AWS Security ChangesHomeSearch

AWS managedservices documentation change

Service: managedservices · 2025-12-10 · Documentation low

File: managedservices/latest/userguide/tr-supported-checks.md

Summary

Updated references from 'Security Hub controls' to 'Security Hub CSPM controls' throughout the document. Changed all corresponding Security Hub check links to specify CSPM controls.

Security assessment

The changes refine terminology to specify CSPM (Cloud Security Posture Management) controls but don't address any specific vulnerability. This enhances documentation accuracy for existing security features but doesn't introduce new security content or fix vulnerabilities. Evidence shows only terminology updates without security incident references.

Diff

diff --git a/managedservices/latest/userguide/tr-supported-checks.md b/managedservices/latest/userguide/tr-supported-checks.md
index 4296a9ae0..9905efd33 100644
--- a//managedservices/latest/userguide/tr-supported-checks.md
+++ b//managedservices/latest/userguide/tr-supported-checks.md
@@ -11 +11 @@ The following table lists the supported Trusted Advisor checks, SSM automation d
-Make sure that the corresponding config rule for each Trusted Advisor check is present for the supported checks that you want to enable remediation for. For more information, see [ View AWS Trusted Advisor checks powered by AWS Config](https://docs.aws.amazon.com/awssupport/latest/user/aws-config-integration-with-ta.html). If a check has corresponding AWS Security Hub controls, make sure that the Security Hub control is enabled. For more information, see [Enabling controls in Security Hub](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-enable-disable-controls.html). For information on managing preconfigured parameters, see [ Configure Trusted Advisor check remediation in Trusted Remediator](https://docs.aws.amazon.com/managedservices/latest/accelerate-guide/tr-configure-remediations.html).
+Make sure that the corresponding config rule for each Trusted Advisor check is present for the supported checks that you want to enable remediation for. For more information, see [ View AWS Trusted Advisor checks powered by AWS Config](https://docs.aws.amazon.com/awssupport/latest/user/aws-config-integration-with-ta.html). If a check has corresponding AWS Security Hub CSPM controls, make sure that the Security Hub CSPM control is enabled. For more information, see [Enabling controls in Security Hub CSPM](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-enable-disable-controls.html). For information on managing preconfigured parameters, see [ Configure Trusted Advisor check remediation in Trusted Remediator](https://docs.aws.amazon.com/managedservices/latest/accelerate-guide/tr-configure-remediations.html).
@@ -55,6 +55,6 @@ Check ID and name | SSM document name and expected outcome | Supported preconfig
-Hs4Ma3G127 - API Gateway REST and WebSocket API execution logging should be enabled Corresponding AWS Security Hub check: [APIGateway.1](https://docs.aws.amazon.com/securityhub/latest/userguide/apigateway-controls.html#apigateway-1) | **AWSManagedServices-TrustedRemediatorEnableAPIGateWayExecutionLogging** Execution logging is enabled on the API stage. | **LogLevel:** Logging level to enable execution logging, `ERROR` \- Logging is enabled for errors only. `INFO` \- Logging is enabled for all events. You must grant API Gateway permission to read and write logs to CloudWatch for your account in order to enable execution log, refer to [Set up CloudWatch logging for REST APIs in API Gateway](https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-logging.html) for detail.  
-Hs4Ma3G129 - API Gateway REST API stages should have AWS X-Ray tracing enabled Corresponding AWS Security Hub check: [APIGateway.3](https://docs.aws.amazon.com/securityhub/latest/userguide/apigateway-controls.html#apigateway-3) | **AWSManagedServices-EnableApiGateWayXRayTracing** X-Ray tracing is enabled on the API stage. | No preconfigured parameters are allowed. No constraints  
-Hs4Ma3G202 - API Gateway REST API cache data should be encrypted at rest Corresponding AWS Security Hub check: [APIGateway.5](https://docs.aws.amazon.com/securityhub/latest/userguide/apigateway-controls.html#apigateway-5) | **AWSManagedServices-EnableAPIGatewayCacheEncryption** Enable encryption at rest for API Gateway REST API cache data if the API Gateway REST API stage has cache enabled. | No preconfigured parameters are allowed. No constraints  
-Hs4Ma3G177 -  Corresponding AWS Security Hub check - Auto scaling groups associated with a load balancer should use load balancer health checks [AutoScaling.1](https://docs.aws.amazon.com/securityhub/latest/userguide/autoscaling-controls.html#autoscaling-1) | **AWSManagedServices-TrustedRemediatorEnableAutoScalingGroupELBHealthCheck** ELB health checks are enabled for the Auto Scaling Group. | **HealthCheckGracePeriod:** The amount of time, in seconds, that Auto Scaling waits before checking the health status of an Amazon Elastic Compute Cloud instance that has come into service. Turning on ELB health checks might result in replacing a running instance if any of the ELB load balancers attached to the Auto Scaling group report it as unhealthy. For more information, see [Attach an ELB load balancer to your Auto Scaling group](https://docs.aws.amazon.com/autoscaling/ec2/userguide/attach-load-balancer-asg.html)  
-Hs4Ma3G245 - CloudFormation stacks should be integrated with Amazon Simple Notification Service Corresponding AWS Security Hub check: [CloudFormation.1](https://docs.aws.amazon.com/securityhub/latest/userguide/cloudformation-controls.html#cloudformation-1) | **AWSManagedServices-EnableCFNStackNotification** Associate a CloudFormation stack with an Amazon SNS topic for notification. | **NotificationARNs:** The ARNs of the Amazon SNS topics to be associated with selected CloudFormation stacks. To enable auto remediation, The `NotificationARNs` preconfigured parameter must be provided.  
-Hs4Ma3G210 - CloudFront distributions should have logging enabled Corresponding AWS Security Hub check: [CloudFront.2](https://docs.aws.amazon.com/securityhub/latest/userguide/cloudfront-controls.html#cloudfront-5) | **AWSManagedServices-EnableCloudFrontDistributionLogging** Logging is enabled for Amazon CloudFront distributions. | 
+Hs4Ma3G127 - API Gateway REST and WebSocket API execution logging should be enabled Corresponding AWS Security Hub CSPM check: [APIGateway.1](https://docs.aws.amazon.com/securityhub/latest/userguide/apigateway-controls.html#apigateway-1) | **AWSManagedServices-TrustedRemediatorEnableAPIGateWayExecutionLogging** Execution logging is enabled on the API stage. | **LogLevel:** Logging level to enable execution logging, `ERROR` \- Logging is enabled for errors only. `INFO` \- Logging is enabled for all events. You must grant API Gateway permission to read and write logs to CloudWatch for your account in order to enable execution log, refer to [Set up CloudWatch logging for REST APIs in API Gateway](https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-logging.html) for detail.  
+Hs4Ma3G129 - API Gateway REST API stages should have AWS X-Ray tracing enabled Corresponding AWS Security Hub CSPM check: [APIGateway.3](https://docs.aws.amazon.com/securityhub/latest/userguide/apigateway-controls.html#apigateway-3) | **AWSManagedServices-EnableApiGateWayXRayTracing** X-Ray tracing is enabled on the API stage. | No preconfigured parameters are allowed. No constraints  
+Hs4Ma3G202 - API Gateway REST API cache data should be encrypted at rest Corresponding AWS Security Hub CSPM check: [APIGateway.5](https://docs.aws.amazon.com/securityhub/latest/userguide/apigateway-controls.html#apigateway-5) | **AWSManagedServices-EnableAPIGatewayCacheEncryption** Enable encryption at rest for API Gateway REST API cache data if the API Gateway REST API stage has cache enabled. | No preconfigured parameters are allowed. No constraints  
+Hs4Ma3G177 -  Corresponding AWS Security Hub CSPM check - Auto scaling groups associated with a load balancer should use load balancer health checks [AutoScaling.1](https://docs.aws.amazon.com/securityhub/latest/userguide/autoscaling-controls.html#autoscaling-1) | **AWSManagedServices-TrustedRemediatorEnableAutoScalingGroupELBHealthCheck** ELB health checks are enabled for the Auto Scaling Group. | **HealthCheckGracePeriod:** The amount of time, in seconds, that Auto Scaling waits before checking the health status of an Amazon Elastic Compute Cloud instance that has come into service. Turning on ELB health checks might result in replacing a running instance if any of the ELB load balancers attached to the Auto Scaling group report it as unhealthy. For more information, see [Attach an ELB load balancer to your Auto Scaling group](https://docs.aws.amazon.com/autoscaling/ec2/userguide/attach-load-balancer-asg.html)  
+Hs4Ma3G245 - CloudFormation stacks should be integrated with Amazon Simple Notification Service Corresponding AWS Security Hub CSPM check: [CloudFormation.1](https://docs.aws.amazon.com/securityhub/latest/userguide/cloudformation-controls.html#cloudformation-1) | **AWSManagedServices-EnableCFNStackNotification** Associate a CloudFormation stack with an Amazon SNS topic for notification. | **NotificationARNs:** The ARNs of the Amazon SNS topics to be associated with selected CloudFormation stacks. To enable auto remediation, The `NotificationARNs` preconfigured parameter must be provided.  
+Hs4Ma3G210 - CloudFront distributions should have logging enabled Corresponding AWS Security Hub CSPM check: [CloudFront.2](https://docs.aws.amazon.com/securityhub/latest/userguide/cloudfront-controls.html#cloudfront-5) | **AWSManagedServices-EnableCloudFrontDistributionLogging** Logging is enabled for Amazon CloudFront distributions. | 
@@ -73,2 +73,2 @@ For this remediations constraints, see [ How do I turn on logging for my CloudFr
-Hs4Ma3G109 - CloudTrail log file validation should be enabled Corresponding AWS Security Hub check: [CloudTrail.4](https://docs.aws.amazon.com/securityhub/latest/userguide/cloudtrail-controls.html#cloudtrail-4) | **AWSManagedServices-TrustedRemediatorEnableCloudTrailLogValidation** Enables CloudTrail trail log validation. | No preconfigured parameters are allowed. No constraints  
-Hs4Ma3G108 - CloudTrail trails should be integrated with Amazon CloudWatch Logs Corresponding AWS Security Hub check: [CloudTrail.5](https://docs.aws.amazon.com/securityhub/latest/userguide/cloudtrail-controls.html#cloudtrail-5) | **AWSManagedServices-IntegrateCloudTrailWithCloudWatch** AWS CloudTrail is integrated with CloudWatch Logs. | 
+Hs4Ma3G109 - CloudTrail log file validation should be enabled Corresponding AWS Security Hub CSPM check: [CloudTrail.4](https://docs.aws.amazon.com/securityhub/latest/userguide/cloudtrail-controls.html#cloudtrail-4) | **AWSManagedServices-TrustedRemediatorEnableCloudTrailLogValidation** Enables CloudTrail trail log validation. | No preconfigured parameters are allowed. No constraints  
+Hs4Ma3G108 - CloudTrail trails should be integrated with Amazon CloudWatch Logs Corresponding AWS Security Hub CSPM check: [CloudTrail.5](https://docs.aws.amazon.com/securityhub/latest/userguide/cloudtrail-controls.html#cloudtrail-5) | **AWSManagedServices-IntegrateCloudTrailWithCloudWatch** AWS CloudTrail is integrated with CloudWatch Logs. | 
@@ -85,4 +85,4 @@ To enable auto remediation, the following preconfigured parameters must be provi
-Hs4Ma3G217 - CodeBuild project environments should have a logging AWS configuration Corresponding AWS Security Hub check: [CodeBuild.4](https://docs.aws.amazon.com/securityhub/latest/userguide/codebuild-controls.html#codebuild-4) | **AWSManagedServices-TrustedRemediatorEnableCodeBuildLoggingConfig** Enables the logging for CodeBuild project. | No preconfigured parameters are allowed. No constraints  
-Hs4Ma3G306 - Neptune DB clusters should have deletion protection enabled Corresponding AWS Security Hub check: [DocumentDB.3](https://docs.aws.amazon.com/securityhub/latest/userguide/documentdb-controls.html#documentdb-3) | **AWSManagedServices-TrustedRemediatorDisablePublicAccessOnDocumentDBSnapshot** Removes public access from Amazon DocumentDB manual cluster snapshot. | No preconfigured parameters are allowed. No constraints  
-Hs4Ma3G308 - Amazon DocumentDB clusters should have deletion protection enabled Corresponding AWS Security Hub check: [DocumentDB.5](https://docs.aws.amazon.com/securityhub/latest/userguide/documentdb-controls.html#documentdb-5) | **AWSManagedServices-TrustedRemediatorEnableDocumentDBClusterDeletionProtection** Enables deletion protection for Amazon DocumentDB cluster. | No preconfigured parameters are allowed. No constraints  
-Hs4Ma3G323 - DynamoDB tables should have deletion protection enabled Corresponding AWS Security Hub check: [DynamoDB.6](https://docs.aws.amazon.com/securityhub/latest/userguide/dynamodb-controls.html#dynamodb-6) | **AWSManagedServices-TrustedRemediatorEnableDynamoDBTableDeletionProtection** Enables deletion protection for non-AMS DynamoDB tables. | No preconfigured parameters are allowed. No constraints  
+Hs4Ma3G217 - CodeBuild project environments should have a logging AWS configuration Corresponding AWS Security Hub CSPM check: [CodeBuild.4](https://docs.aws.amazon.com/securityhub/latest/userguide/codebuild-controls.html#codebuild-4) | **AWSManagedServices-TrustedRemediatorEnableCodeBuildLoggingConfig** Enables the logging for CodeBuild project. | No preconfigured parameters are allowed. No constraints  
+Hs4Ma3G306 - Neptune DB clusters should have deletion protection enabled Corresponding AWS Security Hub CSPM check: [DocumentDB.3](https://docs.aws.amazon.com/securityhub/latest/userguide/documentdb-controls.html#documentdb-3) | **AWSManagedServices-TrustedRemediatorDisablePublicAccessOnDocumentDBSnapshot** Removes public access from Amazon DocumentDB manual cluster snapshot. | No preconfigured parameters are allowed. No constraints  
+Hs4Ma3G308 - Amazon DocumentDB clusters should have deletion protection enabled Corresponding AWS Security Hub CSPM check: [DocumentDB.5](https://docs.aws.amazon.com/securityhub/latest/userguide/documentdb-controls.html#documentdb-5) | **AWSManagedServices-TrustedRemediatorEnableDocumentDBClusterDeletionProtection** Enables deletion protection for Amazon DocumentDB cluster. | No preconfigured parameters are allowed. No constraints  
+Hs4Ma3G323 - DynamoDB tables should have deletion protection enabled Corresponding AWS Security Hub CSPM check: [DynamoDB.6](https://docs.aws.amazon.com/securityhub/latest/userguide/dynamodb-controls.html#dynamodb-6) | **AWSManagedServices-TrustedRemediatorEnableDynamoDBTableDeletionProtection** Enables deletion protection for non-AMS DynamoDB tables. | No preconfigured parameters are allowed. No constraints  
@@ -90,2 +90,2 @@ Hs4Ma3G323 - DynamoDB tables should have deletion protection enabled Correspondi
-Hs4Ma3G118 - VPC default security groups should not allow inbound or outbound traffic Corresponding AWS Security Hub check: [EC2.2](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-2) | **AWSManagedServices-TrustedRemediatorRemoveAllRulesFromDefaultSG** All ingress and egress rules in the default security group are removed. | No preconfigured parameters are allowed. No constraints  
-Hs4Ma3G117 - Attached EBS volumes should be encrypted at-rest Corresponding AWS Security Hub check: [EC2.3](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-3) | **AWSManagedServices-EncryptInstanceVolume** The attached Amazon EBS volume on the instance is encrypted. | 
+Hs4Ma3G118 - VPC default security groups should not allow inbound or outbound traffic Corresponding AWS Security Hub CSPM check: [EC2.2](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-2) | **AWSManagedServices-TrustedRemediatorRemoveAllRulesFromDefaultSG** All ingress and egress rules in the default security group are removed. | No preconfigured parameters are allowed. No constraints  
+Hs4Ma3G117 - Attached EBS volumes should be encrypted at-rest Corresponding AWS Security Hub CSPM check: [EC2.3](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-3) | **AWSManagedServices-EncryptInstanceVolume** The attached Amazon EBS volume on the instance is encrypted. | 
@@ -97,4 +97,4 @@ The instance is rebooted as a part of the remediation and rollback is possible i
-Hs4Ma3G120 - Stopped EC2 instances should be removed after a specified time period Corresponding AWS Security Hub check: [EC2.4](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-4) | **AWSManagedServices-TerminateInstance** (default SSM document for both auto and manual execution mode) Amazon EC2 instances stopped for 30 days are terminated. | **CreateAMIBeforeTermination:**. To create the instance AMI as a backup before terminating the EC2 instance, choose `true`. To not create a backup before terminating, choose `false`. The default is `true`. No constraints  
-Hs4Ma3G120 - Stopped EC2 instances should be removed after a specified time period Corresponding AWS Security Hub check: [EC2.4](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-4) | **AWSManagedServices-TerminateEC2InstanceStoppedForPeriodOfTime** \- Amazon EC2 instances stopped for number of days defined in Security Hub (default value is 30) are terminated. | **CreateAMIBeforeTermination:** To create the instance AMI as a backup before terminating the EC2 instance, choose `true`. To not create a backup before terminating, choose `false`. The default is `true`. No constraints  
-Hs4Ma3G121 - EBS default encryption should be enabled Corresponding AWS Security Hub check: [EC2.7](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-7) | **AWSManagedServices-EncryptEBSByDefault** Amazon EBS encryption by default is enabled for the specific AWS Region | No preconfigured parameters are allowed. Encryption by default is a Region-specific setting. If you enable it for a Region, you can't disable it for individual volumes or snapshots in that Region.  
-Hs4Ma3G124 - Amazon EC2 instances should use Instance Metadata Service Version 2 (IMDSv2) Corresponding AWS Security Hub check: [EC2.8](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-8) | **AWSManagedServices-TrustedRemediator****EnableEC2InstanceIMDSv2** Amazon EC2 instances use Instance Metadata Service Version 2 (IMDSv2). | 
+Hs4Ma3G120 - Stopped EC2 instances should be removed after a specified time period Corresponding AWS Security Hub CSPM check: [EC2.4](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-4) | **AWSManagedServices-TerminateInstance** (default SSM document for both auto and manual execution mode) Amazon EC2 instances stopped for 30 days are terminated. | **CreateAMIBeforeTermination:**. To create the instance AMI as a backup before terminating the EC2 instance, choose `true`. To not create a backup before terminating, choose `false`. The default is `true`. No constraints  
+Hs4Ma3G120 - Stopped EC2 instances should be removed after a specified time period Corresponding AWS Security Hub CSPM check: [EC2.4](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-4) | **AWSManagedServices-TerminateEC2InstanceStoppedForPeriodOfTime** \- Amazon EC2 instances stopped for number of days defined in Security Hub (default value is 30) are terminated. | **CreateAMIBeforeTermination:** To create the instance AMI as a backup before terminating the EC2 instance, choose `true`. To not create a backup before terminating, choose `false`. The default is `true`. No constraints  
+Hs4Ma3G121 - EBS default encryption should be enabled Corresponding AWS Security Hub CSPM check: [EC2.7](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-7) | **AWSManagedServices-EncryptEBSByDefault** Amazon EBS encryption by default is enabled for the specific AWS Region | No preconfigured parameters are allowed. Encryption by default is a Region-specific setting. If you enable it for a Region, you can't disable it for individual volumes or snapshots in that Region.  
