---
title: AWS Native
url: /docs/reference/pre-built-policy-packs/hitrust/aws-native/
---This page lists all 114 policies in the **HITRUST CSF 11.5** pack for **AWS Native**, as published in `hitrust-awsnative` version `2.0.1`.

## Policies

### anti-malware-edr

**Enforcement:** advisory

Ensures EC2 instances have anti-malware/EDR agents deployed

### api-gateway-access-logging

**Enforcement:** advisory

Ensures API Gateway stages have access logging enabled

### api-gateway-authorization

**Enforcement:** advisory

Ensures API Gateway methods use strong authorization instead of NONE

### api-gateway-waf-association

**Enforcement:** advisory

HITRUST 13.ac01.01 - Ensures public-facing API Gateways have WAF associations

### apigateway-domainname-configure-security-policy

**Enforcement:** advisory

Checks that ApiGateway Domain Name Security Policy uses secure/modern TLS encryption.

### apigatewayv2-domainname-configure-domain-name-security-policy

**Enforcement:** advisory

Checks that any ApiGatewayV2 Domain Name Security Policy uses secure/modern TLS encryption.

### apigatewayv2-domainname-enable-domain-name-configuration

**Enforcement:** advisory

Checks that any ApiGatewayV2 Domain Name Configuration is enabled.

### appflow-connectorprofile-configure-customer-managed-key

**Enforcement:** advisory

Check that AppFlow ConnectorProfile uses a customer-managed KMS key.

### appflow-flow-configure-customer-managed-key

**Enforcement:** advisory

Check that AppFlow Flow uses a customer-managed KMS key.

### athena-workgroup-configure-customer-managed-key

**Enforcement:** advisory

Checks that Athena Workgroups use a customer-managed-key.

### athena-workgroup-disallow-unencrypted-workgroup

**Enforcement:** advisory

Checks that Athena Workgroups are encrypted.

### athena-workgroup-enforce-configuration

**Enforcement:** advisory

Checks that Athena Workgroups enforce their configuration to their clients.

### centralized-os-app-logging

**Enforcement:** advisory

Ensures EC2 instances have logging agents configured to forward OS/application logs to central system

### cloud-asset-inventory

**Enforcement:** advisory

Enforces tagging for cloud asset inventory and management

### cloudfront-distribution-configure-access-logging

**Enforcement:** advisory

Checks that any CloudFront distributions have access logging configured.

### cloudfront-distribution-configure-secure-tls

**Enforcement:** advisory

Checks that CloudFront distributions uses secure/modern TLS encryption.

### cloudfront-distribution-configure-secure-tls-to-origin

**Enforcement:** advisory

Checks that CloudFront distributions communicate with custom origins using TLS 1.2 encryption only.

### cloudfront-distribution-configure-waf-acl

**Enforcement:** advisory

Checks that CloudFront distributions have a WAF ACL associated.

### cloudfront-distribution-disallow-unencrypted-traffic

**Enforcement:** advisory

Checks that CloudFront distributions only allow encypted ingress traffic.

### cloudfront-distribution-enable-access-logging

**Enforcement:** advisory

Checks that any CloudFront distributions have access logging enabled.

### cloudfront-distribution-enable-tls-to-origin

**Enforcement:** advisory

Checks that CloudFront distributions communicate with custom origins using TLS encryption.

### cloudfront-waf-association

**Enforcement:** advisory

HITRUST 13.ac01.01 - Ensures CloudFront distributions have WAF associations

### database-strict-network-access

**Enforcement:** advisory

Ensures RDS instances have strict network access controls

### dynamodb-streams-enabled

**Enforcement:** advisory

Enforces that all DynamoDB tables have Stream settings enabled to capture all changes

### ec2-instance-disallow-public-ip

**Enforcement:** advisory

Checks that EC2 instances do not have a public IP address.

### ec2-instance-disallow-unencrypted-block-device

**Enforcement:** advisory

Checks that EC2 instances do not have unencrypted block devices.

### ec2-instance-disallow-unencrypted-root-block-device

**Enforcement:** advisory

Checks that EC2 instances does not have unencrypted root volumes.

### ec2-launchtemplate-configure-customer-managed-key

**Enforcement:** advisory

Check that encrypted EBS volume uses a customer-managed KMS key.

### ec2-launchtemplate-disallow-public-ip

**Enforcement:** advisory

Checks that EC2 Launch Templates do not have public IP addresses.

### ec2-launchtemplate-disallow-unencrypted-block-device

**Enforcement:** advisory

Checks that EC2 Launch Templates do not have unencrypted block device.

### ec2-securitygroup-disallow-inbound-http-traffic

**Enforcement:** advisory

Check that EC2 Security Groups do not allow inbound HTTP traffic.

### ec2-volume-configure-customer-managed-key

**Enforcement:** advisory

Check that encrypted EBS volumes use a customer-managed KMS key.

### ec2-volume-disallow-unencrypted-volume

**Enforcement:** advisory

Checks that EBS volumes are encrypted.

### ecr-image-scanning

**Enforcement:** advisory

HITRUST 09.ac05.01 - Ensures ECR repositories have image scanning enabled for vulnerability management

### ecr-repository-configure-customer-managed-key

**Enforcement:** advisory

Checks that ECR repositories use a customer-managed KMS key.

### ecr-repository-configure-image-scan

**Enforcement:** advisory

Checks that ECR repositories have 'scan-on-push' configured.

### ecr-repository-disallow-mutable-image

**Enforcement:** advisory

Checks that ECR Repositories have immutable images enabled.

### ecr-repository-disallow-unencrypted-repository

**Enforcement:** advisory

Checks that ECR Repositories are encrypted.

### ecr-repository-enable-image-scan

**Enforcement:** advisory

Checks that ECR repositories have 'scan-on-push' enabled.

### ecs-task-definition-image-scanning

**Enforcement:** advisory

HITRUST 09.ac05.01 - Ensures ECS task definitions use images from repositories with vulnerability scanning

### efs-filesystem-configure-customer-managed-key

**Enforcement:** advisory

Check that encrypted EFS File system uses a customer-managed KMS key.

### efs-filesystem-disallow-unencrypted-file-system

**Enforcement:** advisory

Checks that EFS File Systems do not have an unencrypted file system.

### eks-cluster-disallow-api-endpoint-public-access

**Enforcement:** advisory

Check that EKS Clusters API Endpoint are not publicly accessible.

### eks-cluster-enable-cluster-encryption-config

**Enforcement:** advisory

Check that EKS Cluster Encryption Config is enabled.

### elb-listener-disallow-unencrypted-traffic

**Enforcement:** advisory

Check that ELB Listeners do not allow unencrypted (HTTP) traffic.

### elb-loadbalancer-disallow-unencrypted-traffic

**Enforcement:** advisory

Check that ELB Load Balancers do not allow unencrypted (HTTP) traffic.

### environment-separation-tagging

**Enforcement:** advisory

Ensures that resources are tagged to distinguish between production and non-production environments

### iam-group-policy-least-privilege

**Enforcement:** advisory

Ensures IAM group policies follow least privilege principles

### iam-policy-least-privilege

**Enforcement:** advisory

Ensures IAM managed policies follow least privilege principles

### iam-policy-mfa-enforcement

**Enforcement:** advisory

Ensures IAM policies require MFA for privileged actions

### iam-role-least-privilege

**Enforcement:** advisory

Ensures IAM roles follow least privilege principles

### iam-role-mfa-enforcement

**Enforcement:** advisory

Ensures IAM roles require MFA for privileged actions

### iam-role-policy-least-privilege

**Enforcement:** advisory

Ensures IAM role policies follow least privilege principles

### iam-role-policy-mfa-enforcement

**Enforcement:** advisory

Ensures IAM role policies require MFA for privileged actions

### iam-role-session-duration

**Enforcement:** advisory

Enforces maximum session duration for IAM roles

### iam-user-policy-least-privilege

**Enforcement:** advisory

Ensures IAM user policies follow least privilege principles

### kinesis-event-source-mapping-dlq

**Enforcement:** advisory

Ensures Kinesis Lambda event source mappings have DLQ configuration

### kinesis-stream-retention

**Enforcement:** advisory

Ensures Kinesis streams have retention periods configured

### kms-key-creation

**Enforcement:** advisory

HITRUST 09.ab01.01 - Validates KMS key creation with appropriate specifications and origins

### kms-key-deletion-lifecycle

**Enforcement:** advisory

HITRUST 09.ac10.01, 06.ad04.01 - Validates KMS key deletion windows and lifecycle management

### kms-key-enable-key-rotation

**Enforcement:** advisory

Checks that KMS Keys have key rotation enabled.

### kms-key-policy-access-control

**Enforcement:** advisory

HITRUST 07.ad01.01, 07.ad02.01 - Validates KMS key policies for least privilege and separation of duties

### lambda-environment-variables-encryption

**Enforcement:** advisory

Ensures that all Lambda functions have their environment variables encrypted using AWS KMS

### lambda-function-documentation

**Enforcement:** advisory

Ensures all AWS Lambda functions have a documented description attribute

### lambda-function-logging

**Enforcement:** advisory

Ensures that all AWS Lambda functions have logging enabled to track output data processing

### lambda-permission-configure-source-arn

**Enforcement:** advisory

Checks that lambda function permissions have a source arn specified.

### lambda-runtime-restrictions

**Enforcement:** advisory

Ensures that AWS Lambda functions are created only with approved runtime versions

### least-privilege

**Enforcement:** advisory

Ensures IAM policies follow least privilege principles

### limit-lambda-execution-time

**Enforcement:** advisory

Ensures that AWS Lambda functions are configured to time out after a specified duration to prevent extended access

### load-balancer-waf-association

**Enforcement:** advisory

HITRUST 13.ac01.01 - Ensures public-facing Load Balancers have WAF associations

### no-hardcoded-secrets

**Enforcement:** advisory

Ensures EC2 instances do not contain hardcoded secrets

### pubsub-least-privilege-iam

**Enforcement:** advisory

Ensures IAM policies follow least privilege principles for Pub/Sub services (SNS, SQS, Kinesis)

### rds-audit-logging

**Enforcement:** advisory

Ensures RDS instances have audit logging enabled

### rds-cluster-secure-master-credentials

**Enforcement:** advisory

Ensures RDS clusters use secure credential management instead of hardcoded passwords

### rds-dbcluster-configure-backup-retention

**Enforcement:** advisory

Checks that RDS DB Cluster backup retention policy is configured.

### rds-dbcluster-configure-customer-managed-key

**Enforcement:** advisory

Checks that RDS DB Cluster storage uses a customer-managed KMS key.

### rds-dbcluster-disallow-single-availability-zone

**Enforcement:** advisory

Check that RDS DB Cluster doesn't use single availability zone.

### rds-dbcluster-disallow-unencrypted-storage

**Enforcement:** advisory

Checks that RDS DB Cluster storage is encrypted.

### rds-dbcluster-enable-backup-retention

**Enforcement:** advisory

Checks that RDS DB Clusters backup retention policy is enabled.

### rds-dbinstance-configure-customer-managed-key

**Enforcement:** advisory

Checks that RDS DB Instance storage uses a customer-managed KMS key.

### rds-dbinstance-disallow-public-access

**Enforcement:** advisory

Checks that RDS DB Instances public access is not enabled.

### rds-dbinstance-disallow-unencrypted-storage

**Enforcement:** advisory

Checks that RDS DB Instance storage is encrypted.

### rds-dbinstance-enable-backup-retention

**Enforcement:** advisory

Checks that RDS DB Instances backup retention policy is enabled.

