HITRUST CSF 11.5 - AWS Native
This page lists all 114 policies in the HITRUST CSF 11.5 pack for AWS Native, as published in hitrust-awsnative version 2.0.1.
Policies
anti-malware-edr
Enforcement: advisory
Ensures EC2 instances have anti-malware/EDR agents deployed
api-gateway-access-logging
Enforcement: advisory
Ensures API Gateway stages have access logging enabled
api-gateway-authorization
Enforcement: advisory
Ensures API Gateway methods use strong authorization instead of NONE
api-gateway-waf-association
Enforcement: advisory
HITRUST 13.ac01.01 - Ensures public-facing API Gateways have WAF associations
apigateway-domainname-configure-security-policy
Enforcement: advisory
Checks that ApiGateway Domain Name Security Policy uses secure/modern TLS encryption.
apigatewayv2-domainname-configure-domain-name-security-policy
Enforcement: advisory
Checks that any ApiGatewayV2 Domain Name Security Policy uses secure/modern TLS encryption.
apigatewayv2-domainname-enable-domain-name-configuration
Enforcement: advisory
Checks that any ApiGatewayV2 Domain Name Configuration is enabled.
appflow-connectorprofile-configure-customer-managed-key
Enforcement: advisory
Check that AppFlow ConnectorProfile uses a customer-managed KMS key.
appflow-flow-configure-customer-managed-key
Enforcement: advisory
Check that AppFlow Flow uses a customer-managed KMS key.
athena-workgroup-configure-customer-managed-key
Enforcement: advisory
Checks that Athena Workgroups use a customer-managed-key.
athena-workgroup-disallow-unencrypted-workgroup
Enforcement: advisory
Checks that Athena Workgroups are encrypted.
athena-workgroup-enforce-configuration
Enforcement: advisory
Checks that Athena Workgroups enforce their configuration to their clients.
centralized-os-app-logging
Enforcement: advisory
Ensures EC2 instances have logging agents configured to forward OS/application logs to central system
cloud-asset-inventory
Enforcement: advisory
Enforces tagging for cloud asset inventory and management
cloudfront-distribution-configure-access-logging
Enforcement: advisory
Checks that any CloudFront distributions have access logging configured.
cloudfront-distribution-configure-secure-tls
Enforcement: advisory
Checks that CloudFront distributions uses secure/modern TLS encryption.
cloudfront-distribution-configure-secure-tls-to-origin
Enforcement: advisory
Checks that CloudFront distributions communicate with custom origins using TLS 1.2 encryption only.
cloudfront-distribution-configure-waf-acl
Enforcement: advisory
Checks that CloudFront distributions have a WAF ACL associated.
cloudfront-distribution-disallow-unencrypted-traffic
Enforcement: advisory
Checks that CloudFront distributions only allow encypted ingress traffic.
cloudfront-distribution-enable-access-logging
Enforcement: advisory
Checks that any CloudFront distributions have access logging enabled.
cloudfront-distribution-enable-tls-to-origin
Enforcement: advisory
Checks that CloudFront distributions communicate with custom origins using TLS encryption.
cloudfront-waf-association
Enforcement: advisory
HITRUST 13.ac01.01 - Ensures CloudFront distributions have WAF associations
database-strict-network-access
Enforcement: advisory
Ensures RDS instances have strict network access controls
dynamodb-streams-enabled
Enforcement: advisory
Enforces that all DynamoDB tables have Stream settings enabled to capture all changes
ec2-instance-disallow-public-ip
Enforcement: advisory
Checks that EC2 instances do not have a public IP address.
ec2-instance-disallow-unencrypted-block-device
Enforcement: advisory
Checks that EC2 instances do not have unencrypted block devices.
ec2-instance-disallow-unencrypted-root-block-device
Enforcement: advisory
Checks that EC2 instances does not have unencrypted root volumes.
ec2-launchtemplate-configure-customer-managed-key
Enforcement: advisory
Check that encrypted EBS volume uses a customer-managed KMS key.
ec2-launchtemplate-disallow-public-ip
Enforcement: advisory
Checks that EC2 Launch Templates do not have public IP addresses.
ec2-launchtemplate-disallow-unencrypted-block-device
Enforcement: advisory
Checks that EC2 Launch Templates do not have unencrypted block device.
ec2-securitygroup-disallow-inbound-http-traffic
Enforcement: advisory
Check that EC2 Security Groups do not allow inbound HTTP traffic.
ec2-volume-configure-customer-managed-key
Enforcement: advisory
Check that encrypted EBS volumes use a customer-managed KMS key.
ec2-volume-disallow-unencrypted-volume
Enforcement: advisory
Checks that EBS volumes are encrypted.
ecr-image-scanning
Enforcement: advisory
HITRUST 09.ac05.01 - Ensures ECR repositories have image scanning enabled for vulnerability management
ecr-repository-configure-customer-managed-key
Enforcement: advisory
Checks that ECR repositories use a customer-managed KMS key.
