Compliance Controls
List of available controls:
- Access logging should be configured for API Gateway V2 Stages (gatewayv2_stage_access_logging_enabled)
- ACM certificates should have transparency logging enabled (acm_certificate_transparency_logging_enabled)
- ACM certificates should not use wildcard certificates (acm_certificate_no_wildcard_domain_name)
- Active MQ brokers should stream audit logs to CloudWatch (mq_broker_audit_log_enabled)
- Amazon MQ brokers should have automatic minor version upgrade enabled (mq_broker_auto_minor_version_upgrade_enabled)
- Amazon Redshift Serverless workgroups should use enhanced VPC routing (redshiftserverless_workgroup_enhanced_vpc_routing_enabled)
- API Gateway methods authorizer should be configured (api_gateway_method_authorization_type_configured)
- API Gateway methods request parameter should be validated (api_gateway_method_request_parameter_validated)
- API Gateway REST API stages should have AWS X-Ray tracing enabled (apigateway_rest_api_stage_xray_tracing_enabled)
- API Gateway routes should specify an authorization type (api_gatewayv2_route_authorization_type_configured)
- API Gateway stage cache encryption at rest should be enabled (apigateway_stage_cache_encryption_at_rest_enabled)
- API Gateway stage logging should be enabled (apigateway_stage_logging_enabled)
- API Gateway stage should use an SSL certificate (apigateway_rest_api_stage_use_ssl_certificate)
- API Gateway V2 authorizer should be configured (api_gatewayv2_route_authorizer_configured)
- Application and Network Load Balancer listeners should use secure protocols to encrypt data in transit (elb_application_network_listener_uses_secure_protocol)
- Application and Network Load Balancers with listeners should use recommended security policies (elb_application_network_lb_https_tls_listener_recommended_security_policy)
- Application Load Balancer should be configured to drop invalid HTTP headers (elb_application_lb_http_drop_invalid_header_enabled)
- AppStream fleet default internet access should be disabled (appstream_fleet_default_internet_access_disabled)
- AppStream fleet idle disconnect timeout should be set to less than or equal to 10 mins (appstream_fleet_idle_disconnect_timeout_600_seconds)
- AppStream fleet max user duration should be set to less than 10 hours (appstream_fleet_max_user_duration_36000_seconds)
- AppStream fleet session disconnect timeout should be set to less than or equal to 5 mins (appstream_fleet_session_disconnect_timeout_300_seconds)
- AppSync GraphQL API logging should be enabled (appsync_graphql_api_field_level_logging_enabled)
- At least one enabled trail should be present in a region (cloudtrail_trail_enabled)
- Athena workgroups should be encrypted at rest (athena_workgroup_encryption_at_rest_enabled)
- Athena workgroups should enforce configuration (athena_workgroup_enforce_configuration_enabled)
- Athena workgroups should have logging enabled (athena_workgroup_logging_enabled)
- Attached EBS volumes should have encryption enabled (ebs_attached_volume_encryption_enabled)
- Aurora MySQL DB clusters should have audit logging enabled (rds_db_cluster_aurora_mysql_audit_logging_enabled)
- Aurora PostgreSQL DB clusters should publish logs to CloudWatch Logs (rds_db_cluster_aurora_postgres_logging_enabled)
- AWS AppSync API caches should be encrypted at rest (appsync_graphql_api_cache_encryption_at_rest_enabled)
- AWS AppSync API caches should be encrypted in transit (appsync_graphql_api_cache_encryption_in_transit_enabled)
- AWS AppSync GraphQL APIs should not be authenticated with API keys (appsync_graphql_api_authentication_without_api_key)
- AWS DocumentDB clusters should be encrypted at rest (docdb_cluster_encryption_at_rest_enabled)
- AWS DocumentDB clusters should have an adequate backup retention period (docdb_cluster_backup_retention_period_7_days)
- AWS EC2 instances should have termination protection enabled (ec2_instance_termination_protection_enabled)
