From c686ae30b7b21f104f9f43d150c9962dd2c2b2cf Mon Sep 17 00:00:00 2001
From: GitHub Actions
Date: Tue, 20 Jun 2023 10:40:08 +0000
Subject: [PATCH] Dump controls

---
 security-hub-controls.jsonl | 522 ++++++++++++++++++------------------
 1 file changed, 261 insertions(+), 261 deletions(-)

diff --git a/security-hub-controls.jsonl b/security-hub-controls.jsonl
index 932f79a..811dc23 100644
--- a/security-hub-controls.jsonl
+++ b/security-hub-controls.jsonl
@@ -1,261 +1,261 @@
-{"Id":"Account.1","Title":"Security contact information should be provided for an AWS account","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Periodic"}
-{"Id":"Account.2","Title":"AWS account should be part of an AWS Organizations organization","LinkedStandards":["NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Periodic"}
-{"Id":"ACM.1","Title":"Imported and ACM-issued certificates should be renewed after a specified time period","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"}
-{"Id":"ACM.2","Title":"RSA certificates managed by ACM should use a key length of at least 2,048 bits","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0"],"Severity":"HIGH","ScheduleType":"Change triggered"}
-{"Id":"APIGateway.1","Title":"API Gateway REST and WebSocket API execution logging should be enabled","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"}
-{"Id":"APIGateway.2","Title":"API Gateway REST API stages should be configured to use SSL certificates for backend authentication","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"}
-{"Id":"APIGateway.3","Title":"API Gateway REST API stages should have AWS X-Ray tracing enabled","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"LOW","ScheduleType":"Change triggered"}
-{"Id":"APIGateway.4","Title":"API Gateway should be associated with a WAF Web ACL","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"}
-{"Id":"APIGateway.5","Title":"API Gateway REST API cache data should be encrypted at rest","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"}
-{"Id":"APIGateway.8","Title":"API Gateway routes should specify an authorization type","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"}
-{"Id":"APIGateway.9","Title":"Access logging should be configured for API Gateway V2 Stages","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"}
-{"Id":"AppSync.2","Title":"AWS AppSync should have request-level and field-level logging turned on","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0"],"Severity":"MEDIUM","ScheduleType":"Change triggered"}
-{"Id":"AutoScaling.1","Title":"Auto scaling groups associated with a Classic Load Balancer should use load balancer health checks","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","PCI DSS v3.2.1","NIST SP 800-53 Rev. 5"],"Severity":"LOW","ScheduleType":"Change triggered"}
-{"Id":"AutoScaling.2","Title":"Amazon EC2 Auto Scaling group should cover multiple Availability Zones","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"}
-{"Id":"AutoScaling.3","Title":"Auto Scaling group launch configurations should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2)","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Change triggered"}
-{"Id":"AutoScaling.4","Title":"Auto Scaling group launch configuration should not have a metadata response hop limit greater than 1","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Change triggered"}
-{"Id":"Autoscaling.5","Title":"Amazon EC2 instances launched using Auto Scaling group launch configurations should not have Public IP addresses","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Change triggered"}
-{"Id":"AutoScaling.6","Title":"Auto Scaling groups should use multiple instance types in multiple Availability Zones","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"}
-{"Id":"AutoScaling.9","Title":"EC2 Auto Scaling groups should use EC2 launch templates","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"}
-{"Id":"CloudFormation.1","Title":"CloudFormation stacks should be integrated with Simple Notification Service (SNS)","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 5"],"Severity":"LOW","ScheduleType":"Change triggered"}
-{"Id":"CloudFront.1","Title":"CloudFront distributions should have a default root object configured","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 5"],"Severity":"CRITICAL","ScheduleType":"Change triggered"}
-{"Id":"CloudFront.2","Title":"CloudFront distributions should have origin access identity enabled","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"}
-{"Id":"CloudFront.3","Title":"CloudFront distributions should require encryption in transit","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"}
-{"Id":"CloudFront.4","Title":"CloudFront distributions should have origin failover configured","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 5"],"Severity":"LOW","ScheduleType":"Change triggered"}
-{"Id":"CloudFront.5","Title":"CloudFront distributions should have logging enabled","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"}
-{"Id":"CloudFront.6","Title":"CloudFront distributions should have WAF enabled","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"}
-{"Id":"CloudFront.7","Title":"CloudFront distributions should use custom SSL/TLS certificates","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"}
-{"Id":"CloudFront.8","Title":"CloudFront distributions should use SNI to serve HTTPS requests","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 5"],"Severity":"LOW","ScheduleType":"Change triggered"}
-{"Id":"CloudFront.9","Title":"CloudFront distributions should encrypt traffic to custom origins","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"}
-{"Id":"CloudFront.10","Title":"CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"}
-{"Id":"CloudFront.12","Title":"CloudFront distributions should not point to non-existent S3 origins","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Periodic"}
-{"Id":"CloudFront.13","Title":"CloudFront distributions should use origin access control","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0"],"Severity":"MEDIUM","ScheduleType":"Change triggered"}
-{"Id":"CloudTrail.1","Title":"CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events","LinkedStandards":["CIS AWS Foundations Benchmark v1.2.0","CIS AWS Foundations Benchmark v1.4.0","AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Periodic"}
-{"Id":"CloudTrail.2","Title":"CloudTrail should have encryption at-rest enabled","LinkedStandards":["CIS AWS Foundations Benchmark v1.2.0","AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","PCI DSS v3.2.1","CIS AWS Foundations Benchmark v1.4.0","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Periodic"}
-{"Id":"CloudTrail.3","Title":"CloudTrail should be enabled","LinkedStandards":["PCI DSS v3.2.1"],"Severity":"HIGH","ScheduleType":"Periodic"}
-{"Id":"CloudTrail.4","Title":"CloudTrail log file validation should be enabled","LinkedStandards":["CIS AWS Foundations Benchmark v1.2.0","AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","PCI DSS v3.2.1","CIS AWS Foundations Benchmark v1.4.0","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Periodic"}
-{"Id":"CloudTrail.5","Title":"CloudTrail trails should be integrated with Amazon CloudWatch Logs","LinkedStandards":["CIS AWS Foundations Benchmark v1.2.0","AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","PCI DSS v3.2.1","CIS AWS Foundations Benchmark v1.4.0","NIST SP 800-53 Rev. 5"],"Severity":"LOW","ScheduleType":"Periodic"}
-{"Id":"CloudTrail.6","Title":"Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible","LinkedStandards":["CIS AWS Foundations Benchmark v1.2.0","CIS AWS Foundations Benchmark v1.4.0"],"Severity":"CRITICAL","ScheduleType":"Periodic and change triggered"}
-{"Id":"CloudTrail.7","Title":"Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket","LinkedStandards":["CIS AWS Foundations Benchmark v1.2.0","CIS AWS Foundations Benchmark v1.4.0"],"Severity":"LOW","ScheduleType":"Periodic"}
-{"Id":"CloudWatch.1","Title":"A log metric filter and alarm should exist for usage of the \"root\" user","LinkedStandards":["CIS AWS Foundations Benchmark v1.2.0","PCI DSS v3.2.1","CIS AWS Foundations Benchmark v1.4.0"],"Severity":"LOW","ScheduleType":"Periodic"}
-{"Id":"CloudWatch.2","Title":"Ensure a log metric filter and alarm exist for unauthorized API calls","LinkedStandards":["CIS AWS Foundations Benchmark v1.2.0"],"Severity":"LOW","ScheduleType":"Periodic"}
-{"Id":"CloudWatch.3","Title":"Ensure a log metric filter and alarm exist for Management Console sign-in without MFA","LinkedStandards":["CIS AWS Foundations Benchmark v1.2.0"],"Severity":"LOW","ScheduleType":"Periodic"}
-{"Id":"CloudWatch.4","Title":"Ensure a log metric filter and alarm exist for IAM policy changes","LinkedStandards":["CIS AWS Foundations Benchmark v1.2.0","CIS AWS Foundations Benchmark v1.4.0"],"Severity":"LOW","ScheduleType":"Periodic"}
-{"Id":"CloudWatch.5","Title":"Ensure a log metric filter and alarm exist for CloudTrail configuration changes","LinkedStandards":["CIS AWS Foundations Benchmark v1.2.0","CIS AWS Foundations Benchmark v1.4.0"],"Severity":"LOW","ScheduleType":"Periodic"}
-{"Id":"CloudWatch.6","Title":"Ensure a log metric filter and alarm exist for AWS Management Console authentication failures","LinkedStandards":["CIS AWS Foundations Benchmark v1.2.0","CIS AWS Foundations Benchmark v1.4.0"],"Severity":"LOW","ScheduleType":"Periodic"}
-{"Id":"CloudWatch.7","Title":"Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs","LinkedStandards":["CIS AWS Foundations Benchmark v1.2.0","CIS AWS Foundations Benchmark v1.4.0"],"Severity":"LOW","ScheduleType":"Periodic"}
-{"Id":"CloudWatch.8","Title":"Ensure a log metric filter and alarm exist for S3 bucket policy changes","LinkedStandards":["CIS AWS Foundations Benchmark v1.2.0","CIS AWS Foundations Benchmark v1.4.0"],"Severity":"LOW","ScheduleType":"Periodic"}
-{"Id":"CloudWatch.9","Title":"Ensure a log metric filter and alarm exist for AWS Config configuration changes","LinkedStandards":["CIS AWS Foundations Benchmark v1.2.0","CIS AWS Foundations Benchmark v1.4.0"],"Severity":"LOW","ScheduleType":"Periodic"}
-{"Id":"CloudWatch.10","Title":"Ensure a log metric filter and alarm exist for security group changes","LinkedStandards":["CIS AWS Foundations Benchmark v1.2.0","CIS AWS Foundations Benchmark v1.4.0"],"Severity":"LOW","ScheduleType":"Periodic"}
-{"Id":"CloudWatch.11","Title":"Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)","LinkedStandards":["CIS AWS Foundations Benchmark v1.2.0","CIS AWS Foundations Benchmark v1.4.0"],"Severity":"LOW","ScheduleType":"Periodic"}
-{"Id":"CloudWatch.12","Title":"Ensure a log metric filter and alarm exist for changes to network gateways","LinkedStandards":["CIS AWS Foundations Benchmark v1.2.0","CIS AWS Foundations Benchmark v1.4.0"],"Severity":"LOW","ScheduleType":"Periodic"}
-{"Id":"CloudWatch.13","Title":"Ensure a log metric filter and alarm exist for route table changes","LinkedStandards":["CIS AWS Foundations Benchmark v1.2.0","CIS AWS Foundations Benchmark v1.4.0"],"Severity":"LOW","ScheduleType":"Periodic"}
-{"Id":"CloudWatch.14","Title":"Ensure a log metric filter and alarm exist for VPC changes","LinkedStandards":["CIS AWS Foundations Benchmark v1.2.0","CIS AWS Foundations Benchmark v1.4.0"],"Severity":"LOW","ScheduleType":"Periodic"}
-{"Id":"CloudWatch.15","Title":"CloudWatch Alarms should have an action configured for theALARMstate","LinkedStandards":["NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Change triggered"}
-{"Id":"CloudWatch.16","Title":"CloudWatch log groups should be retained for at least 1 year","LinkedStandards":["NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Periodic"}
-{"Id":"CloudWatch.17","Title":"CloudWatch alarm actions should be enabled","LinkedStandards":["NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Change triggered"}
-{"Id":"CodeBuild.1","Title":"CodeBuild GitHub or Bitbucket source repository URLs should use OAuth","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","PCI DSS v3.2.1","NIST SP 800-53 Rev. 5"],"Severity":"CRITICAL","ScheduleType":"Change triggered"}
