Impact of consolidation on ASFF fields and values
Security Hub offers two types of consolidation:
-
Consolidated controls view (always on; can't be turned off) – Each control has a single identifier across standards. The Controls page of the Security Hub console displays all your controls across standards.
-
Consolidated control findings (can be turned on or off) – When consolidated control findings is turned on, Security Hub produces a single finding for a security check even when a check is shared across multiple standards. This is intended to reduce finding noise. Consolidated control findings is turned on for you by default if you enabled Security Hub on or after February 23, 2023. Otherwise, it's turned off by default. However, consolidated control findings is turned on in Security Hub member accounts only if it's turned on in the administrator account. If the feature is turned off in the administrator account, it's turned off in member accounts. For instructions on turning on this feature, see Turning on consolidated control findings.
Both features bring changes to control finding fields and values in the AWS Security Finding Format (ASFF). This section summarizes those changes.
Consolidated controls view – ASFF changes
The consolidated controls view feature introduced the following changes to control finding fields and values in the ASFF.
If your workflows don’t rely on the values of these control finding fields, no action is required.
If you have workflows that rely on the specific values of these control finding fields, update your workflows to use the current values.
| ASFF field | Sample value before consolidated controls view | Sample value after consolidated controls view, plus description of change |
|---|---|---|
|
Compliance.SecurityControlId |
Not applicable (new field) |
EC2.2 Introduces a single control ID across standards.
|
|
Compliance.AssociatedStandards |
Not applicable (new field) |
[{"StandardsId": "standards/aws-foundational-security-best-practices/v/1.0.0"}] Shows which standards a control is enabled in. |
|
ProductFields.ArchivalReasons:0/Description |
Not applicable (new field) |
"The finding is in an ARCHIVED state because consolidated control findings has been turned on or off. This causes findings in the previous state to be archived when new findings are being generated." Describes why Security Hub has archived existing findings. |
|
ProductFields.ArchivalReasons:0/ReasonCode |
Not applicable (new field) |
"CONSOLIDATED_CONTROL_FINDINGS_UPDATE" Provides the reason why Security Hub has archived existing findings. |
|
ProductFields.RecommendationUrl |
https://docs.aws.amazon.com/console/securityhub/PCI.EC2.2/remediation |
https://docs.aws.amazon.com/console/securityhub/EC2.2/remediation This field no longer references a standard. |
|
Remediation.Recommendation.Text |
"For directions on how to fix this issue, consult the AWS Security Hub PCI DSS documentation." |
"For directions on how to correct this issue, consult the AWS Security Hub controls documentation." This field no longer references a standard. |
|
Remediation.Recommendation.Url |
https://docs.aws.amazon.com/console/securityhub/PCI.EC2.2/remediation |
https://docs.aws.amazon.com/console/securityhub/EC2.2/remediation This field no longer references a standard. |
Consolidated control findings – ASFF changes
If you turn on consolidated control findings, you may be impacted by the following changes to control finding fields and values in the ASFF. These changes are in addition to the changes previously described for consolidated controls view.
If your workflows don’t rely on the values of these control finding fields, no action is required.
If you have workflows that rely on the specific values of these control finding fields, update your workflows to use the current values.
Note
Automated Security Response on AWS v2.0.0
| ASFF field | Example value before turning on consolidated control findings | Example value after turning on consolidated control findings, and description of change |
|---|---|---|
| GeneratorId | aws-foundational-security-best-practices/v/1.0.0/Config.1 |
security-control/Config.1
This field no longer references a standard. |
| Title | PCI.Config.1 AWS Config should be enabled |
AWS Config should be enabled
This field no longer references standard-specific information. |
| Id |
arn:aws:securityhub:eu-central-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.IAM.5/finding/ab6d6a26-a156-48f0-9403-115983e5a956 |
arn:aws:securityhub:eu-central-1:123456789012:security-control/iam.9/finding/ab6d6a26-a156-48f0-9403-115983e5a956 This field no longer references a standard. |
| ProductFields.ControlId | PCI.EC2.2 |
Removed.
See Compliance.SecurityControlId instead.
This field is removed in favor of a single, standard-agnostic control ID. |
| ProductFields.RuleId | 1.3 |
Removed. See Compliance.SecurityControlId instead.
This field is removed in favor of a single, standard-agnostic control ID. |
| Description | This PCI DSS control checks whether AWS Config is enabled in the current account and region. |
This AWS control checks whether AWS Config is enabled in the current account and region.
This field no longer references a standard. |
| Severity |
"Severity": { "Product": 90, "Label": "CRITICAL", "Normalized": 90, "Original": "CRITICAL" } |
"Severity": { "Label": "CRITICAL", "Normalized": 90, "Original": "CRITICAL" } Security Hub no longer uses the Product field to describe the severity of a finding. |
| Types | ["Software and Configuration Checks/Industry and Regulatory Standards/PCI-DSS"] |
["Software and Configuration Checks/Industry and Regulatory Standards"]
This field no longer references a standard. |
| Compliance.RelatedRequirements |
["PCI DSS 10.5.2", "PCI DSS 11.5"] |
["PCI DSS v3.2.1/10.5.2", "PCI DSS v3.2.1/11.5", "CIS AWS Foundations Benchmark v1.2.0/2.5"] This field shows related requirements in all enabled standards. |
| CreatedAt | 2022-05-05T08:18:13.138Z |
2022-09-25T08:18:13.138Z
Format remains the same, but value resets when you turn on consolidated control findings. |
| FirstObservedAt | 2022-05-07T08:18:13.138Z |
2022-09-28T08:18:13.138Z
Format remains the same, but value resets when you turn on consolidated control findings. |
| ProductFields.RecommendationUrl | https://docs.aws.amazon.com/console/securityhub/EC2.2/remediation |
Removed. See Remediation.Recommendation.Url instead.
|
| ProductFields.StandardsArn |
arn:aws:securityhub:::standards/aws-foundational-security-best-practices/v/1.0.0 |
Removed. See Compliance.AssociatedStandards instead.
|
| ProductFields.StandardsControlArn |
arn:aws:securityhub:us-east-1:123456789012:control/aws-foundational-security-best-practices/v/1.0.0/Config.1 |
Removed. Security Hub generates one finding for a security check across standards. |
| ProductFields.StandardsGuideArn | arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0 |
Removed. See Compliance.AssociatedStandards instead.
|
| ProductFields.StandardsGuideSubscriptionArn | arn:aws:securityhub:us-east-2:123456789012:subscription/cis-aws-foundations-benchmark/v/1.2.0 | Removed. Security Hub generates one finding for a security check across standards. |
| ProductFields.StandardsSubscriptionArn | arn:aws:securityhub:us-east-1:123456789012:subscription/aws-foundational-security-best-practices/v/1.0.0 | Removed. Security Hub generates one finding for a security check across standards. |
| ProductFields.aws/securityhub/FindingId | arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789012:subscription/aws-foundational-security-best-practices/v/1.0.0/Config.1/finding/751c2173-7372-4e12-8656-a5210dfb1d67 |
arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789012:security-control/Config.1/finding/751c2173-7372-4e12-8656-a5210dfb1d67
This field no longer references a standard. |
Values for customer-provided ASFF fields after turning on consolidated control findings
If you turn on consolidated control findings,
Security Hub generates one finding across standards and archives the original findings (separate findings for each standard). To view archived findings, you can visit the Findings
page of the Security Hub console with the Record state filter set to ARCHIVED, or use the
GetFindings API action.
Updates you’ve made to the original findings in the Security Hub console
or using the BatchUpdateFindings API
won't be preserved in the new findings (if needed, you can recover this data by referring to the archived findings).
| Customer-provided ASFF field | Description of change after turning on consolidated control findings |
|---|---|
| Confidence | Resets to empty state. |
| Criticality | Resets to empty state. |
| Note | Resets to empty state. |
| RelatedFindings | Resets to empty state. |
| Severity | Default severity of the finding (matches the severity of the control). |
| Types | Resets to standard-agnostic value. |
| UserDefinedFields | Resets to empty state. |
| VerificationState | Resets to empty state. |
| Workflow |
New failed findings have a default value of
NEW. New passed findings have a
default value of RESOLVED.
|
Generator IDs before and after turning on consolidated control findings
Here's a list of generator ID changes for controls when you turn on consolidated control findings. These apply to controls that Security Hub supported as of February 15, 2023.
| GeneratorID before turning on consolidated control findings | GeneratorID after turning on consolidated control findings |
|---|---|
|
arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.1 |
security-control/CloudWatch.1 |
|
arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.10 |
security-control/IAM.16 |
|
arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.11 |
security-control/IAM.17 |
|
arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.12 |
security-control/IAM.4 |
|
arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.13 |
security-control/IAM.9 |
|
arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.14 |
security-control/IAM.6 |
|
arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.16 |
security-control/IAM.2 |
|
arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.2 |
security-control/IAM.5 |
|
arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.20 |
security-control/IAM.18 |
|
arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.22 |
security-control/IAM.1 |
|
arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.3 |
security-control/IAM.8 |
|
arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.4 |
security-control/IAM.3 |
|
arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.5 |
security-control/IAM.11 |
|
arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.6 |
security-control/IAM.12 |
|
arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.7 |
security-control/IAM.13 |
|
arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.8 |
security-control/IAM.14 |
|
arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.9 |
security-control/IAM.15 |
|
arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/2.1 |
security-control/CloudTrail.1 |
|
arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/2.2 |
security-control/CloudTrail.4 |
|
arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/2.3 |
security-control/CloudTrail.6 |
|
arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/2.4 |
security-control/CloudTrail.5 |
|
arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/2.5 |
security-control/Config.1 |
|
arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/2.6 |
security-control/CloudTrail.7 |
|
arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/2.7 |
security-control/CloudTrail.2 |
|
arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/2.8 |
security-control/KMS.4 |
|
arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/2.9 |
security-control/EC2.6 |
|
arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.1 |
security-control/CloudWatch.2 |
|
arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.2 |
security-control/CloudWatch.3 |
|
arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.3 |
security-control/CloudWatch.1 |
|
arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.4 |
security-control/CloudWatch.4 |
|
arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.5 |
security-control/CloudWatch.5 |
|
arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.6 |
security-control/CloudWatch.6 |
|
arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.7 |
security-control/CloudWatch.7 |
|
arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.8 |
security-control/CloudWatch.8 |
|
arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.9 |
security-control/CloudWatch.9 |
|
arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.10 |
security-control/CloudWatch.10 |
|
arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.11 |
security-control/CloudWatch.11 |
|
arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.12 |
security-control/CloudWatch.12 |
|
arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.13 |
security-control/CloudWatch.13 |
|
arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.14 |
security-control/CloudWatch.14 |
|
arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/4.1 |
security-control/EC2.13 |
|
arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/4.2 |
security-control/EC2.14 |
|
arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/4.3 |
security-control/EC2.2 |
|
cis-aws-foundations-benchmark/v/1.4.0/1.10 |
security-control/IAM.5 |
|
cis-aws-foundations-benchmark/v/1.4.0/1.14 |
security-control/IAM.3 |
|
cis-aws-foundations-benchmark/v/1.4.0/1.16 |
security-control/IAM.1 |
|
cis-aws-foundations-benchmark/v/1.4.0/1.17 |
security-control/IAM.18 |
|
cis-aws-foundations-benchmark/v/1.4.0/1.4 |
security-control/IAM.4 |
|
cis-aws-foundations-benchmark/v/1.4.0/1.5 |
security-control/IAM.9 |
|
cis-aws-foundations-benchmark/v/1.4.0/1.6 |
security-control/IAM.6 |
|
cis-aws-foundations-benchmark/v/1.4.0/1.7 |
security-control/CloudWatch.1 |
|
cis-aws-foundations-benchmark/v/1.4.0/1.8 |
security-control/IAM.15 |
|
cis-aws-foundations-benchmark/v/1.4.0/1.9 |
security-control/IAM.16 |
|
cis-aws-foundations-benchmark/v/1.4.0/2.1.2 |
security-control/S3.5 |
|
cis-aws-foundations-benchmark/v/1.4.0/2.1.5.1 |
security-control/S3.1 |
|
cis-aws-foundations-benchmark/v/1.4.0/2.1.5.2 |
security-control/S3.8 |
|
cis-aws-foundations-benchmark/v/1.4.0/2.2.1 |
security-control/EC2.7 |
|
cis-aws-foundations-benchmark/v/1.4.0/2.3.1 |
security-control/RDS.3 |
|
cis-aws-foundations-benchmark/v/1.4.0/3.1 |
security-control/CloudTrail.1 |
|
cis-aws-foundations-benchmark/v/1.4.0/3.2 |
security-control/CloudTrail.4 |
|
cis-aws-foundations-benchmark/v/1.4.0/3.4 |
security-control/CloudTrail.5 |
|
cis-aws-foundations-benchmark/v/1.4.0/3.5 |
security-control/Config.1 |
|
cis-aws-foundations-benchmark/v/1.4.0/3.6 |
security-control/S3.9 |
|
cis-aws-foundations-benchmark/v/1.4.0/3.7 |
security-control/CloudTrail.2 |
|
cis-aws-foundations-benchmark/v/1.4.0/3.8 |
security-control/KMS.4 |
|
cis-aws-foundations-benchmark/v/1.4.0/3.9 |
security-control/EC2.6 |
|
cis-aws-foundations-benchmark/v/1.4.0/4.3 |
security-control/CloudWatch.1 |
|
cis-aws-foundations-benchmark/v/1.4.0/4.4 |
security-control/CloudWatch.4 |
|
cis-aws-foundations-benchmark/v/1.4.0/4.5 |
security-control/CloudWatch.5 |
|
cis-aws-foundations-benchmark/v/1.4.0/4.6 |
security-control/CloudWatch.6 |
|
cis-aws-foundations-benchmark/v/1.4.0/4.7 |
security-control/CloudWatch.7 |
|
cis-aws-foundations-benchmark/v/1.4.0/4.8 |
security-control/CloudWatch.8 |
|
cis-aws-foundations-benchmark/v/1.4.0/4.9 |
security-control/CloudWatch.9 |
|
cis-aws-foundations-benchmark/v/1.4.0/4.10 |
security-control/CloudWatch.10 |
|
cis-aws-foundations-benchmark/v/1.4.0/4.11 |
security-control/CloudWatch.11 |
|
cis-aws-foundations-benchmark/v/1.4.0/4.12 |
security-control/CloudWatch.12 |
|
cis-aws-foundations-benchmark/v/1.4.0/4.13 |
security-control/CloudWatch.13 |
|
cis-aws-foundations-benchmark/v/1.4.0/4.14 |
security-control/CloudWatch.14 |
|
cis-aws-foundations-benchmark/v/1.4.0/5.1 |
security-control/EC2.21 |
|
cis-aws-foundations-benchmark/v/1.4.0/5.3 |
security-control/EC2.2 |
|
aws-foundational-security-best-practices/v/1.0.0/Account.1 |
security-control/Account.1 |
|
aws-foundational-security-best-practices/v/1.0.0/ACM.1 |
security-control/ACM.1 |
|
aws-foundational-security-best-practices/v/1.0.0/APIGateway.1 |
security-control/APIGateway.1 |
|
aws-foundational-security-best-practices/v/1.0.0/APIGateway.2 |
security-control/APIGateway.2 |
|
aws-foundational-security-best-practices/v/1.0.0/APIGateway.3 |
security-control/APIGateway.3 |
|
aws-foundational-security-best-practices/v/1.0.0/APIGateway.4 |
security-control/APIGateway.4 |
|
aws-foundational-security-best-practices/v/1.0.0/APIGateway.5 |
security-control/APIGateway.5 |
|
aws-foundational-security-best-practices/v/1.0.0/APIGateway.8 |
security-control/APIGateway.8 |
|
aws-foundational-security-best-practices/v/1.0.0/APIGateway.9 |
security-control/APIGateway.9 |
|
aws-foundational-security-best-practices/v/1.0.0/AutoScaling.1 |
security-control/AutoScaling.1 |
|
aws-foundational-security-best-practices/v/1.0.0/AutoScaling.2 |
security-control/AutoScaling.2 |
|
aws-foundational-security-best-practices/v/1.0.0/AutoScaling.3 |
security-control/AutoScaling.3 |
|
aws-foundational-security-best-practices/v/1.0.0/Autoscaling.5 |
security-control/Autoscaling.5 |
|
aws-foundational-security-best-practices/v/1.0.0/AutoScaling.6 |
security-control/AutoScaling.6 |
|
aws-foundational-security-best-practices/v/1.0.0/AutoScaling.9 |
security-control/AutoScaling.9 |
|
aws-foundational-security-best-practices/v/1.0.0/CloudFront.1 |
security-control/CloudFront.1 |
|
aws-foundational-security-best-practices/v/1.0.0/CloudFront.3 |
security-control/CloudFront.3 |
|
aws-foundational-security-best-practices/v/1.0.0/CloudFront.4 |
security-control/CloudFront.4 |
|
aws-foundational-security-best-practices/v/1.0.0/CloudFront.5 |
security-control/CloudFront.5 |
|
aws-foundational-security-best-practices/v/1.0.0/CloudFront.6 |
security-control/CloudFront.6 |
|
aws-foundational-security-best-practices/v/1.0.0/CloudFront.7 |
security-control/CloudFront.7 |
|
aws-foundational-security-best-practices/v/1.0.0/CloudFront.8 |
security-control/CloudFront.8 |
|
aws-foundational-security-best-practices/v/1.0.0/CloudFront.9 |
security-control/CloudFront.9 |
|
aws-foundational-security-best-practices/v/1.0.0/CloudFront.10 |
security-control/CloudFront.10 |
|
aws-foundational-security-best-practices/v/1.0.0/CloudFront.12 |
security-control/CloudFront.12 |
|
aws-foundational-security-best-practices/v/1.0.0/CloudTrail.1 |
security-control/CloudTrail.1 |
|
aws-foundational-security-best-practices/v/1.0.0/CloudTrail.2 |
security-control/CloudTrail.2 |
|
aws-foundational-security-best-practices/v/1.0.0/CloudTrail.4 |
security-control/CloudTrail.4 |
|
aws-foundational-security-best-practices/v/1.0.0/CloudTrail.5 |
security-control/CloudTrail.5 |
|
aws-foundational-security-best-practices/v/1.0.0/CodeBuild.1 |
security-control/CodeBuild.1 |
|
aws-foundational-security-best-practices/v/1.0.0/CodeBuild.2 |
security-control/CodeBuild.2 |
|
aws-foundational-security-best-practices/v/1.0.0/CodeBuild.3 |
security-control/CodeBuild.3 |
|
aws-foundational-security-best-practices/v/1.0.0/CodeBuild.4 |
security-control/CodeBuild.4 |
|
aws-foundational-security-best-practices/v/1.0.0/Config.1 |
security-control/Config.1 |
|
aws-foundational-security-best-practices/v/1.0.0/DMS.1 |
security-control/DMS.1 |
|
aws-foundational-security-best-practices/v/1.0.0/DynamoDB.1 |
security-control/DynamoDB.1 |
|
aws-foundational-security-best-practices/v/1.0.0/DynamoDB.2 |
security-control/DynamoDB.2 |
|
aws-foundational-security-best-practices/v/1.0.0/DynamoDB.3 |
security-control/DynamoDB.3 |
|
aws-foundational-security-best-practices/v/1.0.0/EC2.1 |
security-control/EC2.1 |
|
aws-foundational-security-best-practices/v/1.0.0/EC2.3 |
security-control/EC2.3 |
|
aws-foundational-security-best-practices/v/1.0.0/EC2.4 |
security-control/EC2.4 |
|
aws-foundational-security-best-practices/v/1.0.0/EC2.6 |
security-control/EC2.6 |
|
aws-foundational-security-best-practices/v/1.0.0/EC2.7 |
security-control/EC2.7 |
|
aws-foundational-security-best-practices/v/1.0.0/EC2.8 |
security-control/EC2.8 |
|
aws-foundational-security-best-practices/v/1.0.0/EC2.9 |
security-control/EC2.9 |
|
aws-foundational-security-best-practices/v/1.0.0/EC2.10 |
security-control/EC2.10 |
|
aws-foundational-security-best-practices/v/1.0.0/EC2.15 |
security-control/EC2.15 |
|
aws-foundational-security-best-practices/v/1.0.0/EC2.16 |
security-control/EC2.16 |
|
aws-foundational-security-best-practices/v/1.0.0/EC2.17 |
security-control/EC2.17 |
|
aws-foundational-security-best-practices/v/1.0.0/EC2.18 |
security-control/EC2.18 |
|
aws-foundational-security-best-practices/v/1.0.0/EC2.19 |
security-control/EC2.19 |
|
aws-foundational-security-best-practices/v/1.0.0/EC2.2 |
security-control/EC2.2 |
|
aws-foundational-security-best-practices/v/1.0.0/EC2.20 |
security-control/EC2.20 |
|
aws-foundational-security-best-practices/v/1.0.0/EC2.21 |
security-control/EC2.21 |
|
aws-foundational-security-best-practices/v/1.0.0/EC2.23 |
security-control/EC2.23 |
|
aws-foundational-security-best-practices/v/1.0.0/EC2.24 |
security-control/EC2.24 |
|
aws-foundational-security-best-practices/v/1.0.0/EC2.25 |
security-control/EC2.25 |
|
aws-foundational-security-best-practices/v/1.0.0/ECR.1 |
security-control/ECR.1 |
|
aws-foundational-security-best-practices/v/1.0.0/ECR.2 |
security-control/ECR.2 |
|
aws-foundational-security-best-practices/v/1.0.0/ECR.3 |
security-control/ECR.3 |
|
aws-foundational-security-best-practices/v/1.0.0/ECS.1 |
security-control/ECS.1 |
|
aws-foundational-security-best-practices/v/1.0.0/ECS.10 |
security-control/ECS.10 |
|
aws-foundational-security-best-practices/v/1.0.0/ECS.12 |
security-control/ECS.12 |
|
aws-foundational-security-best-practices/v/1.0.0/ECS.2 |
security-control/ECS.2 |
|
aws-foundational-security-best-practices/v/1.0.0/ECS.3 |
security-control/ECS.3 |
|
aws-foundational-security-best-practices/v/1.0.0/ECS.4 |
security-control/ECS.4 |
|
aws-foundational-security-best-practices/v/1.0.0/ECS.5 |
security-control/ECS.5 |
|
aws-foundational-security-best-practices/v/1.0.0/ECS.8 |
security-control/ECS.8 |
|
aws-foundational-security-best-practices/v/1.0.0/EFS.1 |
security-control/EFS.1 |
|
aws-foundational-security-best-practices/v/1.0.0/EFS.2 |
security-control/EFS.2 |
|
aws-foundational-security-best-practices/v/1.0.0/EFS.3 |
security-control/EFS.3 |
|
aws-foundational-security-best-practices/v/1.0.0/EFS.4 |
security-control/EFS.4 |
|
aws-foundational-security-best-practices/v/1.0.0/EKS.2 |
security-control/EKS.2 |
|
aws-foundational-security-best-practices/v/1.0.0/ElasticBeanstalk.1 |
security-control/ElasticBeanstalk.1 |
|
aws-foundational-security-best-practices/v/1.0.0/ElasticBeanstalk.2 |
security-control/ElasticBeanstalk.2 |
|
aws-foundational-security-best-practices/v/1.0.0/ELBv2.1 |
security-control/ELB.1 |
|
aws-foundational-security-best-practices/v/1.0.0/ELB.2 |
security-control/ELB.2 |
|
aws-foundational-security-best-practices/v/1.0.0/ELB.3 |
security-control/ELB.3 |
|
aws-foundational-security-best-practices/v/1.0.0/ELB.4 |
security-control/ELB.4 |
|
aws-foundational-security-best-practices/v/1.0.0/ELB.5 |
security-control/ELB.5 |
|
aws-foundational-security-best-practices/v/1.0.0/ELB.6 |
security-control/ELB.6 |
|
aws-foundational-security-best-practices/v/1.0.0/ELB.7 |
security-control/ELB.7 |
|
aws-foundational-security-best-practices/v/1.0.0/ELB.8 |
security-control/ELB.8 |
|
aws-foundational-security-best-practices/v/1.0.0/ELB.9 |
security-control/ELB.9 |
|
aws-foundational-security-best-practices/v/1.0.0/ELB.10 |
security-control/ELB.10 |
|
aws-foundational-security-best-practices/v/1.0.0/ELB.11 |
security-control/ELB.11 |
|
aws-foundational-security-best-practices/v/1.0.0/ELB.12 |
security-control/ELB.12 |
|
aws-foundational-security-best-practices/v/1.0.0/ELB.13 |
security-control/ELB.13 |
|
aws-foundational-security-best-practices/v/1.0.0/ELB.14 |
security-control/ELB.14 |
|
aws-foundational-security-best-practices/v/1.0.0/EMR.1 |
security-control/EMR.1 |
|
aws-foundational-security-best-practices/v/1.0.0/ES.1 |
security-control/ES.1 |
|
aws-foundational-security-best-practices/v/1.0.0/ES.2 |
security-control/ES.2 |
|
aws-foundational-security-best-practices/v/1.0.0/ES.3 |
security-control/ES.3 |
|
aws-foundational-security-best-practices/v/1.0.0/ES.4 |
security-control/ES.4 |
|
aws-foundational-security-best-practices/v/1.0.0/ES.5 |
security-control/ES.5 |
|
aws-foundational-security-best-practices/v/1.0.0/ES.6 |
security-control/ES.6 |
|
aws-foundational-security-best-practices/v/1.0.0/ES.7 |
security-control/ES.7 |
|
aws-foundational-security-best-practices/v/1.0.0/ES.8 |
security-control/ES.8 |
|
aws-foundational-security-best-practices/v/1.0.0/GuardDuty.1 |
security-control/GuardDuty.1 |
|
aws-foundational-security-best-practices/v/1.0.0/IAM.1 |
security-control/IAM.1 |
|
aws-foundational-security-best-practices/v/1.0.0/IAM.2 |
security-control/IAM.2 |
|
aws-foundational-security-best-practices/v/1.0.0/IAM.21 |
security-control/IAM.21 |
|
aws-foundational-security-best-practices/v/1.0.0/IAM.3 |
security-control/IAM.3 |
|
aws-foundational-security-best-practices/v/1.0.0/IAM.4 |
security-control/IAM.4 |
|
aws-foundational-security-best-practices/v/1.0.0/IAM.5 |
security-control/IAM.5 |
|
aws-foundational-security-best-practices/v/1.0.0/IAM.6 |
security-control/IAM.6 |
|
aws-foundational-security-best-practices/v/1.0.0/IAM.7 |
security-control/IAM.7 |
|
aws-foundational-security-best-practices/v/1.0.0/IAM.8 |
security-control/IAM.8 |
|
aws-foundational-security-best-practices/v/1.0.0/Kinesis.1 |
security-control/Kinesis.1 |
|
aws-foundational-security-best-practices/v/1.0.0/KMS.1 |
security-control/KMS.1 |
|
aws-foundational-security-best-practices/v/1.0.0/KMS.2 |
security-control/KMS.2 |
|
aws-foundational-security-best-practices/v/1.0.0/KMS.3 |
security-control/KMS.3 |
|
aws-foundational-security-best-practices/v/1.0.0/Lambda.1 |
security-control/Lambda.1 |
|
aws-foundational-security-best-practices/v/1.0.0/Lambda.2 |
security-control/Lambda.2 |
|
aws-foundational-security-best-practices/v/1.0.0/Lambda.5 |
security-control/Lambda.5 |
|
aws-foundational-security-best-practices/v/1.0.0/NetworkFirewall.3 |
security-control/NetworkFirewall.3 |
|
aws-foundational-security-best-practices/v/1.0.0/NetworkFirewall.4 |
security-control/NetworkFirewall.4 |
|
aws-foundational-security-best-practices/v/1.0.0/NetworkFirewall.5 |
security-control/NetworkFirewall.5 |
|
aws-foundational-security-best-practices/v/1.0.0/NetworkFirewall.6 |
security-control/NetworkFirewall.6 |
|
aws-foundational-security-best-practices/v/1.0.0/Opensearch.1 |
security-control/Opensearch.1 |
|
aws-foundational-security-best-practices/v/1.0.0/Opensearch.2 |
security-control/Opensearch.2 |
|
aws-foundational-security-best-practices/v/1.0.0/Opensearch.3 |
security-control/Opensearch.3 |
|
aws-foundational-security-best-practices/v/1.0.0/Opensearch.4 |
security-control/Opensearch.4 |
|
aws-foundational-security-best-practices/v/1.0.0/Opensearch.5 |
security-control/Opensearch.5 |
|
aws-foundational-security-best-practices/v/1.0.0/Opensearch.6 |
security-control/Opensearch.6 |
|
aws-foundational-security-best-practices/v/1.0.0/Opensearch.7 |
security-control/Opensearch.7 |
|
aws-foundational-security-best-practices/v/1.0.0/Opensearch.8 |
security-control/Opensearch.8 |
|
aws-foundational-security-best-practices/v/1.0.0/RDS.1 |
security-control/RDS.1 |
|
aws-foundational-security-best-practices/v/1.0.0/RDS.10 |
security-control/RDS.10 |
|
aws-foundational-security-best-practices/v/1.0.0/RDS.11 |
security-control/RDS.11 |
|
aws-foundational-security-best-practices/v/1.0.0/RDS.12 |
security-control/RDS.12 |
|
aws-foundational-security-best-practices/v/1.0.0/RDS.13 |
security-control/RDS.13 |
|
aws-foundational-security-best-practices/v/1.0.0/RDS.14 |
security-control/RDS.14 |
|
aws-foundational-security-best-practices/v/1.0.0/RDS.15 |
security-control/RDS.15 |
|
aws-foundational-security-best-practices/v/1.0.0/RDS.16 |
security-control/RDS.16 |
|
aws-foundational-security-best-practices/v/1.0.0/RDS.17 |
security-control/RDS.17 |
|
aws-foundational-security-best-practices/v/1.0.0/RDS.18 |
security-control/RDS.18 |
|
aws-foundational-security-best-practices/v/1.0.0/RDS.19 |
security-control/RDS.19 |
|
aws-foundational-security-best-practices/v/1.0.0/RDS.2 |
security-control/RDS.2 |
|
aws-foundational-security-best-practices/v/1.0.0/RDS.20 |
security-control/RDS.20 |
|
aws-foundational-security-best-practices/v/1.0.0/RDS.21 |
security-control/RDS.21 |
|
aws-foundational-security-best-practices/v/1.0.0/RDS.22 |
security-control/RDS.22 |
|
aws-foundational-security-best-practices/v/1.0.0/RDS.23 |
security-control/RDS.23 |
|
aws-foundational-security-best-practices/v/1.0.0/RDS.24 |
security-control/RDS.24 |
|
aws-foundational-security-best-practices/v/1.0.0/RDS.25 |
security-control/RDS.25 |
|
aws-foundational-security-best-practices/v/1.0.0/RDS.3 |
security-control/RDS.3 |
|
aws-foundational-security-best-practices/v/1.0.0/RDS.4 |
security-control/RDS.4 |
|
aws-foundational-security-best-practices/v/1.0.0/RDS.5 |
security-control/RDS.5 |
|
aws-foundational-security-best-practices/v/1.0.0/RDS.6 |
security-control/RDS.6 |
|
aws-foundational-security-best-practices/v/1.0.0/RDS.7 |
security-control/RDS.7 |
|
aws-foundational-security-best-practices/v/1.0.0/RDS.8 |
security-control/RDS.8 |
|
aws-foundational-security-best-practices/v/1.0.0/RDS.9 |
security-control/RDS.9 |
|
aws-foundational-security-best-practices/v/1.0.0/Redshift.1 |
security-control/Redshift.1 |
|
aws-foundational-security-best-practices/v/1.0.0/Redshift.2 |
security-control/Redshift.2 |
|
aws-foundational-security-best-practices/v/1.0.0/Redshift.3 |
security-control/Redshift.3 |
|
aws-foundational-security-best-practices/v/1.0.0/Redshift.4 |
security-control/Redshift.4 |
|
aws-foundational-security-best-practices/v/1.0.0/Redshift.6 |
security-control/Redshift.6 |
|
aws-foundational-security-best-practices/v/1.0.0/Redshift.7 |
security-control/Redshift.7 |
|
aws-foundational-security-best-practices/v/1.0.0/Redshift.8 |
security-control/Redshift.8 |
|
aws-foundational-security-best-practices/v/1.0.0/Redshift.9 |
security-control/Redshift.9 |
|
aws-foundational-security-best-practices/v/1.0.0/S3.1 |
security-control/S3.1 |
|
aws-foundational-security-best-practices/v/1.0.0/S3.12 |
security-control/S3.12 |
|
aws-foundational-security-best-practices/v/1.0.0/S3.13 |
security-control/S3.13 |
|
aws-foundational-security-best-practices/v/1.0.0/S3.2 |
security-control/S3.2 |
|
aws-foundational-security-best-practices/v/1.0.0/S3.3 |
security-control/S3.3 |
|
aws-foundational-security-best-practices/v/1.0.0/S3.5 |
security-control/S3.5 |
|
aws-foundational-security-best-practices/v/1.0.0/S3.6 |
security-control/S3.6 |
|
aws-foundational-security-best-practices/v/1.0.0/S3.8 |
security-control/S3.8 |
|
aws-foundational-security-best-practices/v/1.0.0/S3.9 |
security-control/S3.9 |
|
aws-foundational-security-best-practices/v/1.0.0/SageMaker.1 |
security-control/SageMaker.1 |
|
aws-foundational-security-best-practices/v/1.0.0/SageMaker.2 |
security-control/SageMaker.2 |
|
aws-foundational-security-best-practices/v/1.0.0/SageMaker.3 |
security-control/SageMaker.3 |
|
aws-foundational-security-best-practices/v/1.0.0/SecretsManager.1 |
security-control/SecretsManager.1 |
|
aws-foundational-security-best-practices/v/1.0.0/SecretsManager.2 |
security-control/SecretsManager.2 |
|
aws-foundational-security-best-practices/v/1.0.0/SecretsManager.3 |
security-control/SecretsManager.3 |
|
aws-foundational-security-best-practices/v/1.0.0/SecretsManager.4 |
security-control/SecretsManager.4 |
|
aws-foundational-security-best-practices/v/1.0.0/SQS.1 |
security-control/SQS.1 |
|
aws-foundational-security-best-practices/v/1.0.0/SSM.1 |
security-control/SSM.1 |
|
aws-foundational-security-best-practices/v/1.0.0/SSM.2 |
security-control/SSM.2 |
|
aws-foundational-security-best-practices/v/1.0.0/SSM.3 |
security-control/SSM.3 |
|
aws-foundational-security-best-practices/v/1.0.0/SSM.4 |
security-control/SSM.4 |
|
aws-foundational-security-best-practices/v/1.0.0/WAF.1 |
security-control/WAF.1 |
|
aws-foundational-security-best-practices/v/1.0.0/WAF.2 |
security-control/WAF.2 |
|
aws-foundational-security-best-practices/v/1.0.0/WAF.3 |
security-control/WAF.3 |
|
aws-foundational-security-best-practices/v/1.0.0/WAF.4 |
security-control/WAF.4 |
|
aws-foundational-security-best-practices/v/1.0.0/WAF.6 |
security-control/WAF.6 |
|
aws-foundational-security-best-practices/v/1.0.0/WAF.7 |
security-control/WAF.7 |
|
aws-foundational-security-best-practices/v/1.0.0/WAF.8 |
security-control/WAF.8 |
|
aws-foundational-security-best-practices/v/1.0.0/WAF.10 |
security-control/WAF.10 |
|
pci-dss/v/3.2.1/PCI.AutoScaling.1 |
security-control/AutoScaling.1 |
|
pci-dss/v/3.2.1/PCI.CloudTrail.1 |
security-control/CloudTrail.2 |
|
pci-dss/v/3.2.1/PCI.CloudTrail.2 |
security-control/CloudTrail.3 |
|
pci-dss/v/3.2.1/PCI.CloudTrail.3 |
security-control/CloudTrail.4 |
|
pci-dss/v/3.2.1/PCI.CloudTrail.4 |
security-control/CloudTrail.5 |
|
pci-dss/v/3.2.1/PCI.CodeBuild.1 |
security-control/CodeBuild.1 |
|
pci-dss/v/3.2.1/PCI.CodeBuild.2 |
security-control/CodeBuild.2 |
|
pci-dss/v/3.2.1/PCI.Config.1 |
security-control/Config.1 |
|
pci-dss/v/3.2.1/PCI.CW.1 |
security-control/CloudWatch.1 |
|
pci-dss/v/3.2.1/PCI.DMS.1 |
security-control/DMS.1 |
|
pci-dss/v/3.2.1/PCI.EC2.1 |
security-control/EC2.1 |
|
pci-dss/v/3.2.1/PCI.EC2.2 |
security-control/EC2.2 |
|
pci-dss/v/3.2.1/PCI.EC2.4 |
security-control/EC2.12 |
|
pci-dss/v/3.2.1/PCI.EC2.5 |
security-control/EC2.13 |
|
pci-dss/v/3.2.1/PCI.EC2.6 |
security-control/EC2.6 |
|
pci-dss/v/3.2.1/PCI.ELBv2.1 |
security-control/ELB.1 |
|
pci-dss/v/3.2.1/PCI.ES.1 |
security-control/ES.2 |
|
pci-dss/v/3.2.1/PCI.ES.2 |
security-control/ES.1 |
|
pci-dss/v/3.2.1/PCI.GuardDuty.1 |
security-control/GuardDuty.1 |
|
pci-dss/v/3.2.1/PCI.IAM.1 |
security-control/IAM.4 |
|
pci-dss/v/3.2.1/PCI.IAM.2 |
security-control/IAM.2 |
|
pci-dss/v/3.2.1/PCI.IAM.3 |
security-control/IAM.1 |
|
pci-dss/v/3.2.1/PCI.IAM.4 |
security-control/IAM.6 |
|
pci-dss/v/3.2.1/PCI.IAM.5 |
security-control/IAM.9 |
|
pci-dss/v/3.2.1/PCI.IAM.6 |
security-control/IAM.19 |
|
pci-dss/v/3.2.1/PCI.IAM.7 |
security-control/IAM.8 |
|
pci-dss/v/3.2.1/PCI.IAM.8 |
security-control/IAM.10 |
|
pci-dss/v/3.2.1/PCI.KMS.1 |
security-control/KMS.4 |
|
pci-dss/v/3.2.1/PCI.Lambda.1 |
security-control/Lambda.1 |
|
pci-dss/v/3.2.1/PCI.Lambda.2 |
security-control/Lambda.3 |
|
pci-dss/v/3.2.1/PCI.Opensearch.1 |
security-control/Opensearch.2 |
|
pci-dss/v/3.2.1/PCI.Opensearch.2 |
security-control/Opensearch.1 |
|
pci-dss/v/3.2.1/PCI.RDS.1 |
security-control/RDS.1 |
|
pci-dss/v/3.2.1/PCI.RDS.2 |
security-control/RDS.2 |
|
pci-dss/v/3.2.1/PCI.Redshift.1 |
security-control/Redshift.1 |
|
pci-dss/v/3.2.1/PCI.S3.1 |
security-control/S3.3 |
|
pci-dss/v/3.2.1/PCI.S3.2 |
security-control/S3.2 |
|
pci-dss/v/3.2.1/PCI.S3.3 |
security-control/S3.7 |
|
pci-dss/v/3.2.1/PCI.S3.5 |
security-control/S3.5 |
|
pci-dss/v/3.2.1/PCI.S3.6 |
security-control/S3.1 |
|
pci-dss/v/3.2.1/PCI.SageMaker.1 |
security-control/SageMaker.1 |
|
pci-dss/v/3.2.1/PCI.SSM.1 |
security-control/SSM.2 |
|
pci-dss/v/3.2.1/PCI.SSM.2 |
security-control/SSM.3 |
|
pci-dss/v/3.2.1/PCI.SSM.3 |
security-control/SSM.1 |
|
service-managed-aws-control-tower/v/1.0.0/ACM.1 |
security-control/ACM.1 |
|
service-managed-aws-control-tower/v/1.0.0/APIGateway.1 |
security-control/APIGateway.1 |
|
service-managed-aws-control-tower/v/1.0.0/APIGateway.2 |
security-control/APIGateway.2 |
|
service-managed-aws-control-tower/v/1.0.0/APIGateway.3 |
security-control/APIGateway.3 |
|
service-managed-aws-control-tower/v/1.0.0/APIGateway.4 |
security-control/APIGateway.4 |
|
service-managed-aws-control-tower/v/1.0.0/APIGateway.5 |
security-control/APIGateway.5 |
|
service-managed-aws-control-tower/v/1.0.0/AutoScaling.1 |
security-control/AutoScaling.1 |
|
service-managed-aws-control-tower/v/1.0.0/AutoScaling.2 |
security-control/AutoScaling.2 |
|
service-managed-aws-control-tower/v/1.0.0/AutoScaling.3 |
security-control/AutoScaling.3 |
|
service-managed-aws-control-tower/v/1.0.0/AutoScaling.4 |
security-control/AutoScaling.4 |
|
service-managed-aws-control-tower/v/1.0.0/Autoscaling.5 |
security-control/Autoscaling.5 |
|
service-managed-aws-control-tower/v/1.0.0/AutoScaling.6 |
security-control/AutoScaling.6 |
|
service-managed-aws-control-tower/v/1.0.0/AutoScaling.9 |
security-control/AutoScaling.9 |
|
service-managed-aws-control-tower/v/1.0.0/CloudTrail.1 |
security-control/CloudTrail.1 |
|
service-managed-aws-control-tower/v/1.0.0/CloudTrail.2 |
security-control/CloudTrail.2 |
|
service-managed-aws-control-tower/v/1.0.0/CloudTrail.4 |
security-control/CloudTrail.4 |
|
service-managed-aws-control-tower/v/1.0.0/CloudTrail.5 |
security-control/CloudTrail.5 |
|
service-managed-aws-control-tower/v/1.0.0/CodeBuild.1 |
security-control/CodeBuild.1 |
|
service-managed-aws-control-tower/v/1.0.0/CodeBuild.2 |
security-control/CodeBuild.2 |
|
service-managed-aws-control-tower/v/1.0.0/CodeBuild.4 |
security-control/CodeBuild.4 |
|
service-managed-aws-control-tower/v/1.0.0/CodeBuild.5 |
security-control/CodeBuild.5 |
|
service-managed-aws-control-tower/v/1.0.0/DMS.1 |
security-control/DMS.1 |
|
service-managed-aws-control-tower/v/1.0.0/DynamoDB.1 |
security-control/DynamoDB.1 |
|
service-managed-aws-control-tower/v/1.0.0/DynamoDB.2 |
security-control/DynamoDB.2 |
|
service-managed-aws-control-tower/v/1.0.0/EC2.1 |
security-control/EC2.1 |
|
service-managed-aws-control-tower/v/1.0.0/EC2.2 |
security-control/EC2.2 |
|
service-managed-aws-control-tower/v/1.0.0/EC2.3 |
security-control/EC2.3 |
|
service-managed-aws-control-tower/v/1.0.0/EC2.4 |
security-control/EC2.4 |
|
service-managed-aws-control-tower/v/1.0.0/EC2.6 |
security-control/EC2.6 |
|
service-managed-aws-control-tower/v/1.0.0/EC2.7 |
security-control/EC2.7 |
|
service-managed-aws-control-tower/v/1.0.0/EC2.8 |
security-control/EC2.8 |
|
service-managed-aws-control-tower/v/1.0.0/EC2.9 |
security-control/EC2.9 |
|
service-managed-aws-control-tower/v/1.0.0/EC2.10 |
security-control/EC2.10 |
|
service-managed-aws-control-tower/v/1.0.0/EC2.15 |
security-control/EC2.15 |
|
service-managed-aws-control-tower/v/1.0.0/EC2.16 |
security-control/EC2.16 |
|
service-managed-aws-control-tower/v/1.0.0/EC2.17 |
security-control/EC2.17 |
|
service-managed-aws-control-tower/v/1.0.0/EC2.18 |
security-control/EC2.18 |
|
service-managed-aws-control-tower/v/1.0.0/EC2.19 |
security-control/EC2.19 |
|
service-managed-aws-control-tower/v/1.0.0/EC2.20 |
security-control/EC2.20 |
|
service-managed-aws-control-tower/v/1.0.0/EC2.21 |
security-control/EC2.21 |
|
service-managed-aws-control-tower/v/1.0.0/EC2.22 |
security-control/EC2.22 |
|
service-managed-aws-control-tower/v/1.0.0/ECR.1 |
security-control/ECR.1 |
|
service-managed-aws-control-tower/v/1.0.0/ECR.2 |
security-control/ECR.2 |
|
service-managed-aws-control-tower/v/1.0.0/ECR.3 |
security-control/ECR.3 |
|
service-managed-aws-control-tower/v/1.0.0/ECS.1 |
security-control/ECS.1 |
|
service-managed-aws-control-tower/v/1.0.0/ECS.2 |
security-control/ECS.2 |
|
service-managed-aws-control-tower/v/1.0.0/ECS.3 |
security-control/ECS.3 |
|
service-managed-aws-control-tower/v/1.0.0/ECS.4 |
security-control/ECS.4 |
|
service-managed-aws-control-tower/v/1.0.0/ECS.5 |
security-control/ECS.5 |
|
service-managed-aws-control-tower/v/1.0.0/ECS.8 |
security-control/ECS.8 |
|
service-managed-aws-control-tower/v/1.0.0/ECS.10 |
security-control/ECS.10 |
|
service-managed-aws-control-tower/v/1.0.0/ECS.12 |
security-control/ECS.12 |
|
service-managed-aws-control-tower/v/1.0.0/EFS.1 |
security-control/EFS.1 |
|
service-managed-aws-control-tower/v/1.0.0/EFS.2 |
security-control/EFS.2 |
|
service-managed-aws-control-tower/v/1.0.0/EFS.3 |
security-control/EFS.3 |
|
service-managed-aws-control-tower/v/1.0.0/EFS.4 |
security-control/EFS.4 |
|
service-managed-aws-control-tower/v/1.0.0/EKS.2 |
security-control/EKS.2 |
|
service-managed-aws-control-tower/v/1.0.0/ELB.2 |
security-control/ELB.2 |
|
service-managed-aws-control-tower/v/1.0.0/ELB.3 |
security-control/ELB.3 |
|
service-managed-aws-control-tower/v/1.0.0/ELB.4 |
security-control/ELB.4 |
|
service-managed-aws-control-tower/v/1.0.0/ELB.5 |
security-control/ELB.5 |
|
service-managed-aws-control-tower/v/1.0.0/ELB.6 |
security-control/ELB.6 |
|
service-managed-aws-control-tower/v/1.0.0/ELB.7 |
security-control/ELB.7 |
|
service-managed-aws-control-tower/v/1.0.0/ELB.8 |
security-control/ELB.8 |
|
service-managed-aws-control-tower/v/1.0.0/ELB.9 |
security-control/ELB.9 |
|
service-managed-aws-control-tower/v/1.0.0/ELB.10 |
security-control/ELB.10 |
|
service-managed-aws-control-tower/v/1.0.0/ELB.12 |
security-control/ELB.12 |
|
service-managed-aws-control-tower/v/1.0.0/ELB.13 |
security-control/ELB.13 |
|
service-managed-aws-control-tower/v/1.0.0/ELB.14 |
security-control/ELB.14 |
|
service-managed-aws-control-tower/v/1.0.0/ELBv2.1 |
security-control/ELBv2.1 |
|
service-managed-aws-control-tower/v/1.0.0/EMR.1 |
security-control/EMR.1 |
|
service-managed-aws-control-tower/v/1.0.0/ES.1 |
security-control/ES.1 |
|
service-managed-aws-control-tower/v/1.0.0/ES.2 |
security-control/ES.2 |
|
service-managed-aws-control-tower/v/1.0.0/ES.3 |
security-control/ES.3 |
|
service-managed-aws-control-tower/v/1.0.0/ES.4 |
security-control/ES.4 |
|
service-managed-aws-control-tower/v/1.0.0/ES.5 |
security-control/ES.5 |
|
service-managed-aws-control-tower/v/1.0.0/ES.6 |
security-control/ES.6 |
|
service-managed-aws-control-tower/v/1.0.0/ES.7 |
security-control/ES.7 |
|
service-managed-aws-control-tower/v/1.0.0/ES.8 |
security-control/ES.8 |
|
service-managed-aws-control-tower/v/1.0.0/ElasticBeanstalk.1 |
security-control/ElasticBeanstalk.1 |
|
service-managed-aws-control-tower/v/1.0.0/ElasticBeanstalk.2 |
security-control/ElasticBeanstalk.2 |
|
service-managed-aws-control-tower/v/1.0.0/GuardDuty.1 |
security-control/GuardDuty.1 |
|
service-managed-aws-control-tower/v/1.0.0/IAM.1 |
security-control/IAM.1 |
|
service-managed-aws-control-tower/v/1.0.0/IAM.2 |
security-control/IAM.2 |
|
service-managed-aws-control-tower/v/1.0.0/IAM.3 |
security-control/IAM.3 |
|
service-managed-aws-control-tower/v/1.0.0/IAM.4 |
security-control/IAM.4 |
|
service-managed-aws-control-tower/v/1.0.0/IAM.5 |
security-control/IAM.5 |
|
service-managed-aws-control-tower/v/1.0.0/IAM.6 |
security-control/IAM.6 |
|
service-managed-aws-control-tower/v/1.0.0/IAM.7 |
security-control/IAM.7 |
|
service-managed-aws-control-tower/v/1.0.0/IAM.8 |
security-control/IAM.8 |
|
service-managed-aws-control-tower/v/1.0.0/IAM.21 |
security-control/IAM.21 |
|
service-managed-aws-control-tower/v/1.0.0/Kinesis.1 |
security-control/Kinesis.1 |
|
service-managed-aws-control-tower/v/1.0.0/KMS.1 |
security-control/KMS.1 |
|
service-managed-aws-control-tower/v/1.0.0/KMS.2 |
security-control/KMS.2 |
|
service-managed-aws-control-tower/v/1.0.0/KMS.3 |
security-control/KMS.3 |
|
service-managed-aws-control-tower/v/1.0.0/Lambda.1 |
security-control/Lambda.1 |
|
service-managed-aws-control-tower/v/1.0.0/Lambda.2 |
security-control/Lambda.2 |
|
service-managed-aws-control-tower/v/1.0.0/Lambda.5 |
security-control/Lambda.5 |
|
service-managed-aws-control-tower/v/1.0.0/NetworkFirewall.3 |
security-control/NetworkFirewall.3 |
|
service-managed-aws-control-tower/v/1.0.0/NetworkFirewall.4 |
security-control/NetworkFirewall.4 |
|
service-managed-aws-control-tower/v/1.0.0/NetworkFirewall.5 |
security-control/NetworkFirewall.5 |
|
service-managed-aws-control-tower/v/1.0.0/NetworkFirewall.6 |
security-control/NetworkFirewall.6 |
|
service-managed-aws-control-tower/v/1.0.0/Opensearch.1 |
security-control/Opensearch.1 |
|
service-managed-aws-control-tower/v/1.0.0/Opensearch.2 |
security-control/Opensearch.2 |
|
service-managed-aws-control-tower/v/1.0.0/Opensearch.3 |
security-control/Opensearch.3 |
|
service-managed-aws-control-tower/v/1.0.0/Opensearch.4 |
security-control/Opensearch.4 |
|
service-managed-aws-control-tower/v/1.0.0/Opensearch.5 |
security-control/Opensearch.5 |
|
service-managed-aws-control-tower/v/1.0.0/Opensearch.6 |
security-control/Opensearch.6 |
|
service-managed-aws-control-tower/v/1.0.0/Opensearch.7 |
security-control/Opensearch.7 |
|
service-managed-aws-control-tower/v/1.0.0/Opensearch.8 |
security-control/Opensearch.8 |
|
service-managed-aws-control-tower/v/1.0.0/RDS.1 |
security-control/RDS.1 |
|
service-managed-aws-control-tower/v/1.0.0/RDS.2 |
security-control/RDS.2 |
|
service-managed-aws-control-tower/v/1.0.0/RDS.3 |
security-control/RDS.3 |
|
service-managed-aws-control-tower/v/1.0.0/RDS.4 |
security-control/RDS.4 |
|
service-managed-aws-control-tower/v/1.0.0/RDS.5 |
security-control/RDS.5 |
|
service-managed-aws-control-tower/v/1.0.0/RDS.6 |
security-control/RDS.6 |
|
service-managed-aws-control-tower/v/1.0.0/RDS.8 |
security-control/RDS.8 |
|
service-managed-aws-control-tower/v/1.0.0/RDS.9 |
security-control/RDS.9 |
|
service-managed-aws-control-tower/v/1.0.0/RDS.10 |
security-control/RDS.10 |
|
service-managed-aws-control-tower/v/1.0.0/RDS.11 |
security-control/RDS.11 |
|
service-managed-aws-control-tower/v/1.0.0/RDS.13 |
security-control/RDS.13 |
|
service-managed-aws-control-tower/v/1.0.0/RDS.17 |
security-control/RDS.17 |
|
service-managed-aws-control-tower/v/1.0.0/RDS.18 |
security-control/RDS.18 |
|
service-managed-aws-control-tower/v/1.0.0/RDS.19 |
security-control/RDS.19 |
|
service-managed-aws-control-tower/v/1.0.0/RDS.20 |
security-control/RDS.20 |
|
service-managed-aws-control-tower/v/1.0.0/RDS.21 |
security-control/RDS.21 |
|
service-managed-aws-control-tower/v/1.0.0/RDS.22 |
security-control/RDS.22 |
|
service-managed-aws-control-tower/v/1.0.0/RDS.23 |
security-control/RDS.23 |
|
service-managed-aws-control-tower/v/1.0.0/RDS.25 |
security-control/RDS.25 |
|
service-managed-aws-control-tower/v/1.0.0/Redshift.1 |
security-control/Redshift.1 |
|
service-managed-aws-control-tower/v/1.0.0/Redshift.2 |
security-control/Redshift.2 |
|
service-managed-aws-control-tower/v/1.0.0/Redshift.4 |
security-control/Redshift.4 |
|
service-managed-aws-control-tower/v/1.0.0/Redshift.6 |
security-control/Redshift.6 |
|
service-managed-aws-control-tower/v/1.0.0/Redshift.7 |
security-control/Redshift.7 |
|
service-managed-aws-control-tower/v/1.0.0/Redshift.8 |
security-control/Redshift.8 |
|
service-managed-aws-control-tower/v/1.0.0/Redshift.9 |
security-control/Redshift.9 |
|
service-managed-aws-control-tower/v/1.0.0/S3.1 |
security-control/S3.1 |
|
service-managed-aws-control-tower/v/1.0.0/S3.2 |
security-control/S3.2 |
|
service-managed-aws-control-tower/v/1.0.0/S3.3 |
security-control/S3.3 |
|
service-managed-aws-control-tower/v/1.0.0/S3.5 |
security-control/S3.5 |
|
service-managed-aws-control-tower/v/1.0.0/S3.6 |
security-control/S3.6 |
|
service-managed-aws-control-tower/v/1.0.0/S3.8 |
security-control/S3.8 |
|
service-managed-aws-control-tower/v/1.0.0/S3.9 |
security-control/S3.9 |
|
service-managed-aws-control-tower/v/1.0.0/S3.12 |
security-control/S3.12 |
|
service-managed-aws-control-tower/v/1.0.0/S3.13 |
security-control/S3.13 |
|
service-managed-aws-control-tower/v/1.0.0/SageMaker.1 |
security-control/SageMaker.1 |
|
service-managed-aws-control-tower/v/1.0.0/SecretsManager.1 |
security-control/SecretsManager.1 |
|
service-managed-aws-control-tower/v/1.0.0/SecretsManager.2 |
security-control/SecretsManager.2 |
|
service-managed-aws-control-tower/v/1.0.0/SecretsManager.3 |
security-control/SecretsManager.3 |
|
service-managed-aws-control-tower/v/1.0.0/SecretsManager.4 |
security-control/SecretsManager.4 |
|
service-managed-aws-control-tower/v/1.0.0/SQS.1 |
security-control/SQS.1 |
|
service-managed-aws-control-tower/v/1.0.0/SSM.1 |
security-control/SSM.1 |
|
service-managed-aws-control-tower/v/1.0.0/SSM.2 |
security-control/SSM.2 |
|
service-managed-aws-control-tower/v/1.0.0/SSM.3 |
security-control/SSM.3 |
|
service-managed-aws-control-tower/v/1.0.0/SSM.4 |
security-control/SSM.4 |
|
service-managed-aws-control-tower/v/1.0.0/WAF.2 |
security-control/WAF.2 |
|
service-managed-aws-control-tower/v/1.0.0/WAF.3 |
security-control/WAF.3 |
|
service-managed-aws-control-tower/v/1.0.0/WAF.4 |
security-control/WAF.4 |
How consolidation impacts control IDs and titles
Consolidated controls view and consolidated control findings standardize control IDs and titles across standards. The terms security control ID and security control title refer to these standard-agnostic values. The following table shows the mapping of security control IDs and titles to standard-specific control IDs and titles. IDs and titles for controls that belong to the AWS Foundational Security Best Practices (FSBP) standard unchanged.
