General policies

Ensure EC2 instances have tags

Ensure an unused EBS volume is attached to an instance

Ensure AWS EBS volumes are encrypted

Ensure AWS RDS DB cluster encryption is enabled

Ensure AWS CloudFront distribution is using secure SSL protocols for HTTPS communication

Ensure DynamoDB PITR is enabled

Ensure all data stored in the EBS snapshot is securely encrypted

Ensure ECR image scan on push is enabled

Ensure AWS ElastiCache Redis cluster with encryption for data at rest is enabled

Ensure AWS ElastiCache Redis cluster with in-transit encryption is enabled

Ensure all data stored in the ElastiCache Replication Group is securely encrypted in-transit

Ensure EBS volumes have encrypted launch configurations

Ensure all data stored in SageMaker is securely encrypted at rest

Ensure AWS SNS topic has SSE enabled

Ensure AWS SQS server side encryption is enabled

Ensure AWS EFS with encryption for data at rest is enabled

Ensure Neptune storage is securely encrypted

Ensure all unused Elastic IPs are deleted

Ensure unused network interfaces are deleted

Ensure unused Elastic Load Balancers are deleted

Ensure AWS Kinesis streams are encrypted using SSE

Ensure DAX is securely encrypted at rest

Ensure ECR image tags are immutable

Ensure AWS Redshift cluster is encrypted using CMK

Ensure AWS resources that support tags have tags

Ensure CloudFront distribution has WAF enabled

Ensure DocumentDB is encrypted at rest

Ensure Athena Database is encrypted at rest

Ensure CodeBuild project encryption is not disabled

Ensure Instance Metadata Service version 1 is not enabled

Ensure MSK cluster encryption at rest and in transit is enabled

Ensure Athena workgroup prevents disabling encryption

Ensure instances with scheduled reboots are rescheduled or manually rebooted

Ensure PGAudit is enabled on RDS Postgres instances

Ensure Glue Data Catalog encryption is enabled

Ensure all data stored in Aurora is securely encrypted at rest

Ensure EFS volumes in ECS task definitions have encryption in transit enabled

Ensure AWS SageMaker notebook instance is configured with data encryption at rest using KMS key

Ensure AWS Glue security configuration encryption is enabled

Ensure Neptune cluster instance is not publicly available

Ensure AWS Load Balancer is using TLS 1.2

Ensure API gateway caching is enabled

Ensure DynamoDB Tables have Auto Scaling enabled

Ensure Amazon ElastiCache Redis clusters have automatic backup turned on

Ensure RDS instances have backup policy

Ensure Redshift clusters have AWS Backup's backup plan

Ensure Amazon EFS has an AWS Backup backup plan

Ensure RDS clusters have an AWS Backup backup plan

Ensure EBS has an AWS Backup backup plan

Ensure KMS has a rotation policy

Ensure DynamoDB tables are encrypted

Ensure ECR repositories are encrypted

Ensure RDS global clusters are encrypted

Ensure Redshift cluster is encrypted by KMS

Ensure S3 buckets are encrypted with KMS by default

Ensure CodeBuild projects are encrypted

Ensure Secret Manager secret is encrypted using KMS

Ensure RDS database cluster snapshot is encrypted

Ensure only encrypted EBS volumes are attached to EC2 instances

Ensure load balancer has deletion protection enabled

Ensure that AWS EMR clusters have Kerberos enabled

Ensure AWS Lambda function is configured for function-level concurrent execution limit

Ensure AWS Lambda function is configured for a DLQ

Ensure AWS Lambda function is configured inside a VPC

Ensure GuardDuty is enabled to specific org/region

Ensure Elastic Load Balancers use SSL certificates provided by AWS Certificate Manager

Ensure EC2 is EBS optimized

Ensure RDS clusters and instances have deletion protection enabled

Ensure Redshift cluster allows version upgrade by default

Ensure S3 bucket has lock configuration enabled by default

Ensure S3 bucket has cross-region replication enabled

Ensure RDS instances have Multi-AZ enabled

Ensure DocDB has audit logs enabled

Ensure Redshift uses SSL

Ensure Session Manager data is encrypted in transit

Ensure that RDS database cluster snapshot is encrypted

Ensure that CodeBuild projects are encrypted

Ensure that Secrets Manager secret is encrypted using KMS

Ensure that Load Balancer has deletion protection enabled

Ensure EBS default encryption is enabled

Autoscaling groups should supply tags to launch configurations

Ensure that Workspace user volumes are encrypted

Ensure that Workspace root volumes are encrypted

Ensure that CloudWatch Log Group is encrypted by KMS

Ensure that Athena Workgroup is encrypted

Ensure that Timestream database is encrypted with KMS CMK

Ensure DynamoDB point in time recovery is enabled for global tables

Ensure Backup Vault is encrypted at rest using KMS CMK

Ensure Glacier Vault access policy is not public by only allowing specific services or principals to access it

Ensure SQS queue policy is not public by only allowing specific services or principals to access it

Ensure SNS topic policy is not public by only allowing specific services or principals to access it

Ensure QLDB ledger permissions mode is set to STANDARD

Ensure EMR Cluster security configuration encryption uses SSE-KMS

Ensure Route53 A Record has an attached resource

Ensure Route 53 DNS service modifications are detected

Ensure provisioned resources are not manually modified

Ensure Glue component has a security configuration associated