mchancloud · April 24, 2020 19:36
diff --git a/aws-foundational-security-best-practices-controls.txt b/aws-foundational-security-best-practices-controls.txt
 [ACM.1] Imported ACM certificates should be renewed within 90 days of expiration
 [CloudTrail.1] CloudTrail should be enabled and configured with at least one multi-region trail
 [CloudTrail.2] CloudTrail should have encryption at-rest enabled
 [CodeBuild.1] CodeBuild GitHub or Bitbucket source repository URLs should use OAuth
 [CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials
 [Config.1AWS] Config should be enabled
 [EC2.1] EBS snapshots should not be public, determined by the ability to be restorable by anyone
 [EC2.2] The VPC default security group should not allow inbound and outbound traffic
 [EC2.3] Attached EBS volumes should be encrypted at-rest
 [EFS.1] Elastic File System should be configured to encrypt file data at-rest using AWS KMS
 [ELBv2.1] Application Load Balancer should be configured to redirect all HTTP requests to HTTPS
 [ES.1] ElasticSearch domains should have encryption at-rest enabled
 [GuardDuty.1] GuardDuty should be enabled
 [IAM.1] IAM policies should not allow full '*' administrative privileges
 [IAM.2] IAM users should not have IAM policies attached
 [IAM.3] IAM users access keys should be rotated every 90 days or less
 [IAM.4] IAM root user access key should not exist
 [IAM.5] MFA should be enabled for all IAM users that have console password
 [IAM.6] Hardware MFA should be enabled for the root user
 [IAM.7] Password policies for IAM users should have strong configurations
 [Lambda.1] Lambda functions should prohibit public access by other accounts
 [Lambda.2] Lambda functions should use latest runtimes
 [RDS.1] RDS snapshot should be private
 [RDS.2] RDS DB Instances should prohibit public access, determined by the PubliclyAccessible configuration
 [RDS.3] RDS DB instances should have encryption at-rest enabled
 [S3.1] S3 Block Public Access setting should be enabled
 [S3.2] S3 buckets should prohibit public read access
 [S3.3] S3 buckets should prohibit public write access
 [S3.4] S3 buckets should have server-side encryption enabled
 [SSM.1] EC2 instances should be managed by AWS Systems Manager
 [SSM.2] EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation
	[ACM.1] Imported ACM certificates should be renewed within 90 days of expiration
	[CloudTrail.1] CloudTrail should be enabled and configured with at least one multi-region trail
	[CloudTrail.2] CloudTrail should have encryption at-rest enabled
	[CodeBuild.1] CodeBuild GitHub or Bitbucket source repository URLs should use OAuth
	[CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials
	[Config.1AWS] Config should be enabled
	[EC2.1] EBS snapshots should not be public, determined by the ability to be restorable by anyone
	[EC2.2] The VPC default security group should not allow inbound and outbound traffic
	[EC2.3] Attached EBS volumes should be encrypted at-rest
	[EFS.1] Elastic File System should be configured to encrypt file data at-rest using AWS KMS
	[ELBv2.1] Application Load Balancer should be configured to redirect all HTTP requests to HTTPS
	[ES.1] ElasticSearch domains should have encryption at-rest enabled
	[GuardDuty.1] GuardDuty should be enabled
	[IAM.1] IAM policies should not allow full '*' administrative privileges
	[IAM.2] IAM users should not have IAM policies attached
	[IAM.3] IAM users access keys should be rotated every 90 days or less
	[IAM.4] IAM root user access key should not exist
	[IAM.5] MFA should be enabled for all IAM users that have console password
	[IAM.6] Hardware MFA should be enabled for the root user
	[IAM.7] Password policies for IAM users should have strong configurations
	[Lambda.1] Lambda functions should prohibit public access by other accounts
	[Lambda.2] Lambda functions should use latest runtimes
	[RDS.1] RDS snapshot should be private
	[RDS.2] RDS DB Instances should prohibit public access, determined by the PubliclyAccessible configuration
	[RDS.3] RDS DB instances should have encryption at-rest enabled
	[S3.1] S3 Block Public Access setting should be enabled
	[S3.2] S3 buckets should prohibit public read access
	[S3.3] S3 buckets should prohibit public write access
	[S3.4] S3 buckets should have server-side encryption enabled
	[SSM.1] EC2 instances should be managed by AWS Systems Manager
	[SSM.2] EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation