Security Hub controls reference
This controls reference provides a list of available AWS Security Hub controls with links to more information about each control. The overview table displays the controls in alphabetical order by control ID. Only controls in active use by Security Hub are included here. Retired controls are excluded from this list. The table provides the following information for each control:
-
Security control ID – This ID applies across standards and indicates the AWS service and resource that the control relates to. The Security Hub console displays security control IDs, regardless of whether consolidated control findings is turned on or off in your account. However, Security Hub findings reference security control IDs only if consolidated control findings is turned on in your account. If consolidated control findings is turned off in your account, some control IDs vary by standard in your control findings. For a mapping of standard-specific control IDs to security control IDs, see How consolidation impacts control IDs and titles.
If you want to set up automations for security controls, we recommend filtering based on control ID rather than title or description. Whereas Security Hub may occasionally update control titles or descriptions, control IDs stay the same.
Control IDs may skip numbers. These are placeholders for future controls.
-
Applicable standards – Indicates which standards a control applies to. Select a control to see specific requirements from third-party compliance frameworks.
-
Security control title – This title applies across standards. The Security Hub console displays security control titles, regardless of whether consolidated control findings is turned on or off in your account. However, Security Hub findings reference security control titles only if consolidated control findings is turned on in your account. If consolidated control findings is turned off in your account, some control titles vary by standard in your control findings. For a mapping of standard-specific control IDs to security control IDs, see How consolidation impacts control IDs and titles.
-
Severity – The severity of a control identifies its importance from a security standpoint. For information about how Security Hub determines control severity, see Assigning severity to control findings.
-
Schedule type – Indicates when the control is evaluated. For more information, see Schedule for running security checks.
-
Supports custom parameters – Indicates whether the control supports custom values for one or more parameters. Select a control to see the parameter details. For more information, see Understanding control parameters in Security Hub.
Select a control to view further details. Controls are listed in alphabetical order of the service name.
| Security control ID | Security control title | Applicable standards | Severity | Supports custom parameters | Schedule type |
|---|---|---|---|---|---|
| Account.1 | Security contact information should be provided for an AWS account | CIS AWS Foundations Benchmark v3.0.0, AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | Periodic | |
| Account.2 | AWS account should be part of an AWS Organizations organization | NIST SP 800-53 Rev. 5 | HIGH | |
Periodic |
| ACM.1 | Imported and ACM-issued certificates should be renewed after a specified time period | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered and periodic |
| ACM.2 | RSA certificates managed by ACM should use a key length of at least 2,048 bits | AWS Foundational Security Best Practices v1.0.0 | HIGH | |
Change triggered |
| ACM.3 | ACM certificates should be tagged | AWS Resource Tagging Standard | LOW | Change triggered | |
| APIGateway.1 | API Gateway REST and WebSocket API execution logging should be enabled | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| APIGateway.2 | API Gateway REST API stages should be configured to use SSL certificates for backend authentication | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| APIGateway.3 | API Gateway REST API stages should have AWS X-Ray tracing enabled | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | LOW | |
Change triggered |
| APIGateway.4 | API Gateway should be associated with a WAF Web ACL | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| APIGateway.5 | API Gateway REST API cache data should be encrypted at rest | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| APIGateway.8 | API Gateway routes should specify an authorization type | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | |
Periodic |
| APIGateway.9 | Access logging should be configured for API Gateway V2 Stages | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| AppSync.1 | AWS AppSync API caches should be encrypted at rest | AWS Foundational Security Best Practices v1.0.0 | MEDIUM | Change triggered | |
| AppSync.2 | AWS AppSync should have field-level logging enabled | AWS Foundational Security Best Practices v1.0.0 | MEDIUM | |
Change triggered |
| AppSync.4 | AWS AppSync GraphQL APIs should be tagged | AWS Resource Tagging Standard | LOW | Change triggered | |
| AppSync.5 | AWS AppSync GraphQL APIs should not be authenticated with API keys | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | HIGH | |
Change triggered |
| AppSync.6 | AWS AppSync API caches should be encrypted in transit | AWS Foundational Security Best Practices v1.0.0 | MEDIUM | Change triggered | |
| Athena.2 | Athena data catalogs should be tagged | AWS Resource Tagging Standard | LOW | Change triggered | |
| Athena.3 | Athena workgroups should be tagged | AWS Resource Tagging Standard | LOW | Change triggered | |
| Athena.4 | Athena workgroups should have logging enabled | AWS Foundational Security Best Practices v1.0.0 | MEDIUM | Change triggered | |
| AutoScaling.1 | Auto Scaling groups associated with a load balancer should use ELB health checks | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5 | LOW | Change triggered | |
| AutoScaling.2 | Amazon EC2 Auto Scaling group should cover multiple Availability Zones | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| AutoScaling.3 | Auto Scaling group launch configurations should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2) | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | HIGH | |
Change triggered |
| Autoscaling.5 | Amazon EC2 instances launched using Auto Scaling group launch configurations should not have Public IP addresses | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | HIGH | |
Change triggered |
| AutoScaling.6 | Auto Scaling groups should use multiple instance types in multiple Availability Zones | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| AutoScaling.9 | EC2 Auto Scaling groups should use EC2 launch templates | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| AutoScaling.10 | EC2 Auto Scaling groups should be tagged | AWS Resource Tagging Standard | LOW | Change triggered | |
| Backup.1 | AWS Backup recovery points should be encrypted at rest | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| Backup.2 | AWS Backup recovery points should be tagged | AWS Resource Tagging Standard | LOW | Change triggered | |
| Backup.3 | AWS Backup vaults should be tagged | AWS Resource Tagging Standard | LOW | Change triggered | |
| Backup.4 | AWS Backup report plans should be tagged | AWS Resource Tagging Standard | LOW | Change triggered | |
| Backup.5 | AWS Backup backup plans should be tagged | AWS Resource Tagging Standard | LOW | Change triggered | |
| CloudFormation.2 | CloudFormation stacks should be tagged | AWS Resource Tagging Standard | LOW | Change triggered | |
| CloudFront.1 | CloudFront distributions should have a default root object configured | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | HIGH | Change triggered | |
| CloudFront.3 | CloudFront distributions should require encryption in transit | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| CloudFront.4 | CloudFront distributions should have origin failover configured | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | LOW | |
Change triggered |
| CloudFront.5 | CloudFront distributions should have logging enabled | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| CloudFront.6 | CloudFront distributions should have WAF enabled | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| CloudFront.7 | CloudFront distributions should use custom SSL/TLS certificates | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| CloudFront.8 | CloudFront distributions should use SNI to serve HTTPS requests | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | LOW | |
Change triggered |
| CloudFront.9 | CloudFront distributions should encrypt traffic to custom origins | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| CloudFront.10 | CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| CloudFront.12 | CloudFront distributions should not point to non-existent S3 origins | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | HIGH | |
Periodic |
| CloudFront.13 | CloudFront distributions should use origin access control | AWS Foundational Security Best Practices v1.0.0 | MEDIUM | |
Change triggered |
| CloudFront.14 | CloudFront distributions should be tagged | AWS Resource Tagging Standard | LOW | Change triggered | |
| CloudTrail.1 | CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events | CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.4.0, CIS AWS Foundations Benchmark v1.2.0, AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | HIGH | Periodic | |
| CloudTrail.2 | CloudTrail should have encryption at-rest enabled | CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.2.0, AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, CIS AWS Foundations Benchmark v1.4.0, NIST SP 800-53 Rev. 5 | MEDIUM | |
Periodic |
| CloudTrail.3 | At least one CloudTrail trail should be enabled | PCI DSS v3.2.1 | HIGH | Periodic | |
| CloudTrail.4 | CloudTrail log file validation should be enabled | CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.2.0, AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, CIS AWS Foundations Benchmark v1.4.0, NIST SP 800-53 Rev. 5 | LOW | |
Periodic |
| CloudTrail.5 | CloudTrail trails should be integrated with Amazon CloudWatch Logs | CIS AWS Foundations Benchmark v1.2.0, AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, CIS AWS Foundations Benchmark v1.4.0, NIST SP 800-53 Rev. 5 | LOW | |
Periodic |
| CloudTrail.6 | Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible | CIS AWS Foundations Benchmark v1.2.0, CIS AWS Foundations Benchmark v1.4.0 | CRITICAL | |
Change triggered and periodic |
| CloudTrail.7 | Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket | CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.2.0, CIS AWS Foundations Benchmark v1.4.0 | LOW | |
Periodic |
| CloudTrail.9 | CloudTrail trails should be tagged | AWS Resource Tagging Standard | LOW | Change triggered | |
| CloudWatch.1 | A log metric filter and alarm should exist for usage of the "root" user | CIS AWS Foundations Benchmark v1.2.0, PCI DSS v3.2.1, CIS AWS Foundations Benchmark v1.4.0 | LOW | |
Periodic |
| CloudWatch.2 | Ensure a log metric filter and alarm exist for unauthorized API calls | CIS AWS Foundations Benchmark v1.2.0 | LOW | |
Periodic |
| CloudWatch.3 | Ensure a log metric filter and alarm exist for Management Console sign-in without MFA | CIS AWS Foundations Benchmark v1.2.0 | LOW | |
Periodic |
| CloudWatch.4 | Ensure a log metric filter and alarm exist for IAM policy changes | CIS AWS Foundations Benchmark v1.2.0, CIS AWS Foundations Benchmark v1.4.0 | LOW | |
Periodic |
| CloudWatch.5 | Ensure a log metric filter and alarm exist for CloudTrail configuration changes | CIS AWS Foundations Benchmark v1.2.0, CIS AWS Foundations Benchmark v1.4.0 | LOW | |
Periodic |
| CloudWatch.6 | Ensure a log metric filter and alarm exist for AWS Management Console authentication failures | CIS AWS Foundations Benchmark v1.2.0, CIS AWS Foundations Benchmark v1.4.0 | LOW | |
Periodic |
| CloudWatch.7 | Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs | CIS AWS Foundations Benchmark v1.2.0, CIS AWS Foundations Benchmark v1.4.0 | LOW | |
Periodic |
| CloudWatch.8 | Ensure a log metric filter and alarm exist for S3 bucket policy changes | CIS AWS Foundations Benchmark v1.2.0, CIS AWS Foundations Benchmark v1.4.0 | LOW | |
Periodic |
| CloudWatch.9 | Ensure a log metric filter and alarm exist for AWS Config configuration changes | CIS AWS Foundations Benchmark v1.2.0, CIS AWS Foundations Benchmark v1.4.0 | LOW | |
Periodic |
| CloudWatch.10 | Ensure a log metric filter and alarm exist for security group changes | CIS AWS Foundations Benchmark v1.2.0, CIS AWS Foundations Benchmark v1.4.0 | LOW | |
Periodic |
| CloudWatch.11 | Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) | CIS AWS Foundations Benchmark v1.2.0, CIS AWS Foundations Benchmark v1.4.0 | LOW | |
Periodic |
| CloudWatch.12 | Ensure a log metric filter and alarm exist for changes to network gateways | CIS AWS Foundations Benchmark v1.2.0, CIS AWS Foundations Benchmark v1.4.0 | LOW | |
Periodic |
| CloudWatch.13 | Ensure a log metric filter and alarm exist for route table changes | CIS AWS Foundations Benchmark v1.2.0, CIS AWS Foundations Benchmark v1.4.0 | LOW | |
Periodic |
| CloudWatch.14 | Ensure a log metric filter and alarm exist for VPC changes | CIS AWS Foundations Benchmark v1.2.0, CIS AWS Foundations Benchmark v1.4.0 | LOW | |
Periodic |
| CloudWatch.15 | CloudWatch alarms should have specified actions configured | NIST SP 800-53 Rev. 5 | HIGH | |
Change triggered |
| CloudWatch.16 | CloudWatch log groups should be retained for a specified time period | NIST SP 800-53 Rev. 5 | MEDIUM | |
Periodic |
| CloudWatch.17 | CloudWatch alarm actions should be enabled | NIST SP 800-53 Rev. 5 | HIGH | |
Change triggered |
| CodeArtifact.1 | CodeArtifact repositories should be tagged | AWS Resource Tagging Standard | LOW | Change triggered | |
| CodeBuild.1 | CodeBuild Bitbucket source repository URLs should not contain sensitive credentials | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5 | CRITICAL | Change triggered | |
| CodeBuild.2 | CodeBuild project environment variables should not contain clear text credentials | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5 | CRITICAL | |
Change triggered |
| CodeBuild.3 | CodeBuild S3 logs should be encrypted | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | LOW | |
Change triggered |
| CodeBuild.4 | CodeBuild project environments should have a logging configuration | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| CodeBuild.7 | CodeBuild report group exports should be encrypted at rest | AWS Foundational Security Best Practices v1.0.0 | MEDIUM | Change triggered | |
| Config.1 | AWS Config should be enabled and use the service-linked role for resource recording | CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.4.0, CIS AWS Foundations Benchmark v1.2.0, AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v3.2.1 | CRITICAL | Periodic | |
| DataFirehose.1 | Firehose delivery streams should be encrypted at rest | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | |
Periodic |
| DataSync.1 | DataSync tasks should have logging enabled | AWS Foundational Security Best Practices v1.0.0 | MEDIUM | Change triggered | |
| Detective.1 | Detective behavior graphs should be tagged | AWS Resource Tagging Standard | LOW | Change triggered | |
| DMS.1 | Database Migration Service replication instances should not be public | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5 | CRITICAL | |
Periodic |
| DMS.2 | DMS certificates should be tagged | AWS Resource Tagging Standard | LOW | Change triggered | |
| DMS.3 | DMS event subscriptions should be tagged | AWS Resource Tagging Standard | LOW | Change triggered | |
| DMS.4 | DMS replication instances should be tagged | AWS Resource Tagging Standard | LOW | Change triggered | |
| DMS.5 | DMS replication subnet groups should be tagged | AWS Resource Tagging Standard | LOW | Change triggered | |
| DMS.6 | DMS replication instances should have automatic minor version upgrade enabled | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| DMS.7 | DMS replication tasks for the target database should have logging enabled | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| DMS.8 | DMS replication tasks for the source database should have logging enabled | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| DMS.9 | DMS endpoints should use SSL | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| DMS.10 | DMS endpoints for Neptune databases should have IAM authorization enabled | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | Change triggered | |
| DMS.11 | DMS endpoints for MongoDB should have an authentication mechanism enabled | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | Change triggered | |
| DMS.12 | DMS endpoints for Redis OSS should have TLS enabled | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | Change triggered | |
| DocumentDB.1 | Amazon DocumentDB clusters should be encrypted at rest | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, Service-Managed Standard: AWS Control Tower | MEDIUM | |
Change triggered |
| DocumentDB.2 | Amazon DocumentDB clusters should have an adequate backup retention period | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, Service-Managed Standard: AWS Control Tower | MEDIUM | |
Change triggered |
| DocumentDB.3 | Amazon DocumentDB manual cluster snapshots should not be public | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | CRITICAL | |
