AWS: Control Permissions
The following table lists the permissions each Amazon Web Services (AWS) control requires. Enable these permissions to ensure you can view these controls in the policy tab.
| ControlID | Title | Permissions |
|---|---|---|
| 1 | Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password | iam:GenerateCredentialReport iam:GetCredentialReport iam:ListVirtualMFADevices |
| 2 | Ensure console credentials unused for 45 days or greater are disabled | iam:GenerateCredentialReport iam:GetCredentialReport |
| 3 | Ensure access keys unused for 90 days or greater are disabled | iam:GenerateCredentialReport iam:GetCredentialReport |
| 4 | Ensure access key 1 is rotated every 90 days or less | iam:GenerateCredentialReport iam:GetCredentialReport |
| 5 | Ensure access key 2 is rotated every 90 days or less | iam:GenerateCredentialReport iam:GetCredentialReport |
| 6 | Ensure that custom IAM Password Policy is Defined | iam:GetAccountPasswordPolicy |
| 7 | Ensure that custom IAM password policy requires at least one uppercase letter | iam:GetAccountPasswordPolicy |
| 8 | Ensure that custom IAM password policy requires at least one lowercase letter | iam:GetAccountPasswordPolicy |
| 9 | Ensure that custom IAM password policy requires at least one symbol | iam:GetAccountPasswordPolicy |
| 10 | Ensure that custom IAM password policy requires at least one number | iam:GetAccountPasswordPolicy |
| 11 | Ensure that custom IAM password policy requires minimum length of 14 or greater | iam:GetAccountPasswordPolicy |
| 12 | Ensure that custom IAM password policy prevents password reuse | iam:GetAccountPasswordPolicy |
| 13 | Ensure that custom IAM password policy expires passwords within 90 days or less | iam:GetAccountPasswordPolicy |
| 14 | Ensure no root user account access key exists | iam:GenerateCredentialReport iam:GetCredentialReport |
| 15 | Ensure MFA is enabled for the root user account | iam:GenerateCredentialReport iam:GetCredentialReport |
| 16 | Ensure hardware MFA is enabled for the root user account | iam:GenerateCredentialReport iam:GetCredentialReport |
| 17 | Ensure IAM policies are attached only to groups or roles | iam:ListUserPolicies iam:ListAttachedUserPolicies |
| 18 | Eliminate use of the root user for administrative and daily tasks | iam:GenerateCredentialReport iam:GetCredentialReport |
| 19 | Ensure CloudTrail is enabled in all regions | cloudtrail:ListTrails cloudtrail:DescribeTrails cloudtrail:GetTrailStatus |
| 20 | Ensure CloudTrail log file validation is enabled | cloudtrail:DescribeTrails |
| 21 | Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible | s3:GetBucketAcl s3:GetBucketLocation s3:GetBucketPolicy s3:GetBucketPolicyStatus |
| 22 | Ensure CloudTrail trails are integrated with CloudWatch Logs | cloudtrail:GetEventSelectors cloudwatch:DescribeAlarmsForMetric |
| 23 | Ensure AWS Config is enabled in all regions | config:DescribeConfigurationRecorderStatus |
| 24 | Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket | config:DescribeConfigurationRecorderStatus config:DescribeConfigurationRecorders |
| 25 | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | cloudtrail:DescribeTrails s3:ListBucket s3:ListAllMyBuckets s3:GetBucketLocation kms:DescribeKey |
| 26 | Ensure rotation for customer created symmetric CMKs is enabled | kms:DescribeCustomKeyStores kms:GetKeyPolicy kms:GetKeyRotationStatus kms:ListKeys |
| 27 | Ensure unauthorized API calls are monitored | cloudtrail:ListTrails cloudtrail:DescribeTrails logs:DescribeMetricFilters |
| 28 | Ensure management console sign-in without MFA is monitored | cloudtrail:ListTrails cloudtrail:DescribeTrails logs:DescribeMetricFilters |
| 29 | Ensure usage of root account is monitored | cloudtrail:ListTrails cloudtrail:DescribeTrails logs:DescribeMetricFilters |
| 30 | Ensure IAM policy changes are monitored | cloudtrail:ListTrails cloudtrail:DescribeTrails logs:DescribeMetricFilters |
| 31 | Ensure CloudTrail configuration changes are monitored | cloudtrail:ListTrails cloudtrail:DescribeTrails logs:DescribeMetricFilters |
| 32 | Ensure AWS Management Console authentication failures are monitored | cloudtrail:ListTrails cloudtrail:DescribeTrails logs:DescribeMetricFilters |
| 33 | Ensure disabling or scheduled deletion of customer created CMKs is monitored | cloudtrail:ListTrails cloudtrail:DescribeTrails logs:DescribeMetricFilters |
| 34 | Ensure S3 bucket policy changes are monitored | cloudtrail:ListTrails cloudtrail:DescribeTrails logs:DescribeMetricFilters |
| 35 | Ensure AWS Config configuration changes are monitored | cloudtrail:ListTrails cloudtrail:DescribeTrails logs:DescribeMetricFilters |
| 36 | Ensure security group changes are monitored | cloudtrail:ListTrails cloudtrail:DescribeTrails logs:DescribeMetricFilters |
| 37 | Ensure Network Access Control Lists (NACL) changes are monitored | cloudtrail:ListTrails cloudtrail:DescribeTrails |
| 38 | Ensure changes to network gateways are monitored | cloudtrail:ListTrails cloudtrail:DescribeTrails logs:DescribeMetricFilters |
| 39 | Ensure route table changes are monitored | cloudtrail:ListTrails cloudtrail:DescribeTrails logs:DescribeMetricFilters |
| 40 | Ensure VPC changes are monitored | cloudtrail:ListTrails cloudtrail:DescribeTrails logs:DescribeMetricFilters |
| 41 | Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 | ec2:DescribeSecurityGroups |
| 42 | Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 | ec2:DescribeSecurityGroups |
| 43 | Ensure VPC flow logging is enabled in all VPCs | ec2:DescribeVpcs ec2:DescribeFlowLogs |
| 44 | Ensure the default security group of every VPC restricts all traffic | ec2:DescribeSecurityGroups |
| 45 | S3 Bucket Access Control List Grant Access to Everyone or Authenticated Users | s3:GetBucketPolicyStatus s3:GetBucketAcl s3:GetBucketPolicy s3:ListBucket s3:GetBucketLocation s3:GetBucketTagging |
| 46 | S3 Bucket Policy Grant Access to Everyone | s3:GetBucketPolicyStatus s3:GetBucketAcl s3:GetBucketPolicy s3:ListBucket s3:GetBucketLocation s3:GetBucketTagging |
| 47 | Ensure access logging is enabled for S3 buckets | s3:GetBucketLogging s3:ListBucket s3:GetBucketLocation s3:GetBucketTagging |
| 48 | Ensure versioning is enabled for S3 buckets | s3:GetBucketVersioning s3:ListBucket s3:GetBucketLocation s3:GetBucketTagging |
| 49 | Ensure a support role has been created to manage incidents with AWS Support | iam:ListPolicies iam:GetPolicyVersion iam:ListAttachedRolePolicies iam:ListAttachedUserPolicies iam:ListRolePolicies iam:ListUserPolicies |
| 50 | Ensure IAM policies that allow full *:* administrative privileges are not attached | iam:ListPolicies iam:GetPolicyVersion |
| 51 | Ensure that Public Accessibility is set to No for Database Instances | rds:DescribeDBInstances |
| 52 | Ensure DB snapshot is not publicly visible | rds:DescribeDBSnapshotAttributes rds:DescribeDBSnapshots |
| 53 | Ensure that encryption-at-rest is enabled for RDS Instances | rds:DescribeDBSnapshots |
| 54 | Ensure database Instance snapshot is encrypted | rds:DescribeDBSnapshots |
| 55 | Ensure Auto Minor Version Upgrade feature is Enabled for RDS Instances | rds:DescribeDBInstances |
| 56 | Ensure database Instance is not listening on a standard/default port | rds:DescribeDBInstances |
| 57 | Ensure S3 Bucket Policy is set to deny HTTP requests | s3:GetBucketAcl s3:GetBucketPolicy s3:ListBucket s3:GetBucketLocation s3:GetBucketTagging |
| 58 | Ensure that the key expiry is set for CMK with external key material | kms:DescribeKey kms:ListKeys |
| 59 | Ensure Block new public bucket policies for a bucket is set to true | s3:GetAccountPublicAccessBlock s3:GetBucketPublicAccessBlock s3:GetBucketPolicyStatus s3:GetBucketAcl s3:GetBucketPolicy s3:ListBucket s3:GetBucketLocation s3:GetBucketTagging |
| 60 | Ensure that Block public and cross-account access if bucket has public policies for bucket is set to true | s3:GetAccountPublicAccessBlock s3:GetBucketPublicAccessBlock s3:GetBucketPolicyStatus s3:GetBucketAcl s3:GetBucketPolicy s3:ListBucket s3:GetBucketLocation s3:GetBucketTagging |
| 61 | Ensure that Block new public ACLs and uploading public objects for a bucket is set to true | s3:GetAccountPublicAccessBlock s3:GetBucketPublicAccessBlock s3:GetBucketPolicyStatus s3:GetBucketAcl s3:GetBucketPolicy s3:ListBucket s3:GetBucketLocation s3:GetBucketTagging |
| 62 | Ensure that Remove public access granted through public ACLs for a bucket is set to true | s3:GetAccountPublicAccessBlock s3:GetBucketPublicAccessBlock s3:GetBucketPolicyStatus s3:GetBucketAcl s3:GetBucketPolicy s3:ListBucket s3:GetBucketLocation s3:GetBucketTagging |
| 63 | Ensure Block new public bucket policies for an account is set to true | s3:GetBucketPolicy s3:ListBucket s3:GetAccountPublicAccessBlock s3:GetBucketAcl s3:GetBucketPolicyStatus s3:GetBucketPublicAccessBlock |
| 64 | Ensure that Block public and cross-account access if bucket has public policies for the account is set to true | s3:GetBucketPolicy s3:ListBucket s3:GetAccountPublicAccessBlock s3:GetBucketAcl s3:GetBucketPolicyStatus s3:GetBucketPublicAccessBlock |
| 65 | Ensure that Block new public ACLs and uploading public objects for the account is set to true | s3:GetBucketPolicy s3:ListBucket s3:GetAccountPublicAccessBlock s3:GetBucketAcl s3:GetBucketPolicyStatus s3:GetBucketPublicAccessBlock |
| 66 | Ensure that Remove public access granted through public ACLs for the account is enabled | s3:GetBucketPolicy s3:ListBucket s3:GetAccountPublicAccessBlock s3:GetBucketAcl s3:GetBucketPolicyStatus s3:GetBucketPublicAccessBlock |
| 67 | Ensure all S3 buckets employ encryption-at-rest | s3:GetEncryptionConfiguration s3:ListBucket s3:GetBucketLocation s3:GetBucketTagging |
| 68 | Ensure all the expired SSL/TLS certificates stored in AWS IAM are removed | iam:ListPolicies iam:GetPolicyVersion iam:ListAttachedRolePolicies iam:ListAttachedUserPolicies iam:ListRolePolicies iam:ListUserPolicies |
| 69 | Ensure automated backups are enabled for RDS database instances | rds:DescribeDBInstances |
| 70 | Ensure Deletion Protection is enabled for RDS DB Cluster | rds:DescribeDBClusters |
| 71 | Ensure Deletion Protection is enabled for RDS Database instances | rds:DescribeDBInstances |
| 72 | Ensure IAM Database Authentication is Enabled for the DB Cluster | rds:DescribeDBClusters |
| 73 | Ensure IAM Database Authentication is Enabled for the DB Instances | rds:DescribeDBInstances |
| 74 | Ensure AWS RDS Log Exports is enabled for DB Cluster | rds:DescribeDBClusters |
| 75 | Ensure AWS RDS Log Exports is enabled for DB Instances | rds:DescribeDBInstances |
| 76 | Ensure RDS Database Master username is not set to well-known/default | rds:DescribeDBInstances |
| 77 | Ensure VPC security group attached to RDS Database Instance does not allow Inbound traffic from ANY source IP | rds:DescribeDBInstances |
| 78 | Ensure that public access is not given to RDS Instance | rds:DescribeDBInstances |
| 79 | Ensure RDS DB Clusters are not present in public subnets | ec2:DescribeRouteTables rds:DescribeDBSubnetGroups rds:DescribeDBClusters |
| 80 | Ensure Event Subscriptions for Instance Level Events is Enabled for DB Instances | rds:DescribeEventSubscriptions rds:DescribeDBInstances rds:ListTagsForResource |
| 81 | Ensure RDS Microsoft SQL instance enforces encrypted connections only | rds:DescribeDBInstances |
| 82 | Ensure RDS PostgreSQL instance enforces encrypted connections only | rds:DescribeDBInstances |
| 83 | Ensure RDS PostgreSQL Cluster enforces encrypted connections only | rds:DescribeDBInstances |
| 84 | Ensure Encryption is enabled for the RDS DB Cluster | rds:DescribeDBClusters |
| 85 | Ensure RDS DB Cluster snapshots are encrypted | rds:DescribeDBClusters |
| 86 | Ensure CMK is used to protect RDS DB Cluster encryption key | rds:DescribeDBClusters |
| 87 | Ensure CMK is used to protect RDS Db Instance encryption key | rds:DescribeDBInstances |
| 88 | Ensure DB instance replication is set to another Zone for High Availability | rds:DescribeDBInstances |
| 89 | Ensure DB Cluster replication is set to another Zone for High Availability | rds:DescribeDBClusters |
| 90 | Ensure RDS database Cluster snapshots are not public | rds:DescribeDBClusters |
| 91 | Ensure Enhanced monitoring is enabled for RDS Database Instance | rds:DescribeDBInstances |
| 92 | Ensure AWS RDS DB Cluster with copy tags to snapshots option is enabled | rds:ListTagsForResource rds:DescribeDBClusterSnapshotAttributes |
| 93 | Ensure AWS RDS instances with copy tags to snapshots option is enabled | rds:ListTagsForResource rds:DescribeDBSnapshotAttributes |
| 94 | Ensure Event Subscriptions for cluster Level Events is Enabled for DB Clusters | rds:DescribeEventSubscriptions rds:DescribeDBClusters |
| 95 | Ensure MYSQL DB Instance backup Binary logs configuration is not set to OFF | rds:DescribeDBInstances |
| 96 | Ensure backup configuration is enabled for MSSQL DB Instances | rds:DescribeDBInstances |
| 97 | Ensure that Lambda function has tracing enabled | lambda:ListFunctions lambda:ListTags lambda:ListVersionsByFunction lambda:GetFunctionConcurrency lambda:ListAliases lambda:ListEventSourceMappings iam:ListRolePolicies iam:GetRolePolicy iam:ListAttachedRolePolicies iam:GetPolicy iam:GetPolicyVersion iam:GetRole lambda:GetPolicy lambda:ListFunctionUrlConfigs |
| 98 | Ensure that Lambda Function is not using An IAM role for more than one Lambda Function | lambda:ListFunctions lambda:ListTags lambda:ListVersionsByFunction lambda:GetFunctionConcurrency lambda:ListAliases lambda:ListEventSourceMappings iam:ListRolePolicies iam:GetRolePolicy iam:ListAttachedRolePolicies iam:GetPolicy iam:GetPolicyVersion iam:GetRole |
| 99 | Ensure that Multiple Triggers are not configured in $Latest Lambda Function | lambda:ListFunctions lambda:ListTags lambda:ListVersionsByFunction lambda:GetFunctionConcurrency lambda:ListAliases lambda:ListEventSourceMappings iam:ListRolePolicies iam:GetRolePolicy iam:ListAttachedRolePolicies iam:GetPolicy iam:GetPolicyVersion iam:GetRole |
| 100 | Ensure that Lambda Runtime Version is latest and not custom | lambda:ListFunctions lambda:ListTags lambda:ListVersionsByFunction lambda:GetFunctionConcurrency lambda:ListAliases lambda:ListEventSourceMappings iam:ListRolePolicies iam:GetRolePolicy iam:ListAttachedRolePolicies iam:GetPolicy iam:GetPolicyVersion iam:GetRole |
| 101 | Ensure that Lambda function does not have Admin Privileges | lambda:ListFunctions lambda:ListTags lambda:ListVersionsByFunction lambda:GetFunctionConcurrency lambda:ListAliases lambda:ListEventSourceMappings iam:ListRolePolicies iam:GetRolePolicy iam:ListAttachedRolePolicies iam:GetPolicy iam:GetPolicyVersion iam:GetRole |
| 102 | Ensure that Lambda function does not have Cross Account Access | lambda:ListFunctions lambda:ListTags lambda:ListVersionsByFunction lambda:GetFunctionConcurrency lambda:ListAliases lambda:ListEventSourceMappings iam:ListRolePolicies iam:GetRolePolicy iam:ListAttachedRolePolicies iam:GetPolicy iam:GetPolicyVersion iam:GetRole |
| 103 | Ensure that Lambda Environment Variables at-rest are encrypted with CMK | lambda:ListFunctions lambda:ListTags lambda:ListVersionsByFunction lambda:GetFunctionConcurrency lambda:ListAliases lambda:ListEventSourceMappings iam:ListRolePolicies iam:GetRolePolicy iam:ListAttachedRolePolicies iam:GetPolicy iam:GetPolicyVersion iam:GetRole |
| 104 | Ensure that Lambda Environment Variables are encrypted using AWS encryption helpers for encryption in transit | lambda:ListFunctions lambda:ListTags lambda:ListVersionsByFunction lambda:GetFunctionConcurrency lambda:ListAliases lambda:ListEventSourceMappings iam:ListRolePolicies iam:GetRolePolicy iam:ListAttachedRolePolicies iam:GetPolicy iam:GetPolicyVersion iam:GetRole |
| 105 | Ensure that Lambda function does not allow anonymous invocation | lambda:ListFunctions lambda:ListTags lambda:ListVersionsByFunction lambda:GetFunctionConcurrency lambda:ListAliases lambda:ListEventSourceMappings iam:ListRolePolicies iam:GetRolePolicy iam:ListAttachedRolePolicies iam:GetPolicy iam:GetPolicyVersion iam:GetRole |
| 106 | Ensure that VPC access for Lambda Function is not set to default(Null) | ec2:DescribeRouteTables ec2:DescribeSecurityGroups lambda:ListFunctions lambda:ListTags lambda:ListVersionsByFunction lambda:GetFunctionConcurrency lambda:ListAliases lambda:ListEventSourceMappings iam:ListRolePolicies iam:GetRolePolicy iam:ListAttachedRolePolicies iam:GetPolicy iam:GetPolicyVersion iam:GetRole |
| 107 | Ensure that AWS Lambda excess Permissions are removed | iam:GetServiceLastAccessedDetails lambda:ListFunctions lambda:ListTags lambda:ListVersionsByFunction lambda:GetFunctionConcurrency lambda:ListAliases lambda:ListEventSourceMappings iam:ListRolePolicies iam:GetRolePolicy iam:ListAttachedRolePolicies iam:GetPolicy iam:GetPolicyVersion iam:GetRole |
| 108 | Ensure Version Upgrade is enabled for AWS Redshift clusters to automatically receive upgrades | redshift:DescribeClusterParameters redshift:DescribeClusters redshift:DescribeLoggingStatus |
| 109 | Ensure AWS Redshift clusters are not using default endpoint port | redshift:DescribeClusterParameters redshift:DescribeClusters redshift:DescribeLoggingStatus |
| 110 | Ensure AWS Redshift clusters are not publicly accessible | redshift:DescribeClusterParameters redshift:DescribeClusters redshift:DescribeLoggingStatus |
| 111 | Ensure AWS Redshift clusters master username is not set to well-known/default | redshift:DescribeClusterParameters redshift:DescribeClusters redshift:DescribeLoggingStatus |
| 112 | Ensure that AWS Redshift clusters encryption is set for data at rest | redshift:DescribeClusterParameters redshift:DescribeClusters redshift:DescribeLoggingStatus |
| 113 | Ensure audit logging is enabled for AWS Redshift clusters for security and troubleshooting purposes | redshift:DescribeClusterParameters redshift:DescribeClusters redshift:DescribeLoggingStatus |
| 114 | Ensure Images (AMIs) owned by an AWS account are not public | ec2:DescribeImages |
| 115 | Ensure that EBS Volumes attached to EC2 instances are encrypted | ec2:DescribeVolumes ec2:DescribeSnapshots |
| 116 | Ensure that Unattached EBS Volumes are encrypted | ec2:DescribeVolumes ec2:DescribeSnapshots |
| 117 | Ensure that RDS Instances certificates are rotated | rds:DescribeDBInstances |
| 118 | Ensure that DocumentDB Instances certificates are rotated | rds:DescribeDBInstances |
| 119 | Ensure no AWS default KMS Key is used to protect Secrets | secretsmanager:DescribeSecret secretsmanager:ListSecrets |
| 120 | Ensure No CMK is marked for deletion | kms:DescribeCustomKeyStores kms:GetKeyPolicy kms:GetKeyRotationStatus kms:ListKeys |
| 121 | Ensure only Root user of the AWS Account should be allowed full access on the CMK | kms:DescribeCustomKeyStores kms:GetKeyPolicy kms:GetKeyRotationStatus kms:ListKeys |
| 122 | Permissions to delete key is not granted to any Principal other than the Root user of AWS Account | kms:DescribeCustomKeyStores kms:GetKeyPolicy kms:GetKeyRotationStatus kms:ListKeys |
| 123 | Ensure CMK administrators are not the user of the key | kms:DescribeCustomKeyStores kms:GetKeyPolicy kms:GetKeyRotationStatus kms:ListKeys |
| 124 | Ensure all Custom key stores are connected to their CloudHSM clusters | kms:DescribeCustomKeyStores |
| 125 | Ensure that multiple triggers are not configured for Lambda Function Aliases | lambda:ListFunctions lambda:ListTags lambda:ListVersionsByFunction lambda:GetFunctionConcurrency lambda:ListAliases lambda:ListEventSourceMappings iam:ListRolePolicies iam:GetRolePolicy iam:ListAttachedRolePolicies iam:GetPolicy iam:GetPolicyVersion iam:GetRole |
| 126 | Ensure AMIs owned by an AWS account are encrypted | ec2:DescribeImages |
| 127 | Ensure AWS EBS Volume snapshots are encrypted | ec2:DescribeSnapshots |
| 128 | Ensure access log is enabled for Application load balancer | elasticloadbalancing:DescribeLoadBalancerAttributes elasticloadbalancing:DescribeLoadBalancers |
| 129 | Ensure access log is enabled for Classic Elastic load balancer | elasticloadbalancing:DescribeLoadBalancerAttributes elasticloadbalancing:DescribeLoadBalancers |
| 130 | Ensure Classic Elastic load balancer is not using unencrypted protocol | elasticloadbalancing:DescribeLoadBalancers |
| 131 | Ensure Elastic load balancer listener is not using unencrypted protocol | elasticloadbalancing:DescribeListeners elasticloadbalancing:DescribeLoadBalancers wafv2:GetWebACLForResource acm:ListCertificates |
| 132 | Ensure DocumentDB database cluster master username is not set to well-known/default | rds:DescribeDBClusters |
| 133 | Ensure backup retention is set to minimum of 7 days for DocumentDB clusters | rds:DescribeDBClusters |
| 134 | Ensure audit logs is enabled for Log export to CloudWatch for DocumentDB clusters | rds:DescribeDBClusters |
| 135 | Ensure deletion protection is enabled for DocumentDB clusters | rds:DescribeDBClusters |
| 136 | Ensure DocumentDB Cluster is not listening on default port | rds:DescribeDBClusters |
| 137 | Ensure multi-AZ high availability is enabled for neptune DB | rds:DescribeDBClusters |
| 138 | Ensure neptune DB is not listening on default port | rds:DescribeDBClusters |
| 139 | Ensure IAM DB authentication is enabled for neptune database | rds:DescribeDBClusters |
| 140 | Ensure backup retention is set to minimum of 7 days for neptune database | rds:DescribeDBClusters |
| 141 | Ensure Audit logs is enabled for log exports to cloudwatch for neptune database | rds:DescribeDBClusters |
| 142 | Ensure Auto minor version upgrade is enabled for neptune database | rds:DescribeDBClusters |
| 143 | Ensure deletion protection is enabled for neptune DB | rds:DescribeDBClusters |
| 144 | Ensure EFS Encryption is enabled for data at rest | elasticfilesystem:DescribeFileSystems |
| 145 | Ensure EFS File system resource is encrypted by KMS using a customer managed Key (CMK) | elasticfilesystem:DescribeFileSystems |
| 146 | Ensure that AWS Elastic Block Store (EBS) volume snapshots are not public | ec2:DescribeSnapshots ec2:DescribeSnapshotAttribute |
| 147 | Ensure that AWS ElastiCache Memcached clusters are not associated with default VPC | elasticache:DescribeCacheClusters elasticache:DescribeCacheSubnetGroups elasticache:DescribeReplicationGroups |
| 148 | Ensure that AWS ElastiCache Redis clusters are not associated with default VPC | elasticache:DescribeCacheClusters elasticache:DescribeCacheSubnetGroups elasticache:DescribeReplicationGroups |
| 149 | Ensure that AWS ElastiCache redis clusters are not using their default endpoint ports | elasticache:DescribeCacheClusters elasticache:DescribeCacheSubnetGroups elasticache:DescribeReplicationGroups |
| 150 | Ensure that AWS ElastiCache memcached clusters are not using their default endpoint ports | elasticache:DescribeCacheClusters elasticache:DescribeCacheSubnetGroups elasticache:DescribeReplicationGroups |
| 151 | Ensure AWS ElastiCache Redis cluster with Multi-AZ Automatic Failover feature is set to enabled | elasticache:DescribeCacheClusters elasticache:DescribeCacheSubnetGroups elasticache:DescribeReplicationGroups |
| 152 | Ensure AWS ElastiCache Redis cluster with Redis AUTH feature is enabled | elasticache:DescribeCacheClusters elasticache:DescribeCacheSubnetGroups elasticache:DescribeReplicationGroups |
| 153 | Ensure that AWS ElastiCache Redis clusters are In-Transit encrypted | elasticache:DescribeCacheClusters elasticache:DescribeCacheSubnetGroups elasticache:DescribeReplicationGroups |
| 154 | Ensure that AWS ElastiCache Redis clusters are Data At-Rest encrypted | elasticache:DescribeCacheClusters elasticache:DescribeCacheSubnetGroups elasticache:DescribeReplicationGroups |
| 155 | Ensure that AWS ElastiCache Redis clusters are Data At-Rest encrypted with CMK | elasticache:DescribeCacheClusters elasticache:DescribeCacheSubnetGroups elasticache:DescribeReplicationGroups |
| 156 | Ensure node-to-node encryption feature is enabled for AWS Elasticsearch Service domains | es:DescribeDomains es:DescribeElasticsearchDomain es:DescribeElasticsearchDomains es:ListDomainNames |
| 157 | Ensure AWS Elasticsearch Service domains have enabled the support for publishing slow logs to AWS CloudWatch Logs | es:DescribeDomains es:DescribeElasticsearchDomain es:DescribeElasticsearchDomains es:ListDomainNames |
| 158 | Ensure AWS Elasticsearch Service domains are not publicly accessible | es:DescribeDomains es:DescribeElasticsearchDomain es:DescribeElasticsearchDomains es:ListDomainNames |
| 159 | Ensure AWS Elasticsearch Service domains are using the latest version of Elasticsearch engine | es:DescribeDomains es:DescribeElasticsearchDomain es:DescribeElasticsearchDomains es:ListDomainNames |
| 160 | Ensure that IAM Access analyzer is enabled for all regions | access-analyzer:ListAnalyzers |
| 161 | Ensure no Network ACLs allow ingress from 0.0.0.0/0 to port 22 | ec2:DescribeNetworkAcls |
