AWS Security ChangesHomeSearch

AWS managedservices high security documentation change

Service: managedservices · 2025-03-30 · Security-related high

File: managedservices/latest/userguide/tr-supported-checks.md

Summary

Restructured Trusted Advisor checks documentation with added security checks, updated parameters, and new remediation automations. Added sections for security, fault tolerance, performance, service limits, and operational excellence checks.

Security assessment

Added multiple security checks referencing AWS Security Hub controls (e.g. APIGateway.1, EC2.23, DynamoDB.6) addressing encryption, public access, deletion protection, and IAM security. New entries like 'Exposed Access Keys' remediation directly address security vulnerabilities.

Diff

diff --git a/managedservices/latest/userguide/tr-supported-checks.md b/managedservices/latest/userguide/tr-supported-checks.md
index 612ff55df..378e5f8a3 100644
--- a/managedservices/latest/userguide/tr-supported-checks.md
+++ b/managedservices/latest/userguide/tr-supported-checks.md
@@ -4,0 +5,2 @@
+Supported Trusted Advisor cost-optimization checksSupported Trusted Advisor security checksSupported Trusted Advisor fault tolerance checksSupported Trusted Advisor performance checksSupported Trusted Advisor service limits checksSupported Trusted Advisor operational excellence checks
+
@@ -9,7 +11 @@ The following table lists the supported Trusted Advisor checks, SSM automation d
-Check ID and name | **SSM document name and expected outcome** | **Supported preconfigured parameters** | **Constraints**  
----|---|---|---  
-**Cost optimization checks**  
-[Z4AUBRNSmz](https://docs.aws.amazon.com/awssupport/latest/user/cost-optimization-checks.html#unassociated-elastic-ip-addresses) \- Unassociated Elastic IP Addresses | **AWSManagedServices-TrustedRemediatorReleaseElasticIP** \- Releases an elastic IP address that is not associated with any resource. | No preconfigured parameters are allowed. | No constraints  
-[c18d2gz128 ](https://docs.aws.amazon.com/awssupport/latest/user/cost-optimization-checks.html#amazon-ecr-repository-without-lifecycle-policy) \- Amazon ECR Repository Without Lifecycle Policy Configured | **AWSManagedServices-TrustedRemediatorPutECRLifecyclePolicy** \- Creates a lifecycle policy for the specified repository if a lifecycle policy does not already exist. | 
-
-  * **ImageAgeLimit:** The maximum age limit in days (1-365) for 'any' image in the Amazon ECR repository.
+## Trusted Advisor cost optimization checks supported by Trusted Remediator
@@ -17,2 +13,5 @@ Check ID and name | **SSM document name and expected outcome** | **Supported pre
-| No constraints  
-[DAvU99Dc4C](https://docs.aws.amazon.com/awssupport/latest/user/cost-optimization-checks.html#underutilized-amazon-ebs-volumes) \- Underutilized Amazon EBS Volumes | **AWSManagedServices-DeleteUnusedEBSVolume** \- Deletes underutilized Amazon EBS volumes if the volumes are unattached for the last 7 days. An Amazon EBS snapshot is created by default. | 
+Check ID and name | SSM document name and expected outcome | Supported preconfigured parameters | Constraints  
+---|---|---|---  
+[Z4AUBRNSmz](https://docs.aws.amazon.com/awssupport/latest/user/cost-optimization-checks.html#unassociated-elastic-ip-addresses) Unassociated Elastic IP Addresses | **AWSManagedServices-TrustedRemediatorReleaseElasticIP** Releases an elastic IP address that is not associated with any resource. | No preconfigured parameters are allowed. | No constraints  
+[c18d2gz128 ](https://docs.aws.amazon.com/awssupport/latest/user/cost-optimization-checks.html#amazon-ecr-repository-without-lifecycle-policy) Amazon ECR Repository Without Lifecycle Policy Configured | **AWSManagedServices-TrustedRemediatorPutECRLifecyclePolicy** Creates a lifecycle policy for the specified repository if a lifecycle policy does not already exist. | **ImageAgeLimit:** The maximum age limit in days (1-365) for 'any' image in the Amazon ECR repository. | No constraints  
+[DAvU99Dc4C](https://docs.aws.amazon.com/awssupport/latest/user/cost-optimization-checks.html#underutilized-amazon-ebs-volumes) Underutilized Amazon EBS Volumes | **AWSManagedServices-DeleteUnusedEBSVolume** Deletes underutilized Amazon EBS volumes if the volumes are unattached for the last 7 days. An Amazon EBS snapshot is created by default. | 
@@ -24,16 +23,5 @@ Check ID and name | **SSM document name and expected outcome** | **Supported pre
-[hjLMh88uM8](https://docs.aws.amazon.com/awssupport/latest/user/cost-optimization-checks.html#idle-load-balancers) \- Idle Load Balancers | **AWSManagedServices-DeleteIdleClassicLoadBalancer** \- Deletes an idle Classic Load Balancer if it's unused and no instances are registered. | 
-
-  * **IdleLoadBalancerDays:** The number of days that the Classic Load Balancer has 0 requested connections before considering it idle. The default is 7 days.
-
-| If auto execution is enabled, then the automation deletes idle Classic Load Balancers only if there are no active back-end instances. For all idle Classic Load Balancers that have active back-end instances, but don't have healthy back-end instances, auto remediation isn't used and OpsItems for manual remediation are created.  
-[Ti39halfu8](https://docs.aws.amazon.com/awssupport/latest/user/cost-optimization-checks.html#amazon-rds-idle-dbs-instances) \- Amazon RDS Idle DB Instances | **AWSManagedServices-StopIdleRDSInstance** \- Amazon RDS DB instance that has been in an idle state for the last 7 days is stopped. | 
-
-  * No preconfigured parameters are allowed.
-
-| No constraints  
-[Qch7DwouX1](https://docs.aws.amazon.com/awssupport/latest/user/cost-optimization-checks.html#low-utilization-amazon-ec2-instances) \- Low Utilization Amazon EC2 Instances | **AWSManagedServices-StopEC2Instance** (Default SSM document for both auto and manual execution mode.) Amazon EC2 instances with low utilization are stopped.  | 
-
-  * **ForceStopWithInstanceStore:** Set to `true` to force stop instances using instance store. Otherwise, set to `false`. The default value of `false` prevents instance from stopping. Valid values are true or false (case-sensitive).
-
-| No constraints  
-**AWSManagedServices-ResizeInstanceByOneLevel** \- Amazon EC2 instance is resized by one instance type down in the same instance family type. The instance is stopped and started during the resize operation and returned to the initial state after the SSM document run completes. This automation doesn't support resizing instances that are in an Auto Scaling Group. | 
+[hjLMh88uM8](https://docs.aws.amazon.com/awssupport/latest/user/cost-optimization-checks.html#idle-load-balancers) Idle Load Balancers | **AWSManagedServices-DeleteIdleClassicLoadBalancer** Deletes an idle Classic Load Balancer if it's unused and no instances are registered. | **IdleLoadBalancerDays:** The number of days that the Classic Load Balancer has 0 requested connections before considering it idle. The default is 7 days. | If auto execution is enabled, then the automation deletes idle Classic Load Balancers only if there are no active back-end instances. For all idle Classic Load Balancers that have active back-end instances, but don't have healthy back-end instances, auto remediation isn't used and OpsItems for manual remediation are created.  
+[Ti39halfu8](https://docs.aws.amazon.com/awssupport/latest/user/cost-optimization-checks.html#amazon-rds-idle-dbs-instances) Amazon RDS Idle DB Instances | **AWSManagedServices-StopIdleRDSInstance** Amazon RDS DB instance that has been in an idle state for the last 7 days is stopped. | No preconfigured parameters are allowed. | No constraints  
+[COr6dfpM05](https://docs.aws.amazon.com/awssupport/latest/user/cost-optimization-checks.html#aws-lambda-over-provisioned-functions-memory-size) AWS Lambda over-provisioned functions for memory size | **AWSManagedServices-ResizeLambdaMemory** AWS Lambda function's memory size is resized to the recommended memory size provided by Trusted Advisor. | **RecommendedMemorySize:** The recommended memory allocation for the Lambda function. Value range is between 128 and 10240. | If the Lambda function size was modified before the automation runs, then the settings might be overwritten by this automation with the value recommended by Trusted Advisor.   
+[Qch7DwouX1](https://docs.aws.amazon.com/awssupport/latest/user/cost-optimization-checks.html#low-utilization-amazon-ec2-instances) Low Utilization Amazon EC2 Instances | **AWSManagedServices-StopEC2Instance** (Default SSM document for both auto and manual execution mode.) Amazon EC2 instances with low utilization are stopped. | **ForceStopWithInstanceStore:** Set to `true` to force stop instances using instance store. Otherwise, set to `false`. The default value of `false` prevents instance from stopping. Valid values are true or false (case-sensitive). | No constraints  
+[Qch7DwouX1](https://docs.aws.amazon.com/awssupport/latest/user/cost-optimization-checks.html#low-utilization-amazon-ec2-instances) Low Utilization Amazon EC2 Instances | **AWSManagedServices-ResizeInstanceByOneLevel** Amazon EC2 instance is resized by one instance type down in the same instance family type. The instance is stopped and started during the resize operation and returned to the initial state after the SSM document run completes. This automation doesn't support resizing instances that are in an Auto Scaling Group. | 
@@ -45,42 +33,3 @@ Check ID and name | **SSM document name and expected outcome** | **Supported pre
-**AWSManagedServices-TerminateInstance** \- Low utilized Amazon EC2 instances are terminated if not part of an Auto Scaling Group and termination protection isn't enabled. An AMI is created by default. | 
-
-  * **CreateAMIBeforeTermination:** Set this option to `true` or `false` to create an instance AMI as a backup before terminating the EC2 instance. The default is `true`. Valid values are `true` and `false` (case-sensitive).
