AWS Security Hub controls

No security contact is set for AWS to reach you

Certificates are close to expiry

An ACM RSA certificate uses a key shorter than 2048 bits

REST/WebSocket API execution logging

REST stages should use SSL certs for backend auth

API Gateway should be associated with a WAF web ACL

REST API cache data should be encrypted at rest

Routes should specify an authorization type

V2 stages should have access logging

V2 integrations should use HTTPS for private connections

Domain names should use recommended security policies

AppSync should have field-level logging

An AppSync GraphQL API is authenticated with API keys

Athena query access is not logged

ASGs with an LB should use ELB health checks

A single-AZ Auto Scaling group is one outage from zero capacity

Launched instances still allow IMDSv1

A launch config gives ASG instances public IPs

ASGs should use multiple instance types/AZs

Deprecated launch configurations are still in use

Backup vault recovery points are not KMS-encrypted

Stacks can be deleted without termination protection

Stacks deploy with user creds instead of a scoped role

No default root object, exposing the distribution listing

Distributions should require encryption in transit

Distributions should have logging enabled

Distributions should have WAF enabled

Distributions should encrypt traffic to custom origins

No deprecated SSL protocols to custom origins

A distribution points at a non-existent S3 origin (takeover risk)

Distributions should use origin access control

Distributions should use recommended TLS policy

OAC for Lambda function URL origins

Use trusted key groups for signed URLs/cookies

No multi-Region trail captures read/write management events

CloudTrail logs are not KMS-encrypted

No CloudTrail trail is enabled at all

CloudTrail log file validation should be enabled

CloudTrail is not wired to CloudWatch for alerting

The CloudTrail log bucket is publicly accessible

Enable access logging on the CloudTrail S3 bucket

CloudTrail Lake stores should use customer-managed KMS

A CodeBuild Bitbucket URL contains embedded credentials

CodeBuild env vars contain clear-text credentials

CodeBuild S3 logs should be encrypted

Projects should have a logging configuration

Report group exports should be encrypted at rest

Cognito threat protection is not enforced

Cognito password policy is too weak

Cognito threat protection is not enforced

Cognito users can sign in without MFA

A Cognito user pool can be deleted by accident

AWS Config is off, so most other controls cannot evaluate

DataSync tasks should have logging enabled

A DMS replication instance is publicly accessible

DMS instances auto minor version upgrade

DMS target DB tasks should have logging

DMS source DB tasks should have logging

DMS endpoints should use SSL

DMS Neptune endpoints should have IAM auth

DMS MongoDB endpoints should have auth

DMS Redis endpoints should have TLS

DMS replication instances should be Multi-AZ

DocumentDB clusters should encrypt at rest

DocumentDB adequate backup retention

A DocumentDB manual snapshot is public

DocumentDB clusters should export audit logs to CW

DocumentDB clusters should have deletion protection

DocumentDB clusters should encrypt in transit

DynamoDB tables should auto-scale capacity

DynamoDB tables should have PITR

DAX clusters should be encrypted at rest

DynamoDB tables should be in a backup plan

DynamoDB tables should have deletion protection

DAX clusters should be encrypted in transit

An EBS snapshot is publicly restorable by any account

Default security groups still allow traffic

Attached EBS volumes are not encrypted at rest

Long-stopped instances are abandoned attack surface

No VPC flow logs, so there is no network audit trail

New EBS volumes are not encrypted by default

IMDSv1 lets an SSRF steal instance credentials

Instances are directly reachable on public IPv4

EC2 API traffic leaves the VPC over the internet

SSH (port 22) is open to the entire internet

RDP (port 3389) is open to the entire internet

Subnets auto-assign public IPs to new instances

Instances with multiple ENIs can bridge network boundaries

Security groups open ports beyond what is authorised

Security groups expose SSH, RDP, or database ports to the world

Both Site-to-Site VPN tunnels should be up

NACLs should not allow ingress to ports 22/3389

A Transit Gateway auto-accepts any VPC attachment request

Paravirtual instance types should not be used

A launch template assigns public IPs to new instances

Client VPN endpoints should log connections

VPC is missing an ECR API endpoint

VPC is missing a Docker Registry endpoint

VPC is missing a Systems Manager endpoint

VPC is missing an Incident Manager Contacts endpoint

VPC is missing an Incident Manager endpoint

Site-to-site VPN tunnels are not logging

VPC Block Public Access is not enabled

ENIs with source/dest check off can route around controls

A public EBS snapshot exposes an entire disk

VPN is using deprecated IKEv1

Container images are not scanned on push

Mutable image tags can be swapped under you

ECR repos grow without lifecycle cleanup

An ECS service auto-assigns public IPs to tasks

A task definition shares the host PID namespace

A container runs in privileged mode

A container has a writable root filesystem

Secrets are passed as plaintext container env vars

A task definition has no logging configuration

Fargate services should run latest platform version

ECS clusters should use Container Insights

An ECS task set auto-assigns public IPs

ECS task defs should encrypt EFS volumes in transit

Capacity providers managed termination protection

Linux containers should run as non-root users

Windows containers should run as non-admin users

EFS data is not encrypted at rest

EFS has no automatic backups

EFS access points should enforce a root directory

EFS access points should enforce a user identity

Mount targets not in public-IP subnets

EFS file systems should have automatic backups

EFS file systems should be encrypted at rest

An EKS cluster API endpoint is public

An EKS cluster runs an unsupported Kubernetes version

EKS clusters should use encrypted K8s secrets

EKS clusters should have audit logging

An EKS node group runs an unsupported Kubernetes version

A Redis cluster has no automatic backups

ElastiCache is not auto-applying minor patches

Replication groups should have auto-failover

Replication groups encrypted at rest

Replication groups encrypted in transit

Redis replication groups should have AUTH

A cluster uses the default subnet group

Environments should have enhanced health reporting

Managed platform updates are disabled

Beanstalk logs are not streamed to CloudWatch

ALB serves HTTP without redirecting to HTTPS

CLB SSL/HTTPS listeners should use ACM certs

CLB listeners should use HTTPS/TLS termination

ALB accepts malformed HTTP headers

Load balancers are not writing access logs

Load balancers can be deleted by accident

CLBs should have connection draining

CLB SSL listeners should use strong policy

CLBs should have cross-zone balancing

CLBs should span multiple AZs

ALB desync mitigation mode

A single-AZ load balancer is a data-plane single point of failure

CLB desync mitigation mode

ALBs should be associated with a WAF web ACL

TLS policy allows weak ciphers or TLS 1.0 to 1.1

A public listener exposes traffic over plain HTTP

Health-check probes ride unencrypted HTTP

Load-balancer-to-target traffic is not encrypted

ALB serves HTTP without redirecting to HTTPS

An EMR primary node has a public IP

EMR account-level block public access is off

EMR security configs should encrypt at rest

EMR security configs should encrypt in transit

ES domains should encrypt at rest

A legacy Elasticsearch domain is publicly accessible

ES should encrypt node-to-node traffic

ES error logging to CW should be enabled

ES domains should have audit logging

ES domains should have >= 3 data nodes

ES domains should have >= 3 dedicated master nodes

ES should use latest TLS policy

Custom event buses should have a resource policy

Global endpoints should have event replication

FSx for OpenZFS should be Multi-AZ

FSx for NetApp ONTAP should be Multi-AZ

FSx for Windows File Server should be Multi-AZ

Glue ML transforms should be encrypted at rest

Glue Spark jobs on supported versions

GuardDuty threat detection is not enabled

GuardDuty EKS audit log monitoring is off

GuardDuty S3 Protection is off

GuardDuty Runtime Monitoring is off

GuardDuty runtime monitoring is off for EC2

A policy grants full "*" administrative privileges

Policies attached directly to users do not scale or audit cleanly

Long-lived access keys have not been rotated

The root user still has long-lived access keys

Console users without MFA are one phish from compromise

The root user is not protected by hardware MFA

The IAM password policy is too weak

Unused IAM keys and passwords are waiting to be leaked

The root user can sign in without MFA

IAM user password policies should be strong (PCI DSS)

MFA should be enabled for all IAM users

Wildcard permissions grant far more access than intended

IAM credentials unused for 45 days should be removed

Expired IAM-managed SSL/TLS certs should be removed

Identities should not have AWSCloudShellFullAccess attached

No Access Analyzer is watching for unintended external access

EC2 is not being scanned for vulnerabilities

Container images are not scanned by Inspector

Lambda code is not scanned by Inspector

Lambda is not fully covered by Inspector

Kinesis streams should be encrypted at rest

Kinesis streams should have adequate retention

IAM policies should not allow decrypt on all KMS keys

Decrypt is granted on all KMS keys

A KMS key is scheduled for deletion and will take data with it

KMS key rotation should be enabled

A KMS key policy allows public access

A Lambda resource policy allows public invocation

Lambdas run on deprecated, unpatched runtimes

Lambda functions should be in a VPC

VPC Lambda functions should span multiple AZs

Sensitive data in S3 is not being discovered

Macie automated sensitive data discovery is off

MSK should encrypt in transit among broker nodes

MSK Connect connectors encrypted in transit

An MSK cluster allows public access

MSK connectors should have logging

MSK clusters should disable unauthenticated access

Neptune clusters should encrypt at rest

Neptune clusters should export audit logs to CW

A Neptune snapshot is shared publicly

Neptune clusters should have automated backups

Neptune snapshots should be encrypted at rest

Neptune clusters should have IAM DB auth

Neptune clusters should span multiple AZs

Firewalls should span multiple AZs

Network Firewall logging should be enabled

Policies should have >= 1 rule group

Default stateless action (full packets)

Default stateless action (fragmented)

Stateless rule groups should not be empty

Firewalls should have deletion protection

Firewalls should have subnet change protection

OpenSearch domains should encrypt at rest

An OpenSearch domain is reachable from the public internet

OpenSearch should encrypt node-to-node traffic

OpenSearch error logging to CW should be enabled

OpenSearch domains should have audit logging

OpenSearch domains should have >= 3 data nodes

OpenSearch has no fine-grained access control

OpenSearch should use latest TLS policy

OpenSearch should have latest software update

An RDS snapshot is shared publicly

An RDS instance is publicly accessible from the internet

RDS DB instances should be encrypted at rest

RDS snapshots should be encrypted at rest

RDS DB instances should use multiple AZs

RDS lacks enhanced monitoring

RDS clusters should have deletion protection

RDS DB instances should have deletion protection

RDS engine logs are not shipped to CloudWatch

RDS relies on long-lived database passwords

RDS instances should have automatic backups

IAM auth should be configured for RDS clusters

RDS is not receiving automatic minor security patches

Aurora has no backtracking safety net

The RDS or Aurora cluster is single-AZ

RDS sits in a public subnet reachable from the internet

RDS cluster event notification subscriptions

RDS instance event notification subscriptions

RDS parameter-group event notifications

RDS security-group event notifications

RDS runs on a well-known default port

RDS uses a default admin username

RDS instances should use a custom admin username

RDS instances should be in a backup plan

No alerts on RDS failovers or changes

Aurora MySQL clusters should export audit logs to CW

RDS clusters auto minor version upgrade

RDS MySQL accepts unencrypted connections

Aurora PostgreSQL clusters should export logs to CW

RDS PostgreSQL should be encrypted in transit

RDS MySQL should be encrypted in transit

RDS SQL Server should export logs to CW

RDS SQL Server should be encrypted in transit

RDS MariaDB should export logs to CW

RDS DB proxies should require TLS

RDS MariaDB should be encrypted in transit

Aurora MySQL audit logging is off

An RDS instance sits in a public subnet with an internet route

RDS clusters should have adequate backup retention

An Aurora MySQL global cluster runs an unsupported version

A Redshift cluster is publicly accessible

Connections to Redshift should be encrypted in transit

Redshift clusters should have automatic snapshots

Redshift clusters should have audit logging

Redshift should auto-upgrade major versions

Redshift clusters should use enhanced VPC routing

Redshift should not use the default admin username

Redshift clusters should be encrypted at rest

Redshift accepts cluster-port traffic from anywhere

Redshift subnet groups should span multiple AZs

Redshift clusters should have Multi-AZ enabled

DNS query logging is off

Account-level S3 public access is not fully blocked

Public S3 buckets expose data to anyone on the internet

Buckets can be written to by anyone on the internet

S3 is accepting unencrypted HTTP requests

Bucket policy grants broad access to other AWS accounts

Buckets can still be made public; Block Public Access is off

No S3 access logs, so reads and writes go unaudited

Versioned buckets should have lifecycle configurations

Buckets should have event notifications enabled

ACLs should not be used to manage bucket access

Buckets have no lifecycle rules and grow forever

Buckets should have Object Lock enabled

Buckets should be encrypted at rest with KMS keys

An S3 access point can expose the bucket publicly

Buckets should log object-level write events

Buckets should log object-level read events

A Multi-Region Access Point can expose data publicly

A SageMaker notebook has direct internet access

A SageMaker notebook is not launched in a VPC

Users have root access on a SageMaker notebook

Endpoint variants should have > 1 instance

Models should have network isolation enabled

Notebook instances should run supported platforms

Data quality jobs inter-container encryption

Explainability jobs inter-container encryption

Data quality jobs network isolation

Model bias jobs network isolation

Model quality jobs inter-container encryption

Monitoring schedules network isolation

Model bias jobs inter-container encryption

Private registry for primary containers

Feature group offline stores KMS encryption

Private registry for multi-container pipelines

Secrets are not rotated automatically

Rotation-configured secrets should rotate successfully

Stale unused secrets linger as a leak risk

Secrets lack a rotation schedule

An SNS topic policy allows public access

SQS messages are not encrypted at rest

An SQS queue policy allows public access

Instances are not managed by Systems Manager, so no patching or audit

Instances are missing security patches

SSM associations are non-compliant

SSM documents can be shared publicly

SSM Automation runs are not logged

SSM documents can be shared publicly

State machines should have logging on

Transfer servers should not use FTP

Transfer connectors should have logging

WAF Classic global web ACL logging

WAF Classic regional rules should have a condition

WAF Classic regional rule groups should have a rule

WAF Classic regional web ACLs should have a rule

WAF Classic global rules should have a condition

WAF Classic global rule groups should have a rule

WAF Classic global web ACLs should have a rule

WAFv2 web ACLs should have a rule or rule group

WAFv2 web ACL logging should be enabled

WorkSpaces user volumes should be encrypted at rest

WorkSpaces root volumes should be encrypted at rest