Amazon Web Services (AWS)

What cloud services are supported for AWS?

Holm Security Cloud Scanner checks a vast list of AWS services against security best practices and detects the security misconfigurations that contribute to the most common causes of security breaches.

There is also a set of plugins highlighting unused or misused services that could help save monthly AWS costs. Read more about these plugins in this article:

Supported services

Here's the list of services that we currently support:
  • ACM
  • API Gateway
  • AWS Glue
  • App Mesh
  • App Runner
  • AppFlow
  • Athena
  • Audit Manager
  • AutoScaling
  • Backup
  • CloudFormation
  • CloudFront
  • CloudTrail
  • CloudWatch
  • CloudWatchLogs
  • CodeArtifact
  • CodeBuild
  • CodePipeline
  • CodeStar
  • Cognito
  • Comprehend
  • Compute Optimizer
  • ConfigService
  • Connect
  • DMS
  • DevOpsGuru
  • DocumentDB
  • DynamoDB
  • EC2
  • ECR
  • ECS
  • EFS
  • EKS
  • ELB
  • ELBv2
  • EMR
  • ES
  • ElastiCache
  • Elastic Transcoder
  • ElasticBeanstalk
  • EventBridge
  • FSx
  • FinSpace
  • Firehose
  • Forecast
  • Fraud Detector
  • Glacier
  • Glue
  • Glue DataBrew
  • GuardDuty
  • HealthLake
  • IAM
  • Image Builder
  • IoT SiteWise
  • KMS
  • Kendra
  • Kinesis
  • Kinesis Video Streams
  • Lambda
  • Lex
  • Location
  • Lookout
  • LookoutEquipment
  • LookoutMetrics
  • MQ
  • MSK
  • MWAA
  • Managed Blockchain
  • MemoryDB
  • Neptune
  • OpenSearch
  • Organizations
  • Proton
  • QLDB
  • RDS
  • Redshift
  • Route53
  • S3
  • SES
  • SNS
  • SQS
  • SSM
  • SageMaker
  • Secrets Manager
  • SecurityHub
  • Shield
  • Timestream
  • Transfer
  • Translate
  • WAF
  • WorkSpaces
  • Workspaces
  • XRay

Supported policies

Across the services, the following policies are scanned for:

  • ACM - ACM Certificate Expiry
  • ACM - ACM Certificate Has Tags
  • ACM - ACM Certificate Validation
  • ACM - ACM Single Domain Name Certificates
  • API Gateway - API Gateway Authorization
  • API Gateway - API Gateway Certificate Rotation
  • API Gateway - API Gateway Client Certificate
  • API Gateway - API Gateway CloudWatch Logs
  • API Gateway - API Gateway Content Encoding
  • API Gateway - API Gateway Default Endpoint Disabled
  • API Gateway - API Gateway Detailed CloudWatch Metrics
  • API Gateway - API Gateway Private Endpoints
  • API Gateway - API Gateway Response Caching
  • API Gateway - API Gateway Tracing Enabled
  • API Gateway - API Gateway WAF Enabled
  • API Gateway - API Stage-Level Cache Encryption
  • API Gateway - Custom Domain TLS Version
  • AWS Glue - AWS Glue CloudWatch Encrypted Logs
  • App Mesh - App Mesh Restrict External Traffic
  • App Mesh - App Mesh TLS Required
  • App Mesh - App Mesh VG Access Logging
  • App Runner - Service Encrypted
  • AppFlow - AppFlow Flow Encrypted
  • Athena - Workgroup Encrypted
  • Athena - Workgroup Enforce Configuration
  • Audit Manager - Audit Manager Data Encrypted
  • AutoScaling - ASG Multiple AZ
  • AutoScaling - App-Tier ASG Launch Configurations Approved AMIs
  • AutoScaling - App-Tier Auto Scaling Group CloudWatch Logs Enabled
  • AutoScaling - App-Tier Launch Configurations IAM Roles
  • AutoScaling - Auto Scaling Group Cooldown Period
  • AutoScaling - Auto Scaling Group Missing ELB
  • AutoScaling - Auto Scaling Notifications Active
  • AutoScaling - Auto Scaling Unused Launch Configuration
  • AutoScaling - AutoScaling ELB Same Availability Zone
  • AutoScaling - ELB Health Check Active
  • AutoScaling - Empty AutoScaling Group
  • AutoScaling - Launch Configuration Referencing Missing Security Groups
  • AutoScaling - Suspended AutoScaling Groups
  • AutoScaling - Web-Tier ASG Launch Configurations Approved AMIs
  • AutoScaling - Web-Tier Auto Scaling Group Associated ELB
  • AutoScaling - Web-Tier Auto Scaling Group CloudWatch Logs Enabled
  • AutoScaling - Web-Tier Launch Configurations IAM Roles
  • Backup - AWS Backup Compliant Lifecycle Configured
  • Backup - Backup Deletion Protection Enabled
  • Backup - Backup Failure Notification Enabled
  • Backup - Backup In Use For RDS Snapshots
  • Backup - Backup Resource Protection
  • Backup - Backup Vault Encrypted
  • Backup - Backup Vault Has Tags
  • Backup - Backup Vault Policies
  • CloudFormation - AWS CloudFormation In Use
  • CloudFormation - CloudFormation Admin Priviliges
  • CloudFormation - CloudFormation Drift Detection
  • CloudFormation - CloudFormation Plaintext Parameters
  • CloudFormation - CloudFormation Stack Failed Status
  • CloudFormation - CloudFormation Stack SNS Notifications
  • CloudFormation - CloudFormation Stack Termination Protection Enabled
  • CloudFront - CloudFront Compress Objects Automatically
  • CloudFront - CloudFront Custom Origin HTTPS Only
  • CloudFront - CloudFront Distribution Field-Level Encryption
  • CloudFront - CloudFront Distribution Origins TLS Version
  • CloudFront - CloudFront Enable Origin Failover
  • CloudFront - CloudFront Enabled
  • CloudFront - CloudFront Geo Restriction
  • CloudFront - CloudFront HTTPS Only
  • CloudFront - CloudFront Logging Enabled
  • CloudFront - CloudFront TLS Deprecated Protocols
  • CloudFront - CloudFront TLS Insecure Cipher
  • CloudFront - CloudFront WAF Enabled
  • CloudFront - Insecure CloudFront Protocols
  • CloudFront - Public S3 CloudFront Origin
  • CloudFront - Secure CloudFront Origin
  • CloudTrail - CloudTrail Data Events
  • CloudTrail - CloudTrail Delivery Failing
  • CloudTrail - CloudTrail Enabled
  • CloudTrail - CloudTrail Encryption
  • CloudTrail - CloudTrail File Validation
  • CloudTrail - CloudTrail Global Services Logging Duplicated
  • CloudTrail - CloudTrail Has Tags
  • CloudTrail - CloudTrail Management Events
  • CloudTrail - CloudTrail Notifications Enabled
  • CloudTrail - CloudTrail S3 Bucket
  • CloudTrail - CloudTrail To CloudWatch
  • CloudTrail - Object Lock Enabled
  • CloudWatch - VPC Flow Logs Metric Alarm
  • CloudWatchLogs - CloudWatch Log Groups Encrypted
  • CloudWatchLogs - CloudWatch Log Retention Period
  • CloudWatchLogs - CloudWatch Monitoring Metrics
  • CodeArtifact - CodeArtifact Domain Encrypted
  • CodeBuild - CodeBuild Valid Source Providers
  • CodeBuild - Project Artifacts Encrypted
  • CodePipeline - Pipeline Artifacts Encrypted
  • CodeStar - CodeStar Valid Repository Providers
  • Cognito - Cognito User Pool MFA enabled
  • Cognito - Cognito User Pool WAF Enabled
  • Comprehend - Amazon Comprehend Output Result Encryption
  • Comprehend - Amazon Comprehend Volume Encryption
  • Compute Optimizer - Auto Scaling Group Optimized
  • Compute Optimizer - Compute Optimizer Recommendations Enabled
  • Compute Optimizer - EBS Volumes Optimized
  • Compute Optimizer - EC2 Instances Optimized
  • Compute Optimizer - Lambda Function Optimized
  • ConfigService - AWS Config Complaint Rules
  • ConfigService - AWS Services In Use
  • ConfigService - Config Delivery Failing
  • ConfigService - Config Service Enabled
  • ConfigService - Config Service Missing Bucket
  • Connect - Connect Customer Profiles Domain Encrypted
  • Connect - Connect Instance Attachments Encrypted
  • Connect - Connect Instance Call Recording Encrypted
  • Connect - Connect Instance Chat Transcripts Encrypted
  • Connect - Connect Instance Exported Reports Encrypted
  • Connect - Connect Instance Media Streams Encrypted
  • Connect - Connect Voice ID Domain Encrypted
  • Connect - Connect Wisdom Domain Encrypted
  • DMS - DMS Auto Minor Version Upgrade
  • DMS - DMS Encryption Enabled
  • DMS - DMS Multi-AZ Feature Enabled
  • DMS - DMS Publicly Accessible Instances
  • DevOpsGuru - DevOps Guru Notifications Enabled
  • DocumentDB - DocumentDB Cluster Backup Retention
  • DocumentDB - DocumentDB Cluster Encrypted
  • DynamoDB - DynamoDB Accelerator Cluster Encryption
  • DynamoDB - DynamoDB Continuous Backups
  • DynamoDB - DynamoDB KMS Encryption
  • DynamoDB - DynamoDB Table Backup Exists
  • DynamoDB - DynamoDB Table Has Tags
  • DynamoDB - DynamoDB Unused Table
  • EC2 - AMI Has Tags
  • EC2 - Allowed Custom Ports
  • EC2 - Amazon EBS Public Snapshots
  • EC2 - App-Tier EC2 Instance IAM Role
  • EC2 - Automate EBS Snapshot Lifecycle
  • EC2 - Cross Organization VPC Peering Connections
  • EC2 - Cross VPC Public Private Communication
  • EC2 - Default Security Group
  • EC2 - Default Security Group In Use
  • EC2 - Default VPC Exists
  • EC2 - Default VPC In Use
  • EC2 - Detect EC2 Classic Instances
  • EC2 - EBS Backup Enabled
  • EC2 - EBS Encrypted Snapshots
  • EC2 - EBS Encryption Enabled
  • EC2 - EBS Encryption Enabled By Default
  • EC2 - EBS Snapshot Has Tags
  • EC2 - EBS Volume Snapshot Public
  • EC2 - EBS Volume has tags
  • EC2 - EBS Volumes Recent Snapshots
  • EC2 - EBS Volumes Too Old Snapshots
  • EC2 - EC2 CPU Alarm Threshold Exceeded
  • EC2 - EC2 Instance Key Based Login
  • EC2 - EC2 LaunchWizard Security Groups
  • EC2 - EC2 Max Instances
  • EC2 - EC2 Public Subnet
  • EC2 - EC2 has Tags
  • EC2 - Elastic IP Limit
  • EC2 - Encrypted AMI
  • EC2 - Excessive Security Groups
  • EC2 - Insecure EC2 Metadata Options
  • EC2 - Instance Detailed Monitoring
  • EC2 - Instance IAM Role
