Ensure IAM policies that allow full *-* administrative privileges are not created
Ensure ALB protocol is HTTPS
Ensure all data stored in Elasticsearch is securely encrypted at rest
Ensure all Elasticsearch domains have node-to-node encryption enabled
Ensure IAM password policy requires at least one number
Ensure IAM password policy prevents password reuse
Ensure all data stored in RDS is securely encrypted at rest
Ensure all data stored in RDS is not publicly accessible
Ensure the S3 bucket has access logging enabled
Ensure the S3 bucket has server-side-encryption enabled
Ensure the S3 bucket does not allow READ permissions to everyone
Ensure the S3 bucket has versioning enabled
Ensure SageMaker Notebook is encrypted at rest using KMS CMK
Ensure all data stored in the SNS topic is encrypted
Ensure DynamoDB point in time recovery (backup) is enabled
Ensure CloudTrail log file validation is enabled
Ensure EFS is securely encrypted
Ensure Kinesis Stream is securely encrypted
Ensure no IAM policy documents allow * as a statement's actions
Ensure S3 bucket has block public ACLs enabled
Ensure S3 bucket has ignore public ACLs enabled
Ensure the S3 bucket does not allow WRITE permissions to everyone
Ensure no IAM policies are created that allow full *-* administrative privileges
Ensure CloudTrail is enabled in all Regions
CloudFront Distribution should have WAF enabled
Ensure Redshift Cluster logging is enabled
Ensure Elasticsearch Domain Logging is enabled
Redshift cluster should not be publicly accessible
EC2 instance should not have a public IP
DMS replication instance should not be publicly accessible
Ensure the ELBv2 (Application/Network) has access logging enabled
Ensure the ELB has access logging enabled
Ensure S3 bucket policy does not lock out all but the root user (prevents lockouts that need root-account fixes)
Ensure encryption in transit is enabled for EFS volumes in ECS task definitions
Ensure Redshift uses SSL
Ensure EBS default encryption is enabled
Ensure IAM policies do not allow credential exposure
Ensure that EMR clusters with Kerberos have Kerberos Realm set
Ensure that enhanced monitoring is enabled for Amazon RDS instances
Ensure that direct internet access is disabled for an Amazon SageMaker Notebook Instance
Ensure VPC subnets do not assign public IP by default
Ensure that RDS instances have a backup policy
Ensure that Amazon ElastiCache Redis clusters have automatic backup turned on
Ensure that Elasticsearch is configured inside a VPC
Ensure that ELB has cross-zone load balancing enabled
Ensure that RDS clusters have deletion protection enabled
Ensure that RDS global clusters are encrypted
Ensure that Redshift cluster allows version upgrade by default
Ensure that S3 bucket has lock configuration enabled by default
Ensure that S3 bucket has cross-region replication enabled
Ensure that S3 buckets are encrypted with KMS by default
Ensure that RDS database cluster snapshot is encrypted
Ensure that Secrets Manager secret is encrypted using KMS CMK
Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled
Ensure that Workspace user volumes are encrypted
Ensure that Workspace root volumes are encrypted
Ensure that RDS instances have Multi-AZ enabled
Ensure DynamoDB global table point in time recovery (backup) is enabled
Ensure Logging is enabled for WAF Web Access Control Lists
Ensure S3 bucket Object is encrypted by KMS using a customer managed Key (CMK)
Ensure ELB Policy uses only secure protocols
Ensure that CloudSearch is using HTTPS
Ensure create-before-destroy is set for ACM certificates
Verify logging preference for ACM certificates
Ensure that GuardDuty detector is enabled
Ensure Kinesis Firehose delivery stream is encrypted
Ensure that the Execution Role ARN and the Task Role ARN are different in ECS Task definitions
Ensure CloudTrail logging is enabled
Ensure that AWS Lambda function is not publicly accessible
Ensure DB Snapshots are not Public
Ensure SSM documents are not Public
Ensure Secrets Manager secrets are rotated within 90 days
Ensure Elasticsearch Domain Audit Logging is enabled
Ensure that CloudWatch alarm actions are enabled
Ensure that RDS Cluster log capture is enabled
Ensure that RDS Cluster audit logging is enabled for MySQL engine
Ensure ECS containers run as non-privileged
Ensure ECS task definitions do not share the host's process namespace
Ensure ECS containers are limited to read-only access to root filesystems
Ensure Elastic Beanstalk managed platform updates are enabled
Ensure Amazon Redshift clusters have automatic snapshots enabled
Ensure IAM root user does not have access keys
Ensure that RDS instances have performance insights enabled
Ensure DocumentDB has an adequate backup retention period
Ensure that only encrypted EBS volumes are attached to EC2 instances
Ensure GuardDuty is enabled for a specific org/region
Ensure that S3 bucket has a Public Access block
Ensure that RDS clusters have a backup plan in AWS Backup
Ensure that EBS volumes are added to the backup plans of AWS Backup
Ensure CloudTrail trails are integrated with CloudWatch Logs
Ensure VPC flow logging is enabled in all VPCs
Ensure the default security group of every VPC restricts all traffic
Ensure that Auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks
Ensure that Auto Scaling is enabled on your DynamoDB tables
Ensure that Elastic File System (Amazon EFS) file systems are added to the backup plans of AWS Backup
Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances
Ensure that ALB redirects HTTP requests to HTTPS
Ensure an IAM User does not have access to the console
Ensure public-facing ALBs are protected by WAF
Ensure WAF2 has a Logging Configuration
Ensure AWS ElastiCache Redis clusters have Multi-AZ Automatic Failover enabled
Ensure Secrets Manager secrets have automatic rotation enabled
Ensure AWS Neptune cluster deletion protection is enabled
Ensure RDS instances have copy tags to snapshots enabled
Ensure that an S3 bucket has a lifecycle configuration
Ensure S3 buckets have event notifications enabled
Ensure KMS key Policy is defined