| 162 | Ensure AWS Route 53 Registered domain has Transfer lock enabled | route53:ListHostedZones route53domains:ListDomains |
| 163 | Ensure AWS Route 53 Registered domain has Auto renew Enabled | route53:ListHostedZones route53domains:ListDomains |
| 164 | Ensure AWS Route 53 Registered domain is not expired | route53:ListHostedZones route53domains:ListDomains |
| 165 | Ensure AWS Kinesis Data Firehose delivery stream with Direct PUT and other sources as source has Server-side encryption configured | kinesis:DescribeStream kinesis:ListStreams |
| 166 | Ensure AWS Kinesis Data Firehose delivery stream with Kinesis Data stream as source has Server-side encryption configured | kinesis:DescribeStream kinesis:ListStreams |
| 167 | Ensure AWS Kinesis Data Firehose delivery stream with Direct PUT and other sources as source has Server-side encryption configured with KMS Customer Managed Keys | kinesis:DescribeStream kinesis:ListStreams |
| 168 | Ensure AWS Kinesis Data Firehose delivery stream with Kinesis Data stream as source has Server-side encryption configured with KMS Customer Managed Keys | kinesis:DescribeStream kinesis:ListStreams |
| 169 | Ensure DynamoDB tables are encrypted using KMS Customer managed Keys | dynamodb:DescribeGlobalTable dynamodb:DescribeTable dynamodb:ListGlobalTables dynamodb:ListTables |
| 170 | Ensure no Network ACLs allow ingress from 0.0.0.0/0 to port 3389 | ec2:DescribeNetworkAcls |
| 171 | Ensure there is only one active access key available for any single IAM user | iam:GenerateCredentialReport iam:GetCredentialReport |
| 172 | Ensure AWS Organizations changes are monitored | cloudtrail:ListTrails |
| 173 | Ensure DynamoDB tables are not configured using DEFAULT encryption | dynamodb:DescribeGlobalTable dynamodb:DescribeTable dynamodb:ListGlobalTables dynamodb:ListTables |
| 174 | Ensure that Customer managed KMS keys use external key material | kms:DescribeCustomKeyStores kms:GetKeyPolicy kms:GetKeyRotationStatus kms:ListKeys |
| 175 | Ensure no Inline Policies are attached to IAM Users directly | iam:ListPolicies iam:GetPolicyVersion iam:ListAttachedRolePolicies iam:ListAttachedUserPolicies iam:ListRolePolicies iam:ListUserPolicies |
| 176 | Ensure no Managed Policies are attached to IAM Users directly | iam:ListPolicies iam:GetPolicyVersion iam:ListAttachedRolePolicies iam:ListAttachedUserPolicies iam:ListRolePolicies iam:ListUserPolicies |
| 177 | Ensure that Object-level logging for write events is enabled for S3 bucket | s3:ListBucket s3:GetBucketLogging |
| 178 | Ensure that Object-level logging for read events is enabled for S3 bucket | s3:ListBucket s3:GetBucketLogging |
| 179 | Ensure MFA is enabled in AWS Directory | workspaces:DescribeWorkspaceDirectories workspaces:DescribeWorkspaces |
| 180 | Ensure QLDB ledger has deletion protection enabled | qldb:DescribeLedger qldb:ListLedgers |
| 181 | Ensure proper protocol is configured for Radius server in AWS Directory | workspaces:DescribeWorkspaceDirectories workspaces:DescribeWorkspaces |
| 182 | Ensure SNS Topics do not Allow Everyone to Publish | sns:GetTopicAttributes sns:ListTopics |
| 183 | Ensure SNS Topics do not Allow Everyone to Subscribe | sns:GetTopicAttributes sns:ListTopics |
| 184 | Ensure there are no Internet facing Application load balancers | elasticloadbalancing:DescribeLoadBalancers |
| 185 | Ensure ALB using listener type HTTPS must have SSL Security Policy | elasticloadbalancing:DescribeListeners elasticloadbalancing:DescribeLoadBalancers |
| 186 | Ensure that ALB using listener type HTTP must be redirected to HTTPS | elasticloadbalancing:DescribeListeners elasticloadbalancing:DescribeLoadBalancers |
| 187 | Ensure that ALB listeners have HTTPS enabled Target Groups | elasticloadbalancing:DescribeTargetGroups elasticloadbalancing:DescribeLoadBalancers |
| 188 | Ensure IncreaseVolumeSize is Disabled for Workspace directories in all regions | workspaces:DescribeWorkspaceDirectories workspaces:DescribeWorkspaces |
| 189 | Ensure Automated backup retention is set for Redshift Cluster | redshift:DescribeClusterParameters redshift:DescribeClusters redshift:DescribeLoggingStatus |
| 190 | Ensure Redshift Cluster is configured to require an SSL connection | redshift:DescribeClusterParameters redshift:DescribeClusters redshift:DescribeLoggingStatus |
| 191 | Ensure database audit logging is enabled for Redshift Cluster | redshift:DescribeClusterParameters redshift:DescribeClusters redshift:DescribeLoggingStatus |
| 192 | Ensure Redshift Cluster is encrypted with KMS key | redshift:DescribeClusterParameters redshift:DescribeClusters redshift:DescribeLoggingStatus |
| 193 | Ensure that NLB balancer listener is not using unencrypted protocol | elasticloadbalancing:DescribeListeners elasticloadbalancing:DescribeLoadBalancers |
| 194 | Ensure that Classic Elastic load balancer is not internet facing | elasticloadbalancing:DescribeLoadBalancers |
| 195 | Ensure Classic Elastic Load balancer must have SSL Security Policy | elasticloadbalancing:DescribeLoadBalancers |
| 196 | Ensure AWS VPC subnets have automatic public IP assignment disabled | ec2:DescribeSubnets |
| 197 | Ensure to encrypt the User Volumes and Root Volumes with the customer managed master keys for AWS WorkSpace | workspaces:DescribeWorkspaces kms:DescribeKey |
| 198 | Ensure Workspace directory must have a vpc endpoint so that the API traffic associated with the management of workspaces stays within the vpc | iam:GenerateCredentialReport iam:GetCredentialReport |
| 199 | Ensure not to setup access keys during initial user setup for all IAM users that have a console password | iam:GenerateCredentialReport iam:GetCredentialReport |
| 200 | Ensure to log state machine execution history to CloudWatch Logs | states:ListStateMachines states:DescribeStateMachine |
| 201 | Ensure RDS Instance should not have an Interface open to a public scope | rds:DescribeDBInstances |
| 202 | Ensure to update the Security Policy of the Network Load Balancer | elasticloadbalancing:DescribeListeners elasticloadbalancing:DescribeLoadBalancers wafv2:GetWebACLForResource acm:ListCertificates |
| 203 | Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK) | kms:DescribeKey ec2:DescribeVolumes ec2:DescribeSnapshots |
| 204 | Ensure AWS EBS Volume snapshots are encrypted with KMS using a customer managed Key (CMK) | kms:DescribeKey ec2:DescribeVolumes ec2:DescribeSnapshots |
| 205 | Ensure RestartWorkspace is Enabled for Directories in all regions | workspaces:DescribeWorkspaceDirectories workspaces:DescribeWorkspaces |
| 206 | Ensure that DocumentDB Cluster Snapshots are encrypted | rds:DescribeDBClusterSnapshots |
| 207 | Ensure that DocumentDB Cluster Snapshots are not public | rds:DescribeDBClusterSnapshots rds:DescribeDBClusterSnapshotAttributes |
| 208 | Ensure WorkDocs is not enabled in Workspace Directories | workspaces:DescribeWorkspaceDirectories workspaces:DescribeWorkspaces |
| 209 | Ensure Access to Internet is not enabled in Workspace Directories | workspaces:DescribeWorkspaceDirectories workspaces:DescribeWorkspaces |
| 210 | Ensure Local Administrator setting is not enabled in Workspace Directories | workspaces:DescribeWorkspaceDirectories workspaces:DescribeWorkspaces |
| 211 | Ensure Maintenance Mode is not enabled in Workspace Directories | workspaces:DescribeWorkspaceDirectories workspaces:DescribeWorkspaces |
| 212 | Ensure Device Type Windows Access Control is allowed in Workspace Directories | workspaces:DescribeWorkspaceDirectories workspaces:DescribeWorkspaces |
| 213 | Ensure Device Type MacOS Access Control is allowed in Workspace Directories | workspaces:DescribeWorkspaceDirectories workspaces:DescribeWorkspaces |
| 214 | Ensure Device Type Web Access Control is allowed in Workspace Directories | workspaces:DescribeWorkspaceDirectories workspaces:DescribeWorkspaces |
| 215 | Ensure Device Type iOS Access Control is allowed in Workspace Directories | workspaces:DescribeWorkspaceDirectories workspaces:DescribeWorkspaces |
| 216 | Ensure Device Type Android Access Control is allowed in Workspace Directories | workspaces:DescribeWorkspaceDirectories workspaces:DescribeWorkspaces |
| 217 | Ensure Device Type ChromeOS Access Control is allowed in Workspace Directories | workspaces:DescribeWorkspaceDirectories workspaces:DescribeWorkspaces |
