# Regional limits for Security Hub CSPM
<a name="securityhub-regions"></a>

Some AWS Security Hub CSPM features are available in only certain AWS Regions. The following sections specify these Regional limits. For a complete list of all the Regions where Security Hub CSPM is currently available, see [AWS Security Hub endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/sechub.html) in the *AWS General Reference*.

## Cross-Region aggregation restrictions
<a name="securityhub-regions-finding-aggregation-support"></a>

In AWS GovCloud (US) Regions, [cross-Region aggregation](finding-aggregation.md) is available for findings, finding updates, and insights across AWS GovCloud (US) Regions only. Specifically, you can aggregate findings, finding updates, and insights only between the AWS GovCloud (US-East) and AWS GovCloud (US-West) Regions.

In the China Regions, cross-Region aggregation is available for findings, finding updates, and insights across the China Regions only. Specifically, you can aggregate findings, finding updates, and insights only between the China (Beijing) and China (Ningxia) Regions.

You can't use a Region that's disabled by default as your aggregation Region. For a list of Regions that are disabled by default, see [Enable or disable AWS Regions in your account](https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-regions.html#rande-manage-enable) in the *AWS Account Management Reference Guide*.

## Availability of integrations by Region
<a name="securityhub-regions-integration-support"></a>

Some integrations aren't available in all AWS Regions. On the Security Hub CSPM console, an integration doesn't appear on the **Integrations** page if it isn't available in the Region that you're currently signed in to.

### Integrations supported in the China (Beijing) and China (Ningxia) Regions
<a name="securityhub-regions-integration-support-china"></a>

In the China (Beijing) and China (Ningxia) Regions, Security Hub CSPM supports only the following [integrations with AWS services](securityhub-internal-providers.md):
+ AWS Firewall Manager
+ Amazon GuardDuty
+ AWS Identity and Access Management Access Analyzer
+ Amazon Inspector
+ AWS IoT Device Defender
+ AWS Systems Manager Explorer
+ AWS Systems Manager OpsCenter
+ AWS Systems Manager Patch Manager

In the China (Beijing) and China (Ningxia) Regions, Security Hub CSPM supports only the following [third-party integrations](securityhub-partner-providers.md):
+ Cloud Custodian
+ FireEye Helix
+ Helecloud
+ IBM QRadar
+ PagerDuty
+ Palo Alto Networks Cortex XSOAR
+ Palo Alto Networks VM-Series
+ Prowler
+ RSA Archer
+ Splunk Enterprise
+ Splunk Phantom
+ ThreatModeler

### Integrations supported in the AWS GovCloud (US-East) and AWS GovCloud (US-West) Regions
<a name="securityhub-regions-integration-support-govcloud"></a>

In the AWS GovCloud (US-East) and AWS GovCloud (US-West) Regions, Security Hub CSPM supports only the following [integrations with AWS services](securityhub-internal-providers.md):
+ AWS Config
+ Amazon Detective
+ AWS Firewall Manager
+ Amazon GuardDuty
+ AWS Health
+ IAM Access Analyzer
+ Amazon Inspector
+ AWS IoT Device Defender

In the AWS GovCloud (US-East) and AWS GovCloud (US-West) Regions, Security Hub CSPM supports only the following [third-party integrations](securityhub-partner-providers.md):
+ Atlassian Jira Service Management
+ Atlassian Jira Service Management Cloud
+ Atlassian OpsGenie
+ Caveonix Cloud
+ Cloud Custodian
+ Cloud Storage Security Antivirus for Amazon S3
+ CrowdStrike Falcon
+ FireEye Helix
+ Forcepoint CASB
+ Forcepoint DLP
+ Forcepoint NGFW
+ Fugue
+ Kion
+ MicroFocus ArcSight
+ NETSCOUT Cyber Investigator
+ PagerDuty
+ Palo Alto Networks – Prisma Cloud Compute
+ Palo Alto Networks – Prisma Cloud Enterprise
+ Palo Alto Networks – VM-Series (available only in AWS GovCloud (US-West))
+ Prowler
+ Rackspace Technology – Cloud Native Security
+ Rapid7 InsightConnect
+ RSA Archer
+ ServiceNow ITSM
+ Slack
+ ThreatModeler
+ Vectra AI Cognito Detect

## Availability of standards by Region
<a name="securityhub-regions-standards-support"></a>

The [AWS Control Tower service-managed standard](service-managed-standard-aws-control-tower.md) is available only in AWS Regions that AWS Control Tower supports. For a list of Regions that AWS Control Tower currently supports, see [How AWS Regions Work With AWS Control Tower](https://docs.aws.amazon.com/controltower/latest/userguide/region-how.html) in the *AWS Control Tower User Guide*.

The [AWS Resource Tagging standard](standards-tagging.md) isn't available in the Asia Pacific (Taipei) Region.

Other security standards are available in all the Regions where Security Hub CSPM is currently available.

## Availability of controls by Region
<a name="securityhub-regions-control-support"></a>

Some Security Hub CSPM controls aren't available in all AWS Regions. For a list of controls that aren't available in each Region, see [Regional limits on Security Hub CSPM controls](regions-controls.md).

On the Security Hub CSPM console, a control doesn't appear in the list of controls if it isn't available in the Region that you're currently signed in to. The exception is an aggregation Region. If you set an aggregation Region and sign in to that Region, the console shows controls that are available in the aggregation Region or one or more linked Regions.

# Regional limits on Security Hub CSPM controls
<a name="regions-controls"></a>

Some AWS Security Hub CSPM controls aren't available in all AWS Regions. This page specifies which controls aren't available in specific Regions.

On the Security Hub CSPM console, a control doesn't appear in the list of controls if it isn't available in the Region that you're currently signed in to. The exception is an aggregation Region. If you set an aggregation Region and sign in to that Region, the console shows controls that are available in the aggregation Region or one or more linked Regions.

**Topics**
+ [US East (N. Virginia)](#securityhub-control-support-useast1)
+ [US East (Ohio)](#securityhub-control-support-useast2)
+ [US West (N. California)](#securityhub-control-support-uswest1)
+ [US West (Oregon)](#securityhub-control-support-uswest2)
+ [Africa (Cape Town)](#securityhub-control-support-afsouth1)
+ [Asia Pacific (Hong Kong)](#securityhub-control-support-apeast1)
+ [Asia Pacific (Hyderabad)](#securityhub-control-support-apsouth2)
+ [Asia Pacific (Jakarta)](#securityhub-control-support-apsoutheast3)
+ [Asia Pacific (Malaysia)](#securityhub-control-support-apsoutheast5)
+ [Asia Pacific (Melbourne)](#securityhub-control-support-apsoutheast4)
+ [Asia Pacific (Mumbai)](#securityhub-control-support-apsouth1)
+ [Asia Pacific (New Zealand)](#securityhub-control-support-apsoutheast6)
+ [Asia Pacific (Osaka)](#securityhub-control-support-apnortheast3)
+ [Asia Pacific (Seoul)](#securityhub-control-support-apnortheast2)
+ [Asia Pacific (Singapore)](#securityhub-control-support-apsoutheast1)
+ [Asia Pacific (Sydney)](#securityhub-control-support-apsoutheast2)
+ [Asia Pacific (Taipei)](#securityhub-control-support-apeast2)
+ [Asia Pacific (Thailand)](#securityhub-control-support-apsoutheast7)
+ [Asia Pacific (Tokyo)](#securityhub-control-support-apnortheast1)
+ [Canada (Central)](#securityhub-control-support-cacentral1)
+ [Canada West (Calgary)](#securityhub-control-support-cawest1)
+ [China (Beijing)](#securityhub-control-support-cnnorth1)
+ [China (Ningxia)](#securityhub-control-support-cnnorthwest1)
+ [Europe (Frankfurt)](#securityhub-control-support-eucentral1)
+ [Europe (Ireland)](#securityhub-control-support-euwest1)
+ [Europe (London)](#securityhub-control-support-euwest2)
+ [Europe (Milan)](#securityhub-control-support-eusouth1)
+ [Europe (Paris)](#securityhub-control-support-euwest3)
+ [Europe (Spain)](#securityhub-control-support-eusouth2)
+ [Europe (Stockholm)](#securityhub-control-support-eunorth1)
+ [Europe (Zurich)](#securityhub-control-support-eucentral2)
+ [Israel (Tel Aviv)](#securityhub-control-support-ilcentral1)
+ [Mexico (Central)](#securityhub-control-support-mxcentral1)
+ [Middle East (Bahrain)](#securityhub-control-support-mesouth1)
+ [Middle East (UAE)](#securityhub-control-support-mecentral1)
+ [South America (São Paulo)](#securityhub-control-support-saeast1)
+ [AWS GovCloud (US-East)](#securityhub-control-support-usgoveast1)
+ [AWS GovCloud (US-West)](#securityhub-control-support-usgovwest1)

## US East (N. Virginia)
<a name="securityhub-control-support-useast1"></a>

The following controls are not supported in the US East (N. Virginia) Region.
+  [[ElastiCache.4] ElastiCache replication groups should be encrypted at rest](elasticache-controls.md#elasticache-4) 
+  [[ElastiCache.5] ElastiCache replication groups should be encrypted in transit](elasticache-controls.md#elasticache-5) 
+  [[ElastiCache.6] ElastiCache (Redis OSS) replication groups of earlier versions should have Redis OSS AUTH enabled](elasticache-controls.md#elasticache-6) 
+  [[ElastiCache.7] ElastiCache clusters should not use the default subnet group](elasticache-controls.md#elasticache-7) 
+  [[GlobalAccelerator.1] Global Accelerator accelerators should be tagged](globalaccelerator-controls.md#globalaccelerator-1) 
+  [[S3.24] S3 Multi-Region Access Points should have block public access settings enabled](s3-controls.md#s3-24) 

## US East (Ohio)
<a name="securityhub-control-support-useast2"></a>

The following controls are not supported in the US East (Ohio) Region.
+  [[AppSync.1] AWS AppSync API caches should be encrypted at rest](appsync-controls.md#appsync-1) 
+  [[AppSync.6] AWS AppSync API caches should be encrypted in transit](appsync-controls.md#appsync-6) 
+  [[CloudFront.1] CloudFront distributions should have a default root object configured](cloudfront-controls.md#cloudfront-1) 
+  [[CloudFront.3] CloudFront distributions should require encryption in transit](cloudfront-controls.md#cloudfront-3) 
+  [[CloudFront.4] CloudFront distributions should have origin failover configured](cloudfront-controls.md#cloudfront-4) 
+  [[CloudFront.5] CloudFront distributions should have logging enabled](cloudfront-controls.md#cloudfront-5) 
+  [[CloudFront.6] CloudFront distributions should have WAF enabled](cloudfront-controls.md#cloudfront-6) 
+  [[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates](cloudfront-controls.md#cloudfront-7) 
+  [[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests](cloudfront-controls.md#cloudfront-8) 
+  [[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins](cloudfront-controls.md#cloudfront-9) 
+  [[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins](cloudfront-controls.md#cloudfront-10) 
+  [[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins](cloudfront-controls.md#cloudfront-12) 
+  [[CloudFront.13] CloudFront distributions should use origin access control](cloudfront-controls.md#cloudfront-13) 
+  [[CloudFront.14] CloudFront distributions should be tagged](cloudfront-controls.md#cloudfront-14) 
+  [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](cloudfront-controls.md#cloudfront-15) 
+  [[CloudFront.16] CloudFront distributions should use origin access control for Lambda function URL origins](cloudfront-controls.md#cloudfront-16) 
+  [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](cloudfront-controls.md#cloudfront-17) 
+  [[Connect.1] Amazon Connect Customer Profiles object types should be tagged](connect-controls.md#connect-1) 
+  [[Connect.2] Amazon Connect instances should have CloudWatch logging enabled](connect-controls.md#connect-2) 
+  [[EC2.24] Amazon EC2 paravirtual instance types should not be used](ec2-controls.md#ec2-24) 
+  [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](ec2-controls.md#ec2-173) 
+  [[ECR.4] ECR public repositories should be tagged](ecr-controls.md#ecr-4) 
+  [[GlobalAccelerator.1] Global Accelerator accelerators should be tagged](globalaccelerator-controls.md#globalaccelerator-1) 
+  [[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed](iam-controls.md#iam-26) 
+  [[IoTTwinMaker.1] AWS IoT TwinMaker sync jobs should be tagged](iottwinmaker-controls.md#iottwinmaker-1) 
+  [[IoTTwinMaker.2] AWS IoT TwinMaker workspaces should be tagged](iottwinmaker-controls.md#iottwinmaker-2) 
+  [[IoTTwinMaker.3] AWS IoT TwinMaker scenes should be tagged](iottwinmaker-controls.md#iottwinmaker-3) 
+  [[IoTTwinMaker.4] AWS IoT TwinMaker entities should be tagged](iottwinmaker-controls.md#iottwinmaker-4) 
+  [[IoTWireless.1] AWS IoT Wireless multicast groups should be tagged](iotwireless-controls.md#iotwireless-1) 
+  [[IoTWireless.2] AWS IoT Wireless service profiles should be tagged](iotwireless-controls.md#iotwireless-2) 
+  [[IoTWireless.3] AWS IoT FUOTA tasks should be tagged](iotwireless-controls.md#iotwireless-3) 
+  [[IVS.1] IVS playback key pairs should be tagged](ivs-controls.md#ivs-1) 
+  [[IVS.2] IVS recording configurations should be tagged](ivs-controls.md#ivs-2) 
+  [[IVS.3] IVS channels should be tagged](ivs-controls.md#ivs-3) 
+  [[RDS.31] RDS DB security groups should be tagged](rds-controls.md#rds-31) 
+  [[Route53.1] Route 53 health checks should be tagged](route53-controls.md#route53-1) 
+  [[Route53.2] Route 53 public hosted zones should log DNS queries](route53-controls.md#route53-2) 
+  [[S3.24] S3 Multi-Region Access Points should have block public access settings enabled](s3-controls.md#s3-24) 
+  [[WAF.1] AWS WAF Classic Global Web ACL logging should be enabled](waf-controls.md#waf-1) 
+  [[WAF.6] AWS WAF Classic global rules should have at least one condition](waf-controls.md#waf-6) 
+  [[WAF.7] AWS WAF Classic global rule groups should have at least one rule](waf-controls.md#waf-7) 
+  [[WAF.8] AWS WAF Classic global web ACLs should have at least one rule or rule group](waf-controls.md#waf-8) 
+  [[WorkSpaces.1] WorkSpaces user volumes should be encrypted at rest](workspaces-controls.md#workspaces-1) 
+  [[WorkSpaces.2] WorkSpaces root volumes should be encrypted at rest](workspaces-controls.md#workspaces-2) 

## US West (N. California)
<a name="securityhub-control-support-uswest1"></a>

The following controls are not supported in the US West (N. California) Region.
+  [[AppRunner.1] App Runner services should be tagged](apprunner-controls.md#apprunner-1) 
+  [[AppRunner.2] App Runner VPC connectors should be tagged](apprunner-controls.md#apprunner-2) 
+  [[AppSync.1] AWS AppSync API caches should be encrypted at rest](appsync-controls.md#appsync-1) 
+  [[AppSync.6] AWS AppSync API caches should be encrypted in transit](appsync-controls.md#appsync-6) 
+  [[CloudFront.1] CloudFront distributions should have a default root object configured](cloudfront-controls.md#cloudfront-1) 
+  [[CloudFront.3] CloudFront distributions should require encryption in transit](cloudfront-controls.md#cloudfront-3) 
+  [[CloudFront.4] CloudFront distributions should have origin failover configured](cloudfront-controls.md#cloudfront-4) 
+  [[CloudFront.5] CloudFront distributions should have logging enabled](cloudfront-controls.md#cloudfront-5) 
+  [[CloudFront.6] CloudFront distributions should have WAF enabled](cloudfront-controls.md#cloudfront-6) 
+  [[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates](cloudfront-controls.md#cloudfront-7) 
+  [[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests](cloudfront-controls.md#cloudfront-8) 
+  [[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins](cloudfront-controls.md#cloudfront-9) 
+  [[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins](cloudfront-controls.md#cloudfront-10) 
+  [[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins](cloudfront-controls.md#cloudfront-12) 
+  [[CloudFront.13] CloudFront distributions should use origin access control](cloudfront-controls.md#cloudfront-13) 
+  [[CloudFront.14] CloudFront distributions should be tagged](cloudfront-controls.md#cloudfront-14) 
+  [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](cloudfront-controls.md#cloudfront-15) 
+  [[CloudFront.16] CloudFront distributions should use origin access control for Lambda function URL origins](cloudfront-controls.md#cloudfront-16) 
+  [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](cloudfront-controls.md#cloudfront-17) 
+  [[CodeArtifact.1] CodeArtifact repositories should be tagged](codeartifact-controls.md#codeartifact-1) 
+  [[CodeGuruProfiler.1] CodeGuru Profiler profiling groups should be tagged](codeguruprofiler-controls.md#codeguruprofiler-1) 
+  [[CodeGuruReviewer.1] CodeGuru Reviewer repository associations should be tagged](codegurureviewer-controls.md#codegurureviewer-1) 
+  [[Connect.1] Amazon Connect Customer Profiles object types should be tagged](connect-controls.md#connect-1) 
+  [[Connect.2] Amazon Connect instances should have CloudWatch logging enabled](connect-controls.md#connect-2) 
+  [[DocumentDB.1] Amazon DocumentDB clusters should be encrypted at rest](documentdb-controls.md#documentdb-1) 
+  [[DocumentDB.2] Amazon DocumentDB clusters should have an adequate backup retention period](documentdb-controls.md#documentdb-2) 
+  [[DocumentDB.3] Amazon DocumentDB manual cluster snapshots should not be public](documentdb-controls.md#documentdb-3) 
+  [[DocumentDB.4] Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs](documentdb-controls.md#documentdb-4) 
+  [[DocumentDB.5] Amazon DocumentDB clusters should have deletion protection enabled](documentdb-controls.md#documentdb-5) 
+  [[DocumentDB.6] Amazon DocumentDB clusters should be encrypted in transit](documentdb-controls.md#documentdb-6) 
+  [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](ec2-controls.md#ec2-173) 
+  [[ECR.4] ECR public repositories should be tagged](ecr-controls.md#ecr-4) 
+  [[FraudDetector.1] Amazon Fraud Detector entity types should be tagged](frauddetector-controls.md#frauddetector-1) 
+  [[FraudDetector.2] Amazon Fraud Detector labels should be tagged](frauddetector-controls.md#frauddetector-2) 
+  [[FraudDetector.3] Amazon Fraud Detector outcomes should be tagged](frauddetector-controls.md#frauddetector-3) 
+  [[FraudDetector.4] Amazon Fraud Detector variables should be tagged](frauddetector-controls.md#frauddetector-4) 
+  [[GlobalAccelerator.1] Global Accelerator accelerators should be tagged](globalaccelerator-controls.md#globalaccelerator-1) 
+  [[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed](iam-controls.md#iam-26) 
+  [[Inspector.3] Amazon Inspector Lambda code scanning should be enabled](inspector-controls.md#inspector-3) 
+  [[IoTEvents.1] AWS IoT Events inputs should be tagged](iotevents-controls.md#iotevents-1) 
+  [[IoTEvents.2] AWS IoT Events detector models should be tagged](iotevents-controls.md#iotevents-2) 
+  [[IoTEvents.3] AWS IoT Events alarm models should be tagged](iotevents-controls.md#iotevents-3) 
+  [[IoTSiteWise.1] AWS IoT SiteWise asset models should be tagged](iotsitewise-controls.md#iotsitewise-1) 
+  [[IoTSiteWise.2] AWS IoT SiteWise dashboards should be tagged](iotsitewise-controls.md#iotsitewise-2) 
+  [[IoTSiteWise.3] AWS IoT SiteWise gateways should be tagged](iotsitewise-controls.md#iotsitewise-3) 
+  [[IoTSiteWise.4] AWS IoT SiteWise portals should be tagged](iotsitewise-controls.md#iotsitewise-4) 
+  [[IoTSiteWise.5] AWS IoT SiteWise projects should be tagged](iotsitewise-controls.md#iotsitewise-5) 
+  [[IoTTwinMaker.1] AWS IoT TwinMaker sync jobs should be tagged](iottwinmaker-controls.md#iottwinmaker-1) 
+  [[IoTTwinMaker.2] AWS IoT TwinMaker workspaces should be tagged](iottwinmaker-controls.md#iottwinmaker-2) 
+  [[IoTTwinMaker.3] AWS IoT TwinMaker scenes should be tagged](iottwinmaker-controls.md#iottwinmaker-3) 
+  [[IoTTwinMaker.4] AWS IoT TwinMaker entities should be tagged](iottwinmaker-controls.md#iottwinmaker-4) 
+  [[IoTWireless.1] AWS IoT Wireless multicast groups should be tagged](iotwireless-controls.md#iotwireless-1) 
+  [[IoTWireless.2] AWS IoT Wireless service profiles should be tagged](iotwireless-controls.md#iotwireless-2) 
+  [[IoTWireless.3] AWS IoT FUOTA tasks should be tagged](iotwireless-controls.md#iotwireless-3) 
+  [[IVS.1] IVS playback key pairs should be tagged](ivs-controls.md#ivs-1) 
+  [[IVS.2] IVS recording configurations should be tagged](ivs-controls.md#ivs-2) 
+  [[IVS.3] IVS channels should be tagged](ivs-controls.md#ivs-3) 
+  [[RDS.35] RDS DB clusters should have automatic minor version upgrade enabled](rds-controls.md#rds-35) 
+  [[RDS.47] RDS for PostgreSQL DB clusters should be configured to copy tags to DB snapshots](rds-controls.md#rds-47) 
+  [[RDS.48] RDS for MySQL DB clusters should be configured to copy tags to DB snapshots](rds-controls.md#rds-48) 
+  [[Redshift.18] Redshift clusters should have Multi-AZ deployments enabled](redshift-controls.md#redshift-18) 
+  [[Route53.1] Route 53 health checks should be tagged](route53-controls.md#route53-1) 
+  [[Route53.2] Route 53 public hosted zones should log DNS queries](route53-controls.md#route53-2) 
+  [[S3.24] S3 Multi-Region Access Points should have block public access settings enabled](s3-controls.md#s3-24) 
+  [[S3.25] S3 directory buckets should have lifecycle configurations](s3-controls.md#s3-25) 
+  [[WAF.1] AWS WAF Classic Global Web ACL logging should be enabled](waf-controls.md#waf-1) 
+  [[WAF.6] AWS WAF Classic global rules should have at least one condition](waf-controls.md#waf-6) 
+  [[WAF.7] AWS WAF Classic global rule groups should have at least one rule](waf-controls.md#waf-7) 
+  [[WAF.8] AWS WAF Classic global web ACLs should have at least one rule or rule group](waf-controls.md#waf-8) 
+  [[WorkSpaces.1] WorkSpaces user volumes should be encrypted at rest](workspaces-controls.md#workspaces-1) 
+  [[WorkSpaces.2] WorkSpaces root volumes should be encrypted at rest](workspaces-controls.md#workspaces-2) 

## US West (Oregon)
<a name="securityhub-control-support-uswest2"></a>

The following controls are not supported in the US West (Oregon) Region.
+  [[AppSync.1] AWS AppSync API caches should be encrypted at rest](appsync-controls.md#appsync-1) 
+  [[AppSync.6] AWS AppSync API caches should be encrypted in transit](appsync-controls.md#appsync-6) 
+  [[CloudFront.1] CloudFront distributions should have a default root object configured](cloudfront-controls.md#cloudfront-1) 
+  [[CloudFront.3] CloudFront distributions should require encryption in transit](cloudfront-controls.md#cloudfront-3) 
+  [[CloudFront.4] CloudFront distributions should have origin failover configured](cloudfront-controls.md#cloudfront-4) 
+  [[CloudFront.5] CloudFront distributions should have logging enabled](cloudfront-controls.md#cloudfront-5) 
+  [[CloudFront.6] CloudFront distributions should have WAF enabled](cloudfront-controls.md#cloudfront-6) 
+  [[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates](cloudfront-controls.md#cloudfront-7) 
+  [[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests](cloudfront-controls.md#cloudfront-8) 
+  [[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins](cloudfront-controls.md#cloudfront-9) 
+  [[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins](cloudfront-controls.md#cloudfront-10) 
+  [[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins](cloudfront-controls.md#cloudfront-12) 
+  [[CloudFront.13] CloudFront distributions should use origin access control](cloudfront-controls.md#cloudfront-13) 
+  [[CloudFront.14] CloudFront distributions should be tagged](cloudfront-controls.md#cloudfront-14) 
+  [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](cloudfront-controls.md#cloudfront-15) 
+  [[CloudFront.16] CloudFront distributions should use origin access control for Lambda function URL origins](cloudfront-controls.md#cloudfront-16) 
+  [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](cloudfront-controls.md#cloudfront-17) 
+  [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](ec2-controls.md#ec2-173) 
+  [[ECR.4] ECR public repositories should be tagged](ecr-controls.md#ecr-4) 
+  [[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed](iam-controls.md#iam-26) 
+  [[Route53.1] Route 53 health checks should be tagged](route53-controls.md#route53-1) 
+  [[Route53.2] Route 53 public hosted zones should log DNS queries](route53-controls.md#route53-2) 
+  [[WAF.1] AWS WAF Classic Global Web ACL logging should be enabled](waf-controls.md#waf-1) 
+  [[WAF.6] AWS WAF Classic global rules should have at least one condition](waf-controls.md#waf-6) 
+  [[WAF.7] AWS WAF Classic global rule groups should have at least one rule](waf-controls.md#waf-7) 
+  [[WAF.8] AWS WAF Classic global web ACLs should have at least one rule or rule group](waf-controls.md#waf-8) 

## Africa (Cape Town)
<a name="securityhub-control-support-afsouth1"></a>

The following controls are not supported in the Africa (Cape Town) Region.
+  [[Amplify.1] Amplify apps should be tagged](amplify-controls.md#amplify-1) 
+  [[Amplify.2] Amplify branches should be tagged](amplify-controls.md#amplify-2) 
+  [[AppRunner.1] App Runner services should be tagged](apprunner-controls.md#apprunner-1) 
+  [[AppRunner.2] App Runner VPC connectors should be tagged](apprunner-controls.md#apprunner-2) 
+  [[AppSync.1] AWS AppSync API caches should be encrypted at rest](appsync-controls.md#appsync-1) 
+  [[AppSync.6] AWS AppSync API caches should be encrypted in transit](appsync-controls.md#appsync-6) 
+  [[CloudFront.1] CloudFront distributions should have a default root object configured](cloudfront-controls.md#cloudfront-1) 
+  [[CloudFront.3] CloudFront distributions should require encryption in transit](cloudfront-controls.md#cloudfront-3) 
+  [[CloudFront.4] CloudFront distributions should have origin failover configured](cloudfront-controls.md#cloudfront-4) 
+  [[CloudFront.5] CloudFront distributions should have logging enabled](cloudfront-controls.md#cloudfront-5) 
+  [[CloudFront.6] CloudFront distributions should have WAF enabled](cloudfront-controls.md#cloudfront-6) 
+  [[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates](cloudfront-controls.md#cloudfront-7) 
+  [[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests](cloudfront-controls.md#cloudfront-8) 
+  [[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins](cloudfront-controls.md#cloudfront-9) 
+  [[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins](cloudfront-controls.md#cloudfront-10) 
+  [[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins](cloudfront-controls.md#cloudfront-12) 
+  [[CloudFront.13] CloudFront distributions should use origin access control](cloudfront-controls.md#cloudfront-13) 
+  [[CloudFront.14] CloudFront distributions should be tagged](cloudfront-controls.md#cloudfront-14) 
+  [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](cloudfront-controls.md#cloudfront-15) 
+  [[CloudFront.16] CloudFront distributions should use origin access control for Lambda function URL origins](cloudfront-controls.md#cloudfront-16) 
+  [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](cloudfront-controls.md#cloudfront-17) 
+  [[CodeArtifact.1] CodeArtifact repositories should be tagged](codeartifact-controls.md#codeartifact-1) 
+  [[CodeGuruProfiler.1] CodeGuru Profiler profiling groups should be tagged](codeguruprofiler-controls.md#codeguruprofiler-1) 
+  [[CodeGuruReviewer.1] CodeGuru Reviewer repository associations should be tagged](codegurureviewer-controls.md#codegurureviewer-1) 
+  [[Cognito.1] Cognito user pools should have threat protection activated with full function enforcement mode for standard authentication](cognito-controls.md#cognito-1) 
+  [[DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled](dms-controls.md#dms-10) 
+  [[DocumentDB.1] Amazon DocumentDB clusters should be encrypted at rest](documentdb-controls.md#documentdb-1) 
+  [[DocumentDB.2] Amazon DocumentDB clusters should have an adequate backup retention period](documentdb-controls.md#documentdb-2) 
+  [[DocumentDB.3] Amazon DocumentDB manual cluster snapshots should not be public](documentdb-controls.md#documentdb-3) 
+  [[DocumentDB.4] Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs](documentdb-controls.md#documentdb-4) 
+  [[DocumentDB.5] Amazon DocumentDB clusters should have deletion protection enabled](documentdb-controls.md#documentdb-5) 
+  [[DocumentDB.6] Amazon DocumentDB clusters should be encrypted in transit](documentdb-controls.md#documentdb-6) 
+  [[DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest](dynamodb-controls.md#dynamodb-3) 
+  [[DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit](dynamodb-controls.md#dynamodb-7) 
+  [[EC2.4] Stopped EC2 instances should be removed after a specified time period](ec2-controls.md#ec2-4) 
+  [[EC2.14] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 3389](ec2-controls.md#ec2-14) 
+  [[EC2.24] Amazon EC2 paravirtual instance types should not be used](ec2-controls.md#ec2-24) 
+  [[EC2.58] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager Contacts](ec2-controls.md#ec2-58) 
+  [[EC2.60] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager](ec2-controls.md#ec2-60) 
+  [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](ec2-controls.md#ec2-173) 
+  [[EC2.177] EC2 traffic mirror sessions should be tagged](ec2-controls.md#ec2-177) 
+  [[EC2.179] EC2 traffic mirror targets should be tagged](ec2-controls.md#ec2-179) 
+  [[ECR.4] ECR public repositories should be tagged](ecr-controls.md#ecr-4) 
+  [[ELB.2] Classic Load Balancers with SSL/HTTPS listeners should use a certificate provided by AWS Certificate Manager](elb-controls.md#elb-2) 
+  [[ES.3] Elasticsearch domains should encrypt data sent between nodes](es-controls.md#es-3) 
+  [[EventBridge.4] EventBridge global endpoints should have event replication enabled](eventbridge-controls.md#eventbridge-4) 
+  [[FraudDetector.1] Amazon Fraud Detector entity types should be tagged](frauddetector-controls.md#frauddetector-1) 
+  [[FraudDetector.2] Amazon Fraud Detector labels should be tagged](frauddetector-controls.md#frauddetector-2) 
+  [[FraudDetector.3] Amazon Fraud Detector outcomes should be tagged](frauddetector-controls.md#frauddetector-3) 
+  [[FraudDetector.4] Amazon Fraud Detector variables should be tagged](frauddetector-controls.md#frauddetector-4) 
+  [[GlobalAccelerator.1] Global Accelerator accelerators should be tagged](globalaccelerator-controls.md#globalaccelerator-1) 
+  [[IAM.18] Ensure a support role has been created to manage incidents with AWS Support](iam-controls.md#iam-18) 
+  [[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed](iam-controls.md#iam-26) 
+  [[Inspector.3] Amazon Inspector Lambda code scanning should be enabled](inspector-controls.md#inspector-3) 
+  [[IoT.1] AWS IoT Device Defender security profiles should be tagged](iot-controls.md#iot-1) 
+  [[IoT.2] AWS IoT Core mitigation actions should be tagged](iot-controls.md#iot-2) 
+  [[IoT.3] AWS IoT Core dimensions should be tagged](iot-controls.md#iot-3) 
+  [[IoT.4] AWS IoT Core authorizers should be tagged](iot-controls.md#iot-4) 
+  [[IoT.5] AWS IoT Core role aliases should be tagged](iot-controls.md#iot-5) 
+  [[IoT.6] AWS IoT Core policies should be tagged](iot-controls.md#iot-6) 
+  [[IoTEvents.1] AWS IoT Events inputs should be tagged](iotevents-controls.md#iotevents-1) 
+  [[IoTEvents.2] AWS IoT Events detector models should be tagged](iotevents-controls.md#iotevents-2) 
+  [[IoTEvents.3] AWS IoT Events alarm models should be tagged](iotevents-controls.md#iotevents-3) 
+  [[IoTSiteWise.1] AWS IoT SiteWise asset models should be tagged](iotsitewise-controls.md#iotsitewise-1) 
+  [[IoTSiteWise.2] AWS IoT SiteWise dashboards should be tagged](iotsitewise-controls.md#iotsitewise-2) 
+  [[IoTSiteWise.3] AWS IoT SiteWise gateways should be tagged](iotsitewise-controls.md#iotsitewise-3) 
+  [[IoTSiteWise.4] AWS IoT SiteWise portals should be tagged](iotsitewise-controls.md#iotsitewise-4) 
+  [[IoTSiteWise.5] AWS IoT SiteWise projects should be tagged](iotsitewise-controls.md#iotsitewise-5) 
+  [[IoTTwinMaker.1] AWS IoT TwinMaker sync jobs should be tagged](iottwinmaker-controls.md#iottwinmaker-1) 
+  [[IoTTwinMaker.2] AWS IoT TwinMaker workspaces should be tagged](iottwinmaker-controls.md#iottwinmaker-2) 
+  [[IoTTwinMaker.3] AWS IoT TwinMaker scenes should be tagged](iottwinmaker-controls.md#iottwinmaker-3) 
+  [[IoTTwinMaker.4] AWS IoT TwinMaker entities should be tagged](iottwinmaker-controls.md#iottwinmaker-4) 
+  [[IoTWireless.1] AWS IoT Wireless multicast groups should be tagged](iotwireless-controls.md#iotwireless-1) 
+  [[IoTWireless.2] AWS IoT Wireless service profiles should be tagged](iotwireless-controls.md#iotwireless-2) 
+  [[IoTWireless.3] AWS IoT FUOTA tasks should be tagged](iotwireless-controls.md#iotwireless-3) 
+  [[IVS.1] IVS playback key pairs should be tagged](ivs-controls.md#ivs-1) 
+  [[IVS.2] IVS recording configurations should be tagged](ivs-controls.md#ivs-2) 
+  [[IVS.3] IVS channels should be tagged](ivs-controls.md#ivs-3) 
+  [[Keyspaces.1] Amazon Keyspaces keyspaces should be tagged](keyspaces-controls.md#keyspaces-1) 
+  [[MSK.3] MSK Connect connectors should be encrypted in transit](msk-controls.md#msk-3) 
+  [[MSK.5] MSK connectors should have logging enabled](msk-controls.md#msk-5) 
+  [[RDS.1] RDS snapshot should be private](rds-controls.md#rds-1) 
+  [[RDS.14] Amazon Aurora clusters should have backtracking enabled](rds-controls.md#rds-14) 
+  [[RDS.31] RDS DB security groups should be tagged](rds-controls.md#rds-31) 
+  [[RedshiftServerless.1] Amazon Redshift Serverless workgroups should use enhanced VPC routing](redshiftserverless-controls.md#redshiftserverless-1) 
+  [[RedshiftServerless.2] Connections to Redshift Serverless workgroups should be required to use SSL](redshiftserverless-controls.md#redshiftserverless-2) 
+  [[RedshiftServerless.3] Redshift Serverless workgroups should prohibit public access](redshiftserverless-controls.md#redshiftserverless-3) 
+  [[RedshiftServerless.4] Redshift Serverless namespaces should be encrypted with customer managed AWS KMS keys](redshiftserverless-controls.md#redshiftserverless-4) 
+  [[RedshiftServerless.5] Redshift Serverless namespaces should not use the default admin username](redshiftserverless-controls.md#redshiftserverless-5) 
+  [[RedshiftServerless.6] Redshift Serverless namespaces should export logs to CloudWatch Logs](redshiftserverless-controls.md#redshiftserverless-6) 
+  [[Route53.1] Route 53 health checks should be tagged](route53-controls.md#route53-1) 
+  [[Route53.2] Route 53 public hosted zones should log DNS queries](route53-controls.md#route53-2) 
+  [[S3.24] S3 Multi-Region Access Points should have block public access settings enabled](s3-controls.md#s3-24) 
+  [[S3.25] S3 directory buckets should have lifecycle configurations](s3-controls.md#s3-25) 
+  [[SageMaker.9] SageMaker data quality job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-9) 
+  [[SageMaker.10] SageMaker model explainability job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-10) 
+  [[SageMaker.11] SageMaker data quality job definitions should have network isolation enabled](sagemaker-controls.md#sagemaker-11) 
+  [[SageMaker.12] SageMaker model bias job definitions should have network isolation enabled](sagemaker-controls.md#sagemaker-12) 
+  [[SageMaker.13] SageMaker model quality job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-13) 
+  [[SageMaker.14] SageMaker monitoring schedules should have network isolation enabled](sagemaker-controls.md#sagemaker-14) 
+  [[SageMaker.15] SageMaker model bias job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-15) 
+  [[WAF.1] AWS WAF Classic Global Web ACL logging should be enabled](waf-controls.md#waf-1) 
+  [[WAF.6] AWS WAF Classic global rules should have at least one condition](waf-controls.md#waf-6) 
+  [[WAF.7] AWS WAF Classic global rule groups should have at least one rule](waf-controls.md#waf-7) 
+  [[WAF.8] AWS WAF Classic global web ACLs should have at least one rule or rule group](waf-controls.md#waf-8) 

## Asia Pacific (Hong Kong)
<a name="securityhub-control-support-apeast1"></a>

The following controls are not supported in the Asia Pacific (Hong Kong) Region.
+  [[AppFlow.1] Amazon AppFlow flows should be tagged](appflow-controls.md#appflow-1) 
+  [[AppRunner.1] App Runner services should be tagged](apprunner-controls.md#apprunner-1) 
+  [[AppRunner.2] App Runner VPC connectors should be tagged](apprunner-controls.md#apprunner-2) 
+  [[AppSync.1] AWS AppSync API caches should be encrypted at rest](appsync-controls.md#appsync-1) 
+  [[AppSync.6] AWS AppSync API caches should be encrypted in transit](appsync-controls.md#appsync-6) 
+  [[CloudFront.1] CloudFront distributions should have a default root object configured](cloudfront-controls.md#cloudfront-1) 
+  [[CloudFront.3] CloudFront distributions should require encryption in transit](cloudfront-controls.md#cloudfront-3) 
+  [[CloudFront.4] CloudFront distributions should have origin failover configured](cloudfront-controls.md#cloudfront-4) 
+  [[CloudFront.5] CloudFront distributions should have logging enabled](cloudfront-controls.md#cloudfront-5) 
+  [[CloudFront.6] CloudFront distributions should have WAF enabled](cloudfront-controls.md#cloudfront-6) 
+  [[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates](cloudfront-controls.md#cloudfront-7) 
+  [[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests](cloudfront-controls.md#cloudfront-8) 
+  [[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins](cloudfront-controls.md#cloudfront-9) 
+  [[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins](cloudfront-controls.md#cloudfront-10) 
+  [[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins](cloudfront-controls.md#cloudfront-12) 
+  [[CloudFront.13] CloudFront distributions should use origin access control](cloudfront-controls.md#cloudfront-13) 
+  [[CloudFront.14] CloudFront distributions should be tagged](cloudfront-controls.md#cloudfront-14) 
+  [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](cloudfront-controls.md#cloudfront-15) 
+  [[CloudFront.16] CloudFront distributions should use origin access control for Lambda function URL origins](cloudfront-controls.md#cloudfront-16) 
+  [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](cloudfront-controls.md#cloudfront-17) 
+  [[CodeArtifact.1] CodeArtifact repositories should be tagged](codeartifact-controls.md#codeartifact-1) 
+  [[CodeGuruProfiler.1] CodeGuru Profiler profiling groups should be tagged](codeguruprofiler-controls.md#codeguruprofiler-1) 
+  [[CodeGuruReviewer.1] CodeGuru Reviewer repository associations should be tagged](codegurureviewer-controls.md#codegurureviewer-1) 
+  [[Cognito.1] Cognito user pools should have threat protection activated with full function enforcement mode for standard authentication](cognito-controls.md#cognito-1) 
+  [[Connect.1] Amazon Connect Customer Profiles object types should be tagged](connect-controls.md#connect-1) 
+  [[Connect.2] Amazon Connect instances should have CloudWatch logging enabled](connect-controls.md#connect-2) 
+  [[DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest](dynamodb-controls.md#dynamodb-3) 
+  [[DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit](dynamodb-controls.md#dynamodb-7) 
+  [[EC2.24] Amazon EC2 paravirtual instance types should not be used](ec2-controls.md#ec2-24) 
+  [[EC2.58] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager Contacts](ec2-controls.md#ec2-58) 
+  [[EC2.60] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager](ec2-controls.md#ec2-60) 
+  [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](ec2-controls.md#ec2-173) 
+  [[ECR.4] ECR public repositories should be tagged](ecr-controls.md#ecr-4) 
+  [[EventBridge.4] EventBridge global endpoints should have event replication enabled](eventbridge-controls.md#eventbridge-4) 
+  [[FraudDetector.1] Amazon Fraud Detector entity types should be tagged](frauddetector-controls.md#frauddetector-1) 
+  [[FraudDetector.2] Amazon Fraud Detector labels should be tagged](frauddetector-controls.md#frauddetector-2) 
+  [[FraudDetector.3] Amazon Fraud Detector outcomes should be tagged](frauddetector-controls.md#frauddetector-3) 
+  [[FraudDetector.4] Amazon Fraud Detector variables should be tagged](frauddetector-controls.md#frauddetector-4) 
+  [[GlobalAccelerator.1] Global Accelerator accelerators should be tagged](globalaccelerator-controls.md#globalaccelerator-1) 
+  [[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed](iam-controls.md#iam-26) 
+  [[Inspector.3] Amazon Inspector Lambda code scanning should be enabled](inspector-controls.md#inspector-3) 
+  [[IoTEvents.1] AWS IoT Events inputs should be tagged](iotevents-controls.md#iotevents-1) 
+  [[IoTEvents.2] AWS IoT Events detector models should be tagged](iotevents-controls.md#iotevents-2) 
+  [[IoTEvents.3] AWS IoT Events alarm models should be tagged](iotevents-controls.md#iotevents-3) 
+  [[IoTSiteWise.1] AWS IoT SiteWise asset models should be tagged](iotsitewise-controls.md#iotsitewise-1) 
+  [[IoTSiteWise.2] AWS IoT SiteWise dashboards should be tagged](iotsitewise-controls.md#iotsitewise-2) 
+  [[IoTSiteWise.3] AWS IoT SiteWise gateways should be tagged](iotsitewise-controls.md#iotsitewise-3) 
+  [[IoTSiteWise.4] AWS IoT SiteWise portals should be tagged](iotsitewise-controls.md#iotsitewise-4) 
+  [[IoTSiteWise.5] AWS IoT SiteWise projects should be tagged](iotsitewise-controls.md#iotsitewise-5) 
+  [[IoTTwinMaker.1] AWS IoT TwinMaker sync jobs should be tagged](iottwinmaker-controls.md#iottwinmaker-1) 
+  [[IoTTwinMaker.2] AWS IoT TwinMaker workspaces should be tagged](iottwinmaker-controls.md#iottwinmaker-2) 
+  [[IoTTwinMaker.3] AWS IoT TwinMaker scenes should be tagged](iottwinmaker-controls.md#iottwinmaker-3) 
+  [[IoTTwinMaker.4] AWS IoT TwinMaker entities should be tagged](iottwinmaker-controls.md#iottwinmaker-4) 
+  [[IoTWireless.1] AWS IoT Wireless multicast groups should be tagged](iotwireless-controls.md#iotwireless-1) 
+  [[IoTWireless.2] AWS IoT Wireless service profiles should be tagged](iotwireless-controls.md#iotwireless-2) 
+  [[IoTWireless.3] AWS IoT FUOTA tasks should be tagged](iotwireless-controls.md#iotwireless-3) 
+  [[IVS.1] IVS playback key pairs should be tagged](ivs-controls.md#ivs-1) 
+  [[IVS.2] IVS recording configurations should be tagged](ivs-controls.md#ivs-2) 
+  [[IVS.3] IVS channels should be tagged](ivs-controls.md#ivs-3) 
+  [[MSK.3] MSK Connect connectors should be encrypted in transit](msk-controls.md#msk-3) 
+  [[MSK.5] MSK connectors should have logging enabled](msk-controls.md#msk-5) 
+  [[RDS.14] Amazon Aurora clusters should have backtracking enabled](rds-controls.md#rds-14) 
+  [[RDS.31] RDS DB security groups should be tagged](rds-controls.md#rds-31) 
+  [[RedshiftServerless.1] Amazon Redshift Serverless workgroups should use enhanced VPC routing](redshiftserverless-controls.md#redshiftserverless-1) 
+  [[RedshiftServerless.2] Connections to Redshift Serverless workgroups should be required to use SSL](redshiftserverless-controls.md#redshiftserverless-2) 
+  [[Route53.1] Route 53 health checks should be tagged](route53-controls.md#route53-1) 
+  [[Route53.2] Route 53 public hosted zones should log DNS queries](route53-controls.md#route53-2) 
+  [[S3.24] S3 Multi-Region Access Points should have block public access settings enabled](s3-controls.md#s3-24) 
+  [[S3.25] S3 directory buckets should have lifecycle configurations](s3-controls.md#s3-25) 
+  [[SES.1] SES contact lists should be tagged](ses-controls.md#ses-1) 
+  [[SES.2] SES configuration sets should be tagged](ses-controls.md#ses-2) 
+  [[SES.3] SES configuration sets should have TLS enabled for sending emails](ses-controls.md#ses-3) 
+  [[WAF.1] AWS WAF Classic Global Web ACL logging should be enabled](waf-controls.md#waf-1) 
+  [[WAF.6] AWS WAF Classic global rules should have at least one condition](waf-controls.md#waf-6) 
+  [[WAF.7] AWS WAF Classic global rule groups should have at least one rule](waf-controls.md#waf-7) 
+  [[WAF.8] AWS WAF Classic global web ACLs should have at least one rule or rule group](waf-controls.md#waf-8) 
+  [[WorkSpaces.1] WorkSpaces user volumes should be encrypted at rest](workspaces-controls.md#workspaces-1) 
+  [[WorkSpaces.2] WorkSpaces root volumes should be encrypted at rest](workspaces-controls.md#workspaces-2) 

## Asia Pacific (Hyderabad)
<a name="securityhub-control-support-apsouth2"></a>

The following controls are not supported in the Asia Pacific (Hyderabad) Region.
+  [[Account.2] AWS accounts should be part of an AWS Organizations organization](account-controls.md#account-2) 
+  [[APIGateway.8] API Gateway routes should specify an authorization type](apigateway-controls.md#apigateway-8) 
+  [[APIGateway.9] Access logging should be configured for API Gateway V2 Stages](apigateway-controls.md#apigateway-9) 
+  [[Amplify.1] Amplify apps should be tagged](amplify-controls.md#amplify-1) 
+  [[Amplify.2] Amplify branches should be tagged](amplify-controls.md#amplify-2) 
+  [[AppConfig.1] AWS AppConfig applications should be tagged](appconfig-controls.md#appconfig-1) 
+  [[AppConfig.2] AWS AppConfig configuration profiles should be tagged](appconfig-controls.md#appconfig-2) 
+  [[AppConfig.3] AWS AppConfig environments should be tagged](appconfig-controls.md#appconfig-3) 
+  [[AppFlow.1] Amazon AppFlow flows should be tagged](appflow-controls.md#appflow-1) 
+  [[AppRunner.1] App Runner services should be tagged](apprunner-controls.md#apprunner-1) 
+  [[AppRunner.2] App Runner VPC connectors should be tagged](apprunner-controls.md#apprunner-2) 
+  [[AppSync.1] AWS AppSync API caches should be encrypted at rest](appsync-controls.md#appsync-1) 
+  [[AppSync.6] AWS AppSync API caches should be encrypted in transit](appsync-controls.md#appsync-6) 
+  [[Backup.1] AWS Backup recovery points should be encrypted at rest](backup-controls.md#backup-1) 
+  [[CloudFormation.3] CloudFormation stacks should have termination protection enabled](cloudformation-controls.md#cloudformation-3) 
+  [[CloudFormation.4] CloudFormation stacks should have associated service roles](cloudformation-controls.md#cloudformation-4) 
+  [[CloudFront.1] CloudFront distributions should have a default root object configured](cloudfront-controls.md#cloudfront-1) 
+  [[CloudFront.3] CloudFront distributions should require encryption in transit](cloudfront-controls.md#cloudfront-3) 
+  [[CloudFront.4] CloudFront distributions should have origin failover configured](cloudfront-controls.md#cloudfront-4) 
+  [[CloudFront.5] CloudFront distributions should have logging enabled](cloudfront-controls.md#cloudfront-5) 
+  [[CloudFront.6] CloudFront distributions should have WAF enabled](cloudfront-controls.md#cloudfront-6) 
+  [[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates](cloudfront-controls.md#cloudfront-7) 
+  [[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests](cloudfront-controls.md#cloudfront-8) 
+  [[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins](cloudfront-controls.md#cloudfront-9) 
+  [[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins](cloudfront-controls.md#cloudfront-10) 
+  [[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins](cloudfront-controls.md#cloudfront-12) 
+  [[CloudFront.13] CloudFront distributions should use origin access control](cloudfront-controls.md#cloudfront-13) 
+  [[CloudFront.14] CloudFront distributions should be tagged](cloudfront-controls.md#cloudfront-14) 
+  [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](cloudfront-controls.md#cloudfront-15) 
+  [[CloudFront.16] CloudFront distributions should use origin access control for Lambda function URL origins](cloudfront-controls.md#cloudfront-16) 
+  [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](cloudfront-controls.md#cloudfront-17) 
+  [[CloudTrail.6] Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible](cloudtrail-controls.md#cloudtrail-6) 
+  [[CloudTrail.7] Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket](cloudtrail-controls.md#cloudtrail-7) 
+  [[CodeArtifact.1] CodeArtifact repositories should be tagged](codeartifact-controls.md#codeartifact-1) 
+  [[CodeGuruProfiler.1] CodeGuru Profiler profiling groups should be tagged](codeguruprofiler-controls.md#codeguruprofiler-1) 
+  [[CodeGuruReviewer.1] CodeGuru Reviewer repository associations should be tagged](codegurureviewer-controls.md#codegurureviewer-1) 
+  [[Cognito.1] Cognito user pools should have threat protection activated with full function enforcement mode for standard authentication](cognito-controls.md#cognito-1) 
+  [[Cognito.2] Cognito identity pools should not allow unauthenticated identities](cognito-controls.md#cognito-2) 
+  [[Connect.1] Amazon Connect Customer Profiles object types should be tagged](connect-controls.md#connect-1) 
+  [[Connect.2] Amazon Connect instances should have CloudWatch logging enabled](connect-controls.md#connect-2) 
+  [[Detective.1] Detective behavior graphs should be tagged](detective-controls.md#detective-1) 
+  [[DMS.2] DMS certificates should be tagged](dms-controls.md#dms-2) 
+  [[DMS.3] DMS event subscriptions should be tagged](dms-controls.md#dms-3) 
+  [[DMS.4] DMS replication instances should be tagged](dms-controls.md#dms-4) 
+  [[DMS.5] DMS replication subnet groups should be tagged](dms-controls.md#dms-5) 
+  [[DMS.6] DMS replication instances should have automatic minor version upgrade enabled](dms-controls.md#dms-6) 
+  [[DMS.7] DMS replication tasks for the target database should have logging enabled](dms-controls.md#dms-7) 
+  [[DMS.8] DMS replication tasks for the source database should have logging enabled](dms-controls.md#dms-8) 
+  [[DMS.9] DMS endpoints should use SSL](dms-controls.md#dms-9) 
+  [[DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled](dms-controls.md#dms-10) 
+  [[DMS.11] DMS endpoints for MongoDB should have an authentication mechanism enabled](dms-controls.md#dms-11) 
+  [[DMS.12] DMS endpoints for Redis OSS should have TLS enabled](dms-controls.md#dms-12) 
+  [[DMS.13] DMS replication instances should be configured to use multiple Availability Zones](dms-controls.md#dms-13) 
+  [[DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest](dynamodb-controls.md#dynamodb-3) 
+  [[DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit](dynamodb-controls.md#dynamodb-7) 
+  [[EC2.14] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 3389](ec2-controls.md#ec2-14) 
+  [[EC2.22] Unused Amazon EC2 security groups should be removed](ec2-controls.md#ec2-22) 
+  [[EC2.24] Amazon EC2 paravirtual instance types should not be used](ec2-controls.md#ec2-24) 
+  [[EC2.25] Amazon EC2 launch templates should not assign public IPs to network interfaces](ec2-controls.md#ec2-25) 
+  [[EC2.34] EC2 transit gateway route tables should be tagged](ec2-controls.md#ec2-34) 
+  [[EC2.40] EC2 NAT gateways should be tagged](ec2-controls.md#ec2-40) 
+  [[EC2.51] EC2 Client VPN endpoints should have client connection logging enabled](ec2-controls.md#ec2-51) 
+  [[EC2.58] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager Contacts](ec2-controls.md#ec2-58) 
+  [[EC2.60] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager](ec2-controls.md#ec2-60) 
+  [[EC2.170] EC2 launch templates should use Instance Metadata Service Version 2 (IMDSv2)](ec2-controls.md#ec2-170) 
+  [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](ec2-controls.md#ec2-173) 
+  [[EC2.175] EC2 launch templates should be tagged](ec2-controls.md#ec2-175) 
+  [[EC2.177] EC2 traffic mirror sessions should be tagged](ec2-controls.md#ec2-177) 
+  [[EC2.179] EC2 traffic mirror targets should be tagged](ec2-controls.md#ec2-179) 
+  [[EC2.180] EC2 network interfaces should have source/destination checking enabled](ec2-controls.md#ec2-180) 
+  [[EC2.181] EC2 launch templates should enable encryption for attached EBS volumes](ec2-controls.md#ec2-181) 
+  [[ECR.4] ECR public repositories should be tagged](ecr-controls.md#ecr-4) 
+  [[EFS.1] Elastic File System should be configured to encrypt file data at-rest using AWS KMS](efs-controls.md#efs-1) 
+  [[EFS.2] Amazon EFS volumes should be in backup plans](efs-controls.md#efs-2) 
+  [[ELB.14] Classic Load Balancer should be configured with defensive or strictest desync mitigation mode](elb-controls.md#elb-14) 
+  [[ELB.17] Application and Network Load Balancers with listeners should use recommended security policies](elb-controls.md#elb-17) 
+  [[ELB.18] Application and Network Load Balancer listeners should use secure protocols to encrypt data in transit](elb-controls.md#elb-18) 
+  [[ElastiCache.1] ElastiCache (Redis OSS) clusters should have automatic backups enabled](elasticache-controls.md#elasticache-1) 
+  [[ElastiCache.6] ElastiCache (Redis OSS) replication groups of earlier versions should have Redis OSS AUTH enabled](elasticache-controls.md#elasticache-6) 
+  [[ElastiCache.7] ElastiCache clusters should not use the default subnet group](elasticache-controls.md#elasticache-7) 
+  [[ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled](elasticbeanstalk-controls.md#elasticbeanstalk-1) 
+  [[ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled](elasticbeanstalk-controls.md#elasticbeanstalk-2) 
+  [[ElasticBeanstalk.3] Elastic Beanstalk should stream logs to CloudWatch](elasticbeanstalk-controls.md#elasticbeanstalk-3) 
+  [[EMR.1] Amazon EMR cluster primary nodes should not have public IP addresses](emr-controls.md#emr-1) 
+  [[ES.4] Elasticsearch domain error logging to CloudWatch Logs should be enabled](es-controls.md#es-4) 
+  [[EventBridge.4] EventBridge global endpoints should have event replication enabled](eventbridge-controls.md#eventbridge-4) 
+  [[FraudDetector.1] Amazon Fraud Detector entity types should be tagged](frauddetector-controls.md#frauddetector-1) 
+  [[FraudDetector.2] Amazon Fraud Detector labels should be tagged](frauddetector-controls.md#frauddetector-2) 
+  [[FraudDetector.3] Amazon Fraud Detector outcomes should be tagged](frauddetector-controls.md#frauddetector-3) 
+  [[FraudDetector.4] Amazon Fraud Detector variables should be tagged](frauddetector-controls.md#frauddetector-4) 
+  [[GlobalAccelerator.1] Global Accelerator accelerators should be tagged](globalaccelerator-controls.md#globalaccelerator-1) 
+  [[Glue.4] AWS Glue Spark jobs should run on supported versions of AWS Glue](glue-controls.md#glue-4) 
+  [[GuardDuty.2] GuardDuty filters should be tagged](guardduty-controls.md#guardduty-2) 
+  [[IAM.1] IAM policies should not allow full "*" administrative privileges](iam-controls.md#iam-1) 
+  [[IAM.2] IAM users should not have IAM policies attached](iam-controls.md#iam-2) 
+  [[IAM.3] IAM users' access keys should be rotated every 90 days or less](iam-controls.md#iam-3) 
+  [[IAM.5] MFA should be enabled for all IAM users that have a console password](iam-controls.md#iam-5) 
+  [[IAM.8] Unused IAM user credentials should be removed](iam-controls.md#iam-8) 
+  [[IAM.18] Ensure a support role has been created to manage incidents with AWS Support](iam-controls.md#iam-18) 
+  [[IAM.19] MFA should be enabled for all IAM users](iam-controls.md#iam-19) 
+  [[IAM.21] IAM customer managed policies that you create should not allow wildcard actions for services](iam-controls.md#iam-21) 
+  [[IAM.22] IAM user credentials unused for 45 days should be removed](iam-controls.md#iam-22) 
+  [[IAM.24] IAM roles should be tagged](iam-controls.md#iam-24) 
+  [[IAM.25] IAM users should be tagged](iam-controls.md#iam-25) 
+  [[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed](iam-controls.md#iam-26) 
+  [[IAM.27] IAM identities should not have the AWSCloudShellFullAccess policy attached](iam-controls.md#iam-27) 
+  [[Inspector.1] Amazon Inspector EC2 scanning should be enabled](inspector-controls.md#inspector-1) 
+  [[Inspector.2] Amazon Inspector ECR scanning should be enabled](inspector-controls.md#inspector-2) 
+  [[Inspector.3] Amazon Inspector Lambda code scanning should be enabled](inspector-controls.md#inspector-3) 
+  [[Inspector.4] Amazon Inspector Lambda standard scanning should be enabled](inspector-controls.md#inspector-4) 
+  [[IoT.1] AWS IoT Device Defender security profiles should be tagged](iot-controls.md#iot-1) 
+  [[IoT.2] AWS IoT Core mitigation actions should be tagged](iot-controls.md#iot-2) 
+  [[IoT.3] AWS IoT Core dimensions should be tagged](iot-controls.md#iot-3) 
+  [[IoT.4] AWS IoT Core authorizers should be tagged](iot-controls.md#iot-4) 
+  [[IoT.5] AWS IoT Core role aliases should be tagged](iot-controls.md#iot-5) 
+  [[IoT.6] AWS IoT Core policies should be tagged](iot-controls.md#iot-6) 
+  [[IoTEvents.1] AWS IoT Events inputs should be tagged](iotevents-controls.md#iotevents-1) 
+  [[IoTEvents.2] AWS IoT Events detector models should be tagged](iotevents-controls.md#iotevents-2) 
+  [[IoTEvents.3] AWS IoT Events alarm models should be tagged](iotevents-controls.md#iotevents-3) 
+  [[IoTSiteWise.1] AWS IoT SiteWise asset models should be tagged](iotsitewise-controls.md#iotsitewise-1) 
+  [[IoTSiteWise.2] AWS IoT SiteWise dashboards should be tagged](iotsitewise-controls.md#iotsitewise-2) 
+  [[IoTSiteWise.3] AWS IoT SiteWise gateways should be tagged](iotsitewise-controls.md#iotsitewise-3) 
+  [[IoTSiteWise.4] AWS IoT SiteWise portals should be tagged](iotsitewise-controls.md#iotsitewise-4) 
+  [[IoTSiteWise.5] AWS IoT SiteWise projects should be tagged](iotsitewise-controls.md#iotsitewise-5) 
+  [[IoTTwinMaker.1] AWS IoT TwinMaker sync jobs should be tagged](iottwinmaker-controls.md#iottwinmaker-1) 
+  [[IoTTwinMaker.2] AWS IoT TwinMaker workspaces should be tagged](iottwinmaker-controls.md#iottwinmaker-2) 
+  [[IoTTwinMaker.3] AWS IoT TwinMaker scenes should be tagged](iottwinmaker-controls.md#iottwinmaker-3) 
+  [[IoTTwinMaker.4] AWS IoT TwinMaker entities should be tagged](iottwinmaker-controls.md#iottwinmaker-4) 
+  [[IoTWireless.1] AWS IoT Wireless multicast groups should be tagged](iotwireless-controls.md#iotwireless-1) 
+  [[IoTWireless.2] AWS IoT Wireless service profiles should be tagged](iotwireless-controls.md#iotwireless-2) 
+  [[IoTWireless.3] AWS IoT FUOTA tasks should be tagged](iotwireless-controls.md#iotwireless-3) 
+  [[IVS.1] IVS playback key pairs should be tagged](ivs-controls.md#ivs-1) 
+  [[IVS.2] IVS recording configurations should be tagged](ivs-controls.md#ivs-2) 
+  [[IVS.3] IVS channels should be tagged](ivs-controls.md#ivs-3) 
+  [[Keyspaces.1] Amazon Keyspaces keyspaces should be tagged](keyspaces-controls.md#keyspaces-1) 
+  [[KMS.1] IAM customer managed policies should not allow decryption actions on all KMS keys](kms-controls.md#kms-1) 
+  [[KMS.2] IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys](kms-controls.md#kms-2) 
+  [[Lambda.7] Lambda functions should have AWS X-Ray active tracing enabled](lambda-controls.md#lambda-7) 
+  [[Macie.1] Amazon Macie should be enabled](macie-controls.md#macie-1) 
+  [[Macie.2] Macie automated sensitive data discovery should be enabled](macie-controls.md#macie-2) 
+  [[MQ.2] ActiveMQ brokers should stream audit logs to CloudWatch](mq-controls.md#mq-2) 
+  [[MQ.4] Amazon MQ brokers should be tagged](mq-controls.md#mq-4) 
+  [[MQ.5] ActiveMQ brokers should use active/standby deployment mode](mq-controls.md#mq-5) 
+  [[MQ.6] RabbitMQ brokers should use cluster deployment mode](mq-controls.md#mq-6) 
+  [[MSK.3] MSK Connect connectors should be encrypted in transit](msk-controls.md#msk-3) 
+  [[MSK.4] MSK clusters should have public access disabled](msk-controls.md#msk-4) 
+  [[MSK.5] MSK connectors should have logging enabled](msk-controls.md#msk-5) 
+  [[MSK.6] MSK clusters should disable unauthenticated access](msk-controls.md#msk-6) 
+  [[Neptune.1] Neptune DB clusters should be encrypted at rest](neptune-controls.md#neptune-1) 
+  [[Neptune.2] Neptune DB clusters should publish audit logs to CloudWatch Logs](neptune-controls.md#neptune-2) 
+  [[Neptune.3] Neptune DB cluster snapshots should not be public](neptune-controls.md#neptune-3) 
+  [[Neptune.4] Neptune DB clusters should have deletion protection enabled](neptune-controls.md#neptune-4) 
+  [[Neptune.5] Neptune DB clusters should have automated backups enabled](neptune-controls.md#neptune-5) 
+  [[Neptune.6] Neptune DB cluster snapshots should be encrypted at rest](neptune-controls.md#neptune-6) 
+  [[Neptune.7] Neptune DB clusters should have IAM database authentication enabled](neptune-controls.md#neptune-7) 
+  [[Neptune.8] Neptune DB clusters should be configured to copy tags to snapshots](neptune-controls.md#neptune-8) 
+  [[Neptune.9] Neptune DB clusters should be deployed across multiple Availability Zones](neptune-controls.md#neptune-9) 
+  [[Opensearch.1] OpenSearch domains should have encryption at rest enabled](opensearch-controls.md#opensearch-1) 
+  [[Opensearch.2] OpenSearch domains should not be publicly accessible](opensearch-controls.md#opensearch-2) 
+  [[Opensearch.3] OpenSearch domains should encrypt data sent between nodes](opensearch-controls.md#opensearch-3) 
+  [[Opensearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled](opensearch-controls.md#opensearch-4) 
+  [[Opensearch.5] OpenSearch domains should have audit logging enabled](opensearch-controls.md#opensearch-5) 
+  [[Opensearch.6] OpenSearch domains should have at least three data nodes](opensearch-controls.md#opensearch-6) 
+  [[Opensearch.7] OpenSearch domains should have fine-grained access control enabled](opensearch-controls.md#opensearch-7) 
+  [[Opensearch.8] Connections to OpenSearch domains should be encrypted using the latest TLS security policy](opensearch-controls.md#opensearch-8) 
+  [[Opensearch.9] OpenSearch domains should be tagged](opensearch-controls.md#opensearch-9) 
+  [[Opensearch.10] OpenSearch domains should have the latest software update installed](opensearch-controls.md#opensearch-10) 
+  [[Opensearch.11] OpenSearch domains should have at least three dedicated primary nodes](opensearch-controls.md#opensearch-11) 
+  [[RDS.14] Amazon Aurora clusters should have backtracking enabled](rds-controls.md#rds-14) 
+  [[RDS.31] RDS DB security groups should be tagged](rds-controls.md#rds-31) 
+  [[RDS.35] RDS DB clusters should have automatic minor version upgrade enabled](rds-controls.md#rds-35) 
+  [[RDS.37] Aurora PostgreSQL DB clusters should publish logs to CloudWatch Logs](rds-controls.md#rds-37) 
+  [[Redshift.10] Redshift clusters should be encrypted at rest](redshift-controls.md#redshift-10) 
+  [[Redshift.18] Redshift clusters should have Multi-AZ deployments enabled](redshift-controls.md#redshift-18) 
+  [[RedshiftServerless.1] Amazon Redshift Serverless workgroups should use enhanced VPC routing](redshiftserverless-controls.md#redshiftserverless-1) 
+  [[RedshiftServerless.2] Connections to Redshift Serverless workgroups should be required to use SSL](redshiftserverless-controls.md#redshiftserverless-2) 
+  [[RedshiftServerless.3] Redshift Serverless workgroups should prohibit public access](redshiftserverless-controls.md#redshiftserverless-3) 
+  [[RedshiftServerless.4] Redshift Serverless namespaces should be encrypted with customer managed AWS KMS keys](redshiftserverless-controls.md#redshiftserverless-4) 
+  [[RedshiftServerless.5] Redshift Serverless namespaces should not use the default admin username](redshiftserverless-controls.md#redshiftserverless-5) 
+  [[RedshiftServerless.6] Redshift Serverless namespaces should export logs to CloudWatch Logs](redshiftserverless-controls.md#redshiftserverless-6) 
+  [[Route53.1] Route 53 health checks should be tagged](route53-controls.md#route53-1) 
+  [[Route53.2] Route 53 public hosted zones should log DNS queries](route53-controls.md#route53-2) 
+  [[S3.24] S3 Multi-Region Access Points should have block public access settings enabled](s3-controls.md#s3-24) 
+  [[S3.25] S3 directory buckets should have lifecycle configurations](s3-controls.md#s3-25) 
+  [[SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access](sagemaker-controls.md#sagemaker-1) 
+  [[SageMaker.2] SageMaker notebook instances should be launched in a custom VPC](sagemaker-controls.md#sagemaker-2) 
+  [[SageMaker.3] Users should not have root access to SageMaker notebook instances](sagemaker-controls.md#sagemaker-3) 
+  [[SageMaker.5] SageMaker models should have network isolation enabled](sagemaker-controls.md#sagemaker-5) 
+  [[SageMaker.6] SageMaker app image configurations should be tagged](sagemaker-controls.md#sagemaker-6) 
+  [[SageMaker.7] SageMaker images should be tagged](sagemaker-controls.md#sagemaker-7) 
+  [[SageMaker.9] SageMaker data quality job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-9) 
+  [[SageMaker.10] SageMaker model explainability job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-10) 
+  [[SageMaker.11] SageMaker data quality job definitions should have network isolation enabled](sagemaker-controls.md#sagemaker-11) 
+  [[SageMaker.12] SageMaker model bias job definitions should have network isolation enabled](sagemaker-controls.md#sagemaker-12) 
+  [[SageMaker.13] SageMaker model quality job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-13) 
+  [[SageMaker.14] SageMaker monitoring schedules should have network isolation enabled](sagemaker-controls.md#sagemaker-14) 
+  [[SageMaker.15] SageMaker model bias job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-15) 
+  [[SES.3] SES configuration sets should have TLS enabled for sending emails](ses-controls.md#ses-3) 
+  [[SQS.1] Amazon SQS queues should be encrypted at rest](sqs-controls.md#sqs-1) 
+  [[SQS.2] SQS queues should be tagged](sqs-controls.md#sqs-2) 
+  [[SQS.3] SQS queue access policies should not allow public access](sqs-controls.md#sqs-3) 
+  [[SSM.6] SSM Automation should have CloudWatch logging enabled](ssm-controls.md#ssm-6) 
+  [[SSM.7] SSM documents should have the block public sharing setting enabled](ssm-controls.md#ssm-7) 
+  [[Transfer.3] Transfer Family connectors should have logging enabled](transfer-controls.md#transfer-3) 
+  [[Transfer.4] Transfer Family agreements should be tagged](transfer-controls.md#transfer-4) 
+  [[WAF.1] AWS WAF Classic Global Web ACL logging should be enabled](waf-controls.md#waf-1) 
+  [[WAF.3] AWS WAF Classic Regional rule groups should have at least one rule](waf-controls.md#waf-3) 
+  [[WAF.6] AWS WAF Classic global rules should have at least one condition](waf-controls.md#waf-6) 
+  [[WAF.7] AWS WAF Classic global rule groups should have at least one rule](waf-controls.md#waf-7) 
+  [[WAF.8] AWS WAF Classic global web ACLs should have at least one rule or rule group](waf-controls.md#waf-8) 
+  [[WAF.10] AWS WAF web ACLs should have at least one rule or rule group](waf-controls.md#waf-10) 
+  [[WorkSpaces.1] WorkSpaces user volumes should be encrypted at rest](workspaces-controls.md#workspaces-1) 
+  [[WorkSpaces.2] WorkSpaces root volumes should be encrypted at rest](workspaces-controls.md#workspaces-2) 

## Asia Pacific (Jakarta)
<a name="securityhub-control-support-apsoutheast3"></a>

The following controls are not supported in the Asia Pacific (Jakarta) Region.
+  [[Account.2] AWS accounts should be part of an AWS Organizations organization](account-controls.md#account-2) 
+  [[APIGateway.8] API Gateway routes should specify an authorization type](apigateway-controls.md#apigateway-8) 
+  [[APIGateway.9] Access logging should be configured for API Gateway V2 Stages](apigateway-controls.md#apigateway-9) 
+  [[Amplify.1] Amplify apps should be tagged](amplify-controls.md#amplify-1) 
+  [[Amplify.2] Amplify branches should be tagged](amplify-controls.md#amplify-2) 
+  [[AppFlow.1] Amazon AppFlow flows should be tagged](appflow-controls.md#appflow-1) 
+  [[AppRunner.1] App Runner services should be tagged](apprunner-controls.md#apprunner-1) 
+  [[AppRunner.2] App Runner VPC connectors should be tagged](apprunner-controls.md#apprunner-2) 
+  [[AppSync.1] AWS AppSync API caches should be encrypted at rest](appsync-controls.md#appsync-1) 
+  [[AppSync.6] AWS AppSync API caches should be encrypted in transit](appsync-controls.md#appsync-6) 
+  [[Backup.1] AWS Backup recovery points should be encrypted at rest](backup-controls.md#backup-1) 
+  [[CloudFormation.3] CloudFormation stacks should have termination protection enabled](cloudformation-controls.md#cloudformation-3) 
+  [[CloudFormation.4] CloudFormation stacks should have associated service roles](cloudformation-controls.md#cloudformation-4) 
+  [[CloudFront.1] CloudFront distributions should have a default root object configured](cloudfront-controls.md#cloudfront-1) 
+  [[CloudFront.3] CloudFront distributions should require encryption in transit](cloudfront-controls.md#cloudfront-3) 
+  [[CloudFront.4] CloudFront distributions should have origin failover configured](cloudfront-controls.md#cloudfront-4) 
+  [[CloudFront.5] CloudFront distributions should have logging enabled](cloudfront-controls.md#cloudfront-5) 
+  [[CloudFront.6] CloudFront distributions should have WAF enabled](cloudfront-controls.md#cloudfront-6) 
+  [[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates](cloudfront-controls.md#cloudfront-7) 
+  [[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests](cloudfront-controls.md#cloudfront-8) 
+  [[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins](cloudfront-controls.md#cloudfront-9) 
+  [[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins](cloudfront-controls.md#cloudfront-10) 
+  [[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins](cloudfront-controls.md#cloudfront-12) 
+  [[CloudFront.13] CloudFront distributions should use origin access control](cloudfront-controls.md#cloudfront-13) 
+  [[CloudFront.14] CloudFront distributions should be tagged](cloudfront-controls.md#cloudfront-14) 
+  [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](cloudfront-controls.md#cloudfront-15) 
+  [[CloudFront.16] CloudFront distributions should use origin access control for Lambda function URL origins](cloudfront-controls.md#cloudfront-16) 
+  [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](cloudfront-controls.md#cloudfront-17) 
+  [[CodeArtifact.1] CodeArtifact repositories should be tagged](codeartifact-controls.md#codeartifact-1) 
+  [[CodeBuild.1] CodeBuild Bitbucket source repository URLs should not contain sensitive credentials](codebuild-controls.md#codebuild-1) 
+  [[CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials](codebuild-controls.md#codebuild-2) 
+  [[CodeBuild.3] CodeBuild S3 logs should be encrypted](codebuild-controls.md#codebuild-3) 
+  [[CodeBuild.4] CodeBuild project environments should have a logging AWS Configuration](codebuild-controls.md#codebuild-4) 
+  [[CodeGuruProfiler.1] CodeGuru Profiler profiling groups should be tagged](codeguruprofiler-controls.md#codeguruprofiler-1) 
+  [[CodeGuruReviewer.1] CodeGuru Reviewer repository associations should be tagged](codegurureviewer-controls.md#codegurureviewer-1) 
+  [[Cognito.1] Cognito user pools should have threat protection activated with full function enforcement mode for standard authentication](cognito-controls.md#cognito-1) 
+  [[Connect.1] Amazon Connect Customer Profiles object types should be tagged](connect-controls.md#connect-1) 
+  [[Connect.2] Amazon Connect instances should have CloudWatch logging enabled](connect-controls.md#connect-2) 
+  [[Detective.1] Detective behavior graphs should be tagged](detective-controls.md#detective-1) 
+  [[DMS.2] DMS certificates should be tagged](dms-controls.md#dms-2) 
+  [[DMS.3] DMS event subscriptions should be tagged](dms-controls.md#dms-3) 
+  [[DMS.4] DMS replication instances should be tagged](dms-controls.md#dms-4) 
+  [[DMS.5] DMS replication subnet groups should be tagged](dms-controls.md#dms-5) 
+  [[DMS.6] DMS replication instances should have automatic minor version upgrade enabled](dms-controls.md#dms-6) 
+  [[DMS.7] DMS replication tasks for the target database should have logging enabled](dms-controls.md#dms-7) 
+  [[DMS.8] DMS replication tasks for the source database should have logging enabled](dms-controls.md#dms-8) 
+  [[DMS.9] DMS endpoints should use SSL](dms-controls.md#dms-9) 
+  [[DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled](dms-controls.md#dms-10) 
+  [[DMS.11] DMS endpoints for MongoDB should have an authentication mechanism enabled](dms-controls.md#dms-11) 
+  [[DMS.12] DMS endpoints for Redis OSS should have TLS enabled](dms-controls.md#dms-12) 
+  [[DMS.13] DMS replication instances should be configured to use multiple Availability Zones](dms-controls.md#dms-13) 
+  [[DocumentDB.1] Amazon DocumentDB clusters should be encrypted at rest](documentdb-controls.md#documentdb-1) 
+  [[DocumentDB.2] Amazon DocumentDB clusters should have an adequate backup retention period](documentdb-controls.md#documentdb-2) 
+  [[DocumentDB.3] Amazon DocumentDB manual cluster snapshots should not be public](documentdb-controls.md#documentdb-3) 
+  [[DocumentDB.4] Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs](documentdb-controls.md#documentdb-4) 
+  [[DocumentDB.5] Amazon DocumentDB clusters should have deletion protection enabled](documentdb-controls.md#documentdb-5) 
+  [[DocumentDB.6] Amazon DocumentDB clusters should be encrypted in transit](documentdb-controls.md#documentdb-6) 
+  [[DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest](dynamodb-controls.md#dynamodb-3) 
+  [[DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit](dynamodb-controls.md#dynamodb-7) 
+  [[EC2.14] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 3389](ec2-controls.md#ec2-14) 
+  [[EC2.22] Unused Amazon EC2 security groups should be removed](ec2-controls.md#ec2-22) 
+  [[EC2.24] Amazon EC2 paravirtual instance types should not be used](ec2-controls.md#ec2-24) 
+  [[EC2.51] EC2 Client VPN endpoints should have client connection logging enabled](ec2-controls.md#ec2-51) 
+  [[EC2.58] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager Contacts](ec2-controls.md#ec2-58) 
+  [[EC2.60] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager](ec2-controls.md#ec2-60) 
+  [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](ec2-controls.md#ec2-173) 
+  [[EC2.177] EC2 traffic mirror sessions should be tagged](ec2-controls.md#ec2-177) 
+  [[EC2.179] EC2 traffic mirror targets should be tagged](ec2-controls.md#ec2-179) 
+  [[ECR.4] ECR public repositories should be tagged](ecr-controls.md#ecr-4) 
+  [[EFS.1] Elastic File System should be configured to encrypt file data at-rest using AWS KMS](efs-controls.md#efs-1) 
+  [[EFS.2] Amazon EFS volumes should be in backup plans](efs-controls.md#efs-2) 
+  [[ELB.17] Application and Network Load Balancers with listeners should use recommended security policies](elb-controls.md#elb-17) 
+  [[ELB.18] Application and Network Load Balancer listeners should use secure protocols to encrypt data in transit](elb-controls.md#elb-18) 
+  [[ElastiCache.1] ElastiCache (Redis OSS) clusters should have automatic backups enabled](elasticache-controls.md#elasticache-1) 
+  [[ElastiCache.6] ElastiCache (Redis OSS) replication groups of earlier versions should have Redis OSS AUTH enabled](elasticache-controls.md#elasticache-6) 
+  [[ElastiCache.7] ElastiCache clusters should not use the default subnet group](elasticache-controls.md#elasticache-7) 
+  [[ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled](elasticbeanstalk-controls.md#elasticbeanstalk-1) 
+  [[EventBridge.4] EventBridge global endpoints should have event replication enabled](eventbridge-controls.md#eventbridge-4) 
+  [[FraudDetector.1] Amazon Fraud Detector entity types should be tagged](frauddetector-controls.md#frauddetector-1) 
+  [[FraudDetector.2] Amazon Fraud Detector labels should be tagged](frauddetector-controls.md#frauddetector-2) 
+  [[FraudDetector.3] Amazon Fraud Detector outcomes should be tagged](frauddetector-controls.md#frauddetector-3) 
+  [[FraudDetector.4] Amazon Fraud Detector variables should be tagged](frauddetector-controls.md#frauddetector-4) 
+  [[GlobalAccelerator.1] Global Accelerator accelerators should be tagged](globalaccelerator-controls.md#globalaccelerator-1) 
+  [[GuardDuty.2] GuardDuty filters should be tagged](guardduty-controls.md#guardduty-2) 
+  [[IAM.18] Ensure a support role has been created to manage incidents with AWS Support](iam-controls.md#iam-18) 
+  [[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed](iam-controls.md#iam-26) 
+  [[Inspector.3] Amazon Inspector Lambda code scanning should be enabled](inspector-controls.md#inspector-3) 
+  [[IoT.1] AWS IoT Device Defender security profiles should be tagged](iot-controls.md#iot-1) 
+  [[IoT.2] AWS IoT Core mitigation actions should be tagged](iot-controls.md#iot-2) 
+  [[IoT.3] AWS IoT Core dimensions should be tagged](iot-controls.md#iot-3) 
+  [[IoT.4] AWS IoT Core authorizers should be tagged](iot-controls.md#iot-4) 
+  [[IoT.5] AWS IoT Core role aliases should be tagged](iot-controls.md#iot-5) 
+  [[IoT.6] AWS IoT Core policies should be tagged](iot-controls.md#iot-6) 
+  [[IoTEvents.1] AWS IoT Events inputs should be tagged](iotevents-controls.md#iotevents-1) 
+  [[IoTEvents.2] AWS IoT Events detector models should be tagged](iotevents-controls.md#iotevents-2) 
+  [[IoTEvents.3] AWS IoT Events alarm models should be tagged](iotevents-controls.md#iotevents-3) 
+  [[IoTSiteWise.1] AWS IoT SiteWise asset models should be tagged](iotsitewise-controls.md#iotsitewise-1) 
+  [[IoTSiteWise.2] AWS IoT SiteWise dashboards should be tagged](iotsitewise-controls.md#iotsitewise-2) 
+  [[IoTSiteWise.3] AWS IoT SiteWise gateways should be tagged](iotsitewise-controls.md#iotsitewise-3) 
+  [[IoTSiteWise.4] AWS IoT SiteWise portals should be tagged](iotsitewise-controls.md#iotsitewise-4) 
+  [[IoTSiteWise.5] AWS IoT SiteWise projects should be tagged](iotsitewise-controls.md#iotsitewise-5) 
+  [[IoTTwinMaker.1] AWS IoT TwinMaker sync jobs should be tagged](iottwinmaker-controls.md#iottwinmaker-1) 
+  [[IoTTwinMaker.2] AWS IoT TwinMaker workspaces should be tagged](iottwinmaker-controls.md#iottwinmaker-2) 
+  [[IoTTwinMaker.3] AWS IoT TwinMaker scenes should be tagged](iottwinmaker-controls.md#iottwinmaker-3) 
+  [[IoTTwinMaker.4] AWS IoT TwinMaker entities should be tagged](iottwinmaker-controls.md#iottwinmaker-4) 
+  [[IoTWireless.1] AWS IoT Wireless multicast groups should be tagged](iotwireless-controls.md#iotwireless-1) 
+  [[IoTWireless.2] AWS IoT Wireless service profiles should be tagged](iotwireless-controls.md#iotwireless-2) 
+  [[IoTWireless.3] AWS IoT FUOTA tasks should be tagged](iotwireless-controls.md#iotwireless-3) 
+  [[IVS.1] IVS playback key pairs should be tagged](ivs-controls.md#ivs-1) 
+  [[IVS.2] IVS recording configurations should be tagged](ivs-controls.md#ivs-2) 
+  [[IVS.3] IVS channels should be tagged](ivs-controls.md#ivs-3) 
+  [[Keyspaces.1] Amazon Keyspaces keyspaces should be tagged](keyspaces-controls.md#keyspaces-1) 
+  [[Macie.1] Amazon Macie should be enabled](macie-controls.md#macie-1) 
+  [[Macie.2] Macie automated sensitive data discovery should be enabled](macie-controls.md#macie-2) 
+  [[MSK.3] MSK Connect connectors should be encrypted in transit](msk-controls.md#msk-3) 
+  [[MSK.5] MSK connectors should have logging enabled](msk-controls.md#msk-5) 
+  [[Neptune.1] Neptune DB clusters should be encrypted at rest](neptune-controls.md#neptune-1) 
+  [[Neptune.2] Neptune DB clusters should publish audit logs to CloudWatch Logs](neptune-controls.md#neptune-2) 
+  [[Neptune.3] Neptune DB cluster snapshots should not be public](neptune-controls.md#neptune-3) 
+  [[Neptune.4] Neptune DB clusters should have deletion protection enabled](neptune-controls.md#neptune-4) 
+  [[Neptune.5] Neptune DB clusters should have automated backups enabled](neptune-controls.md#neptune-5) 
+  [[Neptune.6] Neptune DB cluster snapshots should be encrypted at rest](neptune-controls.md#neptune-6) 
+  [[Neptune.7] Neptune DB clusters should have IAM database authentication enabled](neptune-controls.md#neptune-7) 
+  [[Neptune.8] Neptune DB clusters should be configured to copy tags to snapshots](neptune-controls.md#neptune-8) 
+  [[Neptune.9] Neptune DB clusters should be deployed across multiple Availability Zones](neptune-controls.md#neptune-9) 
+  [[Opensearch.5] OpenSearch domains should have audit logging enabled](opensearch-controls.md#opensearch-5) 
+  [[Opensearch.6] OpenSearch domains should have at least three data nodes](opensearch-controls.md#opensearch-6) 
+  [[RDS.14] Amazon Aurora clusters should have backtracking enabled](rds-controls.md#rds-14) 
+  [[RDS.31] RDS DB security groups should be tagged](rds-controls.md#rds-31) 
+  [[RedshiftServerless.1] Amazon Redshift Serverless workgroups should use enhanced VPC routing](redshiftserverless-controls.md#redshiftserverless-1) 
+  [[RedshiftServerless.2] Connections to Redshift Serverless workgroups should be required to use SSL](redshiftserverless-controls.md#redshiftserverless-2) 
+  [[Route53.1] Route 53 health checks should be tagged](route53-controls.md#route53-1) 
+  [[Route53.2] Route 53 public hosted zones should log DNS queries](route53-controls.md#route53-2) 
+  [[S3.11] S3 general purpose buckets should have event notifications enabled](s3-controls.md#s3-11) 
+  [[S3.24] S3 Multi-Region Access Points should have block public access settings enabled](s3-controls.md#s3-24) 
+  [[S3.25] S3 directory buckets should have lifecycle configurations](s3-controls.md#s3-25) 
+  [[SageMaker.9] SageMaker data quality job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-9) 
+  [[SageMaker.10] SageMaker model explainability job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-10) 
+  [[SageMaker.11] SageMaker data quality job definitions should have network isolation enabled](sagemaker-controls.md#sagemaker-11) 
+  [[SageMaker.12] SageMaker model bias job definitions should have network isolation enabled](sagemaker-controls.md#sagemaker-12) 
+  [[SageMaker.13] SageMaker model quality job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-13) 
+  [[SageMaker.14] SageMaker monitoring schedules should have network isolation enabled](sagemaker-controls.md#sagemaker-14) 
+  [[SageMaker.15] SageMaker model bias job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-15) 
+  [[ServiceCatalog.1] Service Catalog portfolios should be shared within an AWS organization only](servicecatalog-controls.md#servicecatalog-1) 
+  [[SQS.1] Amazon SQS queues should be encrypted at rest](sqs-controls.md#sqs-1) 
+  [[SQS.2] SQS queues should be tagged](sqs-controls.md#sqs-2) 
+  [[SQS.3] SQS queue access policies should not allow public access](sqs-controls.md#sqs-3) 
+  [[WAF.1] AWS WAF Classic Global Web ACL logging should be enabled](waf-controls.md#waf-1) 
+  [[WAF.3] AWS WAF Classic Regional rule groups should have at least one rule](waf-controls.md#waf-3) 
+  [[WAF.6] AWS WAF Classic global rules should have at least one condition](waf-controls.md#waf-6) 
+  [[WAF.7] AWS WAF Classic global rule groups should have at least one rule](waf-controls.md#waf-7) 
+  [[WAF.8] AWS WAF Classic global web ACLs should have at least one rule or rule group](waf-controls.md#waf-8) 
+  [[WAF.10] AWS WAF web ACLs should have at least one rule or rule group](waf-controls.md#waf-10) 
+  [[WorkSpaces.1] WorkSpaces user volumes should be encrypted at rest](workspaces-controls.md#workspaces-1) 
+  [[WorkSpaces.2] WorkSpaces root volumes should be encrypted at rest](workspaces-controls.md#workspaces-2) 
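
Lists like the one above go stale as controls are added or released to new Regions, so a practitioner should verify availability against the Security Hub API rather than the documentation alone. The following script is an added example, not part of the AWS documentation: it parses the JSON shape returned by the `ListSecurityControlDefinitions` API (the `CurrentRegionAvailability` field, which is `AVAILABLE` or `UNAVAILABLE`) and reports which controls in your own baseline are not available in the Region you queried. The embedded response is a constructed sample so the script runs offline; the baseline list and the control ID `RDS.99` (deliberately non-existent) are assumptions for illustration. To check a real Region, replace the sample with the output of `aws securityhub list-security-control-definitions --region ap-southeast-3` (paginating with `NextToken` if the response is truncated).

```python
"""Report Security Hub CSPM controls that are not available in a Region.

Added example (not AWS documentation code). It works on the response shape of
the SecurityHub ListSecurityControlDefinitions API. The sample response below
is constructed for offline use.
"""
import json

# Constructed sample: a trimmed ListSecurityControlDefinitions response for a
# Region where some controls are unavailable. Real responses also carry Title,
# Description, RemediationUrl, SeverityRating and CustomizableProperties.
SAMPLE_RESPONSE = json.dumps({
    "SecurityControlDefinitions": [
        {"SecurityControlId": "IAM.18", "CurrentRegionAvailability": "UNAVAILABLE"},
        {"SecurityControlId": "Macie.1", "CurrentRegionAvailability": "UNAVAILABLE"},
        {"SecurityControlId": "S3.11", "CurrentRegionAvailability": "UNAVAILABLE"},
        {"SecurityControlId": "S3.1", "CurrentRegionAvailability": "AVAILABLE"},
        {"SecurityControlId": "EC2.19", "CurrentRegionAvailability": "AVAILABLE"},
    ]
})


def parse_availability(response_json: str) -> dict:
    """Map control ID -> CurrentRegionAvailability for one response page."""
    data = json.loads(response_json)
    return {
        d["SecurityControlId"]: d["CurrentRegionAvailability"]
        for d in data.get("SecurityControlDefinitions", [])
    }


def unavailable_controls(required: set, availability: dict) -> dict:
    """Return the required controls that are not AVAILABLE in this Region.

    A control absent from the response is reported as NOT_LISTED rather than
    silently treated as available, so a typo in the baseline or a control the
    Region's API does not know about at all still surfaces.
    """
    return {
        cid: availability.get(cid, "NOT_LISTED")
        for cid in sorted(required)
        if availability.get(cid) != "AVAILABLE"
    }


def check_region(required, response_json: str) -> dict:
    """Convenience wrapper: baseline control IDs + raw API JSON -> gaps."""
    return unavailable_controls(set(required), parse_availability(response_json))


if __name__ == "__main__":
    # Assumed baseline of controls an organisation expects everywhere;
    # "RDS.99" is a deliberately non-existent ID to show the NOT_LISTED case.
    baseline = ["IAM.18", "S3.1", "S3.11", "EC2.19", "Macie.1", "RDS.99"]
    gaps = check_region(baseline, SAMPLE_RESPONSE)
    if not gaps:
        print("all baseline controls are available in this Region")
    for cid, status in gaps.items():
        print(f"{cid}: {status}")
```

Because a control that is unavailable in a Region produces no findings there, the NOT_LISTED and UNAVAILABLE entries are the ones to cover with a compensating check (for example, a custom AWS Config rule) or to document as an accepted gap for that Region.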

## Asia Pacific (Malaysia)
<a name="securityhub-control-support-apsoutheast5"></a>

The following controls are not supported in the Asia Pacific (Malaysia) Region.
+  [[ACM.1] Imported and ACM-issued certificates should be renewed after a specified time period](acm-controls.md#acm-1) 
+  [[ACM.2] RSA certificates managed by ACM should use a key length of at least 2,048 bits](acm-controls.md#acm-2) 
+  [[Account.1] Security contact information should be provided for an AWS account](account-controls.md#account-1) 
+  [[Account.2] AWS accounts should be part of an AWS Organizations organization](account-controls.md#account-2) 
+  [[APIGateway.8] API Gateway routes should specify an authorization type](apigateway-controls.md#apigateway-8) 
+  [[APIGateway.9] Access logging should be configured for API Gateway V2 Stages](apigateway-controls.md#apigateway-9) 
+  [[Amplify.1] Amplify apps should be tagged](amplify-controls.md#amplify-1) 
+  [[Amplify.2] Amplify branches should be tagged](amplify-controls.md#amplify-2) 
+  [[AppConfig.1] AWS AppConfig applications should be tagged](appconfig-controls.md#appconfig-1) 
+  [[AppConfig.2] AWS AppConfig configuration profiles should be tagged](appconfig-controls.md#appconfig-2) 
+  [[AppConfig.3] AWS AppConfig environments should be tagged](appconfig-controls.md#appconfig-3) 
+  [[AppConfig.4] AWS AppConfig extension associations should be tagged](appconfig-controls.md#appconfig-4) 
+  [[AppFlow.1] Amazon AppFlow flows should be tagged](appflow-controls.md#appflow-1) 
+  [[AppRunner.1] App Runner services should be tagged](apprunner-controls.md#apprunner-1) 
+  [[AppRunner.2] App Runner VPC connectors should be tagged](apprunner-controls.md#apprunner-2) 
+  [[AppSync.1] AWS AppSync API caches should be encrypted at rest](appsync-controls.md#appsync-1) 
+  [[AppSync.2] AWS AppSync should have field-level logging enabled](appsync-controls.md#appsync-2) 
+  [[AppSync.5] AWS AppSync GraphQL APIs should not be authenticated with API keys](appsync-controls.md#appsync-5) 
+  [[AppSync.6] AWS AppSync API caches should be encrypted in transit](appsync-controls.md#appsync-6) 
+  [[Athena.4] Athena workgroups should have logging enabled](athena-controls.md#athena-4) 
+  [[AutoScaling.2] Amazon EC2 Auto Scaling group should cover multiple Availability Zones](autoscaling-controls.md#autoscaling-2) 
+  [[AutoScaling.3] Auto Scaling group launch configurations should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2)](autoscaling-controls.md#autoscaling-3) 
+  [[AutoScaling.6] Auto Scaling groups should use multiple instance types in multiple Availability Zones](autoscaling-controls.md#autoscaling-6) 
+  [[AutoScaling.9] Amazon EC2 Auto Scaling groups should use Amazon EC2 launch templates](autoscaling-controls.md#autoscaling-9) 
+  [[Backup.1] AWS Backup recovery points should be encrypted at rest](backup-controls.md#backup-1) 
+  [[Backup.2] AWS Backup recovery points should be tagged](backup-controls.md#backup-2) 
+  [[Backup.4] AWS Backup report plans should be tagged](backup-controls.md#backup-4) 
+  [[Batch.1] Batch job queues should be tagged](batch-controls.md#batch-1) 
+  [[Batch.2] Batch scheduling policies should be tagged](batch-controls.md#batch-2) 
+  [[Batch.3] Batch compute environments should be tagged](batch-controls.md#batch-3) 
+  [[Batch.4] Compute resources properties in managed Batch compute environments should be tagged](batch-controls.md#batch-4) 
+  [[CloudFormation.3] CloudFormation stacks should have termination protection enabled](cloudformation-controls.md#cloudformation-3) 
+  [[CloudFormation.4] CloudFormation stacks should have associated service roles](cloudformation-controls.md#cloudformation-4) 
+  [[CloudFront.1] CloudFront distributions should have a default root object configured](cloudfront-controls.md#cloudfront-1) 
+  [[CloudFront.3] CloudFront distributions should require encryption in transit](cloudfront-controls.md#cloudfront-3) 
+  [[CloudFront.4] CloudFront distributions should have origin failover configured](cloudfront-controls.md#cloudfront-4) 
+  [[CloudFront.5] CloudFront distributions should have logging enabled](cloudfront-controls.md#cloudfront-5) 
+  [[CloudFront.6] CloudFront distributions should have WAF enabled](cloudfront-controls.md#cloudfront-6) 
+  [[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates](cloudfront-controls.md#cloudfront-7) 
+  [[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests](cloudfront-controls.md#cloudfront-8) 
+  [[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins](cloudfront-controls.md#cloudfront-9) 
+  [[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins](cloudfront-controls.md#cloudfront-10) 
+  [[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins](cloudfront-controls.md#cloudfront-12) 
+  [[CloudFront.13] CloudFront distributions should use origin access control](cloudfront-controls.md#cloudfront-13) 
+  [[CloudFront.14] CloudFront distributions should be tagged](cloudfront-controls.md#cloudfront-14) 
+  [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](cloudfront-controls.md#cloudfront-15) 
+  [[CloudFront.16] CloudFront distributions should use origin access control for Lambda function URL origins](cloudfront-controls.md#cloudfront-16) 
+  [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](cloudfront-controls.md#cloudfront-17) 
+  [[CloudTrail.6] Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible](cloudtrail-controls.md#cloudtrail-6) 
+  [[CloudTrail.7] Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket](cloudtrail-controls.md#cloudtrail-7) 
+  [[CloudTrail.10] CloudTrail Lake event data stores should be encrypted with customer managed AWS KMS keys](cloudtrail-controls.md#cloudtrail-10) 
+  [[CloudWatch.17] CloudWatch alarm actions should be activated](cloudwatch-controls.md#cloudwatch-17) 
+  [[CodeArtifact.1] CodeArtifact repositories should be tagged](codeartifact-controls.md#codeartifact-1) 
+  [[CodeBuild.1] CodeBuild Bitbucket source repository URLs should not contain sensitive credentials](codebuild-controls.md#codebuild-1) 
+  [[CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials](codebuild-controls.md#codebuild-2) 
+  [[CodeBuild.3] CodeBuild S3 logs should be encrypted](codebuild-controls.md#codebuild-3) 
+  [[CodeBuild.4] CodeBuild project environments should have a logging AWS Configuration](codebuild-controls.md#codebuild-4) 
+  [[CodeBuild.7] CodeBuild report group exports should be encrypted at rest](codebuild-controls.md#codebuild-7) 
+  [[CodeGuruProfiler.1] CodeGuru Profiler profiling groups should be tagged](codeguruprofiler-controls.md#codeguruprofiler-1) 
+  [[CodeGuruReviewer.1] CodeGuru Reviewer repository associations should be tagged](codegurureviewer-controls.md#codegurureviewer-1) 
+  [[Cognito.1] Cognito user pools should have threat protection activated with full function enforcement mode for standard authentication](cognito-controls.md#cognito-1) 
+  [[Cognito.2] Cognito identity pools should not allow unauthenticated identities](cognito-controls.md#cognito-2) 
+  [[Cognito.3] Password policies for Cognito user pools should have strong configurations](cognito-controls.md#cognito-3) 
+  [[Cognito.4] Cognito user pools should have threat protection activated with full function enforcement mode for custom authentication](cognito-controls.md#cognito-4) 
+  [[Cognito.5] MFA should be enabled for Cognito user pools](cognito-controls.md#cognito-5) 
+  [[Cognito.6] Cognito user pools should have deletion protection enabled](cognito-controls.md#cognito-6) 
+  [[Connect.1] Amazon Connect Customer Profiles object types should be tagged](connect-controls.md#connect-1) 
+  [[Connect.2] Amazon Connect instances should have CloudWatch logging enabled](connect-controls.md#connect-2) 
+  [[DataFirehose.1] Firehose delivery streams should be encrypted at rest](datafirehose-controls.md#datafirehose-1) 
+  [[DataSync.1] DataSync tasks should have logging enabled](datasync-controls.md#datasync-1) 
+  [[DataSync.2] DataSync tasks should be tagged](datasync-controls.md#datasync-2) 
+  [[Detective.1] Detective behavior graphs should be tagged](detective-controls.md#detective-1) 
+  [[DMS.2] DMS certificates should be tagged](dms-controls.md#dms-2) 
+  [[DMS.3] DMS event subscriptions should be tagged](dms-controls.md#dms-3) 
+  [[DMS.4] DMS replication instances should be tagged](dms-controls.md#dms-4) 
+  [[DMS.5] DMS replication subnet groups should be tagged](dms-controls.md#dms-5) 
+  [[DMS.6] DMS replication instances should have automatic minor version upgrade enabled](dms-controls.md#dms-6) 
+  [[DMS.7] DMS replication tasks for the target database should have logging enabled](dms-controls.md#dms-7) 
+  [[DMS.8] DMS replication tasks for the source database should have logging enabled](dms-controls.md#dms-8) 
+  [[DMS.9] DMS endpoints should use SSL](dms-controls.md#dms-9) 
+  [[DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled](dms-controls.md#dms-10) 
+  [[DMS.11] DMS endpoints for MongoDB should have an authentication mechanism enabled](dms-controls.md#dms-11) 
+  [[DMS.12] DMS endpoints for Redis OSS should have TLS enabled](dms-controls.md#dms-12) 
+  [[DMS.13] DMS replication instances should be configured to use multiple Availability Zones](dms-controls.md#dms-13) 
+  [[DocumentDB.1] Amazon DocumentDB clusters should be encrypted at rest](documentdb-controls.md#documentdb-1) 
+  [[DocumentDB.2] Amazon DocumentDB clusters should have an adequate backup retention period](documentdb-controls.md#documentdb-2) 
+  [[DocumentDB.3] Amazon DocumentDB manual cluster snapshots should not be public](documentdb-controls.md#documentdb-3) 
+  [[DocumentDB.4] Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs](documentdb-controls.md#documentdb-4) 
+  [[DocumentDB.5] Amazon DocumentDB clusters should have deletion protection enabled](documentdb-controls.md#documentdb-5) 
+  [[DocumentDB.6] Amazon DocumentDB clusters should be encrypted in transit](documentdb-controls.md#documentdb-6) 
+  [[DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest](dynamodb-controls.md#dynamodb-3) 
+  [[DynamoDB.4] DynamoDB tables should be present in a backup plan](dynamodb-controls.md#dynamodb-4) 
+  [[DynamoDB.6] DynamoDB tables should have deletion protection enabled](dynamodb-controls.md#dynamodb-6) 
+  [[DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit](dynamodb-controls.md#dynamodb-7) 
+  [[EC2.4] Stopped EC2 instances should be removed after a specified time period](ec2-controls.md#ec2-4) 
+  [[EC2.21] Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389](ec2-controls.md#ec2-21) 
+  [[EC2.22] Unused Amazon EC2 security groups should be removed](ec2-controls.md#ec2-22) 
+  [[EC2.23] Amazon EC2 Transit Gateways should not automatically accept VPC attachment requests](ec2-controls.md#ec2-23) 
+  [[EC2.24] Amazon EC2 paravirtual instance types should not be used](ec2-controls.md#ec2-24) 
+  [[EC2.25] Amazon EC2 launch templates should not assign public IPs to network interfaces](ec2-controls.md#ec2-25) 
+  [[EC2.28] EBS volumes should be covered by a backup plan](ec2-controls.md#ec2-28) 
+  [[EC2.34] EC2 transit gateway route tables should be tagged](ec2-controls.md#ec2-34) 
+  [[EC2.40] EC2 NAT gateways should be tagged](ec2-controls.md#ec2-40) 
+  [[EC2.51] EC2 Client VPN endpoints should have client connection logging enabled](ec2-controls.md#ec2-51) 
+  [[EC2.53] EC2 security groups should not allow ingress from 0.0.0.0/0 to remote server administration ports](ec2-controls.md#ec2-53) 
+  [[EC2.54] EC2 security groups should not allow ingress from ::/0 to remote server administration ports](ec2-controls.md#ec2-54) 
+  [[EC2.55] VPCs should be configured with an interface endpoint for ECR API](ec2-controls.md#ec2-55) 
+  [[EC2.56] VPCs should be configured with an interface endpoint for Docker Registry](ec2-controls.md#ec2-56) 
+  [[EC2.57] VPCs should be configured with an interface endpoint for Systems Manager](ec2-controls.md#ec2-57) 
+  [[EC2.58] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager Contacts](ec2-controls.md#ec2-58) 
+  [[EC2.60] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager](ec2-controls.md#ec2-60) 
+  [[EC2.170] EC2 launch templates should use Instance Metadata Service Version 2 (IMDSv2)](ec2-controls.md#ec2-170) 
+  [[EC2.171] EC2 VPN connections should have logging enabled](ec2-controls.md#ec2-171) 
+  [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](ec2-controls.md#ec2-173) 
+  [[EC2.174] EC2 DHCP option sets should be tagged](ec2-controls.md#ec2-174) 
+  [[EC2.175] EC2 launch templates should be tagged](ec2-controls.md#ec2-175) 
+  [[EC2.176] EC2 prefix lists should be tagged](ec2-controls.md#ec2-176) 
+  [[EC2.177] EC2 traffic mirror sessions should be tagged](ec2-controls.md#ec2-177) 
+  [[EC2.178] EC2 traffic mirror filters should be tagged](ec2-controls.md#ec2-178) 
+  [[EC2.179] EC2 traffic mirror targets should be tagged](ec2-controls.md#ec2-179) 
+  [[EC2.180] EC2 network interfaces should have source/destination checking enabled](ec2-controls.md#ec2-180) 
+  [[EC2.181] EC2 launch templates should enable encryption for attached EBS volumes](ec2-controls.md#ec2-181) 
+  [[ECR.1] ECR private repositories should have image scanning configured](ecr-controls.md#ecr-1) 
+  [[ECR.2] ECR private repositories should have tag immutability configured](ecr-controls.md#ecr-2) 
+  [[ECR.3] ECR repositories should have at least one lifecycle policy configured](ecr-controls.md#ecr-3) 
+  [[ECR.4] ECR public repositories should be tagged](ecr-controls.md#ecr-4) 
+  [[ECR.5] ECR repositories should be encrypted with customer managed AWS KMS keys](ecr-controls.md#ecr-5) 
+  [[ECS.3] ECS task definitions should not share the host's process namespace](ecs-controls.md#ecs-3) 
+  [[ECS.4] ECS containers should run as non-privileged](ecs-controls.md#ecs-4) 
+  [[ECS.5] ECS task definitions should configure containers to be limited to read-only access to root filesystems](ecs-controls.md#ecs-5) 
+  [[ECS.8] Secrets should not be passed as container environment variables](ecs-controls.md#ecs-8) 
+  [[ECS.9] ECS task definitions should have a logging configuration](ecs-controls.md#ecs-9) 
+  [[ECS.10] ECS Fargate services should run on the latest Fargate platform version](ecs-controls.md#ecs-10) 
+  [[ECS.12] ECS clusters should use Container Insights](ecs-controls.md#ecs-12) 
+  [[ECS.17] ECS task definitions should not use host network mode](ecs-controls.md#ecs-17) 
+  [[ECS.19] ECS capacity providers should have managed termination protection enabled](ecs-controls.md#ecs-19) 
+  [[EFS.1] Elastic File System should be configured to encrypt file data at-rest using AWS KMS](efs-controls.md#efs-1) 
+  [[EFS.2] Amazon EFS volumes should be in backup plans](efs-controls.md#efs-2) 
+  [[EFS.3] EFS access points should enforce a root directory](efs-controls.md#efs-3) 
+  [[EFS.4] EFS access points should enforce a user identity](efs-controls.md#efs-4) 
+  [[EFS.6] EFS mount targets should not be associated with subnets that assign public IP addresses on launch](efs-controls.md#efs-6) 
+  [[EFS.7] EFS file systems should have automatic backups enabled](efs-controls.md#efs-7) 
+  [[EFS.8] EFS file systems should be encrypted at rest](efs-controls.md#efs-8) 
+  [[EKS.2] EKS clusters should run on a supported Kubernetes version](eks-controls.md#eks-2) 
+  [[EKS.3] EKS clusters should use encrypted Kubernetes secrets](eks-controls.md#eks-3) 
+  [[EKS.7] EKS identity provider configurations should be tagged](eks-controls.md#eks-7) 
+  [[EKS.8] EKS clusters should have audit logging enabled](eks-controls.md#eks-8) 
+  [[ELB.10] Classic Load Balancer should span multiple Availability Zones](elb-controls.md#elb-10) 
+  [[ELB.12] Application Load Balancer should be configured with defensive or strictest desync mitigation mode](elb-controls.md#elb-12) 
+  [[ELB.13] Application, Network and Gateway Load Balancers should span multiple Availability Zones](elb-controls.md#elb-13) 
+  [[ELB.14] Classic Load Balancer should be configured with defensive or strictest desync mitigation mode](elb-controls.md#elb-14) 
+  [[ELB.17] Application and Network Load Balancers with listeners should use recommended security policies](elb-controls.md#elb-17) 
+  [[ELB.18] Application and Network Load Balancer listeners should use secure protocols to encrypt data in transit](elb-controls.md#elb-18) 
+  [[ElastiCache.1] ElastiCache (Redis OSS) clusters should have automatic backups enabled](elasticache-controls.md#elasticache-1) 
+  [[ElastiCache.2] ElastiCache clusters should have automatic minor version upgrades enabled](elasticache-controls.md#elasticache-2) 
+  [[ElastiCache.3] ElastiCache replication groups should have automatic failover enabled](elasticache-controls.md#elasticache-3) 
+  [[ElastiCache.4] ElastiCache replication groups should be encrypted at rest](elasticache-controls.md#elasticache-4) 
+  [[ElastiCache.5] ElastiCache replication groups should be encrypted in transit](elasticache-controls.md#elasticache-5) 
+  [[ElastiCache.6] ElastiCache (Redis OSS) replication groups of earlier versions should have Redis OSS AUTH enabled](elasticache-controls.md#elasticache-6) 
+  [[ElastiCache.7] ElastiCache clusters should not use the default subnet group](elasticache-controls.md#elasticache-7) 
+  [[ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled](elasticbeanstalk-controls.md#elasticbeanstalk-1) 
+  [[ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled](elasticbeanstalk-controls.md#elasticbeanstalk-2) 
+  [[ElasticBeanstalk.3] Elastic Beanstalk should stream logs to CloudWatch](elasticbeanstalk-controls.md#elasticbeanstalk-3) 
+  [[EMR.1] Amazon EMR cluster primary nodes should not have public IP addresses](emr-controls.md#emr-1) 
+  [[EMR.2] Amazon EMR block public access setting should be enabled](emr-controls.md#emr-2) 
+  [[EMR.3] Amazon EMR security configurations should be encrypted at rest](emr-controls.md#emr-3) 
+  [[EMR.4] Amazon EMR security configurations should be encrypted in transit](emr-controls.md#emr-4) 
+  [[ES.4] Elasticsearch domain error logging to CloudWatch Logs should be enabled](es-controls.md#es-4) 
+  [[ES.9] Elasticsearch domains should be tagged](es-controls.md#es-9) 
+  [[EventBridge.3] EventBridge custom event buses should have a resource-based policy attached](eventbridge-controls.md#eventbridge-3) 
+  [[EventBridge.4] EventBridge global endpoints should have event replication enabled](eventbridge-controls.md#eventbridge-4) 
+  [[FraudDetector.1] Amazon Fraud Detector entity types should be tagged](frauddetector-controls.md#frauddetector-1) 
+  [[FraudDetector.2] Amazon Fraud Detector labels should be tagged](frauddetector-controls.md#frauddetector-2) 
+  [[FraudDetector.3] Amazon Fraud Detector outcomes should be tagged](frauddetector-controls.md#frauddetector-3) 
+  [[FraudDetector.4] Amazon Fraud Detector variables should be tagged](frauddetector-controls.md#frauddetector-4) 
+  [[FSx.1] FSx for OpenZFS file systems should be configured to copy tags to backups and volumes](fsx-controls.md#fsx-1) 
+  [[FSx.2] FSx for Lustre file systems should be configured to copy tags to backups](fsx-controls.md#fsx-2) 
+  [[FSx.3] FSx for OpenZFS file systems should be configured for Multi-AZ deployment](fsx-controls.md#fsx-3) 
+  [[FSx.4] FSx for NetApp ONTAP file systems should be configured for Multi-AZ deployment](fsx-controls.md#fsx-4) 
+  [[FSx.5] FSx for Windows File Server file systems should be configured for Multi-AZ deployment](fsx-controls.md#fsx-5) 
+  [[GlobalAccelerator.1] Global Accelerator accelerators should be tagged](globalaccelerator-controls.md#globalaccelerator-1) 
+  [[Glue.1] AWS Glue jobs should be tagged](glue-controls.md#glue-1) 
+  [[Glue.3] AWS Glue machine learning transforms should be encrypted at rest](glue-controls.md#glue-3) 
+  [[Glue.4] AWS Glue Spark jobs should run on supported versions of AWS Glue](glue-controls.md#glue-4) 
+  [[GuardDuty.2] GuardDuty filters should be tagged](guardduty-controls.md#guardduty-2) 
+  [[GuardDuty.5] GuardDuty EKS Audit Log Monitoring should be enabled](guardduty-controls.md#guardduty-5) 
+  [[GuardDuty.6] GuardDuty Lambda Protection should be enabled](guardduty-controls.md#guardduty-6) 
+  [[GuardDuty.7] GuardDuty EKS Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-7) 
+  [[GuardDuty.8] GuardDuty Malware Protection for EC2 should be enabled](guardduty-controls.md#guardduty-8) 
+  [[GuardDuty.9] GuardDuty RDS Protection should be enabled](guardduty-controls.md#guardduty-9) 
+  [[GuardDuty.10] GuardDuty S3 Protection should be enabled](guardduty-controls.md#guardduty-10) 
+  [[GuardDuty.11] GuardDuty Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-11) 
+  [[GuardDuty.12] GuardDuty ECS Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-12) 
+  [[GuardDuty.13] GuardDuty EC2 Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-13) 
+  [[IAM.1] IAM policies should not allow full "*" administrative privileges](iam-controls.md#iam-1) 
+  [[IAM.2] IAM users should not have IAM policies attached](iam-controls.md#iam-2) 
+  [[IAM.3] IAM users' access keys should be rotated every 90 days or less](iam-controls.md#iam-3) 
+  [[IAM.4] IAM root user access key should not exist](iam-controls.md#iam-4) 
+  [[IAM.5] MFA should be enabled for all IAM users that have a console password](iam-controls.md#iam-5) 
+  [[IAM.6] Hardware MFA should be enabled for the root user](iam-controls.md#iam-6) 
+  [[IAM.7] Password policies for IAM users should have strong configurations](iam-controls.md#iam-7) 
+  [[IAM.8] Unused IAM user credentials should be removed](iam-controls.md#iam-8) 
+  [[IAM.9] MFA should be enabled for the root user](iam-controls.md#iam-9) 
+  [[IAM.10] Password policies for IAM users should have strong configurations](iam-controls.md#iam-10) 
+  [[IAM.11] Ensure IAM password policy requires at least one uppercase letter](iam-controls.md#iam-11) 
+  [[IAM.12] Ensure IAM password policy requires at least one lowercase letter](iam-controls.md#iam-12) 
+  [[IAM.13] Ensure IAM password policy requires at least one symbol](iam-controls.md#iam-13) 
+  [[IAM.14] Ensure IAM password policy requires at least one number](iam-controls.md#iam-14) 
+  [[IAM.15] Ensure IAM password policy requires minimum password length of 14 or greater](iam-controls.md#iam-15) 
+  [[IAM.16] Ensure IAM password policy prevents password reuse](iam-controls.md#iam-16) 
+  [[IAM.17] Ensure IAM password policy expires passwords within 90 days or less](iam-controls.md#iam-17) 
+  [[IAM.18] Ensure a support role has been created to manage incidents with AWS Support](iam-controls.md#iam-18) 
+  [[IAM.19] MFA should be enabled for all IAM users](iam-controls.md#iam-19) 
+  [[IAM.21] IAM customer managed policies that you create should not allow wildcard actions for services](iam-controls.md#iam-21) 
+  [[IAM.22] IAM user credentials unused for 45 days should be removed](iam-controls.md#iam-22) 
+  [[IAM.24] IAM roles should be tagged](iam-controls.md#iam-24) 
+  [[IAM.25] IAM users should be tagged](iam-controls.md#iam-25) 
+  [[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed](iam-controls.md#iam-26) 
+  [[IAM.27] IAM identities should not have the AWSCloudShellFullAccess policy attached](iam-controls.md#iam-27) 
+  [[IAM.28] IAM Access Analyzer external access analyzer should be enabled](iam-controls.md#iam-28) 
+  [[Inspector.1] Amazon Inspector EC2 scanning should be enabled](inspector-controls.md#inspector-1) 
+  [[Inspector.2] Amazon Inspector ECR scanning should be enabled](inspector-controls.md#inspector-2) 
+  [[Inspector.3] Amazon Inspector Lambda code scanning should be enabled](inspector-controls.md#inspector-3) 
+  [[Inspector.4] Amazon Inspector Lambda standard scanning should be enabled](inspector-controls.md#inspector-4) 
+  [[IoTEvents.1] AWS IoT Events inputs should be tagged](iotevents-controls.md#iotevents-1) 
+  [[IoTEvents.2] AWS IoT Events detector models should be tagged](iotevents-controls.md#iotevents-2) 
+  [[IoTEvents.3] AWS IoT Events alarm models should be tagged](iotevents-controls.md#iotevents-3) 
+  [[IoTSiteWise.1] AWS IoT SiteWise asset models should be tagged](iotsitewise-controls.md#iotsitewise-1) 
+  [[IoTSiteWise.2] AWS IoT SiteWise dashboards should be tagged](iotsitewise-controls.md#iotsitewise-2) 
+  [[IoTSiteWise.3] AWS IoT SiteWise gateways should be tagged](iotsitewise-controls.md#iotsitewise-3) 
+  [[IoTSiteWise.4] AWS IoT SiteWise portals should be tagged](iotsitewise-controls.md#iotsitewise-4) 
+  [[IoTSiteWise.5] AWS IoT SiteWise projects should be tagged](iotsitewise-controls.md#iotsitewise-5) 
+  [[IoTTwinMaker.1] AWS IoT TwinMaker sync jobs should be tagged](iottwinmaker-controls.md#iottwinmaker-1) 
+  [[IoTTwinMaker.2] AWS IoT TwinMaker workspaces should be tagged](iottwinmaker-controls.md#iottwinmaker-2) 
+  [[IoTTwinMaker.3] AWS IoT TwinMaker scenes should be tagged](iottwinmaker-controls.md#iottwinmaker-3) 
+  [[IoTTwinMaker.4] AWS IoT TwinMaker entities should be tagged](iottwinmaker-controls.md#iottwinmaker-4) 
+  [[IoTWireless.1] AWS IoT Wireless multicast groups should be tagged](iotwireless-controls.md#iotwireless-1) 
+  [[IoTWireless.2] AWS IoT Wireless service profiles should be tagged](iotwireless-controls.md#iotwireless-2) 
+  [[IoTWireless.3] AWS IoT FUOTA tasks should be tagged](iotwireless-controls.md#iotwireless-3) 
+  [[IVS.1] IVS playback key pairs should be tagged](ivs-controls.md#ivs-1) 
+  [[IVS.2] IVS recording configurations should be tagged](ivs-controls.md#ivs-2) 
+  [[IVS.3] IVS channels should be tagged](ivs-controls.md#ivs-3) 
+  [[Keyspaces.1] Amazon Keyspaces keyspaces should be tagged](keyspaces-controls.md#keyspaces-1) 
+  [[Kinesis.1] Kinesis streams should be encrypted at rest](kinesis-controls.md#kinesis-1) 
+  [[Kinesis.3] Kinesis streams should have an adequate data retention period](kinesis-controls.md#kinesis-3) 
+  [[KMS.1] IAM customer managed policies should not allow decryption actions on all KMS keys](kms-controls.md#kms-1) 
+  [[KMS.2] IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys](kms-controls.md#kms-2) 
+  [[KMS.5] KMS keys should not be publicly accessible](kms-controls.md#kms-5) 
+  [[Lambda.5] VPC Lambda functions should operate in multiple Availability Zones](lambda-controls.md#lambda-5) 
+  [[Lambda.7] Lambda functions should have AWS X-Ray active tracing enabled](lambda-controls.md#lambda-7) 
+  [[Macie.1] Amazon Macie should be enabled](macie-controls.md#macie-1) 
+  [[Macie.2] Macie automated sensitive data discovery should be enabled](macie-controls.md#macie-2) 
+  [[MQ.2] ActiveMQ brokers should stream audit logs to CloudWatch](mq-controls.md#mq-2) 
+  [[MQ.4] Amazon MQ brokers should be tagged](mq-controls.md#mq-4) 
+  [[MQ.5] ActiveMQ brokers should use active/standby deployment mode](mq-controls.md#mq-5) 
+  [[MQ.6] RabbitMQ brokers should use cluster deployment mode](mq-controls.md#mq-6) 
+  [[MSK.1] MSK clusters should be encrypted in transit among broker nodes](msk-controls.md#msk-1) 
+  [[MSK.2] MSK clusters should have enhanced monitoring configured](msk-controls.md#msk-2) 
+  [[MSK.3] MSK Connect connectors should be encrypted in transit](msk-controls.md#msk-3) 
+  [[MSK.4] MSK clusters should have public access disabled](msk-controls.md#msk-4) 
+  [[MSK.5] MSK connectors should have logging enabled](msk-controls.md#msk-5) 
+  [[MSK.6] MSK clusters should disable unauthenticated access](msk-controls.md#msk-6) 
+  [[Neptune.1] Neptune DB clusters should be encrypted at rest](neptune-controls.md#neptune-1) 
+  [[Neptune.2] Neptune DB clusters should publish audit logs to CloudWatch Logs](neptune-controls.md#neptune-2) 
+  [[Neptune.3] Neptune DB cluster snapshots should not be public](neptune-controls.md#neptune-3) 
+  [[Neptune.4] Neptune DB clusters should have deletion protection enabled](neptune-controls.md#neptune-4) 
+  [[Neptune.5] Neptune DB clusters should have automated backups enabled](neptune-controls.md#neptune-5) 
+  [[Neptune.6] Neptune DB cluster snapshots should be encrypted at rest](neptune-controls.md#neptune-6) 
+  [[Neptune.7] Neptune DB clusters should have IAM database authentication enabled](neptune-controls.md#neptune-7) 
+  [[Neptune.8] Neptune DB clusters should be configured to copy tags to snapshots](neptune-controls.md#neptune-8) 
+  [[Neptune.9] Neptune DB clusters should be deployed across multiple Availability Zones](neptune-controls.md#neptune-9) 
+  [[NetworkFirewall.1] Network Firewall firewalls should be deployed across multiple Availability Zones](networkfirewall-controls.md#networkfirewall-1) 
+  [[NetworkFirewall.2] Network Firewall logging should be enabled](networkfirewall-controls.md#networkfirewall-2) 
+  [[NetworkFirewall.3] Network Firewall policies should have at least one rule group associated](networkfirewall-controls.md#networkfirewall-3) 
+  [[NetworkFirewall.4] The default stateless action for Network Firewall policies should be drop or forward for full packets](networkfirewall-controls.md#networkfirewall-4) 
+  [[NetworkFirewall.5] The default stateless action for Network Firewall policies should be drop or forward for fragmented packets](networkfirewall-controls.md#networkfirewall-5) 
+  [[NetworkFirewall.6] Stateless Network Firewall rule group should not be empty](networkfirewall-controls.md#networkfirewall-6) 
+  [[NetworkFirewall.9] Network Firewall firewalls should have deletion protection enabled](networkfirewall-controls.md#networkfirewall-9) 
+  [[NetworkFirewall.10] Network Firewall firewalls should have subnet change protection enabled](networkfirewall-controls.md#networkfirewall-10) 
+  [[Opensearch.1] OpenSearch domains should have encryption at rest enabled](opensearch-controls.md#opensearch-1) 
+  [[Opensearch.2] OpenSearch domains should not be publicly accessible](opensearch-controls.md#opensearch-2) 
+  [[Opensearch.3] OpenSearch domains should encrypt data sent between nodes](opensearch-controls.md#opensearch-3) 
+  [[Opensearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled](opensearch-controls.md#opensearch-4) 
+  [[Opensearch.5] OpenSearch domains should have audit logging enabled](opensearch-controls.md#opensearch-5) 
+  [[Opensearch.6] OpenSearch domains should have at least three data nodes](opensearch-controls.md#opensearch-6) 
+  [[Opensearch.7] OpenSearch domains should have fine-grained access control enabled](opensearch-controls.md#opensearch-7) 
+  [[Opensearch.8] Connections to OpenSearch domains should be encrypted using the latest TLS security policy](opensearch-controls.md#opensearch-8) 
+  [[Opensearch.9] OpenSearch domains should be tagged](opensearch-controls.md#opensearch-9) 
+  [[Opensearch.10] OpenSearch domains should have the latest software update installed](opensearch-controls.md#opensearch-10) 
+  [[Opensearch.11] OpenSearch domains should have at least three dedicated primary nodes](opensearch-controls.md#opensearch-11) 
+  [[PCA.1] AWS Private CA root certificate authority should be disabled](pca-controls.md#pca-1) 
+  [[PCA.2] AWS Private CA certificate authorities should be tagged](pca-controls.md#pca-2) 
+  [[RDS.14] Amazon Aurora clusters should have backtracking enabled](rds-controls.md#rds-14) 
+  [[RDS.18] RDS instances should be deployed in a VPC](rds-controls.md#rds-18) 
+  [[RDS.24] RDS Database clusters should use a custom administrator username](rds-controls.md#rds-24) 
+  [[RDS.25] RDS database instances should use a custom administrator username](rds-controls.md#rds-25) 
+  [[RDS.26] RDS DB instances should be protected by a backup plan](rds-controls.md#rds-26) 
+  [[RDS.27] RDS DB clusters should be encrypted at rest](rds-controls.md#rds-27) 
+  [[RDS.31] RDS DB security groups should be tagged](rds-controls.md#rds-31) 
+  [[RDS.34] Aurora MySQL DB clusters should publish audit logs to CloudWatch Logs](rds-controls.md#rds-34) 
+  [[RDS.35] RDS DB clusters should have automatic minor version upgrade enabled](rds-controls.md#rds-35) 
+  [[RDS.36] RDS for PostgreSQL DB instances should publish logs to CloudWatch Logs](rds-controls.md#rds-36) 
+  [[RDS.37] Aurora PostgreSQL DB clusters should publish logs to CloudWatch Logs](rds-controls.md#rds-37) 
+  [[RDS.38] RDS for PostgreSQL DB instances should be encrypted in transit](rds-controls.md#rds-38) 
+  [[RDS.39] RDS for MySQL DB instances should be encrypted in transit](rds-controls.md#rds-39) 
+  [[RDS.40] RDS for SQL Server DB instances should publish logs to CloudWatch Logs](rds-controls.md#rds-40) 
+  [[RDS.41] RDS for SQL Server DB instances should be encrypted in transit](rds-controls.md#rds-41) 
+  [[RDS.42] RDS for MariaDB DB instances should publish logs to CloudWatch Logs](rds-controls.md#rds-42) 
+  [[RDS.43] RDS DB proxies should require TLS encryption for connections](rds-controls.md#rds-43) 
+  [[RDS.44] RDS for MariaDB DB instances should be encrypted in transit](rds-controls.md#rds-44) 
+  [[RDS.45] Aurora MySQL DB clusters should have audit logging enabled](rds-controls.md#rds-45) 
+  [[RDS.46] RDS DB instances should not be deployed in public subnets with routes to internet gateways](rds-controls.md#rds-46) 
+  [[RDS.47] RDS for PostgreSQL DB clusters should be configured to copy tags to DB snapshots](rds-controls.md#rds-47) 
+  [[Redshift.8] Amazon Redshift clusters should not use the default Admin username](redshift-controls.md#redshift-8) 
+  [[Redshift.10] Redshift clusters should be encrypted at rest](redshift-controls.md#redshift-10) 
+  [[Redshift.15] Redshift security groups should allow ingress on the cluster port only from restricted origins](redshift-controls.md#redshift-15) 
+  [[Redshift.16] Redshift cluster subnet groups should have subnets from multiple Availability Zones](redshift-controls.md#redshift-16) 
+  [[Redshift.17] Redshift cluster parameter groups should be tagged](redshift-controls.md#redshift-17) 
+  [[Redshift.18] Redshift clusters should have Multi-AZ deployments enabled](redshift-controls.md#redshift-18) 
+  [[RedshiftServerless.1] Amazon Redshift Serverless workgroups should use enhanced VPC routing](redshiftserverless-controls.md#redshiftserverless-1) 
+  [[RedshiftServerless.2] Connections to Redshift Serverless workgroups should be required to use SSL](redshiftserverless-controls.md#redshiftserverless-2) 
+  [[RedshiftServerless.3] Redshift Serverless workgroups should prohibit public access](redshiftserverless-controls.md#redshiftserverless-3) 
+  [[RedshiftServerless.4] Redshift Serverless namespaces should be encrypted with customer managed AWS KMS keys](redshiftserverless-controls.md#redshiftserverless-4) 
+  [[RedshiftServerless.5] Redshift Serverless namespaces should not use the default admin username](redshiftserverless-controls.md#redshiftserverless-5) 
+  [[RedshiftServerless.6] Redshift Serverless namespaces should export logs to CloudWatch Logs](redshiftserverless-controls.md#redshiftserverless-6) 
+  [[Route53.1] Route 53 health checks should be tagged](route53-controls.md#route53-1) 
+  [[Route53.2] Route 53 public hosted zones should log DNS queries](route53-controls.md#route53-2) 
+  [[S3.7] S3 general purpose buckets should use cross-Region replication](s3-controls.md#s3-7) 
+  [[S3.10] S3 general purpose buckets with versioning enabled should have Lifecycle configurations](s3-controls.md#s3-10) 
+  [[S3.11] S3 general purpose buckets should have event notifications enabled](s3-controls.md#s3-11) 
+  [[S3.12] ACLs should not be used to manage user access to S3 general purpose buckets](s3-controls.md#s3-12) 
+  [[S3.13] S3 general purpose buckets should have Lifecycle configurations](s3-controls.md#s3-13) 
+  [[S3.19] S3 access points should have block public access settings enabled](s3-controls.md#s3-19) 
+  [[S3.20] S3 general purpose buckets should have MFA delete enabled](s3-controls.md#s3-20) 
+  [[S3.22] S3 general purpose buckets should log object-level write events](s3-controls.md#s3-22) 
+  [[S3.23] S3 general purpose buckets should log object-level read events](s3-controls.md#s3-23) 
+  [[S3.24] S3 Multi-Region Access Points should have block public access settings enabled](s3-controls.md#s3-24) 
+  [[S3.25] S3 directory buckets should have lifecycle configurations](s3-controls.md#s3-25) 
+  [[SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access](sagemaker-controls.md#sagemaker-1) 
+  [[SageMaker.2] SageMaker notebook instances should be launched in a custom VPC](sagemaker-controls.md#sagemaker-2) 
+  [[SageMaker.3] Users should not have root access to SageMaker notebook instances](sagemaker-controls.md#sagemaker-3) 
+  [[SageMaker.4] SageMaker endpoint production variants should have an initial instance count greater than 1](sagemaker-controls.md#sagemaker-4) 
+  [[SageMaker.5] SageMaker models should have network isolation enabled](sagemaker-controls.md#sagemaker-5) 
+  [[SageMaker.6] SageMaker app image configurations should be tagged](sagemaker-controls.md#sagemaker-6) 
+  [[SageMaker.7] SageMaker images should be tagged](sagemaker-controls.md#sagemaker-7) 
+  [[SageMaker.8] SageMaker notebook instances should run on supported platforms](sagemaker-controls.md#sagemaker-8) 
+  [[SageMaker.9] SageMaker data quality job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-9) 
+  [[SageMaker.10] SageMaker model explainability job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-10) 
+  [[SageMaker.11] SageMaker data quality job definitions should have network isolation enabled](sagemaker-controls.md#sagemaker-11) 
+  [[SageMaker.12] SageMaker model bias job definitions should have network isolation enabled](sagemaker-controls.md#sagemaker-12) 
+  [[SageMaker.13] SageMaker model quality job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-13) 
+  [[SageMaker.14] SageMaker monitoring schedules should have network isolation enabled](sagemaker-controls.md#sagemaker-14) 
+  [[SageMaker.15] SageMaker model bias job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-15) 
+  [[SES.3] SES configuration sets should have TLS enabled for sending emails](ses-controls.md#ses-3) 
+  [[ServiceCatalog.1] Service Catalog portfolios should be shared within an AWS organization only](servicecatalog-controls.md#servicecatalog-1) 
+  [[SNS.4] SNS topic access policies should not allow public access](sns-controls.md#sns-4) 
+  [[SQS.1] Amazon SQS queues should be encrypted at rest](sqs-controls.md#sqs-1) 
+  [[SQS.2] SQS queues should be tagged](sqs-controls.md#sqs-2) 
+  [[SQS.3] SQS queue access policies should not allow public access](sqs-controls.md#sqs-3) 
+  [[SSM.4] SSM documents should not be public](ssm-controls.md#ssm-4) 
+  [[SSM.5] SSM documents should be tagged](ssm-controls.md#ssm-5) 
+  [[SSM.6] SSM Automation should have CloudWatch logging enabled](ssm-controls.md#ssm-6) 
+  [[SSM.7] SSM documents should have the block public sharing setting enabled](ssm-controls.md#ssm-7) 
+  [[StepFunctions.1] Step Functions state machines should have logging turned on](stepfunctions-controls.md#stepfunctions-1) 
+  [[Transfer.2] Transfer Family servers should not use FTP protocol for endpoint connection](transfer-controls.md#transfer-2) 
+  [[Transfer.3] Transfer Family connectors should have logging enabled](transfer-controls.md#transfer-3) 
+  [[Transfer.4] Transfer Family agreements should be tagged](transfer-controls.md#transfer-4) 
+  [[Transfer.5] Transfer Family certificates should be tagged](transfer-controls.md#transfer-5) 
+  [[Transfer.6] Transfer Family connectors should be tagged](transfer-controls.md#transfer-6) 
+  [[Transfer.7] Transfer Family profiles should be tagged](transfer-controls.md#transfer-7) 
+  [[WAF.1] AWS WAF Classic Global Web ACL logging should be enabled](waf-controls.md#waf-1) 
+  [[WAF.2] AWS WAF Classic Regional rules should have at least one condition](waf-controls.md#waf-2) 
+  [[WAF.3] AWS WAF Classic Regional rule groups should have at least one rule](waf-controls.md#waf-3) 
+  [[WAF.4] AWS WAF Classic Regional web ACLs should have at least one rule or rule group](waf-controls.md#waf-4) 
+  [[WAF.6] AWS WAF Classic global rules should have at least one condition](waf-controls.md#waf-6) 
+  [[WAF.7] AWS WAF Classic global rule groups should have at least one rule](waf-controls.md#waf-7) 
+  [[WAF.8] AWS WAF Classic global web ACLs should have at least one rule or rule group](waf-controls.md#waf-8) 
+  [[WAF.10] AWS WAF web ACLs should have at least one rule or rule group](waf-controls.md#waf-10) 
+  [[WAF.12] AWS WAF rules should have CloudWatch metrics enabled](waf-controls.md#waf-12) 
+  [[WorkSpaces.1] WorkSpaces user volumes should be encrypted at rest](workspaces-controls.md#workspaces-1) 
+  [[WorkSpaces.2] WorkSpaces root volumes should be encrypted at rest](workspaces-controls.md#workspaces-2) 

## Asia Pacific (Melbourne)
<a name="securityhub-control-support-apsoutheast4"></a>

The following controls are not supported in the Asia Pacific (Melbourne) Region.
+  [[APIGateway.8] API Gateway routes should specify an authorization type](apigateway-controls.md#apigateway-8) 
+  [[APIGateway.9] Access logging should be configured for API Gateway V2 Stages](apigateway-controls.md#apigateway-9) 
+  [[Amplify.1] Amplify apps should be tagged](amplify-controls.md#amplify-1) 
+  [[Amplify.2] Amplify branches should be tagged](amplify-controls.md#amplify-2) 
+  [[AppFlow.1] Amazon AppFlow flows should be tagged](appflow-controls.md#appflow-1) 
+  [[AppRunner.1] App Runner services should be tagged](apprunner-controls.md#apprunner-1) 
+  [[AppRunner.2] App Runner VPC connectors should be tagged](apprunner-controls.md#apprunner-2) 
+  [[AppSync.1] AWS AppSync API caches should be encrypted at rest](appsync-controls.md#appsync-1) 
+  [[AppSync.2] AWS AppSync should have field-level logging enabled](appsync-controls.md#appsync-2) 
+  [[AppSync.5] AWS AppSync GraphQL APIs should not be authenticated with API keys](appsync-controls.md#appsync-5) 
+  [[AppSync.6] AWS AppSync API caches should be encrypted in transit](appsync-controls.md#appsync-6) 
+  [[Backup.1] AWS Backup recovery points should be encrypted at rest](backup-controls.md#backup-1) 
+  [[Batch.1] Batch job queues should be tagged](batch-controls.md#batch-1) 
+  [[Batch.3] Batch compute environments should be tagged](batch-controls.md#batch-3) 
+  [[Batch.4] Compute resources properties in managed Batch compute environments should be tagged](batch-controls.md#batch-4) 
+  [[CloudFormation.3] CloudFormation stacks should have termination protection enabled](cloudformation-controls.md#cloudformation-3) 
+  [[CloudFormation.4] CloudFormation stacks should have associated service roles](cloudformation-controls.md#cloudformation-4) 
+  [[CloudFront.1] CloudFront distributions should have a default root object configured](cloudfront-controls.md#cloudfront-1) 
+  [[CloudFront.3] CloudFront distributions should require encryption in transit](cloudfront-controls.md#cloudfront-3) 
+  [[CloudFront.4] CloudFront distributions should have origin failover configured](cloudfront-controls.md#cloudfront-4) 
+  [[CloudFront.5] CloudFront distributions should have logging enabled](cloudfront-controls.md#cloudfront-5) 
+  [[CloudFront.6] CloudFront distributions should have WAF enabled](cloudfront-controls.md#cloudfront-6) 
+  [[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates](cloudfront-controls.md#cloudfront-7) 
+  [[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests](cloudfront-controls.md#cloudfront-8) 
+  [[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins](cloudfront-controls.md#cloudfront-9) 
+  [[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins](cloudfront-controls.md#cloudfront-10) 
+  [[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins](cloudfront-controls.md#cloudfront-12) 
+  [[CloudFront.13] CloudFront distributions should use origin access control](cloudfront-controls.md#cloudfront-13) 
+  [[CloudFront.14] CloudFront distributions should be tagged](cloudfront-controls.md#cloudfront-14) 
+  [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](cloudfront-controls.md#cloudfront-15) 
+  [[CloudFront.16] CloudFront distributions should use origin access control for Lambda function URL origins](cloudfront-controls.md#cloudfront-16) 
+  [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](cloudfront-controls.md#cloudfront-17) 
+  [[CodeArtifact.1] CodeArtifact repositories should be tagged](codeartifact-controls.md#codeartifact-1) 
+  [[CodeGuruProfiler.1] CodeGuru Profiler profiling groups should be tagged](codeguruprofiler-controls.md#codeguruprofiler-1) 
+  [[CodeGuruReviewer.1] CodeGuru Reviewer repository associations should be tagged](codegurureviewer-controls.md#codegurureviewer-1) 
+  [[Cognito.1] Cognito user pools should have threat protection activated with full function enforcement mode for standard authentication](cognito-controls.md#cognito-1) 
+  [[Connect.1] Amazon Connect Customer Profiles object types should be tagged](connect-controls.md#connect-1) 
+  [[Connect.2] Amazon Connect instances should have CloudWatch logging enabled](connect-controls.md#connect-2) 
+  [[Detective.1] Detective behavior graphs should be tagged](detective-controls.md#detective-1) 
+  [[DMS.2] DMS certificates should be tagged](dms-controls.md#dms-2) 
+  [[DMS.3] DMS event subscriptions should be tagged](dms-controls.md#dms-3) 
+  [[DMS.4] DMS replication instances should be tagged](dms-controls.md#dms-4) 
+  [[DMS.5] DMS replication subnet groups should be tagged](dms-controls.md#dms-5) 
+  [[DMS.6] DMS replication instances should have automatic minor version upgrade enabled](dms-controls.md#dms-6) 
+  [[DMS.7] DMS replication tasks for the target database should have logging enabled](dms-controls.md#dms-7) 
+  [[DMS.8] DMS replication tasks for the source database should have logging enabled](dms-controls.md#dms-8) 
+  [[DMS.9] DMS endpoints should use SSL](dms-controls.md#dms-9) 
+  [[DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled](dms-controls.md#dms-10) 
+  [[DMS.11] DMS endpoints for MongoDB should have an authentication mechanism enabled](dms-controls.md#dms-11) 
+  [[DMS.12] DMS endpoints for Redis OSS should have TLS enabled](dms-controls.md#dms-12) 
+  [[DMS.13] DMS replication instances should be configured to use multiple Availability Zones](dms-controls.md#dms-13) 
+  [[DocumentDB.1] Amazon DocumentDB clusters should be encrypted at rest](documentdb-controls.md#documentdb-1) 
+  [[DocumentDB.2] Amazon DocumentDB clusters should have an adequate backup retention period](documentdb-controls.md#documentdb-2) 
+  [[DocumentDB.3] Amazon DocumentDB manual cluster snapshots should not be public](documentdb-controls.md#documentdb-3) 
+  [[DocumentDB.4] Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs](documentdb-controls.md#documentdb-4) 
+  [[DocumentDB.5] Amazon DocumentDB clusters should have deletion protection enabled](documentdb-controls.md#documentdb-5) 
+  [[DocumentDB.6] Amazon DocumentDB clusters should be encrypted in transit](documentdb-controls.md#documentdb-6) 
+  [[DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest](dynamodb-controls.md#dynamodb-3) 
+  [[DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit](dynamodb-controls.md#dynamodb-7) 
+  [[EC2.4] Stopped EC2 instances should be removed after a specified time period](ec2-controls.md#ec2-4) 
+  [[EC2.14] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 3389](ec2-controls.md#ec2-14) 
+  [[EC2.22] Unused Amazon EC2 security groups should be removed](ec2-controls.md#ec2-22) 
+  [[EC2.23] Amazon EC2 Transit Gateways should not automatically accept VPC attachment requests](ec2-controls.md#ec2-23) 
+  [[EC2.24] Amazon EC2 paravirtual instance types should not be used](ec2-controls.md#ec2-24) 
+  [[EC2.25] Amazon EC2 launch templates should not assign public IPs to network interfaces](ec2-controls.md#ec2-25) 
+  [[EC2.34] EC2 transit gateway route tables should be tagged](ec2-controls.md#ec2-34) 
+  [[EC2.40] EC2 NAT gateways should be tagged](ec2-controls.md#ec2-40) 
+  [[EC2.58] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager Contacts](ec2-controls.md#ec2-58) 
+  [[EC2.60] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager](ec2-controls.md#ec2-60) 
+  [[EC2.170] EC2 launch templates should use Instance Metadata Service Version 2 (IMDSv2)](ec2-controls.md#ec2-170) 
+  [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](ec2-controls.md#ec2-173) 
+  [[EC2.175] EC2 launch templates should be tagged](ec2-controls.md#ec2-175) 
+  [[EC2.181] EC2 launch templates should enable encryption for attached EBS volumes](ec2-controls.md#ec2-181) 
+  [[ECR.4] ECR public repositories should be tagged](ecr-controls.md#ecr-4) 
+  [[EFS.1] Elastic File System should be configured to encrypt file data at-rest using AWS KMS](efs-controls.md#efs-1) 
+  [[EFS.2] Amazon EFS volumes should be in backup plans](efs-controls.md#efs-2) 
+  [[ELB.14] Classic Load Balancer should be configured with defensive or strictest desync mitigation mode](elb-controls.md#elb-14) 
+  [[ELB.17] Application and Network Load Balancers with listeners should use recommended security policies](elb-controls.md#elb-17) 
+  [[ELB.18] Application and Network Load Balancer listeners should use secure protocols to encrypt data in transit](elb-controls.md#elb-18) 
+  [[ElastiCache.1] ElastiCache (Redis OSS) clusters should have automatic backups enabled](elasticache-controls.md#elasticache-1) 
+  [[ElastiCache.2] ElastiCache clusters should have automatic minor version upgrades enabled](elasticache-controls.md#elasticache-2) 
+  [[ElastiCache.3] ElastiCache replication groups should have automatic failover enabled](elasticache-controls.md#elasticache-3) 
+  [[ElastiCache.4] ElastiCache replication groups should be encrypted at rest](elasticache-controls.md#elasticache-4) 
+  [[ElastiCache.5] ElastiCache replication groups should be encrypted in transit](elasticache-controls.md#elasticache-5) 
+  [[ElastiCache.6] ElastiCache (Redis OSS) replication groups of earlier versions should have Redis OSS AUTH enabled](elasticache-controls.md#elasticache-6) 
+  [[ElastiCache.7] ElastiCache clusters should not use the default subnet group](elasticache-controls.md#elasticache-7) 
+  [[ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled](elasticbeanstalk-controls.md#elasticbeanstalk-1) 
+  [[ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled](elasticbeanstalk-controls.md#elasticbeanstalk-2) 
+  [[ElasticBeanstalk.3] Elastic Beanstalk should stream logs to CloudWatch](elasticbeanstalk-controls.md#elasticbeanstalk-3) 
+  [[EMR.1] Amazon EMR cluster primary nodes should not have public IP addresses](emr-controls.md#emr-1) 
+  [[ES.4] Elasticsearch domain error logging to CloudWatch Logs should be enabled](es-controls.md#es-4) 
+  [[EventBridge.4] EventBridge global endpoints should have event replication enabled](eventbridge-controls.md#eventbridge-4) 
+  [[FraudDetector.1] Amazon Fraud Detector entity types should be tagged](frauddetector-controls.md#frauddetector-1) 
+  [[FraudDetector.2] Amazon Fraud Detector labels should be tagged](frauddetector-controls.md#frauddetector-2) 
+  [[FraudDetector.3] Amazon Fraud Detector outcomes should be tagged](frauddetector-controls.md#frauddetector-3) 
+  [[FraudDetector.4] Amazon Fraud Detector variables should be tagged](frauddetector-controls.md#frauddetector-4) 
+  [[FSx.1] FSx for OpenZFS file systems should be configured to copy tags to backups and volumes](fsx-controls.md#fsx-1) 
+  [[FSx.3] FSx for OpenZFS file systems should be configured for Multi-AZ deployment](fsx-controls.md#fsx-3) 
+  [[GlobalAccelerator.1] Global Accelerator accelerators should be tagged](globalaccelerator-controls.md#globalaccelerator-1) 
+  [[Glue.4] AWS Glue Spark jobs should run on supported versions of AWS Glue](glue-controls.md#glue-4) 
+  [[GuardDuty.2] GuardDuty filters should be tagged](guardduty-controls.md#guardduty-2) 
+  [[IAM.1] IAM policies should not allow full "*" administrative privileges](iam-controls.md#iam-1) 
+  [[IAM.2] IAM users should not have IAM policies attached](iam-controls.md#iam-2) 
+  [[IAM.3] IAM users' access keys should be rotated every 90 days or less](iam-controls.md#iam-3) 
+  [[IAM.5] MFA should be enabled for all IAM users that have a console password](iam-controls.md#iam-5) 
+  [[IAM.6] Hardware MFA should be enabled for the root user](iam-controls.md#iam-6) 
+  [[IAM.8] Unused IAM user credentials should be removed](iam-controls.md#iam-8) 
+  [[IAM.10] Password policies for IAM users should have strong configurations](iam-controls.md#iam-10) 
+  [[IAM.11] Ensure IAM password policy requires at least one uppercase letter](iam-controls.md#iam-11) 
+  [[IAM.12] Ensure IAM password policy requires at least one lowercase letter](iam-controls.md#iam-12) 
+  [[IAM.13] Ensure IAM password policy requires at least one symbol](iam-controls.md#iam-13) 
+  [[IAM.14] Ensure IAM password policy requires at least one number](iam-controls.md#iam-14) 
+  [[IAM.15] Ensure IAM password policy requires minimum password length of 14 or greater](iam-controls.md#iam-15) 
+  [[IAM.16] Ensure IAM password policy prevents password reuse](iam-controls.md#iam-16) 
+  [[IAM.17] Ensure IAM password policy expires passwords within 90 days or less](iam-controls.md#iam-17) 
+  [[IAM.18] Ensure a support role has been created to manage incidents with AWS Support](iam-controls.md#iam-18) 
+  [[IAM.19] MFA should be enabled for all IAM users](iam-controls.md#iam-19) 
+  [[IAM.21] IAM customer managed policies that you create should not allow wildcard actions for services](iam-controls.md#iam-21) 
+  [[IAM.22] IAM user credentials unused for 45 days should be removed](iam-controls.md#iam-22) 
+  [[IAM.24] IAM roles should be tagged](iam-controls.md#iam-24) 
+  [[IAM.25] IAM users should be tagged](iam-controls.md#iam-25) 
+  [[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed](iam-controls.md#iam-26) 
+  [[IAM.27] IAM identities should not have the AWSCloudShellFullAccess policy attached](iam-controls.md#iam-27) 
+  [[Inspector.1] Amazon Inspector EC2 scanning should be enabled](inspector-controls.md#inspector-1) 
+  [[Inspector.2] Amazon Inspector ECR scanning should be enabled](inspector-controls.md#inspector-2) 
+  [[Inspector.3] Amazon Inspector Lambda code scanning should be enabled](inspector-controls.md#inspector-3) 
+  [[Inspector.4] Amazon Inspector Lambda standard scanning should be enabled](inspector-controls.md#inspector-4) 
+  [[IoT.1] AWS IoT Device Defender security profiles should be tagged](iot-controls.md#iot-1) 
+  [[IoT.2] AWS IoT Core mitigation actions should be tagged](iot-controls.md#iot-2) 
+  [[IoT.3] AWS IoT Core dimensions should be tagged](iot-controls.md#iot-3) 
+  [[IoT.4] AWS IoT Core authorizers should be tagged](iot-controls.md#iot-4) 
+  [[IoT.5] AWS IoT Core role aliases should be tagged](iot-controls.md#iot-5) 
+  [[IoT.6] AWS IoT Core policies should be tagged](iot-controls.md#iot-6) 
+  [[IoTEvents.1] AWS IoT Events inputs should be tagged](iotevents-controls.md#iotevents-1) 
+  [[IoTEvents.2] AWS IoT Events detector models should be tagged](iotevents-controls.md#iotevents-2) 
+  [[IoTEvents.3] AWS IoT Events alarm models should be tagged](iotevents-controls.md#iotevents-3) 
+  [[IoTSiteWise.1] AWS IoT SiteWise asset models should be tagged](iotsitewise-controls.md#iotsitewise-1) 
+  [[IoTSiteWise.2] AWS IoT SiteWise dashboards should be tagged](iotsitewise-controls.md#iotsitewise-2) 
+  [[IoTSiteWise.3] AWS IoT SiteWise gateways should be tagged](iotsitewise-controls.md#iotsitewise-3) 
+  [[IoTSiteWise.4] AWS IoT SiteWise portals should be tagged](iotsitewise-controls.md#iotsitewise-4) 
+  [[IoTSiteWise.5] AWS IoT SiteWise projects should be tagged](iotsitewise-controls.md#iotsitewise-5) 
+  [[IoTTwinMaker.1] AWS IoT TwinMaker sync jobs should be tagged](iottwinmaker-controls.md#iottwinmaker-1) 
+  [[IoTTwinMaker.2] AWS IoT TwinMaker workspaces should be tagged](iottwinmaker-controls.md#iottwinmaker-2) 
+  [[IoTTwinMaker.3] AWS IoT TwinMaker scenes should be tagged](iottwinmaker-controls.md#iottwinmaker-3) 
+  [[IoTTwinMaker.4] AWS IoT TwinMaker entities should be tagged](iottwinmaker-controls.md#iottwinmaker-4) 
+  [[IoTWireless.1] AWS IoT Wireless multicast groups should be tagged](iotwireless-controls.md#iotwireless-1) 
+  [[IoTWireless.2] AWS IoT Wireless service profiles should be tagged](iotwireless-controls.md#iotwireless-2) 
+  [[IoTWireless.3] AWS IoT FUOTA tasks should be tagged](iotwireless-controls.md#iotwireless-3) 
+  [[IVS.1] IVS playback key pairs should be tagged](ivs-controls.md#ivs-1) 
+  [[IVS.2] IVS recording configurations should be tagged](ivs-controls.md#ivs-2) 
+  [[IVS.3] IVS channels should be tagged](ivs-controls.md#ivs-3) 
+  [[Keyspaces.1] Amazon Keyspaces keyspaces should be tagged](keyspaces-controls.md#keyspaces-1) 
+  [[Kinesis.1] Kinesis streams should be encrypted at rest](kinesis-controls.md#kinesis-1) 
+  [[KMS.1] IAM customer managed policies should not allow decryption actions on all KMS keys](kms-controls.md#kms-1) 
+  [[KMS.2] IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys](kms-controls.md#kms-2) 
+  [[Macie.1] Amazon Macie should be enabled](macie-controls.md#macie-1) 
+  [[Macie.2] Macie automated sensitive data discovery should be enabled](macie-controls.md#macie-2) 
+  [[MQ.6] RabbitMQ brokers should use cluster deployment mode](mq-controls.md#mq-6) 
+  [[MSK.3] MSK Connect connectors should be encrypted in transit](msk-controls.md#msk-3) 
+  [[MSK.5] MSK connectors should have logging enabled](msk-controls.md#msk-5) 
+  [[Neptune.1] Neptune DB clusters should be encrypted at rest](neptune-controls.md#neptune-1) 
+  [[Neptune.2] Neptune DB clusters should publish audit logs to CloudWatch Logs](neptune-controls.md#neptune-2) 
+  [[Neptune.3] Neptune DB cluster snapshots should not be public](neptune-controls.md#neptune-3) 
+  [[Neptune.4] Neptune DB clusters should have deletion protection enabled](neptune-controls.md#neptune-4) 
+  [[Neptune.5] Neptune DB clusters should have automated backups enabled](neptune-controls.md#neptune-5) 
+  [[Neptune.6] Neptune DB cluster snapshots should be encrypted at rest](neptune-controls.md#neptune-6) 
+  [[Neptune.7] Neptune DB clusters should have IAM database authentication enabled](neptune-controls.md#neptune-7) 
+  [[Neptune.8] Neptune DB clusters should be configured to copy tags to snapshots](neptune-controls.md#neptune-8) 
+  [[Neptune.9] Neptune DB clusters should be deployed across multiple Availability Zones](neptune-controls.md#neptune-9) 
+  [[Opensearch.1] OpenSearch domains should have encryption at rest enabled](opensearch-controls.md#opensearch-1) 
+  [[Opensearch.2] OpenSearch domains should not be publicly accessible](opensearch-controls.md#opensearch-2) 
+  [[Opensearch.3] OpenSearch domains should encrypt data sent between nodes](opensearch-controls.md#opensearch-3) 
+  [[Opensearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled](opensearch-controls.md#opensearch-4) 
+  [[Opensearch.5] OpenSearch domains should have audit logging enabled](opensearch-controls.md#opensearch-5) 
+  [[Opensearch.6] OpenSearch domains should have at least three data nodes](opensearch-controls.md#opensearch-6) 
+  [[Opensearch.7] OpenSearch domains should have fine-grained access control enabled](opensearch-controls.md#opensearch-7) 
+  [[Opensearch.8] Connections to OpenSearch domains should be encrypted using the latest TLS security policy](opensearch-controls.md#opensearch-8) 
+  [[Opensearch.9] OpenSearch domains should be tagged](opensearch-controls.md#opensearch-9) 
+  [[Opensearch.10] OpenSearch domains should have the latest software update installed](opensearch-controls.md#opensearch-10) 
+  [[Opensearch.11] OpenSearch domains should have at least three dedicated primary nodes](opensearch-controls.md#opensearch-11) 
+  [[RDS.1] RDS snapshot should be private](rds-controls.md#rds-1) 
+  [[RDS.14] Amazon Aurora clusters should have backtracking enabled](rds-controls.md#rds-14) 
+  [[RDS.31] RDS DB security groups should be tagged](rds-controls.md#rds-31) 
+  [[RDS.35] RDS DB clusters should have automatic minor version upgrade enabled](rds-controls.md#rds-35) 
+  [[RDS.37] Aurora PostgreSQL DB clusters should publish logs to CloudWatch Logs](rds-controls.md#rds-37) 
+  [[RedshiftServerless.1] Amazon Redshift Serverless workgroups should use enhanced VPC routing](redshiftserverless-controls.md#redshiftserverless-1) 
+  [[RedshiftServerless.2] Connections to Redshift Serverless workgroups should be required to use SSL](redshiftserverless-controls.md#redshiftserverless-2) 
+  [[RedshiftServerless.3] Redshift Serverless workgroups should prohibit public access](redshiftserverless-controls.md#redshiftserverless-3) 
+  [[RedshiftServerless.4] Redshift Serverless namespaces should be encrypted with customer managed AWS KMS keys](redshiftserverless-controls.md#redshiftserverless-4) 
+  [[RedshiftServerless.5] Redshift Serverless namespaces should not use the default admin username](redshiftserverless-controls.md#redshiftserverless-5) 
+  [[RedshiftServerless.6] Redshift Serverless namespaces should export logs to CloudWatch Logs](redshiftserverless-controls.md#redshiftserverless-6) 
+  [[Route53.1] Route 53 health checks should be tagged](route53-controls.md#route53-1) 
+  [[Route53.2] Route 53 public hosted zones should log DNS queries](route53-controls.md#route53-2) 
+  [[S3.24] S3 Multi-Region Access Points should have block public access settings enabled](s3-controls.md#s3-24) 
+  [[S3.25] S3 directory buckets should have lifecycle configurations](s3-controls.md#s3-25) 
+  [[SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access](sagemaker-controls.md#sagemaker-1) 
+  [[SageMaker.2] SageMaker notebook instances should be launched in a custom VPC](sagemaker-controls.md#sagemaker-2) 
+  [[SageMaker.3] Users should not have root access to SageMaker notebook instances](sagemaker-controls.md#sagemaker-3) 
+  [[SageMaker.5] SageMaker models should have network isolation enabled](sagemaker-controls.md#sagemaker-5) 
+  [[SageMaker.6] SageMaker app image configurations should be tagged](sagemaker-controls.md#sagemaker-6) 
+  [[SageMaker.7] SageMaker images should be tagged](sagemaker-controls.md#sagemaker-7) 
+  [[SageMaker.8] SageMaker notebook instances should run on supported platforms](sagemaker-controls.md#sagemaker-8) 
+  [[SageMaker.9] SageMaker data quality job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-9) 
+  [[SageMaker.10] SageMaker model explainability job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-10) 
+  [[SageMaker.11] SageMaker data quality job definitions should have network isolation enabled](sagemaker-controls.md#sagemaker-11) 
+  [[SageMaker.12] SageMaker model bias job definitions should have network isolation enabled](sagemaker-controls.md#sagemaker-12) 
+  [[SageMaker.13] SageMaker model quality job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-13) 
+  [[SageMaker.14] SageMaker monitoring schedules should have network isolation enabled](sagemaker-controls.md#sagemaker-14) 
+  [[SageMaker.15] SageMaker model bias job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-15) 
+  [[SES.1] SES contact lists should be tagged](ses-controls.md#ses-1) 
+  [[SES.2] SES configuration sets should be tagged](ses-controls.md#ses-2) 
+  [[SES.3] SES configuration sets should have TLS enabled for sending emails](ses-controls.md#ses-3) 
+  [[SQS.1] Amazon SQS queues should be encrypted at rest](sqs-controls.md#sqs-1) 
+  [[SQS.2] SQS queues should be tagged](sqs-controls.md#sqs-2) 
+  [[SQS.3] SQS queue access policies should not allow public access](sqs-controls.md#sqs-3) 
+  [[SSM.4] SSM documents should not be public](ssm-controls.md#ssm-4) 
+  [[SSM.7] SSM documents should have the block public sharing setting enabled](ssm-controls.md#ssm-7) 
+  [[StepFunctions.1] Step Functions state machines should have logging turned on](stepfunctions-controls.md#stepfunctions-1) 
+  [[Transfer.3] Transfer Family connectors should have logging enabled](transfer-controls.md#transfer-3) 
+  [[Transfer.4] Transfer Family agreements should be tagged](transfer-controls.md#transfer-4) 
+  [[WAF.1] AWS WAF Classic Global Web ACL logging should be enabled](waf-controls.md#waf-1) 
+  [[WAF.6] AWS WAF Classic global rules should have at least one condition](waf-controls.md#waf-6) 
+  [[WAF.7] AWS WAF Classic global rule groups should have at least one rule](waf-controls.md#waf-7) 
+  [[WAF.8] AWS WAF Classic global web ACLs should have at least one rule or rule group](waf-controls.md#waf-8) 
+  [[WorkSpaces.1] WorkSpaces user volumes should be encrypted at rest](workspaces-controls.md#workspaces-1) 
+  [[WorkSpaces.2] WorkSpaces root volumes should be encrypted at rest](workspaces-controls.md#workspaces-2) 

## Asia Pacific (Mumbai)
<a name="securityhub-control-support-apsouth1"></a>

The following controls are not supported in the Asia Pacific (Mumbai) Region.
+  [[AppSync.1] AWS AppSync API caches should be encrypted at rest](appsync-controls.md#appsync-1) 
+  [[AppSync.6] AWS AppSync API caches should be encrypted in transit](appsync-controls.md#appsync-6) 
+  [[CloudFront.1] CloudFront distributions should have a default root object configured](cloudfront-controls.md#cloudfront-1) 
+  [[CloudFront.3] CloudFront distributions should require encryption in transit](cloudfront-controls.md#cloudfront-3) 
+  [[CloudFront.4] CloudFront distributions should have origin failover configured](cloudfront-controls.md#cloudfront-4) 
+  [[CloudFront.5] CloudFront distributions should have logging enabled](cloudfront-controls.md#cloudfront-5) 
+  [[CloudFront.6] CloudFront distributions should have WAF enabled](cloudfront-controls.md#cloudfront-6) 
+  [[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates](cloudfront-controls.md#cloudfront-7) 
+  [[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests](cloudfront-controls.md#cloudfront-8) 
+  [[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins](cloudfront-controls.md#cloudfront-9) 
+  [[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins](cloudfront-controls.md#cloudfront-10) 
+  [[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins](cloudfront-controls.md#cloudfront-12) 
+  [[CloudFront.13] CloudFront distributions should use origin access control](cloudfront-controls.md#cloudfront-13) 
+  [[CloudFront.14] CloudFront distributions should be tagged](cloudfront-controls.md#cloudfront-14) 
+  [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](cloudfront-controls.md#cloudfront-15) 
+  [[CloudFront.16] CloudFront distributions should use origin access control for Lambda function URL origins](cloudfront-controls.md#cloudfront-16) 
+  [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](cloudfront-controls.md#cloudfront-17) 
+  [[CodeGuruProfiler.1] CodeGuru Profiler profiling groups should be tagged](codeguruprofiler-controls.md#codeguruprofiler-1) 
+  [[CodeGuruReviewer.1] CodeGuru Reviewer repository associations should be tagged](codegurureviewer-controls.md#codegurureviewer-1) 
+  [[Connect.1] Amazon Connect Customer Profiles object types should be tagged](connect-controls.md#connect-1) 
+  [[Connect.2] Amazon Connect instances should have CloudWatch logging enabled](connect-controls.md#connect-2) 
+  [[EC2.24] Amazon EC2 paravirtual instance types should not be used](ec2-controls.md#ec2-24) 
+  [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](ec2-controls.md#ec2-173) 
+  [[ECR.4] ECR public repositories should be tagged](ecr-controls.md#ecr-4) 
+  [[FraudDetector.1] Amazon Fraud Detector entity types should be tagged](frauddetector-controls.md#frauddetector-1) 
+  [[FraudDetector.2] Amazon Fraud Detector labels should be tagged](frauddetector-controls.md#frauddetector-2) 
+  [[FraudDetector.3] Amazon Fraud Detector outcomes should be tagged](frauddetector-controls.md#frauddetector-3) 
+  [[FraudDetector.4] Amazon Fraud Detector variables should be tagged](frauddetector-controls.md#frauddetector-4) 
+  [[GlobalAccelerator.1] Global Accelerator accelerators should be tagged](globalaccelerator-controls.md#globalaccelerator-1) 
+  [[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed](iam-controls.md#iam-26) 
+  [[Inspector.3] Amazon Inspector Lambda code scanning should be enabled](inspector-controls.md#inspector-3) 
+  [[IoTTwinMaker.4] AWS IoT TwinMaker entities should be tagged](iottwinmaker-controls.md#iottwinmaker-4) 
+  [[IoTWireless.1] AWS IoT Wireless multicast groups should be tagged](iotwireless-controls.md#iotwireless-1) 
+  [[IoTWireless.2] AWS IoT Wireless service profiles should be tagged](iotwireless-controls.md#iotwireless-2) 
+  [[IoTWireless.3] AWS IoT FUOTA tasks should be tagged](iotwireless-controls.md#iotwireless-3) 
+  [[RDS.31] RDS DB security groups should be tagged](rds-controls.md#rds-31) 
+  [[Route53.1] Route 53 health checks should be tagged](route53-controls.md#route53-1) 
+  [[Route53.2] Route 53 public hosted zones should log DNS queries](route53-controls.md#route53-2) 
+  [[S3.24] S3 Multi-Region Access Points should have block public access settings enabled](s3-controls.md#s3-24) 
+  [[WAF.1] AWS WAF Classic Global Web ACL logging should be enabled](waf-controls.md#waf-1) 
+  [[WAF.6] AWS WAF Classic global rules should have at least one condition](waf-controls.md#waf-6) 
+  [[WAF.7] AWS WAF Classic global rule groups should have at least one rule](waf-controls.md#waf-7) 
+  [[WAF.8] AWS WAF Classic global web ACLs should have at least one rule or rule group](waf-controls.md#waf-8) 

## Asia Pacific (New Zealand)
<a name="securityhub-control-support-apsoutheast6"></a>

The following controls are not supported in the Asia Pacific (New Zealand) Region.
+  [[ACM.1] Imported and ACM-issued certificates should be renewed after a specified time period](acm-controls.md#acm-1) 
+  [[ACM.2] RSA certificates managed by ACM should use a key length of at least 2,048 bits](acm-controls.md#acm-2) 
+  [[Account.1] Security contact information should be provided for an AWS account](account-controls.md#account-1) 
+  [[Account.2] AWS accounts should be part of an AWS Organizations organization](account-controls.md#account-2) 
+  [[APIGateway.1] API Gateway REST and WebSocket API execution logging should be enabled](apigateway-controls.md#apigateway-1) 
+  [[APIGateway.2] API Gateway REST API stages should be configured to use SSL certificates for backend authentication](apigateway-controls.md#apigateway-2) 
+  [[APIGateway.3] API Gateway REST API stages should have AWS X-Ray tracing enabled](apigateway-controls.md#apigateway-3) 
+  [[APIGateway.4] API Gateway should be associated with a WAF Web ACL](apigateway-controls.md#apigateway-4) 
+  [[APIGateway.5] API Gateway REST API cache data should be encrypted at rest](apigateway-controls.md#apigateway-5) 
+  [[APIGateway.8] API Gateway routes should specify an authorization type](apigateway-controls.md#apigateway-8) 
+  [[APIGateway.9] Access logging should be configured for API Gateway V2 Stages](apigateway-controls.md#apigateway-9) 
+  [[APIGateway.10] API Gateway V2 integrations should use HTTPS for private connections](apigateway-controls.md#apigateway-10) 
+  [[Amplify.1] Amplify apps should be tagged](amplify-controls.md#amplify-1) 
+  [[Amplify.2] Amplify branches should be tagged](amplify-controls.md#amplify-2) 
+  [[AppConfig.1] AWS AppConfig applications should be tagged](appconfig-controls.md#appconfig-1) 
+  [[AppConfig.2] AWS AppConfig configuration profiles should be tagged](appconfig-controls.md#appconfig-2) 
+  [[AppConfig.3] AWS AppConfig environments should be tagged](appconfig-controls.md#appconfig-3) 
+  [[AppConfig.4] AWS AppConfig extension associations should be tagged](appconfig-controls.md#appconfig-4) 
+  [[AppFlow.1] Amazon AppFlow flows should be tagged](appflow-controls.md#appflow-1) 
+  [[AppRunner.1] App Runner services should be tagged](apprunner-controls.md#apprunner-1) 
+  [[AppRunner.2] App Runner VPC connectors should be tagged](apprunner-controls.md#apprunner-2) 
+  [[AppSync.1] AWS AppSync API caches should be encrypted at rest](appsync-controls.md#appsync-1) 
+  [[AppSync.2] AWS AppSync should have field-level logging enabled](appsync-controls.md#appsync-2) 
+  [[AppSync.4] AWS AppSync GraphQL APIs should be tagged](appsync-controls.md#appsync-4) 
+  [[AppSync.5] AWS AppSync GraphQL APIs should not be authenticated with API keys](appsync-controls.md#appsync-5) 
+  [[AppSync.6] AWS AppSync API caches should be encrypted in transit](appsync-controls.md#appsync-6) 
+  [[Athena.2] Athena data catalogs should be tagged](athena-controls.md#athena-2) 
+  [[Athena.3] Athena workgroups should be tagged](athena-controls.md#athena-3) 
+  [[Athena.4] Athena workgroups should have logging enabled](athena-controls.md#athena-4) 
+  [[AutoScaling.2] Amazon EC2 Auto Scaling group should cover multiple Availability Zones](autoscaling-controls.md#autoscaling-2) 
+  [[AutoScaling.3] Auto Scaling group launch configurations should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2)](autoscaling-controls.md#autoscaling-3) 
+  [[AutoScaling.6] Auto Scaling groups should use multiple instance types in multiple Availability Zones](autoscaling-controls.md#autoscaling-6) 
+  [[AutoScaling.9] Amazon EC2 Auto Scaling groups should use Amazon EC2 launch templates](autoscaling-controls.md#autoscaling-9) 
+  [[Backup.1] AWS Backup recovery points should be encrypted at rest](backup-controls.md#backup-1) 
+  [[Backup.2] AWS Backup recovery points should be tagged](backup-controls.md#backup-2) 
+  [[Backup.4] AWS Backup report plans should be tagged](backup-controls.md#backup-4) 
+  [[Batch.1] Batch job queues should be tagged](batch-controls.md#batch-1) 
+  [[Batch.2] Batch scheduling policies should be tagged](batch-controls.md#batch-2) 
+  [[Batch.3] Batch compute environments should be tagged](batch-controls.md#batch-3) 
+  [[Batch.4] Compute resources properties in managed Batch compute environments should be tagged](batch-controls.md#batch-4) 
+  [[CloudFormation.3] CloudFormation stacks should have termination protection enabled](cloudformation-controls.md#cloudformation-3) 
+  [[CloudFormation.4] CloudFormation stacks should have associated service roles](cloudformation-controls.md#cloudformation-4) 
+  [[CloudFront.1] CloudFront distributions should have a default root object configured](cloudfront-controls.md#cloudfront-1) 
+  [[CloudFront.3] CloudFront distributions should require encryption in transit](cloudfront-controls.md#cloudfront-3) 
+  [[CloudFront.4] CloudFront distributions should have origin failover configured](cloudfront-controls.md#cloudfront-4) 
+  [[CloudFront.5] CloudFront distributions should have logging enabled](cloudfront-controls.md#cloudfront-5) 
+  [[CloudFront.6] CloudFront distributions should have WAF enabled](cloudfront-controls.md#cloudfront-6) 
+  [[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates](cloudfront-controls.md#cloudfront-7) 
+  [[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests](cloudfront-controls.md#cloudfront-8) 
+  [[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins](cloudfront-controls.md#cloudfront-9) 
+  [[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins](cloudfront-controls.md#cloudfront-10) 
+  [[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins](cloudfront-controls.md#cloudfront-12) 
+  [[CloudFront.13] CloudFront distributions should use origin access control](cloudfront-controls.md#cloudfront-13) 
+  [[CloudFront.14] CloudFront distributions should be tagged](cloudfront-controls.md#cloudfront-14) 
+  [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](cloudfront-controls.md#cloudfront-15) 
+  [[CloudFront.16] CloudFront distributions should use origin access control for Lambda function URL origins](cloudfront-controls.md#cloudfront-16) 
+  [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](cloudfront-controls.md#cloudfront-17) 
+  [[CloudTrail.6] Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible](cloudtrail-controls.md#cloudtrail-6) 
+  [[CloudTrail.7] Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket](cloudtrail-controls.md#cloudtrail-7) 
+  [[CloudTrail.10] CloudTrail Lake event data stores should be encrypted with customer managed AWS KMS keys](cloudtrail-controls.md#cloudtrail-10) 
+  [[CloudWatch.17] CloudWatch alarm actions should be activated](cloudwatch-controls.md#cloudwatch-17) 
+  [[CodeArtifact.1] CodeArtifact repositories should be tagged](codeartifact-controls.md#codeartifact-1) 
+  [[CodeBuild.1] CodeBuild Bitbucket source repository URLs should not contain sensitive credentials](codebuild-controls.md#codebuild-1) 
+  [[CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials](codebuild-controls.md#codebuild-2) 
+  [[CodeBuild.3] CodeBuild S3 logs should be encrypted](codebuild-controls.md#codebuild-3) 
+  [[CodeBuild.4] CodeBuild project environments should have a logging AWS Configuration](codebuild-controls.md#codebuild-4) 
+  [[CodeBuild.7] CodeBuild report group exports should be encrypted at rest](codebuild-controls.md#codebuild-7) 
+  [[CodeGuruProfiler.1] CodeGuru Profiler profiling groups should be tagged](codeguruprofiler-controls.md#codeguruprofiler-1) 
+  [[CodeGuruReviewer.1] CodeGuru Reviewer repository associations should be tagged](codegurureviewer-controls.md#codegurureviewer-1) 
+  [[Cognito.1] Cognito user pools should have threat protection activated with full function enforcement mode for standard authentication](cognito-controls.md#cognito-1) 
+  [[Cognito.2] Cognito identity pools should not allow unauthenticated identities](cognito-controls.md#cognito-2) 
+  [[Cognito.3] Password policies for Cognito user pools should have strong configurations](cognito-controls.md#cognito-3) 
+  [[Cognito.4] Cognito user pools should have threat protection activated with full function enforcement mode for custom authentication](cognito-controls.md#cognito-4) 
+  [[Cognito.5] MFA should be enabled for Cognito user pools](cognito-controls.md#cognito-5) 
+  [[Cognito.6] Cognito user pools should have deletion protection enabled](cognito-controls.md#cognito-6) 
+  [[Connect.1] Amazon Connect Customer Profiles object types should be tagged](connect-controls.md#connect-1) 
+  [[Connect.2] Amazon Connect instances should have CloudWatch logging enabled](connect-controls.md#connect-2) 
+  [[DataFirehose.1] Firehose delivery streams should be encrypted at rest](datafirehose-controls.md#datafirehose-1) 
+  [[DataSync.1] DataSync tasks should have logging enabled](datasync-controls.md#datasync-1) 
+  [[DataSync.2] DataSync tasks should be tagged](datasync-controls.md#datasync-2) 
+  [[Detective.1] Detective behavior graphs should be tagged](detective-controls.md#detective-1) 
+  [[DMS.2] DMS certificates should be tagged](dms-controls.md#dms-2) 
+  [[DMS.3] DMS event subscriptions should be tagged](dms-controls.md#dms-3) 
+  [[DMS.4] DMS replication instances should be tagged](dms-controls.md#dms-4) 
+  [[DMS.5] DMS replication subnet groups should be tagged](dms-controls.md#dms-5) 
+  [[DMS.6] DMS replication instances should have automatic minor version upgrade enabled](dms-controls.md#dms-6) 
+  [[DMS.7] DMS replication tasks for the target database should have logging enabled](dms-controls.md#dms-7) 
+  [[DMS.8] DMS replication tasks for the source database should have logging enabled](dms-controls.md#dms-8) 
+  [[DMS.9] DMS endpoints should use SSL](dms-controls.md#dms-9) 
+  [[DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled](dms-controls.md#dms-10) 
+  [[DMS.11] DMS endpoints for MongoDB should have an authentication mechanism enabled](dms-controls.md#dms-11) 
+  [[DMS.12] DMS endpoints for Redis OSS should have TLS enabled](dms-controls.md#dms-12) 
+  [[DMS.13] DMS replication instances should be configured to use multiple Availability Zones](dms-controls.md#dms-13) 
+  [[DocumentDB.1] Amazon DocumentDB clusters should be encrypted at rest](documentdb-controls.md#documentdb-1) 
+  [[DocumentDB.2] Amazon DocumentDB clusters should have an adequate backup retention period](documentdb-controls.md#documentdb-2) 
+  [[DocumentDB.3] Amazon DocumentDB manual cluster snapshots should not be public](documentdb-controls.md#documentdb-3) 
+  [[DocumentDB.4] Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs](documentdb-controls.md#documentdb-4) 
+  [[DocumentDB.5] Amazon DocumentDB clusters should have deletion protection enabled](documentdb-controls.md#documentdb-5) 
+  [[DocumentDB.6] Amazon DocumentDB clusters should be encrypted in transit](documentdb-controls.md#documentdb-6) 
+  [[DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest](dynamodb-controls.md#dynamodb-3) 
+  [[DynamoDB.4] DynamoDB tables should be present in a backup plan](dynamodb-controls.md#dynamodb-4) 
+  [[DynamoDB.6] DynamoDB tables should have deletion protection enabled](dynamodb-controls.md#dynamodb-6) 
+  [[DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit](dynamodb-controls.md#dynamodb-7) 
+  [[EC2.4] Stopped EC2 instances should be removed after a specified time period](ec2-controls.md#ec2-4) 
+  [[EC2.21] Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389](ec2-controls.md#ec2-21) 
+  [[EC2.22] Unused Amazon EC2 security groups should be removed](ec2-controls.md#ec2-22) 
+  [[EC2.23] Amazon EC2 Transit Gateways should not automatically accept VPC attachment requests](ec2-controls.md#ec2-23) 
+  [[EC2.24] Amazon EC2 paravirtual instance types should not be used](ec2-controls.md#ec2-24) 
+  [[EC2.25] Amazon EC2 launch templates should not assign public IPs to network interfaces](ec2-controls.md#ec2-25) 
+  [[EC2.28] EBS volumes should be covered by a backup plan](ec2-controls.md#ec2-28) 
+  [[EC2.34] EC2 transit gateway route tables should be tagged](ec2-controls.md#ec2-34) 
+  [[EC2.40] EC2 NAT gateways should be tagged](ec2-controls.md#ec2-40) 
+  [[EC2.51] EC2 Client VPN endpoints should have client connection logging enabled](ec2-controls.md#ec2-51) 
+  [[EC2.53] EC2 security groups should not allow ingress from 0.0.0.0/0 to remote server administration ports](ec2-controls.md#ec2-53) 
+  [[EC2.54] EC2 security groups should not allow ingress from ::/0 to remote server administration ports](ec2-controls.md#ec2-54) 
+  [[EC2.55] VPCs should be configured with an interface endpoint for ECR API](ec2-controls.md#ec2-55) 
+  [[EC2.56] VPCs should be configured with an interface endpoint for Docker Registry](ec2-controls.md#ec2-56) 
+  [[EC2.57] VPCs should be configured with an interface endpoint for Systems Manager](ec2-controls.md#ec2-57) 
+  [[EC2.58] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager Contacts](ec2-controls.md#ec2-58) 
+  [[EC2.60] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager](ec2-controls.md#ec2-60) 
+  [[EC2.170] EC2 launch templates should use Instance Metadata Service Version 2 (IMDSv2)](ec2-controls.md#ec2-170) 
+  [[EC2.171] EC2 VPN connections should have logging enabled](ec2-controls.md#ec2-171) 
+  [[EC2.172] EC2 VPC Block Public Access settings should block internet gateway traffic](ec2-controls.md#ec2-172) 
+  [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](ec2-controls.md#ec2-173) 
+  [[EC2.174] EC2 DHCP option sets should be tagged](ec2-controls.md#ec2-174) 
+  [[EC2.175] EC2 launch templates should be tagged](ec2-controls.md#ec2-175) 
+  [[EC2.176] EC2 prefix lists should be tagged](ec2-controls.md#ec2-176) 
+  [[EC2.177] EC2 traffic mirror sessions should be tagged](ec2-controls.md#ec2-177) 
+  [[EC2.178] EC2 traffic mirror filters should be tagged](ec2-controls.md#ec2-178) 
+  [[EC2.179] EC2 traffic mirror targets should be tagged](ec2-controls.md#ec2-179) 
+  [[EC2.180] EC2 network interfaces should have source/destination checking enabled](ec2-controls.md#ec2-180) 
+  [[EC2.181] EC2 launch templates should enable encryption for attached EBS volumes](ec2-controls.md#ec2-181) 
+  [[EC2.182] Block public access settings should be enabled for Amazon EBS snapshots](ec2-controls.md#ec2-182) 
+  [[ECR.1] ECR private repositories should have image scanning configured](ecr-controls.md#ecr-1) 
+  [[ECR.2] ECR private repositories should have tag immutability configured](ecr-controls.md#ecr-2) 
+  [[ECR.3] ECR repositories should have at least one lifecycle policy configured](ecr-controls.md#ecr-3) 
+  [[ECR.4] ECR public repositories should be tagged](ecr-controls.md#ecr-4) 
+  [[ECR.5] ECR repositories should be encrypted with customer managed AWS KMS keys](ecr-controls.md#ecr-5) 
+  [[ECS.3] ECS task definitions should not share the host's process namespace](ecs-controls.md#ecs-3) 
+  [[ECS.4] ECS containers should run as non-privileged](ecs-controls.md#ecs-4) 
+  [[ECS.5] ECS task definitions should configure containers to be limited to read-only access to root filesystems](ecs-controls.md#ecs-5) 
+  [[ECS.8] Secrets should not be passed as container environment variables](ecs-controls.md#ecs-8) 
+  [[ECS.9] ECS task definitions should have a logging configuration](ecs-controls.md#ecs-9) 
+  [[ECS.10] ECS Fargate services should run on the latest Fargate platform version](ecs-controls.md#ecs-10) 
+  [[ECS.12] ECS clusters should use Container Insights](ecs-controls.md#ecs-12) 
+  [[ECS.16] ECS task sets should not automatically assign public IP addresses](ecs-controls.md#ecs-16) 
+  [[ECS.17] ECS task definitions should not use host network mode](ecs-controls.md#ecs-17) 
+  [[ECS.18] ECS Task Definitions should use in-transit encryption for EFS volumes](ecs-controls.md#ecs-18) 
+  [[ECS.19] ECS capacity providers should have managed termination protection enabled](ecs-controls.md#ecs-19) 
+  [[ECS.20] ECS Task Definitions should configure non-root users in Linux container definitions](ecs-controls.md#ecs-20) 
+  [[ECS.21] ECS Task Definitions should configure non-administrator users in Windows container definitions](ecs-controls.md#ecs-21) 
+  [[EFS.1] Elastic File System should be configured to encrypt file data at-rest using AWS KMS](efs-controls.md#efs-1) 
+  [[EFS.2] Amazon EFS volumes should be in backup plans](efs-controls.md#efs-2) 
+  [[EFS.3] EFS access points should enforce a root directory](efs-controls.md#efs-3) 
+  [[EFS.4] EFS access points should enforce a user identity](efs-controls.md#efs-4) 
+  [[EFS.6] EFS mount targets should not be associated with subnets that assign public IP addresses on launch](efs-controls.md#efs-6) 
+  [[EFS.7] EFS file systems should have automatic backups enabled](efs-controls.md#efs-7) 
+  [[EFS.8] EFS file systems should be encrypted at rest](efs-controls.md#efs-8) 
+  [[EKS.2] EKS clusters should run on a supported Kubernetes version](eks-controls.md#eks-2) 
+  [[EKS.3] EKS clusters should use encrypted Kubernetes secrets](eks-controls.md#eks-3) 
+  [[EKS.7] EKS identity provider configurations should be tagged](eks-controls.md#eks-7) 
+  [[EKS.8] EKS clusters should have audit logging enabled](eks-controls.md#eks-8) 
+  [[ELB.2] Classic Load Balancers with SSL/HTTPS listeners should use a certificate provided by AWS Certificate Manager](elb-controls.md#elb-2) 
+  [[ELB.10] Classic Load Balancer should span multiple Availability Zones](elb-controls.md#elb-10) 
+  [[ELB.12] Application Load Balancer should be configured with defensive or strictest desync mitigation mode](elb-controls.md#elb-12) 
+  [[ELB.13] Application, Network and Gateway Load Balancers should span multiple Availability Zones](elb-controls.md#elb-13) 
+  [[ELB.14] Classic Load Balancer should be configured with defensive or strictest desync mitigation mode](elb-controls.md#elb-14) 
+  [[ELB.16] Application Load Balancers should be associated with an AWS WAF web ACL](elb-controls.md#elb-16) 
+  [[ELB.17] Application and Network Load Balancers with listeners should use recommended security policies](elb-controls.md#elb-17) 
+  [[ELB.18] Application and Network Load Balancer listeners should use secure protocols to encrypt data in transit](elb-controls.md#elb-18) 
+  [[ELB.21] Application and Network Load Balancer target groups should use encrypted health check protocols](elb-controls.md#elb-21) 
+  [[ELB.22] ELB target groups should use encrypted transport protocols](elb-controls.md#elb-22) 
+  [[ElastiCache.1] ElastiCache (Redis OSS) clusters should have automatic backups enabled](elasticache-controls.md#elasticache-1) 
+  [[ElastiCache.2] ElastiCache clusters should have automatic minor version upgrades enabled](elasticache-controls.md#elasticache-2) 
+  [[ElastiCache.3] ElastiCache replication groups should have automatic failover enabled](elasticache-controls.md#elasticache-3) 
+  [[ElastiCache.4] ElastiCache replication groups should be encrypted at rest](elasticache-controls.md#elasticache-4) 
+  [[ElastiCache.5] ElastiCache replication groups should be encrypted in transit](elasticache-controls.md#elasticache-5) 
+  [[ElastiCache.6] ElastiCache (Redis OSS) replication groups of earlier versions should have Redis OSS AUTH enabled](elasticache-controls.md#elasticache-6) 
+  [[ElastiCache.7] ElastiCache clusters should not use the default subnet group](elasticache-controls.md#elasticache-7) 
+  [[ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled](elasticbeanstalk-controls.md#elasticbeanstalk-1) 
+  [[ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled](elasticbeanstalk-controls.md#elasticbeanstalk-2) 
+  [[ElasticBeanstalk.3] Elastic Beanstalk should stream logs to CloudWatch](elasticbeanstalk-controls.md#elasticbeanstalk-3) 
+  [[EMR.1] Amazon EMR cluster primary nodes should not have public IP addresses](emr-controls.md#emr-1) 
+  [[EMR.2] Amazon EMR block public access setting should be enabled](emr-controls.md#emr-2) 
+  [[EMR.3] Amazon EMR security configurations should be encrypted at rest](emr-controls.md#emr-3) 
+  [[EMR.4] Amazon EMR security configurations should be encrypted in transit](emr-controls.md#emr-4) 
+  [[ES.3] Elasticsearch domains should encrypt data sent between nodes](es-controls.md#es-3) 
+  [[ES.4] Elasticsearch domain error logging to CloudWatch Logs should be enabled](es-controls.md#es-4) 
+  [[ES.9] Elasticsearch domains should be tagged](es-controls.md#es-9) 
+  [[EventBridge.3] EventBridge custom event buses should have a resource-based policy attached](eventbridge-controls.md#eventbridge-3) 
+  [[EventBridge.4] EventBridge global endpoints should have event replication enabled](eventbridge-controls.md#eventbridge-4) 
+  [[FraudDetector.1] Amazon Fraud Detector entity types should be tagged](frauddetector-controls.md#frauddetector-1) 
+  [[FraudDetector.2] Amazon Fraud Detector labels should be tagged](frauddetector-controls.md#frauddetector-2) 
+  [[FraudDetector.3] Amazon Fraud Detector outcomes should be tagged](frauddetector-controls.md#frauddetector-3) 
+  [[FraudDetector.4] Amazon Fraud Detector variables should be tagged](frauddetector-controls.md#frauddetector-4) 
+  [[FSx.1] FSx for OpenZFS file systems should be configured to copy tags to backups and volumes](fsx-controls.md#fsx-1) 
+  [[FSx.2] FSx for Lustre file systems should be configured to copy tags to backups](fsx-controls.md#fsx-2) 
+  [[FSx.3] FSx for OpenZFS file systems should be configured for Multi-AZ deployment](fsx-controls.md#fsx-3) 
+  [[FSx.4] FSx for NetApp ONTAP file systems should be configured for Multi-AZ deployment](fsx-controls.md#fsx-4) 
+  [[FSx.5] FSx for Windows File Server file systems should be configured for Multi-AZ deployment](fsx-controls.md#fsx-5) 
+  [[GlobalAccelerator.1] Global Accelerator accelerators should be tagged](globalaccelerator-controls.md#globalaccelerator-1) 
+  [[Glue.1] AWS Glue jobs should be tagged](glue-controls.md#glue-1) 
+  [[Glue.3] AWS Glue machine learning transforms should be encrypted at rest](glue-controls.md#glue-3) 
+  [[Glue.4] AWS Glue Spark jobs should run on supported versions of AWS Glue](glue-controls.md#glue-4) 
+  [[GuardDuty.1] GuardDuty should be enabled](guardduty-controls.md#guardduty-1) 
+  [[GuardDuty.2] GuardDuty filters should be tagged](guardduty-controls.md#guardduty-2) 
+  [[GuardDuty.3] GuardDuty IPSets should be tagged](guardduty-controls.md#guardduty-3) 
+  [[GuardDuty.4] GuardDuty detectors should be tagged](guardduty-controls.md#guardduty-4) 
+  [[GuardDuty.5] GuardDuty EKS Audit Log Monitoring should be enabled](guardduty-controls.md#guardduty-5) 
+  [[GuardDuty.6] GuardDuty Lambda Protection should be enabled](guardduty-controls.md#guardduty-6) 
+  [[GuardDuty.7] GuardDuty EKS Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-7) 
+  [[GuardDuty.8] GuardDuty Malware Protection for EC2 should be enabled](guardduty-controls.md#guardduty-8) 
+  [[GuardDuty.9] GuardDuty RDS Protection should be enabled](guardduty-controls.md#guardduty-9) 
+  [[GuardDuty.10] GuardDuty S3 Protection should be enabled](guardduty-controls.md#guardduty-10) 
+  [[GuardDuty.11] GuardDuty Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-11) 
+  [[GuardDuty.12] GuardDuty ECS Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-12) 
+  [[GuardDuty.13] GuardDuty EC2 Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-13) 
+  [[IAM.1] IAM policies should not allow full "\*" administrative privileges](iam-controls.md#iam-1) 
+  [[IAM.2] IAM users should not have IAM policies attached](iam-controls.md#iam-2) 
+  [[IAM.3] IAM users' access keys should be rotated every 90 days or less](iam-controls.md#iam-3) 
+  [[IAM.4] IAM root user access key should not exist](iam-controls.md#iam-4) 
+  [[IAM.5] MFA should be enabled for all IAM users that have a console password](iam-controls.md#iam-5) 
+  [[IAM.6] Hardware MFA should be enabled for the root user](iam-controls.md#iam-6) 
+  [[IAM.7] Password policies for IAM users should have strong configurations](iam-controls.md#iam-7) 
+  [[IAM.8] Unused IAM user credentials should be removed](iam-controls.md#iam-8) 
+  [[IAM.9] MFA should be enabled for the root user](iam-controls.md#iam-9) 
+  [[IAM.10] Password policies for IAM users should have strong configurations](iam-controls.md#iam-10) 
+  [[IAM.11] Ensure IAM password policy requires at least one uppercase letter](iam-controls.md#iam-11) 
+  [[IAM.12] Ensure IAM password policy requires at least one lowercase letter](iam-controls.md#iam-12) 
+  [[IAM.13] Ensure IAM password policy requires at least one symbol](iam-controls.md#iam-13) 
+  [[IAM.14] Ensure IAM password policy requires at least one number](iam-controls.md#iam-14) 
+  [[IAM.15] Ensure IAM password policy requires minimum password length of 14 or greater](iam-controls.md#iam-15) 
+  [[IAM.16] Ensure IAM password policy prevents password reuse](iam-controls.md#iam-16) 
+  [[IAM.17] Ensure IAM password policy expires passwords within 90 days or less](iam-controls.md#iam-17) 
+  [[IAM.18] Ensure a support role has been created to manage incidents with AWS Support](iam-controls.md#iam-18) 
+  [[IAM.19] MFA should be enabled for all IAM users](iam-controls.md#iam-19) 
+  [[IAM.21] IAM customer managed policies that you create should not allow wildcard actions for services](iam-controls.md#iam-21) 
+  [[IAM.22] IAM user credentials unused for 45 days should be removed](iam-controls.md#iam-22) 
+  [[IAM.24] IAM roles should be tagged](iam-controls.md#iam-24) 
+  [[IAM.25] IAM users should be tagged](iam-controls.md#iam-25) 
+  [[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed](iam-controls.md#iam-26) 
+  [[IAM.27] IAM identities should not have the AWSCloudShellFullAccess policy attached](iam-controls.md#iam-27) 
+  [[IAM.28] IAM Access Analyzer external access analyzer should be enabled](iam-controls.md#iam-28) 
+  [[Inspector.1] Amazon Inspector EC2 scanning should be enabled](inspector-controls.md#inspector-1) 
+  [[Inspector.2] Amazon Inspector ECR scanning should be enabled](inspector-controls.md#inspector-2) 
+  [[Inspector.3] Amazon Inspector Lambda code scanning should be enabled](inspector-controls.md#inspector-3) 
+  [[Inspector.4] Amazon Inspector Lambda standard scanning should be enabled](inspector-controls.md#inspector-4) 
+  [[IoT.1] AWS IoT Device Defender security profiles should be tagged](iot-controls.md#iot-1) 
+  [[IoT.2] AWS IoT Core mitigation actions should be tagged](iot-controls.md#iot-2) 
+  [[IoT.3] AWS IoT Core dimensions should be tagged](iot-controls.md#iot-3) 
+  [[IoT.4] AWS IoT Core authorizers should be tagged](iot-controls.md#iot-4) 
+  [[IoT.5] AWS IoT Core role aliases should be tagged](iot-controls.md#iot-5) 
+  [[IoT.6] AWS IoT Core policies should be tagged](iot-controls.md#iot-6) 
+  [[IoTEvents.1] AWS IoT Events inputs should be tagged](iotevents-controls.md#iotevents-1) 
+  [[IoTEvents.2] AWS IoT Events detector models should be tagged](iotevents-controls.md#iotevents-2) 
+  [[IoTEvents.3] AWS IoT Events alarm models should be tagged](iotevents-controls.md#iotevents-3) 
+  [[IoTSiteWise.1] AWS IoT SiteWise asset models should be tagged](iotsitewise-controls.md#iotsitewise-1) 
+  [[IoTSiteWise.2] AWS IoT SiteWise dashboards should be tagged](iotsitewise-controls.md#iotsitewise-2) 
+  [[IoTSiteWise.3] AWS IoT SiteWise gateways should be tagged](iotsitewise-controls.md#iotsitewise-3) 
+  [[IoTSiteWise.4] AWS IoT SiteWise portals should be tagged](iotsitewise-controls.md#iotsitewise-4) 
+  [[IoTSiteWise.5] AWS IoT SiteWise projects should be tagged](iotsitewise-controls.md#iotsitewise-5) 
+  [[IoTTwinMaker.1] AWS IoT TwinMaker sync jobs should be tagged](iottwinmaker-controls.md#iottwinmaker-1) 
+  [[IoTTwinMaker.2] AWS IoT TwinMaker workspaces should be tagged](iottwinmaker-controls.md#iottwinmaker-2) 
+  [[IoTTwinMaker.3] AWS IoT TwinMaker scenes should be tagged](iottwinmaker-controls.md#iottwinmaker-3) 
+  [[IoTTwinMaker.4] AWS IoT TwinMaker entities should be tagged](iottwinmaker-controls.md#iottwinmaker-4) 
+  [[IoTWireless.1] AWS IoT Wireless multicast groups should be tagged](iotwireless-controls.md#iotwireless-1) 
+  [[IoTWireless.2] AWS IoT Wireless service profiles should be tagged](iotwireless-controls.md#iotwireless-2) 
+  [[IoTWireless.3] AWS IoT FUOTA tasks should be tagged](iotwireless-controls.md#iotwireless-3) 
+  [[IVS.1] IVS playback key pairs should be tagged](ivs-controls.md#ivs-1) 
+  [[IVS.2] IVS recording configurations should be tagged](ivs-controls.md#ivs-2) 
+  [[IVS.3] IVS channels should be tagged](ivs-controls.md#ivs-3) 
+  [[Keyspaces.1] Amazon Keyspaces keyspaces should be tagged](keyspaces-controls.md#keyspaces-1) 
+  [[Kinesis.1] Kinesis streams should be encrypted at rest](kinesis-controls.md#kinesis-1) 
+  [[Kinesis.3] Kinesis streams should have an adequate data retention period](kinesis-controls.md#kinesis-3) 
+  [[KMS.1] IAM customer managed policies should not allow decryption actions on all KMS keys](kms-controls.md#kms-1) 
+  [[KMS.2] IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys](kms-controls.md#kms-2) 
+  [[KMS.5] KMS keys should not be publicly accessible](kms-controls.md#kms-5) 
+  [[Lambda.5] VPC Lambda functions should operate in multiple Availability Zones](lambda-controls.md#lambda-5) 
+  [[Lambda.7] Lambda functions should have AWS X-Ray active tracing enabled](lambda-controls.md#lambda-7) 
+  [[Macie.1] Amazon Macie should be enabled](macie-controls.md#macie-1) 
+  [[Macie.2] Macie automated sensitive data discovery should be enabled](macie-controls.md#macie-2) 
+  [[MQ.2] ActiveMQ brokers should stream audit logs to CloudWatch](mq-controls.md#mq-2) 
+  [[MQ.4] Amazon MQ brokers should be tagged](mq-controls.md#mq-4) 
+  [[MQ.5] ActiveMQ brokers should use active/standby deployment mode](mq-controls.md#mq-5) 
+  [[MQ.6] RabbitMQ brokers should use cluster deployment mode](mq-controls.md#mq-6) 
+  [[MSK.1] MSK clusters should be encrypted in transit among broker nodes](msk-controls.md#msk-1) 
+  [[MSK.2] MSK clusters should have enhanced monitoring configured](msk-controls.md#msk-2) 
+  [[MSK.3] MSK Connect connectors should be encrypted in transit](msk-controls.md#msk-3) 
+  [[MSK.4] MSK clusters should have public access disabled](msk-controls.md#msk-4) 
+  [[MSK.5] MSK connectors should have logging enabled](msk-controls.md#msk-5) 
+  [[MSK.6] MSK clusters should disable unauthenticated access](msk-controls.md#msk-6) 
+  [[Neptune.1] Neptune DB clusters should be encrypted at rest](neptune-controls.md#neptune-1) 
+  [[Neptune.2] Neptune DB clusters should publish audit logs to CloudWatch Logs](neptune-controls.md#neptune-2) 
+  [[Neptune.3] Neptune DB cluster snapshots should not be public](neptune-controls.md#neptune-3) 
+  [[Neptune.4] Neptune DB clusters should have deletion protection enabled](neptune-controls.md#neptune-4) 
+  [[Neptune.5] Neptune DB clusters should have automated backups enabled](neptune-controls.md#neptune-5) 
+  [[Neptune.6] Neptune DB cluster snapshots should be encrypted at rest](neptune-controls.md#neptune-6) 
+  [[Neptune.7] Neptune DB clusters should have IAM database authentication enabled](neptune-controls.md#neptune-7) 
+  [[Neptune.8] Neptune DB clusters should be configured to copy tags to snapshots](neptune-controls.md#neptune-8) 
+  [[Neptune.9] Neptune DB clusters should be deployed across multiple Availability Zones](neptune-controls.md#neptune-9) 
+  [[NetworkFirewall.1] Network Firewall firewalls should be deployed across multiple Availability Zones](networkfirewall-controls.md#networkfirewall-1) 
+  [[NetworkFirewall.2] Network Firewall logging should be enabled](networkfirewall-controls.md#networkfirewall-2) 
+  [[NetworkFirewall.3] Network Firewall policies should have at least one rule group associated](networkfirewall-controls.md#networkfirewall-3) 
+  [[NetworkFirewall.4] The default stateless action for Network Firewall policies should be drop or forward for full packets](networkfirewall-controls.md#networkfirewall-4) 
+  [[NetworkFirewall.5] The default stateless action for Network Firewall policies should be drop or forward for fragmented packets](networkfirewall-controls.md#networkfirewall-5) 
+  [[NetworkFirewall.6] Stateless Network Firewall rule group should not be empty](networkfirewall-controls.md#networkfirewall-6) 
+  [[NetworkFirewall.9] Network Firewall firewalls should have deletion protection enabled](networkfirewall-controls.md#networkfirewall-9) 
+  [[NetworkFirewall.10] Network Firewall firewalls should have subnet change protection enabled](networkfirewall-controls.md#networkfirewall-10) 
+  [[Opensearch.1] OpenSearch domains should have encryption at rest enabled](opensearch-controls.md#opensearch-1) 
+  [[Opensearch.2] OpenSearch domains should not be publicly accessible](opensearch-controls.md#opensearch-2) 
+  [[Opensearch.3] OpenSearch domains should encrypt data sent between nodes](opensearch-controls.md#opensearch-3) 
+  [[Opensearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled](opensearch-controls.md#opensearch-4) 
+  [[Opensearch.5] OpenSearch domains should have audit logging enabled](opensearch-controls.md#opensearch-5) 
+  [[Opensearch.6] OpenSearch domains should have at least three data nodes](opensearch-controls.md#opensearch-6) 
+  [[Opensearch.7] OpenSearch domains should have fine-grained access control enabled](opensearch-controls.md#opensearch-7) 
+  [[Opensearch.8] Connections to OpenSearch domains should be encrypted using the latest TLS security policy](opensearch-controls.md#opensearch-8) 
+  [[Opensearch.9] OpenSearch domains should be tagged](opensearch-controls.md#opensearch-9) 
+  [[Opensearch.10] OpenSearch domains should have the latest software update installed](opensearch-controls.md#opensearch-10) 
+  [[Opensearch.11] OpenSearch domains should have at least three dedicated primary nodes](opensearch-controls.md#opensearch-11) 
+  [[PCA.1] AWS Private CA root certificate authority should be disabled](pca-controls.md#pca-1) 
+  [[PCA.2] AWS Private CA certificate authorities should be tagged](pca-controls.md#pca-2) 
+  [[RDS.14] Amazon Aurora clusters should have backtracking enabled](rds-controls.md#rds-14) 
+  [[RDS.18] RDS instances should be deployed in a VPC](rds-controls.md#rds-18) 
+  [[RDS.24] RDS Database clusters should use a custom administrator username](rds-controls.md#rds-24) 
+  [[RDS.25] RDS database instances should use a custom administrator username](rds-controls.md#rds-25) 
+  [[RDS.26] RDS DB instances should be protected by a backup plan](rds-controls.md#rds-26) 
+  [[RDS.27] RDS DB clusters should be encrypted at rest](rds-controls.md#rds-27) 
+  [[RDS.31] RDS DB security groups should be tagged](rds-controls.md#rds-31) 
+  [[RDS.34] Aurora MySQL DB clusters should publish audit logs to CloudWatch Logs](rds-controls.md#rds-34) 
+  [[RDS.35] RDS DB clusters should have automatic minor version upgrade enabled](rds-controls.md#rds-35) 
+  [[RDS.36] RDS for PostgreSQL DB instances should publish logs to CloudWatch Logs](rds-controls.md#rds-36) 
+  [[RDS.37] Aurora PostgreSQL DB clusters should publish logs to CloudWatch Logs](rds-controls.md#rds-37) 
+  [[RDS.38] RDS for PostgreSQL DB instances should be encrypted in transit](rds-controls.md#rds-38) 
+  [[RDS.39] RDS for MySQL DB instances should be encrypted in transit](rds-controls.md#rds-39) 
+  [[RDS.40] RDS for SQL Server DB instances should publish logs to CloudWatch Logs](rds-controls.md#rds-40) 
+  [[RDS.41] RDS for SQL Server DB instances should be encrypted in transit](rds-controls.md#rds-41) 
+  [[RDS.42] RDS for MariaDB DB instances should publish logs to CloudWatch Logs](rds-controls.md#rds-42) 
+  [[RDS.43] RDS DB proxies should require TLS encryption for connections](rds-controls.md#rds-43) 
+  [[RDS.44] RDS for MariaDB DB instances should be encrypted in transit](rds-controls.md#rds-44) 
+  [[RDS.45] Aurora MySQL DB clusters should have audit logging enabled](rds-controls.md#rds-45) 
+  [[RDS.46] RDS DB instances should not be deployed in public subnets with routes to internet gateways](rds-controls.md#rds-46) 
+  [[RDS.47] RDS for PostgreSQL DB clusters should be configured to copy tags to DB snapshots](rds-controls.md#rds-47) 
+  [[RDS.48] RDS for MySQL DB clusters should be configured to copy tags to DB snapshots](rds-controls.md#rds-48) 
+  [[RDS.50] RDS DB clusters should have enough backup retention period set](rds-controls.md#rds-50) 
+  [[Redshift.1] Amazon Redshift clusters should prohibit public access](redshift-controls.md#redshift-1) 
+  [[Redshift.3] Amazon Redshift clusters should have automatic snapshots enabled](redshift-controls.md#redshift-3) 
+  [[Redshift.4] Amazon Redshift clusters should have audit logging enabled](redshift-controls.md#redshift-4) 
+  [[Redshift.6] Amazon Redshift should have automatic upgrades to major versions enabled](redshift-controls.md#redshift-6) 
+  [[Redshift.7] Redshift clusters should use enhanced VPC routing](redshift-controls.md#redshift-7) 
+  [[Redshift.8] Amazon Redshift clusters should not use the default Admin username](redshift-controls.md#redshift-8) 
+  [[Redshift.10] Redshift clusters should be encrypted at rest](redshift-controls.md#redshift-10) 
+  [[Redshift.11] Redshift clusters should be tagged](redshift-controls.md#redshift-11) 
+  [[Redshift.13] Redshift cluster snapshots should be tagged](redshift-controls.md#redshift-13) 
+  [[Redshift.15] Redshift security groups should allow ingress on the cluster port only from restricted origins](redshift-controls.md#redshift-15) 
+  [[Redshift.16] Redshift cluster subnet groups should have subnets from multiple Availability Zones](redshift-controls.md#redshift-16) 
+  [[Redshift.17] Redshift cluster parameter groups should be tagged](redshift-controls.md#redshift-17) 
+  [[Redshift.18] Redshift clusters should have Multi-AZ deployments enabled](redshift-controls.md#redshift-18) 
+  [[RedshiftServerless.1] Amazon Redshift Serverless workgroups should use enhanced VPC routing](redshiftserverless-controls.md#redshiftserverless-1) 
+  [[RedshiftServerless.2] Connections to Redshift Serverless workgroups should be required to use SSL](redshiftserverless-controls.md#redshiftserverless-2) 
+  [[RedshiftServerless.3] Redshift Serverless workgroups should prohibit public access](redshiftserverless-controls.md#redshiftserverless-3) 
+  [[RedshiftServerless.4] Redshift Serverless namespaces should be encrypted with customer managed AWS KMS keys](redshiftserverless-controls.md#redshiftserverless-4) 
+  [[RedshiftServerless.5] Redshift Serverless namespaces should not use the default admin username](redshiftserverless-controls.md#redshiftserverless-5) 
+  [[RedshiftServerless.6] Redshift Serverless namespaces should export logs to CloudWatch Logs](redshiftserverless-controls.md#redshiftserverless-6) 
+  [[Route53.1] Route 53 health checks should be tagged](route53-controls.md#route53-1) 
+  [[Route53.2] Route 53 public hosted zones should log DNS queries](route53-controls.md#route53-2) 
+  [[S3.7] S3 general purpose buckets should use cross-Region replication](s3-controls.md#s3-7) 
+  [[S3.10] S3 general purpose buckets with versioning enabled should have Lifecycle configurations](s3-controls.md#s3-10) 
+  [[S3.11] S3 general purpose buckets should have event notifications enabled](s3-controls.md#s3-11) 
+  [[S3.12] ACLs should not be used to manage user access to S3 general purpose buckets](s3-controls.md#s3-12) 
+  [[S3.13] S3 general purpose buckets should have Lifecycle configurations](s3-controls.md#s3-13) 
+  [[S3.19] S3 access points should have block public access settings enabled](s3-controls.md#s3-19) 
+  [[S3.20] S3 general purpose buckets should have MFA delete enabled](s3-controls.md#s3-20) 
+  [[S3.22] S3 general purpose buckets should log object-level write events](s3-controls.md#s3-22) 
+  [[S3.23] S3 general purpose buckets should log object-level read events](s3-controls.md#s3-23) 
+  [[S3.24] S3 Multi-Region Access Points should have block public access settings enabled](s3-controls.md#s3-24) 
+  [[S3.25] S3 directory buckets should have lifecycle configurations](s3-controls.md#s3-25) 
+  [[SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access](sagemaker-controls.md#sagemaker-1) 
+  [[SageMaker.2] SageMaker notebook instances should be launched in a custom VPC](sagemaker-controls.md#sagemaker-2) 
+  [[SageMaker.3] Users should not have root access to SageMaker notebook instances](sagemaker-controls.md#sagemaker-3) 
+  [[SageMaker.4] SageMaker endpoint production variants should have an initial instance count greater than 1](sagemaker-controls.md#sagemaker-4) 
+  [[SageMaker.5] SageMaker models should have network isolation enabled](sagemaker-controls.md#sagemaker-5) 
+  [[SageMaker.6] SageMaker app image configurations should be tagged](sagemaker-controls.md#sagemaker-6) 
+  [[SageMaker.7] SageMaker images should be tagged](sagemaker-controls.md#sagemaker-7) 
+  [[SageMaker.8] SageMaker notebook instances should run on supported platforms](sagemaker-controls.md#sagemaker-8) 
+  [[SageMaker.9] SageMaker data quality job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-9) 
+  [[SageMaker.10] SageMaker model explainability job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-10) 
+  [[SageMaker.11] SageMaker data quality job definitions should have network isolation enabled](sagemaker-controls.md#sagemaker-11) 
+  [[SageMaker.12] SageMaker model bias job definitions should have network isolation enabled](sagemaker-controls.md#sagemaker-12) 
+  [[SageMaker.13] SageMaker model quality job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-13) 
+  [[SageMaker.14] SageMaker monitoring schedules should have network isolation enabled](sagemaker-controls.md#sagemaker-14) 
+  [[SageMaker.15] SageMaker model bias job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-15) 
+  [[SES.1] SES contact lists should be tagged](ses-controls.md#ses-1) 
+  [[SES.2] SES configuration sets should be tagged](ses-controls.md#ses-2) 
+  [[SES.3] SES configuration sets should have TLS enabled for sending emails](ses-controls.md#ses-3) 
+  [[ServiceCatalog.1] Service Catalog portfolios should be shared within an AWS organization only](servicecatalog-controls.md#servicecatalog-1) 
+  [[SNS.4] SNS topic access policies should not allow public access](sns-controls.md#sns-4) 
+  [[SQS.1] Amazon SQS queues should be encrypted at rest](sqs-controls.md#sqs-1) 
+  [[SQS.2] SQS queues should be tagged](sqs-controls.md#sqs-2) 
+  [[SQS.3] SQS queue access policies should not allow public access](sqs-controls.md#sqs-3) 
+  [[SSM.1] Amazon EC2 instances should be managed by AWS Systems Manager](ssm-controls.md#ssm-1) 
+  [[SSM.2] Amazon EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation](ssm-controls.md#ssm-2) 
+  [[SSM.3] Amazon EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT](ssm-controls.md#ssm-3) 
+  [[SSM.4] SSM documents should not be public](ssm-controls.md#ssm-4) 
+  [[SSM.5] SSM documents should be tagged](ssm-controls.md#ssm-5) 
+  [[SSM.6] SSM Automation should have CloudWatch logging enabled](ssm-controls.md#ssm-6) 
+  [[SSM.7] SSM documents should have the block public sharing setting enabled](ssm-controls.md#ssm-7) 
+  [[StepFunctions.1] Step Functions state machines should have logging turned on](stepfunctions-controls.md#stepfunctions-1) 
+  [[Transfer.1] AWS Transfer Family workflows should be tagged](transfer-controls.md#transfer-1) 
+  [[Transfer.2] Transfer Family servers should not use FTP protocol for endpoint connection](transfer-controls.md#transfer-2) 
+  [[Transfer.3] Transfer Family connectors should have logging enabled](transfer-controls.md#transfer-3) 
+  [[Transfer.4] Transfer Family agreements should be tagged](transfer-controls.md#transfer-4) 
+  [[Transfer.5] Transfer Family certificates should be tagged](transfer-controls.md#transfer-5) 
+  [[Transfer.6] Transfer Family connectors should be tagged](transfer-controls.md#transfer-6) 
+  [[Transfer.7] Transfer Family profiles should be tagged](transfer-controls.md#transfer-7) 
+  [[WAF.1] AWS WAF Classic Global Web ACL logging should be enabled](waf-controls.md#waf-1) 
+  [[WAF.2] AWS WAF Classic Regional rules should have at least one condition](waf-controls.md#waf-2) 
+  [[WAF.3] AWS WAF Classic Regional rule groups should have at least one rule](waf-controls.md#waf-3) 
+  [[WAF.4] AWS WAF Classic Regional web ACLs should have at least one rule or rule group](waf-controls.md#waf-4) 
+  [[WAF.6] AWS WAF Classic global rules should have at least one condition](waf-controls.md#waf-6) 
+  [[WAF.7] AWS WAF Classic global rule groups should have at least one rule](waf-controls.md#waf-7) 
+  [[WAF.8] AWS WAF Classic global web ACLs should have at least one rule or rule group](waf-controls.md#waf-8) 
+  [[WAF.10] AWS WAF web ACLs should have at least one rule or rule group](waf-controls.md#waf-10) 
+  [[WAF.11] AWS WAF web ACL logging should be enabled](waf-controls.md#waf-11) 
+  [[WAF.12] AWS WAF rules should have CloudWatch metrics enabled](waf-controls.md#waf-12) 
+  [[WorkSpaces.1] WorkSpaces user volumes should be encrypted at rest](workspaces-controls.md#workspaces-1) 
+  [[WorkSpaces.2] WorkSpaces root volumes should be encrypted at rest](workspaces-controls.md#workspaces-2) 

## Asia Pacific (Osaka)
<a name="securityhub-control-support-apnortheast3"></a>

The following controls are not supported in the Asia Pacific (Osaka) Region.
+  [[AppFlow.1] Amazon AppFlow flows should be tagged](appflow-controls.md#appflow-1) 
+  [[AppRunner.1] App Runner services should be tagged](apprunner-controls.md#apprunner-1) 
+  [[AppRunner.2] App Runner VPC connectors should be tagged](apprunner-controls.md#apprunner-2) 
+  [[AppSync.1] AWS AppSync API caches should be encrypted at rest](appsync-controls.md#appsync-1) 
+  [[AppSync.6] AWS AppSync API caches should be encrypted in transit](appsync-controls.md#appsync-6) 
+  [[Backup.1] AWS Backup recovery points should be encrypted at rest](backup-controls.md#backup-1) 
+  [[CloudFront.1] CloudFront distributions should have a default root object configured](cloudfront-controls.md#cloudfront-1) 
+  [[CloudFront.3] CloudFront distributions should require encryption in transit](cloudfront-controls.md#cloudfront-3) 
+  [[CloudFront.4] CloudFront distributions should have origin failover configured](cloudfront-controls.md#cloudfront-4) 
+  [[CloudFront.5] CloudFront distributions should have logging enabled](cloudfront-controls.md#cloudfront-5) 
+  [[CloudFront.6] CloudFront distributions should have WAF enabled](cloudfront-controls.md#cloudfront-6) 
+  [[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates](cloudfront-controls.md#cloudfront-7) 
+  [[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests](cloudfront-controls.md#cloudfront-8) 
+  [[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins](cloudfront-controls.md#cloudfront-9) 
+  [[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins](cloudfront-controls.md#cloudfront-10) 
+  [[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins](cloudfront-controls.md#cloudfront-12) 
+  [[CloudFront.13] CloudFront distributions should use origin access control](cloudfront-controls.md#cloudfront-13) 
+  [[CloudFront.14] CloudFront distributions should be tagged](cloudfront-controls.md#cloudfront-14) 
+  [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](cloudfront-controls.md#cloudfront-15) 
+  [[CloudFront.16] CloudFront distributions should use origin access control for Lambda function URL origins](cloudfront-controls.md#cloudfront-16) 
+  [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](cloudfront-controls.md#cloudfront-17) 
+  [[CodeArtifact.1] CodeArtifact repositories should be tagged](codeartifact-controls.md#codeartifact-1) 
+  [[CodeGuruProfiler.1] CodeGuru Profiler profiling groups should be tagged](codeguruprofiler-controls.md#codeguruprofiler-1) 
+  [[CodeGuruReviewer.1] CodeGuru Reviewer repository associations should be tagged](codegurureviewer-controls.md#codegurureviewer-1) 
+  [[Connect.1] Amazon Connect Customer Profiles object types should be tagged](connect-controls.md#connect-1) 
+  [[Connect.2] Amazon Connect instances should have CloudWatch logging enabled](connect-controls.md#connect-2) 
+  [[Detective.1] Detective behavior graphs should be tagged](detective-controls.md#detective-1) 
+  [[DMS.7] DMS replication tasks for the target database should have logging enabled](dms-controls.md#dms-7) 
+  [[DMS.8] DMS replication tasks for the source database should have logging enabled](dms-controls.md#dms-8) 
+  [[DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled](dms-controls.md#dms-10) 
+  [[DocumentDB.1] Amazon DocumentDB clusters should be encrypted at rest](documentdb-controls.md#documentdb-1) 
+  [[DocumentDB.2] Amazon DocumentDB clusters should have an adequate backup retention period](documentdb-controls.md#documentdb-2) 
+  [[DocumentDB.3] Amazon DocumentDB manual cluster snapshots should not be public](documentdb-controls.md#documentdb-3) 
+  [[DocumentDB.4] Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs](documentdb-controls.md#documentdb-4) 
+  [[DocumentDB.5] Amazon DocumentDB clusters should have deletion protection enabled](documentdb-controls.md#documentdb-5) 
+  [[DocumentDB.6] Amazon DocumentDB clusters should be encrypted in transit](documentdb-controls.md#documentdb-6) 
+  [[DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest](dynamodb-controls.md#dynamodb-3) 
+  [[DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit](dynamodb-controls.md#dynamodb-7) 
+  [[EC2.4] Stopped EC2 instances should be removed after a specified time period](ec2-controls.md#ec2-4) 
+  [[EC2.14] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 3389](ec2-controls.md#ec2-14) 
+  [[EC2.22] Unused Amazon EC2 security groups should be removed](ec2-controls.md#ec2-22) 
+  [[EC2.23] Amazon EC2 Transit Gateways should not automatically accept VPC attachment requests](ec2-controls.md#ec2-23) 
+  [[EC2.24] Amazon EC2 paravirtual instance types should not be used](ec2-controls.md#ec2-24) 
+  [[EC2.55] VPCs should be configured with an interface endpoint for ECR API](ec2-controls.md#ec2-55) 
+  [[EC2.56] VPCs should be configured with an interface endpoint for Docker Registry](ec2-controls.md#ec2-56) 
+  [[EC2.57] VPCs should be configured with an interface endpoint for Systems Manager](ec2-controls.md#ec2-57) 
+  [[EC2.58] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager Contacts](ec2-controls.md#ec2-58) 
+  [[EC2.60] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager](ec2-controls.md#ec2-60) 
+  [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](ec2-controls.md#ec2-173) 
+  [[ECR.4] ECR public repositories should be tagged](ecr-controls.md#ecr-4) 
+  [[ELB.2] Classic Load Balancers with SSL/HTTPS listeners should use a certificate provided by AWS Certificate Manager](elb-controls.md#elb-2) 
+  [[ElastiCache.1] ElastiCache (Redis OSS) clusters should have automatic backups enabled](elasticache-controls.md#elasticache-1) 
+  [[ElastiCache.7] ElastiCache clusters should not use the default subnet group](elasticache-controls.md#elasticache-7) 
+  [[ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled](elasticbeanstalk-controls.md#elasticbeanstalk-1) 
+  [[FraudDetector.1] Amazon Fraud Detector entity types should be tagged](frauddetector-controls.md#frauddetector-1) 
+  [[FraudDetector.2] Amazon Fraud Detector labels should be tagged](frauddetector-controls.md#frauddetector-2) 
+  [[FraudDetector.3] Amazon Fraud Detector outcomes should be tagged](frauddetector-controls.md#frauddetector-3) 
+  [[FraudDetector.4] Amazon Fraud Detector variables should be tagged](frauddetector-controls.md#frauddetector-4) 
+  [[GlobalAccelerator.1] Global Accelerator accelerators should be tagged](globalaccelerator-controls.md#globalaccelerator-1) 
+  [[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed](iam-controls.md#iam-26) 
+  [[Inspector.3] Amazon Inspector Lambda code scanning should be enabled](inspector-controls.md#inspector-3) 
+  [[IoT.1] AWS IoT Device Defender security profiles should be tagged](iot-controls.md#iot-1) 
+  [[IoT.2] AWS IoT Core mitigation actions should be tagged](iot-controls.md#iot-2) 
+  [[IoT.3] AWS IoT Core dimensions should be tagged](iot-controls.md#iot-3) 
+  [[IoT.4] AWS IoT Core authorizers should be tagged](iot-controls.md#iot-4) 
+  [[IoT.5] AWS IoT Core role aliases should be tagged](iot-controls.md#iot-5) 
+  [[IoT.6] AWS IoT Core policies should be tagged](iot-controls.md#iot-6) 
+  [[IoTEvents.1] AWS IoT Events inputs should be tagged](iotevents-controls.md#iotevents-1) 
+  [[IoTEvents.2] AWS IoT Events detector models should be tagged](iotevents-controls.md#iotevents-2) 
+  [[IoTEvents.3] AWS IoT Events alarm models should be tagged](iotevents-controls.md#iotevents-3) 
+  [[IoTSiteWise.1] AWS IoT SiteWise asset models should be tagged](iotsitewise-controls.md#iotsitewise-1) 
+  [[IoTSiteWise.2] AWS IoT SiteWise dashboards should be tagged](iotsitewise-controls.md#iotsitewise-2) 
+  [[IoTSiteWise.3] AWS IoT SiteWise gateways should be tagged](iotsitewise-controls.md#iotsitewise-3) 
+  [[IoTSiteWise.4] AWS IoT SiteWise portals should be tagged](iotsitewise-controls.md#iotsitewise-4) 
+  [[IoTSiteWise.5] AWS IoT SiteWise projects should be tagged](iotsitewise-controls.md#iotsitewise-5) 
+  [[IoTTwinMaker.1] AWS IoT TwinMaker sync jobs should be tagged](iottwinmaker-controls.md#iottwinmaker-1) 
+  [[IoTTwinMaker.2] AWS IoT TwinMaker workspaces should be tagged](iottwinmaker-controls.md#iottwinmaker-2) 
+  [[IoTTwinMaker.3] AWS IoT TwinMaker scenes should be tagged](iottwinmaker-controls.md#iottwinmaker-3) 
+  [[IoTTwinMaker.4] AWS IoT TwinMaker entities should be tagged](iottwinmaker-controls.md#iottwinmaker-4) 
+  [[IoTWireless.1] AWS IoT Wireless multicast groups should be tagged](iotwireless-controls.md#iotwireless-1) 
+  [[IoTWireless.2] AWS IoT Wireless service profiles should be tagged](iotwireless-controls.md#iotwireless-2) 
+  [[IoTWireless.3] AWS IoT FUOTA tasks should be tagged](iotwireless-controls.md#iotwireless-3) 
+  [[IVS.1] IVS playback key pairs should be tagged](ivs-controls.md#ivs-1) 
+  [[IVS.2] IVS recording configurations should be tagged](ivs-controls.md#ivs-2) 
+  [[IVS.3] IVS channels should be tagged](ivs-controls.md#ivs-3) 
+  [[Keyspaces.1] Amazon Keyspaces keyspaces should be tagged](keyspaces-controls.md#keyspaces-1) 
+  [[MSK.3] MSK Connect connectors should be encrypted in transit](msk-controls.md#msk-3) 
+  [[MSK.5] MSK connectors should have logging enabled](msk-controls.md#msk-5) 
+  [[RDS.31] RDS DB security groups should be tagged](rds-controls.md#rds-31) 
+  [[RedshiftServerless.1] Amazon Redshift Serverless workgroups should use enhanced VPC routing](redshiftserverless-controls.md#redshiftserverless-1) 
+  [[RedshiftServerless.2] Connections to Redshift Serverless workgroups should be required to use SSL](redshiftserverless-controls.md#redshiftserverless-2) 
+  [[RedshiftServerless.3] Redshift Serverless workgroups should prohibit public access](redshiftserverless-controls.md#redshiftserverless-3) 
+  [[RedshiftServerless.4] Redshift Serverless namespaces should be encrypted with customer managed AWS KMS keys](redshiftserverless-controls.md#redshiftserverless-4) 
+  [[RedshiftServerless.5] Redshift Serverless namespaces should not use the default admin username](redshiftserverless-controls.md#redshiftserverless-5) 
+  [[RedshiftServerless.6] Redshift Serverless namespaces should export logs to CloudWatch Logs](redshiftserverless-controls.md#redshiftserverless-6) 
+  [[Route53.1] Route 53 health checks should be tagged](route53-controls.md#route53-1) 
+  [[Route53.2] Route 53 public hosted zones should log DNS queries](route53-controls.md#route53-2) 
+  [[S3.24] S3 Multi-Region Access Points should have block public access settings enabled](s3-controls.md#s3-24) 
+  [[S3.25] S3 directory buckets should have lifecycle configurations](s3-controls.md#s3-25) 
+  [[SSM.2] Amazon EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation](ssm-controls.md#ssm-2) 
+  [[SSM.3] Amazon EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT](ssm-controls.md#ssm-3) 
+  [[WAF.1] AWS WAF Classic Global Web ACL logging should be enabled](waf-controls.md#waf-1) 
+  [[WAF.3] AWS WAF Classic Regional rule groups should have at least one rule](waf-controls.md#waf-3) 
+  [[WAF.6] AWS WAF Classic global rules should have at least one condition](waf-controls.md#waf-6) 
+  [[WAF.7] AWS WAF Classic global rule groups should have at least one rule](waf-controls.md#waf-7) 
+  [[WAF.8] AWS WAF Classic global web ACLs should have at least one rule or rule group](waf-controls.md#waf-8) 
+  [[WAF.10] AWS WAF web ACLs should have at least one rule or rule group](waf-controls.md#waf-10) 
+  [[WorkSpaces.1] WorkSpaces user volumes should be encrypted at rest](workspaces-controls.md#workspaces-1) 
+  [[WorkSpaces.2] WorkSpaces root volumes should be encrypted at rest](workspaces-controls.md#workspaces-2) 

## Asia Pacific (Seoul)
<a name="securityhub-control-support-apnortheast2"></a>

The following controls are not supported in the Asia Pacific (Seoul) Region.
+  [[AppRunner.1] App Runner services should be tagged](apprunner-controls.md#apprunner-1) 
+  [[AppRunner.2] App Runner VPC connectors should be tagged](apprunner-controls.md#apprunner-2) 
+  [[AppSync.1] AWS AppSync API caches should be encrypted at rest](appsync-controls.md#appsync-1) 
+  [[AppSync.6] AWS AppSync API caches should be encrypted in transit](appsync-controls.md#appsync-6) 
+  [[CloudFront.1] CloudFront distributions should have a default root object configured](cloudfront-controls.md#cloudfront-1) 
+  [[CloudFront.3] CloudFront distributions should require encryption in transit](cloudfront-controls.md#cloudfront-3) 
+  [[CloudFront.4] CloudFront distributions should have origin failover configured](cloudfront-controls.md#cloudfront-4) 
+  [[CloudFront.5] CloudFront distributions should have logging enabled](cloudfront-controls.md#cloudfront-5) 
+  [[CloudFront.6] CloudFront distributions should have WAF enabled](cloudfront-controls.md#cloudfront-6) 
+  [[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates](cloudfront-controls.md#cloudfront-7) 
+  [[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests](cloudfront-controls.md#cloudfront-8) 
+  [[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins](cloudfront-controls.md#cloudfront-9) 
+  [[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins](cloudfront-controls.md#cloudfront-10) 
+  [[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins](cloudfront-controls.md#cloudfront-12) 
+  [[CloudFront.13] CloudFront distributions should use origin access control](cloudfront-controls.md#cloudfront-13) 
+  [[CloudFront.14] CloudFront distributions should be tagged](cloudfront-controls.md#cloudfront-14) 
+  [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](cloudfront-controls.md#cloudfront-15) 
+  [[CloudFront.16] CloudFront distributions should use origin access control for Lambda function URL origins](cloudfront-controls.md#cloudfront-16) 
+  [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](cloudfront-controls.md#cloudfront-17) 
+  [[CodeArtifact.1] CodeArtifact repositories should be tagged](codeartifact-controls.md#codeartifact-1) 
+  [[CodeGuruProfiler.1] CodeGuru Profiler profiling groups should be tagged](codeguruprofiler-controls.md#codeguruprofiler-1) 
+  [[CodeGuruReviewer.1] CodeGuru Reviewer repository associations should be tagged](codegurureviewer-controls.md#codegurureviewer-1) 
+  [[Cognito.2] Cognito identity pools should not allow unauthenticated identities](cognito-controls.md#cognito-2) 
+  [[DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest](dynamodb-controls.md#dynamodb-3) 
+  [[DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit](dynamodb-controls.md#dynamodb-7) 
+  [[EC2.24] Amazon EC2 paravirtual instance types should not be used](ec2-controls.md#ec2-24) 
+  [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](ec2-controls.md#ec2-173) 
+  [[EC2.180] EC2 network interfaces should have source/destination checking enabled](ec2-controls.md#ec2-180) 
+  [[ECR.4] ECR public repositories should be tagged](ecr-controls.md#ecr-4) 
+  [[ELB.18] Application and Network Load Balancer listeners should use secure protocols to encrypt data in transit](elb-controls.md#elb-18) 
+  [[FraudDetector.1] Amazon Fraud Detector entity types should be tagged](frauddetector-controls.md#frauddetector-1) 
+  [[FraudDetector.2] Amazon Fraud Detector labels should be tagged](frauddetector-controls.md#frauddetector-2) 
+  [[FraudDetector.3] Amazon Fraud Detector outcomes should be tagged](frauddetector-controls.md#frauddetector-3) 
+  [[FraudDetector.4] Amazon Fraud Detector variables should be tagged](frauddetector-controls.md#frauddetector-4) 
+  [[GlobalAccelerator.1] Global Accelerator accelerators should be tagged](globalaccelerator-controls.md#globalaccelerator-1) 
+  [[Glue.4] AWS Glue Spark jobs should run on supported versions of AWS Glue](glue-controls.md#glue-4) 
+  [[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed](iam-controls.md#iam-26) 
+  [[Inspector.3] Amazon Inspector Lambda code scanning should be enabled](inspector-controls.md#inspector-3) 
+  [[IoTTwinMaker.4] AWS IoT TwinMaker entities should be tagged](iottwinmaker-controls.md#iottwinmaker-4) 
+  [[IoTWireless.1] AWS IoT Wireless multicast groups should be tagged](iotwireless-controls.md#iotwireless-1) 
+  [[IoTWireless.2] AWS IoT Wireless service profiles should be tagged](iotwireless-controls.md#iotwireless-2) 
+  [[IoTWireless.3] AWS IoT FUOTA tasks should be tagged](iotwireless-controls.md#iotwireless-3) 
+  [[Lambda.7] Lambda functions should have AWS X-Ray active tracing enabled](lambda-controls.md#lambda-7) 
+  [[RDS.31] RDS DB security groups should be tagged](rds-controls.md#rds-31) 
+  [[Redshift.18] Redshift clusters should have Multi-AZ deployments enabled](redshift-controls.md#redshift-18) 
+  [[Route53.1] Route 53 health checks should be tagged](route53-controls.md#route53-1) 
+  [[Route53.2] Route 53 public hosted zones should log DNS queries](route53-controls.md#route53-2) 
+  [[S3.24] S3 Multi-Region Access Points should have block public access settings enabled](s3-controls.md#s3-24) 
+  [[S3.25] S3 directory buckets should have lifecycle configurations](s3-controls.md#s3-25) 
+  [[SSM.6] SSM Automation should have CloudWatch logging enabled](ssm-controls.md#ssm-6) 
+  [[SSM.7] SSM documents should have the block public sharing setting enabled](ssm-controls.md#ssm-7) 
+  [[WAF.1] AWS WAF Classic Global Web ACL logging should be enabled](waf-controls.md#waf-1) 
+  [[WAF.6] AWS WAF Classic global rules should have at least one condition](waf-controls.md#waf-6) 
+  [[WAF.7] AWS WAF Classic global rule groups should have at least one rule](waf-controls.md#waf-7) 
+  [[WAF.8] AWS WAF Classic global web ACLs should have at least one rule or rule group](waf-controls.md#waf-8) 

## Asia Pacific (Singapore)
<a name="securityhub-control-support-apsoutheast1"></a>

The following controls are not supported in the Asia Pacific (Singapore) Region.
+  [[AppSync.1] AWS AppSync API caches should be encrypted at rest](appsync-controls.md#appsync-1) 
+  [[AppSync.6] AWS AppSync API caches should be encrypted in transit](appsync-controls.md#appsync-6) 
+  [[CloudFront.1] CloudFront distributions should have a default root object configured](cloudfront-controls.md#cloudfront-1) 
+  [[CloudFront.3] CloudFront distributions should require encryption in transit](cloudfront-controls.md#cloudfront-3) 
+  [[CloudFront.4] CloudFront distributions should have origin failover configured](cloudfront-controls.md#cloudfront-4) 
+  [[CloudFront.5] CloudFront distributions should have logging enabled](cloudfront-controls.md#cloudfront-5) 
+  [[CloudFront.6] CloudFront distributions should have WAF enabled](cloudfront-controls.md#cloudfront-6) 
+  [[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates](cloudfront-controls.md#cloudfront-7) 
+  [[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests](cloudfront-controls.md#cloudfront-8) 
+  [[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins](cloudfront-controls.md#cloudfront-9) 
+  [[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins](cloudfront-controls.md#cloudfront-10) 
+  [[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins](cloudfront-controls.md#cloudfront-12) 
+  [[CloudFront.13] CloudFront distributions should use origin access control](cloudfront-controls.md#cloudfront-13) 
+  [[CloudFront.14] CloudFront distributions should be tagged](cloudfront-controls.md#cloudfront-14) 
+  [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](cloudfront-controls.md#cloudfront-15) 
+  [[CloudFront.16] CloudFront distributions should use origin access control for Lambda function URL origins](cloudfront-controls.md#cloudfront-16) 
+  [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](cloudfront-controls.md#cloudfront-17) 
+  [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](ec2-controls.md#ec2-173) 
+  [[ECR.4] ECR public repositories should be tagged](ecr-controls.md#ecr-4) 
+  [[GlobalAccelerator.1] Global Accelerator accelerators should be tagged](globalaccelerator-controls.md#globalaccelerator-1) 
+  [[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed](iam-controls.md#iam-26) 
+  [[IoTWireless.1] AWS IoT Wireless multicast groups should be tagged](iotwireless-controls.md#iotwireless-1) 
+  [[IoTWireless.2] AWS IoT Wireless service profiles should be tagged](iotwireless-controls.md#iotwireless-2) 
+  [[IoTWireless.3] AWS IoT FUOTA tasks should be tagged](iotwireless-controls.md#iotwireless-3) 
+  [[IVS.1] IVS playback key pairs should be tagged](ivs-controls.md#ivs-1) 
+  [[IVS.2] IVS recording configurations should be tagged](ivs-controls.md#ivs-2) 
+  [[IVS.3] IVS channels should be tagged](ivs-controls.md#ivs-3) 
+  [[Route53.1] Route 53 health checks should be tagged](route53-controls.md#route53-1) 
+  [[Route53.2] Route 53 public hosted zones should log DNS queries](route53-controls.md#route53-2) 
+  [[S3.24] S3 Multi-Region Access Points should have block public access settings enabled](s3-controls.md#s3-24) 
+  [[S3.25] S3 directory buckets should have lifecycle configurations](s3-controls.md#s3-25) 
+  [[WAF.1] AWS WAF Classic Global Web ACL logging should be enabled](waf-controls.md#waf-1) 
+  [[WAF.6] AWS WAF Classic global rules should have at least one condition](waf-controls.md#waf-6) 
+  [[WAF.7] AWS WAF Classic global rule groups should have at least one rule](waf-controls.md#waf-7) 
+  [[WAF.8] AWS WAF Classic global web ACLs should have at least one rule or rule group](waf-controls.md#waf-8) 

## Asia Pacific (Sydney)
<a name="securityhub-control-support-apsoutheast2"></a>

The following controls are not supported in the Asia Pacific (Sydney) Region.
+  [[AppSync.1] AWS AppSync API caches should be encrypted at rest](appsync-controls.md#appsync-1) 
+  [[AppSync.6] AWS AppSync API caches should be encrypted in transit](appsync-controls.md#appsync-6) 
+  [[CloudFront.1] CloudFront distributions should have a default root object configured](cloudfront-controls.md#cloudfront-1) 
+  [[CloudFront.3] CloudFront distributions should require encryption in transit](cloudfront-controls.md#cloudfront-3) 
+  [[CloudFront.4] CloudFront distributions should have origin failover configured](cloudfront-controls.md#cloudfront-4) 
+  [[CloudFront.5] CloudFront distributions should have logging enabled](cloudfront-controls.md#cloudfront-5) 
+  [[CloudFront.6] CloudFront distributions should have WAF enabled](cloudfront-controls.md#cloudfront-6) 
+  [[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates](cloudfront-controls.md#cloudfront-7) 
+  [[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests](cloudfront-controls.md#cloudfront-8) 
+  [[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins](cloudfront-controls.md#cloudfront-9) 
+  [[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins](cloudfront-controls.md#cloudfront-10) 
+  [[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins](cloudfront-controls.md#cloudfront-12) 
+  [[CloudFront.13] CloudFront distributions should use origin access control](cloudfront-controls.md#cloudfront-13) 
+  [[CloudFront.14] CloudFront distributions should be tagged](cloudfront-controls.md#cloudfront-14) 
+  [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](cloudfront-controls.md#cloudfront-15) 
+  [[CloudFront.16] CloudFront distributions should use origin access control for Lambda function URL origins](cloudfront-controls.md#cloudfront-16) 
+  [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](cloudfront-controls.md#cloudfront-17) 
+  [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](ec2-controls.md#ec2-173) 
+  [[ECR.4] ECR public repositories should be tagged](ecr-controls.md#ecr-4) 
+  [[GlobalAccelerator.1] Global Accelerator accelerators should be tagged](globalaccelerator-controls.md#globalaccelerator-1) 
+  [[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed](iam-controls.md#iam-26) 
+  [[IVS.1] IVS playback key pairs should be tagged](ivs-controls.md#ivs-1) 
+  [[IVS.2] IVS recording configurations should be tagged](ivs-controls.md#ivs-2) 
+  [[IVS.3] IVS channels should be tagged](ivs-controls.md#ivs-3) 
+  [[Route53.1] Route 53 health checks should be tagged](route53-controls.md#route53-1) 
+  [[Route53.2] Route 53 public hosted zones should log DNS queries](route53-controls.md#route53-2) 
+  [[S3.24] S3 Multi-Region Access Points should have block public access settings enabled](s3-controls.md#s3-24) 
+  [[S3.25] S3 directory buckets should have lifecycle configurations](s3-controls.md#s3-25) 
+  [[WAF.1] AWS WAF Classic Global Web ACL logging should be enabled](waf-controls.md#waf-1) 
+  [[WAF.6] AWS WAF Classic global rules should have at least one condition](waf-controls.md#waf-6) 
+  [[WAF.7] AWS WAF Classic global rule groups should have at least one rule](waf-controls.md#waf-7) 
+  [[WAF.8] AWS WAF Classic global web ACLs should have at least one rule or rule group](waf-controls.md#waf-8) 

## Asia Pacific (Taipei)
<a name="securityhub-control-support-apeast2"></a>

The following controls are not supported in the Asia Pacific (Taipei) Region.
+  [[ACM.1] Imported and ACM-issued certificates should be renewed after a specified time period](acm-controls.md#acm-1) 
+  [[ACM.2] RSA certificates managed by ACM should use a key length of at least 2,048 bits](acm-controls.md#acm-2) 
+  [[ACM.3] ACM certificates should be tagged](acm-controls.md#acm-3) 
+  [[Account.1] Security contact information should be provided for an AWS account](account-controls.md#account-1) 
+  [[Account.2] AWS accounts should be part of an AWS Organizations organization](account-controls.md#account-2) 
+  [[APIGateway.1] API Gateway REST and WebSocket API execution logging should be enabled](apigateway-controls.md#apigateway-1) 
+  [[APIGateway.2] API Gateway REST API stages should be configured to use SSL certificates for backend authentication](apigateway-controls.md#apigateway-2) 
+  [[APIGateway.3] API Gateway REST API stages should have AWS X-Ray tracing enabled](apigateway-controls.md#apigateway-3) 
+  [[APIGateway.4] API Gateway should be associated with a WAF Web ACL](apigateway-controls.md#apigateway-4) 
+  [[APIGateway.5] API Gateway REST API cache data should be encrypted at rest](apigateway-controls.md#apigateway-5) 
+  [[APIGateway.8] API Gateway routes should specify an authorization type](apigateway-controls.md#apigateway-8) 
+  [[APIGateway.9] Access logging should be configured for API Gateway V2 Stages](apigateway-controls.md#apigateway-9) 
+  [[APIGateway.10] API Gateway V2 integrations should use HTTPS for private connections](apigateway-controls.md#apigateway-10) 
+  [[Amplify.1] Amplify apps should be tagged](amplify-controls.md#amplify-1) 
+  [[Amplify.2] Amplify branches should be tagged](amplify-controls.md#amplify-2) 
+  [[AppConfig.1] AWS AppConfig applications should be tagged](appconfig-controls.md#appconfig-1) 
+  [[AppConfig.2] AWS AppConfig configuration profiles should be tagged](appconfig-controls.md#appconfig-2) 
+  [[AppConfig.3] AWS AppConfig environments should be tagged](appconfig-controls.md#appconfig-3) 
+  [[AppConfig.4] AWS AppConfig extension associations should be tagged](appconfig-controls.md#appconfig-4) 
+  [[AppFlow.1] Amazon AppFlow flows should be tagged](appflow-controls.md#appflow-1) 
+  [[AppRunner.1] App Runner services should be tagged](apprunner-controls.md#apprunner-1) 
+  [[AppRunner.2] App Runner VPC connectors should be tagged](apprunner-controls.md#apprunner-2) 
+  [[AppSync.1] AWS AppSync API caches should be encrypted at rest](appsync-controls.md#appsync-1) 
+  [[AppSync.2] AWS AppSync should have field-level logging enabled](appsync-controls.md#appsync-2) 
+  [[AppSync.4] AWS AppSync GraphQL APIs should be tagged](appsync-controls.md#appsync-4) 
+  [[AppSync.5] AWS AppSync GraphQL APIs should not be authenticated with API keys](appsync-controls.md#appsync-5) 
+  [[AppSync.6] AWS AppSync API caches should be encrypted in transit](appsync-controls.md#appsync-6) 
+  [[Athena.2] Athena data catalogs should be tagged](athena-controls.md#athena-2) 
+  [[Athena.3] Athena workgroups should be tagged](athena-controls.md#athena-3) 
+  [[Athena.4] Athena workgroups should have logging enabled](athena-controls.md#athena-4) 
+  [[AutoScaling.1] Auto Scaling groups associated with a load balancer should use ELB health checks](autoscaling-controls.md#autoscaling-1) 
+  [[AutoScaling.2] Amazon EC2 Auto Scaling group should cover multiple Availability Zones](autoscaling-controls.md#autoscaling-2) 
+  [[AutoScaling.3] Auto Scaling group launch configurations should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2)](autoscaling-controls.md#autoscaling-3) 
+  [[AutoScaling.6] Auto Scaling groups should use multiple instance types in multiple Availability Zones](autoscaling-controls.md#autoscaling-6) 
+  [[AutoScaling.9] Amazon EC2 Auto Scaling groups should use Amazon EC2 launch templates](autoscaling-controls.md#autoscaling-9) 
+  [[AutoScaling.10] EC2 Auto Scaling groups should be tagged](autoscaling-controls.md#autoscaling-10) 
+  [[Autoscaling.5] Amazon EC2 instances launched using Auto Scaling group launch configurations should not have Public IP addresses](autoscaling-controls.md#autoscaling-5) 
+  [[Backup.1] AWS Backup recovery points should be encrypted at rest](backup-controls.md#backup-1) 
+  [[Backup.2] AWS Backup recovery points should be tagged](backup-controls.md#backup-2) 
+  [[Backup.3] AWS Backup vaults should be tagged](backup-controls.md#backup-3) 
+  [[Backup.4] AWS Backup report plans should be tagged](backup-controls.md#backup-4) 
+  [[Backup.5] AWS Backup backup plans should be tagged](backup-controls.md#backup-5) 
+  [[Batch.1] Batch job queues should be tagged](batch-controls.md#batch-1) 
+  [[Batch.2] Batch scheduling policies should be tagged](batch-controls.md#batch-2) 
+  [[Batch.3] Batch compute environments should be tagged](batch-controls.md#batch-3) 
+  [[Batch.4] Compute resources properties in managed Batch compute environments should be tagged](batch-controls.md#batch-4) 
+  [[CloudFormation.2] CloudFormation stacks should be tagged](cloudformation-controls.md#cloudformation-2) 
+  [[CloudFormation.3] CloudFormation stacks should have termination protection enabled](cloudformation-controls.md#cloudformation-3) 
+  [[CloudFormation.4] CloudFormation stacks should have associated service roles](cloudformation-controls.md#cloudformation-4) 
+  [[CloudFront.1] CloudFront distributions should have a default root object configured](cloudfront-controls.md#cloudfront-1) 
+  [[CloudFront.3] CloudFront distributions should require encryption in transit](cloudfront-controls.md#cloudfront-3) 
+  [[CloudFront.4] CloudFront distributions should have origin failover configured](cloudfront-controls.md#cloudfront-4) 
+  [[CloudFront.5] CloudFront distributions should have logging enabled](cloudfront-controls.md#cloudfront-5) 
+  [[CloudFront.6] CloudFront distributions should have WAF enabled](cloudfront-controls.md#cloudfront-6) 
+  [[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates](cloudfront-controls.md#cloudfront-7) 
+  [[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests](cloudfront-controls.md#cloudfront-8) 
+  [[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins](cloudfront-controls.md#cloudfront-9) 
+  [[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins](cloudfront-controls.md#cloudfront-10) 
+  [[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins](cloudfront-controls.md#cloudfront-12) 
+  [[CloudFront.13] CloudFront distributions should use origin access control](cloudfront-controls.md#cloudfront-13) 
+  [[CloudFront.14] CloudFront distributions should be tagged](cloudfront-controls.md#cloudfront-14) 
+  [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](cloudfront-controls.md#cloudfront-15) 
+  [[CloudFront.16] CloudFront distributions should use origin access control for Lambda function URL origins](cloudfront-controls.md#cloudfront-16) 
+  [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](cloudfront-controls.md#cloudfront-17) 
+  [[CloudTrail.6] Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible](cloudtrail-controls.md#cloudtrail-6) 
+  [[CloudTrail.7] Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket](cloudtrail-controls.md#cloudtrail-7) 
+  [[CloudTrail.9] CloudTrail trails should be tagged](cloudtrail-controls.md#cloudtrail-9) 
+  [[CloudTrail.10] CloudTrail Lake event data stores should be encrypted with customer managed AWS KMS keys](cloudtrail-controls.md#cloudtrail-10) 
+  [[CloudWatch.17] CloudWatch alarm actions should be activated](cloudwatch-controls.md#cloudwatch-17) 
+  [[CodeArtifact.1] CodeArtifact repositories should be tagged](codeartifact-controls.md#codeartifact-1) 
+  [[CodeBuild.1] CodeBuild Bitbucket source repository URLs should not contain sensitive credentials](codebuild-controls.md#codebuild-1) 
+  [[CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials](codebuild-controls.md#codebuild-2) 
+  [[CodeBuild.3] CodeBuild S3 logs should be encrypted](codebuild-controls.md#codebuild-3) 
+  [[CodeBuild.4] CodeBuild project environments should have a logging AWS Configuration](codebuild-controls.md#codebuild-4) 
+  [[CodeBuild.7] CodeBuild report group exports should be encrypted at rest](codebuild-controls.md#codebuild-7) 
+  [[CodeGuruProfiler.1] CodeGuru Profiler profiling groups should be tagged](codeguruprofiler-controls.md#codeguruprofiler-1) 
+  [[CodeGuruReviewer.1] CodeGuru Reviewer repository associations should be tagged](codegurureviewer-controls.md#codegurureviewer-1) 
+  [[Cognito.1] Cognito user pools should have threat protection activated with full function enforcement mode for standard authentication](cognito-controls.md#cognito-1) 
+  [[Cognito.2] Cognito identity pools should not allow unauthenticated identities](cognito-controls.md#cognito-2) 
+  [[Cognito.3] Password policies for Cognito user pools should have strong configurations](cognito-controls.md#cognito-3) 
+  [[Cognito.4] Cognito user pools should have threat protection activated with full function enforcement mode for custom authentication](cognito-controls.md#cognito-4) 
+  [[Cognito.5] MFA should be enabled for Cognito user pools](cognito-controls.md#cognito-5) 
+  [[Cognito.6] Cognito user pools should have deletion protection enabled](cognito-controls.md#cognito-6) 
+  [[Connect.1] Amazon Connect Customer Profiles object types should be tagged](connect-controls.md#connect-1) 
+  [[Connect.2] Amazon Connect instances should have CloudWatch logging enabled](connect-controls.md#connect-2) 
+  [[DataFirehose.1] Firehose delivery streams should be encrypted at rest](datafirehose-controls.md#datafirehose-1) 
+  [[DataSync.1] DataSync tasks should have logging enabled](datasync-controls.md#datasync-1) 
+  [[DataSync.2] DataSync tasks should be tagged](datasync-controls.md#datasync-2) 
+  [[Detective.1] Detective behavior graphs should be tagged](detective-controls.md#detective-1) 
+  [[DMS.1] Database Migration Service replication instances should not be public](dms-controls.md#dms-1) 
+  [[DMS.2] DMS certificates should be tagged](dms-controls.md#dms-2) 
+  [[DMS.3] DMS event subscriptions should be tagged](dms-controls.md#dms-3) 
+  [[DMS.4] DMS replication instances should be tagged](dms-controls.md#dms-4) 
+  [[DMS.5] DMS replication subnet groups should be tagged](dms-controls.md#dms-5) 
+  [[DMS.6] DMS replication instances should have automatic minor version upgrade enabled](dms-controls.md#dms-6) 
+  [[DMS.7] DMS replication tasks for the target database should have logging enabled](dms-controls.md#dms-7) 
+  [[DMS.8] DMS replication tasks for the source database should have logging enabled](dms-controls.md#dms-8) 
+  [[DMS.9] DMS endpoints should use SSL](dms-controls.md#dms-9) 
+  [[DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled](dms-controls.md#dms-10) 
+  [[DMS.11] DMS endpoints for MongoDB should have an authentication mechanism enabled](dms-controls.md#dms-11) 
+  [[DMS.12] DMS endpoints for Redis OSS should have TLS enabled](dms-controls.md#dms-12) 
+  [[DMS.13] DMS replication instances should be configured to use multiple Availability Zones](dms-controls.md#dms-13) 
+  [[DocumentDB.1] Amazon DocumentDB clusters should be encrypted at rest](documentdb-controls.md#documentdb-1) 
+  [[DocumentDB.2] Amazon DocumentDB clusters should have an adequate backup retention period](documentdb-controls.md#documentdb-2) 
+  [[DocumentDB.3] Amazon DocumentDB manual cluster snapshots should not be public](documentdb-controls.md#documentdb-3) 
+  [[DocumentDB.4] Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs](documentdb-controls.md#documentdb-4) 
+  [[DocumentDB.5] Amazon DocumentDB clusters should have deletion protection enabled](documentdb-controls.md#documentdb-5) 
+  [[DocumentDB.6] Amazon DocumentDB clusters should be encrypted in transit](documentdb-controls.md#documentdb-6) 
+  [[DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest](dynamodb-controls.md#dynamodb-3) 
+  [[DynamoDB.4] DynamoDB tables should be present in a backup plan](dynamodb-controls.md#dynamodb-4) 
+  [[DynamoDB.5] DynamoDB tables should be tagged](dynamodb-controls.md#dynamodb-5) 
+  [[DynamoDB.6] DynamoDB tables should have deletion protection enabled](dynamodb-controls.md#dynamodb-6) 
+  [[DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit](dynamodb-controls.md#dynamodb-7) 
+  [[EC2.4] Stopped EC2 instances should be removed after a specified time period](ec2-controls.md#ec2-4) 
+  [[EC2.10] Amazon EC2 should be configured to use VPC endpoints that are created for the Amazon EC2 service](ec2-controls.md#ec2-10) 
+  [[EC2.19] Security groups should not allow unrestricted access to ports with high risk](ec2-controls.md#ec2-19) 
+  [[EC2.21] Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389](ec2-controls.md#ec2-21) 
+  [[EC2.22] Unused Amazon EC2 security groups should be removed](ec2-controls.md#ec2-22) 
+  [[EC2.23] Amazon EC2 Transit Gateways should not automatically accept VPC attachment requests](ec2-controls.md#ec2-23) 
+  [[EC2.24] Amazon EC2 paravirtual instance types should not be used](ec2-controls.md#ec2-24) 
+  [[EC2.25] Amazon EC2 launch templates should not assign public IPs to network interfaces](ec2-controls.md#ec2-25) 
+  [[EC2.28] EBS volumes should be covered by a backup plan](ec2-controls.md#ec2-28) 
+  [[EC2.33] EC2 transit gateway attachments should be tagged](ec2-controls.md#ec2-33) 
+  [[EC2.34] EC2 transit gateway route tables should be tagged](ec2-controls.md#ec2-34) 
+  [[EC2.35] EC2 network interfaces should be tagged](ec2-controls.md#ec2-35) 
+  [[EC2.36] EC2 customer gateways should be tagged](ec2-controls.md#ec2-36) 
+  [[EC2.37] EC2 Elastic IP addresses should be tagged](ec2-controls.md#ec2-37) 
+  [[EC2.38] EC2 instances should be tagged](ec2-controls.md#ec2-38) 
+  [[EC2.39] EC2 internet gateways should be tagged](ec2-controls.md#ec2-39) 
+  [[EC2.40] EC2 NAT gateways should be tagged](ec2-controls.md#ec2-40) 
+  [[EC2.41] EC2 network ACLs should be tagged](ec2-controls.md#ec2-41) 
+  [[EC2.42] EC2 route tables should be tagged](ec2-controls.md#ec2-42) 
+  [[EC2.43] EC2 security groups should be tagged](ec2-controls.md#ec2-43) 
+  [[EC2.44] EC2 subnets should be tagged](ec2-controls.md#ec2-44) 
+  [[EC2.45] EC2 volumes should be tagged](ec2-controls.md#ec2-45) 
+  [[EC2.46] Amazon VPCs should be tagged](ec2-controls.md#ec2-46) 
+  [[EC2.47] Amazon VPC endpoint services should be tagged](ec2-controls.md#ec2-47) 
+  [[EC2.48] Amazon VPC flow logs should be tagged](ec2-controls.md#ec2-48) 
+  [[EC2.49] Amazon VPC peering connections should be tagged](ec2-controls.md#ec2-49) 
+  [[EC2.50] EC2 VPN gateways should be tagged](ec2-controls.md#ec2-50) 
+  [[EC2.51] EC2 Client VPN endpoints should have client connection logging enabled](ec2-controls.md#ec2-51) 
+  [[EC2.52] EC2 transit gateways should be tagged](ec2-controls.md#ec2-52) 
+  [[EC2.53] EC2 security groups should not allow ingress from 0.0.0.0/0 to remote server administration ports](ec2-controls.md#ec2-53) 
+  [[EC2.54] EC2 security groups should not allow ingress from ::/0 to remote server administration ports](ec2-controls.md#ec2-54) 
+  [[EC2.55] VPCs should be configured with an interface endpoint for ECR API](ec2-controls.md#ec2-55) 
+  [[EC2.56] VPCs should be configured with an interface endpoint for Docker Registry](ec2-controls.md#ec2-56) 
+  [[EC2.57] VPCs should be configured with an interface endpoint for Systems Manager](ec2-controls.md#ec2-57) 
+  [[EC2.58] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager Contacts](ec2-controls.md#ec2-58) 
+  [[EC2.60] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager](ec2-controls.md#ec2-60) 
+  [[EC2.170] EC2 launch templates should use Instance Metadata Service Version 2 (IMDSv2)](ec2-controls.md#ec2-170) 
+  [[EC2.171] EC2 VPN connections should have logging enabled](ec2-controls.md#ec2-171) 
+  [[EC2.172] EC2 VPC Block Public Access settings should block internet gateway traffic](ec2-controls.md#ec2-172) 
+  [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](ec2-controls.md#ec2-173) 
+  [[EC2.174] EC2 DHCP option sets should be tagged](ec2-controls.md#ec2-174) 
+  [[EC2.175] EC2 launch templates should be tagged](ec2-controls.md#ec2-175) 
+  [[EC2.176] EC2 prefix lists should be tagged](ec2-controls.md#ec2-176) 
+  [[EC2.177] EC2 traffic mirror sessions should be tagged](ec2-controls.md#ec2-177) 
+  [[EC2.178] EC2 traffic mirror filters should be tagged](ec2-controls.md#ec2-178) 
+  [[EC2.179] EC2 traffic mirror targets should be tagged](ec2-controls.md#ec2-179) 
+  [[EC2.180] EC2 network interfaces should have source/destination checking enabled](ec2-controls.md#ec2-180) 
+  [[EC2.181] EC2 launch templates should enable encryption for attached EBS volumes](ec2-controls.md#ec2-181) 
+  [[EC2.182] Block public access settings should be enabled for Amazon EBS snapshots](ec2-controls.md#ec2-182) 
+  [[ECR.1] ECR private repositories should have image scanning configured](ecr-controls.md#ecr-1) 
+  [[ECR.2] ECR private repositories should have tag immutability configured](ecr-controls.md#ecr-2) 
+  [[ECR.3] ECR repositories should have at least one lifecycle policy configured](ecr-controls.md#ecr-3) 
+  [[ECR.4] ECR public repositories should be tagged](ecr-controls.md#ecr-4) 
+  [[ECR.5] ECR repositories should be encrypted with customer managed AWS KMS keys](ecr-controls.md#ecr-5) 
+  [[ECS.1] Amazon ECS task definitions should have secure networking modes and user definitions](ecs-controls.md#ecs-1) 
+  [[ECS.2] ECS services should not have public IP addresses assigned to them automatically](ecs-controls.md#ecs-2) 
+  [[ECS.3] ECS task definitions should not share the host's process namespace](ecs-controls.md#ecs-3) 
+  [[ECS.4] ECS containers should run as non-privileged](ecs-controls.md#ecs-4) 
+  [[ECS.5] ECS task definitions should configure containers to be limited to read-only access to root filesystems](ecs-controls.md#ecs-5) 
+  [[ECS.8] Secrets should not be passed as container environment variables](ecs-controls.md#ecs-8) 
+  [[ECS.9] ECS task definitions should have a logging configuration](ecs-controls.md#ecs-9) 
+  [[ECS.10] ECS Fargate services should run on the latest Fargate platform version](ecs-controls.md#ecs-10) 
+  [[ECS.12] ECS clusters should use Container Insights](ecs-controls.md#ecs-12) 
+  [[ECS.13] ECS services should be tagged](ecs-controls.md#ecs-13) 
+  [[ECS.14] ECS clusters should be tagged](ecs-controls.md#ecs-14) 
+  [[ECS.15] ECS task definitions should be tagged](ecs-controls.md#ecs-15) 
+  [[ECS.16] ECS task sets should not automatically assign public IP addresses](ecs-controls.md#ecs-16) 
+  [[ECS.17] ECS task definitions should not use host network mode](ecs-controls.md#ecs-17) 
+  [[ECS.18] ECS Task Definitions should use in-transit encryption for EFS volumes](ecs-controls.md#ecs-18) 
+  [[ECS.19] ECS capacity providers should have managed termination protection enabled](ecs-controls.md#ecs-19) 
+  [[ECS.20] ECS Task Definitions should configure non-root users in Linux container definitions](ecs-controls.md#ecs-20) 
+  [[ECS.21] ECS Task Definitions should configure non-administrator users in Windows container definitions](ecs-controls.md#ecs-21) 
+  [[EFS.1] Elastic File System should be configured to encrypt file data at-rest using AWS KMS](efs-controls.md#efs-1) 
+  [[EFS.2] Amazon EFS volumes should be in backup plans](efs-controls.md#efs-2) 
+  [[EFS.3] EFS access points should enforce a root directory](efs-controls.md#efs-3) 
+  [[EFS.4] EFS access points should enforce a user identity](efs-controls.md#efs-4) 
+  [[EFS.5] EFS access points should be tagged](efs-controls.md#efs-5) 
+  [[EFS.6] EFS mount targets should not be associated with subnets that assign public IP addresses on launch](efs-controls.md#efs-6) 
+  [[EFS.7] EFS file systems should have automatic backups enabled](efs-controls.md#efs-7) 
+  [[EFS.8] EFS file systems should be encrypted at rest](efs-controls.md#efs-8) 
+  [[EKS.1] EKS cluster endpoints should not be publicly accessible](eks-controls.md#eks-1) 
+  [[EKS.2] EKS clusters should run on a supported Kubernetes version](eks-controls.md#eks-2) 
+  [[EKS.3] EKS clusters should use encrypted Kubernetes secrets](eks-controls.md#eks-3) 
+  [[EKS.6] EKS clusters should be tagged](eks-controls.md#eks-6) 
+  [[EKS.7] EKS identity provider configurations should be tagged](eks-controls.md#eks-7) 
+  [[EKS.8] EKS clusters should have audit logging enabled](eks-controls.md#eks-8) 
+  [[ELB.2] Classic Load Balancers with SSL/HTTPS listeners should use a certificate provided by AWS Certificate Manager](elb-controls.md#elb-2) 
+  [[ELB.3] Classic Load Balancer listeners should be configured with HTTPS or TLS termination](elb-controls.md#elb-3) 
+  [[ELB.7] Classic Load Balancers should have connection draining enabled](elb-controls.md#elb-7) 
+  [[ELB.8] Classic Load Balancers with SSL listeners should use a predefined security policy that has strong AWS Configuration](elb-controls.md#elb-8) 
+  [[ELB.10] Classic Load Balancer should span multiple Availability Zones](elb-controls.md#elb-10) 
+  [[ELB.12] Application Load Balancer should be configured with defensive or strictest desync mitigation mode](elb-controls.md#elb-12) 
+  [[ELB.13] Application, Network and Gateway Load Balancers should span multiple Availability Zones](elb-controls.md#elb-13) 
+  [[ELB.14] Classic Load Balancer should be configured with defensive or strictest desync mitigation mode](elb-controls.md#elb-14) 
+  [[ELB.16] Application Load Balancers should be associated with an AWS WAF web ACL](elb-controls.md#elb-16) 
+  [[ELB.17] Application and Network Load Balancers with listeners should use recommended security policies](elb-controls.md#elb-17) 
+  [[ELB.18] Application and Network Load Balancer listeners should use secure protocols to encrypt data in transit](elb-controls.md#elb-18) 
+  [[ELB.21] Application and Network Load Balancer target groups should use encrypted health check protocols](elb-controls.md#elb-21) 
+  [[ELB.22] ELB target groups should use encrypted transport protocols](elb-controls.md#elb-22) 
+  [[ElastiCache.1] ElastiCache (Redis OSS) clusters should have automatic backups enabled](elasticache-controls.md#elasticache-1) 
+  [[ElastiCache.2] ElastiCache clusters should have automatic minor version upgrades enabled](elasticache-controls.md#elasticache-2) 
+  [[ElastiCache.3] ElastiCache replication groups should have automatic failover enabled](elasticache-controls.md#elasticache-3) 
+  [[ElastiCache.4] ElastiCache replication groups should be encrypted at rest](elasticache-controls.md#elasticache-4) 
+  [[ElastiCache.5] ElastiCache replication groups should be encrypted in transit](elasticache-controls.md#elasticache-5) 
+  [[ElastiCache.6] ElastiCache (Redis OSS) replication groups of earlier versions should have Redis OSS AUTH enabled](elasticache-controls.md#elasticache-6) 
+  [[ElastiCache.7] ElastiCache clusters should not use the default subnet group](elasticache-controls.md#elasticache-7) 
+  [[ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled](elasticbeanstalk-controls.md#elasticbeanstalk-1) 
+  [[ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled](elasticbeanstalk-controls.md#elasticbeanstalk-2) 
+  [[ElasticBeanstalk.3] Elastic Beanstalk should stream logs to CloudWatch](elasticbeanstalk-controls.md#elasticbeanstalk-3) 
+  [[EMR.1] Amazon EMR cluster primary nodes should not have public IP addresses](emr-controls.md#emr-1) 
+  [[EMR.2] Amazon EMR block public access setting should be enabled](emr-controls.md#emr-2) 
+  [[EMR.3] Amazon EMR security configurations should be encrypted at rest](emr-controls.md#emr-3) 
+  [[EMR.4] Amazon EMR security configurations should be encrypted in transit](emr-controls.md#emr-4) 
+  [[ES.1] Elasticsearch domains should have encryption at-rest enabled](es-controls.md#es-1) 
+  [[ES.2] Elasticsearch domains should not be publicly accessible](es-controls.md#es-2) 
+  [[ES.3] Elasticsearch domains should encrypt data sent between nodes](es-controls.md#es-3) 
+  [[ES.4] Elasticsearch domain error logging to CloudWatch Logs should be enabled](es-controls.md#es-4) 
+  [[ES.5] Elasticsearch domains should have audit logging enabled](es-controls.md#es-5) 
+  [[ES.6] Elasticsearch domains should have at least three data nodes](es-controls.md#es-6) 
+  [[ES.7] Elasticsearch domains should be configured with at least three dedicated master nodes](es-controls.md#es-7) 
+  [[ES.8] Connections to Elasticsearch domains should be encrypted using the latest TLS security policy](es-controls.md#es-8) 
+  [[ES.9] Elasticsearch domains should be tagged](es-controls.md#es-9) 
+  [[EventBridge.2] EventBridge event buses should be tagged](eventbridge-controls.md#eventbridge-2) 
+  [[EventBridge.3] EventBridge custom event buses should have a resource-based policy attached](eventbridge-controls.md#eventbridge-3) 
+  [[EventBridge.4] EventBridge global endpoints should have event replication enabled](eventbridge-controls.md#eventbridge-4) 
+  [[FraudDetector.1] Amazon Fraud Detector entity types should be tagged](frauddetector-controls.md#frauddetector-1) 
+  [[FraudDetector.2] Amazon Fraud Detector labels should be tagged](frauddetector-controls.md#frauddetector-2) 
+  [[FraudDetector.3] Amazon Fraud Detector outcomes should be tagged](frauddetector-controls.md#frauddetector-3) 
+  [[FraudDetector.4] Amazon Fraud Detector variables should be tagged](frauddetector-controls.md#frauddetector-4) 
+  [[FSx.1] FSx for OpenZFS file systems should be configured to copy tags to backups and volumes](fsx-controls.md#fsx-1) 
+  [[FSx.2] FSx for Lustre file systems should be configured to copy tags to backups](fsx-controls.md#fsx-2) 
+  [[FSx.3] FSx for OpenZFS file systems should be configured for Multi-AZ deployment](fsx-controls.md#fsx-3) 
+  [[FSx.4] FSx for NetApp ONTAP file systems should be configured for Multi-AZ deployment](fsx-controls.md#fsx-4) 
+  [[FSx.5] FSx for Windows File Server file systems should be configured for Multi-AZ deployment](fsx-controls.md#fsx-5) 
+  [[GlobalAccelerator.1] Global Accelerator accelerators should be tagged](globalaccelerator-controls.md#globalaccelerator-1) 
+  [[Glue.1] AWS Glue jobs should be tagged](glue-controls.md#glue-1) 
+  [[Glue.3] AWS Glue machine learning transforms should be encrypted at rest](glue-controls.md#glue-3) 
+  [[Glue.4] AWS Glue Spark jobs should run on supported versions of AWS Glue](glue-controls.md#glue-4) 
+  [[GuardDuty.1] GuardDuty should be enabled](guardduty-controls.md#guardduty-1) 
+  [[GuardDuty.2] GuardDuty filters should be tagged](guardduty-controls.md#guardduty-2) 
+  [[GuardDuty.3] GuardDuty IPSets should be tagged](guardduty-controls.md#guardduty-3) 
+  [[GuardDuty.4] GuardDuty detectors should be tagged](guardduty-controls.md#guardduty-4) 
+  [[GuardDuty.5] GuardDuty EKS Audit Log Monitoring should be enabled](guardduty-controls.md#guardduty-5) 
+  [[GuardDuty.6] GuardDuty Lambda Protection should be enabled](guardduty-controls.md#guardduty-6) 
+  [[GuardDuty.7] GuardDuty EKS Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-7) 
+  [[GuardDuty.8] GuardDuty Malware Protection for EC2 should be enabled](guardduty-controls.md#guardduty-8) 
+  [[GuardDuty.9] GuardDuty RDS Protection should be enabled](guardduty-controls.md#guardduty-9) 
+  [[GuardDuty.10] GuardDuty S3 Protection should be enabled](guardduty-controls.md#guardduty-10) 
+  [[GuardDuty.11] GuardDuty Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-11) 
+  [[GuardDuty.12] GuardDuty ECS Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-12) 
+  [[GuardDuty.13] GuardDuty EC2 Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-13) 
+  [[IAM.1] IAM policies should not allow full "*" administrative privileges](iam-controls.md#iam-1) 
+  [[IAM.2] IAM users should not have IAM policies attached](iam-controls.md#iam-2) 
+  [[IAM.3] IAM users' access keys should be rotated every 90 days or less](iam-controls.md#iam-3) 
+  [[IAM.4] IAM root user access key should not exist](iam-controls.md#iam-4) 
+  [[IAM.5] MFA should be enabled for all IAM users that have a console password](iam-controls.md#iam-5) 
+  [[IAM.6] Hardware MFA should be enabled for the root user](iam-controls.md#iam-6) 
+  [[IAM.7] Password policies for IAM users should have strong configurations](iam-controls.md#iam-7) 
+  [[IAM.8] Unused IAM user credentials should be removed](iam-controls.md#iam-8) 
+  [[IAM.9] MFA should be enabled for the root user](iam-controls.md#iam-9) 
+  [[IAM.10] Password policies for IAM users should have strong configurations](iam-controls.md#iam-10) 
+  [[IAM.11] Ensure IAM password policy requires at least one uppercase letter](iam-controls.md#iam-11) 
+  [[IAM.12] Ensure IAM password policy requires at least one lowercase letter](iam-controls.md#iam-12) 
+  [[IAM.13] Ensure IAM password policy requires at least one symbol](iam-controls.md#iam-13) 
+  [[IAM.14] Ensure IAM password policy requires at least one number](iam-controls.md#iam-14) 
+  [[IAM.15] Ensure IAM password policy requires minimum password length of 14 or greater](iam-controls.md#iam-15) 
+  [[IAM.16] Ensure IAM password policy prevents password reuse](iam-controls.md#iam-16) 
+  [[IAM.17] Ensure IAM password policy expires passwords within 90 days or less](iam-controls.md#iam-17) 
+  [[IAM.18] Ensure a support role has been created to manage incidents with AWS Support](iam-controls.md#iam-18) 
+  [[IAM.19] MFA should be enabled for all IAM users](iam-controls.md#iam-19) 
+  [[IAM.21] IAM customer managed policies that you create should not allow wildcard actions for services](iam-controls.md#iam-21) 
+  [[IAM.22] IAM user credentials unused for 45 days should be removed](iam-controls.md#iam-22) 
+  [[IAM.23] IAM Access Analyzer analyzers should be tagged](iam-controls.md#iam-23) 
+  [[IAM.24] IAM roles should be tagged](iam-controls.md#iam-24) 
+  [[IAM.25] IAM users should be tagged](iam-controls.md#iam-25) 
+  [[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed](iam-controls.md#iam-26) 
+  [[IAM.27] IAM identities should not have the AWSCloudShellFullAccess policy attached](iam-controls.md#iam-27) 
+  [[IAM.28] IAM Access Analyzer external access analyzer should be enabled](iam-controls.md#iam-28) 
+  [[Inspector.1] Amazon Inspector EC2 scanning should be enabled](inspector-controls.md#inspector-1) 
+  [[Inspector.2] Amazon Inspector ECR scanning should be enabled](inspector-controls.md#inspector-2) 
+  [[Inspector.3] Amazon Inspector Lambda code scanning should be enabled](inspector-controls.md#inspector-3) 
+  [[Inspector.4] Amazon Inspector Lambda standard scanning should be enabled](inspector-controls.md#inspector-4) 
+  [[IoT.1] AWS IoT Device Defender security profiles should be tagged](iot-controls.md#iot-1) 
+  [[IoT.2] AWS IoT Core mitigation actions should be tagged](iot-controls.md#iot-2) 
+  [[IoT.3] AWS IoT Core dimensions should be tagged](iot-controls.md#iot-3) 
+  [[IoT.4] AWS IoT Core authorizers should be tagged](iot-controls.md#iot-4) 
+  [[IoT.5] AWS IoT Core role aliases should be tagged](iot-controls.md#iot-5) 
+  [[IoT.6] AWS IoT Core policies should be tagged](iot-controls.md#iot-6) 
+  [[IoTEvents.1] AWS IoT Events inputs should be tagged](iotevents-controls.md#iotevents-1) 
+  [[IoTEvents.2] AWS IoT Events detector models should be tagged](iotevents-controls.md#iotevents-2) 
+  [[IoTEvents.3] AWS IoT Events alarm models should be tagged](iotevents-controls.md#iotevents-3) 
+  [[IoTSiteWise.1] AWS IoT SiteWise asset models should be tagged](iotsitewise-controls.md#iotsitewise-1) 
+  [[IoTSiteWise.2] AWS IoT SiteWise dashboards should be tagged](iotsitewise-controls.md#iotsitewise-2) 
+  [[IoTSiteWise.3] AWS IoT SiteWise gateways should be tagged](iotsitewise-controls.md#iotsitewise-3) 
+  [[IoTSiteWise.4] AWS IoT SiteWise portals should be tagged](iotsitewise-controls.md#iotsitewise-4) 
+  [[IoTSiteWise.5] AWS IoT SiteWise projects should be tagged](iotsitewise-controls.md#iotsitewise-5) 
+  [[IoTTwinMaker.1] AWS IoT TwinMaker sync jobs should be tagged](iottwinmaker-controls.md#iottwinmaker-1) 
+  [[IoTTwinMaker.2] AWS IoT TwinMaker workspaces should be tagged](iottwinmaker-controls.md#iottwinmaker-2) 
+  [[IoTTwinMaker.3] AWS IoT TwinMaker scenes should be tagged](iottwinmaker-controls.md#iottwinmaker-3) 
+  [[IoTTwinMaker.4] AWS IoT TwinMaker entities should be tagged](iottwinmaker-controls.md#iottwinmaker-4) 
+  [[IoTWireless.1] AWS IoT Wireless multicast groups should be tagged](iotwireless-controls.md#iotwireless-1) 
+  [[IoTWireless.2] AWS IoT Wireless service profiles should be tagged](iotwireless-controls.md#iotwireless-2) 
+  [[IoTWireless.3] AWS IoT FUOTA tasks should be tagged](iotwireless-controls.md#iotwireless-3) 
+  [[IVS.1] IVS playback key pairs should be tagged](ivs-controls.md#ivs-1) 
+  [[IVS.2] IVS recording configurations should be tagged](ivs-controls.md#ivs-2) 
+  [[IVS.3] IVS channels should be tagged](ivs-controls.md#ivs-3) 
+  [[Keyspaces.1] Amazon Keyspaces keyspaces should be tagged](keyspaces-controls.md#keyspaces-1) 
+  [[Kinesis.1] Kinesis streams should be encrypted at rest](kinesis-controls.md#kinesis-1) 
+  [[Kinesis.2] Kinesis streams should be tagged](kinesis-controls.md#kinesis-2) 
+  [[Kinesis.3] Kinesis streams should have an adequate data retention period](kinesis-controls.md#kinesis-3) 
+  [[KMS.1] IAM customer managed policies should not allow decryption actions on all KMS keys](kms-controls.md#kms-1) 
+  [[KMS.2] IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys](kms-controls.md#kms-2) 
+  [[KMS.3] AWS KMS keys should not be deleted unintentionally](kms-controls.md#kms-3) 
+  [[KMS.5] KMS keys should not be publicly accessible](kms-controls.md#kms-5) 
+  [[Lambda.5] VPC Lambda functions should operate in multiple Availability Zones](lambda-controls.md#lambda-5) 
+  [[Lambda.6] Lambda functions should be tagged](lambda-controls.md#lambda-6) 
+  [[Lambda.7] Lambda functions should have AWS X-Ray active tracing enabled](lambda-controls.md#lambda-7) 
+  [[Macie.1] Amazon Macie should be enabled](macie-controls.md#macie-1) 
+  [[Macie.2] Macie automated sensitive data discovery should be enabled](macie-controls.md#macie-2) 
+  [[MQ.2] ActiveMQ brokers should stream audit logs to CloudWatch](mq-controls.md#mq-2) 
+  [[MQ.4] Amazon MQ brokers should be tagged](mq-controls.md#mq-4) 
+  [[MQ.5] ActiveMQ brokers should use active/standby deployment mode](mq-controls.md#mq-5) 
+  [[MQ.6] RabbitMQ brokers should use cluster deployment mode](mq-controls.md#mq-6) 
+  [[MSK.1] MSK clusters should be encrypted in transit among broker nodes](msk-controls.md#msk-1) 
+  [[MSK.2] MSK clusters should have enhanced monitoring configured](msk-controls.md#msk-2) 
+  [[MSK.3] MSK Connect connectors should be encrypted in transit](msk-controls.md#msk-3) 
+  [[MSK.4] MSK clusters should have public access disabled](msk-controls.md#msk-4) 
+  [[MSK.5] MSK connectors should have logging enabled](msk-controls.md#msk-5) 
+  [[MSK.6] MSK clusters should disable unauthenticated access](msk-controls.md#msk-6) 
+  [[Neptune.1] Neptune DB clusters should be encrypted at rest](neptune-controls.md#neptune-1) 
+  [[Neptune.2] Neptune DB clusters should publish audit logs to CloudWatch Logs](neptune-controls.md#neptune-2) 
+  [[Neptune.3] Neptune DB cluster snapshots should not be public](neptune-controls.md#neptune-3) 
+  [[Neptune.4] Neptune DB clusters should have deletion protection enabled](neptune-controls.md#neptune-4) 
+  [[Neptune.5] Neptune DB clusters should have automated backups enabled](neptune-controls.md#neptune-5) 
+  [[Neptune.6] Neptune DB cluster snapshots should be encrypted at rest](neptune-controls.md#neptune-6) 
+  [[Neptune.7] Neptune DB clusters should have IAM database authentication enabled](neptune-controls.md#neptune-7) 
+  [[Neptune.8] Neptune DB clusters should be configured to copy tags to snapshots](neptune-controls.md#neptune-8) 
+  [[Neptune.9] Neptune DB clusters should be deployed across multiple Availability Zones](neptune-controls.md#neptune-9) 
+  [[NetworkFirewall.1] Network Firewall firewalls should be deployed across multiple Availability Zones](networkfirewall-controls.md#networkfirewall-1) 
+  [[NetworkFirewall.2] Network Firewall logging should be enabled](networkfirewall-controls.md#networkfirewall-2) 
+  [[NetworkFirewall.3] Network Firewall policies should have at least one rule group associated](networkfirewall-controls.md#networkfirewall-3) 
+  [[NetworkFirewall.4] The default stateless action for Network Firewall policies should be drop or forward for full packets](networkfirewall-controls.md#networkfirewall-4) 
+  [[NetworkFirewall.5] The default stateless action for Network Firewall policies should be drop or forward for fragmented packets](networkfirewall-controls.md#networkfirewall-5) 
+  [[NetworkFirewall.6] Stateless Network Firewall rule group should not be empty](networkfirewall-controls.md#networkfirewall-6) 
+  [[NetworkFirewall.7] Network Firewall firewalls should be tagged](networkfirewall-controls.md#networkfirewall-7) 
+  [[NetworkFirewall.8] Network Firewall firewall policies should be tagged](networkfirewall-controls.md#networkfirewall-8) 
+  [[NetworkFirewall.9] Network Firewall firewalls should have deletion protection enabled](networkfirewall-controls.md#networkfirewall-9) 
+  [[NetworkFirewall.10] Network Firewall firewalls should have subnet change protection enabled](networkfirewall-controls.md#networkfirewall-10) 
+  [[Opensearch.1] OpenSearch domains should have encryption at rest enabled](opensearch-controls.md#opensearch-1) 
+  [[Opensearch.2] OpenSearch domains should not be publicly accessible](opensearch-controls.md#opensearch-2) 
+  [[Opensearch.3] OpenSearch domains should encrypt data sent between nodes](opensearch-controls.md#opensearch-3) 
+  [[Opensearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled](opensearch-controls.md#opensearch-4) 
+  [[Opensearch.5] OpenSearch domains should have audit logging enabled](opensearch-controls.md#opensearch-5) 
+  [[Opensearch.6] OpenSearch domains should have at least three data nodes](opensearch-controls.md#opensearch-6) 
+  [[Opensearch.7] OpenSearch domains should have fine-grained access control enabled](opensearch-controls.md#opensearch-7) 
+  [[Opensearch.8] Connections to OpenSearch domains should be encrypted using the latest TLS security policy](opensearch-controls.md#opensearch-8) 
+  [[Opensearch.9] OpenSearch domains should be tagged](opensearch-controls.md#opensearch-9) 
+  [[Opensearch.10] OpenSearch domains should have the latest software update installed](opensearch-controls.md#opensearch-10) 
+  [[Opensearch.11] OpenSearch domains should have at least three dedicated primary nodes](opensearch-controls.md#opensearch-11) 
+  [[PCA.1] AWS Private CA root certificate authority should be disabled](pca-controls.md#pca-1) 
+  [[PCA.2] AWS Private CA certificate authorities should be tagged](pca-controls.md#pca-2) 
+  [[RDS.14] Amazon Aurora clusters should have backtracking enabled](rds-controls.md#rds-14) 
+  [[RDS.16] Aurora DB clusters should be configured to copy tags to DB snapshots](rds-controls.md#rds-16) 
+  [[RDS.17] RDS DB instances should be configured to copy tags to snapshots](rds-controls.md#rds-17) 
+  [[RDS.18] RDS instances should be deployed in a VPC](rds-controls.md#rds-18) 
+  [[RDS.19] Existing RDS event notification subscriptions should be configured for critical cluster events](rds-controls.md#rds-19) 
+  [[RDS.20] Existing RDS event notification subscriptions should be configured for critical database instance events](rds-controls.md#rds-20) 
+  [[RDS.21] An RDS event notifications subscription should be configured for critical database parameter group events](rds-controls.md#rds-21) 
+  [[RDS.22] An RDS event notifications subscription should be configured for critical database security group events](rds-controls.md#rds-22) 
+  [[RDS.23] RDS instances should not use a database engine default port](rds-controls.md#rds-23) 
+  [[RDS.24] RDS Database clusters should use a custom administrator username](rds-controls.md#rds-24) 
+  [[RDS.25] RDS database instances should use a custom administrator username](rds-controls.md#rds-25) 
+  [[RDS.26] RDS DB instances should be protected by a backup plan](rds-controls.md#rds-26) 
+  [[RDS.27] RDS DB clusters should be encrypted at rest](rds-controls.md#rds-27) 
+  [[RDS.28] RDS DB clusters should be tagged](rds-controls.md#rds-28) 
+  [[RDS.29] RDS DB cluster snapshots should be tagged](rds-controls.md#rds-29) 
+  [[RDS.30] RDS DB instances should be tagged](rds-controls.md#rds-30) 
+  [[RDS.31] RDS DB security groups should be tagged](rds-controls.md#rds-31) 
+  [[RDS.32] RDS DB snapshots should be tagged](rds-controls.md#rds-32) 
+  [[RDS.33] RDS DB subnet groups should be tagged](rds-controls.md#rds-33) 
+  [[RDS.34] Aurora MySQL DB clusters should publish audit logs to CloudWatch Logs](rds-controls.md#rds-34) 
+  [[RDS.35] RDS DB clusters should have automatic minor version upgrade enabled](rds-controls.md#rds-35) 
+  [[RDS.36] RDS for PostgreSQL DB instances should publish logs to CloudWatch Logs](rds-controls.md#rds-36) 
+  [[RDS.37] Aurora PostgreSQL DB clusters should publish logs to CloudWatch Logs](rds-controls.md#rds-37) 
+  [[RDS.38] RDS for PostgreSQL DB instances should be encrypted in transit](rds-controls.md#rds-38) 
+  [[RDS.39] RDS for MySQL DB instances should be encrypted in transit](rds-controls.md#rds-39) 
+  [[RDS.40] RDS for SQL Server DB instances should publish logs to CloudWatch Logs](rds-controls.md#rds-40) 
+  [[RDS.41] RDS for SQL Server DB instances should be encrypted in transit](rds-controls.md#rds-41) 
+  [[RDS.42] RDS for MariaDB DB instances should publish logs to CloudWatch Logs](rds-controls.md#rds-42) 
+  [[RDS.43] RDS DB proxies should require TLS encryption for connections](rds-controls.md#rds-43) 
+  [[RDS.44] RDS for MariaDB DB instances should be encrypted in transit](rds-controls.md#rds-44) 
+  [[RDS.45] Aurora MySQL DB clusters should have audit logging enabled](rds-controls.md#rds-45) 
+  [[RDS.46] RDS DB instances should not be deployed in public subnets with routes to internet gateways](rds-controls.md#rds-46) 
+  [[RDS.47] RDS for PostgreSQL DB clusters should be configured to copy tags to DB snapshots](rds-controls.md#rds-47) 
+  [[RDS.48] RDS for MySQL DB clusters should be configured to copy tags to DB snapshots](rds-controls.md#rds-48) 
+  [[RDS.50] RDS DB clusters should have enough backup retention period set](rds-controls.md#rds-50) 
+  [[Redshift.1] Amazon Redshift clusters should prohibit public access](redshift-controls.md#redshift-1) 
+  [[Redshift.2] Connections to Amazon Redshift clusters should be encrypted in transit](redshift-controls.md#redshift-2) 
+  [[Redshift.3] Amazon Redshift clusters should have automatic snapshots enabled](redshift-controls.md#redshift-3) 
+  [[Redshift.4] Amazon Redshift clusters should have audit logging enabled](redshift-controls.md#redshift-4) 
+  [[Redshift.6] Amazon Redshift should have automatic upgrades to major versions enabled](redshift-controls.md#redshift-6) 
+  [[Redshift.7] Redshift clusters should use enhanced VPC routing](redshift-controls.md#redshift-7) 
+  [[Redshift.8] Amazon Redshift clusters should not use the default Admin username](redshift-controls.md#redshift-8) 
+  [[Redshift.10] Redshift clusters should be encrypted at rest](redshift-controls.md#redshift-10) 
+  [[Redshift.11] Redshift clusters should be tagged](redshift-controls.md#redshift-11) 
+  [[Redshift.12] Redshift event notification subscriptions should be tagged](redshift-controls.md#redshift-12) 
+  [[Redshift.13] Redshift cluster snapshots should be tagged](redshift-controls.md#redshift-13) 
+  [[Redshift.14] Redshift cluster subnet groups should be tagged](redshift-controls.md#redshift-14) 
+  [[Redshift.15] Redshift security groups should allow ingress on the cluster port only from restricted origins](redshift-controls.md#redshift-15) 
+  [[Redshift.16] Redshift cluster subnet groups should have subnets from multiple Availability Zones](redshift-controls.md#redshift-16) 
+  [[Redshift.17] Redshift cluster parameter groups should be tagged](redshift-controls.md#redshift-17) 
+  [[Redshift.18] Redshift clusters should have Multi-AZ deployments enabled](redshift-controls.md#redshift-18) 
+  [[RedshiftServerless.1] Amazon Redshift Serverless workgroups should use enhanced VPC routing](redshiftserverless-controls.md#redshiftserverless-1) 
+  [[RedshiftServerless.2] Connections to Redshift Serverless workgroups should be required to use SSL](redshiftserverless-controls.md#redshiftserverless-2) 
+  [[RedshiftServerless.3] Redshift Serverless workgroups should prohibit public access](redshiftserverless-controls.md#redshiftserverless-3) 
+  [[RedshiftServerless.4] Redshift Serverless namespaces should be encrypted with customer managed AWS KMS keys](redshiftserverless-controls.md#redshiftserverless-4) 
+  [[RedshiftServerless.5] Redshift Serverless namespaces should not use the default admin username](redshiftserverless-controls.md#redshiftserverless-5) 
+  [[RedshiftServerless.6] Redshift Serverless namespaces should export logs to CloudWatch Logs](redshiftserverless-controls.md#redshiftserverless-6) 
+  [[Route53.1] Route 53 health checks should be tagged](route53-controls.md#route53-1) 
+  [[Route53.2] Route 53 public hosted zones should log DNS queries](route53-controls.md#route53-2) 
+  [[S3.7] S3 general purpose buckets should use cross-Region replication](s3-controls.md#s3-7) 
+  [[S3.10] S3 general purpose buckets with versioning enabled should have Lifecycle configurations](s3-controls.md#s3-10) 
+  [[S3.11] S3 general purpose buckets should have event notifications enabled](s3-controls.md#s3-11) 
+  [[S3.12] ACLs should not be used to manage user access to S3 general purpose buckets](s3-controls.md#s3-12) 
+  [[S3.13] S3 general purpose buckets should have Lifecycle configurations](s3-controls.md#s3-13) 
+  [[S3.17] S3 general purpose buckets should be encrypted at rest with AWS KMS keys](s3-controls.md#s3-17) 
+  [[S3.19] S3 access points should have block public access settings enabled](s3-controls.md#s3-19) 
+  [[S3.20] S3 general purpose buckets should have MFA delete enabled](s3-controls.md#s3-20) 
+  [[S3.22] S3 general purpose buckets should log object-level write events](s3-controls.md#s3-22) 
+  [[S3.23] S3 general purpose buckets should log object-level read events](s3-controls.md#s3-23) 
+  [[S3.24] S3 Multi-Region Access Points should have block public access settings enabled](s3-controls.md#s3-24) 
+  [[S3.25] S3 directory buckets should have lifecycle configurations](s3-controls.md#s3-25) 
+  [[SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access](sagemaker-controls.md#sagemaker-1) 
+  [[SageMaker.2] SageMaker notebook instances should be launched in a custom VPC](sagemaker-controls.md#sagemaker-2) 
+  [[SageMaker.3] Users should not have root access to SageMaker notebook instances](sagemaker-controls.md#sagemaker-3) 
+  [[SageMaker.4] SageMaker endpoint production variants should have an initial instance count greater than 1](sagemaker-controls.md#sagemaker-4) 
+  [[SageMaker.5] SageMaker models should have network isolation enabled](sagemaker-controls.md#sagemaker-5) 
+  [[SageMaker.6] SageMaker app image configurations should be tagged](sagemaker-controls.md#sagemaker-6) 
+  [[SageMaker.7] SageMaker images should be tagged](sagemaker-controls.md#sagemaker-7) 
+  [[SageMaker.8] SageMaker notebook instances should run on supported platforms](sagemaker-controls.md#sagemaker-8) 
+  [[SageMaker.9] SageMaker data quality job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-9) 
+  [[SageMaker.10] SageMaker model explainability job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-10) 
+  [[SageMaker.11] SageMaker data quality job definitions should have network isolation enabled](sagemaker-controls.md#sagemaker-11) 
+  [[SageMaker.12] SageMaker model bias job definitions should have network isolation enabled](sagemaker-controls.md#sagemaker-12) 
+  [[SageMaker.13] SageMaker model quality job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-13) 
+  [[SageMaker.14] SageMaker monitoring schedules should have network isolation enabled](sagemaker-controls.md#sagemaker-14) 
+  [[SageMaker.15] SageMaker model bias job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-15) 
+  [[SES.1] SES contact lists should be tagged](ses-controls.md#ses-1) 
+  [[SES.2] SES configuration sets should be tagged](ses-controls.md#ses-2) 
+  [[SES.3] SES configuration sets should have TLS enabled for sending emails](ses-controls.md#ses-3) 
+  [[SecretsManager.1] Secrets Manager secrets should have automatic rotation enabled](secretsmanager-controls.md#secretsmanager-1) 
+  [[SecretsManager.2] Secrets Manager secrets configured with automatic rotation should rotate successfully](secretsmanager-controls.md#secretsmanager-2) 
+  [[SecretsManager.3] Remove unused Secrets Manager secrets](secretsmanager-controls.md#secretsmanager-3) 
+  [[SecretsManager.4] Secrets Manager secrets should be rotated within a specified number of days](secretsmanager-controls.md#secretsmanager-4) 
+  [[SecretsManager.5] Secrets Manager secrets should be tagged](secretsmanager-controls.md#secretsmanager-5) 
+  [[ServiceCatalog.1] Service Catalog portfolios should be shared within an AWS organization only](servicecatalog-controls.md#servicecatalog-1) 
+  [[SNS.3] SNS topics should be tagged](sns-controls.md#sns-3) 
+  [[SNS.4] SNS topic access policies should not allow public access](sns-controls.md#sns-4) 
+  [[SQS.1] Amazon SQS queues should be encrypted at rest](sqs-controls.md#sqs-1) 
+  [[SQS.2] SQS queues should be tagged](sqs-controls.md#sqs-2) 
+  [[SQS.3] SQS queue access policies should not allow public access](sqs-controls.md#sqs-3) 
+  [[SSM.1] Amazon EC2 instances should be managed by AWS Systems Manager](ssm-controls.md#ssm-1) 
+  [[SSM.2] Amazon EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation](ssm-controls.md#ssm-2) 
+  [[SSM.3] Amazon EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT](ssm-controls.md#ssm-3) 
+  [[SSM.4] SSM documents should not be public](ssm-controls.md#ssm-4) 
+  [[SSM.5] SSM documents should be tagged](ssm-controls.md#ssm-5) 
+  [[SSM.6] SSM Automation should have CloudWatch logging enabled](ssm-controls.md#ssm-6) 
+  [[SSM.7] SSM documents should have the block public sharing setting enabled](ssm-controls.md#ssm-7) 
+  [[StepFunctions.1] Step Functions state machines should have logging turned on](stepfunctions-controls.md#stepfunctions-1) 
+  [[StepFunctions.2] Step Functions activities should be tagged](stepfunctions-controls.md#stepfunctions-2) 
+  [[Transfer.1] AWS Transfer Family workflows should be tagged](transfer-controls.md#transfer-1) 
+  [[Transfer.2] Transfer Family servers should not use FTP protocol for endpoint connection](transfer-controls.md#transfer-2) 
+  [[Transfer.3] Transfer Family connectors should have logging enabled](transfer-controls.md#transfer-3) 
+  [[Transfer.4] Transfer Family agreements should be tagged](transfer-controls.md#transfer-4) 
+  [[Transfer.5] Transfer Family certificates should be tagged](transfer-controls.md#transfer-5) 
+  [[Transfer.6] Transfer Family connectors should be tagged](transfer-controls.md#transfer-6) 
+  [[Transfer.7] Transfer Family profiles should be tagged](transfer-controls.md#transfer-7) 
+  [[WAF.1] AWS WAF Classic Global Web ACL logging should be enabled](waf-controls.md#waf-1) 
+  [[WAF.2] AWS WAF Classic Regional rules should have at least one condition](waf-controls.md#waf-2) 
+  [[WAF.3] AWS WAF Classic Regional rule groups should have at least one rule](waf-controls.md#waf-3) 
+  [[WAF.4] AWS WAF Classic Regional web ACLs should have at least one rule or rule group](waf-controls.md#waf-4) 
+  [[WAF.6] AWS WAF Classic global rules should have at least one condition](waf-controls.md#waf-6) 
+  [[WAF.7] AWS WAF Classic global rule groups should have at least one rule](waf-controls.md#waf-7) 
+  [[WAF.8] AWS WAF Classic global web ACLs should have at least one rule or rule group](waf-controls.md#waf-8) 
+  [[WAF.10] AWS WAF web ACLs should have at least one rule or rule group](waf-controls.md#waf-10) 
+  [[WAF.11] AWS WAF web ACL logging should be enabled](waf-controls.md#waf-11) 
+  [[WAF.12] AWS WAF rules should have CloudWatch metrics enabled](waf-controls.md#waf-12) 
+  [[WorkSpaces.1] WorkSpaces user volumes should be encrypted at rest](workspaces-controls.md#workspaces-1) 
+  [[WorkSpaces.2] WorkSpaces root volumes should be encrypted at rest](workspaces-controls.md#workspaces-2) 

## Asia Pacific (Thailand)
<a name="securityhub-control-support-apsoutheast7"></a>

The following controls are not supported in the Asia Pacific (Thailand) Region.
+  [[ACM.1] Imported and ACM-issued certificates should be renewed after a specified time period](acm-controls.md#acm-1) 
+  [[ACM.2] RSA certificates managed by ACM should use a key length of at least 2,048 bits](acm-controls.md#acm-2) 
+  [[Account.1] Security contact information should be provided for an AWS account](account-controls.md#account-1) 
+  [[Account.2] AWS accounts should be part of an AWS Organizations organization](account-controls.md#account-2) 
+  [[APIGateway.8] API Gateway routes should specify an authorization type](apigateway-controls.md#apigateway-8) 
+  [[APIGateway.9] Access logging should be configured for API Gateway V2 Stages](apigateway-controls.md#apigateway-9) 
+  [[APIGateway.10] API Gateway V2 integrations should use HTTPS for private connections](apigateway-controls.md#apigateway-10) 
+  [[Amplify.1] Amplify apps should be tagged](amplify-controls.md#amplify-1) 
+  [[Amplify.2] Amplify branches should be tagged](amplify-controls.md#amplify-2) 
+  [[AppConfig.1] AWS AppConfig applications should be tagged](appconfig-controls.md#appconfig-1) 
+  [[AppConfig.2] AWS AppConfig configuration profiles should be tagged](appconfig-controls.md#appconfig-2) 
+  [[AppConfig.3] AWS AppConfig environments should be tagged](appconfig-controls.md#appconfig-3) 
+  [[AppConfig.4] AWS AppConfig extension associations should be tagged](appconfig-controls.md#appconfig-4) 
+  [[AppFlow.1] Amazon AppFlow flows should be tagged](appflow-controls.md#appflow-1) 
+  [[AppRunner.1] App Runner services should be tagged](apprunner-controls.md#apprunner-1) 
+  [[AppRunner.2] App Runner VPC connectors should be tagged](apprunner-controls.md#apprunner-2) 
+  [[AppSync.1] AWS AppSync API caches should be encrypted at rest](appsync-controls.md#appsync-1) 
+  [[AppSync.2] AWS AppSync should have field-level logging enabled](appsync-controls.md#appsync-2) 
+  [[AppSync.5] AWS AppSync GraphQL APIs should not be authenticated with API keys](appsync-controls.md#appsync-5) 
+  [[AppSync.6] AWS AppSync API caches should be encrypted in transit](appsync-controls.md#appsync-6) 
+  [[Athena.2] Athena data catalogs should be tagged](athena-controls.md#athena-2) 
+  [[Athena.3] Athena workgroups should be tagged](athena-controls.md#athena-3) 
+  [[Athena.4] Athena workgroups should have logging enabled](athena-controls.md#athena-4) 
+  [[AutoScaling.2] Amazon EC2 Auto Scaling group should cover multiple Availability Zones](autoscaling-controls.md#autoscaling-2) 
+  [[AutoScaling.3] Auto Scaling group launch configurations should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2)](autoscaling-controls.md#autoscaling-3) 
+  [[AutoScaling.6] Auto Scaling groups should use multiple instance types in multiple Availability Zones](autoscaling-controls.md#autoscaling-6) 
+  [[AutoScaling.9] Amazon EC2 Auto Scaling groups should use Amazon EC2 launch templates](autoscaling-controls.md#autoscaling-9) 
+  [[Backup.1] AWS Backup recovery points should be encrypted at rest](backup-controls.md#backup-1) 
+  [[Backup.2] AWS Backup recovery points should be tagged](backup-controls.md#backup-2) 
+  [[Backup.4] AWS Backup report plans should be tagged](backup-controls.md#backup-4) 
+  [[Batch.1] Batch job queues should be tagged](batch-controls.md#batch-1) 
+  [[Batch.2] Batch scheduling policies should be tagged](batch-controls.md#batch-2) 
+  [[Batch.3] Batch compute environments should be tagged](batch-controls.md#batch-3) 
+  [[Batch.4] Compute resources properties in managed Batch compute environments should be tagged](batch-controls.md#batch-4) 
+  [[CloudFormation.3] CloudFormation stacks should have termination protection enabled](cloudformation-controls.md#cloudformation-3) 
+  [[CloudFormation.4] CloudFormation stacks should have associated service roles](cloudformation-controls.md#cloudformation-4) 
+  [[CloudFront.1] CloudFront distributions should have a default root object configured](cloudfront-controls.md#cloudfront-1) 
+  [[CloudFront.3] CloudFront distributions should require encryption in transit](cloudfront-controls.md#cloudfront-3) 
+  [[CloudFront.4] CloudFront distributions should have origin failover configured](cloudfront-controls.md#cloudfront-4) 
+  [[CloudFront.5] CloudFront distributions should have logging enabled](cloudfront-controls.md#cloudfront-5) 
+  [[CloudFront.6] CloudFront distributions should have WAF enabled](cloudfront-controls.md#cloudfront-6) 
+  [[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates](cloudfront-controls.md#cloudfront-7) 
+  [[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests](cloudfront-controls.md#cloudfront-8) 
+  [[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins](cloudfront-controls.md#cloudfront-9) 
+  [[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins](cloudfront-controls.md#cloudfront-10) 
+  [[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins](cloudfront-controls.md#cloudfront-12) 
+  [[CloudFront.13] CloudFront distributions should use origin access control](cloudfront-controls.md#cloudfront-13) 
+  [[CloudFront.14] CloudFront distributions should be tagged](cloudfront-controls.md#cloudfront-14) 
+  [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](cloudfront-controls.md#cloudfront-15) 
+  [[CloudFront.16] CloudFront distributions should use origin access control for Lambda function URL origins](cloudfront-controls.md#cloudfront-16) 
+  [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](cloudfront-controls.md#cloudfront-17) 
+  [[CloudTrail.6] Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible](cloudtrail-controls.md#cloudtrail-6) 
+  [[CloudTrail.7] Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket](cloudtrail-controls.md#cloudtrail-7) 
+  [[CloudTrail.10] CloudTrail Lake event data stores should be encrypted with customer managed AWS KMS keys](cloudtrail-controls.md#cloudtrail-10) 
+  [[CloudWatch.17] CloudWatch alarm actions should be activated](cloudwatch-controls.md#cloudwatch-17) 
+  [[CodeArtifact.1] CodeArtifact repositories should be tagged](codeartifact-controls.md#codeartifact-1) 
+  [[CodeBuild.1] CodeBuild Bitbucket source repository URLs should not contain sensitive credentials](codebuild-controls.md#codebuild-1) 
+  [[CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials](codebuild-controls.md#codebuild-2) 
+  [[CodeBuild.3] CodeBuild S3 logs should be encrypted](codebuild-controls.md#codebuild-3) 
+  [[CodeBuild.4] CodeBuild project environments should have a logging AWS Configuration](codebuild-controls.md#codebuild-4) 
+  [[CodeBuild.7] CodeBuild report group exports should be encrypted at rest](codebuild-controls.md#codebuild-7) 
+  [[CodeGuruProfiler.1] CodeGuru Profiler profiling groups should be tagged](codeguruprofiler-controls.md#codeguruprofiler-1) 
+  [[CodeGuruReviewer.1] CodeGuru Reviewer repository associations should be tagged](codegurureviewer-controls.md#codegurureviewer-1) 
+  [[Cognito.1] Cognito user pools should have threat protection activated with full function enforcement mode for standard authentication](cognito-controls.md#cognito-1) 
+  [[Cognito.2] Cognito identity pools should not allow unauthenticated identities](cognito-controls.md#cognito-2) 
+  [[Cognito.3] Password policies for Cognito user pools should have strong configurations](cognito-controls.md#cognito-3) 
+  [[Cognito.4] Cognito user pools should have threat protection activated with full function enforcement mode for custom authentication](cognito-controls.md#cognito-4) 
+  [[Cognito.5] MFA should be enabled for Cognito user pools](cognito-controls.md#cognito-5) 
+  [[Cognito.6] Cognito user pools should have deletion protection enabled](cognito-controls.md#cognito-6) 
+  [[Connect.1] Amazon Connect Customer Profiles object types should be tagged](connect-controls.md#connect-1) 
+  [[Connect.2] Amazon Connect instances should have CloudWatch logging enabled](connect-controls.md#connect-2) 
+  [[DataFirehose.1] Firehose delivery streams should be encrypted at rest](datafirehose-controls.md#datafirehose-1) 
+  [[DataSync.1] DataSync tasks should have logging enabled](datasync-controls.md#datasync-1) 
+  [[DataSync.2] DataSync tasks should be tagged](datasync-controls.md#datasync-2) 
+  [[Detective.1] Detective behavior graphs should be tagged](detective-controls.md#detective-1) 
+  [[DMS.2] DMS certificates should be tagged](dms-controls.md#dms-2) 
+  [[DMS.3] DMS event subscriptions should be tagged](dms-controls.md#dms-3) 
+  [[DMS.4] DMS replication instances should be tagged](dms-controls.md#dms-4) 
+  [[DMS.5] DMS replication subnet groups should be tagged](dms-controls.md#dms-5) 
+  [[DMS.6] DMS replication instances should have automatic minor version upgrade enabled](dms-controls.md#dms-6) 
+  [[DMS.7] DMS replication tasks for the target database should have logging enabled](dms-controls.md#dms-7) 
+  [[DMS.8] DMS replication tasks for the source database should have logging enabled](dms-controls.md#dms-8) 
+  [[DMS.9] DMS endpoints should use SSL](dms-controls.md#dms-9) 
+  [[DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled](dms-controls.md#dms-10) 
+  [[DMS.11] DMS endpoints for MongoDB should have an authentication mechanism enabled](dms-controls.md#dms-11) 
+  [[DMS.12] DMS endpoints for Redis OSS should have TLS enabled](dms-controls.md#dms-12) 
+  [[DMS.13] DMS replication instances should be configured to use multiple Availability Zones](dms-controls.md#dms-13) 
+  [[DocumentDB.1] Amazon DocumentDB clusters should be encrypted at rest](documentdb-controls.md#documentdb-1) 
+  [[DocumentDB.2] Amazon DocumentDB clusters should have an adequate backup retention period](documentdb-controls.md#documentdb-2) 
+  [[DocumentDB.3] Amazon DocumentDB manual cluster snapshots should not be public](documentdb-controls.md#documentdb-3) 
+  [[DocumentDB.4] Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs](documentdb-controls.md#documentdb-4) 
+  [[DocumentDB.5] Amazon DocumentDB clusters should have deletion protection enabled](documentdb-controls.md#documentdb-5) 
+  [[DocumentDB.6] Amazon DocumentDB clusters should be encrypted in transit](documentdb-controls.md#documentdb-6) 
+  [[DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest](dynamodb-controls.md#dynamodb-3) 
+  [[DynamoDB.4] DynamoDB tables should be present in a backup plan](dynamodb-controls.md#dynamodb-4) 
+  [[DynamoDB.6] DynamoDB tables should have deletion protection enabled](dynamodb-controls.md#dynamodb-6) 
+  [[DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit](dynamodb-controls.md#dynamodb-7) 
+  [[EC2.4] Stopped EC2 instances should be removed after a specified time period](ec2-controls.md#ec2-4) 
+  [[EC2.21] Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389](ec2-controls.md#ec2-21) 
+  [[EC2.22] Unused Amazon EC2 security groups should be removed](ec2-controls.md#ec2-22) 
+  [[EC2.23] Amazon EC2 Transit Gateways should not automatically accept VPC attachment requests](ec2-controls.md#ec2-23) 
+  [[EC2.24] Amazon EC2 paravirtual instance types should not be used](ec2-controls.md#ec2-24) 
+  [[EC2.25] Amazon EC2 launch templates should not assign public IPs to network interfaces](ec2-controls.md#ec2-25) 
+  [[EC2.28] EBS volumes should be covered by a backup plan](ec2-controls.md#ec2-28) 
+  [[EC2.34] EC2 transit gateway route tables should be tagged](ec2-controls.md#ec2-34) 
+  [[EC2.40] EC2 NAT gateways should be tagged](ec2-controls.md#ec2-40) 
+  [[EC2.51] EC2 Client VPN endpoints should have client connection logging enabled](ec2-controls.md#ec2-51) 
+  [[EC2.53] EC2 security groups should not allow ingress from 0.0.0.0/0 to remote server administration ports](ec2-controls.md#ec2-53) 
+  [[EC2.54] EC2 security groups should not allow ingress from ::/0 to remote server administration ports](ec2-controls.md#ec2-54) 
+  [[EC2.55] VPCs should be configured with an interface endpoint for ECR API](ec2-controls.md#ec2-55) 
+  [[EC2.56] VPCs should be configured with an interface endpoint for Docker Registry](ec2-controls.md#ec2-56) 
+  [[EC2.57] VPCs should be configured with an interface endpoint for Systems Manager](ec2-controls.md#ec2-57) 
+  [[EC2.58] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager Contacts](ec2-controls.md#ec2-58) 
+  [[EC2.60] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager](ec2-controls.md#ec2-60) 
+  [[EC2.170] EC2 launch templates should use Instance Metadata Service Version 2 (IMDSv2)](ec2-controls.md#ec2-170) 
+  [[EC2.171] EC2 VPN connections should have logging enabled](ec2-controls.md#ec2-171) 
+  [[EC2.172] EC2 VPC Block Public Access settings should block internet gateway traffic](ec2-controls.md#ec2-172) 
+  [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](ec2-controls.md#ec2-173) 
+  [[EC2.174] EC2 DHCP option sets should be tagged](ec2-controls.md#ec2-174) 
+  [[EC2.175] EC2 launch templates should be tagged](ec2-controls.md#ec2-175) 
+  [[EC2.176] EC2 prefix lists should be tagged](ec2-controls.md#ec2-176) 
+  [[EC2.177] EC2 traffic mirror sessions should be tagged](ec2-controls.md#ec2-177) 
+  [[EC2.178] EC2 traffic mirror filters should be tagged](ec2-controls.md#ec2-178) 
+  [[EC2.179] EC2 traffic mirror targets should be tagged](ec2-controls.md#ec2-179) 
+  [[EC2.180] EC2 network interfaces should have source/destination checking enabled](ec2-controls.md#ec2-180) 
+  [[EC2.181] EC2 launch templates should enable encryption for attached EBS volumes](ec2-controls.md#ec2-181) 
+  [[EC2.182] Block public access settings should be enabled for Amazon EBS snapshots](ec2-controls.md#ec2-182) 
+  [[ECR.1] ECR private repositories should have image scanning configured](ecr-controls.md#ecr-1) 
+  [[ECR.2] ECR private repositories should have tag immutability configured](ecr-controls.md#ecr-2) 
+  [[ECR.3] ECR repositories should have at least one lifecycle policy configured](ecr-controls.md#ecr-3) 
+  [[ECR.4] ECR public repositories should be tagged](ecr-controls.md#ecr-4) 
+  [[ECR.5] ECR repositories should be encrypted with customer managed AWS KMS keys](ecr-controls.md#ecr-5) 
+  [[ECS.3] ECS task definitions should not share the host's process namespace](ecs-controls.md#ecs-3) 
+  [[ECS.4] ECS containers should run as non-privileged](ecs-controls.md#ecs-4) 
+  [[ECS.5] ECS task definitions should configure containers to be limited to read-only access to root filesystems](ecs-controls.md#ecs-5) 
+  [[ECS.8] Secrets should not be passed as container environment variables](ecs-controls.md#ecs-8) 
+  [[ECS.9] ECS task definitions should have a logging configuration](ecs-controls.md#ecs-9) 
+  [[ECS.10] ECS Fargate services should run on the latest Fargate platform version](ecs-controls.md#ecs-10) 
+  [[ECS.12] ECS clusters should use Container Insights](ecs-controls.md#ecs-12) 
+  [[ECS.16] ECS task sets should not automatically assign public IP addresses](ecs-controls.md#ecs-16) 
+  [[ECS.17] ECS task definitions should not use host network mode](ecs-controls.md#ecs-17) 
+  [[ECS.18] ECS Task Definitions should use in-transit encryption for EFS volumes](ecs-controls.md#ecs-18) 
+  [[ECS.19] ECS capacity providers should have managed termination protection enabled](ecs-controls.md#ecs-19) 
+  [[ECS.20] ECS Task Definitions should configure non-root users in Linux container definitions](ecs-controls.md#ecs-20) 
+  [[ECS.21] ECS Task Definitions should configure non-administrator users in Windows container definitions](ecs-controls.md#ecs-21) 
+  [[EFS.1] Elastic File System should be configured to encrypt file data at-rest using AWS KMS](efs-controls.md#efs-1) 
+  [[EFS.2] Amazon EFS volumes should be in backup plans](efs-controls.md#efs-2) 
+  [[EFS.3] EFS access points should enforce a root directory](efs-controls.md#efs-3) 
+  [[EFS.4] EFS access points should enforce a user identity](efs-controls.md#efs-4) 
+  [[EFS.6] EFS mount targets should not be associated with subnets that assign public IP addresses on launch](efs-controls.md#efs-6) 
+  [[EFS.7] EFS file systems should have automatic backups enabled](efs-controls.md#efs-7) 
+  [[EFS.8] EFS file systems should be encrypted at rest](efs-controls.md#efs-8) 
+  [[EKS.2] EKS clusters should run on a supported Kubernetes version](eks-controls.md#eks-2) 
+  [[EKS.3] EKS clusters should use encrypted Kubernetes secrets](eks-controls.md#eks-3) 
+  [[EKS.7] EKS identity provider configurations should be tagged](eks-controls.md#eks-7) 
+  [[EKS.8] EKS clusters should have audit logging enabled](eks-controls.md#eks-8) 
+  [[ELB.10] Classic Load Balancer should span multiple Availability Zones](elb-controls.md#elb-10) 
+  [[ELB.12] Application Load Balancer should be configured with defensive or strictest desync mitigation mode](elb-controls.md#elb-12) 
+  [[ELB.13] Application, Network and Gateway Load Balancers should span multiple Availability Zones](elb-controls.md#elb-13) 
+  [[ELB.14] Classic Load Balancer should be configured with defensive or strictest desync mitigation mode](elb-controls.md#elb-14) 
+  [[ELB.17] Application and Network Load Balancers with listeners should use recommended security policies](elb-controls.md#elb-17) 
+  [[ELB.18] Application and Network Load Balancer listeners should use secure protocols to encrypt data in transit](elb-controls.md#elb-18) 
+  [[ElastiCache.1] ElastiCache (Redis OSS) clusters should have automatic backups enabled](elasticache-controls.md#elasticache-1) 
+  [[ElastiCache.2] ElastiCache clusters should have automatic minor version upgrades enabled](elasticache-controls.md#elasticache-2) 
+  [[ElastiCache.3] ElastiCache replication groups should have automatic failover enabled](elasticache-controls.md#elasticache-3) 
+  [[ElastiCache.4] ElastiCache replication groups should be encrypted at rest](elasticache-controls.md#elasticache-4) 
+  [[ElastiCache.5] ElastiCache replication groups should be encrypted in transit](elasticache-controls.md#elasticache-5) 
+  [[ElastiCache.6] ElastiCache (Redis OSS) replication groups of earlier versions should have Redis OSS AUTH enabled](elasticache-controls.md#elasticache-6) 
+  [[ElastiCache.7] ElastiCache clusters should not use the default subnet group](elasticache-controls.md#elasticache-7) 
+  [[ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled](elasticbeanstalk-controls.md#elasticbeanstalk-1) 
+  [[ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled](elasticbeanstalk-controls.md#elasticbeanstalk-2) 
+  [[ElasticBeanstalk.3] Elastic Beanstalk should stream logs to CloudWatch](elasticbeanstalk-controls.md#elasticbeanstalk-3) 
+  [[EMR.1] Amazon EMR cluster primary nodes should not have public IP addresses](emr-controls.md#emr-1) 
+  [[EMR.2] Amazon EMR block public access setting should be enabled](emr-controls.md#emr-2) 
+  [[EMR.3] Amazon EMR security configurations should be encrypted at rest](emr-controls.md#emr-3) 
+  [[EMR.4] Amazon EMR security configurations should be encrypted in transit](emr-controls.md#emr-4) 
+  [[ES.4] Elasticsearch domain error logging to CloudWatch Logs should be enabled](es-controls.md#es-4) 
+  [[ES.9] Elasticsearch domains should be tagged](es-controls.md#es-9) 
+  [[EventBridge.3] EventBridge custom event buses should have a resource-based policy attached](eventbridge-controls.md#eventbridge-3) 
+  [[EventBridge.4] EventBridge global endpoints should have event replication enabled](eventbridge-controls.md#eventbridge-4) 
+  [[FraudDetector.1] Amazon Fraud Detector entity types should be tagged](frauddetector-controls.md#frauddetector-1) 
+  [[FraudDetector.2] Amazon Fraud Detector labels should be tagged](frauddetector-controls.md#frauddetector-2) 
+  [[FraudDetector.3] Amazon Fraud Detector outcomes should be tagged](frauddetector-controls.md#frauddetector-3) 
+  [[FraudDetector.4] Amazon Fraud Detector variables should be tagged](frauddetector-controls.md#frauddetector-4) 
+  [[FSx.1] FSx for OpenZFS file systems should be configured to copy tags to backups and volumes](fsx-controls.md#fsx-1) 
+  [[FSx.2] FSx for Lustre file systems should be configured to copy tags to backups](fsx-controls.md#fsx-2) 
+  [[FSx.3] FSx for OpenZFS file systems should be configured for Multi-AZ deployment](fsx-controls.md#fsx-3) 
+  [[FSx.4] FSx for NetApp ONTAP file systems should be configured for Multi-AZ deployment](fsx-controls.md#fsx-4) 
+  [[FSx.5] FSx for Windows File Server file systems should be configured for Multi-AZ deployment](fsx-controls.md#fsx-5) 
+  [[GlobalAccelerator.1] Global Accelerator accelerators should be tagged](globalaccelerator-controls.md#globalaccelerator-1) 
+  [[Glue.1] AWS Glue jobs should be tagged](glue-controls.md#glue-1) 
+  [[Glue.3] AWS Glue machine learning transforms should be encrypted at rest](glue-controls.md#glue-3) 
+  [[Glue.4] AWS Glue Spark jobs should run on supported versions of AWS Glue](glue-controls.md#glue-4) 
+  [[GuardDuty.1] GuardDuty should be enabled](guardduty-controls.md#guardduty-1) 
+  [[GuardDuty.2] GuardDuty filters should be tagged](guardduty-controls.md#guardduty-2) 
+  [[GuardDuty.5] GuardDuty EKS Audit Log Monitoring should be enabled](guardduty-controls.md#guardduty-5) 
+  [[GuardDuty.6] GuardDuty Lambda Protection should be enabled](guardduty-controls.md#guardduty-6) 
+  [[GuardDuty.7] GuardDuty EKS Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-7) 
+  [[GuardDuty.8] GuardDuty Malware Protection for EC2 should be enabled](guardduty-controls.md#guardduty-8) 
+  [[GuardDuty.9] GuardDuty RDS Protection should be enabled](guardduty-controls.md#guardduty-9) 
+  [[GuardDuty.10] GuardDuty S3 Protection should be enabled](guardduty-controls.md#guardduty-10) 
+  [[GuardDuty.11] GuardDuty Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-11) 
+  [[GuardDuty.12] GuardDuty ECS Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-12) 
+  [[GuardDuty.13] GuardDuty EC2 Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-13) 
+  [[IAM.1] IAM policies should not allow full "\*:\*" administrative privileges](iam-controls.md#iam-1) 
+  [[IAM.2] IAM users should not have IAM policies attached](iam-controls.md#iam-2) 
+  [[IAM.3] IAM users' access keys should be rotated every 90 days or less](iam-controls.md#iam-3) 
+  [[IAM.4] IAM root user access key should not exist](iam-controls.md#iam-4) 
+  [[IAM.5] MFA should be enabled for all IAM users that have a console password](iam-controls.md#iam-5) 
+  [[IAM.6] Hardware MFA should be enabled for the root user](iam-controls.md#iam-6) 
+  [[IAM.7] Password policies for IAM users should have strong configurations](iam-controls.md#iam-7) 
+  [[IAM.8] Unused IAM user credentials should be removed](iam-controls.md#iam-8) 
+  [[IAM.9] MFA should be enabled for the root user](iam-controls.md#iam-9) 
+  [[IAM.10] Password policies for IAM users should have strong configurations](iam-controls.md#iam-10) 
+  [[IAM.11] Ensure IAM password policy requires at least one uppercase letter](iam-controls.md#iam-11) 
+  [[IAM.12] Ensure IAM password policy requires at least one lowercase letter](iam-controls.md#iam-12) 
+  [[IAM.13] Ensure IAM password policy requires at least one symbol](iam-controls.md#iam-13) 
+  [[IAM.14] Ensure IAM password policy requires at least one number](iam-controls.md#iam-14) 
+  [[IAM.15] Ensure IAM password policy requires minimum password length of 14 or greater](iam-controls.md#iam-15) 
+  [[IAM.16] Ensure IAM password policy prevents password reuse](iam-controls.md#iam-16) 
+  [[IAM.17] Ensure IAM password policy expires passwords within 90 days or less](iam-controls.md#iam-17) 
+  [[IAM.18] Ensure a support role has been created to manage incidents with AWS Support](iam-controls.md#iam-18) 
+  [[IAM.19] MFA should be enabled for all IAM users](iam-controls.md#iam-19) 
+  [[IAM.21] IAM customer managed policies that you create should not allow wildcard actions for services](iam-controls.md#iam-21) 
+  [[IAM.22] IAM user credentials unused for 45 days should be removed](iam-controls.md#iam-22) 
+  [[IAM.24] IAM roles should be tagged](iam-controls.md#iam-24) 
+  [[IAM.25] IAM users should be tagged](iam-controls.md#iam-25) 
+  [[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed](iam-controls.md#iam-26) 
+  [[IAM.27] IAM identities should not have the AWSCloudShellFullAccess policy attached](iam-controls.md#iam-27) 
+  [[IAM.28] IAM Access Analyzer external access analyzer should be enabled](iam-controls.md#iam-28) 
+  [[Inspector.1] Amazon Inspector EC2 scanning should be enabled](inspector-controls.md#inspector-1) 
+  [[Inspector.2] Amazon Inspector ECR scanning should be enabled](inspector-controls.md#inspector-2) 
+  [[Inspector.3] Amazon Inspector Lambda code scanning should be enabled](inspector-controls.md#inspector-3) 
+  [[Inspector.4] Amazon Inspector Lambda standard scanning should be enabled](inspector-controls.md#inspector-4) 
+  [[IoT.1] AWS IoT Device Defender security profiles should be tagged](iot-controls.md#iot-1) 
+  [[IoT.2] AWS IoT Core mitigation actions should be tagged](iot-controls.md#iot-2) 
+  [[IoT.3] AWS IoT Core dimensions should be tagged](iot-controls.md#iot-3) 
+  [[IoT.4] AWS IoT Core authorizers should be tagged](iot-controls.md#iot-4) 
+  [[IoT.5] AWS IoT Core role aliases should be tagged](iot-controls.md#iot-5) 
+  [[IoT.6] AWS IoT Core policies should be tagged](iot-controls.md#iot-6) 
+  [[IoTEvents.1] AWS IoT Events inputs should be tagged](iotevents-controls.md#iotevents-1) 
+  [[IoTEvents.2] AWS IoT Events detector models should be tagged](iotevents-controls.md#iotevents-2) 
+  [[IoTEvents.3] AWS IoT Events alarm models should be tagged](iotevents-controls.md#iotevents-3) 
+  [[IoTSiteWise.1] AWS IoT SiteWise asset models should be tagged](iotsitewise-controls.md#iotsitewise-1) 
+  [[IoTSiteWise.2] AWS IoT SiteWise dashboards should be tagged](iotsitewise-controls.md#iotsitewise-2) 
+  [[IoTSiteWise.3] AWS IoT SiteWise gateways should be tagged](iotsitewise-controls.md#iotsitewise-3) 
+  [[IoTSiteWise.4] AWS IoT SiteWise portals should be tagged](iotsitewise-controls.md#iotsitewise-4) 
+  [[IoTSiteWise.5] AWS IoT SiteWise projects should be tagged](iotsitewise-controls.md#iotsitewise-5) 
+  [[IoTTwinMaker.1] AWS IoT TwinMaker sync jobs should be tagged](iottwinmaker-controls.md#iottwinmaker-1) 
+  [[IoTTwinMaker.2] AWS IoT TwinMaker workspaces should be tagged](iottwinmaker-controls.md#iottwinmaker-2) 
+  [[IoTTwinMaker.3] AWS IoT TwinMaker scenes should be tagged](iottwinmaker-controls.md#iottwinmaker-3) 
+  [[IoTTwinMaker.4] AWS IoT TwinMaker entities should be tagged](iottwinmaker-controls.md#iottwinmaker-4) 
+  [[IoTWireless.1] AWS IoT Wireless multicast groups should be tagged](iotwireless-controls.md#iotwireless-1) 
+  [[IoTWireless.2] AWS IoT Wireless service profiles should be tagged](iotwireless-controls.md#iotwireless-2) 
+  [[IoTWireless.3] AWS IoT FUOTA tasks should be tagged](iotwireless-controls.md#iotwireless-3) 
+  [[IVS.1] IVS playback key pairs should be tagged](ivs-controls.md#ivs-1) 
+  [[IVS.2] IVS recording configurations should be tagged](ivs-controls.md#ivs-2) 
+  [[IVS.3] IVS channels should be tagged](ivs-controls.md#ivs-3) 
+  [[Keyspaces.1] Amazon Keyspaces keyspaces should be tagged](keyspaces-controls.md#keyspaces-1) 
+  [[Kinesis.1] Kinesis streams should be encrypted at rest](kinesis-controls.md#kinesis-1) 
+  [[Kinesis.3] Kinesis streams should have an adequate data retention period](kinesis-controls.md#kinesis-3) 
+  [[KMS.1] IAM customer managed policies should not allow decryption actions on all KMS keys](kms-controls.md#kms-1) 
+  [[KMS.2] IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys](kms-controls.md#kms-2) 
+  [[KMS.5] KMS keys should not be publicly accessible](kms-controls.md#kms-5) 
+  [[Lambda.5] VPC Lambda functions should operate in multiple Availability Zones](lambda-controls.md#lambda-5) 
+  [[Lambda.7] Lambda functions should have AWS X-Ray active tracing enabled](lambda-controls.md#lambda-7) 
+  [[Macie.1] Amazon Macie should be enabled](macie-controls.md#macie-1) 
+  [[Macie.2] Macie automated sensitive data discovery should be enabled](macie-controls.md#macie-2) 
+  [[MQ.2] ActiveMQ brokers should stream audit logs to CloudWatch](mq-controls.md#mq-2) 
+  [[MQ.4] Amazon MQ brokers should be tagged](mq-controls.md#mq-4) 
+  [[MQ.5] ActiveMQ brokers should use active/standby deployment mode](mq-controls.md#mq-5) 
+  [[MQ.6] RabbitMQ brokers should use cluster deployment mode](mq-controls.md#mq-6) 
+  [[MSK.1] MSK clusters should be encrypted in transit among broker nodes](msk-controls.md#msk-1) 
+  [[MSK.2] MSK clusters should have enhanced monitoring configured](msk-controls.md#msk-2) 
+  [[MSK.3] MSK Connect connectors should be encrypted in transit](msk-controls.md#msk-3) 
+  [[MSK.4] MSK clusters should have public access disabled](msk-controls.md#msk-4) 
+  [[MSK.5] MSK connectors should have logging enabled](msk-controls.md#msk-5) 
+  [[MSK.6] MSK clusters should disable unauthenticated access](msk-controls.md#msk-6) 
+  [[Neptune.1] Neptune DB clusters should be encrypted at rest](neptune-controls.md#neptune-1) 
+  [[Neptune.2] Neptune DB clusters should publish audit logs to CloudWatch Logs](neptune-controls.md#neptune-2) 
+  [[Neptune.3] Neptune DB cluster snapshots should not be public](neptune-controls.md#neptune-3) 
+  [[Neptune.4] Neptune DB clusters should have deletion protection enabled](neptune-controls.md#neptune-4) 
+  [[Neptune.5] Neptune DB clusters should have automated backups enabled](neptune-controls.md#neptune-5) 
+  [[Neptune.6] Neptune DB cluster snapshots should be encrypted at rest](neptune-controls.md#neptune-6) 
+  [[Neptune.7] Neptune DB clusters should have IAM database authentication enabled](neptune-controls.md#neptune-7) 
+  [[Neptune.8] Neptune DB clusters should be configured to copy tags to snapshots](neptune-controls.md#neptune-8) 
+  [[Neptune.9] Neptune DB clusters should be deployed across multiple Availability Zones](neptune-controls.md#neptune-9) 
+  [[NetworkFirewall.1] Network Firewall firewalls should be deployed across multiple Availability Zones](networkfirewall-controls.md#networkfirewall-1) 
+  [[NetworkFirewall.2] Network Firewall logging should be enabled](networkfirewall-controls.md#networkfirewall-2) 
+  [[NetworkFirewall.3] Network Firewall policies should have at least one rule group associated](networkfirewall-controls.md#networkfirewall-3) 
+  [[NetworkFirewall.4] The default stateless action for Network Firewall policies should be drop or forward for full packets](networkfirewall-controls.md#networkfirewall-4) 
+  [[NetworkFirewall.5] The default stateless action for Network Firewall policies should be drop or forward for fragmented packets](networkfirewall-controls.md#networkfirewall-5) 
+  [[NetworkFirewall.6] Stateless Network Firewall rule group should not be empty](networkfirewall-controls.md#networkfirewall-6) 
+  [[NetworkFirewall.9] Network Firewall firewalls should have deletion protection enabled](networkfirewall-controls.md#networkfirewall-9) 
+  [[NetworkFirewall.10] Network Firewall firewalls should have subnet change protection enabled](networkfirewall-controls.md#networkfirewall-10) 
+  [[Opensearch.1] OpenSearch domains should have encryption at rest enabled](opensearch-controls.md#opensearch-1) 
+  [[Opensearch.2] OpenSearch domains should not be publicly accessible](opensearch-controls.md#opensearch-2) 
+  [[Opensearch.3] OpenSearch domains should encrypt data sent between nodes](opensearch-controls.md#opensearch-3) 
+  [[Opensearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled](opensearch-controls.md#opensearch-4) 
+  [[Opensearch.5] OpenSearch domains should have audit logging enabled](opensearch-controls.md#opensearch-5) 
+  [[Opensearch.6] OpenSearch domains should have at least three data nodes](opensearch-controls.md#opensearch-6) 
+  [[Opensearch.7] OpenSearch domains should have fine-grained access control enabled](opensearch-controls.md#opensearch-7) 
+  [[Opensearch.8] Connections to OpenSearch domains should be encrypted using the latest TLS security policy](opensearch-controls.md#opensearch-8) 
+  [[Opensearch.9] OpenSearch domains should be tagged](opensearch-controls.md#opensearch-9) 
+  [[Opensearch.10] OpenSearch domains should have the latest software update installed](opensearch-controls.md#opensearch-10) 
+  [[Opensearch.11] OpenSearch domains should have at least three dedicated primary nodes](opensearch-controls.md#opensearch-11) 
+  [[PCA.1] AWS Private CA root certificate authority should be disabled](pca-controls.md#pca-1) 
+  [[PCA.2] AWS Private CA certificate authorities should be tagged](pca-controls.md#pca-2) 
+  [[RDS.14] Amazon Aurora clusters should have backtracking enabled](rds-controls.md#rds-14) 
+  [[RDS.18] RDS instances should be deployed in a VPC](rds-controls.md#rds-18) 
+  [[RDS.24] RDS Database clusters should use a custom administrator username](rds-controls.md#rds-24) 
+  [[RDS.25] RDS database instances should use a custom administrator username](rds-controls.md#rds-25) 
+  [[RDS.26] RDS DB instances should be protected by a backup plan](rds-controls.md#rds-26) 
+  [[RDS.27] RDS DB clusters should be encrypted at rest](rds-controls.md#rds-27) 
+  [[RDS.31] RDS DB security groups should be tagged](rds-controls.md#rds-31) 
+  [[RDS.34] Aurora MySQL DB clusters should publish audit logs to CloudWatch Logs](rds-controls.md#rds-34) 
+  [[RDS.35] RDS DB clusters should have automatic minor version upgrade enabled](rds-controls.md#rds-35) 
+  [[RDS.36] RDS for PostgreSQL DB instances should publish logs to CloudWatch Logs](rds-controls.md#rds-36) 
+  [[RDS.37] Aurora PostgreSQL DB clusters should publish logs to CloudWatch Logs](rds-controls.md#rds-37) 
+  [[RDS.38] RDS for PostgreSQL DB instances should be encrypted in transit](rds-controls.md#rds-38) 
+  [[RDS.39] RDS for MySQL DB instances should be encrypted in transit](rds-controls.md#rds-39) 
+  [[RDS.40] RDS for SQL Server DB instances should publish logs to CloudWatch Logs](rds-controls.md#rds-40) 
+  [[RDS.41] RDS for SQL Server DB instances should be encrypted in transit](rds-controls.md#rds-41) 
+  [[RDS.42] RDS for MariaDB DB instances should publish logs to CloudWatch Logs](rds-controls.md#rds-42) 
+  [[RDS.43] RDS DB proxies should require TLS encryption for connections](rds-controls.md#rds-43) 
+  [[RDS.44] RDS for MariaDB DB instances should be encrypted in transit](rds-controls.md#rds-44) 
+  [[RDS.45] Aurora MySQL DB clusters should have audit logging enabled](rds-controls.md#rds-45) 
+  [[RDS.46] RDS DB instances should not be deployed in public subnets with routes to internet gateways](rds-controls.md#rds-46) 
+  [[RDS.47] RDS for PostgreSQL DB clusters should be configured to copy tags to DB snapshots](rds-controls.md#rds-47) 
+  [[RDS.48] RDS for MySQL DB clusters should be configured to copy tags to DB snapshots](rds-controls.md#rds-48) 
+  [[Redshift.8] Amazon Redshift clusters should not use the default Admin username](redshift-controls.md#redshift-8) 
+  [[Redshift.10] Redshift clusters should be encrypted at rest](redshift-controls.md#redshift-10) 
+  [[Redshift.15] Redshift security groups should allow ingress on the cluster port only from restricted origins](redshift-controls.md#redshift-15) 
+  [[Redshift.16] Redshift cluster subnet groups should have subnets from multiple Availability Zones](redshift-controls.md#redshift-16) 
+  [[Redshift.17] Redshift cluster parameter groups should be tagged](redshift-controls.md#redshift-17) 
+  [[Redshift.18] Redshift clusters should have Multi-AZ deployments enabled](redshift-controls.md#redshift-18) 
+  [[RedshiftServerless.1] Amazon Redshift Serverless workgroups should use enhanced VPC routing](redshiftserverless-controls.md#redshiftserverless-1) 
+  [[RedshiftServerless.2] Connections to Redshift Serverless workgroups should be required to use SSL](redshiftserverless-controls.md#redshiftserverless-2) 
+  [[RedshiftServerless.3] Redshift Serverless workgroups should prohibit public access](redshiftserverless-controls.md#redshiftserverless-3) 
+  [[RedshiftServerless.4] Redshift Serverless namespaces should be encrypted with customer managed AWS KMS keys](redshiftserverless-controls.md#redshiftserverless-4) 
+  [[RedshiftServerless.5] Redshift Serverless namespaces should not use the default admin username](redshiftserverless-controls.md#redshiftserverless-5) 
+  [[RedshiftServerless.6] Redshift Serverless namespaces should export logs to CloudWatch Logs](redshiftserverless-controls.md#redshiftserverless-6) 
+  [[Route53.1] Route 53 health checks should be tagged](route53-controls.md#route53-1) 
+  [[Route53.2] Route 53 public hosted zones should log DNS queries](route53-controls.md#route53-2) 
+  [[S3.7] S3 general purpose buckets should use cross-Region replication](s3-controls.md#s3-7) 
+  [[S3.10] S3 general purpose buckets with versioning enabled should have Lifecycle configurations](s3-controls.md#s3-10) 
+  [[S3.11] S3 general purpose buckets should have event notifications enabled](s3-controls.md#s3-11) 
+  [[S3.12] ACLs should not be used to manage user access to S3 general purpose buckets](s3-controls.md#s3-12) 
+  [[S3.13] S3 general purpose buckets should have Lifecycle configurations](s3-controls.md#s3-13) 
+  [[S3.19] S3 access points should have block public access settings enabled](s3-controls.md#s3-19) 
+  [[S3.20] S3 general purpose buckets should have MFA delete enabled](s3-controls.md#s3-20) 
+  [[S3.22] S3 general purpose buckets should log object-level write events](s3-controls.md#s3-22) 
+  [[S3.23] S3 general purpose buckets should log object-level read events](s3-controls.md#s3-23) 
+  [[S3.24] S3 Multi-Region Access Points should have block public access settings enabled](s3-controls.md#s3-24) 
+  [[S3.25] S3 directory buckets should have lifecycle configurations](s3-controls.md#s3-25) 
+  [[SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access](sagemaker-controls.md#sagemaker-1) 
+  [[SageMaker.2] SageMaker notebook instances should be launched in a custom VPC](sagemaker-controls.md#sagemaker-2) 
+  [[SageMaker.3] Users should not have root access to SageMaker notebook instances](sagemaker-controls.md#sagemaker-3) 
+  [[SageMaker.4] SageMaker endpoint production variants should have an initial instance count greater than 1](sagemaker-controls.md#sagemaker-4) 
+  [[SageMaker.5] SageMaker models should have network isolation enabled](sagemaker-controls.md#sagemaker-5) 
+  [[SageMaker.6] SageMaker app image configurations should be tagged](sagemaker-controls.md#sagemaker-6) 
+  [[SageMaker.7] SageMaker images should be tagged](sagemaker-controls.md#sagemaker-7) 
+  [[SageMaker.8] SageMaker notebook instances should run on supported platforms](sagemaker-controls.md#sagemaker-8) 
+  [[SageMaker.9] SageMaker data quality job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-9) 
+  [[SageMaker.10] SageMaker model explainability job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-10) 
+  [[SageMaker.11] SageMaker data quality job definitions should have network isolation enabled](sagemaker-controls.md#sagemaker-11) 
+  [[SageMaker.12] SageMaker model bias job definitions should have network isolation enabled](sagemaker-controls.md#sagemaker-12) 
+  [[SageMaker.13] SageMaker model quality job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-13) 
+  [[SageMaker.14] SageMaker monitoring schedules should have network isolation enabled](sagemaker-controls.md#sagemaker-14) 
+  [[SageMaker.15] SageMaker model bias job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-15) 
+  [[SES.1] SES contact lists should be tagged](ses-controls.md#ses-1) 
+  [[SES.2] SES configuration sets should be tagged](ses-controls.md#ses-2) 
+  [[SES.3] SES configuration sets should have TLS enabled for sending emails](ses-controls.md#ses-3) 
+  [[ServiceCatalog.1] Service Catalog portfolios should be shared within an AWS organization only](servicecatalog-controls.md#servicecatalog-1) 
+  [[SNS.4] SNS topic access policies should not allow public access](sns-controls.md#sns-4) 
+  [[SQS.1] Amazon SQS queues should be encrypted at rest](sqs-controls.md#sqs-1) 
+  [[SQS.2] SQS queues should be tagged](sqs-controls.md#sqs-2) 
+  [[SQS.3] SQS queue access policies should not allow public access](sqs-controls.md#sqs-3) 
+  [[SSM.3] Amazon EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT](ssm-controls.md#ssm-3) 
+  [[SSM.4] SSM documents should not be public](ssm-controls.md#ssm-4) 
+  [[SSM.5] SSM documents should be tagged](ssm-controls.md#ssm-5) 
+  [[SSM.6] SSM Automation should have CloudWatch logging enabled](ssm-controls.md#ssm-6) 
+  [[SSM.7] SSM documents should have the block public sharing setting enabled](ssm-controls.md#ssm-7) 
+  [[StepFunctions.1] Step Functions state machines should have logging turned on](stepfunctions-controls.md#stepfunctions-1) 
+  [[Transfer.1] AWS Transfer Family workflows should be tagged](transfer-controls.md#transfer-1) 
+  [[Transfer.2] Transfer Family servers should not use FTP protocol for endpoint connection](transfer-controls.md#transfer-2) 
+  [[Transfer.3] Transfer Family connectors should have logging enabled](transfer-controls.md#transfer-3) 
+  [[Transfer.4] Transfer Family agreements should be tagged](transfer-controls.md#transfer-4) 
+  [[Transfer.5] Transfer Family certificates should be tagged](transfer-controls.md#transfer-5) 
+  [[Transfer.6] Transfer Family connectors should be tagged](transfer-controls.md#transfer-6) 
+  [[Transfer.7] Transfer Family profiles should be tagged](transfer-controls.md#transfer-7) 
+  [[WAF.1] AWS WAF Classic Global Web ACL logging should be enabled](waf-controls.md#waf-1) 
+  [[WAF.2] AWS WAF Classic Regional rules should have at least one condition](waf-controls.md#waf-2) 
+  [[WAF.3] AWS WAF Classic Regional rule groups should have at least one rule](waf-controls.md#waf-3) 
+  [[WAF.4] AWS WAF Classic Regional web ACLs should have at least one rule or rule group](waf-controls.md#waf-4) 
+  [[WAF.6] AWS WAF Classic global rules should have at least one condition](waf-controls.md#waf-6) 
+  [[WAF.7] AWS WAF Classic global rule groups should have at least one rule](waf-controls.md#waf-7) 
+  [[WAF.8] AWS WAF Classic global web ACLs should have at least one rule or rule group](waf-controls.md#waf-8) 
+  [[WAF.10] AWS WAF web ACLs should have at least one rule or rule group](waf-controls.md#waf-10) 
+  [[WAF.12] AWS WAF rules should have CloudWatch metrics enabled](waf-controls.md#waf-12) 
+  [[WorkSpaces.1] WorkSpaces user volumes should be encrypted at rest](workspaces-controls.md#workspaces-1) 
+  [[WorkSpaces.2] WorkSpaces root volumes should be encrypted at rest](workspaces-controls.md#workspaces-2) 

## Asia Pacific (Tokyo)
<a name="securityhub-control-support-apnortheast1"></a>

The following controls are not supported in the Asia Pacific (Tokyo) Region.
+  [[AppSync.1] AWS AppSync API caches should be encrypted at rest](appsync-controls.md#appsync-1) 
+  [[AppSync.6] AWS AppSync API caches should be encrypted in transit](appsync-controls.md#appsync-6) 
+  [[CloudFront.1] CloudFront distributions should have a default root object configured](cloudfront-controls.md#cloudfront-1) 
+  [[CloudFront.3] CloudFront distributions should require encryption in transit](cloudfront-controls.md#cloudfront-3) 
+  [[CloudFront.4] CloudFront distributions should have origin failover configured](cloudfront-controls.md#cloudfront-4) 
+  [[CloudFront.5] CloudFront distributions should have logging enabled](cloudfront-controls.md#cloudfront-5) 
+  [[CloudFront.6] CloudFront distributions should have WAF enabled](cloudfront-controls.md#cloudfront-6) 
+  [[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates](cloudfront-controls.md#cloudfront-7) 
+  [[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests](cloudfront-controls.md#cloudfront-8) 
+  [[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins](cloudfront-controls.md#cloudfront-9) 
+  [[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins](cloudfront-controls.md#cloudfront-10) 
+  [[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins](cloudfront-controls.md#cloudfront-12) 
+  [[CloudFront.13] CloudFront distributions should use origin access control](cloudfront-controls.md#cloudfront-13) 
+  [[CloudFront.14] CloudFront distributions should be tagged](cloudfront-controls.md#cloudfront-14) 
+  [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](cloudfront-controls.md#cloudfront-15) 
+  [[CloudFront.16] CloudFront distributions should use origin access control for Lambda function URL origins](cloudfront-controls.md#cloudfront-16) 
+  [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](cloudfront-controls.md#cloudfront-17) 
+  [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](ec2-controls.md#ec2-173) 
+  [[ECR.4] ECR public repositories should be tagged](ecr-controls.md#ecr-4) 
+  [[FraudDetector.1] Amazon Fraud Detector entity types should be tagged](frauddetector-controls.md#frauddetector-1) 
+  [[FraudDetector.2] Amazon Fraud Detector labels should be tagged](frauddetector-controls.md#frauddetector-2) 
+  [[FraudDetector.3] Amazon Fraud Detector outcomes should be tagged](frauddetector-controls.md#frauddetector-3) 
+  [[FraudDetector.4] Amazon Fraud Detector variables should be tagged](frauddetector-controls.md#frauddetector-4) 
+  [[GlobalAccelerator.1] Global Accelerator accelerators should be tagged](globalaccelerator-controls.md#globalaccelerator-1) 
+  [[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed](iam-controls.md#iam-26) 
+  [[IoTTwinMaker.4] AWS IoT TwinMaker entities should be tagged](iottwinmaker-controls.md#iottwinmaker-4) 
+  [[Route53.1] Route 53 health checks should be tagged](route53-controls.md#route53-1) 
+  [[Route53.2] Route 53 public hosted zones should log DNS queries](route53-controls.md#route53-2) 
+  [[S3.24] S3 Multi-Region Access Points should have block public access settings enabled](s3-controls.md#s3-24) 
+  [[WAF.1] AWS WAF Classic Global Web ACL logging should be enabled](waf-controls.md#waf-1) 
+  [[WAF.6] AWS WAF Classic global rules should have at least one condition](waf-controls.md#waf-6) 
+  [[WAF.7] AWS WAF Classic global rule groups should have at least one rule](waf-controls.md#waf-7) 
+  [[WAF.8] AWS WAF Classic global web ACLs should have at least one rule or rule group](waf-controls.md#waf-8) 
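Per-Region lists like the one above tell you which controls a Region cannot evaluate, but the practical question is whether the control set you push through a central configuration policy silently loses coverage in that Region. The Security Hub API answers this directly: each entry returned by `ListSecurityControlDefinitions` carries a `CurrentRegionAvailability` of `AVAILABLE` or `UNAVAILABLE` for the Region the call is made in. The following script is an added example, not code from the Security Hub documentation; it flattens the paginated response, compares it with a list of control IDs you intend to enforce, and reports the gaps. The two response pages embedded in it are constructed so the script runs offline; the `fetch_pages` function is the live variant and assumes boto3 and valid credentials.

```python
"""Cross-check a planned Security Hub CSPM control set against what the
current Region can actually evaluate.

Added example, not part of the Security Hub documentation. Assumes the
ListSecurityControlDefinitions API and the CurrentRegionAvailability field
(AVAILABLE | UNAVAILABLE) on each SecurityControlDefinition.
"""
from __future__ import annotations

import sys
from typing import Iterable, Iterator

# Constructed sample: two pages shaped like ListSecurityControlDefinitions
# output for a Region where CloudFront and WAF Classic global controls are
# not evaluated. Real responses carry more fields; only these are used.
SAMPLE_PAGES = [
    {
        "SecurityControlDefinitions": [
            {"SecurityControlId": "S3.20",
             "Title": "S3 general purpose buckets should have MFA delete enabled",
             "CurrentRegionAvailability": "AVAILABLE"},
            {"SecurityControlId": "CloudFront.5",
             "Title": "CloudFront distributions should have logging enabled",
             "CurrentRegionAvailability": "UNAVAILABLE"},
        ],
        "NextToken": "constructed-page-2",
    },
    {
        "SecurityControlDefinitions": [
            {"SecurityControlId": "WAF.1",
             "Title": "AWS WAF Classic Global Web ACL logging should be enabled",
             "CurrentRegionAvailability": "UNAVAILABLE"},
            {"SecurityControlId": "IAM.26",
             "Title": "Expired SSL/TLS certificates managed in IAM should be removed",
             "CurrentRegionAvailability": "AVAILABLE"},
        ],
    },
]


def region_availability(pages: Iterable[dict]) -> dict[str, str]:
    """Flatten paginated ListSecurityControlDefinitions output into
    {control_id: availability}. A definition with no availability field is
    treated as UNAVAILABLE rather than assumed to be evaluated."""
    availability: dict[str, str] = {}
    for page in pages:
        for definition in page.get("SecurityControlDefinitions", []):
            control_id = definition["SecurityControlId"]
            availability[control_id] = definition.get(
                "CurrentRegionAvailability", "UNAVAILABLE")
    return availability


def coverage_gaps(wanted: Iterable[str],
                  availability: dict[str, str]) -> dict[str, list[str]]:
    """Split the controls you intend to enforce into those the Region
    evaluates, those it does not, and IDs the API did not return at all
    (typos, retired controls, or controls not yet released in this Region).
    Input order is preserved so the report is stable across runs."""
    report = {"available": [], "unavailable": [], "unknown": []}
    for control_id in wanted:
        status = availability.get(control_id)
        if status is None:
            report["unknown"].append(control_id)
        elif status == "AVAILABLE":
            report["available"].append(control_id)
        else:
            report["unavailable"].append(control_id)
    return report


def fetch_pages(region: str) -> Iterator[dict]:
    """Live variant: yield every page from the real API for one Region.
    Requires boto3 and credentials with securityhub:ListSecurityControlDefinitions."""
    import boto3  # imported here so the offline path has no dependency

    client = boto3.client("securityhub", region_name=region)
    kwargs: dict = {}
    while True:
        page = client.list_security_control_definitions(**kwargs)
        yield page
        token = page.get("NextToken")
        if not token:
            return
        kwargs["NextToken"] = token


if __name__ == "__main__":
    # Usage: python check_controls.py [region] CONTROL_ID...
    # With no region argument the constructed sample pages are used.
    args = sys.argv[1:]
    region = args.pop(0) if args and "-" in args[0] else None
    wanted = args or ["S3.20", "CloudFront.5", "WAF.1", "EC2.999"]
    pages = fetch_pages(region) if region else SAMPLE_PAGES
    gaps = coverage_gaps(wanted, region_availability(pages))
    for bucket, ids in gaps.items():
        print(f"{bucket:>11}: {', '.join(ids) or '-'}")
```

Run it against each Region where you enable controls, not just the aggregation Region: availability is reported per Region, and a control that is `AVAILABLE` in your home Region can be `UNAVAILABLE` in a linked one. Treat the `unknown` bucket as a defect in your own list rather than ignoring it.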

## Canada (Central)
<a name="securityhub-control-support-cacentral1"></a>

The following controls are not supported in the Canada (Central) Region.
+  [[AppRunner.1] App Runner services should be tagged](apprunner-controls.md#apprunner-1) 
+  [[AppRunner.2] App Runner VPC connectors should be tagged](apprunner-controls.md#apprunner-2) 
+  [[AppSync.1] AWS AppSync API caches should be encrypted at rest](appsync-controls.md#appsync-1) 
+  [[AppSync.6] AWS AppSync API caches should be encrypted in transit](appsync-controls.md#appsync-6) 
+  [[CloudFront.1] CloudFront distributions should have a default root object configured](cloudfront-controls.md#cloudfront-1) 
+  [[CloudFront.3] CloudFront distributions should require encryption in transit](cloudfront-controls.md#cloudfront-3) 
+  [[CloudFront.4] CloudFront distributions should have origin failover configured](cloudfront-controls.md#cloudfront-4) 
+  [[CloudFront.5] CloudFront distributions should have logging enabled](cloudfront-controls.md#cloudfront-5) 
+  [[CloudFront.6] CloudFront distributions should have WAF enabled](cloudfront-controls.md#cloudfront-6) 
+  [[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates](cloudfront-controls.md#cloudfront-7) 
+  [[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests](cloudfront-controls.md#cloudfront-8) 
+  [[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins](cloudfront-controls.md#cloudfront-9) 
+  [[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins](cloudfront-controls.md#cloudfront-10) 
+  [[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins](cloudfront-controls.md#cloudfront-12) 
+  [[CloudFront.13] CloudFront distributions should use origin access control](cloudfront-controls.md#cloudfront-13) 
+  [[CloudFront.14] CloudFront distributions should be tagged](cloudfront-controls.md#cloudfront-14) 
+  [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](cloudfront-controls.md#cloudfront-15) 
+  [[CloudFront.16] CloudFront distributions should use origin access control for Lambda function URL origins](cloudfront-controls.md#cloudfront-16) 
+  [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](cloudfront-controls.md#cloudfront-17) 
+  [[CodeArtifact.1] CodeArtifact repositories should be tagged](codeartifact-controls.md#codeartifact-1) 
+  [[CodeGuruProfiler.1] CodeGuru Profiler profiling groups should be tagged](codeguruprofiler-controls.md#codeguruprofiler-1) 
+  [[CodeGuruReviewer.1] CodeGuru Reviewer repository associations should be tagged](codegurureviewer-controls.md#codegurureviewer-1) 
+  [[DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest](dynamodb-controls.md#dynamodb-3) 
+  [[DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit](dynamodb-controls.md#dynamodb-7) 
+  [[EC2.24] Amazon EC2 paravirtual instance types should not be used](ec2-controls.md#ec2-24) 
+  [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](ec2-controls.md#ec2-173) 
+  [[ECR.4] ECR public repositories should be tagged](ecr-controls.md#ecr-4) 
+  [[FraudDetector.1] Amazon Fraud Detector entity types should be tagged](frauddetector-controls.md#frauddetector-1) 
+  [[FraudDetector.2] Amazon Fraud Detector labels should be tagged](frauddetector-controls.md#frauddetector-2) 
+  [[FraudDetector.3] Amazon Fraud Detector outcomes should be tagged](frauddetector-controls.md#frauddetector-3) 
+  [[FraudDetector.4] Amazon Fraud Detector variables should be tagged](frauddetector-controls.md#frauddetector-4) 
+  [[GlobalAccelerator.1] Global Accelerator accelerators should be tagged](globalaccelerator-controls.md#globalaccelerator-1) 
+  [[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed](iam-controls.md#iam-26) 
+  [[Inspector.3] Amazon Inspector Lambda code scanning should be enabled](inspector-controls.md#inspector-3) 
+  [[IoTTwinMaker.1] AWS IoT TwinMaker sync jobs should be tagged](iottwinmaker-controls.md#iottwinmaker-1) 
+  [[IoTTwinMaker.2] AWS IoT TwinMaker workspaces should be tagged](iottwinmaker-controls.md#iottwinmaker-2) 
+  [[IoTTwinMaker.3] AWS IoT TwinMaker scenes should be tagged](iottwinmaker-controls.md#iottwinmaker-3) 
+  [[IoTTwinMaker.4] AWS IoT TwinMaker entities should be tagged](iottwinmaker-controls.md#iottwinmaker-4) 
+  [[IoTWireless.1] AWS IoT Wireless multicast groups should be tagged](iotwireless-controls.md#iotwireless-1) 
+  [[IoTWireless.2] AWS IoT Wireless service profiles should be tagged](iotwireless-controls.md#iotwireless-2) 
+  [[IoTWireless.3] AWS IoT FUOTA tasks should be tagged](iotwireless-controls.md#iotwireless-3) 
+  [[IVS.1] IVS playback key pairs should be tagged](ivs-controls.md#ivs-1) 
+  [[IVS.2] IVS recording configurations should be tagged](ivs-controls.md#ivs-2) 
+  [[IVS.3] IVS channels should be tagged](ivs-controls.md#ivs-3) 
+  [[Kinesis.3] Kinesis streams should have an adequate data retention period](kinesis-controls.md#kinesis-3) 
+  [[RDS.31] RDS DB security groups should be tagged](rds-controls.md#rds-31) 
+  [[Route53.1] Route 53 health checks should be tagged](route53-controls.md#route53-1) 
+  [[Route53.2] Route 53 public hosted zones should log DNS queries](route53-controls.md#route53-2) 
+  [[S3.24] S3 Multi-Region Access Points should have block public access settings enabled](s3-controls.md#s3-24) 
+  [[S3.25] S3 directory buckets should have lifecycle configurations](s3-controls.md#s3-25) 
+  [[WAF.1] AWS WAF Classic Global Web ACL logging should be enabled](waf-controls.md#waf-1) 
+  [[WAF.6] AWS WAF Classic global rules should have at least one condition](waf-controls.md#waf-6) 
+  [[WAF.7] AWS WAF Classic global rule groups should have at least one rule](waf-controls.md#waf-7) 
+  [[WAF.8] AWS WAF Classic global web ACLs should have at least one rule or rule group](waf-controls.md#waf-8) 

## Canada West (Calgary)
<a name="securityhub-control-support-cawest1"></a>

The following controls are not supported in the Canada West (Calgary) Region.
+  [[ACM.1] Imported and ACM-issued certificates should be renewed after a specified time period](acm-controls.md#acm-1) 
+  [[ACM.2] RSA certificates managed by ACM should use a key length of at least 2,048 bits](acm-controls.md#acm-2) 
+  [[Account.1] Security contact information should be provided for an AWS account](account-controls.md#account-1) 
+  [[Account.2] AWS accounts should be part of an AWS Organizations organization](account-controls.md#account-2) 
+  [[APIGateway.8] API Gateway routes should specify an authorization type](apigateway-controls.md#apigateway-8) 
+  [[APIGateway.9] Access logging should be configured for API Gateway V2 Stages](apigateway-controls.md#apigateway-9) 
+  [[Amplify.1] Amplify apps should be tagged](amplify-controls.md#amplify-1) 
+  [[Amplify.2] Amplify branches should be tagged](amplify-controls.md#amplify-2) 
+  [[AppConfig.1] AWS AppConfig applications should be tagged](appconfig-controls.md#appconfig-1) 
+  [[AppConfig.2] AWS AppConfig configuration profiles should be tagged](appconfig-controls.md#appconfig-2) 
+  [[AppConfig.3] AWS AppConfig environments should be tagged](appconfig-controls.md#appconfig-3) 
+  [[AppConfig.4] AWS AppConfig extension associations should be tagged](appconfig-controls.md#appconfig-4) 
+  [[AppFlow.1] Amazon AppFlow flows should be tagged](appflow-controls.md#appflow-1) 
+  [[AppRunner.1] App Runner services should be tagged](apprunner-controls.md#apprunner-1) 
+  [[AppRunner.2] App Runner VPC connectors should be tagged](apprunner-controls.md#apprunner-2) 
+  [[AppSync.1] AWS AppSync API caches should be encrypted at rest](appsync-controls.md#appsync-1) 
+  [[AppSync.2] AWS AppSync should have field-level logging enabled](appsync-controls.md#appsync-2) 
+  [[AppSync.5] AWS AppSync GraphQL APIs should not be authenticated with API keys](appsync-controls.md#appsync-5) 
+  [[AppSync.6] AWS AppSync API caches should be encrypted in transit](appsync-controls.md#appsync-6) 
+  [[Athena.4] Athena workgroups should have logging enabled](athena-controls.md#athena-4) 
+  [[AutoScaling.2] Amazon EC2 Auto Scaling group should cover multiple Availability Zones](autoscaling-controls.md#autoscaling-2) 
+  [[AutoScaling.3] Auto Scaling group launch configurations should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2)](autoscaling-controls.md#autoscaling-3) 
+  [[AutoScaling.6] Auto Scaling groups should use multiple instance types in multiple Availability Zones](autoscaling-controls.md#autoscaling-6) 
+  [[AutoScaling.9] Amazon EC2 Auto Scaling groups should use Amazon EC2 launch templates](autoscaling-controls.md#autoscaling-9) 
+  [[Backup.1] AWS Backup recovery points should be encrypted at rest](backup-controls.md#backup-1) 
+  [[Backup.4] AWS Backup report plans should be tagged](backup-controls.md#backup-4) 
+  [[Batch.1] Batch job queues should be tagged](batch-controls.md#batch-1) 
+  [[Batch.3] Batch compute environments should be tagged](batch-controls.md#batch-3) 
+  [[Batch.4] Compute resources properties in managed Batch compute environments should be tagged](batch-controls.md#batch-4) 
+  [[CloudFormation.3] CloudFormation stacks should have termination protection enabled](cloudformation-controls.md#cloudformation-3) 
+  [[CloudFormation.4] CloudFormation stacks should have associated service roles](cloudformation-controls.md#cloudformation-4) 
+  [[CloudFront.1] CloudFront distributions should have a default root object configured](cloudfront-controls.md#cloudfront-1) 
+  [[CloudFront.3] CloudFront distributions should require encryption in transit](cloudfront-controls.md#cloudfront-3) 
+  [[CloudFront.4] CloudFront distributions should have origin failover configured](cloudfront-controls.md#cloudfront-4) 
+  [[CloudFront.5] CloudFront distributions should have logging enabled](cloudfront-controls.md#cloudfront-5) 
+  [[CloudFront.6] CloudFront distributions should have WAF enabled](cloudfront-controls.md#cloudfront-6) 
+  [[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates](cloudfront-controls.md#cloudfront-7) 
+  [[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests](cloudfront-controls.md#cloudfront-8) 
+  [[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins](cloudfront-controls.md#cloudfront-9) 
+  [[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins](cloudfront-controls.md#cloudfront-10) 
+  [[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins](cloudfront-controls.md#cloudfront-12) 
+  [[CloudFront.13] CloudFront distributions should use origin access control](cloudfront-controls.md#cloudfront-13) 
+  [[CloudFront.14] CloudFront distributions should be tagged](cloudfront-controls.md#cloudfront-14) 
+  [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](cloudfront-controls.md#cloudfront-15) 
+  [[CloudFront.16] CloudFront distributions should use origin access control for Lambda function URL origins](cloudfront-controls.md#cloudfront-16) 
+  [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](cloudfront-controls.md#cloudfront-17) 
+  [[CloudTrail.6] Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible](cloudtrail-controls.md#cloudtrail-6) 
+  [[CloudTrail.7] Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket](cloudtrail-controls.md#cloudtrail-7) 
+  [[CloudTrail.10] CloudTrail Lake event data stores should be encrypted with customer managed AWS KMS keys](cloudtrail-controls.md#cloudtrail-10) 
+  [[CloudWatch.17] CloudWatch alarm actions should be activated](cloudwatch-controls.md#cloudwatch-17) 
+  [[CodeArtifact.1] CodeArtifact repositories should be tagged](codeartifact-controls.md#codeartifact-1) 
+  [[CodeBuild.1] CodeBuild Bitbucket source repository URLs should not contain sensitive credentials](codebuild-controls.md#codebuild-1) 
+  [[CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials](codebuild-controls.md#codebuild-2) 
+  [[CodeBuild.3] CodeBuild S3 logs should be encrypted](codebuild-controls.md#codebuild-3) 
+  [[CodeBuild.4] CodeBuild project environments should have a logging AWS Configuration](codebuild-controls.md#codebuild-4) 
+  [[CodeBuild.7] CodeBuild report group exports should be encrypted at rest](codebuild-controls.md#codebuild-7) 
+  [[CodeGuruProfiler.1] CodeGuru Profiler profiling groups should be tagged](codeguruprofiler-controls.md#codeguruprofiler-1) 
+  [[CodeGuruReviewer.1] CodeGuru Reviewer repository associations should be tagged](codegurureviewer-controls.md#codegurureviewer-1) 
+  [[Cognito.1] Cognito user pools should have threat protection activated with full function enforcement mode for standard authentication](cognito-controls.md#cognito-1) 
+  [[Cognito.2] Cognito identity pools should not allow unauthenticated identities](cognito-controls.md#cognito-2) 
+  [[Connect.1] Amazon Connect Customer Profiles object types should be tagged](connect-controls.md#connect-1) 
+  [[Connect.2] Amazon Connect instances should have CloudWatch logging enabled](connect-controls.md#connect-2) 
+  [[DataFirehose.1] Firehose delivery streams should be encrypted at rest](datafirehose-controls.md#datafirehose-1) 
+  [[DataSync.1] DataSync tasks should have logging enabled](datasync-controls.md#datasync-1) 
+  [[Detective.1] Detective behavior graphs should be tagged](detective-controls.md#detective-1) 
+  [[DMS.2] DMS certificates should be tagged](dms-controls.md#dms-2) 
+  [[DMS.3] DMS event subscriptions should be tagged](dms-controls.md#dms-3) 
+  [[DMS.4] DMS replication instances should be tagged](dms-controls.md#dms-4) 
+  [[DMS.5] DMS replication subnet groups should be tagged](dms-controls.md#dms-5) 
+  [[DMS.6] DMS replication instances should have automatic minor version upgrade enabled](dms-controls.md#dms-6) 
+  [[DMS.7] DMS replication tasks for the target database should have logging enabled](dms-controls.md#dms-7) 
+  [[DMS.8] DMS replication tasks for the source database should have logging enabled](dms-controls.md#dms-8) 
+  [[DMS.9] DMS endpoints should use SSL](dms-controls.md#dms-9) 
+  [[DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled](dms-controls.md#dms-10) 
+  [[DMS.11] DMS endpoints for MongoDB should have an authentication mechanism enabled](dms-controls.md#dms-11) 
+  [[DMS.12] DMS endpoints for Redis OSS should have TLS enabled](dms-controls.md#dms-12) 
+  [[DMS.13] DMS replication instances should be configured to use multiple Availability Zones](dms-controls.md#dms-13) 
+  [[DocumentDB.1] Amazon DocumentDB clusters should be encrypted at rest](documentdb-controls.md#documentdb-1) 
+  [[DocumentDB.2] Amazon DocumentDB clusters should have an adequate backup retention period](documentdb-controls.md#documentdb-2) 
+  [[DocumentDB.3] Amazon DocumentDB manual cluster snapshots should not be public](documentdb-controls.md#documentdb-3) 
+  [[DocumentDB.4] Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs](documentdb-controls.md#documentdb-4) 
+  [[DocumentDB.5] Amazon DocumentDB clusters should have deletion protection enabled](documentdb-controls.md#documentdb-5) 
+  [[DocumentDB.6] Amazon DocumentDB clusters should be encrypted in transit](documentdb-controls.md#documentdb-6) 
+  [[DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest](dynamodb-controls.md#dynamodb-3) 
+  [[DynamoDB.4] DynamoDB tables should be present in a backup plan](dynamodb-controls.md#dynamodb-4) 
+  [[DynamoDB.6] DynamoDB tables should have deletion protection enabled](dynamodb-controls.md#dynamodb-6) 
+  [[DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit](dynamodb-controls.md#dynamodb-7) 
+  [[EC2.4] Stopped EC2 instances should be removed after a specified time period](ec2-controls.md#ec2-4) 
+  [[EC2.21] Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389](ec2-controls.md#ec2-21) 
+  [[EC2.22] Unused Amazon EC2 security groups should be removed](ec2-controls.md#ec2-22) 
+  [[EC2.23] Amazon EC2 Transit Gateways should not automatically accept VPC attachment requests](ec2-controls.md#ec2-23) 
+  [[EC2.24] Amazon EC2 paravirtual instance types should not be used](ec2-controls.md#ec2-24) 
+  [[EC2.25] Amazon EC2 launch templates should not assign public IPs to network interfaces](ec2-controls.md#ec2-25) 
+  [[EC2.28] EBS volumes should be covered by a backup plan](ec2-controls.md#ec2-28) 
+  [[EC2.34] EC2 transit gateway route tables should be tagged](ec2-controls.md#ec2-34) 
+  [[EC2.40] EC2 NAT gateways should be tagged](ec2-controls.md#ec2-40) 
+  [[EC2.51] EC2 Client VPN endpoints should have client connection logging enabled](ec2-controls.md#ec2-51) 
+  [[EC2.53] EC2 security groups should not allow ingress from 0.0.0.0/0 to remote server administration ports](ec2-controls.md#ec2-53) 
+  [[EC2.54] EC2 security groups should not allow ingress from ::/0 to remote server administration ports](ec2-controls.md#ec2-54) 
+  [[EC2.55] VPCs should be configured with an interface endpoint for ECR API](ec2-controls.md#ec2-55) 
+  [[EC2.56] VPCs should be configured with an interface endpoint for Docker Registry](ec2-controls.md#ec2-56) 
+  [[EC2.57] VPCs should be configured with an interface endpoint for Systems Manager](ec2-controls.md#ec2-57) 
+  [[EC2.58] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager Contacts](ec2-controls.md#ec2-58) 
+  [[EC2.60] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager](ec2-controls.md#ec2-60) 
+  [[EC2.170] EC2 launch templates should use Instance Metadata Service Version 2 (IMDSv2)](ec2-controls.md#ec2-170) 
+  [[EC2.171] EC2 VPN connections should have logging enabled](ec2-controls.md#ec2-171) 
+  [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](ec2-controls.md#ec2-173) 
+  [[EC2.175] EC2 launch templates should be tagged](ec2-controls.md#ec2-175) 
+  [[EC2.177] EC2 traffic mirror sessions should be tagged](ec2-controls.md#ec2-177) 
+  [[EC2.179] EC2 traffic mirror targets should be tagged](ec2-controls.md#ec2-179) 
+  [[EC2.180] EC2 network interfaces should have source/destination checking enabled](ec2-controls.md#ec2-180) 
+  [[EC2.181] EC2 launch templates should enable encryption for attached EBS volumes](ec2-controls.md#ec2-181) 
+  [[ECR.1] ECR private repositories should have image scanning configured](ecr-controls.md#ecr-1) 
+  [[ECR.2] ECR private repositories should have tag immutability configured](ecr-controls.md#ecr-2) 
+  [[ECR.3] ECR repositories should have at least one lifecycle policy configured](ecr-controls.md#ecr-3) 
+  [[ECR.4] ECR public repositories should be tagged](ecr-controls.md#ecr-4) 
+  [[ECR.5] ECR repositories should be encrypted with customer managed AWS KMS keys](ecr-controls.md#ecr-5) 
+  [[ECS.3] ECS task definitions should not share the host's process namespace](ecs-controls.md#ecs-3) 
+  [[ECS.4] ECS containers should run as non-privileged](ecs-controls.md#ecs-4) 
+  [[ECS.5] ECS task definitions should configure containers to be limited to read-only access to root filesystems](ecs-controls.md#ecs-5) 
+  [[ECS.8] Secrets should not be passed as container environment variables](ecs-controls.md#ecs-8) 
+  [[ECS.9] ECS task definitions should have a logging configuration](ecs-controls.md#ecs-9) 
+  [[ECS.10] ECS Fargate services should run on the latest Fargate platform version](ecs-controls.md#ecs-10) 
+  [[ECS.12] ECS clusters should use Container Insights](ecs-controls.md#ecs-12) 
+  [[ECS.16] ECS task sets should not automatically assign public IP addresses](ecs-controls.md#ecs-16) 
+  [[ECS.17] ECS task definitions should not use host network mode](ecs-controls.md#ecs-17) 
+  [[EFS.1] Elastic File System should be configured to encrypt file data at-rest using AWS KMS](efs-controls.md#efs-1) 
+  [[EFS.2] Amazon EFS volumes should be in backup plans](efs-controls.md#efs-2) 
+  [[EFS.3] EFS access points should enforce a root directory](efs-controls.md#efs-3) 
+  [[EFS.4] EFS access points should enforce a user identity](efs-controls.md#efs-4) 
+  [[EFS.6] EFS mount targets should not be associated with subnets that assign public IP addresses on launch](efs-controls.md#efs-6) 
+  [[EFS.7] EFS file systems should have automatic backups enabled](efs-controls.md#efs-7) 
+  [[EFS.8] EFS file systems should be encrypted at rest](efs-controls.md#efs-8) 
+  [[EKS.2] EKS clusters should run on a supported Kubernetes version](eks-controls.md#eks-2) 
+  [[EKS.3] EKS clusters should use encrypted Kubernetes secrets](eks-controls.md#eks-3) 
+  [[EKS.7] EKS identity provider configurations should be tagged](eks-controls.md#eks-7) 
+  [[EKS.8] EKS clusters should have audit logging enabled](eks-controls.md#eks-8) 
+  [[ELB.2] Classic Load Balancers with SSL/HTTPS listeners should use a certificate provided by AWS Certificate Manager](elb-controls.md#elb-2) 
+  [[ELB.10] Classic Load Balancer should span multiple Availability Zones](elb-controls.md#elb-10) 
+  [[ELB.12] Application Load Balancer should be configured with defensive or strictest desync mitigation mode](elb-controls.md#elb-12) 
+  [[ELB.13] Application, Network and Gateway Load Balancers should span multiple Availability Zones](elb-controls.md#elb-13) 
+  [[ELB.14] Classic Load Balancer should be configured with defensive or strictest desync mitigation mode](elb-controls.md#elb-14) 
+  [[ELB.17] Application and Network Load Balancers with listeners should use recommended security policies](elb-controls.md#elb-17) 
+  [[ELB.18] Application and Network Load Balancer listeners should use secure protocols to encrypt data in transit](elb-controls.md#elb-18) 
+  [[ElastiCache.1] ElastiCache (Redis OSS) clusters should have automatic backups enabled](elasticache-controls.md#elasticache-1) 
+  [[ElastiCache.2] ElastiCache clusters should have automatic minor version upgrades enabled](elasticache-controls.md#elasticache-2) 
+  [[ElastiCache.3] ElastiCache replication groups should have automatic failover enabled](elasticache-controls.md#elasticache-3) 
+  [[ElastiCache.4] ElastiCache replication groups should be encrypted at rest](elasticache-controls.md#elasticache-4) 
+  [[ElastiCache.5] ElastiCache replication groups should be encrypted in transit](elasticache-controls.md#elasticache-5) 
+  [[ElastiCache.6] ElastiCache (Redis OSS) replication groups of earlier versions should have Redis OSS AUTH enabled](elasticache-controls.md#elasticache-6) 
+  [[ElastiCache.7] ElastiCache clusters should not use the default subnet group](elasticache-controls.md#elasticache-7) 
+  [[ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled](elasticbeanstalk-controls.md#elasticbeanstalk-1) 
+  [[ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled](elasticbeanstalk-controls.md#elasticbeanstalk-2) 
+  [[ElasticBeanstalk.3] Elastic Beanstalk should stream logs to CloudWatch](elasticbeanstalk-controls.md#elasticbeanstalk-3) 
+  [[EMR.1] Amazon EMR cluster primary nodes should not have public IP addresses](emr-controls.md#emr-1) 
+  [[EMR.2] Amazon EMR block public access setting should be enabled](emr-controls.md#emr-2) 
+  [[ES.4] Elasticsearch domain error logging to CloudWatch Logs should be enabled](es-controls.md#es-4) 
+  [[EventBridge.3] EventBridge custom event buses should have a resource-based policy attached](eventbridge-controls.md#eventbridge-3) 
+  [[EventBridge.4] EventBridge global endpoints should have event replication enabled](eventbridge-controls.md#eventbridge-4) 
+  [[FraudDetector.1] Amazon Fraud Detector entity types should be tagged](frauddetector-controls.md#frauddetector-1) 
+  [[FraudDetector.2] Amazon Fraud Detector labels should be tagged](frauddetector-controls.md#frauddetector-2) 
+  [[FraudDetector.3] Amazon Fraud Detector outcomes should be tagged](frauddetector-controls.md#frauddetector-3) 
+  [[FraudDetector.4] Amazon Fraud Detector variables should be tagged](frauddetector-controls.md#frauddetector-4) 
+  [[FSx.1] FSx for OpenZFS file systems should be configured to copy tags to backups and volumes](fsx-controls.md#fsx-1) 
+  [[FSx.2] FSx for Lustre file systems should be configured to copy tags to backups](fsx-controls.md#fsx-2) 
+  [[FSx.3] FSx for OpenZFS file systems should be configured for Multi-AZ deployment](fsx-controls.md#fsx-3) 
+  [[FSx.4] FSx for NetApp ONTAP file systems should be configured for Multi-AZ deployment](fsx-controls.md#fsx-4) 
+  [[FSx.5] FSx for Windows File Server file systems should be configured for Multi-AZ deployment](fsx-controls.md#fsx-5) 
+  [[GlobalAccelerator.1] Global Accelerator accelerators should be tagged](globalaccelerator-controls.md#globalaccelerator-1) 
+  [[Glue.3] AWS Glue machine learning transforms should be encrypted at rest](glue-controls.md#glue-3) 
+  [[Glue.4] AWS Glue Spark jobs should run on supported versions of AWS Glue](glue-controls.md#glue-4) 
+  [[GuardDuty.2] GuardDuty filters should be tagged](guardduty-controls.md#guardduty-2) 
+  [[GuardDuty.5] GuardDuty EKS Audit Log Monitoring should be enabled](guardduty-controls.md#guardduty-5) 
+  [[GuardDuty.6] GuardDuty Lambda Protection should be enabled](guardduty-controls.md#guardduty-6) 
+  [[GuardDuty.7] GuardDuty EKS Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-7) 
+  [[GuardDuty.8] GuardDuty Malware Protection for EC2 should be enabled](guardduty-controls.md#guardduty-8) 
+  [[GuardDuty.9] GuardDuty RDS Protection should be enabled](guardduty-controls.md#guardduty-9) 
+  [[GuardDuty.10] GuardDuty S3 Protection should be enabled](guardduty-controls.md#guardduty-10) 
+  [[GuardDuty.11] GuardDuty Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-11) 
+  [[GuardDuty.12] GuardDuty ECS Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-12) 
+  [[GuardDuty.13] GuardDuty EC2 Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-13) 
+  [[IAM.1] IAM policies should not allow full "\*" administrative privileges](iam-controls.md#iam-1) 
+  [[IAM.2] IAM users should not have IAM policies attached](iam-controls.md#iam-2) 
+  [[IAM.3] IAM users' access keys should be rotated every 90 days or less](iam-controls.md#iam-3) 
+  [[IAM.4] IAM root user access key should not exist](iam-controls.md#iam-4) 
+  [[IAM.5] MFA should be enabled for all IAM users that have a console password](iam-controls.md#iam-5) 
+  [[IAM.6] Hardware MFA should be enabled for the root user](iam-controls.md#iam-6) 
+  [[IAM.7] Password policies for IAM users should have strong configurations](iam-controls.md#iam-7) 
+  [[IAM.8] Unused IAM user credentials should be removed](iam-controls.md#iam-8) 
+  [[IAM.9] MFA should be enabled for the root user](iam-controls.md#iam-9) 
+  [[IAM.10] Password policies for IAM users should have strong configurations](iam-controls.md#iam-10) 
+  [[IAM.11] Ensure IAM password policy requires at least one uppercase letter](iam-controls.md#iam-11) 
+  [[IAM.12] Ensure IAM password policy requires at least one lowercase letter](iam-controls.md#iam-12) 
+  [[IAM.13] Ensure IAM password policy requires at least one symbol](iam-controls.md#iam-13) 
+  [[IAM.14] Ensure IAM password policy requires at least one number](iam-controls.md#iam-14) 
+  [[IAM.15] Ensure IAM password policy requires minimum password length of 14 or greater](iam-controls.md#iam-15) 
+  [[IAM.16] Ensure IAM password policy prevents password reuse](iam-controls.md#iam-16) 
+  [[IAM.17] Ensure IAM password policy expires passwords within 90 days or less](iam-controls.md#iam-17) 
+  [[IAM.18] Ensure a support role has been created to manage incidents with AWS Support](iam-controls.md#iam-18) 
+  [[IAM.19] MFA should be enabled for all IAM users](iam-controls.md#iam-19) 
+  [[IAM.21] IAM customer managed policies that you create should not allow wildcard actions for services](iam-controls.md#iam-21) 
+  [[IAM.22] IAM user credentials unused for 45 days should be removed](iam-controls.md#iam-22) 
+  [[IAM.24] IAM roles should be tagged](iam-controls.md#iam-24) 
+  [[IAM.25] IAM users should be tagged](iam-controls.md#iam-25) 
+  [[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed](iam-controls.md#iam-26) 
+  [[IAM.27] IAM identities should not have the AWSCloudShellFullAccess policy attached](iam-controls.md#iam-27) 
+  [[IAM.28] IAM Access Analyzer external access analyzer should be enabled](iam-controls.md#iam-28) 
+  [[Inspector.1] Amazon Inspector EC2 scanning should be enabled](inspector-controls.md#inspector-1) 
+  [[Inspector.2] Amazon Inspector ECR scanning should be enabled](inspector-controls.md#inspector-2) 
+  [[Inspector.3] Amazon Inspector Lambda code scanning should be enabled](inspector-controls.md#inspector-3) 
+  [[Inspector.4] Amazon Inspector Lambda standard scanning should be enabled](inspector-controls.md#inspector-4) 
+  [[IoT.1] AWS IoT Device Defender security profiles should be tagged](iot-controls.md#iot-1) 
+  [[IoT.2] AWS IoT Core mitigation actions should be tagged](iot-controls.md#iot-2) 
+  [[IoT.3] AWS IoT Core dimensions should be tagged](iot-controls.md#iot-3) 
+  [[IoT.4] AWS IoT Core authorizers should be tagged](iot-controls.md#iot-4) 
+  [[IoT.5] AWS IoT Core role aliases should be tagged](iot-controls.md#iot-5) 
+  [[IoT.6] AWS IoT Core policies should be tagged](iot-controls.md#iot-6) 
+  [[IoTEvents.1] AWS IoT Events inputs should be tagged](iotevents-controls.md#iotevents-1) 
+  [[IoTEvents.2] AWS IoT Events detector models should be tagged](iotevents-controls.md#iotevents-2) 
+  [[IoTEvents.3] AWS IoT Events alarm models should be tagged](iotevents-controls.md#iotevents-3) 
+  [[IoTSiteWise.1] AWS IoT SiteWise asset models should be tagged](iotsitewise-controls.md#iotsitewise-1) 
+  [[IoTSiteWise.2] AWS IoT SiteWise dashboards should be tagged](iotsitewise-controls.md#iotsitewise-2) 
+  [[IoTSiteWise.3] AWS IoT SiteWise gateways should be tagged](iotsitewise-controls.md#iotsitewise-3) 
+  [[IoTSiteWise.4] AWS IoT SiteWise portals should be tagged](iotsitewise-controls.md#iotsitewise-4) 
+  [[IoTSiteWise.5] AWS IoT SiteWise projects should be tagged](iotsitewise-controls.md#iotsitewise-5) 
+  [[IoTTwinMaker.1] AWS IoT TwinMaker sync jobs should be tagged](iottwinmaker-controls.md#iottwinmaker-1) 
+  [[IoTTwinMaker.2] AWS IoT TwinMaker workspaces should be tagged](iottwinmaker-controls.md#iottwinmaker-2) 
+  [[IoTTwinMaker.3] AWS IoT TwinMaker scenes should be tagged](iottwinmaker-controls.md#iottwinmaker-3) 
+  [[IoTTwinMaker.4] AWS IoT TwinMaker entities should be tagged](iottwinmaker-controls.md#iottwinmaker-4) 
+  [[IoTWireless.1] AWS IoT Wireless multicast groups should be tagged](iotwireless-controls.md#iotwireless-1) 
+  [[IoTWireless.2] AWS IoT Wireless service profiles should be tagged](iotwireless-controls.md#iotwireless-2) 
+  [[IoTWireless.3] AWS IoT FUOTA tasks should be tagged](iotwireless-controls.md#iotwireless-3) 
+  [[IVS.1] IVS playback key pairs should be tagged](ivs-controls.md#ivs-1) 
+  [[IVS.2] IVS recording configurations should be tagged](ivs-controls.md#ivs-2) 
+  [[IVS.3] IVS channels should be tagged](ivs-controls.md#ivs-3) 
+  [[Keyspaces.1] Amazon Keyspaces keyspaces should be tagged](keyspaces-controls.md#keyspaces-1) 
+  [[Kinesis.1] Kinesis streams should be encrypted at rest](kinesis-controls.md#kinesis-1) 
+  [[Kinesis.3] Kinesis streams should have an adequate data retention period](kinesis-controls.md#kinesis-3) 
+  [[KMS.1] IAM customer managed policies should not allow decryption actions on all KMS keys](kms-controls.md#kms-1) 
+  [[KMS.2] IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys](kms-controls.md#kms-2) 
+  [[KMS.5] KMS keys should not be publicly accessible](kms-controls.md#kms-5) 
+  [[Lambda.5] VPC Lambda functions should operate in multiple Availability Zones](lambda-controls.md#lambda-5) 
+  [[Lambda.7] Lambda functions should have AWS X-Ray active tracing enabled](lambda-controls.md#lambda-7) 
+  [[Macie.1] Amazon Macie should be enabled](macie-controls.md#macie-1) 
+  [[Macie.2] Macie automated sensitive data discovery should be enabled](macie-controls.md#macie-2) 
+  [[MQ.2] ActiveMQ brokers should stream audit logs to CloudWatch](mq-controls.md#mq-2) 
+  [[MQ.4] Amazon MQ brokers should be tagged](mq-controls.md#mq-4) 
+  [[MQ.5] ActiveMQ brokers should use active/standby deployment mode](mq-controls.md#mq-5) 
+  [[MQ.6] RabbitMQ brokers should use cluster deployment mode](mq-controls.md#mq-6) 
+  [[MSK.1] MSK clusters should be encrypted in transit among broker nodes](msk-controls.md#msk-1) 
+  [[MSK.2] MSK clusters should have enhanced monitoring configured](msk-controls.md#msk-2) 
+  [[MSK.3] MSK Connect connectors should be encrypted in transit](msk-controls.md#msk-3) 
+  [[MSK.4] MSK clusters should have public access disabled](msk-controls.md#msk-4) 
+  [[MSK.5] MSK connectors should have logging enabled](msk-controls.md#msk-5) 
+  [[MSK.6] MSK clusters should disable unauthenticated access](msk-controls.md#msk-6) 
+  [[Neptune.1] Neptune DB clusters should be encrypted at rest](neptune-controls.md#neptune-1) 
+  [[Neptune.2] Neptune DB clusters should publish audit logs to CloudWatch Logs](neptune-controls.md#neptune-2) 
+  [[Neptune.3] Neptune DB cluster snapshots should not be public](neptune-controls.md#neptune-3) 
+  [[Neptune.4] Neptune DB clusters should have deletion protection enabled](neptune-controls.md#neptune-4) 
+  [[Neptune.5] Neptune DB clusters should have automated backups enabled](neptune-controls.md#neptune-5) 
+  [[Neptune.6] Neptune DB cluster snapshots should be encrypted at rest](neptune-controls.md#neptune-6) 
+  [[Neptune.7] Neptune DB clusters should have IAM database authentication enabled](neptune-controls.md#neptune-7) 
+  [[Neptune.8] Neptune DB clusters should be configured to copy tags to snapshots](neptune-controls.md#neptune-8) 
+  [[Neptune.9] Neptune DB clusters should be deployed across multiple Availability Zones](neptune-controls.md#neptune-9) 
+  [[NetworkFirewall.1] Network Firewall firewalls should be deployed across multiple Availability Zones](networkfirewall-controls.md#networkfirewall-1) 
+  [[NetworkFirewall.2] Network Firewall logging should be enabled](networkfirewall-controls.md#networkfirewall-2) 
+  [[NetworkFirewall.3] Network Firewall policies should have at least one rule group associated](networkfirewall-controls.md#networkfirewall-3) 
+  [[NetworkFirewall.4] The default stateless action for Network Firewall policies should be drop or forward for full packets](networkfirewall-controls.md#networkfirewall-4) 
+  [[NetworkFirewall.5] The default stateless action for Network Firewall policies should be drop or forward for fragmented packets](networkfirewall-controls.md#networkfirewall-5) 
+  [[NetworkFirewall.6] Stateless Network Firewall rule group should not be empty](networkfirewall-controls.md#networkfirewall-6) 
+  [[NetworkFirewall.9] Network Firewall firewalls should have deletion protection enabled](networkfirewall-controls.md#networkfirewall-9) 
+  [[NetworkFirewall.10] Network Firewall firewalls should have subnet change protection enabled](networkfirewall-controls.md#networkfirewall-10) 
+  [[Opensearch.1] OpenSearch domains should have encryption at rest enabled](opensearch-controls.md#opensearch-1) 
+  [[Opensearch.2] OpenSearch domains should not be publicly accessible](opensearch-controls.md#opensearch-2) 
+  [[Opensearch.3] OpenSearch domains should encrypt data sent between nodes](opensearch-controls.md#opensearch-3) 
+  [[Opensearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled](opensearch-controls.md#opensearch-4) 
+  [[Opensearch.5] OpenSearch domains should have audit logging enabled](opensearch-controls.md#opensearch-5) 
+  [[Opensearch.6] OpenSearch domains should have at least three data nodes](opensearch-controls.md#opensearch-6) 
+  [[Opensearch.7] OpenSearch domains should have fine-grained access control enabled](opensearch-controls.md#opensearch-7) 
+  [[Opensearch.8] Connections to OpenSearch domains should be encrypted using the latest TLS security policy](opensearch-controls.md#opensearch-8) 
+  [[Opensearch.9] OpenSearch domains should be tagged](opensearch-controls.md#opensearch-9) 
+  [[Opensearch.10] OpenSearch domains should have the latest software update installed](opensearch-controls.md#opensearch-10) 
+  [[Opensearch.11] OpenSearch domains should have at least three dedicated primary nodes](opensearch-controls.md#opensearch-11) 
+  [[PCA.1] AWS Private CA root certificate authority should be disabled](pca-controls.md#pca-1) 
+  [[RDS.14] Amazon Aurora clusters should have backtracking enabled](rds-controls.md#rds-14) 
+  [[RDS.18] RDS instances should be deployed in a VPC](rds-controls.md#rds-18) 
+  [[RDS.24] RDS Database clusters should use a custom administrator username](rds-controls.md#rds-24) 
+  [[RDS.25] RDS database instances should use a custom administrator username](rds-controls.md#rds-25) 
+  [[RDS.26] RDS DB instances should be protected by a backup plan](rds-controls.md#rds-26) 
+  [[RDS.27] RDS DB clusters should be encrypted at rest](rds-controls.md#rds-27) 
+  [[RDS.31] RDS DB security groups should be tagged](rds-controls.md#rds-31) 
+  [[RDS.34] Aurora MySQL DB clusters should publish audit logs to CloudWatch Logs](rds-controls.md#rds-34) 
+  [[RDS.35] RDS DB clusters should have automatic minor version upgrade enabled](rds-controls.md#rds-35) 
+  [[RDS.36] RDS for PostgreSQL DB instances should publish logs to CloudWatch Logs](rds-controls.md#rds-36) 
+  [[RDS.37] Aurora PostgreSQL DB clusters should publish logs to CloudWatch Logs](rds-controls.md#rds-37) 
+  [[RDS.38] RDS for PostgreSQL DB instances should be encrypted in transit](rds-controls.md#rds-38) 
+  [[RDS.39] RDS for MySQL DB instances should be encrypted in transit](rds-controls.md#rds-39) 
+  [[RDS.40] RDS for SQL Server DB instances should publish logs to CloudWatch Logs](rds-controls.md#rds-40) 
+  [[RDS.41] RDS for SQL Server DB instances should be encrypted in transit](rds-controls.md#rds-41) 
+  [[RDS.42] RDS for MariaDB DB instances should publish logs to CloudWatch Logs](rds-controls.md#rds-42) 
+  [[RDS.43] RDS DB proxies should require TLS encryption for connections](rds-controls.md#rds-43) 
+  [[RDS.44] RDS for MariaDB DB instances should be encrypted in transit](rds-controls.md#rds-44) 
+  [[RDS.45] Aurora MySQL DB clusters should have audit logging enabled](rds-controls.md#rds-45) 
+  [[RDS.46] RDS DB instances should not be deployed in public subnets with routes to internet gateways](rds-controls.md#rds-46) 
+  [[Redshift.8] Amazon Redshift clusters should not use the default Admin username](redshift-controls.md#redshift-8) 
+  [[Redshift.10] Redshift clusters should be encrypted at rest](redshift-controls.md#redshift-10) 
+  [[Redshift.15] Redshift security groups should allow ingress on the cluster port only from restricted origins](redshift-controls.md#redshift-15) 
+  [[Redshift.16] Redshift cluster subnet groups should have subnets from multiple Availability Zones](redshift-controls.md#redshift-16) 
+  [[Redshift.18] Redshift clusters should have Multi-AZ deployments enabled](redshift-controls.md#redshift-18) 
+  [[RedshiftServerless.1] Amazon Redshift Serverless workgroups should use enhanced VPC routing](redshiftserverless-controls.md#redshiftserverless-1) 
+  [[RedshiftServerless.2] Connections to Redshift Serverless workgroups should be required to use SSL](redshiftserverless-controls.md#redshiftserverless-2) 
+  [[RedshiftServerless.3] Redshift Serverless workgroups should prohibit public access](redshiftserverless-controls.md#redshiftserverless-3) 
+  [[RedshiftServerless.4] Redshift Serverless namespaces should be encrypted with customer managed AWS KMS keys](redshiftserverless-controls.md#redshiftserverless-4) 
+  [[RedshiftServerless.5] Redshift Serverless namespaces should not use the default admin username](redshiftserverless-controls.md#redshiftserverless-5) 
+  [[RedshiftServerless.6] Redshift Serverless namespaces should export logs to CloudWatch Logs](redshiftserverless-controls.md#redshiftserverless-6) 
+  [[Route53.1] Route 53 health checks should be tagged](route53-controls.md#route53-1) 
+  [[Route53.2] Route 53 public hosted zones should log DNS queries](route53-controls.md#route53-2) 
+  [[S3.7] S3 general purpose buckets should use cross-Region replication](s3-controls.md#s3-7) 
+  [[S3.10] S3 general purpose buckets with versioning enabled should have Lifecycle configurations](s3-controls.md#s3-10) 
+  [[S3.11] S3 general purpose buckets should have event notifications enabled](s3-controls.md#s3-11) 
+  [[S3.12] ACLs should not be used to manage user access to S3 general purpose buckets](s3-controls.md#s3-12) 
+  [[S3.13] S3 general purpose buckets should have Lifecycle configurations](s3-controls.md#s3-13) 
+  [[S3.19] S3 access points should have block public access settings enabled](s3-controls.md#s3-19) 
+  [[S3.20] S3 general purpose buckets should have MFA delete enabled](s3-controls.md#s3-20) 
+  [[S3.22] S3 general purpose buckets should log object-level write events](s3-controls.md#s3-22) 
+  [[S3.23] S3 general purpose buckets should log object-level read events](s3-controls.md#s3-23) 
+  [[S3.24] S3 Multi-Region Access Points should have block public access settings enabled](s3-controls.md#s3-24) 
+  [[S3.25] S3 directory buckets should have lifecycle configurations](s3-controls.md#s3-25) 
+  [[SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access](sagemaker-controls.md#sagemaker-1) 
+  [[SageMaker.2] SageMaker notebook instances should be launched in a custom VPC](sagemaker-controls.md#sagemaker-2) 
+  [[SageMaker.3] Users should not have root access to SageMaker notebook instances](sagemaker-controls.md#sagemaker-3) 
+  [[SageMaker.4] SageMaker endpoint production variants should have an initial instance count greater than 1](sagemaker-controls.md#sagemaker-4) 
+  [[SageMaker.5] SageMaker models should have network isolation enabled](sagemaker-controls.md#sagemaker-5) 
+  [[SageMaker.6] SageMaker app image configurations should be tagged](sagemaker-controls.md#sagemaker-6) 
+  [[SageMaker.7] SageMaker images should be tagged](sagemaker-controls.md#sagemaker-7) 
+  [[SageMaker.8] SageMaker notebook instances should run on supported platforms](sagemaker-controls.md#sagemaker-8) 
+  [[SageMaker.9] SageMaker data quality job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-9) 
+  [[SageMaker.10] SageMaker model explainability job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-10) 
+  [[SageMaker.11] SageMaker data quality job definitions should have network isolation enabled](sagemaker-controls.md#sagemaker-11) 
+  [[SageMaker.12] SageMaker model bias job definitions should have network isolation enabled](sagemaker-controls.md#sagemaker-12) 
+  [[SageMaker.13] SageMaker model quality job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-13) 
+  [[SageMaker.14] SageMaker monitoring schedules should have network isolation enabled](sagemaker-controls.md#sagemaker-14) 
+  [[SageMaker.15] SageMaker model bias job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-15) 
+  [[SES.3] SES configuration sets should have TLS enabled for sending emails](ses-controls.md#ses-3) 
+  [[ServiceCatalog.1] Service Catalog portfolios should be shared within an AWS organization only](servicecatalog-controls.md#servicecatalog-1) 
+  [[SNS.4] SNS topic access policies should not allow public access](sns-controls.md#sns-4) 
+  [[SQS.1] Amazon SQS queues should be encrypted at rest](sqs-controls.md#sqs-1) 
+  [[SQS.2] SQS queues should be tagged](sqs-controls.md#sqs-2) 
+  [[SQS.3] SQS queue access policies should not allow public access](sqs-controls.md#sqs-3) 
+  [[SSM.4] SSM documents should not be public](ssm-controls.md#ssm-4) 
+  [[SSM.6] SSM Automation should have CloudWatch logging enabled](ssm-controls.md#ssm-6) 
+  [[SSM.7] SSM documents should have the block public sharing setting enabled](ssm-controls.md#ssm-7) 
+  [[StepFunctions.1] Step Functions state machines should have logging turned on](stepfunctions-controls.md#stepfunctions-1) 
+  [[Transfer.2] Transfer Family servers should not use FTP protocol for endpoint connection](transfer-controls.md#transfer-2) 
+  [[Transfer.3] Transfer Family connectors should have logging enabled](transfer-controls.md#transfer-3) 
+  [[Transfer.4] Transfer Family agreements should be tagged](transfer-controls.md#transfer-4) 
+  [[WAF.1] AWS WAF Classic Global Web ACL logging should be enabled](waf-controls.md#waf-1) 
+  [[WAF.2] AWS WAF Classic Regional rules should have at least one condition](waf-controls.md#waf-2) 
+  [[WAF.3] AWS WAF Classic Regional rule groups should have at least one rule](waf-controls.md#waf-3) 
+  [[WAF.4] AWS WAF Classic Regional web ACLs should have at least one rule or rule group](waf-controls.md#waf-4) 
+  [[WAF.6] AWS WAF Classic global rules should have at least one condition](waf-controls.md#waf-6) 
+  [[WAF.7] AWS WAF Classic global rule groups should have at least one rule](waf-controls.md#waf-7) 
+  [[WAF.8] AWS WAF Classic global web ACLs should have at least one rule or rule group](waf-controls.md#waf-8) 
+  [[WAF.10] AWS WAF web ACLs should have at least one rule or rule group](waf-controls.md#waf-10) 
+  [[WAF.12] AWS WAF rules should have CloudWatch metrics enabled](waf-controls.md#waf-12) 
+  [[WorkSpaces.1] WorkSpaces user volumes should be encrypted at rest](workspaces-controls.md#workspaces-1) 
+  [[WorkSpaces.2] WorkSpaces root volumes should be encrypted at rest](workspaces-controls.md#workspaces-2) 

## China (Beijing)
<a name="securityhub-control-support-cnnorth1"></a>

The following controls are not supported in the China (Beijing) Region.
+  [[ACM.1] Imported and ACM-issued certificates should be renewed after a specified time period](acm-controls.md#acm-1) 
+  [[ACM.2] RSA certificates managed by ACM should use a key length of at least 2,048 bits](acm-controls.md#acm-2) 
+  [[Account.2] AWS accounts should be part of an AWS Organizations organization](account-controls.md#account-2) 
+  [[APIGateway.2] API Gateway REST API stages should be configured to use SSL certificates for backend authentication](apigateway-controls.md#apigateway-2) 
+  [[APIGateway.10] API Gateway V2 integrations should use HTTPS for private connections](apigateway-controls.md#apigateway-10) 
+  [[Amplify.1] Amplify apps should be tagged](amplify-controls.md#amplify-1) 
+  [[Amplify.2] Amplify branches should be tagged](amplify-controls.md#amplify-2) 
+  [[AppConfig.1] AWS AppConfig applications should be tagged](appconfig-controls.md#appconfig-1) 
+  [[AppConfig.2] AWS AppConfig configuration profiles should be tagged](appconfig-controls.md#appconfig-2) 
+  [[AppConfig.3] AWS AppConfig environments should be tagged](appconfig-controls.md#appconfig-3) 
+  [[AppConfig.4] AWS AppConfig extension associations should be tagged](appconfig-controls.md#appconfig-4) 
+  [[AppFlow.1] Amazon AppFlow flows should be tagged](appflow-controls.md#appflow-1) 
+  [[AppRunner.1] App Runner services should be tagged](apprunner-controls.md#apprunner-1) 
+  [[AppRunner.2] App Runner VPC connectors should be tagged](apprunner-controls.md#apprunner-2) 
+  [[AppSync.1] AWS AppSync API caches should be encrypted at rest](appsync-controls.md#appsync-1) 
+  [[AppSync.6] AWS AppSync API caches should be encrypted in transit](appsync-controls.md#appsync-6) 
+  [[Backup.1] AWS Backup recovery points should be encrypted at rest](backup-controls.md#backup-1) 
+  [[Backup.4] AWS Backup report plans should be tagged](backup-controls.md#backup-4) 
+  [[Batch.1] Batch job queues should be tagged](batch-controls.md#batch-1) 
+  [[Batch.2] Batch scheduling policies should be tagged](batch-controls.md#batch-2) 
+  [[Batch.3] Batch compute environments should be tagged](batch-controls.md#batch-3) 
+  [[Batch.4] Compute resources properties in managed Batch compute environments should be tagged](batch-controls.md#batch-4) 
+  [[CloudFront.1] CloudFront distributions should have a default root object configured](cloudfront-controls.md#cloudfront-1) 
+  [[CloudFront.3] CloudFront distributions should require encryption in transit](cloudfront-controls.md#cloudfront-3) 
+  [[CloudFront.4] CloudFront distributions should have origin failover configured](cloudfront-controls.md#cloudfront-4) 
+  [[CloudFront.5] CloudFront distributions should have logging enabled](cloudfront-controls.md#cloudfront-5) 
+  [[CloudFront.6] CloudFront distributions should have WAF enabled](cloudfront-controls.md#cloudfront-6) 
+  [[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates](cloudfront-controls.md#cloudfront-7) 
+  [[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests](cloudfront-controls.md#cloudfront-8) 
+  [[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins](cloudfront-controls.md#cloudfront-9) 
+  [[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins](cloudfront-controls.md#cloudfront-10) 
+  [[CloudFront.13] CloudFront distributions should use origin access control](cloudfront-controls.md#cloudfront-13) 
+  [[CloudFront.14] CloudFront distributions should be tagged](cloudfront-controls.md#cloudfront-14) 
+  [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](cloudfront-controls.md#cloudfront-15) 
+  [[CloudFront.16] CloudFront distributions should use origin access control for Lambda function URL origins](cloudfront-controls.md#cloudfront-16) 
+  [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](cloudfront-controls.md#cloudfront-17) 
+  [[CloudTrail.10] CloudTrail Lake event data stores should be encrypted with customer managed AWS KMS keys](cloudtrail-controls.md#cloudtrail-10) 
+  [[CodeArtifact.1] CodeArtifact repositories should be tagged](codeartifact-controls.md#codeartifact-1) 
+  [[CodeGuruProfiler.1] CodeGuru Profiler profiling groups should be tagged](codeguruprofiler-controls.md#codeguruprofiler-1) 
+  [[CodeGuruReviewer.1] CodeGuru Reviewer repository associations should be tagged](codegurureviewer-controls.md#codegurureviewer-1) 
+  [[Cognito.1] Cognito user pools should have threat protection activated with full function enforcement mode for standard authentication](cognito-controls.md#cognito-1) 
+  [[Cognito.2] Cognito identity pools should not allow unauthenticated identities](cognito-controls.md#cognito-2) 
+  [[Cognito.3] Password policies for Cognito user pools should have strong configurations](cognito-controls.md#cognito-3) 
+  [[Cognito.4] Cognito user pools should have threat protection activated with full function enforcement mode for custom authentication](cognito-controls.md#cognito-4) 
+  [[Cognito.5] MFA should be enabled for Cognito user pools](cognito-controls.md#cognito-5) 
+  [[Cognito.6] Cognito user pools should have deletion protection enabled](cognito-controls.md#cognito-6) 
+  [[Connect.1] Amazon Connect Customer Profiles object types should be tagged](connect-controls.md#connect-1) 
+  [[Connect.2] Amazon Connect instances should have CloudWatch logging enabled](connect-controls.md#connect-2) 
+  [[DataFirehose.1] Firehose delivery streams should be encrypted at rest](datafirehose-controls.md#datafirehose-1) 
+  [[DataSync.2] DataSync tasks should be tagged](datasync-controls.md#datasync-2) 
+  [[Detective.1] Detective behavior graphs should be tagged](detective-controls.md#detective-1) 
+  [[DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled](dms-controls.md#dms-10) 
+  [[DMS.11] DMS endpoints for MongoDB should have an authentication mechanism enabled](dms-controls.md#dms-11) 
+  [[DMS.12] DMS endpoints for Redis OSS should have TLS enabled](dms-controls.md#dms-12) 
+  [[DocumentDB.1] Amazon DocumentDB clusters should be encrypted at rest](documentdb-controls.md#documentdb-1) 
+  [[DocumentDB.2] Amazon DocumentDB clusters should have an adequate backup retention period](documentdb-controls.md#documentdb-2) 
+  [[DocumentDB.3] Amazon DocumentDB manual cluster snapshots should not be public](documentdb-controls.md#documentdb-3) 
+  [[DocumentDB.4] Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs](documentdb-controls.md#documentdb-4) 
+  [[DocumentDB.5] Amazon DocumentDB clusters should have deletion protection enabled](documentdb-controls.md#documentdb-5) 
+  [[DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest](dynamodb-controls.md#dynamodb-3) 
+  [[DynamoDB.4] DynamoDB tables should be present in a backup plan](dynamodb-controls.md#dynamodb-4) 
+  [[DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit](dynamodb-controls.md#dynamodb-7) 
+  [[EC2.20] Both VPN tunnels for an AWS Site-to-Site VPN connection should be up](ec2-controls.md#ec2-20) 
+  [[EC2.22] Unused Amazon EC2 security groups should be removed](ec2-controls.md#ec2-22) 
+  [[EC2.23] Amazon EC2 Transit Gateways should not automatically accept VPC attachment requests](ec2-controls.md#ec2-23) 
+  [[EC2.28] EBS volumes should be covered by a backup plan](ec2-controls.md#ec2-28) 
+  [[EC2.36] EC2 customer gateways should be tagged](ec2-controls.md#ec2-36) 
+  [[EC2.51] EC2 Client VPN endpoints should have client connection logging enabled](ec2-controls.md#ec2-51) 
+  [[EC2.53] EC2 security groups should not allow ingress from 0.0.0.0/0 to remote server administration ports](ec2-controls.md#ec2-53) 
+  [[EC2.54] EC2 security groups should not allow ingress from ::/0 to remote server administration ports](ec2-controls.md#ec2-54) 
+  [[EC2.58] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager Contacts](ec2-controls.md#ec2-58) 
+  [[EC2.60] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager](ec2-controls.md#ec2-60) 
+  [[EC2.171] EC2 VPN connections should have logging enabled](ec2-controls.md#ec2-171) 
+  [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](ec2-controls.md#ec2-173) 
+  [[EC2.174] EC2 DHCP option sets should be tagged](ec2-controls.md#ec2-174) 
+  [[EC2.175] EC2 launch templates should be tagged](ec2-controls.md#ec2-175) 
+  [[EC2.176] EC2 prefix lists should be tagged](ec2-controls.md#ec2-176) 
+  [[EC2.177] EC2 traffic mirror sessions should be tagged](ec2-controls.md#ec2-177) 
+  [[EC2.178] EC2 traffic mirror filters should be tagged](ec2-controls.md#ec2-178) 
+  [[EC2.179] EC2 traffic mirror targets should be tagged](ec2-controls.md#ec2-179) 
+  [[EC2.180] EC2 network interfaces should have source/destination checking enabled](ec2-controls.md#ec2-180) 
+  [[ECR.1] ECR private repositories should have image scanning configured](ecr-controls.md#ecr-1) 
+  [[ECR.4] ECR public repositories should be tagged](ecr-controls.md#ecr-4) 
+  [[EFS.6] EFS mount targets should not be associated with subnets that assign public IP addresses on launch](efs-controls.md#efs-6) 
+  [[EKS.3] EKS clusters should use encrypted Kubernetes secrets](eks-controls.md#eks-3) 
+  [[ELB.2] Classic Load Balancers with SSL/HTTPS listeners should use a certificate provided by AWS Certificate Manager](elb-controls.md#elb-2) 
+  [[ELB.17] Application and Network Load Balancers with listeners should use recommended security policies](elb-controls.md#elb-17) 
+  [[ELB.21] Application and Network Load Balancer target groups should use encrypted health check protocols](elb-controls.md#elb-21) 
+  [[ELB.22] ELB target groups should use encrypted transport protocols](elb-controls.md#elb-22) 
+  [[ElastiCache.1] ElastiCache (Redis OSS) clusters should have automatic backups enabled](elasticache-controls.md#elasticache-1) 
+  [[ElasticBeanstalk.3] Elastic Beanstalk should stream logs to CloudWatch](elasticbeanstalk-controls.md#elasticbeanstalk-3) 
+  [[EMR.2] Amazon EMR block public access setting should be enabled](emr-controls.md#emr-2) 
+  [[EMR.3] Amazon EMR security configurations should be encrypted at rest](emr-controls.md#emr-3) 
+  [[EMR.4] Amazon EMR security configurations should be encrypted in transit](emr-controls.md#emr-4) 
+  [[ES.4] Elasticsearch domain error logging to CloudWatch Logs should be enabled](es-controls.md#es-4) 
+  [[EventBridge.4] EventBridge global endpoints should have event replication enabled](eventbridge-controls.md#eventbridge-4) 
+  [[FraudDetector.1] Amazon Fraud Detector entity types should be tagged](frauddetector-controls.md#frauddetector-1) 
+  [[FraudDetector.2] Amazon Fraud Detector labels should be tagged](frauddetector-controls.md#frauddetector-2) 
+  [[FraudDetector.3] Amazon Fraud Detector outcomes should be tagged](frauddetector-controls.md#frauddetector-3) 
+  [[FraudDetector.4] Amazon Fraud Detector variables should be tagged](frauddetector-controls.md#frauddetector-4) 
+  [[FSx.1] FSx for OpenZFS file systems should be configured to copy tags to backups and volumes](fsx-controls.md#fsx-1) 
+  [[FSx.2] FSx for Lustre file systems should be configured to copy tags to backups](fsx-controls.md#fsx-2) 
+  [[FSx.5] FSx for Windows File Server file systems should be configured for Multi-AZ deployment](fsx-controls.md#fsx-5) 
+  [[GlobalAccelerator.1] Global Accelerator accelerators should be tagged](globalaccelerator-controls.md#globalaccelerator-1) 
+  [[GuardDuty.3] GuardDuty IPSets should be tagged](guardduty-controls.md#guardduty-3) 
+  [[GuardDuty.4] GuardDuty detectors should be tagged](guardduty-controls.md#guardduty-4) 
+  [[GuardDuty.5] GuardDuty EKS Audit Log Monitoring should be enabled](guardduty-controls.md#guardduty-5) 
+  [[GuardDuty.6] GuardDuty Lambda Protection should be enabled](guardduty-controls.md#guardduty-6) 
+  [[GuardDuty.7] GuardDuty EKS Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-7) 
+  [[GuardDuty.8] GuardDuty Malware Protection for EC2 should be enabled](guardduty-controls.md#guardduty-8) 
+  [[GuardDuty.9] GuardDuty RDS Protection should be enabled](guardduty-controls.md#guardduty-9) 
+  [[GuardDuty.10] GuardDuty S3 Protection should be enabled](guardduty-controls.md#guardduty-10) 
+  [[GuardDuty.11] GuardDuty Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-11) 
+  [[GuardDuty.12] GuardDuty ECS Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-12) 
+  [[GuardDuty.13] GuardDuty EC2 Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-13) 
+  [[IAM.6] Hardware MFA should be enabled for the root user](iam-controls.md#iam-6) 
+  [[IAM.9] MFA should be enabled for the root user](iam-controls.md#iam-9) 
+  [[IAM.21] IAM customer managed policies that you create should not allow wildcard actions for services](iam-controls.md#iam-21) 
+  [[IAM.23] IAM Access Analyzer analyzers should be tagged](iam-controls.md#iam-23) 
+  [[IAM.24] IAM roles should be tagged](iam-controls.md#iam-24) 
+  [[IAM.25] IAM users should be tagged](iam-controls.md#iam-25) 
+  [[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed](iam-controls.md#iam-26) 
+  [[IAM.27] IAM identities should not have the AWSCloudShellFullAccess policy attached](iam-controls.md#iam-27) 
+  [[IAM.28] IAM Access Analyzer external access analyzer should be enabled](iam-controls.md#iam-28) 
+  [[Inspector.1] Amazon Inspector EC2 scanning should be enabled](inspector-controls.md#inspector-1) 
+  [[Inspector.2] Amazon Inspector ECR scanning should be enabled](inspector-controls.md#inspector-2) 
+  [[Inspector.3] Amazon Inspector Lambda code scanning should be enabled](inspector-controls.md#inspector-3) 
+  [[Inspector.4] Amazon Inspector Lambda standard scanning should be enabled](inspector-controls.md#inspector-4) 
+  [[IoTEvents.1] AWS IoT Events inputs should be tagged](iotevents-controls.md#iotevents-1) 
+  [[IoTEvents.2] AWS IoT Events detector models should be tagged](iotevents-controls.md#iotevents-2) 
+  [[IoTEvents.3] AWS IoT Events alarm models should be tagged](iotevents-controls.md#iotevents-3) 
+  [[IoTSiteWise.1] AWS IoT SiteWise asset models should be tagged](iotsitewise-controls.md#iotsitewise-1) 
+  [[IoTSiteWise.2] AWS IoT SiteWise dashboards should be tagged](iotsitewise-controls.md#iotsitewise-2) 
+  [[IoTSiteWise.3] AWS IoT SiteWise gateways should be tagged](iotsitewise-controls.md#iotsitewise-3) 
+  [[IoTSiteWise.4] AWS IoT SiteWise portals should be tagged](iotsitewise-controls.md#iotsitewise-4) 
+  [[IoTSiteWise.5] AWS IoT SiteWise projects should be tagged](iotsitewise-controls.md#iotsitewise-5) 
+  [[IoTTwinMaker.1] AWS IoT TwinMaker sync jobs should be tagged](iottwinmaker-controls.md#iottwinmaker-1) 
+  [[IoTTwinMaker.2] AWS IoT TwinMaker workspaces should be tagged](iottwinmaker-controls.md#iottwinmaker-2) 
+  [[IoTTwinMaker.3] AWS IoT TwinMaker scenes should be tagged](iottwinmaker-controls.md#iottwinmaker-3) 
+  [[IoTTwinMaker.4] AWS IoT TwinMaker entities should be tagged](iottwinmaker-controls.md#iottwinmaker-4) 
+  [[IoTWireless.1] AWS IoT Wireless multicast groups should be tagged](iotwireless-controls.md#iotwireless-1) 
+  [[IoTWireless.2] AWS IoT Wireless service profiles should be tagged](iotwireless-controls.md#iotwireless-2) 
+  [[IoTWireless.3] AWS IoT FUOTA tasks should be tagged](iotwireless-controls.md#iotwireless-3) 
+  [[IVS.1] IVS playback key pairs should be tagged](ivs-controls.md#ivs-1) 
+  [[IVS.2] IVS recording configurations should be tagged](ivs-controls.md#ivs-2) 
+  [[IVS.3] IVS channels should be tagged](ivs-controls.md#ivs-3) 
+  [[Keyspaces.1] Amazon Keyspaces keyspaces should be tagged](keyspaces-controls.md#keyspaces-1) 
+  [[Macie.1] Amazon Macie should be enabled](macie-controls.md#macie-1) 
+  [[Macie.2] Macie automated sensitive data discovery should be enabled](macie-controls.md#macie-2) 
+  [[MQ.2] ActiveMQ brokers should stream audit logs to CloudWatch](mq-controls.md#mq-2) 
+  [[MSK.3] MSK Connect connectors should be encrypted in transit](msk-controls.md#msk-3) 
+  [[MSK.5] MSK connectors should have logging enabled](msk-controls.md#msk-5) 
+  [[Neptune.1] Neptune DB clusters should be encrypted at rest](neptune-controls.md#neptune-1) 
+  [[Neptune.2] Neptune DB clusters should publish audit logs to CloudWatch Logs](neptune-controls.md#neptune-2) 
+  [[Neptune.3] Neptune DB cluster snapshots should not be public](neptune-controls.md#neptune-3) 
+  [[Neptune.4] Neptune DB clusters should have deletion protection enabled](neptune-controls.md#neptune-4) 
+  [[Neptune.5] Neptune DB clusters should have automated backups enabled](neptune-controls.md#neptune-5) 
+  [[Neptune.6] Neptune DB cluster snapshots should be encrypted at rest](neptune-controls.md#neptune-6) 
+  [[Neptune.7] Neptune DB clusters should have IAM database authentication enabled](neptune-controls.md#neptune-7) 
+  [[Neptune.8] Neptune DB clusters should be configured to copy tags to snapshots](neptune-controls.md#neptune-8) 
+  [[Neptune.9] Neptune DB clusters should be deployed across multiple Availability Zones](neptune-controls.md#neptune-9) 
+  [[NetworkFirewall.1] Network Firewall firewalls should be deployed across multiple Availability Zones](networkfirewall-controls.md#networkfirewall-1) 
+  [[NetworkFirewall.2] Network Firewall logging should be enabled](networkfirewall-controls.md#networkfirewall-2) 
+  [[NetworkFirewall.3] Network Firewall policies should have at least one rule group associated](networkfirewall-controls.md#networkfirewall-3) 
+  [[NetworkFirewall.4] The default stateless action for Network Firewall policies should be drop or forward for full packets](networkfirewall-controls.md#networkfirewall-4) 
+  [[NetworkFirewall.5] The default stateless action for Network Firewall policies should be drop or forward for fragmented packets](networkfirewall-controls.md#networkfirewall-5) 
+  [[NetworkFirewall.6] Stateless Network Firewall rule group should not be empty](networkfirewall-controls.md#networkfirewall-6) 
+  [[NetworkFirewall.9] Network Firewall firewalls should have deletion protection enabled](networkfirewall-controls.md#networkfirewall-9) 
+  [[NetworkFirewall.10] Network Firewall firewalls should have subnet change protection enabled](networkfirewall-controls.md#networkfirewall-10) 
+  [[Opensearch.1] OpenSearch domains should have encryption at rest enabled](opensearch-controls.md#opensearch-1) 
+  [[Opensearch.2] OpenSearch domains should not be publicly accessible](opensearch-controls.md#opensearch-2) 
+  [[Opensearch.3] OpenSearch domains should encrypt data sent between nodes](opensearch-controls.md#opensearch-3) 
+  [[Opensearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled](opensearch-controls.md#opensearch-4) 
+  [[Opensearch.5] OpenSearch domains should have audit logging enabled](opensearch-controls.md#opensearch-5) 
+  [[Opensearch.6] OpenSearch domains should have at least three data nodes](opensearch-controls.md#opensearch-6) 
+  [[Opensearch.7] OpenSearch domains should have fine-grained access control enabled](opensearch-controls.md#opensearch-7) 
+  [[Opensearch.8] Connections to OpenSearch domains should be encrypted using the latest TLS security policy](opensearch-controls.md#opensearch-8) 
+  [[Opensearch.11] OpenSearch domains should have at least three dedicated primary nodes](opensearch-controls.md#opensearch-11) 
+  [[PCA.1] AWS Private CA root certificate authority should be disabled](pca-controls.md#pca-1) 
+  [[PCA.2] AWS Private CA certificate authorities should be tagged](pca-controls.md#pca-2) 
+  [[RDS.7] RDS clusters should have deletion protection enabled](rds-controls.md#rds-7) 
+  [[RDS.12] IAM authentication should be configured for RDS clusters](rds-controls.md#rds-12) 
+  [[RDS.14] Amazon Aurora clusters should have backtracking enabled](rds-controls.md#rds-14) 
+  [[RDS.15] RDS DB clusters should be configured for multiple Availability Zones](rds-controls.md#rds-15) 
+  [[RDS.16] Aurora DB clusters should be configured to copy tags to DB snapshots](rds-controls.md#rds-16) 
+  [[RDS.24] RDS Database clusters should use a custom administrator username](rds-controls.md#rds-24) 
+  [[RDS.25] RDS database instances should use a custom administrator username](rds-controls.md#rds-25) 
+  [[RDS.26] RDS DB instances should be protected by a backup plan](rds-controls.md#rds-26) 
+  [[RDS.27] RDS DB clusters should be encrypted at rest](rds-controls.md#rds-27) 
+  [[RDS.28] RDS DB clusters should be tagged](rds-controls.md#rds-28) 
+  [[RDS.31] RDS DB security groups should be tagged](rds-controls.md#rds-31) 
+  [[RDS.34] Aurora MySQL DB clusters should publish audit logs to CloudWatch Logs](rds-controls.md#rds-34) 
+  [[RDS.35] RDS DB clusters should have automatic minor version upgrade enabled](rds-controls.md#rds-35) 
+  [[RDS.37] Aurora PostgreSQL DB clusters should publish logs to CloudWatch Logs](rds-controls.md#rds-37) 
+  [[RDS.42] RDS for MariaDB DB instances should publish logs to CloudWatch Logs](rds-controls.md#rds-42) 
+  [[RDS.43] RDS DB proxies should require TLS encryption for connections](rds-controls.md#rds-43) 
+  [[RDS.44] RDS for MariaDB DB instances should be encrypted in transit](rds-controls.md#rds-44) 
+  [[RDS.45] Aurora MySQL DB clusters should have audit logging enabled](rds-controls.md#rds-45) 
+  [[RDS.47] RDS for PostgreSQL DB clusters should be configured to copy tags to DB snapshots](rds-controls.md#rds-47) 
+  [[RDS.48] RDS for MySQL DB clusters should be configured to copy tags to DB snapshots](rds-controls.md#rds-48) 
+  [[RDS.50] RDS DB clusters should have enough backup retention period set](rds-controls.md#rds-50) 
+  [[Redshift.10] Redshift clusters should be encrypted at rest](redshift-controls.md#redshift-10) 
+  [[Redshift.15] Redshift security groups should allow ingress on the cluster port only from restricted origins](redshift-controls.md#redshift-15) 
+  [[Redshift.17] Redshift cluster parameter groups should be tagged](redshift-controls.md#redshift-17) 
+  [[RedshiftServerless.1] Amazon Redshift Serverless workgroups should use enhanced VPC routing](redshiftserverless-controls.md#redshiftserverless-1) 
+  [[RedshiftServerless.2] Connections to Redshift Serverless workgroups should be required to use SSL](redshiftserverless-controls.md#redshiftserverless-2) 
+  [[RedshiftServerless.3] Redshift Serverless workgroups should prohibit public access](redshiftserverless-controls.md#redshiftserverless-3) 
+  [[Route53.1] Route 53 health checks should be tagged](route53-controls.md#route53-1) 
+  [[Route53.2] Route 53 public hosted zones should log DNS queries](route53-controls.md#route53-2) 
+  [[S3.22] S3 general purpose buckets should log object-level write events](s3-controls.md#s3-22) 
+  [[S3.23] S3 general purpose buckets should log object-level read events](s3-controls.md#s3-23) 
+  [[S3.24] S3 Multi-Region Access Points should have block public access settings enabled](s3-controls.md#s3-24) 
+  [[S3.25] S3 directory buckets should have lifecycle configurations](s3-controls.md#s3-25) 
+  [[SageMaker.4] SageMaker endpoint production variants should have an initial instance count greater than 1](sagemaker-controls.md#sagemaker-4) 
+  [[SageMaker.5] SageMaker models should have network isolation enabled](sagemaker-controls.md#sagemaker-5) 
+  [[SageMaker.6] SageMaker app image configurations should be tagged](sagemaker-controls.md#sagemaker-6) 
+  [[SageMaker.7] SageMaker images should be tagged](sagemaker-controls.md#sagemaker-7) 
+  [[SageMaker.9] SageMaker data quality job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-9) 
+  [[SageMaker.10] SageMaker model explainability job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-10) 
+  [[SageMaker.11] SageMaker data quality job definitions should have network isolation enabled](sagemaker-controls.md#sagemaker-11) 
+  [[SageMaker.12] SageMaker model bias job definitions should have network isolation enabled](sagemaker-controls.md#sagemaker-12) 
+  [[SageMaker.13] SageMaker model quality job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-13) 
+  [[SageMaker.14] SageMaker monitoring schedules should have network isolation enabled](sagemaker-controls.md#sagemaker-14) 
+  [[SageMaker.15] SageMaker model bias job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-15) 
+  [[SES.1] SES contact lists should be tagged](ses-controls.md#ses-1) 
+  [[SES.2] SES configuration sets should be tagged](ses-controls.md#ses-2) 
+  [[SES.3] SES configuration sets should have TLS enabled for sending emails](ses-controls.md#ses-3) 
+  [[ServiceCatalog.1] Service Catalog portfolios should be shared within an AWS organization only](servicecatalog-controls.md#servicecatalog-1) 
+  [[SSM.5] SSM documents should be tagged](ssm-controls.md#ssm-5) 
+  [[SSM.6] SSM Automation should have CloudWatch logging enabled](ssm-controls.md#ssm-6) 
+  [[Transfer.2] Transfer Family servers should not use FTP protocol for endpoint connection](transfer-controls.md#transfer-2) 
+  [[Transfer.4] Transfer Family agreements should be tagged](transfer-controls.md#transfer-4) 
+  [[Transfer.5] Transfer Family certificates should be tagged](transfer-controls.md#transfer-5) 
+  [[Transfer.6] Transfer Family connectors should be tagged](transfer-controls.md#transfer-6) 
+  [[Transfer.7] Transfer Family profiles should be tagged](transfer-controls.md#transfer-7) 
+  [[WAF.1] AWS WAF Classic Global Web ACL logging should be enabled](waf-controls.md#waf-1) 
+  [[WAF.3] AWS WAF Classic Regional rule groups should have at least one rule](waf-controls.md#waf-3) 
+  [[WAF.6] AWS WAF Classic global rules should have at least one condition](waf-controls.md#waf-6) 
+  [[WAF.7] AWS WAF Classic global rule groups should have at least one rule](waf-controls.md#waf-7) 
+  [[WAF.8] AWS WAF Classic global web ACLs should have at least one rule or rule group](waf-controls.md#waf-8) 
+  [[WorkSpaces.1] WorkSpaces user volumes should be encrypted at rest](workspaces-controls.md#workspaces-1) 
+  [[WorkSpaces.2] WorkSpaces root volumes should be encrypted at rest](workspaces-controls.md#workspaces-2) 

## China (Ningxia)
<a name="securityhub-control-support-cnnorthwest1"></a>

The following controls are not supported in the China (Ningxia) Region.
+  [[ACM.1] Imported and ACM-issued certificates should be renewed after a specified time period](acm-controls.md#acm-1) 
+  [[ACM.2] RSA certificates managed by ACM should use a key length of at least 2,048 bits](acm-controls.md#acm-2) 
+  [[Account.2] AWS accounts should be part of an AWS Organizations organization](account-controls.md#account-2) 
+  [[APIGateway.2] API Gateway REST API stages should be configured to use SSL certificates for backend authentication](apigateway-controls.md#apigateway-2) 
+  [[APIGateway.10] API Gateway V2 integrations should use HTTPS for private connections](apigateway-controls.md#apigateway-10) 
+  [[Amplify.1] Amplify apps should be tagged](amplify-controls.md#amplify-1) 
+  [[Amplify.2] Amplify branches should be tagged](amplify-controls.md#amplify-2) 
+  [[AppConfig.1] AWS AppConfig applications should be tagged](appconfig-controls.md#appconfig-1) 
+  [[AppConfig.2] AWS AppConfig configuration profiles should be tagged](appconfig-controls.md#appconfig-2) 
+  [[AppConfig.3] AWS AppConfig environments should be tagged](appconfig-controls.md#appconfig-3) 
+  [[AppConfig.4] AWS AppConfig extension associations should be tagged](appconfig-controls.md#appconfig-4) 
+  [[AppFlow.1] Amazon AppFlow flows should be tagged](appflow-controls.md#appflow-1) 
+  [[AppRunner.1] App Runner services should be tagged](apprunner-controls.md#apprunner-1) 
+  [[AppRunner.2] App Runner VPC connectors should be tagged](apprunner-controls.md#apprunner-2) 
+  [[AppSync.1] AWS AppSync API caches should be encrypted at rest](appsync-controls.md#appsync-1) 
+  [[AppSync.6] AWS AppSync API caches should be encrypted in transit](appsync-controls.md#appsync-6) 
+  [[Backup.1] AWS Backup recovery points should be encrypted at rest](backup-controls.md#backup-1) 
+  [[Backup.4] AWS Backup report plans should be tagged](backup-controls.md#backup-4) 
+  [[Batch.1] Batch job queues should be tagged](batch-controls.md#batch-1) 
+  [[Batch.2] Batch scheduling policies should be tagged](batch-controls.md#batch-2) 
+  [[Batch.3] Batch compute environments should be tagged](batch-controls.md#batch-3) 
+  [[Batch.4] Compute resources properties in managed Batch compute environments should be tagged](batch-controls.md#batch-4) 
+  [[CloudFront.1] CloudFront distributions should have a default root object configured](cloudfront-controls.md#cloudfront-1) 
+  [[CloudFront.3] CloudFront distributions should require encryption in transit](cloudfront-controls.md#cloudfront-3) 
+  [[CloudFront.4] CloudFront distributions should have origin failover configured](cloudfront-controls.md#cloudfront-4) 
+  [[CloudFront.5] CloudFront distributions should have logging enabled](cloudfront-controls.md#cloudfront-5) 
+  [[CloudFront.6] CloudFront distributions should have WAF enabled](cloudfront-controls.md#cloudfront-6) 
+  [[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates](cloudfront-controls.md#cloudfront-7) 
+  [[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests](cloudfront-controls.md#cloudfront-8) 
+  [[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins](cloudfront-controls.md#cloudfront-9) 
+  [[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins](cloudfront-controls.md#cloudfront-10) 
+  [[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins](cloudfront-controls.md#cloudfront-12) 
+  [[CloudFront.13] CloudFront distributions should use origin access control](cloudfront-controls.md#cloudfront-13) 
+  [[CloudFront.14] CloudFront distributions should be tagged](cloudfront-controls.md#cloudfront-14) 
+  [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](cloudfront-controls.md#cloudfront-15) 
+  [[CloudFront.16] CloudFront distributions should use origin access control for Lambda function URL origins](cloudfront-controls.md#cloudfront-16) 
+  [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](cloudfront-controls.md#cloudfront-17) 
+  [[CloudTrail.10] CloudTrail Lake event data stores should be encrypted with customer managed AWS KMS keys](cloudtrail-controls.md#cloudtrail-10) 
+  [[CodeArtifact.1] CodeArtifact repositories should be tagged](codeartifact-controls.md#codeartifact-1) 
+  [[CodeGuruProfiler.1] CodeGuru Profiler profiling groups should be tagged](codeguruprofiler-controls.md#codeguruprofiler-1) 
+  [[CodeGuruReviewer.1] CodeGuru Reviewer repository associations should be tagged](codegurureviewer-controls.md#codegurureviewer-1) 
+  [[Cognito.1] Cognito user pools should have threat protection activated with full function enforcement mode for standard authentication](cognito-controls.md#cognito-1) 
+  [[Cognito.2] Cognito identity pools should not allow unauthenticated identities](cognito-controls.md#cognito-2) 
+  [[Cognito.3] Password policies for Cognito user pools should have strong configurations](cognito-controls.md#cognito-3) 
+  [[Cognito.4] Cognito user pools should have threat protection activated with full function enforcement mode for custom authentication](cognito-controls.md#cognito-4) 
+  [[Cognito.5] MFA should be enabled for Cognito user pools](cognito-controls.md#cognito-5) 
+  [[Cognito.6] Cognito user pools should have deletion protection enabled](cognito-controls.md#cognito-6) 
+  [[Connect.1] Amazon Connect Customer Profiles object types should be tagged](connect-controls.md#connect-1) 
+  [[Connect.2] Amazon Connect instances should have CloudWatch logging enabled](connect-controls.md#connect-2) 
+  [[DataFirehose.1] Firehose delivery streams should be encrypted at rest](datafirehose-controls.md#datafirehose-1) 
+  [[DataSync.2] DataSync tasks should be tagged](datasync-controls.md#datasync-2) 
+  [[Detective.1] Detective behavior graphs should be tagged](detective-controls.md#detective-1) 
+  [[DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled](dms-controls.md#dms-10) 
+  [[DMS.11] DMS endpoints for MongoDB should have an authentication mechanism enabled](dms-controls.md#dms-11) 
+  [[DMS.12] DMS endpoints for Redis OSS should have TLS enabled](dms-controls.md#dms-12) 
+  [[DocumentDB.3] Amazon DocumentDB manual cluster snapshots should not be public](documentdb-controls.md#documentdb-3) 
+  [[DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest](dynamodb-controls.md#dynamodb-3) 
+  [[DynamoDB.4] DynamoDB tables should be present in a backup plan](dynamodb-controls.md#dynamodb-4) 
+  [[DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit](dynamodb-controls.md#dynamodb-7) 
+  [[EC2.20] Both VPN tunnels for an AWS Site-to-Site VPN connection should be up](ec2-controls.md#ec2-20) 
+  [[EC2.22] Unused Amazon EC2 security groups should be removed](ec2-controls.md#ec2-22) 
+  [[EC2.23] Amazon EC2 Transit Gateways should not automatically accept VPC attachment requests](ec2-controls.md#ec2-23) 
+  [[EC2.24] Amazon EC2 paravirtual instance types should not be used](ec2-controls.md#ec2-24) 
+  [[EC2.28] EBS volumes should be covered by a backup plan](ec2-controls.md#ec2-28) 
+  [[EC2.36] EC2 customer gateways should be tagged](ec2-controls.md#ec2-36) 
+  [[EC2.50] EC2 VPN gateways should be tagged](ec2-controls.md#ec2-50) 
+  [[EC2.51] EC2 Client VPN endpoints should have client connection logging enabled](ec2-controls.md#ec2-51) 
+  [[EC2.58] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager Contacts](ec2-controls.md#ec2-58) 
+  [[EC2.60] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager](ec2-controls.md#ec2-60) 
+  [[EC2.171] EC2 VPN connections should have logging enabled](ec2-controls.md#ec2-171) 
+  [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](ec2-controls.md#ec2-173) 
+  [[EC2.174] EC2 DHCP option sets should be tagged](ec2-controls.md#ec2-174) 
+  [[EC2.175] EC2 launch templates should be tagged](ec2-controls.md#ec2-175) 
+  [[EC2.176] EC2 prefix lists should be tagged](ec2-controls.md#ec2-176) 
+  [[EC2.177] EC2 traffic mirror sessions should be tagged](ec2-controls.md#ec2-177) 
+  [[EC2.178] EC2 traffic mirror filters should be tagged](ec2-controls.md#ec2-178) 
+  [[EC2.179] EC2 traffic mirror targets should be tagged](ec2-controls.md#ec2-179) 
+  [[ECR.1] ECR private repositories should have image scanning configured](ecr-controls.md#ecr-1) 
+  [[ECR.4] ECR public repositories should be tagged](ecr-controls.md#ecr-4) 
+  [[EFS.3] EFS access points should enforce a root directory](efs-controls.md#efs-3) 
+  [[EFS.4] EFS access points should enforce a user identity](efs-controls.md#efs-4) 
+  [[EFS.6] EFS mount targets should not be associated with subnets that assign public IP addresses on launch](efs-controls.md#efs-6) 
+  [[EKS.3] EKS clusters should use encrypted Kubernetes secrets](eks-controls.md#eks-3) 
+  [[ELB.2] Classic Load Balancers with SSL/HTTPS listeners should use a certificate provided by AWS Certificate Manager](elb-controls.md#elb-2) 
+  [[ELB.17] Application and Network Load Balancers with listeners should use recommended security policies](elb-controls.md#elb-17) 
+  [[ELB.21] Application and Network Load Balancer target groups should use encrypted health check protocols](elb-controls.md#elb-21) 
+  [[ELB.22] ELB target groups should use encrypted transport protocols](elb-controls.md#elb-22) 
+  [[ElastiCache.1] ElastiCache (Redis OSS) clusters should have automatic backups enabled](elasticache-controls.md#elasticache-1) 
+  [[ElasticBeanstalk.3] Elastic Beanstalk should stream logs to CloudWatch](elasticbeanstalk-controls.md#elasticbeanstalk-3) 
+  [[EMR.2] Amazon EMR block public access setting should be enabled](emr-controls.md#emr-2) 
+  [[EMR.3] Amazon EMR security configurations should be encrypted at rest](emr-controls.md#emr-3) 
+  [[EMR.4] Amazon EMR security configurations should be encrypted in transit](emr-controls.md#emr-4) 
+  [[ES.4] Elasticsearch domain error logging to CloudWatch Logs should be enabled](es-controls.md#es-4) 
+  [[EventBridge.4] EventBridge global endpoints should have event replication enabled](eventbridge-controls.md#eventbridge-4) 
+  [[FraudDetector.1] Amazon Fraud Detector entity types should be tagged](frauddetector-controls.md#frauddetector-1) 
+  [[FraudDetector.2] Amazon Fraud Detector labels should be tagged](frauddetector-controls.md#frauddetector-2) 
+  [[FraudDetector.3] Amazon Fraud Detector outcomes should be tagged](frauddetector-controls.md#frauddetector-3) 
+  [[FraudDetector.4] Amazon Fraud Detector variables should be tagged](frauddetector-controls.md#frauddetector-4) 
+  [[FSx.1] FSx for OpenZFS file systems should be configured to copy tags to backups and volumes](fsx-controls.md#fsx-1) 
+  [[FSx.2] FSx for Lustre file systems should be configured to copy tags to backups](fsx-controls.md#fsx-2) 
+  [[FSx.5] FSx for Windows File Server file systems should be configured for Multi-AZ deployment](fsx-controls.md#fsx-5) 
+  [[GlobalAccelerator.1] Global Accelerator accelerators should be tagged](globalaccelerator-controls.md#globalaccelerator-1) 
+  [[Glue.3] AWS Glue machine learning transforms should be encrypted at rest](glue-controls.md#glue-3) 
+  [[GuardDuty.3] GuardDuty IPSets should be tagged](guardduty-controls.md#guardduty-3) 
+  [[GuardDuty.4] GuardDuty detectors should be tagged](guardduty-controls.md#guardduty-4) 
+  [[GuardDuty.5] GuardDuty EKS Audit Log Monitoring should be enabled](guardduty-controls.md#guardduty-5) 
+  [[GuardDuty.6] GuardDuty Lambda Protection should be enabled](guardduty-controls.md#guardduty-6) 
+  [[GuardDuty.7] GuardDuty EKS Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-7) 
+  [[GuardDuty.8] GuardDuty Malware Protection for EC2 should be enabled](guardduty-controls.md#guardduty-8) 
+  [[GuardDuty.9] GuardDuty RDS Protection should be enabled](guardduty-controls.md#guardduty-9) 
+  [[GuardDuty.10] GuardDuty S3 Protection should be enabled](guardduty-controls.md#guardduty-10) 
+  [[GuardDuty.11] GuardDuty Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-11) 
+  [[GuardDuty.12] GuardDuty ECS Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-12) 
+  [[GuardDuty.13] GuardDuty EC2 Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-13) 
+  [[IAM.6] Hardware MFA should be enabled for the root user](iam-controls.md#iam-6) 
+  [[IAM.9] MFA should be enabled for the root user](iam-controls.md#iam-9) 
+  [[IAM.21] IAM customer managed policies that you create should not allow wildcard actions for services](iam-controls.md#iam-21) 
+  [[IAM.23] IAM Access Analyzer analyzers should be tagged](iam-controls.md#iam-23) 
+  [[IAM.24] IAM roles should be tagged](iam-controls.md#iam-24) 
+  [[IAM.25] IAM users should be tagged](iam-controls.md#iam-25) 
+  [[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed](iam-controls.md#iam-26) 
+  [[IAM.27] IAM identities should not have the AWSCloudShellFullAccess policy attached](iam-controls.md#iam-27) 
+  [[IAM.28] IAM Access Analyzer external access analyzer should be enabled](iam-controls.md#iam-28) 
+  [[Inspector.1] Amazon Inspector EC2 scanning should be enabled](inspector-controls.md#inspector-1) 
+  [[Inspector.2] Amazon Inspector ECR scanning should be enabled](inspector-controls.md#inspector-2) 
+  [[Inspector.3] Amazon Inspector Lambda code scanning should be enabled](inspector-controls.md#inspector-3) 
+  [[Inspector.4] Amazon Inspector Lambda standard scanning should be enabled](inspector-controls.md#inspector-4) 
+  [[IoTEvents.1] AWS IoT Events inputs should be tagged](iotevents-controls.md#iotevents-1) 
+  [[IoTEvents.2] AWS IoT Events detector models should be tagged](iotevents-controls.md#iotevents-2) 
+  [[IoTEvents.3] AWS IoT Events alarm models should be tagged](iotevents-controls.md#iotevents-3) 
+  [[IoTSiteWise.1] AWS IoT SiteWise asset models should be tagged](iotsitewise-controls.md#iotsitewise-1) 
+  [[IoTSiteWise.2] AWS IoT SiteWise dashboards should be tagged](iotsitewise-controls.md#iotsitewise-2) 
+  [[IoTSiteWise.3] AWS IoT SiteWise gateways should be tagged](iotsitewise-controls.md#iotsitewise-3) 
+  [[IoTSiteWise.4] AWS IoT SiteWise portals should be tagged](iotsitewise-controls.md#iotsitewise-4) 
+  [[IoTSiteWise.5] AWS IoT SiteWise projects should be tagged](iotsitewise-controls.md#iotsitewise-5) 
+  [[IoTTwinMaker.1] AWS IoT TwinMaker sync jobs should be tagged](iottwinmaker-controls.md#iottwinmaker-1) 
+  [[IoTTwinMaker.2] AWS IoT TwinMaker workspaces should be tagged](iottwinmaker-controls.md#iottwinmaker-2) 
+  [[IoTTwinMaker.3] AWS IoT TwinMaker scenes should be tagged](iottwinmaker-controls.md#iottwinmaker-3) 
+  [[IoTTwinMaker.4] AWS IoT TwinMaker entities should be tagged](iottwinmaker-controls.md#iottwinmaker-4) 
+  [[IoTWireless.1] AWS IoT Wireless multicast groups should be tagged](iotwireless-controls.md#iotwireless-1) 
+  [[IoTWireless.2] AWS IoT Wireless service profiles should be tagged](iotwireless-controls.md#iotwireless-2) 
+  [[IoTWireless.3] AWS IoT FUOTA tasks should be tagged](iotwireless-controls.md#iotwireless-3) 
+  [[IVS.1] IVS playback key pairs should be tagged](ivs-controls.md#ivs-1) 
+  [[IVS.2] IVS recording configurations should be tagged](ivs-controls.md#ivs-2) 
+  [[IVS.3] IVS channels should be tagged](ivs-controls.md#ivs-3) 
+  [[Keyspaces.1] Amazon Keyspaces keyspaces should be tagged](keyspaces-controls.md#keyspaces-1) 
+  [[Lambda.1] Lambda function policies should prohibit public access](lambda-controls.md#lambda-1) 
+  [[Lambda.2] Lambda functions should use supported runtimes](lambda-controls.md#lambda-2) 
+  [[Lambda.3] Lambda functions should be in a VPC](lambda-controls.md#lambda-3) 
+  [[Lambda.5] VPC Lambda functions should operate in multiple Availability Zones](lambda-controls.md#lambda-5) 
+  [[Lambda.6] Lambda functions should be tagged](lambda-controls.md#lambda-6) 
+  [[Lambda.7] Lambda functions should have AWS X-Ray active tracing enabled](lambda-controls.md#lambda-7) 
+  [[Macie.1] Amazon Macie should be enabled](macie-controls.md#macie-1) 
+  [[Macie.2] Macie automated sensitive data discovery should be enabled](macie-controls.md#macie-2) 
+  [[MQ.2] ActiveMQ brokers should stream audit logs to CloudWatch](mq-controls.md#mq-2) 
+  [[MSK.3] MSK Connect connectors should be encrypted in transit](msk-controls.md#msk-3) 
+  [[MSK.5] MSK connectors should have logging enabled](msk-controls.md#msk-5) 
+  [[Neptune.3] Neptune DB cluster snapshots should not be public](neptune-controls.md#neptune-3) 
+  [[NetworkFirewall.1] Network Firewall firewalls should be deployed across multiple Availability Zones](networkfirewall-controls.md#networkfirewall-1) 
+  [[NetworkFirewall.2] Network Firewall logging should be enabled](networkfirewall-controls.md#networkfirewall-2) 
+  [[NetworkFirewall.3] Network Firewall policies should have at least one rule group associated](networkfirewall-controls.md#networkfirewall-3) 
+  [[NetworkFirewall.4] The default stateless action for Network Firewall policies should be drop or forward for full packets](networkfirewall-controls.md#networkfirewall-4) 
+  [[NetworkFirewall.5] The default stateless action for Network Firewall policies should be drop or forward for fragmented packets](networkfirewall-controls.md#networkfirewall-5) 
+  [[NetworkFirewall.6] Stateless Network Firewall rule group should not be empty](networkfirewall-controls.md#networkfirewall-6) 
+  [[NetworkFirewall.9] Network Firewall firewalls should have deletion protection enabled](networkfirewall-controls.md#networkfirewall-9) 
+  [[NetworkFirewall.10] Network Firewall firewalls should have subnet change protection enabled](networkfirewall-controls.md#networkfirewall-10) 
+  [[Opensearch.1] OpenSearch domains should have encryption at rest enabled](opensearch-controls.md#opensearch-1) 
+  [[Opensearch.2] OpenSearch domains should not be publicly accessible](opensearch-controls.md#opensearch-2) 
+  [[Opensearch.3] OpenSearch domains should encrypt data sent between nodes](opensearch-controls.md#opensearch-3) 
+  [[Opensearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled](opensearch-controls.md#opensearch-4) 
+  [[Opensearch.5] OpenSearch domains should have audit logging enabled](opensearch-controls.md#opensearch-5) 
+  [[Opensearch.6] OpenSearch domains should have at least three data nodes](opensearch-controls.md#opensearch-6) 
+  [[Opensearch.7] OpenSearch domains should have fine-grained access control enabled](opensearch-controls.md#opensearch-7) 
+  [[Opensearch.8] Connections to OpenSearch domains should be encrypted using the latest TLS security policy](opensearch-controls.md#opensearch-8) 
+  [[Opensearch.11] OpenSearch domains should have at least three dedicated primary nodes](opensearch-controls.md#opensearch-11) 
+  [[PCA.1] AWS Private CA root certificate authority should be disabled](pca-controls.md#pca-1) 
+  [[PCA.2] AWS Private CA certificate authorities should be tagged](pca-controls.md#pca-2) 
+  [[RDS.14] Amazon Aurora clusters should have backtracking enabled](rds-controls.md#rds-14) 
+  [[RDS.24] RDS Database clusters should use a custom administrator username](rds-controls.md#rds-24) 
+  [[RDS.25] RDS database instances should use a custom administrator username](rds-controls.md#rds-25) 
+  [[RDS.26] RDS DB instances should be protected by a backup plan](rds-controls.md#rds-26) 
+  [[RDS.31] RDS DB security groups should be tagged](rds-controls.md#rds-31) 
+  [[RDS.34] Aurora MySQL DB clusters should publish audit logs to CloudWatch Logs](rds-controls.md#rds-34) 
+  [[RDS.35] RDS DB clusters should have automatic minor version upgrade enabled](rds-controls.md#rds-35) 
+  [[RDS.42] RDS for MariaDB DB instances should publish logs to CloudWatch Logs](rds-controls.md#rds-42) 
+  [[RDS.43] RDS DB proxies should require TLS encryption for connections](rds-controls.md#rds-43) 
+  [[RDS.44] RDS for MariaDB DB instances should be encrypted in transit](rds-controls.md#rds-44) 
+  [[RDS.45] Aurora MySQL DB clusters should have audit logging enabled](rds-controls.md#rds-45) 
+  [[RDS.50] RDS DB clusters should have enough backup retention period set](rds-controls.md#rds-50) 
+  [[Redshift.10] Redshift clusters should be encrypted at rest](redshift-controls.md#redshift-10) 
+  [[Redshift.15] Redshift security groups should allow ingress on the cluster port only from restricted origins](redshift-controls.md#redshift-15) 
+  [[Redshift.17] Redshift cluster parameter groups should be tagged](redshift-controls.md#redshift-17) 
+  [[RedshiftServerless.1] Amazon Redshift Serverless workgroups should use enhanced VPC routing](redshiftserverless-controls.md#redshiftserverless-1) 
+  [[RedshiftServerless.2] Connections to Redshift Serverless workgroups should be required to use SSL](redshiftserverless-controls.md#redshiftserverless-2) 
+  [[RedshiftServerless.3] Redshift Serverless workgroups should prohibit public access](redshiftserverless-controls.md#redshiftserverless-3) 
+  [[Route53.1] Route 53 health checks should be tagged](route53-controls.md#route53-1) 
+  [[Route53.2] Route 53 public hosted zones should log DNS queries](route53-controls.md#route53-2) 
+  [[S3.24] S3 Multi-Region Access Points should have block public access settings enabled](s3-controls.md#s3-24) 
+  [[S3.25] S3 directory buckets should have lifecycle configurations](s3-controls.md#s3-25) 
+  [[SageMaker.4] SageMaker endpoint production variants should have an initial instance count greater than 1](sagemaker-controls.md#sagemaker-4) 
+  [[SageMaker.5] SageMaker models should have network isolation enabled](sagemaker-controls.md#sagemaker-5) 
+  [[SageMaker.6] SageMaker app image configurations should be tagged](sagemaker-controls.md#sagemaker-6) 
+  [[SageMaker.7] SageMaker images should be tagged](sagemaker-controls.md#sagemaker-7) 
+  [[SageMaker.9] SageMaker data quality job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-9) 
+  [[SageMaker.10] SageMaker model explainability job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-10) 
+  [[SageMaker.11] SageMaker data quality job definitions should have network isolation enabled](sagemaker-controls.md#sagemaker-11) 
+  [[SageMaker.12] SageMaker model bias job definitions should have network isolation enabled](sagemaker-controls.md#sagemaker-12) 
+  [[SageMaker.13] SageMaker model quality job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-13) 
+  [[SageMaker.14] SageMaker monitoring schedules should have network isolation enabled](sagemaker-controls.md#sagemaker-14) 
+  [[SageMaker.15] SageMaker model bias job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-15) 
+  [[SES.3] SES configuration sets should have TLS enabled for sending emails](ses-controls.md#ses-3) 
+  [[ServiceCatalog.1] Service Catalog portfolios should be shared within an AWS organization only](servicecatalog-controls.md#servicecatalog-1) 
+  [[SSM.5] SSM documents should be tagged](ssm-controls.md#ssm-5) 
+  [[SSM.7] SSM documents should have the block public sharing setting enabled](ssm-controls.md#ssm-7) 
+  [[StepFunctions.2] Step Functions activities should be tagged](stepfunctions-controls.md#stepfunctions-2) 
+  [[Transfer.2] Transfer Family servers should not use FTP protocol for endpoint connection](transfer-controls.md#transfer-2) 
+  [[Transfer.4] Transfer Family agreements should be tagged](transfer-controls.md#transfer-4) 
+  [[Transfer.5] Transfer Family certificates should be tagged](transfer-controls.md#transfer-5) 
+  [[Transfer.6] Transfer Family connectors should be tagged](transfer-controls.md#transfer-6) 
+  [[Transfer.7] Transfer Family profiles should be tagged](transfer-controls.md#transfer-7) 
+  [[WAF.1] AWS WAF Classic Global Web ACL logging should be enabled](waf-controls.md#waf-1) 
+  [[WAF.3] AWS WAF Classic Regional rule groups should have at least one rule](waf-controls.md#waf-3) 
+  [[WAF.6] AWS WAF Classic global rules should have at least one condition](waf-controls.md#waf-6) 
+  [[WAF.7] AWS WAF Classic global rule groups should have at least one rule](waf-controls.md#waf-7) 
+  [[WAF.8] AWS WAF Classic global web ACLs should have at least one rule or rule group](waf-controls.md#waf-8) 

## Europe (Frankfurt)
<a name="securityhub-control-support-eucentral1"></a>

The following controls are not supported in the Europe (Frankfurt) Region.
+  [[CloudFront.1] CloudFront distributions should have a default root object configured](cloudfront-controls.md#cloudfront-1) 
+  [[CloudFront.3] CloudFront distributions should require encryption in transit](cloudfront-controls.md#cloudfront-3) 
+  [[CloudFront.4] CloudFront distributions should have origin failover configured](cloudfront-controls.md#cloudfront-4) 
+  [[CloudFront.5] CloudFront distributions should have logging enabled](cloudfront-controls.md#cloudfront-5) 
+  [[CloudFront.6] CloudFront distributions should have WAF enabled](cloudfront-controls.md#cloudfront-6) 
+  [[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates](cloudfront-controls.md#cloudfront-7) 
+  [[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests](cloudfront-controls.md#cloudfront-8) 
+  [[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins](cloudfront-controls.md#cloudfront-9) 
+  [[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins](cloudfront-controls.md#cloudfront-10) 
+  [[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins](cloudfront-controls.md#cloudfront-12) 
+  [[CloudFront.13] CloudFront distributions should use origin access control](cloudfront-controls.md#cloudfront-13) 
+  [[CloudFront.14] CloudFront distributions should be tagged](cloudfront-controls.md#cloudfront-14) 
+  [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](cloudfront-controls.md#cloudfront-15) 
+  [[CloudFront.16] CloudFront distributions should use origin access control for Lambda function URL origins](cloudfront-controls.md#cloudfront-16) 
+  [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](cloudfront-controls.md#cloudfront-17) 
+  [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](ec2-controls.md#ec2-173) 
+  [[ECR.4] ECR public repositories should be tagged](ecr-controls.md#ecr-4) 
+  [[FraudDetector.1] Amazon Fraud Detector entity types should be tagged](frauddetector-controls.md#frauddetector-1) 
+  [[FraudDetector.2] Amazon Fraud Detector labels should be tagged](frauddetector-controls.md#frauddetector-2) 
+  [[FraudDetector.3] Amazon Fraud Detector outcomes should be tagged](frauddetector-controls.md#frauddetector-3) 
+  [[FraudDetector.4] Amazon Fraud Detector variables should be tagged](frauddetector-controls.md#frauddetector-4) 
+  [[GlobalAccelerator.1] Global Accelerator accelerators should be tagged](globalaccelerator-controls.md#globalaccelerator-1) 
+  [[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed](iam-controls.md#iam-26) 
+  [[RDS.31] RDS DB security groups should be tagged](rds-controls.md#rds-31) 
+  [[Route53.1] Route 53 health checks should be tagged](route53-controls.md#route53-1) 
+  [[Route53.2] Route 53 public hosted zones should log DNS queries](route53-controls.md#route53-2) 
+  [[S3.24] S3 Multi-Region Access Points should have block public access settings enabled](s3-controls.md#s3-24) 
+  [[S3.25] S3 directory buckets should have lifecycle configurations](s3-controls.md#s3-25) 
+  [[WAF.1] AWS WAF Classic Global Web ACL logging should be enabled](waf-controls.md#waf-1) 
+  [[WAF.6] AWS WAF Classic global rules should have at least one condition](waf-controls.md#waf-6) 
+  [[WAF.7] AWS WAF Classic global rule groups should have at least one rule](waf-controls.md#waf-7) 
+  [[WAF.8] AWS WAF Classic global web ACLs should have at least one rule or rule group](waf-controls.md#waf-8) 
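A practical consequence of these per-Region lists: a control that is not supported in a Region generates no finding there, so after cross-Region aggregation the absence of a FAILED finding for such a control is not evidence of compliance. The script below is an added example, not code from the Security Hub documentation or from AWS. It compares per-Region control availability and marks unsupported controls as NOT_ASSESSED in a compliance summary rather than leaving them silently absent. The `SAMPLE_RESPONSES` data is constructed to mirror the shape of the `ListSecurityControlDefinitions` API response (`SecurityControlId`, `CurrentRegionAvailability`); the Region/control combinations in it are illustrative only, and the optional `fetch_definitions()` helper, which needs boto3, credentials and network access, is the assumed way to obtain real data.

```python
"""Added example (not AWS documentation code): find controls that Security
Hub CSPM cannot evaluate in some Regions and keep them visible as
NOT_ASSESSED in an aggregated compliance view."""
from typing import Dict, List, Set

# Constructed sample data shaped like the ListSecurityControlDefinitions
# API response. Which controls are AVAILABLE where is illustrative only;
# use fetch_definitions() to get the real answer for your account.
SAMPLE_RESPONSES: Dict[str, dict] = {
    "us-east-1": {"SecurityControlDefinitions": [
        {"SecurityControlId": "CloudFront.1", "CurrentRegionAvailability": "AVAILABLE"},
        {"SecurityControlId": "IAM.26", "CurrentRegionAvailability": "AVAILABLE"},
        {"SecurityControlId": "S3.24", "CurrentRegionAvailability": "AVAILABLE"},
        {"SecurityControlId": "EC2.22", "CurrentRegionAvailability": "AVAILABLE"},
    ]},
    "eu-central-1": {"SecurityControlDefinitions": [
        {"SecurityControlId": "CloudFront.1", "CurrentRegionAvailability": "UNAVAILABLE"},
        {"SecurityControlId": "IAM.26", "CurrentRegionAvailability": "UNAVAILABLE"},
        {"SecurityControlId": "S3.24", "CurrentRegionAvailability": "UNAVAILABLE"},
        {"SecurityControlId": "EC2.22", "CurrentRegionAvailability": "AVAILABLE"},
    ]},
}


def fetch_definitions(region: str) -> dict:
    """Pull all control definitions for one Region with boto3, following
    NextToken. Needs credentials and network; not used by the offline path."""
    import boto3  # imported lazily so the offline sample needs no SDK

    client = boto3.client("securityhub", region_name=region)
    definitions: List[dict] = []
    kwargs: dict = {}
    while True:
        page = client.list_security_control_definitions(**kwargs)
        definitions.extend(page.get("SecurityControlDefinitions", []))
        token = page.get("NextToken")
        if not token:
            break
        kwargs["NextToken"] = token
    return {"SecurityControlDefinitions": definitions}


def available_controls(response: dict) -> Set[str]:
    """IDs of the controls marked AVAILABLE in one Region's response."""
    return {
        d["SecurityControlId"]
        for d in response.get("SecurityControlDefinitions", [])
        if d.get("CurrentRegionAvailability") == "AVAILABLE"
    }


def coverage_gaps(responses: Dict[str, dict]) -> Dict[str, List[str]]:
    """For each Region, the controls that are available in at least one
    other Region but not in this one (sorted for stable output)."""
    per_region = {r: available_controls(resp) for r, resp in responses.items()}
    everywhere: Set[str] = set().union(*per_region.values())
    return {r: sorted(everywhere - avail) for r, avail in per_region.items()}


def annotate_summary(summary: Dict[str, Dict[str, str]],
                     gaps: Dict[str, List[str]]) -> Dict[str, Dict[str, str]]:
    """Copy a {region: {control: status}} summary and record NOT_ASSESSED
    for every gap control that has no status, so a missing finding is never
    mistaken for a pass. Existing statuses are left untouched."""
    out = {region: dict(statuses) for region, statuses in summary.items()}
    for region, missing in gaps.items():
        statuses = out.setdefault(region, {})
        for control in missing:
            statuses.setdefault(control, "NOT_ASSESSED")
    return out


if __name__ == "__main__":
    gaps = coverage_gaps(SAMPLE_RESPONSES)
    for region, missing in gaps.items():
        print(f"{region}: {len(missing)} control(s) unavailable: {missing}")
    # Constructed summary such as one built from aggregated findings.
    summary = {"eu-central-1": {"EC2.22": "PASSED"},
               "us-east-1": {"EC2.22": "FAILED", "S3.24": "PASSED"}}
    print(annotate_summary(summary, gaps))
```

To run it against an account, replace `SAMPLE_RESPONSES` with `{r: fetch_definitions(r) for r in regions}` for the Regions you link through cross-Region aggregation. Controls reported as NOT_ASSESSED need a compensating check in that Region, or an explicit acceptance; they should not count toward a compliance percentage.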

## Europe (Ireland)
<a name="securityhub-control-support-euwest1"></a>

The following controls are not supported in the Europe (Ireland) Region.
+  [[AppSync.1] AWS AppSync API caches should be encrypted at rest](appsync-controls.md#appsync-1) 
+  [[AppSync.6] AWS AppSync API caches should be encrypted in transit](appsync-controls.md#appsync-6) 
+  [[CloudFront.1] CloudFront distributions should have a default root object configured](cloudfront-controls.md#cloudfront-1) 
+  [[CloudFront.3] CloudFront distributions should require encryption in transit](cloudfront-controls.md#cloudfront-3) 
+  [[CloudFront.4] CloudFront distributions should have origin failover configured](cloudfront-controls.md#cloudfront-4) 
+  [[CloudFront.5] CloudFront distributions should have logging enabled](cloudfront-controls.md#cloudfront-5) 
+  [[CloudFront.6] CloudFront distributions should have WAF enabled](cloudfront-controls.md#cloudfront-6) 
+  [[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates](cloudfront-controls.md#cloudfront-7) 
+  [[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests](cloudfront-controls.md#cloudfront-8) 
+  [[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins](cloudfront-controls.md#cloudfront-9) 
+  [[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins](cloudfront-controls.md#cloudfront-10) 
+  [[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins](cloudfront-controls.md#cloudfront-12) 
+  [[CloudFront.13] CloudFront distributions should use origin access control](cloudfront-controls.md#cloudfront-13) 
+  [[CloudFront.14] CloudFront distributions should be tagged](cloudfront-controls.md#cloudfront-14) 
+  [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](cloudfront-controls.md#cloudfront-15) 
+  [[CloudFront.16] CloudFront distributions should use origin access control for Lambda function URL origins](cloudfront-controls.md#cloudfront-16) 
+  [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](cloudfront-controls.md#cloudfront-17) 
+  [[Connect.1] Amazon Connect Customer Profiles object types should be tagged](connect-controls.md#connect-1) 
+  [[Connect.2] Amazon Connect instances should have CloudWatch logging enabled](connect-controls.md#connect-2) 
+  [[ECR.4] ECR public repositories should be tagged](ecr-controls.md#ecr-4) 
+  [[GlobalAccelerator.1] Global Accelerator accelerators should be tagged](globalaccelerator-controls.md#globalaccelerator-1) 
+  [[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed](iam-controls.md#iam-26) 
+  [[Route53.1] Route 53 health checks should be tagged](route53-controls.md#route53-1) 
+  [[Route53.2] Route 53 public hosted zones should log DNS queries](route53-controls.md#route53-2) 
+  [[S3.24] S3 Multi-Region Access Points should have block public access settings enabled](s3-controls.md#s3-24) 
+  [[WAF.1] AWS WAF Classic Global Web ACL logging should be enabled](waf-controls.md#waf-1) 
+  [[WAF.6] AWS WAF Classic global rules should have at least one condition](waf-controls.md#waf-6) 
+  [[WAF.7] AWS WAF Classic global rule groups should have at least one rule](waf-controls.md#waf-7) 
+  [[WAF.8] AWS WAF Classic global web ACLs should have at least one rule or rule group](waf-controls.md#waf-8) 

## Europe (London)
<a name="securityhub-control-support-euwest2"></a>

The following controls are not supported in the Europe (London) Region.
+  [[AppRunner.2] App Runner VPC connectors should be tagged](apprunner-controls.md#apprunner-2) 
+  [[AppSync.1] AWS AppSync API caches should be encrypted at rest](appsync-controls.md#appsync-1) 
+  [[AppSync.6] AWS AppSync API caches should be encrypted in transit](appsync-controls.md#appsync-6) 
+  [[CloudFront.1] CloudFront distributions should have a default root object configured](cloudfront-controls.md#cloudfront-1) 
+  [[CloudFront.3] CloudFront distributions should require encryption in transit](cloudfront-controls.md#cloudfront-3) 
+  [[CloudFront.4] CloudFront distributions should have origin failover configured](cloudfront-controls.md#cloudfront-4) 
+  [[CloudFront.5] CloudFront distributions should have logging enabled](cloudfront-controls.md#cloudfront-5) 
+  [[CloudFront.6] CloudFront distributions should have WAF enabled](cloudfront-controls.md#cloudfront-6) 
+  [[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates](cloudfront-controls.md#cloudfront-7) 
+  [[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests](cloudfront-controls.md#cloudfront-8) 
+  [[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins](cloudfront-controls.md#cloudfront-9) 
+  [[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins](cloudfront-controls.md#cloudfront-10) 
+  [[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins](cloudfront-controls.md#cloudfront-12) 
+  [[CloudFront.13] CloudFront distributions should use origin access control](cloudfront-controls.md#cloudfront-13) 
+  [[CloudFront.14] CloudFront distributions should be tagged](cloudfront-controls.md#cloudfront-14) 
+  [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](cloudfront-controls.md#cloudfront-15) 
+  [[CloudFront.16] CloudFront distributions should use origin access control for Lambda function URL origins](cloudfront-controls.md#cloudfront-16) 
+  [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](cloudfront-controls.md#cloudfront-17) 
+  [[EC2.24] Amazon EC2 paravirtual instance types should not be used](ec2-controls.md#ec2-24) 
+  [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](ec2-controls.md#ec2-173) 
+  [[ECR.4] ECR public repositories should be tagged](ecr-controls.md#ecr-4) 
+  [[FraudDetector.1] Amazon Fraud Detector entity types should be tagged](frauddetector-controls.md#frauddetector-1) 
+  [[FraudDetector.2] Amazon Fraud Detector labels should be tagged](frauddetector-controls.md#frauddetector-2) 
+  [[FraudDetector.3] Amazon Fraud Detector outcomes should be tagged](frauddetector-controls.md#frauddetector-3) 
+  [[FraudDetector.4] Amazon Fraud Detector variables should be tagged](frauddetector-controls.md#frauddetector-4) 
+  [[GlobalAccelerator.1] Global Accelerator accelerators should be tagged](globalaccelerator-controls.md#globalaccelerator-1) 
+  [[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed](iam-controls.md#iam-26) 
+  [[IoTSiteWise.1] AWS IoT SiteWise asset models should be tagged](iotsitewise-controls.md#iotsitewise-1) 
+  [[IoTSiteWise.2] AWS IoT SiteWise dashboards should be tagged](iotsitewise-controls.md#iotsitewise-2) 
+  [[IoTSiteWise.3] AWS IoT SiteWise gateways should be tagged](iotsitewise-controls.md#iotsitewise-3) 
+  [[IoTSiteWise.4] AWS IoT SiteWise portals should be tagged](iotsitewise-controls.md#iotsitewise-4) 
+  [[IoTSiteWise.5] AWS IoT SiteWise projects should be tagged](iotsitewise-controls.md#iotsitewise-5) 
+  [[IoTTwinMaker.1] AWS IoT TwinMaker sync jobs should be tagged](iottwinmaker-controls.md#iottwinmaker-1) 
+  [[IoTTwinMaker.2] AWS IoT TwinMaker workspaces should be tagged](iottwinmaker-controls.md#iottwinmaker-2) 
+  [[IoTTwinMaker.3] AWS IoT TwinMaker scenes should be tagged](iottwinmaker-controls.md#iottwinmaker-3) 
+  [[IoTTwinMaker.4] AWS IoT TwinMaker entities should be tagged](iottwinmaker-controls.md#iottwinmaker-4) 
+  [[IoTWireless.1] AWS IoT Wireless multicast groups should be tagged](iotwireless-controls.md#iotwireless-1) 
+  [[IoTWireless.2] AWS IoT Wireless service profiles should be tagged](iotwireless-controls.md#iotwireless-2) 
+  [[IoTWireless.3] AWS IoT FUOTA tasks should be tagged](iotwireless-controls.md#iotwireless-3) 
+  [[IVS.1] IVS playback key pairs should be tagged](ivs-controls.md#ivs-1) 
+  [[IVS.2] IVS recording configurations should be tagged](ivs-controls.md#ivs-2) 
+  [[IVS.3] IVS channels should be tagged](ivs-controls.md#ivs-3) 
+  [[RDS.31] RDS DB security groups should be tagged](rds-controls.md#rds-31) 
+  [[Route53.1] Route 53 health checks should be tagged](route53-controls.md#route53-1) 
+  [[Route53.2] Route 53 public hosted zones should log DNS queries](route53-controls.md#route53-2) 
+  [[S3.24] S3 Multi-Region Access Points should have block public access settings enabled](s3-controls.md#s3-24) 
+  [[S3.25] S3 directory buckets should have lifecycle configurations](s3-controls.md#s3-25) 
+  [[WAF.1] AWS WAF Classic Global Web ACL logging should be enabled](waf-controls.md#waf-1) 
+  [[WAF.6] AWS WAF Classic global rules should have at least one condition](waf-controls.md#waf-6) 
+  [[WAF.7] AWS WAF Classic global rule groups should have at least one rule](waf-controls.md#waf-7) 
+  [[WAF.8] AWS WAF Classic global web ACLs should have at least one rule or rule group](waf-controls.md#waf-8) 

## Europe (Milan)
<a name="securityhub-control-support-eusouth1"></a>

The following controls are not supported in the Europe (Milan) Region.
+  [[AppFlow.1] Amazon AppFlow flows should be tagged](appflow-controls.md#appflow-1) 
+  [[AppRunner.1] App Runner services should be tagged](apprunner-controls.md#apprunner-1) 
+  [[AppRunner.2] App Runner VPC connectors should be tagged](apprunner-controls.md#apprunner-2) 
+  [[AppSync.1] AWS AppSync API caches should be encrypted at rest](appsync-controls.md#appsync-1) 
+  [[AppSync.6] AWS AppSync API caches should be encrypted in transit](appsync-controls.md#appsync-6) 
+  [[CloudFront.1] CloudFront distributions should have a default root object configured](cloudfront-controls.md#cloudfront-1) 
+  [[CloudFront.3] CloudFront distributions should require encryption in transit](cloudfront-controls.md#cloudfront-3) 
+  [[CloudFront.4] CloudFront distributions should have origin failover configured](cloudfront-controls.md#cloudfront-4) 
+  [[CloudFront.5] CloudFront distributions should have logging enabled](cloudfront-controls.md#cloudfront-5) 
+  [[CloudFront.6] CloudFront distributions should have WAF enabled](cloudfront-controls.md#cloudfront-6) 
+  [[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates](cloudfront-controls.md#cloudfront-7) 
+  [[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests](cloudfront-controls.md#cloudfront-8) 
+  [[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins](cloudfront-controls.md#cloudfront-9) 
+  [[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins](cloudfront-controls.md#cloudfront-10) 
+  [[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins](cloudfront-controls.md#cloudfront-12) 
+  [[CloudFront.13] CloudFront distributions should use origin access control](cloudfront-controls.md#cloudfront-13) 
+  [[CloudFront.14] CloudFront distributions should be tagged](cloudfront-controls.md#cloudfront-14) 
+  [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](cloudfront-controls.md#cloudfront-15) 
+  [[CloudFront.16] CloudFront distributions should use origin access control for Lambda function URL origins](cloudfront-controls.md#cloudfront-16) 
+  [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](cloudfront-controls.md#cloudfront-17) 
+  [[CodeGuruProfiler.1] CodeGuru Profiler profiling groups should be tagged](codeguruprofiler-controls.md#codeguruprofiler-1) 
+  [[CodeGuruReviewer.1] CodeGuru Reviewer repository associations should be tagged](codegurureviewer-controls.md#codegurureviewer-1) 
+  [[Connect.1] Amazon Connect Customer Profiles object types should be tagged](connect-controls.md#connect-1) 
+  [[Connect.2] Amazon Connect instances should have CloudWatch logging enabled](connect-controls.md#connect-2) 
+  [[DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled](dms-controls.md#dms-10) 
+  [[DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest](dynamodb-controls.md#dynamodb-3) 
+  [[DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit](dynamodb-controls.md#dynamodb-7) 
+  [[EC2.4] Stopped EC2 instances should be removed after a specified time period](ec2-controls.md#ec2-4) 
+  [[EC2.14] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 3389](ec2-controls.md#ec2-14) 
+  [[EC2.24] Amazon EC2 paravirtual instance types should not be used](ec2-controls.md#ec2-24) 
+  [[EC2.58] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager Contacts](ec2-controls.md#ec2-58) 
+  [[EC2.60] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager](ec2-controls.md#ec2-60) 
+  [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](ec2-controls.md#ec2-173) 
+  [[EC2.177] EC2 traffic mirror sessions should be tagged](ec2-controls.md#ec2-177) 
+  [[ECR.4] ECR public repositories should be tagged](ecr-controls.md#ecr-4) 
+  [[ELB.2] Classic Load Balancers with SSL/HTTPS listeners should use a certificate provided by AWS Certificate Manager](elb-controls.md#elb-2) 
+  [[EventBridge.4] EventBridge global endpoints should have event replication enabled](eventbridge-controls.md#eventbridge-4) 
+  [[FraudDetector.1] Amazon Fraud Detector entity types should be tagged](frauddetector-controls.md#frauddetector-1) 
+  [[FraudDetector.2] Amazon Fraud Detector labels should be tagged](frauddetector-controls.md#frauddetector-2) 
+  [[FraudDetector.3] Amazon Fraud Detector outcomes should be tagged](frauddetector-controls.md#frauddetector-3) 
+  [[FraudDetector.4] Amazon Fraud Detector variables should be tagged](frauddetector-controls.md#frauddetector-4) 
+  [[GlobalAccelerator.1] Global Accelerator accelerators should be tagged](globalaccelerator-controls.md#globalaccelerator-1) 
+  [[IAM.18] Ensure a support role has been created to manage incidents with AWS Support](iam-controls.md#iam-18) 
+  [[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed](iam-controls.md#iam-26) 
+  [[Inspector.3] Amazon Inspector Lambda code scanning should be enabled](inspector-controls.md#inspector-3) 
+  [[IoT.1] AWS IoT Device Defender security profiles should be tagged](iot-controls.md#iot-1) 
+  [[IoT.2] AWS IoT Core mitigation actions should be tagged](iot-controls.md#iot-2) 
+  [[IoT.3] AWS IoT Core dimensions should be tagged](iot-controls.md#iot-3) 
+  [[IoT.4] AWS IoT Core authorizers should be tagged](iot-controls.md#iot-4) 
+  [[IoT.5] AWS IoT Core role aliases should be tagged](iot-controls.md#iot-5) 
+  [[IoT.6] AWS IoT Core policies should be tagged](iot-controls.md#iot-6) 
+  [[IoTEvents.1] AWS IoT Events inputs should be tagged](iotevents-controls.md#iotevents-1) 
+  [[IoTEvents.2] AWS IoT Events detector models should be tagged](iotevents-controls.md#iotevents-2) 
+  [[IoTEvents.3] AWS IoT Events alarm models should be tagged](iotevents-controls.md#iotevents-3) 
+  [[IoTSiteWise.1] AWS IoT SiteWise asset models should be tagged](iotsitewise-controls.md#iotsitewise-1) 
+  [[IoTSiteWise.2] AWS IoT SiteWise dashboards should be tagged](iotsitewise-controls.md#iotsitewise-2) 
+  [[IoTSiteWise.3] AWS IoT SiteWise gateways should be tagged](iotsitewise-controls.md#iotsitewise-3) 
+  [[IoTSiteWise.4] AWS IoT SiteWise portals should be tagged](iotsitewise-controls.md#iotsitewise-4) 
+  [[IoTSiteWise.5] AWS IoT SiteWise projects should be tagged](iotsitewise-controls.md#iotsitewise-5) 
+  [[IoTTwinMaker.1] AWS IoT TwinMaker sync jobs should be tagged](iottwinmaker-controls.md#iottwinmaker-1) 
+  [[IoTTwinMaker.2] AWS IoT TwinMaker workspaces should be tagged](iottwinmaker-controls.md#iottwinmaker-2) 
+  [[IoTTwinMaker.3] AWS IoT TwinMaker scenes should be tagged](iottwinmaker-controls.md#iottwinmaker-3) 
+  [[IoTTwinMaker.4] AWS IoT TwinMaker entities should be tagged](iottwinmaker-controls.md#iottwinmaker-4) 
+  [[IoTWireless.1] AWS IoT Wireless multicast groups should be tagged](iotwireless-controls.md#iotwireless-1) 
+  [[IoTWireless.2] AWS IoT Wireless service profiles should be tagged](iotwireless-controls.md#iotwireless-2) 
+  [[IoTWireless.3] AWS IoT FUOTA tasks should be tagged](iotwireless-controls.md#iotwireless-3) 
+  [[IVS.1] IVS playback key pairs should be tagged](ivs-controls.md#ivs-1) 
+  [[IVS.2] IVS recording configurations should be tagged](ivs-controls.md#ivs-2) 
+  [[IVS.3] IVS channels should be tagged](ivs-controls.md#ivs-3) 
+  [[Keyspaces.1] Amazon Keyspaces keyspaces should be tagged](keyspaces-controls.md#keyspaces-1) 
+  [[MSK.3] MSK Connect connectors should be encrypted in transit](msk-controls.md#msk-3) 
+  [[MSK.5] MSK connectors should have logging enabled](msk-controls.md#msk-5) 
+  [[Neptune.1] Neptune DB clusters should be encrypted at rest](neptune-controls.md#neptune-1) 
+  [[Neptune.2] Neptune DB clusters should publish audit logs to CloudWatch Logs](neptune-controls.md#neptune-2) 
+  [[Neptune.3] Neptune DB cluster snapshots should not be public](neptune-controls.md#neptune-3) 
+  [[Neptune.4] Neptune DB clusters should have deletion protection enabled](neptune-controls.md#neptune-4) 
+  [[Neptune.5] Neptune DB clusters should have automated backups enabled](neptune-controls.md#neptune-5) 
+  [[Neptune.6] Neptune DB cluster snapshots should be encrypted at rest](neptune-controls.md#neptune-6) 
+  [[Neptune.7] Neptune DB clusters should have IAM database authentication enabled](neptune-controls.md#neptune-7) 
+  [[Neptune.8] Neptune DB clusters should be configured to copy tags to snapshots](neptune-controls.md#neptune-8) 
+  [[Neptune.9] Neptune DB clusters should be deployed across multiple Availability Zones](neptune-controls.md#neptune-9) 
+  [[RDS.1] RDS snapshot should be private](rds-controls.md#rds-1) 
+  [[RDS.14] Amazon Aurora clusters should have backtracking enabled](rds-controls.md#rds-14) 
+  [[RDS.31] RDS DB security groups should be tagged](rds-controls.md#rds-31) 
+  [[RedshiftServerless.1] Amazon Redshift Serverless workgroups should use enhanced VPC routing](redshiftserverless-controls.md#redshiftserverless-1) 
+  [[RedshiftServerless.2] Connections to Redshift Serverless workgroups should be required to use SSL](redshiftserverless-controls.md#redshiftserverless-2) 
+  [[RedshiftServerless.3] Redshift Serverless workgroups should prohibit public access](redshiftserverless-controls.md#redshiftserverless-3) 
+  [[RedshiftServerless.4] Redshift Serverless namespaces should be encrypted with customer managed AWS KMS keys](redshiftserverless-controls.md#redshiftserverless-4) 
+  [[RedshiftServerless.5] Redshift Serverless namespaces should not use the default admin username](redshiftserverless-controls.md#redshiftserverless-5) 
+  [[RedshiftServerless.6] Redshift Serverless namespaces should export logs to CloudWatch Logs](redshiftserverless-controls.md#redshiftserverless-6) 
+  [[Route53.1] Route 53 health checks should be tagged](route53-controls.md#route53-1) 
+  [[Route53.2] Route 53 public hosted zones should log DNS queries](route53-controls.md#route53-2) 
+  [[S3.24] S3 Multi-Region Access Points should have block public access settings enabled](s3-controls.md#s3-24) 
+  [[S3.25] S3 directory buckets should have lifecycle configurations](s3-controls.md#s3-25) 
+  [[SageMaker.9] SageMaker data quality job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-9) 
+  [[SageMaker.10] SageMaker model explainability job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-10) 
+  [[SageMaker.11] SageMaker data quality job definitions should have network isolation enabled](sagemaker-controls.md#sagemaker-11) 
+  [[SageMaker.12] SageMaker model bias job definitions should have network isolation enabled](sagemaker-controls.md#sagemaker-12) 
+  [[SageMaker.13] SageMaker model quality job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-13) 
+  [[SageMaker.14] SageMaker monitoring schedules should have network isolation enabled](sagemaker-controls.md#sagemaker-14) 
+  [[SageMaker.15] SageMaker model bias job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-15) 
+  [[SSM.2] Amazon EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation](ssm-controls.md#ssm-2) 
+  [[WAF.1] AWS WAF Classic Global Web ACL logging should be enabled](waf-controls.md#waf-1) 
+  [[WAF.6] AWS WAF Classic global rules should have at least one condition](waf-controls.md#waf-6) 
+  [[WAF.7] AWS WAF Classic global rule groups should have at least one rule](waf-controls.md#waf-7) 
+  [[WAF.8] AWS WAF Classic global web ACLs should have at least one rule or rule group](waf-controls.md#waf-8) 
+  [[WorkSpaces.1] WorkSpaces user volumes should be encrypted at rest](workspaces-controls.md#workspaces-1) 
+  [[WorkSpaces.2] WorkSpaces root volumes should be encrypted at rest](workspaces-controls.md#workspaces-2) 

## Europe (Paris)
<a name="securityhub-control-support-euwest3"></a>

The following controls are not supported in the Europe (Paris) Region.
+  [[AppSync.1] AWS AppSync API caches should be encrypted at rest](appsync-controls.md#appsync-1) 
+  [[AppSync.6] AWS AppSync API caches should be encrypted in transit](appsync-controls.md#appsync-6) 
+  [[CloudFront.1] CloudFront distributions should have a default root object configured](cloudfront-controls.md#cloudfront-1) 
+  [[CloudFront.3] CloudFront distributions should require encryption in transit](cloudfront-controls.md#cloudfront-3) 
+  [[CloudFront.4] CloudFront distributions should have origin failover configured](cloudfront-controls.md#cloudfront-4) 
+  [[CloudFront.5] CloudFront distributions should have logging enabled](cloudfront-controls.md#cloudfront-5) 
+  [[CloudFront.6] CloudFront distributions should have WAF enabled](cloudfront-controls.md#cloudfront-6) 
+  [[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates](cloudfront-controls.md#cloudfront-7) 
+  [[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests](cloudfront-controls.md#cloudfront-8) 
+  [[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins](cloudfront-controls.md#cloudfront-9) 
+  [[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins](cloudfront-controls.md#cloudfront-10) 
+  [[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins](cloudfront-controls.md#cloudfront-12) 
+  [[CloudFront.13] CloudFront distributions should use origin access control](cloudfront-controls.md#cloudfront-13) 
+  [[CloudFront.14] CloudFront distributions should be tagged](cloudfront-controls.md#cloudfront-14) 
+  [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](cloudfront-controls.md#cloudfront-15) 
+  [[CloudFront.16] CloudFront distributions should use origin access control for Lambda function URL origins](cloudfront-controls.md#cloudfront-16) 
+  [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](cloudfront-controls.md#cloudfront-17) 
+  [[CodeGuruProfiler.1] CodeGuru Profiler profiling groups should be tagged](codeguruprofiler-controls.md#codeguruprofiler-1) 
+  [[CodeGuruReviewer.1] CodeGuru Reviewer repository associations should be tagged](codegurureviewer-controls.md#codegurureviewer-1) 
+  [[Connect.1] Amazon Connect Customer Profiles object types should be tagged](connect-controls.md#connect-1) 
+  [[Connect.2] Amazon Connect instances should have CloudWatch logging enabled](connect-controls.md#connect-2) 
+  [[DMS.13] DMS replication instances should be configured to use multiple Availability Zones](dms-controls.md#dms-13) 
+  [[EC2.24] Amazon EC2 paravirtual instance types should not be used](ec2-controls.md#ec2-24) 
+  [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](ec2-controls.md#ec2-173) 
+  [[ECR.4] ECR public repositories should be tagged](ecr-controls.md#ecr-4) 
+  [[FraudDetector.1] Amazon Fraud Detector entity types should be tagged](frauddetector-controls.md#frauddetector-1) 
+  [[FraudDetector.2] Amazon Fraud Detector labels should be tagged](frauddetector-controls.md#frauddetector-2) 
+  [[FraudDetector.3] Amazon Fraud Detector outcomes should be tagged](frauddetector-controls.md#frauddetector-3) 
+  [[FraudDetector.4] Amazon Fraud Detector variables should be tagged](frauddetector-controls.md#frauddetector-4) 
+  [[FSx.5] FSx for Windows File Server file systems should be configured for Multi-AZ deployment](fsx-controls.md#fsx-5) 
+  [[GlobalAccelerator.1] Global Accelerator accelerators should be tagged](globalaccelerator-controls.md#globalaccelerator-1) 
+  [[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed](iam-controls.md#iam-26) 
+  [[Inspector.3] Amazon Inspector Lambda code scanning should be enabled](inspector-controls.md#inspector-3) 
+  [[IoTEvents.1] AWS IoT Events inputs should be tagged](iotevents-controls.md#iotevents-1) 
+  [[IoTEvents.2] AWS IoT Events detector models should be tagged](iotevents-controls.md#iotevents-2) 
+  [[IoTEvents.3] AWS IoT Events alarm models should be tagged](iotevents-controls.md#iotevents-3) 
+  [[IoTSiteWise.1] AWS IoT SiteWise asset models should be tagged](iotsitewise-controls.md#iotsitewise-1) 
+  [[IoTSiteWise.2] AWS IoT SiteWise dashboards should be tagged](iotsitewise-controls.md#iotsitewise-2) 
+  [[IoTSiteWise.3] AWS IoT SiteWise gateways should be tagged](iotsitewise-controls.md#iotsitewise-3) 
+  [[IoTSiteWise.4] AWS IoT SiteWise portals should be tagged](iotsitewise-controls.md#iotsitewise-4) 
+  [[IoTSiteWise.5] AWS IoT SiteWise projects should be tagged](iotsitewise-controls.md#iotsitewise-5) 
+  [[IoTTwinMaker.1] AWS IoT TwinMaker sync jobs should be tagged](iottwinmaker-controls.md#iottwinmaker-1) 
+  [[IoTTwinMaker.2] AWS IoT TwinMaker workspaces should be tagged](iottwinmaker-controls.md#iottwinmaker-2) 
+  [[IoTTwinMaker.3] AWS IoT TwinMaker scenes should be tagged](iottwinmaker-controls.md#iottwinmaker-3) 
+  [[IoTTwinMaker.4] AWS IoT TwinMaker entities should be tagged](iottwinmaker-controls.md#iottwinmaker-4) 
+  [[IoTWireless.1] AWS IoT Wireless multicast groups should be tagged](iotwireless-controls.md#iotwireless-1) 
+  [[IoTWireless.2] AWS IoT Wireless service profiles should be tagged](iotwireless-controls.md#iotwireless-2) 
+  [[IoTWireless.3] AWS IoT FUOTA tasks should be tagged](iotwireless-controls.md#iotwireless-3) 
+  [[IVS.1] IVS playback key pairs should be tagged](ivs-controls.md#ivs-1) 
+  [[IVS.2] IVS recording configurations should be tagged](ivs-controls.md#ivs-2) 
+  [[IVS.3] IVS channels should be tagged](ivs-controls.md#ivs-3) 
+  [[RDS.31] RDS DB security groups should be tagged](rds-controls.md#rds-31) 
+  [[Route53.1] Route 53 health checks should be tagged](route53-controls.md#route53-1) 
+  [[Route53.2] Route 53 public hosted zones should log DNS queries](route53-controls.md#route53-2) 
+  [[S3.24] S3 Multi-Region Access Points should have block public access settings enabled](s3-controls.md#s3-24) 
+  [[S3.25] S3 directory buckets should have lifecycle configurations](s3-controls.md#s3-25) 
+  [[WAF.1] AWS WAF Classic Global Web ACL logging should be enabled](waf-controls.md#waf-1) 
+  [[WAF.6] AWS WAF Classic global rules should have at least one condition](waf-controls.md#waf-6) 
+  [[WAF.7] AWS WAF Classic global rule groups should have at least one rule](waf-controls.md#waf-7) 
+  [[WAF.8] AWS WAF Classic global web ACLs should have at least one rule or rule group](waf-controls.md#waf-8) 
+  [[WorkSpaces.1] WorkSpaces user volumes should be encrypted at rest](workspaces-controls.md#workspaces-1) 
+  [[WorkSpaces.2] WorkSpaces root volumes should be encrypted at rest](workspaces-controls.md#workspaces-2) 

## Europe (Spain)
<a name="securityhub-control-support-eusouth2"></a>

The following controls are not supported in the Europe (Spain) Region.
+  [[Account.2] AWS accounts should be part of an AWS Organizations organization](account-controls.md#account-2) 
+  [[APIGateway.8] API Gateway routes should specify an authorization type](apigateway-controls.md#apigateway-8) 
+  [[APIGateway.9] Access logging should be configured for API Gateway V2 Stages](apigateway-controls.md#apigateway-9) 
+  [[Amplify.1] Amplify apps should be tagged](amplify-controls.md#amplify-1) 
+  [[Amplify.2] Amplify branches should be tagged](amplify-controls.md#amplify-2) 
+  [[AppConfig.1] AWS AppConfig applications should be tagged](appconfig-controls.md#appconfig-1) 
+  [[AppConfig.2] AWS AppConfig configuration profiles should be tagged](appconfig-controls.md#appconfig-2) 
+  [[AppConfig.3] AWS AppConfig environments should be tagged](appconfig-controls.md#appconfig-3) 
+  [[AppFlow.1] Amazon AppFlow flows should be tagged](appflow-controls.md#appflow-1) 
+  [[AppRunner.1] App Runner services should be tagged](apprunner-controls.md#apprunner-1) 
+  [[AppRunner.2] App Runner VPC connectors should be tagged](apprunner-controls.md#apprunner-2) 
+  [[AppSync.1] AWS AppSync API caches should be encrypted at rest](appsync-controls.md#appsync-1) 
+  [[AppSync.6] AWS AppSync API caches should be encrypted in transit](appsync-controls.md#appsync-6) 
+  [[Backup.1] AWS Backup recovery points should be encrypted at rest](backup-controls.md#backup-1) 
+  [[CloudFormation.3] CloudFormation stacks should have termination protection enabled](cloudformation-controls.md#cloudformation-3) 
+  [[CloudFormation.4] CloudFormation stacks should have associated service roles](cloudformation-controls.md#cloudformation-4) 
+  [[CloudFront.1] CloudFront distributions should have a default root object configured](cloudfront-controls.md#cloudfront-1) 
+  [[CloudFront.3] CloudFront distributions should require encryption in transit](cloudfront-controls.md#cloudfront-3) 
+  [[CloudFront.4] CloudFront distributions should have origin failover configured](cloudfront-controls.md#cloudfront-4) 
+  [[CloudFront.5] CloudFront distributions should have logging enabled](cloudfront-controls.md#cloudfront-5) 
+  [[CloudFront.6] CloudFront distributions should have WAF enabled](cloudfront-controls.md#cloudfront-6) 
+  [[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates](cloudfront-controls.md#cloudfront-7) 
+  [[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests](cloudfront-controls.md#cloudfront-8) 
+  [[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins](cloudfront-controls.md#cloudfront-9) 
+  [[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins](cloudfront-controls.md#cloudfront-10) 
+  [[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins](cloudfront-controls.md#cloudfront-12) 
+  [[CloudFront.13] CloudFront distributions should use origin access control](cloudfront-controls.md#cloudfront-13) 
+  [[CloudFront.14] CloudFront distributions should be tagged](cloudfront-controls.md#cloudfront-14) 
+  [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](cloudfront-controls.md#cloudfront-15) 
+  [[CloudFront.16] CloudFront distributions should use origin access control for Lambda function URL origins](cloudfront-controls.md#cloudfront-16) 
+  [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](cloudfront-controls.md#cloudfront-17) 
+  [[CodeArtifact.1] CodeArtifact repositories should be tagged](codeartifact-controls.md#codeartifact-1) 
+  [[CodeGuruProfiler.1] CodeGuru Profiler profiling groups should be tagged](codeguruprofiler-controls.md#codeguruprofiler-1) 
+  [[CodeGuruReviewer.1] CodeGuru Reviewer repository associations should be tagged](codegurureviewer-controls.md#codegurureviewer-1) 
+  [[Cognito.1] Cognito user pools should have threat protection activated with full function enforcement mode for standard authentication](cognito-controls.md#cognito-1) 
+  [[Cognito.2] Cognito identity pools should not allow unauthenticated identities](cognito-controls.md#cognito-2) 
+  [[Connect.1] Amazon Connect Customer Profiles object types should be tagged](connect-controls.md#connect-1) 
+  [[Connect.2] Amazon Connect instances should have CloudWatch logging enabled](connect-controls.md#connect-2) 
+  [[Detective.1] Detective behavior graphs should be tagged](detective-controls.md#detective-1) 
+  [[DMS.2] DMS certificates should be tagged](dms-controls.md#dms-2) 
+  [[DMS.3] DMS event subscriptions should be tagged](dms-controls.md#dms-3) 
+  [[DMS.4] DMS replication instances should be tagged](dms-controls.md#dms-4) 
+  [[DMS.5] DMS replication subnet groups should be tagged](dms-controls.md#dms-5) 
+  [[DMS.6] DMS replication instances should have automatic minor version upgrade enabled](dms-controls.md#dms-6) 
+  [[DMS.7] DMS replication tasks for the target database should have logging enabled](dms-controls.md#dms-7) 
+  [[DMS.8] DMS replication tasks for the source database should have logging enabled](dms-controls.md#dms-8) 
+  [[DMS.9] DMS endpoints should use SSL](dms-controls.md#dms-9) 
+  [[DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled](dms-controls.md#dms-10) 
+  [[DMS.11] DMS endpoints for MongoDB should have an authentication mechanism enabled](dms-controls.md#dms-11) 
+  [[DMS.12] DMS endpoints for Redis OSS should have TLS enabled](dms-controls.md#dms-12) 
+  [[DMS.13] DMS replication instances should be configured to use multiple Availability Zones](dms-controls.md#dms-13) 
+  [[DocumentDB.1] Amazon DocumentDB clusters should be encrypted at rest](documentdb-controls.md#documentdb-1) 
+  [[DocumentDB.2] Amazon DocumentDB clusters should have an adequate backup retention period](documentdb-controls.md#documentdb-2) 
+  [[DocumentDB.3] Amazon DocumentDB manual cluster snapshots should not be public](documentdb-controls.md#documentdb-3) 
+  [[DocumentDB.4] Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs](documentdb-controls.md#documentdb-4) 
+  [[DocumentDB.5] Amazon DocumentDB clusters should have deletion protection enabled](documentdb-controls.md#documentdb-5) 
+  [[DocumentDB.6] Amazon DocumentDB clusters should be encrypted in transit](documentdb-controls.md#documentdb-6) 
+  [[DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest](dynamodb-controls.md#dynamodb-3) 
+  [[DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit](dynamodb-controls.md#dynamodb-7) 
+  [[EC2.1] Amazon EBS snapshots should not be configured to be publicly restorable](ec2-controls.md#ec2-1) 
+  [[EC2.4] Stopped EC2 instances should be removed after a specified time period](ec2-controls.md#ec2-4) 
+  [[EC2.14] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 3389](ec2-controls.md#ec2-14) 
+  [[EC2.22] Unused Amazon EC2 security groups should be removed](ec2-controls.md#ec2-22) 
+  [[EC2.24] Amazon EC2 paravirtual instance types should not be used](ec2-controls.md#ec2-24) 
+  [[EC2.25] Amazon EC2 launch templates should not assign public IPs to network interfaces](ec2-controls.md#ec2-25) 
+  [[EC2.34] EC2 transit gateway route tables should be tagged](ec2-controls.md#ec2-34) 
+  [[EC2.40] EC2 NAT gateways should be tagged](ec2-controls.md#ec2-40) 
+  [[EC2.51] EC2 Client VPN endpoints should have client connection logging enabled](ec2-controls.md#ec2-51) 
+  [[EC2.58] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager Contacts](ec2-controls.md#ec2-58) 
+  [[EC2.60] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager](ec2-controls.md#ec2-60) 
+  [[EC2.170] EC2 launch templates should use Instance Metadata Service Version 2 (IMDSv2)](ec2-controls.md#ec2-170) 
+  [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](ec2-controls.md#ec2-173) 
+  [[EC2.175] EC2 launch templates should be tagged](ec2-controls.md#ec2-175) 
+  [[EC2.177] EC2 traffic mirror sessions should be tagged](ec2-controls.md#ec2-177) 
+  [[EC2.179] EC2 traffic mirror targets should be tagged](ec2-controls.md#ec2-179) 
+  [[EC2.180] EC2 network interfaces should have source/destination checking enabled](ec2-controls.md#ec2-180) 
+  [[EC2.181] EC2 launch templates should enable encryption for attached EBS volumes](ec2-controls.md#ec2-181) 
+  [[ECR.4] ECR public repositories should be tagged](ecr-controls.md#ecr-4) 
+  [[EFS.1] Elastic File System should be configured to encrypt file data at-rest using AWS KMS](efs-controls.md#efs-1) 
+  [[EFS.2] Amazon EFS volumes should be in backup plans](efs-controls.md#efs-2) 
+  [[ELB.2] Classic Load Balancers with SSL/HTTPS listeners should use a certificate provided by AWS Certificate Manager](elb-controls.md#elb-2) 
+  [[ELB.14] Classic Load Balancer should be configured with defensive or strictest desync mitigation mode](elb-controls.md#elb-14) 
+  [[ELB.17] Application and Network Load Balancers with listeners should use recommended security policies](elb-controls.md#elb-17) 
+  [[ELB.18] Application and Network Load Balancer listeners should use secure protocols to encrypt data in transit](elb-controls.md#elb-18) 
+  [[ElastiCache.1] ElastiCache (Redis OSS) clusters should have automatic backups enabled](elasticache-controls.md#elasticache-1) 
+  [[ElastiCache.6] ElastiCache (Redis OSS) replication groups of earlier versions should have Redis OSS AUTH enabled](elasticache-controls.md#elasticache-6) 
+  [[ElastiCache.7] ElastiCache clusters should not use the default subnet group](elasticache-controls.md#elasticache-7) 
+  [[ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled](elasticbeanstalk-controls.md#elasticbeanstalk-1) 
+  [[ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled](elasticbeanstalk-controls.md#elasticbeanstalk-2) 
+  [[ElasticBeanstalk.3] Elastic Beanstalk should stream logs to CloudWatch](elasticbeanstalk-controls.md#elasticbeanstalk-3) 
+  [[EMR.1] Amazon EMR cluster primary nodes should not have public IP addresses](emr-controls.md#emr-1) 
+  [[ES.4] Elasticsearch domain error logging to CloudWatch Logs should be enabled](es-controls.md#es-4) 
+  [[EventBridge.4] EventBridge global endpoints should have event replication enabled](eventbridge-controls.md#eventbridge-4) 
+  [[FraudDetector.1] Amazon Fraud Detector entity types should be tagged](frauddetector-controls.md#frauddetector-1) 
+  [[FraudDetector.2] Amazon Fraud Detector labels should be tagged](frauddetector-controls.md#frauddetector-2) 
+  [[FraudDetector.3] Amazon Fraud Detector outcomes should be tagged](frauddetector-controls.md#frauddetector-3) 
+  [[FraudDetector.4] Amazon Fraud Detector variables should be tagged](frauddetector-controls.md#frauddetector-4) 
+  [[GlobalAccelerator.1] Global Accelerator accelerators should be tagged](globalaccelerator-controls.md#globalaccelerator-1) 
+  [[Glue.4] AWS Glue Spark jobs should run on supported versions of AWS Glue](glue-controls.md#glue-4) 
+  [[GuardDuty.2] GuardDuty filters should be tagged](guardduty-controls.md#guardduty-2) 
+  [[IAM.1] IAM policies should not allow full "\*" administrative privileges](iam-controls.md#iam-1) 
+  [[IAM.2] IAM users should not have IAM policies attached](iam-controls.md#iam-2) 
+  [[IAM.3] IAM users' access keys should be rotated every 90 days or less](iam-controls.md#iam-3) 
+  [[IAM.4] IAM root user access key should not exist](iam-controls.md#iam-4) 
+  [[IAM.5] MFA should be enabled for all IAM users that have a console password](iam-controls.md#iam-5) 
+  [[IAM.8] Unused IAM user credentials should be removed](iam-controls.md#iam-8) 
+  [[IAM.18] Ensure a support role has been created to manage incidents with AWS Support](iam-controls.md#iam-18) 
+  [[IAM.19] MFA should be enabled for all IAM users](iam-controls.md#iam-19) 
+  [[IAM.21] IAM customer managed policies that you create should not allow wildcard actions for services](iam-controls.md#iam-21) 
+  [[IAM.22] IAM user credentials unused for 45 days should be removed](iam-controls.md#iam-22) 
+  [[IAM.24] IAM roles should be tagged](iam-controls.md#iam-24) 
+  [[IAM.25] IAM users should be tagged](iam-controls.md#iam-25) 
+  [[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed](iam-controls.md#iam-26) 
+  [[IAM.27] IAM identities should not have the AWSCloudShellFullAccess policy attached](iam-controls.md#iam-27) 
+  [[Inspector.1] Amazon Inspector EC2 scanning should be enabled](inspector-controls.md#inspector-1) 
+  [[Inspector.2] Amazon Inspector ECR scanning should be enabled](inspector-controls.md#inspector-2) 
+  [[Inspector.3] Amazon Inspector Lambda code scanning should be enabled](inspector-controls.md#inspector-3) 
+  [[Inspector.4] Amazon Inspector Lambda standard scanning should be enabled](inspector-controls.md#inspector-4) 
+  [[IoTEvents.1] AWS IoT Events inputs should be tagged](iotevents-controls.md#iotevents-1) 
+  [[IoTEvents.2] AWS IoT Events detector models should be tagged](iotevents-controls.md#iotevents-2) 
+  [[IoTEvents.3] AWS IoT Events alarm models should be tagged](iotevents-controls.md#iotevents-3) 
+  [[IoTSiteWise.1] AWS IoT SiteWise asset models should be tagged](iotsitewise-controls.md#iotsitewise-1) 
+  [[IoTSiteWise.2] AWS IoT SiteWise dashboards should be tagged](iotsitewise-controls.md#iotsitewise-2) 
+  [[IoTSiteWise.3] AWS IoT SiteWise gateways should be tagged](iotsitewise-controls.md#iotsitewise-3) 
+  [[IoTSiteWise.4] AWS IoT SiteWise portals should be tagged](iotsitewise-controls.md#iotsitewise-4) 
+  [[IoTSiteWise.5] AWS IoT SiteWise projects should be tagged](iotsitewise-controls.md#iotsitewise-5) 
+  [[IoTTwinMaker.1] AWS IoT TwinMaker sync jobs should be tagged](iottwinmaker-controls.md#iottwinmaker-1) 
+  [[IoTTwinMaker.2] AWS IoT TwinMaker workspaces should be tagged](iottwinmaker-controls.md#iottwinmaker-2) 
+  [[IoTTwinMaker.3] AWS IoT TwinMaker scenes should be tagged](iottwinmaker-controls.md#iottwinmaker-3) 
+  [[IoTTwinMaker.4] AWS IoT TwinMaker entities should be tagged](iottwinmaker-controls.md#iottwinmaker-4) 
+  [[IoTWireless.1] AWS IoT Wireless multicast groups should be tagged](iotwireless-controls.md#iotwireless-1) 
+  [[IoTWireless.2] AWS IoT Wireless service profiles should be tagged](iotwireless-controls.md#iotwireless-2) 
+  [[IoTWireless.3] AWS IoT FUOTA tasks should be tagged](iotwireless-controls.md#iotwireless-3) 
+  [[IVS.1] IVS playback key pairs should be tagged](ivs-controls.md#ivs-1) 
+  [[IVS.2] IVS recording configurations should be tagged](ivs-controls.md#ivs-2) 
+  [[IVS.3] IVS channels should be tagged](ivs-controls.md#ivs-3) 
+  [[Keyspaces.1] Amazon Keyspaces keyspaces should be tagged](keyspaces-controls.md#keyspaces-1) 
+  [[KMS.1] IAM customer managed policies should not allow decryption actions on all KMS keys](kms-controls.md#kms-1) 
+  [[KMS.2] IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys](kms-controls.md#kms-2) 
+  [[Lambda.1] Lambda function policies should prohibit public access](lambda-controls.md#lambda-1) 
+  [[Lambda.7] Lambda functions should have AWS X-Ray active tracing enabled](lambda-controls.md#lambda-7) 
+  [[Macie.1] Amazon Macie should be enabled](macie-controls.md#macie-1) 
+  [[Macie.2] Macie automated sensitive data discovery should be enabled](macie-controls.md#macie-2) 
+  [[MQ.2] ActiveMQ brokers should stream audit logs to CloudWatch](mq-controls.md#mq-2) 
+  [[MQ.4] Amazon MQ brokers should be tagged](mq-controls.md#mq-4) 
+  [[MQ.5] ActiveMQ brokers should use active/standby deployment mode](mq-controls.md#mq-5) 
+  [[MQ.6] RabbitMQ brokers should use cluster deployment mode](mq-controls.md#mq-6) 
+  [[MSK.3] MSK Connect connectors should be encrypted in transit](msk-controls.md#msk-3) 
+  [[MSK.4] MSK clusters should have public access disabled](msk-controls.md#msk-4) 
+  [[MSK.5] MSK connectors should have logging enabled](msk-controls.md#msk-5) 
+  [[MSK.6] MSK clusters should disable unauthenticated access](msk-controls.md#msk-6) 
+  [[Neptune.1] Neptune DB clusters should be encrypted at rest](neptune-controls.md#neptune-1) 
+  [[Neptune.2] Neptune DB clusters should publish audit logs to CloudWatch Logs](neptune-controls.md#neptune-2) 
+  [[Neptune.3] Neptune DB cluster snapshots should not be public](neptune-controls.md#neptune-3) 
+  [[Neptune.4] Neptune DB clusters should have deletion protection enabled](neptune-controls.md#neptune-4) 
+  [[Neptune.5] Neptune DB clusters should have automated backups enabled](neptune-controls.md#neptune-5) 
+  [[Neptune.6] Neptune DB cluster snapshots should be encrypted at rest](neptune-controls.md#neptune-6) 
+  [[Neptune.7] Neptune DB clusters should have IAM database authentication enabled](neptune-controls.md#neptune-7) 
+  [[Neptune.8] Neptune DB clusters should be configured to copy tags to snapshots](neptune-controls.md#neptune-8) 
+  [[Neptune.9] Neptune DB clusters should be deployed across multiple Availability Zones](neptune-controls.md#neptune-9) 
+  [[Opensearch.1] OpenSearch domains should have encryption at rest enabled](opensearch-controls.md#opensearch-1) 
+  [[Opensearch.2] OpenSearch domains should not be publicly accessible](opensearch-controls.md#opensearch-2) 
+  [[Opensearch.3] OpenSearch domains should encrypt data sent between nodes](opensearch-controls.md#opensearch-3) 
+  [[Opensearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled](opensearch-controls.md#opensearch-4) 
+  [[Opensearch.5] OpenSearch domains should have audit logging enabled](opensearch-controls.md#opensearch-5) 
+  [[Opensearch.6] OpenSearch domains should have at least three data nodes](opensearch-controls.md#opensearch-6) 
+  [[Opensearch.7] OpenSearch domains should have fine-grained access control enabled](opensearch-controls.md#opensearch-7) 
+  [[Opensearch.8] Connections to OpenSearch domains should be encrypted using the latest TLS security policy](opensearch-controls.md#opensearch-8) 
+  [[Opensearch.9] OpenSearch domains should be tagged](opensearch-controls.md#opensearch-9) 
+  [[Opensearch.10] OpenSearch domains should have the latest software update installed](opensearch-controls.md#opensearch-10) 
+  [[Opensearch.11] OpenSearch domains should have at least three dedicated primary nodes](opensearch-controls.md#opensearch-11) 
+  [[RDS.1] RDS snapshot should be private](rds-controls.md#rds-1) 
+  [[RDS.14] Amazon Aurora clusters should have backtracking enabled](rds-controls.md#rds-14) 
+  [[RDS.31] RDS DB security groups should be tagged](rds-controls.md#rds-31) 
+  [[RDS.35] RDS DB clusters should have automatic minor version upgrade enabled](rds-controls.md#rds-35) 
+  [[RDS.37] Aurora PostgreSQL DB clusters should publish logs to CloudWatch Logs](rds-controls.md#rds-37) 
+  [[Redshift.10] Redshift clusters should be encrypted at rest](redshift-controls.md#redshift-10) 
+  [[Redshift.18] Redshift clusters should have Multi-AZ deployments enabled](redshift-controls.md#redshift-18) 
+  [[Route53.1] Route 53 health checks should be tagged](route53-controls.md#route53-1) 
+  [[Route53.2] Route 53 public hosted zones should log DNS queries](route53-controls.md#route53-2) 
+  [[S3.24] S3 Multi-Region Access Points should have block public access settings enabled](s3-controls.md#s3-24) 
+  [[S3.25] S3 directory buckets should have lifecycle configurations](s3-controls.md#s3-25) 
+  [[SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access](sagemaker-controls.md#sagemaker-1) 
+  [[SageMaker.2] SageMaker notebook instances should be launched in a custom VPC](sagemaker-controls.md#sagemaker-2) 
+  [[SageMaker.3] Users should not have root access to SageMaker notebook instances](sagemaker-controls.md#sagemaker-3) 
+  [[SageMaker.5] SageMaker models should have network isolation enabled](sagemaker-controls.md#sagemaker-5) 
+  [[SageMaker.9] SageMaker data quality job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-9) 
+  [[SageMaker.10] SageMaker model explainability job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-10) 
+  [[SageMaker.11] SageMaker data quality job definitions should have network isolation enabled](sagemaker-controls.md#sagemaker-11) 
+  [[SageMaker.12] SageMaker model bias job definitions should have network isolation enabled](sagemaker-controls.md#sagemaker-12) 
+  [[SageMaker.13] SageMaker model quality job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-13) 
+  [[SageMaker.14] SageMaker monitoring schedules should have network isolation enabled](sagemaker-controls.md#sagemaker-14) 
+  [[SageMaker.15] SageMaker model bias job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-15) 
+  [[SES.1] SES contact lists should be tagged](ses-controls.md#ses-1) 
+  [[SES.2] SES configuration sets should be tagged](ses-controls.md#ses-2) 
+  [[SES.3] SES configuration sets should have TLS enabled for sending emails](ses-controls.md#ses-3) 
+  [[SQS.1] Amazon SQS queues should be encrypted at rest](sqs-controls.md#sqs-1) 
+  [[SQS.2] SQS queues should be tagged](sqs-controls.md#sqs-2) 
+  [[SQS.3] SQS queue access policies should not allow public access](sqs-controls.md#sqs-3) 
+  [[SSM.6] SSM Automation should have CloudWatch logging enabled](ssm-controls.md#ssm-6) 
+  [[SSM.7] SSM documents should have the block public sharing setting enabled](ssm-controls.md#ssm-7) 
+  [[Transfer.3] Transfer Family connectors should have logging enabled](transfer-controls.md#transfer-3) 
+  [[Transfer.4] Transfer Family agreements should be tagged](transfer-controls.md#transfer-4) 
+  [[WAF.1] AWS WAF Classic Global Web ACL logging should be enabled](waf-controls.md#waf-1) 
+  [[WAF.3] AWS WAF Classic Regional rule groups should have at least one rule](waf-controls.md#waf-3) 
+  [[WAF.6] AWS WAF Classic global rules should have at least one condition](waf-controls.md#waf-6) 
+  [[WAF.7] AWS WAF Classic global rule groups should have at least one rule](waf-controls.md#waf-7) 
+  [[WAF.8] AWS WAF Classic global web ACLs should have at least one rule or rule group](waf-controls.md#waf-8) 
+  [[WAF.10] AWS WAF web ACLs should have at least one rule or rule group](waf-controls.md#waf-10) 
+  [[WorkSpaces.1] WorkSpaces user volumes should be encrypted at rest](workspaces-controls.md#workspaces-1) 
+  [[WorkSpaces.2] WorkSpaces root volumes should be encrypted at rest](workspaces-controls.md#workspaces-2) 

## Europe (Stockholm)
<a name="securityhub-control-support-eunorth1"></a>

The following controls are not supported in the Europe (Stockholm) Region.
+  [[AppFlow.1] Amazon AppFlow flows should be tagged](appflow-controls.md#appflow-1) 
+  [[AppRunner.1] App Runner services should be tagged](apprunner-controls.md#apprunner-1) 
+  [[AppRunner.2] App Runner VPC connectors should be tagged](apprunner-controls.md#apprunner-2) 
+  [[AppSync.1] AWS AppSync API caches should be encrypted at rest](appsync-controls.md#appsync-1) 
+  [[AppSync.6] AWS AppSync API caches should be encrypted in transit](appsync-controls.md#appsync-6) 
+  [[CloudFront.1] CloudFront distributions should have a default root object configured](cloudfront-controls.md#cloudfront-1) 
+  [[CloudFront.3] CloudFront distributions should require encryption in transit](cloudfront-controls.md#cloudfront-3) 
+  [[CloudFront.4] CloudFront distributions should have origin failover configured](cloudfront-controls.md#cloudfront-4) 
+  [[CloudFront.5] CloudFront distributions should have logging enabled](cloudfront-controls.md#cloudfront-5) 
+  [[CloudFront.6] CloudFront distributions should have WAF enabled](cloudfront-controls.md#cloudfront-6) 
+  [[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates](cloudfront-controls.md#cloudfront-7) 
+  [[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests](cloudfront-controls.md#cloudfront-8) 
+  [[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins](cloudfront-controls.md#cloudfront-9) 
+  [[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins](cloudfront-controls.md#cloudfront-10) 
+  [[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins](cloudfront-controls.md#cloudfront-12) 
+  [[CloudFront.13] CloudFront distributions should use origin access control](cloudfront-controls.md#cloudfront-13) 
+  [[CloudFront.14] CloudFront distributions should be tagged](cloudfront-controls.md#cloudfront-14) 
+  [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](cloudfront-controls.md#cloudfront-15) 
+  [[CloudFront.16] CloudFront distributions should use origin access control for Lambda function URL origins](cloudfront-controls.md#cloudfront-16) 
+  [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](cloudfront-controls.md#cloudfront-17) 
+  [[Connect.1] Amazon Connect Customer Profiles object types should be tagged](connect-controls.md#connect-1) 
+  [[Connect.2] Amazon Connect instances should have CloudWatch logging enabled](connect-controls.md#connect-2) 
+  [[DocumentDB.1] Amazon DocumentDB clusters should be encrypted at rest](documentdb-controls.md#documentdb-1) 
+  [[DocumentDB.2] Amazon DocumentDB clusters should have an adequate backup retention period](documentdb-controls.md#documentdb-2) 
+  [[DocumentDB.3] Amazon DocumentDB manual cluster snapshots should not be public](documentdb-controls.md#documentdb-3) 
+  [[DocumentDB.4] Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs](documentdb-controls.md#documentdb-4) 
+  [[DocumentDB.5] Amazon DocumentDB clusters should have deletion protection enabled](documentdb-controls.md#documentdb-5) 
+  [[DocumentDB.6] Amazon DocumentDB clusters should be encrypted in transit](documentdb-controls.md#documentdb-6) 
+  [[DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest](dynamodb-controls.md#dynamodb-3) 
+  [[DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit](dynamodb-controls.md#dynamodb-7) 
+  [[EC2.24] Amazon EC2 paravirtual instance types should not be used](ec2-controls.md#ec2-24) 
+  [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](ec2-controls.md#ec2-173) 
+  [[ECR.4] ECR public repositories should be tagged](ecr-controls.md#ecr-4) 
+  [[FraudDetector.1] Amazon Fraud Detector entity types should be tagged](frauddetector-controls.md#frauddetector-1) 
+  [[FraudDetector.2] Amazon Fraud Detector labels should be tagged](frauddetector-controls.md#frauddetector-2) 
+  [[FraudDetector.3] Amazon Fraud Detector outcomes should be tagged](frauddetector-controls.md#frauddetector-3) 
+  [[FraudDetector.4] Amazon Fraud Detector variables should be tagged](frauddetector-controls.md#frauddetector-4) 
+  [[GlobalAccelerator.1] Global Accelerator accelerators should be tagged](globalaccelerator-controls.md#globalaccelerator-1) 
+  [[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed](iam-controls.md#iam-26) 
+  [[IoTEvents.1] AWS IoT Events inputs should be tagged](iotevents-controls.md#iotevents-1) 
+  [[IoTEvents.2] AWS IoT Events detector models should be tagged](iotevents-controls.md#iotevents-2) 
+  [[IoTEvents.3] AWS IoT Events alarm models should be tagged](iotevents-controls.md#iotevents-3) 
+  [[IoTSiteWise.1] AWS IoT SiteWise asset models should be tagged](iotsitewise-controls.md#iotsitewise-1) 
+  [[IoTSiteWise.2] AWS IoT SiteWise dashboards should be tagged](iotsitewise-controls.md#iotsitewise-2) 
+  [[IoTSiteWise.3] AWS IoT SiteWise gateways should be tagged](iotsitewise-controls.md#iotsitewise-3) 
+  [[IoTSiteWise.4] AWS IoT SiteWise portals should be tagged](iotsitewise-controls.md#iotsitewise-4) 
+  [[IoTSiteWise.5] AWS IoT SiteWise projects should be tagged](iotsitewise-controls.md#iotsitewise-5) 
+  [[IoTTwinMaker.1] AWS IoT TwinMaker sync jobs should be tagged](iottwinmaker-controls.md#iottwinmaker-1) 
+  [[IoTTwinMaker.2] AWS IoT TwinMaker workspaces should be tagged](iottwinmaker-controls.md#iottwinmaker-2) 
+  [[IoTTwinMaker.3] AWS IoT TwinMaker scenes should be tagged](iottwinmaker-controls.md#iottwinmaker-3) 
+  [[IoTTwinMaker.4] AWS IoT TwinMaker entities should be tagged](iottwinmaker-controls.md#iottwinmaker-4) 
+  [[IoTWireless.1] AWS IoT Wireless multicast groups should be tagged](iotwireless-controls.md#iotwireless-1) 
+  [[IoTWireless.2] AWS IoT Wireless service profiles should be tagged](iotwireless-controls.md#iotwireless-2) 
+  [[IoTWireless.3] AWS IoT FUOTA tasks should be tagged](iotwireless-controls.md#iotwireless-3) 
+  [[IVS.1] IVS playback key pairs should be tagged](ivs-controls.md#ivs-1) 
+  [[IVS.2] IVS recording configurations should be tagged](ivs-controls.md#ivs-2) 
+  [[IVS.3] IVS channels should be tagged](ivs-controls.md#ivs-3) 
+  [[RDS.14] Amazon Aurora clusters should have backtracking enabled](rds-controls.md#rds-14) 
+  [[RDS.31] RDS DB security groups should be tagged](rds-controls.md#rds-31) 
+  [[Route53.1] Route 53 health checks should be tagged](route53-controls.md#route53-1) 
+  [[Route53.2] Route 53 public hosted zones should log DNS queries](route53-controls.md#route53-2) 
+  [[S3.24] S3 Multi-Region Access Points should have block public access settings enabled](s3-controls.md#s3-24) 
+  [[SageMaker.12] SageMaker model bias job definitions should have network isolation enabled](sagemaker-controls.md#sagemaker-12) 
+  [[SageMaker.15] SageMaker model bias job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-15) 
+  [[WAF.1] AWS WAF Classic Global Web ACL logging should be enabled](waf-controls.md#waf-1) 
+  [[WAF.6] AWS WAF Classic global rules should have at least one condition](waf-controls.md#waf-6) 
+  [[WAF.7] AWS WAF Classic global rule groups should have at least one rule](waf-controls.md#waf-7) 
+  [[WAF.8] AWS WAF Classic global web ACLs should have at least one rule or rule group](waf-controls.md#waf-8) 
+  [[WorkSpaces.1] WorkSpaces user volumes should be encrypted at rest](workspaces-controls.md#workspaces-1) 
+  [[WorkSpaces.2] WorkSpaces root volumes should be encrypted at rest](workspaces-controls.md#workspaces-2) 

## Europe (Zurich)
<a name="securityhub-control-support-eucentral2"></a>

The following controls are not supported in the Europe (Zurich) Region.
+  [[APIGateway.8] API Gateway routes should specify an authorization type](apigateway-controls.md#apigateway-8) 
+  [[APIGateway.9] Access logging should be configured for API Gateway V2 Stages](apigateway-controls.md#apigateway-9) 
+  [[Amplify.1] Amplify apps should be tagged](amplify-controls.md#amplify-1) 
+  [[Amplify.2] Amplify branches should be tagged](amplify-controls.md#amplify-2) 
+  [[AppConfig.1] AWS AppConfig applications should be tagged](appconfig-controls.md#appconfig-1) 
+  [[AppConfig.2] AWS AppConfig configuration profiles should be tagged](appconfig-controls.md#appconfig-2) 
+  [[AppConfig.3] AWS AppConfig environments should be tagged](appconfig-controls.md#appconfig-3) 
+  [[AppFlow.1] Amazon AppFlow flows should be tagged](appflow-controls.md#appflow-1) 
+  [[AppRunner.1] App Runner services should be tagged](apprunner-controls.md#apprunner-1) 
+  [[AppRunner.2] App Runner VPC connectors should be tagged](apprunner-controls.md#apprunner-2) 
+  [[AppSync.1] AWS AppSync API caches should be encrypted at rest](appsync-controls.md#appsync-1) 
+  [[AppSync.6] AWS AppSync API caches should be encrypted in transit](appsync-controls.md#appsync-6) 
+  [[Backup.1] AWS Backup recovery points should be encrypted at rest](backup-controls.md#backup-1) 
+  [[CloudFormation.3] CloudFormation stacks should have termination protection enabled](cloudformation-controls.md#cloudformation-3) 
+  [[CloudFormation.4] CloudFormation stacks should have associated service roles](cloudformation-controls.md#cloudformation-4) 
+  [[CloudFront.1] CloudFront distributions should have a default root object configured](cloudfront-controls.md#cloudfront-1) 
+  [[CloudFront.3] CloudFront distributions should require encryption in transit](cloudfront-controls.md#cloudfront-3) 
+  [[CloudFront.4] CloudFront distributions should have origin failover configured](cloudfront-controls.md#cloudfront-4) 
+  [[CloudFront.5] CloudFront distributions should have logging enabled](cloudfront-controls.md#cloudfront-5) 
+  [[CloudFront.6] CloudFront distributions should have WAF enabled](cloudfront-controls.md#cloudfront-6) 
+  [[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates](cloudfront-controls.md#cloudfront-7) 
+  [[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests](cloudfront-controls.md#cloudfront-8) 
+  [[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins](cloudfront-controls.md#cloudfront-9) 
+  [[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins](cloudfront-controls.md#cloudfront-10) 
+  [[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins](cloudfront-controls.md#cloudfront-12) 
+  [[CloudFront.13] CloudFront distributions should use origin access control](cloudfront-controls.md#cloudfront-13) 
+  [[CloudFront.14] CloudFront distributions should be tagged](cloudfront-controls.md#cloudfront-14) 
+  [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](cloudfront-controls.md#cloudfront-15) 
+  [[CloudFront.16] CloudFront distributions should use origin access control for Lambda function URL origins](cloudfront-controls.md#cloudfront-16) 
+  [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](cloudfront-controls.md#cloudfront-17) 
+  [[CloudTrail.6] Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible](cloudtrail-controls.md#cloudtrail-6) 
+  [[CloudTrail.7] Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket](cloudtrail-controls.md#cloudtrail-7) 
+  [[CodeArtifact.1] CodeArtifact repositories should be tagged](codeartifact-controls.md#codeartifact-1) 
+  [[CodeGuruProfiler.1] CodeGuru Profiler profiling groups should be tagged](codeguruprofiler-controls.md#codeguruprofiler-1) 
+  [[CodeGuruReviewer.1] CodeGuru Reviewer repository associations should be tagged](codegurureviewer-controls.md#codegurureviewer-1) 
+  [[Cognito.1] Cognito user pools should have threat protection activated with full function enforcement mode for standard authentication](cognito-controls.md#cognito-1) 
+  [[Cognito.2] Cognito identity pools should not allow unauthenticated identities](cognito-controls.md#cognito-2) 
+  [[Connect.1] Amazon Connect Customer Profiles object types should be tagged](connect-controls.md#connect-1) 
+  [[Connect.2] Amazon Connect instances should have CloudWatch logging enabled](connect-controls.md#connect-2) 
+  [[Detective.1] Detective behavior graphs should be tagged](detective-controls.md#detective-1) 
+  [[DMS.2] DMS certificates should be tagged](dms-controls.md#dms-2) 
+  [[DMS.3] DMS event subscriptions should be tagged](dms-controls.md#dms-3) 
+  [[DMS.4] DMS replication instances should be tagged](dms-controls.md#dms-4) 
+  [[DMS.5] DMS replication subnet groups should be tagged](dms-controls.md#dms-5) 
+  [[DMS.6] DMS replication instances should have automatic minor version upgrade enabled](dms-controls.md#dms-6) 
+  [[DMS.7] DMS replication tasks for the target database should have logging enabled](dms-controls.md#dms-7) 
+  [[DMS.8] DMS replication tasks for the source database should have logging enabled](dms-controls.md#dms-8) 
+  [[DMS.9] DMS endpoints should use SSL](dms-controls.md#dms-9) 
+  [[DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled](dms-controls.md#dms-10) 
+  [[DMS.11] DMS endpoints for MongoDB should have an authentication mechanism enabled](dms-controls.md#dms-11) 
+  [[DMS.12] DMS endpoints for Redis OSS should have TLS enabled](dms-controls.md#dms-12) 
+  [[DMS.13] DMS replication instances should be configured to use multiple Availability Zones](dms-controls.md#dms-13) 
+  [[DocumentDB.1] Amazon DocumentDB clusters should be encrypted at rest](documentdb-controls.md#documentdb-1) 
+  [[DocumentDB.2] Amazon DocumentDB clusters should have an adequate backup retention period](documentdb-controls.md#documentdb-2) 
+  [[DocumentDB.3] Amazon DocumentDB manual cluster snapshots should not be public](documentdb-controls.md#documentdb-3) 
+  [[DocumentDB.4] Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs](documentdb-controls.md#documentdb-4) 
+  [[DocumentDB.5] Amazon DocumentDB clusters should have deletion protection enabled](documentdb-controls.md#documentdb-5) 
+  [[DocumentDB.6] Amazon DocumentDB clusters should be encrypted in transit](documentdb-controls.md#documentdb-6) 
+  [[DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest](dynamodb-controls.md#dynamodb-3) 
+  [[DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit](dynamodb-controls.md#dynamodb-7) 
+  [[EC2.4] Stopped EC2 instances should be removed after a specified time period](ec2-controls.md#ec2-4) 
+  [[EC2.14] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 3389](ec2-controls.md#ec2-14) 
+  [[EC2.22] Unused Amazon EC2 security groups should be removed](ec2-controls.md#ec2-22) 
+  [[EC2.24] Amazon EC2 paravirtual instance types should not be used](ec2-controls.md#ec2-24) 
+  [[EC2.25] Amazon EC2 launch templates should not assign public IPs to network interfaces](ec2-controls.md#ec2-25) 
+  [[EC2.58] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager Contacts](ec2-controls.md#ec2-58) 
+  [[EC2.60] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager](ec2-controls.md#ec2-60) 
+  [[EC2.170] EC2 launch templates should use Instance Metadata Service Version 2 (IMDSv2)](ec2-controls.md#ec2-170) 
+  [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](ec2-controls.md#ec2-173) 
+  [[EC2.175] EC2 launch templates should be tagged](ec2-controls.md#ec2-175) 
+  [[EC2.180] EC2 network interfaces should have source/destination checking enabled](ec2-controls.md#ec2-180) 
+  [[EC2.181] EC2 launch templates should enable encryption for attached EBS volumes](ec2-controls.md#ec2-181) 
+  [[ECR.4] ECR public repositories should be tagged](ecr-controls.md#ecr-4) 
+  [[EFS.1] Elastic File System should be configured to encrypt file data at-rest using AWS KMS](efs-controls.md#efs-1) 
+  [[EFS.2] Amazon EFS volumes should be in backup plans](efs-controls.md#efs-2) 
+  [[ELB.2] Classic Load Balancers with SSL/HTTPS listeners should use a certificate provided by AWS Certificate Manager](elb-controls.md#elb-2) 
+  [[ELB.14] Classic Load Balancer should be configured with defensive or strictest desync mitigation mode](elb-controls.md#elb-14) 
+  [[ELB.17] Application and Network Load Balancers with listeners should use recommended security policies](elb-controls.md#elb-17) 
+  [[ELB.18] Application and Network Load Balancer listeners should use secure protocols to encrypt data in transit](elb-controls.md#elb-18) 
+  [[ElastiCache.1] ElastiCache (Redis OSS) clusters should have automatic backups enabled](elasticache-controls.md#elasticache-1) 
+  [[ElastiCache.6] ElastiCache (Redis OSS) replication groups of earlier versions should have Redis OSS AUTH enabled](elasticache-controls.md#elasticache-6) 
+  [[ElastiCache.7] ElastiCache clusters should not use the default subnet group](elasticache-controls.md#elasticache-7) 
+  [[ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled](elasticbeanstalk-controls.md#elasticbeanstalk-1) 
+  [[ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled](elasticbeanstalk-controls.md#elasticbeanstalk-2) 
+  [[ElasticBeanstalk.3] Elastic Beanstalk should stream logs to CloudWatch](elasticbeanstalk-controls.md#elasticbeanstalk-3) 
+  [[EMR.1] Amazon EMR cluster primary nodes should not have public IP addresses](emr-controls.md#emr-1) 
+  [[ES.4] Elasticsearch domain error logging to CloudWatch Logs should be enabled](es-controls.md#es-4) 
+  [[EventBridge.4] EventBridge global endpoints should have event replication enabled](eventbridge-controls.md#eventbridge-4) 
+  [[FraudDetector.1] Amazon Fraud Detector entity types should be tagged](frauddetector-controls.md#frauddetector-1) 
+  [[FraudDetector.2] Amazon Fraud Detector labels should be tagged](frauddetector-controls.md#frauddetector-2) 
+  [[FraudDetector.3] Amazon Fraud Detector outcomes should be tagged](frauddetector-controls.md#frauddetector-3) 
+  [[FraudDetector.4] Amazon Fraud Detector variables should be tagged](frauddetector-controls.md#frauddetector-4) 
+  [[GlobalAccelerator.1] Global Accelerator accelerators should be tagged](globalaccelerator-controls.md#globalaccelerator-1) 
+  [[Glue.4] AWS Glue Spark jobs should run on supported versions of AWS Glue](glue-controls.md#glue-4) 
+  [[GuardDuty.2] GuardDuty filters should be tagged](guardduty-controls.md#guardduty-2) 
+  [[IAM.1] IAM policies should not allow full "*" administrative privileges](iam-controls.md#iam-1) 
+  [[IAM.2] IAM users should not have IAM policies attached](iam-controls.md#iam-2) 
+  [[IAM.3] IAM users' access keys should be rotated every 90 days or less](iam-controls.md#iam-3) 
+  [[IAM.4] IAM root user access key should not exist](iam-controls.md#iam-4) 
+  [[IAM.5] MFA should be enabled for all IAM users that have a console password](iam-controls.md#iam-5) 
+  [[IAM.8] Unused IAM user credentials should be removed](iam-controls.md#iam-8) 
+  [[IAM.18] Ensure a support role has been created to manage incidents with AWS Support](iam-controls.md#iam-18) 
+  [[IAM.19] MFA should be enabled for all IAM users](iam-controls.md#iam-19) 
+  [[IAM.21] IAM customer managed policies that you create should not allow wildcard actions for services](iam-controls.md#iam-21) 
+  [[IAM.22] IAM user credentials unused for 45 days should be removed](iam-controls.md#iam-22) 
+  [[IAM.24] IAM roles should be tagged](iam-controls.md#iam-24) 
+  [[IAM.25] IAM users should be tagged](iam-controls.md#iam-25) 
+  [[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed](iam-controls.md#iam-26) 
+  [[IAM.27] IAM identities should not have the AWSCloudShellFullAccess policy attached](iam-controls.md#iam-27) 
+  [[Inspector.3] Amazon Inspector Lambda code scanning should be enabled](inspector-controls.md#inspector-3) 
+  [[IoT.1] AWS IoT Device Defender security profiles should be tagged](iot-controls.md#iot-1) 
+  [[IoT.2] AWS IoT Core mitigation actions should be tagged](iot-controls.md#iot-2) 
+  [[IoT.3] AWS IoT Core dimensions should be tagged](iot-controls.md#iot-3) 
+  [[IoT.4] AWS IoT Core authorizers should be tagged](iot-controls.md#iot-4) 
+  [[IoT.5] AWS IoT Core role aliases should be tagged](iot-controls.md#iot-5) 
+  [[IoT.6] AWS IoT Core policies should be tagged](iot-controls.md#iot-6) 
+  [[IoTEvents.1] AWS IoT Events inputs should be tagged](iotevents-controls.md#iotevents-1) 
+  [[IoTEvents.2] AWS IoT Events detector models should be tagged](iotevents-controls.md#iotevents-2) 
+  [[IoTEvents.3] AWS IoT Events alarm models should be tagged](iotevents-controls.md#iotevents-3) 
+  [[IoTSiteWise.1] AWS IoT SiteWise asset models should be tagged](iotsitewise-controls.md#iotsitewise-1) 
+  [[IoTSiteWise.2] AWS IoT SiteWise dashboards should be tagged](iotsitewise-controls.md#iotsitewise-2) 
+  [[IoTSiteWise.3] AWS IoT SiteWise gateways should be tagged](iotsitewise-controls.md#iotsitewise-3) 
+  [[IoTSiteWise.4] AWS IoT SiteWise portals should be tagged](iotsitewise-controls.md#iotsitewise-4) 
+  [[IoTSiteWise.5] AWS IoT SiteWise projects should be tagged](iotsitewise-controls.md#iotsitewise-5) 
+  [[IoTTwinMaker.1] AWS IoT TwinMaker sync jobs should be tagged](iottwinmaker-controls.md#iottwinmaker-1) 
+  [[IoTTwinMaker.2] AWS IoT TwinMaker workspaces should be tagged](iottwinmaker-controls.md#iottwinmaker-2) 
+  [[IoTTwinMaker.3] AWS IoT TwinMaker scenes should be tagged](iottwinmaker-controls.md#iottwinmaker-3) 
+  [[IoTTwinMaker.4] AWS IoT TwinMaker entities should be tagged](iottwinmaker-controls.md#iottwinmaker-4) 
+  [[IoTWireless.1] AWS IoT Wireless multicast groups should be tagged](iotwireless-controls.md#iotwireless-1) 
+  [[IoTWireless.2] AWS IoT Wireless service profiles should be tagged](iotwireless-controls.md#iotwireless-2) 
+  [[IoTWireless.3] AWS IoT FUOTA tasks should be tagged](iotwireless-controls.md#iotwireless-3) 
+  [[IVS.1] IVS playback key pairs should be tagged](ivs-controls.md#ivs-1) 
+  [[IVS.2] IVS recording configurations should be tagged](ivs-controls.md#ivs-2) 
+  [[IVS.3] IVS channels should be tagged](ivs-controls.md#ivs-3) 
+  [[Keyspaces.1] Amazon Keyspaces keyspaces should be tagged](keyspaces-controls.md#keyspaces-1) 
+  [[KMS.1] IAM customer managed policies should not allow decryption actions on all KMS keys](kms-controls.md#kms-1) 
+  [[KMS.2] IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys](kms-controls.md#kms-2) 
+  [[Lambda.7] Lambda functions should have AWS X-Ray active tracing enabled](lambda-controls.md#lambda-7) 
+  [[Macie.1] Amazon Macie should be enabled](macie-controls.md#macie-1) 
+  [[Macie.2] Macie automated sensitive data discovery should be enabled](macie-controls.md#macie-2) 
+  [[MQ.2] ActiveMQ brokers should stream audit logs to CloudWatch](mq-controls.md#mq-2) 
+  [[MQ.4] Amazon MQ brokers should be tagged](mq-controls.md#mq-4) 
+  [[MQ.5] ActiveMQ brokers should use active/standby deployment mode](mq-controls.md#mq-5) 
+  [[MQ.6] RabbitMQ brokers should use cluster deployment mode](mq-controls.md#mq-6) 
+  [[MSK.3] MSK Connect connectors should be encrypted in transit](msk-controls.md#msk-3) 
+  [[MSK.4] MSK clusters should have public access disabled](msk-controls.md#msk-4) 
+  [[MSK.5] MSK connectors should have logging enabled](msk-controls.md#msk-5) 
+  [[MSK.6] MSK clusters should disable unauthenticated access](msk-controls.md#msk-6) 
+  [[Neptune.1] Neptune DB clusters should be encrypted at rest](neptune-controls.md#neptune-1) 
+  [[Neptune.2] Neptune DB clusters should publish audit logs to CloudWatch Logs](neptune-controls.md#neptune-2) 
+  [[Neptune.3] Neptune DB cluster snapshots should not be public](neptune-controls.md#neptune-3) 
+  [[Neptune.4] Neptune DB clusters should have deletion protection enabled](neptune-controls.md#neptune-4) 
+  [[Neptune.5] Neptune DB clusters should have automated backups enabled](neptune-controls.md#neptune-5) 
+  [[Neptune.6] Neptune DB cluster snapshots should be encrypted at rest](neptune-controls.md#neptune-6) 
+  [[Neptune.7] Neptune DB clusters should have IAM database authentication enabled](neptune-controls.md#neptune-7) 
+  [[Neptune.8] Neptune DB clusters should be configured to copy tags to snapshots](neptune-controls.md#neptune-8) 
+  [[Neptune.9] Neptune DB clusters should be deployed across multiple Availability Zones](neptune-controls.md#neptune-9) 
+  [[Opensearch.1] OpenSearch domains should have encryption at rest enabled](opensearch-controls.md#opensearch-1) 
+  [[Opensearch.2] OpenSearch domains should not be publicly accessible](opensearch-controls.md#opensearch-2) 
+  [[Opensearch.3] OpenSearch domains should encrypt data sent between nodes](opensearch-controls.md#opensearch-3) 
+  [[Opensearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled](opensearch-controls.md#opensearch-4) 
+  [[Opensearch.5] OpenSearch domains should have audit logging enabled](opensearch-controls.md#opensearch-5) 
+  [[Opensearch.6] OpenSearch domains should have at least three data nodes](opensearch-controls.md#opensearch-6) 
+  [[Opensearch.7] OpenSearch domains should have fine-grained access control enabled](opensearch-controls.md#opensearch-7) 
+  [[Opensearch.8] Connections to OpenSearch domains should be encrypted using the latest TLS security policy](opensearch-controls.md#opensearch-8) 
+  [[Opensearch.9] OpenSearch domains should be tagged](opensearch-controls.md#opensearch-9) 
+  [[Opensearch.10] OpenSearch domains should have the latest software update installed](opensearch-controls.md#opensearch-10) 
+  [[Opensearch.11] OpenSearch domains should have at least three dedicated primary nodes](opensearch-controls.md#opensearch-11) 
+  [[RDS.1] RDS snapshot should be private](rds-controls.md#rds-1) 
+  [[RDS.14] Amazon Aurora clusters should have backtracking enabled](rds-controls.md#rds-14) 
+  [[RDS.31] RDS DB security groups should be tagged](rds-controls.md#rds-31) 
+  [[RDS.35] RDS DB clusters should have automatic minor version upgrade enabled](rds-controls.md#rds-35) 
+  [[Redshift.18] Redshift clusters should have Multi-AZ deployments enabled](redshift-controls.md#redshift-18) 
+  [[Route53.1] Route 53 health checks should be tagged](route53-controls.md#route53-1) 
+  [[Route53.2] Route 53 public hosted zones should log DNS queries](route53-controls.md#route53-2) 
+  [[S3.24] S3 Multi-Region Access Points should have block public access settings enabled](s3-controls.md#s3-24) 
+  [[S3.25] S3 directory buckets should have lifecycle configurations](s3-controls.md#s3-25) 
+  [[SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access](sagemaker-controls.md#sagemaker-1) 
+  [[SageMaker.2] SageMaker notebook instances should be launched in a custom VPC](sagemaker-controls.md#sagemaker-2) 
+  [[SageMaker.3] Users should not have root access to SageMaker notebook instances](sagemaker-controls.md#sagemaker-3) 
+  [[SageMaker.5] SageMaker models should have network isolation enabled](sagemaker-controls.md#sagemaker-5) 
+  [[SageMaker.6] SageMaker app image configurations should be tagged](sagemaker-controls.md#sagemaker-6) 
+  [[SageMaker.7] SageMaker images should be tagged](sagemaker-controls.md#sagemaker-7) 
+  [[SageMaker.9] SageMaker data quality job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-9) 
+  [[SageMaker.10] SageMaker model explainability job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-10) 
+  [[SageMaker.11] SageMaker data quality job definitions should have network isolation enabled](sagemaker-controls.md#sagemaker-11) 
+  [[SageMaker.12] SageMaker model bias job definitions should have network isolation enabled](sagemaker-controls.md#sagemaker-12) 
+  [[SageMaker.13] SageMaker model quality job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-13) 
+  [[SageMaker.14] SageMaker monitoring schedules should have network isolation enabled](sagemaker-controls.md#sagemaker-14) 
+  [[SageMaker.15] SageMaker model bias job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-15) 
+  [[SES.3] SES configuration sets should have TLS enabled for sending emails](ses-controls.md#ses-3) 
+  [[SQS.1] Amazon SQS queues should be encrypted at rest](sqs-controls.md#sqs-1) 
+  [[SQS.2] SQS queues should be tagged](sqs-controls.md#sqs-2) 
+  [[SQS.3] SQS queue access policies should not allow public access](sqs-controls.md#sqs-3) 
+  [[SSM.6] SSM Automation should have CloudWatch logging enabled](ssm-controls.md#ssm-6) 
+  [[SSM.7] SSM documents should have the block public sharing setting enabled](ssm-controls.md#ssm-7) 
+  [[Transfer.3] Transfer Family connectors should have logging enabled](transfer-controls.md#transfer-3) 
+  [[Transfer.4] Transfer Family agreements should be tagged](transfer-controls.md#transfer-4) 
+  [[WAF.1] AWS WAF Classic Global Web ACL logging should be enabled](waf-controls.md#waf-1) 
+  [[WAF.3] AWS WAF Classic Regional rule groups should have at least one rule](waf-controls.md#waf-3) 
+  [[WAF.6] AWS WAF Classic global rules should have at least one condition](waf-controls.md#waf-6) 
+  [[WAF.7] AWS WAF Classic global rule groups should have at least one rule](waf-controls.md#waf-7) 
+  [[WAF.8] AWS WAF Classic global web ACLs should have at least one rule or rule group](waf-controls.md#waf-8) 
+  [[WAF.10] AWS WAF web ACLs should have at least one rule or rule group](waf-controls.md#waf-10) 
+  [[WorkSpaces.1] WorkSpaces user volumes should be encrypted at rest](workspaces-controls.md#workspaces-1) 
+  [[WorkSpaces.2] WorkSpaces root volumes should be encrypted at rest](workspaces-controls.md#workspaces-2) 

## Israel (Tel Aviv)
<a name="securityhub-control-support-ilcentral1"></a>

The following controls are not supported in the Israel (Tel Aviv) Region.
+  [[APIGateway.8] API Gateway routes should specify an authorization type](apigateway-controls.md#apigateway-8) 
+  [[APIGateway.9] Access logging should be configured for API Gateway V2 Stages](apigateway-controls.md#apigateway-9) 
+  [[Amplify.1] Amplify apps should be tagged](amplify-controls.md#amplify-1) 
+  [[Amplify.2] Amplify branches should be tagged](amplify-controls.md#amplify-2) 
+  [[AppFlow.1] Amazon AppFlow flows should be tagged](appflow-controls.md#appflow-1) 
+  [[AppRunner.1] App Runner services should be tagged](apprunner-controls.md#apprunner-1) 
+  [[AppRunner.2] App Runner VPC connectors should be tagged](apprunner-controls.md#apprunner-2) 
+  [[AppSync.1] AWS AppSync API caches should be encrypted at rest](appsync-controls.md#appsync-1) 
+  [[AppSync.2] AWS AppSync should have field-level logging enabled](appsync-controls.md#appsync-2) 
+  [[AppSync.5] AWS AppSync GraphQL APIs should not be authenticated with API keys](appsync-controls.md#appsync-5) 
+  [[AppSync.6] AWS AppSync API caches should be encrypted in transit](appsync-controls.md#appsync-6) 
+  [[Backup.1] AWS Backup recovery points should be encrypted at rest](backup-controls.md#backup-1) 
+  [[Backup.4] AWS Backup report plans should be tagged](backup-controls.md#backup-4) 
+  [[Batch.1] Batch job queues should be tagged](batch-controls.md#batch-1) 
+  [[Batch.3] Batch compute environments should be tagged](batch-controls.md#batch-3) 
+  [[Batch.4] Compute resources properties in managed Batch compute environments should be tagged](batch-controls.md#batch-4) 
+  [[CloudFormation.3] CloudFormation stacks should have termination protection enabled](cloudformation-controls.md#cloudformation-3) 
+  [[CloudFormation.4] CloudFormation stacks should have associated service roles](cloudformation-controls.md#cloudformation-4) 
+  [[CloudFront.1] CloudFront distributions should have a default root object configured](cloudfront-controls.md#cloudfront-1) 
+  [[CloudFront.3] CloudFront distributions should require encryption in transit](cloudfront-controls.md#cloudfront-3) 
+  [[CloudFront.4] CloudFront distributions should have origin failover configured](cloudfront-controls.md#cloudfront-4) 
+  [[CloudFront.5] CloudFront distributions should have logging enabled](cloudfront-controls.md#cloudfront-5) 
+  [[CloudFront.6] CloudFront distributions should have WAF enabled](cloudfront-controls.md#cloudfront-6) 
+  [[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates](cloudfront-controls.md#cloudfront-7) 
+  [[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests](cloudfront-controls.md#cloudfront-8) 
+  [[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins](cloudfront-controls.md#cloudfront-9) 
+  [[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins](cloudfront-controls.md#cloudfront-10) 
+  [[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins](cloudfront-controls.md#cloudfront-12) 
+  [[CloudFront.13] CloudFront distributions should use origin access control](cloudfront-controls.md#cloudfront-13) 
+  [[CloudFront.14] CloudFront distributions should be tagged](cloudfront-controls.md#cloudfront-14) 
+  [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](cloudfront-controls.md#cloudfront-15) 
+  [[CloudFront.16] CloudFront distributions should use origin access control for Lambda function URL origins](cloudfront-controls.md#cloudfront-16) 
+  [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](cloudfront-controls.md#cloudfront-17) 
+  [[CodeArtifact.1] CodeArtifact repositories should be tagged](codeartifact-controls.md#codeartifact-1) 
+  [[CodeGuruProfiler.1] CodeGuru Profiler profiling groups should be tagged](codeguruprofiler-controls.md#codeguruprofiler-1) 
+  [[CodeGuruReviewer.1] CodeGuru Reviewer repository associations should be tagged](codegurureviewer-controls.md#codegurureviewer-1) 
+  [[Cognito.2] Cognito identity pools should not allow unauthenticated identities](cognito-controls.md#cognito-2) 
+  [[Connect.1] Amazon Connect Customer Profiles object types should be tagged](connect-controls.md#connect-1) 
+  [[Connect.2] Amazon Connect instances should have CloudWatch logging enabled](connect-controls.md#connect-2) 
+  [[DMS.2] DMS certificates should be tagged](dms-controls.md#dms-2) 
+  [[DMS.3] DMS event subscriptions should be tagged](dms-controls.md#dms-3) 
+  [[DMS.4] DMS replication instances should be tagged](dms-controls.md#dms-4) 
+  [[DMS.5] DMS replication subnet groups should be tagged](dms-controls.md#dms-5) 
+  [[DMS.6] DMS replication instances should have automatic minor version upgrade enabled](dms-controls.md#dms-6) 
+  [[DMS.7] DMS replication tasks for the target database should have logging enabled](dms-controls.md#dms-7) 
+  [[DMS.8] DMS replication tasks for the source database should have logging enabled](dms-controls.md#dms-8) 
+  [[DMS.9] DMS endpoints should use SSL](dms-controls.md#dms-9) 
+  [[DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled](dms-controls.md#dms-10) 
+  [[DMS.11] DMS endpoints for MongoDB should have an authentication mechanism enabled](dms-controls.md#dms-11) 
+  [[DMS.12] DMS endpoints for Redis OSS should have TLS enabled](dms-controls.md#dms-12) 
+  [[DMS.13] DMS replication instances should be configured to use multiple Availability Zones](dms-controls.md#dms-13) 
+  [[DocumentDB.1] Amazon DocumentDB clusters should be encrypted at rest](documentdb-controls.md#documentdb-1) 
+  [[DocumentDB.2] Amazon DocumentDB clusters should have an adequate backup retention period](documentdb-controls.md#documentdb-2) 
+  [[DocumentDB.3] Amazon DocumentDB manual cluster snapshots should not be public](documentdb-controls.md#documentdb-3) 
+  [[DocumentDB.4] Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs](documentdb-controls.md#documentdb-4) 
+  [[DocumentDB.5] Amazon DocumentDB clusters should have deletion protection enabled](documentdb-controls.md#documentdb-5) 
+  [[DocumentDB.6] Amazon DocumentDB clusters should be encrypted in transit](documentdb-controls.md#documentdb-6) 
+  [[DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest](dynamodb-controls.md#dynamodb-3) 
+  [[DynamoDB.4] DynamoDB tables should be present in a backup plan](dynamodb-controls.md#dynamodb-4) 
+  [[DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit](dynamodb-controls.md#dynamodb-7) 
+  [[EC2.4] Stopped EC2 instances should be removed after a specified time period](ec2-controls.md#ec2-4) 
+  [[EC2.14] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 3389](ec2-controls.md#ec2-14) 
+  [[EC2.22] Unused Amazon EC2 security groups should be removed](ec2-controls.md#ec2-22) 
+  [[EC2.23] Amazon EC2 Transit Gateways should not automatically accept VPC attachment requests](ec2-controls.md#ec2-23) 
+  [[EC2.24] Amazon EC2 paravirtual instance types should not be used](ec2-controls.md#ec2-24) 
+  [[EC2.25] Amazon EC2 launch templates should not assign public IPs to network interfaces](ec2-controls.md#ec2-25) 
+  [[EC2.28] EBS volumes should be covered by a backup plan](ec2-controls.md#ec2-28) 
+  [[EC2.34] EC2 transit gateway route tables should be tagged](ec2-controls.md#ec2-34) 
+  [[EC2.40] EC2 NAT gateways should be tagged](ec2-controls.md#ec2-40) 
+  [[EC2.51] EC2 Client VPN endpoints should have client connection logging enabled](ec2-controls.md#ec2-51) 
+  [[EC2.55] VPCs should be configured with an interface endpoint for ECR API](ec2-controls.md#ec2-55) 
+  [[EC2.56] VPCs should be configured with an interface endpoint for Docker Registry](ec2-controls.md#ec2-56) 
+  [[EC2.57] VPCs should be configured with an interface endpoint for Systems Manager](ec2-controls.md#ec2-57) 
+  [[EC2.58] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager Contacts](ec2-controls.md#ec2-58) 
+  [[EC2.60] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager](ec2-controls.md#ec2-60) 
+  [[EC2.170] EC2 launch templates should use Instance Metadata Service Version 2 (IMDSv2)](ec2-controls.md#ec2-170) 
+  [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](ec2-controls.md#ec2-173) 
+  [[EC2.175] EC2 launch templates should be tagged](ec2-controls.md#ec2-175) 
+  [[EC2.177] EC2 traffic mirror sessions should be tagged](ec2-controls.md#ec2-177) 
+  [[EC2.179] EC2 traffic mirror targets should be tagged](ec2-controls.md#ec2-179) 
+  [[EC2.180] EC2 network interfaces should have source/destination checking enabled](ec2-controls.md#ec2-180) 
+  [[EC2.181] EC2 launch templates should enable encryption for attached EBS volumes](ec2-controls.md#ec2-181) 
+  [[ECR.2] ECR private repositories should have tag immutability configured](ecr-controls.md#ecr-2) 
+  [[ECR.3] ECR repositories should have at least one lifecycle policy configured](ecr-controls.md#ecr-3) 
+  [[ECR.4] ECR public repositories should be tagged](ecr-controls.md#ecr-4) 
+  [[ECR.5] ECR repositories should be encrypted with customer managed AWS KMS keys](ecr-controls.md#ecr-5) 
+  [[EFS.1] Elastic File System should be configured to encrypt file data at-rest using AWS KMS](efs-controls.md#efs-1) 
+  [[EFS.2] Amazon EFS volumes should be in backup plans](efs-controls.md#efs-2) 
+  [[EFS.3] EFS access points should enforce a root directory](efs-controls.md#efs-3) 
+  [[EFS.4] EFS access points should enforce a user identity](efs-controls.md#efs-4) 
+  [[EFS.8] EFS file systems should be encrypted at rest](efs-controls.md#efs-8) 
+  [[EKS.2] EKS clusters should run on a supported Kubernetes version](eks-controls.md#eks-2) 
+  [[EKS.7] EKS identity provider configurations should be tagged](eks-controls.md#eks-7) 
+  [[EKS.8] EKS clusters should have audit logging enabled](eks-controls.md#eks-8) 
+  [[ELB.2] Classic Load Balancers with SSL/HTTPS listeners should use a certificate provided by AWS Certificate Manager](elb-controls.md#elb-2) 
+  [[ELB.14] Classic Load Balancer should be configured with defensive or strictest desync mitigation mode](elb-controls.md#elb-14) 
+  [[ELB.17] Application and Network Load Balancers with listeners should use recommended security policies](elb-controls.md#elb-17) 
+  [[ELB.18] Application and Network Load Balancer listeners should use secure protocols to encrypt data in transit](elb-controls.md#elb-18) 
+  [[ElastiCache.1] ElastiCache (Redis OSS) clusters should have automatic backups enabled](elasticache-controls.md#elasticache-1) 
+  [[ElastiCache.2] ElastiCache clusters should have automatic minor version upgrades enabled](elasticache-controls.md#elasticache-2) 
+  [[ElastiCache.3] ElastiCache replication groups should have automatic failover enabled](elasticache-controls.md#elasticache-3) 
+  [[ElastiCache.4] ElastiCache replication groups should be encrypted at rest](elasticache-controls.md#elasticache-4) 
+  [[ElastiCache.5] ElastiCache replication groups should be encrypted in transit](elasticache-controls.md#elasticache-5) 
+  [[ElastiCache.6] ElastiCache (Redis OSS) replication groups of earlier versions should have Redis OSS AUTH enabled](elasticache-controls.md#elasticache-6) 
+  [[ElastiCache.7] ElastiCache clusters should not use the default subnet group](elasticache-controls.md#elasticache-7) 
+  [[ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled](elasticbeanstalk-controls.md#elasticbeanstalk-1) 
+  [[ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled](elasticbeanstalk-controls.md#elasticbeanstalk-2) 
+  [[ElasticBeanstalk.3] Elastic Beanstalk should stream logs to CloudWatch](elasticbeanstalk-controls.md#elasticbeanstalk-3) 
+  [[EMR.1] Amazon EMR cluster primary nodes should not have public IP addresses](emr-controls.md#emr-1) 
+  [[ES.4] Elasticsearch domain error logging to CloudWatch Logs should be enabled](es-controls.md#es-4) 
+  [[EventBridge.4] EventBridge global endpoints should have event replication enabled](eventbridge-controls.md#eventbridge-4) 
+  [[FraudDetector.1] Amazon Fraud Detector entity types should be tagged](frauddetector-controls.md#frauddetector-1) 
+  [[FraudDetector.2] Amazon Fraud Detector labels should be tagged](frauddetector-controls.md#frauddetector-2) 
+  [[FraudDetector.3] Amazon Fraud Detector outcomes should be tagged](frauddetector-controls.md#frauddetector-3) 
+  [[FraudDetector.4] Amazon Fraud Detector variables should be tagged](frauddetector-controls.md#frauddetector-4) 
+  [[GlobalAccelerator.1] Global Accelerator accelerators should be tagged](globalaccelerator-controls.md#globalaccelerator-1) 
+  [[Glue.4] AWS Glue Spark jobs should run on supported versions of AWS Glue](glue-controls.md#glue-4) 
+  [[GuardDuty.2] GuardDuty filters should be tagged](guardduty-controls.md#guardduty-2) 
+  [[IAM.1] IAM policies should not allow full "*" administrative privileges](iam-controls.md#iam-1) 
+  [[IAM.2] IAM users should not have IAM policies attached](iam-controls.md#iam-2) 
+  [[IAM.3] IAM users' access keys should be rotated every 90 days or less](iam-controls.md#iam-3) 
+  [[IAM.4] IAM root user access key should not exist](iam-controls.md#iam-4) 
+  [[IAM.5] MFA should be enabled for all IAM users that have a console password](iam-controls.md#iam-5) 
+  [[IAM.6] Hardware MFA should be enabled for the root user](iam-controls.md#iam-6) 
+  [[IAM.7] Password policies for IAM users should have strong configurations](iam-controls.md#iam-7) 
+  [[IAM.8] Unused IAM user credentials should be removed](iam-controls.md#iam-8) 
+  [[IAM.9] MFA should be enabled for the root user](iam-controls.md#iam-9) 
+  [[IAM.10] Password policies for IAM users should have strong configurations](iam-controls.md#iam-10) 
+  [[IAM.11] Ensure IAM password policy requires at least one uppercase letter](iam-controls.md#iam-11) 
+  [[IAM.12] Ensure IAM password policy requires at least one lowercase letter](iam-controls.md#iam-12) 
+  [[IAM.13] Ensure IAM password policy requires at least one symbol](iam-controls.md#iam-13) 
+  [[IAM.14] Ensure IAM password policy requires at least one number](iam-controls.md#iam-14) 
+  [[IAM.15] Ensure IAM password policy requires minimum password length of 14 or greater](iam-controls.md#iam-15) 
+  [[IAM.16] Ensure IAM password policy prevents password reuse](iam-controls.md#iam-16) 
+  [[IAM.17] Ensure IAM password policy expires passwords within 90 days or less](iam-controls.md#iam-17) 
+  [[IAM.18] Ensure a support role has been created to manage incidents with AWS Support](iam-controls.md#iam-18) 
+  [[IAM.19] MFA should be enabled for all IAM users](iam-controls.md#iam-19) 
+  [[IAM.21] IAM customer managed policies that you create should not allow wildcard actions for services](iam-controls.md#iam-21) 
+  [[IAM.22] IAM user credentials unused for 45 days should be removed](iam-controls.md#iam-22) 
+  [[IAM.24] IAM roles should be tagged](iam-controls.md#iam-24) 
+  [[IAM.25] IAM users should be tagged](iam-controls.md#iam-25) 
+  [[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed](iam-controls.md#iam-26) 
+  [[IAM.27] IAM identities should not have the AWSCloudShellFullAccess policy attached](iam-controls.md#iam-27) 
+  [[IAM.28] IAM Access Analyzer external access analyzer should be enabled](iam-controls.md#iam-28) 
+  [[Inspector.1] Amazon Inspector EC2 scanning should be enabled](inspector-controls.md#inspector-1) 
+  [[Inspector.2] Amazon Inspector ECR scanning should be enabled](inspector-controls.md#inspector-2) 
+  [[Inspector.3] Amazon Inspector Lambda code scanning should be enabled](inspector-controls.md#inspector-3) 
+  [[Inspector.4] Amazon Inspector Lambda standard scanning should be enabled](inspector-controls.md#inspector-4) 
+  [[IoT.1] AWS IoT Device Defender security profiles should be tagged](iot-controls.md#iot-1) 
+  [[IoT.2] AWS IoT Core mitigation actions should be tagged](iot-controls.md#iot-2) 
+  [[IoT.3] AWS IoT Core dimensions should be tagged](iot-controls.md#iot-3) 
+  [[IoT.4] AWS IoT Core authorizers should be tagged](iot-controls.md#iot-4) 
+  [[IoT.5] AWS IoT Core role aliases should be tagged](iot-controls.md#iot-5) 
+  [[IoT.6] AWS IoT Core policies should be tagged](iot-controls.md#iot-6) 
+  [[IoTEvents.1] AWS IoT Events inputs should be tagged](iotevents-controls.md#iotevents-1) 
+  [[IoTEvents.2] AWS IoT Events detector models should be tagged](iotevents-controls.md#iotevents-2) 
+  [[IoTEvents.3] AWS IoT Events alarm models should be tagged](iotevents-controls.md#iotevents-3) 
+  [[IoTSiteWise.1] AWS IoT SiteWise asset models should be tagged](iotsitewise-controls.md#iotsitewise-1) 
+  [[IoTSiteWise.2] AWS IoT SiteWise dashboards should be tagged](iotsitewise-controls.md#iotsitewise-2) 
+  [[IoTSiteWise.3] AWS IoT SiteWise gateways should be tagged](iotsitewise-controls.md#iotsitewise-3) 
+  [[IoTSiteWise.4] AWS IoT SiteWise portals should be tagged](iotsitewise-controls.md#iotsitewise-4) 
+  [[IoTSiteWise.5] AWS IoT SiteWise projects should be tagged](iotsitewise-controls.md#iotsitewise-5) 
+  [[IoTTwinMaker.1] AWS IoT TwinMaker sync jobs should be tagged](iottwinmaker-controls.md#iottwinmaker-1) 
+  [[IoTTwinMaker.2] AWS IoT TwinMaker workspaces should be tagged](iottwinmaker-controls.md#iottwinmaker-2) 
+  [[IoTTwinMaker.3] AWS IoT TwinMaker scenes should be tagged](iottwinmaker-controls.md#iottwinmaker-3) 
+  [[IoTTwinMaker.4] AWS IoT TwinMaker entities should be tagged](iottwinmaker-controls.md#iottwinmaker-4) 
+  [[IoTWireless.1] AWS IoT Wireless multicast groups should be tagged](iotwireless-controls.md#iotwireless-1) 
+  [[IoTWireless.2] AWS IoT Wireless service profiles should be tagged](iotwireless-controls.md#iotwireless-2) 
+  [[IoTWireless.3] AWS IoT FUOTA tasks should be tagged](iotwireless-controls.md#iotwireless-3) 
+  [[IVS.1] IVS playback key pairs should be tagged](ivs-controls.md#ivs-1) 
+  [[IVS.2] IVS recording configurations should be tagged](ivs-controls.md#ivs-2) 
+  [[IVS.3] IVS channels should be tagged](ivs-controls.md#ivs-3) 
+  [[Keyspaces.1] Amazon Keyspaces keyspaces should be tagged](keyspaces-controls.md#keyspaces-1) 
+  [[Kinesis.1] Kinesis streams should be encrypted at rest](kinesis-controls.md#kinesis-1) 
+  [[Kinesis.3] Kinesis streams should have an adequate data retention period](kinesis-controls.md#kinesis-3) 
+  [[KMS.1] IAM customer managed policies should not allow decryption actions on all KMS keys](kms-controls.md#kms-1) 
+  [[KMS.2] IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys](kms-controls.md#kms-2) 
+  [[Lambda.5] VPC Lambda functions should operate in multiple Availability Zones](lambda-controls.md#lambda-5) 
+  [[Lambda.7] Lambda functions should have AWS X-Ray active tracing enabled](lambda-controls.md#lambda-7) 
+  [[Macie.1] Amazon Macie should be enabled](macie-controls.md#macie-1) 
+  [[MQ.2] ActiveMQ brokers should stream audit logs to CloudWatch](mq-controls.md#mq-2) 
+  [[MQ.4] Amazon MQ brokers should be tagged](mq-controls.md#mq-4) 
+  [[MQ.5] ActiveMQ brokers should use active/standby deployment mode](mq-controls.md#mq-5) 
+  [[MQ.6] RabbitMQ brokers should use cluster deployment mode](mq-controls.md#mq-6) 
+  [[MSK.1] MSK clusters should be encrypted in transit among broker nodes](msk-controls.md#msk-1) 
+  [[MSK.2] MSK clusters should have enhanced monitoring configured](msk-controls.md#msk-2) 
+  [[MSK.3] MSK Connect connectors should be encrypted in transit](msk-controls.md#msk-3) 
+  [[MSK.4] MSK clusters should have public access disabled](msk-controls.md#msk-4) 
+  [[MSK.5] MSK connectors should have logging enabled](msk-controls.md#msk-5) 
+  [[MSK.6] MSK clusters should disable unauthenticated access](msk-controls.md#msk-6) 
+  [[Neptune.3] Neptune DB cluster snapshots should not be public](neptune-controls.md#neptune-3) 
+  [[Neptune.6] Neptune DB cluster snapshots should be encrypted at rest](neptune-controls.md#neptune-6) 
+  [[NetworkFirewall.10] Network Firewall firewalls should have subnet change protection enabled](networkfirewall-controls.md#networkfirewall-10) 
+  [[Opensearch.1] OpenSearch domains should have encryption at rest enabled](opensearch-controls.md#opensearch-1) 
+  [[Opensearch.2] OpenSearch domains should not be publicly accessible](opensearch-controls.md#opensearch-2) 
+  [[Opensearch.3] OpenSearch domains should encrypt data sent between nodes](opensearch-controls.md#opensearch-3) 
+  [[Opensearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled](opensearch-controls.md#opensearch-4) 
+  [[Opensearch.5] OpenSearch domains should have audit logging enabled](opensearch-controls.md#opensearch-5) 
+  [[Opensearch.6] OpenSearch domains should have at least three data nodes](opensearch-controls.md#opensearch-6) 
+  [[Opensearch.7] OpenSearch domains should have fine-grained access control enabled](opensearch-controls.md#opensearch-7) 
+  [[Opensearch.8] Connections to OpenSearch domains should be encrypted using the latest TLS security policy](opensearch-controls.md#opensearch-8) 
+  [[Opensearch.9] OpenSearch domains should be tagged](opensearch-controls.md#opensearch-9) 
+  [[Opensearch.10] OpenSearch domains should have the latest software update installed](opensearch-controls.md#opensearch-10) 
+  [[Opensearch.11] OpenSearch domains should have at least three dedicated primary nodes](opensearch-controls.md#opensearch-11) 
+  [[RDS.1] RDS snapshot should be private](rds-controls.md#rds-1) 
+  [[RDS.4] RDS cluster snapshots and database snapshots should be encrypted at rest](rds-controls.md#rds-4) 
+  [[RDS.14] Amazon Aurora clusters should have backtracking enabled](rds-controls.md#rds-14) 
+  [[RDS.26] RDS DB instances should be protected by a backup plan](rds-controls.md#rds-26) 
+  [[RDS.29] RDS DB cluster snapshots should be tagged](rds-controls.md#rds-29) 
+  [[RDS.31] RDS DB security groups should be tagged](rds-controls.md#rds-31) 
+  [[RDS.35] RDS DB clusters should have automatic minor version upgrade enabled](rds-controls.md#rds-35) 
+  [[RDS.37] Aurora PostgreSQL DB clusters should publish logs to CloudWatch Logs](rds-controls.md#rds-37) 
+  [[Redshift.8] Amazon Redshift clusters should not use the default Admin username](redshift-controls.md#redshift-8) 
+  [[Redshift.18] Redshift clusters should have Multi-AZ deployments enabled](redshift-controls.md#redshift-18) 
+  [[RedshiftServerless.1] Amazon Redshift Serverless workgroups should use enhanced VPC routing](redshiftserverless-controls.md#redshiftserverless-1) 
+  [[RedshiftServerless.2] Connections to Redshift Serverless workgroups should be required to use SSL](redshiftserverless-controls.md#redshiftserverless-2) 
+  [[Route53.1] Route 53 health checks should be tagged](route53-controls.md#route53-1) 
+  [[Route53.2] Route 53 public hosted zones should log DNS queries](route53-controls.md#route53-2) 
+  [[S3.24] S3 Multi-Region Access Points should have block public access settings enabled](s3-controls.md#s3-24) 
+  [[S3.25] S3 directory buckets should have lifecycle configurations](s3-controls.md#s3-25) 
+  [[SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access](sagemaker-controls.md#sagemaker-1) 
+  [[SageMaker.2] SageMaker notebook instances should be launched in a custom VPC](sagemaker-controls.md#sagemaker-2) 
+  [[SageMaker.3] Users should not have root access to SageMaker notebook instances](sagemaker-controls.md#sagemaker-3) 
+  [[SageMaker.5] SageMaker models should have network isolation enabled](sagemaker-controls.md#sagemaker-5) 
+  [[SageMaker.9] SageMaker data quality job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-9) 
+  [[SageMaker.10] SageMaker model explainability job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-10) 
+  [[SageMaker.11] SageMaker data quality job definitions should have network isolation enabled](sagemaker-controls.md#sagemaker-11) 
+  [[SageMaker.12] SageMaker model bias job definitions should have network isolation enabled](sagemaker-controls.md#sagemaker-12) 
+  [[SageMaker.13] SageMaker model quality job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-13) 
+  [[SageMaker.14] SageMaker monitoring schedules should have network isolation enabled](sagemaker-controls.md#sagemaker-14) 
+  [[SageMaker.15] SageMaker model bias job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-15) 
+  [[ServiceCatalog.1] Service Catalog portfolios should be shared within an AWS organization only](servicecatalog-controls.md#servicecatalog-1) 
+  [[SQS.1] Amazon SQS queues should be encrypted at rest](sqs-controls.md#sqs-1) 
+  [[SQS.2] SQS queues should be tagged](sqs-controls.md#sqs-2) 
+  [[SQS.3] SQS queue access policies should not allow public access](sqs-controls.md#sqs-3) 
+  [[SSM.4] SSM documents should not be public](ssm-controls.md#ssm-4) 
+  [[SSM.6] SSM Automation should have CloudWatch logging enabled](ssm-controls.md#ssm-6) 
+  [[SSM.7] SSM documents should have the block public sharing setting enabled](ssm-controls.md#ssm-7) 
+  [[StepFunctions.1] Step Functions state machines should have logging turned on](stepfunctions-controls.md#stepfunctions-1) 
+  [[Transfer.3] Transfer Family connectors should have logging enabled](transfer-controls.md#transfer-3) 
+  [[Transfer.4] Transfer Family agreements should be tagged](transfer-controls.md#transfer-4) 
+  [[WAF.1] AWS WAF Classic Global Web ACL logging should be enabled](waf-controls.md#waf-1) 
+  [[WAF.3] AWS WAF Classic Regional rule groups should have at least one rule](waf-controls.md#waf-3) 
+  [[WAF.6] AWS WAF Classic global rules should have at least one condition](waf-controls.md#waf-6) 
+  [[WAF.7] AWS WAF Classic global rule groups should have at least one rule](waf-controls.md#waf-7) 
+  [[WAF.8] AWS WAF Classic global web ACLs should have at least one rule or rule group](waf-controls.md#waf-8) 
+  [[WorkSpaces.1] WorkSpaces user volumes should be encrypted at rest](workspaces-controls.md#workspaces-1) 
+  [[WorkSpaces.2] WorkSpaces root volumes should be encrypted at rest](workspaces-controls.md#workspaces-2) 

## Mexico (Central)
<a name="securityhub-control-support-mxcentral1"></a>

The following controls are not supported in the Mexico (Central) Region.
+  [[ACM.1] Imported and ACM-issued certificates should be renewed after a specified time period](acm-controls.md#acm-1) 
+  [[ACM.2] RSA certificates managed by ACM should use a key length of at least 2,048 bits](acm-controls.md#acm-2) 
+  [[Account.1] Security contact information should be provided for an AWS account](account-controls.md#account-1) 
+  [[Account.2] AWS accounts should be part of an AWS Organizations organization](account-controls.md#account-2) 
+  [[APIGateway.8] API Gateway routes should specify an authorization type](apigateway-controls.md#apigateway-8) 
+  [[APIGateway.9] Access logging should be configured for API Gateway V2 Stages](apigateway-controls.md#apigateway-9) 
+  [[APIGateway.10] API Gateway V2 integrations should use HTTPS for private connections](apigateway-controls.md#apigateway-10) 
+  [[Amplify.1] Amplify apps should be tagged](amplify-controls.md#amplify-1) 
+  [[Amplify.2] Amplify branches should be tagged](amplify-controls.md#amplify-2) 
+  [[AppConfig.1] AWS AppConfig applications should be tagged](appconfig-controls.md#appconfig-1) 
+  [[AppConfig.2] AWS AppConfig configuration profiles should be tagged](appconfig-controls.md#appconfig-2) 
+  [[AppConfig.3] AWS AppConfig environments should be tagged](appconfig-controls.md#appconfig-3) 
+  [[AppConfig.4] AWS AppConfig extension associations should be tagged](appconfig-controls.md#appconfig-4) 
+  [[AppFlow.1] Amazon AppFlow flows should be tagged](appflow-controls.md#appflow-1) 
+  [[AppRunner.1] App Runner services should be tagged](apprunner-controls.md#apprunner-1) 
+  [[AppRunner.2] App Runner VPC connectors should be tagged](apprunner-controls.md#apprunner-2) 
+  [[AppSync.1] AWS AppSync API caches should be encrypted at rest](appsync-controls.md#appsync-1) 
+  [[AppSync.2] AWS AppSync should have field-level logging enabled](appsync-controls.md#appsync-2) 
+  [[AppSync.4] AWS AppSync GraphQL APIs should be tagged](appsync-controls.md#appsync-4) 
+  [[AppSync.5] AWS AppSync GraphQL APIs should not be authenticated with API keys](appsync-controls.md#appsync-5) 
+  [[AppSync.6] AWS AppSync API caches should be encrypted in transit](appsync-controls.md#appsync-6) 
+  [[Athena.4] Athena workgroups should have logging enabled](athena-controls.md#athena-4) 
+  [[AutoScaling.2] Amazon EC2 Auto Scaling group should cover multiple Availability Zones](autoscaling-controls.md#autoscaling-2) 
+  [[AutoScaling.3] Auto Scaling group launch configurations should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2)](autoscaling-controls.md#autoscaling-3) 
+  [[AutoScaling.6] Auto Scaling groups should use multiple instance types in multiple Availability Zones](autoscaling-controls.md#autoscaling-6) 
+  [[AutoScaling.9] Amazon EC2 Auto Scaling groups should use Amazon EC2 launch templates](autoscaling-controls.md#autoscaling-9) 
+  [[Backup.1] AWS Backup recovery points should be encrypted at rest](backup-controls.md#backup-1) 
+  [[Backup.2] AWS Backup recovery points should be tagged](backup-controls.md#backup-2) 
+  [[Backup.4] AWS Backup report plans should be tagged](backup-controls.md#backup-4) 
+  [[Batch.1] Batch job queues should be tagged](batch-controls.md#batch-1) 
+  [[Batch.2] Batch scheduling policies should be tagged](batch-controls.md#batch-2) 
+  [[Batch.3] Batch compute environments should be tagged](batch-controls.md#batch-3) 
+  [[Batch.4] Compute resources properties in managed Batch compute environments should be tagged](batch-controls.md#batch-4) 
+  [[CloudFormation.3] CloudFormation stacks should have termination protection enabled](cloudformation-controls.md#cloudformation-3) 
+  [[CloudFormation.4] CloudFormation stacks should have associated service roles](cloudformation-controls.md#cloudformation-4) 
+  [[CloudFront.1] CloudFront distributions should have a default root object configured](cloudfront-controls.md#cloudfront-1) 
+  [[CloudFront.3] CloudFront distributions should require encryption in transit](cloudfront-controls.md#cloudfront-3) 
+  [[CloudFront.4] CloudFront distributions should have origin failover configured](cloudfront-controls.md#cloudfront-4) 
+  [[CloudFront.5] CloudFront distributions should have logging enabled](cloudfront-controls.md#cloudfront-5) 
+  [[CloudFront.6] CloudFront distributions should have WAF enabled](cloudfront-controls.md#cloudfront-6) 
+  [[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates](cloudfront-controls.md#cloudfront-7) 
+  [[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests](cloudfront-controls.md#cloudfront-8) 
+  [[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins](cloudfront-controls.md#cloudfront-9) 
+  [[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins](cloudfront-controls.md#cloudfront-10) 
+  [[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins](cloudfront-controls.md#cloudfront-12) 
+  [[CloudFront.13] CloudFront distributions should use origin access control](cloudfront-controls.md#cloudfront-13) 
+  [[CloudFront.14] CloudFront distributions should be tagged](cloudfront-controls.md#cloudfront-14) 
+  [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](cloudfront-controls.md#cloudfront-15) 
+  [[CloudFront.16] CloudFront distributions should use origin access control for Lambda function URL origins](cloudfront-controls.md#cloudfront-16) 
+  [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](cloudfront-controls.md#cloudfront-17) 
+  [[CloudTrail.6] Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible](cloudtrail-controls.md#cloudtrail-6) 
+  [[CloudTrail.7] Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket](cloudtrail-controls.md#cloudtrail-7) 
+  [[CloudTrail.10] CloudTrail Lake event data stores should be encrypted with customer managed AWS KMS keys](cloudtrail-controls.md#cloudtrail-10) 
+  [[CloudWatch.17] CloudWatch alarm actions should be activated](cloudwatch-controls.md#cloudwatch-17) 
+  [[CodeArtifact.1] CodeArtifact repositories should be tagged](codeartifact-controls.md#codeartifact-1) 
+  [[CodeBuild.1] CodeBuild Bitbucket source repository URLs should not contain sensitive credentials](codebuild-controls.md#codebuild-1) 
+  [[CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials](codebuild-controls.md#codebuild-2) 
+  [[CodeBuild.3] CodeBuild S3 logs should be encrypted](codebuild-controls.md#codebuild-3) 
+  [[CodeBuild.4] CodeBuild project environments should have a logging AWS Configuration](codebuild-controls.md#codebuild-4) 
+  [[CodeBuild.7] CodeBuild report group exports should be encrypted at rest](codebuild-controls.md#codebuild-7) 
+  [[CodeGuruProfiler.1] CodeGuru Profiler profiling groups should be tagged](codeguruprofiler-controls.md#codeguruprofiler-1) 
+  [[CodeGuruReviewer.1] CodeGuru Reviewer repository associations should be tagged](codegurureviewer-controls.md#codegurureviewer-1) 
+  [[Cognito.1] Cognito user pools should have threat protection activated with full function enforcement mode for standard authentication](cognito-controls.md#cognito-1) 
+  [[Cognito.2] Cognito identity pools should not allow unauthenticated identities](cognito-controls.md#cognito-2) 
+  [[Cognito.3] Password policies for Cognito user pools should have strong configurations](cognito-controls.md#cognito-3) 
+  [[Cognito.4] Cognito user pools should have threat protection activated with full function enforcement mode for custom authentication](cognito-controls.md#cognito-4) 
+  [[Cognito.5] MFA should be enabled for Cognito user pools](cognito-controls.md#cognito-5) 
+  [[Cognito.6] Cognito user pools should have deletion protection enabled](cognito-controls.md#cognito-6) 
+  [[Connect.1] Amazon Connect Customer Profiles object types should be tagged](connect-controls.md#connect-1) 
+  [[Connect.2] Amazon Connect instances should have CloudWatch logging enabled](connect-controls.md#connect-2) 
+  [[DataFirehose.1] Firehose delivery streams should be encrypted at rest](datafirehose-controls.md#datafirehose-1) 
+  [[DataSync.1] DataSync tasks should have logging enabled](datasync-controls.md#datasync-1) 
+  [[DataSync.2] DataSync tasks should be tagged](datasync-controls.md#datasync-2) 
+  [[Detective.1] Detective behavior graphs should be tagged](detective-controls.md#detective-1) 
+  [[DMS.2] DMS certificates should be tagged](dms-controls.md#dms-2) 
+  [[DMS.3] DMS event subscriptions should be tagged](dms-controls.md#dms-3) 
+  [[DMS.4] DMS replication instances should be tagged](dms-controls.md#dms-4) 
+  [[DMS.5] DMS replication subnet groups should be tagged](dms-controls.md#dms-5) 
+  [[DMS.6] DMS replication instances should have automatic minor version upgrade enabled](dms-controls.md#dms-6) 
+  [[DMS.7] DMS replication tasks for the target database should have logging enabled](dms-controls.md#dms-7) 
+  [[DMS.8] DMS replication tasks for the source database should have logging enabled](dms-controls.md#dms-8) 
+  [[DMS.9] DMS endpoints should use SSL](dms-controls.md#dms-9) 
+  [[DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled](dms-controls.md#dms-10) 
+  [[DMS.11] DMS endpoints for MongoDB should have an authentication mechanism enabled](dms-controls.md#dms-11) 
+  [[DMS.12] DMS endpoints for Redis OSS should have TLS enabled](dms-controls.md#dms-12) 
+  [[DMS.13] DMS replication instances should be configured to use multiple Availability Zones](dms-controls.md#dms-13) 
+  [[DocumentDB.1] Amazon DocumentDB clusters should be encrypted at rest](documentdb-controls.md#documentdb-1) 
+  [[DocumentDB.2] Amazon DocumentDB clusters should have an adequate backup retention period](documentdb-controls.md#documentdb-2) 
+  [[DocumentDB.3] Amazon DocumentDB manual cluster snapshots should not be public](documentdb-controls.md#documentdb-3) 
+  [[DocumentDB.4] Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs](documentdb-controls.md#documentdb-4) 
+  [[DocumentDB.5] Amazon DocumentDB clusters should have deletion protection enabled](documentdb-controls.md#documentdb-5) 
+  [[DocumentDB.6] Amazon DocumentDB clusters should be encrypted in transit](documentdb-controls.md#documentdb-6) 
+  [[DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest](dynamodb-controls.md#dynamodb-3) 
+  [[DynamoDB.4] DynamoDB tables should be present in a backup plan](dynamodb-controls.md#dynamodb-4) 
+  [[DynamoDB.6] DynamoDB tables should have deletion protection enabled](dynamodb-controls.md#dynamodb-6) 
+  [[DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit](dynamodb-controls.md#dynamodb-7) 
+  [[EC2.4] Stopped EC2 instances should be removed after a specified time period](ec2-controls.md#ec2-4) 
+  [[EC2.21] Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389](ec2-controls.md#ec2-21) 
+  [[EC2.22] Unused Amazon EC2 security groups should be removed](ec2-controls.md#ec2-22) 
+  [[EC2.23] Amazon EC2 Transit Gateways should not automatically accept VPC attachment requests](ec2-controls.md#ec2-23) 
+  [[EC2.24] Amazon EC2 paravirtual instance types should not be used](ec2-controls.md#ec2-24) 
+  [[EC2.25] Amazon EC2 launch templates should not assign public IPs to network interfaces](ec2-controls.md#ec2-25) 
+  [[EC2.28] EBS volumes should be covered by a backup plan](ec2-controls.md#ec2-28) 
+  [[EC2.34] EC2 transit gateway route tables should be tagged](ec2-controls.md#ec2-34) 
+  [[EC2.40] EC2 NAT gateways should be tagged](ec2-controls.md#ec2-40) 
+  [[EC2.51] EC2 Client VPN endpoints should have client connection logging enabled](ec2-controls.md#ec2-51) 
+  [[EC2.53] EC2 security groups should not allow ingress from 0.0.0.0/0 to remote server administration ports](ec2-controls.md#ec2-53) 
+  [[EC2.54] EC2 security groups should not allow ingress from ::/0 to remote server administration ports](ec2-controls.md#ec2-54) 
+  [[EC2.55] VPCs should be configured with an interface endpoint for ECR API](ec2-controls.md#ec2-55) 
+  [[EC2.56] VPCs should be configured with an interface endpoint for Docker Registry](ec2-controls.md#ec2-56) 
+  [[EC2.57] VPCs should be configured with an interface endpoint for Systems Manager](ec2-controls.md#ec2-57) 
+  [[EC2.58] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager Contacts](ec2-controls.md#ec2-58) 
+  [[EC2.60] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager](ec2-controls.md#ec2-60) 
+  [[EC2.170] EC2 launch templates should use Instance Metadata Service Version 2 (IMDSv2)](ec2-controls.md#ec2-170) 
+  [[EC2.171] EC2 VPN connections should have logging enabled](ec2-controls.md#ec2-171) 
+  [[EC2.172] EC2 VPC Block Public Access settings should block internet gateway traffic](ec2-controls.md#ec2-172) 
+  [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](ec2-controls.md#ec2-173) 
+  [[EC2.174] EC2 DHCP option sets should be tagged](ec2-controls.md#ec2-174) 
+  [[EC2.175] EC2 launch templates should be tagged](ec2-controls.md#ec2-175) 
+  [[EC2.176] EC2 prefix lists should be tagged](ec2-controls.md#ec2-176) 
+  [[EC2.177] EC2 traffic mirror sessions should be tagged](ec2-controls.md#ec2-177) 
+  [[EC2.178] EC2 traffic mirror filters should be tagged](ec2-controls.md#ec2-178) 
+  [[EC2.179] EC2 traffic mirror targets should be tagged](ec2-controls.md#ec2-179) 
+  [[EC2.180] EC2 network interfaces should have source/destination checking enabled](ec2-controls.md#ec2-180) 
+  [[EC2.181] EC2 launch templates should enable encryption for attached EBS volumes](ec2-controls.md#ec2-181) 
+  [[EC2.182] Block public access settings should be enabled for Amazon EBS snapshots](ec2-controls.md#ec2-182) 
+  [[ECR.1] ECR private repositories should have image scanning configured](ecr-controls.md#ecr-1) 
+  [[ECR.2] ECR private repositories should have tag immutability configured](ecr-controls.md#ecr-2) 
+  [[ECR.3] ECR repositories should have at least one lifecycle policy configured](ecr-controls.md#ecr-3) 
+  [[ECR.4] ECR public repositories should be tagged](ecr-controls.md#ecr-4) 
+  [[ECR.5] ECR repositories should be encrypted with customer managed AWS KMS keys](ecr-controls.md#ecr-5) 
+  [[ECS.3] ECS task definitions should not share the host's process namespace](ecs-controls.md#ecs-3) 
+  [[ECS.4] ECS containers should run as non-privileged](ecs-controls.md#ecs-4) 
+  [[ECS.5] ECS task definitions should configure containers to be limited to read-only access to root filesystems](ecs-controls.md#ecs-5) 
+  [[ECS.8] Secrets should not be passed as container environment variables](ecs-controls.md#ecs-8) 
+  [[ECS.9] ECS task definitions should have a logging configuration](ecs-controls.md#ecs-9) 
+  [[ECS.10] ECS Fargate services should run on the latest Fargate platform version](ecs-controls.md#ecs-10) 
+  [[ECS.12] ECS clusters should use Container Insights](ecs-controls.md#ecs-12) 
+  [[ECS.16] ECS task sets should not automatically assign public IP addresses](ecs-controls.md#ecs-16) 
+  [[ECS.17] ECS task definitions should not use host network mode](ecs-controls.md#ecs-17) 
+  [[ECS.18] ECS Task Definitions should use in-transit encryption for EFS volumes](ecs-controls.md#ecs-18) 
+  [[ECS.19] ECS capacity providers should have managed termination protection enabled](ecs-controls.md#ecs-19) 
+  [[ECS.20] ECS Task Definitions should configure non-root users in Linux container definitions](ecs-controls.md#ecs-20) 
+  [[ECS.21] ECS Task Definitions should configure non-administrator users in Windows container definitions](ecs-controls.md#ecs-21) 
+  [[EFS.1] Elastic File System should be configured to encrypt file data at-rest using AWS KMS](efs-controls.md#efs-1) 
+  [[EFS.2] Amazon EFS volumes should be in backup plans](efs-controls.md#efs-2) 
+  [[EFS.3] EFS access points should enforce a root directory](efs-controls.md#efs-3) 
+  [[EFS.4] EFS access points should enforce a user identity](efs-controls.md#efs-4) 
+  [[EFS.6] EFS mount targets should not be associated with subnets that assign public IP addresses on launch](efs-controls.md#efs-6) 
+  [[EFS.7] EFS file systems should have automatic backups enabled](efs-controls.md#efs-7) 
+  [[EFS.8] EFS file systems should be encrypted at rest](efs-controls.md#efs-8) 
+  [[EKS.2] EKS clusters should run on a supported Kubernetes version](eks-controls.md#eks-2) 
+  [[EKS.3] EKS clusters should use encrypted Kubernetes secrets](eks-controls.md#eks-3) 
+  [[EKS.7] EKS identity provider configurations should be tagged](eks-controls.md#eks-7) 
+  [[EKS.8] EKS clusters should have audit logging enabled](eks-controls.md#eks-8) 
+  [[ELB.10] Classic Load Balancer should span multiple Availability Zones](elb-controls.md#elb-10) 
+  [[ELB.12] Application Load Balancer should be configured with defensive or strictest desync mitigation mode](elb-controls.md#elb-12) 
+  [[ELB.13] Application, Network and Gateway Load Balancers should span multiple Availability Zones](elb-controls.md#elb-13) 
+  [[ELB.14] Classic Load Balancer should be configured with defensive or strictest desync mitigation mode](elb-controls.md#elb-14) 
+  [[ELB.17] Application and Network Load Balancers with listeners should use recommended security policies](elb-controls.md#elb-17) 
+  [[ELB.18] Application and Network Load Balancer listeners should use secure protocols to encrypt data in transit](elb-controls.md#elb-18) 
+  [[ElastiCache.1] ElastiCache (Redis OSS) clusters should have automatic backups enabled](elasticache-controls.md#elasticache-1) 
+  [[ElastiCache.2] ElastiCache clusters should have automatic minor version upgrades enabled](elasticache-controls.md#elasticache-2) 
+  [[ElastiCache.3] ElastiCache replication groups should have automatic failover enabled](elasticache-controls.md#elasticache-3) 
+  [[ElastiCache.4] ElastiCache replication groups should be encrypted at rest](elasticache-controls.md#elasticache-4) 
+  [[ElastiCache.5] ElastiCache replication groups should be encrypted in transit](elasticache-controls.md#elasticache-5) 
+  [[ElastiCache.6] ElastiCache (Redis OSS) replication groups of earlier versions should have Redis OSS AUTH enabled](elasticache-controls.md#elasticache-6) 
+  [[ElastiCache.7] ElastiCache clusters should not use the default subnet group](elasticache-controls.md#elasticache-7) 
+  [[ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled](elasticbeanstalk-controls.md#elasticbeanstalk-1) 
+  [[ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled](elasticbeanstalk-controls.md#elasticbeanstalk-2) 
+  [[ElasticBeanstalk.3] Elastic Beanstalk should stream logs to CloudWatch](elasticbeanstalk-controls.md#elasticbeanstalk-3) 
+  [[EMR.1] Amazon EMR cluster primary nodes should not have public IP addresses](emr-controls.md#emr-1) 
+  [[EMR.2] Amazon EMR block public access setting should be enabled](emr-controls.md#emr-2) 
+  [[EMR.3] Amazon EMR security configurations should be encrypted at rest](emr-controls.md#emr-3) 
+  [[EMR.4] Amazon EMR security configurations should be encrypted in transit](emr-controls.md#emr-4) 
+  [[ES.3] Elasticsearch domains should encrypt data sent between nodes](es-controls.md#es-3) 
+  [[ES.4] Elasticsearch domain error logging to CloudWatch Logs should be enabled](es-controls.md#es-4) 
+  [[ES.9] Elasticsearch domains should be tagged](es-controls.md#es-9) 
+  [[EventBridge.3] EventBridge custom event buses should have a resource-based policy attached](eventbridge-controls.md#eventbridge-3) 
+  [[EventBridge.4] EventBridge global endpoints should have event replication enabled](eventbridge-controls.md#eventbridge-4) 
+  [[FraudDetector.1] Amazon Fraud Detector entity types should be tagged](frauddetector-controls.md#frauddetector-1) 
+  [[FraudDetector.2] Amazon Fraud Detector labels should be tagged](frauddetector-controls.md#frauddetector-2) 
+  [[FraudDetector.3] Amazon Fraud Detector outcomes should be tagged](frauddetector-controls.md#frauddetector-3) 
+  [[FraudDetector.4] Amazon Fraud Detector variables should be tagged](frauddetector-controls.md#frauddetector-4) 
+  [[FSx.1] FSx for OpenZFS file systems should be configured to copy tags to backups and volumes](fsx-controls.md#fsx-1) 
+  [[FSx.2] FSx for Lustre file systems should be configured to copy tags to backups](fsx-controls.md#fsx-2) 
+  [[FSx.3] FSx for OpenZFS file systems should be configured for Multi-AZ deployment](fsx-controls.md#fsx-3) 
+  [[FSx.4] FSx for NetApp ONTAP file systems should be configured for Multi-AZ deployment](fsx-controls.md#fsx-4) 
+  [[FSx.5] FSx for Windows File Server file systems should be configured for Multi-AZ deployment](fsx-controls.md#fsx-5) 
+  [[GlobalAccelerator.1] Global Accelerator accelerators should be tagged](globalaccelerator-controls.md#globalaccelerator-1) 
+  [[Glue.1] AWS Glue jobs should be tagged](glue-controls.md#glue-1) 
+  [[Glue.3] AWS Glue machine learning transforms should be encrypted at rest](glue-controls.md#glue-3) 
+  [[Glue.4] AWS Glue Spark jobs should run on supported versions of AWS Glue](glue-controls.md#glue-4) 
+  [[GuardDuty.1] GuardDuty should be enabled](guardduty-controls.md#guardduty-1) 
+  [[GuardDuty.2] GuardDuty filters should be tagged](guardduty-controls.md#guardduty-2) 
+  [[GuardDuty.5] GuardDuty EKS Audit Log Monitoring should be enabled](guardduty-controls.md#guardduty-5) 
+  [[GuardDuty.6] GuardDuty Lambda Protection should be enabled](guardduty-controls.md#guardduty-6) 
+  [[GuardDuty.7] GuardDuty EKS Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-7) 
+  [[GuardDuty.8] GuardDuty Malware Protection for EC2 should be enabled](guardduty-controls.md#guardduty-8) 
+  [[GuardDuty.9] GuardDuty RDS Protection should be enabled](guardduty-controls.md#guardduty-9) 
+  [[GuardDuty.10] GuardDuty S3 Protection should be enabled](guardduty-controls.md#guardduty-10) 
+  [[GuardDuty.11] GuardDuty Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-11) 
+  [[GuardDuty.12] GuardDuty ECS Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-12) 
+  [[GuardDuty.13] GuardDuty EC2 Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-13) 
+  [[IAM.1] IAM policies should not allow full "*" administrative privileges](iam-controls.md#iam-1) 
+  [[IAM.2] IAM users should not have IAM policies attached](iam-controls.md#iam-2) 
+  [[IAM.3] IAM users' access keys should be rotated every 90 days or less](iam-controls.md#iam-3) 
+  [[IAM.4] IAM root user access key should not exist](iam-controls.md#iam-4) 
+  [[IAM.5] MFA should be enabled for all IAM users that have a console password](iam-controls.md#iam-5) 
+  [[IAM.6] Hardware MFA should be enabled for the root user](iam-controls.md#iam-6) 
+  [[IAM.7] Password policies for IAM users should have strong configurations](iam-controls.md#iam-7) 
+  [[IAM.8] Unused IAM user credentials should be removed](iam-controls.md#iam-8) 
+  [[IAM.9] MFA should be enabled for the root user](iam-controls.md#iam-9) 
+  [[IAM.10] Password policies for IAM users should have strong configurations](iam-controls.md#iam-10) 
+  [[IAM.11] Ensure IAM password policy requires at least one uppercase letter](iam-controls.md#iam-11) 
+  [[IAM.12] Ensure IAM password policy requires at least one lowercase letter](iam-controls.md#iam-12) 
+  [[IAM.13] Ensure IAM password policy requires at least one symbol](iam-controls.md#iam-13) 
+  [[IAM.14] Ensure IAM password policy requires at least one number](iam-controls.md#iam-14) 
+  [[IAM.15] Ensure IAM password policy requires minimum password length of 14 or greater](iam-controls.md#iam-15) 
+  [[IAM.16] Ensure IAM password policy prevents password reuse](iam-controls.md#iam-16) 
+  [[IAM.17] Ensure IAM password policy expires passwords within 90 days or less](iam-controls.md#iam-17) 
+  [[IAM.18] Ensure a support role has been created to manage incidents with AWS Support](iam-controls.md#iam-18) 
+  [[IAM.19] MFA should be enabled for all IAM users](iam-controls.md#iam-19) 
+  [[IAM.21] IAM customer managed policies that you create should not allow wildcard actions for services](iam-controls.md#iam-21) 
+  [[IAM.22] IAM user credentials unused for 45 days should be removed](iam-controls.md#iam-22) 
+  [[IAM.24] IAM roles should be tagged](iam-controls.md#iam-24) 
+  [[IAM.25] IAM users should be tagged](iam-controls.md#iam-25) 
+  [[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed](iam-controls.md#iam-26) 
+  [[IAM.27] IAM identities should not have the AWSCloudShellFullAccess policy attached](iam-controls.md#iam-27) 
+  [[IAM.28] IAM Access Analyzer external access analyzer should be enabled](iam-controls.md#iam-28) 
+  [[Inspector.1] Amazon Inspector EC2 scanning should be enabled](inspector-controls.md#inspector-1) 
+  [[Inspector.2] Amazon Inspector ECR scanning should be enabled](inspector-controls.md#inspector-2) 
+  [[Inspector.3] Amazon Inspector Lambda code scanning should be enabled](inspector-controls.md#inspector-3) 
+  [[Inspector.4] Amazon Inspector Lambda standard scanning should be enabled](inspector-controls.md#inspector-4) 
+  [[IoT.1] AWS IoT Device Defender security profiles should be tagged](iot-controls.md#iot-1) 
+  [[IoT.2] AWS IoT Core mitigation actions should be tagged](iot-controls.md#iot-2) 
+  [[IoT.3] AWS IoT Core dimensions should be tagged](iot-controls.md#iot-3) 
+  [[IoT.4] AWS IoT Core authorizers should be tagged](iot-controls.md#iot-4) 
+  [[IoT.5] AWS IoT Core role aliases should be tagged](iot-controls.md#iot-5) 
+  [[IoT.6] AWS IoT Core policies should be tagged](iot-controls.md#iot-6) 
+  [[IoTEvents.1] AWS IoT Events inputs should be tagged](iotevents-controls.md#iotevents-1) 
+  [[IoTEvents.2] AWS IoT Events detector models should be tagged](iotevents-controls.md#iotevents-2) 
+  [[IoTEvents.3] AWS IoT Events alarm models should be tagged](iotevents-controls.md#iotevents-3) 
+  [[IoTSiteWise.1] AWS IoT SiteWise asset models should be tagged](iotsitewise-controls.md#iotsitewise-1) 
+  [[IoTSiteWise.2] AWS IoT SiteWise dashboards should be tagged](iotsitewise-controls.md#iotsitewise-2) 
+  [[IoTSiteWise.3] AWS IoT SiteWise gateways should be tagged](iotsitewise-controls.md#iotsitewise-3) 
+  [[IoTSiteWise.4] AWS IoT SiteWise portals should be tagged](iotsitewise-controls.md#iotsitewise-4) 
+  [[IoTSiteWise.5] AWS IoT SiteWise projects should be tagged](iotsitewise-controls.md#iotsitewise-5) 
+  [[IoTTwinMaker.1] AWS IoT TwinMaker sync jobs should be tagged](iottwinmaker-controls.md#iottwinmaker-1) 
+  [[IoTTwinMaker.2] AWS IoT TwinMaker workspaces should be tagged](iottwinmaker-controls.md#iottwinmaker-2) 
+  [[IoTTwinMaker.3] AWS IoT TwinMaker scenes should be tagged](iottwinmaker-controls.md#iottwinmaker-3) 
+  [[IoTTwinMaker.4] AWS IoT TwinMaker entities should be tagged](iottwinmaker-controls.md#iottwinmaker-4) 
+  [[IoTWireless.1] AWS IoT Wireless multicast groups should be tagged](iotwireless-controls.md#iotwireless-1) 
+  [[IoTWireless.2] AWS IoT Wireless service profiles should be tagged](iotwireless-controls.md#iotwireless-2) 
+  [[IoTWireless.3] AWS IoT FUOTA tasks should be tagged](iotwireless-controls.md#iotwireless-3) 
+  [[IVS.1] IVS playback key pairs should be tagged](ivs-controls.md#ivs-1) 
+  [[IVS.2] IVS recording configurations should be tagged](ivs-controls.md#ivs-2) 
+  [[IVS.3] IVS channels should be tagged](ivs-controls.md#ivs-3) 
+  [[Keyspaces.1] Amazon Keyspaces keyspaces should be tagged](keyspaces-controls.md#keyspaces-1) 
+  [[Kinesis.1] Kinesis streams should be encrypted at rest](kinesis-controls.md#kinesis-1) 
+  [[Kinesis.3] Kinesis streams should have an adequate data retention period](kinesis-controls.md#kinesis-3) 
+  [[KMS.1] IAM customer managed policies should not allow decryption actions on all KMS keys](kms-controls.md#kms-1) 
+  [[KMS.2] IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys](kms-controls.md#kms-2) 
+  [[KMS.5] KMS keys should not be publicly accessible](kms-controls.md#kms-5) 
+  [[Lambda.5] VPC Lambda functions should operate in multiple Availability Zones](lambda-controls.md#lambda-5) 
+  [[Lambda.7] Lambda functions should have AWS X-Ray active tracing enabled](lambda-controls.md#lambda-7) 
+  [[Macie.1] Amazon Macie should be enabled](macie-controls.md#macie-1) 
+  [[Macie.2] Macie automated sensitive data discovery should be enabled](macie-controls.md#macie-2) 
+  [[MQ.2] ActiveMQ brokers should stream audit logs to CloudWatch](mq-controls.md#mq-2) 
+  [[MQ.4] Amazon MQ brokers should be tagged](mq-controls.md#mq-4) 
+  [[MQ.5] ActiveMQ brokers should use active/standby deployment mode](mq-controls.md#mq-5) 
+  [[MQ.6] RabbitMQ brokers should use cluster deployment mode](mq-controls.md#mq-6) 
+  [[MSK.1] MSK clusters should be encrypted in transit among broker nodes](msk-controls.md#msk-1) 
+  [[MSK.2] MSK clusters should have enhanced monitoring configured](msk-controls.md#msk-2) 
+  [[MSK.3] MSK Connect connectors should be encrypted in transit](msk-controls.md#msk-3) 
+  [[MSK.4] MSK clusters should have public access disabled](msk-controls.md#msk-4) 
+  [[MSK.5] MSK connectors should have logging enabled](msk-controls.md#msk-5) 
+  [[MSK.6] MSK clusters should disable unauthenticated access](msk-controls.md#msk-6) 
+  [[Neptune.1] Neptune DB clusters should be encrypted at rest](neptune-controls.md#neptune-1) 
+  [[Neptune.2] Neptune DB clusters should publish audit logs to CloudWatch Logs](neptune-controls.md#neptune-2) 
+  [[Neptune.3] Neptune DB cluster snapshots should not be public](neptune-controls.md#neptune-3) 
+  [[Neptune.4] Neptune DB clusters should have deletion protection enabled](neptune-controls.md#neptune-4) 
+  [[Neptune.5] Neptune DB clusters should have automated backups enabled](neptune-controls.md#neptune-5) 
+  [[Neptune.6] Neptune DB cluster snapshots should be encrypted at rest](neptune-controls.md#neptune-6) 
+  [[Neptune.7] Neptune DB clusters should have IAM database authentication enabled](neptune-controls.md#neptune-7) 
+  [[Neptune.8] Neptune DB clusters should be configured to copy tags to snapshots](neptune-controls.md#neptune-8) 
+  [[Neptune.9] Neptune DB clusters should be deployed across multiple Availability Zones](neptune-controls.md#neptune-9) 
+  [[NetworkFirewall.1] Network Firewall firewalls should be deployed across multiple Availability Zones](networkfirewall-controls.md#networkfirewall-1) 
+  [[NetworkFirewall.2] Network Firewall logging should be enabled](networkfirewall-controls.md#networkfirewall-2) 
+  [[NetworkFirewall.3] Network Firewall policies should have at least one rule group associated](networkfirewall-controls.md#networkfirewall-3) 
+  [[NetworkFirewall.4] The default stateless action for Network Firewall policies should be drop or forward for full packets](networkfirewall-controls.md#networkfirewall-4) 
+  [[NetworkFirewall.5] The default stateless action for Network Firewall policies should be drop or forward for fragmented packets](networkfirewall-controls.md#networkfirewall-5) 
+  [[NetworkFirewall.6] Stateless Network Firewall rule group should not be empty](networkfirewall-controls.md#networkfirewall-6) 
+  [[NetworkFirewall.9] Network Firewall firewalls should have deletion protection enabled](networkfirewall-controls.md#networkfirewall-9) 
+  [[NetworkFirewall.10] Network Firewall firewalls should have subnet change protection enabled](networkfirewall-controls.md#networkfirewall-10) 
+  [[Opensearch.1] OpenSearch domains should have encryption at rest enabled](opensearch-controls.md#opensearch-1) 
+  [[Opensearch.2] OpenSearch domains should not be publicly accessible](opensearch-controls.md#opensearch-2) 
+  [[Opensearch.3] OpenSearch domains should encrypt data sent between nodes](opensearch-controls.md#opensearch-3) 
+  [[Opensearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled](opensearch-controls.md#opensearch-4) 
+  [[Opensearch.5] OpenSearch domains should have audit logging enabled](opensearch-controls.md#opensearch-5) 
+  [[Opensearch.6] OpenSearch domains should have at least three data nodes](opensearch-controls.md#opensearch-6) 
+  [[Opensearch.7] OpenSearch domains should have fine-grained access control enabled](opensearch-controls.md#opensearch-7) 
+  [[Opensearch.8] Connections to OpenSearch domains should be encrypted using the latest TLS security policy](opensearch-controls.md#opensearch-8) 
+  [[Opensearch.9] OpenSearch domains should be tagged](opensearch-controls.md#opensearch-9) 
+  [[Opensearch.10] OpenSearch domains should have the latest software update installed](opensearch-controls.md#opensearch-10) 
+  [[Opensearch.11] OpenSearch domains should have at least three dedicated primary nodes](opensearch-controls.md#opensearch-11) 
+  [[PCA.1] AWS Private CA root certificate authority should be disabled](pca-controls.md#pca-1) 
+  [[PCA.2] AWS Private CA certificate authorities should be tagged](pca-controls.md#pca-2) 
+  [[RDS.14] Amazon Aurora clusters should have backtracking enabled](rds-controls.md#rds-14) 
+  [[RDS.18] RDS instances should be deployed in a VPC](rds-controls.md#rds-18) 
+  [[RDS.24] RDS Database clusters should use a custom administrator username](rds-controls.md#rds-24) 
+  [[RDS.25] RDS database instances should use a custom administrator username](rds-controls.md#rds-25) 
+  [[RDS.26] RDS DB instances should be protected by a backup plan](rds-controls.md#rds-26) 
+  [[RDS.27] RDS DB clusters should be encrypted at rest](rds-controls.md#rds-27) 
+  [[RDS.31] RDS DB security groups should be tagged](rds-controls.md#rds-31) 
+  [[RDS.34] Aurora MySQL DB clusters should publish audit logs to CloudWatch Logs](rds-controls.md#rds-34) 
+  [[RDS.35] RDS DB clusters should have automatic minor version upgrade enabled](rds-controls.md#rds-35) 
+  [[RDS.36] RDS for PostgreSQL DB instances should publish logs to CloudWatch Logs](rds-controls.md#rds-36) 
+  [[RDS.37] Aurora PostgreSQL DB clusters should publish logs to CloudWatch Logs](rds-controls.md#rds-37) 
+  [[RDS.38] RDS for PostgreSQL DB instances should be encrypted in transit](rds-controls.md#rds-38) 
+  [[RDS.39] RDS for MySQL DB instances should be encrypted in transit](rds-controls.md#rds-39) 
+  [[RDS.40] RDS for SQL Server DB instances should publish logs to CloudWatch Logs](rds-controls.md#rds-40) 
+  [[RDS.41] RDS for SQL Server DB instances should be encrypted in transit](rds-controls.md#rds-41) 
+  [[RDS.42] RDS for MariaDB DB instances should publish logs to CloudWatch Logs](rds-controls.md#rds-42) 
+  [[RDS.43] RDS DB proxies should require TLS encryption for connections](rds-controls.md#rds-43) 
+  [[RDS.44] RDS for MariaDB DB instances should be encrypted in transit](rds-controls.md#rds-44) 
+  [[RDS.45] Aurora MySQL DB clusters should have audit logging enabled](rds-controls.md#rds-45) 
+  [[RDS.46] RDS DB instances should not be deployed in public subnets with routes to internet gateways](rds-controls.md#rds-46) 
+  [[RDS.47] RDS for PostgreSQL DB clusters should be configured to copy tags to DB snapshots](rds-controls.md#rds-47) 
+  [[RDS.48] RDS for MySQL DB clusters should be configured to copy tags to DB snapshots](rds-controls.md#rds-48) 
+  [[Redshift.1] Amazon Redshift clusters should prohibit public access](redshift-controls.md#redshift-1) 
+  [[Redshift.2] Connections to Amazon Redshift clusters should be encrypted in transit](redshift-controls.md#redshift-2) 
+  [[Redshift.3] Amazon Redshift clusters should have automatic snapshots enabled](redshift-controls.md#redshift-3) 
+  [[Redshift.4] Amazon Redshift clusters should have audit logging enabled](redshift-controls.md#redshift-4) 
+  [[Redshift.6] Amazon Redshift should have automatic upgrades to major versions enabled](redshift-controls.md#redshift-6) 
+  [[Redshift.7] Redshift clusters should use enhanced VPC routing](redshift-controls.md#redshift-7) 
+  [[Redshift.8] Amazon Redshift clusters should not use the default Admin username](redshift-controls.md#redshift-8) 
+  [[Redshift.10] Redshift clusters should be encrypted at rest](redshift-controls.md#redshift-10) 
+  [[Redshift.11] Redshift clusters should be tagged](redshift-controls.md#redshift-11) 
+  [[Redshift.13] Redshift cluster snapshots should be tagged](redshift-controls.md#redshift-13) 
+  [[Redshift.15] Redshift security groups should allow ingress on the cluster port only from restricted origins](redshift-controls.md#redshift-15) 
+  [[Redshift.16] Redshift cluster subnet groups should have subnets from multiple Availability Zones](redshift-controls.md#redshift-16) 
+  [[Redshift.17] Redshift cluster parameter groups should be tagged](redshift-controls.md#redshift-17) 
+  [[Redshift.18] Redshift clusters should have Multi-AZ deployments enabled](redshift-controls.md#redshift-18) 
+  [[RedshiftServerless.1] Amazon Redshift Serverless workgroups should use enhanced VPC routing](redshiftserverless-controls.md#redshiftserverless-1) 
+  [[RedshiftServerless.2] Connections to Redshift Serverless workgroups should be required to use SSL](redshiftserverless-controls.md#redshiftserverless-2) 
+  [[RedshiftServerless.3] Redshift Serverless workgroups should prohibit public access](redshiftserverless-controls.md#redshiftserverless-3) 
+  [[RedshiftServerless.4] Redshift Serverless namespaces should be encrypted with customer managed AWS KMS keys](redshiftserverless-controls.md#redshiftserverless-4) 
+  [[RedshiftServerless.5] Redshift Serverless namespaces should not use the default admin username](redshiftserverless-controls.md#redshiftserverless-5) 
+  [[RedshiftServerless.6] Redshift Serverless namespaces should export logs to CloudWatch Logs](redshiftserverless-controls.md#redshiftserverless-6) 
+  [[Route53.1] Route 53 health checks should be tagged](route53-controls.md#route53-1) 
+  [[Route53.2] Route 53 public hosted zones should log DNS queries](route53-controls.md#route53-2) 
+  [[S3.7] S3 general purpose buckets should use cross-Region replication](s3-controls.md#s3-7) 
+  [[S3.10] S3 general purpose buckets with versioning enabled should have Lifecycle configurations](s3-controls.md#s3-10) 
+  [[S3.11] S3 general purpose buckets should have event notifications enabled](s3-controls.md#s3-11) 
+  [[S3.12] ACLs should not be used to manage user access to S3 general purpose buckets](s3-controls.md#s3-12) 
+  [[S3.13] S3 general purpose buckets should have Lifecycle configurations](s3-controls.md#s3-13) 
+  [[S3.19] S3 access points should have block public access settings enabled](s3-controls.md#s3-19) 
+  [[S3.20] S3 general purpose buckets should have MFA delete enabled](s3-controls.md#s3-20) 
+  [[S3.22] S3 general purpose buckets should log object-level write events](s3-controls.md#s3-22) 
+  [[S3.23] S3 general purpose buckets should log object-level read events](s3-controls.md#s3-23) 
+  [[S3.24] S3 Multi-Region Access Points should have block public access settings enabled](s3-controls.md#s3-24) 
+  [[S3.25] S3 directory buckets should have lifecycle configurations](s3-controls.md#s3-25) 
+  [[SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access](sagemaker-controls.md#sagemaker-1) 
+  [[SageMaker.2] SageMaker notebook instances should be launched in a custom VPC](sagemaker-controls.md#sagemaker-2) 
+  [[SageMaker.3] Users should not have root access to SageMaker notebook instances](sagemaker-controls.md#sagemaker-3) 
+  [[SageMaker.4] SageMaker endpoint production variants should have an initial instance count greater than 1](sagemaker-controls.md#sagemaker-4) 
+  [[SageMaker.5] SageMaker models should have network isolation enabled](sagemaker-controls.md#sagemaker-5) 
+  [[SageMaker.6] SageMaker app image configurations should be tagged](sagemaker-controls.md#sagemaker-6) 
+  [[SageMaker.7] SageMaker images should be tagged](sagemaker-controls.md#sagemaker-7) 
+  [[SageMaker.8] SageMaker notebook instances should run on supported platforms](sagemaker-controls.md#sagemaker-8) 
+  [[SageMaker.9] SageMaker data quality job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-9) 
+  [[SageMaker.10] SageMaker model explainability job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-10) 
+  [[SageMaker.11] SageMaker data quality job definitions should have network isolation enabled](sagemaker-controls.md#sagemaker-11) 
+  [[SageMaker.12] SageMaker model bias job definitions should have network isolation enabled](sagemaker-controls.md#sagemaker-12) 
+  [[SageMaker.13] SageMaker model quality job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-13) 
+  [[SageMaker.14] SageMaker monitoring schedules should have network isolation enabled](sagemaker-controls.md#sagemaker-14) 
+  [[SageMaker.15] SageMaker model bias job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-15) 
+  [[SES.1] SES contact lists should be tagged](ses-controls.md#ses-1) 
+  [[SES.2] SES configuration sets should be tagged](ses-controls.md#ses-2) 
+  [[SES.3] SES configuration sets should have TLS enabled for sending emails](ses-controls.md#ses-3) 
+  [[ServiceCatalog.1] Service Catalog portfolios should be shared within an AWS organization only](servicecatalog-controls.md#servicecatalog-1) 
+  [[SNS.4] SNS topic access policies should not allow public access](sns-controls.md#sns-4) 
+  [[SQS.1] Amazon SQS queues should be encrypted at rest](sqs-controls.md#sqs-1) 
+  [[SQS.2] SQS queues should be tagged](sqs-controls.md#sqs-2) 
+  [[SQS.3] SQS queue access policies should not allow public access](sqs-controls.md#sqs-3) 
+  [[SSM.3] Amazon EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT](ssm-controls.md#ssm-3) 
+  [[SSM.4] SSM documents should not be public](ssm-controls.md#ssm-4) 
+  [[SSM.5] SSM documents should be tagged](ssm-controls.md#ssm-5) 
+  [[SSM.6] SSM Automation should have CloudWatch logging enabled](ssm-controls.md#ssm-6) 
+  [[SSM.7] SSM documents should have the block public sharing setting enabled](ssm-controls.md#ssm-7) 
+  [[StepFunctions.1] Step Functions state machines should have logging turned on](stepfunctions-controls.md#stepfunctions-1) 
+  [[Transfer.2] Transfer Family servers should not use FTP protocol for endpoint connection](transfer-controls.md#transfer-2) 
+  [[Transfer.3] Transfer Family connectors should have logging enabled](transfer-controls.md#transfer-3) 
+  [[Transfer.4] Transfer Family agreements should be tagged](transfer-controls.md#transfer-4) 
+  [[Transfer.5] Transfer Family certificates should be tagged](transfer-controls.md#transfer-5) 
+  [[Transfer.6] Transfer Family connectors should be tagged](transfer-controls.md#transfer-6) 
+  [[Transfer.7] Transfer Family profiles should be tagged](transfer-controls.md#transfer-7) 
+  [[WAF.1] AWS WAF Classic Global Web ACL logging should be enabled](waf-controls.md#waf-1) 
+  [[WAF.2] AWS WAF Classic Regional rules should have at least one condition](waf-controls.md#waf-2) 
+  [[WAF.3] AWS WAF Classic Regional rule groups should have at least one rule](waf-controls.md#waf-3) 
+  [[WAF.4] AWS WAF Classic Regional web ACLs should have at least one rule or rule group](waf-controls.md#waf-4) 
+  [[WAF.6] AWS WAF Classic global rules should have at least one condition](waf-controls.md#waf-6) 
+  [[WAF.7] AWS WAF Classic global rule groups should have at least one rule](waf-controls.md#waf-7) 
+  [[WAF.8] AWS WAF Classic global web ACLs should have at least one rule or rule group](waf-controls.md#waf-8) 
+  [[WAF.10] AWS WAF web ACLs should have at least one rule or rule group](waf-controls.md#waf-10) 
+  [[WAF.12] AWS WAF rules should have CloudWatch metrics enabled](waf-controls.md#waf-12) 
+  [[WorkSpaces.1] WorkSpaces user volumes should be encrypted at rest](workspaces-controls.md#workspaces-1) 
+  [[WorkSpaces.2] WorkSpaces root volumes should be encrypted at rest](workspaces-controls.md#workspaces-2) 

## Middle East (Bahrain)
<a name="securityhub-control-support-mesouth1"></a>

The following controls are not supported in the Middle East (Bahrain) Region.
+  [[AppFlow.1] Amazon AppFlow flows should be tagged](appflow-controls.md#appflow-1) 
+  [[AppRunner.1] App Runner services should be tagged](apprunner-controls.md#apprunner-1) 
+  [[AppRunner.2] App Runner VPC connectors should be tagged](apprunner-controls.md#apprunner-2) 
+  [[CloudFront.1] CloudFront distributions should have a default root object configured](cloudfront-controls.md#cloudfront-1) 
+  [[CloudFront.3] CloudFront distributions should require encryption in transit](cloudfront-controls.md#cloudfront-3) 
+  [[CloudFront.4] CloudFront distributions should have origin failover configured](cloudfront-controls.md#cloudfront-4) 
+  [[CloudFront.5] CloudFront distributions should have logging enabled](cloudfront-controls.md#cloudfront-5) 
+  [[CloudFront.6] CloudFront distributions should have WAF enabled](cloudfront-controls.md#cloudfront-6) 
+  [[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates](cloudfront-controls.md#cloudfront-7) 
+  [[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests](cloudfront-controls.md#cloudfront-8) 
+  [[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins](cloudfront-controls.md#cloudfront-9) 
+  [[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins](cloudfront-controls.md#cloudfront-10) 
+  [[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins](cloudfront-controls.md#cloudfront-12) 
+  [[CloudFront.13] CloudFront distributions should use origin access control](cloudfront-controls.md#cloudfront-13) 
+  [[CloudFront.14] CloudFront distributions should be tagged](cloudfront-controls.md#cloudfront-14) 
+  [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](cloudfront-controls.md#cloudfront-15) 
+  [[CloudFront.16] CloudFront distributions should use origin access control for Lambda function URL origins](cloudfront-controls.md#cloudfront-16) 
+  [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](cloudfront-controls.md#cloudfront-17) 
+  [[CloudTrail.10] CloudTrail Lake event data stores should be encrypted with customer managed AWS KMS keys](cloudtrail-controls.md#cloudtrail-10) 
+  [[CodeArtifact.1] CodeArtifact repositories should be tagged](codeartifact-controls.md#codeartifact-1) 
+  [[CodeGuruProfiler.1] CodeGuru Profiler profiling groups should be tagged](codeguruprofiler-controls.md#codeguruprofiler-1) 
+  [[CodeGuruReviewer.1] CodeGuru Reviewer repository associations should be tagged](codegurureviewer-controls.md#codegurureviewer-1) 
+  [[Connect.1] Amazon Connect Customer Profiles object types should be tagged](connect-controls.md#connect-1) 
+  [[Connect.2] Amazon Connect instances should have CloudWatch logging enabled](connect-controls.md#connect-2) 
+  [[DocumentDB.1] Amazon DocumentDB clusters should be encrypted at rest](documentdb-controls.md#documentdb-1) 
+  [[DocumentDB.2] Amazon DocumentDB clusters should have an adequate backup retention period](documentdb-controls.md#documentdb-2) 
+  [[DocumentDB.3] Amazon DocumentDB manual cluster snapshots should not be public](documentdb-controls.md#documentdb-3) 
+  [[DocumentDB.4] Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs](documentdb-controls.md#documentdb-4) 
+  [[DocumentDB.5] Amazon DocumentDB clusters should have deletion protection enabled](documentdb-controls.md#documentdb-5) 
+  [[DocumentDB.6] Amazon DocumentDB clusters should be encrypted in transit](documentdb-controls.md#documentdb-6) 
+  [[DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest](dynamodb-controls.md#dynamodb-3) 
+  [[DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit](dynamodb-controls.md#dynamodb-7) 
+  [[EC2.20] Both VPN tunnels for an AWS Site-to-Site VPN connection should be up](ec2-controls.md#ec2-20) 
+  [[EC2.24] Amazon EC2 paravirtual instance types should not be used](ec2-controls.md#ec2-24) 
+  [[EC2.58] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager Contacts](ec2-controls.md#ec2-58) 
+  [[EC2.60] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager](ec2-controls.md#ec2-60) 
+  [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](ec2-controls.md#ec2-173) 
+  [[ECR.4] ECR public repositories should be tagged](ecr-controls.md#ecr-4) 
+  [[ECR.5] ECR repositories should be encrypted with customer managed AWS KMS keys](ecr-controls.md#ecr-5) 
+  [[ECS.17] ECS task definitions should not use host network mode](ecs-controls.md#ecs-17) 
+  [[ELB.17] Application and Network Load Balancers with listeners should use recommended security policies](elb-controls.md#elb-17) 
+  [[EventBridge.4] EventBridge global endpoints should have event replication enabled](eventbridge-controls.md#eventbridge-4) 
+  [[FraudDetector.1] Amazon Fraud Detector entity types should be tagged](frauddetector-controls.md#frauddetector-1) 
+  [[FraudDetector.2] Amazon Fraud Detector labels should be tagged](frauddetector-controls.md#frauddetector-2) 
+  [[FraudDetector.3] Amazon Fraud Detector outcomes should be tagged](frauddetector-controls.md#frauddetector-3) 
+  [[FraudDetector.4] Amazon Fraud Detector variables should be tagged](frauddetector-controls.md#frauddetector-4) 
+  [[FSx.3] FSx for OpenZFS file systems should be configured for Multi-AZ deployment](fsx-controls.md#fsx-3) 
+  [[FSx.4] FSx for NetApp ONTAP file systems should be configured for Multi-AZ deployment](fsx-controls.md#fsx-4) 
+  [[FSx.5] FSx for Windows File Server file systems should be configured for Multi-AZ deployment](fsx-controls.md#fsx-5) 
+  [[GlobalAccelerator.1] Global Accelerator accelerators should be tagged](globalaccelerator-controls.md#globalaccelerator-1) 
+  [[Glue.4] AWS Glue Spark jobs should run on supported versions of AWS Glue](glue-controls.md#glue-4) 
+  [[GuardDuty.11] GuardDuty Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-11) 
+  [[GuardDuty.12] GuardDuty ECS Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-12) 
+  [[GuardDuty.13] GuardDuty EC2 Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-13) 
+  [[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed](iam-controls.md#iam-26) 
+  [[Inspector.3] Amazon Inspector Lambda code scanning should be enabled](inspector-controls.md#inspector-3) 
+  [[IoTEvents.1] AWS IoT Events inputs should be tagged](iotevents-controls.md#iotevents-1) 
+  [[IoTEvents.2] AWS IoT Events detector models should be tagged](iotevents-controls.md#iotevents-2) 
+  [[IoTEvents.3] AWS IoT Events alarm models should be tagged](iotevents-controls.md#iotevents-3) 
+  [[IoTSiteWise.1] AWS IoT SiteWise asset models should be tagged](iotsitewise-controls.md#iotsitewise-1) 
+  [[IoTSiteWise.2] AWS IoT SiteWise dashboards should be tagged](iotsitewise-controls.md#iotsitewise-2) 
+  [[IoTSiteWise.3] AWS IoT SiteWise gateways should be tagged](iotsitewise-controls.md#iotsitewise-3) 
+  [[IoTSiteWise.4] AWS IoT SiteWise portals should be tagged](iotsitewise-controls.md#iotsitewise-4) 
+  [[IoTSiteWise.5] AWS IoT SiteWise projects should be tagged](iotsitewise-controls.md#iotsitewise-5) 
+  [[IoTTwinMaker.1] AWS IoT TwinMaker sync jobs should be tagged](iottwinmaker-controls.md#iottwinmaker-1) 
+  [[IoTTwinMaker.2] AWS IoT TwinMaker workspaces should be tagged](iottwinmaker-controls.md#iottwinmaker-2) 
+  [[IoTTwinMaker.3] AWS IoT TwinMaker scenes should be tagged](iottwinmaker-controls.md#iottwinmaker-3) 
+  [[IoTTwinMaker.4] AWS IoT TwinMaker entities should be tagged](iottwinmaker-controls.md#iottwinmaker-4) 
+  [[IoTWireless.1] AWS IoT Wireless multicast groups should be tagged](iotwireless-controls.md#iotwireless-1) 
+  [[IoTWireless.2] AWS IoT Wireless service profiles should be tagged](iotwireless-controls.md#iotwireless-2) 
+  [[IoTWireless.3] AWS IoT FUOTA tasks should be tagged](iotwireless-controls.md#iotwireless-3) 
+  [[IVS.1] IVS playback key pairs should be tagged](ivs-controls.md#ivs-1) 
+  [[IVS.2] IVS recording configurations should be tagged](ivs-controls.md#ivs-2) 
+  [[IVS.3] IVS channels should be tagged](ivs-controls.md#ivs-3) 
+  [[MSK.3] MSK Connect connectors should be encrypted in transit](msk-controls.md#msk-3) 
+  [[MSK.5] MSK connectors should have logging enabled](msk-controls.md#msk-5) 
+  [[NetworkFirewall.10] Network Firewall firewalls should have subnet change protection enabled](networkfirewall-controls.md#networkfirewall-10) 
+  [[RDS.14] Amazon Aurora clusters should have backtracking enabled](rds-controls.md#rds-14) 
+  [[RDS.31] RDS DB security groups should be tagged](rds-controls.md#rds-31) 
+  [[RDS.41] RDS for SQL Server DB instances should be encrypted in transit](rds-controls.md#rds-41) 
+  [[RDS.42] RDS for MariaDB DB instances should publish logs to CloudWatch Logs](rds-controls.md#rds-42) 
+  [[RDS.43] RDS DB proxies should require TLS encryption for connections](rds-controls.md#rds-43) 
+  [[RDS.44] RDS for MariaDB DB instances should be encrypted in transit](rds-controls.md#rds-44) 
+  [[RDS.45] Aurora MySQL DB clusters should have audit logging enabled](rds-controls.md#rds-45) 
+  [[RDS.46] RDS DB instances should not be deployed in public subnets with routes to internet gateways](rds-controls.md#rds-46) 
+  [[RedshiftServerless.1] Amazon Redshift Serverless workgroups should use enhanced VPC routing](redshiftserverless-controls.md#redshiftserverless-1) 
+  [[RedshiftServerless.2] Connections to Redshift Serverless workgroups should be required to use SSL](redshiftserverless-controls.md#redshiftserverless-2) 
+  [[RedshiftServerless.3] Redshift Serverless workgroups should prohibit public access](redshiftserverless-controls.md#redshiftserverless-3) 
+  [[RedshiftServerless.4] Redshift Serverless namespaces should be encrypted with customer managed AWS KMS keys](redshiftserverless-controls.md#redshiftserverless-4) 
+  [[RedshiftServerless.5] Redshift Serverless namespaces should not use the default admin username](redshiftserverless-controls.md#redshiftserverless-5) 
+  [[RedshiftServerless.6] Redshift Serverless namespaces should export logs to CloudWatch Logs](redshiftserverless-controls.md#redshiftserverless-6) 
+  [[Route53.1] Route 53 health checks should be tagged](route53-controls.md#route53-1) 
+  [[Route53.2] Route 53 public hosted zones should log DNS queries](route53-controls.md#route53-2) 
+  [[S3.24] S3 Multi-Region Access Points should have block public access settings enabled](s3-controls.md#s3-24) 
+  [[S3.25] S3 directory buckets should have lifecycle configurations](s3-controls.md#s3-25) 
+  [[SageMaker.8] SageMaker notebook instances should run on supported platforms](sagemaker-controls.md#sagemaker-8) 
+  [[SQS.3] SQS queue access policies should not allow public access](sqs-controls.md#sqs-3) 
+  [[Transfer.3] Transfer Family connectors should have logging enabled](transfer-controls.md#transfer-3) 
+  [[WAF.1] AWS WAF Classic Global Web ACL logging should be enabled](waf-controls.md#waf-1) 
+  [[WAF.6] AWS WAF Classic global rules should have at least one condition](waf-controls.md#waf-6) 
+  [[WAF.7] AWS WAF Classic global rule groups should have at least one rule](waf-controls.md#waf-7) 
+  [[WAF.8] AWS WAF Classic global web ACLs should have at least one rule or rule group](waf-controls.md#waf-8) 
+  [[WorkSpaces.1] WorkSpaces user volumes should be encrypted at rest](workspaces-controls.md#workspaces-1) 
+  [[WorkSpaces.2] WorkSpaces root volumes should be encrypted at rest](workspaces-controls.md#workspaces-2) 
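
Lists like the one above go stale as controls roll out to more Regions, so the check a practitioner actually wants is to ask Security Hub CSPM itself which controls are unavailable in the Region in use and reconcile that with the documented list. The following Python script is an added example, not code from this page or from AWS. It relies on the `ListSecurityControlDefinitions` API, whose response reports a `CurrentRegionAvailability` of `AVAILABLE` or `UNAVAILABLE` for each control; the `SAMPLE_PAGES` response and the small `DOCUMENTED_UNAVAILABLE_ME_SOUTH_1` set (a handful of IDs transcribed from the Middle East (Bahrain) list, not the full list) are constructed so the reconciliation runs offline. The `fetch_definitions` function is the live path and assumes boto3 is installed and Security Hub CSPM credentials are configured.

```python
"""Reconcile documented per-Region control gaps with what Security Hub CSPM reports.

Added example for this page, not AWS's own code. The response shape mirrors
ListSecurityControlDefinitions; the sample data below is constructed.
"""
from __future__ import annotations

from typing import Iterable, Iterator

# Constructed sample of two response pages, trimmed to the fields this check uses.
SAMPLE_PAGES = [
    {
        "SecurityControlDefinitions": [
            {"SecurityControlId": "CloudFront.1", "CurrentRegionAvailability": "UNAVAILABLE"},
            {"SecurityControlId": "EC2.24", "CurrentRegionAvailability": "UNAVAILABLE"},
            {"SecurityControlId": "S3.1", "CurrentRegionAvailability": "AVAILABLE"},
            {"SecurityControlId": "SageMaker.8", "CurrentRegionAvailability": "UNAVAILABLE"},
        ],
        "NextToken": "page-2",  # constructed token; the last page carries no NextToken
    },
    {
        "SecurityControlDefinitions": [
            {"SecurityControlId": "RDS.14", "CurrentRegionAvailability": "UNAVAILABLE"},
            {"SecurityControlId": "IAM.26", "CurrentRegionAvailability": "AVAILABLE"},
        ]
    },
]

# A subset of control IDs transcribed from the Middle East (Bahrain) list above.
# Assumed here to stand in for the full documented list.
DOCUMENTED_UNAVAILABLE_ME_SOUTH_1 = {
    "CloudFront.1", "EC2.24", "RDS.14", "IAM.26", "WorkSpaces.1",
}


def fetch_definitions(region: str) -> Iterator[dict]:
    """Page through ListSecurityControlDefinitions for one Region (live path).

    boto3 is imported here so the offline sample still runs without it.
    Calling with no StandardsArn returns every control Security Hub CSPM knows.
    """
    import boto3  # assumption: boto3 installed and credentials configured

    client = boto3.client("securityhub", region_name=region)
    token = None
    while True:
        kwargs = {"NextToken": token} if token else {}
        resp = client.list_security_control_definitions(**kwargs)
        yield resp
        token = resp.get("NextToken")
        if not token:
            break


def unavailable_control_ids(pages: Iterable[dict]) -> set[str]:
    """Collect control IDs the service marks UNAVAILABLE in the current Region."""
    ids: set[str] = set()
    for page in pages:
        for definition in page.get("SecurityControlDefinitions", []):
            if definition.get("CurrentRegionAvailability") == "UNAVAILABLE":
                ids.add(definition["SecurityControlId"])
    return ids


def reconcile(api_unavailable: set[str], documented: set[str]) -> dict[str, set[str]]:
    """Split the disagreement between the live API and the documented list.

    api_only: unavailable per the API but missing from the documented list.
    doc_only: documented as unavailable but not reported UNAVAILABLE by the API
              (either now AVAILABLE, or absent from the response).
    """
    return {
        "api_only": api_unavailable - documented,
        "doc_only": documented - api_unavailable,
    }


if __name__ == "__main__":
    # Offline run against the constructed sample. For a live run, replace
    # SAMPLE_PAGES with fetch_definitions("me-south-1").
    live = unavailable_control_ids(SAMPLE_PAGES)
    for bucket, ids in reconcile(live, DOCUMENTED_UNAVAILABLE_ME_SOUTH_1).items():
        print(f"{bucket}: {sorted(ids)}")
```

Run it in each Region you operate in rather than once: availability is per Region, and a control listed as unsupported here can be `AVAILABLE` elsewhere, so a finding-count comparison across Regions should exclude the `doc_only` and `api_only` sets before treating a missing finding as a coverage gap.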

## Middle East (UAE)
<a name="securityhub-control-support-mecentral1"></a>

The following controls are not supported in the Middle East (UAE) Region.
+  [[APIGateway.8] API Gateway routes should specify an authorization type](apigateway-controls.md#apigateway-8) 
+  [[APIGateway.9] Access logging should be configured for API Gateway V2 Stages](apigateway-controls.md#apigateway-9) 
+  [[Amplify.1] Amplify apps should be tagged](amplify-controls.md#amplify-1) 
+  [[Amplify.2] Amplify branches should be tagged](amplify-controls.md#amplify-2) 
+  [[AppConfig.1] AWS AppConfig applications should be tagged](appconfig-controls.md#appconfig-1) 
+  [[AppConfig.2] AWS AppConfig configuration profiles should be tagged](appconfig-controls.md#appconfig-2) 
+  [[AppConfig.3] AWS AppConfig environments should be tagged](appconfig-controls.md#appconfig-3) 
+  [[AppFlow.1] Amazon AppFlow flows should be tagged](appflow-controls.md#appflow-1) 
+  [[AppRunner.1] App Runner services should be tagged](apprunner-controls.md#apprunner-1) 
+  [[AppRunner.2] App Runner VPC connectors should be tagged](apprunner-controls.md#apprunner-2) 
+  [[AppSync.1] AWS AppSync API caches should be encrypted at rest](appsync-controls.md#appsync-1) 
+  [[AppSync.6] AWS AppSync API caches should be encrypted in transit](appsync-controls.md#appsync-6) 
+  [[Backup.1] AWS Backup recovery points should be encrypted at rest](backup-controls.md#backup-1) 
+  [[Backup.4] AWS Backup report plans should be tagged](backup-controls.md#backup-4) 
+  [[CloudFormation.3] CloudFormation stacks should have termination protection enabled](cloudformation-controls.md#cloudformation-3) 
+  [[CloudFormation.4] CloudFormation stacks should have associated service roles](cloudformation-controls.md#cloudformation-4) 
+  [[CloudFront.1] CloudFront distributions should have a default root object configured](cloudfront-controls.md#cloudfront-1) 
+  [[CloudFront.3] CloudFront distributions should require encryption in transit](cloudfront-controls.md#cloudfront-3) 
+  [[CloudFront.4] CloudFront distributions should have origin failover configured](cloudfront-controls.md#cloudfront-4) 
+  [[CloudFront.5] CloudFront distributions should have logging enabled](cloudfront-controls.md#cloudfront-5) 
+  [[CloudFront.6] CloudFront distributions should have WAF enabled](cloudfront-controls.md#cloudfront-6) 
+  [[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates](cloudfront-controls.md#cloudfront-7) 
+  [[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests](cloudfront-controls.md#cloudfront-8) 
+  [[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins](cloudfront-controls.md#cloudfront-9) 
+  [[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins](cloudfront-controls.md#cloudfront-10) 
+  [[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins](cloudfront-controls.md#cloudfront-12) 
+  [[CloudFront.13] CloudFront distributions should use origin access control](cloudfront-controls.md#cloudfront-13) 
+  [[CloudFront.14] CloudFront distributions should be tagged](cloudfront-controls.md#cloudfront-14) 
+  [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](cloudfront-controls.md#cloudfront-15) 
+  [[CloudFront.16] CloudFront distributions should use origin access control for Lambda function URL origins](cloudfront-controls.md#cloudfront-16) 
+  [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](cloudfront-controls.md#cloudfront-17) 
+  [[CloudTrail.6] Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible](cloudtrail-controls.md#cloudtrail-6) 
+  [[CodeArtifact.1] CodeArtifact repositories should be tagged](codeartifact-controls.md#codeartifact-1) 
+  [[CodeGuruProfiler.1] CodeGuru Profiler profiling groups should be tagged](codeguruprofiler-controls.md#codeguruprofiler-1) 
+  [[CodeGuruReviewer.1] CodeGuru Reviewer repository associations should be tagged](codegurureviewer-controls.md#codegurureviewer-1) 
+  [[Cognito.1] Cognito user pools should have threat protection activated with full function enforcement mode for standard authentication](cognito-controls.md#cognito-1) 
+  [[Cognito.2] Cognito identity pools should not allow unauthenticated identities](cognito-controls.md#cognito-2) 
+  [[Connect.1] Amazon Connect Customer Profiles object types should be tagged](connect-controls.md#connect-1) 
+  [[Connect.2] Amazon Connect instances should have CloudWatch logging enabled](connect-controls.md#connect-2) 
+  [[Detective.1] Detective behavior graphs should be tagged](detective-controls.md#detective-1) 
+  [[DMS.2] DMS certificates should be tagged](dms-controls.md#dms-2) 
+  [[DMS.3] DMS event subscriptions should be tagged](dms-controls.md#dms-3) 
+  [[DMS.4] DMS replication instances should be tagged](dms-controls.md#dms-4) 
+  [[DMS.5] DMS replication subnet groups should be tagged](dms-controls.md#dms-5) 
+  [[DMS.6] DMS replication instances should have automatic minor version upgrade enabled](dms-controls.md#dms-6) 
+  [[DMS.7] DMS replication tasks for the target database should have logging enabled](dms-controls.md#dms-7) 
+  [[DMS.8] DMS replication tasks for the source database should have logging enabled](dms-controls.md#dms-8) 
+  [[DMS.9] DMS endpoints should use SSL](dms-controls.md#dms-9) 
+  [[DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled](dms-controls.md#dms-10) 
+  [[DMS.11] DMS endpoints for MongoDB should have an authentication mechanism enabled](dms-controls.md#dms-11) 
+  [[DMS.12] DMS endpoints for Redis OSS should have TLS enabled](dms-controls.md#dms-12) 
+  [[DMS.13] DMS replication instances should be configured to use multiple Availability Zones](dms-controls.md#dms-13) 
+  [[DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest](dynamodb-controls.md#dynamodb-3) 
+  [[DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit](dynamodb-controls.md#dynamodb-7) 
+  [[EC2.4] Stopped EC2 instances should be removed after a specified time period](ec2-controls.md#ec2-4) 
+  [[EC2.14] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 3389](ec2-controls.md#ec2-14) 
+  [[EC2.22] Unused Amazon EC2 security groups should be removed](ec2-controls.md#ec2-22) 
+  [[EC2.24] Amazon EC2 paravirtual instance types should not be used](ec2-controls.md#ec2-24) 
+  [[EC2.25] Amazon EC2 launch templates should not assign public IPs to network interfaces](ec2-controls.md#ec2-25) 
+  [[EC2.51] EC2 Client VPN endpoints should have client connection logging enabled](ec2-controls.md#ec2-51) 
+  [[EC2.58] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager Contacts](ec2-controls.md#ec2-58) 
+  [[EC2.60] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager](ec2-controls.md#ec2-60) 
+  [[EC2.170] EC2 launch templates should use Instance Metadata Service Version 2 (IMDSv2)](ec2-controls.md#ec2-170) 
+  [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](ec2-controls.md#ec2-173) 
+  [[EC2.175] EC2 launch templates should be tagged](ec2-controls.md#ec2-175) 
+  [[EC2.177] EC2 traffic mirror sessions should be tagged](ec2-controls.md#ec2-177) 
+  [[EC2.179] EC2 traffic mirror targets should be tagged](ec2-controls.md#ec2-179) 
+  [[EC2.180] EC2 network interfaces should have source/destination checking enabled](ec2-controls.md#ec2-180) 
+  [[EC2.181] EC2 launch templates should enable encryption for attached EBS volumes](ec2-controls.md#ec2-181) 
+  [[ECR.4] ECR public repositories should be tagged](ecr-controls.md#ecr-4) 
+  [[EFS.1] Elastic File System should be configured to encrypt file data at-rest using AWS KMS](efs-controls.md#efs-1) 
+  [[EFS.2] Amazon EFS volumes should be in backup plans](efs-controls.md#efs-2) 
+  [[ELB.14] Classic Load Balancer should be configured with defensive or strictest desync mitigation mode](elb-controls.md#elb-14) 
+  [[ELB.17] Application and Network Load Balancers with listeners should use recommended security policies](elb-controls.md#elb-17) 
+  [[ELB.18] Application and Network Load Balancer listeners should use secure protocols to encrypt data in transit](elb-controls.md#elb-18) 
+  [[ElastiCache.1] ElastiCache (Redis OSS) clusters should have automatic backups enabled](elasticache-controls.md#elasticache-1) 
+  [[ElastiCache.2] ElastiCache clusters should have automatic minor version upgrades enabled](elasticache-controls.md#elasticache-2) 
+  [[ElastiCache.3] ElastiCache replication groups should have automatic failover enabled](elasticache-controls.md#elasticache-3) 
+  [[ElastiCache.4] ElastiCache replication groups should be encrypted at rest](elasticache-controls.md#elasticache-4) 
+  [[ElastiCache.5] ElastiCache replication groups should be encrypted in transit](elasticache-controls.md#elasticache-5) 
+  [[ElastiCache.6] ElastiCache (Redis OSS) replication groups of earlier versions should have Redis OSS AUTH enabled](elasticache-controls.md#elasticache-6) 
+  [[ElastiCache.7] ElastiCache clusters should not use the default subnet group](elasticache-controls.md#elasticache-7) 
+  [[ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled](elasticbeanstalk-controls.md#elasticbeanstalk-1) 
+  [[ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled](elasticbeanstalk-controls.md#elasticbeanstalk-2) 
+  [[ElasticBeanstalk.3] Elastic Beanstalk should stream logs to CloudWatch](elasticbeanstalk-controls.md#elasticbeanstalk-3) 
+  [[EMR.1] Amazon EMR cluster primary nodes should not have public IP addresses](emr-controls.md#emr-1) 
+  [[EventBridge.4] EventBridge global endpoints should have event replication enabled](eventbridge-controls.md#eventbridge-4) 
+  [[FraudDetector.1] Amazon Fraud Detector entity types should be tagged](frauddetector-controls.md#frauddetector-1) 
+  [[FraudDetector.2] Amazon Fraud Detector labels should be tagged](frauddetector-controls.md#frauddetector-2) 
+  [[FraudDetector.3] Amazon Fraud Detector outcomes should be tagged](frauddetector-controls.md#frauddetector-3) 
+  [[FraudDetector.4] Amazon Fraud Detector variables should be tagged](frauddetector-controls.md#frauddetector-4) 
+  [[GlobalAccelerator.1] Global Accelerator accelerators should be tagged](globalaccelerator-controls.md#globalaccelerator-1) 
+  [[Glue.4] AWS Glue Spark jobs should run on supported versions of AWS Glue](glue-controls.md#glue-4) 
+  [[GuardDuty.2] GuardDuty filters should be tagged](guardduty-controls.md#guardduty-2) 
+  [[IAM.1] IAM policies should not allow full "*" administrative privileges](iam-controls.md#iam-1) 
+  [[IAM.2] IAM users should not have IAM policies attached](iam-controls.md#iam-2) 
+  [[IAM.3] IAM users' access keys should be rotated every 90 days or less](iam-controls.md#iam-3) 
+  [[IAM.4] IAM root user access key should not exist](iam-controls.md#iam-4) 
+  [[IAM.5] MFA should be enabled for all IAM users that have a console password](iam-controls.md#iam-5) 
+  [[IAM.6] Hardware MFA should be enabled for the root user](iam-controls.md#iam-6) 
+  [[IAM.8] Unused IAM user credentials should be removed](iam-controls.md#iam-8) 
+  [[IAM.9] MFA should be enabled for the root user](iam-controls.md#iam-9) 
+  [[IAM.18] Ensure a support role has been created to manage incidents with AWS Support](iam-controls.md#iam-18) 
+  [[IAM.19] MFA should be enabled for all IAM users](iam-controls.md#iam-19) 
+  [[IAM.21] IAM customer managed policies that you create should not allow wildcard actions for services](iam-controls.md#iam-21) 
+  [[IAM.22] IAM user credentials unused for 45 days should be removed](iam-controls.md#iam-22) 
+  [[IAM.24] IAM roles should be tagged](iam-controls.md#iam-24) 
+  [[IAM.25] IAM users should be tagged](iam-controls.md#iam-25) 
+  [[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed](iam-controls.md#iam-26) 
+  [[IAM.27] IAM identities should not have the AWSCloudShellFullAccess policy attached](iam-controls.md#iam-27) 
+  [[Inspector.1] Amazon Inspector EC2 scanning should be enabled](inspector-controls.md#inspector-1) 
+  [[Inspector.2] Amazon Inspector ECR scanning should be enabled](inspector-controls.md#inspector-2) 
+  [[Inspector.3] Amazon Inspector Lambda code scanning should be enabled](inspector-controls.md#inspector-3) 
+  [[Inspector.4] Amazon Inspector Lambda standard scanning should be enabled](inspector-controls.md#inspector-4) 
+  [[IoTEvents.1] AWS IoT Events inputs should be tagged](iotevents-controls.md#iotevents-1) 
+  [[IoTEvents.2] AWS IoT Events detector models should be tagged](iotevents-controls.md#iotevents-2) 
+  [[IoTEvents.3] AWS IoT Events alarm models should be tagged](iotevents-controls.md#iotevents-3) 
+  [[IoTSiteWise.1] AWS IoT SiteWise asset models should be tagged](iotsitewise-controls.md#iotsitewise-1) 
+  [[IoTSiteWise.2] AWS IoT SiteWise dashboards should be tagged](iotsitewise-controls.md#iotsitewise-2) 
+  [[IoTSiteWise.3] AWS IoT SiteWise gateways should be tagged](iotsitewise-controls.md#iotsitewise-3) 
+  [[IoTSiteWise.4] AWS IoT SiteWise portals should be tagged](iotsitewise-controls.md#iotsitewise-4) 
+  [[IoTSiteWise.5] AWS IoT SiteWise projects should be tagged](iotsitewise-controls.md#iotsitewise-5) 
+  [[IoTTwinMaker.1] AWS IoT TwinMaker sync jobs should be tagged](iottwinmaker-controls.md#iottwinmaker-1) 
+  [[IoTTwinMaker.2] AWS IoT TwinMaker workspaces should be tagged](iottwinmaker-controls.md#iottwinmaker-2) 
+  [[IoTTwinMaker.3] AWS IoT TwinMaker scenes should be tagged](iottwinmaker-controls.md#iottwinmaker-3) 
+  [[IoTTwinMaker.4] AWS IoT TwinMaker entities should be tagged](iottwinmaker-controls.md#iottwinmaker-4) 
+  [[IoTWireless.1] AWS IoT Wireless multicast groups should be tagged](iotwireless-controls.md#iotwireless-1) 
+  [[IoTWireless.2] AWS IoT Wireless service profiles should be tagged](iotwireless-controls.md#iotwireless-2) 
+  [[IoTWireless.3] AWS IoT FUOTA tasks should be tagged](iotwireless-controls.md#iotwireless-3) 
+  [[IVS.1] IVS playback key pairs should be tagged](ivs-controls.md#ivs-1) 
+  [[IVS.2] IVS recording configurations should be tagged](ivs-controls.md#ivs-2) 
+  [[IVS.3] IVS channels should be tagged](ivs-controls.md#ivs-3) 
+  [[Keyspaces.1] Amazon Keyspaces keyspaces should be tagged](keyspaces-controls.md#keyspaces-1) 
+  [[KMS.1] IAM customer managed policies should not allow decryption actions on all KMS keys](kms-controls.md#kms-1) 
+  [[KMS.2] IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys](kms-controls.md#kms-2) 
+  [[Lambda.7] Lambda functions should have AWS X-Ray active tracing enabled](lambda-controls.md#lambda-7) 
+  [[Macie.1] Amazon Macie should be enabled](macie-controls.md#macie-1) 
+  [[Macie.2] Macie automated sensitive data discovery should be enabled](macie-controls.md#macie-2) 
+  [[MSK.3] MSK Connect connectors should be encrypted in transit](msk-controls.md#msk-3) 
+  [[MSK.4] MSK clusters should have public access disabled](msk-controls.md#msk-4) 
+  [[MSK.5] MSK connectors should have logging enabled](msk-controls.md#msk-5) 
+  [[MSK.6] MSK clusters should disable unauthenticated access](msk-controls.md#msk-6) 
+  [[Opensearch.1] OpenSearch domains should have encryption at rest enabled](opensearch-controls.md#opensearch-1) 
+  [[Opensearch.2] OpenSearch domains should not be publicly accessible](opensearch-controls.md#opensearch-2) 
+  [[Opensearch.3] OpenSearch domains should encrypt data sent between nodes](opensearch-controls.md#opensearch-3) 
+  [[Opensearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled](opensearch-controls.md#opensearch-4) 
+  [[Opensearch.5] OpenSearch domains should have audit logging enabled](opensearch-controls.md#opensearch-5) 
+  [[Opensearch.6] OpenSearch domains should have at least three data nodes](opensearch-controls.md#opensearch-6) 
+  [[Opensearch.7] OpenSearch domains should have fine-grained access control enabled](opensearch-controls.md#opensearch-7) 
+  [[Opensearch.8] Connections to OpenSearch domains should be encrypted using the latest TLS security policy](opensearch-controls.md#opensearch-8) 
+  [[Opensearch.9] OpenSearch domains should be tagged](opensearch-controls.md#opensearch-9) 
+  [[Opensearch.10] OpenSearch domains should have the latest software update installed](opensearch-controls.md#opensearch-10) 
+  [[Opensearch.11] OpenSearch domains should have at least three dedicated primary nodes](opensearch-controls.md#opensearch-11) 
+  [[RDS.14] Amazon Aurora clusters should have backtracking enabled](rds-controls.md#rds-14) 
+  [[RDS.31] RDS DB security groups should be tagged](rds-controls.md#rds-31) 
+  [[RDS.35] RDS DB clusters should have automatic minor version upgrade enabled](rds-controls.md#rds-35) 
+  [[Redshift.18] Redshift clusters should have Multi-AZ deployments enabled](redshift-controls.md#redshift-18) 
+  [[RedshiftServerless.1] Amazon Redshift Serverless workgroups should use enhanced VPC routing](redshiftserverless-controls.md#redshiftserverless-1) 
+  [[RedshiftServerless.2] Connections to Redshift Serverless workgroups should be required to use SSL](redshiftserverless-controls.md#redshiftserverless-2) 
+  [[Route53.1] Route 53 health checks should be tagged](route53-controls.md#route53-1) 
+  [[Route53.2] Route 53 public hosted zones should log DNS queries](route53-controls.md#route53-2) 
+  [[S3.24] S3 Multi-Region Access Points should have block public access settings enabled](s3-controls.md#s3-24) 
+  [[S3.25] S3 directory buckets should have lifecycle configurations](s3-controls.md#s3-25) 
+  [[SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access](sagemaker-controls.md#sagemaker-1) 
+  [[SageMaker.2] SageMaker notebook instances should be launched in a custom VPC](sagemaker-controls.md#sagemaker-2) 
+  [[SageMaker.3] Users should not have root access to SageMaker notebook instances](sagemaker-controls.md#sagemaker-3) 
+  [[SageMaker.5] SageMaker models should have network isolation enabled](sagemaker-controls.md#sagemaker-5) 
+  [[SageMaker.9] SageMaker data quality job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-9) 
+  [[SageMaker.10] SageMaker model explainability job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-10) 
+  [[SageMaker.11] SageMaker data quality job definitions should have network isolation enabled](sagemaker-controls.md#sagemaker-11) 
+  [[SageMaker.12] SageMaker model bias job definitions should have network isolation enabled](sagemaker-controls.md#sagemaker-12) 
+  [[SageMaker.13] SageMaker model quality job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-13) 
+  [[SageMaker.14] SageMaker monitoring schedules should have network isolation enabled](sagemaker-controls.md#sagemaker-14) 
+  [[SageMaker.15] SageMaker model bias job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-15) 
+  [[SES.1] SES contact lists should be tagged](ses-controls.md#ses-1) 
+  [[SES.2] SES configuration sets should be tagged](ses-controls.md#ses-2) 
+  [[SES.3] SES configuration sets should have TLS enabled for sending emails](ses-controls.md#ses-3) 
+  [[SQS.1] Amazon SQS queues should be encrypted at rest](sqs-controls.md#sqs-1) 
+  [[SQS.2] SQS queues should be tagged](sqs-controls.md#sqs-2) 
+  [[SQS.3] SQS queue access policies should not allow public access](sqs-controls.md#sqs-3) 
+  [[SSM.6] SSM Automation should have CloudWatch logging enabled](ssm-controls.md#ssm-6) 
+  [[SSM.7] SSM documents should have the block public sharing setting enabled](ssm-controls.md#ssm-7) 
+  [[WAF.1] AWS WAF Classic Global Web ACL logging should be enabled](waf-controls.md#waf-1) 
+  [[WAF.3] AWS WAF Classic Regional rule groups should have at least one rule](waf-controls.md#waf-3) 
+  [[WAF.6] AWS WAF Classic global rules should have at least one condition](waf-controls.md#waf-6) 
+  [[WAF.7] AWS WAF Classic global rule groups should have at least one rule](waf-controls.md#waf-7) 
+  [[WAF.8] AWS WAF Classic global web ACLs should have at least one rule or rule group](waf-controls.md#waf-8) 
+  [[WAF.10] AWS WAF web ACLs should have at least one rule or rule group](waf-controls.md#waf-10) 
+  [[WorkSpaces.1] WorkSpaces user volumes should be encrypted at rest](workspaces-controls.md#workspaces-1) 
+  [[WorkSpaces.2] WorkSpaces root volumes should be encrypted at rest](workspaces-controls.md#workspaces-2) 

## South America (São Paulo)
<a name="securityhub-control-support-saeast1"></a>

The following controls are not supported in the South America (São Paulo) Region.
+  [[AppRunner.1] App Runner services should be tagged](apprunner-controls.md#apprunner-1) 
+  [[AppRunner.2] App Runner VPC connectors should be tagged](apprunner-controls.md#apprunner-2) 
+  [[CloudFront.1] CloudFront distributions should have a default root object configured](cloudfront-controls.md#cloudfront-1) 
+  [[CloudFront.3] CloudFront distributions should require encryption in transit](cloudfront-controls.md#cloudfront-3) 
+  [[CloudFront.4] CloudFront distributions should have origin failover configured](cloudfront-controls.md#cloudfront-4) 
+  [[CloudFront.5] CloudFront distributions should have logging enabled](cloudfront-controls.md#cloudfront-5) 
+  [[CloudFront.6] CloudFront distributions should have WAF enabled](cloudfront-controls.md#cloudfront-6) 
+  [[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates](cloudfront-controls.md#cloudfront-7) 
+  [[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests](cloudfront-controls.md#cloudfront-8) 
+  [[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins](cloudfront-controls.md#cloudfront-9) 
+  [[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins](cloudfront-controls.md#cloudfront-10) 
+  [[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins](cloudfront-controls.md#cloudfront-12) 
+  [[CloudFront.13] CloudFront distributions should use origin access control](cloudfront-controls.md#cloudfront-13) 
+  [[CloudFront.14] CloudFront distributions should be tagged](cloudfront-controls.md#cloudfront-14) 
+  [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](cloudfront-controls.md#cloudfront-15) 
+  [[CloudFront.16] CloudFront distributions should use origin access control for Lambda function URL origins](cloudfront-controls.md#cloudfront-16) 
+  [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](cloudfront-controls.md#cloudfront-17) 
+  [[CodeArtifact.1] CodeArtifact repositories should be tagged](codeartifact-controls.md#codeartifact-1) 
+  [[CodeGuruProfiler.1] CodeGuru Profiler profiling groups should be tagged](codeguruprofiler-controls.md#codeguruprofiler-1) 
+  [[CodeGuruReviewer.1] CodeGuru Reviewer repository associations should be tagged](codegurureviewer-controls.md#codegurureviewer-1) 
+  [[Cognito.5] MFA should be enabled for Cognito user pools](cognito-controls.md#cognito-5) 
+  [[Connect.1] Amazon Connect Customer Profiles object types should be tagged](connect-controls.md#connect-1) 
+  [[Connect.2] Amazon Connect instances should have CloudWatch logging enabled](connect-controls.md#connect-2) 
+  [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](ec2-controls.md#ec2-173) 
+  [[ECR.4] ECR public repositories should be tagged](ecr-controls.md#ecr-4) 
+  [[FraudDetector.1] Amazon Fraud Detector entity types should be tagged](frauddetector-controls.md#frauddetector-1) 
+  [[FraudDetector.2] Amazon Fraud Detector labels should be tagged](frauddetector-controls.md#frauddetector-2) 
+  [[FraudDetector.3] Amazon Fraud Detector outcomes should be tagged](frauddetector-controls.md#frauddetector-3) 
+  [[FraudDetector.4] Amazon Fraud Detector variables should be tagged](frauddetector-controls.md#frauddetector-4) 
+  [[GlobalAccelerator.1] Global Accelerator accelerators should be tagged](globalaccelerator-controls.md#globalaccelerator-1) 
+  [[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed](iam-controls.md#iam-26) 
+  [[Inspector.3] Amazon Inspector Lambda code scanning should be enabled](inspector-controls.md#inspector-3) 
+  [[IoT.1] AWS IoT Device Defender security profiles should be tagged](iot-controls.md#iot-1) 
+  [[IoT.2] AWS IoT Core mitigation actions should be tagged](iot-controls.md#iot-2) 
+  [[IoT.3] AWS IoT Core dimensions should be tagged](iot-controls.md#iot-3) 
+  [[IoTEvents.1] AWS IoT Events inputs should be tagged](iotevents-controls.md#iotevents-1) 
+  [[IoTEvents.2] AWS IoT Events detector models should be tagged](iotevents-controls.md#iotevents-2) 
+  [[IoTEvents.3] AWS IoT Events alarm models should be tagged](iotevents-controls.md#iotevents-3) 
+  [[IoTSiteWise.1] AWS IoT SiteWise asset models should be tagged](iotsitewise-controls.md#iotsitewise-1) 
+  [[IoTSiteWise.2] AWS IoT SiteWise dashboards should be tagged](iotsitewise-controls.md#iotsitewise-2) 
+  [[IoTSiteWise.3] AWS IoT SiteWise gateways should be tagged](iotsitewise-controls.md#iotsitewise-3) 
+  [[IoTSiteWise.4] AWS IoT SiteWise portals should be tagged](iotsitewise-controls.md#iotsitewise-4) 
+  [[IoTSiteWise.5] AWS IoT SiteWise projects should be tagged](iotsitewise-controls.md#iotsitewise-5) 
+  [[IoTTwinMaker.1] AWS IoT TwinMaker sync jobs should be tagged](iottwinmaker-controls.md#iottwinmaker-1) 
+  [[IoTTwinMaker.2] AWS IoT TwinMaker workspaces should be tagged](iottwinmaker-controls.md#iottwinmaker-2) 
+  [[IoTTwinMaker.3] AWS IoT TwinMaker scenes should be tagged](iottwinmaker-controls.md#iottwinmaker-3) 
+  [[IoTTwinMaker.4] AWS IoT TwinMaker entities should be tagged](iottwinmaker-controls.md#iottwinmaker-4) 
+  [[IVS.1] IVS playback key pairs should be tagged](ivs-controls.md#ivs-1) 
+  [[IVS.2] IVS recording configurations should be tagged](ivs-controls.md#ivs-2) 
+  [[IVS.3] IVS channels should be tagged](ivs-controls.md#ivs-3) 
+  [[RDS.14] Amazon Aurora clusters should have backtracking enabled](rds-controls.md#rds-14) 
+  [[RedshiftServerless.1] Amazon Redshift Serverless workgroups should use enhanced VPC routing](redshiftserverless-controls.md#redshiftserverless-1) 
+  [[RedshiftServerless.2] Connections to Redshift Serverless workgroups should be required to use SSL](redshiftserverless-controls.md#redshiftserverless-2) 
+  [[Route53.1] Route 53 health checks should be tagged](route53-controls.md#route53-1) 
+  [[Route53.2] Route 53 public hosted zones should log DNS queries](route53-controls.md#route53-2) 
+  [[S3.24] S3 Multi-Region Access Points should have block public access settings enabled](s3-controls.md#s3-24) 
+  [[S3.25] S3 directory buckets should have lifecycle configurations](s3-controls.md#s3-25) 
+  [[WAF.1] AWS WAF Classic Global Web ACL logging should be enabled](waf-controls.md#waf-1) 
+  [[WAF.6] AWS WAF Classic global rules should have at least one condition](waf-controls.md#waf-6) 
+  [[WAF.7] AWS WAF Classic global rule groups should have at least one rule](waf-controls.md#waf-7) 
+  [[WAF.8] AWS WAF Classic global web ACLs should have at least one rule or rule group](waf-controls.md#waf-8) 
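
A control that is unsupported in a Region produces no findings there, so a workload in that Region is silently uncovered for it even when findings are aggregated elsewhere. Rather than cross-checking the lists above by hand, you can ask Security Hub CSPM directly: `ListSecurityControlDefinitions` returns each control with a `CurrentRegionAvailability` of `AVAILABLE` or `UNAVAILABLE` for the Region you call it in. The following script is an added example, not code from the AWS documentation; the API responses embedded in it are constructed by hand so the logic runs offline, and the live `fetch_definitions` helper assumes boto3 is installed and credentials are configured.

```python
"""Find Security Hub CSPM controls that cannot be evaluated in a Region.

Added example, not part of the AWS documentation. It relies on the
CurrentRegionAvailability field of securityhub:ListSecurityControlDefinitions;
the sample responses below are constructed, not real API output.
"""

# Constructed sample: the shape of SecurityControlDefinitions entries, one
# list per Region. Only the two fields this script reads are included.
SAMPLE_DEFINITIONS = {
    "us-east-1": [
        {"SecurityControlId": "IAM.1", "CurrentRegionAvailability": "AVAILABLE"},
        {"SecurityControlId": "CloudFront.1", "CurrentRegionAvailability": "AVAILABLE"},
        {"SecurityControlId": "RDS.14", "CurrentRegionAvailability": "AVAILABLE"},
    ],
    "sa-east-1": [
        {"SecurityControlId": "IAM.1", "CurrentRegionAvailability": "AVAILABLE"},
        {"SecurityControlId": "CloudFront.1", "CurrentRegionAvailability": "UNAVAILABLE"},
        # RDS.14 is deliberately absent here: a control missing from a
        # Region's listing is treated as unavailable, same as UNAVAILABLE.
    ],
}


def unavailable_controls(definitions):
    """Sorted IDs of controls explicitly marked UNAVAILABLE in one Region."""
    return sorted(
        d["SecurityControlId"]
        for d in definitions
        if d.get("CurrentRegionAvailability") == "UNAVAILABLE"
    )


def coverage_gaps(per_region):
    """For each Region, the controls it cannot evaluate but another Region can.

    A control counts as a gap in a Region when it is AVAILABLE in at least
    one Region of the set but not AVAILABLE (UNAVAILABLE or missing) there.
    """
    availability = {}
    for region, defs in per_region.items():
        for d in defs:
            by_region = availability.setdefault(d["SecurityControlId"], {})
            by_region[region] = d.get("CurrentRegionAvailability")

    gaps = {region: [] for region in per_region}
    for control_id, by_region in availability.items():
        if not any(v == "AVAILABLE" for v in by_region.values()):
            continue  # unavailable everywhere: no Region is worse off
        for region in per_region:
            if by_region.get(region) != "AVAILABLE":
                gaps[region].append(control_id)
    return {region: sorted(ids) for region, ids in gaps.items()}


def fetch_definitions(region):
    """Live query for one Region; boto3 is imported lazily so the offline
    part of this example does not need the SDK installed."""
    import boto3  # assumption: boto3 available and credentials configured

    client = boto3.client("securityhub", region_name=region)
    definitions, kwargs = [], {}
    while True:
        page = client.list_security_control_definitions(**kwargs)
        definitions.extend(page.get("SecurityControlDefinitions", []))
        token = page.get("NextToken")
        if not token:
            return definitions
        kwargs = {"NextToken": token}


if __name__ == "__main__":
    # Swap SAMPLE_DEFINITIONS for {r: fetch_definitions(r) for r in regions}
    # to run this against a real account.
    for region, defs in SAMPLE_DEFINITIONS.items():
        print(region, "unavailable:", unavailable_controls(defs))
    print("coverage gaps:", coverage_gaps(SAMPLE_DEFINITIONS))
```

Run it against every Region where you deploy workloads, not only the aggregation Region: the gap list for each Region is the set of controls whose absence from the aggregated view means "not evaluated", not "compliant".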

## AWS GovCloud (US-East)
<a name="securityhub-control-support-usgoveast1"></a>

The following controls are not supported in the AWS GovCloud (US-East) Region.
+  [[ACM.2] RSA certificates managed by ACM should use a key length of at least 2,048 bits](acm-controls.md#acm-2) 
+  [[Account.1] Security contact information should be provided for an AWS account](account-controls.md#account-1) 
+  [[Account.2] AWS accounts should be part of an AWS Organizations organization](account-controls.md#account-2) 
+  [[APIGateway.2] API Gateway REST API stages should be configured to use SSL certificates for backend authentication](apigateway-controls.md#apigateway-2) 
+  [[APIGateway.8] API Gateway routes should specify an authorization type](apigateway-controls.md#apigateway-8) 
+  [[APIGateway.9] Access logging should be configured for API Gateway V2 Stages](apigateway-controls.md#apigateway-9) 
+  [[APIGateway.10] API Gateway V2 integrations should use HTTPS for private connections](apigateway-controls.md#apigateway-10) 
+  [[Amplify.1] Amplify apps should be tagged](amplify-controls.md#amplify-1) 
+  [[Amplify.2] Amplify branches should be tagged](amplify-controls.md#amplify-2) 
+  [[AppConfig.1] AWS AppConfig applications should be tagged](appconfig-controls.md#appconfig-1) 
+  [[AppConfig.2] AWS AppConfig configuration profiles should be tagged](appconfig-controls.md#appconfig-2) 
+  [[AppConfig.3] AWS AppConfig environments should be tagged](appconfig-controls.md#appconfig-3) 
+  [[AppConfig.4] AWS AppConfig extension associations should be tagged](appconfig-controls.md#appconfig-4) 
+  [[AppFlow.1] Amazon AppFlow flows should be tagged](appflow-controls.md#appflow-1) 
+  [[AppRunner.1] App Runner services should be tagged](apprunner-controls.md#apprunner-1) 
+  [[AppRunner.2] App Runner VPC connectors should be tagged](apprunner-controls.md#apprunner-2) 
+  [[AppSync.1] AWS AppSync API caches should be encrypted at rest](appsync-controls.md#appsync-1) 
+  [[AppSync.2] AWS AppSync should have field-level logging enabled](appsync-controls.md#appsync-2) 
+  [[AppSync.4] AWS AppSync GraphQL APIs should be tagged](appsync-controls.md#appsync-4) 
+  [[AppSync.5] AWS AppSync GraphQL APIs should not be authenticated with API keys](appsync-controls.md#appsync-5) 
+  [[AppSync.6] AWS AppSync API caches should be encrypted in transit](appsync-controls.md#appsync-6) 
+  [[AutoScaling.2] Amazon EC2 Auto Scaling group should cover multiple Availability Zones](autoscaling-controls.md#autoscaling-2) 
+  [[AutoScaling.3] Auto Scaling group launch configurations should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2)](autoscaling-controls.md#autoscaling-3) 
+  [[AutoScaling.6] Auto Scaling groups should use multiple instance types in multiple Availability Zones](autoscaling-controls.md#autoscaling-6) 
+  [[AutoScaling.9] Amazon EC2 Auto Scaling groups should use Amazon EC2 launch templates](autoscaling-controls.md#autoscaling-9) 
+  [[Backup.4] AWS Backup report plans should be tagged](backup-controls.md#backup-4) 
+  [[Batch.1] Batch job queues should be tagged](batch-controls.md#batch-1) 
+  [[Batch.2] Batch scheduling policies should be tagged](batch-controls.md#batch-2) 
+  [[Batch.3] Batch compute environments should be tagged](batch-controls.md#batch-3) 
+  [[Batch.4] Compute resources properties in managed Batch compute environments should be tagged](batch-controls.md#batch-4) 
+  [[CloudFront.1] CloudFront distributions should have a default root object configured](cloudfront-controls.md#cloudfront-1) 
+  [[CloudFront.3] CloudFront distributions should require encryption in transit](cloudfront-controls.md#cloudfront-3) 
+  [[CloudFront.4] CloudFront distributions should have origin failover configured](cloudfront-controls.md#cloudfront-4) 
+  [[CloudFront.5] CloudFront distributions should have logging enabled](cloudfront-controls.md#cloudfront-5) 
+  [[CloudFront.6] CloudFront distributions should have WAF enabled](cloudfront-controls.md#cloudfront-6) 
+  [[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates](cloudfront-controls.md#cloudfront-7) 
+  [[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests](cloudfront-controls.md#cloudfront-8) 
+  [[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins](cloudfront-controls.md#cloudfront-9) 
+  [[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins](cloudfront-controls.md#cloudfront-10) 
+  [[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins](cloudfront-controls.md#cloudfront-12) 
+  [[CloudFront.13] CloudFront distributions should use origin access control](cloudfront-controls.md#cloudfront-13) 
+  [[CloudFront.14] CloudFront distributions should be tagged](cloudfront-controls.md#cloudfront-14) 
+  [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](cloudfront-controls.md#cloudfront-15) 
+  [[CloudFront.16] CloudFront distributions should use origin access control for Lambda function URL origins](cloudfront-controls.md#cloudfront-16) 
+  [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](cloudfront-controls.md#cloudfront-17) 
+  [[CloudWatch.17] CloudWatch alarm actions should be activated](cloudwatch-controls.md#cloudwatch-17) 
+  [[CodeArtifact.1] CodeArtifact repositories should be tagged](codeartifact-controls.md#codeartifact-1) 
+  [[CodeBuild.3] CodeBuild S3 logs should be encrypted](codebuild-controls.md#codebuild-3) 
+  [[CodeBuild.4] CodeBuild project environments should have a logging AWS Configuration](codebuild-controls.md#codebuild-4) 
+  [[CodeGuruProfiler.1] CodeGuru Profiler profiling groups should be tagged](codeguruprofiler-controls.md#codeguruprofiler-1) 
+  [[CodeGuruReviewer.1] CodeGuru Reviewer repository associations should be tagged](codegurureviewer-controls.md#codegurureviewer-1) 
+  [[Cognito.1] Cognito user pools should have threat protection activated with full function enforcement mode for standard authentication](cognito-controls.md#cognito-1) 
+  [[Cognito.2] Cognito identity pools should not allow unauthenticated identities](cognito-controls.md#cognito-2) 
+  [[Cognito.3] Password policies for Cognito user pools should have strong configurations](cognito-controls.md#cognito-3) 
+  [[Cognito.4] Cognito user pools should have threat protection activated with full function enforcement mode for custom authentication](cognito-controls.md#cognito-4) 
+  [[Cognito.5] MFA should be enabled for Cognito user pools](cognito-controls.md#cognito-5) 
+  [[Cognito.6] Cognito user pools should have deletion protection enabled](cognito-controls.md#cognito-6) 
+  [[Connect.1] Amazon Connect Customer Profiles object types should be tagged](connect-controls.md#connect-1) 
+  [[Connect.2] Amazon Connect instances should have CloudWatch logging enabled](connect-controls.md#connect-2) 
+  [[DataSync.2] DataSync tasks should be tagged](datasync-controls.md#datasync-2) 
+  [[DMS.2] DMS certificates should be tagged](dms-controls.md#dms-2) 
+  [[DMS.6] DMS replication instances should have automatic minor version upgrade enabled](dms-controls.md#dms-6) 
+  [[DMS.7] DMS replication tasks for the target database should have logging enabled](dms-controls.md#dms-7) 
+  [[DMS.8] DMS replication tasks for the source database should have logging enabled](dms-controls.md#dms-8) 
+  [[DMS.9] DMS endpoints should use SSL](dms-controls.md#dms-9) 
+  [[DocumentDB.1] Amazon DocumentDB clusters should be encrypted at rest](documentdb-controls.md#documentdb-1) 
+  [[DocumentDB.2] Amazon DocumentDB clusters should have an adequate backup retention period](documentdb-controls.md#documentdb-2) 
+  [[DocumentDB.3] Amazon DocumentDB manual cluster snapshots should not be public](documentdb-controls.md#documentdb-3) 
+  [[DocumentDB.4] Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs](documentdb-controls.md#documentdb-4) 
+  [[DocumentDB.5] Amazon DocumentDB clusters should have deletion protection enabled](documentdb-controls.md#documentdb-5) 
+  [[DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest](dynamodb-controls.md#dynamodb-3) 
+  [[DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit](dynamodb-controls.md#dynamodb-7) 
+  [[EC2.21] Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389](ec2-controls.md#ec2-21) 
+  [[EC2.22] Unused Amazon EC2 security groups should be removed](ec2-controls.md#ec2-22) 
+  [[EC2.23] Amazon EC2 Transit Gateways should not automatically accept VPC attachment requests](ec2-controls.md#ec2-23) 
+  [[EC2.24] Amazon EC2 paravirtual instance types should not be used](ec2-controls.md#ec2-24) 
+  [[EC2.25] Amazon EC2 launch templates should not assign public IPs to network interfaces](ec2-controls.md#ec2-25) 
+  [[EC2.47] Amazon VPC endpoint services should be tagged](ec2-controls.md#ec2-47) 
+  [[EC2.52] EC2 transit gateways should be tagged](ec2-controls.md#ec2-52) 
+  [[EC2.58] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager Contacts](ec2-controls.md#ec2-58) 
+  [[EC2.60] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager](ec2-controls.md#ec2-60) 
+  [[EC2.170] EC2 launch templates should use Instance Metadata Service Version 2 (IMDSv2)](ec2-controls.md#ec2-170) 
+  [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](ec2-controls.md#ec2-173) 
+  [[EC2.174] EC2 DHCP option sets should be tagged](ec2-controls.md#ec2-174) 
+  [[EC2.175] EC2 launch templates should be tagged](ec2-controls.md#ec2-175) 
+  [[EC2.176] EC2 prefix lists should be tagged](ec2-controls.md#ec2-176) 
+  [[EC2.177] EC2 traffic mirror sessions should be tagged](ec2-controls.md#ec2-177) 
+  [[EC2.178] EC2 traffic mirror filters should be tagged](ec2-controls.md#ec2-178) 
+  [[EC2.179] EC2 traffic mirror targets should be tagged](ec2-controls.md#ec2-179) 
+  [[ECR.1] ECR private repositories should have image scanning configured](ecr-controls.md#ecr-1) 
+  [[ECR.2] ECR private repositories should have tag immutability configured](ecr-controls.md#ecr-2) 
+  [[ECR.3] ECR repositories should have at least one lifecycle policy configured](ecr-controls.md#ecr-3) 
+  [[ECR.4] ECR public repositories should be tagged](ecr-controls.md#ecr-4) 
+  [[ECS.3] ECS task definitions should not share the host's process namespace](ecs-controls.md#ecs-3) 
+  [[ECS.4] ECS containers should run as non-privileged](ecs-controls.md#ecs-4) 
+  [[ECS.5] ECS task definitions should configure containers to be limited to read-only access to root filesystems](ecs-controls.md#ecs-5) 
+  [[ECS.8] Secrets should not be passed as container environment variables](ecs-controls.md#ecs-8) 
+  [[ECS.9] ECS task definitions should have a logging configuration](ecs-controls.md#ecs-9) 
+  [[ECS.10] ECS Fargate services should run on the latest Fargate platform version](ecs-controls.md#ecs-10) 
+  [[ECS.12] ECS clusters should use Container Insights](ecs-controls.md#ecs-12) 
+  [[EFS.3] EFS access points should enforce a root directory](efs-controls.md#efs-3) 
+  [[EFS.4] EFS access points should enforce a user identity](efs-controls.md#efs-4) 
+  [[EKS.2] EKS clusters should run on a supported Kubernetes version](eks-controls.md#eks-2) 
+  [[EKS.8] EKS clusters should have audit logging enabled](eks-controls.md#eks-8) 
+  [[ELB.10] Classic Load Balancer should span multiple Availability Zones](elb-controls.md#elb-10) 
+  [[ELB.12] Application Load Balancer should be configured with defensive or strictest desync mitigation mode](elb-controls.md#elb-12) 
+  [[ELB.13] Application, Network and Gateway Load Balancers should span multiple Availability Zones](elb-controls.md#elb-13) 
+  [[ELB.14] Classic Load Balancer should be configured with defensive or strictest desync mitigation mode](elb-controls.md#elb-14) 
+  [[ELB.21] Application and Network Load Balancer target groups should use encrypted health check protocols](elb-controls.md#elb-21) 
+  [[ELB.22] ELB target groups should use encrypted transport protocols](elb-controls.md#elb-22) 
+  [[ElastiCache.1] ElastiCache (Redis OSS) clusters should have automatic backups enabled](elasticache-controls.md#elasticache-1) 
+  [[ElastiCache.2] ElastiCache clusters should have automatic minor version upgrades enabled](elasticache-controls.md#elasticache-2) 
+  [[ElastiCache.3] ElastiCache replication groups should have automatic failover enabled](elasticache-controls.md#elasticache-3) 
+  [[ElastiCache.4] ElastiCache replication groups should be encrypted at rest](elasticache-controls.md#elasticache-4) 
+  [[ElastiCache.5] ElastiCache replication groups should be encrypted in transit](elasticache-controls.md#elasticache-5) 
+  [[ElastiCache.6] ElastiCache (Redis OSS) replication groups of earlier versions should have Redis OSS AUTH enabled](elasticache-controls.md#elasticache-6) 
+  [[ElastiCache.7] ElastiCache clusters should not use the default subnet group](elasticache-controls.md#elasticache-7) 
+  [[ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled](elasticbeanstalk-controls.md#elasticbeanstalk-1) 
+  [[ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled](elasticbeanstalk-controls.md#elasticbeanstalk-2) 
+  [[ElasticBeanstalk.3] Elastic Beanstalk should stream logs to CloudWatch](elasticbeanstalk-controls.md#elasticbeanstalk-3) 
+  [[EMR.2] Amazon EMR block public access setting should be enabled](emr-controls.md#emr-2) 
+  [[EMR.3] Amazon EMR security configurations should be encrypted at rest](emr-controls.md#emr-3) 
+  [[EMR.4] Amazon EMR security configurations should be encrypted in transit](emr-controls.md#emr-4) 
+  [[ES.4] Elasticsearch domain error logging to CloudWatch Logs should be enabled](es-controls.md#es-4) 
+  [[EventBridge.3] EventBridge custom event buses should have a resource-based policy attached](eventbridge-controls.md#eventbridge-3) 
+  [[EventBridge.4] EventBridge global endpoints should have event replication enabled](eventbridge-controls.md#eventbridge-4) 
+  [[FraudDetector.1] Amazon Fraud Detector entity types should be tagged](frauddetector-controls.md#frauddetector-1) 
+  [[FraudDetector.2] Amazon Fraud Detector labels should be tagged](frauddetector-controls.md#frauddetector-2) 
+  [[FraudDetector.3] Amazon Fraud Detector outcomes should be tagged](frauddetector-controls.md#frauddetector-3) 
+  [[FraudDetector.4] Amazon Fraud Detector variables should be tagged](frauddetector-controls.md#frauddetector-4) 
+  [[FSx.1] FSx for OpenZFS file systems should be configured to copy tags to backups and volumes](fsx-controls.md#fsx-1) 
+  [[FSx.2] FSx for Lustre file systems should be configured to copy tags to backups](fsx-controls.md#fsx-2) 
+  [[GlobalAccelerator.1] Global Accelerator accelerators should be tagged](globalaccelerator-controls.md#globalaccelerator-1) 
+  [[Glue.3] AWS Glue machine learning transforms should be encrypted at rest](glue-controls.md#glue-3) 
+  [[GuardDuty.7] GuardDuty EKS Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-7) 
+  [[GuardDuty.8] GuardDuty Malware Protection for EC2 should be enabled](guardduty-controls.md#guardduty-8) 
+  [[GuardDuty.9] GuardDuty RDS Protection should be enabled](guardduty-controls.md#guardduty-9) 
+  [[GuardDuty.11] GuardDuty Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-11) 
+  [[GuardDuty.12] GuardDuty ECS Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-12) 
+  [[GuardDuty.13] GuardDuty EC2 Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-13) 
+  [[IAM.6] Hardware MFA should be enabled for the root user](iam-controls.md#iam-6) 
+  [[IAM.9] MFA should be enabled for the root user](iam-controls.md#iam-9) 
+  [[IAM.21] IAM customer managed policies that you create should not allow wildcard actions for services](iam-controls.md#iam-21) 
+  [[IAM.24] IAM roles should be tagged](iam-controls.md#iam-24) 
+  [[IAM.25] IAM users should be tagged](iam-controls.md#iam-25) 
+  [[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed](iam-controls.md#iam-26) 
+  [[IAM.28] IAM Access Analyzer external access analyzer should be enabled](iam-controls.md#iam-28) 
+  [[Inspector.3] Amazon Inspector Lambda code scanning should be enabled](inspector-controls.md#inspector-3) 
+  [[IoTEvents.1] AWS IoT Events inputs should be tagged](iotevents-controls.md#iotevents-1) 
+  [[IoTEvents.2] AWS IoT Events detector models should be tagged](iotevents-controls.md#iotevents-2) 
+  [[IoTEvents.3] AWS IoT Events alarm models should be tagged](iotevents-controls.md#iotevents-3) 
+  [[IoTSiteWise.1] AWS IoT SiteWise asset models should be tagged](iotsitewise-controls.md#iotsitewise-1) 
+  [[IoTSiteWise.2] AWS IoT SiteWise dashboards should be tagged](iotsitewise-controls.md#iotsitewise-2) 
+  [[IoTSiteWise.3] AWS IoT SiteWise gateways should be tagged](iotsitewise-controls.md#iotsitewise-3) 
+  [[IoTSiteWise.4] AWS IoT SiteWise portals should be tagged](iotsitewise-controls.md#iotsitewise-4) 
+  [[IoTSiteWise.5] AWS IoT SiteWise projects should be tagged](iotsitewise-controls.md#iotsitewise-5) 
+  [[IoTTwinMaker.1] AWS IoT TwinMaker sync jobs should be tagged](iottwinmaker-controls.md#iottwinmaker-1) 
+  [[IoTTwinMaker.2] AWS IoT TwinMaker workspaces should be tagged](iottwinmaker-controls.md#iottwinmaker-2) 
+  [[IoTTwinMaker.3] AWS IoT TwinMaker scenes should be tagged](iottwinmaker-controls.md#iottwinmaker-3) 
+  [[IoTTwinMaker.4] AWS IoT TwinMaker entities should be tagged](iottwinmaker-controls.md#iottwinmaker-4) 
+  [[IoTWireless.1] AWS IoT Wireless multicast groups should be tagged](iotwireless-controls.md#iotwireless-1) 
+  [[IoTWireless.2] AWS IoT Wireless service profiles should be tagged](iotwireless-controls.md#iotwireless-2) 
+  [[IoTWireless.3] AWS IoT FUOTA tasks should be tagged](iotwireless-controls.md#iotwireless-3) 
+  [[IVS.1] IVS playback key pairs should be tagged](ivs-controls.md#ivs-1) 
+  [[IVS.2] IVS recording configurations should be tagged](ivs-controls.md#ivs-2) 
+  [[IVS.3] IVS channels should be tagged](ivs-controls.md#ivs-3) 
+  [[Keyspaces.1] Amazon Keyspaces keyspaces should be tagged](keyspaces-controls.md#keyspaces-1) 
+  [[Kinesis.1] Kinesis streams should be encrypted at rest](kinesis-controls.md#kinesis-1) 
+  [[KMS.5] KMS keys should not be publicly accessible](kms-controls.md#kms-5) 
+  [[Lambda.5] VPC Lambda functions should operate in multiple Availability Zones](lambda-controls.md#lambda-5) 
+  [[Macie.1] Amazon Macie should be enabled](macie-controls.md#macie-1) 
+  [[Macie.2] Macie automated sensitive data discovery should be enabled](macie-controls.md#macie-2) 
+  [[MQ.5] ActiveMQ brokers should use active/standby deployment mode](mq-controls.md#mq-5) 
+  [[MQ.6] RabbitMQ brokers should use cluster deployment mode](mq-controls.md#mq-6) 
+  [[MSK.1] MSK clusters should be encrypted in transit among broker nodes](msk-controls.md#msk-1) 
+  [[MSK.2] MSK clusters should have enhanced monitoring configured](msk-controls.md#msk-2) 
+  [[MSK.3] MSK Connect connectors should be encrypted in transit](msk-controls.md#msk-3) 
+  [[MSK.5] MSK connectors should have logging enabled](msk-controls.md#msk-5) 
+  [[Neptune.1] Neptune DB clusters should be encrypted at rest](neptune-controls.md#neptune-1) 
+  [[Neptune.2] Neptune DB clusters should publish audit logs to CloudWatch Logs](neptune-controls.md#neptune-2) 
+  [[Neptune.3] Neptune DB cluster snapshots should not be public](neptune-controls.md#neptune-3) 
+  [[Neptune.4] Neptune DB clusters should have deletion protection enabled](neptune-controls.md#neptune-4) 
+  [[Neptune.5] Neptune DB clusters should have automated backups enabled](neptune-controls.md#neptune-5) 
+  [[Neptune.6] Neptune DB cluster snapshots should be encrypted at rest](neptune-controls.md#neptune-6) 
+  [[Neptune.7] Neptune DB clusters should have IAM database authentication enabled](neptune-controls.md#neptune-7) 
+  [[Neptune.8] Neptune DB clusters should be configured to copy tags to snapshots](neptune-controls.md#neptune-8) 
+  [[Neptune.9] Neptune DB clusters should be deployed across multiple Availability Zones](neptune-controls.md#neptune-9) 
+  [[NetworkFirewall.1] Network Firewall firewalls should be deployed across multiple Availability Zones](networkfirewall-controls.md#networkfirewall-1) 
+  [[NetworkFirewall.2] Network Firewall logging should be enabled](networkfirewall-controls.md#networkfirewall-2) 
+  [[NetworkFirewall.3] Network Firewall policies should have at least one rule group associated](networkfirewall-controls.md#networkfirewall-3) 
+  [[NetworkFirewall.4] The default stateless action for Network Firewall policies should be drop or forward for full packets](networkfirewall-controls.md#networkfirewall-4) 
+  [[NetworkFirewall.5] The default stateless action for Network Firewall policies should be drop or forward for fragmented packets](networkfirewall-controls.md#networkfirewall-5) 
+  [[NetworkFirewall.6] Stateless Network Firewall rule group should not be empty](networkfirewall-controls.md#networkfirewall-6) 
+  [[NetworkFirewall.9] Network Firewall firewalls should have deletion protection enabled](networkfirewall-controls.md#networkfirewall-9) 
+  [[Opensearch.1] OpenSearch domains should have encryption at rest enabled](opensearch-controls.md#opensearch-1) 
+  [[Opensearch.2] OpenSearch domains should not be publicly accessible](opensearch-controls.md#opensearch-2) 
+  [[Opensearch.3] OpenSearch domains should encrypt data sent between nodes](opensearch-controls.md#opensearch-3) 
+  [[Opensearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled](opensearch-controls.md#opensearch-4) 
+  [[Opensearch.5] OpenSearch domains should have audit logging enabled](opensearch-controls.md#opensearch-5) 
+  [[Opensearch.6] OpenSearch domains should have at least three data nodes](opensearch-controls.md#opensearch-6) 
+  [[Opensearch.7] OpenSearch domains should have fine-grained access control enabled](opensearch-controls.md#opensearch-7) 
+  [[Opensearch.8] Connections to OpenSearch domains should be encrypted using the latest TLS security policy](opensearch-controls.md#opensearch-8) 
+  [[PCA.1] AWS Private CA root certificate authority should be disabled](pca-controls.md#pca-1) 
+  [[PCA.2] AWS Private CA certificate authorities should be tagged](pca-controls.md#pca-2) 
+  [[RDS.14] Amazon Aurora clusters should have backtracking enabled](rds-controls.md#rds-14) 
+  [[RDS.15] RDS DB clusters should be configured for multiple Availability Zones](rds-controls.md#rds-15) 
+  [[RDS.24] RDS Database clusters should use a custom administrator username](rds-controls.md#rds-24) 
+  [[RDS.25] RDS database instances should use a custom administrator username](rds-controls.md#rds-25) 
+  [[RDS.27] RDS DB clusters should be encrypted at rest](rds-controls.md#rds-27) 
+  [[RDS.31] RDS DB security groups should be tagged](rds-controls.md#rds-31) 
+  [[RDS.34] Aurora MySQL DB clusters should publish audit logs to CloudWatch Logs](rds-controls.md#rds-34) 
+  [[RDS.35] RDS DB clusters should have automatic minor version upgrade enabled](rds-controls.md#rds-35) 
+  [[RDS.43] RDS DB proxies should require TLS encryption for connections](rds-controls.md#rds-43) 
+  [[RDS.45] Aurora MySQL DB clusters should have audit logging enabled](rds-controls.md#rds-45) 
+  [[RDS.47] RDS for PostgreSQL DB clusters should be configured to copy tags to DB snapshots](rds-controls.md#rds-47) 
+  [[RDS.48] RDS for MySQL DB clusters should be configured to copy tags to DB snapshots](rds-controls.md#rds-48) 
+  [[RDS.50] RDS DB clusters should have enough backup retention period set](rds-controls.md#rds-50) 
+  [[Redshift.8] Amazon Redshift clusters should not use the default Admin username](redshift-controls.md#redshift-8) 
+  [[Redshift.10] Redshift clusters should be encrypted at rest](redshift-controls.md#redshift-10) 
+  [[Redshift.17] Redshift cluster parameter groups should be tagged](redshift-controls.md#redshift-17) 
+  [[RedshiftServerless.1] Amazon Redshift Serverless workgroups should use enhanced VPC routing](redshiftserverless-controls.md#redshiftserverless-1) 
+  [[RedshiftServerless.2] Connections to Redshift Serverless workgroups should be required to use SSL](redshiftserverless-controls.md#redshiftserverless-2) 
+  [[RedshiftServerless.3] Redshift Serverless workgroups should prohibit public access](redshiftserverless-controls.md#redshiftserverless-3) 
+  [[RedshiftServerless.6] Redshift Serverless namespaces should export logs to CloudWatch Logs](redshiftserverless-controls.md#redshiftserverless-6) 
+  [[Route53.1] Route 53 health checks should be tagged](route53-controls.md#route53-1) 
+  [[Route53.2] Route 53 public hosted zones should log DNS queries](route53-controls.md#route53-2) 
+  [[S3.10] S3 general purpose buckets with versioning enabled should have Lifecycle configurations](s3-controls.md#s3-10) 
+  [[S3.11] S3 general purpose buckets should have event notifications enabled](s3-controls.md#s3-11) 
+  [[S3.12] ACLs should not be used to manage user access to S3 general purpose buckets](s3-controls.md#s3-12) 
+  [[S3.13] S3 general purpose buckets should have Lifecycle configurations](s3-controls.md#s3-13) 
+  [[S3.20] S3 general purpose buckets should have MFA delete enabled](s3-controls.md#s3-20) 
+  [[S3.24] S3 Multi-Region Access Points should have block public access settings enabled](s3-controls.md#s3-24) 
+  [[S3.25] S3 directory buckets should have lifecycle configurations](s3-controls.md#s3-25) 
+  [[SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access](sagemaker-controls.md#sagemaker-1) 
+  [[SageMaker.2] SageMaker notebook instances should be launched in a custom VPC](sagemaker-controls.md#sagemaker-2) 
+  [[SageMaker.3] Users should not have root access to SageMaker notebook instances](sagemaker-controls.md#sagemaker-3) 
+  [[SageMaker.5] SageMaker models should have network isolation enabled](sagemaker-controls.md#sagemaker-5) 
+  [[SageMaker.6] SageMaker app image configurations should be tagged](sagemaker-controls.md#sagemaker-6) 
+  [[SageMaker.7] SageMaker images should be tagged](sagemaker-controls.md#sagemaker-7) 
+  [[SageMaker.9] SageMaker data quality job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-9) 
+  [[SageMaker.10] SageMaker model explainability job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-10) 
+  [[SageMaker.11] SageMaker data quality job definitions should have network isolation enabled](sagemaker-controls.md#sagemaker-11) 
+  [[SageMaker.12] SageMaker model bias job definitions should have network isolation enabled](sagemaker-controls.md#sagemaker-12) 
+  [[SageMaker.13] SageMaker model quality job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-13) 
+  [[SageMaker.14] SageMaker monitoring schedules should have network isolation enabled](sagemaker-controls.md#sagemaker-14) 
+  [[SageMaker.15] SageMaker model bias job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-15) 
+  [[SES.1] SES contact lists should be tagged](ses-controls.md#ses-1) 
+  [[SES.2] SES configuration sets should be tagged](ses-controls.md#ses-2) 
+  [[SES.3] SES configuration sets should have TLS enabled for sending emails](ses-controls.md#ses-3) 
+  [[SNS.4] SNS topic access policies should not allow public access](sns-controls.md#sns-4) 
+  [[SQS.3] SQS queue access policies should not allow public access](sqs-controls.md#sqs-3) 
+  [[SSM.4] SSM documents should not be public](ssm-controls.md#ssm-4) 
+  [[SSM.5] SSM documents should be tagged](ssm-controls.md#ssm-5) 
+  [[SSM.6] SSM Automation should have CloudWatch logging enabled](ssm-controls.md#ssm-6) 
+  [[StepFunctions.1] Step Functions state machines should have logging turned on](stepfunctions-controls.md#stepfunctions-1) 
+  [[StepFunctions.2] Step Functions activities should be tagged](stepfunctions-controls.md#stepfunctions-2) 
+  [[Transfer.4] Transfer Family agreements should be tagged](transfer-controls.md#transfer-4) 
+  [[Transfer.5] Transfer Family certificates should be tagged](transfer-controls.md#transfer-5) 
+  [[Transfer.6] Transfer Family connectors should be tagged](transfer-controls.md#transfer-6) 
+  [[Transfer.7] Transfer Family profiles should be tagged](transfer-controls.md#transfer-7) 
+  [[WAF.1] AWS WAF Classic Global Web ACL logging should be enabled](waf-controls.md#waf-1) 
+  [[WAF.2] AWS WAF Classic Regional rules should have at least one condition](waf-controls.md#waf-2) 
+  [[WAF.3] AWS WAF Classic Regional rule groups should have at least one rule](waf-controls.md#waf-3) 
+  [[WAF.4] AWS WAF Classic Regional web ACLs should have at least one rule or rule group](waf-controls.md#waf-4) 
+  [[WAF.6] AWS WAF Classic global rules should have at least one condition](waf-controls.md#waf-6) 
+  [[WAF.7] AWS WAF Classic global rule groups should have at least one rule](waf-controls.md#waf-7) 
+  [[WAF.8] AWS WAF Classic global web ACLs should have at least one rule or rule group](waf-controls.md#waf-8) 
+  [[WAF.10] AWS WAF web ACLs should have at least one rule or rule group](waf-controls.md#waf-10) 
+  [[WAF.12] AWS WAF rules should have CloudWatch metrics enabled](waf-controls.md#waf-12) 
+  [[WorkSpaces.1] WorkSpaces user volumes should be encrypted at rest](workspaces-controls.md#workspaces-1) 
+  [[WorkSpaces.2] WorkSpaces root volumes should be encrypted at rest](workspaces-controls.md#workspaces-2) 

## AWS GovCloud (US-West)
<a name="securityhub-control-support-usgovwest1"></a>

The following controls are not supported in the AWS GovCloud (US-West) Region.
+  [[ACM.2] RSA certificates managed by ACM should use a key length of at least 2,048 bits](acm-controls.md#acm-2) 
+  [[Account.1] Security contact information should be provided for an AWS account](account-controls.md#account-1) 
+  [[Account.2] AWS accounts should be part of an AWS Organizations organization](account-controls.md#account-2) 
+  [[APIGateway.2] API Gateway REST API stages should be configured to use SSL certificates for backend authentication](apigateway-controls.md#apigateway-2) 
+  [[APIGateway.8] API Gateway routes should specify an authorization type](apigateway-controls.md#apigateway-8) 
+  [[APIGateway.9] Access logging should be configured for API Gateway V2 Stages](apigateway-controls.md#apigateway-9) 
+  [[APIGateway.10] API Gateway V2 integrations should use HTTPS for private connections](apigateway-controls.md#apigateway-10) 
+  [[Amplify.1] Amplify apps should be tagged](amplify-controls.md#amplify-1) 
+  [[Amplify.2] Amplify branches should be tagged](amplify-controls.md#amplify-2) 
+  [[AppConfig.1] AWS AppConfig applications should be tagged](appconfig-controls.md#appconfig-1) 
+  [[AppConfig.2] AWS AppConfig configuration profiles should be tagged](appconfig-controls.md#appconfig-2) 
+  [[AppConfig.3] AWS AppConfig environments should be tagged](appconfig-controls.md#appconfig-3) 
+  [[AppConfig.4] AWS AppConfig extension associations should be tagged](appconfig-controls.md#appconfig-4) 
+  [[AppFlow.1] Amazon AppFlow flows should be tagged](appflow-controls.md#appflow-1) 
+  [[AppRunner.1] App Runner services should be tagged](apprunner-controls.md#apprunner-1) 
+  [[AppRunner.2] App Runner VPC connectors should be tagged](apprunner-controls.md#apprunner-2) 
+  [[AppSync.1] AWS AppSync API caches should be encrypted at rest](appsync-controls.md#appsync-1) 
+  [[AppSync.2] AWS AppSync should have field-level logging enabled](appsync-controls.md#appsync-2) 
+  [[AppSync.4] AWS AppSync GraphQL APIs should be tagged](appsync-controls.md#appsync-4) 
+  [[AppSync.5] AWS AppSync GraphQL APIs should not be authenticated with API keys](appsync-controls.md#appsync-5) 
+  [[AppSync.6] AWS AppSync API caches should be encrypted in transit](appsync-controls.md#appsync-6) 
+  [[AutoScaling.2] Amazon EC2 Auto Scaling group should cover multiple Availability Zones](autoscaling-controls.md#autoscaling-2) 
+  [[AutoScaling.3] Auto Scaling group launch configurations should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2)](autoscaling-controls.md#autoscaling-3) 
+  [[AutoScaling.6] Auto Scaling groups should use multiple instance types in multiple Availability Zones](autoscaling-controls.md#autoscaling-6) 
+  [[AutoScaling.9] Amazon EC2 Auto Scaling groups should use Amazon EC2 launch templates](autoscaling-controls.md#autoscaling-9) 
+  [[Backup.4] AWS Backup report plans should be tagged](backup-controls.md#backup-4) 
+  [[Batch.1] Batch job queues should be tagged](batch-controls.md#batch-1) 
+  [[Batch.2] Batch scheduling policies should be tagged](batch-controls.md#batch-2) 
+  [[Batch.3] Batch compute environments should be tagged](batch-controls.md#batch-3) 
+  [[Batch.4] Compute resources properties in managed Batch compute environments should be tagged](batch-controls.md#batch-4) 
+  [[CloudFront.1] CloudFront distributions should have a default root object configured](cloudfront-controls.md#cloudfront-1) 
+  [[CloudFront.3] CloudFront distributions should require encryption in transit](cloudfront-controls.md#cloudfront-3) 
+  [[CloudFront.4] CloudFront distributions should have origin failover configured](cloudfront-controls.md#cloudfront-4) 
+  [[CloudFront.5] CloudFront distributions should have logging enabled](cloudfront-controls.md#cloudfront-5) 
+  [[CloudFront.6] CloudFront distributions should have WAF enabled](cloudfront-controls.md#cloudfront-6) 
+  [[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates](cloudfront-controls.md#cloudfront-7) 
+  [[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests](cloudfront-controls.md#cloudfront-8) 
+  [[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins](cloudfront-controls.md#cloudfront-9) 
+  [[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins](cloudfront-controls.md#cloudfront-10) 
+  [[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins](cloudfront-controls.md#cloudfront-12) 
+  [[CloudFront.13] CloudFront distributions should use origin access control](cloudfront-controls.md#cloudfront-13) 
+  [[CloudFront.14] CloudFront distributions should be tagged](cloudfront-controls.md#cloudfront-14) 
+  [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](cloudfront-controls.md#cloudfront-15) 
+  [[CloudFront.16] CloudFront distributions should use origin access control for Lambda function URL origins](cloudfront-controls.md#cloudfront-16) 
+  [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](cloudfront-controls.md#cloudfront-17) 
+  [[CloudWatch.17] CloudWatch alarm actions should be activated](cloudwatch-controls.md#cloudwatch-17) 
+  [[CodeArtifact.1] CodeArtifact repositories should be tagged](codeartifact-controls.md#codeartifact-1) 
+  [[CodeBuild.3] CodeBuild S3 logs should be encrypted](codebuild-controls.md#codebuild-3) 
+  [[CodeBuild.4] CodeBuild project environments should have a logging AWS Configuration](codebuild-controls.md#codebuild-4) 
+  [[CodeGuruProfiler.1] CodeGuru Profiler profiling groups should be tagged](codeguruprofiler-controls.md#codeguruprofiler-1) 
+  [[CodeGuruReviewer.1] CodeGuru Reviewer repository associations should be tagged](codegurureviewer-controls.md#codegurureviewer-1) 
+  [[Cognito.1] Cognito user pools should have threat protection activated with full function enforcement mode for standard authentication](cognito-controls.md#cognito-1) 
+  [[Cognito.3] Password policies for Cognito user pools should have strong configurations](cognito-controls.md#cognito-3) 
+  [[Cognito.4] Cognito user pools should have threat protection activated with full function enforcement mode for custom authentication](cognito-controls.md#cognito-4) 
+  [[Cognito.5] MFA should be enabled for Cognito user pools](cognito-controls.md#cognito-5) 
+  [[Cognito.6] Cognito user pools should have deletion protection enabled](cognito-controls.md#cognito-6) 
+  [[Connect.1] Amazon Connect Customer Profiles object types should be tagged](connect-controls.md#connect-1) 
+  [[DataSync.2] DataSync tasks should be tagged](datasync-controls.md#datasync-2) 
+  [[DMS.2] DMS certificates should be tagged](dms-controls.md#dms-2) 
+  [[DMS.6] DMS replication instances should have automatic minor version upgrade enabled](dms-controls.md#dms-6) 
+  [[DMS.7] DMS replication tasks for the target database should have logging enabled](dms-controls.md#dms-7) 
+  [[DMS.8] DMS replication tasks for the source database should have logging enabled](dms-controls.md#dms-8) 
+  [[DMS.9] DMS endpoints should use SSL](dms-controls.md#dms-9) 
+  [[DocumentDB.1] Amazon DocumentDB clusters should be encrypted at rest](documentdb-controls.md#documentdb-1) 
+  [[DocumentDB.2] Amazon DocumentDB clusters should have an adequate backup retention period](documentdb-controls.md#documentdb-2) 
+  [[DocumentDB.3] Amazon DocumentDB manual cluster snapshots should not be public](documentdb-controls.md#documentdb-3) 
+  [[DocumentDB.4] Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs](documentdb-controls.md#documentdb-4) 
+  [[DocumentDB.5] Amazon DocumentDB clusters should have deletion protection enabled](documentdb-controls.md#documentdb-5) 
+  [[DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest](dynamodb-controls.md#dynamodb-3) 
+  [[DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit](dynamodb-controls.md#dynamodb-7) 
+  [[EC2.21] Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389](ec2-controls.md#ec2-21) 
+  [[EC2.22] Unused Amazon EC2 security groups should be removed](ec2-controls.md#ec2-22) 
+  [[EC2.23] Amazon EC2 Transit Gateways should not automatically accept VPC attachment requests](ec2-controls.md#ec2-23) 
+  [[EC2.24] Amazon EC2 paravirtual instance types should not be used](ec2-controls.md#ec2-24) 
+  [[EC2.25] Amazon EC2 launch templates should not assign public IPs to network interfaces](ec2-controls.md#ec2-25) 
+  [[EC2.28] EBS volumes should be covered by a backup plan](ec2-controls.md#ec2-28) 
+  [[EC2.38] EC2 instances should be tagged](ec2-controls.md#ec2-38) 
+  [[EC2.58] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager Contacts](ec2-controls.md#ec2-58) 
+  [[EC2.60] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager](ec2-controls.md#ec2-60) 
+  [[EC2.170] EC2 launch templates should use Instance Metadata Service Version 2 (IMDSv2)](ec2-controls.md#ec2-170) 
+  [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](ec2-controls.md#ec2-173) 
+  [[EC2.174] EC2 DHCP option sets should be tagged](ec2-controls.md#ec2-174) 
+  [[EC2.175] EC2 launch templates should be tagged](ec2-controls.md#ec2-175) 
+  [[EC2.176] EC2 prefix lists should be tagged](ec2-controls.md#ec2-176) 
+  [[EC2.177] EC2 traffic mirror sessions should be tagged](ec2-controls.md#ec2-177) 
+  [[EC2.178] EC2 traffic mirror filters should be tagged](ec2-controls.md#ec2-178) 
+  [[EC2.179] EC2 traffic mirror targets should be tagged](ec2-controls.md#ec2-179) 
+  [[ECR.1] ECR private repositories should have image scanning configured](ecr-controls.md#ecr-1) 
+  [[ECR.2] ECR private repositories should have tag immutability configured](ecr-controls.md#ecr-2) 
+  [[ECR.3] ECR repositories should have at least one lifecycle policy configured](ecr-controls.md#ecr-3) 
+  [[ECR.4] ECR public repositories should be tagged](ecr-controls.md#ecr-4) 
+  [[ECS.3] ECS task definitions should not share the host's process namespace](ecs-controls.md#ecs-3) 
+  [[ECS.4] ECS containers should run as non-privileged](ecs-controls.md#ecs-4) 
+  [[ECS.5] ECS task definitions should configure containers to be limited to read-only access to root filesystems](ecs-controls.md#ecs-5) 
+  [[ECS.8] Secrets should not be passed as container environment variables](ecs-controls.md#ecs-8) 
+  [[ECS.9] ECS task definitions should have a logging configuration](ecs-controls.md#ecs-9) 
+  [[ECS.10] ECS Fargate services should run on the latest Fargate platform version](ecs-controls.md#ecs-10) 
+  [[ECS.12] ECS clusters should use Container Insights](ecs-controls.md#ecs-12) 
+  [[EFS.3] EFS access points should enforce a root directory](efs-controls.md#efs-3) 
+  [[EFS.4] EFS access points should enforce a user identity](efs-controls.md#efs-4) 
+  [[EKS.2] EKS clusters should run on a supported Kubernetes version](eks-controls.md#eks-2) 
+  [[EKS.8] EKS clusters should have audit logging enabled](eks-controls.md#eks-8) 
+  [[ELB.10] Classic Load Balancer should span multiple Availability Zones](elb-controls.md#elb-10) 
+  [[ELB.12] Application Load Balancer should be configured with defensive or strictest desync mitigation mode](elb-controls.md#elb-12) 
+  [[ELB.13] Application, Network and Gateway Load Balancers should span multiple Availability Zones](elb-controls.md#elb-13) 
+  [[ELB.14] Classic Load Balancer should be configured with defensive or strictest desync mitigation mode](elb-controls.md#elb-14) 
+  [[ELB.21] Application and Network Load Balancer target groups should use encrypted health check protocols](elb-controls.md#elb-21) 
+  [[ELB.22] ELB target groups should use encrypted transport protocols](elb-controls.md#elb-22) 
+  [[ElastiCache.1] ElastiCache (Redis OSS) clusters should have automatic backups enabled](elasticache-controls.md#elasticache-1) 
+  [[ElastiCache.2] ElastiCache clusters should have automatic minor version upgrades enabled](elasticache-controls.md#elasticache-2) 
+  [[ElastiCache.3] ElastiCache replication groups should have automatic failover enabled](elasticache-controls.md#elasticache-3) 
+  [[ElastiCache.4] ElastiCache replication groups should be encrypted at rest](elasticache-controls.md#elasticache-4) 
+  [[ElastiCache.5] ElastiCache replication groups should be encrypted in transit](elasticache-controls.md#elasticache-5) 
+  [[ElastiCache.6] ElastiCache (Redis OSS) replication groups of earlier versions should have Redis OSS AUTH enabled](elasticache-controls.md#elasticache-6) 
+  [[ElastiCache.7] ElastiCache clusters should not use the default subnet group](elasticache-controls.md#elasticache-7) 
+  [[ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled](elasticbeanstalk-controls.md#elasticbeanstalk-1) 
+  [[ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled](elasticbeanstalk-controls.md#elasticbeanstalk-2) 
+  [[ElasticBeanstalk.3] Elastic Beanstalk should stream logs to CloudWatch](elasticbeanstalk-controls.md#elasticbeanstalk-3) 
+  [[EMR.2] Amazon EMR block public access setting should be enabled](emr-controls.md#emr-2) 
+  [[EMR.3] Amazon EMR security configurations should be encrypted at rest](emr-controls.md#emr-3) 
+  [[EMR.4] Amazon EMR security configurations should be encrypted in transit](emr-controls.md#emr-4) 
+  [[ES.4] Elasticsearch domain error logging to CloudWatch Logs should be enabled](es-controls.md#es-4) 
+  [[EventBridge.3] EventBridge custom event buses should have a resource-based policy attached](eventbridge-controls.md#eventbridge-3) 
+  [[EventBridge.4] EventBridge global endpoints should have event replication enabled](eventbridge-controls.md#eventbridge-4) 
+  [[FraudDetector.1] Amazon Fraud Detector entity types should be tagged](frauddetector-controls.md#frauddetector-1) 
+  [[FraudDetector.2] Amazon Fraud Detector labels should be tagged](frauddetector-controls.md#frauddetector-2) 
+  [[FraudDetector.3] Amazon Fraud Detector outcomes should be tagged](frauddetector-controls.md#frauddetector-3) 
+  [[FraudDetector.4] Amazon Fraud Detector variables should be tagged](frauddetector-controls.md#frauddetector-4) 
+  [[FSx.1] FSx for OpenZFS file systems should be configured to copy tags to backups and volumes](fsx-controls.md#fsx-1) 
+  [[FSx.2] FSx for Lustre file systems should be configured to copy tags to backups](fsx-controls.md#fsx-2) 
+  [[GlobalAccelerator.1] Global Accelerator accelerators should be tagged](globalaccelerator-controls.md#globalaccelerator-1) 
+  [[GuardDuty.7] GuardDuty EKS Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-7) 
+  [[GuardDuty.8] GuardDuty Malware Protection for EC2 should be enabled](guardduty-controls.md#guardduty-8) 
+  [[GuardDuty.9] GuardDuty RDS Protection should be enabled](guardduty-controls.md#guardduty-9) 
+  [[GuardDuty.11] GuardDuty Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-11) 
+  [[GuardDuty.12] GuardDuty ECS Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-12) 
+  [[GuardDuty.13] GuardDuty EC2 Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-13) 
+  [[IAM.6] Hardware MFA should be enabled for the root user](iam-controls.md#iam-6) 
+  [[IAM.9] MFA should be enabled for the root user](iam-controls.md#iam-9) 
+  [[IAM.21] IAM customer managed policies that you create should not allow wildcard actions for services](iam-controls.md#iam-21) 
+  [[IAM.24] IAM roles should be tagged](iam-controls.md#iam-24) 
+  [[IAM.25] IAM users should be tagged](iam-controls.md#iam-25) 
+  [[IAM.28] IAM Access Analyzer external access analyzer should be enabled](iam-controls.md#iam-28) 
+  [[Inspector.3] Amazon Inspector Lambda code scanning should be enabled](inspector-controls.md#inspector-3) 
+  [[IoTEvents.1] AWS IoT Events inputs should be tagged](iotevents-controls.md#iotevents-1) 
+  [[IoTEvents.2] AWS IoT Events detector models should be tagged](iotevents-controls.md#iotevents-2) 
+  [[IoTEvents.3] AWS IoT Events alarm models should be tagged](iotevents-controls.md#iotevents-3) 
+  [[IoTSiteWise.1] AWS IoT SiteWise asset models should be tagged](iotsitewise-controls.md#iotsitewise-1) 
+  [[IoTSiteWise.2] AWS IoT SiteWise dashboards should be tagged](iotsitewise-controls.md#iotsitewise-2) 
+  [[IoTSiteWise.3] AWS IoT SiteWise gateways should be tagged](iotsitewise-controls.md#iotsitewise-3) 
+  [[IoTSiteWise.4] AWS IoT SiteWise portals should be tagged](iotsitewise-controls.md#iotsitewise-4) 
+  [[IoTSiteWise.5] AWS IoT SiteWise projects should be tagged](iotsitewise-controls.md#iotsitewise-5) 
+  [[IoTTwinMaker.1] AWS IoT TwinMaker sync jobs should be tagged](iottwinmaker-controls.md#iottwinmaker-1) 
+  [[IoTTwinMaker.2] AWS IoT TwinMaker workspaces should be tagged](iottwinmaker-controls.md#iottwinmaker-2) 
+  [[IoTTwinMaker.3] AWS IoT TwinMaker scenes should be tagged](iottwinmaker-controls.md#iottwinmaker-3) 
+  [[IoTTwinMaker.4] AWS IoT TwinMaker entities should be tagged](iottwinmaker-controls.md#iottwinmaker-4) 
+  [[IoTWireless.1] AWS IoT Wireless multicast groups should be tagged](iotwireless-controls.md#iotwireless-1) 
+  [[IoTWireless.2] AWS IoT Wireless service profiles should be tagged](iotwireless-controls.md#iotwireless-2) 
+  [[IoTWireless.3] AWS IoT FUOTA tasks should be tagged](iotwireless-controls.md#iotwireless-3) 
+  [[IVS.1] IVS playback key pairs should be tagged](ivs-controls.md#ivs-1) 
+  [[IVS.2] IVS recording configurations should be tagged](ivs-controls.md#ivs-2) 
+  [[IVS.3] IVS channels should be tagged](ivs-controls.md#ivs-3) 
+  [[Keyspaces.1] Amazon Keyspaces keyspaces should be tagged](keyspaces-controls.md#keyspaces-1) 
+  [[Kinesis.1] Kinesis streams should be encrypted at rest](kinesis-controls.md#kinesis-1) 
+  [[KMS.5] KMS keys should not be publicly accessible](kms-controls.md#kms-5) 
+  [[Lambda.5] VPC Lambda functions should operate in multiple Availability Zones](lambda-controls.md#lambda-5) 
+  [[Macie.1] Amazon Macie should be enabled](macie-controls.md#macie-1) 
+  [[Macie.2] Macie automated sensitive data discovery should be enabled](macie-controls.md#macie-2) 
+  [[MQ.5] ActiveMQ brokers should use active/standby deployment mode](mq-controls.md#mq-5) 
+  [[MQ.6] RabbitMQ brokers should use cluster deployment mode](mq-controls.md#mq-6) 
+  [[MSK.1] MSK clusters should be encrypted in transit among broker nodes](msk-controls.md#msk-1) 
+  [[MSK.2] MSK clusters should have enhanced monitoring configured](msk-controls.md#msk-2) 
+  [[MSK.3] MSK Connect connectors should be encrypted in transit](msk-controls.md#msk-3) 
+  [[MSK.5] MSK connectors should have logging enabled](msk-controls.md#msk-5) 
+  [[Neptune.1] Neptune DB clusters should be encrypted at rest](neptune-controls.md#neptune-1) 
+  [[Neptune.2] Neptune DB clusters should publish audit logs to CloudWatch Logs](neptune-controls.md#neptune-2) 
+  [[Neptune.3] Neptune DB cluster snapshots should not be public](neptune-controls.md#neptune-3) 
+  [[Neptune.4] Neptune DB clusters should have deletion protection enabled](neptune-controls.md#neptune-4) 
+  [[Neptune.5] Neptune DB clusters should have automated backups enabled](neptune-controls.md#neptune-5) 
+  [[Neptune.6] Neptune DB cluster snapshots should be encrypted at rest](neptune-controls.md#neptune-6) 
+  [[Neptune.7] Neptune DB clusters should have IAM database authentication enabled](neptune-controls.md#neptune-7) 
+  [[Neptune.8] Neptune DB clusters should be configured to copy tags to snapshots](neptune-controls.md#neptune-8) 
+  [[Neptune.9] Neptune DB clusters should be deployed across multiple Availability Zones](neptune-controls.md#neptune-9) 
+  [[NetworkFirewall.1] Network Firewall firewalls should be deployed across multiple Availability Zones](networkfirewall-controls.md#networkfirewall-1) 
+  [[NetworkFirewall.2] Network Firewall logging should be enabled](networkfirewall-controls.md#networkfirewall-2) 
+  [[NetworkFirewall.3] Network Firewall policies should have at least one rule group associated](networkfirewall-controls.md#networkfirewall-3) 
+  [[NetworkFirewall.4] The default stateless action for Network Firewall policies should be drop or forward for full packets](networkfirewall-controls.md#networkfirewall-4) 
+  [[NetworkFirewall.5] The default stateless action for Network Firewall policies should be drop or forward for fragmented packets](networkfirewall-controls.md#networkfirewall-5) 
+  [[NetworkFirewall.6] Stateless Network Firewall rule group should not be empty](networkfirewall-controls.md#networkfirewall-6) 
+  [[NetworkFirewall.9] Network Firewall firewalls should have deletion protection enabled](networkfirewall-controls.md#networkfirewall-9) 
+  [[Opensearch.1] OpenSearch domains should have encryption at rest enabled](opensearch-controls.md#opensearch-1) 
+  [[Opensearch.2] OpenSearch domains should not be publicly accessible](opensearch-controls.md#opensearch-2) 
+  [[Opensearch.3] OpenSearch domains should encrypt data sent between nodes](opensearch-controls.md#opensearch-3) 
+  [[Opensearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled](opensearch-controls.md#opensearch-4) 
+  [[Opensearch.5] OpenSearch domains should have audit logging enabled](opensearch-controls.md#opensearch-5) 
+  [[Opensearch.6] OpenSearch domains should have at least three data nodes](opensearch-controls.md#opensearch-6) 
+  [[Opensearch.7] OpenSearch domains should have fine-grained access control enabled](opensearch-controls.md#opensearch-7) 
+  [[Opensearch.8] Connections to OpenSearch domains should be encrypted using the latest TLS security policy](opensearch-controls.md#opensearch-8) 
+  [[PCA.1] AWS Private CA root certificate authority should be disabled](pca-controls.md#pca-1) 
+  [[PCA.2] AWS Private CA certificate authorities should be tagged](pca-controls.md#pca-2) 
+  [[RDS.14] Amazon Aurora clusters should have backtracking enabled](rds-controls.md#rds-14) 
+  [[RDS.15] RDS DB clusters should be configured for multiple Availability Zones](rds-controls.md#rds-15) 
+  [[RDS.24] RDS Database clusters should use a custom administrator username](rds-controls.md#rds-24) 
+  [[RDS.25] RDS database instances should use a custom administrator username](rds-controls.md#rds-25) 
+  [[RDS.27] RDS DB clusters should be encrypted at rest](rds-controls.md#rds-27) 
+  [[RDS.34] Aurora MySQL DB clusters should publish audit logs to CloudWatch Logs](rds-controls.md#rds-34) 
+  [[RDS.35] RDS DB clusters should have automatic minor version upgrade enabled](rds-controls.md#rds-35) 
+  [[RDS.43] RDS DB proxies should require TLS encryption for connections](rds-controls.md#rds-43) 
+  [[RDS.45] Aurora MySQL DB clusters should have audit logging enabled](rds-controls.md#rds-45) 
+  [[RDS.47] RDS for PostgreSQL DB clusters should be configured to copy tags to DB snapshots](rds-controls.md#rds-47) 
+  [[RDS.48] RDS for MySQL DB clusters should be configured to copy tags to DB snapshots](rds-controls.md#rds-48) 
+  [[RDS.50] RDS DB clusters should have enough backup retention period set](rds-controls.md#rds-50) 
+  [[Redshift.7] Redshift clusters should use enhanced VPC routing](redshift-controls.md#redshift-7) 
+  [[Redshift.8] Amazon Redshift clusters should not use the default Admin username](redshift-controls.md#redshift-8) 
+  [[Redshift.10] Redshift clusters should be encrypted at rest](redshift-controls.md#redshift-10) 
+  [[Redshift.11] Redshift clusters should be tagged](redshift-controls.md#redshift-11) 
+  [[Redshift.13] Redshift cluster snapshots should be tagged](redshift-controls.md#redshift-13) 
+  [[Redshift.17] Redshift cluster parameter groups should be tagged](redshift-controls.md#redshift-17) 
+  [[RedshiftServerless.1] Amazon Redshift Serverless workgroups should use enhanced VPC routing](redshiftserverless-controls.md#redshiftserverless-1) 
+  [[RedshiftServerless.2] Connections to Redshift Serverless workgroups should be required to use SSL](redshiftserverless-controls.md#redshiftserverless-2) 
+  [[RedshiftServerless.3] Redshift Serverless workgroups should prohibit public access](redshiftserverless-controls.md#redshiftserverless-3) 
+  [[RedshiftServerless.6] Redshift Serverless namespaces should export logs to CloudWatch Logs](redshiftserverless-controls.md#redshiftserverless-6) 
+  [[Route53.1] Route 53 health checks should be tagged](route53-controls.md#route53-1) 
+  [[Route53.2] Route 53 public hosted zones should log DNS queries](route53-controls.md#route53-2) 
+  [[S3.10] S3 general purpose buckets with versioning enabled should have Lifecycle configurations](s3-controls.md#s3-10) 
+  [[S3.11] S3 general purpose buckets should have event notifications enabled](s3-controls.md#s3-11) 
+  [[S3.12] ACLs should not be used to manage user access to S3 general purpose buckets](s3-controls.md#s3-12) 
+  [[S3.13] S3 general purpose buckets should have Lifecycle configurations](s3-controls.md#s3-13) 
+  [[S3.20] S3 general purpose buckets should have MFA delete enabled](s3-controls.md#s3-20) 
+  [[S3.24] S3 Multi-Region Access Points should have block public access settings enabled](s3-controls.md#s3-24) 
+  [[S3.25] S3 directory buckets should have lifecycle configurations](s3-controls.md#s3-25) 
+  [[SageMaker.2] SageMaker notebook instances should be launched in a custom VPC](sagemaker-controls.md#sagemaker-2) 
+  [[SageMaker.3] Users should not have root access to SageMaker notebook instances](sagemaker-controls.md#sagemaker-3) 
+  [[SageMaker.5] SageMaker models should have network isolation enabled](sagemaker-controls.md#sagemaker-5) 
+  [[SageMaker.6] SageMaker app image configurations should be tagged](sagemaker-controls.md#sagemaker-6) 
+  [[SageMaker.7] SageMaker images should be tagged](sagemaker-controls.md#sagemaker-7) 
+  [[SageMaker.9] SageMaker data quality job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-9) 
+  [[SageMaker.10] SageMaker model explainability job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-10) 
+  [[SageMaker.11] SageMaker data quality job definitions should have network isolation enabled](sagemaker-controls.md#sagemaker-11) 
+  [[SageMaker.12] SageMaker model bias job definitions should have network isolation enabled](sagemaker-controls.md#sagemaker-12) 
+  [[SageMaker.13] SageMaker model quality job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-13) 
+  [[SageMaker.14] SageMaker monitoring schedules should have network isolation enabled](sagemaker-controls.md#sagemaker-14) 
+  [[SageMaker.15] SageMaker model bias job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-15) 
+  [[SES.3] SES configuration sets should have TLS enabled for sending emails](ses-controls.md#ses-3) 
+  [[SNS.4] SNS topic access policies should not allow public access](sns-controls.md#sns-4) 
+  [[SQS.3] SQS queue access policies should not allow public access](sqs-controls.md#sqs-3) 
+  [[SSM.4] SSM documents should not be public](ssm-controls.md#ssm-4) 
+  [[SSM.5] SSM documents should be tagged](ssm-controls.md#ssm-5) 
+  [[StepFunctions.1] Step Functions state machines should have logging turned on](stepfunctions-controls.md#stepfunctions-1) 
+  [[StepFunctions.2] Step Functions activities should be tagged](stepfunctions-controls.md#stepfunctions-2) 
+  [[Transfer.4] Transfer Family agreements should be tagged](transfer-controls.md#transfer-4) 
+  [[Transfer.5] Transfer Family certificates should be tagged](transfer-controls.md#transfer-5) 
+  [[Transfer.6] Transfer Family connectors should be tagged](transfer-controls.md#transfer-6) 
+  [[Transfer.7] Transfer Family profiles should be tagged](transfer-controls.md#transfer-7) 
+  [[WAF.1] AWS WAF Classic Global Web ACL logging should be enabled](waf-controls.md#waf-1) 
+  [[WAF.2] AWS WAF Classic Regional rules should have at least one condition](waf-controls.md#waf-2) 
+  [[WAF.3] AWS WAF Classic Regional rule groups should have at least one rule](waf-controls.md#waf-3) 
+  [[WAF.4] AWS WAF Classic Regional web ACLs should have at least one rule or rule group](waf-controls.md#waf-4) 
+  [[WAF.6] AWS WAF Classic global rules should have at least one condition](waf-controls.md#waf-6) 
+  [[WAF.7] AWS WAF Classic global rule groups should have at least one rule](waf-controls.md#waf-7) 
+  [[WAF.8] AWS WAF Classic global web ACLs should have at least one rule or rule group](waf-controls.md#waf-8) 
+  [[WAF.10] AWS WAF web ACLs should have at least one rule or rule group](waf-controls.md#waf-10) 
+  [[WAF.12] AWS WAF rules should have CloudWatch metrics enabled](waf-controls.md#waf-12) 