The Security Hub console displays security control IDs and security control titles, regardless of whether consolidated control findings is turned on or off in your account. However, Security Hub findings contain security control IDs and security control titles only if consolidated control findings is turned on in your account. If consolidated control findings is turned off in your account, Security Hub findings contain standard-specific control IDs and titles. For more information about how consolidation impacts control findings, see Sample control findings.
For controls that are part of Service-Managed Standard: AWS Control Tower,
the prefix CT. is removed from the control ID and title in findings when consolidated control findings is turned on.
To run your own scripts on this table, download it as a .csv file.
| Standard | Standard control ID and title | Security control ID and title |
|---|---|---|
|
CIS v1.2.0 |
1.1 Avoid the use of the root user |
[CloudWatch.1] A log metric filter and alarm should exist for usage of the "root" user |
|
CIS v1.2.0 |
1.10 Ensure IAM password policy prevents password reuse |
|
|
CIS v1.2.0 |
1.11 Ensure IAM password policy expires passwords within 90 days or less |
[IAM.17] Ensure IAM password policy expires passwords within 90 days or less |
|
CIS v1.2.0 |
1.12 Ensure no root user access key exists |
|
|
CIS v1.2.0 |
1.13 Ensure MFA is enabled for the root user |
|
|
CIS v1.2.0 |
1.14 Ensure hardware MFA is enabled for the root user |
|
|
CIS v1.2.0 |
1.16 Ensure IAM policies are attached only to groups or roles |
|
|
CIS v1.2.0 |
1.2 Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password |
[IAM.5] MFA should be enabled for all IAM users that have a console password |
|
CIS v1.2.0 |
1.20 Ensure a support role has been created to manage incidents with AWS Support |
[IAM.18] Ensure a support role has been created to manage incidents with AWS Support |
|
CIS v1.2.0 |
1.22 Ensure IAM policies that allow full "*:*" administrative privileges are not created |
[IAM.1] IAM policies should not allow full "*" administrative privileges |
|
CIS v1.2.0 |
1.3 Ensure credentials unused for 90 days or greater are disabled |
|
|
CIS v1.2.0 |
1.4 Ensure access keys are rotated every 90 days or less |
[IAM.3] IAM users' access keys should be rotated every 90 days or less |
|
CIS v1.2.0 |
1.5 Ensure IAM password policy requires at least one uppercase letter |
[IAM.11] Ensure IAM password policy requires at least one uppercase letter |
|
CIS v1.2.0 |
1.6 Ensure IAM password policy requires at least one lowercase letter |
[IAM.12] Ensure IAM password policy requires at least one lowercase letter |
|
CIS v1.2.0 |
1.7 Ensure IAM password policy requires at least one symbol |
[IAM.13] Ensure IAM password policy requires at least one symbol |
|
CIS v1.2.0 |
1.8 Ensure IAM password policy requires at least one number |
[IAM.14] Ensure IAM password policy requires at least one number |
|
CIS v1.2.0 |
1.9 Ensure IAM password policy requires minimum password length of 14 or greater |
[IAM.15] Ensure IAM password policy requires minimum password length of 14 or greater |
|
CIS v1.2.0 |
2.1 Ensure CloudTrail is enabled in all regions |
|
|
CIS v1.2.0 |
2.2 Ensure CloudTrail log file validation is enabled |
[CloudTrail.4] CloudTrail log file validation should be enabled |
|
CIS v1.2.0 |
2.3 Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible |
[CloudTrail.6] Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible |
|
CIS v1.2.0 |
2.4 Ensure CloudTrail trails are integrated with CloudWatch Logs |
[CloudTrail.5] CloudTrail trails should be integrated with Amazon CloudWatch Logs |
|
CIS v1.2.0 |
2.5 Ensure AWS Config is enabled |
|
|
CIS v1.2.0 |
2.6 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket |
[CloudTrail.7] Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket |
|
CIS v1.2.0 |
2.7 Ensure CloudTrail logs are encrypted at rest using KMS CMKs |
[CloudTrail.2] CloudTrail should have encryption at-rest enabled |
|
CIS v1.2.0 |
2.8 Ensure rotation for customer created CMKs is enabled |
|
|
CIS v1.2.0 |
2.9 Ensure VPC flow logging is enabled in all VPCs |
|
|
CIS v1.2.0 |
3.1 Ensure a log metric filter and alarm exist for unauthorized API calls |
[CloudWatch.2] Ensure a log metric filter and alarm exist for unauthorized API calls |
|
CIS v1.2.0 |
3.10 Ensure a log metric filter and alarm exist for security group changes |
[CloudWatch.10] Ensure a log metric filter and alarm exist for security group changes |
|
CIS v1.2.0 |
3.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) |
|
|
CIS v1.2.0 |
3.12 Ensure a log metric filter and alarm exist for changes to network gateways |
[CloudWatch.12] Ensure a log metric filter and alarm exist for changes to network gateways |
|
CIS v1.2.0 |
3.13 Ensure a log metric filter and alarm exist for route table changes |
[CloudWatch.13] Ensure a log metric filter and alarm exist for route table changes |
|
CIS v1.2.0 |
3.14 Ensure a log metric filter and alarm exist for VPC changes |
[CloudWatch.14] Ensure a log metric filter and alarm exist for VPC changes |
|
CIS v1.2.0 |
3.2 Ensure a log metric filter and alarm exist for Management Console sign-in without MFA |
[CloudWatch.3] Ensure a log metric filter and alarm exist for Management Console sign-in without MFA |
|
CIS v1.2.0 |
3.3 Ensure a log metric filter and alarm exist for usage of root user |
[CloudWatch.1] A log metric filter and alarm should exist for usage of the "root" user |
|
CIS v1.2.0 |
3.4 Ensure a log metric filter and alarm exist for IAM policy changes |
[CloudWatch.4] Ensure a log metric filter and alarm exist for IAM policy changes |
|
CIS v1.2.0 |
3.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes |
[CloudWatch.5] Ensure a log metric filter and alarm exist for CloudTrail AWS Configuration changes |
|
CIS v1.2.0 |
3.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures |
|
|
CIS v1.2.0 |
3.7 Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs |
|
|
CIS v1.2.0 |
3.8 Ensure a log metric filter and alarm exist for S3 bucket policy changes |
[CloudWatch.8] Ensure a log metric filter and alarm exist for S3 bucket policy changes |
|
CIS v1.2.0 |
3.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes |
[CloudWatch.9] Ensure a log metric filter and alarm exist for AWS Config configuration changes |
|
CIS v1.2.0 |
4.1 Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 |
[EC2.13] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 22 |
|
CIS v1.2.0 |
4.2 Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 |
[EC2.14] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 3389 |
|
CIS v1.2.0 |
4.3 Ensure the default security group of every VPC restricts all traffic |
[EC2.2] VPC default security groups should not allow inbound or outbound traffic |
|
CIS v1.4.0 |
1.10 Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password |
[IAM.5] MFA should be enabled for all IAM users that have a console password |
|
CIS v1.4.0 |
1.14 Ensure access keys are rotated every 90 days or less |
[IAM.3] IAM users' access keys should be rotated every 90 days or less |
|
CIS v1.4.0 |
1.16 Ensure IAM policies that allow full "*:*" administrative privileges are not attached |
[IAM.1] IAM policies should not allow full "*" administrative privileges |
|
CIS v1.4.0 |
1.17 Ensure a support role has been created to manage incidents with AWS Support |
[IAM.18] Ensure a support role has been created to manage incidents with AWS Support |
|
CIS v1.4.0 |
1.4 Ensure no root user account access key exists |
|
|
CIS v1.4.0 |
1.5 Ensure MFA is enabled for the root user account |
|
|
CIS v1.4.0 |
1.6 Ensure hardware MFA is enabled for the root user account |
|
|
CIS v1.4.0 |
1.7 Eliminate use of the root user for administrative and daily tasks |
[CloudWatch.1] A log metric filter and alarm should exist for usage of the "root" user |
|
CIS v1.4.0 |
1.8 Ensure IAM password policy requires minimum length of 14 or greater |
[IAM.15] Ensure IAM password policy requires minimum password length of 14 or greater |
|
CIS v1.4.0 |
1.9 Ensure IAM password policy prevents password reuse |
|
|
CIS v1.4.0 |
2.1.2 Ensure S3 Bucket Policy is set to deny HTTP requests |
[S3.5] S3 general purpose buckets should require requests to use SSL |
|
CIS v1.4.0 |
2.1.5.1 S3 Block Public Access setting should be enabled |
[S3.1] S3 general purpose buckets should have block public access settings enabled |
|
CIS v1.4.0 |
2.1.5.2 S3 Block Public Access setting should be enabled at the bucket level |
[S3.8] S3 general purpose buckets should block public access |
|
CIS v1.4.0 |
2.2.1 Ensure EBS volume encryption is enabled |
|
|
CIS v1.4.0 |
2.3.1 Ensure that encryption is enabled for RDS Instances |
[RDS.3] RDS DB instances should have encryption at-rest enabled |
|
CIS v1.4.0 |
3.1 Ensure CloudTrail is enabled in all regions |
|
|
CIS v1.4.0 |
3.2 Ensure CloudTrail log file validation is enabled |
[CloudTrail.4] CloudTrail log file validation should be enabled |
|
CIS v1.4.0 |
3.4 Ensure CloudTrail trails are integrated with CloudWatch Logs |
