Supported Regions - AWS Security Hub

Supported Regions

To view the Regions in which AWS Security Hub is available, see Security Hub Service Endpoints.

AWS Organizations integration not supported in all Regions

The China (Beijing) and China (Ningxia) Regions do not support the Security Hub integration with Organizations.

Integrations not supported in all Regions

Some integrations are not available in all Regions. If an integration is not supported, it is not listed on the Integrations page.

Integrations that are supported in China (Beijing) and China (Ningxia)

The China (Beijing) and China (Ningxia) Regions only support the following integrations with AWS services:

  • Amazon GuardDuty

  • IAM Access Analyzer

  • Systems Manager Patch Manager

The China (Beijing) and China (Ningxia) Regions only support the following third-party integrations:

  • Cloud Custodian

  • FireEye Helix

  • Helecloud

  • IBM QRadar

  • PagerDuty

  • Palo Alto Networks Cortex XSOAR

  • Palo Alto Networks VM-Series

  • Prowler

  • RSA Archer

  • Splunk Enterprise

  • Splunk Phantom

  • ThreatModeler

Integrations that are supported in AWS GovCloud (US-East) and AWS GovCloud (US-West)

The AWS GovCloud (US-East) and AWS GovCloud (US-West) Regions only support the following integrations with AWS services:

  • Amazon Detective

  • AWS Firewall Manager

  • Amazon GuardDuty

  • Amazon Inspector

  • IAM Access Analyzer

The AWS GovCloud (US-East) and AWS GovCloud (US-West) Regions only support the following third-party integrations:

  • Atlassian Jira Service Manager

  • Atlassian OpsGenie

  • Cloud Custodian

  • Cloud Storage Security Antivirus for Amazon S3

  • cloudtamer.io

  • CrowdStrike Falcon

  • FireEye Helix

  • Forcepoint CASB

  • Forcepoint DLP

  • Forcepoint NGFW

  • MicroFocus ArcSight

  • NETSCOUT Cyber Investigator

  • PagerDuty

  • Palo Alto Networks – Prisma Cloud Compute

  • Palo Alto Networks – Prisma Cloud Enterprise

  • Palo Alto Networks – VM-Series

  • Prowler

  • Rackspace Technology – Cloud Native Security

  • Rapid7 InsightConnect

  • RSA Archer

  • SecureCloudDb

  • ServiceNow ITSM

  • Slack

  • ThreatModeler

  • Vectra AI Cognito Detect

Controls that are not supported in all Regions

The following Regions do not support all of the Security Hub controls. For each Region, the list provides the controls that are not supported.

US East (Ohio)

The following controls are not supported in US East (Ohio).

US West (N. California)

The following controls are not supported in US West (N. California).

US West (Oregon)

The following controls are not supported in US West (Oregon).

Africa (Cape Town)

The following controls are not supported in Africa (Cape Town).

CIS AWS Foundations Benchmark standard

  • 1.4 – Ensure access keys are rotated every 90 days or less

  • 1.12 – Ensure no root account access key exists

  • 1.20 – Ensure a support role has been created to manage incidents with AWS Support

  • 4.1 – Ensure no security groups allow ingress from 0.0.0.0/0 to port 22

  • 4.2 – Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389

Payment Card Industry Data Security Standard (PCI DSS)

  • [PCI.CodeBuild.1] CodeBuild GitHub or Bitbucket source repository URLs should use OAuth

  • [PCI.CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials

  • [PCI.DMS.1] AWS Database Migration Service replication instances should not be public

  • [PCI.EC2.1] Amazon EBS snapshots should not be publicly restorable

  • [PCI.EC2.3] Unused EC2 security groups should be removed

  • [PCI.EC2.4] Unused EC2 EIPs should be removed

  • [PCI.EC2.5] Security groups should not allow ingress from 0.0.0.0/0 to port 22

  • [PCI.ELBV2.1] Application Load Balancer should be configured to redirect all HTTP requests to HTTPS

