AWS securityhub documentation change
Summary
Updated documentation to reflect Security Hub CSPM branding, removed version numbers from 'AWS Foundational Security Best Practices' references, and standardized control descriptions. Multiple control entries were updated to remove version-specific references to security standards.
Security assessment
The changes primarily update branding to Security Hub CSPM (Cloud Security Posture Management) and remove version numbers from compliance standard references. While this improves clarity about security posture management features, there is no evidence of addressing a specific vulnerability or security incident. The updates enhance documentation of existing security controls but do not indicate a direct security fix.
Diff
diff --git a/securityhub/latest/userguide/securityhub-controls-reference.md b/securityhub/latest/userguide/securityhub-controls-reference.md index f72db6c13..f8f3f7d13 100644 --- a//securityhub/latest/userguide/securityhub-controls-reference.md +++ b//securityhub/latest/userguide/securityhub-controls-reference.md @@ -3 +3 @@ -[Documentation](/index.html)[AWS Security Hub](/securityhub/index.html)[User Guide](what-is-securityhub.html) +[Documentation](/index.html)[AWS Security Hub](/securityhub/index.html)[ User Guide ](what-is-security-hub-adv.html) @@ -5 +5 @@ -# Security Hub controls reference +# Control reference for Security Hub CSPM @@ -7 +7 @@ -This controls reference provides a list of available AWS Security Hub controls with links to more information about each control. The overview table displays the controls in alphabetical order by control ID. Only controls in active use by Security Hub are included here. Retired controls are excluded from this list. The table provides the following information for each control: +This control reference provides a list of available AWS Security Hub Cloud Security Posture Management (CSPM) controls with links to more information about each control. The overview table displays the controls in alphabetical order by control ID. Only controls in active use by Security Hub CSPM are included here. Retired controls are excluded from this list. The table provides the following information for each control: @@ -9 +9 @@ This controls reference provides a list of available AWS Security Hub controls w - * **Security control ID** – This ID applies across standards and indicates the AWS service and resource that the control relates to. The Security Hub console displays security control IDs, regardless of whether [consolidated control findings](./controls-findings-create-update.html#consolidated-control-findings) is turned on or off in your account. However, Security Hub findings reference security control IDs only if consolidated control findings is turned on in your account. If consolidated control findings is turned off in your account, some control IDs vary by standard in your control findings. For a mapping of standard-specific control IDs to security control IDs, see [How consolidation impacts control IDs and titles](./asff-changes-consolidation.html#securityhub-findings-format-changes-ids-titles). + * **Security control ID** – This ID applies across standards and indicates the AWS service and resource that the control relates to. The Security Hub CSPM console displays security control IDs, regardless of whether [consolidated control findings](./controls-findings-create-update.html#consolidated-control-findings) is turned on or off in your account. However, Security Hub CSPM findings reference security control IDs only if consolidated control findings is turned on in your account. If consolidated control findings is turned off in your account, some control IDs vary by standard in your control findings. For a mapping of standard-specific control IDs to security control IDs, see [How consolidation impacts control IDs and titles](./asff-changes-consolidation.html#securityhub-findings-format-changes-ids-titles). @@ -11 +11 @@ This controls reference provides a list of available AWS Security Hub controls w -If you want to set up [automations](./automations.html) for security controls, we recommend filtering based on control ID rather than title or description. Whereas Security Hub may occasionally update control titles or descriptions, control IDs stay the same. +If you want to set up [automations](./automations.html) for security controls, we recommend filtering based on control ID rather than title or description. Whereas Security Hub CSPM may occasionally update control titles or descriptions, control IDs stay the same. @@ -17 +17 @@ Control IDs may skip numbers. These are placeholders for future controls. - * **Security control title** – This title applies across standards. The Security Hub console displays security control titles, regardless of whether consolidated control findings is turned on or off in your account. However, Security Hub findings reference security control titles only if consolidated control findings is turned on in your account. If consolidated control findings is turned off in your account, some control titles vary by standard in your control findings. For a mapping of standard-specific control IDs to security control IDs, see [How consolidation impacts control IDs and titles](./asff-changes-consolidation.html#securityhub-findings-format-changes-ids-titles). + * **Security control title** – This title applies across standards. The Security Hub CSPM console displays security control titles, regardless of whether consolidated control findings is turned on or off in your account. However, Security Hub CSPM findings reference security control titles only if consolidated control findings is turned on in your account. If consolidated control findings is turned off in your account, some control titles vary by standard in your control findings. For a mapping of standard-specific control IDs to security control IDs, see [How consolidation impacts control IDs and titles](./asff-changes-consolidation.html#securityhub-findings-format-changes-ids-titles). @@ -19 +19 @@ Control IDs may skip numbers. These are placeholders for future controls. - * **Severity** – The severity of a control identifies its importance from a security standpoint. For information about how Security Hub determines control severity, see [Severity level of control findings](./controls-findings-create-update.html#control-findings-severity). + * **Severity** – The severity of a control identifies its importance from a security standpoint. For information about how Security Hub CSPM determines control severity, see [Severity level of control findings](./controls-findings-create-update.html#control-findings-severity). @@ -23 +23 @@ Control IDs may skip numbers. These are placeholders for future controls. - * **Supports custom parameters** – Indicates whether the control supports custom values for one or more parameters. Choose a control to review the parameter details. For more information, see [Understanding control parameters in Security Hub](./custom-control-parameters.html). + * **Supports custom parameters** – Indicates whether the control supports custom values for one or more parameters. Choose a control to review the parameter details. For more information, see [Understanding control parameters in Security Hub CSPM](./custom-control-parameters.html). @@ -53 +53 @@ Security control ID | Security control title | Applicable standards | Severity | -[AppSync.1](./appsync-controls.html#appsync-1) | AWS AppSync API caches should be encrypted at rest | AWS Foundational Security Best Practices v1.0.0 | MEDIUM | No | Change triggered +[AppSync.1](./appsync-controls.html#appsync-1) | AWS AppSync API caches should be encrypted at rest | AWS Foundational Security Best Practices | MEDIUM | No | Change triggered @@ -57 +57 @@ Security control ID | Security control title | Applicable standards | Severity | -[AppSync.6](./appsync-controls.html#appsync-6) | AWS AppSync API caches should be encrypted in transit | AWS Foundational Security Best Practices v1.0.0 | MEDIUM | No | Change triggered +[AppSync.6](./appsync-controls.html#appsync-6) | AWS AppSync API caches should be encrypted in transit | AWS Foundational Security Best Practices | MEDIUM | No | Change triggered @@ -60,2 +60,2 @@ Security control ID | Security control title | Applicable standards | Severity | -[Athena.4](./athena-controls.html#athena-4) | Athena workgroups should have logging enabled | AWS Foundational Security Best Practices v1.0.0 | MEDIUM | No | Change triggered -[AutoScaling.1](./autoscaling-controls.html#autoscaling-1) | Auto Scaling groups associated with a load balancer should use ELB health checks | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5 | LOW | No | Change triggered +[Athena.4](./athena-controls.html#athena-4) | Athena workgroups should have logging enabled | AWS Foundational Security Best Practices | MEDIUM | No | Change triggered +[AutoScaling.1](./autoscaling-controls.html#autoscaling-1) | Auto Scaling groups associated with a load balancer should use ELB health checks | AWS Foundational Security Best Practices, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5 | LOW | No | Change triggered @@ -90 +90 @@ Security control ID | Security control title | Applicable standards | Severity | -[CloudTrail.1](./cloudtrail-controls.html#cloudtrail-1) | CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events | CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.4.0, CIS AWS Foundations Benchmark v1.2.0, AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | HIGH | No | Periodic +[CloudTrail.1](./cloudtrail-controls.html#cloudtrail-1) | CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events | CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.4.0, CIS AWS Foundations Benchmark v1.2.0, AWS Foundational Security Best Practices, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | HIGH | No | Periodic @@ -117,3 +117,3 @@ Security control ID | Security control title | Applicable standards | Severity | -[CodeBuild.1](./codebuild-controls.html#codebuild-1) | CodeBuild Bitbucket source repository URLs should not contain sensitive credentials | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v3.2.1, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | CRITICAL | No | Change triggered -[CodeBuild.2](./codebuild-controls.html#codebuild-2) | CodeBuild project environment variables should not contain clear text credentials | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v3.2.1, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | CRITICAL | No | Change triggered -[CodeBuild.3](./codebuild-controls.html#codebuild-3) | CodeBuild S3 logs should be encrypted | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower, | LOW | No | Change triggered +[CodeBuild.1](./codebuild-controls.html#codebuild-1) | CodeBuild Bitbucket source repository URLs should not contain sensitive credentials | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v3.2.1, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | CRITICAL | No | Change triggered +[CodeBuild.2](./codebuild-controls.html#codebuild-2) | CodeBuild project environment variables should not contain clear text credentials | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v3.2.1, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | CRITICAL | No | Change triggered +[CodeBuild.3](./codebuild-controls.html#codebuild-3) | CodeBuild S3 logs should be encrypted | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower, | LOW | No | Change triggered @@ -121 +121 @@ Security control ID | Security control title | Applicable standards | Severity | -[CodeBuild.7](./codebuild-controls.html#codebuild-7) | CodeBuild report group exports should be encrypted at rest | AWS Foundational Security Best Practices v1.0.0 | MEDIUM | No | Change triggered +[CodeBuild.7](./codebuild-controls.html#codebuild-7) | CodeBuild report group exports should be encrypted at rest | AWS Foundational Security Best Practices | MEDIUM | No | Change triggered @@ -124,2 +124,2 @@ Security control ID | Security control title | Applicable standards | Severity | -[Cognito.1](./cognito-controls.html#cognito-1) | Cognito user pools should have threat protection activated with full function enforcement mode for standard authentication | AWS Foundational Security Best Practices v1.0.0 | MEDIUM | Yes | Change triggered -[Config.1](./config-controls.html#config-1) | AWS Config should be enabled and use the service-linked role for resource recording | CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.4.0, CIS AWS Foundations Benchmark v1.2.0, AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v3.2.1 | CRITICAL | Yes | Periodic +[Cognito.1](./cognito-controls.html#cognito-1) | Cognito user pools should have threat protection activated with full function enforcement mode for standard authentication | AWS Foundational Security Best Practices | MEDIUM | Yes | Change triggered +[Config.1](./config-controls.html#config-1) | AWS Config should be enabled and use the service-linked role for resource recording | CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.4.0, CIS AWS Foundations Benchmark v1.2.0, AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v3.2.1 | CRITICAL | Yes | Periodic @@ -127,3 +127,3 @@ Security control ID | Security control title | Applicable standards | Severity | -[Connect.2](./connect-controls.html#connect-2) | Amazon Connect instances should have CloudWatch logging enabled | AWS Foundational Security Best Practices v1.0.0 | MEDIUM | No | Change triggered -[DataFirehose.1](./datafirehose-controls.html#datafirehose-1) | Firehose delivery streams should be encrypted at rest | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | No | Periodic -[DataSync.1](./datasync-controls.html#datasync-1) | DataSync tasks should have logging enabled | AWS Foundational Security Best Practices v1.0.0 | MEDIUM | No | Change triggered +[Connect.2](./connect-controls.html#connect-2) | Amazon Connect instances should have CloudWatch logging enabled | AWS Foundational Security Best Practices | MEDIUM | No | Change triggered +[DataFirehose.1](./datafirehose-controls.html#datafirehose-1) | Firehose delivery streams should be encrypted at rest | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5 | MEDIUM | No | Periodic +[DataSync.1](./datasync-controls.html#datasync-1) | DataSync tasks should have logging enabled | AWS Foundational Security Best Practices | MEDIUM | No | Change triggered @@ -132 +132 @@ Security control ID | Security control title | Applicable standards | Severity | -[DMS.1](./dms-controls.html#dms-1) | Database Migration Service replication instances should not be public | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v3.2.1, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | CRITICAL | No | Periodic +[DMS.1](./dms-controls.html#dms-1) | Database Migration Service replication instances should not be public | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v3.2.1, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | CRITICAL | No | Periodic @@ -137,7 +137,7 @@ Security control ID | Security control title | Applicable standards | Severity | -[DMS.6](./dms-controls.html#dms-6) | DMS replication instances should have automatic minor version upgrade enabled | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 | MEDIUM | No | Change triggered -[DMS.7](./dms-controls.html#dms-7) | DMS replication tasks for the target database should have logging enabled | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 | MEDIUM | No | Change triggered -[DMS.8](./dms-controls.html#dms-8) | DMS replication tasks for the source database should have logging enabled | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 | MEDIUM | No | Change triggered -[DMS.9](./dms-controls.html#dms-9) | DMS endpoints should use SSL | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 | MEDIUM | No | Change triggered -[DMS.10](./dms-controls.html#dms-10) | DMS endpoints for Neptune databases should have IAM authorization enabled | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 | MEDIUM | No | Change triggered -[DMS.11](./dms-controls.html#dms-11) | DMS endpoints for MongoDB should have an authentication mechanism enabled | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 | MEDIUM | No | Change triggered -[DMS.12](./dms-controls.html#dms-12) | DMS endpoints for Redis OSS should have TLS enabled | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 | MEDIUM | No | Change triggered +[DMS.6](./dms-controls.html#dms-6) | DMS replication instances should have automatic minor version upgrade enabled | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 | MEDIUM | No | Change triggered +[DMS.7](./dms-controls.html#dms-7) | DMS replication tasks for the target database should have logging enabled | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 | MEDIUM | No | Change triggered +[DMS.8](./dms-controls.html#dms-8) | DMS replication tasks for the source database should have logging enabled | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 | MEDIUM | No | Change triggered +[DMS.9](./dms-controls.html#dms-9) | DMS endpoints should use SSL | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 | MEDIUM | No | Change triggered +[DMS.10](./dms-controls.html#dms-10) | DMS endpoints for Neptune databases should have IAM authorization enabled | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 | MEDIUM | No | Change triggered +[DMS.11](./dms-controls.html#dms-11) | DMS endpoints for MongoDB should have an authentication mechanism enabled | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 | MEDIUM | No | Change triggered +[DMS.12](./dms-controls.html#dms-12) | DMS endpoints for Redis OSS should have TLS enabled | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 | MEDIUM | No | Change triggered @@ -145,3 +145,3 @@ Security control ID | Security control title | Applicable standards | Severity | -[DocumentDB.2](./documentdb-controls.html#documentdb-2) | Amazon DocumentDB clusters should have an adequate backup retention period | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | MEDIUM | Yes | Change triggered -[DocumentDB.3](./documentdb-controls.html#documentdb-3) | Amazon DocumentDB manual cluster snapshots should not be public | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 | CRITICAL | No | Change triggered -[DocumentDB.4](./documentdb-controls.html#documentdb-4) | Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 | MEDIUM | No | Change triggered +[DocumentDB.2](./documentdb-controls.html#documentdb-2) | Amazon DocumentDB clusters should have an adequate backup retention period | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | MEDIUM | Yes | Change triggered +[DocumentDB.3](./documentdb-controls.html#documentdb-3) | Amazon DocumentDB manual cluster snapshots should not be public | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 | CRITICAL | No | Change triggered +[DocumentDB.4](./documentdb-controls.html#documentdb-4) | Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 | MEDIUM | No | Change triggered @@ -149 +149 @@ Security control ID | Security control title | Applicable standards | Severity | -[DocumentDB.6](./documentdb-controls.html#documentdb-6) | Amazon DocumentDB clusters should be encrypted in transit | AWS Foundational Security Best Practices v1.0.0 | MEDIUM | No | Periodic +[DocumentDB.6](./documentdb-controls.html#documentdb-6) | Amazon DocumentDB clusters should be encrypted in transit | AWS Foundational Security Best Practices | MEDIUM | No | Periodic @@ -156 +156 @@ Security control ID | Security control title | Applicable standards | Severity | -[DynamoDB.7](./dynamodb-controls.html#dynamodb-7) | DynamoDB Accelerator clusters should be encrypted in transit | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 | MEDIUM | No | Periodic +[DynamoDB.7](./dynamodb-controls.html#dynamodb-7) | DynamoDB Accelerator clusters should be encrypted in transit | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 | MEDIUM | No | Periodic @@ -163 +163 @@ Security control ID | Security control title | Applicable standards | Severity | -[EC2.8](./ec2-controls.html#ec2-8) | EC2 instances should use Instance Metadata Service Version 2 (IMDSv2) | CIS AWS Foundations Benchmark v3.0.0, AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | HIGH | No | Change triggered +[EC2.8](./ec2-controls.html#ec2-8) | EC2 instances should use Instance Metadata Service Version 2 (IMDSv2) | CIS AWS Foundations Benchmark v3.0.0, AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | HIGH | No | Change triggered @@ -169,2 +169,2 @@ Security control ID | Security control title | Applicable standards | Severity | -[EC2.15](./ec2-controls.html#ec2-15) | EC2 subnets should not automatically assign public IP addresses | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower, | MEDIUM | No | Change triggered -[EC2.16](./ec2-controls.html#ec2-16) | Unused Network Access Control Lists should be removed | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower, | LOW | No | Change triggered +[EC2.15](./ec2-controls.html#ec2-15) | EC2 subnets should not automatically assign public IP addresses | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower, | MEDIUM | No | Change triggered +[EC2.16](./ec2-controls.html#ec2-16) | Unused Network Access Control Lists should be removed | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower, | LOW | No | Change triggered @@ -173 +173 @@ Security control ID | Security control title | Applicable standards | Severity | -[EC2.19](./ec2-controls.html#ec2-19) | Security groups should not allow unrestricted access to ports with high risk | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2 | CRITICAL | No | Change triggered and periodic +[EC2.19](./ec2-controls.html#ec2-19) | Security groups should not allow unrestricted access to ports with high risk | AWS Foundational Security Best Practices, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2 | CRITICAL | No | Change triggered and periodic @@ -175 +175 @@ Security control ID | Security control title | Applicable standards | Severity | -[EC2.21](./ec2-controls.html#ec2-21) | Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389 | CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.4.0, AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2, PCI DSS v4.0.1 | MEDIUM | No | Change triggered +[EC2.21](./ec2-controls.html#ec2-21) | Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389 | CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.4.0, AWS Foundational Security Best Practices, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2, PCI DSS v4.0.1 | MEDIUM | No | Change triggered @@ -179 +179 @@ Security control ID | Security control title | Applicable standards | Severity | -[EC2.25](./ec2-controls.html#ec2-25) | EC2 launch templates should not assign public IPs to network interfaces | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | HIGH | No | Change triggered +[EC2.25](./ec2-controls.html#ec2-25) | EC2 launch templates should not assign public IPs to network interfaces | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | HIGH | No | Change triggered @@ -199 +199 @@ Security control ID | Security control title | Applicable standards | Severity | -[EC2.51](./ec2-controls.html#ec2-51) | EC2 Client VPN endpoints should have client connection logging enabled | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2, PCI DSS v4.0.1 | LOW | No | Change triggered +[EC2.51](./ec2-controls.html#ec2-51) | EC2 Client VPN endpoints should have client connection logging enabled | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2, PCI DSS v4.0.1 | LOW | No | Change triggered @@ -203,9 +203,9 @@ Security control ID | Security control title | Applicable standards | Severity | -[EC2.55](./ec2-controls.html#ec2-55) | VPCs should be configured with an interface endpoint for ECR API | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | Yes | Periodic -[EC2.56](./ec2-controls.html#ec2-56) | VPCs should be configured with an interface endpoint for Docker Registry | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | Yes | Periodic -[EC2.57](./ec2-controls.html#ec2-57) | VPCs should be configured with an interface endpoint for Systems Manager | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | Yes | Periodic -[EC2.58](./ec2-controls.html#ec2-58) | VPCs should be configured with an interface endpoint for Systems Manager Incident Manager Contacts | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | Yes | Periodic -[EC2.60](./ec2-controls.html#ec2-60) | VPCs should be configured with an interface endpoint for Systems Manager Incident Manager | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | Yes | Periodic -[EC2.170](./ec2-controls.html#ec2-170) | EC2 launch templates should use Instance Metadata Service Version 2 (IMDSv2) | AWS Foundational Security Best Practices v1.0.0, PCI DSS v4.0.1 | LOW | No | Change triggered -[EC2.171](./ec2-controls.html#ec2-171) | EC2 VPN connections should have logging enabled | AWS Foundational Security Best Practices v1.0.0, PCI DSS v4.0.1 | MEDIUM | No | Change triggered -[EC2.172](./ec2-controls.html#ec2-172) | EC2 VPC Block Public Access settings should block internet gateway traffic | AWS Foundational Security Best Practices v1.0.0 | MEDIUM | Yes | Change triggered -[EC2.173](./ec2-controls.html#ec2-173) | EC2 Spot Fleet requests should enable encryption for attached EBS volumes | AWS Foundational Security Best Practices v1.0.0 | MEDIUM | No | Change triggered +[EC2.55](./ec2-controls.html#ec2-55) | VPCs should be configured with an interface endpoint for ECR API | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5 | MEDIUM | Yes | Periodic +[EC2.56](./ec2-controls.html#ec2-56) | VPCs should be configured with an interface endpoint for Docker Registry | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5 | MEDIUM | Yes | Periodic +[EC2.57](./ec2-controls.html#ec2-57) | VPCs should be configured with an interface endpoint for Systems Manager | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5 | MEDIUM | Yes | Periodic +[EC2.58](./ec2-controls.html#ec2-58) | VPCs should be configured with an interface endpoint for Systems Manager Incident Manager Contacts | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5 | MEDIUM | Yes | Periodic +[EC2.60](./ec2-controls.html#ec2-60) | VPCs should be configured with an interface endpoint for Systems Manager Incident Manager | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5 | MEDIUM | Yes | Periodic +[EC2.170](./ec2-controls.html#ec2-170) | EC2 launch templates should use Instance Metadata Service Version 2 (IMDSv2) | AWS Foundational Security Best Practices, PCI DSS v4.0.1 | LOW | No | Change triggered +[EC2.171](./ec2-controls.html#ec2-171) | EC2 VPN connections should have logging enabled | AWS Foundational Security Best Practices, PCI DSS v4.0.1 | MEDIUM | No | Change triggered +[EC2.172](./ec2-controls.html#ec2-172) | EC2 VPC Block Public Access settings should block internet gateway traffic | AWS Foundational Security Best Practices | MEDIUM | Yes | Change triggered +[EC2.173](./ec2-controls.html#ec2-173) | EC2 Spot Fleet requests should enable encryption for attached EBS volumes | AWS Foundational Security Best Practices | MEDIUM | No | Change triggered @@ -218 +218 @@ Security control ID | Security control title | Applicable standards | Severity | -[ECR.1](./ecr-controls.html#ecr-1) | ECR private repositories should have image scanning configured | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | HIGH | No | Periodic +[ECR.1](./ecr-controls.html#ecr-1) | ECR private repositories should have image scanning configured | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | HIGH | No | Periodic @@ -224 +224 @@ Security control ID | Security control title | Applicable standards | Severity | -[ECS.2](./ecs-controls.html#ecs-2) | ECS services should not have public IP addresses assigned to them automatically | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | HIGH | No | Change triggered +[ECS.2](./ecs-controls.html#ecs-2) | ECS services should not have public IP addresses assigned to them automatically | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | HIGH | No | Change triggered @@ -228 +228 @@ Security control ID | Security control title | Applicable standards | Severity | -[ECS.8](./ecs-controls.html#ecs-8) | Secrets should not be passed as container environment variables | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | HIGH | No | Change triggered +[ECS.8](./ecs-controls.html#ecs-8) | Secrets should not be passed as container environment variables | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | HIGH | No | Change triggered @@ -230 +230 @@ Security control ID | Security control title | Applicable standards | Severity | -[ECS.10](./ecs-controls.html#ecs-10) | ECS Fargate services should run on the latest Fargate platform version | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | MEDIUM | No | Change triggered +[ECS.10](./ecs-controls.html#ecs-10) | ECS Fargate services should run on the latest Fargate platform version | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | MEDIUM | No | Change triggered @@ -235 +235 @@ Security control ID | Security control title | Applicable standards | Severity | -[ECS.16](./ecs-controls.html#ecs-16) | ECS task sets should not automatically assign public IP addresses | AWS Foundational Security Best Practices v1.0.0, PCI DSS v4.0.1 | HIGH | No | Change triggered +[ECS.16](./ecs-controls.html#ecs-16) | ECS task sets should not automatically assign public IP addresses | AWS Foundational Security Best Practices, PCI DSS v4.0.1 | HIGH | No | Change triggered @@ -240 +240 @@ Security control ID | Security control title | Applicable standards | Severity | -[EFS.4](./efs-controls.html#efs-4) | EFS access points should enforce a user identity | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | MEDIUM | No | Change triggered +[EFS.4](./efs-controls.html#efs-4) | EFS access points should enforce a user identity | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | MEDIUM | No | Change triggered @@ -242,6 +242,6 @@ Security control ID | Security control title | Applicable standards | Severity | -[EFS.6](./efs-controls.html#efs-6) | EFS mount targets should not be associated with a public subnet | AWS Foundational Security Best Practices v1.0.0 | MEDIUM | No | Periodic -[EFS.7](./efs-controls.html#efs-7) | EFS file systems should have automatic backups enabled | AWS Foundational Security Best Practices v1.0.0 | MEDIUM | No | Change triggered -[EFS.8](./efs-controls.html#efs-8) | EFS file systems should be encrypted at rest | AWS Foundational Security Best Practices v1.0.0 | MEDIUM | Yes | Change triggered -[EKS.1](./eks-controls.html#eks-1) | EKS cluster endpoints should not be publicly accessible | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 | HIGH | No | Periodic -[EKS.2](./eks-controls.html#eks-2) | EKS clusters should run on a supported Kubernetes version | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | HIGH | No | Change triggered -[EKS.3](./eks-controls.html#eks-3) | EKS clusters should use encrypted Kubernetes secrets | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 | MEDIUM | No | Periodic +[EFS.6](./efs-controls.html#efs-6) | EFS mount targets should not be associated with a public subnet | AWS Foundational Security Best Practices | MEDIUM | No | Periodic +[EFS.7](./efs-controls.html#efs-7) | EFS file systems should have automatic backups enabled | AWS Foundational Security Best Practices | MEDIUM | No | Change triggered +[EFS.8](./efs-controls.html#efs-8) | EFS file systems should be encrypted at rest | AWS Foundational Security Best Practices | MEDIUM | Yes | Change triggered +[EKS.1](./eks-controls.html#eks-1) | EKS cluster endpoints should not be publicly accessible | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 | HIGH | No | Periodic +[EKS.2](./eks-controls.html#eks-2) | EKS clusters should run on a supported Kubernetes version | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | HIGH | No | Change triggered +[EKS.3](./eks-controls.html#eks-3) | EKS clusters should use encrypted Kubernetes secrets | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 | MEDIUM | No | Periodic @@ -250 +250 @@ Security control ID | Security control title | Applicable standards | Severity | -[EKS.8](./eks-controls.html#eks-8) | EKS clusters should have audit logging enabled | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 | MEDIUM | No | Change triggered +[EKS.8](./eks-controls.html#eks-8) | EKS clusters should have audit logging enabled | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 | MEDIUM | No | Change triggered @@ -252 +252 @@ Security control ID | Security control title | Applicable standards | Severity | -[ElastiCache.2](./elasticache-controls.html#elasticache-2) | ElastiCache clusters should have automatic minor version upgrades enabled | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 | HIGH | No | Periodic +[ElastiCache.2](./elasticache-controls.html#elasticache-2) | ElastiCache clusters should have automatic minor version upgrades enabled | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 | HIGH | No | Periodic @@ -255,2 +255,2 @@ Security control ID | Security control title | Applicable standards | Severity | -[ElastiCache.5](./elasticache-controls.html#elasticache-5) | ElastiCache replication groups should be encrypted-in-transit | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 | MEDIUM | No | Periodic -[ElastiCache.6](./elasticache-controls.html#elasticache-6) | ElastiCache (Redis OSS) replication groups of earlier versions should have Redis OSS AUTH enabled | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 | MEDIUM | No | Periodic +[ElastiCache.5](./elasticache-controls.html#elasticache-5) | ElastiCache replication groups should be encrypted-in-transit | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 | MEDIUM | No | Periodic +[ElastiCache.6](./elasticache-controls.html#elasticache-6) | ElastiCache (Redis OSS) replication groups of earlier versions should have Redis OSS AUTH enabled | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 | MEDIUM | No | Periodic @@ -259,2 +259,2 @@ Security control ID | Security control title | Applicable standards | Severity | -[ElasticBeanstalk.2](./elasticbeanstalk-controls.html#elasticbeanstalk-2) | Elastic Beanstalk managed platform updates should be enabled | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | HIGH | Yes | Change triggered -[ElasticBeanstalk.3](./elasticbeanstalk-controls.html#elasticbeanstalk-3) | Elastic Beanstalk should stream logs to CloudWatch | AWS Foundational Security Best Practices v1.0.0, PCI DSS v4.0.1 | HIGH | Yes | Change triggered +[ElasticBeanstalk.2](./elasticbeanstalk-controls.html#elasticbeanstalk-2) | Elastic Beanstalk managed platform updates should be enabled | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | HIGH | Yes | Change triggered +[ElasticBeanstalk.3](./elasticbeanstalk-controls.html#elasticbeanstalk-3) | Elastic Beanstalk should stream logs to CloudWatch | AWS Foundational Security Best Practices, PCI DSS v4.0.1 | HIGH | Yes | Change triggered @@ -263,2 +263,2 @@ Security control ID | Security control title | Applicable standards | Severity | -[ELB.3](./elb-controls.html#elb-3) | Classic Load Balancer listeners should be configured with HTTPS or TLS termination | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | MEDIUM | No | Change triggered -[ELB.4](./elb-controls.html#elb-4) | Application Load Balancer should be configured to drop http headers | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | MEDIUM | No | Change triggered +[ELB.3](./elb-controls.html#elb-3) | Classic Load Balancer listeners should be configured with HTTPS or TLS termination | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | MEDIUM | No | Change triggered +[ELB.4](./elb-controls.html#elb-4) | Application Load Balancer should be configured to drop http headers | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | MEDIUM | No | Change triggered @@ -266 +266 @@ Security control ID | Security control title | Applicable standards | Severity | -[ELB.6](./elb-controls.html#elb-6) | Application, Gateway, and Network Load Balancers should have deletion protection enabled | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | No | Change triggered +[ELB.6](./elb-controls.html#elb-6) | Application, Gateway, and Network Load Balancers should have deletion protection enabled | AWS Foundational Security Best Practices, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | No | Change triggered @@ -268 +268 @@ Security control ID | Security control title | Applicable standards | Severity | -[ELB.8](./elb-controls.html#elb-8) | Classic Load Balancers with SSL listeners should use a predefined security policy that has strong configuration | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | MEDIUM | No | Change triggered +[ELB.8](./elb-controls.html#elb-8) | Classic Load Balancers with SSL listeners should use a predefined security policy that has strong configuration | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | MEDIUM | No | Change triggered @@ -271 +271 @@ Security control ID | Security control title | Applicable standards | Severity | -[ELB.12](./elb-controls.html#elb-12) | Application Load Balancer should be configured with defensive or strictest desync mitigation mode | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | MEDIUM | No | Change triggered +[ELB.12](./elb-controls.html#elb-12) | Application Load Balancer should be configured with defensive or strictest desync mitigation mode | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | MEDIUM | No | Change triggered @@ -273 +273 @@ Security control ID | Security control title | Applicable standards | Severity | -[ELB.14](./elb-controls.html#elb-14) | Classic Load Balancer should be configured with defensive or strictest desync mitigation mode | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | MEDIUM | No | Change triggered +[ELB.14](./elb-controls.html#elb-14) | Classic Load Balancer should be configured with defensive or strictest desync mitigation mode | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | MEDIUM | No | Change triggered @@ -275,5 +275,5 @@ Security control ID | Security control title | Applicable standards | Severity | -[ELB.17](./elb-controls.html#elb-17) | Application and Network Load Balancers with listeners should use recommended security policies | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | No | Change triggered