Supported Regions - AWS Security Hub

To view the Regions that AWS Security Hub is available in, see Security Hub Service Endpoints.

Cross-Region aggregation restrictions

Cross-Region aggregation is not available in the AWS GovCloud (US) Region. In the China Regions, cross-Region aggregation is only available across the China Regions (specifically, you can only aggregate data from China (Beijing) to China (Ningxia), or vice versa).

You cannot use a Region that is disabled by default as your aggregation Region. For a list of Regions that are disabled by default, see Enabling a Region in the AWS General Reference.

Integrations not supported in all Regions

Some integrations are not available in all Regions. If an integration is not supported in a Region, it is not listed on the Integrations page in that Region.

Integrations that are supported in China (Beijing) and China (Ningxia)

The China (Beijing) and China (Ningxia) Regions only support the following integrations with AWS services:

  • AWS Firewall Manager

  • Amazon GuardDuty

  • IAM Access Analyzer

  • Systems Manager Explorer and OpsCenter

  • Systems Manager Patch Manager

The China (Beijing) and China (Ningxia) Regions only support the following third-party integrations:

  • Cloud Custodian

  • FireEye Helix

  • Helecloud

  • IBM QRadar

  • PagerDuty

  • Palo Alto Networks Cortex XSOAR

  • Palo Alto Networks VM-Series

  • Prowler

  • RSA Archer

  • Splunk Enterprise

  • Splunk Phantom

  • ThreatModeler

Integrations that are supported in AWS GovCloud (US-East) and AWS GovCloud (US-West)

The AWS GovCloud (US-East) and AWS GovCloud (US-West) Regions only support the following integrations with AWS services:

  • Amazon Detective

  • AWS Firewall Manager

  • Amazon GuardDuty

  • Amazon Inspector

  • IAM Access Analyzer

The AWS GovCloud (US-East) and AWS GovCloud (US-West) Regions only support the following third-party integrations:

  • Atlassian Jira Service Manager

  • Atlassian OpsGenie

  • Caveonix Cloud

  • Cloud Custodian

  • Cloud Storage Security Antivirus for Amazon S3

  • cloudtamer.io

  • CrowdStrike Falcon

  • FireEye Helix

  • Forcepoint CASB

  • Forcepoint DLP

  • Forcepoint NGFW

  • MicroFocus ArcSight

  • NETSCOUT Cyber Investigator

  • PagerDuty

  • Palo Alto Networks – Prisma Cloud Compute

  • Palo Alto Networks – Prisma Cloud Enterprise

  • Palo Alto Networks – VM-Series

  • Prowler

  • Rackspace Technology – Cloud Native Security

  • Rapid7 InsightConnect

  • RSA Archer

  • SecureCloudDb

  • ServiceNow ITSM

  • Slack

  • ThreatModeler

  • Vectra AI Cognito Detect

Controls not supported in all Regions

The following Regions do not support all of the Security Hub controls. For each Region, this list shows the controls that are not supported.

US East (Ohio)

The following controls are not supported in US East (Ohio).

US West (N. California)

The following controls are not supported in US West (N. California).

US West (Oregon)

The following controls are not supported in US West (Oregon).

Africa (Cape Town)

The following controls are not supported in Africa (Cape Town).

CIS AWS Foundations Benchmark standard

1.4 – Ensure access keys are rotated every 90 days or less

1.20 – Ensure a support role has been created to manage incidents with AWS Support

4.1 – Ensure no security groups allow ingress from 0.0.0.0/0 to port 22

4.2 – Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389

Payment Card Industry Data Security Standard (PCI DSS)

[PCI.CodeBuild.1] CodeBuild GitHub or Bitbucket source repository URLs should use OAuth

[PCI.CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials

[PCI.DMS.1] AWS Database Migration Service replication instances should not be public

[PCI.EC2.1] Amazon EBS snapshots should not be publicly restorable

[PCI.EC2.4] Unused EC2 EIPs should be removed

[PCI.EC2.5] Security groups should not allow ingress from 0.0.0.0/0 to port 22

[PCI.ELBV2.1] Application Load Balancer should be configured to redirect all HTTP requests to HTTPS

[PCI.GuardDuty.1] GuardDuty should be enabled

[PCI.IAM.1] IAM root user access key should not exist

[PCI.RDS.1] Amazon RDS snapshots should prohibit public access

[PCI.SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access

[PCI.SSM.1] Amazon EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation

[PCI.SSM.2] Instances managed by Systems Manager should have an association compliance status of COMPLIANT

AWS Foundational Security Best Practices standard

[ACM.1] Imported and ACM-issued certificates should be renewed after a specified time period

[APIGateway.1] API Gateway REST and WebSocket API logging should be enabled

[CloudFormation.1] CloudFormation stacks should be integrated with Simple Notification Service (SNS)

[CloudFront.1] CloudFront distributions should have a default root object configured

[CloudFront.2] CloudFront distributions should have origin access identity enabled

[CloudFront.3] CloudFront distributions should require encryption in transit

[CloudFront.4] CloudFront distributions should have origin failover configured

[CloudFront.5] CloudFront distributions should have logging enabled

[CloudFront.6] CloudFront distributions should have AWS WAF enabled

[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates

[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests

[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins

[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins

[CodeBuild.1] CodeBuild GitHub or Bitbucket source repository URLs should use OAuth

[CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials

[DMS.1] AWS Database Migration Service replication instances should not be public

[EC2.1] Amazon EBS snapshots should not be public, determined by the availability to be restorable by anyone

[EC2.3] Attached EBS volumes should be encrypted at rest

[EC2.4] Stopped EC2 instances should be removed after a specified time period

[EC2.8] EC2 instances should use IMDSv2

[EC2.24] Paravirtual EC2 instance types should not be used

[EFS.1] Amazon EFS should be configured to encrypt file data at rest using AWS KMS

[EFS.2] Amazon EFS volumes should be in backup plans

[ELB.2] Classic Load Balancers with SSL/HTTPS listeners should use a certificate provided by AWS Certificate Manager

[ELB.4] Application load balancers should be configured to drop HTTP headers

[ELB.8] Classic Load Balancers with HTTPS/SSL listeners should use a predefined security policy that has strong configuration

[ELBv2.1] Application Load Balancer should be configured to redirect all HTTP requests to HTTPS

[EMR.1] Amazon EMR cluster master nodes should not have public IP addresses

[ES.3] Elasticsearch domains should encrypt data sent between nodes

[GuardDuty.1] GuardDuty should be enabled

[IAM.3] IAM users' access keys should be rotated every 90 days or less

[IAM.4] IAM root user access key should not exist

[OpenSearch.7] OpenSearch domains should have fine-grained access control enabled

[RDS.1] RDS snapshots should be private

[RDS.9] Database logging should be enabled

[RDS.10] IAM authentication should be configured for RDS instances

[RDS.14] Amazon Aurora clusters should have backtracking enabled

[Redshift.3] Amazon Redshift clusters should have automatic snapshots enabled

[S3.1] S3 Block Public Access setting should be enabled

[SageMaker.1] SageMaker notebook instances should not have direct internet access

[SSM.2] All EC2 instances managed by Systems Manager should be compliant with patching requirements

[SSM.3] Instances managed by Systems Manager should have an association compliance status of COMPLIANT

[OpenSearch.1] OpenSearch domains should have encryption at rest enabled

[OpenSearch.2] OpenSearch domains should be in a VPC

[OpenSearch.3] OpenSearch domains should encrypt data sent between nodes

[OpenSearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled

[OpenSearch.5] OpenSearch domains should have audit logging enabled

[OpenSearch.6] OpenSearch domains should have at least three data nodes

[OpenSearch.8] Connections to OpenSearch domains should be encrypted using TLS 1.2

[WAF.1] AWS WAF Classic global web ACL logging should be enabled

[WAF.6] A WAF global rule should have at least one condition

[WAF.7] A WAF global rule group should have at least one rule

[WAF.8] A WAF global web ACL should have at least one rule or rule group

Asia Pacific (Hong Kong)

The following controls are not supported in Asia Pacific (Hong Kong).

Asia Pacific (Jakarta)

The following controls are not supported in Asia Pacific (Jakarta).

CIS AWS Foundations Benchmark standard

1.12 – Ensure no root user access key exists

1.20 – Ensure a support role has been created to manage incidents with AWS Support

2.9 – Ensure VPC flow logging is enabled in all VPCs

4.1 – Ensure no security groups allow ingress from 0.0.0.0/0 to port 22

4.2 – Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389

4.3 – Ensure the default security group of every VPC restricts all traffic

Payment Card Industry Data Security Standard (PCI DSS)

[PCI.CodeBuild.1] CodeBuild GitHub or Bitbucket source repository URLs should use OAuth

[PCI.CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials

[PCI.DMS.1] AWS Database Migration Service replication instances should not be public

[PCI.EC2.1] Amazon EBS snapshots should not be publicly restorable

[PCI.EC2.2] VPC default security group should prohibit inbound and outbound traffic

[PCI.EC2.5] Security groups should not allow ingress from 0.0.0.0/0 to port 22

[PCI.EC2.6] VPC flow logging should be enabled in all VPCs

[PCI.ELBV2.1] Application Load Balancer should be configured to redirect all HTTP requests to HTTPS

[PCI.ES.1] Elasticsearch domains should be in a VPC

[PCI.ES.2] Elasticsearch domains should have encryption at rest enabled

[PCI.GuardDuty.1] GuardDuty should be enabled

[PCI.IAM.1] IAM root user access key should not exist

[PCI.Lambda.2] Lambda functions should be in a VPC

[PCI.OpenSearch.1] Amazon OpenSearch Service domains should be in a VPC

[PCI.OpenSearch.2] OpenSearch domains should have encryption at rest enabled

[PCI.RDS.1] Amazon RDS snapshots should prohibit public access

[PCI.Redshift.1] Amazon Redshift clusters should prohibit public access

[PCI.SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access

[PCI.SSM.1] Amazon EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation

[PCI.SSM.2] Instances managed by Systems Manager should have an association compliance status of COMPLIANT

[PCI.SSM.3] EC2 instances should be managed by AWS Systems Manager

AWS Foundational Security Best Practices standard

[APIGateway.1] API Gateway REST and WebSocket API logging should be enabled

[APIGateway.2] API Gateway REST API stages should be configured to use SSL certificates for backend authentication

[APIGateway.3] API Gateway REST API stages should have AWS X-Ray tracing enabled

[APIGateway.4] API Gateway should be associated with an AWS WAF web ACL

[AutoScaling.2] Amazon EC2 Auto Scaling group should cover multiple Availability Zones

[AutoScaling.3] Auto Scaling group should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2)

[AutoScaling.4] Auto Scaling group launch configuration should not have metadata response hop limit greater than 1

[AutoScaling.5] Amazon EC2 instances launched using Auto Scaling group launch configurations should not have Public IP addresses

[AutoScaling.6] Auto Scaling groups should use multiple instance types in multiple Availability Zones

[CloudFormation.1] CloudFormation stacks should be integrated with Simple Notification Service (SNS)

[CloudFront.1] CloudFront distributions should have a default root object configured

[CloudFront.2] CloudFront distributions should have origin access identity enabled

[CloudFront.3] CloudFront distributions should require encryption in transit

[CloudFront.4] CloudFront distributions should have origin failover configured

[CloudFront.5] CloudFront distributions should have logging enabled

[CloudFront.6] CloudFront distributions should have AWS WAF enabled

[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates

[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests

[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins

[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins

[CodeBuild.1] CodeBuild GitHub or Bitbucket source repository URLs should use OAuth

[CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials

[CodeBuild.4] CodeBuild project environments should have a logging configuration

[CodeBuild.5] CodeBuild project environments should not have privileged mode enabled

[DMS.1] AWS Database Migration Service replication instances should not be public

[DynamoDB.2] DynamoDB tables should have point-in-time recovery enabled

[DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest

[EC2.1] Amazon EBS snapshots should not be public, determined by the availability to be restorable by anyone

[EC2.2] The VPC default security group should not allow inbound and outbound traffic

[EC2.3] Attached EBS volumes should be encrypted at rest

[EC2.4] Stopped EC2 instances should be removed after a specified time period

[EC2.6] VPC flow logging should be enabled in all VPCs

[EC2.7] EBS default encryption should be enabled

[EC2.8] EC2 instances should use IMDSv2

[EC2.9] EC2 instances should not have a public IP address

[EC2.10] Amazon EC2 should be configured to use VPC endpoints that are created for the Amazon EC2 service

[EC2.15] EC2 subnets should not automatically assign public IP addresses

[EC2.16] Unused network access control lists should be removed

[EC2.17] EC2 instances should not use multiple ENIs

[EC2.18] Security groups should only allow unrestricted incoming traffic for authorized ports

[EC2.20] Both VPN tunnels for an AWS Site-to-Site VPN connection should be up

[EC2.21] Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389

[EC2.22] Unused EC2 security groups should be removed

[EC2.24] Paravirtual EC2 instance types should not be used

[EC2.27] Running EC2 Instances should not use key pairs

[ECR.1] ECR private repositories should have image scanning configured

[ECR.2] ECR private repositories should have tag immutability configured

[ECR.3] ECR repositories should have at least one lifecycle policy configured

[ECS.3] ECS task definitions should not share the host's process namespace

[ECS.4] ECS containers should run as non-privileged

[ECS.5] ECS containers should be limited to read-only access to root filesystems

[ECS.8] Secrets should not be passed as container environment variables

[ECS.10] Fargate services should run on the latest Fargate platform version

[ECS.12] ECS clusters should have Container Insights enabled

[EFS.1] Amazon EFS should be configured to encrypt file data at rest using AWS KMS

[EFS.2] Amazon EFS volumes should be in backup plans

[EFS.3] EFS access points should enforce a root directory

[ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled

[ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled

[ELB.2] Classic Load Balancers with SSL/HTTPS listeners should use a certificate provided by AWS Certificate Manager

[ELB.3] Classic Load Balancer listeners should be configured with HTTPS or TLS termination

[ELB.4] Application load balancers should be configured to drop HTTP headers

[ELB.6] Application Load Balancer deletion protection should be enabled

[ELB.8] Classic Load Balancers with HTTPS/SSL listeners should use a predefined security policy that has strong configuration

[ELB.9] Classic Load Balancers should have cross-zone load balancing enabled

[ELB.10] Classic Load Balancers should span multiple Availability Zones

[ELB.12] Application Load Balancers should be configured with defensive or strictest desync mitigation mode

[ELB.13] Application, Network, and Gateway Load Balancers should span multiple Availability Zones

[ELBv2.1] Application Load Balancer should be configured to redirect all HTTP requests to HTTPS

[EMR.1] Amazon EMR cluster master nodes should not have public IP addresses

[ES.1] Elasticsearch domains should have encryption at rest enabled

[ES.2] Elasticsearch domains should be in a VPC

[ES.3] Elasticsearch domains should encrypt data sent between nodes

[GuardDuty.1] GuardDuty should be enabled

[IAM.4] IAM root user access key should not exist

[IAM.21] IAM customer managed policies that you create should not allow wildcard actions for services

[KMS.1] IAM customer managed policies should not allow decryption and re-encryption actions on all KMS keys

[KMS.2] IAM principals should not have IAM inline policies that allow decryption and re-encryption actions on all KMS keys

[Lambda.5] VPC Lambda functions should operate in more than one Availability Zone

[NetworkFirewall.3] Network Firewall policies should have at least one rule group associated

[NetworkFirewall.4] The default stateless action for Network Firewall policies should be drop or forward for full packets

[NetworkFirewall.5] The default stateless action for Network Firewall policies should be drop or forward for fragmented packets

[OpenSearch.1] OpenSearch domains should have encryption at rest enabled

[OpenSearch.2] OpenSearch domains should be in a VPC

[OpenSearch.3] OpenSearch domains should encrypt data sent between nodes

[OpenSearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled

[OpenSearch.5] OpenSearch domains should have audit logging enabled

[OpenSearch.6] OpenSearch domains should have at least three data nodes

[OpenSearch.7] OpenSearch domains should have fine-grained access control enabled

[OpenSearch.8] Connections to OpenSearch domains should be encrypted using TLS 1.2

[RDS.1] RDS snapshots should be private

[RDS.4] RDS cluster snapshots and database snapshots should be encrypted at rest

[RDS.6] Enhanced monitoring should be configured for RDS DB instances and clusters

[RDS.7] RDS clusters should have deletion protection enabled

[RDS.8] RDS DB instances should have deletion protection enabled

[RDS.9] Database logging should be enabled

[RDS.10] IAM authentication should be configured for RDS instances

[RDS.11] Amazon RDS instances should have automatic backups enabled

[RDS.12] IAM authentication should be configured for RDS clusters

[RDS.13] RDS automatic minor version upgrades should be enabled

[RDS.14] Amazon Aurora clusters should have backtracking enabled

[RDS.15] RDS DB clusters should be configured for multiple Availability Zones

[RDS.16] RDS DB clusters should be configured to copy tags to snapshots

[RDS.24] RDS database clusters should use a custom administrator username

[RDS.25] RDS database instances should use a custom administrator username

[Redshift.1] Amazon Redshift clusters should prohibit public access

[Redshift.2] Connections to Amazon Redshift clusters should be encrypted in transit

[Redshift.3] Amazon Redshift clusters should have automatic snapshots enabled

[Redshift.7] Amazon Redshift clusters should use enhanced VPC routing

[Redshift.8] Amazon Redshift clusters should not use the default Admin username

[Redshift.9] Redshift clusters should not use the default database name

[S3.8] S3 Block Public Access setting should be enabled at the bucket level

[S3.10] S3 buckets with versioning enabled should have lifecycle policies configured

[S3.11] S3 buckets should have event notifications enabled

[S3.12] S3 access control lists (ACLs) should not be used to manage user access to buckets

[S3.13] S3 buckets should have lifecycle policies configured

[SageMaker.1] SageMaker notebook instances should not have direct internet access

[SecretsManager.1] Secrets Manager secrets should have automatic rotation enabled

[SecretsManager.2] Secrets Manager secrets configured with automatic rotation should rotate successfully

[SecretsManager.3] Remove unused Secrets Manager secrets

[SNS.1] SNS topics should be encrypted at rest using AWS KMS

[SNS.2] Logging of delivery status should be enabled for notification messages sent to a topic

[SQS.1] Amazon SQS queues should be encrypted at rest

[SSM.1] EC2 instances should be managed by AWS Systems Manager

[SSM.2] All EC2 instances managed by Systems Manager should be compliant with patching requirements

[SSM.3] Instances managed by Systems Manager should have an association compliance status of COMPLIANT

[WAF.1] AWS WAF Classic global web ACL logging should be enabled

[WAF.2] A WAF Regional rule should have at least one condition

[WAF.3] A WAF Regional rule group should have at least one rule

[WAF.4] A WAF Classic Regional web ACL should have at least one rule or rule group

[WAF.6] A WAF global rule should have at least one condition

[WAF.7] A WAF global rule group should have at least one rule

[WAF.8] A WAF global web ACL should have at least one rule or rule group

Asia Pacific (Mumbai)

The following controls are not supported in Asia Pacific (Mumbai).

Asia Pacific (Osaka)

The following controls are not supported in Asia Pacific (Osaka).

CIS AWS Foundations Benchmark standard

1.12 – Ensure no root user access key exists

1.20 – Ensure a support role has been created to manage incidents with AWS Support

4.1 – Ensure no security groups allow ingress from 0.0.0.0/0 to port 22

4.2 – Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389

Payment Card Industry Data Security Standard (PCI DSS)

[PCI.CodeBuild.1] CodeBuild GitHub or Bitbucket source repository URLs should use OAuth

[PCI.CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials

[PCI.DMS.1] AWS Database Migration Service replication instances should not be public

[PCI.EC2.1] Amazon EBS snapshots should not be publicly restorable

[PCI.EC2.5] Security groups should not allow ingress from 0.0.0.0/0 to port 22

[PCI.ELBV2.1] Application Load Balancer should be configured to redirect all HTTP requests to HTTPS

[PCI.ES.1] Elasticsearch domains should be in a VPC

[PCI.ES.2] Elasticsearch domains should have encryption at rest enabled

[PCI.GuardDuty.1] GuardDuty should be enabled

[PCI.IAM.1] IAM root user access key should not exist

[PCI.Lambda.1] Lambda functions should prohibit public access

[PCI.Lambda.2] Lambda functions should be in a VPC

[PCI.RDS.1] Amazon RDS snapshots should prohibit public access

[PCI.Redshift.1] Amazon Redshift clusters should prohibit public access

[PCI.S3.6] S3 Block Public Access setting should be enabled

[PCI.SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access

[PCI.SSM.1] Amazon EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation

[PCI.SSM.2] Instances managed by Systems Manager should have an association compliance status of COMPLIANT

AWS Foundational Security Best Practices standard

[APIGateway.2] API Gateway REST API stages should be configured to use SSL certificates for backend authentication

[APIGateway.3] API Gateway REST API stages should have AWS X-Ray tracing enabled

[APIGateway.4] API Gateway should be associated with an AWS WAF web ACL

[AutoScaling.5] Amazon EC2 instances launched using Auto Scaling group launch configurations should not have Public IP addresses

[CloudFormation.1] CloudFormation stacks should be integrated with Simple Notification Service (SNS)

[CloudFront.1] CloudFront distributions should have a default root object configured

[CloudFront.2] CloudFront distributions should have origin access identity enabled

[CloudFront.3] CloudFront distributions should require encryption in transit

[CloudFront.4] CloudFront distributions should have origin failover configured

[CloudFront.5] CloudFront distributions should have logging enabled

[CloudFront.6] CloudFront distributions should have AWS WAF enabled

[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates

[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests

[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins

[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins

[CodeBuild.4] CodeBuild project environments should have a logging configuration

[CodeBuild.5] CodeBuild project environments should not have privileged mode enabled

[EC2.15] EC2 subnets should not automatically assign public IP addresses

[EC2.16] Unused network access control lists should be removed

[EC2.17] EC2 instances should not use multiple ENIs

[EC2.18] Security groups should only allow unrestricted incoming traffic for authorized ports

[EC2.20] Both VPN tunnels for an AWS Site-to-Site VPN connection should be up

[EC2.22] Unused EC2 security groups should be removed

[EC2.23] EC2 Transit Gateways should not automatically accept VPC attachment requests

[EC2.24] Paravirtual EC2 instance types should not be used

[ECR.2] ECR private repositories should have tag immutability configured

[ECS.1] Amazon ECS task definitions should have secure networking modes and user definitions

[ECS.2] Amazon ECS services should not have public IP addresses assigned to them automatically

[ECS.3] ECS task definitions should not share the host's process namespace

[ECS.4] ECS containers should run as non-privileged

[ECS.8] Secrets should not be passed as container environment variables

[ECS.10] Fargate services should run on the latest Fargate platform version

[ECS.12] ECS clusters should have Container Insights enabled

[EFS.4] EFS access points should enforce a user identity

[EKS.2] EKS clusters should run on a supported Kubernetes version

[ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled

[ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled

[ELB.2] Classic Load Balancers with SSL/HTTPS listeners should use a certificate provided by AWS Certificate Manager

[ELB.4] Application load balancers should be configured to drop HTTP headers

[ELB.8] Classic Load Balancers with HTTPS/SSL listeners should use a predefined security policy that has strong configuration

[ELB.9] Classic Load Balancers should have cross-zone load balancing enabled

[IAM.21] IAM customer managed policies that you create should not allow wildcard actions for services

[KMS.3] AWS KMS keys should not be unintentionally deleted

[Lambda.5] VPC Lambda functions should operate in more than one Availability Zone

[OpenSearch.1] OpenSearch domains should have encryption at rest enabled

[OpenSearch.2] OpenSearch domains should be in a VPC

[OpenSearch.3] OpenSearch domains should encrypt data sent between nodes

[OpenSearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled

[OpenSearch.5] OpenSearch domains should have audit logging enabled

[OpenSearch.6] OpenSearch domains should have at least three data nodes

[OpenSearch.7] OpenSearch domains should have fine-grained access control enabled

[OpenSearch.8] Connections to OpenSearch domains should be encrypted using TLS 1.2

[RDS.9] Database logging should be enabled

[RDS.10] IAM authentication should be configured for RDS instances

[RDS.12] IAM authentication should be configured for RDS clusters

[RDS.13] RDS automatic minor version upgrades should be enabled

[RDS.14] Amazon Aurora clusters should have backtracking enabled

[RDS.15] RDS DB clusters should be configured for multiple Availability Zones

[Redshift.3] Amazon Redshift clusters should have automatic snapshots enabled

[Redshift.7] Amazon Redshift clusters should use enhanced VPC routing

[S3.8] S3 Block Public Access setting should be enabled at the bucket level

[SecretsManager.3] Remove unused Secrets Manager secrets

[SecretsManager.4] Secrets Manager secrets should be rotated within a specified number of days

[WAF.1] AWS WAF Classic global web ACL logging should be enabled

[WAF.3] A WAF Regional rule group should have at least one rule

[WAF.6] A WAF global rule should have at least one condition

[WAF.7] A WAF global rule group should have at least one rule

[WAF.8] A WAF global web ACL should have at least one rule or rule group

Asia Pacific (Seoul)

The following controls are not supported in Asia Pacific (Seoul).

Asia Pacific (Singapore)

The following controls are not supported in Asia Pacific (Singapore).

Asia Pacific (Sydney)

The following controls are not supported in Asia Pacific (Sydney).

Asia Pacific (Tokyo)

The following controls are not supported in Asia Pacific (Tokyo).

Canada (Central)

The following controls are not supported in Canada (Central).

China (Beijing)

The following controls are not supported in China (Beijing).

CIS AWS Foundations Benchmark standard

1.13 – Ensure MFA is enabled for the root user

1.14 – Ensure hardware MFA is enabled for the root user

Payment Card Industry Data Security Standard (PCI DSS)

[PCI.GuardDuty.1] GuardDuty should be enabled

[PCI.IAM.4] Hardware MFA should be enabled for the root user

[PCI.IAM.5] Virtual MFA should be enabled for the root user

[PCI.Lambda.1] Lambda functions should prohibit public access

[PCI.Lambda.2] Lambda functions should be in a VPC

[PCI.SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access

AWS Foundational Security Best Practices standard

[ACM.1] Imported and ACM-issued certificates should be renewed after a specified time period

[APIGateway.2] API Gateway REST API stages should be configured to use SSL certificates for backend authentication

[APIGateway.3] API Gateway REST API stages should have AWS X-Ray tracing enabled

[APIGateway.4] API Gateway should be associated with an AWS WAF web ACL

[AutoScaling.2] Amazon EC2 Auto Scaling group should cover multiple Availability Zones

[AutoScaling.3] Auto Scaling group should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2)

[AutoScaling.4] Auto Scaling group launch configuration should not have metadata response hop limit greater than 1

[AutoScaling.6] Auto Scaling groups should use multiple instance types in multiple Availability Zones

[CloudFormation.1] CloudFormation stacks should be integrated with Simple Notification Service (SNS)

[CloudFront.1] CloudFront distributions should have a default root object configured

[CloudFront.2] CloudFront distributions should have origin access identity enabled

[CloudFront.3] CloudFront distributions should require encryption in transit

[CloudFront.4] CloudFront distributions should have origin failover configured

[CloudFront.5] CloudFront distributions should have logging enabled

[CloudFront.6] CloudFront distributions should have AWS WAF enabled

[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates

[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests

[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins

[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins

[CodeBuild.4] CodeBuild project environments should have a logging configuration

[CodeBuild.5] CodeBuild project environments should not have privileged mode enabled

[EC2.15] EC2 subnets should not automatically assign public IP addresses

[EC2.16] Unused network access control lists should be removed

[EC2.20] Both VPN tunnels for an AWS Site-to-Site VPN connection should be up

[EC2.21] Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389

[EC2.22] Unused EC2 security groups should be removed

[EC2.23] EC2 Transit Gateways should not automatically accept VPC attachment requests

[EC2.24] Paravirtual EC2 instance types should not be used

[EC2.27] Running EC2 Instances should not use key pairs

[ECR.1] ECR private repositories should have image scanning configured

[ECR.2] ECR private repositories should have tag immutability configured

[ECR.3] ECR repositories should have at least one lifecycle policy configured

[ECS.1] Amazon ECS task definitions should have secure networking modes and user definitions

[ECS.3] ECS task definitions should not share the host's process namespace

[ECS.4] ECS containers should run as non-privileged

[ECS.5] ECS containers should be limited to read-only access to root filesystems

[ECS.8] Secrets should not be passed as container environment variables

[ECS.10] Fargate services should run on the latest Fargate platform version

[ECS.12] ECS clusters should have Container Insights enabled

[EFS.3] EFS access points should enforce a root directory

[EFS.4] EFS access points should enforce a user identity

[EKS.2] EKS clusters should run on a supported Kubernetes version

[ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled

[ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled

[ELB.2] Classic Load Balancers with SSL/HTTPS listeners should use a certificate provided by AWS Certificate Manager

[ELB.10] Classic Load Balancers should span multiple Availability Zones

[ELB.12] Application Load Balancers should be configured with defensive or strictest desync mitigation mode

[ELB.13] Application, Network, and Gateway Load Balancers should span multiple Availability Zones

[ELB.14] Classic Load Balancers should be configured with defensive or strictest desync mitigation mode

[ES.3] Elasticsearch domains should encrypt data sent between nodes

[ES.4] Elasticsearch domain error logging to CloudWatch Logs should be enabled

[GuardDuty.1] GuardDuty should be enabled

[IAM.6] Hardware MFA should be enabled for the root user

[IAM.21] IAM customer managed policies that you create should not allow wildcard actions for services

[Kinesis.1] Kinesis Data Streams should be encrypted at rest

[Lambda.1] Lambda function policies should prohibit public access

[Lambda.2] Lambda functions should use supported runtimes

[Lambda.5] VPC Lambda functions should operate in more than one Availability Zone

[NetworkFirewall.3] Network Firewall policies should have at least one rule group associated

[NetworkFirewall.4] The default stateless action for Network Firewall policies should be drop or forward for full packets

[NetworkFirewall.5] The default stateless action for Network Firewall policies should be drop or forward for fragmented packets

[OpenSearch.1] OpenSearch domains should have encryption at rest enabled

[OpenSearch.2] OpenSearch domains should be in a VPC

[OpenSearch.3] OpenSearch domains should encrypt data sent between nodes

[OpenSearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled

[OpenSearch.5] OpenSearch domains should have audit logging enabled

[OpenSearch.6] OpenSearch domains should have at least three data nodes

[OpenSearch.7] OpenSearch domains should have fine-grained access control enabled

[OpenSearch.8] Connections to OpenSearch domains should be encrypted using TLS 1.2

[RDS.7] RDS clusters should have deletion protection enabled

[RDS.10] IAM authentication should be configured for RDS instances

[RDS.12] IAM authentication should be configured for RDS clusters

[RDS.13] RDS automatic minor version upgrades should be enabled

[RDS.14] Amazon Aurora clusters should have backtracking enabled

[RDS.15] RDS DB clusters should be configured for multiple Availability Zones

[RDS.16] RDS DB clusters should be configured to copy tags to snapshots

[RDS.24] RDS database clusters should use a custom administrator username

[RDS.25] RDS database instances should use a custom administrator username

[Redshift.7] Amazon Redshift clusters should use enhanced VPC routing

[Redshift.8] Amazon Redshift clusters should not use the default Admin username

[Redshift.9] Redshift clusters should not use the default database name

[S3.8] S3 Block Public Access setting should be enabled at the bucket level

[S3.11] S3 buckets should have event notifications enabled

[S3.12] S3 access control lists (ACLs) should not be used to manage user access to buckets

[S3.13] S3 buckets should have lifecycle policies configured

[SageMaker.1] SageMaker notebook instances should not have direct internet access

[SecretsManager.3] Remove unused Secrets Manager secrets

[SecretsManager.4] Secrets Manager secrets should be rotated within a specified number of days

[SNS.2] Logging of delivery status should be enabled for notification messages sent to a topic

[SSM.4] SSM documents should not be public

[WAF.1] AWS WAF Classic global web ACL logging should be enabled

[WAF.2] A WAF Regional rule should have at least one condition

[WAF.3] A WAF Regional rule group should have at least one rule

[WAF.4] A WAF Classic Regional web ACL should have at least one rule or rule group

[WAF.6] A WAF global rule should have at least one condition

[WAF.7] A WAF global rule group should have at least one rule

[WAF.8] A WAF global web ACL should have at least one rule or rule group

China (Ningxia)

The following controls are not supported in China (Ningxia).

CIS AWS Foundations Benchmark standard

1.13 – Ensure MFA is enabled for the root user

1.14 – Ensure hardware MFA is enabled for the root user

Payment Card Industry Data Security Standard (PCI DSS)

[PCI.GuardDuty.1] GuardDuty should be enabled

[PCI.IAM.4] Hardware MFA should be enabled for the root user

[PCI.IAM.5] Virtual MFA should be enabled for the root user

[PCI.Lambda.1] Lambda functions should prohibit public access

[PCI.Lambda.2] Lambda functions should be in a VPC

[PCI.SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access

AWS Foundational Security Best Practices standard

[ACM.1] Imported and ACM-issued certificates should be renewed after a specified time period

[APIGateway.2] API Gateway REST API stages should be configured to use SSL certificates for backend authentication

[APIGateway.3] API Gateway REST API stages should have AWS X-Ray tracing enabled

[APIGateway.4] API Gateway should be associated with an AWS WAF web ACL

[AutoScaling.2] Amazon EC2 Auto Scaling group should cover multiple Availability Zones

[AutoScaling.3] Auto Scaling group should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2)

[AutoScaling.4] Auto Scaling group launch configuration should not have metadata response hop limit greater than 1

[AutoScaling.6] Auto Scaling groups should use multiple instance types in multiple Availability Zones

[CloudFormation.1] CloudFormation stacks should be integrated with Simple Notification Service (SNS)

[CloudFront.1] CloudFront distributions should have a default root object configured

[CloudFront.2] CloudFront distributions should have origin access identity enabled

[CloudFront.3] CloudFront distributions should require encryption in transit

[CloudFront.4] CloudFront distributions should have origin failover configured

[CloudFront.5] CloudFront distributions should have logging enabled

[CloudFront.6] CloudFront distributions should have AWS WAF enabled

[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates

[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests

[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins

[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins

[CodeBuild.4] CodeBuild project environments should have a logging configuration

[CodeBuild.5] CodeBuild project environments should not have privileged mode enabled

[EC2.15] EC2 subnets should not automatically assign public IP addresses

[EC2.16] Unused network access control lists should be removed

[EC2.20] Both VPN tunnels for an AWS Site-to-Site VPN connection should be up

[EC2.21] Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389

[EC2.22] Unused EC2 security groups should be removed

[EC2.23] EC2 Transit Gateways should not automatically accept VPC attachment requests

[EC2.24] Paravirtual EC2 instance types should not be used

[EC2.27] Running EC2 Instances should not use key pairs

[ECR.1] ECR private repositories should have image scanning configured

[ECR.2] ECR private repositories should have tag immutability configured

[ECR.3] ECR repositories should have at least one lifecycle policy configured

[ECS.1] Amazon ECS task definitions should have secure networking modes and user definitions

[ECS.3] ECS task definitions should not share the host's process namespace

[ECS.4] ECS containers should run as non-privileged

[ECS.5] ECS containers should be limited to read-only access to root filesystems

[ECS.8] Secrets should not be passed as container environment variables

[ECS.10] Fargate services should run on the latest Fargate platform version

[ECS.12] ECS clusters should have Container Insights enabled

[EFS.3] EFS access points should enforce a root directory

[EFS.4] EFS access points should enforce a user identity

[EKS.2] EKS clusters should run on a supported Kubernetes version

[ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled

[ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled

[ELB.2] Classic Load Balancers with SSL/HTTPS listeners should use a certificate provided by AWS Certificate Manager

[ELB.10] Classic Load Balancers should span multiple Availability Zones

[ELB.12] Application Load Balancers should be configured with defensive or strictest desync mitigation mode

[ELB.13] Application, Network, and Gateway Load Balancers should span multiple Availability Zones

[ELB.14] Classic Load Balancers should be configured with defensive or strictest desync mitigation mode

[ES.3] Elasticsearch domains should encrypt data sent between nodes

[ES.4] Elasticsearch domain error logging to CloudWatch Logs should be enabled

[GuardDuty.1] GuardDuty should be enabled

[IAM.6] Hardware MFA should be enabled for the root user

[IAM.21] IAM customer managed policies that you create should not allow wildcard actions for services

[Kinesis.1] Kinesis Data Streams should be encrypted at rest

[Lambda.1] Lambda function policies should prohibit public access

[Lambda.2] Lambda functions should use supported runtimes

[Lambda.5] VPC Lambda functions should operate in more than one Availability Zone

[NetworkFirewall.3] Network Firewall policies should have at least one rule group associated

[NetworkFirewall.4] The default stateless action for Network Firewall policies should be drop or forward for full packets

[NetworkFirewall.5] The default stateless action for Network Firewall policies should be drop or forward for fragmented packets

[OpenSearch.1] OpenSearch domains should have encryption at rest enabled

[OpenSearch.2] OpenSearch domains should be in a VPC

[OpenSearch.3] OpenSearch domains should encrypt data sent between nodes

[OpenSearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled

[OpenSearch.5] OpenSearch domains should have audit logging enabled

[OpenSearch.6] OpenSearch domains should have at least three data nodes

[OpenSearch.7] OpenSearch domains should have fine-grained access control enabled

[OpenSearch.8] Connections to OpenSearch domains should be encrypted using TLS 1.2

[RDS.7] RDS clusters should have deletion protection enabled

[RDS.9] Database logging should be enabled

[RDS.10] IAM authentication should be configured for RDS instances

[RDS.12] IAM authentication should be configured for RDS clusters

[RDS.13] RDS automatic minor version upgrades should be enabled

[RDS.14] Amazon Aurora clusters should have backtracking enabled

[RDS.15] RDS DB clusters should be configured for multiple Availability Zones

[RDS.24] RDS database clusters should use a custom administrator username

[RDS.25] RDS database instances should use a custom administrator username

[Redshift.3] Amazon Redshift clusters should have automatic snapshots enabled

[Redshift.7] Amazon Redshift clusters should use enhanced VPC routing

[Redshift.8] Amazon Redshift clusters should not use the default Admin username

[Redshift.9] Redshift clusters should not use the default database name

[S3.8] S3 Block Public Access setting should be enabled at the bucket level

[S3.11] S3 buckets should have event notifications enabled

[S3.12] S3 access control lists (ACLs) should not be used to manage user access to buckets

[S3.13] S3 buckets should have lifecycle policies configured

[SageMaker.1] SageMaker notebook instances should not have direct internet access

[SecretsManager.3] Remove unused Secrets Manager secrets

[SecretsManager.4] Secrets Manager secrets should be rotated within a specified number of days

[SNS.2] Logging of delivery status should be enabled for notification messages sent to a topic

[SSM.4] SSM documents should not be public

[WAF.1] AWS WAF Classic global web ACL logging should be enabled

[WAF.2] A WAF Regional rule should have at least one condition

[WAF.3] A WAF Regional rule group should have at least one rule

[WAF.4] A WAF Classic Regional web ACL should have at least one rule or rule group

[WAF.6] A WAF global rule should have at least one condition

[WAF.7] A WAF global rule group should have at least one rule

[WAF.8] A WAF global web ACL should have at least one rule or rule group

Europe (Frankfurt)

The following controls are not supported in Europe (Frankfurt).

Europe (Ireland)

The following controls are not supported in Europe (Ireland).

Europe (London)

The following controls are not supported in Europe (London).

Europe (Milan)

The following controls are not supported in Europe (Milan).

CIS AWS Foundations Benchmark standard

1.4 – Ensure access keys are rotated every 90 days or less

1.20 – Ensure a support role has been created to manage incidents with AWS Support

4.1 – Ensure no security groups allow ingress from 0.0.0.0/0 to port 22

4.2 – Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389

Payment Card Industry Data Security Standard (PCI DSS)

[PCI.CodeBuild.1] CodeBuild GitHub or Bitbucket source repository URLs should use OAuth

[PCI.CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials

[PCI.DMS.1] AWS Database Migration Service replication instances should not be public

[PCI.EC2.1] Amazon EBS snapshots should not be publicly restorable

[PCI.EC2.4] Unused EC2 EIPs should be removed

[PCI.EC2.5] Security groups should not allow ingress from 0.0.0.0/0 to port 22

[PCI.ELBV2.1] Application Load Balancer should be configured to redirect all HTTP requests to HTTPS

[PCI.GuardDuty.1] GuardDuty should be enabled

[PCI.RDS.1] Amazon RDS snapshots should prohibit public access

[PCI.S3.6] S3 Block Public Access setting should be enabled

[PCI.SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access

[PCI.SSM.1] Amazon EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation

[PCI.SSM.2] Instances managed by Systems Manager should have an association compliance status of COMPLIANT

AWS Foundational Security Best Practices standard

[ACM.1] Imported and ACM-issued certificates should be renewed after a specified time period

[APIGateway.1] API Gateway REST and WebSocket API logging should be enabled

[CloudFormation.1] CloudFormation stacks should be integrated with Simple Notification Service (SNS)

[CloudFront.1] CloudFront distributions should have a default root object configured

[CloudFront.2] CloudFront distributions should have origin access identity enabled

[CloudFront.3] CloudFront distributions should require encryption in transit

[CloudFront.4] CloudFront distributions should have origin failover configured

[CloudFront.5] CloudFront distributions should have logging enabled

[CloudFront.6] CloudFront distributions should have AWS WAF enabled

[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates

[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests

[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins

[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins

[CodeBuild.1] CodeBuild GitHub or Bitbucket source repository URLs should use OAuth

[CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials

[DMS.1] AWS Database Migration Service replication instances should not be public

[EC2.1] Amazon EBS snapshots should not be public, determined by the availability to be restorable by anyone

[EC2.3] Attached EBS volumes should be encrypted at rest

[EC2.4] Stopped EC2 instances should be removed after a specified time period

[EC2.8] EC2 instances should use IMDSv2

[EC2.24] Paravirtual EC2 instance types should not be used

[EFS.1] Amazon EFS should be configured to encrypt file data at rest using AWS KMS

[EFS.2] Amazon EFS volumes should be in backup plans

[ELB.2] Classic Load Balancers with SSL/HTTPS listeners should use a certificate provided by AWS Certificate Manager

[ELB.4] Application load balancers should be configured to drop HTTP headers

[ELB.8] Classic Load Balancers with HTTPS/SSL listeners should use a predefined security policy that has strong configuration

[ELBv2.1] Application Load Balancer should be configured to redirect all HTTP requests to HTTPS

[EMR.1] Amazon EMR cluster master nodes should not have public IP addresses

[ES.3] Elasticsearch domains should encrypt data sent between nodes

[GuardDuty.1] GuardDuty should be enabled

[IAM.3] IAM users' access keys should be rotated every 90 days or less

[KMS.3] AWS KMS keys should not be unintentionally deleted

[OpenSearch.1] OpenSearch domains should have encryption at rest enabled

[OpenSearch.2] OpenSearch domains should be in a VPC

[OpenSearch.3] OpenSearch domains should encrypt data sent between nodes

[OpenSearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled

[OpenSearch.5] OpenSearch domains should have audit logging enabled

[OpenSearch.6] OpenSearch domains should have at least three data nodes

[OpenSearch.7] OpenSearch domains should have fine-grained access control enabled

[OpenSearch.8] Connections to OpenSearch domains should be encrypted using TLS 1.2

[RDS.1] RDS snapshots should be private

[RDS.9] Database logging should be enabled

[RDS.14] Amazon Aurora clusters should have backtracking enabled

[Redshift.2] Connections to Amazon Redshift clusters should be encrypted in transit

[Redshift.3] Amazon Redshift clusters should have automatic snapshots enabled

[S3.1] S3 Block Public Access setting should be enabled

[SageMaker.1] SageMaker notebook instances should not have direct internet access

[SSM.2] All EC2 instances managed by Systems Manager should be compliant with patching requirements

[SSM.3] Instances managed by Systems Manager should have an association compliance status of COMPLIANT

[WAF.1] AWS WAF Classic global web ACL logging should be enabled

[WAF.6] A WAF global rule should have at least one condition

[WAF.7] A WAF global rule group should have at least one rule

[WAF.8] A WAF global web ACL should have at least one rule or rule group

Europe (Paris)

The following controls are not supported in Europe (Paris).

Europe (Stockholm)

The following controls are not supported in Europe (Stockholm).

Middle East (Bahrain)

The following controls are not supported in Middle East (Bahrain).

Payment Card Industry Data Security Standard (PCI DSS)

[PCI.GuardDuty.1] GuardDuty should be enabled

[PCI.S3.6] S3 Block Public Access setting should be enabled

AWS Foundational Security Best Practices standard

[CloudFormation.1] CloudFormation stacks should be integrated with Simple Notification Service (SNS)

[CloudFront.1] CloudFront distributions should have a default root object configured

[CloudFront.2] CloudFront distributions should have origin access identity enabled

[CloudFront.3] CloudFront distributions should require encryption in transit

[CloudFront.4] CloudFront distributions should have origin failover configured

[CloudFront.5] CloudFront distributions should have logging enabled

[CloudFront.6] CloudFront distributions should have AWS WAF enabled

[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates

[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests

[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins

[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins

[EC2.20] Both VPN tunnels for an AWS Site-to-Site VPN connection should be up

[EC2.23] EC2 Transit Gateways should not automatically accept VPC attachment requests

[EC2.24] Paravirtual EC2 instance types should not be used

[GuardDuty.1] GuardDuty should be enabled

[RDS.7] RDS clusters should have deletion protection enabled

[RDS.12] IAM authentication should be configured for RDS clusters

[RDS.14] Amazon Aurora clusters should have backtracking enabled

[RDS.15] RDS DB clusters should be configured for multiple Availability Zones

[RDS.16] RDS DB clusters should be configured to copy tags to snapshots

[RDS.24] RDS database clusters should use a custom administrator username

[Redshift.6] Amazon Redshift should have automatic upgrades to major versions enabled

[S3.1] S3 Block Public Access setting should be enabled

[SSM.2] All EC2 instances managed by Systems Manager should be compliant with patching requirements

[WAF.1] AWS WAF Classic global web ACL logging should be enabled

[WAF.6] A WAF global rule should have at least one condition

[WAF.7] A WAF global rule group should have at least one rule

[WAF.8] A WAF global web ACL should have at least one rule or rule group

South America (São Paulo)

The following controls are not supported in South America (São Paulo).

AWS Foundational Security Best Practices standard

[CloudFront.1] CloudFront distributions should have a default root object configured

[CloudFront.2] CloudFront distributions should have origin access identity enabled

[CloudFront.3] CloudFront distributions should require encryption in transit

[CloudFront.4] CloudFront distributions should have origin failover configured

[CloudFront.5] CloudFront distributions should have logging enabled

[CloudFront.6] CloudFront distributions should have AWS WAF enabled

[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates

[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests

[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins

[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins

[RDS.7] RDS clusters should have deletion protection enabled

[RDS.12] IAM authentication should be configured for RDS clusters

[RDS.14] Amazon Aurora clusters should have backtracking enabled

[RDS.15] RDS DB clusters should be configured for multiple Availability Zones

[RDS.16] RDS DB clusters should be configured to copy tags to snapshots

[RDS.24] RDS database clusters should use a custom administrator username

[WAF.1] AWS WAF Classic global web ACL logging should be enabled

[WAF.6] A WAF global rule should have at least one condition

[WAF.7] A WAF global rule group should have at least one rule

[WAF.8] A WAF global web ACL should have at least one rule or rule group

AWS GovCloud (US-East)

The following controls are not supported in AWS GovCloud (US-East).

CIS AWS Foundations Benchmark standard

1.13 – Ensure MFA is enabled for the root user

1.14 – Ensure hardware MFA is enabled for the root user

Payment Card Industry Data Security Standard (PCI DSS)

[PCI.CodeBuild.1] CodeBuild GitHub or Bitbucket source repository URLs should use OAuth

[PCI.CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials

[PCI.GuardDuty.1] GuardDuty should be enabled

[PCI.IAM.4] Hardware MFA should be enabled for the root user

[PCI.IAM.5] Virtual MFA should be enabled for the root user

[PCI.SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access

AWS Foundational Security Best Practices standard

[APIGateway.2] API Gateway REST API stages should be configured to use SSL certificates for backend authentication

[APIGateway.3] API Gateway REST API stages should have AWS X-Ray tracing enabled

[APIGateway.4] API Gateway should be associated with an AWS WAF web ACL

[AutoScaling.2] Amazon EC2 Auto Scaling group should cover multiple Availability Zones

[AutoScaling.3] Auto Scaling group should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2)

[AutoScaling.4] Auto Scaling group launch configuration should not have metadata response hop limit greater than 1

[AutoScaling.5] Amazon EC2 instances launched using Auto Scaling group launch configurations should not have Public IP addresses

[AutoScaling.6] Auto Scaling groups should use multiple instance types in multiple Availability Zones

[CloudFormation.1] CloudFormation stacks should be integrated with Simple Notification Service (SNS)

[CloudFront.1] CloudFront distributions should have a default root object configured

[CloudFront.2] CloudFront distributions should have origin access identity enabled

[CloudFront.3] CloudFront distributions should require encryption in transit

[CloudFront.4] CloudFront distributions should have origin failover configured

[CloudFront.5] CloudFront distributions should have logging enabled

[CloudFront.6] CloudFront distributions should have AWS WAF enabled

[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates

[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests

[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins

[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins

[CodeBuild.1] CodeBuild GitHub or Bitbucket source repository URLs should use OAuth

[CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials

[CodeBuild.4] CodeBuild project environments should have a logging configuration

[CodeBuild.5] CodeBuild project environments should not have privileged mode enabled

[DynamoDB.1] DynamoDB tables should automatically scale capacity with demand

[EC2.15] EC2 subnets should not automatically assign public IP addresses

[EC2.16] Unused network access control lists should be removed

[EC2.17] EC2 instances should not use multiple ENIs

[EC2.20] Both VPN tunnels for an AWS Site-to-Site VPN connection should be up

[EC2.21] Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389

[EC2.22] Unused EC2 security groups should be removed

[EC2.23] EC2 Transit Gateways should not automatically accept VPC attachment requests

[EC2.24] Paravirtual EC2 instance types should not be used

[EC2.27] Running EC2 Instances should not use key pairs

[ECR.1] ECR private repositories should have image scanning configured

[ECR.2] ECR private repositories should have tag immutability configured

[ECR.3] ECR repositories should have at least one lifecycle policy configured

[ECS.1] Amazon ECS task definitions should have secure networking modes and user definitions

[ECS.2] Amazon ECS services should not have public IP addresses assigned to them automatically

[ECS.3] ECS task definitions should not share the host's process namespace

[ECS.4] ECS containers should run as non-privileged

[ECS.8] Secrets should not be passed as container environment variables

[ECS.10] Fargate services should run on the latest Fargate platform version

[ECS.12] ECS clusters should have Container Insights enabled

[EFS.2] Amazon EFS volumes should be in backup plans

[EFS.3] EFS access points should enforce a root directory

[EFS.4] EFS access points should enforce a user identity

[EKS.2] EKS clusters should run on a supported Kubernetes version

[ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled

[ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled

[ELB.2] Classic Load Balancers with SSL/HTTPS listeners should use a certificate provided by AWS Certificate Manager

[ELB.8] Classic Load Balancers with HTTPS/SSL listeners should use a predefined security policy that has strong configuration

[ELB.10] Classic Load Balancers should span multiple Availability Zones

[ELB.12] Application Load Balancers should be configured with defensive or strictest desync mitigation mode

[ELB.13] Application, Network, and Gateway Load Balancers should span multiple Availability Zones

[ELB.14] Classic Load Balancers should be configured with defensive or strictest desync mitigation mode

[ES.4] Elasticsearch domain error logging to CloudWatch Logs should be enabled

[GuardDuty.1] GuardDuty should be enabled

[IAM.6] Hardware MFA should be enabled for the root user

[IAM.21] IAM customer managed policies that you create should not allow wildcard actions for services

[Kinesis.1] Kinesis Data Streams should be encrypted at rest

[Lambda.5] VPC Lambda functions should operate in more than one Availability Zone

[NetworkFirewall.3] Network Firewall policies should have at least one rule group associated

[NetworkFirewall.4] The default stateless action for Network Firewall policies should be drop or forward for full packets

[NetworkFirewall.5] The default stateless action for Network Firewall policies should be drop or forward for fragmented packets

[OpenSearch.1] OpenSearch domains should have encryption at rest enabled

[OpenSearch.2] OpenSearch domains should be in a VPC

[OpenSearch.3] OpenSearch domains should encrypt data sent between nodes

[OpenSearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled

[OpenSearch.5] OpenSearch domains should have audit logging enabled

[OpenSearch.6] OpenSearch domains should have at least three data nodes

[OpenSearch.7] OpenSearch domains should have fine-grained access control enabled

[OpenSearch.8] Connections to OpenSearch domains should be encrypted using TLS 1.2

[RDS.12] IAM authentication should be configured for RDS clusters

[RDS.13] RDS automatic minor version upgrades should be enabled

[RDS.14] Amazon Aurora clusters should have backtracking enabled

[RDS.15] RDS DB clusters should be configured for multiple Availability Zones

[RDS.24] RDS database clusters should use a custom administrator username

[RDS.25] RDS database instances should use a custom administrator username

[Redshift.7] Amazon Redshift clusters should use enhanced VPC routing

[Redshift.8] Amazon Redshift clusters should not use the default Admin username

[Redshift.9] Redshift clusters should not use the default database name

[S3.8] S3 Block Public Access setting should be enabled at the bucket level

[S3.11] S3 buckets should have event notifications enabled

[S3.12] S3 access control lists (ACLs) should not be used to manage user access to buckets

[S3.13] S3 buckets should have lifecycle policies configured

[SecretsManager.3] Remove unused Secrets Manager secrets

[SecretsManager.4] Secrets Manager secrets should be rotated within a specified number of days

[SNS.2] Logging of delivery status should be enabled for notification messages sent to a topic

[SSM.4] SSM documents should not be public

[WAF.1] AWS WAF Classic global web ACL logging should be enabled

[WAF.2] A WAF Regional rule should have at least one condition

[WAF.3] A WAF Regional rule group should have at least one rule

[WAF.4] A WAF Classic Regional web ACL should have at least one rule or rule group

[WAF.6] A WAF global rule should have at least one condition

[WAF.7] A WAF global rule group should have at least one rule

[WAF.8] A WAF global web ACL should have at least one rule or rule group

AWS GovCloud (US-West)

The following controls are not supported in AWS GovCloud (US-West). Security Hub does not evaluate them in this Region and generates no findings for them, so the absence of findings for these controls is not evidence that the underlying resources are compliant; cover them with other tooling if they matter to you.

CIS AWS Foundations Benchmark standard

1.13 – Ensure MFA is enabled for the root user

1.14 – Ensure hardware MFA is enabled for the root user

Payment Card Industry Data Security Standard (PCI DSS)

[PCI.CodeBuild.1] CodeBuild GitHub or Bitbucket source repository URLs should use OAuth

[PCI.CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials

[PCI.IAM.4] Hardware MFA should be enabled for the root user

[PCI.IAM.5] Virtual MFA should be enabled for the root user

AWS Foundational Security Best Practices standard

[APIGateway.2] API Gateway REST API stages should be configured to use SSL certificates for backend authentication

[APIGateway.3] API Gateway REST API stages should have AWS X-Ray tracing enabled

[APIGateway.4] API Gateway should be associated with an AWS WAF web ACL

[AutoScaling.2] Amazon EC2 Auto Scaling group should cover multiple Availability Zones

[AutoScaling.3] Auto Scaling group should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2)

[AutoScaling.4] Auto Scaling group launch configuration should not have metadata response hop limit greater than 1

[AutoScaling.5] Amazon EC2 instances launched using Auto Scaling group launch configurations should not have Public IP addresses

[AutoScaling.6] Auto Scaling groups should use multiple instance types in multiple Availability Zones

[CloudFormation.1] CloudFormation stacks should be integrated with Simple Notification Service (SNS)

[CloudFront.1] CloudFront distributions should have a default root object configured

[CloudFront.2] CloudFront distributions should have origin access identity enabled

[CloudFront.3] CloudFront distributions should require encryption in transit

[CloudFront.4] CloudFront distributions should have origin failover configured

[CloudFront.5] CloudFront distributions should have logging enabled

[CloudFront.6] CloudFront distributions should have AWS WAF enabled

[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates

[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests

[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins

[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins

[CodeBuild.1] CodeBuild GitHub or Bitbucket source repository URLs should use OAuth

[CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials

[CodeBuild.4] CodeBuild project environments should have a logging configuration

[CodeBuild.5] CodeBuild project environments should not have privileged mode enabled

[DynamoDB.1] DynamoDB tables should automatically scale capacity with demand

[EC2.15] EC2 subnets should not automatically assign public IP addresses

[EC2.16] Unused network access control lists should be removed

[EC2.17] EC2 instances should not use multiple ENIs

[EC2.20] Both VPN tunnels for an AWS Site-to-Site VPN connection should be up

[EC2.21] Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389

[EC2.22] Unused EC2 security groups should be removed

[EC2.23] EC2 Transit Gateways should not automatically accept VPC attachment requests

[EC2.24] Paravirtual EC2 instance types should not be used

[EC2.27] Running EC2 Instances should not use key pairs

[ECR.1] ECR private repositories should have image scanning configured

[ECR.2] ECR private repositories should have tag immutability configured

[ECR.3] ECR repositories should have at least one lifecycle policy configured

[ECS.1] Amazon ECS task definitions should have secure networking modes and user definitions

[ECS.2] Amazon ECS services should not have public IP addresses assigned to them automatically

[ECS.3] ECS task definitions should not share the host's process namespace

[ECS.4] ECS containers should run as non-privileged

[ECS.8] Secrets should not be passed as container environment variables

[ECS.10] Fargate services should run on the latest Fargate platform version

[ECS.12] ECS clusters should have Container Insights enabled

[EFS.2] Amazon EFS volumes should be in backup plans

[EFS.3] EFS access points should enforce a root directory

[EFS.4] EFS access points should enforce a user identity

[EKS.2] EKS clusters should run on a supported Kubernetes version

[ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled

[ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled

[ELB.10] Classic Load Balancers should span multiple Availability Zones

[ELB.12] Application Load Balancers should be configured with defensive or strictest desync mitigation mode

[ELB.13] Application, Network, and Gateway Load Balancers should span multiple Availability Zones

[ELB.14] Classic Load Balancers should be configured with defensive or strictest desync mitigation mode

[ES.4] Elasticsearch domain error logging to CloudWatch Logs should be enabled

[IAM.6] Hardware MFA should be enabled for the root user

[IAM.21] IAM customer managed policies that you create should not allow wildcard actions for services

[Kinesis.1] Kinesis Data Streams should be encrypted at rest

[Lambda.5] VPC Lambda functions should operate in more than one Availability Zone

[NetworkFirewall.3] Network Firewall policies should have at least one rule group associated

[NetworkFirewall.4] The default stateless action for Network Firewall policies should be drop or forward for full packets

[NetworkFirewall.5] The default stateless action for Network Firewall policies should be drop or forward for fragmented packets

[OpenSearch.1] OpenSearch domains should have encryption at rest enabled

[OpenSearch.2] OpenSearch domains should be in a VPC

[OpenSearch.3] OpenSearch domains should encrypt data sent between nodes

[OpenSearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled

[OpenSearch.5] OpenSearch domains should have audit logging enabled

[OpenSearch.6] OpenSearch domains should have at least three data nodes

[OpenSearch.7] OpenSearch domains should have fine-grained access control enabled

[OpenSearch.8] Connections to OpenSearch domains should be encrypted using TLS 1.2

[RDS.12] IAM authentication should be configured for RDS clusters

[RDS.13] RDS automatic minor version upgrades should be enabled

[RDS.14] Amazon Aurora clusters should have backtracking enabled

[RDS.15] RDS DB clusters should be configured for multiple Availability Zones

[RDS.24] RDS database clusters should use a custom administrator username

[RDS.25] RDS database instances should use a custom administrator username

[Redshift.7] Amazon Redshift clusters should use enhanced VPC routing

[Redshift.8] Amazon Redshift clusters should not use the default Admin username

[Redshift.9] Redshift clusters should not use the default database name

[S3.8] S3 Block Public Access setting should be enabled at the bucket level

[S3.11] S3 buckets should have event notifications enabled

[S3.12] S3 access control lists (ACLs) should not be used to manage user access to buckets

[S3.13] S3 buckets should have lifecycle policies configured

[SecretsManager.3] Remove unused Secrets Manager secrets

[SecretsManager.4] Secrets Manager secrets should be rotated within a specified number of days

[SNS.2] Logging of delivery status should be enabled for notification messages sent to a topic

[SSM.4] SSM documents should not be public

[WAF.1] AWS WAF Classic global web ACL logging should be enabled

[WAF.2] A WAF Regional rule should have at least one condition

[WAF.3] A WAF Regional rule group should have at least one rule

[WAF.4] A WAF Classic Regional web ACL should have at least one rule or rule group

[WAF.6] A WAF global rule should have at least one condition

[WAF.7] A WAF global rule group should have at least one rule

[WAF.8] A WAF global web ACL should have at least one rule or rule group
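The practical question this list raises is which of your expected checks will silently never run in a given Region. The following added example (not AWS code and not part of this page) turns a page excerpt in the bracketed `[ID] title` form above into a set of control IDs and compares it with the controls Security Hub actually reports for a Region. The page excerpt and the `Controls` entries are constructed samples; in real use you would obtain the latter from `aws securityhub describe-standards-controls --standards-subscription-arn <arn>` (the `ControlId` and `ControlStatus` fields are the ones used here). Whitespace inside the brackets is normalized because extracted text sometimes carries stray spaces such as `[OpenSearch.1 ]`.

```python
import re

# Matches the page's control-list lines, e.g. "[IAM.6] Hardware MFA should be enabled for the root user".
# Whitespace inside the brackets is tolerated and stripped later so "[Network Firewall.3]" and
# "[OpenSearch.1 ]" resolve to the canonical IDs "NetworkFirewall.3" and "OpenSearch.1".
_CONTROL_LINE = re.compile(r"^\[\s*([^\]]+?)\s*\]\s+(.*\S)\s*$")

# Constructed excerpt in the same layout as the page (sample input, not the full list).
PAGE_EXCERPT = """AWS GovCloud (US-West)

The following controls are not supported in AWS GovCloud (US-West).

AWS Foundational Security Best Practices standard

[IAM.6] Hardware MFA should be enabled for the root user

[Network Firewall.3] Network Firewall policies should have at least one rule group associated

[OpenSearch.1 ] OpenSearch domains should have encryption at rest enabled

[S3.8] S3 Block Public Access setting should be enabled at the bucket level
"""

# Constructed sample shaped like the "Controls" entries returned by DescribeStandardsControls
# for one standard in one Region (only the fields this script needs).
SAMPLE_REGION_CONTROLS = [
    {"ControlId": "IAM.1", "ControlStatus": "ENABLED"},
    {"ControlId": "IAM.4", "ControlStatus": "DISABLED"},
    {"ControlId": "S3.1", "ControlStatus": "ENABLED"},
    {"ControlId": "S3.8", "ControlStatus": "ENABLED"},  # documented as unsupported, yet reported
]


def parse_unsupported_controls(text):
    """Return {control_id: title} for every '[ID] title' line in a page excerpt.

    Lines without the bracketed ID (headings, the CIS '1.13 - ...' entries) are ignored.
    """
    controls = {}
    for raw in text.splitlines():
        match = _CONTROL_LINE.match(raw.strip())
        if match:
            control_id = re.sub(r"\s+", "", match.group(1))  # "Network Firewall.3" -> "NetworkFirewall.3"
            controls[control_id] = match.group(2)
    return controls


def coverage_gap(documented_unsupported, region_controls):
    """Compare the documented unsupported IDs with what the Region actually reports.

    Returns sorted lists:
      absent                  documented as unsupported and not reported: these checks never run here
      present_but_documented  documented as unsupported but reported: docs lag or support was added; verify
      disabled                reported but DISABLED: coverage you (or an admin) turned off yourself
    """
    reported = {c["ControlId"]: c.get("ControlStatus", "") for c in region_controls}
    documented = set(documented_unsupported)
    return {
        "absent": sorted(documented - reported.keys()),
        "present_but_documented": sorted(documented & reported.keys()),
        "disabled": sorted(cid for cid, status in reported.items() if status == "DISABLED"),
    }


if __name__ == "__main__":
    parsed = parse_unsupported_controls(PAGE_EXCERPT)
    for bucket, ids in coverage_gap(parsed, SAMPLE_REGION_CONTROLS).items():
        print(f"{bucket}: {', '.join(ids) or '-'}")
```

The `absent` bucket is the one to act on: those controls will never produce findings in the Region, so a clean Security Hub dashboard says nothing about them. The `present_but_documented` bucket is worth a second look in the console before trusting either the page or the API output.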