Regional limits - AWS Security Hub

Regional limits

Some AWS Security Hub features are available in only some AWS Regions. The following sections specify these Regional limits.

For a list of Regions in which Security Hub is available, see AWS Security Hub endpoints and quotas in the AWS General Reference.

Cross-Region aggregation restrictions

In AWS GovCloud (US), cross-Region aggregation is available for findings, finding updates, and insights across AWS GovCloud (US) only. Specifically, you can only aggregate findings, finding updates, and insights between AWS GovCloud (US-East) and AWS GovCloud (US-West).

In the China Regions, cross-Region aggregation is available for findings, finding updates, and insights across the China Regions only. Specifically, you can only aggregate findings, finding updates, and insights between China (Beijing) and China (Ningxia).

You can't use a Region that is disabled by default as your aggregation Region. For a list of Regions that are disabled by default, see Enabling a Region in the AWS General Reference.
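The three restrictions above can be checked before a finding aggregator is created. The following is an added example, not code from the AWS documentation: it assumes the standard Region codes for the AWS GovCloud (US) and China Regions, derives the partition from the Region code prefix, and takes the disabled-by-default Region list as a caller-supplied parameter because this page defers that list to the AWS General Reference.

```python
"""Pre-flight check for a proposed Security Hub cross-Region aggregation layout.

Added example (not AWS code). It encodes the rules stated on this page:
  * GovCloud (US) Regions only aggregate with each other,
  * China Regions only aggregate with each other,
  * a Region that is disabled by default cannot be the aggregation Region.
"""
from __future__ import annotations

# Assumed Region codes (standard AWS codes; this page names the Regions only
# by their display names).
GOVCLOUD_REGIONS = {"us-gov-east-1", "us-gov-west-1"}   # AWS GovCloud (US-East/US-West)
CHINA_REGIONS = {"cn-north-1", "cn-northwest-1"}        # China (Beijing/Ningxia)


def partition_of(region: str) -> str:
    """Map a Region code to its partition using the code prefix (assumed convention)."""
    if region in GOVCLOUD_REGIONS or region.startswith("us-gov-"):
        return "aws-us-gov"
    if region in CHINA_REGIONS or region.startswith("cn-"):
        return "aws-cn"
    return "aws"


def validate_aggregation(aggregation_region: str,
                         linked_regions: list[str],
                         disabled_by_default: set[str]) -> list[str]:
    """Return the list of rule violations; an empty list means the layout is allowed.

    disabled_by_default: the set of opt-in Regions, taken from the AWS General
    Reference by the caller (hypothetical parameter, not hard-coded here).
    """
    problems: list[str] = []
    if aggregation_region in disabled_by_default:
        problems.append(
            f"{aggregation_region} is disabled by default and cannot be the aggregation Region")
    home = partition_of(aggregation_region)
    for region in linked_regions:
        other = partition_of(region)
        if other != home:
            problems.append(
                f"{region} ({other}) cannot be linked to {aggregation_region} ({home}): "
                "GovCloud (US) and China Regions only aggregate within their own partition")
    return problems


if __name__ == "__main__":
    # Constructed sample layouts for illustration.
    print(validate_aggregation("us-gov-west-1", ["us-gov-east-1"], set()))
    print(validate_aggregation("us-east-1", ["us-gov-west-1", "eu-west-1"], set()))
```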

Availability of integrations by Region

Some integrations are not available in all Regions. If an integration is not available in a specific Region, it is not listed on the Integrations page of the Security Hub console when you choose that Region.

Integrations that are supported in China (Beijing) and China (Ningxia)

The China (Beijing) and China (Ningxia) Regions only support the following integrations with AWS services:

  • AWS Firewall Manager

  • Amazon GuardDuty

  • IAM Access Analyzer

  • AWS IoT Device Defender

  • Systems Manager Explorer

  • Systems Manager OpsCenter

  • Systems Manager Patch Manager

The China (Beijing) and China (Ningxia) Regions only support the following third-party integrations:

  • Cloud Custodian

  • FireEye Helix

  • Helecloud

  • IBM QRadar

  • PagerDuty

  • Palo Alto Networks Cortex XSOAR

  • Palo Alto Networks VM-Series

  • Prowler

  • RSA Archer

  • Splunk Enterprise

  • Splunk Phantom

  • ThreatModeler

Integrations that are supported in AWS GovCloud (US-East) and AWS GovCloud (US-West)

The AWS GovCloud (US-East) and AWS GovCloud (US-West) Regions only support the following integrations with AWS services:

  • AWS Config

  • Amazon Detective

  • AWS Firewall Manager

  • Amazon GuardDuty

  • AWS Health

  • IAM Access Analyzer

  • Amazon Inspector

  • AWS IoT Device Defender

The AWS GovCloud (US-East) and AWS GovCloud (US-West) Regions only support the following third-party integrations:

  • Atlassian Jira Service Management

  • Atlassian Jira Service Management Cloud

  • Atlassian OpsGenie

  • Caveonix Cloud

  • Cloud Custodian

  • Cloud Storage Security Antivirus for Amazon S3

  • CrowdStrike Falcon

  • FireEye Helix

  • Forcepoint CASB

  • Forcepoint DLP

  • Forcepoint NGFW

  • Fugue

  • Kion

  • MicroFocus ArcSight

  • NETSCOUT Cyber Investigator

  • PagerDuty

  • Palo Alto Networks – Prisma Cloud Compute

  • Palo Alto Networks – Prisma Cloud Enterprise

  • Palo Alto Networks – VM-Series (available only in AWS GovCloud (US-West))

  • Prowler

  • Rackspace Technology – Cloud Native Security

  • Rapid7 InsightConnect

  • RSA Archer

  • SecureCloudDb

  • ServiceNow ITSM

  • Slack

  • ThreatModeler

  • Vectra AI Cognito Detect

Availability of standards by Region

Service-Managed Standard: AWS Control Tower is only available in Regions that AWS Control Tower supports, including AWS GovCloud (US). For a list of Regions that AWS Control Tower supports, see How AWS Regions Work With AWS Control Tower in the AWS Control Tower User Guide.

Other security standards are available in all Regions.

Availability of controls by Region

The following Regions do not support all of the Security Hub controls. For each Region, this list shows the controls that are not supported.

Regional limits on controls that are part of Service-Managed Standard: AWS Control Tower match the Regional limits on the corresponding controls in the AWS Foundational Security Best Practices (FSBP) standard. For a list of controls in Service-Managed Standard: AWS Control Tower, see Service-Managed Standard: AWS Control Tower controls.

US East (Ohio)

The following controls are not supported in US East (Ohio).

US West (N. California)

The following controls are not supported in US West (N. California).

US West (Oregon)

The following controls are not supported in US West (Oregon).

Africa (Cape Town)

The following controls are not supported in Africa (Cape Town).

CIS AWS Foundations Benchmark v1.2.0

1.4 – Ensure access keys are rotated every 90 days or less

1.20 – Ensure a support role has been created to manage incidents with AWS Support

4.1 – Ensure no security groups allow ingress from 0.0.0.0/0 to port 22

4.2 – Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389

CIS AWS Foundations Benchmark v1.4.0

1.14 – Ensure access keys are rotated every 90 days or less

1.17 – Ensure a support role has been created to manage incidents with AWS Support

Payment Card Industry Data Security Standard (PCI DSS)

[PCI.CodeBuild.1] CodeBuild GitHub or Bitbucket source repository URLs should use OAuth

[PCI.CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials

[PCI.DMS.1] AWS Database Migration Service replication instances should not be public

[PCI.EC2.1] Amazon EBS snapshots should not be publicly restorable

[PCI.EC2.4] Unused EC2 EIPs should be removed

[PCI.EC2.5] Security groups should not allow ingress from 0.0.0.0/0 to port 22

[PCI.ELBV2.1] Application Load Balancer should be configured to redirect all HTTP requests to HTTPS

[PCI.GuardDuty.1] GuardDuty should be enabled

[PCI.IAM.1] IAM root user access key should not exist

[PCI.RDS.1] Amazon RDS snapshots should prohibit public access

[PCI.SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access

[PCI.SSM.1] Amazon EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation

[PCI.SSM.2] Instances managed by Systems Manager should have an association compliance status of COMPLIANT

AWS Foundational Security Best Practices standard

[ACM.1] Imported and ACM-issued certificates should be renewed after a specified time period

[APIGateway.1] API Gateway REST and WebSocket API logging should be enabled

[CloudFormation.1] CloudFormation stacks should be integrated with Simple Notification Service (SNS)

[CloudFront.1] CloudFront distributions should have a default root object configured

[CloudFront.2] CloudFront distributions should have origin access identity enabled

[CloudFront.3] CloudFront distributions should require encryption in transit

[CloudFront.4] CloudFront distributions should have origin failover configured

[CloudFront.5] CloudFront distributions should have logging enabled

[CloudFront.6] CloudFront distributions should have AWS WAF enabled

[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates

[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests

[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins

[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins

[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins

[CodeBuild.1] CodeBuild GitHub or Bitbucket source repository URLs should use OAuth

[CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials

[DMS.1] AWS Database Migration Service replication instances should not be public

[EC2.1] Amazon EBS snapshots should not be public, determined by the availability to be restorable by anyone

[EC2.3] Attached EBS volumes should be encrypted at rest

[EC2.4] Stopped EC2 instances should be removed after a specified time period

[EC2.8] EC2 instances should use IMDSv2

[EC2.24] Paravirtual EC2 instance types should not be used

[EFS.1] Amazon EFS should be configured to encrypt file data at rest using AWS KMS

[EFS.2] Amazon EFS volumes should be in backup plans

[ELB.2] Classic Load Balancers with HTTPS/SSL listeners should use a certificate provided by AWS Certificate Manager

[ELB.4] Application load balancers should be configured to drop HTTP headers

[ELB.8] Classic Load Balancers with HTTPS/SSL listeners should use a predefined security policy that has strong configuration

[ELBv2.1] Application Load Balancer should be configured to redirect all HTTP requests to HTTPS

[EMR.1] Amazon EMR cluster master nodes should not have public IP addresses

[ES.3] Elasticsearch domains should encrypt data sent between nodes

[GuardDuty.1] GuardDuty should be enabled

[IAM.3] IAM users' access keys should be rotated every 90 days or less

[OpenSearch.7] OpenSearch domains should have fine-grained access control enabled

[RDS.1] RDS snapshots should be private

[RDS.9] Database logging should be enabled

[RDS.10] IAM authentication should be configured for RDS instances

[RDS.14] Amazon Aurora clusters should have backtracking enabled

[Redshift.3] Amazon Redshift clusters should have automatic snapshots enabled

[SageMaker.1] SageMaker notebook instances should not have direct internet access

[SSM.2] All EC2 instances managed by Systems Manager should be compliant with patching requirements

[SSM.3] Instances managed by Systems Manager should have an association compliance status of COMPLIANT

[OpenSearch.1] OpenSearch domains should have encryption at rest enabled

[OpenSearch.2] OpenSearch domains should be in a VPC

[OpenSearch.3] OpenSearch domains should encrypt data sent between nodes

[OpenSearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled

[OpenSearch.5] OpenSearch domains should have audit logging enabled

[OpenSearch.6] OpenSearch domains should have at least three data nodes

[OpenSearch.8] Connections to OpenSearch domains should be encrypted using TLS 1.2

[WAF.1] AWS WAF Classic global web ACL logging should be enabled

[WAF.6] A WAF global rule should have at least one condition

[WAF.7] A WAF global rule group should have at least one rule

[WAF.8] A WAF global web ACL should have at least one rule or rule group

Asia Pacific (Hong Kong)

The following controls are not supported in Asia Pacific (Hong Kong).

AWS Foundational Security Best Practices standard

[CloudFormation.1] CloudFormation stacks should be integrated with Simple Notification Service (SNS)

[CloudFront.1] CloudFront distributions should have a default root object configured

[CloudFront.2] CloudFront distributions should have origin access identity enabled

[CloudFront.3] CloudFront distributions should require encryption in transit

[CloudFront.4] CloudFront distributions should have origin failover configured

[CloudFront.5] CloudFront distributions should have logging enabled

[CloudFront.6] CloudFront distributions should have AWS WAF enabled

[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates

[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests

[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins

[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins

[EC2.23] EC2 Transit Gateways should not automatically accept VPC attachment requests

[EC2.24] Paravirtual EC2 instance types should not be used

[RDS.10] IAM authentication should be configured for RDS instances

[RDS.14] Amazon Aurora clusters should have backtracking enabled

[WAF.1] AWS WAF Classic global web ACL logging should be enabled

[WAF.6] A WAF global rule should have at least one condition

[WAF.7] A WAF global rule group should have at least one rule

[WAF.8] A WAF global web ACL should have at least one rule or rule group

Asia Pacific (Jakarta)

The following controls are not supported in Asia Pacific (Jakarta).

CIS AWS Foundations Benchmark v1.2.0

1.12 – Ensure no root user access key exists

1.20 – Ensure a support role has been created to manage incidents with AWS Support

2.9 – Ensure VPC flow logging is enabled in all VPCs

4.1 – Ensure no security groups allow ingress from 0.0.0.0/0 to port 22

4.2 – Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389

4.3 – Ensure the default security group of every VPC restricts all traffic

CIS AWS Foundations Benchmark v1.4.0

2.2.1 – Ensure EBS volume encryption is enabled

Payment Card Industry Data Security Standard (PCI DSS)

[PCI.CodeBuild.1] CodeBuild GitHub or Bitbucket source repository URLs should use OAuth

[PCI.CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials

[PCI.DMS.1] AWS Database Migration Service replication instances should not be public

[PCI.EC2.1] Amazon EBS snapshots should not be publicly restorable

[PCI.EC2.2] VPC default security group should prohibit inbound and outbound traffic

[PCI.EC2.5] Security groups should not allow ingress from 0.0.0.0/0 to port 22

[PCI.EC2.6] VPC flow logging should be enabled in all VPCs

[PCI.ELBV2.1] Application Load Balancer should be configured to redirect all HTTP requests to HTTPS

[PCI.ES.1] Elasticsearch domains should be in a VPC

[PCI.ES.2] Elasticsearch domains should have encryption at rest enabled

[PCI.GuardDuty.1] GuardDuty should be enabled

[PCI.IAM.1] IAM root user access key should not exist

[PCI.Lambda.2] Lambda functions should be in a VPC

[PCI.OpenSearch.1] Amazon OpenSearch Service domains should be in a VPC

[PCI.OpenSearch.2] OpenSearch domains should have encryption at rest enabled

[PCI.RDS.1] Amazon RDS snapshots should prohibit public access

[PCI.Redshift.1] Amazon Redshift clusters should prohibit public access

[PCI.SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access

[PCI.SSM.1] Amazon EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation

[PCI.SSM.2] Instances managed by Systems Manager should have an association compliance status of COMPLIANT

[PCI.SSM.3] EC2 instances should be managed by AWS Systems Manager

AWS Foundational Security Best Practices standard

[APIGateway.1] API Gateway REST and WebSocket API logging should be enabled

[APIGateway.2] API Gateway REST API stages should be configured to use SSL certificates for backend authentication

[APIGateway.3] API Gateway REST API stages should have AWS X-Ray tracing enabled

[APIGateway.4] API Gateway should be associated with an AWS WAF web ACL

[APIGateway.8] API Gateway routes should specify an authorization type

[APIGateway.9] Access logging should be configured for API Gateway V2 Stages

[AutoScaling.2] Amazon EC2 Auto Scaling group should cover multiple Availability Zones

[AutoScaling.3] Auto Scaling group should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2)

[AutoScaling.4] Auto Scaling group launch configuration should not have metadata response hop limit greater than 1

[Autoscaling.5] Amazon EC2 instances launched using Auto Scaling group launch configurations should not have Public IP addresses

[AutoScaling.6] Auto Scaling groups should use multiple instance types in multiple Availability Zones

[AutoScaling.9] EC2 Auto Scaling groups should use EC2 launch templates

[CloudFormation.1] CloudFormation stacks should be integrated with Simple Notification Service (SNS)

[CloudFront.1] CloudFront distributions should have a default root object configured

[CloudFront.2] CloudFront distributions should have origin access identity enabled

[CloudFront.3] CloudFront distributions should require encryption in transit

[CloudFront.4] CloudFront distributions should have origin failover configured

[CloudFront.5] CloudFront distributions should have logging enabled

[CloudFront.6] CloudFront distributions should have AWS WAF enabled

[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates

[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests

[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins

[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins

[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins

[CodeBuild.1] CodeBuild GitHub or Bitbucket source repository URLs should use OAuth

[CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials

[CodeBuild.3] CodeBuild S3 logs should be encrypted

[CodeBuild.4] CodeBuild project environments should have a logging configuration

[CodeBuild.5] CodeBuild project environments should not have privileged mode enabled

[DMS.1] AWS Database Migration Service replication instances should not be public

[DynamoDB.2] DynamoDB tables should have point-in-time recovery enabled

[DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest

[EC2.1] Amazon EBS snapshots should not be public, determined by the availability to be restorable by anyone

[EC2.2] The VPC default security group should not allow inbound and outbound traffic

[EC2.3] Attached EBS volumes should be encrypted at rest

[EC2.4] Stopped EC2 instances should be removed after a specified time period

[EC2.6] VPC flow logging should be enabled in all VPCs

[EC2.7] EBS default encryption should be enabled

[EC2.8] EC2 instances should use IMDSv2

[EC2.9] EC2 instances should not have a public IP address

[EC2.10] Amazon EC2 should be configured to use VPC endpoints that are created for the Amazon EC2 service

[EC2.15] EC2 subnets should not automatically assign public IP addresses

[EC2.16] Unused network access control lists should be removed

[EC2.17] EC2 instances should not use multiple ENIs

[EC2.18] Security groups should only allow unrestricted incoming traffic for authorized ports

[EC2.20] Both VPN tunnels for an AWS Site-to-Site VPN connection should be up

[EC2.22] Unused EC2 security groups should be removed

[EC2.24] Paravirtual EC2 instance types should not be used

[ECR.1] ECR private repositories should have image scanning configured

[ECR.2] ECR private repositories should have tag immutability configured

[ECR.3] ECR repositories should have at least one lifecycle policy configured

[ECS.3] ECS task definitions should not share the host's process namespace

[ECS.4] ECS containers should run as non-privileged

[ECS.5] ECS containers should be limited to read-only access to root filesystems

[ECS.8] Secrets should not be passed as container environment variables

[ECS.10] Fargate services should run on the latest Fargate platform version

[ECS.12] ECS clusters should have Container Insights enabled

[EFS.1] Amazon EFS should be configured to encrypt file data at rest using AWS KMS

[EFS.2] Amazon EFS volumes should be in backup plans

[EFS.3] EFS access points should enforce a root directory

[ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled

[ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled

[ELB.2] Classic Load Balancers with HTTPS/SSL listeners should use a certificate provided by AWS Certificate Manager

[ELB.3] Classic Load Balancer listeners should be configured with HTTPS or TLS termination

[ELB.4] Application load balancers should be configured to drop HTTP headers

[ELB.6] Application Load Balancer deletion protection should be enabled

[ELB.8] Classic Load Balancers with HTTPS/SSL listeners should use a predefined security policy that has strong configuration

[ELB.9] Classic Load Balancers should have cross-zone load balancing enabled

[ELB.10] Classic Load Balancers should span multiple Availability Zones

[ELB.12] Application Load Balancers should be configured with defensive or strictest desync mitigation mode

[ELB.13] Application, Network, and Gateway Load Balancers should span multiple Availability Zones

[ELBv2.1] Application Load Balancer should be configured to redirect all HTTP requests to HTTPS

[EMR.1] Amazon EMR cluster master nodes should not have public IP addresses

[ES.1] Elasticsearch domains should have encryption at rest enabled

[ES.2] Elasticsearch domains should be in a VPC

[ES.3] Elasticsearch domains should encrypt data sent between nodes

[GuardDuty.1] GuardDuty should be enabled

[IAM.4] IAM root user access key should not exist

[IAM.21] IAM customer managed policies that you create should not allow wildcard actions for services

[KMS.1] IAM customer managed policies should not allow decryption and re-encryption actions on all KMS keys

[KMS.2] IAM principals should not have IAM inline policies that allow decryption and re-encryption actions on all KMS keys

[Lambda.5] VPC Lambda functions should operate in more than one Availability Zone

[NetworkFirewall.3] Network Firewall policies should have at least one rule group associated

[NetworkFirewall.4] The default stateless action for Network Firewall policies should be drop or forward for full packets

[NetworkFirewall.5] The default stateless action for Network Firewall policies should be drop or forward for fragmented packets

[OpenSearch.1] OpenSearch domains should have encryption at rest enabled

[OpenSearch.2] OpenSearch domains should be in a VPC

[OpenSearch.3] OpenSearch domains should encrypt data sent between nodes

[OpenSearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled

[OpenSearch.5] OpenSearch domains should have audit logging enabled

[OpenSearch.6] OpenSearch domains should have at least three data nodes

[OpenSearch.7] OpenSearch domains should have fine-grained access control enabled

[OpenSearch.8] Connections to OpenSearch domains should be encrypted using TLS 1.2

[RDS.1] RDS snapshots should be private

[RDS.4] RDS cluster snapshots and database snapshots should be encrypted at rest

[RDS.6] Enhanced monitoring should be configured for RDS DB instances and clusters

[RDS.7] RDS clusters should have deletion protection enabled

[RDS.8] RDS DB instances should have deletion protection enabled

[RDS.9] Database logging should be enabled

[RDS.10] IAM authentication should be configured for RDS instances

[RDS.11] Amazon RDS instances should have automatic backups enabled

[RDS.12] IAM authentication should be configured for RDS clusters

[RDS.13] RDS automatic minor version upgrades should be enabled

[RDS.14] Amazon Aurora clusters should have backtracking enabled

[RDS.15] RDS DB clusters should be configured for multiple Availability Zones

[RDS.16] RDS DB clusters should be configured to copy tags to snapshots

[RDS.24] RDS database clusters should use a custom administrator username

[RDS.25] RDS database instances should use a custom administrator username

[Redshift.1] Amazon Redshift clusters should prohibit public access

[Redshift.2] Connections to Amazon Redshift clusters should be encrypted in transit

[Redshift.3] Amazon Redshift clusters should have automatic snapshots enabled

[Redshift.7] Amazon Redshift clusters should use enhanced VPC routing

[Redshift.8] Amazon Redshift clusters should not use the default Admin username

[Redshift.9] Redshift clusters should not use the default database name

[S3.8] S3 Block Public Access setting should be enabled at the bucket level

[S3.10] S3 buckets with versioning enabled should have lifecycle policies configured

[S3.11] S3 buckets should have event notifications enabled

[S3.12] S3 access control lists (ACLs) should not be used to manage user access to buckets

[S3.13] S3 buckets should have lifecycle policies configured

[SageMaker.1] SageMaker notebook instances should not have direct internet access

[SageMaker.2] SageMaker notebook instances should be launched in a custom VPC

[SageMaker.3] Users should not have root access to SageMaker notebook instances

[SecretsManager.1] Secrets Manager secrets should have automatic rotation enabled

[SecretsManager.2] Secrets Manager secrets configured with automatic rotation should rotate successfully

[SecretsManager.3] Remove unused Secrets Manager secrets

[SecretsManager.4] Secrets Manager secrets should be rotated within a specified number of days

[SNS.1] SNS topics should be encrypted at rest using AWS KMS

[SNS.2] Logging of delivery status should be enabled for notification messages sent to a topic

[SQS.1] Amazon SQS queues should be encrypted at rest

[SSM.1] EC2 instances should be managed by AWS Systems Manager

[SSM.2] All EC2 instances managed by Systems Manager should be compliant with patching requirements

[SSM.3] Instances managed by Systems Manager should have an association compliance status of COMPLIANT

[WAF.1] AWS WAF Classic global web ACL logging should be enabled

[WAF.2] A WAF Regional rule should have at least one condition

[WAF.3] A WAF Regional rule group should have at least one rule

[WAF.4] A WAF Classic Regional web ACL should have at least one rule or rule group

[WAF.6] A WAF global rule should have at least one condition

[WAF.7] A WAF global rule group should have at least one rule

[WAF.8] A WAF global web ACL should have at least one rule or rule group

[WAF.10] A WAFV2 web ACL should have at least one rule or rule group

Asia Pacific (Mumbai)

The following controls are not supported in Asia Pacific (Mumbai).

Asia Pacific (Osaka)

The following controls are not supported in Asia Pacific (Osaka).

CIS AWS Foundations Benchmark v1.2.0

1.12 – Ensure no root user access key exists

1.20 – Ensure a support role has been created to manage incidents with AWS Support

4.1 – Ensure no security groups allow ingress from 0.0.0.0/0 to port 22

4.2 – Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389

CIS AWS Foundations Benchmark v1.4.0

1.4 – Ensure no root user account access key exists

1.17 – Ensure a support role has been created to manage incidents with AWS Support

2.2.1 – Ensure EBS volume encryption is enabled

2.1.5.2 – S3 Block Public Access setting should be enabled at the bucket level

Payment Card Industry Data Security Standard (PCI DSS)

[PCI.CodeBuild.1] CodeBuild GitHub or Bitbucket source repository URLs should use OAuth

[PCI.CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials

[PCI.DMS.1] AWS Database Migration Service replication instances should not be public

[PCI.EC2.1] Amazon EBS snapshots should not be publicly restorable

[PCI.EC2.5] Security groups should not allow ingress from 0.0.0.0/0 to port 22

[PCI.ELBV2.1] Application Load Balancer should be configured to redirect all HTTP requests to HTTPS

[PCI.ES.1] Elasticsearch domains should be in a VPC

[PCI.ES.2] Elasticsearch domains should have encryption at rest enabled

[PCI.GuardDuty.1] GuardDuty should be enabled

[PCI.IAM.1] IAM root user access key should not exist

[PCI.Lambda.1] Lambda functions should prohibit public access

[PCI.Lambda.2] Lambda functions should be in a VPC

[PCI.RDS.1] Amazon RDS snapshots should prohibit public access

[PCI.Redshift.1] Amazon Redshift clusters should prohibit public access

[PCI.S3.6] S3 Block Public Access setting should be enabled

[PCI.SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access

[PCI.SSM.1] Amazon EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation

[PCI.SSM.2] Instances managed by Systems Manager should have an association compliance status of COMPLIANT

AWS Foundational Security Best Practices standard

[APIGateway.2] API Gateway REST API stages should be configured to use SSL certificates for backend authentication

[APIGateway.3] API Gateway REST API stages should have AWS X-Ray tracing enabled

[APIGateway.4] API Gateway should be associated with an AWS WAF web ACL

[Autoscaling.5] Amazon EC2 instances launched using Auto Scaling group launch configurations should not have Public IP addresses

[CloudFormation.1] CloudFormation stacks should be integrated with Simple Notification Service (SNS)

[CloudFront.1] CloudFront distributions should have a default root object configured

[CloudFront.2] CloudFront distributions should have origin access identity enabled

[CloudFront.3] CloudFront distributions should require encryption in transit

[CloudFront.4] CloudFront distributions should have origin failover configured

[CloudFront.5] CloudFront distributions should have logging enabled

[CloudFront.6] CloudFront distributions should have AWS WAF enabled

[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates

[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests

[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins

[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins

[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins

[CodeBuild.3] CodeBuild S3 logs should be encrypted

[CodeBuild.4] CodeBuild project environments should have a logging configuration

[CodeBuild.5] CodeBuild project environments should not have privileged mode enabled

[EC2.15] EC2 subnets should not automatically assign public IP addresses

[EC2.16] Unused network access control lists should be removed

[EC2.17] EC2 instances should not use multiple ENIs

[EC2.18] Security groups should only allow unrestricted incoming traffic for authorized ports

[EC2.20] Both VPN tunnels for an AWS Site-to-Site VPN connection should be up

[EC2.22] Unused EC2 security groups should be removed

[EC2.23] EC2 Transit Gateways should not automatically accept VPC attachment requests

[EC2.24] Paravirtual EC2 instance types should not be used

[ECR.1] ECR private repositories should have image scanning configured

[ECR.2] ECR private repositories should have tag immutability configured

[ECS.1] Amazon ECS task definitions should have secure networking modes and user definitions

[ECS.2] Amazon ECS services should not have public IP addresses assigned to them automatically

[ECS.3] ECS task definitions should not share the host's process namespace

[ECS.4] ECS containers should run as non-privileged

[ECS.8] Secrets should not be passed as container environment variables

[ECS.10] Fargate services should run on the latest Fargate platform version

[ECS.12] ECS clusters should have Container Insights enabled

[EFS.4] EFS access points should enforce a user identity

[EKS.2] EKS clusters should run on a supported Kubernetes version

[ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled

[ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled

[ELB.2] Classic Load Balancers with HTTPS/SSL listeners should use a certificate provided by AWS Certificate Manager

[ELB.4] Application load balancers should be configured to drop HTTP headers

[ELB.8] Classic Load Balancers with HTTPS/SSL listeners should use a predefined security policy that has strong configuration

[ELB.9] Classic Load Balancers should have cross-zone load balancing enabled

[IAM.4] IAM root user access key should not exist

[IAM.21] IAM customer managed policies that you create should not allow wildcard actions for services

[KMS.1] IAM customer managed policies should not allow decryption and re-encryption actions on all KMS keys

[KMS.2] IAM principals should not have IAM inline policies that allow decryption and re-encryption actions on all KMS keys

[KMS.3] AWS KMS keys should not be unintentionally deleted

[Lambda.2] Lambda functions should use supported runtimes

[Lambda.5] VPC Lambda functions should operate in more than one Availability Zone

[OpenSearch.1] OpenSearch domains should have encryption at rest enabled

[OpenSearch.2] OpenSearch domains should be in a VPC

[OpenSearch.3] OpenSearch domains should encrypt data sent between nodes

[OpenSearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled

[OpenSearch.5] OpenSearch domains should have audit logging enabled

[OpenSearch.6] OpenSearch domains should have at least three data nodes

[OpenSearch.7] OpenSearch domains should have fine-grained access control enabled

[OpenSearch.8] Connections to OpenSearch domains should be encrypted using TLS 1.2

[RDS.9] Database logging should be enabled

[RDS.10] IAM authentication should be configured for RDS instances

[RDS.12] IAM authentication should be configured for RDS clusters

[RDS.13] RDS automatic minor version upgrades should be enabled

[RDS.14] Amazon Aurora clusters should have backtracking enabled

[RDS.15] RDS DB clusters should be configured for multiple Availability Zones

[Redshift.3] Amazon Redshift clusters should have automatic snapshots enabled

[Redshift.7] Amazon Redshift clusters should use enhanced VPC routing

[S3.8] S3 Block Public Access setting should be enabled at the bucket level

[SecretsManager.1] Secrets Manager secrets should have automatic rotation enabled

[SecretsManager.3] Remove unused Secrets Manager secrets

[SecretsManager.4] Secrets Manager secrets should be rotated within a specified number of days

[WAF.1] AWS WAF Classic global web ACL logging should be enabled

[WAF.3] A WAF Regional rule group should have at least one rule

[WAF.6] A WAF global rule should have at least one condition

[WAF.7] A WAF global rule group should have at least one rule

[WAF.8] A WAF global web ACL should have at least one rule or rule group

[WAF.10] A WAFV2 web ACL should have at least one rule or rule group

Asia Pacific (Seoul)

The following controls are not supported in Asia Pacific (Seoul).

Asia Pacific (Singapore)

The following controls are not supported in Asia Pacific (Singapore).

Asia Pacific (Sydney)

The following controls are not supported in Asia Pacific (Sydney).

Asia Pacific (Tokyo)

The following controls are not supported in Asia Pacific (Tokyo).

Canada (Central)

The following controls are not supported in Canada (Central).

China (Beijing)

The following controls are not supported in China (Beijing).

CIS AWS Foundations Benchmark v1.2.0

1.13 – Ensure MFA is enabled for the root user

1.14 – Ensure hardware MFA is enabled for the root user

CIS AWS Foundations Benchmark v1.4.0

1.5 – Ensure MFA is enabled for the root user account

1.6 – Ensure hardware MFA is enabled for the root user account

2.1.5.1 – S3 Block Public Access setting should be enabled

2.1.5.2 – S3 Block Public Access setting should be enabled at the bucket level

5.1 – Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports

Payment Card Industry Data Security Standard (PCI DSS)

[PCI.GuardDuty.1] GuardDuty should be enabled

[PCI.IAM.4] Hardware MFA should be enabled for the root user

[PCI.IAM.5] Virtual MFA should be enabled for the root user

[PCI.Lambda.1] Lambda functions should prohibit public access

[PCI.Lambda.2] Lambda functions should be in a VPC

[PCI.SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access

AWS Foundational Security Best Practices standard

[Account.1] Security contact information should be provided for an AWS account

[ACM.1] Imported and ACM-issued certificates should be renewed after a specified time period

[APIGateway.2] API Gateway REST API stages should be configured to use SSL certificates for backend authentication

[APIGateway.3] API Gateway REST API stages should have AWS X-Ray tracing enabled

[APIGateway.4] API Gateway should be associated with an AWS WAF web ACL

[APIGateway.8] API Gateway routes should specify an authorization type

[APIGateway.9] Access logging should be configured for API Gateway V2 Stages

[AutoScaling.2] Amazon EC2 Auto Scaling group should cover multiple Availability Zones

[AutoScaling.3] Auto Scaling group should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2)

[AutoScaling.4] Auto Scaling group launch configuration should not have metadata response hop limit greater than 1

[AutoScaling.6] Auto Scaling groups should use multiple instance types in multiple Availability Zones

[AutoScaling.9] EC2 Auto Scaling groups should use EC2 launch templates

[CloudFormation.1] CloudFormation stacks should be integrated with Simple Notification Service (SNS)

[CloudFront.1] CloudFront distributions should have a default root object configured

[CloudFront.2] CloudFront distributions should have origin access identity enabled

[CloudFront.3] CloudFront distributions should require encryption in transit

[CloudFront.4] CloudFront distributions should have origin failover configured

[CloudFront.5] CloudFront distributions should have logging enabled

[CloudFront.6] CloudFront distributions should have AWS WAF enabled

[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates

[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests

[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins

[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins

[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins

[CodeBuild.3] CodeBuild S3 logs should be encrypted

[CodeBuild.4] CodeBuild project environments should have a logging configuration

[CodeBuild.5] CodeBuild project environments should not have privileged mode enabled

[EC2.15] EC2 subnets should not automatically assign public IP addresses

[EC2.16] Unused network access control lists should be removed

[EC2.20] Both VPN tunnels for an AWS Site-to-Site VPN connection should be up

[EC2.21] Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389

[EC2.22] Unused EC2 security groups should be removed

[EC2.23] EC2 Transit Gateways should not automatically accept VPC attachment requests

[EC2.24] Paravirtual EC2 instance types should not be used

[EC2.25] EC2 launch templates should not assign public IPs to network interfaces

[ECR.1] ECR private repositories should have image scanning configured

[ECR.2] ECR private repositories should have tag immutability configured

[ECR.3] ECR repositories should have at least one lifecycle policy configured

[ECS.1] Amazon ECS task definitions should have secure networking modes and user definitions

[ECS.3] ECS task definitions should not share the host's process namespace

[ECS.4] ECS containers should run as non-privileged

[ECS.5] ECS containers should be limited to read-only access to root filesystems

[ECS.8] Secrets should not be passed as container environment variables

[ECS.10] Fargate services should run on the latest Fargate platform version

[ECS.12] ECS clusters should have Container Insights enabled

[EFS.3] EFS access points should enforce a root directory

[EFS.4] EFS access points should enforce a user identity

[EKS.2] EKS clusters should run on a supported Kubernetes version

[ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled

[ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled

[ELB.2] Classic Load Balancers with HTTPS/SSL listeners should use a certificate provided by AWS Certificate Manager

[ELB.10] Classic Load Balancers should span multiple Availability Zones

[ELB.12] Application Load Balancers should be configured with defensive or strictest desync mitigation mode

[ELB.13] Application, Network, and Gateway Load Balancers should span multiple Availability Zones

[ELB.14] Classic Load Balancers should be configured with defensive or strictest desync mitigation mode

[ES.3] Elasticsearch domains should encrypt data sent between nodes

[ES.4] Elasticsearch domain error logging to CloudWatch Logs should be enabled

[GuardDuty.1] GuardDuty should be enabled

[IAM.6] Hardware MFA should be enabled for the root user

[IAM.21] IAM customer managed policies that you create should not allow wildcard actions for services

[Kinesis.1] Kinesis Data Streams should be encrypted at rest

[Lambda.1] Lambda function policies should prohibit public access

[Lambda.2] Lambda functions should use supported runtimes

[Lambda.5] VPC Lambda functions should operate in more than one Availability Zone

[NetworkFirewall.3] Network Firewall policies should have at least one rule group associated

[NetworkFirewall.4] The default stateless action for Network Firewall policies should be drop or forward for full packets

[NetworkFirewall.5] The default stateless action for Network Firewall policies should be drop or forward for fragmented packets

[OpenSearch.1] OpenSearch domains should have encryption at rest enabled

[OpenSearch.2] OpenSearch domains should be in a VPC

[OpenSearch.3] OpenSearch domains should encrypt data sent between nodes

[OpenSearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled

[OpenSearch.5] OpenSearch domains should have audit logging enabled

[OpenSearch.6] OpenSearch domains should have at least three data nodes

[OpenSearch.7] OpenSearch domains should have fine-grained access control enabled

[OpenSearch.8] Connections to OpenSearch domains should be encrypted using TLS 1.2

[RDS.7] RDS clusters should have deletion protection enabled

[RDS.10] IAM authentication should be configured for RDS instances

[RDS.12] IAM authentication should be configured for RDS clusters

[RDS.13] RDS automatic minor version upgrades should be enabled

[RDS.14] Amazon Aurora clusters should have backtracking enabled

[RDS.15] RDS DB clusters should be configured for multiple Availability Zones

[RDS.16] RDS DB clusters should be configured to copy tags to snapshots

[RDS.24] RDS database clusters should use a custom administrator username

[RDS.25] RDS database instances should use a custom administrator username

[Redshift.7] Amazon Redshift clusters should use enhanced VPC routing

[Redshift.8] Amazon Redshift clusters should not use the default Admin username

[Redshift.9] Redshift clusters should not use the default database name

[S3.1] S3 Block Public Access setting should be enabled

[S3.8] S3 Block Public Access setting should be enabled at the bucket level

[S3.11] S3 buckets should have event notifications enabled

[S3.12] S3 access control lists (ACLs) should not be used to manage user access to buckets

[S3.13] S3 buckets should have lifecycle policies configured

[SageMaker.1] SageMaker notebook instances should not have direct internet access

[SageMaker.2] SageMaker notebook instances should be launched in a custom VPC

[SageMaker.3] Users should not have root access to SageMaker notebook instances

[SecretsManager.3] Remove unused Secrets Manager secrets

[SecretsManager.4] Secrets Manager secrets should be rotated within a specified number of days

[SNS.2] Logging of delivery status should be enabled for notification messages sent to a topic

[WAF.1] AWS WAF Classic global web ACL logging should be enabled

[WAF.2] A WAF Regional rule should have at least one condition

[WAF.3] A WAF Regional rule group should have at least one rule

[WAF.4] A WAF Classic Regional web ACL should have at least one rule or rule group

[WAF.6] A WAF global rule should have at least one condition

[WAF.7] A WAF global rule group should have at least one rule

[WAF.8] A WAF global web ACL should have at least one rule or rule group

[WAF.10] A WAFV2 web ACL should have at least one rule or rule group

China (Ningxia)

The following controls are not supported in China (Ningxia).

CIS AWS Foundations Benchmark v1.2.0

1.13 – Ensure MFA is enabled for the root user

1.14 – Ensure hardware MFA is enabled for the root user

CIS AWS Foundations Benchmark v1.4.0

1.5 – Ensure MFA is enabled for the root user account

1.6 – Ensure hardware MFA is enabled for the root user account

2.1.5.1 – S3 Block Public Access setting should be enabled

2.1.5.2 – S3 Block Public Access setting should be enabled at the bucket level

5.1 – Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports

Payment Card Industry Data Security Standard (PCI DSS)

[PCI.GuardDuty.1] GuardDuty should be enabled

[PCI.IAM.4] Hardware MFA should be enabled for the root user

[PCI.IAM.5] Virtual MFA should be enabled for the root user

[PCI.Lambda.1] Lambda functions should prohibit public access

[PCI.Lambda.2] Lambda functions should be in a VPC

[PCI.SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access

AWS Foundational Security Best Practices standard

[Account.1] Security contact information should be provided for an AWS account

[ACM.1] Imported and ACM-issued certificates should be renewed after a specified time period

[APIGateway.2] API Gateway REST API stages should be configured to use SSL certificates for backend authentication

[APIGateway.3] API Gateway REST API stages should have AWS X-Ray tracing enabled

[APIGateway.4] API Gateway should be associated with an AWS WAF web ACL

[APIGateway.8] API Gateway routes should specify an authorization type

[APIGateway.9] Access logging should be configured for API Gateway V2 Stages

[AutoScaling.2] Amazon EC2 Auto Scaling group should cover multiple Availability Zones

[AutoScaling.3] Auto Scaling group should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2)

[AutoScaling.4] Auto Scaling group launch configuration should not have metadata response hop limit greater than 1

[AutoScaling.6] Auto Scaling groups should use multiple instance types in multiple Availability Zones

[AutoScaling.9] EC2 Auto Scaling groups should use EC2 launch templates

[CloudFormation.1] CloudFormation stacks should be integrated with Simple Notification Service (SNS)

[CloudFront.1] CloudFront distributions should have a default root object configured

[CloudFront.2] CloudFront distributions should have origin access identity enabled

[CloudFront.3] CloudFront distributions should require encryption in transit

[CloudFront.4] CloudFront distributions should have origin failover configured

[CloudFront.5] CloudFront distributions should have logging enabled

[CloudFront.6] CloudFront distributions should have AWS WAF enabled

[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates

[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests

[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins

[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins

[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins

[CodeBuild.3] CodeBuild S3 logs should be encrypted

[CodeBuild.4] CodeBuild project environments should have a logging configuration

[CodeBuild.5] CodeBuild project environments should not have privileged mode enabled

[EC2.15] EC2 subnets should not automatically assign public IP addresses

[EC2.16] Unused network access control lists should be removed

[EC2.20] Both VPN tunnels for an AWS Site-to-Site VPN connection should be up

[EC2.21] Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389

[EC2.22] Unused EC2 security groups should be removed

[EC2.23] EC2 Transit Gateways should not automatically accept VPC attachment requests

[EC2.24] Paravirtual EC2 instance types should not be used

[EC2.25] EC2 launch templates should not assign public IPs to network interfaces

[ECR.1] ECR private repositories should have image scanning configured

[ECR.2] ECR private repositories should have tag immutability configured

[ECR.3] ECR repositories should have at least one lifecycle policy configured

[ECS.1] Amazon ECS task definitions should have secure networking modes and user definitions

[ECS.3] ECS task definitions should not share the host's process namespace

[ECS.4] ECS containers should run as non-privileged

[ECS.5] ECS containers should be limited to read-only access to root filesystems

[ECS.8] Secrets should not be passed as container environment variables

[ECS.10] Fargate services should run on the latest Fargate platform version

[ECS.12] ECS clusters should have Container Insights enabled

[EFS.3] EFS access points should enforce a root directory

[EFS.4] EFS access points should enforce a user identity

[EKS.2] EKS clusters should run on a supported Kubernetes version

[ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled

[ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled

[ELB.2] Classic Load Balancers with HTTPS/SSL listeners should use a certificate provided by AWS Certificate Manager

[ELB.10] Classic Load Balancers should span multiple Availability Zones

[ELB.12] Application Load Balancers should be configured with defensive or strictest desync mitigation mode

[ELB.13] Application, Network, and Gateway Load Balancers should span multiple Availability Zones

[ELB.14] Classic Load Balancers should be configured with defensive or strictest desync mitigation mode

[ES.3] Elasticsearch domains should encrypt data sent between nodes

[ES.4] Elasticsearch domain error logging to CloudWatch Logs should be enabled

[GuardDuty.1] GuardDuty should be enabled

[IAM.6] Hardware MFA should be enabled for the root user

[IAM.21] IAM customer managed policies that you create should not allow wildcard actions for services

[Kinesis.1] Kinesis Data Streams should be encrypted at rest

[Lambda.1] Lambda function policies should prohibit public access

[Lambda.2] Lambda functions should use supported runtimes

[Lambda.5] VPC Lambda functions should operate in more than one Availability Zone

[NetworkFirewall.3] Network Firewall policies should have at least one rule group associated

[NetworkFirewall.4] The default stateless action for Network Firewall policies should be drop or forward for full packets

[NetworkFirewall.5] The default stateless action for Network Firewall policies should be drop or forward for fragmented packets

[OpenSearch.1] OpenSearch domains should have encryption at rest enabled

[OpenSearch.2] OpenSearch domains should be in a VPC

[OpenSearch.3] OpenSearch domains should encrypt data sent between nodes

[OpenSearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled

[OpenSearch.5] OpenSearch domains should have audit logging enabled

[OpenSearch.6] OpenSearch domains should have at least three data nodes

[OpenSearch.7] OpenSearch domains should have fine-grained access control enabled

[OpenSearch.8] Connections to OpenSearch domains should be encrypted using TLS 1.2

[RDS.7] RDS clusters should have deletion protection enabled

[RDS.9] Database logging should be enabled

[RDS.10] IAM authentication should be configured for RDS instances

[RDS.12] IAM authentication should be configured for RDS clusters

[RDS.13] RDS automatic minor version upgrades should be enabled

[RDS.14] Amazon Aurora clusters should have backtracking enabled

[RDS.15] RDS DB clusters should be configured for multiple Availability Zones

[RDS.24] RDS database clusters should use a custom administrator username

[RDS.25] RDS database instances should use a custom administrator username

[Redshift.3] Amazon Redshift clusters should have automatic snapshots enabled

[Redshift.7] Amazon Redshift clusters should use enhanced VPC routing

[Redshift.8] Amazon Redshift clusters should not use the default Admin username

[Redshift.9] Redshift clusters should not use the default database name

[S3.1] S3 Block Public Access setting should be enabled

[S3.8] S3 Block Public Access setting should be enabled at the bucket level

[S3.11] S3 buckets should have event notifications enabled

[S3.12] S3 access control lists (ACLs) should not be used to manage user access to buckets

[S3.13] S3 buckets should have lifecycle policies configured

[SageMaker.1] SageMaker notebook instances should not have direct internet access

[SageMaker.2] SageMaker notebook instances should be launched in a custom VPC

[SageMaker.3] Users should not have root access to SageMaker notebook instances

[SecretsManager.3] Remove unused Secrets Manager secrets

[SecretsManager.4] Secrets Manager secrets should be rotated within a specified number of days

[SNS.2] Logging of delivery status should be enabled for notification messages sent to a topic

[WAF.1] AWS WAF Classic global web ACL logging should be enabled

[WAF.2] A WAF Regional rule should have at least one condition

[WAF.3] A WAF Regional rule group should have at least one rule

[WAF.4] A WAF Classic Regional web ACL should have at least one rule or rule group

[WAF.6] A WAF global rule should have at least one condition

[WAF.7] A WAF global rule group should have at least one rule

[WAF.8] A WAF global web ACL should have at least one rule or rule group

Europe (Frankfurt)

The following controls are not supported in Europe (Frankfurt).

Europe (Ireland)

The following controls are not supported in Europe (Ireland).

Europe (London)

The following controls are not supported in Europe (London).

Europe (Milan)

The following controls are not supported in Europe (Milan).

CIS AWS Foundations Benchmark v1.2.0

1.4 – Ensure access keys are rotated every 90 days or less

1.20 – Ensure a support role has been created to manage incidents with AWS Support

4.1 – Ensure no security groups allow ingress from 0.0.0.0/0 to port 22

4.2 – Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389

CIS AWS Foundations Benchmark v1.4.0

1.14 – Ensure access keys are rotated every 90 days or less

1.17 – Ensure a support role has been created to manage incidents with AWS Support

Payment Card Industry Data Security Standard (PCI DSS)

[PCI.CodeBuild.1] CodeBuild GitHub or Bitbucket source repository URLs should use OAuth

[PCI.CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials

[PCI.DMS.1] AWS Database Migration Service replication instances should not be public

[PCI.EC2.1] Amazon EBS snapshots should not be publicly restorable

[PCI.EC2.4] Unused EC2 EIPs should be removed

[PCI.EC2.5] Security groups should not allow ingress from 0.0.0.0/0 to port 22

[PCI.ELBV2.1] Application Load Balancer should be configured to redirect all HTTP requests to HTTPS

[PCI.GuardDuty.1] GuardDuty should be enabled

[PCI.RDS.1] Amazon RDS snapshots should prohibit public access

[PCI.S3.6] S3 Block Public Access setting should be enabled

[PCI.SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access

[PCI.SSM.1] Amazon EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation

[PCI.SSM.2] Instances managed by Systems Manager should have an association compliance status of COMPLIANT

AWS Foundational Security Best Practices standard

[ACM.1] Imported and ACM-issued certificates should be renewed after a specified time period

[APIGateway.1] API Gateway REST and WebSocket API logging should be enabled

[CloudFormation.1] CloudFormation stacks should be integrated with Simple Notification Service (SNS)

[CloudFront.1] CloudFront distributions should have a default root object configured

[CloudFront.2] CloudFront distributions should have origin access identity enabled

[CloudFront.3] CloudFront distributions should require encryption in transit

[CloudFront.4] CloudFront distributions should have origin failover configured

[CloudFront.5] CloudFront distributions should have logging enabled

[CloudFront.6] CloudFront distributions should have AWS WAF enabled

[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates

[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests

[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins

[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins

[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins

[CodeBuild.1] CodeBuild GitHub or Bitbucket source repository URLs should use OAuth

[CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials

[DMS.1] AWS Database Migration Service replication instances should not be public

[EC2.1] Amazon EBS snapshots should not be public, determined by the availability to be restorable by anyone

[EC2.3] Attached EBS volumes should be encrypted at rest

[EC2.4] Stopped EC2 instances should be removed after a specified time period

[EC2.8] EC2 instances should use IMDSv2

[EC2.24] Paravirtual EC2 instance types should not be used

[EFS.1] Amazon EFS should be configured to encrypt file data at rest using AWS KMS

[EFS.2] Amazon EFS volumes should be in backup plans

[ELB.2] Classic Load Balancers with HTTPS/SSL listeners should use a certificate provided by AWS Certificate Manager

[ELB.4] Application load balancers should be configured to drop HTTP headers

[ELB.8] Classic Load Balancers with HTTPS/SSL listeners should use a predefined security policy that has strong configuration

[ELBv2.1] Application Load Balancer should be configured to redirect all HTTP requests to HTTPS

[EMR.1] Amazon EMR cluster master nodes should not have public IP addresses

[ES.3] Elasticsearch domains should encrypt data sent between nodes

[GuardDuty.1] GuardDuty should be enabled

[IAM.3] IAM users' access keys should be rotated every 90 days or less

[KMS.3] AWS KMS keys should not be unintentionally deleted

[OpenSearch.1] OpenSearch domains should have encryption at rest enabled

[OpenSearch.2] OpenSearch domains should be in a VPC

[OpenSearch.3] OpenSearch domains should encrypt data sent between nodes

[OpenSearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled

[OpenSearch.5] OpenSearch domains should have audit logging enabled

[OpenSearch.6] OpenSearch domains should have at least three data nodes

[OpenSearch.7] OpenSearch domains should have fine-grained access control enabled

[OpenSearch.8] Connections to OpenSearch domains should be encrypted using TLS 1.2

[RDS.1] RDS snapshots should be private

[RDS.9] Database logging should be enabled

[RDS.14] Amazon Aurora clusters should have backtracking enabled

[Redshift.2] Connections to Amazon Redshift clusters should be encrypted in transit

[Redshift.3] Amazon Redshift clusters should have automatic snapshots enabled

[SageMaker.1] SageMaker notebook instances should not have direct internet access

[SSM.2] All EC2 instances managed by Systems Manager should be compliant with patching requirements

[SSM.3] Instances managed by Systems Manager should have an association compliance status of COMPLIANT

[WAF.1] AWS WAF Classic global web ACL logging should be enabled

[WAF.6] A WAF global rule should have at least one condition

[WAF.7] A WAF global rule group should have at least one rule

[WAF.8] A WAF global web ACL should have at least one rule or rule group

Europe (Paris)

The following controls are not supported in Europe (Paris).

Europe (Stockholm)

The following controls are not supported in Europe (Stockholm).

Middle East (Bahrain)

The following controls are not supported in Middle East (Bahrain).

Payment Card Industry Data Security Standard (PCI DSS)

[PCI.GuardDuty.1] GuardDuty should be enabled

[PCI.S3.6] S3 Block Public Access setting should be enabled

AWS Foundational Security Best Practices standard

[CloudFormation.1] CloudFormation stacks should be integrated with Simple Notification Service (SNS)

[CloudFront.1] CloudFront distributions should have a default root object configured

[CloudFront.2] CloudFront distributions should have origin access identity enabled

[CloudFront.3] CloudFront distributions should require encryption in transit

[CloudFront.4] CloudFront distributions should have origin failover configured

[CloudFront.5] CloudFront distributions should have logging enabled

[CloudFront.6] CloudFront distributions should have AWS WAF enabled

[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates

[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests

[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins

[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins

[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins

[EC2.20] Both VPN tunnels for an AWS Site-to-Site VPN connection should be up

[EC2.23] EC2 Transit Gateways should not automatically accept VPC attachment requests

[EC2.24] Paravirtual EC2 instance types should not be used

[GuardDuty.1] GuardDuty should be enabled

[RDS.7] RDS clusters should have deletion protection enabled

[RDS.12] IAM authentication should be configured for RDS clusters

[RDS.14] Amazon Aurora clusters should have backtracking enabled

[RDS.15] RDS DB clusters should be configured for multiple Availability Zones

[RDS.16] RDS DB clusters should be configured to copy tags to snapshots

[RDS.24] RDS database clusters should use a custom administrator username

[Redshift.6] Amazon Redshift should have automatic upgrades to major versions enabled

[SSM.2] All EC2 instances managed by Systems Manager should be compliant with patching requirements

[WAF.1] AWS WAF Classic global web ACL logging should be enabled

[WAF.6] A WAF global rule should have at least one condition

[WAF.7] A WAF global rule group should have at least one rule

[WAF.8] A WAF global web ACL should have at least one rule or rule group

Middle East (UAE)

The following controls are not supported in Middle East (UAE).

CIS AWS Foundations Benchmark v1.2.0

1.13 – Ensure MFA is enabled for the root user

1.14 – Ensure hardware MFA is enabled for the root user

1.16 – Ensure IAM policies are attached only to groups or roles

1.2 – Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password

1.20 – Ensure a support role has been created to manage incidents with AWS Support

1.22 – Ensure IAM policies that allow full "*:*" administrative privileges are not created

1.3 – Ensure credentials unused for 90 days or greater are disabled

1.4 – Ensure access keys are rotated every 90 days or less

2.1 – Ensure CloudTrail is enabled in all Regions

2.3 – Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible

2.8 – Ensure rotation for customer-created KMS keys is enabled

2.9 – Ensure VPC flow logging is enabled in all VPCs

4.1 – Ensure no security groups allow ingress from 0.0.0.0/0 to port 22

4.2 – Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389

CIS AWS Foundations Benchmark v1.4.0

1.10 – Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password

1.12 – Ensure credentials unused for 45 days or greater are disabled

1.14 – Ensure access keys are rotated every 90 days or less

1.16 – Ensure IAM policies that allow full "*:*" administrative privileges are not attached

1.17 – Ensure a support role has been created to manage incidents with AWS Support

1.5 – Ensure MFA is enabled for the root user account

1.6 – Ensure hardware MFA is enabled for the root user account

2.1.1 – Ensure all S3 buckets employ encryption-at-rest

2.1.2 – Ensure S3 Bucket Policy is set to deny HTTP requests

2.2.1 – Ensure EBS volume encryption is enabled

2.3.1 – Ensure that encryption is enabled for RDS instances

3.1 – Ensure CloudTrail is enabled in all Regions

3.3 – Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible

3.8 – Ensure rotation for customer-created KMS keys is enabled

3.9 – Ensure VPC flow logging is enabled in all VPCs

Payment Card Industry Data Security Standard (PCI DSS)

[PCI.AutoScaling.1] Auto Scaling groups associated with a load balancer should use health checks

[PCI.CodeBuild.1] CodeBuild GitHub or Bitbucket source repository URLs should use OAuth

[PCI.CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials

[PCI.DMS.1] AWS Database Migration Service replication instances should not be public

[PCI.EC2.1] Amazon EBS snapshots should not be publicly restorable

[PCI.EC2.2] VPC default security group should prohibit inbound and outbound traffic

[PCI.EC2.4] Unused EC2 EIPs should be removed

[PCI.EC2.5] Security groups should not allow ingress from 0.0.0.0/0 to port 22

[PCI.EC2.6] VPC flow logging should be enabled in all VPCs

[PCI.ELBV2.1] Application Load Balancer should be configured to redirect all HTTP requests to HTTPS

[PCI.GuardDuty.1] GuardDuty should be enabled

[PCI.IAM.1] IAM root user access key should not exist

[PCI.IAM.2] IAM users should not have IAM policies attached

[PCI.IAM.3] IAM policies should not allow full "*" administrative privileges

[PCI.IAM.4] Hardware MFA should be enabled for the root user

[PCI.IAM.5] Virtual MFA should be enabled for the root user

[PCI.IAM.6] MFA should be enabled for all IAM users

[PCI.IAM.7] IAM user credentials should be disabled if not used within a predefined number of days

[PCI.KMS.1] KMS key rotation should be enabled

[PCI.OpenSearch.1] Amazon OpenSearch Service domains should be in a VPC

[PCI.OpenSearch.2] OpenSearch domains should have encryption at rest enabled

[PCI.S3.1] S3 buckets should prohibit public write access

[PCI.S3.2] S3 buckets should prohibit public read access

[PCI.S3.3] S3 buckets should have cross-region replication enabled

[PCI.S3.4] S3 buckets should have server-side encryption enabled

[PCI.S3.5] S3 buckets should require requests to use Secure Socket Layer

[PCI.SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access

[PCI.SSM.1] Amazon EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation

[PCI.SSM.2] Instances managed by Systems Manager should have an association compliance status of COMPLIANT

[PCI.SSM.3] EC2 instances should be managed by AWS Systems Manager

AWS Foundational Security Best Practices standard

[APIGateway.1] API Gateway REST and WebSocket API logging should be enabled

[APIGateway.3] API Gateway REST API stages should have AWS X-Ray tracing enabled

[APIGateway.8] API Gateway routes should specify an authorization type

[APIGateway.9] Access logging should be configured for API Gateway V2 Stages

[AutoScaling.1] Auto Scaling groups associated with a Classic Load Balancer should use load balancer health checks

[CloudFormation.1] CloudFormation stacks should be integrated with Simple Notification Service (SNS)

[CloudFront.1] CloudFront distributions should have a default root object configured

[CloudFront.2] CloudFront distributions should have origin access identity enabled

[CloudFront.3] CloudFront distributions should require encryption in transit

[CloudFront.4] CloudFront distributions should have origin failover configured

[CloudFront.5] CloudFront distributions should have logging enabled

[CloudFront.6] CloudFront distributions should have AWS WAF enabled

[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates

[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests

[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins

[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins

[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins

[CloudTrail.1] CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events

[CodeBuild.1] CodeBuild GitHub or Bitbucket source repository URLs should use OAuth

[CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials

[CodeBuild.3] CodeBuild S3 logs should be encrypted

[CodeBuild.4] CodeBuild project environments should have a logging configuration

[CodeBuild.5] CodeBuild project environments should not have privileged mode enabled

[DMS.1] AWS Database Migration Service replication instances should not be public

[DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest

[EC2.1] Amazon EBS snapshots should not be public, determined by the availability to be restorable by anyone

[EC2.3] Attached EBS volumes should be encrypted at rest

[EC2.4] Stopped EC2 instances should be removed after a specified time period

[EC2.6] VPC flow logging should be enabled in all VPCs

[EC2.7] EBS default encryption should be enabled

[EC2.8] EC2 instances should use IMDSv2

[EC2.22] Unused EC2 security groups should be removed

[EC2.23] EC2 Transit Gateways should not automatically accept VPC attachment requests

[EC2.24] Paravirtual EC2 instance types should not be used

[EC2.25] EC2 launch templates should not assign public IPs to network interfaces

[ECR.1] ECR private repositories should have image scanning configured

[ECR.2] ECR private repositories should have tag immutability configured

[ECR.3] ECR repositories should have at least one lifecycle policy configured

[ECS.1] Amazon ECS task definitions should have secure networking modes and user definitions

[EFS.1] Amazon EFS should be configured to encrypt file data at rest using AWS KMS

[EFS.2] Amazon EFS volumes should be in backup plans

[EFS.3] EFS access points should enforce a root directory

[EFS.4] EFS access points should enforce a user identity

[EKS.2] EKS clusters should run on a supported Kubernetes version

[ELBv2.1] Application Load Balancer should be configured to redirect all HTTP requests to HTTPS

[ELB.3] Classic Load Balancer listeners should be configured with HTTPS or TLS termination

[ELB.9] Classic Load Balancers should have cross-zone load balancing enabled

[ELB.14] Classic Load Balancers should be configured with defensive or strictest desync mitigation mode

[EMR.1] Amazon EMR cluster master nodes should not have public IP addresses

[ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled

[ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled

[GuardDuty.1] GuardDuty should be enabled

[IAM.1] IAM policies should not allow full "*" administrative privileges

[IAM.2] IAM users should not have IAM policies attached

[IAM.3] IAM users' access keys should be rotated every 90 days or less

[IAM.5] MFA should be enabled for all IAM users that have a console password

[IAM.6] Hardware MFA should be enabled for the root user

[IAM.8] Unused IAM user credentials should be removed

[IAM.21] IAM customer managed policies that you create should not allow wildcard actions for services

[Kinesis.1] Kinesis Data Streams should be encrypted at rest

[KMS.1] IAM customer managed policies should not allow decryption and re-encryption actions on all KMS keys

[KMS.2] IAM principals should not have IAM inline policies that allow decryption and re-encryption actions on all KMS keys

[Lambda.5] VPC Lambda functions should operate in more than one Availability Zone

[NetworkFirewall.3] Network Firewall policies should have at least one rule group associated

[NetworkFirewall.4] The default stateless action for Network Firewall policies should be drop or forward for full packets

[NetworkFirewall.5] The default stateless action for Network Firewall policies should be drop or forward for fragmented packets

[NetworkFirewall.6] Stateless Network Firewall rule groups should not be empty

[OpenSearch.1] OpenSearch domains should have encryption at rest enabled

[OpenSearch.2] OpenSearch domains should be in a VPC

[OpenSearch.3] OpenSearch domains should encrypt data sent between nodes

[OpenSearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled

[OpenSearch.5] OpenSearch domains should have audit logging enabled

[OpenSearch.6] OpenSearch domains should have at least three data nodes

[OpenSearch.7] OpenSearch domains should have fine-grained access control enabled

[OpenSearch.8] Connections to OpenSearch domains should be encrypted using TLS 1.2

[RDS.1] RDS snapshots should be private

[RDS.2] Amazon RDS DB instances should prohibit public access, as determined by the PubliclyAccessible configuration

[RDS.3] RDS DB instances should have encryption at rest enabled

[RDS.4] RDS cluster snapshots and database snapshots should be encrypted at rest

[RDS.5] RDS DB instances should be configured with multiple Availability Zones

[RDS.6] Enhanced monitoring should be configured for RDS DB instances and clusters

[RDS.7] RDS clusters should have deletion protection enabled

[RDS.8] RDS DB instances should have deletion protection enabled

[RDS.11] Amazon RDS instances should have automatic backups enabled

[RDS.12] IAM authentication should be configured for RDS clusters

[RDS.14] Amazon Aurora clusters should have backtracking enabled

[RDS.15] RDS DB clusters should be configured for multiple Availability Zones

[RDS.16] RDS DB clusters should be configured to copy tags to snapshots

[RDS.24] RDS database clusters should use a custom administrator username

[Redshift.9] Redshift clusters should not use the default database name

[S3.2] S3 buckets should prohibit public read access

[S3.3] S3 buckets should prohibit public write access

[S3.4] S3 buckets should have server-side encryption enabled

[S3.5] S3 buckets should require requests to use Secure Socket Layer

[S3.6] Amazon S3 permissions granted to other AWS accounts in bucket policies should be restricted

[SageMaker.1] SageMaker notebook instances should not have direct internet access

[SageMaker.2] SageMaker notebook instances should be launched in a custom VPC

[SageMaker.3] Users should not have root access to SageMaker notebook instances

[SecretsManager.1] Secrets Manager secrets should have automatic rotation enabled

[SecretsManager.2] Secrets Manager secrets configured with automatic rotation should rotate successfully

[SecretsManager.3] Remove unused Secrets Manager secrets

[SecretsManager.4] Secrets Manager secrets should be rotated within a specified number of days

[SNS.1] SNS topics should be encrypted at rest using AWS KMS

[SNS.2] Logging of delivery status should be enabled for notification messages sent to a topic

[SQS.1] Amazon SQS queues should be encrypted at rest

[SSM.1] EC2 instances should be managed by AWS Systems Manager

[SSM.2] All EC2 instances managed by Systems Manager should be compliant with patching requirements

[SSM.3] Instances managed by Systems Manager should have an association compliance status of COMPLIANT

[WAF.1] AWS WAF Classic global web ACL logging should be enabled

[WAF.2] A WAF Regional rule should have at least one condition

[WAF.3] A WAF Regional rule group should have at least one rule

[WAF.4] A WAF Classic Regional web ACL should have at least one rule or rule group

[WAF.6] A WAF global rule should have at least one condition

[WAF.7] A WAF global rule group should have at least one rule

[WAF.8] A WAF global web ACL should have at least one rule or rule group

[WAF.10] A WAFV2 web ACL should have at least one rule or rule group

South America (São Paulo)

The following controls are not supported in South America (São Paulo).

AWS Foundational Security Best Practices standard

[CloudFront.1] CloudFront distributions should have a default root object configured

[CloudFront.2] CloudFront distributions should have origin access identity enabled

[CloudFront.3] CloudFront distributions should require encryption in transit

[CloudFront.4] CloudFront distributions should have origin failover configured

[CloudFront.5] CloudFront distributions should have logging enabled

[CloudFront.6] CloudFront distributions should have AWS WAF enabled

[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates

[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests

[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins

[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins

[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins

[RDS.7] RDS clusters should have deletion protection enabled

[RDS.12] IAM authentication should be configured for RDS clusters

[RDS.14] Amazon Aurora clusters should have backtracking enabled

[RDS.15] RDS DB clusters should be configured for multiple Availability Zones

[RDS.16] RDS DB clusters should be configured to copy tags to snapshots

[RDS.24] RDS database clusters should use a custom administrator username

[WAF.1] AWS WAF Classic global web ACL logging should be enabled

[WAF.6] A WAF global rule should have at least one condition

[WAF.7] A WAF global rule group should have at least one rule

[WAF.8] A WAF global web ACL should have at least one rule or rule group

AWS GovCloud (US-East)

The following controls are not supported in AWS GovCloud (US-East).

CIS AWS Foundations Benchmark v1.2.0

1.13 – Ensure MFA is enabled for the root user

1.14 – Ensure hardware MFA is enabled for the root user

CIS AWS Foundations Benchmark v1.4.0

1.5 – Ensure MFA is enabled for the root user account

1.6 – Ensure hardware MFA is enabled for the root user account

2.1.5.1 – S3 Block Public Access setting should be enabled

2.1.5.2 – S3 Block Public Access setting should be enabled at the bucket level

5.1 – Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports

Payment Card Industry Data Security Standard (PCI DSS)

[PCI.CodeBuild.1] CodeBuild GitHub or Bitbucket source repository URLs should use OAuth

[PCI.CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials

[PCI.GuardDuty.1] GuardDuty should be enabled

[PCI.IAM.4] Hardware MFA should be enabled for the root user

[PCI.IAM.5] Virtual MFA should be enabled for the root user

[PCI.SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access

AWS Foundational Security Best Practices standard

[Account.1] Security contact information should be provided for an AWS account

[APIGateway.2] API Gateway REST API stages should be configured to use SSL certificates for backend authentication

[APIGateway.3] API Gateway REST API stages should have AWS X-Ray tracing enabled

[APIGateway.4] API Gateway should be associated with an AWS WAF web ACL

[APIGateway.8] API Gateway routes should specify an authorization type

[APIGateway.9] Access logging should be configured for API Gateway V2 Stages

[AutoScaling.2] Amazon EC2 Auto Scaling group should cover multiple Availability Zones

[AutoScaling.3] Auto Scaling group should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2)

[AutoScaling.4] Auto Scaling group launch configuration should not have metadata response hop limit greater than 1

[AutoScaling.5] Amazon EC2 instances launched using Auto Scaling group launch configurations should not have public IP addresses

[AutoScaling.6] Auto Scaling groups should use multiple instance types in multiple Availability Zones

[AutoScaling.9] EC2 Auto Scaling groups should use EC2 launch templates

[CloudFormation.1] CloudFormation stacks should be integrated with Simple Notification Service (SNS)

[CloudFront.1] CloudFront distributions should have a default root object configured

[CloudFront.2] CloudFront distributions should have origin access identity enabled

[CloudFront.3] CloudFront distributions should require encryption in transit

[CloudFront.4] CloudFront distributions should have origin failover configured

[CloudFront.5] CloudFront distributions should have logging enabled

[CloudFront.6] CloudFront distributions should have AWS WAF enabled

[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates

[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests

[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins

[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins

[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins

[CodeBuild.1] CodeBuild GitHub or Bitbucket source repository URLs should use OAuth

[CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials

[CodeBuild.3] CodeBuild S3 logs should be encrypted

[CodeBuild.4] CodeBuild project environments should have a logging configuration

[CodeBuild.5] CodeBuild project environments should not have privileged mode enabled

[DynamoDB.1] DynamoDB tables should automatically scale capacity with demand

[EC2.15] EC2 subnets should not automatically assign public IP addresses

[EC2.16] Unused network access control lists should be removed

[EC2.17] EC2 instances should not use multiple ENIs

[EC2.20] Both VPN tunnels for an AWS Site-to-Site VPN connection should be up

[EC2.21] Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389

[EC2.22] Unused EC2 security groups should be removed

[EC2.23] EC2 Transit Gateways should not automatically accept VPC attachment requests

[EC2.24] Paravirtual EC2 instance types should not be used

[EC2.25] EC2 launch templates should not assign public IPs to network interfaces

[ECR.1] ECR private repositories should have image scanning configured

[ECR.2] ECR private repositories should have tag immutability configured

[ECR.3] ECR repositories should have at least one lifecycle policy configured

[ECS.1] Amazon ECS task definitions should have secure networking modes and user definitions

[ECS.2] Amazon ECS services should not have public IP addresses assigned to them automatically

[ECS.3] ECS task definitions should not share the host's process namespace

[ECS.4] ECS containers should run as non-privileged

[ECS.5] ECS containers should be limited to read-only access to root filesystems

[ECS.8] Secrets should not be passed as container environment variables

[ECS.10] Fargate services should run on the latest Fargate platform version

[ECS.12] ECS clusters should have Container Insights enabled

[EFS.2] Amazon EFS volumes should be in backup plans

[EFS.3] EFS access points should enforce a root directory

[EFS.4] EFS access points should enforce a user identity

[EKS.2] EKS clusters should run on a supported Kubernetes version

[ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled

[ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled

[ELB.2] Classic Load Balancers with HTTPS/SSL listeners should use a certificate provided by AWS Certificate Manager

[ELB.8] Classic Load Balancers with HTTPS/SSL listeners should use a predefined security policy that has strong configuration

[ELB.10] Classic Load Balancers should span multiple Availability Zones

[ELB.12] Application Load Balancers should be configured with defensive or strictest desync mitigation mode

[ELB.13] Application, Network, and Gateway Load Balancers should span multiple Availability Zones

[ELB.14] Classic Load Balancers should be configured with defensive or strictest desync mitigation mode

[ES.4] Elasticsearch domain error logging to CloudWatch Logs should be enabled

[GuardDuty.1] GuardDuty should be enabled

[IAM.6] Hardware MFA should be enabled for the root user

[IAM.21] IAM customer managed policies that you create should not allow wildcard actions for services

[Kinesis.1] Kinesis Data Streams should be encrypted at rest

[Lambda.5] VPC Lambda functions should operate in more than one Availability Zone

[NetworkFirewall.3] Network Firewall policies should have at least one rule group associated

[NetworkFirewall.4] The default stateless action for Network Firewall policies should be drop or forward for full packets

[NetworkFirewall.5] The default stateless action for Network Firewall policies should be drop or forward for fragmented packets

[OpenSearch.1] OpenSearch domains should have encryption at rest enabled

[OpenSearch.2] OpenSearch domains should be in a VPC

[OpenSearch.3] OpenSearch domains should encrypt data sent between nodes

[OpenSearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled

[OpenSearch.5] OpenSearch domains should have audit logging enabled

[OpenSearch.6] OpenSearch domains should have at least three data nodes

[OpenSearch.7] OpenSearch domains should have fine-grained access control enabled

[OpenSearch.8] Connections to OpenSearch domains should be encrypted using TLS 1.2

[RDS.12] IAM authentication should be configured for RDS clusters

[RDS.13] RDS automatic minor version upgrades should be enabled

[RDS.14] Amazon Aurora clusters should have backtracking enabled

[RDS.15] RDS DB clusters should be configured for multiple Availability Zones

[RDS.24] RDS database clusters should use a custom administrator username

[RDS.25] RDS database instances should use a custom administrator username

[Redshift.7] Amazon Redshift clusters should use enhanced VPC routing

[Redshift.8] Amazon Redshift clusters should not use the default Admin username

[Redshift.9] Redshift clusters should not use the default database name

[S3.1] S3 Block Public Access setting should be enabled

[S3.8] S3 Block Public Access setting should be enabled at the bucket level

[S3.11] S3 buckets should have event notifications enabled

[S3.12] S3 access control lists (ACLs) should not be used to manage user access to buckets

[S3.13] S3 buckets should have lifecycle policies configured

[SageMaker.2] SageMaker notebook instances should be launched in a custom VPC

[SageMaker.3] Users should not have root access to SageMaker notebook instances

[SecretsManager.3] Remove unused Secrets Manager secrets

[SecretsManager.4] Secrets Manager secrets should be rotated within a specified number of days

[SNS.2] Logging of delivery status should be enabled for notification messages sent to a topic

[SSM.4] SSM documents should not be public

[WAF.1] AWS WAF Classic global web ACL logging should be enabled

[WAF.2] A WAF Regional rule should have at least one condition

[WAF.3] A WAF Regional rule group should have at least one rule

[WAF.4] A WAF Classic Regional web ACL should have at least one rule or rule group

[WAF.6] A WAF global rule should have at least one condition

[WAF.7] A WAF global rule group should have at least one rule

[WAF.8] A WAF global web ACL should have at least one rule or rule group

[WAF.10] A WAFV2 web ACL should have at least one rule or rule group

AWS GovCloud (US-West)

The following controls are not supported in AWS GovCloud (US-West).

CIS AWS Foundations Benchmark v1.2.0

1.13 – Ensure MFA is enabled for the root user

1.14 – Ensure hardware MFA is enabled for the root user

CIS AWS Foundations Benchmark v1.4.0

1.5 – Ensure MFA is enabled for the root user account

1.6 – Ensure hardware MFA is enabled for the root user account

2.1.5.1 – S3 Block Public Access setting should be enabled

2.1.5.2 – S3 Block Public Access setting should be enabled at the bucket level

5.1 – Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports

Payment Card Industry Data Security Standard (PCI DSS)

[PCI.CodeBuild.1] CodeBuild GitHub or Bitbucket source repository URLs should use OAuth

[PCI.CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials

[PCI.IAM.4] Hardware MFA should be enabled for the root user

[PCI.IAM.5] Virtual MFA should be enabled for the root user

AWS Foundational Security Best Practices standard

[Account.1] Security contact information should be provided for an AWS account

[APIGateway.2] API Gateway REST API stages should be configured to use SSL certificates for backend authentication

[APIGateway.3] API Gateway REST API stages should have AWS X-Ray tracing enabled

[APIGateway.4] API Gateway should be associated with an AWS WAF web ACL

[APIGateway.8] API Gateway routes should specify an authorization type

[APIGateway.9] Access logging should be configured for API Gateway V2 Stages

[AutoScaling.2] Amazon EC2 Auto Scaling group should cover multiple Availability Zones

[AutoScaling.3] Auto Scaling group should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2)

[AutoScaling.4] Auto Scaling group launch configuration should not have metadata response hop limit greater than 1

[AutoScaling.5] Amazon EC2 instances launched using Auto Scaling group launch configurations should not have public IP addresses

[AutoScaling.6] Auto Scaling groups should use multiple instance types in multiple Availability Zones

[AutoScaling.9] EC2 Auto Scaling groups should use EC2 launch templates

[CloudFormation.1] CloudFormation stacks should be integrated with Simple Notification Service (SNS)

[CloudFront.1] CloudFront distributions should have a default root object configured

[CloudFront.2] CloudFront distributions should have origin access identity enabled

[CloudFront.3] CloudFront distributions should require encryption in transit

[CloudFront.4] CloudFront distributions should have origin failover configured

[CloudFront.5] CloudFront distributions should have logging enabled

[CloudFront.6] CloudFront distributions should have AWS WAF enabled

[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates

[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests

[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins

[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins

[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins

[CodeBuild.1] CodeBuild GitHub or Bitbucket source repository URLs should use OAuth

[CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials

[CodeBuild.3] CodeBuild S3 logs should be encrypted

[CodeBuild.4] CodeBuild project environments should have a logging configuration

[CodeBuild.5] CodeBuild project environments should not have privileged mode enabled

[DynamoDB.1] DynamoDB tables should automatically scale capacity with demand

[EC2.15] EC2 subnets should not automatically assign public IP addresses

[EC2.16] Unused network access control lists should be removed

[EC2.17] EC2 instances should not use multiple ENIs

[EC2.20] Both VPN tunnels for an AWS Site-to-Site VPN connection should be up

[EC2.21] Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389

[EC2.22] Unused EC2 security groups should be removed

[EC2.23] EC2 Transit Gateways should not automatically accept VPC attachment requests

[EC2.24] Paravirtual EC2 instance types should not be used

[EC2.25] EC2 launch templates should not assign public IPs to network interfaces

[ECR.1] ECR private repositories should have image scanning configured

[ECR.2] ECR private repositories should have tag immutability configured

[ECR.3] ECR repositories should have at least one lifecycle policy configured

[ECS.1] Amazon ECS task definitions should have secure networking modes and user definitions

[ECS.2] Amazon ECS services should not have public IP addresses assigned to them automatically

[ECS.3] ECS task definitions should not share the host's process namespace

[ECS.4] ECS containers should run as non-privileged

[ECS.5] ECS containers should be limited to read-only access to root filesystems

[ECS.8] Secrets should not be passed as container environment variables

[ECS.10] Fargate services should run on the latest Fargate platform version

[ECS.12] ECS clusters should have Container Insights enabled

[EFS.2] Amazon EFS volumes should be in backup plans

[EFS.3] EFS access points should enforce a root directory

[EFS.4] EFS access points should enforce a user identity

[EKS.2] EKS clusters should run on a supported Kubernetes version

[ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled

[ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled

[ELB.10] Classic Load Balancers should span multiple Availability Zones

[ELB.12] Application Load Balancers should be configured with defensive or strictest desync mitigation mode

[ELB.13] Application, Network, and Gateway Load Balancers should span multiple Availability Zones

[ELB.14] Classic Load Balancers should be configured with defensive or strictest desync mitigation mode

[ES.4] Elasticsearch domain error logging to CloudWatch Logs should be enabled

[IAM.6] Hardware MFA should be enabled for the root user

[IAM.21] IAM customer managed policies that you create should not allow wildcard actions for services

[Kinesis.1] Kinesis Data Streams should be encrypted at rest

[Lambda.5] VPC Lambda functions should operate in more than one Availability Zone

[NetworkFirewall.3] Network Firewall policies should have at least one rule group associated

[NetworkFirewall.4] The default stateless action for Network Firewall policies should be drop or forward for full packets

[NetworkFirewall.5] The default stateless action for Network Firewall policies should be drop or forward for fragmented packets

[OpenSearch.1] OpenSearch domains should have encryption at rest enabled

[OpenSearch.2] OpenSearch domains should be in a VPC

[OpenSearch.3] OpenSearch domains should encrypt data sent between nodes

[OpenSearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled

[OpenSearch.5] OpenSearch domains should have audit logging enabled

[OpenSearch.6] OpenSearch domains should have at least three data nodes

[OpenSearch.7] OpenSearch domains should have fine-grained access control enabled

[OpenSearch.8] Connections to OpenSearch domains should be encrypted using TLS 1.2

[RDS.12] IAM authentication should be configured for RDS clusters

[RDS.13] RDS automatic minor version upgrades should be enabled

[RDS.14] Amazon Aurora clusters should have backtracking enabled

[RDS.15] RDS DB clusters should be configured for multiple Availability Zones

[RDS.24] RDS database clusters should use a custom administrator username

[RDS.25] RDS database instances should use a custom administrator username

[Redshift.7] Amazon Redshift clusters should use enhanced VPC routing

[Redshift.8] Amazon Redshift clusters should not use the default Admin username

[Redshift.9] Redshift clusters should not use the default database name

[S3.1] S3 Block Public Access setting should be enabled

[S3.8] S3 Block Public Access setting should be enabled at the bucket level

[S3.11] S3 buckets should have event notifications enabled

[S3.12] S3 access control lists (ACLs) should not be used to manage user access to buckets

[S3.13] S3 buckets should have lifecycle policies configured

[SageMaker.2] SageMaker notebook instances should be launched in a custom VPC

[SageMaker.3] Users should not have root access to SageMaker notebook instances

[SecretsManager.3] Remove unused Secrets Manager secrets

[SecretsManager.4] Secrets Manager secrets should be rotated within a specified number of days

[SNS.2] Logging of delivery status should be enabled for notification messages sent to a topic

[SSM.4] SSM documents should not be public

[WAF.1] AWS WAF Classic global web ACL logging should be enabled

[WAF.2] A WAF Regional rule should have at least one condition

[WAF.3] A WAF Regional rule group should have at least one rule

[WAF.4] A WAF Classic Regional web ACL should have at least one rule or rule group

[WAF.6] A WAF global rule should have at least one condition

[WAF.7] A WAF global rule group should have at least one rule

[WAF.8] A WAF global web ACL should have at least one rule or rule group

[WAF.10] A WAFV2 web ACL should have at least one rule or rule group