Last active: August 12, 2024 21:59
All controls in AWS Control Tower #2024-08-13
Name | Behavior | Scope | ap-northeast-1 | ap-northeast-3 | us-east-1
---|---|---|---|---|---
Require any AWS CodeBuild project environment to have logging configured | PROACTIVE | REGIONAL | supported | supported | supported
ECS containers should run as non-privileged | DETECTIVE | REGIONAL | supported | - | supported
Disallow changes to Amazon CloudWatch Logs log groups set up by AWS Control Tower | PREVENTIVE | GLOBAL | - | - | -
Require an Amazon RDS database instance to have minor version upgrades configured | PROACTIVE | REGIONAL | supported | supported | supported
Require any Amazon ECS task definition to specify a user that is not the root | PROACTIVE | REGIONAL | supported | supported | supported
Require an Amazon OpenSearch Service domain to send error logs to Amazon CloudWatch Logs | PROACTIVE | REGIONAL | supported | supported | supported
Require an AWS Private CA certificate to have a single domain name | PROACTIVE | REGIONAL | supported | supported | supported
Require that an AWS KMS customer-managed key (CMK) is configured with key material originating from an external key store (XKS) | PREVENTIVE | GLOBAL | - | - | -
S3 buckets should have event notifications enabled | DETECTIVE | REGIONAL | supported | supported | supported
Require an AWS AppSync GraphQL API cache to have encryption at rest enabled | PROACTIVE | REGIONAL | supported | supported | supported
CodeBuild project environments should have a logging configuration | DETECTIVE | REGIONAL | supported | - | supported
Classic Load Balancer should span multiple Availability Zones | DETECTIVE | REGIONAL | supported | supported | supported
Require an Amazon EBS volume configured through an Amazon EC2 launch template to encrypt data at rest | PROACTIVE | REGIONAL | supported | supported | supported
Enable CloudTrail in all available regions | PREVENTIVE | GLOBAL | - | - | -
Detect whether public access to Amazon RDS database instances is enabled | DETECTIVE | REGIONAL | supported | supported | supported
AWS KMS keys should not be deleted unintentionally | DETECTIVE | REGIONAL | supported | - | supported
Require an Elasticsearch domain to encrypt data at rest | PROACTIVE | REGIONAL | supported | supported | supported
Require an Amazon Redshift cluster to have audit logging configured | PROACTIVE | REGIONAL | supported | supported | supported
Require an Amazon ElastiCache for Redis cluster to have automatic minor version upgrades activated | PROACTIVE | REGIONAL | supported | supported | supported
Require an Amazon EFS volume to have an automated backup plan | PROACTIVE | REGIONAL | supported | supported | supported
Disallow changes to AWS Config aggregation set up by Control Tower | PREVENTIVE | GLOBAL | - | - | -
EFS access points should enforce a user identity | DETECTIVE | REGIONAL | supported | supported | supported
IAM root user access key should not exist | DETECTIVE | REGIONAL | supported | - | supported
Require encryption on all AWS CodeBuild project artifacts | PROACTIVE | REGIONAL | supported | supported | supported
Require that an AWS KMS asymmetric key with RSA key material used for encryption has a key length greater than 2048 bits | PROACTIVE | REGIONAL | supported | supported | supported
ECR repositories should have at least one lifecycle policy configured | DETECTIVE | REGIONAL | supported | supported | supported
Detect whether public write access to Amazon S3 buckets is allowed | DETECTIVE | REGIONAL | supported | supported | supported
Require that Amazon EC2 transit gateways refuse automatic Amazon VPC attachment requests | PROACTIVE | REGIONAL | supported | supported | supported
Amazon Elastic MapReduce cluster master nodes should not have public IP addresses | DETECTIVE | REGIONAL | supported | - | supported
CodeBuild project environment variables should not contain clear text credentials | DETECTIVE | REGIONAL | supported | - | supported
Enable AWS Config in all available regions | PREVENTIVE | GLOBAL | - | - | -
Require an Amazon RDS database instance to have a VPC configuration | PROACTIVE | REGIONAL | supported | supported | supported
Require an Amazon ECS container to run as non-privileged | PROACTIVE | REGIONAL | supported | supported | supported
S3 bucket server access logging should be enabled | DETECTIVE | REGIONAL | supported | supported | supported
Require any AWS Network Firewall firewall policy to have an associated rule group | PROACTIVE | REGIONAL | supported | supported | supported
Require an Amazon CloudWatch log group to be encrypted at rest with an AWS KMS key | PROACTIVE | REGIONAL | supported | supported | supported
Require an Amazon RDS DB parameter group to require Transport Layer Security (TLS) connections for supported engine types | PROACTIVE | REGIONAL | supported | supported | supported
Detect whether Amazon EBS optimization is enabled for Amazon EC2 instances | DETECTIVE | REGIONAL | supported | supported | supported
Require an AWS Lambda function to be in a customer-managed Amazon Virtual Private Cloud (VPC) | PROACTIVE | REGIONAL | supported | supported | supported
RDS cluster snapshots and database snapshots should be encrypted at rest | DETECTIVE | REGIONAL | supported | - | supported
Stopped EC2 instances should be removed after a specified time period | DETECTIVE | REGIONAL | supported | - | supported
Detect whether AWS Systems Manager documents owned by the account are public | DETECTIVE | REGIONAL | supported | supported | supported
Require an Amazon S3 bucket to have versioning enabled | PROACTIVE | REGIONAL | supported | supported | supported
Disallow deletion of AWS Config Aggregation Authorizations created by AWS Control Tower | PREVENTIVE | GLOBAL | - | - | -
Require an AWS CloudTrail trail to have log file validation activated | PROACTIVE | REGIONAL | supported | supported | supported
A WAF Regional rule group should have at least one rule | DETECTIVE | REGIONAL | supported | - | supported
Require an Amazon S3 access point to have a Block Public Access (BPA) configuration with all options set to true | PROACTIVE | REGIONAL | supported | supported | supported
Require an Amazon CloudFront distribution to use SNI to serve HTTPS requests | PROACTIVE | REGIONAL | supported | supported | supported
Require an Amazon Redshift cluster to have a unique database name | PROACTIVE | REGIONAL | supported | supported | supported
Require any Amazon ECS cluster to have container insights activated | PROACTIVE | REGIONAL | supported | supported | supported
Require an Amazon CloudWatch alarm to have an action configured for the alarm state | PROACTIVE | REGIONAL | supported | supported | supported
Application Load Balancer deletion protection should be enabled | DETECTIVE | REGIONAL | supported | - | supported
Require an Amazon CloudWatch alarm to have actions activated | PROACTIVE | REGIONAL | supported | supported | supported
Detect whether replication instances for AWS Database Migration Service are public | DETECTIVE | REGIONAL | supported | supported | supported
Elasticsearch domains should be configured with at least three dedicated master nodes | DETECTIVE | REGIONAL | supported | supported | supported
EKS clusters should run on a supported Kubernetes version | DETECTIVE | REGIONAL | supported | - | supported
S3 buckets should have lifecycle policies configured | DETECTIVE | REGIONAL | supported | supported | supported
Disallow configuration changes to AWS Config | PREVENTIVE | GLOBAL | - | - | -
Require any Amazon SQS queue to have a dead-letter queue configured | PROACTIVE | REGIONAL | supported | supported | supported
Require an AWS Lambda function URL to be configured for access only to principals within your AWS account | PREVENTIVE | GLOBAL | - | - | -
MFA should be enabled for all IAM users that have a console password | DETECTIVE | REGIONAL | supported | supported | supported
Classic Load Balancers with SSL/HTTPS listeners should use a certificate provided by AWS Certificate Manager | DETECTIVE | REGIONAL | supported | - | supported
Require any Amazon CloudFront distributions with Amazon S3 backed origins to have origin access control configured | PROACTIVE | REGIONAL | supported | supported | supported
Detect whether encryption is enabled for Amazon EBS volumes attached to Amazon EC2 instances | DETECTIVE | REGIONAL | supported | - | supported
Require Amazon ECS services not to assign public IP addresses automatically | PROACTIVE | REGIONAL | supported | supported | supported
Require an AWS Database Migration Service (DMS) Endpoint to encrypt connections for source and target endpoints | PROACTIVE | REGIONAL | supported | supported | supported
