| 1.4 Ensure Databases running on RDS have encryption at rest enabled | SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.5 Ensure all EBS volumes for Web-Tier are encrypted | SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.6 Ensure all EBS volumes for App-Tier are encrypted | SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.7 Ensure all Customer owned Amazon Machine Images for Web Tier are not shared publicly | ACCESS CONTROL |
| 1.8 Ensure all Customer owned Amazon Machine Images for Application Tier are not shared publicly | ACCESS CONTROL |
| 1.9 Ensure Web Tier ELB have SSL/TLS Certificate attached | SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.10 Ensure Web Tier ELB have the latest SSL Security Policies configured | SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.16 Ensure all S3 buckets have policy to require server-side and in transit encryption for all objects stored in bucket. | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.1 Ensure IAM Policy for EC2 IAM Roles for Web tier is configured | ACCESS CONTROL |
| 2.2 Ensure IAM Policy for EC2 IAM Roles for App tier is configured | ACCESS CONTROL |
| 2.3 Ensure an IAM Role for Amazon EC2 is created for Web Tier | ACCESS CONTROL |
| 2.4 Ensure an IAM Role for Amazon EC2 is created for App Tier | ACCESS CONTROL |
| 2.5 Ensure AutoScaling Group Launch Configuration for Web Tier is configured to use a customer created Web-Tier IAM Role | ACCESS CONTROL |
| 2.6 Ensure AutoScaling Group Launch Configuration for App Tier is configured to use an App-Tier IAM Role | ACCESS CONTROL |
| 2.7 Ensure an IAM group for administration purposes is created | ACCESS CONTROL |
| 2.8 Ensure an IAM policy that allows admin privileges for all services used is created | ACCESS CONTROL |
| 2.9 Ensure SNS Topics do not Allow Everyone To Publish | ACCESS CONTROL |
| 2.10 Ensure SNS Topics do not Allow Everyone To Subscribe | ACCESS CONTROL |
| 3.1 Ensure each Auto-Scaling Group has an associated Elastic Load Balancer | CONFIGURATION MANAGEMENT |
| 3.2 Ensure each Auto-Scaling Group is configured for multiple Availability Zones | SYSTEM AND INFORMATION INTEGRITY |
| 3.3 Ensure Auto-Scaling Launch Configuration for Web-Tier is configured to use an approved Amazon Machine Image | CONFIGURATION MANAGEMENT |
| 3.4 Ensure Auto-Scaling Launch Configuration for App-Tier is configured to use an approved Amazon Machine Image | CONFIGURATION MANAGEMENT |
| 3.5 Ensure Relational Database Service is Multi-AZ Enabled | SYSTEM AND INFORMATION INTEGRITY |
| 3.6 Ensure Relational Database Service Instances have Auto Minor Version Upgrade Enabled | SYSTEM AND INFORMATION INTEGRITY |
| 3.7 Ensure Relational Database Service backup retention policy is set | CONTINGENCY PLANNING |
| 3.8 Ensure Web Tier Elastic Load Balancer has application layer Health Check Configured | AUDIT AND ACCOUNTABILITY |
| 3.9 Ensure App Tier Elastic Load Balancer has application layer Health Check Configured | AUDIT AND ACCOUNTABILITY |
| 3.10 Ensure S3 buckets have versioning enabled | CONTINGENCY PLANNING |
| 3.13 Ensure Web Tier Auto-Scaling Group has an associated Elastic Load Balancer | CONFIGURATION MANAGEMENT |
| 3.14 Ensure App Tier Auto-Scaling Group has an associated Elastic Load Balancer | CONFIGURATION MANAGEMENT |
| 4.1 Ensure a SNS topic is created for sending out notifications from Cloudtwatch Alarms and Auto-Scaling Groups | ACCESS CONTROL, SYSTEM AND INFORMATION INTEGRITY |
| 4.2 Ensure a SNS topic is created for sending out notifications from RDS events | ACCESS CONTROL, SYSTEM AND INFORMATION INTEGRITY |
| 4.3 Ensure RDS event subscriptions are enabled for Instance level events | AUDIT AND ACCOUNTABILITY |
| 4.4 Ensure RDS event subscriptions are enabled for DB security groups | AUDIT AND ACCOUNTABILITY |
| 4.6 Ensure that a log metric filter for the Cloudwatch group assigned to the "VPC Flow Logs" is created | AUDIT AND ACCOUNTABILITY |
| 4.7 Ensure that a Cloudwatch Alarm is created for the "VPC Flow Logs" metric filter, and an Alarm Action is configured | AUDIT AND ACCOUNTABILITY |
| 4.8 Ensure Billing Alerts are enabled for increments of X spend | CONFIGURATION MANAGEMENT |
| 5.1 Ensure all resources are correctly tagged | CONFIGURATION MANAGEMENT |
| 5.2 Ensure AWS Elastic Load Balancer logging is enabled | AUDIT AND ACCOUNTABILITY |
| 5.3 Ensure AWS Cloudfront Logging is enabled | AUDIT AND ACCOUNTABILITY |
| 5.4 Ensure Cloudwatch Log Group is created for Web Tier | AUDIT AND ACCOUNTABILITY |
| 5.5 Ensure Cloudwatch Log Group is created for App Tier | AUDIT AND ACCOUNTABILITY |
| 5.6 Ensure Cloudwatch Log Group for Web Tier has a retention period | AUDIT AND ACCOUNTABILITY |
| 5.7 Ensure Cloudwatch Log Group for App Tier has a retention period | AUDIT AND ACCOUNTABILITY |
| 5.8 Ensure an agent for AWS Cloudwatch Logs is installed within Auto-Scaling Group for Web-Tier | AUDIT AND ACCOUNTABILITY |
| 5.9 Ensure an agent for AWS Cloudwatch Logs is installed within Auto-Scaling Group for App-Tier | AUDIT AND ACCOUNTABILITY |
| 5.10 Ensure an AWS Managed Config Rule for encrypted volumes is applied to Web Tier | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.11 Ensure an AWS Managed Config Rule for encrypted volumes is applied to App Tier | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.12 Ensure an AWS Managed Config Rule for EIPs attached to EC2 instances within VPC | SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.3 Use CloudFront Content Distribution Network | CONFIGURATION MANAGEMENT |
