AWS Security Checks
579+ AWS Security Checks
Complete list of AWS security checks across 82+ services based on CIS AWS Foundations Benchmark v1.5.0, NIST 800-53, PCI-DSS, HIPAA, SOC 2, and 38+ compliance frameworks.
579+ Security Checks
34+ AWS Services
38+ Compliance Frameworks
CIS Benchmark v1.5.0
Security Checks by AWS Service
Comprehensive security checks organized by AWS service, each with detailed remediation guidance.
Identity and Access Management (IAM)
Avoid the use of root account
CIS 1.1 | high
Ensure MFA is enabled for the root account
CIS 1.2 | critical
Ensure hardware MFA is enabled for the root account
CIS 1.3 | high
Ensure no root account access keys exist
CIS 1.4 | critical
Ensure IAM password policy requires at least one uppercase letter
CIS 1.5 | medium
Ensure IAM password policy requires at least one lowercase letter
CIS 1.6 | medium
Ensure IAM password policy requires at least one symbol
CIS 1.7 | medium
Ensure IAM password policy requires at least one number
CIS 1.8 | medium
Ensure IAM password policy requires minimum length of 14 or greater
CIS 1.9 | medium
Ensure IAM password policy prevents password reuse
CIS 1.10 | low
Ensure IAM password policy expires passwords within 90 days or less
CIS 1.11 | medium
Ensure MFA is enabled for all IAM users with console access
CIS 1.12 | high
Ensure access keys are rotated every 90 days or less
CIS 1.13 | high
Ensure access keys unused for 45 days or more are disabled
CIS 1.14 | medium
Ensure IAM users receive permissions only through groups
CIS 1.15 | low
Ensure no IAM policies allow full administrative privileges
CIS 1.16 | high
Ensure a support role has been created for AWS Support access
CIS 1.17 | low
Ensure IAM instance roles are used for AWS resource access from instances
CIS 1.18 | medium
Ensure IAM Access Analyzer is enabled for all regions
CIS 1.19 | medium
Ensure credentials unused for 45 days or more are disabled
CIS 1.20 | medium
Ensure cross-account role trust policies are restricted
high
Ensure IAM role does not allow assume from any AWS account
critical
Ensure IAM policies do not use NotAction with Allow effect
medium
Ensure IAM policies do not use NotResource with Allow effect
medium
Ensure expired SSL/TLS certificates are removed from IAM
medium
Ensure IAM users have at most one active access key
medium
Ensure empty IAM groups are removed
low
Ensure all IAM users belong to at least one group
low
Ensure SAML provider trust policy has conditions
medium
Ensure server certificates are not expiring within 30 days
high
Simple Storage Service (S3)
Ensure S3 bucket has block public access enabled
CIS 2.1.1 | critical
Ensure S3 bucket policy does not allow public read access
CIS 2.1.2 | critical
Ensure S3 bucket policy does not allow public write access
CIS 2.1.3 | critical
Ensure MFA Delete is enabled on S3 buckets
CIS 2.1.4 | medium
Ensure S3 bucket has server-side encryption enabled
CIS 2.1.5 | high
Ensure S3 bucket versioning is enabled
CIS 2.1.6 | medium
Ensure S3 bucket has server access logging enabled
CIS 2.1.7 | medium
Ensure S3 bucket ACL does not grant public read access
critical
Ensure S3 bucket ACL does not grant public write access
critical
Ensure S3 bucket enforces SSL/TLS for all requests
high
Ensure S3 bucket uses KMS for encryption
medium
Ensure S3 bucket has lifecycle configuration
low
Ensure S3 bucket has cross-region replication enabled
low
Ensure S3 bucket has object lock enabled for compliance
medium
Ensure S3 access points do not allow public access
high
Ensure S3 bucket CORS policy is restrictive
medium
Ensure S3 bucket event notifications are configured
low
Ensure S3 bucket replication uses encryption
medium
Ensure S3 bucket inventory is enabled
low
Ensure S3 bucket does not have overly permissive bucket policy
high
Elastic Compute Cloud (EC2)
Ensure EBS volumes are encrypted
CIS 2.2.1 | high
Ensure default EBS encryption is enabled
CIS 2.2.2 | medium
Ensure EBS snapshots are encrypted
high
Ensure EBS snapshots are not publicly accessible
critical
Ensure EC2 instances do not have public IP addresses
medium
Ensure EC2 instances use IMDSv2
CIS 5.6 | high
Ensure detailed monitoring is enabled for EC2 instances
low
Ensure EC2 instances do not use default security groups
CIS 5.3 | medium
Ensure security groups do not allow ingress from 0.0.0.0/0 to port 22
CIS 5.2 | high
Ensure security groups do not allow ingress from 0.0.0.0/0 to port 3389
CIS 5.1 | high
Ensure security groups do not allow unrestricted ingress to high-risk ports
high
Ensure unused security groups are removed
low
Ensure EC2 instances are managed by AWS Systems Manager
medium
Ensure EC2 instances have termination protection enabled
low
Ensure AMIs are not publicly shared
high
Ensure EC2 instances are launched from approved AMIs
medium
Ensure EC2 instances do not use tenancy in dedicated hosts without requirement
info
Ensure EC2 Auto Scaling groups use launch templates
low
Ensure EC2 instance IAM roles are used instead of access keys
high
Ensure EC2 instances have EBS optimization enabled
low
Ensure security groups restrict outbound traffic
medium
Ensure EC2 instances use encrypted EBS root volumes
high
Ensure EC2 Nitro instances use encrypted memory
medium
Ensure EC2 instances have required tags
low
Ensure EC2 stopped instances are reviewed and terminated
low
Ensure EC2 placement groups are used for high availability
low
Ensure EC2 serial console access is disabled
medium
Ensure EC2 instances use secure key pairs
medium
Ensure EC2 instances do not have multiple ENIs unless required
info
Ensure EC2 instances use current generation instance types
low
Virtual Private Cloud (VPC)
Ensure VPC flow logs are enabled
CIS 3.9 | medium
Ensure VPC flow logs retention is at least 90 days
low
Ensure default VPC is not used
CIS 5.4 | medium
Ensure VPC subnets do not auto-assign public IPs
medium
Ensure VPC has separate public and private subnets
medium
Ensure NACLs restrict inbound traffic
medium
Ensure NACLs do not allow unrestricted SSH access
high
Ensure NACLs do not allow unrestricted RDP access
high
Ensure VPC peering connections are documented and reviewed
medium
Ensure VPC endpoint policies are restrictive
medium
Ensure VPC endpoints are used for AWS services
medium
Ensure NAT gateways are highly available
medium
Ensure Internet Gateways are attached only to required VPCs
medium
Ensure Transit Gateway is used for multi-VPC connectivity
low
Ensure Transit Gateway route tables restrict traffic
medium
Ensure VPN connections use strong encryption
high
Ensure VPN tunnels are in UP state
medium
Ensure Direct Connect is encrypted
high
Ensure Elastic IP addresses are associated with resources
low
Ensure route tables do not have overly permissive routes
medium
AWS CloudTrail
Ensure CloudTrail is enabled in all regions
CIS 3.1 | high
Ensure CloudTrail log file validation is enabled
CIS 3.2 | medium
Ensure CloudTrail logs are encrypted with KMS
CIS 3.7 | high
Ensure CloudTrail S3 bucket is not publicly accessible
CIS 3.3 | critical
Ensure CloudTrail logs are delivered to CloudWatch Logs
CIS 3.4 | medium
Ensure S3 bucket access logging is enabled for CloudTrail bucket
CIS 3.6 | medium
Ensure CloudTrail is integrated with CloudWatch Logs
medium
Ensure management events are logged
high
Ensure data events are logged for S3 buckets
medium
Ensure data events are logged for Lambda functions
medium
Ensure CloudTrail trails are not stopped
critical
Ensure CloudTrail log retention is configured
medium
Ensure CloudTrail trails exist in all accounts
high
Ensure organization trail is enabled
medium
Ensure CloudTrail insights is enabled
low
Ensure metric filters exist for unauthorized API calls
CIS 4.1 | medium
Ensure metric filters exist for console login without MFA
CIS 4.2 | medium
Ensure metric filters exist for root account usage
CIS 4.3 | high
Ensure metric filters exist for IAM policy changes
CIS 4.4 | medium
Ensure metric filters exist for CloudTrail configuration changes
CIS 4.5 | high
Ensure metric filters exist for security group changes
CIS 4.10 | medium
Ensure metric filters exist for NACL changes
CIS 4.11 | medium
Ensure metric filters exist for VPC changes
CIS 4.14 | medium
Ensure metric filters exist for S3 bucket policy changes
CIS 4.8 | medium
Ensure metric filters exist for KMS key changes
CIS 4.7 | medium
Relational Database Service (RDS)
Ensure RDS instances are not publicly accessible
CIS 2.3.1 | critical
Ensure RDS instances have encryption at rest enabled
CIS 2.3.2 | high
Ensure RDS instances use KMS customer managed keys
medium
Ensure RDS instances have automated backups enabled
high
Ensure RDS backup retention is at least 7 days
medium
Ensure RDS instances have Multi-AZ enabled
medium
Ensure RDS instances have deletion protection enabled
medium
Ensure RDS instances have minor version auto-upgrade enabled
medium
Ensure RDS instances use current engine versions
medium
Ensure RDS instances do not use default ports
low
Ensure RDS instances have enhanced monitoring enabled
low
Ensure RDS instances have Performance Insights enabled
low
Ensure RDS instances have logging enabled
medium
Ensure RDS snapshots are not publicly accessible
critical
Ensure RDS snapshots are encrypted
high
Ensure RDS instances use SSL/TLS for connections
high
