AC_AWS_0033 | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | AWS | Logging and Monitoring | HIGH |
AC_AWS_0036 | Ensure CloudTrail log file validation is enabled | AWS | Logging and Monitoring | MEDIUM |
AC_AWS_0038 | Ensure CloudTrail trails are integrated with CloudWatch Logs | AWS | Logging and Monitoring | MEDIUM |
AC_AWS_0039 | Ensure data events logging is enabled for AWS CloudTrail trails | AWS | Logging and Monitoring | MEDIUM |
AC_AWS_0043 | Ensure temporary passwords are not valid for more than 90 days | AWS | Identity and Access Management | MEDIUM |
AC_AWS_0048 | Ensure Elastic Block Store (EBS) volumes are encrypted through AWS Config | AWS | Data Protection | MEDIUM |
AC_AWS_0060 | Ensure that Multi-AZ is enabled for Amazon Relational Database Service (Amazon RDS) Instances | AWS | Compliance Validation | MEDIUM |
AC_AWS_0063 | Ensure delete protection is enabled for Amazon Relational Database Service (Amazon RDS) Instances | AWS | Resilience | MEDIUM |
AC_AWS_0065 | Ensure Amazon Relational Database Service (Amazon RDS) instance is not open to more than 256 hosts | AWS | Infrastructure Security | HIGH |
AC_AWS_0066 | Ensure Amazon Relational Database Service (Amazon RDS) instances do not have public interface defined | AWS | Infrastructure Security | HIGH |
AC_AWS_0072 | Ensure backup retention period is set according to best practice for AWS DocumentDB clusters | AWS | Data Protection | MEDIUM |
AC_AWS_0073 | Ensure KMS customer managed keys are used for encryption of AWS DocumentDB Clusters | AWS | Data Protection | MEDIUM |
AC_AWS_0074 | Ensure log export is enabled for AWS DocumentDB clusters | AWS | Logging and Monitoring | MEDIUM |
AC_AWS_0077 | Ensure read-write capacities are reserved for AWS DynamoDB tables | AWS | Compliance Validation | MEDIUM |
AC_AWS_0080 | Ensure EBS volume encryption is enabled | AWS | Data Protection | HIGH |
AC_AWS_0083 | Ensure scan on push is enabled on Amazon Elastic Container Registry (Amazon ECR) repository | AWS | Configuration and Vulnerability Analysis | MEDIUM |
AC_AWS_0100 | Ensure control plane logging is enabled for all log types for AWS Elastic Kubernetes Service (EKS) clusters | AWS | Logging and Monitoring | MEDIUM |
AC_AWS_0102 | Ensure redis version is compliant with AWS PCI-DSS requirements for AWS ElastiCache clusters | AWS | Compliance Validation | HIGH |
AC_AWS_0103 | Ensure memcached elasticache engines are not in use in AWS PCI-DSS environments for AWS ElastiCache clusters | AWS | Compliance Validation | HIGH |
AC_AWS_0107 | Ensure dedicated master nodes are enabled for AWS ElasticSearch Domains | AWS | Logging and Monitoring | MEDIUM |
AC_AWS_0108 | Ensure general purpose SSD node type is not used for AWS ElasticSearch Domains | AWS | Compliance Validation | HIGH |
AC_AWS_0115 | Ensure HTTPS-only is enforced for AWS ElasticSearch Domain | AWS | Infrastructure Security | MEDIUM |
AC_AWS_0118 | Ensure public access is disabled for AWS ElasticSearch Domains - aws_elasticsearch_domain_policy | AWS | Identity and Access Management | HIGH |
AC_AWS_0122 | Ensure connection draining is enabled for AWS ELB | AWS | Resilience | MEDIUM |
AC_AWS_0135 | Ensure IAM password policy requires at least one uppercase letter | AWS | Compliance Validation | MEDIUM |
AC_AWS_0140 | Ensure IAM password policy prevents password reuse | AWS | Compliance Validation | LOW |
AC_AWS_0144 | Ensure IAM policies that allow full "*:*" administrative privileges are not attached | AWS | Identity and Access Management | HIGH |
AC_AWS_0146 | Ensure IAM policies that allow full administrative privileges are not created and attached inline to a role | AWS | Identity and Access Management | HIGH |
AC_AWS_0149 | Ensure no user can assume the role without MFA is specified in the condition parameter of AWS IAM User Policy | AWS | Compliance Validation | LOW |
AC_AWS_0156 | Ensure cross-zone load balancing is enabled for AWS LB (Load Balancer) | AWS | Resilience | MEDIUM |
AC_AWS_0166 | Ensure at-rest data encryption is enabled for AWS ECS clusters | AWS | Data Protection | LOW |
AC_AWS_0167 | Ensure at-rest data encryption is enabled for AWS EBS Root Block cluster | AWS | Data Protection | HIGH |
AC_AWS_0169 | Ensure there are no URL references used in base64 encoded value of AWS Launch Configuration | AWS | Data Protection | HIGH |
AC_AWS_0172 | Ensure recommended SSL/TLS protocol version is used for AWS Elastic Load Balancers (ELB) | AWS | Infrastructure Security | HIGH |
AC_AWS_0173 | Ensure a default root object is configured for AWS Cloudfront Distribution | AWS | Infrastructure Security | MEDIUM |
AC_AWS_0176 | Ensure active/standby deployment mode is used for AWS MQ Brokers | AWS | Resilience | MEDIUM |
AC_AWS_0182 | Ensure storage encryption is enabled for AWS Neptune cluster | AWS | Data Protection | HIGH |
AC_AWS_0185 | Ensure external principals are allowed for AWS RAM resources | AWS | Data Protection | MEDIUM |
AC_AWS_0189 | Ensure Aurora Serverless AutoPause is enabled for Amazon Relational Database Service (Amazon RDS) clusters | AWS | Compliance Validation | MEDIUM |
AC_AWS_0195 | Ensure policy with iam:Passrole/* action and NotResource attributes is not used | AWS | Identity and Access Management | HIGH |
AC_AWS_0212 | Ensure there are no publicly writeable and readable AWS S3 Buckets | AWS | Identity and Access Management | HIGH |
AC_AWS_0213 | Ensure IAM policies that allow full "*:*" administrative privileges are not attached with control tower | AWS | Identity and Access Management | LOW |
AC_AWS_0217 | Ensure 'allow all actions from all principals' is disabled for AWS S3 Buckets | AWS | Identity and Access Management | HIGH |
AC_AWS_0220 | Ensure 'allow list actions from all principals' is disabled for AWS S3 Buckets | AWS | Identity and Access Management | HIGH |
AC_AWS_0222 | Ensure 'allow put or restore actions from all principals' is disabled for AWS S3 Buckets | AWS | Identity and Access Management | HIGH |
AC_AWS_0228 | Ensure Security Groups do not have unrestricted specific ports open - (HTTP,80) | AWS | Infrastructure Security | HIGH |
AC_AWS_0231 | Ensure no security groups allow ingress from 0.0.0.0/0 to ALL ports and protocols | AWS | Infrastructure Security | HIGH |
AC_AWS_0233 | Ensure Cassandra Client (TCP:9042) is not exposed to public | AWS | Infrastructure Security | MEDIUM |
AC_AWS_0248 | Ensure Security Groups do not have unrestricted specific ports open - Memcached SSL (TCP,11214) | AWS | Infrastructure Security | HIGH |
AC_AWS_0257 | Ensure Security Groups do not have unrestricted specific ports open - NetBIOS Datagram Service (UDP,138) | AWS | Infrastructure Security | HIGH |