diff --git a/cid/builtin/core/data/queries/shared/ta_descriptions.sql b/cid/builtin/core/data/queries/shared/ta_descriptions.sql
index bdfe62d9..53e1a633 100644
--- a/cid/builtin/core/data/queries/shared/ta_descriptions.sql
+++ b/cid/builtin/core/data/queries/shared/ta_descriptions.sql 
@@ -3,492 +3,506 @@ SELECT * FROM ( VALUES
- ROW('c18d2gz134', 'en', 'Amazon Redshift cluster audit logging', 'Checks if your Amazon Redshift clusters have database audit logging turned on.')
-, ROW('rSs93HQwa1', 'en', 'Amazon RDS Public Snapshots', 'Checks the permission settings for your Amazon Relational Database Service (Amazon RDS) DB snapshots and alerts you if any snapshots are marked as public.')
-, ROW('c18d2gz131', 'en', 'Amazon Aurora MySQL cluster backtracking not enabled', 'Checks if an Amazon Aurora MySQL cluster has backtracking enabled.')
-, ROW('dx3xfbjfMr', 'en', 'Route 53 Traffic Policies', 'Checks for usage that is more than 80% of the Route 53 Traffic Policies Limit per account.')
-, ROW('gH5CC0e3J9', 'en', 'EBS Cold HDD (sc1) Volume Storage', 'Checks for usage that is more than 80% of the EBS Cold HDD (sc1) Volume Storage Limit.')
-, ROW('c18d2gz138', 'en', 'Amazon DynamoDB Point-in-time Recovery', 'Checks if point-in time-recovery is enabled for your Amazon DynamoDB tables.')
-, ROW('c18d2gz135', 'en', 'Amazon Redshift cluster automated snapshots', 'Checks if automated snapshots are enabled for your Amazon Redshift clusters.')
-, ROW('c18d2gz136', 'en', 'Amazon DynamoDB Auto Scaling Not Enabled', 'Checks if your Amazon DynamoDB tables and global secondary indexes have auto scaling or on-demand enabled.')
-, ROW('cF171Db240', 'en', 'Amazon Route 53 Name Server Delegations', 'Checks for Amazon Route 53 hosted zones for which your domain registrar or DNS is not using the correct Route 53 name servers.')
-, ROW('c18d2gz122', 'en', 'Amazon VPC Without Flow Logs', 'Checks if Amazon VPC Flow Logs are created for a VPC.')
-, ROW('c18d2gz123', 'en', 'AWS Site-to-Site VPN has at least one Tunnel in DOWN Status', 'Checks the number of tunnels that are active for each of your AWS Site-to-Site VPNs.')
-, ROW('cG7HH0l7J9', 'en', 'EBS Magnetic (standard) Volume Storage', 'Checks for usage that is more than 80% of the EBS Magnetic (standard) Volume Storage 
Limit.') -, ROW('c18d2gz121', 'en', 'Amazon SNS Topics Not Logging Message Delivery Status', 'Checks if Amazon Simple Notification Service (SNS) topics have message delivery status logging turned on.') -, ROW('sU7XX0l7J9', 'en', 'IAM Group', 'Checks for usage that is more than 80% of the IAM Group Limit.') -, ROW('c18d2gz128', 'en', 'Amazon ECR Repository Without Lifecycle Policy Configured', 'Checks if a private Amazon ECR repository has at least one lifecycle policy configured.') -, ROW('c18d2gz129', 'en', 'Amazon ECR Repository With Tag Immutability Disabled', 'Checks if a private Amazon ECR repository has image tag immutability turned on.') -, ROW('c18d2gz126', 'en', 'Amazon API Gateway REST APIs Without X-Ray Tracing Enabled', 'Checks if Amazon API Gateway REST APIs have AWS X-Ray tracing turned on.') -, ROW('c18d2gz127', 'en', 'AWS Account Not Part of AWS Organizations', 'Checks if an AWS account is part of AWS Organizations under the appropriate management account.') -, ROW('c18d2gz124', 'en', 'Amazon VPC Peering Connections With DNS Resolution Disabled', 'Checks if your VPC peering connections have DNS resolution turned on for both the acceptor and requester VPCs.') -, ROW('c18d2gz125', 'en', 'Amazon API Gateway Not Logging Execution Logs', 'Checks if Amazon API Gateway has Amazon CloudWatch Logs turned on.') -, ROW('COr6dfpM04', 'en', 'Amazon EBS under-provisioned volumes', 'Checks the Amazon Elastic Block Storage (Amazon EBS) volumes that were running at any time during the lookback period.') -, ROW('COr6dfpM03', 'en', 'Amazon EBS over-provisioned volumes', 'Checks the Amazon Elastic Block Storage (Amazon EBS) volumes that were running at any time during the lookback period.') -, ROW('jtlIMO3qZM', 'en', 'RDS Cluster Parameter Groups', 'Checks for usage that is more than 80% of the RDS Cluster Parameter Groups Limit.') -, ROW('COr6dfpM06', 'en', 'AWS Lambda under-provisioned functions for memory size', 'Checks the AWS Lambda functions that were invoked at 
least once during the lookback period.') -, ROW('COr6dfpM05', 'en', 'AWS Lambda over-provisioned functions for memory size', 'Checks the AWS Lambda functions that were invoked at least once during the lookback period.') -, ROW('f2iK5R6Dep', 'en', 'Amazon RDS Multi-AZ', 'Checks for DB instances that are deployed in a single Availability Zone.') -, ROW('jEhCtdJKOY', 'en', 'RDS Subnets per Subnet Group', 'Checks for usage that is more than 80% of the RDS Subnets per Subnet Group Limit.') -, ROW('a2sEc6ILx', 'en', 'ELB Listener Security', 'Checks for load balancers with listeners that do not use recommended security configurations for encrypted communication.') -, ROW('c18d2gz111', 'en', 'AWS CloudFormation Stack Notification', 'Checks if all of your AWS CloudFormation stacks use Amazon SNS to receive notifications when an event occurs.') -, ROW('ePs02jT06w', 'en', 'Amazon EBS Public Snapshots', 'Checks the permission settings for your Amazon Elastic Block Store (Amazon EBS) volume snapshots and alerts you if any snapshots are publicly accessible.') -, ROW('c18d2gz112', 'en', 'Amazon CloudFront Origin Failover', 'Checks that an origin group is configured for distributions that include two origins in Amazon CloudFront.') -, ROW('R365s2Qddf', 'en', 'Amazon S3 Bucket Versioning', 'Checks for Amazon Simple Storage Service buckets that do not have versioning enabled, or have versioning suspended.') -, ROW('c18d2gz110', 'en', 'Amazon CloudFront Access Log Configured', 'Checks if Amazon CloudFront distributions are configured to capture information from Amazon S3server access logs.') -, ROW('Wxdfp4B1L2', 'en', 'AWS Well-Architected high risk issues for performance efficiency', 'Checks for high risk issues (HRIs) for your workloads in the performance pillar.') -, ROW('c18d2gz119', 'en', 'Amazon S3 Bucket Replication Not Enabled', 'Checks if your Amazon S3 buckets have replication rules enabled for Cross-Region Replication, Same-Region Replication, or both.') -, 
ROW('Wxdfp4B1L3', 'en', 'AWS Well-Architected high risk issues for security', 'Checks for high risk issues (HRIs) for your workloads in the security pillar.') -, ROW('Wxdfp4B1L4', 'en', 'AWS Well-Architected high risk issues for reliability', 'Checks for high risk issues (HRIs) for your workloads in the Reliability pillar.') -, ROW('c18d2gz117', 'en', 'Amazon EFS not in AWS Backup Plan', 'Checks if Amazon EFS file systems are included in backup plans with AWS Backup.') -, ROW('c18d2gz115', 'en', 'AWS CodeDeploy Lambda is using all at-once deployment configuration', 'Checks if the AWS CodeDeploy deployment group for AWS Lambda compute platform is using all-at-once deployment configuration.') -, ROW('c18d2gz113', 'en', 'AWS CodeBuild Project Logging', 'Checks If the AWS CodeBuild project environment uses logging.') -, ROW('Wxdfp4B1L1', 'en', 'AWS Well-Architected high risk issues for cost optimization', 'Checks for high risk issues (HRIs) for your workloads in the cost optimization pillar.') -, ROW('c18d2gz114', 'en', 'AWS CodeDeploy Auto Rollback and Monitor Enabled', 'Checks if the deployment group is configured with automatic deployment rollback and deployment monitoring with alarms attached.') -, ROW('opQPADkZvH', 'en', 'Amazon RDS Backups', 'Checks for automated backups of Amazon RDS DB instances.') -, ROW('vjafUGJ9H0', 'en', 'AWS CloudTrail Logging', 'Checks for your use of AWS CloudTrail.') -, ROW('7fuccf1Mx7', 'en', 'RDS Cluster Roles', 'Checks for usage that is more than 80% of the RDS Cluster Roles Limit.') -, ROW('c18d2gz100', 'en', 'Amazon S3 Bucket Lifecycle Policy Configured', 'Checks if an Amazon S3 bucket has a lifecycle policy configured.') -, ROW('c18d2gz101', 'en', 'Amazon EC2 AutoScaling Group Multiple Availability Zone', 'Checks if the Amazon EC2 Auto Scaling group is deployed in multiple Availability Zones or the minimum number of Avalability Zones specified.') -, ROW('c18d2gz108', 'en', 'AWS Elastic Beanstalk Enhanced Health Reporting Is Not 
Configured', 'Checks if an AWS Elastic Beanstalk environment is configured for enhanced health reporting.') -, ROW('c18d2gz109', 'en', 'Amazon CloudWatch Alarm action is disabled', 'Checks if your Amazon CloudWatch alarm action is in a disabled state.') -, ROW('c18d2gz106', 'en', 'Amazon EBS Not Included in AWS Backup Plan', 'Check if Amazon Elastic Block Store (Amazon EBS) volumes are present in backup plans of AWS Backup.') -, ROW('c18d2gz107', 'en', 'Amazon DynamoDB Table Not Included in Backup Plan', 'Checks whether Amazon DynamoDB table is part of AWS Backup plan.') -, ROW('c18d2gz104', 'en', 'Amazon EC2 Auto Scaling Group does not have ELB Health Check Enabled', 'Checks if your Amazon EC2 Auto Scaling groups that are associated with a Classic Load Balancer are using Elastic Load Balancing (ELB) health checks.') -, ROW('c18d2gz105', 'en', 'Network Load Balancers Cross Load Balancing', 'Checks if cross-zone load balancing is enabled on Network Load Balancers (NLBs)

Cross-zone load balancing ensures even distribution of incoming traffic across instances in different Availability Zones.') -, ROW('hc0dfs7601', 'en', 'AWS CloudHSM clusters running HSM instances in a single AZ', 'Checks your clusters that run HSM instances in a single Availability Zone (AZ).') -, ROW('c18d2gz102', 'en', 'Amazon EC2 Auto Scaling Group is not Associated with a Launch Template', 'Checks if an Amazon EC2 Auto Scaling group is created from an EC2 launch template.') -, ROW('c18d2gz103', 'en', 'Amazon EC2 Auto Scaling Group has Capacity Rebalancing Enabled', 'Checks if Capacity Rebalancing is enabled for Amazon EC2 Auto Scaling groups that use multiple instance types.') -, ROW('7DAFEmoDos', 'en', 'MFA on Root Account', 'Checks the root account and warns if multi-factor authentication (MFA) is not enabled.') -, ROW('Hs4Ma3G191', 'en', 'RDS cluster snapshots and database snapshots should be encrypted at rest', 'Checks if Amazon RDS cluster snapshots and database snapshots are encrypted.') -, ROW('Hs4Ma3G192', 'en', 'RDS DB Instances should prohibit public access, determined by the PubliclyAccessible configuration', 'Checks if RDS instances are publicly accessible by evaluating the publiclyAccessible field in the instance configuration item.') -, ROW('Hs4Ma3G193', 'en', 'RDS DB instances should have encryption at-rest enabled', 'Checks if storage encryption is enabled for your RDS DB instances.') -, ROW('Hs4Ma3G194', 'en', 'RDS snapshot should be private', 'Checks if Amazon Relational Database Service (Amazon RDS) snapshots are public.') -, ROW('B913Ef6fb4', 'en', 'Amazon Route 53 Alias Resource Record Sets', 'Checks for resource record sets that can be changed to alias resource record sets to improve performance and save money.') -, ROW('Hs4Ma3G196', 'en', 'AWS Config should be enabled', 'Checks if the Config service is enabled in the account for the local region and is recording all resources.') -, ROW('Chrv231ch1', 'en', 'Amazon Route53 Resolver Endpoint 
Availability Zone Redundancy', 'Checks to see if your service configuration has IP addresses specified in at least two Availability Zones (AZs) for redundancy.') -, ROW('Hs4Ma3G197', 'en', 'Amazon Elasticsearch Service domains should have encryption at-rest enabled', 'Checks whether Amazon Elasticsearch Service domains have encryption at rest configuration enabled.') -, ROW('Hs4Ma3G198', 'en', 'RDS DB instances should have deletion protection enabled', 'Checks if RDS DB instances have deletion protection enabled.') -, ROW('1iG5NDGVre', 'en', 'Security Groups - Unrestricted Access', 'Checks security groups for rules that allow unrestricted access to a resource.') -, ROW('Hs4Ma3G190', 'en', 'RDS clusters should have deletion protection enabled', 'Checks if RDS clusters have deletion protection enabled.') -, ROW('nNauJisYIT', 'en', 'Amazon RDS Security Group Access Risk', 'Checks security group configurations for Amazon Relational Database Service (Amazon RDS) and warns when a security group rule might grant overly permissive access to your database.') -, ROW('Hs4Ma3G188', 'en', 'GuardDuty should be enabled', 'Checks if Amazon GuardDuty is enabled in your AWS account and region.') -, ROW('Hs4Ma3G189', 'en', 'Enhanced monitoring should be configured for RDS DB instances', 'Checks if enhanced monitoring is enabled for your RDS DB instances.') -, ROW('1e93e4c0b5', 'en', 'Amazon EC2 Reserved Instance Lease Expiration', 'Checks for Amazon EC2 Reserved Instances that are scheduled to expire within the next 30 days or have expired in the preceding 30 days.') -, ROW('C056F80cR3', 'en', 'Amazon Route 53 High TTL Resource Record Sets', 'Checks for resource record sets that can benefit from having a lower time-to-live (TTL) value.') -, ROW('6gtQddfEw6', 'en', 'DynamoDB Read Capacity', 'Checks for usage that is more than 80% of the DynamoDB Provisioned Throughput Limit for Reads per Account.') -, ROW('Hs4Ma3G199', 'en', 'Database logging should be enabled', 'Checks if the 
following Amazon RDS logs are enabled and sent to CloudWatch Logs: Oracle: (Alert, Audit, Trace, Listener), PostgreSQL: (Postgresql, Upgrade), MySQL: (Audit, Error, General, SlowQuery), MariaDB: (Audit, Error, General, SlowQuery), SQL Server: (Error, Agent), Aurora: (Audit, Error, General, SlowQuery), Aurora-MySQL: (Audit, Error, General, SlowQuery), Aurora-PostgreSQL: (Postgresql).') -, ROW('c1dfptbg10', 'en', 'NAT Gateway AZ Independence', 'Checks if your NAT Gateways are configured with Availability Zone (AZ) independence.') -, ROW('c1dfptbg11', 'en', 'Single AZ Application Check', 'Checks through network patterns if your egress network traffic is routing through a single Availability Zone (AZ).') -, ROW('XG0aXHpIEt', 'en', 'RDS DB Instances', 'Checks for usage that is more than 80% of the RDS DB Instances Limit.') -, ROW('Hs4Ma3G290', 'en', 'ElastiCache clusters should not use the default subnet group', 'Checks if ElastiCache clusters are configured with a custom subnet group.') -, ROW('Hs4Ma3G170', 'en', 'S3 Block Public Access setting should be enabled', 'Checks if the following public access block settings are configured from account level: ignorePublicAcls: True, blockPublicPolicy: True, blockPublicAcls: True, restrictPublicBuckets: True.') -, ROW('Hs4Ma3G291', 'en', 'Elastic Beanstalk should stream logs to CloudWatch', 'Checks if an AWS Elastic Beanstalk environment is configured to send logs to CloudWatch Logs.') -, ROW('Hs4Ma3G171', 'en', 'S3 buckets should prohibit public read access', 'Checks if your S3 buckets allow public read access by evaluating the Block Public Access settings, the bucket policy, and the bucket access check list (ACL).') -, ROW('Hs4Ma3G292', 'en', 'Redshift clusters should be encrypted at rest', 'Checks if an Amazon Redshift cluster is encrypted at rest.') -, ROW('Hs4Ma3G172', 'en', 'S3 buckets should prohibit public write access', 'Checks if your S3 buckets allow public write access by evaluating the Block Public Access settings, 
the bucket policy, and the bucket access check list (ACL).') -, ROW('Hs4Ma3G293', 'en', 'Step Functions state machines should have logging turned on', 'This controls assesses if an AWS Step Functions state machine has logging turned on.') -, ROW('Hs4Ma3G173', 'en', 'S3 Block Public Access setting should be enabled at the bucket-level', 'Checks if Amazon S3 buckets have bucket level public access blocks applied.') -, ROW('Hs4Ma3G294', 'en', 'Athena workgroups should be encrypted at rest', 'Checks if an Athena workgroup is encrypted at rest.') -, ROW('c1z7dfpz01', 'en', 'Amazon ECS service using a single AZ', 'Checks that your service configuration uses a single Availability Zone (AZ).') -, ROW('Hs4Ma3G174', 'en', 'CodeBuild GitHub or Bitbucket source repository URLs should use OAuth', 'Checks if the GitHub or Bitbucket source repository URL contains either personal access tokens or user name and password.') -, ROW('Hs4Ma3G295', 'en', 'Amazon DocumentDB clusters should be encrypted at rest', 'Checks if an Amazon DocumentDB cluster is encrypted at rest.') -, ROW('c1z7dfpz02', 'en', 'Amazon ECS Multi-AZ placement strategy', 'Checks that your Amazon ECS service uses the spread placement strategy based on availability zone.') -, ROW('Hs4Ma3G175', 'en', 'CodeBuild project environment variables should not contain clear text credentials', 'Checks if the project contains environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.') -, ROW('Hs4Ma3G296', 'en', 'Neptune DB clusters should be encrypted at rest', 'Checks if a Neptune DB cluster is encrypted at rest.') -, ROW('CLOG40CDO8', 'en', 'Auto Scaling Group Health Check', 'Examines the health check configuration for Auto Scaling groups.') -, ROW('Hs4Ma3G176', 'en', 'ACM certificates should be renewed after a specified time period', 'Checks if ACM Certificates in your account are marked for expiration within a specified time period.') -, ROW('Hs4Ma3G297', 'en', 'Neptune DB clusters should publish audit logs to 
CloudWatch Logs', 'Checks if a Neptune DB cluster publishes audit logs to Amazon CloudWatch Logs.') -, ROW('aW9HH0l8J6', 'en', 'EC2-Classic Elastic IP Addresses', 'Checks for usage that is more than 80% of the EC2-Classic Elastic IP Addresses Limit.') -, ROW('iK7OO0l7J9', 'en', 'ELB Classic Load Balancers', 'Checks for usage that is more than 80% of the ELB Classic Load Balancers.') -, ROW('wH7DD0l3J9', 'en', 'EBS Throughput Optimized HDD (st1) Volume Storage', 'Checks for usage that is more than 80% of the EBS Throughput Optimized HDD (st1) Volume Storage Limit.') -, ROW('Hs4Ma3G166', 'en', 'An RDS event notifications subscription should be configured for critical cluster events', 'Checks if an Amazon RDS Event subscription for RDS clusters is configured to notify on event categories of both "maintenance" and "failure".') -, ROW('Hs4Ma3G287', 'en', 'ElastiCache replication groups should have encryption-at-rest enabled', 'Checks if ElastiCache replication groups have encryption-at-rest enabled.') -, ROW('Hs4Ma3G288', 'en', 'ElastiCache replication groups should have encryption-in-transit enabled', 'Checks if ElastiCache replication groups have encryption-in-transit enabled.') -, ROW('Hs4Ma3G168', 'en', 'S3 buckets should require requests to use Secure Socket Layer', 'Checks if S3 buckets have policies that require requests to use Secure Socket Layer (SSL).') -, ROW('Hs4Ma3G289', 'en', 'ElastiCache replication groups of earlier Redis versions should have Redis AUTH enabled', 'Checks if ElastiCache replication groups have Redis AUTH enabled.') -, ROW('Hs4Ma3G169', 'en', 'S3 permissions granted to other AWS accounts in bucket policies should be restricted', 'Checks if the S3 bucket policy allows sensitive bucket-level or object-level actions from a principal in another AWS account.') -, ROW('Hs4Ma3G180', 'en', 'Amazon Elasticsearch Service domain error logging to CloudWatch Logs should be enabled', 'Checks whether Amazon Elasticsearch Service domains are configured to 
send error logs to CloudWatch Logs.') -, ROW('Hs4Ma3G181', 'en', 'Classic Load Balancers with SSL/HTTPS listeners should use a certificate provided by AWS Certificate Manager', 'Checks if a Classic Load Balancer uses HTTPS/SSL certificates provided by AWS Certificate Manager.') -, ROW('1qazXsw23e', 'en', 'Amazon Relational Database Service (RDS) Reserved Instance Optimization', 'Checks your usage of RDS and provides recommendations on purchase of Reserved Instances to help reduce costs incurred from using RDS On-Demand.') -, ROW('Hs4Ma3G182', 'en', 'Classic Load Balancer listeners should be configured with HTTPS or TLS termination', 'Checks if your Classic Load Balancer listeners are configured with HTTPS or TLS protocol for front-end (client to load balancer) connections.') -, ROW('Hs4Ma3G183', 'en', 'Application load balancer should be configured to drop http headers', 'This check evaluates AWS Application Load Balancers (ALB) to ensure they are configured to drop http headers.') -, ROW('Hs4Ma3G184', 'en', 'Application and Classic Load Balancers logging should be enabled', 'Checks if the Application Load Balancer and the Classic Load Balancer have logging enabled.') -, ROW('Hs4Ma3G185', 'en', 'IAM customer managed policies that you create should not allow wildcard actions for services', 'Checks if the IAM identity-based custom policies have Allow statements that grant permissions for all actions on a service.') -, ROW('Hs4Ma3G186', 'en', 'AWS WAF Classic Global Web ACL logging should be enabled', 'Checks if logging is enabled for a WAF global Web ACL.') -, ROW('Hs4Ma3G187', 'en', 'Connections to Amazon Elasticsearch Service domains should be encrypted using TLS 1.', '') -, ROW('Cmsvnj8db1', 'en', 'Amazon RDS ReplicaLag', 'Checks to see if the ReplicaLag CloudWatch metric for an RDS database instance has increased above an operationally reasonable threshold over the past day.') -, ROW('Cmsvnj8db2', 'en', 'Amazon RDS FreeStorageSpace', 'Checks to see if the 
FreeStorageSpace CloudWatch metric for an RDS database instance has increased above an operationally reasonable threshold.') -, ROW('Cmsvnj8db3', 'en', 'Amazon RDS DiskQueueDepth', 'Checks to see if the CloudWatch metric DiskQueueDepth shows that number of queued writes to the RDS Instance database storage has grown to a level where an operational investigation should be suggested.') -, ROW('hjLMh88uM8', 'en', 'Idle Load Balancers', 'Checks your Elastic Load Balancing configuration for load balancers that are not actively used.') -, ROW('Hs4Ma3G177', 'en', 'Auto scaling groups associated with a load balancer should use load balancer health checks', 'Checks if your Auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks.') -, ROW('Hs4Ma3G298', 'en', 'Neptune DB cluster snapshots should not be public', 'Checks if a Neptune manual DB cluster snapshot is public.') -, ROW('Hs4Ma3G178', 'en', 'Security groups should only allow unrestricted incoming traffic for authorized ports', 'Checks if the security groups allow unrestricted incoming traffic.') -, ROW('Hs4Ma3G299', 'en', 'Neptune DB clusters should have deletion protection enabled', 'Checks if a Neptune DB cluster has deletion protection enabled.') -, ROW('Cmsvnj8vf1', 'en', 'Amazon MSK brokers hosting too many partitions', 'Checks that the brokers of a Managed Streaming for Kafka (MSK) Cluster do not have more than the recommended number of partitions assigned.') -, ROW('Hs4Ma3G179', 'en', 'SNS topics should be encrypted at-rest using AWS KMS', 'Checks if an Amazon SNS topic is encrypted at rest using AWS KMS.') -, ROW('gI7MM0l7J2', 'en', 'EBS Provisioned IOPS SSD (io2) Volume Storage', 'Checks for usage that is more than 80% of the EBS Provisioned IOPS SSD (io2) Volume Storage Limit.') -, ROW('EM8b3yLRTr', 'en', 'ELB Application Load Balancers', 'Checks for usage that is more than 80% of the ELB Application Load Balancers Limit.') -, ROW('gI7MM0l7J9', 'en', 'EBS 
Provisioned IOPS SSD (io1) Volume Storage', 'Checks for usage that is more than 80% of the EBS Provisioned IOPS SSD (io1) Volume Storage Limit.') -, ROW('Ti39halfu8', 'en', 'Amazon RDS Idle DB Instances', 'Checks the configuration of your Amazon Relational Database Service (Amazon RDS) for any DB instances that appear to be idle.') -, ROW('1qw23er45t', 'en', 'Amazon Redshift Reserved Node Optimization', 'Checks your usage of Redshift and provides recommendations on purchase of Reserved Nodes to help reduce costs incurred from using Redshift On-Demand.') -, ROW('Cb877eB72b', 'en', 'Amazon Route 53 Deleted Health Checks', 'Checks for resource record sets that are associated with health checks that have been deleted.') -, ROW('796d6f3D83', 'en', 'CloudFront Content Delivery Optimization', 'Checks for cases where data transfer from Amazon Simple Storage Service (Amazon S3) buckets could be accelerated by using Amazon CloudFront, the AWS global content delivery service.') -, ROW('c15vnddn2x', 'en', 'Amazon DocumentDB Single-AZ clusters', 'Checks if there are Amazon DocumentDB clusters configured as Single-AZ.') -, ROW('Cm24dfsM13', 'en', 'Amazon Comprehend Endpoint Access Risk', 'Checks the AWS Key Management Service (AWS KMS) key permissions for an endpoint where the underlying model was encrypted by using customer managed keys.') -, ROW('Cm24dfsM12', 'en', 'Amazon Comprehend Underutilized Endpoints', 'Checks the throughput configuration of your endpoints.') -, ROW('bW7HH0l7J9', 'en', 'Kinesis Shards per Region', 'Checks for usage that is more than 80% of the Kinesis Shards per Region Limit.') -, ROW('dx3xfcdfMr', 'en', 'Route 53 Hosted Zones', 'Checks for usage that is more than 80% of the Route 53 Hosted Zones Limit per account.') -, ROW('PPkZrjsH2q', 'en', 'Amazon EBS Provisioned IOPS (SSD) Volume Attachment Configuration', 'Checks for Provisioned IOPS (SSD) volumes that are attached to an Amazon EBS-optimizable Amazon Elastic Compute Cloud (Amazon EC2) instance 
that is not EBS-optimized.') -, ROW('lN7RR0l7J9', 'en', 'EC2-VPC Elastic IP Address', 'Checks for usage that is more than 80% of the EC2-VPC Elastic IP Address Limit.') -, ROW('Z4AUBRNSmz', 'en', 'Unassociated Elastic IP Addresses', 'Checks for Elastic IP addresses (EIPs) that are not associated with a running Amazon Elastic Compute Cloud (Amazon EC2) instance.') -, ROW('Qch7DwouX1', 'en', 'Low Utilization Amazon EC2 Instances', 'Checks the Amazon Elastic Compute Cloud (Amazon EC2) instances that were running at any time during the last 14 days and alerts you if the daily CPU utilization was 10% or less and network I/O was 5 MB or less on 4 or more days.') -, ROW('G31sQ1E9U', 'en', 'Underutilized Amazon Redshift Clusters', 'Checks your Amazon Redshift configuration for clusters that appear to be underutilized.') -, ROW('h3L1otH3re', 'en', 'Amazon ElastiCache Reserved Node Optimization', 'Checks your usage of ElastiCache and provides recommendations on purchase of Reserved Nodes to help reduce costs incurred from using ElastiCache On-Demand.') -, ROW('N430c450f2', 'en', 'CloudFront SSL Certificate on the Origin Server', 'Checks your origin server for SSL certificates that are expired, about to expire, missing, or that use outdated encryption.') -, ROW('3Njm0DJQO9', 'en', 'RDS Option Groups', 'Checks for usage that is more than 80% of the RDS Option Groups Limit.') -, ROW('tV7YY0l7J9', 'en', 'EBS Provisioned IOPS (SSD) Volume Aggregate IOPS', 'Checks for usage that is more than 80% of the EBS Provisioned IOPS (SSD) Volume Aggregate IOPS Limit.') -, ROW('cIdfp1js9r', 'en', 'Number of AWS Regions in an Incident Manager replication set', 'Checks that an Incident Manager replication set"s configuration uses more than one AWS Region to support regional failover and response.') -, ROW('7qGXsKIUw', 'en', 'CLB Connection Draining', 'Checks for Classic load balancers that do not have connection draining enabled.') -, ROW('c1qf5bt010', 'en', 'Amazon RDS DB instances in the 
clusters with heterogeneous parameter groups', 'We recommend that all of the DB instances in the DB cluster use the same DB parameter group.') -, ROW('c1qf5bt014', 'en', 'Amazon RDS resources major versions update is required', 'Databases with the current major version for the DB engine won"t be supported.') -, ROW('c1qf5bt013', 'en', 'Amazon RDS DB instances have storage autoscaling turned off', 'Amazon RDS storage autoscaling isn"t turned on for your DB instance.') -, ROW('c1qf5bt012', 'en', 'Amazon RDS Performance Insights is turned off', 'Amazon RDS Performance Insights monitors your DB instance load to help you analyze and resolve database performance issues.') -, ROW('c1qf5bt011', 'en', 'Amazon RDS DB clusters have one DB instance', 'Add at least another DB instance to the DB cluster, to improve availability and performance.') -, ROW('UUDvOa5r34', 'en', 'RDS Reserved Instances', 'Checks for usage that is more than 80% of the RDS Reserved Instances Limit.') -, ROW('oQ7TT0l7J9', 'en', 'IAM Roles', 'Checks for usage that is more than 80% of the IAM Roles Limit.') -, ROW('c1dvkm4z6b', 'en', 'Amazon ECS AWSLogs driver in blocking mode', 'Checks for Amazon ECS task definitions configured with the AWSLogs logging driver in blocking mode.') -, ROW('c1dfprch05', 'en', 'AWS Lambda On Failure Event Destinations', 'Checks that Lambda functions in your account have On Failure event destination or Dead Letter Queue (DLQ) configured for asynchronous invocations, so that records from failed invocations can be routed to a destination for further investigation or processing.') -, ROW('c1qf5bt018', 'en', 'Amazon RDS DB clusters with all reader instances in the same Availability Zone', 'Your DB cluster has all the reader instances in the same Availability Zone.') -, ROW('c1qf5bt017', 'en', 'Amazon RDS DB clusters support only up to 64 TiB volume', 'Your DB clusters support volumes up to 64 TiB.') -, ROW('c1dfprch07', 'en', 'Lambda Code Storage Usage', 'Checks for code storage 
usage that is more than 80% of the account limit.') -, ROW('c1qf5bt016', 'en', 'Amazon RDS resources using end of support engine edition under license-included', 'We recommend that you upgrade the major version to the latest engine version supported by Amazon RDS to continue with the current license support.') -, ROW('c1dfprch08', 'en', 'ALB Multi-AZ', 'Checks whether your Application Load Balancers (ALB) are configured to use more than one Availability Zone (AZ).') -, ROW('c1qf5bt015', 'en', 'Amazon RDS resources instance class update is required', 'Your database is running a previous generation DB instance class.') -, ROW('c1dfprch01', 'en', 'Amazon EFS No Mount Target Redundancy', 'Checks if mount targets exist in multiple Availability Zones for an Amazon EFS file system.') -, ROW('c1dfprch02', 'en', 'Amazon EFS Throughput Mode Optimization', 'Checks whether the customer"s Amazon EFS file system is currently configured to use Bursting Throughput mode.') -, ROW('c1qf5bt019', 'en', 'Amazon RDS DB instances not using Multi-AZ deployment', 'We recommend that you use Multi-AZ deployment.') -, ROW('c1dfprch09', 'en', 'NLB Multi-AZ', 'Checks whether your Network Load Balancers (NLB) are configured to use more than one Availability Zone (AZ).') -, ROW('c1qf5bt003', 'en', 'Amazon RDS engine minor version upgrade is required', 'Your database resources aren"t running the latest minor DB engine version.') -, ROW('S45wrEXrLz', 'en', 'VPN Tunnel Redundancy', 'Checks the number of tunnels that are active for each of your VPNs.') -, ROW('c1qf5bt001', 'en', 'Amazon RDS resource Automated backups is turned off', 'Automated backups are disabled on your DB resources.') -, ROW('c1qf5bt000', 'en', 'Amazon RDS magnetic volume is in use', 'Your DB instances are using magnetic storage.') -, ROW('c1dfprch10', 'en', 'VPC interface endpoint network interfaces in multiple-AZs', 'Checks whether your AWS PrivateLink VPC interface endpoints are configured to use more than one Availability Zone 
(AZ).') -, ROW('c1qf5bt007', 'en', 'Amazon RDS DB clusters with all instances in the same Availability Zone', 'The DB clusters are currently in a single Availability Zone.') -, ROW('c1qf5bt006', 'en', 'Amazon RDS storage encryption is turned off', 'Amazon RDS supports encryption at rest for all the database engines by using the keys which you manage in AWS Key Management Service (KMS).') -, ROW('c1qf5bt005', 'en', 'Amazon RDS Aurora storage encryption is turned off', 'Amazon RDS supports encryption at rest for all the database engines by using the keys that you manage in AWS Key Management Service (AWS KMS).') -, ROW('c1qf5bt004', 'en', 'Amazon RDS Enhanced Monitoring is turned off', 'Your database resources don"t have Enhanced Monitoring turned on.') -, ROW('c1t3k8mqv1', 'en', 'ActiveMQ Availability Zone Redundancy', 'Checks that Amazon MQ for ActiveMQ brokers are configured for high availability with an active/standby broker in multiple Availability Zones.') -, ROW('Cjxm268ch1', 'en', 'Auto Scaling Available IPs in Subnets', 'Checks that sufficient available IPs remain among targeted Subnets.') -, ROW('jEECYg2YVU', 'en', 'RDS DB Parameter Groups', 'Checks for usage that is more than 80% of the RDS DB Parameter Groups Limit.') -, ROW('c1qf5bt009', 'en', 'Amazon RDS DB instances in the clusters with heterogeneous instance classes', 'We recommend that you use the same DB instance class and size for all the DB instances in your DB cluster.') -, ROW('c1dfprch15', 'en', 'Amazon EC2 instances with Ubuntu LTS end of standard support', 'This check alerts you if the versions are near or have reached the end of standard support.') -, ROW('c1qf5bt008', 'en', 'Amazon RDS DB instances in the clusters with heterogeneous instance sizes', 'We recommend that you use the same DB instance class and size for all the DB instances in your DB cluster.') -, ROW('c1t3k8mqv2', 'en', 'RabbitMQ Availability Zone Redundancy', 'Checks that Amazon MQ for RabbitMQ brokers are configured for high 
availability with cluster instances in multiple Availability Zones.') -, ROW('c1qf5bt032', 'en', 'Amazon RDS innodb_stats_persistent parameter is turned off', 'Your DB instance isn"t configured to persist the InnoDB statistics to the disk.') -, ROW('c1qf5bt031', 'en', 'Amazon RDS sync_binlog parameter is turned off', 'The synchronization of the binary log to disk isn"t enforced before the transaction commits are acknowledged in your DB instance.') -, ROW('c1qf5bt030', 'en', 'Amazon RDS innodb_flush_log_at_trx parameter is turned off', 'The value of the innodb_flush_log_at_trx_commit parameter of your DB instance isn"t safe value.') -, ROW('MDBdfsQ401', 'en', 'Amazon MemoryDB Multi-AZ clusters', 'Checks for MemoryDB clusters that deploy in a single Availability Zone (AZ).') -, ROW('c1qf5bt036', 'en', 'Amazon RDS innodb_default_row_format parameter setting is unsafe', 'Your DB instance encounters a known issue: A table created in a MySQL version lower than 8.') -, ROW('c1qf5bt035', 'en', 'Amazon RDS Read Replicas are open in writable mode', 'Your DB instance has a read replica in writable mode, which allows updates from clients.') -, ROW('c1qf5bt034', 'en', 'Amazon RDS max_user_connections parameter is low', 'Your DB instance has a low value for the maximum number of simultaneous connections for each database account.') -, ROW('c1qf5bt033', 'en', 'Amazon RDS innodb_open_files parameter is low', 'The innodb_open_files parameter controls the number of files InnoDB can open at one time.') -, ROW('Bh2xRR2FGH', 'en', 'Amazon EC2 to EBS Throughput Optimization', 'Checks for Amazon EBS volumes whose performance might be affected by the maximum throughput capability of the Amazon EC2 instance they are attached to.') -, ROW('c1qf5bt039', 'en', 'Amazon RDS instance under-provisioned for system capacity', 'Checks whether Amazon RDS instance or Amazon Aurora DB instance has the required system capacity to operate.') -, ROW('iH7PP0l7J9', 'en', 'EC2 Reserved Instance Leases', 
'Checks for usage that is more than 80% of the EC2 Reserved Instance Leases Limit.') -, ROW('c1qf5bt038', 'en', 'Amazon Aurora DB cluster under-provisioned for read workload', 'Checks whether Amazon Aurora DB cluster has the resources to support a read workload.') -, ROW('c1qf5bt037', 'en', 'Amazon RDS general_logging parameter is turned on', 'The general logging is turned on for your DB instance.') -, ROW('51fC20e7I2', 'en', 'Amazon Route 53 Latency Resource Record Sets', 'Checks for Amazon Route 53 latency record sets that are configured inefficiently.') -, ROW('c1qf5bt021', 'en', 'Amazon RDS InnoDB_Change_Buffering parameter using less than optimum value', 'Change buffering allows a MySQL DB instance to defer a few writes, which are required to maintain secondary indexes.') -, ROW('hJ7NN0l7J9', 'en', 'SES Daily Sending Quota', 'Checks for usage that is more than 80% of the SES Daily Sending Quota Limit.') -, ROW('c1qf5bt020', 'en', 'Amazon RDS DB memory parameters are diverging from default', 'The memory parameters of the DB instances are significantly different from the default values.') -, ROW('c1qf5bt025', 'en', 'Amazon RDS autovacuum parameter is turned off', 'The autovacuum parameter is turned off for your DB instances.') -, ROW('c1qf5bt024', 'en', 'Amazon RDS parameter groups not using huge pages', 'Large pages can increase database scalability, but your DB instance isn"t using large pages.') -, ROW('c1qf5bt023', 'en', 'Amazon RDS log_output parameter is set to table', 'When log_output is set to TABLE, more storage is used than when log_output is set to FILE.') -, ROW('c1qf5bt022', 'en', 'Amazon RDS query cache parameter is turned on', 'When changes require that your query cache is purged, your DB instance will appear to stall.') -, ROW('Yw2K9puPzl', 'en', 'IAM Password Policy', 'Checks the password policy for your account and warns when a password policy is not enabled, or if password content requirements have not been enabled.') -, ROW('dx8afcdfMr', 
'en', 'Route 53 Traffic Policy Instances', 'Checks for usage that is more than 80% of the Route 53 Traffic Policy Instances Limit per account.') -, ROW('c1qf5bt029', 'en', 'Amazon RDS enable_indexscan parameter is turned off', 'The query planner or optimizer can"t use the index scan plan type when it is turned off.') -, ROW('c1qf5bt028', 'en', 'Amazon RDS enable_indexonlyscan parameter is turned off', 'The query planner or optimizer can"t use the index-only scan plan type when it is turned off.') -, ROW('c1qf5bt027', 'en', 'Amazon RDS track_counts parameter is turned off', 'When the track_counts parameter is turned off, the database doesn"t collect the database activity statistics.') -, ROW('c1qf5bt026', 'en', 'Amazon RDS synchronous_commit parameter is turned off', 'When synchronous_commit parameter is turned off, data can be lost in a database crash.') -, ROW('aW7HH0l7J9', 'en', 'Auto Scaling Launch Configurations', 'Checks for usage that is more than 80% of the Auto Scaling Launch Configurations Limit.') -, ROW('xSqX82fQu', 'en', 'Classic Load Balancer Security Groups', 'Checks for classic load balancers configured with a security group that allows access to ports that are not configured for the load balancer.') -, ROW('b73EEdD790', 'en', 'Amazon Route 53 Failover Resource Record Sets', 'Checks for Amazon Route 53 failover resource record sets that are misconfigured.') -, ROW('Hs4Ma3G306', 'en', 'Amazon DocumentDB manual cluster snapshots should not be public', 'Checks if an Amazon DocumentDB manual snapshot is public.') -, ROW('N425c450f2', 'en', 'CloudFront Custom SSL Certificates in the IAM Certificate Store', 'Checks the SSL certificates for CloudFront alternate domain names in the IAM certificate store and alerts you if the certificate is expired, will soon expire, uses outdated encryption, or is not configured correctly for the distribution.') -, ROW('Hs4Ma3G307', 'en', 'Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs', 'Checks if a 