| 218 | Ensure Device Type ZeroClient Access Control is allowed in Workspace Directories | workspaces:DescribeWorkspaceDirectories workspaces:DescribeWorkspaces |
| 219 | Ensure Neptune DB snapshots are encrypted | rds:DescribeDBClusterSnapshots |
| 220 | Ensure Neptune DB snapshots are not public | rds:DescribeDBClusterSnapshotAttributes rds:DescribeDBClusterSnapshots |
| 221 | Ensure ChangeComputeType is Disabled in all regions for Workspace Directories | workspaces:DescribeWorkspaceDirectories workspaces:DescribeWorkspaces |
| 222 | Ensure SwitchRunningMode is Disabled in all regions for Workspace Directories | workspaces:DescribeWorkspaceDirectories workspaces:DescribeWorkspaces |
| 223 | Ensure RebuildWorkspace is Disabled in all regions for Workspace Directories | workspaces:DescribeWorkspaceDirectories workspaces:DescribeWorkspaces |
| 224 | Ensure only AD Connector directory type is allowed for AWS Directories | workspaces:DescribeWorkspaceDirectories workspaces:DescribeWorkspaces |
| 225 | Ensure root volume encryption is enabled for WorkSpaces in all regions | workspaces:DescribeWorkspaceDirectories workspaces:DescribeWorkspaces |
| 226 | Ensure user volume encryption is enabled for WorkSpaces in all regions | workspaces:DescribeWorkspaceDirectories workspaces:DescribeWorkspaces |
| 227 | Ensure Amazon API Gateway APIs are only accessible through private API endpoints in all regions | apigateway:GET |
| 228 | Ensure default route table association is disabled for Transit Gateways in all regions | ec2:DescribeTransitGateways |
| 229 | Ensure default route table propagation is disabled for Transit Gateways in all regions | ec2:DescribeTransitGateways |
| 230 | Ensure AWS Config is enabled to record all resource types | config:DescribeConfigurationRecorders config:DescribeDeliveryChannels |
| 231 | Ensure AWS Config records global resources such as IAM | config:DescribeConfigurationRecorders config:DescribeDeliveryChannels |
| 232 | Ensure a data retention period is configured for AWS Config configuration items | config:DescribeConfigurationRecorders config:DescribeDeliveryChannels |
| 233 | Ensure an S3 bucket is configured to hold the details of the resources that AWS Config records | config:DescribeConfigurationRecorders config:DescribeDeliveryChannels |
| 234 | Ensure the certificate provider type is set to Custom in the EMR security configuration | elasticmapreduce:DescribeCluster elasticmapreduce:DescribeSecurityConfiguration elasticmapreduce:ListClusters |
| 235 | Ensure in-transit encryption is enabled in the EMR security configuration | elasticmapreduce:DescribeCluster elasticmapreduce:DescribeSecurityConfiguration elasticmapreduce:ListClusters |
| 236 | Ensure that all AWS Systems Manager (SSM) parameters are encrypted | ssm:DescribeParameters |
| 237 | Ensure termination protection is enabled for EMR cluster | elasticmapreduce:DescribeCluster elasticmapreduce:DescribeSecurityConfiguration elasticmapreduce:ListClusters |
| 238 | Ensure ACM uses imported certificates only and does not create/issue certificates | acm:DescribeCertificate acm:ListCertificates |
| 239 | Ensure expired certificates are removed from AWS ACM | acm:DescribeCertificate acm:ListCertificates |
| 240 | Ensure ACM certificates do not have wildcard (*) domain names | acm:DescribeCertificate acm:ListCertificates |
| 241 | Ensure that ACM certificates use appropriate algorithms and key sizes | acm:DescribeCertificate acm:ListCertificates |
| 242 | Ensure logging is not set to OFF for REST API stages in all regions | apigateway:GET |
| 243 | Ensure cache data is encrypted when caching is enabled for REST API stages in all regions | apigateway:GET |
| 244 | Ensure accessLogSettings is configured with a destinationArn and a JSON log format for REST API stages in all regions | apigateway:GET |
| 245 | Ensure there are no internet-facing Network Load Balancers | elasticloadbalancing:DescribeLoadBalancers |
| 246 | Ensure NLB TLS listeners have an SSL security policy | elasticloadbalancing:DescribeListeners elasticloadbalancing:DescribeLoadBalancers |
| 247 | Ensure that NLB listeners using TLS have TLS enabled Target Groups configured | elasticloadbalancing:DescribeTargetGroups elasticloadbalancing:DescribeLoadBalancers |
| 248 | Ensure that NLB listeners using default insecure ports are not configured for passthrough | elasticloadbalancing:DescribeListeners elasticloadbalancing:DescribeLoadBalancers |
| 249 | Ensure AWS NLB logging is enabled | elasticloadbalancing:DescribeLoadBalancerAttributes elasticloadbalancing:DescribeLoadBalancers |
| 250 | Ensure AWS RDS instances are not open to a large scope | rds:DescribeDBInstances |
| 251 | Ensure QLDB ledgers have encryption enabled using an accessible customer managed KMS key | qldb:DescribeLedger qldb:ListLedgers |
| 252 | Ensure data in transit is encrypted when NFS is used between clients and the EFS service | elasticfilesystem:DescribeFileSystems |
| 253 | Ensure AWS Security Hub is enabled in all regions | securityhub:DescribeHub |
| 254 | Ensure that backup retention is set between 3 and 7 days for Aurora PostgreSQL clusters | rds:DescribeDBClusters |
| 255 | Ensure MFA Delete is enabled on S3 buckets | s3:GetBucketVersioning s3:ListBucket s3:GetBucketTagging s3:GetBucketLocation |
| 256 | Ensure a CloudTrail trail is configured at the organization level | cloudtrail:ListTrails |
| 257 | Ensure status of the log_destination parameter for PostgreSQL instance is set to csvlog | rds:DescribeDBParameters |
| 258 | Ensure status of the log_rotation_age parameter for PostgreSQL instance is set to 60(minutes) | rds:DescribeDBParameters |
| 259 | Ensure status of the log_connections parameter for PostgreSQL instance is set to ON(1) | rds:DescribeDBParameters |
| 260 | Ensure status of the log_disconnections parameter for PostgreSQL instance is set to ON(1) | rds:DescribeDBParameters |
| 261 | Ensure status of the log_hostname parameter for PostgreSQL instance is set to OFF(0) | rds:DescribeDBParameters |
| 262 | Ensure status of the log_statement parameter for PostgreSQL instance is set to ddl or stricter | rds:DescribeDBParameters |
| 263 | Ensure status of the pgaudit.log parameter for PostgreSQL instance is set to appropriate value | rds:DescribeDBParameters |
| 264 | Ensure each trail includes the global services | cloudtrail:ListTrails |
| 265 | Ensure status of the log_destination parameter for Aurora PostgreSQL cluster is set to csvlog | rds:DescribeDBClusterParameters |
| 266 | Ensure status of the log_rotation_age parameter for Aurora PostgreSQL cluster is set to 60(minutes) | rds:DescribeDBClusterParameters |
| 267 | Ensure status of the log_connections parameter for Aurora PostgreSQL cluster is set to ON(1) | rds:DescribeDBClusterParameters |
| 268 | Ensure status of the log_disconnections parameter for Aurora PostgreSQL cluster is set to ON(1) | rds:DescribeDBClusterParameters |
| 269 | Ensure status of the log_hostname parameter for Aurora PostgreSQL cluster is set to OFF(0) | rds:DescribeDBClusterParameters |
| 270 | Ensure status of the log_statement parameter for Aurora PostgreSQL cluster is set to ddl or stricter | rds:DescribeDBClusterParameters |
| 271 | Ensure status of the pgaudit.log parameter for Aurora PostgreSQL cluster is set to appropriate value | rds:DescribeDBClusterParameters |
| 272 | Ensure KMS events are logged to the trail | cloudtrail:ListTrails |
| 273 | Ensure block public access is enabled for EMR clusters so that no port is publicly reachable | elasticmapreduce:DescribeCluster elasticmapreduce:DescribeSecurityConfiguration elasticmapreduce:ListClusters |
| 285 | Ensure all data stored in the Elasticsearch is securely encrypted at rest | es:DescribeDomains es:DescribeElasticsearchDomain es:DescribeElasticsearchDomains es:ListDomainNames |
| 286 | Ensure all data stored in the Launch configuration EBS is securely encrypted | autoscaling:DescribeLaunchConfigurations |
| 288 | Ensure SageMaker Notebook is encrypted at rest using KMS CMK | sagemaker:DescribeNotebookInstance sagemaker:ListNotebookInstances |
| 289 | Ensure every security group rule has a description | ec2:DescribeSecurityGroups |
| 291 | Ensure SQS queues have encryption at rest enabled | sqs:GetQueueAttributes sqs:ListQueues |
| 292 | Ensure DynamoDB point-in-time recovery (backup) is enabled | dynamodb:DescribeBackup dynamodb:DescribeContinuousBackups |
| 293 | Ensure ECR repository policy is not set to public | ecr:GetRepositoryPolicy ecr:DescribeRepositories |
| 294 | Ensure Customer managed KMS key policy does not contain wildcard (*) principal | kms:DescribeCustomKeyStores kms:GetKeyPolicy kms:GetKeyRotationStatus kms:ListKeys |
| 295 | Ensure CloudFront distribution ViewerProtocolPolicy is set to HTTPS | cloudfront:GetDistribution cloudfront:ListDistributions |
| 302 | Ensure DAX is encrypted at rest (default is unencrypted) | dax:DescribeClusters |
| 303 | Ensure MQ Broker logging is enabled | mq:DescribeBroker mq:ListBrokers |
| 305 | Ensure ECR Image Tags are immutable | ecr:DescribeRepositories ecr:GetRepositoryPolicy |
| 312 | Ensure container insights are enabled on ECS cluster | ecs:DescribeClusters ecs:DescribeTaskDefinition ecs:ListClusters ecs:ListTaskDefinitions |
| 313 | Ensure CloudWatch Log Group has a retention period set to 7 days or greater | logs:DescribeLogGroups |
| 314 | Ensure that CloudFront Distribution has WAF enabled | cloudfront:GetDistribution cloudfront:ListDistributions |
| 315 | Ensure MQ Broker is not publicly exposed | mq:DescribeBroker mq:ListBrokers |
| 318 | Ensure API Gateway has X-Ray Tracing enabled | apigateway:GET |
| 319 | Ensure Global Accelerator has flow logs enabled | globalaccelerator:DescribeAccelerator globalaccelerator:DescribeAcceleratorAttributes globalaccelerator:ListAccelerators |
| 321 | Ensure that CodeBuild Project encryption is not disabled | codebuild:BatchGetProjects codebuild:ListProjects |
| 322 | Ensure that EC2 Metadata Service only allows IMDSv2 | ec2:DescribeInstances |
| 323 | Ensure MSK Cluster logging is enabled | kafka:ListClusters |
| 324 | Ensure MSK Cluster encryption at rest and in transit is enabled | kafka:ListClusters |
| 325 | Ensure Athena Workgroups enforce configuration to prevent client disabling encryption | athena:GetWorkGroup athena:ListWorkGroups |
| 326 | Ensure Elasticsearch Domain enforces HTTPS | es:DescribeDomains es:DescribeElasticsearchDomain es:DescribeElasticsearchDomains es:ListDomainNames |
| 327 | Ensure CloudFront distribution has access logging enabled | cloudfront:GetDistribution cloudfront:ListDistributions |
| 328 | Ensure that EC2 instances have no public IP | ec2:DescribeInstances |
| 329 | Ensure that DMS replication instance is not publicly accessible | dms:DescribeReplicationInstances |
| 330 | Ensure DocDB TLS is not disabled | rds:DescribeDBClusters |
| 332 | Ensure Glue Data Catalog Encryption is enabled with SSE-KMS with customer-managed keys | glue:GetDataCatalogEncryptionSettings kms:DescribeKey |
| 333 | Ensure all data stored in Aurora is securely encrypted at rest | rds:DescribeDBClusters |
| 334 | Ensure all data stored in the Sagemaker Endpoint is securely encrypted at rest | sagemaker:DescribeEndpoint sagemaker:DescribeEndpointConfig sagemaker:ListEndpoints |
| 338 | Ensure that load balancer is using TLS 1.2 or above | elasticloadbalancing:DescribeListeners elasticloadbalancing:DescribeLoadBalancers wafv2:GetWebACLForResource acm:ListCertificates |
| 339 | Ensure EBS default encryption is enabled with customer managed key | kms:DescribeKey |
| 342 | Ensure that EMR clusters with Kerberos have Kerberos Realm set | elasticmapreduce:DescribeCluster elasticmapreduce:ListClusters |
| 343 | Ensure that AWS Lambda function is configured for function-level concurrent execution limit | lambda:ListFunctions lambda:ListTags lambda:ListVersionsByFunction lambda:GetFunctionConcurrency lambda:ListAliases lambda:ListEventSourceMappings iam:ListRolePolicies iam:GetRolePolicy iam:ListAttachedRolePolicies iam:GetPolicy iam:GetPolicyVersion iam:GetRole lambda:GetPolicy lambda:ListFunctionUrlConfigs |
| 344 | Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ) | lambda:ListFunctions lambda:ListTags lambda:ListVersionsByFunction lambda:GetFunctionConcurrency lambda:ListAliases lambda:ListEventSourceMappings iam:ListRolePolicies iam:GetRolePolicy iam:ListAttachedRolePolicies iam:GetPolicy iam:GetPolicyVersion iam:GetRole lambda:GetPolicy lambda:ListFunctionUrlConfigs |
| 346 | Ensure Network Load Balancers have a security group attached | elasticloadbalancing:DescribeLoadBalancers |
| 347 | Ensure that direct internet access is disabled for an Amazon SageMaker Notebook Instance | sagemaker:DescribeNotebookInstance sagemaker:ListNotebookInstances |
| 348 | Ensure that VPC Endpoint Service is configured for Manual Acceptance | ec2:DescribeVpcEndpointServices |
| 349 | Ensure that CloudFormation stacks are sending event notifications to an SNS topic | cloudformation:DescribeStacks cloudformation:GetStackPolicy cloudformation:ListStacks |
| 350 | Ensure that detailed monitoring is enabled for EC2 instances | ec2:DescribeInstances |
| 351 | Ensure that Elastic Load Balancers use SSL certificates provided by AWS Certificate Manager | elasticloadbalancing:DescribeListeners elasticloadbalancing:DescribeLoadBalancers |
| 354 | Ensure that ALB drops HTTP headers | elasticloadbalancing:DescribeLoadBalancerAttributes elasticloadbalancing:DescribeLoadBalancers |
| 355 | Ensure Trail is configured to log data events for S3 buckets | cloudtrail:ListTrails |
| 357 | Ensure that EC2 is EBS optimized | ec2:DescribeInstances |
| 358 | Ensure that ECR repositories are encrypted using KMS | ecr:DescribeRepositories ecr:GetRepositoryPolicy |
| 359 | Ensure that Elasticsearch is configured inside a VPC | es:DescribeDomains es:DescribeElasticsearchDomain es:DescribeElasticsearchDomains es:ListDomainNames |
| 360 | Ensure that ELB has cross-zone-load-balancing enabled | elasticloadbalancing:DescribeLoadBalancerAttributes elasticloadbalancing:DescribeLoadBalancers |
| 366 | Ensure that Secrets Manager secret is encrypted using KMS using a customer managed Key (CMK) | secretsmanager:DescribeSecret secretsmanager:ListSecrets |
| 367 | Ensure that Load Balancer has deletion protection enabled | elasticloadbalancing:DescribeLoadBalancerAttributes elasticloadbalancing:DescribeLoadBalancers |
| 369 | Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled | elasticloadbalancing:DescribeLoadBalancerAttributes elasticloadbalancing:DescribeLoadBalancers |
| 370 | Ensure that Auto Scaling Groups supply tags to Launch Configurations | autoscaling:DescribeAutoScalingGroups |
| 371 | Ensure Redshift is not deployed outside of a VPC | redshift:DescribeClusterParameters redshift:DescribeClusters redshift:DescribeLoggingStatus |
| 373 | Ensure CloudWatch log groups are encrypted | logs:DescribeLogGroups |
| 374 | Ensure that Athena Workgroup is encrypted | athena:GetWorkGroup athena:ListWorkGroups |
| 377 | Ensure ECR image scanning on push is enabled | ecr:DescribeRepositories ecr:GetRepositoryPolicy |
| 378 | Ensure Transfer Server is not exposed publicly | transfer:DescribeServer transfer:ListServers |
| 379 | Ensure S3 buckets do not grant WRITE permission for server access logs to everyone | s3:GetBucketPolicyStatus s3:GetBucketAcl s3:GetBucketPolicy s3:ListBucket s3:GetBucketTagging s3:GetBucketLocation |
| 380 | Ensure Backup Vault is encrypted at rest using KMS CMK | backup:DescribeBackupVault backup:ListBackupVaults |
| 381 | Ensure Glacier Vault access policy is not public by only allowing specific services or principals to access it | glacier:ListVaults |
| 382 | Ensure SQS queue policy is not public by only allowing specific services or principals to access it | sqs:GetQueueAttributes sqs:ListQueues |
| 383 | Ensure SNS topic policy is not public by only allowing specific services or principals to access it | sns:GetTopicAttributes sns:ListTopics |
| 384 | Ensure QLDB ledger permissions mode is set to STANDARD | qldb:DescribeLedger qldb:ListLedgers |
| 385 | Ensure that EMR Cluster security configuration encryption is using SSE-KMS | elasticmapreduce:DescribeCluster elasticmapreduce:DescribeSecurityConfiguration elasticmapreduce:ListClusters |
| 386 | Ensure that all NACLs are attached to subnets | ec2:DescribeNetworkAcls |
| 387 | Ensure GuardDuty is enabled to specific org/region | guardduty:GetDetector guardduty:ListDetectors |
| 388 | Ensure API Gateway stage have logging level defined as appropriate and have metrics enabled | apigateway:GET |
| 393 | Ensure the option group attached to the RDS Oracle instance has TLSv1.2 and the required ciphers configured | rds:DescribeDBInstances rds:DescribeOptionGroups |
| 395 | Ensure that Auto Scaling Groups that are associated with a Load Balancer are using Elastic Load Balancing health checks | autoscaling:DescribeAutoScalingGroups |
| 396 | Ensure that Auto Scaling is enabled on your DynamoDB tables | application-autoscaling:DescribeScalableTargets |
| 398 | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | ec2:DescribeAddresses |
| 399 | Ensure that all IAM users are members of at least one IAM group | iam:ListUsers iam:ListGroups |
| 400 | Ensure an IAM User does not have access to the console | iam:GenerateCredentialReport iam:GetCredentialReport |
| 401 | Ensure each Route 53 A record has an attached resource | route53:ListHostedZones route53domains:ListDomains route53:GetDNSSEC route53:GetHostedZone route53:ListQueryLoggingConfigs route53:ListResourceRecordSets route53domains:GetDomainDetail |
| 402 | Ensure that PostgreSQL RDS instances have Query Logging enabled | rds:DescribeDBInstances |
| 403 | Ensure public facing ALB are protected by WAF | wafv2:GetWebACLForResource elasticloadbalancing:DescribeLoadBalancers |
| 407 | Ensure all data stored in the ElastiCache replication group is securely encrypted in transit and has an auth token | elasticache:DescribeCacheClusters elasticache:DescribeCacheSubnetGroups elasticache:DescribeReplicationGroups |
| 409 | Ensure that ssl_max_protocol_version parameter for Aurora PostgreSQL cluster is set to latest version | rds:DescribeDBClusterParameters |
| 410 | Ensure that ssl_min_protocol_version parameter for Aurora PostgreSQL cluster is set to latest version | rds:DescribeDBClusterParameters |
| 411 | Ensure that a log driver has been defined for each active Amazon ECS task definition | ecs:DescribeClusters ecs:DescribeTaskDefinition ecs:ListClusters ecs:ListTaskDefinitions |
| 413 | Ensure that your Amazon Relational Database Service (RDS) instances have Storage AutoScaling feature enabled | rds:DescribeDBInstances |
| 419 | Ensure that AWS CloudFront distribution origins do not use insecure SSL protocols | cloudfront:GetDistribution cloudfront:ListDistributions |
| 426 | Ensure Amazon API Gateway REST APIs are protected by AWS WAF | apigateway:GET |
| 427 | Ensure client-side SSL certificates are used for HTTP backend authentication in AWS API Gateway REST APIs | apigateway:GET |
| 428 | Ensure that SSL certificates associated with API Gateway REST APIs are rotated periodically | apigateway:GET |
| 429 | Ensure AWS CloudFront distributions use improved security policies for HTTPS connections | cloudfront:GetDistribution cloudfront:ListDistributions |
| 430 | Ensure the traffic between the AWS CloudFront distributions and their origins is encrypted | cloudfront:GetDistribution cloudfront:ListDistributions |
| 431 | Ensure your AWS CloudFront distributions are using an origin access identity for their origin S3 buckets | cloudfront:GetDistribution cloudfront:ListDistributions |
| 432 | Ensure that your Amazon DynamoDB tables are using backup and restore | dynamodb:DescribeBackup dynamodb:DescribeContinuousBackups |
| 433 | Ensure IAM instance roles are used for AWS resource access from instances | ec2:DescribeInstances |
| 435 | Ensure Performance Insights feature is enabled for your Amazon RDS database instances | rds:DescribeDBInstances |
| 436 | Ensure to encrypt data in transit for SNS topic | sns:GetTopicAttributes sns:ListTopics |
| 437 | Ensure unused AWS EC2 key pairs are decommissioned | ec2:DescribeInstances ec2:DescribeKeyPairs |
| 438 | Ensure AWS SNS topics do not allow HTTP subscriptions | sns:GetTopicAttributes sns:ListTopics |
| 439 | Ensure that Elastic File System does not have the default access policy | elasticfilesystem:DescribeFileSystems |
| 440 | Ensure that the latest version of Memcached is used for AWS ElastiCache clusters | elasticache:DescribeCacheClusters elasticache:DescribeCacheSubnetGroups elasticache:DescribeReplicationGroups |
| 442 | Ensure that your Amazon Lambda functions are configured to use enhanced monitoring | lambda:ListFunctions lambda:ListTags lambda:ListVersionsByFunction lambda:GetFunctionConcurrency lambda:ListAliases lambda:ListEventSourceMappings iam:ListRolePolicies iam:GetRolePolicy iam:ListAttachedRolePolicies iam:GetPolicy iam:GetPolicyVersion iam:GetRole lambda:GetPolicy lambda:ListFunctionUrlConfigs |
| 443 | Ensure that Route 53 Hosted Zone has configured logging for DNS queries | route53:ListHostedZones route53domains:ListDomains route53:GetDNSSEC route53:GetHostedZone route53:ListQueryLoggingConfigs route53:ListResourceRecordSets route53domains:GetDomainDetail |
| 444 | Ensure that DNSSEC Signing is enabled for Route 53 Hosted Zones | route53:ListHostedZones route53domains:ListDomains route53:GetDNSSEC route53:GetHostedZone route53:ListQueryLoggingConfigs route53:ListResourceRecordSets route53domains:GetDomainDetail |
| 445 | Ensure that Route 53 domains have Privacy Protection enabled | route53:ListHostedZones route53domains:ListDomains |
| 446 | Ensure a CloudWatch log group is configured to receive the logs of DataSync tasks | datasync:DescribeTask datasync:ListTasks |
| 447 | Ensure data integrity verification is enabled for only the files transferred in DataSync tasks | datasync:DescribeTask datasync:ListTasks |
| 448 | Ensure that all your SSL/TLS IAM certificates are using 2048 or higher bit RSA keys | iam:ListServerCertificates |
| 449 | Ensure the default endpoint is disabled for all API Gateway APIs | apigateway:GET |
| 450 | Ensure that Microsoft AD directories forward domain controller security event logs to CloudWatch Logs | ds:DescribeDirectories ds:ListLogSubscriptions |
| 451 | Ensure SQS queues use a KMS customer managed key | sqs:GetQueueAttributes sqs:ListQueues |
| 452 | Ensure SQS queues are encrypted in transit | sqs:GetQueueAttributes sqs:ListQueues |
| 453 | Ensure public access is blocked for Amazon EFS file systems | elasticfilesystem:DescribeFileSystems |
| 455 | Ensure backtracking is enabled for AWS RDS cluster | rds:DescribeDBClusterBacktracks |
| 456 | Ensure database retention is set to 7 days or more for AWS RDS cluster | rds:DescribeDBClusters |
| 457 | Ensure Aurora Serverless AutoPause is enabled for RDS cluster | rds:DescribeDBClusters |
| 458 | Ensure connection draining is enabled for AWS ELB | elasticloadbalancing:DescribeLoadBalancerAttributes elasticloadbalancing:DescribeLoadBalancers |
| 459 | Ensure enhanced VPC routing is enabled for AWS Redshift clusters | redshift:DescribeClusterParameters redshift:DescribeClusters redshift:DescribeLoggingStatus |
| 460 | Ensure that content encoding is enabled for API Gateway Rest API | apigateway:GET |
| 461 | Ensure an idle session timeout is configured for Systems Manager Session Manager in all regions | ssm:DescribeParameters |
| 462 | Ensure Systems Manager session logs are stored in CloudWatch log groups or S3 buckets | ssm:DescribeParameters |
| 463 | Ensure Systems Manager session logs are stored only in encrypted CloudWatch log groups or S3 buckets | ssm:DescribeParameters |
| 464 | Ensure the Block public sharing setting is ON for Systems Manager documents in all regions | ssm:DescribeParameters ssm:GetDocument ssm:GetServiceSetting |
| 465 | Ensure stage caching is enabled for AWS API Gateway Method Settings | apigateway:GET |
| 466 | Ensure transit encryption is enabled for EFS volumes in AWS ECS Task Definition | ecs:DescribeClusters ecs:DescribeTaskDefinition ecs:ListClusters ecs:ListTaskDefinitions |
| 467 | Ensure root access is disabled for all SageMaker notebook instance users | sagemaker:DescribeNotebookInstance sagemaker:ListNotebookInstances |
| 468 | Ensure inter-container traffic encryption is enabled for processing jobs (if configured) | sagemaker:DescribeProcessingJob sagemaker:ListProcessingJobs |
| 469 | Ensure processing jobs (if configured) run inside a VPC | sagemaker:DescribeProcessingJob sagemaker:ListProcessingJobs |
| 470 | Ensure network isolation is enabled for processing jobs (if configured) | sagemaker:DescribeProcessingJob sagemaker:ListProcessingJobs |
| 471 | Ensure ML storage volumes attached to training jobs are encrypted | sagemaker:DescribeTrainingJob sagemaker:ListTrainingJobs |
| 472 | Ensure ML storage volumes attached to training jobs are encrypted with a customer managed key | kms:DescribeKey sagemaker:DescribeTrainingJob sagemaker:ListTrainingJobs |
| 473 | Ensure the output of training jobs in S3 is encrypted with a customer managed key | sagemaker:DescribeTrainingJob sagemaker:ListTrainingJobs |
| 474 | Ensure inter-container traffic encryption is enabled for training jobs | sagemaker:DescribeTrainingJob sagemaker:ListTrainingJobs |
| 475 | Ensure network isolation is enabled for training jobs | sagemaker:DescribeTrainingJob sagemaker:ListTrainingJobs |
| 476 | Ensure ML storage volumes attached to hyperparameter tuning jobs are encrypted | sagemaker:DescribeHyperParameterTuningJob sagemaker:ListHyperParameterTuningJobs |
| 477 | Ensure ML storage volumes attached to hyperparameter tuning jobs (if configured) are encrypted with a customer managed key | sagemaker:DescribeHyperParameterTuningJob sagemaker:ListHyperParameterTuningJobs |
| 478 | Ensure the output of hyperparameter tuning jobs in S3 is encrypted | sagemaker:DescribeHyperParameterTuningJob sagemaker:ListHyperParameterTuningJobs |
| 479 | Ensure the output of hyperparameter tuning jobs (if configured) in S3 is encrypted with a customer managed key | sagemaker:DescribeHyperParameterTuningJob sagemaker:ListHyperParameterTuningJobs |
| 480 | Ensure inter-container traffic encryption is enabled for hyperparameter tuning jobs (if configured) | sagemaker:DescribeHyperParameterTuningJob sagemaker:ListHyperParameterTuningJobs |
| 481 | Ensure hyperparameter tuning jobs (if configured) run inside a VPC | sagemaker:DescribeHyperParameterTuningJob sagemaker:ListHyperParameterTuningJobs |
| 482 | Ensure network isolation is enabled for hyperparameter tuning jobs (if configured) | sagemaker:DescribeHyperParameterTuningJob sagemaker:ListHyperParameterTuningJobs |
| 483 | Ensure network isolation is enabled for models | sagemaker:DescribeModel sagemaker:ListModels |
| 485 | Ensure CloudWatch logging is enabled in the audit logging account | kinesis:DescribeStream kinesis:ListStreams |
| 489 | Ensure multi-az is enabled for AWS DMS instances | dms:DescribeReplicationInstances |
| 490 | Ensure auto minor version upgrade is enabled for AWS DMS instances | dms:DescribeReplicationInstances |
| 491 | Ensure auto minor version upgrade is enabled for AWS MQ Brokers | mq:DescribeBroker mq:ListBrokers |
| 492 | Ensure active/standby deployment mode is used for AWS MQ Brokers | mq:DescribeBroker mq:ListBrokers |
| 495 | Ensure advanced security options are enabled for AWS Elasticsearch domains | es:DescribeDomains es:DescribeElasticsearchDomain es:DescribeElasticsearchDomains es:ListDomainNames |
| 496 | Ensure general purpose SSD node type is used for AWS Elasticsearch domains | es:DescribeDomains es:DescribeElasticsearchDomain es:DescribeElasticsearchDomains es:ListDomainNames |
| 497 | Ensure KMS customer managed keys are used for encryption of AWS Elasticsearch domains | es:DescribeDomains es:DescribeElasticsearchDomain es:DescribeElasticsearchDomains es:ListDomainNames |
| 498 | Ensure zone awareness is enabled for AWS Elasticsearch domains | es:DescribeDomains es:DescribeElasticsearchDomain es:DescribeElasticsearchDomains es:ListDomainNames |
| 499 | Ensure Amazon Cognito authentication is enabled for AWS Elasticsearch domains | es:DescribeDomains es:DescribeElasticsearchDomain es:DescribeElasticsearchDomains es:ListDomainNames |
| 500 | Ensure dedicated master nodes are enabled for AWS Elasticsearch domains | es:DescribeDomains es:DescribeElasticsearchDomain es:DescribeElasticsearchDomains es:ListDomainNames |
| 501 | Ensure policies are used for AWS CloudFormation Stacks | cloudformation:DescribeStacks cloudformation:GetStackPolicy cloudformation:ListStacks |
| 502 | Ensure termination protection is enabled for AWS CloudFormation Stack | cloudformation:DescribeStacks cloudformation:GetStackPolicy cloudformation:ListStacks |
| 503 | Ensure the TLS security policy for API Gateway custom domains is TLS 1.2 | apigateway:GET |
| 504 | Ensure there is a Dead Letter Queue configured for each Amazon SQS queue | sqs:GetQueueAttributes sqs:ListQueues |
| 505 | Ensure that EMR cluster is configured with security configuration | elasticmapreduce:DescribeCluster elasticmapreduce:DescribeSecurityConfiguration elasticmapreduce:ListClusters |
| 506 | Ensure AWS Elastic MapReduce (EMR) clusters capture detailed log data to Amazon S3 | elasticmapreduce:DescribeCluster elasticmapreduce:DescribeSecurityConfiguration elasticmapreduce:ListClusters |
| 507 | Ensure encryption at rest is enabled for AWS DocumentDB clusters | rds:DescribeDBClusters |
| 508 | Ensure AWS EBS Volume has a corresponding AWS EBS Snapshot | ec2:DescribeVolumes ec2:DescribeSnapshots |
| 509 | Ensure egress filter is set as DROP_ALL for AWS Application Mesh | appmesh:DescribeMesh appmesh:ListMeshes |
| 510 | Ensure secrets are automatically rotated at least every 90 days | secretsmanager:DescribeSecret secretsmanager:ListSecrets |
| 511 | Ensure CORS is configured to prevent sharing across all domains for AWS API Gateway V2 API | apigateway:GET |
| 512 | Ensure storage encryption is enabled for AWS Neptune cluster | rds:DescribeDBClusters |
| 514 | Ensure sufficient data retention period is set for AWS Kinesis Streams (7 days or More) | kinesis:DescribeStreamSummary kinesis:ListStreams |
| 516 | Ensure AWS ACM certificates are renewed 7 days before expiration date | acm:DescribeCertificate acm:ListCertificates |
| 517 | Ensure customer master key (CMK) is not disabled for AWS Key Management Service (KMS) | kms:DescribeCustomKeyStores kms:GetKeyPolicy kms:GetKeyRotationStatus kms:ListKeys |
| 518 | Ensure SNS Topics at rest are encrypted with customer managed master key | sns:GetTopicAttributes sns:ListTopics |
| 519 | Ensure ML storage volumes attached to notebooks are encrypted | sagemaker:DescribeNotebookInstance sagemaker:ListNotebookInstances |
| 520 | Ensure ML storage volumes attached to notebooks are encrypted with customer managed master key | sagemaker:DescribeNotebookInstance sagemaker:ListNotebookInstances |
| 521 | Ensure ML storage volumes attached to processing jobs are encrypted | sagemaker:DescribeProcessingJob sagemaker:ListProcessingJobs |
| 522 | Ensure ML storage volumes attached to processing jobs (if configured) are encrypted with customer managed master key | sagemaker:DescribeProcessingJob sagemaker:ListProcessingJobs |
| 523 | Ensure the output of processing jobs is encrypted | sagemaker:DescribeProcessingJob sagemaker:ListProcessingJobs |
| 524 | Ensure the output of processing jobs (if configured) is encrypted in S3 with customer managed master key | sagemaker:DescribeProcessingJob sagemaker:ListProcessingJobs |
| 527 | Ensure the destination S3 bucket in the audit logging account is encrypted | kinesis:DescribeStream kinesis:ListStreams |
| 528 | Ensure the destination S3 bucket in the audit logging account is encrypted with customer managed master keys | kinesis:DescribeStream kinesis:ListStreams |
| 529 | Ensure detailed monitoring is enabled for AWS Launch Configuration | autoscaling:DescribeLaunchConfigurations |
| 530 | Ensure that encryption is enabled for AWS Neptune instances | rds:DescribeDBInstances |
| 531 | Ensure that your Amazon Neptune database instances are using KMS Customer Master Keys (CMKs) | ec2:DescribeInstances |
| 533 | Ensure that ACM Certificate is validated | acm:DescribeCertificate acm:ListCertificates |
| 534 | Ensure AppFlow Flows are encrypted with customer managed master keys | kms:DescribeKey appflow:DescribeFlow appflow:ListFlows |
| 535 | Ensure encryption is enabled for entity recognition analysis jobs | comprehend:ListEntitiesDetectionJobs |
| 536 | Ensure DomainKeys Identified Mail (DKIM) is enabled for SES identities | ses:GetIdentityDkimAttributes ses:ListIdentities |
| 537 | Ensure security contact information is registered | account:GetAlternateContact sts:GetCallerIdentity |
| 538 | Ensure that Images (AMIs) are not older than 90 days | ec2:DescribeImages |
| 539 | Ensure that Images (AMIs) are not unused for more than 90 days | ec2:DescribeImages |