{"data":[{"type":"rules","id":"EC2-001","attributes":{"title":"EC2 Security Group Port Range","description":"Ensure no security group opens a range of ports","compliances":["AWAF-2025","AWS-SRA","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-002","attributes":{"title":"Unrestricted SSH Access","description":"Ensure no security groups allow ingress from 0.0.0.0/0 to port 22","compliances":["AWAF-2025","AWAF-ML-2025","AWS-SRA","CISAWSF-3_0","CISAWSF-4_0_1","CISAWSF-5_0","CISAWSF-6_0","CISAWSF-7_0","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-003","attributes":{"title":"Unrestricted RDP Access","description":"Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389","compliances":["AWAF-2025","AWAF-ML-2025","AWS-SRA","CISAWSF-3_0","CISAWSF-4_0_1","CISAWSF-5_0","CISAWSF-6_0","CISAWSF-7_0","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-004","attributes":{"title":"Unrestricted Oracle Database Access","description":"Ensure no security group allows unrestricted ingress access to port 
1521","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-005","attributes":{"title":"Unrestricted MySQL Database Access","description":"Ensure no security group allows unrestricted ingress access to port 3306","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-006","attributes":{"title":"Unrestricted PostgreSQL Database Access","description":"Ensure no security group allows unrestricted ingress access to port 5432","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-007","attributes":{"title":"Unrestricted DNS Access","description":"Ensure no security group allows unrestricted ingress access to port 53","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-008","attributes":{"title":"Unrestricted MSSQL Database Access","description":"Ensure no security group allows unrestricted ingress access to port 
1433","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-016","attributes":{"title":"Default Security Group Unrestricted","description":"Ensure the default security group of every VPC restricts all traffic","compliances":["AWAF-2025","AWAF-ML-2025","CISAWSF-3_0","CISAWSF-4_0_1","CISAWSF-5_0","CISAWSF-6_0","CISAWSF-7_0","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-017","attributes":{"title":"Desired Instance Type(s)","description":"Ensure all EC2 instances are of a given instance type","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","NIST-CSF","NIST-CSF-2_0","ISO27001-2022","HITRUST","PCI-V4","FEDRAMP","MAS","FISC-V12"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-021","attributes":{"title":"EC2 Instance Using IAM Roles","description":"Ensure IAM instance roles are used for AWS resource access from instances","compliances":["AWAF-2025","CISAWSF-3_0","CISAWSF-4_0_1","CISAWSF-5_0","CISAWSF-6_0","CISAWSF-7_0","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-025","attributes":{"title":"EC2 Instance Tenancy","description":"Ensure EC2 instances have desired tenancy for compliance and regulatory 
requirements","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI-V4","APRA","MAS","NIS-2","FISC-V12"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-027","attributes":{"title":"Instance In Auto Scaling Group","description":"Ensure every EC2 instance is launched inside an Auto Scaling Group to help improve the availability and scalability of your applications","compliances":["AWAF-2025","NIST4","NIST5","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI-V4","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-028","attributes":{"title":"Approved/Golden AMIs","description":"Ensure all EC2 instances are launched from your approved AMIs","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-029","attributes":{"title":"EC2 Instance Generation","description":"Ensure you always use the latest generation of EC2 instances to get better performance with lower cost","compliances":["AWAF-2025","AWAF-ML-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-030","attributes":{"title":"EC2 Instance Termination Protection","description":"Ensure termination protection safety feature is enabled for ec2 instances that aren't part of 
ASGs","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-031","attributes":{"title":"Default Security Groups In Use","description":"Ensure default security groups aren't in use. Instead create unique security groups to better adhere to the principle of least privilege","compliances":["AWAF-2025","AWAF-ML-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-032","attributes":{"title":"SecurityGroup RFC 1918","description":"Ensure no security group contains RFC 1918 CIDRs","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-033","attributes":{"title":"Unrestricted Outbound Access","description":"Ensure no security group contains any 0.0.0.0/0 egress rules","compliances":["AWAF-2025","AWAF-ML-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-034","attributes":{"title":"Unrestricted Security Group Ingress on Uncommon Ports","description":"Ensure no security group contains any 0.0.0.0/0 ingress 
rules","compliances":["AWAF-2025","AWAF-ML-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-035","attributes":{"title":"EC2 Instance Naming Conventions","description":"Follow proper naming conventions for EC2 instances","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST5","MAS","FISC-V12"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-036","attributes":{"title":"Security Group Naming Conventions","description":"Follow proper naming conventions for security groups","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST5","MAS"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-038","attributes":{"title":"Unrestricted Telnet Access","description":"Ensure no security group allows unrestricted inbound access to TCP port 23 (Telnet)","compliances":["AWAF-2025","CISAWSF-3_0","CISAWSF-4_0_1","CISAWSF-5_0","CISAWSF-6_0","CISAWSF-7_0","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-039","attributes":{"title":"Unrestricted SMTP Access","description":"Ensure no security group allows unrestricted inbound access to TCP port 25 (SMTP)","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-040","attributes":{"title":"Unrestricted RPC Access","description":"Ensure no security group allows unrestricted inbound access to TCP port 135 
(RPC)","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-041","attributes":{"title":"Unrestricted NetBIOS Access","description":"Ensure no security group allows unrestricted inbound access to ports UDP/137, UDP/138, and TCP/139 (NetBIOS)","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-042","attributes":{"title":"Unrestricted FTP Access","description":"Ensure no security group allows unrestricted inbound access to TCP ports 20 and 21 (FTP)","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-043","attributes":{"title":"Unrestricted CIFS Access","description":"Ensure no security group allows unrestricted inbound access to UDP port 445 (CIFS)","compliances":["AWAF-2025","CISAWSF-4_0_1","CISAWSF-5_0","CISAWSF-6_0","CISAWSF-7_0","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-044","attributes":{"title":"Unrestricted ICMP Access","description":"Ensure no security group allows unrestricted inbound access to 
ICMP","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-045","attributes":{"title":"Unrestricted MongoDB Access","description":"Ensure no security group allows unrestricted ingress access to port 27017","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-046","attributes":{"title":"Blocklisted AMIs","description":"Ensure no EC2 instance is launched from any blocklisted AMIs","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-053","attributes":{"title":"EC2 Instance Dedicated Tenancy","description":"Ensure dedicated EC2 instances are regularly reviewed","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-058","attributes":{"title":"EC2 Instance Detailed Monitoring","description":"Ensure that detailed monitoring is enabled for the AWS EC2 instances that you need to monitor 
closely","compliances":["AWAF-2025","AWAF-ML-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-059","attributes":{"title":"Descriptions for Security Group Rules","description":"Ensure AWS EC2 security group rules have descriptive text for organization and documentation","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST5","PCI","MAS","FISC-V12"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-060","attributes":{"title":"Unused Elastic Network Interfaces","description":"Identify and delete any unused Elastic Network Interfaces","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","NIST-CSF","NIST-CSF-2_0","ISO27001","AGISM-2024","PCI","PCI-V4","MAS","FISC-V12"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-061","attributes":{"title":"Security Group Name Prefixed With 'launch-wizard'","description":"Ensure no security group name is prefixed with 'launch-wizard'","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST5","ASAE-3150","MAS","FISC-V12"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-063","attributes":{"title":"Unrestricted OpenSearch Access","description":"Ensure no security group allows unrestricted ingress access to port 9200","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-064","attributes":{"title":"Unrestricted HTTP Access","description":"Ensure no security group allows unrestricted ingress access to port 
