[AppSync.2] AWS AppSync should have field-level logging enabled
[Backup.1] AWS Backup recovery points should be encrypted at rest
[CloudFront.1] CloudFront distributions should have a default root object configured
[CloudFront.3] CloudFront distributions should require encryption in transit
[CloudFront.4] CloudFront distributions should have origin failover configured
[CloudFront.5] CloudFront distributions should have logging enabled
[CloudFront.6] CloudFront distributions should have WAF enabled
[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates
[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests
[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins
[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins
[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins
[CloudFront.13] CloudFront distributions should use origin access control
[Config.1] AWS Config should be enabled and use the service-linked role for resource recording
[DataFirehose.1] Firehose delivery streams should be encrypted at rest
[DMS.6] DMS replication instances should have automatic minor version upgrade enabled
[DMS.7] DMS replication tasks for the target database should have logging enabled
[DMS.8] DMS replication tasks for the source database should have logging enabled
[DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled
[DMS.11] DMS endpoints for MongoDB should have an authentication mechanism enabled
[DMS.12] DMS endpoints for Redis should have TLS enabled
[DocumentDB.4] Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs
[DocumentDB.5] Amazon DocumentDB clusters should have deletion protection enabled
[DynamoDB.6] DynamoDB tables should have deletion protection enabled
[DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit
[EC2.24] Amazon EC2 paravirtual instance types should not be used
[EC2.51] EC2 Client VPN endpoints should have client connection logging enabled
[ECS.9] ECS task definitions should have a logging configuration
[EFS.6] EFS mount targets should not be associated with a public subnet
[EKS.3] EKS clusters should use encrypted Kubernetes secrets
[EKS.8] EKS clusters should have audit logging enabled
[ElastiCache.1] ElastiCache Redis clusters should have automatic backup enabled
[ElastiCache.2] ElastiCache for Redis cache clusters should have auto minor version upgrade enabled
[ElastiCache.7] ElastiCache clusters should not use the default subnet group
[ElasticBeanstalk.3] Elastic Beanstalk should stream logs to CloudWatch
[EMR.2] Amazon EMR block public access setting should be enabled
[FSx.1] FSx for OpenZFS file systems should be configured to copy tags to backups and volumes
[FSx.2] FSx for Lustre file systems should be configured to copy tags to backups
[Macie.1] Amazon Macie should be enabled
[Macie.2] Macie automated sensitive data discovery should be enabled
[MQ.2] ActiveMQ brokers should stream audit logs to CloudWatch
[MQ.3] Amazon MQ brokers should have automatic minor version upgrade enabled
[NetworkFirewall.2] Network Firewall logging should be enabled
[NetworkFirewall.9] Network Firewall firewalls should have deletion protection enabled
[Opensearch.10] OpenSearch domains should have the latest software update installed
[PCA.1] AWS Private CA root certificate authority should be disabled
[Route53.2] Route 53 public hosted zones should log DNS queries
[RDS.7] RDS clusters should have deletion protection enabled
[RDS.14] Amazon Aurora clusters should have backtracking enabled
[RDS.16] RDS DB clusters should be configured to copy tags to snapshots
[RDS.24] RDS Database clusters should use a custom administrator username
[RDS.34] Aurora MySQL DB clusters should publish audit logs to CloudWatch Logs
[RDS.35] RDS DB clusters should have automatic minor version upgrade enabled
[Redshift.3] Amazon Redshift clusters should have automatic snapshots enabled
[Redshift.15] Redshift security groups should allow ingress on the cluster port only from restricted origins
[S3.19] S3 access points should have block public access settings enabled
[SageMaker.4] SageMaker endpoint production variants should have an initial instance count greater than 1
[ServiceCatalog.1] Service Catalog portfolios should be shared within an AWS organization only
[StepFunctions.1] Step Functions state machines should have logging turned on
[Transfer.2] Transfer Family servers should not use FTP protocol for endpoint connection
[WAF.1] AWS WAF Classic Global Web ACL logging should be enabled
[WAF.6] AWS WAF Classic global rules should have at least one condition
[WAF.7] AWS WAF Classic global rule groups should have at least one rule
[WAF.8] AWS WAF Classic global web ACLs should have at least one rule or rule group
[WAF.12] AWS WAF rules should have CloudWatch metrics enabled

[CloudTrail.6] Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible
[EC2.22] Unused Amazon EC2 security groups should be removed
[KMS.4] AWS KMS key rotation should be enabled
[Lambda.3] Lambda functions should be in a VPC
[MQ.5] ActiveMQ brokers should use active/standby deployment mode
[MQ.6] RabbitMQ brokers should use cluster deployment mode
[S3.17] S3 general purpose buckets should be encrypted at rest with AWS KMS keys