+Hs4Ma3G124 - Amazon EC2 instances should use Instance Metadata Service Version 2 (IMDSv2) Corresponding AWS Security Hub CSPM check: [EC2.8](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-8) | **AWSManagedServices-TrustedRemediator****EnableEC2InstanceIMDSv2** Amazon EC2 instances use Instance Metadata Service Version 2 (IMDSv2). | 
@@ -106,9 +106,9 @@ No constraints
-Hs4Ma3G207 - EC2 subnets should not automatically assign public IP addresses Corresponding AWS Security Hub check: [EC2.15](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-15) | **AWSManagedServices-UpdateAutoAssignPublicIpv4Addresses** VPC subnets are configured to not automatically assign public IP addresses. | No preconfigured parameters are allowed. No constraints  
-Hs4Ma3G209 - Unused Network Access Control Lists are removed Corresponding AWS Security Hub check: [EC2.16](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-16) | **AWSManagedServices-DeleteUnusedNACL** Delete unused network ACL | No preconfigured parameters are allowed. No constraints  
-Hs4Ma3G215 - Unused Amazon EC2 security groups should be removed Corresponding AWS Security Hub check: [EC2.22](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-22) | **AWSManagedServices-DeleteSecurityGroups** Delete unused security groups. | No preconfigured parameters are allowed. No constraints  
-Hs4Ma3G247 - Amazon EC2 Transit Gateway should not automatically accept VPC attachment requests Corresponding AWS Security Hub check: [EC2.23](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-23) | **AWSManagedServices-TrustedRemediatorDisableTGWAutoVPCAttach** \- Disables the automatic acceptance of VPC attachment requests for the specified non-AMS Amazon EC2 Transit Gateway. | No preconfigured parameters are allowed. No constraints  
-Hs4Ma3G235 - ECR private repositories should have tag immutability configured Corresponding AWS Security Hub check: [ECR.2](https://docs.aws.amazon.com/securityhub/latest/userguide/ecr-controls.html#ecr-2) | **AWSManagedServices-TrustedRemediatorSetImageTagImmutability** Sets the image tag mutability settings to IMMUTABLE for the specified repository. | No preconfigured parameters are allowed. No constraints  
-Hs4Ma3G216 - ECR repositories should have at least one lifecycle policy configured Corresponding AWS Security Hub check: [ECR.3](https://docs.aws.amazon.com/securityhub/latest/userguide/ecr-controls.html#ecr-3) | **AWSManagedServices-PutECRRepositoryLifecyclePolicy** ECR repository has a lifecycle policy configured. | **LifecyclePolicyText:** The JSON repository policy text to apply to the repository. To enable auto remediation, the following preconfigured parameters must be provided: **LifecyclePolicyText**  
-Hs4Ma3G325 - EKS clusters should have audit logging enabled Corresponding AWS Security Hub check: [EKS.8](https://docs.aws.amazon.com/securityhub/latest/userguide/eks-controls.html#eks-8) | **AWSManagedServices-TrustedRemediatorEnableEKSAuditLog** Audit log is enabled for EKS cluster. | No preconfigured parameters are allowed. No constraints  
-Hs4Ma3G183 - Application load balancer should be configured to drop HTTP headers Corresponding AWS Security Hub check: [ELB.4](https://docs.aws.amazon.com/securityhub/latest/userguide/elb-controls.html#elb-4) | **AWSConfigRemediation-DropInvalidHeadersForALB** Application Load Balancer is configured to invalid header fields. | No preconfigured parameters are allowed. No constraints  
-Hs4Ma3G184 - Application Load Balancers and Classic Load Balancers logging should be enabled Corresponding AWS Security Hub check: [ELB.5](https://docs.aws.amazon.com/securityhub/latest/userguide/elb-controls.html#elb-5) | **AWSManagedServices-EnableELBLogging (default SSM document for both auto and manual execution mode)** Application Load Balancer and Classic Load Balancer logging is enabled. | 
+Hs4Ma3G207 - EC2 subnets should not automatically assign public IP addresses Corresponding AWS Security Hub CSPM check: [EC2.15](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-15) | **AWSManagedServices-UpdateAutoAssignPublicIpv4Addresses** VPC subnets are configured to not automatically assign public IP addresses. | No preconfigured parameters are allowed. No constraints  
+Hs4Ma3G209 - Unused Network Access Control Lists are removed Corresponding AWS Security Hub CSPM check: [EC2.16](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-16) | **AWSManagedServices-DeleteUnusedNACL** Delete unused network ACL | No preconfigured parameters are allowed. No constraints  
+Hs4Ma3G215 - Unused Amazon EC2 security groups should be removed Corresponding AWS Security Hub CSPM check: [EC2.22](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-22) | **AWSManagedServices-DeleteSecurityGroups** Delete unused security groups. | No preconfigured parameters are allowed. No constraints  
+Hs4Ma3G247 - Amazon EC2 Transit Gateway should not automatically accept VPC attachment requests Corresponding AWS Security Hub CSPM check: [EC2.23](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-23) | **AWSManagedServices-TrustedRemediatorDisableTGWAutoVPCAttach** \- Disables the automatic acceptance of VPC attachment requests for the specified non-AMS Amazon EC2 Transit Gateway. | No preconfigured parameters are allowed. No constraints  
+Hs4Ma3G235 - ECR private repositories should have tag immutability configured Corresponding AWS Security Hub CSPM check: [ECR.2](https://docs.aws.amazon.com/securityhub/latest/userguide/ecr-controls.html#ecr-2) | **AWSManagedServices-TrustedRemediatorSetImageTagImmutability** Sets the image tag mutability settings to IMMUTABLE for the specified repository. | No preconfigured parameters are allowed. No constraints  
+Hs4Ma3G216 - ECR repositories should have at least one lifecycle policy configured Corresponding AWS Security Hub CSPM check: [ECR.3](https://docs.aws.amazon.com/securityhub/latest/userguide/ecr-controls.html#ecr-3) | **AWSManagedServices-PutECRRepositoryLifecyclePolicy** ECR repository has a lifecycle policy configured. | **LifecyclePolicyText:** The JSON repository policy text to apply to the repository. To enable auto remediation, the following preconfigured parameters must be provided: **LifecyclePolicyText**  
+Hs4Ma3G325 - EKS clusters should have audit logging enabled Corresponding AWS Security Hub CSPM check: [EKS.8](https://docs.aws.amazon.com/securityhub/latest/userguide/eks-controls.html#eks-8) | **AWSManagedServices-TrustedRemediatorEnableEKSAuditLog** Audit log is enabled for EKS cluster. | No preconfigured parameters are allowed. No constraints  
+Hs4Ma3G183 - Application load balancer should be configured to drop HTTP headers Corresponding AWS Security Hub CSPM check: [ELB.4](https://docs.aws.amazon.com/securityhub/latest/userguide/elb-controls.html#elb-4) | **AWSConfigRemediation-DropInvalidHeadersForALB** Application Load Balancer is configured to invalid header fields. | No preconfigured parameters are allowed. No constraints  
+Hs4Ma3G184 - Application Load Balancers and Classic Load Balancers logging should be enabled Corresponding AWS Security Hub CSPM check: [ELB.5](https://docs.aws.amazon.com/securityhub/latest/userguide/elb-controls.html#elb-5) | **AWSManagedServices-EnableELBLogging (default SSM document for both auto and manual execution mode)** Application Load Balancer and Classic Load Balancer logging is enabled. | 
@@ -125 +125 @@ The Amazon S3 bucket must have a bucket policy that grants ELB permission to wri
-Hs4Ma3G184 - Application Load Balancers and Classic Load Balancers logging should be enabled Corresponding AWS Security Hub check: [ELB.5](https://docs.aws.amazon.com/securityhub/latest/userguide/elb-controls.html#elb-5) | **AWSManagedServices-EnableELBLoggingV2** Application Load Balancer and Classic Load Balancer logging is enabled. | 
+Hs4Ma3G184 - Application Load Balancers and Classic Load Balancers logging should be enabled Corresponding AWS Security Hub CSPM check: [ELB.5](https://docs.aws.amazon.com/securityhub/latest/userguide/elb-controls.html#elb-5) | **AWSManagedServices-EnableELBLoggingV2** Application Load Balancer and Classic Load Balancer logging is enabled. | 
@@ -136,11 +136,11 @@ The Amazon S3 bucket must have a bucket policy that grants ELB permission to wri
-Hs4Ma3G326 - Amazon EMR block public access setting should be enabled Corresponding AWS Security Hub check: [EMR.2](https://docs.aws.amazon.com/securityhub/latest/userguide/emr-controls.html#emr-2) | **AWSManagedServices-TrustedRemediatorEnableEMRBlockPublicAccess** Amazon EMR block public access settings is turned on for the account. | No preconfigured parameters are allowed. No constraints  
-Hs4Ma3G135 - AWS KMS keys should not be deleted unintentionally Corresponding AWS Security Hub check: [KMS.3](https://docs.aws.amazon.com/securityhub/latest/userguide/kms-controls.html#kms-3) | **AWSManagedServices-CancelKeyDeletion** AWS KMS key deletion is canceled. | No preconfigured parameters are allowed. No constraints  
-Hs4Ma3G299 - Amazon DocumentDB manual cluster snapshots should not be public Corresponding AWS Security Hub check: [Neptune.4](https://docs.aws.amazon.com/securityhub/latest/userguide/neptune-controls.html#neptune-4) | **AWSManagedServices-TrustedRemediatorEnableNeptuneDBClusterDeletionProtection** Enables deletion protection for Amazon Neptune cluster. | No preconfigured parameters are allowed. No constraints  
-Hs4Ma3G319 - Network Firewall firewalls should have deletion protection enabled Corresponding AWS Security Hub check: [NetworkFirewall.9](https://docs.aws.amazon.com/securityhub/latest/userguide/networkfirewall-controls.html#networkfirewall-9) | **AWSManagedServices-TrustedRemediatorEnableNetworkFirewallDeletionProtection** \- Enables the delete protection for AWS Network Firewall. | No preconfigured parameters are allowed. No constraints  
-Hs4Ma3G223 - OpenSearch domains should encrypt data sent between nodes Corresponding AWS Security Hub check: [OpenSearch.3](https://docs.aws.amazon.com/securityhub/latest/userguide/opensearch-controls.html#Opensearch-3) | **AWSManagedServices-EnableOpenSearchNodeToNodeEncryption** Node to Node encryption is enabled for the domain. | No preconfigured parameters are allowed. After node-to-node encryption is enabled, you can't disable the setting. Instead, take a manual snapshot of the encrypted domain, create another domain, migrate your data, and then delete the old domain.  
-Hs4Ma3G222 - OpenSearch domain error logging to CloudWatch Logs should be enabled Corresponding AWS Security Hub check: [Opensearch.4](https://docs.aws.amazon.com/securityhub/latest/userguide/opensearch-controls.html#opensearch-4) | **AWSManagedServices-EnableOpenSearchLogging** Error logging is enabled for the OpenSearch domain. | CloudWatchLogGroupArn: The ARN of anAmazon CloudWatch Logs log group. To enable auto remediation, the following preconfigured parameter must be provided: **CloudWatchLogGroupArn**. Amazon CloudWatch resource policy must be configured with permissions. For more information, see [Enabling audit logs](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/audit-logs.html#audit-log-enabling) in the _Amazon OpenSearch Service User Guide_  
-Hs4Ma3G221 - OpenSearch domains should have audit logging enabled Corresponding AWS Security Hub check: [Opensearch.5](https://docs.aws.amazon.com/securityhub/latest/userguide/opensearch-controls.html#opensearch-5) | **AWSManagedServices-EnableOpenSearchLogging** OpenSearch domains are configured with audit logging enabled. | **CloudWatchLogGroupArn:** The ARN of the CloudWatch Logs group to publish logs to. To enable auto remediation, the following preconfigured parameter must be provided: **CloudWatchLogGroupArn** Amazon CloudWatch resource policy must be configured with permissions. For more information, see [Enabling audit logs](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/audit-logs.html#audit-log-enabling) in the _Amazon OpenSearch Service User Guide_  
-Hs4Ma3G220 - Connections to OpenSearch domains should be encrypted using TLS 1.2 Corresponding AWS Security Hub check: [Opensearch.8](https://docs.aws.amazon.com/securityhub/latest/userguide/opensearch-controls.html#opensearch-8) | **AWSManagedServices-EnableOpenSearchEndpointEncryptionTLS1.2** TLS policy is set to `Policy-Min-TLS-1-2-2019-07` and only encrypted connections over HTTPS (TLS) are allowed. | No preconfigured parameters are allowed. Connections to OpenSearch domains are required to use TLS 1.2. Encrypting data in transit can affect performance. Test your applications with this feature to understand the performance profile and the impact of TLS.  
-Hs4Ma3G194 - Amazon RDS snapshot should be private Corresponding AWS Security Hub check: [RDS.1](https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-1) | **AWSManagedServices-DisablePublicAccessOnRDSSnapshotV2** Public access for Amazon RDS snapshot is disabled. | No preconfigured parameters are allowed. No constraints  
-Hs4Ma3G192 - RDS DB Instances should prohibit public access, as determined by the PubliclyAccessible AWS Configuration Corresponding AWS Security Hub check: [RDS.2](https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-2) | **AWSManagedServices-TrustedRemediatorDisablePublicAccessOnRDSInstance** Disable public access on RDS DB instance. | No preconfigured parameters are allowed. No constraints  
-Hs4Ma3G189 - Enhanced monitoring are configured for Amazon RDS DB instances Corresponding AWS Security Hub check: [RDS.6](https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-6) | **AWSManagedServices-TrustedRemediatorEnableRDSEnhancedMonitoring** Enable enhanced monitoring for Amazon RDS DB instances | 
+Hs4Ma3G326 - Amazon EMR block public access setting should be enabled Corresponding AWS Security Hub CSPM check: [EMR.2](https://docs.aws.amazon.com/securityhub/latest/userguide/emr-controls.html#emr-2) | **AWSManagedServices-TrustedRemediatorEnableEMRBlockPublicAccess** Amazon EMR block public access settings is turned on for the account. | No preconfigured parameters are allowed. No constraints  
+Hs4Ma3G135 - AWS KMS keys should not be deleted unintentionally Corresponding AWS Security Hub CSPM check: [KMS.3](https://docs.aws.amazon.com/securityhub/latest/userguide/kms-controls.html#kms-3) | **AWSManagedServices-CancelKeyDeletion** AWS KMS key deletion is canceled. | No preconfigured parameters are allowed. No constraints  
+Hs4Ma3G299 - Amazon DocumentDB manual cluster snapshots should not be public Corresponding AWS Security Hub CSPM check: [Neptune.4](https://docs.aws.amazon.com/securityhub/latest/userguide/neptune-controls.html#neptune-4) | **AWSManagedServices-TrustedRemediatorEnableNeptuneDBClusterDeletionProtection** Enables deletion protection for Amazon Neptune cluster. | No preconfigured parameters are allowed. No constraints  
+Hs4Ma3G319 - Network Firewall firewalls should have deletion protection enabled Corresponding AWS Security Hub CSPM check: [NetworkFirewall.9](https://docs.aws.amazon.com/securityhub/latest/userguide/networkfirewall-controls.html#networkfirewall-9) | **AWSManagedServices-TrustedRemediatorEnableNetworkFirewallDeletionProtection** \- Enables the delete protection for AWS Network Firewall. | No preconfigured parameters are allowed. No constraints  
+Hs4Ma3G223 - OpenSearch domains should encrypt data sent between nodes Corresponding AWS Security Hub CSPM check: [OpenSearch.3](https://docs.aws.amazon.com/securityhub/latest/userguide/opensearch-controls.html#Opensearch-3) | **AWSManagedServices-EnableOpenSearchNodeToNodeEncryption** Node to Node encryption is enabled for the domain. | No preconfigured parameters are allowed. After node-to-node encryption is enabled, you can't disable the setting. Instead, take a manual snapshot of the encrypted domain, create another domain, migrate your data, and then delete the old domain.  
+Hs4Ma3G222 - OpenSearch domain error logging to CloudWatch Logs should be enabled Corresponding AWS Security Hub CSPM check: [Opensearch.4](https://docs.aws.amazon.com/securityhub/latest/userguide/opensearch-controls.html#opensearch-4) | **AWSManagedServices-EnableOpenSearchLogging** Error logging is enabled for the OpenSearch domain. | CloudWatchLogGroupArn: The ARN of anAmazon CloudWatch Logs log group. To enable auto remediation, the following preconfigured parameter must be provided: **CloudWatchLogGroupArn**. Amazon CloudWatch resource policy must be configured with permissions. For more information, see [Enabling audit logs](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/audit-logs.html#audit-log-enabling) in the _Amazon OpenSearch Service User Guide_  
+Hs4Ma3G221 - OpenSearch domains should have audit logging enabled Corresponding AWS Security Hub CSPM check: [Opensearch.5](https://docs.aws.amazon.com/securityhub/latest/userguide/opensearch-controls.html#opensearch-5) | **AWSManagedServices-EnableOpenSearchLogging** OpenSearch domains are configured with audit logging enabled. | **CloudWatchLogGroupArn:** The ARN of the CloudWatch Logs group to publish logs to. To enable auto remediation, the following preconfigured parameter must be provided: **CloudWatchLogGroupArn** Amazon CloudWatch resource policy must be configured with permissions. For more information, see [Enabling audit logs](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/audit-logs.html#audit-log-enabling) in the _Amazon OpenSearch Service User Guide_  
+Hs4Ma3G220 - Connections to OpenSearch domains should be encrypted using TLS 1.2 Corresponding AWS Security Hub CSPM check: [Opensearch.8](https://docs.aws.amazon.com/securityhub/latest/userguide/opensearch-controls.html#opensearch-8) | **AWSManagedServices-EnableOpenSearchEndpointEncryptionTLS1.2** TLS policy is set to `Policy-Min-TLS-1-2-2019-07` and only encrypted connections over HTTPS (TLS) are allowed. | No preconfigured parameters are allowed. Connections to OpenSearch domains are required to use TLS 1.2. Encrypting data in transit can affect performance. Test your applications with this feature to understand the performance profile and the impact of TLS.  
+Hs4Ma3G194 - Amazon RDS snapshot should be private Corresponding AWS Security Hub CSPM check: [RDS.1](https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-1) | **AWSManagedServices-DisablePublicAccessOnRDSSnapshotV2** Public access for Amazon RDS snapshot is disabled. | No preconfigured parameters are allowed. No constraints  
+Hs4Ma3G192 - RDS DB Instances should prohibit public access, as determined by the PubliclyAccessible AWS Configuration Corresponding AWS Security Hub CSPM check: [RDS.2](https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-2) | **AWSManagedServices-TrustedRemediatorDisablePublicAccessOnRDSInstance** Disable public access on RDS DB instance. | No preconfigured parameters are allowed. No constraints  
+Hs4Ma3G189 - Enhanced monitoring are configured for Amazon RDS DB instances Corresponding AWS Security Hub CSPM check: [RDS.6](https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-6) | **AWSManagedServices-TrustedRemediatorEnableRDSEnhancedMonitoring** Enable enhanced monitoring for Amazon RDS DB instances | 
@@ -152,8 +152,8 @@ If enhanced monitoring is enabled before the automation execution, then the sett
-Hs4Ma3G190 - Amazon RDS clusters should have deletion protection enabled Corresponding AWS Security Hub check: [RDS.7](https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-7) | **AWSManagedServices-TrustedRemediatorEnableRDSDeletionProtection** Deletion protection is enabled for Amazon RDS clusters. | No preconfigured parameters are allowed. No constraints  
-Hs4Ma3G198 - Amazon RDS DB instances should have deletion protection enabled Corresponding AWS Security Hub check: [RDS.8](https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-8) | **AWSManagedServices-TrustedRemediatorEnableRDSDeletionProtection** Deletion protection is enabled for Amazon RDS instances. | No preconfigured parameters are allowed. No constraints  
-Hs4Ma3G199 - RDS DB instances should publish logs to CloudWatch Logs Corresponding AWS Security Hub check: [RDS.9](https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-9) | **AWSManagedServices-TrustedRemediatorEnableRDSLogExports** RDS log exports is enabled for the RDS DB instance or RDS DB cluster. | No preconfigured parameters are allowed. Service-linked role [ AWSServiceRoleForRDS](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_LogAccess.Procedural.UploadtoCloudWatch.html#integrating_cloudwatchlogs.configure) is required.  
-Hs4Ma3G160 - IAM authentication should be configured for RDS instances Corresponding AWS Security Hub check: [RDS.10](https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-10>RDS.10) | **AWSManagedServices-UpdateRDSIAMDatabaseAuthentication** AWS Identity and Access Management authentication is enabled for the RDS instance. | **ApplyImmediately:** Indicates if the modifications in this request and any pending modifications are asynchronously applied as soon as possible, To apply the change immediately, choose `true`. To schedule the change for the next maintenance window, choose `false`. No constraints  
-Hs4Ma3G161 - IAM authentication should be configured for RDS clusters Corresponding AWS Security Hub check: [RDS.12](https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-12) | **AWSManagedServices-UpdateRDSIAMDatabaseAuthentication** IAM authentication is enabled for the RDS cluster. | **ApplyImmediately:** Indicates if the modifications in this request and any pending modifications are asynchronously applied as soon as possible, To apply the change immediately, choose `true`. To schedule the change for the next maintenance window, choose `false`. No constraints  
-Hs4Ma3G162 - RDS automatic minor version upgrades should be enabled Corresponding AWS Security Hub check: [RDS.13](https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-13) | **AWSManagedServices-UpdateRDSInstanceMinorVersionUpgrade** Automatic minor version upgrade configuration for Amazon RDS is enabled. | No preconfigured parameters are allowed. The Amazon RDS instance must be in the `available` state for this remediation to happen.  
-Hs4Ma3G163 - RDS DB clusters should be configured to copy tags to snapshots Corresponding AWS Security Hub check: [RDS.16](https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-16) | **AWSManagedServices-UpdateRDSCopyTagsToSnapshots** `CopyTagtosnapshot` setting for Amazon RDS clusters is enabled. | No preconfigured parameters are allowed. Amazon RDS instances must be in available state for this remediation to happen.  
-Hs4Ma3G164 - RDS DB instances should be configured to copy tags to snapshots Corresponding AWS Security Hub check: [RDS.17](https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-17) | **AWSManagedServices-UpdateRDSCopyTagsToSnapshots** `CopyTagsToSnapshot` setting for Amazon RDS is enabled. | No preconfigured parameters are allowed. Amazon RDS instances must be in available state for this remediation to happen.  
+Hs4Ma3G190 - Amazon RDS clusters should have deletion protection enabled Corresponding AWS Security Hub CSPM check: [RDS.7](https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-7) | **AWSManagedServices-TrustedRemediatorEnableRDSDeletionProtection** Deletion protection is enabled for Amazon RDS clusters. | No preconfigured parameters are allowed. No constraints  
+Hs4Ma3G198 - Amazon RDS DB instances should have deletion protection enabled Corresponding AWS Security Hub CSPM check: [RDS.8](https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-8) | **AWSManagedServices-TrustedRemediatorEnableRDSDeletionProtection** Deletion protection is enabled for Amazon RDS instances. | No preconfigured parameters are allowed. No constraints  
+Hs4Ma3G199 - RDS DB instances should publish logs to CloudWatch Logs Corresponding AWS Security Hub CSPM check: [RDS.9](https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-9) | **AWSManagedServices-TrustedRemediatorEnableRDSLogExports** RDS log exports is enabled for the RDS DB instance or RDS DB cluster. | No preconfigured parameters are allowed. Service-linked role [ AWSServiceRoleForRDS](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_LogAccess.Procedural.UploadtoCloudWatch.html#integrating_cloudwatchlogs.configure) is required.  