Ensure RDS security groups are restrictive
high
Ensure RDS instances are deployed in private subnets
high
Ensure RDS Aurora clusters have backtrack enabled
low
Ensure RDS Aurora clusters have IAM authentication enabled
medium
Ensure RDS instances have copy tags to snapshots enabled
low
Ensure RDS database master credentials are stored in Secrets Manager
medium
Ensure RDS Event Subscriptions are configured
low
Ensure RDS instances use the latest certificate authority
medium
Ensure RDS Proxy is used for connection pooling
low
AWS Lambda
Ensure Lambda functions are not publicly accessible
critical
Ensure Lambda functions use latest runtime versions
medium
Ensure Lambda functions have tracing enabled
low
Ensure Lambda functions have dead letter queues configured
low
Ensure Lambda functions use least privilege IAM roles
high
Ensure Lambda functions do not have secrets in environment variables
high
Ensure Lambda functions encrypt environment variables with KMS
medium
Ensure Lambda functions run in VPC when accessing private resources
medium
Ensure Lambda functions in VPC use security groups
medium
Ensure Lambda function URLs use authentication
high
Ensure Lambda functions have concurrency limits
low
Ensure Lambda functions have appropriate timeout settings
low
Ensure Lambda functions do not share execution roles
medium
Ensure Lambda layers are from trusted sources
medium
Ensure Lambda functions have code signing enabled
medium
Ensure Lambda functions log to CloudWatch
medium
Ensure Lambda CloudWatch log groups have retention configured
low
Ensure Lambda functions do not use wildcards in resource policies
high
Ensure Lambda functions are tagged appropriately
low
Ensure Lambda event source mappings use filtering
low
Key Management Service (KMS)
Ensure KMS key rotation is enabled
CIS 3.8 | medium
Ensure KMS keys are not scheduled for deletion
high
Ensure KMS key policies are not overly permissive
high
Ensure KMS keys are used for EBS encryption
medium
Ensure KMS keys are used for RDS encryption
medium
Ensure KMS keys are used for S3 bucket encryption
medium
Ensure KMS key usage is monitored
medium
Ensure KMS keys have descriptive aliases
low
Ensure KMS keys are tagged appropriately
low
Ensure KMS grants are reviewed regularly
medium
Ensure asymmetric KMS keys are used for digital signatures
info
Ensure KMS keys support required key spec for data type
info
Ensure KMS multi-region keys are properly configured
info
Ensure KMS keys are not exposed in CloudTrail logs
medium
Ensure external key stores are monitored for availability
high
Elastic Load Balancing (ELB)
Ensure ELB access logging is enabled
CIS 2.4 | medium
Ensure ALB has WAF enabled
high
Ensure ELB uses secure TLS protocols
high
Ensure ALB redirects HTTP to HTTPS
high
Ensure ELB has deletion protection enabled
medium
Ensure ALB drops invalid headers
medium
Ensure ELB cross-zone load balancing is enabled
low
Ensure ELB uses approved SSL certificates
high
Ensure NLB TLS listeners use certificates
high
Ensure ELB security groups restrict access
medium
Ensure Classic Load Balancers are not used
low
Ensure ELB target groups have health checks configured
medium
Ensure ALB desync mitigation mode is enabled
medium
Ensure internal load balancers are used for internal services
medium
Ensure ELB uses strong cipher suites
medium
Ensure ALB sticky sessions use secure cookies
low
Ensure ELB connection draining is enabled
low
Ensure ALB listener rules are properly ordered
low
Ensure GWLB endpoints are properly configured
medium
Ensure ELB has appropriate idle timeout
low
Elastic Container Service (ECS)
Ensure ECS task definitions do not run as root
high
Ensure ECS task definitions use read-only root filesystem
medium
Ensure ECS task definitions do not grant privileged access
critical
Ensure ECS task definitions do not share host namespaces
high
Ensure ECS task definitions have logging configured
medium
Ensure ECS tasks use task execution roles
high
Ensure ECS task roles follow least privilege
high
Ensure ECS services use awsvpc network mode
medium
Ensure ECS tasks have resource limits defined
medium
Ensure ECS Fargate platform version is current
medium
Ensure ECS cluster has Container Insights enabled
low
Ensure ECS services have deployment circuit breaker enabled
low
Ensure ECS tasks do not have secrets in environment variables
high
Ensure ECS container images are from trusted registries
medium
Ensure ECS service tasks run in private subnets
medium
Ensure ECS task definitions drop unnecessary capabilities
medium
Ensure ECS Execute Command logging is enabled
medium
Ensure ECS services have auto-scaling configured
low
Ensure ECS task definitions specify health checks
low
Ensure EC2 launch type uses managed instance scaling
low
Elastic Kubernetes Service (EKS)
Ensure EKS cluster endpoint is not publicly accessible
high
Ensure EKS cluster has secrets encryption enabled
high
Ensure EKS cluster logging is enabled
medium
Ensure EKS node groups use managed node groups
medium
Ensure EKS clusters use the latest Kubernetes version
high
Ensure EKS node groups use current AMI versions
medium
Ensure EKS cluster uses IRSA for pod permissions
high
Ensure EKS cluster has network policy enforcement
medium
Ensure EKS cluster uses Pod Security Standards
high
Ensure EKS node groups have SSH access disabled
medium
Ensure EKS clusters use private ECR for container images
medium
Ensure EKS cluster RBAC is properly configured
high
Ensure EKS cluster aws-auth ConfigMap is properly managed
high
Ensure EKS add-ons are up to date
medium
Ensure EKS Fargate profiles are used for sensitive workloads
low
Ensure EKS cluster security groups are restrictive
medium
Ensure EKS cluster has audit logging enabled
medium
Ensure EKS nodes are launched in private subnets
medium
Ensure EKS cluster uses GuardDuty for threat detection
medium
Ensure EKS cluster uses VPC endpoints for AWS services
low
Amazon CloudWatch
Ensure CloudWatch log groups have retention configured
medium
Ensure CloudWatch log groups are encrypted with KMS
medium
Ensure CloudWatch Alarms exist for root account usage
CIS 4.3 | high
Ensure CloudWatch Alarms exist for unauthorized API calls
CIS 4.1 | medium
Ensure CloudWatch Alarms have SNS notifications configured
medium
Ensure CloudWatch cross-account sharing is properly configured
medium
Ensure CloudWatch log metric filters exist for security events
medium
Ensure CloudWatch Logs Insights queries are saved for common investigations
low
Ensure CloudWatch Container Insights is enabled for EKS/ECS
low
Ensure CloudWatch alarms cover EC2 instance health
low
Ensure CloudWatch Synthetics canaries monitor critical endpoints
low
Ensure CloudWatch Events/EventBridge rules monitor security events
medium
Ensure CloudWatch Anomaly Detection is configured for critical metrics
low
Ensure CloudWatch log groups do not allow public access
critical
Ensure CloudWatch Contributor Insights rules are configured
low
AWS Secrets Manager
Ensure Secrets Manager secrets have automatic rotation enabled
high
Ensure Secrets Manager secrets are encrypted with KMS CMK
medium
Ensure Secrets Manager secrets have resource policies
medium
Ensure Secrets Manager secrets are not publicly accessible
critical
Ensure Secrets Manager rotation is tested
medium
Ensure Secrets Manager secrets have appropriate rotation schedules
medium
Ensure Secrets Manager secrets are tagged appropriately
low
Ensure Secrets Manager secrets are used instead of hardcoded credentials
high
Ensure Secrets Manager cross-region replication is configured for DR
low
Ensure Secrets Manager secret versions are managed
low
Ensure Secrets Manager access is logged
medium
Ensure Secrets Manager secrets are not unused
low
Ensure Secrets Manager Lambda rotation functions are secure
medium
Ensure Secrets Manager secrets have descriptions
info
Ensure Secrets Manager integrations use caching
low
Amazon API Gateway
Ensure API Gateway has authentication enabled
critical
Ensure API Gateway has logging enabled
medium
Ensure API Gateway uses TLS 1.2 or higher
high
Ensure API Gateway has WAF enabled
high
Ensure API Gateway has throttling enabled
medium
Ensure API Gateway uses private endpoints for internal APIs
medium
Ensure API Gateway resource policies are restrictive
medium
Ensure API Gateway validates request parameters
medium
Ensure API Gateway has X-Ray tracing enabled
low
Ensure API Gateway caching is configured securely
medium
Ensure API Gateway uses custom domains with certificates
medium
Ensure API Gateway integrations use HTTPS
high
Ensure API Gateway has mutual TLS enabled for sensitive APIs
medium
Ensure API Gateway stages have appropriate deployment settings
low
Ensure API Gateway Lambda integrations use proxy or proper mapping
low
Ensure HTTP APIs use JWT authorizers
high
Ensure WebSocket APIs have route authorization
high
Ensure API Gateway usage plans limit API access
medium
Ensure API Gateway CORS is properly configured
medium
Ensure API Gateway has content type validation
low
Amazon GuardDuty
Ensure GuardDuty is enabled in all regions
CIS 4.16 | high
Ensure GuardDuty has S3 Protection enabled
medium
Ensure GuardDuty has EKS Protection enabled
medium
Ensure GuardDuty has Malware Protection enabled
medium
Ensure GuardDuty has RDS Protection enabled