  • EC2 - Instance Limit
  • EC2 - Instance vCPU On-Demand Based Limits
  • EC2 - Internet Gateways In VPC
  • EC2 - Managed NAT Gateway In Use
  • EC2 - NAT Multiple AZ
  • EC2 - Network ACL has Tags
  • EC2 - Open All Ports Protocols
  • EC2 - Open All Ports Protocols Egress
  • EC2 - Open CIFS
  • EC2 - Open Cassandra Client
  • EC2 - Open Cassandra Internode
  • EC2 - Open Cassandra Monitoring
  • EC2 - Open Cassandra Thrift
  • EC2 - Open Custom Ports
  • EC2 - Open DNS
  • EC2 - Open Docker
  • EC2 - Open Elasticsearch
  • EC2 - Open FTP
  • EC2 - Open HTTP
  • EC2 - Open HTTPS
  • EC2 - Open Hadoop HDFS NameNode Metadata Service
  • EC2 - Open Hadoop HDFS NameNode WebUI
  • EC2 - Open Internal Web
  • EC2 - Open Kibana
  • EC2 - Open LDAP
  • EC2 - Open LDAPS
  • EC2 - Open Memcached
  • EC2 - Open MongoDB
  • EC2 - Open MySQL
  • EC2 - Open NetBIOS
  • EC2 - Open Oracle
  • EC2 - Open Oracle Auto Data Warehouse
  • EC2 - Open PostgreSQL
  • EC2 - Open RDP
  • EC2 - Open RFC 1918
  • EC2 - Open RPC
  • EC2 - Open Redis
  • EC2 - Open SMBoTCP
  • EC2 - Open SMTP
  • EC2 - Open SNMP
  • EC2 - Open SQL Server
  • EC2 - Open SSH
  • EC2 - Open Salt
  • EC2 - Open Telnet
  • EC2 - Open VNC Client
  • EC2 - Open VNC Server
  • EC2 - Outdated Amazon Machine Images
  • EC2 - Overlapping Security Groups
  • EC2 - Public AMI
  • EC2 - Public IP Address EC2 Instances
  • EC2 - SSM Agent Active All Instances
  • EC2 - SSM Agent Auto Update Enabled
  • EC2 - SSM Agent Latest Version
  • EC2 - SSM Managed Instances
  • EC2 - SSM Session Duration
  • EC2 - Security Group Has Tags
  • EC2 - Subnet IP Availability
  • EC2 - Unassociated Elastic IP Addresses
  • EC2 - Unrestricted Network ACL Inbound Traffic
  • EC2 - Unrestricted Network ACL Outbound Traffic
  • EC2 - Unused Amazon Machine Images
  • EC2 - Unused EBS Volumes
  • EC2 - Unused Elastic Network Interfaces
  • EC2 - Unused Security Groups
  • EC2 - Unused VPC Internet Gateways
  • EC2 - Unused Virtual Private Gateway
  • EC2 - VPC Elastic IP Limit
  • EC2 - VPC Endpoint Cross Account Access
  • EC2 - VPC Endpoint Exposed
  • EC2 - VPC Flow Logs Enabled
  • EC2 - VPC Has Tags
  • EC2 - VPC Multiple Subnets
  • EC2 - VPC PrivateLink Endpoint Acceptance Required
  • EC2 - VPC Subnet Instances Present
  • EC2 - VPN Tunnel State
  • EC2 - Virtual Private Gateway In VPC
  • EC2 - Web-Tier EC2 Instance IAM Role
  • ECR - Amazon ECR Scan on Push
  • ECR - ECR Repository Encrypted
  • ECR - ECR Repository Has Tags
  • ECR - ECR Repository Policy
  • ECR - ECR Repository Tag Immutability
  • ECS - Container Insights Enabled
  • ECS - ECS Cluster Active Services
  • ECS - ECS Cluster Has Tags
  • ECS - ECS Cluster Service Active Tasks
  • EFS - EFS CMK Encrypted
  • EFS - EFS Encryption Enabled
  • EFS - EFS Has Tags
  • EKS - EKS Cluster Has Tags
  • EKS - EKS Kubernetes Version
  • EKS - EKS Latest Platform Version
  • EKS - EKS Logging Enabled
  • EKS - EKS Private Endpoint
  • EKS - EKS Secrets Encrypted
  • EKS - EKS Security Groups
  • ELB - App-Tier ELB Security Policy
