diff --git a/docs/nist800-53.md b/docs/nist800-53.md index 28953bc..9189d04 100644 --- a/docs/nist800-53.md +++ b/docs/nist800-53.md 
@@ -1,109 +1,126 @@ - - -| Rule ID | Explanation | NIST 800-53 Control ID(s) | SOC 2 Control ID(s) | PCI DSS Control ID(s) | -| ------------------------------------------------------------ | ------------------------------------------------------------ | ------------------------- | ---------------------- | ---------------------- | -|VPCDefaultSecurityGroupClosed|The VPC's default security group denies inbound or outbound traffic.|AC-4(21), AC-17b, AC-17(1), AC-17(1), AC-17(4)(a), AC-17(9), AC-17(10), CM-6a, CM-9b, SC-7a, SC-7c, SC-7(5), SC-7(7), SC-7(11), SC-7(12), SC-7(16), SC-7(21), SC-7(24)(b), SC-7(25), SC-7(26), SC-7(27), SC-7(28)| | | -|ALBHttpToHttpsRedirection|Enforcing ALB's HTTP listeners to redirect to HTTPS.|AC-4, AC-4(22), AC-17(2), AC-24(1), AU-9(3), CA-9b, IA-5(1)(c), PM-17b, SC-7(4)(b), SC-7(4)(g), SC-8, SC-8(1), SC-8(2), SC-8(3), SC-8(4), SC-8(5), SC-13a, SC-23, SI-1a.2, SI-1a.2, SI-1c.2| | | -|ALBWAFEnabled| | | | | -|APIGWAssociatedWithWAF| | | | | -|APIGWCacheEnabledAndEncrypted| | | | | -|APIGWExecutionLoggingEnabled| | | | | -|APIGWSSLEnabled| | | | | -|AutoScalingGroupELBHealthCheckRequired| | | | | -|AutoScalingLaunchConfigPublicIpDisabled| | | | | -|CloudTrailCloudWatchLogsEnabled| | | | | -|CloudTrailEncryptionEnabled| | | | | -|CloudTrailLogFileValidationEnabled| | | | | -|CloudWatchAlarmAction| | | | | -|CloudWatchLogGroupEncrypted| | | | | -|CloudWatchLogGroupRetentionPeriod| | | | | -|DMSReplicationNotPublic| | | | | -|DynamoDBAutoScalingEnabled| | | | | -|DynamoDBInBackupPlan| | | | | -|DynamoDBPITREnabled| | | | | -|EC2EBSInBackupPlan| | | | | -|EC2EBSOptimizedInstance| | | | | -|EC2IMDSv2Enabled| | | | | -|EC2InstanceNoPublicIp| | | | | -|EC2InstanceProfileAttached| | | | | -|EC2InstancesInVPC| | | | | -|EC2RestrictedCommonPorts| | | | | -|EC2RestrictedSSH| | | | | -|ECSTaskDefinitionUserForHostMode| | | | | -|EFSEncrypted| | | | | -|EFSInBackupPlan| | | | | -|ElastiCacheRedisClusterAutomaticBackup| | | | | 
-|ElasticBeanstalkEnhancedHealthReportingEnabled| | | | | -|ElasticBeanstalkManagedUpdatesEnabled| | | | | -|ELBACMCertificateRequired| | | | | -|ELBCrossZoneLoadBalancingEnabled| | | | | -|ELBDeletionProtectionEnabled| | | | | -|ELBLoggingEnabled| | | | | -|ELBTlsHttpsListenersOnly| | | | | -|ELBv2ACMCertificateRequired| | | | | -|IAMNoInlinePolicy| | | | | -|IAMPolicyNoStatementsWithAdminAccess| | | | | -|IAMPolicyNoStatementsWithFullAccess| | | | | -|IAMUserGroupMembership| | | | | -|IAMUserNoPolicies| | | | | -|KMSBackingKeyRotationEnabled| | | | | -|LambdaConcurrency| | | | | -|LambdaDLQ| | | | | -|LambdaFunctionPublicAccessProhibited| | | | | -|LambdaInsideVPC| | | | | -|OpenSearchEncryptedAtRest| | | | | -|OpenSearchErrorLogsToCloudWatch| | | | | -|OpenSearchInVPCOnly| | | | | -|OpenSearchNodeToNodeEncryption| | | | | -|RDSEnhancedMonitoringEnabled| | | | | -|RDSInBackupPlan| | | | | -|RDSInstanceBackupEnabled| | | | | -|RDSInstanceDeletionProtectionEnabled| | | | | -|RDSInstancePublicAccess| | | | | -|RDSLoggingEnabled| | | | | -|RDSMultiAZSupport| | | | | -|RDSStorageEncrypted| | | | | -|RedshiftBackupEnabled| | | | | -|RedshiftClusterConfiguration| | | | | -|RedshiftClusterMaintenanceSettings| | | | | -|RedshiftClusterPublicAccess| | | | | -|RedshiftEnhancedVPCRoutingEnabled| | | | | -|RedshiftRequireTlsSSL| | | | | -|S3BucketLevelPublicAccessProhibited| | | | | -|S3BucketLoggingEnabled| | | | | -|S3BucketPublicReadProhibited| | | | | -|S3BucketPublicWriteProhibited| | | | | -|S3BucketReplicationEnabled| | | | | -|S3BucketSSLRequestsOnly| | | | | -|S3BucketVersioningEnabled| | | | | -|S3DefaultEncryptionKMS| | | | | -|SageMakerEndpointConfigurationKMSKeyConfigured| | | | | -|SageMakerNotebookInstanceKMSKeyConfigured| | | | | -|SageMakerNotebookNoDirectInternetAccess| | | | | -|SecretsManagerRotationEnabled| | | | | -|SecretsManagerUsingKMSKey| | | | | -|SNSEncryptedKMS| | | | | -|VPCFlowLogsEnabled| | | | | -|VPCNoUnrestrictedRouteToIGW| | | | | 
-|VPCSubnetAutoAssignPublicIpDisabled| | | | | -|WAFv2LoggingEnabled| | | | | -| | | | | | -| | | | | | -| | | | | | -| | | | | | -| | | | | | -| | | | | | -| | | | | | -| | | | | | -| | | | | | -| | | | | | -| | | | | | -| | | | | | -| | | | | | -| | | | | | - - - - - - +| Rule ID | Summary | NIST 800-53 Control ID(s) | SOC 2 Control ID(s) | PCI DSS Control ID(s) | ISO 27001/27002 Control ID(s) | HIPAA Security | HITRUST Control ID(s) | +| --------------------------------------------------- | ------------------------------------------------------------ | ------------------------------------------------------------ | ------------------- | --------------------- | ----------------------------- | ------------------------------------------------------------ | --------------------- | +| AccessKeysRotated | IAM active access keys are rotated within the number of days specified in maxAccessKeyAge. | AC-2(1), AC-3(3)(a), AC-3(3)(b)(1), AC-3(3)(b)(2), AC-3(3)(b)(3), AC-3(3)(b)(4), AC-3(3)(b)(5), AC-3(3)(c), AC-3(3), AC-3(4)(a), AC-3(4)(b), AC-3(4)(c), AC-3(4)(d), AC-3(4)(e), AC-3(4), AC-3(8), AC-3(12)(a), AC-3(13), AC-3(15)(a), AC-3(15)(b), AC-4(28), AC-24, CM-5(1)(a), CM-6a, CM-9b, SC-23(3) | | | | | | +| AccountPartofOrganizations | The AWS Account is part of AWS Organizations. | CM-2b, CM-2b.1, CM-2b.2, CM-2b.3, CM-3(3), CM-6a, CM-9b | | | | | | +| ACMCertificateExpirationCheck | AWS Certificate Manager Certificates in your account are valid and not marked for expiration within the specified number of days. | SC-7(12), SC-7(16) | | | | | | +| ALBHttpDropInvalidHeaderEnabled | The ALB does have invalid HTTP header dropping enabled. | | | 4.1, 8.2.1 | | 164.312(a)(2)(iv), 164.312(e)(1), 164.312(e)(2)(i), 164.312(e)(2)(ii) | | +| ALBHttpToHttpsRedirection | The ALB's HTTP listeners are configured to redirect to HTTPS. 
| AC-4, AC-4(22), AC-17(2), AC-24(1), AU-9(3), CA-9b, IA-5(1)(c), PM-17b, SC-7(4)(b), SC-7(4)(g), SC-8, SC-8(1), SC-8(2), SC-8(3), SC-8(4), SC-8(5), SC-13a, SC-23, SI-1a.2, SI-1a.2, SI-1c.2 | | 2.3, 4.1, 8.2.1 | | 164.312(a)(2)(iv), 164.312(e)(1), 164.312(e)(2)(i), 164.312(e)(2)(ii) | | +| ALBWAFEnabled | The ALB is associated with AWS WAFv2 web ACL. | AC-4(21) | | 6.6 | | 164.312(a)(2)(iv), 164.312(e)(2)(ii)) | | +| APIGWAssociatedWithWAF | The REST API stage is associated with AWS WAFv2 web ACL. | AC-4(21) | | 6.6 | | 164.312(b) | | +| APIGWCacheEnabledAndEncrypted | The API Gateway stage does have caching enabled and encrypted for all methods. | AU-9(3), CP-9d, SC-8(3), SC-8(4), SC-13a, SC-28(1), SI-19(4) | | | | 164.312(a)(2)(iv), 164.312(e)(1), 164.312(e)(2)(i), 164.312(e)(2)(ii) | | +| APIGWExecutionLoggingEnabled | The API Gateway stage does not have execution logging enabled for all methods. | AC-4(26), AU-2b, AU-3a, AU-3b, AU-3c, AU-3d, AU-3e, AU-3f, AU-6(3), AU-6(4), AU-6(6), AU-6(9), AU-8b, AU-10, AU-12a, AU-12c, AU-12(1), AU-12(2), AU-12(3), AU-12(4), AU-14a, AU-14b, AU-14b, AU-14(3), CA-7b, CM-5(1)(b), IA-3(3)(b), MA-4(1)(a), PM-14a.1, PM-14b, PM-31, SC-7(9)(b), SI-4(17), SI-7(8) | | | | 164.312(b) | | +| APIGWSSLEnabled | The API Gateway REST API stage is configured with SSL certificates. | AC-4, AC-4(22), AC-17(2), AC-24(1), AU-9(3), CA-9b, IA-5(1)(c), PM-17b, SC-7(4)(b), SC-7(4)(g), SC-8, SC-8(1), SC-8(2), SC-8(3), SC-8(4), SC-8(5), SC-13a, SC-23, SI-1a.2, SI-1a.2, SI-1c.2 | | | | 164.312(b) | | +| AutoScalingGroupELBHealthCheckRequired | The Auto Scaling group (which is associated with a load balancer) does utilize ELB health checks. 
| AU-12(3), AU-14a, AU-14b, CA-2(2), CA-7, CA-7b, CM-6a, CM-9b, PM-14a.1, PM-14b, PM-31, SC-6, SC-36(1)(a), SI-2a | | | | 164.308(a)(3)(i), 164.308(a)(3)(ii)(B), 164.308(a)(4)(ii)(A), 164.308(a)(4)(ii)(C), 164.312(a)(1), 164.312(e)(1) | | +| AutoScalingLaunchConfigPublicIpDisabled | The Auto Scaling launch configuration does have public IP addresses disabled. | AC-3, AC-4(21), CM-6a, SC-7(3) | | | | | | +| CloudTrailCloudWatchLogsEnabled | The trail does have CloudWatch logs enabled. | AC-2(4), AC-3(1), AC-3(10), AC-4(26), AC-6(9), AU-2b, AU-3a, AU-3b, AU-3c, AU-3d, AU-3e, AU-3f, AU-4(1), AU-6(1), AU-6(3), AU-6(4), AU-6(5), AU-6(6), AU-6(9), AU-7(1), AU-8b, AU-9(7), AU-10, AU-12a, AU-12c, AU-12(1), AU-12(2), AU-12(3), AU-12(4), AU-14a, AU-14b, AU-14b, AU-14(3), AU-16, CA-7b, CM-5(1)(b), CM-6a, CM-9b, IA-3(3)(b), MA-4(1)(a), PM-14a.1, PM-14b, PM-31, SC-7(9)(b), SI-1(1)(c), SI-3(8)(b), SI-4(2), SI-4(17), SI-4(20), SI-7(8), SI-10(1)(c) | | | | | | +| CloudTrailEnabled | The AWS Account has CloudTrail enabled. | AC-2(4), AC-3(1), AC-3(10), AC-4(26), AC-6(9), AU-2b, AU-3a, AU-3b, AU-3c, AU-3d, AU-3e, AU-3f, AU-3(1), AU-6(3), AU-6(4), AU-6(6), AU-6(9), AU-8b, AU-10, AU-12a, AU-12c, AU-12(1), AU-12(2), AU-12(3), AU-12(4), AU-14a, AU-14b, AU-14b, AU-14(3), CA-7b, CM-5(1)(b), IA-3(3)(b), MA-4(1)(a), PM-14a.1, PM-14b, PM-31, SC-7(9)(b), SI-1(1)(c), SI-3(8)(b), SI-4(2), SI-4(17), SI-4(20), SI-7(8), SI-10(1)(c) | | | | | | +| CloudTrailEncryptionEnabled | The trail does have encryption enabled. | AU-9(3), CM-6a, CM-9b, CP-9d, SC-8(3), SC-8(4), SC-13a, SC-28(1), SI-19(4) | | | | | | +| CloudTrailLogFileValidationEnabled | The trail does have log file validation enabled. | AU-9a, CM-6a, CM-9b, PM-11b, PM-17b, SA-1(1), SA-10(1), SC-16(1), SI-1a.2, SI-1a.2, SI-1c.2, SI-4d, SI-7a, SI-7(1), SI-7(3), SI-7(7) | | | | | | +| CloudtrailS3DataEventsEnabled | The AWS Account has at least once AWS CloudTrail that Logs Amazon S3 data events for all S3 buckets. 
| AC-2(4), AC-3(1), AC-3(10), AC-4(26), AC-6(9), AU-2b, AU-3a, AU-3b, AU-3c, AU-3d, AU-3e, AU-3f, AU-6(3), AU-6(4), AU-6(6), AU-6(9), AU-8b, AU-10, AU-12a, AU-12c, AU-12(1), AU-12(2), AU-12(3), AU-12(4), AU-14a, AU-14b, AU-14b, AU-14(3), CA-7b, CM-5(1)(b), CM-6a, CM-9b, IA-3(3)(b), MA-4(1)(a), PM-14a.1, PM-14b, PM-31, SC-7(9)(b), SI-1(1)(c), SI-3(8)(b), SI-4(2), SI-4(17), SI-4(20), SI-7(8), SI-10(1)(c) | | | | | | +| CloudWatchAlarmAction | The CloudWatch alarm does have at least one alarm action, one INSUFFICIENT_DATA action, or one OK action enabled. | AU-6(1), AU-6(5), AU-12(3), AU-14a, AU-14b, CA-2(2), CA-7, CA-7b, PM-14a.1, PM-14b, PM-31, SC-36(1)(a), SI-2a, SI-4(12), SI-5b, SI-5(1) | | | | | | +| CloudWatchLogGroupEncrypted | The CloudWatch Log Group is encrypted with an AWS KMS key. | AU-9(3), CP-9d, SC-8(3), SC-8(4), SC-13a, SC-28(1), SI-19(4) | | | | | | +| CloudWatchLogGroupRetentionPeriod | The CloudWatch Log Group does have an explicit retention period configured. | AC-16b, AT-4b, AU-6(3), AU-6(4), AU-6(6), AU-6(9), AU-10, AU-11(1), AU-11, AU-12(1), AU-12(2), AU-12(3), AU-14a, AU-14b, CA-7b, PM-14a.1, PM-14b, PM-21b, PM-31, SC-28(2), SI-4(17), SI-12 | | | | | | +| CloudWatchLoggroupRetentionPeriodCheck | AWS KMS keys are not scheduled for deletion in AWS Key Management Service (KMS). | SA-9(6), SC-12, SC-12(2), SC-12(6) | | | | | | +| DMSReplicationNotPublic | The DMS replication instance is public. | AC-2(6), AC-3, AC-3(7), AC-4(21), AC-6, AC-17b, AC-17(1), AC-17(1), AC-17(4)(a), AC-17(9), AC-17(10), MP-2, SC-7a, SC-7b, SC-7c, SC-7(2), SC-7(3), SC-7(7), SC-7(9)(a), SC-7(11), SC-7(12), SC-7(16), SC-7(20), SC-7(21), SC-7(24)(b), SC-7(25), SC-7(26), SC-7(27), SC-7(28), SC-25 | | | | | | +| DynamoDBAutoScalingEnabled | The provisioned capacity DynamoDB table does have Auto Scaling enabled on it's indexes. 
| CP-1a.1(b), CP-1a.2, CP-2a, CP-2a.6, CP-2a.7, CP-2d, CP-2e, CP-2(5), CP-2(6), CP-6(2), CP-10, SC-5(2), SC-6, SC-22, SC-36, SI-13(5) | | | | | | +| DynamoDBInBackupPlan | The DynamoDB table is in an AWS Backup plan. | CP-1(2), CP-2(5), CP-6a, CP-6(1), CP-6(2), CP-9a, CP-9b, CP-9c, CP-10, CP-10(2), SC-5(2), SI-13(5) | | | | | | +| DynamoDBPITREnabled | The DynamoDB table does have Point-in-time Recovery enabled. | CP-1(2), CP-2(5), CP-6(2), CP-9a, CP-9b, CP-9c, CP-10, CP-10(2), SC-5(2), SI-13(5) | | | | | | +| DynamodbTableEncryptedKms | DynamoDB tables are encrypted in KMS. | AU-9(3), CP-9d, SC-8(3), SC-8(4), SC-13a, SC-28(1), SI-19(4) | | | | | | +| DynamodbThroughputLimitCheck | DynamoDB throughput is approaching the maximum limit for the AWS Account. | AU-12(3), AU-14a, AU-14b, CA-2(2), CA-7, CA-7b, PM-14a.1, PM-14b, PM-31, SC-6, SC-36(1)(a), SI-2a | | | | | | +| EBSSnapshotPublicRestorableCheck | EBS snapshots can be publicly restored. | AC-2(6), AC-3, AC-3(7), AC-4(21), AC-6, AC-17b, AC-17(1), AC-17(1), AC-17(4)(a), AC-17(9), AC-17(10), MP-2, SC-7a, SC-7b, SC-7c, SC-7(2), SC-7(3), SC-7(7), SC-7(9)(a), SC-7(11), SC-7(12), SC-7(16), SC-7(20), SC-7(21), SC-7(24)(b), SC-7(25), SC-7(26), SC-7(27), SC-7(28), SC-25 | | | | | | +| EC2Attached2EbsEncryptedVolumes | EC2 instances are only attached to encrypted EBS volumes. | AU-9(3), CM-6a, CM-9b, CP-9d, SC-8(3), SC-8(4), SC-13a, SC-28(1), SI-19(4) | | | | | | +| Ec2EbsEncryptionByDefault | Default encryption for EBS volumes is enabled at the AWS Account level. | AU-9(3), CM-6a, CM-9b, CP-9d, SC-8(3), SC-8(4), SC-13a, SC-28(1), SI-19(4) | | | | | | +| EC2EBSInBackupPlan | The EBS volume is in an AWS Backup plan. | CP-1(2), CP-2(5), CP-6a, CP-6(1), CP-6(2), CP-9a, CP-9b, CP-9c, CP-10, CP-10(2), SC-5(2), SI-13(5) | | | | | | +| EC2EBSOptimizedInstance | The EC2 instance type 'supports' EBS optimization and does have EBS optimization enabled. 
| CP-2(5), CP-9a, CP-9b, CP-9c, CP-10, SC-5(2) | | | | | | +| EC2IMDSv2Enabled | The EC2 instance does have IMDSV2 (Instance Metadata Service Version 2) enabled. | AC-2(6), AC-3, AC-3(3)(a), AC-3(3)(b)(1), AC-3(3)(b)(2), AC-3(3)(b)(3), AC-3(3)(b)(4), AC-3(3)(b)(5), AC-3(3)(c), AC-3(3), AC-3(4)(a), AC-3(4)(b), AC-3(4)(c), AC-3(4)(d), AC-3(4)(e), AC-3(4), AC-3(7), AC-3(8), AC-3(12)(a), AC-3(13), AC-3(15)(a), AC-3(15)(b), AC-4(28), AC-6, AC-24, CM-5(1)(a), MP-2, SC-23(3) | | | | | | +| EC2InstanceManagedBySSM | EC2 instances are managed by Systems Manager. | CM-2a, CM-2b, CM-2b.1, CM-2b.2, CM-2b.3, CM-2(2), CM-3(3), CM-8a, CM-8a.1, CM-8a.2, CM-8a.3, CM-8a.4, CM-8a.5, CM-8b, CM-8(1), CM-8(2), CM-8(3)(a), CM-8(6), SI-3c.2 | | | | | | +| EC2InstanceNoPublicIp | The EC2 instance is associated with a public IP address. | AC-2(6), AC-3, AC-3(7), AC-4(21), AC-6, AC-17b, AC-17(1), AC-17(1), AC-17(4)(a), AC-17(9), AC-17(10), MP-2, SC-7a, SC-7b, SC-7c, SC-7(2), SC-7(3), SC-7(7), SC-7(9)(a), SC-7(11), SC-7(12), SC-7(16), SC-7(20), SC-7(21), SC-7(24)(b), SC-7(25), SC-7(26), SC-7(27), SC-7(28), SC-25 | | | | | | +| EC2InstanceProfileAttached | The EC2 instance does have an instance profile attached. | AC-3, CM-5(1)(a), CM-6a | | | | | | +| EC2InstancesInVPC | The EC2 instance is within a VPC. | AC-2(6), AC-3(7), AC-4(21), AC-6, AC-17b, AC-17(1), AC-17(1), AC-17(4)(a), AC-17(9), AC-17(10), MP-2, SC-7a, SC-7b, SC-7c, SC-7(2), SC-7(3), SC-7(9)(a), SC-7(11), SC-7(12), SC-7(16), SC-7(20), SC-7(21), SC-7(24)(b), SC-25 | | | | | | +| EC2ManagedAssociationComplianceStatusCheck | Managed EC2 instances are compliant with their association's standaRDS. | CM-2a, CM-2b, CM-2b.1, CM-2b.2, CM-2b.3, CM-2(2), CM-3(3), CM-8a, CM-8a.1, CM-8a.2, CM-8a.3, CM-8a.4, CM-8a.5, CM-8b, CM-8(1), CM-8(3)(a), CM-8(6), SI-3c.2 | | | | | | +| EC2ManagedinstancePatchComplianceStatusCheck | EC2 instances are compliant with their patch requirements. 
| CM-8(3)(a), RA-3a.1, RA-3a.1, SI-2c, SI-2d, SI-2(2), SI-2(5), SI-3c.2 | | | | | | +| EC2RestrictedCommonPorts | The EC2 instance allows unrestricted inbound IPv4 TCP traffic on one or more common ports (by default these ports include 20, 21, 3389, 3309, 3306, 4333). | AC-4(21), AC-17b, AC-17(1), AC-17(1), AC-17(4)(a), AC-17(9), AC-17(10), CM-2a, CM-2(2), CM-6a, CM-7b, CM-8(6), CM-9b, SC-7a, SC-7c, SC-7(5), SC-7(7), SC-7(11), SC-7(12), SC-7(16), SC-7(21), SC-7(24)(b), SC-7(25), SC-7(26), SC-7(27), SC-7(28) | | | | | | +| EC2RestrictedSSH | The Security Group allows unrestricted SSH access. | AC-17b, AC-17(1), AC-17(1), AC-17(4)(a), AC-17(9), AC-17(10), CM-9b, SC-7a, SC-7c, SC-7(7), SC-7(11), SC-7(12), SC-7(16), SC-7(21), SC-7(24)(b), SC-7(25), SC-7(26), SC-7(27), SC-7(28) | | | | | | +| EC2StoppedInstance | EC2 instances have not been stopped for more than the allowed number of days. | CM-2a, CM-2b, CM-2b.1, CM-2b.2, CM-2b.3, CM-2(2), CM-3(3), CM-8(6) | | | | | | +| EC2VolumeInUseCheck | When an instances is terminated, its associated EBS volumes are marked for deletion. | CM-2a, CM-2b, CM-2b.1, CM-2b.2, CM-2b.3, CM-2(2), CM-3(3), CM-8(6) | | | | | | +| ECSTaskDefinitionUserForHostMode | The ECS task definition is configured for host networking and has at least one container with definitions with 'privileged' set to false or empty or 'user' set to root or empty. | AC-3, AC-5b, CM-5(1)(a) | | | | | | +| EFSEncrypted | The EFS does have encryption at rest enabled. | AU-9(3), CP-9d, SC-8(3), SC-8(4), SC-13a, SC-28(1), SI-19(4) | | | | | | +| EFSInBackupPlan | The EFS is in an AWS Backup plan. | CP-1(2), CP-2(5), CP-6a, CP-6(1), CP-6(2), CP-9a, CP-9b, CP-9c, CP-10, CP-10(2), SC-5(2), SI-13(5) | | | | | | +| ElastiCacheRedisClusterAutomaticBackup | The ElastiCache Redis cluster does retain automatic backups for at least 15 days. 
| CP-1(2), CP-2(5), CP-6a, CP-6(1), CP-6(2), CP-9a, CP-9b, CP-9c, CP-10, CP-10(2), SC-5(2), SI-13(5) | | | | | | +| ElasticBeanstalkEnhancedHealthReportingEnabled | The Elastic Beanstalk environment does have enhanced health reporting enabled. | AU-12(3), AU-14a, AU-14b, CA-2(2), CA-7, CA-7b, PM-14a.1, PM-14b, PM-31, SC-6, SC-36(1)(a), SI-2a | | | | | | +| ElasticBeanstalkManagedUpdatesEnabled | The Elastic Beanstalk environment does have managed updates enabled. | SI-2c, SI-2d, SI-2(2), SI-2(5) | | | | | | +| ELBACMCertificateRequired | The CLB does utilize an SSL certificate provided by ACM (Amazon Certificate Manager). | AC-4, AC-4(22), AC-17(2), AC-24(1), AU-9(3), CA-9b, IA-5(1)(c), PM-17b, SC-7(4)(b), SC-7(4)(g), SC-8, SC-8(1), SC-8(2), SC-8(3), SC-8(4), SC-8(5), SC-13a, SC-23, SC-23(5), SI-1a.2, SI-1a.2, SI-1c.2 | | | | | | +| ELBCrossZoneLoadBalancingEnabled | The CLB does balance traffic between at least 2 Availability Zones. | CP-1a.1(b), CP-1a.2, CP-2a, CP-2a.6, CP-2a.7, CP-2d, CP-2e, CP-2(5), CP-2(6), CP-6(2), CP-10, SC-5(2), SC-6, SC-22, SC-36, SI-13(5) | | | | | | +| ELBDeletionProtectionEnabled | The ALB, NLB, or GLB does have deletion protection enabled. | CA-7(4)(c), CM-2a, CM-2(2), CM-3a, CM-8(6), CP-1a.1(b), CP-1a.2, CP-2a, CP-2a.6, CP-2a.7, CP-2d, CP-2e, CP-2(5), SA-15a.4, SC-5(2), SC-22 | | | | | | +| ELBLoggingEnabled | The ELB does have logging enabled. | AC-4(26), AU-2b, AU-3a, AU-3b, AU-3c, AU-3d, AU-3e, AU-3f, AU-6(3), AU-6(4), AU-6(6), AU-6(9), AU-8b, AU-10, AU-12a, AU-12c, AU-12(1), AU-12(2), AU-12(3), AU-12(4), AU-14a, AU-14b, AU-14b, AU-14(3), CA-7b, CM-5(1)(b), IA-3(3)(b), MA-4(1)(a), PM-14a.1, PM-14b, PM-31, SC-7(9)(b), SI-4(17), SI-7(8) | | | | | | +| ELBTlsHttpsListenersOnly | The CLB does restrict its listeners to only the SSL and HTTPS protocols. 
| AC-4, AC-4(22), AC-17(2), AC-24(1), AU-9(3), CA-9b, IA-5(1)(c), PM-17b, PM-17b, SC-7(4)(b), SC-7(4)(g), SC-8, SC-8(1), SC-8(2), SC-8(2), SC-8(3), SC-8(4), SC-8(5), SC-13a, SC-23, SI-1a.2, SI-1a.2, SI-1a.2, SI-1a.2, SI-1c.2, SI-1c.2 | | | | | | +| ELBv2ACMCertificateRequired | The ALB, NLB, or GLB listener does utilize an SSL certificate provided by ACM (Amazon Certificate Manager). | SC-8(1), SC-23(5) | | | | | | +| EMRMasterNoPublicIP | EMR clusters' master nodes have no public IP. | AC-2(6), AC-3, AC-3(7), AC-4(21), AC-6, AC-17b, AC-17(1), AC-17(1), AC-17(4)(a), AC-17(9), AC-17(10), MP-2, SC-7a, SC-7b, SC-7c, SC-7(2), SC-7(3), SC-7(7), SC-7(9)(a), SC-7(11), SC-7(12), SC-7(16), SC-7(20), SC-7(21), SC-7(24)(b), SC-7(25), SC-7(26), SC-7(27), SC-7(28), SC-25 | | | | | | +| GuarddutyEnabledCentralized | The AWS Account has Amazon GuardDuty enabled and results Logged in a centralized account. | AC-2(12)(a), AC-3(12)(b), AU-3(1), AU-6(1), AU-6(5), AU-12(3), AU-14a, AU-14b, CA-2d, CA-7, CA-7b, CM-8(3)(a), IR-4a, PE-6(2), PE-6(4), PM-14a.1, PM-14b, PM-16, PM-31, RA-1a, RA-1a.1, RA-1a.2, RA-3a.1, RA-3a.1, RA-3(4), RA-5a, RA-5(4), RA-10a, RA-10a.1, RA-10a.2, SC-5a, SC-5b, SC-5(1), SC-5(3)(a), SC-5(3)(b), SC-43b, SI-3(8)(a), SI-4a, SI-4a.1, SI-4a.1, SI-4a.2, SI-4b, SI-4c, SI-4(1), SI-4(1), SI-4(2), SI-4(3), SI-4(4)(a), SI-4(4)(b), SI-4(10), SI-4(13)(a), SI-4(14), SI-4(14), SI-4(23), SI-4(25), SI-5b, SI-5(1) | | | | | | +| IAMNoInlinePolicy | The IAM Group, User, or Role contains an inline policy. 
| AC-2i.2, AC-2(1), AC-2(6), AC-3, AC-3(3)(a), AC-3(3)(b)(1), AC-3(3)(b)(2), AC-3(3)(b)(3), AC-3(3)(b)(4), AC-3(3)(b)(5), AC-3(3)(c), AC-3(3), AC-3(4)(a), AC-3(4)(b), AC-3(4)(c), AC-3(4)(d), AC-3(4)(e), AC-3(4), AC-3(7), AC-3(8), AC-3(12)(a), AC-3(13), AC-3(15)(a), AC-3(15)(b), AC-4(28), AC-6, AC-6(3), AC-24, CM-5(1)(a), CM-6a, CM-9b, MP-2, SC-23(3) | | | | | | +| IAMPasswordPolicy | The account password policy for IAM users meets the specified requirements indicated in the parameters. | AC-2d.1, AC-2(1), AC-2(3)(a), AC-2(3)(b), AC-2(3)(c), AC-2(3)(d), AC-2(3), AC-3(3)(a), AC-3(3)(b)(1), AC-3(3)(b)(2), AC-3(3)(b)(3), AC-3(3)(b)(4), AC-3(3)(b)(5), AC-3(3)(c), AC-3(3), AC-3(4)(a), AC-3(4)(b), AC-3(4)(c), AC-3(4)(d), AC-3(4)(e), AC-3(4), AC-3(8), AC-3(12)(a), AC-3(13), AC-3(15)(a), AC-3(15)(b), AC-4(28), AC-7(4), AC-7(4)(a), AC-24, CM-5(1)(a), CM-6a, CM-9b, CM-12b, IA-4d, IA-5, IA-5b, IA-5c, IA-5d, IA-5f, IA-5h, IA-5(1)(f), IA-5(1)(g), IA-5(1)(h), IA-5(18)(a), IA-5(18)(b), IA-8(2)(b), MA-4c, SC-23(3) | | | | | | +| IAMPolicyNoStatementsWithAdminAccess | The IAM policy grants admin access, meaning the policy allows a principal to perform all actions on all resources. | AC-2i.2, AC-2(1), AC-2(6), AC-3, AC-3(3)(a), AC-3(3)(b)(1), AC-3(3)(b)(2), AC-3(3)(b)(3), AC-3(3)(b)(4), AC-3(3)(b)(5), AC-3(3)(c), AC-3(3), AC-3(4)(a), AC-3(4)(b), AC-3(4)(c), AC-3(4)(d), AC-3(4)(e), AC-3(4), AC-3(7), AC-3(8), AC-3(12)(a), AC-3(13), AC-3(15)(a), AC-3(15)(b), AC-4(28), AC-5b, AC-6, AC-6(2), AC-6(3), AC-6(10), AC-24, CM-5(1)(a), CM-6a, CM-9b, MP-2, SC-23(3), SC-25 | | | | | | +| IAMPolicyNoStatementsWithFullAccess | The IAM policy grants full access, meaning the policy allows a principal to perform all actions on individual resources. | AC-3, AC-5b, AC-6(2), AC-6(10), CM-5(1)(a) | | | | | | +| IAMRootAccessChecked | The Account IAM Root User has an access key(s). 
| AC-2(1), AC-2(6), AC-3(3)(a), AC-3(3)(b)(1), AC-3(3)(b)(2), AC-3(3)(b)(3), AC-3(3)(b)(4), AC-3(3)(b)(5), AC-3(3)(c), AC-3(3), AC-3(4)(a), AC-3(4)(b), AC-3(4)(c), AC-3(4)(d), AC-3(4)(e), AC-3(4), AC-3(7), AC-3(8), AC-3(12)(a), AC-3(13), AC-3(15)(a), AC-3(15)(b), AC-4(28), AC-6, AC-6(2), AC-6(10), AC-24, CM-5(1)(a), CM-6a, CM-6a, CM-9b, IA-2, IA-4b, IA-4(4), IA-4(8), IA-5(8), MP-2, SC-23(3), SC-25 | | | | | | +| IAMUserGroupMembership | The IAM user does belong to any group(s). | AC-2i.2, AC-2(1), AC-2(6), AC-3, AC-3(3)(a), AC-3(3)(b)(1), AC-3(3)(b)(2), AC-3(3)(b)(3), AC-3(3)(b)(4), AC-3(3)(b)(5), AC-3(3)(c), AC-3(3), AC-3(4)(a), AC-3(4)(b), AC-3(4)(c), AC-3(4)(d), AC-3(4)(e), AC-3(4), AC-3(7), AC-3(8), AC-3(12)(a), AC-3(13), AC-3(15)(a), AC-3(15)(b), AC-4(28), AC-6, AC-6(3), AC-24, CM-5(1)(a), CM-6a, CM-9b, MP-2, SC-23(3) | | | | | | +| IamUserMfaEnabled | AWS Identity and Access Management users have multi-factor authentication (MFA) enabled. | AC-2(1), AC-3(2), AC-3(3)(a), AC-3(3)(b)(1), AC-3(3)(b)(2), AC-3(3)(b)(3), AC-3(3)(b)(4), AC-3(3)(b)(5), AC-3(3)(c), AC-3(3), AC-3(4)(a), AC-3(4)(b), AC-3(4)(c), AC-3(4)(d), AC-3(4)(e), AC-3(4), AC-3(8), AC-3(12)(a), AC-3(13), AC-3(15)(a), AC-3(15)(b), AC-4(28), AC-7(4), AC-7(4)(a), AC-24, CM-5(1)(a), IA-2(1), IA-2(2), IA-2(6), IA-2(6), IA-2(6)(a), IA-2(8), SC-23(3) | | | | | | +| IAMUserNoPolicies | The IAM policy is attached at the user level. | AC-2i.2, AC-2(1), AC-2(6), AC-3, AC-3(3)(a), AC-3(3)(b)(1), AC-3(3)(b)(2), AC-3(3)(b)(3), AC-3(3)(b)(4), AC-3(3)(b)(5), AC-3(3)(c), AC-3(3), AC-3(4)(a), AC-3(4)(b), AC-3(4)(c), AC-3(4)(d), AC-3(4)(e), AC-3(4), AC-3(7), AC-3(8), AC-3(12)(a), AC-3(13), AC-3(15)(a), AC-3(15)(b), AC-4(28), AC-6, AC-6(3), AC-24, CM-5(1)(a), CM-6a, CM-9b, MP-2, SC-23(3), SC-25 | | | | | | +| IAMUserUnusedCredentialsCheck | IAM User passwoRDS and active access keys have been used within a specified number of days. 
| AC-2g, AC-2j, AC-2j, AC-2(1), AC-2(3)(a), AC-2(3)(b), AC-2(3)(c), AC-2(3)(d), AC-2(3), AC-2(6), AC-3, AC-3(3)(a), AC-3(3)(b)(1), AC-3(3)(b)(2), AC-3(3)(b)(3), AC-3(3)(b)(4), AC-3(3)(b)(5), AC-3(3)(c), AC-3(3), AC-3(4)(a), AC-3(4)(b), AC-3(4)(c), AC-3(4)(d), AC-3(4)(e), AC-3(4), AC-3(7), AC-3(8), AC-3(12)(a), AC-3(13), AC-3(15)(a), AC-3(15)(b), AC-4(28), AC-6, AC-24, CM-5(1)(a), CM-6a, CM-9b, MP-2, SC-23(3) | | | | | | +| KMSBackingKeyRotationEnabled | The KMS Symmetric key does have automatic key rotation enabled. | CM-6a, CM-9b, SA-9(6), SC-12, SC-12(2), SC-12(6) | | | | | | +| LambdaConcurrency | The Lambda function is configured with function-level concurrent execution limits. | AU-12(3), AU-14a, AU-14b, CA-7, CA-7b, PM-14a.1, PM-14b, PM-31, SC-6 | | | | | | +| LambdaDLQ | The Lambda function is configured with a dead-letter configuration. | AU-12(3), AU-14a, AU-14b, CA-2(2), CA-7, CA-7b, PM-14a.1, PM-14b, PM-31, SC-36(1)(a), SI-2a | | | | | | +| LambdaInsideVPC | The Lambda function is VPC enabled. | AC-2(6), AC-3, AC-3(7), AC-4(21), AC-6, AC-17b, AC-17(1), AC-17(1), AC-17(4)(a), AC-17(9), AC-17(10), MP-2, SC-7a, SC-7b, SC-7c, SC-7(2), SC-7(3), SC-7(9)(a), SC-7(11), SC-7(12), SC-7(16), SC-7(20), SC-7(21), SC-7(24)(b), SC-25 | | | | | | +| MFAEnabledIAMConsoleAccess | IAM Users have MFA enabled for console access. | AC-2(1), AC-3(2), AC-3(3)(a), AC-3(3)(b)(1), AC-3(3)(b)(2), AC-3(3)(b)(3), AC-3(3)(b)(4), AC-3(3)(b)(5), AC-3(3)(c), AC-3(3), AC-3(4)(a), AC-3(4)(b), AC-3(4)(c), AC-3(4)(d), AC-3(4)(e), AC-3(4), AC-3(8), AC-3(12)(a), AC-3(13), AC-3(15)(a), AC-3(15)(b), AC-4(28), AC-7(4), AC-7(4)(a), AC-24, CM-5(1)(a), CM-6a, CM-9b, IA-2(1), IA-2(2), IA-2(6), IA-2(6), IA-2(6)(a), IA-2(8), SC-23(3) | | | | | | +| MultiRegionCloudtrailEnabled | The AWS Account has at least one multi-region CloudTrail enabled. 
| AC-2(4), AC-3(1), AC-3(10), AC-4(26), AC-6(9), AU-2b, AU-3a, AU-3b, AU-3c, AU-3d, AU-3e, AU-3f, AU-6(3), AU-6(4), AU-6(6), AU-6(9), AU-8b, AU-10, AU-12a, AU-12c, AU-12(1), AU-12(2), AU-12(3), AU-12(4), AU-14a, AU-14b, AU-14b, AU-14(3), CA-7b, CM-5(1)(b), CM-6a, CM-9b, IA-3(3)(b), MA-4(1)(a), PM-14a.1, PM-14b, PM-31, SC-7(9)(b), SI-1(1)(c), SI-3(8)(b), SI-4(2), SI-4(17), SI-4(20), SI-7(8), SI-10(1)(c) | | | | | | +| NIST.800.53.R4-LambdaFunctionPublicAccessProhibited | The Lambda function permission grants public access. | AC-2(6), AC-3, AC-3(7), AC-4(21), AC-6, AC-17b, AC-17(1), AC-17(1), AC-17(4)(a), AC-17(9), AC-17(10), MP-2, SC-7a, SC-7b, SC-7c, SC-7(2), SC-7(3), SC-7(7), SC-7(9)(a), SC-7(11), SC-7(12), SC-7(16), SC-7(20), SC-7(21), SC-7(24)(b), SC-7(25), SC-7(26), SC-7(27), SC-7(28), SC-25 | | | | | | +| OpenSearchEncryptedAtRest | The OpenSearch Service domain does have encryption at rest enabled. | AU-9(3), CP-9d, SC-8(3), SC-8(4), SC-13a, SC-28(1), SI-19(4) | | | | | | +| OpenSearchErrorLogsToCloudWatch | The OpenSearch Service domain does stream error logs (ES_APPLICATION_LOGS) to CloudWatch Logs. | AU-10 | | | | | | +| OpenSearchInVPCOnly | The OpenSearch Service domain is running within a VPC. | AC-2(6), AC-3, AC-3(7), AC-4(21), AC-6, AC-17b, AC-17(1), AC-17(1), AC-17(4)(a), AC-17(9), AC-17(10), MP-2, SC-7a, SC-7b, SC-7c, SC-7(2), SC-7(3), SC-7(9)(a), SC-7(11), SC-7(12), SC-7(16), SC-7(20), SC-7(21), SC-7(24)(b), SC-25 | | | | | | +| OpenSearchNodeToNodeEncryption | The OpenSearch Service domain does have node-to-node encryption enabled. | AC-4, AC-4(22), AC-24(1), AU-9(3), CA-9b, PM-17b, SC-7(4)(b), SC-7(4)(g), SC-8, SC-8(1), SC-8(2), SC-8(3), SC-8(4), SC-8(5), SC-13a, SC-23, SI-1a.2, SI-1a.2, SI-1c.2 | | | | | | +| RDSEnhancedMonitoringEnabled | The RDS DB Instance does have enhanced monitoring enabled. 
| AU-12(3), AU-14a, AU-14b, CA-2(2), CA-7, CA-7b, PM-14a.1, PM-14b, PM-31, SC-36(1)(a), SI-2a | | | | | | +| RDSInBackupPlan | The RDS DB instance is in an AWS Backup plan. | CP-1(2), CP-2(5), CP-6a, CP-6(1), CP-6(2), CP-9a, CP-9b, CP-9c, CP-10, CP-10(2), SC-5(2), SI-13(5) | | | | | | +| RDSInstanceBackupEnabled | The RDS DB Instance does have backup enabled. | CP-1(2), CP-2(5), CP-6a, CP-6(1), CP-6(2), CP-9a, CP-9b, CP-9c, CP-10, CP-10(2), SC-5(2), SI-13(5) | | | | | | +| RDSInstanceDeletionProtectionEnabled | The RDS DB Instance or Aurora Cluster does have deletion protection enabled. | CA-7(4)(c), CM-3a, CP-1a.1(b), CP-1a.2, CP-2a, CP-2a.6, CP-2a.7, CP-2d, CP-2e, CP-2(5), SA-15a.4, SC-5(2), SC-22, SI-13(5) | | | | | | +| RDSInstancePublicAccess | The RDS DB Instance allows public access. | AC-2(6), AC-3, AC-3(7), AC-4(21), AC-6, AC-17b, AC-17(1), AC-17(1), AC-17(4)(a), AC-17(9), AC-17(10), MP-2, SC-7a, SC-7b, SC-7c, SC-7(2), SC-7(3), SC-7(7), SC-7(9)(a), SC-7(11), SC-7(12), SC-7(16), SC-7(20), SC-7(21), SC-7(24)(b), SC-7(25), SC-7(26), SC-7(27), SC-7(28), SC-25 | | | | | | +| RDSLoggingEnabled | The non-Aurora RDS DB instance or Aurora cluster does have all CloudWatch log types exported. | AC-2(4), AC-3(1), AC-3(10), AC-4(26), AC-6(9), AU-2b, AU-3a, AU-3b, AU-3c, AU-3d, AU-3e, AU-3f, AU-6(3), AU-6(4), AU-6(6), AU-6(9), AU-8b, AU-10, AU-12a, AU-12c, AU-12(1), AU-12(2), AU-12(3), AU-12(4), AU-14a, AU-14b, AU-14b, AU-14(3), CA-7b, CM-5(1)(b), IA-3(3)(b), MA-4(1)(a), PM-14a.1, PM-14b, PM-31, SC-7(9)(b), SI-1(1)(c), SI-3(8)(b), SI-4(2), SI-4(17), SI-4(20), SI-7(8), SI-10(1)(c) | | | | | | +| RDSMultiAZSupport | The RDS DB Instance does have multi-AZ support. | CP-1a.1(b), CP-1a.2, CP-2a, CP-2a.6, CP-2a.7, CP-2d, CP-2e, CP-2(5), CP-2(6), CP-6(2), CP-10, SC-5(2), SC-6, SC-22, SC-36, SI-13(5) | | | | | | +| RDSSnapShotEncrypted | RDS snapshots are encrypted. 
| AU-9(3), CP-9d, CP-9(8), SC-8(3), SC-8(4), SC-13a, SC-28(1), SI-19(4) | | | | | | +| RDSSnapShotPublicProhibited | RDS snapshots are not public. | AC-2(6), AC-3, AC-3(7), AC-4(21), AC-6, AC-17b, AC-17(1), AC-17(1), AC-17(4)(a), AC-17(9), AC-17(10), MP-2, SC-7a, SC-7b, SC-7c, SC-7(2), SC-7(3), SC-7(7), SC-7(9)(a), SC-7(11), SC-7(12), SC-7(16), SC-7(20), SC-7(21), SC-7(24)(b), SC-7(25), SC-7(26), SC-7(27), SC-7(28), SC-25 | | | | | | +| RDSStorageEncrypted | The RDS DB Instance or Aurora Cluster does have storage encrypted. | AU-9(3), CP-9d, SC-8(3), SC-8(4), SC-13a, SC-28(1), SI-19(4) | | | | | | +| RedShift-cluster-KMS-enabled | Redshift clusters are encrypted with one of the specified KMS keys. | AU-9(3), CP-9d, SC-8(3), SC-8(4), SC-13a, SC-28(1), SI-19(4) | | | | | | +| RedshiftBackupEnabled | The Redshift cluster does have automated snapshots enabled or the retention period is between 1 and 35 days. | CP-1(2), CP-2(5), CP-6a, CP-6(1), CP-6(2), CP-9a, CP-9b, CP-9c, CP-10, CP-10(2), SC-5(2), SI-13(5) | | | | | | +| RedshiftClusterConfiguration | The Redshift cluster does have encryption or audit logging enabled. | AC-2(4), AC-3(1), AC-3(10), AC-4(26), AC-6(9), AU-2b, AU-3a, AU-3b, AU-3c, AU-3d, AU-3e, AU-3f, AU-6(3), AU-6(4), AU-6(6), AU-6(9), AU-8b, AU-9(3), AU-10, AU-12a, AU-12c, AU-12(1), AU-12(2), AU-12(3), AU-12(4), AU-14a, AU-14b, AU-14b, AU-14(3), CA-7b, CM-5(1)(b), CP-9d, IA-3(3)(b), MA-4(1)(a), PM-14a.1, PM-14b, PM-31, SC-7(9)(b), SC-8(3), SC-8(4), SC-13a, SC-28(1), SI-1(1)(c), SI-3(8)(b), SI-4(2), SI-4(17), SI-4(20), SI-7(8), SI-10(1)(c), SI-19(4) | | | | | | +| RedshiftClusterMaintenanceSettings | The Redshift cluster does have version upgrades enabled, automated snapshot retention periods enabled, and an explicit maintenance window configured | CM-2b, CM-2b.1, CM-2b.2, CM-2b.3, CM-3(3), CP-9a, CP-9b, CP-9c, SC-5(2), SI-2c, SI-2d, SI-2(2), SI-2(5) | | | | | | +| RedshiftClusterPublicAccess | The Redshift cluster allows public access. 
| AC-2(6), AC-3, AC-3(7), AC-4(21), AC-6, AC-17b, AC-17(1), AC-17(1), AC-17(4)(a), AC-17(9), AC-17(10), MP-2, SC-7a, SC-7b, SC-7c, SC-7(2), SC-7(3), SC-7(7), SC-7(9)(a), SC-7(11), SC-7(12), SC-7(16), SC-7(20), SC-7(21), SC-7(24)(b), SC-7(25), SC-7(26), SC-7(27), SC-7(28), SC-25 | | | | | | +| RedshiftEnhancedVPCRoutingEnabled | The Redshift cluster does have enhanced VPC routing enabled. | AC-4(21), SC-7b | | | | | | +| RedshiftRequireTlsSSL | The Redshift cluster does require TLS/SSL encryption. | AC-4, AC-4(22), AC-24(1), AU-9(3), CA-9b, PM-17b, SC-7(4)(b), SC-7(4)(g), SC-8, SC-8(1), SC-8(2), SC-8(3), SC-8(4), SC-8(5), SC-13a, SC-23, SI-1a.2, SI-1a.2, SI-1c.2 | | | | | | +| RootAccountHardwareMFAEnabled | The AWS Account root user is hardware MFA enabled. | AC-2(1), AC-3(2), AC-3(3)(a), AC-3(3)(b)(1), AC-3(3)(b)(2), AC-3(3)(b)(3), AC-3(3)(b)(4), AC-3(3)(b)(5), AC-3(3)(c), AC-3(3), AC-3(4)(a), AC-3(4)(b), AC-3(4)(c), AC-3(4)(d), AC-3(4)(e), AC-3(4), AC-3(8), AC-3(12)(a), AC-3(13), AC-3(15)(a), AC-3(15)(b), AC-4(28), AC-7(4), AC-7(4)(a), AC-24, CM-5(1)(a), CM-6a, CM-9b, IA-2(1), IA-2(2), IA-2(6), IA-2(6), IA-2(6)(a), IA-2(8), SC-23(3) | | | | | | +| RootAccountMFAEnabled | The AWS Account root user is MFA enabled. | AC-2(1), AC-3(2), AC-3(3)(a), AC-3(3)(b)(1), AC-3(3)(b)(2), AC-3(3)(b)(3), AC-3(3)(b)(4), AC-3(3)(b)(5), AC-3(3)(c), AC-3(3), AC-3(4)(a), AC-3(4)(b), AC-3(4)(c), AC-3(4)(d), AC-3(4)(e), AC-3(4), AC-3(8), AC-3(12)(a), AC-3(13), AC-3(15)(a), AC-3(15)(b), AC-4(28), AC-7(4), AC-7(4)(a), AC-24, CM-5(1)(a), CM-6a, CM-9b, IA-2(1), IA-2(2), IA-2(6), IA-2(6), IA-2(6)(a), IA-2(8), SC-23(3) | | | | | | +| S3AccountLevelPublicAccessBlocked | The AWS Account blocks S3 public access. 
| AC-2(6), AC-3, AC-3(7), AC-4(21), AC-6, AC-17b, AC-17(1), AC-17(1), AC-17(4)(a), AC-17(9), AC-17(10), CM-6a, CM-9b, MP-2, SC-7a, SC-7b, SC-7c, SC-7(2), SC-7(3), SC-7(7), SC-7(9)(a), SC-7(11), SC-7(12), SC-7(16), SC-7(20), SC-7(21), SC-7(24)(b), SC-7(25), SC-7(26), SC-7(27), SC-7(28), SC-25 | | | | | | +| S3BucketLevelPublicAccessProhibited | The S3 bucket does prohibit public access through bucket level settings. | AC-2(6), AC-3, AC-3(7), AC-4(21), AC-6, AC-17b, AC-17(1), AC-17(1), AC-17(4)(a), AC-17(9), AC-17(10), MP-2, SC-7a, SC-7b, SC-7c, SC-7(2), SC-7(3), SC-7(7), SC-7(9)(a), SC-7(11), SC-7(20), SC-7(21), SC-7(24)(b), SC-7(25), SC-7(26), SC-7(27), SC-7(28), SC-25 | | | | | | +| S3BucketLoggingEnabled | The S3 Buckets does have server access logs enabled. | AC-2(4), AC-3(1), AC-3(10), AC-4(26), AC-6(9), AU-2b, AU-3a, AU-3b, AU-3c, AU-3d, AU-3e, AU-3f, AU-6(3), AU-6(4), AU-6(6), AU-6(9), AU-8b, AU-10, AU-12a, AU-12c, AU-12(1), AU-12(2), AU-12(3), AU-12(4), AU-14a, AU-14b, AU-14b, AU-14(3), CA-7b, CM-5(1)(b), CM-6a, CM-9b, IA-3(3)(b), MA-4(1)(a), PM-14a.1, PM-14b, PM-31, SC-7(9)(b), SI-1(1)(c), SI-3(8)(b), SI-4(2), SI-4(17), SI-4(20), SI-7(8), SI-10(1)(c) | | | | | | +| S3BucketPublicReadProhibited | The S3 Bucket does prohibit public read access through its Block Public Access configurations and bucket ACLs. | AC-2(6), AC-3, AC-3(7), AC-4(21), AC-6, AC-17b, AC-17(1), AC-17(1), AC-17(4)(a), AC-17(9), AC-17(10), CM-6a, CM-9b, MP-2, SC-7a, SC-7b, SC-7c, SC-7(2), SC-7(3), SC-7(7), SC-7(9)(a), SC-7(11), SC-7(12), SC-7(16), SC-7(20), SC-7(21), SC-7(24)(b), SC-7(25), SC-7(26), SC-7(27), SC-7(28), SC-25 | | | | | | +| S3BucketPublicWriteProhibited | The S3 Bucket does prohibit public write access through its Block Public Access configurations and bucket ACLs. 
| AC-2(6), AC-3, AC-3(7), AC-4(21), AC-6, AC-17b, AC-17(1), AC-17(1), AC-17(4)(a), AC-17(9), AC-17(10), CM-6a, CM-9b, MP-2, SC-7a, SC-7b, SC-7c, SC-7(2), SC-7(3), SC-7(7), SC-7(9)(a), SC-7(11), SC-7(12), SC-7(16), SC-7(20), SC-7(21), SC-7(24)(b), SC-7(25), SC-7(26), SC-7(27), SC-7(28), SC-25 | | | | | | +| S3BucketReplicationEnabled | The S3 Bucket does have replication enabled. | AU-9(2), CM-6a, CM-9b, CP-1(2), CP-2(5), CP-6a, CP-6(1), CP-6(2), CP-9a, CP-9b, CP-9c, CP-10, CP-10(2), SC-5(2), SI-13(5) | | | | | | +| S3BucketServerSideEncryptionEnabled | S3 Buckets have default server-side encryption enabled. | AU-9(3), CM-6a, CM-9b, CP-9d, CP-9(8), PM-11b, SC-8(3), SC-8(4), SC-13a, SC-16(1), SC-28(1), SI-19(4) | | | | | | +| S3BucketSSLRequestsOnly | The S3 Bucket or bucket policy does require requests to use SSL. | AC-4, AC-4(22), AC-17(2), AC-24(1), AU-9(3), CA-9b, CM-6a, CM-9b, IA-5(1)(c), PM-11b, PM-17b, SC-7(4)(b), SC-7(4)(g), SC-8, SC-8(1), SC-8(2), SC-8(3), SC-8(4), SC-8(5), SC-13a, SC-16(1), SC-23, SI-1a.2, SI-1a.2, SI-1c.2 | | | | | | +| S3BucketVersioningEnabled | The S3 Bucket does have versioning enabled. | AU-9(2), CP-1(2), CP-2(5), CP-6a, CP-6(1), CP-6(2), CP-9a, CP-9b, CP-9c, CP-10, CP-10(2), PM-11b, PM-17b, SC-5(2), SC-16(1), SI-1a.2, SI-1a.2, SI-1c.2, SI-13(5) | | | | | | +| S3DefaultEncryptionKMS | The S3 Bucket is encrypted with a KMS Key by default. | AU-9(3), CP-9d, CP-9(8), SC-8(3), SC-8(4), SC-13a, SC-28(1), SI-19(4) | | | | | | +| SageMakerEndpointConfigurationKMSKeyConfigured | The SageMaker resource endpoint is encrypted with a KMS key. | AU-9(3), CP-9d, SC-8(3), SC-8(4), SC-13a, SC-28(1), SI-19(4) | | | | | | +| SageMakerNotebookInstanceKMSKeyConfigured | The SageMaker notebook is encrypted with a KMS key. | AU-9(3), CP-9d, SC-8(3), SC-8(4), SC-13a, SC-28(1), SI-19(4) | | | | | | +| SageMakerNotebookNoDirectInternetAccess | The SageMaker notebook does disable direct internet access. 
| AC-2(6), AC-3, AC-3(7), AC-4(21), AC-6, AC-17b, AC-17(1), AC-17(1), AC-17(4)(a), AC-17(9), AC-17(10), MP-2, SC-7a, SC-7b, SC-7c, SC-7(2), SC-7(3), SC-7(7), SC-7(9)(a), SC-7(11), SC-7(12), SC-7(16), SC-7(20), SC-7(21), SC-7(24)(b), SC-7(25), SC-7(26), SC-7(27), SC-7(28), SC-25 | | | | | | +| SecretsManagerRotationEnabled | The secret does have automatic rotation scheduled. | AC-2(1), AC-3(3)(a), AC-3(3)(b)(1), AC-3(3)(b)(2), AC-3(3)(b)(3), AC-3(3)(b)(4), AC-3(3)(b)(5), AC-3(3)(c), AC-3(3), AC-3(4)(a), AC-3(4)(b), AC-3(4)(c), AC-3(4)(d), AC-3(4)(e), AC-3(4), AC-3(8), AC-3(12)(a), AC-3(13), AC-3(15)(a), AC-3(15)(b), AC-4(28), AC-24, CM-5(1)(a), SC-23(3) | | | | | | +| SecretsManagerSecretPeriodic-Rotation | All secrets have been rotated in the past 90 days. | AC-2(1), AC-3(3)(a), AC-3(3)(b)(1), AC-3(3)(b)(2), AC-3(3)(b)(3), AC-3(3)(b)(4), AC-3(3)(b)(5), AC-3(3)(c), AC-3(3), AC-3(4)(a), AC-3(4)(b), AC-3(4)(c), AC-3(4)(d), AC-3(4)(e), AC-3(4), AC-3(8), AC-3(12)(a), AC-3(13), AC-3(15)(a), AC-3(15)(b), AC-4(28), AC-24, CM-5(1)(a), SC-23(3) | | | | | | +| SecretsManagerUsingKMSKey | The secret is encrypted with a KMS Customer managed key. | AU-9(3), CP-9d, SC-8(3), SC-8(4), SC-13a, SC-28(1), SI-19(4) | | | | | | +| SecretsManageSecretUnused | All secrets have been accessed in the past 90 days. | AC-2(1), AC-3(3)(a), AC-3(3)(b)(1), AC-3(3)(b)(2), AC-3(3)(b)(3), AC-3(3)(b)(4), AC-3(3)(b)(5), AC-3(3)(c), AC-3(3), AC-3(4)(a), AC-3(4)(b), AC-3(4)(c), AC-3(4)(d), AC-3(4)(e), AC-3(4), AC-3(8), AC-3(12)(a), AC-3(13), AC-3(15)(a), AC-3(15)(b), AC-4(28), AC-24, CM-5(1)(a), SC-23(3) | | | | | | +| SecurityHubEnabled | The AWS Account has Security Hub enabled. | AU-6(1), AU-6(5), AU-12(3), AU-14a, AU-14b, CA-2d, CA-7, CA-7b, PM-14a.1, PM-14b, PM-31 | | | | | | +| SNSEncryptedKMS | The SNS topic does have KMS encryption enabled. | AU-9(3), CP-9d, SC-8(3), SC-8(4), SC-13a, SC-28(1) | | | | | | +| SSMDocumentNotPublic | SSM documents are not public. 
| AC-3, AC-4(21), CM-6a, SC-7(3) | | | | | | +| VPC_VPC2TunnelsUp | At least two redundant Site-to-Site VPN tunnels are implemented. | CP-1a.1(b), CP-1a.2, CP-2a, CP-2a.6, CP-2a.7, CP-2d, CP-2e, CP-2(5), CP-2(6), CP-6(2), CP-10, SC-5(2), SC-6, SC-22, SC-36, SI-13(5) | | | | | | +| VPCDefaultSecurityGroupClosed | The VPC's default security group allows inbound or outbound traffic. | AC-4(21), AC-17b, AC-17(1), AC-17(1), AC-17(4)(a), AC-17(9), AC-17(10), CM-6a, CM-9b, SC-7a, SC-7c, SC-7(5), SC-7(7), SC-7(11), SC-7(12), SC-7(16), SC-7(21), SC-7(24)(b), SC-7(25), SC-7(26), SC-7(27), SC-7(28) | | | | | | +| VPCFlowLogsEnabled | The VPC does have an associated Flow Log. | AC-4(26), AU-2b, AU-3a, AU-3b, AU-3c, AU-3d, AU-3e, AU-6(3), AU-6(4), AU-6(6), AU-6(9), AU-8b, AU-12a, AU-12c, AU-12(1), AU-12(2), AU-12(3), AU-12(4), AU-14a, AU-14b, AU-14b, AU-14(3), CA-7b, CM-5(1)(b), CM-6a, CM-9b, IA-3(3)(b), MA-4(1)(a), PM-14a.1, PM-14b, PM-31, SI-4(17), SI-7(8) | | | | | | +| VPCNoUnrestrictedRouteToIGW | The route table may contain one or more unrestricted route(s) to an IGW ('0.0.0.0/0' or '::/0'). | AC-4(21), CM-7b | | | | | | +| VPCSGOpenOnlyToAuthorizedPorts | The VPC Security Group restricts IPv4 TCP traffic on unauthorized ports.2 | AC-4(21), AC-17b, AC-17(1), AC-17(1), AC-17(4)(a), AC-17(9), AC-17(10), SC-7a, SC-7c, SC-7(5), SC-7(11), SC-7(12), SC-7(16), SC-7(21), SC-7(24)(b) | | | | | | +| VPCSubnetAutoAssignPublicIpDisabled | The subnet auto-assigns public IP addresses. | AC-2(6), AC-3, AC-3(7), AC-4(21), AC-6, AC-17b, AC-17(1), AC-17(1), AC-17(4)(a), AC-17(9), AC-17(10), MP-2, SC-7a, SC-7b, SC-7c, SC-7(2), SC-7(3), SC-7(7), SC-7(9)(a), SC-7(11), SC-7(12), SC-7(16), SC-7(20), SC-7(21), SC-7(24)(b), SC-7(25), SC-7(26), SC-7(27), SC-7(28), SC-25 | | | | | | +| WAFv2LoggingEnabled | The WAFv2 web ACL does have logging enabled. 
| AC-4(26), AU-2b, AU-3a, AU-3b, AU-3c, AU-3d, AU-3e, AU-3f, AU-6(3), AU-6(4), AU-6(6), AU-6(9), AU-8b, AU-10, AU-12a, AU-12c, AU-12(1), AU-12(2), AU-12(3), AU-12(4), AU-14a, AU-14b, AU-14b, AU-14(3), CA-7b, CM-5(1)(b), IA-3(3)(b), MA-4(1)(a), PM-14a.1, PM-14b, PM-31, SC-7(9)(b), SI-4(17), SI-7(8) | | | | | | +| | CloudWatch LogGroup retention period is set to specific number of days and is greater than the configured retention period. | AC-16b, AT-4b, AU-6(3), AU-6(4), AU-6(6), AU-6(9), AU-10, AU-11(1), AU-11, AU-12(1), AU-12(2), AU-12(3), AU-14a, AU-14b, CA-7b, PM-14a.1, PM-14b, PM-21b, PM-31, SC-28(2), SI-4(17), SI-12 | | | | | |
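Review bot: the last row of the table has an empty Rule ID cell (`| | CloudWatch LogGroup retention period is set to specific number of days and is greater than the configured retention period. | ...`), so that NIST mapping cannot be looked up by rule name; fill in the rule ID (presumably the `CloudWatchLogGroupRetentionPeriod` rule listed earlier in the file, if it is the same check) or hold the row back until it has one. Smaller issues in the same hunk: the `VPCSGOpenOnlyToAuthorizedPorts` explanation ends with a stray character (`...on unauthorized ports.2`); many rows list the same control twice (`AC-17(1), AC-17(1)`, `SI-1a.2, SI-1a.2`, `AU-14b, AU-14b`, `IA-2(6), IA-2(6)`), which looks like a generation bug and should be de-duplicated before merge; rule IDs mix naming styles (`RedShift-cluster-KMS-enabled`, `SecretsManagerSecretPeriodic-Rotation`, `VPC_VPC2TunnelsUp`) and `SecretsManageSecretUnused` reads as a typo for `SecretsManagerSecretUnused`, so consider normalising them to the PascalCase used by the other rows. The Explanation column is also inconsistent about whether it describes the compliant state (`The Redshift cluster does have enhanced VPC routing enabled.`) or the finding (`The Redshift cluster allows public access.`, `The subnet auto-assigns public IP addresses.`, and `VPCDefaultSecurityGroupClosed`, whose text changes from `denies` to `allows` in this patch); since readers use this column to understand what a failing rule means, pick one convention and apply it to every row, and fix the grammar in `The S3 Buckets does have server access logs enabled.` while you are there.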