- AWS EC2 launch templates should not assign public IPs to network interfaces (ec2_launch_template_not_publicly_accessible)
- AWS ECS services should not have public IP addresses assigned to them automatically (ecs_service_not_publicly_accessible)
- AWS Glue Spark jobs should run on supported versions of AWS Glue (glue_spark_job_runs_on_version_3_or_higher)
- AWS Redshift audit logging should be enabled (redshift_cluster_audit_logging_enabled)
- AWS Redshift clusters should be encrypted with KMS (redshift_cluster_kms_enabled)
- AWS Redshift clusters should have automatic snapshots enabled (redshift_cluster_automatic_snapshots_min_7_days)
- AWS Redshift clusters should not use the default Admin username (redshift_cluster_no_default_admin_name)
- AWS Redshift enhanced VPC routing should be enabled (redshift_cluster_enhanced_vpc_routing_enabled)
- AWS Redshift should have automatic upgrades to major versions enabled (redshift_cluster_automatic_upgrade_major_versions_enabled)
- AWS Redshift should have required maintenance settings (redshift_cluster_maintenance_settings_check)
- AWS SQS queues should be encrypted at rest (sqs_queue_encrypted_at_rest)
- AWS WAF rules should have CloudWatch metrics enabled (wafv2_rule_group_logging_enabled)
- Backup plan min frequency and min retention check (backup_plan_min_retention_35_days)
- Classic Load Balancers should have connection draining enabled (ec2_classic_lb_connection_draining_enabled)
- CloudFormation stacks should have notifications enabled (cloudformation_stack_notifications_enabled)
- CloudFormation stacks should have rollback enabled (cloudformation_stack_rollback_enabled)
- CloudFront distributions access logs should be enabled (cloudfront_distribution_logging_enabled)
- CloudFront distributions should have a default root object configured (cloudfront_distribution_default_root_object_configured)
- CloudFront distributions should have AWS WAF enabled (cloudfront_distribution_waf_enabled)
- CloudFront distributions should have field level encryption enabled (cloudfront_distribution_field_level_encryption_enabled)
- CloudFront distributions should have geo restriction enabled (cloudfront_distribution_geo_restrictions_enabled)
- CloudFront distributions should have latest TLS version (cloudfront_distribution_latest_tls_version)
- CloudFront distributions should require encryption in transit (cloudfront_distribution_encryption_in_transit_enabled)
- CloudFront distributions should use custom SSL/TLS certificates (cloudfront_distribution_use_custom_ssl_certificate)
- CloudFront distributions should use SNI to serve HTTPS requests (cloudfront_distribution_sni_enabled)
- CloudFront distributions should use the recommended TLS security policy (cloudfront_distribution_uses_recommended_tls_security_policy)
- CloudTrail trail log file validation should be enabled (cloudtrail_trail_validation_enabled)
- CloudTrail trail logs should be encrypted with KMS CMK (cloudtrail_trail_logs_encrypted_with_kms_cmk)
- CloudTrail trails should be integrated with CloudWatch Logs (cloudtrail_trail_integrated_with_logs)
- CloudWatch alarm action should be enabled (cloudwatch_alarm_action_enabled_check)
- CloudWatch alarm should have an action configured (cloudwatch_alarm_action_enabled)
- CodeBuild project artifact encryption should be enabled (codebuild_project_artifact_encryption_enabled)
- CodeBuild project encryption at rest should be enabled (codebuild_project_encryption_at_rest_enabled)
- CodeBuild project environments should not have privileged mode enabled (codebuild_project_environment_privileged_mode_disabled)
- CodeBuild project S3 logs should be encrypted (codebuild_project_s3_logs_encryption_enabled)
- CodeBuild projects should have logging enabled (codebuild_project_logging_enabled)
- CodeBuild report group exports should be encrypted at rest (codebuild_report_group_export_encryption_at_rest_enabled)
- Cognito identity pools should not allow unauthenticated identities (cognito_identity_pools_restrict_unauthenticated_identities)
