| Recommendation | Control family |
| --- | --- |
| 2.1.1 Ensure centralized root access in AWS Organizations | ACCESS CONTROL |
| 2.1.2 Ensure authorization guardrails for all AWS Organization accounts | ACCESS CONTROL |
| 2.1.3 Ensure Organizations management account is not used for workloads | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.1.4 Ensure Organizational Units are structured by environment and sensitivity | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.1.5 Ensure delegated admin manages AWS Organizations policies | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 2.1.6 Ensure delegated admins manage AWS Organizations-integrated services | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 2.6 Ensure hardware MFA is enabled for the 'root' user account | IDENTIFICATION AND AUTHENTICATION |
| 2.16 Ensure IAM instance roles are used for AWS resource access from instances | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 2.19 Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments | ACCESS CONTROL |
| 3.1.1 Ensure S3 Bucket Policy is set to deny HTTP requests | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.1.2 Ensure MFA Delete is enabled on S3 buckets | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, MEDIA PROTECTION |
| 3.1.3 Ensure all data in Amazon S3 has been discovered, classified, and secured when necessary | AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY |
| 4.2 Ensure CloudTrail log file validation is enabled | AUDIT AND ACCOUNTABILITY |
| 4.3 Ensure AWS Config is enabled in all regions | CONFIGURATION MANAGEMENT, PROGRAM MANAGEMENT |
| 4.5 Ensure CloudTrail logs are encrypted at rest using KMS CMKs | AUDIT AND ACCOUNTABILITY, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.6 Ensure rotation for customer-created symmetric CMKs is enabled | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.7 Ensure VPC flow logging is enabled in all VPCs | AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY |
| 4.8 Ensure that object-level logging for write events is enabled for S3 buckets | AUDIT AND ACCOUNTABILITY |
| 4.9 Ensure that object-level logging for read events is enabled for S3 buckets | AUDIT AND ACCOUNTABILITY |
| 5.1 Ensure unauthorized API calls are monitored | AUDIT AND ACCOUNTABILITY |
| 5.6 Ensure AWS Management Console authentication failures are monitored | AUDIT AND ACCOUNTABILITY |
| 5.7 Ensure disabling or scheduled deletion of customer created CMKs is monitored | AUDIT AND ACCOUNTABILITY |
| 5.9 Ensure AWS Config configuration changes are monitored | AUDIT AND ACCOUNTABILITY |
| 5.10 Ensure security group changes are monitored | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, MEDIA PROTECTION |
| 5.11 Ensure Network Access Control List (NACL) changes are monitored | AUDIT AND ACCOUNTABILITY |
| 5.16 Ensure AWS Security Hub is enabled | RISK ASSESSMENT |
| 6.5 Ensure the default security group of every VPC restricts all traffic | ACCESS CONTROL, MEDIA PROTECTION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.6 Ensure routing tables for VPC peering are "least access" | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.8 Ensure VPC Endpoints are used for access to AWS Services | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |