AWS Security ChangesHomeSearch

AWS securityhub documentation change

Service: securityhub · 2025-05-31 · Documentation low

File: securityhub/latest/userguide/securityhub-controls-reference.md

Summary

Added NIST SP 800-171 Rev. 2 compliance standard references to multiple security controls across various services (ACM, APIGateway, CloudFront, CloudTrail, CloudWatch, EC2, ELB, GuardDuty, IAM, NetworkFirewall, S3, SNS, SSM, WAF) in the applicable standards column

Security assessment

The changes add references to NIST SP 800-171 Rev. 2 security framework across controls, enhancing documentation of compliance alignment but not addressing specific vulnerabilities. This indicates expanded security best practice documentation rather than fixing a security issue.

Diff

diff --git a/securityhub/latest/userguide/securityhub-controls-reference.md b/securityhub/latest/userguide/securityhub-controls-reference.md
index debdfdf94..f72db6c13 100644
--- a//securityhub/latest/userguide/securityhub-controls-reference.md
+++ b//securityhub/latest/userguide/securityhub-controls-reference.md
@@ -34 +34 @@ Security control ID | Security control title | Applicable standards | Severity |
-[ACM.1](./acm-controls.html#acm-1) |  Imported and ACM-issued certificates should be renewed after a specified time period  |  AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 |  MEDIUM  |  Yes  |  Change triggered and periodic   
+[ACM.1](./acm-controls.html#acm-1) |  Imported and ACM-issued certificates should be renewed after a specified time period  |  AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2, PCI DSS v4.0.1 |  MEDIUM  |  Yes  |  Change triggered and periodic   
@@ -40 +40 @@ Security control ID | Security control title | Applicable standards | Severity |
-[APIGateway.2](./apigateway-controls.html#apigateway-2) |  API Gateway REST API stages should be configured to use SSL certificates for backend authentication  |  AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5  |  MEDIUM  |  No  |  Change triggered   
+[APIGateway.2](./apigateway-controls.html#apigateway-2) |  API Gateway REST API stages should be configured to use SSL certificates for backend authentication  |  AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2  |  MEDIUM  |  No  |  Change triggered   
@@ -83 +83 @@ Security control ID | Security control title | Applicable standards | Severity |
-[CloudFront.7](./cloudfront-controls.html#cloudfront-7) |  CloudFront distributions should use custom SSL/TLS certificates  |  AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  MEDIUM  |  No  |  Change triggered   
+[CloudFront.7](./cloudfront-controls.html#cloudfront-7) |  CloudFront distributions should use custom SSL/TLS certificates  |  AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2  |  MEDIUM  |  No  |  Change triggered   
@@ -86 +86 @@ Security control ID | Security control title | Applicable standards | Severity |
-[CloudFront.10](./cloudfront-controls.html#cloudfront-10) |  CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins  |  AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 |  MEDIUM  |  No  |  Change triggered   
+[CloudFront.10](./cloudfront-controls.html#cloudfront-10) |  CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins  |  AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2, PCI DSS v4.0.1 |  MEDIUM  |  No  |  Change triggered   
@@ -91,3 +91,3 @@ Security control ID | Security control title | Applicable standards | Severity |
-[CloudTrail.2](./cloudtrail-controls.html#cloudtrail-2) |  CloudTrail should have encryption at-rest enabled  | CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.2.0, CIS AWS Foundations Benchmark v1.4.0 AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v3.2.1, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower |  MEDIUM  |  No  |  Periodic   
-[CloudTrail.3](./cloudtrail-controls.html#cloudtrail-3) | At least one CloudTrail trail should be enabled | PCI DSS v3.2.1, PCI DSS v4.0.1 | HIGH |  No | Periodic  
-[CloudTrail.4](./cloudtrail-controls.html#cloudtrail-4) |  CloudTrail log file validation should be enabled  | CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.2.0, AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, PCI DSS v4.0.1, CIS AWS Foundations Benchmark v1.4.0, NIST SP 800-53 Rev. 5  |  LOW  |  No  |  Periodic   