[CloudTrail.5] CloudTrail trails should be integrated with Amazon CloudWatch Logs |
|
CIS v1.4.0 |
3.5 Ensure AWS Config is enabled in all regions |
|
|
CIS v1.4.0 |
3.6 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket |
[CloudTrail.7] Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket |
|
CIS v1.4.0 |
3.7 Ensure CloudTrail logs are encrypted at rest using KMS CMKs |
[CloudTrail.2] CloudTrail should have encryption at-rest enabled |
|
CIS v1.4.0 |
3.8 Ensure rotation for customer created CMKs is enabled |
|
|
CIS v1.4.0 |
3.9 Ensure VPC flow logging is enabled in all VPCs |
|
|
CIS v1.4.0 |
4.4 Ensure a log metric filter and alarm exist for IAM policy changes |
[CloudWatch.4] Ensure a log metric filter and alarm exist for IAM policy changes |
|
CIS v1.4.0 |
4.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes |
[CloudWatch.5] Ensure a log metric filter and alarm exist for CloudTrail AWS Configuration changes |
|
CIS v1.4.0 |
4.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures |
|
|
CIS v1.4.0 |
4.7 Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs |
|
|
CIS v1.4.0 |
4.8 Ensure a log metric filter and alarm exist for S3 bucket policy changes |
[CloudWatch.8] Ensure a log metric filter and alarm exist for S3 bucket policy changes |
|
CIS v1.4.0 |
4.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes |
[CloudWatch.9] Ensure a log metric filter and alarm exist for AWS Config configuration changes |
|
CIS v1.4.0 |
4.10 Ensure a log metric filter and alarm exist for security group changes |
[CloudWatch.10] Ensure a log metric filter and alarm exist for security group changes |
|
CIS v1.4.0 |
4.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) |
|
|
CIS v1.4.0 |
4.12 Ensure a log metric filter and alarm exist for changes to network gateways |
[CloudWatch.12] Ensure a log metric filter and alarm exist for changes to network gateways |
|
CIS v1.4.0 |
4.13 Ensure a log metric filter and alarm exist for route table changes |
[CloudWatch.13] Ensure a log metric filter and alarm exist for route table changes |
|
CIS v1.4.0 |
4.14 Ensure a log metric filter and alarm exist for VPC changes |
[CloudWatch.14] Ensure a log metric filter and alarm exist for VPC changes |
|
CIS v1.4.0 |
5.1 Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports |
[EC2.21] Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389 |
|
CIS v1.4.0 |
5.3 Ensure the default security group of every VPC restricts all traffic |
[EC2.2] VPC default security groups should not allow inbound or outbound traffic |
|
PCI DSS v3.2.1 |
PCI.AutoScaling.1 Auto scaling groups associated with a load balancer should use load balancer health checks |
|
|
PCI DSS v3.2.1 |
PCI.CloudTrail.1 CloudTrail logs should be encrypted at rest using AWS KMS CMKs |
[CloudTrail.2] CloudTrail should have encryption at-rest enabled |
|
PCI DSS v3.2.1 |
PCI.CloudTrail.2 CloudTrail should be enabled |
|
|
PCI DSS v3.2.1 |
PCI.CloudTrail.3 CloudTrail log file validation should be enabled |
[CloudTrail.4] CloudTrail log file validation should be enabled |
|
PCI DSS v3.2.1 |
PCI.CloudTrail.4 CloudTrail trails should be integrated with Amazon CloudWatch Logs |
[CloudTrail.5] CloudTrail trails should be integrated with Amazon CloudWatch Logs |
|
PCI DSS v3.2.1 |
PCI.CodeBuild.1 CodeBuild GitHub or Bitbucket source repository URLs should use OAuth |
[CodeBuild.1] CodeBuild Bitbucket source repository URLs should not contain sensitive credentials |
|
PCI DSS v3.2.1 |
PCI.CodeBuild.2 CodeBuild project environment variables should not contain clear text credentials |
[CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials |
|
PCI DSS v3.2.1 |
PCI.Config.1 AWS Config should be enabled |
|
|
PCI DSS v3.2.1 |
PCI.CW.1 A log metric filter and alarm should exist for usage of the "root" user |
[CloudWatch.1] A log metric filter and alarm should exist for usage of the "root" user |
|
PCI DSS v3.2.1 |
PCI.DMS.1 Database Migration Service replication instances should not be public |
[DMS.1] Database Migration Service replication instances should not be public |
|
PCI DSS v3.2.1 |
PCI.EC2.1 EBS snapshots should not be publicly restorable |
[EC2.1] Amazon EBS snapshots should not be publicly restorable |
|
PCI DSS v3.2.1 |
PCI.EC2.2 VPC default security group should prohibit inbound and outbound traffic |
[EC2.2] VPC default security groups should not allow inbound or outbound traffic |
|
PCI DSS v3.2.1 |
PCI.EC2.4 Unused EC2 EIPs should be removed |
|
|
PCI DSS v3.2.1 |
PCI.EC2.5 Security groups should not allow ingress from 0.0.0.0/0 to port 22 |
[EC2.13] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 22 |
|
PCI DSS v3.2.1 |
PCI.EC2.6 VPC flow logging should be enabled in all VPCs |
|
|
PCI DSS v3.2.1 |
PCI.ELBv2.1 Application Load Balancer should be configured to redirect all HTTP requests to HTTPS |
[ELB.1] Application Load Balancer should be configured to redirect all HTTP requests to HTTPS |
|
PCI DSS v3.2.1 |
PCI.ES.1 Elasticsearch domains should be in a VPC |
[ES.2] Elasticsearch domains should not be publicly accessible |
|
PCI DSS v3.2.1 |
PCI.ES.2 Elasticsearch domains should have encryption at-rest enabled |
[ES.1] Elasticsearch domains should have encryption at-rest enabled |
|
PCI DSS v3.2.1 |
PCI.GuardDuty.1 GuardDuty should be enabled |
|
|
PCI DSS v3.2.1 |
PCI.IAM.1 IAM root user access key should not exist |
|
|
PCI DSS v3.2.1 |
PCI.IAM.2 IAM users should not have IAM policies attached |
|
|
PCI DSS v3.2.1 |
PCI.IAM.3 IAM policies should not allow full "*" administrative privileges |
[IAM.1] IAM policies should not allow full "*" administrative privileges |
|
PCI DSS v3.2.1 |
PCI.IAM.4 Hardware MFA should be enabled for the root user |
|
|
PCI DSS v3.2.1 |
PCI.IAM.5 Virtual MFA should be enabled for the root user |
|
|
PCI DSS v3.2.1 |
PCI.IAM.6 MFA should be enabled for all IAM users |
|
|
PCI DSS v3.2.1 |
PCI.IAM.7 IAM user credentials should be disabled if not used within a pre-defined number days |
|
|
PCI DSS v3.2.1 |
PCI.IAM.8 Password policies for IAM users should have strong configurations |
[IAM.10] Password policies for IAM users should have strong AWS Configurations |
|
PCI DSS v3.2.1 |
PCI.KMS.1 Customer master key (CMK) rotation should be enabled |
|
|
PCI DSS v3.2.1 |
PCI.Lambda.1 Lambda functions should prohibit public access |
[Lambda.1] Lambda function policies should prohibit public access |
|
PCI DSS v3.2.1 |
PCI.Lambda.2 Lambda functions should be in a VPC |
|
|
PCI DSS v3.2.1 |
PCI.Opensearch.1 OpenSearch domains should be in a VPC |
[Opensearch.2] OpenSearch domains should not be publicly accessible |
|
PCI DSS v3.2.1 |
PCI.Opensearch.2 EBS snapshots should not be publicly restorable |
[Opensearch.1] OpenSearch domains should have encryption at rest enabled |
|
PCI DSS v3.2.1 |
PCI.RDS.1 RDS snapshot should be private |
|
|
PCI DSS v3.2.1 |
PCI.RDS.2 RDS DB Instances should prohibit public access |
|
|
PCI DSS v3.2.1 |
PCI.Redshift.1 Amazon Redshift clusters should prohibit public access |
[Redshift.1] Amazon Redshift clusters should prohibit public access |
|
PCI DSS v3.2.1 |
PCI.S3.1 S3 buckets should prohibit public write access |
[S3.3] S3 general purpose buckets should block public write access |
|
PCI DSS v3.2.1 |
PCI.S3.2 S3 buckets should prohibit public read access |
[S3.2] S3 general purpose buckets should block public read access |
|
PCI DSS v3.2.1 |
PCI.S3.3 S3 buckets should have cross-region replication enabled |
[S3.7] S3 general purpose buckets should use cross-Region replication |
|
PCI DSS v3.2.1 |
PCI.S3.5 S3 buckets should require requests to use Secure Socket Layer |
[S3.5] S3 general purpose buckets should require requests to use SSL |
|
PCI DSS v3.2.1 |
PCI.S3.6 S3 Block Public Access setting should be enabled |
[S3.1] S3 general purpose buckets should have block public access settings enabled |
|
PCI DSS v3.2.1 |
PCI.SageMaker.1 Amazon SageMaker notebook instances should not have direct internet access |
[SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access |
|
PCI DSS v3.2.1 |
PCI.SSM.1 EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation |
|
|
PCI DSS v3.2.1 |
PCI.SSM.2 EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT |
|
|
PCI DSS v3.2.1 |
PCI.SSM.3 EC2 instances should be managed by AWS Systems Manager |
[SSM.1] Amazon EC2 instances should be managed by AWS Systems Manager |
Updating workflows for consolidation
If your workflows don’t rely on the specific format of any control finding fields, no action is required.
If your workflows rely on the specific format of any control finding fields noted in the tables, you should update your workflows.
For example, If you created a Amazon CloudWatch Events rule that triggered an action for a specific control ID (such as invoking an AWS Lambda function
if the control ID equals CIS 2.7), update the rule to use CloudTrail.2, the Compliance.SecurityControlId field for that control.
If you created custom insights using any of the control finding fields or values that changed, update those insights to use the current fields or values.
