NIST SP 800-53 - AWS
This page lists all 139 policies in the NIST SP 800-53 pack for AWS.
| Policy Name | Description | Framework Reference | Framework Specification |
|---|---|---|---|
| security-group-ssh-rdp | Ensures security groups do not allow SSH/RDP from the internet | AC-17 Remote Access | The organization establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed. |
| iam-user-group-membership-required | IAM users must be members of groups for proper access management | AC-2 Account Management | The organization manages information system accounts, including establishing, activating, modifying, reviewing, disabling, and removing accounts. |
| iam-role-inline-policy-restriction | IAM roles must not have inline policies | AC-2 Account Management | The organization manages information system accounts, including establishing, activating, modifying, reviewing, disabling, and removing accounts. |
| iam-role-policy-restriction | IAM role policies (inline policy attachments) should not be used | AC-2 Account Management | The organization manages information system accounts, including establishing, activating, modifying, reviewing, disabling, and removing accounts. |
| iam-user-policy-restriction | IAM user policies (inline policy attachments) should not be used | AC-2 Account Management | The organization manages information system accounts, including establishing, activating, modifying, reviewing, disabling, and removing accounts. |
| iam-group-policy-restriction | IAM group policies (inline policy attachments) should not be used | AC-2 Account Management | The organization manages information system accounts, including establishing, activating, modifying, reviewing, disabling, and removing accounts. |
| s3-bucket-public-access-block | Ensures each S3 bucket has a public access block with all settings enabled | AC-3 Access Enforcement | The information system enforces approved authorizations for logical access to information and system resources. |
| s3-bucket-disallow-public-read | Checks that S3 Bucket ACLs don’t allow ‘public-read’ or ‘public-read-write’ or ‘authenticated-read’. | AC-3 Access Enforcement | The information system enforces approved authorizations for logical access to information and system resources. |
| ec2-instance-disallow-public-ip | Checks that EC2 instances do not have a public IP address. | AC-3 Access Enforcement | The information system enforces approved authorizations for logical access to information and system resources. |
| rds-instance-disallow-public-access | Checks that RDS Instance public access is not enabled. | AC-3 Access Enforcement | The information system enforces approved authorizations for logical access to information and system resources. |
| rds-cluster-instance-disallow-public-access | Checks that RDS Cluster Instance public access is not enabled. | AC-3 Access Enforcement | The information system enforces approved authorizations for logical access to information and system resources. |
| neptune-clusterinstance-no-public-access | Checks that Neptune Cluster Instance public access is not enabled. | AC-3 Access Enforcement | The information system enforces approved authorizations for logical access to information and system resources. |
| dms-no-public-access | Ensures DMS replication instances are not publicly accessible to maintain security. | AC-3 Access Enforcement | The information system enforces approved authorizations for logical access to information and system resources. |
| ecs-task-non-privileged-required | ECS task definitions must use non-privileged user for host mode | AC-3 Access Enforcement | The information system enforces approved authorizations for logical access to information and system resources. |
| emr-no-default-subnet | EMR clusters must specify explicit subnet configuration to prevent default subnet usage | AC-3 Access Enforcement | The information system enforces approved authorizations for logical access to information and system resources. |
| emr-no-public-ip | EMR clusters must not be deployed in public subnets that auto-assign public IP addresses | AC-3 Access Enforcement | The information system enforces approved authorizations for logical access to information and system resources. |
| lambda-public-access-restricted | Lambda functions must restrict public access through resource-based policies | AC-3 Access Enforcement | The information system enforces approved authorizations for logical access to information and system resources. |
| redshift-public-access-prohibited | Ensures Redshift clusters prohibit public access to prevent unauthorized connections. | AC-3 Access Enforcement | The information system enforces approved authorizations for logical access to information and system resources. |
| sagemaker-notebook-internet-access-disabled | Ensures SageMaker notebook instances have direct internet access disabled. | AC-3 Access Enforcement | The information system enforces approved authorizations for logical access to information and system resources. |
| vpc-subnet-auto-assign-public-ip-disabled | Ensures VPC subnets have auto-assign public IP disabled to prevent unintended internet exposure. | AC-3 Access Enforcement | The information system enforces approved authorizations for logical access to information and system resources. |