  • [PCI.GuardDuty.1] GuardDuty should be enabled

  • [PCI.IAM.1] IAM root user access key should not exist

  • [PCI.RDS.1] RDS snapshots should prohibit public access

  • [PCI.SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access

  • [PCI.SSM.1] Amazon EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation

  • [PCI.SSM.2] Instances managed by Systems Manager should have an association compliance status of COMPLIANT

AWS Foundational Security Best Practices standard

  • [ACM.1] Imported ACM certificates should be renewed after a specified time period

  • [APIGateway.1] API Gateway REST and WebSocket API logging should be enabled

  • [APIGateway.5] API Gateway REST API cache data should be encrypted at rest

  • [CloudFront.1] CloudFront distributions should have a default root object configured

  • [CloudFront.2] CloudFront distributions should have origin access identity enabled

  • [CloudFront.3] CloudFront distributions should require encryption in transit

  • [CloudFront.4] CloudFront distributions should have origin failover configured

  • [CloudFront.5] CloudFront distributions should have logging enabled

  • [CloudFront.6] CloudFront distributions should have AWS WAF enabled

  • [CodeBuild.1] CodeBuild GitHub or Bitbucket source repository URLs should use OAuth

  • [CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials

  • [DMS.1] AWS Database Migration Service replication instances should not be public

  • [EC2.1] Amazon EBS snapshots should not be public, determined by the ability to be restorable by anyone

  • [EC2.3] Attached EBS volumes should be encrypted at rest

  • [EC2.4] Stopped EC2 instances should be removed after a specified time period

  • [EC2.8] EC2 instances should use IMDSv2

  • [EFS.1] Amazon EFS should be configured to encrypt file data at rest using AWS KMS

  • [EFS.2] Amazon EFS volumes should be in backup plans

  • [ELB.4] Application load balancers should be configured to drop HTTP headers

  • [ELBv2.1] Application Load Balancer should be configured to redirect all HTTP requests to HTTPS

  • [EMR.1] Amazon EMR cluster master nodes should not have public IP addresses

  • [ES.3] Amazon Elasticsearch Service domains should encrypt data sent between nodes

  • [GuardDuty.1] GuardDuty should be enabled

  • [IAM.3] IAM users' access keys should be rotated every 90 days or less

  • [IAM.4] IAM root user access key should not exist

  • [RDS.1] RDS snapshots should be private

  • [RDS.9] Database logging should be enabled

  • [RDS.10] IAM authentication should be configured for RDS instances

  • [RDS.14] Amazon Aurora clusters should have backtracking enabled

  • [Redshift.3] Amazon Redshift clusters should have automatic snapshots enabled

  • [S3.1] S3 Block Public Access setting should be enabled

  • [SageMaker.1] SageMaker notebook instances should not have direct internet access

  • [SSM.2] All EC2 instances managed by Systems Manager should be compliant with patching requirements

  • [SSM.3] Instances managed by Systems Manager should have an association compliance status of COMPLIANT

  • [WAF.1] AWS WAF Classic global web ACL logging should be enabled

Asia Pacific (Hong Kong)

The following controls are not supported in Asia Pacific (Hong Kong).

Asia Pacific (Mumbai)

The following controls are not supported in Asia Pacific (Mumbai).

Asia Pacific (Osaka)

The following controls are not supported in Asia Pacific (Osaka).

CIS AWS Foundations Benchmark standard

  • 1.12 – Ensure no root account access key exists

  • 1.20 – Ensure a support role has been created to manage incidents with AWS Support

  • 4.1 – Ensure no security groups allow ingress from 0.0.0.0/0 to port 22

  • 4.2 – Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389

Payment Card Industry Data Security Standard (PCI DSS)

  • [PCI.CodeBuild.1] CodeBuild GitHub or Bitbucket source repository URLs should use OAuth

  • [PCI.CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials

  • [PCI.DMS.1] AWS Database Migration Service replication instances should not be public

  • [PCI.EC2.1] Amazon EBS snapshots should not be publicly restorable

  • [PCI.EC2.3] Unused EC2 security groups should be removed

  • [PCI.EC2.5] Security groups should not allow ingress from 0.0.0.0/0 to port 22

  • [PCI.ELBV2.1] Application Load Balancer should be configured to redirect all HTTP requests to HTTPS

  • [PCI.ES.1] Amazon Elasticsearch Service domains should be in a VPC

  • [PCI.ES.2] Amazon Elasticsearch Service domains should have encryption at rest enabled

  • [PCI.GuardDuty.1] GuardDuty should be enabled

  • [PCI.IAM.1] IAM root user access key should not exist

  • [PCI.Lambda.1] Lambda functions should prohibit public access

  • [PCI.Lambda.2] Lambda functions should be in a VPC

  • [PCI.RDS.1] RDS snapshots should prohibit public access

  • [PCI.Redshift.1] Amazon Redshift clusters should prohibit public access

  • [PCI.S3.6] S3 Block Public Access setting should be enabled

  • [PCI.SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access

  • [PCI.SSM.1] Amazon EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation

  • [PCI.SSM.2] Instances managed by Systems Manager should have an association compliance status of COMPLIANT

AWS Foundational Security Best Practices standard

  • [APIGateway.2] API Gateway REST API stages should be configured to use SSL certificates for backend authentication

  • [APIGateway.3] API Gateway REST API stages should have AWS X-Ray tracing enabled

  • [APIGateway.4] API Gateway should be associated with an AWS WAF web ACL

  • [APIGateway.5] API Gateway REST API cache data should be encrypted at rest

  • [CloudFront.1] CloudFront distributions should have a default root object configured

  • [CloudFront.2] CloudFront distributions should have origin access identity enabled

  • [CloudFront.3] CloudFront distributions should require encryption in transit

  • [CloudFront.4] CloudFront distributions should have origin failover configured

  • [CloudFront.5] CloudFront distributions should have logging enabled

  • [CloudFront.6] CloudFront distributions should have AWS WAF enabled

  • [EC2.15] EC2 subnets should not automatically assign public IP addresses

  • [EC2.16] Unused network access control lists should be removed

  • [EC2.17] EC2 instances should not use multiple ENIs

  • [EC2.18] Security groups should only allow unrestricted incoming traffic for authorized ports

  • [ECS.1] Amazon ECS task definitions should have secure networking modes and user definitions

  • [ECS.2] Amazon ECS services should not have public IP addresses assigned to them automatically

  • [ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled

  • [ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled

  • [ELB.4] Application load balancers should be configured to drop HTTP headers

  • [ELB.7] Classic Load Balancers should have connection draining enabled

  • [IAM.21] IAM customer managed policies that you create should not allow wildcard actions for services

  • [Lambda.4] Lambda functions should have a dead-letter queue configured

  • [RDS.9] Database logging should be enabled

  • [RDS.10] IAM authentication should be configured for RDS instances

  • [RDS.12] IAM authentication should be configured for RDS clusters

  • [RDS.13] RDS automatic minor version upgrades should be enabled

  • [RDS.14] Amazon Aurora clusters should have backtracking enabled

  • [RDS.15] RDS DB clusters should be configured for multiple Availability Zones

  • [RDS.16] RDS DB clusters should be configured to copy tags to snapshots

  • [RDS.19] An RDS event notifications subscription should be configured for critical cluster events

  • [RDS.20] An RDS event notifications subscription should be configured for critical database instance events

  • [RDS.21] An RDS event notifications subscription should be configured for critical database parameter group events

  • [RDS.22] An RDS event notifications subscription should be configured for critical database security group events

  • [RDS.23] RDS databases and clusters should not use a database engine default port

  • [Redshift.3] Amazon Redshift clusters should have automatic snapshots enabled

  • [Redshift.7] Amazon Redshift clusters should use enhanced VPC routing

  • [S3.8] S3 Block Public Access setting should be enabled at the bucket level

  • [SecretsManager.3] Remove unused Secrets Manager secrets

  • [SecretsManager.4] Secrets Manager secrets should be rotated within a specified number of days

  • [WAF.1] AWS WAF Classic global web ACL logging should be enabled

Asia Pacific (Seoul)

The following controls are not supported in Asia Pacific (Seoul).