EC2 instances should use Instance Metadata Service Version 2 (IMDSv2) | DETECTIVE | REGIONAL | supported | - | supported
Network Firewall policies should have at least one rule group associated | DETECTIVE | REGIONAL | supported | supported | supported
Neptune DB clusters should have deletion protection enabled | DETECTIVE | REGIONAL | supported | - | supported
Require an Amazon RDS event notification subscription to have critical database instance events configured | PROACTIVE | REGIONAL | supported | supported | supported
Require an Amazon S3 bucket to have server access logging configured | PROACTIVE | REGIONAL | supported | supported | supported
Require an Amazon S3 bucket to have server-side encryption configured using an AWS KMS key | PROACTIVE | REGIONAL | supported | supported | supported
Disallow changes to AWS IAM roles set up by AWS Control Tower and AWS CloudFormation | PREVENTIVE | GLOBAL | - | - | -
Require an Amazon ElastiCache for Redis replication group to have automatic failover activated | PROACTIVE | REGIONAL | supported | supported | supported
Disallow changes to Amazon SNS subscriptions set up by AWS Control Tower | PREVENTIVE | GLOBAL | - | - | -
RDS automatic minor version upgrades should be enabled | DETECTIVE | REGIONAL | supported | - | supported
Require any Amazon SQS queue to have encryption at rest configured | PROACTIVE | REGIONAL | supported | supported | supported
Require an Amazon OpenSearch Service domain to use fine-grained access control | PROACTIVE | REGIONAL | supported | supported | supported
Require that an Amazon Elastic MapReduce (EMR) security configuration is configured with EBS volume local disk encryption using an AWS KMS key | PROACTIVE | REGIONAL | supported | supported | supported
Disallow creation of access keys for the root user | PREVENTIVE | GLOBAL | - | - | -
Disallow Changes to Bucket Policy for AWS Control Tower Created S3 Buckets in Log Archive | PREVENTIVE | GLOBAL | - | - | -
Require an Amazon OpenSearch Service domain to encrypt data at rest | PROACTIVE | REGIONAL | supported | supported | supported
Require an Amazon CloudFront distribution to have encryption in transit configured | PROACTIVE | REGIONAL | supported | supported | supported
Disallow changes to Amazon SNS set up by AWS Control Tower | PREVENTIVE | GLOBAL | - | - | -
Security groups should only allow unrestricted incoming traffic for authorized ports | DETECTIVE | REGIONAL | supported | - | supported
Detect whether Amazon Redshift clusters are blocked from public access | DETECTIVE | REGIONAL | supported | supported | supported
Require an AWS WAFV2 web ACL to be non-empty | PROACTIVE | REGIONAL | supported | supported | supported
IAM customer managed policies that you create should not allow wildcard actions for services | DETECTIVE | REGIONAL | supported | - | supported
S3 buckets should prohibit public read access | DETECTIVE | REGIONAL | supported | supported | supported
Require an Amazon RDS database instance to have automatic backups configured | PROACTIVE | REGIONAL | supported | supported | supported
Require an Amazon RDS database cluster to export logs to Amazon CloudWatch Logs by means of the EnableCloudwatchLogsExports property | PROACTIVE | REGIONAL | supported | supported | supported
IAM authentication should be configured for RDS clusters | DETECTIVE | REGIONAL | supported | - | supported
Require Amazon RDS database instances to have AWS IAM authentication configured | PROACTIVE | REGIONAL | supported | supported | supported
Require an Amazon CloudFront distribution to have a security policy of TLSv1.2 as a minimum | PROACTIVE | REGIONAL | supported | supported | supported
Disallow internet access for an Amazon VPC instance managed by a customer | PREVENTIVE | GLOBAL | - | - | -
SageMaker notebook instances should be launched in a custom VPC | DETECTIVE | REGIONAL | supported | supported | supported
Classic Load Balancer should be configured with defensive or strictest desync mitigation mode | DETECTIVE | REGIONAL | supported | supported | supported
Require any ELB classic load balancer SSL/HTTPS listener to have a predefined security policy with a strong configuration | PROACTIVE | REGIONAL | supported | supported | supported
Require Amazon API Gateway V2 Websocket and HTTP routes to specify an authorization type | PROACTIVE | REGIONAL | supported | supported | supported
Require an AWS CloudTrail Lake event data store to enable encryption at rest with an AWS KMS key | PROACTIVE | REGIONAL | supported | supported | supported
Require any AWS WAF global rule to have a condition | PROACTIVE | REGIONAL | supported | supported | supported
Require an ELB application or classic load balancer to have logging activated | PROACTIVE | REGIONAL | supported | supported | supported
Require an Amazon EC2 launch template to have IMDSv2 configured | PROACTIVE | REGIONAL | supported | supported | supported
Neptune DB clusters should have IAM database authentication enabled | DETECTIVE | REGIONAL | supported | - | supported
Require an Amazon RDS DB cluster to have a unique administrator username | PROACTIVE | REGIONAL | supported | supported | supported
Require an Amazon RDS database instance or cluster to have enhanced monitoring configured | PROACTIVE | REGIONAL | supported | supported | supported
Require an Amazon MQ ActiveMQ broker to use active/standby deployment mode for high availability | PROACTIVE | REGIONAL | supported | supported | supported
Detect whether an Amazon OpenSearch Service domain is in Amazon VPC | DETECTIVE | REGIONAL | supported | supported | supported
A WAF Regional rule should have at least one condition | DETECTIVE | REGIONAL | supported | supported | supported
RDS instances should not use a database engine default port | DETECTIVE | REGIONAL | supported | supported | supported
Detect whether Amazon EBS snapshots are restorable by all AWS accounts | DETECTIVE | REGIONAL | supported | supported | supported
Require an Amazon MQ Rabbit MQ broker to use Multi-AZ cluster mode for high availability | PROACTIVE | REGIONAL | supported | supported | supported
Require an AWS Lambda layer permission to grant access to an AWS organization or specific AWS account | PROACTIVE | REGIONAL | supported | supported | supported
S3 Block Public Access setting should be enabled | DETECTIVE | REGIONAL | supported | supported | supported
API Gateway REST API stages should have AWS X-Ray tracing enabled | DETECTIVE | REGIONAL | supported | - | supported
Require Amazon EC2 launch templates to have Amazon CloudWatch detailed monitoring activated | PROACTIVE | REGIONAL | supported | supported | supported
Require an Amazon OpenSearch Service domain to send audit logs to Amazon CloudWatch Logs | PROACTIVE | REGIONAL | supported | supported | supported
ECS task definitions should not share the host's process namespace | DETECTIVE | REGIONAL | supported | - | supported
Access logging should be configured for API Gateway V2 Stages | DETECTIVE | REGIONAL | supported | supported | supported
Require an Amazon EC2 fleet to override only those launch templates with AWS Nitro instance types | PROACTIVE | REGIONAL | supported | supported | supported
Detect whether Amazon EBS volumes are attached to Amazon EC2 instances | DETECTIVE | REGIONAL | supported | supported | supported
Require an Amazon CloudFront distribution to have origin failover configured | PROACTIVE | REGIONAL | supported | supported | supported
Require any Amazon EC2 launch template not to auto-assign public IP addresses to network interfaces | PROACTIVE | REGIONAL | supported | supported | supported
Require that Amazon EC2 launch templates restrict the token hop limit to a maximum of one | PROACTIVE | REGIONAL | supported | supported | supported
Require an Elasticsearch domain to have zone awareness and at least three data nodes | PROACTIVE | REGIONAL | supported | supported | supported
Elasticsearch domains should have at least three data nodes | DETECTIVE | REGIONAL | supported | supported | supported
Secrets Manager secrets should have automatic rotation enabled | DETECTIVE | REGIONAL | supported | - | supported
An RDS event notifications subscription should be configured for critical database parameter group events | DETECTIVE | REGIONAL | supported | supported | supported
API Gateway REST API cache data should be encrypted at rest | DETECTIVE | REGIONAL | supported | supported | supported
Require an Amazon EC2 dedicated host to use an AWS Nitro instance type | PROACTIVE | REGIONAL | supported | supported | supported
