./ecs-task-definition-windows-user-non-admin.html)
+ [efs-access-point-enforce-user-identity](./efs-access-point-enforce-user-identity.html)
+ [efs-automatic-backups-enabled](./efs-automatic-backups-enabled.html)
+ [efs-encrypted-check](./efs-encrypted-check.html)
+ [efs-filesystem-ct-encrypted](./efs-filesystem-ct-encrypted.html)
+ [efs-in-backup-plan](./efs-in-backup-plan.html)
+ [efs-last-backup-recovery-point-created](./efs-last-backup-recovery-point-created.html)
+ [efs-mount-target-public-accessible](./efs-mount-target-public-accessible.html)
+ [efs-resources-protected-by-backup-plan](./efs-resources-protected-by-backup-plan.html)
+ [eip-attached](./eip-attached.html)
+ [eks-cluster-secrets-encrypted](./eks-cluster-secrets-encrypted.html)
+ [eks-cluster-supported-version](./eks-cluster-supported-version.html)
+ [eks-endpoint-no-public-access](./eks-endpoint-no-public-access.html)
+ [eks-nodegroup-supported-version-check](./eks-nodegroup-supported-version-check.html)
+ [eks-secrets-encrypted](./eks-secrets-encrypted.html)
+ [elasticache-automatic-backup-check-enabled](./elasticache-automatic-backup-check-enabled.html)
+ [elasticache-redis-cluster-automatic-backup-check](./elasticache-redis-cluster-automatic-backup-check.html)
+ [elasticsearch-encrypted-at-rest](./elasticsearch-encrypted-at-rest.html)
+ [elasticsearch-in-vpc-only](./elasticsearch-in-vpc-only.html)
+ [elasticsearch-logs-to-cloudwatch](./elasticsearch-logs-to-cloudwatch.html)
+ [elasticsearch-node-to-node-encryption-check](./elasticsearch-node-to-node-encryption-check.html)
+ [elastic-beanstalk-managed-updates-enabled](./elastic-beanstalk-managed-updates-enabled.html)
+ [elbv2-listener-encryption-in-transit](./elbv2-listener-encryption-in-transit.html)
+ [elbv2-predefined-security-policy-ssl-check](./elbv2-predefined-security-policy-ssl-check.html)
+ [elb-acm-certificate-required](./elb-acm-certificate-required.html)
+ [elb-cross-zone-load-balancing-enabled](./elb-cross-zone-load-balancing-enabled.html)
+ [elb-custom-security-policy-ssl-check](./elb-custom-security-policy-ssl-check.html)
+ [elb-deletion-protection-enabled](./elb-deletion-protection-enabled.html)
+ [elb-logging-enabled](./elb-logging-enabled.html)
+ [elb-predefined-security-policy-ssl-check](./elb-predefined-security-policy-ssl-check.html)
+ [elb-tls-https-listeners-only](./elb-tls-https-listeners-only.html)
+ [emr-kerberos-enabled](./emr-kerberos-enabled.html)
+ [emr-master-no-public-ip](./emr-master-no-public-ip.html)
+ [encrypted-volumes](./encrypted-volumes.html)
+ [event-data-store-cmk-encryption-enabled](./event-data-store-cmk-encryption-enabled.html)
+ [fms-shield-resource-policy-check](./fms-shield-resource-policy-check.html)
+ [fms-webacl-resource-policy-check](./fms-webacl-resource-policy-check.html)
+ [fms-webacl-rulegroup-association-check](./fms-webacl-rulegroup-association-check.html)
+ [fsx-last-backup-recovery-point-created](./fsx-last-backup-recovery-point-created.html)
+ [fsx-ontap-deployment-type-check](./fsx-ontap-deployment-type-check.html)
+ [fsx-openzfs-deployment-type-check](./fsx-openzfs-deployment-type-check.html)
+ [fsx-resources-protected-by-backup-plan](./fsx-resources-protected-by-backup-plan.html)
+ [fsx-windows-deployment-type-check](./fsx-windows-deployment-type-check.html)
+ [glue-job-logging-enabled](./glue-job-logging-enabled.html)
+ [glue-spark-job-supported-version](./glue-spark-job-supported-version.html)
+ [guardduty-eks-protection-audit-enabled](./guardduty-eks-protection-audit-enabled.html)
+ [guardduty-enabled-centralized](./guardduty-enabled-centralized.html)
+ [guardduty-lambda-protection-enabled](./guardduty-lambda-protection-enabled.html)
+ [guardduty-non-archived-findings](./guardduty-non-archived-findings.html)
+ [guardduty-s3-protection-enabled](./guardduty-s3-protection-enabled.html)
+ [iam-customer-policy-blocked-kms-actions](./iam-customer-policy-blocked-kms-actions.html)
+ [iam-group-has-users-check](./iam-group-has-users-check.html)
+ [iam-inline-policy-blocked-kms-actions](./iam-inline-policy-blocked-kms-actions.html)
+ [iam-no-inline-policy-check](./iam-no-inline-policy-check.html)
+ [iam-password-policy](./iam-password-policy.html)
+ [iam-policy-blacklisted-check](./iam-policy-blacklisted-check.html)
+ [iam-policy-in-use](./iam-policy-in-use.html)
+ [iam-policy-no-statements-with-admin-access](./iam-policy-no-statements-with-admin-access.html)
+ [iam-policy-no-statements-with-full-access](./iam-policy-no-statements-with-full-access.html)
+ [iam-role-managed-policy-check](./iam-role-managed-policy-check.html)
+ [iam-root-access-key-check](./iam-root-access-key-check.html)
+ [iam-user-group-membership-check](./iam-user-group-membership-check.html)
+ [iam-user-mfa-enabled](./iam-user-mfa-enabled.html)
+ [iam-user-no-policies-check](./iam-user-no-policies-check.html)
+ [iam-user-unused-credentials-check](./iam-user-unused-credentials-check.html)
+ [incoming-ssh-disabled](./incoming-ssh-disabled.html)
+ [inspector-ec2-scan-enabled](./inspector-ec2-scan-enabled.html)
+ [inspector-ecr-scan-enabled](./inspector-ecr-scan-enabled.html)
+ [inspector-lambda-standard-scan-enabled](./inspector-lambda-standard-scan-enabled.html)
+ [instances-in-vpc](./instances-in-vpc.html)
+ [internet-gateway-authorized-vpc-only](./internet-gateway-authorized-vpc-only.html)
+ [kinesis-firehose-delivery-stream-encrypted](./kinesis-firehose-delivery-stream-encrypted.html)
+ [kinesis-stream-backup-retention-check](./kinesis-stream-backup-retention-check.html)
+ [kinesis-stream-encrypted](./kinesis-stream-encrypted.html)
+ [kms-cmk-not-scheduled-for-deletion](./kms-cmk-not-scheduled-for-deletion.html)
+ [lambda-concurrency-check](./lambda-concurrency-check.html)
+ [lambda-dlq-check](./lambda-dlq-check.html)
+ [lambda-function-public-access-prohibited](./lambda-function-public-access-prohibited.html)
+ [lambda-function-settings-check](./lambda-function-settings-check.html)
+ [lambda-function-xray-enabled](./lambda-function-xray-enabled.html)
+ [lambda-inside-vpc](./lambda-inside-vpc.html)
+ [mariadb-publish-logs-to-cloudwatch-logs](./mariadb-publish-logs-to-cloudwatch-logs.html)
+ [mfa-enabled-for-iam-console-access](./mfa-enabled-for-iam-console-access.html)
+ [mq-cloudwatch-audit-log-enabled](./mq-cloudwatch-audit-log-enabled.html)
+ [msk-cluster-public-access-disabled](./msk-cluster-public-access-disabled.html)
+ [msk-unrestricted-access-check](./msk-unrestricted-access-check.html)
+ [multi-region-cloud-trail-enabled](./multi-region-cloud-trail-enabled.html)
+ [nacl-no-unrestricted-ssh-rdp](./nacl-no-unrestricted-ssh-rdp.html)
+ [neptune-cluster-deletion-protection-enabled](./neptune-cluster-deletion-protection-enabled.html)
+ [netfw-multi-az-enabled](./netfw-multi-az-enabled.html)
+ [netfw-policy-rule-group-associated](./netfw-policy-rule-group-associated.html)
+ [netfw-stateless-rule-group-not-empty](./netfw-stateless-rule-group-not-empty.html)
+ [netfw-subnet-change-protection-enabled](./netfw-subnet-change-protection-enabled.html)
+ [nlb-cross-zone-load-balancing-enabled](./nlb-cross-zone-load-balancing-enabled.html)
+ [nlb-logging-enabled](./nlb-logging-enabled.html)
+ [no-unrestricted-route-to-igw](./no-unrestricted-route-to-igw.html)
+ [opensearch-primary-node-fault-tolerance](./opensearch-primary-node-fault-tolerance.html)
+ [opensearch-update-check](./opensearch-update-check.html)
+ [rabbit-mq-supported-version](./rabbit-mq-supported-version.html)
+ [rds-aurora-postgresql-logs-to-cloudwatch](./rds-aurora-postgresql-logs-to-cloudwatch.html)
+ [rds-automatic-minor-version-upgrade-enabled](./rds-automatic-minor-version-upgrade-enabled.html)
+ [rds-cluster-deletion-protection-enabled](./rds-cluster-deletion-protection-enabled.html)
+ [rds-cluster-iam-authentication-enabled](./rds-cluster-iam-authentication-enabled.html)
+ [rds-cluster-multi-az-enabled](./rds-cluster-multi-az-enabled.html)
+ [rds-enhanced-monitoring-enabled](./rds-enhanced-monitoring-enabled.html)
+ [rds-instance-default-admin-check](./rds-instance-default-admin-check.html)
+ [rds-instance-deletion-protection-enabled](./rds-instance-deletion-protection-enabled.html)
+ [rds-instance-iam-authentication-enabled](./rds-instance-iam-authentication-enabled.html)
+ [rds-instance-public-access-check](./rds-instance-public-access-check.html)
+ [rds-instance-subnet-igw-check](./rds-instance-subnet-igw-check.html)
+ [rds-in-backup-plan](./rds-in-backup-plan.html)
+ [rds-last-backup-recovery-point-created](./rds-last-backup-recovery-point-created.html)
+ [rds-logging-enabled](./rds-logging-enabled.html)
+ [rds-mariadb-instance-encrypted-in-transit](./rds-mariadb-instance-encrypted-in-transit.html)
+ [rds-multi-az-support](./rds-multi-az-support.html)
+ [rds-mysql-instance-encrypted-in-transit](./rds-mysql-instance-encrypted-in-transit.html)
+ [rds-postgresql-logs-to-cloudwatch](./rds-postgresql-logs-to-cloudwatch.html)
+ [rds-postgres-instance-encrypted-in-transit](./rds-postgres-instance-encrypted-in-transit.html)
+ [rds-resources-protected-by-backup-plan](./rds-resources-protected-by-backup-plan.html)
+ [rds-snapshots-public-prohibited](./rds-snapshots-public-prohibited.html)
+ [rds-snapshot-encrypted](./rds-snapshot-encrypted.html)
+ [rds-sqlserver-encrypted-in-transit](./rds-sqlserver-encrypted-in-transit.html)
+ [rds-sql-server-logs-to-cloudwatch](./rds-sql-server-logs-to-cloudwatch.html)
+ [rds-storage-encrypted](./rds-storage-encrypted.html)
+ [redshift-backup-enabled](./redshift-backup-enabled.html)
+ [redshift-cluster-configuration-check](./redshift-cluster-configuration-check.html)
+ [redshift-cluster-kms-enabled](./redshift-cluster-kms-enabled.html)
+ [redshift-cluster-maintenancesettings-check](./redshift-cluster-maintenancesettings-check.html)
+ [redshift-cluster-multi-az-enabled](./redshift-cluster-multi-az-enabled.html)
+ [redshift-cluster-public-access-check](./redshift-cluster-public-access-check.html)
+ [redshift-cluster-subnet-group-multi-az](./redshift-cluster-subnet-group-multi-az.html)
+ [redshift-default-admin-check](./redshift-default-admin-check.html)
+ [redshift-enhanced-vpc-routing-enabled](./redshift-enhanced-vpc-routing-enabled.html)
+ [redshift-require-tls-ssl](./redshift-require-tls-ssl.html)
+ [redshift-serverless-default-admin-check](./redshift-serverless-default-admin-check.html)
+ [redshift-serverless-default-db-name-check](./redshift-serverless-default-db-name-check.html)
+ [redshift-serverless-namespace-cmk-encryption](./redshift-serverless-namespace-cmk-encryption.html)
+ [redshift-unrestricted-port-access](./redshift-unrestricted-port-access.html)
+ [required-tags](./required-tags.html)
+ [restricted-incoming-traffic](./restricted-incoming-traffic.html)
+ [s3-access-point-in-vpc-only](./s3-access-point-in-vpc-only.html)
+ [s3-access-point-public-access-blocks](./s3-access-point-public-access-blocks.html)
+ [s3-account-level-public-access-blocks](./s3-account-level-public-access-blocks.html)
+ [s3-account-level-public-access-blocks-periodic](./s3-account-level-public-access-blocks-periodic.html)
+ [s3-bucket-acl-prohibited](./s3-bucket-acl-prohibited.html)
+ [s3-bucket-blacklisted-actions-prohibited](./s3-bucket-blacklisted-actions-prohibited.html)
+ [s3-bucket-cross-region-replication-enabled](./s3-bucket-cross-region-replication-enabled.html)
+ [s3-bucket-default-lock-enabled](./s3-bucket-default-lock-enabled.html)
+ [s3-bucket-level-public-access-prohibited](./s3-bucket-level-public-access-prohibited.html)
+ [s3-bucket-logging-enabled](./s3-bucket-logging-enabled.html)
+ [s3-bucket-policy-grantee-check](./s3-bucket-policy-grantee-check.html)
+ [s3-bucket-policy-not-more-permissive](./s3-bucket-policy-not-more-permissive.html)
+ [s3-bucket-public-read-prohibited](./s3-bucket-public-read-prohibited.html)
+ [s3-bucket-public-write-prohibited](./s3-bucket-public-write-prohibited.html)
+ [s3-bucket-replication-enabled](./s3-bucket-replication-enabled.html)
+ [s3-bucket-server-side-encryption-enabled](./s3-bucket-server-side-encryption-enabled.html)
+ [s3-bucket-ssl-requests-only](./s3-bucket-ssl-requests-only.html)
+ [s3-bucket-versioning-enabled](./s3-bucket-versioning-enabled.html)
+ [s3-default-encryption-kms](./s3-default-encryption-kms.html)
+ [s3-event-notifications-enabled](./s3-event-notifications-enabled.html)
+ [s3-last-backup-recovery-point-created](./s3-last-backup-recovery-point-created.html)
+ [s3-lifecycle-policy-check](./s3-lifecycle-policy-check.html)
+ [s3-resources-protected-by-backup-plan](./s3-resources-protected-by-backup-plan.html)
+ [s3-version-lifecycle-policy-check](./s3-version-lifecycle-policy-check.html)
+ [sagemaker-endpoint-configuration-kms-key-configured](./sagemaker-endpoint-configuration-kms-key-configured.html)
+ [sagemaker-endpoint-config-prod-instance-count](./sagemaker-endpoint-config-prod-instance-count.html)
+ [sagemaker-notebook-instance-kms-key-configured](./sagemaker-notebook-instance-kms-key-configured.html)
+ [sagemaker-notebook-instance-platform-version](./sagemaker-notebook-instance-platform-version.html)
+ [sagemaker-notebook-no-direct-internet-access](./sagemaker-notebook-no-direct-internet-access.html)
+ [secretsmanager-rotation-enabled-check](./secretsmanager-rotation-enabled-check.html)
+ [secretsmanager-scheduled-rotation-success-check](./secretsmanager-scheduled-rotation-success-check.html)
+ [secretsmanager-secret-periodic-rotation](./secretsmanager-secret-periodic-rotation.html)
+ [secretsmanager-secret-unused](./secretsmanager-secret-unused.html)
+ [secretsmanager-using-cmk](./secretsmanager-using-cmk.html)
+ [securityhub-enabled](./securityhub-enabled.html)
+ [service-catalog-shared-within-organization](./service-catalog-shared-within-organization.html)
+ [service-vpc-endpoint-enabled](./service-vpc-endpoint-enabled.html)
+ [sns-encrypted-kms](./sns-encrypted-kms.html)
+ [sqs-queue-dlq-check](./sqs-queue-dlq-check.html)
+ [sqs-queue-policy-full-access-check](./sqs-queue-policy-full-access-check.html)
+ [ssm-automation-block-public-sharing](./ssm-automation-block-public-sharing.html)
+ [ssm-automation-logging-enabled](./ssm-automation-logging-enabled.html)
+ [ssm-document-not-public](./ssm-document-not-public.html)
+ [storagegateway-last-backup-recovery-point-created](./storagegateway-last-backup-recovery-point-created.html)
+ [storagegateway-resources-protected-by-backup-plan](./storagegateway-resources-protected-by-backup-plan.html)
+ [subnet-auto-assign-public-ip-disabled](./subnet-auto-assign-public-ip-disabled.html)
+ [transfer-connector-logging-enabled](./transfer-connector-logging-enabled.html)
+ [transfer-family-server-no-ftp](./transfer-family-server-no-ftp.html)
+ [virtualmachine-last-backup-recovery-point-created](./virtualmachine-last-backup-recovery-point-created.html)
+ [virtualmachine-resources-protected-by-backup-plan](./virtualmachine-resources-protected-by-backup-plan.html)
+ [vpc-default-security-group-closed](./vpc-default-security-group-closed.html)
+ [vpc-endpoint-enabled](./vpc-endpoint-enabled.html)
+ [vpc-flow-logs-enabled](./vpc-flow-logs-enabled.html)
+ [vpc-network-acl-unused-check](./vpc-network-acl-unused-check.html)
+ [vpc-sg-open-only-to-authorized-ports](./vpc-sg-open-only-to-authorized-ports.html)
+ [vpc-sg-port-restriction-check](./vpc-sg-port-restriction-check.html)
+ [vpc-vpn-2-tunnels-up](./vpc-vpn-2-tunnels-up.html)
+ [wafv2-logging-enabled](./wafv2-logging-enabled.html)
+ [waf-global-rulegroup-not-empty](./waf-global-rulegroup-not-empty.html)
+ [waf-global-rule-not-empty](./waf-global-rule-not-empty.html)

## AWS GovCloud (US-West) Region
<a name="aws-govcloud-us-west-section-head"></a>

### AWS GovCloud (US-West)
<a name="aws-govcloud-us-west"></a>
+ [access-keys-rotated](./access-keys-rotated.html)
+ [account-part-of-organizations](./account-part-of-organizations.html)
+ [acm-certificate-expiration-check](./acm-certificate-expiration-check.html)
+ [active-mq-supported-version](./active-mq-supported-version.html)
+ [alb-desync-mode-check](./alb-desync-mode-check.html)
+ [alb-http-drop-invalid-header-enabled](./alb-http-drop-invalid-header-enabled.html)
+ [alb-http-to-https-redirection-check](./alb-http-to-https-redirection-check.html)
+ [alb-waf-enabled](./alb-waf-enabled.html)
+ [api-gwv2-access-logs-enabled](./api-gwv2-access-logs-enabled.html)
+ [api-gw-associated-with-waf](./api-gw-associated-with-waf.html)
+ [api-gw-cache-enabled-and-encrypted](./api-gw-cache-enabled-and-encrypted.html)
+ [api-gw-endpoint-type-check](./api-gw-endpoint-type-check.html)
+ [api-gw-execution-logging-enabled](./api-gw-execution-logging-enabled.html)
+ [api-gw-ssl-enabled](./api-gw-ssl-enabled.html)
+ [api-gw-xray-enabled](./api-gw-xray-enabled.html)
+ [approved-amis-by-id](./approved-amis-by-id.html)
+ [approved-amis-by-tag](./approved-amis-by-tag.html)
+ [athena-workgroup-logging-enabled](./athena-workgroup-logging-enabled.html)
+ [aurora-last-backup-recovery-point-created](./aurora-last-backup-recovery-point-created.html)
+ [aurora-mysql-cluster-audit-logging](./aurora-mysql-cluster-audit-logging.html)
+ [aurora-resources-protected-by-backup-plan](./aurora-resources-protected-by-backup-plan.html)
+ [autoscaling-group-elb-healthcheck-required](./autoscaling-group-elb-healthcheck-required.html)
+ [autoscaling-launchconfig-requires-imdsv2](./autoscaling-launchconfig-requires-imdsv2.html)
+ [autoscaling-launch-config-public-ip-disabled](./autoscaling-launch-config-public-ip-disabled.html)
+ [autoscaling-launch-template](./autoscaling-launch-template.html)
+ [autoscaling-multiple-instance-types](./autoscaling-multiple-instance-types.html)
+ [backup-plan-min-frequency-and-min-retention-check](./backup-plan-min-frequency-and-min-retention-check.html)
+ [backup-recovery-point-encrypted](./backup-recovery-point-encrypted.html)
+ [backup-recovery-point-manual-deletion-disabled](./backup-recovery-point-manual-deletion-disabled.html)
+ [backup-recovery-point-minimum-retention-check](./backup-recovery-point-minimum-retention-check.html)
+ [beanstalk-enhanced-health-reporting-enabled](./beanstalk-enhanced-health-reporting-enabled.html)
+ [clb-desync-mode-check](./clb-desync-mode-check.html)
+ [cloudformation-stack-drift-detection-check](./cloudformation-stack-drift-detection-check.html)
+ [cloudformation-stack-notification-check](./cloudformation-stack-notification-check.html)
+ [cloudformation-stack-service-role-check](./cloudformation-stack-service-role-check.html)
+ [cloudformation-termination-protection-check](./cloudformation-termination-protection-check.html)
+ [cloudtrail-all-read-s3-data-event-check](./cloudtrail-all-read-s3-data-event-check.html)
+ [cloudtrail-all-write-s3-data-event-check](./cloudtrail-all-write-s3-data-event-check.html)
+ [cloudtrail-s3-bucket-access-logging](./cloudtrail-s3-bucket-access-logging.html)
+ [cloudtrail-s3-bucket-public-access-prohibited](./cloudtrail-s3-bucket-public-access-prohibited.html)
+ [cloudtrail-s3-dataevents-enabled](./cloudtrail-s3-dataevents-enabled.html)
+ [cloudtrail-security-trail-enabled](./cloudtrail-security-trail-enabled.html)
+ [cloudwatch-alarm-action-check](./cloudwatch-alarm-action-check.html)
+ [cloudwatch-alarm-resource-check](./cloudwatch-alarm-resource-check.html)
+ [cloudwatch-alarm-settings-check](./cloudwatch-alarm-settings-check.html)
+ [cloudwatch-log-group-encrypted](./cloudwatch-log-group-encrypted.html)
+ [cloud-trail-cloud-watch-logs-enabled](./cloud-trail-cloud-watch-logs-enabled.html)
+ [cloud-trail-enabled](./cloud-trail-enabled.html)
+ [cloud-trail-encryption-enabled](./cloud-trail-encryption-enabled.html)
+ [cloud-trail-log-file-validation-enabled](./cloud-trail-log-file-validation-enabled.html)
+ [cmk-backing-key-rotation-enabled](./cmk-backing-key-rotation-enabled.html)
+ [codebuild-project-environment-privileged-check](./codebuild-project-environment-privileged-check.html)
+ [codebuild-project-envvar-awscred-check](./codebuild-project-envvar-awscred-check.html)
+ [codebuild-project-logging-enabled](./codebuild-project-logging-enabled.html)
+ [codebuild-project-s3-logs-encrypted](./codebuild-project-s3-logs-encrypted.html)
+ [codebuild-project-source-repo-url-check](./codebuild-project-source-repo-url-check.html)
+ [codebuild-report-group-encrypted-at-rest](./codebuild-report-group-encrypted-at-rest.html)
+ [cognito-identity-pool-unauth-access-check](./cognito-identity-pool-unauth-access-check.html)
+ [connect-instance-logging-enabled](./connect-instance-logging-enabled.html)
+ [cw-loggroup-retention-period-check](./cw-loggroup-retention-period-check.html)
+ [datasync-task-logging-enabled](./datasync-task-logging-enabled.html)
+ [db-instance-backup-enabled](./db-instance-backup-enabled.html)
+ [desired-instance-tenancy](./desired-instance-tenancy.html)
+ [desired-instance-type](./desired-instance-type.html)
+ [dms-auto-minor-version-upgrade-check](./dms-auto-minor-version-upgrade-check.html)
+ [dms-mongo-db-authentication-enabled](./dms-mongo-db-authentication-enabled.html)
+ [dms-neptune-iam-authorization-enabled](./dms-neptune-iam-authorization-enabled.html)
+ [dms-redis-tls-enabled](./dms-redis-tls-enabled.html)
+ [dms-replication-instance-multi-az-enabled](./dms-replication-instance-multi-az-enabled.html)
+ [dms-replication-not-public](./dms-replication-not-public.html)
+ [dms-replication-task-targetdb-logging](./dms-replication-task-targetdb-logging.html)
+ [docdb-cluster-encrypted-in-transit](./docdb-cluster-encrypted-in-transit.html)
+ [dynamodb-autoscaling-enabled](./dynamodb-autoscaling-enabled.html)
+ [dynamodb-in-backup-plan](./dynamodb-in-backup-plan.html)
+ [dynamodb-last-backup-recovery-point-created](./dynamodb-last-backup-recovery-point-created.html)
+ [dynamodb-pitr-enabled](./dynamodb-pitr-enabled.html)
+ [dynamodb-resources-protected-by-backup-plan](./dynamodb-resources-protected-by-backup-plan.html)
+ [dynamodb-table-deletion-protection-enabled](./dynamodb-table-deletion-protection-enabled.html)
+ [dynamodb-table-encrypted-kms](./dynamodb-table-encrypted-kms.html)
+ [dynamodb-table-encryption-enabled](./dynamodb-table-encryption-enabled.html)
+ [dynamodb-throughput-limit-check](./dynamodb-throughput-limit-check.html)
+ [ebs-in-backup-plan](./ebs-in-backup-plan.html)
+ [ebs-last-backup-recovery-point-created](./ebs-last-backup-recovery-point-created.html)
+ [ebs-optimized-instance](./ebs-optimized-instance.html)
+ [ebs-resources-protected-by-backup-plan](./ebs-resources-protected-by-backup-plan.html)
+ [ebs-snapshot-block-public-access](./ebs-snapshot-block-public-access.html)
+ [ebs-snapshot-public-restorable-check](./ebs-snapshot-public-restorable-check.html)
+ [ec2-client-vpn-connection-log-enabled](./ec2-client-vpn-connection-log-enabled.html)
+ [ec2-ebs-encryption-by-default](./ec2-ebs-encryption-by-default.html)
+ [ec2-enis-source-destination-check-enabled](./ec2-enis-source-destination-check-enabled.html)
+ [ec2-imdsv2-check](./ec2-imdsv2-check.html)
+ [ec2-instance-detailed-monitoring-enabled](./ec2-instance-detailed-monitoring-enabled.html)
+ [ec2-instance-launched-with-allowed-ami](./ec2-instance-launched-with-allowed-ami.html)
+ [ec2-instance-managed-by-ssm](./ec2-instance-managed-by-ssm.html)
+ [ec2-instance-multiple-eni-check](./ec2-instance-multiple-eni-check.html)
+ [ec2-instance-no-public-ip](./ec2-instance-no-public-ip.html)
+ [ec2-instance-profile-attached](./ec2-instance-profile-attached.html)
+ [ec2-last-backup-recovery-point-created](./ec2-last-backup-recovery-point-created.html)
+ [ec2-launch-templates-ebs-volume-encrypted](./ec2-launch-templates-ebs-volume-encrypted.html)
+ [ec2-managedinstance-applications-blacklisted](./ec2-managedinstance-applications-blacklisted.html)
+ [ec2-managedinstance-applications-required](./ec2-managedinstance-applications-required.html)
+ [ec2-managedinstance-association-compliance-status-check](./ec2-managedinstance-association-compliance-status-check.html)
+ [ec2-managedinstance-inventory-blacklisted](./ec2-managedinstance-inventory-blacklisted.html)
+ [ec2-managedinstance-patch-compliance-status-check](./ec2-managedinstance-patch-compliance-status-check.html)
+ [ec2-managedinstance-platform-check](./ec2-managedinstance-platform-check.html)
+ [ec2-resources-protected-by-backup-plan](./ec2-resources-protected-by-backup-plan.html)
+ [ec2-security-group-attached-to-eni](./ec2-security-group-attached-to-eni.html)
+ [ec2-spot-fleet-request-ct-encryption-at-rest](./ec2-spot-fleet-request-ct-encryption-at-rest.html)
+ [ec2-stopped-instance](./ec2-stopped-instance.html)
+ [ec2-volume-inuse-check](./ec2-volume-inuse-check.html)
+ [ec2-vpn-connection-ike-version-check](./ec2-vpn-connection-ike-version-check.html)
+ [ec2-vpn-connection-logging-enabled](./ec2-vpn-connection-logging-enabled.html)
+ [ecr-private-image-scanning-enabled](./ecr-private-image-scanning-enabled.html)
+ [ecr-private-lifecycle-policy-configured](./ecr-private-lifecycle-policy-configured.html)
+ [ecr-private-tag-immutability-enabled](./ecr-private-tag-immutability-enabled.html)
+ [ecr-repository-cmk-encryption-enabled](./ecr-repository-cmk-encryption-enabled.html)
+ [ecs-capacity-provider-termination-check](./ecs-capacity-provider-termination-check.html)
+ [ecs-containers-nonprivileged](./ecs-containers-nonprivileged.html)
+ [ecs-containers-readonly-access](./ecs-containers-readonly-access.html)
+ [ecs-container-insights-enabled](./ecs-container-insights-enabled.html)
+ [ecs-fargate-latest-platform-version](./ecs-fargate-latest-platform-version.html)
+ [ecs-task-definition-efs-encryption-enabled](./ecs-task-definition-efs-encryption-enabled.html)
+ [ecs-task-definition-linux-user-non-root](./ecs-task-definition-linux-user-non-root.html)
+ [ecs-task-definition-network-mode-not-host](./ecs-task-definition-network-mode-not-host.html)
+ [ecs-task-definition-user-for-host-mode-check](./ecs-task-definition-user-for-host-mode-check.html)
+ [ecs-task-definition-windows-user-non-admin](./ecs-task-definition-windows-user-non-admin.html)
+ [efs-access-point-enforce-user-identity](./efs-access-point-enforce-user-identity.html)
+ [efs-automatic-backups-enabled](./efs-automatic-backups-enabled.html)
+ [efs-encrypted-check](./efs-encrypted-check.html)
+ [efs-filesystem-ct-encrypted](./efs-filesystem-ct-encrypted.html)
+ [efs-in-backup-plan](./efs-in-backup-plan.html)
+ [efs-last-backup-recovery-point-created](./efs-last-backup-recovery-point-created.html)
+ [efs-mount-target-public-accessible](./efs-mount-target-public-accessible.html)
+ [efs-resources-protected-by-backup-plan](./efs-resources-protected-by-backup-plan.html)
+ [eip-attached](./eip-attached.html)
+ [eks-cluster-secrets-encrypted](./eks-cluster-secrets-encrypted.html)
+ [eks-cluster-supported-version](./eks-cluster-supported-version.html)
+ [eks-endpoint-no-public-access](./eks-endpoint-no-public-access.html)
+ [eks-nodegroup-supported-version-check](./eks-nodegroup-supported-version-check.html)
+ [eks-secrets-encrypted](./eks-secrets-encrypted.html)
+ [elasticache-automatic-backup-check-enabled](./elasticache-automatic-backup-check-enabled.html)
+ [elasticache-redis-cluster-automatic-backup-check](./elasticache-redis-cluster-automatic-backup-check.html)
+ [elasticsearch-encrypted-at-rest](./elasticsearch-encrypted-at-rest.html)
+ [elasticsearch-in-vpc-only](./elasticsearch-in-vpc-only.html)
+ [elasticsearch-logs-to-cloudwatch](./elasticsearch-logs-to-cloudwatch.html)
+ [elasticsearch-node-to-node-encryption-check](./elasticsearch-node-to-node-encryption-check.html)
+ [elastic-beanstalk-managed-updates-enabled](./elastic-beanstalk-managed-updates-enabled.html)
+ [elbv2-listener-encryption-in-transit](./elbv2-listener-encryption-in-transit.html)
+ [elbv2-predefined-security-policy-ssl-check](./elbv2-predefined-security-policy-ssl-check.html)
+ [elb-acm-certificate-required](./elb-acm-certificate-required.html)
+ [elb-cross-zone-load-balancing-enabled](./elb-cross-zone-load-balancing-enabled.html)
+ [elb-custom-security-policy-ssl-check](./elb-custom-security-policy-ssl-check.html)
+ [elb-deletion-protection-enabled](./elb-deletion-protection-enabled.html)
+ [elb-logging-enabled](./elb-logging-enabled.html)
+ [elb-predefined-security-policy-ssl-check](./elb-predefined-security-policy-ssl-check.html)
+ [elb-tls-https-listeners-only](./elb-tls-https-listeners-only.html)
+ [emr-kerberos-enabled](./emr-kerberos-enabled.html)
+ [emr-master-no-public-ip](./emr-master-no-public-ip.html)
+ [encrypted-volumes](./encrypted-volumes.html)
+ [event-data-store-cmk-encryption-enabled](./event-data-store-cmk-encryption-enabled.html)
+ [fms-shield-resource-policy-check](./fms-shield-resource-policy-check.html)
+ [fms-webacl-resource-policy-check](./fms-webacl-resource-policy-check.html)
+ [fms-webacl-rulegroup-association-check](./fms-webacl-rulegroup-association-check.html)
+ [fsx-last-backup-recovery-point-created](./fsx-last-backup-recovery-point-created.html)
+ [fsx-ontap-deployment-type-check](./fsx-ontap-deployment-type-check.html)
+ [fsx-openzfs-deployment-type-check](./fsx-openzfs-deployment-type-check.html)
+ [fsx-resources-protected-by-backup-plan](./fsx-resources-protected-by-backup-plan.html)
+ [fsx-windows-deployment-type-check](./fsx-windows-deployment-type-check.html)
+ [glue-job-logging-enabled](./glue-job-logging-enabled.html)
+ [glue-ml-transform-encrypted-at-rest](./glue-ml-transform-encrypted-at-rest.html)
+ [glue-spark-job-supported-version](./glue-spark-job-supported-version.html)
+ [guardduty-eks-protection-audit-enabled](./guardduty-eks-protection-audit-enabled.html)
+ [guardduty-enabled-centralized](./guardduty-enabled-centralized.html)
+ [guardduty-lambda-protection-enabled](./guardduty-lambda-protection-enabled.html)
+ [guardduty-non-archived-findings](./guardduty-non-archived-findings.html)
+ [guardduty-s3-protection-enabled](./guardduty-s3-protection-enabled.html)
+ [iam-customer-policy-blocked-kms-actions](./iam-customer-policy-blocked-kms-actions.html)
+ [iam-group-has-users-check](./iam-group-has-users-check.html)
+ [iam-inline-policy-blocked-kms-actions](./iam-inline-policy-blocked-kms-actions.html)
+ [iam-no-inline-policy-check](./iam-no-inline-policy-check.html)
+ [iam-password-policy](./iam-password-policy.html)
+ [iam-policy-blacklisted-check](./iam-policy-blacklisted-check.html)
+ [iam-policy-in-use](./iam-policy-in-use.html)
+ [iam-policy-no-statements-with-admin-access](./iam-policy-no-statements-with-admin-access.html)
+ [iam-policy-no-statements-with-full-access](./iam-policy-no-statements-with-full-access.html)
+ [iam-role-managed-policy-check](./iam-role-managed-policy-check.html)
+ [iam-root-access-key-check](./iam-root-access-key-check.html)
+ [iam-server-certificate-expiration-check](./iam-server-certificate-expiration-check.html)
+ [iam-user-group-membership-check](./iam-user-group-membership-check.html)
+ [iam-user-mfa-enabled](./iam-user-mfa-enabled.html)
+ [iam-user-no-policies-check](./iam-user-no-policies-check.html)
+ [iam-user-unused-credentials-check](./iam-user-unused-credentials-check.html)
+ [incoming-ssh-disabled](./incoming-ssh-disabled.html)
+ [inspector-ec2-scan-enabled](./inspector-ec2-scan-enabled.html)
+ [inspector-ecr-scan-enabled](./inspector-ecr-scan-enabled.html)
+ [inspector-lambda-standard-scan-enabled](./inspector-lambda-standard-scan-enabled.html)
+ [instances-in-vpc](./instances-in-vpc.html)
+ [internet-gateway-authorized-vpc-only](./internet-gateway-authorized-vpc-only.html)
+ [kinesis-firehose-delivery-stream-encrypted](./kinesis-firehose-delivery-stream-encrypted.html)
+ [kinesis-stream-backup-retention-check](./kinesis-stream-backup-retention-check.html)
+ [kinesis-stream-encrypted](./kinesis-stream-encrypted.html)
+ [kms-cmk-not-scheduled-for-deletion](./kms-cmk-not-scheduled-for-deletion.html)
+ [lambda-concurrency-check](./lambda-concurrency-check.html)
+ [lambda-dlq-check](./lambda-dlq-check.html)
+ [lambda-function-public-access-prohibited](./lambda-function-public-access-prohibited.html)
+ [lambda-function-settings-check](./lambda-function-settings-check.html)
+ [lambda-function-xray-enabled](./lambda-function-xray-enabled.html)
+ [lambda-inside-vpc](./lambda-inside-vpc.html)
+ [mariadb-publish-logs-to-cloudwatch-logs](./mariadb-publish-logs-to-cloudwatch-logs.html)
+ [mfa-enabled-for-iam-console-access](./mfa-enabled-for-iam-console-access.html)
+ [mq-cloudwatch-audit-log-enabled](./mq-cloudwatch-audit-log-enabled.html)
+ [msk-cluster-public-access-disabled](./msk-cluster-public-access-disabled.html)
+ [msk-unrestricted-access-check](./msk-unrestricted-access-check.html)
+ [multi-region-cloud-trail-enabled](./multi-region-cloud-trail-enabled.html)
+ [nacl-no-unrestricted-ssh-rdp](./nacl-no-unrestricted-ssh-rdp.html)
+ [neptune-cluster-deletion-protection-enabled](./neptune-cluster-deletion-protection-enabled.html)
+ [netfw-multi-az-enabled](./netfw-multi-az-enabled.html)
+ [netfw-policy-rule-group-associated](./netfw-policy-rule-group-associated.html)
+ [netfw-stateless-rule-group-not-empty](./netfw-stateless-rule-group-not-empty.html)
+ [netfw-subnet-change-protection-enabled](./netfw-subnet-change-protection-enabled.html)
+ [nlb-cross-zone-load-balancing-enabled](./nlb-cross-zone-load-balancing-enabled.html)
+ [nlb-logging-enabled](./nlb-logging-enabled.html)
+ [no-unrestricted-route-to-igw](./no-unrestricted-route-to-igw.html)
+ [opensearch-primary-node-fault-tolerance](./opensearch-primary-node-fault-tolerance.html)
+ [opensearch-update-check](./opensearch-update-check.html)
+ [rabbit-mq-supported-version](./rabbit-mq-supported-version.html)
+ [rds-aurora-postgresql-logs-to-cloudwatch](./rds-aurora-postgresql-logs-to-cloudwatch.html)
+ [rds-automatic-minor-version-upgrade-enabled](./rds-automatic-minor-version-upgrade-enabled.html)
+ [rds-cluster-deletion-protection-enabled](./rds-cluster-deletion-protection-enabled.html)
+ [rds-cluster-iam-authentication-enabled](./rds-cluster-iam-authentication-enabled.html)
+ [rds-cluster-multi-az-enabled](./rds-cluster-multi-az-enabled.html)
+ [rds-enhanced-monitoring-enabled](./rds-enhanced-monitoring-enabled.html)
+ [rds-instance-default-admin-check](./rds-instance-default-admin-check.html)
+ [rds-instance-deletion-protection-enabled](./rds-instance-deletion-protection-enabled.html)
+ [rds-instance-iam-authentication-enabled](./rds-instance-iam-authentication-enabled.html)
+ [rds-instance-public-access-check](./rds-instance-public-access-check.html)
+ [rds-instance-subnet-igw-check](./rds-instance-subnet-igw-check.html)
+ [rds-in-backup-plan](./rds-in-backup-plan.html)
+ [rds-last-backup-recovery-point-created](./rds-last-backup-recovery-point-created.html)
+ [rds-logging-enabled](./rds-logging-enabled.html)
+ [rds-mariadb-instance-encrypted-in-transit](./rds-mariadb-instance-encrypted-in-transit.html)
+ [rds-multi-az-support](./rds-multi-az-support.html)
+ [rds-mysql-instance-encrypted-in-transit](./rds-mysql-instance-encrypted-in-transit.html)
+ [rds-postgresql-logs-to-cloudwatch](./rds-postgresql-logs-to-cloudwatch.html)
+ [rds-postgres-instance-encrypted-in-transit](./rds-postgres-instance-encrypted-in-transit.html)
+ [rds-resources-protected-by-backup-plan](./rds-resources-protected-by-backup-plan.html)
+ [rds-snapshots-public-prohibited](./rds-snapshots-public-prohibited.html)
+ [rds-snapshot-encrypted](./rds-snapshot-encrypted.html)
+ [rds-sqlserver-encrypted-in-transit](./rds-sqlserver-encrypted-in-transit.html)
+ [rds-sql-server-logs-to-cloudwatch](./rds-sql-server-logs-to-cloudwatch.html)
+ [rds-storage-encrypted](./rds-storage-encrypted.html)
+ [redshift-backup-enabled](./redshift-backup-enabled.html)
+ [redshift-cluster-configuration-check](./redshift-cluster-configuration-check.html)
+ [redshift-cluster-kms-enabled](./redshift-cluster-kms-enabled.html)
+ [redshift-cluster-maintenancesettings-check](./redshift-cluster-maintenancesettings-check.html)
+ [redshift-cluster-multi-az-enabled](./redshift-cluster-multi-az-enabled.html)
+ [redshift-cluster-public-access-check](./redshift-cluster-public-access-check.html)
+ [redshift-cluster-subnet-group-multi-az](./redshift-cluster-subnet-group-multi-az.html)
+ [redshift-default-admin-check](./redshift-default-admin-check.html)
+ [redshift-enhanced-vpc-routing-enabled](./redshift-enhanced-vpc-routing-enabled.html)
+ [redshift-require-tls-ssl](./redshift-require-tls-ssl.html)
+ [redshift-serverless-default-admin-check](./redshift-serverless-default-admin-check.html)
+ [redshift-serverless-default-db-name-check](./redshift-serverless-default-db-name-check.html)
+ [redshift-serverless-namespace-cmk-encryption](./redshift-serverless-namespace-cmk-encryption.html)
+ [redshift-unrestricted-port-access](./redshift-unrestricted-port-access.html)
+ [required-tags](./required-tags.html)
+ [restricted-incoming-traffic](./restricted-incoming-traffic.html)
+ [s3-access-point-in-vpc-only](./s3-access-point-in-vpc-only.html)
+ [s3-access-point-public-access-blocks](./s3-access-point-public-access-blocks.html)
+ [s3-account-level-public-access-blocks](./s3-account-level-public-access-blocks.html)
+ [s3-account-level-public-access-blocks-periodic](./s3-account-level-public-access-blocks-periodic.html)
+ [s3-bucket-acl-prohibited](./s3-bucket-acl-prohibited.html)
+ [s3-bucket-blacklisted-actions-prohibited](./s3-bucket-blacklisted-actions-prohibited.html)
+ [s3-bucket-cross-region-replication-enabled](./s3-bucket-cross-region-replication-enabled.html)
+ [s3-bucket-default-lock-enabled](./s3-bucket-default-lock-enabled.html)
+ [s3-bucket-level-public-access-prohibited](./s3-bucket-level-public-access-prohibited.html)
+ [s3-bucket-logging-enabled](./s3-bucket-logging-enabled.html)
+ [s3-bucket-policy-grantee-check](./s3-bucket-policy-grantee-check.html)
+ [s3-bucket-policy-not-more-permissive](./s3-bucket-policy-not-more-permissive.html)
+ [s3-bucket-public-read-prohibited](./s3-bucket-public-read-prohibited.html)
+ [s3-bucket-public-write-prohibited](./s3-bucket-public-write-prohibited.html)
+ [s3-bucket-replication-enabled](./s3-bucket-replication-enabled.html)
+ [s3-bucket-server-side-encryption-enabled](./s3-bucket-server-side-encryption-enabled.html)
+ [s3-bucket-ssl-requests-only](./s3-bucket-ssl-requests-only.html)
+ [s3-bucket-versioning-enabled](./s3-bucket-versioning-enabled.html)
+ [s3-default-encryption-kms](./s3-default-encryption-kms.html)
+ [s3-event-notifications-enabled](./s3-event-notifications-enabled.html)
+ [s3-last-backup-recovery-point-created](./s3-last-backup-recovery-point-created.html)
+ [s3-lifecycle-policy-check](./s3-lifecycle-policy-check.html)
+ [s3-resources-protected-by-backup-plan](./s3-resources-protected-by-backup-plan.html)
+ [s3-version-lifecycle-policy-check](./s3-version-lifecycle-policy-check.html)
+ [sagemaker-endpoint-configuration-kms-key-configured](./sagemaker-endpoint-configuration-kms-key-configured.html)
+ [sagemaker-endpoint-config-prod-instance-count](./sagemaker-endpoint-config-prod-instance-count.html)
+ [sagemaker-model-private-registry-required](./sagemaker-model-private-registry-required.html)
+ [sagemaker-notebook-instance-kms-key-configured](./sagemaker-notebook-instance-kms-key-configured.html)
+ [sagemaker-notebook-instance-platform-version](./sagemaker-notebook-instance-platform-version.html)
+ [sagemaker-notebook-no-direct-internet-access](./sagemaker-notebook-no-direct-internet-access.html)
+ [secretsmanager-rotation-enabled-check](./secretsmanager-rotation-enabled-check.html)
+ [secretsmanager-scheduled-rotation-success-check](./secretsmanager-scheduled-rotation-success-check.html)
+ [secretsmanager-secret-periodic-rotation](./secretsmanager-secret-periodic-rotation.html)
+ [secretsmanager-secret-unused](./secretsmanager-secret-unused.html)
+ [secretsmanager-using-cmk](./secretsmanager-using-cmk.html)
+ [securityhub-enabled](./securityhub-enabled.html)
+ [service-catalog-shared-within-organization](./service-catalog-shared-within-organization.html)
+ [service-vpc-endpoint-enabled](./service-vpc-endpoint-enabled.html)
+ [ses-sending-tls-required](./ses-sending-tls-required.html)
+ [sns-encrypted-kms](./sns-encrypted-kms.html)
+ [sqs-queue-dlq-check](./sqs-queue-dlq-check.html)
+ [sqs-queue-policy-full-access-check](./sqs-queue-policy-full-access-check.html)
+ [ssm-automation-block-public-sharing](./ssm-automation-block-public-sharing.html)
+ [ssm-automation-logging-enabled](./ssm-automation-logging-enabled.html)
+ [ssm-document-not-public](./ssm-document-not-public.html)
+ [storagegateway-last-backup-recovery-point-created](./storagegateway-last-backup-recovery-point-created.html)
+ [storagegateway-resources-protected-by-backup-plan](./storagegateway-resources-protected-by-backup-plan.html)
+ [subnet-auto-assign-public-ip-disabled](./subnet-auto-assign-public-ip-disabled.html)
+ [transfer-connector-logging-enabled](./transfer-connector-logging-enabled.html)
+ [transfer-family-server-no-ftp](./transfer-family-server-no-ftp.html)
+ [virtualmachine-last-backup-recovery-point-created](./virtualmachine-last-backup-recovery-point-created.html)
+ [virtualmachine-resources-protected-by-backup-plan](./virtualmachine-resources-protected-by-backup-plan.html)
+ [vpc-default-security-group-closed](./vpc-default-security-group-closed.html)
+ [vpc-endpoint-enabled](./vpc-endpoint-enabled.html)
+ [vpc-flow-logs-enabled](./vpc-flow-logs-enabled.html)
+ [vpc-network-acl-unused-check](./vpc-network-acl-unused-check.html)
+ [vpc-sg-open-only-to-authorized-ports](./vpc-sg-open-only-to-authorized-ports.html)
+ [vpc-sg-port-restriction-check](./vpc-sg-port-restriction-check.html)
+ [vpc-vpn-2-tunnels-up](./vpc-vpn-2-tunnels-up.html)
+ [wafv2-logging-enabled](./wafv2-logging-enabled.html)
+ [waf-global-rulegroup-not-empty](./waf-global-rulegroup-not-empty.html)
+ [waf-global-rule-not-empty](./waf-global-rule-not-empty.html)
+ [workspaces-root-volume-encryption-enabled](./workspaces-root-volume-encryption-enabled.html)
+ [workspaces-user-volume-encryption-enabled](./workspaces-user-volume-encryption-enabled.html)

# Creating AWS Config Managed Rules With AWS CloudFormation Templates
<a name="aws-config-managed-rules-cloudformation-templates"></a>

**Important**  
You must first create and start the AWS Config configuration recorder in order to create AWS Config managed rules with AWS CloudFormation. For more information, see [Managing the Configuration Recorder](https://docs.aws.amazon.com/config/latest/developerguide/stop-start-recorder.html).

For supported AWS Config managed rules, you can use the CloudFormation templates to create the rule for your account or update an existing CloudFormation stack. A stack is a collection of related resources that you provision and update as a single unit. When you launch a stack with a template, the AWS Config managed rule is created for you. The templates create only the rule, and don't create additional AWS resources.

**Note**  
When AWS Config managed rules are updated, the templates are updated for the latest changes. To save a specific version of a template for a rule, download the template, and upload it to your S3 bucket.

For more information about working with AWS CloudFormation templates, see [Getting Started with AWS CloudFormation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/GettingStarted.html) in the *AWS CloudFormation User Guide*. 

**To launch a CloudFormation stack for an AWS Config managed rule**

1. Go to the [CloudFormation console](https://console.aws.amazon.com/cloudformation) and create a new stack. 

1. For **Specify template**: 
   + If you downloaded the template, choose **Upload a template file**, and then **Choose file** to upload the template.
   + You can also choose **Amazon S3 URL**, and enter the template URL `http://s3.amazonaws.com/aws-configservice-us-east-1/cloudformation-templates-for-managed-rules/THE_RULE_IDENTIFIER.template`. 
**Note**  
The rule identifier should be written in `ALL_CAPS_WITH_UNDERSCORES`. For example, `CLOUDWATCH_LOG_GROUP_ENCRYPTED` instead of cloudwatch-log-group-encrypted.  
For some rules, the rule identifier is different from the rule name. Make sure to use the rule identifier. For example, the rule identifier for restricted-ssh is `INCOMING_SSH_DISABLED`.

1. Choose **Next**. 

1. For **Specify stack details**, type a stack name and enter parameter values for the AWS Config rule. For example, if you are using the `DESIRED_INSTANCE_TYPE` managed rule template, you can specify the instance type such as "m4.large". 

1. Choose **Next**. 

1. For **Options**, you can create tags or configure other advanced options. These are not required.

1. Choose **Next**. 

1. For **Review**, verify that the template, parameters, and other options are correct.

1. Choose **Create**. The stack is created in a few minutes. You can view the created rule in the [AWS Config console](https://console.aws.amazon.com/config). 

You can use the templates to create a single stack for AWS Config managed rules or update an existing stack in your account. If you delete a stack, the managed rules created from that stack are also deleted. For more information, see [Working with Stacks](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacks.html) in the *AWS CloudFormation User Guide*. 

# AWS Config Custom Rules
<a name="evaluate-config_develop-rules"></a>

AWS Config Custom Rules are rules that you create from scratch. There are two ways to create AWS Config custom rules: with Lambda functions ([AWS Lambda Developer Guide](https://docs.aws.amazon.com/lambda/latest/dg/gettingstarted-concepts.html#gettingstarted-concepts-function)) and with Guard ([Guard GitHub Repository](https://github.com/aws-cloudformation/cloudformation-guard)), a policy-as-code language.

AWS Config custom rules created with Lambda are called *AWS Config Custom Lambda Rules* and AWS Config custom rules created with Guard are called *AWS Config Custom Policy Rules*.

Before using custom rules, see [Considerations](evaluate-config.md#evaluate-config-considerations).

## AWS Config Custom Policy Rules
<a name="evaluate-config_develop-rules-policy"></a>

Rules written using Guard can be created from the AWS Config console or by using the AWS Config rule APIs. AWS Config Custom Policy rules allow you to create AWS Config Custom rules without needing to use Java or Python to develop Lambda functions to manage your custom rules. AWS Config Custom Policy rules are initiated by configuration changes. For more information about Guard, see the [Guard GitHub Repository](https://github.com/aws-cloudformation/cloudformation-guard).

## AWS Config Custom Lambda Rules
<a name="evaluate-config_develop-rules-lambda"></a>

Custom Lambda rules provide you with the option to use Java or Python to create a Lambda function for an AWS Config Custom rule. A *Lambda function* is custom code that you upload to AWS Lambda, and it is invoked by events that are published to it by an event source. If the Lambda function is associated with an AWS Config rule, AWS Config invokes it when the rule is initiated. The Lambda function then evaluates the configuration information that is sent by AWS Config, and it returns the evaluation results. For more information about Lambda functions, see [Function and Event Sources](https://docs.aws.amazon.com/lambda/latest/dg/intro-core-components.html) in the *AWS Lambda Developer Guide*.

## Format differences for AWS Config Custom Rules
<a name="evaluate-config_develop-schema"></a>

The following table displays the format differences in the fields for the [ConfigurationItem](https://docs.aws.amazon.com/config/latest/APIReference/API_ConfigurationItem.html) data type and for AWS Config Custom Rules.


| ConfigurationItem | AWS Config Custom Rule | 
| --- | --- | 
| version | configurationItemVersion | 
| accountId | awsAccountId | 
| arn | ARN | 
| configurationItemMD5Hash | configurationStateMd5Hash | 

**Topics**
+ [Custom Policy Rules](#evaluate-config_develop-rules-policy)
+ [Custom Lambda Rules](#evaluate-config_develop-rules-lambda)
+ [Format differences for AWS Config Custom Rules](#evaluate-config_develop-schema)
+ [Creating Custom Policy Rules](evaluate-config_develop-rules_cfn-guard.md)
+ [Creating Custom Lambda Rules](evaluate-config_develop-rules_lambda-functions.md)
+ [Managing Deleted Resources for Custom Lambda Rules](evaluate-config_develop-rules-delete.md)

# Creating AWS Config Custom Policy Rules
<a name="evaluate-config_develop-rules_cfn-guard"></a>

You can create AWS Config Custom Policy rules from the AWS Management Console, AWS CLI, or AWS Config API.

## Adding AWS Config Custom Policy rules
<a name="config-custom-policy-rules-add"></a>

------
#### [ Using the console ]

1. Sign in to the AWS Management Console and open the AWS Config console at [https://console.aws.amazon.com/config/home](https://console.aws.amazon.com/config/home).

1. In the AWS Management Console menu, verify that the Region selector is set to an AWS Region that supports AWS Config rules. For the list of supported Regions, see [AWS Config Regions and Endpoints](https://docs.aws.amazon.com/general/latest/gr/awsconfig.html) in the *Amazon Web Services General Reference*. 

1. In the left navigation, choose **Rules**. 

1. On the **Rules** page, choose **Add rule**. 

1. On the **Specify rule type** page, choose **Create custom rule using Guard**.

1. On the **Configure rule** page, create your rule by completing the following steps:

   1. For **Rule name**, type a unique name for the rule.

   1. For **Description**, type a description for the rule.

   1. For **Guard runtime version**, choose the runtime system for your AWS Config Custom Policy rule.

   1. For **Rule Content**, enter the Guard custom policy for your rule.

   1. For **Evaluation mode**, choose when in the resource creation and management process you want AWS Config to evaluate your resources. Depending on the rule, AWS Config can evaluate your resource configurations before a resource has been provisioned, after a resource has been provisioned, or both.

      1. Choose **Turn on proactive evaluation** to allow you to run evaluations on the configuration settings of your resources before they are deployed.

         After you have turned on proactive evaluation, you can use the [StartResourceEvaluation](https://docs.aws.amazon.com/config/latest/APIReference/API_StartResourceEvaluation.html) API and [GetResourceEvaluationSummary](https://docs.aws.amazon.com/config/latest/APIReference/API_GetResourceEvaluationSummary.html) API to check if the resources you specify in these commands would be flagged as `NON_COMPLIANT` by the proactive rules in your account in your Region.

         For more information on using these commands, see [Evaluating Your Resources with AWS Config Rules](https://docs.aws.amazon.com/config/latest/developerguide/evaluating-your-resources.html#evaluating-your-resources-proactive). For a list of managed rules that support proactive evaluation, see [List of AWS Config Managed Rules by Evaluation Mode](https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-evaluation-mode.html).

      1. Choose **Turn on detective evaluation** to evaluate the configuration settings of your existing resources.

         For detective evaluation, AWS Config Custom Policy rules are initiated by **Configuration changes**. This option will be pre-selected.
         +  **Resources** – When a resource that matches the specified resource type, or the type plus identifier, is created, changed, or deleted.
         +  **Tags** – When a resource with the specified tag is created, changed, or deleted.
         +  **All changes** – When a resource recorded by AWS Config is created, changed, or deleted.

         AWS Config runs the evaluation when it detects a change to a resource that matches the rule's scope. You can use the scope to constrain which resources initiate evaluations. Otherwise, evaluations are initiated when there is a change to a post-provisioned resource.

   1. For **Parameters**, you can customize the values for the provided keys if your rule includes parameters. A parameter is an attribute that your resources must adhere to before they are considered compliant with the rule.

1. On the **Review and create** page, review all your selections before adding the rule to your AWS account.

1. When you finish reviewing your rules, choose **Add rule**.

------
#### [ Using the AWS CLI ]

Use the [put-config-rule](http://docs.aws.amazon.com/cli/latest/reference/configservice/put-config-rule.html) command.

The `Owner` field should be `CUSTOM_POLICY`. The following additional fields are required for AWS Config Custom Policy rules:
+ `Runtime`: The runtime system for your AWS Config Custom Policy rules.
+ `PolicyText`: The policy definition containing the logic for your AWS Config Custom Policy rules.
+ `EnableDebugLogDelivery`: The Boolean expression for enabling debug logging for your AWS Config Custom Policy rule. The default value is `false`.

------
#### [ Using the API Reference ]

Use the [PutConfigRule](https://docs.aws.amazon.com/config/latest/APIReference/API_PutConfigRule.html) action.

The `Owner` field should be `CUSTOM_POLICY`. The following additional fields are required for AWS Config Custom Policy rules:
+ `Runtime`: The runtime system for your AWS Config Custom Policy rules.
+ `PolicyText`: The policy definition containing the logic for your AWS Config Custom Policy rules.
+ `EnableDebugLogDelivery`: The Boolean expression for enabling debug logging for your AWS Config Custom Policy rule. The default value is `false`.

------
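
As an added example (not AWS's own code), the Python below builds the `--config-rule` JSON for a Custom Policy rule and lints a definition before it is passed to `put-config-rule` or `PutConfigRule`. Field names follow the API's `CustomPolicyDetails` structure, where the runtime field is named `PolicyRuntime`; the rule name, the sample Guard policy, the placeholder ARN and the helper function names are constructed for illustration.

```python
import json

# Constructed sample Guard policy, following the basic rule format.
SAMPLE_POLICY = '''\
rule table_is_active when
    resourceType == "AWS::DynamoDB::Table" {
    configuration.tableStatus == "ACTIVE"
}
'''

# Custom Policy rules are initiated by configuration changes only.
CHANGE_TRIGGERS = {
    "ConfigurationItemChangeNotification",
    "OversizedConfigurationItemChangeNotification",
}


def build_custom_policy_rule(name, policy_text, resource_types,
                             runtime="guard-2.x.x", debug_logs=False):
    """Return a ConfigRule structure for a Guard-based (CUSTOM_POLICY) rule."""
    return {
        "ConfigRuleName": name,
        # Scope limits which recorded resource types initiate an evaluation.
        "Scope": {"ComplianceResourceTypes": list(resource_types)},
        "Source": {
            "Owner": "CUSTOM_POLICY",
            "SourceDetails": [
                {"EventSource": "aws.config", "MessageType": trigger}
                for trigger in sorted(CHANGE_TRIGGERS)
            ],
            "CustomPolicyDetails": {
                "PolicyRuntime": runtime,
                "PolicyText": policy_text,
                # Debug log delivery defaults to false; set it explicitly.
                "EnableDebugLogDelivery": debug_logs,
            },
        },
    }


def lint_custom_policy_rule(rule):
    """Return a list of problems found in a CUSTOM_POLICY rule definition."""
    problems = []
    source = rule.get("Source", {})
    if source.get("Owner") != "CUSTOM_POLICY":
        problems.append("Source.Owner must be CUSTOM_POLICY")
    if "SourceIdentifier" in source:
        problems.append("Source.SourceIdentifier is ignored for CUSTOM_POLICY rules")
    details = source.get("CustomPolicyDetails") or {}
    for field in ("PolicyRuntime", "PolicyText"):
        if not str(details.get(field, "")).strip():
            problems.append(f"CustomPolicyDetails.{field} is required")
    if not isinstance(details.get("EnableDebugLogDelivery", False), bool):
        problems.append("CustomPolicyDetails.EnableDebugLogDelivery must be a Boolean")
    for detail in source.get("SourceDetails", []):
        message_type = detail.get("MessageType")
        if message_type not in CHANGE_TRIGGERS:
            problems.append(f"trigger {message_type!r} is not a configuration change")
    return problems


def render_cli_input(rule):
    """Serialize the rule for: aws configservice put-config-rule --config-rule file://rule.json"""
    return json.dumps(rule, indent=2)


# Constructed example of a definition copied from a Lambda rule by mistake.
BAD_RULE = {
    "ConfigRuleName": "dynamodb-table-active",
    "Source": {
        "Owner": "CUSTOM_LAMBDA",
        "SourceIdentifier": "arn:aws:lambda:REGION:ACCOUNT_ID:function:PLACEHOLDER",
        "SourceDetails": [
            {"EventSource": "aws.config", "MessageType": "ScheduledNotification"}
        ],
    },
}

if __name__ == "__main__":
    good = build_custom_policy_rule(
        "dynamodb-table-active", SAMPLE_POLICY, ["AWS::DynamoDB::Table"]
    )
    print(render_cli_input(good))
    for problem in lint_custom_policy_rule(BAD_RULE):
        print("problem:", problem)
```
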

## Writing rule content for AWS Config Custom Policy rules
<a name="config-custom-policy-rules"></a>

With AWS Config Custom Policy rules, you can use AWS CloudFormation Guard's domain-specific language (DSL) to evaluate resource configurations. This topic provides patterns and best practices for writing custom policy rules.

For more information on how to write rules with Guard, see [Writing Guard rules](https://docs.aws.amazon.com/cfn-guard/latest/ug/writing-rules.html) in the AWS CloudFormation Guard User Guide and [AWS CloudFormation Guard 2.0's Modes of Operation](https://github.com/aws-cloudformation/cloudformation-guard/tree/main/guard) in the Guard GitHub Repository.

### Basic rule structure
<a name="config-custom-policy-rules-structure"></a>

Use the following basic format to create rules:

```
# Basic rule format
rule <rule_name> when
    resourceType == "<AWS::Service::Resource>" {
    # Evaluation clauses
}

# Example with filtering
let resources_of_type = Resources.*[ Type == 'AWS::Service::Resource' ]
rule check_resources when %resources_of_type !empty {
    %resources_of_type.configuration.property == expected_value
}
```

### Key components
<a name="config-custom-policy-rules-components"></a>

configuration  
Contains the contents for the resource configuration.

supplementaryConfiguration  
Contains additional contents for the resource configuration. AWS Config returns this field for certain resource types to supplement the information returned for the configuration field.

resourceType  
AWS resource type being evaluated.

resourceId  
The ID of the resource (for example, `sg-xxxxxx`).

accountId  
The 12-digit AWS account ID associated with the resource.

### Common patterns
<a name="config-custom-policy-rules-patterns"></a>

------
#### [ Status checks ]

```
let allowed_status = ['ACTIVE', 'RUNNING']
rule check_resource_status when
    resourceType == "AWS::Service::Resource" {
    configuration.status IN %allowed_status
}
```

------
#### [ Required properties ]

```
rule check_required_properties when
    resourceType == "AWS::Service::Resource" {
    configuration.propertyName exists
    configuration.propertyName is_string  # or is_list, is_struct
}
```

------
#### [ Query blocks ]

```
configuration.Properties {
    property1 exists
    property2 is_string
    property3 IN [allowed_value1, allowed_value2]
}
```

------
#### [ Conditional evaluation ]

```
when configuration.feature_enabled == true {
    configuration.feature_settings exists
    configuration.feature_settings is_struct
}
```

------
#### [ Custom messages ]

```
rule check_compliance when
    resourceType == "AWS::Service::Resource" {
    configuration.property == expected_value <<Custom error message explaining the requirement>>
}
```

------

### Advanced features
<a name="config-custom-policy-rules-advanced"></a>

------
#### [ Range checks ]

```
rule check_numeric_limits {
    # Inclusive range (lower_limit <= value <= upper_limit)
    configuration.value IN r[minimum_value, maximum_value]  

    # Exclusive range (lower_limit < value < upper_limit)
    configuration.value IN r(exclusive_min, exclusive_max)  

    # Left inclusive, right exclusive (lower_limit <= value < upper_limit)
    configuration.value IN r[minimum_value, exclusive_max)

    # Left exclusive, right inclusive (lower_limit < value <= upper_limit)
    configuration.value IN r(exclusive_min, maximum_value]
}
```

------
#### [ Combining conditions ]

```
# AND conditions (implicit through new lines)
condition_1
condition_2

# OR conditions (explicit)
condition_3 OR
condition_4
```

------
#### [ Chaining rules ]

```
rule check_prerequisites {
    configuration.required_setting exists
}

rule check_details when check_prerequisites {
    configuration.required_setting == expected_value
}
```

------

### Best practices
<a name="config-custom-policy-rules-best-practices"></a>
+ Use variables with `let` statements for improved readability.
+ Group related checks using named rule blocks.
+ Include descriptive comments.
+ Use appropriate operators (`exists`, `is_string`, `is_list`).
+ Use regex patterns with case-insensitive matching.

### Example: dynamodb-pitr-enabled
<a name="config-custom-policy-rules-example"></a>

The following example shows the policy definition for an AWS Config Custom Policy rule version of the AWS Config Managed rule [dynamodb-pitr-enabled](dynamodb-pitr-enabled.md). This rule checks if DynamoDB tables have Point-in-Time Recovery enabled.

```
# Check if DynamoDB tables have Point-in-Time Recovery enabled
let status = ['ACTIVE']

rule tableisactive when
    resourceType == "AWS::DynamoDB::Table" {
    configuration.tableStatus == %status
}

rule checkcompliance when
    resourceType == "AWS::DynamoDB::Table"
    tableisactive {
    let pitr = supplementaryConfiguration.ContinuousBackupsDescription.pointInTimeRecoveryDescription.pointInTimeRecoveryStatus
    %pitr == "ENABLED" <<DynamoDB tables must have Point-in-Time Recovery enabled>>
}
```

# Creating AWS Config Custom Lambda Rules
<a name="evaluate-config_develop-rules_lambda-functions"></a>

You can develop custom rules and add them to AWS Config with AWS Lambda functions.

You associate each custom rule with a Lambda function, which contains the logic that evaluates whether your AWS resources comply with the rule. The rule invokes the function either in response to configuration changes or periodically. The function then evaluates whether your resources comply with your rule, and sends its evaluation results to AWS Config.

## AWS Rule Development Kit (RDK)
<a name="rdk"></a>

The AWS Rule Development Kit (RDK) is designed to support a "Compliance-as-Code" workflow that is intuitive and productive. It abstracts away much of the undifferentiated heavy lifting associated with deploying AWS Config rules backed by custom Lambda functions, and provides a streamlined develop-deploy-monitor iterative process.

For step-by-step instructions, see the [AWS Rule Development Kit (RDK) Documentation](https://aws-config-rdk.readthedocs.io/en/master).

## Example AWS Lambda Functions for AWS Config Rules (Node.js)
<a name="evaluate-config_develop-rules_nodejs-sample"></a>

AWS Lambda executes functions in response to events that are published by AWS services. The function for an AWS Config Custom Lambda rule receives an event that is published by AWS Config, and the function then uses data that it receives from the event and that it retrieves from the AWS Config API to evaluate the compliance of the rule. The operations in a function for a Config rule differ depending on whether it performs an evaluation that is triggered by configuration changes or triggered periodically.

For information about common patterns within AWS Lambda functions, see [Programming Model](https://docs.aws.amazon.com/lambda/latest/dg/programming-model-v2.html) in the *AWS Lambda Developer Guide*.

------
#### [ Example Function for Evaluations Triggered by Configuration Changes ]

AWS Config will invoke a function like the following example when it detects a configuration change for a resource that is within a custom rule's scope.

If you use the AWS Config console to create a rule that is associated with a function like this example, choose **Configuration changes** as the trigger type. If you use the AWS Config API or AWS CLI to create the rule, set the `MessageType` attribute to `ConfigurationItemChangeNotification` and `OversizedConfigurationItemChangeNotification`. These settings enable your rule to be triggered whenever AWS Config generates a configuration item or an oversized configuration item as a result of a resource change.

This example evaluates your resources and checks whether the instances match the resource type, `AWS::EC2::Instance`. The rule is triggered when AWS Config generates a configuration item or an oversized configuration item notification. 

```
'use strict';

import { ConfigServiceClient, GetResourceConfigHistoryCommand, PutEvaluationsCommand } from "@aws-sdk/client-config-service";

const configClient = new ConfigServiceClient({});

// Helper function used to validate input
function checkDefined(reference, referenceName) {
    if (!reference) {
        throw new Error(`Error: ${referenceName} is not defined`);
    }
    return reference;
}

// Check whether the message type is OversizedConfigurationItemChangeNotification.
function isOverSizedChangeNotification(messageType) {
    checkDefined(messageType, 'messageType');
    return messageType === 'OversizedConfigurationItemChangeNotification';
}

// Get the configurationItem for the resource using the getResourceConfigHistory API.
async function getConfiguration(resourceType, resourceId, configurationCaptureTime, callback) {
    const input = { resourceType, resourceId, laterTime: new Date(configurationCaptureTime), limit: 1 };
    const command = new GetResourceConfigHistoryCommand(input);
    // Return the callback's result so that awaiting this function also waits for any async work the callback starts.
    await configClient.send(command).then(
        (data) => callback(null, data.configurationItems[0]),
        (error) => callback(error, null)
    );
}

// Convert the oversized configuration item from the API model to the original invocation model.
function convertApiConfiguration(apiConfiguration) {
    apiConfiguration.awsAccountId = apiConfiguration.accountId;
    apiConfiguration.ARN = apiConfiguration.arn;
    apiConfiguration.configurationStateMd5Hash = apiConfiguration.configurationItemMD5Hash;
    apiConfiguration.configurationItemVersion = apiConfiguration.version;
    apiConfiguration.configuration = JSON.parse(apiConfiguration.configuration);
    if ({}.hasOwnProperty.call(apiConfiguration, 'relationships')) {
        for (let i = 0; i < apiConfiguration.relationships.length; i++) {
            apiConfiguration.relationships[i].name = apiConfiguration.relationships[i].relationshipName;
        }
    }
    return apiConfiguration;
}

// Based on the message type, get the configuration item either from the configurationItem object in the invoking event or with the getResourceConfigHistory API in the getConfiguration function.
async function getConfigurationItem(invokingEvent, callback) {
    checkDefined(invokingEvent, 'invokingEvent');
    if (isOverSizedChangeNotification(invokingEvent.messageType)) {
        const configurationItemSummary = checkDefined(invokingEvent.configurationItemSummary, 'configurationItemSummary');
        await getConfiguration(configurationItemSummary.resourceType, configurationItemSummary.resourceId, configurationItemSummary.configurationItemCaptureTime, (err, apiConfigurationItem) => {
            if (err) {
                // Stop here: there is no configuration item to convert.
                return callback(err);
            }
            const configurationItem = convertApiConfiguration(apiConfigurationItem);
            return callback(null, configurationItem);
        });
    } else {
        checkDefined(invokingEvent.configurationItem, 'configurationItem');
        // Wait for the callback so that the handler does not return before the evaluation is sent.
        await callback(null, invokingEvent.configurationItem);
    }
}

// Check whether the resource has been deleted. If the resource was deleted, then the evaluation returns not applicable.
function isApplicable(configurationItem, event) {
    checkDefined(configurationItem, 'configurationItem');
    checkDefined(event, 'event');
    const status = configurationItem.configurationItemStatus;
    const eventLeftScope = event.eventLeftScope;
    return (status === 'OK' || status === 'ResourceDiscovered') && eventLeftScope === false;
}

// In this example, the resource is compliant if it is an instance and its type matches the type specified as the desired type.
// If the resource is not an instance, then this resource is not applicable.
function evaluateChangeNotificationCompliance(configurationItem, ruleParameters) {
    checkDefined(configurationItem, 'configurationItem');
    checkDefined(configurationItem.configuration, 'configurationItem.configuration');
    checkDefined(ruleParameters, 'ruleParameters');

    if (configurationItem.resourceType !== 'AWS::EC2::Instance') {
        return 'NOT_APPLICABLE';
    } else if (ruleParameters.desiredInstanceType === configurationItem.configuration.instanceType) {
        return 'COMPLIANT';
    }
    return 'NON_COMPLIANT';
}

// Receives the event and context from AWS Lambda.
export const handler = async (event, context) => {
    checkDefined(event, 'event');
    const invokingEvent = JSON.parse(event.invokingEvent);
    const ruleParameters = JSON.parse(event.ruleParameters);
    await getConfigurationItem(invokingEvent, async (err, configurationItem) => {
        // Fail the invocation if the configuration item could not be retrieved.
        if (err) {
            throw err;
        }

        let compliance = 'NOT_APPLICABLE';
        let annotation = '';
        const putEvaluationsRequest = {};
        if (isApplicable(configurationItem, event)) {
            // Invoke the compliance checking function.
            compliance = evaluateChangeNotificationCompliance(configurationItem, ruleParameters);
            if (compliance === "NON_COMPLIANT") {
                annotation = "This is an annotation describing why the resource is not compliant.";
            }
        }
        // Initializes the request that contains the evaluation results.
        if (annotation) {
            putEvaluationsRequest.Evaluations = [
                {
                    ComplianceResourceType: configurationItem.resourceType,
                    ComplianceResourceId: configurationItem.resourceId,
                    ComplianceType: compliance,
                    OrderingTimestamp: new Date(configurationItem.configurationItemCaptureTime),
                    Annotation: annotation
                },
            ];
        } else {
            putEvaluationsRequest.Evaluations = [
                {
                    ComplianceResourceType: configurationItem.resourceType,
                    ComplianceResourceId: configurationItem.resourceId,
                    ComplianceType: compliance,
                    OrderingTimestamp: new Date(configurationItem.configurationItemCaptureTime),
                },
            ];
        }
        putEvaluationsRequest.ResultToken = event.resultToken;

        // Sends the evaluation results to AWS Config.
        await configClient.send(new PutEvaluationsCommand(putEvaluationsRequest));
    });
};
```

**Function Operations**

The function performs the following operations at runtime:

1. The function runs when AWS Lambda passes the `event` object to the `handler` function. AWS Lambda also passes a `context` object, which contains information and methods that the function can use while it runs. Note that in newer versions of Lambda, context is no longer used.

1. The function checks whether the `messageType` for the event is a configuration item or an oversized configuration item, and then returns the configuration item. 

1. The handler calls the `isApplicable` function to determine whether the resource was deleted.

   **Note**  
   Rules reporting on deleted resources should return the evaluation result of `NOT_APPLICABLE` in order to avoid unnecessary rule evaluations.

1. The handler calls the `evaluateChangeNotificationCompliance` function and passes the `configurationItem` and `ruleParameters` objects that AWS Config published in the event.

   The function first evaluates whether the resource is an EC2 instance. If the resource is not an EC2 instance, the function returns a compliance value of `NOT_APPLICABLE`. 

   The function then evaluates whether the `instanceType` attribute in the configuration item is equal to the `desiredInstanceType` parameter value. If the values are equal, the function returns `COMPLIANT`. If the values are not equal, the function returns `NON_COMPLIANT`.

1. The handler prepares to send the evaluation results to AWS Config by initializing the `putEvaluationsRequest` object. This object includes the `Evaluations` parameter, which identifies the compliance result, the resource type, and the ID of the resource that was evaluated. The `putEvaluationsRequest` object also includes the result token from the event, which identifies the rule and the event for AWS Config. 

1. The handler sends the evaluation results to AWS Config by passing the object in a `PutEvaluationsCommand` to the `send` method of the `configClient` client.
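The decision flow in the steps above can be exercised offline before the function is deployed. The following block is an added example, not part of the AWS sample: it rebuilds the applicability and compliance checks as pure functions and runs them over constructed events, including a deleted resource, a resource that left the rule's scope, and an oversized notification that carries only a summary. The names `evaluateEvent`, `resolveItem`, `lookupItem`, and `runSamples` are hypothetical, and `lookupItem` is a synchronous stand-in for the `GetResourceConfigHistory` call.

```javascript
// Added example: every sample event below is constructed, not captured from AWS.
const CAPTURE_TIME = '2024-01-01T00:00:00.000Z';

// Same applicability test as the page's isApplicable function.
function isApplicable(item, event) {
    const status = item.configurationItemStatus;
    return (status === 'OK' || status === 'ResourceDiscovered') && event.eventLeftScope === false;
}

// Same compliance test as the page's evaluateChangeNotificationCompliance function.
function complianceFor(item, ruleParameters) {
    if (item.resourceType !== 'AWS::EC2::Instance') {
        return 'NOT_APPLICABLE';
    }
    const actual = item.configuration ? item.configuration.instanceType : undefined;
    return actual !== undefined && actual === ruleParameters.desiredInstanceType ? 'COMPLIANT' : 'NON_COMPLIANT';
}

// Return the configuration item for either message type. lookupItem (hypothetical) stands in
// for the GetResourceConfigHistory call and is synchronous so that the example runs offline.
function resolveItem(invokingEvent, lookupItem) {
    if (invokingEvent.messageType === 'OversizedConfigurationItemChangeNotification') {
        const summary = invokingEvent.configurationItemSummary;
        if (!summary) {
            throw new Error('configurationItemSummary is not defined');
        }
        const apiItem = lookupItem(summary.resourceType, summary.resourceId, summary.configurationItemCaptureTime);
        if (!apiItem) {
            throw new Error(`no configuration item found for ${summary.resourceId}`);
        }
        // The API model carries the configuration as a JSON string.
        return { ...apiItem, configuration: JSON.parse(apiItem.configuration) };
    }
    if (!invokingEvent.configurationItem) {
        throw new Error('configurationItem is not defined');
    }
    return invokingEvent.configurationItem;
}

// Build the PutEvaluations request for one invocation without sending it.
function evaluateEvent(event, lookupItem) {
    const invokingEvent = JSON.parse(event.invokingEvent);
    const ruleParameters = JSON.parse(event.ruleParameters || '{}');
    const configurationItem = resolveItem(invokingEvent, lookupItem);
    const compliance = isApplicable(configurationItem, event)
        ? complianceFor(configurationItem, ruleParameters)
        : 'NOT_APPLICABLE';
    const evaluation = {
        ComplianceResourceType: configurationItem.resourceType,
        ComplianceResourceId: configurationItem.resourceId,
        ComplianceType: compliance,
        OrderingTimestamp: new Date(configurationItem.configurationItemCaptureTime),
    };
    if (compliance === 'NON_COMPLIANT') {
        evaluation.Annotation = `Instance type is not ${ruleParameters.desiredInstanceType}.`;
    }
    return { Evaluations: [evaluation], ResultToken: event.resultToken };
}

// Constructed inputs. Only the fields that the functions above read are filled in.
function sampleItem(resourceType, resourceId, status, configuration) {
    return { resourceType, resourceId, configurationItemStatus: status, configurationItemCaptureTime: CAPTURE_TIME, configuration };
}

function lambdaEvent(invokingEvent, eventLeftScope = false) {
    return {
        invokingEvent: JSON.stringify(invokingEvent),
        ruleParameters: JSON.stringify({ desiredInstanceType: 't2.micro' }),
        resultToken: 'constructed-result-token',
        eventLeftScope,
    };
}

function changeEvent(configurationItem, eventLeftScope) {
    return lambdaEvent({ messageType: 'ConfigurationItemChangeNotification', configurationItem }, eventLeftScope);
}

// Run every constructed case and return the evaluation that would be sent for each.
function runSamples() {
    const cases = {
        matchingInstance: changeEvent(sampleItem('AWS::EC2::Instance', 'i-constructed-1', 'OK', { instanceType: 't2.micro' })),
        wrongType: changeEvent(sampleItem('AWS::EC2::Instance', 'i-constructed-2', 'OK', { instanceType: 'm5.large' })),
        deleted: changeEvent(sampleItem('AWS::EC2::Instance', 'i-constructed-3', 'ResourceDeleted', null)),
        leftScope: changeEvent(sampleItem('AWS::EC2::Instance', 'i-constructed-4', 'OK', { instanceType: 'm5.large' }), true),
        bucket: changeEvent(sampleItem('AWS::S3::Bucket', 'constructed-bucket', 'OK', {})),
        oversized: lambdaEvent({
            messageType: 'OversizedConfigurationItemChangeNotification',
            configurationItemSummary: { resourceType: 'AWS::EC2::Instance', resourceId: 'i-constructed-5', configurationItemCaptureTime: CAPTURE_TIME },
        }),
    };
    // The stub answers the oversized case with an API-model item (configuration as a JSON string).
    const lookupItem = (resourceType, resourceId) =>
        sampleItem(resourceType, resourceId, 'OK', JSON.stringify({ instanceType: 'm5.large' }));
    const results = {};
    for (const [name, event] of Object.entries(cases)) {
        results[name] = evaluateEvent(event, lookupItem).Evaluations[0];
    }
    return results;
}

console.log(runSamples());
```

The oversized case is the one to watch: its invoking event has no `configurationItem`, so the resource type, ID, and timestamp in the evaluation must come from the item that was looked up.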

------
#### [ Example Function for Periodic Evaluations ]

AWS Config will invoke a function like the following example for periodic evaluations. Periodic evaluations occur at the frequency that you specify when you define the rule in AWS Config.

If you use the AWS Config console to create a rule that is associated with a function like this example, choose **Periodic** as the trigger type. If you use the AWS Config API or AWS CLI to create the rule, set the `MessageType` attribute to `ScheduledNotification`.

This example checks whether the total number of a specified resource exceeds a specified maximum.

```
'use strict';
import { ConfigServiceClient, ListDiscoveredResourcesCommand, PutEvaluationsCommand } from "@aws-sdk/client-config-service";

const configClient = new ConfigServiceClient({});

// Receives the event and context from AWS Lambda.
export const handler = async (event, context, callback) => {
    // Parses the invokingEvent and ruleParameters values, which contain JSON objects passed as strings.
    var invokingEvent = JSON.parse(event.invokingEvent),
        ruleParameters = JSON.parse(event.ruleParameters),
        numberOfResources = 0;

    if (isScheduledNotification(invokingEvent) && hasValidRuleParameters(ruleParameters, callback)) {
        await countResourceTypes(ruleParameters.applicableResourceType, "", numberOfResources, async function (err, count) {
            if (err === null) {
                var putEvaluationsRequest;
                const compliance = evaluateCompliance(ruleParameters.maxCount, count);
                var annotation = '';
                if (compliance === "NON_COMPLIANT") {
                    annotation = "Description of why the resource is not compliant.";
                }
                // Initializes the request that contains the evaluation results.
                if (annotation) {
                    putEvaluationsRequest = {
                        Evaluations: [{
                            // Applies the evaluation result to the AWS account published in the event.
                            ComplianceResourceType: 'AWS::::Account',
                            ComplianceResourceId: event.accountId,
                            ComplianceType: compliance,
                            OrderingTimestamp: new Date(),
                            Annotation: annotation
                        }],
                        ResultToken: event.resultToken
                    };
                } else {
                    putEvaluationsRequest = {
                        Evaluations: [{
                            // Applies the evaluation result to the AWS account published in the event.
                            ComplianceResourceType: 'AWS::::Account',
                            ComplianceResourceId: event.accountId,
                            ComplianceType: compliance,
                            OrderingTimestamp: new Date()
                        }],
                        ResultToken: event.resultToken
                    };
                }

                // Sends the evaluation results to AWS Config.
                try {
                    await configClient.send(new PutEvaluationsCommand(putEvaluationsRequest));
                }
                catch (e) {
                    callback(e, null);
                }
            } else {
                callback(err, null);
            }
        });
    } else {
        console.log("Invoked for a notification other than Scheduled Notification... Ignoring.");
    }
};

// Checks whether the invoking event is ScheduledNotification.
function isScheduledNotification(invokingEvent) {
    return (invokingEvent.messageType === 'ScheduledNotification');
}

// Checks the rule parameters to see if they are valid
function hasValidRuleParameters(ruleParameters, callback) {
    // Regular expression to verify that the applicable resource given is a resource type
    const awsResourcePattern = /^AWS::(\w*)::(\w*)$/;
    const isApplicableResourceType = awsResourcePattern.test(ruleParameters.applicableResourceType);
    // Check to make sure the maxCount in the parameters is an integer
    const maxCountIsInt = !isNaN(ruleParameters.maxCount) && parseInt(Number(ruleParameters.maxCount)) == ruleParameters.maxCount && !isNaN(parseInt(ruleParameters.maxCount, 10));
    if (!isApplicableResourceType) {
        callback("The applicableResourceType parameter is not a valid resource type.", null);
    }
    if (!maxCountIsInt) {
        callback("The maxCount parameter is not a valid integer.", null);
    }
    return isApplicableResourceType && maxCountIsInt;
}

// Checks whether the compliance conditions for the rule are violated.
function evaluateCompliance(maxCount, actualCount) {
    if (actualCount > maxCount) {
        return "NON_COMPLIANT";
    } else {
        return "COMPLIANT";
    }
}

// Counts the applicable resources that belong to the AWS account.
async function countResourceTypes(applicableResourceType, nextToken, count, callback) {
    const input = { resourceType: applicableResourceType, nextToken: nextToken };
    const command = new ListDiscoveredResourcesCommand(input);
    try {
        const response = await configClient.send(command);
        count = count + response.resourceIdentifiers.length;
        if (response.nextToken !== undefined && response.nextToken != null) {
            // More pages remain: keep counting and report only the final total.
            return await countResourceTypes(applicableResourceType, response.nextToken, count, callback);
        }
        // Wait for the callback so that the evaluation is sent before the handler returns.
        await callback(null, count);
    } catch (e) {
        await callback(e, null);
    }
    return count;
}
```

**Function Operations**

The function performs the following operations at runtime:

1. The function runs when AWS Lambda passes the `event` object to the `handler` function. In this example, the function accepts the optional `callback` parameter, which it uses to return information to the caller. AWS Lambda also passes a `context` object, which contains information and methods that the function can use while it runs. Note that in newer versions of Lambda, context is no longer used.

1. To count the resources of the specified type, the handler calls the `countResourceTypes` function, and it passes the `applicableResourceType` parameter that it received from the event. The `countResourceTypes` function sends a `ListDiscoveredResourcesCommand` through the `configClient` client, which returns a list of identifiers for the applicable resources. The function uses the length of this list to determine the number of applicable resources, and it returns this count to the handler.

1. The handler prepares to send the evaluation results to AWS Config by initializing the `putEvaluationsRequest` object. This object includes the `Evaluations` parameter, which identifies the compliance result and the AWS account that was published in the event. You can use the `Evaluations` parameter to apply the result to any resource type that is supported by AWS Config. The `putEvaluationsRequest` object also includes the result token from the event, which identifies the rule and the event for AWS Config.

1. Within the `putEvaluationsRequest` object, the handler calls the `evaluateCompliance` function. This function tests whether the number of applicable resources exceeds the maximum assigned to the `maxCount` parameter, which was provided by the event. If the number of resources exceeds the maximum, the function returns `NON_COMPLIANT`. If the number of resources does not exceed the maximum, the function returns `COMPLIANT`.

1. The handler sends the evaluation results to AWS Config by passing the object in a `PutEvaluationsCommand` to the `send` method of the `configClient` client.

------

## Example AWS Lambda Functions for AWS Config Rules (Python)
<a name="evaluate-config_develop-rules_python-sample"></a>

AWS Lambda executes functions in response to events that are published by AWS services. The function for an AWS Config Custom Lambda rule receives an event that is published by AWS Config, and the function then uses data that it receives from the event and that it retrieves from the AWS Config API to evaluate the compliance of the rule. The operations in a function for a Config rule differ depending on whether it performs an evaluation that is triggered by configuration changes or triggered periodically.

For information about common patterns within AWS Lambda functions, see [Programming Model](https://docs.aws.amazon.com/lambda/latest/dg/programming-model-v2.html) in the *AWS Lambda Developer Guide*.

------
#### [ Example Function for Evaluations Triggered by Configuration Changes ]

AWS Config will invoke a function like the following example when it detects a configuration change for a resource that is within a custom rule's scope.

If you use the AWS Config console to create a rule that is associated with a function like this example, choose **Configuration changes** as the trigger type. If you use the AWS Config API or AWS CLI to create the rule, set the `MessageType` attribute to `ConfigurationItemChangeNotification` and `OversizedConfigurationItemChangeNotification`. These settings enable your rule to be triggered whenever AWS Config generates a configuration item or an oversized configuration item as a result of a resource change.

```
import botocore 
import boto3
import json
import datetime

# Set to True to get the lambda to assume the Role attached on the Config Service (useful for cross-account).
ASSUME_ROLE_MODE = False

# This gets the client after assuming the Config service role
# either in the same AWS account or cross-account.
def get_client(service, event):
    """Return the service boto client. It should be used instead of directly calling the client.
    Keyword arguments:
    service -- the service name used for calling the boto.client()
    event -- the event variable given in the lambda handler
    """
    if not ASSUME_ROLE_MODE:
        return boto3.client(service)
    credentials = get_assume_role_credentials(event["executionRoleArn"])
    return boto3.client(service, aws_access_key_id=credentials['AccessKeyId'],
                        aws_secret_access_key=credentials['SecretAccessKey'],
                        aws_session_token=credentials['SessionToken']
                       )

# Helper function used to validate input
def check_defined(reference, reference_name):
    if not reference:
        raise Exception(f'Error: {reference_name} is not defined')
    return reference

# Check whether the message is OversizedConfigurationItemChangeNotification or not
def is_oversized_changed_notification(message_type):
    check_defined(message_type, 'messageType')
    return message_type == 'OversizedConfigurationItemChangeNotification'

# Get configurationItem using getResourceConfigHistory API
# in case of OversizedConfigurationItemChangeNotification
def get_configuration(resource_type, resource_id, configuration_capture_time):
    result = AWS_CONFIG_CLIENT.get_resource_config_history(
        resourceType=resource_type,
        resourceId=resource_id,
        laterTime=configuration_capture_time,
        limit=1)
    configurationItem = result['configurationItems'][0]
    return convert_api_configuration(configurationItem)

# Convert from the API model to the original invocation model
def convert_api_configuration(configurationItem):
    for k, v in configurationItem.items():
        if isinstance(v, datetime.datetime):
            configurationItem[k] = str(v)
    configurationItem['awsAccountId'] = configurationItem['accountId']
    configurationItem['ARN'] = configurationItem['arn']
    configurationItem['configurationStateMd5Hash'] = configurationItem['configurationItemMD5Hash']
    configurationItem['configurationItemVersion'] = configurationItem['version']
    configurationItem['configuration'] = json.loads(configurationItem['configuration'])
    if 'relationships' in configurationItem:
        for i in range(len(configurationItem['relationships'])):
            configurationItem['relationships'][i]['name'] = configurationItem['relationships'][i]['relationshipName']
    return configurationItem

# Based on the type of message get the configuration item
# either from configurationItem in the invoking event
# or using the getResourceConfigHistory API in getConfiguration function.
def get_configuration_item(invokingEvent):
    check_defined(invokingEvent, 'invokingEvent')
    if is_oversized_changed_notification(invokingEvent['messageType']):
        configurationItemSummary = check_defined(invokingEvent['configurationItemSummary'], 'configurationItemSummary')
        return get_configuration(configurationItemSummary['resourceType'], configurationItemSummary['resourceId'], configurationItemSummary['configurationItemCaptureTime'])
    return check_defined(invokingEvent['configurationItem'], 'configurationItem')

# Check whether the resource has been deleted. If it has, then the evaluation is unnecessary.
def is_applicable(configurationItem, event):
    try:
        check_defined(configurationItem, 'configurationItem')
        check_defined(event, 'event')
    except:
        return True
    status = configurationItem['configurationItemStatus']
    eventLeftScope = event['eventLeftScope']
    if status == 'ResourceDeleted':
        print("Resource Deleted, setting Compliance Status to NOT_APPLICABLE.")
    return (status == 'OK' or status == 'ResourceDiscovered') and not eventLeftScope

def get_assume_role_credentials(role_arn):
    sts_client = boto3.client('sts')
    try:
        assume_role_response = sts_client.assume_role(RoleArn=role_arn, RoleSessionName="configLambdaExecution")
        return assume_role_response['Credentials']
    except botocore.exceptions.ClientError as ex:
        # Scrub error message for any internal account info leaks
        if 'AccessDenied' in ex.response['Error']['Code']:
            ex.response['Error']['Message'] = "AWS Config does not have permission to assume the IAM role."
        else:
            ex.response['Error']['Message'] = "InternalError"
            ex.response['Error']['Code'] = "InternalError"
        raise ex

def evaluate_change_notification_compliance(configuration_item, rule_parameters):
    check_defined(configuration_item, 'configuration_item')
    check_defined(configuration_item['configuration'], 'configuration_item[\'configuration\']')
    if rule_parameters:
        check_defined(rule_parameters, 'rule_parameters')

    if (configuration_item['resourceType'] != 'AWS::EC2::Instance'):
        return 'NOT_APPLICABLE'

    elif rule_parameters.get('desiredInstanceType'):
        if (configuration_item['configuration']['instanceType'] in rule_parameters['desiredInstanceType']):
            return 'COMPLIANT'
    return 'NON_COMPLIANT'

def lambda_handler(event, context):

    global AWS_CONFIG_CLIENT

    check_defined(event, 'event')
    invoking_event = json.loads(event['invokingEvent'])
    rule_parameters = {}
    if 'ruleParameters' in event:
        rule_parameters = json.loads(event['ruleParameters'])

    compliance_value = 'NOT_APPLICABLE'

    AWS_CONFIG_CLIENT = get_client('config', event)
    configuration_item = get_configuration_item(invoking_event)
    if is_applicable(configuration_item, event):
        compliance_value = evaluate_change_notification_compliance(
                configuration_item, rule_parameters)

    # Report on the resolved configuration item: an oversized notification
    # has no 'configurationItem' key in the invoking event.
    response = AWS_CONFIG_CLIENT.put_evaluations(
       Evaluations=[
           {
               'ComplianceResourceType': configuration_item['resourceType'],
               'ComplianceResourceId': configuration_item['resourceId'],
               'ComplianceType': compliance_value,
               'OrderingTimestamp': configuration_item['configurationItemCaptureTime']
           },
       ],
       ResultToken=event['resultToken'])
```

**Function Operations**

The function performs the following operations at runtime:

1. The function runs when AWS Lambda passes the `event` object to the `lambda_handler` function. AWS Lambda also passes a `context` object, which contains information and methods that the function can use while it runs. Note that in newer versions of Lambda, context is no longer used.

1. The function checks whether the `messageType` for the event is a configuration item or an oversized configuration item, and then returns the configuration item.

1. The handler calls the `is_applicable` function to determine whether the resource was deleted.

   **Note**  
   Rules reporting on deleted resources should return the evaluation result of `NOT_APPLICABLE` in order to avoid unnecessary rule evaluations.

1. The handler calls the `evaluate_change_notification_compliance` function and passes the `configuration_item` and `rule_parameters` objects that AWS Config published in the event.

   The function first evaluates whether the resource is an EC2 instance. If the resource is not an EC2 instance, the function returns a compliance value of `NOT_APPLICABLE`.

   The function then evaluates whether the `instanceType` attribute in the configuration item matches the `desiredInstanceType` parameter value. If it matches, the function returns `COMPLIANT`. If it does not match, the function returns `NON_COMPLIANT`.

1. The handler prepares to send the evaluation results to AWS Config by building the `Evaluations` parameter, which identifies the compliance result, the resource type, and the ID of the resource that was evaluated. The request also includes the result token from the event, which identifies the rule and the event for AWS Config.

1. The handler sends the evaluation results to AWS Config by calling the `put_evaluations` method of the `config` client.

------
#### [ Example Function for Periodic Evaluations ]

AWS Config will invoke a function like the following example for periodic evaluations. Periodic evaluations occur at the frequency that you specify when you define the rule in AWS Config.

If you use the AWS Config console to create a rule that is associated with a function like this example, choose **Periodic** as the trigger type. If you use the AWS Config API or AWS CLI to create the rule, set the `MessageType` attribute to `ScheduledNotification`.

```
import botocore
import boto3
import json
import datetime

# Set to True to get the lambda to assume the Role attached on the Config Service (useful for cross-account).
ASSUME_ROLE_MODE = False
DEFAULT_RESOURCE_TYPE = 'AWS::::Account'

# This gets the client after assuming the Config service role
# either in the same AWS account or cross-account.
def get_client(service, event):
    """Return the service boto client. It should be used instead of directly calling the client.
    Keyword arguments:
    service -- the service name used for calling the boto.client()
    event -- the event variable given in the lambda handler
    """
    if not ASSUME_ROLE_MODE:
        return boto3.client(service)
    credentials = get_assume_role_credentials(event["executionRoleArn"])
    return boto3.client(service, aws_access_key_id=credentials['AccessKeyId'],
                        aws_secret_access_key=credentials['SecretAccessKey'],
                        aws_session_token=credentials['SessionToken']
                       )

def get_assume_role_credentials(role_arn):
    sts_client = boto3.client('sts')
    try:
        assume_role_response = sts_client.assume_role(RoleArn=role_arn, RoleSessionName="configLambdaExecution")
        return assume_role_response['Credentials']
    except botocore.exceptions.ClientError as ex:
        # Scrub error message for any internal account info leaks
        if 'AccessDenied' in ex.response['Error']['Code']:
            ex.response['Error']['Message'] = "AWS Config does not have permission to assume the IAM role."
        else:
            ex.response['Error']['Message'] = "InternalError"
            ex.response['Error']['Code'] = "InternalError"
        raise ex

# Check whether the message is a ScheduledNotification or not.
def is_scheduled_notification(message_type):
    return message_type == 'ScheduledNotification'

# Count the resources of the given type that AWS Config has discovered.
# Only the page returned by this single call is counted.
def count_resource_types(applicable_resource_type, next_token, count):
    resource_identifier = AWS_CONFIG_CLIENT.list_discovered_resources(resourceType=applicable_resource_type, nextToken=next_token)
    updated = count + len(resource_identifier['resourceIdentifiers'])
    return updated

# Evaluates the configuration items in the snapshot and returns the compliance value to the handler.
def evaluate_compliance(max_count, actual_count):
    return 'NON_COMPLIANT' if int(actual_count) > int(max_count) else 'COMPLIANT'

def evaluate_parameters(rule_parameters):
    if 'applicableResourceType' not in rule_parameters:
        raise ValueError('The parameter with "applicableResourceType" as key must be defined.')
    if not rule_parameters['applicableResourceType']:
        raise ValueError('The parameter "applicableResourceType" must have a defined value.')
    return rule_parameters

# This generates an evaluation for AWS Config
def build_evaluation(resource_id, compliance_type, event, resource_type=DEFAULT_RESOURCE_TYPE, annotation=None):
    """Form an evaluation as a dictionary. Usually suited to report on scheduled rules.
    Keyword arguments:
    resource_id -- the unique id of the resource to report
    compliance_type -- either COMPLIANT, NON_COMPLIANT or NOT_APPLICABLE
    event -- the event variable given in the lambda handler
    resource_type -- the CloudFormation resource type (or AWS::::Account) to report on the rule (default DEFAULT_RESOURCE_TYPE)
    annotation -- an annotation to be added to the evaluation (default None)
    """
    eval_cc = {}
    if annotation:
        eval_cc['Annotation'] = annotation
    eval_cc['ComplianceResourceType'] = resource_type
    eval_cc['ComplianceResourceId'] = resource_id
    eval_cc['ComplianceType'] = compliance_type
    eval_cc['OrderingTimestamp'] = str(json.loads(event['invokingEvent'])['notificationCreationTime'])
    return eval_cc

def lambda_handler(event, context):

    global AWS_CONFIG_CLIENT

    evaluations = []
    rule_parameters = {}
    resource_count = 0
    max_count = 0

    invoking_event = json.loads(event['invokingEvent'])
    if 'ruleParameters' in event:
        rule_parameters = json.loads(event['ruleParameters'])
    # Validate outside the 'if' so that a missing ruleParameters attribute raises
    # the ValueError from evaluate_parameters instead of a NameError further down.
    valid_rule_parameters = evaluate_parameters(rule_parameters)

    compliance_value = 'NOT_APPLICABLE'

    AWS_CONFIG_CLIENT = get_client('config', event)
    # Count and evaluate only for scheduled notifications; any other message type
    # keeps the NOT_APPLICABLE default instead of using an undefined count.
    if is_scheduled_notification(invoking_event['messageType']):
        result_resource_count = count_resource_types(valid_rule_parameters['applicableResourceType'], '', resource_count)

        if valid_rule_parameters.get('maxCount'):
            max_count = valid_rule_parameters['maxCount']

        compliance_value = evaluate_compliance(max_count, result_resource_count)

    evaluations.append(build_evaluation(event['accountId'], compliance_value, event, resource_type=DEFAULT_RESOURCE_TYPE))
    response = AWS_CONFIG_CLIENT.put_evaluations(Evaluations=evaluations, ResultToken=event['resultToken'])
```

**Function Operations**

The function performs the following operations at runtime:

1. The function runs when AWS Lambda passes the `event` object to the `handler` function. In this example, the function accepts the optional `callback` parameter, which it uses to return information to the caller. AWS Lambda also passes a `context` object, which contains information and methods that the function can use while it runs. Note that in newer versions of Lambda, context is no longer used.

1. To count the resources of the specified type, the handler calls the `countResourceTypes` function, and it passes the `applicableResourceType` parameter that it received from the event. The `countResourceTypes` function calls the `listDiscoveredResources` method of the `config` client, which returns a list of identifiers for the applicable resources. The function uses the length of this list to determine the number of applicable resources, and it returns this count to the handler.

1. The handler prepares to send the evaluation results to AWS Config by initializing the `putEvaluationsRequest` object. This object includes the `Evaluations` parameter, which identifies the compliance result and the AWS account that was published in the event. You can use the `Evaluations` parameter to apply the result to any resource type that is supported by AWS Config. The `putEvaluationsRequest` object also includes the result token from the event, which identifies the rule and the event for AWS Config.

1. Within the `putEvaluationsRequest` object, the handler calls the `evaluateCompliance` function. This function tests whether the number of applicable resources exceeds the maximum assigned to the `maxCount` parameter, which was provided by the event. If the number of resources exceeds the maximum, the function returns `NON_COMPLIANT`. If the number of resources does not exceed the maximum, the function returns `COMPLIANT`.

1. The handler sends the evaluation results to AWS Config by passing the object to the `putEvaluations` method of the `config` client.

------

## Example Events for AWS Config Rules
<a name="evaluate-config_develop-rules_example-events"></a>

When the trigger for a rule occurs, AWS Config invokes the rule's AWS Lambda function by publishing an event. Then AWS Lambda executes the function by passing the event to the function's handler.

------
#### [ Example Event for Evaluations Triggered by Configuration Changes ]

AWS Config publishes an event when it detects a configuration change for a resource that is within a rule's scope. The following example event shows that the rule was triggered by a configuration change for an EC2 instance.

```
{ 
    "invokingEvent": "{\"configurationItem\":{\"configurationItemCaptureTime\":\"2016-02-17T01:36:34.043Z\",\"awsAccountId\":\"123456789012\",\"configurationItemStatus\":\"OK\",\"resourceId\":\"i-00000000\",\"ARN\":\"arn:aws:ec2:us-east-2:123456789012:instance/i-00000000\",\"awsRegion\":\"us-east-2\",\"availabilityZone\":\"us-east-2a\",\"resourceType\":\"AWS::EC2::Instance\",\"tags\":{\"Foo\":\"Bar\"},\"relationships\":[{\"resourceId\":\"eipalloc-00000000\",\"resourceType\":\"AWS::EC2::EIP\",\"name\":\"Is attached to ElasticIp\"}],\"configuration\":{\"foo\":\"bar\"}},\"messageType\":\"ConfigurationItemChangeNotification\"}",
    "ruleParameters": "{\"myParameterKey\":\"myParameterValue\"}",
    "resultToken": "myResultToken",
    "eventLeftScope": false,
    "executionRoleArn": "arn:aws:iam::123456789012:role/config-role",
    "configRuleArn": "arn:aws:config:us-east-2:123456789012:config-rule/config-rule-0123456",
    "configRuleName": "change-triggered-config-rule",
    "configRuleId": "config-rule-0123456",
    "accountId": "123456789012",
    "version": "1.0"
}
```

------
#### [ Example Event for Evaluations Triggered by Oversized Configuration Changes ]

Some resource changes generate oversized configuration items. The following example event shows that the rule was triggered by an oversized configuration change for an EC2 instance.

```
{
        "invokingEvent": "{\"configurationItemSummary\": {\"changeType\": \"UPDATE\",\"configurationItemVersion\": \"1.2\",\"configurationItemCaptureTime\":\"2016-10-06T16:46:16.261Z\",\"configurationStateId\": 0,\"awsAccountId\":\"123456789012\",\"configurationItemStatus\": \"OK\",\"resourceType\": \"AWS::EC2::Instance\",\"resourceId\":\"i-00000000\",\"resourceName\":null,\"ARN\":\"arn:aws:ec2:us-west-2:123456789012:instance/i-00000000\",\"awsRegion\": \"us-west-2\",\"availabilityZone\":\"us-west-2a\",\"configurationStateMd5Hash\":\"8f1ee69b287895a0f8bc5753eca68e96\",\"resourceCreationTime\":\"2016-10-06T16:46:10.489Z\"},\"messageType\":\"OversizedConfigurationItemChangeNotification\"}",
        "ruleParameters": "{\"myParameterKey\":\"myParameterValue\"}",
        "resultToken": "myResultToken",
        "eventLeftScope": false,
        "executionRoleArn": "arn:aws:iam::123456789012:role/config-role",
        "configRuleArn": "arn:aws:config:us-east-2:123456789012:config-rule/config-rule-ec2-managed-instance-inventory",
        "configRuleName": "change-triggered-config-rule",
        "configRuleId": "config-rule-0123456",
        "accountId": "123456789012",
        "version": "1.0"
}
```

------
#### [ Example Event for Evaluations Triggered by Periodic Frequency ]

AWS Config publishes an event when it evaluates your resources at a frequency that you specify (such as every 24 hours). The following example event shows that the rule was triggered by a periodic frequency. 

```
{
    "invokingEvent": "{\"awsAccountId\":\"123456789012\",\"notificationCreationTime\":\"2016-07-13T21:50:00.373Z\",\"messageType\":\"ScheduledNotification\",\"recordVersion\":\"1.0\"}",
    "ruleParameters": "{\"myParameterKey\":\"myParameterValue\"}",
    "resultToken": "myResultToken",
    "eventLeftScope": false,
    "executionRoleArn": "arn:aws:iam::123456789012:role/config-role",
    "configRuleArn": "arn:aws:config:us-east-2:123456789012:config-rule/config-rule-0123456",
    "configRuleName": "periodic-config-rule",
    "configRuleId": "config-rule-6543210",
    "accountId": "123456789012",
    "version": "1.0"
}
```

------

### Event Attributes
<a name="w2aac20c19c20c13b1b7"></a>

The JSON object for an AWS Config event contains the following attributes:

`invokingEvent`  
The event that triggers the evaluation for a rule. If the event is published in response to a resource configuration change, the value for this attribute is a string that contains a JSON `configurationItem` or a `configurationItemSummary` (for oversized configuration items). The configuration item represents the state of the resource at the moment that AWS Config detected the change. For an example of a configuration item, see the output produced by the `get-resource-config-history` AWS CLI command in [Viewing Configuration History](view-manage-resource-console.md#get-config-history-cli).  
If the event is published for a periodic evaluation, the value is a string that contains a JSON object. The object includes information about the evaluation that was triggered.  
For each type of event, a function must parse the string with a JSON parser to be able to evaluate its contents, as shown in the following Node.js example:  

```
var invokingEvent = JSON.parse(event.invokingEvent);
```

`ruleParameters`  
Key/value pairs that the function processes as part of its evaluation logic. You define parameters when you use the AWS Config console to create a Custom Lambda rule. You can also define parameters with the `InputParameters` attribute in the `PutConfigRule` AWS Config API request or the `put-config-rule` AWS CLI command.  
The JSON code for the parameters is contained within a string, so a function must parse the string with a JSON parser to be able to evaluate its contents, as shown in the following Node.js example:  

```
var ruleParameters = JSON.parse(event.ruleParameters);
```

`resultToken`  
A token that the function must pass to AWS Config with the `PutEvaluations` call.

`eventLeftScope`  
A Boolean value that indicates whether the AWS resource to be evaluated has been removed from the rule's scope. If the value is `true`, the function indicates that the evaluation can be ignored by passing `NOT_APPLICABLE` as the value for the `ComplianceType` attribute in the `PutEvaluations` call.

`executionRoleArn`  
The ARN of the IAM role that is assigned to AWS Config.

`configRuleArn`  
The ARN that AWS Config assigned to the rule.

`configRuleName`  
The name that you assigned to the rule that caused AWS Config to publish the event and invoke the function.

`configRuleId`  
The ID that AWS Config assigned to the rule.

`accountId`  
The ID of the AWS account that owns the rule.

`version`  
A version number assigned by AWS. The version will increment if AWS adds attributes to AWS Config events. If a function requires an attribute that is only in events that match or exceed a specific version, then that function can check the value of this attribute.  
The current version for AWS Config events is 1.0.

# Managing Deleted Resources for AWS Config Custom Lambda Rules
<a name="evaluate-config_develop-rules-delete"></a>

Rules reporting on deleted resources should return the evaluation result of `NOT_APPLICABLE` in order to avoid unnecessary rule evaluations.

When you delete a resource, AWS Config creates a `configurationItem` with `ResourceDeleted` for the `configurationItemStatus`. You can use this metadata to check if a rule reports on a deleted resource. For more information on configuration items, see [Concepts | Configuration Items](https://docs.aws.amazon.com/config/latest/developerguide/config-concepts.html#config-items.html).

Include the following code snippets to check for deleted resources and set the evaluation result of an AWS Config custom Lambda rule to `NOT_APPLICABLE` if it reports on a deleted resource:

------
#### [ Custom Lambda Rules (Node.js) ]

```
// Check whether the resource has been deleted. If the resource was deleted, then the evaluation returns not applicable.
function isApplicable(configurationItem, event) {
    checkDefined(configurationItem, 'configurationItem');
    checkDefined(event, 'event');
    const status = configurationItem.configurationItemStatus;
    const eventLeftScope = event.eventLeftScope;
    return (status === 'OK' || status === 'ResourceDiscovered') && eventLeftScope === false;
}
```

------
#### [ Custom Lambda Rules (Python) ]

```
# Check whether the resource has been deleted. If the resource was deleted, then the evaluation returns not applicable.
def is_applicable(configurationItem, event):
    try:
        check_defined(configurationItem, 'configurationItem')
        check_defined(event, 'event')
    except Exception:
        # An undefined item or event is treated as applicable, as in the original snippet.
        return True
    status = configurationItem['configurationItemStatus']
    eventLeftScope = event['eventLeftScope']
    if status == 'ResourceDeleted':
        print("Resource Deleted, setting Compliance Status to NOT_APPLICABLE.")
    return (status == 'OK' or status == 'ResourceDiscovered') and not eventLeftScope
```

------

**Note**  
AWS Config managed rules and AWS Config custom policy rules handle this behavior by default.  
If you create an AWS Config custom Lambda rule with Python using the AWS Config Development Kit (RDK) and AWS Config Development Kit Library (RDKlib), the imported [Evaluator](https://github.com/awslabs/aws-config-rdklib/blob/master/rdklib/evaluator.py#L56) class performs this check. For information on how to write rules with the RDK and RDKlib, see [Writing rules with the RDK and RDKlib](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_components.html#evaluate-config_components_logic).
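The event attributes and the deleted-resource check described above, combined in one offline sketch (an added example, not AWS's code): it decodes the string-encoded attributes, normalises the three message types, and builds the `PutEvaluations` arguments without calling AWS. `parse_event`, `build_put_evaluations_request`, `EventError` and the sample event are names and values introduced here; the `instanceType` check mirrors the one the change-triggered example function describes.

```python
import json

# messageType -> key that holds the item inside the decoded invokingEvent
ITEM_KEYS = {
    "ConfigurationItemChangeNotification": "configurationItem",
    "OversizedConfigurationItemChangeNotification": "configurationItemSummary",
}
SCHEDULED = "ScheduledNotification"
APPLICABLE_STATUSES = {"OK", "ResourceDiscovered"}


class EventError(ValueError):
    """The event does not have the documented shape (hypothetical helper type)."""


def parse_event(event):
    """Decode the JSON-in-a-string attributes and normalise the three event shapes."""
    for key in ("invokingEvent", "resultToken", "accountId"):
        if key not in event:
            raise EventError("missing attribute: " + key)
    try:
        invoking = json.loads(event["invokingEvent"])
        params = json.loads(event.get("ruleParameters") or "{}")
    except (TypeError, ValueError) as exc:
        raise EventError("attribute is not a JSON string") from exc
    if not isinstance(invoking, dict) or not isinstance(params, dict):
        raise EventError("decoded attributes must be JSON objects")
    message_type = invoking.get("messageType")
    parsed = {"message_type": message_type, "params": params,
              "left_scope": bool(event.get("eventLeftScope", False)),
              "result_token": event["resultToken"]}
    try:
        if message_type in ITEM_KEYS:
            item = invoking[ITEM_KEYS[message_type]]
            # A summary (oversized item) has no 'configuration'; the full item
            # must be fetched separately before attribute-level checks can run.
            parsed.update(resource_type=item["resourceType"],
                          resource_id=item["resourceId"],
                          status=item["configurationItemStatus"],
                          timestamp=item["configurationItemCaptureTime"],
                          configuration=item.get("configuration"))
        elif message_type == SCHEDULED:
            parsed.update(resource_type="AWS::::Account",
                          resource_id=event["accountId"], status=None,
                          timestamp=invoking["notificationCreationTime"],
                          configuration=None)
        else:
            raise EventError("unsupported messageType: %r" % (message_type,))
    except (KeyError, TypeError, AttributeError) as exc:
        raise EventError("invokingEvent is missing a field: %s" % exc) from exc
    return parsed


def is_applicable(parsed):
    """False once the resource has left the rule's scope or was deleted."""
    if parsed["left_scope"]:
        return False
    return parsed["message_type"] == SCHEDULED or parsed["status"] in APPLICABLE_STATUSES


def build_put_evaluations_request(event, check):
    """Return the PutEvaluations keyword arguments; check() runs only if applicable."""
    parsed = parse_event(event)
    compliance = "NOT_APPLICABLE"
    if is_applicable(parsed):
        compliance = check(parsed)
    return {"ResultToken": parsed["result_token"], "Evaluations": [{
        "ComplianceResourceType": parsed["resource_type"],
        "ComplianceResourceId": parsed["resource_id"],
        "ComplianceType": compliance,
        "OrderingTimestamp": parsed["timestamp"]}]}


def desired_instance_type(parsed):
    """Compare instanceType with the desiredInstanceType rule parameter."""
    if parsed["resource_type"] != "AWS::EC2::Instance":
        return "NOT_APPLICABLE"
    if parsed["configuration"] is None:
        # Oversized item: fail loudly rather than report a verdict on no data.
        raise LookupError("full configuration item required")
    wanted = parsed["params"].get("desiredInstanceType")
    actual = parsed["configuration"].get("instanceType")
    return "COMPLIANT" if actual == wanted else "NON_COMPLIANT"


def sample_event(status="OK", instance_type="t2.micro", left_scope=False):
    """Constructed change-triggered event with placeholder IDs."""
    item = {"resourceType": "AWS::EC2::Instance", "resourceId": "i-00000000",
            "configurationItemStatus": status,
            "configurationItemCaptureTime": "2016-02-17T01:36:34.043Z",
            "configuration": {"instanceType": instance_type}}
    return {"invokingEvent": json.dumps({"configurationItem": item,
                "messageType": "ConfigurationItemChangeNotification"}),
            "ruleParameters": json.dumps({"desiredInstanceType": "t2.micro"}),
            "resultToken": "myResultToken", "eventLeftScope": left_scope,
            "accountId": "123456789012", "version": "1.0"}
```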

# Service-Linked AWS Config Rules
<a name="service-linked-awsconfig-rules"></a>

A service-linked AWS Config rule is a unique type of AWS Config managed rule that lets other AWS services create AWS Config rules in your account. Service-linked rules are predefined to include all the permissions required to call other AWS services on your behalf. These rules are similar to standards that an AWS service recommends in your AWS account for compliance verification.

These service-linked AWS Config rules are owned by AWS service teams. The AWS service team creates these rules in your AWS account. You have read-only access to these rules. You cannot edit or delete these rules if you are subscribed to the AWS service that these rules are linked to.

**Service-linked rules and the AWS Command Line Interface**

With the AWS CLI, the [PutConfigRule](https://docs.aws.amazon.com/config/latest/APIReference/API_PutConfigRule.html), [DeleteConfigRule](https://docs.aws.amazon.com/config/latest/APIReference/API_DeleteConfigRule.html), and [DeleteEvaluationResults](https://docs.aws.amazon.com/config/latest/APIReference/API_DeleteEvaluationResults.html) APIs return access denied with the following error message:

`INSUFFICIENT_SLCR_PERMISSIONS = "An AWS service owns ServiceLinkedConfigRule. You do not have permissions to take action on this rule."`

**Service-linked rules and the AWS Config console**

In the AWS Config console, the service-linked AWS Config rules are visible on the **Rules** page. The **Edit** and **Delete results** buttons are greyed out in the console to restrict you from editing the rule. You can view details of the rule by choosing the rule.

**Service-linked rules, remediation actions, and conformance packs**

To add remediation actions to a service-linked rule in a conformance pack, you need to add the remediation action to the conformance pack template itself, and then update the conformance pack with your updated template. For information on updating conformance packs, see [Deploying a Conformance Pack (Console)](https://docs.aws.amazon.com/config/latest/developerguide/conformance-pack-console.html), [Deploying a Conformance Pack (AWS CLI)](https://docs.aws.amazon.com/config/latest/developerguide/conformance-pack-cli.html) and [Managing Organizational Conformance Packs](https://docs.aws.amazon.com/config/latest/developerguide/conformance-pack-organization-apis.html).

**Editing and deleting service-linked rules**

To edit or delete a service-linked rule, contact the AWS service that created the rule. For example, for service-linked rules created by AWS Security Hub CSPM, you can remove a service-linked rule by following these steps in the *AWS Security Hub CSPM User Guide*: [Disabling a security standard](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-enable-disable.html).

# Managing AWS Config Rules Across All Accounts in Your Organization
<a name="config-rule-multi-account-deployment"></a>

**Important**  
Organizational rules can only be created using the API or CLI. This operation is not supported in the AWS Config console.

AWS Config allows you to manage AWS Config rules across all AWS accounts within an organization. You can:
+ Centrally create, update, and delete AWS Config rules across all accounts in your organization. 
+ Deploy a common set of AWS Config rules across all accounts and specify accounts where AWS Config rules should not be created.
+ Use the APIs from the management account in AWS Organizations to enforce governance by ensuring that the underlying AWS Config rules are not modifiable by your organization’s member accounts.

## Considerations
<a name="config-rule-multi-account-deployment-considerations"></a>

**For deployments across different regions**

The API call to deploy rules and conformance packs across accounts is AWS Region specific. At the organization level, you need to change the context of your API call to a different region if you want to deploy rules in other regions. For example, to deploy a rule in US East (N. Virginia), change the region to US East (N. Virginia) and then call `PutOrganizationConfigRule`.

**For accounts within an organization**

If a new account joins an organization, the rule or conformance pack is deployed to that account. When an account leaves an organization, the rule or conformance pack is removed.

If you deploy an organizational rule or conformance pack in an organization administrator account, and then establish a delegated administrator and deploy an organizational rule or conformance pack in the delegated administrator account, neither account can see the other's deployment. From the delegated administrator account, you won't be able to see the organizational rule or conformance pack in the organization administrator account. From the organization administrator account, you won't be able to see the organizational rule or conformance pack in the delegated administrator account. The [DescribeOrganizationConfigRules](https://docs.aws.amazon.com/config/latest/APIReference/API_DescribeOrganizationConfigRules.html) and [DescribeOrganizationConformancePacks](https://docs.aws.amazon.com/config/latest/APIReference/API_DescribeOrganizationConformancePacks.html) APIs can only see and interact with the organization-related resources that were deployed from within the account calling those APIs.

**Retry mechanism for new accounts added to an organization**

Deployment of existing organizational rules and conformance packs will only be retried for 7 hours after an account is added to your organization if a recorder is not available. You are expected to create a recorder if one doesn't exist within 7 hours of adding an account to your organization.

**Organization management accounts, delegated administrators, and service-linked roles**

If you are using an organization management account and intend to use a delegated administrator for organizational deployment, be aware that AWS Config won't automatically create the service-linked role (SLR). You must manually create the service-linked role (SLR) separately using IAM.

If you do not have an SLR for your management account, you will not be able to deploy resources to that account from a delegated administrator account. You will still be able to deploy AWS Config rules to member accounts from management and delegated administrator accounts. For more information, see [Using service-linked roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html) in the *AWS Identity and Access Management (IAM) User Guide*.

## Deployment
<a name="config-rule-multi-account-deployment-deploy"></a>

For information on how to integrate AWS Config with AWS Organizations, see [AWS Config and AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-config.html) in the *AWS Organizations User Guide*. Ensure AWS Config recording is on before you use the following APIs to manage AWS Config rules across all AWS accounts within an organization:
+ [PutOrganizationConfigRule](https://docs.aws.amazon.com/config/latest/APIReference/API_PutOrganizationConfigRule.html), adds or updates an organization config rule for your entire organization, evaluating whether your AWS resources comply with your desired configurations.
+ [DescribeOrganizationConfigRules](https://docs.aws.amazon.com/config/latest/APIReference/API_DescribeOrganizationConfigRules.html), returns a list of organization config rules.
+ [GetOrganizationConfigRuleDetailedStatus](https://docs.aws.amazon.com/config/latest/APIReference/API_GetOrganizationConfigRuleDetailedStatus.html), returns detailed status for each member account within an organization for a given organization config rule.
+ [GetOrganizationCustomRulePolicy](https://docs.aws.amazon.com/config/latest/APIReference/API_GetOrganizationCustomRulePolicy.html), returns the policy definition containing the logic for your organization config custom policy rule.
+ [DescribeOrganizationConfigRuleStatuses](https://docs.aws.amazon.com/config/latest/APIReference/API_DescribeOrganizationConfigRuleStatuses.html), provides organization config rule deployment status for an organization.
+ [DeleteOrganizationConfigRule](https://docs.aws.amazon.com/config/latest/APIReference/API_DeleteOrganizationConfigRule.html), deletes the specified organization config rule and all of its evaluation results from all member accounts in that organization.
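An added example (not AWS's code) of the Region-specific deployment described above: it builds the `PutOrganizationConfigRule` arguments for a managed rule, issues the call once per Region, and lists the member accounts whose deployment failed according to a `GetOrganizationConfigRuleDetailedStatus` response. The helper names, the rule name, the choice of the `S3_BUCKET_VERSIONING_ENABLED` managed rule, the account IDs and the sample status response are assumptions or constructed values.

```python
import json
import re

ACCOUNT_ID = re.compile(r"\d{12}")


def build_org_rule_request(rule_name, rule_identifier, excluded_accounts=(),
                           input_parameters=None):
    """Return keyword arguments for PutOrganizationConfigRule (managed rule)."""
    bad = [a for a in excluded_accounts if not ACCOUNT_ID.fullmatch(a)]
    if bad:
        raise ValueError("not 12-digit account IDs: " + ", ".join(bad))
    metadata = {"RuleIdentifier": rule_identifier}
    if input_parameters:
        # InputParameters is a JSON document passed as a string.
        metadata["InputParameters"] = json.dumps(input_parameters, sort_keys=True)
    request = {"OrganizationConfigRuleName": rule_name,
               "OrganizationManagedRuleMetadata": metadata}
    if excluded_accounts:
        # Accounts in which the rule should not be created.
        request["ExcludedAccounts"] = sorted(set(excluded_accounts))
    return request


def deploy(request, regions):
    """Issue the call once per Region, because the API is Region specific."""
    import boto3  # imported here so the pure helpers work without the SDK
    arns = {}
    for region in regions:
        client = boto3.client("config", region_name=region)
        response = client.put_organization_config_rule(**request)
        arns[region] = response["OrganizationConfigRuleArn"]
    return arns


def failed_accounts(detailed_status_response):
    """Map account ID -> (status, error code) for members where deployment failed."""
    failures = {}
    for entry in detailed_status_response.get("OrganizationConfigRuleDetailedStatus", []):
        status = entry["MemberAccountRuleStatus"]
        if status.endswith("_FAILED"):
            failures[entry["AccountId"]] = (status, entry.get("ErrorCode", ""))
    return failures


# Constructed values: placeholder rule name and account IDs.
EXAMPLE_REQUEST = build_org_rule_request(
    "org-s3-versioning", "S3_BUCKET_VERSIONING_ENABLED",
    excluded_accounts=["210987654321"])

# Constructed response in the shape of GetOrganizationConfigRuleDetailedStatus;
# the error code is a placeholder, not a real service value.
SAMPLE_DETAILED_STATUS = {"OrganizationConfigRuleDetailedStatus": [
    {"AccountId": "123456789012", "ConfigRuleName": "org-s3-versioning",
     "MemberAccountRuleStatus": "CREATE_SUCCESSFUL"},
    {"AccountId": "111122223333", "ConfigRuleName": "org-s3-versioning",
     "MemberAccountRuleStatus": "CREATE_FAILED", "ErrorCode": "ExampleErrorCode"},
]}
```

Run `deploy(EXAMPLE_REQUEST, [...])` from the management or delegated administrator account with AWS Config recording already on in each target Region.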

## Region Support
<a name="region-support-org-config-rules"></a>

Deploying AWS Config Rules across member accounts in an AWS Organization is supported in the following Regions.

[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/config/latest/developerguide/config-rule-multi-account-deployment.html)

# Adding AWS Config Rules
<a name="evaluate-config_add-rules"></a>

You can use the AWS Config console or the AWS SDKs to add rules.

**Topics**
+ [Using the console](#evaluate-config_add-rules-console)
+ [Using the AWS SDKs](#evaluate-config_add-rules-cli)

## Adding Rules (Console)
<a name="evaluate-config_add-rules-console"></a>

The **Rules** page shows your rules and their current compliance results in a table. The result for each rule is **Evaluating...** until AWS Config finishes evaluating your resources against the rule. You can update the results with the refresh button. When AWS Config finishes evaluations, you can see the rules and resource types that are compliant or noncompliant. For more information, see [Viewing Compliance Information and Evaluation Results for your AWS Resources with AWS Config](evaluate-config_view-compliance.md).

**Note**  
When you add a new rule, AWS Config evaluates the applicable resources in your resource inventory, including previously recorded resources. For example, if you recorded `AWS::IoT::Policy` resources but later excluded them from recording, AWS Config retains the initial configuration items (CIs) in your inventory. Although AWS Config no longer updates these CIs when their associated resource types are excluded from recording, it retains their last recorded state and evaluates them when you add applicable rules.  
AWS Config does not evaluate resources that are not in the resource inventory. For example, if you add the [amplify-branch-tagged](amplify-branch-tagged.md) rule but don't record and have never recorded `AWS::Amplify::Branch` resources, AWS Config can't evaluate whether the AWS Amplify branches in your account are compliant or noncompliant.  
For more information, see [Recording AWS Resources with AWS Config](select-resources.md).

### Adding rules
<a name="add-rules-console"></a>

**To add a rule**

1. Sign in to the AWS Management Console and open the AWS Config console at [https://console.aws.amazon.com/config/home](https://console.aws.amazon.com/config/home).

1. In the AWS Management Console menu, verify that the region selector is set to a region that supports AWS Config rules. For the list of supported regions, see [AWS Config Regions and Endpoints](https://docs.aws.amazon.com/general/latest/gr/awsconfig.html) in the *Amazon Web Services General Reference*. 

1. In the left navigation, choose **Rules**. 

1. On the **Rules** page, choose **Add rule**. 

1. On the **Specify rule type** page, specify the rule type by completing the following steps:

   1. Type in the search field to filter the list of managed rules by rule name, description, and label. For example, type **EC2** to return rules that evaluate EC2 resource types or type **periodic** to return rules that are triggered periodically.

   1. You can also create your own custom rule. Choose **Create custom rule using Lambda** or **Create custom rule using Guard**, and follow the procedure in [Creating AWS Config Custom Lambda Rules](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_develop-rules_lambda-functions.html) or [Creating AWS Config Custom Policy Rules](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_develop-rules_cfn-guard.html). 

1. On the **Configure rule** page, configure your rule by completing the following steps:

   1. For **Name**, type a unique name for the rule.

   1. For **Description**, type a description for the rule.

   1. For **Evaluation mode**, choose when in the resource creation and management process you want AWS Config to evaluate your resources. Depending on the rule, AWS Config can evaluate your resource configurations before a resource has been deployed, after a resource has been deployed, or both.

      1. Choose **Turn on proactive evaluation** to allow you to run evaluations on the configuration settings of your resources before they are deployed.

         After you have turned on proactive evaluation, you can use the [StartResourceEvaluation](https://docs.aws.amazon.com/config/latest/APIReference/API_StartResourceEvaluation.html) API and [GetResourceEvaluationSummary](https://docs.aws.amazon.com/config/latest/APIReference/API_GetResourceEvaluationSummary.html) API to check if the resources you specify in these commands would be flagged as `NON_COMPLIANT` by the proactive rules in your account in your Region.

         For more information on using these commands, see [Evaluating Your Resources with AWS Config Rules](https://docs.aws.amazon.com/config/latest/developerguide/evaluating-your-resources.html#evaluating-your-resources-proactive). For a list of managed rules that support proactive evaluation, see [List of AWS Config Managed Rules by Evaluation Mode](https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-evaluation-mode.html).

      1. Choose **Turn on detective evaluation** to evaluate the configuration settings of your existing resources.

         For detective evaluation, there are two types of triggers: **When configuration changes** and **Periodic**.

         1.  If the trigger types for your rule include **Configuration changes**, specify one of the following options for **Scope of changes** with which AWS Config invokes your Lambda function:
            +  **Resources** – When a resource that matches the specified resource type, or the type plus identifier, is created, changed, or deleted.
            +  **Tags** – When a resource with the specified tag is created, changed, or deleted.
            +  **All changes** – When a resource recorded by AWS Config is created, changed, or deleted.

            AWS Config runs the evaluation when it detects a change to a resource that matches the rule's scope. You can use the scope to define which resources initiate evaluations.

         1. If the trigger types for your rule include **Periodic**, specify the **Frequency** with which AWS Config invokes your Lambda function.

   1. For **Parameters**, you can customize the values for the provided keys if your rule includes parameters. A parameter is an attribute that your resources must adhere to before they are considered compliant with the rule.

1. On the **Review and create** page, review all your selections before adding the rule to your AWS account. If your rule is not working as expected, you might see one of the following for **Compliance**: 
   +  **No results reported** - AWS Config evaluated your resources against the rule. The rule did not apply to the AWS resources in its scope, the specified resources were deleted, or the evaluation results were deleted. To get evaluation results, update the rule, change its scope, or choose **Re-evaluate**. 

     This message may also appear if the rule didn't report evaluation results.
   +  **No resources in scope** - AWS Config cannot evaluate your recorded AWS resources against this rule because none of your resources are within the rule’s scope. To get evaluation results, edit the rule and change its scope, or add resources for AWS Config to record by using the **Settings** page.
   +  **Evaluations failed** - For information that can help you determine the problem, choose the rule name to open its details page and see the error message.
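
The proactive evaluation step above, as an added example (not part of the AWS documentation or the AWS code examples repository): a pre-deployment gate that calls `StartResourceEvaluation`, polls `GetResourceEvaluationSummary` until the evaluation finishes, and turns the result into an allow, block or review decision. The function names, the `max_wait_s` and `poll_s` parameters, and the bucket name are assumptions made for this example.

```python
import json
import time


def proactive_check(config_client, resource_type, resource_id, properties,
                    max_wait_s=120, poll_s=3, sleep=time.sleep):
    """Evaluate a resource that is not deployed yet against the proactive rules.

    `properties` is the planned resource configuration as a dict that follows
    the resource type's CloudFormation schema. Returns the final
    GetResourceEvaluationSummary response. Raises RuntimeError if AWS Config
    reports the evaluation as FAILED, TimeoutError if it does not finish.
    """
    started = config_client.start_resource_evaluation(
        ResourceDetails={
            "ResourceId": resource_id,
            "ResourceType": resource_type,
            # The configuration is sent as a JSON string, not as a nested object.
            "ResourceConfiguration": json.dumps(properties),
            "ResourceConfigurationSchemaType": "CFN_RESOURCE_SCHEMA",
        },
        EvaluationMode="PROACTIVE",
    )
    evaluation_id = started["ResourceEvaluationId"]

    waited = 0
    while True:
        summary = config_client.get_resource_evaluation_summary(
            ResourceEvaluationId=evaluation_id
        )
        status = summary["EvaluationStatus"]["Status"]
        if status == "SUCCEEDED":
            return summary
        if status == "FAILED":
            reason = summary["EvaluationStatus"].get("FailureReason", "no reason given")
            raise RuntimeError(f"evaluation {evaluation_id} failed: {reason}")
        if waited >= max_wait_s:
            raise TimeoutError(f"evaluation {evaluation_id} still {status} after {waited}s")
        sleep(poll_s)
        waited += poll_s


def gate(summary):
    """Map the evaluation summary to a deployment decision."""
    compliance = summary.get("Compliance")
    if compliance == "NON_COMPLIANT":
        return "block"
    if compliance == "COMPLIANT":
        return "allow"
    # Anything else carries no compliant/noncompliant verdict for this resource,
    # so a person should look before the deployment proceeds.
    return "review"


if __name__ == "__main__":
    import boto3  # requires credentials and proactive rules in the Region

    # Constructed sample: a planned S3 bucket that does not exist yet.
    result = proactive_check(
        boto3.client("config"),
        "AWS::S3::Bucket",
        "example-planned-bucket",
        {"BucketName": "example-planned-bucket"},
    )
    print(result.get("Compliance"), gate(result))
```
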

## Adding Rules (AWS SDKs)
<a name="evaluate-config_add-rules-cli"></a>

### Adding rules
<a name="add-rules-cli"></a>

The following code examples show how to use `PutConfigRule`.

------
#### [ CLI ]

**AWS CLI**  
**To add an AWS managed Config rule**  
The following command provides JSON code to add an AWS managed Config rule:  

```
aws configservice put-config-rule --config-rule file://RequiredTagsForEC2Instances.json
```
`RequiredTagsForEC2Instances.json` is a JSON file that contains the rule configuration:  

```
{
  "ConfigRuleName": "RequiredTagsForEC2Instances",
  "Description": "Checks whether the CostCenter and Owner tags are applied to EC2 instances.",
  "Scope": {
    "ComplianceResourceTypes": [
      "AWS::EC2::Instance"
    ]
  },
  "Source": {
    "Owner": "AWS",
    "SourceIdentifier": "REQUIRED_TAGS"
  },
  "InputParameters": "{\"tag1Key\":\"CostCenter\",\"tag2Key\":\"Owner\"}"
}
```
For the `ComplianceResourceTypes` attribute, this JSON code limits the scope to resources of the `AWS::EC2::Instance` type, so AWS Config will evaluate only EC2 instances against the rule. Because the rule is a managed rule, the `Owner` attribute is set to `AWS`, and the `SourceIdentifier` attribute is set to the rule identifier, `REQUIRED_TAGS`. For the `InputParameters` attribute, the tag keys that the rule requires, `CostCenter` and `Owner`, are specified.  
If the command succeeds, AWS Config returns no output. To verify the rule configuration, run the describe-config-rules command, and specify the rule name.  
**To add a customer managed Config rule**  
The following command provides JSON code to add a customer managed Config rule:  

```
aws configservice put-config-rule --config-rule file://InstanceTypesAreT2micro.json
```
`InstanceTypesAreT2micro.json` is a JSON file that contains the rule configuration:  

```
{
  "ConfigRuleName": "InstanceTypesAreT2micro",
  "Description": "Evaluates whether EC2 instances are the t2.micro type.",
  "Scope": {
    "ComplianceResourceTypes": [
      "AWS::EC2::Instance"
    ]
  },
  "Source": {
    "Owner": "CUSTOM_LAMBDA",
    "SourceIdentifier": "arn:aws:lambda:us-east-1:123456789012:function:InstanceTypeCheck",
    "SourceDetails": [
      {
        "EventSource": "aws.config",
        "MessageType": "ConfigurationItemChangeNotification"
      }
    ]
  },
  "InputParameters": "{\"desiredInstanceType\":\"t2.micro\"}"
}
```
For the `ComplianceResourceTypes` attribute, this JSON code limits the scope to resources of the `AWS::EC2::Instance` type, so AWS Config will evaluate only EC2 instances against the rule. Because this rule is a customer managed rule, the `Owner` attribute is set to `CUSTOM_LAMBDA`, and the `SourceIdentifier` attribute is set to the ARN of the AWS Lambda function. The `SourceDetails` object is required. The parameters that are specified for the `InputParameters` attribute are passed to the AWS Lambda function when AWS Config invokes it to evaluate resources against the rule.  
If the command succeeds, AWS Config returns no output. To verify the rule configuration, run the describe-config-rules command, and specify the rule name.  
+  For API details, see [PutConfigRule](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configservice/put-config-rule.html) in *AWS CLI Command Reference*. 

------
#### [ Python ]

**SDK for Python (Boto3)**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/config#code-examples). 

```
import logging

from botocore.exceptions import ClientError

logger = logging.getLogger(__name__)


class ConfigWrapper:
    """
    Encapsulates AWS Config functions.
    """

    def __init__(self, config_client):
        """
        :param config_client: A Boto3 AWS Config client.
        """
        self.config_client = config_client


    def put_config_rule(self, rule_name):
        """
        Sets a configuration rule that prohibits making Amazon S3 buckets publicly
        readable.

        :param rule_name: The name to give the rule.
        """
        try:
            self.config_client.put_config_rule(
                ConfigRule={
                    "ConfigRuleName": rule_name,
                    "Description": "S3 Public Read Prohibited Bucket Rule",
                    "Scope": {
                        "ComplianceResourceTypes": [
                            "AWS::S3::Bucket",
                        ],
                    },
                    "Source": {
                        "Owner": "AWS",
                        "SourceIdentifier": "S3_BUCKET_PUBLIC_READ_PROHIBITED",
                    },
                    "InputParameters": "{}",
                    "ConfigRuleState": "ACTIVE",
                }
            )
            logger.info("Created configuration rule %s.", rule_name)
        except ClientError:
            logger.exception("Couldn't create configuration rule %s.", rule_name)
            raise
```
+  For API details, see [PutConfigRule](https://docs.aws.amazon.com/goto/boto3/config-2014-11-12/PutConfigRule) in *AWS SDK for Python (Boto3) API Reference*. 

------
#### [ SAP ABAP ]

**SDK for SAP ABAP**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/cfs#code-examples). 

```
    " Create a config rule for S3 bucket public read prohibition
    lo_cfs->putconfigrule(
      io_configrule = NEW /aws1/cl_cfsconfigrule(
        iv_configrulename = iv_rule_name
        iv_description = |S3 Public Read Prohibited Bucket Rule|
        io_scope = NEW /aws1/cl_cfsscope(
          it_complianceresourcetypes = VALUE /aws1/cl_cfscplncresrctypes_w=>tt_complianceresourcetypes(
            ( NEW /aws1/cl_cfscplncresrctypes_w( |AWS::S3::Bucket| ) )
          )
        )
        io_source = NEW /aws1/cl_cfssource(
          iv_owner = |AWS|
          iv_sourceidentifier = |S3_BUCKET_PUBLIC_READ_PROHIBITED|
        )
        iv_inputparameters = '{}'
        iv_configrulestate = |ACTIVE|
      )
    ).
    MESSAGE 'Created AWS Config rule.' TYPE 'I'.
```
+  For API details, see [PutConfigRule](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html) in *AWS SDK for SAP ABAP API reference*. 

------
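
The attribute requirements described for the two rule files above, as an added pre-flight check (not part of the AWS documentation or the AWS code examples repository) to run on a rule file before passing it to `put-config-rule`. It flags the mistakes those paragraphs imply: `InputParameters` given as a nested object instead of a JSON string, a `CUSTOM_LAMBDA` source without a Lambda ARN or without `SourceDetails`, and a malformed resource type. `check_rule_file` and the sample constants are names made up for this example, and `BROKEN_RULE` is constructed.

```python
import json
import re

LAMBDA_ARN = re.compile(
    r"^arn:aws[a-z-]*:lambda:[a-z0-9-]+:\d{12}:function:[A-Za-z0-9_-]+(:[A-Za-z0-9$_-]+)?$"
)
RESOURCE_TYPE = re.compile(r"^AWS::[A-Za-z0-9]+::[A-Za-z0-9]+$")
MESSAGE_TYPES = {
    "ConfigurationItemChangeNotification",
    "OversizedConfigurationItemChangeNotification",
    "ScheduledNotification",
    "ConfigurationSnapshotDeliveryCompleted",
}

# InstanceTypesAreT2micro.json as shown on this page (Description omitted).
PAGE_RULE = r"""
{
  "ConfigRuleName": "InstanceTypesAreT2micro",
  "Scope": {"ComplianceResourceTypes": ["AWS::EC2::Instance"]},
  "Source": {
    "Owner": "CUSTOM_LAMBDA",
    "SourceIdentifier": "arn:aws:lambda:us-east-1:123456789012:function:InstanceTypeCheck",
    "SourceDetails": [
      {"EventSource": "aws.config", "MessageType": "ConfigurationItemChangeNotification"}
    ]
  },
  "InputParameters": "{\"desiredInstanceType\":\"t2.micro\"}"
}
"""

# Constructed sample containing four mistakes.
BROKEN_RULE = r"""
{
  "ConfigRuleName": "InstanceTypesAreT2micro",
  "Scope": {"ComplianceResourceTypes": ["EC2::Instance"]},
  "Source": {"Owner": "CUSTOM_LAMBDA", "SourceIdentifier": "InstanceTypeCheck"},
  "InputParameters": {"desiredInstanceType": "t2.micro"}
}
"""


def _check_source(source):
    """Check the Source object against the Owner-specific requirements."""
    owner = source.get("Owner")
    ident = source.get("SourceIdentifier")
    ident = ident if isinstance(ident, str) else ""
    problems = []
    if owner == "AWS":
        if not ident or ident.startswith("arn:"):
            problems.append("Source: a managed rule needs the rule identifier, not an ARN")
    elif owner == "CUSTOM_LAMBDA":
        if not LAMBDA_ARN.match(ident):
            problems.append("Source: SourceIdentifier must be the Lambda function ARN")
        details = source.get("SourceDetails")
        if not isinstance(details, list) or not details:
            problems.append("Source: SourceDetails is required for CUSTOM_LAMBDA")
        else:
            for detail in details:
                if not isinstance(detail, dict) or detail.get("EventSource") != "aws.config":
                    problems.append("Source: SourceDetails.EventSource must be aws.config")
                elif detail.get("MessageType") not in MESSAGE_TYPES:
                    problems.append(f"Source: unknown MessageType {detail.get('MessageType')!r}")
    elif owner != "CUSTOM_POLICY":  # Guard policy rules are not checked here
        problems.append(f"Source: unexpected Owner {owner!r}")
    return problems


def check_rule_file(text):
    """Return a list of problems found in a put-config-rule JSON document."""
    try:
        rule = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} at line {exc.lineno}"]
    if not isinstance(rule, dict):
        return ["top level must be a JSON object"]

    problems = []
    if not rule.get("ConfigRuleName"):
        problems.append("ConfigRuleName is missing")

    scope = rule.get("Scope") if isinstance(rule.get("Scope"), dict) else {}
    for rtype in scope.get("ComplianceResourceTypes", []):
        if not isinstance(rtype, str) or not RESOURCE_TYPE.match(rtype):
            problems.append(f"Scope: {rtype!r} is not an AWS::Service::Type name")

    source = rule.get("Source")
    if isinstance(source, dict):
        problems += _check_source(source)
    else:
        problems.append("Source is missing")

    params = rule.get("InputParameters")
    if params is not None:
        if not isinstance(params, str):
            problems.append("InputParameters must be a JSON-encoded string, not an object")
        else:
            try:
                if not isinstance(json.loads(params), dict):
                    problems.append("InputParameters must encode a JSON object")
            except json.JSONDecodeError:
                problems.append("InputParameters does not contain valid JSON")
    return problems
```
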

# Updating AWS Config Rules
<a name="evaluate-config_update-rules"></a>

You can use the AWS Config console or the AWS SDKs to update your rules.

**Topics**
+ [Using the console](#evaluate-config_update-rules-console)
+ [Using the AWS SDKs](#evaluate-config_update-rules-cli)

## Updating Rules (Console)
<a name="evaluate-config_update-rules-console"></a>

The **Rules** page shows your rules and their current compliance results in a table. The result for each rule is **Evaluating...** until AWS Config finishes evaluating your resources against the rule. You can update the results with the refresh button. When AWS Config finishes evaluations, you can see the rules and resource types that are compliant or noncompliant. For more information, see [Viewing Compliance Information and Evaluation Results for your AWS Resources with AWS Config](evaluate-config_view-compliance.md).

### Updating rules
<a name="update-rules-console"></a>

**To update a rule**

1. Sign in to the AWS Management Console and open the AWS Config console at [https://console.aws.amazon.com/config/home](https://console.aws.amazon.com/config/home).

1. In the AWS Management Console menu, verify that the region selector is set to a region that supports AWS Config rules. For the list of supported regions, see [AWS Config Regions and Endpoints](https://docs.aws.amazon.com/general/latest/gr/rande.html#awsconfig_region) in the *Amazon Web Services General Reference*. 

1. In the left navigation, choose **Rules**. 

1. Choose a rule and **Edit rule** for the rule that you want to update.

1. Modify the settings on the **Edit rule** page to change your rule as needed.

1. Choose **Save**.

## Updating Rules (AWS SDKs)
<a name="evaluate-config_update-rules-cli"></a>

### Updating rules
<a name="update-rules-cli"></a>

If you are updating a rule that you added previously, you can specify the rule by `ConfigRuleName`, `ConfigRuleId`, or `ConfigRuleArn` in the `ConfigRule` data type that you use in this request. You use the same `PutConfigRule` command that you use when adding a rule.

The following code examples show how to use `PutConfigRule`.

------
#### [ CLI ]

**AWS CLI**  
**To add an AWS managed Config rule**  
The following command provides JSON code to add an AWS managed Config rule:  

```
aws configservice put-config-rule --config-rule file://RequiredTagsForEC2Instances.json
```
`RequiredTagsForEC2Instances.json` is a JSON file that contains the rule configuration:  

```
{
  "ConfigRuleName": "RequiredTagsForEC2Instances",
  "Description": "Checks whether the CostCenter and Owner tags are applied to EC2 instances.",
  "Scope": {
    "ComplianceResourceTypes": [
      "AWS::EC2::Instance"
    ]
  },
  "Source": {
    "Owner": "AWS",
    "SourceIdentifier": "REQUIRED_TAGS"
  },
  "InputParameters": "{\"tag1Key\":\"CostCenter\",\"tag2Key\":\"Owner\"}"
}
```
For the `ComplianceResourceTypes` attribute, this JSON code limits the scope to resources of the `AWS::EC2::Instance` type, so AWS Config will evaluate only EC2 instances against the rule. Because the rule is a managed rule, the `Owner` attribute is set to `AWS`, and the `SourceIdentifier` attribute is set to the rule identifier, `REQUIRED_TAGS`. For the `InputParameters` attribute, the tag keys that the rule requires, `CostCenter` and `Owner`, are specified.  
If the command succeeds, AWS Config returns no output. To verify the rule configuration, run the describe-config-rules command, and specify the rule name.  
**To add a customer managed Config rule**  
The following command provides JSON code to add a customer managed Config rule:  

```
aws configservice put-config-rule --config-rule file://InstanceTypesAreT2micro.json
```
`InstanceTypesAreT2micro.json` is a JSON file that contains the rule configuration:  

```
{
  "ConfigRuleName": "InstanceTypesAreT2micro",
  "Description": "Evaluates whether EC2 instances are the t2.micro type.",
  "Scope": {
    "ComplianceResourceTypes": [
      "AWS::EC2::Instance"
    ]
  },
  "Source": {
    "Owner": "CUSTOM_LAMBDA",
    "SourceIdentifier": "arn:aws:lambda:us-east-1:123456789012:function:InstanceTypeCheck",
    "SourceDetails": [
      {
        "EventSource": "aws.config",
        "MessageType": "ConfigurationItemChangeNotification"
      }
    ]
  },
  "InputParameters": "{\"desiredInstanceType\":\"t2.micro\"}"
}
```
For the `ComplianceResourceTypes` attribute, this JSON code limits the scope to resources of the `AWS::EC2::Instance` type, so AWS Config will evaluate only EC2 instances against the rule. Because this rule is a customer managed rule, the `Owner` attribute is set to `CUSTOM_LAMBDA`, and the `SourceIdentifier` attribute is set to the ARN of the AWS Lambda function. The `SourceDetails` object is required. The parameters that are specified for the `InputParameters` attribute are passed to the AWS Lambda function when AWS Config invokes it to evaluate resources against the rule.  
If the command succeeds, AWS Config returns no output. To verify the rule configuration, run the describe-config-rules command, and specify the rule name.  
+  For API details, see [PutConfigRule](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configservice/put-config-rule.html) in *AWS CLI Command Reference*. 

------
#### [ Python ]

**SDK for Python (Boto3)**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/config#code-examples). 

```
import logging

from botocore.exceptions import ClientError

logger = logging.getLogger(__name__)


class ConfigWrapper:
    """
    Encapsulates AWS Config functions.
    """

    def __init__(self, config_client):
        """
        :param config_client: A Boto3 AWS Config client.
        """
        self.config_client = config_client


    def put_config_rule(self, rule_name):
        """
        Sets a configuration rule that prohibits making Amazon S3 buckets publicly
        readable.

        :param rule_name: The name to give the rule.
        """
        try:
            self.config_client.put_config_rule(
                ConfigRule={
                    "ConfigRuleName": rule_name,
                    "Description": "S3 Public Read Prohibited Bucket Rule",
                    "Scope": {
                        "ComplianceResourceTypes": [
                            "AWS::S3::Bucket",
                        ],
                    },
                    "Source": {
                        "Owner": "AWS",
                        "SourceIdentifier": "S3_BUCKET_PUBLIC_READ_PROHIBITED",
                    },
                    "InputParameters": "{}",
                    "ConfigRuleState": "ACTIVE",
                }
            )
            logger.info("Created configuration rule %s.", rule_name)
        except ClientError:
            logger.exception("Couldn't create configuration rule %s.", rule_name)
            raise
```
+  For API details, see [PutConfigRule](https://docs.aws.amazon.com/goto/boto3/config-2014-11-12/PutConfigRule) in *AWS SDK for Python (Boto3) API Reference*. 

------
#### [ SAP ABAP ]

**SDK for SAP ABAP**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/cfs#code-examples). 

```
    " Create a config rule for S3 bucket public read prohibition
    lo_cfs->putconfigrule(
      io_configrule = NEW /aws1/cl_cfsconfigrule(
        iv_configrulename = iv_rule_name
        iv_description = |S3 Public Read Prohibited Bucket Rule|
        io_scope = NEW /aws1/cl_cfsscope(
          it_complianceresourcetypes = VALUE /aws1/cl_cfscplncresrctypes_w=>tt_complianceresourcetypes(
            ( NEW /aws1/cl_cfscplncresrctypes_w( |AWS::S3::Bucket| ) )
          )
        )
        io_source = NEW /aws1/cl_cfssource(
          iv_owner = |AWS|
          iv_sourceidentifier = |S3_BUCKET_PUBLIC_READ_PROHIBITED|
        )
        iv_inputparameters = '{}'
        iv_configrulestate = |ACTIVE|
      )
    ).
    MESSAGE 'Created AWS Config rule.' TYPE 'I'.
```
+  For API details, see [PutConfigRule](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html) in *AWS SDK for SAP ABAP API reference*. 

------

# Deleting AWS Config Rules
<a name="evaluate-config_delete-rules"></a>

You can use the AWS Config console or the AWS SDKs to delete your rules.

**Topics**
+ [Considerations](#evaluate-config_delete-rules-considerations)
+ [Using the console](#evaluate-config_delete-rules-console)
+ [Using the AWS SDKs](#evaluate-config_delete-rules-cli)

## Considerations
<a name="evaluate-config_delete-rules-considerations"></a>

**Recommendation: Consider excluding the `AWS::Config::ResourceCompliance` resource type from recording before deleting rules**

Deleting rules creates configuration items (CIs) for `AWS::Config::ResourceCompliance` that can affect your costs for the configuration recorder. If you are deleting rules which evaluate a large number of resource types, this can lead to a spike in the number of CIs recorded.

To avoid the associated costs, you can opt to disable recording for the `AWS::Config::ResourceCompliance` resource type before deleting rules, and re-enable recording after the rules have been deleted.

However, since deleting rules is an asynchronous process, it might take an hour or more to complete. During the time when recording is disabled for `AWS::Config::ResourceCompliance`, rule evaluations will not be recorded in the associated resource’s history.
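
The sequence described above (stop recording `AWS::Config::ResourceCompliance`, delete the rules, wait for the asynchronous deletion, restore recording), as an added example that is not part of the AWS documentation or the AWS code examples repository. It covers all three recording strategies a recorder can use. The function names, `poll_s` and `max_wait_s` are assumptions made for this example, and it assumes the account has one configuration recorder in the Region.

```python
import copy
import time

COMPLIANCE_TYPE = "AWS::Config::ResourceCompliance"


def without_resource_compliance(recording_group):
    """Return a copy of a recorder's recordingGroup that skips ResourceCompliance."""
    group = copy.deepcopy(recording_group)
    strategy = (group.get("recordingStrategy") or {}).get("useOnly")
    if strategy is None:  # infer the strategy when the field is absent
        strategy = ("ALL_SUPPORTED_RESOURCE_TYPES" if group.get("allSupported")
                    else "INCLUSION_BY_RESOURCE_TYPES")

    if strategy == "INCLUSION_BY_RESOURCE_TYPES":
        # An explicit list is recorded: drop the type from it.
        kept = [t for t in group.get("resourceTypes", []) if t != COMPLIANCE_TYPE]
        if not kept:
            raise ValueError("removing the type would leave an empty inclusion list")
        group["resourceTypes"] = kept
        return group

    # "All supported" or an existing exclusion list: record everything except
    # the already excluded types plus ResourceCompliance.
    excluded = set((group.get("exclusionByResourceTypes") or {}).get("resourceTypes", []))
    excluded.add(COMPLIANCE_TYPE)
    return {
        "allSupported": False,
        "includeGlobalResourceTypes": False,
        "exclusionByResourceTypes": {"resourceTypes": sorted(excluded)},
        "recordingStrategy": {"useOnly": "EXCLUSION_BY_RESOURCE_TYPES"},
    }


def _rule_exists(config_client, name):
    """True while DescribeConfigRules still returns the rule."""
    try:
        config_client.describe_config_rules(ConfigRuleNames=[name])
        return True
    except config_client.exceptions.NoSuchConfigRuleException:
        return False


def delete_rules(config_client, rule_names, poll_s=60, max_wait_s=7200, sleep=time.sleep):
    """Delete rules while ResourceCompliance recording is switched off.

    Returns the names of rules that still exist when max_wait_s is reached
    (an empty list when every deletion completed). The original recordingGroup
    is put back verbatim in all cases.
    """
    recorder = config_client.describe_configuration_recorders()["ConfigurationRecorders"][0]
    base = {k: recorder[k] for k in ("name", "roleARN", "recordingMode") if k in recorder}

    def put(group):
        config_client.put_configuration_recorder(
            ConfigurationRecorder={**base, "recordingGroup": group}
        )

    put(without_resource_compliance(recorder["recordingGroup"]))
    remaining, waited = list(rule_names), 0
    try:
        for name in remaining:
            config_client.delete_config_rule(ConfigRuleName=name)
        while True:
            remaining = [n for n in remaining if _rule_exists(config_client, n)]
            if not remaining or waited >= max_wait_s:
                break
            sleep(poll_s)
            waited += poll_s
    finally:
        put(recorder["recordingGroup"])  # re-enable recording as it was
    return remaining
```

Call it as `delete_rules(boto3.client("config"), ["MyConfigRule"])`. While it runs, rule evaluations are missing from the affected resources' history, as the paragraph above notes.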

## Deleting Rules (Console)
<a name="evaluate-config_delete-rules-console"></a>

The **Rules** page shows your rules and their current compliance results in a table. The result for each rule is **Evaluating...** until AWS Config finishes evaluating your resources against the rule. You can update the results with the refresh button. When AWS Config finishes evaluations, you can see the rules and resource types that are compliant or noncompliant. For more information, see [Viewing Compliance Information and Evaluation Results for your AWS Resources with AWS Config](evaluate-config_view-compliance.md).

**Note**  
AWS Config evaluates only the resource types that it is recording. For example, if you add the **cloudtrail-enabled** rule but don't record the CloudTrail trail resource type, AWS Config can't evaluate whether the trails in your account are compliant or noncompliant. For more information, see [Recording AWS Resources with AWS Config](select-resources.md).

### Deleting rules
<a name="delete-rules-console"></a>

**To delete a rule**

1. Sign in to the AWS Management Console and open the AWS Config console at [https://console.aws.amazon.com/config/home](https://console.aws.amazon.com/config/home).

1. In the AWS Management Console menu, verify that the region selector is set to a region that supports AWS Config rules. For the list of supported regions, see [AWS Config Regions and Endpoints](https://docs.aws.amazon.com/general/latest/gr/rande.html#awsconfig_region) in the *Amazon Web Services General Reference*. 

1. In the left navigation, choose **Rules**. 

1. Choose a rule from the table that you want to delete.

1. From the **Actions** dropdown list, choose **Delete rule**.

1. When prompted, type "Delete" (case-sensitive) and then choose **Delete**.

## Deleting Rules (AWS SDKs)
<a name="evaluate-config_delete-rules-cli"></a>

### Deleting rules
<a name="delete-rules-cli"></a>

The following code examples show how to use `DeleteConfigRule`.

------
#### [ CLI ]

**AWS CLI**  
**To delete an AWS Config rule**  
The following command deletes an AWS Config rule named `MyConfigRule`:  

```
aws configservice delete-config-rule --config-rule-name MyConfigRule
```
+  For API details, see [DeleteConfigRule](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configservice/delete-config-rule.html) in *AWS CLI Command Reference*. 

------
#### [ Python ]

**SDK for Python (Boto3)**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/config#code-examples). 

```
import logging

from botocore.exceptions import ClientError

logger = logging.getLogger(__name__)


class ConfigWrapper:
    """
    Encapsulates AWS Config functions.
    """

    def __init__(self, config_client):
        """
        :param config_client: A Boto3 AWS Config client.
        """
        self.config_client = config_client


    def delete_config_rule(self, rule_name):
        """
        Delete the specified rule.

        :param rule_name: The name of the rule to delete.
        """
        try:
            self.config_client.delete_config_rule(ConfigRuleName=rule_name)
            logger.info("Deleted rule %s.", rule_name)
        except ClientError:
            logger.exception("Couldn't delete rule %s.", rule_name)
            raise
```
+  For API details, see [DeleteConfigRule](https://docs.aws.amazon.com/goto/boto3/config-2014-11-12/DeleteConfigRule) in *AWS SDK for Python (Boto3) API Reference*. 

------
#### [ SAP ABAP ]

**SDK for SAP ABAP**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/cfs#code-examples). 

```
    lo_cfs->deleteconfigrule( iv_rule_name ).
    MESSAGE 'Deleted AWS Config rule.' TYPE 'I'.
```
+  For API details, see [DeleteConfigRule](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html) in *AWS SDK for SAP ABAP API reference*. 

------

# Viewing Details and Compliance Information for your AWS Config Rules
<a name="evaluate-config_view-rules"></a>

**Important**  
For accurate reporting on the compliance status, you must record the `AWS::Config::ResourceCompliance` resource type. For more information, see [Recording AWS Resources](https://docs.aws.amazon.com/config/latest/developerguide/select-resources.html).

You can use the AWS Config console or the AWS SDKs to view your rules.

**Topics**
+ [Using the console](#evaluate-config_view-rules-console)
+ [Using the AWS SDKs](#evaluate-config_view-rules-cli)

## Viewing Rules (Console)
<a name="evaluate-config_view-rules-console"></a>

The **Rules** page shows your rules and their current compliance results in a table. The result for each rule is **Evaluating...** until AWS Config finishes evaluating your resources against the rule. You can update the results with the refresh button. When AWS Config finishes evaluations, you can see the rules and resource types that are compliant or noncompliant. For more information, see [Viewing Compliance Information and Evaluation Results for your AWS Resources with AWS Config](evaluate-config_view-compliance.md).

**Note**  
AWS Config evaluates only the resource types that it is recording. For example, if you add the **cloudtrail-enabled** rule but don't record the CloudTrail trail resource type, AWS Config can't evaluate whether the trails in your account are compliant or noncompliant. For more information, see [Recording AWS Resources with AWS Config](select-resources.md).

### Viewing rules
<a name="view-rules-console"></a>

**To view your rules**

1. Sign in to the AWS Management Console and open the AWS Config console at [https://console.aws.amazon.com/config/home](https://console.aws.amazon.com/config/home).

1. In the AWS Management Console menu, verify that the region selector is set to a region that supports AWS Config rules. For the list of supported regions, see [AWS Config Regions and Endpoints](https://docs.aws.amazon.com/general/latest/gr/rande.html#awsconfig_region) in the *Amazon Web Services General Reference*. 

1. In the left navigation, choose **Rules**. 

1. The **Rules** page shows all the rules that are currently in your AWS account. It lists the name, associated remediation action, and compliance status of each rule.
   + Choose **Add rule** to get started with creating a rule.
   + Choose a rule to see its settings, or choose a rule and **View details**.
   + See the compliance status of the rule when it evaluates your resources.
   + Choose a rule and **Edit rule** to change the configuration settings of the rule and set a remediation action for a noncompliant rule.

## Viewing Rules (AWS SDKs)
<a name="evaluate-config_view-rules-cli"></a>

### Viewing details for your rules
<a name="view-rules-cli"></a>

The following code examples show how to use `DescribeConfigRules`.

------
#### [ CLI ]

**AWS CLI**  
**To get details for an AWS Config rule**  
The following command returns details for an AWS Config rule named `InstanceTypesAreT2micro`:  

```
aws configservice describe-config-rules --config-rule-names InstanceTypesAreT2micro
```
Output:  

```
{
    "ConfigRules": [
        {
            "ConfigRuleState": "ACTIVE",
            "Description": "Evaluates whether EC2 instances are the t2.micro type.",
            "ConfigRuleName": "InstanceTypesAreT2micro",
            "ConfigRuleArn": "arn:aws:config:us-east-1:123456789012:config-rule/config-rule-abcdef",
            "Source": {
                "Owner": "CUSTOM_LAMBDA",
                "SourceIdentifier": "arn:aws:lambda:us-east-1:123456789012:function:InstanceTypeCheck",
                "SourceDetails": [
                    {
                        "EventSource": "aws.config",
                        "MessageType": "ConfigurationItemChangeNotification"
                    }
                ]
            },
            "InputParameters": "{\"desiredInstanceType\":\"t2.micro\"}",
            "Scope": {
                "ComplianceResourceTypes": [
                    "AWS::EC2::Instance"
                ]
            },
            "ConfigRuleId": "config-rule-abcdef"
        }
    ]
}
```
+  For API details, see [DescribeConfigRules](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configservice/describe-config-rules.html) in *AWS CLI Command Reference*. 

------
#### [ PowerShell ]

**Tools for PowerShell V4**  
**Example 1: This sample lists config rules for the account, with selected properties.**  

```
Get-CFGConfigRule | Select-Object ConfigRuleName, ConfigRuleId, ConfigRuleArn, ConfigRuleState
```
**Output:**  

```
ConfigRuleName                                    ConfigRuleId       ConfigRuleArn                                                        ConfigRuleState
--------------                                    ------------       -------------                                                        ---------------
ALB_REDIRECTION_CHECK                             config-rule-12iyn3 arn:aws:config-service:eu-west-1:123456789012:config-rule/config-rule-12iyn3 ACTIVE
access-keys-rotated                               config-rule-aospfr arn:aws:config-service:eu-west-1:123456789012:config-rule/config-rule-aospfr ACTIVE
autoscaling-group-elb-healthcheck-required        config-rule-cn1f2x arn:aws:config-service:eu-west-1:123456789012:config-rule/config-rule-cn1f2x ACTIVE
```
+  For API details, see [DescribeConfigRules](https://docs.aws.amazon.com/powershell/v4/reference) in *AWS Tools for PowerShell Cmdlet Reference (V4)*. 

**Tools for PowerShell V5**  
**Example 1: This sample lists config rules for the account, with selected properties.**  

```
Get-CFGConfigRule | Select-Object ConfigRuleName, ConfigRuleId, ConfigRuleArn, ConfigRuleState
```
**Output:**  

```
ConfigRuleName                                    ConfigRuleId       ConfigRuleArn                                                        ConfigRuleState
--------------                                    ------------       -------------                                                        ---------------
ALB_REDIRECTION_CHECK                             config-rule-12iyn3 arn:aws:config-service:eu-west-1:123456789012:config-rule/config-rule-12iyn3 ACTIVE
access-keys-rotated                               config-rule-aospfr arn:aws:config-service:eu-west-1:123456789012:config-rule/config-rule-aospfr ACTIVE
autoscaling-group-elb-healthcheck-required        config-rule-cn1f2x arn:aws:config-service:eu-west-1:123456789012:config-rule/config-rule-cn1f2x ACTIVE
```
+  For API details, see [DescribeConfigRules](https://docs.aws.amazon.com/powershell/v5/reference) in *AWS Tools for PowerShell Cmdlet Reference (V5)*. 

------
#### [ Python ]

**SDK for Python (Boto3)**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/config#code-examples). 

```
import logging

from botocore.exceptions import ClientError

logger = logging.getLogger(__name__)


class ConfigWrapper:
    """
    Encapsulates AWS Config functions.
    """

    def __init__(self, config_client):
        """
        :param config_client: A Boto3 AWS Config client.
        """
        self.config_client = config_client


    def describe_config_rule(self, rule_name):
        """
        Gets data for the specified rule.

        :param rule_name: The name of the rule to retrieve.
        :return: The rule data.
        """
        try:
            response = self.config_client.describe_config_rules(
                ConfigRuleNames=[rule_name]
            )
            rule = response["ConfigRules"]
            logger.info("Got data for rule %s.", rule_name)
        except ClientError:
            logger.exception("Couldn't get data for rule %s.", rule_name)
            raise
        else:
            return rule
```
+  For API details, see [DescribeConfigRules](https://docs.aws.amazon.com/goto/boto3/config-2014-11-12/DescribeConfigRules) in *AWS SDK for Python (Boto3) API Reference*. 

------
#### [ SAP ABAP ]

**SDK for SAP ABAP**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/cfs#code-examples). 

```
    DATA(lo_result) = lo_cfs->describeconfigrules(
      it_configrulenames = VALUE /aws1/cl_cfsconfigrulenames_w=>tt_configrulenames(
        ( NEW /aws1/cl_cfsconfigrulenames_w( iv_rule_name ) )
      )
    ).
    ot_cfg_rules = lo_result->get_configrules( ).
    MESSAGE 'Retrieved AWS Config rule data.' TYPE 'I'.
```
+  For API details, see [DescribeConfigRules](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html) in *AWS SDK for SAP ABAP API reference*. 

------

### Viewing compliance information for your rules
<a name="evaluate-config_view-rules-compliance-information-cli-collapsible"></a>

The following code examples show how to use `DescribeComplianceByConfigRule`.

------
#### [ CLI ]

**AWS CLI**  
**To get compliance information for your AWS Config rules**  
The following command returns compliance information for each AWS Config rule that is violated by one or more AWS resources:  

```
aws configservice describe-compliance-by-config-rule --compliance-types NON_COMPLIANT
```
In the output, the value for each `CappedCount` attribute indicates how many resources do not comply with the related rule. For example, the following output indicates that 3 resources do not comply with the rule named `InstanceTypesAreT2micro`.  
Output:  

```
{
    "ComplianceByConfigRules": [
        {
            "Compliance": {
                "ComplianceContributorCount": {
                    "CappedCount": 3,
                    "CapExceeded": false
                },
                "ComplianceType": "NON_COMPLIANT"
            },
            "ConfigRuleName": "InstanceTypesAreT2micro"
        },
        {
            "Compliance": {
                "ComplianceContributorCount": {
                    "CappedCount": 10,
                    "CapExceeded": false
                },
                "ComplianceType": "NON_COMPLIANT"
            },
            "ConfigRuleName": "RequiredTagsForVolumes"
        }
    ]
}
```
+  For API details, see [DescribeComplianceByConfigRule](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configservice/describe-compliance-by-config-rule.html) in *AWS CLI Command Reference*. 

------
#### [ PowerShell ]

**Tools for PowerShell V4**  
**Example 1: This example retrieves compliance details for the rule ebs-optimized-instance. Because the rule has no current evaluation results, it returns INSUFFICIENT_DATA.**  

```
(Get-CFGComplianceByConfigRule -ConfigRuleName ebs-optimized-instance).Compliance
```
**Output:**  

```
ComplianceContributorCount ComplianceType
-------------------------- --------------
                           INSUFFICIENT_DATA
```
**Example 2: This example returns the number of non-compliant resources for the rule ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK.**  

```
(Get-CFGComplianceByConfigRule -ConfigRuleName ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK -ComplianceType NON_COMPLIANT).Compliance.ComplianceContributorCount
```
**Output:**  

```
CapExceeded CappedCount
----------- -----------
False       2
```
+  For API details, see [DescribeComplianceByConfigRule](https://docs.aws.amazon.com/powershell/v4/reference) in *AWS Tools for PowerShell Cmdlet Reference (V4)*. 

**Tools for PowerShell V5**  
**Example 1: This example retrieves compliance details for the rule ebs-optimized-instance. Because the rule has no current evaluation results, it returns INSUFFICIENT_DATA.**  

```
(Get-CFGComplianceByConfigRule -ConfigRuleName ebs-optimized-instance).Compliance
```
**Output:**  

```
ComplianceContributorCount ComplianceType
-------------------------- --------------
                           INSUFFICIENT_DATA
```
**Example 2: This example returns the number of non-compliant resources for the rule ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK.**  

```
(Get-CFGComplianceByConfigRule -ConfigRuleName ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK -ComplianceType NON_COMPLIANT).Compliance.ComplianceContributorCount
```
**Output:**  

```
CapExceeded CappedCount
----------- -----------
False       2
```
+  For API details, see [DescribeComplianceByConfigRule](https://docs.aws.amazon.com/powershell/v5/reference) in *AWS Tools for PowerShell Cmdlet Reference (V5)*. 

------

### Viewing the compliance summary for your rules
<a name="evaluate-config_view-rules-compliance-sdk-compliance-summar6-rules-collapsible"></a>

The following code examples show how to use `GetComplianceSummaryByConfigRule`.

------
#### [ CLI ]

**AWS CLI**  
**To get the compliance summary for your AWS Config rules**  
The following command returns the number of rules that are compliant and the number that are noncompliant:  

```
aws configservice get-compliance-summary-by-config-rule
```
In the output, the value for each `CappedCount` attribute indicates how many rules are compliant or noncompliant.  
Output:  

```
{
    "ComplianceSummary": {
        "NonCompliantResourceCount": {
            "CappedCount": 3,
            "CapExceeded": false
        },
        "ComplianceSummaryTimestamp": 1452204131.493,
        "CompliantResourceCount": {
            "CappedCount": 2,
            "CapExceeded": false
        }
    }
}
```
+  For API details, see [GetComplianceSummaryByConfigRule](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configservice/get-compliance-summary-by-config-rule.html) in *AWS CLI Command Reference*. 

------
#### [ PowerShell ]

**Tools for PowerShell V4**  
**Example 1: This sample returns the number of Config rules that are non-compliant.**  

```
Get-CFGComplianceSummaryByConfigRule -Select ComplianceSummary.NonCompliantResourceCount
```
**Output:**  

```
CapExceeded CappedCount
----------- -----------
False       9
```
+  For API details, see [GetComplianceSummaryByConfigRule](https://docs.aws.amazon.com/powershell/v4/reference) in *AWS Tools for PowerShell Cmdlet Reference (V4)*. 

**Tools for PowerShell V5**  
**Example 1: This sample returns the number of Config rules that are non-compliant.**  

```
Get-CFGComplianceSummaryByConfigRule -Select ComplianceSummary.NonCompliantResourceCount
```
**Output:**  

```
CapExceeded CappedCount
----------- -----------
False       9
```
+  For API details, see [GetComplianceSummaryByConfigRule](https://docs.aws.amazon.com/powershell/v5/reference) in *AWS Tools for PowerShell Cmdlet Reference (V5)*. 

------

### Viewing the evaluation results for your rules
<a name="evaluate-config_view-rules-compliance-sdk-evaluation-results-rules-collapsible"></a>

The following code examples show how to use `GetComplianceDetailsByConfigRule`.

------
#### [ CLI ]

**AWS CLI**  
**To get the evaluation results for an AWS Config rule**  
The following command returns the evaluation results for all of the resources that don't comply with an AWS Config rule named `InstanceTypesAreT2micro`:  

```
aws configservice get-compliance-details-by-config-rule --config-rule-name InstanceTypesAreT2micro --compliance-types NON_COMPLIANT
```
Output:  

```
{
    "EvaluationResults": [
        {
            "EvaluationResultIdentifier": {
                "OrderingTimestamp": 1450314635.065,
                "EvaluationResultQualifier": {
                    "ResourceType": "AWS::EC2::Instance",
                    "ResourceId": "i-1a2b3c4d",
                    "ConfigRuleName": "InstanceTypesAreT2micro"
                }
            },
            "ResultRecordedTime": 1450314645.261,
            "ConfigRuleInvokedTime": 1450314642.948,
            "ComplianceType": "NON_COMPLIANT"
        },
        {
            "EvaluationResultIdentifier": {
                "OrderingTimestamp": 1450314635.065,
                "EvaluationResultQualifier": {
                    "ResourceType": "AWS::EC2::Instance",
                    "ResourceId": "i-2a2b3c4d",
                    "ConfigRuleName": "InstanceTypesAreT2micro"
                }
            },
            "ResultRecordedTime": 1450314645.18,
            "ConfigRuleInvokedTime": 1450314642.902,
            "ComplianceType": "NON_COMPLIANT"
        },
        {
            "EvaluationResultIdentifier": {
                "OrderingTimestamp": 1450314635.065,
                "EvaluationResultQualifier": {
                    "ResourceType": "AWS::EC2::Instance",
                    "ResourceId": "i-3a2b3c4d",
                    "ConfigRuleName": "InstanceTypesAreT2micro"
                }
            },
            "ResultRecordedTime": 1450314643.346,
            "ConfigRuleInvokedTime": 1450314643.124,
            "ComplianceType": "NON_COMPLIANT"
        }
    ]
}
```
+  For API details, see [GetComplianceDetailsByConfigRule](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configservice/get-compliance-details-by-config-rule.html) in *AWS CLI Command Reference*. 

------
#### [ PowerShell ]

**Tools for PowerShell V4**  
**Example 1: This example obtains the evaluation results for the rule access-keys-rotated and returns the output grouped by compliance-type**  

```
Get-CFGComplianceDetailsByConfigRule -ConfigRuleName access-keys-rotated | Group-Object ComplianceType
```
**Output:**  

```
Count Name                      Group
----- ----                      -----
    2 COMPLIANT                 {Amazon.ConfigService.Model.EvaluationResult, Amazon.ConfigService.Model.EvaluationResult}
    5 NON_COMPLIANT             {Amazon.ConfigService.Model.EvaluationResult, Amazon.ConfigService.Model.EvaluationResult, Amazon.ConfigService.Model.EvaluationRes...
```
**Example 2: This example queries compliance details for the rule access-keys-rotated for COMPLIANT resources.**  

```
Get-CFGComplianceDetailsByConfigRule -ConfigRuleName access-keys-rotated -ComplianceType COMPLIANT | ForEach-Object {$_.EvaluationResultIdentifier.EvaluationResultQualifier}
```
**Output:**  

```
ConfigRuleName      ResourceId            ResourceType
--------------      ----------            ------------
access-keys-rotated BCAB1CDJ2LITAPVEW3JAH AWS::IAM::User
access-keys-rotated BCAB1CDJ2LITL3EHREM4Q AWS::IAM::User
```
+  For API details, see [GetComplianceDetailsByConfigRule](https://docs.aws.amazon.com/powershell/v4/reference) in *AWS Tools for PowerShell Cmdlet Reference (V4)*. 

**Tools for PowerShell V5**  
**Example 1: This example obtains the evaluation results for the rule access-keys-rotated and returns the output grouped by compliance-type**  

```
Get-CFGComplianceDetailsByConfigRule -ConfigRuleName access-keys-rotated | Group-Object ComplianceType
```
**Output:**  

```
Count Name                      Group
----- ----                      -----
    2 COMPLIANT                 {Amazon.ConfigService.Model.EvaluationResult, Amazon.ConfigService.Model.EvaluationResult}
    5 NON_COMPLIANT             {Amazon.ConfigService.Model.EvaluationResult, Amazon.ConfigService.Model.EvaluationResult, Amazon.ConfigService.Model.EvaluationRes...
```
**Example 2: This example queries compliance details for the rule access-keys-rotated for COMPLIANT resources.**  

```
Get-CFGComplianceDetailsByConfigRule -ConfigRuleName access-keys-rotated -ComplianceType COMPLIANT | ForEach-Object {$_.EvaluationResultIdentifier.EvaluationResultQualifier}
```
**Output:**  

```
ConfigRuleName      ResourceId            ResourceType
--------------      ----------            ------------
access-keys-rotated BCAB1CDJ2LITAPVEW3JAH AWS::IAM::User
access-keys-rotated BCAB1CDJ2LITL3EHREM4Q AWS::IAM::User
```
+  For API details, see [GetComplianceDetailsByConfigRule](https://docs.aws.amazon.com/powershell/v5/reference) in *AWS Tools for PowerShell Cmdlet Reference (V5)*. 

------
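The three operations above can be combined into one inventory of noncompliant resources. This is an added example, not code from the AWS documentation: it follows `NextToken` on both calls and treats `CappedCount` as a lower bound when `CapExceeded` is true. The names `noncompliant_report`, `_pages` and `StubComplianceClient` are hypothetical, `client` is assumed to be a boto3 AWS Config client (`boto3.client("config")`), and the stub data is constructed from the sample output above plus 30 made-up volume IDs.

```python
def _pages(call, **kwargs):
    """Yield every page of a NextToken-paginated AWS Config operation."""
    while True:
        page = call(**kwargs)
        yield page
        token = page.get("NextToken")
        if not token:
            return
        kwargs["NextToken"] = token


def noncompliant_report(client):
    """List each violated rule with its capped count and the resources that violate it."""
    report = []
    for page in _pages(client.describe_compliance_by_config_rule,
                       ComplianceTypes=["NON_COMPLIANT"]):
        for item in page["ComplianceByConfigRules"]:
            count = item["Compliance"].get("ComplianceContributorCount", {})
            resources = set()
            # The per-rule detail listing is authoritative; the count above is capped.
            for details in _pages(client.get_compliance_details_by_config_rule,
                                  ConfigRuleName=item["ConfigRuleName"],
                                  ComplianceTypes=["NON_COMPLIANT"]):
                for result in details["EvaluationResults"]:
                    q = result["EvaluationResultIdentifier"]["EvaluationResultQualifier"]
                    resources.add((q["ResourceType"], q["ResourceId"]))
            report.append({
                "rule": item["ConfigRuleName"],
                "capped_count": count.get("CappedCount", 0),
                "cap_exceeded": count.get("CapExceeded", False),
                "resources": sorted(resources),
            })
    # Rules whose count hit the cap first, then by descending count.
    report.sort(key=lambda r: (not r["cap_exceeded"], -r["capped_count"], r["rule"]))
    return report


class StubComplianceClient:
    """Constructed stand-in for the AWS Config client so the example runs offline."""

    def __init__(self):
        self._rows = {
            "InstanceTypesAreT2micro": [("AWS::EC2::Instance", i)
                                        for i in ("i-1a2b3c4d", "i-2a2b3c4d", "i-3a2b3c4d")],
            # Constructed: more resources than the (constructed) capped count of 25.
            "RequiredTagsForVolumes": [("AWS::EC2::Volume", "vol-%08x" % n)
                                       for n in range(30)],
        }

    def describe_compliance_by_config_rule(self, ComplianceTypes, NextToken=None):
        def entry(name, capped, exceeded):
            return {"ConfigRuleName": name,
                    "Compliance": {"ComplianceType": "NON_COMPLIANT",
                                   "ComplianceContributorCount": {
                                       "CappedCount": capped, "CapExceeded": exceeded}}}
        return {"ComplianceByConfigRules": [
            entry("InstanceTypesAreT2micro", 3, False),
            entry("RequiredTagsForVolumes", 25, True),
        ]}

    def get_compliance_details_by_config_rule(self, ConfigRuleName, ComplianceTypes,
                                              NextToken=None):
        rows, start, size = self._rows[ConfigRuleName], int(NextToken or 0), 2
        page = {"EvaluationResults": [
            {"ComplianceType": "NON_COMPLIANT",
             "EvaluationResultIdentifier": {"EvaluationResultQualifier": {
                 "ConfigRuleName": ConfigRuleName,
                 "ResourceType": rtype, "ResourceId": rid}}}
            for rtype, rid in rows[start:start + size]]}
        if start + size < len(rows):
            page["NextToken"] = str(start + size)  # two results per page, to exercise paging
        return page


if __name__ == "__main__":
    for row in noncompliant_report(StubComplianceClient()):
        shown = "%d%s" % (row["capped_count"], "+" if row["cap_exceeded"] else "")
        print("%-26s count=%-4s listed=%d" % (row["rule"], shown, len(row["resources"])))
```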

# Turning on Proactive Evaluation for AWS Config Rules
<a name="evaluate-config_turn-on-proactive-rules"></a>

You can use the AWS Config console or the AWS SDKs to turn on proactive evaluation rules. For a list of resource types and managed rules that support proactive evaluation, see [Components of a Rule \$1 Evaluation Modes](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_components.html#evaluate-config_use-managed-rules-proactive-detective).

**Topics**
+ [Using the console](#evaluate-config_turn-on-proactive-rules-console)
+ [Using the AWS SDKs](#evaluate-config_turn-on-proactive-rules-cli)

## Turning on Proactive Evaluation (Console)
<a name="evaluate-config_turn-on-proactive-rules-console"></a>

The **Rules** page shows your rules and their current compliance results in a table. The result for each rule is **Evaluating...** until AWS Config finishes evaluating your resources against the rule. You can update the results with the refresh button.

When AWS Config finishes evaluations, you can see the rules and resource types that are compliant or noncompliant. For more information, see [Viewing Compliance Information and Evaluation Results for your AWS Resources with AWS Config](evaluate-config_view-compliance.md).

**Note**  
AWS Config evaluates only the resource types that it is recording. For example, if you add the **cloudtrail-enabled** rule but don't record the CloudTrail trail resource type, AWS Config can't evaluate whether the trails in your account are compliant or noncompliant. For more information, see [Recording AWS Resources with AWS Config](select-resources.md).

### Turning on proactive evaluation
<a name="turn-on-proactive-rules-console"></a>

You can use *proactive evaluation* to evaluate resources before they have been deployed. This allows you to evaluate whether a set of resource properties, if used to define an AWS resource, would be COMPLIANT or NON_COMPLIANT given the set of proactive rules that you have in your account in your Region.

The [Resource type schema](https://docs.aws.amazon.com/cloudformation-cli/latest/userguide/resource-type-schema.html) states the properties of a resource. You can find the resource type schema in "*AWS public extensions*" within the AWS CloudFormation registry or with the following CLI command:

```
aws cloudformation describe-type --type-name "AWS::S3::Bucket" --type RESOURCE
```

For more information, see [Managing extensions through the CloudFormation registry](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/registry.html#registry-view) and [AWS resource and property types reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-template-resource-type-ref.html) in the AWS CloudFormation User Guide.

**Note**  
Proactive rules do not remediate resources that are flagged as NON_COMPLIANT or prevent them from being deployed.

**To turn on proactive evaluation**

1. Sign in to the AWS Management Console and open the AWS Config console at [https://console.aws.amazon.com/config/home](https://console.aws.amazon.com/config/home).

1. In the AWS Management Console menu, verify that the Region selector is set to a Region that supports AWS Config rules. For the list of supported AWS Regions, see [AWS Config Regions and Endpoints](https://docs.aws.amazon.com/general/latest/gr/rande.html#awsconfig_region) in the *Amazon Web Services General Reference*. 

1. In the left navigation, choose **Rules**. For a list of managed rules that support proactive evaluation, see [List of AWS Config Managed Rules by Evaluation Mode](https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-evaluation-mode.html).

1. Choose a rule, and then choose **Edit rule** for the rule that you want to update.

1. For **Evaluation mode**, choose **Turn on proactive evaluation** to allow you to run evaluations on the configuration settings of your resources before they are deployed.

1. Choose **Save**.

After you have turned on proactive evaluation, you can use the [StartResourceEvaluation](https://docs.aws.amazon.com/config/latest/APIReference/API_StartResourceEvaluation.html) API and [GetResourceEvaluationSummary](https://docs.aws.amazon.com/config/latest/APIReference/API_GetResourceEvaluationSummary.html) API to check if the resources you specify in these commands would be flagged as NON_COMPLIANT by the proactive rules in your account in your Region.

For example, start with the StartResourceEvaluation API:

```
aws configservice start-resource-evaluation --evaluation-mode PROACTIVE \
                --resource-details '{"ResourceId":"MY_RESOURCE_ID",
                                     "ResourceType":"AWS::RESOURCE::TYPE",
                                     "ResourceConfiguration":"RESOURCE_DEFINITION_AS_PER_THE_RESOURCE_CONFIGURATION_SCHEMA",
                                     "ResourceConfigurationSchemaType":"CFN_RESOURCE_SCHEMA"}'
```

You should receive the `ResourceEvaluationId` in the output:

```
{
    "ResourceEvaluationId": "MY_RESOURCE_EVALUATION_ID"
}
```

Then, use the `ResourceEvaluationId` with the GetResourceEvaluationSummary API to check the evaluation result:

```
aws configservice get-resource-evaluation-summary \
    --resource-evaluation-id MY_RESOURCE_EVALUATION_ID
```

You should receive output similar to the following:

```
{
    "ResourceEvaluationId": "MY_RESOURCE_EVALUATION_ID",
    "EvaluationMode": "PROACTIVE",
    "EvaluationStatus": {
        "Status": "SUCCEEDED"
    },
    "EvaluationStartTimestamp": "2022-11-15T19:13:46.029000+00:00",
    "Compliance": "COMPLIANT",
    "ResourceDetails": {
        "ResourceId": "MY_RESOURCE_ID",
        "ResourceType": "AWS::RESOURCE::TYPE",
        "ResourceConfiguration": "RESOURCE_DEFINITION_AS_PER_THE_RESOURCE_CONFIGURATION_SCHEMA"
    }
}
```

To see additional information about the evaluation result, such as which rule flagged a resource as NON_COMPLIANT, use the [GetComplianceDetailsByResource](https://docs.aws.amazon.com/config/latest/APIReference/API_GetComplianceDetailsByResource.html) API.

## Turning on Proactive Evaluation (AWS SDKs)
<a name="evaluate-config_turn-on-proactive-rules-cli"></a>

### Turning on proactive evaluation (AWS CLI)
<a name="turn-on-proactive-rules-cli"></a>

You can use *proactive evaluation* to evaluate resources before they have been deployed. This allows you to evaluate whether a set of resource properties, if used to define an AWS resource, would be COMPLIANT or NON_COMPLIANT given the set of proactive rules that you have in your account in your Region.

The [Resource type schema](https://docs.aws.amazon.com/cloudformation-cli/latest/userguide/resource-type-schema.html) states the properties of a resource. You can find the resource type schema in "*AWS public extensions*" within the AWS CloudFormation registry or with the following CLI command:

```
aws cloudformation describe-type --type-name "AWS::S3::Bucket" --type RESOURCE
```

For more information, see [Managing extensions through the CloudFormation registry](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/registry.html#registry-view) and [AWS resource and property types reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-template-resource-type-ref.html) in the AWS CloudFormation User Guide.

**Note**  
Proactive rules do not remediate resources that are flagged as NON_COMPLIANT or prevent them from being deployed.

**To turn on proactive evaluation**

Use the [put-config-rule](http://docs.aws.amazon.com/cli/latest/reference/configservice/put-config-rule.html) command and enable `PROACTIVE` for `EvaluationModes`.

After you have turned on proactive evaluation, you can use the [start-resource-evaluation](https://docs.aws.amazon.com/cli/latest/reference/configservice/start-resource-evaluation.html) CLI command and [get-resource-evaluation-summary](https://docs.aws.amazon.com/cli/latest/reference/configservice/get-resource-evaluation-summary.html) CLI command to check if the resources you specify in these commands would be flagged as NON_COMPLIANT by the proactive rules in your account in your Region.

For example, start with the **start-resource-evaluation** command:

```
aws configservice start-resource-evaluation --evaluation-mode PROACTIVE \
                --resource-details '{"ResourceId":"MY_RESOURCE_ID",
                                     "ResourceType":"AWS::RESOURCE::TYPE",
                                     "ResourceConfiguration":"RESOURCE_DEFINITION_AS_PER_THE_RESOURCE_CONFIGURATION_SCHEMA",
                                     "ResourceConfigurationSchemaType":"CFN_RESOURCE_SCHEMA"}'
```

You should receive the `ResourceEvaluationId` in the output:

```
{
    "ResourceEvaluationId": "MY_RESOURCE_EVALUATION_ID"
}
```

Then, use the `ResourceEvaluationId` with the **get-resource-evaluation-summary** command to check the evaluation result:

```
aws configservice get-resource-evaluation-summary \
    --resource-evaluation-id MY_RESOURCE_EVALUATION_ID
```

You should receive output similar to the following:

```
{
    "ResourceEvaluationId": "MY_RESOURCE_EVALUATION_ID",
    "EvaluationMode": "PROACTIVE",
    "EvaluationStatus": {
        "Status": "SUCCEEDED"
    },
    "EvaluationStartTimestamp": "2022-11-15T19:13:46.029000+00:00",
    "Compliance": "COMPLIANT",
    "ResourceDetails": {
        "ResourceId": "MY_RESOURCE_ID",
        "ResourceType": "AWS::RESOURCE::TYPE",
        "ResourceConfiguration": "RESOURCE_DEFINITION_AS_PER_THE_RESOURCE_CONFIGURATION_SCHEMA"
    }
}
```

To see additional information about the evaluation result, such as which rule flagged a resource as NON_COMPLIANT, use the [get-compliance-details-by-resource](https://docs.aws.amazon.com/cli/latest/reference/configservice/get-compliance-details-by-resource.html) CLI command.

**Note**  
For a list of managed rules that support proactive evaluation, see [List of AWS Config Managed Rules by Evaluation Mode](https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-evaluation-mode.html).

### Turning on proactive evaluation (API)
<a name="turn-on-proactive-rules-api"></a>

You can use *proactive evaluation* to evaluate resources before they have been deployed. This allows you to evaluate whether a set of resource properties, if used to define an AWS resource, would be COMPLIANT or NON_COMPLIANT given the set of proactive rules that you have in your account in your Region.

The [Resource type schema](https://docs.aws.amazon.com/cloudformation-cli/latest/userguide/resource-type-schema.html) states the properties of a resource. You can find the resource type schema in "*AWS public extensions*" within the AWS CloudFormation registry or with the following CLI command:

```
aws cloudformation describe-type --type-name "AWS::S3::Bucket" --type RESOURCE
```

For more information, see [Managing extensions through the CloudFormation registry](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/registry.html#registry-view) and [AWS resource and property types reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-template-resource-type-ref.html) in the AWS CloudFormation User Guide.

**Note**  
Proactive rules do not remediate resources that are flagged as NON_COMPLIANT or prevent them from being deployed.

**To turn on proactive evaluation for a rule**

Use the [PutConfigRule](https://docs.aws.amazon.com/config/latest/APIReference/API_PutConfigRule.html) action and enable `PROACTIVE` for `EvaluationModes`.

After you have turned on proactive evaluation, you can use the [StartResourceEvaluation](https://docs.aws.amazon.com/config/latest/APIReference/API_StartResourceEvaluation.html) API and [GetResourceEvaluationSummary](https://docs.aws.amazon.com/config/latest/APIReference/API_GetResourceEvaluationSummary.html) API to check if the resources you specify in these commands would be flagged as NON_COMPLIANT by the proactive rules in your account in your Region. For example, start with the StartResourceEvaluation API:

```
aws configservice start-resource-evaluation --evaluation-mode PROACTIVE \
                --resource-details '{"ResourceId":"MY_RESOURCE_ID",
                                     "ResourceType":"AWS::RESOURCE::TYPE",
                                     "ResourceConfiguration":"RESOURCE_DEFINITION_AS_PER_THE_RESOURCE_CONFIGURATION_SCHEMA",
                                     "ResourceConfigurationSchemaType":"CFN_RESOURCE_SCHEMA"}'
```

You should receive the `ResourceEvaluationId` in the output:

```
{
    "ResourceEvaluationId": "MY_RESOURCE_EVALUATION_ID"
}
```

Then, use the `ResourceEvaluationId` with the GetResourceEvaluationSummary API to check the evaluation result:

```
aws configservice get-resource-evaluation-summary \
    --resource-evaluation-id MY_RESOURCE_EVALUATION_ID
```

You should receive output similar to the following:

```
{
    "ResourceEvaluationId": "MY_RESOURCE_EVALUATION_ID",
    "EvaluationMode": "PROACTIVE",
    "EvaluationStatus": {
        "Status": "SUCCEEDED"
    },
    "EvaluationStartTimestamp": "2022-11-15T19:13:46.029000+00:00",
    "Compliance": "COMPLIANT",
    "ResourceDetails": {
        "ResourceId": "MY_RESOURCE_ID",
        "ResourceType": "AWS::RESOURCE::TYPE",
        "ResourceConfiguration": "RESOURCE_DEFINITION_AS_PER_THE_RESOURCE_CONFIGURATION_SCHEMA"
    }
}
```

To see additional information about the evaluation result, such as which rule flagged a resource as NON_COMPLIANT, use the [GetComplianceDetailsByResource](https://docs.aws.amazon.com/config/latest/APIReference/API_GetComplianceDetailsByResource.html) API.

**Note**  
For a list of managed rules that support proactive evaluation, see [List of AWS Config Managed Rules by Evaluation Mode](https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-evaluation-mode.html).

# Sending Rule Evaluations to Security Hub CSPM
<a name="setting-up-aws-config-rules-with-console-integration"></a>

After adding an AWS Config rule, you can also send rule evaluations to AWS Security Hub CSPM. The integration between AWS Config and Security Hub CSPM allows you to triage and remediate rule evaluations alongside other misconfigurations and security issues.

## Send Rule Evaluations to Security Hub CSPM
<a name="w2aac20c41b5"></a>

To send rule evaluations to Security Hub CSPM, you must first set up AWS Security Hub CSPM and AWS Config, and then add at least one AWS Config managed or custom rule. After this, AWS Config immediately starts sending rule evaluations to Security Hub CSPM. Security Hub CSPM enriches the rule evaluations and transforms them into Security Hub CSPM findings.

For more information about this integration, see [Available AWS Service Integrations](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-internal-providers.html#integration-config) in the AWS Security Hub CSPM User Guide.

# Evaluating Your Resources with AWS Config Rules
<a name="evaluating-your-resources"></a>

When you create custom rules or use managed rules, AWS Config evaluates your resources against those rules. You can run on-demand evaluations for resources against your rules. For example, this is helpful when you create a custom rule and want to check that AWS Config is correctly evaluating your resources or to identify if there is an issue with the evaluation logic of your AWS Lambda function. 

**Example**

1. You create a custom rule that evaluates whether your IAM users have active access keys.

1. AWS Config evaluates your resources against your custom rule.

1. An IAM user who doesn't have an active access key exists in your account. Your rule doesn't correctly flag this resource as NON_COMPLIANT.

1. You fix the rule and start the evaluation again.

1. Because you fixed your rule, the rule correctly evaluates your resources, and flags the IAM user resource as NON_COMPLIANT.

When you add a rule to your account, you can specify when in the resource creation and management process you want AWS Config to evaluate your resources. The resource creation and management process is known as resource provisioning. You choose the *evaluation mode* to specify when in this process you want AWS Config to evaluate your resources.

Depending on the rule, AWS Config can evaluate your resource configurations before a resource has been deployed, after a resource has been deployed, or both. Evaluating a resource before it has been deployed is **proactive evaluation**. Evaluating a resource after it has been deployed is **detective evaluation**.

## Proactive mode
<a name="evaluating-your-resources-proactive"></a>

Use proactive evaluation to evaluate resources before they have been deployed. This allows you to evaluate whether a set of resource properties, if used to define an AWS resource, would be COMPLIANT or NON_COMPLIANT given the set of proactive rules that you have in your account in your Region.

The [Resource type schema](https://docs.aws.amazon.com/cloudformation-cli/latest/userguide/resource-type-schema.html) states the properties of a resource. You can find the resource type schema in "*AWS public extensions*" within the AWS CloudFormation registry or with the following CLI command:

```
aws cloudformation describe-type --type-name "AWS::S3::Bucket" --type RESOURCE
```

For more information, see [Managing extensions through the CloudFormation registry](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/registry.html#registry-view) and [AWS resource and property types reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-template-resource-type-ref.html) in the AWS CloudFormation User Guide.

**Note**  
Proactive rules do not remediate resources that are flagged as NON_COMPLIANT or prevent them from being deployed.

### Evaluating your Resources
<a name="evaluating-your-resources-console-proactive"></a>

**To turn on proactive evaluation**

1. Sign in to the AWS Management Console and open the AWS Config console at [https://console.aws.amazon.com/config/home](https://console.aws.amazon.com/config/home).

1. In the AWS Management Console menu, verify that the Region selector is set to a Region that supports AWS Config rules. For the list of supported AWS Regions, see [AWS Config Regions and Endpoints](https://docs.aws.amazon.com/general/latest/gr/rande.html#awsconfig_region) in the *Amazon Web Services General Reference*. 

1. In the left navigation, choose **Rules**. For a list of managed rules that support proactive evaluation, see [List of AWS Config Managed Rules by Evaluation Mode](https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-evaluation-mode.html).

1. Choose a rule, and then choose **Edit rule** for the rule that you want to update.

1. For **Evaluation mode**, choose **Turn on proactive evaluation** to allow you to run evaluations on the configuration settings of your resources before they are deployed.

1. Choose **Save**.

**Note**  
You can also turn on proactive evaluation using the [put-config-rule](http://docs.aws.amazon.com/cli/latest/reference/configservice/put-config-rule.html) command and enabling `PROACTIVE` for `EvaluationModes` or using the [PutConfigRule](https://docs.aws.amazon.com/config/latest/APIReference/API_PutConfigRule.html) action and enabling `PROACTIVE` for `EvaluationModes`.

After you have turned on proactive evaluation, you can use the [StartResourceEvaluation](https://docs.aws.amazon.com/config/latest/APIReference/API_StartResourceEvaluation.html) API and [GetResourceEvaluationSummary](https://docs.aws.amazon.com/config/latest/APIReference/API_GetResourceEvaluationSummary.html) API to check if the resources you specify in these commands would be flagged as NON_COMPLIANT by the proactive rules in your account in your Region.

For example, start with the StartResourceEvaluation API:

```
aws configservice start-resource-evaluation --evaluation-mode PROACTIVE \
                --resource-details '{"ResourceId":"MY_RESOURCE_ID",
                                     "ResourceType":"AWS::RESOURCE::TYPE",
                                     "ResourceConfiguration":"RESOURCE_DEFINITION_AS_PER_THE_RESOURCE_CONFIGURATION_SCHEMA",
                                     "ResourceConfigurationSchemaType":"CFN_RESOURCE_SCHEMA"}'
```

You should receive the `ResourceEvaluationId` in the output:

```
{
    "ResourceEvaluationId": "MY_RESOURCE_EVALUATION_ID"
}
```

Then, use the `ResourceEvaluationId` with the GetResourceEvaluationSummary API to check the evaluation result:

```
aws configservice get-resource-evaluation-summary \
    --resource-evaluation-id MY_RESOURCE_EVALUATION_ID
```

You should receive output similar to the following:

```
{
    "ResourceEvaluationId": "MY_RESOURCE_EVALUATION_ID",
    "EvaluationMode": "PROACTIVE",
    "EvaluationStatus": {
        "Status": "SUCCEEDED"
    },
    "EvaluationStartTimestamp": "2022-11-15T19:13:46.029000+00:00",
    "Compliance": "COMPLIANT",
    "ResourceDetails": {
        "ResourceId": "MY_RESOURCE_ID",
        "ResourceType": "AWS::RESOURCE::TYPE",
        "ResourceConfiguration": "RESOURCE_DEFINITION_AS_PER_THE_RESOURCE_CONFIGURATION_SCHEMA"
    }
}
```

To see additional information about the evaluation result, such as which rule flagged a resource as NON_COMPLIANT, use the [GetComplianceDetailsByResource](https://docs.aws.amazon.com/config/latest/APIReference/API_GetComplianceDetailsByResource.html) API.
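Because proactive rules do not block deployment themselves, the flow described here and under Turning on Proactive Evaluation (start the evaluation, poll the summary, then list the rules that flagged the resource) can be wrapped as a gate that a deployment pipeline calls. This is an added example, not code from the AWS documentation: `proactive_gate`, `EvaluationError`, `StubConfigClient` and the rule name `example-bucket-rule` are hypothetical, and `client` is assumed to be a boto3 AWS Config client (`boto3.client("config")`).

```python
import json
import time


class EvaluationError(RuntimeError):
    """The evaluation failed or timed out, so there is no verdict to act on."""


def proactive_gate(client, resource_type, resource_id, properties,
                   timeout_s=60.0, poll_s=2.0, sleep=time.sleep):
    """Evaluate a not-yet-deployed resource; return (allowed, compliance, failing_rules)."""
    started = client.start_resource_evaluation(
        EvaluationMode="PROACTIVE",
        ResourceDetails={
            "ResourceId": resource_id,
            "ResourceType": resource_type,
            # The API takes the resource properties as a JSON string, not a nested object.
            "ResourceConfiguration": json.dumps(properties),
            "ResourceConfigurationSchemaType": "CFN_RESOURCE_SCHEMA",
        },
    )
    evaluation_id = started["ResourceEvaluationId"]

    # Poll the summary until the evaluation leaves IN_PROGRESS.
    waited = 0.0
    while True:
        summary = client.get_resource_evaluation_summary(ResourceEvaluationId=evaluation_id)
        status = summary["EvaluationStatus"]
        if status["Status"] == "SUCCEEDED":
            break
        if status["Status"] == "FAILED":
            raise EvaluationError(status.get("FailureReason", "evaluation failed"))
        if waited >= timeout_s:
            raise EvaluationError("evaluation still %s after %.0fs" % (status["Status"], waited))
        sleep(poll_s)
        waited += poll_s

    compliance = summary.get("Compliance")
    if compliance == "COMPLIANT":
        return True, compliance, []

    # Policy choice of this example: anything other than COMPLIANT blocks the deployment.
    failing, token = set(), None
    while True:
        kwargs = {"ResourceEvaluationId": evaluation_id}
        if token:
            kwargs["NextToken"] = token
        page = client.get_compliance_details_by_resource(**kwargs)
        for result in page.get("EvaluationResults", []):
            if result["ComplianceType"] == "NON_COMPLIANT":
                qualifier = result["EvaluationResultIdentifier"]["EvaluationResultQualifier"]
                failing.add(qualifier["ConfigRuleName"])
        token = page.get("NextToken")
        if not token:
            return False, compliance, sorted(failing)


class StubConfigClient:
    """Constructed stand-in for the AWS Config client so the example runs offline."""

    def __init__(self, compliance, failing_rules=(), polls_before_done=1, fail_reason=None):
        self._compliance = compliance
        self._failing = list(failing_rules)
        self._polls_left = polls_before_done
        self._fail_reason = fail_reason
        self.requests = []

    def start_resource_evaluation(self, **kwargs):
        self.requests.append(kwargs)
        return {"ResourceEvaluationId": "MY_RESOURCE_EVALUATION_ID"}

    def get_resource_evaluation_summary(self, ResourceEvaluationId):
        if self._polls_left > 0:
            self._polls_left -= 1
            return {"EvaluationStatus": {"Status": "IN_PROGRESS"}}
        if self._fail_reason:
            return {"EvaluationStatus": {"Status": "FAILED",
                                         "FailureReason": self._fail_reason}}
        return {"EvaluationStatus": {"Status": "SUCCEEDED"}, "Compliance": self._compliance}

    def get_compliance_details_by_resource(self, **kwargs):
        return {"EvaluationResults": [
            {"ComplianceType": "NON_COMPLIANT",
             "EvaluationResultIdentifier": {"EvaluationResultQualifier": {
                 "ConfigRuleName": rule, "EvaluationMode": "PROACTIVE"}}}
            for rule in self._failing]}


if __name__ == "__main__":
    stub = StubConfigClient("NON_COMPLIANT", failing_rules=["example-bucket-rule"])
    properties = {"BucketName": "example-bucket"}  # constructed sample properties
    print(proactive_gate(stub, "AWS::S3::Bucket", "example-bucket", properties,
                         sleep=lambda s: None))
```

A pipeline step would fail the build when `allowed` is false, and treat `EvaluationError` as a failure rather than a pass.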

## Detective mode
<a name="evaluating-your-resources-detective"></a>

Use detective evaluation to evaluate resources that have already been deployed. This allows you to evaluate the configuration settings of your existing resources.

### Evaluating your Resources (Console)
<a name="evaluating-your-resources-console"></a>

1. Sign in to the AWS Management Console and open the AWS Config console at [https://console.aws.amazon.com/config/home](https://console.aws.amazon.com/config/home).

1. In the AWS Management Console menu, check that the region selector is set to a Region that supports AWS Config rules. For the list of supported regions, see [AWS Config Regions and Endpoints](https://docs.aws.amazon.com/general/latest/gr/awsconfig.html) in the *Amazon Web Services General Reference*.

1. In the navigation pane, choose **Rules**. The **Rules** page shows the name, associated remediation action, and compliance status of each rule.

1. Choose a rule from the table.

1. From the **Actions** dropdown list, choose **Re-evaluate**.

1. AWS Config starts evaluating the resources against your rule.

**Note**  
You can re-evaluate a rule one time each minute. You must wait for AWS Config to complete the evaluation for your rule before you start another evaluation. You can't run an evaluation while the rule is being updated or deleted.

### Evaluating your Resources (CLI)
<a name="evaluating-your-resources-cli"></a>
+ Use the **start-config-rules-evaluation** command:

  ```
  $ aws configservice start-config-rules-evaluation --config-rule-names ConfigRuleName
  ```

  AWS Config starts evaluating the recorded resource configurations against your rule. You can also specify multiple rules in your request:

  ```
  $ aws configservice start-config-rules-evaluation --config-rule-names ConfigRuleName1 ConfigRuleName2 ConfigRuleName3
  ```

### Evaluating your Resources (API)
<a name="evaluating-your-resources-api"></a>

Use the [StartConfigRulesEvaluation](https://docs.aws.amazon.com/config/latest/APIReference/API_StartConfigRulesEvaluation.html) action.

# Deleting Evaluation Results from AWS Config Rules
<a name="deleting-evaluations-results"></a>

After AWS Config evaluates your rule, you can see the evaluation results on the **Rules** page or the **Rules details** page for the rule. If the evaluation results are incorrect or if you want to evaluate again, you can delete the current evaluation results for the rule. For example, if your rule was incorrectly evaluating your resources or you recently deleted resources from your account, you can delete the evaluation results and then run a new evaluation.

------
#### [ Deleting Evaluation Results (Console) ]

1. Sign in to the AWS Management Console and open the AWS Config console at [https://console.aws.amazon.com/config/home](https://console.aws.amazon.com/config/home).

1. In the AWS Management Console menu, verify that the Region selector is set to an AWS Region that supports AWS Config rules. For the list of supported Regions, see [AWS Config Regions and Endpoints](https://docs.aws.amazon.com/general/latest/gr/rande.html#awsconfig_region) in the *Amazon Web Services General Reference*.

1. In the navigation pane, choose **Rules**. The **Rules** page shows the name, associated remediation action, and compliance status of each rule.

1. Choose a rule from the table.

1. From the **Actions** dropdown list, choose **Delete results**.

1. When prompted, type **Delete** (this entry is case sensitive), and then choose **Delete**. After you delete an evaluation, you cannot retrieve it. 

1. After the evaluation results are deleted, you can manually start a new evaluation.

------
#### [ Deleting Evaluation Results (CLI) ]
+ Use the **delete-evaluation-results** command.

  ```
  $ aws configservice delete-evaluation-results --config-rule-name ConfigRuleName
  ```

  AWS Config deletes the evaluation results for the rule.

------
#### [ Deleting Evaluation Results (API) ]

Use the [DeleteEvaluationResults](https://docs.aws.amazon.com/config/latest/APIReference/API_DeleteEvaluationResults.html) action.

------

# Troubleshooting for AWS Config rules
<a name="troubleshooting-rules"></a>

If you cannot delete an AWS Config rule, or you receive an error similar to "An error has occurred with AWS Config.", check the following issues.

**The AWS Identity and Access Management (IAM) entity has permissions for the DeleteConfigRule API**

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane choose **Users** or **Roles**.

1. Choose the user or role that you used to delete the AWS Config rule, and expand **Permissions policies**.

1. In the **Permissions** tab, choose **JSON**.

1. In the JSON preview pane, confirm that the IAM policy allows permissions for the [DeleteConfigRule](https://docs.aws.amazon.com/config/latest/APIReference/API_APIDeleteConfigRule.html) API.

**The IAM entity permissions boundary allows the DeleteConfigRule API**

If the IAM entity has a permissions boundary, be sure that it allows permissions for the DeleteConfigRule API.

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane choose **Users** or **Roles**.

1. Choose the user or role that you used to delete the AWS Config rule, expand **Permissions boundary**, and then choose **JSON**.

1. In the JSON preview pane, confirm that the IAM policy allows permissions for the [DeleteConfigRule](https://docs.aws.amazon.com/config/latest/APIReference/API_APIDeleteConfigRule.html) API.

**Warning**  
IAM users have long-term credentials, which presents a security risk. To help mitigate this risk, we recommend that you provide these users with only the permissions they require to perform the task and that you remove these users when they are no longer needed.

**The service control policy (SCP) allows the DeleteConfigRule API**

1. Open the AWS Organizations console at https://console.aws.amazon.com/organizations/ using the [management account](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html) for the organization.

1. In Account name, choose the AWS account.

1. In **Policies**, expand **Service control policies** and note the SCP policies that are attached.

1. At the top of the page, choose **Policies**.

1. Select the policy, and then choose **View details**.

1. In the JSON preview pane, confirm that the policy allows the [DeleteConfigRule](https://docs.aws.amazon.com/config/latest/APIReference/API_APIDeleteConfigRule.html) API.
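The identity policy, permissions boundary and SCP checks above can be run as one first pass with the IAM policy simulator. This is an added example, not part of the AWS documentation; the function name, its output tokens and its exit codes are assumptions, and the caller needs permission for `iam:SimulatePrincipalPolicy`.

```shell
# Added example (not from the AWS documentation). Assumes AWS CLI v2.
# Usage: check_delete_config_rule arn:aws:iam::111122223333:role/ExampleRole
#        (placeholder ARN; pass the user or role that tried to delete the rule)
# Prints one token per layer that needs a closer look and returns:
#   0 every layer allows config:DeleteConfigRule
#   1 at least one layer blocks it
#   2 the simulation call itself failed
check_delete_config_rule() (
  result=$(aws iam simulate-principal-policy \
      --policy-source-arn "$1" \
      --action-names config:DeleteConfigRule \
      --query 'EvaluationResults[0].[EvalDecision, PermissionsBoundaryDecisionDetail.AllowedByPermissionsBoundary, OrganizationsDecisionDetail.AllowedByOrganizations]' \
      --output text) || exit 2

  # Text output: DECISION BOUNDARY SCP, with "None" where a layer is absent.
  set -- $result
  blocked=0
  [ "$2" = "False" ] && { echo "permissions-boundary"; blocked=1; }
  [ "$3" = "False" ] && { echo "service-control-policy"; blocked=1; }
  case "$1" in
    allowed) ;;
    explicitDeny) echo "explicit-deny"; blocked=1 ;;
    # Implicit deny with no blocking layer: no identity policy grants the action.
    *) [ "$blocked" -eq 0 ] && echo "identity-policy"; blocked=1 ;;
  esac
  exit "$blocked"
)
```

The simulator only sees the request context you give it, so confirm any finding against the policy JSON as described in the steps above.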

**The rule is not a service-linked rule**

When you [enable a security standard](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-enable-disable.html), AWS Security Hub CSPM creates [service-linked rules](https://docs.aws.amazon.com/config/latest/developerguide/service-linked-awsconfig-rules.html) for you. You can't delete these service-linked rules using AWS Config, and the delete button is grayed out. To remove a service-linked rule, see [Disabling a security standard](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-enable-disable.html) in the *Security Hub CSPM User Guide*.

**No remediation actions are in progress**

You cannot delete AWS Config rules that have [remediation actions](https://docs.aws.amazon.com/config/latest/developerguide/remediation.html) in progress. Follow the steps to [delete the remediation action that is associated with that rule](https://docs.aws.amazon.com/config/latest/developerguide/remediation.html#delete-remediation-action). Then, try deleting the rule again.

**Important**  
Only delete remediation actions that are in **failed** or **successful** states.