Asia Pacific (Singapore)

The following controls are not supported in Asia Pacific (Singapore).

Asia Pacific (Sydney)

The following controls are not supported in Asia Pacific (Sydney).

Asia Pacific (Tokyo)

The following controls are not supported in Asia Pacific (Tokyo).

Canada (Central)

The following controls are not supported in Canada (Central).

China (Beijing)

The following controls are not supported in China (Beijing).

CIS AWS Foundations Benchmark standard

  • 1.13 – Ensure MFA is enabled for the "root" account

  • 1.14 – Ensure hardware MFA is enabled for the "root" account

Payment Card Industry Data Security Standard (PCI DSS)

  • [PCI.GuardDuty.1] GuardDuty should be enabled

  • [PCI.IAM.4] Hardware MFA should be enabled for the root user

  • [PCI.IAM.5] Virtual MFA should be enabled for the root user

  • [PCI.Lambda.1] Lambda functions should prohibit public access

  • [PCI.Lambda.2] Lambda functions should be in a VPC

  • [PCI.SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access

AWS Foundational Security Best Practices standard

  • [ACM.1] Imported ACM certificates should be renewed after a specified time period

  • [APIGateway.2] API Gateway REST API stages should be configured to use SSL certificates for backend authentication

  • [APIGateway.3] API Gateway REST API stages should have AWS X-Ray tracing enabled

  • [APIGateway.4] API Gateway should be associated with an AWS WAF web ACL

  • [CloudFront.1] CloudFront distributions should have a default root object configured

  • [CloudFront.2] CloudFront distributions should have origin access identity enabled

  • [CloudFront.3] CloudFront distributions should require encryption in transit

  • [CloudFront.4] CloudFront distributions should have origin failover configured

  • [CloudFront.5] CloudFront distributions should have logging enabled

  • [CloudFront.6] CloudFront distributions should have AWS WAF enabled

  • [EC2.15] EC2 subnets should not automatically assign public IP addresses

  • [EC2.16] Unused network access control lists should be removed

  • [ECS.1] Amazon ECS task definitions should have secure networking modes and user definitions

  • [ECS.2] Amazon ECS services should not have public IP addresses assigned to them automatically

  • [ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled

  • [ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled

  • [ES.3] Amazon Elasticsearch Service domains should encrypt data sent between nodes

  • [ES.4] Amazon Elasticsearch Service domain error logging to CloudWatch Logs should be enabled

  • [ES.5] Elasticsearch domains should have audit logging enabled

  • [ES.6] Elasticsearch domains should have at least three data nodes

  • [ES.7] Elasticsearch domains should be configured with at least three dedicated master nodes

  • [ES.8] Connections to Elasticsearch domains should be encrypted using TLS 1.2

  • [GuardDuty.1] GuardDuty should be enabled

  • [IAM.6] Hardware MFA should be enabled for the root user

  • [IAM.21] IAM customer managed policies that you create should not allow wildcard actions for services

  • [Lambda.1] Lambda function policies should prohibit public access

  • [Lambda.2] Lambda functions should use supported runtimes

  • [RDS.7] RDS clusters should have deletion protection enabled

  • [RDS.10] IAM authentication should be configured for RDS instances

  • [RDS.12] IAM authentication should be configured for RDS clusters

  • [RDS.13] RDS automatic minor version upgrades should be enabled

  • [RDS.14] Amazon Aurora clusters should have backtracking enabled

  • [RDS.15] RDS DB clusters should be configured for multiple Availability Zones

  • [RDS.16] RDS DB clusters should be configured to copy tags to snapshots

  • [RDS.19] An RDS event notifications subscription should be configured for critical cluster events

  • [Redshift.7] Amazon Redshift clusters should use enhanced VPC routing

  • [S3.8] S3 Block Public Access setting should be enabled at the bucket level

  • [SageMaker.1] SageMaker notebook instances should not have direct internet access

  • [SecretsManager.3] Remove unused Secrets Manager secrets

  • [SecretsManager.4] Secrets Manager secrets should be rotated within a specified number of days

  • [WAF.1] AWS WAF Classic global web ACL logging should be enabled

China (Ningxia)

The following controls are not supported in China (Ningxia).