-
-| No constraints  
-[G31sQ1E9U](https://docs.aws.amazon.com/awssupport/latest/user/cost-optimization-checks.html#underutilized-amazon-redshift-clusters) \- Underutilized Amazon Redshift Clusters | **AWSManagedServices-PauseRedshiftCluster** \- The Amazon Redshift cluster is paused. | 
-
-  * No preconfigured parameters are allowed.
-
-| No constraints  
-[c1cj39rr6v](https://docs.aws.amazon.com/awssupport/latest/user/cost-optimization-checks.html#s3-incomplete-multipart-upload-abort-config) \- Amazon S3 Incomplete Multipart Upload Abort Configuration | **AWSManagedServices-TrustedRemediatorEnableS3AbortIncompleteMultipartUpload** \- Amazon S3 bucket is configured with a lifecycle rule to abort multipart uploads that remain incomplete after certain days. | 
-
-  * **DaysAfterInitiation:** The number of days after which Amazon S3 stops an incomplete multipart upload. Default is set to 7 days.
-
-| No constraints  
-**Security checks**  
-Hs4Ma3G323 - DynamoDB tables should have deletion protection enabled Corresponding AWS Security Hub check: [DynamoDB.6](https://docs.aws.amazon.com/securityhub/latest/userguide/dynamodb-controls.html#dynamodb-6) | **AWSManagedServices-TrustedRemediatorEnableDynamoDBTableDeletionProtection** \- Enables deletion protection for non-AMS DynamoDB tables. | 
-
-  * No preconfigured parameters are allowed.
-
-| No constraints  
-Hs4Ma3G247 - Amazon EC2 Transit Gateway should not automatically accept VPC attachment requests Corresponding AWS Security Hub check: [EC2.23](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-23) | **AWSManagedServices-TrustedRemediatorDisableTGWAutoVPCAttach** \- Disables the automatic acceptance of VPC attachment requests for the specified non-AMS Amazon EC2 Transit Gateway. | 
-
-  * No preconfigured parameters are allowed.
-
-| No constraints  
-Hs4Ma3G308 - Amazon DocumentDB clusters should have deletion protection enabled Corresponding AWS Security Hub check: [DocumentDB.5](https://docs.aws.amazon.com/securityhub/latest/userguide/documentdb-controls.html#documentdb-5) | **AWSManagedServices-TrustedRemediatorEnableDocumentDBClusterDeletionProtection** \- Enables deletion protection for Amazon DocumentDB cluster. | 
-
-  * No preconfigured parameters are allowed.
-
-| No constraints  
-Hs4Ma3G299 - Amazon DocumentDB manual cluster snapshots should not be public Corresponding AWS Security Hub check: [Neptune.4](https://docs.aws.amazon.com/securityhub/latest/userguide/neptune-controls.html#neptune-4) | **AWSManagedServices-TrustedRemediatorEnableNeptuneDBClusterDeletionProtection** \- Enables deletion protection for Amazon Neptune cluster. | 
-
-  * No preconfigured parameters are allowed.
-
-| No constraints  
-Hs4Ma3G306 - Neptune DB clusters should have deletion protection enabled Corresponding AWS Security Hub check: [DocumentDB.3](https://docs.aws.amazon.com/securityhub/latest/userguide/documentdb-controls.html#documentdb-3) | **AWSManagedServices-TrustedRemediatorDisablePublicAccessOnDocumentDBSnapshot** \- Removes public access from Amazon DocumentDB manual cluster snapshot. | 
-
-  * No preconfigured parameters are allowed.
