From 6d7f49fd45dc2a4c8010c3716773fb0af09683ee Mon Sep 17 00:00:00 2001
From: GitHub Actions
Date: Wed, 27 Sep 2023 05:25:56 +0000
Subject: [PATCH] Dump controls

---
 security-hub-controls.jsonl | 28 ++++++++++++++--------------
 1 file changed, 14 insertions(+), 14 deletions(-)

diff --git a/security-hub-controls.jsonl b/security-hub-controls.jsonl
index fbe90d1..889381c 100644
--- a/security-hub-controls.jsonl
+++ b/security-hub-controls.jsonl
@@ -1,6 +1,6 @@
-{"Id":"Account.1","Title":"Security contact information should be provided for an AWS account","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Periodic"}
+{"Id":"Account.1","Title":"Security contact information should be provided for an AWS account","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 5","Service-Managed Standard: AWS Control Tower"],"Severity":"MEDIUM","ScheduleType":"Periodic"}
 {"Id":"Account.2","Title":"AWS account should be part of an AWS Organizations organization","ApplicableStandards":["NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Periodic"}
-{"Id":"ACM.1","Title":"Imported and ACM-issued certificates should be renewed after a specified time period","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered and periodic"}
+{"Id":"ACM.1","Title":"Imported and ACM-issued certificates should be renewed after a specified time period","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 5","Service-Managed Standard: AWS Control Tower"],"Severity":"MEDIUM","ScheduleType":"Change triggered and periodic"}
 {"Id":"ACM.2","Title":"RSA certificates managed by ACM should use a key length of at least 2,048 bits","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0"],"Severity":"HIGH","ScheduleType":"Change triggered"}
 {"Id":"APIGateway.1","Title":"API Gateway REST and WebSocket API execution logging should be enabled","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 
5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"}
 {"Id":"APIGateway.2","Title":"API Gateway REST API stages should be configured to use SSL certificates for backend authentication","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"}
@@ -10,7 +10,7 @@
 {"Id":"APIGateway.8","Title":"API Gateway routes should specify an authorization type","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Periodic"}
 {"Id":"APIGateway.9","Title":"Access logging should be configured for API Gateway V2 Stages","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"}
 {"Id":"AppSync.2","Title":"AWS AppSync should have request-level and field-level logging turned on","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0"],"Severity":"MEDIUM","ScheduleType":"Change triggered"}
-{"Id":"Athena.1","Title":"Athena workgroups should be encrypted at rest","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0"],"Severity":"MEDIUM","ScheduleType":"Change triggered"}
+{"Id":"Athena.1","Title":"Athena workgroups should be encrypted at rest","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower"],"Severity":"MEDIUM","ScheduleType":"Change triggered"}
 {"Id":"AutoScaling.1","Title":"Auto scaling groups associated with a Classic Load Balancer should use load balancer health checks","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","PCI DSS v3.2.1","NIST SP 800-53 Rev. 5"],"Severity":"LOW","ScheduleType":"Change triggered"}
 {"Id":"AutoScaling.2","Title":"Amazon EC2 Auto Scaling group should cover multiple Availability Zones","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 
5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"}
 {"Id":"AutoScaling.3","Title":"Auto Scaling group launch configurations should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2)","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Change triggered"}
@@ -62,8 +62,8 @@
 {"Id":"CodeBuild.5","Title":"CodeBuild project environments should not have privileged mode enabled","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Change triggered"}
 {"Id":"Config.1","Title":"AWS Config should be enabled","ApplicableStandards":["CIS AWS Foundations Benchmark v1.2.0","AWS Foundational Security Best Practices v1.0.0","PCI DSS v3.2.1","CIS AWS Foundations Benchmark v1.4.0","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Periodic"}
 {"Id":"DMS.1","Title":"Database Migration Service replication instances should not be public","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","PCI DSS v3.2.1","NIST SP 800-53 Rev. 5"],"Severity":"CRITICAL","ScheduleType":"Periodic"}
-{"Id":"DocumentDB.1","Title":"Amazon DocumentDB clusters should be encrypted at rest","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 5"],"Severity":"Medium","ScheduleType":"Change triggered"}
-{"Id":"DocumentDB.2","Title":"Amazon DocumentDB clusters should have an adequate backup retention period","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 5"],"Severity":"Medium","ScheduleType":"Change triggered"}
+{"Id":"DocumentDB.1","Title":"Amazon DocumentDB clusters should be encrypted at rest","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 5","Service-Managed Standard: AWS Control Tower"],"Severity":"Medium","ScheduleType":"Change triggered"}
+{"Id":"DocumentDB.2","Title":"Amazon DocumentDB clusters should have an adequate backup retention period","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 
5","Service-Managed Standard: AWS Control Tower"],"Severity":"Medium","ScheduleType":"Change triggered"}
 {"Id":"DynamoDB.1","Title":"DynamoDB tables should automatically scale capacity with demand","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Periodic"}
 {"Id":"DynamoDB.2","Title":"DynamoDB tables should have point-in-time recovery enabled","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"}
 {"Id":"DynamoDB.3","Title":"DynamoDB Accelerator (DAX) clusters should be encrypted at rest","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Periodic"}
@@ -175,14 +175,14 @@
