| 2.1 Maintain current contact details | INCIDENT RESPONSE |
| 2.2 Ensure security contact information is registered | CONTINGENCY PLANNING, INCIDENT RESPONSE |
| 2.3 Ensure no 'root' user account access key exists | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 2.4 Ensure MFA is enabled for the 'root' user account | IDENTIFICATION AND AUTHENTICATION |
| 2.6 Eliminate use of the 'root' user for administrative and daily tasks | ACCESS CONTROL |
| 2.7 Ensure IAM password policy requires minimum length of 14 or greater | IDENTIFICATION AND AUTHENTICATION |
| 2.8 Ensure IAM password policy prevents password reuse | IDENTIFICATION AND AUTHENTICATION |
| 2.9 Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password | IDENTIFICATION AND AUTHENTICATION |
| 2.10 Do not create access keys during initial setup for IAM users with a console password | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION |
| 2.11 Ensure credentials unused for 45 days or more are disabled | ACCESS CONTROL |
| 2.12 Ensure there is only one active access key for any single IAM user | ACCESS CONTROL |
| 2.13 Ensure access keys are rotated every 90 days or less | ACCESS CONTROL |
| 2.14 Ensure IAM users receive permissions only through groups | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 2.15 Ensure IAM policies that allow full "*:*" administrative privileges are not attached | ACCESS CONTROL |
| 2.16 Ensure a support role has been created to manage incidents with AWS Support | INCIDENT RESPONSE |
| 2.18 Ensure that all expired SSL/TLS certificates stored in AWS IAM are removed | AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY |
| 2.19 Ensure that IAM External Access Analyzer is enabled for all regions | ACCESS CONTROL, MEDIA PROTECTION |
| 2.21 Ensure access to AWSCloudShellFullAccess is restricted | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION |
| 3.1.4 Ensure that S3 is configured with 'Block Public Access' enabled | ACCESS CONTROL, MEDIA PROTECTION |
| 3.2.1 Ensure that encryption-at-rest is enabled for RDS instances | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.2.2 Ensure the Auto Minor Version Upgrade feature is enabled for RDS instances | RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY |
| 3.2.3 Ensure that RDS instances are not publicly accessible | ACCESS CONTROL, MEDIA PROTECTION |
| 3.2.4 Ensure Multi-AZ deployments are used for enhanced availability in Amazon RDS | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.3.1 Ensure that encryption is enabled for EFS file systems | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.1 Ensure CloudTrail is enabled in all regions | AUDIT AND ACCOUNTABILITY |
| 4.4 Ensure that server access logging is enabled on the CloudTrail S3 bucket | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 5.2 Ensure management console sign-in without MFA is monitored | AUDIT AND ACCOUNTABILITY |
| 5.3 Ensure usage of the 'root' account is monitored | AUDIT AND ACCOUNTABILITY |
| 5.4 Ensure IAM policy changes are monitored | AUDIT AND ACCOUNTABILITY |
| 5.5 Ensure CloudTrail configuration changes are monitored | AUDIT AND ACCOUNTABILITY |
| 5.8 Ensure S3 bucket policy changes are monitored | AUDIT AND ACCOUNTABILITY |
| 5.12 Ensure changes to network gateways are monitored | AUDIT AND ACCOUNTABILITY |
| 5.13 Ensure route table changes are monitored | AUDIT AND ACCOUNTABILITY |
| 5.14 Ensure VPC changes are monitored | AUDIT AND ACCOUNTABILITY |
| 5.15 Ensure AWS Organizations changes are monitored | AUDIT AND ACCOUNTABILITY |
| 6.1.1 Ensure EBS volume encryption is enabled in all regions | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.1.2 Ensure CIFS access is restricted to trusted networks to prevent unauthorized access | SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.2 Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports | CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.3 Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports | SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.4 Ensure no security groups allow ingress from ::/0 to remote server administration ports | SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.7 Ensure that the EC2 Metadata Service only allows IMDSv2 | CONFIGURATION MANAGEMENT |