Require an Amazon Neptune DB cluster to have deletion protection enabled | PROACTIVE | REGIONAL | supported | supported | supported
The VPC default security group should not allow inbound and outbound traffic | DETECTIVE | REGIONAL | supported | supported | supported
Require any classic load balancer SSL/HTTPS listener to have a certificate provided by AWS Certificate Manager | PROACTIVE | REGIONAL | supported | supported | supported
EKS cluster endpoints should not be publicly accessible | DETECTIVE | REGIONAL | supported | - | supported
Require that Amazon EBS direct APIs are not called | PREVENTIVE | GLOBAL | - | - | -
Require AWS Lambda function policies to prohibit public access | PROACTIVE | REGIONAL | supported | supported | supported
Require an Amazon GuardDuty detector to have Amazon S3 protection activated | PROACTIVE | REGIONAL | supported | supported | supported
Require that an AWS KMS key is configured with the bypass policy lockout safety check enabled | PREVENTIVE | GLOBAL | - | - | -
OpenSearch domains should have audit logging enabled | DETECTIVE | REGIONAL | supported | - | supported
Require Amazon ECR private repositories to have tag immutability enabled | PROACTIVE | REGIONAL | supported | supported | supported
Require an Amazon RDS DB Proxy to require Transport Layer Security (TLS) connections | PROACTIVE | REGIONAL | supported | supported | supported
Require an Amazon RDS database instance to copy tags to snapshots | PROACTIVE | REGIONAL | supported | supported | supported
Require any classic load balancer to have multiple Availability Zones configured | PROACTIVE | REGIONAL | supported | supported | supported
Detect whether Amazon S3 settings to block public access are set as true for the account | DETECTIVE | REGIONAL | supported | supported | supported
Require that AWS Identity and Access Management (IAM) customer-managed policies do not have wildcard service actions | PROACTIVE | REGIONAL | supported | supported | supported
Auto Scaling groups should use multiple instance types in multiple Availability Zones | DETECTIVE | REGIONAL | supported | supported | supported
Detect whether unrestricted incoming TCP traffic is allowed | DETECTIVE | REGIONAL | supported | supported | supported
S3 buckets should require requests to use Secure Socket Layer | DETECTIVE | REGIONAL | supported | supported | supported
Require an AWS KMS key policy to have a statement that limits creation of AWS KMS grants to AWS services | PREVENTIVE | GLOBAL | - | - | -
Require an Amazon Redshift cluster to have automatic snapshots configured | PROACTIVE | REGIONAL | supported | supported | supported
RDS DB instances should be configured with multiple Availability Zones | DETECTIVE | REGIONAL | supported | supported | supported
ECR private repositories should have tag immutability configured | DETECTIVE | REGIONAL | supported | - | supported
Require an Amazon OpenSearch Service domain to use a minimum TLS version of TLSv1.2 | PROACTIVE | REGIONAL | supported | supported | supported
ElastiCache replication groups of earlier Redis versions should have Redis AUTH enabled | DETECTIVE | REGIONAL | supported | supported | -
Require any AWS WAF global web ACL to have a rule or rule group | PROACTIVE | REGIONAL | supported | supported | supported
Require any Amazon Kinesis data stream to have encryption at rest configured | PROACTIVE | REGIONAL | supported | supported | supported
Require an Amazon EC2 instance to use an AWS Nitro instance type when creating from the 'AWS::EC2::LaunchTemplate' resource type | PROACTIVE | REGIONAL | supported | supported | supported
Require that application load balancer deletion protection is activated | PROACTIVE | REGIONAL | supported | supported | supported
Detect whether public read access to Amazon S3 buckets is allowed | DETECTIVE | REGIONAL | supported | supported | supported
Require an Amazon CloudFront distribution to have a default root object configured | PROACTIVE | REGIONAL | supported | supported | supported
Disallow the use of Amazon EC2 VM import and export | PREVENTIVE | GLOBAL | - | - | -
Require an Amazon RDS database cluster to have backtracking configured | PROACTIVE | REGIONAL | supported | supported | supported
Require that an Amazon Elastic MapReduce (EMR) security configuration is configured to encrypt data in transit | PROACTIVE | REGIONAL | supported | supported | supported
Require Amazon SageMaker notebook instances to have root access disallowed | PROACTIVE | REGIONAL | supported | supported | supported
CodeBuild GitHub or Bitbucket source repository URLs should use OAuth | DETECTIVE | REGIONAL | supported | - | supported
OpenSearch domain error logging to CloudWatch Logs should be enabled | DETECTIVE | REGIONAL | supported | - | supported
Require an AWS WAFV2 rule group to be non-empty | PROACTIVE | REGIONAL | supported | supported | supported
Detect public write access setting for log archive | DETECTIVE | REGIONAL | supported | supported | supported
Require an Amazon EKS cluster to be configured with secret encryption using AWS Key Management Service (KMS) keys | PROACTIVE | REGIONAL | supported | supported | supported
EC2 Auto Scaling groups should use EC2 launch templates | DETECTIVE | REGIONAL | supported | supported | supported
Disallow Changes to Bucket Policy for Amazon S3 Buckets | PREVENTIVE | GLOBAL | - | - | -
EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT | DETECTIVE | REGIONAL | supported | - | supported
Disallow changes to AWS Lambda functions set up by AWS Control Tower | PREVENTIVE | GLOBAL | - | - | -
Require any application load balancer listener default actions to redirect all HTTP requests to HTTPS | PROACTIVE | REGIONAL | supported | supported | supported
Require an Amazon CloudFront distribution to use custom SSL/TLS certificates | PROACTIVE | REGIONAL | supported | supported | supported
ECS clusters should use Container Insights | DETECTIVE | REGIONAL | supported | - | supported
Require that an AWS ELB application or classic load balancer listener is configured with HTTPS or TLS termination | PROACTIVE | REGIONAL | supported | supported | supported
Disallow actions as a root user | PREVENTIVE | GLOBAL | - | - | -
Detect whether MFA for the root user is enabled | DETECTIVE | REGIONAL | supported | supported | supported
Require an AWS Network Firewall firewall to be deployed across multiple Availability Zones | PROACTIVE | REGIONAL | supported | supported | supported
Require an Amazon EFS file system to encrypt file data at rest using AWS KMS | PROACTIVE | REGIONAL | supported | supported | supported
Require any AWS WAF regional web access control list (ACL) to have a rule or rule group | PROACTIVE | REGIONAL | supported | supported | supported
Require an Amazon Redshift cluster to be encrypted | PROACTIVE | REGIONAL | supported | supported | supported
Require an Amazon EBS volume configured through an Amazon EC2 Auto Scaling launch configuration to encrypt data at rest | PROACTIVE | REGIONAL | supported | supported | supported
RDS DB clusters should be encrypted at rest | DETECTIVE | REGIONAL | supported | supported | supported
Detect whether an Amazon EKS endpoint is blocked from public access | DETECTIVE | REGIONAL | supported | supported | supported
IAM customer managed policies should not allow decryption actions on all KMS keys | DETECTIVE | REGIONAL | supported | - | supported
Require Amazon ECS containers to allow read-only access to the root filesystem | PROACTIVE | REGIONAL | supported | supported | supported
Require an Amazon CloudFront distribution to encrypt traffic to custom origins | PROACTIVE | REGIONAL | supported | supported | supported
Require that an Amazon RDS database instance is configured with multiple Availability Zones | PROACTIVE | REGIONAL | supported | supported | supported
Require an AWS Glue job to have an associated security configuration | PROACTIVE | REGIONAL | supported | supported | supported
Require that AWS Identity and Access Management (IAM) customer-managed policies do not contain a statement that includes "*" in the Action and Resource elements | PROACTIVE | REGIONAL | supported | supported | supported
Classic Load Balancer listeners should be configured with HTTPS or TLS termination | DETECTIVE | REGIONAL | supported | - | supported
Deny access to AWS based on the requested AWS Region for an organizational unit | PREVENTIVE | GLOBAL | - | - | -
Require that any application load balancer must be configured to drop HTTP headers | PROACTIVE | REGIONAL | supported | supported | supported
RDS DB instances should publish logs to CloudWatch Logs | DETECTIVE | REGIONAL | supported | - | supported
Disallow changes to AWS Config Rules set up by AWS Control Tower | PREVENTIVE | GLOBAL | - | - | -
Require an Amazon RDS database instance not to use a database engine default port | PROACTIVE | REGIONAL | supported | supported | supported
Require an Amazon API Gateway REST API stage to have AWS X-Ray tracing activated | PROACTIVE | REGIONAL | supported | supported | supported
ActiveMQ brokers should use active/standby deployment mode | DETECTIVE | REGIONAL | supported | supported | supported
Enhanced monitoring should be configured for RDS DB instances | DETECTIVE | REGIONAL | supported | - | supported
Application Load Balancer should be configured with defensive or strictest desync mitigation mode | DETECTIVE | REGIONAL | supported | supported | supported
Require an AWS Lambda function URL to use AWS IAM-based authentication | PROACTIVE | REGIONAL | supported | supported | supported
Require an Amazon RDS database instance to not be publicly accessible | PROACTIVE | REGIONAL | supported | supported | supported
Require an Amazon ElastiCache cache cluster to use a custom subnet group | PROACTIVE | REGIONAL | supported | supported | supported
Require OAuth on GitHub or Bitbucket source repository URLs for AWS CodeBuild projects | PROACTIVE | REGIONAL | supported | supported | supported
RDS DB instances should be configured to copy tags to snapshots | DETECTIVE | REGIONAL | supported | supported | supported
Require an Amazon RDS event subscription to have critical cluster events configured | PROACTIVE | REGIONAL | supported | supported | supported
Enable integrity validation for CloudTrail log file | PREVENTIVE | GLOBAL | - | - | -
Disallow delete actions on S3 buckets without MFA | PREVENTIVE | GLOBAL | - | - | -
Stateless network firewall rule group should not be empty | DETECTIVE | REGIONAL | supported | supported | supported
Unused IAM user credentials should be removed | DETECTIVE | REGIONAL | supported | supported | supported
DynamoDB tables should automatically scale capacity with demand | DETECTIVE | REGIONAL | supported | supported | supported
Require that an Amazon Redshift cluster parameter group is configured to use Secure Sockets Layer (SSL) for encryption of data in transit | PROACTIVE | REGIONAL | supported | supported | supported
Require an Amazon RDS database cluster to copy tags to snapshots | PROACTIVE | REGIONAL | supported | supported | supported
CloudTrail log file validation should be enabled | DETECTIVE | REGIONAL | supported | supported | supported
Connections to OpenSearch domains should be encrypted using the latest TLS security policy | DETECTIVE | REGIONAL | supported | - | supported
Require that an Amazon Elastic MapReduce (EMR) security configuration is configured to encrypt data at rest in Amazon S3 with an AWS KMS key | PROACTIVE | REGIONAL | supported | supported | supported
Require an AWS AppSync GraphQL API cache to have encryption in transit enabled | PROACTIVE | REGIONAL | supported | supported | supported
Secrets Manager secrets configured with automatic rotation should rotate successfully | DETECTIVE | REGIONAL | supported | - | supported
Require an AWS CloudTrail trail to have encryption at rest activated | PROACTIVE | REGIONAL | supported | supported | supported
Deny access to AWS based on the requested AWS Region for the landing zone | PREVENTIVE | GLOBAL | - | - | -
Amazon Redshift clusters should have audit logging enabled | DETECTIVE | REGIONAL | supported | supported | supported
Amazon EFS volumes should be in backup plans | DETECTIVE | REGIONAL | supported | - | supported
EBS default encryption should be enabled | DETECTIVE | REGIONAL | supported | - | supported
OpenSearch domains should encrypt data sent between nodes | DETECTIVE | REGIONAL | supported | - | supported
Require an Amazon ElastiCache for Redis replication group to have encryption in transit activated | PROACTIVE | REGIONAL | supported | supported | supported
Classic Load Balancers should have cross-zone load balancing enabled | DETECTIVE | REGIONAL | supported | - | supported
Amazon Redshift clusters should not use the default Admin username | DETECTIVE | REGIONAL | supported | supported | supported
Require Amazon ECR repositories to have a lifecycle policy configured | PROACTIVE | REGIONAL | supported | supported | supported
Require that an AWS Identity and Access Management (IAM) user does not have an inline or managed policy attached | PROACTIVE | REGIONAL | supported | supported | supported
Users should not have root access to SageMaker notebook instances | DETECTIVE | REGIONAL | supported | supported | supported
Amazon SageMaker notebook instances should not have direct internet access | DETECTIVE | REGIONAL | supported | - | supported
EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation | DETECTIVE | REGIONAL | supported | - | supported
An RDS event notifications subscription should be configured for critical cluster events | DETECTIVE | REGIONAL | supported | supported | supported
OpenSearch domains should be in a VPC | DETECTIVE | REGIONAL | supported | - | supported
Disallow cross-region networking for Amazon EC2, Amazon CloudFront, and AWS Global Accelerator | PREVENTIVE | GLOBAL | - | - | -
Application, Network and Gateway Load Balancers should span multiple Availability Zones | DETECTIVE | REGIONAL | supported | supported | supported
GuardDuty should be enabled | DETECTIVE | REGIONAL | supported | - | supported
Elasticsearch domains should encrypt data sent between nodes | DETECTIVE | REGIONAL | supported | - | supported
Require Amazon EFS access points to have a root directory | PROACTIVE | REGIONAL | supported | supported | supported
Require that an AWS Identity and Access Management (IAM) inline policy does not have a statement that includes "*" in the Action and Resource elements | PROACTIVE | REGIONAL | supported | supported | supported
Require that application and network load balancer access logging is activated | PROACTIVE | REGIONAL | supported | supported | supported
VPC flow logging should be enabled in all VPCs | DETECTIVE | REGIONAL | supported | supported | supported
Require an Amazon API Gateway REST domain to use a security policy that specifies a minimum TLS protocol version of TLSv1.2 | PROACTIVE | REGIONAL | supported | supported | supported
Require an AWS AppSync GraphQL API to be configured with private visibility | PROACTIVE | REGIONAL | supported | supported | supported
Require an Amazon API Gateway V2 stage to have access logging activated | PROACTIVE | REGIONAL | supported | supported | supported
Require any AWS KMS key to have rotation configured | PROACTIVE | REGIONAL | supported | supported | supported
Amazon EC2 Auto Scaling group should cover multiple Availability Zones | DETECTIVE | REGIONAL | supported | supported | supported
Require an Amazon EC2 instance to have detailed monitoring enabled | PROACTIVE | REGIONAL | supported | supported | supported | |
Require an Amazon Managed Streaming for Apache Kafka (MSK) cluster to enforce encryption in transit between cluster broker nodes | PROACTIVE | REGIONAL | supported | supported | supported | |
Connections to Elasticsearch domains should be encrypted using the latest TLS security policy | DETECTIVE | REGIONAL | supported | supported | supported | |
EFS access points should enforce a root directory | DETECTIVE | REGIONAL | supported | supported | supported | |
Detect whether public IP addresses for Amazon EC2 Auto Scaling are enabled through launch configurations | DETECTIVE | REGIONAL | supported | - | supported | |
IAM policies should not allow full "*" administrative privileges | DETECTIVE | REGIONAL | supported | supported | supported | |
Require an Elasticsearch domain to encrypt data sent between nodes | PROACTIVE | REGIONAL | supported | supported | supported | |
Hardware MFA should be enabled for the root user | DETECTIVE | REGIONAL | supported | supported | supported | |
Application Load Balancer should be configured to redirect all HTTP requests to HTTPS | DETECTIVE | REGIONAL | supported | - | supported | |
DynamoDB tables should have point-in-time recovery enabled | DETECTIVE | REGIONAL | supported | - | supported | |
Lambda function policies should prohibit public access | DETECTIVE | REGIONAL | supported | - | supported | |
Disallow changes to replication configuration for Amazon S3 buckets | PREVENTIVE | GLOBAL | - | - | - | |
RDS DB Instances should prohibit public access, as determined by the PubliclyAccessible configuration | DETECTIVE | REGIONAL | supported | supported | supported | |
