Queries in Terraform AWS Compliance
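The Terraform AWS Compliance mod includes 357 queries, listed below by their exact identifiers. A few identifiers are misspelled as published (`docdb_cluster_paramater_group_logging_enabled`, `mq_broker_currect_broker_version`, `opensearch_domain_encrpted_with_kms_cmk`, `rds_db_snapshot_not_publicly_accesible`, `vpc_transfer_server_not_publicly_accesible`); use the spelling shown when referencing them. Some names appear to describe the condition being detected rather than the desired state (for example `mq_broker_publicly_accessible` and `vpc_network_acl_allow_ssh_port_22_ingress`), so check the query definition before interpreting a result. The queries are: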
- acm_certificate_create_before_destroy_enabled
- acm_certificate_transparency_logging_enabled
- apigateway_deployment_create_before_destroy_enabled
- apigateway_domain_name_use_latest_tls
- apigateway_method_restricts_open_access
- apigateway_method_settings_cache_enabled
- apigateway_method_settings_cache_encryption_enabled
- apigateway_method_settings_data_trace_enabled
- apigateway_rest_api_create_before_destroy_enabled
- apigateway_rest_api_stage_use_ssl_certificate
- apigateway_rest_api_stage_xray_tracing_enabled
- apigateway_stage_cache_encryption_at_rest_enabled
- apigateway_stage_logging_enabled
- apigatewayv2_route_set_authorization_type
- appflow_connector_profile_encrypted_with_kms_cmk
- appflow_flow_encrypted_with_kms_cmk
- appsync_api_cache_encryption_at_rest_enabled
- appsync_api_cache_encryption_in_transit_enabled
- appsync_graphql_api_cloudwatch_logs_enabled
- appsync_graphql_api_field_level_logs_enabled
- athena_database_encryption_at_rest_enabled
- athena_workgroup_encryption_at_rest_enabled
- athena_workgroup_enforce_workgroup_configuration
- autoscaling_group_tagging_enabled
- autoscaling_group_uses_launch_template
- autoscaling_group_with_lb_use_health_check
- autoscaling_launch_config_public_ip_disabled
- backup_plan_min_retention_35_days
- backup_vault_encryption_at_rest_enabled
- cloudformation_stack_notifications_enabled
- cloudfront_distribution_configured_with_origin_failover
- cloudfront_distribution_default_root_object_configured
- cloudfront_distribution_enabled
- cloudfront_distribution_encryption_in_transit_enabled
- cloudfront_distribution_logging_enabled
- cloudfront_distribution_origin_access_identity_enabled
- cloudfront_distribution_waf_enabled
- cloudfront_protocol_version_is_low
- cloudfront_response_header_use_strict_transport_policy_setting
- cloudsearch_domain_enforced_https_enabled
- cloudsearch_domain_uses_latest_tls_version
- cloudtrail_enabled_all_regions
- cloudtrail_event_data_store_encrypted_with_kms_cmk
- cloudtrail_trail_logs_encrypted_with_kms_cmk
- cloudtrail_trail_sns_topic_enabled
- cloudtrail_trail_validation_enabled
- cloudwatch_alarm_action_enabled
- cloudwatch_destination_policy_wildcards
- cloudwatch_log_group_retention
- cloudwatch_log_group_retention_period_365
- codeartifact_domain_encrypted_with_kms_cmk
- codebuild_project_encryption_at_rest_enabled
- codebuild_project_logging_enabled
- codebuild_project_plaintext_env_variables_no_sensitive_aws_values
- codebuild_project_privileged_mode_disabled
- codebuild_project_s3_logs_encryption_enabled
- codebuild_project_source_repo_oauth_configured
- codecommit_approval_rule_template_number_of_approval_2
- codepipeline_artifacts_encrypted_with_kms_cmk
- comprehend_entity_recognizer_model_encrypted_with_kms_cmk
- comprehend_entity_recognizer_volume_encrypted_with_kms_cmk
- config_aggregator_enabled_all_regions
- connect_instance_kinesis_video_stream_storage_config_encrypted_with_kms_cmk
- connect_instance_s3_storage_config_encrypted_with_kms_cmk
- datasync_location_object_storage_expose_secret
- dax_cluster_encryption_at_rest_enabled
- dax_cluster_endpoint_encryption_tls_enabled
- dlm_lifecycle_policy_events_cross_region_encrypted_with_kms_cmk
- dlm_lifecycle_policy_events_cross_region_encryption_enabled
- dlm_schedule_cross_region_encrypted_with_kms_cmk
- dlm_schedule_cross_region_encryption_enabled
- dms_replication_instance_automatic_minor_version_upgrade_enabled
- dms_replication_instance_encrypted_with_kms_cmk
- dms_replication_instance_not_publicly_accessible
- dms_s3_endpoint_encrypted_with_kms_cmk
- docdb_cluster_audit_logs_enabled
- docdb_cluster_backup_retention_period_7
- docdb_cluster_encrypted_with_kms
- docdb_cluster_log_exports_enabled
- docdb_cluster_paramater_group_logging_enabled
- docdb_cluster_parameter_group_tls_enabled
- docdb_global_cluster_encrypted
- dynamodb_table_encrypted_with_kms_cmk
- dynamodb_table_encryption_enabled
- dynamodb_table_point_in_time_recovery_enabled
- dynamodb_vpc_endpoint_routetable_association
- ebs_snapshot_copy_encrypted_with_kms_cmk
- ebs_volume_encryption_at_rest_enabled
- ec2_ami_copy_encrypted_with_kms_cmk
- ec2_ami_copy_encryption_enabled
- ec2_ami_encryption_enabled
- ec2_ami_imagebuilder_component_encrypted_with_kms_cmk
- ec2_ami_imagebuilder_distribution_configuration_encrypted_with_kms_cmk
- ec2_ami_imagebuilder_image_recipe_encrypted_with_kms_cmk
- ec2_ami_launch_permission_restricted
- ec2_classic_lb_connection_draining_enabled
- ec2_ebs_default_encryption_enabled
- ec2_instance_detailed_monitoring_enabled
- ec2_instance_ebs_encryption_check
- ec2_instance_ebs_optimized
- ec2_instance_not_publicly_accessible
- ec2_instance_not_use_default_vpc
- ec2_instance_not_use_multiple_enis
- ec2_instance_termination_protection_enabled
- ec2_instance_user_data_no_secrets
- ec2_instance_uses_imdsv2
- ec2_launch_configuration_ebs_encryption_check
- ec2_launch_configuration_metadata_hop_limit_check
- ec2_launch_template_metadata_hop_limit_check
- ecr_repository_encrypted_with_kms
- ecr_repository_policy_prohibit_public_access
- ecr_repository_tags_immutable
- ecr_repository_use_image_scanning
- ecs_cluster_container_insights_enabled
- ecs_cluster_logging_enabled
- ecs_cluster_logging_encrypted_with_kms_cmk
- ecs_service_fargate_uses_latest_version
- ecs_task_definition_container_non_privileged
- ecs_task_definition_container_readonly_root_filesystem
- ecs_task_definition_encryption_in_transit_enabled
- ecs_task_definition_no_host_pid_mode
- ecs_task_definition_role_check
- efs_access_point_has_root_directory
- efs_access_point_has_user_identity
- efs_file_system_automatic_backups_enabled
- efs_file_system_encrypt_data_at_rest
- efs_file_system_encrypted_with_kms_cmk
- eks_cluster_control_plane_logging_enabled
- eks_cluster_endpoint_restrict_public_access
- eks_cluster_log_types_enabled
- eks_cluster_node_group_ssh_access_from_internet
- eks_cluster_run_on_supported_kubernetes_version
- eks_cluster_secrets_encrypted
- elasticache_cluster_has_subnet_group
- elasticache_redis_cluster_auto_minor_version_upgrade
- elasticache_redis_cluster_automatic_backup_retention_15_days
- elasticache_replication_group_encrypted_with_kms_cmk
- elasticache_replication_group_encryption_at_rest_enabled
- elasticache_replication_group_encryption_in_transit_enabled
- elasticache_replication_group_encryption_in_transit_enabled_auth_token
- elasticbeanstalk_environment_use_enhanced_health_checks
- elasticbeanstalk_environment_use_managed_updates
- elb_application_classic_network_lb_logging_enabled
- elb_application_lb_deletion_protection_enabled
- elb_application_lb_drop_http_headers
- elb_application_lb_drop_invalid_header_fields
- elb_application_lb_waf_enabled
- elb_application_network_gateway_lb_cross_zone_load_balancing_enabled
- elb_application_network_gateway_lb_use_desync_mitigation_mode
- elb_classic_lb_cross_zone_load_balancing_enabled
- elb_classic_lb_use_desync_mitigation_mode
- elb_classic_lb_use_ssl_certificate
- elb_classic_lb_use_tls_https_listeners
- elb_lb_target_group_use_health_check
- elb_lb_use_secure_protocol_listener
- emr_cluster_kerberos_enabled
- emr_cluster_security_configuration_ebs_encryption_enabled
- emr_cluster_security_configuration_encryption_in_transit_enabled
- emr_cluster_security_configuration_encryption_uses_sse_kms
- emr_cluster_security_configuration_local_disk_encryption_enabled
- es_domain_audit_logging_enabled
- es_domain_data_nodes_min_3
- es_domain_dedicated_master_nodes_min_3
- es_domain_encrypted_using_tls_1_2
- es_domain_encrypted_with_kms_cmk
- es_domain_encryption_at_rest_enabled
- es_domain_enforce_https
- es_domain_error_logging_enabled
- es_domain_in_vpc
- es_domain_logs_to_cloudwatch
- es_domain_node_to_node_encryption_enabled
- es_domain_use_default_security_group
- eventbridge_scheduler_schedule_encrypted_with_kms_cmk
- fsx_lustre_file_system_encrypted_with_kms_cmk
- fsx_ontap_file_system_encrypted_with_kms_cmk
- fsx_openzfs_file_system_encrypted_with_kms_cmk
- fsx_windows_file_system_encrypted_with_kms_cmk
- glacier_vault_restrict_public_access
- globalaccelerator_flow_logs_enabled
- glue_crawler_security_configuration_enabled
- glue_data_catalog_encryption_enabled
- glue_dev_endpoint_security_configuration_enabled
- glue_job_security_configuration_enabled
- glue_security_configuration_encryption_enabled
- guardduty_enabled
- iam_account_password_policy_min_length_14
- iam_account_password_policy_one_lowercase_letter
- iam_account_password_policy_one_number
- iam_account_password_policy_one_symbol
- iam_account_password_policy_one_uppercase_letter
- iam_account_password_policy_reuse_24
- iam_account_password_policy_strong
- iam_account_password_policy_strong_min_length_8
- iam_password_policy_expire_90
- kendra_index_server_side_encryption_uses_kms_cmk
- keyspaces_table_encrypted_with_kms_cmk
- kinesis_firehose_delivery_stream_encrypted_with_kms_cmk
- kinesis_firehose_delivery_stream_server_side_encryption_enabled
- kinesis_stream_encrypted_with_kms_cmk
- kinesis_stream_encryption_at_rest_enabled
- kinesis_video_stream_encrypted_with_kms_cmk
- kms_cmk_rotation_enabled
- lambda_function_code_signing_configured
- lambda_function_concurrent_execution_limit_configured
- lambda_function_dead_letter_queue_configured
- lambda_function_environment_encryption_enabled
- lambda_function_in_vpc
- lambda_function_url_auth_type_configured
- lambda_function_use_latest_runtime
- lambda_function_variables_no_sensitive_data
- lambda_function_xray_tracing_enabled
- lambda_permission_restricted_service_permission
- log_group_encryption_at_rest_enabled
- memorydb_cluster_encrypted_with_kms_cmk
- memorydb_cluster_transit_encryption_enabled
- memorydb_snapshot_encrypted_with_kms_cmk
- mq_broker_audit_logging_enabled
- mq_broker_automatic_minor_upgrade_enabled
- mq_broker_currect_broker_version
- mq_broker_encrypted_with_kms_cmk
- mq_broker_general_logging_enabled
- mq_broker_publicly_accessible
- msk_cluster_encrypted_with_kms_cmk
- msk_cluster_encryption_in_transit_enabled
- msk_cluster_logging_enabled
- msk_cluster_nodes_publicly_accessible
- mwaa_environment_scheduler_logs_enabled
- mwaa_environment_webserver_logs_enabled
- mwaa_environment_worker_logs_enabled
- neptune_cluster_backup_retention_period_7
- neptune_cluster_copy_tags_to_snapshot_enabled
- neptune_cluster_encrypted_with_kms_cmk
- neptune_cluster_encryption_at_rest_enabled
- neptune_cluster_iam_authentication_enabled
- neptune_cluster_instance_publicly_accessible
- neptune_cluster_logging_enabled
- neptune_snapshot_encrypted_with_kms_cmk
- neptune_snapshot_storage_encryption_enabled
- opensearch_domain_encrpted_with_kms_cmk
- opensearch_domain_enforce_https
- opensearch_domain_use_default_security_group
- qldb_ledger_deletion_protection_enabled
- qldb_ledger_permission_mode_set_to_standard
- rds_cluster_activity_stream_encrypted_with_kms_cmk
- rds_db_cluster_aurora_backtracking_enabled
- rds_db_cluster_copy_tags_to_snapshot_enabled
- rds_db_cluster_deletion_protection_enabled
- rds_db_cluster_encrypted_with_kms_cmk
- rds_db_cluster_encryption_enabled
- rds_db_cluster_events_subscription
- rds_db_cluster_iam_authentication_enabled
- rds_db_cluster_instance_automatic_minor_version_upgrade_enabled
- rds_db_cluster_instance_performance_insights_enabled
- rds_db_cluster_instance_performance_insights_encrypted_with_kms_cmk
- rds_db_cluster_multiple_az_enabled
- rds_db_instance_and_cluster_enhanced_monitoring_enabled
- rds_db_instance_and_cluster_no_default_port
- rds_db_instance_automatic_minor_version_upgrade_enabled
- rds_db_instance_backup_enabled
- rds_db_instance_copy_tags_to_snapshot_enabled
- rds_db_instance_deletion_protection_enabled
- rds_db_instance_encryption_at_rest_enabled
- rds_db_instance_events_subscription
- rds_db_instance_iam_authentication_enabled
- rds_db_instance_logging_enabled
- rds_db_instance_multiple_az_enabled
- rds_db_instance_performance_insights_enabled
- rds_db_instance_performance_insights_encrypted_with_kms_cmk
- rds_db_instance_prohibit_public_access
- rds_db_instance_uses_recent_ca_certificate
- rds_db_parameter_group_events_subscription
- rds_db_security_group_events_subscription
- rds_db_snapshot_copy_encrypted_with_kms_cmk
- rds_db_snapshot_not_publicly_accesible
- rds_global_cluster_encryption_enabled
- rds_mysql_db_cluster_audit_logging_enabled
- redshift_cluster_automatic_snapshots_min_7_days
- redshift_cluster_automatic_upgrade_major_versions_enabled
- redshift_cluster_deployed_in_ec2_classic_mode
- redshift_cluster_encryption_enabled
- redshift_cluster_encryption_logging_enabled
- redshift_cluster_enhanced_vpc_routing_enabled
- redshift_cluster_kms_enabled
- redshift_cluster_logging_enabled
- redshift_cluster_maintenance_settings_check
- redshift_cluster_no_default_database_name
- redshift_cluster_prohibit_public_access
- redshift_serverless_namespace_encrypted_with_kms_cmk
- redshift_snapshot_copy_grant_encrypted_with_kms_cmk
- s3_bucket_abort_incomplete_multipart_upload_enabled
- s3_bucket_block_public_policy_enabled
- s3_bucket_cross_region_replication_enabled
- s3_bucket_default_encryption_enabled
- s3_bucket_default_encryption_enabled_kms
- s3_bucket_ignore_public_acls_enabled
- s3_bucket_logging_enabled
- s3_bucket_mfa_delete_enabled
- s3_bucket_object_copy_encrypted_with_kms_cmk
- s3_bucket_object_encrypted_with_kms_cmk
- s3_bucket_object_lock_enabled
- s3_bucket_public_access_blocked
- s3_bucket_versioning_enabled
- s3_public_access_block_account
- sagemaker_domain_encrypted_with_kms_cmk
- sagemaker_endpoint_configuration_encryption_at_rest_enabled
- sagemaker_notebook_instance_direct_internet_access_disabled
- sagemaker_notebook_instance_encryption_at_rest_enabled
- sagemaker_notebook_instance_in_vpc
- sagemaker_notebook_instance_root_access_disabled
- secretsmanager_secret_automatic_rotation_enabled
- secretsmanager_secret_automatic_rotation_lambda_enabled
- secretsmanager_secret_encrypted_with_kms_cmk
- ses_configuration_set_tls_enforced
- sfn_state_machine_execution_history_logging_enabled
- sfn_state_machine_xray_tracing_enabled
- sns_topic_encrypted_at_rest
- sns_topic_policy_restrict_public_access
- sqs_queue_encrypted_at_rest
- sqs_queue_policy_no_action_star
- sqs_queue_policy_no_principal_star
- sqs_vpc_endpoint_without_dns_resolution
- ssm_document_prohibit_public_access
- ssm_parameter_encrypted_with_kms_cmk
- timestream_database_encrypted_with_kms_cmk
- vpc_default_security_group_restricts_all_traffic
- vpc_ec2_transit_gateway_auto_accept_attachment_requests_disabled
- vpc_eip_associated
- vpc_endpoint_service_acceptance_enabled
- vpc_flow_logs_enabled
- vpc_igw_attached_to_authorized_vpc
- vpc_network_acl_allow_ftp_port_20_ingress
- vpc_network_acl_allow_ftp_port_21_ingress
- vpc_network_acl_allow_rdp_port_3389_ingress
- vpc_network_acl_allow_ssh_port_22_ingress
- vpc_network_acl_rule_restrict_ingress_ports_all
- vpc_network_acl_unused
- vpc_network_firewall_deletion_protection_enabled
- vpc_network_firewall_encrypted_with_kms_cmk
- vpc_network_firewall_policy_encrypted_with_kms_cmk
- vpc_network_firewall_rule_group_encrypted_with_kms_cmk
- vpc_security_group_associated_to_eni
- vpc_security_group_description_for_rules
- vpc_security_group_restrict_ingress_rdp_all
- vpc_security_group_restrict_ingress_ssh_all
- vpc_security_group_rule_description_for_rules
- vpc_subnet_auto_assign_public_ip_disabled
- vpc_transfer_server_allows_only_secure_protocols
- vpc_transfer_server_not_publicly_accesible
- waf_regional_web_acl_logging_enabled
- waf_regional_web_acl_rule_attached
- waf_regional_web_acl_rule_with_action
- waf_web_acl_logging_enabled
- waf_web_acl_rule_attached
- waf_web_acl_rule_with_action
- wafv2_web_acl_rule_attached
- workspace_root_volume_encryption_at_rest_enabled
- workspace_user_volume_encryption_at_rest_enabled