80","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-065","attributes":{"title":"Unrestricted HTTPS Access","description":"Ensure no security group allows unrestricted ingress access to port 443","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-066","attributes":{"title":"EC2 Hibernation","description":"Enable hibernation as an additional stop behavior for your EC2 instances backed by Amazon EBS in order to reduce the time it takes for these instances to return to service at restart","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HITRUST","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-069","attributes":{"title":"Web-Tier EC2 Instance Using IAM Roles","description":"Ensure web-tier IAM instance roles are used for AWS resource access from instances","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-070","attributes":{"title":"App-Tier EC2 Instance Using IAM Roles","description":"Ensure that your app-tier EC2 instances are using IAM roles to grant permissions to applications running on these 
instances","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-071","attributes":{"title":"EC2 Instances with Unapproved Instance Types","description":"Ensure there is no EC2 instance with the instance type blocklisted, available in your AWS account","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-074","attributes":{"title":"Unrestricted Redis Cache Access","description":"Ensure that no security group allows unrestricted inbound access on TCP port 6379 (Redis)","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-075","attributes":{"title":"Unrestricted Memcached Access","description":"Ensure that no security group allows unrestricted inbound access on TCP/UDP port 11211 (Memcached)","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-077","attributes":{"title":"Require IMDSv2 for EC2 Instances","description":"Ensure that all the Amazon EC2 instances require the use of Instance Metadata Service Version 2 
(IMDSv2)","compliances":["AWAF-2025","CISAWSF-3_0","CISAWSF-4_0_1","CISAWSF-5_0","CISAWSF-6_0","CISAWSF-7_0","CIS-V8","CIS-V8_1","NIST5","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HITRUST","PCI-V4","APRA","NIS-2","ISMS-P"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"ELB-002","attributes":{"title":"ELB Cross-Zone Load Balancing Enabled","description":"Ensure Cross-Zone Load Balancing is enabled for all load balancers. Also select at least two subnets in different availability zones to provide higher availability","compliances":["AWAF-2025","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"ELB"}},{"type":"rules","id":"ELB-003","attributes":{"title":"ELB Connection Draining Enabled","description":"Ensure connection draining is enabled for all load balancers","compliances":["AWAF-2025","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI-V4","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"ELB"}},{"type":"rules","id":"ELB-004","attributes":{"title":"ELB Security Policy","description":"Ensure ELBs use the latest predefined security policies","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"ELB"}},{"type":"rules","id":"ELB-005","attributes":{"title":"ELB Insecure SSL Protocols","description":"Ensure ELBs don't use insecure SSL 
protocols","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"ELB"}},{"type":"rules","id":"ELB-006","attributes":{"title":"ELB Insecure SSL Ciphers","description":"Ensure ELBs don't use insecure SSL ciphers","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"ELB"}},{"type":"rules","id":"ELB-008","attributes":{"title":"ELB Listener Security","description":"Ensure ELB listener uses a secure HTTPS or SSL protocol","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"ELB"}},{"type":"rules","id":"ELB-009","attributes":{"title":"ELB Access Log","description":"Ensure ELB access logging is enabled for security, troubleshooting, and statistical analysis purposes","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"ELB"}},{"type":"rules","id":"ELB-011","attributes":{"title":"Classic Load Balancer","description":"Ensure HTTP/HTTPS applications are using Application Load Balancer instead of Classic Load Balancer for cost and web traffic distribution 
optimization","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"aws","service":"ELB"}},{"type":"rules","id":"ELB-013","attributes":{"title":"Internet Facing ELBs","description":"Ensure Amazon internet-facing ELBs/ALBs are regularly reviewed for security purposes","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"ELB"}},{"type":"rules","id":"ELB-015","attributes":{"title":"Web-Tier ELB Security Policy","description":"Ensure web-tier ELBs use the latest predefined security policies","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"aws","service":"ELB"}},{"type":"rules","id":"ELB-016","attributes":{"title":"App-Tier ELB Security Policy","description":"Ensure app-tier ELBs use the latest predefined security policies","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"aws","service":"ELB"}},{"type":"rules","id":"ELB-017","attributes":{"title":"Web-Tier ELB Listener Security","description":"Ensure web-tier ELB listener uses a secure HTTPS or SSL protocol","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"aws","service":"ELB"}},{"type":"rules","id":"ELB-018","attributes":{"title":"App-Tier ELB 
Listener Security","description":"Ensure app-tier ELB listener uses a secure HTTPS or SSL protocol","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"aws","service":"ELB"}},{"type":"rules","id":"ELB-021","attributes":{"title":"Web-Tier ELBs Health Check","description":"Ensure web tier Elastic Load Balancer has application layer health check configured","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"aws","service":"ELB"}},{"type":"rules","id":"ELB-022","attributes":{"title":"App-Tier ELBs Health Check","description":"Ensure app tier Elastic Load Balancer has application layer health check configured","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"aws","service":"ELB"}},{"type":"rules","id":"EBS-001","attributes":{"title":"EBS Encrypted","description":"Ensure EBS volumes are encrypted to meet security and encryption compliance requirements. 
Encryption is a key mechanism for you to ensure that you are in full control over who has access to your data","compliances":["GDPR","AWAF-2025","AWAF-ML-2025","CISAWSF-3_0","CISAWSF-4_0_1","CISAWSF-5_0","CISAWSF-6_0","CISAWSF-7_0","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"EBS"}},{"type":"rules","id":"EBS-002","attributes":{"title":"EBS Encrypted With KMS Customer Master Keys","description":"Ensure EBS volumes are encrypted with CMKs to have full control over encrypting and decrypting data","compliances":["GDPR","AWAF-2025","AWAF-ML-2025","CISAWSF-3_0","CISAWSF-4_0_1","CISAWSF-5_0","CISAWSF-6_0","CISAWSF-7_0","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"EBS"}},{"type":"rules","id":"EBS-003","attributes":{"title":"Unused EBS Volumes","description":"Identify and remove any unused Elastic Block Store volumes to improve cost optimization and security","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","PCI","FEDRAMP","MAS","ISMS-P"],"provider":"aws","service":"EBS"}},{"type":"rules","id":"EBS-006","attributes":{"title":"EBS Volume Naming Conventions","description":"Follow proper naming conventions for EBS volumes","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST5","MAS","FISC-V12"],"provider":"aws","service":"EBS"}},{"type":"rules","id":"EBS-007","attributes":{"title":"EBS General Purpose SSD","description":"Ensure EC2 instances are using General Purpose SSD (gp2) EBS volumes instead of Provisioned IOPS SSD (io1) volumes to optimize AWS EBS 
