AWS: Control Permissions
The following table lists the permissions required for each Amazon Web Services (AWS) control. Grant these permissions to ensure the controls are visible in the policy tab.
As cloud environments evolve and providers introduce API changes, required permissions may change as well. These permissions are reviewed and updated with each product release to reflect the latest requirements. Stale API entries are periodically removed, and updates are included in subsequent releases.
| Control ID | Title | Permissions |
|---|---|---|
| 1 | Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password | iam:ListUsers iam:ListUserPolicies iam:ListGroups iam:GenerateCredentialReport iam:GetCredentialReport iam:ListVirtualMFADevices iam:GetGroup iam:ListAttachedUserPolicies iam:GetUser iam:ListAccessKeys |
| 2 | Ensure console credentials unused for 45 days or greater are disabled | iam:ListUsers iam:ListUserPolicies iam:ListGroups iam:GenerateCredentialReport iam:GetCredentialReport iam:ListVirtualMFADevices iam:GetGroup iam:ListAttachedUserPolicies iam:GetUser iam:ListAccessKeys |
| 3 | Ensure access keys unused for 90 days or greater are disabled | iam:ListUsers iam:ListUserPolicies iam:ListGroups iam:GenerateCredentialReport iam:GetCredentialReport iam:ListVirtualMFADevices iam:GetGroup iam:ListAttachedUserPolicies iam:GetUser iam:ListAccessKeys |
| 4 | Ensure access key 1 is rotated every 90 days or less | iam:ListUsers iam:ListUserPolicies iam:ListGroups iam:GenerateCredentialReport iam:GetCredentialReport iam:ListVirtualMFADevices iam:GetGroup iam:ListAttachedUserPolicies iam:GetUser iam:ListAccessKeys |
| 5 | Ensure access key 2 is rotated every 90 days or less | iam:ListUsers iam:ListUserPolicies iam:ListGroups iam:GenerateCredentialReport iam:GetCredentialReport iam:ListVirtualMFADevices iam:GetGroup iam:ListAttachedUserPolicies iam:GetUser iam:ListAccessKeys |
| 6 | Ensure that custom IAM Password Policy is Defined | iam:GetAccountPasswordPolicy |
| 7 | Ensure that custom IAM password policy requires at least one uppercase letter | iam:GetAccountPasswordPolicy |
| 8 | Ensure that custom IAM password policy requires at least one lowercase letter | iam:GetAccountPasswordPolicy |
| 9 | Ensure that custom IAM password policy requires at least one symbol | iam:GetAccountPasswordPolicy |
| 10 | Ensure that custom IAM password policy requires at least one number | iam:GetAccountPasswordPolicy |
| 11 | Ensure that custom IAM password policy requires minimum length of 14 or greater | iam:GetAccountPasswordPolicy |
| 12 | Ensure that custom IAM password policy prevents password reuse | iam:GetAccountPasswordPolicy |
| 13 | Ensure that custom IAM password policy expires passwords within 90 days or less | iam:GetAccountPasswordPolicy |
| 14 | Ensure no root user account access key exists | iam:ListUsers iam:ListUserPolicies iam:ListGroups iam:GenerateCredentialReport iam:GetCredentialReport iam:ListVirtualMFADevices iam:GetGroup iam:ListAttachedUserPolicies iam:GetUser iam:ListAccessKeys |
| 15 | Ensure MFA is enabled for the root user account | iam:ListUsers iam:ListUserPolicies iam:ListGroups iam:GenerateCredentialReport iam:GetCredentialReport iam:ListVirtualMFADevices iam:GetGroup iam:ListAttachedUserPolicies iam:GetUser iam:ListAccessKeys |
| 17 | Ensure IAM policies are attached only to groups or roles | iam:ListUsers iam:ListUserPolicies iam:ListGroups iam:GenerateCredentialReport iam:GetCredentialReport iam:ListVirtualMFADevices iam:GetGroup iam:ListAttachedUserPolicies iam:GetUser iam:ListAccessKeys |
| 18 | Eliminate use of the root user for administrative and daily tasks | iam:ListUsers iam:ListUserPolicies iam:ListGroups iam:GenerateCredentialReport iam:GetCredentialReport iam:ListVirtualMFADevices iam:GetGroup iam:ListAttachedUserPolicies iam:GetUser iam:ListAccessKeys |
| 19 | Ensure CloudTrail is enabled in all regions | s3:ListAllMyBuckets s3:GetBucketLocation cloudtrail:DescribeTrails cloudtrail:GetTrailStatus cloudtrail:GetEventSelectors |
| 20 | Ensure CloudTrail log file validation is enabled | s3:ListAllMyBuckets s3:GetBucketLocation cloudtrail:DescribeTrails |
| 21 | Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible | s3:ListAllMyBuckets s3:GetBucketLocation cloudtrail:DescribeTrails s3:GetBucketAcl s3:GetBucketPolicy s3:GetBucketPolicyStatus |
| 22 | Ensure CloudTrail trails are integrated with CloudWatch Logs | s3:ListAllMyBuckets s3:GetBucketLocation cloudtrail:DescribeTrails cloudtrail:GetTrailStatus cloudtrail:GetEventSelectors |
| 23 | Ensure AWS Config is enabled in all regions | config:DescribeConfigurationRecorderStatus |
| 24 | Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket | s3:ListAllMyBuckets s3:GetBucketLocation cloudtrail:DescribeTrails s3:GetBucketLogging |
| 25 | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | s3:ListAllMyBuckets s3:GetBucketLocation cloudtrail:DescribeTrails |
| 26 | Ensure rotation for customer created symmetric CMKs is enabled | kms:DescribeCustomKeyStores kms:ListKeys kms:DescribeKey kms:GetKeyRotationStatus |
| 27 | Ensure unauthorized API calls are monitored | s3:ListAllMyBuckets s3:GetBucketLocation cloudtrail:DescribeTrails cloudtrail:GetEventSelectors cloudtrail:GetTrailStatus logs:DescribeMetricFilters cloudwatch:DescribeAlarmsForMetric sns:ListSubscriptionsByTopic |
| 28 | Ensure management console sign-in without MFA is monitored | s3:ListAllMyBuckets s3:GetBucketLocation cloudtrail:DescribeTrails cloudtrail:GetEventSelectors cloudtrail:GetTrailStatus logs:DescribeMetricFilters cloudwatch:DescribeAlarmsForMetric sns:ListSubscriptionsByTopic |
| 29 | Ensure usage of root account is monitored | s3:ListAllMyBuckets s3:GetBucketLocation cloudtrail:DescribeTrails cloudtrail:GetEventSelectors cloudtrail:GetTrailStatus logs:DescribeMetricFilters cloudwatch:DescribeAlarmsForMetric sns:ListSubscriptionsByTopic |
| 30 | Ensure IAM policy changes are monitored | s3:ListAllMyBuckets s3:GetBucketLocation cloudtrail:DescribeTrails cloudtrail:GetEventSelectors cloudtrail:GetTrailStatus logs:DescribeMetricFilters cloudwatch:DescribeAlarmsForMetric sns:ListSubscriptionsByTopic |
| 31 | Ensure CloudTrail configuration changes are monitored | s3:ListAllMyBuckets s3:GetBucketLocation cloudtrail:DescribeTrails cloudtrail:GetEventSelectors cloudtrail:GetTrailStatus logs:DescribeMetricFilters cloudwatch:DescribeAlarmsForMetric sns:ListSubscriptionsByTopic |
| 32 | Ensure AWS Management Console authentication failures are monitored | s3:ListAllMyBuckets s3:GetBucketLocation cloudtrail:DescribeTrails cloudtrail:GetEventSelectors cloudtrail:GetTrailStatus logs:DescribeMetricFilters cloudwatch:DescribeAlarmsForMetric sns:ListSubscriptionsByTopic |
| 33 | Ensure disabling or scheduled deletion of customer created CMKs is monitored | s3:ListAllMyBuckets s3:GetBucketLocation cloudtrail:DescribeTrails cloudtrail:GetEventSelectors cloudtrail:GetTrailStatus logs:DescribeMetricFilters cloudwatch:DescribeAlarmsForMetric sns:ListSubscriptionsByTopic |
| 34 | Ensure S3 bucket policy changes are monitored | s3:ListAllMyBuckets s3:GetBucketLocation cloudtrail:DescribeTrails cloudtrail:GetEventSelectors cloudtrail:GetTrailStatus logs:DescribeMetricFilters cloudwatch:DescribeAlarmsForMetric sns:ListSubscriptionsByTopic |
| 35 | Ensure AWS Config configuration changes are monitored | s3:ListAllMyBuckets s3:GetBucketLocation cloudtrail:DescribeTrails cloudtrail:GetEventSelectors cloudtrail:GetTrailStatus logs:DescribeMetricFilters cloudwatch:DescribeAlarmsForMetric sns:ListSubscriptionsByTopic |
| 36 | Ensure security group changes are monitored | s3:ListAllMyBuckets s3:GetBucketLocation cloudtrail:DescribeTrails cloudtrail:GetEventSelectors cloudtrail:GetTrailStatus logs:DescribeMetricFilters cloudwatch:DescribeAlarmsForMetric sns:ListSubscriptionsByTopic |
| 37 | Ensure Network Access Control Lists (NACL) changes are monitored | s3:ListAllMyBuckets s3:GetBucketLocation cloudtrail:DescribeTrails cloudtrail:GetEventSelectors cloudtrail:GetTrailStatus logs:DescribeMetricFilters cloudwatch:DescribeAlarmsForMetric sns:ListSubscriptionsByTopic |
| 38 | Ensure changes to network gateways are monitored | s3:ListAllMyBuckets s3:GetBucketLocation cloudtrail:DescribeTrails cloudtrail:GetEventSelectors cloudtrail:GetTrailStatus logs:DescribeMetricFilters cloudwatch:DescribeAlarmsForMetric sns:ListSubscriptionsByTopic |
| 39 | Ensure route table changes are monitored | s3:ListAllMyBuckets s3:GetBucketLocation cloudtrail:DescribeTrails cloudtrail:GetEventSelectors cloudtrail:GetTrailStatus logs:DescribeMetricFilters cloudwatch:DescribeAlarmsForMetric sns:ListSubscriptionsByTopic |
| 40 | Ensure VPC changes are monitored | s3:ListAllMyBuckets s3:GetBucketLocation cloudtrail:DescribeTrails cloudtrail:GetEventSelectors cloudtrail:GetTrailStatus logs:DescribeMetricFilters cloudwatch:DescribeAlarmsForMetric sns:ListSubscriptionsByTopic |
| 41 | Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 | ec2:DescribeSecurityGroups |
| 42 | Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 | ec2:DescribeSecurityGroups |
| 43 | Ensure VPC flow logging is enabled in all VPCs | ec2:DescribeVpcs ec2:DescribeFlowLogs |
| 44 | Ensure the default security group of every VPC restricts all traffic | ec2:DescribeSecurityGroups |
| 45 | Ensure S3 bucket access control lists do not grant access to Everyone or Authenticated Users | s3:ListAllMyBuckets s3:GetBucketLocation s3:GetBucketTagging s3:GetBucketAcl s3:GetBucketPolicy s3:GetBucketPolicyStatus |
| 46 | Ensure S3 bucket policies do not grant access to Everyone | s3:ListAllMyBuckets s3:GetBucketLocation s3:GetBucketTagging s3:GetBucketAcl s3:GetBucketPolicy s3:GetBucketPolicyStatus |
| 47 | Ensure access logging is enabled for S3 buckets | s3:ListAllMyBuckets s3:GetBucketLocation s3:GetBucketTagging s3:GetBucketLogging |
| 48 | Ensure versioning is enabled for S3 buckets | s3:ListAllMyBuckets s3:GetBucketLocation s3:GetBucketTagging s3:GetBucketVersioning |
| 49 | Ensure a support role has been created to manage incidents with AWS Support | iam:ListServerCertificates access-analyzer:ListAnalyzers iam:ListPolicies |
| 50 | Ensure IAM policies that allow full *:* administrative privileges are not attached | iam:ListPolicies iam:GetPolicyVersion |
| 51 | Ensure that Public Accessibility is set to No for Database Instances | rds:DescribeDBInstances |
| 52 | Ensure DB snapshot is not publicly visible | rds:DescribeDBSnapshotAttributes rds:DescribeDBSnapshots |
| 53 | Ensure that encryption-at-rest is enabled for RDS Instances | rds:DescribeDBInstances |
| 54 | Ensure database instance snapshot is encrypted | rds:DescribeDBSnapshots |
| 55 | Ensure Auto Minor Version Upgrade feature is Enabled for RDS Instances | rds:DescribeDBInstances |
| 56 | Ensure database instance is not listening on a standard/default port | rds:ListTagsForResource rds:DescribeDBInstances |
| 57 | Ensure S3 Bucket Policy is set to deny HTTP requests | s3:ListAllMyBuckets s3:GetBucketLocation s3:GetBucketTagging s3:GetBucketAcl s3:GetBucketPolicy |
| 58 | Ensure that the key expiry is set for CMK with external key material | kms:DescribeKey kms:ListKeys kms:DescribeCustomKeyStores |
| 59 | Ensure Block new public bucket policies for a bucket is set to true | s3:ListAllMyBuckets s3:GetBucketLocation s3:GetBucketTagging s3:GetBucketAcl s3:GetBucketPolicy s3:GetBucketPolicyStatus s3:GetBucketPublicAccessBlock s3:GetAccountPublicAccessBlock |
| 60 | Ensure that Block public and cross-account access if bucket has public policies for bucket is set to true | s3:ListAllMyBuckets s3:GetBucketLocation s3:GetBucketTagging s3:GetBucketAcl s3:GetBucketPolicy s3:GetBucketPolicyStatus s3:GetBucketPublicAccessBlock s3:GetAccountPublicAccessBlock |
| 61 | Ensure that Block new public ACLs and uploading public objects for a bucket is set to true | s3:ListAllMyBuckets s3:GetBucketLocation s3:GetBucketTagging s3:GetBucketAcl s3:GetBucketPolicy s3:GetBucketPolicyStatus s3:GetBucketPublicAccessBlock s3:GetAccountPublicAccessBlock |
| 62 | Ensure that Remove public access granted through public ACLs for a bucket is set to true | s3:ListAllMyBuckets s3:GetBucketLocation s3:GetBucketTagging s3:GetBucketAcl s3:GetBucketPolicy s3:GetBucketPolicyStatus s3:GetBucketPublicAccessBlock s3:GetAccountPublicAccessBlock |
| 63 | Ensure Block new public bucket policies for an account is set to true | s3:ListAllMyBuckets s3:GetBucketLocation s3:GetBucketTagging s3:GetBucketAcl s3:GetBucketPolicy s3:GetBucketPolicyStatus s3:GetBucketPublicAccessBlock s3:GetAccountPublicAccessBlock |
| 64 | Ensure that Block public and cross-account access if bucket has public policies for the account is set to true | s3:ListAllMyBuckets s3:GetBucketLocation s3:GetBucketTagging s3:GetBucketAcl s3:GetBucketPolicy s3:GetBucketPolicyStatus s3:GetBucketPublicAccessBlock s3:GetAccountPublicAccessBlock |
| 65 | Ensure that Block new public ACLs and uploading public objects for the account is set to true | s3:ListAllMyBuckets s3:GetBucketLocation s3:GetBucketTagging s3:GetBucketAcl s3:GetBucketPolicy s3:GetBucketPolicyStatus s3:GetBucketPublicAccessBlock s3:GetAccountPublicAccessBlock |
| 66 | Ensure that Remove public access granted through public ACLs for the account is enabled | s3:ListAllMyBuckets s3:GetBucketLocation s3:GetBucketTagging s3:GetBucketAcl s3:GetBucketPolicy s3:GetBucketPolicyStatus s3:GetBucketPublicAccessBlock s3:GetAccountPublicAccessBlock |
| 67 | Ensure all S3 buckets employ encryption-at-rest | s3:ListAllMyBuckets s3:GetBucketLocation s3:GetBucketTagging s3:GetEncryptionConfiguration |
| 68 | Ensure all the expired SSL/TLS certificates stored in AWS IAM are removed | iam:ListServerCertificates iam:GetServerCertificate |
| 69 | Ensure automated backups are enabled for RDS database instances | rds:DescribeDBInstances |
| 70 | Ensure Deletion Protection is enabled for RDS DB Cluster | rds:DescribeDBClusters |
| 71 | Ensure Deletion Protection is enabled for RDS Database instances | rds:DescribeDBInstances |
| 72 | Ensure IAM Database Authentication is Enabled for the DB Cluster | rds:DescribeDBClusters |
| 73 | Ensure IAM Database Authentication is Enabled for the DB Instances | rds:DescribeDBInstances |
| 74 | Ensure AWS RDS Log Exports is enabled for DB Cluster | rds:DescribeDBClusters |
| 75 | Ensure AWS RDS Log Exports is enabled for DB Instances | rds:DescribeDBInstances |
| 76 | Ensure RDS Database Master username is not set to well-known/default | rds:DescribeDBInstances |
| 77 | Ensure VPC security group attached to RDS database instance does not allow inbound traffic from ANY source IP | rds:ListTagsForResource rds:DescribeDBInstances ec2:DescribeSecurityGroups |
| 78 | Ensure that public access is not given to RDS Instance | rds:DescribeDBInstances rds:ListTagsForResource ec2:DescribeRouteTables |
| 79 | Ensure RDS DB clusters are not present in public subnets | ec2:DescribeRouteTables rds:DescribeDBSubnetGroups rds:DescribeDBClusters |
| 80 | Ensure Event Subscriptions for instance-level events are enabled for DB instances | rds:DescribeEventSubscriptions rds:DescribeDBInstances rds:ListTagsForResource |
| 81 | Ensure RDS Microsoft SQL instance enforces encrypted connections only | rds:ListTagsForResource rds:DescribeDBInstances rds:DescribeDBParameters |
| 82 | Ensure RDS PostgreSQL instance enforces encrypted connections only | rds:ListTagsForResource rds:DescribeDBInstances rds:DescribeDBParameters |
| 83 | Ensure RDS PostgreSQL Cluster enforces encrypted connections only | rds:DescribeDBClusterParameters rds:DescribeDBClusters |
| 84 | Ensure Encryption is enabled for the RDS DB Cluster | rds:DescribeDBClusters |
| 85 | Ensure RDS DB Cluster snapshots are encrypted | rds:DescribeDBClusterSnapshots |
| 86 | Ensure CMK is used to protect RDS DB Cluster encryption key | rds:DescribeDBClusters |
| 87 | Ensure CMK is used to protect RDS DB instance encryption key | rds:ListTagsForResource rds:DescribeDBInstances kms:DescribeKey |
| 88 | Ensure DB instance replication is set to another Availability Zone for high availability | rds:DescribeDBInstances |
| 89 | Ensure DB cluster replication is set to another Availability Zone for high availability | rds:DescribeDBClusters |
| 90 | Ensure RDS database Cluster snapshots are not public | rds:DescribeDBClusterSnapshots rds:DescribeDBClusterSnapshotAttributes |
| 91 | Ensure Enhanced Monitoring is enabled for RDS database instance | rds:DescribeDBInstances |
| 92 | Ensure AWS RDS DB Cluster with copy tags to snapshots option is enabled | rds:DescribeDBClusters |
| 93 | Ensure AWS RDS instances with copy tags to snapshots option is enabled | rds:DescribeDBInstances |
| 94 | Ensure Event Subscriptions for cluster-level events are enabled for DB clusters | rds:DescribeEventSubscriptions rds:DescribeDBClusters |
| 95 | Ensure MySQL DB instance backup binary logs configuration is not set to OFF | rds:DescribeDBClusterParameters rds:DescribeDBClusters |
| 96 | Ensure backup configuration is enabled for MSSQL DB Instances | rds:ListTagsForResource rds:DescribeDBInstances rds:DescribeOptionGroups |
| 97 | Ensure that Lambda function has tracing enabled | lambda:ListFunctions lambda:ListTags lambda:ListVersionsByFunction lambda:GetFunctionConcurrency lambda:ListAliases lambda:ListEventSourceMappings iam:ListRolePolicies iam:GetRolePolicy iam:ListAttachedRolePolicies iam:GetPolicy iam:GetPolicyVersion iam:GetRole lambda:GetPolicy lambda:ListFunctionUrlConfigs |
| 99 | Ensure that multiple triggers are not configured on the $LATEST version of a Lambda function | lambda:ListFunctions lambda:ListTags lambda:ListVersionsByFunction lambda:GetFunctionConcurrency lambda:ListAliases lambda:ListEventSourceMappings iam:ListRolePolicies iam:GetRolePolicy iam:ListAttachedRolePolicies iam:GetPolicy iam:GetPolicyVersion iam:GetRole |
| 100 | Ensure that Lambda Runtime Version is latest and not custom | lambda:ListFunctions lambda:ListTags lambda:ListVersionsByFunction lambda:GetFunctionConcurrency lambda:ListAliases lambda:ListEventSourceMappings iam:ListRolePolicies iam:GetRolePolicy iam:ListAttachedRolePolicies iam:GetPolicy iam:GetPolicyVersion iam:GetRole |
| 101 | Ensure that Lambda function does not have Admin Privileges | lambda:ListFunctions lambda:ListTags lambda:ListVersionsByFunction lambda:GetFunctionConcurrency lambda:ListAliases lambda:ListEventSourceMappings iam:ListRolePolicies iam:GetRolePolicy iam:ListAttachedRolePolicies iam:GetPolicy iam:GetPolicyVersion iam:GetRole |
| 102 | Ensure that Lambda function does not have Cross Account Access | lambda:ListFunctions lambda:ListTags lambda:ListVersionsByFunction lambda:GetFunctionConcurrency lambda:ListAliases lambda:ListEventSourceMappings iam:ListRolePolicies iam:GetRolePolicy iam:ListAttachedRolePolicies iam:GetPolicy iam:GetPolicyVersion iam:GetRole |
| 103 | Ensure that Lambda Environment Variables at-rest are encrypted with CMK | lambda:ListFunctions lambda:ListTags lambda:ListVersionsByFunction lambda:GetFunctionConcurrency lambda:ListAliases lambda:ListEventSourceMappings iam:ListRolePolicies iam:GetRolePolicy iam:ListAttachedRolePolicies iam:GetPolicy iam:GetPolicyVersion iam:GetRole |
| 104 | Ensure that Lambda Environment Variables are encrypted using AWS encryption helpers for encryption in transit | lambda:ListFunctions lambda:ListTags lambda:ListVersionsByFunction lambda:GetFunctionConcurrency lambda:ListAliases lambda:ListEventSourceMappings iam:ListRolePolicies iam:GetRolePolicy iam:ListAttachedRolePolicies iam:GetPolicy iam:GetPolicyVersion iam:GetRole |
| 105 | Ensure that Lambda function does not allow anonymous invocation | lambda:ListFunctions lambda:ListTags lambda:ListVersionsByFunction lambda:GetFunctionConcurrency lambda:ListAliases lambda:ListEventSourceMappings iam:ListRolePolicies iam:GetRolePolicy iam:ListAttachedRolePolicies iam:GetPolicy iam:GetPolicyVersion iam:GetRole |
| 106 | Ensure that VPC access for Lambda function is not left at the default (null) | ec2:DescribeRouteTables ec2:DescribeSecurityGroups lambda:ListFunctions lambda:ListTags lambda:ListVersionsByFunction lambda:GetFunctionConcurrency lambda:ListAliases lambda:ListEventSourceMappings iam:ListRolePolicies iam:GetRolePolicy iam:ListAttachedRolePolicies iam:GetPolicy iam:GetPolicyVersion iam:GetRole |
| 107 | Ensure that AWS Lambda excess Permissions are removed | lambda:ListFunctions lambda:ListTags lambda:ListVersionsByFunction lambda:GetFunctionConcurrency lambda:ListAliases lambda:ListEventSourceMappings iam:ListRolePolicies iam:GetRolePolicy iam:ListAttachedRolePolicies iam:GetPolicy iam:GetPolicyVersion iam:GetRole iam:GetServiceLastAccessedDetails iam:GenerateServiceLastAccessedDetails |
| 108 | Ensure Version Upgrade is enabled for AWS Redshift clusters to automatically receive upgrades | redshift:DescribeClusters |
| 109 | Ensure AWS Redshift clusters are not using default endpoint port | redshift:DescribeClusters |
| 110 | Ensure AWS Redshift clusters are not publicly accessible | redshift:DescribeClusters |
| 111 | Ensure AWS Redshift clusters master username is not set to well-known/default | redshift:DescribeClusters |
| 112 | Ensure that AWS Redshift clusters encryption is set for data at rest | redshift:DescribeClusters |
| 113 | Ensure audit logging is enabled for AWS Redshift clusters for security and troubleshooting purposes | redshift:DescribeClusters redshift:DescribeLoggingStatus |
| 114 | Ensure Images (AMIs) owned by an AWS account are not public | ec2:DescribeImages |
| 115 | Ensure that EBS Volumes attached to EC2 instances are encrypted | ec2:DescribeVolumes |
| 116 | Ensure that Unattached EBS Volumes are encrypted | ec2:DescribeVolumes |
| 117 | Ensure that RDS Instances certificates are rotated | rds:DescribeDBInstances |
| 118 | Ensure that DocumentDB Instances certificates are rotated | rds:DescribeDBInstances |
| 119 | Ensure no AWS default KMS Key is used to protect Secrets | secretsmanager:ListSecrets |
| 120 | Ensure No CMK is marked for deletion | kms:DescribeKey kms:ListKeys kms:DescribeCustomKeyStores |
| 121 | Ensure only the root user of the AWS account is allowed full access on the CMK | kms:DescribeCustomKeyStores kms:ListKeys kms:DescribeKey kms:GetKeyPolicy |
| 122 | Ensure permission to delete the key is not granted to any principal other than the root user of the AWS account | kms:DescribeCustomKeyStores kms:ListKeys kms:DescribeKey kms:GetKeyPolicy kms:GetKeyRotationStatus |
| 123 | Ensure CMK administrators are not also users of the key | kms:GetKeyPolicy kms:ListKeys kms:DescribeCustomKeyStores kms:DescribeKey |
| 124 | Ensure all Custom key stores are connected to their CloudHSM clusters | kms:DescribeCustomKeyStores kms:ListKeys |
| 125 | Ensure that multiple triggers are not configured for Lambda Function Aliases | lambda:ListFunctions lambda:ListTags lambda:ListVersionsByFunction lambda:GetFunctionConcurrency lambda:ListAliases lambda:ListEventSourceMappings iam:ListRolePolicies iam:GetRolePolicy iam:ListAttachedRolePolicies iam:GetPolicy iam:GetPolicyVersion iam:GetRole |
| 126 | Ensure AMIs owned by an AWS account are encrypted | ec2:DescribeImages |
| 127 | Ensure AWS EBS Volume snapshots are encrypted | ec2:DescribeSnapshots |
| 128 | Ensure access log is enabled for Application load balancer | elasticloadbalancing:DescribeLoadBalancers |
| 129 | Ensure access log is enabled for Classic Elastic load balancer | elasticloadbalancing:DescribeLoadBalancerAttributes elasticloadbalancing:DescribeLoadBalancers |
| 130 | Ensure Classic Elastic load balancer is not using unencrypted protocol | elasticloadbalancing:DescribeLoadBalancers |
| 131 | Ensure Elastic load balancer listener is not using unencrypted protocol | elasticloadbalancing:DescribeListeners elasticloadbalancing:DescribeLoadBalancers acm:ListCertificates |
| 132 | Ensure DocumentDB database cluster master username is not set to well-known/default | rds:DescribeDBClusters |
| 133 | Ensure backup retention is set to minimum of 7 days for DocumentDB clusters | rds:DescribeDBClusters |
| 134 | Ensure audit logs are enabled for log export to CloudWatch for DocumentDB clusters | rds:DescribeDBClusters |
| 135 | Ensure deletion protection is enabled for DocumentDB clusters | rds:DescribeDBClusters |
| 136 | Ensure DocumentDB Cluster is not listening on default port | rds:DescribeDBClusters |
| 137 | Ensure multi-AZ high availability is enabled for Neptune DB | rds:DescribeDBClusters |
| 138 | Ensure Neptune DB is not listening on default port | rds:DescribeDBClusters |
| 139 | Ensure IAM DB authentication is enabled for Neptune database | rds:DescribeDBClusters |
| 140 | Ensure backup retention is set to minimum of 7 days for Neptune database | rds:DescribeDBClusters |
| 141 | Ensure audit logs are enabled for log exports to CloudWatch for Neptune database | rds:DescribeDBClusters |
| 142 | Ensure auto minor version upgrade is enabled for Neptune database | rds:DescribeDBInstances |
| 143 | Ensure deletion protection is enabled for Neptune DB | rds:DescribeDBClusters |
| 144 | Ensure EFS Encryption is enabled for data at rest | kms:ListKeys kms:DescribeCustomKeyStores kms:DescribeKey elasticfilesystem:DescribeFileSystems |
| 145 | Ensure EFS File system resource is encrypted by KMS using a customer managed Key (CMK) | kms:ListKeys kms:DescribeCustomKeyStores kms:DescribeKey elasticfilesystem:DescribeFileSystems |
| 146 | Ensure that AWS Elastic Block Store (EBS) volume snapshots are not public | ec2:DescribeSnapshots ec2:DescribeSnapshotAttribute |
| 147 | Ensure that AWS ElastiCache Memcached clusters are not associated with default VPC | elasticache:DescribeCacheClusters elasticache:DescribeCacheSubnetGroups ec2:DescribeVpcs |
| 148 | Ensure that AWS ElastiCache Redis clusters are not associated with default VPC | elasticache:DescribeCacheClusters elasticache:DescribeCacheSubnetGroups ec2:DescribeVpcs |
| 149 | Ensure that AWS ElastiCache Redis clusters are not using their default endpoint ports | elasticache:DescribeReplicationGroups |
| 150 | Ensure that AWS ElastiCache Memcached clusters are not using their default endpoint ports | elasticache:DescribeCacheClusters |
| 151 | Ensure AWS ElastiCache Redis cluster with Multi-AZ Automatic Failover feature is set to enabled | elasticache:DescribeReplicationGroups |
| 152 | Ensure AWS ElastiCache Redis cluster with Redis AUTH feature is enabled | elasticache:DescribeReplicationGroups |
