Security Hub controls reference - AWS Security Hub

Security Hub controls reference

This controls reference provides a list of available AWS Security Hub controls with links to more information about each control. The overview table displays the controls in alphabetical order by control ID. The table provides the following information for each control:

  • Security control ID – This ID applies across standards and indicates the AWS service and resource that the control relates to. The Security Hub console displays security control IDs, regardless of whether consolidated control findings is turned on or off in your account. However, Security Hub findings reference security control IDs only if consolidated control findings is turned on in your account. If consolidated control findings is turned off in your account, Security Hub findings reference standard-specific control IDs.

  • Linked standards – Indicates which standards a control applies to. Select a control to see specific requirements from third-party compliance frameworks.

  • Security control title – This title applies across standards. The Security Hub console displays security control titles, regardless of whether consolidated control findings is turned on or off in your account. However, Security Hub findings reference security control titles only if consolidated control findings is turned on in your account. If consolidated control findings is turned off in your account, Security Hub findings reference standard-specific control titles.

  • Severity – The severity of a control identifies its importance from a security standpoint. For information about how Security Hub determines control severity, see Assigning severity to control findings.

  • Schedule type – Indicates when the control is evaluated. For more information, see Schedule for running security checks.

Select a control to view further details. Controls are listed in alphabetical order of the service name.

Note

Consolidated controls view and consolidated control findings aren't supported in the AWS GovCloud (US) Region and China Regions. In these Regions, control IDs and titles remain the same and may reference standard-specific information. For a list of control IDs and titles in these Regions, see How consolidation impacts control IDs and titles.

Security control ID Security control title Linked standards Severity Schedule type

Account.1

Security contact information should be provided for an AWS account

AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5

MEDIUM

Periodic

Account.2

AWS account should be part of an AWS Organizations organization

NIST SP 800-53 Rev. 5

HIGH

Periodic

ACM.1

Imported and ACM-issued certificates should be renewed after a specified time period

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

ACM.2

RSA certificates managed by ACM should use a key length of at least 2,048 bits

AWS Foundational Security Best Practices v1.0.0

HIGH

Change triggered

APIGateway.1

API Gateway REST and WebSocket API execution logging should be enabled

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

APIGateway.2

API Gateway REST API stages should be configured to use SSL certificates for backend authentication

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

APIGateway.3

API Gateway REST API stages should have AWS X-Ray tracing enabled

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

LOW

Change triggered

APIGateway.4

API Gateway should be associated with a WAF Web ACL

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

APIGateway.5

API Gateway REST API cache data should be encrypted at rest

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

APIGateway.8

API Gateway routes should specify an authorization type

AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

APIGateway.9

Access logging should be configured for API Gateway V2 Stages

AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

AppSync.2

AWS AppSync should have request-level and field-level logging turned on

AWS Foundational Security Best Practices v1.0.0

MEDIUM

Change triggered

AutoScaling.1

Auto scaling groups associated with a Classic Load Balancer should use load balancer health checks

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5

LOW

Change triggered

AutoScaling.2

Amazon EC2 Auto Scaling group should cover multiple Availability Zones

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

AutoScaling.3

Auto Scaling group launch configurations should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2)

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

HIGH

Change triggered

AutoScaling.4

Auto Scaling group launch configuration should not have a metadata response hop limit greater than 1

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

HIGH

Change triggered

Autoscaling.5

Amazon EC2 instances launched using Auto Scaling group launch configurations should not have Public IP addresses

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

HIGH

Change triggered

AutoScaling.6

Auto Scaling groups should use multiple instance types in multiple Availability Zones

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

AutoScaling.9

EC2 Auto Scaling groups should use EC2 launch templates

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

CloudFormation.1

CloudFormation stacks should be integrated with Simple Notification Service (SNS)

AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5

LOW

Change triggered

CloudFront.1

CloudFront distributions should have a default root object configured

AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5

CRITICAL

Change triggered

CloudFront.2

CloudFront distributions should have origin access identity enabled

AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

CloudFront.3

CloudFront distributions should require encryption in transit

AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

CloudFront.4

CloudFront distributions should have origin failover configured

AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5

LOW

Change triggered

CloudFront.5

CloudFront distributions should have logging enabled

AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

CloudFront.6

CloudFront distributions should have WAF enabled

AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

CloudFront.7

CloudFront distributions should use custom SSL/TLS certificates

AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

CloudFront.8

CloudFront distributions should use SNI to serve HTTPS requests

AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5

LOW

Change triggered

CloudFront.9

CloudFront distributions should encrypt traffic to custom origins

AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

CloudFront.10

CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins

AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

CloudFront.12

CloudFront distributions should not point to non-existent S3 origins

AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5

HIGH

Periodic

CloudFront.13

CloudFront distributions should use origin access control

AWS Foundational Security Best Practices v1.0.0

MEDIUM

Change triggered

CloudTrail.1

CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events

CIS AWS Foundations Benchmark v1.2.0, CIS AWS Foundations Benchmark v1.4.0, AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

HIGH

Periodic

CloudTrail.2

CloudTrail should have encryption at-rest enabled

CIS AWS Foundations Benchmark v1.2.0, AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, CIS AWS Foundations Benchmark v1.4.0, NIST SP 800-53 Rev. 5

MEDIUM

Periodic

CloudTrail.3

CloudTrail should be enabled

PCI DSS v3.2.1

HIGH

Periodic

CloudTrail.4

CloudTrail log file validation should be enabled

CIS AWS Foundations Benchmark v1.2.0, AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, CIS AWS Foundations Benchmark v1.4.0, NIST SP 800-53 Rev. 5

MEDIUM

Periodic

CloudTrail.5

CloudTrail trails should be integrated with Amazon CloudWatch Logs

CIS AWS Foundations Benchmark v1.2.0, AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, CIS AWS Foundations Benchmark v1.4.0, NIST SP 800-53 Rev. 5

LOW

Periodic

CloudTrail.6

Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible

CIS AWS Foundations Benchmark v1.2.0, CIS AWS Foundations Benchmark v1.4.0

CRITICAL

Periodic and change triggered

CloudTrail.7

Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket

CIS AWS Foundations Benchmark v1.2.0, CIS AWS Foundations Benchmark v1.4.0

LOW

Periodic

CloudWatch.1

A log metric filter and alarm should exist for usage of the "root" user

CIS AWS Foundations Benchmark v1.2.0, PCI DSS v3.2.1, CIS AWS Foundations Benchmark v1.4.0

LOW

Periodic

CloudWatch.2

Ensure a log metric filter and alarm exist for unauthorized API calls

CIS AWS Foundations Benchmark v1.2.0

LOW

Periodic

CloudWatch.3

Ensure a log metric filter and alarm exist for Management Console sign-in without MFA

CIS AWS Foundations Benchmark v1.2.0

LOW

Periodic

CloudWatch.4

Ensure a log metric filter and alarm exist for IAM policy changes

CIS AWS Foundations Benchmark v1.2.0, CIS AWS Foundations Benchmark v1.4.0

LOW

Periodic

CloudWatch.5

Ensure a log metric filter and alarm exist for CloudTrail configuration changes

CIS AWS Foundations Benchmark v1.2.0, CIS AWS Foundations Benchmark v1.4.0

LOW

Periodic

CloudWatch.6

Ensure a log metric filter and alarm exist for AWS Management Console authentication failures

CIS AWS Foundations Benchmark v1.2.0, CIS AWS Foundations Benchmark v1.4.0

LOW

Periodic

CloudWatch.7

Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs

CIS AWS Foundations Benchmark v1.2.0, CIS AWS Foundations Benchmark v1.4.0

LOW

Periodic

CloudWatch.8

Ensure a log metric filter and alarm exist for S3 bucket policy changes

CIS AWS Foundations Benchmark v1.2.0, CIS AWS Foundations Benchmark v1.4.0

LOW

Periodic

CloudWatch.9

Ensure a log metric filter and alarm exist for AWS Config configuration changes

CIS AWS Foundations Benchmark v1.2.0, CIS AWS Foundations Benchmark v1.4.0

LOW

Periodic

CloudWatch.10

Ensure a log metric filter and alarm exist for security group changes

CIS AWS Foundations Benchmark v1.2.0, CIS AWS Foundations Benchmark v1.4.0

LOW

Periodic

CloudWatch.11

Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)

CIS AWS Foundations Benchmark v1.2.0, CIS AWS Foundations Benchmark v1.4.0

LOW

Periodic

CloudWatch.12

Ensure a log metric filter and alarm exist for changes to network gateways

CIS AWS Foundations Benchmark v1.2.0, CIS AWS Foundations Benchmark v1.4.0

LOW

Periodic

CloudWatch.13

Ensure a log metric filter and alarm exist for route table changes

CIS AWS Foundations Benchmark v1.2.0, CIS AWS Foundations Benchmark v1.4.0

LOW

Periodic

CloudWatch.14

Ensure a log metric filter and alarm exist for VPC changes

CIS AWS Foundations Benchmark v1.2.0, CIS AWS Foundations Benchmark v1.4.0

LOW

Periodic

CloudWatch.15

CloudWatch Alarms should have an action configured for the ALARM state

NIST SP 800-53 Rev. 5

HIGH

Change triggered

CloudWatch.16

CloudWatch log groups should be retained for at least 1 year

NIST SP 800-53 Rev. 5

MEDIUM

Periodic

CloudWatch.17

CloudWatch alarm actions should be enabled

NIST SP 800-53 Rev. 5

HIGH

Change triggered

CodeBuild.1

CodeBuild GitHub or Bitbucket source repository URLs should use OAuth

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5

CRITICAL

Change triggered

CodeBuild.2

CodeBuild project environment variables should not contain clear text credentials

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5

CRITICAL

Change triggered

CodeBuild.3

CodeBuild S3 logs should be encrypted

AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5

LOW

Change triggered

CodeBuild.4

CodeBuild project environments should have a logging configuration

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

CodeBuild.5

CodeBuild project environments should not have privileged mode enabled

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

HIGH

Change triggered

Config.1

AWS Config should be enabled

CIS AWS Foundations Benchmark v1.2.0, AWS Foundational Security Best Practices v1.0.0, PCI DSS v3.2.1, CIS AWS Foundations Benchmark v1.4.0, NIST SP 800-53 Rev. 5

MEDIUM

Periodic

DMS.1

Database Migration Service replication instances should not be public

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5

CRITICAL

Periodic

DynamoDB.1

DynamoDB tables should automatically scale capacity with demand

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

MEDIUM

Periodic

DynamoDB.2

DynamoDB tables should have point-in-time recovery enabled

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

DynamoDB.3

DynamoDB Accelerator (DAX) clusters should be encrypted at rest

AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5

MEDIUM

Periodic

DynamoDB.4

DynamoDB tables should be present in a backup plan

NIST SP 800-53 Rev. 5

MEDIUM

Periodic

EC2.1

EBS snapshots should not be publicly restorable

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5

CRITICAL

Periodic

EC2.2

The VPC default security group should not allow inbound and outbound traffic

CIS AWS Foundations Benchmark v1.2.0, AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, CIS AWS Foundations Benchmark v1.4.0, NIST SP 800-53 Rev. 5

HIGH

Change triggered

EC2.3

Attached EBS volumes should be encrypted at-rest

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

EC2.4

Stopped EC2 instances should be removed after a specified time period

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

MEDIUM

Periodic

EC2.6

VPC flow logging should be enabled in all VPCs

CIS AWS Foundations Benchmark v1.2.0, AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, CIS AWS Foundations Benchmark v1.4.0, NIST SP 800-53 Rev. 5

MEDIUM

Periodic

EC2.7

EBS default encryption should be enabled

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, CIS AWS Foundations Benchmark v1.4.0, NIST SP 800-53 Rev. 5

MEDIUM

Periodic

EC2.8

EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

HIGH

Change triggered

EC2.9

EC2 instances should not have a public IPv4 address

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

HIGH

Change triggered

EC2.10

Amazon EC2 should be configured to use VPC endpoints that are created for the Amazon EC2 service

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

MEDIUM

Periodic

EC2.12

Unused EC2 EIPs should be removed

PCI DSS v3.2.1, NIST SP 800-53 Rev. 5

LOW

Change triggered

EC2.13

Security groups should not allow ingress from 0.0.0.0/0 to port 22

CIS AWS Foundations Benchmark v1.2.0, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5

HIGH

Change triggered

EC2.14

Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389

CIS AWS Foundations Benchmark v1.2.0

HIGH

Change triggered

EC2.15

EC2 subnets should not automatically assign public IP addresses

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

EC2.16

Unused Network Access Control Lists should be removed

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

LOW

Change triggered

EC2.17

EC2 instances should not use multiple ENIs

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

LOW

Change triggered

EC2.18

Security groups should only allow unrestricted incoming traffic for authorized ports

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

HIGH

Change triggered

EC2.19

Security groups should not allow unrestricted access to ports with high risk

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

CRITICAL

Change triggered

EC2.20

Both VPN tunnels for an AWS Site-to-Site VPN connection should be up

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

EC2.21

Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, CIS AWS Foundations Benchmark v1.4.0, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

EC2.22

Unused EC2 security groups should be removed

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

MEDIUM

Periodic

EC2.23

EC2 Transit Gateways should not automatically accept VPC attachment requests

AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5

HIGH

Change triggered

EC2.24

EC2 paravirtual instance types should not be used

AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

EC2.25

EC2 launch templates should not assign public IPs to network interfaces

AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5

HIGH

Change triggered

EC2.28

EBS volumes should be in a backup plan

NIST SP 800-53 Rev. 5

LOW

Periodic

EC2.29

EC2 instances should be inside of a VPC

NIST SP 800-53 Rev. 5

HIGH

Change triggered

ECR.1

ECR private repositories should have image scanning configured

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

HIGH

Change triggered

ECR.2

ECR private repositories should have tag immutability configured

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

ECR.3

ECR repositories should have at least one lifecycle policy configured

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

ECS.1

Amazon ECS task definitions should have secure networking modes and user definitions.

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

HIGH

Change triggered

ECS.2

ECS services should not have public IP addresses assigned to them automatically

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

HIGH

Change triggered

ECS.3

ECS task definitions should not share the host's process namespace

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

HIGH

Change triggered

ECS.4

ECS containers should run as non-privileged

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

HIGH

Change triggered

ECS.5

ECS containers should be limited to read-only access to root filesystems

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

HIGH

Change triggered

ECS.8

Secrets should not be passed as container environment variables

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

HIGH

Change triggered

ECS.10

ECS Fargate services should run on the latest Fargate platform version

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

ECS.12

ECS clusters should use Container Insights

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

EFS.1

Elastic File System should be configured to encrypt file data at-rest using AWS KMS

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

MEDIUM

Periodic

EFS.2

Amazon EFS volumes should be in backup plans

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

MEDIUM

Periodic

EFS.3

EFS access points should enforce a root directory

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

EFS.4

EFS access points should enforce a user identity

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

EKS.1

EKS cluster endpoints should not be publicly accessible

AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5

HIGH

Periodic

EKS.2

EKS clusters should run on a supported Kubernetes version

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

HIGH

Change triggered

ElastiCache.1

ElastiCache Redis clusters should have automatic backup enabled

AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5

HIGH

Periodic

ElastiCache.2

ElastiCache for Redis cache clusters should have auto minor version upgrades enabled

AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5

HIGH

Periodic

ElastiCache.3

ElastiCache replication groups should have automatic failover enabled

AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5

MEDIUM

Periodic

ElastiCache.4

ElastiCache replication groups should have encryption-at-rest enabled

AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5

MEDIUM

Periodic

ElastiCache.5

ElastiCache replication groups should have encryption-in-transit enabled

AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5

MEDIUM

Periodic

ElastiCache.6

ElastiCache replication groups of earlier Redis versions should have Redis AUTH enabled

AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5

MEDIUM

Periodic

ElastiCache.7

ElastiCache clusters should not use the default subnet group

AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5

HIGH

Periodic

ElasticBeanstalk.1

Elastic Beanstalk environments should have enhanced health reporting enabled

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

LOW

Change triggered

ElasticBeanstalk.2

Elastic Beanstalk managed platform updates should be enabled

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

HIGH

Change triggered

ElasticBeanstalk.3

Elastic Beanstalk should stream logs to CloudWatch

AWS Foundational Security Best Practices v1.0.0

HIGH

Change triggered

ELB.1

Application Load Balancer should be configured to redirect all HTTP requests to HTTPS

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5

MEDIUM

Periodic

ELB.2

Classic Load Balancers with SSL/HTTPS listeners should use a certificate provided by AWS Certificate Manager

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

ELB.3

Classic Load Balancer listeners should be configured with HTTPS or TLS termination

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

ELB.4

Application Load Balancer should be configured to drop http headers

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

ELB.5

Application and Classic Load Balancers logging should be enabled

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

ELB.6

Application Load Balancer deletion protection should be enabled

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

ELB.7

Classic Load Balancers should have connection draining enabled

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

ELB.8

Classic Load Balancers with SSL listeners should use a predefined security policy that has strong configuration

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

ELB.9

Classic Load Balancers should have cross-zone load balancing enabled

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

ELB.10

Classic Load Balancer should span multiple Availability Zones

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

ELB.12

Application Load Balancer should be configured with defensive or strictest desync mitigation mode

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

ELB.13

Application, Network and Gateway Load Balancers should span multiple Availability Zones

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

ELB.14

Classic Load Balancer should be configured with defensive or strictest desync mitigation mode

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

ELB.16

Application Load Balancers should be associated with an AWS WAF web ACL

NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

EMR.1

Amazon Elastic MapReduce cluster master nodes should not have public IP addresses

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

HIGH

Periodic

ES.1

Elasticsearch domains should have encryption at-rest enabled

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5

MEDIUM

Periodic

ES.2

Elasticsearch domains should be in a VPC

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5

CRITICAL

Periodic

ES.3

Elasticsearch domains should encrypt data sent between nodes

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

ES.4

Elasticsearch domain error logging to CloudWatch Logs should be enabled

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

ES.5

Elasticsearch domains should have audit logging enabled

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

ES.6

Elasticsearch domains should have at least three data nodes

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

ES.7

Elasticsearch domains should be configured with at least three dedicated master nodes

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

ES.8

Connections to Elasticsearch domains should be encrypted using TLS 1.2

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

GuardDuty.1

GuardDuty should be enabled

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5

HIGH

Periodic

IAM.1

IAM policies should not allow full "*" administrative privileges

CIS AWS Foundations Benchmark v1.2.0, AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, CIS AWS Foundations Benchmark v1.4.0, NIST SP 800-53 Rev. 5

HIGH

Change triggered

IAM.2

IAM users should not have IAM policies attached

CIS AWS Foundations Benchmark v1.2.0, AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5

LOW

Change triggered

IAM.3

IAM users' access keys should be rotated every 90 days or less

CIS AWS Foundations Benchmark v1.2.0, AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, CIS AWS Foundations Benchmark v1.4.0, NIST SP 800-53 Rev. 5

MEDIUM

Periodic

IAM.4

IAM root user access key should not exist

CIS AWS Foundations Benchmark v1.2.0, AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, CIS AWS Foundations Benchmark v1.4.0, NIST SP 800-53 Rev. 5

CRITICAL

Periodic

IAM.5

MFA should be enabled for all IAM users that have a console password

CIS AWS Foundations Benchmark v1.2.0, AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, CIS AWS Foundations Benchmark v1.4.0, NIST SP 800-53 Rev. 5

MEDIUM

Periodic

IAM.6

Hardware MFA should be enabled for the root user

CIS AWS Foundations Benchmark v1.2.0, AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, CIS AWS Foundations Benchmark v1.4.0, NIST SP 800-53 Rev. 5

CRITICAL

Periodic

IAM.7

Password policies for IAM users should have strong configurations

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

MEDIUM

Periodic

IAM.8

Unused IAM user credentials should be removed

CIS AWS Foundations Benchmark v1.2.0, AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5

MEDIUM

Periodic

IAM.9

Virtual MFA should be enabled for the root user

CIS AWS Foundations Benchmark v1.2.0, PCI DSS v3.2.1, CIS AWS Foundations Benchmark v1.4.0, NIST SP 800-53 Rev. 5

CRITICAL

Periodic

IAM.10

Password policies for IAM users should have strong configurations

PCI DSS v3.2.1

MEDIUM

Periodic

IAM.11

Ensure IAM password policy requires at least one uppercase letter

CIS AWS Foundations Benchmark v1.2.0

MEDIUM

Periodic

IAM.12

Ensure IAM password policy requires at least one lowercase letter

CIS AWS Foundations Benchmark v1.2.0

MEDIUM

Periodic

IAM.13

Ensure IAM password policy requires at least one symbol

CIS AWS Foundations Benchmark v1.2.0

MEDIUM

Periodic

IAM.14

Ensure IAM password policy requires at least one number

CIS AWS Foundations Benchmark v1.2.0

MEDIUM

Periodic

IAM.15

Ensure IAM password policy requires minimum password length of 14 or greater

CIS AWS Foundations Benchmark v1.2.0, CIS AWS Foundations Benchmark v1.4.0

MEDIUM

Periodic

IAM.16

Ensure IAM password policy prevents password reuse

CIS AWS Foundations Benchmark v1.2.0, CIS AWS Foundations Benchmark v1.4.0

LOW

Periodic

IAM.17

Ensure IAM password policy expires passwords within 90 days or less

CIS AWS Foundations Benchmark v1.2.0

LOW

Periodic

IAM.18

Ensure a support role has been created to manage incidents with AWS Support

CIS AWS Foundations Benchmark v1.2.0, CIS AWS Foundations Benchmark v1.4.0

LOW

Periodic

IAM.19

MFA should be enabled for all IAM users

PCI DSS v3.2.1, NIST SP 800-53 Rev. 5

MEDIUM

Periodic

IAM.20

Avoid the use of the root user

CIS AWS Foundations Benchmark v1.2.0

LOW

Periodic

IAM.21

IAM customer managed policies that you create should not allow wildcard actions for services

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

LOW

Change triggered

IAM.22

IAM user credentials unused for 45 days should be removed

CIS AWS Foundations Benchmark v1.4.0

MEDIUM

Periodic

Kinesis.1

Kinesis streams should be encrypted at rest

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

KMS.1

IAM customer managed policies should not allow decryption actions on all KMS keys

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

KMS.2

IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

KMS.3

AWS KMS keys should not be deleted unintentionally

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

CRITICAL

Periodic

KMS.4

AWS KMS key rotation should be enabled

CIS AWS Foundations Benchmark v1.2.0, PCI DSS v3.2.1, CIS AWS Foundations Benchmark v1.4.0, NIST SP 800-53 Rev. 5

MEDIUM

Periodic

Lambda.1

Lambda function policies should prohibit public access

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5

CRITICAL

Change triggered

Lambda.2

Lambda functions should use supported runtimes

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

Lambda.3

Lambda functions should be in a VPC

PCI DSS v3.2.1, NIST SP 800-53 Rev. 5

LOW

Change triggered

Lambda.5

VPC Lambda functions should operate in more than one Availability Zone

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

NetworkFirewall.3

Network Firewall policies should have at least one rule group associated

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

NetworkFirewall.4

The default stateless action for Network Firewall policies should be drop or forward for full packets

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

NetworkFirewall.5

The default stateless action for Network Firewall policies should be drop or forward for fragmented packets

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

NetworkFirewall.6

Stateless network firewall rule group should not be empty

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

Opensearch.1

OpenSearch domains should have encryption at rest enabled

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

Opensearch.2

OpenSearch domains should be in a VPC

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5

CRITICAL

Change triggered

Opensearch.3

OpenSearch domains should encrypt data sent between nodes

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

Opensearch.4

OpenSearch domain error logging to CloudWatch Logs should be enabled

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

Opensearch.5

OpenSearch domains should have audit logging enabled

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

Opensearch.6

OpenSearch domains should have at least three data nodes

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

Opensearch.7

OpenSearch domains should have fine-grained access control enabled

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

HIGH

Change triggered

Opensearch.8

Connections to OpenSearch domains should be encrypted using TLS 1.2

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

RDS.1

RDS snapshot should be private

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5

CRITICAL

Change triggered

RDS.2

RDS DB Instances should prohibit public access, as determined by the PubliclyAccessible configuration

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5

CRITICAL

Change triggered

RDS.3

RDS DB instances should have encryption at-rest enabled

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, CIS AWS Foundations Benchmark v1.4.0, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

RDS.4

RDS cluster snapshots and database snapshots should be encrypted at rest

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

RDS.5

RDS DB instances should be configured with multiple Availability Zones

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

RDS.6

Enhanced monitoring should be configured for RDS DB instances

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

LOW

Change triggered

RDS.7

RDS clusters should have deletion protection enabled

AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5

LOW

Change triggered

RDS.8

RDS DB instances should have deletion protection enabled

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

LOW

Change triggered

RDS.9

Database logging should be enabled

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

RDS.10

IAM authentication should be configured for RDS instances

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

RDS.11

RDS instances should have automatic backups enabled

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

RDS.12

IAM authentication should be configured for RDS clusters

AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

RDS.13

RDS automatic minor version upgrades should be enabled

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

HIGH

Change triggered

RDS.14

Amazon Aurora clusters should have backtracking enabled

AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

RDS.15

RDS DB clusters should be configured for multiple Availability Zones

AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

RDS.16

RDS DB clusters should be configured to copy tags to snapshots

AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5

LOW

Change triggered

RDS.17

RDS DB instances should be configured to copy tags to snapshots

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

LOW

Change triggered

RDS.18

RDS instances should be deployed in a VPC

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

HIGH

Change triggered

RDS.19

An RDS event notifications subscription should be configured for critical cluster events

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

LOW

Change triggered

RDS.20

An RDS event notifications subscription should be configured for critical database instance events

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

LOW

Change triggered

RDS.21

An RDS event notifications subscription should be configured for critical database parameter group events

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

LOW

Change triggered

RDS.22

An RDS event notifications subscription should be configured for critical database security group events

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

LOW

Change triggered

RDS.23

RDS instances should not use a database engine default port

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

LOW

Change triggered

RDS.24

RDS Database Clusters should use a custom administrator username

AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

RDS.25

RDS database instances should use a custom administrator username

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

RDS.26

RDS DB instances should be protected by a backup plan

NIST SP 800-53 Rev. 5

MEDIUM

Periodic

Redshift.1

Amazon Redshift clusters should prohibit public access

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5

CRITICAL

Change triggered

Redshift.2

Connections to Amazon Redshift clusters should be encrypted in transit

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

Redshift.3

Amazon Redshift clusters should have automatic snapshots enabled

AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

Redshift.4

Amazon Redshift clusters should have audit logging enabled

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

Redshift.6

Amazon Redshift should have automatic upgrades to major versions enabled

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

Redshift.7

Redshift clusters should use enhanced VPC routing

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

Redshift.8

Amazon Redshift clusters should not use the default Admin username

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

Redshift.9

Redshift clusters should not use the default database name

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

Redshift.10

Redshift clusters should be encrypted at rest

AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

S3.1

S3 Block Public Access setting should be enabled

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, CIS AWS Foundations Benchmark v1.4.0, NIST SP 800-53 Rev. 5

MEDIUM

Periodic

S3.2

S3 buckets should prohibit public read access

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5

CRITICAL

Periodic and change triggered

S3.3

S3 buckets should prohibit public write access

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5

CRITICAL

Periodic and change triggered

S3.4

S3 buckets should have server-side encryption enabled

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, CIS AWS Foundations Benchmark v1.4.0, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

S3.5

S3 buckets should require requests to use Secure Socket Layer

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, CIS AWS Foundations Benchmark v1.4.0, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

S3.6

S3 permissions granted to other AWS accounts in bucket policies should be restricted

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

HIGH

Change triggered

S3.7

S3 buckets should have cross-Region replication enabled

PCI DSS v3.2.1, NIST SP 800-53 Rev. 5

LOW

Change triggered

S3.8

S3 Block Public Access setting should be enabled at the bucket-level

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, CIS AWS Foundations Benchmark v1.4.0, NIST SP 800-53 Rev. 5

HIGH

Change triggered

S3.9

S3 bucket server access logging should be enabled

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

S3.10

S3 buckets with versioning enabled should have lifecycle policies configured

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

S3.11

S3 buckets should have event notifications enabled

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

S3.12

S3 access control lists (ACLs) should not be used to manage user access to buckets

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

S3.13

S3 buckets should have lifecycle policies configured

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

LOW

Change triggered

S3.14

S3 buckets should have versioning enabled

NIST SP 800-53 Rev. 5

LOW

Change triggered

S3.15

S3 buckets should be configured to use Object Lock

NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

S3.17

S3 buckets should be encrypted at rest with AWS KMS keys

NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

SageMaker.1

Amazon SageMaker notebook instances should not have direct internet access

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5

HIGH

Periodic

SageMaker.2

SageMaker notebook instances should be launched in a custom VPC

AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5

HIGH

Change triggered

SageMaker.3

Users should not have root access to SageMaker notebook instances

AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5

HIGH

Change triggered

SecretsManager.1

Secrets Manager secrets should have automatic rotation enabled

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

SecretsManager.2

Secrets Manager secrets configured with automatic rotation should rotate successfully

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

SecretsManager.3

Remove unused Secrets Manager secrets

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

MEDIUM

Periodic

SecretsManager.4

Secrets Manager secrets should be rotated within a specified number of days

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

MEDIUM

Periodic

SNS.1

SNS topics should be encrypted at-rest using AWS KMS

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

SNS.2

Logging of delivery status should be enabled for notification messages sent to a topic

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

SQS.1

Amazon SQS queues should be encrypted at rest

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

SSM.1

EC2 instances should be managed by AWS Systems Manager

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

SSM.2

EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5

HIGH

Change triggered

SSM.3

EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5

LOW

Change triggered

SSM.4

SSM documents should not be public

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

CRITICAL

Periodic

StepFunctions.1

Step Functions state machines should have logging turned on

AWS Foundational Security Best Practices

MEDIUM

Change triggered

WAF.1

AWS WAF Classic Global Web ACL logging should be enabled

AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5

MEDIUM

Periodic

WAF.2

A WAF Regional rule should have at least one condition

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

WAF.3

A WAF Regional rule group should have at least one rule

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

WAF.4

A WAF Regional web ACL should have at least one rule or rule group

AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

WAF.6

A WAF global rule should have at least one condition

AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

WAF.7

A WAF global rule group should have at least one rule

AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

WAF.8

A WAF global web ACL should have at least one rule or rule group

AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

WAF.10

A WAFV2 web ACL should have at least one rule or rule group

AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5

MEDIUM

Change triggered

WAF.11

AWS WAFv2 web ACL logging should be enabled

NIST SP 800-53 Rev. 5

LOW

Periodic