DocumentDB cluster publishes audit logs to Amazon CloudWatch Logs.') -, ROW('Hs4Ma3G308', 'en', 'Amazon DocumentDB clusters should have deletion protection enabled', 'Checks if an Amazon Document DB cluster has deletion protection enabled.') -, ROW('Hs4Ma3G309', 'en', 'DMS replication instances should have automatic minor version upgrade enabled', 'Checks if automatic minor version upgrade is enabled for an AWS DMS replication instance.') -, ROW('L4dfs2Q4C5', 'en', 'AWS Lambda Functions Using Deprecated Runtimes', 'Checks for Lambda functions whose $LATEST version is configured to use a runtime that is approaching deprecation, or is deprecated.') -, ROW('L4dfs2Q4C6', 'en', 'AWS Lambda VPC-enabled Functions without Multi-AZ Redundancy', 'Checks the $LATEST version of VPC-enabled Lambda functions that are vulnerable to service interruption in a single Availability Zone.') -, ROW('Hs4Ma3G300', 'en', 'Neptune DB cluster snapshots should be encrypted at rest', 'Checks if a Neptune DB cluster snapshot is encrypted at rest.') -, ROW('Hs4Ma3G301', 'en', 'Neptune DB clusters should have IAM database authentication enabled', 'Checks if a Neptune DB cluster has IAM database authentication enabled.') -, ROW('Hs4Ma3G302', 'en', 'Neptune DB clusters should be configured to copy tags to snapshots', 'Checks if a Neptune DB cluster is configured to copy tags to snapshots when the snapshots are created.') -, ROW('Hs4Ma3G303', 'en', 'RDS DB clusters should be encrypted at rest', 'Checks if an RDS DB cluster is encrypted at rest.') -, ROW('Hs4Ma3G304', 'en', 'ECS task definitions should have a logging configuration', 'Checks if the latest active Amazon ECS task definition has a logging configuration specified.') -, ROW('Hs4Ma3G305', 'en', 'Network Firewall logging should be enabled', 'Checks if logging is enabled for an AWS Network Firewall firewall.') -, ROW('N420c450f2', 'en', 'CloudFront Alternate Domain Names', 'Checks Amazon CloudFront distributions for alternate domain names 
(CNAMES) that have incorrectly configured DNS settings.') -, ROW('Hs4Ma3G317', 'en', 'AWS AppSync GraphQL APIs should not be authenticated with API keys', 'Checks if your application uses an API key to interact with an AWS AppSync GraphQL API.') -, ROW('Hs4Ma3G318', 'en', 'AWS Backup recovery points should be encrypted at rest', 'Checks if an AWS Backup recovery point is encrypted at rest.') -, ROW('Hs4Ma3G319', 'en', 'Network Firewall firewalls should have deletion protection enabled', 'Checks if an AWS Network Firewall firewall has deletion protection enabled.') -, ROW('Hs4Ma3G310', 'en', 'DMS replication tasks for the target database should have logging enabled', 'Checks if logging is enabled with the minimum severity level of LOGGER_SEVERITY_DEFAULT for DMS replication task events TARGET_APPLY and TARGET_LOAD.') -, ROW('Hs4Ma3G311', 'en', 'DMS replication tasks for the source database should have logging enabled', 'The check assesses if logging is enabled with the minimum severity level of LOGGER_SEVERITY_DEFAULT for DMS replication task events SOURCE_CAPTURE and SOURCE_UNLOAD.') -, ROW('Hs4Ma3G312', 'en', 'DMS endpoints should use SSL', 'Checks if an AWS DMS endpoint uses an SSL connection.') -, ROW('Hs4Ma3G313', 'en', 'EventBridge custom event buses should have a resource-based policy attached', 'Checks if an Amazon EventBridge custom event bus has a resource policy attached.') -, ROW('Hs4Ma3G314', 'en', 'Route 53 public hosted zones should log DNS queries', 'Checks if DNS query logging is enabled for an Amazon Route 53 public hosted zone.') -, ROW('Hs4Ma3G315', 'en', 'Aurora MySQL DB clusters should publish audit logs to CloudWatch Logs', 'Checks if an Amazon Aurora MySQL DB cluster is configured to publish audit logs to Amazon CloudWatch Logs.') -, ROW('Hs4Ma3G316', 'en', 'RDS DB clusters should have automatic minor version upgrade enabled', 'Checks if automatic minor version upgrade is enabled for an Amazon RDS database cluster.') -, ROW('8wIqYSt25K', 
'en', 'ELB Network Load Balancers', 'Checks for usage that is more than 80% of the ELB Network Load Balancers Limit.') -, ROW('L4dfs2Q3C2', 'en', 'AWS Lambda Functions with High Error Rates', 'Checks for Lambda functions with high error rates that may result in high cost.') -, ROW('L4dfs2Q3C3', 'en', 'AWS Lambda Functions with Excessive Timeouts', 'Checks for Lambda functions with high timeout rates that may result in high cost.') -, ROW('ru4xfcdfMr', 'en', 'Route 53 Max Health Checks', 'Checks for usage that is more than 80% of the Route 53 Health Checks Limit per account.') -, ROW('dV84wpqRUs', 'en', 'RDS DB Manual Snapshots', 'Checks for usage that is more than 80% of the RDS DB Manual Snapshots Limit.') -, ROW('xuy7H1avtl', 'en', 'Amazon Aurora DB Instance Accessibility', 'Checks for cases where an Amazon Aurora DB cluster has both private and public instances.') -, ROW('RH23stmM01', 'en', 'AWS Resilience Hub resilience scores', 'Checks if you have run an assessment for your applications in Resilience Hub.') -, ROW('RH23stmM02', 'en', 'AWS Resilience Hub policy breached', 'Checks Resilience Hub for applications that don"t meet the recovery time objective (RTO) and recovery point objective (RPO) that the policy defines.') -, ROW('RH23stmM03', 'en', 'AWS Resilience Hub assessment age', 'Checks how long since you last ran an application assessment.') -, ROW('RH23stmM04', 'en', 'AWS Resilience Hub Application Component check', 'Checks if an Application Component (AppComponent) in your application is unrecoverable.') -, ROW('DqdJqYeRm5', 'en', 'IAM Access Key Rotation', 'Checks for active IAM access keys that have not been rotated in the last 90 days.') -, ROW('kM7QQ0l7J9', 'en', 'VPC Internet Gateways', 'Checks for usage that is more than 80% of the VPC Internet Gateways Limit.') -, ROW('HCP4007jGY', 'en', 'Security Groups - Specific Ports Unrestricted', 'Checks security groups for rules that allow unrestricted access (0.') -, ROW('Pfx0RwqBli', 'en', 'Amazon S3 
Bucket Permissions', 'Checks buckets in Amazon Simple Storage Service (Amazon S3) that have open access permissions or allow access to any authenticated AWS user.') -, ROW('c1ng44jvbm', 'en', 'Amazon Route 53 mismatching CNAME records pointing directly to S3 buckets', 'Checks the Amazon Route 53 Hosted Zones with CNAME records pointing directly to Amazon S3 bucket hostnames and alerts if your CNAME does not match with your S3 bucket name.') -, ROW('c1fd6b96l4', 'en', 'Amazon S3 Server Access Logs Enabled', 'Checks the logging configuration of Amazon Simple Storage Service (Amazon S3) buckets.') -, ROW('c1cj39rr6v', 'en', 'S3 Incomplete Multipart Upload Abort Configuration', 'Checks that each S3 bucket is configured with a lifecycle rule to abort multipart uploads that remain incomplete after 7 days.') -, ROW('wuy7G1zxql', 'en', 'Amazon EC2 Availability Zone Balance', 'Checks the distribution of Amazon Elastic Compute Cloud (Amazon EC2) instances across Availability Zones in a region.') -, ROW('DAvU99Dc4C', 'en', 'Underutilized Amazon EBS Volumes', 'Checks Amazon Elastic Block Store (Amazon EBS) volume configurations and warns when volumes appear to be underused.') -, ROW('pYW8UkYz2w', 'en', 'RDS Read Replicas per Master', 'Checks for usage that is more than 80% of the RDS Read Replicas per Master Limit.') -, ROW('eI7KK0l7J9', 'en', 'EBS Active Snapshots', 'Checks for usage that is more than 80% of the EBS Active Snapshots Limit.') -, ROW('pR7UU0l7J9', 'en', 'IAM Policies', 'Checks for usage that is more than 80% of the IAM Policies Limit.') -, ROW('fW7HH0l7J9', 'en', 'Auto Scaling Groups', 'Checks for usage that is more than 80% of the Auto Scaling Groups Limit.') -, ROW('P1jhKWEmLa', 'en', 'RDS Total Storage Quota', 'Checks for usage that is more than 80% of the RDS Total Storage Quota Limit.') -, ROW('12Fnkpl8Y5', 'en', 'Exposed Access Keys', 'Checks popular code repositories for access keys that have been exposed to the public and for irregular Amazon Elastic 
Compute Cloud (Amazon EC2) usage that could be the result of a compromised access key.') -, ROW('8CNsSllI5v', 'en', 'Auto Scaling Group Resources', 'Checks the availability of resources associated with launch configurations and your Auto Scaling groups.') -, ROW('BueAdJ7NrP', 'en', 'Amazon S3 Bucket Logging', 'Checks the logging configuration of Amazon Simple Storage Service (Amazon S3) buckets.') -, ROW('gW7HH0l7J9', 'en', 'CloudFormation Stacks', 'Checks for usage that is more than 80% of the CloudFormation Stacks Limit.') -, ROW('Hs4Ma3G270', 'en', 'EC2 Auto Scaling groups should use EC2 launch templates', 'Checks if an Amazon EC2 Auto Scaling group is created from an EC2 launch template.') -, ROW('Hs4Ma3G150', 'en', 'Elasticsearch domains should encrypt data sent between nodes', 'Checks if Elasticsearch domains have node-to-node encryption enabled.') -, ROW('Hs4Ma3G271', 'en', 'API Gateway routes should specify an authorization type', 'Checks if Amazon API Gateway routes have an authorization type.') -, ROW('Hs4Ma3G151', 'en', 'An RDS event notifications subscription should be configured for critical database parameter group events', 'Checks if an Amazon RDS Event subscription for RDS parameter groups is configured to notify on event category of "configuration change".') -, ROW('Hs4Ma3G272', 'en', 'Users should not have root access to SageMaker notebook instances', 'Checks if root access is turned off for Amazon SageMaker notebook instances.') -, ROW('Hs4Ma3G152', 'en', 'An RDS event notifications subscription should be configured for critical database instance events', 'Checks if an Amazon RDS Event subscription for RDS instances is configured to notify on event categories of both "maintenance", "configuration change", and "failure".') -, ROW('Hs4Ma3G273', 'en', 'Security contact information should be provided for an AWS account', 'Checks if an Amazon Web Services (AWS) account has security contact information.') -, ROW('Hs4Ma3G153', 'en', 'RDS instances 
should not use a database engine default port', 'Checks if RDS instances use the default port of that database engine.') -, ROW('Hs4Ma3G274', 'en', 'SageMaker notebook instances should be launched in a custom VPC', 'Checks if an Amazon SageMaker notebook instance is launched within a custom VPC.') -, ROW('rT7WW0l7J9', 'en', 'IAM Server Certificates', 'Checks for usage that is more than 80% of the IAM Server Certificates Limit.') -, ROW('Hs4Ma3G154', 'en', 'An RDS event notifications subscription should be configured for critical database security group events', 'Checks if an Amazon RDS Event subscription for RDS security groups is configured to notify on event categories of both "configuration change" and "failure".') -, ROW('Hs4Ma3G275', 'en', 'CloudFront distributions should not point to non-existent S3 origins', 'Checks if Amazon CloudFront distributions are pointing to non-existent S3 origins.') -, ROW('N415c450f2', 'en', 'CloudFront Header Forwarding and Cache Hit Ratio', 'Checks the HTTP request headers that CloudFront currently receives from the client and forwards to your origin server.') -, ROW('Hs4Ma3G144', 'en', 'Unused IAM user credentials should be removed', 'Checks if your IAM users have passwords or active access keys that were not used within the previous 90 days.') -, ROW('Hs4Ma3G265', 'en', 'A WAF Regional rule group should have at least one rule', 'Checks if a WAF Regional rule group has at least one rule.') -, ROW('Hs4Ma3G145', 'en', 'Amazon ECS task definitions should have secure networking modes and user definitions', 'Checks if an Amazon ECS Task Definition with host networking mode has "privileged" or "user" container definitions.') -, ROW('Hs4Ma3G266', 'en', 'A WAF Regional web ACL should have at least one rule or rule group', 'Checks if a WAF Regional web ACL contains any WAF rules or WAF rule groups.') -, ROW('iqdCTZKCUp', 'en', 'Load Balancer Optimization', 'Checks your load balancer configuration.') -, ROW('Hs4Ma3G146', 'en', 'ECS 
services should not have public IP addresses assigned to them automatically', 'Checks if ECS services are configured to automatically assign public IP addresses.') -, ROW('Hs4Ma3G267', 'en', 'A WAF global rule should have at least one condition', 'Checks if a WAF global rule has at least one condition.') -, ROW('Hs4Ma3G147', 'en', 'Amazon Elasticsearch Service domains should be in a VPC', 'Checks whether Amazon Elasticsearch Service domains are in a VPC.') -, ROW('Hs4Ma3G268', 'en', 'A WAF global rule group should have at least one rule', 'Checks if a WAF global rule group has at least one rule.') -, ROW('Hs4Ma3G148', 'en', 'Elastic Beanstalk environments should have enhanced health reporting enabled', 'Checks if enhanced health reporting is enabled for your AWS Elastic Beanstalk environments.') -, ROW('Hs4Ma3G269', 'en', 'A WAF global web ACL should have at least one rule or rule group', 'Checks if a WAF global web ACL contains any WAF rules or WAF rule groups.') -, ROW('Hs4Ma3G149', 'en', 'Elastic Beanstalk managed platform updates should be enabled', 'Checks if managed platform updates are enabled for the AWS Elastic Beanstalk environment.') -, ROW('Hs4Ma3G280', 'en', 'Application, Network and Gateway Load Balancers should span multiple Availability Zones', 'Checks if an Elastic Load Balancer V2 (Application, Network, or Gateway Load Balancer) has registered instances from multiple Availability Zones.') -, ROW('Hs4Ma3G160', 'en', 'IAM authentication should be configured for RDS instances', 'Checks if an RDS DB instance has IAM database authentication enabled.') -, ROW('Hs4Ma3G281', 'en', 'OpenSearch domains should have at least three data nodes', 'Checks if Amazon OpenSearch Service domains are configured with at least three data nodes and "zoneAwarenessEnabled" is true.') -, ROW('Hs4Ma3G161', 'en', 'IAM authentication should be configured for RDS clusters', 'Checks if an RDS DB cluster has IAM database authentication enabled.') -, ROW('Hs4Ma3G282', 'en', 'RSA 
certificates managed by ACM should use a key length of at least 2,048 bits', 'Checks if RSA certificates managed by AWS Certificate Manager use a key length of at least 2,048 bits.') -, ROW('Hs4Ma3G162', 'en', 'RDS automatic minor version upgrades should be enabled', 'Checks if automatic minor version upgrades are enabled for the Amazon RDS database instance.') -, ROW('Hs4Ma3G283', 'en', 'AWS AppSync should have request-level and field-level logging turned on', 'Checks if an AWS AppSync API has request-level and field-level logging turned on.') -, ROW('Hs4Ma3G163', 'en', 'RDS DB clusters should be configured to copy tags to snapshots', 'Checks if RDS DB clusters are configured to copy all tags to snapshots when the snapshots are created.') -, ROW('Hs4Ma3G284', 'en', 'CloudFront distributions should use origin access control', 'Checks if an Amazon CloudFront distribution with an Amazon S3 origin has origin access check (OAC) configured.') -, ROW('Hs4Ma3G164', 'en', 'RDS DB instances should be configured to copy tags to snapshots', 'Checks if RDS DB instances are configured to copy all tags to snapshots when the snapshots are created.') -, ROW('Hs4Ma3G285', 'en', 'EKS cluster endpoints should not be publicly accessible', 'Checks if an Amazon EKS cluster endpoint is publicly accessible.') -, ROW('Hs4Ma3G165', 'en', 'RDS instances should be deployed in a VPC', 'Checks if an RDS instance is deployed in a VPC (EC2-VPC).') -, ROW('Hs4Ma3G286', 'en', 'ElastiCache for Redis cache clusters should have auto minor version upgrades enabled', 'This check evaluates if auto minor version upgrades are enabled for ElastiCache for Redis cache clusters.') -, ROW('keAhfbH5yb', 'en', 'RDS Event Subscriptions', 'Checks for usage that is more than 80% of the RDS Event Subscriptions Limit.') -, ROW('c5ftjdfkMr', 'en', 'DynamoDB Write Capacity', 'Checks for usage that is more than 80% of the DynamoDB Provisioned Throughput Limit for Writes per Account.') -, ROW('Hs4Ma3G155', 'en', 'EC2 
instances should be managed by AWS Systems Manager', 'Checks if the Amazon EC2 instances in your account are managed by AWS Systems Manager.') -, ROW('Hs4Ma3G276', 'en', 'A WAFV2 web ACL should have at least one rule or rule group', 'Checks if a WAFV2 web ACL contains at least one WAF rule or WAF rule group.') -, ROW('Hs4Ma3G156', 'en', 'EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation', 'Checks if the compliance status of the Amazon EC2 Systems Manager patch compliance is COMPLIANT or NON_COMPLIANT after the patch installation on the instance.') -, ROW('Hs4Ma3G277', 'en', 'EC2 launch templates should not assign public IPs to network interfaces', 'Checks if Amazon EC2 launch templates are configured to assign public IP addresses to network interfaces upon launch.') -, ROW('Hs4Ma3G157', 'en', 'EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT', 'Checks if the status of the AWS Systems Manager association compliance is COMPLIANT or NON_COMPLIANT after the association is executed on an instance.') -, ROW('Hs4Ma3G278', 'en', 'Access logging should be configured for API Gateway V2 Stages', 'Checks if Amazon API Gateway V2 stages have access logging configured.') -, ROW('ZRxQlPsb6c', 'en', 'High CPU Utilization Amazon EC2 Instances', 'Checks the Amazon Elastic Compute Cloud (Amazon EC2) instances that were running at any time during the last 14 days and alerts you if the daily CPU utilization was more than 90% on 4 or more days.') -, ROW('Hs4Ma3G158', 'en', 'SSM documents should not be public', 'Checks if AWS Systems Manager documents that the account owns are public.') -, ROW('Hs4Ma3G279', 'en', 'Amazon EC2 Auto Scaling group should cover multiple Availability Zones', 'Checks if an Auto Scaling group spans multiple Availability Zones.') -, ROW('Hs4Ma3G159', 'en', 'Elastic File System should be configured to encrypt file data at-rest using AWS KMS', 
'Checks if Amazon Elastic File System (Amazon EFS) is configured to encrypt the file data using AWS Key Management Service (AWS KMS).') -, ROW('nO7SS0l7J9', 'en', 'IAM Instance Profiles', 'Checks for usage that is more than 80% of the IAM Instance Profiles Limit.') -, ROW('c1dfpnchv1', 'en', 'Amazon EFS clients not using data-in-transit encryption', 'Checks if Amazon EFS file system is mounted using data-in-transit encryption.') -, ROW('c1dfpnchv2', 'en', 'AWS Direct Connect Location Resiliency', 'Checks your Direct Connect location resiliency associated with each Virtual Private Gateway or Transit Gateways.') -, ROW('Hs4Ma3G250', 'en', 'ECS clusters should use Container Insights', 'Checks if ECS clusters use Container Insights.') -, ROW('Hs4Ma3G130', 'en', 'Lambda functions should use supported runtimes', 'Checks that the lambda function settings for runtimes, match the expected values set for the supported runtimes for each language.') -, ROW('Hs4Ma3G251', 'en', 'EFS access points should enforce a root directory', 'Checks if Amazon Elastic File System (Amazon EFS) access points are configured to enforce a root directory.') -, ROW('Hs4Ma3G131', 'en', 'Lambda function policies should prohibit public access', 'Checks if the AWS Lambda function policy attached to the Lambda resource prohibits public access.') -, ROW('Hs4Ma3G252', 'en', 'EFS access points should enforce a user identity', 'Checks if Amazon Elastic File System (Amazon EFS) access points are configured to enforce a user identity.') -, ROW('Hs4Ma3G132', 'en', 'Database Migration Service replication instances should not be public', 'Checks if AWS Database Migration Service replication instances are public by examining the PubliclyAccessible field value.') -, ROW('Hs4Ma3G253', 'en', 'EKS clusters should run on a supported Kubernetes version', 'Checks if an EKS cluster is running on a supported Kubernetes version.') -, ROW('dBkuNCvqn5', 'en', 'RDS Max Auths per Security Group', 'Checks for usage that is more 
than 80% of the RDS Max Auths per Security Group Limit.') -, ROW('H7IgTzjTYb', 'en', 'Amazon EBS Snapshots', 'Checks the age of the snapshots for your Amazon Elastic Block Store (Amazon EBS) volumes (available or in-use).') -, ROW('7ujm6yhn5t', 'en', 'Amazon OpenSearch Service Reserved Instance Optimization', 'Checks your usage of Amazon OpenSearch Service (successor to Amazon Elasticsearch Service) and provides recommendations on purchase of Reserved Instances to help reduce costs incurred from using Amazon OpenSearch Service On-Demand.') -, ROW('Hs4Ma3G122', 'en', 'VPC flow logging should be enabled in all VPCs', 'Checks if Amazon Virtual Private Cloud flow logs are found and enabled for Amazon VPCs.') -, ROW('Hs4Ma3G243', 'en', 'Auto Scaling group launch configurations should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2)', 'Checks if only IMDSv2 is enabled.') -, ROW('Hs4Ma3G123', 'en', 'EC2 instances should not have a public IPv4 address', 'Checks if EC2 instances have a public IP address.') -, ROW('Hs4Ma3G244', 'en', 'Auto Scaling group launch configuration should not have a metadata response hop limit greater than 1', 'Checks the number of network hops that the metadata token can travel.') -, ROW('Hs4Ma3G124', 'en', 'EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)', 'Checks if your Amazon Elastic Compute Cloud (Amazon EC2) instance metadata version is configured with Instance Metadata Service Version 2 (IMDSv2).') -, ROW('Hs4Ma3G245', 'en', 'CloudFormation stacks should be integrated with Simple Notification Service (SNS)', 'Checks if your CloudFormation stacks are sending event notifications to SNS topic.') -, ROW('gjqMBn6pjz', 'en', 'RDS Clusters', 'Checks for usage that is more than 80% of the RDS Clusters Limit.') -, ROW('Hs4Ma3G125', 'en', 'API Gateway should be associated with a WAF Web ACL', 'Checks to see if an API Gateway stage is using an AWS WAF Web ACL.') -, ROW('Hs4Ma3G246', 'en', 'CloudFront 
distributions should not use deprecated SSL protocols between edge locations and custom origins', 'Checks if CloudFront distributions are using deprecated SSL protocols for HTTPS communication between CloudFront edge locations and your custom origins.') -, ROW('Hs4Ma3G126', 'en', 'DynamoDB Accelerator (DAX) clusters should be encrypted at rest', 'Checks if a DAX cluster is encrypted at rest.') -, ROW('Hs4Ma3G247', 'en', 'EC2 Transit Gateways should not automatically accept VPC attachment requests', 'Checks if EC2 Transit Gateways are automatically accepting shared VPC attachments requests.') -, ROW('Hs4Ma3G127', 'en', 'API Gateway REST and WebSocket API execution logging should be enabled', 'Checks if all stages of Amazon API Gateway REST and WebSocket APIs have logging enabled.') -, ROW('Hs4Ma3G248', 'en', 'EC2 paravirtual instance types should not be used', 'Checks if the virtualization type of an EC2 instance is paravirtual.') -, ROW('c1dfpnchv4', 'en', 'NLB - Internet-facing resource in private subnet', 'Checks if an internet-facing Network Load Balancer (NLB) is configured with a private subnet.') -, ROW('Hs4Ma3G128', 'en', 'API Gateway REST API stages should be configured to use SSL certificates for backend authentication', 'Checks if Amazon API Gateway REST API stages have SSL certificates configured that backend systems can use to authenticate that incoming requests are from the API Gateway.') -, ROW('Hs4Ma3G249', 'en', 'ECS Fargate services should run on the latest Fargate platform version', 'Checks if ECS Fargate services is running the latest Fargate platform version.') -, ROW('Hs4Ma3G129', 'en', 'API Gateway REST API stages should have AWS X-Ray tracing enabled', 'Checks if AWS X-Ray active tracing is enabled for your Amazon API Gateway REST API stages.') -, ROW('c18d2gz186', 'en', 'Amazon CloudWatch Log Group retention period', 'Checks if Amazon CloudWatch Log Group retention period is set to at least 365 days or other specified number.') -, 
ROW('Hs4Ma3G260', 'en', 'OpenSearch domains should have fine-grained access control enabled', 'Checks if Amazon OpenSearch domains have fine-grained access check enabled.') -, ROW('Hs4Ma3G140', 'en', 'IAM root user access key should not exist', 'Checks if the root user access key is available.') -, ROW('Hs4Ma3G261', 'en', 'Redshift clusters should not use the default database name', 'Checks if a Redshift cluster has changed the database name from its default value.') -, ROW('c18d2gz184', 'en', 'Amazon OpenSearch Service logging CloudWatch not configured', 'Checks if Amazon OpenSearch Service domains are configured to send logs to Amazon CloudWatch Logs.') -, ROW('Hs4Ma3G141', 'en', 'MFA should be enabled for all IAM users that have a console password', 'Checks if AWS Multi-Factor Authentication (MFA) is enabled for all AWS Identity and Access Management (IAM) users that use a console password.') -, ROW('Hs4Ma3G262', 'en', 'S3 buckets should have lifecycle policies configured', 'Checks if a lifecycle policy is configured for an S3 bucket.') -, ROW('Hs4Ma3G142', 'en', 'Hardware MFA should be enabled for the root user', 'Checks if your AWS account is enabled to use hardware multi-factor authentication (MFA) device to sign in with root credentials.') -, ROW('Hs4Ma3G263', 'en', 'Logging of delivery status should be enabled for notification messages sent to a topic', 'Checks if logging is enabled for the delivery status of notification messages sent to a topic for the endpoints.') -, ROW('c18d2gz182', 'en', 'AWS Lambda Functions without a dead-letter queue configured', 'Checks if an AWS Lambda function is configured with a dead-letter queue.') -, ROW('Hs4Ma3G143', 'en', 'Password policies for IAM users should have strong configurations', 'Checks if the account password policy for IAM users uses the following recommended configurations: RequireUppercaseCharacters: true, RequireLowercaseCharacters: true, RequireSymbols: true, RequireNumbers: true, MinimumPasswordLength: 
8.') -, ROW('Hs4Ma3G264', 'en', 'A WAF Regional rule should have at least one condition', 'Checks if a WAF Regional rule has at least one condition.') -, ROW('c18d2gz183', 'en', 'Amazon OpenSearch Service domains with less than three data nodes', 'Checks if Amazon OpenSearch Service domains are configured with at least three data nodes and ZoneAwarenessEnabled is true.') -, ROW('vZ2c2W1srf', 'en', 'Savings Plan', 'Checks your usage of EC2, Fargate, and Lambda over the last 30 days and provides Savings Plan purchase recommendations, which allows you to commit to a consistent usage amount measured in $/hour for a one or three year term in exchange for discounted rates.') -, ROW('Hs4Ma3G133', 'en', 'IAM customer managed policies should not allow decryption actions on all KMS keys', 'Checks if the default version of IAM customer managed policies allow principals to use the AWS Key Management Service (KMS) decryption actions on all resources.') -, ROW('Hs4Ma3G254', 'en', 'Application Load Balancer should be configured with defensive or strictest desync mitigation mode', 'Checks if the Application Load Balancer is configured with defensive or strictest de-sync mitigation mode.') -, ROW('Hs4Ma3G134', 'en', 'IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys', 'Checks if the inline policies embedded in your IAM principals (Role/User/Group) allow the AWS Key Management Service (KMS) decryption actions on all KMS keys.') -, ROW('Hs4Ma3G255', 'en', 'Classic Load Balancer should be configured with defensive or strictest desync mitigation mode', 'Checks if the Classic Load Balancer is configured defensive or strictest desync mitigation mode.') -, ROW('ty3xfcdfMr', 'en', 'Route 53 Reusable Delegation Sets', 'Checks for usage that is more than 80% of the Route 53 Reusable Delegation Sets Limit per account.') -, ROW('Hs4Ma3G135', 'en', 'AWS KMS keys should not be deleted unintentionally', 'Checks whether AWS Key Management Service 
