AWS IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity. This lets you identify unintended access to your resources and data, which is a security risk. IAM Access Analyzer uses a form of mathematical analysis called automated reasoning, which applies logic and mathematical inference to determine all possible access paths allowed by a resource policy.

Enable IAM Access Analyzer for all accounts, create analyzer and take action over it is recommendations (IAM Access Analyzer is available at no additional cost).

•AWS-Account-Security-Onboarding: Enabled security services, Create analyzers in each active regions, Verify that events are present in SecurityHub aggregated view •CIS-1.4: 1.20 •CIS-1.5: 1.20 •CIS-2.0: 1.20 •CIS-3.0: 1.20 •CIS-4.0.1: 1.20 •CIS-5.0: 1.19 •ISO27001-2022: A.8.3 •KISA-ISMS-P-2023: 2.5.1, 2.5.5, 2.5.6, 2.10.2 •KISA-ISMS-P-2023-korean: 2.5.1, 2.5.5, 2.5.6, 2.10.2 •NIS2: 3.2.3.e, 11.1.1, 11.2.1, 11.2.2.e •ProwlerThreatScore-1.0: 1.2.6

AWS IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity. This lets you identify unintended access to your resources and data, which is a security risk. IAM Access Analyzer uses a form of mathematical analysis called automated reasoning, which applies logic and mathematical inference to determine all possible access paths allowed by a resource policy.

Enable IAM Access Analyzer for all accounts, create analyzer and take action over it is recommendations (IAM Access Analyzer is available at no additional cost).

•AWS-Account-Security-Onboarding: Enabled security services, Create analyzers in each active regions, Verify that events are present in SecurityHub aggregated view •CIS-1.4: 1.20 •CIS-1.5: 1.20 •CIS-2.0: 1.20 •CIS-3.0: 1.20 •CIS-4.0.1: 1.20 •CIS-5.0: 1.19 •ISO27001-2022: A.8.3 •KISA-ISMS-P-2023: 2.5.1, 2.5.5, 2.5.6, 2.10.2 •KISA-ISMS-P-2023-korean: 2.5.1, 2.5.5, 2.5.6, 2.10.2 •NIS2: 3.2.3.e, 11.1.1, 11.2.1, 11.2.2.e •ProwlerThreatScore-1.0: 1.2.6

AWS IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity. This lets you identify unintended access to your resources and data, which is a security risk. IAM Access Analyzer uses a form of mathematical analysis called automated reasoning, which applies logic and mathematical inference to determine all possible access paths allowed by a resource policy.

Enable IAM Access Analyzer for all accounts, create analyzer and take action over it is recommendations (IAM Access Analyzer is available at no additional cost).

•AWS-Account-Security-Onboarding: Enabled security services, Create analyzers in each active regions, Verify that events are present in SecurityHub aggregated view •CIS-1.4: 1.20 •CIS-1.5: 1.20 •CIS-2.0: 1.20 •CIS-3.0: 1.20 •CIS-4.0.1: 1.20 •CIS-5.0: 1.19 •ISO27001-2022: A.8.3 •KISA-ISMS-P-2023: 2.5.1, 2.5.5, 2.5.6, 2.10.2 •KISA-ISMS-P-2023-korean: 2.5.1, 2.5.5, 2.5.6, 2.10.2 •NIS2: 3.2.3.e, 11.1.1, 11.2.1, 11.2.2.e •ProwlerThreatScore-1.0: 1.2.6

AWS IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity. This lets you identify unintended access to your resources and data, which is a security risk. IAM Access Analyzer uses a form of mathematical analysis called automated reasoning, which applies logic and mathematical inference to determine all possible access paths allowed by a resource policy.

Enable IAM Access Analyzer for all accounts, create analyzer and take action over it is recommendations (IAM Access Analyzer is available at no additional cost).

•AWS-Account-Security-Onboarding: Enabled security services, Create analyzers in each active regions, Verify that events are present in SecurityHub aggregated view •CIS-1.4: 1.20 •CIS-1.5: 1.20 •CIS-2.0: 1.20 •CIS-3.0: 1.20 •CIS-4.0.1: 1.20 •CIS-5.0: 1.19 •ISO27001-2022: A.8.3 •KISA-ISMS-P-2023: 2.5.1, 2.5.5, 2.5.6, 2.10.2 •KISA-ISMS-P-2023-korean: 2.5.1, 2.5.5, 2.5.6, 2.10.2 •NIS2: 3.2.3.e, 11.1.1, 11.2.1, 11.2.2.e •ProwlerThreatScore-1.0: 1.2.6

AWS IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity. This lets you identify unintended access to your resources and data, which is a security risk. IAM Access Analyzer uses a form of mathematical analysis called automated reasoning, which applies logic and mathematical inference to determine all possible access paths allowed by a resource policy.

Enable IAM Access Analyzer for all accounts, create analyzer and take action over it is recommendations (IAM Access Analyzer is available at no additional cost).

•AWS-Account-Security-Onboarding: Enabled security services, Create analyzers in each active regions, Verify that events are present in SecurityHub aggregated view •CIS-1.4: 1.20 •CIS-1.5: 1.20 •CIS-2.0: 1.20 •CIS-3.0: 1.20 •CIS-4.0.1: 1.20 •CIS-5.0: 1.19 •ISO27001-2022: A.8.3 •KISA-ISMS-P-2023: 2.5.1, 2.5.5, 2.5.6, 2.10.2 •KISA-ISMS-P-2023-korean: 2.5.1, 2.5.5, 2.5.6, 2.10.2 •NIS2: 3.2.3.e, 11.1.1, 11.2.1, 11.2.2.e •ProwlerThreatScore-1.0: 1.2.6

AWS IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity. This lets you identify unintended access to your resources and data, which is a security risk. IAM Access Analyzer uses a form of mathematical analysis called automated reasoning, which applies logic and mathematical inference to determine all possible access paths allowed by a resource policy.

Enable IAM Access Analyzer for all accounts, create analyzer and take action over it is recommendations (IAM Access Analyzer is available at no additional cost).

•AWS-Account-Security-Onboarding: Enabled security services, Create analyzers in each active regions, Verify that events are present in SecurityHub aggregated view •CIS-1.4: 1.20 •CIS-1.5: 1.20 •CIS-2.0: 1.20 •CIS-3.0: 1.20 •CIS-4.0.1: 1.20 •CIS-5.0: 1.19 •ISO27001-2022: A.8.3 •KISA-ISMS-P-2023: 2.5.1, 2.5.5, 2.5.6, 2.10.2 •KISA-ISMS-P-2023-korean: 2.5.1, 2.5.5, 2.5.6, 2.10.2 •NIS2: 3.2.3.e, 11.1.1, 11.2.1, 11.2.2.e •ProwlerThreatScore-1.0: 1.2.6

AWS IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity. This lets you identify unintended access to your resources and data, which is a security risk. IAM Access Analyzer uses a form of mathematical analysis called automated reasoning, which applies logic and mathematical inference to determine all possible access paths allowed by a resource policy.

Enable IAM Access Analyzer for all accounts, create analyzer and take action over it is recommendations (IAM Access Analyzer is available at no additional cost).

•AWS-Account-Security-Onboarding: Enabled security services, Create analyzers in each active regions, Verify that events are present in SecurityHub aggregated view •CIS-1.4: 1.20 •CIS-1.5: 1.20 •CIS-2.0: 1.20 •CIS-3.0: 1.20 •CIS-4.0.1: 1.20 •CIS-5.0: 1.19 •ISO27001-2022: A.8.3 •KISA-ISMS-P-2023: 2.5.1, 2.5.5, 2.5.6, 2.10.2 •KISA-ISMS-P-2023-korean: 2.5.1, 2.5.5, 2.5.6, 2.10.2 •NIS2: 3.2.3.e, 11.1.1, 11.2.1, 11.2.2.e •ProwlerThreatScore-1.0: 1.2.6

AWS IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity. This lets you identify unintended access to your resources and data, which is a security risk. IAM Access Analyzer uses a form of mathematical analysis called automated reasoning, which applies logic and mathematical inference to determine all possible access paths allowed by a resource policy.

Enable IAM Access Analyzer for all accounts, create analyzer and take action over it is recommendations (IAM Access Analyzer is available at no additional cost).

•AWS-Account-Security-Onboarding: Enabled security services, Create analyzers in each active regions, Verify that events are present in SecurityHub aggregated view •CIS-1.4: 1.20 •CIS-1.5: 1.20 •CIS-2.0: 1.20 •CIS-3.0: 1.20 •CIS-4.0.1: 1.20 •CIS-5.0: 1.19 •ISO27001-2022: A.8.3 •KISA-ISMS-P-2023: 2.5.1, 2.5.5, 2.5.6, 2.10.2 •KISA-ISMS-P-2023-korean: 2.5.1, 2.5.5, 2.5.6, 2.10.2 •NIS2: 3.2.3.e, 11.1.1, 11.2.1, 11.2.2.e •ProwlerThreatScore-1.0: 1.2.6

AWS IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity. This lets you identify unintended access to your resources and data, which is a security risk. IAM Access Analyzer uses a form of mathematical analysis called automated reasoning, which applies logic and mathematical inference to determine all possible access paths allowed by a resource policy.

Enable IAM Access Analyzer for all accounts, create analyzer and take action over it is recommendations (IAM Access Analyzer is available at no additional cost).

•AWS-Account-Security-Onboarding: Enabled security services, Create analyzers in each active regions, Verify that events are present in SecurityHub aggregated view •CIS-1.4: 1.20 •CIS-1.5: 1.20 •CIS-2.0: 1.20 •CIS-3.0: 1.20 •CIS-4.0.1: 1.20 •CIS-5.0: 1.19 •ISO27001-2022: A.8.3 •KISA-ISMS-P-2023: 2.5.1, 2.5.5, 2.5.6, 2.10.2 •KISA-ISMS-P-2023-korean: 2.5.1, 2.5.5, 2.5.6, 2.10.2 •NIS2: 3.2.3.e, 11.1.1, 11.2.1, 11.2.2.e •ProwlerThreatScore-1.0: 1.2.6

AWS IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity. This lets you identify unintended access to your resources and data, which is a security risk. IAM Access Analyzer uses a form of mathematical analysis called automated reasoning, which applies logic and mathematical inference to determine all possible access paths allowed by a resource policy.

Enable IAM Access Analyzer for all accounts, create analyzer and take action over it is recommendations (IAM Access Analyzer is available at no additional cost).

•AWS-Account-Security-Onboarding: Enabled security services, Create analyzers in each active regions, Verify that events are present in SecurityHub aggregated view •CIS-1.4: 1.20 •CIS-1.5: 1.20 •CIS-2.0: 1.20 •CIS-3.0: 1.20 •CIS-4.0.1: 1.20 •CIS-5.0: 1.19 •ISO27001-2022: A.8.3 •KISA-ISMS-P-2023: 2.5.1, 2.5.5, 2.5.6, 2.10.2 •KISA-ISMS-P-2023-korean: 2.5.1, 2.5.5, 2.5.6, 2.10.2 •NIS2: 3.2.3.e, 11.1.1, 11.2.1, 11.2.2.e •ProwlerThreatScore-1.0: 1.2.6

AWS IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity. This lets you identify unintended access to your resources and data, which is a security risk. IAM Access Analyzer uses a form of mathematical analysis called automated reasoning, which applies logic and mathematical inference to determine all possible access paths allowed by a resource policy.

Enable IAM Access Analyzer for all accounts, create analyzer and take action over it is recommendations (IAM Access Analyzer is available at no additional cost).

•AWS-Account-Security-Onboarding: Enabled security services, Create analyzers in each active regions, Verify that events are present in SecurityHub aggregated view •CIS-1.4: 1.20 •CIS-1.5: 1.20 •CIS-2.0: 1.20 •CIS-3.0: 1.20 •CIS-4.0.1: 1.20 •CIS-5.0: 1.19 •ISO27001-2022: A.8.3 •KISA-ISMS-P-2023: 2.5.1, 2.5.5, 2.5.6, 2.10.2 •KISA-ISMS-P-2023-korean: 2.5.1, 2.5.5, 2.5.6, 2.10.2 •NIS2: 3.2.3.e, 11.1.1, 11.2.1, 11.2.2.e •ProwlerThreatScore-1.0: 1.2.6

AWS IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity. This lets you identify unintended access to your resources and data, which is a security risk. IAM Access Analyzer uses a form of mathematical analysis called automated reasoning, which applies logic and mathematical inference to determine all possible access paths allowed by a resource policy.

Enable IAM Access Analyzer for all accounts, create analyzer and take action over it is recommendations (IAM Access Analyzer is available at no additional cost).

•AWS-Account-Security-Onboarding: Enabled security services, Create analyzers in each active regions, Verify that events are present in SecurityHub aggregated view •CIS-1.4: 1.20 •CIS-1.5: 1.20 •CIS-2.0: 1.20 •CIS-3.0: 1.20 •CIS-4.0.1: 1.20 •CIS-5.0: 1.19 •ISO27001-2022: A.8.3 •KISA-ISMS-P-2023: 2.5.1, 2.5.5, 2.5.6, 2.10.2 •KISA-ISMS-P-2023-korean: 2.5.1, 2.5.5, 2.5.6, 2.10.2 •NIS2: 3.2.3.e, 11.1.1, 11.2.1, 11.2.2.e •ProwlerThreatScore-1.0: 1.2.6

AWS IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity. This lets you identify unintended access to your resources and data, which is a security risk. IAM Access Analyzer uses a form of mathematical analysis called automated reasoning, which applies logic and mathematical inference to determine all possible access paths allowed by a resource policy.

Enable IAM Access Analyzer for all accounts, create analyzer and take action over it is recommendations (IAM Access Analyzer is available at no additional cost).

•AWS-Account-Security-Onboarding: Enabled security services, Create analyzers in each active regions, Verify that events are present in SecurityHub aggregated view •CIS-1.4: 1.20 •CIS-1.5: 1.20 •CIS-2.0: 1.20 •CIS-3.0: 1.20 •CIS-4.0.1: 1.20 •CIS-5.0: 1.19 •ISO27001-2022: A.8.3 •KISA-ISMS-P-2023: 2.5.1, 2.5.5, 2.5.6, 2.10.2 •KISA-ISMS-P-2023-korean: 2.5.1, 2.5.5, 2.5.6, 2.10.2 •NIS2: 3.2.3.e, 11.1.1, 11.2.1, 11.2.2.e •ProwlerThreatScore-1.0: 1.2.6

AWS IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity. This lets you identify unintended access to your resources and data, which is a security risk. IAM Access Analyzer uses a form of mathematical analysis called automated reasoning, which applies logic and mathematical inference to determine all possible access paths allowed by a resource policy.

Enable IAM Access Analyzer for all accounts, create analyzer and take action over it is recommendations (IAM Access Analyzer is available at no additional cost).

•AWS-Account-Security-Onboarding: Enabled security services, Create analyzers in each active regions, Verify that events are present in SecurityHub aggregated view •CIS-1.4: 1.20 •CIS-1.5: 1.20 •CIS-2.0: 1.20 •CIS-3.0: 1.20 •CIS-4.0.1: 1.20 •CIS-5.0: 1.19 •ISO27001-2022: A.8.3 •KISA-ISMS-P-2023: 2.5.1, 2.5.5, 2.5.6, 2.10.2 •KISA-ISMS-P-2023-korean: 2.5.1, 2.5.5, 2.5.6, 2.10.2 •NIS2: 3.2.3.e, 11.1.1, 11.2.1, 11.2.2.e •ProwlerThreatScore-1.0: 1.2.6

AWS IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity. This lets you identify unintended access to your resources and data, which is a security risk. IAM Access Analyzer uses a form of mathematical analysis called automated reasoning, which applies logic and mathematical inference to determine all possible access paths allowed by a resource policy.

Enable IAM Access Analyzer for all accounts, create analyzer and take action over it is recommendations (IAM Access Analyzer is available at no additional cost).

•AWS-Account-Security-Onboarding: Enabled security services, Create analyzers in each active regions, Verify that events are present in SecurityHub aggregated view •CIS-1.4: 1.20 •CIS-1.5: 1.20 •CIS-2.0: 1.20 •CIS-3.0: 1.20 •CIS-4.0.1: 1.20 •CIS-5.0: 1.19 •ISO27001-2022: A.8.3 •KISA-ISMS-P-2023: 2.5.1, 2.5.5, 2.5.6, 2.10.2 •KISA-ISMS-P-2023-korean: 2.5.1, 2.5.5, 2.5.6, 2.10.2 •NIS2: 3.2.3.e, 11.1.1, 11.2.1, 11.2.2.e •ProwlerThreatScore-1.0: 1.2.6

AWS IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity. This lets you identify unintended access to your resources and data, which is a security risk. IAM Access Analyzer uses a form of mathematical analysis called automated reasoning, which applies logic and mathematical inference to determine all possible access paths allowed by a resource policy.

Enable IAM Access Analyzer for all accounts, create analyzer and take action over it is recommendations (IAM Access Analyzer is available at no additional cost).

•AWS-Account-Security-Onboarding: Enabled security services, Create analyzers in each active regions, Verify that events are present in SecurityHub aggregated view •CIS-1.4: 1.20 •CIS-1.5: 1.20 •CIS-2.0: 1.20 •CIS-3.0: 1.20 •CIS-4.0.1: 1.20 •CIS-5.0: 1.19 •ISO27001-2022: A.8.3 •KISA-ISMS-P-2023: 2.5.1, 2.5.5, 2.5.6, 2.10.2 •KISA-ISMS-P-2023-korean: 2.5.1, 2.5.5, 2.5.6, 2.10.2 •NIS2: 3.2.3.e, 11.1.1, 11.2.1, 11.2.2.e •ProwlerThreatScore-1.0: 1.2.6

AWS IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity. This lets you identify unintended access to your resources and data, which is a security risk. IAM Access Analyzer uses a form of mathematical analysis called automated reasoning, which applies logic and mathematical inference to determine all possible access paths allowed by a resource policy.

Enable IAM Access Analyzer for all accounts, create analyzer and take action over it is recommendations (IAM Access Analyzer is available at no additional cost).

•AWS-Account-Security-Onboarding: Enabled security services, Create analyzers in each active regions, Verify that events are present in SecurityHub aggregated view •CIS-1.4: 1.20 •CIS-1.5: 1.20 •CIS-2.0: 1.20 •CIS-3.0: 1.20 •CIS-4.0.1: 1.20 •CIS-5.0: 1.19 •ISO27001-2022: A.8.3 •KISA-ISMS-P-2023: 2.5.1, 2.5.5, 2.5.6, 2.10.2 •KISA-ISMS-P-2023-korean: 2.5.1, 2.5.5, 2.5.6, 2.10.2 •NIS2: 3.2.3.e, 11.1.1, 11.2.1, 11.2.2.e •ProwlerThreatScore-1.0: 1.2.6

Ensure contact email and telephone details for AWS accounts are current and map to more than one individual in your organization. An AWS account supports a number of contact details, and AWS will use these to contact the account owner if activity judged to be in breach of Acceptable Use Policy. If an AWS account is observed to be behaving in a prohibited or suspicious manner, AWS will attempt to contact the account owner by email and phone using the contact details listed. If this is unsuccessful and the account behavior needs urgent mitigation, proactive measures may be taken, including throttling of traffic between the account exhibiting suspicious behavior and the AWS API endpoints and the Internet. This will result in impaired service to and from the account in question.

Using the Billing and Cost Management console complete contact details.

•ISO27001-2022: A.5.6 •KISA-ISMS-P-2023: 2.10.2 •KISA-ISMS-P-2023-korean: 2.10.2

Without an AWS Backup vault, an organization's critical data may be at risk of being lost in the event of an accidental deletion, system failures, or natural disasters.

Use AWS Backup to create backup vaults for your critical data and services.

•AWS-Foundational-Technical-Review: BAR-001 •ENS-RD2022: mp.info.6.aws.bcku.1 •ISO27001-2022: A.8.13 •KISA-ISMS-P-2023: 2.9.3, 2.12.1 •KISA-ISMS-P-2023-korean: 2.9.3, 2.12.1 •NIS2: 3.6.2, 4.1.2.f, 4.1.2.g, 4.2.2.b, 4.2.2.e, 12.1.2.c, 12.2.2.b

In Amazon Bedrock, model invocation logging enables you to collect the invocation request and response data, along with metadata, for all 'Converse', 'ConverseStream', 'InvokeModel', and 'InvokeModelWithResponseStream' API calls in your AWS account. Each log entry includes important details such as the timestamp, request ID, model ID, and token usage. Invocation logs can be utilized for troubleshooting, performance enhancements, abuse detection, and security auditing. By default, model invocation logging is disabled.

Enable model invocation logging for Amazon Bedrock service in order to collect metadata, requests, and responses for all model invocations in your AWS cloud account.

•ISO27001-2022: A.8.15 •KISA-ISMS-P-2023: 2.9.4, 2.10.2 •KISA-ISMS-P-2023-korean: 2.9.4, 2.10.2 •NIS2: 3.2.3.c •SOC2: cc_a_1_1

In Amazon Bedrock, model invocation logging enables you to collect the invocation request and response data, along with metadata, for all 'Converse', 'ConverseStream', 'InvokeModel', and 'InvokeModelWithResponseStream' API calls in your AWS account. Each log entry includes important details such as the timestamp, request ID, model ID, and token usage. Invocation logs can be utilized for troubleshooting, performance enhancements, abuse detection, and security auditing. By default, model invocation logging is disabled.

Enable model invocation logging for Amazon Bedrock service in order to collect metadata, requests, and responses for all model invocations in your AWS cloud account.

•ISO27001-2022: A.8.15 •KISA-ISMS-P-2023: 2.9.4, 2.10.2 •KISA-ISMS-P-2023-korean: 2.9.4, 2.10.2 •NIS2: 3.2.3.c •SOC2: cc_a_1_1

In Amazon Bedrock, model invocation logging enables you to collect the invocation request and response data, along with metadata, for all 'Converse', 'ConverseStream', 'InvokeModel', and 'InvokeModelWithResponseStream' API calls in your AWS account. Each log entry includes important details such as the timestamp, request ID, model ID, and token usage. Invocation logs can be utilized for troubleshooting, performance enhancements, abuse detection, and security auditing. By default, model invocation logging is disabled.

Enable model invocation logging for Amazon Bedrock service in order to collect metadata, requests, and responses for all model invocations in your AWS cloud account.

•ISO27001-2022: A.8.15 •KISA-ISMS-P-2023: 2.9.4, 2.10.2 •KISA-ISMS-P-2023-korean: 2.9.4, 2.10.2 •NIS2: 3.2.3.c •SOC2: cc_a_1_1

In Amazon Bedrock, model invocation logging enables you to collect the invocation request and response data, along with metadata, for all 'Converse', 'ConverseStream', 'InvokeModel', and 'InvokeModelWithResponseStream' API calls in your AWS account. Each log entry includes important details such as the timestamp, request ID, model ID, and token usage. Invocation logs can be utilized for troubleshooting, performance enhancements, abuse detection, and security auditing. By default, model invocation logging is disabled.

Enable model invocation logging for Amazon Bedrock service in order to collect metadata, requests, and responses for all model invocations in your AWS cloud account.

•ISO27001-2022: A.8.15 •KISA-ISMS-P-2023: 2.9.4, 2.10.2 •KISA-ISMS-P-2023-korean: 2.9.4, 2.10.2 •NIS2: 3.2.3.c •SOC2: cc_a_1_1

In Amazon Bedrock, model invocation logging enables you to collect the invocation request and response data, along with metadata, for all 'Converse', 'ConverseStream', 'InvokeModel', and 'InvokeModelWithResponseStream' API calls in your AWS account. Each log entry includes important details such as the timestamp, request ID, model ID, and token usage. Invocation logs can be utilized for troubleshooting, performance enhancements, abuse detection, and security auditing. By default, model invocation logging is disabled.

Enable model invocation logging for Amazon Bedrock service in order to collect metadata, requests, and responses for all model invocations in your AWS cloud account.

•ISO27001-2022: A.8.15 •KISA-ISMS-P-2023: 2.9.4, 2.10.2 •KISA-ISMS-P-2023-korean: 2.9.4, 2.10.2 •NIS2: 3.2.3.c •SOC2: cc_a_1_1

In Amazon Bedrock, model invocation logging enables you to collect the invocation request and response data, along with metadata, for all 'Converse', 'ConverseStream', 'InvokeModel', and 'InvokeModelWithResponseStream' API calls in your AWS account. Each log entry includes important details such as the timestamp, request ID, model ID, and token usage. Invocation logs can be utilized for troubleshooting, performance enhancements, abuse detection, and security auditing. By default, model invocation logging is disabled.

Enable model invocation logging for Amazon Bedrock service in order to collect metadata, requests, and responses for all model invocations in your AWS cloud account.

•ISO27001-2022: A.8.15 •KISA-ISMS-P-2023: 2.9.4, 2.10.2 •KISA-ISMS-P-2023-korean: 2.9.4, 2.10.2 •NIS2: 3.2.3.c •SOC2: cc_a_1_1

In Amazon Bedrock, model invocation logging enables you to collect the invocation request and response data, along with metadata, for all 'Converse', 'ConverseStream', 'InvokeModel', and 'InvokeModelWithResponseStream' API calls in your AWS account. Each log entry includes important details such as the timestamp, request ID, model ID, and token usage. Invocation logs can be utilized for troubleshooting, performance enhancements, abuse detection, and security auditing. By default, model invocation logging is disabled.

Enable model invocation logging for Amazon Bedrock service in order to collect metadata, requests, and responses for all model invocations in your AWS cloud account.

•ISO27001-2022: A.8.15 •KISA-ISMS-P-2023: 2.9.4, 2.10.2 •KISA-ISMS-P-2023-korean: 2.9.4, 2.10.2 •NIS2: 3.2.3.c •SOC2: cc_a_1_1

In Amazon Bedrock, model invocation logging enables you to collect the invocation request and response data, along with metadata, for all 'Converse', 'ConverseStream', 'InvokeModel', and 'InvokeModelWithResponseStream' API calls in your AWS account. Each log entry includes important details such as the timestamp, request ID, model ID, and token usage. Invocation logs can be utilized for troubleshooting, performance enhancements, abuse detection, and security auditing. By default, model invocation logging is disabled.

Enable model invocation logging for Amazon Bedrock service in order to collect metadata, requests, and responses for all model invocations in your AWS cloud account.

•ISO27001-2022: A.8.15 •KISA-ISMS-P-2023: 2.9.4, 2.10.2 •KISA-ISMS-P-2023-korean: 2.9.4, 2.10.2 •NIS2: 3.2.3.c •SOC2: cc_a_1_1

In Amazon Bedrock, model invocation logging enables you to collect the invocation request and response data, along with metadata, for all 'Converse', 'ConverseStream', 'InvokeModel', and 'InvokeModelWithResponseStream' API calls in your AWS account. Each log entry includes important details such as the timestamp, request ID, model ID, and token usage. Invocation logs can be utilized for troubleshooting, performance enhancements, abuse detection, and security auditing. By default, model invocation logging is disabled.

Enable model invocation logging for Amazon Bedrock service in order to collect metadata, requests, and responses for all model invocations in your AWS cloud account.

•ISO27001-2022: A.8.15 •KISA-ISMS-P-2023: 2.9.4, 2.10.2 •KISA-ISMS-P-2023-korean: 2.9.4, 2.10.2 •NIS2: 3.2.3.c •SOC2: cc_a_1_1

In Amazon Bedrock, model invocation logging enables you to collect the invocation request and response data, along with metadata, for all 'Converse', 'ConverseStream', 'InvokeModel', and 'InvokeModelWithResponseStream' API calls in your AWS account. Each log entry includes important details such as the timestamp, request ID, model ID, and token usage. Invocation logs can be utilized for troubleshooting, performance enhancements, abuse detection, and security auditing. By default, model invocation logging is disabled.

Enable model invocation logging for Amazon Bedrock service in order to collect metadata, requests, and responses for all model invocations in your AWS cloud account.

•ISO27001-2022: A.8.15 •KISA-ISMS-P-2023: 2.9.4, 2.10.2 •KISA-ISMS-P-2023-korean: 2.9.4, 2.10.2 •NIS2: 3.2.3.c •SOC2: cc_a_1_1

In Amazon Bedrock, model invocation logging enables you to collect the invocation request and response data, along with metadata, for all 'Converse', 'ConverseStream', 'InvokeModel', and 'InvokeModelWithResponseStream' API calls in your AWS account. Each log entry includes important details such as the timestamp, request ID, model ID, and token usage. Invocation logs can be utilized for troubleshooting, performance enhancements, abuse detection, and security auditing. By default, model invocation logging is disabled.

Enable model invocation logging for Amazon Bedrock service in order to collect metadata, requests, and responses for all model invocations in your AWS cloud account.

•ISO27001-2022: A.8.15 •KISA-ISMS-P-2023: 2.9.4, 2.10.2 •KISA-ISMS-P-2023-korean: 2.9.4, 2.10.2 •NIS2: 3.2.3.c •SOC2: cc_a_1_1

In Amazon Bedrock, model invocation logging enables you to collect the invocation request and response data, along with metadata, for all 'Converse', 'ConverseStream', 'InvokeModel', and 'InvokeModelWithResponseStream' API calls in your AWS account. Each log entry includes important details such as the timestamp, request ID, model ID, and token usage. Invocation logs can be utilized for troubleshooting, performance enhancements, abuse detection, and security auditing. By default, model invocation logging is disabled.

Enable model invocation logging for Amazon Bedrock service in order to collect metadata, requests, and responses for all model invocations in your AWS cloud account.

•ISO27001-2022: A.8.15 •KISA-ISMS-P-2023: 2.9.4, 2.10.2 •KISA-ISMS-P-2023-korean: 2.9.4, 2.10.2 •NIS2: 3.2.3.c •SOC2: cc_a_1_1

In Amazon Bedrock, model invocation logging enables you to collect the invocation request and response data, along with metadata, for all 'Converse', 'ConverseStream', 'InvokeModel', and 'InvokeModelWithResponseStream' API calls in your AWS account. Each log entry includes important details such as the timestamp, request ID, model ID, and token usage. Invocation logs can be utilized for troubleshooting, performance enhancements, abuse detection, and security auditing. By default, model invocation logging is disabled.

Enable model invocation logging for Amazon Bedrock service in order to collect metadata, requests, and responses for all model invocations in your AWS cloud account.

•ISO27001-2022: A.8.15 •KISA-ISMS-P-2023: 2.9.4, 2.10.2 •KISA-ISMS-P-2023-korean: 2.9.4, 2.10.2 •NIS2: 3.2.3.c •SOC2: cc_a_1_1

In Amazon Bedrock, model invocation logging enables you to collect the invocation request and response data, along with metadata, for all 'Converse', 'ConverseStream', 'InvokeModel', and 'InvokeModelWithResponseStream' API calls in your AWS account. Each log entry includes important details such as the timestamp, request ID, model ID, and token usage. Invocation logs can be utilized for troubleshooting, performance enhancements, abuse detection, and security auditing. By default, model invocation logging is disabled.

Enable model invocation logging for Amazon Bedrock service in order to collect metadata, requests, and responses for all model invocations in your AWS cloud account.

•ISO27001-2022: A.8.15 •KISA-ISMS-P-2023: 2.9.4, 2.10.2 •KISA-ISMS-P-2023-korean: 2.9.4, 2.10.2 •NIS2: 3.2.3.c •SOC2: cc_a_1_1

In Amazon Bedrock, model invocation logging enables you to collect the invocation request and response data, along with metadata, for all 'Converse', 'ConverseStream', 'InvokeModel', and 'InvokeModelWithResponseStream' API calls in your AWS account. Each log entry includes important details such as the timestamp, request ID, model ID, and token usage. Invocation logs can be utilized for troubleshooting, performance enhancements, abuse detection, and security auditing. By default, model invocation logging is disabled.

Enable model invocation logging for Amazon Bedrock service in order to collect metadata, requests, and responses for all model invocations in your AWS cloud account.

•ISO27001-2022: A.8.15 •KISA-ISMS-P-2023: 2.9.4, 2.10.2 •KISA-ISMS-P-2023-korean: 2.9.4, 2.10.2 •NIS2: 3.2.3.c •SOC2: cc_a_1_1

In Amazon Bedrock, model invocation logging enables you to collect the invocation request and response data, along with metadata, for all 'Converse', 'ConverseStream', 'InvokeModel', and 'InvokeModelWithResponseStream' API calls in your AWS account. Each log entry includes important details such as the timestamp, request ID, model ID, and token usage. Invocation logs can be utilized for troubleshooting, performance enhancements, abuse detection, and security auditing. By default, model invocation logging is disabled.

Enable model invocation logging for Amazon Bedrock service in order to collect metadata, requests, and responses for all model invocations in your AWS cloud account.

•ISO27001-2022: A.8.15 •KISA-ISMS-P-2023: 2.9.4, 2.10.2 •KISA-ISMS-P-2023-korean: 2.9.4, 2.10.2 •NIS2: 3.2.3.c •SOC2: cc_a_1_1

In Amazon Bedrock, model invocation logging enables you to collect the invocation request and response data, along with metadata, for all 'Converse', 'ConverseStream', 'InvokeModel', and 'InvokeModelWithResponseStream' API calls in your AWS account. Each log entry includes important details such as the timestamp, request ID, model ID, and token usage. Invocation logs can be utilized for troubleshooting, performance enhancements, abuse detection, and security auditing. By default, model invocation logging is disabled.

Enable model invocation logging for Amazon Bedrock service in order to collect metadata, requests, and responses for all model invocations in your AWS cloud account.

•ISO27001-2022: A.8.15 •KISA-ISMS-P-2023: 2.9.4, 2.10.2 •KISA-ISMS-P-2023-korean: 2.9.4, 2.10.2 •NIS2: 3.2.3.c •SOC2: cc_a_1_1

AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service.

Ensure Logging is set to ON on all regions (even if they are not being used at the moment.

•AWS-Account-Security-Onboarding: Enable as part of Organization trail •AWS-Foundational-Security-Best-Practices: CloudTrail.1 •AWS-Well-Architected-Framework-Security-Pillar: SEC04-BP02, SEC04-BP03 •CISA: your-systems-3, your-data-2 •CIS-1.4: 3.1 •CIS-1.5: 3.1 •CIS-2.0: 3.1 •CIS-3.0: 3.1 •CIS-4.0.1: 3.1 •CIS-5.0: 3.1 •ENS-RD2022: op.acc.6.r5.aws.iam.1, op.exp.5.aws.ct.1, op.exp.8.aws.ct.1, op.exp.8.aws.ct.6, op.exp.9.aws.ct.1, op.mon.1.aws.ct.1 •FedRAMP-Low-Revision-4: ac-2, au-2, ca-7 •FedRamp-Moderate-Revision-4: ac-2-4, ac-2-g, au-2-a-d, au-3, au-6-1-3, au-12-a-c, ca-7-a-b, si-4-16, si-4-2, si-4-4, si-4-5 •FFIEC: d2-ma-ma-b-1, d2-ma-ma-b-2, d3-dc-an-b-3, d3-dc-an-b-4, d3-dc-an-b-5, d3-dc-ev-b-1, d3-dc-ev-b-3, d3-pc-im-b-3, d3-pc-im-b-7, d5-dr-de-b-3 •GDPR: article_25, article_30 •GxP-21-CFR-Part-11: 11.10-e, 11.10-k, 11.300-d •GxP-EU-Annex-11: 1-risk-management, 4.2-validation-documentation-change-control •HIPAA: 164_308_a_1_ii_d, 164_308_a_3_ii_a, 164_308_a_6_ii, 164_312_b, 164_312_e_2_i •ISO27001-2013: A.12.4 •KISA-ISMS-P-2023: 2.9.4, 2.10.1, 2.10.2 •KISA-ISMS-P-2023-korean: 2.9.4, 2.10.1, 2.10.2 •NIST-800-171-Revision-2: 3_1_12, 3_3_1, 3_3_2, 3_3_3, 3_4_1, 3_6_1, 3_6_2, 3_13_1, 3_13_2, 3_14_6, 3_14_7 •NIST-800-53-Revision-4: ac_2_4, ac_2, au_2, au_3, au_12, cm_2 •NIST-800-53-Revision-5: ac_2_4, ac_3_1, ac_3_10, ac_4_26, ac_6_9, au_2_b, au_3_1, au_3_a, au_3_b, au_3_c, au_3_d, au_3_e, au_3_f, au_6_3, au_6_4, au_6_6, au_6_9, au_8_b, au_10, au_12_a, au_12_c, au_12_1, au_12_2, au_12_3, au_12_4, au_14_a, au_14_b, au_14_3, ca_7_b, cm_5_1_b, cm_6_a, cm_9_b, ia_3_3_b, ma_4_1_a, pm_14_a_1, pm_14_b, pm_31, sc_7_9_b, si_1_1_c, si_3_8_b, si_4_2, si_4_17, si_4_20, si_7_8, si_10_1_c •NIST-CSF-1.1: ae_1, ae_3, ae_4, cm_1, cm_3, cm_6, cm_7, am_3, ac_6, ds_5, ma_2, pt_1 •PCI-3.2.1: 3.2, 3.2.3, 3.4, 3.4.d, 10.1, 10.2, 10.2.1, 10.2.2, 10.2.3, 10.2.4, 10.2.6, 10.2.7, 10.3, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6, 10.5, 10.5.4 •PCI-4.0: 10.2.1.1.22, 10.2.1.2.19, 10.2.1.3.19, 10.2.1.4.19, 10.2.1.5.19, 10.2.1.6.19, 10.2.1.7.19, 10.2.1.19, 10.2.2.19, 10.3.1.19, 10.6.3.24, 5.3.4.22, A1.2.1.23 •ProwlerThreatScore-1.0: 3.1.1 •RBI-Cyber-Security-Framework: annex_i_7_4 •SOC2: cc_2_1, cc_7_2, cc_a_1_1

AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service.

Ensure Logging is set to ON on all regions (even if they are not being used at the moment.

•AWS-Account-Security-Onboarding: Enable as part of Organization trail •AWS-Foundational-Security-Best-Practices: CloudTrail.1 •AWS-Well-Architected-Framework-Security-Pillar: SEC04-BP02, SEC04-BP03 •CISA: your-systems-3, your-data-2 •CIS-1.4: 3.1 •CIS-1.5: 3.1 •CIS-2.0: 3.1 •CIS-3.0: 3.1 •CIS-4.0.1: 3.1 •CIS-5.0: 3.1 •ENS-RD2022: op.acc.6.r5.aws.iam.1, op.exp.5.aws.ct.1, op.exp.8.aws.ct.1, op.exp.8.aws.ct.6, op.exp.9.aws.ct.1, op.mon.1.aws.ct.1 •FedRAMP-Low-Revision-4: ac-2, au-2, ca-7 •FedRamp-Moderate-Revision-4: ac-2-4, ac-2-g, au-2-a-d, au-3, au-6-1-3, au-12-a-c, ca-7-a-b, si-4-16, si-4-2, si-4-4, si-4-5 •FFIEC: d2-ma-ma-b-1, d2-ma-ma-b-2, d3-dc-an-b-3, d3-dc-an-b-4, d3-dc-an-b-5, d3-dc-ev-b-1, d3-dc-ev-b-3, d3-pc-im-b-3, d3-pc-im-b-7, d5-dr-de-b-3 •GDPR: article_25, article_30 •GxP-21-CFR-Part-11: 11.10-e, 11.10-k, 11.300-d •GxP-EU-Annex-11: 1-risk-management, 4.2-validation-documentation-change-control •HIPAA: 164_308_a_1_ii_d, 164_308_a_3_ii_a, 164_308_a_6_ii, 164_312_b, 164_312_e_2_i •ISO27001-2013: A.12.4 •KISA-ISMS-P-2023: 2.9.4, 2.10.1, 2.10.2 •KISA-ISMS-P-2023-korean: 2.9.4, 2.10.1, 2.10.2 •NIST-800-171-Revision-2: 3_1_12, 3_3_1, 3_3_2, 3_3_3, 3_4_1, 3_6_1, 3_6_2, 3_13_1, 3_13_2, 3_14_6, 3_14_7 •NIST-800-53-Revision-4: ac_2_4, ac_2, au_2, au_3, au_12, cm_2 •NIST-800-53-Revision-5: ac_2_4, ac_3_1, ac_3_10, ac_4_26, ac_6_9, au_2_b, au_3_1, au_3_a, au_3_b, au_3_c, au_3_d, au_3_e, au_3_f, au_6_3, au_6_4, au_6_6, au_6_9, au_8_b, au_10, au_12_a, au_12_c, au_12_1, au_12_2, au_12_3, au_12_4, au_14_a, au_14_b, au_14_3, ca_7_b, cm_5_1_b, cm_6_a, cm_9_b, ia_3_3_b, ma_4_1_a, pm_14_a_1, pm_14_b, pm_31, sc_7_9_b, si_1_1_c, si_3_8_b, si_4_2, si_4_17, si_4_20, si_7_8, si_10_1_c •NIST-CSF-1.1: ae_1, ae_3, ae_4, cm_1, cm_3, cm_6, cm_7, am_3, ac_6, ds_5, ma_2, pt_1 •PCI-3.2.1: 3.2, 3.2.3, 3.4, 3.4.d, 10.1, 10.2, 10.2.1, 10.2.2, 10.2.3, 10.2.4, 10.2.6, 10.2.7, 10.3, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6, 10.5, 10.5.4 •PCI-4.0: 10.2.1.1.22, 10.2.1.2.19, 10.2.1.3.19, 10.2.1.4.19, 10.2.1.5.19, 10.2.1.6.19, 10.2.1.7.19, 10.2.1.19, 10.2.2.19, 10.3.1.19, 10.6.3.24, 5.3.4.22, A1.2.1.23 •ProwlerThreatScore-1.0: 3.1.1 •RBI-Cyber-Security-Framework: annex_i_7_4 •SOC2: cc_2_1, cc_7_2, cc_a_1_1

AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service.

Ensure Logging is set to ON on all regions (even if they are not being used at the moment.

•AWS-Account-Security-Onboarding: Enable as part of Organization trail •AWS-Foundational-Security-Best-Practices: CloudTrail.1 •AWS-Well-Architected-Framework-Security-Pillar: SEC04-BP02, SEC04-BP03 •CISA: your-systems-3, your-data-2 •CIS-1.4: 3.1 •CIS-1.5: 3.1 •CIS-2.0: 3.1 •CIS-3.0: 3.1 •CIS-4.0.1: 3.1 •CIS-5.0: 3.1 •ENS-RD2022: op.acc.6.r5.aws.iam.1, op.exp.5.aws.ct.1, op.exp.8.aws.ct.1, op.exp.8.aws.ct.6, op.exp.9.aws.ct.1, op.mon.1.aws.ct.1 •FedRAMP-Low-Revision-4: ac-2, au-2, ca-7 •FedRamp-Moderate-Revision-4: ac-2-4, ac-2-g, au-2-a-d, au-3, au-6-1-3, au-12-a-c, ca-7-a-b, si-4-16, si-4-2, si-4-4, si-4-5 •FFIEC: d2-ma-ma-b-1, d2-ma-ma-b-2, d3-dc-an-b-3, d3-dc-an-b-4, d3-dc-an-b-5, d3-dc-ev-b-1, d3-dc-ev-b-3, d3-pc-im-b-3, d3-pc-im-b-7, d5-dr-de-b-3 •GDPR: article_25, article_30 •GxP-21-CFR-Part-11: 11.10-e, 11.10-k, 11.300-d •GxP-EU-Annex-11: 1-risk-management, 4.2-validation-documentation-change-control •HIPAA: 164_308_a_1_ii_d, 164_308_a_3_ii_a, 164_308_a_6_ii, 164_312_b, 164_312_e_2_i •ISO27001-2013: A.12.4 •KISA-ISMS-P-2023: 2.9.4, 2.10.1, 2.10.2 •KISA-ISMS-P-2023-korean: 2.9.4, 2.10.1, 2.10.2 •NIST-800-171-Revision-2: 3_1_12, 3_3_1, 3_3_2, 3_3_3, 3_4_1, 3_6_1, 3_6_2, 3_13_1, 3_13_2, 3_14_6, 3_14_7 •NIST-800-53-Revision-4: ac_2_4, ac_2, au_2, au_3, au_12, cm_2 •NIST-800-53-Revision-5: ac_2_4, ac_3_1, ac_3_10, ac_4_26, ac_6_9, au_2_b, au_3_1, au_3_a, au_3_b, au_3_c, au_3_d, au_3_e, au_3_f, au_6_3, au_6_4, au_6_6, au_6_9, au_8_b, au_10, au_12_a, au_12_c, au_12_1, au_12_2, au_12_3, au_12_4, au_14_a, au_14_b, au_14_3, ca_7_b, cm_5_1_b, cm_6_a, cm_9_b, ia_3_3_b, ma_4_1_a, pm_14_a_1, pm_14_b, pm_31, sc_7_9_b, si_1_1_c, si_3_8_b, si_4_2, si_4_17, si_4_20, si_7_8, si_10_1_c •NIST-CSF-1.1: ae_1, ae_3, ae_4, cm_1, cm_3, cm_6, cm_7, am_3, ac_6, ds_5, ma_2, pt_1 •PCI-3.2.1: 3.2, 3.2.3, 3.4, 3.4.d, 10.1, 10.2, 10.2.1, 10.2.2, 10.2.3, 10.2.4, 10.2.6, 10.2.7, 10.3, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6, 10.5, 10.5.4 •PCI-4.0: 10.2.1.1.22, 10.2.1.2.19, 10.2.1.3.19, 10.2.1.4.19, 10.2.1.5.19, 10.2.1.6.19, 10.2.1.7.19, 10.2.1.19, 10.2.2.19, 10.3.1.19, 10.6.3.24, 5.3.4.22, A1.2.1.23 •ProwlerThreatScore-1.0: 3.1.1 •RBI-Cyber-Security-Framework: annex_i_7_4 •SOC2: cc_2_1, cc_7_2, cc_a_1_1

AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service.

Ensure Logging is set to ON on all regions (even if they are not being used at the moment.

•AWS-Account-Security-Onboarding: Enable as part of Organization trail •AWS-Foundational-Security-Best-Practices: CloudTrail.1 •AWS-Well-Architected-Framework-Security-Pillar: SEC04-BP02, SEC04-BP03 •CISA: your-systems-3, your-data-2 •CIS-1.4: 3.1 •CIS-1.5: 3.1 •CIS-2.0: 3.1 •CIS-3.0: 3.1 •CIS-4.0.1: 3.1 •CIS-5.0: 3.1 •ENS-RD2022: op.acc.6.r5.aws.iam.1, op.exp.5.aws.ct.1, op.exp.8.aws.ct.1, op.exp.8.aws.ct.6, op.exp.9.aws.ct.1, op.mon.1.aws.ct.1 •FedRAMP-Low-Revision-4: ac-2, au-2, ca-7 •FedRamp-Moderate-Revision-4: ac-2-4, ac-2-g, au-2-a-d, au-3, au-6-1-3, au-12-a-c, ca-7-a-b, si-4-16, si-4-2, si-4-4, si-4-5 •FFIEC: d2-ma-ma-b-1, d2-ma-ma-b-2, d3-dc-an-b-3, d3-dc-an-b-4, d3-dc-an-b-5, d3-dc-ev-b-1, d3-dc-ev-b-3, d3-pc-im-b-3, d3-pc-im-b-7, d5-dr-de-b-3 •GDPR: article_25, article_30 •GxP-21-CFR-Part-11: 11.10-e, 11.10-k, 11.300-d •GxP-EU-Annex-11: 1-risk-management, 4.2-validation-documentation-change-control •HIPAA: 164_308_a_1_ii_d, 164_308_a_3_ii_a, 164_308_a_6_ii, 164_312_b, 164_312_e_2_i •ISO27001-2013: A.12.4 •KISA-ISMS-P-2023: 2.9.4, 2.10.1, 2.10.2 •KISA-ISMS-P-2023-korean: 2.9.4, 2.10.1, 2.10.2 •NIST-800-171-Revision-2: 3_1_12, 3_3_1, 3_3_2, 3_3_3, 3_4_1, 3_6_1, 3_6_2, 3_13_1, 3_13_2, 3_14_6, 3_14_7 •NIST-800-53-Revision-4: ac_2_4, ac_2, au_2, au_3, au_12, cm_2 •NIST-800-53-Revision-5: ac_2_4, ac_3_1, ac_3_10, ac_4_26, ac_6_9, au_2_b, au_3_1, au_3_a, au_3_b, au_3_c, au_3_d, au_3_e, au_3_f, au_6_3, au_6_4, au_6_6, au_6_9, au_8_b, au_10, au_12_a, au_12_c, au_12_1, au_12_2, au_12_3, au_12_4, au_14_a, au_14_b, au_14_3, ca_7_b, cm_5_1_b, cm_6_a, cm_9_b, ia_3_3_b, ma_4_1_a, pm_14_a_1, pm_14_b, pm_31, sc_7_9_b, si_1_1_c, si_3_8_b, si_4_2, si_4_17, si_4_20, si_7_8, si_10_1_c •NIST-CSF-1.1: ae_1, ae_3, ae_4, cm_1, cm_3, cm_6, cm_7, am_3, ac_6, ds_5, ma_2, pt_1 •PCI-3.2.1: 3.2, 3.2.3, 3.4, 3.4.d, 10.1, 10.2, 10.2.1, 10.2.2, 10.2.3, 10.2.4, 10.2.6, 10.2.7, 10.3, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6, 10.5, 10.5.4 •PCI-4.0: 10.2.1.1.22, 10.2.1.2.19, 10.2.1.3.19, 10.2.1.4.19, 10.2.1.5.19, 10.2.1.6.19, 10.2.1.7.19, 10.2.1.19, 10.2.2.19, 10.3.1.19, 10.6.3.24, 5.3.4.22, A1.2.1.23 •ProwlerThreatScore-1.0: 3.1.1 •RBI-Cyber-Security-Framework: annex_i_7_4 •SOC2: cc_2_1, cc_7_2, cc_a_1_1

AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service.

Ensure Logging is set to ON on all regions (even if they are not being used at the moment.

•AWS-Account-Security-Onboarding: Enable as part of Organization trail •AWS-Foundational-Security-Best-Practices: CloudTrail.1 •AWS-Well-Architected-Framework-Security-Pillar: SEC04-BP02, SEC04-BP03 •CISA: your-systems-3, your-data-2 •CIS-1.4: 3.1 •CIS-1.5: 3.1 •CIS-2.0: 3.1 •CIS-3.0: 3.1 •CIS-4.0.1: 3.1 •CIS-5.0: 3.1 •ENS-RD2022: op.acc.6.r5.aws.iam.1, op.exp.5.aws.ct.1, op.exp.8.aws.ct.1, op.exp.8.aws.ct.6, op.exp.9.aws.ct.1, op.mon.1.aws.ct.1 •FedRAMP-Low-Revision-4: ac-2, au-2, ca-7 •FedRamp-Moderate-Revision-4: ac-2-4, ac-2-g, au-2-a-d, au-3, au-6-1-3, au-12-a-c, ca-7-a-b, si-4-16, si-4-2, si-4-4, si-4-5 •FFIEC: d2-ma-ma-b-1, d2-ma-ma-b-2, d3-dc-an-b-3, d3-dc-an-b-4, d3-dc-an-b-5, d3-dc-ev-b-1, d3-dc-ev-b-3, d3-pc-im-b-3, d3-pc-im-b-7, d5-dr-de-b-3 •GDPR: article_25, article_30 •GxP-21-CFR-Part-11: 11.10-e, 11.10-k, 11.300-d •GxP-EU-Annex-11: 1-risk-management, 4.2-validation-documentation-change-control •HIPAA: 164_308_a_1_ii_d, 164_308_a_3_ii_a, 164_308_a_6_ii, 164_312_b, 164_312_e_2_i •ISO27001-2013: A.12.4 •KISA-ISMS-P-2023: 2.9.4, 2.10.1, 2.10.2 •KISA-ISMS-P-2023-korean: 2.9.4, 2.10.1, 2.10.2 •NIST-800-171-Revision-2: 3_1_12, 3_3_1, 3_3_2, 3_3_3, 3_4_1, 3_6_1, 3_6_2, 3_13_1, 3_13_2, 3_14_6, 3_14_7 •NIST-800-53-Revision-4: ac_2_4, ac_2, au_2, au_3, au_12, cm_2 •NIST-800-53-Revision-5: ac_2_4, ac_3_1, ac_3_10, ac_4_26, ac_6_9, au_2_b, au_3_1, au_3_a, au_3_b, au_3_c, au_3_d, au_3_e, au_3_f, au_6_3, au_6_4, au_6_6, au_6_9, au_8_b, au_10, au_12_a, au_12_c, au_12_1, au_12_2, au_12_3, au_12_4, au_14_a, au_14_b, au_14_3, ca_7_b, cm_5_1_b, cm_6_a, cm_9_b, ia_3_3_b, ma_4_1_a, pm_14_a_1, pm_14_b, pm_31, sc_7_9_b, si_1_1_c, si_3_8_b, si_4_2, si_4_17, si_4_20, si_7_8, si_10_1_c •NIST-CSF-1.1: ae_1, ae_3, ae_4, cm_1, cm_3, cm_6, cm_7, am_3, ac_6, ds_5, ma_2, pt_1 •PCI-3.2.1: 3.2, 3.2.3, 3.4, 3.4.d, 10.1, 10.2, 10.2.1, 10.2.2, 10.2.3, 10.2.4, 10.2.6, 10.2.7, 10.3, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6, 10.5, 10.5.4 •PCI-4.0: 10.2.1.1.22, 10.2.1.2.19, 10.2.1.3.19, 10.2.1.4.19, 10.2.1.5.19, 10.2.1.6.19, 10.2.1.7.19, 10.2.1.19, 10.2.2.19, 10.3.1.19, 10.6.3.24, 5.3.4.22, A1.2.1.23 •ProwlerThreatScore-1.0: 3.1.1 •RBI-Cyber-Security-Framework: annex_i_7_4 •SOC2: cc_2_1, cc_7_2, cc_a_1_1

AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service.

Ensure Logging is set to ON on all regions (even if they are not being used at the moment.

•AWS-Account-Security-Onboarding: Enable as part of Organization trail •AWS-Foundational-Security-Best-Practices: CloudTrail.1 •AWS-Well-Architected-Framework-Security-Pillar: SEC04-BP02, SEC04-BP03 •CISA: your-systems-3, your-data-2 •CIS-1.4: 3.1 •CIS-1.5: 3.1 •CIS-2.0: 3.1 •CIS-3.0: 3.1 •CIS-4.0.1: 3.1 •CIS-5.0: 3.1 •ENS-RD2022: op.acc.6.r5.aws.iam.1, op.exp.5.aws.ct.1, op.exp.8.aws.ct.1, op.exp.8.aws.ct.6, op.exp.9.aws.ct.1, op.mon.1.aws.ct.1 •FedRAMP-Low-Revision-4: ac-2, au-2, ca-7 •FedRamp-Moderate-Revision-4: ac-2-4, ac-2-g, au-2-a-d, au-3, au-6-1-3, au-12-a-c, ca-7-a-b, si-4-16, si-4-2, si-4-4, si-4-5 •FFIEC: d2-ma-ma-b-1, d2-ma-ma-b-2, d3-dc-an-b-3, d3-dc-an-b-4, d3-dc-an-b-5, d3-dc-ev-b-1, d3-dc-ev-b-3, d3-pc-im-b-3, d3-pc-im-b-7, d5-dr-de-b-3 •GDPR: article_25, article_30 •GxP-21-CFR-Part-11: 11.10-e, 11.10-k, 11.300-d •GxP-EU-Annex-11: 1-risk-management, 4.2-validation-documentation-change-control •HIPAA: 164_308_a_1_ii_d, 164_308_a_3_ii_a, 164_308_a_6_ii, 164_312_b, 164_312_e_2_i •ISO27001-2013: A.12.4 •KISA-ISMS-P-2023: 2.9.4, 2.10.1, 2.10.2 •KISA-ISMS-P-2023-korean: 2.9.4, 2.10.1, 2.10.2 •NIST-800-171-Revision-2: 3_1_12, 3_3_1, 3_3_2, 3_3_3, 3_4_1, 3_6_1, 3_6_2, 3_13_1, 3_13_2, 3_14_6, 3_14_7 •NIST-800-53-Revision-4: ac_2_4, ac_2, au_2, au_3, au_12, cm_2 •NIST-800-53-Revision-5: ac_2_4, ac_3_1, ac_3_10, ac_4_26, ac_6_9, au_2_b, au_3_1, au_3_a, au_3_b, au_3_c, au_3_d, au_3_e, au_3_f, au_6_3, au_6_4, au_6_6, au_6_9, au_8_b, au_10, au_12_a, au_12_c, au_12_1, au_12_2, au_12_3, au_12_4, au_14_a, au_14_b, au_14_3, ca_7_b, cm_5_1_b, cm_6_a, cm_9_b, ia_3_3_b, ma_4_1_a, pm_14_a_1, pm_14_b, pm_31, sc_7_9_b, si_1_1_c, si_3_8_b, si_4_2, si_4_17, si_4_20, si_7_8, si_10_1_c •NIST-CSF-1.1: ae_1, ae_3, ae_4, cm_1, cm_3, cm_6, cm_7, am_3, ac_6, ds_5, ma_2, pt_1 •PCI-3.2.1: 3.2, 3.2.3, 3.4, 3.4.d, 10.1, 10.2, 10.2.1, 10.2.2, 10.2.3, 10.2.4, 10.2.6, 10.2.7, 10.3, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6, 10.5, 10.5.4 •PCI-4.0: 10.2.1.1.22, 10.2.1.2.19, 10.2.1.3.19, 10.2.1.4.19, 10.2.1.5.19, 10.2.1.6.19, 10.2.1.7.19, 10.2.1.19, 10.2.2.19, 10.3.1.19, 10.6.3.24, 5.3.4.22, A1.2.1.23 •ProwlerThreatScore-1.0: 3.1.1 •RBI-Cyber-Security-Framework: annex_i_7_4 •SOC2: cc_2_1, cc_7_2, cc_a_1_1

AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service.

Ensure Logging is set to ON on all regions (even if they are not being used at the moment.

•AWS-Account-Security-Onboarding: Enable as part of Organization trail •AWS-Foundational-Security-Best-Practices: CloudTrail.1 •AWS-Well-Architected-Framework-Security-Pillar: SEC04-BP02, SEC04-BP03 •CISA: your-systems-3, your-data-2 •CIS-1.4: 3.1 •CIS-1.5: 3.1 •CIS-2.0: 3.1 •CIS-3.0: 3.1 •CIS-4.0.1: 3.1 •CIS-5.0: 3.1 •ENS-RD2022: op.acc.6.r5.aws.iam.1, op.exp.5.aws.ct.1, op.exp.8.aws.ct.1, op.exp.8.aws.ct.6, op.exp.9.aws.ct.1, op.mon.1.aws.ct.1 •FedRAMP-Low-Revision-4: ac-2, au-2, ca-7 •FedRamp-Moderate-Revision-4: ac-2-4, ac-2-g, au-2-a-d, au-3, au-6-1-3, au-12-a-c, ca-7-a-b, si-4-16, si-4-2, si-4-4, si-4-5 •FFIEC: d2-ma-ma-b-1, d2-ma-ma-b-2, d3-dc-an-b-3, d3-dc-an-b-4, d3-dc-an-b-5, d3-dc-ev-b-1, d3-dc-ev-b-3, d3-pc-im-b-3, d3-pc-im-b-7, d5-dr-de-b-3 •GDPR: article_25, article_30 •GxP-21-CFR-Part-11: 11.10-e, 11.10-k, 11.300-d •GxP-EU-Annex-11: 1-risk-management, 4.2-validation-documentation-change-control •HIPAA: 164_308_a_1_ii_d, 164_308_a_3_ii_a, 164_308_a_6_ii, 164_312_b, 164_312_e_2_i •ISO27001-2013: A.12.4 •KISA-ISMS-P-2023: 2.9.4, 2.10.1, 2.10.2 •KISA-ISMS-P-2023-korean: 2.9.4, 2.10.1, 2.10.2 •NIST-800-171-Revision-2: 3_1_12, 3_3_1, 3_3_2, 3_3_3, 3_4_1, 3_6_1, 3_6_2, 3_13_1, 3_13_2, 3_14_6, 3_14_7 •NIST-800-53-Revision-4: ac_2_4, ac_2, au_2, au_3, au_12, cm_2 •NIST-800-53-Revision-5: ac_2_4, ac_3_1, ac_3_10, ac_4_26, ac_6_9, au_2_b, au_3_1, au_3_a, au_3_b, au_3_c, au_3_d, au_3_e, au_3_f, au_6_3, au_6_4, au_6_6, au_6_9, au_8_b, au_10, au_12_a, au_12_c, au_12_1, au_12_2, au_12_3, au_12_4, au_14_a, au_14_b, au_14_3, ca_7_b, cm_5_1_b, cm_6_a, cm_9_b, ia_3_3_b, ma_4_1_a, pm_14_a_1, pm_14_b, pm_31, sc_7_9_b, si_1_1_c, si_3_8_b, si_4_2, si_4_17, si_4_20, si_7_8, si_10_1_c •NIST-CSF-1.1: ae_1, ae_3, ae_4, cm_1, cm_3, cm_6, cm_7, am_3, ac_6, ds_5, ma_2, pt_1 •PCI-3.2.1: 3.2, 3.2.3, 3.4, 3.4.d, 10.1, 10.2, 10.2.1, 10.2.2, 10.2.3, 10.2.4, 10.2.6, 10.2.7, 10.3, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6, 10.5, 10.5.4 •PCI-4.0: 10.2.1.1.22, 10.2.1.2.19, 10.2.1.3.19, 10.2.1.4.19, 10.2.1.5.19, 10.2.1.6.19, 10.2.1.7.19, 10.2.1.19, 10.2.2.19, 10.3.1.19, 10.6.3.24, 5.3.4.22, A1.2.1.23 •ProwlerThreatScore-1.0: 3.1.1 •RBI-Cyber-Security-Framework: annex_i_7_4 •SOC2: cc_2_1, cc_7_2, cc_a_1_1

AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service.

Ensure Logging is set to ON on all regions (even if they are not being used at the moment.