| 153 | Ensure that AWS ElastiCache Redis clusters are In-Transit encrypted | elasticache:DescribeReplicationGroups |
| 154 | Ensure that AWS ElastiCache Redis clusters are Data At-Rest encrypted | elasticache:DescribeReplicationGroups |
| 155 | Ensure that AWS ElastiCache Redis clusters are Data At-Rest encrypted with CMK | elasticache:DescribeReplicationGroups |
| 156 | Ensure node-to-node encryption feature is enabled for AWS Elasticsearch Service domains | es:ListDomainNames es:DescribeElasticsearchDomain |
| 157 | Ensure AWS Elasticsearch Service domains have publishing of slow logs to AWS CloudWatch Logs enabled | es:ListDomainNames es:DescribeElasticsearchDomain |
| 158 | Ensure AWS Elasticsearch Service domains are not publicly accessible | es:ListDomainNames es:DescribeElasticsearchDomain |
| 159 | Ensure AWS Elasticsearch Service domains are using the latest version of Elasticsearch engine | es:ListDomainNames es:DescribeElasticsearchDomain |
| 160 | Ensure that IAM Access analyzer is enabled for all regions | access-analyzer:ListAnalyzers |
| 161 | Ensure no Network ACLs allow ingress from 0.0.0.0/0 to port 22 | ec2:DescribeNetworkAcls |
| 162 | Ensure AWS Route 53 Registered domain has Transfer lock enabled | route53domains:ListDomains |
| 163 | Ensure AWS Route 53 Registered domain has Auto renew Enabled | route53domains:ListDomains |
| 164 | Ensure AWS Route 53 Registered domain is not expired | route53domains:ListDomains |
| 165 | Ensure AWS Kinesis Data Firehose delivery stream with Direct PUT and other sources as source has Server-side encryption configured | firehose:ListDeliveryStreams firehose:DescribeDeliveryStream |
| 166 | Ensure AWS Kinesis Data Firehose delivery stream with Kinesis Data stream as source has Server-side encryption configured | kinesis:DescribeStream firehose:ListDeliveryStreams firehose:DescribeDeliveryStream |
| 167 | Ensure AWS Kinesis Data Firehose delivery stream with Direct PUT and other sources as source has Server-side encryption configured with KMS Customer Managed Keys | firehose:ListDeliveryStreams firehose:DescribeDeliveryStream |
| 168 | Ensure AWS Kinesis Data Firehose delivery stream with Kinesis Data stream as source has Server-side encryption configured with KMS Customer Managed Keys | kinesis:DescribeStream firehose:ListDeliveryStreams firehose:DescribeDeliveryStream kms:DescribeKey |
| 169 | Ensure DynamoDB tables are encrypted using KMS Customer managed Keys | dynamodb:ListTables dynamodb:DescribeTable kms:DescribeKey |
| 170 | Ensure no Network ACLs allow ingress from 0.0.0.0/0 to port 3389 | ec2:DescribeNetworkAcls |
| 171 | Ensure there is only one active access key available for any single IAM user | iam:ListUsers iam:ListUserPolicies iam:ListGroups iam:GenerateCredentialReport iam:GetCredentialReport iam:ListVirtualMFADevices iam:GetGroup iam:ListAttachedUserPolicies iam:GetUser iam:ListAccessKeys |
| 172 | Ensure AWS Organizations changes are monitored | s3:ListAllMyBuckets s3:GetBucketLocation cloudtrail:DescribeTrails cloudtrail:GetEventSelectors cloudtrail:GetTrailStatus logs:DescribeMetricFilters cloudwatch:DescribeAlarmsForMetric sns:ListSubscriptionsByTopic |
| 173 | Ensure DynamoDB tables are not configured using DEFAULT encryption | dynamodb:DescribeTable dynamodb:ListTables |
| 174 | Ensure that Customer managed KMS keys use external key material | kms:DescribeKey kms:ListKeys kms:DescribeCustomKeyStores |
| 175 | Ensure no Inline Policies are attached to IAM Users directly | iam:ListUsers iam:ListUserPolicies iam:ListGroups iam:GenerateCredentialReport iam:GetCredentialReport iam:ListVirtualMFADevices iam:GetGroup iam:ListAttachedUserPolicies iam:GetUser iam:ListAccessKeys |
| 176 | Ensure no Managed Policies are attached to IAM Users directly | iam:ListUsers iam:ListUserPolicies iam:ListGroups iam:GenerateCredentialReport iam:GetCredentialReport iam:ListVirtualMFADevices iam:GetGroup iam:ListAttachedUserPolicies iam:GetUser iam:ListAccessKeys |
| 177 | Ensure that Object-level logging for write events is enabled for S3 bucket | s3:ListAllMyBuckets s3:GetBucketLocation cloudtrail:DescribeTrails cloudtrail:GetTrailStatus cloudtrail:GetEventSelectors |
| 178 | Ensure that Object-level logging for read events is enabled for S3 bucket | s3:ListAllMyBuckets s3:GetBucketLocation cloudtrail:DescribeTrails cloudtrail:GetTrailStatus cloudtrail:GetEventSelectors |
| 179 | Ensure MFA is enabled in AWS Directory | ds:DescribeDirectories |
| 181 | Ensure proper protocol is configured for the RADIUS server in AWS Directory | ds:DescribeDirectories |
| 182 | Ensure SNS Topics do not Allow Everyone to Publish | sns:GetTopicAttributes sns:ListTopics |
| 183 | Ensure SNS Topics do not Allow Everyone to Subscribe | sns:GetTopicAttributes sns:ListTopics |
| 184 | Ensure there are no Internet facing Application load balancers | acm:ListCertificates elasticloadbalancing:DescribeLoadBalancers |
| 185 | Ensure ALB HTTPS listeners have an SSL security policy | elasticloadbalancing:DescribeListeners elasticloadbalancing:DescribeLoadBalancers acm:ListCertificates |
| 186 | Ensure that ALB HTTP listeners redirect to HTTPS | elasticloadbalancing:DescribeListeners elasticloadbalancing:DescribeLoadBalancers acm:ListCertificates |
| 187 | Ensure that ALB listeners have HTTPS enabled Target Groups | elasticloadbalancing:DescribeLoadBalancers acm:ListCertificates elasticloadbalancing:DescribeTargetGroups |
| 188 | Ensure IncreaseVolumeSize is Disabled for Workspace directories in all regions | workspaces:DescribeWorkspaceDirectories |
| 189 | Ensure Automated backup retention is set for Redshift Cluster | redshift:DescribeClusters |
| 190 | Ensure Redshift Cluster is configured to require an SSL connection | redshift:DescribeClusterParameters redshift:DescribeClusters |
| 191 | Ensure database audit logging is enabled for Redshift Cluster | redshift:DescribeClusterParameters redshift:DescribeClusters |
| 192 | Ensure Redshift Cluster is encrypted with KMS key | redshift:DescribeClusters |
| 193 | Ensure that NLB listener is not using an unencrypted protocol | elasticloadbalancing:DescribeListeners elasticloadbalancing:DescribeLoadBalancers |
| 194 | Ensure that Classic Elastic load balancer is not internet facing | elasticloadbalancing:DescribeLoadBalancers |
| 195 | Ensure Classic Elastic Load Balancer has an SSL Security Policy | elasticloadbalancing:DescribeLoadBalancers |
| 196 | Ensure AWS VPC subnets have automatic public IP assignment disabled | ec2:DescribeSubnets |
| 197 | Ensure the user volumes and root volumes of AWS WorkSpaces are encrypted with customer managed master keys | workspaces:DescribeWorkspaces kms:DescribeKey |
| 198 | Ensure Workspace directory has a VPC endpoint so that the API traffic associated with the management of WorkSpaces stays within the VPC | ds:DescribeDirectories workspaces:DescribeWorkspaces ec2:DescribeVpcEndpoints |
| 199 | Ensure access keys are not set up during initial user setup for IAM users that have a console password | iam:ListUsers iam:ListUserPolicies iam:ListGroups iam:GenerateCredentialReport iam:GetCredentialReport iam:ListVirtualMFADevices iam:GetGroup iam:ListAttachedUserPolicies iam:GetUser iam:ListAccessKeys |
| 200 | Ensure to log state machine execution history to CloudWatch Logs | states:ListStateMachines states:DescribeStateMachine |
| 201 | Ensure RDS instance does not have an interface open to a public scope | rds:DescribeDBInstances ec2:DescribeSecurityGroups |
| 202 | Ensure to update the Security Policy of the Network Load Balancer | elasticloadbalancing:DescribeListeners elasticloadbalancing:DescribeLoadBalancers |
| 203 | Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK) | ec2:DescribeVolumes ec2:DescribeSnapshots |
| 204 | Ensure AWS EBS Volume snapshots are encrypted with KMS using a customer managed Key (CMK) | kms:DescribeKey ec2:DescribeSnapshots |
| 205 | Ensure RestartWorkspace is Enabled for Directories in all regions | workspaces:DescribeWorkspaceDirectories |
| 206 | Ensure that DocumentDB Cluster Snapshots are encrypted | rds:DescribeDBClusterSnapshots |
| 207 | Ensure that DocumentDB Cluster Snapshots are not public | rds:DescribeDBClusterSnapshots rds:DescribeDBClusterSnapshotAttributes |
| 208 | Ensure WorkDocs is not enabled in Workspace Directories | workspaces:DescribeWorkspaceDirectories |
| 209 | Ensure Access to Internet is not enabled in Workspace Directories | workspaces:DescribeWorkspaceDirectories |
| 210 | Ensure Local Administrator setting is not enabled in Workspace Directories | workspaces:DescribeWorkspaceDirectories |
| 211 | Ensure Maintenance Mode is not enabled in Workspace Directories | workspaces:DescribeWorkspaceDirectories |
| 212 | Ensure Device Type Windows Access Control is allowed in Workspace Directories | workspaces:DescribeWorkspaceDirectories |