Change triggered |
| DocumentDB.4 | Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| DocumentDB.5 | Amazon DocumentDB clusters should have deletion protection enabled | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| DynamoDB.1 | DynamoDB tables should automatically scale capacity with demand | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | |
Periodic |
| DynamoDB.2 | DynamoDB tables should have point-in-time recovery enabled | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| DynamoDB.3 | DynamoDB Accelerator (DAX) clusters should be encrypted at rest | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | |
Periodic |
| DynamoDB.4 | DynamoDB tables should be present in a backup plan | NIST SP 800-53 Rev. 5 | MEDIUM | |
Periodic |
| DynamoDB.5 | DynamoDB tables should be tagged | AWS Resource Tagging Standard | LOW | Change triggered | |
| DynamoDB.6 | DynamoDB tables should have deletion protection enabled | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| DynamoDB.7 | DynamoDB Accelerator clusters should be encrypted in transit | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | Periodic | |
| EC2.1 | EBS snapshots should not be publicly restorable | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5 | CRITICAL | |
Periodic |
| EC2.2 | VPC default security groups should not allow inbound or outbound traffic | CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.2.0, AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, CIS AWS Foundations Benchmark v1.4.0, NIST SP 800-53 Rev. 5 | HIGH | |
Change triggered |
| EC2.3 | Attached EBS volumes should be encrypted at-rest | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| EC2.4 | Stopped EC2 instances should be removed after a specified time period | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | |
Periodic |
| EC2.6 | VPC flow logging should be enabled in all VPCs | CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.2.0, AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, CIS AWS Foundations Benchmark v1.4.0, NIST SP 800-53 Rev. 5 | MEDIUM | |
Periodic |
| EC2.7 | EBS default encryption should be enabled | CIS AWS Foundations Benchmark v3.0.0, AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, CIS AWS Foundations Benchmark v1.4.0, NIST SP 800-53 Rev. 5 | MEDIUM | |
Periodic |
| EC2.8 | EC2 instances should use Instance Metadata Service Version 2 (IMDSv2) | CIS AWS Foundations Benchmark v3.0.0, AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | HIGH | |
Change triggered |
| EC2.9 | EC2 instances should not have a public IPv4 address | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | HIGH | |
Change triggered |
| EC2.10 | Amazon EC2 should be configured to use VPC endpoints that are created for the Amazon EC2 service | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | |
Periodic |
| EC2.12 | Unused EC2 EIPs should be removed | PCI DSS v3.2.1, NIST SP 800-53 Rev. 5 | LOW | |
Change triggered |
| EC2.13 | Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 22 | CIS AWS Foundations Benchmark v1.2.0, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5 | HIGH | Change triggered and periodic | |
| EC2.14 | Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 3389 | CIS AWS Foundations Benchmark v1.2.0 | HIGH | Change triggered and periodic | |
| EC2.15 | EC2 subnets should not automatically assign public IP addresses | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| EC2.16 | Unused Network Access Control Lists should be removed | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | LOW | |
Change triggered |
| EC2.17 | EC2 instances should not use multiple ENIs | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | LOW | |
Change triggered |
| EC2.18 | Security groups should only allow unrestricted incoming traffic for authorized ports | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | HIGH | |
Change triggered |
| EC2.19 | Security groups should not allow unrestricted access to ports with high risk | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | CRITICAL | Change triggered and periodic | |
| EC2.20 | Both VPN tunnels for an AWS Site-to-Site VPN connection should be up | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| EC2.21 | Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389 | CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.4.0, AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| EC2.22 | Unused EC2 security groups should be removed | Service-Managed Standard: AWS Control Tower | MEDIUM | Periodic | |
| EC2.23 | EC2 Transit Gateways should not automatically accept VPC attachment requests | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | HIGH | |
Change triggered |
| EC2.24 | EC2 paravirtual instance types should not be used | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| EC2.25 | EC2 launch templates should not assign public IPs to network interfaces | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | HIGH | |
Change triggered |
| EC2.28 | EBS volumes should be in a backup plan | NIST SP 800-53 Rev. 5 | LOW | |
Periodic |
| EC2.33 | EC2 transit gateway attachments should be tagged | AWS Resource Tagging Standard | LOW | Change triggered | |
| EC2.34 | EC2 transit gateway route tables should be tagged | AWS Resource Tagging Standard | LOW | Change triggered | |
| EC2.35 | EC2 network interfaces should be tagged | AWS Resource Tagging Standard | LOW | Change triggered | |
| EC2.36 | EC2 customer gateways should be tagged | AWS Resource Tagging Standard | LOW | Change triggered | |
| EC2.37 | EC2 Elastic IP addresses should be tagged | AWS Resource Tagging Standard | LOW | Change triggered | |
| EC2.38 | EC2 instances should be tagged | AWS Resource Tagging Standard | LOW | Change triggered | |
| EC2.39 | EC2 internet gateways should be tagged | AWS Resource Tagging Standard | LOW | Change triggered | |
| EC2.40 | EC2 NAT gateways should be tagged | AWS Resource Tagging Standard | LOW | Change triggered | |
| EC2.41 | EC2 network ACLs should be tagged | AWS Resource Tagging Standard | LOW | Change triggered | |
| EC2.42 | EC2 route tables should be tagged | AWS Resource Tagging Standard | LOW | Change triggered | |
| EC2.43 | EC2 security groups should be tagged | AWS Resource Tagging Standard | LOW | Change triggered | |
| EC2.44 | EC2 subnets should be tagged | AWS Resource Tagging Standard | LOW | Change triggered | |
| EC2.45 | EC2 volumes should be tagged | AWS Resource Tagging Standard | LOW | Change triggered | |
| EC2.46 | Amazon VPCs should be tagged | AWS Resource Tagging Standard | LOW | Change triggered | |
| EC2.47 | Amazon VPC endpoint services should be tagged | AWS Resource Tagging Standard | LOW | Change triggered | |
| EC2.48 | Amazon VPC flow logs should be tagged | AWS Resource Tagging Standard | LOW | Change triggered | |
| EC2.49 | Amazon VPC peering connections should be tagged | AWS Resource Tagging Standard | LOW | Change triggered | |
| EC2.50 | EC2 VPN gateways should be tagged | AWS Resource Tagging Standard | LOW | Change triggered | |
| EC2.51 | EC2 Client VPN endpoints should have client connection logging enabled | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | LOW | |
Change triggered |
| EC2.52 | EC2 transit gateways should be tagged | AWS Resource Tagging Standard | LOW | Change triggered | |
| EC2.53 | EC2 security groups should not allow ingress from 0.0.0.0/0 to remote server administration ports | CIS AWS Foundations Benchmark v3.0.0 | HIGH | Periodic | |
| EC2.54 | EC2 security groups should not allow ingress from ::/0 to remote server administration ports | CIS AWS Foundations Benchmark v3.0.0 | HIGH | Periodic | |
| EC2.55 | VPCs should be configured with an interface endpoint for ECR API | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | Periodic | |
| EC2.56 | VPCs should be configured with an interface endpoint for Docker Registry | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | Periodic | |
| EC2.57 | VPCs should be configured with an interface endpoint for Systems Manager | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | Periodic | |
| EC2.58 | VPCs should be configured with an interface endpoint for Systems Manager Incident Manager Contacts | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | Periodic | |
| EC2.60 | VPCs should be configured with an interface endpoint for Systems Manager Incident Manager | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | Periodic | |
| EC2.170 | EC2 launch templates should use Instance Metadata Service Version 2 (IMDSv2) | AWS Foundational Security Best Practices v1.0.0 | LOW | Change triggered | |
| EC2.171 | EC2 VPN connections should have logging enabled | AWS Foundational Security Best Practices v1.0.0 | MEDIUM | Change triggered | |
