What cloud services are supported for AWS?

Holm Security Cloud Scanner can verify security best practices and security misconfigurations that contribute to the most common causes of security breaches within a vast list of AWS services.

There is also a set of plugins highlighting unused or misused services that could help save monthly AWS costs. Read more about these plugins in this article:

https://support.holmsecurity.com/hc/en-us/articles/7261159521436

Supported services

Here's the list of services that we currently support:

ACM
API Gateway
AWS Glue
App Mesh
App Runner
AppFlow
Athena
Audit Manager
AutoScaling
Backup
CloudFormation
CloudFront
CloudTrail
CloudWatch
CloudWatchLogs
CodeArtifact
CodeBuild
CodePipeline
CodeStar
Cognito
Comprehend
Compute Optimizer
ConfigService
Connect
DMS
DevOpsGuru
DocumentDB
DynamoDB
EC2
ECR
ECS
EFS
EKS
ELB
ELBv2
EMR
ES
ElastiCache
Elastic Transcoder
ElasticBeanstalk
EventBridge
FSx
FinSpace
Firehose
Forecast
Fraud Detector
Glacier
Glue
Glue DataBrew
GuardDuty
HealthLake
IAM
Image Builder
IoT SiteWise
KMS
Kendra
Kinesis
Kinesis Video Streams
Lambda
Lex
Location
Lookout
LookoutEquipment
LookoutMetrics
MQ
MSK
MWAA
Managed Blockchain
MemoryDB
Neptune
OpenSearch
Organizations
Proton
QLDB
RDS
Redshift
Route53
S3
SES
SNS
SQS
SSM
SageMaker
Secrets Manager
SecurityHub
Shield
Timestream
Transfer
Translate
WAF
WorkSpaces
Workspaces
XRay

Supported policies
Across the services, the following policies are scanned for:

ACM - ACM Certificate Expiry
ACM - ACM Certificate Has Tags
ACM - ACM Certificate Validation
ACM - ACM Single Domain Name Certificates
API Gateway - API Gateway Authorization
API Gateway - API Gateway Certificate Rotation
API Gateway - API Gateway Client Certificate
API Gateway - API Gateway CloudWatch Logs
API Gateway - API Gateway Content Encoding
API Gateway - API Gateway Default Endpoint Disabled
API Gateway - API Gateway Detailed CloudWatch Metrics
API Gateway - API Gateway Private Endpoints
API Gateway - API Gateway Response Caching
API Gateway - API Gateway Tracing Enabled
API Gateway - API Gateway WAF Enabled
API Gateway - API Stage-Level Cache Encryption
API Gateway - Custom Domain TLS Version
AWS Glue - AWS Glue CloudWatch Encrypted Logs
App Mesh - App Mesh Restrict External Traffic
App Mesh - App Mesh TLS Required
App Mesh - App Mesh VG Access Logging
App Runner - Service Encrypted
AppFlow - AppFlow Flow Encrypted
Athena - Workgroup Encrypted
Athena - Workgroup Enforce Configuration
Audit Manager - Audit Manager Data Encrypted
AutoScaling - ASG Multiple AZ
AutoScaling - App-Tier ASG Launch Configurations Approved AMIs
AutoScaling - App-Tier Auto Scaling Group CloudWatch Logs Enabled
AutoScaling - App-Tier Launch Configurations IAM Roles
AutoScaling - Auto Scaling Group Cooldown Period
AutoScaling - Auto Scaling Group Missing ELB
AutoScaling - Auto Scaling Notifications Active
AutoScaling - Auto Scaling Unused Launch Configuration
AutoScaling - AutoScaling ELB Same Availability Zone
AutoScaling - ELB Health Check Active
AutoScaling - Empty AutoScaling Group
AutoScaling - Launch Configuration Referencing Missing Security Groups
AutoScaling - Suspended AutoScaling Groups
AutoScaling - Web-Tier ASG Launch Configurations Approved AMIs
AutoScaling - Web-Tier Auto Scaling Group Associated ELB
AutoScaling - Web-Tier Auto Scaling Group CloudWatch Logs Enabled
AutoScaling - Web-Tier Launch Configurations IAM Roles
Backup - AWS Backup Compliant Lifecycle Configured
Backup - Backup Deletion Protection Enabled
Backup - Backup Failure Notification Enabled
Backup - Backup In Use For RDS Snapshots
Backup - Backup Resource Protection
Backup - Backup Vault Encrypted
Backup - Backup Vault Has Tags
Backup - Backup Vault Policies
CloudFormation - AWS CloudFormation In Use
CloudFormation - CloudFormation Admin Priviliges
CloudFormation - CloudFormation Drift Detection
CloudFormation - CloudFormation Plaintext Parameters
CloudFormation - CloudFormation Stack Failed Status
CloudFormation - CloudFormation Stack SNS Notifications
CloudFormation - CloudFormation Stack Termination Protection Enabled
CloudFront - CloudFront Compress Objects Automatically
CloudFront - CloudFront Custom Origin HTTPS Only
CloudFront - CloudFront Distribution Field-Level Encryption
CloudFront - CloudFront Distribution Origins TLS Version
CloudFront - CloudFront Enable Origin Failover
CloudFront - CloudFront Enabled
CloudFront - CloudFront Geo Restriction
CloudFront - CloudFront HTTPS Only
CloudFront - CloudFront Logging Enabled
CloudFront - CloudFront TLS Deprecated Protocols
CloudFront - CloudFront TLS Insecure Cipher
CloudFront - CloudFront WAF Enabled
CloudFront - Insecure CloudFront Protocols
CloudFront - Public S3 CloudFront Origin
CloudFront - Secure CloudFront Origin
CloudTrail - CloudTrail Data Events
CloudTrail - CloudTrail Delivery Failing
CloudTrail - CloudTrail Enabled
CloudTrail - CloudTrail Encryption
CloudTrail - CloudTrail File Validation
CloudTrail - CloudTrail Global Services Logging Duplicated
CloudTrail - CloudTrail Has Tags
CloudTrail - CloudTrail Management Events
CloudTrail - CloudTrail Notifications Enabled
CloudTrail - CloudTrail S3 Bucket
CloudTrail - CloudTrail To CloudWatch
CloudTrail - Object Lock Enabled
CloudWatch - VPC Flow Logs Metric Alarm
CloudWatchLogs - CloudWatch Log Groups Encrypted
CloudWatchLogs - CloudWatch Log Retention Period
CloudWatchLogs - CloudWatch Monitoring Metrics
CodeArtifact - CodeArtifact Domain Encrypted
CodeBuild - CodeBuild Valid Source Providers
CodeBuild - Project Artifacts Encrypted
CodePipeline - Pipeline Artifacts Encrypted
CodeStar - CodeStar Valid Repository Providers
Cognito - Cognito User Pool MFA enabled
Cognito - Cognito User Pool WAF Enabled
Comprehend - Amazon Comprehend Output Result Encryption
Comprehend - Amazon Comprehend Volume Encryption
Compute Optimizer - Auto Scaling Group Optimized
Compute Optimizer - Compute Optimizer Recommendations Enabled
Compute Optimizer - EBS Volumes Optimized
Compute Optimizer - EC2 Instances Optimized
Compute Optimizer - Lambda Function Optimized
ConfigService - AWS Config Complaint Rules
ConfigService - AWS Services In Use
ConfigService - Config Delivery Failing
ConfigService - Config Service Enabled
ConfigService - Config Service Missing Bucket
Connect - Connect Customer Profiles Domain Encrypted
Connect - Connect Instance Attachments Encrypted
Connect - Connect Instance Call Recording Encrypted
Connect - Connect Instance Chat Transcripts Encrypted
Connect - Connect Instance Exported Reports Encrypted
Connect - Connect Instance Media Streams Encrypted
Connect - Connect Voice ID Domain Encrypted
Connect - Connect Wisdom Domain Encrypted
DMS - DMS Auto Minor Version Upgrade
DMS - DMS Encryption Enabled
DMS - DMS Multi-AZ Feature Enabled
DMS - DMS Publicly Accessible Instances
DevOpsGuru - DevOps Guru Notifications Enabled
DocumentDB - DocumentDB Cluster Backup Retention
DocumentDB - DocumentDB Cluster Encrypted
DynamoDB - DynamoDB Accelerator Cluster Encryption
DynamoDB - DynamoDB Continuous Backups
DynamoDB - DynamoDB KMS Encryption
DynamoDB - DynamoDB Table Backup Exists
DynamoDB - DynamoDB Table Has Tags
DynamoDB - DynamoDB Unused Table
EC2 - AMI Has Tags
EC2 - Allowed Custom Ports
EC2 - Amazon EBS Public Snapshots
EC2 - App-Tier EC2 Instance IAM Role
EC2 - Automate EBS Snapshot Lifecycle
EC2 - Cross Organization VPC Peering Connections
EC2 - Cross VPC Public Private Communication
EC2 - Default Security Group
EC2 - Default Security Group In Use
EC2 - Default VPC Exists
EC2 - Default VPC In Use
EC2 - Detect EC2 Classic Instances
EC2 - EBS Backup Enabled
EC2 - EBS Encrypted Snapshots
EC2 - EBS Encryption Enabled
EC2 - EBS Encryption Enabled By Default
EC2 - EBS Snapshot Has Tags
EC2 - EBS Volume Snapshot Public
EC2 - EBS Volume has tags
EC2 - EBS Volumes Recent Snapshots
EC2 - EBS Volumes Too Old Snapshots
EC2 - EC2 CPU Alarm Threshold Exceeded
EC2 - EC2 Instance Key Based Login
EC2 - EC2 LaunchWizard Security Groups
EC2 - EC2 Max Instances
EC2 - EC2 Public Subnet
EC2 - EC2 has Tags
EC2 - Elastic IP Limit
EC2 - Encrypted AMI
EC2 - Excessive Security Groups
EC2 - Insecure EC2 Metadata Options
EC2 - Instance Detailed Monitoring
EC2 - Instance IAM Role
EC2 - Instance Limit
EC2 - Instance vCPU On-Demand Based Limits
EC2 - Internet Gateways In VPC
EC2 - Managed NAT Gateway In Use
EC2 - NAT Multiple AZ
EC2 - Network ACL has Tags
EC2 - Open All Ports Protocols
EC2 - Open All Ports Protocols Egress
EC2 - Open CIFS
EC2 - Open Cassandra Client
EC2 - Open Cassandra Internode
EC2 - Open Cassandra Monitoring
EC2 - Open Cassandra Thrift
EC2 - Open Custom Ports
EC2 - Open DNS
EC2 - Open Docker
EC2 - Open Elasticsearch
EC2 - Open FTP
EC2 - Open HTTP
EC2 - Open HTTPS
EC2 - Open Hadoop HDFS NameNode Metadata Service
EC2 - Open Hadoop HDFS NameNode WebUI
EC2 - Open Internal Web
EC2 - Open Kibana
EC2 - Open LDAP
EC2 - Open LDAPS
EC2 - Open Memcached
EC2 - Open MongoDB
EC2 - Open MySQL
EC2 - Open NetBIOS
EC2 - Open Oracle
EC2 - Open Oracle Auto Data Warehouse
EC2 - Open PostgreSQL
EC2 - Open RDP
EC2 - Open RFC 1918
EC2 - Open RPC
EC2 - Open Redis
EC2 - Open SMBoTCP
EC2 - Open SMTP
EC2 - Open SNMP
EC2 - Open SQL Server
EC2 - Open SSH
EC2 - Open Salt
EC2 - Open Telnet
EC2 - Open VNC Client
EC2 - Open VNC Server
EC2 - Outdated Amazon Machine Images
EC2 - Overlapping Security Groups
EC2 - Public AMI
EC2 - Public IP Address EC2 Instances
EC2 - SSM Agent Active All Instances