+Hs4Ma3G160 - IAM authentication should be configured for RDS instances Corresponding AWS Security Hub CSPM check: [RDS.10](https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-10>RDS.10) | **AWSManagedServices-UpdateRDSIAMDatabaseAuthentication** AWS Identity and Access Management authentication is enabled for the RDS instance. | **ApplyImmediately:** Indicates if the modifications in this request and any pending modifications are asynchronously applied as soon as possible, To apply the change immediately, choose `true`. To schedule the change for the next maintenance window, choose `false`. No constraints  
+Hs4Ma3G161 - IAM authentication should be configured for RDS clusters Corresponding AWS Security Hub CSPM check: [RDS.12](https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-12) | **AWSManagedServices-UpdateRDSIAMDatabaseAuthentication** IAM authentication is enabled for the RDS cluster. | **ApplyImmediately:** Indicates if the modifications in this request and any pending modifications are asynchronously applied as soon as possible, To apply the change immediately, choose `true`. To schedule the change for the next maintenance window, choose `false`. No constraints  
+Hs4Ma3G162 - RDS automatic minor version upgrades should be enabled Corresponding AWS Security Hub CSPM check: [RDS.13](https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-13) | **AWSManagedServices-UpdateRDSInstanceMinorVersionUpgrade** Automatic minor version upgrade configuration for Amazon RDS is enabled. | No preconfigured parameters are allowed. The Amazon RDS instance must be in the `available` state for this remediation to happen.  
+Hs4Ma3G163 - RDS DB clusters should be configured to copy tags to snapshots Corresponding AWS Security Hub CSPM check: [RDS.16](https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-16) | **AWSManagedServices-UpdateRDSCopyTagsToSnapshots** `CopyTagtosnapshot` setting for Amazon RDS clusters is enabled. | No preconfigured parameters are allowed. Amazon RDS instances must be in available state for this remediation to happen.  
+Hs4Ma3G164 - RDS DB instances should be configured to copy tags to snapshots Corresponding AWS Security Hub CSPM check: [RDS.17](https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-17) | **AWSManagedServices-UpdateRDSCopyTagsToSnapshots** `CopyTagsToSnapshot` setting for Amazon RDS is enabled. | No preconfigured parameters are allowed. Amazon RDS instances must be in available state for this remediation to happen.  
@@ -161,6 +161,6 @@ Hs4Ma3G164 - RDS DB instances should be configured to copy tags to snapshots Cor
-Hs4Ma3G103 - Amazon Redshift clusters should prohibit public access Corresponding AWS Security Hub check: [Redshift.1](https://docs.aws.amazon.com/securityhub/latest/userguide/redshift-controls.html#redshift-1) | **AWSManagedServices-DisablePublicAccessOnRedshiftCluster** Public access on Amazon Redshift cluster is disabled. | No preconfigured parameters are allowed. Disabling public access blocks all clients coming from the internet. And the Amazon Redshift cluster is in the modifying state for a few minutes while the remediation disables public access on the cluster.  
-Hs4Ma3G106 - Amazon Redshift clusters should have audit logging enabled Corresponding AWS Security Hub check: [Redshift.4](https://docs.aws.amazon.com/securityhub/latest/userguide/redshift-controls.html#redshift-4) | **AWSManagedServices-TrustedRemediatorEnableRedshiftClusterAuditLogging** Audit logging is enabled to your Amazon Redshift cluster during the maintenance window. | No preconfigured parameters are allowed. To enable auto remediation, the following preconfigured parameters must be provided. **BucketName:** The bucket must be in the same AWS Region. The cluster must have read bucket and put object permissions. If Redshift cluster logging is enabled before the automation execution, then the logging settings might be overwritten by this automation with the `BucketName` and `S3KeyPrefix` values configured in the preconfigured parameters.  
-Hs4Ma3G105 - Amazon Redshiftshould have automatic upgrades to major versions enabled Corresponding AWS Security Hub check: [Redshift.6](https://docs.aws.amazon.com/securityhub/latest/userguide/redshift-controls.html#redshift-6) | **AWSManagedServices-EnableRedshiftClusterVersionAutoUpgrade** \- Major version upgrades are applied automatically to the cluster during the maintenance window. There is no immediate downtime for the Amazon Redshift cluster, but your Amazon Redshift cluster might have downtime during its maintenance window if it upgrades to a major version. | No preconfigured parameters are allowed. No constraints  
-Hs4Ma3G104 - Amazon Redshift clusters should use enhanced VPC routing Corresponding AWS Security Hub check: [Redshift.7](https://docs.aws.amazon.com/securityhub/latest/userguide/redshift-controls.html#redshift-7) | **AWSManagedServices-TrustedRemediatorEnableRedshiftClusterEnhancedVPCRouting** Enhanced VPC routing is enabled for Amazon Redshift clusters. | No preconfigured parameters are allowed. No constraints  
-Hs4Ma3G173 - S3 Block Public Access setting should be enabled at the bucket-level Corresponding AWS Security Hub check: [S3.8](https://docs.aws.amazon.com/securityhub/latest/userguide/s3-controls.html#s3-8) | **AWSManagedServices-TrustedRemediatorBlockS3BucketPublicAccess** Bucket-level public access blocks are applied for the Amazon S3 bucket. | No preconfigured parameters are allowed. This remediation might affect S3 object availability. For information on how Amazon S3 evaluates access, see [Blocking public access to your Amazon S3 storage](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html).  
-Hs4Ma3G230 - S3 bucket server access logging should be enabled  Corresponding AWS Security Hub check: [S3.9](https://docs.aws.amazon.com/securityhub/latest/userguide/s3-controls.html#s3-9) | **AWSManagedServices-EnableBucketAccessLogging** (default SSM document for both auto and manual execution mode) Amazon S3 server access logging is enabled. | 
+Hs4Ma3G103 - Amazon Redshift clusters should prohibit public access Corresponding AWS Security Hub CSPM check: [Redshift.1](https://docs.aws.amazon.com/securityhub/latest/userguide/redshift-controls.html#redshift-1) | **AWSManagedServices-DisablePublicAccessOnRedshiftCluster** Public access on Amazon Redshift cluster is disabled. | No preconfigured parameters are allowed. Disabling public access blocks all clients coming from the internet. And the Amazon Redshift cluster is in the modifying state for a few minutes while the remediation disables public access on the cluster.  
+Hs4Ma3G106 - Amazon Redshift clusters should have audit logging enabled Corresponding AWS Security Hub CSPM check: [Redshift.4](https://docs.aws.amazon.com/securityhub/latest/userguide/redshift-controls.html#redshift-4) | **AWSManagedServices-TrustedRemediatorEnableRedshiftClusterAuditLogging** Audit logging is enabled to your Amazon Redshift cluster during the maintenance window. | No preconfigured parameters are allowed. To enable auto remediation, the following preconfigured parameters must be provided. **BucketName:** The bucket must be in the same AWS Region. The cluster must have read bucket and put object permissions. If Redshift cluster logging is enabled before the automation execution, then the logging settings might be overwritten by this automation with the `BucketName` and `S3KeyPrefix` values configured in the preconfigured parameters.  