| 213 | Ensure Device Type macOS Access Control is allowed in Workspace Directories | workspaces:DescribeWorkspaceDirectories |
| 214 | Ensure Device Type Web Access Control is allowed in Workspace Directories | workspaces:DescribeWorkspaceDirectories |
| 215 | Ensure Device Type iOS Access Control is allowed in Workspace Directories | workspaces:DescribeWorkspaceDirectories |
| 216 | Ensure Device Type Android Access Control is allowed in Workspace Directories | workspaces:DescribeWorkspaceDirectories |
| 217 | Ensure Device Type ChromeOS Access Control is allowed in Workspace Directories | workspaces:DescribeWorkspaceDirectories |
| 218 | Ensure Device Type ZeroClient Access Control is allowed in Workspace Directories | workspaces:DescribeWorkspaceDirectories |
| 219 | Ensure Neptune DB snapshots are encrypted | rds:DescribeDBClusterSnapshots |
| 220 | Ensure Neptune DB snapshots are not public | rds:DescribeDBClusterSnapshotAttributes rds:DescribeDBClusterSnapshots |
| 221 | Ensure ChangeComputeType is Disabled in all regions for Workspace Directories | workspaces:DescribeWorkspaceDirectories |
| 222 | Ensure SwitchRunningMode is Disabled in all regions for Workspace Directories | workspaces:DescribeWorkspaceDirectories |
| 223 | Ensure RebuildWorkspace is Disabled in all regions for Workspace Directories | workspaces:DescribeWorkspaceDirectories |
| 224 | Ensure only AD Connector directory type is allowed for AWS Directories | workspaces:DescribeWorkspaceDirectories |
| 225 | Ensure root volume encryption is enabled for Workspaces in all regions | workspaces:DescribeWorkspaces |
| 226 | Ensure user volume encryption is enabled for Workspaces in all regions | workspaces:DescribeWorkspaces |
| 227 | Ensure Amazon API Gateway APIs are only accessible through private API endpoints in all regions | apigateway:GET |
| 228 | Ensure default route table association is disabled for Transit Gateways in all regions | ec2:DescribeTransitGateways |
| 229 | Ensure default route table propagation is disabled for Transit Gateways in all regions | ec2:DescribeTransitGateways |
| 230 | Ensure the Config Service configuration recorder records all resource types | config:DescribeConfigurationRecorders |
| 231 | Ensure the Config Service configuration recorder includes global resources such as IAM | config:DescribeConfigurationRecorders |
| 232 | Ensure a data retention period is configured for Config Service configuration items | config:DescribeRetentionConfigurations |
| 233 | Ensure a delivery channel S3 bucket is configured for the resources that Config records | config:DescribeDeliveryChannels |
| 234 | Ensure to configure certificate provider type to custom in EMR security configuration | elasticmapreduce:DescribeSecurityConfiguration elasticmapreduce:ListClusters elasticmapreduce:DescribeCluster |
| 235 | Ensure to enable data in transit encryption for EMR security configuration | elasticmapreduce:DescribeSecurityConfiguration elasticmapreduce:ListClusters elasticmapreduce:DescribeCluster |
| 236 | Ensure that all AWS Systems Manager (SSM) parameters are encrypted | ssm:DescribeParameters |
| 237 | Ensure termination protection is enabled for EMR cluster | elasticmapreduce:DescribeCluster elasticmapreduce:ListClusters |
| 238 | Ensure ACM uses imported certificates only and does not create/issue certificates | acm:ListCertificates |
| 239 | Ensure expired certificates are removed from AWS ACM | acm:ListCertificates |
| 240 | Ensure ACM certificates do not have a wildcard (*) domain | acm:ListCertificates |
| 241 | Ensure that ACM certificates use appropriate algorithms and key sizes | acm:ListCertificates |
| 242 | Ensure logging is not set to OFF for Rest APIs Stage in all regions | apigateway:GET |
| 243 | Ensure to enable encryption if caching is enabled for Rest API Stage in all regions | apigateway:GET |
| 244 | Ensure accessLogSettings exists with the destinationArn and in JSON format for Rest API Stage in all regions | apigateway:GET |
| 245 | Ensure there are no Internet facing Network load balancers | elasticloadbalancing:DescribeLoadBalancers |
| 246 | Ensure NLB using listener type TLS has an SSL Security Policy | elasticloadbalancing:DescribeListeners elasticloadbalancing:DescribeLoadBalancers |
| 247 | Ensure that NLB listeners using TLS have TLS enabled Target Groups configured | elasticloadbalancing:DescribeTargetGroups elasticloadbalancing:DescribeLoadBalancers |
| 248 | Ensure that NLB listeners using default insecure ports are not configured for passthrough | elasticloadbalancing:DescribeListeners elasticloadbalancing:DescribeLoadBalancers |
| 249 | Ensure AWS NLB logging is enabled | elasticloadbalancing:DescribeLoadBalancerAttributes elasticloadbalancing:DescribeLoadBalancers |
| 250 | Ensure AWS RDS instance is not open to a large scope | rds:DescribeDBInstances ec2:DescribeSecurityGroups |
| 252 | Ensure data in transit is encrypted when using NFS between the client and the EFS service | elasticfilesystem:DescribeFileSystems elasticfilesystem:DescribeFileSystemPolicy |
| 253 | Ensure AWS Security Hub is enabled in all regions | securityhub:DescribeHub |
| 254 | Ensure that backup retention is set between 3 and 7 days for Aurora PostgreSQL clusters | rds:DescribeDBClusters |
| 255 | Ensure MFA Delete is enabled on S3 buckets | s3:GetBucketVersioning s3:ListBucket s3:GetBucketTagging s3:GetBucketLocation |
| 256 | Ensure trail is configured at the organization level | s3:ListAllMyBuckets s3:GetBucketLocation cloudtrail:DescribeTrails |
| 257 | Ensure status of the log_destination parameter for PostgreSQL instance is set to csvlog | rds:DescribeDBInstances rds:DescribeDBParameters |
| 258 | Ensure status of the log_rotation_age parameter for PostgreSQL instance is set to 60(minutes) | rds:DescribeDBInstances rds:DescribeDBParameters |
| 259 | Ensure status of the log_connections parameter for PostgreSQL instance is set to ON(1) | rds:DescribeDBInstances rds:DescribeDBParameters |
| 260 | Ensure status of the log_disconnections parameter for PostgreSQL instance is set to ON(1) | rds:DescribeDBInstances rds:DescribeDBParameters |
| 261 | Ensure status of the log_hostname parameter for PostgreSQL instance is set to OFF(0) | rds:DescribeDBInstances rds:DescribeDBParameters |
| 262 | Ensure status of the log_statement parameter for PostgreSQL instance is set to ddl or stricter | rds:DescribeDBInstances rds:DescribeDBParameters |
| 263 | Ensure status of the pgaudit.log parameter for PostgreSQL instance is set to appropriate value | rds:DescribeDBInstances rds:DescribeDBParameters |
| 264 | Ensure each trail includes the global services | s3:ListAllMyBuckets s3:GetBucketLocation cloudtrail:DescribeTrails |
| 265 | Ensure status of the log_destination parameter for Aurora PostgreSQL cluster is set to csvlog | rds:DescribeDBClusters rds:DescribeDBClusterParameters |
| 266 | Ensure status of the log_rotation_age parameter for Aurora PostgreSQL cluster is set to 60(minutes) | rds:DescribeDBClusters rds:DescribeDBClusterParameters |
| 267 | Ensure status of the log_connections parameter for Aurora PostgreSQL cluster is set to ON(1) | rds:DescribeDBClusters rds:DescribeDBClusterParameters |
| 268 | Ensure status of the log_disconnections parameter for Aurora PostgreSQL cluster is set to ON(1) | rds:DescribeDBClusters rds:DescribeDBClusterParameters |
| 269 | Ensure status of the log_hostname parameter for Aurora PostgreSQL cluster is set to OFF(0) | rds:DescribeDBClusters rds:DescribeDBClusterParameters |
| 270 | Ensure status of the log_statement parameter for Aurora PostgreSQL cluster is set to ddl or stricter | rds:DescribeDBClusters rds:DescribeDBClusterParameters |
| 271 | Ensure status of the pgaudit.log parameter for Aurora PostgreSQL cluster is set to appropriate value | rds:DescribeDBClusters rds:DescribeDBClusterParameters |
| 272 | Ensure KMS events are logged to the trail | s3:ListAllMyBuckets s3:GetBucketLocation cloudtrail:DescribeTrails cloudtrail:GetTrailStatus cloudtrail:GetEventSelectors |
| 273 | Ensure block public access is enabled for EMR clusters so that no port is publicly accessible | elasticmapreduce:GetBlockPublicAccessConfiguration |
| 285 | Ensure all data stored in the Elasticsearch is securely encrypted at rest | es:ListDomainNames es:DescribeElasticsearchDomain |
| 286 | Ensure all data stored in the Launch configuration EBS is securely encrypted | autoscaling:DescribeLaunchConfigurations |
| 288 | Ensure SageMaker Notebook is encrypted at rest using KMS CMK | sagemaker:DescribeNotebookInstance sagemaker:ListNotebookInstances |
| 289 | Ensure every security groups rule has a description | ec2:DescribeSecurityGroups |
| 291 | Ensure SQS Queue have encryption at rest enabled | sqs:GetQueueAttributes sqs:ListQueues |