- Connections to Elasticsearch domains should be encrypted using TLS 1.2 (es_domain_encrypted_using_tls_1_2)
- Database logging should be enabled (rds_db_instance_logging_enabled)
- DataSync tasks should have logging enabled (datasync_task_logging_enabled)
- Disable IPv6 networking if not in use within your organization (lightsail_instance_ipv6_networking_disabled)
- DMS endpoints for MongoDB should have an authentication mechanism enabled (dms_endpoint_mongo_db_authentication_enabled)
- DMS endpoints for Redis OSS should have TLS enabled (dms_endpoint_redis_tls_enabled)
- DMS endpoints should use SSL (dms_endpoint_ssl_configured)
- DMS replication instance encryption should be enabled (dms_replication_instance_encryption_enabled)
- DMS replication instances should have automatic minor version upgrade enabled (dms_replication_instance_automatic_minor_version_upgrade_enabled)
- DMS replication instances should not be publicly accessible (dms_replication_instance_not_publicly_accessible)
- DocumentDB clusters should have deletion protection enabled (docdb_cluster_deletion_protection_enabled)
- DocumentDB instance logging should be enabled (docdb_cluster_instance_logging_enabled)
- DynamoDB Accelerator (DAX) clusters should be encrypted at rest (dax_cluster_encryption_at_rest_enabled)
- DynamoDB Accelerator clusters should be encrypted in transit (dax_cluster_encryption_in_transit_enabled)
- DynamoDB table point-in-time recovery should be enabled (dynamodb_table_point_in_time_recovery_enabled)
- DynamoDB table should be encrypted with AWS KMS (dynamodb_table_encrypted_with_kms)
- DynamoDB table should have deletion protection enabled (dynamodb_table_deletion_protection_enabled)
- DynamoDB table should have encryption enabled (dynamodb_table_encryption_enabled)
- EBS snapshots should be encrypted (ebs_snapshot_encryption_enabled)
- EBS volume encryption at rest should be enabled (ebs_volume_encryption_at_rest_enabled)
- EC2 Client VPN endpoints should have client connection logging enabled (ec2_client_vpn_endpoint_client_connection_logging_enabled)
- EC2 instance detailed monitoring should be enabled (ec2_instance_detailed_monitoring_enabled)
- EC2 instance should have EBS optimization enabled (ec2_instance_ebs_optimized)
- EC2 instances should be in a VPC (ec2_instance_in_vpc)
- EC2 instances should have IAM profile attached (ec2_instance_iam_profile_attached)
- EC2 instances should not have a public IP address (ec2_instance_not_publicly_accessible)
- EC2 instances should not use key pairs in running state (ec2_instance_no_amazon_key_pair)
- EC2 instances should not use multiple ENIs (ec2_instance_not_use_multiple_enis)
- EC2 instances should use IMDSv2 (ec2_instance_uses_imdsv2)
- EC2 launch templates should use Instance Metadata Service Version 2 (IMDSv2) (ec2_launch_template_default_version_uses_imdsv2)
- EC2 network interfaces should have source/destination checking enabled (ec2_network_inteface_source_destination_check_enabled)
- EC2 transit gateways should have auto accept shared attachments disabled (ec2_transit_gateway_auto_cross_account_attachment_disabled)
- EC2 VPC Block Public Access settings should block internet gateway traffic (vpc_block_public_access_restrict_internet_gateway_traffic)
- EC2 VPN connections should have logging enabled (vpc_vpn_connection_logging_enabled)
- ECR private repositories should have tag immutability configured (ecr_repository_tag_immutability_enabled)
- ECR repositories should have image scan on push enabled (ecr_repository_image_scan_on_push_enabled)
- ECS clusters should have container insights enabled (ecs_cluster_container_insights_enabled)
- ECS Fargate services should run on the latest Fargate platform version (ecs_service_fargate_using_latest_platform_version)
- ECS task definitions should not share the host's process namespace (ecs_task_definition_no_host_pid_mode)