| ECR.1 | ECR private repositories should have image scanning configured | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | HIGH | |
Periodic |
| ECR.2 | ECR private repositories should have tag immutability configured | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| ECR.3 | ECR repositories should have at least one lifecycle policy configured | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| ECR.4 | ECR public repositories should be tagged | AWS Resource Tagging Standard | LOW | Change triggered | |
| ECS.1 | Amazon ECS task definitions should have secure networking modes and user definitions. | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | HIGH | |
Change triggered |
| ECS.2 | ECS services should not have public IP addresses assigned to them automatically | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | HIGH | |
Change triggered |
| ECS.3 | ECS task definitions should not share the host's process namespace | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | HIGH | |
Change triggered |
| ECS.4 | ECS containers should run as non-privileged | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | HIGH | |
Change triggered |
| ECS.5 | ECS containers should be limited to read-only access to root filesystems | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | HIGH | |
Change triggered |
| ECS.8 | Secrets should not be passed as container environment variables | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | HIGH | |
Change triggered |
| ECS.9 | ECS task definitions should have a logging configuration | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | HIGH | |
Change triggered |
| ECS.10 | ECS Fargate services should run on the latest Fargate platform version | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| ECS.12 | ECS clusters should use Container Insights | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| ECS.13 | ECS services should be tagged | AWS Resource Tagging Standard | LOW | Change triggered | |
| ECS.14 | ECS clusters should be tagged | AWS Resource Tagging Standard | LOW | Change triggered | |
| ECS.15 | ECS task definitions should be tagged | AWS Resource Tagging Standard | LOW | Change triggered | |
| ECS.16 | ECS task sets should not automatically assign public IP addresses | AWS Foundational Security Best Practices v1.0.0 | HIGH | Change triggered | |
| EFS.1 | Elastic File System should be configured to encrypt file data at-rest using AWS KMS | CIS AWS Foundations Benchmark v3.0.0, AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | |
Periodic |
| EFS.2 | Amazon EFS volumes should be in backup plans | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | |
Periodic |
| EFS.3 | EFS access points should enforce a root directory | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| EFS.4 | EFS access points should enforce a user identity | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| EFS.5 | EFS access points should be tagged | AWS Resource Tagging Standard | LOW | Change triggered | |
| EFS.6 | EFS mount targets should not be associated with a public subnet | AWS Foundational Security Best Practices v1.0.0 | MEDIUM | Periodic | |
| EFS.7 | EFS file systems should have automatic backups enabled | AWS Foundational Security Best Practices v1.0.0 | MEDIUM | Change triggered | |
| EFS.8 | EFS file systems should be encrypted at rest | AWS Foundational Security Best Practices v1.0.0 | MEDIUM | Change triggered | |
| EKS.1 | EKS cluster endpoints should not be publicly accessible | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | HIGH | |
Periodic |
| EKS.2 | EKS clusters should run on a supported Kubernetes version | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | HIGH | |
Change triggered |
| EKS.3 | EKS clusters should use encrypted Kubernetes secrets | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | Periodic | |
| EKS.6 | EKS clusters should be tagged | AWS Resource Tagging Standard | LOW | Change triggered | |
| EKS.7 | EKS identity provider configurations should be tagged | AWS Resource Tagging Standard | LOW | Change triggered | |
| EKS.8 | EKS clusters should have audit logging enabled | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| ElastiCache.1 | ElastiCache (Redis OSS) clusters should have automatic backups enabled | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | HIGH | |
Periodic |
| ElastiCache.2 | ElastiCache (Redis OSS) clusters should have auto minor version upgrades enabled | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | HIGH | |
Periodic |
| ElastiCache.3 | ElastiCache replication groups should have automatic failover enabled | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | |
Periodic |
| ElastiCache.4 | ElastiCache replication groups should be encrypted-at-rest | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | |
Periodic |
| ElastiCache.5 | ElastiCache replication groups should be encrypted-in-transit | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | |
Periodic |
| ElastiCache.6 | ElastiCache (Redis OSS) replication groups of earlier versions should have Redis OSS AUTH enabled | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | |
Periodic |
| ElastiCache.7 | ElastiCache clusters should not use the default subnet group | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | HIGH | |
Periodic |
| ElasticBeanstalk.1 | Elastic Beanstalk environments should have enhanced health reporting enabled | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | LOW | |
Change triggered |
| ElasticBeanstalk.2 | Elastic Beanstalk managed platform updates should be enabled | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | HIGH | |
Change triggered |
| ElasticBeanstalk.3 | Elastic Beanstalk should stream logs to CloudWatch | AWS Foundational Security Best Practices v1.0.0 | HIGH | |
Change triggered |
| ELB.1 | Application Load Balancer should be configured to redirect all HTTP requests to HTTPS | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5 | MEDIUM | |
Periodic |
| ELB.2 | Classic Load Balancers with SSL/HTTPS listeners should use a certificate provided by AWS Certificate Manager | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| ELB.3 | Classic Load Balancer listeners should be configured with HTTPS or TLS termination | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| ELB.4 | Application Load Balancer should be configured to drop http headers | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| ELB.5 | Application and Classic Load Balancers logging should be enabled | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| ELB.6 | Application, Gateway, and Network Load Balancers should have deletion protection enabled | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | Change triggered | |
| ELB.7 | Classic Load Balancers should have connection draining enabled | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| ELB.8 | Classic Load Balancers with SSL listeners should use a predefined security policy that has strong configuration | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| ELB.9 | Classic Load Balancers should have cross-zone load balancing enabled | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| ELB.10 | Classic Load Balancer should span multiple Availability Zones | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| ELB.12 | Application Load Balancer should be configured with defensive or strictest desync mitigation mode | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| ELB.13 | Application, Network and Gateway Load Balancers should span multiple Availability Zones | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| ELB.14 | Classic Load Balancer should be configured with defensive or strictest desync mitigation mode | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| ELB.16 | Application Load Balancers should be associated with an AWS WAF web ACL | NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| EMR.1 | Amazon EMR cluster primary nodes should not have public IP addresses | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | HIGH | |
Periodic |
| EMR.2 | Amazon EMR block public access setting should be enabled | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | CRITICAL | |
Periodic |
| ES.1 | Elasticsearch domains should have encryption at-rest enabled | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5 | MEDIUM | |
Periodic |
| ES.2 | Elasticsearch domains should not be publicly accessible | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5 | CRITICAL | |
Periodic |
| ES.3 | Elasticsearch domains should encrypt data sent between nodes | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| ES.4 | Elasticsearch domain error logging to CloudWatch Logs should be enabled | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| ES.5 | Elasticsearch domains should have audit logging enabled | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| ES.6 | Elasticsearch domains should have at least three data nodes | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| ES.7 | Elasticsearch domains should be configured with at least three dedicated master nodes | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| ES.8 | Connections to Elasticsearch domains should be encrypted using the latest TLS security policy | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | Change triggered | |
| ES.9 | Elasticsearch domains should be tagged | AWS Resource Tagging Standard | LOW | Change triggered | |
| EventBridge.2 | EventBridge event buses should be tagged | AWS Resource Tagging Standard | LOW | Change triggered | |
| EventBridge.3 | EventBridge custom event buses should have a resource-based policy attached | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | LOW | |
Change triggered |
| EventBridge.4 | EventBridge global endpoints should have event replication enabled | NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| FSx.1 | FSx for OpenZFS file systems should be configured to copy tags to backups and volumes | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | LOW | |
Periodic |
| FSx.2 | FSx for Lustre file systems should be configured to copy tags to backups | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | LOW | Periodic | |
| Glue.1 | AWS Glue jobs should be tagged | AWS Resource Tagging Standard | LOW | Change triggered | |
| Glue.2 | AWS Glue jobs should have logging enabled | AWS Foundational Security Best Practices v1.0.0 | MEDIUM | Change triggered | |
| Glue.3 | AWS Glue machine learning transforms should be encrypted at rest | AWS Foundational Security Best Practices v1.0.0 | MEDIUM | Change triggered | |
| GlobalAccelerator.1 | Global Accelerator accelerators should be tagged | AWS Resource Tagging Standard | LOW | Change triggered | |
| GuardDuty.1 | GuardDuty should be enabled | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5 | HIGH | |
Periodic |
| GuardDuty.2 | GuardDuty filters should be tagged | AWS Resource Tagging Standard | LOW | Change triggered | |
| GuardDuty.3 | GuardDuty IPSets should be tagged | AWS Resource Tagging Standard | LOW | Change triggered | |
| GuardDuty.4 | GuardDuty detectors should be tagged | AWS Resource Tagging Standard | LOW | Change triggered | |
| GuardDuty.5 | GuardDuty EKS Audit Log Monitoring should be enabled | AWS Foundational Security Best Practices v1.0.0 | HIGH | Periodic | |
| GuardDuty.6 | GuardDuty Lambda Protection should be enabled | AWS Foundational Security Best Practices v1.0.0 | HIGH | Periodic | |
| GuardDuty.7 | GuardDuty EKS Runtime Monitoring should be enabled | AWS Foundational Security Best Practices v1.0.0 | MEDIUM | Periodic | |
| GuardDuty.8 | GuardDuty Malware Protection for EC2 should be enabled | AWS Foundational Security Best Practices v1.0.0 | HIGH | Periodic | |
| GuardDuty.9 | GuardDuty RDS Protection should be enabled | AWS Foundational Security Best Practices v1.0.0 | HIGH | Periodic | |
| GuardDuty.10 | GuardDuty S3 Protection should be enabled | AWS Foundational Security Best Practices v1.0.0 | HIGH | Periodic | |
| IAM.1 | IAM policies should not allow full "*" administrative privileges | CIS AWS Foundations Benchmark v1.2.0, AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, CIS AWS Foundations Benchmark v1.4.0, NIST SP 800-53 Rev. 5 | HIGH | |
Change triggered |
| IAM.2 | IAM users should not have IAM policies attached | CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.2.0, AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5 | LOW | |
Change triggered |
| IAM.3 | IAM users' access keys should be rotated every 90 days or less | CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.4.0, CIS AWS Foundations Benchmark v1.2.0, AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | |
Periodic |
| IAM.4 | IAM root user access key should not exist | CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.4.0, CIS AWS Foundations Benchmark v1.2.0, AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5 | CRITICAL | |
Periodic |
| IAM.5 | MFA should be enabled for all IAM users that have a console password | CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.4.0, CIS AWS Foundations Benchmark v1.2.0, AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | |
Periodic |
| IAM.6 | Hardware MFA should be enabled for the root user | CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.4.0, CIS AWS Foundations Benchmark v1.2.0, AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5 | CRITICAL | |
Periodic |
| IAM.7 | Password policies for IAM users should have strong configurations | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | |
Periodic |
| IAM.8 | Unused IAM user credentials should be removed | CIS AWS Foundations Benchmark v1.2.0, AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5 | MEDIUM | |
Periodic |
| IAM.9 | MFA should be enabled for the root user | CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.4.0, CIS AWS Foundations Benchmark v1.2.0, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5 | CRITICAL | |
Periodic |
| IAM.10 | Password policies for IAM users should have strong configurations | PCI DSS v3.2.1 | MEDIUM | |
Periodic |
| IAM.11 | Ensure IAM password policy requires at least one uppercase letter | CIS AWS Foundations Benchmark v1.2.0 | MEDIUM | |
Periodic |
| IAM.12 | Ensure IAM password policy requires at least one lowercase letter | CIS AWS Foundations Benchmark v1.2.0 | MEDIUM | |
Periodic |
| IAM.13 | Ensure IAM password policy requires at least one symbol | CIS AWS Foundations Benchmark v1.2.0 | MEDIUM | |
Periodic |
| IAM.14 | Ensure IAM password policy requires at least one number | CIS AWS Foundations Benchmark v1.2.0 | MEDIUM | |
Periodic |
| IAM.15 | Ensure IAM password policy requires minimum password length of 14 or greater | CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.4.0, CIS AWS Foundations Benchmark v1.2.0 | MEDIUM | |
Periodic |
| IAM.16 | Ensure IAM password policy prevents password reuse | CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.4.0, CIS AWS Foundations Benchmark v1.2.0 | LOW | |
Periodic |
| IAM.17 | Ensure IAM password policy expires passwords within 90 days or less | CIS AWS Foundations Benchmark v1.2.0 | LOW | |
Periodic |
| IAM.18 | Ensure a support role has been created to manage incidents with AWS Support | CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.4.0, CIS AWS Foundations Benchmark v1.2.0 | LOW | |
Periodic |
| IAM.19 | MFA should be enabled for all IAM users | PCI DSS v3.2.1, NIST SP 800-53 Rev. 5 | MEDIUM | |
Periodic |
| IAM.21 | IAM customer managed policies that you create should not allow wildcard actions for services | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | LOW | |
Change triggered |
| IAM.22 | IAM user credentials unused for 45 days should be removed | CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.4.0 | MEDIUM | |
Periodic |
| IAM.23 | IAM Access Analyzer analyzers should be tagged | AWS Resource Tagging Standard | LOW | Change triggered | |
| IAM.24 | IAM roles should be tagged | AWS Resource Tagging Standard | LOW | Change triggered | |
| IAM.25 | IAM users should be tagged | AWS Resource Tagging Standard | LOW | Change triggered | |
| IAM.26 | Expired SSL/TLS certificates managed in IAM should be removed | CIS AWS Foundations Benchmark v3.0.0 | MEDIUM | Periodic | |
| IAM.27 | IAM identities should not have the AWSCloudShellFullAccess policy attached | CIS AWS Foundations Benchmark v3.0.0 | MEDIUM | Change triggered | |
| IAM.28 | IAM Access Analyzer external access analyzer should be enabled | CIS AWS Foundations Benchmark v3.0.0 | HIGH | Periodic | |
| Inspector.1 | Amazon Inspector EC2 scanning should be enabled | AWS Foundational Security Best Practices v1.0.0 | HIGH | Periodic | |
| Inspector.2 | Amazon Inspector ECR scanning should be enabled | AWS Foundational Security Best Practices v1.0.0 | HIGH | Periodic | |
| Inspector.3 | Amazon Inspector Lambda code scanning should be enabled | AWS Foundational Security Best Practices v1.0.0 | HIGH | Periodic | |
| Inspector.4 | Amazon Inspector Lambda standard scanning should be enabled | AWS Foundational Security Best Practices v1.0.0 | HIGH | Periodic | |
| IoT.1 | AWS IoT Device Defender security profiles should be tagged | AWS Resource Tagging Standard | LOW | Change triggered | |
| IoT.2 | AWS IoT Core mitigation actions should be tagged | AWS Resource Tagging Standard | LOW | Change triggered | |
| IoT.3 | AWS IoT Core dimensions should be tagged | AWS Resource Tagging Standard | LOW | Change triggered | |
| IoT.4 | AWS IoT Core authorizers should be tagged | AWS Resource Tagging Standard | LOW | Change triggered | |
| IoT.5 | AWS IoT Core role aliases should be tagged | AWS Resource Tagging Standard | LOW | Change triggered | |
| IoT.6 | AWS IoT Core policies should be tagged | AWS Resource Tagging Standard | LOW | Change triggered | |
| Kinesis.1 | Kinesis streams should be encrypted at rest | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| Kinesis.2 | Kinesis streams should be tagged | AWS Resource Tagging Standard | LOW | Change triggered | |
| Kinesis.3 | Kinesis streams should have an adequate data retention period | AWS Foundational Security Best Practices v1.0.0 | MEDIUM | Change triggered | |
| KMS.1 | IAM customer managed policies should not allow decryption actions on all KMS keys | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| KMS.2 | IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| KMS.3 | AWS KMS keys should not be deleted unintentionally | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | CRITICAL | |
Change triggered |
| KMS.4 | AWS KMS key rotation should be enabled | CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.4.0, CIS AWS Foundations Benchmark v1.2.0, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5 | MEDIUM | |
Periodic |
| KMS.5 | KMS keys should not be publicly accessible | AWS Foundational Security Best Practices v1.0.0 | CRITICAL | Change triggered | |
| Lambda.1 | Lambda function policies should prohibit public access | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5 | CRITICAL | |
Change triggered |
| Lambda.2 | Lambda functions should use supported runtimes | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| Lambda.3 | Lambda functions should be in a VPC | PCI DSS v3.2.1, NIST SP 800-53 Rev. 5 | LOW | |
Change triggered |
| Lambda.5 | VPC Lambda functions should operate in multiple Availability Zones | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| Lambda.6 | Lambda functions should be tagged | AWS Resource Tagging Standard | LOW | Change triggered | |
| Macie.1 | Amazon Macie should be enabled | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | |
Periodic |
| Macie.2 | Macie automated sensitive data discovery should be enabled | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | HIGH | Periodic | |
| MSK.1 | MSK clusters should be encrypted in transit among broker nodes | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| MSK.2 | MSK clusters should have enhanced monitoring configured | NIST SP 800-53 Rev. 5 | LOW | |
Change triggered |
| MSK.3 | MSK Connect connectors should be encrypted in transit | AWS Foundational Security Best Practices v1.0.0 | MEDIUM | Change triggered | |
| MQ.2 | ActiveMQ brokers should stream audit logs to CloudWatch | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | Change triggered | |
| MQ.3 | Amazon MQ brokers should have automatic minor version upgrade enabled | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | LOW | Change triggered | |
| MQ.4 | Amazon MQ brokers should be tagged | AWS Resource Tagging Standard | LOW | Change triggered | |
| MQ.5 | ActiveMQ brokers should use active/standby deployment mode | NIST SP 800-53 Rev. 5, Service-Managed Standard: AWS Control Tower | LOW | |
Change triggered |
| MQ.6 | RabbitMQ brokers should use cluster deployment mode | NIST SP 800-53 Rev. 5, Service-Managed Standard: AWS Control Tower | LOW | |
Change triggered |
| Neptune.1 | Neptune DB clusters should be encrypted at rest | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, Service-Managed Standard: AWS Control Tower | MEDIUM | |
Change triggered |
| Neptune.2 | Neptune DB clusters should publish audit logs to CloudWatch Logs | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, Service-Managed Standard: AWS Control Tower | MEDIUM | |
Change triggered |
| Neptune.3 | Neptune DB cluster snapshots should not be public | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, Service-Managed Standard: AWS Control Tower | CRITICAL | |
Change triggered |
| Neptune.4 | Neptune DB clusters should have deletion protection enabled | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, Service-Managed Standard: AWS Control Tower | LOW | |
Change triggered |
| Neptune.5 | Neptune DB clusters should have automated backups enabled | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, Service-Managed Standard: AWS Control Tower | MEDIUM | |
Change triggered |
| Neptune.6 | Neptune DB cluster snapshots should be encrypted at rest | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, Service-Managed Standard: AWS Control Tower | MEDIUM | |
Change triggered |
| Neptune.7 | Neptune DB clusters should have IAM database authentication enabled | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, Service-Managed Standard: AWS Control Tower | MEDIUM | |
Change triggered |
| Neptune.8 | Neptune DB clusters should be configured to copy tags to snapshots | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, Service-Managed Standard: AWS Control Tower | LOW | |
Change triggered |
| Neptune.9 | Neptune DB clusters should be deployed across multiple Availability Zones | NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| NetworkFirewall.1 | Network Firewall firewalls should be deployed across multiple Availability Zones | NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| NetworkFirewall.2 | Network Firewall logging should be enabled | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | |
Periodic |
| NetworkFirewall.3 | Network Firewall policies should have at least one rule group associated | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| NetworkFirewall.4 | The default stateless action for Network Firewall policies should be drop or forward for full packets | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| NetworkFirewall.5 | The default stateless action for Network Firewall policies should be drop or forward for fragmented packets | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| NetworkFirewall.6 | Stateless network firewall rule group should not be empty | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| NetworkFirewall.7 | Network Firewall firewalls should be tagged | AWS Resource Tagging Standard | LOW | Change triggered | |
| NetworkFirewall.8 | Network Firewall firewall policies should be tagged | AWS Resource Tagging Standard | LOW | Change triggered | |
| NetworkFirewall.9 | Network Firewall firewalls should have deletion protection enabled | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| Opensearch.1 | OpenSearch domains should have encryption at rest enabled | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| Opensearch.2 | OpenSearch domains should not be publicly accessible | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5 | CRITICAL | |
Change triggered |
| Opensearch.3 | OpenSearch domains should encrypt data sent between nodes | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| Opensearch.4 | OpenSearch domain error logging to CloudWatch Logs should be enabled | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| Opensearch.5 | OpenSearch domains should have audit logging enabled | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| Opensearch.6 | OpenSearch domains should have at least three data nodes | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| Opensearch.7 | OpenSearch domains should have fine-grained access control enabled | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | HIGH | |
Change triggered |
| Opensearch.8 | Connections to OpenSearch domains should be encrypted using the latest TLS security policy | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | Change triggered | |
| Opensearch.9 | OpenSearch domains should be tagged | AWS Resource Tagging Standard | LOW | Change triggered | |
| Opensearch.10 | OpenSearch domains should have the latest software update installed | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | LOW | |
Change triggered |
| Opensearch.11 | OpenSearch domains should have at least three dedicated primary nodes | NIST SP 800-53 Rev. 5 | MEDIUM | Periodic | |
| PCA.1 | AWS Private CA root certificate authority should be disabled | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | LOW | |
Periodic |
| RDS.1 | RDS snapshot should be private | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5 | CRITICAL | |
Change triggered |
| RDS.2 | RDS DB Instances should prohibit public access, as determined by the PubliclyAccessible configuration | CIS AWS Foundations Benchmark v3.0.0, AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5 | CRITICAL | |
Change triggered |