costs","compliances":["AWAF-2025","NIST5","NIST-CSF-2_0","MAS","FISC-V12"],"provider":"aws","service":"EBS"}},{"type":"rules","id":"EBS-012","attributes":{"title":"Web-Tier EBS Encrypted","description":"Ensure web-tier Amazon Elastic Block Store (EBS) volumes are encrypted","compliances":["GDPR","AWAF-2025","CISAWSF-3_0","CISAWSF-4_0_1","CISAWSF-5_0","CISAWSF-6_0","CISAWSF-7_0","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"EBS"}},{"type":"rules","id":"EBS-013","attributes":{"title":"App-Tier EBS Encrypted","description":"Ensure app-tier Amazon Elastic Block Store (EBS) volumes are encrypted","compliances":["GDPR","AWAF-2025","CISAWSF-3_0","CISAWSF-4_0_1","CISAWSF-5_0","CISAWSF-6_0","CISAWSF-7_0","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"EBS"}},{"type":"rules","id":"VPC-001","attributes":{"title":"VPC Flow Logs Enabled","description":"Ensure VPC flow logging is enabled in all VPCs","compliances":["GDPR","AWAF-2025","AWAF-ML-2025","AWS-SRA-AI","CISAWSF-3_0","CISAWSF-4_0_1","CISAWSF-5_0","CISAWSF-6_0","CISAWSF-7_0","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"VPC"}},{"type":"rules","id":"VPC-004","attributes":{"title":"VPC Naming Conventions","description":"Follow proper naming conventions for Virtual Private Clouds","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","MAS"],"provider":"aws","service":"VPC"}},{"type":"rules","id":"VPC-005","attributes":{"title":"VPC Endpoint 
Exposed","description":"Ensure Amazon VPC endpoints aren't exposed to everyone","compliances":["GDPR","AWAF-2025","AWAF-ML-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"VPC"}},{"type":"rules","id":"VPC-006","attributes":{"title":"VPC Endpoint Cross Account Access","description":"Ensure Amazon VPC endpoints don't allow unknown cross account access","compliances":["AWAF-2025","AWAF-ML-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"aws","service":"VPC"}},{"type":"rules","id":"VPC-010","attributes":{"title":"Unrestricted Network ACL Outbound Traffic","description":"Ensure that no Network ACL (NACL) allows outbound/egress traffic to all ports","compliances":["AWAF-2025","CISAWSF-3_0","CISAWSF-4_0_1","CISAWSF-5_0","CISAWSF-6_0","CISAWSF-7_0","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"VPC"}},{"type":"rules","id":"VPC-011","attributes":{"title":"Unrestricted Network ACL Inbound Traffic","description":"Ensure that no Network ACL (NACL) allows inbound/ingress traffic from all ports","compliances":["AWAF-2025","CISAWSF-3_0","CISAWSF-4_0_1","CISAWSF-5_0","CISAWSF-6_0","CISAWSF-7_0","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"VPC"}},{"type":"rules","id":"VPC-015","attributes":{"title":"Ineffective Network ACL DENY Rules","description":"Ensure that Amazon 
Network ACL DENY rules are effective within the VPC configuration","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"VPC"}},{"type":"rules","id":"VPC-017","attributes":{"title":"Unrestricted Inbound Traffic on Remote Server Administration Ports","description":"Ensure that no Network ACL (NACL) allows unrestricted inbound traffic on TCP ports 22 and 3389","compliances":["AWAF-2025","CISAWSF-3_0","CISAWSF-4_0_1","CISAWSF-5_0","CISAWSF-6_0","CISAWSF-7_0","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"VPC"}},{"type":"rules","id":"S3-001","attributes":{"title":"S3 Bucket Public 'READ' Access","description":"Ensure S3 buckets don't allow public READ access","compliances":["GDPR","AWAF-2025","AWAF-AI-2025","AWS-SRA","AWS-SRA-AI","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"S3"}},{"type":"rules","id":"S3-002","attributes":{"title":"S3 Bucket Public 'READ_ACP' Access","description":"Ensure S3 buckets don't allow public READ_ACP access","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"S3"}},{"type":"rules","id":"S3-003","attributes":{"title":"S3 Bucket Public 'WRITE' ACL Access","description":"Ensure S3 buckets don't allow public WRITE ACL 
access","compliances":["AWAF-2025","AWAF-AI-2025","AWS-SRA","AWS-SRA-AI","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"S3"}},{"type":"rules","id":"S3-004","attributes":{"title":"S3 Bucket Public 'WRITE_ACP' Access","description":"Ensure S3 buckets don't allow public WRITE_ACP access","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"S3"}},{"type":"rules","id":"S3-005","attributes":{"title":"S3 Bucket Public 'FULL_CONTROL' Access","description":"Ensure S3 buckets don't allow public FULL_CONTROL access","compliances":["AWAF-2025","AWAF-AI-2025","AWS-SRA","AWS-SRA-AI","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"S3"}},{"type":"rules","id":"S3-006","attributes":{"title":"S3 Bucket Authenticated Users 'READ' Access","description":"Ensure S3 buckets don't allow authenticated users READ access","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"S3"}},{"type":"rules","id":"S3-007","attributes":{"title":"S3 Bucket Authenticated Users 'READ_ACP' Access","description":"Ensure S3 buckets don't allow authenticated users READ_ACP 
access","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"S3"}},{"type":"rules","id":"S3-008","attributes":{"title":"S3 Bucket Authenticated Users 'WRITE' Access","description":"Ensure S3 buckets don't allow authenticated users WRITE access","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"S3"}},{"type":"rules","id":"S3-009","attributes":{"title":"S3 Bucket Authenticated Users 'WRITE_ACP' Access","description":"Ensure S3 buckets don't allow authenticated users WRITE_ACP access","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"S3"}},{"type":"rules","id":"S3-010","attributes":{"title":"S3 Bucket Authenticated Users 'FULL_CONTROL' Access","description":"Ensure S3 buckets don't allow authenticated users FULL_CONTROL access","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"S3"}},{"type":"rules","id":"S3-011","attributes":{"title":"S3 Bucket Logging Enabled","description":"Ensure S3 bucket access logging is enabled for security and access 
audits","compliances":["GDPR","AWAF-2025","AWAF-ML-2025","AWS-SRA","AWS-SRA-AI","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"S3"}},{"type":"rules","id":"S3-012","attributes":{"title":"S3 Bucket Versioning Enabled","description":"Ensure S3 bucket versioning is enabled for an additional level of data protection","compliances":["AWAF-2025","AWS-SRA","AWS-SRA-AI","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"S3"}},{"type":"rules","id":"S3-013","attributes":{"title":"S3 Bucket MFA Delete Enabled","description":"Ensure S3 buckets have an MFA-Delete policy to prevent deletion of files without an MFA token","compliances":["GDPR","AWAF-2025","AWS-SRA","AWS-SRA-AI","CISAWSF-3_0","CISAWSF-4_0_1","CISAWSF-5_0","CISAWSF-6_0","CISAWSF-7_0","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"S3"}},{"type":"rules","id":"S3-015","attributes":{"title":"S3 Cross Account Access","description":"Ensure Amazon S3 buckets don't allow unknown cross account access via bucket policies","compliances":["AWAF-2025","AWAF-AI-2025","AWS-SRA","AWS-SRA-AI","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"S3"}},{"type":"rules","id":"S3-016","attributes":{"title":"Server Side Encryption","description":"Ensure AWS S3 buckets enforce Server-Side 
Encryption","compliances":["GDPR","AWAF-2025","AWAF-ML-2025","AWS-SRA","AWS-SRA-AI","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"S3"}},{"type":"rules","id":"S3-017","attributes":{"title":"Secure Transport","description":"Ensure AWS S3 buckets enforce SSL to secure data in transit","compliances":["AWAF-2025","AWAF-ML-2025","AWS-SRA-AI","CISAWSF-3_0","CISAWSF-4_0_1","CISAWSF-5_0","CISAWSF-6_0","CISAWSF-7_0","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"S3"}},{"type":"rules","id":"S3-018","attributes":{"title":"DNS Compliant S3 Bucket Names","description":"Ensure that your AWS S3 buckets are using DNS-compliant bucket names","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST5","MAS","FISC-V12"],"provider":"aws","service":"S3"}},{"type":"rules","id":"S3-019","attributes":{"title":"S3 Buckets with Website Hosting Configuration Enabled","description":"Review S3 Buckets with Website Configuration Enabled","compliances":["NIST4","AWAF-2025","CIS-V8","CIS-V8_1","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"aws","service":"S3"}},{"type":"rules","id":"S3-020","attributes":{"title":"S3 Buckets Lifecycle Configuration","description":"Ensure that AWS S3 buckets utilize lifecycle configurations to manage S3 objects during their 
lifetime","compliances":["AWAF-2025","AWAF-AI-2025","AWAF-ML-2025","AWS-SRA-AI","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","FEDRAMP","MAS","NIS-2","ISMS-P"],"provider":"aws","service":"S3"}},{"type":"rules","id":"S3-023","attributes":{"title":"S3 Object Lock","description":"Enable AWS S3 Object Lock","compliances":["AWAF-2025","AWS-SRA","AWS-SRA-AI","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI-V4","APRA","FEDRAMP","MAS","NIS-2"],"provider":"aws","service":"S3"}},{"type":"rules","id":"S3-024","attributes":{"title":"S3 Transfer Acceleration","description":"Enable AWS S3 Transfer Acceleration","compliances":["AWAF-2025","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","AGISM-2024","HITRUST","PCI-V4","MAS","NIS-2","FISC-V12"],"provider":"aws","service":"S3"}},{"type":"rules","id":"S3-026","attributes":{"title":"Enable S3 Block Public Access for S3 Buckets","description":"Ensure that Amazon S3 Block Public Access feature is enabled for your S3 buckets to restrict public access to all objects available within these buckets","compliances":["AWAF-2025","AWAF-AI-2025","AWAF-ML-2025","CISAWSF-3_0","CISAWSF-4_0_1","CISAWSF-5_0","CISAWSF-6_0","CISAWSF-7_0","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"S3"}},{"type":"rules","id":"S3-028","attributes":{"title":"Enable S3 Bucket Keys","description":"Ensure that Amazon S3 buckets are using S3 bucket keys to optimize service costs","compliances":["AWAF-2025","AWAF-AI-2025","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","HITRUST","PCI-V4","MAS","NIS-2","FISC-V12"],"provider":"aws","service":"S3"}},{"type":"rules","id":"CT-007","attributes":{"title":"CloudTrail Log File 