•AWS-Account-Security-Onboarding: Enable as part of Organization trail •AWS-Foundational-Security-Best-Practices: CloudTrail.1 •AWS-Well-Architected-Framework-Security-Pillar: SEC04-BP02, SEC04-BP03 •CISA: your-systems-3, your-data-2 •CIS-1.4: 3.1 •CIS-1.5: 3.1 •CIS-2.0: 3.1 •CIS-3.0: 3.1 •CIS-4.0.1: 3.1 •CIS-5.0: 3.1 •ENS-RD2022: op.acc.6.r5.aws.iam.1, op.exp.5.aws.ct.1, op.exp.8.aws.ct.1, op.exp.8.aws.ct.6, op.exp.9.aws.ct.1, op.mon.1.aws.ct.1 •FedRAMP-Low-Revision-4: ac-2, au-2, ca-7 •FedRamp-Moderate-Revision-4: ac-2-4, ac-2-g, au-2-a-d, au-3, au-6-1-3, au-12-a-c, ca-7-a-b, si-4-16, si-4-2, si-4-4, si-4-5 •FFIEC: d2-ma-ma-b-1, d2-ma-ma-b-2, d3-dc-an-b-3, d3-dc-an-b-4, d3-dc-an-b-5, d3-dc-ev-b-1, d3-dc-ev-b-3, d3-pc-im-b-3, d3-pc-im-b-7, d5-dr-de-b-3 •GDPR: article_25, article_30 •GxP-21-CFR-Part-11: 11.10-e, 11.10-k, 11.300-d •GxP-EU-Annex-11: 1-risk-management, 4.2-validation-documentation-change-control •HIPAA: 164_308_a_1_ii_d, 164_308_a_3_ii_a, 164_308_a_6_ii, 164_312_b, 164_312_e_2_i •ISO27001-2013: A.12.4 •KISA-ISMS-P-2023: 2.9.4, 2.10.1, 2.10.2 •KISA-ISMS-P-2023-korean: 2.9.4, 2.10.1, 2.10.2 •NIST-800-171-Revision-2: 3_1_12, 3_3_1, 3_3_2, 3_3_3, 3_4_1, 3_6_1, 3_6_2, 3_13_1, 3_13_2, 3_14_6, 3_14_7 •NIST-800-53-Revision-4: ac_2_4, ac_2, au_2, au_3, au_12, cm_2 •NIST-800-53-Revision-5: ac_2_4, ac_3_1, ac_3_10, ac_4_26, ac_6_9, au_2_b, au_3_1, au_3_a, au_3_b, au_3_c, au_3_d, au_3_e, au_3_f, au_6_3, au_6_4, au_6_6, au_6_9, au_8_b, au_10, au_12_a, au_12_c, au_12_1, au_12_2, au_12_3, au_12_4, au_14_a, au_14_b, au_14_3, ca_7_b, cm_5_1_b, cm_6_a, cm_9_b, ia_3_3_b, ma_4_1_a, pm_14_a_1, pm_14_b, pm_31, sc_7_9_b, si_1_1_c, si_3_8_b, si_4_2, si_4_17, si_4_20, si_7_8, si_10_1_c •NIST-CSF-1.1: ae_1, ae_3, ae_4, cm_1, cm_3, cm_6, cm_7, am_3, ac_6, ds_5, ma_2, pt_1 •PCI-3.2.1: 3.2, 3.2.3, 3.4, 3.4.d, 10.1, 10.2, 10.2.1, 10.2.2, 10.2.3, 10.2.4, 10.2.6, 10.2.7, 10.3, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6, 10.5, 10.5.4 •PCI-4.0: 10.2.1.1.22, 10.2.1.2.19, 10.2.1.3.19, 10.2.1.4.19, 10.2.1.5.19, 10.2.1.6.19, 10.2.1.7.19, 10.2.1.19, 10.2.2.19, 10.3.1.19, 10.6.3.24, 5.3.4.22, A1.2.1.23 •ProwlerThreatScore-1.0: 3.1.1 •RBI-Cyber-Security-Framework: annex_i_7_4 •SOC2: cc_2_1, cc_7_2, cc_a_1_1

AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service.

Ensure Logging is set to ON on all regions (even if they are not being used at the moment.

•AWS-Account-Security-Onboarding: Enable as part of Organization trail •AWS-Foundational-Security-Best-Practices: CloudTrail.1 •AWS-Well-Architected-Framework-Security-Pillar: SEC04-BP02, SEC04-BP03 •CISA: your-systems-3, your-data-2 •CIS-1.4: 3.1 •CIS-1.5: 3.1 •CIS-2.0: 3.1 •CIS-3.0: 3.1 •CIS-4.0.1: 3.1 •CIS-5.0: 3.1 •ENS-RD2022: op.acc.6.r5.aws.iam.1, op.exp.5.aws.ct.1, op.exp.8.aws.ct.1, op.exp.8.aws.ct.6, op.exp.9.aws.ct.1, op.mon.1.aws.ct.1 •FedRAMP-Low-Revision-4: ac-2, au-2, ca-7 •FedRamp-Moderate-Revision-4: ac-2-4, ac-2-g, au-2-a-d, au-3, au-6-1-3, au-12-a-c, ca-7-a-b, si-4-16, si-4-2, si-4-4, si-4-5 •FFIEC: d2-ma-ma-b-1, d2-ma-ma-b-2, d3-dc-an-b-3, d3-dc-an-b-4, d3-dc-an-b-5, d3-dc-ev-b-1, d3-dc-ev-b-3, d3-pc-im-b-3, d3-pc-im-b-7, d5-dr-de-b-3 •GDPR: article_25, article_30 •GxP-21-CFR-Part-11: 11.10-e, 11.10-k, 11.300-d •GxP-EU-Annex-11: 1-risk-management, 4.2-validation-documentation-change-control •HIPAA: 164_308_a_1_ii_d, 164_308_a_3_ii_a, 164_308_a_6_ii, 164_312_b, 164_312_e_2_i •ISO27001-2013: A.12.4 •KISA-ISMS-P-2023: 2.9.4, 2.10.1, 2.10.2 •KISA-ISMS-P-2023-korean: 2.9.4, 2.10.1, 2.10.2 •NIST-800-171-Revision-2: 3_1_12, 3_3_1, 3_3_2, 3_3_3, 3_4_1, 3_6_1, 3_6_2, 3_13_1, 3_13_2, 3_14_6, 3_14_7 •NIST-800-53-Revision-4: ac_2_4, ac_2, au_2, au_3, au_12, cm_2 •NIST-800-53-Revision-5: ac_2_4, ac_3_1, ac_3_10, ac_4_26, ac_6_9, au_2_b, au_3_1, au_3_a, au_3_b, au_3_c, au_3_d, au_3_e, au_3_f, au_6_3, au_6_4, au_6_6, au_6_9, au_8_b, au_10, au_12_a, au_12_c, au_12_1, au_12_2, au_12_3, au_12_4, au_14_a, au_14_b, au_14_3, ca_7_b, cm_5_1_b, cm_6_a, cm_9_b, ia_3_3_b, ma_4_1_a, pm_14_a_1, pm_14_b, pm_31, sc_7_9_b, si_1_1_c, si_3_8_b, si_4_2, si_4_17, si_4_20, si_7_8, si_10_1_c •NIST-CSF-1.1: ae_1, ae_3, ae_4, cm_1, cm_3, cm_6, cm_7, am_3, ac_6, ds_5, ma_2, pt_1 •PCI-3.2.1: 3.2, 3.2.3, 3.4, 3.4.d, 10.1, 10.2, 10.2.1, 10.2.2, 10.2.3, 10.2.4, 10.2.6, 10.2.7, 10.3, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6, 10.5, 10.5.4 •PCI-4.0: 10.2.1.1.22, 10.2.1.2.19, 10.2.1.3.19, 10.2.1.4.19, 10.2.1.5.19, 10.2.1.6.19, 10.2.1.7.19, 10.2.1.19, 10.2.2.19, 10.3.1.19, 10.6.3.24, 5.3.4.22, A1.2.1.23 •ProwlerThreatScore-1.0: 3.1.1 •RBI-Cyber-Security-Framework: annex_i_7_4 •SOC2: cc_2_1, cc_7_2, cc_a_1_1

AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service.

Ensure Logging is set to ON on all regions (even if they are not being used at the moment.

•AWS-Account-Security-Onboarding: Enable as part of Organization trail •AWS-Foundational-Security-Best-Practices: CloudTrail.1 •AWS-Well-Architected-Framework-Security-Pillar: SEC04-BP02, SEC04-BP03 •CISA: your-systems-3, your-data-2 •CIS-1.4: 3.1 •CIS-1.5: 3.1 •CIS-2.0: 3.1 •CIS-3.0: 3.1 •CIS-4.0.1: 3.1 •CIS-5.0: 3.1 •ENS-RD2022: op.acc.6.r5.aws.iam.1, op.exp.5.aws.ct.1, op.exp.8.aws.ct.1, op.exp.8.aws.ct.6, op.exp.9.aws.ct.1, op.mon.1.aws.ct.1 •FedRAMP-Low-Revision-4: ac-2, au-2, ca-7 •FedRamp-Moderate-Revision-4: ac-2-4, ac-2-g, au-2-a-d, au-3, au-6-1-3, au-12-a-c, ca-7-a-b, si-4-16, si-4-2, si-4-4, si-4-5 •FFIEC: d2-ma-ma-b-1, d2-ma-ma-b-2, d3-dc-an-b-3, d3-dc-an-b-4, d3-dc-an-b-5, d3-dc-ev-b-1, d3-dc-ev-b-3, d3-pc-im-b-3, d3-pc-im-b-7, d5-dr-de-b-3 •GDPR: article_25, article_30 •GxP-21-CFR-Part-11: 11.10-e, 11.10-k, 11.300-d •GxP-EU-Annex-11: 1-risk-management, 4.2-validation-documentation-change-control •HIPAA: 164_308_a_1_ii_d, 164_308_a_3_ii_a, 164_308_a_6_ii, 164_312_b, 164_312_e_2_i •ISO27001-2013: A.12.4 •KISA-ISMS-P-2023: 2.9.4, 2.10.1, 2.10.2 •KISA-ISMS-P-2023-korean: 2.9.4, 2.10.1, 2.10.2 •NIST-800-171-Revision-2: 3_1_12, 3_3_1, 3_3_2, 3_3_3, 3_4_1, 3_6_1, 3_6_2, 3_13_1, 3_13_2, 3_14_6, 3_14_7 •NIST-800-53-Revision-4: ac_2_4, ac_2, au_2, au_3, au_12, cm_2 •NIST-800-53-Revision-5: ac_2_4, ac_3_1, ac_3_10, ac_4_26, ac_6_9, au_2_b, au_3_1, au_3_a, au_3_b, au_3_c, au_3_d, au_3_e, au_3_f, au_6_3, au_6_4, au_6_6, au_6_9, au_8_b, au_10, au_12_a, au_12_c, au_12_1, au_12_2, au_12_3, au_12_4, au_14_a, au_14_b, au_14_3, ca_7_b, cm_5_1_b, cm_6_a, cm_9_b, ia_3_3_b, ma_4_1_a, pm_14_a_1, pm_14_b, pm_31, sc_7_9_b, si_1_1_c, si_3_8_b, si_4_2, si_4_17, si_4_20, si_7_8, si_10_1_c •NIST-CSF-1.1: ae_1, ae_3, ae_4, cm_1, cm_3, cm_6, cm_7, am_3, ac_6, ds_5, ma_2, pt_1 •PCI-3.2.1: 3.2, 3.2.3, 3.4, 3.4.d, 10.1, 10.2, 10.2.1, 10.2.2, 10.2.3, 10.2.4, 10.2.6, 10.2.7, 10.3, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6, 10.5, 10.5.4 •PCI-4.0: 10.2.1.1.22, 10.2.1.2.19, 10.2.1.3.19, 10.2.1.4.19, 10.2.1.5.19, 10.2.1.6.19, 10.2.1.7.19, 10.2.1.19, 10.2.2.19, 10.3.1.19, 10.6.3.24, 5.3.4.22, A1.2.1.23 •ProwlerThreatScore-1.0: 3.1.1 •RBI-Cyber-Security-Framework: annex_i_7_4 •SOC2: cc_2_1, cc_7_2, cc_a_1_1

AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service.

Ensure Logging is set to ON on all regions (even if they are not being used at the moment.

•AWS-Account-Security-Onboarding: Enable as part of Organization trail •AWS-Foundational-Security-Best-Practices: CloudTrail.1 •AWS-Well-Architected-Framework-Security-Pillar: SEC04-BP02, SEC04-BP03 •CISA: your-systems-3, your-data-2 •CIS-1.4: 3.1 •CIS-1.5: 3.1 •CIS-2.0: 3.1 •CIS-3.0: 3.1 •CIS-4.0.1: 3.1 •CIS-5.0: 3.1 •ENS-RD2022: op.acc.6.r5.aws.iam.1, op.exp.5.aws.ct.1, op.exp.8.aws.ct.1, op.exp.8.aws.ct.6, op.exp.9.aws.ct.1, op.mon.1.aws.ct.1 •FedRAMP-Low-Revision-4: ac-2, au-2, ca-7 •FedRamp-Moderate-Revision-4: ac-2-4, ac-2-g, au-2-a-d, au-3, au-6-1-3, au-12-a-c, ca-7-a-b, si-4-16, si-4-2, si-4-4, si-4-5 •FFIEC: d2-ma-ma-b-1, d2-ma-ma-b-2, d3-dc-an-b-3, d3-dc-an-b-4, d3-dc-an-b-5, d3-dc-ev-b-1, d3-dc-ev-b-3, d3-pc-im-b-3, d3-pc-im-b-7, d5-dr-de-b-3 •GDPR: article_25, article_30 •GxP-21-CFR-Part-11: 11.10-e, 11.10-k, 11.300-d •GxP-EU-Annex-11: 1-risk-management, 4.2-validation-documentation-change-control •HIPAA: 164_308_a_1_ii_d, 164_308_a_3_ii_a, 164_308_a_6_ii, 164_312_b, 164_312_e_2_i •ISO27001-2013: A.12.4 •KISA-ISMS-P-2023: 2.9.4, 2.10.1, 2.10.2 •KISA-ISMS-P-2023-korean: 2.9.4, 2.10.1, 2.10.2 •NIST-800-171-Revision-2: 3_1_12, 3_3_1, 3_3_2, 3_3_3, 3_4_1, 3_6_1, 3_6_2, 3_13_1, 3_13_2, 3_14_6, 3_14_7 •NIST-800-53-Revision-4: ac_2_4, ac_2, au_2, au_3, au_12, cm_2 •NIST-800-53-Revision-5: ac_2_4, ac_3_1, ac_3_10, ac_4_26, ac_6_9, au_2_b, au_3_1, au_3_a, au_3_b, au_3_c, au_3_d, au_3_e, au_3_f, au_6_3, au_6_4, au_6_6, au_6_9, au_8_b, au_10, au_12_a, au_12_c, au_12_1, au_12_2, au_12_3, au_12_4, au_14_a, au_14_b, au_14_3, ca_7_b, cm_5_1_b, cm_6_a, cm_9_b, ia_3_3_b, ma_4_1_a, pm_14_a_1, pm_14_b, pm_31, sc_7_9_b, si_1_1_c, si_3_8_b, si_4_2, si_4_17, si_4_20, si_7_8, si_10_1_c •NIST-CSF-1.1: ae_1, ae_3, ae_4, cm_1, cm_3, cm_6, cm_7, am_3, ac_6, ds_5, ma_2, pt_1 •PCI-3.2.1: 3.2, 3.2.3, 3.4, 3.4.d, 10.1, 10.2, 10.2.1, 10.2.2, 10.2.3, 10.2.4, 10.2.6, 10.2.7, 10.3, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6, 10.5, 10.5.4 •PCI-4.0: 10.2.1.1.22, 10.2.1.2.19, 10.2.1.3.19, 10.2.1.4.19, 10.2.1.5.19, 10.2.1.6.19, 10.2.1.7.19, 10.2.1.19, 10.2.2.19, 10.3.1.19, 10.6.3.24, 5.3.4.22, A1.2.1.23 •ProwlerThreatScore-1.0: 3.1.1 •RBI-Cyber-Security-Framework: annex_i_7_4 •SOC2: cc_2_1, cc_7_2, cc_a_1_1

AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service.

Ensure Logging is set to ON on all regions (even if they are not being used at the moment.

•AWS-Account-Security-Onboarding: Enable as part of Organization trail •AWS-Foundational-Security-Best-Practices: CloudTrail.1 •AWS-Well-Architected-Framework-Security-Pillar: SEC04-BP02, SEC04-BP03 •CISA: your-systems-3, your-data-2 •CIS-1.4: 3.1 •CIS-1.5: 3.1 •CIS-2.0: 3.1 •CIS-3.0: 3.1 •CIS-4.0.1: 3.1 •CIS-5.0: 3.1 •ENS-RD2022: op.acc.6.r5.aws.iam.1, op.exp.5.aws.ct.1, op.exp.8.aws.ct.1, op.exp.8.aws.ct.6, op.exp.9.aws.ct.1, op.mon.1.aws.ct.1 •FedRAMP-Low-Revision-4: ac-2, au-2, ca-7 •FedRamp-Moderate-Revision-4: ac-2-4, ac-2-g, au-2-a-d, au-3, au-6-1-3, au-12-a-c, ca-7-a-b, si-4-16, si-4-2, si-4-4, si-4-5 •FFIEC: d2-ma-ma-b-1, d2-ma-ma-b-2, d3-dc-an-b-3, d3-dc-an-b-4, d3-dc-an-b-5, d3-dc-ev-b-1, d3-dc-ev-b-3, d3-pc-im-b-3, d3-pc-im-b-7, d5-dr-de-b-3 •GDPR: article_25, article_30 •GxP-21-CFR-Part-11: 11.10-e, 11.10-k, 11.300-d •GxP-EU-Annex-11: 1-risk-management, 4.2-validation-documentation-change-control •HIPAA: 164_308_a_1_ii_d, 164_308_a_3_ii_a, 164_308_a_6_ii, 164_312_b, 164_312_e_2_i •ISO27001-2013: A.12.4 •KISA-ISMS-P-2023: 2.9.4, 2.10.1, 2.10.2 •KISA-ISMS-P-2023-korean: 2.9.4, 2.10.1, 2.10.2 •NIST-800-171-Revision-2: 3_1_12, 3_3_1, 3_3_2, 3_3_3, 3_4_1, 3_6_1, 3_6_2, 3_13_1, 3_13_2, 3_14_6, 3_14_7 •NIST-800-53-Revision-4: ac_2_4, ac_2, au_2, au_3, au_12, cm_2 •NIST-800-53-Revision-5: ac_2_4, ac_3_1, ac_3_10, ac_4_26, ac_6_9, au_2_b, au_3_1, au_3_a, au_3_b, au_3_c, au_3_d, au_3_e, au_3_f, au_6_3, au_6_4, au_6_6, au_6_9, au_8_b, au_10, au_12_a, au_12_c, au_12_1, au_12_2, au_12_3, au_12_4, au_14_a, au_14_b, au_14_3, ca_7_b, cm_5_1_b, cm_6_a, cm_9_b, ia_3_3_b, ma_4_1_a, pm_14_a_1, pm_14_b, pm_31, sc_7_9_b, si_1_1_c, si_3_8_b, si_4_2, si_4_17, si_4_20, si_7_8, si_10_1_c •NIST-CSF-1.1: ae_1, ae_3, ae_4, cm_1, cm_3, cm_6, cm_7, am_3, ac_6, ds_5, ma_2, pt_1 •PCI-3.2.1: 3.2, 3.2.3, 3.4, 3.4.d, 10.1, 10.2, 10.2.1, 10.2.2, 10.2.3, 10.2.4, 10.2.6, 10.2.7, 10.3, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6, 10.5, 10.5.4 •PCI-4.0: 10.2.1.1.22, 10.2.1.2.19, 10.2.1.3.19, 10.2.1.4.19, 10.2.1.5.19, 10.2.1.6.19, 10.2.1.7.19, 10.2.1.19, 10.2.2.19, 10.3.1.19, 10.6.3.24, 5.3.4.22, A1.2.1.23 •ProwlerThreatScore-1.0: 3.1.1 •RBI-Cyber-Security-Framework: annex_i_7_4 •SOC2: cc_2_1, cc_7_2, cc_a_1_1

AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service.

Ensure Logging is set to ON on all regions (even if they are not being used at the moment.

•AWS-Account-Security-Onboarding: Enable as part of Organization trail •AWS-Foundational-Security-Best-Practices: CloudTrail.1 •AWS-Well-Architected-Framework-Security-Pillar: SEC04-BP02, SEC04-BP03 •CISA: your-systems-3, your-data-2 •CIS-1.4: 3.1 •CIS-1.5: 3.1 •CIS-2.0: 3.1 •CIS-3.0: 3.1 •CIS-4.0.1: 3.1 •CIS-5.0: 3.1 •ENS-RD2022: op.acc.6.r5.aws.iam.1, op.exp.5.aws.ct.1, op.exp.8.aws.ct.1, op.exp.8.aws.ct.6, op.exp.9.aws.ct.1, op.mon.1.aws.ct.1 •FedRAMP-Low-Revision-4: ac-2, au-2, ca-7 •FedRamp-Moderate-Revision-4: ac-2-4, ac-2-g, au-2-a-d, au-3, au-6-1-3, au-12-a-c, ca-7-a-b, si-4-16, si-4-2, si-4-4, si-4-5 •FFIEC: d2-ma-ma-b-1, d2-ma-ma-b-2, d3-dc-an-b-3, d3-dc-an-b-4, d3-dc-an-b-5, d3-dc-ev-b-1, d3-dc-ev-b-3, d3-pc-im-b-3, d3-pc-im-b-7, d5-dr-de-b-3 •GDPR: article_25, article_30 •GxP-21-CFR-Part-11: 11.10-e, 11.10-k, 11.300-d •GxP-EU-Annex-11: 1-risk-management, 4.2-validation-documentation-change-control •HIPAA: 164_308_a_1_ii_d, 164_308_a_3_ii_a, 164_308_a_6_ii, 164_312_b, 164_312_e_2_i •ISO27001-2013: A.12.4 •KISA-ISMS-P-2023: 2.9.4, 2.10.1, 2.10.2 •KISA-ISMS-P-2023-korean: 2.9.4, 2.10.1, 2.10.2 •NIST-800-171-Revision-2: 3_1_12, 3_3_1, 3_3_2, 3_3_3, 3_4_1, 3_6_1, 3_6_2, 3_13_1, 3_13_2, 3_14_6, 3_14_7 •NIST-800-53-Revision-4: ac_2_4, ac_2, au_2, au_3, au_12, cm_2 •NIST-800-53-Revision-5: ac_2_4, ac_3_1, ac_3_10, ac_4_26, ac_6_9, au_2_b, au_3_1, au_3_a, au_3_b, au_3_c, au_3_d, au_3_e, au_3_f, au_6_3, au_6_4, au_6_6, au_6_9, au_8_b, au_10, au_12_a, au_12_c, au_12_1, au_12_2, au_12_3, au_12_4, au_14_a, au_14_b, au_14_3, ca_7_b, cm_5_1_b, cm_6_a, cm_9_b, ia_3_3_b, ma_4_1_a, pm_14_a_1, pm_14_b, pm_31, sc_7_9_b, si_1_1_c, si_3_8_b, si_4_2, si_4_17, si_4_20, si_7_8, si_10_1_c •NIST-CSF-1.1: ae_1, ae_3, ae_4, cm_1, cm_3, cm_6, cm_7, am_3, ac_6, ds_5, ma_2, pt_1 •PCI-3.2.1: 3.2, 3.2.3, 3.4, 3.4.d, 10.1, 10.2, 10.2.1, 10.2.2, 10.2.3, 10.2.4, 10.2.6, 10.2.7, 10.3, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6, 10.5, 10.5.4 •PCI-4.0: 10.2.1.1.22, 10.2.1.2.19, 10.2.1.3.19, 10.2.1.4.19, 10.2.1.5.19, 10.2.1.6.19, 10.2.1.7.19, 10.2.1.19, 10.2.2.19, 10.3.1.19, 10.6.3.24, 5.3.4.22, A1.2.1.23 •ProwlerThreatScore-1.0: 3.1.1 •RBI-Cyber-Security-Framework: annex_i_7_4 •SOC2: cc_2_1, cc_7_2, cc_a_1_1

AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service.

Ensure Logging is set to ON on all regions (even if they are not being used at the moment.

•AWS-Account-Security-Onboarding: Enable as part of Organization trail •AWS-Foundational-Security-Best-Practices: CloudTrail.1 •AWS-Well-Architected-Framework-Security-Pillar: SEC04-BP02, SEC04-BP03 •CISA: your-systems-3, your-data-2 •CIS-1.4: 3.1 •CIS-1.5: 3.1 •CIS-2.0: 3.1 •CIS-3.0: 3.1 •CIS-4.0.1: 3.1 •CIS-5.0: 3.1 •ENS-RD2022: op.acc.6.r5.aws.iam.1, op.exp.5.aws.ct.1, op.exp.8.aws.ct.1, op.exp.8.aws.ct.6, op.exp.9.aws.ct.1, op.mon.1.aws.ct.1 •FedRAMP-Low-Revision-4: ac-2, au-2, ca-7 •FedRamp-Moderate-Revision-4: ac-2-4, ac-2-g, au-2-a-d, au-3, au-6-1-3, au-12-a-c, ca-7-a-b, si-4-16, si-4-2, si-4-4, si-4-5 •FFIEC: d2-ma-ma-b-1, d2-ma-ma-b-2, d3-dc-an-b-3, d3-dc-an-b-4, d3-dc-an-b-5, d3-dc-ev-b-1, d3-dc-ev-b-3, d3-pc-im-b-3, d3-pc-im-b-7, d5-dr-de-b-3 •GDPR: article_25, article_30 •GxP-21-CFR-Part-11: 11.10-e, 11.10-k, 11.300-d •GxP-EU-Annex-11: 1-risk-management, 4.2-validation-documentation-change-control •HIPAA: 164_308_a_1_ii_d, 164_308_a_3_ii_a, 164_308_a_6_ii, 164_312_b, 164_312_e_2_i •ISO27001-2013: A.12.4 •KISA-ISMS-P-2023: 2.9.4, 2.10.1, 2.10.2 •KISA-ISMS-P-2023-korean: 2.9.4, 2.10.1, 2.10.2 •NIST-800-171-Revision-2: 3_1_12, 3_3_1, 3_3_2, 3_3_3, 3_4_1, 3_6_1, 3_6_2, 3_13_1, 3_13_2, 3_14_6, 3_14_7 •NIST-800-53-Revision-4: ac_2_4, ac_2, au_2, au_3, au_12, cm_2 •NIST-800-53-Revision-5: ac_2_4, ac_3_1, ac_3_10, ac_4_26, ac_6_9, au_2_b, au_3_1, au_3_a, au_3_b, au_3_c, au_3_d, au_3_e, au_3_f, au_6_3, au_6_4, au_6_6, au_6_9, au_8_b, au_10, au_12_a, au_12_c, au_12_1, au_12_2, au_12_3, au_12_4, au_14_a, au_14_b, au_14_3, ca_7_b, cm_5_1_b, cm_6_a, cm_9_b, ia_3_3_b, ma_4_1_a, pm_14_a_1, pm_14_b, pm_31, sc_7_9_b, si_1_1_c, si_3_8_b, si_4_2, si_4_17, si_4_20, si_7_8, si_10_1_c •NIST-CSF-1.1: ae_1, ae_3, ae_4, cm_1, cm_3, cm_6, cm_7, am_3, ac_6, ds_5, ma_2, pt_1 •PCI-3.2.1: 3.2, 3.2.3, 3.4, 3.4.d, 10.1, 10.2, 10.2.1, 10.2.2, 10.2.3, 10.2.4, 10.2.6, 10.2.7, 10.3, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6, 10.5, 10.5.4 •PCI-4.0: 10.2.1.1.22, 10.2.1.2.19, 10.2.1.3.19, 10.2.1.4.19, 10.2.1.5.19, 10.2.1.6.19, 10.2.1.7.19, 10.2.1.19, 10.2.2.19, 10.3.1.19, 10.6.3.24, 5.3.4.22, A1.2.1.23 •ProwlerThreatScore-1.0: 3.1.1 •RBI-Cyber-Security-Framework: annex_i_7_4 •SOC2: cc_2_1, cc_7_2, cc_a_1_1

AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service.

Ensure Logging is set to ON on all regions (even if they are not being used at the moment.

•AWS-Account-Security-Onboarding: Enable as part of Organization trail •AWS-Foundational-Security-Best-Practices: CloudTrail.1 •AWS-Well-Architected-Framework-Security-Pillar: SEC04-BP02, SEC04-BP03 •CISA: your-systems-3, your-data-2 •CIS-1.4: 3.1 •CIS-1.5: 3.1 •CIS-2.0: 3.1 •CIS-3.0: 3.1 •CIS-4.0.1: 3.1 •CIS-5.0: 3.1 •ENS-RD2022: op.acc.6.r5.aws.iam.1, op.exp.5.aws.ct.1, op.exp.8.aws.ct.1, op.exp.8.aws.ct.6, op.exp.9.aws.ct.1, op.mon.1.aws.ct.1 •FedRAMP-Low-Revision-4: ac-2, au-2, ca-7 •FedRamp-Moderate-Revision-4: ac-2-4, ac-2-g, au-2-a-d, au-3, au-6-1-3, au-12-a-c, ca-7-a-b, si-4-16, si-4-2, si-4-4, si-4-5 •FFIEC: d2-ma-ma-b-1, d2-ma-ma-b-2, d3-dc-an-b-3, d3-dc-an-b-4, d3-dc-an-b-5, d3-dc-ev-b-1, d3-dc-ev-b-3, d3-pc-im-b-3, d3-pc-im-b-7, d5-dr-de-b-3 •GDPR: article_25, article_30 •GxP-21-CFR-Part-11: 11.10-e, 11.10-k, 11.300-d •GxP-EU-Annex-11: 1-risk-management, 4.2-validation-documentation-change-control •HIPAA: 164_308_a_1_ii_d, 164_308_a_3_ii_a, 164_308_a_6_ii, 164_312_b, 164_312_e_2_i •ISO27001-2013: A.12.4 •KISA-ISMS-P-2023: 2.9.4, 2.10.1, 2.10.2 •KISA-ISMS-P-2023-korean: 2.9.4, 2.10.1, 2.10.2 •NIST-800-171-Revision-2: 3_1_12, 3_3_1, 3_3_2, 3_3_3, 3_4_1, 3_6_1, 3_6_2, 3_13_1, 3_13_2, 3_14_6, 3_14_7 •NIST-800-53-Revision-4: ac_2_4, ac_2, au_2, au_3, au_12, cm_2 •NIST-800-53-Revision-5: ac_2_4, ac_3_1, ac_3_10, ac_4_26, ac_6_9, au_2_b, au_3_1, au_3_a, au_3_b, au_3_c, au_3_d, au_3_e, au_3_f, au_6_3, au_6_4, au_6_6, au_6_9, au_8_b, au_10, au_12_a, au_12_c, au_12_1, au_12_2, au_12_3, au_12_4, au_14_a, au_14_b, au_14_3, ca_7_b, cm_5_1_b, cm_6_a, cm_9_b, ia_3_3_b, ma_4_1_a, pm_14_a_1, pm_14_b, pm_31, sc_7_9_b, si_1_1_c, si_3_8_b, si_4_2, si_4_17, si_4_20, si_7_8, si_10_1_c •NIST-CSF-1.1: ae_1, ae_3, ae_4, cm_1, cm_3, cm_6, cm_7, am_3, ac_6, ds_5, ma_2, pt_1 •PCI-3.2.1: 3.2, 3.2.3, 3.4, 3.4.d, 10.1, 10.2, 10.2.1, 10.2.2, 10.2.3, 10.2.4, 10.2.6, 10.2.7, 10.3, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6, 10.5, 10.5.4 •PCI-4.0: 10.2.1.1.22, 10.2.1.2.19, 10.2.1.3.19, 10.2.1.4.19, 10.2.1.5.19, 10.2.1.6.19, 10.2.1.7.19, 10.2.1.19, 10.2.2.19, 10.3.1.19, 10.6.3.24, 5.3.4.22, A1.2.1.23 •ProwlerThreatScore-1.0: 3.1.1 •RBI-Cyber-Security-Framework: annex_i_7_4 •SOC2: cc_2_1, cc_7_2, cc_a_1_1

AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service.