Require an Amazon EC2 Auto Scaling group to use only AWS Nitro instance types when overriding a launch template | PROACTIVE | REGIONAL | supported | supported | supported | |
Detect whether an account has AWS CloudTrail or CloudTrail Lake enabled | DETECTIVE | REGIONAL | supported | supported | supported | |
Require an Amazon RDS database cluster to have encryption at rest configured | PROACTIVE | REGIONAL | supported | supported | supported | |
OpenSearch domains should have fine-grained access control enabled | DETECTIVE | REGIONAL | supported | - | supported | |
EC2 instances should be managed by AWS Systems Manager | DETECTIVE | REGIONAL | supported | supported | supported | |
Neptune DB clusters should publish audit logs to CloudWatch Logs | DETECTIVE | REGIONAL | supported | - | supported | |
Require that AWS Identity and Access Management (IAM) inline policies do not have wildcard service actions | PROACTIVE | REGIONAL | supported | supported | supported | |
Disallow Changes to Lifecycle Configuration for Amazon S3 Buckets | PREVENTIVE | GLOBAL | - | - | - | |
Require an Amazon RDS database instance to have encryption at rest configured | PROACTIVE | REGIONAL | supported | supported | supported | |
Redshift clusters should use enhanced VPC routing | DETECTIVE | REGIONAL | supported | - | supported | |
Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389 | DETECTIVE | REGIONAL | supported | supported | supported | |
Require any Amazon ELB application or network load balancer to have an AWS Certificate Manager certificate | PROACTIVE | REGIONAL | supported | supported | supported | |
Require an Amazon S3 bucket to have lifecycle policies configured | PROACTIVE | REGIONAL | supported | supported | supported | |
Require an Amazon EC2 instance to set AssociatePublicIpAddress to false on a new network interface created by means of the NetworkInterfaces property in the AWS::EC2::Instance resource | PROACTIVE | REGIONAL | supported | supported | supported | |
Require that an AWS KMS customer-managed key (CMK) is configured with imported key material | PREVENTIVE | GLOBAL | - | - | - | |
Require an Amazon ElastiCache replication group of earlier Redis versions to have Redis AUTH activated | PROACTIVE | REGIONAL | supported | supported | supported | |
Require that a public AWS DMS replication instance is not public | PROACTIVE | REGIONAL | supported | supported | supported | |
A WAFV2 web ACL should have at least one rule or rule group | DETECTIVE | REGIONAL | supported | - | supported | |
Require an Amazon EC2 Auto Scaling group to have multiple Availability Zones | PROACTIVE | REGIONAL | supported | supported | supported | |
Require Amazon SageMaker notebook instances to be deployed within a custom Amazon VPC | PROACTIVE | REGIONAL | supported | supported | supported | |
Require an Amazon RDS cluster not be configured to be publicly accessible by means of the 'PubliclyAccessible' property | PROACTIVE | REGIONAL | supported | supported | supported | |
S3 buckets should prohibit public write access | DETECTIVE | REGIONAL | supported | supported | supported | |
Require that an Amazon API Gateway REST API stage has encryption at rest configured for cache data | PROACTIVE | REGIONAL | supported | supported | supported | |
RDS instances should be deployed in a VPC | DETECTIVE | REGIONAL | supported | supported | supported | |
Require an Amazon DocumentDB cluster to be encrypted at rest | PROACTIVE | REGIONAL | supported | supported | supported | |
Disallow changes to Amazon CloudWatch set up by AWS Control Tower | PREVENTIVE | GLOBAL | - | - | - | |
CodeBuild S3 logs should be encrypted | DETECTIVE | REGIONAL | supported | - | supported | |
EBS snapshots should not be publicly restorable | DETECTIVE | REGIONAL | supported | - | supported | |
Require an Amazon ElastiCache replication group of later Redis versions to have RBAC authentication activated | PROACTIVE | REGIONAL | supported | supported | supported | |
Detect whether any Amazon EC2 instance has an associated public IPv4 address | DETECTIVE | REGIONAL | supported | - | supported | |
S3 permissions granted to other AWS accounts in bucket policies should be restricted | DETECTIVE | REGIONAL | supported | supported | supported | |
Require an Amazon RDS database instance to have a unique administrator username | PROACTIVE | REGIONAL | supported | supported | supported | |
ECS containers should be limited to read-only access to root filesystems | DETECTIVE | REGIONAL | supported | supported | supported | |
Require that an Amazon Elastic MapReduce (EMR) security configuration is configured to encrypt data at rest in Amazon S3 | PROACTIVE | REGIONAL | supported | supported | supported | |
Amazon Redshift clusters should prohibit public access | DETECTIVE | REGIONAL | supported | - | supported | |
Require an Amazon S3 bucket to have block public access settings configured | PROACTIVE | REGIONAL | supported | supported | supported | |
Require an Amazon EC2 Auto Scaling group launch configuration to configure Amazon EC2 instances for IMDSv2 | PROACTIVE | REGIONAL | supported | supported | supported | |
Require that any Amazon EC2 security group rule does not use the source IP range 0.0.0.0/0 or ::/0 for ports other than 80 and 443 | PROACTIVE | REGIONAL | supported | supported | supported | |
Require Amazon EFS access points to enforce a user identity | PROACTIVE | REGIONAL | supported | supported | supported | |
AWS AppSync GraphQL APIs should not be authenticated with API keys | DETECTIVE | REGIONAL | supported | supported | supported | |
Require an AWS Step Functions state machine to have logging activated | PROACTIVE | REGIONAL | supported | supported | supported | |
Require encryption at rest for all Amazon DynamoDB Accelerator (DAX) clusters | PROACTIVE | REGIONAL | supported | supported | supported | |
Elasticsearch domains should have encryption at-rest enabled | DETECTIVE | REGIONAL | supported | - | supported | |
Neptune DB clusters should be encrypted at rest | DETECTIVE | REGIONAL | supported | - | supported | |
Neptune DB cluster snapshots should be encrypted at rest | DETECTIVE | REGIONAL | supported | - | supported | |
Remove unused Secrets Manager secrets | DETECTIVE | REGIONAL | supported | - | supported | |
Require that an AWS AppSync GraphQL API is not authenticated with API keys | PROACTIVE | REGIONAL | supported | supported | supported | |
Require an Amazon DAX cluster to deploy nodes to at least three Availability Zones | PROACTIVE | REGIONAL | supported | supported | supported | |
Disallow Changes to Encryption Configuration for Amazon S3 Buckets | PREVENTIVE | GLOBAL | - | - | - | |
ElastiCache replication groups should have encryption-in-transit enabled | DETECTIVE | REGIONAL | supported | supported | - | |
Require an Amazon ECS task definition to have a specific memory usage limit | PROACTIVE | REGIONAL | supported | supported | supported | |
RDS DB clusters should be configured for multiple Availability Zones | DETECTIVE | REGIONAL | supported | - | supported | |
S3 Block Public Access setting should be enabled at the bucket-level | DETECTIVE | REGIONAL | supported | - | supported | |
Disallow changes to lifecycle configuration for AWS Control Tower created Amazon S3 buckets in log archive | PREVENTIVE | GLOBAL | - | - | - | |
Require an AWS Lambda function URL to use AWS IAM-based authentication | PREVENTIVE | GLOBAL | - | - | - | |
Detect whether any Amazon EMR cluster master nodes have public IP addresses | DETECTIVE | REGIONAL | supported | - | supported | |
VPC Lambda functions should operate in more than one Availability Zone | DETECTIVE | REGIONAL | supported | - | supported | |
Disallow management of resource types, modules, and hooks within the AWS CloudFormation registry | PREVENTIVE | GLOBAL | - | - | - | |
Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible | DETECTIVE | REGIONAL | supported | supported | supported | |
Require an Amazon RDS database instance to export logs to Amazon CloudWatch Logs by means of the EnableCloudwatchLogsExports property | PROACTIVE | REGIONAL | supported | supported | supported | |
Require that an Elastic Load Balancing v2 target group does not explicitly disable cross-zone load balancing | PROACTIVE | REGIONAL | supported | supported | supported | |
CloudTrail should have encryption at-rest enabled | DETECTIVE | REGIONAL | supported | supported | supported | |
Require an Amazon CloudWatch log group to be retained for at least one year | PROACTIVE | REGIONAL | supported | supported | supported | |
Security groups should not allow unrestricted access to ports with high risk | DETECTIVE | REGIONAL | supported | supported | supported | |