Integrity Validation","description":"Ensure CloudTrail log file validation is enabled","compliances":["GDPR","AWAF-2025","AWS-SRA","CISAWSF-3_0","CISAWSF-4_0_1","CISAWSF-5_0","CISAWSF-6_0","CISAWSF-7_0","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"CloudTrail"}},{"type":"rules","id":"CT-008","attributes":{"title":"CloudTrail Logs Encrypted","description":"Ensure CloudTrail logs are encrypted at rest using KMS CMKs","compliances":["GDPR","AWAF-2025","AWAF-ML-2025","AWS-SRA","CISAWSF-3_0","CISAWSF-4_0_1","CISAWSF-5_0","CISAWSF-6_0","CISAWSF-7_0","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"CloudTrail"}},{"type":"rules","id":"CT-009","attributes":{"title":"CloudTrail Integrated With CloudWatch","description":"Ensure CloudTrail trails are integrated with CloudWatch Logs","compliances":["GDPR","AWAF-2025","AWAF-AI-2025","AWAF-ML-2025","AWS-SRA","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"CloudTrail"}},{"type":"rules","id":"CT-010","attributes":{"title":"CloudTrail Management Events","description":"Ensure management events are included into AWS CloudTrail trails 
configuration","compliances":["GDPR","AWAF-2025","AWAF-AI-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"CloudTrail"}},{"type":"rules","id":"CT-011","attributes":{"title":"CloudTrail Delivery Failing","description":"Ensure Amazon CloudTrail trail log files are delivered as expected","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","ASAE-3150","PCI","PCI-V4","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"CloudTrail"}},{"type":"rules","id":"CT-012","attributes":{"title":"CloudTrail Data Events","description":"Ensure CloudTrail trails are configured to log Data events","compliances":["AWAF-2025","AWAF-AI-2025","AWAF-ML-2025","AWS-SRA","CISAWSF-3_0","CISAWSF-4_0_1","CISAWSF-5_0","CISAWSF-6_0","CISAWSF-7_0","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"CloudTrail"}},{"type":"rules","id":"CT-014","attributes":{"title":"CloudTrail S3 Bucket","description":"Ensure that AWS CloudTrail trail uses the designated Amazon S3 bucket","compliances":["AWAF-2025","AWS-SRA","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","FEDRAMP","MAS","NIS-2","ISMS-P"],"provider":"aws","service":"CloudTrail"}},{"type":"rules","id":"RDS-002","attributes":{"title":"RDS Automated Backups Enabled","description":"Ensure automated backups are enabled for RDS instances. 
This feature of Amazon RDS enables point-in-time recovery of your database instance","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"RDS"}},{"type":"rules","id":"RDS-003","attributes":{"title":"RDS Sufficient Backup Retention Period","description":"Ensure RDS instances have a sufficient backup retention period for compliance purposes","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"RDS"}},{"type":"rules","id":"RDS-004","attributes":{"title":"RDS Encryption Enabled","description":"Ensure encryption is set up for RDS instances to fulfill compliance requirements for data-at-rest encryption","compliances":["GDPR","AWAF-2025","CISAWSF-3_0","CISAWSF-4_0_1","CISAWSF-5_0","CISAWSF-6_0","CISAWSF-7_0","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"RDS"}},{"type":"rules","id":"RDS-005","attributes":{"title":"RDS Encrypted With KMS Customer Master Keys","description":"Ensure RDS instances are encrypted with CMKs to have full control over encrypting and decrypting data","compliances":["GDPR","AWAF-2025","CISAWSF-3_0","CISAWSF-4_0_1","CISAWSF-5_0","CISAWSF-6_0","CISAWSF-7_0","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"RDS"}},{"type":"rules","id":"RDS-006","attributes":{"title":"RDS Auto Minor 
Version Upgrade","description":"Ensure Auto Minor Version Upgrade is enabled for RDS to automatically receive minor engine upgrades during the maintenance window","compliances":["AWAF-2025","CISAWSF-3_0","CISAWSF-4_0_1","CISAWSF-5_0","CISAWSF-6_0","CISAWSF-7_0","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"RDS"}},{"type":"rules","id":"RDS-007","attributes":{"title":"RDS Multi-AZ","description":"Ensure RDS instances are launched into Multi-AZ","compliances":["AWAF-2025","CISAWSF-4_0_1","CISAWSF-5_0","CISAWSF-6_0","CISAWSF-7_0","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI-V4","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"RDS"}},{"type":"rules","id":"RDS-008","attributes":{"title":"RDS Publicly Accessible","description":"Ensure RDS instances aren't public facing to minimise security risks","compliances":["GDPR","AWAF-2025","CISAWSF-3_0","CISAWSF-4_0_1","CISAWSF-5_0","CISAWSF-6_0","CISAWSF-7_0","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"RDS"}},{"type":"rules","id":"RDS-009","attributes":{"title":"DB Instance Generation","description":"Ensure you always use the latest generation of DB instances to get better performance with lower cost","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","HITRUST","ASAE-3150","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"RDS"}},{"type":"rules","id":"RDS-010","attributes":{"title":"RDS General Purpose SSD","description":"Ensure RDS instances are using General 
Purpose SSD storage instead of Provisioned IOPS SSD storage to optimize the RDS service costs","compliances":["AWAF-2025","NIST5","NIST-CSF-2_0","MAS","FISC-V12","ISMS-P"],"provider":"aws","service":"RDS"}},{"type":"rules","id":"RDS-011","attributes":{"title":"RDS Default Port","description":"Ensure Amazon RDS database instances aren't using the default ports","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"RDS"}},{"type":"rules","id":"RDS-012","attributes":{"title":"RDS Master Username","description":"Ensure AWS RDS instances are using secure and unique master usernames for their databases","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"RDS"}},{"type":"rules","id":"RDS-025","attributes":{"title":"RDS Desired Instance Type","description":"Ensure that all your AWS RDS database instances are of given instance types","compliances":["AWAF-2025","NIST5","NIST-CSF-2_0","HITRUST","MAS"],"provider":"aws","service":"RDS"}},{"type":"rules","id":"RDS-026","attributes":{"title":"RDS Copy Tags to Snapshots","description":"Enable RDS Copy Tags to Snapshots","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","NIST-CSF","NIST-CSF-2_0","ISO27001-2022","AGISM-2024","HITRUST","PCI-V4","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"RDS"}},{"type":"rules","id":"RDS-030","attributes":{"title":"IAM Database Authentication","description":"Enable IAM Database 
Authentication","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"RDS"}},{"type":"rules","id":"RDS-031","attributes":{"title":"Instance Deletion Protection","description":"Enable AWS RDS Instance Deletion Protection","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST5","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","APRA","MAS","ISMS-P"],"provider":"aws","service":"RDS"}},{"type":"rules","id":"RDS-032","attributes":{"title":"Performance Insights","description":"Enable AWS RDS Performance Insights","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HITRUST","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"aws","service":"RDS"}},{"type":"rules","id":"RDS-033","attributes":{"title":"Log Exports","description":"Enable AWS RDS Log Exports","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"RDS"}},{"type":"rules","id":"RDS-034","attributes":{"title":"Backtrack","description":"Enable Amazon Aurora Backtrack","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"RDS"}},{"type":"rules","id":"RDS-035","attributes":{"title":"Cluster Deletion Protection","description":"Enable AWS RDS Cluster Deletion 
Protection","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"RDS"}},{"type":"rules","id":"RDS-041","attributes":{"title":"Enable Instance Storage AutoScaling","description":"Ensure that RDS Storage AutoScaling feature is enabled to support unpredictable database workload","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"RDS"}},{"type":"rules","id":"RDS-042","attributes":{"title":"Enable Aurora Cluster Copy Tags to Snapshots","description":"Ensure that Amazon Aurora clusters have Copy Tags to Snapshots feature enabled","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","NIST-CSF","NIST-CSF-2_0","ISO27001-2022","AGISM-2024","HITRUST","PCI-V4","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"RDS"}},{"type":"rules","id":"IAM-017","attributes":{"title":"Unused IAM Group","description":"Ensure all IAM groups have at least one user","compliances":["AWAF-2025","AWS-SRA","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"IAM"}},{"type":"rules","id":"IAM-022","attributes":{"title":"IAM Group With Inline Policies","description":"Ensure IAM groups don't have inline policies 
attached","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"IAM"}},{"type":"rules","id":"IAM-045","attributes":{"title":"IAM Policies With Full Administrative Privileges","description":"Ensure IAM policies that allow full '*:*' administrative privileges aren't created","compliances":["AWAF-2025","AWAF-AI-2025","AWAF-ML-2025","CISAWSF-3_0","CISAWSF-4_0_1","CISAWSF-5_0","CISAWSF-6_0","CISAWSF-7_0","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"IAM"}},{"type":"rules","id":"IAM-049","attributes":{"title":"IAM Role Policy Too Permissive","description":"Ensure that the access policies attached to your IAM roles adhere to the principle of least privilege","compliances":["AWAF-2025","AWAF-AI-2025","AWAF-ML-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"IAM"}},{"type":"rules","id":"IAM-050","attributes":{"title":"Cross-Account Access Lacks External ID and MFA","description":"Ensure cross-account access roles are using Multi-Factor Authentication (MFA) or External IDs","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"IAM"}},{"type":"rules","id":"IAM-057","attributes":{"title":"Check for Untrusted Cross-Account IAM Roles","description":"Ensure that AWS IAM roles cannot be used by untrusted accounts 
via cross-account access feature","compliances":["AWAF-2025","AWAF-AI-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"IAM"}},{"type":"rules","id":"IAM-069","attributes":{"title":"Check for Overly Permissive IAM Group Policies","description":"Ensure that Amazon IAM policies attached to IAM groups aren't too permissive","compliances":["AWAF-2025","AWAF-AI-2025","AWAF-ML-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"IAM"}},{"type":"rules","id":"IAM-072","attributes":{"title":"IAM Roles Should Not be Assumed by Multiple Services","description":"Ensure that Amazon IAM roles can only be assumed by a single, trusted service","compliances":["AWAF-2025","AWAF-AI-2025","FISC-V12","ISMS-P"],"provider":"aws","service":"IAM"}},{"type":"rules","id":"KMS-002","attributes":{"title":"Key Rotation Enabled","description":"Ensure rotation for customer created CMKs is enabled","compliances":["AWAF-2025","AWAF-ML-2025","AWS-SRA","AWS-SRA-AI","CISAWSF-3_0","CISAWSF-4_0_1","CISAWSF-5_0","CISAWSF-6_0","CISAWSF-7_0","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"KMS"}},{"type":"rules","id":"KMS-003","attributes":{"title":"Unused Customer Master Key","description":"Identify unused customer master keys, and delete them to help lower the cost of your monthly AWS 
bill","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","NIST-CSF-2_0","ISO27001","AGISM-2024","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","FISC-V12"],"provider":"aws","service":"KMS"}},{"type":"rules","id":"KMS-004","attributes":{"title":"KMS Customer Master Key Pending Deletion","description":"Ensure KMS Customer Master Keys aren't scheduled for deletion","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"KMS"}},{"type":"rules","id":"KMS-005","attributes":{"title":"Key Exposed","description":"Ensure Amazon KMS master keys aren't exposed to everyone","compliances":["GDPR","AWAF-2025","AWAF-AI-2025","AWAF-ML-2025","AWS-SRA","AWS-SRA-AI","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"KMS"}},{"type":"rules","id":"KMS-006","attributes":{"title":"KMS Cross Account Access","description":"Ensure Amazon KMS master keys don't allow unknown cross account access","compliances":["AWAF-2025","AWAF-AI-2025","AWAF-ML-2025","AWS-SRA","AWS-SRA-AI","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"KMS"}},{"type":"rules","id":"SNS-001","attributes":{"title":"SNS Topic Exposed","description":"Ensure SNS topics aren't exposed to 
everyone","compliances":["GDPR","AWAF-2025","CIS-V8","CIS-V8_1","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"SNS"}},{"type":"rules","id":"SNS-002","attributes":{"title":"SNS Cross Account Access","description":"Ensure Amazon SNS topics don't allow unknown cross account access","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"SNS"}},{"type":"rules","id":"SNS-003","attributes":{"title":"AWS SNS Appropriate Subscribers","description":"Ensure appropriate subscribers to each SNS topic","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"aws","service":"SNS"}},{"type":"rules","id":"SNS-004","attributes":{"title":"SNS Topic Accessible For Publishing","description":"Ensure SNS topics don't allow 'Everyone' to publish","compliances":["GDPR","AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","LGPD"],"provider":"aws","service":"SNS"}},{"type":"rules","id":"SNS-005","attributes":{"title":"SNS Topic Accessible For Subscription","description":"Ensure SNS topics don't allow 'Everyone' to subscribe","compliances":["GDPR","AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","LGPD"],"provider":"aws","service":"SNS"}},{"type":"rules","id":"SNS-006","attributes":{"title":"SNS Topic Encrypted","description":"Enable 
Server-Side Encryption for AWS SNS Topics","compliances":["GDPR","AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"SNS"}},{"type":"rules","id":"SNS-007","attributes":{"title":"SNS Topic Encrypted With KMS Customer Master Keys","description":"Ensure that Amazon SNS topics are encrypted with KMS Customer Master Keys","compliances":["GDPR","AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"SNS"}},{"type":"rules","id":"SQS-001","attributes":{"title":"SQS Queue Exposed","description":"Ensure SQS queues aren't exposed to everyone","compliances":["GDPR","AWAF-2025","CIS-V8","CIS-V8_1","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"SQS"}},{"type":"rules","id":"SQS-002","attributes":{"title":"SQS Cross Account Access","description":"Ensure SQS queues don't allow unknown cross account access","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"SQS"}},{"type":"rules","id":"SQS-003","attributes":{"title":"Queue Unprocessed Messages","description":"Ensure SQS queues aren't holding a high number of unprocessed messages due to unresponsive or incapacitated 
consumers","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HITRUST","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"aws","service":"SQS"}},{"type":"rules","id":"SQS-004","attributes":{"title":"Queue Server Side Encryption","description":"Ensure Amazon SQS queues enforce Server-Side Encryption","compliances":["GDPR","AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"SQS"}},{"type":"rules","id":"SQS-005","attributes":{"title":"SQS Encrypted With KMS Customer Master Keys","description":"Ensure SQS queues are encrypted with KMS CMKs to gain full control over data encryption and decryption","compliances":["GDPR","AWAF-2025","AWS-SRA","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"SQS"}},{"type":"rules","id":"SQS-006","attributes":{"title":"SQS Dead Letter Queue","description":"Ensure Dead Letter Queue (DLQ) is configured for SQS queue","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HITRUST","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"aws","service":"SQS"}},{"type":"rules","id":"CFM-001","attributes":{"title":"CloudFormation Stack Notification","description":"Ensure CloudFormation stacks are integrated with SNS to receive notifications about stack 
events","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"CloudFormation"}},{"type":"rules","id":"CFM-004","attributes":{"title":"CloudFormation Stack Failed Status","description":"Ensure AWS CloudFormation stacks aren't in 'Failed' mode for more than 6 hours","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HITRUST","PCI","PCI-V4","APRA","MAS","NIS-2","FISC-V12"],"provider":"aws","service":"CloudFormation"}},{"type":"rules","id":"CFM-005","attributes":{"title":"CloudFormation Stack Termination Protection","description":"Ensure Termination Protection feature is enabled for your AWS CloudFormation stacks","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI-V4","APRA","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"CloudFormation"}},{"type":"rules","id":"ASG-001","attributes":{"title":"Auto Scaling Group Health Check","description":"Ensure ELB health check is enabled if Elastic Load Balancing is being used for an Auto Scaling group. 
Ensure EC2 health check is enabled if Elastic Load Balancing isn't being used for an Auto Scaling group","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"AutoScaling"}},{"type":"rules","id":"ASG-005","attributes":{"title":"Auto Scaling Group Notifications","description":"Ensure notifications are enabled for ASGs to receive additional information about scaling operations","compliances":["AWAF-2025","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI-V4","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"AutoScaling"}},{"type":"rules","id":"ASG-006","attributes":{"title":"Launch Configuration Referencing Missing AMI","description":"Ensure AWS Launch Configurations are utilizing active Amazon Machine Images","compliances":["AWAF-2025","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI-V4","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"aws","service":"AutoScaling"}},{"type":"rules","id":"ASG-007","attributes":{"title":"Auto Scaling Group Referencing Missing ELB","description":"Ensure Amazon Auto Scaling Groups are utilizing active Elastic Load Balancers","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"aws","service":"AutoScaling"}},{"type":"rules","id":"ASG-008","attributes":{"title":"Launch Configuration Referencing Missing Security Groups","description":"Ensure AWS Launch Configurations are utilizing active Security 
Groups","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"aws","service":"AutoScaling"}},{"type":"rules","id":"ASG-009","attributes":{"title":"Auto Scaling Group Cooldown Period","description":"Ensure Amazon Auto Scaling Groups are utilizing cooldown periods","compliances":["AWAF-2025","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI-V4","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"AutoScaling"}},{"type":"rules","id":"ASG-010","attributes":{"title":"Multi-AZ Auto Scaling Groups","description":"Ensure AWS Auto Scaling Groups utilize multiple Availability Zones to improve environment reliability","compliances":["AWAF-2025","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI-V4","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"AutoScaling"}},{"type":"rules","id":"ASG-012","attributes":{"title":"Auto Scaling Group associated ELB","description":"Ensure that each Auto Scaling Group (ASG) has an associated Elastic Load Balancer (ELB) in order to maintain the availability of the EC2 compute resources in the event of a failure and provide an evenly distributed application load","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"AutoScaling"}},{"type":"rules","id":"ASG-013","attributes":{"title":"Web-Tier Auto Scaling Group associated ELB","description":"Ensure that each web-tier Auto Scaling Group (ASG) has an associated Elastic Load Balancer (ELB) in order to maintain the availability of the EC2 compute resources in the event of a failure and provide an evenly 
distributed application load","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"aws","service":"AutoScaling"}},{"type":"rules","id":"ASG-014","attributes":{"title":"App-Tier Auto Scaling Group associated ELB","description":"Ensure that each app-tier Auto Scaling Group (ASG) has an associated Elastic Load Balancer (ELB) in order to maintain the availability of the EC2 compute resources in the event of a failure and provide an evenly distributed application load","compliances":["AWAF-2025","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI-V4","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"aws","service":"AutoScaling"}},{"type":"rules","id":"RS-001","attributes":{"title":"Redshift Cluster Publicly Accessible","description":"Ensure Redshift clusters aren't publicly accessible to minimise security risks","compliances":["GDPR","AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"Redshift"}},{"type":"rules","id":"RS-002","attributes":{"title":"Redshift Cluster Encrypted","description":"Ensure encryption is set up for Redshift clusters to fulfill compliance requirements for data-at-rest encryption","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"Redshift"}},{"type":"rules","id":"RS-003","attributes":{"title":"Redshift Cluster Encrypted With KMS Customer Master Keys","description":"Ensure Redshift clusters are encrypted with CMKs to have full control over 
encrypting and decrypting data","compliances":["GDPR","AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"Redshift"}},{"type":"rules","id":"RS-005","attributes":{"title":"Redshift Cluster Allow Version Upgrade","description":"Ensure Version Upgrade is enabled for Redshift clusters to automatically receive upgrades during the maintenance window","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"aws","service":"Redshift"}},{"type":"rules","id":"RS-006","attributes":{"title":"Redshift Cluster Audit Logging Enabled","description":"Ensure audit logging is enabled for Redshift clusters for security and troubleshooting purposes","compliances":["GDPR","AWAF-2025","AWAF-ML-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"Redshift"}},{"type":"rules","id":"RS-007","attributes":{"title":"Redshift Parameter Group Require SSL","description":"Ensure that all the parameter groups associated with your Amazon Redshift clusters have the require_ssl parameter enabled","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"Redshift"}},{"type":"rules","id":"RS-008","attributes":{"title":"Redshift Instance Generation","description":"Ensure Redshift clusters are using the latest generation of nodes for cost and performance 
improvements","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","NIST-CSF","NIST-CSF-2_0","ISO27001-2022","HITRUST","ASAE-3150","PCI-V4","FEDRAMP","MAS","NIS-2","ISMS-P"],"provider":"aws","service":"Redshift"}},{"type":"rules","id":"RS-017","attributes":{"title":"Redshift Cluster Default Port","description":"Ensure Amazon Redshift clusters aren't using port 5439 (default port) for database access","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"Redshift"}},{"type":"rules","id":"RS-018","attributes":{"title":"Redshift Cluster Default Master Username","description":"Ensure AWS Redshift database clusters aren't using 'awsuser' (default master username) for database access","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"Redshift"}},{"type":"rules","id":"RS-019","attributes":{"title":"Redshift Automated Snapshot Retention Period","description":"Ensure that retention period is enabled for Amazon Redshift automated snapshots","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"Redshift"}},{"type":"rules","id":"RS-022","attributes":{"title":"Redshift Desired Node Type","description":"Ensure that your AWS Redshift cluster nodes are of given types","compliances":["AWAF-2025","NIST5","NIST-CSF-2_0","HITRUST","MAS","FISC-V12"],"provider":"aws","service":"Redshift"}},{"type":"rules","id":"RS-023","attributes":{"title":"Enable Redshift User Activity 
Logging","description":"Ensure that user activity logging is enabled for Redshift clusters","compliances":["GDPR","AWAF-2025","AWAF-ML-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"Redshift"}},{"type":"rules","id":"RG-001","attributes":{"title":"Tags","description":"Use tags metadata for identifying and organizing your AWS resources by purpose, owner, environment, or other criteria","compliances":["AWAF-2025","AWAF-ML-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HITRUST","ASAE-3150","PCI-V4","FEDRAMP","MAS","NIS-2","ISMS-P"],"provider":"aws","service":"ResourceGroup"}},{"type":"rules","id":"DynamoDB-003","attributes":{"title":"DynamoDB Continuous Backups","description":"Enable DynamoDB Continuous Backups","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"DynamoDB"}},{"type":"rules","id":"DynamoDB-004","attributes":{"title":"Enable Encryption at Rest with Amazon KMS Keys","description":"Use KMS keys for encryption at rest in Amazon DynamoDB","compliances":["GDPR","AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"DynamoDB"}},{"type":"rules","id":"DynamoDB-006","attributes":{"title":"Enable Deletion Protection","description":"Ensure that Deletion Protection feature is enabled for your Amazon DynamoDB 
tables","compliances":[],"provider":"aws","service":"DynamoDB"}},{"type":"rules","id":"DynamoDB-007","attributes":{"title":"Configure DynamoDB Table Class for Cost Optimization","description":"Use Amazon DynamoDB Standard-IA table class for cost optimization","compliances":[],"provider":"aws","service":"DynamoDB"}},{"type":"rules","id":"EC-001","attributes":{"title":"ElastiCache Instance Generation","description":"Ensure ElastiCache clusters are using the latest generation of nodes for cost and performance improvements","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","NIST-CSF","NIST-CSF-2_0","ISO27001-2022","HITRUST","ASAE-3150","PCI-V4","FEDRAMP","MAS","NIS-2","ISMS-P"],"provider":"aws","service":"ElastiCache"}},{"type":"rules","id":"EC-011","attributes":{"title":"ElastiCache Desired Node Type","description":"Ensure that all your Amazon ElastiCache cluster cache nodes are of given types","compliances":["AWAF-2025","NIST5","NIST-CSF-2_0","HITRUST","MAS","FISC-V12"],"provider":"aws","service":"ElastiCache"}},{"type":"rules","id":"EC-012","attributes":{"title":"ElastiCache Cluster Default Port","description":"Ensure that AWS ElastiCache clusters aren't using their default endpoint ports","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"aws","service":"ElastiCache"}},{"type":"rules","id":"EC-013","attributes":{"title":"ElastiCache Engine Version","description":"Ensure that your Amazon ElastiCache clusters are using the stable latest version of Redis/Memcached/Valkey cache 
engine","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"ElastiCache"}},{"type":"rules","id":"EC-014","attributes":{"title":"ElastiCache Redis In-Transit and At-Rest Encryption","description":"Ensure that your AWS ElastiCache Redis clusters are encrypted in order to meet security and compliance requirements","compliances":["GDPR","AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"ElastiCache"}},{"type":"rules","id":"ES-001","attributes":{"title":"OpenSearch General Purpose SSD","description":"Ensure OpenSearch nodes are using General Purpose SSD storage instead of Provisioned IOPS SSD storage to optimize the service costs","compliances":["AWAF-2025","NIST5","NIST-CSF-2_0","MAS","ISMS-P"],"provider":"aws","service":"Elasticsearch"}},{"type":"rules","id":"ES-002","attributes":{"title":"OpenSearch Zone Awareness Enabled","description":"Ensure high availability for your Amazon OpenSearch clusters by enabling the Zone Awareness feature","compliances":["AWAF-2025","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI-V4","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"aws","service":"Elasticsearch"}},{"type":"rules","id":"ES-003","attributes":{"title":"OpenSearch Domain Exposed","description":"Ensure Amazon OpenSearch domains aren't exposed to 
everyone","compliances":["GDPR","AWAF-2025","CIS-V8","CIS-V8_1","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"Elasticsearch"}},{"type":"rules","id":"ES-004","attributes":{"title":"OpenSearch Dedicated Master Enabled","description":"Ensure Amazon OpenSearch clusters are using dedicated master nodes to increase the production environment stability","compliances":["AWAF-2025","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI-V4","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"aws","service":"Elasticsearch"}},{"type":"rules","id":"ES-005","attributes":{"title":"OpenSearch Cross Account Access","description":"Ensure Amazon OpenSearch clusters don't allow unknown cross account access","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"Elasticsearch"}},{"type":"rules","id":"ES-006","attributes":{"title":"OpenSearch Accessible Only From Safelisted IP Addresses","description":"Ensure only safelisted IP addresses can access your Amazon OpenSearch domains","compliances":["AWAF-2025","AWAF-ML-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"Elasticsearch"}},{"type":"rules","id":"ES-007","attributes":{"title":"OpenSearch Version","description":"Ensure that you always use the latest version of OpenSearch engine for your AWS OpenSearch 
domains","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"Elasticsearch"}},{"type":"rules","id":"ES-009","attributes":{"title":"OpenSearch Desired Instance Type(s)","description":"Ensure that Amazon OpenSearch cluster instances are of given instance type","compliances":["AWAF-2025","NIST5","NIST-CSF-2_0","HITRUST","MAS","FISC-V12"],"provider":"aws","service":"Elasticsearch"}},{"type":"rules","id":"ES-010","attributes":{"title":"OpenSearch Domain In VPC","description":"Ensure that your Amazon OpenSearch domains are accessible only from AWS VPCs","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"Elasticsearch"}},{"type":"rules","id":"ES-011","attributes":{"title":"AWS OpenSearch Slow Logs","description":"Ensure that your AWS OpenSearch domains publish slow logs to AWS CloudWatch Logs","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"Elasticsearch"}},{"type":"rules","id":"ES-012","attributes":{"title":"Encryption At Rest","description":"Ensure that your Amazon OpenSearch domains are encrypted in order to meet security and compliance 
requirements","compliances":["GDPR","AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"Elasticsearch"}},{"type":"rules","id":"ES-013","attributes":{"title":"OpenSearch Domains Encrypted with KMS CMKs","description":"Ensure that OpenSearch domains are encrypted with KMS Customer Master Keys (CMKs)","compliances":["GDPR","AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"Elasticsearch"}},{"type":"rules","id":"ES-015","attributes":{"title":"OpenSearch Node To Node Encryption","description":"Ensure that your Amazon OpenSearch clusters are using node to node encryption in order to meet security and compliance requirements","compliances":["GDPR","AWAF-2025","AWAF-ML-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"Elasticsearch"}},{"type":"rules","id":"WS-001","attributes":{"title":"Unused WorkSpaces","description":"Identify and remove any unused WorkSpaces to lower the cost of your monthly AWS bill","compliances":["AWAF-2025","AWAF-ML-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","NIST-CSF","NIST-CSF-2_0","ISO27001","AGISM-2024","PCI","PCI-V4","APRA","FEDRAMP","MAS"],"provider":"aws","service":"WorkSpaces"}},{"type":"rules","id":"WS-002","attributes":{"title":"WorkSpaces Operational State","description":"Ensure that your Amazon WorkSpaces instances are 
healthy","compliances":["AWAF-2025","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI-V4","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"aws","service":"WorkSpaces"}},{"type":"rules","id":"WS-004","attributes":{"title":"WorkSpaces Desired Bundle Type","description":"Ensure that all your Amazon WorkSpaces bundles are of given types","compliances":["AWAF-2025","NIST5","NIST-CSF-2_0","HITRUST","MAS","FISC-V12"],"provider":"aws","service":"WorkSpaces"}},{"type":"rules","id":"WS-005","attributes":{"title":"WorkSpaces Storage Encryption","description":"Ensure that your Amazon WorkSpaces storage volumes are encrypted in order to meet security and compliance requirements","compliances":["GDPR","AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"WorkSpaces"}},{"type":"rules","id":"EMR-001","attributes":{"title":"AWS EMR Instance Type Generation","description":"Ensure AWS EMR clusters are using the latest generation of instances for performance and cost optimization","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","NIST-CSF","NIST-CSF-2_0","ISO27001-2022","HITRUST","ASAE-3150","PCI-V4","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"EMR"}},{"type":"rules","id":"EMR-002","attributes":{"title":"EMR Cluster Logging","description":"Ensure AWS Elastic MapReduce clusters capture detailed log data to Amazon S3","compliances":["GDPR","AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"EMR"}},{"type":"rules","id":"EMR-004","attributes":{"title":"EMR Desired Instance Type","description":"Ensure 
that all your Amazon EMR cluster instances are of given instance types","compliances":["AWAF-2025","NIST5","NIST-CSF-2_0","HITRUST","MAS"],"provider":"aws","service":"EMR"}},{"type":"rules","id":"EMR-005","attributes":{"title":"Cluster In VPC","description":"Ensure that your Amazon Elastic MapReduce clusters are provisioned using the AWS EC2-VPC platform instead of EC2-Classic platform","compliances":["AWAF-2025","AWAF-ML-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"EMR"}},{"type":"rules","id":"EMR-006","attributes":{"title":"EMR In-Transit and At-Rest Encryption","description":"Ensure that your AWS Elastic MapReduce clusters are encrypted in order to meet security and compliance requirements","compliances":["GDPR","AWAF-2025","AWAF-ML-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"EMR"}},{"type":"rules","id":"Lambda-001","attributes":{"title":"Lambda Using Latest Runtime Environment","description":"Ensure that the latest version of the runtime environment is used for your AWS Lambda functions","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"Lambda"}},{"type":"rules","id":"Lambda-002","attributes":{"title":"Lambda Cross Account Access","description":"Ensure AWS Lambda functions don't allow unknown cross account access via permission 
policies","compliances":["AWAF-2025","AWAF-AI-2025","AWAF-ML-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"Lambda"}},{"type":"rules","id":"Lambda-003","attributes":{"title":"Tracing Enabled","description":"Ensure that tracing (Lambda support for Amazon X-Ray service) is enabled for your AWS Lambda functions","compliances":["AWAF-2025","AWAF-AI-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"Lambda"}},{"type":"rules","id":"Lambda-004","attributes":{"title":"Function Exposed","description":"Ensure that your Amazon Lambda functions aren't exposed to everyone","compliances":["GDPR","AWAF-2025","AWAF-ML-2025","CIS-V8","CIS-V8_1","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"Lambda"}},{"type":"rules","id":"Lambda-007","attributes":{"title":"VPC Access for AWS Lambda Functions","description":"Ensure that your Amazon Lambda functions have access to VPC-only resources","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"aws","service":"Lambda"}},{"type":"rules","id":"Lambda-009","attributes":{"title":"Enable Encryption at Rest for Environment Variables using Customer Master Keys","description":"Ensure that Lambda environment variables are encrypted at rest with Customer Master Keys (CMKs) to gain full control over data 
