ISO/IEC 27001 - AWS
This page lists all 238 policies in the ISO/IEC 27001:2022 pack for AWS.
| Policy Name | Description | Framework Reference | Framework Specification |
|---|---|---|---|
| resource-tagging | Ensures all AWS resources must include tags for proper change tracking | A.5.9 Inventory of information and other associated assets | An inventory of information and other associated assets, including owners, shall be developed and maintained. |
| dms-endpoint-redis-tls | DMS Redis endpoints must use TLS for transmission | A.5.14 Information transfer | Information transfer rules, procedures, or agreements shall be in place for all types of transfer facilities within the organization and between the organization and other parties. |
| dax-cluster-endpoint-encryption | Require DAX clusters to use TLS endpoint encryption in transit | A.5.14 Information transfer | Information transfer rules, procedures, or agreements shall be in place for all types of transfer facilities within the organization and between the organization and other parties. |
| elasticache-replicationgroup-encryption-in-transit | ElastiCache replication groups must have encryption in transit enabled | A.5.14 Information transfer | Information transfer rules, procedures, or agreements shall be in place for all types of transfer facilities within the organization and between the organization and other parties. |
| dms-endpoint-ssl | DMS endpoints must require SSL/TLS connections | A.5.14 Information transfer | Information transfer rules, procedures, or agreements shall be in place for all types of transfer facilities within the organization and between the organization and other parties. |
| msk-cluster-encryption-in-transit | MSK clusters must have in-cluster encryption in transit enabled | A.5.14 Information transfer | Information transfer rules, procedures, or agreements shall be in place for all types of transfer facilities within the organization and between the organization and other parties. |
| cloudfront-distribution-disallow-default-certificate | CloudFront distributions must use a custom SSL certificate rather than the default CloudFront certificate. | A.5.14 Information transfer | Information transfer rules, procedures, or agreements shall be in place for all types of transfer facilities within the organization and between the organization and other parties. |
| elb-load-balancer-disallow-unencrypted-traffic | Check that ELB Load Balancers do not allow unencrypted (HTTP) traffic. | A.5.14 Information transfer; A.8.20 Networks security; A.8.24 Use of cryptography | Information transfer rules, procedures, or agreements shall be in place for all types of transfer facilities within the organization and between the organization and other parties.; Networks and network devices shall be secured, managed and controlled to protect information in systems and applications.; Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. |
| api-gateway-ssl-certificate-required | Ensures API Gateway REST API stages have client certificates configured for SSL/TLS authentication to protect data in transit. | A.5.14 Information transfer; A.8.20 Networks security; A.8.24 Use of cryptography | Information transfer rules, procedures, or agreements shall be in place for all types of transfer facilities within the organization and between the organization and other parties.; Networks and network devices shall be secured, managed and controlled to protect information in systems and applications.; Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. |
| redshift-ssl-required | Ensures Redshift clusters have encryption in transit enabled through SSL parameter configuration. | A.5.14 Information transfer; A.8.20 Networks security; A.8.24 Use of cryptography | Information transfer rules, procedures, or agreements shall be in place for all types of transfer facilities within the organization and between the organization and other parties.; Networks and network devices shall be secured, managed and controlled to protect information in systems and applications.; Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. |
| elasticsearch-https-required | Elasticsearch domains must require HTTPS for client connections | A.5.14 Information transfer; A.8.20 Networks security; A.8.24 Use of cryptography | Information transfer rules, procedures, or agreements shall be in place for all types of transfer facilities within the organization and between the organization and other parties.; Networks and network devices shall be secured, managed and controlled to protect information in systems and applications.; Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. |
| opensearch-https-required | OpenSearch domains must require HTTPS for client connections | A.5.14 Information transfer; A.8.20 Networks security; A.8.24 Use of cryptography | Information transfer rules, procedures, or agreements shall be in place for all types of transfer facilities within the organization and between the organization and other parties.; Networks and network devices shall be secured, managed and controlled to protect information in systems and applications.; Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. |
| elasticsearch-node-to-node-encryption-enabled | Elasticsearch domains must have node-to-node encryption enabled | A.5.14 Information transfer; A.8.20 Networks security; A.8.24 Use of cryptography | Information transfer rules, procedures, or agreements shall be in place for all types of transfer facilities within the organization and between the organization and other parties.; Networks and network devices shall be secured, managed and controlled to protect information in systems and applications.; Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. |
| opensearch-node-to-node-encryption-enabled | OpenSearch domains must have node-to-node encryption enabled | A.5.14 Information transfer; A.8.20 Networks security; A.8.24 Use of cryptography | Information transfer rules, procedures, or agreements shall be in place for all types of transfer facilities within the organization and between the organization and other parties.; Networks and network devices shall be secured, managed and controlled to protect information in systems and applications.; Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. |
| s3-bucket-ssl-enforcement-required | S3 buckets must enforce SSL/TLS for all requests to ensure encryption in transit | A.5.14 Information transfer; A.8.20 Networks security; A.8.24 Use of cryptography | Information transfer rules, procedures, or agreements shall be in place for all types of transfer facilities within the organization and between the organization and other parties.; Networks and network devices shall be secured, managed and controlled to protect information in systems and applications.; Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. |
| rds-instance-ssl-encryption | Ensures RDS instances have SSL/TLS encryption enabled through parameter group configuration | A.5.14 Information transfer; A.8.20 Networks security; A.8.24 Use of cryptography | Information transfer rules, procedures, or agreements shall be in place for all types of transfer facilities within the organization and between the organization and other parties.; Networks and network devices shall be secured, managed and controlled to protect information in systems and applications.; Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. |
| rds-clusterinstance-ssl-encryption | Ensures RDS cluster instances have SSL/TLS encryption enabled through parameter group configuration | A.5.14 Information transfer; A.8.20 Networks security; A.8.24 Use of cryptography | Information transfer rules, procedures, or agreements shall be in place for all types of transfer facilities within the organization and between the organization and other parties.; Networks and network devices shall be secured, managed and controlled to protect information in systems and applications.; Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. |
| cloudfront-distribution-disallow-unencrypted-traffic | Checks that CloudFront distributions only allow encypted ingress traffic. | A.5.14 Information transfer; A.8.20 Networks security; A.8.24 Use of cryptography | Information transfer rules, procedures, or agreements shall be in place for all types of transfer facilities within the organization and between the organization and other parties.; Networks and network devices shall be secured, managed and controlled to protect information in systems and applications.; Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. |
| cloudfront-distribution-configure-secure-tls | Checks that CloudFront distributions uses secure/modern TLS encryption. | A.5.14 Information transfer; A.8.20 Networks security; A.8.24 Use of cryptography | Information transfer rules, procedures, or agreements shall be in place for all types of transfer facilities within the organization and between the organization and other parties.; Networks and network devices shall be secured, managed and controlled to protect information in systems and applications.; Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. |
| cloudfront-distribution-enable-tls-to-origin | Checks that CloudFront distributions communicate with custom origins using TLS encryption. | A.5.14 Information transfer; A.8.20 Networks security; A.8.24 Use of cryptography | Information transfer rules, procedures, or agreements shall be in place for all types of transfer facilities within the organization and between the organization and other parties.; Networks and network devices shall be secured, managed and controlled to protect information in systems and applications.; Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. |
| api-gateway-domain-name-configure-security-policy | Checks that ApiGateway Domain Name Security Policy uses secure/modern TLS encryption. | A.5.14 Information transfer; A.8.20 Networks security; A.8.24 Use of cryptography | Information transfer rules, procedures, or agreements shall be in place for all types of transfer facilities within the organization and between the organization and other parties.; Networks and network devices shall be secured, managed and controlled to protect information in systems and applications.; Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. |
| api-gateway-v2-domain-name-configure-domain-name-security-policy | Checks that any ApiGatewayV2 Domain Name Security Policy uses secure/modern TLS encryption. | A.5.14 Information transfer; A.8.20 Networks security; A.8.24 Use of cryptography | Information transfer rules, procedures, or agreements shall be in place for all types of transfer facilities within the organization and between the organization and other parties.; Networks and network devices shall be secured, managed and controlled to protect information in systems and applications.; Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. |
| ec2-security-group-disallow-inbound-http-traffic | Check that EC2 Security Groups do not allow inbound HTTP traffic. | A.5.14 Information transfer; A.8.20 Networks security | Information transfer rules, procedures, or agreements shall be in place for all types of transfer facilities within the organization and between the organization and other parties.; Networks and network devices shall be secured, managed and controlled to protect information in systems and applications. |
| api-gateway-v2-domain-name-enable-domain-name-configuration | Checks that any ApiGatewayV2 Domain Name Configuration is enabled. | A.5.14 Information transfer | Information transfer rules, procedures, or agreements shall be in place for all types of transfer facilities within the organization and between the organization and other parties. |
| cloudfront-distribution-configure-secure-tls-to-origin | Checks that CloudFront distributions communicate with custom origins using TLS 1.2 encryption only. | A.5.14 Information transfer; A.8.24 Use of cryptography | Information transfer rules, procedures, or agreements shall be in place for all types of transfer facilities within the organization and between the organization and other parties.; Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. |
| alb-http-to-https-redirection-check | Ensure ALB HTTP listeners redirect to HTTPS for secure data transmission. | A.5.14 Information transfer | Information transfer rules, procedures, or agreements shall be in place for all types of transfer facilities within the organization and between the organization and other parties. |
| elb-acm-certificate-required | Ensure ELB Classic Load Balancers use ACM certificates for HTTPS/SSL listeners. | A.5.14 Information transfer | Information transfer rules, procedures, or agreements shall be in place for all types of transfer facilities within the organization and between the organization and other parties. |
| s3-bucket-public-access-block | Ensures each S3 bucket has a public access block with all settings enabled | A.5.15 Access control; A.8.3 Information access restriction | Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements.; Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control. |
| s3-bucket-acl-prohibited | Prohibit user-permission ACLs on S3 buckets; use bucket policies and Block Public Access instead. | A.5.15 Access control; A.8.3 Information access restriction | Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements.; Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control. |
| ec2-instance-disallow-public-ip | Checks that EC2 instances do not have a public IP address. | A.5.15 Access control; A.8.3 Information access restriction | Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements.; Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control. |
| rds-instance-disallow-public-access | Checks that RDS Instance public access is not enabled. | A.5.15 Access control; A.8.3 Information access restriction | Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements.; Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control. |
| rds-cluster-instance-disallow-public-access | Checks that RDS Cluster Instances public access is not enabled. | A.5.15 Access control; A.8.3 Information access restriction | Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements.; Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control. |
| neptune-clusterinstance-no-public-access | Checks that Neptune Cluster Instances public access is not enabled. | A.5.15 Access control; A.8.3 Information access restriction | Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements.; Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control. |
| dms-no-public-access | Ensures DMS replication instances are not publicly accessible to maintain security. | A.5.15 Access control; A.8.3 Information access restriction | Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements.; Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control. |
| emr-no-default-subnet | EMR clusters must specify explicit subnet configuration to prevent default subnet usage | A.5.15 Access control; A.8.3 Information access restriction | Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements.; Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control. |
| emr-no-public-ip | EMR clusters must not be deployed in public subnets that auto-assign public IP addresses | A.5.15 Access control; A.8.3 Information access restriction | Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements.; Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control. |
| redshift-public-access-prohibited | Ensures Redshift clusters prohibit public access to prevent unauthorized connections. | A.5.15 Access control; A.8.3 Information access restriction | Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements.; Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control. |
| sagemaker-notebook-internet-access-disabled | Ensures SageMaker notebook instances have direct internet access disabled. | A.5.15 Access control; A.8.3 Information access restriction | Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements.; Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control. |
| vpc-subnet-auto-assign-public-ip-disabled | Ensures VPC subnets have auto-assign public IP disabled to prevent unintended internet exposure. | A.5.15 Access control; A.8.3 Information access restriction | Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements.; Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control. |
| ec2-imdsv2-required | EC2 instances must use IMDSv2 | A.5.15 Access control; A.8.3 Information access restriction | Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements.; Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control. |
| ec2-iam-profile-required | EC2 instances must have IAM profile attached | A.5.15 Access control | Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements. |
| iam-policy-least-privilege | Ensures IAM policies follow least privilege principles | A.5.15 Access control; A.8.2 Privileged access rights | Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements.; The allocation and use of privileged access rights shall be restricted and managed. |
| iam-role-least-privilege | Ensures IAM roles follow least privilege principles | A.5.15 Access control; A.8.2 Privileged access rights | Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements.; The allocation and use of privileged access rights shall be restricted and managed. |
| iam-role-policy-least-privilege | Ensures IAM role policies follow least privilege principles | A.5.15 Access control; A.8.2 Privileged access rights | Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements.; The allocation and use of privileged access rights shall be restricted and managed. |
| iam-user-policy-least-privilege | Ensures IAM user policies follow least privilege principles | A.5.15 Access control; A.8.2 Privileged access rights | Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements.; The allocation and use of privileged access rights shall be restricted and managed. |
| iam-group-policy-least-privilege | Ensures IAM group policies follow least privilege principles | A.5.15 Access control; A.8.2 Privileged access rights | Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements.; The allocation and use of privileged access rights shall be restricted and managed. |
| pubsub-least-privilege-iam | Ensures IAM policies follow least privilege principles for Pub/Sub services (SNS, SQS, Kinesis) | A.5.15 Access control; A.8.2 Privileged access rights | Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements.; The allocation and use of privileged access rights shall be restricted and managed. |
