• Ensure EC2 instances have tags
• Ensure an unused EBS volume is attached to an instance
• Ensure AWS EBS volumes are encrypted
• Ensure AWS RDS DB cluster encryption is enabled
• Ensure AWS CloudFront distribution is using secure SSL protocols for HTTPS communication
• Ensure DynamoDB PITR is enabled
• Ensure all data stored in the EBS snapshot is securely encrypted
• Ensure ECR image scan on push is enabled
• Ensure AWS ElastiCache Redis cluster with encryption for data at rest is enabled
• Ensure AWS ElastiCache Redis cluster with in-transit encryption is enabled
• Ensure all data stored in the ElastiCache Replication Group is securely encrypted in-transit
• Ensure EBS volumes have encrypted launch configurations
• Ensure all data stored in SageMaker is securely encrypted at rest
• Ensure AWS SNS topic has SSE enabled
• Ensure AWS SQS server side encryption is enabled
• Ensure AWS EFS with encryption for data at rest is enabled
• Ensure Neptune storage is securely encrypted
• Ensure all unused Elastic IPs are deleted
• Ensure unused network interfaces are deleted
• Ensure unused Elastic Load Balancers are deleted
• Ensure AWS Kinesis streams are encrypted using SSE
• Ensure DAX is securely encrypted at rest
• Ensure ECR image tags are immutable
• Ensure AWS Redshift cluster is encrypted using CMKt
• Ensure AWS resources that support tags have Tags
• Ensure CloudFront distribution has WAF enabled
• Ensure DocumentDB is encrypted at rest
• Ensure Athena Database is encrypted at rest
• Ensure CodeBuild project encryption is not disabled
• Ensure Instance Metadata Service version 1 is not enabled
• Ensure MSK cluster encryption at rest and in transit is enabled
• Ensure Athena workgroup prevents disabling encryption
• Ensure instances with scheduled reboots are rescheduled or manually rebooted
• Ensure PGAudit is enabled on RDS Postgres instances
• Ensure Glue Data Catalog encryption is enabled
• Ensure all data stored in Aurora is securely encrypted at rest
• Ensure EFS volumes in ECS task definitions have encryption in transit enabled
• Ensure AWS SageMaker notebook instance is configured with data encryption at rest using KMS key
• Ensure AWS SageMaker notebook instance is configured with data encryption at rest using KMS key
• Ensure AWS Glue security configuration encryption is enabled
• Ensure Neptune cluster instance is not publicly available
• Ensure AWS Load Balancer is using TLS 1.2
• Ensure API gateway caching is enabled
• Ensure DynamoDB Tables have Auto Scaling enabled
• Ensure Amazon ElastiCache Redis clusters have automatic backup turned on
• Ensure RDS instances have backup policy
• Ensure Redshift clusters have AWS Backup's backup plan
• Ensure Amazon EFS has an AWS Backup backup plan
• Ensure RDS clusters have an AWS Backup backup plan
• Ensure EBS has an AWS Backup backup plan
• Ensure KMS has a rotation policy
• Ensure DynamoDB tables are encrypted
• Ensure ECR repositories are encrypted
• Ensure RDS global clusters are encrypted
• Ensure Redshift cluster is encrypted by KMS
• Ensure S3 buckets are encrypted with KMS by default
• Ensure CodeBuild projects are encrypted
• Ensure Secret Manager secret is encrypted using KMS
• Ensure RDS database cluster snapshot is encrypted
• Ensure only encrypted EBS volumes are attached to EC2 instances
• Ensure load balancer has deletion protection enabled
• Ensure that AWS EMR clusters have Kerberos enabled
• Ensure AWS Lambda function is configured for function-level concurrent execution limit
• Ensure AWS Lambda function is configured for a DLQ
• Ensure AWS Lambda function is configured inside a VPC
• Ensure GuardDuty is enbaled to specific org/region
• Ensure Elastic Load Balancers use SSL certificates provided by AWS Certificate Manager
• Ensure EC2 is EBS optimized
• Ensure RDS clusters and instances have deletion protection enabled
• Ensure Redshift cluster allow version upgrade by default
• Ensure S3 bucket has lock configuration enabled by default
• Ensure S3 bucket has cross-region replication enabled
• Ensure RDS instances have Multi-AZ enabled
• Ensure DocDB has audit logs enabled
• Ensure Redshift uses SSL
• Ensure Session Manager data is encrypted in transit
• Ensure that RDS database cluster snapshot is encrypted
• Ensure that CodeBuild projects are encrypted
• Ensure that Secrets Manager secret is encrypted using KMS
• Ensure that Load Balancer has deletion protection enabled
• Ensure EBS default encryption is enabled
• Autoscaling groups should supply tags to launch configurations
• Ensure that Workspace user volumes are encrypted
• Ensure that Workspace root volumes are encrypted
• Ensure that CloudWatch Log Group is encrypted by KMS
• Ensure that Athena Workgroup is encrypted
• Ensure that Timestream database is encrypted with KMS CMK
• Ensure Dynamodb point in time recovery is enabled for global tables
• Ensure Backup Vault is encrypted at rest using KMS CMK
• Ensure Glacier Vault access policy is not public by only allowing specific services or principals to access it
• Ensure SQS queue policy is not public by only allowing specific services or principals to access it
• Ensure SNS topic policy is not public by only allowing specific services or principals to access it
• Ensure QLDB ledger permissions mode is set to STANDARD
• Ensure EMR Cluster security configuration encryption uses SSE-KMS
• Ensure Route53 A Record has an attached resource
• Ensure Route53 A Record has an attached resource
• Ensure Route 53 DNS service modifications are detected
• Ensure provisioned resources are not manually modified
• Ensure Glue component has a security configuration associated