Regional limits
Some AWS Security Hub features are available in only certain AWS Regions. The following sections specify these Regional limits.
For a list of Regions in which Security Hub is available, see AWS Security Hub endpoints and quotas in the AWS General Reference.
Contents
- Cross-Region aggregation restrictions
- Availability of integrations by Region
- Availability of standards by Region
- Availability of controls by Region
  - US East (Ohio)
  - US East (N. Virginia)
  - US West (N. California)
  - US West (Oregon)
  - Africa (Cape Town)
  - Asia Pacific (Hong Kong)
  - Asia Pacific (Hyderabad)
  - Asia Pacific (Jakarta)
  - Asia Pacific (Mumbai)
  - Asia Pacific (Melbourne)
  - Asia Pacific (Osaka)
  - Asia Pacific (Seoul)
  - Asia Pacific (Singapore)
  - Asia Pacific (Sydney)
  - Asia Pacific (Tokyo)
  - Canada (Central)
  - China (Beijing)
  - China (Ningxia)
  - Europe (Frankfurt)
  - Europe (Ireland)
  - Europe (London)
  - Europe (Milan)
  - Europe (Paris)
  - Europe (Spain)
  - Europe (Stockholm)
  - Europe (Zurich)
  - Middle East (Bahrain)
  - Middle East (UAE)
  - South America (São Paulo)
  - AWS GovCloud (US-East)
  - AWS GovCloud (US-West)
Cross-Region aggregation restrictions
In AWS GovCloud (US), cross-Region aggregation is available for findings, finding updates, and insights across AWS GovCloud (US) only. Specifically, you can only aggregate findings, finding updates, and insights between AWS GovCloud (US-East) and AWS GovCloud (US-West).
In the China Regions, cross-Region aggregation is available for findings, finding updates, and insights across the China Regions only. Specifically, you can only aggregate findings, finding updates, and insights between China (Beijing) and China (Ningxia).
You can't use a Region that is disabled by default as your aggregation Region. For a list of Regions that are disabled by default, see Enabling a Region in the AWS General Reference.
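The three restrictions above are easy to get wrong in infrastructure code, and a rejected CreateFindingAggregator call is a poor place to discover them. The following is an added example (not code from the AWS documentation) that encodes them as a pure pre-flight check: the aggregation Region must not be one that is disabled by default, and linked Regions must sit in the same partition as the aggregation Region, which is what confines GovCloud (US) and the China Regions to each other. The DISABLED_BY_DEFAULT set is an assumed snapshot of opt-in Regions at the time of writing; `opt_in_regions_from_api()` shows how to replace it with the live answer from account:ListRegions, and `AggregationPlan` is a name chosen for this example.

```python
"""Pre-flight validation of a Security Hub cross-Region aggregation plan.

Added example, not code from the AWS documentation. Pure functions run
offline; only opt_in_regions_from_api() needs boto3 and credentials.
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumed snapshot of opt-in Regions (disabled by default) at time of writing.
# Authoritative sources: the "Enabling a Region" page or account:ListRegions.
DISABLED_BY_DEFAULT: frozenset[str] = frozenset({
    "af-south-1",      # Africa (Cape Town)
    "ap-east-1",       # Asia Pacific (Hong Kong)
    "ap-south-2",      # Asia Pacific (Hyderabad)
    "ap-southeast-3",  # Asia Pacific (Jakarta)
    "ap-southeast-4",  # Asia Pacific (Melbourne)
    "eu-south-1",      # Europe (Milan)
    "eu-south-2",      # Europe (Spain)
    "eu-central-2",    # Europe (Zurich)
    "me-south-1",      # Middle East (Bahrain)
    "me-central-1",    # Middle East (UAE)
})


def partition_of(region: str) -> str:
    """Map a Region code to its AWS partition; aggregation never crosses partitions."""
    if region.startswith("us-gov-"):
        return "aws-us-gov"
    if region.startswith("cn-"):
        return "aws-cn"
    return "aws"


@dataclass(frozen=True)
class AggregationPlan:
    aggregation_region: str          # home Region that receives the findings
    linked_regions: tuple[str, ...]  # Regions whose findings are replicated to it


def validate_plan(plan: AggregationPlan,
                  disabled_by_default: frozenset[str] = DISABLED_BY_DEFAULT) -> list[str]:
    """Return a list of problems; an empty list means the plan is allowed."""
    problems: list[str] = []
    home = plan.aggregation_region
    if home in disabled_by_default:
        problems.append(f"{home} is disabled by default and can't be the aggregation Region")
    home_partition = partition_of(home)
    for region in plan.linked_regions:
        if region == home:
            problems.append(f"{home} can't be linked to itself")
        elif partition_of(region) != home_partition:
            problems.append(
                f"{region} ({partition_of(region)}) can't aggregate into "
                f"{home} ({home_partition}); aggregation stays inside one partition")
    return problems


def aggregator_request(plan: AggregationPlan) -> dict:
    """Build the kwargs for securityhub:CreateFindingAggregator in SPECIFIED_REGIONS mode.

    Raises ValueError so a bad plan never reaches the API.
    """
    problems = validate_plan(plan)
    if problems:
        raise ValueError("; ".join(problems))
    return {"RegionLinkingMode": "SPECIFIED_REGIONS", "Regions": list(plan.linked_regions)}


def opt_in_regions_from_api() -> frozenset[str]:
    """Live replacement for DISABLED_BY_DEFAULT.

    Any Region whose opt status is not ENABLED_BY_DEFAULT is an opt-in Region,
    even if this account has since enabled it, which is what matters for the
    aggregation-Region rule. Requires boto3 and account:ListRegions.
    """
    import boto3  # imported here so the rest of the module runs offline

    client = boto3.client("account")
    opt_in: set[str] = set()
    kwargs: dict = {}
    while True:
        page = client.list_regions(**kwargs)
        for r in page["Regions"]:
            if r["RegionOptStatus"] != "ENABLED_BY_DEFAULT":
                opt_in.add(r["RegionName"])
        if "NextToken" not in page:
            return frozenset(opt_in)
        kwargs = {"NextToken": page["NextToken"]}


if __name__ == "__main__":
    plan = AggregationPlan("us-east-1", ("us-west-2", "eu-west-1", "us-gov-west-1"))
    for problem in validate_plan(plan):
        print("blocked:", problem)
```

Run it with the live snapshot by passing `opt_in_regions_from_api()` as `disabled_by_default`; the partition rule needs no lookup because the Region code already carries the partition.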
Availability of integrations by Region
Some integrations are not available in all Regions. If an integration is not available in a specific Region, it is not listed on the Integrations page of the Security Hub console when you choose that Region.
Integrations that are supported in China (Beijing) and China (Ningxia)
The China (Beijing) and China (Ningxia) Regions only support the following integrations with AWS services:
- AWS Firewall Manager
- Amazon GuardDuty
- IAM Access Analyzer
- AWS IoT Device Defender
- Systems Manager Explorer
- Systems Manager OpsCenter
- Systems Manager Patch Manager
The China (Beijing) and China (Ningxia) Regions only support the following third-party integrations:
- Cloud Custodian
- FireEye Helix
- Helecloud
- IBM QRadar
- PagerDuty
- Palo Alto Networks Cortex XSOAR
- Palo Alto Networks VM-Series
- Prowler
- RSA Archer
- Splunk Enterprise
- Splunk Phantom
- ThreatModeler
Integrations that are supported in AWS GovCloud (US-East) and AWS GovCloud (US-West)
The AWS GovCloud (US-East) and AWS GovCloud (US-West) Regions only support the following integrations with AWS services:
- AWS Config
- Amazon Detective
- AWS Firewall Manager
- Amazon GuardDuty
- AWS Health
- IAM Access Analyzer
- Amazon Inspector
- AWS IoT Device Defender
The AWS GovCloud (US-East) and AWS GovCloud (US-West) Regions only support the following third-party integrations:
- Atlassian Jira Service Management
- Atlassian Jira Service Management Cloud
- Atlassian OpsGenie
- Caveonix Cloud
- Cloud Custodian
- Cloud Storage Security Antivirus for Amazon S3
- CrowdStrike Falcon
- FireEye Helix
- Forcepoint CASB
- Forcepoint DLP
- Forcepoint NGFW
- Fugue
- Kion
- MicroFocus ArcSight
- NETSCOUT Cyber Investigator
- PagerDuty
- Palo Alto Networks – Prisma Cloud Compute
- Palo Alto Networks – Prisma Cloud Enterprise
- Palo Alto Networks – VM-Series (available only in AWS GovCloud (US-West))
- Prowler
- Rackspace Technology – Cloud Native Security
- Rapid7 InsightConnect
- RSA Archer
- SecureCloudDb
- ServiceNow ITSM
- Slack
- ThreatModeler
- Vectra AI Cognito Detect
Availability of standards by Region
Service-Managed Standard: AWS Control Tower is only available in Regions that AWS Control Tower supports, including AWS GovCloud (US). For a list of Regions that AWS Control Tower supports, see How AWS Regions Work With AWS Control Tower in the AWS Control Tower User Guide.
Other security standards are available in all Regions that Security Hub is available in.
Availability of controls by Region
The following Regions don't support all of the Security Hub controls. This section lists the security controls that are unavailable in each Region.
Note
Security control IDs aren't supported in the AWS GovCloud (US) Regions or the China Regions. In these Regions, control IDs and titles may differ and may reference specific standards. To find the corresponding control IDs and titles for these Regions, see the second and third columns of the table in How consolidation impacts control IDs and titles.
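The per-Region lists that follow are long, and the practical question is usually the inverse one: across the Regions you actually operate in, which controls never run, so that a lack of findings there must not be read as compliance? The following is an added example (not code from the AWS documentation) that answers it from the shape of securityhub:ListSecurityControlDefinitions responses, whose entries carry a CurrentRegionAvailability of AVAILABLE or UNAVAILABLE for the Region the call is made in. SAMPLE_RESPONSES is constructed to mirror a handful of the Cape Town and Oregon entries on this page; `fetch_definitions()` shows the live call and is not run here. The function names are this example's own.

```python
"""Which Security Hub controls can't evaluate resources in the Regions we run in?

Added example, not code from the AWS documentation. Pure functions run
offline on constructed data; fetch_definitions() needs boto3 and credentials.
"""
from __future__ import annotations

from collections import defaultdict
from typing import Iterable

# Constructed sample: trimmed ListSecurityControlDefinitions entries per Region,
# chosen to match entries on this page (EC2.8, EC2.13 and IAM.3 are unsupported
# in Africa (Cape Town); WAF.1 is unsupported in US West (Oregon)).
SAMPLE_RESPONSES: dict[str, list[dict]] = {
    "af-south-1": [
        {"SecurityControlId": "EC2.8", "CurrentRegionAvailability": "UNAVAILABLE"},
        {"SecurityControlId": "EC2.13", "CurrentRegionAvailability": "UNAVAILABLE"},
        {"SecurityControlId": "IAM.3", "CurrentRegionAvailability": "UNAVAILABLE"},
        {"SecurityControlId": "S3.4", "CurrentRegionAvailability": "AVAILABLE"},
    ],
    "us-west-2": [
        {"SecurityControlId": "EC2.8", "CurrentRegionAvailability": "AVAILABLE"},
        {"SecurityControlId": "EC2.13", "CurrentRegionAvailability": "AVAILABLE"},
        {"SecurityControlId": "IAM.3", "CurrentRegionAvailability": "AVAILABLE"},
        {"SecurityControlId": "WAF.1", "CurrentRegionAvailability": "UNAVAILABLE"},
        {"SecurityControlId": "S3.4", "CurrentRegionAvailability": "AVAILABLE"},
    ],
}


def unavailable_controls(definitions: Iterable[dict]) -> set[str]:
    """Control IDs marked UNAVAILABLE in one Region's response."""
    return {d["SecurityControlId"] for d in definitions
            if d.get("CurrentRegionAvailability") == "UNAVAILABLE"}


def coverage_gaps(responses: dict[str, list[dict]]) -> dict[str, list[str]]:
    """control_id -> sorted Regions where that control can't run.

    No findings for one of these controls in a listed Region is not evidence
    of compliance: the check simply never ran there.
    """
    gaps: dict[str, list[str]] = defaultdict(list)
    for region, definitions in responses.items():
        for control_id in unavailable_controls(definitions):
            gaps[control_id].append(region)
    return {cid: sorted(regions) for cid, regions in sorted(gaps.items())}


def must_cover_elsewhere(responses: dict[str, list[dict]],
                         required: Iterable[str]) -> dict[str, list[str]]:
    """coverage_gaps() restricted to the controls you report on.

    Anything returned needs a compensating check in those Regions (for
    example a custom AWS Config rule or a scheduled script).
    """
    gaps = coverage_gaps(responses)
    return {cid: gaps[cid] for cid in required if cid in gaps}


def fetch_definitions(region: str) -> list[dict]:
    """Live call for one Region, paginating with NextToken. Requires boto3.

    Control IDs differ in the AWS GovCloud (US) and China Regions (see the
    Note above), so map them before comparing across partitions.
    """
    import boto3  # imported here so the offline parts run without it

    client = boto3.client("securityhub", region_name=region)
    out: list[dict] = []
    kwargs: dict = {}
    while True:
        page = client.list_security_control_definitions(**kwargs)
        out.extend(page["SecurityControlDefinitions"])
        if "NextToken" not in page:
            return out
        kwargs = {"NextToken": page["NextToken"]}


if __name__ == "__main__":
    for cid, regions in coverage_gaps(SAMPLE_RESPONSES).items():
        print(f"{cid:<10} unavailable in {', '.join(regions)}")
```

For a real run, build the input as `{region: fetch_definitions(region) for region in my_regions}` and feed it to `must_cover_elsewhere()` together with the control IDs of the standard you report against.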
US East (Ohio)
The following controls are not supported in US East (Ohio).
- [CloudFront.1] CloudFront distributions should have a default root object configured
- [CloudFront.2] CloudFront distributions should have origin access identity enabled
- [CloudFront.3] CloudFront distributions should require encryption in transit
- [CloudFront.4] CloudFront distributions should have origin failover configured
- [CloudFront.5] CloudFront distributions should have logging enabled
- [CloudFront.6] CloudFront distributions should have WAF enabled
- [CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates
- [CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests
- [CloudFront.9] CloudFront distributions should encrypt traffic to custom origins
- [CloudFront.12] CloudFront distributions should not point to non-existent S3 origins
- [CloudFront.13] CloudFront distributions should use origin access control
- [EC2.24] Amazon EC2 paravirtual instance types should not be used
- [WAF.1] AWS WAF Classic Global Web ACL logging should be enabled
- [WAF.6] A WAF global rule should have at least one condition
- [WAF.7] A WAF global rule group should have at least one rule
- [WAF.8] A WAF global web ACL should have at least one rule or rule group
US East (N. Virginia)
The following controls are not supported in US East (N. Virginia).
- [ElastiCache.1] ElastiCache for Redis clusters should have automatic backups scheduled
- [ElastiCache.3] ElastiCache for Redis replication groups should have automatic failover enabled
- [ElastiCache.4] ElastiCache for Redis replication groups should be encrypted at rest
- [ElastiCache.5] ElastiCache for Redis replication groups should be encrypted in transit
- [ElastiCache.6] ElastiCache for Redis replication groups before version 6.0 should use Redis AUTH
- [ElastiCache.7] ElastiCache clusters should not use the default subnet group
US West (N. California)
The following controls are not supported in US West (N. California).
- [CloudFront.1] CloudFront distributions should have a default root object configured
- [CloudFront.2] CloudFront distributions should have origin access identity enabled
- [CloudFront.3] CloudFront distributions should require encryption in transit
- [CloudFront.4] CloudFront distributions should have origin failover configured
- [CloudFront.5] CloudFront distributions should have logging enabled
- [CloudFront.6] CloudFront distributions should have WAF enabled
- [CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates
- [CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests
- [CloudFront.9] CloudFront distributions should encrypt traffic to custom origins
- [CloudFront.12] CloudFront distributions should not point to non-existent S3 origins
- [CloudFront.13] CloudFront distributions should use origin access control
- [EKS.1] EKS cluster endpoints should not be publicly accessible
- [WAF.1] AWS WAF Classic Global Web ACL logging should be enabled
- [WAF.6] A WAF global rule should have at least one condition
- [WAF.7] A WAF global rule group should have at least one rule
- [WAF.8] A WAF global web ACL should have at least one rule or rule group
US West (Oregon)
The following controls are not supported in US West (Oregon).
- [CloudFront.1] CloudFront distributions should have a default root object configured
- [CloudFront.2] CloudFront distributions should have origin access identity enabled
- [CloudFront.3] CloudFront distributions should require encryption in transit
- [CloudFront.4] CloudFront distributions should have origin failover configured
- [CloudFront.5] CloudFront distributions should have logging enabled
- [CloudFront.6] CloudFront distributions should have WAF enabled
- [CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates
- [CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests
- [CloudFront.9] CloudFront distributions should encrypt traffic to custom origins
- [CloudFront.12] CloudFront distributions should not point to non-existent S3 origins
- [CloudFront.13] CloudFront distributions should use origin access control
- [WAF.1] AWS WAF Classic Global Web ACL logging should be enabled
- [WAF.6] A WAF global rule should have at least one condition
- [WAF.7] A WAF global rule group should have at least one rule
- [WAF.8] A WAF global web ACL should have at least one rule or rule group
Africa (Cape Town)
The following controls are not supported in Africa (Cape Town).
- [ACM.1] Imported and ACM-issued certificates should be renewed after a specified time period
- [APIGateway.1] API Gateway REST and WebSocket API execution logging should be enabled
- [AppSync.2] AWS AppSync should have request-level and field-level logging turned on
- [CloudFormation.1] CloudFormation stacks should be integrated with Simple Notification Service (SNS)
- [CloudFront.1] CloudFront distributions should have a default root object configured
- [CloudFront.2] CloudFront distributions should have origin access identity enabled
- [CloudFront.3] CloudFront distributions should require encryption in transit
- [CloudFront.4] CloudFront distributions should have origin failover configured
- [CloudFront.5] CloudFront distributions should have logging enabled
- [CloudFront.6] CloudFront distributions should have WAF enabled
- [CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates
- [CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests
- [CloudFront.9] CloudFront distributions should encrypt traffic to custom origins
- [CloudFront.12] CloudFront distributions should not point to non-existent S3 origins
- [CloudFront.13] CloudFront distributions should use origin access control
- [CodeBuild.1] CodeBuild GitHub or Bitbucket source repository URLs should use OAuth
- [CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials
- [DMS.1] Database Migration Service replication instances should not be public
- [DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest
- [EC2.3] Attached Amazon EBS volumes should be encrypted at-rest
- [EC2.4] Stopped Amazon EC2 instances should be removed after a specified time period
- [EC2.8] Amazon EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)
- [EC2.13] Security groups should not allow ingress from 0.0.0.0/0 to port 22
- [EC2.14] Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389
- [EC2.24] Amazon EC2 paravirtual instance types should not be used
- [EFS.1] Elastic File System should be configured to encrypt file data at-rest using AWS KMS
- [EKS.1] EKS cluster endpoints should not be publicly accessible
- [ElastiCache.1] ElastiCache for Redis clusters should have automatic backups scheduled
- [ElastiCache.3] ElastiCache for Redis replication groups should have automatic failover enabled
- [ElastiCache.4] ElastiCache for Redis replication groups should be encrypted at rest
- [ElastiCache.5] ElastiCache for Redis replication groups should be encrypted in transit
- [ElastiCache.6] ElastiCache for Redis replication groups before version 6.0 should use Redis AUTH
- [ElastiCache.7] ElastiCache clusters should not use the default subnet group
- [ELB.1] Application Load Balancer should be configured to redirect all HTTP requests to HTTPS
- [ELB.4] Application Load Balancer should be configured to drop http headers
- [ELB.16] Application Load Balancers should be associated with an AWS WAF web ACL
- [EMR.1] Amazon Elastic MapReduce cluster master nodes should not have public IP addresses
- [ES.3] Elasticsearch domains should encrypt data sent between nodes
- [IAM.3] IAM users' access keys should be rotated every 90 days or less
- [IAM.18] Ensure a support role has been created to manage incidents with AWS Support
- [Opensearch.1] OpenSearch domains should have encryption at rest enabled
- [Opensearch.3] OpenSearch domains should encrypt data sent between nodes
- [Opensearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled
- [Opensearch.5] OpenSearch domains should have audit logging enabled
- [Opensearch.6] OpenSearch domains should have at least three data nodes
- [Opensearch.7] OpenSearch domains should have fine-grained access control enabled
- [Opensearch.8] Connections to OpenSearch domains should be encrypted using TLS 1.2
- [RDS.10] IAM authentication should be configured for RDS instances
- [RDS.14] Amazon Aurora clusters should have backtracking enabled
- [Redshift.3] Amazon Redshift clusters should have automatic snapshots enabled
- [SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access
- [WAF.1] AWS WAF Classic Global Web ACL logging should be enabled
- [WAF.6] A WAF global rule should have at least one condition
- [WAF.7] A WAF global rule group should have at least one rule
- [WAF.8] A WAF global web ACL should have at least one rule or rule group
Asia Pacific (Hong Kong)
The following controls are not supported in Asia Pacific (Hong Kong).
- [CloudFormation.1] CloudFormation stacks should be integrated with Simple Notification Service (SNS)
- [CloudFront.1] CloudFront distributions should have a default root object configured
- [CloudFront.2] CloudFront distributions should have origin access identity enabled
- [CloudFront.3] CloudFront distributions should require encryption in transit
- [CloudFront.4] CloudFront distributions should have origin failover configured
- [CloudFront.5] CloudFront distributions should have logging enabled
- [CloudFront.6] CloudFront distributions should have WAF enabled
- [CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates
- [CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests
- [CloudFront.9] CloudFront distributions should encrypt traffic to custom origins
- [CloudFront.12] CloudFront distributions should not point to non-existent S3 origins
- [CloudFront.13] CloudFront distributions should use origin access control
- [DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest
- [EC2.23] Amazon EC2 Transit Gateways should not automatically accept VPC attachment requests
- [EC2.24] Amazon EC2 paravirtual instance types should not be used
- [ElastiCache.1] ElastiCache for Redis clusters should have automatic backups scheduled
- [ElastiCache.3] ElastiCache for Redis replication groups should have automatic failover enabled
- [ElastiCache.4] ElastiCache for Redis replication groups should be encrypted at rest
- [ElastiCache.5] ElastiCache for Redis replication groups should be encrypted in transit
- [ElastiCache.6] ElastiCache for Redis replication groups before version 6.0 should use Redis AUTH
- [ElastiCache.7] ElastiCache clusters should not use the default subnet group
- [RDS.10] IAM authentication should be configured for RDS instances
- [RDS.14] Amazon Aurora clusters should have backtracking enabled
- [WAF.1] AWS WAF Classic Global Web ACL logging should be enabled
- [WAF.6] A WAF global rule should have at least one condition
- [WAF.7] A WAF global rule group should have at least one rule
- [WAF.8] A WAF global web ACL should have at least one rule or rule group
Asia Pacific (Hyderabad)
The following controls are not supported in Asia Pacific (Hyderabad).
- [Account.2] AWS accounts should be part of an AWS Organizations organization
- [ACM.1] Imported and ACM-issued certificates should be renewed after a specified time period
- [ACM.2] RSA certificates managed by ACM should use a key length of at least 2,048 bits
- [APIGateway.1] API Gateway REST and WebSocket API execution logging should be enabled
- [APIGateway.3] API Gateway REST API stages should have AWS X-Ray tracing enabled
- [APIGateway.4] API Gateway should be associated with a WAF Web ACL
- [APIGateway.8] API Gateway routes should specify an authorization type
- [APIGateway.9] Access logging should be configured for API Gateway V2 Stages
- [AppSync.2] AWS AppSync should have request-level and field-level logging turned on
- [CloudFormation.1] CloudFormation stacks should be integrated with Simple Notification Service (SNS)
- [CloudFront.1] CloudFront distributions should have a default root object configured
- [CloudFront.2] CloudFront distributions should have origin access identity enabled
- [CloudFront.3] CloudFront distributions should require encryption in transit
- [CloudFront.4] CloudFront distributions should have origin failover configured
- [CloudFront.5] CloudFront distributions should have logging enabled
- [CloudFront.6] CloudFront distributions should have WAF enabled
- [CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates
- [CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests
- [CloudFront.9] CloudFront distributions should encrypt traffic to custom origins
- [CloudFront.12] CloudFront distributions should not point to non-existent S3 origins
- [CloudFront.13] CloudFront distributions should use origin access control
- [CloudTrail.6] Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible
- [CloudTrail.7] Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
- [CloudWatch.16] CloudWatch log groups should be retained for at least 1 year
- [CodeBuild.1] CodeBuild GitHub or Bitbucket source repository URLs should use OAuth
- [CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials
- [CodeBuild.4] CodeBuild project environments should have a logging AWS Configuration
- [CodeBuild.5] CodeBuild project environments should not have privileged mode enabled
- [DMS.1] Database Migration Service replication instances should not be public
- [DynamoDB.1] DynamoDB tables should automatically scale capacity with demand
- [DynamoDB.2] DynamoDB tables should have point-in-time recovery enabled
- [DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest
- [DynamoDB.4] DynamoDB tables should be present in a backup plan
- [EC2.1] Amazon EBS snapshots should not be publicly restorable
- [EC2.2] The VPC default security group should not allow inbound and outbound traffic
- [EC2.3] Attached Amazon EBS volumes should be encrypted at-rest
- [EC2.4] Stopped Amazon EC2 instances should be removed after a specified time period
- [EC2.8] Amazon EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)
- [EC2.9] Amazon EC2 instances should not have a public IPv4 address
- [EC2.13] Security groups should not allow ingress from 0.0.0.0/0 to port 22
- [EC2.14] Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389
- [EC2.15] Amazon EC2 subnets should not automatically assign public IP addresses
- [EC2.16] Unused Network Access Control Lists should be removed
- [EC2.18] Security groups should only allow unrestricted incoming traffic for authorized ports
- [EC2.20] Both VPN tunnels for an AWS Site-to-Site VPN connection should be up
- [EC2.22] Unused Amazon EC2 security groups should be removed
- [EC2.23] Amazon EC2 Transit Gateways should not automatically accept VPC attachment requests
- [EC2.24] Amazon EC2 paravirtual instance types should not be used
- [EC2.25] Amazon EC2 launch templates should not assign public IPs to network interfaces
- [ECR.1] ECR private repositories should have image scanning configured
- [ECR.2] ECR private repositories should have tag immutability configured
- [ECR.3] ECR repositories should have at least one lifecycle policy configured
- [ECS.1] Amazon ECS task definitions should have secure networking modes and user definitions
- [EFS.1] Elastic File System should be configured to encrypt file data at-rest using AWS KMS
- [EKS.1] EKS cluster endpoints should not be publicly accessible
- [EKS.2] EKS clusters should run on a supported Kubernetes version
- [ElastiCache.1] ElastiCache for Redis clusters should have automatic backups scheduled
- [ElastiCache.6] ElastiCache for Redis replication groups before version 6.0 should use Redis AUTH
- [ElastiCache.7] ElastiCache clusters should not use the default subnet group
- [ELB.1] Application Load Balancer should be configured to redirect all HTTP requests to HTTPS
- [ELB.3] Classic Load Balancer listeners should be configured with HTTPS or TLS termination
- [ELB.4] Application Load Balancer should be configured to drop http headers
- [ELB.5] Application and Classic Load Balancers logging should be enabled
- [ELB.6] Application Load Balancer deletion protection should be enabled
- [ELB.9] Classic Load Balancers should have cross-zone load balancing enabled
- [ELB.13] Application, Network and Gateway Load Balancers should span multiple Availability Zones
- [ELB.16] Application Load Balancers should be associated with an AWS WAF web ACL
- [EMR.1] Amazon Elastic MapReduce cluster master nodes should not have public IP addresses
- [ES.1] Elasticsearch domains should have encryption at-rest enabled
- [ES.3] Elasticsearch domains should encrypt data sent between nodes
- [ES.4] Elasticsearch domain error logging to CloudWatch Logs should be enabled
- [ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled
- [ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled
- [ElasticBeanstalk.3] Elastic Beanstalk should stream logs to CloudWatch
- [IAM.1] IAM policies should not allow full "*" administrative privileges
- [IAM.3] IAM users' access keys should be rotated every 90 days or less
- [IAM.5] MFA should be enabled for all IAM users that have a console password
- [IAM.18] Ensure a support role has been created to manage incidents with AWS Support
- [IAM.22] IAM user credentials unused for 45 days should be removed
- [KMS.1] IAM customer managed policies should not allow decryption actions on all KMS keys
- [Lambda.1] Lambda function policies should prohibit public access
- [Lambda.5] VPC Lambda functions should operate in more than one Availability Zone
- [NetworkFirewall.3] Network Firewall policies should have at least one rule group associated
- [NetworkFirewall.6] Stateless Network Firewall rule group should not be empty
- [Opensearch.1] OpenSearch domains should have encryption at rest enabled
- [Opensearch.3] OpenSearch domains should encrypt data sent between nodes
- [Opensearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled
- [Opensearch.5] OpenSearch domains should have audit logging enabled
- [Opensearch.6] OpenSearch domains should have at least three data nodes
- [Opensearch.7] OpenSearch domains should have fine-grained access control enabled
- [Opensearch.8] Connections to OpenSearch domains should be encrypted using TLS 1.2
- [RDS.3] RDS DB instances should have encryption at-rest enabled
- [RDS.4] RDS cluster snapshots and database snapshots should be encrypted at rest
- [RDS.5] RDS DB instances should be configured with multiple Availability Zones
- [RDS.6] Enhanced monitoring should be configured for RDS DB instances
- [RDS.7] RDS clusters should have deletion protection enabled
- [RDS.8] RDS DB instances should have deletion protection enabled
- [RDS.10] IAM authentication should be configured for RDS instances
- [RDS.11] RDS instances should have automatic backups enabled
- [RDS.12] IAM authentication should be configured for RDS clusters
- [RDS.13] RDS automatic minor version upgrades should be enabled
- [RDS.14] Amazon Aurora clusters should have backtracking enabled
- [RDS.15] RDS DB clusters should be configured for multiple Availability Zones
- [RDS.16] RDS DB clusters should be configured to copy tags to snapshots
- [RDS.24] RDS Database clusters should use a custom administrator username
- [RDS.26] RDS DB instances should be covered by a backup plan
- [Redshift.1] Amazon Redshift clusters should prohibit public access
- [Redshift.2] Connections to Amazon Redshift clusters should be encrypted in transit
- [Redshift.3] Amazon Redshift clusters should have automatic snapshots enabled
- [Redshift.6] Amazon Redshift should have automatic upgrades to major versions enabled
- [Redshift.7] Redshift clusters should use enhanced VPC routing
- [S3.4] S3 buckets should have server-side encryption enabled
- [S3.5] S3 buckets should require requests to use Secure Socket Layer
- [S3.6] S3 permissions granted to other AWS accounts in bucket policies should be restricted
- [S3.7] S3 buckets should have cross-Region replication enabled
- [S3.8] S3 Block Public Access setting should be enabled at the bucket-level
- [S3.17] S3 buckets should be encrypted at rest with AWS KMS keys
- [SNS.1] SNS topics should be encrypted at-rest using AWS KMS
- [SNS.2] Logging of delivery status should be enabled for notification messages sent to a topic
- [SSM.1] Amazon EC2 instances should be managed by AWS Systems Manager
- [SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access
- [SageMaker.2] SageMaker notebook instances should be launched in a custom VPC
- [SageMaker.3] Users should not have root access to SageMaker notebook instances
- [StepFunctions.1] Step Functions state machines should have logging turned on
- [WAF.1] AWS WAF Classic Global Web ACL logging should be enabled
- [WAF.2] A WAF Regional rule should have at least one condition
- [WAF.3] A WAF Regional rule group should have at least one rule
- [WAF.4] A WAF Regional web ACL should have at least one rule or rule group
- [WAF.6] A WAF global rule should have at least one condition
- [WAF.7] A WAF global rule group should have at least one rule
- [WAF.8] A WAF global web ACL should have at least one rule or rule group
- [WAF.10] A WAFv2 web ACL should have at least one rule or rule group
Asia Pacific (Jakarta)
The following controls are not supported in Asia Pacific (Jakarta).
- [Account.2] AWS accounts should be part of an AWS Organizations organization
- [APIGateway.1] API Gateway REST and WebSocket API execution logging should be enabled
- [APIGateway.3] API Gateway REST API stages should have AWS X-Ray tracing enabled
- [APIGateway.4] API Gateway should be associated with a WAF Web ACL
- [APIGateway.8] API Gateway routes should specify an authorization type
- [APIGateway.9] Access logging should be configured for API Gateway V2 Stages
- [AppSync.2] AWS AppSync should have request-level and field-level logging turned on
- [AutoScaling.9] Amazon EC2 Auto Scaling groups should use Amazon EC2 launch templates
- [CloudFormation.1] CloudFormation stacks should be integrated with Simple Notification Service (SNS)
- [CloudFront.1] CloudFront distributions should have a default root object configured
- [CloudFront.2] CloudFront distributions should have origin access identity enabled
- [CloudFront.3] CloudFront distributions should require encryption in transit
- [CloudFront.4] CloudFront distributions should have origin failover configured
- [CloudFront.5] CloudFront distributions should have logging enabled
- [CloudFront.6] CloudFront distributions should have WAF enabled
- [CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates
- [CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests
- [CloudFront.9] CloudFront distributions should encrypt traffic to custom origins
- [CloudFront.12] CloudFront distributions should not point to non-existent S3 origins
- [CloudFront.13] CloudFront distributions should use origin access control
- [CloudWatch.15] CloudWatch alarms should have an action configured for the ALARM state
- [CloudWatch.16] CloudWatch log groups should be retained for at least 1 year
- [CloudWatch.17] CloudWatch alarm actions should be activated
- [CodeBuild.1] CodeBuild GitHub or Bitbucket source repository URLs should use OAuth
- [CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials
- [CodeBuild.4] CodeBuild project environments should have a logging AWS Configuration
- [CodeBuild.5] CodeBuild project environments should not have privileged mode enabled
- [DMS.1] Database Migration Service replication instances should not be public
- [DynamoDB.2] DynamoDB tables should have point-in-time recovery enabled
- [DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest
- [DynamoDB.4] DynamoDB tables should be present in a backup plan
- [EC2.1] Amazon EBS snapshots should not be publicly restorable
- [EC2.2] The VPC default security group should not allow inbound and outbound traffic
- [EC2.3] Attached Amazon EBS volumes should be encrypted at-rest
- [EC2.4] Stopped Amazon EC2 instances should be removed after a specified time period
- [EC2.8] Amazon EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)
- [EC2.9] Amazon EC2 instances should not have a public IPv4 address
- [EC2.13] Security groups should not allow ingress from 0.0.0.0/0 to port 22
- [EC2.14] Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389
- [EC2.15] Amazon EC2 subnets should not automatically assign public IP addresses
- [EC2.16] Unused Network Access Control Lists should be removed
- [EC2.18] Security groups should only allow unrestricted incoming traffic for authorized ports
- [EC2.20] Both VPN tunnels for an AWS Site-to-Site VPN connection should be up
- [EC2.22] Unused Amazon EC2 security groups should be removed
- [EC2.23] Amazon EC2 Transit Gateways should not automatically accept VPC attachment requests
- [EC2.24] Amazon EC2 paravirtual instance types should not be used
- [ECR.1] ECR private repositories should have image scanning configured
- [ECR.2] ECR private repositories should have tag immutability configured
- [ECR.3] ECR repositories should have at least one lifecycle policy configured
- [ECS.2] ECS services should not have public IP addresses assigned to them automatically
- [ECS.3] ECS task definitions should not share the host's process namespace
- [ECS.5] ECS containers should be limited to read-only access to root filesystems
- [ECS.8] Secrets should not be passed as container environment variables
- [ECS.10] ECS Fargate services should run on the latest Fargate platform version
- [EFS.1] Elastic File System should be configured to encrypt file data at-rest using AWS KMS
- [EKS.1] EKS cluster endpoints should not be publicly accessible
- [EKS.2] EKS clusters should run on a supported Kubernetes version
- [ElastiCache.1] ElastiCache for Redis clusters should have automatic backups scheduled
- [ElastiCache.3] ElastiCache for Redis replication groups should have automatic failover enabled
- [ElastiCache.4] ElastiCache for Redis replication groups should be encrypted at rest
- [ElastiCache.5] ElastiCache for Redis replication groups should be encrypted in transit
- [ElastiCache.6] ElastiCache for Redis replication groups before version 6.0 should use Redis AUTH
- [ElastiCache.7] ElastiCache clusters should not use the default subnet group
- [ELB.1] Application Load Balancer should be configured to redirect all HTTP requests to HTTPS
- [ELB.3] Classic Load Balancer listeners should be configured with HTTPS or TLS termination
- [ELB.4] Application Load Balancer should be configured to drop http headers
- [ELB.6] Application Load Balancer deletion protection should be enabled
- [ELB.9] Classic Load Balancers should have cross-zone load balancing enabled
- [ELB.13] Application, Network and Gateway Load Balancers should span multiple Availability Zones
- [ELB.16] Application Load Balancers should be associated with an AWS WAF web ACL
- [EMR.1] Amazon Elastic MapReduce cluster master nodes should not have public IP addresses
- [ES.1] Elasticsearch domains should have encryption at-rest enabled
- [ES.3] Elasticsearch domains should encrypt data sent between nodes
- [ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled
- [ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled
- [IAM.18] Ensure a support role has been created to manage incidents with AWS Support
- [KMS.1] IAM customer managed policies should not allow decryption actions on all KMS keys
- [Lambda.5] VPC Lambda functions should operate in more than one Availability Zone
- [NetworkFirewall.3] Network Firewall policies should have at least one rule group associated
- [NetworkFirewall.6] Stateless Network Firewall rule group should not be empty
- [Opensearch.1] OpenSearch domains should have encryption at rest enabled
- [Opensearch.3] OpenSearch domains should encrypt data sent between nodes
- [Opensearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled
- [Opensearch.5] OpenSearch domains should have audit logging enabled
- [Opensearch.6] OpenSearch domains should have at least three data nodes
- [Opensearch.7] OpenSearch domains should have fine-grained access control enabled
- [Opensearch.8] Connections to OpenSearch domains should be encrypted using TLS 1.2
- [RDS.4] RDS cluster snapshots and database snapshots should be encrypted at rest
- [RDS.6] Enhanced monitoring should be configured for RDS DB instances
- [RDS.7] RDS clusters should have deletion protection enabled
- [RDS.8] RDS DB instances should have deletion protection enabled
-
[RDS.10] IAM authentication should be configured for RDS instances
-
[RDS.12] IAM authentication should be configured for RDS clusters
-
[RDS.13] RDS automatic minor version upgrades should be enabled
-
[RDS.14] Amazon Aurora clusters should have backtracking enabled
-
[RDS.15] RDS DB clusters should be configured for multiple Availability Zones
-
[RDS.16] RDS DB clusters should be configured to copy tags to snapshots
-
[RDS.24] RDS Database clusters should use a custom administrator username
-
[RDS.26] RDS DB instances should be covered by a backup plan
-
[Redshift.1] Amazon Redshift clusters should prohibit public access
-
[Redshift.2] Connections to Amazon Redshift clusters should be encrypted in transit
-
[Redshift.3] Amazon Redshift clusters should have automatic snapshots enabled
-
[Redshift.7] Redshift clusters should use enhanced VPC routing
-
[Redshift.9] Redshift clusters should not use the default database name
-
[S3.8] S3 Block Public Access setting should be enabled at the bucket-level
-
[S3.13] S3 buckets should have lifecycle policies configured
-
[SNS.1] SNS topics should be encrypted at-rest using AWS KMS
-
[SNS.2] Logging of delivery status should be enabled for notification messages sent to a topic
-
[SSM.1] Amazon EC2 instances should be managed by AWS Systems Manager
-
[SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access
-
[SageMaker.2] SageMaker notebook instances should be launched in a custom VPC
-
[SageMaker.3] Users should not have root access to SageMaker notebook instances
-
[SecretsManager.1] Secrets Manager secrets should have automatic rotation enabled
-
[WAF.1] AWS WAF Classic Global Web ACL logging should be enabled
-
[WAF.2] A WAF Regional rule should have at least one condition
-
[WAF.3] A WAF Regional rule group should have at least one rule
-
[WAF.4] A WAF Regional web ACL should have at least one rule or rule group
-
[WAF.6] A WAF global rule should have at least one condition
-
[WAF.7] A WAF global rule group should have at least one rule
-
[WAF.8] A WAF global web ACL should have at least one rule or rule group
-
[WAF.10] A WAFv2 web ACL should have at least one rule or rule group
Asia Pacific (Mumbai)
The following controls are not supported in Asia Pacific (Mumbai).
- [CloudFront.1] CloudFront distributions should have a default root object configured
- [CloudFront.2] CloudFront distributions should have origin access identity enabled
- [CloudFront.3] CloudFront distributions should require encryption in transit
- [CloudFront.4] CloudFront distributions should have origin failover configured
- [CloudFront.5] CloudFront distributions should have logging enabled
- [CloudFront.6] CloudFront distributions should have WAF enabled
- [CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates
- [CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests
- [CloudFront.9] CloudFront distributions should encrypt traffic to custom origins
- [CloudFront.12] CloudFront distributions should not point to non-existent S3 origins
- [CloudFront.13] CloudFront distributions should use origin access control
- [EC2.23] Amazon EC2 Transit Gateways should not automatically accept VPC attachment requests
- [EC2.24] Amazon EC2 paravirtual instance types should not be used
- [ElastiCache.1] ElastiCache for Redis clusters should have automatic backups scheduled
- [ElastiCache.3] ElastiCache for Redis replication groups should have automatic failover enabled
- [ElastiCache.4] ElastiCache for Redis replication groups should be encrypted at rest
- [ElastiCache.5] ElastiCache for Redis replication groups should be encrypted in transit
- [ElastiCache.6] ElastiCache for Redis replication groups before version 6.0 should use Redis AUTH
- [ElastiCache.7] ElastiCache clusters should not use the default subnet group
- [WAF.1] AWS WAF Classic Global Web ACL logging should be enabled
- [WAF.6] A WAF global rule should have at least one condition
- [WAF.7] A WAF global rule group should have at least one rule
- [WAF.8] A WAF global web ACL should have at least one rule or rule group
Asia Pacific (Melbourne)
The following controls are not supported in Asia Pacific (Melbourne).
- [Account.2] AWS accounts should be part of an AWS Organizations organization
- [ACM.1] Imported and ACM-issued certificates should be renewed after a specified time period
- [ACM.2] RSA certificates managed by ACM should use a key length of at least 2,048 bits
- [APIGateway.1] API Gateway REST and WebSocket API execution logging should be enabled
- [APIGateway.3] API Gateway REST API stages should have AWS X-Ray tracing enabled
- [APIGateway.4] API Gateway should be associated with a WAF Web ACL
- [APIGateway.8] API Gateway routes should specify an authorization type
- [APIGateway.9] Access logging should be configured for API Gateway V2 Stages
- [AppSync.2] AWS AppSync should have request-level and field-level logging turned on
- [CloudFormation.1] CloudFormation stacks should be integrated with Simple Notification Service (SNS)
- [CloudFront.1] CloudFront distributions should have a default root object configured
- [CloudFront.2] CloudFront distributions should have origin access identity enabled
- [CloudFront.3] CloudFront distributions should require encryption in transit
- [CloudFront.4] CloudFront distributions should have origin failover configured
- [CloudFront.5] CloudFront distributions should have logging enabled
- [CloudFront.6] CloudFront distributions should have WAF enabled
- [CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates
- [CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests
- [CloudFront.9] CloudFront distributions should encrypt traffic to custom origins
- [CloudFront.12] CloudFront distributions should not point to non-existent S3 origins
- [CloudFront.13] CloudFront distributions should use origin access control
- [CodeBuild.1] CodeBuild GitHub or Bitbucket source repository URLs should use OAuth
- [CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials
- [CodeBuild.4] CodeBuild project environments should have a logging AWS Configuration
- [CodeBuild.5] CodeBuild project environments should not have privileged mode enabled
- [DMS.1] Database Migration Service replication instances should not be public
- [DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest
- [DynamoDB.4] DynamoDB tables should be present in a backup plan
- [EC2.1] Amazon EBS snapshots should not be publicly restorable
- [EC2.4] Stopped Amazon EC2 instances should be removed after a specified time period
- [EC2.8] Amazon EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)
- [EC2.9] Amazon EC2 instances should not have a public IPv4 address
- [EC2.13] Security groups should not allow ingress from 0.0.0.0/0 to port 22
- [EC2.14] Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389
- [EC2.18] Security groups should only allow unrestricted incoming traffic for authorized ports
- [EC2.19] Security groups should not allow unrestricted access to ports with high risk
- [EC2.22] Unused Amazon EC2 security groups should be removed
- [EC2.23] Amazon EC2 Transit Gateways should not automatically accept VPC attachment requests
- [EC2.24] Amazon EC2 paravirtual instance types should not be used
- [EC2.25] Amazon EC2 launch templates should not assign public IPs to network interfaces
- [ECR.1] ECR private repositories should have image scanning configured
- [ECS.1] Amazon ECS task definitions should have secure networking modes and user definitions
- [EFS.1] Elastic File System should be configured to encrypt file data at-rest using AWS KMS
- [EKS.2] EKS clusters should run on a supported Kubernetes version
- [EKS.1] EKS cluster endpoints should not be publicly accessible
- [ElastiCache.1] ElastiCache for Redis clusters should have automatic backups scheduled
- [ElastiCache.3] ElastiCache for Redis replication groups should have automatic failover enabled
- [ElastiCache.4] ElastiCache for Redis replication groups should be encrypted at rest
- [ElastiCache.5] ElastiCache for Redis replication groups should be encrypted in transit
- [ElastiCache.6] ElastiCache for Redis replication groups before version 6.0 should use Redis AUTH
- [ElastiCache.7] ElastiCache clusters should not use the default subnet group
- [ELB.5] Application and Classic Load Balancers logging should be enabled
- [ELB.13] Application, Network and Gateway Load Balancers should span multiple Availability Zones
- [EMR.1] Amazon Elastic MapReduce cluster master nodes should not have public IP addresses
- [ES.1] Elasticsearch domains should have encryption at-rest enabled
- [ES.3] Elasticsearch domains should encrypt data sent between nodes
- [ES.4] Elasticsearch domain error logging to CloudWatch Logs should be enabled
- [ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled
- [ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled
- [ElasticBeanstalk.3] Elastic Beanstalk should stream logs to CloudWatch
- [IAM.1] IAM policies should not allow full "*" administrative privileges
- [IAM.3] IAM users' access keys should be rotated every 90 days or less
- [IAM.5] MFA should be enabled for all IAM users that have a console password
- [IAM.7] Password policies for IAM users should have strong AWS Configurations
- [IAM.10] Password policies for IAM users should have strong AWS Configurations
- [IAM.11] Ensure IAM password policy requires at least one uppercase letter
- [IAM.12] Ensure IAM password policy requires at least one lowercase letter
- [IAM.13] Ensure IAM password policy requires at least one symbol
- [IAM.14] Ensure IAM password policy requires at least one number
- [IAM.15] Ensure IAM password policy requires minimum password length of 14 or greater
- [IAM.17] Ensure IAM password policy expires passwords within 90 days or less
- [IAM.18] Ensure a support role has been created to manage incidents with AWS Support
- [IAM.22] IAM user credentials unused for 45 days should be removed
- [KMS.1] IAM customer managed policies should not allow decryption actions on all KMS keys
- [Lambda.5] VPC Lambda functions should operate in more than one Availability Zone
- [NetworkFirewall.3] Network Firewall policies should have at least one rule group associated
- [NetworkFirewall.6] Stateless Network Firewall rule group should not be empty
- [Opensearch.1] OpenSearch domains should have encryption at rest enabled
- [Opensearch.3] OpenSearch domains should encrypt data sent between nodes
- [Opensearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled
- [Opensearch.5] OpenSearch domains should have audit logging enabled
- [Opensearch.6] OpenSearch domains should have at least three data nodes
- [Opensearch.7] OpenSearch domains should have fine-grained access control enabled
- [Opensearch.8] Connections to OpenSearch domains should be encrypted using TLS 1.2
- [RDS.3] RDS DB instances should have encryption at-rest enabled
- [RDS.7] RDS clusters should have deletion protection enabled
- [RDS.12] IAM authentication should be configured for RDS clusters
- [RDS.14] Amazon Aurora clusters should have backtracking enabled
- [RDS.15] RDS DB clusters should be configured for multiple Availability Zones
- [RDS.16] RDS DB clusters should be configured to copy tags to snapshots
- [RDS.24] RDS Database clusters should use a custom administrator username
- [RDS.26] RDS DB instances should be covered by a backup plan
- [Redshift.1] Amazon Redshift clusters should prohibit public access
- [Redshift.2] Connections to Amazon Redshift clusters should be encrypted in transit
- [Redshift.3] Amazon Redshift clusters should have automatic snapshots enabled
- [Redshift.6] Amazon Redshift should have automatic upgrades to major versions enabled
- [Redshift.7] Redshift clusters should use enhanced VPC routing
- [S3.6] S3 permissions granted to other AWS accounts in bucket policies should be restricted
- [S3.17] S3 buckets should be encrypted at rest with AWS KMS keys
- [SNS.1] SNS topics should be encrypted at-rest using AWS KMS
- [SNS.2] Logging of delivery status should be enabled for notification messages sent to a topic
- [SSM.1] Amazon EC2 instances should be managed by AWS Systems Manager
- [SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access
- [SageMaker.2] SageMaker notebook instances should be launched in a custom VPC
- [SageMaker.3] Users should not have root access to SageMaker notebook instances
- [StepFunctions.1] Step Functions state machines should have logging turned on
- [WAF.1] AWS WAF Classic Global Web ACL logging should be enabled
- [WAF.6] A WAF global rule should have at least one condition
- [WAF.7] A WAF global rule group should have at least one rule
- [WAF.8] A WAF global web ACL should have at least one rule or rule group
Asia Pacific (Osaka)
The following controls are not supported in Asia Pacific (Osaka).
- [ACM.1] Imported and ACM-issued certificates should be renewed after a specified time period
- [Account.2] AWS accounts should be part of an AWS Organizations organization
- [APIGateway.1] API Gateway REST and WebSocket API execution logging should be enabled
- [APIGateway.3] API Gateway REST API stages should have AWS X-Ray tracing enabled
- [APIGateway.4] API Gateway should be associated with a WAF Web ACL
- [CloudFormation.1] CloudFormation stacks should be integrated with Simple Notification Service (SNS)
- [CloudFront.1] CloudFront distributions should have a default root object configured
- [CloudFront.2] CloudFront distributions should have origin access identity enabled
- [CloudFront.3] CloudFront distributions should require encryption in transit
- [CloudFront.4] CloudFront distributions should have origin failover configured
- [CloudFront.5] CloudFront distributions should have logging enabled
- [CloudFront.6] CloudFront distributions should have WAF enabled
- [CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates
- [CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests
- [CloudFront.9] CloudFront distributions should encrypt traffic to custom origins
- [CloudFront.12] CloudFront distributions should not point to non-existent S3 origins
- [CloudFront.13] CloudFront distributions should use origin access control
- [CloudWatch.15] CloudWatch alarms should have an action configured for the ALARM state
- [CloudWatch.16] CloudWatch log groups should be retained for at least 1 year
- [CodeBuild.1] CodeBuild GitHub or Bitbucket source repository URLs should use OAuth
- [CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials
- [CodeBuild.4] CodeBuild project environments should have a logging AWS Configuration
- [CodeBuild.5] CodeBuild project environments should not have privileged mode enabled
- [DMS.1] Database Migration Service replication instances should not be public
- [DynamoDB.2] DynamoDB tables should have point-in-time recovery enabled
- [DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest
- [DynamoDB.4] DynamoDB tables should be present in a backup plan
- [EC2.1] Amazon EBS snapshots should not be publicly restorable
- [EC2.3] Attached Amazon EBS volumes should be encrypted at-rest
- [EC2.4] Stopped Amazon EC2 instances should be removed after a specified time period
- [EC2.8] Amazon EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)
- [EC2.9] Amazon EC2 instances should not have a public IPv4 address
- [EC2.13] Security groups should not allow ingress from 0.0.0.0/0 to port 22
- [EC2.14] Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389
- [EC2.15] Amazon EC2 subnets should not automatically assign public IP addresses
- [EC2.16] Unused Network Access Control Lists should be removed
- [EC2.18] Security groups should only allow unrestricted incoming traffic for authorized ports
- [EC2.20] Both VPN tunnels for an AWS Site-to-Site VPN connection should be up
- [EC2.22] Unused Amazon EC2 security groups should be removed
- [EC2.23] Amazon EC2 Transit Gateways should not automatically accept VPC attachment requests
- [EC2.24] Amazon EC2 paravirtual instance types should not be used
- [ECR.1] ECR private repositories should have image scanning configured
- [ECR.2] ECR private repositories should have tag immutability configured
- [ECS.1] Amazon ECS task definitions should have secure networking modes and user definitions
- [ECS.2] ECS services should not have public IP addresses assigned to them automatically
- [ECS.3] ECS task definitions should not share the host's process namespace
- [ECS.8] Secrets should not be passed as container environment variables
- [ECS.10] ECS Fargate services should run on the latest Fargate platform version
- [EFS.1] Elastic File System should be configured to encrypt file data at-rest using AWS KMS
- [EKS.2] EKS clusters should run on a supported Kubernetes version
- [EKS.1] EKS cluster endpoints should not be publicly accessible
- [ElastiCache.1] ElastiCache for Redis clusters should have automatic backups scheduled
- [ElastiCache.3] ElastiCache for Redis replication groups should have automatic failover enabled
- [ElastiCache.4] ElastiCache for Redis replication groups should be encrypted at rest
- [ElastiCache.5] ElastiCache for Redis replication groups should be encrypted in transit
- [ElastiCache.6] ElastiCache for Redis replication groups before version 6.0 should use Redis AUTH
- [ElastiCache.7] ElastiCache clusters should not use the default subnet group
- [ELB.1] Application Load Balancer should be configured to redirect all HTTP requests to HTTPS
- [ELB.3] Classic Load Balancer listeners should be configured with HTTPS or TLS termination
- [ELB.4] Application Load Balancer should be configured to drop http headers
- [ELB.6] Application Load Balancer deletion protection should be enabled
- [ELB.9] Classic Load Balancers should have cross-zone load balancing enabled
- [ELB.16] Application Load Balancers should be associated with an AWS WAF web ACL
- [EMR.1] Amazon Elastic MapReduce cluster master nodes should not have public IP addresses
- [ES.1] Elasticsearch domains should have encryption at-rest enabled
- [ES.3] Elasticsearch domains should encrypt data sent between nodes
- [ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled
- [ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled
- [ElasticBeanstalk.3] Elastic Beanstalk should stream logs to CloudWatch
- [IAM.18] Ensure a support role has been created to manage incidents with AWS Support
- [KMS.1] IAM customer managed policies should not allow decryption actions on all KMS keys
- [Lambda.1] Lambda function policies should prohibit public access
- [Lambda.5] VPC Lambda functions should operate in more than one Availability Zone
- [Opensearch.1] OpenSearch domains should have encryption at rest enabled
- [Opensearch.3] OpenSearch domains should encrypt data sent between nodes
- [Opensearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled
- [Opensearch.5] OpenSearch domains should have audit logging enabled
- [Opensearch.6] OpenSearch domains should have at least three data nodes
- [Opensearch.7] OpenSearch domains should have fine-grained access control enabled
- [Opensearch.8] Connections to OpenSearch domains should be encrypted using TLS 1.2
- [RDS.4] RDS cluster snapshots and database snapshots should be encrypted at rest
- [RDS.6] Enhanced monitoring should be configured for RDS DB instances
- [RDS.7] RDS clusters should have deletion protection enabled
- [RDS.8] RDS DB instances should have deletion protection enabled
- [RDS.10] IAM authentication should be configured for RDS instances
- [RDS.12] IAM authentication should be configured for RDS clusters
- [RDS.13] RDS automatic minor version upgrades should be enabled
- [RDS.14] Amazon Aurora clusters should have backtracking enabled
- [RDS.15] RDS DB clusters should be configured for multiple Availability Zones
- [RDS.26] RDS DB instances should be covered by a backup plan
- [Redshift.1] Amazon Redshift clusters should prohibit public access
- [Redshift.2] Connections to Amazon Redshift clusters should be encrypted in transit
- [Redshift.3] Amazon Redshift clusters should have automatic snapshots enabled
- [Redshift.7] Redshift clusters should use enhanced VPC routing
- [S3.8] S3 Block Public Access setting should be enabled at the bucket-level
- [S3.17] S3 buckets should be encrypted at rest with AWS KMS keys
- [SNS.1] SNS topics should be encrypted at-rest using AWS KMS
- [SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access
- [SecretsManager.1] Secrets Manager secrets should have automatic rotation enabled
- [SecretsManager.4] Secrets Manager secrets should be rotated within a specified number of days
- [WAF.1] AWS WAF Classic Global Web ACL logging should be enabled
- [WAF.3] A WAF Regional rule group should have at least one rule
- [WAF.6] A WAF global rule should have at least one condition
- [WAF.7] A WAF global rule group should have at least one rule
- [WAF.8] A WAF global web ACL should have at least one rule or rule group
- [WAF.10] A WAFv2 web ACL should have at least one rule or rule group
Asia Pacific (Seoul)
The following controls are not supported in Asia Pacific (Seoul).
- [CloudFront.1] CloudFront distributions should have a default root object configured
- [CloudFront.2] CloudFront distributions should have origin access identity enabled
- [CloudFront.3] CloudFront distributions should require encryption in transit
- [CloudFront.4] CloudFront distributions should have origin failover configured
- [CloudFront.5] CloudFront distributions should have logging enabled
- [CloudFront.6] CloudFront distributions should have WAF enabled
- [CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates
- [CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests
- [CloudFront.9] CloudFront distributions should encrypt traffic to custom origins
- [CloudFront.12] CloudFront distributions should not point to non-existent S3 origins
- [CloudFront.13] CloudFront distributions should use origin access control
- [DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest
- [EC2.24] Amazon EC2 paravirtual instance types should not be used
- [ElastiCache.1] ElastiCache for Redis clusters should have automatic backups scheduled
- [ElastiCache.3] ElastiCache for Redis replication groups should have automatic failover enabled
- [ElastiCache.4] ElastiCache for Redis replication groups should be encrypted at rest
- [ElastiCache.5] ElastiCache for Redis replication groups should be encrypted in transit
- [ElastiCache.6] ElastiCache for Redis replication groups before version 6.0 should use Redis AUTH
- [ElastiCache.7] ElastiCache clusters should not use the default subnet group
- [WAF.1] AWS WAF Classic Global Web ACL logging should be enabled
- [WAF.6] A WAF global rule should have at least one condition
- [WAF.7] A WAF global rule group should have at least one rule
- [WAF.8] A WAF global web ACL should have at least one rule or rule group
Asia Pacific (Singapore)
The following controls are not supported in Asia Pacific (Singapore).
- [CloudFront.1] CloudFront distributions should have a default root object configured
- [CloudFront.2] CloudFront distributions should have origin access identity enabled
- [CloudFront.3] CloudFront distributions should require encryption in transit
- [CloudFront.4] CloudFront distributions should have origin failover configured
- [CloudFront.5] CloudFront distributions should have logging enabled
- [CloudFront.6] CloudFront distributions should have WAF enabled
- [CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates
- [CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests
- [CloudFront.9] CloudFront distributions should encrypt traffic to custom origins
- [CloudFront.12] CloudFront distributions should not point to non-existent S3 origins
- [CloudFront.13] CloudFront distributions should use origin access control
- [WAF.1] AWS WAF Classic Global Web ACL logging should be enabled
- [WAF.6] A WAF global rule should have at least one condition
- [WAF.7] A WAF global rule group should have at least one rule
- [WAF.8] A WAF global web ACL should have at least one rule or rule group
Asia Pacific (Sydney)
The following controls are not supported in Asia Pacific (Sydney).
- [CloudFront.1] CloudFront distributions should have a default root object configured
- [CloudFront.2] CloudFront distributions should have origin access identity enabled
- [CloudFront.3] CloudFront distributions should require encryption in transit
- [CloudFront.4] CloudFront distributions should have origin failover configured
- [CloudFront.5] CloudFront distributions should have logging enabled
- [CloudFront.6] CloudFront distributions should have WAF enabled
- [CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates
- [CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests
- [CloudFront.9] CloudFront distributions should encrypt traffic to custom origins
- [CloudFront.12] CloudFront distributions should not point to non-existent S3 origins
- [CloudFront.13] CloudFront distributions should use origin access control
- [Redshift.3] Amazon Redshift clusters should have automatic snapshots enabled
- [WAF.1] AWS WAF Classic Global Web ACL logging should be enabled
- [WAF.6] A WAF global rule should have at least one condition
- [WAF.7] A WAF global rule group should have at least one rule
- [WAF.8] A WAF global web ACL should have at least one rule or rule group
Asia Pacific (Tokyo)
The following controls are not supported in Asia Pacific (Tokyo).
- [CloudFront.1] CloudFront distributions should have a default root object configured
- [CloudFront.2] CloudFront distributions should have origin access identity enabled
- [CloudFront.3] CloudFront distributions should require encryption in transit
- [CloudFront.4] CloudFront distributions should have origin failover configured
- [CloudFront.5] CloudFront distributions should have logging enabled
- [CloudFront.6] CloudFront distributions should have WAF enabled
- [CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates
- [CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests
- [CloudFront.9] CloudFront distributions should encrypt traffic to custom origins
- [CloudFront.12] CloudFront distributions should not point to non-existent S3 origins
- [CloudFront.13] CloudFront distributions should use origin access control
- [WAF.1] AWS WAF Classic Global Web ACL logging should be enabled
- [WAF.6] A WAF global rule should have at least one condition
- [WAF.7] A WAF global rule group should have at least one rule
- [WAF.8] A WAF global web ACL should have at least one rule or rule group
Canada (Central)
The following controls are not supported in Canada (Central).
- [CloudFront.1] CloudFront distributions should have a default root object configured
- [CloudFront.2] CloudFront distributions should have origin access identity enabled
- [CloudFront.3] CloudFront distributions should require encryption in transit
- [CloudFront.4] CloudFront distributions should have origin failover configured
- [CloudFront.5] CloudFront distributions should have logging enabled
- [CloudFront.6] CloudFront distributions should have WAF enabled
- [CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates
- [CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests
- [CloudFront.9] CloudFront distributions should encrypt traffic to custom origins
- [CloudFront.12] CloudFront distributions should not point to non-existent S3 origins
- [CloudFront.13] CloudFront distributions should use origin access control
- [DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest
- [EC2.24] Amazon EC2 paravirtual instance types should not be used
- [ElastiCache.1] ElastiCache for Redis clusters should have automatic backups scheduled
- [ElastiCache.3] ElastiCache for Redis replication groups should have automatic failover enabled
- [ElastiCache.4] ElastiCache for Redis replication groups should be encrypted at rest
- [ElastiCache.5] ElastiCache for Redis replication groups should be encrypted in transit
- [ElastiCache.6] ElastiCache for Redis replication groups before version 6.0 should use Redis AUTH
- [ElastiCache.7] ElastiCache clusters should not use the default subnet group
- [WAF.1] AWS WAF Classic Global Web ACL logging should be enabled
- [WAF.6] A WAF global rule should have at least one condition
- [WAF.7] A WAF global rule group should have at least one rule
- [WAF.8] A WAF global web ACL should have at least one rule or rule group
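These per-Region lists change as controls are released, so before relying on one of them for a compliance scope it is worth confirming the current state from the service itself. The following script is an added example, not code from the AWS documentation or from Security Hub. It paginates the ListSecurityControlDefinitions operation and keeps the controls whose CurrentRegionAvailability is UNAVAILABLE in the Region the client is configured for, which is the programmatic form of the lists above; it can also diff that result against a list transcribed from this page. The StubSecurityHub class and SAMPLE_PAGES data are constructed so the script runs offline; the real call assumes boto3, AWS credentials, and Security Hub enabled in the target Region. All helper names are the example's own.

```python
"""List Security Hub controls that are UNAVAILABLE in a Region.

Added example (not AWS documentation code). The real path uses boto3's
list_security_control_definitions and its CurrentRegionAvailability field;
the stub client returns a constructed response so the module runs offline.
"""
from typing import Any, Dict, Iterable, List, Optional, Tuple

UNAVAILABLE = "UNAVAILABLE"


def iter_control_definitions(client: Any, standards_arn: Optional[str] = None) -> Iterable[Dict[str, Any]]:
    """Yield every control definition, following NextToken pagination.

    Omitting StandardsArn returns definitions for all controls, not just those
    in one standard, which is what a per-Region availability check wants.
    """
    kwargs: Dict[str, Any] = {"MaxResults": 100}
    if standards_arn:
        kwargs["StandardsArn"] = standards_arn
    while True:
        page = client.list_security_control_definitions(**kwargs)
        yield from page.get("SecurityControlDefinitions", [])
        token = page.get("NextToken")
        if not token:
            return
        kwargs["NextToken"] = token


def control_sort_key(control_id: str) -> Tuple[str, int]:
    """Sort 'EC2.24' style IDs by service name, then numerically (EC2.8 before EC2.24)."""
    service, _, number = control_id.rpartition(".")
    return (service.lower(), int(number) if number.isdigit() else 0)


def unsupported_controls(client: Any, standards_arn: Optional[str] = None) -> List[str]:
    """Return sorted control IDs that Security Hub reports as UNAVAILABLE in the client's Region."""
    ids = {
        d["SecurityControlId"]
        for d in iter_control_definitions(client, standards_arn)
        if d.get("CurrentRegionAvailability") == UNAVAILABLE
    }
    return sorted(ids, key=control_sort_key)


def diff_against_documented(reported: Iterable[str], documented: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Compare the API result with a documented list.

    Returns (unavailable per API but absent from the doc, listed in the doc but
    now available per API). Both being empty means the page is current.
    """
    r, d = set(reported), set(documented)
    return sorted(r - d, key=control_sort_key), sorted(d - r, key=control_sort_key)


class StubSecurityHub:
    """Constructed stand-in for a boto3 Security Hub client (offline demo only)."""

    def __init__(self, pages: List[Dict[str, Any]]):
        self._pages = pages
        self.calls: List[Dict[str, Any]] = []

    def list_security_control_definitions(self, **kwargs: Any) -> Dict[str, Any]:
        self.calls.append(dict(kwargs))
        idx = int(kwargs.get("NextToken", "0"))  # token encodes the page index
        page = dict(self._pages[idx])
        if idx + 1 < len(self._pages):
            page["NextToken"] = str(idx + 1)
        return page


# Constructed sample mirroring the response shape; the availability values are
# illustrative and not a statement about any real Region.
SAMPLE_PAGES: List[Dict[str, Any]] = [
    {"SecurityControlDefinitions": [
        {"SecurityControlId": "CloudFront.1", "CurrentRegionAvailability": "UNAVAILABLE"},
        {"SecurityControlId": "EC2.24", "CurrentRegionAvailability": "UNAVAILABLE"},
        {"SecurityControlId": "EC2.8", "CurrentRegionAvailability": "AVAILABLE"},
    ]},
    {"SecurityControlDefinitions": [
        {"SecurityControlId": "WAF.6", "CurrentRegionAvailability": "UNAVAILABLE"},
        {"SecurityControlId": "ElastiCache.1", "CurrentRegionAvailability": "UNAVAILABLE"},
    ]},
]


def demo() -> List[str]:
    """Run the check against the constructed stub."""
    return unsupported_controls(StubSecurityHub(SAMPLE_PAGES))


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:  # e.g. python check_controls.py ap-south-1
        import boto3  # real mode: needs credentials and Security Hub enabled

        print("\n".join(unsupported_controls(boto3.client("securityhub", region_name=sys.argv[1]))))
    else:
        print("\n".join(demo()))
```

Run it with a Region name to query the live API from that Region's endpoint; the result is Region-specific because CurrentRegionAvailability is evaluated for the endpoint you call, so checking several Regions means one client per Region.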
China (Beijing)
The following controls are not supported in China (Beijing).
- [Account.1] Security contact information should be provided for an AWS account.
- [Account.2] AWS accounts should be part of an AWS Organizations organization
- [ACM.1] Imported and ACM-issued certificates should be renewed after a specified time period
- [ACM.2] RSA certificates managed by ACM should use a key length of at least 2,048 bits
- [APIGateway.3] API Gateway REST API stages should have AWS X-Ray tracing enabled
- [APIGateway.4] API Gateway should be associated with a WAF Web ACL
- [APIGateway.8] API Gateway routes should specify an authorization type
- [APIGateway.9] Access logging should be configured for API Gateway V2 Stages
- [AppSync.2] AWS AppSync should have request-level and field-level logging turned on
- [AutoScaling.2] Amazon EC2 Auto Scaling group should cover multiple Availability Zones
- [AutoScaling.9] Amazon EC2 Auto Scaling groups should use Amazon EC2 launch templates
- [CloudFormation.1] CloudFormation stacks should be integrated with Simple Notification Service (SNS)
- [CloudFront.1] CloudFront distributions should have a default root object configured
- [CloudFront.2] CloudFront distributions should have origin access identity enabled
- [CloudFront.3] CloudFront distributions should require encryption in transit
- [CloudFront.4] CloudFront distributions should have origin failover configured
- [CloudFront.5] CloudFront distributions should have logging enabled
- [CloudFront.6] CloudFront distributions should have WAF enabled
- [CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates
- [CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests
- [CloudFront.9] CloudFront distributions should encrypt traffic to custom origins
- [CloudFront.12] CloudFront distributions should not point to non-existent S3 origins
- [CloudFront.13] CloudFront distributions should use origin access control
- [CloudWatch.15] CloudWatch alarms should have an action configured for the ALARM state
- [CloudWatch.16] CloudWatch log groups should be retained for at least 1 year
- [CloudWatch.17] CloudWatch alarm actions should be activated
- [CodeBuild.4] CodeBuild project environments should have a logging AWS Configuration
- [CodeBuild.5] CodeBuild project environments should not have privileged mode enabled
- [DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest
- [DynamoDB.4] DynamoDB tables should be present in a backup plan
- [EC2.15] Amazon EC2 subnets should not automatically assign public IP addresses
- [EC2.16] Unused Network Access Control Lists should be removed
- [EC2.20] Both VPN tunnels for an AWS Site-to-Site VPN connection should be up
- [EC2.21] Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389
- [EC2.22] Unused Amazon EC2 security groups should be removed
- [EC2.23] Amazon EC2 Transit Gateways should not automatically accept VPC attachment requests
- [EC2.24] Amazon EC2 paravirtual instance types should not be used
- [EC2.25] Amazon EC2 launch templates should not assign public IPs to network interfaces
- [ECR.1] ECR private repositories should have image scanning configured
- [ECR.2] ECR private repositories should have tag immutability configured
- [ECR.3] ECR repositories should have at least one lifecycle policy configured
- [ECS.1] Amazon ECS task definitions should have secure networking modes and user definitions.
- [ECS.3] ECS task definitions should not share the host's process namespace
- [ECS.5] ECS containers should be limited to read-only access to root filesystems
- [ECS.8] Secrets should not be passed as container environment variables
- [ECS.10] ECS Fargate services should run on the latest Fargate platform version
- [EKS.2] EKS clusters should run on a supported Kubernetes version
- [ElastiCache.1] ElastiCache for Redis clusters should have automatic backups scheduled
- [ElastiCache.3] ElastiCache for Redis replication groups should have automatic failover enabled
- [ElastiCache.4] ElastiCache for Redis replication groups should be encrypted at rest
- [ElastiCache.5] ElastiCache for Redis replication groups should be encrypted in transit
- [ElastiCache.6] ElastiCache for Redis replication groups before version 6.0 should use Redis AUTH
- [ElastiCache.7] ElastiCache clusters should not use the default subnet group
- [ELB.10] Classic Load Balancer should span multiple Availability Zones
- [ELB.13] Application, Network and Gateway Load Balancers should span multiple Availability Zones
- [ELB.16] Application Load Balancers should be associated with an AWS WAF web ACL
- [ES.3] Elasticsearch domains should encrypt data sent between nodes
- [ES.4] Elasticsearch domain error logging to CloudWatch Logs should be enabled
- [ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled
- [ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled
- [ElasticBeanstalk.3] Elastic Beanstalk should stream logs to CloudWatch
- [Lambda.5] VPC Lambda functions should operate in more than one Availability Zone
- [NetworkFirewall.3] Network Firewall policies should have at least one rule group associated
- [NetworkFirewall.6] Stateless Network Firewall rule group should not be empty
- [Opensearch.1] OpenSearch domains should have encryption at rest enabled
- [Opensearch.3] OpenSearch domains should encrypt data sent between nodes
- [Opensearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled
- [Opensearch.5] OpenSearch domains should have audit logging enabled
- [Opensearch.6] OpenSearch domains should have at least three data nodes
- [Opensearch.7] OpenSearch domains should have fine-grained access control enabled
- [Opensearch.8] Connections to OpenSearch domains should be encrypted using TLS 1.2
- [RDS.7] RDS clusters should have deletion protection enabled
- [RDS.10] IAM authentication should be configured for RDS instances
- [RDS.12] IAM authentication should be configured for RDS clusters
- [RDS.13] RDS automatic minor version upgrades should be enabled
- [RDS.14] Amazon Aurora clusters should have backtracking enabled
- [RDS.15] RDS DB clusters should be configured for multiple Availability Zones
- [RDS.16] RDS DB clusters should be configured to copy tags to snapshots
- [RDS.24] RDS Database clusters should use a custom administrator username
- [RDS.25] RDS database instances should use a custom administrator username
- [RDS.26] RDS DB instances should be covered by a backup plan
- [Redshift.7] Redshift clusters should use enhanced VPC routing
- [Redshift.8] Amazon Redshift clusters should not use the default Admin username
- [Redshift.9] Redshift clusters should not use the default database name
- [S3.8] S3 Block Public Access setting should be enabled at the bucket-level
- [S3.10] S3 buckets with versioning enabled should have lifecycle policies configured
- [S3.12] S3 access control lists (ACLs) should not be used to manage user access to buckets
- [S3.13] S3 buckets should have lifecycle policies configured
- [SNS.2] Logging of delivery status should be enabled for notification messages sent to a topic
- [SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access
- [SageMaker.2] SageMaker notebook instances should be launched in a custom VPC
- [SageMaker.3] Users should not have root access to SageMaker notebook instances
- [SecretsManager.4] Secrets Manager secrets should be rotated within a specified number of days
- [StepFunctions.1] Step Functions state machines should have logging turned on
- [WAF.1] AWS WAF Classic Global Web ACL logging should be enabled
- [WAF.2] A WAF Regional rule should have at least one condition
- [WAF.3] A WAF Regional rule group should have at least one rule
- [WAF.4] A WAF Regional web ACL should have at least one rule or rule group
- [WAF.6] A WAF global rule should have at least one condition
- [WAF.7] A WAF global rule group should have at least one rule
- [WAF.8] A WAF global web ACL should have at least one rule or rule group
- [WAF.10] A WAFv2 web ACL should have at least one rule or rule group
China (Ningxia)
The following controls are not supported in China (Ningxia).
- [Account.1] Security contact information should be provided for an AWS account.
- [Account.2] AWS accounts should be part of an AWS Organizations organization
- [ACM.1] Imported and ACM-issued certificates should be renewed after a specified time period
- [ACM.2] RSA certificates managed by ACM should use a key length of at least 2,048 bits
- [APIGateway.3] API Gateway REST API stages should have AWS X-Ray tracing enabled
- [APIGateway.4] API Gateway should be associated with a WAF Web ACL
- [APIGateway.8] API Gateway routes should specify an authorization type
- [APIGateway.9] Access logging should be configured for API Gateway V2 Stages
- [AppSync.2] AWS AppSync should have request-level and field-level logging turned on
- [AutoScaling.2] Amazon EC2 Auto Scaling group should cover multiple Availability Zones
- [AutoScaling.9] Amazon EC2 Auto Scaling groups should use Amazon EC2 launch templates
- [CloudFormation.1] CloudFormation stacks should be integrated with Simple Notification Service (SNS)
- [CloudFront.1] CloudFront distributions should have a default root object configured
- [CloudFront.2] CloudFront distributions should have origin access identity enabled
- [CloudFront.3] CloudFront distributions should require encryption in transit
- [CloudFront.4] CloudFront distributions should have origin failover configured
- [CloudFront.5] CloudFront distributions should have logging enabled
- [CloudFront.6] CloudFront distributions should have WAF enabled
- [CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates
- [CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests
- [CloudFront.9] CloudFront distributions should encrypt traffic to custom origins
- [CloudFront.12] CloudFront distributions should not point to non-existent S3 origins
- [CloudFront.13] CloudFront distributions should use origin access control
- [CloudWatch.15] CloudWatch alarms should have an action configured for the ALARM state
- [CloudWatch.16] CloudWatch log groups should be retained for at least 1 year
- [CloudWatch.17] CloudWatch alarm actions should be activated
- [CodeBuild.4] CodeBuild project environments should have a logging AWS Configuration
- [CodeBuild.5] CodeBuild project environments should not have privileged mode enabled
- [DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest
- [DynamoDB.4] DynamoDB tables should be present in a backup plan
- [EC2.15] Amazon EC2 subnets should not automatically assign public IP addresses
- [EC2.16] Unused Network Access Control Lists should be removed
- [EC2.20] Both VPN tunnels for an AWS Site-to-Site VPN connection should be up
- [EC2.21] Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389
- [EC2.22] Unused Amazon EC2 security groups should be removed
- [EC2.23] Amazon EC2 Transit Gateways should not automatically accept VPC attachment requests
- [EC2.24] Amazon EC2 paravirtual instance types should not be used
- [EC2.25] Amazon EC2 launch templates should not assign public IPs to network interfaces
- [ECR.1] ECR private repositories should have image scanning configured
- [ECR.2] ECR private repositories should have tag immutability configured
- [ECR.3] ECR repositories should have at least one lifecycle policy configured
- [ECS.1] Amazon ECS task definitions should have secure networking modes and user definitions.
- [ECS.3] ECS task definitions should not share the host's process namespace
- [ECS.5] ECS containers should be limited to read-only access to root filesystems
- [ECS.8] Secrets should not be passed as container environment variables
- [ECS.10] ECS Fargate services should run on the latest Fargate platform version
- [EKS.2] EKS clusters should run on a supported Kubernetes version
- [ElastiCache.1] ElastiCache for Redis clusters should have automatic backups scheduled
- [ElastiCache.3] ElastiCache for Redis replication groups should have automatic failover enabled
- [ElastiCache.4] ElastiCache for Redis replication groups should be encrypted at rest
- [ElastiCache.5] ElastiCache for Redis replication groups should be encrypted in transit
- [ElastiCache.6] ElastiCache for Redis replication groups before version 6.0 should use Redis AUTH
- [ElastiCache.7] ElastiCache clusters should not use the default subnet group
- [ELB.10] Classic Load Balancer should span multiple Availability Zones
- [ELB.13] Application, Network and Gateway Load Balancers should span multiple Availability Zones
- [ELB.16] Application Load Balancers should be associated with an AWS WAF web ACL
- [ES.1] Elasticsearch domains should have encryption at-rest enabled
- [ES.3] Elasticsearch domains should encrypt data sent between nodes
- [ES.4] Elasticsearch domain error logging to CloudWatch Logs should be enabled
- [ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled
- [ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled
- [ElasticBeanstalk.3] Elastic Beanstalk should stream logs to CloudWatch
- [Lambda.1] Lambda function policies should prohibit public access
- [Lambda.5] VPC Lambda functions should operate in more than one Availability Zone
- [NetworkFirewall.3] Network Firewall policies should have at least one rule group associated
- [NetworkFirewall.6] Stateless Network Firewall rule group should not be empty
- [Opensearch.1] OpenSearch domains should have encryption at rest enabled
- [Opensearch.3] OpenSearch domains should encrypt data sent between nodes
- [Opensearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled
- [Opensearch.5] OpenSearch domains should have audit logging enabled
- [Opensearch.6] OpenSearch domains should have at least three data nodes
- [Opensearch.7] OpenSearch domains should have fine-grained access control enabled
- [Opensearch.8] Connections to OpenSearch domains should be encrypted using TLS 1.2
- [RDS.7] RDS clusters should have deletion protection enabled
- [RDS.10] IAM authentication should be configured for RDS instances
- [RDS.12] IAM authentication should be configured for RDS clusters
- [RDS.13] RDS automatic minor version upgrades should be enabled
- [RDS.14] Amazon Aurora clusters should have backtracking enabled
- [RDS.15] RDS DB clusters should be configured for multiple Availability Zones
- [RDS.24] RDS Database clusters should use a custom administrator username
- [RDS.25] RDS database instances should use a custom administrator username
- [RDS.26] RDS DB instances should be covered by a backup plan
- [Redshift.3] Amazon Redshift clusters should have automatic snapshots enabled
- [Redshift.7] Redshift clusters should use enhanced VPC routing
- [Redshift.8] Amazon Redshift clusters should not use the default Admin username
- [Redshift.9] Redshift clusters should not use the default database name
- [S3.8] S3 Block Public Access setting should be enabled at the bucket-level
- [S3.10] S3 buckets with versioning enabled should have lifecycle policies configured
- [S3.12] S3 access control lists (ACLs) should not be used to manage user access to buckets
- [S3.13] S3 buckets should have lifecycle policies configured
- [SNS.2] Logging of delivery status should be enabled for notification messages sent to a topic
- [SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access
- [SageMaker.2] SageMaker notebook instances should be launched in a custom VPC
- [SageMaker.3] Users should not have root access to SageMaker notebook instances
- [SecretsManager.4] Secrets Manager secrets should be rotated within a specified number of days
- [StepFunctions.1] Step Functions state machines should have logging turned on
- [WAF.1] AWS WAF Classic Global Web ACL logging should be enabled
- [WAF.2] A WAF Regional rule should have at least one condition
- [WAF.3] A WAF Regional rule group should have at least one rule
- [WAF.4] A WAF Regional web ACL should have at least one rule or rule group
- [WAF.6] A WAF global rule should have at least one condition
- [WAF.7] A WAF global rule group should have at least one rule
- [WAF.8] A WAF global web ACL should have at least one rule or rule group
- [WAF.10] A WAFv2 web ACL should have at least one rule or rule group
Europe (Frankfurt)
The following controls are not supported in Europe (Frankfurt).
- [CloudFront.1] CloudFront distributions should have a default root object configured
- [CloudFront.2] CloudFront distributions should have origin access identity enabled
- [CloudFront.3] CloudFront distributions should require encryption in transit
- [CloudFront.4] CloudFront distributions should have origin failover configured
- [CloudFront.5] CloudFront distributions should have logging enabled
- [CloudFront.6] CloudFront distributions should have WAF enabled
- [CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates
- [CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests
- [CloudFront.9] CloudFront distributions should encrypt traffic to custom origins
- [CloudFront.12] CloudFront distributions should not point to non-existent S3 origins
- [CloudFront.13] CloudFront distributions should use origin access control
- [WAF.1] AWS WAF Classic Global Web ACL logging should be enabled
- [WAF.6] A WAF global rule should have at least one condition
- [WAF.7] A WAF global rule group should have at least one rule
- [WAF.8] A WAF global web ACL should have at least one rule or rule group
Europe (Ireland)
The following controls are not supported in Europe (Ireland).
- [CloudFront.1] CloudFront distributions should have a default root object configured
- [CloudFront.2] CloudFront distributions should have origin access identity enabled
- [CloudFront.3] CloudFront distributions should require encryption in transit
- [CloudFront.4] CloudFront distributions should have origin failover configured
- [CloudFront.5] CloudFront distributions should have logging enabled
- [CloudFront.6] CloudFront distributions should have WAF enabled
- [CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates
- [CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests
- [CloudFront.9] CloudFront distributions should encrypt traffic to custom origins
- [CloudFront.12] CloudFront distributions should not point to non-existent S3 origins
- [CloudFront.13] CloudFront distributions should use origin access control
- [WAF.1] AWS WAF Classic Global Web ACL logging should be enabled
- [WAF.6] A WAF global rule should have at least one condition
- [WAF.7] A WAF global rule group should have at least one rule
- [WAF.8] A WAF global web ACL should have at least one rule or rule group
Europe (London)
The following controls are not supported in Europe (London).
- [CloudFront.1] CloudFront distributions should have a default root object configured
- [CloudFront.2] CloudFront distributions should have origin access identity enabled
- [CloudFront.3] CloudFront distributions should require encryption in transit
- [CloudFront.4] CloudFront distributions should have origin failover configured
- [CloudFront.5] CloudFront distributions should have logging enabled
- [CloudFront.6] CloudFront distributions should have WAF enabled
- [CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates
- [CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests
- [CloudFront.9] CloudFront distributions should encrypt traffic to custom origins
- [CloudFront.12] CloudFront distributions should not point to non-existent S3 origins
- [CloudFront.13] CloudFront distributions should use origin access control
- [EC2.24] Amazon EC2 paravirtual instance types should not be used
- [ElastiCache.1] ElastiCache for Redis clusters should have automatic backups scheduled
- [ElastiCache.3] ElastiCache for Redis replication groups should have automatic failover enabled
- [ElastiCache.4] ElastiCache for Redis replication groups should be encrypted at rest
- [ElastiCache.5] ElastiCache for Redis replication groups should be encrypted in transit
- [ElastiCache.6] ElastiCache for Redis replication groups before version 6.0 should use Redis AUTH
- [ElastiCache.7] ElastiCache clusters should not use the default subnet group
- [WAF.1] AWS WAF Classic Global Web ACL logging should be enabled
- [WAF.6] A WAF global rule should have at least one condition
- [WAF.7] A WAF global rule group should have at least one rule
- [WAF.8] A WAF global web ACL should have at least one rule or rule group
Europe (Milan)
The following controls are not supported in Europe (Milan).
- [ACM.1] Imported and ACM-issued certificates should be renewed after a specified time period
- [APIGateway.1] API Gateway REST and WebSocket API execution logging should be enabled
- [CloudFormation.1] CloudFormation stacks should be integrated with Simple Notification Service (SNS)
- [CloudFront.1] CloudFront distributions should have a default root object configured
- [CloudFront.2] CloudFront distributions should have origin access identity enabled
- [CloudFront.3] CloudFront distributions should require encryption in transit
- [CloudFront.4] CloudFront distributions should have origin failover configured
- [CloudFront.5] CloudFront distributions should have logging enabled
- [CloudFront.6] CloudFront distributions should have WAF enabled
- [CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates
- [CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests
- [CloudFront.9] CloudFront distributions should encrypt traffic to custom origins
- [CloudFront.12] CloudFront distributions should not point to non-existent S3 origins
- [CloudFront.13] CloudFront distributions should use origin access control
- [CodeBuild.1] CodeBuild GitHub or Bitbucket source repository URLs should use OAuth
- [CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials
- [DMS.1] Database Migration Service replication instances should not be public
- [DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest
- [EC2.3] Attached Amazon EBS volumes should be encrypted at-rest
- [EC2.4] Stopped Amazon EC2 instances should be removed after a specified time period
- [EC2.8] Amazon EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)
- [EC2.13] Security groups should not allow ingress from 0.0.0.0/0 to port 22
- [EC2.14] Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389
- [EC2.24] Amazon EC2 paravirtual instance types should not be used
- [EFS.1] Elastic File System should be configured to encrypt file data at-rest using AWS KMS
- [EKS.1] EKS cluster endpoints should not be publicly accessible
- [ElastiCache.1] ElastiCache for Redis clusters should have automatic backups scheduled
- [ElastiCache.3] ElastiCache for Redis replication groups should have automatic failover enabled
- [ElastiCache.4] ElastiCache for Redis replication groups should be encrypted at rest
- [ElastiCache.5] ElastiCache for Redis replication groups should be encrypted in transit
- [ElastiCache.6] ElastiCache for Redis replication groups before version 6.0 should use Redis AUTH
- [ElastiCache.7] ElastiCache clusters should not use the default subnet group
- [ELB.1] Application Load Balancer should be configured to redirect all HTTP requests to HTTPS
- [ELB.4] Application Load Balancer should be configured to drop http headers
- [ELB.16] Application Load Balancers should be associated with an AWS WAF web ACL
- [EMR.1] Amazon Elastic MapReduce cluster master nodes should not have public IP addresses
- [ES.3] Elasticsearch domains should encrypt data sent between nodes
- [IAM.3] IAM users' access keys should be rotated every 90 days or less
- [IAM.18] Ensure a support role has been created to manage incidents with AWS Support
- [Opensearch.1] OpenSearch domains should have encryption at rest enabled
- [Opensearch.3] OpenSearch domains should encrypt data sent between nodes
- [Opensearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled
- [Opensearch.5] OpenSearch domains should have audit logging enabled
- [Opensearch.6] OpenSearch domains should have at least three data nodes
- [Opensearch.7] OpenSearch domains should have fine-grained access control enabled
- [Opensearch.8] Connections to OpenSearch domains should be encrypted using TLS 1.2
- [RDS.4] RDS cluster snapshots and database snapshots should be encrypted at rest
- [RDS.14] Amazon Aurora clusters should have backtracking enabled
- [Redshift.2] Connections to Amazon Redshift clusters should be encrypted in transit
- [Redshift.3] Amazon Redshift clusters should have automatic snapshots enabled
- [SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access
- [WAF.1] AWS WAF Classic Global Web ACL logging should be enabled
- [WAF.6] A WAF global rule should have at least one condition
- [WAF.7] A WAF global rule group should have at least one rule
- [WAF.8] A WAF global web ACL should have at least one rule or rule group
Europe (Paris)
The following controls are not supported in Europe (Paris).
- [CloudFormation.1] CloudFormation stacks should be integrated with Simple Notification Service (SNS)
- [CloudFront.1] CloudFront distributions should have a default root object configured
- [CloudFront.2] CloudFront distributions should have origin access identity enabled
- [CloudFront.3] CloudFront distributions should require encryption in transit
- [CloudFront.4] CloudFront distributions should have origin failover configured
- [CloudFront.5] CloudFront distributions should have logging enabled
- [CloudFront.6] CloudFront distributions should have WAF enabled
- [CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates
- [CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests
- [CloudFront.9] CloudFront distributions should encrypt traffic to custom origins
- [CloudFront.12] CloudFront distributions should not point to non-existent S3 origins
- [CloudFront.13] CloudFront distributions should use origin access control
- [EC2.24] Amazon EC2 paravirtual instance types should not be used
- [ElastiCache.1] ElastiCache for Redis clusters should have automatic backups scheduled
- [ElastiCache.3] ElastiCache for Redis replication groups should have automatic failover enabled
- [ElastiCache.4] ElastiCache for Redis replication groups should be encrypted at rest
- [ElastiCache.5] ElastiCache for Redis replication groups should be encrypted in transit
- [ElastiCache.6] ElastiCache for Redis replication groups before version 6.0 should use Redis AUTH
- [ElastiCache.7] ElastiCache clusters should not use the default subnet group
- [WAF.1] AWS WAF Classic Global Web ACL logging should be enabled
- [WAF.6] A WAF global rule should have at least one condition
- [WAF.7] A WAF global rule group should have at least one rule
- [WAF.8] A WAF global web ACL should have at least one rule or rule group
Europe (Spain)
The following controls are not supported in Europe (Spain).
-
[Account.2] AWS accounts should be part of an AWS Organizations organization
-
[ACM.1] Imported and ACM-issued certificates should be renewed after a specified time period
-
[ACM.2] RSA certificates managed by ACM should use a key length of at least 2,048 bits
-
[APIGateway.1] API Gateway REST and WebSocket API execution logging should be enabled
-
[APIGateway.3] API Gateway REST API stages should have AWS X-Ray tracing enabled
-
[APIGateway.4] API Gateway should be associated with a WAF Web ACL
-
[APIGateway.8] API Gateway routes should specify an authorization type
-
[APIGateway.9] Access logging should be configured for API Gateway V2 Stages
-
[AppSync.2] AWS AppSync should have request-level and field-level logging turned on
-
[CloudFormation.1] CloudFormation stacks should be integrated with Simple Notification Service (SNS)
-
[CloudFront.1] CloudFront distributions should have a default root object configured
-
[CloudFront.2] CloudFront distributions should have origin access identity enabled
-
[CloudFront.3] CloudFront distributions should require encryption in transit
-
[CloudFront.4] CloudFront distributions should have origin failover configured
-
[CloudFront.5] CloudFront distributions should have logging enabled
-
[CloudFront.6] CloudFront distributions should have WAF enabled
-
[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates
-
[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests
-
[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins
-
[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins
-
[CloudFront.13] CloudFront distributions should use origin access control
-
[CloudTrail.6] Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible
-
[CloudTrail.7] Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
-
[CloudWatch.16] CloudWatch log groups should be retained for at least 1 year
-
[CodeBuild.1] CodeBuild GitHub or Bitbucket source repository URLs should use OAuth
-
[CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials
-
[CodeBuild.4] CodeBuild project environments should have a logging AWS Configuration
-
[CodeBuild.5] CodeBuild project environments should not have privileged mode enabled
-
[DMS.1] Database Migration Service replication instances should not be public
-
[DynamoDB.1] DynamoDB tables should automatically scale capacity with demand
-
[DynamoDB.2] DynamoDB tables should have point-in-time recovery enabled
-
[DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest
-
[DynamoDB.4] DynamoDB tables should be present in a backup plan
-
[EC2.1] Amazon EBS snapshots should not be publicly restorable
-
[EC2.2] The VPC default security group should not allow inbound and outbound traffic
-
[EC2.3] Attached Amazon EBS volumes should be encrypted at-rest
-
[EC2.4] Stopped Amazon EC2 instances should be removed after a specified time period
-
[EC2.8] Amazon EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)
-
[EC2.9] Amazon EC2 instances should not have a public IPv4 address
-
[EC2.13] Security groups should not allow ingress from 0.0.0.0/0 to port 22
-
[EC2.14] Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389
-
[EC2.15] Amazon EC2 subnets should not automatically assign public IP addresses
-
[EC2.16] Unused Network Access Control Lists should be removed
-
[EC2.18] Security groups should only allow unrestricted incoming traffic for authorized ports
- [EC2.20] Both VPN tunnels for an AWS Site-to-Site VPN connection should be up
- [EC2.22] Unused Amazon EC2 security groups should be removed
- [EC2.23] Amazon EC2 Transit Gateways should not automatically accept VPC attachment requests
- [EC2.24] Amazon EC2 paravirtual instance types should not be used
- [EC2.25] Amazon EC2 launch templates should not assign public IPs to network interfaces
- [ECR.1] ECR private repositories should have image scanning configured
- [ECR.2] ECR private repositories should have tag immutability configured
- [ECR.3] ECR repositories should have at least one lifecycle policy configured
- [ECS.1] Amazon ECS task definitions should have secure networking modes and user definitions.
- [EFS.1] Elastic File System should be configured to encrypt file data at-rest using AWS KMS
- [EKS.2] EKS clusters should run on a supported Kubernetes version
- [EKS.1] EKS cluster endpoints should not be publicly accessible
- [ElastiCache.1] ElastiCache for Redis clusters should have automatic backups scheduled
- [ElastiCache.6] ElastiCache for Redis replication groups before version 6.0 should use Redis AUTH
- [ElastiCache.7] ElastiCache clusters should not use the default subnet group
- [ELB.1] Application Load Balancer should be configured to redirect all HTTP requests to HTTPS
- [ELB.3] Classic Load Balancer listeners should be configured with HTTPS or TLS termination
- [ELB.4] Application Load Balancer should be configured to drop http headers
- [ELB.5] Application and Classic Load Balancers logging should be enabled
- [ELB.6] Application Load Balancer deletion protection should be enabled
- [ELB.9] Classic Load Balancers should have cross-zone load balancing enabled
- [ELB.16] Application Load Balancers should be associated with an AWS WAF web ACL
- [EMR.1] Amazon Elastic MapReduce cluster master nodes should not have public IP addresses
- [ES.1] Elasticsearch domains should have encryption at-rest enabled
- [ES.3] Elasticsearch domains should encrypt data sent between nodes
- [ES.4] Elasticsearch domain error logging to CloudWatch Logs should be enabled
- [ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled
- [ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled
- [ElasticBeanstalk.3] Elastic Beanstalk should stream logs to CloudWatch
- [IAM.1] IAM policies should not allow full "*" administrative privileges
- [IAM.3] IAM users' access keys should be rotated every 90 days or less
- [IAM.5] MFA should be enabled for all IAM users that have a console password
- [IAM.18] Ensure a support role has been created to manage incidents with AWS Support
- [IAM.22] IAM user credentials unused for 45 days should be removed
- [KMS.1] IAM customer managed policies should not allow decryption actions on all KMS keys
- [Lambda.1] Lambda function policies should prohibit public access
- [Lambda.5] VPC Lambda functions should operate in more than one Availability Zone
- [NetworkFirewall.3] Network Firewall policies should have at least one rule group associated
- [NetworkFirewall.6] Stateless Network Firewall rule group should not be empty
- [Opensearch.1] OpenSearch domains should have encryption at rest enabled
- [Opensearch.3] OpenSearch domains should encrypt data sent between nodes
- [Opensearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled
- [Opensearch.5] OpenSearch domains should have audit logging enabled
- [Opensearch.6] OpenSearch domains should have at least three data nodes
- [Opensearch.7] OpenSearch domains should have fine-grained access control enabled
- [Opensearch.8] Connections to OpenSearch domains should be encrypted using TLS 1.2
- [RDS.3] RDS DB instances should have encryption at-rest enabled
- [RDS.4] RDS cluster snapshots and database snapshots should be encrypted at rest
- [RDS.5] RDS DB instances should be configured with multiple Availability Zones
- [RDS.6] Enhanced monitoring should be configured for RDS DB instances
- [RDS.7] RDS clusters should have deletion protection enabled
- [RDS.8] RDS DB instances should have deletion protection enabled
- [RDS.10] IAM authentication should be configured for RDS instances
- [RDS.11] RDS instances should have automatic backups enabled
- [RDS.12] IAM authentication should be configured for RDS clusters
- [RDS.13] RDS automatic minor version upgrades should be enabled
- [RDS.14] Amazon Aurora clusters should have backtracking enabled
- [RDS.15] RDS DB clusters should be configured for multiple Availability Zones
- [RDS.16] RDS DB clusters should be configured to copy tags to snapshots
- [RDS.24] RDS Database clusters should use a custom administrator username
- [RDS.26] RDS DB instances should be covered by a backup plan
- [Redshift.1] Amazon Redshift clusters should prohibit public access
- [Redshift.2] Connections to Amazon Redshift clusters should be encrypted in transit
- [Redshift.3] Amazon Redshift clusters should have automatic snapshots enabled
- [Redshift.6] Amazon Redshift should have automatic upgrades to major versions enabled
- [Redshift.7] Redshift clusters should use enhanced VPC routing
- [S3.4] S3 buckets should have server-side encryption enabled
- [S3.5] S3 buckets should require requests to use Secure Socket Layer
- [S3.6] S3 permissions granted to other AWS accounts in bucket policies should be restricted
- [S3.7] S3 buckets should have cross-Region replication enabled
- [S3.8] S3 Block Public Access setting should be enabled at the bucket-level
- [S3.17] S3 buckets should be encrypted at rest with AWS KMS keys
- [SNS.1] SNS topics should be encrypted at-rest using AWS KMS
- [SNS.2] Logging of delivery status should be enabled for notification messages sent to a topic
- [SSM.1] Amazon EC2 instances should be managed by AWS Systems Manager
- [SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access
- [SageMaker.2] SageMaker notebook instances should be launched in a custom VPC
- [SageMaker.3] Users should not have root access to SageMaker notebook instances
- [StepFunctions.1] Step Functions state machines should have logging turned on
- [WAF.1] AWS WAF Classic Global Web ACL logging should be enabled
- [WAF.2] A WAF Regional rule should have at least one condition
- [WAF.3] A WAF Regional rule group should have at least one rule
- [WAF.4] A WAF Regional web ACL should have at least one rule or rule group
- [WAF.6] A WAF global rule should have at least one condition
- [WAF.7] A WAF global rule group should have at least one rule
- [WAF.8] A WAF global web ACL should have at least one rule or rule group
- [WAF.10] A WAFv2 web ACL should have at least one rule or rule group
Europe (Stockholm)
The following controls are not supported in Europe (Stockholm).
- [CloudFormation.1] CloudFormation stacks should be integrated with Simple Notification Service (SNS)
- [CloudFront.1] CloudFront distributions should have a default root object configured
- [CloudFront.2] CloudFront distributions should have origin access identity enabled
- [CloudFront.3] CloudFront distributions should require encryption in transit
- [CloudFront.4] CloudFront distributions should have origin failover configured
- [CloudFront.5] CloudFront distributions should have logging enabled
- [CloudFront.6] CloudFront distributions should have WAF enabled
- [CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates
- [CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests
- [CloudFront.9] CloudFront distributions should encrypt traffic to custom origins
- [CloudFront.12] CloudFront distributions should not point to non-existent S3 origins
- [CloudFront.13] CloudFront distributions should use origin access control
- [DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest
- [EC2.24] Amazon EC2 paravirtual instance types should not be used
- [ElastiCache.1] ElastiCache for Redis clusters should have automatic backups scheduled
- [ElastiCache.3] ElastiCache for Redis replication groups should have automatic failover enabled
- [ElastiCache.4] ElastiCache for Redis replication groups should be encrypted at rest
- [ElastiCache.5] ElastiCache for Redis replication groups should be encrypted in transit
- [ElastiCache.6] ElastiCache for Redis replication groups before version 6.0 should use Redis AUTH
- [ElastiCache.7] ElastiCache clusters should not use the default subnet group
- [RDS.14] Amazon Aurora clusters should have backtracking enabled
- [WAF.1] AWS WAF Classic Global Web ACL logging should be enabled
- [WAF.6] A WAF global rule should have at least one condition
- [WAF.7] A WAF global rule group should have at least one rule
- [WAF.8] A WAF global web ACL should have at least one rule or rule group
Europe (Zurich)
The following controls are not supported in Europe (Zurich).
- [Account.2] AWS accounts should be part of an AWS Organizations organization
- [ACM.1] Imported and ACM-issued certificates should be renewed after a specified time period
- [ACM.2] RSA certificates managed by ACM should use a key length of at least 2,048 bits
- [APIGateway.1] API Gateway REST and WebSocket API execution logging should be enabled
- [APIGateway.3] API Gateway REST API stages should have AWS X-Ray tracing enabled
- [APIGateway.4] API Gateway should be associated with a WAF Web ACL
- [APIGateway.8] API Gateway routes should specify an authorization type
- [APIGateway.9] Access logging should be configured for API Gateway V2 Stages
- [AppSync.2] AWS AppSync should have request-level and field-level logging turned on
- [CloudFormation.1] CloudFormation stacks should be integrated with Simple Notification Service (SNS)
- [CloudFront.1] CloudFront distributions should have a default root object configured
- [CloudFront.2] CloudFront distributions should have origin access identity enabled
- [CloudFront.3] CloudFront distributions should require encryption in transit
- [CloudFront.4] CloudFront distributions should have origin failover configured
- [CloudFront.5] CloudFront distributions should have logging enabled
- [CloudFront.6] CloudFront distributions should have WAF enabled
- [CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates
- [CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests
- [CloudFront.9] CloudFront distributions should encrypt traffic to custom origins
- [CloudFront.12] CloudFront distributions should not point to non-existent S3 origins
- [CloudFront.13] CloudFront distributions should use origin access control
- [CloudTrail.6] Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible
- [CloudTrail.7] Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
- [CloudWatch.16] CloudWatch log groups should be retained for at least 1 year
- [CodeBuild.1] CodeBuild GitHub or Bitbucket source repository URLs should use OAuth
- [CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials
- [CodeBuild.4] CodeBuild project environments should have a logging AWS Configuration
- [CodeBuild.5] CodeBuild project environments should not have privileged mode enabled
- [DMS.1] Database Migration Service replication instances should not be public
- [DynamoDB.1] DynamoDB tables should automatically scale capacity with demand
- [DynamoDB.2] DynamoDB tables should have point-in-time recovery enabled
- [DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest
- [DynamoDB.4] DynamoDB tables should be present in a backup plan
- [EC2.1] Amazon EBS snapshots should not be publicly restorable
- [EC2.2] The VPC default security group should not allow inbound and outbound traffic
- [EC2.3] Attached Amazon EBS volumes should be encrypted at-rest
- [EC2.4] Stopped Amazon EC2 instances should be removed after a specified time period
- [EC2.8] Amazon EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)
- [EC2.9] Amazon EC2 instances should not have a public IPv4 address
- [EC2.13] Security groups should not allow ingress from 0.0.0.0/0 to port 22
- [EC2.14] Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389
- [EC2.15] Amazon EC2 subnets should not automatically assign public IP addresses
- [EC2.16] Unused Network Access Control Lists should be removed
- [EC2.18] Security groups should only allow unrestricted incoming traffic for authorized ports
- [EC2.20] Both VPN tunnels for an AWS Site-to-Site VPN connection should be up
- [EC2.22] Unused Amazon EC2 security groups should be removed
- [EC2.23] Amazon EC2 Transit Gateways should not automatically accept VPC attachment requests
- [EC2.24] Amazon EC2 paravirtual instance types should not be used
- [EC2.25] Amazon EC2 launch templates should not assign public IPs to network interfaces
- [ECR.1] ECR private repositories should have image scanning configured
- [ECR.2] ECR private repositories should have tag immutability configured
- [ECR.3] ECR repositories should have at least one lifecycle policy configured
- [ECS.1] Amazon ECS task definitions should have secure networking modes and user definitions.
- [EFS.1] Elastic File System should be configured to encrypt file data at-rest using AWS KMS
- [EKS.2] EKS clusters should run on a supported Kubernetes version
- [EKS.1] EKS cluster endpoints should not be publicly accessible
- [ElastiCache.1] ElastiCache for Redis clusters should have automatic backups scheduled
- [ElastiCache.6] ElastiCache for Redis replication groups before version 6.0 should use Redis AUTH
- [ElastiCache.7] ElastiCache clusters should not use the default subnet group
- [ELB.1] Application Load Balancer should be configured to redirect all HTTP requests to HTTPS
- [ELB.3] Classic Load Balancer listeners should be configured with HTTPS or TLS termination
- [ELB.4] Application Load Balancer should be configured to drop http headers
- [ELB.5] Application and Classic Load Balancers logging should be enabled
- [ELB.6] Application Load Balancer deletion protection should be enabled
- [ELB.9] Classic Load Balancers should have cross-zone load balancing enabled
- [ELB.16] Application Load Balancers should be associated with an AWS WAF web ACL
- [EMR.1] Amazon Elastic MapReduce cluster master nodes should not have public IP addresses
- [ES.1] Elasticsearch domains should have encryption at-rest enabled
- [ES.3] Elasticsearch domains should encrypt data sent between nodes
- [ES.4] Elasticsearch domain error logging to CloudWatch Logs should be enabled
- [ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled
- [ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled
- [ElasticBeanstalk.3] Elastic Beanstalk should stream logs to CloudWatch
- [IAM.1] IAM policies should not allow full "*" administrative privileges
- [IAM.3] IAM users' access keys should be rotated every 90 days or less
- [IAM.5] MFA should be enabled for all IAM users that have a console password
- [IAM.18] Ensure a support role has been created to manage incidents with AWS Support
- [IAM.22] IAM user credentials unused for 45 days should be removed
- [KMS.1] IAM customer managed policies should not allow decryption actions on all KMS keys
- [Lambda.1] Lambda function policies should prohibit public access
- [Lambda.5] VPC Lambda functions should operate in more than one Availability Zone
- [NetworkFirewall.3] Network Firewall policies should have at least one rule group associated
- [NetworkFirewall.6] Stateless Network Firewall rule group should not be empty
- [Opensearch.1] OpenSearch domains should have encryption at rest enabled
- [Opensearch.3] OpenSearch domains should encrypt data sent between nodes
- [Opensearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled
- [Opensearch.5] OpenSearch domains should have audit logging enabled
- [Opensearch.6] OpenSearch domains should have at least three data nodes
- [Opensearch.7] OpenSearch domains should have fine-grained access control enabled
- [Opensearch.8] Connections to OpenSearch domains should be encrypted using TLS 1.2
- [RDS.3] RDS DB instances should have encryption at-rest enabled
- [RDS.4] RDS cluster snapshots and database snapshots should be encrypted at rest
- [RDS.5] RDS DB instances should be configured with multiple Availability Zones
- [RDS.6] Enhanced monitoring should be configured for RDS DB instances
- [RDS.7] RDS clusters should have deletion protection enabled
- [RDS.8] RDS DB instances should have deletion protection enabled
- [RDS.10] IAM authentication should be configured for RDS instances
- [RDS.11] RDS instances should have automatic backups enabled
- [RDS.12] IAM authentication should be configured for RDS clusters
- [RDS.13] RDS automatic minor version upgrades should be enabled
- [RDS.14] Amazon Aurora clusters should have backtracking enabled
- [RDS.15] RDS DB clusters should be configured for multiple Availability Zones
- [RDS.16] RDS DB clusters should be configured to copy tags to snapshots
- [RDS.24] RDS Database clusters should use a custom administrator username
- [RDS.26] RDS DB instances should be covered by a backup plan
- [Redshift.1] Amazon Redshift clusters should prohibit public access
- [Redshift.2] Connections to Amazon Redshift clusters should be encrypted in transit
- [Redshift.3] Amazon Redshift clusters should have automatic snapshots enabled
- [Redshift.6] Amazon Redshift should have automatic upgrades to major versions enabled
- [Redshift.7] Redshift clusters should use enhanced VPC routing
- [S3.4] S3 buckets should have server-side encryption enabled
- [S3.5] S3 buckets should require requests to use Secure Socket Layer
- [S3.6] S3 permissions granted to other AWS accounts in bucket policies should be restricted
- [S3.7] S3 buckets should have cross-Region replication enabled
- [S3.8] S3 Block Public Access setting should be enabled at the bucket-level
- [S3.17] S3 buckets should be encrypted at rest with AWS KMS keys
- [SNS.1] SNS topics should be encrypted at-rest using AWS KMS
- [SNS.2] Logging of delivery status should be enabled for notification messages sent to a topic
- [SSM.1] Amazon EC2 instances should be managed by AWS Systems Manager
- [SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access
- [SageMaker.2] SageMaker notebook instances should be launched in a custom VPC
- [SageMaker.3] Users should not have root access to SageMaker notebook instances
- [StepFunctions.1] Step Functions state machines should have logging turned on
- [WAF.1] AWS WAF Classic Global Web ACL logging should be enabled
- [WAF.2] A WAF Regional rule should have at least one condition
- [WAF.3] A WAF Regional rule group should have at least one rule
- [WAF.4] A WAF Regional web ACL should have at least one rule or rule group
- [WAF.6] A WAF global rule should have at least one condition
- [WAF.7] A WAF global rule group should have at least one rule
- [WAF.8] A WAF global web ACL should have at least one rule or rule group
- [WAF.10] A WAFv2 web ACL should have at least one rule or rule group
Middle East (Bahrain)
The following controls are not supported in Middle East (Bahrain).
- [CloudFormation.1] CloudFormation stacks should be integrated with Simple Notification Service (SNS)
- [CloudFront.1] CloudFront distributions should have a default root object configured
- [CloudFront.2] CloudFront distributions should have origin access identity enabled
- [CloudFront.3] CloudFront distributions should require encryption in transit
- [CloudFront.4] CloudFront distributions should have origin failover configured
- [CloudFront.5] CloudFront distributions should have logging enabled
- [CloudFront.6] CloudFront distributions should have WAF enabled
- [CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates
- [CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests
- [CloudFront.9] CloudFront distributions should encrypt traffic to custom origins
- [CloudFront.12] CloudFront distributions should not point to non-existent S3 origins
- [CloudFront.13] CloudFront distributions should use origin access control
- [DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest
- [EC2.20] Both VPN tunnels for an AWS Site-to-Site VPN connection should be up
- [EC2.23] Amazon EC2 Transit Gateways should not automatically accept VPC attachment requests
- [EC2.24] Amazon EC2 paravirtual instance types should not be used
- [ElastiCache.1] ElastiCache for Redis clusters should have automatic backups scheduled
- [ElastiCache.3] ElastiCache for Redis replication groups should have automatic failover enabled
- [ElastiCache.4] ElastiCache for Redis replication groups should be encrypted at rest
- [ElastiCache.5] ElastiCache for Redis replication groups should be encrypted in transit
- [ElastiCache.6] ElastiCache for Redis replication groups before version 6.0 should use Redis AUTH
- [ElastiCache.7] ElastiCache clusters should not use the default subnet group
- [ElasticBeanstalk.3] Elastic Beanstalk should stream logs to CloudWatch
- [RDS.7] RDS clusters should have deletion protection enabled
- [RDS.12] IAM authentication should be configured for RDS clusters
- [RDS.14] Amazon Aurora clusters should have backtracking enabled
- [RDS.15] RDS DB clusters should be configured for multiple Availability Zones
- [RDS.16] RDS DB clusters should be configured to copy tags to snapshots
- [RDS.24] RDS Database clusters should use a custom administrator username
- [Redshift.6] Amazon Redshift should have automatic upgrades to major versions enabled
- [WAF.1] AWS WAF Classic Global Web ACL logging should be enabled
- [WAF.6] A WAF global rule should have at least one condition
- [WAF.7] A WAF global rule group should have at least one rule
- [WAF.8] A WAF global web ACL should have at least one rule or rule group
Middle East (UAE)
The following controls are not supported in Middle East (UAE).
- [ACM.2] RSA certificates managed by ACM should use a key length of at least 2,048 bits
- [Account.2] AWS accounts should be part of an AWS Organizations organization
- [APIGateway.1] API Gateway REST and WebSocket API execution logging should be enabled
- [APIGateway.3] API Gateway REST API stages should have AWS X-Ray tracing enabled
- [APIGateway.8] API Gateway routes should specify an authorization type
- [APIGateway.9] Access logging should be configured for API Gateway V2 Stages
- [AppSync.2] AWS AppSync should have request-level and field-level logging turned on
- [CloudFormation.1] CloudFormation stacks should be integrated with Simple Notification Service (SNS)
- [CloudFront.1] CloudFront distributions should have a default root object configured
- [CloudFront.2] CloudFront distributions should have origin access identity enabled
- [CloudFront.3] CloudFront distributions should require encryption in transit
- [CloudFront.4] CloudFront distributions should have origin failover configured
- [CloudFront.5] CloudFront distributions should have logging enabled
- [CloudFront.6] CloudFront distributions should have WAF enabled
- [CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates
- [CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests
- [CloudFront.9] CloudFront distributions should encrypt traffic to custom origins
- [CloudFront.12] CloudFront distributions should not point to non-existent S3 origins
- [CloudFront.13] CloudFront distributions should use origin access control
- [CloudTrail.6] Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible
- [CloudWatch.15] CloudWatch alarms should have an action configured for the ALARM state
- [CloudWatch.16] CloudWatch log groups should be retained for at least 1 year
- [CloudWatch.17] CloudWatch alarm actions should be activated
- [CodeBuild.1] CodeBuild GitHub or Bitbucket source repository URLs should use OAuth
- [CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials
- [CodeBuild.4] CodeBuild project environments should have a logging AWS Configuration
- [CodeBuild.5] CodeBuild project environments should not have privileged mode enabled
- [DMS.1] Database Migration Service replication instances should not be public
- [DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest
- [DynamoDB.4] DynamoDB tables should be present in a backup plan
- [EC2.1] Amazon EBS snapshots should not be publicly restorable
- [EC2.3] Attached Amazon EBS volumes should be encrypted at-rest
- [EC2.4] Stopped Amazon EC2 instances should be removed after a specified time period
- [EC2.8] Amazon EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)
- [EC2.13] Security groups should not allow ingress from 0.0.0.0/0 to port 22
- [EC2.14] Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389
- [EC2.22] Unused Amazon EC2 security groups should be removed
- [EC2.23] Amazon EC2 Transit Gateways should not automatically accept VPC attachment requests
- [EC2.24] Amazon EC2 paravirtual instance types should not be used
- [EC2.25] Amazon EC2 launch templates should not assign public IPs to network interfaces
- [ECR.1] ECR private repositories should have image scanning configured
- [ECR.2] ECR private repositories should have tag immutability configured
- [ECR.3] ECR repositories should have at least one lifecycle policy configured
- [ECS.1] Amazon ECS task definitions should have secure networking modes and user definitions.
- [EFS.1] Elastic File System should be configured to encrypt file data at-rest using AWS KMS
- [EKS.2] EKS clusters should run on a supported Kubernetes version
- [EKS.1] EKS cluster endpoints should not be publicly accessible
- [ElastiCache.1] ElastiCache for Redis clusters should have automatic backups scheduled
- [ElastiCache.3] ElastiCache for Redis replication groups should have automatic failover enabled
- [ElastiCache.4] ElastiCache for Redis replication groups should be encrypted at rest
- [ElastiCache.5] ElastiCache for Redis replication groups should be encrypted in transit
- [ElastiCache.6] ElastiCache for Redis replication groups before version 6.0 should use Redis AUTH
- [ElastiCache.7] ElastiCache clusters should not use the default subnet group
- [ELB.1] Application Load Balancer should be configured to redirect all HTTP requests to HTTPS
- [ELB.3] Classic Load Balancer listeners should be configured with HTTPS or TLS termination
- [ELB.9] Classic Load Balancers should have cross-zone load balancing enabled
- [ELB.16] Application Load Balancers should be associated with an AWS WAF web ACL
- [EMR.1] Amazon Elastic MapReduce cluster master nodes should not have public IP addresses
- [ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled
- [ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled
- [ElasticBeanstalk.3] Elastic Beanstalk should stream logs to CloudWatch
- [IAM.1] IAM policies should not allow full "*" administrative privileges
- [IAM.3] IAM users' access keys should be rotated every 90 days or less
- [IAM.5] MFA should be enabled for all IAM users that have a console password
- [IAM.18] Ensure a support role has been created to manage incidents with AWS Support
- [IAM.22] IAM user credentials unused for 45 days should be removed
- [KMS.1] IAM customer managed policies should not allow decryption actions on all KMS keys
- [Lambda.5] VPC Lambda functions should operate in more than one Availability Zone
- [NetworkFirewall.3] Network Firewall policies should have at least one rule group associated
- [NetworkFirewall.6] Stateless Network Firewall rule group should not be empty
- [Opensearch.1] OpenSearch domains should have encryption at rest enabled
- [Opensearch.3] OpenSearch domains should encrypt data sent between nodes
- [Opensearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled
- [Opensearch.5] OpenSearch domains should have audit logging enabled
- [Opensearch.6] OpenSearch domains should have at least three data nodes
- [Opensearch.7] OpenSearch domains should have fine-grained access control enabled
- [Opensearch.8] Connections to OpenSearch domains should be encrypted using TLS 1.2
- [RDS.3] RDS DB instances should have encryption at-rest enabled
- [RDS.4] RDS cluster snapshots and database snapshots should be encrypted at rest
- [RDS.5] RDS DB instances should be configured with multiple Availability Zones
- [RDS.6] Enhanced monitoring should be configured for RDS DB instances
- [RDS.7] RDS clusters should have deletion protection enabled
- [RDS.8] RDS DB instances should have deletion protection enabled
- [RDS.11] RDS instances should have automatic backups enabled
- [RDS.12] IAM authentication should be configured for RDS clusters
- [RDS.14] Amazon Aurora clusters should have backtracking enabled
- [RDS.15] RDS DB clusters should be configured for multiple Availability Zones
- [RDS.16] RDS DB clusters should be configured to copy tags to snapshots
- [RDS.24] RDS Database clusters should use a custom administrator username
- [RDS.26] RDS DB instances should be covered by a backup plan
- [Redshift.9] Redshift clusters should not use the default database name
- [S3.4] S3 buckets should have server-side encryption enabled
- [S3.5] S3 buckets should require requests to use Secure Socket Layer
- [S3.6] S3 permissions granted to other AWS accounts in bucket policies should be restricted
- [S3.7] S3 buckets should have cross-Region replication enabled
- [S3.17] S3 buckets should be encrypted at rest with AWS KMS keys
- [SNS.1] SNS topics should be encrypted at-rest using AWS KMS
- [SNS.2] Logging of delivery status should be enabled for notification messages sent to a topic
- [SSM.1] Amazon EC2 instances should be managed by AWS Systems Manager
- [SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access
- [SageMaker.2] SageMaker notebook instances should be launched in a custom VPC
- [SageMaker.3] Users should not have root access to SageMaker notebook instances
- [SecretsManager.1] Secrets Manager secrets should have automatic rotation enabled
- [SecretsManager.4] Secrets Manager secrets should be rotated within a specified number of days
- [StepFunctions.1] Step Functions state machines should have logging turned on
- [WAF.1] AWS WAF Classic Global Web ACL logging should be enabled
- [WAF.2] A WAF Regional rule should have at least one condition
- [WAF.3] A WAF Regional rule group should have at least one rule
- [WAF.4] A WAF Regional web ACL should have at least one rule or rule group
- [WAF.6] A WAF global rule should have at least one condition
- [WAF.7] A WAF global rule group should have at least one rule
- [WAF.8] A WAF global web ACL should have at least one rule or rule group
- [WAF.10] A WAFv2 web ACL should have at least one rule or rule group
South America (São Paulo)
The following controls are not supported in South America (São Paulo).
- [CloudFront.1] CloudFront distributions should have a default root object configured
- [CloudFront.2] CloudFront distributions should have origin access identity enabled
- [CloudFront.3] CloudFront distributions should require encryption in transit
- [CloudFront.4] CloudFront distributions should have origin failover configured
- [CloudFront.5] CloudFront distributions should have logging enabled
- [CloudFront.6] CloudFront distributions should have WAF enabled
- [CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates
- [CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests
- [CloudFront.9] CloudFront distributions should encrypt traffic to custom origins
- [CloudFront.12] CloudFront distributions should not point to non-existent S3 origins
- [CloudFront.13] CloudFront distributions should use origin access control
- [RDS.7] RDS clusters should have deletion protection enabled
- [RDS.12] IAM authentication should be configured for RDS clusters
- [RDS.14] Amazon Aurora clusters should have backtracking enabled
- [RDS.15] RDS DB clusters should be configured for multiple Availability Zones
- [RDS.16] RDS DB clusters should be configured to copy tags to snapshots
- [RDS.24] RDS Database clusters should use a custom administrator username
- [WAF.1] AWS WAF Classic Global Web ACL logging should be enabled
- [WAF.6] A WAF global rule should have at least one condition
- [WAF.7] A WAF global rule group should have at least one rule
- [WAF.8] A WAF global web ACL should have at least one rule or rule group
AWS GovCloud (US-East)
The following controls are not supported in AWS GovCloud (US-East).
- [ACM.2] RSA certificates managed by ACM should use a key length of at least 2,048 bits
- [Account.1] Security contact information should be provided for an AWS account.
- [Account.2] AWS accounts should be part of an AWS Organizations organization
- [APIGateway.3] API Gateway REST API stages should have AWS X-Ray tracing enabled
- [APIGateway.4] API Gateway should be associated with a WAF Web ACL
- [APIGateway.8] API Gateway routes should specify an authorization type
- [APIGateway.9] Access logging should be configured for API Gateway V2 Stages
- [AppSync.2] AWS AppSync should have request-level and field-level logging turned on
- [AutoScaling.2] Amazon EC2 Auto Scaling group should cover multiple Availability Zones
- [AutoScaling.9] Amazon EC2 Auto Scaling groups should use Amazon EC2 launch templates
- [CloudFormation.1] CloudFormation stacks should be integrated with Simple Notification Service (SNS)
- [CloudFront.1] CloudFront distributions should have a default root object configured
- [CloudFront.2] CloudFront distributions should have origin access identity enabled
- [CloudFront.3] CloudFront distributions should require encryption in transit
- [CloudFront.4] CloudFront distributions should have origin failover configured
- [CloudFront.5] CloudFront distributions should have logging enabled
- [CloudFront.6] CloudFront distributions should have WAF enabled
- [CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates
- [CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests
- [CloudFront.9] CloudFront distributions should encrypt traffic to custom origins
- [CloudFront.12] CloudFront distributions should not point to non-existent S3 origins
- [CloudFront.13] CloudFront distributions should use origin access control
- [CloudWatch.15] CloudWatch alarms should have an action configured for the ALARM state
- [CloudWatch.16] CloudWatch log groups should be retained for at least 1 year
- [CloudWatch.17] CloudWatch alarm actions should be activated
- [CodeBuild.1] CodeBuild GitHub or Bitbucket source repository URLs should use OAuth
- [CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials
- [CodeBuild.4] CodeBuild project environments should have a logging AWS Configuration
- [CodeBuild.5] CodeBuild project environments should not have privileged mode enabled
- [DynamoDB.1] DynamoDB tables should automatically scale capacity with demand
- [DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest
- [DynamoDB.4] DynamoDB tables should be present in a backup plan
- [EC2.15] Amazon EC2 subnets should not automatically assign public IP addresses
- [EC2.16] Unused Network Access Control Lists should be removed
- [EC2.21] Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389
- [EC2.22] Unused Amazon EC2 security groups should be removed
- [EC2.23] Amazon EC2 Transit Gateways should not automatically accept VPC attachment requests
- [EC2.24] Amazon EC2 paravirtual instance types should not be used
- [EC2.25] Amazon EC2 launch templates should not assign public IPs to network interfaces
- [ECR.1] ECR private repositories should have image scanning configured
- [ECR.2] ECR private repositories should have tag immutability configured
- [ECR.3] ECR repositories should have at least one lifecycle policy configured
- [ECS.1] Amazon ECS task definitions should have secure networking modes and user definitions.
- [ECS.3] ECS task definitions should not share the host's process namespace
- [ECS.5] ECS containers should be limited to read-only access to root filesystems
- [ECS.8] Secrets should not be passed as container environment variables
- [ECS.10] ECS Fargate services should run on the latest Fargate platform version
- [EKS.2] EKS clusters should run on a supported Kubernetes version
- [EKS.1] EKS cluster endpoints should not be publicly accessible
- [ElastiCache.1] ElastiCache for Redis clusters should have automatic backups scheduled
- [ElastiCache.3] ElastiCache for Redis replication groups should have automatic failover enabled
- [ElastiCache.4] ElastiCache for Redis replication groups should be encrypted at rest
- [ElastiCache.5] ElastiCache for Redis replication groups should be encrypted in transit
- [ElastiCache.6] ElastiCache for Redis replication groups before version 6.0 should use Redis AUTH
- [ElastiCache.7] ElastiCache clusters should not use the default subnet group
- [ELB.10] Classic Load Balancer should span multiple Availability Zones
- [ELB.13] Application, Network and Gateway Load Balancers should span multiple Availability Zones
- [ELB.16] Application Load Balancers should be associated with an AWS WAF web ACL
- [ES.4] Elasticsearch domain error logging to CloudWatch Logs should be enabled
- [ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled
- [ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled
- [ElasticBeanstalk.3] Elastic Beanstalk should stream logs to CloudWatch
- [Lambda.5] VPC Lambda functions should operate in more than one Availability Zone
- [NetworkFirewall.3] Network Firewall policies should have at least one rule group associated
- [NetworkFirewall.6] Stateless Network Firewall rule group should not be empty
- [Opensearch.1] OpenSearch domains should have encryption at rest enabled
- [Opensearch.3] OpenSearch domains should encrypt data sent between nodes
- [Opensearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled
- [Opensearch.5] OpenSearch domains should have audit logging enabled
- [Opensearch.6] OpenSearch domains should have at least three data nodes
- [Opensearch.7] OpenSearch domains should have fine-grained access control enabled
- [Opensearch.8] Connections to OpenSearch domains should be encrypted using TLS 1.2
- [RDS.12] IAM authentication should be configured for RDS clusters
- [RDS.13] RDS automatic minor version upgrades should be enabled
- [RDS.14] Amazon Aurora clusters should have backtracking enabled
- [RDS.15] RDS DB clusters should be configured for multiple Availability Zones
- [RDS.24] RDS Database clusters should use a custom administrator username
- [RDS.25] RDS database instances should use a custom administrator username
- [RDS.26] RDS DB instances should be covered by a backup plan
- [Redshift.7] Redshift clusters should use enhanced VPC routing
- [Redshift.8] Amazon Redshift clusters should not use the default Admin username
- [Redshift.9] Redshift clusters should not use the default database name
- [S3.8] S3 Block Public Access setting should be enabled at the bucket-level
- [S3.10] S3 buckets with versioning enabled should have lifecycle policies configured
- [S3.12] S3 access control lists (ACLs) should not be used to manage user access to buckets
- [S3.13] S3 buckets should have lifecycle policies configured
- [SNS.2] Logging of delivery status should be enabled for notification messages sent to a topic
- [SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access
- [SageMaker.2] SageMaker notebook instances should be launched in a custom VPC
- [SageMaker.3] Users should not have root access to SageMaker notebook instances
- [SecretsManager.4] Secrets Manager secrets should be rotated within a specified number of days
- [StepFunctions.1] Step Functions state machines should have logging turned on
- [WAF.1] AWS WAF Classic Global Web ACL logging should be enabled
- [WAF.2] A WAF Regional rule should have at least one condition
- [WAF.3] A WAF Regional rule group should have at least one rule
- [WAF.4] A WAF Regional web ACL should have at least one rule or rule group
- [WAF.6] A WAF global rule should have at least one condition
- [WAF.7] A WAF global rule group should have at least one rule
- [WAF.8] A WAF global web ACL should have at least one rule or rule group
- [WAF.10] A WAFv2 web ACL should have at least one rule or rule group
AWS GovCloud (US-West)
The following controls are not supported in AWS GovCloud (US-West).
- [ACM.2] RSA certificates managed by ACM should use a key length of at least 2,048 bits
- [Account.1] Security contact information should be provided for an AWS account.
- [Account.2] AWS accounts should be part of an AWS Organizations organization
- [APIGateway.3] API Gateway REST API stages should have AWS X-Ray tracing enabled
- [APIGateway.4] API Gateway should be associated with a WAF Web ACL
- [APIGateway.8] API Gateway routes should specify an authorization type
- [APIGateway.9] Access logging should be configured for API Gateway V2 Stages
- [AppSync.2] AWS AppSync should have request-level and field-level logging turned on
- [AutoScaling.2] Amazon EC2 Auto Scaling group should cover multiple Availability Zones
- [AutoScaling.9] Amazon EC2 Auto Scaling groups should use Amazon EC2 launch templates
- [CloudFormation.1] CloudFormation stacks should be integrated with Simple Notification Service (SNS)
- [CloudFront.1] CloudFront distributions should have a default root object configured
- [CloudFront.2] CloudFront distributions should have origin access identity enabled
- [CloudFront.3] CloudFront distributions should require encryption in transit
- [CloudFront.4] CloudFront distributions should have origin failover configured
- [CloudFront.5] CloudFront distributions should have logging enabled
- [CloudFront.6] CloudFront distributions should have WAF enabled
- [CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates
- [CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests
- [CloudFront.9] CloudFront distributions should encrypt traffic to custom origins
- [CloudFront.12] CloudFront distributions should not point to non-existent S3 origins
- [CloudFront.13] CloudFront distributions should use origin access control
- [CloudWatch.15] CloudWatch alarms should have an action configured for the ALARM state
- [CloudWatch.16] CloudWatch log groups should be retained for at least 1 year
- [CloudWatch.17] CloudWatch alarm actions should be activated
- [CodeBuild.1] CodeBuild GitHub or Bitbucket source repository URLs should use OAuth
- [CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials
- [CodeBuild.4] CodeBuild project environments should have a logging AWS Configuration
- [CodeBuild.5] CodeBuild project environments should not have privileged mode enabled
- [DynamoDB.1] DynamoDB tables should automatically scale capacity with demand
- [DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest
- [DynamoDB.4] DynamoDB tables should be present in a backup plan
- [EC2.15] Amazon EC2 subnets should not automatically assign public IP addresses
- [EC2.16] Unused Network Access Control Lists should be removed
- [EC2.21] Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389
- [EC2.22] Unused Amazon EC2 security groups should be removed
- [EC2.23] Amazon EC2 Transit Gateways should not automatically accept VPC attachment requests
- [EC2.24] Amazon EC2 paravirtual instance types should not be used
- [EC2.25] Amazon EC2 launch templates should not assign public IPs to network interfaces
- [ECR.1] ECR private repositories should have image scanning configured
- [ECR.2] ECR private repositories should have tag immutability configured
- [ECR.3] ECR repositories should have at least one lifecycle policy configured
- [ECS.1] Amazon ECS task definitions should have secure networking modes and user definitions.
- [ECS.3] ECS task definitions should not share the host's process namespace
- [ECS.5] ECS containers should be limited to read-only access to root filesystems
- [ECS.8] Secrets should not be passed as container environment variables
- [ECS.10] ECS Fargate services should run on the latest Fargate platform version
- [EKS.2] EKS clusters should run on a supported Kubernetes version
- [EKS.1] EKS cluster endpoints should not be publicly accessible
- [ElastiCache.1] ElastiCache for Redis clusters should have automatic backups scheduled
- [ElastiCache.3] ElastiCache for Redis replication groups should have automatic failover enabled
- [ElastiCache.4] ElastiCache for Redis replication groups should be encrypted at rest
- [ElastiCache.5] ElastiCache for Redis replication groups should be encrypted in transit
- [ElastiCache.6] ElastiCache for Redis replication groups before version 6.0 should use Redis AUTH
- [ElastiCache.7] ElastiCache clusters should not use the default subnet group
- [ELB.10] Classic Load Balancer should span multiple Availability Zones
- [ELB.13] Application, Network and Gateway Load Balancers should span multiple Availability Zones
- [ELB.16] Application Load Balancers should be associated with an AWS WAF web ACL
- [ES.4] Elasticsearch domain error logging to CloudWatch Logs should be enabled
- [ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled
- [ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled
- [ElasticBeanstalk.3] Elastic Beanstalk should stream logs to CloudWatch
- [Lambda.5] VPC Lambda functions should operate in more than one Availability Zone
- [NetworkFirewall.3] Network Firewall policies should have at least one rule group associated
- [NetworkFirewall.6] Stateless Network Firewall rule group should not be empty
- [Opensearch.1] OpenSearch domains should have encryption at rest enabled
- [Opensearch.3] OpenSearch domains should encrypt data sent between nodes
- [Opensearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled
- [Opensearch.5] OpenSearch domains should have audit logging enabled
- [Opensearch.6] OpenSearch domains should have at least three data nodes
- [Opensearch.7] OpenSearch domains should have fine-grained access control enabled
- [Opensearch.8] Connections to OpenSearch domains should be encrypted using TLS 1.2
- [RDS.12] IAM authentication should be configured for RDS clusters
- [RDS.13] RDS automatic minor version upgrades should be enabled
- [RDS.14] Amazon Aurora clusters should have backtracking enabled
- [RDS.15] RDS DB clusters should be configured for multiple Availability Zones
- [RDS.24] RDS Database clusters should use a custom administrator username
- [RDS.25] RDS database instances should use a custom administrator username
- [RDS.26] RDS DB instances should be covered by a backup plan
- [Redshift.7] Redshift clusters should use enhanced VPC routing
- [Redshift.8] Amazon Redshift clusters should not use the default Admin username
- [Redshift.9] Redshift clusters should not use the default database name
- [S3.8] S3 Block Public Access setting should be enabled at the bucket-level
- [S3.10] S3 buckets with versioning enabled should have lifecycle policies configured
- [S3.12] S3 access control lists (ACLs) should not be used to manage user access to buckets
- [S3.13] S3 buckets should have lifecycle policies configured
- [SNS.2] Logging of delivery status should be enabled for notification messages sent to a topic
- [SageMaker.2] SageMaker notebook instances should be launched in a custom VPC
- [SageMaker.3] Users should not have root access to SageMaker notebook instances
- [SecretsManager.4] Secrets Manager secrets should be rotated within a specified number of days
- [StepFunctions.1] Step Functions state machines should have logging turned on
- [WAF.1] AWS WAF Classic Global Web ACL logging should be enabled
- [WAF.2] A WAF Regional rule should have at least one condition
- [WAF.3] A WAF Regional rule group should have at least one rule
- [WAF.4] A WAF Regional web ACL should have at least one rule or rule group
- [WAF.6] A WAF global rule should have at least one condition
- [WAF.7] A WAF global rule group should have at least one rule
- [WAF.8] A WAF global web ACL should have at least one rule or rule group
- [WAF.10] A WAFv2 web ACL should have at least one rule or rule group