- EFS access points should enforce a root directory (efs_access_point_enforce_root_directory)
- EFS access points should enforce a user identity (efs_access_point_enforce_user_identity)
- EFS file system encryption at rest should be enabled (efs_file_system_encrypt_data_at_rest)
- EFS file systems should be encrypted with CMK (efs_file_system_encrypted_with_cmk)
- EKS clusters endpoint public access should be restricted (eks_cluster_endpoint_public_access_restricted)
- EKS clusters endpoint should restrict public access (eks_cluster_endpoint_restrict_public_access)
- EKS clusters should be configured to have Kubernetes secrets encrypted using KMS (eks_cluster_secrets_encrypted)
- EKS clusters should have control plane audit logging enabled (eks_cluster_control_plane_audit_logging_enabled)
- ElastiCache clusters should not use the default subnet group (elasticache_cluster_no_default_subnet_group)
- ElastiCache for Redis replication groups before version 6.0 should use Redis Auth (elasticache_replication_group_redis_auth_enabled)
- ElastiCache for Redis replication groups should be encrypted at rest (elasticache_replication_group_encryption_at_rest_enabled)
- ElastiCache for Redis replication groups should be encrypted in transit (elasticache_replication_group_encryption_in_transit_enabled)
- ElastiCache for Redis replication groups should be encrypted with CMK (elasticache_replication_group_encryption_at_rest_enabled_with_kms_cmk)
- ElastiCache for Redis replication groups should have automatic failover enabled (elasticache_replication_group_auto_failover_enabled)
- ElastiCache Redis cluster automatic backup should be enabled with a retention period of 15 days or greater (elasticache_redis_cluster_automatic_backup_retention_15_days)
- Elasticsearch domain error logging to CloudWatch Logs should be enabled (es_domain_error_logging_enabled)
- Elasticsearch domain node-to-node encryption should be enabled (es_domain_node_to_node_encryption_enabled)
- Elasticsearch domain should send logs to CloudWatch (es_domain_logs_to_cloudwatch)
- Elasticsearch domains should be configured with at least three dedicated master nodes (es_domain_dedicated_master_nodes_min_3)
- Elasticsearch domains should have at least three data nodes (es_domain_data_nodes_min_3)
- Elasticsearch domains should have audit logging enabled (es_domain_audit_logging_enabled)
- Elasticsearch domains should have Cognito authentication enabled (es_domain_cognito_authentication_enabled)
- Elasticsearch domains should have internal user database enabled (es_domain_internal_user_database_enabled)
- ELB application and classic load balancer logging should be enabled (elb_application_classic_lb_logging_enabled)
- ELB application and network load balancers should only use SSL or HTTPS listeners (elb_application_network_lb_use_ssl_certificate)
- ELB application load balancer deletion protection should be enabled (elb_application_lb_deletion_protection_enabled)
- ELB application load balancers should be configured to drop HTTP headers (elb_application_lb_drop_http_headers)
- ELB application load balancers should be configured with defensive or strictest desync mitigation mode (elb_application_lb_desync_mitigation_mode)
- ELB classic load balancers should be configured with defensive or strictest desync mitigation mode (elb_classic_lb_desync_mitigation_mode)
- ELB classic load balancers should have cross-zone load balancing enabled (elb_classic_lb_cross_zone_load_balancing_enabled)
- ELB classic load balancers should span multiple availability zones (elb_classic_lb_multiple_az_configured)
- ELB listeners SSL/TLS protocol version should be checked (elb_tls_listener_protocol_version)
- ELB load balancers should prohibit public access (elb_application_classic_network_lb_prohibit_public_access)
- ELB network load balancers should have TLS listener security policy configured (elb_network_lb_tls_listener_security_policy_configured)
- EMR cluster Kerberos should be enabled (emr_cluster_kerberos_enabled)