EC2 - SSM Agent Auto Update Enabled
EC2 - SSM Agent Latest Version
EC2 - SSM Managed Instances
EC2 - SSM Session Duration
EC2 - Security Group Has Tags
EC2 - Subnet IP Availability
EC2 - Unassociated Elastic IP Addresses
EC2 - Unrestricted Network ACL Inbound Traffic
EC2 - Unrestricted Network ACL Outbound Traffic
EC2 - Unused Amazon Machine Images
EC2 - Unused EBS Volumes
EC2 - Unused Elastic Network Interfaces
EC2 - Unused Security Groups
EC2 - Unused VPC Internet Gateways
EC2 - Unused Virtual Private Gateway
EC2 - VPC Elastic IP Limit
EC2 - VPC Endpoint Cross Account Access
EC2 - VPC Endpoint Exposed
EC2 - VPC Flow Logs Enabled
EC2 - VPC Has Tags
EC2 - VPC Multiple Subnets
EC2 - VPC PrivateLink Endpoint Acceptance Required
EC2 - VPC Subnet Instances Present
EC2 - VPN Tunnel State
EC2 - Virtual Private Gateway In VPC
EC2 - Web-Tier EC2 Instance IAM Role
ECR - Amazon ECR Scan on Push
ECR - ECR Repository Encrypted
ECR - ECR Repository Has Tags
ECR - ECR Repository Policy
ECR - ECR Repository Tag Immutability
ECS - Container Insights Enabled
ECS - ECS Cluster Active Services
ECS - ECS Cluster Has Tags
ECS - ECS Cluster Service Active Tasks
EFS - EFS CMK Encrypted
EFS - EFS Encryption Enabled
EFS - EFS Has Tags
EKS - EKS Cluster Has Tags
EKS - EKS Kubernetes Version
EKS - EKS Latest Platform Version
EKS - EKS Logging Enabled
EKS - EKS Private Endpoint
EKS - EKS Secrets Encrypted
EKS - EKS Security Groups
ELB - App-Tier ELB Security Policy
ELB - Classic Load Balancers In Use
ELB - ELB Connection Draining Enabled
ELB - ELB Cross-Zone Load Balancing
ELB - ELB HTTPS Only
ELB - ELB Has Tags
ELB - ELB Logging Enabled
ELB - ELB No Instances
ELB - ELB Unhealthy Instances
ELB - Insecure Ciphers
ELBv2 - ELB SSL Termination
ELBv2 - ELBv2 Cross-Zone Load Balancing
ELBv2 - ELBv2 Deletion Protection
ELBv2 - ELBv2 Deprecated SSL Policies
ELBv2 - ELBv2 Deregistration Delay
ELBv2 - ELBv2 HTTPS Only
ELBv2 - ELBv2 Has Tags
ELBv2 - ELBv2 Insecure Ciphers
ELBv2 - ELBv2 Logging Enabled
ELBv2 - ELBv2 Minimum Number of EC2 Target Instances
ELBv2 - ELBv2 NLB Listener Security
ELBv2 - ELBv2 No Instances
ELBv2 - ELBv2 TLS Version and Cipher Header Enabled
ELBv2 - ELBv2 Unhealthy Instances
ELBv2 - ELBv2 WAF Enabled
EMR - EMR Cluster Desired Instance Type
EMR - EMR Cluster Has Tags
EMR - EMR Cluster In VPC
EMR - EMR Cluster Logging
EMR - EMR Encryption At Rest
EMR - EMR Encryption In Transit
EMR - EMR Instances Counts
ES - ElasticSearch Dedicated Master Enabled
ES - ElasticSearch Public Service Domain
ES - ElasticSearch TLS Version
ES - ElasticSearch Upgrade Available
ES - OpenSearch Encryption Enabled
ElastiCache - ElastiCache Cluster Has Tags
ElastiCache - ElastiCache Cluster In VPC
ElastiCache - ElastiCache Default Ports
ElastiCache - ElastiCache Desired Node Type
ElastiCache - ElastiCache Engine Versions for Redis
ElastiCache - ElastiCache Instance Generation
ElastiCache - ElastiCache Nodes Count
ElastiCache - ElastiCache Redis Cluster Encryption At-Rest
ElastiCache - ElastiCache Redis Cluster Encryption In-Transit
ElastiCache - ElastiCache Redis Cluster Have Multi-AZ
