Ensure IAM password policy prevents password reuse
Ensure CloudTrail log file validation is enabled
Ensure CloudTrail is enabled in all Regions
Ensure CloudTrail logging is enabled
Ensure ELB Policy uses only secure protocols
Ensure EFS is securely encrypted
Ensure IAM policies that allow full *-* administrative privileges are not created
Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy
Disallow policies from using the AWS AdministratorAccess policy
Ensure all data stored in RDS is not publicly accessible
Ensure that RDS clusters have deletion protection enabled
Ensure Elasticsearch Domain enforces HTTPS
Ensure the S3 bucket has access logging enabled
Ensure VPC subnets do not assign public IP by default
Ensure Kinesis Stream is securely encrypted
Ensure Kinesis Video Stream is encrypted by KMS using a customer managed key (CMK)
Ensure Kinesis Stream is encrypted by KMS using a customer managed key (CMK)
Ensure Kinesis Firehose delivery stream is encrypted
Ensure that Kinesis Firehose Delivery Streams are encrypted with CMK
Ensure Connect Instance Kinesis Video Stream Storage Config uses CMK
Ensure that Elastic Load Balancers use SSL certificates provided by AWS Certificate Manager
Ensure IAM policies that allow full *-* administrative privileges are not created
Ensure no IAM policy documents allow * as a statement's actions
Ensure AWS IAM policy does not allow full IAM privileges
Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228, aka Log4Shell
Ensure IAM password policy expires passwords within 90 days or less
Ensure IAM password policy requires minimum length of 14 or greater
Ensure IAM password policy requires at least one lowercase letter
Ensure IAM password policy requires at least one number
Ensure IAM password policy requires at least one symbol
Ensure IAM password policy requires at least one uppercase letter
Ensure resource is encrypted by KMS using a customer managed key (CMK)
Ensure VPC flow logging is enabled in all VPCs
Ensure EBS default encryption is enabled
Ensure all data stored in EBS is securely encrypted
Ensure EBS Snapshot Copy is encrypted by KMS using a customer managed key (CMK)
Ensure EBS Volume is encrypted by KMS using a customer managed key (CMK)
CloudFront Distribution should have WAF enabled
Ensure the default security group of every VPC restricts all traffic
Ensure SNS topic policy is not public by only allowing specific services or principals to access it
Ensure SageMaker Notebook is encrypted at rest using KMS CMK
Ensure all data stored in the SageMaker Endpoint is securely encrypted at rest
Ensure SageMaker domain is encrypted by KMS using a customer managed key (CMK)