| 292 | Ensure DynamoDB point in time recovery (backup) is enabled | dynamodb:ListTables dynamodb:DescribeTable dynamodb:DescribeContinuousBackups |
| 293 | Ensure ECR repository policy is not set to public | ecr:GetRepositoryPolicy ecr:DescribeRepositories |
| 294 | Ensure Customer managed KMS key policy does not contain wildcard (*) principal | kms:DescribeCustomKeyStores kms:ListKeys kms:DescribeKey kms:GetKeyPolicy kms:GetKeyRotationStatus |
| 295 | Ensure CloudFront distribution ViewerProtocolPolicy is set to HTTPS | cloudfront:ListDistributions |
| 302 | Ensure DAX is encrypted at rest (default is unencrypted) | dax:DescribeClusters |
| 303 | Ensure MQ Broker logging is enabled | mq:DescribeBroker mq:ListBrokers |
| 305 | Ensure ECR Image Tags are immutable | ecr:DescribeRepositories |
| 312 | Ensure container insights are enabled on ECS cluster | ecs:DescribeClusters ecs:ListClusters |
| 313 | Ensure CloudWatch Log Group has a retention period set to 7 days or greater | logs:DescribeLogGroups |
| 314 | Ensure that CloudFront Distribution has WAF enabled | cloudfront:ListDistributions |
| 315 | Ensure MQ Broker is not publicly exposed | mq:DescribeBroker mq:ListBrokers |
| 318 | Ensure API Gateway has X-Ray Tracing enabled | apigateway:GET |
| 319 | Ensure Global Accelerator has flow logs enabled | globalaccelerator:DescribeAccelerator globalaccelerator:DescribeAcceleratorAttributes globalaccelerator:ListAccelerators |
| 321 | Ensure that CodeBuild Project encryption is not disabled | codebuild:ListProjects codebuild:BatchGetProjects |
| 322 | Ensure that EC2 Metadata Service only allows IMDSv2 | ec2:DescribeInstances |
| 323 | Ensure MSK Cluster logging is enabled | kafka:ListClusters |
| 324 | Ensure MSK Cluster encryption at rest and in transit is enabled | kafka:ListClusters |
| 325 | Ensure Athena Workgroups enforce configuration to prevent client disabling encryption | athena:GetWorkGroup athena:ListWorkGroups |
| 326 | Ensure Elasticsearch Domain enforces HTTPS | es:ListDomainNames es:DescribeElasticsearchDomain |
| 328 | Ensure that EC2 instance have no public IP | ec2:DescribeInstances |
| 329 | Ensure that DMS replication instance is not publicly accessible | dms:DescribeReplicationInstances |
| 330 | Ensure DocDB TLS is not disabled | rds:DescribeDBClusters rds:DescribeDBClusterParameters |
| 332 | Ensure Glue Data Catalog Encryption is enabled with SSE-KMS with customer-managed keys | glue:GetDataCatalogEncryptionSettings kms:DescribeKey |
| 333 | Ensure all data stored in Aurora is securely encrypted at rest | rds:DescribeDBClusters |
| 334 | Ensure all data stored in the SageMaker Endpoint is securely encrypted at rest | sagemaker:DescribeEndpoint sagemaker:DescribeEndpointConfig sagemaker:ListEndpoints |
| 338 | Ensure that load balancer is using TLS 1.2 or above | acm:ListCertificates elasticloadbalancing:DescribeLoadBalancers elasticloadbalancing:DescribeListeners |
| 339 | Ensure EBS default encryption is enabled with customer managed key | ec2:GetEbsEncryptionByDefault ec2:GetEbsDefaultKmsKeyId |
| 342 | Ensure that EMR clusters with Kerberos have Kerberos Realm set | elasticmapreduce:DescribeCluster elasticmapreduce:ListClusters |
| 343 | Ensure that AWS Lambda function is configured for function-level concurrent execution limit | lambda:ListFunctions lambda:ListTags lambda:ListVersionsByFunction lambda:GetFunctionConcurrency lambda:ListAliases lambda:ListEventSourceMappings iam:ListRolePolicies iam:GetRolePolicy iam:ListAttachedRolePolicies iam:GetPolicy iam:GetPolicyVersion iam:GetRole lambda:GetPolicy lambda:ListFunctionUrlConfigs |
| 344 | Ensure that AWS Lambda function is configured for a Dead Letter Queue (DLQ) | lambda:ListFunctions lambda:ListTags lambda:ListVersionsByFunction lambda:GetFunctionConcurrency lambda:ListAliases lambda:ListEventSourceMappings iam:ListRolePolicies iam:GetRolePolicy iam:ListAttachedRolePolicies iam:GetPolicy iam:GetPolicyVersion iam:GetRole lambda:GetPolicy lambda:ListFunctionUrlConfigs |
| 346 | Ensure network load balancers have a security group attached | elasticloadbalancing:DescribeLoadBalancers |
| 347 | Ensure that direct internet access is disabled for an Amazon SageMaker Notebook Instance | sagemaker:DescribeNotebookInstance sagemaker:ListNotebookInstances |
| 348 | Ensure that VPC Endpoint Service is configured for Manual Acceptance | ec2:DescribeVpcEndpointServices |
| 349 | Ensure that CloudFormation stacks are sending event notifications to an SNS topic | cloudformation:ListStacks cloudformation:DescribeStacks |
| 350 | Ensure that detailed monitoring is enabled for EC2 instances | ec2:DescribeInstances |
| 351 | Ensure that Elastic Load Balancers use SSL certificates provided by AWS Certificate Manager | acm:ListCertificates elasticloadbalancing:DescribeLoadBalancers elasticloadbalancing:DescribeListeners |
| 354 | Ensure that ALB drops HTTP headers | elasticloadbalancing:DescribeLoadBalancers |
| 355 | Ensure Trail is configured to log Data events for s3 buckets | s3:ListAllMyBuckets s3:GetBucketLocation cloudtrail:DescribeTrails cloudtrail:GetTrailStatus cloudtrail:GetEventSelectors |
| 357 | Ensure that EC2 is EBS optimized | ec2:DescribeInstances |
| 358 | Ensure that ECR repositories are encrypted using KMS | ecr:DescribeRepositories |
| 359 | Ensure that Elasticsearch is configured inside a VPC | es:ListDomainNames es:DescribeElasticsearchDomain |
| 360 | Ensure that ELB has cross-zone-load-balancing enabled | elasticloadbalancing:DescribeLoadBalancerAttributes elasticloadbalancing:DescribeLoadBalancers |
| 366 | Ensure that Secrets Manager secret is encrypted using KMS using a customer managed Key (CMK) | secretsmanager:ListSecrets |
| 367 | Ensure that Load Balancer has deletion protection enabled | acm:ListCertificates elasticloadbalancing:DescribeLoadBalancers elasticloadbalancing:DescribeLoadBalancerAttributes |
| 369 | Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled | acm:ListCertificates elasticloadbalancing:DescribeLoadBalancers elasticloadbalancing:DescribeLoadBalancerAttributes |
| 370 | Ensure that Auto Scaling Groups supply tags to Launch Configurations | autoscaling:DescribeAutoScalingGroups |
| 371 | Ensure Redshift is not deployed outside of a VPC | redshift:DescribeClusters |
| 373 | Ensure CloudWatch log groups are encrypted | logs:DescribeLogGroups |
| 374 | Ensure that Athena Workgroup is encrypted | athena:GetWorkGroup athena:ListWorkGroups |
| 377 | Ensure ECR image scanning on push is enabled | ecr:DescribeRepositories |
| 378 | Ensure Transfer Server is not exposed publicly | transfer:DescribeServer transfer:ListServers |
| 379 | Ensure S3 bucket does not grant WRITE permission for server access logs to everyone | s3:ListAllMyBuckets s3:GetBucketLocation s3:GetBucketTagging s3:GetBucketAcl s3:GetBucketPolicy s3:GetBucketPolicyStatus |
| 380 | Ensure Backup Vault is encrypted at rest using KMS CMK | backup:DescribeBackupVault backup:ListBackupVaults |
| 381 | Ensure Glacier Vault access policy is not public by only allowing specific services or principals to access it | glacier:ListVaults glacier:DescribeVault glacier:GetVaultAccessPolicy |
| 382 | Ensure SQS queue policy is not public by only allowing specific services or principals to access it | sqs:GetQueueAttributes sqs:ListQueues |
| 383 | Ensure SNS topic policy is not public by only allowing specific services or principals to access it | sns:GetTopicAttributes sns:ListTopics |
| 385 | Ensure that EMR Cluster security configuration encryption is using SSE-KMS | elasticmapreduce:DescribeSecurityConfiguration elasticmapreduce:ListClusters elasticmapreduce:DescribeCluster |
| 386 | Ensure that all NACLs are attached to subnets | ec2:DescribeNetworkAcls |
| 387 | Ensure GuardDuty is enabled to specific org/region | guardduty:GetDetector guardduty:ListDetectors |
| 388 | Ensure API Gateway stage have logging level defined as appropriate and have metrics enabled | apigateway:GET |
| 393 | Ensure the option group attached to the RDS Oracle Instance have TLSv1.2 and the required ciphers configured | rds:DescribeDBInstances rds:DescribeOptionGroups |
| 395 | Ensure that Auto Scaling Groups that are associated with a Load Balancer are using Elastic Load Balancing health checks | autoscaling:DescribeAutoScalingGroups |
| 396 | Ensure that Auto Scaling is enabled on your DynamoDB tables | dynamodb:ListTables dynamodb:DescribeTable application-autoscaling:DescribeScalableTargets |
| 398 | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | ec2:DescribeAddresses |
| 399 | Ensure that all IAM users are members of at least one IAM group | iam:ListUsers iam:ListUserPolicies iam:ListGroups iam:GenerateCredentialReport iam:GetCredentialReport iam:ListVirtualMFADevices iam:GetGroup iam:ListAttachedUserPolicies iam:GetUser iam:ListAccessKeys |
