| Recommendation | Control families |
| --- | --- |
| 1.1 Maintain current contact details | INCIDENT RESPONSE |
| 1.2 Ensure security contact information is registered | CONTINGENCY PLANNING, INCIDENT RESPONSE |
| 1.3 Ensure security questions are registered in the AWS account | ACCESS CONTROL |
| 1.4 Ensure no 'root' user account access key exists | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 1.5 Ensure MFA is enabled for the 'root' user account | IDENTIFICATION AND AUTHENTICATION |
| 1.7 Eliminate use of the 'root' user for administrative and daily tasks | ACCESS CONTROL |
| 1.8 Ensure IAM password policy requires minimum length of 14 or greater | IDENTIFICATION AND AUTHENTICATION |
| 1.9 Ensure IAM password policy prevents password reuse | IDENTIFICATION AND AUTHENTICATION |
| 1.10 Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password | IDENTIFICATION AND AUTHENTICATION |
| 1.11 Do not create access keys during initial setup for IAM users with a console password | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION |
| 1.12 Ensure credentials unused for 45 days or more are disabled | ACCESS CONTROL |
| 1.13 Ensure there is only one active access key for any single IAM user | ACCESS CONTROL |
| 1.14 Ensure access keys are rotated every 90 days or less | ACCESS CONTROL |
| 1.15 Ensure IAM users receive permissions only through groups | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 1.16 Ensure IAM policies that allow full "*:*" administrative privileges are not attached | ACCESS CONTROL |
| 1.17 Ensure a support role has been created to manage incidents with AWS Support | INCIDENT RESPONSE |
| 1.19 Ensure that all expired SSL/TLS certificates stored in AWS IAM are removed | AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY |
| 1.20 Ensure that IAM Access Analyzer is enabled for all regions | ACCESS CONTROL, MEDIA PROTECTION |
| 1.22 Ensure access to AWSCloudShellFullAccess is restricted | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION |
| 2.1.4 Ensure that S3 is configured with 'Block Public Access' enabled | ACCESS CONTROL, MEDIA PROTECTION |
| 2.2.1 Ensure that encryption-at-rest is enabled for RDS instances | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.2.2 Ensure the Auto Minor Version Upgrade feature is enabled for RDS instances | RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY |
| 2.2.3 Ensure that RDS instances are not publicly accessible | ACCESS CONTROL, MEDIA PROTECTION |
| 2.2.4 Ensure Multi-AZ deployments are used for enhanced availability in Amazon RDS | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.3.1 Ensure that encryption is enabled for EFS file systems | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.1 Ensure CloudTrail is enabled in all regions | AUDIT AND ACCOUNTABILITY |
| 3.4 Ensure that server access logging is enabled on the CloudTrail S3 bucket | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 4.2 Ensure management console sign-in without MFA is monitored | AUDIT AND ACCOUNTABILITY |
| 4.3 Ensure usage of the 'root' account is monitored | AUDIT AND ACCOUNTABILITY |
| 4.4 Ensure IAM policy changes are monitored | AUDIT AND ACCOUNTABILITY |
| 4.5 Ensure CloudTrail configuration changes are monitored | AUDIT AND ACCOUNTABILITY |
| 4.8 Ensure S3 bucket policy changes are monitored | AUDIT AND ACCOUNTABILITY |
| 4.12 Ensure changes to network gateways are monitored | AUDIT AND ACCOUNTABILITY |
| 4.13 Ensure route table changes are monitored | AUDIT AND ACCOUNTABILITY |
| 4.14 Ensure VPC changes are monitored | AUDIT AND ACCOUNTABILITY |
| 4.15 Ensure AWS Organizations changes are monitored | AUDIT AND ACCOUNTABILITY |
| 5.1.1 Ensure EBS volume encryption is enabled in all regions | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.1.2 Ensure CIFS access is restricted to trusted networks to prevent unauthorized access | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.2 Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports | CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.3 Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.4 Ensure no security groups allow ingress from ::/0 to remote server administration ports | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.7 Ensure that the EC2 Metadata Service only allows IMDSv2 | CONFIGURATION MANAGEMENT |