  • ELB - Classic Load Balancers In Use
  • ELB - ELB Connection Draining Enabled
  • ELB - ELB Cross-Zone Load Balancing
  • ELB - ELB HTTPS Only
  • ELB - ELB Has Tags
  • ELB - ELB Logging Enabled
  • ELB - ELB No Instances
  • ELB - ELB Unhealthy Instances
  • ELB - Insecure Ciphers
  • ELBv2 - ELB SSL Termination
  • ELBv2 - ELBv2 Cross-Zone Load Balancing
  • ELBv2 - ELBv2 Deletion Protection
  • ELBv2 - ELBv2 Deprecated SSL Policies
  • ELBv2 - ELBv2 Deregistration Delay
  • ELBv2 - ELBv2 HTTPS Only
  • ELBv2 - ELBv2 Has Tags
  • ELBv2 - ELBv2 Insecure Ciphers
  • ELBv2 - ELBv2 Logging Enabled
  • ELBv2 - ELBv2 Minimum Number of EC2 Target Instances
  • ELBv2 - ELBv2 NLB Listener Security
  • ELBv2 - ELBv2 No Instances
  • ELBv2 - ELBv2 TLS Version and Cipher Header Enabled
  • ELBv2 - ELBv2 Unhealthy Instances
  • ELBv2 - ELBv2 WAF Enabled
  • EMR - EMR Cluster Desired Instance Type
  • EMR - EMR Cluster Has Tags
  • EMR - EMR Cluster In VPC
  • EMR - EMR Cluster Logging
  • EMR - EMR Encryption At Rest
  • EMR - EMR Encryption In Transit
  • EMR - EMR Instances Counts
  • ES - ElasticSearch Dedicated Master Enabled
  • ES - ElasticSearch Public Service Domain
  • ES - ElasticSearch TLS Version
  • ES - ElasticSearch Upgrade Available
  • ES - OpenSearch Encryption Enabled
  • ElastiCache - ElastiCache Cluster Has Tags
  • ElastiCache - ElastiCache Cluster In VPC
  • ElastiCache - ElastiCache Default Ports
  • ElastiCache - ElastiCache Desired Node Type
  • ElastiCache - ElastiCache Engine Versions for Redis
  • ElastiCache - ElastiCache Instance Generation
  • ElastiCache - ElastiCache Nodes Count
  • ElastiCache - ElastiCache Redis Cluster Encryption At-Rest
  • ElastiCache - ElastiCache Redis Cluster Encryption In-Transit
  • ElastiCache - ElastiCache Redis Cluster Have Multi-AZ
  • ElastiCache - ElastiCache Reserved Cache Node Lease Expiration
  • ElastiCache - ElastiCache Reserved Cache Node Payment Failed
  • ElastiCache - ElastiCache Reserved Cache Node Payment Pending
  • ElastiCache - ElastiCache idle Cluster Status
  • ElastiCache - Unused ElastiCache Reserved Cache Nodes
  • Elastic Transcoder - Elastic Transcoder Job Outputs Encrypted
  • Elastic Transcoder - Elastic Transcoder Pipeline Data Encrypted
  • ElasticBeanstalk - ElasticBeanstalk Managed Platform Updates
  • ElasticBeanstalk - Enhanced Health Reporting
  • ElasticBeanstalk - Environment Access Logs
  • ElasticBeanstalk - Environment Persistent Logs
  • EventBridge - Event Bus Cross Account Access
  • EventBridge - Event Bus Public Access
  • EventBridge - EventBridge Event Rules In Use
  • FSx - FSx File System Encrypted
  • FinSpace - FinSpace Environment Encrypted
  • Firehose - Firehose Delivery Streams CMK Encrypted
  • Firehose - Firehose Delivery Streams Encrypted
  • Forecast - Forecast Dataset Encrypted
  • Forecast - Forecast Dataset Export Encrypted
  • Fraud Detector - Fraud Detector Data Encrypted
  • Glacier - S3 Glacier Vault Public Access
  • Glue - AWS Glue Data Catalog CMK Encrypted
  • Glue - AWS Glue Data Catalog Encryption Enabled
  • Glue - AWS Glue Job Bookmark Encryption Enabled
  • Glue - AWS Glue S3 Encryption Enabled
  • Glue DataBrew - AWS Glue DataBrew Job Output Encrypted
  • GuardDuty - Exported Findings Encrypted
  • GuardDuty - GuardDuty Master Account
  • GuardDuty - GuardDuty No Active Findings
  • GuardDuty - GuardDuty is Enabled
  • GuardDuty - S3 GuardDuty Enabled
  • HealthLake - HealthLake Data Store Encrypted
  • IAM - Access Analyzer Active Findings
  • IAM - Access Analyzer Enabled
  • IAM - Access Keys Extra
  • IAM - Access Keys Last Used
  • IAM - Access Keys Rotated
  • IAM - Canary Keys Used
  • IAM - Certificate Expiry
  • IAM - Cross-Account Access External ID and MFA
  • IAM - Empty Groups
  • IAM - Group Inline Policies
  • IAM - IAM Master and IAM Manager Roles
  • IAM - IAM Policies Present
  • IAM - IAM Role Has Tags
  • IAM - IAM Role Last Used
  • IAM - IAM Role Policies
  • IAM - IAM Role Policy Unused Services
  • IAM - IAM Support Policy
  • IAM - IAM User Account In Use
  • IAM - IAM User Account Not In Use
  • IAM - IAM User Admins
  • IAM - IAM User Has Tags
  • IAM - IAM User Present
  • IAM - IAM User Unauthorized to Edit
  • IAM - IAM User Without Permissions
  • IAM - IAM Username Matches Regex
  • IAM - Maximum Password Age
  • IAM - Minimum Password Length
  • IAM - No User IAM Policies
  • IAM - Password Expiration
  • IAM - Password Policy Allows To Change Password
  • IAM - Password Requires Lowercase
  • IAM - Password Requires Numbers
  • IAM - Password Requires Symbols
  • IAM - Password Requires Uppercase
  • IAM - Password Reuse Prevention
  • IAM - Root Access Keys
  • IAM - Root Account Active Signing Certificates
  • IAM - Root Account In Use
  • IAM - Root Hardware MFA
  • IAM - Root MFA Enabled
  • IAM - SSH Keys Rotated
  • IAM - Trusted Cross Account Roles
  • IAM - Users MFA Enabled
  • IAM - Users Password And Keys
  • IAM - Users Password Last Used
  • Image Builder - Dockerfile Template Encrypted
  • Image Builder - Enhanced Metadata Collection Enabled
  • Image Builder - Image Builder Components Encrypted
  • Image Builder - Image Recipe Storage Volumes Encrypted
  • Image Builder - Infrastructure Configuration Notification Enabled
  • IoT SiteWise - IoT SiteWise Data Encrypted
  • KMS - App-Tier KMS Customer Master Key (CMK)
  • KMS - KMS Default Key Usage
  • KMS - KMS Duplicate Grants
  • KMS - KMS Grant Least Privilege
  • KMS - KMS Key Policy
  • KMS - KMS Key Rotation
  • KMS - KMS Scheduled Deletion
  • Kendra - Kendra Index Encrypted
  • Kinesis - Kinesis Data Streams Encrypted
  • Kinesis - Kinesis Streams Encrypted
  • Kinesis Video Streams - Video Stream Data Encrypted
  • Lambda - Lambda Admin Privileges
  • Lambda - Lambda Environment Variables Client Side Encryption
  • Lambda - Lambda Has Tags
  • Lambda - Lambda Log Groups
  • Lambda - Lambda Old Runtimes
  • Lambda - Lambda Public Access
  • Lambda - Lambda Tracing Enabled
  • Lambda - Lambda Unique Execution Role
  • Lambda - Lambda VPC Config
  • Lex - Audio Logs Encrypted
  • Location - Geofence Collection Data Encrypted
  • Location - Tracker Data Encrypted
  • Lookout - Model Data Encrypted
  • LookoutEquipment - LookoutEquipment Dataset Encrypted
  • LookoutMetrics - LookoutMetrics Anomaly Detector Encrypted
  • MQ - MQ Auto Minor Version Upgrade
  • MQ - MQ Broker Encrypted
  • MQ - MQ Deployment Mode
  • MQ - MQ Desired Broker Instance Type
  • MQ - MQ Log Exports Enabled
  • MSK - MSK Cluster Client Broker Encryption
  • MSK - MSK Cluster Encryption At-Rest
  • MSK - MSK Cluster Encryption In-Transit
  • MSK - MSK Cluster Public Access
  • MSK - MSK Cluster Unauthenticated Access
  • MWAA - Environment Admin Privileges
  • MWAA - Environment Data Encrypted
  • MWAA - Web Server Public Access
  • Managed Blockchain - Managed Blockchain Network Member Data Encrypted
  • MemoryDB - MemoryDB Cluster Encrypted
  • Neptune - Neptune Database Instance Encrypted
  • OpenSearch - OpenSearch Access From IP Addresses
  • OpenSearch - OpenSearch Cluster Status
  • OpenSearch - OpenSearch Collection CMK Encryption
  • OpenSearch - OpenSearch Collection Public Access
  • OpenSearch - OpenSearch Dedicated Master Enabled
  • OpenSearch - OpenSearch Desired Instance Type
  • OpenSearch - OpenSearch Domain Cross Account access
  • OpenSearch - OpenSearch Encrypted Domain
  • OpenSearch - OpenSearch Exposed Domain
  • OpenSearch - OpenSearch HTTPS Only
  • OpenSearch - OpenSearch IAM Authentication
  • OpenSearch - OpenSearch Logging Enabled
  • OpenSearch - OpenSearch Node To Node Encryption
  • OpenSearch - OpenSearch Public Service Domain
  • OpenSearch - OpenSearch TLS Version
  • OpenSearch - OpenSearch Upgrade Available
  • OpenSearch - OpenSearch Version
  • OpenSearch - OpenSearch Zone Awareness Enabled
  • Organizations - Enable All Organization Features
  • Organizations - Organization Invite
  • Proton - Environment Template Encrypted
  • QLDB - Ledger Encrypted
  • RDS - RDS Automated Backups
  • RDS - RDS CMK Encryption
  • RDS - RDS Deletion Protection Enabled
  • RDS - RDS DocumentDB Minor Version Upgrade
  • RDS - RDS Encryption Enabled
  • RDS - RDS IAM Database Authentication Enabled
  • RDS - RDS Instance Default Master Username
  • RDS - RDS Instance Generation
  • RDS - RDS Instance Has Tags
  • RDS - RDS Logging Enabled
  • RDS - RDS Multiple AZ
  • RDS - RDS MySQL Vulnerability Check
  • RDS - RDS Publicly Accessible
  • RDS - RDS Restorable
  • RDS - RDS Snapshot Encryption
  • RDS - RDS Snapshot Publicly Accessible
  • RDS - RDS Transport Encryption Enabled
  • RDS - SQL Server TLS Version
  • Redshift - Redshift Automated Snapshot Retention Period
  • Redshift - Redshift Cluster Allow Version Upgrade
  • Redshift - Redshift Cluster Audit Logging Enabled
  • Redshift - Redshift Cluster CMK Encryption
  • Redshift - Redshift Cluster Default Master Username
  • Redshift - Redshift Cluster Default Port
  • Redshift - Redshift Cluster In VPC
  • Redshift - Redshift Desired Node Type
  • Redshift - Redshift Encryption Enabled
  • Redshift - Redshift Nodes Count
  • Redshift - Redshift Parameter Group SSL Required
  • Redshift - Redshift Publicly Accessible
  • Redshift - Redshift Unused Reserved Nodes
  • Redshift - Redshift User Activity Logging Enabled
  • Redshift - Underutilized Redshift Cluster Check
  • Route53 - Domain Auto Renew
  • Route53 - Domain Expiry
  • Route53 - Domain Privacy Protection
  • Route53 - Domain Transfer Lock
  • Route53 - Route53 Dangling DNS Records
  • Route53 - Sender Policy Framework In Use
  • Route53 - Sender Privacy Framework Record Present
  • S3 - CloudTrail Bucket Access Logging
  • S3 - CloudTrail Bucket Delete Policy
  • S3 - CloudTrail Bucket Private
  • S3 - S3 Bucket All Users ACL
  • S3 - S3 Bucket All Users Policy
  • S3 - S3 Bucket Encryption
  • S3 - S3 Bucket Encryption Enforcement
  • S3 - S3 Bucket Encryption In Transit
  • S3 - S3 Bucket Enforce Object Encryption
  • S3 - S3 Bucket Has Tags
  • S3 - S3 Bucket Lifecycle Configuration
  • S3 - S3 Bucket Logging
  • S3 - S3 Bucket MFA Delete Status
  • S3 - S3 Bucket Policy CloudFront OAC
  • S3 - S3 Bucket Policy CloudFront OAI
  • S3 - S3 Bucket Public Access Block
  • S3 - S3 Bucket Versioning
  • S3 - S3 Bucket Website Enabled
  • S3 - S3 DNS Compliant Bucket Names
  • S3 - S3 Object Read Logging
  • S3 - S3 Object Write Logging
  • S3 - S3 Secure Transport Enabled
  • S3 - S3 Transfer Acceleration Enabled
  • S3 - S3 Versioned Buckets Lifecycle Configuration
  • SES - Email DKIM Enabled
  • SES - SES Email Messages Encrypted
  • SNS - SNS Cross Account Access
  • SNS - SNS Subscription HTTPS Only
  • SNS - SNS Topic CMK Encryption
  • SNS - SNS Topic Encrypted
  • SNS - SNS Topic HTTP Protocol Restriction
  • SNS - SNS Topic Has Tags
  • SNS - SNS Topic Policies
  • SNS - SNS Valid Subscribers
  • SQS - SQS Cross Account Access
  • SQS - SQS Dead Letter Queue
  • SQS - SQS Encrypted
  • SQS - SQS Encryption Enabled
  • SQS - SQS Public Access
  • SQS - SQS Queue Unprocessed Messages
  • SSM - SSM Documents Public Access
  • SSM - SSM Encrypted Parameters
  • SageMaker - Notebook Data Encrypted
  • SageMaker - Notebook Direct Internet Access
  • SageMaker - Notebook instance in VPC
  • Secrets Manager - Secret Has Tags
  • Secrets Manager - Secrets Manager Encrypted Secrets
  • Secrets Manager - Secrets Manager In Use
  • Secrets Manager - Secrets Manager Secret Rotation Enabled
  • SecurityHub - Security Hub Enabled
  • Shield - Shield Advanced Enabled
  • Shield - Shield Emergency Contacts
  • Shield - Shield Protections
  • Timestream - Timestream Database Encrypted
  • Transfer - PrivateLink in Use for Transfer for SFTP Server Endpoints
  • Transfer - Transfer Logging Enabled
  • Translate - Translate Job Output Encrypted
  • WAF - AWS WAF In Use
  • WAF - AWS WAFV2 Cloudwatch Metrics Enabled
  • WAF - AWS WAFV2 In Use
  • WAF - Web ACL Rules Default Action
  • WorkSpaces - Unused WorkSpaces
  • WorkSpaces - WorkSpaces Desired Bundle Type
  • WorkSpaces - WorkSpaces Instance Count
  • WorkSpaces - WorkSpaces Volume Encryption
  • Workspaces - Workspaces IP Access Control
  • XRay - XRay Encryption Enabled