| 1.4 Ensure Databases running on RDS have encryption at rest enabled | CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0 | amazon_aws | SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.5 Ensure all EBS volumes for Web-Tier are encrypted | CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0 | amazon_aws | SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.8 Ensure all Customer owned Amazon Machine Images for Application Tier are not shared publicly | CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0 | amazon_aws | ACCESS CONTROL |
| 1.9 Ensure Web Tier ELB have SSL/TLS Certificate attached | CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0 | amazon_aws | SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.10 Ensure Web Tier ELB have the latest SSL Security Policies configured | CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0 | amazon_aws | SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.11 Ensure Web Tier ELB is using HTTPS listener | CIS Amazon Web Services Three-tier Web Architecture L2 1.0.0 | amazon_aws | IDENTIFICATION AND AUTHENTICATION |
| 1.13 Ensure App Tier ELB have the latest SSL Security Policies configured | CIS Amazon Web Services Three-tier Web Architecture L2 1.0.0 | amazon_aws | SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.15 Ensure all Public Web Tier SSL\TLS certificates are >30 days from Expiration | CIS Amazon Web Services Three-tier Web Architecture L2 1.0.0 | amazon_aws | SYSTEM AND INFORMATION INTEGRITY |
| 1.16 Ensure all S3 buckets have policy to require server-side and in transit encryption for all objects stored in bucket. | CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0 | amazon_aws | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.1.1 Disable Bluetooth, if no paired devices exist | CIS Apple OSX 10.10 Yosemite L1 v1.2.0 | Unix | |
| 2.1.1 Disable Bluetooth, if no paired devices exist - Bluetooth is paired | CIS Apple OSX 10.11 El Capitan L1 v1.1.0 | Unix | CONFIGURATION MANAGEMENT |
| 2.3 Ensure an IAM Role for Amazon EC2 is created for Web Tier | CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0 | amazon_aws | ACCESS CONTROL |
| 2.4 Ensure an IAM Role for Amazon EC2 is created for App Tier | CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0 | amazon_aws | ACCESS CONTROL |
| 2.5 Ensure AutoScaling Group Launch Configuration for Web Tier is configured to use a customer created Web-Tier IAM Role | CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0 | amazon_aws | ACCESS CONTROL |
| 2.7 Ensure an IAM group for administration purposes is created | CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0 | amazon_aws | ACCESS CONTROL |
| 2.8 Ensure an IAM policy that allows admin privileges for all services used is created | CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0 | amazon_aws | ACCESS CONTROL |
| 3.2 Ensure each Auto-Scaling Group is configured for multiple Availability Zones | CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0 | amazon_aws | SYSTEM AND INFORMATION INTEGRITY |
| 3.5 Ensure Relational Database Service is Multi-AZ Enabled | CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0 | amazon_aws | SYSTEM AND INFORMATION INTEGRITY |
| 3.10 Ensure S3 buckets have versioning enabled | CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0 | amazon_aws | CONTINGENCY PLANNING |
| 3.13 Ensure all CloudFront Distributions require HTTPS between CloudFront and your Web-Tier ELB origin | CIS Amazon Web Services Three-tier Web Architecture L2 1.0.0 | amazon_aws | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.13 Ensure Web Tier Auto-Scaling Group has an associated Elastic Load Balancer | CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0 | amazon_aws | CONFIGURATION MANAGEMENT |
| 3.14 Ensure App Tier Auto-Scaling Group has an associated Elastic Load Balancer | CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0 | amazon_aws | CONFIGURATION MANAGEMENT |
| 4.2 Ensure a SNS topic is created for sending out notifications from RDS events | CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0 | amazon_aws | ACCESS CONTROL, SYSTEM AND INFORMATION INTEGRITY |
| 4.7 Ensure that a Cloudwatch Alarm is created for the "VPC Flow Logs" metric filter, and an Alarm Action is configured | CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0 | amazon_aws | AUDIT AND ACCOUNTABILITY |
| 4.8 Ensure Billing Alerts are enabled for increments of X spend | CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0 | amazon_aws | CONFIGURATION MANAGEMENT |
| 5.1 Ensure all resources are correctly tagged | CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0 | amazon_aws | CONFIGURATION MANAGEMENT |
| 5.2 Ensure AWS Elastic Load Balancer logging is enabled | CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0 | amazon_aws | AUDIT AND ACCOUNTABILITY |
| 5.4 Ensure Cloudwatch Log Group is created for Web Tier | CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0 | amazon_aws | AUDIT AND ACCOUNTABILITY |
| 5.5 Ensure Cloudwatch Log Group is created for App Tier | CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0 | amazon_aws | AUDIT AND ACCOUNTABILITY |
| 5.6 Ensure Cloudwatch Log Group for Web Tier has a retention period | CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0 | amazon_aws | AUDIT AND ACCOUNTABILITY |
| 5.8 Ensure an agent for AWS Cloudwatch Logs is installed within Auto-Scaling Group for Web-Tier | CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0 | amazon_aws | AUDIT AND ACCOUNTABILITY |
| 5.9 Ensure an agent for AWS Cloudwatch Logs is installed within Auto-Scaling Group for App-Tier | CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0 | amazon_aws | AUDIT AND ACCOUNTABILITY |
| 5.10 Ensure an AWS Managed Config Rule for encrypted volumes is applied to Web Tier | CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0 | amazon_aws | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.11 Ensure an AWS Managed Config Rule for encrypted volumes is applied to App Tier | CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0 | amazon_aws | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.12 Ensure an AWS Managed Config Rule for EIPs attached to EC2 instances within VPC | CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0 | amazon_aws | SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.2 Ensure a DNS alias record for the root domain | CIS Amazon Web Services Three-tier Web Architecture L2 1.0.0 | amazon_aws | SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.3 Use CloudFront Content Distribution Network | CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0 | amazon_aws | CONFIGURATION MANAGEMENT |
| 6.10 Ensure NAT Gateways are created in at least 2 Availability Zones | CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0 | amazon_aws | SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.14 Ensure Routing Table associated with Web tier subnet have the default route (0.0.0.0/0) defined to allow connectivity | CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0 | amazon_aws | SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.15 Ensure Routing Table associated with App tier subnet have the default route (0.0.0.0/0) defined to allow connectivity | CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0 | amazon_aws | SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.17 Use a Web-Tier ELB Security Group to accept only HTTP/HTTPS | CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0 | amazon_aws | SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.27 Ensure EC2 instances within Web Tier have no Elastic / Public IP addresses associated | CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0 | amazon_aws | SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.29 Ensure EC2 instances within Data Tier have no Elastic / Public IP addresses associated | CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0 | amazon_aws | SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.30 Ensure RDS Database is not publically accessible | CIS Amazon Web Services Three-tier Web Architecture L2 1.0.0 | amazon_aws | SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.31 Don't use the default VPC | CIS Amazon Web Services Three-tier Web Architecture L2 1.0.0 | amazon_aws | ACCESS CONTROL, CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION |
| Brocade - Bottleneck alerts must be enabled | Tenable Best Practices Brocade FabricOS | Brocade | AUDIT AND ACCOUNTABILITY |
| GOOG-16-013400 - Google Android 16 devices must have a Mobile Threat Detection (MTD) app installed. | AirWatch - DISA Google Android 16 COBO STIG v1r1 | MDM | CONFIGURATION MANAGEMENT |
| RHEL-06-000285 - The system must have a host-based intrusion detection tool installed - hipclient process | DISA Red Hat Enterprise Linux 6 STIG v2r2 | Unix | CONFIGURATION MANAGEMENT |
| SYMP-AG-000270 - Symantec ProxySG providing intermediary services for HTTP must inspect outbound HTTP traffic for protocol compliance and protocol anomalies - External | DISA Symantec ProxySG Benchmark ALG v1r3 | BlueCoat | CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION |
| WBLC-02-000069 - Oracle WebLogic must generate audit records for the DoD-selected list of auditable events. | Oracle WebLogic Server 12c Windows v2r2 | Windows | AUDIT AND ACCOUNTABILITY |
