AWS securityhub documentation change
Summary
Removed 'Service-Managed Standard: AWS Control Tower' from applicable standards for multiple controls and added new controls: CloudFormation.3, Cognito.4, Cognito.5, Cognito.6, EC2.182, ECS.18, and SES.3.
Security assessment
The changes primarily involve removing references to AWS Control Tower from compliance standards without indicating a security vulnerability. New controls added (e.g., EBS snapshot public access prevention, Cognito MFA, EFS encryption) document security features but do not address specific vulnerabilities. No evidence of patching exploits or incident response.
Diff
diff --git a/securityhub/latest/userguide/securityhub-controls-reference.md b/securityhub/latest/userguide/securityhub-controls-reference.md index 034bee483..1a16f3477 100644 --- a//securityhub/latest/userguide/securityhub-controls-reference.md +++ b//securityhub/latest/userguide/securityhub-controls-reference.md @@ -34 +34 @@ Security control ID | Security control title | Applicable standards | Severity | -[Account.1](./account-controls.html#account-1) | Security contact information should be provided for an AWS account | CIS AWS Foundations Benchmark v5.0.0, CIS AWS Foundations Benchmark v3.0.0, AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | No | Periodic +[Account.1](./account-controls.html#account-1) | Security contact information should be provided for an AWS account | CIS AWS Foundations Benchmark v5.0.0, CIS AWS Foundations Benchmark v3.0.0, AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | No | Periodic @@ -36 +36 @@ Security control ID | Security control title | Applicable standards | Severity | -[ACM.1](./acm-controls.html#acm-1) | Imported and ACM-issued certificates should be renewed after a specified time period | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2, PCI DSS v4.0.1 | MEDIUM | Yes | Change triggered and periodic +[ACM.1](./acm-controls.html#acm-1) | Imported and ACM-issued certificates should be renewed after a specified time period | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2, PCI DSS v4.0.1 | MEDIUM | Yes | Change triggered and periodic @@ -41,7 +41,7 @@ Security control ID | Security control title | Applicable standards | Severity | -[APIGateway.1](./apigateway-controls.html#apigateway-1) | API Gateway REST and WebSocket API execution logging should be enabled | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | Yes | Change triggered -[APIGateway.2](./apigateway-controls.html#apigateway-2) | API Gateway REST API stages should be configured to use SSL certificates for backend authentication | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2 | MEDIUM | No | Change triggered -[APIGateway.3](./apigateway-controls.html#apigateway-3) | API Gateway REST API stages should have AWS X-Ray tracing enabled | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | LOW | No | Change triggered -[APIGateway.4](./apigateway-controls.html#apigateway-4) | API Gateway should be associated with a WAF Web ACL | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | No | Change triggered -[APIGateway.5](./apigateway-controls.html#apigateway-5) | API Gateway REST API cache data should be encrypted at rest | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | No | Change triggered -[APIGateway.8](./apigateway-controls.html#apigateway-8) | API Gateway routes should specify an authorization type | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | Yes | Periodic -[APIGateway.9](./apigateway-controls.html#apigateway-9) | Access logging should be configured for API Gateway V2 Stages | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 | MEDIUM | No | Change triggered +[APIGateway.1](./apigateway-controls.html#apigateway-1) | API Gateway REST and WebSocket API execution logging should be enabled | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | Yes | Change triggered +[APIGateway.2](./apigateway-controls.html#apigateway-2) | API Gateway REST API stages should be configured to use SSL certificates for backend authentication | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2 | MEDIUM | No | Change triggered +[APIGateway.3](./apigateway-controls.html#apigateway-3) | API Gateway REST API stages should have AWS X-Ray tracing enabled | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | LOW | No | Change triggered +[APIGateway.4](./apigateway-controls.html#apigateway-4) | API Gateway should be associated with a WAF Web ACL | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | No | Change triggered +[APIGateway.5](./apigateway-controls.html#apigateway-5) | API Gateway REST API cache data should be encrypted at rest | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | No | Change triggered +[APIGateway.8](./apigateway-controls.html#apigateway-8) | API Gateway routes should specify an authorization type | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | Yes | Periodic +[APIGateway.9](./apigateway-controls.html#apigateway-9) | Access logging should be configured for API Gateway V2 Stages | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 | MEDIUM | No | Change triggered @@ -63,6 +63,6 @@ Security control ID | Security control title | Applicable standards | Severity | -[AutoScaling.1](./autoscaling-controls.html#autoscaling-1) | Auto Scaling groups associated with a load balancer should use ELB health checks | AWS Foundational Security Best Practices, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5 | LOW | No | Change triggered -[AutoScaling.2](./autoscaling-controls.html#autoscaling-2) | Amazon EC2 Auto Scaling group should cover multiple Availability Zones | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | Yes | Change triggered -[AutoScaling.3](./autoscaling-controls.html#autoscaling-3) | Auto Scaling group launch configurations should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2) | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 | HIGH | No | Change triggered -[Autoscaling.5](./autoscaling-controls.html#autoscaling-5) | Amazon EC2 instances launched using Auto Scaling group launch configurations should not have Public IP addresses | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 | HIGH | No | Change triggered -[AutoScaling.6](./autoscaling-controls.html#autoscaling-6) | Auto Scaling groups should use multiple instance types in multiple Availability Zones | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | No | Change triggered -[AutoScaling.9](./autoscaling-controls.html#autoscaling-9) | EC2 Auto Scaling groups should use EC2 launch templates | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | No | Change triggered +[AutoScaling.1](./autoscaling-controls.html#autoscaling-1) | Auto Scaling groups associated with a load balancer should use ELB health checks | AWS Foundational Security Best Practices, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5 | LOW | No | Change triggered +[AutoScaling.2](./autoscaling-controls.html#autoscaling-2) | Amazon EC2 Auto Scaling group should cover multiple Availability Zones | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | Yes | Change triggered +[AutoScaling.3](./autoscaling-controls.html#autoscaling-3) | Auto Scaling group launch configurations should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2) | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 | HIGH | No | Change triggered +[Autoscaling.5](./autoscaling-controls.html#autoscaling-5) | Amazon EC2 instances launched using Auto Scaling group launch configurations should not have Public IP addresses | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 | HIGH | No | Change triggered +[AutoScaling.6](./autoscaling-controls.html#autoscaling-6) | Auto Scaling groups should use multiple instance types in multiple Availability Zones | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | No | Change triggered +[AutoScaling.9](./autoscaling-controls.html#autoscaling-9) | EC2 Auto Scaling groups should use EC2 launch templates | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | No | Change triggered @@ -79,0 +80 @@ Security control ID | Security control title | Applicable standards | Severity | +[CloudFormation.3](./cloudformation-controls.html#cloudformation-3) | CloudFormation stacks should have termination protection enabled | AWS Foundational Security Best Practices | MEDIUM | No | Change triggered @@ -94,2 +95,2 @@ Security control ID | Security control title | Applicable standards | Severity | -[CloudTrail.1](./cloudtrail-controls.html#cloudtrail-1) | CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events | CIS AWS Foundations Benchmark v5.0.0, CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.4.0, CIS AWS Foundations Benchmark v1.2.0, AWS Foundational Security Best Practices, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | HIGH | No | Periodic -[CloudTrail.2](./cloudtrail-controls.html#cloudtrail-2) | CloudTrail should have encryption at-rest enabled | CIS AWS Foundations Benchmark v5.0.0, CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.2.0, CIS AWS Foundations Benchmark v1.4.0 AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2, PCI DSS v3.2.1, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | MEDIUM | No | Periodic +[CloudTrail.1](./cloudtrail-controls.html#cloudtrail-1) | CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events | CIS AWS Foundations Benchmark v5.0.0, CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.4.0, CIS AWS Foundations Benchmark v1.2.0, AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5 | HIGH | No | Periodic +[CloudTrail.2](./cloudtrail-controls.html#cloudtrail-2) | CloudTrail should have encryption at-rest enabled | CIS AWS Foundations Benchmark v5.0.0, CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.2.0, CIS AWS Foundations Benchmark v1.4.0 AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2, PCI DSS v3.2.1, PCI DSS v4.0.1 | MEDIUM | No | Periodic @@ -97,2 +98,2 @@ Security control ID | Security control title | Applicable standards | Severity | -[CloudTrail.4](./cloudtrail-controls.html#cloudtrail-4) | CloudTrail log file validation should be enabled | CIS AWS Foundations Benchmark v5.0.0, CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.4.0, CIS AWS Foundations Benchmark v1.2.0, AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2, PCI DSS v4.0.1, PCI DSS v3.2.1, Service-Managed Standard: AWS Control Tower | LOW | No | Periodic -[CloudTrail.5](./cloudtrail-controls.html#cloudtrail-5) | CloudTrail trails should be integrated with Amazon CloudWatch Logs | CIS AWS Foundations Benchmark v1.2.0, CIS AWS Foundations Benchmark v1.4.0, AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v3.2.1, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | MEDIUM | No | Periodic +[CloudTrail.4](./cloudtrail-controls.html#cloudtrail-4) | CloudTrail log file validation should be enabled | CIS AWS Foundations Benchmark v5.0.0, CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.4.0, CIS AWS Foundations Benchmark v1.2.0, AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2, PCI DSS v4.0.1, PCI DSS v3.2.1 | LOW | No | Periodic +[CloudTrail.5](./cloudtrail-controls.html#cloudtrail-5) | CloudTrail trails should be integrated with Amazon CloudWatch Logs | CIS AWS Foundations Benchmark v1.2.0, CIS AWS Foundations Benchmark v1.4.0, AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v3.2.1, PCI DSS v4.0.1 | MEDIUM | No | Periodic @@ -121,4 +122,4 @@ Security control ID | Security control title | Applicable standards | Severity | -[CodeBuild.1](./codebuild-controls.html#codebuild-1) | CodeBuild Bitbucket source repository URLs should not contain sensitive credentials | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v3.2.1, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | CRITICAL | No | Change triggered -[CodeBuild.2](./codebuild-controls.html#codebuild-2) | CodeBuild project environment variables should not contain clear text credentials | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v3.2.1, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | CRITICAL | No | Change triggered -[CodeBuild.3](./codebuild-controls.html#codebuild-3) | CodeBuild S3 logs should be encrypted | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower, | LOW | No | Change triggered -[CodeBuild.4](./codebuild-controls.html#codebuild-4) | CodeBuild project environments should have a logging configuration | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | No | Change triggered +[CodeBuild.1](./codebuild-controls.html#codebuild-1) | CodeBuild Bitbucket source repository URLs should not contain sensitive credentials | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v3.2.1, PCI DSS v4.0.1 | CRITICAL | No | Change triggered +[CodeBuild.2](./codebuild-controls.html#codebuild-2) | CodeBuild project environment variables should not contain clear text credentials | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v3.2.1, PCI DSS v4.0.1 | CRITICAL | No | Change triggered +[CodeBuild.3](./codebuild-controls.html#codebuild-3) | CodeBuild S3 logs should be encrypted | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, | LOW | No | Change triggered +[CodeBuild.4](./codebuild-controls.html#codebuild-4) | CodeBuild project environments should have a logging configuration | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | No | Change triggered @@ -130,0 +132,3 @@ Security control ID | Security control title | Applicable standards | Severity | +[Cognito.4](./cognito-controls.html#cognito-4) | Cognito user pools should have threat protection activated with full function enforcement mode for custom authentication | AWS Foundational Security Best Practices | MEDIUM | No | Change triggered +[Cognito.5](./cognito-controls.html#cognito-5) | MFA should be enabled for Cognito user pools | AWS Foundational Security Best Practices | MEDIUM | No | Change triggered +[Cognito.6](./cognito-controls.html#cognito-6) | Cognito user pools should have deletion protection enabled | AWS Foundational Security Best Practices | MEDIUM | No | Change triggered @@ -138 +142 @@ Security control ID | Security control title | Applicable standards | Severity | -[DMS.1](./dms-controls.html#dms-1) | Database Migration Service replication instances should not be public | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v3.2.1, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | CRITICAL | No | Periodic +[DMS.1](./dms-controls.html#dms-1) | Database Migration Service replication instances should not be public | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v3.2.1, PCI DSS v4.0.1 | CRITICAL | No | Periodic @@ -151,2 +155,2 @@ Security control ID | Security control title | Applicable standards | Severity | -[DocumentDB.1](./documentdb-controls.html#documentdb-1) | Amazon DocumentDB clusters should be encrypted at rest | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, Service-Managed Standard: AWS Control Tower | MEDIUM | No | Change triggered -[DocumentDB.2](./documentdb-controls.html#documentdb-2) | Amazon DocumentDB clusters should have an adequate backup retention period | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | MEDIUM | Yes | Change triggered +[DocumentDB.1](./documentdb-controls.html#documentdb-1) | Amazon DocumentDB clusters should be encrypted at rest | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | No | Change triggered +[DocumentDB.2](./documentdb-controls.html#documentdb-2) | Amazon DocumentDB clusters should have an adequate backup retention period | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 | MEDIUM | Yes | Change triggered @@ -157,2 +161,2 @@ Security control ID | Security control title | Applicable standards | Severity | -[DynamoDB.1](./dynamodb-controls.html#dynamodb-1) | DynamoDB tables should automatically scale capacity with demand | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | Yes | Periodic -[DynamoDB.2](./dynamodb-controls.html#dynamodb-2) | DynamoDB tables should have point-in-time recovery enabled | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | No | Change triggered +[DynamoDB.1](./dynamodb-controls.html#dynamodb-1) | DynamoDB tables should automatically scale capacity with demand | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | Yes | Periodic +[DynamoDB.2](./dynamodb-controls.html#dynamodb-2) | DynamoDB tables should have point-in-time recovery enabled | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | No | Change triggered @@ -164,9 +168,9 @@ Security control ID | Security control title | Applicable standards | Severity | -[EC2.1](./ec2-controls.html#ec2-1) | EBS snapshots should not be publicly restorable | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5 | CRITICAL | No | Periodic -[EC2.2](./ec2-controls.html#ec2-2) | VPC default security groups should not allow inbound or outbound traffic | CIS AWS Foundations Benchmark v5.0.0, CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.2.0, AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, CIS AWS Foundations Benchmark v1.4.0, NIST SP 800-53 Rev. 5 | HIGH | No | Change triggered -[EC2.3](./ec2-controls.html#ec2-3) | Attached EBS volumes should be encrypted at-rest | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | No | Change triggered -[EC2.4](./ec2-controls.html#ec2-4) | Stopped EC2 instances should be removed after a specified time period | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | Yes | Periodic -[EC2.6](./ec2-controls.html#ec2-6) | VPC flow logging should be enabled in all VPCs | CIS AWS Foundations Benchmark v5.0.0, CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.2.0, AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, CIS AWS Foundations Benchmark v1.4.0, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2 | MEDIUM | No | Periodic -[EC2.7](./ec2-controls.html#ec2-7) | EBS default encryption should be enabled | CIS AWS Foundations Benchmark v5.0.0, CIS AWS Foundations Benchmark v3.0.0, AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, CIS AWS Foundations Benchmark v1.4.0, NIST SP 800-53 Rev. 5 | MEDIUM | No | Periodic -[EC2.8](./ec2-controls.html#ec2-8) | EC2 instances should use Instance Metadata Service Version 2 (IMDSv2) | CIS AWS Foundations Benchmark v5.0.0, CIS AWS Foundations Benchmark v3.0.0, AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | HIGH | No | Change triggered -[EC2.9](./ec2-controls.html#ec2-9) | EC2 instances should not have a public IPv4 address | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | HIGH | No | Change triggered -[EC2.10](./ec2-controls.html#ec2-10) | Amazon EC2 should be configured to use VPC endpoints that are created for the Amazon EC2 service | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2 | MEDIUM | No | Periodic +[EC2.1](./ec2-controls.html#ec2-1) | EBS snapshots should not be publicly restorable | AWS Foundational Security Best Practices v1.0.0, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5 | CRITICAL | No | Periodic +[EC2.2](./ec2-controls.html#ec2-2) | VPC default security groups should not allow inbound or outbound traffic | CIS AWS Foundations Benchmark v5.0.0, CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.2.0, AWS Foundational Security Best Practices v1.0.0, PCI DSS v3.2.1, CIS AWS Foundations Benchmark v1.4.0, NIST SP 800-53 Rev. 5 | HIGH | No | Change triggered +[EC2.3](./ec2-controls.html#ec2-3) | Attached EBS volumes should be encrypted at-rest | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | No | Change triggered +[EC2.4](./ec2-controls.html#ec2-4) | Stopped EC2 instances should be removed after a specified time period | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | Yes | Periodic +[EC2.6](./ec2-controls.html#ec2-6) | VPC flow logging should be enabled in all VPCs | CIS AWS Foundations Benchmark v5.0.0, CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.2.0, AWS Foundational Security Best Practices v1.0.0, PCI DSS v3.2.1, CIS AWS Foundations Benchmark v1.4.0, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2 | MEDIUM | No | Periodic +[EC2.7](./ec2-controls.html#ec2-7) | EBS default encryption should be enabled | CIS AWS Foundations Benchmark v5.0.0, CIS AWS Foundations Benchmark v3.0.0, AWS Foundational Security Best Practices v1.0.0, CIS AWS Foundations Benchmark v1.4.0, NIST SP 800-53 Rev. 5 | MEDIUM | No | Periodic +[EC2.8](./ec2-controls.html#ec2-8) | EC2 instances should use Instance Metadata Service Version 2 (IMDSv2) | CIS AWS Foundations Benchmark