-{"Id":"CodeBuild.2","Title":"CodeBuild project environment variables should not contain clear text credentials","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","PCI DSS v3.2.1","NIST SP 800-53 Rev. 5"],"Severity":"CRITICAL","ScheduleType":"Change triggered"}
-{"Id":"CodeBuild.3","Title":"CodeBuild S3 logs should be encrypted","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"LOW","ScheduleType":"Change triggered"}
-{"Id":"CodeBuild.4","Title":"CodeBuild project environments should have a logging configuration","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"}
-{"Id":"CodeBuild.5","Title":"CodeBuild project environments should not have privileged mode enabled","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Change triggered"}
-{"Id":"Config.1","Title":"AWS Config should be enabled","LinkedStandards":["CIS AWS Foundations Benchmark v1.2.0","AWS Foundational Security Best Practices v1.0.0","PCI DSS v3.2.1","CIS AWS Foundations Benchmark v1.4.0","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Periodic"}
-{"Id":"DMS.1","Title":"Database Migration Service replication instances should not be public","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","PCI DSS v3.2.1","NIST SP 800-53 Rev. 5"],"Severity":"CRITICAL","ScheduleType":"Periodic"}
-{"Id":"DynamoDB.1","Title":"DynamoDB tables should automatically scale capacity with demand","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Periodic"}
-{"Id":"DynamoDB.2","Title":"DynamoDB tables should have point-in-time recovery enabled","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"}
-{"Id":"DynamoDB.3","Title":"DynamoDB Accelerator (DAX) clusters should be encrypted at rest","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Periodic"}
-{"Id":"DynamoDB.4","Title":"DynamoDB tables should be present in a backup plan","LinkedStandards":["NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Periodic"}
-{"Id":"EC2.1","Title":"EBS snapshots should not be publicly restorable","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","PCI DSS v3.2.1","NIST SP 800-53 Rev. 5"],"Severity":"CRITICAL","ScheduleType":"Periodic"}
-{"Id":"EC2.2","Title":"The VPC default security group should not allow inbound and outbound traffic","LinkedStandards":["CIS AWS Foundations Benchmark v1.2.0","AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","PCI DSS v3.2.1","CIS AWS Foundations Benchmark v1.4.0","NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Change triggered"}
-{"Id":"EC2.3","Title":"Attached EBS volumes should be encrypted at-rest","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"}
-{"Id":"EC2.4","Title":"Stopped EC2 instances should be removed after a specified time period","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Periodic"}
-{"Id":"EC2.6","Title":"VPC flow logging should be enabled in all VPCs","LinkedStandards":["CIS AWS Foundations Benchmark v1.2.0","AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","PCI DSS v3.2.1","CIS AWS Foundations Benchmark v1.4.0","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Periodic"}
-{"Id":"EC2.7","Title":"EBS default encryption should be enabled","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","CIS AWS Foundations Benchmark v1.4.0","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Periodic"}
-{"Id":"EC2.8","Title":"EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Change triggered"}
-{"Id":"EC2.9","Title":"EC2 instances should not have a public IPv4 address","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Change triggered"}
-{"Id":"EC2.10","Title":"Amazon EC2 should be configured to use VPC endpoints that are created for the Amazon EC2 service","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Periodic"}
-{"Id":"EC2.12","Title":"Unused EC2 EIPs should be removed","LinkedStandards":["PCI DSS v3.2.1","NIST SP 800-53 Rev. 5"],"Severity":"LOW","ScheduleType":"Change triggered"}
-{"Id":"EC2.13","Title":"Security groups should not allow ingress from 0.0.0.0/0 to port 22","LinkedStandards":["CIS AWS Foundations Benchmark v1.2.0","PCI DSS v3.2.1","NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Change triggered"}
-{"Id":"EC2.14","Title":"Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389","LinkedStandards":["CIS AWS Foundations Benchmark v1.2.0"],"Severity":"HIGH","ScheduleType":"Change triggered"}
-{"Id":"EC2.15","Title":"EC2 subnets should not automatically assign public IP addresses","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"}
-{"Id":"EC2.16","Title":"Unused Network Access Control Lists should be removed","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"LOW","ScheduleType":"Change triggered"}
-{"Id":"EC2.17","Title":"EC2 instances should not use multiple ENIs","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"LOW","ScheduleType":"Change triggered"}
-{"Id":"EC2.18","Title":"Security groups should only allow unrestricted incoming traffic for authorized ports","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Change triggered"}
-{"Id":"EC2.19","Title":"Security groups should not allow unrestricted access to ports with high risk","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"CRITICAL","ScheduleType":"Change triggered"}
-{"Id":"EC2.20","Title":"Both VPN tunnels for an AWS Site-to-Site VPN connection should be up","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"}
-{"Id":"EC2.21","Title":"Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","CIS AWS Foundations Benchmark v1.4.0","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"}
-{"Id":"EC2.22","Title":"Unused EC2 security groups should be removed","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Periodic"}
-{"Id":"EC2.23","Title":"EC2 Transit Gateways should not automatically accept VPC attachment requests","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Change triggered"}
-{"Id":"EC2.24","Title":"EC2 paravirtual instance types should not be used","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"}
-{"Id":"EC2.25","Title":"EC2 launch templates should not assign public IPs to network interfaces","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Change triggered"}
-{"Id":"EC2.28","Title":"EBS volumes should be in a backup plan","LinkedStandards":["NIST SP 800-53 Rev. 5"],"Severity":"LOW","ScheduleType":"Periodic"}
-{"Id":"EC2.29","Title":"EC2 instances should be inside of a VPC","LinkedStandards":["NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Change triggered"}
-{"Id":"ECR.1","Title":"ECR private repositories should have image scanning configured","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Change triggered"}
-{"Id":"ECR.2","Title":"ECR private repositories should have tag immutability configured","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"}
-{"Id":"ECR.3","Title":"ECR repositories should have at least one lifecycle policy configured","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"}
-{"Id":"ECS.1","Title":"Amazon ECS task definitions should have secure networking modes and user definitions.","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Change triggered"}
-{"Id":"ECS.2","Title":"ECS services should not have public IP addresses assigned to them automatically","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Change triggered"}
-{"Id":"ECS.3","Title":"ECS task definitions should not share the host's process namespace","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Change triggered"}
-{"Id":"ECS.4","Title":"ECS containers should run as non-privileged","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Change triggered"}
-{"Id":"ECS.5","Title":"ECS containers should be limited to read-only access to root filesystems","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Change triggered"}
-{"Id":"ECS.8","Title":"Secrets should not be passed as container environment variables","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Change triggered"}
-{"Id":"ECS.10","Title":"ECS Fargate services should run on the latest Fargate platform version","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"}
-{"Id":"ECS.12","Title":"ECS clusters should use Container Insights","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"}
-{"Id":"EFS.1","Title":"Elastic File System should be configured to encrypt file data at-rest using AWS KMS","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Periodic"}
-{"Id":"EFS.2","Title":"Amazon EFS volumes should be in backup plans","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Periodic"}
-{"Id":"EFS.3","Title":"EFS access points should enforce a root directory","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"}
-{"Id":"EFS.4","Title":"EFS access points should enforce a user identity","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"}
-{"Id":"EKS.1","Title":"EKS cluster endpoints should not be publicly accessible","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Periodic"}
-{"Id":"EKS.2","Title":"EKS clusters should run on a supported Kubernetes version","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Change triggered"}
-{"Id":"ElastiCache.1","Title":"ElastiCache Redis clusters should have automatic backup enabled","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Periodic"}
-{"Id":"ElastiCache.2","Title":"ElastiCache for Redis cache clusters should have auto minor version upgrades enabled","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Periodic"}
-{"Id":"ElastiCache.3","Title":"ElastiCache replication groups should have automatic failover enabled","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Periodic"}
-{"Id":"ElastiCache.4","Title":"ElastiCache replication groups should have encryption-at-rest enabled","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Periodic"}
-{"Id":"ElastiCache.5","Title":"ElastiCache replication groups should have encryption-in-transit enabled","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Periodic"}
-{"Id":"ElastiCache.6","Title":"ElastiCache replication groups of earlier Redis versions should have Redis AUTH enabled","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Periodic"}
-{"Id":"ElastiCache.7","Title":"ElastiCache clusters should not use the default subnet group","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Periodic"}
-{"Id":"ElasticBeanstalk.1","Title":"Elastic Beanstalk environments should have enhanced health reporting enabled","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"LOW","ScheduleType":"Change triggered"}
-{"Id":"ElasticBeanstalk.2","Title":"Elastic Beanstalk managed platform updates should be enabled","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Change triggered"}
-{"Id":"ElasticBeanstalk.3","Title":"Elastic Beanstalk should stream logs to CloudWatch","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0"],"Severity":"HIGH","ScheduleType":"Change triggered"}
-{"Id":"ELB.1","Title":"Application Load Balancer should be configured to redirect all HTTP requests to HTTPS","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","PCI DSS v3.2.1","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Periodic"}
-{"Id":"ELB.2","Title":"Classic Load Balancers with SSL/HTTPS listeners should use a certificate provided by AWS Certificate Manager","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"}
-{"Id":"ELB.3","Title":"Classic Load Balancer listeners should be configured with HTTPS or TLS termination","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"}
-{"Id":"ELB.4","Title":"Application Load Balancer should be configured to drop http headers","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"}
-{"Id":"ELB.5","Title":"Application and Classic Load Balancers logging should be enabled","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"}
-{"Id":"ELB.6","Title":"Application Load Balancer deletion protection should be enabled","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"}
-{"Id":"ELB.7","Title":"Classic Load Balancers should have connection draining enabled","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"}
-{"Id":"ELB.8","Title":"Classic Load Balancers with SSL listeners should use a predefined security policy that has strong configuration","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"}
-{"Id":"ELB.9","Title":"Classic Load Balancers should have cross-zone load balancing enabled","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"}
-{"Id":"ELB.10","Title":"Classic Load Balancer should span multiple Availability Zones","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"}
-{"Id":"ELB.12","Title":"Application Load Balancer should be configured with defensive or strictest desync mitigation mode","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"}
-{"Id":"ELB.13","Title":"Application, Network and Gateway Load Balancers should span multiple Availability Zones","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"}
-{"Id":"ELB.14","Title":"Classic Load Balancer should be configured with defensive or strictest desync mitigation mode","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"}
-{"Id":"ELB.16","Title":"Application Load Balancers should be associated with an AWS WAF web ACL","LinkedStandards":["NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"}
-{"Id":"EMR.1","Title":"Amazon Elastic MapReduce cluster master nodes should not have public IP addresses","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 
5"],"Severity":"HIGH","ScheduleType":"Periodic"} -{"Id":"ES.1","Title":"Elasticsearch domains should have encryption at-rest enabled","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","PCI DSS v3.2.1","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Periodic"} -{"Id":"ES.2","Title":"Elasticsearch domains should be in a VPC","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","PCI DSS v3.2.1","NIST SP 800-53 Rev. 5"],"Severity":"CRITICAL","ScheduleType":"Periodic"} -{"Id":"ES.3","Title":"Elasticsearch domains should encrypt data sent between nodes","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} -{"Id":"ES.4","Title":"Elasticsearch domain error logging to CloudWatch Logs should be enabled","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} -{"Id":"ES.5","Title":"Elasticsearch domains should have audit logging enabled","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} -{"Id":"ES.6","Title":"Elasticsearch domains should have at least three data nodes","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} -{"Id":"ES.7","Title":"Elasticsearch domains should be configured with at least three dedicated master nodes","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 
5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} -{"Id":"ES.8","Title":"Connections to Elasticsearch domains should be encrypted using TLS 1.2","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} -{"Id":"GuardDuty.1","Title":"GuardDuty should be enabled","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","PCI DSS v3.2.1","NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Periodic"} -{"Id":"IAM.1","Title":"IAM policies should not allow full \"*\" administrative privileges","LinkedStandards":["CIS AWS Foundations Benchmark v1.2.0","AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","PCI DSS v3.2.1","CIS AWS Foundations Benchmark v1.4.0","NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Change triggered"} -{"Id":"IAM.2","Title":"IAM users should not have IAM policies attached","LinkedStandards":["CIS AWS Foundations Benchmark v1.2.0","AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","PCI DSS v3.2.1","NIST SP 800-53 Rev. 5"],"Severity":"LOW","ScheduleType":"Change triggered"} -{"Id":"IAM.3","Title":"IAM users' access keys should be rotated every 90 days or less","LinkedStandards":["CIS AWS Foundations Benchmark v1.2.0","AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","CIS AWS Foundations Benchmark v1.4.0","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Periodic"} -{"Id":"IAM.4","Title":"IAM root user access key should not exist","LinkedStandards":["CIS AWS Foundations Benchmark v1.2.0","AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","PCI DSS v3.2.1","CIS AWS Foundations Benchmark v1.4.0","NIST SP 800-53 Rev. 
5"],"Severity":"CRITICAL","ScheduleType":"Periodic"} -{"Id":"IAM.5","Title":"MFA should be enabled for all IAM users that have a console password","LinkedStandards":["CIS AWS Foundations Benchmark v1.2.0","AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","CIS AWS Foundations Benchmark v1.4.0","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Periodic"} -{"Id":"IAM.6","Title":"Hardware MFA should be enabled for the root user","LinkedStandards":["CIS AWS Foundations Benchmark v1.2.0","AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","PCI DSS v3.2.1","CIS AWS Foundations Benchmark v1.4.0","NIST SP 800-53 Rev. 5"],"Severity":"CRITICAL","ScheduleType":"Periodic"} -{"Id":"IAM.7","Title":"Password policies for IAM users should have strong configurations","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Periodic"} -{"Id":"IAM.8","Title":"Unused IAM user credentials should be removed","LinkedStandards":["CIS AWS Foundations Benchmark v1.2.0","AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","PCI DSS v3.2.1","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Periodic"} -{"Id":"IAM.9","Title":"Virtual MFA should be enabled for the root user","LinkedStandards":["CIS AWS Foundations Benchmark v1.2.0","PCI DSS v3.2.1","CIS AWS Foundations Benchmark v1.4.0","NIST SP 800-53 Rev. 
5"],"Severity":"CRITICAL","ScheduleType":"Periodic"} -{"Id":"IAM.10","Title":"Password policies for IAM users should have strong configurations","LinkedStandards":["PCI DSS v3.2.1"],"Severity":"MEDIUM","ScheduleType":"Periodic"} -{"Id":"IAM.11","Title":"Ensure IAM password policy requires at least one uppercase letter","LinkedStandards":["CIS AWS Foundations Benchmark v1.2.0"],"Severity":"MEDIUM","ScheduleType":"Periodic"} -{"Id":"IAM.12","Title":"Ensure IAM password policy requires at least one lowercase letter","LinkedStandards":["CIS AWS Foundations Benchmark v1.2.0"],"Severity":"MEDIUM","ScheduleType":"Periodic"} -{"Id":"IAM.13","Title":"Ensure IAM password policy requires at least one symbol","LinkedStandards":["CIS AWS Foundations Benchmark v1.2.0"],"Severity":"MEDIUM","ScheduleType":"Periodic"} -{"Id":"IAM.14","Title":"Ensure IAM password policy requires at least one number","LinkedStandards":["CIS AWS Foundations Benchmark v1.2.0"],"Severity":"MEDIUM","ScheduleType":"Periodic"} -{"Id":"IAM.15","Title":"Ensure IAM password policy requires minimum password length of 14 or greater","LinkedStandards":["CIS AWS Foundations Benchmark v1.2.0","CIS AWS Foundations Benchmark v1.4.0"],"Severity":"MEDIUM","ScheduleType":"Periodic"} -{"Id":"IAM.16","Title":"Ensure IAM password policy prevents password reuse","LinkedStandards":["CIS AWS Foundations Benchmark v1.2.0","CIS AWS Foundations Benchmark v1.4.0"],"Severity":"LOW","ScheduleType":"Periodic"} -{"Id":"IAM.17","Title":"Ensure IAM password policy expires passwords within 90 days or less","LinkedStandards":["CIS AWS Foundations Benchmark v1.2.0"],"Severity":"LOW","ScheduleType":"Periodic"} -{"Id":"IAM.18","Title":"Ensure a support role has been created to manage incidents with AWS Support","LinkedStandards":["CIS AWS Foundations Benchmark v1.2.0","CIS AWS Foundations Benchmark v1.4.0"],"Severity":"LOW","ScheduleType":"Periodic"} -{"Id":"IAM.19","Title":"MFA should be enabled for all IAM users","LinkedStandards":["PCI 
DSS v3.2.1","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Periodic"} -{"Id":"IAM.20","Title":"Avoid the use of the root user","LinkedStandards":["CIS AWS Foundations Benchmark v1.2.0"],"Severity":"LOW","ScheduleType":"Periodic"} -{"Id":"IAM.21","Title":"IAM customer managed policies that you create should not allow wildcard actions for services","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"LOW","ScheduleType":"Change triggered"} -{"Id":"IAM.22","Title":"IAM user credentials unused for 45 days should be removed","LinkedStandards":["CIS AWS Foundations Benchmark v1.4.0"],"Severity":"MEDIUM","ScheduleType":"Periodic"} -{"Id":"Kinesis.1","Title":"Kinesis streams should be encrypted at rest","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} -{"Id":"KMS.1","Title":"IAM customer managed policies should not allow decryption actions on all KMS keys","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} -{"Id":"KMS.2","Title":"IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} -{"Id":"KMS.3","Title":"AWS KMS keys should not be deleted unintentionally","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 
5"],"Severity":"CRITICAL","ScheduleType":"Periodic"} -{"Id":"KMS.4","Title":"AWS KMS key rotation should be enabled","LinkedStandards":["CIS AWS Foundations Benchmark v1.2.0","PCI DSS v3.2.1","CIS AWS Foundations Benchmark v1.4.0","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Periodic"} -{"Id":"Lambda.1","Title":"Lambda function policies should prohibit public access","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","PCI DSS v3.2.1","NIST SP 800-53 Rev. 5"],"Severity":"CRITICAL","ScheduleType":"Change triggered"} -{"Id":"Lambda.2","Title":"Lambda functions should use supported runtimes","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} -{"Id":"Lambda.3","Title":"Lambda functions should be in a VPC","LinkedStandards":["PCI DSS v3.2.1","NIST SP 800-53 Rev. 5"],"Severity":"LOW","ScheduleType":"Change triggered"} -{"Id":"Lambda.5","Title":"VPC Lambda functions should operate in more than one Availability Zone","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} -{"Id":"NetworkFirewall.3","Title":"Network Firewall policies should have at least one rule group associated","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} -{"Id":"NetworkFirewall.4","Title":"The default stateless action for Network Firewall policies should be drop or forward for full packets","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 
5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} -{"Id":"NetworkFirewall.5","Title":"The default stateless action for Network Firewall policies should be drop or forward for fragmented packets","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} -{"Id":"NetworkFirewall.6","Title":"Stateless network firewall rule group should not be empty","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} -{"Id":"Opensearch.1","Title":"OpenSearch domains should have encryption at rest enabled","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","PCI DSS v3.2.1","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} -{"Id":"Opensearch.2","Title":"OpenSearch domains should be in a VPC","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","PCI DSS v3.2.1","NIST SP 800-53 Rev. 5"],"Severity":"CRITICAL","ScheduleType":"Change triggered"} -{"Id":"Opensearch.3","Title":"OpenSearch domains should encrypt data sent between nodes","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} -{"Id":"Opensearch.4","Title":"OpenSearch domain error logging to CloudWatch Logs should be enabled","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 
5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} -{"Id":"Opensearch.5","Title":"OpenSearch domains should have audit logging enabled","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} -{"Id":"Opensearch.6","Title":"OpenSearch domains should have at least three data nodes","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} -{"Id":"Opensearch.7","Title":"OpenSearch domains should have fine-grained access control enabled","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Change triggered"} -{"Id":"Opensearch.8","Title":"Connections to OpenSearch domains should be encrypted using TLS 1.2","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} -{"Id":"RDS.1","Title":"RDS snapshot should be private","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","PCI DSS v3.2.1","NIST SP 800-53 Rev. 5"],"Severity":"CRITICAL","ScheduleType":"Change triggered"} -{"Id":"RDS.2","Title":"RDS DB Instances should prohibit public access, as determined by the PubliclyAccessible configuration","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","PCI DSS v3.2.1","NIST SP 800-53 Rev. 