medium
Ensure GuardDuty has Lambda Protection enabled
medium
Ensure GuardDuty findings are exported
medium
Ensure GuardDuty findings trigger automated responses
medium
Ensure GuardDuty uses trusted IP lists
low
Ensure GuardDuty threat lists are configured
low
Ensure GuardDuty is integrated with Security Hub
medium
Ensure GuardDuty uses delegated administrator for organizations
medium
Ensure GuardDuty suppression rules are documented
low
Ensure GuardDuty high severity findings are addressed within SLA
high
Ensure GuardDuty findings are archived appropriately
medium
AWS WAF
Ensure WAF web ACLs are associated with resources
high
Ensure WAF has AWS managed rules enabled
high
Ensure WAF has SQL injection protection enabled
high
Ensure WAF has XSS protection enabled
high
Ensure WAF has rate limiting rules
medium
Ensure WAF logging is enabled
medium
Ensure WAF has bot control enabled
medium
Ensure WAF has IP reputation rules enabled
medium
Ensure WAF rules use proper action types
low
Ensure WAF has geo-blocking configured where required
medium
Ensure WAF has anonymous IP protection
medium
Ensure WAF web ACLs have default deny action
medium
Ensure WAF rules are ordered correctly
low
Ensure WAF has file upload protection
medium
Ensure WAF CAPTCHA is configured for high-risk actions
medium
Ensure classic WAF is migrated to WAFv2
low
Ensure WAF metrics and alarms are configured
medium
Ensure WAF is integrated with Security Hub
low
Ensure Firewall Manager is used for multi-account WAF
medium
Ensure WAF rules are regularly reviewed and updated
medium
AWS Config
Ensure AWS Config is enabled in all regions
CIS 3.5 | high
Ensure AWS Config is recording all resource types
medium
Ensure AWS Config uses S3 bucket with versioning
medium
Ensure AWS Config S3 bucket is encrypted
medium
Ensure AWS Config rules are configured for critical controls
high
Ensure AWS Config uses conformance packs
medium
Ensure AWS Config aggregator is configured for multi-account
medium
Ensure AWS Config rules have remediation configured
medium
Ensure AWS Config sends notifications for compliance changes
low
Ensure AWS Config recorder is running
critical
Ensure AWS Config delivery channel is configured
high
Ensure AWS Config includes global resources
high
Ensure AWS Config S3 bucket access logging is enabled
low
Ensure AWS Config retention is configured
low
Ensure AWS Config rules evaluate in near real-time
low
Simple Notification Service (SNS)
Ensure SNS topics are encrypted with KMS
medium
Ensure SNS topics do not allow public access
critical
Ensure SNS subscriptions require confirmation
medium
Ensure SNS topics use delivery status logging
low
Ensure SNS HTTPS subscriptions use TLS
high
Ensure SNS topics have appropriate access policies
medium
Ensure SNS dead-letter queues are configured
low
Ensure SNS topics are tagged appropriately
low
Ensure cross-account SNS access is documented
medium
Ensure SNS message filtering is used appropriately
low
Simple Queue Service (SQS)
Ensure SQS queues are encrypted with KMS
medium
Ensure SQS queues do not allow public access
critical
Ensure SQS queues have dead-letter queues configured
medium
Ensure SQS queues enforce HTTPS
high
Ensure SQS queue policies follow least privilege
medium
Ensure SQS queue visibility timeout is appropriate
low
Ensure SQS queues are tagged appropriately
low
Ensure SQS FIFO queues are used when ordering matters
low
Ensure SQS message retention is configured appropriately
low
Ensure SQS long polling is enabled
low
Amazon DynamoDB
Ensure DynamoDB tables are encrypted with KMS CMK
medium
Ensure DynamoDB tables have point-in-time recovery enabled
high
Ensure DynamoDB tables have deletion protection enabled
medium
Ensure DynamoDB auto-scaling is configured
low
Ensure DynamoDB streams are encrypted
medium
Ensure DynamoDB global tables use proper replication
medium
Ensure DynamoDB VPC endpoints are used
medium
Ensure DynamoDB tables are tagged appropriately
low
Ensure DynamoDB Contributor Insights is enabled
low
Ensure DynamoDB tables use appropriate capacity mode
low
Ensure DynamoDB IAM policies follow least privilege
high
Ensure DynamoDB tables have CloudWatch alarms
low
Elastic Container Registry (ECR)
Ensure ECR repositories have image scanning enabled
high
Ensure ECR repositories have image immutability enabled
medium
Ensure ECR repositories are encrypted with KMS CMK
medium
Ensure ECR repositories have lifecycle policies
low
Ensure ECR repository policies are restrictive
high
Ensure ECR repositories do not allow public access
critical
Ensure ECR enhanced scanning is enabled for critical repositories
medium