| s3-bucket-least-privilege | Prevents overly permissive S3 bucket policies | A.5.15 Access control; A.8.2 Privileged access rights | Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements.; The allocation and use of privileged access rights shall be restricted and managed. |
| ecs-task-non-privileged-required | ECS task definitions must use non-privileged user for host mode | A.5.15 Access control; A.8.2 Privileged access rights | Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements.; The allocation and use of privileged access rights shall be restricted and managed. |
| api-gateway-authorization | Ensures API Gateway methods use strong authorization instead of NONE | A.5.15 Access control; A.8.3 Information access restriction | Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements.; Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control. |
| lambda-permission-configure-source-arn | Checks that lambda function permissions have a source arn specified. | A.5.15 Access control; A.8.3 Information access restriction | Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements.; Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control. |
| ebs-snapshot-not-publicly-restorable | Ensure EBS snapshots are not publicly restorable to prevent unauthorized data access. | A.5.15 Access control | Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements. |
| s3-bucket-policy-grantee-check | Ensure S3 bucket policies do not grant access to inappropriate principals for proper access control. | A.5.15 Access control | Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements. |
| iam-user-group-membership-required | IAM users must be members of groups for proper access management | A.5.16 Identity management; A.5.18 Access rights | The full life cycle of identities shall be managed.; Access rights to information and other associated assets shall be provisioned, reviewed, modified and removed in accordance with the organization’s topic-specific policy on and rules for access control. |
| iam-user-mfa-console-access | Ensures IAM users with console access have MFA devices | A.5.16 Identity management; A.8.5 Secure authentication | The full life cycle of identities shall be managed.; Secure authentication technologies and procedures shall be implemented based on information access restrictions and the topic-specific policy on access control. |
| iam-role-assume-role-mfa-enforcement | Ensures IAM roles require MFA when assumed by human users (not AWS services) | A.5.16 Identity management; A.8.5 Secure authentication | The full life cycle of identities shall be managed.; Secure authentication technologies and procedures shall be implemented based on information access restrictions and the topic-specific policy on access control. |
| iam-role-mfa-enforcement | IAM roles must require MFA for privileged actions | A.5.16 Identity management; A.8.5 Secure authentication | The full life cycle of identities shall be managed.; Secure authentication technologies and procedures shall be implemented based on information access restrictions and the topic-specific policy on access control. |
| iam-role-policy-mfa-enforcement | IAM role policies must require MFA for privileged actions | A.5.16 Identity management; A.8.5 Secure authentication | The full life cycle of identities shall be managed.; Secure authentication technologies and procedures shall be implemented based on information access restrictions and the topic-specific policy on access control. |
| iam-policy-mfa-enforcement | IAM policies must require MFA for privileged actions | A.5.16 Identity management; A.8.5 Secure authentication | The full life cycle of identities shall be managed.; Secure authentication technologies and procedures shall be implemented based on information access restrictions and the topic-specific policy on access control. |
| no-direct-user-access-keys | Prevents creation of direct IAM user access keys for human users | A.5.17 Authentication information; A.8.5 Secure authentication | Allocation and management of authentication information shall be controlled by a management process, including advising personnel on appropriate handling of authentication information.; Secure authentication technologies and procedures shall be implemented based on information access restrictions and the topic-specific policy on access control. |
| secrets-manager-rotation-required | Ensures Secrets Manager secrets have automatic rotation enabled with proper scheduling and frequency limits. | A.5.17 Authentication information | Allocation and management of authentication information shall be controlled by a management process, including advising personnel on appropriate handling of authentication information. |
| iam-password-policy-minimum-password-length | Ensure IAM password policy requires minimum length of 14 or greater. | A.5.17 Authentication information; A.8.5 Secure authentication | Allocation and management of authentication information shall be controlled by a management process, including advising personnel on appropriate handling of authentication information.; Secure authentication technologies and procedures shall be implemented based on information access restrictions and the topic-specific policy on access control. |
| iam-password-policy-prevent-reuse | Ensure IAM password policy prevents password reuse. | A.5.17 Authentication information; A.8.5 Secure authentication | Allocation and management of authentication information shall be controlled by a management process, including advising personnel on appropriate handling of authentication information.; Secure authentication technologies and procedures shall be implemented based on information access restrictions and the topic-specific policy on access control. |
| iam-password-expiration | IAM password policy must expire passwords | A.5.17 Authentication information; A.8.5 Secure authentication | Allocation and management of authentication information shall be controlled by a management process, including advising personnel on appropriate handling of authentication information.; Secure authentication technologies and procedures shall be implemented based on information access restrictions and the topic-specific policy on access control. |
| iam-password-complexity | IAM password policy must require character complexity (lowercase, uppercase, numbers, symbols) | A.5.17 Authentication information; A.8.5 Secure authentication | Allocation and management of authentication information shall be controlled by a management process, including advising personnel on appropriate handling of authentication information.; Secure authentication technologies and procedures shall be implemented based on information access restrictions and the topic-specific policy on access control. |
| no-hardcoded-secrets | Ensures EC2 instance userData does not contain hardcoded secrets | A.5.17 Authentication information | Allocation and management of authentication information shall be controlled by a management process, including advising personnel on appropriate handling of authentication information. |
| rds-secure-master-credentials | Ensures RDS instances use secure credential management instead of hardcoded passwords | A.5.17 Authentication information | Allocation and management of authentication information shall be controlled by a management process, including advising personnel on appropriate handling of authentication information. |
| rds-cluster-secure-master-credentials | Ensures RDS clusters use secure credential management instead of hardcoded passwords | A.5.17 Authentication information | Allocation and management of authentication information shall be controlled by a management process, including advising personnel on appropriate handling of authentication information. |
| rds-iam-authentication | Ensures RDS instances have IAM database authentication enabled | A.5.17 Authentication information; A.8.5 Secure authentication | Allocation and management of authentication information shall be controlled by a management process, including advising personnel on appropriate handling of authentication information.; Secure authentication technologies and procedures shall be implemented based on information access restrictions and the topic-specific policy on access control. |
| codebuild-project-envvar-awscred-check | Ensure CodeBuild project environment variables do not contain AWS credentials. | A.5.17 Authentication information | Allocation and management of authentication information shall be controlled by a management process, including advising personnel on appropriate handling of authentication information. |
| iam-role-inline-policy-restriction | IAM roles must not have inline policies | A.5.18 Access rights; A.8.2 Privileged access rights | Access rights to information and other associated assets shall be provisioned, reviewed, modified and removed in accordance with the organization’s topic-specific policy on and rules for access control.; The allocation and use of privileged access rights shall be restricted and managed. |
| iam-role-policy-restriction | IAM role policies (inline policy attachments) should not be used | A.5.18 Access rights; A.8.2 Privileged access rights | Access rights to information and other associated assets shall be provisioned, reviewed, modified and removed in accordance with the organization’s topic-specific policy on and rules for access control.; The allocation and use of privileged access rights shall be restricted and managed. |
| iam-group-policy-restriction | IAM group policies (inline policy attachments) should not be used | A.5.18 Access rights; A.8.2 Privileged access rights | Access rights to information and other associated assets shall be provisioned, reviewed, modified and removed in accordance with the organization’s topic-specific policy on and rules for access control.; The allocation and use of privileged access rights shall be restricted and managed. |
| iam-user-no-policies-check | Ensure IAM users follow best practices by using groups and roles instead of direct policy attachments. | A.5.18 Access rights | Access rights to information and other associated assets shall be provisioned, reviewed, modified and removed in accordance with the organization’s topic-specific policy on and rules for access control. |
| cloudwatch-alarms-actions-required | Ensures CloudWatch alarms have actions enabled and configured for proper incident response. | A.5.25 Assessment and decision on information security events; A.5.26 Response to information security incidents; A.8.16 Monitoring activities | The organization shall assess information security events and decide if they are to be categorized as information security incidents.; Information security incidents shall be responded to in accordance with the documented procedures.; Networks, systems and applications shall be monitored for anomalous behaviour and appropriate actions taken to evaluate potential information security incidents. |
| cloudwatch-log-retention | Ensures CloudWatch log groups have appropriate retention periods for compliance. | A.5.28 Collection of evidence; A.8.15 Logging | The organization shall establish and implement procedures for the identification, collection, acquisition and preservation of evidence related to information security events.; Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed. |
| s3-bucket-replication | Ensures S3 buckets have replication configured for enhanced availability | A.5.29 Information security during disruption; A.8.13 Information backup; A.5.30 ICT readiness for business continuity | The organization shall plan how to maintain information security at an appropriate level during disruption.; Backup copies of information, software and systems shall be maintained and regularly tested in accordance with the agreed topic-specific policy on backup.; ICT readiness shall be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements. |
| rds-instance-enable-backup-retention | Checks that RDS Instances backup retention policy is enabled. | A.5.29 Information security during disruption; A.8.13 Information backup; A.5.30 ICT readiness for business continuity | The organization shall plan how to maintain information security at an appropriate level during disruption.; Backup copies of information, software and systems shall be maintained and regularly tested in accordance with the agreed topic-specific policy on backup.; ICT readiness shall be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements. |
| rds-cluster-enable-backup-retention | Checks that RDS Clusters backup retention policy is enabled. | A.5.29 Information security during disruption; A.8.13 Information backup; A.5.30 ICT readiness for business continuity | The organization shall plan how to maintain information security at an appropriate level during disruption.; Backup copies of information, software and systems shall be maintained and regularly tested in accordance with the agreed topic-specific policy on backup.; ICT readiness shall be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements. |
| elasticache-backup-retention | ElastiCache Redis clusters must have automatic backup retention for 15 days | A.5.29 Information security during disruption; A.8.13 Information backup; A.5.30 ICT readiness for business continuity | The organization shall plan how to maintain information security at an appropriate level during disruption.; Backup copies of information, software and systems shall be maintained and regularly tested in accordance with the agreed topic-specific policy on backup.; ICT readiness shall be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements. |
| redshift-automatic-snapshots-required | Ensures Redshift clusters have automatic snapshots enabled with minimum 7-day retention period. | A.5.29 Information security during disruption; A.8.13 Information backup; A.5.30 ICT readiness for business continuity | The organization shall plan how to maintain information security at an appropriate level during disruption.; Backup copies of information, software and systems shall be maintained and regularly tested in accordance with the agreed topic-specific policy on backup.; ICT readiness shall be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements. |
| dynamodb-point-in-time-recovery-enabled | DynamoDB tables must have point-in-time recovery enabled | A.5.29 Information security during disruption; A.8.13 Information backup; A.5.30 ICT readiness for business continuity | The organization shall plan how to maintain information security at an appropriate level during disruption.; Backup copies of information, software and systems shall be maintained and regularly tested in accordance with the agreed topic-specific policy on backup.; ICT readiness shall be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements. |
| rds-instance-high-availability | Ensures RDS instances have Multi-AZ deployment enabled for high availability | A.5.29 Information security during disruption; A.8.14 Redundancy of information processing facilities; A.5.30 ICT readiness for business continuity | The organization shall plan how to maintain information security at an appropriate level during disruption.; Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.; ICT readiness shall be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements. |
| rds-cluster-disallow-single-availability-zone | Check that RDS Cluster doesn’t use single availability zone. | A.5.29 Information security during disruption; A.8.14 Redundancy of information processing facilities; A.5.30 ICT readiness for business continuity | The organization shall plan how to maintain information security at an appropriate level during disruption.; Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.; ICT readiness shall be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements. |
| elb-load-balancer-configure-multi-availability-zone | Check that ELB Load Balancers uses more than one availability zone. | A.5.29 Information security during disruption; A.8.14 Redundancy of information processing facilities; A.5.30 ICT readiness for business continuity | The organization shall plan how to maintain information security at an appropriate level during disruption.; Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.; ICT readiness shall be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements. |
| elb-load-balancer-enable-health-check | Check that ELB Load Balancers have a health check enabled. | A.5.29 Information security during disruption; A.8.14 Redundancy of information processing facilities; A.5.30 ICT readiness for business continuity | The organization shall plan how to maintain information security at an appropriate level during disruption.; Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.; ICT readiness shall be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements. |
| rds-deletion-protection | RDS database instances must have deletion protection enabled to prevent accidental deletion and ensure data availability | A.5.29 Information security during disruption; A.5.30 ICT readiness for business continuity | The organization shall plan how to maintain information security at an appropriate level during disruption.; ICT readiness shall be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements. |
| elb-deletion-protection | Load balancers must have deletion protection enabled | A.5.29 Information security during disruption; A.5.30 ICT readiness for business continuity | The organization shall plan how to maintain information security at an appropriate level during disruption.; ICT readiness shall be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements. |
| backup-vault-encryption | AWS Backup vaults must be encrypted with a customer-managed KMS key | A.5.33 Protection of records; A.8.13 Information backup | Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release.; Backup copies of information, software and systems shall be maintained and regularly tested in accordance with the agreed topic-specific policy on backup. |
| dax-cluster-encryption-at-rest | Require DAX clusters to enable server-side encryption at rest | A.5.33 Protection of records | Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release. |
| docdb-cluster-encryption-at-rest | Require DocumentDB clusters to enable storage encryption at rest | A.5.33 Protection of records | Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release. |
| neptune-cluster-encryption-at-rest | Neptune clusters must have storage encryption at rest enabled. | A.5.33 Protection of records | Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release. |
| elasticache-replicationgroup-encryption-at-rest | ElastiCache replication groups must have encryption at rest enabled | A.5.33 Protection of records | Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release. |
| kinesis-stream-encryption | Kinesis streams must have KMS server-side encryption enabled | A.5.33 Protection of records | Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release. |
| codebuild-project-artifact-encryption | Ensure CodeBuild project build artifacts are encrypted. | A.5.33 Protection of records | Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release. |
| codebuild-project-s3-logs-encryption | Ensure CodeBuild project S3 build logs are encrypted. | A.5.33 Protection of records | Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release. |
| cloudtrail-kms-encryption-enabled | Ensures CloudTrail trails have encryption enabled using KMS keys. | A.5.33 Protection of records; A.8.15 Logging | Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release.; Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed. |
| cloudwatch-log-group-kms-encryption-enabled | Ensures CloudWatch log groups have encryption enabled using KMS keys. | A.5.33 Protection of records; A.8.15 Logging | Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release.; Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed. |
| s3-bucket-object-lock-enabled | S3 buckets must have object lock enabled to protect audit information and prevent unauthorized deletion | A.5.33 Protection of records; A.8.15 Logging | Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release.; Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed. |
| cloudtrail-log-file-validation-enabled | Ensures CloudTrail trails have log file validation enabled to protect audit log integrity. | A.5.33 Protection of records; A.8.15 Logging | Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release.; Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed. |
| s3-bucket-encryption | S3 buckets must have server-side encryption configured using BucketServerSideEncryptionConfiguration resource | A.5.33 Protection of records; A.8.24 Use of cryptography | Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release.; Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. |
| rds-instance-disallow-unencrypted-storage | Checks that RDS instance storage is encrypted. | A.5.33 Protection of records; A.8.24 Use of cryptography | Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release.; Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. |
| rds-cluster-disallow-unencrypted-storage | Checks that RDS Clusters storage is encrypted. | A.5.33 Protection of records; A.8.24 Use of cryptography | Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release.; Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. |
| sqs-encryption | Ensures SQS queues have server-side encryption enabled | A.5.33 Protection of records; A.8.24 Use of cryptography | Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release.; Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. |
| api-gateway-cache-encryption-enabled | Ensures API Gateway method settings have cache data encryption enabled when caching is configured. | A.5.33 Protection of records; A.8.24 Use of cryptography | Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release.; Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. |
| dynamodb-kms-encryption-enabled | Ensures DynamoDB tables have encryption enabled using KMS keys. | A.5.33 Protection of records; A.8.24 Use of cryptography | Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release.; Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. |
| redshift-kms-encryption-enabled | Ensures Redshift clusters have encryption enabled using KMS keys. | A.5.33 Protection of records; A.8.24 Use of cryptography | Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release.; Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. |
| sns-kms-encryption-enabled | Ensures SNS topics have encryption enabled using KMS keys. | A.5.33 Protection of records; A.8.24 Use of cryptography | Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release.; Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. |
| elasticsearch-encryption-enabled | Elasticsearch domains must have encryption at rest enabled | A.5.33 Protection of records; A.8.24 Use of cryptography | Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release.; Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. |
| opensearch-encryption-enabled | OpenSearch domains must have encryption at rest enabled | A.5.33 Protection of records; A.8.24 Use of cryptography | Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release.; Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. |
| s3-bucket-versioning | S3 buckets must have versioning enabled using BucketVersioning resource | A.5.33 Protection of records; A.8.13 Information backup | Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release.; Backup copies of information, software and systems shall be maintained and regularly tested in accordance with the agreed topic-specific policy on backup. |
| athena-database-disallow-unencrypted-database | Checks that Athena Databases storage is encrypted. | A.5.33 Protection of records; A.8.24 Use of cryptography | Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release.; Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. |
| athena-workgroup-disallow-unencrypted-workgroup | Checks that Athena Workgroups are encrypted. | A.5.33 Protection of records; A.8.24 Use of cryptography | Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release.; Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. |
| security-hub-enabled | Ensures AWS Security Hub is enabled for continuous monitoring and security assessment. | A.5.36 Compliance with policies, rules and standards for information security; A.8.16 Monitoring activities | Compliance with the organization’s information security policy, topic-specific policies, rules and standards shall be regularly reviewed.; Networks, systems and applications shall be monitored for anomalous behaviour and appropriate actions taken to evaluate potential information security incidents. |
| security-group-default-deny | Ensures Security Groups follow default deny with explicit allow principle | A.6.7 Remote working; A.8.20 Networks security; A.8.22 Segregation of networks | Security measures shall be implemented when personnel are working remotely to protect information accessed, processed or stored outside the organization’s premises.; Networks and network devices shall be secured, managed and controlled to protect information in systems and applications.; Groups of information services, users and information systems shall be segregated in the organization’s networks. |
| sagemaker-notebook-root-access | SageMaker notebook instances must disable root access to enforce least privilege for notebook users. | A.8.2 Privileged access rights | The allocation and use of privileged access rights shall be restricted and managed. |
| codebuild-project-privileged-mode | Ensure CodeBuild projects do not run in privileged mode. | A.8.2 Privileged access rights | The allocation and use of privileged access rights shall be restricted and managed. |
| restrict-default-iam-user-creation | Ensures that default IAM user accounts are not allowed to be created | A.8.2 Privileged access rights | The allocation and use of privileged access rights shall be restricted and managed. |
| iam-role-session-duration | Enforces maximum session duration for IAM roles | A.8.2 Privileged access rights | The allocation and use of privileged access rights shall be restricted and managed. |
| eventbridge-eventbus-policy-attached | Ensure custom EventBridge event buses have a resource-based policy attached to control cross-account and cross-service access. | A.8.3 Information access restriction | Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control. |
| eventbridge-schema-registry-policy-attached | Ensure EventBridge schema registries have a resource-based policy attached to control cross-account and cross-service access. | A.8.3 Information access restriction | Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control. |
| efs-accesspoint-posix-user | EFS access points must enforce a POSIX user identity so all file system requests are made with a defined user. | A.8.3 Information access restriction | Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control. |
| opensearch-access-control-enabled | OpenSearch domains must have fine-grained access control enabled | A.8.3 Information access restriction | Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control. |
| lambda-public-access-restricted | Lambda functions must restrict public access through resource-based policies | A.8.3 Information access restriction | Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control. |
| eks-cluster-disallow-api-endpoint-public-access | Check that EKS Clusters API Endpoint are not publicly accessible. | A.8.3 Information access restriction | Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control. |
| ec2-launch-template-disallow-public-ip | Checks that EC2 Launch Templates do not have public IP addresses. | A.8.3 Information access restriction | Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control. |
| ec2-launch-configuration-disallow-public-ip | Checks that EC2 Launch Configurations do not have a public IP address. | A.8.3 Information access restriction | Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control. |
| rds-private-subnet-validation | Validates that RDS DB subnet groups contain only private subnets | A.8.3 Information access restriction | Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control. |
| database-strict-network-access | Ensures RDS instances have strict network access controls | A.8.3 Information access restriction; A.8.20 Networks security | Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control.; Networks and network devices shall be secured, managed and controlled to protect information in systems and applications. |
| neptune-cluster-iam-authentication | Neptune clusters must have IAM database authentication enabled. | A.8.5 Secure authentication | Secure authentication technologies and procedures shall be implemented based on information access restrictions and the topic-specific policy on access control. |
| rds-cluster-iam-authentication | RDS clusters must have IAM database authentication enabled | A.8.5 Secure authentication | Secure authentication technologies and procedures shall be implemented based on information access restrictions and the topic-specific policy on access control. |
| emr-kerberos-enabled | Ensure EMR clusters have Kerberos authentication enabled for enhanced security. | A.8.5 Secure authentication | Secure authentication technologies and procedures shall be implemented based on information access restrictions and the topic-specific policy on access control. |
| autoscaling-group-capacity-rebalancing | Auto Scaling groups must enable capacity rebalancing to proactively replace Spot Instances at risk of interruption. | A.8.6 Capacity management | The use of resources shall be monitored and adjusted in line with current and expected capacity requirements. |
| dynamodb-autoscaling-enabled | Ensures DynamoDB tables have auto-scaling or on-demand mode enabled for capacity management. | A.8.6 Capacity management | The use of resources shall be monitored and adjusted in line with current and expected capacity requirements. |
| guardduty-malware-detection-enabled | Ensures AWS GuardDuty is enabled with malware detection capabilities for threat protection. | A.8.7 Protection against malware; A.8.16 Monitoring activities | Protection against malware shall be implemented and supported by appropriate user awareness.; Networks, systems and applications shall be monitored for anomalous behaviour and appropriate actions taken to evaluate potential information security incidents. |
| anti-malware-edr | Ensures EC2 instances have anti-malware/EDR agents deployed | A.8.7 Protection against malware | Protection against malware shall be implemented and supported by appropriate user awareness. |
| rds-instance-managed-service-patching | Ensures RDS instances have automated minor version upgrades enabled | A.8.8 Management of technical vulnerabilities | Information about technical vulnerabilities of information systems in use shall be obtained, the organization’s exposure to such vulnerabilities shall be evaluated and appropriate measures shall be taken. |
| rds-clusterinstance-managed-service-patching | Ensures RDS cluster instances have automated minor version upgrades enabled | A.8.8 Management of technical vulnerabilities | Information about technical vulnerabilities of information systems in use shall be obtained, the organization’s exposure to such vulnerabilities shall be evaluated and appropriate measures shall be taken. |
| neptune-clusterinstance-managed-service-patching | Ensures Neptune cluster instances have automated minor version upgrades enabled | A.8.8 Management of technical vulnerabilities | Information about technical vulnerabilities of information systems in use shall be obtained, the organization’s exposure to such vulnerabilities shall be evaluated and appropriate measures shall be taken. |
| docdb-clusterinstance-managed-service-patching | Ensures DocumentDB cluster instances have automated minor version upgrades enabled | A.8.8 Management of technical vulnerabilities | Information about technical vulnerabilities of information systems in use shall be obtained, the organization’s exposure to such vulnerabilities shall be evaluated and appropriate measures shall be taken. |
| elasticbeanstalk-managed-updates-enabled | Elastic Beanstalk environments must have managed platform updates enabled | A.8.8 Management of technical vulnerabilities | Information about technical vulnerabilities of information systems in use shall be obtained, the organization’s exposure to such vulnerabilities shall be evaluated and appropriate measures shall be taken. |
| ecr-image-scanning | Ensures ECR repositories have image scanning enabled for vulnerability management | A.8.8 Management of technical vulnerabilities | Information about technical vulnerabilities of information systems in use shall be obtained, the organization’s exposure to such vulnerabilities shall be evaluated and appropriate measures shall be taken. |
| ecs-task-definition-image-scanning | Ensures ECS task definitions use images from repositories with vulnerability scanning | A.8.8 Management of technical vulnerabilities | Information about technical vulnerabilities of information systems in use shall be obtained, the organization’s exposure to such vulnerabilities shall be evaluated and appropriate measures shall be taken. |
| lambda-runtime-restrictions | Ensures that AWS Lambda functions are created only with approved runtime versions | A.8.8 Management of technical vulnerabilities | Information about technical vulnerabilities of information systems in use shall be obtained, the organization’s exposure to such vulnerabilities shall be evaluated and appropriate measures shall be taken. |
| redshift-maintenance-required | Ensures Redshift clusters have proper maintenance settings configured for automated updates. | A.8.8 Management of technical vulnerabilities | Information about technical vulnerabilities of information systems in use shall be obtained, the organization’s exposure to such vulnerabilities shall be evaluated and appropriate measures shall be taken. |
| config-recorder-enabled | Ensures AWS Config configuration recorders are enabled for tracking and auditing resource changes. | A.8.9 Configuration management | Configurations, including security configurations, of hardware, software, services and networks shall be established, documented, implemented, monitored and reviewed. |
| config-snapshot-retention | Ensures AWS Config retention configuration meets minimum 7-year requirement for compliance auditing. | A.8.9 Configuration management | Configurations, including security configurations, of hardware, software, services and networks shall be established, documented, implemented, monitored and reviewed. |
| athena-workgroup-enforce-configuration | Checks that Athena Workgroups enforce their configuration to their clients. | A.8.9 Configuration management | Configurations, including security configurations, of hardware, software, services and networks shall be established, documented, implemented, monitored and reviewed. |
| vpc-security-group-associated-to-eni | Ensure VPC security groups are associated to ENI (network interfaces) to maintain proper network security asset management. | A.8.9 Configuration management | Configurations, including security configurations, of hardware, software, services and networks shall be established, documented, implemented, monitored and reviewed. |
| vpc-network-acl-unused | Ensure VPC network ACLs are not unused to maintain proper network security asset management. | A.8.9 Configuration management | Configurations, including security configurations, of hardware, software, services and networks shall be established, documented, implemented, monitored and reviewed. |
| s3-bucket-lifecycle | Ensures each S3 bucket has lifecycle rules configured for retention/disposal | A.8.10 Information deletion | Information stored in information systems, devices or in any other storage media shall be deleted when no longer required. |
| s3-bucket-macie-access | Ensures S3 buckets allow AWS Macie access for data classification and discovery | A.8.12 Data leakage prevention | Data leakage prevention measures shall be applied to systems, networks and any other devices that process, store or transmit sensitive information. |
| docdb-cluster-backup-retention | Require DocumentDB clusters to retain automated backups for a minimum period | A.8.13 Information backup | Backup copies of information, software and systems shall be maintained and regularly tested in accordance with the agreed topic-specific policy on backup. |
| neptune-cluster-backup-retention | Neptune clusters must retain automated backups for at least the configured minimum number of days. | A.8.13 Information backup | Backup copies of information, software and systems shall be maintained and regularly tested in accordance with the agreed topic-specific policy on backup. |
| ebs-volume-in-backup-plan | Ensure EBS volumes are included in AWS Backup plans for automated backup and recovery capabilities. | A.8.13 Information backup | Backup copies of information, software and systems shall be maintained and regularly tested in accordance with the agreed topic-specific policy on backup. |
| eventbridge-global-endpoint-replication | EventBridge global endpoints must enable event replication | A.8.14 Redundancy of information processing facilities | Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements. |
| lb-multi-az | ELBv2 load balancers must span at least two Availability Zones. | A.8.14 Redundancy of information processing facilities | Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements. |
| lb-cross-zone-load-balancing | Network Load Balancers must enable cross-zone load balancing. | A.8.14 Redundancy of information processing facilities | Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements. |
| subnet-multi-az | Ensures subnets are distributed across multiple availability zones | A.8.14 Redundancy of information processing facilities; A.5.30 ICT readiness for business continuity | Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.; ICT readiness shall be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements. |
| elb-cross-zone-load-balancing-enabled | Classic Load Balancers must have cross-zone load balancing enabled | A.8.14 Redundancy of information processing facilities | Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements. |
| networkfirewall-logging-enabled | Ensure AWS Network Firewalls have a logging configuration for audit and monitoring purposes. | A.8.15 Logging | Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed. |
| ec2-clientvpn-connection-logging | Client VPN endpoints must enable connection logging to record client connection events. | A.8.15 Logging | Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed. |
| mq-broker-audit-logging | Amazon MQ brokers must enable audit logging to record user management actions. | A.8.15 Logging | Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed. |
| eks-cluster-logging | EKS clusters must enable control plane logging for all required log types. | A.8.15 Logging | Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed. |
| appsync-graphqlapi-logging | AppSync GraphQL APIs must have logging configured. | A.8.15 Logging | Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed. |
| sfn-statemachine-logging | Step Functions state machines must have execution logging enabled. | A.8.15 Logging | Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed. |
| apigateway-method-execution-logging | API Gateway method settings must enable execution logging. | A.8.15 Logging | Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed. |
| codebuild-project-logging | Ensure CodeBuild projects have an enabled log destination. | A.8.15 Logging | Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed. |
| lb-access-logging | ELBv2 load balancers must have access logging enabled. | A.8.15 Logging | Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed. |
| cloudtrail-enabled | Ensures CloudTrail is enabled with at least one active trail for audit logging. | A.8.15 Logging | Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed. |
| cloudtrail-multi-region-enabled | Ensures CloudTrail trails are configured as multi-region trails for comprehensive audit coverage. | A.8.15 Logging | Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed. |
| cloudtrail-s3-data-events-enabled | Ensures CloudTrail trails have S3 data events enabled for comprehensive object-level logging. | A.8.15 Logging | Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed. |
| cloudtrail-cloudwatch-logs-integration | Ensures CloudTrail trails have CloudWatch Logs integration enabled for real-time monitoring and analysis. | A.8.15 Logging | Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed. |
| api-gateway-access-logging | Ensures API Gateway stages have access logging enabled | A.8.15 Logging | Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed. |
| api-gateway-v2-access-logging | Ensures API Gateway V2 stages have access logging enabled | A.8.15 Logging | Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed. |
| s3-bucket-access-logging | Ensures each S3 bucket has access logging enabled | A.8.15 Logging | Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed. |
| elb-load-balancer-configure-access-logging | Check that ELB Load Balancers uses access logging. | A.8.15 Logging | Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed. |
| elasticsearch-cloudwatch-logging-enabled | Elasticsearch domains must send logs to CloudWatch for audit tracking | A.8.15 Logging | Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed. |
| redshift-logging-enabled | Ensures Redshift clusters have logging configurations enabled for audit and monitoring purposes. | A.8.15 Logging | Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed. |
| wafv2-logging-enabled | Ensures WAFv2 Web ACLs have logging configurations enabled for audit and monitoring purposes. | A.8.15 Logging | Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed. |
| rds-cluster-logging-enabled | Ensure RDS clusters have logging enabled for monitoring and audit compliance. | A.8.15 Logging | Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed. |
| cloudfront-distribution-enable-access-logging | Checks that any CloudFront distributions have access logging enabled. | A.8.15 Logging | Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed. |
| cloudfront-distribution-configure-access-logging | Checks that any CloudFront distributions have access logging configured. | A.8.15 Logging | Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed. |
| lambda-function-logging | Ensures that all AWS Lambda functions have logging enabled to track output data processing | A.8.15 Logging | Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed. |
| centralized-os-app-logging | Ensures EC2 instances have logging agents configured to forward OS/application logs to central system | A.8.15 Logging | Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed. |
| rds-instance-logging-enabled | Ensure RDS database instances have logging enabled for monitoring and audit compliance. | A.8.15 Logging | Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed. |
| vpc-subnet-flow-logs | Ensures all VPCs and subnets have flow logs enabled | A.8.15 Logging | Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed. |
| ec2-monitoring-enabled | EC2 instances must have detailed monitoring enabled | A.8.16 Monitoring activities | Networks, systems and applications shall be monitored for anomalous behaviour and appropriate actions taken to evaluate potential information security incidents. |
| rds-instance-enhanced-monitoring | RDS database instances must have enhanced monitoring enabled to provide detailed system-level metrics | A.8.16 Monitoring activities | Networks, systems and applications shall be monitored for anomalous behaviour and appropriate actions taken to evaluate potential information security incidents. |
| rds-clusterinstance-enhanced-monitoring | RDS cluster instances must have enhanced monitoring enabled to provide detailed system-level metrics | A.8.16 Monitoring activities | Networks, systems and applications shall be monitored for anomalous behaviour and appropriate actions taken to evaluate potential information security incidents. |
| vpc-nacl-no-unrestricted-ssh-rdp | Network ACLs must not allow unrestricted SSH/RDP ingress from the internet | A.8.20 Networks security | Networks and network devices shall be secured, managed and controlled to protect information in systems and applications. |
| internet-gateway-authorized-vpc | Internet gateways must only attach to authorized VPCs | A.8.20 Networks security | Networks and network devices shall be secured, managed and controlled to protect information in systems and applications. |
| ssm-document-not-public | SSM documents must not be shared publicly | A.8.20 Networks security | Networks and network devices shall be secured, managed and controlled to protect information in systems and applications. |
| elb-desync-mitigation | Classic Load Balancers must use a defensive or strictest desync mitigation mode. | A.8.20 Networks security | Networks and network devices shall be secured, managed and controlled to protect information in systems and applications. |
| networkfirewall-multi-az | Network Firewalls must span at least two Availability Zones for resilience. | A.8.20 Networks security | Networks and network devices shall be secured, managed and controlled to protect information in systems and applications. |
| networkfirewall-policy-stateless-fragment-default-action | Network Firewall policies must drop or forward fragmented packets to the stateful engine. | A.8.20 Networks security | Networks and network devices shall be secured, managed and controlled to protect information in systems and applications. |
| networkfirewall-policy-stateless-default-action | Network Firewall policies must drop or forward unmatched packets to the stateful engine. | A.8.20 Networks security | Networks and network devices shall be secured, managed and controlled to protect information in systems and applications. |
| networkfirewall-policy-rule-group-associated | Network Firewall policies must reference at least one rule group. | A.8.20 Networks security | Networks and network devices shall be secured, managed and controlled to protect information in systems and applications. |
| networkfirewall-stateless-rule-group-not-empty | Stateless Network Firewall rule groups must contain at least one rule. | A.8.20 Networks security | Networks and network devices shall be secured, managed and controlled to protect information in systems and applications. |
| s3-accesspoint-public-access-block | S3 access points must block all public access | A.8.20 Networks security | Networks and network devices shall be secured, managed and controlled to protect information in systems and applications. |
| load-balancer-waf-association | Ensures public-facing Load Balancers have WAF associations | A.8.20 Networks security | Networks and network devices shall be secured, managed and controlled to protect information in systems and applications. |
| api-gateway-waf-association | Ensures public-facing API Gateways have WAF associations | A.8.20 Networks security | Networks and network devices shall be secured, managed and controlled to protect information in systems and applications. |
| cloudfront-waf-association | Ensures CloudFront distributions have WAF associations | A.8.20 Networks security | Networks and network devices shall be secured, managed and controlled to protect information in systems and applications. |
| appsync-waf-association | Ensures public-facing AppSync GraphQL APIs have WAF associations | A.8.20 Networks security | Networks and network devices shall be secured, managed and controlled to protect information in systems and applications. |
| lambda-vpc-placement-required | Lambda functions must be deployed in VPC for network isolation and security | A.8.20 Networks security; A.8.22 Segregation of networks | Networks and network devices shall be secured, managed and controlled to protect information in systems and applications.; Groups of information services, users and information systems shall be segregated in the organization’s networks. |
| ec2-vpc-placement-required | EC2 instances must be placed in VPC for network isolation | A.8.20 Networks security; A.8.22 Segregation of networks | Networks and network devices shall be secured, managed and controlled to protect information in systems and applications.; Groups of information services, users and information systems shall be segregated in the organization’s networks. |
| elasticsearch-vpc-required | Elasticsearch domains must be deployed in VPC for network isolation | A.8.20 Networks security; A.8.22 Segregation of networks | Networks and network devices shall be secured, managed and controlled to protect information in systems and applications.; Groups of information services, users and information systems shall be segregated in the organization’s networks. |
| opensearch-vpc-required | OpenSearch domains must be deployed in VPC for network isolation | A.8.20 Networks security; A.8.22 Segregation of networks | Networks and network devices shall be secured, managed and controlled to protect information in systems and applications.; Groups of information services, users and information systems shall be segregated in the organization’s networks. |
| redshift-enhanced-vpc-routing-enabled | Ensures Redshift clusters have enhanced VPC routing enabled for network isolation. | A.8.20 Networks security; A.8.22 Segregation of networks | Networks and network devices shall be secured, managed and controlled to protect information in systems and applications.; Groups of information services, users and information systems shall be segregated in the organization’s networks. |
| vpc-route-table-internet-gateway-restricted | Ensures VPC route tables restrict public access to internet gateways appropriately. | A.8.20 Networks security; A.8.22 Segregation of networks; A.8.21 Security of network services | Networks and network devices shall be secured, managed and controlled to protect information in systems and applications.; Groups of information services, users and information systems shall be segregated in the organization’s networks.; Security mechanisms, service levels and service requirements of network services shall be identified, implemented and monitored. |
| vpc-endpoint-security-policy | Ensures that VPC endpoints are associated with security policies that limit access to specified resources | A.8.21 Security of network services | Security mechanisms, service levels and service requirements of network services shall be identified, implemented and monitored. |
| ebs-volume-disallow-unencrypted-volume | Checks that EBS volumes are encrypted. | A.8.24 Use of cryptography | Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. |
| ec2-instance-disallow-unencrypted-block-device | Checks that EC2 instances do not have unencrypted block devices. | A.8.24 Use of cryptography | Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. |
| ec2-instance-disallow-unencrypted-root-block-device | Checks that EC2 instances does not have unencrypted root volumes. | A.8.24 Use of cryptography | Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. |
| efs-file-system-disallow-unencrypted-file-system | Checks that EFS File Systems do not have an unencrypted file system. | A.8.24 Use of cryptography | Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. |
| secrets-manager-secret-configure-customer-managed-key | Check that Secrets Manager Secrets use a customer-manager KMS key. | A.8.24 Use of cryptography | Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. |
| sagemaker-endpoint-kms-encryption-enabled | Ensures SageMaker endpoint configurations have encryption enabled using KMS keys. | A.8.24 Use of cryptography | Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. |
| sagemaker-notebook-kms-encryption-enabled | Ensures SageMaker notebook instances have encryption enabled using KMS keys. | A.8.24 Use of cryptography | Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. |
| kms-key-enable-key-rotation | Checks that KMS Keys have key rotation enabled. | A.8.24 Use of cryptography | Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. |
| kms-key-creation | Validates KMS key creation with appropriate specifications and origins | A.8.24 Use of cryptography | Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. |
| ecr-repository-disallow-unencrypted-repository | Checks that ECR Repositories are encrypted. | A.8.24 Use of cryptography | Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. |
| eks-cluster-enable-cluster-encryption-config | Check that EKS Cluster Encryption Config is enabled. | A.8.24 Use of cryptography | Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. |
| lambda-environment-variables-encryption | Ensures that all Lambda functions have their environment variables encrypted using AWS KMS | A.8.24 Use of cryptography | Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. |
| ec2-launch-template-disallow-unencrypted-block-device | Checks that EC2 Launch Templates do not have unencrypted block device. | A.8.24 Use of cryptography | Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. |
| ec2-launch-configuration-disallow-unencrypted-block-device | Checks that EC2 Launch Configurations do not have unencrypted block devices. | A.8.24 Use of cryptography | Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. |
| ec2-launch-configuration-disallow-unencrypted-root-block-device | Checks that EC2 launch configuration do not have unencrypted root block device. | A.8.24 Use of cryptography | Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. |
| kms-grant-access-control | Validates KMS grants for least privilege access control | A.8.24 Use of cryptography | Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. |
| kms-key-policy-access-control | Validates KMS key policies for least privilege and separation of duties | A.8.24 Use of cryptography | Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. |
| appflow-connector-profile-configure-customer-managed-key | Check that AppFlow ConnectorProfile uses a customer-managed KMS key. | A.8.24 Use of cryptography | Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. |
| appflow-flow-configure-customer-managed-key | Check that AppFlow Flow uses a customer-managed KMS key. | A.8.24 Use of cryptography | Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. |
| athena-database-configure-customer-managed-key | Checks that Athena Databases storage uses a customer-managed-key. | A.8.24 Use of cryptography | Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. |
| athena-workgroup-configure-customer-managed-key | Checks that Athena Workgroups use a customer-managed-key. | A.8.24 Use of cryptography | Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. |
| ebs-volume-configure-customer-managed-key | Check that encrypted EBS volumes use a customer-managed KMS key. | A.8.24 Use of cryptography | Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. |
| ec2-launch-template-configure-customer-managed-key | Check that encrypted EBS volume uses a customer-managed KMS key. | A.8.24 Use of cryptography | Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. |
| ecr-repository-configure-customer-managed-key | Checks that ECR repositories use a customer-managed KMS key. | A.8.24 Use of cryptography | Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. |
| efs-file-system-configure-customer-managed-key | Check that encrypted EFS File system uses a customer-managed KMS key. | A.8.24 Use of cryptography | Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. |
| rds-cluster-configure-customer-managed-key | Checks that RDS Clusters storage uses a customer-managed KMS key. | A.8.24 Use of cryptography | Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. |
| rds-instance-configure-customer-managed-key | Checks that RDS Instance storage uses a customer-managed KMS key. | A.8.24 Use of cryptography | Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. |