| ec2-iam-profile-required | EC2 instances must have IAM profile attached | AC-3 Access Enforcement | The information system enforces approved authorizations for logical access to information and system resources. |
| iam-policy-least-privilege | Ensures IAM policies follow least privilege principles | AC-6 Least Privilege | The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks. |
| iam-role-least-privilege | Ensures IAM roles follow least privilege principles | AC-6 Least Privilege | The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks. |
| iam-role-policy-least-privilege | Ensures IAM role policies follow least privilege principles | AC-6 Least Privilege | The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks. |
| iam-user-policy-least-privilege | Ensures IAM user policies follow least privilege principles | AC-6 Least Privilege | The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks. |
| iam-group-policy-least-privilege | Ensures IAM group policies follow least privilege principles | AC-6 Least Privilege | The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks. |
| pubsub-least-privilege-iam | Ensures IAM policies follow least privilege principles for Pub/Sub services (SNS, SQS, Kinesis) | AC-6 Least Privilege | The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks. |
| s3-bucket-least-privilege | Prevents overly permissive S3 bucket policies | AC-6 Least Privilege | The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks. |
| cloudwatch-log-retention | Ensures CloudWatch log groups have appropriate retention periods for compliance. | AU-11 Audit Record Retention | The organization retains audit records for a defined time period consistent with records retention policy. |
| cloudtrail-enabled | Ensures CloudTrail is enabled with at least one active trail for audit logging. | AU-12 Audit Generation | The information system provides audit record generation capability for the auditable events defined in AU-2 at organization-defined information system components. |
| cloudtrail-multi-region-enabled | Ensures CloudTrail trails are configured as multi-region trails for comprehensive audit coverage. | AU-12 Audit Generation | The information system provides audit record generation capability for the auditable events defined in AU-2 at organization-defined information system components. |
| api-gateway-access-logging | Ensures API Gateway stages have access logging enabled | AU-2 Audit Events | The organization determines that the information system is capable of auditing events and coordinates the security audit function with other organizational entities requiring audit-related information. |
| api-gateway-v2-access-logging | Ensures API Gateway V2 stages have access logging enabled | AU-2 Audit Events | The organization determines that the information system is capable of auditing events and coordinates the security audit function with other organizational entities requiring audit-related information. |
| s3-bucket-access-logging | Ensures each S3 bucket has access logging enabled | AU-2 Audit Events | The organization determines that the information system is capable of auditing events and coordinates the security audit function with other organizational entities requiring audit-related information. |
| vpc-flow-logs | Ensures VPC flow logs use approved destinations for centralized monitoring | AU-2 Audit Events | The organization determines that the information system is capable of auditing events and coordinates the security audit function with other organizational entities requiring audit-related information. |
| elb-load-balancer-configure-access-logging | Checks that ELB Load Balancers use access logging. | AU-2 Audit Events | The organization determines that the information system is capable of auditing events and coordinates the security audit function with other organizational entities requiring audit-related information. |
| cloudtrail-s3-data-events-enabled | Ensures CloudTrail trails have S3 data events enabled for comprehensive object-level logging. | AU-2 Audit Events | The organization determines that the information system is capable of auditing events and coordinates the security audit function with other organizational entities requiring audit-related information. |
| elasticsearch-cloudwatch-logging-enabled | Elasticsearch domains must send logs to CloudWatch for audit tracking | AU-2 Audit Events | The organization determines that the information system is capable of auditing events and coordinates the security audit function with other organizational entities requiring audit-related information. |
| redshift-logging-enabled | Ensures Redshift clusters have logging configurations enabled for audit and monitoring purposes. | AU-2 Audit Events | The organization determines that the information system is capable of auditing events and coordinates the security audit function with other organizational entities requiring audit-related information. |
| wafv2-logging-enabled | Ensures WAFv2 Web ACLs have logging configurations enabled for audit and monitoring purposes. | AU-2 Audit Events | The organization determines that the information system is capable of auditing events and coordinates the security audit function with other organizational entities requiring audit-related information. |
| rds-audit-logging | Ensures RDS instances have audit logging enabled | AU-2 Audit Events | The organization determines that the information system is capable of auditing events and coordinates the security audit function with other organizational entities requiring audit-related information. |
| rds-cluster-logging-enabled | Ensure RDS clusters have logging enabled for monitoring and audit compliance. | AU-2 Audit Events | The organization determines that the information system is capable of auditing events and coordinates the security audit function with other organizational entities requiring audit-related information. |
| sqs-dead-letter-queue | Ensures SQS queues have dead letter queue configuration | AU-5 Response to Audit Processing Failures | The information system alerts designated organizational officials in the event of an audit processing failure and takes additional actions. |
| s3-bucket-notifications-enabled | S3 buckets must have event notifications enabled to alert personnel of important bucket activities | AU-5 Response to Audit Processing Failures | The information system alerts designated organizational officials in the event of an audit processing failure and takes additional actions. |
| cloudtrail-cloudwatch-logs-integration | Ensures CloudTrail trails have CloudWatch Logs integration enabled for real-time monitoring and analysis. | AU-6 Audit Review, Analysis, and Reporting | The organization reviews and analyzes information system audit records regularly for indications of inappropriate or unusual activity. |
| cloudtrail-kms-encryption-enabled | Ensures CloudTrail trails have encryption enabled using KMS keys. | AU-9 Protection of Audit Information | The information system protects audit information and audit tools from unauthorized access, modification, and deletion. |
| cloudwatch-log-group-kms-encryption-enabled | Ensures CloudWatch log groups have encryption enabled using KMS keys. | AU-9 Protection of Audit Information | The information system protects audit information and audit tools from unauthorized access, modification, and deletion. |
| s3-bucket-object-lock-enabled | S3 buckets must have object lock enabled to protect audit information and prevent unauthorized deletion | AU-9 Protection of Audit Information | The information system protects audit information and audit tools from unauthorized access, modification, and deletion. |
| cloudtrail-s3-bucket-public-access-denied | Ensures S3 buckets used for CloudTrail logging deny public access to protect audit information. | AU-9 Protection of Audit Information | The information system protects audit information and audit tools from unauthorized access, modification, and deletion. |
| cloudtrail-log-file-validation-enabled | Ensures CloudTrail trails have log file validation enabled to protect audit log integrity. | AU-9 Protection of Audit Information | The information system protects audit information and audit tools from unauthorized access, modification, and deletion. |
| autoscaling-health-checks-enabled | Ensures Auto Scaling groups with load balancers have ELB health checks configured for proper monitoring. | CA-7 Continuous Monitoring | The organization develops a continuous monitoring strategy and implements a continuous monitoring program. |
| rds-instance-enhanced-monitoring | RDS database instances must have enhanced monitoring enabled to provide detailed system-level metrics | CA-7 Continuous Monitoring | The organization develops a continuous monitoring strategy and implements a continuous monitoring program. |
| rds-clusterinstance-enhanced-monitoring | RDS cluster instances must have enhanced monitoring enabled to provide detailed system-level metrics | CA-7 Continuous Monitoring | The organization develops a continuous monitoring strategy and implements a continuous monitoring program. |
| security-hub-enabled | Ensures AWS Security Hub is enabled for continuous monitoring and security assessment. | CA-7 Continuous Monitoring | The organization develops a continuous monitoring strategy and implements a continuous monitoring program. |
| elasticbeanstalk-health-reporting-enabled | Elastic Beanstalk must have enhanced health reporting enabled | CA-7 Continuous Monitoring | The organization develops a continuous monitoring strategy and implements a continuous monitoring program. |
| config-snapshot-retention | Ensures AWS Config retention configuration meets minimum 7-year requirement for compliance auditing. | CM-2 Baseline Configuration | The organization develops, documents, and maintains a current baseline configuration of the information system. |
| config-recorder-enabled | Ensures AWS Config configuration recorders are enabled for tracking and auditing resource changes. | CM-3 Configuration Change Control | The organization determines the types of changes to the information system that are configuration-controlled. |
| redshift-maintenance-required | Ensures Redshift clusters have proper maintenance settings configured for automated updates. | CM-3 Configuration Change Control | The organization determines the types of changes to the information system that are configuration-controlled. |
| ebs-unused-volumes-prohibited | EBS volumes must be removed when unused | CM-8 Information System Component Inventory | The organization develops and documents an inventory of information system components that accurately reflects the current information system. |
| dynamodb-point-in-time-recovery-enabled | DynamoDB tables must have point-in-time recovery enabled | CP-10 Information System Recovery and Reconstitution | The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure. |
| ec2-ebs-optimized-required | EC2 instances must be EBS optimized | CP-10 Information System Recovery and Reconstitution | The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure. |
| rds-instance-high-availability | Ensures RDS instances have Multi-AZ deployment enabled for high availability | CP-2 Contingency Plan | The organization develops a contingency plan for the information system that identifies essential missions and business functions. |
| rds-deletion-protection | RDS database instances must have deletion protection enabled to prevent accidental deletion and ensure data availability | CP-2 Contingency Plan | The organization develops a contingency plan for the information system that identifies essential missions and business functions. |
| elb-deletion-protection | Load balancers must have deletion protection enabled | CP-2 Contingency Plan | The organization develops a contingency plan for the information system that identifies essential missions and business functions. |
| rds-cluster-disallow-single-availability-zone | Checks that RDS Clusters do not use a single availability zone. | CP-2 Contingency Plan | The organization develops a contingency plan for the information system that identifies essential missions and business functions. |
| elb-load-balancer-configure-multi-availability-zone | Checks that ELB Load Balancers use more than one availability zone. | CP-2 Contingency Plan | The organization develops a contingency plan for the information system that identifies essential missions and business functions. |
| elb-load-balancer-enable-health-check | Checks that ELB Load Balancers have a health check enabled. | CP-2 Contingency Plan | The organization develops a contingency plan for the information system that identifies essential missions and business functions. |
| s3-bucket-replication | Ensures S3 buckets have replication configured for enhanced availability | CP-9 Information System Backup | The organization conducts backups of user-level information contained in the information system, system-level information, and information system documentation. |
| s3-bucket-versioning | S3 buckets must have versioning enabled using BucketVersioning resource | CP-9 Information System Backup | The organization conducts backups of user-level information contained in the information system, system-level information, and information system documentation. |
| rds-instance-enable-backup-retention | Checks that RDS Instances have a backup retention policy enabled. | CP-9 Information System Backup | The organization conducts backups of user-level information contained in the information system, system-level information, and information system documentation. |
| rds-cluster-enable-backup-retention | Checks that RDS Clusters have a backup retention policy enabled. | CP-9 Information System Backup | The organization conducts backups of user-level information contained in the information system, system-level information, and information system documentation. |
| elasticache-backup-retention | ElastiCache Redis clusters must have automatic backup retention for 15 days | CP-9 Information System Backup | The organization conducts backups of user-level information contained in the information system, system-level information, and information system documentation. |
| redshift-automatic-snapshots-required | Ensures Redshift clusters have automatic snapshots enabled with minimum 7-day retention period. | CP-9 Information System Backup | The organization conducts backups of user-level information contained in the information system, system-level information, and information system documentation. |
| iam-user-mfa-console-access | Ensures IAM users with console access have MFA devices | IA-2 Identification and Authentication (Organizational Users) | The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users). |
| iam-role-assume-role-mfa-enforcement | Ensures IAM roles require MFA when assumed by human users (not AWS services) | IA-2 Identification and Authentication (Organizational Users) | The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users). |
| iam-role-mfa-enforcement | IAM roles must require MFA for privileged actions | IA-2 Identification and Authentication (Organizational Users) | The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users). |
| iam-role-policy-mfa-enforcement | IAM role policies must require MFA for privileged actions | IA-2 Identification and Authentication (Organizational Users) | The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users). |
| iam-policy-mfa-enforcement | IAM policies must require MFA for privileged actions | IA-2 Identification and Authentication (Organizational Users) | The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users). |
| iam-password-policy-minimum-password-length | Ensure IAM password policy requires minimum length of 14 or greater. | IA-5 Authenticator Management | The organization manages information system authenticators by verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator. |
| iam-password-policy-prevent-reuse | Ensure IAM password policy prevents password reuse. | IA-5 Authenticator Management | The organization manages information system authenticators by verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator. |
| iam-password-expiration | IAM password policy must expire passwords | IA-5 Authenticator Management | The organization manages information system authenticators by verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator. |
| iam-password-complexity | IAM password policy must require character complexity (lowercase, uppercase, numbers, symbols) | IA-5 Authenticator Management | The organization manages information system authenticators by verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator. |
| no-direct-user-access-keys | Prevents creation of direct IAM user access keys for human users | IA-5 Authenticator Management | The organization manages information system authenticators by verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator. |
| secrets-manager-rotation-required | Ensures Secrets Manager secrets have automatic rotation enabled with proper scheduling and frequency limits. | IA-5 Authenticator Management | The organization manages information system authenticators by verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator. |
| cloudwatch-alarms-actions-required | Ensures CloudWatch alarms have actions enabled and configured for proper incident response. | IR-4 Incident Handling | The organization implements incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery. |
| lambda-dead-letter-queue-required | Lambda functions must have dead letter queues configured for error handling and incident response | IR-4 Incident Handling | The organization implements incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery. |
| s3-bucket-lifecycle | Ensures each S3 bucket has lifecycle rules configured for retention/disposal | MP-6 Media Sanitization | The organization sanitizes information system media, both paper and digital, prior to disposal, release out of organizational control, or release for reuse. |
| kms-key-enable-key-rotation | Checks that KMS Keys have key rotation enabled. | SC-12 Cryptographic Key Establishment and Management | The organization establishes and manages cryptographic keys for required cryptography employed within the information system. |
| kms-key-deletion-lifecycle | Validates KMS key deletion windows and lifecycle management | SC-12 Cryptographic Key Establishment and Management | The organization establishes and manages cryptographic keys for required cryptography employed within the information system. |
| kms-key-creation | Validates KMS key creation with appropriate specifications and origins | SC-12 Cryptographic Key Establishment and Management | The organization establishes and manages cryptographic keys for required cryptography employed within the information system. |
| vpc-peering-dns-resolution-enabled | Ensures VPC peering connections have DNS resolution enabled for proper name resolution. | SC-20 Secure Name / Address Resolution Service (Authoritative Source) | The information system provides additional data origin and integrity artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries. |
| s3-bucket-encryption | S3 buckets must have server-side encryption configured using BucketServerSideEncryptionConfiguration resource | SC-28 Protection of Information at Rest | The information system protects the confidentiality and integrity of information at rest. |
| rds-instance-disallow-unencrypted-storage | Checks that RDS instance storage is encrypted. | SC-28 Protection of Information at Rest | The information system protects the confidentiality and integrity of information at rest. |
| rds-cluster-disallow-unencrypted-storage | Checks that RDS Cluster storage is encrypted. | SC-28 Protection of Information at Rest | The information system protects the confidentiality and integrity of information at rest. |
| ebs-volume-disallow-unencrypted-volume | Checks that EBS volumes are encrypted. | SC-28 Protection of Information at Rest | The information system protects the confidentiality and integrity of information at rest. |
| ec2-instance-disallow-unencrypted-block-device | Checks that EC2 instances do not have unencrypted block devices. | SC-28 Protection of Information at Rest | The information system protects the confidentiality and integrity of information at rest. |
| ec2-instance-disallow-unencrypted-root-block-device | Checks that EC2 instances do not have unencrypted root volumes. | SC-28 Protection of Information at Rest | The information system protects the confidentiality and integrity of information at rest. |
| efs-file-system-disallow-unencrypted-file-system | Checks that EFS File Systems do not have an unencrypted file system. | SC-28 Protection of Information at Rest | The information system protects the confidentiality and integrity of information at rest. |
