| 1.1 Maintain current contact details | INCIDENT RESPONSE |
| 1.2 Ensure security contact information is registered | CONTINGENCY PLANNING, INCIDENT RESPONSE |
| 1.3 Ensure security questions are registered in the AWS account | INCIDENT RESPONSE |
| 1.4 Ensure no 'root' user account access key exists - 'Access Key 1' | ACCESS CONTROL, MEDIA PROTECTION |
| 1.4 Ensure no 'root' user account access key exists - 'Access Key 2' | ACCESS CONTROL, MEDIA PROTECTION |
| 1.5 Ensure MFA is enabled for the 'root' user account | IDENTIFICATION AND AUTHENTICATION |
| 1.7 Eliminate use of the 'root' user for administrative and daily tasks | ACCESS CONTROL |
| 1.8 Ensure IAM password policy requires minimum length of 14 or greater | IDENTIFICATION AND AUTHENTICATION |
| 1.9 Ensure IAM password policy prevents password reuse | IDENTIFICATION AND AUTHENTICATION |
| 1.10 Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password | IDENTIFICATION AND AUTHENTICATION |
| 1.11 Do not setup access keys during initial user setup for all IAM users that have a console password | ACCESS CONTROL, MEDIA PROTECTION |
| 1.12 Ensure credentials unused for 45 days or greater are disabled | ACCESS CONTROL |
| 1.13 Ensure there is only one active access key available for any single IAM user | ACCESS CONTROL |
| 1.14 Ensure access keys are rotated every 90 days or less | ACCESS CONTROL |
| 1.15 Ensure IAM Users Receive Permissions Only Through Groups | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 1.16 Ensure IAM policies that allow full '*:*' administrative privileges are not attached - *:* administrative privileges are not attached | ACCESS CONTROL, MEDIA PROTECTION |
| 1.17 Ensure a support role has been created to manage incidents with AWS Support | INCIDENT RESPONSE |
| 1.19 Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed | AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY |
| 1.20 Ensure that IAM Access analyzer is enabled for all regions | ACCESS CONTROL, MEDIA PROTECTION |
| 2.1.3 Ensure MFA Delete is enabled on S3 buckets - MfaDelete | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, MEDIA PROTECTION |
| 2.1.3 Ensure MFA Delete is enabled on S3 buckets - versioning status | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, MEDIA PROTECTION |
| 2.1.5 Ensure that S3 Buckets are configured with 'Block public access (bucket settings)' | ACCESS CONTROL, MEDIA PROTECTION |
| 2.2.1 Ensure EBS Volume Encryption is Enabled in all Regions | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.3.1 Ensure that encryption is enabled for RDS Instances | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.3.2 Ensure Auto Minor Version Upgrade feature is Enabled for RDS Instances | RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY |
| 2.3.3 Ensure that public access is not given to RDS Instance | ACCESS CONTROL, MEDIA PROTECTION |
| 2.4.1 Ensure that encryption is enabled for EFS file systems | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.1 Ensure CloudTrail is enabled in all regions - IncludeManagementEvents | AUDIT AND ACCOUNTABILITY |
| 3.1 Ensure CloudTrail is enabled in all regions - IsLogging | AUDIT AND ACCOUNTABILITY |
| 3.1 Ensure CloudTrail is enabled in all regions - IsMultiRegionTrail | AUDIT AND ACCOUNTABILITY |
| 3.1 Ensure CloudTrail is enabled in all regions - ReadWriteType | AUDIT AND ACCOUNTABILITY |
| 3.3 Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible | ACCESS CONTROL, MEDIA PROTECTION |
| 3.4 Ensure CloudTrail trails are integrated with CloudWatch Logs - 'log group is configured' | AUDIT AND ACCOUNTABILITY |
| 3.4 Ensure CloudTrail trails are integrated with CloudWatch Logs - 'LogWatch Log Delivery' | AUDIT AND ACCOUNTABILITY |
| 3.6 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 4.1 Ensure a log metric filter and alarm exist for unauthorized API calls - 'alarm exists' | AUDIT AND ACCOUNTABILITY |
| 4.1 Ensure a log metric filter and alarm exist for unauthorized API calls - 'metric filter exists' | AUDIT AND ACCOUNTABILITY |
| 4.1 Ensure a log metric filter and alarm exist for unauthorized API calls - 'subscription exists' | AUDIT AND ACCOUNTABILITY |
| 4.2 Ensure a log metric filter and alarm exist for Management Console sign-in without MFA - 'alarm exists' | AUDIT AND ACCOUNTABILITY |
| 4.2 Ensure a log metric filter and alarm exist for Management Console sign-in without MFA - 'metric filter exists' | AUDIT AND ACCOUNTABILITY |
| 4.2 Ensure a log metric filter and alarm exist for Management Console sign-in without MFA - 'subscription exists' | AUDIT AND ACCOUNTABILITY |
| 4.3 Ensure a log metric filter and alarm exist for usage of 'root' account - 'alarm exists' | AUDIT AND ACCOUNTABILITY |
| 4.3 Ensure a log metric filter and alarm exist for usage of 'root' account - 'metric filter exists' | AUDIT AND ACCOUNTABILITY |
| 4.3 Ensure a log metric filter and alarm exist for usage of 'root' account - 'subscription exists' | AUDIT AND ACCOUNTABILITY |
| 4.4 Ensure a log metric filter and alarm exist for IAM policy changes - 'alarm exists' | AUDIT AND ACCOUNTABILITY |
| 4.4 Ensure a log metric filter and alarm exist for IAM policy changes - 'metric filter exists' | AUDIT AND ACCOUNTABILITY |
| 4.4 Ensure a log metric filter and alarm exist for IAM policy changes - 'subscription exists' | AUDIT AND ACCOUNTABILITY |
| 4.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes - 'alarm exists' | AUDIT AND ACCOUNTABILITY |
| 4.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes - 'metric filter exists' | AUDIT AND ACCOUNTABILITY |
| 4.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes - 'subscription exists' | AUDIT AND ACCOUNTABILITY |
