| 1.1 Ensure a customer created Customer Master Key (CMK) is created for the Web-tier | CIS Amazon Web Services Three-tier Web Architecture L2 1.0.0 | amazon_aws | ACCESS CONTROL |
| 1.3 Ensure a customer created Customer Master Key (CMK) is created for the Database-Tier | CIS Amazon Web Services Three-tier Web Architecture L2 1.0.0 | amazon_aws | ACCESS CONTROL |
| 1.8 Ensure all Customer owned Amazon Machine Images for Application Tier are not shared publicly | CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0 | amazon_aws | ACCESS CONTROL |
| 1.9 Ensure Web Tier ELB have SSL/TLS Certificate attached | CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0 | amazon_aws | |
| 1.11 Ensure Web Tier ELB is using HTTPS listener | CIS Amazon Web Services Three-tier Web Architecture L2 1.0.0 | amazon_aws | IDENTIFICATION AND AUTHENTICATION |
| 1.12 Ensure App Tier ELB have SSL\TLS Certificate attached | CIS Amazon Web Services Three-tier Web Architecture L2 1.0.0 | amazon_aws | SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.13 Ensure App Tier ELB have the latest SSL Security Policies configured | CIS Amazon Web Services Three-tier Web Architecture L2 1.0.0 | amazon_aws | SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.14 Ensure App Tier ELB is using HTTPS listener | CIS Amazon Web Services Three-tier Web Architecture L2 1.0.0 | amazon_aws | IDENTIFICATION AND AUTHENTICATION |
| 1.16 Ensure all S3 buckets have policy to require server-side and in transit encryption for all objects stored in bucket. | CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0 | amazon_aws | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.1 Ensure each Auto-Scaling Group has an associated Elastic Load Balancer | CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0 | amazon_aws | CONFIGURATION MANAGEMENT |
| 3.7 Ensure Relational Database Service backup retention policy is set | CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0 | amazon_aws | CONTINGENCY PLANNING |
| 3.13 Ensure all CloudFront Distributions require HTTPS between CloudFront and your Web-Tier ELB origin | CIS Amazon Web Services Three-tier Web Architecture L2 1.0.0 | amazon_aws | SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.1 Ensure a SNS topic is created for sending out notifications from Cloudtwatch Alarms and Auto-Scaling Groups - CloudwatchAlarms | CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0 | amazon_aws | SYSTEM AND INFORMATION INTEGRITY |
| 4.1 Ensure a SNS topic is created for sending out notifications from Cloudtwatch Alarms and Auto-Scaling Groups - List SNS Subscriptions | CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0 | amazon_aws | ACCESS CONTROL |
| 4.2 Ensure a SNS topic is created for sending out notifications from RDS events - List SNS Subscriptions | CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0 | amazon_aws | ACCESS CONTROL |
| 5.1 Ensure all resources are correctly tagged | CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0 | amazon_aws | |
| 5.2 Ensure AWS Elastic Load Balancer logging is enabled | CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0 | amazon_aws | AUDIT AND ACCOUNTABILITY |
| 5.10 Ensure an AWS Managed Config Rule for encrypted volumes is applied to Web Tier - Encryption | CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0 | amazon_aws | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.11 Ensure Access to Inappropriate File Extensions Is Restricted - 'httpd.conf approved extention FileMatch directive exists' | CIS Apache HTTP Server 2.2 L2 v3.6.0 | Unix | SYSTEM AND INFORMATION INTEGRITY |
| 5.11 Ensure Access to Inappropriate File Extensions Is Restricted - 'httpd.conf approved extention FileMatch directive exists' | CIS Apache HTTP Server 2.2 L2 v3.6.0 Middleware | Unix | SYSTEM AND INFORMATION INTEGRITY |
| 5.11 Ensure an AWS Managed Config Rule for encrypted volumes is applied to App Tier - KMS ID | CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0 | amazon_aws | SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.1 Ensure Root Domain Alias Record Points to ELB | CIS Amazon Web Services Three-tier Web Architecture L2 1.0.0 | amazon_aws | SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.2 Ensure a DNS alias record for the root domain | CIS Amazon Web Services Three-tier Web Architecture L2 1.0.0 | amazon_aws | SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.3 Use CloudFront Content Distribution Network | CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0 | amazon_aws | |