(KMS) keys are scheduled for deletion.') -, ROW('Hs4Ma3G256', 'en', 'Kinesis streams should be encrypted at rest', 'Checks if Kinesis streams are encrypted at rest with server-side encryption.') -, ROW('Hs4Ma3G136', 'en', 'Amazon SQS queues should be encrypted at rest', 'Checks if Amazon SQS queues are encrypted at rest.') -, ROW('Hs4Ma3G257', 'en', 'Network Firewall policies should have at least one rule group associated', 'Checks if a Network Firewall policy has any stateful or stateless rule groups associated.') -, ROW('gfZAn3W7wl', 'en', 'RDS DB Security Groups', 'Checks for usage that is more than 80% of the RDS DB Security Groups Limit.') -, ROW('Hs4Ma3G137', 'en', 'IAM policies should not allow full "*" administrative privileges', 'Checks if the default version of AWS Identity and Access Management (IAM) policies (also known as customer managed policies) do not have administrator access with a statement that has "Effect": "Allow" with "Action": "*" over "Resource": "*".') -, ROW('Hs4Ma3G258', 'en', 'The default stateless action for Network Firewall policies should be drop or forward for full packets', 'Checks if the default stateless action for full packets for a Network Firewall policy is drop or forward.') -, ROW('Hs4Ma3G138', 'en', 'IAM users should not have IAM policies attached', 'Checks that none of your IAM users have policies attached.') -, ROW('Hs4Ma3G259', 'en', 'The default stateless action for Network Firewall policies should be drop or forward for fragmented packets', 'Checks if a Network Firewall policy has drop or forward as the default stateless action for fragmented packets.') -, ROW('Hs4Ma3G139', 'en', 'IAM users" access keys should be rotated every 90 days or less', 'Checks if the active access keys are rotated within 90 days.') -, ROW('c18d2gz177', 'en', 'AWS Elastic Beanstalk with Managed Platform Updates disabled', 'Checks if managed platform updates in AWS Elastic Beanstalk environments and configuration templates are enabled.') -, 
ROW('c18d2gz178', 'en', 'Amazon ElastiCache Redis clusters Automatic Backup', 'Checks if the Amazon ElastiCache Redis clusters have automatic backup turned on.') -, ROW('c18d2gz175', 'en', 'Amazon ECS task Logging not enabled', 'Checks if log configuration is set on active Amazon ECS task definitions.') -, ROW('c18d2gz176', 'en', 'Amazon ECS Memory Hard Limit', 'Checks if Amazon ECS task definitions have a set memory limit for its container definitions.') -, ROW('c18d2gz173', 'en', 'Amazon ECS clusters with Container Insights disabled', 'Checks if Amazon CloudWatch Container Insights is turned on for your Amazon ECS clusters.') -, ROW('c18d2gz174', 'en', 'AWS Fargate platform version is not latest', 'Checks if Amazon ECS is running the latest platform version of AWS Fargate.') -, ROW('Hs4Ma3G230', 'en', 'S3 bucket server access logging should be enabled', 'Checks if an Amazon S3 Bucket has server access logging enabled to a chosen target bucket.') -, ROW('c18d2gz171', 'en', 'Amazon S3 version-enabled buckets without lifecycle policies configured', 'Checks if Amazon S3 version-enabled buckets have a lifecycle policy configured.') -, ROW('Hs4Ma3G110', 'en', 'CloudTrail should have encryption at-rest enabled', 'Checks whether AWS CloudTrail is configured to use the server-side encryption (SSE) AWS Key Management Service (AWS KMS) key encryption.') -, ROW('Hs4Ma3G231', 'en', 'Stateless network firewall rule group should not be empty', 'Checks if a Stateless Network Firewall Rule Group contains rules.') -, ROW('Qsdfp3A4L1', 'en', 'Amazon EC2 instances over-provisioned for Microsoft SQL Server', 'Checks your Amazon Elastic Compute Cloud (Amazon EC2) instances that are running SQL Server in the past 24 hours.') -, ROW('Hs4Ma3G108', 'en', 'CloudTrail trails should be integrated with Amazon CloudWatch Logs', 'Checks if AWS CloudTrail trails are configured to send logs to Amazon CloudWatch Logs.') -, ROW('Hs4Ma3G229', 'en', 'CloudFront distributions should encrypt traffic to 
custom origins', 'Checks if CloudFront distributions are encrypting traffic to custom origins.') -, ROW('Hs4Ma3G109', 'en', 'CloudTrail log file validation should be enabled', 'Checks if CloudTrail log file validation is enabled.') -, ROW('jL7PP0l7J9', 'en', 'VPC', 'Checks for usage that is more than 80% of the VPC Limit.') -, ROW('Hs4Ma3G100', 'en', 'Amazon SageMaker notebook instances should not have direct internet access', 'Checks if direct internet access is disabled for an Amazon SageMaker notebook instance by examining the DirectInternetAccess field is disabled for an Amazon SageMaker notebook instance.') -, ROW('Hs4Ma3G221', 'en', 'OpenSearch domains should have audit logging enabled', 'Checks if Amazon OpenSearch Service domains have audit logging enabled.') -, ROW('Hs4Ma3G101', 'en', 'Amazon Elastic MapReduce cluster master nodes should not have public IP addresses', 'Checks if master nodes on EMR clusters have public IP addresses.') -, ROW('Hs4Ma3G222', 'en', 'OpenSearch domain error logging to CloudWatch Logs should be enabled', 'Checks if Amazon OpenSearch domains are configured to send error logs to CloudWatch Logs.') -, ROW('c18d2gz181', 'en', 'AWS Lambda Functions without Concurrency Limit configured', 'Checks if AWS Lambda function is configured with function-level concurrent execution limit.') -, ROW('Hs4Ma3G102', 'en', 'Connections to Amazon Redshift clusters should be encrypted in transit', 'Checks if connections to Amazon Redshift clusters are required to use encryption in transit.') -, ROW('Hs4Ma3G223', 'en', 'OpenSearch domains should encrypt data sent between nodes', 'Checks if Amazon OpenSearch domains have node-to-node encryption enabled.') -, ROW('Hs4Ma3G103', 'en', 'Amazon Redshift clusters should prohibit public access', 'Checks if Amazon Redshift clusters are publicly accessible.') -, ROW('Hs4Ma3G224', 'en', 'OpenSearch domains should be in a VPC', 'Checks Amazon OpenSearch Service domains are in an Amazon Virtual Private Cloud 
(VPC).') -, ROW('cX3c2R1chu', 'en', 'Amazon EC2 Reserved Instances Optimization', 'A significant part of using AWS involves balancing your Reserved Instance (RI) usage and your On-Demand instance usage.') -, ROW('Hs4Ma3G104', 'en', 'Redshift clusters should use enhanced VPC routing', 'Checks if a Redshift cluster has EnhancedVpcRouting enabled.') -, ROW('Hs4Ma3G225', 'en', 'OpenSearch domains should have encryption at rest enabled', 'Checks if Amazon OpenSearch domains have encryption-at-rest configuration enabled.') -, ROW('Hs4Ma3G105', 'en', 'Amazon Redshift should have automatic upgrades to major versions enabled', 'Checks if an Amazon Redshift cluster is configured with automatic upgrades to major versions.') -, ROW('Hs4Ma3G226', 'en', 'Amazon EC2 instances launched using Auto Scaling group launch configurations should not have Public IP addresses', 'Checks if Amazon EC2 Auto Scaling groups have public IP addresses enabled using launch configurations.') -, ROW('Hs4Ma3G106', 'en', 'Amazon Redshift clusters should have audit logging enabled', 'Checks if an Amazon Redshift cluster has audit logging enabled.') -, ROW('Hs4Ma3G227', 'en', 'CloudFront distributions should use custom SSL/TLS certificates', 'Checks if CloudFront distributions are using the default SSL/TLS certificate CloudFront provides instead of a custom one.') -, ROW('Hs4Ma3G107', 'en', 'CloudFront distributions should require encryption in transit', 'Checks if an Amazon CloudFront distribution requires viewers to use HTTPS directly, or if it uses redirection.') -, ROW('Hs4Ma3G228', 'en', 'CloudFront distributions should use SNI to serve HTTPS requests', 'Checks if Amazon CloudFront distributions are using a custom SSL/TLS certificate and are configured to use SNI to serve HTTPS requests as opposed to dedicated IP address.') -, ROW('c18d2gz166', 'en', 'AWS CloudTrail data events logging for objects in an S3 bucket', 'Checks if at least one AWS CloudTrail trail logs Amazon S3 data events for all of 
your S3 buckets.') -, ROW('c18d2gz167', 'en', 'Application Load Balancers and Classic Load Balancers Without Access Logs Enabled', 'Checks if Application Load Balancers and Classic Load Balancers have access logging enabled.') -, ROW('c18d2gz164', 'en', 'CloudTrail trails are not configured with Amazon CloudWatch Logs', 'Checks if AWS CloudTrail trails are configured to send logs to Amazon CloudWatch logs.') -, ROW('c18d2gz163', 'en', 'Amazon S3 does not have Event Notifications enabled', 'Checks if Amazon S3 Event Notifications is enabled or is correctly configured with the desired destination or types.') -, ROW('Hs4Ma3G120', 'en', 'Stopped EC2 instances should be removed after a specified time period', 'Checks if any EC2 instances have been stopped for more than the allowed number of days.') -, ROW('Hs4Ma3G241', 'en', 'Secrets should not be passed as container environment variable', 'Checks if the container environment variables includes the following keys - AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, or ECS_ENGINE_AUTH_DATA.') -, ROW('c18d2gz160', 'en', 'RDS DB Cluster Deletion Protection Check', 'Checks if your Amazon RDS DB clusters have deletion protection enabled.') -, ROW('Hs4Ma3G121', 'en', 'EBS default encryption should be enabled', 'Checks if Amazon Elastic Block Store (EBS) encryption is enabled by default.') -, ROW('Hs4Ma3G242', 'en', 'Amazon ECR private repositories should have image scanning enabled', 'Checks if a private ECR repository has image scanning enabled.') -, ROW('c18d2gz161', 'en', 'RDS DB Cluster has no Multi-AZ replication enabled', 'Checks if your Amazon RDS DB clusters have Multi-AZ replication enabled.') -, ROW('c18d2gz168', 'en', 'Elastic Load Balancing Deletion Protection Not Enabled for Load Balancers', 'Checks if deletion protection is turned on for your load balancers.') -, ROW('c18d2gz169', 'en', 'Application, Network and Gateway Load Balancers Not Spanning Multiple Availability Zones', 'Checks If your load balancers (Application, 
Network, and Gateway Load Balancer) are configured with subnets across multiple Availability Zones.') -, ROW('Hs4Ma3G111', 'en', 'CloudTrail should be enabled and configured with at least one multi-region trail', 'Checks that there is at least one multi-region AWS CloudTrail trail.') -, ROW('Hs4Ma3G232', 'en', 'RDS Database Clusters should use a custom administrator username', 'Checks if an RDS database cluster has changed the admin username from its default value.') -, ROW('Hs4Ma3G112', 'en', 'Secrets Manager secrets should be rotated within a specified number of days', 'Checks if your secrets have rotated at least once within 90 days.') -, ROW('Hs4Ma3G233', 'en', 'RDS database instances should use a custom administrator username', 'Checks if an Amazon Relational Database Service (Amazon RDS) database instance has changed the admin username from its default value.') -, ROW('Hs4Ma3G113', 'en', 'Secrets Manager secrets configured with automatic rotation should rotate successfully', 'Checks if an AWS Secrets Manager secret rotated successfully based on the rotation schedule.') -, ROW('Hs4Ma3G234', 'en', 'AWS CodeBuild S3 Logs should be encrypted', 'Checks if a AWS CodeBuild project configured with Amazon S3 Logs has encryption enabled for its logs.') -, ROW('Hs4Ma3G114', 'en', 'Remove unused Secrets Manager secrets', 'Checks if your secrets have been accessed within a specified number of days.') -, ROW('Hs4Ma3G235', 'en', 'Amazon ECR private repositories should have tag immutability enabled', 'Checks if a private ECR repository has tag immutability enabled.') -, ROW('Hs4Ma3G115', 'en', 'Secrets Manager secrets should have automatic rotation enabled', 'Checks if a secret stored in AWS Secrets Manager is configured to rotate automatically.') -, ROW('Hs4Ma3G236', 'en', 'Amazon ECS Task Definitions should not share the host"s process namespace', 'Checks if Amazon ECS Task Definitions are configured to share a host"s process namespace with its containers.') -, 
ROW('Hs4Ma3G116', 'en', 'EBS snapshots should not be public, determined by the ability to be restorable by anyone', 'Checks if Amazon Elastic Block Store snapshots are not publicly restorable.') -, ROW('Hs4Ma3G237', 'en', 'Amazon ECS Containers should run as non-privileged', 'Checks if the Privileged parameter in the container definition of Amazon ECS Task Definitions is set to "true".') -, ROW('Hs4Ma3G117', 'en', 'Attached EBS volumes should be encrypted at-rest', 'Checks if the EBS volumes that are in an attached state are encrypted.') -, ROW('Hs4Ma3G238', 'en', 'Amazon ECS Containers should only have read-only access to its root filesystems', 'Checks if ECS Containers are limited to read-only access to its mounted root filesystems.') -, ROW('Hs4Ma3G118', 'en', 'The VPC default security group should not allow inbound and outbound traffic', 'Checks that the default security group of a VPC does not allow inbound or outbound traffic.') -, ROW('dYWBaXaaMM', 'en', 'RDS Subnet Groups', 'Checks for usage that is more than 80% of the RDS Subnet Groups Limit.') -, ROW('c18d2gz155', 'en', 'RDS DB Instance Automatic Minor Version Upgrade Check', 'Checks if Amazon RDS DB instances have automatic minor version upgrades configured.') -, ROW('c18d2gz156', 'en', 'RDS Multi-AZ Standby Instance Not Enabled', 'Checks if your Amazon RDS DB instances have a Multi-AZ standby replica configured.') -, ROW('c18d2gz154', 'en', 'Classic Load Balancer has no multiple AZs configured', 'Checks if Classic Load Balancer spans multiple Availability Zones (AZs).') -, ROW('0Xc6LMYG8P', 'en', 'EC2 On-Demand Instances', 'Checks for usage that is more than 80% of the EC2 On-Demand Instances Limit.') -, ROW('c18d2gz152', 'en', 'AWS Backup Vault Without Resource-Based Policy to Prevent Deletion of Recovery Points', 'Checks if AWS Backup vaults have an attached resource-based policy that prevents recovery point deletion.') -, ROW('Hs4Ma3G330', 'en', 'OpenSearch domains should have the latest software 
update installed', 'Checks if an Amazon OpenSearch Service domain has the latest software update installed.') -, ROW('c18d2gz150', 'en', 'Amazon EC2 Instances Stopped', 'Checks if there are Amazon EC2 instances that have been stopped for more than 30 days or other specified number.') -, ROW('ECHdfsQ402', 'en', 'Amazon ElastiCache Multi-AZ clusters', 'Checks for ElastiCache clusters that deploy in a single Availability Zone (AZ).') -, ROW('c18d2gz159', 'en', 'Amazon RDS not in AWS Backup plan', 'Checks if your Amazon RDS DB instances are included in a backup plan in AWS Backup.') -, ROW('c18d2gz158', 'en', 'Amazon RDS DB Instance Enhanced monitoring not enabled', 'Checks if your RDS DB instances have Enhanced Monitoring enabled.') -, ROW('Hs4Ma3G207', 'en', 'EC2 subnets should not automatically assign public IP addresses', 'Checks if the assignment of public IPs in Amazon Virtual Private Cloud (VPC) subnets have the MapPublicIpOnLaunch set to FALSE.') -, ROW('Hs4Ma3G328', 'en', 'Macie should be enabled', 'Checks if Amazon Macie is enabled for an account.') -, ROW('Hs4Ma3G208', 'en', 'EC2 instances should not use multiple ENIs', 'Checks to see if Amazon EC2 instance uses multiple ENI/EFA.') -, ROW('Hs4Ma3G329', 'en', 'Macie automated sensitive data discovery should be enabled', 'Checks if automated sensitive data discovery is enabled for an Amazon Macie administrator account.') -, ROW('Hs4Ma3G209', 'en', 'Unused Network Access Control Lists should be removed', 'Checks to see if there are any NACLs (Network Access Control List) that are unused.') -, ROW('Hs4Ma3G320', 'en', 'AWS WAF rules should have CloudWatch metrics enabled', 'Checks if an AWS WAF rule or rule group has CloudWatch metrics enabled.') -, ROW('Hs4Ma3G200', 'en', 'CloudFront distributions should have a default root object configured', 'Checks if an Amazon CloudFront distribution is configured to return a specific object that is the default root object.') -, ROW('Hs4Ma3G321', 'en', 'MSK clusters should 
be encrypted in transit among broker nodes', 'This controls assesses if a MSK cluster allows encryption in transit using HTTPS(TLS) among the broker nodes of the cluster.') -, ROW('Hs4Ma3G201', 'en', 'CloudFront distributions should have WAF enabled', 'Checks to see if Amazon CloudFront distributions are associated with either WAF or WAFv2 web ACLs.') -, ROW('Hs4Ma3G322', 'en', 'AWS Private CA root certificate authority should be disabled', 'Checks if AWS Private CA has a root certificate authority (CA) that is disabled.') -, ROW('Hs4Ma3G202', 'en', 'API Gateway REST API cache data should be encrypted at rest', 'Checks if all methods in Amazon API Gateway REST API stages that have cache enabled are encrypted.') -, ROW('Hs4Ma3G323', 'en', 'DynamoDB tables should have deletion protection enabled', 'Checks if an Amazon DynamoDB table has deletion protection enabled.') -, ROW('Hs4Ma3G203', 'en', 'Amazon Elasticsearch Service domains should have audit logging enabled', 'This check checks whether Amazon Elasticsearch Service domains have audit logging enabled.') -, ROW('Hs4Ma3G324', 'en', 'EC2 Client VPN endpoints should have client connection logging enabled', 'Checks if an AWS Client VPN endpoint has client connection logging enabled.') -, ROW('Hs4Ma3G204', 'en', 'Security groups should not allow unrestricted access to ports with high risk', 'Checks if unrestricted incoming traffic for the security groups is accessible to the specified ports [3389, 20, 23, 110, 143, 3306, 8080, 1433, 9200, 9300, 25, 445, 135, 21, 1434, 4333, 5432, 5500, 5601, 22 ] that have the highest risk.') -, ROW('Hs4Ma3G325', 'en', 'EKS clusters should have audit logging enabled', 'Checks if an Amazon EKS cluster has audit logging enabled.') -, ROW('Hs4Ma3G205', 'en', 'Classic Load Balancers with HTTPS/SSL listeners should use a predefined security policy that has strong configuration', 'Checks if your Classic Load Balancer SSL listeners use the predefined policy 
ELBSecurityPolicy-TLS-1-2-2017-01.') -, ROW('Hs4Ma3G326', 'en', 'Amazon EMR block public access setting should be enabled', 'Checks if your account is configured with Amazon EMR block public access.') -, ROW('Hs4Ma3G206', 'en', 'Amazon EC2 should be configured to use VPC endpoints that are created for the Amazon EC2 service', 'Checks if a service endpoint for Amazon EC2 is created for each VPC.') -, ROW('Hs4Ma3G327', 'en', 'FSx for OpenZFS file systems should be configured to copy tags to backups and volumes', 'Checks if an Amazon FSx for OpenZFS file system is configured to copy tags to backups and volumes.') -, ROW('c18d2gz144', 'en', 'Amazon EC2 Detailed Monitoring Not Enabled', 'Checks if detailed monitoring is enabled for your Amazon EC2 instances.') -, ROW('c18d2gz145', 'en', 'Amazon EC2 Instance Not Managed by AWS Systems Manager', 'Checks if the Amazon EC2 instances in your account are managed by AWS Systems Manager.') -, ROW('c18d2gz142', 'en', 'Amazon EBS Optimization Not Enabled', 'Checks if Amazon EBS optimization is enabled for your EC2 instances.') -, ROW('dH7RR0l6J3', 'en', 'EBS General Purpose SSD (gp3) Volume Storage', 'Checks for usage that is more than 80% of the EBS General Purpose SSD (gp3) Volume Storage Limit.') -, ROW('dH7RR0l6J9', 'en', 'EBS General Purpose SSD (gp2) Volume Storage', 'Checks for usage that is more than 80% of the EBS General Purpose SSD (gp2) Volume Storage Limit.') -, ROW('Hs4Ma3G220', 'en', 'Connections to OpenSearch domains should be encrypted using TLS 1.', '') -, ROW('c18d2gz148', 'en', 'EC2 Virtualization Type is Paravirtual', 'Checks if the virtualization type of an Amazon EC2 instance is paravirtual.') -, ROW('c18d2gz147', 'en', 'AWS Systems Manager State Manager Association in Non-compliant Status', 'Checks if the status of the AWS Systems Manager association compliance is COMPLIANT or NON_COMPLIANT after the association execution on the instance.') -, ROW('Hs4Ma3G218', 'en', 'CodeBuild project environments should 
not have privileged mode enabled', 'Checks if an AWS CodeBuild project environment has privileged mode enabled.') -, ROW('Hs4Ma3G219', 'en', 'Amazon Redshift clusters should not use the default Admin username', 'Checks if a Redshift cluster has changed the Admin username from its default value.') -, ROW('c9D319e7sG', 'en', 'Amazon Route 53 MX Resource Record Sets and Sender Policy Framework', 'For each MX resource record set, checks that the TXT or SPF resource record set contains a valid SPF record.') -, ROW('Qsdfp3A4L4', 'en', 'Amazon EC2 instances with Microsoft Windows Server end of support', 'This check alerts you if the versions are near or have reached the end of support.') -, ROW('Qsdfp3A4L3', 'en', 'Amazon EC2 instances with Microsoft SQL Server end of support', 'Checks the SQL Server versions for Amazon Elastic Compute Cloud (Amazon EC2) instances running in the past 24 hours.') -, ROW('Qsdfp3A4L2', 'en', 'Amazon EC2 instances consolidation for Microsoft SQL Server', 'Checks your Amazon Elastic Compute Cloud (Amazon EC2) instances that are running SQL Server in the past 24 hours.') -, ROW('Hs4Ma3G210', 'en', 'CloudFront distributions should have logging enabled', 'Checks to see if server access logging is enabled on Amazon CloudFront Distributions.') -, ROW('Hs4Ma3G331', 'en', 'S3 access points should have block public access settings enabled', 'Checks if an Amazon S3 access point has block public access settings enabled.') -, ROW('Hs4Ma3G211', 'en', 'S3 buckets with versioning enabled should have lifecycle policies configured', 'Checks if Amazon Simple Storage Service (Amazon S3) version enabled buckets have lifecycle policy configured.') -, ROW('Hs4Ma3G212', 'en', 'S3 buckets should have event notifications enabled', 'Checks if S3 Event Notifications are enabled on an S3 bucket.') -, ROW('Hs4Ma3G213', 'en', 'S3 access control lists (ACLs) should not be used to manage user access to buckets', 'Checks if S3 buckets allow user permissions via access check 
lists (ACLs).') -, ROW('Hs4Ma3G214', 'en', 'Network ACLs should not allow ingress from 0.', '') -, ROW('Hs4Ma3G215', 'en', 'Unused EC2 security groups should be removed', 'Checks that security groups are attached to Amazon EC2 instances or to an elastic network interface.') -, ROW('Hs4Ma3G216', 'en', 'ECR repositories should have at least one lifecycle policy configured', 'Checks if an ECR repository has at least one lifecycle policy configured.') -, ROW('Hs4Ma3G217', 'en', 'CodeBuild project environments should have a logging configuration', 'Checks if a CodeBuild project environment has at least one log option enabled.') -, ROW('qS7VV0l7J9', 'en', 'IAM Users', 'Checks for usage that is more than 80% of the IAM Users Limit.') + ROW('c18d2gz134', 'en', 'Amazon Redshift cluster audit logging', 'Checks if your Amazon Redshift clusters have database audit logging turned on') +, ROW('rSs93HQwa1', 'en', 'Amazon RDS Public Snapshots', 'Checks the permission settings for your Amazon Relational Database Service (Amazon RDS) DB snapshots and alerts you if any snapshots are marked as public') +, ROW('c18d2gz131', 'en', 'Amazon Aurora MySQL cluster backtracking not enabled', 'Checks if an Amazon Aurora MySQL cluster has backtracking enabled') +, ROW('dx3xfbjfMr', 'en', 'Route 53 Traffic Policies', 'Checks for usage that is more than 80% of the Route 53 Traffic Policies Limit per account') +, ROW('gH5CC0e3J9', 'en', 'EBS Cold HDD (sc1) Volume Storage', 'Checks for usage that is more than 80% of the EBS Cold HDD (sc1) Volume Storage Limit') +, ROW('c18d2gz138', 'en', 'Amazon DynamoDB Point-in-time Recovery', 'Checks if point-in time-recovery is enabled for your Amazon DynamoDB tables') +, ROW('c18d2gz135', 'en', 'Amazon Redshift cluster automated snapshots', 'Checks if automated snapshots are enabled for your Amazon Redshift clusters') +, ROW('c18d2gz136', 'en', 'Amazon DynamoDB Auto Scaling Not Enabled', 'Checks if your Amazon DynamoDB tables and global secondary indexes have 
auto scaling or on-demand enabled') +, ROW('cF171Db240', 'en', 'Amazon Route 53 Name Server Delegations', 'Checks for Amazon Route 53 hosted zones for which your domain registrar or DNS is not using the correct Route 53 name servers') +, ROW('c18d2gz122', 'en', 'Amazon VPC Without Flow Logs', 'Checks if Amazon VPC Flow Logs are created for a VPC') +, ROW('c18d2gz123', 'en', 'AWS Site-to-Site VPN has at least one Tunnel in DOWN Status', 'Checks the number of tunnels that are active for each of your AWS Site-to-Site VPNs') +, ROW('cG7HH0l7J9', 'en', 'EBS Magnetic (standard) Volume Storage', 'Checks for usage that is more than 80% of the EBS Magnetic (standard) Volume Storage Limit') +, ROW('c18d2gz121', 'en', 'Amazon SNS Topics Not Logging Message Delivery Status', 'Checks if Amazon Simple Notification Service (SNS) topics have message delivery status logging turned on') +, ROW('sU7XX0l7J9', 'en', 'IAM Group', 'Checks for usage that is more than 80% of the IAM Group Limit') +, ROW('c18d2gz128', 'en', 'Amazon ECR Repository Without Lifecycle Policy Configured', 'Checks if a private Amazon ECR repository has at least one lifecycle policy configured') +, ROW('c18d2gz129', 'en', 'Amazon ECR Repository With Tag Immutability Disabled', 'Checks if a private Amazon ECR repository has image tag immutability turned on') +, ROW('c18d2gz126', 'en', 'Amazon API Gateway REST APIs Without X-Ray Tracing Enabled', 'Checks if Amazon API Gateway REST APIs have AWS X-Ray tracing turned on') +, ROW('c18d2gz127', 'en', 'AWS Account Not Part of AWS Organizations', 'Checks if an AWS account is part of AWS Organizations under the appropriate management account') +, ROW('c18d2gz124', 'en', 'Amazon VPC Peering Connections With DNS Resolution Disabled', 'Checks if your VPC peering connections have DNS resolution turned on for both the acceptor and requester VPCs') +, ROW('c18d2gz125', 'en', 'Amazon API Gateway Not Logging Execution Logs', 'Checks if Amazon API Gateway has Amazon CloudWatch Logs 
