AWS Security Hub - AWS Foundational Security Best Practices controls
[ACM.1] Imported ACM certificates should be renewed within 90 days of expiration
[CloudTrail.1] CloudTrail should be enabled and configured with at least one multi-region trail
[CloudTrail.2] CloudTrail should have encryption at-rest enabled
[CodeBuild.1] CodeBuild GitHub or Bitbucket source repository URLs should use OAuth
[CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials
[Config.1] AWS Config should be enabled
[EC2.1] EBS snapshots should not be public, determined by the ability to be restorable by anyone
[EC2.2] The VPC default security group should not allow inbound and outbound traffic
[EC2.3] Attached EBS volumes should be encrypted at-rest
[EFS.1] Elastic File System should be configured to encrypt file data at-rest using AWS KMS
[ELBv2.1] Application Load Balancer should be configured to redirect all HTTP requests to HTTPS
[ES.1] ElasticSearch domains should have encryption at-rest enabled
[GuardDuty.1] GuardDuty should be enabled
[IAM.1] IAM policies should not allow full '*' administrative privileges
[IAM.2] IAM users should not have IAM policies attached
[IAM.3] IAM users' access keys should be rotated every 90 days or less
[IAM.4] IAM root user access key should not exist
[IAM.5] MFA should be enabled for all IAM users that have a console password
[IAM.6] Hardware MFA should be enabled for the root user
[IAM.7] Password policies for IAM users should have strong configurations
[Lambda.1] Lambda functions should prohibit public access by other accounts
[Lambda.2] Lambda functions should use the latest runtimes
[RDS.1] RDS snapshot should be private
[RDS.2] RDS DB Instances should prohibit public access, determined by the PubliclyAccessible configuration
[RDS.3] RDS DB instances should have encryption at-rest enabled
[S3.1] S3 Block Public Access setting should be enabled
[S3.2] S3 buckets should prohibit public read access
[S3.3] S3 buckets should prohibit public write access
[S3.4] S3 buckets should have server-side encryption enabled
[SSM.1] EC2 instances should be managed by AWS Systems Manager
[SSM.2] EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation