

# Standards reference for Security Hub CSPM

In AWS Security Hub CSPM, a *security standard* is a set of requirements that's based on regulatory frameworks, industry best practices, or company policies. Security Hub CSPM maps these requirements to controls, and runs security checks on the controls to assess whether the requirements of a standard are being met. Each standard includes multiple controls.

Security Hub CSPM currently supports the following standards:
+ **AWS Foundational Security Best Practices** – Developed by AWS and industry professionals, this standard is a compilation of security best practices for organizations, regardless of sector or size. It provides a set of controls that detect when your AWS accounts and resources deviate from security best practices. It also provides prescriptive guidance about how to improve and maintain your security posture.
+ **AWS Resource Tagging** – Developed by Security Hub CSPM, this standard can help you determine whether your AWS resources have tags. A *tag* is a key-value pair that acts as metadata for an AWS resource. Tags can help you identify, categorize, manage, and search for AWS resources. For example, you can use tags to categorize resources by purpose, owner, or environment.
+ **CIS AWS Foundations Benchmark** – Developed by the Center for Internet Security (CIS), this standard provides secure configuration guidelines for AWS. It specifies a set of security configuration guidelines and best practices for a subset of AWS services and resources, with an emphasis on foundational, testable, and architecture agnostic settings. The guidelines include clear, step-by-step implementation and assessment procedures.
+ **NIST SP 800-53 Revision 5** – This standard aligns with National Institute of Standards and Technology (NIST) requirements for protecting the confidentiality, integrity, and availability of information systems and critical resources. The associated framework generally applies to U.S. federal agencies or organizations that work with U.S. federal agencies or information systems. However, private organizations can also use the requirements as a guiding framework.
+ **NIST SP 800-171 Revision 2** – This standard aligns with NIST security recommendations and requirements for protecting the confidentiality of Controlled Unclassified Information (CUI) in systems and organizations that aren't part of the U.S. federal government. *CUI* is information that doesn't meet government criteria for classification, but is considered sensitive and is created or possessed by the U.S. federal government or other entities on behalf of the U.S. federal government.
+ **PCI DSS** – This standard aligns with the Payment Card Industry Data Security Standard (PCI DSS) compliance framework defined by the PCI Security Standards Council (SSC). The framework provides a set of rules and guidelines for safely handling credit and debit card information. The framework generally applies to organizations that store, process, or transmit cardholder data.
+ **Service-managed standard, AWS Control Tower** – This standard helps you configure the detective controls provided by Security Hub CSPM from AWS Control Tower. AWS Control Tower offers a straightforward way to set up and govern an AWS multi-account environment, following prescriptive best practices.

Security Hub CSPM standards and controls don't guarantee compliance with any regulatory frameworks or audits. Instead, they provide a way to evaluate and monitor the state of your AWS accounts and resources. We recommend enabling each standard that's relevant to your business needs, industry, or use case.

Individual controls can apply to more than one standard. If you enable multiple standards, we recommend that you also enable consolidated control findings. If you do this, Security Hub CSPM generates a single finding for each control, even if the control applies to more than one standard. If you don't turn on consolidated control findings, Security Hub CSPM generates a separate finding for each enabled standard that a control applies to. For example, if you enable two standards and a control applies to both of them, you receive two separate findings for the control, one for each standard. If you enable consolidated control findings, you receive only one finding for the control. For more information, see [Consolidated control findings](controls-findings-create-update.md#consolidated-control-findings).
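The enable-and-consolidate procedure described above, as an added example that is not part of the Security Hub documentation. The boto3 calls are the public Security Hub API (`GetEnabledStandards`, `BatchEnableStandards`, `UpdateSecurityHubConfiguration`, `GetFindings`); `REGION`, the standard versions in `STANDARD_ARNS`, the illustrative `CONTROL_TO_STANDARDS` mapping and the sample API response in the helpers are assumptions constructed for this example. The pure helpers show what changes when consolidated control findings are on: a control shared by two enabled standards yields one finding instead of two, and findings can be filtered by the consolidated `Compliance.SecurityControlId` field.

```python
"""Enable the standards a control belongs to, switch Security Hub CSPM to
consolidated control findings, and pull the findings for one control.

Added example, not code from the Security Hub documentation. The boto3 calls
are the public Security Hub API; REGION, the standard versions in
STANDARD_ARNS and CONTROL_TO_STANDARDS are assumptions for illustration.
"""

REGION = "us-east-1"  # assumed Region

# Standard ARNs follow the per-Region pattern accepted by BatchEnableStandards;
# the versions here are example choices.
STANDARD_ARNS = {
    "fsbp": f"arn:aws:securityhub:{REGION}::standards/aws-foundational-security-best-practices/v/1.0.0",
    "cis": f"arn:aws:securityhub:{REGION}::standards/cis-aws-foundations-benchmark/v/1.4.0",
}

# Illustrative mapping of controls to the standards that include them.
CONTROL_TO_STANDARDS = {
    "EC2.2": {"fsbp", "cis"},  # default security group control, in both standards
    "EC2.8": {"fsbp"},         # IMDSv2 control, FSBP only
}


def standards_to_enable(enabled_response, wanted_arns):
    """Drop standards that GetEnabledStandards already reports as READY
    (enabled) or PENDING, so the enable call is idempotent."""
    active = {
        sub["StandardsArn"]
        for sub in enabled_response.get("StandardsSubscriptions", [])
        if sub.get("StandardsStatus") in ("READY", "PENDING")
    }
    return [arn for arn in wanted_arns if arn not in active]


def expected_findings_per_control(control_to_standards, enabled, consolidated):
    """Findings Security Hub generates per control for one resource:
    consolidated (SECURITY_CONTROL generator) -> one finding per control;
    not consolidated (STANDARD_CONTROL) -> one per enabled standard that
    includes the control."""
    counts = {}
    for control, standards in control_to_standards.items():
        hits = len(standards & set(enabled))
        counts[control] = min(hits, 1) if consolidated else hits
    return counts


def control_finding_filter(control_id, only_failed=True):
    """GetFindings filter keyed on the consolidated Compliance fields."""
    filters = {
        "ComplianceSecurityControlId": [{"Value": control_id, "Comparison": "EQUALS"}],
        "RecordState": [{"Value": "ACTIVE", "Comparison": "EQUALS"}],
    }
    if only_failed:
        filters["ComplianceStatus"] = [{"Value": "FAILED", "Comparison": "EQUALS"}]
    return filters


def configure_and_query(client, control_id="EC2.2"):
    """Run the procedure against a live account with a boto3 securityhub client."""
    missing = standards_to_enable(client.get_enabled_standards(), list(STANDARD_ARNS.values()))
    if missing:
        client.batch_enable_standards(
            StandardsSubscriptionRequests=[{"StandardsArn": arn} for arn in missing]
        )
    # One finding per control, regardless of how many enabled standards share it.
    client.update_security_hub_configuration(ControlFindingGenerator="SECURITY_CONTROL")
    findings = []
    for page in client.get_paginator("get_findings").paginate(
        Filters=control_finding_filter(control_id)
    ):
        findings.extend(page["Findings"])
    return findings


if __name__ == "__main__":
    import boto3  # only needed for the live call

    for f in configure_and_query(boto3.client("securityhub", region_name=REGION)):
        std_ids = [s["StandardsId"] for s in f["Compliance"].get("AssociatedStandards", [])]
        print(f["Compliance"]["SecurityControlId"], f["Resources"][0]["Id"], std_ids)
```

`ControlFindingGenerator` is an account-level setting per Region, and switching it changes the shape of existing control findings (the `GeneratorId`, `ProductFields` and `Compliance` fields differ between the two modes), so make the switch before building automations or ticket integrations keyed on those fields. With consolidated findings on, the standards a finding applies to are listed in `Compliance.AssociatedStandards` rather than being implied by a separate finding per standard.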

**Topics**
+ [AWS Foundational Security Best Practices](fsbp-standard.md)
+ [AWS Resource Tagging](standards-tagging.md)
+ [CIS AWS Foundations Benchmark](cis-aws-foundations-benchmark.md)
+ [NIST SP 800-53 Revision 5](standards-reference-nist-800-53.md)
+ [NIST SP 800-171 Revision 2](standards-reference-nist-800-171.md)
+ [PCI DSS](pci-standard.md)
+ [Service-managed standards](service-managed-standards.md)

# AWS Foundational Security Best Practices standard in Security Hub CSPM

Developed by AWS and industry professionals, the AWS Foundational Security Best Practices (FSBP) standard is a compilation of security best practices for organizations, regardless of organization sector or size. It provides a set of controls that detect when AWS accounts and resources deviate from security best practices. It also provides prescriptive guidance about how to improve and maintain your organization's security posture.

In AWS Security Hub CSPM, the AWS Foundational Security Best Practices standard includes controls that continuously evaluate your AWS accounts and workloads, and help you identify areas that deviate from security best practices. The controls include security best practices for resources from multiple AWS services. Each control is assigned a category that reflects the security function that the control applies to. For a list of categories and additional details, see [Control categories](control-categories.md).

## Controls that apply to the standard
The following list specifies which AWS Security Hub CSPM controls apply to the AWS Foundational Security Best Practices standard (v1.0.0). To review the details of a control, choose the control.

 [[Account.1] Security contact information should be provided for an AWS account](account-controls.md#account-1) 

 [[ACM.1] Imported and ACM-issued certificates should be renewed after a specified time period](acm-controls.md#acm-1) 

 [[ACM.2] RSA certificates managed by ACM should use a key length of at least 2,048 bits](acm-controls.md#acm-2) 

 [[APIGateway.1] API Gateway REST and WebSocket API execution logging should be enabled](apigateway-controls.md#apigateway-1) 

 [[APIGateway.2] API Gateway REST API stages should be configured to use SSL certificates for backend authentication](apigateway-controls.md#apigateway-2) 

 [[APIGateway.3] API Gateway REST API stages should have AWS X-Ray tracing enabled](apigateway-controls.md#apigateway-3) 

 [[APIGateway.4] API Gateway should be associated with a WAF Web ACL](apigateway-controls.md#apigateway-4) 

 [[APIGateway.5] API Gateway REST API cache data should be encrypted at rest](apigateway-controls.md#apigateway-5) 

 [[APIGateway.8] API Gateway routes should specify an authorization type](apigateway-controls.md#apigateway-8) 

 [[APIGateway.9] Access logging should be configured for API Gateway V2 Stages](apigateway-controls.md#apigateway-9) 

 [[APIGateway.10] API Gateway V2 integrations should use HTTPS for private connections](apigateway-controls.md#apigateway-10) 

 [[APIGateway.11] API Gateway domain names should use recommended security policies](apigateway-controls.md#apigateway-11) 

 [[AppSync.1] AWS AppSync API caches should be encrypted at rest](appsync-controls.md#appsync-1) 

 [[AppSync.2] AWS AppSync should have field-level logging enabled](appsync-controls.md#appsync-2) 

 [[AppSync.5] AWS AppSync GraphQL APIs should not be authenticated with API keys](appsync-controls.md#appsync-5) 

 [[AppSync.6] AWS AppSync API caches should be encrypted in transit](appsync-controls.md#appsync-6) 

 [[Athena.4] Athena workgroups should have logging enabled](athena-controls.md#athena-4) 

 [[AutoScaling.1] Auto Scaling groups associated with a load balancer should use ELB health checks](autoscaling-controls.md#autoscaling-1) 

 [[AutoScaling.2] Amazon EC2 Auto Scaling group should cover multiple Availability Zones](autoscaling-controls.md#autoscaling-2) 

 [[AutoScaling.3] Auto Scaling group launch configurations should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2)](autoscaling-controls.md#autoscaling-3) 

 [[Autoscaling.5] Amazon EC2 instances launched using Auto Scaling group launch configurations should not have Public IP addresses](autoscaling-controls.md#autoscaling-5) 

 [[AutoScaling.6] Auto Scaling groups should use multiple instance types in multiple Availability Zones](autoscaling-controls.md#autoscaling-6) 

 [[AutoScaling.9] Amazon EC2 Auto Scaling groups should use Amazon EC2 launch templates](autoscaling-controls.md#autoscaling-9) 

 [[Backup.1] AWS Backup recovery points should be encrypted at rest](backup-controls.md#backup-1) 

 [[CloudFormation.3] CloudFormation stacks should have termination protection enabled](cloudformation-controls.md#cloudformation-3) 

 [[CloudFormation.4] CloudFormation stacks should have associated service roles](cloudformation-controls.md#cloudformation-4) 

 [[CloudFront.1] CloudFront distributions should have a default root object configured](cloudfront-controls.md#cloudfront-1) 

 [[CloudFront.3] CloudFront distributions should require encryption in transit](cloudfront-controls.md#cloudfront-3) 

 [[CloudFront.4] CloudFront distributions should have origin failover configured](cloudfront-controls.md#cloudfront-4) 

 [[CloudFront.5] CloudFront distributions should have logging enabled](cloudfront-controls.md#cloudfront-5) 

 [[CloudFront.6] CloudFront distributions should have WAF enabled](cloudfront-controls.md#cloudfront-6) 

 [[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates](cloudfront-controls.md#cloudfront-7) 

 [[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests](cloudfront-controls.md#cloudfront-8) 

 [[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins](cloudfront-controls.md#cloudfront-9) 

 [[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins](cloudfront-controls.md#cloudfront-10) 

 [[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins](cloudfront-controls.md#cloudfront-12) 

 [[CloudFront.13] CloudFront distributions should use origin access control](cloudfront-controls.md#cloudfront-13) 

 [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](cloudfront-controls.md#cloudfront-15) 

 [[CloudFront.16] CloudFront distributions should use origin access control for Lambda function URL origins](cloudfront-controls.md#cloudfront-16) 

 [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](cloudfront-controls.md#cloudfront-17) 

 [[CloudTrail.1] CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events](cloudtrail-controls.md#cloudtrail-1) 

 [[CloudTrail.2] CloudTrail should have encryption at-rest enabled](cloudtrail-controls.md#cloudtrail-2) 

 [[CloudTrail.4] CloudTrail log file validation should be enabled](cloudtrail-controls.md#cloudtrail-4) 

 [[CloudTrail.5] CloudTrail trails should be integrated with Amazon CloudWatch Logs](cloudtrail-controls.md#cloudtrail-5) 

 [[CodeBuild.1] CodeBuild Bitbucket source repository URLs should not contain sensitive credentials](codebuild-controls.md#codebuild-1) 

 [[CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials](codebuild-controls.md#codebuild-2) 

 [[CodeBuild.3] CodeBuild S3 logs should be encrypted](codebuild-controls.md#codebuild-3) 

 [[CodeBuild.4] CodeBuild project environments should have a logging configuration](codebuild-controls.md#codebuild-4) 

 [[CodeBuild.7] CodeBuild report group exports should be encrypted at rest](codebuild-controls.md#codebuild-7) 

 [[Cognito.2] Cognito identity pools should not allow unauthenticated identities](cognito-controls.md#cognito-2) 

 [[Cognito.3] Password policies for Cognito user pools should have strong configurations](cognito-controls.md#cognito-3) 

 [[Cognito.4] Cognito user pools should have threat protection activated with full function enforcement mode for custom authentication](cognito-controls.md#cognito-4) 

 [[Cognito.5] MFA should be enabled for Cognito user pools](cognito-controls.md#cognito-5) 

 [[Cognito.6] Cognito user pools should have deletion protection enabled](cognito-controls.md#cognito-6) 

 [[Config.1] AWS Config should be enabled and use the service-linked role for resource recording](config-controls.md#config-1) 

 [[Connect.2] Amazon Connect instances should have CloudWatch logging enabled](connect-controls.md#connect-2) 

 [[DataFirehose.1] Firehose delivery streams should be encrypted at rest](datafirehose-controls.md#datafirehose-1) 

 [[DataSync.1] DataSync tasks should have logging enabled](datasync-controls.md#datasync-1) 

 [[DMS.1] Database Migration Service replication instances should not be public](dms-controls.md#dms-1) 

 [[DMS.6] DMS replication instances should have automatic minor version upgrade enabled](dms-controls.md#dms-6) 

 [[DMS.7] DMS replication tasks for the target database should have logging enabled](dms-controls.md#dms-7) 

 [[DMS.8] DMS replication tasks for the source database should have logging enabled](dms-controls.md#dms-8) 

 [[DMS.9] DMS endpoints should use SSL](dms-controls.md#dms-9) 

 [[DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled](dms-controls.md#dms-10) 

 [[DMS.11] DMS endpoints for MongoDB should have an authentication mechanism enabled](dms-controls.md#dms-11) 

 [[DMS.12] DMS endpoints for Redis OSS should have TLS enabled](dms-controls.md#dms-12) 

 [[DMS.13] DMS replication instances should be configured to use multiple Availability Zones](dms-controls.md#dms-13) 

 [[DocumentDB.1] Amazon DocumentDB clusters should be encrypted at rest](documentdb-controls.md#documentdb-1) 

 [[DocumentDB.2] Amazon DocumentDB clusters should have an adequate backup retention period](documentdb-controls.md#documentdb-2) 

 [[DocumentDB.3] Amazon DocumentDB manual cluster snapshots should not be public](documentdb-controls.md#documentdb-3) 

 [[DocumentDB.4] Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs](documentdb-controls.md#documentdb-4) 

 [[DocumentDB.5] Amazon DocumentDB clusters should have deletion protection enabled](documentdb-controls.md#documentdb-5) 

 [[DocumentDB.6] Amazon DocumentDB clusters should be encrypted in transit](documentdb-controls.md#documentdb-6) 

 [[DynamoDB.1] DynamoDB tables should automatically scale capacity with demand](dynamodb-controls.md#dynamodb-1) 

 [[DynamoDB.2] DynamoDB tables should have point-in-time recovery enabled](dynamodb-controls.md#dynamodb-2) 

 [[DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest](dynamodb-controls.md#dynamodb-3) 

 [[DynamoDB.6] DynamoDB tables should have deletion protection enabled](dynamodb-controls.md#dynamodb-6) 

 [[DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit](dynamodb-controls.md#dynamodb-7) 

 [[EC2.1] Amazon EBS snapshots should not be configured to be publicly restorable](ec2-controls.md#ec2-1) 

 [[EC2.2] VPC default security groups should not allow inbound or outbound traffic](ec2-controls.md#ec2-2) 

 [[EC2.3] Attached Amazon EBS volumes should be encrypted at-rest](ec2-controls.md#ec2-3) 

 [[EC2.4] Stopped EC2 instances should be removed after a specified time period](ec2-controls.md#ec2-4) 

 [[EC2.6] VPC flow logging should be enabled in all VPCs](ec2-controls.md#ec2-6) 

 [[EC2.7] EBS default encryption should be enabled](ec2-controls.md#ec2-7) 

 [[EC2.8] EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)](ec2-controls.md#ec2-8) 

 [[EC2.9] Amazon EC2 instances should not have a public IPv4 address](ec2-controls.md#ec2-9) 

 [[EC2.10] Amazon EC2 should be configured to use VPC endpoints that are created for the Amazon EC2 service](ec2-controls.md#ec2-10) 

 [[EC2.15] Amazon EC2 subnets should not automatically assign public IP addresses](ec2-controls.md#ec2-15) 

 [[EC2.16] Unused Network Access Control Lists should be removed](ec2-controls.md#ec2-16) 

 [[EC2.17] Amazon EC2 instances should not use multiple ENIs](ec2-controls.md#ec2-17) 

 [[EC2.18] Security groups should only allow unrestricted incoming traffic for authorized ports](ec2-controls.md#ec2-18) 

 [[EC2.19] Security groups should not allow unrestricted access to ports with high risk](ec2-controls.md#ec2-19) 

 [[EC2.20] Both VPN tunnels for an AWS Site-to-Site VPN connection should be up](ec2-controls.md#ec2-20) 

 [[EC2.21] Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389](ec2-controls.md#ec2-21) 

 [[EC2.23] Amazon EC2 Transit Gateways should not automatically accept VPC attachment requests](ec2-controls.md#ec2-23) 

 [[EC2.24] Amazon EC2 paravirtual instance types should not be used](ec2-controls.md#ec2-24) 

 [[EC2.25] Amazon EC2 launch templates should not assign public IPs to network interfaces](ec2-controls.md#ec2-25) 

 [[EC2.51] EC2 Client VPN endpoints should have client connection logging enabled](ec2-controls.md#ec2-51) 

[[EC2.55] VPCs should be configured with an interface endpoint for ECR API](ec2-controls.md#ec2-55)

[[EC2.56] VPCs should be configured with an interface endpoint for Docker Registry](ec2-controls.md#ec2-56)

[[EC2.57] VPCs should be configured with an interface endpoint for Systems Manager](ec2-controls.md#ec2-57)

[[EC2.58] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager Contacts](ec2-controls.md#ec2-58)

[[EC2.60] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager](ec2-controls.md#ec2-60)

 [[EC2.170] EC2 launch templates should use Instance Metadata Service Version 2 (IMDSv2)](ec2-controls.md#ec2-170) 

 [[EC2.171] EC2 VPN connections should have logging enabled](ec2-controls.md#ec2-171) 

 [[EC2.172] EC2 VPC Block Public Access settings should block internet gateway traffic](ec2-controls.md#ec2-172) 

 [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](ec2-controls.md#ec2-173) 

 [[EC2.180] EC2 network interfaces should have source/destination checking enabled](ec2-controls.md#ec2-180) 

 [[EC2.181] EC2 launch templates should enable encryption for attached EBS volumes](ec2-controls.md#ec2-181) 

 [[EC2.182] Block public access settings should be enabled for Amazon EBS snapshots](ec2-controls.md#ec2-182) 

 [[EC2.183] EC2 VPN connections should use IKEv2 protocol](ec2-controls.md#ec2-183) 

 [[ECR.1] ECR private repositories should have image scanning configured](ecr-controls.md#ecr-1) 

 [[ECR.2] ECR private repositories should have tag immutability configured](ecr-controls.md#ecr-2) 

 [[ECR.3] ECR repositories should have at least one lifecycle policy configured](ecr-controls.md#ecr-3) 

 [[ECS.1] Amazon ECS task definitions should have secure networking modes and user definitions](ecs-controls.md#ecs-1) 

 [[ECS.2] ECS services should not have public IP addresses assigned to them automatically](ecs-controls.md#ecs-2) 

 [[ECS.3] ECS task definitions should not share the host's process namespace](ecs-controls.md#ecs-3) 

 [[ECS.4] ECS containers should run as non-privileged](ecs-controls.md#ecs-4) 

 [[ECS.5] ECS task definitions should configure containers to be limited to read-only access to root filesystems](ecs-controls.md#ecs-5) 

 [[ECS.8] Secrets should not be passed as container environment variables](ecs-controls.md#ecs-8) 

 [[ECS.9] ECS task definitions should have a logging configuration](ecs-controls.md#ecs-9) 

 [[ECS.10] ECS Fargate services should run on the latest Fargate platform version](ecs-controls.md#ecs-10) 

 [[ECS.12] ECS clusters should use Container Insights](ecs-controls.md#ecs-12) 

 [[ECS.16] ECS task sets should not automatically assign public IP addresses](ecs-controls.md#ecs-16) 

 [[ECS.18] ECS Task Definitions should use in-transit encryption for EFS volumes](ecs-controls.md#ecs-18) 

 [[ECS.19] ECS capacity providers should have managed termination protection enabled](ecs-controls.md#ecs-19) 

 [[ECS.20] ECS Task Definitions should configure non-root users in Linux container definitions](ecs-controls.md#ecs-20) 

 [[ECS.21] ECS Task Definitions should configure non-administrator users in Windows container definitions](ecs-controls.md#ecs-21) 

 [[EFS.1] Elastic File System should be configured to encrypt file data at-rest using AWS KMS](efs-controls.md#efs-1) 

 [[EFS.2] Amazon EFS volumes should be in backup plans](efs-controls.md#efs-2) 

 [[EFS.3] EFS access points should enforce a root directory](efs-controls.md#efs-3) 

 [[EFS.4] EFS access points should enforce a user identity](efs-controls.md#efs-4) 

 [[EFS.6] EFS mount targets should not be associated with subnets that assign public IP addresses on launch](efs-controls.md#efs-6) 

 [[EFS.7] EFS file systems should have automatic backups enabled](efs-controls.md#efs-7) 

 [[EFS.8] EFS file systems should be encrypted at rest](efs-controls.md#efs-8) 

 [[EKS.1] EKS cluster endpoints should not be publicly accessible](eks-controls.md#eks-1) 

 [[EKS.2] EKS clusters should run on a supported Kubernetes version](eks-controls.md#eks-2) 

 [[EKS.3] EKS clusters should use encrypted Kubernetes secrets](eks-controls.md#eks-3) 

 [[EKS.8] EKS clusters should have audit logging enabled](eks-controls.md#eks-8) 

 [[EKS.9] EKS node groups should run on a supported Kubernetes version](eks-controls.md#eks-9) 

 [[ElastiCache.1] ElastiCache (Redis OSS) clusters should have automatic backups enabled](elasticache-controls.md#elasticache-1) 

 [[ElastiCache.2] ElastiCache clusters should have automatic minor version upgrades enabled](elasticache-controls.md#elasticache-2) 

 [[ElastiCache.3] ElastiCache replication groups should have automatic failover enabled](elasticache-controls.md#elasticache-3) 

 [[ElastiCache.4] ElastiCache replication groups should be encrypted at rest](elasticache-controls.md#elasticache-4) 

 [[ElastiCache.5] ElastiCache replication groups should be encrypted in transit](elasticache-controls.md#elasticache-5) 

 [[ElastiCache.6] ElastiCache (Redis OSS) replication groups of earlier versions should have Redis OSS AUTH enabled](elasticache-controls.md#elasticache-6) 

 [[ElastiCache.7] ElastiCache clusters should not use the default subnet group](elasticache-controls.md#elasticache-7) 

 [[ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled](elasticbeanstalk-controls.md#elasticbeanstalk-1) 

 [[ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled](elasticbeanstalk-controls.md#elasticbeanstalk-2) 

 [[ElasticBeanstalk.3] Elastic Beanstalk should stream logs to CloudWatch](elasticbeanstalk-controls.md#elasticbeanstalk-3) 

 [[ELB.1] Application Load Balancer should be configured to redirect all HTTP requests to HTTPS](elb-controls.md#elb-1) 

 [[ELB.2] Classic Load Balancers with SSL/HTTPS listeners should use a certificate provided by AWS Certificate Manager](elb-controls.md#elb-2) 

 [[ELB.3] Classic Load Balancer listeners should be configured with HTTPS or TLS termination](elb-controls.md#elb-3) 

 [[ELB.4] Application Load Balancer should be configured to drop invalid http headers](elb-controls.md#elb-4) 

 [[ELB.5] Application and Classic Load Balancers logging should be enabled](elb-controls.md#elb-5) 

 [[ELB.6] Application, Gateway, and Network Load Balancers should have deletion protection enabled](elb-controls.md#elb-6) 

 [[ELB.7] Classic Load Balancers should have connection draining enabled](elb-controls.md#elb-7) 

 [[ELB.8] Classic Load Balancers with SSL listeners should use a predefined security policy that has strong configuration](elb-controls.md#elb-8) 

 [[ELB.9] Classic Load Balancers should have cross-zone load balancing enabled](elb-controls.md#elb-9) 

 [[ELB.10] Classic Load Balancer should span multiple Availability Zones](elb-controls.md#elb-10) 

 [[ELB.12] Application Load Balancer should be configured with defensive or strictest desync mitigation mode](elb-controls.md#elb-12) 

 [[ELB.13] Application, Network and Gateway Load Balancers should span multiple Availability Zones](elb-controls.md#elb-13) 

 [[ELB.14] Classic Load Balancer should be configured with defensive or strictest desync mitigation mode](elb-controls.md#elb-14) 

 [[ELB.17] Application and Network Load Balancers with listeners should use recommended security policies](elb-controls.md#elb-17) 

 [[ELB.18] Application and Network Load Balancer listeners should use secure protocols to encrypt data in transit](elb-controls.md#elb-18) 

 [[ELB.21] Application and Network Load Balancer target groups should use encrypted health check protocols](elb-controls.md#elb-21) 

 [[ELB.22] ELB target groups should use encrypted transport protocols](elb-controls.md#elb-22) 

 [[EMR.1] Amazon EMR cluster primary nodes should not have public IP addresses](emr-controls.md#emr-1) 

 [[EMR.2] Amazon EMR block public access setting should be enabled](emr-controls.md#emr-2) 

 [[EMR.3] Amazon EMR security configurations should be encrypted at rest](emr-controls.md#emr-3) 

 [[EMR.4] Amazon EMR security configurations should be encrypted in transit](emr-controls.md#emr-4) 

 [[ES.1] Elasticsearch domains should have encryption at-rest enabled](es-controls.md#es-1) 

 [[ES.2] Elasticsearch domains should not be publicly accessible](es-controls.md#es-2) 

 [[ES.3] Elasticsearch domains should encrypt data sent between nodes](es-controls.md#es-3) 

 [[ES.4] Elasticsearch domain error logging to CloudWatch Logs should be enabled](es-controls.md#es-4) 

 [[ES.5] Elasticsearch domains should have audit logging enabled](es-controls.md#es-5) 

 [[ES.6] Elasticsearch domains should have at least three data nodes](es-controls.md#es-6) 

 [[ES.7] Elasticsearch domains should be configured with at least three dedicated master nodes](es-controls.md#es-7) 

 [[ES.8] Connections to Elasticsearch domains should be encrypted using the latest TLS security policy](es-controls.md#es-8) 

 [[EventBridge.3] EventBridge custom event buses should have a resource-based policy attached](eventbridge-controls.md#eventbridge-3) 

 [[FSx.1] FSx for OpenZFS file systems should be configured to copy tags to backups and volumes](fsx-controls.md#fsx-1) 

 [[FSx.2] FSx for Lustre file systems should be configured to copy tags to backups](fsx-controls.md#fsx-2) 

 [[FSx.3] FSx for OpenZFS file systems should be configured for Multi-AZ deployment](fsx-controls.md#fsx-3) 

 [[FSx.4] FSx for NetApp ONTAP file systems should be configured for Multi-AZ deployment](fsx-controls.md#fsx-4) 

 [[FSx.5] FSx for Windows File Server file systems should be configured for Multi-AZ deployment](fsx-controls.md#fsx-5) 

 [[Glue.3] AWS Glue machine learning transforms should be encrypted at rest](glue-controls.md#glue-3) 

 [[Glue.4] AWS Glue Spark jobs should run on supported versions of AWS Glue](glue-controls.md#glue-4) 

 [[GuardDuty.1] GuardDuty should be enabled](guardduty-controls.md#guardduty-1) 

 [[GuardDuty.5] GuardDuty EKS Audit Log Monitoring should be enabled](guardduty-controls.md#guardduty-5) 

 [[GuardDuty.6] GuardDuty Lambda Protection should be enabled](guardduty-controls.md#guardduty-6) 

 [[GuardDuty.7] GuardDuty EKS Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-7) 

 [[GuardDuty.8] GuardDuty Malware Protection for EC2 should be enabled](guardduty-controls.md#guardduty-8) 

 [[GuardDuty.9] GuardDuty RDS Protection should be enabled](guardduty-controls.md#guardduty-9) 

 [[GuardDuty.10] GuardDuty S3 Protection should be enabled](guardduty-controls.md#guardduty-10) 

 [[GuardDuty.11] GuardDuty Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-11) 

 [[GuardDuty.12] GuardDuty ECS Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-12) 

 [[GuardDuty.13] GuardDuty EC2 Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-13) 

 [[IAM.1] IAM policies should not allow full "\*" administrative privileges](iam-controls.md#iam-1) 

 [[IAM.2] IAM users should not have IAM policies attached](iam-controls.md#iam-2) 

 [[IAM.3] IAM users' access keys should be rotated every 90 days or less](iam-controls.md#iam-3) 

 [[IAM.4] IAM root user access key should not exist](iam-controls.md#iam-4) 

 [[IAM.5] MFA should be enabled for all IAM users that have a console password](iam-controls.md#iam-5) 

 [[IAM.6] Hardware MFA should be enabled for the root user](iam-controls.md#iam-6) 

 [[IAM.7] Password policies for IAM users should have strong configurations](iam-controls.md#iam-7) 

 [[IAM.8] Unused IAM user credentials should be removed](iam-controls.md#iam-8) 

 [[IAM.21] IAM customer managed policies that you create should not allow wildcard actions for services](iam-controls.md#iam-21) 

 [[Inspector.1] Amazon Inspector EC2 scanning should be enabled](inspector-controls.md#inspector-1) 

 [[Inspector.2] Amazon Inspector ECR scanning should be enabled](inspector-controls.md#inspector-2) 

 [[Inspector.3] Amazon Inspector Lambda code scanning should be enabled](inspector-controls.md#inspector-3) 

 [[Inspector.4] Amazon Inspector Lambda standard scanning should be enabled](inspector-controls.md#inspector-4) 

 [[Kinesis.1] Kinesis streams should be encrypted at rest](kinesis-controls.md#kinesis-1) 

 [[Kinesis.3] Kinesis streams should have an adequate data retention period](kinesis-controls.md#kinesis-3) 

 [[KMS.1] IAM customer managed policies should not allow decryption actions on all KMS keys](kms-controls.md#kms-1) 

 [[KMS.2] IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys](kms-controls.md#kms-2) 

 [[KMS.3] AWS KMS keys should not be deleted unintentionally](kms-controls.md#kms-3) 

 [[KMS.5] KMS keys should not be publicly accessible](kms-controls.md#kms-5) 

 [[Lambda.1] Lambda function policies should prohibit public access](lambda-controls.md#lambda-1) 

 [[Lambda.2] Lambda functions should use supported runtimes](lambda-controls.md#lambda-2) 

 [[Lambda.5] VPC Lambda functions should operate in multiple Availability Zones](lambda-controls.md#lambda-5) 

 [[Macie.1] Amazon Macie should be enabled](macie-controls.md#macie-1) 

 [[Macie.2] Macie automated sensitive data discovery should be enabled](macie-controls.md#macie-2) 

 [[MQ.2] ActiveMQ brokers should stream audit logs to CloudWatch](mq-controls.md#mq-2) 

 [[MQ.3] Amazon MQ brokers should have automatic minor version upgrade enabled](mq-controls.md#mq-3) 

 [[MSK.1] MSK clusters should be encrypted in transit among broker nodes](msk-controls.md#msk-1) 

 [[MSK.3] MSK Connect connectors should be encrypted in transit](msk-controls.md#msk-3) 

 [[MSK.4] MSK clusters should have public access disabled](msk-controls.md#msk-4) 

 [[MSK.5] MSK connectors should have logging enabled](msk-controls.md#msk-5) 

 [[MSK.6] MSK clusters should disable unauthenticated access](msk-controls.md#msk-6) 

 [[Neptune.1] Neptune DB clusters should be encrypted at rest](neptune-controls.md#neptune-1) 

 [[Neptune.2] Neptune DB clusters should publish audit logs to CloudWatch Logs](neptune-controls.md#neptune-2) 

 [[Neptune.3] Neptune DB cluster snapshots should not be public](neptune-controls.md#neptune-3) 

 [[Neptune.4] Neptune DB clusters should have deletion protection enabled](neptune-controls.md#neptune-4) 

 [[Neptune.5] Neptune DB clusters should have automated backups enabled](neptune-controls.md#neptune-5) 

 [[Neptune.6] Neptune DB cluster snapshots should be encrypted at rest](neptune-controls.md#neptune-6) 

 [[Neptune.7] Neptune DB clusters should have IAM database authentication enabled](neptune-controls.md#neptune-7) 

 [[Neptune.8] Neptune DB clusters should be configured to copy tags to snapshots](neptune-controls.md#neptune-8) 

 [[NetworkFirewall.2] Network Firewall logging should be enabled](networkfirewall-controls.md#networkfirewall-2) 

 [[NetworkFirewall.3] Network Firewall policies should have at least one rule group associated](networkfirewall-controls.md#networkfirewall-3) 

 [[NetworkFirewall.4] The default stateless action for Network Firewall policies should be drop or forward for full packets](networkfirewall-controls.md#networkfirewall-4) 

 [[NetworkFirewall.5] The default stateless action for Network Firewall policies should be drop or forward for fragmented packets](networkfirewall-controls.md#networkfirewall-5) 

 [[NetworkFirewall.6] Stateless Network Firewall rule group should not be empty](networkfirewall-controls.md#networkfirewall-6) 

 [[NetworkFirewall.9] Network Firewall firewalls should have deletion protection enabled](networkfirewall-controls.md#networkfirewall-9) 

 [[NetworkFirewall.10] Network Firewall firewalls should have subnet change protection enabled](networkfirewall-controls.md#networkfirewall-10) 

 [[Opensearch.1] OpenSearch domains should have encryption at rest enabled](opensearch-controls.md#opensearch-1) 

 [[Opensearch.2] OpenSearch domains should not be publicly accessible](opensearch-controls.md#opensearch-2) 

 [[Opensearch.3] OpenSearch domains should encrypt data sent between nodes](opensearch-controls.md#opensearch-3) 

 [[Opensearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled](opensearch-controls.md#opensearch-4) 

 [[Opensearch.5] OpenSearch domains should have audit logging enabled](opensearch-controls.md#opensearch-5) 

 [[Opensearch.6] OpenSearch domains should have at least three data nodes](opensearch-controls.md#opensearch-6) 

 [[Opensearch.7] OpenSearch domains should have fine-grained access control enabled](opensearch-controls.md#opensearch-7) 

 [[Opensearch.8] Connections to OpenSearch domains should be encrypted using the latest TLS security policy](opensearch-controls.md#opensearch-8) 

 [[Opensearch.10] OpenSearch domains should have the latest software update installed](opensearch-controls.md#opensearch-10) 

 [[PCA.1] AWS Private CA root certificate authority should be disabled](pca-controls.md#pca-1) 

 [[Route53.2] Route 53 public hosted zones should log DNS queries](route53-controls.md#route53-2) 

 [[RDS.1] RDS snapshot should be private](rds-controls.md#rds-1) 

 [[RDS.2] RDS DB Instances should prohibit public access, as determined by the PubliclyAccessible configuration](rds-controls.md#rds-2) 

 [[RDS.3] RDS DB instances should have encryption at-rest enabled](rds-controls.md#rds-3) 

 [[RDS.4] RDS cluster snapshots and database snapshots should be encrypted at rest](rds-controls.md#rds-4) 

 [[RDS.5] RDS DB instances should be configured with multiple Availability Zones](rds-controls.md#rds-5) 

 [[RDS.6] Enhanced monitoring should be configured for RDS DB instances](rds-controls.md#rds-6) 

 [[RDS.7] RDS clusters should have deletion protection enabled](rds-controls.md#rds-7) 

 [[RDS.8] RDS DB instances should have deletion protection enabled](rds-controls.md#rds-8) 

 [[RDS.9] RDS DB instances should publish logs to CloudWatch Logs](rds-controls.md#rds-9) 

 [[RDS.10] IAM authentication should be configured for RDS instances](rds-controls.md#rds-10) 

 [[RDS.11] RDS instances should have automatic backups enabled](rds-controls.md#rds-11) 

 [[RDS.12] IAM authentication should be configured for RDS clusters](rds-controls.md#rds-12) 

 [[RDS.13] RDS automatic minor version upgrades should be enabled](rds-controls.md#rds-13) 

 [[RDS.14] Amazon Aurora clusters should have backtracking enabled](rds-controls.md#rds-14) 

 [[RDS.15] RDS DB clusters should be configured for multiple Availability Zones](rds-controls.md#rds-15) 

 [[RDS.16] Aurora DB clusters should be configured to copy tags to DB snapshots](rds-controls.md#rds-16) 

 [[RDS.17] RDS DB instances should be configured to copy tags to snapshots](rds-controls.md#rds-17) 

 [[RDS.19] Existing RDS event notification subscriptions should be configured for critical cluster events](rds-controls.md#rds-19) 

 [[RDS.20] Existing RDS event notification subscriptions should be configured for critical database instance events](rds-controls.md#rds-20) 

 [[RDS.21] An RDS event notifications subscription should be configured for critical database parameter group events](rds-controls.md#rds-21) 

 [[RDS.22] An RDS event notifications subscription should be configured for critical database security group events](rds-controls.md#rds-22) 

 [[RDS.23] RDS instances should not use a database engine default port](rds-controls.md#rds-23) 

 [[RDS.24] RDS Database clusters should use a custom administrator username](rds-controls.md#rds-24) 

 [[RDS.25] RDS database instances should use a custom administrator username](rds-controls.md#rds-25) 

 [[RDS.27] RDS DB clusters should be encrypted at rest](rds-controls.md#rds-27) 

 [[RDS.34] Aurora MySQL DB clusters should publish audit logs to CloudWatch Logs](rds-controls.md#rds-34) 

 [[RDS.35] RDS DB clusters should have automatic minor version upgrade enabled](rds-controls.md#rds-35) 

 [[RDS.36] RDS for PostgreSQL DB instances should publish logs to CloudWatch Logs](rds-controls.md#rds-36) 

 [[RDS.37] Aurora PostgreSQL DB clusters should publish logs to CloudWatch Logs](rds-controls.md#rds-37) 

 [[RDS.40] RDS for SQL Server DB instances should publish logs to CloudWatch Logs](rds-controls.md#rds-40) 

 [[RDS.41] RDS for SQL Server DB instances should be encrypted in transit](rds-controls.md#rds-41) 

 [[RDS.42] RDS for MariaDB DB instances should publish logs to CloudWatch Logs](rds-controls.md#rds-42) 

 [[RDS.43] RDS DB proxies should require TLS encryption for connections](rds-controls.md#rds-43) 

 [[RDS.44] RDS for MariaDB DB instances should be encrypted in transit](rds-controls.md#rds-44) 

 [[RDS.45] Aurora MySQL DB clusters should have audit logging enabled](rds-controls.md#rds-45) 

 [[RDS.46] RDS DB instances should not be deployed in public subnets with routes to internet gateways](rds-controls.md#rds-46) 

 [[RDS.47] RDS for PostgreSQL DB clusters should be configured to copy tags to DB snapshots](rds-controls.md#rds-47) 

 [[RDS.48] RDS for MySQL DB clusters should be configured to copy tags to DB snapshots](rds-controls.md#rds-48) 

 [[RDS.50] RDS DB clusters should have enough backup retention period set](rds-controls.md#rds-50) 

 [[Redshift.1] Amazon Redshift clusters should prohibit public access](redshift-controls.md#redshift-1) 

 [[Redshift.2] Connections to Amazon Redshift clusters should be encrypted in transit](redshift-controls.md#redshift-2) 

 [[Redshift.3] Amazon Redshift clusters should have automatic snapshots enabled](redshift-controls.md#redshift-3) 

 [[Redshift.4] Amazon Redshift clusters should have audit logging enabled](redshift-controls.md#redshift-4) 

 [[Redshift.6] Amazon Redshift should have automatic upgrades to major versions enabled](redshift-controls.md#redshift-6) 

 [[Redshift.7] Redshift clusters should use enhanced VPC routing](redshift-controls.md#redshift-7) 

 [[Redshift.8] Amazon Redshift clusters should not use the default Admin username](redshift-controls.md#redshift-8) 

 [[Redshift.10] Redshift clusters should be encrypted at rest](redshift-controls.md#redshift-10) 

 [[Redshift.15] Redshift security groups should allow ingress on the cluster port only from restricted origins](redshift-controls.md#redshift-15) 

 [[Redshift.18] Redshift clusters should have Multi-AZ deployments enabled](redshift-controls.md#redshift-18) 

 [[RedshiftServerless.1] Amazon Redshift Serverless workgroups should use enhanced VPC routing](redshiftserverless-controls.md#redshiftserverless-1) 

 [[RedshiftServerless.2] Connections to Redshift Serverless workgroups should be required to use SSL](redshiftserverless-controls.md#redshiftserverless-2) 

 [[RedshiftServerless.3] Redshift Serverless workgroups should prohibit public access](redshiftserverless-controls.md#redshiftserverless-3) 

 [[RedshiftServerless.5] Redshift Serverless namespaces should not use the default admin username](redshiftserverless-controls.md#redshiftserverless-5) 

 [[RedshiftServerless.6] Redshift Serverless namespaces should export logs to CloudWatch Logs](redshiftserverless-controls.md#redshiftserverless-6) 

 [[S3.1] S3 general purpose buckets should have block public access settings enabled](s3-controls.md#s3-1) 

 [[S3.2] S3 general purpose buckets should block public read access](s3-controls.md#s3-2) 

 [[S3.3] S3 general purpose buckets should block public write access](s3-controls.md#s3-3) 

 [[S3.5] S3 general purpose buckets should require requests to use SSL](s3-controls.md#s3-5) 

 [[S3.6] S3 general purpose bucket policies should restrict access to other AWS accounts](s3-controls.md#s3-6) 

 [[S3.8] S3 general purpose buckets should block public access](s3-controls.md#s3-8) 

 [[S3.9] S3 general purpose buckets should have server access logging enabled](s3-controls.md#s3-9) 

 [[S3.12] ACLs should not be used to manage user access to S3 general purpose buckets](s3-controls.md#s3-12) 

 [[S3.13] S3 general purpose buckets should have Lifecycle configurations](s3-controls.md#s3-13) 

 [[S3.19] S3 access points should have block public access settings enabled](s3-controls.md#s3-19) 

 [[S3.24] S3 Multi-Region Access Points should have block public access settings enabled](s3-controls.md#s3-24) 

 [[S3.25] S3 directory buckets should have lifecycle configurations](s3-controls.md#s3-25) 

 [[SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access](sagemaker-controls.md#sagemaker-1) 

 [[SageMaker.2] SageMaker notebook instances should be launched in a custom VPC](sagemaker-controls.md#sagemaker-2) 

 [[SageMaker.3] Users should not have root access to SageMaker notebook instances](sagemaker-controls.md#sagemaker-3) 

 [[SageMaker.4] SageMaker endpoint production variants should have an initial instance count greater than 1](sagemaker-controls.md#sagemaker-4) 

 [[SageMaker.5] SageMaker models should have network isolation enabled](sagemaker-controls.md#sagemaker-5) 

 [[SageMaker.8] SageMaker notebook instances should run on supported platforms](sagemaker-controls.md#sagemaker-8) 

 [[SageMaker.9] SageMaker data quality job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-9) 

 [[SageMaker.10] SageMaker model explainability job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-10) 

 [[SageMaker.11] SageMaker data quality job definitions should have network isolation enabled](sagemaker-controls.md#sagemaker-11) 

 [[SageMaker.12] SageMaker model bias job definitions should have network isolation enabled](sagemaker-controls.md#sagemaker-12) 

 [[SageMaker.13] SageMaker model quality job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-13) 

 [[SageMaker.14] SageMaker monitoring schedules should have network isolation enabled](sagemaker-controls.md#sagemaker-14) 

 [[SageMaker.15] SageMaker model bias job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-15) 

 [[SageMaker.16] SageMaker models should use private registry in VPC for primary containers](sagemaker-controls.md#sagemaker-16) 

 [[SageMaker.17] SageMaker feature group offline stores should be encrypted with AWS KMS keys](sagemaker-controls.md#sagemaker-17) 

 [[SecretsManager.1] Secrets Manager secrets should have automatic rotation enabled](secretsmanager-controls.md#secretsmanager-1) 

 [[SecretsManager.2] Secrets Manager secrets configured with automatic rotation should rotate successfully](secretsmanager-controls.md#secretsmanager-2) 

 [[SecretsManager.3] Remove unused Secrets Manager secrets](secretsmanager-controls.md#secretsmanager-3) 

 [[SecretsManager.4] Secrets Manager secrets should be rotated within a specified number of days](secretsmanager-controls.md#secretsmanager-4) 

 [[ServiceCatalog.1] Service Catalog portfolios should be shared within an AWS organization only](servicecatalog-controls.md#servicecatalog-1) 

 [[SES.3] SES configuration sets should have TLS enabled for sending emails](ses-controls.md#ses-3) 

 [[SNS.4] SNS topic access policies should not allow public access](sns-controls.md#sns-4) 

 [[SQS.1] Amazon SQS queues should be encrypted at rest](sqs-controls.md#sqs-1) 

 [[SQS.3] SQS queue access policies should not allow public access](sqs-controls.md#sqs-3) 

 [[SSM.1] Amazon EC2 instances should be managed by AWS Systems Manager](ssm-controls.md#ssm-1) 

 [[SSM.2] Amazon EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation](ssm-controls.md#ssm-2) 

 [[SSM.3] Amazon EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT](ssm-controls.md#ssm-3) 

 [[SSM.4] SSM documents should not be public](ssm-controls.md#ssm-4) 

 [[SSM.6] SSM Automation should have CloudWatch logging enabled](ssm-controls.md#ssm-6) 

 [[SSM.7] SSM documents should have the block public sharing setting enabled](ssm-controls.md#ssm-7) 

 [[StepFunctions.1] Step Functions state machines should have logging turned on](stepfunctions-controls.md#stepfunctions-1) 

 [[Transfer.2] Transfer Family servers should not use FTP protocol for endpoint connection](transfer-controls.md#transfer-2) 

 [[Transfer.3] Transfer Family connectors should have logging enabled](transfer-controls.md#transfer-3) 

 [[WAF.1] AWS WAF Classic Global Web ACL logging should be enabled](waf-controls.md#waf-1) 

 [[WAF.2] AWS WAF Classic Regional rules should have at least one condition](waf-controls.md#waf-2) 

 [[WAF.3] AWS WAF Classic Regional rule groups should have at least one rule](waf-controls.md#waf-3) 

 [[WAF.4] AWS WAF Classic Regional web ACLs should have at least one rule or rule group](waf-controls.md#waf-4) 

 [[WAF.6] AWS WAF Classic global rules should have at least one condition](waf-controls.md#waf-6) 

 [[WAF.7] AWS WAF Classic global rule groups should have at least one rule](waf-controls.md#waf-7) 

 [[WAF.8] AWS WAF Classic global web ACLs should have at least one rule or rule group](waf-controls.md#waf-8) 

 [[WAF.10] AWS WAF web ACLs should have at least one rule or rule group](waf-controls.md#waf-10) 

 [[WAF.12] AWS WAF rules should have CloudWatch metrics enabled](waf-controls.md#waf-12) 

 [[WorkSpaces.1] WorkSpaces user volumes should be encrypted at rest](workspaces-controls.md#workspaces-1) 

 [[WorkSpaces.2] WorkSpaces root volumes should be encrypted at rest](workspaces-controls.md#workspaces-2) 

# AWS Resource Tagging standard in Security Hub CSPM

The AWS Resource Tagging standard, developed by AWS Security Hub CSPM, helps you determine whether your AWS resources are missing tags. *Tags* are key-value pairs that act as metadata for organizing AWS resources. For most AWS resources, you can add tags when you create the resource or at any time afterward. Examples of resources include Amazon CloudFront distributions, Amazon Elastic Compute Cloud (Amazon EC2) instances, and secrets in AWS Secrets Manager. Tags can help you manage, identify, organize, search for, and filter AWS resources.

Each tag has two parts:
+ A tag key—for example, `CostCenter`, `Environment`, or `Project`. Tag keys are case sensitive.
+ A tag value—for example, `111122223333` or `Production`. Like tag keys, tag values are case sensitive.

You can use tags to categorize resources by purpose, owner, environment, or other criteria. For information about adding tags to AWS resources, see the [Tagging AWS Resources and Tag Editor User Guide](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html).

For each control that applies to the AWS Resource Tagging standard in Security Hub CSPM, you can optionally use the supported parameter to specify tag keys that you want the control to check for. If you don't specify any tag keys, the control checks only for the existence of at least one tag key, and fails if a resource doesn't have any tag keys.
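The evaluation rule described above (all required tag keys must be present, compared case-sensitively; with no keys specified, at least one tag key must exist) can be reproduced locally as a pre-check before enabling the standard. The following is an added example, not Security Hub CSPM code; the resource list is constructed for illustration and the `Resource`/`TagFinding` types and function names are this example's own, not part of the Security Hub API.

```python
"""Local pre-check that mirrors the tag evaluation the AWS Resource Tagging
standard describes. Added example; not part of Security Hub CSPM."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Resource:
    """Minimal view of a tagged AWS resource (hypothetical helper type)."""
    arn: str
    tags: dict[str, str] = field(default_factory=dict)


@dataclass
class TagFinding:
    """Result for one resource, using the PASSED/FAILED compliance vocabulary
    that Security Hub findings use."""
    resource_arn: str
    status: str
    missing_keys: list[str]


def evaluate_resource(resource: Resource, required_keys: tuple[str, ...] = ()) -> TagFinding:
    """Apply the standard's rule to one resource.

    With required_keys empty, only the presence of at least one tag key
    matters. Otherwise every required key must be present; tag keys are
    case sensitive, so "environment" does not satisfy "Environment".
    """
    if not required_keys:
        missing = [] if resource.tags else ["<any tag key>"]
    else:
        missing = [key for key in required_keys if key not in resource.tags]
    status = "PASSED" if not missing else "FAILED"
    return TagFinding(resource.arn, status, missing)


def evaluate_all(resources: list[Resource], required_keys: tuple[str, ...] = ()) -> list[TagFinding]:
    """Evaluate every resource and return one finding per resource."""
    return [evaluate_resource(r, required_keys) for r in resources]


def failing_arns(findings: list[TagFinding]) -> list[str]:
    """ARNs of resources that would generate a FAILED finding."""
    return [f.resource_arn for f in findings if f.status == "FAILED"]


# Constructed sample inventory; ARNs and tag values are placeholders.
SAMPLE_RESOURCES = [
    Resource("arn:aws:ec2:us-east-1:111122223333:instance/i-0example1",
             {"CostCenter": "1234", "Environment": "Production"}),
    # Same keys in the wrong case: fails a case-sensitive required-key check.
    Resource("arn:aws:ec2:us-east-1:111122223333:instance/i-0example2",
             {"costcenter": "1234", "environment": "Production"}),
    # No tags at all: fails even the default "at least one key" check.
    Resource("arn:aws:ec2:us-east-1:111122223333:instance/i-0example3", {}),
    # Tagged, but not with the required keys.
    Resource("arn:aws:ec2:us-east-1:111122223333:instance/i-0example4",
             {"Project": "demo"}),
]

if __name__ == "__main__":
    for finding in evaluate_all(SAMPLE_RESOURCES, ("CostCenter", "Environment")):
        print(finding.status, finding.resource_arn, finding.missing_keys)
```

Run the same inventory once with required keys and once without to see how the default behaviour differs: without keys, only the untagged resource fails, which is why specifying your organization's mandatory keys makes the control far more useful than the default.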

Before you enable the AWS Resource Tagging standard, it's important to enable and configure resource recording in AWS Config. When you configure resource recording, also be sure to enable it for all the types of AWS resources that are checked by controls that apply to the standard. Otherwise, Security Hub CSPM might not be able to evaluate the appropriate resources or generate accurate findings for controls that apply to the standard. For more information, including a list of the types of resources to record, see [Required AWS Config resources for control findings](controls-config-resources.md).

After you enable the AWS Resource Tagging standard, you begin receiving findings for controls that apply to the standard. Note that it can take up to 18 hours for Security Hub CSPM to generate findings for controls that use the same AWS Config service-linked rule as controls that apply to other enabled standards. For more information, see [Schedule for running security checks](securityhub-standards-schedule.md).

The AWS Resource Tagging standard has the following Amazon Resource Name (ARN): `arn:aws:securityhub:region::standards/aws-resource-tagging-standard/v/1.0.0`, where *region* is the Region code for the applicable AWS Region. You can also use the [GetEnabledStandards](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_GetEnabledStandards.html) operation of the Security Hub CSPM API to retrieve the ARN of a standard that's currently enabled.

**Note**  
The [AWS Resource Tagging standard](#standards-tagging) isn't available in the Asia Pacific (New Zealand) and Asia Pacific (Taipei) Regions.

## Controls that apply to the standard

The following list specifies which AWS Security Hub CSPM controls apply to the AWS Resource Tagging standard (v1.0.0). To review the details of a control, choose the control.
+ [[ACM.3] ACM certificates should be tagged](acm-controls.md#acm-3)
+ [[Amplify.1] Amplify apps should be tagged](amplify-controls.md#amplify-1)
+ [[Amplify.2] Amplify branches should be tagged](amplify-controls.md#amplify-2)
+ [[AppConfig.1] AWS AppConfig applications should be tagged](appconfig-controls.md#appconfig-1)
+ [[AppConfig.2] AWS AppConfig configuration profiles should be tagged](appconfig-controls.md#appconfig-2)
+ [[AppConfig.3] AWS AppConfig environments should be tagged](appconfig-controls.md#appconfig-3)
+ [[AppConfig.4] AWS AppConfig extension associations should be tagged](appconfig-controls.md#appconfig-4)
+ [[AppFlow.1] Amazon AppFlow flows should be tagged](appflow-controls.md#appflow-1)
+ [[AppRunner.1] App Runner services should be tagged](apprunner-controls.md#apprunner-1)
+ [[AppRunner.2] App Runner VPC connectors should be tagged](apprunner-controls.md#apprunner-2)
+ [[AppSync.4] AWS AppSync GraphQL APIs should be tagged](appsync-controls.md#appsync-4)
+ [[Athena.2] Athena data catalogs should be tagged](athena-controls.md#athena-2)
+ [[Athena.3] Athena workgroups should be tagged](athena-controls.md#athena-3)
+ [[AutoScaling.10] EC2 Auto Scaling groups should be tagged](autoscaling-controls.md#autoscaling-10)
+ [[Backup.2] AWS Backup recovery points should be tagged](backup-controls.md#backup-2)
+ [[Backup.3] AWS Backup vaults should be tagged](backup-controls.md#backup-3)
+ [[Backup.4] AWS Backup report plans should be tagged](backup-controls.md#backup-4)
+ [[Backup.5] AWS Backup backup plans should be tagged](backup-controls.md#backup-5)
+ [[Batch.1] Batch job queues should be tagged](batch-controls.md#batch-1)
+ [[Batch.2] Batch scheduling policies should be tagged](batch-controls.md#batch-2)
+ [[Batch.3] Batch compute environments should be tagged](batch-controls.md#batch-3)
+ [[Batch.4] Compute resources properties in managed Batch compute environments should be tagged](batch-controls.md#batch-4)
+ [[CloudFormation.2] CloudFormation stacks should be tagged](cloudformation-controls.md#cloudformation-2)
+ [[CloudFront.14] CloudFront distributions should be tagged](cloudfront-controls.md#cloudfront-14)
+ [[CloudTrail.9] CloudTrail trails should be tagged](cloudtrail-controls.md#cloudtrail-9)
+ [[CodeArtifact.1] CodeArtifact repositories should be tagged](codeartifact-controls.md#codeartifact-1)
+ [[CodeGuruProfiler.1] CodeGuru Profiler profiling groups should be tagged](codeguruprofiler-controls.md#codeguruprofiler-1)
+ [[CodeGuruReviewer.1] CodeGuru Reviewer repository associations should be tagged](codegurureviewer-controls.md#codegurureviewer-1)
+ [[Connect.1] Amazon Connect Customer Profiles object types should be tagged](connect-controls.md#connect-1)
+ [[DataSync.2] DataSync tasks should be tagged](datasync-controls.md#datasync-2)
+ [[Detective.1] Detective behavior graphs should be tagged](detective-controls.md#detective-1)
+ [[DMS.2] DMS certificates should be tagged](dms-controls.md#dms-2)
+ [[DMS.3] DMS event subscriptions should be tagged](dms-controls.md#dms-3)
+ [[DMS.4] DMS replication instances should be tagged](dms-controls.md#dms-4)
+ [[DMS.5] DMS replication subnet groups should be tagged](dms-controls.md#dms-5)
+ [[DynamoDB.5] DynamoDB tables should be tagged](dynamodb-controls.md#dynamodb-5)
+ [[EC2.33] EC2 transit gateway attachments should be tagged](ec2-controls.md#ec2-33)
+ [[EC2.34] EC2 transit gateway route tables should be tagged](ec2-controls.md#ec2-34)
+ [[EC2.35] EC2 network interfaces should be tagged](ec2-controls.md#ec2-35)
+ [[EC2.36] EC2 customer gateways should be tagged](ec2-controls.md#ec2-36)
+ [[EC2.37] EC2 Elastic IP addresses should be tagged](ec2-controls.md#ec2-37)
+ [[EC2.38] EC2 instances should be tagged](ec2-controls.md#ec2-38)
+ [[EC2.39] EC2 internet gateways should be tagged](ec2-controls.md#ec2-39)
+ [[EC2.40] EC2 NAT gateways should be tagged](ec2-controls.md#ec2-40)
+ [[EC2.41] EC2 network ACLs should be tagged](ec2-controls.md#ec2-41)
+ [[EC2.42] EC2 route tables should be tagged](ec2-controls.md#ec2-42)
+ [[EC2.43] EC2 security groups should be tagged](ec2-controls.md#ec2-43)
+ [[EC2.44] EC2 subnets should be tagged](ec2-controls.md#ec2-44)
+ [[EC2.45] EC2 volumes should be tagged](ec2-controls.md#ec2-45)
+ [[EC2.46] Amazon VPCs should be tagged](ec2-controls.md#ec2-46)
+ [[EC2.47] Amazon VPC endpoint services should be tagged](ec2-controls.md#ec2-47)
+ [[EC2.48] Amazon VPC flow logs should be tagged](ec2-controls.md#ec2-48)
+ [[EC2.49] Amazon VPC peering connections should be tagged](ec2-controls.md#ec2-49)
+ [[EC2.50] EC2 VPN gateways should be tagged](ec2-controls.md#ec2-50)
+ [[EC2.52] EC2 transit gateways should be tagged](ec2-controls.md#ec2-52)
+ [[EC2.174] EC2 DHCP option sets should be tagged](ec2-controls.md#ec2-174)
+ [[EC2.175] EC2 launch templates should be tagged](ec2-controls.md#ec2-175)
+ [[EC2.176] EC2 prefix lists should be tagged](ec2-controls.md#ec2-176)
+ [[EC2.177] EC2 traffic mirror sessions should be tagged](ec2-controls.md#ec2-177)
+ [[EC2.178] EC2 traffic mirror filters should be tagged](ec2-controls.md#ec2-178)
+ [[EC2.179] EC2 traffic mirror targets should be tagged](ec2-controls.md#ec2-179)
+ [[ECR.4] ECR public repositories should be tagged](ecr-controls.md#ecr-4)
+ [[ECS.13] ECS services should be tagged](ecs-controls.md#ecs-13)
+ [[ECS.14] ECS clusters should be tagged](ecs-controls.md#ecs-14)
+ [[ECS.15] ECS task definitions should be tagged](ecs-controls.md#ecs-15)
+ [[EFS.5] EFS access points should be tagged](efs-controls.md#efs-5)
+ [[EKS.6] EKS clusters should be tagged](eks-controls.md#eks-6)
+ [[EKS.7] EKS identity provider configurations should be tagged](eks-controls.md#eks-7)
+ [[ES.9] Elasticsearch domains should be tagged](es-controls.md#es-9)
+ [[EventBridge.2] EventBridge event buses should be tagged](eventbridge-controls.md#eventbridge-2)
+ [[FraudDetector.1] Amazon Fraud Detector entity types should be tagged](frauddetector-controls.md#frauddetector-1)
+ [[FraudDetector.2] Amazon Fraud Detector labels should be tagged](frauddetector-controls.md#frauddetector-2)
+ [[FraudDetector.3] Amazon Fraud Detector outcomes should be tagged](frauddetector-controls.md#frauddetector-3)
+ [[FraudDetector.4] Amazon Fraud Detector variables should be tagged](frauddetector-controls.md#frauddetector-4)
+ [[GlobalAccelerator.1] Global Accelerator accelerators should be tagged](globalaccelerator-controls.md#globalaccelerator-1)
+ [[Glue.1] AWS Glue jobs should be tagged](glue-controls.md#glue-1)
+ [[GuardDuty.2] GuardDuty filters should be tagged](guardduty-controls.md#guardduty-2)
+ [[GuardDuty.3] GuardDuty IPSets should be tagged](guardduty-controls.md#guardduty-3)
+ [[GuardDuty.4] GuardDuty detectors should be tagged](guardduty-controls.md#guardduty-4)
+ [[IAM.23] IAM Access Analyzer analyzers should be tagged](iam-controls.md#iam-23)
+ [[IAM.24] IAM roles should be tagged](iam-controls.md#iam-24)
+ [[IAM.25] IAM users should be tagged](iam-controls.md#iam-25)
+ [[IoT.1] AWS IoT Device Defender security profiles should be tagged](iot-controls.md#iot-1)
+ [[IoT.2] AWS IoT Core mitigation actions should be tagged](iot-controls.md#iot-2)
+ [[IoT.3] AWS IoT Core dimensions should be tagged](iot-controls.md#iot-3)
+ [[IoT.4] AWS IoT Core authorizers should be tagged](iot-controls.md#iot-4)
+ [[IoT.5] AWS IoT Core role aliases should be tagged](iot-controls.md#iot-5)
+ [[IoT.6] AWS IoT Core policies should be tagged](iot-controls.md#iot-6)
+ [[IoTEvents.1] AWS IoT Events inputs should be tagged](iotevents-controls.md#iotevents-1)
+ [[IoTEvents.2] AWS IoT Events detector models should be tagged](iotevents-controls.md#iotevents-2)
+ [[IoTEvents.3] AWS IoT Events alarm models should be tagged](iotevents-controls.md#iotevents-3)
+ [[IoTSiteWise.1] AWS IoT SiteWise asset models should be tagged](iotsitewise-controls.md#iotsitewise-1)
+ [[IoTSiteWise.2] AWS IoT SiteWise dashboards should be tagged](iotsitewise-controls.md#iotsitewise-2)
+ [[IoTSiteWise.3] AWS IoT SiteWise gateways should be tagged](iotsitewise-controls.md#iotsitewise-3)
+ [[IoTSiteWise.4] AWS IoT SiteWise portals should be tagged](iotsitewise-controls.md#iotsitewise-4)
+ [[IoTSiteWise.5] AWS IoT SiteWise projects should be tagged](iotsitewise-controls.md#iotsitewise-5)
+ [[IoTTwinMaker.1] AWS IoT TwinMaker sync jobs should be tagged](iottwinmaker-controls.md#iottwinmaker-1)
+ [[IoTTwinMaker.2] AWS IoT TwinMaker workspaces should be tagged](iottwinmaker-controls.md#iottwinmaker-2)
+ [[IoTTwinMaker.3] AWS IoT TwinMaker scenes should be tagged](iottwinmaker-controls.md#iottwinmaker-3)
+ [[IoTTwinMaker.4] AWS IoT TwinMaker entities should be tagged](iottwinmaker-controls.md#iottwinmaker-4)
+ [[IoTWireless.1] AWS IoT Wireless multicast groups should be tagged](iotwireless-controls.md#iotwireless-1)
+ [[IoTWireless.2] AWS IoT Wireless service profiles should be tagged](iotwireless-controls.md#iotwireless-2)
+ [[IoTWireless.3] AWS IoT FUOTA tasks should be tagged](iotwireless-controls.md#iotwireless-3)
+ [[IVS.1] IVS playback key pairs should be tagged](ivs-controls.md#ivs-1)
+ [[IVS.2] IVS recording configurations should be tagged](ivs-controls.md#ivs-2)
+ [[IVS.3] IVS channels should be tagged](ivs-controls.md#ivs-3)
+ [[Keyspaces.1] Amazon Keyspaces keyspaces should be tagged](keyspaces-controls.md#keyspaces-1)
+ [[Kinesis.2] Kinesis streams should be tagged](kinesis-controls.md#kinesis-2)
+ [[Lambda.6] Lambda functions should be tagged](lambda-controls.md#lambda-6)
+ [[MQ.4] Amazon MQ brokers should be tagged](mq-controls.md#mq-4)
+ [[NetworkFirewall.7] Network Firewall firewalls should be tagged](networkfirewall-controls.md#networkfirewall-7)
+ [[NetworkFirewall.8] Network Firewall firewall policies should be tagged](networkfirewall-controls.md#networkfirewall-8)
+ [[Opensearch.9] OpenSearch domains should be tagged](opensearch-controls.md#opensearch-9)
+ [[PCA.2] AWS Private CA certificate authorities should be tagged](pca-controls.md#pca-2)
+ [[RDS.28] RDS DB clusters should be tagged](rds-controls.md#rds-28)
+ [[RDS.29] RDS DB cluster snapshots should be tagged](rds-controls.md#rds-29)
+ [[RDS.30] RDS DB instances should be tagged](rds-controls.md#rds-30)
+ [[RDS.31] RDS DB security groups should be tagged](rds-controls.md#rds-31)
+ [[RDS.32] RDS DB snapshots should be tagged](rds-controls.md#rds-32)
+ [[RDS.33] RDS DB subnet groups should be tagged](rds-controls.md#rds-33)
+ [[Redshift.11] Redshift clusters should be tagged](redshift-controls.md#redshift-11)
+ [[Redshift.12] Redshift event notification subscriptions should be tagged](redshift-controls.md#redshift-12)
+ [[Redshift.13] Redshift cluster snapshots should be tagged](redshift-controls.md#redshift-13)
+ [[Redshift.14] Redshift cluster subnet groups should be tagged](redshift-controls.md#redshift-14)
+ [[Redshift.17] Redshift cluster parameter groups should be tagged](redshift-controls.md#redshift-17)
+ [[Route53.1] Route 53 health checks should be tagged](route53-controls.md#route53-1)
+ [[SageMaker.6] SageMaker app image configurations should be tagged](sagemaker-controls.md#sagemaker-6)
+ [[SageMaker.7] SageMaker images should be tagged](sagemaker-controls.md#sagemaker-7)
+ [[SecretsManager.5] Secrets Manager secrets should be tagged](secretsmanager-controls.md#secretsmanager-5)
+ [[SES.1] SES contact lists should be tagged](ses-controls.md#ses-1)
+ [[SES.2] SES configuration sets should be tagged](ses-controls.md#ses-2)
+ [[SNS.3] SNS topics should be tagged](sns-controls.md#sns-3)
+ [[SQS.2] SQS queues should be tagged](sqs-controls.md#sqs-2)
+ [[SSM.5] SSM documents should be tagged](ssm-controls.md#ssm-5)
+ [[StepFunctions.2] Step Functions activities should be tagged](stepfunctions-controls.md#stepfunctions-2)
+ [[Transfer.1] AWS Transfer Family workflows should be tagged](transfer-controls.md#transfer-1)
+ [[Transfer.4] Transfer Family agreements should be tagged](transfer-controls.md#transfer-4)
+ [[Transfer.5] Transfer Family certificates should be tagged](transfer-controls.md#transfer-5)
+ [[Transfer.6] Transfer Family connectors should be tagged](transfer-controls.md#transfer-6)
+ [[Transfer.7] Transfer Family profiles should be tagged](transfer-controls.md#transfer-7)

# CIS AWS Foundations Benchmark in Security Hub CSPM

The Center for Internet Security (CIS) AWS Foundations Benchmark serves as a set of security configuration best practices for AWS. These industry-accepted best practices provide you with clear, step-by-step implementation and assessment procedures. CIS benchmarks cover systems ranging from operating systems to cloud services and network devices; the controls in this benchmark help you protect the specific systems that your organization uses.

AWS Security Hub CSPM supports CIS AWS Foundations Benchmark versions 5.0.0, 3.0.0, 1.4.0, and 1.2.0. This page lists the security controls that each version supports. It also provides a comparison of the versions.

## CIS AWS Foundations Benchmark version 5.0.0


Security Hub CSPM supports version 5.0.0 (v5.0.0) of the CIS AWS Foundations Benchmark. Security Hub CSPM has satisfied the requirements of, and been awarded, CIS Security Software Certification for the following CIS Benchmarks:
+ CIS Benchmark for CIS AWS Foundations Benchmark, v5.0.0, Level 1
+ CIS Benchmark for CIS AWS Foundations Benchmark, v5.0.0, Level 2

### Controls that apply to CIS AWS Foundations Benchmark version 5.0.0


[[Account.1] Security contact information should be provided for an AWS account](account-controls.md#account-1)

[[CloudTrail.1] CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events](cloudtrail-controls.md#cloudtrail-1)

[[CloudTrail.2] CloudTrail should have encryption at-rest enabled](cloudtrail-controls.md#cloudtrail-2)

[[CloudTrail.4] CloudTrail log file validation should be enabled](cloudtrail-controls.md#cloudtrail-4)

[[CloudTrail.7] Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket](cloudtrail-controls.md#cloudtrail-7)

[[Config.1] AWS Config should be enabled and use the service-linked role for resource recording](config-controls.md#config-1)

[[EC2.2] VPC default security groups should not allow inbound or outbound traffic](ec2-controls.md#ec2-2)

[[EC2.6] VPC flow logging should be enabled in all VPCs](ec2-controls.md#ec2-6)

[[EC2.7] EBS default encryption should be enabled](ec2-controls.md#ec2-7)

[[EC2.8] EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)](ec2-controls.md#ec2-8)

[[EC2.21] Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389](ec2-controls.md#ec2-21)

[[EC2.53] EC2 security groups should not allow ingress from 0.0.0.0/0 to remote server administration ports](ec2-controls.md#ec2-53)

[[EC2.54] EC2 security groups should not allow ingress from ::/0 to remote server administration ports](ec2-controls.md#ec2-54)

[[EFS.1] Elastic File System should be configured to encrypt file data at-rest using AWS KMS](efs-controls.md#efs-1)

[[EFS.8] EFS file systems should be encrypted at rest](efs-controls.md#efs-8)

[[IAM.2] IAM users should not have IAM policies attached](iam-controls.md#iam-2)

[[IAM.3] IAM users' access keys should be rotated every 90 days or less](iam-controls.md#iam-3)

[[IAM.4] IAM root user access key should not exist](iam-controls.md#iam-4)

[[IAM.5] MFA should be enabled for all IAM users that have a console password](iam-controls.md#iam-5)

[[IAM.6] Hardware MFA should be enabled for the root user](iam-controls.md#iam-6)

[[IAM.9] MFA should be enabled for the root user](iam-controls.md#iam-9)

[[IAM.15] Ensure IAM password policy requires minimum password length of 14 or greater](iam-controls.md#iam-15)

[[IAM.16] Ensure IAM password policy prevents password reuse](iam-controls.md#iam-16)

[[IAM.18] Ensure a support role has been created to manage incidents with AWS Support](iam-controls.md#iam-18)

[[IAM.22] IAM user credentials unused for 45 days should be removed](iam-controls.md#iam-22)

[[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed](iam-controls.md#iam-26)

[[IAM.27] IAM identities should not have the AWSCloudShellFullAccess policy attached](iam-controls.md#iam-27)

[[IAM.28] IAM Access Analyzer external access analyzer should be enabled](iam-controls.md#iam-28)

[[KMS.4] AWS KMS key rotation should be enabled](kms-controls.md#kms-4)

[[RDS.2] RDS DB Instances should prohibit public access, as determined by the PubliclyAccessible configuration](rds-controls.md#rds-2)

[[RDS.3] RDS DB instances should have encryption at-rest enabled](rds-controls.md#rds-3)

[[RDS.5] RDS DB instances should be configured with multiple Availability Zones](rds-controls.md#rds-5)

[[RDS.13] RDS automatic minor version upgrades should be enabled](rds-controls.md#rds-13)

[[RDS.15] RDS DB clusters should be configured for multiple Availability Zones](rds-controls.md#rds-15)

[[S3.1] S3 general purpose buckets should have block public access settings enabled](s3-controls.md#s3-1)

[[S3.5] S3 general purpose buckets should require requests to use SSL](s3-controls.md#s3-5)

[[S3.8] S3 general purpose buckets should block public access](s3-controls.md#s3-8)

[[S3.20] S3 general purpose buckets should have MFA delete enabled](s3-controls.md#s3-20)

[[S3.22] S3 general purpose buckets should log object-level write events](s3-controls.md#s3-22)

[[S3.23] S3 general purpose buckets should log object-level read events](s3-controls.md#s3-23)

## CIS AWS Foundations Benchmark version 3.0.0


Security Hub CSPM supports version 3.0.0 (v3.0.0) of the CIS AWS Foundations Benchmark. Security Hub CSPM has satisfied the requirements of CIS Security Software Certification and has been awarded CIS Security Software Certification for the following CIS Benchmarks: 
+ CIS Benchmark for CIS AWS Foundations Benchmark, v3.0.0, Level 1
+ CIS Benchmark for CIS AWS Foundations Benchmark, v3.0.0, Level 2

### Controls that apply to CIS AWS Foundations Benchmark version 3.0.0


[[Account.1] Security contact information should be provided for an AWS account](account-controls.md#account-1)

[[CloudTrail.1] CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events](cloudtrail-controls.md#cloudtrail-1)

[[CloudTrail.2] CloudTrail should have encryption at-rest enabled](cloudtrail-controls.md#cloudtrail-2)

[[CloudTrail.4] CloudTrail log file validation should be enabled](cloudtrail-controls.md#cloudtrail-4)

[[CloudTrail.7] Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket](cloudtrail-controls.md#cloudtrail-7)

[[Config.1] AWS Config should be enabled and use the service-linked role for resource recording](config-controls.md#config-1)

[[EC2.2] VPC default security groups should not allow inbound or outbound traffic](ec2-controls.md#ec2-2)

[[EC2.6] VPC flow logging should be enabled in all VPCs](ec2-controls.md#ec2-6)

[[EC2.7] EBS default encryption should be enabled](ec2-controls.md#ec2-7)

[[EC2.8] EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)](ec2-controls.md#ec2-8)

[[EC2.21] Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389](ec2-controls.md#ec2-21)

[[EC2.53] EC2 security groups should not allow ingress from 0.0.0.0/0 to remote server administration ports](ec2-controls.md#ec2-53)

[[EC2.54] EC2 security groups should not allow ingress from ::/0 to remote server administration ports](ec2-controls.md#ec2-54)

[[EFS.1] Elastic File System should be configured to encrypt file data at-rest using AWS KMS](efs-controls.md#efs-1)

[[IAM.2] IAM users should not have IAM policies attached](iam-controls.md#iam-2)

[[IAM.3] IAM users' access keys should be rotated every 90 days or less](iam-controls.md#iam-3)

[[IAM.4] IAM root user access key should not exist](iam-controls.md#iam-4)

[[IAM.5] MFA should be enabled for all IAM users that have a console password](iam-controls.md#iam-5)

[[IAM.6] Hardware MFA should be enabled for the root user](iam-controls.md#iam-6)

[[IAM.9] MFA should be enabled for the root user](iam-controls.md#iam-9)

[[IAM.15] Ensure IAM password policy requires minimum password length of 14 or greater](iam-controls.md#iam-15)

[[IAM.16] Ensure IAM password policy prevents password reuse](iam-controls.md#iam-16)

[[IAM.18] Ensure a support role has been created to manage incidents with AWS Support](iam-controls.md#iam-18)

[[IAM.22] IAM user credentials unused for 45 days should be removed](iam-controls.md#iam-22)

[[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed](iam-controls.md#iam-26)

[[IAM.27] IAM identities should not have the AWSCloudShellFullAccess policy attached](iam-controls.md#iam-27)

[[IAM.28] IAM Access Analyzer external access analyzer should be enabled](iam-controls.md#iam-28)

[[KMS.4] AWS KMS key rotation should be enabled](kms-controls.md#kms-4)

[[RDS.2] RDS DB Instances should prohibit public access, as determined by the PubliclyAccessible configuration](rds-controls.md#rds-2)

[[RDS.3] RDS DB instances should have encryption at-rest enabled](rds-controls.md#rds-3)

[[RDS.13] RDS automatic minor version upgrades should be enabled](rds-controls.md#rds-13)

[[S3.1] S3 general purpose buckets should have block public access settings enabled](s3-controls.md#s3-1)

[[S3.5] S3 general purpose buckets should require requests to use SSL](s3-controls.md#s3-5)

[[S3.8] S3 general purpose buckets should block public access](s3-controls.md#s3-8)

[[S3.20] S3 general purpose buckets should have MFA delete enabled](s3-controls.md#s3-20)

[[S3.22] S3 general purpose buckets should log object-level write events](s3-controls.md#s3-22)

[[S3.23] S3 general purpose buckets should log object-level read events](s3-controls.md#s3-23)

## CIS AWS Foundations Benchmark version 1.4.0


Security Hub CSPM supports version 1.4.0 (v1.4.0) of the CIS AWS Foundations Benchmark.

### Controls that apply to CIS AWS Foundations Benchmark version 1.4.0


 [[CloudTrail.1] CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events](cloudtrail-controls.md#cloudtrail-1) 

 [[CloudTrail.2] CloudTrail should have encryption at-rest enabled](cloudtrail-controls.md#cloudtrail-2) 

 [[CloudTrail.4] CloudTrail log file validation should be enabled](cloudtrail-controls.md#cloudtrail-4) 

 [[CloudTrail.5] CloudTrail trails should be integrated with Amazon CloudWatch Logs](cloudtrail-controls.md#cloudtrail-5) 

 [[CloudTrail.6] Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible](cloudtrail-controls.md#cloudtrail-6) 

 [[CloudTrail.7] Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket](cloudtrail-controls.md#cloudtrail-7) 

 [[CloudWatch.1] A log metric filter and alarm should exist for usage of the "root" user](cloudwatch-controls.md#cloudwatch-1) 

 [[CloudWatch.4] Ensure a log metric filter and alarm exist for IAM policy changes](cloudwatch-controls.md#cloudwatch-4) 

 [[CloudWatch.5] Ensure a log metric filter and alarm exist for CloudTrail configuration changes](cloudwatch-controls.md#cloudwatch-5) 

 [[CloudWatch.6] Ensure a log metric filter and alarm exist for AWS Management Console authentication failures](cloudwatch-controls.md#cloudwatch-6) 

 [[CloudWatch.7] Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer managed keys](cloudwatch-controls.md#cloudwatch-7) 

 [[CloudWatch.8] Ensure a log metric filter and alarm exist for S3 bucket policy changes](cloudwatch-controls.md#cloudwatch-8) 

 [[CloudWatch.9] Ensure a log metric filter and alarm exist for AWS Config configuration changes](cloudwatch-controls.md#cloudwatch-9) 

 [[CloudWatch.10] Ensure a log metric filter and alarm exist for security group changes](cloudwatch-controls.md#cloudwatch-10) 

 [[CloudWatch.11] Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)](cloudwatch-controls.md#cloudwatch-11) 

 [[CloudWatch.12] Ensure a log metric filter and alarm exist for changes to network gateways](cloudwatch-controls.md#cloudwatch-12) 

 [[CloudWatch.13] Ensure a log metric filter and alarm exist for route table changes](cloudwatch-controls.md#cloudwatch-13) 

 [[CloudWatch.14] Ensure a log metric filter and alarm exist for VPC changes](cloudwatch-controls.md#cloudwatch-14) 

 [[Config.1] AWS Config should be enabled and use the service-linked role for resource recording](config-controls.md#config-1) 

 [[EC2.2] VPC default security groups should not allow inbound or outbound traffic](ec2-controls.md#ec2-2) 

 [[EC2.6] VPC flow logging should be enabled in all VPCs](ec2-controls.md#ec2-6) 

 [[EC2.7] EBS default encryption should be enabled](ec2-controls.md#ec2-7) 

 [[EC2.21] Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389](ec2-controls.md#ec2-21) 

 [[IAM.1] IAM policies should not allow full "*" administrative privileges](iam-controls.md#iam-1) 

 [[IAM.3] IAM users' access keys should be rotated every 90 days or less](iam-controls.md#iam-3) 

 [[IAM.4] IAM root user access key should not exist](iam-controls.md#iam-4) 

 [[IAM.5] MFA should be enabled for all IAM users that have a console password](iam-controls.md#iam-5) 

 [[IAM.6] Hardware MFA should be enabled for the root user](iam-controls.md#iam-6) 

 [[IAM.9] MFA should be enabled for the root user](iam-controls.md#iam-9) 

 [[IAM.15] Ensure IAM password policy requires minimum password length of 14 or greater](iam-controls.md#iam-15) 

 [[IAM.16] Ensure IAM password policy prevents password reuse](iam-controls.md#iam-16) 

 [[IAM.18] Ensure a support role has been created to manage incidents with AWS Support](iam-controls.md#iam-18) 

 [[IAM.22] IAM user credentials unused for 45 days should be removed](iam-controls.md#iam-22) 

 [[KMS.4] AWS KMS key rotation should be enabled](kms-controls.md#kms-4) 

 [[RDS.3] RDS DB instances should have encryption at-rest enabled](rds-controls.md#rds-3) 

 [[S3.1] S3 general purpose buckets should have block public access settings enabled](s3-controls.md#s3-1) 

 [[S3.5] S3 general purpose buckets should require requests to use SSL](s3-controls.md#s3-5) 

 [[S3.8] S3 general purpose buckets should block public access](s3-controls.md#s3-8) 

 [[S3.20] S3 general purpose buckets should have MFA delete enabled](s3-controls.md#s3-20) 

## CIS AWS Foundations Benchmark version 1.2.0

Security Hub CSPM supports version 1.2.0 (v1.2.0) of the CIS AWS Foundations Benchmark. Security Hub CSPM has satisfied the requirements of CIS Security Software Certification and has been awarded CIS Security Software Certification for the following CIS Benchmarks: 
+ CIS Benchmark for CIS AWS Foundations Benchmark, v1.2.0, Level 1
+ CIS Benchmark for CIS AWS Foundations Benchmark, v1.2.0, Level 2

### Controls that apply to CIS AWS Foundations Benchmark version 1.2.0


 [[CloudTrail.1] CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events](cloudtrail-controls.md#cloudtrail-1) 

 [[CloudTrail.2] CloudTrail should have encryption at-rest enabled](cloudtrail-controls.md#cloudtrail-2) 

 [[CloudTrail.4] CloudTrail log file validation should be enabled](cloudtrail-controls.md#cloudtrail-4) 

 [[CloudTrail.5] CloudTrail trails should be integrated with Amazon CloudWatch Logs](cloudtrail-controls.md#cloudtrail-5) 

 [[CloudTrail.6] Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible](cloudtrail-controls.md#cloudtrail-6) 

 [[CloudTrail.7] Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket](cloudtrail-controls.md#cloudtrail-7) 

 [[CloudWatch.1] A log metric filter and alarm should exist for usage of the "root" user](cloudwatch-controls.md#cloudwatch-1) 

 [[CloudWatch.2] Ensure a log metric filter and alarm exist for unauthorized API calls](cloudwatch-controls.md#cloudwatch-2) 

 [[CloudWatch.3] Ensure a log metric filter and alarm exist for Management Console sign-in without MFA](cloudwatch-controls.md#cloudwatch-3) 

 [[CloudWatch.4] Ensure a log metric filter and alarm exist for IAM policy changes](cloudwatch-controls.md#cloudwatch-4) 

 [[CloudWatch.5] Ensure a log metric filter and alarm exist for CloudTrail configuration changes](cloudwatch-controls.md#cloudwatch-5) 

 [[CloudWatch.6] Ensure a log metric filter and alarm exist for AWS Management Console authentication failures](cloudwatch-controls.md#cloudwatch-6) 

 [[CloudWatch.7] Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer managed keys](cloudwatch-controls.md#cloudwatch-7) 

 [[CloudWatch.8] Ensure a log metric filter and alarm exist for S3 bucket policy changes](cloudwatch-controls.md#cloudwatch-8) 

 [[CloudWatch.9] Ensure a log metric filter and alarm exist for AWS Config configuration changes](cloudwatch-controls.md#cloudwatch-9) 

 [[CloudWatch.10] Ensure a log metric filter and alarm exist for security group changes](cloudwatch-controls.md#cloudwatch-10) 

 [[CloudWatch.11] Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)](cloudwatch-controls.md#cloudwatch-11) 

 [[CloudWatch.12] Ensure a log metric filter and alarm exist for changes to network gateways](cloudwatch-controls.md#cloudwatch-12) 

 [[CloudWatch.13] Ensure a log metric filter and alarm exist for route table changes](cloudwatch-controls.md#cloudwatch-13) 

 [[CloudWatch.14] Ensure a log metric filter and alarm exist for VPC changes](cloudwatch-controls.md#cloudwatch-14) 

 [[Config.1] AWS Config should be enabled and use the service-linked role for resource recording](config-controls.md#config-1) 

 [[EC2.2] VPC default security groups should not allow inbound or outbound traffic](ec2-controls.md#ec2-2) 

 [[EC2.6] VPC flow logging should be enabled in all VPCs](ec2-controls.md#ec2-6) 

 [[EC2.13] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 22](ec2-controls.md#ec2-13) 

 [[EC2.14] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 3389](ec2-controls.md#ec2-14) 

 [[IAM.1] IAM policies should not allow full "*" administrative privileges](iam-controls.md#iam-1) 

 [[IAM.2] IAM users should not have IAM policies attached](iam-controls.md#iam-2) 

 [[IAM.3] IAM users' access keys should be rotated every 90 days or less](iam-controls.md#iam-3) 

 [[IAM.4] IAM root user access key should not exist](iam-controls.md#iam-4) 

 [[IAM.5] MFA should be enabled for all IAM users that have a console password](iam-controls.md#iam-5) 

 [[IAM.6] Hardware MFA should be enabled for the root user](iam-controls.md#iam-6) 

 [[IAM.8] Unused IAM user credentials should be removed](iam-controls.md#iam-8) 

 [[IAM.9] MFA should be enabled for the root user](iam-controls.md#iam-9) 

 [[IAM.11] Ensure IAM password policy requires at least one uppercase letter](iam-controls.md#iam-11) 

 [[IAM.12] Ensure IAM password policy requires at least one lowercase letter](iam-controls.md#iam-12) 

 [[IAM.13] Ensure IAM password policy requires at least one symbol](iam-controls.md#iam-13) 

 [[IAM.14] Ensure IAM password policy requires at least one number](iam-controls.md#iam-14) 

 [[IAM.15] Ensure IAM password policy requires minimum password length of 14 or greater](iam-controls.md#iam-15) 

 [[IAM.16] Ensure IAM password policy prevents password reuse](iam-controls.md#iam-16) 

 [[IAM.17] Ensure IAM password policy expires passwords within 90 days or less](iam-controls.md#iam-17) 

 [[IAM.18] Ensure a support role has been created to manage incidents with AWS Support](iam-controls.md#iam-18) 

 [[KMS.4] AWS KMS key rotation should be enabled](kms-controls.md#kms-4) 

## Version comparison for CIS AWS Foundations Benchmark


This section summarizes the differences between specific versions of the Center for Internet Security (CIS) AWS Foundations Benchmark: v5.0.0, v3.0.0, v1.4.0, and v1.2.0. AWS Security Hub CSPM supports each of these versions. However, we recommend using v5.0.0 to stay current with security best practices.

You can have multiple versions of the CIS AWS Foundations Benchmark standard enabled at the same time. For information about enabling standards, see [Enabling a security standard](enable-standards.md). If you want to upgrade to v5.0.0, enable it before you disable an older version, so that there is no gap in your security checks. If you use the Security Hub CSPM integration with AWS Organizations and want to enable v5.0.0 in multiple accounts at once, we recommend using [central configuration](central-configuration-intro.md).

### Mapping of controls to CIS requirements in each version


The following table shows which controls each version of the CIS AWS Foundations Benchmark supports, and the CIS requirement that each control maps to in that version.


| Control ID and title | CIS v5.0.0 requirement | CIS v3.0.0 requirement | CIS v1.4.0 requirement | CIS v1.2.0 requirement | 
| --- | --- | --- | --- | --- | 
|  [[Account.1] Security contact information should be provided for an AWS account](account-controls.md#account-1)  |  1.2  |  1.2  |  1.2  |  1.18  | 
|  [[CloudTrail.1] CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events](cloudtrail-controls.md#cloudtrail-1)  |  3.1  |  3.1  |  3.1  |  2.1  | 
|  [[CloudTrail.2] CloudTrail should have encryption at-rest enabled](cloudtrail-controls.md#cloudtrail-2)  |  3.5  |  3.5  |  3.7  |  2.7  | 
|  [[CloudTrail.4] CloudTrail log file validation should be enabled](cloudtrail-controls.md#cloudtrail-4)  |  3.2  |  3.2  |  3.2  |  2.2  | 
|  [[CloudTrail.5] CloudTrail trails should be integrated with Amazon CloudWatch Logs](cloudtrail-controls.md#cloudtrail-5)  |  Not supported – CIS removed this requirement  |  Not supported – CIS removed this requirement  |  3.4  |  2.4  | 
|  [[CloudTrail.6] Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible](cloudtrail-controls.md#cloudtrail-6)  |  Not supported – CIS removed this requirement  |  Not supported – CIS removed this requirement  |  3.3  |  2.3  | 
|  [[CloudTrail.7] Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket](cloudtrail-controls.md#cloudtrail-7)  |  3.4  |  3.4  |  3.6  |  2.6  | 
|  [[CloudWatch.1] A log metric filter and alarm should exist for usage of the "root" user](cloudwatch-controls.md#cloudwatch-1)  |  Not supported – manual check  |  Not supported – manual check  |  4.3  |  3.3  | 
|  [[CloudWatch.2] Ensure a log metric filter and alarm exist for unauthorized API calls](cloudwatch-controls.md#cloudwatch-2)  |  Not supported – manual check  |  Not supported – manual check  |  Not supported – manual check  |  3.1  | 
|  [[CloudWatch.3] Ensure a log metric filter and alarm exist for Management Console sign-in without MFA](cloudwatch-controls.md#cloudwatch-3)  |  Not supported – manual check  |  Not supported – manual check  |  Not supported – manual check  |  3.2  | 
|  [[CloudWatch.4] Ensure a log metric filter and alarm exist for IAM policy changes](cloudwatch-controls.md#cloudwatch-4)  |  Not supported – manual check  |  Not supported – manual check  |  4.4  |  3.4  | 
|  [[CloudWatch.5] Ensure a log metric filter and alarm exist for CloudTrail configuration changes](cloudwatch-controls.md#cloudwatch-5)  |  Not supported – manual check  |  Not supported – manual check  |  4.5  |  3.5  | 
|  [[CloudWatch.6] Ensure a log metric filter and alarm exist for AWS Management Console authentication failures](cloudwatch-controls.md#cloudwatch-6)  |  Not supported – manual check  |  Not supported – manual check  |  4.6  |  3.6  | 
|  [[CloudWatch.7] Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer managed keys](cloudwatch-controls.md#cloudwatch-7)  |  Not supported – manual check  |  Not supported – manual check  |  4.7  |  3.7  | 
|  [[CloudWatch.8] Ensure a log metric filter and alarm exist for S3 bucket policy changes](cloudwatch-controls.md#cloudwatch-8)  |  Not supported – manual check  |  Not supported – manual check  |  4.8  |  3.8  | 
|  [[CloudWatch.9] Ensure a log metric filter and alarm exist for AWS Config configuration changes](cloudwatch-controls.md#cloudwatch-9)  |  Not supported – manual check  |  Not supported – manual check  |  4.9  |  3.9  | 
|  [[CloudWatch.10] Ensure a log metric filter and alarm exist for security group changes](cloudwatch-controls.md#cloudwatch-10)  |  Not supported – manual check  |  Not supported – manual check  |  4.10  |  3.10  | 
|  [[CloudWatch.11] Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)](cloudwatch-controls.md#cloudwatch-11)  |  Not supported – manual check  |  Not supported – manual check  |  4.11  |  3.11  | 
|  [[CloudWatch.12] Ensure a log metric filter and alarm exist for changes to network gateways](cloudwatch-controls.md#cloudwatch-12)  |  Not supported – manual check  |  Not supported – manual check  |  4.12  |  3.12  | 
|  [[CloudWatch.13] Ensure a log metric filter and alarm exist for route table changes](cloudwatch-controls.md#cloudwatch-13)  |  Not supported – manual check  |  Not supported – manual check  |  4.13  |  3.13  | 
|  [[CloudWatch.14] Ensure a log metric filter and alarm exist for VPC changes](cloudwatch-controls.md#cloudwatch-14)  |  Not supported – manual check  |  Not supported – manual check  |  4.14  |  3.14  | 
|  [[Config.1] AWS Config should be enabled and use the service-linked role for resource recording](config-controls.md#config-1)  |  3.3  |  3.3  |  3.5  |  2.5  | 
|  [[EC2.2] VPC default security groups should not allow inbound or outbound traffic](ec2-controls.md#ec2-2)  |  5.5  |  5.4  |  5.3  |  4.3  | 
|  [[EC2.6] VPC flow logging should be enabled in all VPCs](ec2-controls.md#ec2-6)  |  3.7  |  3.7  |  3.9  |  2.9  | 
|  [[EC2.7] EBS default encryption should be enabled](ec2-controls.md#ec2-7)  |  5.1.1  |  2.2.1  |  2.2.1  |  Not supported  | 
|  [[EC2.8] EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)](ec2-controls.md#ec2-8)  |  5.7  |  5.6  |  Not supported  |  Not supported  | 
|  [[EC2.13] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 22](ec2-controls.md#ec2-13)  |  Not supported – replaced by requirements 5.3 and 5.4  |  Not supported – replaced by requirements 5.2 and 5.3  |  Not supported – replaced by requirements 5.2 and 5.3  |  4.1  | 
|  [[EC2.14] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 3389](ec2-controls.md#ec2-14)  |  Not supported – replaced by requirements 5.3 and 5.4  |  Not supported – replaced by requirements 5.2 and 5.3  |  Not supported – replaced by requirements 5.2 and 5.3  |  4.2  | 
|  [[EC2.21] Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389](ec2-controls.md#ec2-21)  |  5.2  |  5.1  |  5.1  |  Not supported  | 
|  [[EC2.53] EC2 security groups should not allow ingress from 0.0.0.0/0 to remote server administration ports](ec2-controls.md#ec2-53)  |  5.3  |  5.2  |  Not supported  |  Not supported  | 
|  [[EC2.54] EC2 security groups should not allow ingress from ::/0 to remote server administration ports](ec2-controls.md#ec2-54)  |  5.4  |  5.3  |  Not supported  |  Not supported  | 
|  [[EFS.1] Elastic File System should be configured to encrypt file data at-rest using AWS KMS](efs-controls.md#efs-1)  |  2.3.1  |  2.4.1  |  Not supported  |  Not supported  | 
|  [[EFS.8] EFS file systems should be encrypted at rest](efs-controls.md#efs-8)  |  2.3.1  |  Not supported  |  Not supported  |  Not supported  | 
|  [[IAM.1] IAM policies should not allow full "*" administrative privileges](iam-controls.md#iam-1)  |  Not supported   |  Not supported   |  1.16  |  1.22  | 
|  [[IAM.2] IAM users should not have IAM policies attached](iam-controls.md#iam-2)  |  1.14  |  1.15  |  Not supported  |  1.16  | 
|  [[IAM.3] IAM users' access keys should be rotated every 90 days or less](iam-controls.md#iam-3)  |  1.13  |  1.14  |  1.14  |  1.4  | 
|  [[IAM.4] IAM root user access key should not exist](iam-controls.md#iam-4)  |  1.3  |  1.4  |  1.4  |  1.12  | 
|  [[IAM.5] MFA should be enabled for all IAM users that have a console password](iam-controls.md#iam-5)  |  1.9  |  1.10  |  1.10  |  1.2  | 
|  [[IAM.6] Hardware MFA should be enabled for the root user](iam-controls.md#iam-6)  |  1.5  |  1.6  |  1.6  |  1.14  | 
|  [[IAM.8] Unused IAM user credentials should be removed](iam-controls.md#iam-8)  |  Not supported – see [[IAM.22] IAM user credentials unused for 45 days should be removed](iam-controls.md#iam-22) instead  |  Not supported – see [[IAM.22] IAM user credentials unused for 45 days should be removed](iam-controls.md#iam-22) instead  |  Not supported – see [[IAM.22] IAM user credentials unused for 45 days should be removed](iam-controls.md#iam-22) instead  |  1.3  | 
|  [[IAM.9] MFA should be enabled for the root user](iam-controls.md#iam-9)  |  1.4  |  1.5  |  1.5  |  1.13  | 
|  [[IAM.11] Ensure IAM password policy requires at least one uppercase letter](iam-controls.md#iam-11)  |  Not supported – CIS removed this requirement  |  Not supported – CIS removed this requirement  |  Not supported – CIS removed this requirement  |  1.5  | 
|  [[IAM.12] Ensure IAM password policy requires at least one lowercase letter](iam-controls.md#iam-12)  |  Not supported – CIS removed this requirement  |  Not supported – CIS removed this requirement  |  Not supported – CIS removed this requirement  |  1.6  | 
|  [[IAM.13] Ensure IAM password policy requires at least one symbol](iam-controls.md#iam-13)  |  Not supported – CIS removed this requirement  |  Not supported – CIS removed this requirement  |  Not supported – CIS removed this requirement  |  1.7  | 
|  [[IAM.14] Ensure IAM password policy requires at least one number](iam-controls.md#iam-14)  |  Not supported – CIS removed this requirement  |  Not supported – CIS removed this requirement  |  Not supported – CIS removed this requirement  |  1.8  | 
|  [[IAM.15] Ensure IAM password policy requires minimum password length of 14 or greater](iam-controls.md#iam-15)  |  1.7  |  1.8  |  1.8  |  1.9  | 
|  [[IAM.16] Ensure IAM password policy prevents password reuse](iam-controls.md#iam-16)  |  1.8  |  1.9  |  1.9  |  1.10  | 
|  [[IAM.17] Ensure IAM password policy expires passwords within 90 days or less](iam-controls.md#iam-17)  |  Not supported – CIS removed this requirement  |  Not supported – CIS removed this requirement  |  Not supported – CIS removed this requirement  |  1.11  | 
|  [[IAM.18] Ensure a support role has been created to manage incidents with AWS Support](iam-controls.md#iam-18)  |  1.16  |  1.17  |  1.17  |  1.2  | 
|  [[IAM.20] Avoid the use of the root user](iam-controls.md#iam-20)  |  Not supported – CIS removed this requirement  |  Not supported – CIS removed this requirement  |  Not supported – CIS removed this requirement  |  1.1  | 
|  [[IAM.22] IAM user credentials unused for 45 days should be removed](iam-controls.md#iam-22)  |  1.11  |  1.12  |  1.12  |  Not supported – CIS added this requirement in later versions  | 
|  [[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed](iam-controls.md#iam-26)  |  1.18  |  1.19  |  Not supported – CIS added this requirement in later versions  |  Not supported – CIS added this requirement in later versions  | 
|  [[IAM.27] IAM identities should not have the AWSCloudShellFullAccess policy attached](iam-controls.md#iam-27)  |  1.21  |  1.22  |  Not supported – CIS added this requirement in later versions  |  Not supported – CIS added this requirement in later versions  | 
|  [[IAM.28] IAM Access Analyzer external access analyzer should be enabled](iam-controls.md#iam-28)  |  1.19  |  1.20  |  Not supported – CIS added this requirement in later versions  |  Not supported – CIS added this requirement in later versions  | 
|  [[KMS.4] AWS KMS key rotation should be enabled](kms-controls.md#kms-4)  |  3.6  |  3.6  |  3.8  |  2.8  | 
|  [[Macie.1] Amazon Macie should be enabled](macie-controls.md#macie-1)  |  Not supported – manual check  |  Not supported – manual check  |  Not supported – manual check  |  Not supported – manual check  | 
|  [[RDS.2] RDS DB Instances should prohibit public access, as determined by the PubliclyAccessible configuration](rds-controls.md#rds-2)  |  2.2.3  |  2.3.3  |  Not supported – CIS added this requirement in later versions  |  Not supported – CIS added this requirement in later versions  | 
|  [[RDS.3] RDS DB instances should have encryption at-rest enabled](rds-controls.md#rds-3)  |  2.2.1  |  2.3.1  |  2.3.1  |  Not supported – CIS added this requirement in later versions  | 
|  [[RDS.5] RDS DB instances should be configured with multiple Availability Zones](rds-controls.md#rds-5)  |  2.2.4  |  Not supported – CIS added this requirement in later versions  |  Not supported – CIS added this requirement in later versions  |  Not supported – CIS added this requirement in later versions  | 
|  [[RDS.13] RDS automatic minor version upgrades should be enabled](rds-controls.md#rds-13)  |  2.2.2  |  2.3.2  |  Not supported – CIS added this requirement in later versions  |  Not supported – CIS added this requirement in later versions  | 
|  [[RDS.15] RDS DB clusters should be configured for multiple Availability Zones](rds-controls.md#rds-15)  |  2.2.4  |  Not supported – CIS added this requirement in later versions  |  Not supported – CIS added this requirement in later versions  |  Not supported – CIS added this requirement in later versions  | 
|  [[S3.1] S3 general purpose buckets should have block public access settings enabled](s3-controls.md#s3-1)  |  2.1.4  |  2.1.4  |  2.1.5  |  Not supported – CIS added this requirement in later versions  | 
|  [[S3.5] S3 general purpose buckets should require requests to use SSL](s3-controls.md#s3-5)  |  2.1.1  |  2.1.1  |  2.1.2  |  Not supported – CIS added this requirement in later versions  | 
|  [[S3.8] S3 general purpose buckets should block public access](s3-controls.md#s3-8)  |  2.1.4  |  2.1.4  |  2.1.5  |  Not supported – CIS added this requirement in later versions  | 
|  [[S3.20] S3 general purpose buckets should have MFA delete enabled](s3-controls.md#s3-20)  |  2.1.2  |  2.1.2  |  2.1.3  |  Not supported – CIS added this requirement in later versions  | 

### ARNs for CIS AWS Foundations Benchmarks


When you enable one or more versions of the CIS AWS Foundations Benchmark, you begin receiving findings in the AWS Security Finding Format (ASFF). In ASFF, each version uses the following Amazon Resource Name (ARN):

**CIS AWS Foundations Benchmark v5.0.0**  
`arn:aws:securityhub:region::standards/cis-aws-foundations-benchmark/v/5.0.0`

**CIS AWS Foundations Benchmark v3.0.0**  
`arn:aws:securityhub:region::standards/cis-aws-foundations-benchmark/v/3.0.0`

**CIS AWS Foundations Benchmark v1.4.0**  
`arn:aws:securityhub:region::standards/cis-aws-foundations-benchmark/v/1.4.0`

**CIS AWS Foundations Benchmark v1.2.0**  
`arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0`

You can use the [GetEnabledStandards](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_GetEnabledStandards.html) operation of the Security Hub CSPM API to find the ARN of an enabled standard.

The preceding values are for `StandardsArn`. By contrast, `StandardsSubscriptionArn` refers to the standards subscription resource that Security Hub CSPM creates when you subscribe to a standard by calling [BatchEnableStandards](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchEnableStandards.html) in a Region.
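The following is an added example, not code from the AWS documentation: it builds the CIS `StandardsArn` to pass to `BatchEnableStandards` (honouring the `ruleset` form for v1.2.0) and picks the CIS subscriptions out of a `GetEnabledStandards` response, keeping `StandardsArn` and `StandardsSubscriptionArn` apart. The response dict, account ID and Region are constructed sample data, and the `subscription/...` shape of the subscription ARN is an assumption.

```python
"""Work with Security Hub CSPM standards ARNs for the CIS AWS Foundations Benchmark.

Added example (not AWS documentation code). The StandardsArn shapes come from
the page; the GetEnabledStandards response below is constructed sample data.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

CIS_BENCHMARK = "cis-aws-foundations-benchmark"

# Two ARN shapes appear on the page: v1.4.0 and later use "standards/" with a
# Region, while v1.2.0 uses the older "ruleset/" form with an empty Region field.
CIS_ARN_RE = re.compile(
    r"^arn:(?P<partition>aws(?:-[a-z]+)*):securityhub:(?P<region>[a-z0-9-]*):"
    r"(?P<account>\d*):(?P<kind>standards|ruleset)/"
    + re.escape(CIS_BENCHMARK)
    + r"/v/(?P<version>\d+\.\d+\.\d+)$"
)


def cis_standards_arn(version: str, region: str) -> str:
    """Build the StandardsArn to pass to BatchEnableStandards for a CIS version."""
    if version == "1.2.0":
        # Legacy form: no Region in the ARN and "ruleset" instead of "standards".
        return f"arn:aws:securityhub:::ruleset/{CIS_BENCHMARK}/v/{version}"
    return f"arn:aws:securityhub:{region}::standards/{CIS_BENCHMARK}/v/{version}"


def parse_cis_version(standards_arn: str) -> Optional[str]:
    """Return the CIS version encoded in a StandardsArn, or None for any other standard."""
    m = CIS_ARN_RE.match(standards_arn)
    return m.group("version") if m else None


@dataclass(frozen=True)
class CisSubscription:
    version: str
    status: str
    subscription_arn: str  # StandardsSubscriptionArn, distinct from StandardsArn


def enabled_cis_versions(get_enabled_standards_response: dict) -> List[CisSubscription]:
    """Pick the CIS benchmark versions out of a GetEnabledStandards response.

    Each StandardsSubscription carries both StandardsArn (identifies the
    standard version) and StandardsSubscriptionArn (identifies this account's
    subscription in the Region). Results are sorted by version.
    """
    found = []
    for sub in get_enabled_standards_response.get("StandardsSubscriptions", []):
        version = parse_cis_version(sub.get("StandardsArn", ""))
        if version is None:
            continue  # some other standard, e.g. AWS Foundational Security Best Practices
        found.append(
            CisSubscription(version, sub.get("StandardsStatus", "UNKNOWN"),
                            sub["StandardsSubscriptionArn"])
        )
    return sorted(found, key=lambda s: tuple(int(p) for p in s.version.split(".")))


# Constructed sample response in the shape GetEnabledStandards returns.
# Account ID (111122223333) and Region are placeholders; the subscription ARN
# shape is assumed.
SAMPLE_RESPONSE = {
    "StandardsSubscriptions": [
        {
            "StandardsSubscriptionArn": "arn:aws:securityhub:us-east-1:111122223333:subscription/aws-foundational-security-best-practices/v/1.0.0",
            "StandardsArn": "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0",
            "StandardsStatus": "READY",
        },
        {
            "StandardsSubscriptionArn": "arn:aws:securityhub:us-east-1:111122223333:subscription/cis-aws-foundations-benchmark/v/3.0.0",
            "StandardsArn": "arn:aws:securityhub:us-east-1::standards/cis-aws-foundations-benchmark/v/3.0.0",
            "StandardsStatus": "READY",
        },
        {
            "StandardsSubscriptionArn": "arn:aws:securityhub:us-east-1:111122223333:subscription/cis-aws-foundations-benchmark/v/1.2.0",
            "StandardsArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
            "StandardsStatus": "PENDING",
        },
    ]
}

if __name__ == "__main__":
    for sub in enabled_cis_versions(SAMPLE_RESPONSE):
        print(f"CIS v{sub.version}: {sub.status} ({sub.subscription_arn})")
    print(cis_standards_arn("5.0.0", "eu-west-1"))
```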

**Note**  
When you enable a version of the CIS AWS Foundations Benchmark, it can take up to 18 hours for Security Hub CSPM to generate findings for controls that use the same AWS Config service-linked rule as enabled controls in other enabled standards. For more information about the schedule for generating control findings, see [Schedule for running security checks](securityhub-standards-schedule.md).

Finding fields differ if you turn on consolidated control findings. For information about these differences, see [Impact of consolidation on ASFF fields and values](asff-changes-consolidation.md). For sample control findings, see [Samples of control findings](sample-control-findings.md).

### CIS requirements that aren't supported in Security Hub CSPM


As noted in the preceding table, Security Hub CSPM doesn't support every CIS requirement in every version of the CIS AWS Foundations Benchmark. Many of the unsupported requirements can be evaluated only by manually reviewing the state of your AWS resources.

# NIST SP 800-53 Revision 5 in Security Hub CSPM

NIST Special Publication 800-53 Revision 5 (NIST SP 800-53 Rev. 5) is a cybersecurity and compliance framework developed by the National Institute of Standards and Technology (NIST), an agency that's part of the U.S. Department of Commerce. This compliance framework provides a catalog of security and privacy requirements for protecting the confidentiality, integrity, and availability of information systems and critical resources. U.S. federal government agencies and contractors must comply with these requirements to protect their systems and organizations. Private organizations can also voluntarily use the requirements as a guiding framework for reducing cybersecurity risk. For more information about the framework and its requirements, see [NIST SP 800-53 Rev. 5](https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final) in the *NIST Computer Security Resource Center*.

AWS Security Hub CSPM provides security controls that support a subset of NIST SP 800-53 Revision 5 requirements. The controls perform automated security checks for certain AWS services and resources. To enable and manage these controls, you can enable the NIST SP 800-53 Revision 5 framework as a standard in Security Hub CSPM. Note that the controls don't support NIST SP 800-53 Revision 5 requirements that require manual checks.

Unlike other frameworks, the NIST SP 800-53 Revision 5 framework isn't prescriptive about how its requirements should be evaluated. Instead, the framework provides guidelines. In Security Hub CSPM, the NIST SP 800-53 Revision 5 standard and controls represent the service's understanding of these guidelines.

**Topics**
+ [Configuring resource recording for the standard](#standards-reference-nist-800-53-recording)
+ [Determining which controls apply to the standard](#standards-reference-nist-800-53-controls)

## Configuring resource recording for controls that apply to the standard

To maximize coverage and the accuracy of findings, enable and configure resource recording in AWS Config before you enable the NIST SP 800-53 Revision 5 standard in AWS Security Hub CSPM. When you configure resource recording, be sure to enable it for all the types of AWS resources that are checked by controls that apply to the standard. This matters primarily for controls that have a *change triggered* schedule type, but some controls with a *periodic* schedule type also require resource recording. If resource recording isn't enabled or configured correctly, Security Hub CSPM might not be able to evaluate the appropriate resources and generate accurate findings for controls that apply to the standard.

For information about how Security Hub CSPM uses resource recording in AWS Config, see [Enabling and configuring AWS Config for Security Hub CSPM](securityhub-setup-prereqs.md). For information about configuring resource recording in AWS Config, see [Working with the configuration recorder](https://docs.aws.amazon.com/config/latest/developerguide/stop-start-recorder.html) in the *AWS Config Developer Guide*.

The following table specifies the types of resources to record for controls that apply to the NIST SP 800-53 Revision 5 standard in Security Hub CSPM.


| AWS service | Resource types | 
| --- | --- | 
|  Amazon API Gateway  |  `AWS::ApiGateway::Stage`, `AWS::ApiGatewayV2::Stage`  | 
|  AWS AppSync  |  `AWS::AppSync::GraphQLApi`  | 
|  AWS Backup  |  `AWS::Backup::RecoveryPoint`  | 
|  AWS Certificate Manager (ACM)  |  `AWS::ACM::Certificate`  | 
|  AWS CloudFormation  |  `AWS::CloudFormation::Stack`  | 
|  Amazon CloudFront  |  `AWS::CloudFront::Distribution`  | 
|  Amazon CloudWatch  |  `AWS::CloudWatch::Alarm`  | 
|  AWS CodeBuild  |  `AWS::CodeBuild::Project`  | 
|  AWS Database Migration Service (AWS DMS)  |  `AWS::DMS::Endpoint`, `AWS::DMS::ReplicationInstance`, `AWS::DMS::ReplicationTask`  | 
|  Amazon DynamoDB  |  `AWS::DynamoDB::Table`  | 
|  Amazon Elastic Compute Cloud (Amazon EC2)  |  `AWS::EC2::ClientVpnEndpoint`, `AWS::EC2::EIP`, `AWS::EC2::Instance`, `AWS::EC2::LaunchTemplate`, `AWS::EC2::NetworkAcl`, `AWS::EC2::NetworkInterface`, `AWS::EC2::SecurityGroup`, `AWS::EC2::Subnet`, `AWS::EC2::TransitGateway`, `AWS::EC2::VPNConnection`, `AWS::EC2::Volume`  | 
|  Amazon EC2 Auto Scaling  |  `AWS::AutoScaling::AutoScalingGroup`, `AWS::AutoScaling::LaunchConfiguration`  | 
|  Amazon Elastic Container Registry (Amazon ECR)  |  `AWS::ECR::Repository`  | 
|  Amazon Elastic Container Service (Amazon ECS)  |  `AWS::ECS::Cluster`, `AWS::ECS::Service`, `AWS::ECS::TaskDefinition`  | 
|  Amazon Elastic File System (Amazon EFS)  |  `AWS::EFS::AccessPoint`  | 
|  Amazon Elastic Kubernetes Service (Amazon EKS)  |  `AWS::EKS::Cluster`  | 
|  AWS Elastic Beanstalk  |  `AWS::ElasticBeanstalk::Environment`  | 
|  Elastic Load Balancing  |  `AWS::ElasticLoadBalancing::LoadBalancer`, `AWS::ElasticLoadBalancingV2::Listener`, `AWS::ElasticLoadBalancingV2::LoadBalancer`  | 
|  Amazon Elasticsearch  |  `AWS::Elasticsearch::Domain`  | 
|  Amazon EMR  |  `AWS::EMR::SecurityConfiguration`  | 
|  Amazon EventBridge  |  `AWS::Events::Endpoint`, `AWS::Events::EventBus`  | 
|  AWS Glue  |  `AWS::Glue::Job`  | 
|  AWS Identity and Access Management (IAM)  |  `AWS::IAM::Group`, `AWS::IAM::Policy`, `AWS::IAM::Role`, `AWS::IAM::User`  | 
|  AWS Key Management Service (AWS KMS)  |  `AWS::KMS::Alias`, `AWS::KMS::Key`  | 
|  Amazon Kinesis  |  `AWS::Kinesis::Stream`  | 
|  AWS Lambda  |  `AWS::Lambda::Function`  | 
|  Amazon Managed Streaming for Apache Kafka (Amazon MSK)  |  `AWS::MSK::Cluster`  | 
|  Amazon MQ  |  `AWS::AmazonMQ::Broker`  | 
|  AWS Network Firewall  |  `AWS::NetworkFirewall::Firewall`, `AWS::NetworkFirewall::FirewallPolicy`, `AWS::NetworkFirewall::RuleGroup`  | 
|  Amazon OpenSearch Service  |  `AWS::OpenSearch::Domain`  | 
|  Amazon Relational Database Service (Amazon RDS)  |  `AWS::RDS::DBCluster`, `AWS::RDS::DBClusterSnapshot`, `AWS::RDS::DBInstance`, `AWS::RDS::DBSnapshot`, `AWS::RDS::EventSubscription`  | 
|  Amazon Redshift  |  `AWS::Redshift::Cluster`, `AWS::Redshift::ClusterSubnetGroup`  | 
|  Amazon Route 53  |  `AWS::Route53::HostedZone`  | 
|  Amazon Simple Storage Service (Amazon S3)  |  `AWS::S3::AccessPoint`, `AWS::S3::AccountPublicAccessBlock`, `AWS::S3::Bucket`  | 
|  AWS Service Catalog  |  `AWS::ServiceCatalog::Portfolio`  | 
|  Amazon Simple Notification Service (Amazon SNS)  |  `AWS::SNS::Topic`  | 
|  Amazon Simple Queue Service (Amazon SQS)  |  `AWS::SQS::Queue`  | 
|  Amazon EC2 Systems Manager (SSM)  |  `AWS::SSM::AssociationCompliance`, `AWS::SSM::ManagedInstanceInventory`, `AWS::SSM::PatchCompliance`  | 
|  Amazon SageMaker AI  |  `AWS::SageMaker::NotebookInstance`  | 
|  AWS Secrets Manager  |  `AWS::SecretsManager::Secret`  | 
|  AWS Transfer Family  |  `AWS::Transfer::Connector`  | 
|  AWS WAF  |  `AWS::WAF::Rule`, `AWS::WAF::RuleGroup`, `AWS::WAF::WebACL`, `AWS::WAFRegional::Rule`, `AWS::WAFRegional::RuleGroup`, `AWS::WAFRegional::WebACL`, `AWS::WAFv2::RuleGroup`, `AWS::WAFv2::WebACL`  | 
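The practical check behind this table is whether the configuration recorder in each Region actually covers the listed types. The following is an added example, not AWS code: it takes a `recordingGroup` in the shape that AWS Config's `DescribeConfigurationRecorders` returns and reports which required types are not recorded under each recording strategy, including the case where global IAM types are dropped because `includeGlobalResourceTypes` is off. The required-type list is a constructed subset of the table above, and the recorder dicts are constructed samples.

```python
"""Report which required resource types an AWS Config recording group does not cover.

Added example (not AWS documentation code). Input is the recordingGroup dict in
the shape DescribeConfigurationRecorders returns; REQUIRED_TYPES_SAMPLE is a
constructed subset of the page's NIST SP 800-53 Rev. 5 resource-type table.
"""
from typing import Iterable, List

# Constructed subset of the page's table. For a real check, paste in the full table.
REQUIRED_TYPES_SAMPLE = [
    "AWS::ApiGateway::Stage",
    "AWS::EC2::SecurityGroup",
    "AWS::EC2::Volume",
    "AWS::IAM::Policy",
    "AWS::IAM::User",
    "AWS::KMS::Key",
    "AWS::Lambda::Function",
    "AWS::RDS::DBInstance",
    "AWS::S3::AccountPublicAccessBlock",
    "AWS::S3::Bucket",
    "AWS::SNS::Topic",
]

# IAM resource types are global: with allSupported they are recorded only in the
# Region whose recorder has includeGlobalResourceTypes set.
GLOBAL_TYPE_PREFIXES = ("AWS::IAM::",)


def recording_strategy(group: dict) -> str:
    """Resolve the effective strategy, honouring recordingStrategy.useOnly when present."""
    explicit = group.get("recordingStrategy", {}).get("useOnly")
    if explicit:
        return explicit
    # Older recorder configurations only carry the boolean/list fields.
    if group.get("allSupported"):
        return "ALL_SUPPORTED_RESOURCE_TYPES"
    if group.get("exclusionByResourceTypes", {}).get("resourceTypes"):
        return "EXCLUSION_BY_RESOURCE_TYPES"
    return "INCLUSION_BY_RESOURCE_TYPES"


def is_recorded(group: dict, resource_type: str) -> bool:
    """True if this recording group records the given resource type."""
    strategy = recording_strategy(group)
    if strategy == "INCLUSION_BY_RESOURCE_TYPES":
        return resource_type in set(group.get("resourceTypes", []))
    if strategy == "EXCLUSION_BY_RESOURCE_TYPES":
        excluded = set(group.get("exclusionByResourceTypes", {}).get("resourceTypes", []))
        return resource_type not in excluded
    # ALL_SUPPORTED_RESOURCE_TYPES: everything supported is recorded, except that
    # the global IAM types still depend on includeGlobalResourceTypes.
    if resource_type.startswith(GLOBAL_TYPE_PREFIXES):
        return bool(group.get("includeGlobalResourceTypes"))
    return True


def missing_types(group: dict, required: Iterable[str]) -> List[str]:
    """Return, sorted, the required resource types this recording group does not cover."""
    return sorted(t for t in required if not is_recorded(group, t))


# Constructed sample recording groups (shape of DescribeConfigurationRecorders output).
ALL_SUPPORTED_NO_GLOBAL = {
    "allSupported": True,
    "includeGlobalResourceTypes": False,
    "resourceTypes": [],
    "recordingStrategy": {"useOnly": "ALL_SUPPORTED_RESOURCE_TYPES"},
}
INCLUSION_LIST = {
    "allSupported": False,
    "includeGlobalResourceTypes": False,
    "resourceTypes": ["AWS::EC2::SecurityGroup", "AWS::S3::Bucket", "AWS::IAM::User"],
    "recordingStrategy": {"useOnly": "INCLUSION_BY_RESOURCE_TYPES"},
}
EXCLUDE_VOLUMES = {
    "allSupported": False,
    "exclusionByResourceTypes": {"resourceTypes": ["AWS::EC2::Volume"]},
    "recordingStrategy": {"useOnly": "EXCLUSION_BY_RESOURCE_TYPES"},
}

if __name__ == "__main__":
    samples = [("all-supported, no global", ALL_SUPPORTED_NO_GLOBAL),
               ("inclusion list", INCLUSION_LIST),
               ("exclude volumes", EXCLUDE_VOLUMES)]
    for name, group in samples:
        print(f"{name}: missing {missing_types(group, REQUIRED_TYPES_SAMPLE)}")
```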

## Determining which controls apply to the standard

The following list specifies the controls that support NIST SP 800-53 Revision 5 requirements and apply to the NIST SP 800-53 Revision 5 standard in AWS Security Hub CSPM. For details about specific requirements that a control supports, choose the control. Then refer to the **Related requirements** field in the details for the control. This field specifies each NIST requirement that the control supports. If the field doesn't specify a particular NIST requirement, the control doesn't support the requirement.
+ [[Account.1] Security contact information should be provided for an AWS account](account-controls.md#account-1)
+ [[Account.2] AWS accounts should be part of an AWS Organizations organization](account-controls.md#account-2)
+ [[ACM.1] Imported and ACM-issued certificates should be renewed after a specified time period](acm-controls.md#acm-1)
+ [[APIGateway.1] API Gateway REST and WebSocket API execution logging should be enabled](apigateway-controls.md#apigateway-1)
+  [[APIGateway.2] API Gateway REST API stages should be configured to use SSL certificates for backend authentication](apigateway-controls.md#apigateway-2) 
+  [[APIGateway.3] API Gateway REST API stages should have AWS X-Ray tracing enabled](apigateway-controls.md#apigateway-3) 
+  [[APIGateway.4] API Gateway should be associated with a WAF Web ACL](apigateway-controls.md#apigateway-4) 
+  [[APIGateway.5] API Gateway REST API cache data should be encrypted at rest](apigateway-controls.md#apigateway-5) 
+  [[APIGateway.8] API Gateway routes should specify an authorization type](apigateway-controls.md#apigateway-8) 
+  [[APIGateway.9] Access logging should be configured for API Gateway V2 Stages](apigateway-controls.md#apigateway-9) 
+  [[AppSync.5] AWS AppSync GraphQL APIs should not be authenticated with API keys](appsync-controls.md#appsync-5) 
+  [[AutoScaling.1] Auto Scaling groups associated with a load balancer should use ELB health checks](autoscaling-controls.md#autoscaling-1) 
+  [[AutoScaling.2] Amazon EC2 Auto Scaling group should cover multiple Availability Zones](autoscaling-controls.md#autoscaling-2) 
+  [[AutoScaling.3] Auto Scaling group launch configurations should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2)](autoscaling-controls.md#autoscaling-3) 
+  [[Autoscaling.5] Amazon EC2 instances launched using Auto Scaling group launch configurations should not have Public IP addresses](autoscaling-controls.md#autoscaling-5) 
+  [[AutoScaling.6] Auto Scaling groups should use multiple instance types in multiple Availability Zones](autoscaling-controls.md#autoscaling-6) 
+  [[AutoScaling.9] Amazon EC2 Auto Scaling groups should use Amazon EC2 launch templates](autoscaling-controls.md#autoscaling-9) 
+  [[Backup.1] AWS Backup recovery points should be encrypted at rest](backup-controls.md#backup-1) 
+  [[CloudFront.1] CloudFront distributions should have a default root object configured](cloudfront-controls.md#cloudfront-1) 
+  [[CloudFront.3] CloudFront distributions should require encryption in transit](cloudfront-controls.md#cloudfront-3) 
+  [[CloudFront.4] CloudFront distributions should have origin failover configured](cloudfront-controls.md#cloudfront-4) 
+  [[CloudFront.5] CloudFront distributions should have logging enabled](cloudfront-controls.md#cloudfront-5) 
+  [[CloudFront.6] CloudFront distributions should have WAF enabled](cloudfront-controls.md#cloudfront-6) 
+  [[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates](cloudfront-controls.md#cloudfront-7) 
+  [[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests](cloudfront-controls.md#cloudfront-8) 
+  [[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins](cloudfront-controls.md#cloudfront-9) 
+  [[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins](cloudfront-controls.md#cloudfront-10) 
+  [[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins](cloudfront-controls.md#cloudfront-12) 
+  [[CloudTrail.1] CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events](cloudtrail-controls.md#cloudtrail-1) 
+  [[CloudTrail.2] CloudTrail should have encryption at-rest enabled](cloudtrail-controls.md#cloudtrail-2) 
+  [[CloudTrail.4] CloudTrail log file validation should be enabled](cloudtrail-controls.md#cloudtrail-4) 
+  [[CloudTrail.5] CloudTrail trails should be integrated with Amazon CloudWatch Logs](cloudtrail-controls.md#cloudtrail-5) 
+  [[CloudTrail.10] CloudTrail Lake event data stores should be encrypted with customer managed AWS KMS keys](cloudtrail-controls.md#cloudtrail-10) 
+  [[CloudWatch.15] CloudWatch alarms should have specified actions configured](cloudwatch-controls.md#cloudwatch-15) 
+  [[CloudWatch.16] CloudWatch log groups should be retained for a specified time period](cloudwatch-controls.md#cloudwatch-16) 
+  [[CloudWatch.17] CloudWatch alarm actions should be activated](cloudwatch-controls.md#cloudwatch-17) 
+  [[CodeBuild.1] CodeBuild Bitbucket source repository URLs should not contain sensitive credentials](codebuild-controls.md#codebuild-1) 
+  [[CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials](codebuild-controls.md#codebuild-2) 
+  [[CodeBuild.3] CodeBuild S3 logs should be encrypted](codebuild-controls.md#codebuild-3) 
+  [[CodeBuild.4] CodeBuild project environments should have a logging AWS Configuration](codebuild-controls.md#codebuild-4) 
+  [[Config.1] AWS Config should be enabled and use the service-linked role for resource recording](config-controls.md#config-1) 
+  [[DataFirehose.1] Firehose delivery streams should be encrypted at rest](datafirehose-controls.md#datafirehose-1) 
+  [[DMS.1] Database Migration Service replication instances should not be public](dms-controls.md#dms-1) 
+  [[DMS.6] DMS replication instances should have automatic minor version upgrade enabled](dms-controls.md#dms-6) 
+  [[DMS.7] DMS replication tasks for the target database should have logging enabled](dms-controls.md#dms-7) 
+  [[DMS.8] DMS replication tasks for the source database should have logging enabled](dms-controls.md#dms-8) 
+  [[DMS.9] DMS endpoints should use SSL](dms-controls.md#dms-9) 
+  [[DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled](dms-controls.md#dms-10) 
+  [[DMS.11] DMS endpoints for MongoDB should have an authentication mechanism enabled](dms-controls.md#dms-11) 
+  [[DMS.12] DMS endpoints for Redis OSS should have TLS enabled](dms-controls.md#dms-12) 
+  [[DocumentDB.1] Amazon DocumentDB clusters should be encrypted at rest](documentdb-controls.md#documentdb-1) 
+  [[DocumentDB.2] Amazon DocumentDB clusters should have an adequate backup retention period](documentdb-controls.md#documentdb-2) 
+  [[DocumentDB.3] Amazon DocumentDB manual cluster snapshots should not be public](documentdb-controls.md#documentdb-3) 
+  [[DocumentDB.4] Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs](documentdb-controls.md#documentdb-4) 
+  [[DocumentDB.5] Amazon DocumentDB clusters should have deletion protection enabled](documentdb-controls.md#documentdb-5) 
+  [[DynamoDB.1] DynamoDB tables should automatically scale capacity with demand](dynamodb-controls.md#dynamodb-1) 
+  [[DynamoDB.2] DynamoDB tables should have point-in-time recovery enabled](dynamodb-controls.md#dynamodb-2) 
+  [[DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest](dynamodb-controls.md#dynamodb-3) 
+  [[DynamoDB.4] DynamoDB tables should be present in a backup plan](dynamodb-controls.md#dynamodb-4) 
+  [[DynamoDB.6] DynamoDB tables should have deletion protection enabled](dynamodb-controls.md#dynamodb-6) 
+  [[DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit](dynamodb-controls.md#dynamodb-7) 
+  [[EC2.1] Amazon EBS snapshots should not be configured to be publicly restorable](ec2-controls.md#ec2-1) 
+  [[EC2.2] VPC default security groups should not allow inbound or outbound traffic](ec2-controls.md#ec2-2) 
+  [[EC2.3] Attached Amazon EBS volumes should be encrypted at-rest](ec2-controls.md#ec2-3) 
+  [[EC2.4] Stopped EC2 instances should be removed after a specified time period](ec2-controls.md#ec2-4) 
+  [[EC2.6] VPC flow logging should be enabled in all VPCs](ec2-controls.md#ec2-6) 
+  [[EC2.7] EBS default encryption should be enabled](ec2-controls.md#ec2-7) 
+  [[EC2.8] EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)](ec2-controls.md#ec2-8) 
+  [[EC2.9] Amazon EC2 instances should not have a public IPv4 address](ec2-controls.md#ec2-9) 
+  [[EC2.10] Amazon EC2 should be configured to use VPC endpoints that are created for the Amazon EC2 service](ec2-controls.md#ec2-10) 
+  [[EC2.12] Unused Amazon EC2 EIPs should be removed](ec2-controls.md#ec2-12) 
+  [[EC2.13] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 22](ec2-controls.md#ec2-13) 
+  [[EC2.15] Amazon EC2 subnets should not automatically assign public IP addresses](ec2-controls.md#ec2-15) 
+  [[EC2.16] Unused Network Access Control Lists should be removed](ec2-controls.md#ec2-16) 
+  [[EC2.17] Amazon EC2 instances should not use multiple ENIs](ec2-controls.md#ec2-17) 
+  [[EC2.18] Security groups should only allow unrestricted incoming traffic for authorized ports](ec2-controls.md#ec2-18) 
+  [[EC2.19] Security groups should not allow unrestricted access to ports with high risk](ec2-controls.md#ec2-19) 
+  [[EC2.20] Both VPN tunnels for an AWS Site-to-Site VPN connection should be up](ec2-controls.md#ec2-20) 
+  [[EC2.21] Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389](ec2-controls.md#ec2-21) 
+  [[EC2.23] Amazon EC2 Transit Gateways should not automatically accept VPC attachment requests](ec2-controls.md#ec2-23) 
+  [[EC2.24] Amazon EC2 paravirtual instance types should not be used](ec2-controls.md#ec2-24) 
+  [[EC2.25] Amazon EC2 launch templates should not assign public IPs to network interfaces](ec2-controls.md#ec2-25) 
+  [[EC2.28] EBS volumes should be covered by a backup plan](ec2-controls.md#ec2-28) 
+  [[EC2.51] EC2 Client VPN endpoints should have client connection logging enabled](ec2-controls.md#ec2-51) 
+ [[EC2.55] VPCs should be configured with an interface endpoint for ECR API](ec2-controls.md#ec2-55)
+ [[EC2.56] VPCs should be configured with an interface endpoint for Docker Registry](ec2-controls.md#ec2-56)
+ [[EC2.57] VPCs should be configured with an interface endpoint for Systems Manager](ec2-controls.md#ec2-57)
+ [[EC2.58] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager Contacts](ec2-controls.md#ec2-58)
+ [[EC2.60] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager](ec2-controls.md#ec2-60)
+  [[ECR.1] ECR private repositories should have image scanning configured](ecr-controls.md#ecr-1) 
+  [[ECR.2] ECR private repositories should have tag immutability configured](ecr-controls.md#ecr-2) 
+  [[ECR.3] ECR repositories should have at least one lifecycle policy configured](ecr-controls.md#ecr-3) 
+  [[ECR.5] ECR repositories should be encrypted with customer managed AWS KMS keys](ecr-controls.md#ecr-5) 
+  [[ECS.1] Amazon ECS task definitions should have secure networking modes and user definitions](ecs-controls.md#ecs-1) 
+  [[ECS.2] ECS services should not have public IP addresses assigned to them automatically](ecs-controls.md#ecs-2) 
+  [[ECS.3] ECS task definitions should not share the host's process namespace](ecs-controls.md#ecs-3) 
+  [[ECS.4] ECS containers should run as non-privileged](ecs-controls.md#ecs-4) 
+  [[ECS.5] ECS task definitions should configure containers to be limited to read-only access to root filesystems](ecs-controls.md#ecs-5) 
+  [[ECS.8] Secrets should not be passed as container environment variables](ecs-controls.md#ecs-8) 
+  [[ECS.9] ECS task definitions should have a logging configuration](ecs-controls.md#ecs-9) 
+  [[ECS.10] ECS Fargate services should run on the latest Fargate platform version](ecs-controls.md#ecs-10) 
+  [[ECS.12] ECS clusters should use Container Insights](ecs-controls.md#ecs-12) 
+  [[ECS.17] ECS task definitions should not use host network mode](ecs-controls.md#ecs-17) 
+  [[EFS.1] Elastic File System should be configured to encrypt file data at-rest using AWS KMS](efs-controls.md#efs-1) 
+  [[EFS.2] Amazon EFS volumes should be in backup plans](efs-controls.md#efs-2) 
+  [[EFS.3] EFS access points should enforce a root directory](efs-controls.md#efs-3) 
+  [[EFS.4] EFS access points should enforce a user identity](efs-controls.md#efs-4) 
+  [[EFS.6] EFS mount targets should not be associated with subnets that assign public IP addresses on launch](efs-controls.md#efs-6) 
+  [[EKS.1] EKS cluster endpoints should not be publicly accessible](eks-controls.md#eks-1) 
+  [[EKS.2] EKS clusters should run on a supported Kubernetes version](eks-controls.md#eks-2) 
+  [[EKS.3] EKS clusters should use encrypted Kubernetes secrets](eks-controls.md#eks-3) 
+  [[EKS.8] EKS clusters should have audit logging enabled](eks-controls.md#eks-8) 
+  [[ElastiCache.1] ElastiCache (Redis OSS) clusters should have automatic backups enabled](elasticache-controls.md#elasticache-1) 
+  [[ElastiCache.2] ElastiCache clusters should have automatic minor version upgrades enabled](elasticache-controls.md#elasticache-2) 
+  [[ElastiCache.3] ElastiCache replication groups should have automatic failover enabled](elasticache-controls.md#elasticache-3) 
+  [[ElastiCache.4] ElastiCache replication groups should be encrypted at rest](elasticache-controls.md#elasticache-4) 
+  [[ElastiCache.5] ElastiCache replication groups should be encrypted in transit](elasticache-controls.md#elasticache-5) 
+  [[ElastiCache.6] ElastiCache (Redis OSS) replication groups of earlier versions should have Redis OSS AUTH enabled](elasticache-controls.md#elasticache-6) 
+  [[ElastiCache.7] ElastiCache clusters should not use the default subnet group](elasticache-controls.md#elasticache-7) 
+  [[ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled](elasticbeanstalk-controls.md#elasticbeanstalk-1) 
+  [[ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled](elasticbeanstalk-controls.md#elasticbeanstalk-2) 
+  [[ELB.1] Application Load Balancer should be configured to redirect all HTTP requests to HTTPS](elb-controls.md#elb-1) 
+  [[ELB.2] Classic Load Balancers with SSL/HTTPS listeners should use a certificate provided by AWS Certificate Manager](elb-controls.md#elb-2) 
+  [[ELB.3] Classic Load Balancer listeners should be configured with HTTPS or TLS termination](elb-controls.md#elb-3) 
+  [[ELB.4] Application Load Balancer should be configured to drop invalid http headers](elb-controls.md#elb-4) 
+  [[ELB.5] Application and Classic Load Balancers logging should be enabled](elb-controls.md#elb-5) 
+  [[ELB.6] Application, Gateway, and Network Load Balancers should have deletion protection enabled](elb-controls.md#elb-6) 
+  [[ELB.7] Classic Load Balancers should have connection draining enabled](elb-controls.md#elb-7) 
+  [[ELB.8] Classic Load Balancers with SSL listeners should use a predefined security policy that has strong AWS Configuration](elb-controls.md#elb-8) 
+  [[ELB.9] Classic Load Balancers should have cross-zone load balancing enabled](elb-controls.md#elb-9) 
+  [[ELB.10] Classic Load Balancer should span multiple Availability Zones](elb-controls.md#elb-10) 
+  [[ELB.12] Application Load Balancer should be configured with defensive or strictest desync mitigation mode](elb-controls.md#elb-12) 
+  [[ELB.13] Application, Network and Gateway Load Balancers should span multiple Availability Zones](elb-controls.md#elb-13) 
+  [[ELB.14] Classic Load Balancer should be configured with defensive or strictest desync mitigation mode](elb-controls.md#elb-14) 
+  [[ELB.16] Application Load Balancers should be associated with an AWS WAF web ACL](elb-controls.md#elb-16) 
+  [[ELB.17] Application and Network Load Balancers with listeners should use recommended security policies](elb-controls.md#elb-17) 
+  [[EMR.1] Amazon EMR cluster primary nodes should not have public IP addresses](emr-controls.md#emr-1) 
+  [[EMR.2] Amazon EMR block public access setting should be enabled](emr-controls.md#emr-2) 
+  [[EMR.3] Amazon EMR security configurations should be encrypted at rest](emr-controls.md#emr-3) 
+  [[EMR.4] Amazon EMR security configurations should be encrypted in transit](emr-controls.md#emr-4) 
+  [[ES.1] Elasticsearch domains should have encryption at-rest enabled](es-controls.md#es-1) 
+  [[ES.2] Elasticsearch domains should not be publicly accessible](es-controls.md#es-2) 
+  [[ES.3] Elasticsearch domains should encrypt data sent between nodes](es-controls.md#es-3) 
+  [[ES.4] Elasticsearch domain error logging to CloudWatch Logs should be enabled](es-controls.md#es-4) 
+  [[ES.5] Elasticsearch domains should have audit logging enabled](es-controls.md#es-5) 
+  [[ES.6] Elasticsearch domains should have at least three data nodes](es-controls.md#es-6) 
+  [[ES.7] Elasticsearch domains should be configured with at least three dedicated master nodes](es-controls.md#es-7) 
+  [[ES.8] Connections to Elasticsearch domains should be encrypted using the latest TLS security policy](es-controls.md#es-8) 
+  [[EventBridge.3] EventBridge custom event buses should have a resource-based policy attached](eventbridge-controls.md#eventbridge-3) 
+  [[EventBridge.4] EventBridge global endpoints should have event replication enabled](eventbridge-controls.md#eventbridge-4) 
+  [[FSx.1] FSx for OpenZFS file systems should be configured to copy tags to backups and volumes](fsx-controls.md#fsx-1) 
+  [[FSx.2] FSx for Lustre file systems should be configured to copy tags to backups](fsx-controls.md#fsx-2) 
+  [[Glue.4] AWS Glue Spark jobs should run on supported versions of AWS Glue](glue-controls.md#glue-4) 
+  [[GuardDuty.1] GuardDuty should be enabled](guardduty-controls.md#guardduty-1) 
+  [[IAM.1] IAM policies should not allow full "\*" administrative privileges](iam-controls.md#iam-1) 
+  [[IAM.2] IAM users should not have IAM policies attached](iam-controls.md#iam-2) 
+  [[IAM.3] IAM users' access keys should be rotated every 90 days or less](iam-controls.md#iam-3) 
+  [[IAM.4] IAM root user access key should not exist](iam-controls.md#iam-4) 
+  [[IAM.5] MFA should be enabled for all IAM users that have a console password](iam-controls.md#iam-5) 
+  [[IAM.6] Hardware MFA should be enabled for the root user](iam-controls.md#iam-6) 
+  [[IAM.7] Password policies for IAM users should have strong configurations](iam-controls.md#iam-7) 
+  [[IAM.8] Unused IAM user credentials should be removed](iam-controls.md#iam-8) 
+  [[IAM.9] MFA should be enabled for the root user](iam-controls.md#iam-9) 
+  [[IAM.19] MFA should be enabled for all IAM users](iam-controls.md#iam-19) 
+  [[IAM.21] IAM customer managed policies that you create should not allow wildcard actions for services](iam-controls.md#iam-21) 
+  [[Kinesis.1] Kinesis streams should be encrypted at rest](kinesis-controls.md#kinesis-1) 
+  [[KMS.1] IAM customer managed policies should not allow decryption actions on all KMS keys](kms-controls.md#kms-1) 
+  [[KMS.2] IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys](kms-controls.md#kms-2) 
+  [[KMS.3] AWS KMS keys should not be deleted unintentionally](kms-controls.md#kms-3) 
+  [[KMS.4] AWS KMS key rotation should be enabled](kms-controls.md#kms-4) 
+  [[Lambda.1] Lambda function policies should prohibit public access](lambda-controls.md#lambda-1) 
+  [[Lambda.2] Lambda functions should use supported runtimes](lambda-controls.md#lambda-2) 
+  [[Lambda.3] Lambda functions should be in a VPC](lambda-controls.md#lambda-3) 
+  [[Lambda.5] VPC Lambda functions should operate in multiple Availability Zones](lambda-controls.md#lambda-5) 
+  [[Lambda.7] Lambda functions should have AWS X-Ray active tracing enabled](lambda-controls.md#lambda-7) 
+  [[Macie.1] Amazon Macie should be enabled](macie-controls.md#macie-1) 
+  [[Macie.2] Macie automated sensitive data discovery should be enabled](macie-controls.md#macie-2) 
+  [[MSK.1] MSK clusters should be encrypted in transit among broker nodes](msk-controls.md#msk-1) 
+  [[MSK.2] MSK clusters should have enhanced monitoring configured](msk-controls.md#msk-2) 
+  [[MQ.2] ActiveMQ brokers should stream audit logs to CloudWatch](mq-controls.md#mq-2) 
+  [[MQ.3] Amazon MQ brokers should have automatic minor version upgrade enabled](mq-controls.md#mq-3) 
+  [[MQ.5] ActiveMQ brokers should use active/standby deployment mode](mq-controls.md#mq-5) 
+  [[MQ.6] RabbitMQ brokers should use cluster deployment mode](mq-controls.md#mq-6) 
+  [[Neptune.1] Neptune DB clusters should be encrypted at rest](neptune-controls.md#neptune-1) 
+  [[Neptune.2] Neptune DB clusters should publish audit logs to CloudWatch Logs](neptune-controls.md#neptune-2) 
+  [[Neptune.3] Neptune DB cluster snapshots should not be public](neptune-controls.md#neptune-3) 
+  [[Neptune.4] Neptune DB clusters should have deletion protection enabled](neptune-controls.md#neptune-4) 
+  [[Neptune.5] Neptune DB clusters should have automated backups enabled](neptune-controls.md#neptune-5) 
+  [[Neptune.6] Neptune DB cluster snapshots should be encrypted at rest](neptune-controls.md#neptune-6) 
+  [[Neptune.7] Neptune DB clusters should have IAM database authentication enabled](neptune-controls.md#neptune-7) 
+  [[Neptune.8] Neptune DB clusters should be configured to copy tags to snapshots](neptune-controls.md#neptune-8) 
+  [[Neptune.9] Neptune DB clusters should be deployed across multiple Availability Zones](neptune-controls.md#neptune-9) 
+  [[NetworkFirewall.1] Network Firewall firewalls should be deployed across multiple Availability Zones](networkfirewall-controls.md#networkfirewall-1) 
+  [[NetworkFirewall.2] Network Firewall logging should be enabled](networkfirewall-controls.md#networkfirewall-2) 
+  [[NetworkFirewall.3] Network Firewall policies should have at least one rule group associated](networkfirewall-controls.md#networkfirewall-3) 
+  [[NetworkFirewall.4] The default stateless action for Network Firewall policies should be drop or forward for full packets](networkfirewall-controls.md#networkfirewall-4) 
+  [[NetworkFirewall.5] The default stateless action for Network Firewall policies should be drop or forward for fragmented packets](networkfirewall-controls.md#networkfirewall-5) 
+  [[NetworkFirewall.6] Stateless Network Firewall rule group should not be empty](networkfirewall-controls.md#networkfirewall-6) 
+  [[NetworkFirewall.9] Network Firewall firewalls should have deletion protection enabled](networkfirewall-controls.md#networkfirewall-9) 
+  [[NetworkFirewall.10] Network Firewall firewalls should have subnet change protection enabled](networkfirewall-controls.md#networkfirewall-10) 
+  [[Opensearch.1] OpenSearch domains should have encryption at rest enabled](opensearch-controls.md#opensearch-1) 
+  [[Opensearch.2] OpenSearch domains should not be publicly accessible](opensearch-controls.md#opensearch-2) 
+  [[Opensearch.3] OpenSearch domains should encrypt data sent between nodes](opensearch-controls.md#opensearch-3) 
+  [[Opensearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled](opensearch-controls.md#opensearch-4) 
+  [[Opensearch.5] OpenSearch domains should have audit logging enabled](opensearch-controls.md#opensearch-5) 
+  [[Opensearch.6] OpenSearch domains should have at least three data nodes](opensearch-controls.md#opensearch-6) 
+  [[Opensearch.7] OpenSearch domains should have fine-grained access control enabled](opensearch-controls.md#opensearch-7) 
+  [[Opensearch.8] Connections to OpenSearch domains should be encrypted using the latest TLS security policy](opensearch-controls.md#opensearch-8) 
+  [[Opensearch.10] OpenSearch domains should have the latest software update installed](opensearch-controls.md#opensearch-10) 
+  [[Opensearch.11] OpenSearch domains should have at least three dedicated primary nodes](opensearch-controls.md#opensearch-11) 
+  [[PCA.1] AWS Private CA root certificate authority should be disabled](pca-controls.md#pca-1) 
+  [[RDS.1] RDS snapshot should be private](rds-controls.md#rds-1) 
+  [[RDS.2] RDS DB Instances should prohibit public access, as determined by the PubliclyAccessible configuration](rds-controls.md#rds-2) 
+  [[RDS.3] RDS DB instances should have encryption at-rest enabled](rds-controls.md#rds-3) 
+  [[RDS.4] RDS cluster snapshots and database snapshots should be encrypted at rest](rds-controls.md#rds-4) 
+  [[RDS.5] RDS DB instances should be configured with multiple Availability Zones](rds-controls.md#rds-5) 
+  [[RDS.6] Enhanced monitoring should be configured for RDS DB instances](rds-controls.md#rds-6) 
+  [[RDS.7] RDS clusters should have deletion protection enabled](rds-controls.md#rds-7) 
+  [[RDS.8] RDS DB instances should have deletion protection enabled](rds-controls.md#rds-8) 
+  [[RDS.9] RDS DB instances should publish logs to CloudWatch Logs](rds-controls.md#rds-9)
+  [[RDS.10] IAM authentication should be configured for RDS instances](rds-controls.md#rds-10) 
+  [[RDS.11] RDS instances should have automatic backups enabled](rds-controls.md#rds-11) 
+  [[RDS.12] IAM authentication should be configured for RDS clusters](rds-controls.md#rds-12) 
+  [[RDS.13] RDS automatic minor version upgrades should be enabled](rds-controls.md#rds-13) 
+  [[RDS.14] Amazon Aurora clusters should have backtracking enabled](rds-controls.md#rds-14) 
+  [[RDS.15] RDS DB clusters should be configured for multiple Availability Zones](rds-controls.md#rds-15) 
+  [[RDS.16] Aurora DB clusters should be configured to copy tags to DB snapshots](rds-controls.md#rds-16) 
+  [[RDS.17] RDS DB instances should be configured to copy tags to snapshots](rds-controls.md#rds-17) 
+  [[RDS.19] Existing RDS event notification subscriptions should be configured for critical cluster events](rds-controls.md#rds-19) 
+  [[RDS.20] Existing RDS event notification subscriptions should be configured for critical database instance events](rds-controls.md#rds-20) 
+  [[RDS.21] An RDS event notifications subscription should be configured for critical database parameter group events](rds-controls.md#rds-21) 
+  [[RDS.22] An RDS event notifications subscription should be configured for critical database security group events](rds-controls.md#rds-22) 
+  [[RDS.23] RDS instances should not use a database engine default port](rds-controls.md#rds-23) 
+  [[RDS.24] RDS Database clusters should use a custom administrator username](rds-controls.md#rds-24) 
+  [[RDS.25] RDS database instances should use a custom administrator username](rds-controls.md#rds-25) 
+  [[RDS.26] RDS DB instances should be protected by a backup plan](rds-controls.md#rds-26) 
+  [[RDS.27] RDS DB clusters should be encrypted at rest](rds-controls.md#rds-27) 
+  [[RDS.34] Aurora MySQL DB clusters should publish audit logs to CloudWatch Logs](rds-controls.md#rds-34) 
+  [[RDS.35] RDS DB clusters should have automatic minor version upgrade enabled](rds-controls.md#rds-35) 
+  [[RDS.40] RDS for SQL Server DB instances should publish logs to CloudWatch Logs](rds-controls.md#rds-40) 
+  [[RDS.42] RDS for MariaDB DB instances should publish logs to CloudWatch Logs](rds-controls.md#rds-42) 
+  [[RDS.45] Aurora MySQL DB clusters should have audit logging enabled](rds-controls.md#rds-45) 
+  [[Redshift.1] Amazon Redshift clusters should prohibit public access](redshift-controls.md#redshift-1) 
+  [[Redshift.2] Connections to Amazon Redshift clusters should be encrypted in transit](redshift-controls.md#redshift-2) 
+  [[Redshift.3] Amazon Redshift clusters should have automatic snapshots enabled](redshift-controls.md#redshift-3) 
+  [[Redshift.4] Amazon Redshift clusters should have audit logging enabled](redshift-controls.md#redshift-4) 
+  [[Redshift.6] Amazon Redshift should have automatic upgrades to major versions enabled](redshift-controls.md#redshift-6) 
+  [[Redshift.7] Redshift clusters should use enhanced VPC routing](redshift-controls.md#redshift-7) 
+  [[Redshift.8] Amazon Redshift clusters should not use the default Admin username](redshift-controls.md#redshift-8) 
+  [[Redshift.10] Redshift clusters should be encrypted at rest](redshift-controls.md#redshift-10) 
+  [[RedshiftServerless.4] Redshift Serverless namespaces should be encrypted with customer managed AWS KMS keys](redshiftserverless-controls.md#redshiftserverless-4)
+  [[Route53.2] Route 53 public hosted zones should log DNS queries](route53-controls.md#route53-2) 
+  [[S3.1] S3 general purpose buckets should have block public access settings enabled](s3-controls.md#s3-1) 
+  [[S3.2] S3 general purpose buckets should block public read access](s3-controls.md#s3-2) 
+  [[S3.3] S3 general purpose buckets should block public write access](s3-controls.md#s3-3) 
+  [[S3.5] S3 general purpose buckets should require requests to use SSL](s3-controls.md#s3-5) 
+  [[S3.6] S3 general purpose bucket policies should restrict access to other AWS accounts](s3-controls.md#s3-6) 
+  [[S3.7] S3 general purpose buckets should use cross-Region replication](s3-controls.md#s3-7) 
+  [[S3.8] S3 general purpose buckets should block public access](s3-controls.md#s3-8) 
+  [[S3.9] S3 general purpose buckets should have server access logging enabled](s3-controls.md#s3-9) 
+  [[S3.10] S3 general purpose buckets with versioning enabled should have Lifecycle configurations](s3-controls.md#s3-10) 
+  [[S3.11] S3 general purpose buckets should have event notifications enabled](s3-controls.md#s3-11) 
+  [[S3.12] ACLs should not be used to manage user access to S3 general purpose buckets](s3-controls.md#s3-12) 
+  [[S3.13] S3 general purpose buckets should have Lifecycle configurations](s3-controls.md#s3-13) 
+  [[S3.14] S3 general purpose buckets should have versioning enabled](s3-controls.md#s3-14) 
+  [[S3.15] S3 general purpose buckets should have Object Lock enabled](s3-controls.md#s3-15) 
+  [[S3.17] S3 general purpose buckets should be encrypted at rest with AWS KMS keys](s3-controls.md#s3-17) 
+  [[S3.19] S3 access points should have block public access settings enabled](s3-controls.md#s3-19) 
+  [[S3.20] S3 general purpose buckets should have MFA delete enabled](s3-controls.md#s3-20) 
+  [[SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access](sagemaker-controls.md#sagemaker-1) 
+  [[SageMaker.2] SageMaker notebook instances should be launched in a custom VPC](sagemaker-controls.md#sagemaker-2) 
+  [[SageMaker.3] Users should not have root access to SageMaker notebook instances](sagemaker-controls.md#sagemaker-3) 
+  [[SageMaker.4] SageMaker endpoint production variants should have an initial instance count greater than 1](sagemaker-controls.md#sagemaker-4) 
+  [[SecretsManager.1] Secrets Manager secrets should have automatic rotation enabled](secretsmanager-controls.md#secretsmanager-1) 
+  [[SecretsManager.2] Secrets Manager secrets configured with automatic rotation should rotate successfully](secretsmanager-controls.md#secretsmanager-2) 
+  [[SecretsManager.3] Remove unused Secrets Manager secrets](secretsmanager-controls.md#secretsmanager-3) 
+  [[SecretsManager.4] Secrets Manager secrets should be rotated within a specified number of days](secretsmanager-controls.md#secretsmanager-4) 
+  [[ServiceCatalog.1] Service Catalog portfolios should be shared within an AWS organization only](servicecatalog-controls.md#servicecatalog-1) 
+  [[SNS.1] SNS topics should be encrypted at-rest using AWS KMS](sns-controls.md#sns-1) 
+  [[SQS.1] Amazon SQS queues should be encrypted at rest](sqs-controls.md#sqs-1) 
+  [[SSM.1] Amazon EC2 instances should be managed by AWS Systems Manager](ssm-controls.md#ssm-1) 
+  [[SSM.2] Amazon EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation](ssm-controls.md#ssm-2) 
+  [[SSM.3] Amazon EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT](ssm-controls.md#ssm-3) 
+  [[SSM.4] SSM documents should not be public](ssm-controls.md#ssm-4) 
+  [[Transfer.2] Transfer Family servers should not use FTP protocol for endpoint connection](transfer-controls.md#transfer-2) 
+  [[Transfer.3] Transfer Family connectors should have logging enabled](transfer-controls.md#transfer-3) 
+  [[WAF.1] AWS WAF Classic Global Web ACL logging should be enabled](waf-controls.md#waf-1) 
+  [[WAF.2] AWS WAF Classic Regional rules should have at least one condition](waf-controls.md#waf-2) 
+  [[WAF.3] AWS WAF Classic Regional rule groups should have at least one rule](waf-controls.md#waf-3) 
+  [[WAF.4] AWS WAF Classic Regional web ACLs should have at least one rule or rule group](waf-controls.md#waf-4) 
+  [[WAF.6] AWS WAF Classic global rules should have at least one condition](waf-controls.md#waf-6) 
+  [[WAF.7] AWS WAF Classic global rule groups should have at least one rule](waf-controls.md#waf-7) 
+  [[WAF.8] AWS WAF Classic global web ACLs should have at least one rule or rule group](waf-controls.md#waf-8) 
+  [[WAF.10] AWS WAF web ACLs should have at least one rule or rule group](waf-controls.md#waf-10) 
+  [[WAF.11] AWS WAF web ACL logging should be enabled](waf-controls.md#waf-11) 
+  [[WAF.12] AWS WAF rules should have CloudWatch metrics enabled](waf-controls.md#waf-12) 

# NIST SP 800-171 Revision 2 in Security Hub CSPM
NIST SP 800-171 Revision 2

NIST Special Publication 800-171 Revision 2 (NIST SP 800-171 Rev. 2) is a cybersecurity and compliance framework developed by the National Institute of Standards and Technology (NIST), an agency that's part of the U.S. Department of Commerce. This compliance framework provides recommended security requirements for protecting the confidentiality of Controlled Unclassified Information in systems and organizations that aren't part of the U.S. federal government. *Controlled Unclassified Information*, also referred to as *CUI*, is sensitive information that doesn't meet government criteria for classification but must still be protected. It is created or possessed by the U.S. federal government, or by other entities on behalf of the U.S. federal government.

NIST SP 800-171 Rev. 2 provides recommended security requirements for protecting the confidentiality of CUI when:
+ The information resides in non-federal systems and organizations,
+ The non-federal organization is not collecting or maintaining information on behalf of a federal agency or using or operating a system on behalf of an agency, and 
+ There are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or government-wide policy for the CUI category listed in the CUI Registry. 

The requirements apply to all components of non-federal systems and organizations that process, store, or transmit CUI, or provide security protection for the components. For more information, see [NIST SP 800-171 Rev. 2](https://csrc.nist.gov/pubs/sp/800/171/r2/upd1/final) in the *NIST Computer Security Resource Center*.

AWS Security Hub CSPM provides security controls that support a subset of NIST SP 800-171 Revision 2 requirements. The controls perform automated security checks for certain AWS services and resources. To enable and manage these controls, you can enable the NIST SP 800-171 Revision 2 framework as a standard in Security Hub CSPM. Note that the controls don't support NIST SP 800-171 Revision 2 requirements that require manual checks.

**Topics**
+ [Configuring resource recording for the standard](#standards-reference-nist-800-171-recording)
+ [Determining which controls apply to the standard](#standards-reference-nist-800-171-controls)

## Configuring resource recording for controls that apply to the standard
Configuring resource recording for the standard

To optimize coverage and the accuracy of findings, enable and configure resource recording in AWS Config before you enable the NIST SP 800-171 Revision 2 standard in AWS Security Hub CSPM. When you configure resource recording, be sure to record all of the resource types that are checked by controls that apply to the standard. Otherwise, Security Hub CSPM might not be able to evaluate the appropriate resources or generate accurate findings for those controls. Note that the IAM resource types in the following table are global resource types: AWS Config records them only when global resource recording is enabled for the configuration recorder, and you should enable it in a single Region so that each IAM resource isn't recorded more than once.

For information about how Security Hub CSPM uses resource recording in AWS Config, see [Enabling and configuring AWS Config for Security Hub CSPM](securityhub-setup-prereqs.md). For information about configuring resource recording in AWS Config, see [Working with the configuration recorder](https://docs.aws.amazon.com/config/latest/developerguide/stop-start-recorder.html) in the *AWS Config Developer Guide*.

The following table specifies the types of resources to record for controls that apply to the NIST SP 800-171 Revision 2 standard in Security Hub CSPM.


| AWS service | Resource types | 
| --- | --- | 
| AWS Certificate Manager (ACM) | `AWS::ACM::Certificate` | 
| Amazon API Gateway | `AWS::ApiGateway::Stage` | 
| Amazon CloudFront | `AWS::CloudFront::Distribution` | 
| Amazon CloudWatch | `AWS::CloudWatch::Alarm` | 
| Amazon Elastic Compute Cloud (Amazon EC2) | `AWS::EC2::ClientVpnEndpoint`, `AWS::EC2::NetworkAcl`, `AWS::EC2::SecurityGroup`, `AWS::EC2::VPC`, `AWS::EC2::VPNConnection` | 
| Elastic Load Balancing | `AWS::ElasticLoadBalancing::LoadBalancer` | 
| AWS Identity and Access Management (IAM) | `AWS::IAM::Policy`, `AWS::IAM::User` | 
| AWS Key Management Service (AWS KMS) | `AWS::KMS::Alias`, `AWS::KMS::Key` | 
| AWS Network Firewall | `AWS::NetworkFirewall::FirewallPolicy`, `AWS::NetworkFirewall::RuleGroup` | 
| Amazon Simple Storage Service (Amazon S3) | `AWS::S3::Bucket` | 
| Amazon Simple Notification Service (Amazon SNS) | `AWS::SNS::Topic` | 
| AWS Systems Manager (SSM) | `AWS::SSM::PatchCompliance` | 
| AWS WAF | `AWS::WAFv2::RuleGroup` | 

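The table above lists what must be recorded, but it doesn't tell you whether a given configuration recorder actually records it. The following is an added example, not AWS code, that reads a recorder's `recordingGroup` in the shape returned by the AWS Config `DescribeConfigurationRecorders` API and reports which of the required resource types are not recorded under the recorder's strategy (all supported types, an inclusion list, or an exclusion list), including the global-resource caveat for the IAM types. The sample recorder configurations are constructed for illustration; the function names and the optional `boto3` lookup are this example's own.

```python
"""Check an AWS Config recorder against the resource types that the
NIST SP 800-171 Rev. 2 controls in Security Hub CSPM evaluate.

Added example, not AWS code. Recorder dicts follow the recordingGroup
shape of DescribeConfigurationRecorders; the sample recorders below are
constructed for illustration.
"""
from __future__ import annotations

# Resource types from the table above, one entry per type.
NIST_800_171_RESOURCE_TYPES: frozenset[str] = frozenset({
    "AWS::ACM::Certificate", "AWS::ApiGateway::Stage",
    "AWS::CloudFront::Distribution", "AWS::CloudWatch::Alarm",
    "AWS::EC2::ClientVpnEndpoint", "AWS::EC2::NetworkAcl",
    "AWS::EC2::SecurityGroup", "AWS::EC2::VPC", "AWS::EC2::VPNConnection",
    "AWS::ElasticLoadBalancing::LoadBalancer",
    "AWS::IAM::Policy", "AWS::IAM::User",
    "AWS::KMS::Alias", "AWS::KMS::Key",
    "AWS::NetworkFirewall::FirewallPolicy", "AWS::NetworkFirewall::RuleGroup",
    "AWS::S3::Bucket", "AWS::SNS::Topic", "AWS::SSM::PatchCompliance",
    "AWS::WAFv2::RuleGroup",
})

# Global IAM types: under the "all supported" strategy AWS Config records
# them only when includeGlobalResourceTypes is set on the recorder.
GLOBAL_RESOURCE_TYPES: frozenset[str] = frozenset({"AWS::IAM::Policy", "AWS::IAM::User"})


def recording_strategy(recording_group: dict) -> str:
    """Return the recorder's strategy, inferring it for older recorders
    that predate the explicit recordingStrategy field."""
    strategy = recording_group.get("recordingStrategy", {}).get("useOnly")
    if strategy:
        return strategy
    if recording_group.get("allSupported"):
        return "ALL_SUPPORTED_RESOURCE_TYPES"
    if recording_group.get("exclusionByResourceTypes", {}).get("resourceTypes"):
        return "EXCLUSION_BY_RESOURCE_TYPES"
    return "INCLUSION_BY_RESOURCE_TYPES"


def is_recorded(resource_type: str, recording_group: dict) -> bool:
    """Decide whether the recorder records the given resource type."""
    strategy = recording_strategy(recording_group)
    if strategy == "ALL_SUPPORTED_RESOURCE_TYPES":
        # Global IAM types ride on a separate flag under this strategy.
        if resource_type in GLOBAL_RESOURCE_TYPES:
            return bool(recording_group.get("includeGlobalResourceTypes"))
        return True
    if strategy == "EXCLUSION_BY_RESOURCE_TYPES":
        excluded = recording_group.get("exclusionByResourceTypes", {}).get("resourceTypes", [])
        return resource_type not in set(excluded)
    # INCLUSION_BY_RESOURCE_TYPES: only explicitly listed types are recorded.
    return resource_type in set(recording_group.get("resourceTypes", []))


def unrecorded_required_types(recording_group: dict,
                              required: frozenset[str] = NIST_800_171_RESOURCE_TYPES) -> list[str]:
    """Required resource types this recorder does not record, sorted."""
    return sorted(t for t in required if not is_recorded(t, recording_group))


def report(recorders: list[dict],
           required: frozenset[str] = NIST_800_171_RESOURCE_TYPES) -> dict[str, list[str]]:
    """Map each recorder name to its list of unrecorded required types."""
    return {r["name"]: unrecorded_required_types(r.get("recordingGroup", {}), required)
            for r in recorders}


def live_recorders(region_name: str) -> list[dict]:
    """Fetch recorder configs from AWS Config (needs boto3 and credentials).
    Imported lazily so the offline checks above need no SDK installed."""
    import boto3
    client = boto3.client("config", region_name=region_name)
    return client.describe_configuration_recorders()["ConfigurationRecorders"]


# Constructed sample recorders, one per strategy.
SAMPLE_RECORDERS: list[dict] = [
    {"name": "default",          # all supported types, global flag left off
     "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": False,
                        "recordingStrategy": {"useOnly": "ALL_SUPPORTED_RESOURCE_TYPES"}}},
    {"name": "inclusion-list",   # explicit list that covers only three types
     "recordingGroup": {"allSupported": False,
                        "resourceTypes": ["AWS::S3::Bucket", "AWS::EC2::SecurityGroup", "AWS::IAM::User"],
                        "recordingStrategy": {"useOnly": "INCLUSION_BY_RESOURCE_TYPES"}}},
    {"name": "exclusion-list",   # records everything except SSM patch compliance
     "recordingGroup": {"exclusionByResourceTypes": {"resourceTypes": ["AWS::SSM::PatchCompliance"]},
                        "recordingStrategy": {"useOnly": "EXCLUSION_BY_RESOURCE_TYPES"}}},
]

if __name__ == "__main__":
    for name, missing in report(SAMPLE_RECORDERS).items():
        print(f"{name}: {'OK' if not missing else ', '.join(missing)}")
```

Run it as-is to see the three constructed cases; to check a real account, replace `SAMPLE_RECORDERS` with `live_recorders("us-east-1")` (or whichever Region the standard is enabled in) and repeat per Region, since AWS Config recorders are Regional.
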
## Determining which controls apply to the standard
Determining which controls apply to the standard

The following list specifies the controls that support NIST SP 800-171 Revision 2 requirements and apply to the NIST SP 800-171 Revision 2 standard in AWS Security Hub CSPM. For details about specific requirements that a control supports, choose the control. Then refer to the **Related requirements** field in the details for the control. This field specifies each NIST requirement that the control supports. If the field doesn't specify a particular NIST requirement, the control doesn't support the requirement.
+ [[ACM.1] Imported and ACM-issued certificates should be renewed after a specified time period](acm-controls.md#acm-1)
+ [[APIGateway.2] API Gateway REST API stages should be configured to use SSL certificates for backend authentication](apigateway-controls.md#apigateway-2)
+ [[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates](cloudfront-controls.md#cloudfront-7)
+ [[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins](cloudfront-controls.md#cloudfront-10)
+ [[CloudTrail.2] CloudTrail should have encryption at-rest enabled](cloudtrail-controls.md#cloudtrail-2)
+ [[CloudTrail.3] At least one CloudTrail trail should be enabled](cloudtrail-controls.md#cloudtrail-3)
+ [[CloudTrail.4] CloudTrail log file validation should be enabled](cloudtrail-controls.md#cloudtrail-4)
+ [[CloudWatch.1] A log metric filter and alarm should exist for usage of the "root" user](cloudwatch-controls.md#cloudwatch-1)
+ [[CloudWatch.2] Ensure a log metric filter and alarm exist for unauthorized API calls](cloudwatch-controls.md#cloudwatch-2)
+ [[CloudWatch.4] Ensure a log metric filter and alarm exist for IAM policy changes](cloudwatch-controls.md#cloudwatch-4)
+ [[CloudWatch.5] Ensure a log metric filter and alarm exist for CloudTrail configuration changes](cloudwatch-controls.md#cloudwatch-5)
+ [[CloudWatch.6] Ensure a log metric filter and alarm exist for AWS Management Console authentication failures](cloudwatch-controls.md#cloudwatch-6)
+ [[CloudWatch.7] Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer managed keys](cloudwatch-controls.md#cloudwatch-7)
+ [[CloudWatch.8] Ensure a log metric filter and alarm exist for S3 bucket policy changes](cloudwatch-controls.md#cloudwatch-8)
+ [[CloudWatch.9] Ensure a log metric filter and alarm exist for AWS Config configuration changes](cloudwatch-controls.md#cloudwatch-9)
+ [[CloudWatch.10] Ensure a log metric filter and alarm exist for security group changes](cloudwatch-controls.md#cloudwatch-10)
+ [[CloudWatch.11] Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)](cloudwatch-controls.md#cloudwatch-11)
+ [[CloudWatch.12] Ensure a log metric filter and alarm exist for changes to network gateways](cloudwatch-controls.md#cloudwatch-12)
+ [[CloudWatch.13] Ensure a log metric filter and alarm exist for route table changes](cloudwatch-controls.md#cloudwatch-13)
+ [[CloudWatch.14] Ensure a log metric filter and alarm exist for VPC changes](cloudwatch-controls.md#cloudwatch-14)
+ [[CloudWatch.15] CloudWatch alarms should have specified actions configured](cloudwatch-controls.md#cloudwatch-15)
+ [[EC2.6] VPC flow logging should be enabled in all VPCs](ec2-controls.md#ec2-6)
+ [[EC2.10] Amazon EC2 should be configured to use VPC endpoints that are created for the Amazon EC2 service](ec2-controls.md#ec2-10)
+ [[EC2.13] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 22](ec2-controls.md#ec2-13)
+ [[EC2.16] Unused Network Access Control Lists should be removed](ec2-controls.md#ec2-16)
+ [[EC2.18] Security groups should only allow unrestricted incoming traffic for authorized ports](ec2-controls.md#ec2-18)
+ [[EC2.19] Security groups should not allow unrestricted access to ports with high risk](ec2-controls.md#ec2-19)
+ [[EC2.20] Both VPN tunnels for an AWS Site-to-Site VPN connection should be up](ec2-controls.md#ec2-20)
+ [[EC2.21] Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389](ec2-controls.md#ec2-21)
+ [[EC2.51] EC2 Client VPN endpoints should have client connection logging enabled](ec2-controls.md#ec2-51)
+ [[ELB.2] Classic Load Balancers with SSL/HTTPS listeners should use a certificate provided by AWS Certificate Manager](elb-controls.md#elb-2)
+ [[ELB.3] Classic Load Balancer listeners should be configured with HTTPS or TLS termination](elb-controls.md#elb-3)
+ [[ELB.8] Classic Load Balancers with SSL listeners should use a predefined security policy that has strong AWS Configuration](elb-controls.md#elb-8)
+ [[GuardDuty.1] GuardDuty should be enabled](guardduty-controls.md#guardduty-1)
+ [[IAM.1] IAM policies should not allow full "*:*" administrative privileges](iam-controls.md#iam-1)
+ [[IAM.2] IAM users should not have IAM policies attached](iam-controls.md#iam-2)
+ [[IAM.7] Password policies for IAM users should have strong configurations](iam-controls.md#iam-7)
+ [[IAM.8] Unused IAM user credentials should be removed](iam-controls.md#iam-8)
+ [[IAM.10] Password policies for IAM users should have strong configurations](iam-controls.md#iam-10)
+ [[IAM.11] Ensure IAM password policy requires at least one uppercase letter](iam-controls.md#iam-11)
+ [[IAM.12] Ensure IAM password policy requires at least one lowercase letter](iam-controls.md#iam-12)
+ [[IAM.13] Ensure IAM password policy requires at least one symbol](iam-controls.md#iam-13)
+ [[IAM.14] Ensure IAM password policy requires at least one number](iam-controls.md#iam-14)
+ [[IAM.15] Ensure IAM password policy requires minimum password length of 14 or greater](iam-controls.md#iam-15)
+ [[IAM.16] Ensure IAM password policy prevents password reuse](iam-controls.md#iam-16)
+ [[IAM.18] Ensure a support role has been created to manage incidents with AWS Support](iam-controls.md#iam-18)
+ [[IAM.19] MFA should be enabled for all IAM users](iam-controls.md#iam-19)
+ [[IAM.21] IAM customer managed policies that you create should not allow wildcard actions for services](iam-controls.md#iam-21)
+ [[IAM.22] IAM user credentials unused for 45 days should be removed](iam-controls.md#iam-22)
+ [[NetworkFirewall.2] Network Firewall logging should be enabled](networkfirewall-controls.md#networkfirewall-2)
+ [[NetworkFirewall.3] Network Firewall policies should have at least one rule group associated](networkfirewall-controls.md#networkfirewall-3)
+ [[NetworkFirewall.5] The default stateless action for Network Firewall policies should be drop or forward for fragmented packets](networkfirewall-controls.md#networkfirewall-5)
+ [[NetworkFirewall.6] Stateless Network Firewall rule group should not be empty](networkfirewall-controls.md#networkfirewall-6)
+ [[S3.5] S3 general purpose buckets should require requests to use SSL](s3-controls.md#s3-5)
+ [[S3.6] S3 general purpose bucket policies should restrict access to other AWS accounts](s3-controls.md#s3-6)
+ [[S3.9] S3 general purpose buckets should have server access logging enabled](s3-controls.md#s3-9)
+ [[S3.11] S3 general purpose buckets should have event notifications enabled](s3-controls.md#s3-11)
+ [[S3.14] S3 general purpose buckets should have versioning enabled](s3-controls.md#s3-14)
+ [[S3.17] S3 general purpose buckets should be encrypted at rest with AWS KMS keys](s3-controls.md#s3-17)
+ [[SNS.1] SNS topics should be encrypted at-rest using AWS KMS](sns-controls.md#sns-1)
+ [[SSM.2] Amazon EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation](ssm-controls.md#ssm-2)
+ [[WAF.12] AWS WAF rules should have CloudWatch metrics enabled](waf-controls.md#waf-12)

# PCI DSS in Security Hub CSPM
PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) is a third-party compliance framework that provides a set of rules and guidelines for safely handling credit and debit card information. The PCI Security Standards Council (SSC) creates and updates this framework.

AWS Security Hub CSPM provides a PCI DSS standard that can help you stay compliant with this third-party framework. You can use this standard to discover security vulnerabilities in AWS resources that handle cardholder data. We recommend enabling this standard in AWS accounts that have resources that store, process, or transmit cardholder data or sensitive authentication data. Assessments by the PCI SSC validated this standard.

Security Hub CSPM offers support for both PCI DSS v3.2.1 and PCI DSS v4.0.1. We recommend using v4.0.1 to stay current with security best practices. You can have both versions of the standard enabled at the same time. For information about enabling standards, see [Enabling a security standard](enable-standards.md). If you currently use v3.2.1 but want to use only v4.0.1, enable the newer version before disabling the older version. This prevents gaps in your security checks. If you use the Security Hub CSPM integration with AWS Organizations and want to batch enable v4.0.1 in multiple accounts, we recommend using [central configuration](central-configuration-intro.md) to do so.

The following sections specify which controls apply to PCI DSS v3.2.1 and PCI DSS v4.0.1.

## Controls that apply to PCI DSS v3.2.1


The following list specifies which Security Hub CSPM controls apply to PCI DSS v3.2.1. To review the details of a control, choose the control.

 [[AutoScaling.1] Auto Scaling groups associated with a load balancer should use ELB health checks](autoscaling-controls.md#autoscaling-1) 

 [[CloudTrail.2] CloudTrail should have encryption at-rest enabled](cloudtrail-controls.md#cloudtrail-2) 

 [[CloudTrail.3] At least one CloudTrail trail should be enabled](cloudtrail-controls.md#cloudtrail-3) 

 [[CloudTrail.4] CloudTrail log file validation should be enabled](cloudtrail-controls.md#cloudtrail-4) 

 [[CloudTrail.5] CloudTrail trails should be integrated with Amazon CloudWatch Logs](cloudtrail-controls.md#cloudtrail-5) 

 [[CloudWatch.1] A log metric filter and alarm should exist for usage of the "root" user](cloudwatch-controls.md#cloudwatch-1) 

 [[CodeBuild.1] CodeBuild Bitbucket source repository URLs should not contain sensitive credentials](codebuild-controls.md#codebuild-1) 

 [[CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials](codebuild-controls.md#codebuild-2) 

 [[Config.1] AWS Config should be enabled and use the service-linked role for resource recording](config-controls.md#config-1) 

 [[DMS.1] Database Migration Service replication instances should not be public](dms-controls.md#dms-1) 

 [[EC2.1] Amazon EBS snapshots should not be configured to be publicly restorable](ec2-controls.md#ec2-1) 

 [[EC2.2] VPC default security groups should not allow inbound or outbound traffic](ec2-controls.md#ec2-2) 

 [[EC2.6] VPC flow logging should be enabled in all VPCs](ec2-controls.md#ec2-6) 

 [[EC2.12] Unused Amazon EC2 EIPs should be removed](ec2-controls.md#ec2-12) 

 [[EC2.13] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 22](ec2-controls.md#ec2-13) 

 [[ELB.1] Application Load Balancer should be configured to redirect all HTTP requests to HTTPS](elb-controls.md#elb-1) 

 [[ES.1] Elasticsearch domains should have encryption at-rest enabled](es-controls.md#es-1) 

 [[ES.2] Elasticsearch domains should not be publicly accessible](es-controls.md#es-2) 

 [[GuardDuty.1] GuardDuty should be enabled](guardduty-controls.md#guardduty-1) 

 [[IAM.1] IAM policies should not allow full "*:*" administrative privileges](iam-controls.md#iam-1) 

 [[IAM.2] IAM users should not have IAM policies attached](iam-controls.md#iam-2) 

 [[IAM.4] IAM root user access key should not exist](iam-controls.md#iam-4) 

 [[IAM.6] Hardware MFA should be enabled for the root user](iam-controls.md#iam-6) 

 [[IAM.8] Unused IAM user credentials should be removed](iam-controls.md#iam-8) 

 [[IAM.9] MFA should be enabled for the root user](iam-controls.md#iam-9) 

 [[IAM.10] Password policies for IAM users should have strong configurations](iam-controls.md#iam-10) 

 [[IAM.19] MFA should be enabled for all IAM users](iam-controls.md#iam-19) 

 [[KMS.4] AWS KMS key rotation should be enabled](kms-controls.md#kms-4) 

 [[Lambda.1] Lambda function policies should prohibit public access](lambda-controls.md#lambda-1) 

 [[Lambda.3] Lambda functions should be in a VPC](lambda-controls.md#lambda-3) 

 [[Opensearch.1] OpenSearch domains should have encryption at rest enabled](opensearch-controls.md#opensearch-1) 

 [[Opensearch.2] OpenSearch domains should not be publicly accessible](opensearch-controls.md#opensearch-2) 

 [[RDS.1] RDS snapshot should be private](rds-controls.md#rds-1) 

 [[RDS.2] RDS DB Instances should prohibit public access, as determined by the PubliclyAccessible configuration](rds-controls.md#rds-2) 

 [[Redshift.1] Amazon Redshift clusters should prohibit public access](redshift-controls.md#redshift-1) 

 [[S3.1] S3 general purpose buckets should have block public access settings enabled](s3-controls.md#s3-1) 

 [[S3.2] S3 general purpose buckets should block public read access](s3-controls.md#s3-2) 

 [[S3.3] S3 general purpose buckets should block public write access](s3-controls.md#s3-3) 

 [[S3.5] S3 general purpose buckets should require requests to use SSL](s3-controls.md#s3-5) 

 [[S3.7] S3 general purpose buckets should use cross-Region replication](s3-controls.md#s3-7) 

 [[SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access](sagemaker-controls.md#sagemaker-1) 

 [[SSM.1] Amazon EC2 instances should be managed by AWS Systems Manager](ssm-controls.md#ssm-1) 

 [[SSM.2] Amazon EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation](ssm-controls.md#ssm-2) 

 [[SSM.3] Amazon EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT](ssm-controls.md#ssm-3) 

## Controls that apply to PCI DSS v4.0.1


The following list specifies which Security Hub CSPM controls apply to PCI DSS v4.0.1. To review the details of a control, choose the control.

[[ACM.1] Imported and ACM-issued certificates should be renewed after a specified time period](acm-controls.md#acm-1)

[[ACM.2] RSA certificates managed by ACM should use a key length of at least 2,048 bits](acm-controls.md#acm-2)

[[APIGateway.9] Access logging should be configured for API Gateway V2 Stages](apigateway-controls.md#apigateway-9)

[[AppSync.2] AWS AppSync should have field-level logging enabled](appsync-controls.md#appsync-2)

[[AutoScaling.3] Auto Scaling group launch configurations should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2)](autoscaling-controls.md#autoscaling-3)

[[Autoscaling.5] Amazon EC2 instances launched using Auto Scaling group launch configurations should not have Public IP addresses](autoscaling-controls.md#autoscaling-5)

[[CloudFront.1] CloudFront distributions should have a default root object configured](cloudfront-controls.md#cloudfront-1)

[[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins](cloudfront-controls.md#cloudfront-10)

[[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins](cloudfront-controls.md#cloudfront-12)

[[CloudFront.3] CloudFront distributions should require encryption in transit](cloudfront-controls.md#cloudfront-3)

[[CloudFront.5] CloudFront distributions should have logging enabled](cloudfront-controls.md#cloudfront-5)

[[CloudFront.6] CloudFront distributions should have WAF enabled](cloudfront-controls.md#cloudfront-6)

[[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins](cloudfront-controls.md#cloudfront-9)

[[CloudTrail.2] CloudTrail should have encryption at-rest enabled](cloudtrail-controls.md#cloudtrail-2)

[[CloudTrail.3] At least one CloudTrail trail should be enabled](cloudtrail-controls.md#cloudtrail-3)

[[CloudTrail.4] CloudTrail log file validation should be enabled](cloudtrail-controls.md#cloudtrail-4)

[[CloudTrail.6] Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible](cloudtrail-controls.md#cloudtrail-6)

[[CloudTrail.7] Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket](cloudtrail-controls.md#cloudtrail-7)

[[CodeBuild.1] CodeBuild Bitbucket source repository URLs should not contain sensitive credentials](codebuild-controls.md#codebuild-1)

[[CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials](codebuild-controls.md#codebuild-2)

[[CodeBuild.3] CodeBuild S3 logs should be encrypted](codebuild-controls.md#codebuild-3)

[[DMS.1] Database Migration Service replication instances should not be public](dms-controls.md#dms-1)

[[DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled](dms-controls.md#dms-10)

[[DMS.11] DMS endpoints for MongoDB should have an authentication mechanism enabled](dms-controls.md#dms-11)

[[DMS.12] DMS endpoints for Redis OSS should have TLS enabled](dms-controls.md#dms-12)

[[DMS.6] DMS replication instances should have automatic minor version upgrade enabled](dms-controls.md#dms-6)

[[DMS.7] DMS replication tasks for the target database should have logging enabled](dms-controls.md#dms-7)

[[DMS.8] DMS replication tasks for the source database should have logging enabled](dms-controls.md#dms-8)

[[DMS.9] DMS endpoints should use SSL](dms-controls.md#dms-9)

[[DocumentDB.2] Amazon DocumentDB clusters should have an adequate backup retention period](documentdb-controls.md#documentdb-2)

[[DocumentDB.3] Amazon DocumentDB manual cluster snapshots should not be public](documentdb-controls.md#documentdb-3)

[[DocumentDB.4] Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs](documentdb-controls.md#documentdb-4)

[[DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit](dynamodb-controls.md#dynamodb-7)

[[EC2.13] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 22](ec2-controls.md#ec2-13)

[[EC2.14] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 3389](ec2-controls.md#ec2-14)

[[EC2.15] Amazon EC2 subnets should not automatically assign public IP addresses](ec2-controls.md#ec2-15)

[[EC2.16] Unused Network Access Control Lists should be removed](ec2-controls.md#ec2-16)

[[EC2.170] EC2 launch templates should use Instance Metadata Service Version 2 (IMDSv2)](ec2-controls.md#ec2-170)

[[EC2.171] EC2 VPN connections should have logging enabled](ec2-controls.md#ec2-171)

[[EC2.21] Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389](ec2-controls.md#ec2-21)

[[EC2.25] Amazon EC2 launch templates should not assign public IPs to network interfaces](ec2-controls.md#ec2-25)

[[EC2.51] EC2 Client VPN endpoints should have client connection logging enabled](ec2-controls.md#ec2-51)

[[EC2.53] EC2 security groups should not allow ingress from 0.0.0.0/0 to remote server administration ports](ec2-controls.md#ec2-53)

[[EC2.54] EC2 security groups should not allow ingress from ::/0 to remote server administration ports](ec2-controls.md#ec2-54)

[[EC2.8] EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)](ec2-controls.md#ec2-8)

[[ECR.1] ECR private repositories should have image scanning configured](ecr-controls.md#ecr-1)

[[ECS.10] ECS Fargate services should run on the latest Fargate platform version](ecs-controls.md#ecs-10)

[[ECS.16] ECS task sets should not automatically assign public IP addresses](ecs-controls.md#ecs-16)

[[ECS.2] ECS services should not have public IP addresses assigned to them automatically](ecs-controls.md#ecs-2)

[[ECS.8] Secrets should not be passed as container environment variables](ecs-controls.md#ecs-8)

[[EFS.4] EFS access points should enforce a user identity](efs-controls.md#efs-4)

[[EKS.1] EKS cluster endpoints should not be publicly accessible](eks-controls.md#eks-1)

[[EKS.2] EKS clusters should run on a supported Kubernetes version](eks-controls.md#eks-2)

[[EKS.3] EKS clusters should use encrypted Kubernetes secrets](eks-controls.md#eks-3)

[[EKS.8] EKS clusters should have audit logging enabled](eks-controls.md#eks-8)

[[ElastiCache.2] ElastiCache clusters should have automatic minor version upgrades enabled](elasticache-controls.md#elasticache-2)

[[ElastiCache.5] ElastiCache replication groups should be encrypted in transit](elasticache-controls.md#elasticache-5)

[[ElastiCache.6] ElastiCache (Redis OSS) replication groups of earlier versions should have Redis OSS AUTH enabled](elasticache-controls.md#elasticache-6)

[[ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled](elasticbeanstalk-controls.md#elasticbeanstalk-2)

[[ElasticBeanstalk.3] Elastic Beanstalk should stream logs to CloudWatch](elasticbeanstalk-controls.md#elasticbeanstalk-3)

[[ELB.12] Application Load Balancer should be configured with defensive or strictest desync mitigation mode](elb-controls.md#elb-12)

[[ELB.14] Classic Load Balancer should be configured with defensive or strictest desync mitigation mode](elb-controls.md#elb-14)

[[ELB.3] Classic Load Balancer listeners should be configured with HTTPS or TLS termination](elb-controls.md#elb-3)

[[ELB.4] Application Load Balancer should be configured to drop invalid http headers](elb-controls.md#elb-4)

[[ELB.8] Classic Load Balancers with SSL listeners should use a predefined security policy that has strong AWS Configuration](elb-controls.md#elb-8)

[[EMR.1] Amazon EMR cluster primary nodes should not have public IP addresses](emr-controls.md#emr-1)

[[EMR.2] Amazon EMR block public access setting should be enabled](emr-controls.md#emr-2)

[[ES.2] Elasticsearch domains should not be publicly accessible](es-controls.md#es-2)

[[ES.3] Elasticsearch domains should encrypt data sent between nodes](es-controls.md#es-3)

[[ES.5] Elasticsearch domains should have audit logging enabled](es-controls.md#es-5)

[[ES.8] Connections to Elasticsearch domains should be encrypted using the latest TLS security policy](es-controls.md#es-8)

[[EventBridge.3] EventBridge custom event buses should have a resource-based policy attached](eventbridge-controls.md#eventbridge-3)

[[GuardDuty.1] GuardDuty should be enabled](guardduty-controls.md#guardduty-1)

[[GuardDuty.10] GuardDuty S3 Protection should be enabled](guardduty-controls.md#guardduty-10)

[[GuardDuty.6] GuardDuty Lambda Protection should be enabled](guardduty-controls.md#guardduty-6)

[[GuardDuty.7] GuardDuty EKS Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-7)

[[GuardDuty.9] GuardDuty RDS Protection should be enabled](guardduty-controls.md#guardduty-9)

[[IAM.3] IAM users' access keys should be rotated every 90 days or less](iam-controls.md#iam-3)

[[IAM.5] MFA should be enabled for all IAM users that have a console password](iam-controls.md#iam-5)

[[IAM.6] Hardware MFA should be enabled for the root user](iam-controls.md#iam-6)

[[IAM.7] Password policies for IAM users should have strong configurations](iam-controls.md#iam-7)

[[IAM.8] Unused IAM user credentials should be removed](iam-controls.md#iam-8)

[[IAM.9] MFA should be enabled for the root user](iam-controls.md#iam-9)

[[IAM.11] Ensure IAM password policy requires at least one uppercase letter](iam-controls.md#iam-11)

[[IAM.12] Ensure IAM password policy requires at least one lowercase letter](iam-controls.md#iam-12)

[[IAM.14] Ensure IAM password policy requires at least one number](iam-controls.md#iam-14)

[[IAM.16] Ensure IAM password policy prevents password reuse](iam-controls.md#iam-16)

[[IAM.17] Ensure IAM password policy expires passwords within 90 days or less](iam-controls.md#iam-17)

[[IAM.18] Ensure a support role has been created to manage incidents with AWS Support](iam-controls.md#iam-18)

[[IAM.19] MFA should be enabled for all IAM users](iam-controls.md#iam-19)

[[Inspector.1] Amazon Inspector EC2 scanning should be enabled](inspector-controls.md#inspector-1)

[[Inspector.2] Amazon Inspector ECR scanning should be enabled](inspector-controls.md#inspector-2)

[[Inspector.3] Amazon Inspector Lambda code scanning should be enabled](inspector-controls.md#inspector-3)

[[Inspector.4] Amazon Inspector Lambda standard scanning should be enabled](inspector-controls.md#inspector-4)

[[KMS.4] AWS KMS key rotation should be enabled](kms-controls.md#kms-4)

[[Lambda.1] Lambda function policies should prohibit public access](lambda-controls.md#lambda-1)

[[Lambda.2] Lambda functions should use supported runtimes](lambda-controls.md#lambda-2)

[[MQ.2] ActiveMQ brokers should stream audit logs to CloudWatch](mq-controls.md#mq-2)

[[MQ.3] Amazon MQ brokers should have automatic minor version upgrade enabled](mq-controls.md#mq-3)

[[MSK.1] MSK clusters should be encrypted in transit among broker nodes](msk-controls.md#msk-1)

[[MSK.3] MSK Connect connectors should be encrypted in transit](msk-controls.md#msk-3)

[[Neptune.2] Neptune DB clusters should publish audit logs to CloudWatch Logs](neptune-controls.md#neptune-2)

[[Neptune.3] Neptune DB cluster snapshots should not be public](neptune-controls.md#neptune-3)

[[Opensearch.10] OpenSearch domains should have the latest software update installed](opensearch-controls.md#opensearch-10)

[[Opensearch.5] OpenSearch domains should have audit logging enabled](opensearch-controls.md#opensearch-5)

[[RDS.13] RDS automatic minor version upgrades should be enabled](rds-controls.md#rds-13)

[[RDS.2] RDS DB Instances should prohibit public access, as determined by the PubliclyAccessible configuration](rds-controls.md#rds-2)

[[RDS.20] Existing RDS event notification subscriptions should be configured for critical database instance events](rds-controls.md#rds-20)

[[RDS.21] An RDS event notifications subscription should be configured for critical database parameter group events](rds-controls.md#rds-21)

[[RDS.22] An RDS event notifications subscription should be configured for critical database security group events](rds-controls.md#rds-22)

[[RDS.24] RDS Database clusters should use a custom administrator username](rds-controls.md#rds-24)

[[RDS.25] RDS database instances should use a custom administrator username](rds-controls.md#rds-25)

[[RDS.34] Aurora MySQL DB clusters should publish audit logs to CloudWatch Logs](rds-controls.md#rds-34)

[[RDS.35] RDS DB clusters should have automatic minor version upgrade enabled](rds-controls.md#rds-35)

[[RDS.36] RDS for PostgreSQL DB instances should publish logs to CloudWatch Logs](rds-controls.md#rds-36)

[[RDS.37] Aurora PostgreSQL DB clusters should publish logs to CloudWatch Logs](rds-controls.md#rds-37)

[[RDS.9] RDS DB instances should publish logs to CloudWatch Logs](rds-controls.md#rds-9)

[[Redshift.1] Amazon Redshift clusters should prohibit public access](redshift-controls.md#redshift-1)

[[Redshift.15] Redshift security groups should allow ingress on the cluster port only from restricted origins](redshift-controls.md#redshift-15)

[[Redshift.2] Connections to Amazon Redshift clusters should be encrypted in transit](redshift-controls.md#redshift-2)

[[Redshift.4] Amazon Redshift clusters should have audit logging enabled](redshift-controls.md#redshift-4)

[[Route53.2] Route 53 public hosted zones should log DNS queries](route53-controls.md#route53-2)

[[S3.1] S3 general purpose buckets should have block public access settings enabled](s3-controls.md#s3-1)

[[S3.15] S3 general purpose buckets should have Object Lock enabled](s3-controls.md#s3-15)

[[S3.17] S3 general purpose buckets should be encrypted at rest with AWS KMS keys](s3-controls.md#s3-17)

[[S3.19] S3 access points should have block public access settings enabled](s3-controls.md#s3-19)

[[S3.22] S3 general purpose buckets should log object-level write events](s3-controls.md#s3-22)

[[S3.23] S3 general purpose buckets should log object-level read events](s3-controls.md#s3-23)

[[S3.24] S3 Multi-Region Access Points should have block public access settings enabled](s3-controls.md#s3-24)

[[S3.5] S3 general purpose buckets should require requests to use SSL](s3-controls.md#s3-5)

[[S3.8] S3 general purpose buckets should block public access](s3-controls.md#s3-8)

[[S3.9] S3 general purpose buckets should have server access logging enabled](s3-controls.md#s3-9)

[[SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access](sagemaker-controls.md#sagemaker-1)

[[SecretsManager.1] Secrets Manager secrets should have automatic rotation enabled](secretsmanager-controls.md#secretsmanager-1)

[[SecretsManager.2] Secrets Manager secrets configured with automatic rotation should rotate successfully](secretsmanager-controls.md#secretsmanager-2)

[[SecretsManager.4] Secrets Manager secrets should be rotated within a specified number of days](secretsmanager-controls.md#secretsmanager-4)

[[SSM.2] Amazon EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation](ssm-controls.md#ssm-2)

[[SSM.3] Amazon EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT](ssm-controls.md#ssm-3)

[[StepFunctions.1] Step Functions state machines should have logging turned on](stepfunctions-controls.md#stepfunctions-1)

[[Transfer.2] Transfer Family servers should not use FTP protocol for endpoint connection](transfer-controls.md#transfer-2)

[[WAF.1] AWS WAF Classic Global Web ACL logging should be enabled](waf-controls.md#waf-1)

[[WAF.11] AWS WAF web ACL logging should be enabled](waf-controls.md#waf-11)

# Service-managed standards in Security Hub CSPM
Service-managed standards

A service-managed standard is a security standard that another AWS service manages but that you can view in Security Hub CSPM. For example, [Service-Managed Standard: AWS Control Tower](service-managed-standard-aws-control-tower.md) is a service-managed standard that AWS Control Tower manages. A service-managed standard differs from a security standard that AWS Security Hub CSPM manages in the following ways:
+ **Standard creation and deletion** – You create and delete a service-managed standard with the managing service's console or API, or with the AWS CLI. Until you create the standard in the managing service in one of those ways, the standard doesn't appear in the Security Hub CSPM console and isn't accessible by the Security Hub CSPM API or AWS CLI.
+ **No automatic enablement of controls** – When you create a service-managed standard, Security Hub CSPM and the managing service don't automatically enable the controls that apply to the standard. In addition, when Security Hub CSPM releases new controls for the standard, they're not automatically enabled. This is a departure from standards that Security Hub CSPM manages. For more information about the usual way of configuring controls in Security Hub CSPM, see [Understanding security controls in Security Hub CSPM](controls-view-manage.md).
+ **Enabling and disabling controls** – We recommend enabling and disabling controls in the managing service to avoid drift.
+ **Availability of controls** – The managing service chooses which controls are available as part of the service-managed standard. Available controls may include all, or a subset of, the existing Security Hub CSPM controls.

After the managing service creates the service-managed standard and makes controls available for it, you can access your control findings, control statuses, and standard security score in the Security Hub CSPM console, Security Hub CSPM API, or AWS CLI. Some or all of this information may also be available in the managing service.

Select a service-managed standard from the following list to view more details about it.

**Topics**
+ [Service-Managed Standard: AWS Control Tower](service-managed-standard-aws-control-tower.md)

# Service-Managed Standard: AWS Control Tower


This section provides information about Service-Managed Standard: AWS Control Tower.

## What is Service-Managed Standard: AWS Control Tower?


Service-Managed Standard: AWS Control Tower is a service-managed standard that AWS Control Tower manages and that supports a subset of Security Hub CSPM controls. This standard is designed for users of AWS Security Hub CSPM and AWS Control Tower. It lets you configure the detective controls of Security Hub CSPM from the AWS Control Tower service.

Detective controls detect noncompliance of resources (for example, misconfigurations) within your AWS accounts.

**Tip**  
Service-managed standards differ from standards that AWS Security Hub CSPM manages. For example, you must create and delete a service-managed standard in the managing service. For more information, see [Service-managed standards in Security Hub CSPM](service-managed-standards.md).

When you enable a Security Hub CSPM control through AWS Control Tower, Control Tower also enables Security Hub CSPM for you in those specific accounts and Regions, if not already enabled. In the Security Hub CSPM console and API, you can view Service-Managed Standard: AWS Control Tower alongside other Security Hub CSPM standards, once the standard is enabled from AWS Control Tower.

For more information about this standard, see [Security Hub CSPM controls](https://docs.aws.amazon.com/controltower/latest/userguide/security-hub-controls.html) in the *AWS Control Tower User Guide*.

## Creating the standard


This standard is available in Security Hub CSPM only if you enable Security Hub CSPM controls from AWS Control Tower. AWS Control Tower creates the standard when you first enable an applicable control by using one of the following methods:
+ AWS Control Tower console
+ AWS Control Tower API (call the [https://docs.aws.amazon.com/controltower/latest/APIReference/API_EnableControl.html](https://docs.aws.amazon.com/controltower/latest/APIReference/API_EnableControl.html) API)
+ AWS CLI (run the [https://docs.aws.amazon.com/cli/latest/reference/controltower/enable-control.html](https://docs.aws.amazon.com/cli/latest/reference/controltower/enable-control.html) command)

When you enable a Security Hub CSPM control through AWS Control Tower, if you haven’t already enabled Security Hub CSPM, AWS Control Tower also enables Security Hub CSPM for you in those specific accounts and Regions.

To identify a Security Hub CSPM control by control ID in Control Catalog, use the `Implementation.Identifier` field in AWS Control Tower. This field maps to the Security Hub CSPM control ID, so you can filter on it for a specific control. To retrieve control metadata for a specific Security Hub CSPM control (say, "CodeBuild.1") in AWS Control Tower, call the [https://docs.aws.amazon.com/controlcatalog/latest/APIReference/API_ListControls.html](https://docs.aws.amazon.com/controlcatalog/latest/APIReference/API_ListControls.html) API:

`aws controlcatalog list-controls --filter '{"Implementations":{"Identifiers":["CodeBuild.1"],"Types":["AWS::SecurityHub::SecurityControl"]}}'` 

You can't view or access this standard in the Security Hub CSPM console, Security Hub CSPM API, or AWS CLI without first setting up AWS Control Tower and enabling Security Hub CSPM controls from AWS Control Tower using one of the preceding methods.

This standard is only available in the [AWS Regions where AWS Control Tower is available](https://docs.aws.amazon.com/controltower/latest/userguide/region-how.html).

## Enabling and disabling controls in the standard


After you've enabled Security Hub CSPM controls through AWS Control Tower and the Service-Managed Standard: AWS Control Tower standard has been created, you can view the standard and its available controls in Security Hub CSPM.

When Security Hub CSPM adds new controls to the Service-Managed Standard: AWS Control Tower standard, they aren't automatically enabled for customers who have the standard enabled. You should enable and disable controls for the standard from AWS Control Tower by using one of the following methods:
+ AWS Control Tower console
+ AWS Control Tower API (call the [https://docs.aws.amazon.com/controltower/latest/APIReference/API_EnableControl.html](https://docs.aws.amazon.com/controltower/latest/APIReference/API_EnableControl.html) and [https://docs.aws.amazon.com/controltower/latest/APIReference/API_DisableControl.html](https://docs.aws.amazon.com/controltower/latest/APIReference/API_DisableControl.html) APIs)
+ AWS CLI (run the [https://docs.aws.amazon.com/cli/latest/reference/controltower/enable-control.html](https://docs.aws.amazon.com/cli/latest/reference/controltower/enable-control.html) and [https://docs.aws.amazon.com/cli/latest/reference/controltower/disable-control.html](https://docs.aws.amazon.com/cli/latest/reference/controltower/disable-control.html) commands)

When you change the enablement status of a control in AWS Control Tower, the change is also reflected in Security Hub CSPM.

However, disabling a control in Security Hub CSPM that's enabled in AWS Control Tower results in control drift. The control status in AWS Control Tower shows as `Drifted`. You can resolve this drift by using the [ResetEnabledControl](https://docs.aws.amazon.com/controltower/latest/APIReference/API_ResetEnabledControl.html) API to reset the drifted control, by selecting [Re-register OU](https://docs.aws.amazon.com/controltower/latest/userguide/drift.html#resolving-drift) in the AWS Control Tower console, or by disabling and re-enabling the control in AWS Control Tower using one of the preceding methods.

Completing enablement and disablement actions in AWS Control Tower helps you avoid control drift.

When you enable or disable controls in AWS Control Tower, the action applies across accounts and Regions governed by AWS Control Tower. If you enable or disable controls in Security Hub CSPM (not recommended for this standard), the action applies only to the current account and Region.

**Note**  
[Central configuration](central-configuration-intro.md) can't be used to manage Service-Managed Standard: AWS Control Tower. You can use *only* the AWS Control Tower service to enable and disable controls in this standard.

## Viewing enablement status and control status


You can view the enablement status of a control by using one of the following methods:
+ Security Hub CSPM console, Security Hub CSPM API, or AWS CLI
+ AWS Control Tower console
+ AWS Control Tower API to see a list of enabled controls (call the [https://docs.aws.amazon.com/controltower/latest/APIReference/API_ListEnabledControls.html](https://docs.aws.amazon.com/controltower/latest/APIReference/API_ListEnabledControls.html) API)
+ AWS CLI to see a list of enabled controls (run the [https://docs.aws.amazon.com/cli/latest/reference/controltower/list-enabled-controls.html](https://docs.aws.amazon.com/cli/latest/reference/controltower/list-enabled-controls.html) command)

A control that you disable in AWS Control Tower has an enablement status of `Disabled` in Security Hub CSPM unless you explicitly enable that control in Security Hub CSPM.

Security Hub CSPM calculates control status based on the workflow status and compliance status of the control findings. For more information about enablement status and control status, see [Reviewing the details of controls in Security Hub CSPM](securityhub-standards-control-details.md).

Based on control statuses, Security Hub CSPM calculates a [security score](standards-security-score.md) for Service-Managed Standard: AWS Control Tower. This score is only available in Security Hub CSPM. In addition, you can only view [control findings](controls-findings-create-update.md) in Security Hub CSPM. The standard security score and control findings aren't available in AWS Control Tower.

**Note**  
When you enable controls for Service-Managed Standard: AWS Control Tower, Security Hub CSPM may take up to 18 hours to generate findings for controls that use an existing AWS Config service-linked rule. You may have existing service-linked rules if you've enabled other standards and controls in Security Hub CSPM. For more information, see [Schedule for running security checks](securityhub-standards-schedule.md).
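The Control Catalog lookup under "Creating the standard", the drift behaviour described under "Enabling and disabling controls", and the enablement status views in this section come together in one check a practitioner usually wants to automate: given a Security Hub CSPM control ID, find its Control Catalog ARN, see whether Control Tower reports the enabled control as drifted, and confirm whether the cause is a disablement on the Security Hub side. The following is an added example, not code from the Security Hub or Control Tower documentation. Its parsing helpers run offline on constructed sample responses; the response field names (`Controls[].Implementation.Identifier`, `enabledControls[].driftStatusSummary.driftStatus`, `StandardsControlAssociationSummaries[].AssociationStatus`), the boto3 call signatures in `live_drift_report`, and the placeholder ARNs are the author's assumptions about the ListControls, ListEnabledControls and ListStandardsControlAssociations APIs, and pagination is not handled.

```python
"""Look up a Security Hub CSPM control in Control Catalog, then report whether
Control Tower shows it as drifted and whether Security Hub has it disabled in
Service-Managed Standard: AWS Control Tower.

Added example; field names and boto3 call signatures are assumptions about
the ListControls, ListEnabledControls and ListStandardsControlAssociations
response shapes. No pagination handling."""
from typing import Optional

SH_IMPL_TYPE = "AWS::SecurityHub::SecurityControl"
CT_STANDARD_MARKER = "standards/service-managed-aws-control-tower/"


def control_catalog_filter(control_id: str) -> dict:
    """The --filter document the page's list-controls command passes: select the
    Control Catalog entry implemented by one Security Hub control ID."""
    return {"Implementations": {"Identifiers": [control_id], "Types": [SH_IMPL_TYPE]}}


def catalog_arn_for(list_controls_response: dict, control_id: str) -> Optional[str]:
    """Pick the Control Catalog ARN whose Implementation.Identifier is the wanted
    control ID. That ARN is the controlIdentifier EnableControl/DisableControl take."""
    for ctl in list_controls_response.get("Controls", []):
        impl = ctl.get("Implementation", {})
        if impl.get("Type") == SH_IMPL_TYPE and impl.get("Identifier") == control_id:
            return ctl["Arn"]
    return None


def drifted_controls(list_enabled_controls_response: dict) -> list:
    """Enabled controls whose Control Tower drift status is DRIFTED."""
    return [
        {"controlIdentifier": ec["controlIdentifier"], "targetIdentifier": ec.get("targetIdentifier")}
        for ec in list_enabled_controls_response.get("enabledControls", [])
        if ec.get("driftStatusSummary", {}).get("driftStatus") == "DRIFTED"
    ]


def disabled_in_ct_standard(assoc_response: dict, control_id: str) -> bool:
    """True if Security Hub shows the control DISABLED in Service-Managed Standard:
    AWS Control Tower, which is what produces the drift the page describes."""
    for a in assoc_response.get("StandardsControlAssociationSummaries", []):
        if CT_STANDARD_MARKER in a.get("StandardsArn", "") and a.get("SecurityControlId") == control_id:
            return a.get("AssociationStatus") == "DISABLED"
    return False


def drift_report(list_controls: dict, enabled_controls: dict, assoc: dict, control_id: str) -> dict:
    """Tie the three responses together for one control and say what to do about it."""
    arn = catalog_arn_for(list_controls, control_id)
    drifted = any(d["controlIdentifier"] == arn for d in drifted_controls(enabled_controls))
    disabled_sh = disabled_in_ct_standard(assoc, control_id)
    if drifted and disabled_sh:
        action = "reset with ResetEnabledControl or re-enable in Control Tower; do not toggle in Security Hub"
    elif drifted:
        action = "drift has another cause; inspect the enabled control in Control Tower"
    elif disabled_sh:
        action = "not enabled for this standard in Security Hub; enable it from Control Tower"
    else:
        action = "in sync"
    return {"control_id": control_id, "catalog_arn": arn, "drifted": drifted,
            "disabled_in_securityhub": disabled_sh, "action": action}


# Constructed sample responses; ARNs, OU IDs and the non-Security Hub implementation
# type are placeholders, not real resources.
SAMPLE_LIST_CONTROLS = {"Controls": [
    {"Arn": "arn:aws:controlcatalog:::control/EXAMPLE-codebuild-1",
     "Implementation": {"Type": SH_IMPL_TYPE, "Identifier": "CodeBuild.1"}},
    {"Arn": "arn:aws:controlcatalog:::control/EXAMPLE-other",
     "Implementation": {"Type": "AWS::Config::ConfigRule", "Identifier": "EXAMPLE_RULE"}},
]}
SAMPLE_ENABLED_CONTROLS = {"enabledControls": [
    {"controlIdentifier": "arn:aws:controlcatalog:::control/EXAMPLE-codebuild-1",
     "targetIdentifier": "arn:aws:organizations::111111111111:ou/o-example/ou-example",
     "driftStatusSummary": {"driftStatus": "DRIFTED"}},
    {"controlIdentifier": "arn:aws:controlcatalog:::control/EXAMPLE-iam-7",
     "targetIdentifier": "arn:aws:organizations::111111111111:ou/o-example/ou-example",
     "driftStatusSummary": {"driftStatus": "IN_SYNC"}},
]}
SAMPLE_ASSOCIATIONS = {"StandardsControlAssociationSummaries": [
    {"StandardsArn": "arn:aws:securityhub:us-east-1::standards/service-managed-aws-control-tower/v/1.0.0",
     "SecurityControlId": "CodeBuild.1", "AssociationStatus": "DISABLED"},
    {"StandardsArn": "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0",
     "SecurityControlId": "CodeBuild.1", "AssociationStatus": "ENABLED"},
]}


def live_drift_report(control_id: str, target_ou_arn: str, region: str) -> dict:
    """Same report against a real account. Needs boto3 and credentials; the call
    names are assumptions and this is never run by the offline demo below."""
    import boto3  # imported here so the offline helpers need no boto3
    controls = boto3.client("controlcatalog", region_name=region).list_controls(
        Filter=control_catalog_filter(control_id))
    enabled = boto3.client("controltower", region_name=region).list_enabled_controls(
        targetIdentifier=target_ou_arn)
    assoc = boto3.client("securityhub", region_name=region).list_standards_control_associations(
        SecurityControlId=control_id)
    return drift_report(controls, enabled, assoc, control_id)


if __name__ == "__main__":
    print(drift_report(SAMPLE_LIST_CONTROLS, SAMPLE_ENABLED_CONTROLS, SAMPLE_ASSOCIATIONS, "CodeBuild.1"))
```

The report deliberately distinguishes "drifted because someone disabled it in Security Hub" from "drifted for another reason", because the remediation differs: the first case is resolved from Control Tower (reset or re-enable), and re-enabling in Security Hub would only affect the current account and Region.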

## Deleting the standard


You can delete this service-managed standard in AWS Control Tower by disabling all applicable controls using one of the following methods:
+ AWS Control Tower console
+ AWS Control Tower API (call the [https://docs.aws.amazon.com/controltower/latest/APIReference/API_DisableControl.html](https://docs.aws.amazon.com/controltower/latest/APIReference/API_DisableControl.html) API)
+ AWS CLI (run the [https://docs.aws.amazon.com/cli/latest/reference/controltower/disable-control.html](https://docs.aws.amazon.com/cli/latest/reference/controltower/disable-control.html) command)

Disabling all controls deletes the standard in all managed accounts and governed Regions in AWS Control Tower. Deleting the standard in AWS Control Tower removes it from the **Standards** page of the Security Hub CSPM console, and you can no longer access it by using the Security Hub CSPM API or AWS CLI.

**Note**  
Disabling all controls from the standard in Security Hub CSPM doesn't disable or delete the standard.

Disabling the Security Hub CSPM service removes Service-Managed Standard: AWS Control Tower and any other standards that you’ve enabled.

## Finding field format for Service-Managed Standard: AWS Control Tower


When you create Service-Managed Standard: AWS Control Tower and enable controls for it, you'll start to receive control findings in Security Hub CSPM. Security Hub CSPM reports control findings in the [AWS Security Finding Format (ASFF)](securityhub-findings-format.md). These are the ASFF values for this standard's Amazon Resource Name (ARN) and `GeneratorId`:
+ **Standard ARN** – `arn:aws:securityhub:us-east-1::standards/service-managed-aws-control-tower/v/1.0.0`
+ **GeneratorId** – `service-managed-aws-control-tower/v/1.0.0/CodeBuild.1`

For a sample finding for Service-Managed Standard: AWS Control Tower, see [Samples of control findings](sample-control-findings.md).

## Controls that apply to Service-Managed Standard: AWS Control Tower


Service-Managed Standard: AWS Control Tower supports a subset of controls that are part of the AWS Foundational Security Best Practices (FSBP) standard. Choose a control to view information about it, including remediation steps for failed findings.

To see what Security Hub CSPM controls are supported by AWS Control Tower, you can use one of the following methods:
+ AWS Control Catalog console, where you can filter for `Control owner = AWS Security Hub`
+ AWS Control Catalog API (call the [https://docs.aws.amazon.com/controlcatalog/latest/APIReference/API_ListControls.html](https://docs.aws.amazon.com/controlcatalog/latest/APIReference/API_ListControls.html) API) with an `Implementations` filter whose `Types` is `AWS::SecurityHub::SecurityControl`
+ AWS CLI (run the [https://docs.aws.amazon.com/cli/latest/reference/controlcatalog/list-controls.html](https://docs.aws.amazon.com/cli/latest/reference/controlcatalog/list-controls.html) command) with the same `Implementations` filter. Example CLI command:

  `aws controlcatalog list-controls --filter '{"Implementations":{"Types":["AWS::SecurityHub::SecurityControl"]}}'`

The Regional availability of a Security Hub CSPM control that's enabled through the Control Tower standard may not match the Regional availability of the underlying control.

In Security Hub CSPM, if [consolidated control findings](controls-findings-create-update.md#consolidated-control-findings) is turned off in your account, the `ProductFields.ControlId` field in the generated findings uses the standard-based control ID. The standard-based control ID is formatted as **CT.*ControlId*** (for example, **CT.CodeBuild.1**).
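Automation that consumes these findings has to cope with both shapes described above: the per-standard `GeneratorId` and the `CT.`-prefixed `ProductFields.ControlId` when consolidated control findings is off, and the single cross-standard finding when it is on. The following is an added example, not code from the documentation, showing a GetFindings filter for each mode and a function that recovers the plain control ID either way. The sample findings are constructed and trimmed to a few ASFF fields; the consolidated-mode details (a `GeneratorId` of the form `security-control/<ControlId>`, `Compliance.SecurityControlId`, `Compliance.AssociatedStandards[].StandardsId`, and the `ComplianceAssociatedStandardsId` filter field) are the author's assumptions about that mode.

```python
"""Identify control findings that belong to Service-Managed Standard: AWS Control
Tower and recover the plain control ID from them in either findings mode.

Added example; the consolidated-mode field names and the
ComplianceAssociatedStandardsId filter field are assumptions."""
from typing import Optional

CT_GENERATOR_PREFIX = "service-managed-aws-control-tower/v/1.0.0/"  # GeneratorId prefix from the page
CT_STANDARDS_ID = "standards/service-managed-aws-control-tower/v/1.0.0"  # assumed AssociatedStandards form


def ct_findings_filter(consolidated: bool) -> dict:
    """GetFindings filter for active FAILED findings of this standard. The field to key
    on depends on the mode: GeneratorId prefix with consolidated findings off,
    ComplianceAssociatedStandardsId with it on (GeneratorId is then security-control/...)."""
    f = {
        "ComplianceStatus": [{"Value": "FAILED", "Comparison": "EQUALS"}],
        "RecordState": [{"Value": "ACTIVE", "Comparison": "EQUALS"}],
    }
    if consolidated:
        f["ComplianceAssociatedStandardsId"] = [{"Value": CT_STANDARDS_ID, "Comparison": "EQUALS"}]
    else:
        f["GeneratorId"] = [{"Value": CT_GENERATOR_PREFIX, "Comparison": "PREFIX"}]
    return f


def normalize_control_id(raw: Optional[str]) -> Optional[str]:
    """Strip the standard-based CT. prefix that ProductFields.ControlId carries when
    consolidated control findings is off (CT.CodeBuild.1 -> CodeBuild.1)."""
    if raw is None:
        return None
    return raw[len("CT."):] if raw.startswith("CT.") else raw


def ct_control_id(finding: dict) -> Optional[str]:
    """Return the Security Hub control ID if the finding belongs to this standard in
    either mode, else None (findings of other standards are not this standard's)."""
    gen = finding.get("GeneratorId", "")
    if gen.startswith(CT_GENERATOR_PREFIX):  # consolidated off: one finding per standard
        return gen[len(CT_GENERATOR_PREFIX):]
    comp = finding.get("Compliance", {})
    if any(s.get("StandardsId") == CT_STANDARDS_ID for s in comp.get("AssociatedStandards", [])):
        return comp.get("SecurityControlId") or normalize_control_id(
            finding.get("ProductFields", {}).get("ControlId"))
    return None


def ct_failed_controls(findings: list) -> dict:
    """Group this standard's FAILED findings by control ID, a minimal triage view."""
    out = {}
    for f in findings:
        cid = ct_control_id(f)
        if cid is not None and f.get("Compliance", {}).get("Status") == "FAILED":
            out.setdefault(cid, []).append(f)
    return out


# Constructed sample findings (not captured from an account), trimmed to the fields used.
SAMPLE_UNCONSOLIDATED = {
    "GeneratorId": "service-managed-aws-control-tower/v/1.0.0/CodeBuild.1",
    "ProductFields": {"ControlId": "CT.CodeBuild.1"},
    "Compliance": {"Status": "FAILED"},
}
SAMPLE_CONSOLIDATED = {
    "GeneratorId": "security-control/CodeBuild.1",
    "ProductFields": {"ControlId": "CodeBuild.1"},
    "Compliance": {"Status": "FAILED", "SecurityControlId": "CodeBuild.1",
                   "AssociatedStandards": [
                       {"StandardsId": CT_STANDARDS_ID},
                       {"StandardsId": "standards/aws-foundational-security-best-practices/v/1.0.0"}]},
}
SAMPLE_OTHER_STANDARD = {
    "GeneratorId": "aws-foundational-security-best-practices/v/1.0.0/CodeBuild.1",
    "ProductFields": {"ControlId": "CodeBuild.1"},
    "Compliance": {"Status": "FAILED"},
}

if __name__ == "__main__":
    grouped = ct_failed_controls([SAMPLE_UNCONSOLIDATED, SAMPLE_CONSOLIDATED, SAMPLE_OTHER_STANDARD])
    print({cid: len(fs) for cid, fs in grouped.items()})
```

Keying on `GeneratorId` rather than `ProductFields.ControlId` avoids mistaking an FSBP finding for `CodeBuild.1` for one from this standard; the same control ID appears in both, and only the standard-specific prefix tells them apart.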

For more information about this standard, see [Security Hub CSPM controls](https://docs.aws.amazon.com/controltower/latest/userguide/security-hub-controls.html) in the *AWS Control Tower User Guide*.