Require AWS Elastic Beanstalk environments to have enhanced health reporting enabled | PROACTIVE | REGIONAL | supported | supported | supported | |
Require an Amazon DocumentDB cluster to have a backup retention period greater than or equal to seven days | PROACTIVE | REGIONAL | supported | supported | supported | |
Require an Amazon Neptune DB cluster to set a backup retention period greater than or equal to seven days | PROACTIVE | REGIONAL | supported | supported | supported | |
Require that an attached Amazon EBS volume is configured to encrypt data at rest | PREVENTIVE | GLOBAL | - | - | - | |
Require that point-in-time recovery for an Amazon DynamoDB table is activated | PROACTIVE | REGIONAL | supported | supported | supported | |
Require any AWS Network Firewall firewall policy to drop or forward fragmented packets by default when they do not match a stateless rule | PROACTIVE | REGIONAL | supported | supported | supported | |
Neptune DB cluster snapshots should not be public | DETECTIVE | REGIONAL | supported | - | supported | |
Require Amazon ECS task definitions to have secure networking modes and user definitions | PROACTIVE | REGIONAL | supported | supported | supported | |
Attached EBS volumes should be encrypted at-rest | DETECTIVE | REGIONAL | supported | - | supported | |
Require an Amazon EBS snapshot to be created from an encrypted EC2 volume | PREVENTIVE | GLOBAL | - | - | - | |
Require an Elasticsearch domain to be created in a user-specified Amazon VPC | PROACTIVE | REGIONAL | supported | supported | supported | |
Detect whether an Amazon SageMaker notebook instance allows direct internet access | DETECTIVE | REGIONAL | supported | - | supported | |
Require an Amazon EC2 instance to specify at most one network interface by means of the NetworkInterfaces property in the AWS::EC2::Instance resource | PROACTIVE | REGIONAL | supported | supported | supported | |
Disallow Changes to Logging Configuration for Amazon S3 Buckets | PREVENTIVE | GLOBAL | - | - | - | |
Elastic Beanstalk environments should have enhanced health reporting enabled | DETECTIVE | REGIONAL | supported | - | supported | |
Connections to Amazon Redshift clusters should be encrypted in transit | DETECTIVE | REGIONAL | supported | - | supported | |
Require an Amazon EC2 Auto Scaling group to have EC2 launch templates configured | PROACTIVE | REGIONAL | supported | supported | supported | |
Require an Amazon OpenSearch Service domain to have zone awareness and at least three data nodes | PROACTIVE | REGIONAL | supported | supported | supported | |
The default stateless action for Network Firewall policies should be drop or forward for fragmented packets | DETECTIVE | REGIONAL | supported | supported | supported | |
Both VPN tunnels for an AWS Site-to-Site VPN connection should be up | DETECTIVE | REGIONAL | supported | - | supported | |
Require an AWS Elastic Beanstalk environment to have a logging configuration | PROACTIVE | REGIONAL | supported | supported | supported | |
Detect whether the AWS Lambda function policy attached to the Lambda resource blocks public access | DETECTIVE | REGIONAL | supported | supported | supported | |
Require any Amazon CloudFront distribution to have logging enabled | PROACTIVE | REGIONAL | supported | supported | supported | |
Detect whether versioning for Amazon S3 buckets is enabled | DETECTIVE | REGIONAL | supported | supported | supported | |
Require encryption on all Amazon S3 logs for AWS CodeBuild projects | PROACTIVE | REGIONAL | supported | supported | supported | |
Require that an Amazon EC2 Auto Scaling group launch configuration does not have Amazon EC2 instances with public IP addresses | PROACTIVE | REGIONAL | supported | supported | supported | |
Require that Amazon ECS task definitions do not pass secrets as container environment variables | PROACTIVE | REGIONAL | supported | supported | supported | |
IAM users' access keys should be rotated every 90 days or less | DETECTIVE | REGIONAL | supported | supported | supported | |
Neptune DB clusters should be configured to copy tags to snapshots | DETECTIVE | REGIONAL | supported | - | supported | |
Require any Amazon RDS instance to have deletion protection configured | PROACTIVE | REGIONAL | supported | supported | supported | |
API Gateway REST API stages should be configured to use SSL certificates for backend authentication | DETECTIVE | REGIONAL | supported | - | supported | |
Require an EC2 instance to use an AWS Nitro instance type that supports encryption in-transit between instances when created using the AWS::EC2::Instance resource type | PROACTIVE | REGIONAL | supported | supported | supported | |
Detect whether storage encryption is enabled for Amazon RDS database instances | DETECTIVE | REGIONAL | supported | supported | supported | |
Disallow the use of deprecated Amazon EC2 RequestSpotFleet and RequestSpotInstances API actions | PREVENTIVE | GLOBAL | - | - | - | |
Require Amazon ECR private repositories to have image scanning enabled | PROACTIVE | REGIONAL | supported | supported | supported | |
IAM authentication should be configured for RDS instances | DETECTIVE | REGIONAL | supported | - | supported | |
Require an active Amazon ECS task definition to have a logging configuration | PROACTIVE | REGIONAL | supported | supported | supported | |
Require any Amazon EC2 network ACL to prevent ingress from 0.0.0.0/0 to port 22 or port 3389 | PROACTIVE | REGIONAL | supported | supported | supported | |
EventBridge custom event buses should have a resource-based policy attached | DETECTIVE | REGIONAL | supported | supported | supported | |
Require an Amazon Redshift cluster to have a unique administrator username | PROACTIVE | REGIONAL | supported | supported | supported | |
An RDS event notifications subscription should be configured for critical database instance events | DETECTIVE | REGIONAL | supported | supported | supported | |
Database Migration Service replication instances should not be public | DETECTIVE | REGIONAL | supported | - | supported | |
Detect whether MFA is enabled for AWS IAM users | DETECTIVE | REGIONAL | supported | supported | supported | |
Require an Amazon EC2 instance to use an AWS Nitro instance type when created using the 'AWS::EC2::Instance' resource type | PROACTIVE | REGIONAL | supported | supported | supported | |
Detect whether MFA is enabled for AWS IAM users of the AWS Console | DETECTIVE | REGIONAL | supported | supported | supported | |
CloudTrail trails should be integrated with Amazon CloudWatch Logs | DETECTIVE | REGIONAL | supported | supported | supported | |
Application Load Balancer should be configured to drop HTTP headers | DETECTIVE | REGIONAL | supported | - | supported | |
Require any AWS Network Firewall rule group to contain at least one rule | PROACTIVE | REGIONAL | supported | supported | supported | |
Require a Network Load Balancer to have cross-zone load balancing activated | PROACTIVE | REGIONAL | supported | supported | supported | |
Require an Elasticsearch Service domain to use a minimum TLS version of TLSv1.2 | PROACTIVE | REGIONAL | supported | supported | supported | |
IAM users should not have IAM policies attached | DETECTIVE | REGIONAL | supported | supported | supported | |
API Gateway routes should specify an authorization type | DETECTIVE | REGIONAL | supported | supported | supported | |
Detect whether any Amazon VPC subnets are assigned a public IP address | DETECTIVE | REGIONAL | supported | - | supported | |
Require an Amazon Athena workgroup to encrypt Athena query results at rest with an AWS Key Management Service (KMS) key | PROACTIVE | REGIONAL | supported | supported | supported | |
Require any AWS Network Firewall firewall policy to drop or forward stateless full packets by default when they do not match a rule | PROACTIVE | REGIONAL | supported | supported | supported | |
Require that Amazon S3 buckets request to use Secure Socket Layer | PROACTIVE | REGIONAL | supported | supported | supported | |
Detect whether public access to Amazon RDS database snapshots is enabled | DETECTIVE | REGIONAL | supported | supported | supported | |
Require any AWS CodeBuild project environment variable to encrypt credentials in environment variables | PROACTIVE | REGIONAL | supported | supported | supported | |
Detect whether public routes exist in the route table for an Internet Gateway (IGW) | DETECTIVE | REGIONAL | supported | - | supported | |
Require an Amazon DAX cluster to encrypt data in transit with Transport Layer Security (TLS) | PROACTIVE | REGIONAL | supported | supported | supported | |