Ensure Logging is set to ON on all regions (even if they are not being used at the moment.

•AWS-Account-Security-Onboarding: Enable as part of Organization trail •AWS-Foundational-Security-Best-Practices: CloudTrail.1 •AWS-Well-Architected-Framework-Security-Pillar: SEC04-BP02, SEC04-BP03 •CISA: your-systems-3, your-data-2 •CIS-1.4: 3.1 •CIS-1.5: 3.1 •CIS-2.0: 3.1 •CIS-3.0: 3.1 •CIS-4.0.1: 3.1 •CIS-5.0: 3.1 •ENS-RD2022: op.acc.6.r5.aws.iam.1, op.exp.5.aws.ct.1, op.exp.8.aws.ct.1, op.exp.8.aws.ct.6, op.exp.9.aws.ct.1, op.mon.1.aws.ct.1 •FedRAMP-Low-Revision-4: ac-2, au-2, ca-7 •FedRamp-Moderate-Revision-4: ac-2-4, ac-2-g, au-2-a-d, au-3, au-6-1-3, au-12-a-c, ca-7-a-b, si-4-16, si-4-2, si-4-4, si-4-5 •FFIEC: d2-ma-ma-b-1, d2-ma-ma-b-2, d3-dc-an-b-3, d3-dc-an-b-4, d3-dc-an-b-5, d3-dc-ev-b-1, d3-dc-ev-b-3, d3-pc-im-b-3, d3-pc-im-b-7, d5-dr-de-b-3 •GDPR: article_25, article_30 •GxP-21-CFR-Part-11: 11.10-e, 11.10-k, 11.300-d •GxP-EU-Annex-11: 1-risk-management, 4.2-validation-documentation-change-control •HIPAA: 164_308_a_1_ii_d, 164_308_a_3_ii_a, 164_308_a_6_ii, 164_312_b, 164_312_e_2_i •ISO27001-2013: A.12.4 •KISA-ISMS-P-2023: 2.9.4, 2.10.1, 2.10.2 •KISA-ISMS-P-2023-korean: 2.9.4, 2.10.1, 2.10.2 •NIST-800-171-Revision-2: 3_1_12, 3_3_1, 3_3_2, 3_3_3, 3_4_1, 3_6_1, 3_6_2, 3_13_1, 3_13_2, 3_14_6, 3_14_7 •NIST-800-53-Revision-4: ac_2_4, ac_2, au_2, au_3, au_12, cm_2 •NIST-800-53-Revision-5: ac_2_4, ac_3_1, ac_3_10, ac_4_26, ac_6_9, au_2_b, au_3_1, au_3_a, au_3_b, au_3_c, au_3_d, au_3_e, au_3_f, au_6_3, au_6_4, au_6_6, au_6_9, au_8_b, au_10, au_12_a, au_12_c, au_12_1, au_12_2, au_12_3, au_12_4, au_14_a, au_14_b, au_14_3, ca_7_b, cm_5_1_b, cm_6_a, cm_9_b, ia_3_3_b, ma_4_1_a, pm_14_a_1, pm_14_b, pm_31, sc_7_9_b, si_1_1_c, si_3_8_b, si_4_2, si_4_17, si_4_20, si_7_8, si_10_1_c •NIST-CSF-1.1: ae_1, ae_3, ae_4, cm_1, cm_3, cm_6, cm_7, am_3, ac_6, ds_5, ma_2, pt_1 •PCI-3.2.1: 3.2, 3.2.3, 3.4, 3.4.d, 10.1, 10.2, 10.2.1, 10.2.2, 10.2.3, 10.2.4, 10.2.6, 10.2.7, 10.3, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6, 10.5, 10.5.4 •PCI-4.0: 10.2.1.1.22, 10.2.1.2.19, 10.2.1.3.19, 10.2.1.4.19, 10.2.1.5.19, 10.2.1.6.19, 10.2.1.7.19, 10.2.1.19, 10.2.2.19, 10.3.1.19, 10.6.3.24, 5.3.4.22, A1.2.1.23 •ProwlerThreatScore-1.0: 3.1.1 •RBI-Cyber-Security-Framework: annex_i_7_4 •SOC2: cc_2_1, cc_7_2, cc_a_1_1

AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service.

Ensure Logging is set to ON on all regions (even if they are not being used at the moment.

•AWS-Account-Security-Onboarding: Enable as part of Organization trail •AWS-Foundational-Security-Best-Practices: CloudTrail.1 •AWS-Well-Architected-Framework-Security-Pillar: SEC04-BP02, SEC04-BP03 •CISA: your-systems-3, your-data-2 •CIS-1.4: 3.1 •CIS-1.5: 3.1 •CIS-2.0: 3.1 •CIS-3.0: 3.1 •CIS-4.0.1: 3.1 •CIS-5.0: 3.1 •ENS-RD2022: op.acc.6.r5.aws.iam.1, op.exp.5.aws.ct.1, op.exp.8.aws.ct.1, op.exp.8.aws.ct.6, op.exp.9.aws.ct.1, op.mon.1.aws.ct.1 •FedRAMP-Low-Revision-4: ac-2, au-2, ca-7 •FedRamp-Moderate-Revision-4: ac-2-4, ac-2-g, au-2-a-d, au-3, au-6-1-3, au-12-a-c, ca-7-a-b, si-4-16, si-4-2, si-4-4, si-4-5 •FFIEC: d2-ma-ma-b-1, d2-ma-ma-b-2, d3-dc-an-b-3, d3-dc-an-b-4, d3-dc-an-b-5, d3-dc-ev-b-1, d3-dc-ev-b-3, d3-pc-im-b-3, d3-pc-im-b-7, d5-dr-de-b-3 •GDPR: article_25, article_30 •GxP-21-CFR-Part-11: 11.10-e, 11.10-k, 11.300-d •GxP-EU-Annex-11: 1-risk-management, 4.2-validation-documentation-change-control •HIPAA: 164_308_a_1_ii_d, 164_308_a_3_ii_a, 164_308_a_6_ii, 164_312_b, 164_312_e_2_i •ISO27001-2013: A.12.4 •KISA-ISMS-P-2023: 2.9.4, 2.10.1, 2.10.2 •KISA-ISMS-P-2023-korean: 2.9.4, 2.10.1, 2.10.2 •NIST-800-171-Revision-2: 3_1_12, 3_3_1, 3_3_2, 3_3_3, 3_4_1, 3_6_1, 3_6_2, 3_13_1, 3_13_2, 3_14_6, 3_14_7 •NIST-800-53-Revision-4: ac_2_4, ac_2, au_2, au_3, au_12, cm_2 •NIST-800-53-Revision-5: ac_2_4, ac_3_1, ac_3_10, ac_4_26, ac_6_9, au_2_b, au_3_1, au_3_a, au_3_b, au_3_c, au_3_d, au_3_e, au_3_f, au_6_3, au_6_4, au_6_6, au_6_9, au_8_b, au_10, au_12_a, au_12_c, au_12_1, au_12_2, au_12_3, au_12_4, au_14_a, au_14_b, au_14_3, ca_7_b, cm_5_1_b, cm_6_a, cm_9_b, ia_3_3_b, ma_4_1_a, pm_14_a_1, pm_14_b, pm_31, sc_7_9_b, si_1_1_c, si_3_8_b, si_4_2, si_4_17, si_4_20, si_7_8, si_10_1_c •NIST-CSF-1.1: ae_1, ae_3, ae_4, cm_1, cm_3, cm_6, cm_7, am_3, ac_6, ds_5, ma_2, pt_1 •PCI-3.2.1: 3.2, 3.2.3, 3.4, 3.4.d, 10.1, 10.2, 10.2.1, 10.2.2, 10.2.3, 10.2.4, 10.2.6, 10.2.7, 10.3, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6, 10.5, 10.5.4 •PCI-4.0: 10.2.1.1.22, 10.2.1.2.19, 10.2.1.3.19, 10.2.1.4.19, 10.2.1.5.19, 10.2.1.6.19, 10.2.1.7.19, 10.2.1.19, 10.2.2.19, 10.3.1.19, 10.6.3.24, 5.3.4.22, A1.2.1.23 •ProwlerThreatScore-1.0: 3.1.1 •RBI-Cyber-Security-Framework: annex_i_7_4 •SOC2: cc_2_1, cc_7_2, cc_a_1_1

AWS CloudTrail enables governance, compliance, operational auditing, and risk auditing of your AWS account. To meet FTR requirements, you must have management events enabled for all AWS accounts and in all regions and aggregate these logs into an Amazon Simple Storage Service (Amazon S3) bucket owned by a separate AWS account.

Enable CloudTrail logging management events in All Regions

•AWS-Account-Security-Onboarding: Enable as part of Organization trail •ISO27001-2022: A.8.15, A.8.16 •KISA-ISMS-P-2023: 2.9.4, 2.10.1, 2.10.2, 2.11.3 •KISA-ISMS-P-2023-korean: 2.9.4, 2.10.1, 2.10.2, 2.11.3 •NIS2: 3.1.2.a, 3.2.3.c, 3.4.2.c

AWS CloudTrail enables governance, compliance, operational auditing, and risk auditing of your AWS account. To meet FTR requirements, you must have management events enabled for all AWS accounts and in all regions and aggregate these logs into an Amazon Simple Storage Service (Amazon S3) bucket owned by a separate AWS account.

Enable CloudTrail logging management events in All Regions

•AWS-Account-Security-Onboarding: Enable as part of Organization trail •ISO27001-2022: A.8.15, A.8.16 •KISA-ISMS-P-2023: 2.9.4, 2.10.1, 2.10.2, 2.11.3 •KISA-ISMS-P-2023-korean: 2.9.4, 2.10.1, 2.10.2, 2.11.3 •NIS2: 3.1.2.a, 3.2.3.c, 3.4.2.c

AWS CloudTrail enables governance, compliance, operational auditing, and risk auditing of your AWS account. To meet FTR requirements, you must have management events enabled for all AWS accounts and in all regions and aggregate these logs into an Amazon Simple Storage Service (Amazon S3) bucket owned by a separate AWS account.

Enable CloudTrail logging management events in All Regions

•AWS-Account-Security-Onboarding: Enable as part of Organization trail •ISO27001-2022: A.8.15, A.8.16 •KISA-ISMS-P-2023: 2.9.4, 2.10.1, 2.10.2, 2.11.3 •KISA-ISMS-P-2023-korean: 2.9.4, 2.10.1, 2.10.2, 2.11.3 •NIS2: 3.1.2.a, 3.2.3.c, 3.4.2.c

AWS CloudTrail enables governance, compliance, operational auditing, and risk auditing of your AWS account. To meet FTR requirements, you must have management events enabled for all AWS accounts and in all regions and aggregate these logs into an Amazon Simple Storage Service (Amazon S3) bucket owned by a separate AWS account.

Enable CloudTrail logging management events in All Regions

•AWS-Account-Security-Onboarding: Enable as part of Organization trail •ISO27001-2022: A.8.15, A.8.16 •KISA-ISMS-P-2023: 2.9.4, 2.10.1, 2.10.2, 2.11.3 •KISA-ISMS-P-2023-korean: 2.9.4, 2.10.1, 2.10.2, 2.11.3 •NIS2: 3.1.2.a, 3.2.3.c, 3.4.2.c

AWS CloudTrail enables governance, compliance, operational auditing, and risk auditing of your AWS account. To meet FTR requirements, you must have management events enabled for all AWS accounts and in all regions and aggregate these logs into an Amazon Simple Storage Service (Amazon S3) bucket owned by a separate AWS account.

Enable CloudTrail logging management events in All Regions

•AWS-Account-Security-Onboarding: Enable as part of Organization trail •ISO27001-2022: A.8.15, A.8.16 •KISA-ISMS-P-2023: 2.9.4, 2.10.1, 2.10.2, 2.11.3 •KISA-ISMS-P-2023-korean: 2.9.4, 2.10.1, 2.10.2, 2.11.3 •NIS2: 3.1.2.a, 3.2.3.c, 3.4.2.c

AWS CloudTrail enables governance, compliance, operational auditing, and risk auditing of your AWS account. To meet FTR requirements, you must have management events enabled for all AWS accounts and in all regions and aggregate these logs into an Amazon Simple Storage Service (Amazon S3) bucket owned by a separate AWS account.

Enable CloudTrail logging management events in All Regions

•AWS-Account-Security-Onboarding: Enable as part of Organization trail •ISO27001-2022: A.8.15, A.8.16 •KISA-ISMS-P-2023: 2.9.4, 2.10.1, 2.10.2, 2.11.3 •KISA-ISMS-P-2023-korean: 2.9.4, 2.10.1, 2.10.2, 2.11.3 •NIS2: 3.1.2.a, 3.2.3.c, 3.4.2.c

AWS CloudTrail enables governance, compliance, operational auditing, and risk auditing of your AWS account. To meet FTR requirements, you must have management events enabled for all AWS accounts and in all regions and aggregate these logs into an Amazon Simple Storage Service (Amazon S3) bucket owned by a separate AWS account.

Enable CloudTrail logging management events in All Regions

•AWS-Account-Security-Onboarding: Enable as part of Organization trail •ISO27001-2022: A.8.15, A.8.16 •KISA-ISMS-P-2023: 2.9.4, 2.10.1, 2.10.2, 2.11.3 •KISA-ISMS-P-2023-korean: 2.9.4, 2.10.1, 2.10.2, 2.11.3 •NIS2: 3.1.2.a, 3.2.3.c, 3.4.2.c

AWS CloudTrail enables governance, compliance, operational auditing, and risk auditing of your AWS account. To meet FTR requirements, you must have management events enabled for all AWS accounts and in all regions and aggregate these logs into an Amazon Simple Storage Service (Amazon S3) bucket owned by a separate AWS account.

Enable CloudTrail logging management events in All Regions

•AWS-Account-Security-Onboarding: Enable as part of Organization trail •ISO27001-2022: A.8.15, A.8.16 •KISA-ISMS-P-2023: 2.9.4, 2.10.1, 2.10.2, 2.11.3 •KISA-ISMS-P-2023-korean: 2.9.4, 2.10.1, 2.10.2, 2.11.3 •NIS2: 3.1.2.a, 3.2.3.c, 3.4.2.c

AWS CloudTrail enables governance, compliance, operational auditing, and risk auditing of your AWS account. To meet FTR requirements, you must have management events enabled for all AWS accounts and in all regions and aggregate these logs into an Amazon Simple Storage Service (Amazon S3) bucket owned by a separate AWS account.

Enable CloudTrail logging management events in All Regions

•AWS-Account-Security-Onboarding: Enable as part of Organization trail •ISO27001-2022: A.8.15, A.8.16 •KISA-ISMS-P-2023: 2.9.4, 2.10.1, 2.10.2, 2.11.3 •KISA-ISMS-P-2023-korean: 2.9.4, 2.10.1, 2.10.2, 2.11.3 •NIS2: 3.1.2.a, 3.2.3.c, 3.4.2.c

AWS CloudTrail enables governance, compliance, operational auditing, and risk auditing of your AWS account. To meet FTR requirements, you must have management events enabled for all AWS accounts and in all regions and aggregate these logs into an Amazon Simple Storage Service (Amazon S3) bucket owned by a separate AWS account.

Enable CloudTrail logging management events in All Regions

•AWS-Account-Security-Onboarding: Enable as part of Organization trail •ISO27001-2022: A.8.15, A.8.16 •KISA-ISMS-P-2023: 2.9.4, 2.10.1, 2.10.2, 2.11.3 •KISA-ISMS-P-2023-korean: 2.9.4, 2.10.1, 2.10.2, 2.11.3 •NIS2: 3.1.2.a, 3.2.3.c, 3.4.2.c

AWS CloudTrail enables governance, compliance, operational auditing, and risk auditing of your AWS account. To meet FTR requirements, you must have management events enabled for all AWS accounts and in all regions and aggregate these logs into an Amazon Simple Storage Service (Amazon S3) bucket owned by a separate AWS account.

Enable CloudTrail logging management events in All Regions

•AWS-Account-Security-Onboarding: Enable as part of Organization trail •ISO27001-2022: A.8.15, A.8.16 •KISA-ISMS-P-2023: 2.9.4, 2.10.1, 2.10.2, 2.11.3 •KISA-ISMS-P-2023-korean: 2.9.4, 2.10.1, 2.10.2, 2.11.3 •NIS2: 3.1.2.a, 3.2.3.c, 3.4.2.c

AWS CloudTrail enables governance, compliance, operational auditing, and risk auditing of your AWS account. To meet FTR requirements, you must have management events enabled for all AWS accounts and in all regions and aggregate these logs into an Amazon Simple Storage Service (Amazon S3) bucket owned by a separate AWS account.

Enable CloudTrail logging management events in All Regions

•AWS-Account-Security-Onboarding: Enable as part of Organization trail •ISO27001-2022: A.8.15, A.8.16 •KISA-ISMS-P-2023: 2.9.4, 2.10.1, 2.10.2, 2.11.3 •KISA-ISMS-P-2023-korean: 2.9.4, 2.10.1, 2.10.2, 2.11.3 •NIS2: 3.1.2.a, 3.2.3.c, 3.4.2.c

AWS CloudTrail enables governance, compliance, operational auditing, and risk auditing of your AWS account. To meet FTR requirements, you must have management events enabled for all AWS accounts and in all regions and aggregate these logs into an Amazon Simple Storage Service (Amazon S3) bucket owned by a separate AWS account.

Enable CloudTrail logging management events in All Regions

•AWS-Account-Security-Onboarding: Enable as part of Organization trail •ISO27001-2022: A.8.15, A.8.16 •KISA-ISMS-P-2023: 2.9.4, 2.10.1, 2.10.2, 2.11.3 •KISA-ISMS-P-2023-korean: 2.9.4, 2.10.1, 2.10.2, 2.11.3 •NIS2: 3.1.2.a, 3.2.3.c, 3.4.2.c

AWS CloudTrail enables governance, compliance, operational auditing, and risk auditing of your AWS account. To meet FTR requirements, you must have management events enabled for all AWS accounts and in all regions and aggregate these logs into an Amazon Simple Storage Service (Amazon S3) bucket owned by a separate AWS account.

Enable CloudTrail logging management events in All Regions

•AWS-Account-Security-Onboarding: Enable as part of Organization trail •ISO27001-2022: A.8.15, A.8.16 •KISA-ISMS-P-2023: 2.9.4, 2.10.1, 2.10.2, 2.11.3 •KISA-ISMS-P-2023-korean: 2.9.4, 2.10.1, 2.10.2, 2.11.3 •NIS2: 3.1.2.a, 3.2.3.c, 3.4.2.c

AWS CloudTrail enables governance, compliance, operational auditing, and risk auditing of your AWS account. To meet FTR requirements, you must have management events enabled for all AWS accounts and in all regions and aggregate these logs into an Amazon Simple Storage Service (Amazon S3) bucket owned by a separate AWS account.

Enable CloudTrail logging management events in All Regions

•AWS-Account-Security-Onboarding: Enable as part of Organization trail •ISO27001-2022: A.8.15, A.8.16 •KISA-ISMS-P-2023: 2.9.4, 2.10.1, 2.10.2, 2.11.3 •KISA-ISMS-P-2023-korean: 2.9.4, 2.10.1, 2.10.2, 2.11.3 •NIS2: 3.1.2.a, 3.2.3.c, 3.4.2.c

AWS CloudTrail enables governance, compliance, operational auditing, and risk auditing of your AWS account. To meet FTR requirements, you must have management events enabled for all AWS accounts and in all regions and aggregate these logs into an Amazon Simple Storage Service (Amazon S3) bucket owned by a separate AWS account.

Enable CloudTrail logging management events in All Regions

•AWS-Account-Security-Onboarding: Enable as part of Organization trail •ISO27001-2022: A.8.15, A.8.16 •KISA-ISMS-P-2023: 2.9.4, 2.10.1, 2.10.2, 2.11.3 •KISA-ISMS-P-2023-korean: 2.9.4, 2.10.1, 2.10.2, 2.11.3 •NIS2: 3.1.2.a, 3.2.3.c, 3.4.2.c

AWS CloudTrail enables governance, compliance, operational auditing, and risk auditing of your AWS account. To meet FTR requirements, you must have management events enabled for all AWS accounts and in all regions and aggregate these logs into an Amazon Simple Storage Service (Amazon S3) bucket owned by a separate AWS account.

Enable CloudTrail logging management events in All Regions

•AWS-Account-Security-Onboarding: Enable as part of Organization trail •ISO27001-2022: A.8.15, A.8.16 •KISA-ISMS-P-2023: 2.9.4, 2.10.1, 2.10.2, 2.11.3 •KISA-ISMS-P-2023-korean: 2.9.4, 2.10.1, 2.10.2, 2.11.3 •NIS2: 3.1.2.a, 3.2.3.c, 3.4.2.c

If logs are not enabled, monitoring of service use and threat analysis is not possible.

Enable logs. Create an S3 lifecycle policy. Define use cases, metrics and automated responses where applicable.

•AWS-Account-Security-Onboarding: Confirm that logs are present in S3 bucket and SIEM •AWS-Well-Architected-Framework-Security-Pillar: SEC04-BP01 •CISA: your-systems-3, your-data-2 •CIS-1.4: 3.11 •CIS-1.5: 3.11 •CIS-2.0: 3.11 •CIS-3.0: 3.9 •CIS-4.0.1: 3.9 •CIS-5.0: 3.9 •ENS-RD2022: op.exp.8.r1.aws.ct.2, op.exp.8.r1.aws.ct.3, op.exp.8.r1.aws.ct.4 •FedRAMP-Low-Revision-4: ac-2, au-2, ca-7 •FedRamp-Moderate-Revision-4: ac-2-4, ac-2-g, au-2-a-d, au-3, au-6-1-3, au-12-a-c, ca-7-a-b, si-4-16, si-4-2, si-4-4, si-4-5 •FFIEC: d2-ma-ma-b-1, d2-ma-ma-b-2, d3-dc-an-b-3, d3-dc-an-b-4, d3-dc-ev-b-1, d5-dr-de-b-3 •GDPR: article_30 •GxP-21-CFR-Part-11: 11.10-e, 11.10-k •GxP-EU-Annex-11: 8.2-printouts-data-changes, 9-audit-trails, 12.4-security-audit-trail •HIPAA: 164_308_a_1_ii_d, 164_308_a_3_ii_a, 164_308_a_6_ii, 164_312_a_2_i, 164_312_b, 164_312_e_2_i •ISO27001-2022: A.8.15, A.8.16 •KISA-ISMS-P-2023: 2.9.4, 2.10.1, 2.10.2, 2.11.3 •KISA-ISMS-P-2023-korean: 2.9.4, 2.10.1, 2.10.2, 2.11.3 •NIS2: 3.2.3.c, 3.2.3.g, 3.4.2.c •NIST-800-171-Revision-2: 3_1_12, 3_3_1, 3_3_2, 3_3_3, 3_13_1, 3_14_6, 3_14_7 •NIST-800-53-Revision-4: ac_2, au_2, au_3, au_12 •NIST-800-53-Revision-5: ac_2_4, ac_3_1, ac_3_10, ac_4_26, ac_6_9, au_2_b, au_3_a, au_3_b, au_3_c, au_3_d, au_3_e, au_3_f, au_6_3, au_6_4, au_6_6, au_6_9, au_8_b, au_10, au_12_a, au_12_c, au_12_1, au_12_2, au_12_3, au_12_4, au_14_a, au_14_b, au_14_3, ca_7_b, cm_5_1_b, cm_6_a, cm_9_b, ia_3_3_b, ma_4_1_a, pm_14_a_1, pm_14_b, pm_31, sc_7_9_b, si_1_1_c, si_3_8_b, si_4_2, si_4_17, si_4_20, si_7_8, si_10_1_c •NIST-CSF-1.1: ae_3, ae_4, cm_1, cm_3, cm_6, cm_7, ds_5 •PCI-3.2.1: 10.1, 10.2, 10.2.1, 10.2.2, 10.2.3, 10.2.4, 10.2.6, 10.2.7, 10.3, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6, 10.5, 10.5.4 •ProwlerThreatScore-1.0: 3.1.6 •RBI-Cyber-Security-Framework: annex_i_7_4 •SOC2: cc_2_1, cc_7_2

If logs are not enabled, monitoring of service use and threat analysis is not possible.

Enable logs. Create an S3 lifecycle policy. Define use cases, metrics and automated responses where applicable.

•AWS-Account-Security-Onboarding: Send S3 access logs for critical buckets to separate S3 bucket, Confirm that logs are present in S3 bucket and SIEM •AWS-Well-Architected-Framework-Security-Pillar: SEC04-BP01 •CISA: your-systems-3, your-data-2 •CIS-1.4: 3.10 •CIS-1.5: 3.10 •CIS-2.0: 3.10 •CIS-3.0: 3.8 •CIS-4.0.1: 3.8 •CIS-5.0: 3.8 •ENS-RD2022: op.exp.8.aws.ct.4, op.exp.8.r1.aws.ct.2, op.exp.8.r1.aws.ct.3, op.exp.8.r1.aws.ct.4 •FedRAMP-Low-Revision-4: ac-2, au-2, ca-7 •FedRamp-Moderate-Revision-4: ac-2-4, ac-2-g, au-2-a-d, au-3, au-6-1-3, au-12-a-c, ca-7-a-b, si-4-16, si-4-2, si-4-4, si-4-5 •FFIEC: d2-ma-ma-b-1, d2-ma-ma-b-2, d3-dc-an-b-3, d3-dc-an-b-4, d3-dc-ev-b-1, d5-dr-de-b-3 •GDPR: article_30 •GxP-21-CFR-Part-11: 11.10-e, 11.10-k •GxP-EU-Annex-11: 8.2-printouts-data-changes, 9-audit-trails, 12.4-security-audit-trail •HIPAA: 164_308_a_1_ii_d, 164_308_a_3_ii_a, 164_308_a_6_ii, 164_312_a_2_i, 164_312_b, 164_312_e_2_i •ISO27001-2022: A.8.15, A.8.16 •KISA-ISMS-P-2023: 2.9.4, 2.10.1, 2.10.2, 2.11.3 •KISA-ISMS-P-2023-korean: 2.9.4, 2.10.1, 2.10.2, 2.11.3 •NIS2: 3.2.3.c, 3.2.3.g •NIST-800-171-Revision-2: 3_1_12, 3_3_1, 3_3_2, 3_3_3, 3_13_1, 3_14_6, 3_14_7 •NIST-800-53-Revision-4: ac_2, au_2, au_3, au_12 •NIST-800-53-Revision-5: ac_2_4, ac_3_1, ac_3_10, ac_4_26, ac_6_9, au_2_b, au_3_a, au_3_b, au_3_c, au_3_d, au_3_e, au_3_f, au_6_3, au_6_4, au_6_6, au_6_9, au_8_b, au_10, au_12_a, au_12_c, au_12_1, au_12_2, au_12_3, au_12_4, au_14_a, au_14_b, au_14_3, ca_7_b, cm_5_1_b, cm_6_a, cm_9_b, ia_3_3_b, ma_4_1_a, pm_14_a_1, pm_14_b, pm_31, sc_7_9_b, si_1_1_c, si_3_8_b, si_4_2, si_4_17, si_4_20, si_7_8, si_10_1_c •NIST-CSF-1.1: ae_3, ae_4, cm_1, cm_3, cm_6, cm_7, ds_5 •PCI-4.0: 10.2.1.1.7, 10.2.1.2.7, 10.2.1.3.7, 10.2.1.4.7, 10.2.1.5.7, 10.2.1.6.7, 10.2.1.7.7, 10.2.1.7, 10.2.2.7, 10.3.1.7, 10.6.3.7, 5.3.4.7, A1.2.1.7 •ProwlerThreatScore-1.0: 3.1.5 •RBI-Cyber-Security-Framework: annex_i_7_4 •SOC2: cc_2_1, cc_7_2

Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.

It is recommended that a metric filter and alarm be established for unauthorized requests.

•AWS-Well-Architected-Framework-Security-Pillar: SEC04-BP04 •CIS-1.4: 4.11 •CIS-1.5: 4.11 •CIS-2.0: 4.11 •CIS-3.0: 4.11 •CIS-4.0.1: 4.11 •CIS-5.0: 4.11 •FedRAMP-Low-Revision-4: ac-2, ca-7, ir-4 •FedRamp-Moderate-Revision-4: ac-2-4, au-6-1-3, au-7-1, ca-7-a-b, ir-4-1, ir-4-1, si-4-2, si-4-4, si-4-5, si-4-a-b-c •FFIEC: d5-dr-de-b-1, d5-dr-de-b-3 •HIPAA: 164_308_a_6_i •ISO27001-2013: A.12.4 •ISO27001-2022: A.8.15, A.8.16 •KISA-ISMS-P-2023: 2.9.4, 2.10.1, 2.10.2, 2.11.3 •KISA-ISMS-P-2023-korean: 2.9.4, 2.10.1, 2.10.2, 2.11.3 •MITRE-ATTACK: T1496 •NIS2: 2.2.3, 3.2.3.a, 3.2.3.c, 3.2.3.f, 6.4.1 •NIST-800-171-Revision-2: 3_6_1, 3_6_2, 3_12_4 •NIST-800-53-Revision-4: ac_2_4, au_6_1, au_6_3, au_7_1, ca_7, ir_4_1, si_4_2, si_4_4, si_4_5, si_4 •NIST-800-53-Revision-5: au_6_1, au_6_5, au_12_3, au_14_a, au_14_b, ca_2_2, ca_7, ca_7_b, pm_14_a_1, pm_14_b, pm_31, sc_36_1_a, si_2_a, si_4_12, si_5_1, si_5_b •NIST-CSF-1.1: ae_5, cm_2, cm_5, cp_4, ra_5 •ProwlerThreatScore-1.0: 3.3.12 •SOC2: cc_5_2, cc_7_2, cc_7_3, cc_7_4

Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.

It is recommended that a metric filter and alarm be established for unauthorized requests.

•AWS-Well-Architected-Framework-Security-Pillar: SEC04-BP04 •CIS-1.4: 4.12 •CIS-1.5: 4.12 •CIS-2.0: 4.12 •CIS-3.0: 4.12 •CIS-4.0.1: 4.12 •CIS-5.0: 4.12 •FedRAMP-Low-Revision-4: ir-4 •FedRamp-Moderate-Revision-4: ac-2-4, au-6-1-3, au-7-1, ca-7-a-b, ir-4-1, ir-4-1, si-4-2, si-4-4, si-4-5, si-4-a-b-c •FFIEC: d5-dr-de-b-1, d5-dr-de-b-3 •HIPAA: 164_308_a_6_i •ISO27001-2013: A.12.4 •ISO27001-2022: A.8.15, A.8.16 •KISA-ISMS-P-2023: 2.9.4, 2.10.1, 2.10.2, 2.11.3 •KISA-ISMS-P-2023-korean: 2.9.4, 2.10.1, 2.10.2, 2.11.3 •MITRE-ATTACK: T1496 •NIS2: 2.2.3, 3.2.3.a, 3.2.3.c, 3.2.3.f, 3.2.4, 6.4.1 •NIST-800-171-Revision-2: 3_6_1, 3_6_2, 3_12_4 •NIST-800-53-Revision-4: ac_2_4, au_6_1, au_6_3, au_7_1, ca_7, ir_4_1, si_4_2, si_4_4, si_4_5, si_4 •NIST-800-53-Revision-5: au_6_1, au_6_5, au_12_3, au_14_a, au_14_b, ca_2_2, ca_7, ca_7_b, pm_14_a_1, pm_14_b, pm_31, sc_36_1_a, si_2_a, si_4_12, si_5_1, si_5_b •NIST-CSF-1.1: ae_5, cm_2, cm_5, cp_4, ra_5 •ProwlerThreatScore-1.0: 3.3.13 •SOC2: cc_5_2, cc_7_2, cc_7_3, cc_7_4

CloudWatch is an AWS native service that allows you to ob serve and monitor resources and applications. CloudTrail Logs can also be sent to an external Security informationand event management (SIEM) environment for monitoring and alerting.Monitoring changes to route tables will help ensure that all VPC traffic flows through anexpected path and prevent any accidental or intentional modifications that may lead touncontrolled network traffic. An alarm should be triggered every time an AWS API call isperformed to create, replace, delete, or disassociate a Route Table.

If you are using CloudTrails and CloudWatch, perform the following to setup the metric filter, alarm, SNS topic, and subscription: 1. Create a metric filter based on filter pattern provided which checks for route table changes and the <cloudtrail_log_group_name> taken from audit step 1. aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> -- filter-name `<route_table_changes_metric>` --metric-transformations metricName= `<route_table_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{($.eventSource = ec2.amazonaws.com) && (($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable)) }' Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together. 2. Create an SNS topic that the alarm will notify aws sns create-topic --name <sns_topic_name> Note: you can execute this command once and then re-use the same topic for all monitoring alarms. 3. Create an SNS subscription to the topic created in step 2 aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> - -notification-endpoint <sns_subscription_endpoints> Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms. 4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 aws cloudwatch put-metric-alarm --alarm-name `<route_table_changes_alarm>` --metric-name `<route_table_changes_metric>` --statistic Sum --period 300 - -threshold 1 --comparison-operator GreaterThanOrEqualToThreshold -- evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>

•AWS-Well-Architected-Framework-Security-Pillar: SEC04-BP04 •CIS-1.4: 4.13 •CIS-1.5: 4.13 •CIS-2.0: 4.13 •CIS-3.0: 4.13 •CIS-4.0.1: 4.13 •CIS-5.0: 4.13 •FedRAMP-Low-Revision-4: ir-4 •FedRamp-Moderate-Revision-4: ac-2-4, au-6-1-3, au-7-1, ca-7-a-b, ir-4-1, ir-4-1, si-4-2, si-4-4, si-4-5, si-4-a-b-c •FFIEC: d5-dr-de-b-1, d5-dr-de-b-3 •HIPAA: 164_308_a_6_i •ISO27001-2013: A.12.4 •KISA-ISMS-P-2023: 2.9.4, 2.10.1, 2.10.2, 2.11.3 •KISA-ISMS-P-2023-korean: 2.9.4, 2.10.1, 2.10.2, 2.11.3 •MITRE-ATTACK: T1496 •NIS2: 2.2.3, 3.2.3.a, 3.2.3.f, 3.2.4, 6.4.1 •NIST-800-171-Revision-2: 3_6_1, 3_6_2, 3_12_4 •NIST-800-53-Revision-4: ac_2_4, au_6_1, au_6_3, au_7_1, ca_7, ir_4_1, si_4_2, si_4_4, si_4_5, si_4 •NIST-800-53-Revision-5: au_6_1, au_6_5, au_12_3, au_14_a, au_14_b, ca_2_2, ca_7, ca_7_b, pm_14_a_1, pm_14_b, pm_31, sc_36_1_a, si_2_a, si_4_12, si_5_1, si_5_b •NIST-CSF-1.1: ae_5, cm_2, cm_5, cp_4, ra_5 •ProwlerThreatScore-1.0: 3.3.14 •SOC2: cc_5_2, cc_7_2, cc_7_3, cc_7_4

Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.

It is recommended that a metric filter and alarm be established for unauthorized requests.

•AWS-Well-Architected-Framework-Security-Pillar: SEC04-BP04 •CIS-1.4: 4.14 •CIS-1.5: 4.14 •CIS-2.0: 4.14 •CIS-3.0: 4.14 •CIS-4.0.1: 4.14 •CIS-5.0: 4.14 •FedRAMP-Low-Revision-4: ir-4 •FedRamp-Moderate-Revision-4: ac-2-4, au-6-1-3, au-7-1, ca-7-a-b, ir-4-1, ir-4-1, si-4-2, si-4-4, si-4-5, si-4-a-b-c •FFIEC: d5-dr-de-b-1, d5-dr-de-b-3 •HIPAA: 164_308_a_6_i •ISO27001-2013: A.12.4 •ISO27001-2022: A.8.15, A.8.16, A.8.20, A.8.21, A.8.22 •KISA-ISMS-P-2023: 2.9.4, 2.10.1, 2.10.2, 2.11.3 •KISA-ISMS-P-2023-korean: 2.9.4, 2.10.1, 2.10.2, 2.11.3 •MITRE-ATTACK: T1496 •NIS2: 2.2.3, 3.2.3.c, 3.2.3.f, 3.2.4, 6.4.1 •NIST-800-171-Revision-2: 3_6_1, 3_6_2, 3_12_4 •NIST-800-53-Revision-4: ac_2_4, au_6_1, au_6_3, au_7_1, ca_7, ir_4_1, si_4_2, si_4_4, si_4_5, si_4 •NIST-800-53-Revision-5: au_6_1, au_6_5, au_12_3, au_14_a, au_14_b, ca_2_2, ca_7, ca_7_b, pm_14_a_1, pm_14_b, pm_31, sc_36_1_a, si_2_a, si_4_12, si_5_1, si_5_b •NIST-CSF-1.1: ae_5, cm_2, cm_5, cp_4, ra_5 •ProwlerThreatScore-1.0: 3.3.15 •SOC2: cc_5_2, cc_7_2, cc_7_3, cc_7_4

Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.

It is recommended that a metric filter and alarm be established for unauthorized requests.

•AWS-Well-Architected-Framework-Security-Pillar: SEC04-BP04 •CIS-1.4: 4.9 •CIS-1.5: 4.9 •CIS-2.0: 4.9 •CIS-3.0: 4.9 •CIS-4.0.1: 4.9 •CIS-5.0: 4.9 •GDPR: article_25 •ISO27001-2013: A.12.4 •ISO27001-2022: A.8.15, A.8.16 •KISA-ISMS-P-2023: 2.10.1, 2.10.2, 2.11.3 •KISA-ISMS-P-2023-korean: 2.10.1, 2.10.2, 2.11.3 •MITRE-ATTACK: T1496 •NIS2: 2.2.3, 3.2.3.c, 3.2.3.f, 3.2.3.g, 3.5.4, 7.2.b •NIST-CSF-1.1: cm_2, ra_5, sc_4 •ProwlerThreatScore-1.0: 3.3.10 •SOC2: cc_5_2

Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.

It is recommended that a metric filter and alarm be established for unauthorized requests.

•AWS-Account-Security-Onboarding: Critical alert on cloudtrail settings changes •AWS-Well-Architected-Framework-Security-Pillar: SEC04-BP04 •CISA: your-data-2 •CIS-1.4: 4.5 •CIS-1.5: 4.5 •CIS-2.0: 4.5 •CIS-3.0: 4.5 •CIS-4.0.1: 4.5 •CIS-5.0: 4.5 •ENS-RD2022: op.exp.8.aws.ct.2, op.exp.8.r1.aws.ct.2, op.exp.8.r1.aws.ct.3 •GDPR: article_25 •ISO27001-2013: A.12.4 •ISO27001-2022: A.8.15, A.8.16 •KISA-ISMS-P-2023: 2.10.1, 2.10.2, 2.11.3 •KISA-ISMS-P-2023-korean: 2.10.1, 2.10.2, 2.11.3 •MITRE-ATTACK: T1496 •NIS2: 2.2.3, 3.2.3.c, 3.2.3.f, 3.2.3.g, 3.2.4, 3.5.4, 7.2.b •NIST-CSF-1.1: cm_2, ra_5, sc_4 •ProwlerThreatScore-1.0: 3.3.6 •SOC2: cc_5_2

Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.

It is recommended that a metric filter and alarm be established for unauthorized requests.

•AWS-Account-Security-Onboarding: Alert on rise of ConsoleLoginFailures events •AWS-Well-Architected-Framework-Security-Pillar: SEC04-BP04 •CIS-1.4: 4.6 •CIS-1.5: 4.6 •CIS-2.0: 4.6 •CIS-3.0: 4.6 •CIS-4.0.1: 4.6 •CIS-5.0: 4.6 •ENS-RD2022: op.exp.8.aws.ct.5 •GDPR: article_25 •HIPAA: 164_308_a_5_ii_c, 164_308_a_6_i, 164_308_a_6_ii •ISO27001-2013: A.12.4 •ISO27001-2022: A.8.15, A.8.16 •KISA-ISMS-P-2023: 2.10.1, 2.10.2, 2.11.3 •KISA-ISMS-P-2023-korean: 2.10.1, 2.10.2, 2.11.3 •MITRE-ATTACK: T1496 •NIS2: 3.2.3.c, 3.2.3.d, 3.2.3.g, 3.5.4, 7.2.b •NIST-CSF-1.1: cm_2, ra_5, sc_4 •ProwlerThreatScore-1.0: 3.3.7

Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.

It is recommended that a metric filter and alarm be established for unauthorized requests.

•AWS-Well-Architected-Framework-Security-Pillar: SEC04-BP04 •CIS-1.4: 4.15 •CIS-1.5: 4.15 •CIS-2.0: 4.15 •CIS-3.0: 4.15 •CIS-4.0.1: 4.15 •CIS-5.0: 4.15 •ISO27001-2022: A.8.15, A.8.16 •KISA-ISMS-P-2023: 2.10.1, 2.10.2, 2.11.3 •KISA-ISMS-P-2023-korean: 2.10.1, 2.10.2, 2.11.3 •MITRE-ATTACK: T1496 •NIS2: 2.2.3, 3.2.2, 3.2.3.b, 3.2.3.c, 3.2.3.f, 3.2.3.g, 3.5.4, 7.2.b, 11.5.2.d •ProwlerThreatScore-1.0: 3.3.16 •SOC2: cc_5_2

Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.

It is recommended that a metric filter and alarm be established for unauthorized requests.

•AWS-Well-Architected-Framework-Security-Pillar: SEC04-BP04 •CIS-1.4: 4.7 •CIS-1.5: 4.7 •CIS-2.0: 4.7 •CIS-3.0: 4.7 •CIS-4.0.1: 4.7 •CIS-5.0: 4.7 •ENS-RD2022: op.exp.10.aws.cmk.4, op.exp.10.aws.cmk.5 •GDPR: article_25 •ISO27001-2013: A.10.1, A.12.4 •ISO27001-2022: A.8.15, A.8.16 •KISA-ISMS-P-2023: 2.10.1, 2.10.2, 2.11.3 •KISA-ISMS-P-2023-korean: 2.10.1, 2.10.2, 2.11.3 •MITRE-ATTACK: T1485, T1496 •NIS2: 3.2.3.c, 3.2.3.g, 3.5.4, 7.2.b •NIST-CSF-1.1: cm_2, ra_5, sc_4 •ProwlerThreatScore-1.0: 3.3.8

Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.

It is recommended that a metric filter and alarm be established for unauthorized requests.

•AWS-Well-Architected-Framework-Security-Pillar: SEC04-BP04 •CIS-1.4: 4.8 •CIS-1.5: 4.8 •CIS-2.0: 4.8 •CIS-3.0: 4.8 •CIS-4.0.1: 4.8 •CIS-5.0: 4.8 •GDPR: article_25 •ISO27001-2013: A.12.4 •ISO27001-2022: A.8.15, A.8.16 •KISA-ISMS-P-2023: 2.10.1, 2.10.2, 2.11.3 •KISA-ISMS-P-2023-korean: 2.10.1, 2.10.2, 2.11.3 •MITRE-ATTACK: T1496 •NIS2: 2.2.3, 3.2.3.b, 3.2.3.c, 3.2.3.f, 3.2.3.g, 3.5.4, 7.2.b •NIST-CSF-1.1: cm_2, ra_5, sc_4 •ProwlerThreatScore-1.0: 3.3.9 •SOC2: cc_5_2

Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.

It is recommended that a metric filter and alarm be established for unauthorized requests.

•AWS-Well-Architected-Framework-Security-Pillar: SEC04-BP04 •CIS-1.4: 4.4 •CIS-1.5: 4.4 •CIS-2.0: 4.4 •CIS-3.0: 4.4 •CIS-4.0.1: 4.4 •CIS-5.0: 4.4 •ENS-RD2022: op.exp.8.aws.ct.5 •GDPR: article_25 •ISO27001-2013: A.12.4 •ISO27001-2022: A.8.15, A.8.16 •KISA-ISMS-P-2023: 2.10.1, 2.10.2, 2.11.3 •KISA-ISMS-P-2023-korean: 2.10.1, 2.10.2, 2.11.3 •MITRE-ATTACK: T1496 •NIS2: 2.2.3, 3.2.2, 3.2.3.b, 3.2.3.c, 3.2.3.f, 3.2.3.g, 3.5.4, 7.2.b, 11.5.2.d •NIST-CSF-1.1: cm_2, ra_5, sc_4 •PCI-3.2.1: 8.1, 8.1.2 •ProwlerThreatScore-1.0: 3.3.5 •SOC2: cc_5_2

Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.

It is recommended that a metric filter and alarm be established for unauthorized requests.

•AWS-Account-Security-Onboarding: Critical alert on every root user activity •AWS-Well-Architected-Framework-Security-Pillar: SEC04-BP04 •CIS-1.4: 4.3 •CIS-1.5: 4.3 •CIS-2.0: 4.3 •CIS-3.0: 4.3 •CIS-4.0.1: 4.3 •CIS-5.0: 4.3 •ENS-RD2022: op.exp.8.aws.ct.5, op.exp.8.aws.cw.1 •GDPR: article_25 •HIPAA: 164_308_a_6_i, 164_308_a_6_ii •ISO27001-2013: A.12.4 •ISO27001-2022: A.8.15, A.8.16 •KISA-ISMS-P-2023: 2.10.1, 2.10.2, 2.11.3 •KISA-ISMS-P-2023-korean: 2.10.1, 2.10.2, 2.11.3 •MITRE-ATTACK: T1496 •NIS2: 2.3.1, 3.2.1, 3.2.2, 3.2.3.c, 3.2.3.e, 3.2.3.g, 3.5.4, 7.2.b, 9.2.c.vii •NIST-CSF-1.1: cm_2, ra_5, sc_4 •PCI-3.2.1: 7.2, 7.2.1 •ProwlerThreatScore-1.0: 3.3.4

Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.

It is recommended that a metric filter and alarm be established for unauthorized requests.

•AWS-Well-Architected-Framework-Security-Pillar: SEC04-BP04 •CIS-1.4: 4.10 •CIS-1.5: 4.10 •CIS-2.0: 4.10 •CIS-3.0: 4.10 •CIS-4.0.1: 4.10 •CIS-5.0: 4.10 •GDPR: article_25 •ISO27001-2013: A.12.4 •ISO27001-2022: A.8.15, A.8.16 •KISA-ISMS-P-2023: 2.10.1, 2.10.2, 2.11.3 •KISA-ISMS-P-2023-korean: 2.10.1, 2.10.2, 2.11.3 •MITRE-ATTACK: T1496 •NIS2: 2.2.3, 3.2.2, 3.2.3.b, 3.2.3.c, 3.2.3.f, 3.2.3.g, 3.5.4, 11.5.2.d •NIST-CSF-1.1: cm_2, ra_5, sc_4 •ProwlerThreatScore-1.0: 3.3.11 •SOC2: cc_5_2

Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.

It is recommended that a metric filter and alarm be established for unauthorized requests.

•AWS-Well-Architected-Framework-Security-Pillar: SEC04-BP04 •CIS-1.4: 4.2 •CIS-1.5: 4.2 •CIS-2.0: 4.2 •CIS-3.0: 4.2 •CIS-4.0.1: 4.2 •CIS-5.0: 4.2 •ENS-RD2022: op.exp.8.aws.ct.5 •GDPR: article_25 •ISO27001-2013: A.12.4 •ISO27001-2022: A.8.15, A.8.16 •KISA-ISMS-P-2023: 2.10.1, 2.10.2, 2.11.3 •KISA-ISMS-P-2023-korean: 2.10.1, 2.10.2, 2.11.3 •MITRE-ATTACK: T1496 •NIS2: 3.2.3.c, 3.2.3.d, 3.2.3.g, 3.5.4, 9.2.c.vii, 11.7.2 •NIST-CSF-1.1: cm_2, ra_5, sc_4 •ProwlerThreatScore-1.0: 3.3.3

Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.

It is recommended that a metric filter and alarm be established for unauthorized requests.

•AWS-Well-Architected-Framework-Security-Pillar: SEC04-BP04 •CIS-1.4: 4.1 •CIS-1.5: 4.1 •CIS-2.0: 4.1 •CIS-3.0: 4.1 •CIS-4.0.1: 4.1 •CIS-5.0: 4.1 •ENS-RD2022: op.exp.8.aws.ct.5 •GDPR: article_25 •ISO27001-2013: A.12.4 •ISO27001-2022: A.8.15, A.8.16 •KISA-ISMS-P-2023: 2.10.1, 2.10.2, 2.11.3 •KISA-ISMS-P-2023-korean: 2.10.1, 2.10.2, 2.11.3 •MITRE-ATTACK: T1496 •NIS2: 3.2.3.c, 3.2.3.g, 3.2.4, 3.4.2.c, 3.5.4 •NIST-CSF-1.1: cm_2, ra_5, sc_4 •ProwlerThreatScore-1.0: 3.3.2

The AWS configuration item history captured by AWS Config enables security analysis, resource change tracking and compliance auditing.

It is recommended to enable AWS Config in all regions.

•AWS-Account-Security-Onboarding: Enable continuous recording for most of the resources, Confirm that records are present in central aggregator •AWS-Foundational-Security-Best-Practices: Config.1 •AWS-Well-Architected-Framework-Security-Pillar: SEC04-BP02 •CIS-1.4: 3.5 •CIS-1.5: 3.5 •CIS-2.0: 3.5 •CIS-3.0: 3.3 •CIS-4.0.1: 3.3 •CIS-5.0: 3.3 •ENS-RD2022: op.exp.1.aws.cfg.1, op.exp.1.aws.cfg.2, op.exp.3.aws.cfg.1, op.exp.3.r3.aws.cfg.1, op.mon.3.r2.aws.cfg.1, op.mon.3.r6.aws.cfg.1 •GDPR: article_25, article_30 •GxP-EU-Annex-11: 10-change-and-configuration-management, 4.5-validation-development-quality, 4.6-validation-quality-performance •HIPAA: 164_308_a_1_ii_a •ISO27001-2013: A.12.4 •ISO27001-2022: A.5.16, A.5.22 •KISA-ISMS-P-2023: 2.10.2, 2.11.3 •KISA-ISMS-P-2023-korean: 2.10.2, 2.11.3 •MITRE-ATTACK: T1190, T1078, T1204, T1098, T1136, T1525, T1562, T1110, T1040, T1119, T1530, T1485, T1486, T1491, T1499, T1496, T1498 •NIST-CSF-1.1: cm_2, am_1, ra_5, sc_4, ip_12 •PCI-3.2.1: 2.4, 2.4.a, 10.5, 10.5.2, 11.5, 11.5.a, 11.5.b •ProwlerThreatScore-1.0: 3.3.1 •SOC2: cc_2_1, cc_3_1, cc_3_4, cc_8_1

The AWS configuration item history captured by AWS Config enables security analysis, resource change tracking and compliance auditing.

It is recommended to enable AWS Config in all regions.

•AWS-Account-Security-Onboarding: Enable continuous recording for most of the resources, Confirm that records are present in central aggregator •AWS-Foundational-Security-Best-Practices: Config.1 •AWS-Well-Architected-Framework-Security-Pillar: SEC04-BP02 •CIS-1.4: 3.5 •CIS-1.5: 3.5 •CIS-2.0: 3.5 •CIS-3.0: 3.3 •CIS-4.0.1: 3.3 •CIS-5.0: 3.3 •ENS-RD2022: op.exp.1.aws.cfg.1, op.exp.1.aws.cfg.2, op.exp.3.aws.cfg.1, op.exp.3.r3.aws.cfg.1, op.mon.3.r2.aws.cfg.1, op.mon.3.r6.aws.cfg.1 •GDPR: article_25, article_30 •GxP-EU-Annex-11: 10-change-and-configuration-management, 4.5-validation-development-quality, 4.6-validation-quality-performance •HIPAA: 164_308_a_1_ii_a •ISO27001-2013: A.12.4 •ISO27001-2022: A.5.16, A.5.22 •KISA-ISMS-P-2023: 2.10.2, 2.11.3 •KISA-ISMS-P-2023-korean: 2.10.2, 2.11.3 •MITRE-ATTACK: T1190, T1078, T1204, T1098, T1136, T1525, T1562, T1110, T1040, T1119, T1530, T1485, T1486, T1491, T1499, T1496, T1498 •NIST-CSF-1.1: cm_2, am_1, ra_5, sc_4, ip_12 •PCI-3.2.1: 2.4, 2.4.a, 10.5, 10.5.2, 11.5, 11.5.a, 11.5.b •ProwlerThreatScore-1.0: 3.3.1 •SOC2: cc_2_1, cc_3_1, cc_3_4, cc_8_1

The AWS configuration item history captured by AWS Config enables security analysis, resource change tracking and compliance auditing.

It is recommended to enable AWS Config in all regions.

•AWS-Account-Security-Onboarding: Enable continuous recording for most of the resources, Confirm that records are present in central aggregator •AWS-Foundational-Security-Best-Practices: Config.1 •AWS-Well-Architected-Framework-Security-Pillar: SEC04-BP02 •CIS-1.4: 3.5 •CIS-1.5: 3.5 •CIS-2.0: 3.5 •CIS-3.0: 3.3 •CIS-4.0.1: 3.3 •CIS-5.0: 3.3 •ENS-RD2022: op.exp.1.aws.cfg.1, op.exp.1.aws.cfg.2, op.exp.3.aws.cfg.1, op.exp.3.r3.aws.cfg.1, op.mon.3.r2.aws.cfg.1, op.mon.3.r6.aws.cfg.1 •GDPR: article_25, article_30 •GxP-EU-Annex-11: 10-change-and-configuration-management, 4.5-validation-development-quality, 4.6-validation-quality-performance •HIPAA: 164_308_a_1_ii_a •ISO27001-2013: A.12.4 •ISO27001-2022: A.5.16, A.5.22 •KISA-ISMS-P-2023: 2.10.2, 2.11.3 •KISA-ISMS-P-2023-korean: 2.10.2, 2.11.3 •MITRE-ATTACK: T1190, T1078, T1204, T1098, T1136, T1525, T1562, T1110, T1040, T1119, T1530, T1485, T1486, T1491, T1499, T1496, T1498 •NIST-CSF-1.1: cm_2, am_1, ra_5, sc_4, ip_12 •PCI-3.2.1: 2.4, 2.4.a, 10.5, 10.5.2, 11.5, 11.5.a, 11.5.b •ProwlerThreatScore-1.0: 3.3.1 •SOC2: cc_2_1, cc_3_1, cc_3_4, cc_8_1

The AWS configuration item history captured by AWS Config enables security analysis, resource change tracking and compliance auditing.

It is recommended to enable AWS Config in all regions.

•AWS-Account-Security-Onboarding: Enable continuous recording for most of the resources, Confirm that records are present in central aggregator •AWS-Foundational-Security-Best-Practices: Config.1 •AWS-Well-Architected-Framework-Security-Pillar: SEC04-BP02 •CIS-1.4: 3.5 •CIS-1.5: 3.5 •CIS-2.0: 3.5 •CIS-3.0: 3.3 •CIS-4.0.1: 3.3 •CIS-5.0: 3.3 •ENS-RD2022: op.exp.1.aws.cfg.1, op.exp.1.aws.cfg.2, op.exp.3.aws.cfg.1, op.exp.3.r3.aws.cfg.1, op.mon.3.r2.aws.cfg.1, op.mon.3.r6.aws.cfg.1 •GDPR: article_25, article_30 •GxP-EU-Annex-11: 10-change-and-configuration-management, 4.5-validation-development-quality, 4.6-validation-quality-performance •HIPAA: 164_308_a_1_ii_a •ISO27001-2013: A.12.4 •ISO27001-2022: A.5.16, A.5.22 •KISA-ISMS-P-2023: 2.10.2, 2.11.3 •KISA-ISMS-P-2023-korean: 2.10.2, 2.11.3 •MITRE-ATTACK: T1190, T1078, T1204, T1098, T1136, T1525, T1562, T1110, T1040, T1119, T1530, T1485, T1486, T1491, T1499, T1496, T1498 •NIST-CSF-1.1: cm_2, am_1, ra_5, sc_4, ip_12 •PCI-3.2.1: 2.4, 2.4.a, 10.5, 10.5.2, 11.5, 11.5.a, 11.5.b •ProwlerThreatScore-1.0: 3.3.1 •SOC2: cc_2_1, cc_3_1, cc_3_4, cc_8_1

The AWS configuration item history captured by AWS Config enables security analysis, resource change tracking and compliance auditing.

It is recommended to enable AWS Config in all regions.

•AWS-Account-Security-Onboarding: Enable continuous recording for most of the resources, Confirm that records are present in central aggregator •AWS-Foundational-Security-Best-Practices: Config.1 •AWS-Well-Architected-Framework-Security-Pillar: SEC04-BP02 •CIS-1.4: 3.5 •CIS-1.5: 3.5 •CIS-2.0: 3.5 •CIS-3.0: 3.3 •CIS-4.0.1: 3.3 •CIS-5.0: 3.3 •ENS-RD2022: op.exp.1.aws.cfg.1, op.exp.1.aws.cfg.2, op.exp.3.aws.cfg.1, op.exp.3.r3.aws.cfg.1, op.mon.3.r2.aws.cfg.1, op.mon.3.r6.aws.cfg.1 •GDPR: article_25, article_30 •GxP-EU-Annex-11: 10-change-and-configuration-management, 4.5-validation-development-quality, 4.6-validation-quality-performance •HIPAA: 164_308_a_1_ii_a •ISO27001-2013: A.12.4 •ISO27001-2022: A.5.16, A.5.22 •KISA-ISMS-P-2023: 2.10.2, 2.11.3 •KISA-ISMS-P-2023-korean: 2.10.2, 2.11.3 •MITRE-ATTACK: T1190, T1078, T1204, T1098, T1136, T1525, T1562, T1110, T1040, T1119, T1530, T1485, T1486, T1491, T1499, T1496, T1498 •NIST-CSF-1.1: cm_2, am_1, ra_5, sc_4, ip_12 •PCI-3.2.1: 2.4, 2.4.a, 10.5, 10.5.2, 11.5, 11.5.a, 11.5.b •ProwlerThreatScore-1.0: 3.3.1 •SOC2: cc_2_1, cc_3_1, cc_3_4, cc_8_1

The AWS configuration item history captured by AWS Config enables security analysis, resource change tracking and compliance auditing.

It is recommended to enable AWS Config in all regions.

•AWS-Account-Security-Onboarding: Enable continuous recording for most of the resources, Confirm that records are present in central aggregator •AWS-Foundational-Security-Best-Practices: Config.1 •AWS-Well-Architected-Framework-Security-Pillar: SEC04-BP02 •CIS-1.4: 3.5 •CIS-1.5: 3.5 •CIS-2.0: 3.5 •CIS-3.0: 3.3 •CIS-4.0.1: 3.3 •CIS-5.0: 3.3 •ENS-RD2022: op.exp.1.aws.cfg.1, op.exp.1.aws.cfg.2, op.exp.3.aws.cfg.1, op.exp.3.r3.aws.cfg.1, op.mon.3.r2.aws.cfg.1, op.mon.3.r6.aws.cfg.1 •GDPR: article_25, article_30 •GxP-EU-Annex-11: 10-change-and-configuration-management, 4.5-validation-development-quality, 4.6-validation-quality-performance •HIPAA: 164_308_a_1_ii_a •ISO27001-2013: A.12.4 •ISO27001-2022: A.5.16, A.5.22 •KISA-ISMS-P-2023: 2.10.2, 2.11.3 •KISA-ISMS-P-2023-korean: 2.10.2, 2.11.3 •MITRE-ATTACK: T1190, T1078, T1204, T1098, T1136, T1525, T1562, T1110, T1040, T1119, T1530, T1485, T1486, T1491, T1499, T1496, T1498 •NIST-CSF-1.1: cm_2, am_1, ra_5, sc_4, ip_12 •PCI-3.2.1: 2.4, 2.4.a, 10.5, 10.5.2, 11.5, 11.5.a, 11.5.b •ProwlerThreatScore-1.0: 3.3.1 •SOC2: cc_2_1, cc_3_1, cc_3_4, cc_8_1

The AWS configuration item history captured by AWS Config enables security analysis, resource change tracking and compliance auditing.

It is recommended to enable AWS Config in all regions.

•AWS-Account-Security-Onboarding: Enable continuous recording for most of the resources, Confirm that records are present in central aggregator •AWS-Foundational-Security-Best-Practices: Config.1 •AWS-Well-Architected-Framework-Security-Pillar: SEC04-BP02 •CIS-1.4: 3.5 •CIS-1.5: 3.5 •CIS-2.0: 3.5 •CIS-3.0: 3.3 •CIS-4.0.1: 3.3 •CIS-5.0: 3.3 •ENS-RD2022: op.exp.1.aws.cfg.1, op.exp.1.aws.cfg.2, op.exp.3.aws.cfg.1, op.exp.3.r3.aws.cfg.1, op.mon.3.r2.aws.cfg.1, op.mon.3.r6.aws.cfg.1 •GDPR: article_25, article_30 •GxP-EU-Annex-11: 10-change-and-configuration-management, 4.5-validation-development-quality, 4.6-validation-quality-performance •HIPAA: 164_308_a_1_ii_a •ISO27001-2013: A.12.4 •ISO27001-2022: A.5.16, A.5.22 •KISA-ISMS-P-2023: 2.10.2, 2.11.3 •KISA-ISMS-P-2023-korean: 2.10.2, 2.11.3 •MITRE-ATTACK: T1190, T1078, T1204, T1098, T1136, T1525, T1562, T1110, T1040, T1119, T1530, T1485, T1486, T1491, T1499, T1496, T1498 •NIST-CSF-1.1: cm_2, am_1, ra_5, sc_4, ip_12 •PCI-3.2.1: 2.4, 2.4.a, 10.5, 10.5.2, 11.5, 11.5.a, 11.5.b •ProwlerThreatScore-1.0: 3.3.1 •SOC2: cc_2_1, cc_3_1, cc_3_4, cc_8_1

The AWS configuration item history captured by AWS Config enables security analysis, resource change tracking and compliance auditing.

It is recommended to enable AWS Config in all regions.

•AWS-Account-Security-Onboarding: Enable continuous recording for most of the resources, Confirm that records are present in central aggregator •AWS-Foundational-Security-Best-Practices: Config.1 •AWS-Well-Architected-Framework-Security-Pillar: SEC04-BP02 •CIS-1.4: 3.5 •CIS-1.5: 3.5 •CIS-2.0: 3.5 •CIS-3.0: 3.3 •CIS-4.0.1: 3.3 •CIS-5.0: 3.3 •ENS-RD2022: op.exp.1.aws.cfg.1, op.exp.1.aws.cfg.2, op.exp.3.aws.cfg.1, op.exp.3.r3.aws.cfg.1, op.mon.3.r2.aws.cfg.1, op.mon.3.r6.aws.cfg.1 •GDPR: article_25, article_30 •GxP-EU-Annex-11: 10-change-and-configuration-management, 4.5-validation-development-quality, 4.6-validation-quality-performance •HIPAA: 164_308_a_1_ii_a •ISO27001-2013: A.12.4 •ISO27001-2022: A.5.16, A.5.22 •KISA-ISMS-P-2023: 2.10.2, 2.11.3 •KISA-ISMS-P-2023-korean: 2.10.2, 2.11.3 •MITRE-ATTACK: T1190, T1078, T1204, T1098, T1136, T1525, T1562, T1110, T1040, T1119, T1530, T1485, T1486, T1491, T1499, T1496, T1498 •NIST-CSF-1.1: cm_2, am_1, ra_5, sc_4, ip_12 •PCI-3.2.1: 2.4, 2.4.a, 10.5, 10.5.2, 11.5, 11.5.a, 11.5.b •ProwlerThreatScore-1.0: 3.3.1 •SOC2: cc_2_1, cc_3_1, cc_3_4, cc_8_1

The AWS configuration item history captured by AWS Config enables security analysis, resource change tracking and compliance auditing.

It is recommended to enable AWS Config in all regions.

•AWS-Account-Security-Onboarding: Enable continuous recording for most of the resources, Confirm that records are present in central aggregator •AWS-Foundational-Security-Best-Practices: Config.1 •AWS-Well-Architected-Framework-Security-Pillar: SEC04-BP02 •CIS-1.4: 3.5 •CIS-1.5: 3.5 •CIS-2.0: 3.5 •CIS-3.0: 3.3 •CIS-4.0.1: 3.3 •CIS-5.0: 3.3 •ENS-RD2022: op.exp.1.aws.cfg.1, op.exp.1.aws.cfg.2, op.exp.3.aws.cfg.1, op.exp.3.r3.aws.cfg.1, op.mon.3.r2.aws.cfg.1, op.mon.3.r6.aws.cfg.1 •GDPR: article_25, article_30 •GxP-EU-Annex-11: 10-change-and-configuration-management, 4.5-validation-development-quality, 4.6-validation-quality-performance •HIPAA: 164_308_a_1_ii_a •ISO27001-2013: A.12.4 •ISO27001-2022: A.5.16, A.5.22 •KISA-ISMS-P-2023: 2.10.2, 2.11.3 •KISA-ISMS-P-2023-korean: 2.10.2, 2.11.3 •MITRE-ATTACK: T1190, T1078, T1204, T1098, T1136, T1525, T1562, T1110, T1040, T1119, T1530, T1485, T1486, T1491, T1499, T1496, T1498 •NIST-CSF-1.1: cm_2, am_1, ra_5, sc_4, ip_12 •PCI-3.2.1: 2.4, 2.4.a, 10.5, 10.5.2, 11.5, 11.5.a, 11.5.b •ProwlerThreatScore-1.0: 3.3.1 •SOC2: cc_2_1, cc_3_1, cc_3_4, cc_8_1

The AWS configuration item history captured by AWS Config enables security analysis, resource change tracking and compliance auditing.

It is recommended to enable AWS Config in all regions.

•AWS-Account-Security-Onboarding: Enable continuous recording for most of the resources, Confirm that records are present in central aggregator •AWS-Foundational-Security-Best-Practices: Config.1 •AWS-Well-Architected-Framework-Security-Pillar: SEC04-BP02 •CIS-1.4: 3.5 •CIS-1.5: 3.5 •CIS-2.0: 3.5 •CIS-3.0: 3.3 •CIS-4.0.1: 3.3 •CIS-5.0: 3.3 •ENS-RD2022: op.exp.1.aws.cfg.1, op.exp.1.aws.cfg.2, op.exp.3.aws.cfg.1, op.exp.3.r3.aws.cfg.1, op.mon.3.r2.aws.cfg.1, op.mon.3.r6.aws.cfg.1 •GDPR: article_25, article_30 •GxP-EU-Annex-11: 10-change-and-configuration-management, 4.5-validation-development-quality, 4.6-validation-quality-performance •HIPAA: 164_308_a_1_ii_a •ISO27001-2013: A.12.4 •ISO27001-2022: A.5.16, A.5.22 •KISA-ISMS-P-2023: 2.10.2, 2.11.3 •KISA-ISMS-P-2023-korean: 2.10.2, 2.11.3 •MITRE-ATTACK: T1190, T1078, T1204, T1098, T1136, T1525, T1562, T1110, T1040, T1119, T1530, T1485, T1486, T1491, T1499, T1496, T1498 •NIST-CSF-1.1: cm_2, am_1, ra_5, sc_4, ip_12 •PCI-3.2.1: 2.4, 2.4.a, 10.5, 10.5.2, 11.5, 11.5.a, 11.5.b •ProwlerThreatScore-1.0: 3.3.1 •SOC2: cc_2_1, cc_3_1, cc_3_4, cc_8_1

The AWS configuration item history captured by AWS Config enables security analysis, resource change tracking and compliance auditing.

It is recommended to enable AWS Config in all regions.

•AWS-Account-Security-Onboarding: Enable continuous recording for most of the resources, Confirm that records are present in central aggregator •AWS-Foundational-Security-Best-Practices: Config.1 •AWS-Well-Architected-Framework-Security-Pillar: SEC04-BP02 •CIS-1.4: 3.5 •CIS-1.5: 3.5 •CIS-2.0: 3.5 •CIS-3.0: 3.3 •CIS-4.0.1: 3.3 •CIS-5.0: 3.3 •ENS-RD2022: op.exp.1.aws.cfg.1, op.exp.1.aws.cfg.2, op.exp.3.aws.cfg.1, op.exp.3.r3.aws.cfg.1, op.mon.3.r2.aws.cfg.1, op.mon.3.r6.aws.cfg.1 •GDPR: article_25, article_30 •GxP-EU-Annex-11: 10-change-and-configuration-management, 4.5-validation-development-quality, 4.6-validation-quality-performance •HIPAA: 164_308_a_1_ii_a •ISO27001-2013: A.12.4 •ISO27001-2022: A.5.16, A.5.22 •KISA-ISMS-P-2023: 2.10.2, 2.11.3 •KISA-ISMS-P-2023-korean: 2.10.2, 2.11.3 •MITRE-ATTACK: T1190, T1078, T1204, T1098, T1136, T1525, T1562, T1110, T1040, T1119, T1530, T1485, T1486, T1491, T1499, T1496, T1498 •NIST-CSF-1.1: cm_2, am_1, ra_5, sc_4, ip_12 •PCI-3.2.1: 2.4, 2.4.a, 10.5, 10.5.2, 11.5, 11.5.a, 11.5.b •ProwlerThreatScore-1.0: 3.3.1 •SOC2: cc_2_1, cc_3_1, cc_3_4, cc_8_1

The AWS configuration item history captured by AWS Config enables security analysis, resource change tracking and compliance auditing.

It is recommended to enable AWS Config in all regions.

•AWS-Account-Security-Onboarding: Enable continuous recording for most of the resources, Confirm that records are present in central aggregator •AWS-Foundational-Security-Best-Practices: Config.1 •AWS-Well-Architected-Framework-Security-Pillar: SEC04-BP02 •CIS-1.4: 3.5 •CIS-1.5: 3.5 •CIS-2.0: 3.5 •CIS-3.0: 3.3 •CIS-4.0.1: 3.3 •CIS-5.0: 3.3 •ENS-RD2022: op.exp.1.aws.cfg.1, op.exp.1.aws.cfg.2, op.exp.3.aws.cfg.1, op.exp.3.r3.aws.cfg.1, op.mon.3.r2.aws.cfg.1, op.mon.3.r6.aws.cfg.1 •GDPR: article_25, article_30 •GxP-EU-Annex-11: 10-change-and-configuration-management, 4.5-validation-development-quality, 4.6-validation-quality-performance •HIPAA: 164_308_a_1_ii_a •ISO27001-2013: A.12.4 •ISO27001-2022: A.5.16, A.5.22 •KISA-ISMS-P-2023: 2.10.2, 2.11.3 •KISA-ISMS-P-2023-korean: 2.10.2, 2.11.3 •MITRE-ATTACK: T1190, T1078, T1204, T1098, T1136, T1525, T1562, T1110, T1040, T1119, T1530, T1485, T1486, T1491, T1499, T1496, T1498 •NIST-CSF-1.1: cm_2, am_1, ra_5, sc_4, ip_12 •PCI-3.2.1: 2.4, 2.4.a, 10.5, 10.5.2, 11.5, 11.5.a, 11.5.b •ProwlerThreatScore-1.0: 3.3.1 •SOC2: cc_2_1, cc_3_1, cc_3_4, cc_8_1

The AWS configuration item history captured by AWS Config enables security analysis, resource change tracking and compliance auditing.

It is recommended to enable AWS Config in all regions.

•AWS-Account-Security-Onboarding: Enable continuous recording for most of the resources, Confirm that records are present in central aggregator •AWS-Foundational-Security-Best-Practices: Config.1 •AWS-Well-Architected-Framework-Security-Pillar: SEC04-BP02 •CIS-1.4: 3.5 •CIS-1.5: 3.5 •CIS-2.0: 3.5 •CIS-3.0: 3.3 •CIS-4.0.1: 3.3 •CIS-5.0: 3.3 •ENS-RD2022: op.exp.1.aws.cfg.1, op.exp.1.aws.cfg.2, op.exp.3.aws.cfg.1, op.exp.3.r3.aws.cfg.1, op.mon.3.r2.aws.cfg.1, op.mon.3.r6.aws.cfg.1 •GDPR: article_25, article_30 •GxP-EU-Annex-11: 10-change-and-configuration-management, 4.5-validation-development-quality, 4.6-validation-quality-performance •HIPAA: 164_308_a_1_ii_a •ISO27001-2013: A.12.4 •ISO27001-2022: A.5.16, A.5.22 •KISA-ISMS-P-2023: 2.10.2, 2.11.3 •KISA-ISMS-P-2023-korean: 2.10.2, 2.11.3 •MITRE-ATTACK: T1190, T1078, T1204, T1098, T1136, T1525, T1562, T1110, T1040, T1119, T1530, T1485, T1486, T1491, T1499, T1496, T1498 •NIST-CSF-1.1: cm_2, am_1, ra_5, sc_4, ip_12 •PCI-3.2.1: 2.4, 2.4.a, 10.5, 10.5.2, 11.5, 11.5.a, 11.5.b •ProwlerThreatScore-1.0: 3.3.1 •SOC2: cc_2_1, cc_3_1, cc_3_4, cc_8_1

The AWS configuration item history captured by AWS Config enables security analysis, resource change tracking and compliance auditing.

It is recommended to enable AWS Config in all regions.

•AWS-Account-Security-Onboarding: Enable continuous recording for most of the resources, Confirm that records are present in central aggregator •AWS-Foundational-Security-Best-Practices: Config.1 •AWS-Well-Architected-Framework-Security-Pillar: SEC04-BP02 •CIS-1.4: 3.5 •CIS-1.5: 3.5 •CIS-2.0: 3.5 •CIS-3.0: 3.3 •CIS-4.0.1: 3.3 •CIS-5.0: 3.3 •ENS-RD2022: op.exp.1.aws.cfg.1, op.exp.1.aws.cfg.2, op.exp.3.aws.cfg.1, op.exp.3.r3.aws.cfg.1, op.mon.3.r2.aws.cfg.1, op.mon.3.r6.aws.cfg.1 •GDPR: article_25, article_30 •GxP-EU-Annex-11: 10-change-and-configuration-management, 4.5-validation-development-quality, 4.6-validation-quality-performance •HIPAA: 164_308_a_1_ii_a •ISO27001-2013: A.12.4 •ISO27001-2022: A.5.16, A.5.22 •KISA-ISMS-P-2023: 2.10.2, 2.11.3 •KISA-ISMS-P-2023-korean: 2.10.2, 2.11.3 •MITRE-ATTACK: T1190, T1078, T1204, T1098, T1136, T1525, T1562, T1110, T1040, T1119, T1530, T1485, T1486, T1491, T1499, T1496, T1498 •NIST-CSF-1.1: cm_2, am_1, ra_5, sc_4, ip_12 •PCI-3.2.1: 2.4, 2.4.a, 10.5, 10.5.2, 11.5, 11.5.a, 11.5.b •ProwlerThreatScore-1.0: 3.3.1 •SOC2: cc_2_1, cc_3_1, cc_3_4, cc_8_1

The AWS configuration item history captured by AWS Config enables security analysis, resource change tracking and compliance auditing.

It is recommended to enable AWS Config in all regions.

•AWS-Account-Security-Onboarding: Enable continuous recording for most of the resources, Confirm that records are present in central aggregator •AWS-Foundational-Security-Best-Practices: Config.1 •AWS-Well-Architected-Framework-Security-Pillar: SEC04-BP02 •CIS-1.4: 3.5 •CIS-1.5: 3.5 •CIS-2.0: 3.5 •CIS-3.0: 3.3 •CIS-4.0.1: 3.3 •CIS-5.0: 3.3 •ENS-RD2022: op.exp.1.aws.cfg.1, op.exp.1.aws.cfg.2, op.exp.3.aws.cfg.1, op.exp.3.r3.aws.cfg.1, op.mon.3.r2.aws.cfg.1, op.mon.3.r6.aws.cfg.1 •GDPR: article_25, article_30 •GxP-EU-Annex-11: 10-change-and-configuration-management, 4.5-validation-development-quality, 4.6-validation-quality-performance •HIPAA: 164_308_a_1_ii_a •ISO27001-2013: A.12.4 •ISO27001-2022: A.5.16, A.5.22 •KISA-ISMS-P-2023: 2.10.2, 2.11.3 •KISA-ISMS-P-2023-korean: 2.10.2, 2.11.3 •MITRE-ATTACK: T1190, T1078, T1204, T1098, T1136, T1525, T1562, T1110, T1040, T1119, T1530, T1485, T1486, T1491, T1499, T1496, T1498 •NIST-CSF-1.1: cm_2, am_1, ra_5, sc_4, ip_12 •PCI-3.2.1: 2.4, 2.4.a, 10.5, 10.5.2, 11.5, 11.5.a, 11.5.b •ProwlerThreatScore-1.0: 3.3.1 •SOC2: cc_2_1, cc_3_1, cc_3_4, cc_8_1

The AWS configuration item history captured by AWS Config enables security analysis, resource change tracking and compliance auditing.

It is recommended to enable AWS Config in all regions.

•AWS-Account-Security-Onboarding: Enable continuous recording for most of the resources, Confirm that records are present in central aggregator •AWS-Foundational-Security-Best-Practices: Config.1 •AWS-Well-Architected-Framework-Security-Pillar: SEC04-BP02 •CIS-1.4: 3.5 •CIS-1.5: 3.5 •CIS-2.0: 3.5 •CIS-3.0: 3.3 •CIS-4.0.1: 3.3 •CIS-5.0: 3.3 •ENS-RD2022: op.exp.1.aws.cfg.1, op.exp.1.aws.cfg.2, op.exp.3.aws.cfg.1, op.exp.3.r3.aws.cfg.1, op.mon.3.r2.aws.cfg.1, op.mon.3.r6.aws.cfg.1 •GDPR: article_25, article_30 •GxP-EU-Annex-11: 10-change-and-configuration-management, 4.5-validation-development-quality, 4.6-validation-quality-performance •HIPAA: 164_308_a_1_ii_a •ISO27001-2013: A.12.4 •ISO27001-2022: A.5.16, A.5.22 •KISA-ISMS-P-2023: 2.10.2, 2.11.3 •KISA-ISMS-P-2023-korean: 2.10.2, 2.11.3 •MITRE-ATTACK: T1190, T1078, T1204, T1098, T1136, T1525, T1562, T1110, T1040, T1119, T1530, T1485, T1486, T1491, T1499, T1496, T1498 •NIST-CSF-1.1: cm_2, am_1, ra_5, sc_4, ip_12 •PCI-3.2.1: 2.4, 2.4.a, 10.5, 10.5.2, 11.5, 11.5.a, 11.5.b •ProwlerThreatScore-1.0: 3.3.1 •SOC2: cc_2_1, cc_3_1, cc_3_4, cc_8_1

The AWS configuration item history captured by AWS Config enables security analysis, resource change tracking and compliance auditing.

It is recommended to enable AWS Config in all regions.

•AWS-Account-Security-Onboarding: Enable continuous recording for most of the resources, Confirm that records are present in central aggregator •AWS-Foundational-Security-Best-Practices: Config.1 •AWS-Well-Architected-Framework-Security-Pillar: SEC04-BP02 •CIS-1.4: 3.5 •CIS-1.5: 3.5 •CIS-2.0: 3.5 •CIS-3.0: 3.3 •CIS-4.0.1: 3.3 •CIS-5.0: 3.3 •ENS-RD2022: op.exp.1.aws.cfg.1, op.exp.1.aws.cfg.2, op.exp.3.aws.cfg.1, op.exp.3.r3.aws.cfg.1, op.mon.3.r2.aws.cfg.1, op.mon.3.r6.aws.cfg.1 •GDPR: article_25, article_30 •GxP-EU-Annex-11: 10-change-and-configuration-management, 4.5-validation-development-quality, 4.6-validation-quality-performance •HIPAA: 164_308_a_1_ii_a •ISO27001-2013: A.12.4 •ISO27001-2022: A.5.16, A.5.22 •KISA-ISMS-P-2023: 2.10.2, 2.11.3 •KISA-ISMS-P-2023-korean: 2.10.2, 2.11.3 •MITRE-ATTACK: T1190, T1078, T1204, T1098, T1136, T1525, T1562, T1110, T1040, T1119, T1530, T1485, T1486, T1491, T1499, T1496, T1498 •NIST-CSF-1.1: cm_2, am_1, ra_5, sc_4, ip_12 •PCI-3.2.1: 2.4, 2.4.a, 10.5, 10.5.2, 11.5, 11.5.a, 11.5.b •ProwlerThreatScore-1.0: 3.3.1 •SOC2: cc_2_1, cc_3_1, cc_3_4, cc_8_1

If not enabled sensitive information at rest is not protected.

Enable Encryption. Use a CMK where possible. It will provide additional management and privacy benefits.

•AWS-Audit-Manager-Control-Tower-Guardrails: 1.0.3 •AWS-Foundational-Security-Best-Practices: EC2.7 •AWS-Well-Architected-Framework-Security-Pillar: SEC08-BP02 •CISA: your-systems-3, your-data-1 •FFIEC: d3-pc-am-b-12 •GxP-21-CFR-Part-11: 11.10-g, 11.30 •GxP-EU-Annex-11: 7.1-data-storage-damage-protection •HIPAA: 164_308_a_1_ii_b, 164_308_a_4_ii_a, 164_312_a_2_iv, 164_312_e_2_ii •ISO27001-2022: A.8.11, A.8.24 •KISA-ISMS-P-2023: 2.7.1, 2.10.2 •KISA-ISMS-P-2023-korean: 2.7.1, 2.10.2 •MITRE-ATTACK: T1119 •NIST-800-53-Revision-4: sc_28 •NIST-800-53-Revision-5: au_9_3, cm_6_a, cm_9_b, cp_9_d, sc_8_3, sc_8_4, sc_13_a, sc_28_1, si_19_4 •PCI-3.2.1: 3.4, 3.4.1, 3.4.1.a, 3.4.1.c, 3.4.a, 3.4.b, 8.2, 8.2.1, 8.2.1.a •RBI-Cyber-Security-Framework: annex_i_1_3

Data encryption at rest prevents data visibility in the event of its unauthorized access or theft.

Encrypt all EBS volumes and Enable Encryption by default You can configure your AWS account to enforce the encryption of the new EBS volumes and snapshot copies that you create. For example, Amazon EBS encrypts the EBS volumes created when you launch an instance and the snapshots that you copy from an unencrypted snapshot.

•AWS-Audit-Manager-Control-Tower-Guardrails: 1.0.3 •AWS-Foundational-Security-Best-Practices: EC2.3 •AWS-Well-Architected-Framework-Security-Pillar: SEC08-BP02 •CISA: your-systems-3, your-data-1, your-data-2 •CIS-1.4: 2.2.1 •CIS-1.5: 2.2.1 •CIS-2.0: 2.2.1 •CIS-3.0: 2.2.1 •CIS-4.0.1: 5.1.1 •CIS-5.0: 5.1.1 •ENS-RD2022: mp.si.2.aws.kms.1 •FedRamp-Moderate-Revision-4: sc-28 •FFIEC: d3-pc-am-b-12 •GDPR: article_32 •GxP-21-CFR-Part-11: 11.10-g, 11.30 •GxP-EU-Annex-11: 7.1-data-storage-damage-protection •HIPAA: 164_308_a_1_ii_b, 164_308_a_4_ii_a, 164_312_a_2_iv, 164_312_c_1, 164_312_c_2, 164_312_e_2_ii •ISO27001-2022: A.8.11, A.8.24 •KISA-ISMS-P-2023: 2.7.1, 2.10.2 •KISA-ISMS-P-2023-korean: 2.7.1, 2.10.2 •MITRE-ATTACK: T1119 •NIST-800-171-Revision-2: 3_5_10, 3_13_11, 3_13_16 •NIST-800-53-Revision-4: sc_28 •NIST-800-53-Revision-5: au_9_3, cm_6_a, cm_9_b, cp_9_d, sc_8_3, sc_8_4, sc_13_a, sc_28_1, si_19_4 •NIST-CSF-1.1: ds_1 •PCI-3.2.1: 3.4, 3.4.1, 3.4.1.a, 3.4.1.c, 3.4.a, 3.4.b, 8.2, 8.2.1, 8.2.1.a •PCI-4.0: 3.5.1.20, 8.3.2.34 •ProwlerThreatScore-1.0: 4.2.1 •RBI-Cyber-Security-Framework: annex_i_1_3

Without backup coverage, Amazon EBS volumes are vulnerable to data loss or deletion, reducing the resilience of your systems and making recovery from incidents more difficult.

Ensure that all in-use Amazon EBS volumes are included in a backup plan, and consider using AWS Backup Vault Lock for additional protection.

•AWS-Foundational-Security-Best-Practices: EC2.28 •ISO27001-2022: A.8.14 •KISA-ISMS-P-2023: 2.9.3, 2.12.1 •KISA-ISMS-P-2023-korean: 2.9.3, 2.12.1 •NIS2: 3.6.2, 4.1.2.g, 12.1.2.c, 12.2.2.b •PCI-3.2.1: 3.1, 3.1.c •PCI-4.0: 10.3.3.12, 10.3.3.13, 10.3.3.14, 10.3.3.24

Ensure that your EBS volumes (available or in-use) have recent snapshots (taken weekly) available for point-in-time recovery for a better, more reliable data backup strategy.

Creating point-in-time EBS snapshots periodically will allow you to handle efficiently your data recovery process in the event of a failure, to save your data before shutting down an EC2 instance, to back up data for geographical expansion and to maintain your disaster recovery stack up to date.

•AWS-Audit-Manager-Control-Tower-Guardrails: 1.0.2 •KISA-ISMS-P-2023: 2.9.3, 2.12.1 •KISA-ISMS-P-2023-korean: 2.9.3, 2.12.1 •PCI-4.0: 10.5.1.7, 3.2.1.6, 3.3.1.1.6, 3.3.1.3.6, 3.3.2.6, 3.3.3.6 •SOC2: cc_7_5

EC2 instances that use IMDSv1 are vulnerable to SSRF attacks.

Enable Instance Metadata Service Version 2 (IMDSv2) on the EC2 instances. Apply this configuration at the account level for each AWS Region to set the default instance metadata version.

•CIS-2.0: 5.6 •ISO27001-2022: A.8.20, A.8.21, A.8.22 •KISA-ISMS-P-2023: 2.6.2, 2.10.2 •KISA-ISMS-P-2023-korean: 2.6.2, 2.10.2 •NIS2: 6.7.2.i

Enabling detailed monitoring provides enhanced monitoring and granular insights into EC2 instance metrics. Not having detailed monitoring enabled may limit the ability to troubleshoot performance issues effectively.

Enable detailed monitoring for EC2 instances to gain better insights into performance metrics.

•KISA-ISMS-P-2023: 2.9.2 •KISA-ISMS-P-2023-korean: 2.9.2 •NIS2: 3.2.3.h •PCI-4.0: 10.2.1.1.15, 10.4.1.1.4, 10.4.1.3, 10.4.2.4, 10.6.3.15, 10.7.1.5, 10.7.2.5, A3.3.1.7, A3.5.1.7

AWS Config provides AWS Managed Rules, which are predefined, customizable rules that AWS Config uses to evaluate whether your AWS resource configurations comply with common best practices.

Verify and apply Systems Manager Prerequisites.

•AWS-Foundational-Security-Best-Practices: SSM.1 •AWS-Well-Architected-Framework-Security-Pillar: SEC01-BP06, SEC06-BP04, SEC06-BP05 •CISA: your-systems-1 •ENS-RD2022: op.acc.4.aws.iam.6, op.acc.4.aws.sys.1, op.exp.1.aws.sys.1, op.exp.4.aws.sys.2, op.exp.4.r2.aws.sys.1, op.exp.9.aws.img.1, op.acc.4.aws.iam.3 •FedRAMP-Low-Revision-4: cm-8, sa-3 •FedRamp-Moderate-Revision-4: cm-2, cm-7-a, cm-8-1, cm-8-3-a, sa-3-a, sa-10, si-2-2, si-7-1 •FFIEC: d1-g-it-b-1, d3-pc-im-b-5 •GxP-21-CFR-Part-11: 11.10-a, 11.10-h •HIPAA: 164_308_a_5_ii_b •ISO27001-2022: A.5.26 •KISA-ISMS-P-2023: 2.6.2, 2.10.2 •KISA-ISMS-P-2023-korean: 2.6.2, 2.10.2 •NIST-800-171-Revision-2: 3_4_1, 3_4_2, 3_4_6, 3_4_9, 3_14_2 •NIST-800-53-Revision-4: cm_2, cm_7, cm_8_1, cm_8_3, sa_3, sa_10, si_2_2, si_7_1 •NIST-800-53-Revision-5: cm_2_a, cm_2_b, cm_2_b_1, cm_2_b_2, cm_2_b_3, cm_2_2, cm_3_3, cm_6, cm_8_1, cm_8_2, cm_8_3_a, cm_8_6, cm_8_a, cm_8_a_1, cm_8_a_2, cm_8_a_3, cm_8_a_4, cm_8_a_5, cm_8_b, si_3_c_2 •NIST-CSF-1.1: am_1, am_2, ds_3, ds_7, ds_8, ip_1, ip_2, ip_12 •RBI-Cyber-Security-Framework: annex_i_1_1 •SOC2: cc_3_2, cc_7_1

SSH is a common target for brute force attacks. If an EC2 instance allows ingress from the internet to TCP port 22, it is at risk of being compromised.

Modify the security group associated with the EC2 instance to remove the rule that allows ingress from the internet to TCP port 22.

•ISO27001-2022: A.8.20, A.8.21, A.8.22 •KISA-ISMS-P-2023: 2.6.1, 2.6.2, 2.6.6, 2.10.2 •KISA-ISMS-P-2023-korean: 2.6.1, 2.6.2, 2.6.6, 2.10.2 •NIS2: 6.7.2.g •ProwlerThreatScore-1.0: 2.1.6 •SOC2: cc_6_6

AWS access from within AWS instances can be done by either encoding AWS keys into AWS API calls or by assigning the instance to a role which has an appropriate permissions policy for the required access. AWS IAM roles reduce the risks associated with sharing and rotating credentials that can be used outside of AWS itself. If credentials are compromised, they can be used from outside of the AWS account.

Create an IAM instance role if necessary and attach it to the corresponding EC2 instance..

•AWS-Well-Architected-Framework-Security-Pillar: SEC03-BP01, SEC03-BP02, SEC06-BP04, SEC06-BP05 •CIS-1.4: 1.18 •CIS-1.5: 1.18 •CIS-2.0: 1.18 •CIS-3.0: 1.18 •CIS-4.0.1: 1.18 •CIS-5.0: 1.17 •FFIEC: d3-pc-am-b-1 •GxP-21-CFR-Part-11: 11.10-d, 11.10-g •ISO27001-2022: A.8.2, A.8.20, A.8.21, A.8.22 •KISA-ISMS-P-2023: 2.5.1, 2.5.6, 2.10.2 •KISA-ISMS-P-2023-korean: 2.5.1, 2.5.6, 2.10.2 •NIS2: 11.1.1, 11.2.2.d •NIST-800-171-Revision-2: 3_1_1, 3_1_2 •NIST-800-53-Revision-5: ac_3, cm_5_1_a, cm_6_a •PCI-4.0: 7.2.1.5, 7.2.2.5, 7.2.5.3, 7.3.1.3, 7.3.2.3, 7.3.3.3, 8.2.7.3, 8.2.8.5, 8.3.4.3 •ProwlerThreatScore-1.0: 1.2.4

Exposing an EC2 directly to internet increases the attack surface and therefore the risk of compromise.

Use an ALB and apply WAF ACL.

•AWS-Foundational-Security-Best-Practices: EC2.9 •AWS-Foundational-Technical-Review: NETSEC-001 •AWS-Well-Architected-Framework-Security-Pillar: SEC03-BP07 •CISA: your-systems-3, your-data-2 •FedRAMP-Low-Revision-4: ac-3, ac-17, cm-2, sc-7 •FedRamp-Moderate-Revision-4: ac-3, ac-4, ac-6, ac-17-1, ac-21-b, cm-2, sc-7-3, sc-7 •FFIEC: d3-pc-im-b-1 •GxP-21-CFR-Part-11: 11.10-d, 11.10-g •HIPAA: 164_308_a_1_ii_b, 164_308_a_3_i, 164_312_a_1 •ISO27001-2022: A.8.1, A.8.20, A.8.21, A.8.22 •KISA-ISMS-P-2023: 2.6.1, 2.10.2 •KISA-ISMS-P-2023-korean: 2.6.1, 2.10.2 •MITRE-ATTACK: T1190 •NIST-800-171-Revision-2: 3_1_1, 3_1_2, 3_1_3, 3_1_14, 3_13_2, 3_13_5 •NIST-800-53-Revision-4: ac_4, ac_6, ac_21, sc_7_3, sc_7 •NIST-800-53-Revision-5: ac_2_6, ac_3, ac_3_7, ac_4_21, ac_6, ac_17_b, ac_17_1, ac_17_4_a, ac_17_9, ac_17_10, mp_2, sc_7_2, sc_7_3, sc_7_7, sc_7_9_a, sc_7_11, sc_7_12, sc_7_16, sc_7_20, sc_7_21, sc_7_24_b, sc_7_25, sc_7_26, sc_7_27, sc_7_28, sc_7_a, sc_7_b, sc_7_c, sc_25 •NIST-CSF-1.1: ac_3, ac_5, ip_8 •PCI-3.2.1: 1.3, 2.2, 2.2.2, 7.2, 7.2.1 •RBI-Cyber-Security-Framework: annex_i_1_3 •SOC2: cc_6_6

Even having a perimeter firewall, having network acls open allows any user or malware with vpc access to scan for well known and sensitive ports and gain access to instance.