ElastiCache - ElastiCache Reserved Cache Node Lease Expiration
ElastiCache - ElastiCache Reserved Cache Node Payment Failed
ElastiCache - ElastiCache Reserved Cache Node Payment Pending
ElastiCache - ElastiCache idle Cluster Status
ElastiCache - Unused ElastiCache Reserved Cache Nodes
Elastic Transcoder - Elastic Transcoder Job Outputs Encrypted
Elastic Transcoder - Elastic Transcoder Pipeline Data Encrypted
ElasticBeanstalk - ElasticBeanstalk Managed Platform Updates
ElasticBeanstalk - Enhanced Health Reporting
ElasticBeanstalk - Environment Access Logs
ElasticBeanstalk - Environment Persistent Logs
EventBridge - Event Bus Cross Account Access
EventBridge - Event Bus Public Access
EventBridge - EventBridge Event Rules In Use
FSx - FSx File System Encrypted
FinSpace - FinSpace Environment Encrypted
Firehose - Firehose Delivery Streams CMK Encrypted
Firehose - Firehose Delivery Streams Encrypted
Forecast - Forecast Dataset Encrypted
Forecast - Forecast Dataset Export Encrypted
Fraud Detector - Fraud Detector Data Encrypted
Glacier - S3 Glacier Vault Public Access
Glue - AWS Glue Data Catalog CMK Encrypted
Glue - AWS Glue Data Catalog Encryption Enabled
Glue - AWS Glue Job Bookmark Encryption Enabled
Glue - AWS Glue S3 Encryption Enabled
Glue DataBrew - AWS Glue DataBrew Job Output Encrypted
GuardDuty - Exported Findings Encrypted
GuardDuty - GuardDuty Master Account
GuardDuty - GuardDuty No Active Findings
GuardDuty - GuardDuty is Enabled
GuardDuty - S3 GuardDuty Enabled
HealthLake - HealthLake Data Store Encrypted
IAM - Access Analyzer Active Findings
IAM - Access Analyzer Enabled
IAM - Access Keys Extra
IAM - Access Keys Last Used
IAM - Access Keys Rotated
IAM - Canary Keys Used
IAM - Certificate Expiry
IAM - Cross-Account Access External ID and MFA
IAM - Empty Groups
IAM - Group Inline Policies
IAM - IAM Master and IAM Manager Roles
IAM - IAM Policies Present
IAM - IAM Role Has Tags
IAM - IAM Role Last Used
IAM - IAM Role Policies
IAM - IAM Role Policy Unused Services
IAM - IAM Support Policy
IAM - IAM User Account In Use
IAM - IAM User Account Not In Use
IAM - IAM User Admins
IAM - IAM User Has Tags
IAM - IAM User Present
IAM - IAM User Unauthorized to Edit
IAM - IAM User Without Permissions
IAM - IAM Username Matches Regex
IAM - Maximum Password Age
IAM - Minimum Password Length
IAM - No User IAM Policies
IAM - Password Expiration
IAM - Password Policy Allows To Change Password
IAM - Password Requires Lowercase
IAM - Password Requires Numbers
IAM - Password Requires Symbols
IAM - Password Requires Uppercase
IAM - Password Reuse Prevention
IAM - Root Access Keys
IAM - Root Account Active Signing Certificates
IAM - Root Account In Use
IAM - Root Hardware MFA
IAM - Root MFA Enabled
IAM - SSH Keys Rotated
IAM - Trusted Cross Account Roles
IAM - Users MFA Enabled
IAM - Users Password And Keys
IAM - Users Password Last Used
Image Builder - Dockerfile Template Encrypted
Image Builder - Enhanced Metadata Collection Enabled
Image Builder - Image Builder Components Encrypted
Image Builder - Image Recipe Storage Volumes Encrypted
Image Builder - Infrastructure Configuration Notification Enabled
IoT SiteWise - IoT SiteWise Data Encrypted
KMS - App-Tier KMS Customer Master Key (CMK)
KMS - KMS Default Key Usage
KMS - KMS Duplicate Grants
KMS - KMS Grant Least Privilege
KMS - KMS Key Policy
KMS - KMS Key Rotation
KMS - KMS Scheduled Deletion
Kendra - Kendra Index Encrypted
Kinesis - Kinesis Data Streams Encrypted
Kinesis - Kinesis Streams Encrypted
Kinesis Video Streams - Video Stream Data Encrypted
Lambda - Lambda Admin Privileges
Lambda - Lambda Environment Variables Client Side Encryption
Lambda - Lambda Has Tags
Lambda - Lambda Log Groups
Lambda - Lambda Old Runtimes
Lambda - Lambda Public Access
Lambda - Lambda Tracing Enabled
Lambda - Lambda Unique Execution Role
Lambda - Lambda VPC Config
Lex - Audio Logs Encrypted
Location - Geofence Collection Data Encrypted
Location - Tracker Data Encrypted
Lookout - Model Data Encrypted
LookoutEquipment - LookoutEquipment Dataset Encrypted
LookoutMetrics - LookoutMetrics Anomaly Detector Encrypted
MQ - MQ Auto Minor Version Upgrade
MQ - MQ Broker Encrypted
MQ - MQ Deployment Mode
MQ - MQ Desired Broker Instance Type
MQ - MQ Log Exports Enabled
MSK - MSK Cluster Client Broker Encryption
MSK - MSK Cluster Encryption At-Rest
MSK - MSK Cluster Encryption In-Transit
MSK - MSK Cluster Public Access
MSK - MSK Cluster Unauthenticated Access
MWAA - Environment Admin Privileges
MWAA - Environment Data Encrypted
MWAA - Web Server Public Access
Managed Blockchain - Managed Blockchain Network Member Data Encrypted
MemoryDB - MemoryDB Cluster Encrypted
Neptune - Neptune Database Instance Encrypted
OpenSearch - OpenSearch Access From IP Addresses
OpenSearch - OpenSearch Cluster Status
OpenSearch - OpenSearch Collection CMK Encryption
OpenSearch - OpenSearch Collection Public Access
OpenSearch - OpenSearch Dedicated Master Enabled
OpenSearch - OpenSearch Desired Instance Type
OpenSearch - OpenSearch Domain Cross Account access
OpenSearch - OpenSearch Encrypted Domain
OpenSearch - OpenSearch Exposed Domain
OpenSearch - OpenSearch HTTPS Only
OpenSearch - OpenSearch IAM Authentication
OpenSearch - OpenSearch Logging Enabled
OpenSearch - OpenSearch Node To Node Encryption
OpenSearch - OpenSearch Public Service Domain
OpenSearch - OpenSearch TLS Version
OpenSearch - OpenSearch Upgrade Available
OpenSearch - OpenSearch Version
OpenSearch - OpenSearch Zone Awareness Enabled
Organizations - Enable All Organization Features
Organizations - Organization Invite
Proton - Environment Template Encrypted
QLDB - Ledger Encrypted
RDS - RDS Automated Backups
RDS - RDS CMK Encryption
RDS - RDS Deletion Protection Enabled
RDS - RDS DocumentDB Minor Version Upgrade
RDS - RDS Encryption Enabled
RDS - RDS IAM Database Authentication Enabled
RDS - RDS Instance Default Master Username
RDS - RDS Instance Generation
RDS - RDS Instance Has Tags
RDS - RDS Logging Enabled
RDS - RDS Multiple AZ
RDS - RDS MySQL Vulnerability Check
RDS - RDS Publicly Accessible
RDS - RDS Restorable
RDS - RDS Snapshot Encryption
RDS - RDS Snapshot Publicly Accessible
RDS - RDS Transport Encryption Enabled
RDS - SQL Server TLS Version
Redshift - Redshift Automated Snapshot Retention Period
Redshift - Redshift Cluster Allow Version Upgrade
Redshift - Redshift Cluster Audit Logging Enabled
Redshift - Redshift Cluster CMK Encryption
Redshift - Redshift Cluster Default Master Username
Redshift - Redshift Cluster Default Port
Redshift - Redshift Cluster In VPC
Redshift - Redshift Desired Node Type
Redshift - Redshift Encryption Enabled
Redshift - Redshift Nodes Count
Redshift - Redshift Parameter Group SSL Required
Redshift - Redshift Publicly Accessible
Redshift - Redshift Unused Reserved Nodes
Redshift - Redshift User Activity Logging Enabled
Redshift - Underutilized Redshift Cluster Check
Route53 - Domain Auto Renew
Route53 - Domain Expiry
Route53 - Domain Privacy Protection
Route53 - Domain Transfer Lock
Route53 - Route53 Dangling DNS Records
Route53 - Sender Policy Framework In Use
Route53 - Sender Privacy Framework Record Present
S3 - CloudTrail Bucket Access Logging
S3 - CloudTrail Bucket Delete Policy
S3 - CloudTrail Bucket Private
S3 - S3 Bucket All Users ACL
S3 - S3 Bucket All Users Policy
S3 - S3 Bucket Encryption
S3 - S3 Bucket Encryption Enforcement
S3 - S3 Bucket Encryption In Transit
S3 - S3 Bucket Enforce Object Encryption
S3 - S3 Bucket Has Tags
S3 - S3 Bucket Lifecycle Configuration
S3 - S3 Bucket Logging
S3 - S3 Bucket MFA Delete Status
S3 - S3 Bucket Policy CloudFront OAC
S3 - S3 Bucket Policy CloudFront OAI
S3 - S3 Bucket Public Access Block
S3 - S3 Bucket Versioning
S3 - S3 Bucket Website Enabled
S3 - S3 DNS Compliant Bucket Names
S3 - S3 Object Read Logging
S3 - S3 Object Write Logging
S3 - S3 Secure Transport Enabled
S3 - S3 Transfer Acceleration Enabled
S3 - S3 Versioned Buckets Lifecycle Configuration
SES - Email DKIM Enabled
SES - SES Email Messages Encrypted
SNS - SNS Cross Account Access
SNS - SNS Subscription HTTPS Only
SNS - SNS Topic CMK Encryption
SNS - SNS Topic Encrypted
SNS - SNS Topic HTTP Protocol Restriction
SNS - SNS Topic Has Tags
SNS - SNS Topic Policies
SNS - SNS Valid Subscribers
SQS - SQS Cross Account Access
SQS - SQS Dead Letter Queue
SQS - SQS Encrypted
SQS - SQS Encryption Enabled
SQS - SQS Public Access
SQS - SQS Queue Unprocessed Messages
SSM - SSM Documents Public Access
SSM - SSM Encrypted Parameters
SageMaker - Notebook Data Encrypted
SageMaker - Notebook Direct Internet Access
SageMaker - Notebook instance in VPC
Secrets Manager - Secret Has Tags
Secrets Manager - Secrets Manager Encrypted Secrets
Secrets Manager - Secrets Manager In Use
Secrets Manager - Secrets Manager Secret Rotation Enabled
SecurityHub - Security Hub Enabled
Shield - Shield Advanced Enabled
Shield - Shield Emergency Contacts
Shield - Shield Protections
Timestream - Timestream Database Encrypted
Transfer - PrivateLink in Use for Transfer for SFTP Server Endpoints
Transfer - Transfer Logging Enabled
Translate - Translate Job Output Encrypted
WAF - AWS WAF In Use
WAF - AWS WAFV2 Cloudwatch Metrics Enabled
WAF - AWS WAFV2 In Use
WAF - Web ACL Rules Default Action
WorkSpaces - Unused WorkSpaces
WorkSpaces - WorkSpaces Desired Bundle Type
WorkSpaces - WorkSpaces Instance Count
WorkSpaces - WorkSpaces Volume Encryption
Workspaces - Workspaces IP Access Control
XRay - XRay Encryption Enabled