### rds-iam-authentication

**Enforcement:** advisory

Ensures RDS instances have IAM database authentication enabled

### rds-instance-high-availability

**Enforcement:** advisory

Ensures RDS instances have Multi-AZ deployment enabled for high availability

### rds-managed-service-patching

**Enforcement:** advisory

Ensures RDS instances have automated minor version upgrades enabled

### rds-private-subnet-validation

**Enforcement:** advisory

Validates that RDS DB subnet groups contain only private subnets

### rds-secure-master-credentials

**Enforcement:** advisory

Ensures RDS instances use secure credential management instead of hardcoded passwords

### rds-ssl-encryption

**Enforcement:** advisory

Ensures RDS instances have SSL/TLS encryption enabled

### resource-tagging

**Enforcement:** advisory

Ensures all AWS resources must include tags for proper change tracking

### restrict-default-iam-user-creation

**Enforcement:** advisory

Ensures that default IAM user accounts are not allowed to be created

### s3-bucket-access-logging

**Enforcement:** advisory

Ensures S3 buckets have access logging enabled

### s3-bucket-configure-server-side-encryption-customer-managed-key

**Enforcement:** advisory

Check that S3 Buckets Server-Side Encryption (SSE) is using a customer-managed KMS Key.

### s3-bucket-configure-server-side-encryption-kms

**Enforcement:** advisory

Check that S3 Buckets Server-Side Encryption (SSE) uses AWS KMS.

### s3-bucket-disallow-public-read

**Enforcement:** advisory

Checks that S3 Bucket ACLs don't allow 'PublicRead', 'PublicReadWrite' or 'AuthenticatedRead'.

### s3-bucket-enable-server-side-encryption

**Enforcement:** advisory

Check that S3 Bucket Server-Side Encryption (SSE) is enabled.

### s3-bucket-least-privilege

**Enforcement:** advisory

Prevents overly permissive S3 bucket policies

### s3-bucket-lifecycle

**Enforcement:** advisory

Ensures S3 buckets have lifecycle rules configured for retention/disposal

### s3-bucket-macie-access

**Enforcement:** advisory

Ensures S3 buckets allow AWS Macie access for data classification and discovery

### s3-bucket-public-access-block

**Enforcement:** advisory

Ensures S3 bucket public access blocks have all settings enabled

### s3-bucket-replication

**Enforcement:** advisory

Ensures S3 buckets have replication configured for enhanced availability

### s3-bucket-versioning

**Enforcement:** advisory

Ensures S3 buckets have versioning enabled

### secretsmanager-secret-configure-customer-managed-key

**Enforcement:** advisory

Check that Secrets Manager Secrets use a customer-manager KMS key.

### security-group-default-deny

**Enforcement:** advisory

Ensures Security Groups follow default deny with explicit allow principle

### security-group-ssh-rdp

**Enforcement:** advisory

Ensures security groups do not allow SSH/RDP from the internet

### security-group-strict

**Enforcement:** advisory

Ensures security groups follow strict firewall rules with default deny

### sqs-dead-letter-queue

**Enforcement:** advisory

Ensures SQS queues have dead letter queue configuration

### sqs-encryption

**Enforcement:** advisory

Ensures SQS queues have server-side encryption enabled

### sqs-message-retention

**Enforcement:** advisory

Ensures SQS queues have message retention periods configured

### subnet-multi-az

**Enforcement:** advisory

Ensures subnets are distributed across multiple availability zones

### vpc-endpoint-security-policy

**Enforcement:** advisory

Ensures that VPC endpoints are associated with security policies that limit access to specified resources

### vpc-flow-logs

**Enforcement:** advisory

Ensures VPC flow logs use approved destinations for centralized monitoring

### vpc-subnet-flow-logs

**Enforcement:** advisory

Ensures all VPCs and subnets have flow logs enabled

### waf-association-validation

**Enforcement:** advisory

HITRUST 13.ac01.01 - Validates WAF Web ACL associations are properly configured