v5.0.0, CIS AWS Foundations Benchmark v3.0.0, AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 | HIGH | No | Change triggered +[EC2.9](./ec2-controls.html#ec2-9) | EC2 instances should not have a public IPv4 address | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | HIGH | No | Change triggered +[EC2.10](./ec2-controls.html#ec2-10) | Amazon EC2 should be configured to use VPC endpoints that are created for the Amazon EC2 service | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2 | MEDIUM | No | Periodic @@ -176,8 +180,8 @@ Security control ID | Security control title | Applicable standards | Severity | -[EC2.15](./ec2-controls.html#ec2-15) | EC2 subnets should not automatically assign public IP addresses | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower, | MEDIUM | No | Change triggered -[EC2.16](./ec2-controls.html#ec2-16) | Unused Network Access Control Lists should be removed | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower, | LOW | No | Change triggered -[EC2.17](./ec2-controls.html#ec2-17) | EC2 instances should not use multiple ENIs | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | LOW | No | Change triggered -[EC2.18](./ec2-controls.html#ec2-18) | Security groups should only allow unrestricted incoming traffic for authorized ports | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2 | HIGH | Yes | Change triggered -[EC2.19](./ec2-controls.html#ec2-19) | Security groups should not allow unrestricted access to ports with high risk | AWS Foundational Security Best Practices, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2 | CRITICAL | No | Change triggered and periodic -[EC2.20](./ec2-controls.html#ec2-20) | Both VPN tunnels for an AWS Site-to-Site VPN connection should be up | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2 | MEDIUM | No | Change triggered -[EC2.21](./ec2-controls.html#ec2-21) | Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389 | CIS AWS Foundations Benchmark v5.0.0, CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.4.0, AWS Foundational Security Best Practices, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2, PCI DSS v4.0.1 | MEDIUM | No | Change triggered -[EC2.22](./ec2-controls.html#ec2-22) | Unused EC2 security groups should be removed | Service-Managed Standard: AWS Control Tower | MEDIUM | No | Periodic +[EC2.15](./ec2-controls.html#ec2-15) | EC2 subnets should not automatically assign public IP addresses | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, | MEDIUM | No | Change triggered +[EC2.16](./ec2-controls.html#ec2-16) | Unused Network Access Control Lists should be removed | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2, PCI DSS v4.0.1, | LOW | No | Change triggered +[EC2.17](./ec2-controls.html#ec2-17) | EC2 instances should not use multiple ENIs | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | LOW | No | Change triggered +[EC2.18](./ec2-controls.html#ec2-18) | Security groups should only allow unrestricted incoming traffic for authorized ports | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2 | HIGH | Yes | Change triggered +[EC2.19](./ec2-controls.html#ec2-19) | Security groups should not allow unrestricted access to ports with high risk | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2 | CRITICAL | No | Change triggered and periodic +[EC2.20](./ec2-controls.html#ec2-20) | Both VPN tunnels for an AWS Site-to-Site VPN connection should be up | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2 | MEDIUM | No | Change triggered +[EC2.21](./ec2-controls.html#ec2-21) | Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389 | CIS AWS Foundations Benchmark v5.0.0, CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.4.0, AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2, PCI DSS v4.0.1 | MEDIUM | No | Change triggered +[EC2.22](./ec2-controls.html#ec2-22) | Unused EC2 security groups should be removed | | MEDIUM | No | Periodic @@ -186 +190 @@ Security control ID | Security control title | Applicable standards | Severity | -[EC2.25](./ec2-controls.html#ec2-25) | EC2 launch templates should not assign public IPs to network interfaces | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | HIGH | No | Change triggered +[EC2.25](./ec2-controls.html#ec2-25) | EC2 launch templates should not assign public IPs to network interfaces | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 | HIGH | No | Change triggered @@ -227,3 +231,4 @@ Security control ID | Security control title | Applicable standards | Severity | -[ECR.1](./ecr-controls.html#ecr-1) | ECR private repositories should have image scanning configured | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | HIGH | No | Periodic -[ECR.2](./ecr-controls.html#ecr-2) | ECR private repositories should have tag immutability configured | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | No | Change triggered -[ECR.3](./ecr-controls.html#ecr-3) | ECR repositories should have at least one lifecycle policy configured | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | No | Change triggered +[EC2.182](./ec2-controls.html#ec2-182) | EBS Snapshots should not be publicly accessible | AWS Foundational Security Best Practices | HIGH | No | Change triggered +[ECR.1](./ecr-controls.html#ecr-1) | ECR private repositories should have image scanning configured | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 | HIGH | No | Periodic +[ECR.2](./ecr-controls.html#ecr-2) | ECR private repositories should have tag immutability configured | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | No | Change triggered +[ECR.3](./ecr-controls.html#ecr-3) | ECR repositories should have at least one lifecycle policy configured | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | No | Change triggered @@ -232,6 +237,6 @@ Security control ID | Security control title | Applicable standards | Severity | -[ECS.1](./ecs-controls.html#ecs-1) | Amazon ECS task definitions should have secure networking modes and user definitions. | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | HIGH | No | Change triggered -[ECS.2](./ecs-controls.html#ecs-2) | ECS services should not have public IP addresses assigned to them automatically | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | HIGH | No | Change triggered -[ECS.3](./ecs-controls.html#ecs-3) | ECS task definitions should not share the host's process namespace | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | HIGH | No | Change triggered -[ECS.4](./ecs-controls.html#ecs-4) | ECS containers should run as non-privileged | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | HIGH | No | Change triggered -[ECS.5](./ecs-controls.html#ecs-5) | ECS containers should be limited to read-only access to root filesystems | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | HIGH | No | Change triggered -[ECS.8](./ecs-controls.html#ecs-8) | Secrets should not be passed as container environment variables | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | HIGH | No | Change triggered +[ECS.1](./ecs-controls.html#ecs-1) | Amazon ECS task definitions should have secure networking modes and user definitions. | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | HIGH | No | Change triggered +[ECS.2](./ecs-controls.html#ecs-2) | ECS services should not have public IP addresses assigned to them automatically | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 | HIGH | No | Change triggered +[ECS.3](./ecs-controls.html#ecs-3) | ECS task definitions should not share the host's process namespace | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | HIGH | No | Change triggered +[ECS.4](./ecs-controls.html#ecs-4) | ECS containers should run as non-privileged | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | HIGH | No | Change triggered +[ECS.5](./ecs-controls.html#ecs-5) | ECS containers should be limited to read-only access to root filesystems | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | HIGH | No | Change triggered +[ECS.8](./ecs-controls.html#ecs-8) | Secrets should not be passed as container environment variables | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 | HIGH | No | Change triggered @@ -239,2 +244,2 @@ Security control ID | Security control title | Applicable standards | Severity | -[ECS.10](./ecs-controls.html#ecs-10) | ECS Fargate services should run on the latest Fargate platform version | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | MEDIUM | No | Change triggered -[ECS.12](./ecs-controls.html#ecs-12) | ECS clusters should use Container Insights | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | No | Change triggered +[ECS.10](./ecs-controls.html#ecs-10) | ECS Fargate services should run on the latest Fargate platform version | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 | MEDIUM | No | Change triggered +[ECS.12](./ecs-controls.html#ecs-12) | ECS clusters should use Container Insights | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | No | Change triggered @@ -246,4 +251,5 @@ Security control ID | Security control title | Applicable standards | Severity | -[EFS.1](./efs-controls.html#efs-1) | Elastic File System should be configured to encrypt file data at-rest using AWS KMS | CIS AWS Foundations Benchmark v5.0.0, CIS AWS Foundations Benchmark v3.0.0, AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | No | Periodic -[EFS.2](./efs-controls.html#efs-2) | Amazon EFS volumes should be in backup plans | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | No | Periodic -[EFS.3](./efs-controls.html#efs-3) | EFS access points should enforce a root directory | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | No | Change triggered -[EFS.4](./efs-controls.html#efs-4) | EFS access points should enforce a user identity | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | MEDIUM | No | Change triggered +[ECS.18](./ecs-controls.html#ecs-18) | ECS Task Definitions should use in-transit encryption for EFS volumes | AWS Foundational Security Best Practices | MEDIUM | No | Change triggered +[EFS.1](./efs-controls.html#efs-1) | Elastic File System should be configured to encrypt file data at-rest using AWS KMS | CIS AWS Foundations Benchmark v5.0.0, CIS AWS Foundations Benchmark v3.0.0, AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | No | Periodic +[EFS.2](./efs-controls.html#efs-2) | Amazon EFS volumes should be in backup plans | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | No | Periodic +[EFS.3](./efs-controls.html#efs-3) | EFS access points should enforce a root directory | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | No | Change triggered +[EFS.4](./efs-controls.html#efs-4) | EFS access points should enforce a user identity | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 | MEDIUM | No | Change triggered @@ -255 +261 @@ Security control ID | Security control title | Applicable standards | Severity | -[EKS.2](./eks-controls.html#eks-2) | EKS clusters should run on a supported Kubernetes version | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | HIGH | No | Change triggered +[EKS.2](./eks-controls.html#eks-2) | EKS clusters should run on a supported Kubernetes version | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 | HIGH | No | Change triggered @@ -267,2 +273,2 @@ Security control ID | Security control title | Applicable standards | Severity | -[ElasticBeanstalk.1](./elasticbeanstalk-controls.html#elasticbeanstalk-1) | Elastic Beanstalk environments should have enhanced health reporting enabled | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | LOW | No | Change triggered -[ElasticBeanstalk.2](./elasticbeanstalk-controls.html#elasticbeanstalk-2) | Elastic Beanstalk managed platform updates should be enabled | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | HIGH | Yes | Change triggered +[ElasticBeanstalk.1](./elasticbeanstalk-controls.html#elasticbeanstalk-1) | Elastic Beanstalk environments should have enhanced health reporting enabled | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | LOW | No | Change triggered +[ElasticBeanstalk.2](./elasticbeanstalk-controls.html#elasticbeanstalk-2) | Elastic Beanstalk managed platform updates should be enabled | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 | HIGH | Yes | Change triggered @@ -270,13 +276,13 @@ Security control ID | Security control title | Applicable standards | Severity | -[ELB.1](./elb-controls.html#elb-1) | Application Load Balancer should be configured to redirect all HTTP requests to HTTPS | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5 | MEDIUM | No | Periodic -[ELB.2](./elb-controls.html#elb-2) | Classic Load Balancers with SSL/HTTPS listeners should use a certificate provided by AWS Certificate Manager | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2 | MEDIUM | No | Change triggered -[ELB.3](./elb-controls.html#elb-3) | Classic Load Balancer listeners should be configured with HTTPS or TLS termination | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | MEDIUM | No | Change triggered -[ELB.4](./elb-controls.html#elb-4) | Application Load Balancer should be configured to drop http headers | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | MEDIUM | No | Change triggered -[ELB.5](./elb-controls.html#elb-5) | Application and Classic Load Balancers logging should be enabled | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | No | Change triggered -[ELB.6](./elb-controls.html#elb-6) | Application, Gateway, and Network Load Balancers should have deletion protection enabled | AWS Foundational Security Best Practices, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | No | Change triggered -[ELB.7](./elb-controls.html#elb-7) | Classic Load Balancers should have connection draining enabled | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | LOW | No | Change triggered -[ELB.8](./elb-controls.html#elb-8) | Classic Load Balancers with SSL listeners should use a predefined security policy that has strong configuration | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | MEDIUM | No | Change triggered -[ELB.9](./elb-controls.html#elb-9) | Classic Load Balancers should have cross-zone load balancing enabled | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | No | Change triggered -[ELB.10](./elb-controls.html#elb-10) | Classic Load Balancer should span multiple Availability Zones | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | Yes | Change triggered -[ELB.12](./elb-controls.html#elb-12) | Application Load Balancer should be configured with defensive or strictest desync mitigation mode | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | MEDIUM | No | Change triggered -[ELB.13](./elb-controls.html#elb-13) | Application, Network and Gateway Load Balancers should span multiple Availability Zones | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | Yes | Change triggered -[ELB.14](./elb-controls.html#elb-14) | Classic Load Balancer should be configured with defensive or strictest desync mitigation mode | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | MEDIUM | No | Change triggered +[ELB.1](./elb-controls.html#elb-1) | Application Load Balancer should be configured to redirect all HTTP requests to HTTPS | AWS Foundational Security Best Practices v1.0.0, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5 | MEDIUM | No | Periodic +[ELB.2](./elb-controls.html#elb-2) | Classic Load Balancers with SSL/HTTPS listeners should use a certificate provided by AWS Certificate Manager | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2 | MEDIUM | No | Change triggered +[ELB.3](./elb-controls.html#elb-3) | Classic Load Balancer listeners should be configured with HTTPS or TLS termination | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2, PCI DSS v4.0.1 | MEDIUM | No | Change triggered +[ELB.4](./elb-controls.html#elb-4) | Application Load Balancer should be configured to drop http headers | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 | MEDIUM | No | Change triggered +[ELB.5](./elb-controls.html#elb-5) | Application and Classic Load Balancers logging should be enabled | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | No | Change triggered +[ELB.6](./elb-controls.html#elb-6) | Application, Gateway, and Network Load Balancers should have deletion protection enabled | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5 | MEDIUM | No | Change triggered +[ELB.7](./elb-controls.html#elb-7) | Classic Load Balancers should have connection draining enabled | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | LOW | No | Change triggered +[ELB.8](./elb-controls.html#elb-8) | Classic Load Balancers with SSL listeners should use a predefined security policy that has strong configuration | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2, PCI DSS v4.0.1 | MEDIUM | No | Change triggered +[ELB.9](./elb-controls.html#elb-9) | Classic Load Balancers should have cross-zone load balancing enabled | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | No | Change triggered +[ELB.10](./elb-controls.html#elb-10) | Classic Load Balancer should span multiple Availability Zones | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | Yes | Change triggered +[ELB.12](./elb-controls.html#elb-12) | Application Load Balancer should be configured with defensive or strictest desync mitigation mode | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 | MEDIUM | No | Change triggered +[ELB.13](./elb-controls.html#elb-13) | Application, Network and Gateway Load Balancers should span multiple Availability Zones | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | Yes | Change triggered +[ELB.14](./elb-controls.html#elb-14) | Classic Load Balancer should be configured with defensive or strictest desync mitigation mode | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 | MEDIUM | No | Change triggered @@ -286 +292 @@ Security control ID | Security control title | Applicable standards | Severity | -[EMR.1](./emr-controls.html#emr-1) | Amazon EMR cluster primary nodes should not have public IP addresses | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | HIGH | No | Periodic +[EMR.1](./emr-controls.html#emr-1) | Amazon EMR cluster primary nodes should not have public IP addresses | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 | HIGH | No | Periodic @@ -290,8 +296,8 @@ Security control ID | Security control title | Applicable standards | Severity | -[ES.1](./es-controls.html#es-1) | Elasticsearch domains should have encryption at-rest enabled | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5 | MEDIUM | No | Periodic -[ES.2](./es-controls.html#es-2) | Elasticsearch domains should not be publicly accessible | AWS Foundational Security Best Practices, PCI DSS v3.2.1, PCI DSS v4.0.1, NIST SP 800-53 Rev. 5, Service-Managed Standard: AWS Control Tower | CRITICAL | No | Periodic -[ES.3](./es-controls.html#es-3) | Elasticsearch domains should encrypt data sent between nodes | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower, | MEDIUM | No | Change triggered -[ES.4](./es-controls.html#es-4) | Elasticsearch domain error logging to CloudWatch Logs should be enabled | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | No | Change triggered -[ES.5](./es-controls.html#es-5) | Elasticsearch domains should have audit logging enabled | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, Service-Managed Standard: AWS Control Tower | MEDIUM | No | Change triggered -[ES.6](./es-controls.html#es-6) | Elasticsearch domains should have at least three data nodes | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | No | Change triggered -[ES.7](./es-controls.html#es-7) | Elasticsearch domains should be configured with at least three dedicated master nodes | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | No | Change triggered -[ES.8](./es-controls.html#es-8) | Connections to Elasticsearch domains should be encrypted using the latest TLS security policy | AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | MEDIUM | No | Change triggered +[ES.1](./es-controls.html#es-1) | Elasticsearch domains should have encryption at-rest enabled | AWS Foundational Security Best Practices v1.0.0, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5 | MEDIUM | No | Periodic +[ES.2](./es-controls.html#es-2) | Elasticsearch domains should not be publicly accessible | AWS Foundational Security Best Practices, PCI DSS v3.2.1, PCI DSS v4.0.1, NIST SP 800-53 Rev. 5 | CRITICAL | No | Periodic