+Hs4Ma3G105 - Amazon Redshiftshould have automatic upgrades to major versions enabled Corresponding AWS Security Hub CSPM check: [Redshift.6](https://docs.aws.amazon.com/securityhub/latest/userguide/redshift-controls.html#redshift-6) | **AWSManagedServices-EnableRedshiftClusterVersionAutoUpgrade** \- Major version upgrades are applied automatically to the cluster during the maintenance window. There is no immediate downtime for the Amazon Redshift cluster, but your Amazon Redshift cluster might have downtime during its maintenance window if it upgrades to a major version. | No preconfigured parameters are allowed. No constraints  
+Hs4Ma3G104 - Amazon Redshift clusters should use enhanced VPC routing Corresponding AWS Security Hub CSPM check: [Redshift.7](https://docs.aws.amazon.com/securityhub/latest/userguide/redshift-controls.html#redshift-7) | **AWSManagedServices-TrustedRemediatorEnableRedshiftClusterEnhancedVPCRouting** Enhanced VPC routing is enabled for Amazon Redshift clusters. | No preconfigured parameters are allowed. No constraints  
+Hs4Ma3G173 - S3 Block Public Access setting should be enabled at the bucket-level Corresponding AWS Security Hub CSPM check: [S3.8](https://docs.aws.amazon.com/securityhub/latest/userguide/s3-controls.html#s3-8) | **AWSManagedServices-TrustedRemediatorBlockS3BucketPublicAccess** Bucket-level public access blocks are applied for the Amazon S3 bucket. | No preconfigured parameters are allowed. This remediation might affect S3 object availability. For information on how Amazon S3 evaluates access, see [Blocking public access to your Amazon S3 storage](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html).  
+Hs4Ma3G230 - S3 bucket server access logging should be enabled  Corresponding AWS Security Hub CSPM check: [S3.9](https://docs.aws.amazon.com/securityhub/latest/userguide/s3-controls.html#s3-9) | **AWSManagedServices-EnableBucketAccessLogging** (default SSM document for both auto and manual execution mode) Amazon S3 server access logging is enabled. | 
@@ -172 +172 @@ To enable auto remediation, the following preconfigured parameter must be provid
-Hs4Ma3G230 – S3 bucket server access logging should be enabled Corresponding AWS Security Hub check: [S3.9](https://docs.aws.amazon.com/securityhub/latest/userguide/s3-controls.html#s3-9) | **AWSManagedServices-TrustedRemediatorEnableBucketAccessLoggingV2** \- Amazon S3 bucket logging is enabled. | 
+Hs4Ma3G230 – S3 bucket server access logging should be enabled Corresponding AWS Security Hub CSPM check: [S3.9](https://docs.aws.amazon.com/securityhub/latest/userguide/s3-controls.html#s3-9) | **AWSManagedServices-TrustedRemediatorEnableBucketAccessLoggingV2** \- Amazon S3 bucket logging is enabled. | 
@@ -180,4 +180,4 @@ To enable auto remediation, the following parameters must be provided: **TargetB
-Hs4Ma3G272 - Users should not have root access to SageMaker notebook instances Corresponding AWS Security Hub check: [SageMaker.3](https://docs.aws.amazon.com/securityhub/latest/userguide/sagemaker-controls.html#sagemaker-3) | **AWSManagedServices-TrustedRemediatorDisableSageMakerNotebookInstanceRootAccess** Root access for users is disabled for SageMaker notebook instance. | No preconfigured parameters are allowed. This remediation causes outage if the SageMaker notebook instance is in the InService state.  
-Hs4Ma3G179 - SNS topics should be encrypted at-rest using AWS KMS Corresponding AWS Security Hub check: [SNS.1](https://docs.aws.amazon.com/securityhub/latest/userguide/sns-controls.html#sns-1) | **AWSManagedServices-EnableSNSEncryptionAtRest** SNS topic is configured with server-side encryption. | **KmsKeyId:** The ID of an AWS managed customer master key (CMK) for Amazon SNS or a custom CMK to be used for server-side encryption (SSE). Default is set to `alias/aws/sns`. If a custom AWS KMS key is used, it must be configured with the correct permissions. For more information, see [Enabling server-side encryption (SSE) for an Amazon SNS topic](https://docs.aws.amazon.com/sns/latest/dg/sns-enable-encryption-for-topic.html)  
-Hs4Ma3G158 - SSM documents should not be public Corresponding AWS Security Hub check: [SSM.4](https://docs.aws.amazon.com/securityhub/latest/userguide/ssm-controls.html#ssm-4) | **AWSManagedServices-TrustedRemediatorDisableSSMDocPublicSharing** \- Disables the public sharing of SSM document. | No preconfigured parameters are allowed. No constraints  
-Hs4Ma3G136 - Amazon SQS queues should be encrypted at rest Corresponding AWS Security Hub check: [SQS.1](https://docs.aws.amazon.com/securityhub/latest/userguide/sqs-controls.html#sqs-1) | **AWSManagedServices-EnableSQSEncryptionAtRest** Messages in Amazon SQS are encrypted. | 
+Hs4Ma3G272 - Users should not have root access to SageMaker notebook instances Corresponding AWS Security Hub CSPM check: [SageMaker.3](https://docs.aws.amazon.com/securityhub/latest/userguide/sagemaker-controls.html#sagemaker-3) | **AWSManagedServices-TrustedRemediatorDisableSageMakerNotebookInstanceRootAccess** Root access for users is disabled for SageMaker notebook instance. | No preconfigured parameters are allowed. This remediation causes outage if the SageMaker notebook instance is in the InService state.  
+Hs4Ma3G179 - SNS topics should be encrypted at-rest using AWS KMS Corresponding AWS Security Hub CSPM check: [SNS.1](https://docs.aws.amazon.com/securityhub/latest/userguide/sns-controls.html#sns-1) | **AWSManagedServices-EnableSNSEncryptionAtRest** SNS topic is configured with server-side encryption. | **KmsKeyId:** The ID of an AWS managed customer master key (CMK) for Amazon SNS or a custom CMK to be used for server-side encryption (SSE). Default is set to `alias/aws/sns`. If a custom AWS KMS key is used, it must be configured with the correct permissions. For more information, see [Enabling server-side encryption (SSE) for an Amazon SNS topic](https://docs.aws.amazon.com/sns/latest/dg/sns-enable-encryption-for-topic.html)  
+Hs4Ma3G158 - SSM documents should not be public Corresponding AWS Security Hub CSPM check: [SSM.4](https://docs.aws.amazon.com/securityhub/latest/userguide/ssm-controls.html#ssm-4) | **AWSManagedServices-TrustedRemediatorDisableSSMDocPublicSharing** \- Disables the public sharing of SSM document. | No preconfigured parameters are allowed. No constraints  
+Hs4Ma3G136 - Amazon SQS queues should be encrypted at rest Corresponding AWS Security Hub CSPM check: [SQS.1](https://docs.aws.amazon.com/securityhub/latest/userguide/sqs-controls.html#sqs-1) | **AWSManagedServices-EnableSQSEncryptionAtRest** Messages in Amazon SQS are encrypted. |