-
-| No constraints  
-Hs4Ma3G109 - CloudTrail log file validation should be enabled Corresponding AWS Security Hub check: [CloudTrail.4](https://docs.aws.amazon.com/securityhub/latest/userguide/cloudtrail-controls.html#cloudtrail-4) | **AWSManagedServices-TrustedRemediatorEnableCloudTrailLogValidation** \- Enables CloudTrail trail log validation. | 
+[Qch7DwouX1](https://docs.aws.amazon.com/awssupport/latest/user/cost-optimization-checks.html#low-utilization-amazon-ec2-instances) Low Utilization Amazon EC2 Instances | **AWSManagedServices-TerminateInstance** Low utilized Amazon EC2 instances are terminated if not part of an Auto Scaling Group and termination protection isn't enabled. An AMI is created by default. | **CreateAMIBeforeTermination:** Set this option to `true` or `false` to create an instance AMI as a backup before terminating the EC2 instance. The default is `true`. Valid values are `true` and `false` (case-sensitive). | No constraints  
+[G31sQ1E9U](https://docs.aws.amazon.com/awssupport/latest/user/cost-optimization-checks.html#underutilized-amazon-redshift-clusters) Underutilized Amazon Redshift Clusters | **AWSManagedServices-PauseRedshiftCluster** The Amazon Redshift cluster is paused. | No preconfigured parameters are allowed. | No constraints  
+[c1cj39rr6v](https://docs.aws.amazon.com/awssupport/latest/user/cost-optimization-checks.html#s3-incomplete-multipart-upload-abort-config) Amazon S3 Incomplete Multipart Upload Abort Configuration | **AWSManagedServices-TrustedRemediatorEnableS3AbortIncompleteMultipartUpload** Amazon S3 bucket is configured with a lifecycle rule to abort multipart uploads that remain incomplete after certain days. | **DaysAfterInitiation:** The number of days after which Amazon S3 stops an incomplete multipart upload. Default is set to 7 days. | No constraints  
@@ -88 +37 @@ Hs4Ma3G109 - CloudTrail log file validation should be enabled Corresponding AWS
-  * No preconfigured parameters are allowed.
+## Trusted Advisor security checks supported by Trusted Remediator
@@ -90,24 +39,9 @@ Hs4Ma3G109 - CloudTrail log file validation should be enabled Corresponding AWS
-| No constraints  
-Hs4Ma3G217 - CodeBuild project environments should have a logging AWS configuration Corresponding AWS Security Hub check: [CodeBuild.4](https://docs.aws.amazon.com/securityhub/latest/userguide/codebuild-controls.html#codebuild-4) | **AWSManagedServices-TrustedRemediatorEnableCodeBuildLoggingConfig** \- Enables the logging for CodeBuild project. | 
-
-  * No preconfigured parameters are allowed.
-
-| No constraints  
-Hs4Ma3G158 - SSM documents should not be public Corresponding AWS Security Hub check: [SSM.4](https://docs.aws.amazon.com/securityhub/latest/userguide/ssm-controls.html#ssm-4) | **AWSManagedServices-TrustedRemediatorDisableSSMDocPublicSharing** \- Disables the public sharing of SSM document. | 
-
-  * No preconfigured parameters are allowed.
-
-| No constraints  
-Hs4Ma3G319 - Network Firewall firewalls should have deletion protection enabled Corresponding AWS Security Hub check: [NetworkFirewall.9](https://docs.aws.amazon.com/securityhub/latest/userguide/networkfirewall-controls.html#networkfirewall-9) | **AWSManagedServices-TrustedRemediatorEnableNetworkFirewallDeletionProtection** \- Enables the delete protection for AWS Network Firewall. | 
-
-  * No preconfigured parameters are allowed.
-
-| No constraints  
-Hs4Ma3G105 - Amazon Redshiftshould have automatic upgrades to major versions enabled Corresponding AWS Security Hub check: [Redshift.6](https://docs.aws.amazon.com/securityhub/latest/userguide/redshift-controls.html#redshift-6) | **AWSManagedServices-EnableRedshiftClusterVersionAutoUpgrade** \- Major version upgrades are applied automatically to the cluster during the maintenance window. There is no immediate downtime for the Amazon Redshift cluster, but your Amazon Redshift cluster might have downtime during its maintenance window if it upgrades to a major version. | 
-
-  * No preconfigured parameters are allowed.
-
-| No constraints  
-Hs4Ma3G177 -  Corresponding AWS Security Hub check - Auto scaling groups associated with a load balancer should use load balancer health checks [AutoScaling.1](https://docs.aws.amazon.com/securityhub/latest/userguide/autoscaling-controls.html#autoscaling-1) | **AWSManagedServices-TrustedRemediatorEnableAutoScalingGroupELBHealthCheck** \- Elastic Load Balancing health checks are enabled for the Auto Scaling Group. | 
-
-  * **HealthCheckGracePeriod:** The amount of time, in seconds, that Auto Scaling waits before checking the health status of an Amazon Elastic Compute Cloud instance that has come into service. 
+Check ID and name | SSM document name and expected outcome | Supported preconfigured parameters | Constraints  
+---|---|---|---  
+[12Fnkpl8Y5](https://docs.aws.amazon.com/awssupport/latest/user/security-checks.html#exposed-access-keys) Exposed Access Keys | **AWSManagedServices-TrustedRemediatorDeactivateIAMAccessKey** The exposed IAM access key is deactivated. | No preconfigured parameters are allowed. | Applications configured with an exposed IAM access key can't authenticate.  