- EMR clusters should have security configuration enabled (emr_cluster_security_configuration_enabled)
- Ensure EBS volumes attached to an EC2 instance are marked for deletion upon instance termination (ec2_instance_attached_ebs_volume_delete_on_termination_enabled)
- Ensure encryption in transit is enabled for Lambda environment variables (lambda_function_encryption_enabled)
- Ensure IAM instance roles are used for AWS resource access from instances (ec2_instance_using_iam_instance_role)
- Ensure IAM password policy expires passwords within 90 days or less (iam_password_policy_expire_90)
- Ensure IAM password policy prevents password reuse (iam_account_password_policy_reuse_24)
- Ensure IAM password policy requires a minimum length of 14 or greater (iam_account_password_policy_min_length_14)
- Ensure IAM password policy requires at least one lowercase letter (iam_account_password_policy_one_lowercase_letter)
- Ensure IAM password policy requires at least one number (iam_account_password_policy_one_number)
- Ensure IAM password policy requires at least one symbol (iam_account_password_policy_one_symbol)
- Ensure IAM password policy requires at least one uppercase letter (iam_account_password_policy_one_uppercase_letter)
- Ensure Lambda function logging config is enabled (lambda_function_logging_config_enabled)
- ES domain encryption at rest should be enabled (es_domain_encryption_at_rest_enabled)
- ES domains should be in a VPC (es_domain_in_vpc)
- FSx for Lustre file systems should be configured to copy tags to backups (fsx_lustre_file_system_copy_tags_to_backup_enabled)
- FSx for NetApp ONTAP file systems should be configured for Multi-AZ deployment (fsx_netapp_ontap_file_system_multi_az_deployment_enabled)
- FSx for OpenZFS file systems should be configured for Multi-AZ deployment (fsx_openzfs_file_system_multi_az_deployment_enabled)
- FSx for OpenZFS file systems should be configured to copy tags to backups and volumes (fsx_file_system_copy_tags_to_backup_and_volume_enabled)
- FSx for Windows File Server file systems should be configured for Multi-AZ deployment (fsx_windows_file_system_multi_az_deployment_enabled)
- Glue data catalog connection password encryption should be enabled (glue_data_catalog_encryption_settings_password_encryption_enabled)
- Glue data catalog metadata encryption should be enabled (glue_data_catalog_encryption_settings_metadata_encryption_enabled)
- Glue jobs bookmarks encryption should be enabled (glue_job_bookmarks_encryption_enabled)
- Glue jobs CloudWatch logs encryption should be enabled (glue_job_cloudwatch_logs_encryption_enabled)
- Glue jobs S3 encryption should be enabled (glue_job_s3_encryption_enabled)
- IAM authentication should be configured for RDS clusters (rds_db_cluster_iam_authentication_enabled)
- IAM password policies for users should have strong configurations (iam_account_password_policy_strong_min_reuse_24)
- Kinesis Firehose delivery streams should have server-side encryption enabled (kinesis_firehose_delivery_stream_server_side_encryption_enabled)
- Kinesis streams should be encrypted with CMK (kinesis_stream_encrypted_with_kms_cmk)
- Kinesis streams should have an adequate data retention period (kinesis_stream_retention_period_168_hours)
- Kinesis streams should have server-side encryption enabled (kinesis_stream_server_side_encryption_enabled)
- KMS CMK rotation should be enabled (kms_cmk_rotation_enabled)
- Lambda functions concurrent execution limit should be configured (lambda_function_concurrent_execution_limit_configured)
- Lambda functions CORS configuration should not allow all origins (lambda_function_cors_configuration)
- Lambda functions should be configured with a dead-letter queue (lambda_function_dead_letter_queue_configured)
- Lambda functions should be in a VPC (lambda_function_in_vpc)
- Lambda functions should restrict public URL (lambda_function_restrict_public_url)
- Lambda functions should use latest runtimes (lambda_function_use_latest_runtime)
- Lambda functions tracing should be enabled (lambda_function_tracing_enabled)
- Log group encryption at rest should be enabled (log_group_encryption_at_rest_enabled)
- Log group retention period should be at least 365 days (cloudwatch_log_group_retention_period_365)
- MQ brokers should restrict public access (mq_broker_restrict_public_access)
- MSK clusters should be encrypted in transit among broker nodes (msk_cluster_encryption_in_transit_with_tls_enabled)
- MSK clusters should disable unauthenticated access (msk_cluster_unauthenticated_access_disabled)
- MSK clusters should have public access disabled (msk_cluster_not_publicly_accessible)
- MSK Connect connectors should be encrypted in transit (mskconnect_connector_encryption_in_transit_with_tls_enabled)
- MSK connectors should have logging enabled (mskconnect_connector_logging_enabled)
- Neptune DB clusters should be configured to copy tags to snapshots (neptune_db_cluster_copy_tags_to_snapshot_enabled)
- Neptune DB clusters should be encrypted at rest (neptune_db_cluster_encryption_at_rest_enabled)
- Neptune DB clusters should have automated backups enabled (neptune_db_cluster_automated_backup_enabled)
- Neptune DB clusters should have deletion protection enabled (neptune_db_cluster_deletion_protection_enabled)
- Neptune DB clusters should have IAM database authentication enabled (neptune_db_cluster_iam_authentication_enabled)
- Neptune DB clusters should publish audit logs to CloudWatch Logs (neptune_db_cluster_audit_logging_enabled)
- Network Firewall firewalls should have deletion protection enabled (networkfirewall_firewall_deletion_protection_enabled)
- Network Firewall firewalls should have subnet change protection enabled (networkfirewall_firewall_subnet_change_protection_enabled)
- OpenSearch domains Cognito authentication should be enabled for Kibana (opensearch_domain_cognito_authentication_enabled_for_kibana)
- OpenSearch domains internal user database should be disabled (opensearch_domain_internal_user_database_disabled)
- OpenSearch domains should send logs to AWS CloudWatch Logs (opensearch_domain_logs_to_cloudwatch)
- OpenSearch domains node-to-node encryption should be enabled (opensearch_domain_node_to_node_encryption_enabled)
- OpenSearch domains should be in a VPC (opensearch_domain_in_vpc)
- OpenSearch domains should have at least three data nodes (opensearch_domain_data_node_fault_tolerance)
- OpenSearch domains should have audit logging enabled (opensearch_domain_audit_logging_enabled)
- OpenSearch domains should have encryption at rest enabled (opensearch_domain_encryption_at_rest_enabled)
- OpenSearch domains should have fine-grained access control enabled (opensearch_domain_fine_grained_access_enabled)
- OpenSearch domains should use HTTPS (opensearch_domain_https_required)
- Paravirtual EC2 instance types should not be used (ec2_instance_virtualization_type_no_paravirtual)
- Password policies for IAM users should have strong configurations with minimum length of 8 or greater (iam_account_password_policy_strong_min_length_8)
- RDS Aurora clusters should have backtracking enabled (rds_db_cluster_aurora_backtracking_enabled)
- RDS clusters should have deletion protection enabled (rds_db_cluster_deletion_protection_enabled)
- RDS database clusters should use a custom administrator username (rds_db_cluster_no_default_admin_name)
- RDS database instances should use a custom administrator username (rds_db_instance_no_default_admin_name)
- RDS databases and clusters should not use a database engine default port (rds_db_instance_and_cluster_no_default_port)
- RDS DB clusters should be configured for multiple Availability Zones (rds_db_cluster_multiple_az_enabled)
- RDS DB clusters should be configured to copy tags to snapshots (rds_db_cluster_copy_tags_to_snapshot_enabled)
- RDS DB clusters should be encrypted at rest (rds_db_cluster_encryption_at_rest_enabled)
- RDS DB clusters should be encrypted with CMK (rds_db_cluster_encrypted_with_cmk)