5"],"Severity":"CRITICAL","ScheduleType":"Change triggered"} -{"Id":"RDS.3","Title":"RDS DB instances should have encryption at-rest enabled","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","CIS AWS Foundations Benchmark v1.4.0","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} -{"Id":"RDS.4","Title":"RDS cluster snapshots and database snapshots should be encrypted at rest","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} -{"Id":"RDS.5","Title":"RDS DB instances should be configured with multiple Availability Zones","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} -{"Id":"RDS.6","Title":"Enhanced monitoring should be configured for RDS DB instances","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"LOW","ScheduleType":"Change triggered"} -{"Id":"RDS.7","Title":"RDS clusters should have deletion protection enabled","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 5"],"Severity":"LOW","ScheduleType":"Change triggered"} -{"Id":"RDS.8","Title":"RDS DB instances should have deletion protection enabled","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"LOW","ScheduleType":"Change triggered"} -{"Id":"RDS.9","Title":"Database logging should be enabled","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 
5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} -{"Id":"RDS.10","Title":"IAM authentication should be configured for RDS instances","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} -{"Id":"RDS.11","Title":"RDS instances should have automatic backups enabled","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} -{"Id":"RDS.12","Title":"IAM authentication should be configured for RDS clusters","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} -{"Id":"RDS.13","Title":"RDS automatic minor version upgrades should be enabled","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Change triggered"} -{"Id":"RDS.14","Title":"Amazon Aurora clusters should have backtracking enabled","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} -{"Id":"RDS.15","Title":"RDS DB clusters should be configured for multiple Availability Zones","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} -{"Id":"RDS.16","Title":"RDS DB clusters should be configured to copy tags to snapshots","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 
5"],"Severity":"LOW","ScheduleType":"Change triggered"} -{"Id":"RDS.17","Title":"RDS DB instances should be configured to copy tags to snapshots","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"LOW","ScheduleType":"Change triggered"} -{"Id":"RDS.18","Title":"RDS instances should be deployed in a VPC","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Change triggered"} -{"Id":"RDS.19","Title":"An RDS event notifications subscription should be configured for critical cluster events","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"LOW","ScheduleType":"Change triggered"} -{"Id":"RDS.20","Title":"An RDS event notifications subscription should be configured for critical database instance events","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"LOW","ScheduleType":"Change triggered"} -{"Id":"RDS.21","Title":"An RDS event notifications subscription should be configured for critical database parameter group events","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"LOW","ScheduleType":"Change triggered"} -{"Id":"RDS.22","Title":"An RDS event notifications subscription should be configured for critical database security group events","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 
5"],"Severity":"LOW","ScheduleType":"Change triggered"} -{"Id":"RDS.23","Title":"RDS instances should not use a database engine default port","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"LOW","ScheduleType":"Change triggered"} -{"Id":"RDS.24","Title":"RDS Database Clusters should use a custom administrator username","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} -{"Id":"RDS.25","Title":"RDS database instances should use a custom administrator username","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} -{"Id":"RDS.26","Title":"RDS DB instances should be protected by a backup plan","LinkedStandards":["NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Periodic"} -{"Id":"Redshift.1","Title":"Amazon Redshift clusters should prohibit public access","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","PCI DSS v3.2.1","NIST SP 800-53 Rev. 5"],"Severity":"CRITICAL","ScheduleType":"Change triggered"} -{"Id":"Redshift.2","Title":"Connections to Amazon Redshift clusters should be encrypted in transit","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} -{"Id":"Redshift.3","Title":"Amazon Redshift clusters should have automatic snapshots enabled","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 
5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} -{"Id":"Redshift.4","Title":"Amazon Redshift clusters should have audit logging enabled","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} -{"Id":"Redshift.6","Title":"Amazon Redshift should have automatic upgrades to major versions enabled","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} -{"Id":"Redshift.7","Title":"Redshift clusters should use enhanced VPC routing","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} -{"Id":"Redshift.8","Title":"Amazon Redshift clusters should not use the default Admin username","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} -{"Id":"Redshift.9","Title":"Redshift clusters should not use the default database name","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} -{"Id":"Redshift.10","Title":"Redshift clusters should be encrypted at rest","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 
5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} -{"Id":"S3.1","Title":"S3 Block Public Access setting should be enabled","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","PCI DSS v3.2.1","CIS AWS Foundations Benchmark v1.4.0","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Periodic"} -{"Id":"S3.2","Title":"S3 buckets should prohibit public read access","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","PCI DSS v3.2.1","NIST SP 800-53 Rev. 5"],"Severity":"CRITICAL","ScheduleType":"Periodic and change triggered"} -{"Id":"S3.3","Title":"S3 buckets should prohibit public write access","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","PCI DSS v3.2.1","NIST SP 800-53 Rev. 5"],"Severity":"CRITICAL","ScheduleType":"Periodic and change triggered"} -{"Id":"S3.4","Title":"S3 buckets should have server-side encryption enabled","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","PCI DSS v3.2.1","CIS AWS Foundations Benchmark v1.4.0","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} -{"Id":"S3.5","Title":"S3 buckets should require requests to use Secure Socket Layer","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","PCI DSS v3.2.1","CIS AWS Foundations Benchmark v1.4.0","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} -{"Id":"S3.6","Title":"S3 permissions granted to other AWS accounts in bucket policies should be restricted","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 
5"],"Severity":"HIGH","ScheduleType":"Change triggered"} -{"Id":"S3.7","Title":"S3 buckets should have cross-Region replication enabled","LinkedStandards":["PCI DSS v3.2.1","NIST SP 800-53 Rev. 5"],"Severity":"LOW","ScheduleType":"Change triggered"} -{"Id":"S3.8","Title":"S3 Block Public Access setting should be enabled at the bucket-level","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","CIS AWS Foundations Benchmark v1.4.0","NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Change triggered"} -{"Id":"S3.9","Title":"S3 bucket server access logging should be enabled","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} -{"Id":"S3.10","Title":"S3 buckets with versioning enabled should have lifecycle policies configured","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} -{"Id":"S3.11","Title":"S3 buckets should have event notifications enabled","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} -{"Id":"S3.12","Title":"S3 access control lists (ACLs) should not be used to manage user access to buckets","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} -{"Id":"S3.13","Title":"S3 buckets should have lifecycle policies configured","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 
5"],"Severity":"LOW","ScheduleType":"Change triggered"} -{"Id":"S3.14","Title":"S3 buckets should have versioning enabled","LinkedStandards":["NIST SP 800-53 Rev. 5"],"Severity":"LOW","ScheduleType":"Change triggered"} -{"Id":"S3.15","Title":"S3 buckets should be configured to use Object Lock","LinkedStandards":["NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} -{"Id":"S3.17","Title":"S3 buckets should be encrypted at rest with AWS KMS keys","LinkedStandards":["NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} -{"Id":"SageMaker.1","Title":"Amazon SageMaker notebook instances should not have direct internet access","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","PCI DSS v3.2.1","NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Periodic"} -{"Id":"SageMaker.2","Title":"SageMaker notebook instances should be launched in a custom VPC","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Change triggered"} -{"Id":"SageMaker.3","Title":"Users should not have root access to SageMaker notebook instances","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Change triggered"} -{"Id":"SecretsManager.1","Title":"Secrets Manager secrets should have automatic rotation enabled","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 
5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} -{"Id":"SecretsManager.2","Title":"Secrets Manager secrets configured with automatic rotation should rotate successfully","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} -{"Id":"SecretsManager.3","Title":"Remove unused Secrets Manager secrets","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Periodic"} -{"Id":"SecretsManager.4","Title":"Secrets Manager secrets should be rotated within a specified number of days","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Periodic"} -{"Id":"SNS.1","Title":"SNS topics should be encrypted at-rest using AWS KMS","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} -{"Id":"SNS.2","Title":"Logging of delivery status should be enabled for notification messages sent to a topic","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} -{"Id":"SQS.1","Title":"Amazon SQS queues should be encrypted at rest","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 
5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} -{"Id":"SSM.1","Title":"EC2 instances should be managed by AWS Systems Manager","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","PCI DSS v3.2.1","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} -{"Id":"SSM.2","Title":"EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","PCI DSS v3.2.1","NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Change triggered"} -{"Id":"SSM.3","Title":"EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","PCI DSS v3.2.1","NIST SP 800-53 Rev. 5"],"Severity":"LOW","ScheduleType":"Change triggered"} -{"Id":"SSM.4","Title":"SSM documents should not be public","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"CRITICAL","ScheduleType":"Periodic"} -{"Id":"StepFunctions.1","Title":"Step Functions state machines should have logging turned on","LinkedStandards":["AWS Foundational Security Best Practices"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} -{"Id":"WAF.1","Title":"AWS WAF Classic Global Web ACL logging should be enabled","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Periodic"} -{"Id":"WAF.2","Title":"A WAF Regional rule should have at least one condition","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 