 {"Id":"Lambda.2","Title":"Lambda functions should use supported runtimes","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"}
 {"Id":"Lambda.3","Title":"Lambda functions should be in a VPC","ApplicableStandards":["PCI DSS v3.2.1","NIST SP 800-53 Rev. 5"],"Severity":"LOW","ScheduleType":"Change triggered"}
 {"Id":"Lambda.5","Title":"VPC Lambda functions should operate in more than one Availability Zone","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"}
-{"Id":"Neptune.1","Title":"Neptune DB clusters should be encrypted at rest","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Periodic"}
-{"Id":"Neptune.2","Title":"Neptune DB clusters should publish audit logs to CloudWatch Logs","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Periodic"}
-{"Id":"Neptune.3","Title":"Neptune DB cluster snapshots should not be public","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 5"],"Severity":"CRITICAL","ScheduleType":"Change triggered"}
-{"Id":"Neptune.4","Title":"Neptune DB clusters should have deletion protection enabled","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 5"],"Severity":"Low","ScheduleType":"Change triggered"}
-{"Id":"Neptune.5","Title":"Neptune DB clusters should have automated backups enabled","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 
5"],"Severity":"Medium","ScheduleType":"Change triggered"}
-{"Id":"Neptune.6","Title":"Neptune DB cluster snapshots should be encrypted at rest","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 5"],"Severity":"Medium","ScheduleType":"Change triggered"}
-{"Id":"Neptune.7","Title":"Neptune DB clusters should have IAM database authentication enabled","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 5"],"Severity":"Medium","ScheduleType":"Change triggered"}
-{"Id":"Neptune.8","Title":"Neptune DB clusters should be configured to copy tags to snapshots","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 5"],"Severity":"Low","ScheduleType":"Change triggered"}
+{"Id":"Neptune.1","Title":"Neptune DB clusters should be encrypted at rest","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 5","Service-Managed Standard: AWS Control Tower"],"Severity":"MEDIUM","ScheduleType":"Periodic"}
+{"Id":"Neptune.2","Title":"Neptune DB clusters should publish audit logs to CloudWatch Logs","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 5","Service-Managed Standard: AWS Control Tower"],"Severity":"MEDIUM","ScheduleType":"Periodic"}
+{"Id":"Neptune.3","Title":"Neptune DB cluster snapshots should not be public","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 5","Service-Managed Standard: AWS Control Tower"],"Severity":"CRITICAL","ScheduleType":"Change triggered"}
+{"Id":"Neptune.4","Title":"Neptune DB clusters should have deletion protection enabled","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 
5","Service-Managed Standard: AWS Control Tower"],"Severity":"Low","ScheduleType":"Change triggered"}
+{"Id":"Neptune.5","Title":"Neptune DB clusters should have automated backups enabled","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 5","Service-Managed Standard: AWS Control Tower"],"Severity":"Medium","ScheduleType":"Change triggered"}
+{"Id":"Neptune.6","Title":"Neptune DB cluster snapshots should be encrypted at rest","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 5","Service-Managed Standard: AWS Control Tower"],"Severity":"Medium","ScheduleType":"Change triggered"}
+{"Id":"Neptune.7","Title":"Neptune DB clusters should have IAM database authentication enabled","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 5","Service-Managed Standard: AWS Control Tower"],"Severity":"Medium","ScheduleType":"Change triggered"}
+{"Id":"Neptune.8","Title":"Neptune DB clusters should be configured to copy tags to snapshots","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 5","Service-Managed Standard: AWS Control Tower"],"Severity":"Low","ScheduleType":"Change triggered"}
 {"Id":"NetworkFirewall.3","Title":"Network Firewall policies should have at least one rule group associated","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"}
 {"Id":"NetworkFirewall.4","Title":"The default stateless action for Network Firewall policies should be drop or forward for full packets","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 
5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"}
 {"Id":"NetworkFirewall.5","Title":"The default stateless action for Network Firewall policies should be drop or forward for fragmented packets","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"}
@@ -221,7 +221,7 @@
 {"Id":"RDS.24","Title":"RDS Database Clusters should use a custom administrator username","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"}
 {"Id":"RDS.25","Title":"RDS database instances should use a custom administrator username","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"}
 {"Id":"RDS.26","Title":"RDS DB instances should be protected by a backup plan","ApplicableStandards":["NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Periodic"}
-{"Id":"RDS.27","Title":"RDS DB clusters should be encrypted at rest","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"}
+{"Id":"RDS.27","Title":"RDS DB clusters should be encrypted at rest","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 5","Service-Managed Standard: AWS Control Tower"],"Severity":"MEDIUM","ScheduleType":"Change triggered"}
 {"Id":"Redshift.1","Title":"Amazon Redshift clusters should prohibit public access","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","PCI DSS v3.2.1","NIST SP 800-53 Rev. 5"],"Severity":"CRITICAL","ScheduleType":"Change triggered"}
 {"Id":"Redshift.2","Title":"Connections to Amazon Redshift clusters should be encrypted in transit","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 
5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"}
 {"Id":"Redshift.3","Title":"Amazon Redshift clusters should have automatic snapshots enabled","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"}