| 1.1 Maintain current contact details | INCIDENT RESPONSE |
| 1.2 Ensure security contact information is registered | CONTINGENCY PLANNING, INCIDENT RESPONSE |
| 1.3 Ensure security questions are registered in the AWS account | INCIDENT RESPONSE |
| 1.4 Ensure no 'root' user account access key exists - 'Access Key 1' | ACCESS CONTROL, MEDIA PROTECTION |
| 1.4 Ensure no 'root' user account access key exists - 'Access Key 2' | ACCESS CONTROL, MEDIA PROTECTION |
| 1.5 Ensure MFA is enabled for the 'root' user account | IDENTIFICATION AND AUTHENTICATION |
| 1.7 Eliminate use of the 'root' user for administrative and daily tasks | ACCESS CONTROL |
| 1.8 Ensure IAM password policy requires minimum length of 14 or greater | IDENTIFICATION AND AUTHENTICATION |
| 1.9 Ensure IAM password policy prevents password reuse | IDENTIFICATION AND AUTHENTICATION |
| 1.10 Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password | IDENTIFICATION AND AUTHENTICATION |
| 1.11 Do not setup access keys during initial user setup for all IAM users that have a console password | ACCESS CONTROL, MEDIA PROTECTION |
| 1.12 Ensure credentials unused for 45 days or greater are disabled | ACCESS CONTROL |
| 1.13 Ensure there is only one active access key available for any single IAM user | ACCESS CONTROL |
| 1.14 Ensure access keys are rotated every 90 days or less | ACCESS CONTROL |
| 1.15 Ensure IAM Users Receive Permissions Only Through Groups | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 1.16 Ensure IAM policies that allow full '*:*' administrative privileges are not attached | ACCESS CONTROL, MEDIA PROTECTION |
| 1.17 Ensure a support role has been created to manage incidents with AWS Support | INCIDENT RESPONSE |
| 1.19 Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed | AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY |
| 1.20 Ensure that IAM Access analyzer is enabled for all regions | ACCESS CONTROL, MEDIA PROTECTION |
| 1.22 Ensure access to AWSCloudShellFullAccess is restricted | ACCESS CONTROL |
| 2.1.4 Ensure that S3 Buckets are configured with 'Block public access (bucket settings)' | ACCESS CONTROL, MEDIA PROTECTION |
| 2.2.1 Ensure EBS Volume Encryption is Enabled in all Regions | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.3.1 Ensure that encryption-at-rest is enabled for RDS Instances | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.3.2 Ensure Auto Minor Version Upgrade feature is Enabled for RDS Instances | RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY |
| 2.3.3 Ensure that public access is not given to RDS Instance | ACCESS CONTROL, MEDIA PROTECTION |
| 2.4.1 Ensure that encryption is enabled for EFS file systems | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.1 Ensure CloudTrail is enabled in all regions - IncludeManagementEvents | AUDIT AND ACCOUNTABILITY |
| 3.1 Ensure CloudTrail is enabled in all regions - IsLogging | AUDIT AND ACCOUNTABILITY |
| 3.1 Ensure CloudTrail is enabled in all regions - IsMultiRegionTrail | AUDIT AND ACCOUNTABILITY |
| 3.1 Ensure CloudTrail is enabled in all regions - ReadWriteType | AUDIT AND ACCOUNTABILITY |
| 3.3 Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible | ACCESS CONTROL, MEDIA PROTECTION |
| 3.4 Ensure CloudTrail trails are integrated with CloudWatch Logs - 'CloudWatch Log Delivery' | AUDIT AND ACCOUNTABILITY |
| 3.4 Ensure CloudTrail trails are integrated with CloudWatch Logs - 'log group is configured' | AUDIT AND ACCOUNTABILITY |
| 3.6 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 4.2 Ensure management console sign-in without MFA is monitored | AUDIT AND ACCOUNTABILITY |
| 4.3 Ensure usage of 'root' account is monitored | AUDIT AND ACCOUNTABILITY |
| 4.4 Ensure IAM policy changes are monitored | AUDIT AND ACCOUNTABILITY |
| 4.5 Ensure CloudTrail configuration changes are monitored | AUDIT AND ACCOUNTABILITY |
| 4.8 Ensure S3 bucket policy changes are monitored | AUDIT AND ACCOUNTABILITY |
| 4.12 Ensure changes to network gateways are monitored | AUDIT AND ACCOUNTABILITY |
| 4.13 Ensure route table changes are monitored | AUDIT AND ACCOUNTABILITY |
| 4.14 Ensure VPC changes are monitored | AUDIT AND ACCOUNTABILITY |
| 4.15 Ensure AWS Organizations changes are monitored | AUDIT AND ACCOUNTABILITY |
| 5.1 Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports | SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| 5.2 Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports | SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| 5.3 Ensure no security groups allow ingress from ::/0 to remote server administration ports | SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| 5.6 Ensure that EC2 Metadata Service only allows IMDSv2 | CONFIGURATION MANAGEMENT |