Require an Elasticsearch domain to send error logs to Amazon CloudWatch Logs | PROACTIVE | REGIONAL | supported | supported | supported | |
Require that an Amazon S3 bucket does not manage user access with an access control list (ACL) | PROACTIVE | REGIONAL | supported | supported | supported | |
Require an Amazon Neptune DB cluster to have storage encryption enabled | PROACTIVE | REGIONAL | supported | supported | supported | |
Elasticsearch domains should be in a VPC | DETECTIVE | REGIONAL | supported | - | supported | |
S3 access control lists (ACLs) should not be used to manage user access to buckets | DETECTIVE | REGIONAL | supported | supported | supported | |
Require an Amazon Neptune DB cluster to have AWS Identity and Access Management (IAM) database authentication enabled | PROACTIVE | REGIONAL | supported | supported | supported | |
MSK clusters should be encrypted in transit among broker nodes | DETECTIVE | REGIONAL | supported | supported | supported | |
Require an AWS CloudTrail trail to have an Amazon CloudWatch log group configuration | PROACTIVE | REGIONAL | supported | supported | supported | |
Require an Amazon Redshift cluster to have enhanced VPC routing | PROACTIVE | REGIONAL | supported | supported | supported | |
Require an Amazon S3 bucket to have versioning configured and a lifecycle policy | PROACTIVE | REGIONAL | supported | supported | supported | |
Redshift clusters should be encrypted at rest | DETECTIVE | REGIONAL | supported | - | supported | |
Amazon Redshift should have automatic upgrades to major versions enabled | DETECTIVE | REGIONAL | supported | supported | supported | |
Require an AWS AppSync GraphQL API to be configured with private visibility | PREVENTIVE | GLOBAL | - | - | - | |
Require Amazon ECS tasks to use 'awsvpc' networking mode | PROACTIVE | REGIONAL | supported | supported | supported | |
Require that an Amazon RDS instance does not create DB security groups | PROACTIVE | REGIONAL | supported | supported | supported | |
Require any Amazon EC2 Auto Scaling groups to use multiple instance types | PROACTIVE | REGIONAL | supported | supported | supported | |
Disallow configuration changes to CloudTrail | PREVENTIVE | GLOBAL | - | - | - | |
Require that an AWS KMS asymmetric key with RSA key material used for encryption does not have a key length of 2048 bits | PREVENTIVE | GLOBAL | - | - | - | |
Require an Amazon Redshift cluster to have automatic upgrades to major versions configured | PROACTIVE | REGIONAL | supported | supported | supported | |
ECR private repositories should have image scanning configured | DETECTIVE | REGIONAL | supported | - | supported | |
RabbitMQ brokers should use cluster deployment mode | DETECTIVE | REGIONAL | supported | supported | supported | |
IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys | DETECTIVE | REGIONAL | supported | - | supported | |
Require an Amazon EKS cluster to be configured with public access disabled to the cluster Kubernetes API server endpoint | PROACTIVE | REGIONAL | supported | supported | supported | |
Amazon SQS queues should be encrypted at rest | DETECTIVE | REGIONAL | supported | supported | supported | |
RDS snapshot should be private | DETECTIVE | REGIONAL | supported | - | supported | |
OpenSearch domains should have at least three data nodes | DETECTIVE | REGIONAL | supported | - | supported | |
Detect whether unrestricted internet connection through SSH is allowed | DETECTIVE | REGIONAL | supported | supported | supported | |
Amazon DocumentDB manual cluster snapshots should not be public | DETECTIVE | REGIONAL | supported | - | supported | |
Require an Amazon CloudFront distribution to use updated SSL protocols between edge locations and custom origins | PROACTIVE | REGIONAL | supported | supported | supported | |
Neptune DB clusters should have automated backups enabled | DETECTIVE | REGIONAL | supported | - | supported | |
Require an Amazon RDS database cluster to have AWS IAM database authentication configured | PROACTIVE | REGIONAL | supported | supported | supported | |
Amazon EC2 instances launched using Auto Scaling group launch configurations should not have Public IP addresses | DETECTIVE | REGIONAL | supported | - | supported | |
Require an Amazon RDS event notifications subscription to have critical database security group events configured | PROACTIVE | REGIONAL | supported | supported | supported | |
Require an AWS Elastic Beanstalk environment to have managed platform updates configured | PROACTIVE | REGIONAL | supported | supported | supported | |
Require an Amazon API Gateway REST and WebSocket API to have logging activated | PROACTIVE | REGIONAL | supported | supported | supported | |
Require an Amazon EC2 fleet to override only those launch templates with AWS Nitro instance types that support encryption in transit between instances | PROACTIVE | REGIONAL | supported | supported | supported | |
RSA certificates managed by ACM should use a key length of at least 2,048 bits | DETECTIVE | REGIONAL | supported | supported | supported | |
Elasticsearch domains should have audit logging enabled | DETECTIVE | REGIONAL | supported | supported | supported | |
Require an Amazon Managed Streaming for Apache Kafka (MSK) cluster to be configured with PublicAccess disabled | PROACTIVE | REGIONAL | supported | supported | supported | |
Redshift clusters should not use the default database name | DETECTIVE | REGIONAL | supported | supported | supported | |
EC2 launch templates should not assign public IPs to network interfaces | DETECTIVE | REGIONAL | supported | supported | supported | |
Require an Amazon EC2 Auto Scaling group associated with an AWS Elastic Load Balancer (ELB) to have ELB health checks activated | PROACTIVE | REGIONAL | supported | supported | supported | |
Detect whether a shared account in the Security organizational unit has AWS CloudTrail or CloudTrail Lake enabled | DETECTIVE | REGIONAL | supported | supported | supported | |
Password policies for IAM users should have strong configurations | DETECTIVE | REGIONAL | supported | supported | supported | |
Secrets Manager secrets should be rotated within a specified number of days | DETECTIVE | REGIONAL | supported | - | supported | |
Require AWS ECS Fargate Services to run on the latest Fargate platform version | PROACTIVE | REGIONAL | supported | supported | supported | |
RDS database instances should use a custom administrator username | DETECTIVE | REGIONAL | supported | supported | supported | |
Amazon ECS task definitions should have secure networking modes and user definitions | DETECTIVE | REGIONAL | supported | - | supported | |
Require an Amazon ElastiCache replication group to have encryption at rest activated | PROACTIVE | REGIONAL | supported | supported | supported | |
ECS Fargate services should run on the latest Fargate platform version | DETECTIVE | REGIONAL | supported | - | supported | |
Require an Amazon RDS event notification subscription to have critical database parameter group events configured | PROACTIVE | REGIONAL | supported | supported | supported | |
Elastic File System should be configured to encrypt file data at-rest using AWS KMS | DETECTIVE | REGIONAL | supported | - | supported | |
OpenSearch domains should have encryption at rest enabled | DETECTIVE | REGIONAL | supported | - | supported | |
Lambda functions should be in a VPC | DETECTIVE | REGIONAL | supported | - | supported | |
Kinesis streams should be encrypted at rest | DETECTIVE | REGIONAL | supported | - | supported | |
Require any AWS WAF regional rule to have a condition | PROACTIVE | REGIONAL | supported | supported | supported | |
Require an Amazon RDS DB cluster parameter group to require Transport Layer Security (TLS) connections for supported engine types | PROACTIVE | REGIONAL | supported | supported | supported | |
Auto scaling groups associated with a load balancer should use load balancer health checks | DETECTIVE | REGIONAL | supported | supported | supported | |
Elastic Beanstalk managed platform updates should be enabled | DETECTIVE | REGIONAL | supported | - | supported | |
The default stateless action for Network Firewall policies should be drop or forward for full packets | DETECTIVE | REGIONAL | supported | supported | supported | |
CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events | DETECTIVE | REGIONAL | supported | supported | supported | |
Require that Amazon ECS task definitions do not share the host's process namespace | PROACTIVE | REGIONAL | supported | supported | supported | |
Application and Classic Load Balancers logging should be enabled | DETECTIVE | REGIONAL | supported | supported | supported | |
EC2 Transit Gateways should not automatically accept VPC attachment requests | DETECTIVE | REGIONAL | supported | - | supported | |
Require that an Amazon RDS database instance has encryption at rest configured to use a KMS key that you specify for supported engine types | PROACTIVE | REGIONAL | supported | supported | supported | |
DynamoDB Accelerator (DAX) clusters should be encrypted at rest | DETECTIVE | REGIONAL | supported | - | supported | |
Require any ELB classic load balancer to have cross-zone load balancing activated | PROACTIVE | REGIONAL | supported | supported | supported | |
Require any application load balancer to have defensive or strictest desync mitigation mode activated | PROACTIVE | REGIONAL | supported | supported | supported | |
Integrate CloudTrail events with CloudWatch Logs | PREVENTIVE | GLOBAL | - | - | - | |
Disallow Changes to Encryption Configuration for AWS Control Tower Created S3 Buckets in Log Archive | PREVENTIVE | GLOBAL | - | - | - | |
Imported and ACM-issued certificates should be renewed after a specified time period | DETECTIVE | REGIONAL | supported | - | supported | |
Elasticsearch domain error logging to CloudWatch Logs should be enabled | DETECTIVE | REGIONAL | supported | supported | supported | |
Require an Amazon SageMaker notebook instance to prevent direct internet access | PROACTIVE | REGIONAL | supported | supported | supported | |
Require that an Amazon EC2 subnet does not automatically assign public IP addresses | PROACTIVE | REGIONAL | supported | supported | supported | |
RDS instances should have automatic backups enabled | DETECTIVE | REGIONAL | supported | supported | supported | |
EC2 instances should not use multiple ENIs | DETECTIVE | REGIONAL | supported | - | supported | |
Lambda functions should use supported runtimes | DETECTIVE | REGIONAL | supported | - | supported | |
ElastiCache replication groups should have automatic failover enabled | DETECTIVE | REGIONAL | supported | supported | supported | |
RDS DB instances should have encryption at-rest enabled | DETECTIVE | REGIONAL | supported | supported | supported | |
SSM documents should not be public | DETECTIVE | REGIONAL | supported | supported | supported | |
Auto Scaling group launch configurations should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2) | DETECTIVE | REGIONAL | supported | supported | supported | |
Require that any Amazon EC2 security group rule does not use the source IP range 0.0.0.0/0 or ::/0 for specific high-risk ports | PROACTIVE | REGIONAL | supported | supported | supported | |
EC2 instances should not have a public IPv4 address | DETECTIVE | REGIONAL | supported | - | supported | |
Require that an Amazon EBS snapshot cannot be publicly restorable | PREVENTIVE | GLOBAL | - | - | - | |
Require an AWS KMS key policy to have a statement that limits creation of AWS KMS grants to AWS services | PROACTIVE | REGIONAL | supported | supported | supported | |
S3 buckets with versioning enabled should have lifecycle policies configured | DETECTIVE | REGIONAL | supported | supported | supported | |
Security contact information should be provided for an AWS account | DETECTIVE | REGIONAL | supported | supported | supported | |
Disallow Amazon Virtual Private Network (VPN) connections | PREVENTIVE | GLOBAL | - | - | - | |
Amazon EC2 should be configured to use VPC endpoints that are created for the Amazon EC2 service | DETECTIVE | REGIONAL | supported | - | supported | |
DMS endpoints should use SSL | DETECTIVE | REGIONAL | supported | supported | supported | |
Require any Amazon CloudFront distributions with Amazon S3 backed origins to have an origin access identity configured | PROACTIVE | REGIONAL | supported | supported | supported | |
API Gateway should be associated with a WAF Web ACL | DETECTIVE | REGIONAL | supported | - | supported | |
Require an Amazon S3 bucket to have event notifications configured | PROACTIVE | REGIONAL | supported | supported | supported | |
Require that an AWS KMS customer-managed key (CMK) is configured with key material originating from AWS CloudHSM | PREVENTIVE | GLOBAL | - | - | - | |
Require that an Amazon S3 bucket has S3 Object Lock activated | PROACTIVE | REGIONAL | supported | supported | supported | |
Require an Amazon DynamoDB table to be encrypted at rest using an AWS KMS key | PROACTIVE | REGIONAL | supported | supported | supported | |
Require an Amazon OpenSearch Service domain to be created in a user-specified Amazon VPC | PROACTIVE | REGIONAL | supported | supported | supported | |
Classic Load Balancers should have connection draining enabled | DETECTIVE | REGIONAL | supported | supported | supported | |
Require an Amazon ElastiCache for Redis cluster to have automatic backups activated | PROACTIVE | REGIONAL | supported | supported | supported | |
Disallow deletion of log archive | PREVENTIVE | GLOBAL | - | - | - | |
Require an Amazon RDS cluster to have deletion protection configured | PROACTIVE | REGIONAL | supported | supported | supported | |
API Gateway REST and WebSocket API execution logging should be enabled | DETECTIVE | REGIONAL | supported | - | supported | |
Require an Amazon EBS volume resource to be encrypted at rest when defined by means of the AWS::EC2::Instance BlockDeviceMappings property or AWS::EC2::Volume resource type | PROACTIVE | REGIONAL | supported | supported | supported | |
Require any ELB classic load balancer to have connection draining activated | PROACTIVE | REGIONAL | supported | supported | supported | |
A WAF Regional web ACL should have at least one rule or rule group | DETECTIVE | REGIONAL | supported | supported | supported | |
An RDS event notifications subscription should be configured for critical database security group events | DETECTIVE | REGIONAL | supported | supported | supported | |
Require an Elasticsearch domain to have at least three dedicated master nodes | PROACTIVE | REGIONAL | supported | supported | supported | |
Require an Amazon Neptune DB cluster to enable Amazon CloudWatch log export for audit logs | PROACTIVE | REGIONAL | supported | supported | supported | |
Disallow changes to logging configuration for AWS Control Tower created Amazon S3 buckets in log archive | PREVENTIVE | GLOBAL | - | - | - | |
Require an AWS Step Functions state machine to have AWS X-Ray tracing activated | PROACTIVE | REGIONAL | supported | supported | supported | |
Require an AWS AppSync GraphQL API to have logging enabled | PROACTIVE | REGIONAL | supported | supported | supported | |
RDS DB instances should have deletion protection enabled | DETECTIVE | REGIONAL | supported | - | supported | |
Require an Elasticsearch domain to send audit logs to Amazon CloudWatch Logs | PROACTIVE | REGIONAL | supported | supported | supported | |
Require only AWS Nitro instance types that support network traffic encryption between instances to be added to an Amazon EC2 Auto Scaling group, when overriding a launch template | PROACTIVE | REGIONAL | supported | supported | supported | |
Classic Load Balancers with SSL listeners should use a predefined security policy that has strong configuration | DETECTIVE | REGIONAL | supported | - | supported | |
Unused EC2 security groups should be removed | DETECTIVE | REGIONAL | supported | - | supported | |
Detect public read access setting for log archive | DETECTIVE | REGIONAL | supported | supported | supported | |
Secrets should not be passed as container environment variables | DETECTIVE | REGIONAL | supported | - | supported | |
EC2 subnets should not automatically assign public IP addresses | DETECTIVE | REGIONAL | supported | - | supported | |
Require an AWS Lambda function URL CORS policy to restrict access to specific origins | PROACTIVE | REGIONAL | supported | supported | supported | |
AWS KMS key rotation should be enabled | DETECTIVE | REGIONAL | supported | supported | supported | |
Require an Amazon Redshift cluster to prohibit public access | PROACTIVE | REGIONAL | supported | supported | supported | |
Require an Amazon OpenSearch Service domain to encrypt data sent between nodes | PROACTIVE | REGIONAL | supported | supported | supported | |
S3 buckets should be encrypted at rest with AWS KMS keys | DETECTIVE | REGIONAL | supported | - | supported | |
ElastiCache replication groups should have encryption-at-rest enabled | DETECTIVE | REGIONAL | supported | supported | - | |
Unused Network Access Control Lists should be removed | DETECTIVE | REGIONAL | supported | - | supported | |
ECS services should not have public IP addresses assigned to them automatically | DETECTIVE | REGIONAL | supported | - | supported | |