| RDS.3 | RDS DB instances should have encryption at-rest enabled | CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.4.0, AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| RDS.4 | RDS cluster snapshots and database snapshots should be encrypted at rest | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| RDS.5 | RDS DB instances should be configured with multiple Availability Zones | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| RDS.6 | Enhanced monitoring should be configured for RDS DB instances | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | LOW | |
Change triggered |
| RDS.7 | RDS clusters should have deletion protection enabled | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | LOW | |
Change triggered |
| RDS.8 | RDS DB instances should have deletion protection enabled | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | LOW | |
Change triggered |
| RDS.9 | RDS DB instances should publish logs to CloudWatch Logs | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| RDS.10 | IAM authentication should be configured for RDS instances | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| RDS.11 | RDS instances should have automatic backups enabled | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| RDS.12 | IAM authentication should be configured for RDS clusters | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| RDS.13 | RDS automatic minor version upgrades should be enabled | CIS AWS Foundations Benchmark v3.0.0, AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | HIGH | |
Change triggered |
| RDS.14 | Amazon Aurora clusters should have backtracking enabled | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| RDS.15 | RDS DB clusters should be configured for multiple Availability Zones | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| RDS.16 | RDS DB clusters should be configured to copy tags to snapshots | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | LOW | |
Change triggered |
| RDS.17 | RDS DB instances should be configured to copy tags to snapshots | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | LOW | |
Change triggered |
| RDS.18 | RDS instances should be deployed in a VPC | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | HIGH | |
Change triggered |
| RDS.19 | Existing RDS event notification subscriptions should be configured for critical cluster events | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | LOW | |
Change triggered |
| RDS.20 | Existing RDS event notification subscriptions should be configured for critical database instance events | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | LOW | |
Change triggered |
| RDS.21 | An RDS event notifications subscription should be configured for critical database parameter group events | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | LOW | |
Change triggered |
| RDS.22 | An RDS event notifications subscription should be configured for critical database security group events | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | LOW | |
Change triggered |
| RDS.23 | RDS instances should not use a database engine default port | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | LOW | |
Change triggered |
| RDS.24 | RDS Database Clusters should use a custom administrator username | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| RDS.25 | RDS database instances should use a custom administrator username | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| RDS.26 | RDS DB instances should be protected by a backup plan | NIST SP 800-53 Rev. 5 | MEDIUM | |
Periodic |
| RDS.27 | RDS DB clusters should be encrypted at rest | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, Service-Managed Standard: AWS Control Tower | MEDIUM | |
Change triggered |
| RDS.28 | RDS DB clusters should be tagged | AWS Resource Tagging Standard | LOW | Change triggered | |
| RDS.29 | RDS DB cluster snapshots should be tagged | AWS Resource Tagging Standard | LOW | Change triggered | |
| RDS.30 | RDS DB instances should be tagged | AWS Resource Tagging Standard | LOW | Change triggered | |
| RDS.31 | RDS DB security groups should be tagged | AWS Resource Tagging Standard | LOW | Change triggered | |
| RDS.32 | RDS DB snapshots should be tagged | AWS Resource Tagging Standard | LOW | Change triggered | |
| RDS.33 | RDS DB subnet groups should be tagged | AWS Resource Tagging Standard | LOW | Change triggered | |
| RDS.34 | Aurora MySQL DB clusters should publish audit logs to CloudWatch Logs | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| RDS.35 | RDS DB clusters should have automatic minor version upgrade enabled | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| RDS.36 | RDS for PostgreSQL DB instances should publish logs to CloudWatch Logs | AWS Foundational Security Best Practices v1.0.0 | MEDIUM | Change triggered | |
| RDS.37 | Aurora PostgreSQL DB clusters should publish logs to CloudWatch Logs | AWS Foundational Security Best Practices v1.0.0 | MEDIUM | Change triggered | |
| Redshift.1 | Amazon Redshift clusters should prohibit public access | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5 | CRITICAL | |
Change triggered |
| Redshift.2 | Connections to Amazon Redshift clusters should be encrypted in transit | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| Redshift.3 | Amazon Redshift clusters should have automatic snapshots enabled | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| Redshift.4 | Amazon Redshift clusters should have audit logging enabled | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| Redshift.6 | Amazon Redshift should have automatic upgrades to major versions enabled | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| Redshift.7 | Redshift clusters should use enhanced VPC routing | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| Redshift.8 | Amazon Redshift clusters should not use the default Admin username | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| Redshift.9 | Redshift clusters should not use the default database name | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| Redshift.10 | Redshift clusters should be encrypted at rest | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| Redshift.11 | Redshift clusters should be tagged | AWS Resource Tagging Standard | LOW | Change triggered | |
| Redshift.12 | Redshift event subscription notifications should be tagged | AWS Resource Tagging Standard | LOW | Change triggered | |
| Redshift.13 | Redshift cluster snapshots should be tagged | AWS Resource Tagging Standard | LOW | Change triggered | |
| Redshift.14 | Redshift cluster subnet groups should be tagged | AWS Resource Tagging Standard | LOW | Change triggered | |
| Redshift.15 | Redshift security groups should allow ingress on the cluster port only from restricted origins | AWS Foundational Security Best Practices v1.0.0 | HIGH | Periodic | |
| Route53.1 | Route 53 health checks should be tagged | AWS Resource Tagging Standard | LOW | Change triggered | |
| Route53.2 | Route 53 public hosted zones should log DNS queries | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| S3.1 | S3 general purpose buckets should have block public access settings enabled | CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.4.0, AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5 | MEDIUM | Periodic | |
| S3.2 | S3 general purpose buckets should block public read access | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5 | CRITICAL | Change triggered and periodic | |
| S3.3 | S3 general purpose buckets should block public write access | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5 | CRITICAL | Change triggered and periodic | |
| S3.5 | S3 general purpose buckets should require requests to use SSL | CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.4.0, AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5 | MEDIUM | Change triggered | |
| S3.6 | S3 general purpose bucket policies should restrict access to other AWS accounts | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | HIGH | Change triggered | |
| S3.7 | S3 general purpose buckets should use cross-Region replication | PCI DSS v3.2.1, NIST SP 800-53 Rev. 5 | LOW | Change triggered | |
| S3.8 | S3 general purpose buckets should block public access | CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.4.0, AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | HIGH | Change triggered | |
| S3.9 | S3 general purpose buckets should have server access logging enabled | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | Change triggered | |
| S3.10 | S3 general purpose buckets with versioning enabled should have Lifecycle configurations | NIST SP 800-53 Rev. 5 | MEDIUM | Change triggered | |
| S3.11 | S3 general purpose buckets should have event notifications enabled | NIST SP 800-53 Rev. 5 | MEDIUM | Change triggered | |
| S3.12 | ACLs should not be used to manage user access to S3 general purpose buckets | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | Change triggered | |