+Hs4Ma3G127 - API Gateway REST and WebSocket API execution logging should be enabled Corresponding AWS Security Hub check: [APIGateway.1](https://docs.aws.amazon.com/securityhub/latest/userguide/apigateway-controls.html#apigateway-1) | **AWSManagedServices-TrustedRemediatorEnableAPIGateWayExecutionLogging** Execution logging is enabled on the API stage. | **LogLevel:** Logging level to enable execution logging, `ERROR` \- Logging is enabled for errors only. `INFO` \- Logging is enabled for all events. | You must grant API Gateway permission to read and write logs to CloudWatch for your account in order to enable execution log, refer to [Set up CloudWatch logging for REST APIs in API Gateway](https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-logging.html) for detail.  
+Hs4Ma3G129 - API Gateway REST API stages should have AWS X-Ray tracing enabled Corresponding AWS Security Hub check: [APIGateway.3](https://docs.aws.amazon.com/securityhub/latest/userguide/apigateway-controls.html#apigateway-3) | **AWSManagedServices-EnableApiGateWayXRayTracing** X-Ray tracing is enabled on the API stage. | No preconfigured parameters are allowed. | No constraints  
+Hs4Ma3G202 - API Gateway REST API cache data should be encrypted at rest Corresponding AWS Security Hub check: [APIGateway.5](https://docs.aws.amazon.com/securityhub/latest/userguide/apigateway-controls.html#apigateway-5) | **AWSManagedServices-EnableAPIGatewayCacheEncryption** Enable encryption at rest for API Gateway REST API cache data if the API Gateway REST API stage has cache enabled. | No preconfigured parameters are allowed. | No constraints  
+Hs4Ma3G177 -  Corresponding AWS Security Hub check - Auto scaling groups associated with a load balancer should use load balancer health checks [AutoScaling.1](https://docs.aws.amazon.com/securityhub/latest/userguide/autoscaling-controls.html#autoscaling-1) | **AWSManagedServices-TrustedRemediatorEnableAutoScalingGroupELBHealthCheck** Elastic Load Balancing health checks are enabled for the Auto Scaling Group. | **HealthCheckGracePeriod:** The amount of time, in seconds, that Auto Scaling waits before checking the health status of an Amazon Elastic Compute Cloud instance that has come into service. | Turning on Elastic Load Balancing health checks might result in replacing a running instance if any of the Elastic Load Balancing load balancers attached to the Auto Scaling group report it as unhealthy. For more information, see [Attach an Elastic Load Balancing load balancer to your Auto Scaling group](https://docs.aws.amazon.com/autoscaling/ec2/userguide/attach-load-balancer-asg.html)  
+Hs4Ma3G245 - AWS CloudFormation stacks should be integrated with Amazon Simple Notification Service Corresponding AWS Security Hub check: [CloudFormation.1](https://docs.aws.amazon.com/securityhub/latest/userguide/cloudformation-controls.html#cloudformation-1) | **AWSManagedServices-EnableCFNStackNotification** Associate a CloudFormation stack with an Amazon SNS topic for notification. | **NotificationARNs:** The ARNs of the Amazon SNS topics to be associated with selected CloudFormation stacks. | To enable auto remediation, The `NotificationARNs` preconfigured parameter must be provided.  
+Hs4Ma3G210 - CloudFront distributions should have logging enabled Corresponding AWS Security Hub check: [CloudFront.2](https://docs.aws.amazon.com/securityhub/latest/userguide/cloudfront-controls.html#cloudfront-5) | **AWSManagedServices-EnableCloudFrontDistributionLogging** Logging is enabled for Amazon CloudFront distributions. | 
@@ -115,2 +49,3 @@ Hs4Ma3G177 -  Corresponding AWS Security Hub check - Auto scaling groups associa
-| Turning on Elastic Load Balancing health checks might result in replacing a running instance if any of the Elastic Load Balancing load balancers attached to the Auto Scaling group report it as unhealthy. For more information, see [Attach an Elastic Load Balancing load balancer to your Auto Scaling group](https://docs.aws.amazon.com/autoscaling/ec2/userguide/attach-load-balancer-asg.html)  
-Hs4Ma3G106 - Amazon Redshift clusters should have audit logging enabled Corresponding AWS Security Hub check: [Redshift.4](https://docs.aws.amazon.com/securityhub/latest/userguide/redshift-controls.html#redshift-4) | **AWSManagedServices-TrustedRemediatorEnableRedshiftClusterAuditLogging** \- Audit logging is enabled to your Amazon Redshift cluster during the maintenance window. | 
+  * **BucketName:** The name of the Amazon S3 bucket where you want to store access logs.
+  * **S3KeyPrefix:** The prefix for the location in the S3 bucket for theAmazon CloudFront distribution logs.
+  * **IncludeCookies:** Indicates whether to include cookies in access logs.
@@ -118 +53 @@ Hs4Ma3G106 - Amazon Redshift clusters should have audit logging enabled Correspo
-  * No preconfigured parameters are allowed.
+| To enable auto remediation, the following preconfigured parameters must be provided:
@@ -120 +55,3 @@ Hs4Ma3G106 - Amazon Redshift clusters should have audit logging enabled Correspo
-| To enable auto remediation, the following preconfigured parameters must be provided.
+  * **BucketName**
+  * **S3KeyPrefix**
+  * **IncludeCookies**
@@ -122 +59,3 @@ Hs4Ma3G106 - Amazon Redshift clusters should have audit logging enabled Correspo
-  * **BucketName:** The bucket must be in the same AWS Region. The cluster must have read bucket and put object permissions.
+For this remediations constraints, see [ How do I turn on logging for my CloudFront distribution?](https://repost.aws/knowledge-center/cloudfront-logging-requests)  
+Hs4Ma3G109 - CloudTrail log file validation should be enabled Corresponding AWS Security Hub check: [CloudTrail.4](https://docs.aws.amazon.com/securityhub/latest/userguide/cloudtrail-controls.html#cloudtrail-4) | **AWSManagedServices-TrustedRemediatorEnableCloudTrailLogValidation** Enables CloudTrail trail log validation. | No preconfigured parameters are allowed. | No constraints  
+Hs4Ma3G108 - CloudTrail trails should be integrated with Amazon CloudWatch Logs Corresponding AWS Security Hub check: [CloudTrail.5](https://docs.aws.amazon.com/securityhub/latest/userguide/cloudtrail-controls.html#cloudtrail-5) | **AWSManagedServices-IntegrateCloudTrailWithCloudWatch** AWS CloudTrail is integrated with CloudWatch Logs. | 
@@ -124,11 +63,2 @@ Hs4Ma3G106 - Amazon Redshift clusters should have audit logging enabled Correspo
-If Redshift cluster logging is enabled before the automation execution, then the logging settings might be overwritten by this automation with the `BucketName` and `S3KeyPrefix` values configured in the preconfigured parameters.   
-Hs4Ma3G135 - AWS KMS keys should not be deleted unintentionally Corresponding AWS Security Hub check: [KMS.3](https://docs.aws.amazon.com/securityhub/latest/userguide/kms-controls.html#kms-3) | **AWSManagedServices-CancelKeyDeletion** \- AWS KMS key deletion is canceled. | No preconfigured parameters are allowed. | No constraints  
-Hs4Ma3G198 - Amazon RDS DB instances should have deletion protection enabled Corresponding AWS Security Hub check: [RDS.8](https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-8) | **AWSManagedServices-TrustedRemediatorEnableRDSDeletionProtection** \- Deletion protection is enabled for Amazon RDS instances. | No preconfigured parameters are allowed. | No constraints  
-Hs4Ma3G190 - Amazon RDS clusters should have deletion protection enabled Corresponding AWS Security Hub check: [RDS.7](https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-7) | **AWSManagedServices-TrustedRemediatorEnableRDSDeletionProtection** \- Deletion protection is enabled for Amazon RDS clusters. | No preconfigured parameters are allowed. | No constraints  
-Hs4Ma3G104 - Amazon Redshift clusters should use enhanced VPC routing Corresponding AWS Security Hub check: [Redshift.7](https://docs.aws.amazon.com/securityhub/latest/userguide/redshift-controls.html#redshift-7) | **AWSManagedServices-TrustedRemediatorEnableRedshiftClusterEnhancedVPCRouting** \- Enhanced VPC routing is enabled for Amazon Redshift clusters. | No preconfigured parameters are allowed. | No constraints  
-[rSs93HQwa1](https://docs.aws.amazon.com/awssupport/latest/user/security-checks.html#amazon-rds-public-snapshots) \- Amazon RDS Public Snapshots | **AWSManagedServices-DisablePublicAccessOnRDSSnapshotV2** \- Public access for Amazon RDS snapshot is disabled. | No preconfigured parameters are allowed. | No constraints  
-[ePs02jT06w](https://docs.aws.amazon.com/awssupport/latest/user/security-checks.html#amazon-ebs-public-snapshots) \- Amazon EBS Public Snapshots | **AWSManagedServices-TrustedRemediatorDisablePublicAccessOnEBSSnapshot** \- Public access for Amazon EBS snapshot is disabled. | No preconfigured parameters are allowed. | No constraints  
-Hs4Ma3G194 - Amazon RDS snapshot should be private Corresponding AWS Security Hub check: [RDS.1](https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-1) | **AWSManagedServices-DisablePublicAccessOnRDSSnapshotV2** \- Public access for Amazon RDS snapshot is disabled. | No preconfigured parameters are allowed. | No constraints  
-[Pfx0RwqBli](https://docs.aws.amazon.com/awssupport/latest/user/security-checks.html#amazon-s3-bucket-permissions) \- Amazon S3 Bucket Permissions | **AWSManagedServices-TrustedRemediatorBlockS3BucketPublicAccess** \- Block public access | No preconfigured parameters are allowed. | This check consists of multiple alert criteria. This automation remediates public access issues. Remediation for other configuration issues flagged by Trusted Advisor isn't supported. This remediation does support remediating AWS service created S3 buckets (for example, cf-templates-000000000000).  
