CloudWiki
Compliance

AWS Well-Architected Framework

resize
Visit website

The AWS Well-Architected Framework helps understand how your decisions will affect your systems as you build on AWS by learning architectural best practices for designing and operating reliable, secure, efficient, and cost-effective systems in the cloud.

Compliance checks for Amazon Web Services

Low
Ensure Amazon MQ brokers Log Exports feature is enabled
APRA
CSA CCM
GDPR
HITRUST
ISO 27001
Low
Ensure Amazon MQ brokers are using the active/standby deployment mode
CCPA
ISO 27001
NIST4
NIST 800-53
AWS Well-Architected Framework
Medium
Ensure Amazon MQ brokers are not publicly accessible
APRA
CCPA
CIS 8
GDPR
HIPAA
Medium
Ensure Amazon MQ broker instances are using desired instance types
AWS Well-Architected Framework
Critical
Ensure Amazon MQ brokers are not publicly accessible
APRA
CCPA
CIS 8
GDPR
HIPAA
Low
Ensure Redshift clusters are not using default endpoint port
APRA
CCPA
GDPR
HITRUST
ISO 27001
Low
Ensure Redshift clusters automated snapshot retention period is enabled
CCPA
CIS 8
CSA CCM
GDPR
HITRUST
Low
Ensure Redshift clusters are using a custom master user name instead of the default master user name
APRA
CCPA
CIS 8
GDPR
HITRUST
Medium
Ensure Redshift clusters nodes has not reached the limit quota established by your organization
AWS Well-Architected Framework
Medium
Ensure Redshift clusters are using the latest generation of nodes
AWS Well-Architected Framework
Medium
Ensure Redshift clusters are using desired node types
APRA
AWS Well-Architected Framework
Medium
Ensure Redshift clusters are provisioned within a VPC
APRA
CCPA
GDPR
HIPAA
HITRUST
High
Ensure Redshift clusters are not publicly accessible
APRA
GDPR
HIPAA
MAS
NIST4
High
Ensure Redshift clusters are encrypted at-rest
APRA
HIPAA
MAS
NIST4
PCI-DSS
Medium
Ensure AWS Config is configured to include global resources
APRA
GDPR
MAS
NIST4
AWS Well-Architected Framework
High
AWS Config configuration changes alarm
APRA
MAS
NIST4
AWS Well-Architected Framework
High
Ensure Database Migration Service (DMS) are not publicly accessible
APRA
GDPR
HIPAA
NIST4
PCI-DSS
Critical
Ensure DMS instances are not accessible via Internet (Network and API)
CIS
SOC2
PCI-DSS
FedRAMP
AWS Well-Architected Framework
Medium
Ensure CloudFormation stacks are sending event notifications to an SNS topic
APRA
MAS
NIST4
AWS Well-Architected Framework
Medium
Ensure CloudFormation stacks Termination Protection feature is enabled
APRA
MAS
AWS Well-Architected Framework
Low
CloudTrail changes alarm
CIS
CISAWSF
APRA
MAS
NIST4
Medium
Ensure CloudWatch Logs service is configured to monitor CloudTrail trail logs
CISAWSF
PCI-DSS
GDPR
APRA
MAS
High
Ensure CloudTrail trails record global service events
APRA
PCI-DSS
GDPR
NIST4
MAS
High
Ensure CloudTrail trails have multi-region enabled
APRA
MAS
CISAWSF
PCI-DSS
HIPAA
High
Ensure EFS file systems are encrypted using KMS CMK customer-managed keys
APRA
MAS
NIST4
GDPR
AWS Well-Architected Framework
High
Ensure EFS file systems are encrypted
APRA
MAS
NIST4
GDPR
HIPAA
High
Ensure Simple Email Service (SES) identities are not exposed
APRA
MAS
NIST4
GDPR
AWS Well-Architected Framework
Medium
Ensure DocumentDB database clusters have a minimum backup retention period
NIST4
AWS Well-Architected Framework
High
Ensure DocumentDB volumes are of type gp3 (General Purpose SSD) instead of gp2
AWS Well-Architected Framework
Critical
Ensure access keys are rotated every 90 days or less
CIS
APRA
MAS
NIST4
NIST 800-53
Medium
Ensure Kinesis Data Stream encryption is enabled
APRA
AWS Well-Architected Framework
GDPR
HIPAA
MAS
Medium
Ensure IAM policies that allow over privileges access to data are not created
AWS Well-Architected Framework
CISAWSF
GDPR
FTR
ISO 27001
Low
EC2 large instance create alarm
PCI-DSS
APRA
MAS
NIST4
AWS Well-Architected Framework
Low
Ensure there are no EBS snapshots older than a month
AWS Well-Architected Framework
Low
Internet Gateway (IGW) changes alarm
CIS
CISAWSF
PCI-DSS
APRA
MAS
Medium
Ensure OpenSearch nodes are using General Purpose SSD storage
AWS Well-Architected Framework
Critical
Ensure there is no unrestricted inbound access to TCP port 23 (Telnet)
APRA
AWS Well-Architected Framework
CISAWSF
MAS
NIST4
Critical
Ensure there is no unrestricted inbound access to TCP port 22 (SSH)
ISO 27001
PCI-DSS
HITRUST
NIST 800-53
CIS
Critical
Ensure there is no unrestricted inbound access to TCP port 3389 (RDP)
ISO 27001
GDPR
PCI-DSS
CIS
CISAWSF
Critical
Ensure there is no unrestricted inbound access to TCP port 80 (HTTP)
CIS
PCI-DSS
APRA
MAS
NIST4
Critical
Ensure there is no unrestricted inbound access to UDP port 11211 (Memcached)
AWS Well-Architected Framework
CSA CCM
Critical
Ensure there is no unrestricted inbound access to UDP port 53 (DNS)
APRA
AWS Well-Architected Framework
MAS
NIST4
PCI-DSS
Critical
Ensure there is no unrestricted inbound access to TCP port 27017 (MongoDB)
APRA
AWS Well-Architected Framework
CSA CCM
MAS
NIST4
Critical
Ensure there is no unrestricted inbound access to TCP port 27018 (MongoDB)
APRA
AWS Well-Architected Framework
MAS
NIST4
PCI-DSS
Critical
Ensure there is no unrestricted inbound access to TCP port 27019 (MongoDB)
APRA
AWS Well-Architected Framework
MAS
NIST4
PCI-DSS
Critical
Ensure there is no unrestricted inbound access to TCP port 135 (RPC)
APRA
AWS Well-Architected Framework
MAS
NIST4
PCI-DSS
Critical
Ensure there is no unrestricted inbound access to TCP port 8080 (HTTP proxy)
APRA
AWS Well-Architected Framework
MAS
NIST4
PCI-DSS
Critical
Ensure there is no unrestricted inbound access to TCP port 8000 (HTTP)
APRA
AWS Well-Architected Framework
MAS
NIST4
PCI-DSS
Critical
Ensure there is no unrestricted inbound access to TCP port 5432 (PostgreSQL)
APRA
AWS Well-Architected Framework
MAS
NIST4
PCI-DSS
Critical
Ensure there is no unrestricted inbound access to TCP port 137 (NetBios)
APRA
AWS Well-Architected Framework
MAS
NIST4
PCI-DSS
Critical
Ensure there is no unrestricted inbound access to TCP port 139 (NetBios)
APRA
AWS Well-Architected Framework
MAS
NIST4
PCI-DSS
Critical
Ensure there is no unrestricted inbound access to TCP port 1433 (MSSQL)
APRA
AWS Well-Architected Framework
MAS
NIST4
PCI-DSS
Critical
Ensure there is no unrestricted inbound access to TCP port 53 (DNS)
APRA
AWS Well-Architected Framework
MAS
NIST4
PCI-DSS
Critical
Ensure there is no unrestricted inbound access to TCP port 20 (FTP)
APRA
AWS Well-Architected Framework
MAS
NIST4
PCI-DSS
Critical
Ensure there is no unrestricted inbound access to TCP port 21 (FTP)
APRA
AWS Well-Architected Framework
MAS
NIST4
PCI-DSS
Critical
Ensure there is no unrestricted inbound access to TCP port 9200 (ElasticSearch)
PCI-DSS
APRA
MAS
NIST4
AWS Well-Architected Framework
Critical
Ensure there is no unrestricted inbound access to TCP port 6379 (Redis)
AWS Well-Architected Framework
CSA CCM
HITRUST
NIST 800-53
CIS 8
Critical
Ensure there is no unrestricted inbound access to TCP port 1521 (OracleDB)
APRA
AWS Well-Architected Framework
CSA CCM
MAS
NIST4
Critical
Ensure there is no unrestricted inbound access to TCP port 3020 (SMB / CIFS)
APRA
AWS Well-Architected Framework
MAS
NIST4
PCI-DSS
Critical
Ensure there is no unrestricted inbound access to TCP port 11211 (Memcached)
AWS Well-Architected Framework
CSA CCM
CIS 8
ISO 27701
Critical
Ensure there is no unrestricted inbound access to TCP port 25 (SMTP)
APRA
AWS Well-Architected Framework
MAS
NIST4
PCI-DSS
Critical
Ensure there is no unrestricted inbound access to TCP port 3306 (MySQL)
PCI-DSS
APRA
MAS
NIST4
AWS Well-Architected Framework
Low
Route Table changes alarm
CIS
CISAWSF
PCI-DSS
APRA
MAS
Low
IAM Policy changes alarm
