| 1.6 Ensure hardware MFA is enabled for the 'root' user account | IDENTIFICATION AND AUTHENTICATION |
| 1.18 Ensure IAM instance roles are used for AWS resource access from instances | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 1.21 Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments | ACCESS CONTROL |
| 2.1.1 Ensure all S3 buckets employ encryption-at-rest | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.1.2 Ensure S3 Bucket Policy is set to deny HTTP requests | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.1.4 Ensure all data in Amazon S3 has been discovered, classified and secured when required. | AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY |
| 3.2 Ensure CloudTrail log file validation is enabled | AUDIT AND ACCOUNTABILITY |
| 3.5 Ensure AWS Config is enabled in all regions - 'Include global resources' | CONFIGURATION MANAGEMENT, PROGRAM MANAGEMENT |
| 3.5 Ensure AWS Config is enabled in all regions - 'Record all resources supported in this region' | CONFIGURATION MANAGEMENT, PROGRAM MANAGEMENT |
| 3.5 Ensure AWS Config is enabled in all regions - 'Review defined S3 Bucket' | CONFIGURATION MANAGEMENT, PROGRAM MANAGEMENT |
| 3.5 Ensure AWS Config is enabled in all regions - 'Review defined SNS Topic' | CONFIGURATION MANAGEMENT, PROGRAM MANAGEMENT |
| 3.7 Ensure CloudTrail logs are encrypted at rest using KMS CMKs | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.8 Ensure rotation for customer created symmetric CMKs is enabled | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.9 Ensure VPC flow logging is enabled in all VPCs | AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY |
| 3.10 Ensure that Object-level logging for write events is enabled for S3 bucket | AUDIT AND ACCOUNTABILITY |
| 3.11 Ensure that Object-level logging for read events is enabled for S3 bucket | AUDIT AND ACCOUNTABILITY |
| 4.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures - 'alarm exists' | AUDIT AND ACCOUNTABILITY |
| 4.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures - 'metric filter exists' | AUDIT AND ACCOUNTABILITY |
| 4.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures - 'subscription exists' | AUDIT AND ACCOUNTABILITY |
| 4.7 Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs - 'alarm exists' | AUDIT AND ACCOUNTABILITY |
| 4.7 Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs - 'metric filter exists' | AUDIT AND ACCOUNTABILITY |
| 4.7 Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs - 'subscription exists' | AUDIT AND ACCOUNTABILITY |
| 4.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes - 'alarm exists' | AUDIT AND ACCOUNTABILITY |
| 4.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes - 'metric filter exists' | AUDIT AND ACCOUNTABILITY |
| 4.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes - 'subscription exists' | AUDIT AND ACCOUNTABILITY |
| 4.10 Ensure a log metric filter and alarm exist for security group changes - 'alarm exists' | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, MEDIA PROTECTION |
| 4.10 Ensure a log metric filter and alarm exist for security group changes - 'metric filter exists' | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, MEDIA PROTECTION |
| 4.10 Ensure a log metric filter and alarm exist for security group changes - 'subscription exists' | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, MEDIA PROTECTION |
| 4.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) - 'alarm exists' | AUDIT AND ACCOUNTABILITY |
| 4.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) - 'metric filter exists' | AUDIT AND ACCOUNTABILITY |
| 4.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) - 'subscription exists' | AUDIT AND ACCOUNTABILITY |
| 4.16 Ensure AWS Security Hub is enabled | CONFIGURATION MANAGEMENT |
| 5.4 Ensure the default security group of every VPC restricts all traffic - 'No Inbound Rules exist | ACCESS CONTROL, MEDIA PROTECTION |
| 5.4 Ensure the default security group of every VPC restricts all traffic - 'No Outbound Rules exist | ACCESS CONTROL, MEDIA PROTECTION |
| 5.5 Ensure routing tables for VPC peering are 'least access' - least access | ACCESS CONTROL, MEDIA PROTECTION |