CIS AWS Foundations Benchmark standard

  • 1.13 – Ensure MFA is enabled for the "root" account

  • 1.14 – Ensure hardware MFA is enabled for the "root" account

Payment Card Industry Data Security Standard (PCI DSS)

  • [PCI.GuardDuty.1] GuardDuty should be enabled

  • [PCI.IAM.4] Hardware MFA should be enabled for the root user

  • [PCI.IAM.5] Virtual MFA should be enabled for the root user

  • [PCI.Lambda.1] Lambda functions should prohibit public access

  • [PCI.Lambda.2] Lambda functions should be in a VPC

  • [PCI.SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access

AWS Foundational Security Best Practices standard

  • [ACM.1] Imported ACM certificates should be renewed after a specified time period

  • [APIGateway.2] API Gateway REST API stages should be configured to use SSL certificates for backend authentication

  • [APIGateway.3] API Gateway REST API stages should have AWS X-Ray tracing enabled

  • [APIGateway.4] API Gateway should be associated with an AWS WAF web ACL

  • [CloudFront.1] CloudFront distributions should have a default root object configured

  • [CloudFront.2] CloudFront distributions should have origin access identity enabled

  • [CloudFront.3] CloudFront distributions should require encryption in transit

  • [CloudFront.4] CloudFront distributions should have origin failover configured

  • [CloudFront.5] CloudFront distributions should have logging enabled

  • [CloudFront.6] CloudFront distributions should have AWS WAF enabled

  • [EC2.15] EC2 subnets should not automatically assign public IP addresses

  • [EC2.16] Unused network access control lists should be removed

  • [ECS.1] Amazon ECS task definitions should have secure networking modes and user definitions

  • [ECS.2] Amazon ECS services should not have public IP addresses assigned to them automatically

  • [ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled

  • [ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled

  • [ES.3] Amazon Elasticsearch Service domains should encrypt data sent between nodes

  • [ES.4] Amazon Elasticsearch Service domain error logging to CloudWatch Logs should be enabled

  • [ES.5] Elasticsearch domains should have audit logging enabled

  • [ES.6] Elasticsearch domains should have at least three data nodes

  • [ES.7] Elasticsearch domains should be configured with at least three dedicated master nodes

  • [ES.8] Connections to Elasticsearch domains should be encrypted using TLS 1.2

  • [GuardDuty.1] GuardDuty should be enabled

  • [IAM.6] Hardware MFA should be enabled for the root user

  • [IAM.21] IAM customer managed policies that you create should not allow wildcard actions for services

  • [Lambda.1] Lambda function policies should prohibit public access

  • [Lambda.2] Lambda functions should use supported runtimes

  • [Lambda.4] Lambda functions should have a dead-letter queue configured

  • [RDS.7] RDS clusters should have deletion protection enabled

  • [RDS.9] Database logging should be enabled

  • [RDS.10] IAM authentication should be configured for RDS instances

  • [RDS.12] IAM authentication should be configured for RDS clusters

  • [RDS.13] RDS automatic minor version upgrades should be enabled

  • [RDS.14] Amazon Aurora clusters should have backtracking enabled

  • [RDS.15] RDS DB clusters should be configured for multiple Availability Zones

  • [RDS.16] RDS DB clusters should be configured to copy tags to snapshots

  • [RDS.19] An RDS event notifications subscription should be configured for critical cluster events

  • [Redshift.3] Amazon Redshift clusters should have automatic snapshots enabled

  • [Redshift.7] Amazon Redshift clusters should use enhanced VPC routing

  • [S3.8] S3 Block Public Access setting should be enabled at the bucket level

  • [SageMaker.1] SageMaker notebook instances should not have direct internet access

  • [SecretsManager.3] Remove unused Secrets Manager secrets

  • [SecretsManager.4] Secrets Manager secrets should be rotated within a specified number of days

  • [WAF.1] AWS WAF Classic global web ACL logging should be enabled

Europe (Frankfurt)

The following controls are not supported in Europe (Frankfurt).

Europe (Ireland)

The following controls are not supported in Europe (Ireland).

Europe (London)

The following controls are not supported in Europe (London).

Europe (Milan)

The following controls are not supported in Europe (Milan).

CIS AWS Foundations Benchmark standard

  • 1.4 – Ensure access keys are rotated every 90 days or less

  • 1.20 – Ensure a support role has been created to manage incidents with AWS Support

  • 4.1 – Ensure no security groups allow ingress from 0.0.0.0/0 to port 22

  • 4.2 – Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389

Payment Card Industry Data Security Standard (PCI DSS)

  • [PCI.CodeBuild.1] CodeBuild GitHub or Bitbucket source repository URLs should use OAuth

  • [PCI.CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials

  • [PCI.DMS.1] AWS Database Migration Service replication instances should not be public

  • [PCI.EC2.1] Amazon EBS snapshots should not be publicly restorable

  • [PCI.EC2.3] Unused EC2 security groups should be removed

  • [PCI.EC2.4] Unused EC2 EIPs should be removed

  • [PCI.EC2.5] Security groups should not allow ingress from 0.0.0.0/0 to port 22

  • [PCI.ELBV2.1] Application Load Balancer should be configured to redirect all HTTP requests to HTTPS

  • [PCI.GuardDuty.1] GuardDuty should be enabled

  • [PCI.RDS.1] RDS snapshots should prohibit public access

  • [PCI.S3.6] S3 Block Public Access setting should be enabled

  • [PCI.SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access

  • [PCI.SSM.1] Amazon EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation

  • [PCI.SSM.2] Instances managed by Systems Manager should have an association compliance status of COMPLIANT

AWS Foundational Security Best Practices standard

  • [ACM.1] Imported ACM certificates should be renewed after a specified time period

  • [APIGateway.1] API Gateway REST and WebSocket API logging should be enabled

  • [APIGateway.5] API Gateway REST API cache data should be encrypted at rest

  • [CloudFront.1] CloudFront distributions should have a default root object configured

  • [CloudFront.2] CloudFront distributions should have origin access identity enabled

  • [CloudFront.3] CloudFront distributions should require encryption in transit

  • [CloudFront.4] CloudFront distributions should have origin failover configured

  • [CloudFront.5] CloudFront distributions should have logging enabled

  • [CloudFront.6] CloudFront distributions should have AWS WAF enabled

  • [CodeBuild.1] CodeBuild GitHub or Bitbucket source repository URLs should use OAuth

  • [CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials

  • [DMS.1] AWS Database Migration Service replication instances should not be public

  • [EC2.1] Amazon EBS snapshots should not be public, determined by the ability to be restorable by anyone

  • [EC2.3] Attached EBS volumes should be encrypted at rest

  • [EC2.4] Stopped EC2 instances should be removed after a specified time period

  • [EC2.8] EC2 instances should use IMDSv2

  • [EFS.1] Amazon EFS should be configured to encrypt file data at rest using AWS KMS

  • [EFS.2] Amazon EFS volumes should be in backup plans

  • [ELB.4] Application load balancers should be configured to drop HTTP headers

  • [ELBv2.1] Application Load Balancer should be configured to redirect all HTTP requests to HTTPS

  • [EMR.1] Amazon EMR cluster master nodes should not have public IP addresses

  • [ES.3] Amazon Elasticsearch Service domains should encrypt data sent between nodes

  • [GuardDuty.1] GuardDuty should be enabled

  • [IAM.3] IAM users' access keys should be rotated every 90 days or less

  • [KMS.3] AWS KMS keys should not be unintentionally deleted

  • [RDS.1] RDS snapshots should be private

  • [RDS.9] Database logging should be enabled

  • [RDS.14] Amazon Aurora clusters should have backtracking enabled

  • [Redshift.2] Connections to Amazon Redshift clusters should be encrypted in transit

  • [Redshift.3] Amazon Redshift clusters should have automatic snapshots enabled

  • [S3.1] S3 Block Public Access setting should be enabled

  • [SageMaker.1] SageMaker notebook instances should not have direct internet access

  • [SSM.2] All EC2 instances managed by Systems Manager should be compliant with patching requirements

  • [SSM.3] Instances managed by Systems Manager should have an association compliance status of COMPLIANT

  • [WAF.1] AWS WAF Classic global web ACL logging should be enabled

Europe (Paris)

The following controls are not supported in Europe (Paris).

Europe (Stockholm)

The following controls are not supported in Europe (Stockholm).

Middle East (Bahrain)

The following controls are not supported in Middle East (Bahrain).

South America (São Paulo)

The following controls are not supported in South America (São Paulo).

AWS GovCloud (US-East)

The following controls are not supported in AWS GovCloud (US-East).

CIS AWS Foundations Benchmark standard

  • 1.13 – Ensure MFA is enabled for the "root" account

  • 1.14 – Ensure hardware MFA is enabled for the "root" account

Payment Card Industry Data Security Standard (PCI DSS)

  • [PCI.CodeBuild.1] CodeBuild GitHub or Bitbucket source repository URLs should use OAuth

  • [PCI.CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials

  • [PCI.GuardDuty.1] GuardDuty should be enabled

  • [PCI.IAM.4] Hardware MFA should be enabled for the root user

  • [PCI.IAM.5] Virtual MFA should be enabled for the root user

  • [PCI.SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access

AWS Foundational Security Best Practices standard

  • [APIGateway.2] API Gateway REST API stages should be configured to use SSL certificates for backend authentication

  • [APIGateway.3] API Gateway REST API stages should have AWS X-Ray tracing enabled

  • [APIGateway.4] API Gateway should be associated with an AWS WAF web ACL

  • [CloudFront.1] CloudFront distributions should have a default root object configured

  • [CloudFront.2] CloudFront distributions should have origin access identity enabled

  • [CloudFront.3] CloudFront distributions should require encryption in transit

  • [CloudFront.4] CloudFront distributions should have origin failover configured

  • [CloudFront.5] CloudFront distributions should have logging enabled

  • [CloudFront.6] CloudFront distributions should have AWS WAF enabled

  • [CodeBuild.1] CodeBuild GitHub or Bitbucket source repository URLs should use OAuth

  • [CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials

  • [DynamoDB.1] DynamoDB tables should automatically scale capacity with demand

  • [EC2.15] EC2 subnets should not automatically assign public IP addresses

  • [EC2.16] Unused network access control lists should be removed

  • [EC2.17] EC2 instances should not use multiple ENIs

  • [ECS.1] Amazon ECS task definitions should have secure networking modes and user definitions

  • [ECS.2] Amazon ECS services should not have public IP addresses assigned to them automatically

  • [EFS.2] Amazon EFS volumes should be in backup plans

  • [ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled

  • [ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled

  • [ES.4] Amazon Elasticsearch Service domain error logging to CloudWatch Logs should be enabled

  • [ES.5] Elasticsearch domains should have audit logging enabled

  • [ES.6] Elasticsearch domains should have at least three data nodes

  • [ES.7] Elasticsearch domains should be configured with at least three dedicated master nodes

  • [ES.8] Connections to Elasticsearch domains should be encrypted using TLS 1.2

  • [GuardDuty.1] GuardDuty should be enabled

  • [IAM.6] Hardware MFA should be enabled for the root user

  • [IAM.21] IAM customer managed policies that you create should not allow wildcard actions for services