| S3.13 | S3 general purpose buckets should have Lifecycle configurations | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | LOW | Change triggered | |
| S3.14 | S3 general purpose buckets should have versioning enabled | NIST SP 800-53 Rev. 5 | LOW | Change triggered | |
| S3.15 | S3 general purpose buckets should have Object Lock enabled | NIST SP 800-53 Rev. 5 | MEDIUM | Change triggered | |
| S3.17 | S3 general purpose buckets should be encrypted at rest with AWS KMS keys | Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | Change triggered | |
| S3.19 | S3 access points should have block public access settings enabled | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | CRITICAL | Change triggered | |
| S3.20 | S3 general purpose buckets should have MFA delete enabled | CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.4.0, NIST SP 800-53 Rev. 5 | LOW | Change triggered | |
| S3.22 | S3 general purpose buckets should log object-level write events | CIS AWS Foundations Benchmark v3.0.0 | MEDIUM | Periodic | |
| S3.23 | S3 general purpose buckets should log object-level read events | CIS AWS Foundations Benchmark v3.0.0 | MEDIUM | Periodic | |
| S3.24 | S3 Multi-Region Access Points should have block public access settings enabled | AWS Foundational Security Best Practices v1.0.0 | HIGH | Change triggered | |
| SageMaker.1 | Amazon SageMaker notebook instances should not have direct internet access | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5 | HIGH | |
Periodic |
| SageMaker.2 | SageMaker notebook instances should be launched in a custom VPC | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | HIGH | |
Change triggered |
| SageMaker.3 | Users should not have root access to SageMaker notebook instances | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | HIGH | |
Change triggered |
| SageMaker.4 | SageMaker endpoint production variants should have an initial instance count greater than 1 | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | Periodic | |
| SecretsManager.1 | Secrets Manager secrets should have automatic rotation enabled | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| SecretsManager.2 | Secrets Manager secrets configured with automatic rotation should rotate successfully | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| SecretsManager.3 | Remove unused Secrets Manager secrets | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | |
Periodic |
| SecretsManager.4 | Secrets Manager secrets should be rotated within a specified number of days | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | |
Periodic |
| SecretsManager.5 | Secrets Manager secrets should be tagged | AWS Resource Tagging Standard | LOW | Change triggered | |
| ServiceCatalog.1 | Service Catalog portfolios should be shared within an AWS organization only | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | HIGH | Periodic | |
| SES.1 | SES contact lists should be tagged | AWS Resource Tagging Standard | LOW | Change triggered | |
| SES.2 | SES configuration sets should be tagged | AWS Resource Tagging Standard | LOW | Change triggered | |
| SNS.1 | SNS topics should be encrypted at-rest using AWS KMS | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, Service-Managed Standard: AWS Control Tower | MEDIUM | Change triggered | |
| SNS.3 | SNS topics should be tagged | AWS Resource Tagging Standard | LOW | Change triggered | |
| SNS.4 | SNS topic access policies should not allow public access | AWS Foundational Security Best Practices v1.0.0 | HIGH | Change triggered | |
| SQS.1 | Amazon SQS queues should be encrypted at rest | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| SQS.2 | SQS queues should be tagged | AWS Resource Tagging Standard | LOW | Change triggered | |
| SSM.1 | EC2 instances should be managed by AWS Systems Manager | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| SSM.2 | EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5 | HIGH | |
Change triggered |
| SSM.3 | EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5 | LOW | |
Change triggered |
| SSM.4 | SSM documents should not be public | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | CRITICAL | |
Periodic |
| StepFunctions.1 | Step Functions state machines should have logging turned on | AWS Foundational Security Best Practices | MEDIUM | |
Change triggered |
| StepFunctions.2 | Step Functions activities should be tagged | AWS Resource Tagging Standard | LOW | Change triggered | |
| Transfer.1 | Transfer Family workflows should be tagged | AWS Resource Tagging Standard | LOW | Change triggered | |
| Transfer.2 | Transfer Family servers should not use FTP protocol for endpoint connection | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | Periodic | |
| WAF.1 | AWS WAF Classic Global Web ACL logging should be enabled | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | |
Periodic |
| WAF.2 | AWS WAF Classic Regional rules should have at least one condition | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| WAF.3 | AWS WAF Classic Regional rule groups should have at least one rule | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| WAF.4 | AWS WAF Classic Regional web ACLs should have at least one rule or rule group | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| WAF.6 | AWS WAF Classic global rules should have at least one condition | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| WAF.7 | AWS WAF Classic global rule groups should have at least one rule | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| WAF.8 | AWS WAF Classic global web ACLs should have at least one rule or rule group | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| WAF.10 | AWS WAF web ACLs should have at least one rule or rule group | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| WAF.11 | AWS WAF web ACL logging should be enabled | NIST SP 800-53 Rev. 5 | LOW | |
Periodic |
| WAF.12 | AWS WAF rules should have CloudWatch metrics enabled | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | |
Change triggered |
| WorkSpaces.1 | WorkSpaces user volumes should be encrypted at rest | AWS Foundational Security Best Practices v1.0.0 | MEDIUM | Change triggered | |
| WorkSpaces.2 | WorkSpaces root volumes should be encrypted at rest | AWS Foundational Security Best Practices v1.0.0 | MEDIUM | Change triggered |
Topics
- Security Hub controls for AWS accounts
- Security Hub controls for API Gateway
- Security Hub controls for AWS AppSync
- Security Hub controls for Athena
- Security Hub controls for AWS Backup
- Security Hub controls for ACM
- Security Hub controls for AWS CloudFormation
- Security Hub controls for CloudFront
- Security Hub controls for CloudTrail
- Security Hub controls for CloudWatch
- Security Hub controls for CodeArtifact
- Security Hub controls for CodeBuild
- Security Hub controls for AWS Config
- Security Hub controls for Amazon Data Firehose
- Security Hub controls for DataSync
- Security Hub controls for Detective
- Security Hub controls for AWS DMS
- Security Hub controls for Amazon DocumentDB
- Security Hub controls for DynamoDB
- Security Hub controls for Amazon EC2
- Security Hub controls for Auto Scaling
- Security Hub controls for Amazon ECR
- Security Hub controls for Amazon ECS
- Security Hub controls for Amazon EFS
- Security Hub controls for Amazon EKS
- Security Hub controls for ElastiCache
- Security Hub controls for Elastic Beanstalk
- Security Hub controls for Elastic Load Balancing
- Security Hub for Elasticsearch
- Security Hub controls for Amazon EMR
- Security Hub controls for EventBridge
- Security Hub controls for Amazon FSx
- Security Hub controls for Global Accelerator
- Security Hub controls for AWS Glue
- Security Hub controls for GuardDuty
- Security Hub controls for IAM
- Security Hub controls for Amazon Inspector
- Security Hub controls for AWS IoT
- Security Hub controls for Kinesis
- Security Hub controls for AWS KMS
- Security Hub controls for Lambda
- Security Hub controls for Macie
- Security Hub controls for Amazon MSK
- Security Hub controls for Amazon MQ
- Security Hub controls for Neptune
- Security Hub controls for Network Firewall
- Security Hub controls for OpenSearch Service
- Security Hub controls for AWS Private CA
- Security Hub controls for Amazon RDS
- Security Hub controls for Amazon Redshift
- Security Hub controls for Route 53
- Security Hub controls for Amazon S3
- Security Hub controls for SageMaker
- Security Hub controls for Secrets Manager
- Security Hub controls for Service Catalog
- Security Hub controls for Amazon SES
- Security Hub controls for Amazon SNS
- Security Hub controls for Amazon SQS
- Security Hub controls for Step Functions
- Security Hub controls for Systems Manager
- Security Hub controls for Transfer Family
- Security Hub controls for AWS WAF
- Security Hub controls for WorkSpaces