| 400 | Ensure an IAM User does not have access to the console | iam:ListUsers iam:ListUserPolicies iam:ListGroups iam:GenerateCredentialReport iam:GetCredentialReport iam:ListVirtualMFADevices iam:GetGroup iam:ListAttachedUserPolicies iam:GetUser iam:ListAccessKeys |
| 401 | Route53 A Record has Attached Resource | route53:ListHostedZones route53:ListResourceRecordSets |
| 402 | Ensure that PostgreSQL RDS instances have Query Logging enabled | rds:DescribeDBInstances rds:DescribeDBParameters |
| 403 | Ensure public facing ALB are protected by WAF | acm:ListCertificates wafv2:GetWebACLForResource elasticloadbalancing:DescribeLoadBalancers |
| 407 | Ensure all data stored in the ElastiCache Replication Group is securely encrypted in transit and has an auth token | elasticache:DescribeReplicationGroups |
| 409 | Ensure that ssl_max_protocol_version parameter for Aurora PostgreSQL cluster is set to latest version | rds:DescribeDBClusters rds:DescribeDBClusterParameters |
| 410 | Ensure that ssl_min_protocol_version parameter for Aurora PostgreSQL cluster is set to latest version | rds:DescribeDBClusters rds:DescribeDBClusterParameters |
| 411 | Ensure that a log driver has been defined for each active Amazon ECS task definition | ecs:DescribeTaskDefinition ecs:ListTaskDefinitions |
| 413 | Ensure that your Amazon Relational Database Service (RDS) instances have Storage AutoScaling feature enabled | rds:DescribeDBInstances |
| 426 | Ensure Amazon API Gateway REST APIs are protected by AWS WAF | apigateway:GET |
| 427 | Ensure client-side SSL certificates are used for HTTP backend authentication in AWS API Gateway REST APIs | apigateway:GET |
| 428 | Ensure that SSL certificates associated with API Gateway REST APIs are rotated periodically | apigateway:GET |
| 429 | Ensure AWS CloudFront distributions use improved security policies for HTTPS connections | cloudfront:ListDistributions |
| 432 | Ensure that your Amazon DynamoDB tables are using backup and restore | dynamodb:ListTables dynamodb:DescribeTable dynamodb:ListBackups |
| 433 | Ensure IAM instance roles are used for AWS resource access from instances | ec2:DescribeInstances |
| 435 | Ensure Performance Insights feature is enabled for your Amazon RDS database instances | rds:DescribeDBInstances |
| 436 | Ensure to encrypt data in transit for SNS topic | sns:GetTopicAttributes sns:ListTopics |
| 437 | Ensure unused AWS EC2 key pairs are decommissioned | ec2:DescribeKeyPairs ec2:DescribeInstances |
| 438 | Ensure AWS SNS topics do not allow HTTP subscriptions | sns:GetTopicAttributes sns:ListTopics |
| 439 | Ensure that Elastic File System does not have the default access policy | elasticfilesystem:DescribeFileSystems elasticfilesystem:DescribeFileSystemPolicy |
| 440 | Ensure that the latest version of Memcached is used for AWS ElastiCache clusters | elasticache:DescribeCacheClusters |
| 442 | Ensure that your Amazon Lambda functions are configured to use enhanced monitoring | lambda:ListFunctions lambda:ListTags lambda:ListVersionsByFunction lambda:GetFunctionConcurrency lambda:ListAliases lambda:ListEventSourceMappings iam:ListRolePolicies iam:GetRolePolicy iam:ListAttachedRolePolicies iam:GetPolicy iam:GetPolicyVersion iam:GetRole lambda:GetPolicy lambda:ListFunctionUrlConfigs |
| 443 | Ensure that Route 53 Hosted Zone has configured logging for DNS queries | route53:ListHostedZones route53:ListQueryLoggingConfigs |
| 444 | Ensure that DNSSEC Signing is enabled for Route 53 Hosted Zones | route53:ListHostedZones route53:GetDNSSEC |
| 445 | Ensure that Route 53 domains have Privacy Protection enabled | route53domains:ListDomains route53domains:GetDomainDetail |
| 446 | Ensure a CloudWatch log group is configured to receive the logs of each DataSync task | datasync:ListTasks datasync:DescribeTask |
| 447 | Ensure data integrity checks for only the files transferred are enabled for DataSync tasks | datasync:ListTasks datasync:DescribeTask |
| 448 | Ensure that all your SSL/TLS IAM certificates are using RSA keys of 2048 bits or more | iam:ListUsers iam:ListUserPolicies iam:ListGroups iam:GenerateCredentialReport iam:GetCredentialReport iam:ListVirtualMFADevices iam:GetGroup iam:ListAttachedUserPolicies iam:GetUser iam:ListAccessKeys |
| 449 | Ensure the default endpoint is disabled for all APIs | apigateway:GET |
| 450 | Ensure that Microsoft AD directories forward domain controller security event logs to CloudWatch Logs | ds:DescribeDirectories ds:ListLogSubscriptions |
| 451 | Ensure SQS queues use a KMS customer managed master key | sqs:ListQueues sqs:GetQueueAttributes |
| 452 | Ensure SQS queues are encrypted in transit | sqs:GetQueueAttributes sqs:ListQueues |
| 453 | Ensure public access is blocked for Amazon EFS file systems | elasticfilesystem:DescribeFileSystems elasticfilesystem:DescribeFileSystemPolicy |
| 455 | Ensure backtracking is enabled for AWS RDS cluster | rds:DescribeDBClusters |
| 456 | Ensure database retention is set to 7 days or more for AWS RDS cluster | rds:DescribeDBClusters |
| 457 | Ensure Aurora Serverless AutoPause is enabled for RDS cluster | rds:DescribeDBClusters |
| 458 | Ensure connection draining is enabled for AWS ELB | elasticloadbalancing:DescribeLoadBalancerAttributes elasticloadbalancing:DescribeLoadBalancers |
| 459 | Ensure Enhanced VPC routing is enabled for AWS Redshift Clusters | redshift:DescribeClusters |
| 460 | Ensure that content encoding is enabled for API Gateway Rest API | apigateway:GET |
| 461 | Ensure Systems Manager session idle timeout is configured in all regions | ssm:GetDocument s3:GetEncryptionConfiguration logs:DescribeLogGroups |
| 462 | Ensure session logs for Systems Manager are stored in CloudWatch log groups or S3 buckets | ssm:GetDocument s3:GetEncryptionConfiguration logs:DescribeLogGroups |
| 463 | Ensure session logs for Systems Manager are stored only in encrypted CloudWatch log groups or S3 buckets | ssm:GetDocument s3:GetEncryptionConfiguration logs:DescribeLogGroups |
| 464 | Ensure Block public sharing setting is ON for the documents in all regions | ssm:GetServiceSetting |
| 465 | Ensure stage caching is enabled for AWS API Gateway Method Settings | apigateway:GET |
| 466 | Ensure transit encryption is enabled for EFS volumes in AWS ECS Task Definition | ecs:DescribeTaskDefinition ecs:ListTaskDefinitions |
| 467 | Ensure root access is disabled for all notebook instance users | sagemaker:DescribeNotebookInstance sagemaker:ListNotebookInstances |
| 468 | Ensure inter-container traffic encryption is enabled for Processing jobs (if configured) | sagemaker:DescribeProcessingJob sagemaker:ListProcessingJobs |
| 469 | Ensure Processing jobs (if configured) are running inside a VPC | sagemaker:DescribeProcessingJob sagemaker:ListProcessingJobs |
| 472 | Ensure ML storage volumes attached to training jobs are encrypted with customer managed master key | kms:DescribeKey sagemaker:DescribeTrainingJob sagemaker:ListTrainingJobs |
| 473 | Ensure the S3 output of training jobs is encrypted with customer managed master key | sagemaker:DescribeTrainingJob kms:DescribeKey sagemaker:ListTrainingJobs |
| 477 | Ensure ML storage volumes attached to Hyperparameter Tuning jobs (if configured) are encrypted with customer managed master key | sagemaker:DescribeHyperParameterTuningJob sagemaker:ListHyperParameterTuningJobs kms:DescribeKey |
| 479 | Ensure the S3 output of Hyperparameter Tuning jobs (if configured) is encrypted with customer managed master key | sagemaker:DescribeHyperParameterTuningJob sagemaker:ListHyperParameterTuningJobs kms:DescribeKey |
| 481 | Ensure Hyperparameter tuning jobs(if configured) are running inside a VPC | sagemaker:DescribeHyperParameterTuningJob sagemaker:ListHyperParameterTuningJobs |
| 483 | Ensure to enable network isolation for models | sagemaker:DescribeModel sagemaker:ListModels |
| 485 | Ensure CloudWatch logging is enabled in the audit logging account | firehose:ListDeliveryStreams firehose:DescribeDeliveryStream |
| 489 | Ensure multi-az is enabled for AWS DMS instances | dms:DescribeReplicationInstances |
| 490 | Ensure auto minor version upgrade is enabled for AWS DMS instances | dms:DescribeReplicationInstances |
| 491 | Ensure auto minor version upgrade is enabled for AWS MQ Brokers | mq:DescribeBroker mq:ListBrokers |
| 492 | Ensure active/standby deployment mode is used for AWS MQ Brokers | mq:DescribeBroker mq:ListBrokers |
| 495 | Ensure advanced security options are enabled for AWS Elasticsearch Domain | es:ListDomainNames es:DescribeElasticsearchDomain |
| 496 | Ensure general purpose SSD node type is used for AWS Elasticsearch Domains | es:ListDomainNames es:DescribeElasticsearchDomain |
| 497 | Ensure KMS customer managed keys are used for encryption for AWS Elasticsearch Domains | es:ListDomainNames es:DescribeElasticsearchDomain kms:DescribeKey |
