diff --git a/config/_default/menus.yml b/config/_default/menus.yml index aa65d07f2e30..5237b9da5844 100644 --- a/config/_default/menus.yml +++ b/config/_default/menus.yml @@ -353,18 +353,22 @@ reference: parent: reference-pre-built-policy-packs identifier: reference-pre-built-policy-packs-hitrust weight: 3 + - name: ISO/IEC 27001 + parent: reference-pre-built-policy-packs + identifier: reference-pre-built-policy-packs-iso-27001 + weight: 4 - name: NIST parent: reference-pre-built-policy-packs identifier: reference-pre-built-policy-packs-nist - weight: 4 + weight: 5 - name: PCI DSS parent: reference-pre-built-policy-packs identifier: reference-pre-built-policy-packs-pci-dss - weight: 5 + weight: 6 - name: Pulumi Best Practices parent: reference-pre-built-policy-packs identifier: reference-pre-built-policy-packs-pulumi-best-practices - weight: 6 + weight: 7 # ------------------------------------- # Insights Policy Menu Section Headers diff --git a/content/docs/insights/policy/policy-packs/pre-built-packs.md b/content/docs/insights/policy/policy-packs/pre-built-packs.md index de651984b8ae..bc3e03091143 100644 --- a/content/docs/insights/policy/policy-packs/pre-built-packs.md +++ b/content/docs/insights/policy/policy-packs/pre-built-packs.md 
@@ -36,6 +36,7 @@ The following pre-built policy packs are available out of the box in Pulumi Clou | **CIS 8.1** | [AWS](/docs/reference/pre-built-policy-packs/cis/aws/), [Azure](/docs/reference/pre-built-policy-packs/cis/azure/), [Google Cloud](/docs/reference/pre-built-policy-packs/cis/google-cloud/) | Enforces CIS 8.1 controls to help organizations implement industry-recognized security best practices and benchmarks across multiple cloud providers. | | **CIS Kubernetes** | [AWS (EKS)](/docs/reference/pre-built-policy-packs/cis-kubernetes/aws/), [Azure (AKS)](/docs/reference/pre-built-policy-packs/cis-kubernetes/azure/), [Google Cloud (GKE)](/docs/reference/pre-built-policy-packs/cis-kubernetes/google-cloud/) | Enforces CIS Kubernetes Benchmark controls for managed Kubernetes services, helping organizations secure their container orchestration platforms with industry-recognized best practices. | | **HITRUST CSF 11.5** | [AWS](/docs/reference/pre-built-policy-packs/hitrust/aws/), [Azure](/docs/reference/pre-built-policy-packs/hitrust/azure/), [Google Cloud](/docs/reference/pre-built-policy-packs/hitrust/google-cloud/) | Provides predefined controls that align cloud resources with HITRUST CSF requirements, helping organizations enforce security and compliance baselines across multiple providers. | +| **ISO/IEC 27001:2022** | [AWS](/docs/reference/pre-built-policy-packs/iso-27001/aws/) | Enforces ISO/IEC 27001:2022 Annex A controls for AWS resources, helping organizations align their cloud infrastructure with the international standard for information security management. | | **NIST SP 800-53** | [AWS](/docs/reference/pre-built-policy-packs/nist/aws/) | Enforces NIST SP 800-53 rev. 5 security and privacy controls for AWS resources, helping federal agencies and organizations meet rigorous compliance requirements. 
| | **PCI DSS v4.0.1** | [AWS](/docs/reference/pre-built-policy-packs/pci-dss/aws/) | Enforces PCI DSS v4.0.1 compliance controls for AWS resources, ensuring payment card data security and helping organizations meet payment card industry standards. | | **Pulumi Best Practices** | [AWS](/docs/reference/pre-built-policy-packs/pulumi-best-practices/aws/), [Azure](/docs/reference/pre-built-policy-packs/pulumi-best-practices/azure/), [Google Cloud](/docs/reference/pre-built-policy-packs/pulumi-best-practices/google-cloud/) | Offers a foundational set of recommended governance and security controls, serving as a strong starting point for organizations seeking comprehensive security coverage. | diff --git a/content/docs/reference/pre-built-policy-packs/iso-27001/aws.md b/content/docs/reference/pre-built-policy-packs/iso-27001/aws.md new file mode 100644 index 000000000000..88b361297c39 --- /dev/null +++ b/content/docs/reference/pre-built-policy-packs/iso-27001/aws.md 
@@ -0,0 +1,253 @@ +--- +title: "AWS" +meta_desc: Complete list of ISO/IEC 27001:2022 compliance policies for AWS. +h1: "ISO/IEC 27001 - AWS" +menu: + reference: + identifier: reference-pre-built-policy-packs-iso-27001-aws + parent: reference-pre-built-policy-packs-iso-27001 + weight: 1 +--- + +This page lists all 238 policies in the **ISO/IEC 27001:2022** pack for **AWS**. + +| Policy Name | Description | Framework Reference | Framework Specification | +| ----- | ----- | ----- | ----- | +| resource-tagging | Ensures all AWS resources must include tags for proper change tracking | A.5.9 Inventory of information and other associated assets | An inventory of information and other associated assets, including owners, shall be developed and maintained. | +| dms-endpoint-redis-tls | DMS Redis endpoints must use TLS for transmission | A.5.14 Information transfer | Information transfer rules, procedures, or agreements shall be in place for all types of transfer facilities within the organization and between the organization and other parties. | +| dax-cluster-endpoint-encryption | Require DAX clusters to use TLS endpoint encryption in transit | A.5.14 Information transfer | Information transfer rules, procedures, or agreements shall be in place for all types of transfer facilities within the organization and between the organization and other parties. | +| elasticache-replicationgroup-encryption-in-transit | ElastiCache replication groups must have encryption in transit enabled | A.5.14 Information transfer | Information transfer rules, procedures, or agreements shall be in place for all types of transfer facilities within the organization and between the organization and other parties. | +| dms-endpoint-ssl | DMS endpoints must require SSL/TLS connections | A.5.14 Information transfer | Information transfer rules, procedures, or agreements shall be in place for all types of transfer facilities within the organization and between the organization and other parties. 
| +| msk-cluster-encryption-in-transit | MSK clusters must have in-cluster encryption in transit enabled | A.5.14 Information transfer | Information transfer rules, procedures, or agreements shall be in place for all types of transfer facilities within the organization and between the organization and other parties. | +| cloudfront-distribution-disallow-default-certificate | CloudFront distributions must use a custom SSL certificate rather than the default CloudFront certificate. | A.5.14 Information transfer | Information transfer rules, procedures, or agreements shall be in place for all types of transfer facilities within the organization and between the organization and other parties. | +| elb-load-balancer-disallow-unencrypted-traffic | Check that ELB Load Balancers do not allow unencrypted (HTTP) traffic. | A.5.14 Information transfer; A.8.20 Networks security; A.8.24 Use of cryptography | Information transfer rules, procedures, or agreements shall be in place for all types of transfer facilities within the organization and between the organization and other parties.; Networks and network devices shall be secured, managed and controlled to protect information in systems and applications.; Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. | +| api-gateway-ssl-certificate-required | Ensures API Gateway REST API stages have client certificates configured for SSL/TLS authentication to protect data in transit. 
| A.5.14 Information transfer; A.8.20 Networks security; A.8.24 Use of cryptography | Information transfer rules, procedures, or agreements shall be in place for all types of transfer facilities within the organization and between the organization and other parties.; Networks and network devices shall be secured, managed and controlled to protect information in systems and applications.; Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. | +| redshift-ssl-required | Ensures Redshift clusters have encryption in transit enabled through SSL parameter configuration. | A.5.14 Information transfer; A.8.20 Networks security; A.8.24 Use of cryptography | Information transfer rules, procedures, or agreements shall be in place for all types of transfer facilities within the organization and between the organization and other parties.; Networks and network devices shall be secured, managed and controlled to protect information in systems and applications.; Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. | +| elasticsearch-https-required | Elasticsearch domains must require HTTPS for client connections | A.5.14 Information transfer; A.8.20 Networks security; A.8.24 Use of cryptography | Information transfer rules, procedures, or agreements shall be in place for all types of transfer facilities within the organization and between the organization and other parties.; Networks and network devices shall be secured, managed and controlled to protect information in systems and applications.; Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. 
| +| opensearch-https-required | OpenSearch domains must require HTTPS for client connections | A.5.14 Information transfer; A.8.20 Networks security; A.8.24 Use of cryptography | Information transfer rules, procedures, or agreements shall be in place for all types of transfer facilities within the organization and between the organization and other parties.; Networks and network devices shall be secured, managed and controlled to protect information in systems and applications.; Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. | +| elasticsearch-node-to-node-encryption-enabled | Elasticsearch domains must have node-to-node encryption enabled | A.5.14 Information transfer; A.8.20 Networks security; A.8.24 Use of cryptography | Information transfer rules, procedures, or agreements shall be in place for all types of transfer facilities within the organization and between the organization and other parties.; Networks and network devices shall be secured, managed and controlled to protect information in systems and applications.; Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. | +| opensearch-node-to-node-encryption-enabled | OpenSearch domains must have node-to-node encryption enabled | A.5.14 Information transfer; A.8.20 Networks security; A.8.24 Use of cryptography | Information transfer rules, procedures, or agreements shall be in place for all types of transfer facilities within the organization and between the organization and other parties.; Networks and network devices shall be secured, managed and controlled to protect information in systems and applications.; Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. 
| +| s3-bucket-ssl-enforcement-required | S3 buckets must enforce SSL/TLS for all requests to ensure encryption in transit | A.5.14 Information transfer; A.8.20 Networks security; A.8.24 Use of cryptography | Information transfer rules, procedures, or agreements shall be in place for all types of transfer facilities within the organization and between the organization and other parties.; Networks and network devices shall be secured, managed and controlled to protect information in systems and applications.; Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. | +| rds-instance-ssl-encryption | Ensures RDS instances have SSL/TLS encryption enabled through parameter group configuration | A.5.14 Information transfer; A.8.20 Networks security; A.8.24 Use of cryptography | Information transfer rules, procedures, or agreements shall be in place for all types of transfer facilities within the organization and between the organization and other parties.; Networks and network devices shall be secured, managed and controlled to protect information in systems and applications.; Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. | +| rds-clusterinstance-ssl-encryption | Ensures RDS cluster instances have SSL/TLS encryption enabled through parameter group configuration | A.5.14 Information transfer; A.8.20 Networks security; A.8.24 Use of cryptography | Information transfer rules, procedures, or agreements shall be in place for all types of transfer facilities within the organization and between the organization and other parties.; Networks and network devices shall be secured, managed and controlled to protect information in systems and applications.; Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. 
| +| cloudfront-distribution-disallow-unencrypted-traffic | Checks that CloudFront distributions only allow encypted ingress traffic. | A.5.14 Information transfer; A.8.20 Networks security; A.8.24 Use of cryptography | Information transfer rules, procedures, or agreements shall be in place for all types of transfer facilities within the organization and between the organization and other parties.; Networks and network devices shall be secured, managed and controlled to protect information in systems and applications.; Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. | +| cloudfront-distribution-configure-secure-tls | Checks that CloudFront distributions uses secure/modern TLS encryption. | A.5.14 Information transfer; A.8.20 Networks security; A.8.24 Use of cryptography | Information transfer rules, procedures, or agreements shall be in place for all types of transfer facilities within the organization and between the organization and other parties.; Networks and network devices shall be secured, managed and controlled to protect information in systems and applications.; Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. | +| cloudfront-distribution-enable-tls-to-origin | Checks that CloudFront distributions communicate with custom origins using TLS encryption. | A.5.14 Information transfer; A.8.20 Networks security; A.8.24 Use of cryptography | Information transfer rules, procedures, or agreements shall be in place for all types of transfer facilities within the organization and between the organization and other parties.; Networks and network devices shall be secured, managed and controlled to protect information in systems and applications.; Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. 
| +| api-gateway-domain-name-configure-security-policy | Checks that ApiGateway Domain Name Security Policy uses secure/modern TLS encryption. | A.5.14 Information transfer; A.8.20 Networks security; A.8.24 Use of cryptography | Information transfer rules, procedures, or agreements shall be in place for all types of transfer facilities within the organization and between the organization and other parties.; Networks and network devices shall be secured, managed and controlled to protect information in systems and applications.; Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. | +| api-gateway-v2-domain-name-configure-domain-name-security-policy | Checks that any ApiGatewayV2 Domain Name Security Policy uses secure/modern TLS encryption. | A.5.14 Information transfer; A.8.20 Networks security; A.8.24 Use of cryptography | Information transfer rules, procedures, or agreements shall be in place for all types of transfer facilities within the organization and between the organization and other parties.; Networks and network devices shall be secured, managed and controlled to protect information in systems and applications.; Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. | +| ec2-security-group-disallow-inbound-http-traffic | Check that EC2 Security Groups do not allow inbound HTTP traffic. | A.5.14 Information transfer; A.8.20 Networks security | Information transfer rules, procedures, or agreements shall be in place for all types of transfer facilities within the organization and between the organization and other parties.; Networks and network devices shall be secured, managed and controlled to protect information in systems and applications. | +| api-gateway-v2-domain-name-enable-domain-name-configuration | Checks that any ApiGatewayV2 Domain Name Configuration is enabled. 
| A.5.14 Information transfer | Information transfer rules, procedures, or agreements shall be in place for all types of transfer facilities within the organization and between the organization and other parties. | +| cloudfront-distribution-configure-secure-tls-to-origin | Checks that CloudFront distributions communicate with custom origins using TLS 1.2 encryption only. | A.5.14 Information transfer; A.8.24 Use of cryptography | Information transfer rules, procedures, or agreements shall be in place for all types of transfer facilities within the organization and between the organization and other parties.; Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. | +| alb-http-to-https-redirection-check | Ensure ALB HTTP listeners redirect to HTTPS for secure data transmission. | A.5.14 Information transfer | Information transfer rules, procedures, or agreements shall be in place for all types of transfer facilities within the organization and between the organization and other parties. | +| elb-acm-certificate-required | Ensure ELB Classic Load Balancers use ACM certificates for HTTPS/SSL listeners. | A.5.14 Information transfer | Information transfer rules, procedures, or agreements shall be in place for all types of transfer facilities within the organization and between the organization and other parties. | +| s3-bucket-public-access-block | Ensures each S3 bucket has a public access block with all settings enabled | A.5.15 Access control; A.8.3 Information access restriction | Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements.; Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control. 
| +| s3-bucket-acl-prohibited | Prohibit user-permission ACLs on S3 buckets; use bucket policies and Block Public Access instead. | A.5.15 Access control; A.8.3 Information access restriction | Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements.; Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control. | +| ec2-instance-disallow-public-ip | Checks that EC2 instances do not have a public IP address. | A.5.15 Access control; A.8.3 Information access restriction | Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements.; Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control. | +| rds-instance-disallow-public-access | Checks that RDS Instance public access is not enabled. | A.5.15 Access control; A.8.3 Information access restriction | Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements.; Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control. | +| rds-cluster-instance-disallow-public-access | Checks that RDS Cluster Instances public access is not enabled. 
| A.5.15 Access control; A.8.3 Information access restriction | Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements.; Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control. | +| neptune-clusterinstance-no-public-access | Checks that Neptune Cluster Instances public access is not enabled. | A.5.15 Access control; A.8.3 Information access restriction | Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements.; Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control. | +| dms-no-public-access | Ensures DMS replication instances are not publicly accessible to maintain security. | A.5.15 Access control; A.8.3 Information access restriction | Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements.; Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control. | +| emr-no-default-subnet | EMR clusters must specify explicit subnet configuration to prevent default subnet usage | A.5.15 Access control; A.8.3 Information access restriction | Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements.; Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control. 
| +| emr-no-public-ip | EMR clusters must not be deployed in public subnets that auto-assign public IP addresses | A.5.15 Access control; A.8.3 Information access restriction | Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements.; Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control. | +| redshift-public-access-prohibited | Ensures Redshift clusters prohibit public access to prevent unauthorized connections. | A.5.15 Access control; A.8.3 Information access restriction | Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements.; Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control. | +| sagemaker-notebook-internet-access-disabled | Ensures SageMaker notebook instances have direct internet access disabled. | A.5.15 Access control; A.8.3 Information access restriction | Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements.; Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control. | +| vpc-subnet-auto-assign-public-ip-disabled | Ensures VPC subnets have auto-assign public IP disabled to prevent unintended internet exposure. 
| A.5.15 Access control; A.8.3 Information access restriction | Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements.; Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control. | +| ec2-imdsv2-required | EC2 instances must use IMDSv2 | A.5.15 Access control; A.8.3 Information access restriction | Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements.; Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control. | +| ec2-iam-profile-required | EC2 instances must have IAM profile attached | A.5.15 Access control | Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements. | +| iam-policy-least-privilege | Ensures IAM policies follow least privilege principles | A.5.15 Access control; A.8.2 Privileged access rights | Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements.; The allocation and use of privileged access rights shall be restricted and managed. | +| iam-role-least-privilege | Ensures IAM roles follow least privilege principles | A.5.15 Access control; A.8.2 Privileged access rights | Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements.; The allocation and use of privileged access rights shall be restricted and managed. 
| +| iam-role-policy-least-privilege | Ensures IAM role policies follow least privilege principles | A.5.15 Access control; A.8.2 Privileged access rights | Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements.; The allocation and use of privileged access rights shall be restricted and managed. | +| iam-user-policy-least-privilege | Ensures IAM user policies follow least privilege principles | A.5.15 Access control; A.8.2 Privileged access rights | Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements.; The allocation and use of privileged access rights shall be restricted and managed. | +| iam-group-policy-least-privilege | Ensures IAM group policies follow least privilege principles | A.5.15 Access control; A.8.2 Privileged access rights | Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements.; The allocation and use of privileged access rights shall be restricted and managed. | +| pubsub-least-privilege-iam | Ensures IAM policies follow least privilege principles for Pub/Sub services (SNS, SQS, Kinesis) | A.5.15 Access control; A.8.2 Privileged access rights | Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements.; The allocation and use of privileged access rights shall be restricted and managed. 
| +| s3-bucket-least-privilege | Prevents overly permissive S3 bucket policies | A.5.15 Access control; A.8.2 Privileged access rights | Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements.; The allocation and use of privileged access rights shall be restricted and managed. | +| ecs-task-non-privileged-required | ECS task definitions must use non-privileged user for host mode | A.5.15 Access control; A.8.2 Privileged access rights | Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements.; The allocation and use of privileged access rights shall be restricted and managed. | +| api-gateway-authorization | Ensures API Gateway methods use strong authorization instead of NONE | A.5.15 Access control; A.8.3 Information access restriction | Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements.; Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control. | +| lambda-permission-configure-source-arn | Checks that lambda function permissions have a source arn specified. | A.5.15 Access control; A.8.3 Information access restriction | Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements.; Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control. | +| ebs-snapshot-not-publicly-restorable | Ensure EBS snapshots are not publicly restorable to prevent unauthorized data access. 
| A.5.15 Access control | Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements. | +| s3-bucket-policy-grantee-check | Ensure S3 bucket policies do not grant access to inappropriate principals for proper access control. | A.5.15 Access control | Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements. | +| iam-user-group-membership-required | IAM users must be members of groups for proper access management | A.5.16 Identity management; A.5.18 Access rights | The full life cycle of identities shall be managed.; Access rights to information and other associated assets shall be provisioned, reviewed, modified and removed in accordance with the organization's topic-specific policy on and rules for access control. | +| iam-user-mfa-console-access | Ensures IAM users with console access have MFA devices | A.5.16 Identity management; A.8.5 Secure authentication | The full life cycle of identities shall be managed.; Secure authentication technologies and procedures shall be implemented based on information access restrictions and the topic-specific policy on access control. | +| iam-role-assume-role-mfa-enforcement | Ensures IAM roles require MFA when assumed by human users (not AWS services) | A.5.16 Identity management; A.8.5 Secure authentication | The full life cycle of identities shall be managed.; Secure authentication technologies and procedures shall be implemented based on information access restrictions and the topic-specific policy on access control. 
| +| iam-role-mfa-enforcement | IAM roles must require MFA for privileged actions | A.5.16 Identity management; A.8.5 Secure authentication | The full life cycle of identities shall be managed.; Secure authentication technologies and procedures shall be implemented based on information access restrictions and the topic-specific policy on access control. | +| iam-role-policy-mfa-enforcement | IAM role policies must require MFA for privileged actions | A.5.16 Identity management; A.8.5 Secure authentication | The full life cycle of identities shall be managed.; Secure authentication technologies and procedures shall be implemented based on information access restrictions and the topic-specific policy on access control. | +| iam-policy-mfa-enforcement | IAM policies must require MFA for privileged actions | A.5.16 Identity management; A.8.5 Secure authentication | The full life cycle of identities shall be managed.; Secure authentication technologies and procedures shall be implemented based on information access restrictions and the topic-specific policy on access control. | +| no-direct-user-access-keys | Prevents creation of direct IAM user access keys for human users | A.5.17 Authentication information; A.8.5 Secure authentication | Allocation and management of authentication information shall be controlled by a management process, including advising personnel on appropriate handling of authentication information.; Secure authentication technologies and procedures shall be implemented based on information access restrictions and the topic-specific policy on access control. | +| secrets-manager-rotation-required | Ensures Secrets Manager secrets have automatic rotation enabled with proper scheduling and frequency limits. | A.5.17 Authentication information | Allocation and management of authentication information shall be controlled by a management process, including advising personnel on appropriate handling of authentication information. 
| +| iam-password-policy-minimum-password-length | Ensure IAM password policy requires minimum length of 14 or greater. | A.5.17 Authentication information; A.8.5 Secure authentication | Allocation and management of authentication information shall be controlled by a management process, including advising personnel on appropriate handling of authentication information.; Secure authentication technologies and procedures shall be implemented based on information access restrictions and the topic-specific policy on access control. | +| iam-password-policy-prevent-reuse | Ensure IAM password policy prevents password reuse. | A.5.17 Authentication information; A.8.5 Secure authentication | Allocation and management of authentication information shall be controlled by a management process, including advising personnel on appropriate handling of authentication information.; Secure authentication technologies and procedures shall be implemented based on information access restrictions and the topic-specific policy on access control. | +| iam-password-expiration | IAM password policy must expire passwords | A.5.17 Authentication information; A.8.5 Secure authentication | Allocation and management of authentication information shall be controlled by a management process, including advising personnel on appropriate handling of authentication information.; Secure authentication technologies and procedures shall be implemented based on information access restrictions and the topic-specific policy on access control. 
| +| iam-password-complexity | IAM password policy must require character complexity (lowercase, uppercase, numbers, symbols) | A.5.17 Authentication information; A.8.5 Secure authentication | Allocation and management of authentication information shall be controlled by a management process, including advising personnel on appropriate handling of authentication information.; Secure authentication technologies and procedures shall be implemented based on information access restrictions and the topic-specific policy on access control. | +| no-hardcoded-secrets | Ensures EC2 instance userData does not contain hardcoded secrets | A.5.17 Authentication information | Allocation and management of authentication information shall be controlled by a management process, including advising personnel on appropriate handling of authentication information. | +| rds-secure-master-credentials | Ensures RDS instances use secure credential management instead of hardcoded passwords | A.5.17 Authentication information | Allocation and management of authentication information shall be controlled by a management process, including advising personnel on appropriate handling of authentication information. | +| rds-cluster-secure-master-credentials | Ensures RDS clusters use secure credential management instead of hardcoded passwords | A.5.17 Authentication information | Allocation and management of authentication information shall be controlled by a management process, including advising personnel on appropriate handling of authentication information. 
| +| rds-iam-authentication | Ensures RDS instances have IAM database authentication enabled | A.5.17 Authentication information; A.8.5 Secure authentication | Allocation and management of authentication information shall be controlled by a management process, including advising personnel on appropriate handling of authentication information.; Secure authentication technologies and procedures shall be implemented based on information access restrictions and the topic-specific policy on access control. | +| codebuild-project-envvar-awscred-check | Ensure CodeBuild project environment variables do not contain AWS credentials. | A.5.17 Authentication information | Allocation and management of authentication information shall be controlled by a management process, including advising personnel on appropriate handling of authentication information. | +| iam-role-inline-policy-restriction | IAM roles must not have inline policies | A.5.18 Access rights; A.8.2 Privileged access rights | Access rights to information and other associated assets shall be provisioned, reviewed, modified and removed in accordance with the organization's topic-specific policy on and rules for access control.; The allocation and use of privileged access rights shall be restricted and managed. | +| iam-role-policy-restriction | IAM role policies (inline policy attachments) should not be used | A.5.18 Access rights; A.8.2 Privileged access rights | Access rights to information and other associated assets shall be provisioned, reviewed, modified and removed in accordance with the organization's topic-specific policy on and rules for access control.; The allocation and use of privileged access rights shall be restricted and managed. 
| +| iam-group-policy-restriction | IAM group policies (inline policy attachments) should not be used | A.5.18 Access rights; A.8.2 Privileged access rights | Access rights to information and other associated assets shall be provisioned, reviewed, modified and removed in accordance with the organization's topic-specific policy on and rules for access control.; The allocation and use of privileged access rights shall be restricted and managed. | +| iam-user-no-policies-check | Ensure IAM users follow best practices by using groups and roles instead of direct policy attachments. | A.5.18 Access rights | Access rights to information and other associated assets shall be provisioned, reviewed, modified and removed in accordance with the organization's topic-specific policy on and rules for access control. | +| cloudwatch-alarms-actions-required | Ensures CloudWatch alarms have actions enabled and configured for proper incident response. | A.5.25 Assessment and decision on information security events; A.5.26 Response to information security incidents; A.8.16 Monitoring activities | The organization shall assess information security events and decide if they are to be categorized as information security incidents.; Information security incidents shall be responded to in accordance with the documented procedures.; Networks, systems and applications shall be monitored for anomalous behaviour and appropriate actions taken to evaluate potential information security incidents. | +| cloudwatch-log-retention | Ensures CloudWatch log groups have appropriate retention periods for compliance. | A.5.28 Collection of evidence; A.8.15 Logging | The organization shall establish and implement procedures for the identification, collection, acquisition and preservation of evidence related to information security events.; Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed. 
| +| s3-bucket-replication | Ensures S3 buckets have replication configured for enhanced availability | A.5.29 Information security during disruption; A.8.13 Information backup; A.5.30 ICT readiness for business continuity | The organization shall plan how to maintain information security at an appropriate level during disruption.; Backup copies of information, software and systems shall be maintained and regularly tested in accordance with the agreed topic-specific policy on backup.; ICT readiness shall be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements. | +| rds-instance-enable-backup-retention | Checks that RDS Instances backup retention policy is enabled. | A.5.29 Information security during disruption; A.8.13 Information backup; A.5.30 ICT readiness for business continuity | The organization shall plan how to maintain information security at an appropriate level during disruption.; Backup copies of information, software and systems shall be maintained and regularly tested in accordance with the agreed topic-specific policy on backup.; ICT readiness shall be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements. | +| rds-cluster-enable-backup-retention | Checks that RDS Clusters backup retention policy is enabled. | A.5.29 Information security during disruption; A.8.13 Information backup; A.5.30 ICT readiness for business continuity | The organization shall plan how to maintain information security at an appropriate level during disruption.; Backup copies of information, software and systems shall be maintained and regularly tested in accordance with the agreed topic-specific policy on backup.; ICT readiness shall be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements. 
| +| elasticache-backup-retention | ElastiCache Redis clusters must have automatic backup retention for 15 days | A.5.29 Information security during disruption; A.8.13 Information backup; A.5.30 ICT readiness for business continuity | The organization shall plan how to maintain information security at an appropriate level during disruption.; Backup copies of information, software and systems shall be maintained and regularly tested in accordance with the agreed topic-specific policy on backup.; ICT readiness shall be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements. | +| redshift-automatic-snapshots-required | Ensures Redshift clusters have automatic snapshots enabled with minimum 7-day retention period. | A.5.29 Information security during disruption; A.8.13 Information backup; A.5.30 ICT readiness for business continuity | The organization shall plan how to maintain information security at an appropriate level during disruption.; Backup copies of information, software and systems shall be maintained and regularly tested in accordance with the agreed topic-specific policy on backup.; ICT readiness shall be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements. | +| dynamodb-point-in-time-recovery-enabled | DynamoDB tables must have point-in-time recovery enabled | A.5.29 Information security during disruption; A.8.13 Information backup; A.5.30 ICT readiness for business continuity | The organization shall plan how to maintain information security at an appropriate level during disruption.; Backup copies of information, software and systems shall be maintained and regularly tested in accordance with the agreed topic-specific policy on backup.; ICT readiness shall be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements. 
| +| rds-instance-high-availability | Ensures RDS instances have Multi-AZ deployment enabled for high availability | A.5.29 Information security during disruption; A.8.14 Redundancy of information processing facilities; A.5.30 ICT readiness for business continuity | The organization shall plan how to maintain information security at an appropriate level during disruption.; Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.; ICT readiness shall be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements. | +| rds-cluster-disallow-single-availability-zone | Check that RDS Cluster doesn't use single availability zone. | A.5.29 Information security during disruption; A.8.14 Redundancy of information processing facilities; A.5.30 ICT readiness for business continuity | The organization shall plan how to maintain information security at an appropriate level during disruption.; Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.; ICT readiness shall be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements. | +| elb-load-balancer-configure-multi-availability-zone | Check that ELB Load Balancers uses more than one availability zone. | A.5.29 Information security during disruption; A.8.14 Redundancy of information processing facilities; A.5.30 ICT readiness for business continuity | The organization shall plan how to maintain information security at an appropriate level during disruption.; Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.; ICT readiness shall be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements. 
| +| elb-load-balancer-enable-health-check | Check that ELB Load Balancers have a health check enabled. | A.5.29 Information security during disruption; A.8.14 Redundancy of information processing facilities; A.5.30 ICT readiness for business continuity | The organization shall plan how to maintain information security at an appropriate level during disruption.; Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.; ICT readiness shall be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements. | +| rds-deletion-protection | RDS database instances must have deletion protection enabled to prevent accidental deletion and ensure data availability | A.5.29 Information security during disruption; A.5.30 ICT readiness for business continuity | The organization shall plan how to maintain information security at an appropriate level during disruption.; ICT readiness shall be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements. | +| elb-deletion-protection | Load balancers must have deletion protection enabled | A.5.29 Information security during disruption; A.5.30 ICT readiness for business continuity | The organization shall plan how to maintain information security at an appropriate level during disruption.; ICT readiness shall be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements. | +| backup-vault-encryption | AWS Backup vaults must be encrypted with a customer-managed KMS key | A.5.33 Protection of records; A.8.13 Information backup | Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release.; Backup copies of information, software and systems shall be maintained and regularly tested in accordance with the agreed topic-specific policy on backup. 
| +| dax-cluster-encryption-at-rest | Require DAX clusters to enable server-side encryption at rest | A.5.33 Protection of records | Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release. | +| docdb-cluster-encryption-at-rest | Require DocumentDB clusters to enable storage encryption at rest | A.5.33 Protection of records | Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release. | +| neptune-cluster-encryption-at-rest | Neptune clusters must have storage encryption at rest enabled. | A.5.33 Protection of records | Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release. | +| elasticache-replicationgroup-encryption-at-rest | ElastiCache replication groups must have encryption at rest enabled | A.5.33 Protection of records | Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release. | +| kinesis-stream-encryption | Kinesis streams must have KMS server-side encryption enabled | A.5.33 Protection of records | Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release. | +| codebuild-project-artifact-encryption | Ensure CodeBuild project build artifacts are encrypted. | A.5.33 Protection of records | Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release. | +| codebuild-project-s3-logs-encryption | Ensure CodeBuild project S3 build logs are encrypted. | A.5.33 Protection of records | Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release. | +| cloudtrail-kms-encryption-enabled | Ensures CloudTrail trails have encryption enabled using KMS keys. 
| A.5.33 Protection of records; A.8.15 Logging | Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release.; Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed. | +| cloudwatch-log-group-kms-encryption-enabled | Ensures CloudWatch log groups have encryption enabled using KMS keys. | A.5.33 Protection of records; A.8.15 Logging | Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release.; Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed. | +| s3-bucket-object-lock-enabled | S3 buckets must have object lock enabled to protect audit information and prevent unauthorized deletion | A.5.33 Protection of records; A.8.15 Logging | Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release.; Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed. | +| cloudtrail-log-file-validation-enabled | Ensures CloudTrail trails have log file validation enabled to protect audit log integrity. | A.5.33 Protection of records; A.8.15 Logging | Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release.; Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed. | +| s3-bucket-encryption | S3 buckets must have server-side encryption configured using BucketServerSideEncryptionConfiguration resource | A.5.33 Protection of records; A.8.24 Use of cryptography | Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release.; Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. 
| +| rds-instance-disallow-unencrypted-storage | Checks that RDS instance storage is encrypted. | A.5.33 Protection of records; A.8.24 Use of cryptography | Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release.; Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. | +| rds-cluster-disallow-unencrypted-storage | Checks that RDS Clusters storage is encrypted. | A.5.33 Protection of records; A.8.24 Use of cryptography | Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release.; Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. | +| sqs-encryption | Ensures SQS queues have server-side encryption enabled | A.5.33 Protection of records; A.8.24 Use of cryptography | Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release.; Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. | +| api-gateway-cache-encryption-enabled | Ensures API Gateway method settings have cache data encryption enabled when caching is configured. | A.5.33 Protection of records; A.8.24 Use of cryptography | Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release.; Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. | +| dynamodb-kms-encryption-enabled | Ensures DynamoDB tables have encryption enabled using KMS keys. | A.5.33 Protection of records; A.8.24 Use of cryptography | Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release.; Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. 
| +| redshift-kms-encryption-enabled | Ensures Redshift clusters have encryption enabled using KMS keys. | A.5.33 Protection of records; A.8.24 Use of cryptography | Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release.; Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. | +| sns-kms-encryption-enabled | Ensures SNS topics have encryption enabled using KMS keys. | A.5.33 Protection of records; A.8.24 Use of cryptography | Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release.; Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. | +| elasticsearch-encryption-enabled | Elasticsearch domains must have encryption at rest enabled | A.5.33 Protection of records; A.8.24 Use of cryptography | Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release.; Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. | +| opensearch-encryption-enabled | OpenSearch domains must have encryption at rest enabled | A.5.33 Protection of records; A.8.24 Use of cryptography | Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release.; Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. | +| s3-bucket-versioning | S3 buckets must have versioning enabled using BucketVersioning resource | A.5.33 Protection of records; A.8.13 Information backup | Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release.; Backup copies of information, software and systems shall be maintained and regularly tested in accordance with the agreed topic-specific policy on backup. 
| +| athena-database-disallow-unencrypted-database | Checks that Athena Databases storage is encrypted. | A.5.33 Protection of records; A.8.24 Use of cryptography | Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release.; Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. | +| athena-workgroup-disallow-unencrypted-workgroup | Checks that Athena Workgroups are encrypted. | A.5.33 Protection of records; A.8.24 Use of cryptography | Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release.; Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. | +| security-hub-enabled | Ensures AWS Security Hub is enabled for continuous monitoring and security assessment. | A.5.36 Compliance with policies, rules and standards for information security; A.8.16 Monitoring activities | Compliance with the organization's information security policy, topic-specific policies, rules and standards shall be regularly reviewed.; Networks, systems and applications shall be monitored for anomalous behaviour and appropriate actions taken to evaluate potential information security incidents. | +| security-group-default-deny | Ensures Security Groups follow default deny with explicit allow principle | A.6.7 Remote working; A.8.20 Networks security; A.8.22 Segregation of networks | Security measures shall be implemented when personnel are working remotely to protect information accessed, processed or stored outside the organization's premises.; Networks and network devices shall be secured, managed and controlled to protect information in systems and applications.; Groups of information services, users and information systems shall be segregated in the organization's networks. 
| +| sagemaker-notebook-root-access | SageMaker notebook instances must disable root access to enforce least privilege for notebook users. | A.8.2 Privileged access rights | The allocation and use of privileged access rights shall be restricted and managed. | +| codebuild-project-privileged-mode | Ensure CodeBuild projects do not run in privileged mode. | A.8.2 Privileged access rights | The allocation and use of privileged access rights shall be restricted and managed. | +| restrict-default-iam-user-creation | Ensures that default IAM user accounts are not allowed to be created | A.8.2 Privileged access rights | The allocation and use of privileged access rights shall be restricted and managed. | +| iam-role-session-duration | Enforces maximum session duration for IAM roles | A.8.2 Privileged access rights | The allocation and use of privileged access rights shall be restricted and managed. | +| eventbridge-eventbus-policy-attached | Ensure custom EventBridge event buses have a resource-based policy attached to control cross-account and cross-service access. | A.8.3 Information access restriction | Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control. | +| eventbridge-schema-registry-policy-attached | Ensure EventBridge schema registries have a resource-based policy attached to control cross-account and cross-service access. | A.8.3 Information access restriction | Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control. | +| efs-accesspoint-posix-user | EFS access points must enforce a POSIX user identity so all file system requests are made with a defined user. | A.8.3 Information access restriction | Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control. 
| +| opensearch-access-control-enabled | OpenSearch domains must have fine-grained access control enabled | A.8.3 Information access restriction | Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control. | +| lambda-public-access-restricted | Lambda functions must restrict public access through resource-based policies | A.8.3 Information access restriction | Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control. | +| eks-cluster-disallow-api-endpoint-public-access | Check that EKS Clusters API Endpoint are not publicly accessible. | A.8.3 Information access restriction | Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control. | +| ec2-launch-template-disallow-public-ip | Checks that EC2 Launch Templates do not have public IP addresses. | A.8.3 Information access restriction | Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control. | +| ec2-launch-configuration-disallow-public-ip | Checks that EC2 Launch Configurations do not have a public IP address. | A.8.3 Information access restriction | Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control. | +| rds-private-subnet-validation | Validates that RDS DB subnet groups contain only private subnets | A.8.3 Information access restriction | Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control. 
| +| database-strict-network-access | Ensures RDS instances have strict network access controls | A.8.3 Information access restriction; A.8.20 Networks security | Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control.; Networks and network devices shall be secured, managed and controlled to protect information in systems and applications. | +| neptune-cluster-iam-authentication | Neptune clusters must have IAM database authentication enabled. | A.8.5 Secure authentication | Secure authentication technologies and procedures shall be implemented based on information access restrictions and the topic-specific policy on access control. | +| rds-cluster-iam-authentication | RDS clusters must have IAM database authentication enabled | A.8.5 Secure authentication | Secure authentication technologies and procedures shall be implemented based on information access restrictions and the topic-specific policy on access control. | +| emr-kerberos-enabled | Ensure EMR clusters have Kerberos authentication enabled for enhanced security. | A.8.5 Secure authentication | Secure authentication technologies and procedures shall be implemented based on information access restrictions and the topic-specific policy on access control. | +| autoscaling-group-capacity-rebalancing | Auto Scaling groups must enable capacity rebalancing to proactively replace Spot Instances at risk of interruption. | A.8.6 Capacity management | The use of resources shall be monitored and adjusted in line with current and expected capacity requirements. | +| dynamodb-autoscaling-enabled | Ensures DynamoDB tables have auto-scaling or on-demand mode enabled for capacity management. | A.8.6 Capacity management | The use of resources shall be monitored and adjusted in line with current and expected capacity requirements. 
| +| guardduty-malware-detection-enabled | Ensures AWS GuardDuty is enabled with malware detection capabilities for threat protection. | A.8.7 Protection against malware; A.8.16 Monitoring activities | Protection against malware shall be implemented and supported by appropriate user awareness.; Networks, systems and applications shall be monitored for anomalous behaviour and appropriate actions taken to evaluate potential information security incidents. | +| anti-malware-edr | Ensures EC2 instances have anti-malware/EDR agents deployed | A.8.7 Protection against malware | Protection against malware shall be implemented and supported by appropriate user awareness. | +| rds-instance-managed-service-patching | Ensures RDS instances have automated minor version upgrades enabled | A.8.8 Management of technical vulnerabilities | Information about technical vulnerabilities of information systems in use shall be obtained, the organization's exposure to such vulnerabilities shall be evaluated and appropriate measures shall be taken. | +| rds-clusterinstance-managed-service-patching | Ensures RDS cluster instances have automated minor version upgrades enabled | A.8.8 Management of technical vulnerabilities | Information about technical vulnerabilities of information systems in use shall be obtained, the organization's exposure to such vulnerabilities shall be evaluated and appropriate measures shall be taken. | +| neptune-clusterinstance-managed-service-patching | Ensures Neptune cluster instances have automated minor version upgrades enabled | A.8.8 Management of technical vulnerabilities | Information about technical vulnerabilities of information systems in use shall be obtained, the organization's exposure to such vulnerabilities shall be evaluated and appropriate measures shall be taken. 
| +| docdb-clusterinstance-managed-service-patching | Ensures DocumentDB cluster instances have automated minor version upgrades enabled | A.8.8 Management of technical vulnerabilities | Information about technical vulnerabilities of information systems in use shall be obtained, the organization's exposure to such vulnerabilities shall be evaluated and appropriate measures shall be taken. | +| elasticbeanstalk-managed-updates-enabled | Elastic Beanstalk environments must have managed platform updates enabled | A.8.8 Management of technical vulnerabilities | Information about technical vulnerabilities of information systems in use shall be obtained, the organization's exposure to such vulnerabilities shall be evaluated and appropriate measures shall be taken. | +| ecr-image-scanning | Ensures ECR repositories have image scanning enabled for vulnerability management | A.8.8 Management of technical vulnerabilities | Information about technical vulnerabilities of information systems in use shall be obtained, the organization's exposure to such vulnerabilities shall be evaluated and appropriate measures shall be taken. | +| ecs-task-definition-image-scanning | Ensures ECS task definitions use images from repositories with vulnerability scanning | A.8.8 Management of technical vulnerabilities | Information about technical vulnerabilities of information systems in use shall be obtained, the organization's exposure to such vulnerabilities shall be evaluated and appropriate measures shall be taken. | +| lambda-runtime-restrictions | Ensures that AWS Lambda functions are created only with approved runtime versions | A.8.8 Management of technical vulnerabilities | Information about technical vulnerabilities of information systems in use shall be obtained, the organization's exposure to such vulnerabilities shall be evaluated and appropriate measures shall be taken. 
| +| redshift-maintenance-required | Ensures Redshift clusters have proper maintenance settings configured for automated updates. | A.8.8 Management of technical vulnerabilities | Information about technical vulnerabilities of information systems in use shall be obtained, the organization's exposure to such vulnerabilities shall be evaluated and appropriate measures shall be taken. | +| config-recorder-enabled | Ensures AWS Config configuration recorders are enabled for tracking and auditing resource changes. | A.8.9 Configuration management | Configurations, including security configurations, of hardware, software, services and networks shall be established, documented, implemented, monitored and reviewed. | +| config-snapshot-retention | Ensures AWS Config retention configuration meets minimum 7-year requirement for compliance auditing. | A.8.9 Configuration management | Configurations, including security configurations, of hardware, software, services and networks shall be established, documented, implemented, monitored and reviewed. | +| athena-workgroup-enforce-configuration | Checks that Athena Workgroups enforce their configuration to their clients. | A.8.9 Configuration management | Configurations, including security configurations, of hardware, software, services and networks shall be established, documented, implemented, monitored and reviewed. | +| vpc-security-group-associated-to-eni | Ensure VPC security groups are associated to ENI (network interfaces) to maintain proper network security asset management. | A.8.9 Configuration management | Configurations, including security configurations, of hardware, software, services and networks shall be established, documented, implemented, monitored and reviewed. | +| vpc-network-acl-unused | Ensure VPC network ACLs are not unused to maintain proper network security asset management. 
| A.8.9 Configuration management | Configurations, including security configurations, of hardware, software, services and networks shall be established, documented, implemented, monitored and reviewed. | +| s3-bucket-lifecycle | Ensures each S3 bucket has lifecycle rules configured for retention/disposal | A.8.10 Information deletion | Information stored in information systems, devices or in any other storage media shall be deleted when no longer required. | +| s3-bucket-macie-access | Ensures S3 buckets allow AWS Macie access for data classification and discovery | A.8.12 Data leakage prevention | Data leakage prevention measures shall be applied to systems, networks and any other devices that process, store or transmit sensitive information. | +| docdb-cluster-backup-retention | Require DocumentDB clusters to retain automated backups for a minimum period | A.8.13 Information backup | Backup copies of information, software and systems shall be maintained and regularly tested in accordance with the agreed topic-specific policy on backup. | +| neptune-cluster-backup-retention | Neptune clusters must retain automated backups for at least the configured minimum number of days. | A.8.13 Information backup | Backup copies of information, software and systems shall be maintained and regularly tested in accordance with the agreed topic-specific policy on backup. | +| ebs-volume-in-backup-plan | Ensure EBS volumes are included in AWS Backup plans for automated backup and recovery capabilities. | A.8.13 Information backup | Backup copies of information, software and systems shall be maintained and regularly tested in accordance with the agreed topic-specific policy on backup. | +| eventbridge-global-endpoint-replication | EventBridge global endpoints must enable event replication | A.8.14 Redundancy of information processing facilities | Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements. 
| +| lb-multi-az | ELBv2 load balancers must span at least two Availability Zones. | A.8.14 Redundancy of information processing facilities | Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements. | +| lb-cross-zone-load-balancing | Network Load Balancers must enable cross-zone load balancing. | A.8.14 Redundancy of information processing facilities | Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements. | +| subnet-multi-az | Ensures subnets are distributed across multiple availability zones | A.8.14 Redundancy of information processing facilities; A.5.30 ICT readiness for business continuity | Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.; ICT readiness shall be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements. | +| elb-cross-zone-load-balancing-enabled | Classic Load Balancers must have cross-zone load balancing enabled | A.8.14 Redundancy of information processing facilities | Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements. | +| networkfirewall-logging-enabled | Ensure AWS Network Firewalls have a logging configuration for audit and monitoring purposes. | A.8.15 Logging | Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed. | +| ec2-clientvpn-connection-logging | Client VPN endpoints must enable connection logging to record client connection events. | A.8.15 Logging | Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed. | +| mq-broker-audit-logging | Amazon MQ brokers must enable audit logging to record user management actions. 
| A.8.15 Logging | Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed. | +| eks-cluster-logging | EKS clusters must enable control plane logging for all required log types. | A.8.15 Logging | Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed. | +| appsync-graphqlapi-logging | AppSync GraphQL APIs must have logging configured. | A.8.15 Logging | Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed. | +| sfn-statemachine-logging | Step Functions state machines must have execution logging enabled. | A.8.15 Logging | Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed. | +| apigateway-method-execution-logging | API Gateway method settings must enable execution logging. | A.8.15 Logging | Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed. | +| codebuild-project-logging | Ensure CodeBuild projects have an enabled log destination. | A.8.15 Logging | Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed. | +| lb-access-logging | ELBv2 load balancers must have access logging enabled. | A.8.15 Logging | Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed. | +| cloudtrail-enabled | Ensures CloudTrail is enabled with at least one active trail for audit logging. | A.8.15 Logging | Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed. | +| cloudtrail-multi-region-enabled | Ensures CloudTrail trails are configured as multi-region trails for comprehensive audit coverage. 
| A.8.15 Logging | Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed. | +| cloudtrail-s3-data-events-enabled | Ensures CloudTrail trails have S3 data events enabled for comprehensive object-level logging. | A.8.15 Logging | Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed. | +| cloudtrail-cloudwatch-logs-integration | Ensures CloudTrail trails have CloudWatch Logs integration enabled for real-time monitoring and analysis. | A.8.15 Logging | Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed. | +| api-gateway-access-logging | Ensures API Gateway stages have access logging enabled | A.8.15 Logging | Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed. | +| api-gateway-v2-access-logging | Ensures API Gateway V2 stages have access logging enabled | A.8.15 Logging | Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed. | +| s3-bucket-access-logging | Ensures each S3 bucket has access logging enabled | A.8.15 Logging | Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed. | +| elb-load-balancer-configure-access-logging | Check that ELB Load Balancers uses access logging. | A.8.15 Logging | Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed. | +| elasticsearch-cloudwatch-logging-enabled | Elasticsearch domains must send logs to CloudWatch for audit tracking | A.8.15 Logging | Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed. 
| +| redshift-logging-enabled | Ensures Redshift clusters have logging configurations enabled for audit and monitoring purposes. | A.8.15 Logging | Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed. | +| wafv2-logging-enabled | Ensures WAFv2 Web ACLs have logging configurations enabled for audit and monitoring purposes. | A.8.15 Logging | Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed. | +| rds-cluster-logging-enabled | Ensure RDS clusters have logging enabled for monitoring and audit compliance. | A.8.15 Logging | Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed. | +| cloudfront-distribution-enable-access-logging | Checks that any CloudFront distributions have access logging enabled. | A.8.15 Logging | Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed. | +| cloudfront-distribution-configure-access-logging | Checks that any CloudFront distributions have access logging configured. | A.8.15 Logging | Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed. | +| lambda-function-logging | Ensures that all AWS Lambda functions have logging enabled to track output data processing | A.8.15 Logging | Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed. | +| centralized-os-app-logging | Ensures EC2 instances have logging agents configured to forward OS/application logs to central system | A.8.15 Logging | Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed. 
| +| rds-instance-logging-enabled | Ensure RDS database instances have logging enabled for monitoring and audit compliance. | A.8.15 Logging | Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed. | +| vpc-subnet-flow-logs | Ensures all VPCs and subnets have flow logs enabled | A.8.15 Logging | Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed. | +| ec2-monitoring-enabled | EC2 instances must have detailed monitoring enabled | A.8.16 Monitoring activities | Networks, systems and applications shall be monitored for anomalous behaviour and appropriate actions taken to evaluate potential information security incidents. | +| rds-instance-enhanced-monitoring | RDS database instances must have enhanced monitoring enabled to provide detailed system-level metrics | A.8.16 Monitoring activities | Networks, systems and applications shall be monitored for anomalous behaviour and appropriate actions taken to evaluate potential information security incidents. | +| rds-clusterinstance-enhanced-monitoring | RDS cluster instances must have enhanced monitoring enabled to provide detailed system-level metrics | A.8.16 Monitoring activities | Networks, systems and applications shall be monitored for anomalous behaviour and appropriate actions taken to evaluate potential information security incidents. | +| vpc-nacl-no-unrestricted-ssh-rdp | Network ACLs must not allow unrestricted SSH/RDP ingress from the internet | A.8.20 Networks security | Networks and network devices shall be secured, managed and controlled to protect information in systems and applications. | +| internet-gateway-authorized-vpc | Internet gateways must only attach to authorized VPCs | A.8.20 Networks security | Networks and network devices shall be secured, managed and controlled to protect information in systems and applications. 
| +| ssm-document-not-public | SSM documents must not be shared publicly | A.8.20 Networks security | Networks and network devices shall be secured, managed and controlled to protect information in systems and applications. | +| elb-desync-mitigation | Classic Load Balancers must use a defensive or strictest desync mitigation mode. | A.8.20 Networks security | Networks and network devices shall be secured, managed and controlled to protect information in systems and applications. | +| networkfirewall-multi-az | Network Firewalls must span at least two Availability Zones for resilience. | A.8.20 Networks security | Networks and network devices shall be secured, managed and controlled to protect information in systems and applications. | +| networkfirewall-policy-stateless-fragment-default-action | Network Firewall policies must drop or forward fragmented packets to the stateful engine. | A.8.20 Networks security | Networks and network devices shall be secured, managed and controlled to protect information in systems and applications. | +| networkfirewall-policy-stateless-default-action | Network Firewall policies must drop or forward unmatched packets to the stateful engine. | A.8.20 Networks security | Networks and network devices shall be secured, managed and controlled to protect information in systems and applications. | +| networkfirewall-policy-rule-group-associated | Network Firewall policies must reference at least one rule group. | A.8.20 Networks security | Networks and network devices shall be secured, managed and controlled to protect information in systems and applications. | +| networkfirewall-stateless-rule-group-not-empty | Stateless Network Firewall rule groups must contain at least one rule. | A.8.20 Networks security | Networks and network devices shall be secured, managed and controlled to protect information in systems and applications. 
| +| s3-accesspoint-public-access-block | S3 access points must block all public access | A.8.20 Networks security | Networks and network devices shall be secured, managed and controlled to protect information in systems and applications. | +| load-balancer-waf-association | Ensures public-facing Load Balancers have WAF associations | A.8.20 Networks security | Networks and network devices shall be secured, managed and controlled to protect information in systems and applications. | +| api-gateway-waf-association | Ensures public-facing API Gateways have WAF associations | A.8.20 Networks security | Networks and network devices shall be secured, managed and controlled to protect information in systems and applications. | +| cloudfront-waf-association | Ensures CloudFront distributions have WAF associations | A.8.20 Networks security | Networks and network devices shall be secured, managed and controlled to protect information in systems and applications. | +| appsync-waf-association | Ensures public-facing AppSync GraphQL APIs have WAF associations | A.8.20 Networks security | Networks and network devices shall be secured, managed and controlled to protect information in systems and applications. | +| lambda-vpc-placement-required | Lambda functions must be deployed in VPC for network isolation and security | A.8.20 Networks security; A.8.22 Segregation of networks | Networks and network devices shall be secured, managed and controlled to protect information in systems and applications.; Groups of information services, users and information systems shall be segregated in the organization's networks. 
| +| ec2-vpc-placement-required | EC2 instances must be placed in VPC for network isolation | A.8.20 Networks security; A.8.22 Segregation of networks | Networks and network devices shall be secured, managed and controlled to protect information in systems and applications.; Groups of information services, users and information systems shall be segregated in the organization's networks. | +| elasticsearch-vpc-required | Elasticsearch domains must be deployed in VPC for network isolation | A.8.20 Networks security; A.8.22 Segregation of networks | Networks and network devices shall be secured, managed and controlled to protect information in systems and applications.; Groups of information services, users and information systems shall be segregated in the organization's networks. | +| opensearch-vpc-required | OpenSearch domains must be deployed in VPC for network isolation | A.8.20 Networks security; A.8.22 Segregation of networks | Networks and network devices shall be secured, managed and controlled to protect information in systems and applications.; Groups of information services, users and information systems shall be segregated in the organization's networks. | +| redshift-enhanced-vpc-routing-enabled | Ensures Redshift clusters have enhanced VPC routing enabled for network isolation. | A.8.20 Networks security; A.8.22 Segregation of networks | Networks and network devices shall be secured, managed and controlled to protect information in systems and applications.; Groups of information services, users and information systems shall be segregated in the organization's networks. | +| vpc-route-table-internet-gateway-restricted | Ensures VPC route tables restrict public access to internet gateways appropriately. 
| A.8.20 Networks security; A.8.22 Segregation of networks; A.8.21 Security of network services | Networks and network devices shall be secured, managed and controlled to protect information in systems and applications.; Groups of information services, users and information systems shall be segregated in the organization's networks.; Security mechanisms, service levels and service requirements of network services shall be identified, implemented and monitored. | +| vpc-endpoint-security-policy | Ensures that VPC endpoints are associated with security policies that limit access to specified resources | A.8.21 Security of network services | Security mechanisms, service levels and service requirements of network services shall be identified, implemented and monitored. | +| ebs-volume-disallow-unencrypted-volume | Checks that EBS volumes are encrypted. | A.8.24 Use of cryptography | Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. | +| ec2-instance-disallow-unencrypted-block-device | Checks that EC2 instances do not have unencrypted block devices. | A.8.24 Use of cryptography | Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. | +| ec2-instance-disallow-unencrypted-root-block-device | Checks that EC2 instances does not have unencrypted root volumes. | A.8.24 Use of cryptography | Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. | +| efs-file-system-disallow-unencrypted-file-system | Checks that EFS File Systems do not have an unencrypted file system. | A.8.24 Use of cryptography | Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. | +| secrets-manager-secret-configure-customer-managed-key | Check that Secrets Manager Secrets use a customer-manager KMS key. 
| A.8.24 Use of cryptography | Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. | +| sagemaker-endpoint-kms-encryption-enabled | Ensures SageMaker endpoint configurations have encryption enabled using KMS keys. | A.8.24 Use of cryptography | Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. | +| sagemaker-notebook-kms-encryption-enabled | Ensures SageMaker notebook instances have encryption enabled using KMS keys. | A.8.24 Use of cryptography | Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. | +| kms-key-enable-key-rotation | Checks that KMS Keys have key rotation enabled. | A.8.24 Use of cryptography | Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. | +| kms-key-creation | Validates KMS key creation with appropriate specifications and origins | A.8.24 Use of cryptography | Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. | +| ecr-repository-disallow-unencrypted-repository | Checks that ECR Repositories are encrypted. | A.8.24 Use of cryptography | Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. | +| eks-cluster-enable-cluster-encryption-config | Check that EKS Cluster Encryption Config is enabled. | A.8.24 Use of cryptography | Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. | +| lambda-environment-variables-encryption | Ensures that all Lambda functions have their environment variables encrypted using AWS KMS | A.8.24 Use of cryptography | Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. 
| +| ec2-launch-template-disallow-unencrypted-block-device | Checks that EC2 Launch Templates do not have unencrypted block device. | A.8.24 Use of cryptography | Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. | +| ec2-launch-configuration-disallow-unencrypted-block-device | Checks that EC2 Launch Configurations do not have unencrypted block devices. | A.8.24 Use of cryptography | Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. | +| ec2-launch-configuration-disallow-unencrypted-root-block-device | Checks that EC2 launch configuration do not have unencrypted root block device. | A.8.24 Use of cryptography | Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. | +| kms-grant-access-control | Validates KMS grants for least privilege access control | A.8.24 Use of cryptography | Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. | +| kms-key-policy-access-control | Validates KMS key policies for least privilege and separation of duties | A.8.24 Use of cryptography | Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. | +| appflow-connector-profile-configure-customer-managed-key | Check that AppFlow ConnectorProfile uses a customer-managed KMS key. | A.8.24 Use of cryptography | Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. | +| appflow-flow-configure-customer-managed-key | Check that AppFlow Flow uses a customer-managed KMS key. | A.8.24 Use of cryptography | Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. 
| +| athena-database-configure-customer-managed-key | Checks that Athena Databases storage uses a customer-managed-key. | A.8.24 Use of cryptography | Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. | +| athena-workgroup-configure-customer-managed-key | Checks that Athena Workgroups use a customer-managed-key. | A.8.24 Use of cryptography | Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. | +| ebs-volume-configure-customer-managed-key | Check that encrypted EBS volumes use a customer-managed KMS key. | A.8.24 Use of cryptography | Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. | +| ec2-launch-template-configure-customer-managed-key | Check that encrypted EBS volume uses a customer-managed KMS key. | A.8.24 Use of cryptography | Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. | +| ecr-repository-configure-customer-managed-key | Checks that ECR repositories use a customer-managed KMS key. | A.8.24 Use of cryptography | Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. | +| efs-file-system-configure-customer-managed-key | Check that encrypted EFS File system uses a customer-managed KMS key. | A.8.24 Use of cryptography | Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. | +| rds-cluster-configure-customer-managed-key | Checks that RDS Clusters storage uses a customer-managed KMS key. | A.8.24 Use of cryptography | Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. | +| rds-instance-configure-customer-managed-key | Checks that RDS Instance storage uses a customer-managed KMS key. 
| A.8.24 Use of cryptography | Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. |
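Review bot: several policy descriptions in this table carry typos or mismatches that will ship into the published ISO/IEC 27001 reference page, so please fix them before merging. `secrets-manager-secret-configure-customer-managed-key` reads "customer-manager KMS key" (should be "customer-managed"); `ec2-launch-template-configure-customer-managed-key` is described as "Check that encrypted EBS volume uses a customer-managed KMS key.", which describes the EBS volume policy rather than the launch template, while `ec2-instance-disallow-unencrypted-root-block-device` ("EC2 instances does not have"), `ec2-launch-configuration-disallow-unencrypted-root-block-device` ("launch configuration do not have unencrypted root block device") and `elb-load-balancer-configure-access-logging` ("Load Balancers uses") have subject/verb agreement errors. `vpc-network-acl-unused` ("Ensure VPC network ACLs are not unused") is a double negative that a reader will parse slowly; "Ensure every VPC network ACL is associated with at least one subnet" or similar states the check directly. Style is also inconsistent across rows: some descriptions open with "Ensures", others with "Checks that" or "<Resource> must", and trailing periods are present on some rows and absent on others; the other pack pages in this docs tree pick one form, and matching it here keeps the table scannable. Where a row maps to more than one control, the Annex A text column joins the control statements with ".; " (for example "appropriate user awareness.; Networks, systems and applications shall be monitored"), which renders as a stray period before the semicolon; either drop the period or separate the statements with a line break or `<br>` as the menu and table markup elsewhere in this PR already do for multi-item cells. Finally, `config-snapshot-retention` states a "minimum 7-year requirement" that the quoted A.8.9 control text does not itself specify; if that figure comes from the policy's default configuration, say so in the description so readers do not attribute the period to the standard.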