-Hs4Ma3G209 - Unused Network Access Control Lists are removed Corresponding AWS Security Hub check: [EC2.16](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-16) | **AWSManagedServices-DeleteUnusedNACL** \- Delete unused network ACL | No preconfigured parameters are allowed. | No constraints  
-Hs4Ma3G189 - Enhanced monitoring are configured for Amazon RDS DB instances Corresponding AWS Security Hub check: [RDS.6](https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-6) | **AWSManagedServices-TrustedRemediatorEnableRDSEnhancedMonitoring** \- Enable enhanced monitoring for Amazon RDS DB instances | 
+  * **CloudWatchLogsLogGroupArn:** The Amazon Resource Name (ARN) of an Amazon CloudWatch Logs log group.
+  * **CloudWatchLogsRoleArn:** The ARN of an IAM role used by AWS CloudTrail to integrate with CloudWatch.
@@ -136,2 +66 @@ Hs4Ma3G189 - Enhanced monitoring are configured for Amazon RDS DB instances Corr
-  * **MonitoringInterval:** The interval, in seconds, between points when Enhanced Monitoring metrics are collected for the DB instance. Valid intervals are 0, 1, 5, 10, 15, 30 and 60. To disable collecting Enhanced Monitoring metrics, specify 0.
-  * **MonitoringRoleName:** The name of the IAM role that permits Amazon RDS to send enhanced monitoring metrics to Amazon CloudWatch Logs. If a role isn't specified, then the default role `rds-monitoring-role` is used or created, if it doesn't exist.
+| To enable auto remediation, the following preconfigured parameters must be provided:
@@ -139,3 +68,2 @@ Hs4Ma3G189 - Enhanced monitoring are configured for Amazon RDS DB instances Corr
-| If enhanced monitoring is enabled before the automation execution, then the settings might be overwritten by this automation with the MonitoringInterval and MonitoringRoleName values configured in the preconfigured parameters.  
-Hs4Ma3G215 - Unused Amazon EC2 security groups should be removed Corresponding AWS Security Hub check: [EC2.22](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-22) | **AWSManagedServices-DeleteSecurityGroups** \- Delete unused security groups. | No preconfigured parameters are allowed. | No constraints  
-Hs4Ma3G245 - >AWS CloudFormation stacks should be integrated with Amazon Simple Notification Service Corresponding AWS Security Hub check: [CloudFormation.1](https://docs.aws.amazon.com/securityhub/latest/userguide/cloudformation-controls.html#cloudformation-1) | **AWSManagedServices-EnableCFNStackNotification** \- Associate a CloudFormation stack with an Amazon SNS topic for notification. | 
+  * **CloudWatchLogsLogGroupArn**
+  * **CloudWatchLogsRoleArn**
@@ -143 +70,0 @@ Hs4Ma3G245 - >AWS CloudFormation stacks should be integrated with Amazon Simple
-  * **NotificationARNs:** The ARNs of the Amazon SNS topics to be associated with selected CloudFormation stacks.
@@ -145,4 +72,7 @@ Hs4Ma3G245 - >AWS CloudFormation stacks should be integrated with Amazon Simple
-| To enable auto remediation, The `NotificationARNs` preconfigured parameter must be provided.  
-Hs4Ma3G103 - Amazon Redshift clusters should prohibit public access Corresponding AWS Security Hub check: [Redshift.1](https://docs.aws.amazon.com/securityhub/latest/userguide/redshift-controls.html#redshift-1) | **AWSManagedServices-DisablePublicAccessOnRedshiftCluster** \- Public access on Amazon Redshift cluster is disabled. | No preconfigured parameters are allowed. | Disabling public access blocks all clients coming from the internet. And the Amazon Redshift cluster is in the modifying state for a few minutes while the remediation disables public access on the cluster.  
-Hs4Ma3G121 - EBS default encryption should be enabled Corresponding AWS Security Hub check: [EC2.7](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-7) | **AWSManagedServices-EncryptEBSByDefault** \- Amazon EBS encryption by default is enabled for the specific AWS Region | No preconfigured parameters are allowed. | Encryption by default is a Region-specific setting. If you enable it for a Region, you can't disable it for individual volumes or snapshots in that Region.  
