| 1.1 Ensure a customer created Customer Master Key (CMK) is created for the Web-tier | ACCESS CONTROL |
| 1.2 Ensure a customer created Customer Master Key (CMK) is created for the App-tier | ACCESS CONTROL |
| 1.3 Ensure a customer created Customer Master Key (CMK) is created for the Database-Tier | ACCESS CONTROL |
| 1.11 Ensure Web Tier ELB is using HTTPS listener | IDENTIFICATION AND AUTHENTICATION |
| 1.12 Ensure App Tier ELB have SSL\TLS Certificate attached | SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.13 Ensure App Tier ELB have the latest SSL Security Policies configured | SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.14 Ensure App Tier ELB is using HTTPS listener | IDENTIFICATION AND AUTHENTICATION |
| 1.15 Ensure all Public Web Tier SSL\TLS certificates are >30 days from Expiration | SYSTEM AND INFORMATION INTEGRITY |
| 1.17 Ensure CloudFront to Origin connection is configured using TLS1.1+ as the SSL\TLS protocol | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.12 Configure HTTP to HTTPS Redirects with a CloudFront Viewer Protocol Policy | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.13 Ensure all CloudFront Distributions require HTTPS between CloudFront and your Web-Tier ELB origin | SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.1 Ensure Root Domain Alias Record Points to ELB | SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.2 Ensure a DNS alias record for the root domain | SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.4 Ensure Geo-Restriction is enabled within CloudFront Distribution | SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.30 Ensure RDS Database is not publicly accessible | SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.31 Don't use the default VPC | ACCESS CONTROL, CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION |