| 1.5 Ensure hardware MFA is enabled for the 'root' user account | IDENTIFICATION AND AUTHENTICATION |
| 1.17 Ensure IAM instance roles are used for AWS resource access from instances | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 1.20 Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments | ACCESS CONTROL |
| 2.1.1 Ensure S3 Bucket Policy is set to deny HTTP requests | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.1.2 Ensure MFA Delete is enabled on S3 buckets | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, MEDIA PROTECTION |
| 2.1.3 Ensure all data in Amazon S3 has been discovered, classified, and secured when necessary | AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY |
| 3.2 Ensure CloudTrail log file validation is enabled | AUDIT AND ACCOUNTABILITY |
| 3.3 Ensure AWS Config is enabled in all regions | CONFIGURATION MANAGEMENT, PROGRAM MANAGEMENT |
| 3.5 Ensure CloudTrail logs are encrypted at rest using KMS CMKs | AUDIT AND ACCOUNTABILITY, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.6 Ensure rotation for customer-created symmetric CMKs is enabled | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.7 Ensure VPC flow logging is enabled in all VPCs | AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY |
| 3.8 Ensure that object-level logging for write events is enabled for S3 buckets | AUDIT AND ACCOUNTABILITY |
| 3.9 Ensure that object-level logging for read events is enabled for S3 buckets | AUDIT AND ACCOUNTABILITY |
| 4.1 Ensure unauthorized API calls are monitored | AUDIT AND ACCOUNTABILITY |
| 4.6 Ensure AWS Management Console authentication failures are monitored | AUDIT AND ACCOUNTABILITY |
| 4.7 Ensure disabling or scheduled deletion of customer created CMKs is monitored | AUDIT AND ACCOUNTABILITY |
| 4.9 Ensure AWS Config configuration changes are monitored | AUDIT AND ACCOUNTABILITY |
| 4.10 Ensure security group changes are monitored | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, MEDIA PROTECTION |
| 4.11 Ensure Network Access Control List (NACL) changes are monitored | AUDIT AND ACCOUNTABILITY |
| 4.16 Ensure AWS Security Hub is enabled | RISK ASSESSMENT |
| 5.5 Ensure the default security group of every VPC restricts all traffic | ACCESS CONTROL, MEDIA PROTECTION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.6 Ensure routing tables for VPC peering are "least access" | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