encryption/decryption","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"Lambda"}},{"type":"rules","id":"Lambda-010","attributes":{"title":"Enable IAM Authentication for Lambda Function URLs","description":"Ensure that IAM authorization is enabled for your Lambda function URLs","compliances":["AWAF-2025","AWAF-ML-2025","NIST-CSF-2_0","AGISM-2024","HITRUST","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"Lambda"}},{"type":"rules","id":"Lambda-011","attributes":{"title":"Check Lambda Function URL Not in Use","description":"Check your Amazon Lambda functions are not using function URLs","compliances":["NIST-CSF-2_0","AGISM-2024","NIS-2","FISC-V12"],"provider":"aws","service":"Lambda"}},{"type":"rules","id":"Lambda-012","attributes":{"title":"Lambda Using Supported Runtime Environment","description":"Ensure that the version of the runtime environment used by AWS Lambda functions is currently supported","compliances":["AWAF-2025","NIST-CSF-2_0","AGISM-2024","HITRUST","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"Lambda"}},{"type":"rules","id":"Kinesis-001","attributes":{"title":"Kinesis Server Side Encryption","description":"Ensure Amazon Kinesis streams enforce Server-Side Encryption (SSE)","compliances":["GDPR","AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"Kinesis"}},{"type":"rules","id":"Kinesis-002","attributes":{"title":"Kinesis Stream Encrypted With CMK","description":"Ensure AWS Kinesis streams are encrypted with KMS Customer Master Keys for complete control over data encryption and 
decryption","compliances":["GDPR","AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"Kinesis"}},{"type":"rules","id":"EFS-001","attributes":{"title":"EFS Encryption Enabled","description":"Ensure encryption is enabled for AWS EFS file systems to protect your data at rest","compliances":["GDPR","AWAF-2025","CISAWSF-3_0","CISAWSF-4_0_1","CISAWSF-5_0","CISAWSF-6_0","CISAWSF-7_0","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"EFS"}},{"type":"rules","id":"EFS-002","attributes":{"title":"AWS KMS Customer Master Keys for EFS Encryption","description":"Ensure EFS file systems are encrypted with KMS Customer Master Keys (CMKs) in order to have full control over data encryption and decryption","compliances":["GDPR","AWAF-2025","CISAWSF-3_0","CISAWSF-4_0_1","CISAWSF-5_0","CISAWSF-6_0","CISAWSF-7_0","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"EFS"}},{"type":"rules","id":"ELBv2-001","attributes":{"title":"ELBv2 Elastic Load Balancing Deletion Protection","description":"Ensure ELBv2 Load Balancers have Deletion Protection feature enabled in order to protect them from being accidentally deleted","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"aws","service":"ELBv2"}},{"type":"rules","id":"ELBv2-002","attributes":{"title":"ELBv2 Access 
Log","description":"Ensure that Amazon ALBs have Access Logging feature enabled for security, troubleshooting and statistical analysis purposes","compliances":["GDPR","AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"ELBv2"}},{"type":"rules","id":"ELBv2-003","attributes":{"title":"ELBv2 ALB Security Policy","description":"Ensure that Amazon ALBs are using the latest predefined security policy for their SSL negotiation configuration in order to follow security best practices and protect their front-end connections against SSL/TLS vulnerabilities","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"ELBv2"}},{"type":"rules","id":"ELBv2-005","attributes":{"title":"ELBv2 ALB Listener Security","description":"Ensure ELBv2 ALBs are using a secure protocol","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"ELBv2"}},{"type":"rules","id":"ELBv2-006","attributes":{"title":"ELBv2 ALB Security Group","description":"Ensure ELBv2 load balancers have secure and valid security groups","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"ELBv2"}},{"type":"rules","id":"ELBv2-007","attributes":{"title":"Internet Facing ELBv2 Load Balancers","description":"Ensure Amazon internet-facing ELBv2 
Load Balancers are regularly reviewed for security purposes","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"ELBv2"}},{"type":"rules","id":"ELBv2-009","attributes":{"title":"Network Load Balancer Security Policy","description":"Ensure Amazon Network Load Balancers (NLBs) are using the latest recommended predefined security policy for TLS negotiation configuration","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"ELBv2"}},{"type":"rules","id":"ELBv2-010","attributes":{"title":"ELBv2 NLB Listener Security","description":"Ensure that your AWS Network Load Balancer listeners are using a secure protocol such as TLS","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"ELBv2"}},{"type":"rules","id":"ELBv2-011","attributes":{"title":"Enable HTTP to HTTPS Redirect for Application Load Balancers","description":"Ensure that your Application Load Balancers have a rule that redirects HTTP traffic to HTTPS","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"ELBv2"}},{"type":"rules","id":"AG-001","attributes":{"title":"APIs CloudWatch Logs","description":"Ensure that AWS CloudWatch logs are enabled for all your APIs created with Amazon API Gateway service in order to track and analyze execution 
behavior at the API stage level","compliances":["GDPR","AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"APIGateway"}},{"type":"rules","id":"AG-002","attributes":{"title":"APIs Detailed CloudWatch Metrics","description":"Ensure that detailed CloudWatch metrics are enabled for all APIs created with AWS API Gateway service in order to monitor API stages caching, latency and detected errors at a more granular level and set alarms accordingly","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"APIGateway"}},{"type":"rules","id":"AG-003","attributes":{"title":"Tracing Enabled","description":"Ensure that tracing is enabled for all stages in all APIs created with AWS API Gateway service in order to analyze latencies in APIs and their backend services","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"APIGateway"}},{"type":"rules","id":"AG-004","attributes":{"title":"Content Encoding","description":"Ensure Content Encoding is enabled for your APIs","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2"],"provider":"aws","service":"APIGateway"}},{"type":"rules","id":"AG-005","attributes":{"title":"Private Endpoint","description":"Ensure Amazon API Gateway APIs are only accessible through private API 
endpoints","compliances":["AWAF-2025","AWAF-ML-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"APIGateway"}},{"type":"rules","id":"AG-006","attributes":{"title":"Client Certificate","description":"Enable SSL Client Certificate","compliances":["AWAF-2025","AWAF-ML-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"APIGateway"}},{"type":"rules","id":"AG-007","attributes":{"title":"API Gateway Integrated With AWS WAF","description":"Ensure that AWS Web Application Firewall (WAF) is integrated with Amazon API Gateway","compliances":["AWAF-2025","AWAF-ML-2025","AWS-SRA","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"APIGateway"}},{"type":"rules","id":"AG-008","attributes":{"title":"Rotate Expiring SSL Client Certificates","description":"Ensure that SSL client certificates associated with API Gateway APIs are rotated every 365 days","compliances":["AWAF-2025","CIS-V8","CIS-V8_1","NIST4","NIST5","SOC2","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"APIGateway"}},{"type":"rules","id":"Bedrock-012","attributes":{"title":"Configure Permissions Boundaries for IAM Identities used by Amazon Bedrock","description":"For enhanced security, ensure that permissions boundaries are set for IAM identities used by Amazon 
Bedrock","compliances":["AWAF-ML-2025","AWS-SRA","AWS-SRA-AI","CIS-V8_1"],"provider":"aws","service":"Bedrock"}},{"type":"rules","id":"Bedrock-013","attributes":{"title":"Check for Missing Model Customization Job Security Groups","description":"Ensure that Bedrock model customization jobs are referencing active (available) VPC security groups","compliances":["AWAF-AI-2025","AWAF-ML-2025","AWS-SRA-AI"],"provider":"aws","service":"Bedrock"}},{"type":"rules","id":"BedrockAgentCore-003","attributes":{"title":"Cross-Service Confused Deputy Prevention for AgentCore","description":"Ensure that IAM role trust policies used by Amazon Bedrock AgentCore include aws:SourceArn and aws:SourceAccount condition keys to prevent cross-service confused deputy attacks","compliances":["CIS-V8_1"],"provider":"aws","service":"BedrockAgentCore"}}]}