-Hs4Ma3G117 - Attached EBS volumes should be encrypted at-rest Corresponding AWS Security Hub check: [EC2.3](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-3) | **AWSManagedServices-EncryptInstanceVolume** \- The attached Amazon EBS volume on the instance is encrypted. | 
+Hs4Ma3G217 - CodeBuild project environments should have a logging AWS configuration Corresponding AWS Security Hub check: [CodeBuild.4](https://docs.aws.amazon.com/securityhub/latest/userguide/codebuild-controls.html#codebuild-4) | **AWSManagedServices-TrustedRemediatorEnableCodeBuildLoggingConfig** Enables the logging for CodeBuild project. | No preconfigured parameters are allowed. | No constraints  
+Hs4Ma3G306 - Neptune DB clusters should have deletion protection enabled Corresponding AWS Security Hub check: [DocumentDB.3](https://docs.aws.amazon.com/securityhub/latest/userguide/documentdb-controls.html#documentdb-3) | **AWSManagedServices-TrustedRemediatorDisablePublicAccessOnDocumentDBSnapshot** Removes public access from Amazon DocumentDB manual cluster snapshot. | No preconfigured parameters are allowed. | No constraints  
+Hs4Ma3G308 - Amazon DocumentDB clusters should have deletion protection enabled Corresponding AWS Security Hub check: [DocumentDB.5](https://docs.aws.amazon.com/securityhub/latest/userguide/documentdb-controls.html#documentdb-5) | **AWSManagedServices-TrustedRemediatorEnableDocumentDBClusterDeletionProtection** Enables deletion protection for Amazon DocumentDB cluster. | No preconfigured parameters are allowed. | No constraints  
+Hs4Ma3G323 - DynamoDB tables should have deletion protection enabled Corresponding AWS Security Hub check: [DynamoDB.6](https://docs.aws.amazon.com/securityhub/latest/userguide/dynamodb-controls.html#dynamodb-6) | **AWSManagedServices-TrustedRemediatorEnableDynamoDBTableDeletionProtection** Enables deletion protection for non-AMS DynamoDB tables. | No preconfigured parameters are allowed. | No constraints  
+[ePs02jT06w](https://docs.aws.amazon.com/awssupport/latest/user/security-checks.html#amazon-ebs-public-snapshots) \- Amazon EBS Public Snapshots | **AWSManagedServices-TrustedRemediatorDisablePublicAccessOnEBSSnapshot** Public access for Amazon EBS snapshot is disabled. | No preconfigured parameters are allowed. | No constraints  
+Hs4Ma3G118 - VPC default security groups should not allow inbound or outbound traffic Corresponding AWS Security Hub check: [EC2.2](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-2) | **AWSManagedServices-TrustedRemediatorRemoveAllRulesFromDefaultSG** All ingress and egress rules in the default security group are removed. | No preconfigured parameters are allowed. | No constraints  
+Hs4Ma3G117 - Attached EBS volumes should be encrypted at-rest Corresponding AWS Security Hub check: [EC2.3](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-3) | **AWSManagedServices-EncryptInstanceVolume** The attached Amazon EBS volume on the instance is encrypted. | 
@@ -154,13 +84,3 @@ Hs4Ma3G117 - Attached EBS volumes should be encrypted at-rest Corresponding AWS
-Hs4Ma3G183 - Application load balancer should be configured to drop HTTP headers Corresponding AWS Security Hub check: [ELB.4](https://docs.aws.amazon.com/securityhub/latest/userguide/elb-controls.html#elb-4) | **AWSConfigRemediation-DropInvalidHeadersForALB** \- Application Load Balancer is configured to invalid header fields. | No preconfigured parameters are allowed. | No constraints  
-Hs4Ma3G179 - SNS topics should be encrypted at-rest using AWS KMS Corresponding AWS Security Hub check: [SNS.1](https://docs.aws.amazon.com/securityhub/latest/userguide/sns-controls.html#sns-1) | **AWSManagedServices-EnableSNSEncryptionAtRest** \- SNS topic is configured with server-side encryption. | 
-
-  * **KmsKeyId:** The ID of an AWS managed customer master key (CMK) for Amazon SNS or a custom CMK to be used for server-side encryption (SSE). Default is set to alias/aws/sns.
-
-| If a custom AWS KMS key is used, it must be configured with the correct permissions. For more information, see [Enabling server-side encryption (SSE) for an Amazon SNS topic](https://docs.aws.amazon.com/sns/latest/dg/sns-enable-encryption-for-topic.html)  
-Hs4Ma3G216 - ECR repositories should have at least one lifecycle policy configured Corresponding AWS Security Hub check: [ECR.3](https://docs.aws.amazon.com/securityhub/latest/userguide/ecr-controls.html#ecr-3) | **AWSManagedServices-PutECRRepositoryLifecyclePolicy** \- ECR repository has a lifecycle policy configured. | 
-
-  * **LifecyclePolicyText:** The JSON repository policy text to apply to the repository.
-
-| To enable auto remediation, the following preconfigured parameters must be provided:
-
-  * **LifecyclePolicyText**