| sqs-encryption | Ensures SQS queues have server-side encryption enabled | SC-28 Protection of Information at Rest | The information system protects the confidentiality and integrity of information at rest. |
| secrets-manager-secret-configure-customer-managed-key | Checks that Secrets Manager Secrets use a customer-managed KMS key. | SC-28 Protection of Information at Rest | The information system protects the confidentiality and integrity of information at rest. |
| api-gateway-cache-encryption-enabled | Ensures API Gateway method settings have cache data encryption enabled when caching is configured. | SC-28 Protection of Information at Rest | The information system protects the confidentiality and integrity of information at rest. |
| dynamodb-kms-encryption-enabled | Ensures DynamoDB tables have encryption enabled using KMS keys. | SC-28 Protection of Information at Rest | The information system protects the confidentiality and integrity of information at rest. |
| redshift-kms-encryption-enabled | Ensures Redshift clusters have encryption enabled using KMS keys. | SC-28 Protection of Information at Rest | The information system protects the confidentiality and integrity of information at rest. |
| sagemaker-endpoint-kms-encryption-enabled | Ensures SageMaker endpoint configurations have encryption enabled using KMS keys. | SC-28 Protection of Information at Rest | The information system protects the confidentiality and integrity of information at rest. |
| sagemaker-notebook-kms-encryption-enabled | Ensures SageMaker notebook instances have encryption enabled using KMS keys. | SC-28 Protection of Information at Rest | The information system protects the confidentiality and integrity of information at rest. |
| sns-kms-encryption-enabled | Ensures SNS topics have encryption enabled using KMS keys. | SC-28 Protection of Information at Rest | The information system protects the confidentiality and integrity of information at rest. |
| elasticsearch-encryption-enabled | Elasticsearch domains must have encryption at rest enabled | SC-28 Protection of Information at Rest | The information system protects the confidentiality and integrity of information at rest. |
| dynamodb-auto-scaling-enabled | Ensures DynamoDB tables have auto-scaling or on-demand mode enabled for capacity management. | SC-5 Denial of Service Protection | The information system protects against or limits the effects of denial of service attacks. |
| lambda-concurrent-execution-limits-required | Lambda functions must have concurrent execution limits configured to protect resource availability | SC-5 Denial of Service Protection | The information system protects against or limits the effects of denial of service attacks. |
| limit-lambda-execution-time | Ensures that AWS Lambda functions are configured to time out after a specified duration to prevent extended access | SC-5 Denial of Service Protection | The information system protects against or limits the effects of denial of service attacks. |
| shield-advanced-enabled | Ensures AWS Shield Advanced is enabled for DDoS protection. | SC-5 Denial of Service Protection | The information system protects against or limits the effects of denial of service attacks. |
| elb-cross-zone-load-balancing-enabled | Classic Load Balancers must have cross-zone load balancing enabled | SC-5 Denial of Service Protection | The information system protects against or limits the effects of denial of service attacks. |
| security-group-default-deny | Ensures Security Groups follow default deny with explicit allow principle | SC-7 Boundary Protection | The information system monitors and controls communications at the external boundary of the system and at key internal boundaries within the system. |
| security-group-strict | Ensures security groups follow strict firewall rules with default deny | SC-7 Boundary Protection | The information system monitors and controls communications at the external boundary of the system and at key internal boundaries within the system. |
| load-balancer-waf-association | Ensures public-facing Load Balancers have WAF associations | SC-7 Boundary Protection | The information system monitors and controls communications at the external boundary of the system and at key internal boundaries within the system. |
| api-gateway-waf-enabled | Ensures API Gateway stages have WAF Web ACL associations for protection against web attacks. | SC-7 Boundary Protection | The information system monitors and controls communications at the external boundary of the system and at key internal boundaries within the system. |
| elb-waf-enabled | Application Load Balancers must have WAF enabled | SC-7 Boundary Protection | The information system monitors and controls communications at the external boundary of the system and at key internal boundaries within the system. |
| lambda-vpc-placement-required | Lambda functions must be deployed in VPC for network isolation and security | SC-7 Boundary Protection | The information system monitors and controls communications at the external boundary of the system and at key internal boundaries within the system. |
| redshift-enhanced-vpc-routing-enabled | Ensures Redshift clusters have enhanced VPC routing enabled for network isolation. | SC-7 Boundary Protection | The information system monitors and controls communications at the external boundary of the system and at key internal boundaries within the system. |
| vpc-route-table-internet-gateway-restricted | Ensures VPC route tables restrict public access to internet gateways appropriately. | SC-7 Boundary Protection | The information system monitors and controls communications at the external boundary of the system and at key internal boundaries within the system. |
| ec2-vpc-placement-required | EC2 instances must be placed in VPC for network isolation | SC-7 Boundary Protection | The information system monitors and controls communications at the external boundary of the system and at key internal boundaries within the system. |
| elasticsearch-vpc-required | Elasticsearch domains must be deployed in VPC for network isolation | SC-7 Boundary Protection | The information system monitors and controls communications at the external boundary of the system and at key internal boundaries within the system. |
| elb-load-balancer-disallow-unencrypted-traffic | Check that ELB Load Balancers do not allow unencrypted (HTTP) traffic. | SC-8 Transmission Confidentiality and Integrity | The information system protects the confidentiality and integrity of transmitted information. |
| api-gateway-ssl-certificate-required | Ensures API Gateway REST API stages have client certificates configured for SSL/TLS authentication to protect data in transit. | SC-8 Transmission Confidentiality and Integrity | The information system protects the confidentiality and integrity of transmitted information. |
| redshift-ssl-required | Ensures Redshift clusters have encryption in transit enabled through SSL parameter configuration. | SC-8 Transmission Confidentiality and Integrity | The information system protects the confidentiality and integrity of transmitted information. |
| ec2-imdsv2-required | EC2 instances must use IMDSv2 | SC-8 Transmission Confidentiality and Integrity | The information system protects the confidentiality and integrity of transmitted information. |
| elasticsearch-https-required | Elasticsearch domains must require HTTPS for client connections | SC-8 Transmission Confidentiality and Integrity | The information system protects the confidentiality and integrity of transmitted information. |
| elasticsearch-node-to-node-encryption-enabled | Elasticsearch domains must have node-to-node encryption enabled | SC-8 Transmission Confidentiality and Integrity | The information system protects the confidentiality and integrity of transmitted information. |
| s3-bucket-ssl-enforcement-required | S3 buckets must enforce SSL/TLS for all requests to ensure encryption in transit | SC-8 Transmission Confidentiality and Integrity | The information system protects the confidentiality and integrity of transmitted information. |
| rds-instance-ssl-encryption | Ensures RDS instances have SSL/TLS encryption enabled through parameter group configuration | SC-8 Transmission Confidentiality and Integrity | The information system protects the confidentiality and integrity of transmitted information. |
| rds-clusterinstance-ssl-encryption | Ensures RDS cluster instances have SSL/TLS encryption enabled through parameter group configuration | SC-8 Transmission Confidentiality and Integrity | The information system protects the confidentiality and integrity of transmitted information. |
| rds-instance-managed-service-patching | Ensures RDS instances have automated minor version upgrades enabled | SI-2 Flaw Remediation | The organization identifies, reports, and corrects information system flaws. |
| rds-clusterinstance-managed-service-patching | Ensures RDS cluster instances have automated minor version upgrades enabled | SI-2 Flaw Remediation | The organization identifies, reports, and corrects information system flaws. |
| neptune-clusterinstance-managed-service-patching | Ensures Neptune cluster instances have automated minor version upgrades enabled | SI-2 Flaw Remediation | The organization identifies, reports, and corrects information system flaws. |
| docdb-clusterinstance-managed-service-patching | Ensures DocumentDB cluster instances have automated minor version upgrades enabled | SI-2 Flaw Remediation | The organization identifies, reports, and corrects information system flaws. |
| elasticbeanstalk-managed-updates-enabled | Elastic Beanstalk environments must have managed platform updates enabled | SI-2 Flaw Remediation | The organization identifies, reports, and corrects information system flaws. |
| guardduty-malware-detection-enabled | Ensures AWS GuardDuty is enabled with malware detection capabilities for threat protection. | SI-3 Malicious Code Protection | The organization implements malicious code protection mechanisms at information system entry and exit points. |
| ec2-monitoring-enabled | EC2 instances must have detailed monitoring enabled | SI-4 Information System Monitoring | The organization monitors the information system to detect attacks and indicators of potential attacks. |
| config-rule-auto-remediation-enabled | Ensures AWS Config rules have automatic remediation configured for integrity violations. | SI-7 Software, Firmware, and Information Integrity | The organization employs integrity verification tools to detect unauthorized changes to software, firmware, and information. |