| 498 | Ensure Zone Awareness is enabled for AWS Elasticsearch Domain | es:ListDomainNames es:DescribeElasticsearchDomain |
| 499 | Ensure Amazon Cognito authentication is enabled for AWS Elasticsearch Domain | es:ListDomainNames es:DescribeElasticsearchDomain |
| 500 | Ensure dedicated master nodes are enabled for AWS Elasticsearch Domains | es:ListDomainNames es:DescribeElasticsearchDomain |
| 501 | Ensure policies are used for AWS CloudFormation Stacks | cloudformation:DescribeStacks cloudformation:GetStackPolicy cloudformation:ListStacks |
| 502 | Ensure termination protection is enabled for AWS CloudFormation Stack | cloudformation:ListStacks cloudformation:DescribeStacks |
| 503 | Ensure the TLS security policy for custom domains uses version 1.2 | apigateway:GET |
| 504 | Ensure there is a Dead Letter Queue configured for each Amazon SQS queue | sqs:GetQueueAttributes sqs:ListQueues |
| 505 | Ensure that EMR cluster is configured with security configuration | elasticmapreduce:DescribeCluster elasticmapreduce:ListClusters |
| 506 | Ensure AWS Elastic MapReduce (EMR) clusters capture detailed log data to Amazon S3 | elasticmapreduce:DescribeCluster elasticmapreduce:ListClusters |
| 507 | Ensure encryption at rest is enabled for AWS DocumentDB clusters | rds:DescribeDBClusters |
| 508 | Ensure AWS EBS Volume has a corresponding AWS EBS Snapshot | ec2:DescribeVolumes ec2:DescribeSnapshots |
| 509 | Ensure egress filter is set as DROP_ALL for AWS Application Mesh | appmesh:DescribeMesh appmesh:ListMeshes |
| 510 | Ensure secrets are automatically rotated at least every 90 days | secretsmanager:ListSecrets |
| 511 | Ensure CORS is configured to prevent sharing across all domains for AWS API Gateway V2 API | apigateway:GET |
| 512 | Ensure storage encryption is enabled for AWS Neptune cluster | rds:DescribeDBClusters |
| 514 | Ensure sufficient data retention period is set for AWS Kinesis Streams (7 days or More) | kinesis:DescribeStreamSummary kinesis:ListStreams |
| 516 | Ensure AWS ACM certificates are renewed 7 days before expiration date | acm:ListCertificates |
| 517 | Ensure customer master key (CMK) is not disabled for AWS Key Management Service (KMS) | kms:DescribeKey kms:ListKeys kms:DescribeCustomKeyStores |
| 518 | Ensure SNS topics are encrypted at rest with a customer managed master key | kms:DescribeKey sns:GetTopicAttributes sns:ListTopics |
| 519 | Ensure ML storage volumes attached to notebooks are encrypted | sagemaker:DescribeNotebookInstance sagemaker:ListNotebookInstances |
| 520 | Ensure ML storage volumes attached to notebooks are encrypted with a customer managed master key | sagemaker:DescribeNotebookInstance sagemaker:ListNotebookInstances kms:DescribeKey |
| 522 | Ensure ML storage volumes attached to processing jobs (if configured) are encrypted with a customer managed master key | sagemaker:DescribeProcessingJob sagemaker:ListProcessingJobs kms:DescribeKey |
| 523 | Ensure the output of processing jobs is encrypted | sagemaker:DescribeProcessingJob sagemaker:ListProcessingJobs |
| 524 | Ensure the output of processing jobs (if configured) in S3 is encrypted with a customer managed master key | sagemaker:DescribeProcessingJob sagemaker:ListProcessingJobs kms:DescribeKey |
| 527 | Ensure the S3 destination bucket in the audit logging account is encrypted | firehose:ListDeliveryStreams firehose:DescribeDeliveryStream |
| 528 | Ensure the S3 destination bucket in the audit logging account is encrypted with customer managed master keys | firehose:ListDeliveryStreams firehose:DescribeDeliveryStream kms:DescribeKey |
| 529 | Ensure detailed monitoring is enabled for AWS Launch Configuration | autoscaling:DescribeLaunchConfigurations |
| 530 | Ensure that encryption is enabled for AWS Neptune instances | rds:DescribeDBInstances |
| 531 | Ensure that your Amazon Neptune database instances are using KMS Customer Master Keys (CMKs) | rds:DescribeDBInstances kms:DescribeKey |
| 533 | Ensure that ACM Certificate is validated | acm:ListCertificates |
| 534 | Ensure AppFlow Flows are encrypted with customer managed master keys | kms:DescribeKey appflow:DescribeFlow appflow:ListFlows |
| 535 | Ensure encryption is enabled for entity recognition analysis jobs | comprehend:ListEntitiesDetectionJobs |
| 536 | Ensure DomainKeys Identified Mail (DKIM) is enabled for SES identities | ses:GetIdentityDkimAttributes ses:ListIdentities |
| 537 | Ensure security contact information is registered | account:GetAlternateContact |
| 538 | Ensure that Images (AMIs) are not older than 90 days | ec2:DescribeImages |
| 539 | Ensure that Images (AMIs) are not unused for more than 90 days | ec2:DescribeImages |
| 541 | Ensure CloudFront distributions use a custom SSL/TLS certificate | cloudfront:ListDistributions |
| 542 | Ensure CloudFront distributions use SNI to serve HTTPS requests | cloudfront:ListDistributions |
| 543 | Ensure DynamoDB tables have deletion protection enabled | dynamodb:DescribeTable dynamodb:ListTables |
| 544 | Ensure DynamoDB Accelerator clusters are encrypted in transit | dax:DescribeClusters |
| 545 | Ensure Amazon EC2 Transit Gateways do not automatically accept VPC attachment requests | ec2:DescribeTransitGateways |
| 546 | Ensure Amazon EC2 paravirtual instance types are not used | ec2:DescribeInstances |
| 548 | Ensure ECS task definitions do not share the host's process namespace | ecs:DescribeTaskDefinition ecs:ListTaskDefinitions |
| 551 | Ensure Neptune DB clusters are configured to copy tags to snapshots | rds:DescribeDBClusters |
| 553 | Ensure that Athena workgroups have logging enabled | athena:GetWorkGroup athena:ListWorkGroups |
| 555 | Ensure ActiveMQ brokers stream audit logs to CloudWatch | mq:DescribeBroker mq:ListBrokers |
| 558 | Ensure OpenSearch domains have at least three data nodes | es:ListDomainNames es:DescribeElasticsearchDomain |
| 560 | Ensure SNS Topics are encrypted | sns:GetTopicAttributes sns:ListTopics |
| 561 | Ensure S3 general purpose bucket policies restrict access to other AWS accounts | s3:ListAllMyBuckets s3:GetBucketLocation s3:GetBucketTagging s3:GetBucketAcl s3:GetBucketPolicy |
| 562 | Ensure that Network Load Balancer listeners use SSL certificates provided by AWS Certificate Manager | elasticloadbalancing:DescribeListeners elasticloadbalancing:DescribeLoadBalancers |
| 563 | Ensure AWS CloudFront distribution origins do not use insecure SSL protocols | cloudfront:ListDistributions |
| 564 | Ensure the traffic between the AWS CloudFront distributions and their origins is encrypted | cloudfront:ListDistributions |
| 565 | Ensure your AWS CloudFront distributions are using an origin access control for their origin S3 buckets | cloudfront:ListDistributions |
| 574 | Ensure AWS AppSync GraphQL APIs are not authenticated with API keys | appsync:ListGraphqlApis |
| 575 | Ensure that EFS file systems have automatic backups enabled | elasticfilesystem:DescribeBackupPolicy elasticfilesystem:DescribeFileSystems |
| 576 | Ensure EFS access points enforce a root directory | elasticfilesystem:DescribeAccessPoints |
| 577 | Ensure EFS access points enforce a POSIX user identity | elasticfilesystem:DescribeAccessPoints |
| 578 | Ensure EKS clusters run on the latest supported Kubernetes version | eks:DescribeCluster eks:ListClusters |
| 579 | Ensure that AWS ElastiCache Redis Standalone clusters are not associated with default VPC | elasticache:DescribeCacheClusters elasticache:DescribeCacheSubnetGroups ec2:DescribeVpcs |
| 580 | Ensure that AWS ElastiCache Redis Standalone Clusters are not using their default endpoint ports | elasticache:DescribeCacheClusters |
| 581 | Ensure that AWS ElastiCache Redis standalone clusters have automatic minor version upgrade enabled | elasticache:DescribeCacheClusters |
| 540 | Ensure only the root user of the AWS account is allowed full access to the CMK | kms:DescribeCustomKeyStores kms:ListKeys kms:DescribeKey kms:GetKeyPolicy |
| 566 | Ensure GuardDuty S3 Protection is enabled | guardduty:GetDetector guardduty:ListDetectors |
| 567 | Ensure GuardDuty EKS Audit Log Monitoring is enabled | guardduty:GetDetector guardduty:ListDetectors |
| 568 | Ensure GuardDuty Lambda Protection is enabled | guardduty:GetDetector guardduty:ListDetectors |
| 569 | Ensure GuardDuty Malware Protection for EC2 is enabled | guardduty:GetDetector guardduty:ListDetectors |
| 570 | Ensure GuardDuty RDS Protection is enabled | guardduty:GetDetector guardduty:ListDetectors |
| 571 | Ensure GuardDuty EKS Runtime Monitoring is enabled | guardduty:GetDetector guardduty:ListDetectors |
| 572 | Ensure Amazon Macie is enabled | macie2:GetMacieSession |
| 573 | Ensure Amazon Macie automated sensitive data discovery is enabled | macie2:GetMacieSession |