CIS
CISAWSF
PCI-DSS
APRA
MAS
Low
S3 Bucket changes alarm
CIS
CISAWSF
PCI-DSS
APRA
MAS
Low
Security Group (SG) changes alarm
CIS
CISAWSF
PCI-DSS
APRA
MAS
Critical
Ensure SageMaker Notebook Data is Encrypted
APRA
GDPR
HIPAA
MAS
NIST4
Low
VPC Peering changes alarm
CIS
PCI-DSS
APRA
MAS
NIST4
Low
Transit Gateway (TGW) changes alarm
CIS
CISAWSF
PCI-DSS
APRA
MAS
Low
NAT Gateway changes alarm
CIS
CISAWSF
PCI-DSS
APRA
MAS
Low
VPC changes alarm
CIS
CISAWSF
PCI-DSS
APRA
MAS
Medium
Ensure Amazon SageMaker Notebook Instance is in VPC
APRA
AWS Well-Architected Framework
MAS
PCI-DSS
Critical
IAM Role with inline Admin access (*:*)
CIS
CISAWSF
APRA
AWS Well-Architected Framework
NIST 800-53
Medium
IAM user inline policy is over permissive
PCI-DSS
APRA
MAS
NIST4
AWS Well-Architected Framework
Low
Ensure Internet Gateway is attached to a VPC
APRA
AWS Well-Architected Framework
MAS
Medium
Unused NAT Resources
APRA
AWS Well-Architected Framework
MAS
Medium
AMI (Amazon Machine Images) not in use (12 months)
APRA
AWS Well-Architected Framework
MAS
Critical
Ensure EBS snapshots are not publicly accessible
GDPR
NIST4
PCI-DSS
AWS Well-Architected Framework
HITRUST
Medium
EBS snapshots not in use
AWS Well-Architected Framework
Medium
AMI (Amazon Machine Images) not in use
APRA
AWS Well-Architected Framework
MAS
Medium
Ensure Lambda environment variables are encrypted using customer-managed Customer Master Keys (CMKs)
AWS Well-Architected Framework
Medium
Ensure EMR clusters are encrypted in-transit and at-rest
APRA
AWS Well-Architected Framework
GDPR
HIPAA
MAS
Low
Ensure EMR cluster archive log files to S3
APRA
AWS Well-Architected Framework
GDPR
MAS
NIST4
Low
Ensure DynamoDB Tables are encrypted with customer managed key
APRA
AWS Well-Architected Framework
GDPR
NIST4
HITRUST
Critical
Ensure IAM password policy expires passwords within 90 days or less
ISO 27001
CSA CCM
SOC2
PCI-DSS
APRA
Medium
Ensure IAM password policy require at least one symbol
APRA
AWS Well-Architected Framework
CISAWSF
PCI-DSS
GDPR
Medium
Ensure IAM password policy requires at least one uppercase letter
APRA
AWS Well-Architected Framework
CISAWSF
PCI-DSS
HIPAA
Medium
Ensure IAM password policy require at least one number
APRA
AWS Well-Architected Framework
CISAWSF
PCI-DSS
GDPR
Medium
Ensure IAM password policy require at least one lowercase letter
APRA
AWS Well-Architected Framework
CISAWSF
PCI-DSS
ISO 27001
Medium
Ensure EBS volumes are of type gp3 (General Purpose SSD) instead of gp2
AWS Well-Architected Framework
Critical
IAM Role with Admin access (*:*)
CISAWSF
APRA
MAS
NIST4
AWS Well-Architected Framework
Medium
Ensure IAM Role has no inline policy
APRA
AWS Well-Architected Framework
MAS
NIST4
FedRAMP
Critical
Ensure IAM policies that allow full "*:*" administrative privileges are not created
APRA
AWS Well-Architected Framework
CISAWSF
GDPR
FTR
Low
Ensure RDS is not using the default port 1433
APRA
AWS Well-Architected Framework
NIST4
PCI-DSS
NIST 800-53
Medium
Ensure security groups do not have ingress open to any (0.0.0.0/0)
CIS
PCI-DSS
APRA
MAS
NIST4
Medium
Ensure security groups do not have all ports open
APRA
AWS Foundational Security Best Practices Controls
AWS Well-Architected Framework
HIPAA
HITRUST
Medium
EBS volume not in use
MAS
NIST4
AWS Well-Architected Framework
Medium
Ensure IAM users receive permissions only through groups
AWS Well-Architected Framework
CIS
CISAWSF
SOC2
PCI-DSS
Medium
Ensure S3 object versioning is enabled
PCI-DSS
APRA
MAS
NIST4
AWS Well-Architected Framework
Medium
Ensure VPC flow logging is enabled in all VPCs
CIS
SOC2
GDPR
ISO 27001
PCI-DSS
All Compliances
APRA
AWS Foundational Security Best Practices Controls
AWS Well-Architected Framework
CCPA
CIS
CIS 8
CIS EKS
CISAWSF
CSA CCM
FTR
FedRAMP
GDPR
HIPAA
HITRUST
ISO 27001
ISO 27701
MAS
NIST 800-53
NIST4
PCI-DSS
SOC2