  • [RDS.12] IAM authentication should be configured for RDS clusters

  • [RDS.13] RDS automatic minor version upgrades should be enabled

  • [RDS.14] Amazon Aurora clusters should have backtracking enabled

  • [RDS.15] RDS DB clusters should be configured for multiple Availability Zones

  • [Redshift.7] Amazon Redshift clusters should use enhanced VPC routing

  • [S3.8] S3 Block Public Access setting should be enabled at the bucket level

  • [SecretsManager.3] Remove unused Secrets Manager secrets

  • [SecretsManager.4] Secrets Manager secrets should be rotated within a specified number of days

  • [WAF.1] AWS WAF Classic global web ACL logging should be enabled

AWS GovCloud (US-West)

The following controls are not supported in AWS GovCloud (US-West).

CIS AWS Foundations Benchmark standard

  • 1.13 – Ensure MFA is enabled for the "root" account

  • 1.14 – Ensure hardware MFA is enabled for the "root" account

Payment Card Industry Data Security Standard (PCI DSS)

  • [PCI.CodeBuild.1] CodeBuild GitHub or Bitbucket source repository URLs should use OAuth

  • [PCI.CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials

  • [PCI.IAM.4] Hardware MFA should be enabled for the root user

  • [PCI.IAM.5] Virtual MFA should be enabled for the root user

AWS Foundational Security Best Practices standard

  • [APIGateway.2] API Gateway REST API stages should be configured to use SSL certificates for backend authentication

  • [APIGateway.3] API Gateway REST API stages should have AWS X-Ray tracing enabled

  • [APIGateway.4] API Gateway should be associated with an AWS WAF web ACL

  • [CloudFront.1] CloudFront distributions should have a default root object configured

  • [CloudFront.2] CloudFront distributions should have origin access identity enabled

  • [CloudFront.3] CloudFront distributions should require encryption in transit

  • [CloudFront.4] CloudFront distributions should have origin failover configured

  • [CloudFront.5] CloudFront distributions should have logging enabled

  • [CloudFront.6] CloudFront distributions should have AWS WAF enabled

  • [CodeBuild.1] CodeBuild GitHub or Bitbucket source repository URLs should use OAuth

  • [CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials

  • [DynamoDB.1] DynamoDB tables should automatically scale capacity with demand

  • [EC2.15] EC2 subnets should not automatically assign public IP addresses

  • [EC2.16] Unused network access control lists should be removed

  • [EC2.17] EC2 instances should not use multiple ENIs

  • [ECS.1] Amazon ECS task definitions should have secure networking modes and user definitions

  • [ECS.2] Amazon ECS services should not have public IP addresses assigned to them automatically

  • [EFS.2] Amazon EFS volumes should be in backup plans

  • [ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled

  • [ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled

  • [ES.4] Amazon Elasticsearch Service domain error logging to CloudWatch Logs should be enabled

  • [ES.5] Elasticsearch domains should have audit logging enabled

  • [ES.6] Elasticsearch domains should have at least three data nodes

  • [ES.7] Elasticsearch domains should be configured with at least three dedicated master nodes

  • [ES.8] Connections to Elasticsearch domains should be encrypted using TLS 1.2

  • [IAM.6] Hardware MFA should be enabled for the root user

  • [IAM.21] IAM customer managed policies that you create should not allow wildcard actions for services

  • [RDS.12] IAM authentication should be configured for RDS clusters

  • [RDS.13] RDS automatic minor version upgrades should be enabled

  • [RDS.14] Amazon Aurora clusters should have backtracking enabled

  • [RDS.15] RDS DB clusters should be configured for multiple Availability Zones

  • [Redshift.7] Amazon Redshift clusters should use enhanced VPC routing

  • [S3.8] S3 Block Public Access setting should be enabled at the bucket level

  • [SecretsManager.3] Remove unused Secrets Manager secrets

  • [SecretsManager.4] Secrets Manager secrets should be rotated within a specified number of days

  • [WAF.1] AWS WAF Classic global web ACL logging should be enabled