Ensure ECR repositories are tagged appropriately
low
Ensure ECR pull-through cache is configured for external images
low
Ensure ECR replication is configured for disaster recovery
medium
Ensure ECR scan findings are reviewed
high
Ensure ECR images are signed for integrity
medium
AWS Certificate Manager (ACM)
Ensure ACM certificates are not expiring soon
high
Ensure ACM certificates use RSA-2048 or higher
medium
Ensure ACM certificates have Certificate Transparency logging enabled
medium
Ensure ACM certificates are in use
low
Ensure ACM certificate validation is completed
medium
Ensure ACM certificates cover all required domains
medium
Ensure ACM certificates are tagged appropriately
low
Ensure imported certificates are renewed before expiration
high
Ensure ACM private CA certificates have appropriate validity
medium
Ensure ACM private CA has appropriate permissions
high
Amazon Route 53
Ensure Route 53 hosted zones have query logging enabled
medium
Ensure DNSSEC is enabled for Route 53 domains
CIS 3.1 | high
Ensure Route 53 domains have auto-renewal enabled
medium
Ensure Route 53 domains have transfer lock enabled
high
Ensure Route 53 domains have privacy protection enabled
low
Ensure Route 53 health checks have SNS notifications configured
medium
Ensure Route 53 Resolver query logs are enabled
medium
Ensure Route 53 hosted zones are not publicly queryable
medium
Ensure Route 53 failover records are configured for critical endpoints
medium
Ensure Route 53 traffic policies use health checks
medium
Ensure Route 53 alias records are used instead of CNAME where possible
low
Ensure Route 53 geolocation routing has default location configured
low
Ensure Route 53 health checks use HTTPS instead of HTTP
low
Ensure Route 53 Resolver rules are monitored for modifications
high
Ensure Route 53 delegation sets are not shared unnecessarily
low
Amazon CloudFront
Ensure CloudFront distributions use secure SSL/TLS protocols
CIS 4.1 | high
Ensure CloudFront distributions enforce HTTPS-only viewer connections
high
Ensure CloudFront distributions use origin access identity (OAI) for S3 origins
CIS 4.2 | high
Ensure CloudFront distributions have access logging enabled
CIS 4.3 | medium
Ensure CloudFront distributions have WAF integrated
high
Ensure CloudFront distributions use field-level encryption for sensitive data
medium
Ensure CloudFront distributions enforce origin SSL/TLS for custom origins
high
Ensure CloudFront distributions use custom SSL/TLS certificates
medium
Ensure CloudFront distributions have geo-restriction configured if required
low
Ensure CloudFront distributions have default root object configured
low
Ensure CloudFront distributions use signed URLs or signed cookies for private content
medium
Ensure CloudFront distributions have origin failover configured for critical applications
medium
Ensure CloudFront distributions compress content for optimization
low
Ensure CloudFront distributions have appropriate TTL values configured
low
Ensure CloudFront distributions use HTTP/2 or HTTP/3
low
Ensure CloudFront distributions forward only required headers to origin
low
Ensure CloudFront distributions have real-time logs enabled for security monitoring
medium
Ensure CloudFront distributions use Lambda@Edge for additional security controls
low
Ensure CloudFront distributions have custom error pages configured
low
Ensure CloudFront distribution origins use origin shields for better caching
low
Amazon Redshift
Ensure Redshift clusters are not publicly accessible
CIS 5.1 | critical
Ensure Redshift clusters have encryption at rest enabled
CIS 5.2 | high
Ensure Redshift clusters have encryption in transit enabled
high
Ensure Redshift clusters have audit logging enabled
CIS 5.3 | high
Ensure Redshift clusters have automated snapshots configured
medium
Ensure Redshift cluster snapshots are encrypted
high
Ensure Redshift clusters are not using default master username
medium
Ensure Redshift clusters have version upgrade enabled
medium
Ensure Redshift cluster parameter groups enable user activity logging
medium
Ensure Redshift clusters are deployed in VPC
high
Ensure Redshift clusters have enhanced VPC routing enabled
medium
Ensure Redshift clusters use strong master passwords
medium
Ensure Redshift cluster security groups restrict access to known IPs
high
Ensure Redshift cluster manual snapshots are not publicly accessible
critical
Ensure Redshift clusters have maintenance windows configured appropriately
low
Ensure Redshift clusters have cross-region snapshots for disaster recovery
medium
Ensure Redshift clusters use reserved nodes for cost optimization
low
Ensure Redshift clusters have monitoring enabled with CloudWatch
medium
Ensure Redshift clusters use AWS Secrets Manager for credential rotation
medium
Ensure Redshift Spectrum queries use encryption
medium
Amazon ElastiCache
Ensure ElastiCache Redis clusters have encryption at rest enabled
CIS 6.1 | high
Ensure ElastiCache Redis clusters have encryption in transit enabled
CIS 6.2 | high
Ensure ElastiCache Redis clusters have AUTH enabled
high
Ensure ElastiCache clusters are not publicly accessible
critical
Ensure ElastiCache Redis has automatic backups enabled
medium
Ensure ElastiCache Redis uses Multi-AZ with automatic failover
high
Ensure ElastiCache security groups restrict access appropriately
high
Ensure ElastiCache Memcached clusters are not using default port
low
Ensure ElastiCache Redis uses supported engine versions
medium
Ensure ElastiCache clusters have maintenance windows configured
low
Ensure ElastiCache Redis clusters have CloudWatch monitoring enabled
medium
Ensure ElastiCache Redis parameter groups disable dangerous commands
medium
Ensure ElastiCache Redis snapshots are encrypted
high
Ensure ElastiCache Memcached uses appropriate node types for workload
low
Ensure ElastiCache Redis clusters use cluster mode for scalability
low
Ensure ElastiCache subnet groups span multiple availability zones
medium
Ensure ElastiCache Redis uses reserved nodes for cost optimization
low
Ensure ElastiCache Redis AUTH passwords are rotated regularly
medium
Ensure ElastiCache Redis has slow log enabled for performance monitoring
low
Ensure ElastiCache clusters have notification SNS topics configured
low
AWS Backup
Ensure AWS Backup has backup plans configured for critical resources
high
Ensure backup vaults have encryption enabled
high
Ensure backup vaults have access policies configured
medium
Ensure backup plans have sufficient retention periods
medium
Ensure backup plans include cross-region copy for disaster recovery
high
Ensure backup plans have appropriate backup frequency
medium
Ensure backup recovery points are protected from deletion
high
Ensure backup jobs have monitoring and alerting configured
medium
Ensure backup plans use resource tagging for selective backup
low
Ensure backup vaults are in different accounts for added security
medium
Ensure backup plans have lifecycle policies for cost optimization
low
Ensure backup restore testing is performed regularly
high
Ensure AWS Backup is integrated with AWS Organizations
medium
Ensure backup plans exclude unnecessary resources to optimize costs
low
Ensure backup vault has AWS Backup Vault Lock enabled for compliance
high
AWS Organizations
Ensure AWS Organizations has Service Control Policies (SCPs) enabled
high
Ensure Organizations has AWS CloudTrail enabled at organization level
CIS 7.1 | critical
Ensure Organizations has SCPs preventing CloudTrail disablement
critical
Ensure Organizations has SCPs enforcing regional restrictions
medium
Ensure Organizations has SCPs preventing account leaving
high
Ensure Organizations root account has MFA enabled
critical
Ensure Organizations has tag policies enabled and enforced
low
Ensure Organizations has backup policies enabled for data protection
high
Ensure Organizations has SCPs denying public S3 bucket creation
high
Ensure Organizations has delegated administrator for security services
medium
Ensure Organizations has organizational units (OUs) structured appropriately
low
Ensure Organizations has all features enabled
high
Ensure Organizations has SCPs preventing security service disablement
critical
Ensure Organizations management account has minimal resources
medium
Ensure Organizations has centralized logging bucket with proper access controls
critical
AWS Security Hub
Ensure AWS Security Hub is enabled in all regions
CIS 8.1 | high
Ensure Security Hub has CIS AWS Foundations Benchmark enabled
high
Ensure Security Hub has AWS Foundational Security Best Practices enabled
high
Ensure Security Hub has PCI-DSS standard enabled if applicable
high
Ensure Security Hub findings are integrated with incident response workflow
medium
Ensure Security Hub has custom insights configured for security trends
low
Ensure Security Hub findings are enriched with resource tags
low
Ensure Security Hub has automated remediation for common findings
medium
Ensure Security Hub findings are not suppressed without justification
medium
Ensure Security Hub is integrated with AWS Organizations
high
Ensure Security Hub cross-region aggregation is enabled
medium
Ensure Security Hub has third-party integrations configured
low
Ensure Security Hub findings have defined SLAs for remediation
medium
Ensure Security Hub has configured suppression rules appropriately
medium
Ensure Security Hub data is retained for compliance requirements
medium
AWS Systems Manager
Ensure Systems Manager managed instances are compliant with patch baselines
CIS 9.1 high
Ensure Systems Manager Session Manager is used instead of SSH/RDP
high
Ensure Session Manager has logging enabled to S3 and CloudWatch
high
Ensure Systems Manager Parameter Store uses SecureString for sensitive data
high
Ensure Systems Manager documents do not contain hardcoded credentials
critical
Ensure Systems Manager Run Command output is encrypted
medium
Ensure Systems Manager State Manager associations are compliant
medium
Ensure Systems Manager Inventory is enabled for asset management
medium
Ensure Systems Manager Compliance is monitored and violations addressed
medium
Ensure Systems Manager automation documents have appropriate IAM roles
medium
Ensure Systems Manager Maintenance Windows are scheduled appropriately
low
Ensure Systems Manager OpsCenter is used for operational issue management
low
Ensure Systems Manager Change Calendar is used for change control
low
Ensure Systems Manager Parameter Store has high-throughput parameters for frequently accessed values
low
Ensure Systems Manager managed instances use IMDSv2
high
Amazon Athena
Ensure Athena workgroup enforces query result encryption
CIS 10.1 high
Ensure Athena workgroup enforces minimum encryption configuration
medium
Ensure Athena workgroup has CloudWatch metrics enabled
low
Ensure Athena query results have lifecycle policies for cost control
low
Ensure Athena databases use encrypted data sources
high
Ensure Athena access is controlled via IAM policies
medium
Ensure Athena workgroups have data usage controls configured
medium
Ensure Athena query execution is logged to CloudTrail
medium
Ensure Athena named queries do not contain sensitive data
medium
Ensure Athena uses latest engine version for security and features
low
AWS Glue
Ensure Glue Data Catalog encryption at rest is enabled
CIS 11.1 high
Ensure Glue connection passwords are encrypted
high
Ensure Glue jobs have encryption for S3 data targets
high
Ensure Glue jobs have CloudWatch log encryption enabled
medium
Ensure Glue jobs are configured with job bookmarks
low
Ensure Glue Data Catalog resource policies restrict access appropriately
medium
Ensure Glue crawlers have appropriate IAM roles with least privilege
medium
Ensure Glue development endpoints are deleted when not in use
low
Ensure Glue jobs have timeout configured to prevent runaway costs
medium
Ensure Glue jobs use appropriate worker type for workload
low
Ensure Glue job retry configuration is set appropriately
low
Ensure Glue job scripts do not contain hardcoded credentials
critical
Ensure Glue connections are configured with VPC for database security
high
Ensure Glue crawlers have schedules appropriate for data freshness needs
low
Ensure Glue Data Quality rules are configured for critical datasets
medium
Amazon EMR
Ensure EMR clusters have encryption at rest enabled
CIS 12.1 high
Ensure EMR clusters have encryption in transit enabled
high
Ensure EMR clusters are not publicly accessible
critical
Ensure EMR security groups restrict access appropriately
high
Ensure EMR clusters have Kerberos authentication enabled
high
Ensure EMR clusters have logging enabled to S3
medium
Ensure EMR clusters use IMDSv2 for instance metadata
high
Ensure EMR clusters have managed scaling configured appropriately
low
Ensure EMR clusters use latest AMI versions
medium
Ensure EMR step execution is monitored and alerted
medium
Amazon Kinesis
Ensure Kinesis Data Streams have encryption at rest enabled
CIS 13.1 high
Ensure Kinesis Data Streams enforce encryption in transit
high
Ensure Kinesis Data Streams have enhanced monitoring enabled
low
Ensure Kinesis Data Firehose delivery streams encrypt data at rest
high
Ensure Kinesis Data Firehose has error logging enabled
medium
Ensure Kinesis Data Analytics applications use VPC configuration
medium
Ensure Kinesis Data Streams have appropriate retention period
low
Ensure Kinesis resource policies restrict access appropriately
medium
Ensure Kinesis streams are right-sized for throughput requirements
low
Ensure Kinesis Data Firehose has backup to S3 enabled
medium
Supported Compliance Frameworks
Every check is mapped to relevant compliance framework controls
CIS AWS v1.5.0
CIS AWS v2.0
CIS AWS v3.0
CIS AWS v4.0
NIST 800-53 Rev4
NIST 800-53 Rev5
NIST CSF 1.1
NIST CSF 2.0
PCI-DSS v3.2.1
PCI-DSS v4.0
HIPAA
SOC 2 Type II
ISO 27001:2022
FedRAMP Low
FedRAMP Moderate
GDPR
AWS Well-Architected
AWS FTR
MITRE ATT&CK
NIS2