+[CloudTrail.2](./cloudtrail-controls.html#cloudtrail-2) |  CloudTrail should have encryption at-rest enabled  | CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.2.0, CIS AWS Foundations Benchmark v1.4.0 AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2, PCI DSS v3.2.1, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower |  MEDIUM  |  No  |  Periodic   
+[CloudTrail.3](./cloudtrail-controls.html#cloudtrail-3) | At least one CloudTrail trail should be enabled | NIST SP 800-171 Rev. 2, PCI DSS v4.0.1, PCI DSS v3.2.1 | HIGH |  No | Periodic  
+[CloudTrail.4](./cloudtrail-controls.html#cloudtrail-4) |  CloudTrail log file validation should be enabled  | CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.4.0, CIS AWS Foundations Benchmark v1.2.0, AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2, PCI DSS v4.0.1, PCI DSS v3.2.1, Service-Managed Standard: AWS Control Tower |  LOW  |  No  |  Periodic   
@@ -99,2 +99,2 @@ Security control ID | Security control title | Applicable standards | Severity |
-[CloudWatch.1](./cloudwatch-controls.html#cloudwatch-1) |  A log metric filter and alarm should exist for usage of the "root" user  |  CIS AWS Foundations Benchmark v1.2.0, PCI DSS v3.2.1, CIS AWS Foundations Benchmark v1.4.0  |  LOW  |  No  |  Periodic   
-[CloudWatch.2](./cloudwatch-controls.html#cloudwatch-2) |  Ensure a log metric filter and alarm exist for unauthorized API calls  |  CIS AWS Foundations Benchmark v1.2.0  |  LOW  |  No  |  Periodic   
+[CloudWatch.1](./cloudwatch-controls.html#cloudwatch-1) |  A log metric filter and alarm should exist for usage of the "root" user  | CIS AWS Foundations Benchmark v1.4.0, CIS AWS Foundations Benchmark v1.2.0, NIST SP 800-171 Rev. 2, PCI DSS v3.2.1 |  LOW  |  No  |  Periodic   
+[CloudWatch.2](./cloudwatch-controls.html#cloudwatch-2) |  Ensure a log metric filter and alarm exist for unauthorized API calls  | CIS AWS Foundations Benchmark v1.2.0, NIST SP 800-171 Rev. 2 |  LOW  |  No  |  Periodic   
@@ -102,12 +102,12 @@ Security control ID | Security control title | Applicable standards | Severity |
-[CloudWatch.4](./cloudwatch-controls.html#cloudwatch-4) |  Ensure a log metric filter and alarm exist for IAM policy changes  |  CIS AWS Foundations Benchmark v1.2.0, CIS AWS Foundations Benchmark v1.4.0  |  LOW  |  No  |  Periodic   
-[CloudWatch.5](./cloudwatch-controls.html#cloudwatch-5) |  Ensure a log metric filter and alarm exist for CloudTrail configuration changes  |  CIS AWS Foundations Benchmark v1.2.0, CIS AWS Foundations Benchmark v1.4.0  |  LOW  |  No  |  Periodic   
-[CloudWatch.6](./cloudwatch-controls.html#cloudwatch-6) |  Ensure a log metric filter and alarm exist for AWS Management Console authentication failures  |  CIS AWS Foundations Benchmark v1.2.0, CIS AWS Foundations Benchmark v1.4.0  |  LOW  |  No  |  Periodic   
-[CloudWatch.7](./cloudwatch-controls.html#cloudwatch-7) |  Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs  |  CIS AWS Foundations Benchmark v1.2.0, CIS AWS Foundations Benchmark v1.4.0  |  LOW  |  No  |  Periodic   
-[CloudWatch.8](./cloudwatch-controls.html#cloudwatch-8) |  Ensure a log metric filter and alarm exist for S3 bucket policy changes  |  CIS AWS Foundations Benchmark v1.2.0, CIS AWS Foundations Benchmark v1.4.0  |  LOW  |  No  |  Periodic   
-[CloudWatch.9](./cloudwatch-controls.html#cloudwatch-9) |  Ensure a log metric filter and alarm exist for AWS Config configuration changes  |  CIS AWS Foundations Benchmark v1.2.0, CIS AWS Foundations Benchmark v1.4.0  |  LOW  |  No  |  Periodic   
-[CloudWatch.10](./cloudwatch-controls.html#cloudwatch-10) |  Ensure a log metric filter and alarm exist for security group changes  |  CIS AWS Foundations Benchmark v1.2.0, CIS AWS Foundations Benchmark v1.4.0  |  LOW  |  No  |  Periodic   
-[CloudWatch.11](./cloudwatch-controls.html#cloudwatch-11) |  Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)  |  CIS AWS Foundations Benchmark v1.2.0, CIS AWS Foundations Benchmark v1.4.0  |  LOW  |  No  |  Periodic   
-[CloudWatch.12](./cloudwatch-controls.html#cloudwatch-12) |  Ensure a log metric filter and alarm exist for changes to network gateways  |  CIS AWS Foundations Benchmark v1.2.0, CIS AWS Foundations Benchmark v1.4.0  |  LOW  |  No  |  Periodic   
-[CloudWatch.13](./cloudwatch-controls.html#cloudwatch-13) |  Ensure a log metric filter and alarm exist for route table changes  |  CIS AWS Foundations Benchmark v1.2.0, CIS AWS Foundations Benchmark v1.4.0  |  LOW  |  No  |  Periodic   
-[CloudWatch.14](./cloudwatch-controls.html#cloudwatch-14) |  Ensure a log metric filter and alarm exist for VPC changes  |  CIS AWS Foundations Benchmark v1.2.0, CIS AWS Foundations Benchmark v1.4.0  |  LOW  |  No  |  Periodic   
-[CloudWatch.15](./cloudwatch-controls.html#cloudwatch-15) |  CloudWatch alarms should have specified actions configured  |  NIST SP 800-53 Rev. 5  |  HIGH  |  Yes  |  Change triggered   
+[CloudWatch.4](./cloudwatch-controls.html#cloudwatch-4) |  Ensure a log metric filter and alarm exist for IAM policy changes  | CIS AWS Foundations Benchmark v1.4.0, CIS AWS Foundations Benchmark v1.2.0, NIST SP 800-171 Rev. 2 |  LOW  |  No  |  Periodic   
+[CloudWatch.5](./cloudwatch-controls.html#cloudwatch-5) |  Ensure a log metric filter and alarm exist for CloudTrail configuration changes  | CIS AWS Foundations Benchmark v1.4.0, CIS AWS Foundations Benchmark v1.2.0, NIST SP 800-171 Rev. 2 |  LOW  |  No  |  Periodic   
+[CloudWatch.6](./cloudwatch-controls.html#cloudwatch-6) |  Ensure a log metric filter and alarm exist for AWS Management Console authentication failures  | CIS AWS Foundations Benchmark v1.4.0, CIS AWS Foundations Benchmark v1.2.0, NIST SP 800-171 Rev. 2 |  LOW  |  No  |  Periodic   
+[CloudWatch.7](./cloudwatch-controls.html#cloudwatch-7) |  Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs  | CIS AWS Foundations Benchmark v1.4.0, CIS AWS Foundations Benchmark v1.2.0, NIST SP 800-171 Rev. 2  |  LOW  |  No  |  Periodic   
+[CloudWatch.8](./cloudwatch-controls.html#cloudwatch-8) |  Ensure a log metric filter and alarm exist for S3 bucket policy changes  | CIS AWS Foundations Benchmark v1.4.0, CIS AWS Foundations Benchmark v1.2.0, NIST SP 800-171 Rev. 2 |  LOW  |  No  |  Periodic   
+[CloudWatch.9](./cloudwatch-controls.html#cloudwatch-9) |  Ensure a log metric filter and alarm exist for AWS Config configuration changes  | CIS AWS Foundations Benchmark v1.4.0, CIS AWS Foundations Benchmark v1.2.0, NIST SP 800-171 Rev. 2  |  LOW  |  No  |  Periodic   
+[CloudWatch.10](./cloudwatch-controls.html#cloudwatch-10) |  Ensure a log metric filter and alarm exist for security group changes  | CIS AWS Foundations Benchmark v1.4.0, CIS AWS Foundations Benchmark v1.2.0, NIST SP 800-171 Rev. 2 |  LOW  |  No  |  Periodic   
+[CloudWatch.11](./cloudwatch-controls.html#cloudwatch-11) |  Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)  | CIS AWS Foundations Benchmark v1.4.0, CIS AWS Foundations Benchmark v1.2.0, NIST SP 800-171 Rev. 2  |  LOW  |  No  |  Periodic   
+[CloudWatch.12](./cloudwatch-controls.html#cloudwatch-12) |  Ensure a log metric filter and alarm exist for changes to network gateways  | CIS AWS Foundations Benchmark v1.4.0, CIS AWS Foundations Benchmark v1.2.0, NIST SP 800-171 Rev. 2 |  LOW  |  No  |  Periodic   
+[CloudWatch.13](./cloudwatch-controls.html#cloudwatch-13) |  Ensure a log metric filter and alarm exist for route table changes  | CIS AWS Foundations Benchmark v1.4.0, CIS AWS Foundations Benchmark v1.2.0, NIST SP 800-171 Rev. 2  |  LOW  |  No  |  Periodic   
+[CloudWatch.14](./cloudwatch-controls.html#cloudwatch-14) |  Ensure a log metric filter and alarm exist for VPC changes  | CIS AWS Foundations Benchmark v1.4.0, CIS AWS Foundations Benchmark v1.2.0, NIST SP 800-171 Rev. 2 |  LOW  |  No  |  Periodic   
+[CloudWatch.15](./cloudwatch-controls.html#cloudwatch-15) |  CloudWatch alarms should have specified actions configured  | NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2 |  HIGH  |  Yes  |  Change triggered   
@@ -161 +161 @@ Security control ID | Security control title | Applicable standards | Severity |
-[EC2.6](./ec2-controls.html#ec2-6) |  VPC flow logging should be enabled in all VPCs  | CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.2.0, AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, CIS AWS Foundations Benchmark v1.4.0, NIST SP 800-53 Rev. 5  |  MEDIUM  |  No  |  Periodic   
+[EC2.6](./ec2-controls.html#ec2-6) |  VPC flow logging should be enabled in all VPCs  | CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.2.0, AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, CIS AWS Foundations Benchmark v1.4.0, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2  |  MEDIUM  |  No  |  Periodic   
@@ -165 +165 @@ Security control ID | Security control title | Applicable standards | Severity |
-[EC2.10](./ec2-controls.html#ec2-10) |  Amazon EC2 should be configured to use VPC endpoints that are created for the Amazon EC2 service  |  AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5  |  MEDIUM  |  No  |  Periodic   
+[EC2.10](./ec2-controls.html#ec2-10) |  Amazon EC2 should be configured to use VPC endpoints that are created for the Amazon EC2 service  |  AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2  |  MEDIUM  |  No  |  Periodic   
@@ -167 +167 @@ Security control ID | Security control title | Applicable standards | Severity |
-[EC2.13](./ec2-controls.html#ec2-13) | Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 22 | CIS AWS Foundations Benchmark v1.2.0, PCI DSS v3.2.1, PCI DSS v4.0.1, NIST SP 800-53 Rev. 5 | HIGH |  No | Change triggered and periodic  
+[EC2.13](./ec2-controls.html#ec2-13) | Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 22 | CIS AWS Foundations Benchmark v1.2.0, PCI DSS v3.2.1, PCI DSS v4.0.1, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2 | HIGH |  No | Change triggered and periodic  
@@ -170 +170 @@ Security control ID | Security control title | Applicable standards | Severity |
-[EC2.16](./ec2-controls.html#ec2-16) |  Unused Network Access Control Lists should be removed  | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower, |  LOW  |  No  |  Change triggered   
+[EC2.16](./ec2-controls.html#ec2-16) |  Unused Network Access Control Lists should be removed  | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower, |  LOW  |  No  |  Change triggered   
@@ -172,4 +172,4 @@ Security control ID | Security control title | Applicable standards | Severity |
-[EC2.18](./ec2-controls.html#ec2-18) |  Security groups should only allow unrestricted incoming traffic for authorized ports  |  AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5  |  HIGH  |  Yes  |  Change triggered   
-[EC2.19](./ec2-controls.html#ec2-19) | Security groups should not allow unrestricted access to ports with high risk | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | CRITICAL |  No | Change triggered and periodic  
-[EC2.20](./ec2-controls.html#ec2-20) |  Both VPN tunnels for an AWS Site-to-Site VPN connection should be up  |  AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5  |  MEDIUM  |  No  |  Change triggered   
-[EC2.21](./ec2-controls.html#ec2-21) |  Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389  | CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.4.0, AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 |  MEDIUM  |  No  |  Change triggered   
+[EC2.18](./ec2-controls.html#ec2-18) |  Security groups should only allow unrestricted incoming traffic for authorized ports  |  AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2  |  HIGH  |  Yes  |  Change triggered   
+[EC2.19](./ec2-controls.html#ec2-19) | Security groups should not allow unrestricted access to ports with high risk | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2 | CRITICAL |  No | Change triggered and periodic  
+[EC2.20](./ec2-controls.html#ec2-20) |  Both VPN tunnels for an AWS Site-to-Site VPN connection should be up  |  AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2  |  MEDIUM  |  No  |  Change triggered   
+[EC2.21](./ec2-controls.html#ec2-21) |  Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389  | CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.4.0, AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2, PCI DSS v4.0.1 |  MEDIUM  |  No  |  Change triggered   
@@ -199 +199 @@ Security control ID | Security control title | Applicable standards | Severity |