- RDS DB clusters should have automatic minor version upgrade enabled (rds_db_cluster_automatic_minor_version_upgrade_enabled)
- RDS DB instance and cluster enhanced monitoring should be enabled (rds_db_instance_and_cluster_enhanced_monitoring_enabled)
- RDS DB instance automatic minor version upgrade should be enabled (rds_db_instance_automatic_minor_version_upgrade_enabled)
- RDS DB instance backup should be enabled (rds_db_instance_backup_enabled)
- RDS DB instance encryption at rest should be enabled (rds_db_instance_encryption_at_rest_enabled)
- RDS DB instance multiple AZ should be enabled (rds_db_instance_multiple_az_enabled)
- RDS DB instances backup retention period should be greater than or equal to 7 (rds_db_instance_backup_retention_period_less_than_7)
- RDS DB instances should be configured to copy tags to snapshots (rds_db_instance_copy_tags_to_snapshot_enabled)
- RDS DB instances should be integrated with CloudWatch Logs (rds_db_instance_cloudwatch_logs_enabled)
- RDS DB instances should have deletion protection enabled (rds_db_instance_deletion_protection_enabled)
- RDS DB instances should have IAM authentication enabled (rds_db_instance_iam_authentication_enabled)
- RDS DB instances should not use public subnet (rds_db_instance_no_public_subnet)
- RDS DB instances should prohibit public access (rds_db_instance_prohibit_public_access)
- RDS for MariaDB DB instances should publish logs to CloudWatch Logs (rds_db_instance_mariadb_logging_enabled)
- RDS for PostgreSQL DB instances should publish logs to CloudWatch Logs (rds_db_instance_postgres_logging_enabled)
- RDS for SQL Server DB instances should publish logs to CloudWatch Logs (rds_db_instance_sql_server_logging_enabled)
- RDS instances should be deployed in a VPC (rds_db_instance_in_vpc)
- Redshift cluster audit logging and encryption should be enabled (redshift_cluster_encryption_logging_enabled)
- Redshift cluster encryption in transit should be enabled (redshift_cluster_encryption_in_transit_enabled)
- Redshift clusters should be encrypted with CMK (redshift_cluster_encrypted_with_cmk)
- Redshift clusters should have Multi-AZ deployments enabled (redshift_cluster_multiple_az_enabled)
- Redshift clusters should not use the default database name (redshift_cluster_no_default_database_name)
- Redshift clusters should prohibit public access (redshift_cluster_prohibit_public_access)
- Redshift Serverless namespaces should export logs to CloudWatch Logs (redshiftserverless_namespace_export_connection_and_user_log_to_cloudwatch)
- Redshift Serverless namespaces should not use the default admin username (redshiftserverless_namespace_no_default_admin_username)
- Redshift Serverless namespaces should not use the default database name (redshiftserverless_namespace_no_default_database_username)
- Redshift Serverless workgroups should prohibit public access (redshiftserverless_workgroup_restrict_public_access)
- Route 53 domains auto renew should be enabled (route53_domain_auto_renew_enabled)
- Route 53 domains should have transfer lock enabled (route53_domain_transfer_lock_enabled)
- Route 53 domains privacy protection should be enabled (route53_domain_privacy_protection_enabled)
- RSA certificates managed by ACM should use a key length of at least 2,048 bits (acm_certificate_rsa_key_length_2048_bits_or_greater)
- S3 access points should have block public access settings enabled (s3_access_point_restrict_public_access)
- S3 bucket ACLs should not be accessible to all authenticated users (s3_bucket_not_accessible_to_all_authenticated_user)
- S3 bucket cross-account permissions should be restricted (s3_bucket_policy_restricts_cross_account_permission_changes)
- S3 bucket cross-region replication should be enabled (s3_bucket_cross_region_replication_enabled)
- S3 bucket default encryption should be enabled (s3_bucket_default_encryption_enabled)
- S3 bucket default encryption should be enabled with KMS (s3_bucket_default_encryption_enabled_kms)
- S3 bucket logging should be enabled (s3_bucket_logging_enabled)
- S3 bucket MFA delete should be enabled (s3_bucket_mfa_delete_enabled)
- S3 bucket object lock should be enabled (s3_bucket_object_lock_enabled)
- S3 bucket policy should prohibit public access (s3_bucket_policy_restrict_public_access)
- S3 bucket versioning should be enabled (s3_bucket_versioning_enabled)
- S3 buckets access control lists (ACLs) should not be used to manage user access to buckets (s3_bucket_acls_should_prohibit_user_access)
- S3 buckets object logging should be enabled (s3_bucket_object_logging_enabled)
- S3 buckets should have event notifications enabled (s3_bucket_event_notifications_enabled)
- S3 buckets should have lifecycle policies configured (s3_bucket_lifecycle_policy_enabled)
- S3 buckets should prohibit public read access (s3_bucket_restrict_public_read_access)
- S3 buckets should prohibit public write access (s3_bucket_restrict_public_write_access)
- S3 buckets static website hosting should be disabled (s3_bucket_static_website_hosting_disabled)
- S3 buckets with versioning enabled should have lifecycle policies configured (s3_bucket_versioning_and_lifecycle_policy_enabled)
- S3 Multi-Region Access Points should have block public access settings enabled (s3_multi_region_access_point_public_access_blocked)
- S3 public access should be blocked at account level (s3_public_access_block_account)
- S3 public access should be blocked at bucket level (s3_public_access_block_bucket)
- SageMaker endpoint configuration encryption should be enabled (sagemaker_endpoint_configuration_encryption_at_rest_enabled)
- SageMaker endpoint production variants should have an initial instance count greater than 1 (sagemaker_endpoint_configuration_prod_instance_count_greater_than_one)
- SageMaker models should be in a VPC (sagemaker_model_in_vpc)
- SageMaker models should have network isolation enabled (sagemaker_model_network_isolation_enabled)
- SageMaker notebook instance encryption should be enabled (sagemaker_notebook_instance_encryption_at_rest_enabled)
- SageMaker notebook instances root access should be disabled (sagemaker_notebook_instance_root_access_disabled)
- SageMaker notebook instances should be encrypted using CMK (sagemaker_notebook_instance_encrypted_with_kms_cmk)
- SageMaker notebook instances should be in a VPC (sagemaker_notebook_instance_in_vpc)
- SageMaker notebook instances should not have direct internet access (sagemaker_notebook_instance_direct_internet_access_disabled)
- Secrets Manager secrets should be encrypted using CMK (secretsmanager_secret_encrypted_with_kms_cmk)
- SNS topics should be encrypted at rest (sns_topic_encrypted_at_rest)
- SQS queues should be configured with a dead-letter queue (sqs_queue_dead_letter_queue_configured)
- SQS queues should be encrypted with KMS CMK (sqs_queue_encrypted_with_kms_cmk)
- SSM parameters encryption should be enabled (ssm_parameter_encryption_enabled)
- Step Function state machines should have logging turned on (sfn_state_machine_logging_enabled)
- The default stateless action for Network Firewall policies should be drop or forward for fragmented packets (networkfirewall_firewall_policy_default_stateless_action_check_fragmented_packets)
- The default stateless action for Network Firewall policies should be drop or forward for full packets (networkfirewall_firewall_policy_default_stateless_action_check_full_packets)
- VPC endpoint services should have acceptance required enabled (vpc_endpoint_service_acceptance_required_enabled)
- VPC security groups should only allow unrestricted incoming traffic for authorized ports (vpc_security_group_allows_ingress_authorized_ports)
- VPC security groups should restrict ingress from 0.0.0.0/0 or ::/0 to Cassandra ports 7199 or 9160 or 8888 (vpc_security_group_allows_ingress_to_cassandra_ports)
- VPC subnet auto assign public IP should be disabled (vpc_subnet_auto_assign_public_ip_disabled)