Apply Zero Trust approach. Implement a process to scan and remediate unrestricted or overly permissive network acls. Recommended best practices is to narrow the definition for the minimum ports required.

•AWS-Well-Architected-Framework-Security-Pillar: SEC05-BP03 •CISA: your-data-2 •CIS-1.4: 5.1 •CIS-1.5: 5.1 •CIS-2.0: 5.1 •CIS-3.0: 5.1 •CIS-4.0.1: 5.2 •CIS-5.0: 5.2 •FedRAMP-Low-Revision-4: ac-17, cm-2, sc-7 •FedRamp-Moderate-Revision-4: ac-4, ac-17-1, ac-21-b, cm-2, sc-4, sc-7-3, sc-7 •FFIEC: d3-pc-am-b-10, d3-pc-im-b-1, d3-pc-im-b-2, d3-pc-im-b-6, d4-c-co-b-2 •GxP-21-CFR-Part-11: 11.10-d, 11.10-g, 11.10-k •HIPAA: 164_308_a_1_ii_b, 164_312_e_1 •ISO27001-2022: A.8.20, A.8.21, A.8.22 •KISA-ISMS-P-2023: 2.6.1, 2.10.2 •KISA-ISMS-P-2023-korean: 2.6.1, 2.10.2 •MITRE-ATTACK: T1199, T1048, T1499, T1498, T1046 •NIST-800-171-Revision-2: 3_1_1, 3_1_2, 3_1_3, 3_1_14, 3_1_20, 3_4_1, 3_4_7, 3_13_1, 3_13_2, 3_13_5, 3_13_6 •NIST-800-53-Revision-4: ac_4, cm_2, sc_7_3, sc_7 •NIST-800-53-Revision-5: ac_4_21, ac_17_b, ac_17_1, ac_17_4_a, ac_17_9, ac_17_10, cm_2_a, cm_2_2, cm_6_a, cm_7_b, cm_8_6, cm_9_b, sc_7_5, sc_7_7, sc_7_11, sc_7_12, sc_7_16, sc_7_21, sc_7_24_b, sc_7_25, sc_7_26, sc_7_27, sc_7_28, sc_7_a, sc_7_c •NIST-CSF-1.1: ae_1, ac_3, ac_5, pt_4 •ProwlerThreatScore-1.0: 2.1.3 •RBI-Cyber-Security-Framework: annex_i_1_3, annex_i_5_1 •SOC2: cc_6_6

Even having a perimeter firewall, having network acls open allows any user or malware with vpc access to scan for well known and sensitive ports and gain access to instance.

Apply Zero Trust approach. Implement a process to scan and remediate unrestricted or overly permissive network acls. Recommended best practices is to narrow the definition for the minimum ports required.

•AWS-Foundational-Security-Best-Practices: EC2.21 •AWS-Well-Architected-Framework-Security-Pillar: SEC05-BP02, SEC05-BP03 •CIS-1.4: 5.1 •CIS-1.5: 5.1 •CIS-2.0: 5.1 •CIS-3.0: 5.1 •CIS-4.0.1: 5.2 •CIS-5.0: 5.2 •ISO27001-2022: A.8.20, A.8.21, A.8.22 •KISA-ISMS-P-2023: 2.6.1, 2.6.6, 2.10.2 •KISA-ISMS-P-2023-korean: 2.6.1, 2.6.6, 2.10.2 •MITRE-ATTACK: T1199, T1048, T1499, T1498, T1046 •NIS2: 6.7.2.g •PCI-3.2.1: 1.2, 1.2.1, 1.2.1.a, 1.2.1.b, 1.2.1.c, 1.2.3, 1.2.3.b, 1.3, 1.3.2 •ProwlerThreatScore-1.0: 2.1.3 •SOC2: cc_6_6

Even having a perimeter firewall, having network acls open allows any user or malware with vpc access to scan for well known and sensitive ports and gain access to instance.

Apply Zero Trust approach. Implement a process to scan and remediate unrestricted or overly permissive network acls. Recommended best practices is to narrow the definition for the minimum ports required.

•AWS-Foundational-Security-Best-Practices: EC2.21 •AWS-Well-Architected-Framework-Security-Pillar: SEC05-BP03 •CIS-1.4: 5.1 •CIS-1.5: 5.1 •CIS-2.0: 5.1 •CIS-3.0: 5.1 •CIS-4.0.1: 5.2 •CIS-5.0: 5.2 •ISO27001-2022: A.8.20, A.8.21, A.8.22 •KISA-ISMS-P-2023: 2.6.1, 2.6.6, 2.10.2 •KISA-ISMS-P-2023-korean: 2.6.1, 2.6.6, 2.10.2 •MITRE-ATTACK: T1199, T1048, T1499, T1498, T1046 •NIS2: 6.7.2.g •PCI-3.2.1: 1.2, 1.2.1, 1.2.1.a, 1.2.1.b, 1.2.1.c, 1.2.3, 1.2.3.b, 1.3, 1.3.2 •PCI-4.0: 1.2.8.21, 1.3.1.24, 1.3.2.24, 1.4.2.22, 1.5.1.21, A1.1.3.21 •ProwlerThreatScore-1.0: 2.1.3 •SOC2: cc_6_6

The security group allows all traffic from the internet to any port. This could allow an attacker to access the instance.

Use a Zero Trust approach. Narrow ingress traffic as much as possible. Consider north-south as well as east-west traffic.

•ISO27001-2022: A.8.20, A.8.21, A.8.22 •KISA-ISMS-P-2023: 2.6.1, 2.6.2, 2.6.4, 2.6.6, 2.10.2 •KISA-ISMS-P-2023-korean: 2.6.1, 2.6.2, 2.6.4, 2.6.6, 2.10.2 •PCI-4.0: 1.2.5.17, 1.2.8.41, 1.3.1.45, 1.3.2.45, 1.4.2.43, 1.5.1.40, 2.2.5.17, A1.1.3.40 •SOC2: cc_6_6

If Security groups are not properly configured the attack surface is increased.

Use a Zero Trust approach. Narrow ingress traffic as much as possible. Consider north-south as well as east-west traffic.

•AWS-Audit-Manager-Control-Tower-Guardrails: 2.0.2 •AWS-Foundational-Security-Best-Practices: EC2.13 •AWS-Foundational-Technical-Review: NETSEC-001 •AWS-Well-Architected-Framework-Security-Pillar: SEC05-BP03 •CISA: your-systems-3, your-data-2 •CIS-1.4: 5.2 •CIS-1.5: 5.2, 5.3 •CIS-2.0: 5.2, 5.3 •CIS-3.0: 5.2, 5.3 •CIS-4.0.1: 5.3, 5.4 •CIS-5.0: 5.3, 5.4 •FedRAMP-Low-Revision-4: ac-17, cm-2, sc-7 •FedRamp-Moderate-Revision-4: ac-4, ac-17-1, cm-2, sc-4, sc-7-3, sc-7 •FFIEC: d3-pc-am-b-10, d3-pc-im-b-1, d3-pc-im-b-2, d3-pc-im-b-6, d4-c-co-b-2 •GxP-21-CFR-Part-11: 11.10-d, 11.10-g •HIPAA: 164_308_a_1_ii_b, 164_312_e_1 •ISO27001-2013: A.12.6, A.13.1 •ISO27001-2022: A.8.20, A.8.21, A.8.22 •KISA-ISMS-P-2023: 2.6.1, 2.6.2, 2.6.6, 2.10.2 •KISA-ISMS-P-2023-korean: 2.6.1, 2.6.2, 2.6.6, 2.10.2 •MITRE-ATTACK: T1199, T1048, T1499, T1498, T1046 •NIST-800-171-Revision-2: 3_1_1, 3_1_2, 3_1_3, 3_1_14, 3_1_20, 3_4_7, 3_13_1, 3_13_2, 3_13_5, 3_13_6 •NIST-800-53-Revision-4: ac_4, sc_7_3, sc_7 •NIST-800-53-Revision-5: ac_17_b, ac_17_1, ac_17_9, ac_17_10, cm_9_b, sc_7_7, sc_7_11, sc_7_12, sc_7_16, sc_7_21, sc_7_24_b, sc_7_25, sc_7_26, sc_7_27, sc_7_28, sc_7_a, sc_7_c •NIST-CSF-1.1: ae_1, ac_3, ac_5, ds_7, pt_4 •PCI-3.2.1: 1.2, 1.2.1, 1.2.1.a, 1.2.1.b, 1.2.1.c, 1.3, 1.3.1, 2.2, 2.2.2 •PCI-4.0: 1.2.8.17, 1.3.1.19, 1.3.2.19, 1.4.2.18, 1.5.1.17, A1.1.3.17 •ProwlerThreatScore-1.0: 2.1.4, 2.1.7 •RBI-Cyber-Security-Framework: annex_i_5_1, annex_i_7_3 •SOC2: cc_6_6, cc_7_2

Security Groups Created on the AWS Console using the EC2 wizard may allow port 22 from 0.0.0.0/0.

Apply Zero Trust approach. Implement a process to scan and remediate security groups created by the EC2 Wizard. Recommended best practices is to use an authorized security group.

•AWS-Well-Architected-Framework-Security-Pillar: SEC05-BP03 •ENS-RD2022: mp.com.1.aws.sg.1 •ISO27001-2022: A.8.20, A.8.21, A.8.22 •KISA-ISMS-P-2023: 2.10.2 •KISA-ISMS-P-2023-korean: 2.10.2

Security Groups Created on the AWS Console using the EC2 wizard may allow port 22 from 0.0.0.0/0.

Apply Zero Trust approach. Implement a process to scan and remediate security groups created by the EC2 Wizard. Recommended best practices is to use an authorized security group.

•AWS-Well-Architected-Framework-Security-Pillar: SEC05-BP03 •ENS-RD2022: mp.com.1.aws.sg.1 •ISO27001-2022: A.8.20, A.8.21, A.8.22 •KISA-ISMS-P-2023: 2.10.2 •KISA-ISMS-P-2023-korean: 2.10.2

Security Groups Created on the AWS Console using the EC2 wizard may allow port 22 from 0.0.0.0/0.

Apply Zero Trust approach. Implement a process to scan and remediate security groups created by the EC2 Wizard. Recommended best practices is to use an authorized security group.

•AWS-Well-Architected-Framework-Security-Pillar: SEC05-BP03 •ENS-RD2022: mp.com.1.aws.sg.1 •ISO27001-2022: A.8.20, A.8.21, A.8.22 •KISA-ISMS-P-2023: 2.10.2 •KISA-ISMS-P-2023-korean: 2.10.2

Having clear definition and scope for Security Groups creates a better administration environment.

List all the security groups and then use the cli to check if they are attached to an instance.

•AWS-Foundational-Security-Best-Practices: EC2.22 •AWS-Foundational-Technical-Review: NETSEC-001 •AWS-Well-Architected-Framework-Security-Pillar: SEC05-BP03 •ENS-RD2022: mp.com.1.aws.sg.3 •ISO27001-2022: A.8.20, A.8.21, A.8.22 •KISA-ISMS-P-2023: 2.10.2 •KISA-ISMS-P-2023-korean: 2.10.2

Having clear definition and scope for Security Groups creates a better administration environment.

List all the security groups and then use the cli to check if they are attached to an instance.

•AWS-Foundational-Security-Best-Practices: EC2.22 •AWS-Foundational-Technical-Review: NETSEC-001 •AWS-Well-Architected-Framework-Security-Pillar: SEC05-BP03 •ENS-RD2022: mp.com.1.aws.sg.3 •ISO27001-2022: A.8.20, A.8.21, A.8.22 •KISA-ISMS-P-2023: 2.10.2 •KISA-ISMS-P-2023-korean: 2.10.2

If FMS policies are not compliant, means there are resources unprotected by the policies

Ensure FMS is enabled and all the policies are compliant across your AWS accounts

•ENS-RD2022: mp.com.1.aws.nfw.2 •KISA-ISMS-P-2023: 2.10.1, 2.10.2 •KISA-ISMS-P-2023-korean: 2.10.1, 2.10.2

The root account has unrestricted access to all resources in the AWS account. It is highly recommended that the use of this account be avoided.

Follow the remediation instructions of the Ensure IAM policies are attached only to groups or roles recommendation.

•AWS-Account-Security-Onboarding: Block root user •AWS-Well-Architected-Framework-Security-Pillar: SEC02-BP01 •CIS-1.4: 1.7 •CIS-1.5: 1.7 •CIS-2.0: 1.7 •CIS-3.0: 1.7 •CIS-4.0.1: 1.7 •CIS-5.0: 1.6 •ENS-RD2022: op.acc.2.aws.iam.4, op.acc.4.aws.iam.7 •ISO27001-2013: A.9.2, A.9.4 •ISO27001-2022: A.5.15 •KISA-ISMS-P-2023: 2.5.1, 2.5.5, 2.10.2 •KISA-ISMS-P-2023-korean: 2.5.1, 2.5.5, 2.10.2 •MITRE-ATTACK: T1078, T1098 •NIS2: 6.7.2.e, 11.3.2.b, 11.3.2.c, 11.4.2.a •ProwlerThreatScore-1.0: 1.2.5

Without SAML provider users with AWS CLI or AWS API access can use IAM static credentials. SAML helps users to assume role by default each time they authenticate.

Enable SAML provider and use temporary credentials. You can use temporary security credentials to make programmatic requests for AWS resources using the AWS CLI or AWS API (using the AWS SDKs ). The temporary credentials provide the same permissions that you have with use long-term security credentials such as IAM user credentials. In case of not having SAML provider capabilities prevent usage of long-lived credentials.

•CIS-1.4: 1.21 •CIS-1.5: 1.21 •CIS-2.0: 1.21 •CIS-3.0: 1.21 •CIS-4.0.1: 1.21 •CIS-5.0: 1.20 •ENS-RD2022: op.acc.1.aws.iam.2 •KISA-ISMS-P-2023: 2.5.3, 2.10.2 •KISA-ISMS-P-2023-korean: 2.5.3, 2.10.2 •ProwlerThreatScore-1.0: 1.2.7

The root account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. It is recommended that all access keys associated with the root account be removed. Removing access keys associated with the root account limits vectors by which the account can be compromised. Removing the root access keys encourages the creation and use of role based accounts that are least privileged.

Use the credential report to check the user and ensure the access_key_1_active and access_key_2_active fields are set to FALSE. If using AWS Organizations, consider enabling Centralized Root Management and removing individual root credentials.

•AWS-Account-Security-Onboarding: Block root user •AWS-Foundational-Security-Best-Practices: IAM.4 •AWS-Foundational-Technical-Review: ARC-004 •AWS-Well-Architected-Framework-Security-Pillar: SEC01-BP02 •CISA: your-systems-3, your-surroundings-3 •CIS-1.4: 1.4 •CIS-1.5: 1.4 •CIS-2.0: 1.4 •CIS-3.0: 1.4 •CIS-4.0.1: 1.4 •CIS-5.0: 1.3 •ENS-RD2022: op.acc.4.aws.iam.7 •FedRAMP-Low-Revision-4: ac-2, ac-3, ia-2 •FedRamp-Moderate-Revision-4: ac-2-1, ac-2-f, ac-2-j, ac-3, ac-5-c, ac-6-10, ac-6, ia-2 •FFIEC: d3-pc-am-b-1, d3-pc-am-b-3, d3-pc-am-b-8 •GDPR: article_25 •GxP-21-CFR-Part-11: 11.10-d, 11.10-g, 11.200 •HIPAA: 164_308_a_1_ii_b, 164_308_a_3_i, 164_308_a_3_ii_b, 164_308_a_4_ii_c, 164_312_a_2_i •ISO27001-2013: A.9.2, A.9.4 •ISO27001-2022: A.5.15 •KISA-ISMS-P-2023: 2.5.5, 2.7.2, 2.10.2 •KISA-ISMS-P-2023-korean: 2.5.5, 2.7.2, 2.10.2 •MITRE-ATTACK: T1078, T1550 •NIS2: 9.2.c •NIST-800-171-Revision-2: 3_1_1, 3_1_2, 3_1_4, 3_1_5, 3_1_6, 3_1_7, 3_4_6 •NIST-800-53-Revision-4: ac_2, ac_3, ac_6_10, ac_6 •NIST-800-53-Revision-5: ac_2_1, ac_2_6, ac_3_3, ac_3_3_a, ac_3_3_b_1, ac_3_3_b_2, ac_3_3_b_3, ac_3_3_b_4, ac_3_3_b_5, ac_3_3_c, ac_3_4, ac_3_4_a, ac_3_4_b, ac_3_4_c, ac_3_4_d, ac_3_4_e, ac_3_7, ac_3_8, ac_3_12_a, ac_3_13, ac_3_15_a, ac_3_15_b, ac_4_28, ac_6, ac_6_2, ac_6_10, ac_24, cm_5_1_a, cm_6_a, cm_9_b, ia_2, ia_4_b, ia_4_4, ia_4_8, ia_5_8, mp_2, sc_23_3, sc_25 •NIST-CSF-1.1: ac_1, ac_4, pt_3 •PCI-4.0: 7.2.1.17, 7.2.2.17, 7.2.3.8, 8.2.1.4, 8.2.2.6, 8.2.4.4, 8.2.5.4, 8.3.11.4 •ProwlerThreatScore-1.0: 1.1.13 •RBI-Cyber-Security-Framework: annex_i_7_1

Password policies are used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one uppercase letter.

Ensure Password expiration period (in days): is set to 90 or less.

•AWS-Foundational-Security-Best-Practices: IAM.7, IAM.10 •AWS-Foundational-Technical-Review: IAM-003 •AWS-Well-Architected-Framework-Security-Pillar: SEC03-BP06 •ENS-RD2022: op.acc.6.aws.iam.3 •ISO27001-2013: A.9.2, A.9.3, A.9.4 •ISO27001-2022: A.5.15 •KISA-ISMS-P-2023: 2.5.4, 2.10.2 •KISA-ISMS-P-2023-korean: 2.5.4, 2.10.2 •MITRE-ATTACK: T1078, T1110 •NIS2: 1.1.1.d, 1.1.2, 9.2.c.v, 11.6.2.a •NIST-800-171-Revision-2: 3_5_5, 3_5_6, 3_5_7, 3_5_8 •PCI-4.0: 8.3.6.1, 8.6.3.2 •ProwlerThreatScore-1.0: 1.1.12

Password policies are used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one lowercase letter.

Ensure "Requires at least one lowercase letter" is checked under "Password Policy".

•AWS-Foundational-Security-Best-Practices: IAM.7, IAM.10 •AWS-Foundational-Technical-Review: IAM-003 •AWS-Well-Architected-Framework-Security-Pillar: SEC02-BP01 •CISA: your-systems-3, your-surroundings-4 •ENS-RD2022: op.acc.6.r1.aws.iam.1 •FFIEC: d3-pc-am-b-6, d3-pc-am-b-7 •GDPR: article_25 •GxP-21-CFR-Part-11: 11.10-d, 11.10-g, 11.200, 11.300-b •HIPAA: 164_308_a_5_ii_d •ISO27001-2013: A.9.2, A.9.3, A.9.4 •ISO27001-2022: A.5.15 •KISA-ISMS-P-2023: 2.5.4, 2.10.2 •KISA-ISMS-P-2023-korean: 2.5.4, 2.10.2 •MITRE-ATTACK: T1078, T1110 •NIS2: 9.2.c.v, 11.6.2.a •NIST-800-171-Revision-2: 3_5_7 •ProwlerThreatScore-1.0: 1.1.8

Password policies are used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require minimum length of 14 or greater.

Ensure "Minimum password length" is checked under "Password Policy".

•AWS-Foundational-Security-Best-Practices: IAM.7, IAM.10 •AWS-Foundational-Technical-Review: IAM-003 •AWS-Well-Architected-Framework-Security-Pillar: SEC02-BP01 •CISA: your-systems-3, your-surroundings-4 •CIS-1.4: 1.8 •CIS-1.5: 1.8 •CIS-2.0: 1.8 •CIS-3.0: 1.8 •CIS-4.0.1: 1.8 •CIS-5.0: 1.7 •ENS-RD2022: op.acc.6.r1.aws.iam.1 •FedRAMP-Low-Revision-4: ac-2, ia-2 •FedRamp-Moderate-Revision-4: ac-2-1, ac-2-f, ac-2-j, ac-2-3, ac-5-c, ia-2, ia-5-1-a-d-e, ia-5-4 •FFIEC: d3-pc-am-b-6, d3-pc-am-b-7 •GDPR: article_25 •GxP-21-CFR-Part-11: 11.10-d, 11.10-g, 11.200, 11.300-b •HIPAA: 164_308_a_5_ii_d •ISO27001-2013: A.9.2, A.9.3, A.9.4 •ISO27001-2022: A.5.15 •KISA-ISMS-P-2023: 2.5.4, 2.10.2 •KISA-ISMS-P-2023-korean: 2.5.4, 2.10.2 •MITRE-ATTACK: T1078, T1110 •NIS2: 9.2.c.v •NIST-800-171-Revision-2: 3_5_7 •NIST-800-53-Revision-5: ac_2_1, ac_2_3_a, ac_2_3_b, ac_2_3_c, ac_2_3_d, ac_2_3, ac_2_d_1, ac_3_3, ac_3_3_a, ac_3_3_b_1, ac_3_3_b_2, ac_3_3_b_3, ac_3_3_b_4, ac_3_3_b_5, ac_3_3_c, ac_3_4, ac_3_4_a, ac_3_4_b, ac_3_4_c, ac_3_4_d, ac_3_4_e, ac_3_8, ac_3_12_a, ac_3_13, ac_3_15_a, ac_3_15_b, ac_4_28, ac_7_4, ac_7_4_a, ac_24, cm_5_1_a, cm_6_a, cm_9_b, cm_12_b, ia_4_d, ia_5, ia_5_b, ia_5_c, ia_5_d, ia_5_f, ia_5_h, ia_5_1_f, ia_5_1_g, ia_5_1_h, ia_5_1_h, ia_5_18_a, ia_5_18_b, ia_8_2_b, ma_4_c, sc_23_3 •ProwlerThreatScore-1.0: 1.1.4

Password policies are used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one number.

Ensure "Require at least one number" is checked under "Password Policy".

•AWS-Foundational-Security-Best-Practices: IAM.7, IAM.10 •AWS-Foundational-Technical-Review: IAM-003 •AWS-Well-Architected-Framework-Security-Pillar: SEC02-BP01 •CISA: your-systems-3, your-surroundings-4 •ENS-RD2022: op.acc.6.r1.aws.iam.1 •FFIEC: d3-pc-am-b-6, d3-pc-am-b-7 •GDPR: article_25 •GxP-21-CFR-Part-11: 11.10-d, 11.10-g, 11.200, 11.300-b •HIPAA: 164_308_a_5_ii_d •ISO27001-2013: A.9.2, A.9.3, A.9.4 •ISO27001-2022: A.5.15 •KISA-ISMS-P-2023: 2.5.4, 2.10.2 •KISA-ISMS-P-2023-korean: 2.5.4, 2.10.2 •MITRE-ATTACK: T1078, T1110 •NIS2: 9.2.c.v •NIST-800-171-Revision-2: 3_5_7 •ProwlerThreatScore-1.0: 1.1.6

Password policies are used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy prevents at least password reuse of 24 or greater.

Ensure "Number of passwords to remember" is set to 24.

•AWS-Foundational-Security-Best-Practices: IAM.7, IAM.10 •AWS-Foundational-Technical-Review: IAM-003 •AWS-Well-Architected-Framework-Security-Pillar: SEC02-BP01 •CIS-1.4: 1.9 •CIS-1.5: 1.9 •CIS-2.0: 1.9 •CIS-3.0: 1.9 •CIS-4.0.1: 1.9 •CIS-5.0: 1.8 •ENS-RD2022: op.acc.6.r1.aws.iam.1 •GDPR: article_25 •HIPAA: 164_308_a_4_ii_c, 164_308_a_5_ii_d, 164_312_d •ISO27001-2013: A.9.2, A.9.3, A.9.4 •ISO27001-2022: A.5.15 •KISA-ISMS-P-2023: 2.5.4, 2.10.2 •KISA-ISMS-P-2023-korean: 2.5.4, 2.10.2 •MITRE-ATTACK: T1078, T1110 •NIS2: 9.2.c.v •NIST-800-171-Revision-2: 3_5_5, 3_5_6, 3_5_7, 3_5_8 •NIST-800-53-Revision-4: ac_2_1, ac_2, ia_2, ia_5_1, ia_5_4 •NIST-CSF-1.1: ac_1 •PCI-3.2.1: 8.1, 8.1.4, 8.2, 8.2.3, 8.2.3.a, 8.2.3.b, 8.2.4, 8.2.4.a, 8.2.4.b, 8.2.5, 8.2.5.a, 8.2.5.b •ProwlerThreatScore-1.0: 1.1.5 •RBI-Cyber-Security-Framework: annex_i_7_2

Password policies are used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one non-alphanumeric character.

Ensure "Require at least one non-alphanumeric character" is checked under "Password Policy".

•AWS-Foundational-Security-Best-Practices: IAM.7, IAM.10 •AWS-Foundational-Technical-Review: IAM-003 •AWS-Well-Architected-Framework-Security-Pillar: SEC02-BP01 •CISA: your-systems-3, your-surroundings-4 •ENS-RD2022: op.acc.6.r1.aws.iam.1 •FFIEC: d3-pc-am-b-6, d3-pc-am-b-7 •GDPR: article_25 •GxP-21-CFR-Part-11: 11.10-d, 11.10-g, 11.200, 11.300-b •HIPAA: 164_308_a_5_ii_d •ISO27001-2013: A.9.2, A.9.3, A.9.4 •ISO27001-2022: A.5.15 •KISA-ISMS-P-2023: 2.5.4, 2.10.2 •KISA-ISMS-P-2023-korean: 2.5.4, 2.10.2 •MITRE-ATTACK: T1078, T1110 •NIS2: 9.2.c.v •NIST-800-171-Revision-2: 3_5_7 •ProwlerThreatScore-1.0: 1.1.7

Password policies are used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one uppercase letter.

Ensure "Requires at least one uppercase letter" is checked under "Password Policy".

•AWS-Foundational-Security-Best-Practices: IAM.7, IAM.10 •AWS-Foundational-Technical-Review: IAM-003 •AWS-Well-Architected-Framework-Security-Pillar: SEC02-BP01 •CISA: your-systems-3, your-surroundings-4 •ENS-RD2022: op.acc.6.r1.aws.iam.1 •FFIEC: d3-pc-am-b-6, d3-pc-am-b-7 •GDPR: article_25 •GxP-21-CFR-Part-11: 11.10-d, 11.10-g, 11.200, 11.300-b •HIPAA: 164_308_a_5_ii_d •ISO27001-2013: A.9.2, A.9.3, A.9.4 •ISO27001-2022: A.5.15 •KISA-ISMS-P-2023: 2.5.4, 2.10.2 •KISA-ISMS-P-2023-korean: 2.5.4, 2.10.2 •MITRE-ATTACK: T1078, T1110 •NIS2: 9.2.c.v •NIST-800-171-Revision-2: 3_5_7 •ProwlerThreatScore-1.0: 1.1.9

The root account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled when a user signs in to an AWS website they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. For Level 2 it is recommended that the root account be protected with only a hardware MFA.

Using IAM console navigate to Dashboard and expand Activate MFA on your root account. If using AWS Organizations, consider enabling Centralized Root Management and removing individual root credentials.

•AWS-Account-Security-Onboarding: Root user - distribution email + MFA •AWS-Audit-Manager-Control-Tower-Guardrails: 3.0.3 •AWS-Foundational-Security-Best-Practices: IAM.6 •AWS-Foundational-Technical-Review: ARC-003, IAM-001, IAM-0012 •AWS-Well-Architected-Framework-Security-Pillar: SEC01-BP02 •CISA: your-systems-3, your-surroundings-2 •CIS-1.4: 1.6 •CIS-1.5: 1.6 •CIS-2.0: 1.6 •CIS-3.0: 1.6 •CIS-4.0.1: 1.6 •CIS-5.0: 1.5 •ENS-RD2022: op.acc.6.r4.aws.iam.1 •FedRAMP-Low-Revision-4: ac-2, ia-2 •FedRamp-Moderate-Revision-4: ac-2-1, ac-2-f, ia-2-1-2, ia-2-1 •FFIEC: d3-pc-am-b-15, d3-pc-am-b-3, d3-pc-am-b-6 •GDPR: article_25 •GxP-21-CFR-Part-11: 11.10-d, 11.10-g, 11.200 •HIPAA: 164_308_a_3_ii_a, 164_312_d •KISA-ISMS-P-2023: 2.5.3, 2.5.5, 2.10.2 •KISA-ISMS-P-2023-korean: 2.5.3, 2.5.5, 2.10.2 •MITRE-ATTACK: T1078, T1098, T1556, T1550, T1110, T1040 •NIS2: 11.6.1, 11.7.2 •NIST-800-171-Revision-2: 3_1_1, 3_1_2, 3_5_3 •NIST-800-53-Revision-4: ia_2_1, ia_2_11 •NIST-800-53-Revision-5: ac_2_1, ac_3_2, ac_3_3, ac_3_3_a, ac_3_3_b_1, ac_3_3_b_2, ac_3_3_b_3, ac_3_3_b_4, ac_3_3_b_5, ac_3_3_c, ac_3_4, ac_3_4_a, ac_3_4_b, ac_3_4_c, ac_3_4_d, ac_3_4_e, ac_3_8, ac_3_12_a, ac_3_13, ac_3_15_a, ac_3_15_b, ac_4_28, ac_7_4, ac_7_4_a, ac_24, cm_5_1_a, cm_6_a, cm_9_b, ia_2_1, ia_2_2, ia_2_6, ia_2_6_a, ia_2_8, sc_23_3 •NIST-CSF-1.1: ac_3, ac_7 •PCI-4.0: 8.4.1.3, 8.4.2.3, 8.4.3.3 •ProwlerThreatScore-1.0: 1.1.2

The root account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled when a user signs in to an AWS website they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. When virtual MFA is used for root accounts it is recommended that the device used is NOT a personal device but rather a dedicated mobile device (tablet or phone) that is managed to be kept charged and secured independent of any individual personal devices. (non-personal virtual MFA) This lessens the risks of losing access to the MFA due to device loss / trade-in or if the individual owning the device is no longer employed at the company.