5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} -{"Id":"WAF.3","Title":"A WAF Regional rule group should have at least one rule","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} -{"Id":"WAF.4","Title":"A WAF Regional web ACL should have at least one rule or rule group","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} -{"Id":"WAF.6","Title":"A WAF global rule should have at least one condition","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} -{"Id":"WAF.7","Title":"A WAF global rule group should have at least one rule","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} -{"Id":"WAF.8","Title":"A WAF global web ACL should have at least one rule or rule group","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} -{"Id":"WAF.10","Title":"A WAFV2 web ACL should have at least one rule or rule group","LinkedStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} -{"Id":"WAF.11","Title":"AWS WAFv2 web ACL logging should be enabled","LinkedStandards":["NIST SP 800-53 Rev. 5"],"Severity":"LOW","ScheduleType":"Periodic"} +{"Id":"Account.1","Title":"Security contact information should be provided for an AWS account","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 
5"],"Severity":"MEDIUM","ScheduleType":"Periodic"} +{"Id":"Account.2","Title":"AWS account should be part of an AWS Organizations organization","ApplicableStandards":["NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Periodic"} +{"Id":"ACM.1","Title":"Imported and ACM-issued certificates should be renewed after a specified time period","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"ACM.2","Title":"RSA certificates managed by ACM should use a key length of at least 2,048 bits","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0"],"Severity":"HIGH","ScheduleType":"Change triggered"} +{"Id":"APIGateway.1","Title":"API Gateway REST and WebSocket API execution logging should be enabled","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"APIGateway.2","Title":"API Gateway REST API stages should be configured to use SSL certificates for backend authentication","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"APIGateway.3","Title":"API Gateway REST API stages should have AWS X-Ray tracing enabled","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"LOW","ScheduleType":"Change triggered"} +{"Id":"APIGateway.4","Title":"API Gateway should be associated with a WAF Web ACL","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 
5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"APIGateway.5","Title":"API Gateway REST API cache data should be encrypted at rest","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"APIGateway.8","Title":"API Gateway routes should specify an authorization type","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"APIGateway.9","Title":"Access logging should be configured for API Gateway V2 Stages","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"AppSync.2","Title":"AWS AppSync should have request-level and field-level logging turned on","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"AutoScaling.1","Title":"Auto scaling groups associated with a Classic Load Balancer should use load balancer health checks","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","PCI DSS v3.2.1","NIST SP 800-53 Rev. 5"],"Severity":"LOW","ScheduleType":"Change triggered"} +{"Id":"AutoScaling.2","Title":"Amazon EC2 Auto Scaling group should cover multiple Availability Zones","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 
5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"AutoScaling.3","Title":"Auto Scaling group launch configurations should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2)","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Change triggered"} +{"Id":"AutoScaling.4","Title":"Auto Scaling group launch configuration should not have a metadata response hop limit greater than 1","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Change triggered"} +{"Id":"Autoscaling.5","Title":"Amazon EC2 instances launched using Auto Scaling group launch configurations should not have Public IP addresses","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Change triggered"} +{"Id":"AutoScaling.6","Title":"Auto Scaling groups should use multiple instance types in multiple Availability Zones","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"AutoScaling.9","Title":"EC2 Auto Scaling groups should use EC2 launch templates","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"CloudFormation.1","Title":"CloudFormation stacks should be integrated with Simple Notification Service (SNS)","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 
5"],"Severity":"LOW","ScheduleType":"Change triggered"} +{"Id":"CloudFront.1","Title":"CloudFront distributions should have a default root object configured","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 5"],"Severity":"CRITICAL","ScheduleType":"Change triggered"} +{"Id":"CloudFront.2","Title":"CloudFront distributions should have origin access identity enabled","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"CloudFront.3","Title":"CloudFront distributions should require encryption in transit","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"CloudFront.4","Title":"CloudFront distributions should have origin failover configured","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 5"],"Severity":"LOW","ScheduleType":"Change triggered"} +{"Id":"CloudFront.5","Title":"CloudFront distributions should have logging enabled","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"CloudFront.6","Title":"CloudFront distributions should have WAF enabled","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"CloudFront.7","Title":"CloudFront distributions should use custom SSL/TLS certificates","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"CloudFront.8","Title":"CloudFront distributions should use SNI to serve HTTPS requests","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 
5"],"Severity":"LOW","ScheduleType":"Change triggered"} +{"Id":"CloudFront.9","Title":"CloudFront distributions should encrypt traffic to custom origins","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"CloudFront.10","Title":"CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"CloudFront.12","Title":"CloudFront distributions should not point to non-existent S3 origins","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Periodic"} +{"Id":"CloudFront.13","Title":"CloudFront distributions should use origin access control","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"CloudTrail.1","Title":"CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events","ApplicableStandards":["CIS AWS Foundations Benchmark v1.2.0","CIS AWS Foundations Benchmark v1.4.0","AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Periodic"} +{"Id":"CloudTrail.2","Title":"CloudTrail should have encryption at-rest enabled","ApplicableStandards":["CIS AWS Foundations Benchmark v1.2.0","AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","PCI DSS v3.2.1","CIS AWS Foundations Benchmark v1.4.0","NIST SP 800-53 Rev. 
5"],"Severity":"MEDIUM","ScheduleType":"Periodic"} +{"Id":"CloudTrail.3","Title":"CloudTrail should be enabled","ApplicableStandards":["PCI DSS v3.2.1"],"Severity":"HIGH","ScheduleType":"Periodic"} +{"Id":"CloudTrail.4","Title":"CloudTrail log file validation should be enabled","ApplicableStandards":["CIS AWS Foundations Benchmark v1.2.0","AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","PCI DSS v3.2.1","CIS AWS Foundations Benchmark v1.4.0","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Periodic"} +{"Id":"CloudTrail.5","Title":"CloudTrail trails should be integrated with Amazon CloudWatch Logs","ApplicableStandards":["CIS AWS Foundations Benchmark v1.2.0","AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","PCI DSS v3.2.1","CIS AWS Foundations Benchmark v1.4.0","NIST SP 800-53 Rev. 5"],"Severity":"LOW","ScheduleType":"Periodic"} +{"Id":"CloudTrail.6","Title":"Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible","ApplicableStandards":["CIS AWS Foundations Benchmark v1.2.0","CIS AWS Foundations Benchmark v1.4.0"],"Severity":"CRITICAL","ScheduleType":"Periodic and change triggered"} +{"Id":"CloudTrail.7","Title":"Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket","ApplicableStandards":["CIS AWS Foundations Benchmark v1.2.0","CIS AWS Foundations Benchmark v1.4.0"],"Severity":"LOW","ScheduleType":"Periodic"} +{"Id":"CloudWatch.1","Title":"A log metric filter and alarm should exist for usage of the \"root\" user","ApplicableStandards":["CIS AWS Foundations Benchmark v1.2.0","PCI DSS v3.2.1","CIS AWS Foundations Benchmark v1.4.0"],"Severity":"LOW","ScheduleType":"Periodic"} +{"Id":"CloudWatch.2","Title":"Ensure a log metric filter and alarm exist for unauthorized API calls","ApplicableStandards":["CIS AWS Foundations Benchmark v1.2.0"],"Severity":"LOW","ScheduleType":"Periodic"} +{"Id":"CloudWatch.3","Title":"Ensure a log 
metric filter and alarm exist for Management Console sign-in without MFA","ApplicableStandards":["CIS AWS Foundations Benchmark v1.2.0"],"Severity":"LOW","ScheduleType":"Periodic"} +{"Id":"CloudWatch.4","Title":"Ensure a log metric filter and alarm exist for IAM policy changes","ApplicableStandards":["CIS AWS Foundations Benchmark v1.2.0","CIS AWS Foundations Benchmark v1.4.0"],"Severity":"LOW","ScheduleType":"Periodic"} +{"Id":"CloudWatch.5","Title":"Ensure a log metric filter and alarm exist for CloudTrail configuration changes","ApplicableStandards":["CIS AWS Foundations Benchmark v1.2.0","CIS AWS Foundations Benchmark v1.4.0"],"Severity":"LOW","ScheduleType":"Periodic"} +{"Id":"CloudWatch.6","Title":"Ensure a log metric filter and alarm exist for AWS Management Console authentication failures","ApplicableStandards":["CIS AWS Foundations Benchmark v1.2.0","CIS AWS Foundations Benchmark v1.4.0"],"Severity":"LOW","ScheduleType":"Periodic"} +{"Id":"CloudWatch.7","Title":"Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs","ApplicableStandards":["CIS AWS Foundations Benchmark v1.2.0","CIS AWS Foundations Benchmark v1.4.0"],"Severity":"LOW","ScheduleType":"Periodic"} +{"Id":"CloudWatch.8","Title":"Ensure a log metric filter and alarm exist for S3 bucket policy changes","ApplicableStandards":["CIS AWS Foundations Benchmark v1.2.0","CIS AWS Foundations Benchmark v1.4.0"],"Severity":"LOW","ScheduleType":"Periodic"} +{"Id":"CloudWatch.9","Title":"Ensure a log metric filter and alarm exist for AWS Config configuration changes","ApplicableStandards":["CIS AWS Foundations Benchmark v1.2.0","CIS AWS Foundations Benchmark v1.4.0"],"Severity":"LOW","ScheduleType":"Periodic"} +{"Id":"CloudWatch.10","Title":"Ensure a log metric filter and alarm exist for security group changes","ApplicableStandards":["CIS AWS Foundations Benchmark v1.2.0","CIS AWS Foundations Benchmark v1.4.0"],"Severity":"LOW","ScheduleType":"Periodic"} 
+{"Id":"CloudWatch.11","Title":"Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)","ApplicableStandards":["CIS AWS Foundations Benchmark v1.2.0","CIS AWS Foundations Benchmark v1.4.0"],"Severity":"LOW","ScheduleType":"Periodic"} +{"Id":"CloudWatch.12","Title":"Ensure a log metric filter and alarm exist for changes to network gateways","ApplicableStandards":["CIS AWS Foundations Benchmark v1.2.0","CIS AWS Foundations Benchmark v1.4.0"],"Severity":"LOW","ScheduleType":"Periodic"} +{"Id":"CloudWatch.13","Title":"Ensure a log metric filter and alarm exist for route table changes","ApplicableStandards":["CIS AWS Foundations Benchmark v1.2.0","CIS AWS Foundations Benchmark v1.4.0"],"Severity":"LOW","ScheduleType":"Periodic"} +{"Id":"CloudWatch.14","Title":"Ensure a log metric filter and alarm exist for VPC changes","ApplicableStandards":["CIS AWS Foundations Benchmark v1.2.0","CIS AWS Foundations Benchmark v1.4.0"],"Severity":"LOW","ScheduleType":"Periodic"} +{"Id":"CloudWatch.15","Title":"CloudWatch Alarms should have an action configured for theALARMstate","ApplicableStandards":["NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Change triggered"} +{"Id":"CloudWatch.16","Title":"CloudWatch log groups should be retained for at least 1 year","ApplicableStandards":["NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Periodic"} +{"Id":"CloudWatch.17","Title":"CloudWatch alarm actions should be enabled","ApplicableStandards":["NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Change triggered"} +{"Id":"CodeBuild.1","Title":"CodeBuild GitHub or Bitbucket source repository URLs should use OAuth","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","PCI DSS v3.2.1","NIST SP 800-53 Rev. 
5"],"Severity":"CRITICAL","ScheduleType":"Change triggered"} +{"Id":"CodeBuild.2","Title":"CodeBuild project environment variables should not contain clear text credentials","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","PCI DSS v3.2.1","NIST SP 800-53 Rev. 5"],"Severity":"CRITICAL","ScheduleType":"Change triggered"} +{"Id":"CodeBuild.3","Title":"CodeBuild S3 logs should be encrypted","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"LOW","ScheduleType":"Change triggered"} +{"Id":"CodeBuild.4","Title":"CodeBuild project environments should have a logging configuration","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"CodeBuild.5","Title":"CodeBuild project environments should not have privileged mode enabled","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Change triggered"} +{"Id":"Config.1","Title":"AWS Config should be enabled","ApplicableStandards":["CIS AWS Foundations Benchmark v1.2.0","AWS Foundational Security Best Practices v1.0.0","PCI DSS v3.2.1","CIS AWS Foundations Benchmark v1.4.0","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Periodic"} +{"Id":"DMS.1","Title":"Database Migration Service replication instances should not be public","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","PCI DSS v3.2.1","NIST SP 800-53 Rev. 
5"],"Severity":"CRITICAL","ScheduleType":"Periodic"} +{"Id":"DynamoDB.1","Title":"DynamoDB tables should automatically scale capacity with demand","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Periodic"} +{"Id":"DynamoDB.2","Title":"DynamoDB tables should have point-in-time recovery enabled","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"DynamoDB.3","Title":"DynamoDB Accelerator (DAX) clusters should be encrypted at rest","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Periodic"} +{"Id":"DynamoDB.4","Title":"DynamoDB tables should be present in a backup plan","ApplicableStandards":["NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Periodic"} +{"Id":"EC2.1","Title":"EBS snapshots should not be publicly restorable","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","PCI DSS v3.2.1","NIST SP 800-53 Rev. 5"],"Severity":"CRITICAL","ScheduleType":"Periodic"} +{"Id":"EC2.2","Title":"The VPC default security group should not allow inbound and outbound traffic","ApplicableStandards":["CIS AWS Foundations Benchmark v1.2.0","AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","PCI DSS v3.2.1","CIS AWS Foundations Benchmark v1.4.0","NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Change triggered"} +{"Id":"EC2.3","Title":"Attached EBS volumes should be encrypted at-rest","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 
5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"EC2.4","Title":"Stopped EC2 instances should be removed after a specified time period","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Periodic"} +{"Id":"EC2.6","Title":"VPC flow logging should be enabled in all VPCs","ApplicableStandards":["CIS AWS Foundations Benchmark v1.2.0","AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","PCI DSS v3.2.1","CIS AWS Foundations Benchmark v1.4.0","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Periodic"} +{"Id":"EC2.7","Title":"EBS default encryption should be enabled","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","CIS AWS Foundations Benchmark v1.4.0","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Periodic"} +{"Id":"EC2.8","Title":"EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Change triggered"} +{"Id":"EC2.9","Title":"EC2 instances should not have a public IPv4 address","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Change triggered"} +{"Id":"EC2.10","Title":"Amazon EC2 should be configured to use VPC endpoints that are created for the Amazon EC2 service","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Periodic"} +{"Id":"EC2.12","Title":"Unused EC2 EIPs should be removed","ApplicableStandards":["PCI DSS v3.2.1","NIST SP 800-53 Rev. 
5"],"Severity":"LOW","ScheduleType":"Change triggered"} +{"Id":"EC2.13","Title":"Security groups should not allow ingress from 0.0.0.0/0 to port 22","ApplicableStandards":["CIS AWS Foundations Benchmark v1.2.0","PCI DSS v3.2.1","NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Change triggered"} +{"Id":"EC2.14","Title":"Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389","ApplicableStandards":["CIS AWS Foundations Benchmark v1.2.0"],"Severity":"HIGH","ScheduleType":"Change triggered"} +{"Id":"EC2.15","Title":"EC2 subnets should not automatically assign public IP addresses","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"EC2.16","Title":"Unused Network Access Control Lists should be removed","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"LOW","ScheduleType":"Change triggered"} +{"Id":"EC2.17","Title":"EC2 instances should not use multiple ENIs","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"LOW","ScheduleType":"Change triggered"} +{"Id":"EC2.18","Title":"Security groups should only allow unrestricted incoming traffic for authorized ports","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Change triggered"} +{"Id":"EC2.19","Title":"Security groups should not allow unrestricted access to ports with high risk","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 
5"],"Severity":"CRITICAL","ScheduleType":"Change triggered"} +{"Id":"EC2.20","Title":"Both VPN tunnels for an AWS Site-to-Site VPN connection should be up","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"EC2.21","Title":"Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","CIS AWS Foundations Benchmark v1.4.0","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"EC2.22","Title":"Unused EC2 security groups should be removed","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Periodic"} +{"Id":"EC2.23","Title":"EC2 Transit Gateways should not automatically accept VPC attachment requests","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Change triggered"} +{"Id":"EC2.24","Title":"EC2 paravirtual instance types should not be used","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"EC2.25","Title":"EC2 launch templates should not assign public IPs to network interfaces","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Change triggered"} +{"Id":"EC2.28","Title":"EBS volumes should be in a backup plan","ApplicableStandards":["NIST SP 800-53 Rev. 
5"],"Severity":"LOW","ScheduleType":"Periodic"} +{"Id":"EC2.29","Title":"EC2 instances should be inside of a VPC","ApplicableStandards":["NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Change triggered"} +{"Id":"ECR.1","Title":"ECR private repositories should have image scanning configured","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Change triggered"} +{"Id":"ECR.2","Title":"ECR private repositories should have tag immutability configured","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"ECR.3","Title":"ECR repositories should have at least one lifecycle policy configured","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"ECS.1","Title":"Amazon ECS task definitions should have secure networking modes and user definitions.","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Change triggered"} +{"Id":"ECS.2","Title":"ECS services should not have public IP addresses assigned to them automatically","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Change triggered"} +{"Id":"ECS.3","Title":"ECS task definitions should not share the host's process namespace","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 
5"],"Severity":"HIGH","ScheduleType":"Change triggered"} +{"Id":"ECS.4","Title":"ECS containers should run as non-privileged","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Change triggered"} +{"Id":"ECS.5","Title":"ECS containers should be limited to read-only access to root filesystems","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Change triggered"} +{"Id":"ECS.8","Title":"Secrets should not be passed as container environment variables","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Change triggered"} +{"Id":"ECS.10","Title":"ECS Fargate services should run on the latest Fargate platform version","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"ECS.12","Title":"ECS clusters should use Container Insights","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"EFS.1","Title":"Elastic File System should be configured to encrypt file data at-rest using AWS KMS","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Periodic"} +{"Id":"EFS.2","Title":"Amazon EFS volumes should be in backup plans","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 
5"],"Severity":"MEDIUM","ScheduleType":"Periodic"} +{"Id":"EFS.3","Title":"EFS access points should enforce a root directory","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"EFS.4","Title":"EFS access points should enforce a user identity","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"EKS.1","Title":"EKS cluster endpoints should not be publicly accessible","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Periodic"} +{"Id":"EKS.2","Title":"EKS clusters should run on a supported Kubernetes version","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Change triggered"} +{"Id":"ElastiCache.1","Title":"ElastiCache Redis clusters should have automatic backup enabled","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Periodic"} +{"Id":"ElastiCache.2","Title":"ElastiCache for Redis cache clusters should have auto minor version upgrades enabled","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Periodic"} +{"Id":"ElastiCache.3","Title":"ElastiCache replication groups should have automatic failover enabled","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 
5"],"Severity":"MEDIUM","ScheduleType":"Periodic"} +{"Id":"ElastiCache.4","Title":"ElastiCache replication groups should have encryption-at-rest enabled","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Periodic"} +{"Id":"ElastiCache.5","Title":"ElastiCache replication groups should have encryption-in-transit enabled","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Periodic"} +{"Id":"ElastiCache.6","Title":"ElastiCache replication groups of earlier Redis versions should have Redis AUTH enabled","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Periodic"} +{"Id":"ElastiCache.7","Title":"ElastiCache clusters should not use the default subnet group","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Periodic"} +{"Id":"ElasticBeanstalk.1","Title":"Elastic Beanstalk environments should have enhanced health reporting enabled","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"LOW","ScheduleType":"Change triggered"} +{"Id":"ElasticBeanstalk.2","Title":"Elastic Beanstalk managed platform updates should be enabled","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 
5"],"Severity":"HIGH","ScheduleType":"Change triggered"} +{"Id":"ElasticBeanstalk.3","Title":"Elastic Beanstalk should stream logs to CloudWatch","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0"],"Severity":"HIGH","ScheduleType":"Change triggered"} +{"Id":"ELB.1","Title":"Application Load Balancer should be configured to redirect all HTTP requests to HTTPS","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","PCI DSS v3.2.1","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Periodic"} +{"Id":"ELB.2","Title":"Classic Load Balancers with SSL/HTTPS listeners should use a certificate provided by AWS Certificate Manager","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"ELB.3","Title":"Classic Load Balancer listeners should be configured with HTTPS or TLS termination","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"ELB.4","Title":"Application Load Balancer should be configured to drop http headers","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"ELB.5","Title":"Application and Classic Load Balancers logging should be enabled","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 
5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"ELB.6","Title":"Application Load Balancer deletion protection should be enabled","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"ELB.7","Title":"Classic Load Balancers should have connection draining enabled","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"ELB.8","Title":"Classic Load Balancers with SSL listeners should use a predefined security policy that has strong configuration","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"ELB.9","Title":"Classic Load Balancers should have cross-zone load balancing enabled","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"ELB.10","Title":"Classic Load Balancer should span multiple Availability Zones","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"ELB.12","Title":"Application Load Balancer should be configured with defensive or strictest desync mitigation mode","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 
5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"ELB.13","Title":"Application, Network and Gateway Load Balancers should span multiple Availability Zones","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"ELB.14","Title":"Classic Load Balancer should be configured with defensive or strictest desync mitigation mode","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"ELB.16","Title":"Application Load Balancers should be associated with an AWS WAF web ACL","ApplicableStandards":["NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"EMR.1","Title":"Amazon Elastic MapReduce cluster master nodes should not have public IP addresses","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Periodic"} +{"Id":"ES.1","Title":"Elasticsearch domains should have encryption at-rest enabled","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","PCI DSS v3.2.1","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Periodic"} +{"Id":"ES.2","Title":"Elasticsearch domains should be in a VPC","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","PCI DSS v3.2.1","NIST SP 800-53 Rev. 5"],"Severity":"CRITICAL","ScheduleType":"Periodic"} +{"Id":"ES.3","Title":"Elasticsearch domains should encrypt data sent between nodes","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 
5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"ES.4","Title":"Elasticsearch domain error logging to CloudWatch Logs should be enabled","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"ES.5","Title":"Elasticsearch domains should have audit logging enabled","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"ES.6","Title":"Elasticsearch domains should have at least three data nodes","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"ES.7","Title":"Elasticsearch domains should be configured with at least three dedicated master nodes","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"ES.8","Title":"Connections to Elasticsearch domains should be encrypted using TLS 1.2","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"GuardDuty.1","Title":"GuardDuty should be enabled","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","PCI DSS v3.2.1","NIST SP 800-53 Rev. 
5"],"Severity":"HIGH","ScheduleType":"Periodic"} +{"Id":"IAM.1","Title":"IAM policies should not allow full \"*\" administrative privileges","ApplicableStandards":["CIS AWS Foundations Benchmark v1.2.0","AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","PCI DSS v3.2.1","CIS AWS Foundations Benchmark v1.4.0","NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Change triggered"} +{"Id":"IAM.2","Title":"IAM users should not have IAM policies attached","ApplicableStandards":["CIS AWS Foundations Benchmark v1.2.0","AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","PCI DSS v3.2.1","NIST SP 800-53 Rev. 5"],"Severity":"LOW","ScheduleType":"Change triggered"} +{"Id":"IAM.3","Title":"IAM users' access keys should be rotated every 90 days or less","ApplicableStandards":["CIS AWS Foundations Benchmark v1.2.0","AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","CIS AWS Foundations Benchmark v1.4.0","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Periodic"} +{"Id":"IAM.4","Title":"IAM root user access key should not exist","ApplicableStandards":["CIS AWS Foundations Benchmark v1.2.0","AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","PCI DSS v3.2.1","CIS AWS Foundations Benchmark v1.4.0","NIST SP 800-53 Rev. 5"],"Severity":"CRITICAL","ScheduleType":"Periodic"} +{"Id":"IAM.5","Title":"MFA should be enabled for all IAM users that have a console password","ApplicableStandards":["CIS AWS Foundations Benchmark v1.2.0","AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","CIS AWS Foundations Benchmark v1.4.0","NIST SP 800-53 Rev. 
5"],"Severity":"MEDIUM","ScheduleType":"Periodic"} +{"Id":"IAM.6","Title":"Hardware MFA should be enabled for the root user","ApplicableStandards":["CIS AWS Foundations Benchmark v1.2.0","AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","PCI DSS v3.2.1","CIS AWS Foundations Benchmark v1.4.0","NIST SP 800-53 Rev. 5"],"Severity":"CRITICAL","ScheduleType":"Periodic"} +{"Id":"IAM.7","Title":"Password policies for IAM users should have strong configurations","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Periodic"} +{"Id":"IAM.8","Title":"Unused IAM user credentials should be removed","ApplicableStandards":["CIS AWS Foundations Benchmark v1.2.0","AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","PCI DSS v3.2.1","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Periodic"} +{"Id":"IAM.9","Title":"Virtual MFA should be enabled for the root user","ApplicableStandards":["CIS AWS Foundations Benchmark v1.2.0","PCI DSS v3.2.1","CIS AWS Foundations Benchmark v1.4.0","NIST SP 800-53 Rev. 
5"],"Severity":"CRITICAL","ScheduleType":"Periodic"} +{"Id":"IAM.10","Title":"Password policies for IAM users should have strong configurations","ApplicableStandards":["PCI DSS v3.2.1"],"Severity":"MEDIUM","ScheduleType":"Periodic"} +{"Id":"IAM.11","Title":"Ensure IAM password policy requires at least one uppercase letter","ApplicableStandards":["CIS AWS Foundations Benchmark v1.2.0"],"Severity":"MEDIUM","ScheduleType":"Periodic"} +{"Id":"IAM.12","Title":"Ensure IAM password policy requires at least one lowercase letter","ApplicableStandards":["CIS AWS Foundations Benchmark v1.2.0"],"Severity":"MEDIUM","ScheduleType":"Periodic"} +{"Id":"IAM.13","Title":"Ensure IAM password policy requires at least one symbol","ApplicableStandards":["CIS AWS Foundations Benchmark v1.2.0"],"Severity":"MEDIUM","ScheduleType":"Periodic"} +{"Id":"IAM.14","Title":"Ensure IAM password policy requires at least one number","ApplicableStandards":["CIS AWS Foundations Benchmark v1.2.0"],"Severity":"MEDIUM","ScheduleType":"Periodic"} +{"Id":"IAM.15","Title":"Ensure IAM password policy requires minimum password length of 14 or greater","ApplicableStandards":["CIS AWS Foundations Benchmark v1.2.0","CIS AWS Foundations Benchmark v1.4.0"],"Severity":"MEDIUM","ScheduleType":"Periodic"} +{"Id":"IAM.16","Title":"Ensure IAM password policy prevents password reuse","ApplicableStandards":["CIS AWS Foundations Benchmark v1.2.0","CIS AWS Foundations Benchmark v1.4.0"],"Severity":"LOW","ScheduleType":"Periodic"} +{"Id":"IAM.17","Title":"Ensure IAM password policy expires passwords within 90 days or less","ApplicableStandards":["CIS AWS Foundations Benchmark v1.2.0"],"Severity":"LOW","ScheduleType":"Periodic"} +{"Id":"IAM.18","Title":"Ensure a support role has been created to manage incidents with AWS Support","ApplicableStandards":["CIS AWS Foundations Benchmark v1.2.0","CIS AWS Foundations Benchmark v1.4.0"],"Severity":"LOW","ScheduleType":"Periodic"} +{"Id":"IAM.19","Title":"MFA should be enabled for all 
IAM users","ApplicableStandards":["PCI DSS v3.2.1","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Periodic"} +{"Id":"IAM.20","Title":"Avoid the use of the root user","ApplicableStandards":["CIS AWS Foundations Benchmark v1.2.0"],"Severity":"LOW","ScheduleType":"Periodic"} +{"Id":"IAM.21","Title":"IAM customer managed policies that you create should not allow wildcard actions for services","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"LOW","ScheduleType":"Change triggered"} +{"Id":"IAM.22","Title":"IAM user credentials unused for 45 days should be removed","ApplicableStandards":["CIS AWS Foundations Benchmark v1.4.0"],"Severity":"MEDIUM","ScheduleType":"Periodic"} +{"Id":"Kinesis.1","Title":"Kinesis streams should be encrypted at rest","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"KMS.1","Title":"IAM customer managed policies should not allow decryption actions on all KMS keys","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"KMS.2","Title":"IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"KMS.3","Title":"AWS KMS keys should not be deleted unintentionally","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 
5"],"Severity":"CRITICAL","ScheduleType":"Periodic"} +{"Id":"KMS.4","Title":"AWS KMS key rotation should be enabled","ApplicableStandards":["CIS AWS Foundations Benchmark v1.2.0","PCI DSS v3.2.1","CIS AWS Foundations Benchmark v1.4.0","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Periodic"} +{"Id":"Lambda.1","Title":"Lambda function policies should prohibit public access","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","PCI DSS v3.2.1","NIST SP 800-53 Rev. 5"],"Severity":"CRITICAL","ScheduleType":"Change triggered"} +{"Id":"Lambda.2","Title":"Lambda functions should use supported runtimes","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"Lambda.3","Title":"Lambda functions should be in a VPC","ApplicableStandards":["PCI DSS v3.2.1","NIST SP 800-53 Rev. 5"],"Severity":"LOW","ScheduleType":"Change triggered"} +{"Id":"Lambda.5","Title":"VPC Lambda functions should operate in more than one Availability Zone","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"NetworkFirewall.3","Title":"Network Firewall policies should have at least one rule group associated","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"NetworkFirewall.4","Title":"The default stateless action for Network Firewall policies should be drop or forward for full packets","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 
5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"NetworkFirewall.5","Title":"The default stateless action for Network Firewall policies should be drop or forward for fragmented packets","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"NetworkFirewall.6","Title":"Stateless network firewall rule group should not be empty","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"Opensearch.1","Title":"OpenSearch domains should have encryption at rest enabled","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","PCI DSS v3.2.1","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"Opensearch.2","Title":"OpenSearch domains should be in a VPC","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","PCI DSS v3.2.1","NIST SP 800-53 Rev. 5"],"Severity":"CRITICAL","ScheduleType":"Change triggered"} +{"Id":"Opensearch.3","Title":"OpenSearch domains should encrypt data sent between nodes","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"Opensearch.4","Title":"OpenSearch domain error logging to CloudWatch Logs should be enabled","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 
5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"Opensearch.5","Title":"OpenSearch domains should have audit logging enabled","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"Opensearch.6","Title":"OpenSearch domains should have at least three data nodes","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"Opensearch.7","Title":"OpenSearch domains should have fine-grained access control enabled","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Change triggered"} +{"Id":"Opensearch.8","Title":"Connections to OpenSearch domains should be encrypted using TLS 1.2","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"RDS.1","Title":"RDS snapshot should be private","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","PCI DSS v3.2.1","NIST SP 800-53 Rev. 5"],"Severity":"CRITICAL","ScheduleType":"Change triggered"} +{"Id":"RDS.2","Title":"RDS DB Instances should prohibit public access, as determined by the PubliclyAccessible configuration","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","PCI DSS v3.2.1","NIST SP 800-53 Rev. 
