Service | Check | Description | |
--- | --- | --- | ---
IAM (Identity and Access Management) | MFA is not enabled for Root Account | Ensure Multi-Factor Authentication (MFA) is enabled for the AWS root account. | |
IAM (Identity and Access Management) | MFA is not enabled for IAM Users | Ensure Multi-Factor Authentication (MFA) is enabled for all AWS IAM users with AWS Console access. | |
IAM (Identity and Access Management) | Multiple Access Keys exist for IAM Users | Ensure no IAM user has more than one active access key; a second key should exist only transiently while the first is being rotated. | |
IAM (Identity and Access Management) | Cross-Account Access Lacks External ID and MFA | Ensure cross-account IAM roles use either MFA or external IDs to secure the access to AWS resources. | |
IAM (Identity and Access Management) | Lack of Access Key Rotation | Ensure AWS IAM access keys are rotated on a periodic basis as a security best practice (90 Days). | |
IAM (Identity and Access Management) | Password Expiration is Disabled | Ensure AWS Identity and Access Management (IAM) user passwords are reset before expiration (90 Days). | |
IAM (Identity and Access Management) | Weak Password Policy (AWS default password policy) is set for the AWS account | Ensure the AWS account uses a strong IAM password policy (minimum length, character classes, reuse prevention) rather than the default. | |
IAM (Identity and Access Management) | Weak IAM Server Certificate in use | Ensure that all your SSL/TLS certificates are using either 2048 or 4096 bit RSA keys instead of 1024-bit keys. | |
IAM (Identity and Access Management) | IAM Role Policies are Too Permissive | Ensure IAM policies attached to roles do not grant wildcard actions or resources beyond what the role actually needs. | |
IAM (Identity and Access Management) | IAM Access Analyzer is not Enabled | Ensure that IAM Access Analyzer feature is enabled to maintain access security to your AWS resources. | |
IAM (Identity and Access Management) | Pre-Heartbleed Server Certificates | Ensure that your server certificates are not vulnerable to Heartbleed security bug. | |
IAM (Identity and Access Management) | Root Account Access Keys Present | Ensure that your AWS account (root) is not using access keys as a security best practice. | |
IAM (Identity and Access Management) | Lack of SSH Public Keys Rotation | Ensure IAM SSH public keys are rotated on a periodic basis to adhere to AWS security best practices. | |
IAM (Identity and Access Management) | SSL/TLS Certificate is about to Expire | Ensure SSL/TLS certificates are renewed before their expiration. | |
IAM (Identity and Access Management) | Security Challenge Question not Enabled | Ensure security challenge questions are enabled and configured to improve the security of your AWS account. | |
IAM (Identity and Access Management) | Security Contact Information is not Registered | Ensure alternate contacts are set to improve the security of your AWS account. | |
IAM (Identity and Access Management) | Multiple AWS Accounts are not Managed Centrally via Identity Federation or AWS Organizations | Set up, organize and manage your AWS accounts centrally (AWS Organizations, federated identities) for optimal security and manageability. | |
IAM (Identity and Access Management) | Root Account Recently used | Ensure root account credentials have not been used recently to access your AWS account. | |
Elastic Compute Cloud (EC2), Elastic Block Store (EBS), Elastic Load Balancer V2 (ELBv2) | Overbroad Ingress Rules for Security Groups | Ensure no EC2 security group allows unrestricted inbound access (0.0.0.0/0 or ::/0) to ports other than those intended to be public. | |
Elastic Compute Cloud (EC2), Elastic Block Store (EBS), Elastic Load Balancer V2 (ELBv2) | EC2 Instance Termination Protection is not Enabled | Ensure Termination Protection is enabled for EC2 instances that are not part of Auto Scaling groups. | |
Elastic Compute Cloud (EC2), Elastic Block Store (EBS), Elastic Load Balancer V2 (ELBv2) | AMIs are Publicly Shared | Ensure your Amazon Machine Images (AMIs) are not accessible to all AWS accounts. | |
Elastic Compute Cloud (EC2), Elastic Block Store (EBS), Elastic Load Balancer V2 (ELBv2) | Golden/Approved AMIs not in Use | Ensure all EC2 instances are launched from approved AMIs. | |
Elastic Compute Cloud (EC2), Elastic Block Store (EBS), Elastic Load Balancer V2 (ELBv2) | Amazon EBS Snapshots are Publicly Accessible | Ensure that your Amazon EBS volume snapshots are not accessible to all AWS accounts. | |
Elastic Compute Cloud (EC2), Elastic Block Store (EBS), Elastic Load Balancer V2 (ELBv2) | Amazon EBS Volume Encryption is not Enabled | Ensure that existing attached Elastic Block Store (EBS) volumes are encrypted to meet security and compliance requirements. | |
Elastic Compute Cloud (EC2), Elastic Block Store (EBS), Elastic Load Balancer V2 (ELBv2) | Amazon EBS Snapshot Encryption is not Enabled | Ensure Amazon EBS snapshots are encrypted to meet security and compliance requirements. | |
Elastic Compute Cloud (EC2), Elastic Block Store (EBS), Elastic Load Balancer V2 (ELBv2) | KMS Customer Master Keys are not used for EBS Volume Encryption | Ensure EBS volumes are encrypted with customer-managed KMS keys (CMKs) so that you control the key policy and its use. | |
Elastic Compute Cloud (EC2), Elastic Block Store (EBS), Elastic Load Balancer V2 (ELBv2) | Weak Cryptographic Controls for ELB | Ensure Application Load Balancer (ALB) HTTPS listeners use the latest predefined TLS security policy. | |
Elastic Compute Cloud (EC2), Elastic Block Store (EBS), Elastic Load Balancer V2 (ELBv2) | Load Balancer is not Integrated with AWS WAF | Ensure an AWS WAF web ACL is associated with each Application Load Balancer. | |
Elastic Compute Cloud (EC2), Elastic Block Store (EBS), Elastic Load Balancer V2 (ELBv2) | ELB uses Insecure Protocols | Ensure Application Load Balancer (ALB) listeners use a secure protocol (HTTPS) rather than plain HTTP. | |
Elastic Compute Cloud (EC2), Elastic Block Store (EBS), Elastic Load Balancer V2 (ELBv2) | ELB Deletion Protection Disabled | Ensure Deletion Protection is enabled for your AWS load balancers to follow security best practices. | |
Elastic Compute Cloud (EC2), Elastic Block Store (EBS), Elastic Load Balancer V2 (ELBv2) | Access Logging Disabled for ELB | Ensure access logging is enabled for your AWS load balancers to follow security best practices. | |
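The security-group row above is the one most often implemented badly, because a rule is "unrestricted" only when the source prefix is 0.0.0.0/0 or ::/0, and a port range is acceptable only if every port in it is meant to be public. The following is an added example, not code from the original checklist: it runs that logic over a constructed subset of the `SecurityGroups` element returned by `aws ec2 describe-security-groups`. Treating only 80 and 443 as acceptable public ports is an assumption.

```python
"""Flag security groups that allow unrestricted inbound access to ports
that are not meant to be public.

Added example, not part of the original checklist. SAMPLE_GROUPS is a
constructed subset of the `SecurityGroups` element returned by
`aws ec2 describe-security-groups`. Treating only 80 and 443 as acceptable
public ports is an assumption; adjust ALLOWED_PUBLIC_PORTS to your policy.
"""
import ipaddress

ALLOWED_PUBLIC_PORTS = {80, 443}   # assumption: the only ports that may face the Internet

SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0b2", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0c3", "GroupName": "bastion", "IpPermissions": [
        # IPv6-only world access on a range that includes SSH (22).
        {"IpProtocol": "tcp", "FromPort": 20, "ToPort": 25,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
    {"GroupId": "sg-0d4", "GroupName": "anything", "IpPermissions": [
        # Protocol -1 is "all traffic": no FromPort/ToPort keys are present.
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
]


def _is_unrestricted(cidr):
    """True for 0.0.0.0/0, ::/0 and any other prefix of length 0."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def _port_range(perm):
    """Return (from, to) for a permission; protocol -1 (all traffic) means every port."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    # ICMP rules carry type/code here instead of ports; they are reported as-is.
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def find_overbroad_ingress(groups, allowed_ports=ALLOWED_PUBLIC_PORTS):
    """Return one finding per ingress rule that exposes a non-public port to the world."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            world = [c for c in sources if _is_unrestricted(c)]
            if not world:
                continue
            lo, hi = _port_range(perm)
            # A range is acceptable only if every port in it is on the allow-list;
            # a range wider than the allow-list cannot satisfy that, so skip the scan.
            exposed = (hi - lo + 1) > len(allowed_ports) or any(
                p not in allowed_ports for p in range(lo, hi + 1))
            if exposed:
                findings.append({
                    "GroupId": group["GroupId"],
                    "GroupName": group.get("GroupName"),
                    "Protocol": perm.get("IpProtocol"),
                    "Ports": str(lo) if lo == hi else f"{lo}-{hi}",
                    "Sources": world,
                })
    return findings


if __name__ == "__main__":
    for f in find_overbroad_ingress(SAMPLE_GROUPS):
        print(f"{f['GroupId']} ({f['GroupName']}): {f['Protocol']} {f['Ports']} from {f['Sources']}")
```

Only prefix-length-0 sources are treated as unrestricted here; a /8 of someone else's address space is a different finding and is deliberately not reported by this check.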
Virtual Private Cloud(VPC) | VPC Flow Logs Disabled | Ensure Virtual Private Cloud (VPC) Flow Logs feature is enabled in all applicable AWS regions. | |
Simple Storage Service (S3) | Overbroad S3 Access Control | Ensure that your AWS S3 buckets are not publicly exposed to the Internet. | |
Simple Storage Service (S3) | Cross-Account Access for S3 Buckets | Ensure Amazon S3 buckets do not allow unknown cross account access via bucket policies. | |
Simple Storage Service (S3) | Server-Side Encryption is not Enabled for S3 | Ensure AWS S3 buckets enforce Server-Side Encryption (SSE) | |
Simple Storage Service (S3) | KMS Customer Master Keys are not used for S3 Bucket Encryption | Ensure Amazon S3 buckets use customer-managed AWS KMS keys (SSE-KMS) rather than S3-managed keys for default encryption. | |
Simple Storage Service (S3) | Versioning and Multi-Factor Delete is not Enabled on S3 buckets | Ensure AWS S3 buckets have the MFA Delete feature enabled. Ensure AWS S3 object versioning is enabled for an additional level of data protection. | |
Simple Storage Service (S3) | Access Logging Disabled for S3 | Ensure AWS S3 buckets have server access logging enabled to track access requests. | |
Simple Storage Service (S3) | Secure Transport is Not Enforced on S3 | Ensure AWS S3 bucket policies deny requests that are not made over TLS (condition aws:SecureTransport = false) to secure data in transit. | |
CloudTrail | CloudTrail Log Encryption Disabled | Ensure your AWS CloudTrail logs are encrypted using AWS KMS-managed keys (SSE-KMS). | |
CloudTrail | KMS Customer Master Keys are not used for CloudTrail Encryption | Ensure CloudTrail log files are encrypted with a customer-managed KMS key rather than the default S3 encryption. | |
CloudTrail | CloudTrail Log File Validation is Disabled | Ensure your AWS CloudTrail trails have log file integrity validation enabled. | |
CloudTrail | CloudTrail is not Integrated with CloudWatch | Ensure CloudTrail trails deliver events to a CloudWatch Logs log group so they can be monitored. | |
CloudWatch | No Security Incident Alarms exist for AWS Services | Ensure CloudWatch metric filters and alarms exist for security-relevant CloudTrail events (e.g. root account usage, console sign-in without MFA, unauthorized API calls, CloudTrail configuration and IAM policy changes). | |
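The CloudWatch row is only useful if the alarms behind it match the right events. The following is an added example, not code from the original checklist: it pairs five metric-filter patterns, written in CloudWatch Logs filter syntax of the kind used for the CIS AWS Foundations Benchmark alarms (check the current benchmark for its exact wording; quoting them here is an assumption), with equivalent Python predicates, and runs them over constructed CloudTrail records so the detection logic can be tested offline before the alarms are deployed.

```python
"""Security-incident detections for CloudTrail events, testable offline.

Added example, not part of the original checklist. Each entry carries the
CloudWatch Logs metric-filter pattern (CIS-style; verify against the current
benchmark) and an equivalent Python predicate. SAMPLE_EVENTS are constructed
records in CloudTrail's JSON layout.
"""
SG_CHANGE_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "CreateSecurityGroup", "DeleteSecurityGroup",
}
TRAIL_CHANGE_EVENTS = {"CreateTrail", "UpdateTrail", "DeleteTrail", "StartLogging", "StopLogging"}

DETECTIONS = {
    "Unauthorized API calls": {
        "pattern": '{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }',
        "match": lambda e: e.get("errorCode", "").endswith("UnauthorizedOperation")
        or e.get("errorCode", "").startswith("AccessDenied"),
    },
    "Console sign-in without MFA": {
        "pattern": '{ ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }',
        "match": lambda e: e.get("eventName") == "ConsoleLogin"
        and e.get("additionalEventData", {}).get("MFAUsed") != "Yes",
    },
    "Root account usage": {
        # invokedBy NOT EXISTS excludes service-initiated calls made on root's behalf.
        "pattern": '{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS'
                   ' && $.eventType != "AwsServiceEvent" }',
        "match": lambda e: e.get("userIdentity", {}).get("type") == "Root"
        and "invokedBy" not in e.get("userIdentity", {})
        and e.get("eventType") != "AwsServiceEvent",
    },
    "CloudTrail configuration changes": {
        "pattern": "{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail)"
                   " || ($.eventName = StartLogging) || ($.eventName = StopLogging) }",
        "match": lambda e: e.get("eventName") in TRAIL_CHANGE_EVENTS,
    },
    "Security group changes": {
        "pattern": "{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress)"
                   " || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress)"
                   " || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }",
        "match": lambda e: e.get("eventName") in SG_CHANGE_EVENTS,
    },
}

# Constructed CloudTrail records (trimmed to the fields the detections read).
SAMPLE_EVENTS = [
    {"eventID": "e1", "eventType": "AwsConsoleSignIn", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "accountId": "123456789012"},
     "additionalEventData": {"MFAUsed": "Yes"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventID": "e2", "eventType": "AwsConsoleSignIn", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventID": "e3", "eventType": "AwsApiCall", "eventName": "DescribeInstances",
     "eventSource": "ec2.amazonaws.com", "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "errorCode": "Client.UnauthorizedOperation",
     "errorMessage": "You are not authorized to perform this operation."},
    {"eventID": "e4", "eventType": "AwsApiCall", "eventName": "StopLogging",
     "eventSource": "cloudtrail.amazonaws.com", "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventID": "e5", "eventType": "AwsApiCall", "eventName": "AuthorizeSecurityGroupIngress",
     "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/ops/alice"}},
    # Root identity but invoked by a service: the root-usage filter must not fire.
    {"eventID": "e6", "eventType": "AwsApiCall", "eventName": "DescribeStacks",
     "eventSource": "cloudformation.amazonaws.com",
     "userIdentity": {"type": "Root", "accountId": "123456789012", "invokedBy": "cloudformation.amazonaws.com"}},
]


def match_event(event):
    """Return the names of every detection that fires on one CloudTrail record."""
    return [name for name, d in DETECTIONS.items() if d["match"](event)]


def run_detections(events):
    """Return (eventID, detection name) pairs over a batch of records, in input order."""
    return [(e["eventID"], name) for e in events for name in match_event(e)]


if __name__ == "__main__":
    for event_id, name in run_detections(SAMPLE_EVENTS):
        print(f"{event_id}: {name}")
```

Event `e6` is the caveat worth keeping: a root identity with `invokedBy` set is a service acting on root's behalf, and a filter without the `NOT EXISTS` clause will page the on-call for every such call.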
Relational Database Service (RDS) | RDS Database Instances are Publicly Accessible | Ensure RDS database instances are not publicly accessible (Publicly Accessible = No and no Internet-reachable security group). | |
Relational Database Service (RDS) | Deletion protection is not Enabled for RDS Instance | Ensure Deletion Protection feature is enabled for your AWS RDS database instances. | |
Relational Database Service (RDS) | RDS Automated Backup is not enabled | Ensure that Automated Backups are created for the RDS Instances | |
Relational Database Service (RDS) | RDS Instance Encryption is not Enabled | Ensure AWS RDS instances are encrypted to meet security and compliance requirements. | |
Relational Database Service (RDS) | KMS Customer Master Keys are not used for RDS Instance Encryption | Ensure RDS instances are encrypted with customer-managed KMS keys (CMKs) so that you control the key policy and its use. | |
Relational Database Service (RDS) | RDS Snapshots Encryption is not Enabled | Ensure that AWS RDS snapshots are encrypted to meet security and compliance requirements. | |
Relational Database Service (RDS) | RDS Snapshots Publicly accessible | Ensure that your Amazon RDS database snapshots are not accessible to all AWS accounts. | |
Relational Database Service (RDS) | RDS Log Exports is not Enabled (RDS MySQL, Aurora and MariaDB) | Ensure Log Exports feature is enabled for your AWS RDS MySQL, Aurora and MariaDB database instances. | |
Relational Database Service (RDS) | IAM Database Authentication is not Enabled for RDS Instances | Ensure IAM Database Authentication feature is enabled for your AWS RDS MySQL and PostgreSQL database instances. | |
Relational Database Service (RDS) | RDS Auto Minor Version Upgrade Not Enabled | Ensure AWS RDS instances have the Auto Minor Version Upgrade feature enabled. | |
Relational Database Service (RDS) | RDS Database Instance not Updated | Ensure pending engine version updates are applied to RDS instances. | |
Relational Database Service (RDS) | RDS Secure Transport is not Enforced (SQL Server, PostgreSQL) | Ensure AWS RDS SQL Server and PostgreSQL instances require encrypted client connections (the rds.force_ssl parameter). | |
Relational Database Service (RDS) | RDS Backup Retention Period is not enough | Ensure AWS RDS instances have sufficient backup retention period for compliance purposes. | |
Relational Database Service (RDS) | SSL/TLS CA Certificate Expired for RDS | Ensure RDS instances use a current RDS CA certificate and are rotated before the installed CA certificate expires. | |
Relational Database Service (RDS) | RDS not using Multi-AZ Deployment | Ensure AWS RDS instances are deployed with the Multi-AZ feature enabled. | |
Simple Notification Service (SNS) | Cross-Account Access for SNS Topics | Ensure Amazon SNS topics do not allow unknown cross account access. | |
Simple Notification Service (SNS) | SNS Topics Exposed to Everyone | Ensure that AWS Simple Notification Service (SNS) topics are not exposed to everyone. | |
Simple Notification Service (SNS) | Server-Side Encryption is Not Enabled for AWS SNS Topics | Ensure that Amazon SNS topics enforce Server-Side Encryption (SSE). | |
Simple Notification Service (SNS) | KMS Customer Master Keys are not used for SNS Topic Encryption | Ensure that Amazon SNS topics are encrypted with customer-managed KMS keys (CMKs). | |
Key Management Service (KMS) | Lack of KMS Key Rotation | Ensure KMS key rotation feature is enabled for all your Customer Master Keys (CMK). | |
Key Management Service (KMS) | AWS Keys Exposed to Everyone | Ensure Amazon KMS master keys are not exposed to everyone. | |
Key Management Service (KMS) | Cross-Account Access for KMS Service | Ensure Amazon KMS master keys do not allow unknown cross account access. | |
Lambda | Code Signing is not Enabled for Lambda Functions | Ensure that Code Signing is enabled for your Amazon Lambda functions. | |
Lambda | Lambda Runtime Environment Version is not Latest | Ensure that the latest version of the runtime environment is used for your AWS Lambda functions. | |
Lambda | Cross-Account Access for Lambda Functions | Ensure AWS Lambda functions do not allow unknown cross-account access via their resource-based permission policies. | |
Lambda | Lambda Function Exposed to Everyone | Ensure that your Amazon Lambda functions are not exposed to everyone. | |
Lambda | Lambda Environment Variables are not Encrypted | Ensure encryption is enabled for the AWS Lambda environment variables that store sensitive information. | |
Lambda | KMS Customer Master Keys are not used for Lambda Environment Variable Encryption | Ensure Lambda environment variables are encrypted with customer-managed KMS keys (CMKs) so that you control the key policy and its use. | |
AWS Config | AWS Config Not Used | Ensure AWS Config is enabled in all regions to get the optimal visibility of the activity on your account. | |
AWS Config | Validate AWS Config Rules | Review AWS Config rules and remediate resources reported as NON_COMPLIANT. | |
AWS GuardDuty | AWS GuardDuty Not Used | Ensure Amazon GuardDuty is enabled to help you protect your AWS accounts and workloads against security threats. | |
AWS GuardDuty | Validate the AWS GuardDuty Findings | Review and triage the findings reported by GuardDuty rather than leaving them unactioned. | |
Route 53 | Route 53 Domain Transfer Lock is not Enabled | Ensure your domain names have the Transfer Lock feature enabled in order to keep them secure. | |
Route 53 | SPF Record not Present | Ensure an SPF TXT record exists for every domain that has MX records, so that receiving mail servers can reject spoofed senders. | |
Route 53 | Route53 Domains Already Expired | Ensure expired AWS Route 53 domains names are restored. | |
Route 53 | Route53 Domains are about to Expire | Ensure AWS Route 53 domain names are renewed before their expiration (90 days before expiration). | |
Route 53 | DNSSEC Signing for Route 53 Hosted Zones is not Enabled | Ensure that DNSSEC signing is enabled for your Amazon Route 53 Hosted Zones. | |
Elastic Kubernetes Service (EKS) | EKS Secret Encryption is not Enabled | Ensure that envelope encryption of Kubernetes secrets using Amazon KMS is enabled. | |
Elastic Kubernetes Service (EKS) | Kubernetes Cluster Logging is not Enabled | Ensure that EKS control plane logging is enabled for your Amazon EKS clusters. | |
Elastic Kubernetes Service (EKS) | Kubernetes Cluster Version is not Updated | Ensure that the latest version of Kubernetes is installed on your Amazon EKS clusters. | |
Elastic Kubernetes Service (EKS) | Cluster Endpoints are Publicly Accessible | Ensure the EKS cluster API endpoint is not publicly accessible, or is restricted to an explicit list of allowed CIDR blocks. | |
Simple Queue Service (SQS) | Server-Side Encryption is not Enabled for SQS Queues | Ensure Amazon SQS queues enforce Server-Side Encryption (SSE). | |
Simple Queue Service (SQS) | KMS Customer Master Keys are not used for SQS Queue Encryption | Ensure SQS queues are encrypted with customer-managed KMS keys (CMKs) so that you control the key policy and its use. | |
Simple Queue Service (SQS) | SQS Queue Exposed to Everyone | Ensure that AWS Simple Queue Service (SQS) queues are not exposed to everyone. | |
Simple Queue Service (SQS) | Cross-Account Access for SQS Queues | Ensure AWS Simple Queue Service (SQS) queues do not allow unknown cross account access. | |
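The "exposed to everyone" and "unknown cross-account access" rows for S3, SNS, KMS, Lambda and SQS are all the same check run over a resource-based policy, and the S3 secure-transport row is a Deny statement in the same document. The following is an added example, not code from the original checklist or any AWS tool: one analyzer applied to three constructed policies (an S3 bucket policy, a KMS key policy, an SQS queue policy). OWN_ACCOUNT and TRUSTED_ACCOUNTS are assumptions standing in for your account and the partner accounts you expect to see.

```python
"""Analyze resource-based policies for public exposure, unknown cross-account
access and (optionally) a missing secure-transport Deny.

Added example, not part of the original checklist. The policies are
constructed; OWN_ACCOUNT and TRUSTED_ACCOUNTS are assumptions.
"""
import re

OWN_ACCOUNT = "123456789012"           # assumption: the account that owns the resources
TRUSTED_ACCOUNTS = {"222222222222"}    # assumption: accounts that are expected to have cross-account access

ACCOUNT_IN_ARN = re.compile(r"^arn:aws[a-z-]*:[^:]*:[^:]*:(\d{12}):")

S3_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "PartnerList", "Effect": "Allow",
     "Principal": {"AWS": ["arn:aws:iam::999999999999:root", "arn:aws:iam::222222222222:role/reader"]},
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket"},
]}

KMS_KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "EnableIamPermissions", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:root"}, "Action": "kms:*", "Resource": "*"},
    # Principal "*" limited by a condition: not public, but worth a human look.
    {"Sid": "OrgWideUse", "Effect": "Allow", "Principal": "*",
     "Action": ["kms:Encrypt", "kms:Decrypt"], "Resource": "*",
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
    {"Sid": "AllowLogs", "Effect": "Allow", "Principal": {"Service": "logs.us-east-1.amazonaws.com"},
     "Action": "kms:GenerateDataKey*", "Resource": "*"},
]}

SQS_QUEUE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ProducerSend", "Effect": "Allow", "Principal": {"AWS": "999999999999"},
     "Action": "sqs:SendMessage", "Resource": "arn:aws:sqs:us-east-1:123456789012:orders"},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "sqs:*",
     "Resource": "arn:aws:sqs:us-east-1:123456789012:orders",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
]}


def _principals(principal):
    """Flatten the Principal element to (type, value) pairs; bare "*" means AWS:"*"."""
    if principal == "*":
        return [("AWS", "*")]
    return [(ptype, v) for ptype, values in principal.items()
            for v in (values if isinstance(values, list) else [values])]


def _account_of(value):
    """Account ID from a bare 12-digit principal or from an ARN, else None."""
    if value.isdigit() and len(value) == 12:
        return value
    m = ACCOUNT_IN_ARN.match(value)
    return m.group(1) if m else None


def analyze_resource_policy(policy, own_account, trusted_accounts, require_secure_transport=False):
    """Return (finding, Sid, detail) tuples for a resource-based policy document."""
    findings = []
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    has_tls_deny = False
    for st in statements:
        condition = st.get("Condition", {})
        if st.get("Effect") == "Deny":
            if str(condition.get("Bool", {}).get("aws:SecureTransport", "")).lower() == "false":
                has_tls_deny = True
            continue
        if "Principal" not in st:
            continue  # no Principal element: not a grant to another party
        for ptype, value in _principals(st["Principal"]):
            if ptype != "AWS":
                continue  # Service/Federated/CanonicalUser principals are out of scope here
            if value == "*":
                if condition:
                    keys = sorted(k for kv in condition.values() for k in kv)
                    findings.append(("public principal limited by condition (review)", st.get("Sid"), ",".join(keys)))
                else:
                    findings.append(("exposed to everyone", st.get("Sid"), None))
                continue
            acct = _account_of(value)
            if acct and acct != own_account and acct not in trusted_accounts:
                findings.append(("unknown cross-account access", st.get("Sid"), acct))
    if require_secure_transport and not has_tls_deny:
        findings.append(("secure transport not enforced", None, None))
    return findings


if __name__ == "__main__":
    for name, policy, tls in (("s3", S3_BUCKET_POLICY, True), ("kms", KMS_KEY_POLICY, False),
                              ("sqs", SQS_QUEUE_POLICY, True)):
        for finding in analyze_resource_policy(policy, OWN_ACCOUNT, TRUSTED_ACCOUNTS, tls):
            print(name, finding)
```

The analyzer deliberately does not reason about conditions: a `Principal: "*"` with `aws:PrincipalOrgID` or `aws:SourceArn` is reported for review rather than as public, which is the gap IAM Access Analyzer (the IAM row above) closes properly.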
DynamoDB | Continuous Backup is Not Enabled for DynamoDB | Ensure continuous backups (point-in-time recovery) are enabled for all DynamoDB tables. | |
DynamoDB | KMS Customer Master Keys are not used for DynamoDB Table Encryption | Ensure all DynamoDB tables are encrypted with customer-managed KMS keys (CMKs). | |
AWS Backup | AWS Backup Vault is Not Protected from Accidental Deletion | Ensure AWS Backup vaults are protected against accidental or malicious deletion of recovery points (a restrictive vault access policy or AWS Backup Vault Lock). | |
Redshift | Redshift Cluster is Publicly Accessible | Ensure Redshift clusters are not publicly accessible. | |
WorkSpaces | WorkSpaces Volume Encryption is not Enabled | Ensure volume encryption is enabled for all WorkSpaces (root and user volumes). | |
ElastiCache | Older Version of ElastiCache Engine in Use | Ensure ElastiCache clusters run a current engine version rather than an outdated one. | |
ElastiCache | ElastiCache Redis Cluster In-Transit and At-Rest Encryption not Enabled | Ensure ElastiCache Redis clusters have both in-transit and at-rest encryption enabled. | |
CloudFront | Access Logging Disabled for CloudFront | Ensure access logging is enabled for all CloudFront distributions. | |
CloudFront | WAF is Not Enabled in CloudFront | Ensure an AWS WAF web ACL is associated with every CloudFront distribution. | |
CloudFront | TLSv1.0 Supported by CloudFront Distribution | Ensure CloudFront distributions do not accept TLSv1.0 and set the minimum viewer protocol version to TLSv1.2 or later. | |