Security Checks

AWS Security Checks

Browse our comprehensive catalog of 377 security checks organized by category.

ACM

Medium
Imported and ACM-issued certificates should be renewed after a specified time period

This control checks whether ACM certificates in your account are marked for expiration within 30 days. It checks both imported certificates and certif...

High
RSA certificates managed by ACM should use a key length of at least 2,048 bits

This control checks whether RSA certificates managed by AWS Certificate Manager use a key length of at least 2,048 bits. The control fails if the key ...

APIGateway

Medium
API Gateway REST and WebSocket API execution logging should be enabled

This control checks whether all stages of an Amazon API Gateway REST or WebSocket API have logging enabled. The control fails if logging is not enable...

Medium
API Gateway REST API stages should be configured to use SSL certificates for backend authentication

This control checks whether Amazon API Gateway REST API stages have SSL certificates configured for backend authentication.

Low
API Gateway REST API stages should have AWS X-Ray tracing enabled

This control checks whether AWS X-Ray active tracing is enabled for your Amazon API Gateway REST API stages.

Medium
API Gateway should be associated with a WAF Web ACL

Checks whether an API Gateway stage uses an AWS WAF web access control list (ACL).

Medium
API Gateway REST API cache data should be encrypted at rest

This control checks whether API Gateway REST API stages with cache enabled have the cache data encrypted at rest.

Medium
API Gateway routes should specify an authorization type

This control checks if Amazon API Gateway routes have an authorization type specified.

Medium
Access logging should be configured for API Gateway V2 Stages

This control checks if Amazon API Gateway V2 stages have access logging configured.

Account

Medium
AWS account should have security contact information provided

Checks if AWS account has security contact information configured. The control fails if no security contact information is provided for the account.

AppSync

Medium
AWS AppSync API caches should be encrypted at rest

This control checks whether an AWS AppSync API cache is encrypted at rest. The control fails if the API cache isn't encrypted at rest. Data at re...

Medium
AWS AppSync should have field-level logging enabled

This control checks whether an AWS AppSync API has request-level and field-level logging turned on.

High
AWS AppSync GraphQL APIs should not be authenticated with API keys

This control checks whether your application uses an API key to interact with an AWS AppSync GraphQL API. The control fails if an AWS AppSync GraphQL ...

Medium
AWS AppSync API caches should be encrypted in transit

This control checks whether an AWS AppSync API cache is encrypted in transit. The control fails if the API cache isn't encrypted in transit. Data...

Athena

Medium
Athena workgroups should have logging enabled

This control checks whether an Amazon Athena workgroup has logging enabled. The control fails if the workgroup doesn't have logging enabled. Audi...

AutoScaling

Low
Auto Scaling groups associated with a load balancer should use ELB health checks

Checks whether Auto Scaling groups associated with Classic Load Balancers are using load balancer health checks.

Medium
Amazon EC2 Auto Scaling group should cover multiple Availability Zones

Checks whether Amazon EC2 Auto Scaling groups are covering multiple Availability Zones.

High
Auto Scaling group launch configurations should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2)

Checks whether Auto Scaling group launch configurations are configured to require EC2 instances to use Instance Metadata Service Version 2 (IMDSv2).

High
Amazon EC2 instances launched using Auto Scaling group launch configurations should not have Public IP addresses

Checks whether Amazon EC2 instances launched using Auto Scaling group launch configurations have Public IP addresses.

Medium
Auto Scaling groups should use multiple instance types in multiple Availability Zones

Checks whether Auto Scaling groups are using multiple instance types in multiple Availability Zones.

Medium
EC2 Auto Scaling groups should use EC2 launch templates

Checks whether Amazon EC2 Auto Scaling groups are using Amazon EC2 launch templates.

Backup

Medium
AWS Backup recovery points should be encrypted at rest

This check verifies that AWS Backup recovery points are encrypted at rest. It examines the encryption status of the most recent recovery point for each backup-enabl...

CloudFront

High
CloudFront distributions should have a default root object configured

Checks whether an Amazon CloudFront distribution is configured to return a specific object that is the default root object.

Medium
CloudFront distributions should require encryption in transit

Checks whether an Amazon CloudFront distribution requires viewers to use HTTPS for encryption in transit.

Low
CloudFront distributions should have origin failover configured

Checks whether an Amazon CloudFront distribution is configured with an origin group that has two or more origins for failover.

Medium
CloudFront distributions should have logging enabled

Checks whether server access logging is enabled on CloudFront distributions.

Medium
CloudFront distributions should have WAF enabled

Checks whether CloudFront distributions are associated with either AWS WAF Classic or AWS WAF web ACLs.

Medium
CloudFront distributions should use custom SSL/TLS certificates

Checks whether CloudFront distributions are using custom SSL/TLS certificates instead of the default CloudFront certificate.

Low
CloudFront distributions should use SNI to serve HTTPS requests

Checks if CloudFront distributions are using SNI to serve HTTPS requests. This control fails if a custom SSL/TLS certificate is associated but the SSL...

Medium
CloudFront distributions should encrypt traffic to custom origins

Checks if CloudFront distributions are encrypting traffic to custom origins. This control fails for a CloudFront distribution whose origin protocol po...

Medium
CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins

Checks if CloudFront distributions are using deprecated SSL protocols for HTTPS communication between CloudFront edge locations and custom origins.

High
CloudFront distributions should not point to non-existent S3 origins

This control checks whether Amazon CloudFront distributions are pointing to non-existent Amazon S3 origins.

Medium
CloudFront distributions should use origin access control

This control checks whether an Amazon CloudFront distribution with an Amazon S3 origin has origin access control (OAC) configured. The control fails i...

Medium
CloudFront distributions should use the recommended TLS security policy

This control checks whether an Amazon CloudFront distribution is configured to use the recommended TLS security policy. The control fails if the Cloud...
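The CloudFront entries above are all properties of one DistributionConfig, so a single pass over that document can grade a distribution against most of them at once. The following is an added example, not code from this catalog or from AWS: it evaluates the DistributionConfig dict that boto3's cloudfront.get_distribution_config() returns, on a constructed sample, and treats the RECOMMENDED_TLS policy name as an assumed parameter rather than something the catalog states.

```python
"""Distribution-config review for the CloudFront entries above: default root
object, viewer HTTPS, logging, WAF association, custom certificate, SNI,
HTTPS to custom origins, no deprecated SSL protocols to origins, origin
access control on S3 origins, and the minimum TLS policy.

Added example, not code from the catalog. It evaluates the DistributionConfig
dict returned by boto3's cloudfront.get_distribution_config(). The
RECOMMENDED_TLS name is a parameter this example assumes.
"""
from typing import List

RECOMMENDED_TLS = "TLSv1.2_2021"      # assumed "recommended" policy name
SECURE_VIEWER = {"redirect-to-https", "https-only"}


def failing_checks(cfg: dict) -> List[str]:
    """Names of the catalog checks this distribution config fails."""
    fails: List[str] = []
    if not cfg.get("DefaultRootObject"):
        fails.append("no default root object")

    # Every cache behaviour counts, not just the default one; a single
    # path pattern left on allow-all fails the viewer-HTTPS check.
    behaviours = [cfg.get("DefaultCacheBehavior", {})]
    behaviours += cfg.get("CacheBehaviors", {}).get("Items", [])
    if any(b.get("ViewerProtocolPolicy") not in SECURE_VIEWER for b in behaviours):
        fails.append("viewer HTTP allowed")

    if not cfg.get("Logging", {}).get("Enabled"):
        fails.append("logging disabled")
    if not cfg.get("WebACLId"):
        fails.append("no WAF web ACL")

    cert = cfg.get("ViewerCertificate", {})
    if cert.get("CloudFrontDefaultCertificate"):
        fails.append("default CloudFront certificate")
    else:
        # SNI and the TLS policy are only meaningful with a custom certificate.
        if cert.get("SSLSupportMethod") != "sni-only":
            fails.append("dedicated IP instead of SNI")
        if cert.get("MinimumProtocolVersion") != RECOMMENDED_TLS:
            fails.append("TLS policy below recommended")

    for o in cfg.get("Origins", {}).get("Items", []):
        oid = o.get("Id", "?")
        if "S3OriginConfig" in o:            # bucket origin (not a website endpoint)
            if not o.get("OriginAccessControlId"):
                fails.append(f"S3 origin without OAC: {oid}")
        elif "CustomOriginConfig" in o:
            c = o["CustomOriginConfig"]
            if c.get("OriginProtocolPolicy") != "https-only":
                fails.append(f"origin not https-only: {oid}")
            if "SSLv3" in c.get("OriginSslProtocols", {}).get("Items", []):
                fails.append(f"SSLv3 to origin: {oid}")
    return fails


# Constructed sample in get_distribution_config() shape
# (111122223333 is the AWS documentation example account).
SAMPLE_CFG = {
    "DefaultRootObject": "",
    "DefaultCacheBehavior": {"ViewerProtocolPolicy": "redirect-to-https"},
    "CacheBehaviors": {"Quantity": 1, "Items": [
        {"PathPattern": "/api/*", "ViewerProtocolPolicy": "allow-all"}]},
    "Logging": {"Enabled": True, "Bucket": "logs-example.s3.amazonaws.com"},
    "WebACLId": "",
    "ViewerCertificate": {
        "CloudFrontDefaultCertificate": False,
        "ACMCertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/example",
        "SSLSupportMethod": "sni-only",
        "MinimumProtocolVersion": "TLSv1"},
    "Origins": {"Quantity": 2, "Items": [
        {"Id": "assets", "DomainName": "assets-example.s3.us-east-1.amazonaws.com",
         "S3OriginConfig": {"OriginAccessIdentity": ""}, "OriginAccessControlId": ""},
        {"Id": "api", "DomainName": "api.example.com",
         "CustomOriginConfig": {"OriginProtocolPolicy": "match-viewer",
                                "OriginSslProtocols": {"Quantity": 2,
                                                       "Items": ["TLSv1.2", "SSLv3"]}}},
    ]},
}

if __name__ == "__main__":
    for f in failing_checks(SAMPLE_CFG):
        print("FAIL:", f)
```

The sample is built to show the two places these checks are commonly misread: the viewer-protocol check looks at every cache behaviour, not only the default one, and the SNI and TLS-policy checks apply only when a custom certificate is attached, because the default CloudFront certificate fixes both settings.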

CloudTrail

High
CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events

This control checks that there is at least one multi-Region CloudTrail trail. It also checks that the ExcludeManagementEventSources parameter is empty...

Medium
CloudTrail should have encryption at-rest enabled

This check verifies whether CloudTrail trails are configured to use server-side encryption (SSE) and AWS KMS key encryption. The check fails if the Km...

High
At least one CloudTrail trail should be enabled

This control checks whether CloudTrail is enabled in your AWS account. The control fails if your account doesn't have at least one CloudTrail tra

Low
CloudTrail log file validation should be enabled

This control checks whether log file integrity validation is enabled on a CloudTrail trail.

Low
CloudTrail trails should be integrated with Amazon CloudWatch Logs

This control checks whether CloudTrail trails are configured to send logs to CloudWatch Logs.

Critical
Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible

This control checks whether the S3 bucket used to store CloudTrail logs is publicly accessible.

Low
Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket

S3 bucket access logging generates a log that contains access records for each request made to your S3 bucket.

Medium
CloudTrail Lake event data stores should be encrypted with customer managed AWS KMS keys

This control checks whether an AWS CloudTrail Lake event data store is encrypted at rest with a customer managed AWS KMS key. The control fails if the...
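The multi-Region trail entry above is the one most often misjudged, because it is three conditions combined: the trail is multi-Region, it is actually logging, and its event selectors capture all management events with nothing excluded. The following is an added example, not code from this catalog or from AWS; it consumes the dict shapes returned by boto3's cloudtrail describe_trails, get_trail_status and get_event_selectors calls, on constructed samples, and also grades the KMS, log-file-validation and CloudWatch Logs entries from the same data.

```python
"""Trail evaluation for the CloudTrail entries above: a multi-Region trail
capturing read and write management events, KMS encryption at rest, log file
validation, and CloudWatch Logs integration.

Added example, not from the original catalog. It consumes the dict shapes
returned by boto3's cloudtrail describe_trails, get_trail_status and
get_event_selectors, so it runs offline on the constructed samples below.
"""
from typing import Dict, List


def captures_all_management_events(selectors: dict) -> bool:
    """The event-selector half of the multi-Region trail check.

    Classic selectors: at least one with IncludeManagementEvents true,
    ReadWriteType "All" and an empty ExcludeManagementEventSources. A trail
    that excludes kms.amazonaws.com to cut volume fails here even though it
    is multi-Region and logging.
    Advanced selectors: a selector whose only condition is
    eventCategory equals Management (any further condition narrows it).
    """
    for sel in selectors.get("EventSelectors") or []:
        if (sel.get("IncludeManagementEvents")
                and sel.get("ReadWriteType") == "All"
                and not sel.get("ExcludeManagementEventSources")):
            return True
    for adv in selectors.get("AdvancedEventSelectors") or []:
        fields = adv.get("FieldSelectors", [])
        if (len(fields) == 1
                and fields[0].get("Field") == "eventCategory"
                and fields[0].get("Equals") == ["Management"]):
            return True
    return False


def evaluate_trail(trail: dict, status: dict, selectors: dict) -> Dict[str, bool]:
    """Per-trail verdicts keyed by catalog entry."""
    return {
        "multi_region_all_mgmt_events": bool(
            trail.get("IsMultiRegionTrail")
            and status.get("IsLogging")
            and captures_all_management_events(selectors)),
        "kms_encrypted": bool(trail.get("KmsKeyId")),
        "log_file_validation": bool(trail.get("LogFileValidationEnabled")),
        "cloudwatch_logs": bool(trail.get("CloudWatchLogsLogGroupArn")),
    }


def evaluate_account(trails: List[dict], statuses: Dict[str, dict],
                     selectors: Dict[str, dict]) -> Dict[str, Dict[str, bool]]:
    return {t["Name"]: evaluate_trail(t, statuses[t["Name"]], selectors[t["Name"]])
            for t in trails}


def account_has_qualifying_trail(results: Dict[str, Dict[str, bool]]) -> bool:
    """The multi-Region entry is account-level: one qualifying trail suffices."""
    return any(r["multi_region_all_mgmt_events"] for r in results.values())


# Constructed samples (111122223333 is the AWS documentation example account).
SAMPLE_TRAILS = [
    {"Name": "org-trail", "IsMultiRegionTrail": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
     "LogFileValidationEnabled": True,
     "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:111122223333:log-group:cloudtrail:*"},
    {"Name": "regional", "IsMultiRegionTrail": False,
     "LogFileValidationEnabled": False},
]
SAMPLE_STATUS = {"org-trail": {"IsLogging": True}, "regional": {"IsLogging": True}}
SAMPLE_SELECTORS = {
    # excludes KMS management events: a common noise-reduction tweak that fails the check
    "org-trail": {"EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True,
                                      "ExcludeManagementEventSources": ["kms.amazonaws.com"]}]},
    "regional": {"EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True,
                                     "ExcludeManagementEventSources": []}]},
}

if __name__ == "__main__":
    results = evaluate_account(SAMPLE_TRAILS, SAMPLE_STATUS, SAMPLE_SELECTORS)
    print(results)
    print("account compliant:", account_has_qualifying_trail(results))
```

In the sample the account fails despite having an encrypted, validated, multi-Region organization trail, purely because that trail excludes KMS events; the regional trail captures everything but is not multi-Region. Both trails would need to change, or the organization trail's exclusion list would need to be emptied, for the account-level check to pass.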

CloudWatch

High
CloudWatch alarms should have specified actions configured

Checks whether CloudWatch alarms have an action configured for the ALARM state.

Medium
CloudWatch log groups should be retained for a specified time period

This check ensures that CloudWatch log groups have a retention policy of at least 1 year (365 days).

High
CloudWatch alarm actions should be enabled

This check ensures that CloudWatch alarms have actions enabled, allowing them to perform specified actions when a state change occurs.

CodeBuild

Critical
CodeBuild Bitbucket source repository URLs should not contain sensitive credentials

Checks whether the GitHub or Bitbucket source repository URL in AWS CodeBuild projects uses OAuth for authentication instead of personal access tokens...

Critical
CodeBuild project environment variables should not contain clear text credentials

Checks for the presence of clear text credentials in the environment variables of AWS CodeBuild projects such as AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_...

Low
CodeBuild S3 logs should be encrypted

Checks if Amazon S3 logs for an AWS CodeBuild project are encrypted. The control fails if encryption is deactivated for S3 logs for a CodeBuild projec...

Medium
CodeBuild project environments should have a logging configuration

This control checks whether a CodeBuild project environment has at least one log option enabled, either to S3 or CloudWatch logs. It fails if a CodeBu...

Medium
CodeBuild report group exports should be encrypted at rest

This control checks whether the test results of an AWS CodeBuild report group that are exported to an Amazon Simple Storage Service (Amazon S3) bucket...
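The three project-level CodeBuild entries above (credentials in the source URL, clear-text credentials in environment variables, unencrypted S3 logs) can be graded from a single batch_get_projects() response. The following is an added example, not code from this catalog or from AWS: it runs on a constructed project dict, the sample token is a placeholder, and the CREDENTIAL_NAME pattern is this example's approximation of the variable-name list the catalog entry quotes.

```python
"""Project review for the CodeBuild entries above: credentials embedded in a
source repository URL, clear-text credentials in environment variables, and
unencrypted S3 build logs.

Added example, not the catalog's code. Input is one project dict from
boto3's codebuild.batch_get_projects(); the CREDENTIAL_NAME pattern is this
example's approximation of the name list the catalog entry quotes.
"""
import re
from typing import Dict, List
from urllib.parse import urlsplit

CREDENTIAL_NAME = re.compile(
    r"AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY|PASSWORD|TOKEN|SECRET",
    re.IGNORECASE)


def source_url_has_credentials(location: str) -> bool:
    """True when the repository URL embeds userinfo (user:token@host).

    An OAuth-connected GitHub/Bitbucket source has a bare
    https://host/org/repo.git location; a personal access token or password
    pasted into the URL shows up as the userinfo component.
    """
    parts = urlsplit(location)
    return parts.scheme in ("http", "https") and parts.username is not None


def cleartext_credential_vars(env_vars: List[dict]) -> List[str]:
    """Names of PLAINTEXT variables that look like credentials.

    PARAMETER_STORE and SECRETS_MANAGER variables hold a reference that is
    resolved at build time, not the value, so they are not flagged.
    """
    return [v["name"] for v in env_vars
            if v.get("type", "PLAINTEXT") == "PLAINTEXT"
            and CREDENTIAL_NAME.search(v.get("name", ""))]


def s3_logs_unencrypted(logs_config: dict) -> bool:
    """S3 logging is on but encryption has been switched off for it."""
    s3 = logs_config.get("s3Logs") or {}
    return s3.get("status") == "ENABLED" and bool(s3.get("encryptionDisabled"))


def evaluate_project(project: dict) -> Dict[str, object]:
    source = project.get("source") or {}
    env = (project.get("environment") or {}).get("environmentVariables") or []
    return {
        "name": project.get("name"),
        "url_has_credentials": source_url_has_credentials(source.get("location", "")),
        "cleartext_credential_vars": cleartext_credential_vars(env),
        "s3_logs_unencrypted": s3_logs_unencrypted(project.get("logsConfig") or {}),
    }


# Constructed sample; the token is a placeholder, not a real credential.
SAMPLE_PROJECT = {
    "name": "api-build",
    "source": {"type": "GITHUB",
               "location": "https://builder:TOKEN_PLACEHOLDER@github.com/example-org/api.git"},
    "environment": {"environmentVariables": [
        {"name": "AWS_SECRET_ACCESS_KEY", "value": "placeholder", "type": "PLAINTEXT"},
        {"name": "DB_PASSWORD", "value": "/prod/db/password", "type": "PARAMETER_STORE"},
        {"name": "DEPLOY_ENV", "value": "prod"},   # type omitted: PLAINTEXT
    ]},
    "logsConfig": {"s3Logs": {"status": "ENABLED",
                              "location": "build-logs-example/api",
                              "encryptionDisabled": True}},
}

if __name__ == "__main__":
    print(evaluate_project(SAMPLE_PROJECT))
```

The DB_PASSWORD variable is deliberately not flagged: its type is PARAMETER_STORE, so the value in the project is a parameter path that CodeBuild resolves at run time, which is the fix the clear-text credential entry expects. The URL check keys on the userinfo component rather than on token syntax, so it also catches a username:password pair in a Bitbucket URL.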

Cognito

Medium
Cognito user pools should have threat protection with full enforcement enabled

This control checks whether an Amazon Cognito user pool has advanced security enabled with full enforcement. The control fails if advanced security is...

Medium
Cognito identity pools should not allow unauthenticated identities

This control checks whether an Amazon Cognito identity pool is configured to allow unauthenticated identities. The control fails if guest access is ac...

Connect

Medium
Connect instances should have CloudWatch logging enabled

This control checks if an Amazon Connect instance is configured to generate and store flow logs in an Amazon CloudWatch log group. It fails if the ins...

DMS

Critical
Database Migration Service replication instances should not be public

Checks whether AWS DMS replication instances are public. It examines the value of the PubliclyAccessible field. A private replication instance should ...

Medium
DMS replication instances should have automatic minor version upgrade enabled

This control checks if automatic minor version upgrade is enabled for an AWS DMS replication instance. The control fails if automatic minor version up...

Medium
DMS replication tasks for the target database should have logging enabled

This control checks if logging is enabled with a minimum severity level of LOGGER_SEVERITY_DEFAULT for DMS replication tasks, specifically for TARGET_...

Medium
DMS replication tasks for the source database should have logging enabled

This control checks whether logging is enabled with the minimum severity level of LOGGER_SEVERITY_DEFAULT for DMS replication tasks, specifically SOUR...

Medium
DMS endpoints should have SSL enabled

This control checks whether an AWS DMS endpoint uses an SSL connection. The control fails if the endpoint doesn't use SSL. SSL/TLS connections pr...

Medium
DMS endpoints for Neptune databases should have IAM authorization enabled

This control checks whether an AWS DMS endpoint for an Amazon Neptune database is configured with IAM authorization. The control fails if the DMS endp...

Medium
DMS endpoints for MongoDB should have authentication enabled

This control checks if an AWS DMS endpoint configured for MongoDB has an authentication mechanism enabled. The control will fail if no authentication ...

Medium
DMS endpoints for Redis OSS should have TLS enabled

This control checks whether an AWS DMS endpoint for Redis OSS is configured with a TLS connection. The control fails if the endpoint doesn't have...

DataFirehose

Medium
Firehose delivery streams should be encrypted at rest

This control checks whether an Amazon Data Firehose delivery stream is encrypted at rest with server-side encryption. This control fails if a Firehose...

DataSync

Medium
DataSync tasks should have logging enabled

This control checks whether an AWS DataSync task has logging enabled. The control fails if the task doesn't have logging enabled. Audit logs trac...

Detect

Low
MSK clusters should have enhanced monitoring configured

This control checks whether an Amazon MSK (Managed Streaming for Apache Kafka) cluster has enhanced monitoring configured. The specific requirement is...

DocumentDB

Medium
Amazon DocumentDB clusters should be encrypted at rest

This control checks whether an Amazon DocumentDB cluster is encrypted at rest. The control fails if an Amazon DocumentDB cluster isn't encrypted ...

Medium
Amazon DocumentDB clusters should have adequate backup retention

This control checks whether an Amazon DocumentDB cluster has a backup retention period greater than or equal to the specified time frame. The control ...

Critical
Amazon DocumentDB manual cluster snapshots should not be public

This control checks whether an Amazon DocumentDB manual cluster snapshot is public. The control fails if the manual cluster snapshot is public. An Ama...

Medium
Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs

This control checks whether an Amazon DocumentDB cluster publishes audit logs to Amazon CloudWatch Logs. The control fails if the cluster doesn't...

Medium
Amazon DocumentDB clusters should have deletion protection enabled

This control checks whether an Amazon DocumentDB cluster has deletion protection enabled. The control fails if the cluster doesn't have deletion ...

Medium
Amazon DocumentDB clusters should be encrypted in transit

This control checks whether an Amazon DocumentDB cluster requires TLS for connections to the cluster. The control fails if the cluster parameter group...

DynamoDB

Medium
DynamoDB tables should automatically scale capacity with demand

This control checks whether an Amazon DynamoDB table can scale its read and write capacity as needed. It passes if the table uses either on-demand cap...

Medium
DynamoDB tables should have point-in-time recovery enabled

This control checks whether point-in-time recovery (PITR) is enabled for an Amazon DynamoDB table. Enabling PITR automates backups for DynamoDB tables...

Medium
DynamoDB Accelerator (DAX) clusters should be encrypted at rest

This control checks whether a DAX cluster is encrypted at rest. Encrypting data at rest reduces the risk of data stored on disk being accessed by unau...

Medium
DynamoDB tables should be present in a backup plan

This control checks whether DynamoDB tables are included in a backup plan. Including tables in backup plans helps protect data from unintended loss or...

Medium
DynamoDB tables should have deletion protection enabled

Checks whether an Amazon DynamoDB table has deletion protection enabled. The control fails if a DynamoDB table doesn't have deletion protection enab...

Medium
DynamoDB Accelerator clusters should be encrypted in transit

Checks whether an Amazon DynamoDB Accelerator (DAX) cluster is encrypted in transit, with the endpoint encryption type set to TLS. HTTPS (TLS) is recomme...

EC2

Critical
EBS snapshots should not be publicly restorable

Checks whether Amazon EBS snapshots are publicly restorable.

High
VPC default security groups should not allow inbound or outbound traffic

Checks whether the VPC default security group allows any inbound or outbound traffic. The control fails if either rule set is non-empty.

Medium
Attached EBS volumes should be encrypted at-rest

Checks whether attached Amazon EBS volumes are encrypted at rest.

Medium
Stopped EC2 instances should be removed after a specified time period

Checks whether stopped Amazon EC2 instances have been removed after a specified time period.

High
VPC flow logging should be enabled in all VPCs

Checks whether VPC flow logging is enabled in all VPCs.

Medium
Amazon EBS default encryption should be enabled

Checks whether Amazon EBS default encryption is enabled.

High
Amazon EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)

Checks whether Amazon EC2 instances are using IMDSv2.

High
EC2 instances should not have a public IPv4 address

Checks whether Amazon EC2 instances have a public IPv4 address.

Medium
Amazon EC2 should be configured to use VPC endpoints that are created for the Amazon EC2 service

Checks whether Amazon EC2 instances are configured to use VPC endpoints for the Amazon EC2 service.

Medium
Unused EC2 EIPs should be removed

Checks whether unused Amazon EC2 Elastic IPs have been removed.

High
Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 22

Checks whether security groups allow ingress from 0.0.0.0/0 or ::/0 to port 22.

High
Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 3389

Checks whether security groups allow ingress from 0.0.0.0/0 or ::/0 to port 3389.

Medium
EC2 subnets should not automatically assign public IP addresses

Checks whether Amazon EC2 subnets automatically assign public IP addresses.

Medium
Unused Network Access Control Lists should be removed

Checks whether unused Network Access Control Lists have been removed.

Low
EC2 instances should not use multiple ENIs

Checks whether Amazon EC2 instances are using multiple Elastic Network Interfaces.

High
Security groups should only allow unrestricted incoming traffic for authorized ports

Checks whether security groups only allow unrestricted incoming traffic for authorized ports.

Critical
Security groups should not allow unrestricted access to high-risk ports

Checks whether security groups allow unrestricted access to high-risk ports.
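The four security group entries above (SSH, RDP, authorized ports, high-risk ports) all reduce to one question: which ports does a group expose to 0.0.0.0/0 or ::/0? Getting that right means expanding port ranges, treating protocol -1 as every port, and reading the IPv6 ranges as well as the IPv4 ones. The following is an added example, not code from this catalog or from AWS; it works on the dict shape returned by boto3's ec2.describe_security_groups() on a constructed sample, and the AUTHORIZED_PORTS allowlist is an assumed parameter.

```python
"""Evaluate EC2 security group ingress rules for world-reachable ports.

Added example, not part of the original catalog. It works on the dict shape
returned by boto3's ec2.describe_security_groups(), so it runs offline on the
constructed sample below. AUTHORIZED_PORTS is an assumed allowlist.
"""
from typing import Iterable, Set

WORLD_V4 = "0.0.0.0/0"
WORLD_V6 = "::/0"
ADMIN_PORTS = {22, 3389}          # the SSH and RDP entries above
AUTHORIZED_PORTS = {80, 443}      # assumed allowlist for "authorized ports"
MAX_PORT = 65535


def rule_is_world_open(rule: dict) -> bool:
    """True if any IPv4 or IPv6 range on the rule is the whole internet.

    Checking CidrIp alone misses the ::/0 case, which is why the catalog
    titles (and this function) name both ranges.
    """
    v4 = any(r.get("CidrIp") == WORLD_V4 for r in rule.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == WORLD_V6 for r in rule.get("Ipv6Ranges", []))
    return v4 or v6


def rule_ports(rule: dict) -> Iterable[int]:
    """Expand a rule to the TCP/UDP ports it admits.

    IpProtocol "-1" is "all traffic" and carries no FromPort/ToPort, so every
    port is reachable. For tcp/udp the FromPort..ToPort range is expanded.
    Protocols without ports (icmp, GRE, ...) yield nothing.
    """
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return range(0, MAX_PORT + 1)
    if proto not in ("tcp", "udp", "6", "17"):
        return ()
    lo, hi = rule.get("FromPort", 0), rule.get("ToPort", MAX_PORT)
    if lo == -1:                  # tcp/udp with -1 also means all ports
        return range(0, MAX_PORT + 1)
    return range(lo, hi + 1)


def world_open_ports(sg: dict) -> Set[int]:
    """All ports the group exposes to 0.0.0.0/0 or ::/0."""
    ports: Set[int] = set()
    for rule in sg.get("IpPermissions", []):
        if rule_is_world_open(rule):
            ports.update(rule_ports(rule))
    return ports


def evaluate(sg: dict, authorized: Set[int] = AUTHORIZED_PORTS) -> dict:
    """Verdicts for one group: which admin ports are world-open, and whether
    anything outside the allowlist is world-open."""
    open_ports = world_open_ports(sg)
    return {
        "GroupId": sg.get("GroupId"),
        "admin_ports_open": sorted(open_ports & ADMIN_PORTS),
        "unauthorized_open": bool(open_ports - authorized),
    }


# Constructed sample in describe_security_groups() shape.
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        # SSH restricted on IPv4 but wide open on IPv6
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        # a port range that covers RDP without naming it
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ],
}

if __name__ == "__main__":
    print(evaluate(SAMPLE_SG))
```

The sample group reports both 22 and 3389 as world-open even though no rule names 3389 and the SSH rule's IPv4 range is private: the RDP exposure comes from the 3000-4000 range and the SSH exposure from the ::/0 entry. A check that only matches FromPort == 22 against CidrIp misses both.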

Medium
Both VPN tunnels for an AWS Site-to-Site VPN connection should be up

Checks whether both VPN tunnels for an AWS Site-to-Site VPN connection are up.

Medium
Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389

Checks whether Network ACLs allow ingress from 0.0.0.0/0 to port 22 or port 3389.

Medium
Unused Amazon EC2 security groups should be removed

This control checks whether security groups are attached to Amazon Elastic Compute Cloud (Amazon EC2) instances or to an elastic network interface. Th...

Medium
EC2 Transit Gateways should not automatically accept VPC attachment requests

Checks whether Amazon EC2 Transit Gateways are configured not to automatically accept VPC attachment requests.

Medium
EC2 paravirtual instance types should not be used

Checks whether any Amazon EC2 paravirtual instance types are being used.

High
EC2 launch templates should not assign public IPs to network interfaces

Checks whether Amazon EC2 launch templates are configured to assign public IPs to network interfaces.

Low
EBS volumes should be in a backup plan

Checks whether Amazon EBS volumes are covered by a backup plan.

Low
AWS Client VPN endpoints should have connection logging enabled

This control checks whether an AWS Client VPN endpoint has client connection logging enabled. The control fails if the endpoint doesn't have clie...

Medium
VPC interface endpoints should be enabled for ECR API

This control checks whether VPC interface endpoints are enabled for Amazon Elastic Container Registry (ECR) API. The control fails if there is no VPC ...

Medium
VPC interface endpoints should be enabled for ECR Docker registry

This control checks whether VPC interface endpoints are enabled for Amazon Elastic Container Registry (ECR) Docker registry. The control fails if ther...

Medium
VPC interface endpoints should be enabled for Systems Manager

This control checks whether VPC interface endpoints are enabled for AWS Systems Manager (SSM). The control fails if there is no VPC interface endpoint...

Medium
VPC interface endpoints should be enabled for Systems Manager Incident Manager Contacts

This control checks whether VPC interface endpoints are enabled for AWS Systems Manager Incident Manager Contacts. The control fails if there is no VP...

Medium
VPC interface endpoints should be enabled for Systems Manager Incident Manager

This control checks whether VPC interface endpoints are enabled for AWS Systems Manager Incident Manager. The control fails if there is no VPC interfa...

Low
EC2 launch templates should use Instance Metadata Service Version 2 (IMDSv2)

This check verifies whether an Amazon EC2 launch template default version is configured with Instance Metadata Service Version 2 (IMDSv2). The check f...
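The IMDSv2 entries in this catalog (instances, Auto Scaling launch configurations, and the launch template entry above) all inspect the same MetadataOptions block, but the launch template entry reads it from the template's default version, which is not necessarily the latest one. The following is an added example, not code from this catalog or from AWS: it evaluates the dict shapes returned by boto3's describe_instances, describe_launch_configurations and describe_launch_template_versions on constructed samples, and its treatment of a missing MetadataOptions block and of a disabled endpoint are assumptions stated in the code.

```python
"""IMDSv2 enforcement for EC2 instances, Auto Scaling launch configurations
and EC2 launch templates (the three IMDSv2 entries in this catalog).

Added example, not code from the original catalog. It evaluates the dict
shapes returned by boto3's describe_instances, describe_launch_configurations
and describe_launch_template_versions, so it runs offline on the constructed
samples below.
"""
from typing import List, Optional


def metadata_requires_v2(opts: Optional[dict]) -> bool:
    """True when the metadata options force session-token (IMDSv2) access.

    A missing MetadataOptions block means the launch default applies, which
    this example treats as "optional" (a conservative assumption). A disabled
    endpoint exposes no metadata at all and is treated as a pass here, also
    an assumption of this example rather than something the catalog states.
    """
    if not opts:
        return False
    if opts.get("HttpEndpoint") == "disabled":
        return True
    return opts.get("HttpTokens") == "required"


def instance_compliant(instance: dict) -> bool:
    return metadata_requires_v2(instance.get("MetadataOptions"))


def launch_config_compliant(lc: dict) -> bool:
    return metadata_requires_v2(lc.get("MetadataOptions"))


def launch_template_compliant(versions: List[dict]) -> bool:
    """Judge the *default* version: that is what the catalog's launch template
    entry inspects and what an Auto Scaling group referencing $Default
    launches, so a hardened $Latest does not help until it is made default."""
    for v in versions:
        if v.get("DefaultVersion"):
            data = v.get("LaunchTemplateData", {})
            return metadata_requires_v2(data.get("MetadataOptions"))
    return False


def failing_instance_ids(instances: List[dict]) -> List[str]:
    return [i["InstanceId"] for i in instances if not instance_compliant(i)]


# Constructed samples in the boto3 response shapes.
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0aaaaaaaaaaaaaaaa",
     "MetadataOptions": {"HttpTokens": "required", "HttpEndpoint": "enabled"}},
    {"InstanceId": "i-0bbbbbbbbbbbbbbbb",
     "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "enabled"}},
    {"InstanceId": "i-0ccccccccccccccccc",
     "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "disabled"}},
]
SAMPLE_LAUNCH_CONFIG = {"LaunchConfigurationName": "web-lc",
                        "MetadataOptions": {"HttpTokens": "optional"}}
SAMPLE_LT_VERSIONS = [
    {"VersionNumber": 1, "DefaultVersion": True,
     "LaunchTemplateData": {"MetadataOptions": {"HttpTokens": "optional"}}},
    {"VersionNumber": 2, "DefaultVersion": False,
     "LaunchTemplateData": {"MetadataOptions": {"HttpTokens": "required"}}},
]

if __name__ == "__main__":
    print("instances failing:", failing_instance_ids(SAMPLE_INSTANCES))
    print("launch config ok:", launch_config_compliant(SAMPLE_LAUNCH_CONFIG))
    print("launch template ok:", launch_template_compliant(SAMPLE_LT_VERSIONS))
```

The launch template sample fails on purpose: version 2 requires IMDSv2 but version 1 is still the default, which is exactly the state a quick "bump the template" remediation leaves behind. For a running instance the fix is aws ec2 modify-instance-metadata-options with --http-tokens required; for a template, publish the hardened version and then make it the default with modify-launch-template.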

Medium
EC2 VPN connections should have logging enabled

This control checks whether EC2 VPN connections have logging enabled. The control fails if VPN connection logging is not configured.

Medium
EC2 VPC Block Public Access should block internet gateway traffic

This control checks whether Amazon EC2 VPC Block Public Access (BPA) settings are configured to block internet gateway traffic for all Amazon VPCs in ...

Medium
EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes

This control checks whether an Amazon EC2 Spot Fleet request that specifies launch parameters is configured to enable encryption for all Amazon Elasti...

Medium
EC2 network interfaces should have source/destination checking enabled

This control checks whether source/destination checking is enabled for an Amazon EC2 elastic network interface (ENI) that's managed by users. The...

ECR

High
ECR private repositories should have image scanning configured

This control checks whether a private Amazon ECR repository has image scanning configured.

Medium
ECR private repositories should have tag immutability configured

This control checks whether a private ECR repository has tag immutability enabled.

Medium
ECR repositories should have at least one lifecycle policy configured

This control checks whether an Amazon ECR repository has at least one lifecycle policy configured.

Medium
ECR repositories should be encrypted with customer managed AWS KMS keys

This control checks whether an Amazon ECR repository is encrypted at rest with a customer managed AWS KMS key. The control fails if the ECR repository...

ECS

High
Amazon ECS task definitions should have secure networking modes and user definitions

Checks if an active Amazon ECS task definition with host networking mode has privileged or user container definitions. This check fails for task defin...

High
ECS services should not have public IP addresses assigned to them automatically

Checks whether Amazon ECS services are configured to automatically assign public IP addresses. The control fails if AssignPublicIP is ENABLED.

High
ECS task definitions should not share the host's process namespace

Checks if Amazon ECS task definitions are configured to share the host's process namespace with their containers. The control fails if the task defin...

High
ECS containers should run as non-privileged

Checks if the privileged parameter in the container definition of Amazon ECS Task Definitions is set to true. The control fails if this parameter is e...

High
ECS containers should be limited to read-only access to root filesystems

Checks if ECS containers are limited to read-only access to root filesystems.

High
Secrets should not be passed as container environment variables

Checks whether ECS container definitions pass secrets as plain-text environment variables with names such as AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, PASSWORD, TOKEN...

High
ECS task definitions should have a logging configuration

This control checks if the latest active Amazon ECS task definition has a logging configuration specified. The control fails if the task definition do...

Medium
ECS Fargate services should run on the latest Fargate platform version

This control checks if Amazon ECS Fargate services are running the latest Fargate platform version.

Medium
ECS clusters should use Container Insights

This control checks if ECS clusters use Container Insights. It fails if Container Insights are not set up for a cluster.

High
ECS task sets should not automatically assign public IP addresses

This control checks whether an Amazon ECS task set is configured to automatically assign public IP addresses. The control fails if AssignPublicIP is s...

Medium
ECS task definitions should not use host network mode

This control checks whether the latest active revision of an Amazon ECS task definition uses host network mode. The control fails if the latest active...
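Seven of the ECS entries above are properties of a single task definition revision, so they are best checked together. The following is an added example, not code from this catalog or from AWS: it takes the taskDefinition dict that boto3's ecs.describe_task_definition() returns, on a constructed sample, and the SECRET_NAME pattern is this example's approximation of the variable-name list the secrets entry quotes.

```python
"""Task-definition review for the ECS entries above: secure networking mode
and user, no shared host PID namespace, non-privileged containers, read-only
root filesystems, no secrets in environment variables, a logging
configuration, and no host network mode.

Added example, not code from the original catalog. Input is the
taskDefinition dict returned by boto3's ecs.describe_task_definition(); the
SECRET_NAME pattern is this example's approximation of the name list the
catalog entry quotes.
"""
import re
from typing import Dict, List

SECRET_NAME = re.compile(
    r"AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY|PASSWORD|TOKEN|SECRET|API_KEY",
    re.IGNORECASE)


def findings(td: dict) -> Dict[str, List[str]]:
    """Map each failing check to the task family or containers it fails on."""
    out: Dict[str, List[str]] = {}

    def fail(check: str, who: str) -> None:
        out.setdefault(check, []).append(who)

    family = td.get("family", "task")
    host_net = td.get("networkMode") == "host"
    if host_net:
        fail("host network mode", family)
    if td.get("pidMode") == "host":
        fail("host PID namespace", family)

    for c in td.get("containerDefinitions", []):
        name = c.get("name", "?")
        # In host mode a privileged container, or one with no user / user
        # root, effectively runs as root on the host's network stack.
        runs_as_root = (c.get("user") or "root") in ("root", "0")
        if host_net and (c.get("privileged") or runs_as_root):
            fail("host mode with root or privileged container", name)
        if c.get("privileged"):
            fail("privileged container", name)
        if not c.get("readonlyRootFilesystem"):
            fail("writable root filesystem", name)
        # Entries under `secrets` (valueFrom Secrets Manager / SSM) are the
        # right way to inject credentials; only plain `environment` entries
        # with credential-like names are flagged.
        for env in c.get("environment") or []:
            if SECRET_NAME.search(env.get("name", "")):
                fail("secret in environment variable", f"{name}:{env['name']}")
        if not c.get("logConfiguration"):
            fail("no log configuration", name)
    return out


# Constructed sample in describe_task_definition() shape
# (111122223333 is the AWS documentation example account).
SAMPLE_TD = {
    "family": "web",
    "networkMode": "host",
    "pidMode": "host",
    "containerDefinitions": [
        {"name": "app", "user": "1000", "privileged": False,
         "readonlyRootFilesystem": True,
         "environment": [{"name": "DB_PASSWORD", "value": "hunter2"}],
         "secrets": [{"name": "API_TOKEN",
                      "valueFrom": "arn:aws:secretsmanager:us-east-1:111122223333:secret:api-token"}],
         "logConfiguration": {"logDriver": "awslogs",
                              "options": {"awslogs-group": "/ecs/web"}}},
        {"name": "sidecar", "privileged": True, "environment": []},
    ],
}

if __name__ == "__main__":
    for check, who in findings(SAMPLE_TD).items():
        print(f"{check}: {', '.join(who)}")
```

In the sample the app container does most things right (non-root user, read-only root, API_TOKEN injected through secrets) and still fails on DB_PASSWORD because that one was put under environment instead; the sidecar, with no user and privileged set, is what turns the host network mode entry into a root-on-the-host finding.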

EFS

Medium
Elastic File System should be configured to encrypt file data at-rest using AWS KMS

Checks whether Amazon Elastic File System is configured to encrypt the file data using AWS KMS.

Medium
Amazon EFS volumes should be in backup plans

This control checks whether Amazon Elastic File System (Amazon EFS) file systems are added to the backup plans in AWS Backup.

Medium
EFS access points should enforce a root directory

This control checks if Amazon EFS access points are configured to enforce a root directory. The control fails if the value of Path is set to / (the de...

Medium
EFS access points should enforce a user identity

This control checks whether Amazon EFS access points are configured to enforce a user identity. The control fails if a POSIX user identity is not defi...

Medium
EFS mount targets should not be associated with subnets that assign public IP addresses on launch

This control checks whether an Amazon EFS mount target is associated with subnets that assign public IP addresses on launch. The control fails if the ...

Medium
EFS file systems should have automatic backups enabled

This control checks whether an Amazon EFS file system has automatic backups enabled. This control fails if the EFS file system doesn't have autom...

Medium
EFS file systems should be encrypted at rest

This control checks whether an Amazon EFS file system encrypts data with AWS Key Management Service (AWS KMS). The control fails if a file system isn't...

EKS

High
EKS cluster endpoints should not be publicly accessible

Checks whether an Amazon EKS cluster's API server endpoint is publicly accessible. The control fails if an EKS cluster has an endpoint that is publicly accessi...

High
EKS clusters should run on a supported Kubernetes version

This control checks whether an Amazon EKS cluster is running on a supported Kubernetes version. The control fails if the EKS cluster is running on an ...

Medium
EKS clusters should use encrypted Kubernetes secrets

This control checks whether an Amazon EKS cluster uses encrypted Kubernetes secrets. The control fails if the cluster's Kubernetes secrets aren't...

Medium
EKS clusters should have audit logging enabled

This control checks whether an Amazon EKS cluster has audit logging enabled. The control fails if audit logging isn't enabled for the cluster. EK...

ELB

Medium
Application Load Balancer should be configured to redirect all HTTP requests to HTTPS

This check ensures that Application Load Balancers are configured to redirect all HTTP requests to HTTPS, enforcing the use of SSL/TLS for security be...

Medium
Classic Load Balancers with SSL/HTTPS listeners should use a certificate provided by AWS Certificate Manager

This check ensures that Classic Load Balancers with SSL/HTTPS listeners are using certificates provided by AWS Certificate Manager (ACM). This helps i...

Medium
Classic Load Balancer listeners should be configured with HTTPS or TLS termination

This check ensures that Classic Load Balancer listeners are configured with HTTPS or TLS termination to encrypt traffic between the clients and the lo...

Medium
Application Load Balancer should be configured to drop invalid http headers

This check ensures that Application Load Balancers are configured to drop invalid HTTP headers. Dropping invalid headers can protect against potential...

Medium
Application and Classic Load Balancers logging should be enabled

This check verifies that logging is enabled for Application and Classic Load Balancers to capture detailed information about requests sent to the load...

Medium
Application, Gateway, and Network Load Balancers should have deletion protection enabled

This check ensures that deletion protection is enabled on Application, Gateway, and Network Load Balancers. Deletion protection safeguards against accidental or unauthorize...

Medium
Classic Load Balancers should have connection draining enabled

This check ensures that connection draining is enabled on Classic Load Balancers. Connection draining helps maintain service continuity during planned...

Medium
Classic Load Balancers with SSL listeners should use a predefined security policy that has strong configuration

This check verifies that Classic Load Balancers with SSL listeners are using a predefined security policy with strong security configurations to ensur...

Medium
Classic Load Balancers should have cross-zone load balancing enabled

This check ensures that cross-zone load balancing is enabled for Classic Load Balancers. Cross-zone load balancing distributes traffic evenly across a...

Medium
Classic Load Balancer should span multiple Availability Zones

This check ensures that Classic Load Balancers are configured to span multiple Availability Zones. This configuration increases the fault tolerance of...

Medium
Application Load Balancer should be configured with defensive or strictest desync mitigation mode

This check ensures that Application Load Balancers are configured with either defensive or strictest desync mitigation mode to protect against HTTP de...

Medium
Application, Network and Gateway Load Balancers should span multiple Availability Zones

This check ensures that Application, Network, and Gateway Load Balancers are configured to span multiple Availability Zones. This configuration increa...

Medium
Classic Load Balancer should be configured with defensive or strictest desync mitigation mode

This check ensures that Classic Load Balancers are configured with defensive or strictest desync mitigation mode. The mode is a load balancer attribute rather than part of an SSL security policy, so it applies to plain HTTP listeners as well as SSL/HTTPS ones; it protects against HTTP des...

Medium
Application Load Balancers should be associated with an AWS WAF web ACL

This check ensures that Application Load Balancers are associated with an AWS WAF web ACL to protect against web exploits that could affect availabili...

Medium
Application Load Balancer and Network Load Balancer listeners should use recommended security policies

This control checks whether the HTTPS listener for an Application Load Balancer or the TLS listener for a Network Load Balancer is configured to encry...

Medium
Application Load Balancer and Network Load Balancer listeners should use secure protocols to encrypt data in transit

This control checks whether the listener for an Application Load Balancer or Network Load Balancer is configured to use a secure protocol for encrypti...

EMR

High
Amazon EMR cluster primary nodes should not have public IP addresses

Checks whether primary (master) nodes on Amazon EMR clusters have public IP addresses.

Critical
EMR clusters should not be publicly accessible

This control checks whether your account is configured with Amazon EMR block public access. The control fails if the block public access setting isn't...

Medium
Amazon EMR security configurations should be encrypted at rest

This control checks whether an Amazon EMR security configuration has encryption at rest enabled. The control fails if the security configuration doesn...

Medium
Amazon EMR security configurations should be encrypted in transit

This control checks whether an Amazon EMR security configuration has encryption in transit enabled. The control fails if the security configuration do...

ElastiCache

High
ElastiCache (Redis OSS) clusters should have automatic backups enabled

This control checks if ElastiCache for Redis clusters have automatic backup scheduled. It fails if the SnapshotRetentionLimit for the Redis cluster is...

High
ElastiCache (Redis OSS) clusters should have auto minor version upgrades enabled

This control checks if ElastiCache for Redis cache clusters automatically apply minor version upgrades.

Medium
ElastiCache replication groups should have automatic failover enabled

This control checks if ElastiCache Replication groups have automatic failover enabled.

Medium
ElastiCache replication groups should be encrypted at rest

Checks if ElastiCache Replication groups are encrypted at rest.

Medium
ElastiCache replication groups should be encrypted in transit

Checks if ElastiCache replication groups are encrypted in transit.

Medium
ElastiCache (Redis OSS) replication groups of earlier versions should have Redis OSS AUTH enabled

Checks if ElastiCache for Redis replication groups have Redis AUTH enabled for versions below 6.0.

High
ElastiCache clusters should not use the default subnet group

This control checks if ElastiCache clusters are configured with a custom subnet group instead of the default.

ElasticBeanstalk

Low
Elastic Beanstalk environments should have enhanced health reporting enabled

Checks whether enhanced health reporting is enabled for AWS Elastic Beanstalk environments.

High
Elastic Beanstalk managed platform updates should be enabled

Checks whether managed platform updates are enabled for the Elastic Beanstalk environment.

High
Elastic Beanstalk should stream logs to CloudWatch

Checks whether an Elastic Beanstalk environment is configured to send logs to CloudWatch Logs.

Elasticsearch

Medium
Elasticsearch domains should have encryption at-rest enabled

This check ensures that Elasticsearch domains have encryption at-rest enabled to secure data stored on the service's persistent volumes.

Critical
Elasticsearch domains should not be publicly accessible

This check ensures that Elasticsearch domains are within a VPC, which provides an additional layer of network security.

Medium
Elasticsearch domains should encrypt data sent between nodes

This check ensures that Elasticsearch domains have node-to-node encryption enabled, securing data in transit between nodes within the domain.

Medium
Elasticsearch domain error logging to CloudWatch Logs should be enabled

This check ensures that Elasticsearch domains have error logging to CloudWatch Logs enabled for better monitoring and troubleshooting.

Medium
Elasticsearch domains should have audit logging enabled

This check ensures that Elasticsearch domains have audit logging enabled, which is crucial for security and compliance auditing.

Medium
Elasticsearch domains should have at least three data nodes

This check ensures that Elasticsearch domains are configured with at least three data nodes to ensure high availability and resilience.

Medium
Elasticsearch domains should be configured with at least three dedicated master nodes

This check ensures that Elasticsearch domains are configured with at least three dedicated master nodes to ensure cluster stability and high availabil...

EventBridge

Low
EventBridge custom event buses should have resource policies attached

This control checks whether custom Amazon EventBridge event buses have a resource-based policy attached. The control fails if a custom event bus doesn...

Medium
EventBridge global endpoints should have event replication enabled

This control checks if event replication is enabled for an Amazon EventBridge global endpoint. The control fails if event replication isn't enabl...

FSx

Low
FSx for OpenZFS file systems should be configured to copy tags to backups and volumes

This control checks whether an Amazon FSx for OpenZFS file system is configured to copy tags to backups and volumes. The control fails if the OpenZFS ...

Low
FSx for Lustre file systems should be configured to copy tags to backups

This control checks whether an Amazon FSx for Lustre file system is configured to copy tags to backups and volumes. The control fails if the Lustre fi...

Medium
FSx for OpenZFS file systems should be configured for Multi-AZ deployment

This control checks whether an Amazon FSx for OpenZFS file system is configured to use the multiple Availability Zones (Multi-AZ) deployment type. The...

Medium
FSx for NetApp ONTAP file systems should be configured for Multi-AZ deployment

This control checks whether an Amazon FSx for NetApp ONTAP file system is configured to use a multiple Availability Zones (Multi-AZ) deployment type. ...

Medium
FSx for Windows File Server file systems should be configured for Multi-AZ deployment

This control checks whether an Amazon FSx for Windows File Server file system is configured to use the Multi-AZ (multiple Availability Zones) deployme...

Glue

Medium
AWS Glue machine learning transforms should be encrypted at rest

This control checks whether an AWS Glue machine learning transform is encrypted at rest. The control fails if the machine learning transform isn'...

Medium
AWS Glue Spark jobs should run on supported versions of AWS Glue

This control checks whether an AWS Glue for Spark job is configured to run on a supported version of AWS Glue. The control fails if the Spark job is c...

GuardDuty

High
GuardDuty should be enabled

Checks whether Amazon GuardDuty is enabled in your GuardDuty account and Region.

High
GuardDuty EKS Audit Log Monitoring should be enabled

This control checks whether GuardDuty EKS Audit Log Monitoring is enabled. For a standalone account, the control fails if GuardDuty EKS Audit Log Moni...

High
GuardDuty Lambda Protection should be enabled

This control checks whether GuardDuty Lambda Protection is enabled. For a standalone account, the control fails if GuardDuty Lambda Protection is disa...

Medium
GuardDuty EKS Runtime Monitoring should be enabled

This control checks whether GuardDuty EKS Runtime Monitoring with automated agent management is enabled. For a standalone account, the control fails i...

High
GuardDuty Malware Protection for EC2 should be enabled

This control checks whether GuardDuty Malware Protection is enabled. For a standalone account, the control fails if GuardDuty Malware Protection is di...

High
GuardDuty RDS Protection should be enabled

This control checks whether GuardDuty RDS Protection is enabled. For a standalone account, the control fails if GuardDuty RDS Protection is disabled. ...

High
GuardDuty S3 Protection should be enabled

This control checks whether GuardDuty S3 Protection is enabled. For a standalone account, the control fails if GuardDuty S3 Protection is disabled in ...

High
GuardDuty Runtime Monitoring should be enabled

This control checks whether GuardDuty Runtime Monitoring is enabled. For a standalone account, the control fails if GuardDuty Runtime Monitoring is di...

Medium
GuardDuty ECS Runtime Monitoring should be enabled

This control checks whether the Amazon GuardDuty automated security agent is enabled for runtime monitoring of Amazon ECS clusters on AWS Fargate. For...

Medium
GuardDuty EC2 Runtime Monitoring should be enabled

This control checks whether the Amazon GuardDuty automated security agent is enabled for runtime monitoring of Amazon EC2 instances. For a standalone ...

IAM

High
IAM policies should not allow full administrative privileges

Checks if any IAM policies in the account have full administrative privileges by allowing all actions as "Effect": "Allow" with Ac...

Low
IAM users should not have IAM policies attached

Checks whether your IAM users have policies attached. The control fails if your IAM users have policies attached.

Medium
IAM users' access keys should be rotated every 90 days or less

Checks whether the access keys for your IAM users have been rotated within the last 90 days.

Critical
IAM root user access key should not exist

Checks if the IAM root user access key exists. The root user should not have an access key.

Medium
MFA should be enabled for all IAM users that have a console password

Checks if MFA is enabled for all IAM users that have a console password.

Critical
Hardware MFA should be enabled for the root user

Checks if Hardware MFA is enabled for the root user.

Medium
Password policies for IAM users should have strong configurations

Checks if password policies for IAM users have strong AWS configurations.

Medium
Unused IAM user credentials should be removed

Checks whether IAM users have passwords or active access keys that have not been used for 90 days. Disabling or removing unnecessary credentials reduc...

Critical
MFA should be enabled for the root user

Checks if Virtual MFA is enabled for the root user.

Low
Ensure IAM password policy expires passwords within 90 days or less

This check ensures that the IAM password policy is configured to expire passwords within 90 days or less.

Low
Ensure a support role has been created to manage incidents with AWS Support

This check ensures that a support role exists for managing incidents with AWS Support.

Medium
MFA should be enabled for all IAM users

This check ensures that MFA is enabled for all IAM users.

Low
IAM customer managed policies that you create should not allow wildcard actions for services

Checks whether IAM customer managed policies have statements with 'Effect': 'Allow' with 'Action': 'Service:*'

Medium
IAM user credentials should be removed if not used within 45 days

This control checks whether IAM users have passwords or active access keys that have not been used for 45 days or more. Users can access AWS resources...

Medium
IAM server certificates should not be expired

This control checks whether an active SSL/TLS server certificate that is managed in IAM has expired. The control fails if the expired SSL/TLS server c...

Medium
IAM identities should not have AWSCloudShellFullAccess policy

This control checks if an IAM identity (user, role, or group) has the AWS managed policy AWSCloudShellFullAccess attached. The control fails if an IAM...

High
IAM Access Analyzer external access analyzer should be enabled

This control checks whether an AWS account has an IAM Access Analyzer external access analyzer enabled. It fails if the account does not have an exter...

Identify

Medium
ActiveMQ brokers should stream audit logs to CloudWatch

This control checks whether an Amazon MQ ActiveMQ broker streams audit logs to Amazon CloudWatch Logs. The control fails if the broker doesn't st...

Low
Amazon MQ brokers should have automatic minor version upgrade enabled

This control checks whether an Amazon MQ broker has automatic minor version upgrade enabled. The control fails if the broker doesn't have automat...

Medium
MSK connectors should have logging enabled

This control checks whether logging is enabled for an Amazon MSK connector. The control fails if logging is disabled for the MSK connector. Amazon MSK...

Inspector

High
Amazon Inspector EC2 scanning should be enabled

This control checks whether Amazon Inspector EC2 scanning is enabled. For a standalone account, the control fails if Amazon Inspector EC2 scanning is ...

High
Amazon Inspector ECR scanning should be enabled

This control checks whether Amazon Inspector ECR scanning is enabled. For a standalone account, the control fails if Amazon Inspector ECR scanning is ...

High
Amazon Inspector Lambda code scanning should be enabled

This control checks whether Amazon Inspector Lambda code scanning is enabled. For a standalone account, the control fails if Amazon Inspector Lambda c...

High
Amazon Inspector Lambda standard scanning should be enabled

This control verifies whether Amazon Inspector Lambda standard scanning is enabled. For a standalone account, the control fails if Amazon Inspector La...

KMS

High
IAM customer managed policies should not allow decryption actions on all KMS keys

This check ensures that IAM customer managed policies do not allow decryption actions on all KMS keys, which can lead to unauthorized access to encryp...

Medium
IAM customer managed policies should not allow decryption actions on all KMS keys

Checks whether IAM customer managed policies allow decryption actions on all KMS keys, which could lead to unauthorized decryption of sensitive data.
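
The two KMS entries above and the IAM entries on full administrative privileges and service wildcard actions all evaluate the same thing: the statements of a customer managed policy document. The following added example (not the catalog's checker, and not any AWS-published logic) applies those conditions to a policy document, and also flags the Allow-with-NotAction pattern, which grants everything except the listed actions and is easy to miss when only Action is inspected. Which actions count as "decryption actions" is this example's assumption; the sample policies are constructed.

```python
"""Flag over-privileged IAM customer managed policy documents.

Added example, not the catalog's checker. Reproduces the catalog's three
conditions (full admin, service-wide wildcard action, decryption on every
KMS key) and adds the Allow+NotAction trap. Sample policies are constructed.
"""
import json

# Actions treated as KMS decryption (assumption; "*" and "kms:*" include them).
KMS_DECRYPT_ACTIONS = {"kms:decrypt", "kms:reencryptfrom", "kms:*", "*"}


def _as_list(value):
    """Action/Resource may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _covers_all_kms_keys(resources):
    """"*" or a key ARN ending in key/* matches every key; a specific key ARN does not."""
    return any(r == "*" or r.endswith(":key/*") for r in resources)


def check_policy(policy):
    """Return sorted finding strings for one policy document (a dict)."""
    findings = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never grant privilege
        if "NotAction" in stmt:
            # Allow + NotAction grants everything except the listed actions,
            # which is broader than any explicit wildcard.
            findings.add("NotAction with Allow grants every action not listed")
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        resources = _as_list(stmt.get("Resource"))
        if "*" in actions and "*" in resources:
            findings.add("full administrative privileges")
        for action in actions:
            if action.endswith(":*"):
                findings.add(f"wildcard action {action}")
        if any(a in KMS_DECRYPT_ACTIONS for a in actions) and _covers_all_kms_keys(resources):
            findings.add("decryption on all KMS keys")
    return sorted(findings)


def check_policy_json(text):
    """Same check for a policy document in its JSON string form."""
    return check_policy(json.loads(text))


# Constructed sample policies, named after what they should trigger.
SAMPLE_POLICIES = {
    "AdminLike": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "S3Wildcard": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:*"], "Resource": "arn:aws:s3:::app-bucket/*"}]},
    "DecryptAnything": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*"}]},
    "DecryptOneKey": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "kms:Decrypt",
         "Resource": "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"}]},
    "NotActionTrap": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"}]},
    "DenyOnly": {"Version": "2012-10-17", "Statement":
        {"Effect": "Deny", "Action": "*", "Resource": "*"}},
}


def check_all(policies=SAMPLE_POLICIES):
    """Map each policy name to its findings."""
    return {name: check_policy(doc) for name, doc in policies.items()}


if __name__ == "__main__":
    for name, result in check_all().items():
        print(f"{name}: {result or 'ok'}")
```

The KMS condition is deliberately resource-aware: kms:Decrypt on one key ARN is a normal least-privilege grant and is not reported, while the same action on Resource "*" (or a key/* wildcard) is. Conditions are ignored here, so a statement that limits kms:Decrypt via kms:ViaService or a similar key would still be reported and needs a human look.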

Critical
AWS KMS keys should not be deleted unintentionally

Checks if AWS KMS keys are scheduled for deletion, which may be unintentional.

Medium
AWS KMS key rotation should be enabled

Checks if AWS KMS keys have key rotation enabled. Key rotation helps manage the lifecycle of cryptographic material.

Critical
KMS keys should not be publicly accessible

This control checks whether an AWS Key Management Service (KMS) key is publicly accessible. The control fails if the KMS key is found to be publicly a...

Kinesis

Medium
Kinesis streams should be encrypted at rest

Checks if Kinesis Data Streams are encrypted at rest with server-side encryption.

Medium
Kinesis stream should have adequate data retention

This control checks whether an Amazon Kinesis data stream has a data retention period greater than or equal to the specified time frame. The control f...

Lambda

Critical
Lambda function policies should prohibit public access

Checks whether the Lambda function's resource-based policy prohibits public access from outside your account.
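
This entry and the "KMS keys should not be publicly accessible" entry above are both resource-based policy checks: they look for an Allow statement whose Principal is "*" or {"AWS": "*"} and that is not narrowed by a condition tying the caller to a known account, organization or source. The following added example (not the catalog's logic, and not AWS's published rule) implements that test over a Lambda function policy and a KMS key policy. Which condition keys are treated as narrowing the principal is this example's assumption; the sample policies are constructed.

```python
"""Flag resource-based policy statements that grant access to everyone.

Added example, not the catalog's checker. Applies to Lambda function
policies and KMS key policies alike. The set of restricting condition keys
is an assumption of this example; sample policies are constructed.
"""

# Condition keys that scope a wildcard principal to known callers (assumption).
RESTRICTING_KEYS = {
    "aws:sourceaccount", "aws:sourcearn", "aws:sourceowner",
    "aws:principalaccount", "aws:principalorgid", "aws:principalarn",
    "aws:sourcevpc", "aws:sourcevpce",
}
# Only positive match operators narrow access; StringNotEquals or Null do not.
POSITIVE_OPERATORS = {
    "stringequals", "stringequalsignorecase", "stringlike",
    "arnequals", "arnlike",
}


def _as_list(value):
    """Policy fields may hold a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """"*" or {"AWS": "*"} means any AWS identity, including anonymous callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _condition_restricts(condition):
    """True if a positive operator tests one of RESTRICTING_KEYS."""
    for operator, tests in (condition or {}).items():
        # "ForAnyValue:StringEquals" style prefixes wrap the base operator.
        base = operator.split(":")[-1].lower()
        if base not in POSITIVE_OPERATORS:
            continue
        if any(key.lower() in RESTRICTING_KEYS for key in tests):
            return True
    return False


def public_statements(policy):
    """Return the Sid (or index) of each Allow statement open to the world."""
    hits = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        if _condition_restricts(stmt.get("Condition")):
            continue
        hits.append(stmt.get("Sid", f"Statement[{i}]"))
    return hits


# Constructed sample policies.
SAMPLE_POLICIES = {
    # Lambda function URL with AuthType NONE: anyone on the internet may invoke it.
    "lambda-url-public": {"Version": "2012-10-17", "Statement": [{
        "Sid": "PublicUrl", "Effect": "Allow", "Principal": "*",
        "Action": "lambda:InvokeFunctionUrl",
        "Resource": "arn:aws:lambda:us-east-1:123456789012:function:hello",
        "Condition": {"StringEquals": {"lambda:FunctionUrlAuthType": "NONE"}}}]},
    # S3 event trigger: a service principal scoped to one account and bucket.
    "lambda-s3-trigger": {"Version": "2012-10-17", "Statement": [{
        "Sid": "S3Invoke", "Effect": "Allow",
        "Principal": {"Service": "s3.amazonaws.com"},
        "Action": "lambda:InvokeFunction",
        "Resource": "arn:aws:lambda:us-east-1:123456789012:function:hello",
        "Condition": {"StringEquals": {"AWS:SourceAccount": "123456789012"},
                      "ArnLike": {"AWS:SourceArn": "arn:aws:s3:::app-bucket"}}}]},
    # KMS key policy that lets any AWS principal decrypt.
    "kms-public-decrypt": {"Version": "2012-10-17", "Statement": [
        {"Sid": "RootAdmin", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "PublicDecrypt", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["kms:Decrypt"], "Resource": "*"}]},
    # Same grant scoped to one organization: cross-account, but not public.
    "kms-org-scoped": {"Version": "2012-10-17", "Statement": [{
        "Sid": "OrgDecrypt", "Effect": "Allow", "Principal": {"AWS": "*"},
        "Action": "kms:Decrypt", "Resource": "*",
        "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorg1"}}}]},
}


def scan(policies=SAMPLE_POLICIES):
    """Map each policy name to the Sids of its public statements."""
    return {name: public_statements(doc) for name, doc in policies.items()}


if __name__ == "__main__":
    for name, sids in scan().items():
        print(f"{name}: {sids or 'not public'}")
```

Two caveats worth keeping in mind when reading results: the account-root principal in a KMS key policy is the normal administrative grant and is not public, and a wildcard principal narrowed only by a key outside RESTRICTING_KEYS (the lambda:FunctionUrlAuthType condition above is the common case) is still reported, because that condition does not limit who may call.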

Medium
Lambda functions should use supported runtimes

This control checks whether the runtime configured for an AWS Lambda function is one of the supported runtimes for its language.

Low
Lambda functions should be in a VPC

Checks whether a Lambda function is in a VPC. It does not evaluate the VPC subnet routing configuration to determine public reachability.

Medium
VPC Lambda functions should operate in multiple Availability Zones

This control checks if a Lambda function that connects to a VPC is associated with more than one Availability Zone. The control fails if only one AZ i...

Low
Lambda functions should have AWS X-Ray active tracing enabled

This control checks whether active tracing with AWS X-Ray is enabled for an AWS Lambda function. The control fails if active tracing with X-Ray is dis...

Macie

Medium
Amazon Macie should be enabled

This control checks whether Amazon Macie is enabled for an account. The control fails if Macie isn't enabled for the account. Amazon Macie discov...

High
Macie automated sensitive data discovery should be enabled

This control checks whether automated sensitive data discovery is enabled for an Amazon Macie administrator account. The control fails if automated se...

Neptune

Medium
Neptune DB clusters should be encrypted at rest

This control checks whether a Neptune DB cluster is encrypted at rest. The control fails if a Neptune DB cluster isn't encrypted at rest. Data at...

Medium
Neptune DB clusters should publish audit logs to CloudWatch Logs

This control checks whether a Neptune DB cluster publishes audit logs to Amazon CloudWatch Logs. The control fails if a Neptune DB cluster doesn'...

Critical
Neptune DB cluster snapshots should not be public

This control checks whether a Neptune manual DB cluster snapshot is public. The control fails if a Neptune manual DB cluster snapshot is public. A Nep...

Low
Neptune DB clusters should have deletion protection enabled

This control checks if a Neptune DB cluster has deletion protection enabled. The control fails if a Neptune DB cluster doesn't have deletion prot...

Medium
Neptune DB clusters should have automated backups enabled

This control checks whether a Neptune DB cluster has automated backups enabled, and a backup retention period greater than or equal to the specified t...

Medium
Neptune DB cluster snapshots should be encrypted at rest

This control checks whether a Neptune DB cluster snapshot is encrypted at rest. The control fails if a Neptune DB cluster snapshot isn't encrypted at rest...

Medium
Neptune DB clusters should have IAM database authentication enabled

This control checks if IAM database authentication is enabled for a Neptune DB cluster. The control fails if IAM database authentication is not enable...

Low
Neptune DB clusters should be configured to copy tags to snapshots

This control checks if a Neptune DB cluster is configured to copy all tags to snapshots when the snapshots are created. The control fails if a Neptune...

Medium
Neptune DB clusters should be deployed across multiple Availability Zones

This control checks if an Amazon Neptune DB cluster has read-replica instances in multiple Availability Zones (AZs). The control fails if the cluster ...

NetworkFirewall

Medium
Network Firewall firewalls should be deployed across multiple Availability Zones

This control evaluates whether a firewall managed through AWS Network Firewall is deployed across multiple Availability Zones (AZs). The control fails...

Medium
Network Firewall logging should be enabled

This control checks whether logging is enabled for an AWS Network Firewall firewall. The control fails if logging isn't enabled for at least one ...

Medium
Network Firewall policies should have at least one rule group associated

Checks whether a Network Firewall policy has any stateful or stateless rule groups associated.

Medium
The default stateless action for Network Firewall policies should be drop or forward for full packets

Checks if the default stateless action for full packets in a Network Firewall policy is set to drop or forward.

Medium
The default stateless action for Network Firewall policies should be drop or forward for fragmented packets

Checks if the default stateless action for fragmented packets in a Network Firewall policy is set to drop or forward.

Medium
Stateless network firewall rule group should not be empty

Checks if a stateless rule group in AWS Network Firewall contains rules. The control fails if there are no rules in the rule group.

Medium
Network Firewall firewalls should have deletion protection enabled

This control checks whether an AWS Network Firewall firewall has deletion protection enabled. The control fails if deletion protection isn't enab...

Medium
Network Firewall firewalls should have subnet change protection enabled

This control checks whether subnet change protection is enabled for an AWS Network Firewall firewall. The control fails if subnet change protection is...

OpenSearch

Low
OpenSearch domains should have the latest software update installed

This control checks whether an Amazon OpenSearch Service domain has the latest software update installed. The control fails if a software update is av...

Low
OpenSearch domains should have at least three dedicated primary nodes

This control checks whether an Amazon OpenSearch Service domain is configured with at least three dedicated primary (master) nodes. The control fails ...

Medium
OpenSearch domains should have encryption at rest enabled

This check ensures that OpenSearch domains have encryption at rest enabled to secure data against unauthorized access.

Critical
OpenSearch domains should not be publicly accessible

This check ensures that OpenSearch domains are placed within a VPC, which provides a more secure and manageable networking environment.

Medium
OpenSearch domains should encrypt data sent between nodes

This check ensures that OpenSearch domains have node-to-node encryption enabled to secure data in transit between nodes within the cluster.

Medium
OpenSearch domain error logging to CloudWatch Logs should be enabled

This check ensures that OpenSearch domains have error logging to CloudWatch Logs enabled for better monitoring and troubleshooting.

Medium
OpenSearch domains should have audit logging enabled

This check ensures that OpenSearch domains have audit logging enabled to record and track changes to ensure security and compliance.

Medium
OpenSearch domains should have at least three data nodes

This check ensures that OpenSearch domains are configured with at least three data nodes to ensure high availability and resilience.

High
OpenSearch domains should have fine-grained access control enabled

This check ensures that OpenSearch domains have fine-grained access control enabled to provide secure access to the domain's data and configurati...

PrivateCA

Low
AWS Private CA root certificate authority should be disabled

This control checks if AWS Private CA has a root certificate authority (CA) that is disabled. The control fails if a root CA is enabled. Root CAs shou...

Protect

Medium
MSK clusters should be encrypted in transit among broker nodes

This control checks whether an Amazon Managed Streaming for Apache Kafka (MSK) cluster is configured to encrypt data in transit using HTTPS (TLS) betw...

Medium
MSK Connect connectors should be encrypted in transit

This control checks whether an Amazon MSK Connect connector is encrypted in transit. It fails if the connector is not encrypted in transit. Data in tr...

Critical
MSK clusters should have public access disabled

This control checks whether public access is disabled for an Amazon MSK cluster. The control fails if public access is enabled for the MSK cluster. By...

Medium
MSK clusters should disable unauthenticated access

This control checks whether unauthenticated access is enabled for an Amazon MSK cluster. The control fails if unauthenticated access is enabled for th...

RDS

Critical
RDS snapshot should be private

Checks whether the RDS snapshot is private.

Critical
RDS DB Instances should prohibit public access

Checks whether the RDS DB Instances prohibit public access.

Medium
RDS DB instances should have encryption at-rest enabled

Checks whether the RDS DB instances have encryption at-rest enabled.

Medium
RDS cluster snapshots and database snapshots should be encrypted at rest

Checks whether the RDS cluster snapshots and database snapshots are encrypted at rest.

Medium
RDS DB instances should be configured with multiple Availability Zones

Checks if RDS instances are configured with multiple Availability Zones. This check also fetches the tags associated with each RDS instance.

Low
Enhanced monitoring should be configured for RDS DB instances

Checks if RDS instances have enhanced monitoring configured. This check also fetches the tags associated with each RDS instance.

Low
RDS clusters should have deletion protection enabled

Checks if RDS clusters have deletion protection enabled. This check also fetches the tags associated with each RDS cluster.

Low
RDS DB instances should have deletion protection enabled

Checks if RDS instances have deletion protection enabled. This check also fetches the tags associated with each RDS instance.

Medium
RDS DB instances should publish logs to CloudWatch Logs

Checks if RDS instances have database logging enabled. This check also fetches the tags associated with each RDS instance.

Medium
IAM authentication should be configured for RDS instances

Checks if RDS instances have IAM authentication configured. This check also fetches the tags associated with each RDS instance.

Medium
RDS instances should have automatic backups enabled

Checks if RDS instances have automatic backups enabled. This check also fetches the tags associated with each RDS instance.

Medium
IAM authentication should be configured for RDS clusters

Checks if RDS clusters have IAM authentication enabled. This check also fetches the tags associated with each RDS cluster.

High
RDS automatic minor version upgrades should be enabled

Checks if RDS instances have automatic minor version upgrades enabled. This check also fetches the tags associated with each RDS instance.

Medium
Amazon Aurora clusters should have backtracking enabled

Checks if Amazon Aurora clusters have backtracking enabled. This check also fetches the tags associated with each RDS cluster.

Medium
RDS DB clusters should be configured for multiple Availability Zones

Checks if RDS DB clusters are configured for multiple Availability Zones. This check also fetches the tags associated with each RDS DB cluster.

Low
RDS DB clusters should be configured to copy tags to snapshots

Checks if RDS DB clusters are configured to copy tags to snapshots. This check also fetches the tags associated with each RDS DB cluster.

Low
RDS DB instances should be configured to copy tags to snapshots

Checks if RDS instances are configured to copy tags to snapshots. This check also fetches the tags associated with each RDS instance.

Low
Existing RDS event notification subscriptions should be configured for critical cluster events

This check verifies whether an Amazon RDS event subscription for database clusters has notifications enabled for both 'maintenance' and ...

Low
Existing RDS event notification subscriptions should be configured for critical database instance events

This check verifies whether an Amazon RDS event subscription for database instances has notifications enabled for 'maintenance', 'confi...

Low
An RDS event notifications subscription should be configured for critical database parameter group events

Checks if an RDS event notifications subscription is configured for critical database parameter group events. This check also fetches the tags associa...

Low
An RDS event notifications subscription should be configured for critical database security group events

Checks if an RDS event notifications subscription is configured for critical database security group events. This check also fetches the tags associat...

Low
RDS instances should not use a database engine default port

Checks if RDS instances are using custom ports instead of the default ports for their respective database engines. This check also fetches the tags as...

Medium
RDS Database Clusters should use a custom administrator username

Checks if Amazon RDS database clusters have changed the admin username from default values such as 'admin', 'root', 'sa'...

Medium
RDS database instances should use a custom administrator username

Checks if Amazon RDS database instances have changed the admin username from default values such as 'admin', 'root', 'sa'...

Medium
RDS DB instances should be protected by a backup plan

Checks if RDS DB instances have a backup retention period greater than zero. This check also fetches the tags associated with each RDS instance.

Medium
RDS DB clusters should be encrypted at rest

Checks if an RDS DB cluster is encrypted at rest. Data at rest refers to any data that's stored in persistent, non-volatile storage for any durat...

Medium
Aurora MySQL DB clusters should publish audit logs to CloudWatch Logs

Checks whether an Amazon Aurora MySQL DB cluster is configured to publish audit logs to Amazon CloudWatch Logs. Audit logs capture a record of databas...

Medium
RDS DB clusters should have automatic minor version upgrade enabled

Checks if automatic minor version upgrade is enabled for an Amazon RDS Multi-AZ DB cluster. RDS provides automatic minor version upgrade so that you c...

Medium
RDS for PostgreSQL DB instances should publish logs to CloudWatch Logs

Checks if Amazon RDS for PostgreSQL DB instances are configured to publish logs to Amazon CloudWatch Logs. The control fails if the PostgreSQL DB inst...

Medium
Aurora PostgreSQL DB clusters should publish logs to CloudWatch Logs

Checks if Amazon Aurora PostgreSQL DB clusters are configured to publish logs to Amazon CloudWatch Logs. The control fails if the Aurora PostgreSQL cl...

Medium
RDS for PostgreSQL DB instances should be encrypted in transit

Checks if Amazon RDS for PostgreSQL DB instances are configured to use encryption in transit. The control fails if the PostgreSQL DB instance is not c...

Medium
RDS for MySQL DB instances should be encrypted in transit

Checks if Amazon RDS for MySQL DB instances are configured to use encryption in transit. The control fails if the MySQL DB instance is not configured ...

Medium
RDS for SQL Server DB instances should publish logs to CloudWatch Logs

Checks if Amazon RDS for SQL Server DB instances are configured to publish logs to Amazon CloudWatch Logs. The control fails if the SQL Server DB inst...

Medium
RDS for SQL Server DB instances should be encrypted in transit

Checks if Amazon RDS for SQL Server DB instances are configured to use encryption in transit. The control fails if the SQL Server DB instance is not c...

Medium
RDS for MariaDB DB instances should publish logs to CloudWatch Logs

Checks if Amazon RDS for MariaDB DB instances are configured to publish logs to Amazon CloudWatch Logs. The control fails if the MariaDB DB instance i...

Medium
RDS for MariaDB DB instances should be encrypted in transit

Checks if Amazon RDS for MariaDB DB instances are configured to use encryption in transit. The control fails if the MariaDB DB instance is not configu...

Medium
Aurora MySQL DB clusters should have audit logging enabled

Checks if Amazon Aurora MySQL DB clusters are configured to have audit logging enabled. The control fails if the Aurora MySQL cluster is not configure...

Recover

Low
ActiveMQ brokers should use active/standby deployment mode

This control checks whether the deployment mode for an Amazon MQ ActiveMQ broker is set to active/standby. The control fails if a single-instance brok...

Low
RabbitMQ brokers should use cluster deployment mode

This control verifies that an Amazon MQ RabbitMQ broker's deployment mode is set to cluster deployment. It fails if a single-instance broker (whi...

Redshift

Critical
Amazon Redshift clusters should prohibit public access

This control checks whether Amazon Redshift clusters are publicly accessible.

Medium
Connections to Amazon Redshift clusters should be encrypted in transit

This control checks whether connections to Amazon Redshift clusters are required to use encryption in transit.

Medium
Amazon Redshift clusters should have automatic snapshots enabled

This control checks whether Amazon Redshift clusters have automated snapshots enabled and retained for at least seven days.

Medium
Amazon Redshift Serverless workgroups should use enhanced VPC routing

Checks if Amazon Redshift Serverless workgroups are configured to use enhanced VPC routing. The control fails if the workgroup is not configured with ...

Medium
Amazon Redshift clusters should have audit logging enabled

This control checks whether an Amazon Redshift cluster has audit logging enabled.

Medium
Connections to Redshift Serverless workgroups should be required to use SSL

Checks if Amazon Redshift Serverless workgroups are configured to require SSL connections. The control fails if the workgroup is not configured to req...

High
Redshift Serverless workgroups should prohibit public access

Checks if Amazon Redshift Serverless workgroups are configured to prohibit public access. The control fails if the workgroup is configured to allow pu...

Medium
Amazon Redshift should have automatic upgrades to major versions enabled

This control checks whether automatic major version upgrades are enabled for Amazon Redshift clusters.

Medium
Redshift Serverless namespaces should be encrypted with customer managed AWS KMS keys

Checks if Amazon Redshift Serverless namespaces are configured to use customer managed AWS KMS keys for encryption. The control fails if the namespace...

Medium
Redshift clusters should use enhanced VPC routing

This control checks whether an Amazon Redshift cluster has EnhancedVpcRouting enabled.

Medium
Redshift Serverless namespaces should not use the default admin username

Checks if Amazon Redshift Serverless namespaces are configured to use a non-default admin username. The control fails if the namespace is using the de...

Medium
Amazon Redshift clusters should not use the default Admin username

This control checks whether an Amazon Redshift cluster has changed the admin username from its default value.

Medium
Redshift Serverless namespaces should export logs to CloudWatch Logs

Checks if Amazon Redshift Serverless namespaces are configured to export logs to Amazon CloudWatch Logs. The control fails if the namespace is not con...

Medium
Redshift clusters should not use the default database name

This control checks whether an Amazon Redshift cluster has changed the database name from its default value.

Medium
Redshift clusters should be encrypted at rest

This control checks if Amazon Redshift clusters are encrypted at rest. The control fails if a Redshift cluster isn't encrypted at rest or if the ...

High
Redshift security groups should allow ingress on the cluster port only from restricted origins

Checks whether a security group associated with an Amazon Redshift cluster has ingress rules that permit access to the cluster port from the internet ...

Medium
Redshift cluster subnet groups should have subnets from multiple Availability Zones

The control checks whether an Amazon Redshift cluster subnet group has subnets from more than one Availability Zone (AZ). The control fails if the clu...

Medium
Redshift clusters should have Multi-AZ deployments enabled

Checks whether multiple Availability Zones (Multi-AZ) deployments are enabled for an Amazon Redshift cluster. The control fails if Multi-AZ deployment...

Route53

Medium
Route 53 public hosted zones should log DNS queries

Checks if DNS query logging is enabled for an Amazon Route 53 public hosted zone. The control fails if DNS query logging isn't enabled for a Rout...

S3

Medium
S3 general purpose buckets should have block public access settings enabled

Checks if the S3 Block Public Access setting is enabled at the account level for all S3 buckets in the account.

Critical
S3 general purpose buckets should block public read access

Checks if S3 buckets block public read access through both ACLs and bucket policies, including policies that allow 's3:GetObject' or overly ...

Critical
S3 general purpose buckets should block public write access

Checks if S3 buckets block public write access through both ACLs and bucket policies.

Medium
S3 general purpose buckets should require requests to use SSL

Checks if S3 buckets require requests to use SSL.

High
S3 general purpose bucket policies should restrict access to other AWS accounts

Checks if S3 bucket policies restrict permissions granted to other AWS accounts.

Low
S3 general purpose buckets should use cross-Region replication

Checks if S3 buckets have cross-Region replication enabled.

High
S3 general purpose buckets should block public access

Checks if the S3 Block Public Access setting is enabled at the bucket level.

Medium
S3 general purpose buckets should have server access logging enabled

Checks if S3 bucket server access logging is enabled.

Medium
S3 general purpose buckets with versioning enabled should have Lifecycle configurations

Checks whether an Amazon S3 general purpose versioned bucket has a Lifecycle configuration. The control fails if the versioned bucket doesn't hav...

Medium
S3 general purpose buckets should have event notifications enabled

Checks whether Amazon S3 Event Notifications are enabled on an S3 general purpose bucket. The control fails if event notifications are not enabled.

Medium
ACLs should not be used to manage user access to S3 general purpose buckets

Checks if S3 access control lists (ACLs) are not used to manage user access to buckets.

Low
S3 general purpose buckets should have Lifecycle configurations

Checks if S3 buckets have lifecycle policies configured.

Medium
S3 general purpose buckets should have Object Lock enabled

Checks if S3 buckets are configured to use Object Lock.

Medium
S3 general purpose buckets should be encrypted at rest with AWS KMS keys

Checks if S3 buckets are encrypted at rest with AWS KMS keys.

Critical
S3 access points should have block public access settings enabled

Checks whether an Amazon S3 access point has block public access settings enabled. The control fails if block public access settings aren't enabl...

Low
S3 general purpose buckets should have MFA delete enabled

Checks whether multi-factor authentication (MFA) delete is enabled for an Amazon S3 general purpose bucket. The control fails if MFA delete is not ena...

Medium
S3 general purpose buckets should log object-level write events

This control checks whether an AWS account has at least one AWS CloudTrail multi-Region trail configured to log all write data events for Amazon S3 bu...

Medium
S3 general purpose buckets should log object-level read events

This control checks whether an AWS account has at least one AWS CloudTrail multi-Region trail configured to log all read data events for Amazon S3 buc...

High
S3 Multi-Region Access Points should have block public access settings enabled

This control checks whether an Amazon S3 Multi-Region Access Point has block public access settings enabled. The control fails when the Multi-Region A...

Low
S3 Express Directory Buckets should have lifecycle configuration enabled

This control checks if lifecycle rules are configured for an S3 directory bucket. It fails if lifecycle rules are not configured for the directory buc...

SNS

Medium
SNS topics should be encrypted at-rest using AWS KMS

This control checks whether an Amazon SNS topic is encrypted at rest using keys managed by AWS Key Management Service (AWS KMS). The control fails if ...

High
SNS topic access policies should not allow public access

This control checks if the Amazon SNS topic access policy allows public access. This control fails if the SNS topic access policy allows public access...

SQS

Medium
Amazon SQS queues should be encrypted at rest

This control checks whether Amazon SQS queues are encrypted at rest using SSE-SQS or an AWS KMS key.

High
SQS queue access policies should not allow public access

This control checks whether an Amazon SQS access policy allows public access to an SQS queue. The control fails if an SQS access policy allows public ...

SSM

Medium
EC2 instances should be managed by AWS Systems Manager

This control checks whether EC2 instances are managed by AWS Systems Manager.

High
EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation

This control checks the compliance status of Systems Manager patch compliance on EC2 instances.

Low
EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT

This control checks the compliance status of Systems Manager associations on EC2 instances.

Critical
SSM documents should not be public

This control checks if SSM documents owned by the account are public, which might expose sensitive information.

Medium
SSM Automation should have CloudWatch logging enabled

This control verifies whether Amazon CloudWatch logging is enabled for AWS Systems Manager (SSM) Automation. The control will fail if CloudWatch loggi...

Critical
SSM documents should have the block public sharing setting enabled

This control checks whether the block public sharing setting is enabled for AWS Systems Manager (SSM) documents. The control fails if this setting is ...

SageMaker

High
Amazon SageMaker notebook instances should not have direct internet access

This control checks whether direct internet access is disabled for a SageMaker notebook instance.

High
SageMaker notebook instances should be launched in a custom VPC

This control checks if a SageMaker notebook instance is launched within a custom VPC.

High
Users should not have root access to SageMaker notebook instances

This control checks whether root access is turned on for a SageMaker notebook instance.

Medium
SageMaker endpoint production variants should have an initial instance count greater than 1

This control checks whether production variants of an Amazon SageMaker AI endpoint have an initial instance count greater than 1. The control fails if...

Medium
SageMaker models should have network isolation enabled

This control checks whether an Amazon SageMaker AI hosted model has network isolation enabled. The control fails if the EnableNetworkIsolation paramet...

Medium
SageMaker notebook instances should run on supported platforms

This control checks whether an Amazon SageMaker AI notebook instance is configured to run on a supported platform, based on the platform identifier sp...

SecretsManager

Medium
Secrets Manager secrets should have automatic rotation enabled

This control checks whether a secret stored in AWS Secrets Manager is configured with automatic rotation.

Medium
Secrets Manager secrets configured with automatic rotation should rotate successfully

This control checks whether an AWS Secrets Manager secret rotated successfully based on the rotation schedule.

Medium
Remove unused Secrets Manager secrets

This control checks whether your secrets have been accessed within a specified number of days. The default value is 90 days. If a secret was not acces...

Medium
Secrets Manager secrets should be rotated within a specified number of days

This control checks whether your secrets are rotated at least once within 90 days. The control fails if you don't rotate your secrets at least th...

ServiceCatalog

High
Service Catalog portfolios should be shared within an AWS organization only

This control checks whether AWS Service Catalog shares portfolios within an organization when the integration with AWS Organizations is enabled. The c...

StepFunctions

Medium
Step Functions state machines should have logging turned on

This control checks if Step Functions state machines have logging turned on.

Transfer

Medium
Transfer Family servers should not use FTP protocol for endpoint connection

This control checks whether an AWS Transfer Family server uses a protocol other than FTP for endpoint connection. The control fails if the server uses...

Medium
Transfer Family connectors should have CloudWatch logging enabled

This control checks whether Amazon CloudWatch logging is enabled for an AWS Transfer Family connector. The control fails if CloudWatch logging isn...

WAF

Medium
AWS WAF Classic Global Web ACL logging should be enabled

This control checks whether logging is enabled for an AWS WAF global web ACL.

Medium
AWS WAF Classic Regional rules should have at least one condition

This control checks whether an AWS WAF Regional rule has at least one condition. The control fails if no conditions are present within a rule.

Medium
AWS WAF Classic Regional rule groups should have at least one rule

This control checks whether an AWS WAF Regional rule group has at least one rule. The control fails if no rules are present within a rule group.

Medium
AWS WAF Classic Regional web ACLs should have at least one rule or rule group

This control checks whether an AWS WAF Regional web ACL contains any WAF rules or WAF rule groups. The control fails if a web ACL does not contain any...

Medium
AWS WAF Classic global rules should have at least one condition

This control checks whether an AWS WAF global rule contains any conditions. The control fails if no conditions are present within a rule.

Medium
AWS WAF Classic global rule groups should have at least one rule

This control checks whether an AWS WAF global rule group contains any rules. The control fails if no rules are present within a rule group.

Medium
AWS WAF Classic global web ACLs should have at least one rule or rule group

This control checks whether an AWS WAF global web ACL contains at least one WAF rule or WAF rule group. The control fails if a web ACL does not contai...

Medium
AWS WAF web ACLs should have at least one rule or rule group

This control checks whether an AWS WAFv2 web ACL contains at least one rule or rule group. The control fails if a web ACL does not contain any rules o...

Low
AWS WAF web ACL logging should be enabled

This control checks whether logging is activated for an AWS WAFv2 web ACL. The control fails if logging is deactivated for the web ACL.

Medium
AWS WAF rules should have CloudWatch metrics enabled

This control checks whether an AWS WAF rule or rule group has Amazon CloudWatch metrics enabled. The control fails if the rule or rule group doesn...

WorkSpaces

Medium
WorkSpaces user volumes should be encrypted at rest

This control checks whether a user volume in an Amazon WorkSpaces WorkSpace is encrypted at rest. The control fails if the WorkSpace user volume isn't...

Medium
WorkSpaces root volumes should be encrypted at rest

This control checks whether a root volume in an Amazon WorkSpaces WorkSpace is encrypted at rest. The control fails if the WorkSpace root volume isn't...