5"],"Severity":"CRITICAL","ScheduleType":"Change triggered"} +{"Id":"RDS.3","Title":"RDS DB instances should have encryption at-rest enabled","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","CIS AWS Foundations Benchmark v1.4.0","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"RDS.4","Title":"RDS cluster snapshots and database snapshots should be encrypted at rest","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"RDS.5","Title":"RDS DB instances should be configured with multiple Availability Zones","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"RDS.6","Title":"Enhanced monitoring should be configured for RDS DB instances","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"LOW","ScheduleType":"Change triggered"} +{"Id":"RDS.7","Title":"RDS clusters should have deletion protection enabled","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 5"],"Severity":"LOW","ScheduleType":"Change triggered"} +{"Id":"RDS.8","Title":"RDS DB instances should have deletion protection enabled","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"LOW","ScheduleType":"Change triggered"} +{"Id":"RDS.9","Title":"Database logging should be enabled","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 
5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"RDS.10","Title":"IAM authentication should be configured for RDS instances","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"RDS.11","Title":"RDS instances should have automatic backups enabled","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"RDS.12","Title":"IAM authentication should be configured for RDS clusters","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"RDS.13","Title":"RDS automatic minor version upgrades should be enabled","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Change triggered"} +{"Id":"RDS.14","Title":"Amazon Aurora clusters should have backtracking enabled","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"RDS.15","Title":"RDS DB clusters should be configured for multiple Availability Zones","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"RDS.16","Title":"RDS DB clusters should be configured to copy tags to snapshots","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 
5"],"Severity":"LOW","ScheduleType":"Change triggered"} +{"Id":"RDS.17","Title":"RDS DB instances should be configured to copy tags to snapshots","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"LOW","ScheduleType":"Change triggered"} +{"Id":"RDS.18","Title":"RDS instances should be deployed in a VPC","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Change triggered"} +{"Id":"RDS.19","Title":"An RDS event notifications subscription should be configured for critical cluster events","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"LOW","ScheduleType":"Change triggered"} +{"Id":"RDS.20","Title":"An RDS event notifications subscription should be configured for critical database instance events","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"LOW","ScheduleType":"Change triggered"} +{"Id":"RDS.21","Title":"An RDS event notifications subscription should be configured for critical database parameter group events","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"LOW","ScheduleType":"Change triggered"} +{"Id":"RDS.22","Title":"An RDS event notifications subscription should be configured for critical database security group events","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 
5"],"Severity":"LOW","ScheduleType":"Change triggered"} +{"Id":"RDS.23","Title":"RDS instances should not use a database engine default port","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"LOW","ScheduleType":"Change triggered"} +{"Id":"RDS.24","Title":"RDS Database Clusters should use a custom administrator username","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"RDS.25","Title":"RDS database instances should use a custom administrator username","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"RDS.26","Title":"RDS DB instances should be protected by a backup plan","ApplicableStandards":["NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Periodic"} +{"Id":"Redshift.1","Title":"Amazon Redshift clusters should prohibit public access","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","PCI DSS v3.2.1","NIST SP 800-53 Rev. 5"],"Severity":"CRITICAL","ScheduleType":"Change triggered"} +{"Id":"Redshift.2","Title":"Connections to Amazon Redshift clusters should be encrypted in transit","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"Redshift.3","Title":"Amazon Redshift clusters should have automatic snapshots enabled","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 
5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"Redshift.4","Title":"Amazon Redshift clusters should have audit logging enabled","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"Redshift.6","Title":"Amazon Redshift should have automatic upgrades to major versions enabled","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"Redshift.7","Title":"Redshift clusters should use enhanced VPC routing","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"Redshift.8","Title":"Amazon Redshift clusters should not use the default Admin username","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"Redshift.9","Title":"Redshift clusters should not use the default database name","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"Redshift.10","Title":"Redshift clusters should be encrypted at rest","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 
5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"S3.1","Title":"S3 Block Public Access setting should be enabled","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","PCI DSS v3.2.1","CIS AWS Foundations Benchmark v1.4.0","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Periodic"} +{"Id":"S3.2","Title":"S3 buckets should prohibit public read access","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","PCI DSS v3.2.1","NIST SP 800-53 Rev. 5"],"Severity":"CRITICAL","ScheduleType":"Periodic and change triggered"} +{"Id":"S3.3","Title":"S3 buckets should prohibit public write access","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","PCI DSS v3.2.1","NIST SP 800-53 Rev. 5"],"Severity":"CRITICAL","ScheduleType":"Periodic and change triggered"} +{"Id":"S3.4","Title":"S3 buckets should have server-side encryption enabled","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","PCI DSS v3.2.1","CIS AWS Foundations Benchmark v1.4.0","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"S3.5","Title":"S3 buckets should require requests to use Secure Socket Layer","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","PCI DSS v3.2.1","CIS AWS Foundations Benchmark v1.4.0","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"S3.6","Title":"S3 permissions granted to other AWS accounts in bucket policies should be restricted","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 
5"],"Severity":"HIGH","ScheduleType":"Change triggered"} +{"Id":"S3.7","Title":"S3 buckets should have cross-Region replication enabled","ApplicableStandards":["PCI DSS v3.2.1","NIST SP 800-53 Rev. 5"],"Severity":"LOW","ScheduleType":"Change triggered"} +{"Id":"S3.8","Title":"S3 Block Public Access setting should be enabled at the bucket-level","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","CIS AWS Foundations Benchmark v1.4.0","NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Change triggered"} +{"Id":"S3.9","Title":"S3 bucket server access logging should be enabled","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"S3.10","Title":"S3 buckets with versioning enabled should have lifecycle policies configured","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"S3.11","Title":"S3 buckets should have event notifications enabled","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"S3.12","Title":"S3 access control lists (ACLs) should not be used to manage user access to buckets","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"S3.13","Title":"S3 buckets should have lifecycle policies configured","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 
5"],"Severity":"LOW","ScheduleType":"Change triggered"} +{"Id":"S3.14","Title":"S3 buckets should have versioning enabled","ApplicableStandards":["NIST SP 800-53 Rev. 5"],"Severity":"LOW","ScheduleType":"Change triggered"} +{"Id":"S3.15","Title":"S3 buckets should be configured to use Object Lock","ApplicableStandards":["NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"S3.17","Title":"S3 buckets should be encrypted at rest with AWS KMS keys","ApplicableStandards":["NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"SageMaker.1","Title":"Amazon SageMaker notebook instances should not have direct internet access","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","PCI DSS v3.2.1","NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Periodic"} +{"Id":"SageMaker.2","Title":"SageMaker notebook instances should be launched in a custom VPC","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Change triggered"} +{"Id":"SageMaker.3","Title":"Users should not have root access to SageMaker notebook instances","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Change triggered"} +{"Id":"SecretsManager.1","Title":"Secrets Manager secrets should have automatic rotation enabled","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 
5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"SecretsManager.2","Title":"Secrets Manager secrets configured with automatic rotation should rotate successfully","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"SecretsManager.3","Title":"Remove unused Secrets Manager secrets","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Periodic"} +{"Id":"SecretsManager.4","Title":"Secrets Manager secrets should be rotated within a specified number of days","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Periodic"} +{"Id":"SNS.1","Title":"SNS topics should be encrypted at-rest using AWS KMS","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"SNS.2","Title":"Logging of delivery status should be enabled for notification messages sent to a topic","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"SQS.1","Title":"Amazon SQS queues should be encrypted at rest","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 
5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"SSM.1","Title":"EC2 instances should be managed by AWS Systems Manager","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","PCI DSS v3.2.1","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"SSM.2","Title":"EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","PCI DSS v3.2.1","NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Change triggered"} +{"Id":"SSM.3","Title":"EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","PCI DSS v3.2.1","NIST SP 800-53 Rev. 5"],"Severity":"LOW","ScheduleType":"Change triggered"} +{"Id":"SSM.4","Title":"SSM documents should not be public","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"CRITICAL","ScheduleType":"Periodic"} +{"Id":"StepFunctions.1","Title":"Step Functions state machines should have logging turned on","ApplicableStandards":["AWS Foundational Security Best Practices"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"WAF.1","Title":"AWS WAF Classic Global Web ACL logging should be enabled","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Periodic"} +{"Id":"WAF.2","Title":"A WAF Regional rule should have at least one condition","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 
5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"WAF.3","Title":"A WAF Regional rule group should have at least one rule","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"WAF.4","Title":"A WAF Regional web ACL should have at least one rule or rule group","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"WAF.6","Title":"A WAF global rule should have at least one condition","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"WAF.7","Title":"A WAF global rule group should have at least one rule","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"WAF.8","Title":"A WAF global web ACL should have at least one rule or rule group","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"WAF.10","Title":"A WAFV2 web ACL should have at least one rule or rule group","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"} +{"Id":"WAF.11","Title":"AWS WAFv2 web ACL logging should be enabled","ApplicableStandards":["NIST SP 800-53 Rev. 5"],"Severity":"LOW","ScheduleType":"Periodic"}