Using IAM console navigate to Dashboard and expand Activate MFA on your root account. If using AWS Organizations, consider enabling Centralized Root Management and removing individual root credentials.

•AWS-Account-Security-Onboarding: Root user - distribution email + MFA •AWS-Audit-Manager-Control-Tower-Guardrails: 3.0.1, 3.0.2, 3.0.3 •AWS-Foundational-Technical-Review: ARC-003, IAM-001, IAM-0012 •AWS-Well-Architected-Framework-Security-Pillar: SEC01-BP02 •CISA: your-systems-3, your-surroundings-2, booting-up-thing-to-do-first-2 •CIS-1.4: 1.5 •CIS-1.5: 1.5 •CIS-2.0: 1.5 •CIS-3.0: 1.5 •CIS-4.0.1: 1.5 •CIS-5.0: 1.4 •ENS-RD2022: op.acc.6.r2.aws.iam.1 •FedRAMP-Low-Revision-4: ac-2, ia-2 •FedRamp-Moderate-Revision-4: ac-2-1, ac-2-f, ac-2-j, ia-2-1-2, ia-2-1 •FFIEC: d3-pc-am-b-15, d3-pc-am-b-3, d3-pc-am-b-6 •GDPR: article_25 •GxP-21-CFR-Part-11: 11.10-d, 11.10-g, 11.200 •HIPAA: 164_308_a_3_ii_a, 164_312_d •ISO27001-2013: A.9.2, A.9.4 •ISO27001-2022: A.5.15, A.5.17, A.8.5 •KISA-ISMS-P-2023: 2.5.3, 2.5.5, 2.10.2 •KISA-ISMS-P-2023-korean: 2.5.3, 2.5.5, 2.10.2 •MITRE-ATTACK: T1078, T1098, T1556, T1550, T1110, T1040 •NIS2: 11.3.2.a, 11.6.1, 11.7.2 •NIST-800-171-Revision-2: 3_1_1, 3_1_2, 3_5_2, 3_5_3 •NIST-800-53-Revision-4: ac_2, ia_2_1, ia_2_11 •NIST-800-53-Revision-5: ac_2_1, ac_3_2, ac_3_3, ac_3_3_a, ac_3_3_b_1, ac_3_3_b_2, ac_3_3_b_3, ac_3_3_b_4, ac_3_3_b_5, ac_3_3_c, ac_3_4, ac_3_4_a, ac_3_4_b, ac_3_4_c, ac_3_4_d, ac_3_4_e, ac_3_8, ac_3_12_a, ac_3_13, ac_3_15_a, ac_3_15_b, ac_4_28, ac_7_4, ac_7_4_a, ac_24, cm_6_a, cm_9_b, ia_2_1, ia_2_2, ia_2_6, ia_2_6_a, ia_2_8, sc_23_3 •NIST-CSF-1.1: ac_3, ac_7 •PCI-4.0: 8.4.1.4, 8.4.2.4, 8.4.3.4 •ProwlerThreatScore-1.0: 1.1.1

Creating an IAM role with a security audit policy provides a clear separation of duties between the security team and other teams within the organization. This helps to ensure that security-related activities are performed by authorized individuals with the appropriate expertise and access permissions.

Create an IAM role for conduct security audits with AWS.

•ENS-RD2022: op.acc.3.r2.aws.iam.1 •ISO27001-2022: A.5.3 •KISA-ISMS-P-2023: 2.5.1, 2.5.5, 2.5.6, 2.10.2 •KISA-ISMS-P-2023-korean: 2.5.1, 2.5.5, 2.5.6, 2.10.2 •NIS2: 1.2.4, 2.1.1, 2.1.2.a, 2.1.2.e, 2.1.2.f, 2.2.1, 2.3.1, 3.1.2.c, 3.1.3, 6.2.2.a, 7.2.d, 7.2.e, 7.2.f

AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. Create an IAM Role to allow authorized users to manage incidents with AWS Support.

Create an IAM role for managing incidents with AWS.

•AWS-Account-Security-Onboarding: Predefine IAM Roles •AWS-Well-Architected-Framework-Security-Pillar: SEC10-BP01 •CIS-1.4: 1.17 •CIS-1.5: 1.17 •CIS-2.0: 1.17 •CIS-3.0: 1.17 •CIS-4.0.1: 1.17 •CIS-5.0: 1.16 •ENS-RD2022: op.acc.3.r1.aws.iam.1 •GDPR: article_25 •KISA-ISMS-P-2023: 2.5.1, 2.5.5, 2.5.6, 2.10.2, 2.11.1 •KISA-ISMS-P-2023-korean: 2.5.1, 2.5.5, 2.5.6, 2.10.2, 2.11.1 •NIS2: 2.1.1, 2.1.2.a, 2.2.1, 3.1.2.d, 4.3.2.a, 5.1.7.b •ProwlerThreatScore-1.0: 1.2.3

Without a network firewall, it can be difficult to monitor and control traffic within the VPC. This can make it harder to detect and prevent attacks or unauthorized access to resources.

Ensure all VPCs have Network Firewall enabled

•ENS-RD2022: mp.com.1.aws.nfw.1 •ISO27001-2022: A.8.20, A.8.21, A.8.22 •KISA-ISMS-P-2023: 2.10.1, 2.10.2 •KISA-ISMS-P-2023-korean: 2.10.1, 2.10.2 •MITRE-ATTACK: T1048, T1530, T1499, T1498, T1046 •NIS2: 6.2.1, 6.7.2.b

The risk associated with not being part of an AWS Organizations is that it can lead to a lack of centralized management and control over the AWS accounts in an organization. This can make it difficult to enforce security policies consistently across all accounts, and can also result in increased costs due to inefficiencies in resource usage. Additionally, not being part of an AWS Organizations can make it harder to track and manage account usage and access.

Create or Join an AWS Organization

•AWS-Well-Architected-Framework-Security-Pillar: SEC01-BP01, SEC03-BP05, SEC08-BP04 •ENS-RD2022: op.acc.4.aws.iam.1, op.acc.4.aws.iam.8 •ISO27001-2022: A.8.3 •KISA-ISMS-P-2023: 2.10.2 •KISA-ISMS-P-2023-korean: 2.10.2 •MITRE-ATTACK: T1078, T1087, T1580, T1538 •PCI-4.0: 7.2.1.1, 7.2.2.1, 7.2.5.1, 7.3.1.1, 7.3.2.1, 7.3.3.1, 8.2.7.1, 8.2.8.1, 8.3.4.1 •RBI-Cyber-Security-Framework: annex_i_1_1

By default, AWS may be using your data to train its AI models. This may include data from your AWS CloudTrail logs, AWS Config rules, and AWS GuardDuty findings. If you opt out of AI services, AWS will not use your data to train its AI models.

Artificial Intelligence (AI) services opt-out policies enable you to control whether AWS AI services can store and use your content. Enable the AWS Organizations opt-out of AI services policy and disallow child-accounts to overwrite this policy.

•KISA-ISMS-P-2023: 2.10.2 •KISA-ISMS-P-2023-korean: 2.10.2

The risk associated with not restricting AWS Regions with Service Control Policies (SCPs) is that it can lead to unauthorized access or use of resources in regions that are not intended for use. This can result in increased costs due to inefficiencies in resource usage and can also expose sensitive data to unauthorized access or breaches. By restricting access to AWS Regions with SCP policies, organizations can help ensure that only authorized personnel have access to the resources they need, while minimizing the risk of security breaches and compliance violations.

Restrict AWS Regions using SCP policies.

•AWS-Account-Security-Onboarding: Block unused regions •ENS-RD2022: op.acc.4.aws.iam.1, op.acc.4.aws.iam.8 •KISA-ISMS-P-2023: 2.10.2 •KISA-ISMS-P-2023-korean: 2.10.2 •MITRE-ATTACK: T1078, T1535

If an AWS Organization tags policies are not enabled and attached, it is not possible to enforce tags on AWS resources.

Enable and attach AWS Organizations tags policies.

•ENS-RD2022: op.exp.1.aws.sys.2, op.exp.1.aws.tag.1, op.exp.10.aws.tag.1, mp.info.6.aws.tag.1 •ISO27001-2022: A.5.13 •KISA-ISMS-P-2023: 2.1.3 •KISA-ISMS-P-2023-korean: 2.1.3 •NIS2: 11.5.2.a

Not having Resource Explorer indexes can result in increased complexity and overhead in managing your resources, as well as increased risk of security and compliance issues.

Create indexes

•ENS-RD2022: op.exp.1.aws.re.1 •KISA-ISMS-P-2023: 2.9.2 •KISA-ISMS-P-2023-korean: 2.9.2

Public access policies may be applied to sensitive data buckets.

You can enable Public Access Block at the account level to prevent the exposure of your data stored in S3.

•AWS-Account-Security-Onboarding: S3 Block Public Access •AWS-Audit-Manager-Control-Tower-Guardrails: 4.1.1 •AWS-Foundational-Security-Best-Practices: S3.1 •AWS-Well-Architected-Framework-Security-Pillar: SEC03-BP07 •CISA: your-systems-3, your-data-2 •CIS-1.4: 2.1.5 •CIS-1.5: 2.1.5 •CIS-2.0: 2.1.4 •CIS-3.0: 2.1.4 •CIS-4.0.1: 2.1.4 •CIS-5.0: 2.1.4 •FedRAMP-Low-Revision-4: ac-3, ac-17, cm-2, sc-7 •FedRamp-Moderate-Revision-4: ac-3, ac-6, ac-17-1, ac-21-b, cm-2, sc-4, sc-7-3, sc-7 •FFIEC: d3-pc-im-b-1 •GxP-21-CFR-Part-11: 11.10-d, 11.10-g •HIPAA: 164_308_a_1_ii_b, 164_308_a_3_i •ISO27001-2022: A.8.1 •KISA-ISMS-P-2023: 2.6.1, 2.6.2, 2.10.2 •KISA-ISMS-P-2023-korean: 2.6.1, 2.6.2, 2.10.2 •MITRE-ATTACK: T1530 •NIST-800-171-Revision-2: 3_1_1, 3_1_2, 3_1_3, 3_1_14, 3_1_20, 3_3_8, 3_4_6, 3_13_2, 3_13_5 •NIST-800-53-Revision-4: sc_7_3, sc_7 •NIST-800-53-Revision-5: ac_2_6, ac_3, ac_3_7, ac_4_21, ac_6, ac_17_b, ac_17_1, ac_17_4_a, ac_17_9, ac_17_10, cm_6_a, cm_9_b, mp_2, sc_7_2, sc_7_3, sc_7_7, sc_7_9_a, sc_7_11, sc_7_12, sc_7_16, sc_7_20, sc_7_21, sc_7_24_b, sc_7_25, sc_7_26, sc_7_27, sc_7_28, sc_7_a, sc_7_b, sc_7_c, sc_25 •NIST-CSF-1.1: ac_3, ac_5, ds_5, ip_8, pt_3 •PCI-3.2.1: 1.3, 2.2, 2.2.2, 7.2, 7.2.1 •PCI-4.0: 1.2.8.31, 1.2.8.32, 1.3.1.35, 1.3.1.36, 1.3.2.35, 1.3.2.36, 1.4.2.33, 1.4.2.34, 1.5.1.31, 1.5.1.32, 10.3.2.19, 10.3.2.20, 3.5.1.3.24, 3.5.1.3.25, A1.1.2.15, A1.1.2.16, A1.1.3.31, A1.1.3.32, A3.4.1.17, A3.4.1.18 •RBI-Cyber-Security-Framework: annex_i_1_3

Without cross-region replication in S3 buckets, data is at risk of being lost or inaccessible if an entire region goes down, leading to potential service disruptions and data unavailability.

Ensure that S3 buckets have cross region replication.

•ISO27001-2022: A.8.14 •KISA-ISMS-P-2023: 2.9.2 •KISA-ISMS-P-2023-korean: 2.9.2 •PCI-3.2.1: 2.2, 3.1, 3.1.c, 10.5, 10.5.3

Without event notifications, important actions on S3 buckets may go unnoticed, leading to missed opportunities for timely response to critical changes, such as object creation, deletion, or updates that could impact data security and availability.

Enable event notifications for all S3 general-purpose buckets to monitor important events such as object creation, deletion, tagging, and lifecycle events, ensuring visibility and quick action on relevant changes.

•KISA-ISMS-P-2023: 2.10.2, 2.11.3 •KISA-ISMS-P-2023-korean: 2.10.2, 2.11.3 •PCI-4.0: 11.5.2.5, 11.6.1.5, 12.10.5.5, A3.3.1.8, A3.5.1.8

Amazon S3 KMS encryption provides a way to set the encryption behavior for an S3 bucket using a managed key. This will ensure data-at-rest is encrypted.

Ensure that S3 buckets have encryption at rest enabled using KMS.

•AWS-Foundational-Security-Best-Practices: S3.17 •AWS-Foundational-Technical-Review: S3-001 •ISO27001-2022: A.8.11, A.8.24 •KISA-ISMS-P-2023: 2.7.2, 2.10.2 •KISA-ISMS-P-2023-korean: 2.7.2, 2.10.2 •PCI-3.2.1: 3.4, 3.4.1, 3.4.1.a, 3.4.1.c, 3.4.a, 3.4.b, 3.4.d, 8.2, 8.2.1, 8.2.1.a •PCI-4.0: 3.5.1.31, 8.3.2.50

Public access policies may be applied to sensitive data buckets.

You can enable Public Access Block at the bucket level to prevent the exposure of your data stored in S3.

•AWS-Account-Security-Onboarding: S3 Block Public Access •AWS-Foundational-Security-Best-Practices: S3.8 •AWS-Foundational-Technical-Review: S3-001 •CIS-1.4: 2.1.5 •CIS-1.5: 2.1.5 •CIS-2.0: 2.1.4 •CIS-3.0: 2.1.4 •CIS-4.0.1: 2.1.4 •CIS-5.0: 2.1.4 •KISA-ISMS-P-2023: 2.6.1, 2.6.2, 2.10.2 •KISA-ISMS-P-2023-korean: 2.6.1, 2.6.2, 2.10.2 •MITRE-ATTACK: T1530

The risks of not having lifecycle management enabled for S3 buckets include higher storage costs, unmanaged data retention, and potential non-compliance with data policies.

Enable lifecycle policies on your S3 buckets to automatically manage the transition and expiration of data.

•AWS-Foundational-Security-Best-Practices: S3.13 •ISO27001-2022: A.8.10 •KISA-ISMS-P-2023: 2.9.3, 2.12.1 •KISA-ISMS-P-2023-korean: 2.9.3, 2.12.1 •NIS2: 12.2.2.a •PCI-3.2.1: 3.1, 3.1.a, 3.2, 3.2.c, 10.7, 10.7.a •PCI-4.0: 10.5.1.12, 10.5.1.13, 3.2.1.8, 3.2.1.9, 3.3.1.1.8, 3.3.1.1.9, 3.3.1.3.8, 3.3.1.3.9, 3.3.2.8, 3.3.2.9, 3.3.3.8, 3.3.3.9

Your security credentials are compromised or unauthorized access is granted.

Adding MFA delete to an S3 bucket, requires additional authentication when you change the version state of your bucket or you delete and object version adding another layer of security in the event your security credentials are compromised or unauthorized access is granted.

•AWS-Foundational-Security-Best-Practices: S3.20 •AWS-Well-Architected-Framework-Security-Pillar: SEC05-BP02 •CIS-1.4: 2.1.3 •CIS-1.5: 2.1.3 •CIS-2.0: 2.1.2 •CIS-3.0: 2.1.2 •CIS-4.0.1: 2.1.2 •CIS-5.0: 2.1.2 •KISA-ISMS-P-2023: 2.5.3, 2.10.2 •KISA-ISMS-P-2023-korean: 2.5.3, 2.10.2 •MITRE-ATTACK: T1485 •NIS2: 11.7.2 •PCI-4.0: 10.3.2.22, 3.5.1.3.27, 8.4.1.5, 8.4.2.5, 8.4.3.5, A1.1.2.18, A3.4.1.20 •ProwlerThreatScore-1.0: 2.2.1

Store objects using a write-once-read-many (WORM) model to help you prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely. That helps to prevent ransomware attacks.

Ensure that your Amazon S3 buckets have Object Lock feature enabled in order to prevent the objects they store from being deleted.

•AWS-Foundational-Security-Best-Practices: S3.15 •AWS-Foundational-Technical-Review: S3-001 •KISA-ISMS-P-2023: 2.9.3, 2.12.1 •KISA-ISMS-P-2023-korean: 2.9.3, 2.12.1 •MITRE-ATTACK: T1485, T1486 •PCI-4.0: 10.3.4.7

With versioning, you can easily recover from both unintended user actions and application failures.

Configure versioning using the Amazon console or API for buckets with sensitive information that is changing frequently, and backup may not be enough to capture all the changes.

•AWS-Audit-Manager-Control-Tower-Guardrails: 5.1.1 •AWS-Foundational-Security-Best-Practices: S3.14 •AWS-Well-Architected-Framework-Security-Pillar: SEC08-BP04 •CISA: your-systems-3, your-data-4, booting-up-thing-to-do-first-1 •FedRAMP-Low-Revision-4: au-9, cp-9, cp-10, sc-5 •FedRamp-Moderate-Revision-4: au-9-2, cp-9-b, cp-10, sc-5, si-12 •FFIEC: d5-ir-pl-b-6 •GxP-21-CFR-Part-11: 11.10-a, 11.10-c •GxP-EU-Annex-11: 5-data, 7.1-data-storage-damage-protection, 7.2-data-storage-backups, 16-business-continuity, 17-archiving, 4.8-validation-data-transfer •HIPAA: 164_308_a_1_ii_b, 164_308_a_7_i, 164_308_a_7_ii_a, 164_308_a_7_ii_b, 164_308_a_7_ii_c, 164_312_a_2_ii, 164_312_c_1, 164_312_c_2 •ISO27001-2022: A.8.3, A.8.10 •KISA-ISMS-P-2023: 2.9.3, 2.12.1 •KISA-ISMS-P-2023-korean: 2.9.3, 2.12.1 •MITRE-ATTACK: T1485, T1486 •NIST-800-171-Revision-2: 3_3_8 •NIST-800-53-Revision-4: cp_10, si_12 •NIST-800-53-Revision-5: au_9_2, cp_1_2, cp_2_5, cp_6_a, cp_6_1, cp_6_2, cp_9_a, cp_9_b, cp_9_c, cp_10, cp_10_2, pm_11_b, pm_17_b, sc_5_2, sc_16_1, si_1_a_2, si_13_5 •NIST-CSF-1.1: be_5, ds_4, ip_4, ip_9, pt_5, rp_1, rp_1 •PCI-3.2.1: 3.1, 3.1.c, 10.5, 10.5.2, 10.5.3, 10.5.5 •PCI-4.0: 10.3.4.9 •RBI-Cyber-Security-Framework: annex_i_12 •SOC2: cc_7_4, cc_a_1_1, cc_c_1_2

If HTTPS is not enforced on the bucket policy, communication between clients and S3 buckets can use unencrypted HTTP. As a result, sensitive information could be transmitted in clear text over the network or internet.

Ensure that S3 buckets have encryption in transit enabled.

•AWS-Foundational-Security-Best-Practices: S3.5 •AWS-Foundational-Technical-Review: S3-001 •AWS-Well-Architected-Framework-Security-Pillar: SEC09-BP02 •CISA: your-systems-3, your-data-2 •CIS-1.4: 2.1.2 •CIS-1.5: 2.1.2 •CIS-2.0: 2.1.1 •CIS-3.0: 2.1.1 •CIS-4.0.1: 2.1.1 •CIS-5.0: 2.1.1 •ENS-RD2022: mp.com.1.aws.s3.1, mp.com.3.aws.s3.1 •FedRAMP-Low-Revision-4: ac-17, sc-7 •FedRamp-Moderate-Revision-4: ac-17-2, sc-7, sc-8-1, sc-8, sc-23 •FFIEC: d3-pc-am-b-12, d3-pc-am-b-13, d3-pc-am-b-15 •GDPR: article_32 •GxP-21-CFR-Part-11: 11.10-c, 11.30 •HIPAA: 164_308_a_1_ii_b, 164_312_a_2_iv, 164_312_c_1, 164_312_c_2, 164_312_e_1, 164_312_e_2_i, 164_312_e_2_ii •KISA-ISMS-P-2023: 2.7.1, 2.10.2 •KISA-ISMS-P-2023-korean: 2.7.1, 2.10.2 •MITRE-ATTACK: T1040 •NIST-800-171-Revision-2: 3_1_13, 3_5_10, 3_13_1, 3_13_5, 3_13_8, 3_13_11, 3_13_16 •NIST-800-53-Revision-4: ac_17_2, sc_7, sc_8_1, sc_8 •NIST-800-53-Revision-5: ac_4, ac_4_22, ac_17_2, ac_24_1, au_9_3, ca_9_b, cm_6_a, cm_9_b, ia_5_1_c, pm_11_b, pm_17_b, sc_7_4_b, sc_7_4_g, sc_7_5, sc_8, sc_8_1, sc_8_2, sc_8_3, sc_8_4, sc_8_5, sc_13_a, sc_16_1, sc_23, si_1_a_2 •NIST-CSF-1.1: ds_2 •PCI-4.0: 1.2.5.15, 2.2.5.15, 2.2.7.19, 4.2.1.1.27, 4.2.1.19, 8.3.2.49 •ProwlerThreatScore-1.0: 4.1.1 •RBI-Cyber-Security-Framework: annex_i_1_3

Server access logs can assist you in security and access audits, help you learn about your customer base, and understand your Amazon S3 bill.

Ensure that S3 buckets have Logging enabled. CloudTrail data events can be used in place of S3 bucket logging. If that is the case, this finding can be considered a false positive.

•AWS-Foundational-Security-Best-Practices: S3.9 •AWS-Foundational-Technical-Review: S3-001 •AWS-Well-Architected-Framework-Security-Pillar: SEC04-BP01 •CISA: your-systems-3, your-data-2 •FedRAMP-Low-Revision-4: ac-2, au-2 •FedRamp-Moderate-Revision-4: ac-2-4, ac-2-g, au-2-a-d, au-3, au-6-1-3, au-12-a-c •FFIEC: d2-ma-ma-b-1, d2-ma-ma-b-2, d3-dc-an-b-3, d3-dc-an-b-4, d5-dr-de-b-3 •GxP-21-CFR-Part-11: 11.10-e, 11.10-k •HIPAA: 164_308_a_1_ii_d, 164_308_a_3_ii_a, 164_308_a_6_ii, 164_312_b, 164_312_e_2_i •ISO27001-2022: A.8.15 •KISA-ISMS-P-2023: 2.9.4, 2.10.2 •KISA-ISMS-P-2023-korean: 2.9.4, 2.10.2 •NIS2: 1.1.1.h, 3.2.3.c, 11.2.2.f •NIST-800-171-Revision-2: 3_1_12, 3_3_1, 3_3_2, 3_3_3, 3_6_1, 3_6_2, 3_13_1, 3_14_6, 3_14_7 •NIST-800-53-Revision-4: ac_2, au_2, au_3, au_12 •NIST-800-53-Revision-5: ac_2_4, ac_3_1, ac_3_10, ac_4_26, ac_6_9, au_2_b, au_3_a, au_3_b, au_3_c, au_3_d, au_3_e, au_3_f, au_6_3, au_6_4, au_6_6, au_6_9, au_8_b, au_10, au_12_a, au_12_c, au_12_1, au_12_2, au_12_3, au_12_4, au_14_a, au_14_b, au_14_3, ca_7_b, cm_5_1_b, cm_6_a, cm_9_b, ia_3_3_b, ma_4_1_a, pm_14_a_1, pm_14_b, pm_31, sc_7_9_b, si_1_1_c, si_3_8_b, si_4_2, si_4_17, si_4_20, si_7_8, si_10_1_c •NIST-CSF-1.1: ae_1, ae_3, ae_4, cm_1, cm_3, cm_6, cm_7, am_3, ac_6, ds_5, pt_1 •PCI-3.2.1: 10.1, 10.2, 10.2.1, 10.2.2, 10.2.3, 10.2.4, 10.2.6, 10.2.7, 10.3, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6, 10.5, 10.5.4 •PCI-4.0: 10.2.1.1.30, 10.2.1.2.27, 10.2.1.3.27, 10.2.1.4.27, 10.2.1.5.27, 10.2.1.6.27, 10.2.1.7.27, 10.2.1.27, 10.2.2.27, 10.3.1.27, 10.6.3.34, 5.3.4.32, A1.2.1.32 •RBI-Cyber-Security-Framework: annex_i_7_4 •SOC2: cc_7_2, cc_7_3, cc_a_1_1

Not having SSM Incidents enabled can increase the risk of delayed detection and response to security incidents, unauthorized access, limited visibility into incidents and vulnerabilities

Enable SSM Incidents and create response plans

•ENS-RD2022: op.exp.9.aws.img.1 •KISA-ISMS-P-2023: 2.10.2, 2.11.1 •KISA-ISMS-P-2023-korean: 2.10.2, 2.11.1 •NIS2: 2.1.1, 2.1.2.a, 2.1.2.i, 3.1.1, 3.1.2.a, 3.1.2.c, 3.1.2.d, 3.5.1, 3.6.1, 3.6.2, 3.6.3, 4.3.1, 5.1.7.b, 12.1.2.c, 12.2.2.b

Ensure that the appropriate support level is enabled for the necessary AWS accounts. For example, if an AWS account is being used to host production systems and environments, it is highly recommended that the minimum AWS Support Plan should be Business.

It is recommended that you subscribe to the AWS Business Support tier or higher for all of your AWS production accounts. If you don't have premium support, you must have an action plan to handle issues which require help from AWS Support. AWS Support provides a mix of tools and technology, people, and programs designed to proactively help you optimize performance, lower costs, and innovate faster.

Ensure there are VPCs in more than one region

•ENS-RD2022: mp.com.4.r1.aws.vpc.1, mp.com.4.r3.aws.vpc.1 •ISO27001-2022: A.8.20, A.8.21, A.8.22 •KISA-ISMS-P-2023: 2.9.2 •KISA-ISMS-P-2023-korean: 2.9.2

Without VPC endpoints, network traffic between your VPC and Amazon EC2 may traverse the public internet, increasing the risk of unintended access or data exposure.

To improve the security posture of your VPC, configure Amazon EC2 to use an interface VPC endpoint powered by AWS PrivateLink.

•AWS-Foundational-Security-Best-Practices: EC2.10 •ISO27001-2022: A.8.20, A.8.21, A.8.22 •KISA-ISMS-P-2023: 2.6.1, 2.10.2 •KISA-ISMS-P-2023-korean: 2.6.1, 2.10.2 •PCI-3.2.1: 1.3, 2.2, 2.2.2 •PCI-4.0: 1.2.8.18, 1.2.8.38, 1.3.1.21, 1.3.1.42, 1.3.2.21, 1.3.2.42, 1.4.1.5, 1.4.2.19, 1.4.2.40, 1.4.4.5, 1.5.1.18, 1.5.1.38, A1.1.3.18, A1.1.3.38

VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.

It is recommended that VPC Flow Logs be enabled for packet Rejects for VPCs.

•AWS-Account-Security-Onboarding: Send VPC Flow Logs (only DENYs) to S3 bucket •AWS-Foundational-Security-Best-Practices: EC2.6 •AWS-Well-Architected-Framework-Security-Pillar: SEC04-BP01, SEC04-BP02, SEC04-BP03, SEC05-BP04, SEC09-BP04 •CISA: your-surroundings-1, your-data-2 •CIS-1.4: 3.9 •CIS-1.5: 3.9 •CIS-2.0: 3.9 •CIS-3.0: 3.7 •CIS-4.0.1: 3.7 •CIS-5.0: 3.7 •ENS-RD2022: op.mon.1.aws.flow.1 •FedRAMP-Low-Revision-4: au-2 •FedRamp-Moderate-Revision-4: au-2-a-d, au-3, au-6-1-3, au-12-a-c •FFIEC: d2-ma-ma-b-1, d2-ma-ma-b-2, d3-dc-an-b-3, d3-dc-an-b-4, d3-dc-ev-b-1, d3-dc-ev-b-3, d3-pc-im-b-3 •GDPR: article_25, article_30 •GxP-21-CFR-Part-11: 11.10-e •HIPAA: 164_308_a_1_ii_d, 164_308_a_3_ii_a, 164_308_a_6_ii, 164_312_b, 164_312_c_2 •ISO27001-2013: A.12.4 •ISO27001-2022: A.8.15, A.8.16, A.8.20, A.8.21, A.8.22, A.8.23 •KISA-ISMS-P-2023: 2.9.4, 2.10.2 •KISA-ISMS-P-2023-korean: 2.9.4, 2.10.2 •NIS2: 3.2.3.c •NIST-800-171-Revision-2: 3_3_1, 3_3_3, 3_6_1, 3_6_2, 3_13_1, 3_14_6, 3_14_7 •NIST-800-53-Revision-4: au_2, au_3, au_12 •NIST-800-53-Revision-5: ac_4_26, au_2_b, au_3_a, au_3_b, au_3_c, au_3_d, au_3_e, au_6_3, au_6_4, au_6_6, au_6_9, au_8_b, au_12_a, au_12_c, au_12_1, au_12_2, au_12_3, au_12_4, au_14_a, au_14_b, au_14_3, ca_7_b, cm_5_1_b, cm_6_a, cm_9_b, ia_3_3_b, ma_4_1_a, pm_14_a_1, pm_14_b, pm_31, si_4_17, si_7_8 •NIST-CSF-1.1: ae_1, ae_3, cm_1, cm_7, am_3, ds_5, pt_1 •PCI-3.2.1: 4.1, 4.1.e, 4.1.f, 10.1 •PCI-4.0: 10.2.1.1.34, 10.2.1.2.29, 10.2.1.3.29, 10.2.1.4.29, 10.2.1.5.29, 10.2.1.6.29, 10.2.1.7.29, 10.2.1.29, 10.2.2.29, 10.3.1.29, 10.6.3.39, 5.3.4.34, A1.2.1.34 •ProwlerThreatScore-1.0: 3.1.4 •RBI-Cyber-Security-Framework: annex_i_7_4 •SOC2: cc_7_2, cc_7_3

VPC subnet is a part of the VPC having its own rules for traffic. Assigning the Public IP to the subnet automatically (on launch) can accidentally expose the instances within this subnet to internet and should be edited to 'No' post creation of the Subnet.

VPC subnets should not allow automatic public IP assignment

•AWS-Foundational-Security-Best-Practices: EC2.15 •AWS-Foundational-Technical-Review: NETSEC-002 •ISO27001-2022: A.8.20, A.8.21, A.8.22 •KISA-ISMS-P-2023: 2.6.1, 2.10.2 •KISA-ISMS-P-2023-korean: 2.6.1, 2.10.2 •RBI-Cyber-Security-Framework: annex_i_1_3 •SOC2: cc_6_6

Ensure all VPC has public and private subnets defined

•AWS-Foundational-Technical-Review: NETSEC-002 •ENS-RD2022: mp.com.4.aws.vpc.1, mp.com.4.r1.aws.vpc.1 •ISO27001-2022: A.8.20, A.8.21, A.8.22 •KISA-ISMS-P-2023: 2.6.1, 2.10.2 •KISA-ISMS-P-2023-korean: 2.6.1, 2.10.2 •SOC2: cc_6_6