ecr-repository-configure-image-scan
Enforcement: advisory
Checks that ECR repositories have ‘scan-on-push’ configured.
ecr-repository-disallow-mutable-image
Enforcement: advisory
Checks that ECR Repositories have immutable images enabled.
ecr-repository-disallow-unencrypted-repository
Enforcement: advisory
Checks that ECR Repositories are encrypted.
ecr-repository-enable-image-scan
Enforcement: advisory
Checks that ECR repositories have ‘scan-on-push’ enabled.
ecs-task-definition-image-scanning
Enforcement: advisory
HITRUST 09.ac05.01 - Ensures ECS task definitions use images from repositories with vulnerability scanning
efs-filesystem-configure-customer-managed-key
Enforcement: advisory
Check that encrypted EFS File system uses a customer-managed KMS key.
efs-filesystem-disallow-unencrypted-file-system
Enforcement: advisory
Checks that EFS File Systems do not have an unencrypted file system.
eks-cluster-disallow-api-endpoint-public-access
Enforcement: advisory
Check that EKS Clusters API Endpoint are not publicly accessible.
eks-cluster-enable-cluster-encryption-config
Enforcement: advisory
Check that EKS Cluster Encryption Config is enabled.
elb-listener-disallow-unencrypted-traffic
Enforcement: advisory
Check that ELB Listeners do not allow unencrypted (HTTP) traffic.
elb-loadbalancer-disallow-unencrypted-traffic
Enforcement: advisory
Check that ELB Load Balancers do not allow unencrypted (HTTP) traffic.
environment-separation-tagging
Enforcement: advisory
Ensures that resources are tagged to distinguish between production and non-production environments
iam-group-policy-least-privilege
Enforcement: advisory
Ensures IAM group policies follow least privilege principles
iam-policy-least-privilege
Enforcement: advisory
Ensures IAM managed policies follow least privilege principles
iam-policy-mfa-enforcement
Enforcement: advisory
Ensures IAM policies require MFA for privileged actions
iam-role-least-privilege
Enforcement: advisory
Ensures IAM roles follow least privilege principles
iam-role-mfa-enforcement
Enforcement: advisory
Ensures IAM roles require MFA for privileged actions
iam-role-policy-least-privilege
Enforcement: advisory
Ensures IAM role policies follow least privilege principles
iam-role-policy-mfa-enforcement
Enforcement: advisory
Ensures IAM role policies require MFA for privileged actions
iam-role-session-duration
Enforcement: advisory
Enforces maximum session duration for IAM roles
iam-user-policy-least-privilege
Enforcement: advisory
Ensures IAM user policies follow least privilege principles
kinesis-event-source-mapping-dlq
Enforcement: advisory
Ensures Kinesis Lambda event source mappings have DLQ configuration
kinesis-stream-retention
Enforcement: advisory
Ensures Kinesis streams have retention periods configured
kms-key-creation
Enforcement: advisory
HITRUST 09.ab01.01 - Validates KMS key creation with appropriate specifications and origins
kms-key-deletion-lifecycle
Enforcement: advisory
HITRUST 09.ac10.01, 06.ad04.01 - Validates KMS key deletion windows and lifecycle management
kms-key-enable-key-rotation
Enforcement: advisory
Checks that KMS Keys have key rotation enabled.
kms-key-policy-access-control
Enforcement: advisory
HITRUST 07.ad01.01, 07.ad02.01 - Validates KMS key policies for least privilege and separation of duties
lambda-environment-variables-encryption
Enforcement: advisory
Ensures that all Lambda functions have their environment variables encrypted using AWS KMS
lambda-function-documentation
Enforcement: advisory
Ensures all AWS Lambda functions have a documented description attribute
lambda-function-logging
Enforcement: advisory
Ensures that all AWS Lambda functions have logging enabled to track output data processing
lambda-permission-configure-source-arn
Enforcement: advisory
Checks that lambda function permissions have a source arn specified.
lambda-runtime-restrictions
Enforcement: advisory
Ensures that AWS Lambda functions are created only with approved runtime versions
least-privilege
Enforcement: advisory
Ensures IAM policies follow least privilege principles
limit-lambda-execution-time
Enforcement: advisory
Ensures that AWS Lambda functions are configured to time out after a specified duration to prevent extended access
load-balancer-waf-association
Enforcement: advisory
HITRUST 13.ac01.01 - Ensures public-facing Load Balancers have WAF associations
no-hardcoded-secrets
Enforcement: advisory
Ensures EC2 instances do not contain hardcoded secrets
pubsub-least-privilege-iam
Enforcement: advisory
Ensures IAM policies follow least privilege principles for Pub/Sub services (SNS, SQS, Kinesis)
rds-audit-logging
Enforcement: advisory
Ensures RDS instances have audit logging enabled
rds-cluster-secure-master-credentials
Enforcement: advisory
Ensures RDS clusters use secure credential management instead of hardcoded passwords
rds-dbcluster-configure-backup-retention
Enforcement: advisory
Checks that RDS DB Cluster backup retention policy is configured.
rds-dbcluster-configure-customer-managed-key
Enforcement: advisory
Checks that RDS DB Cluster storage uses a customer-managed KMS key.
rds-dbcluster-disallow-single-availability-zone
Enforcement: advisory
Check that RDS DB Cluster doesn’t use single availability zone.
rds-dbcluster-disallow-unencrypted-storage
Enforcement: advisory
Checks that RDS DB Cluster storage is encrypted.
rds-dbcluster-enable-backup-retention
Enforcement: advisory
Checks that RDS DB Clusters backup retention policy is enabled.
rds-dbinstance-configure-customer-managed-key
Enforcement: advisory
Checks that RDS DB Instance storage uses a customer-managed KMS key.
rds-dbinstance-disallow-public-access
Enforcement: advisory
Checks that RDS DB Instances public access is not enabled.
rds-dbinstance-disallow-unencrypted-storage
Enforcement: advisory
Checks that RDS DB Instance storage is encrypted.
rds-dbinstance-enable-backup-retention
Enforcement: advisory
Checks that RDS DB Instances backup retention policy is enabled.
rds-iam-authentication
Enforcement: advisory
Ensures RDS instances have IAM database authentication enabled
rds-instance-high-availability
Enforcement: advisory
Ensures RDS instances have Multi-AZ deployment enabled for high availability
rds-managed-service-patching
Enforcement: advisory
Ensures RDS instances have automated minor version upgrades enabled
rds-private-subnet-validation
Enforcement: advisory
Validates that RDS DB subnet groups contain only private subnets
rds-secure-master-credentials
Enforcement: advisory
Ensures RDS instances use secure credential management instead of hardcoded passwords
rds-ssl-encryption
Enforcement: advisory
Ensures RDS instances have SSL/TLS encryption enabled
resource-tagging
Enforcement: advisory
Ensures all AWS resources must include tags for proper change tracking
restrict-default-iam-user-creation
Enforcement: advisory
Ensures that default IAM user accounts are not allowed to be created
s3-bucket-access-logging
Enforcement: advisory
Ensures S3 buckets have access logging enabled
s3-bucket-configure-server-side-encryption-customer-managed-key
Enforcement: advisory
Check that S3 Buckets Server-Side Encryption (SSE) is using a customer-managed KMS Key.
s3-bucket-configure-server-side-encryption-kms
Enforcement: advisory
Check that S3 Buckets Server-Side Encryption (SSE) uses AWS KMS.
s3-bucket-disallow-public-read
Enforcement: advisory
Checks that S3 Bucket ACLs don’t allow ‘PublicRead’, ‘PublicReadWrite’ or ‘AuthenticatedRead’.
s3-bucket-enable-server-side-encryption
Enforcement: advisory
Check that S3 Bucket Server-Side Encryption (SSE) is enabled.
s3-bucket-least-privilege
Enforcement: advisory
Prevents overly permissive S3 bucket policies
s3-bucket-lifecycle
Enforcement: advisory
Ensures S3 buckets have lifecycle rules configured for retention/disposal
s3-bucket-macie-access
Enforcement: advisory
Ensures S3 buckets allow AWS Macie access for data classification and discovery
s3-bucket-public-access-block
Enforcement: advisory
Ensures S3 bucket public access blocks have all settings enabled
s3-bucket-replication
Enforcement: advisory
Ensures S3 buckets have replication configured for enhanced availability
s3-bucket-versioning
Enforcement: advisory
Ensures S3 buckets have versioning enabled
secretsmanager-secret-configure-customer-managed-key
Enforcement: advisory
Check that Secrets Manager Secrets use a customer-manager KMS key.
security-group-default-deny
Enforcement: advisory
Ensures Security Groups follow default deny with explicit allow principle
security-group-ssh-rdp
Enforcement: advisory
Ensures security groups do not allow SSH/RDP from the internet
security-group-strict
Enforcement: advisory
Ensures security groups follow strict firewall rules with default deny
sqs-dead-letter-queue
Enforcement: advisory
Ensures SQS queues have dead letter queue configuration
sqs-encryption
Enforcement: advisory
Ensures SQS queues have server-side encryption enabled
sqs-message-retention
Enforcement: advisory
Ensures SQS queues have message retention periods configured
subnet-multi-az
Enforcement: advisory
Ensures subnets are distributed across multiple availability zones
vpc-endpoint-security-policy
Enforcement: advisory
Ensures that VPC endpoints are associated with security policies that limit access to specified resources
vpc-flow-logs
Enforcement: advisory
Ensures VPC flow logs use approved destinations for centralized monitoring
vpc-subnet-flow-logs
Enforcement: advisory
Ensures all VPCs and subnets have flow logs enabled
waf-association-validation
Enforcement: advisory
HITRUST 13.ac01.01 - Validates WAF Web ACL associations are properly configured