-[EC2.51](./ec2-controls.html#ec2-51) |  EC2 Client VPN endpoints should have client connection logging enabled  | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 |  LOW  |  No  |  Change triggered   
+[EC2.51](./ec2-controls.html#ec2-51) |  EC2 Client VPN endpoints should have client connection logging enabled  | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2, PCI DSS v4.0.1 |  LOW  |  No  |  Change triggered   
@@ -262,2 +262,2 @@ Security control ID | Security control title | Applicable standards | Severity |
-[ELB.2](./elb-controls.html#elb-2) |  Classic Load Balancers with SSL/HTTPS listeners should use a certificate provided by AWS Certificate Manager  |  AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5  |  MEDIUM  |  No  |  Change triggered   
-[ELB.3](./elb-controls.html#elb-3) |  Classic Load Balancer listeners should be configured with HTTPS or TLS termination  | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower |  MEDIUM  |  No  |  Change triggered   
+[ELB.2](./elb-controls.html#elb-2) |  Classic Load Balancers with SSL/HTTPS listeners should use a certificate provided by AWS Certificate Manager  |  AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2  |  MEDIUM  |  No  |  Change triggered   
+[ELB.3](./elb-controls.html#elb-3) |  Classic Load Balancer listeners should be configured with HTTPS or TLS termination  | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower |  MEDIUM  |  No  |  Change triggered   
@@ -268 +268 @@ Security control ID | Security control title | Applicable standards | Severity |
-[ELB.8](./elb-controls.html#elb-8) |  Classic Load Balancers with SSL listeners should use a predefined security policy that has strong configuration  | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower |  MEDIUM  |  No  |  Change triggered   
+[ELB.8](./elb-controls.html#elb-8) |  Classic Load Balancers with SSL listeners should use a predefined security policy that has strong configuration  | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower |  MEDIUM  |  No  |  Change triggered   
@@ -305 +305 @@ Security control ID | Security control title | Applicable standards | Severity |
-[GuardDuty.1](./guardduty-controls.html#guardduty-1) |  GuardDuty should be enabled  | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v3.2.1, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower |  HIGH  |  No  |  Periodic   
+[GuardDuty.1](./guardduty-controls.html#guardduty-1) |  GuardDuty should be enabled  | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2, PCI DSS v3.2.1, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower |  HIGH  |  No  |  Periodic   
@@ -318,2 +318,2 @@ Security control ID | Security control title | Applicable standards | Severity |
-[IAM.1](./iam-controls.html#iam-1) |  IAM policies should not allow full "*" administrative privileges  |  CIS AWS Foundations Benchmark v1.2.0, AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, CIS AWS Foundations Benchmark v1.4.0, NIST SP 800-53 Rev. 5  |  HIGH  |  No  |  Change triggered   
-[IAM.2](./iam-controls.html#iam-2) |  IAM users should not have IAM policies attached  | CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.2.0, AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5  |  LOW  |  No  |  Change triggered   
+[IAM.1](./iam-controls.html#iam-1) |  IAM policies should not allow full "*" administrative privileges  | CIS AWS Foundations Benchmark v1.2.0, AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, CIS AWS Foundations Benchmark v1.4.0, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2  |  HIGH  |  No  |  Change triggered   
+[IAM.2](./iam-controls.html#iam-2) |  IAM users should not have IAM policies attached  | CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.2.0, AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2  |  LOW  |  No  |  Change triggered   
@@ -324,2 +324,2 @@ Security control ID | Security control title | Applicable standards | Severity |
-[IAM.7](./iam-controls.html#iam-7) |  Password policies for IAM users should have strong configurations  | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower |  MEDIUM  |  Yes  |  Periodic   
-[IAM.8](./iam-controls.html#iam-8) |  Unused IAM user credentials should be removed  | CIS AWS Foundations Benchmark v1.2.0, AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v3.2.1, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower |  MEDIUM  |  No  |  Periodic   
+[IAM.7](./iam-controls.html#iam-7) |  Password policies for IAM users should have strong configurations  | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower |  MEDIUM  |  Yes  |  Periodic   
+[IAM.8](./iam-controls.html#iam-8) |  Unused IAM user credentials should be removed  | CIS AWS Foundations Benchmark v1.2.0, AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2, PCI DSS v3.2.1, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower |  MEDIUM  |  No  |  Periodic   
@@ -327,12 +327,12 @@ Security control ID | Security control title | Applicable standards | Severity |
-[IAM.10](./iam-controls.html#iam-10) |  Password policies for IAM users should have strong configurations  | PCI DSS v3.2.1, PCI DSS v4.0.1 |  MEDIUM  |  No  |  Periodic   
-[IAM.11](./iam-controls.html#iam-11) |  Ensure IAM password policy requires at least one uppercase letter  | CIS AWS Foundations Benchmark v1.2.0, PCI DSS v4.0.1 |  MEDIUM  |  No  |  Periodic   
-[IAM.12](./iam-controls.html#iam-12) |  Ensure IAM password policy requires at least one lowercase letter  | CIS AWS Foundations Benchmark v1.2.0, PCI DSS v4.0.1 |  MEDIUM  |  No  |  Periodic   
-[IAM.13](./iam-controls.html#iam-13) |  Ensure IAM password policy requires at least one symbol  | CIS AWS Foundations Benchmark v1.2.0, PCI DSS v4.0.1 |  MEDIUM  |  No  |  Periodic   
-[IAM.14](./iam-controls.html#iam-14) |  Ensure IAM password policy requires at least one number  | CIS AWS Foundations Benchmark v1.2.0, PCI DSS v4.0.1 |  MEDIUM  |  No  |  Periodic   
-[IAM.15](./iam-controls.html#iam-15) |  Ensure IAM password policy requires minimum password length of 14 or greater  | CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.4.0, CIS AWS Foundations Benchmark v1.2.0 |  MEDIUM  |  No  |  Periodic   
-[IAM.16](./iam-controls.html#iam-16) |  Ensure IAM password policy prevents password reuse  | CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.4.0, CIS AWS Foundations Benchmark v1.2.0, PCI DSS v4.0.1 |  LOW  |  No  |  Periodic   
-[IAM.17](./iam-controls.html#iam-17) |  Ensure IAM password policy expires passwords within 90 days or less  | CIS AWS Foundations Benchmark v1.2.0, PCI DSS v4.0.1 |  LOW  |  No  |  Periodic   
-[IAM.18](./iam-controls.html#iam-18) |  Ensure a support role has been created to manage incidents with Support  | CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.4.0, CIS AWS Foundations Benchmark v1.2.0, PCI DSS v4.0.1 |  LOW  |  No  |  Periodic   
-[IAM.19](./iam-controls.html#iam-19) |  MFA should be enabled for all IAM users  | NIST SP 800-53 Rev. 5, PCI DSS v3.2.1, PCI DSS v4.0.1 |  MEDIUM  |  No  |  Periodic   
-[IAM.21](./iam-controls.html#iam-21) |  IAM customer managed policies that you create should not allow wildcard actions for services  |  AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5  |  LOW  |  No  |  Change triggered   
-[IAM.22](./iam-controls.html#iam-22) |  IAM user credentials unused for 45 days should be removed  | CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.4.0 |  MEDIUM  |  No  |  Periodic   
+[IAM.10](./iam-controls.html#iam-10) |  Password policies for IAM users should have strong configurations  | NIST SP 800-171 Rev. 2, PCI DSS v3.2.1 |  MEDIUM  |  No  |  Periodic   
+[IAM.11](./iam-controls.html#iam-11) |  Ensure IAM password policy requires at least one uppercase letter  | CIS AWS Foundations Benchmark v1.2.0, NIST SP 800-171 Rev. 2, PCI DSS v4.0.1 |  MEDIUM  |  No  |  Periodic   
+[IAM.12](./iam-controls.html#iam-12) |  Ensure IAM password policy requires at least one lowercase letter  | CIS AWS Foundations Benchmark v1.2.0, NIST SP 800-171 Rev. 2, PCI DSS v4.0.1 |  MEDIUM  |  No  |  Periodic   
+[IAM.13](./iam-controls.html#iam-13) |  Ensure IAM password policy requires at least one symbol  | CIS AWS Foundations Benchmark v1.2.0, NIST SP 800-171 Rev. 2, PCI DSS v4.0.1 |  MEDIUM  |  No  |  Periodic   
+[IAM.14](./iam-controls.html#iam-14) |  Ensure IAM password policy requires at least one number  | CIS AWS Foundations Benchmark v1.2.0, NIST SP 800-171 Rev. 2, PCI DSS v4.0.1 |  MEDIUM  |  No  |  Periodic   
+[IAM.15](./iam-controls.html#iam-15) |  Ensure IAM password policy requires minimum password length of 14 or greater  | CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.4.0, CIS AWS Foundations Benchmark v1.2.0, NIST SP 800-171 Rev. 2 |  MEDIUM  |  No  |  Periodic   
+[IAM.16](./iam-controls.html#iam-16) |  Ensure IAM password policy prevents password reuse  | CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.4.0, CIS AWS Foundations Benchmark v1.2.0, NIST SP 800-171 Rev. 2, PCI DSS v4.0.1 |  LOW  |  No  |  Periodic   
+[IAM.17](./iam-controls.html#iam-17) |  Ensure IAM password policy expires passwords within 90 days or less  | CIS AWS Foundations Benchmark v1.2.0, NIST SP 800-171 Rev. 2, PCI DSS v4.0.1 |  LOW  |  No  |  Periodic   
+[IAM.18](./iam-controls.html#iam-18) |  Ensure a support role has been created to manage incidents with AWS Support  | CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.4.0, CIS AWS Foundations Benchmark v1.2.0, NIST SP 800-171 Rev. 2, PCI DSS v4.0.1 |  LOW  |  No  |  Periodic   
+[IAM.19](./iam-controls.html#iam-19) |  MFA should be enabled for all IAM users  | NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2, PCI DSS v3.2.1, PCI DSS v4.0.1 |  MEDIUM  |  No  |  Periodic   
+[IAM.21](./iam-controls.html#iam-21) |  IAM customer managed policies that you create should not allow wildcard actions for services  |  AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2  |  LOW  |  No  |  Change triggered   
+[IAM.22](./iam-controls.html#iam-22) |  IAM user credentials unused for 45 days should be removed  | CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.4.0, NIST SP 800-171 Rev. 2 |  MEDIUM  |  No  |  Periodic   
@@ -407,2 +407,2 @@ Security control ID | Security control title | Applicable standards | Severity |
-[NetworkFirewall.2](./networkfirewall-controls.html#networkfirewall-2) |  Network Firewall logging should be enabled  |  AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  MEDIUM  |  No  |  Periodic   
-[NetworkFirewall.3](./networkfirewall-controls.html#networkfirewall-3) |  Network Firewall policies should have at least one rule group associated  |  AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5  |  MEDIUM  |  No  |  Change triggered   
+[NetworkFirewall.2](./networkfirewall-controls.html#networkfirewall-2) |  Network Firewall logging should be enabled  |  AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2  |  MEDIUM  |  No  |  Periodic   
+[NetworkFirewall.3](./networkfirewall-controls.html#networkfirewall-3) |  Network Firewall policies should have at least one rule group associated  |  AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2  |  MEDIUM  |  No  |  Change triggered   
@@ -410,2 +410,2 @@ Security control ID | Security control title | Applicable standards | Severity |
-[NetworkFirewall.5](./networkfirewall-controls.html#networkfirewall-5) |  The default stateless action for Network Firewall policies should be drop or forward for fragmented packets  |  AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5  |  MEDIUM  |  No  |  Change triggered   
-[NetworkFirewall.6](./networkfirewall-controls.html#networkfirewall-6) |  Stateless network firewall rule group should not be empty  |  AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5  |  MEDIUM  |  No  |  Change triggered   
+[NetworkFirewall.5](./networkfirewall-controls.html#networkfirewall-5) |  The default stateless action for Network Firewall policies should be drop or forward for fragmented packets  |  AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2  |  MEDIUM  |  No  |  Change triggered   
+[NetworkFirewall.6](./networkfirewall-controls.html#networkfirewall-6) |  Stateless network firewall rule group should not be empty  |  AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2  |  MEDIUM  |  No  |  Change triggered   
@@ -500,2 +500,2 @@ Security control ID | Security control title | Applicable standards | Severity |
-[S3.5](./s3-controls.html#s3-5) | S3 general purpose buckets should require requests to use SSL | CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.4.0, AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v3.2.1, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | MEDIUM |  No | Change triggered  
-[S3.6](./s3-controls.html#s3-6) | S3 general purpose bucket policies should restrict access to other AWS accounts | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | HIGH |  No | Change triggered  
+[S3.5](./s3-controls.html#s3-5) | S3 general purpose buckets should require requests to use SSL | CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.4.0, AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2, PCI DSS v3.2.1, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | MEDIUM |  No | Change triggered  
+[S3.6](./s3-controls.html#s3-6) | S3 general purpose bucket policies should restrict access to other AWS accounts | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2 | HIGH |  No | Change triggered  
@@ -504 +504 @@ Security control ID | Security control title | Applicable standards | Severity |
-[S3.9](./s3-controls.html#s3-9) | S3 general purpose buckets should have server access logging enabled | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | MEDIUM |  No | Change triggered  
+[S3.9](./s3-controls.html#s3-9) | S3 general purpose buckets should have server access logging enabled | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | MEDIUM |  No | Change triggered  
@@ -506 +506 @@ Security control ID | Security control title | Applicable standards | Severity |
-[S3.11](./s3-controls.html#s3-11) | S3 general purpose buckets should have event notifications enabled | NIST SP 800-53 Rev. 5 | MEDIUM |  Yes | Change triggered  
+[S3.11](./s3-controls.html#s3-11) | S3 general purpose buckets should have event notifications enabled | NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2 | MEDIUM |  Yes | Change triggered  
@@ -509 +509 @@ Security control ID | Security control title | Applicable standards | Severity |
-[S3.14](./s3-controls.html#s3-14) | S3 general purpose buckets should have versioning enabled | NIST SP 800-53 Rev. 5 | LOW |  No | Change triggered  
+[S3.14](./s3-controls.html#s3-14) | S3 general purpose buckets should have versioning enabled | NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2 | LOW |  No | Change triggered  
@@ -511 +511 @@ Security control ID | Security control title | Applicable standards | Severity |
-[S3.17](./s3-controls.html#s3-17) | S3 general purpose buckets should be encrypted at rest with AWS KMS keys | NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | MEDIUM |  No | Change triggered  
+[S3.17](./s3-controls.html#s3-17) | S3 general purpose buckets should be encrypted at rest with AWS KMS keys | NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | MEDIUM |  No | Change triggered  
@@ -533 +533 @@ Security control ID | Security control title | Applicable standards | Severity |
-[SNS.1](./sns-controls.html#sns-1) | SNS topics should be encrypted at-rest using AWS KMS | NIST SP 800-53 Rev. 5 | MEDIUM |  No | Change triggered  
+[SNS.1](./sns-controls.html#sns-1) | SNS topics should be encrypted at-rest using AWS KMS | NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2 | MEDIUM |  No | Change triggered  
@@ -540 +540 @@ Security control ID | Security control title | Applicable standards | Severity |
-[SSM.2](./ssm-controls.html#ssm-2) |  EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation  | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v3.2.1, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower |  HIGH  |  No  |  Change triggered   
+[SSM.2](./ssm-controls.html#ssm-2) |  EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation  | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2, PCI DSS v3.2.1, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower |  HIGH  |  No  |  Change triggered   
@@ -562 +562 @@ Security control ID | Security control title | Applicable standards | Severity |
-[WAF.12](./waf-controls.html#waf-12) |  AWS WAF rules should have CloudWatch metrics enabled  |  AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  MEDIUM  |  No  |  Change triggered   
+[WAF.12](./waf-controls.html#waf-12) |  AWS WAF rules should have CloudWatch metrics enabled  |  AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2  |  MEDIUM  |  No  |  Change triggered