| 6.6 Ensure subnets for the Web tier are created | CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0 | amazon_aws | SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.15 Ensure Routing Table associated with App tier subnet have the default route (0.0.0.0/0) defined to allow connectivity | CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0 | amazon_aws | SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.19 Create the Web tier Security Group and ensure it allows inbound connections from Web tier ELB Security Group for explicit ports | CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0 | amazon_aws | SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.20 Ensure Web tier Security Group has no inbound rules for CIDR of 0 (Global Allow) | CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0 | amazon_aws | SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.28 Ensure EC2 instances within App Tier have no Elastic / Public IP addresses associated | CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0 | amazon_aws | SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.30 Ensure RDS Database is not publically accessible | CIS Amazon Web Services Three-tier Web Architecture L2 1.0.0 | amazon_aws | SYSTEM AND COMMUNICATIONS PROTECTION |
| 10.1 Ensure Web content directory is on a separate partition from the Tomcat system files | CIS Apache Tomcat 10 L1 v1.1.0 | Unix | CONFIGURATION MANAGEMENT, MAINTENANCE |
| AS24-U2-000470 - Cookies exchanged between the Apache web server and client, such as session cookies, must have security settings that disallow cookie access outside the originating Apache web server and hosted application. | DISA STIG Apache Server 2.4 Unix Site v2r6 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| AS24-W2-000470 - Cookies exchanged between the Apache web server and client, such as session cookies, must have security settings that disallow cookie access outside the originating Apache web server and hosted application - Header HttpOnly Secure | DISA STIG Apache Server 2.4 Windows Site v2r2 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| DISA_STIG_Apache_Site-2.4_Windows_v2r2.audit from DISA Apache Server 2.4 Windows Site v2r2 STIG | DISA STIG Apache Server 2.4 Windows Site v2r2 | Windows | |
| DISA_STIG_Microsoft_Exchange_2016_Edge_Transport_Server_v2r5.audit from DISA Microsoft Exchange 2016 Edge Transport Server v2r5 STIG | DISA Microsoft Exchange 2016 Edge Transport Server STIG v2r5 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| DISA_STIG_Microsoft_Exchange_2016_Edge_Transport_Server_v2r6.audit from DISA Microsoft Exchange 2016 Edge Transport Server v2r6 STIG | DISA Microsoft Exchange 2016 Edge Transport Server STIG v2r6 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| JBOS-AS-000120 - JBoss must be configured to produce log records that establish which hosted application triggered the events. | DISA JBoss EAP 6.3 STIG v2r6 | Unix | AUDIT AND ACCOUNTABILITY |
| Keep Alive Timeout setting value should be appropriately configured. | TNS IBM HTTP Server Best Practice | Windows | ACCESS CONTROL |
| Keep Alive Timeout setting value should be appropriately configured. | TNS IBM HTTP Server Best Practice Middleware | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| WA230 A22 - The Web site software used with the web server must have all applicable security patches applied and documented. | DISA STIG Apache Server 2.2 Unix v1r11 | Unix | SYSTEM AND INFORMATION INTEGRITY |
| WA230 A22 - The Web site software used with the web server must have all applicable security patches applied and documented. | DISA STIG Apache Server 2.2 Unix v1r11 Middleware | Unix | |
| WA00520 A22 - The web server must not be configured as a proxy server. | DISA STIG Apache Server 2.2 Unix v1r11 | Unix | CONFIGURATION MANAGEMENT |
| WA00520 W22 - The web server must not be configured as a proxy server. | DISA STIG Apache Server 2.2 Windows v1r13 | Windows | CONFIGURATION MANAGEMENT |
| WA00555 A22 - The web server must be configured to listen on a specific IP address and port - [::ffff:0.0.0.0]:80 | DISA STIG Apache Server 2.2 Unix v1r11 Middleware | Unix | |
| WA00555 A22 - The web server must be configured to listen on a specific IP address and port - 0.0.0.0:80 | DISA STIG Apache Server 2.2 Unix v1r11 Middleware | Unix | |
| WA00555 A22 - The web server must be configured to listen on a specific IP address and port - 0.0.0.0:80 | DISA STIG Apache Server 2.2 Unix v1r11 | Unix | CONFIGURATION MANAGEMENT |
| WA00555 A22 - The web server must be configured to listen on a specific IP address and port - listen | DISA STIG Apache Server 2.2 Unix v1r11 Middleware | Unix | |
| WA00555 A22 - The web server must be configured to listen on a specific IP address and port - listen | DISA STIG Apache Server 2.2 Unix v1r11 | Unix | CONFIGURATION MANAGEMENT |
| WA00555 W22 - The web server must be configured to listen on a specific IP address and port. - '[::ffff:0.0.0.0]:80' | DISA STIG Apache Server 2.2 Windows v1r13 | Windows | CONFIGURATION MANAGEMENT |
| WA00555 W22 - The web server must be configured to listen on a specific IP address and port. - 'Listen 80 does not exists' | DISA STIG Apache Server 2.2 Windows v1r13 | Windows | CONFIGURATION MANAGEMENT |