turned on') +, ROW('COr6dfpM04', 'en', 'Amazon EBS under-provisioned volumes', 'Checks the Amazon Elastic Block Storage (Amazon EBS) volumes that were running at any time during the lookback period') +, ROW('COr6dfpM03', 'en', 'Amazon EBS over-provisioned volumes', 'Checks the Amazon Elastic Block Storage (Amazon EBS) volumes that were running at any time during the lookback period') +, ROW('jtlIMO3qZM', 'en', 'RDS Cluster Parameter Groups', 'Checks for usage that is more than 80% of the RDS Cluster Parameter Groups Limit') +, ROW('COr6dfpM06', 'en', 'AWS Lambda under-provisioned functions for memory size', 'Checks the AWS Lambda functions that were invoked at least once during the lookback period') +, ROW('COr6dfpM05', 'en', 'AWS Lambda over-provisioned functions for memory size', 'Checks the AWS Lambda functions that were invoked at least once during the lookback period') +, ROW('f2iK5R6Dep', 'en', 'Amazon RDS Multi-AZ', 'Checks for DB instances that are deployed in a single Availability Zone') +, ROW('jEhCtdJKOY', 'en', 'RDS Subnets per Subnet Group', 'Checks for usage that is more than 80% of the RDS Subnets per Subnet Group Limit') +, ROW('a2sEc6ILx', 'en', 'ELB Listener Security', 'Checks for load balancers with listeners that do not use recommended security configurations for encrypted communication') +, ROW('c18d2gz111', 'en', 'AWS CloudFormation Stack Notification', 'Checks if all of your AWS CloudFormation stacks use Amazon SNS to receive notifications when an event occurs') +, ROW('ePs02jT06w', 'en', 'Amazon EBS Public Snapshots', 'Checks the permission settings for your Amazon Elastic Block Store (Amazon EBS) volume snapshots and alerts you if any snapshots are publicly accessible') +, ROW('c18d2gz112', 'en', 'Amazon CloudFront Origin Failover', 'Checks that an origin group is configured for distributions that include two origins in Amazon CloudFront') +, ROW('R365s2Qddf', 'en', 'Amazon S3 Bucket Versioning', 'Checks for Amazon Simple Storage Service 
buckets that do not have versioning enabled, or have versioning suspended') +, ROW('c18d2gz110', 'en', 'Amazon CloudFront Access Log Configured', 'Checks if Amazon CloudFront distributions are configured to capture information from Amazon S3server access logs') +, ROW('Wxdfp4B1L2', 'en', 'AWS Well-Architected high risk issues for performance efficiency', 'Checks for high risk issues (HRIs) for your workloads in the performance pillar') +, ROW('c18d2gz119', 'en', 'Amazon S3 Bucket Replication Not Enabled', 'Checks if your Amazon S3 buckets have replication rules enabled for Cross-Region Replication, Same-Region Replication, or both') +, ROW('Wxdfp4B1L3', 'en', 'AWS Well-Architected high risk issues for security', 'Checks for high risk issues (HRIs) for your workloads in the security pillar') +, ROW('Wxdfp4B1L4', 'en', 'AWS Well-Architected high risk issues for reliability', 'Checks for high risk issues (HRIs) for your workloads in the Reliability pillar') +, ROW('c18d2gz117', 'en', 'Amazon EFS not in AWS Backup Plan', 'Checks if Amazon EFS file systems are included in backup plans with AWS Backup') +, ROW('c18d2gz115', 'en', 'AWS CodeDeploy Lambda is using all at-once deployment configuration', 'Checks if the AWS CodeDeploy deployment group for AWS Lambda compute platform is using all-at-once deployment configuration') +, ROW('c18d2gz113', 'en', 'AWS CodeBuild Project Logging', 'Checks If the AWS CodeBuild project environment uses logging') +, ROW('Wxdfp4B1L1', 'en', 'AWS Well-Architected high risk issues for cost optimization', 'Checks for high risk issues (HRIs) for your workloads in the cost optimization pillar') +, ROW('c18d2gz114', 'en', 'AWS CodeDeploy Auto Rollback and Monitor Enabled', 'Checks if the deployment group is configured with automatic deployment rollback and deployment monitoring with alarms attached') +, ROW('opQPADkZvH', 'en', 'Amazon RDS Backups', 'Checks for automated backups of Amazon RDS DB instances') +, ROW('vjafUGJ9H0', 'en', 'AWS 
CloudTrail Logging', 'Checks for your use of AWS CloudTrail') +, ROW('7fuccf1Mx7', 'en', 'RDS Cluster Roles', 'Checks for usage that is more than 80% of the RDS Cluster Roles Limit') +, ROW('c18d2gz100', 'en', 'Amazon S3 Bucket Lifecycle Policy Configured', 'Checks if an Amazon S3 bucket has a lifecycle policy configured') +, ROW('c18d2gz101', 'en', 'Amazon EC2 AutoScaling Group Multiple Availability Zone', 'Checks if the Amazon EC2 Auto Scaling group is deployed in multiple Availability Zones or the minimum number of Avalability Zones specified') +, ROW('528d6f5ee7', 'en', 'Gateway Load Balancer endpoint AZ independence', 'Checks if your Gateway Load Balancer endpoints are configured as route destination from another Availability Zone (AZ)') +, ROW('c2vlfg0p86', 'en', 'IAM SAML 2.0 Identity Provider', 'Checks if the AWS account is configured for access via an identity provider (IdP) that supports SAML 2') +, ROW('c18d2gz108', 'en', 'AWS Elastic Beanstalk Enhanced Health Reporting Is Not Configured', 'Checks if an AWS Elastic Beanstalk environment is configured for enhanced health reporting') +, ROW('c18d2gz109', 'en', 'Amazon CloudWatch Alarm action is disabled', 'Checks if your Amazon CloudWatch alarm action is in a disabled state') +, ROW('c18d2gz106', 'en', 'Amazon EBS Not Included in AWS Backup Plan', 'Check if Amazon Elastic Block Store (Amazon EBS) volumes are present in backup plans of AWS Backup') +, ROW('c18d2gz107', 'en', 'Amazon DynamoDB Table Not Included in Backup Plan', 'Checks whether Amazon DynamoDB table is part of AWS Backup plan') +, ROW('c18d2gz104', 'en', 'Amazon EC2 Auto Scaling Group does not have ELB Health Check Enabled', 'Checks if your Amazon EC2 Auto Scaling groups that are associated with a Classic Load Balancer are using Elastic Load Balancing (ELB) health checks') +, ROW('c18d2gz105', 'en', 'Network Load Balancers Cross Load Balancing', 'Checks if cross-zone load balancing is enabled on Network Load Balancers (NLBs)

Cross-zone load balancing ensures even distribution of incoming traffic across instances in different Availability Zones') +, ROW('hc0dfs7601', 'en', 'AWS CloudHSM clusters running HSM instances in a single AZ', 'Checks your clusters that run HSM instances in a single Availability Zone (AZ)') +, ROW('c18d2gz102', 'en', 'Amazon EC2 Auto Scaling Group is not Associated with a Launch Template', 'Checks if an Amazon EC2 Auto Scaling group is created from an EC2 launch template') +, ROW('c18d2gz103', 'en', 'Amazon EC2 Auto Scaling Group has Capacity Rebalancing Enabled', 'Checks if Capacity Rebalancing is enabled for Amazon EC2 Auto Scaling groups that use multiple instance types') +, ROW('7DAFEmoDos', 'en', 'MFA on Root Account', 'Checks the root account and warns if multi-factor authentication (MFA) is not enabled') +, ROW('Hs4Ma3G191', 'en', 'RDS cluster snapshots and database snapshots should be encrypted at rest', 'Checks if Amazon RDS cluster snapshots and database snapshots are encrypted') +, ROW('Hs4Ma3G192', 'en', 'RDS DB Instances should prohibit public access, determined by the PubliclyAccessible configuration', 'Checks if RDS instances are publicly accessible by evaluating the publiclyAccessible field in the instance configuration item') +, ROW('Hs4Ma3G193', 'en', 'RDS DB instances should have encryption at-rest enabled', 'Checks if storage encryption is enabled for your RDS DB instances') +, ROW('Hs4Ma3G194', 'en', 'RDS snapshot should be private', 'Checks if Amazon Relational Database Service (Amazon RDS) snapshots are public') +, ROW('B913Ef6fb4', 'en', 'Amazon Route 53 Alias Resource Record Sets', 'Checks for resource record sets that can be changed to alias resource record sets to improve performance and save money') +, ROW('Hs4Ma3G196', 'en', 'AWS Config should be enabled', 'Checks if the Config service is enabled in the account for the local region and is recording all resources') +, ROW('Chrv231ch1', 'en', 'Amazon Route53 Resolver Endpoint 
Availability Zone Redundancy', 'Checks to see if your service configuration has IP addresses specified in at least two Availability Zones (AZs) for redundancy')
+, ROW('Hs4Ma3G197', 'en', 'Amazon Elasticsearch Service domains should have encryption at-rest enabled', 'Checks whether Amazon Elasticsearch Service domains have encryption at rest configuration enabled')
+, ROW('Hs4Ma3G198', 'en', 'RDS DB instances should have deletion protection enabled', 'Checks if RDS DB instances have deletion protection enabled')
+, ROW('1iG5NDGVre', 'en', 'Security Groups - Unrestricted Access', 'Checks security groups for rules that allow unrestricted access to a resource')
+, ROW('Hs4Ma3G190', 'en', 'RDS clusters should have deletion protection enabled', 'Checks if RDS clusters have deletion protection enabled')
+, ROW('nNauJisYIT', 'en', 'Amazon RDS Security Group Access Risk', 'Checks security group configurations for Amazon Relational Database Service (Amazon RDS) and warns when a security group rule might grant overly permissive access to your database')
+, ROW('Hs4Ma3G188', 'en', 'GuardDuty should be enabled', 'Checks if Amazon GuardDuty is enabled in your AWS account and region')
+, ROW('Hs4Ma3G189', 'en', 'Enhanced monitoring should be configured for RDS DB instances', 'Checks if enhanced monitoring is enabled for your RDS DB instances')
+, ROW('1e93e4c0b5', 'en', 'Amazon EC2 Reserved Instance Lease Expiration', 'Checks for Amazon EC2 Reserved Instances that are scheduled to expire within the next 30 days or have expired in the preceding 30 days')
+, ROW('C056F80cR3', 'en', 'Amazon Route 53 High TTL Resource Record Sets', 'Checks for resource record sets that can benefit from having a lower time-to-live (TTL) value')
+, ROW('6gtQddfEw6', 'en', 'DynamoDB Read Capacity', 'Checks for usage that is more than 80% of the DynamoDB Provisioned Throughput Limit for Reads per Account')
+, ROW('Hs4Ma3G199', 'en', 'Database logging should be enabled', 'Checks if the following Amazon 
RDS logs are enabled and sent to CloudWatch Logs: Oracle: (Alert, Audit, Trace, Listener), PostgreSQL: (Postgresql, Upgrade), MySQL: (Audit, Error, General, SlowQuery), MariaDB: (Audit, Error, General, SlowQuery), SQL Server: (Error, Agent), Aurora: (Audit, Error, General, SlowQuery), Aurora-MySQL: (Audit, Error, General, SlowQuery), Aurora-PostgreSQL: (Postgresql)')
+, ROW('c1dfptbg10', 'en', 'NAT Gateway AZ Independence', 'Checks if your NAT Gateways are configured with Availability Zone (AZ) independence')
+, ROW('c1dfptbg11', 'en', 'Single AZ Application Check', 'Checks through network patterns if your egress network traffic is routing through a single Availability Zone (AZ)')
+, ROW('XG0aXHpIEt', 'en', 'RDS DB Instances', 'Checks for usage that is more than 80% of the RDS DB Instances Limit')
+, ROW('Hs4Ma3G290', 'en', 'ElastiCache clusters should not use the default subnet group', 'Checks if ElastiCache clusters are configured with a custom subnet group')
+, ROW('Hs4Ma3G170', 'en', 'S3 Block Public Access setting should be enabled', 'Checks if the following public access block settings are configured from account level: ignorePublicAcls: True, blockPublicPolicy: True, blockPublicAcls: True, restrictPublicBuckets: True')
+, ROW('Hs4Ma3G291', 'en', 'Elastic Beanstalk should stream logs to CloudWatch', 'Checks if an AWS Elastic Beanstalk environment is configured to send logs to CloudWatch Logs')
+, ROW('Hs4Ma3G171', 'en', 'S3 buckets should prohibit public read access', 'Checks if your S3 buckets allow public read access by evaluating the Block Public Access settings, the bucket policy, and the bucket access check list (ACL)')
+, ROW('Hs4Ma3G292', 'en', 'Redshift clusters should be encrypted at rest', 'Checks if an Amazon Redshift cluster is encrypted at rest')
+, ROW('Hs4Ma3G172', 'en', 'S3 buckets should prohibit public write access', 'Checks if your S3 buckets allow public write access by evaluating the Block Public Access settings, the bucket policy, and 
the bucket access check list (ACL)')
+, ROW('Hs4Ma3G293', 'en', 'Step Functions state machines should have logging turned on', 'This controls assesses if an AWS Step Functions state machine has logging turned on')
+, ROW('Hs4Ma3G173', 'en', 'S3 Block Public Access setting should be enabled at the bucket-level', 'Checks if Amazon S3 buckets have bucket level public access blocks applied')
+, ROW('Hs4Ma3G294', 'en', 'Athena workgroups should be encrypted at rest', 'Checks if an Athena workgroup is encrypted at rest')
+, ROW('c1z7dfpz01', 'en', 'Amazon ECS service using a single AZ', 'Checks that your service configuration uses a single Availability Zone (AZ)')
+, ROW('Hs4Ma3G174', 'en', 'CodeBuild GitHub or Bitbucket source repository URLs should use OAuth', 'Checks if the GitHub or Bitbucket source repository URL contains either personal access tokens or user name and password')
+, ROW('Hs4Ma3G295', 'en', 'Amazon DocumentDB clusters should be encrypted at rest', 'Checks if an Amazon DocumentDB cluster is encrypted at rest')
+, ROW('c1z7dfpz02', 'en', 'Amazon ECS Multi-AZ placement strategy', 'Checks that your Amazon ECS service uses the spread placement strategy based on availability zone')
+, ROW('Hs4Ma3G175', 'en', 'CodeBuild project environment variables should not contain clear text credentials', 'Checks if the project contains environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY')
+, ROW('Hs4Ma3G296', 'en', 'Neptune DB clusters should be encrypted at rest', 'Checks if a Neptune DB cluster is encrypted at rest')
+, ROW('CLOG40CDO8', 'en', 'Auto Scaling Group Health Check', 'Examines the health check configuration for Auto Scaling groups')
+, ROW('Hs4Ma3G176', 'en', 'ACM certificates should be renewed after a specified time period', 'Checks if ACM Certificates in your account are marked for expiration within a specified time period')
+, ROW('Hs4Ma3G297', 'en', 'Neptune DB clusters should publish audit logs to CloudWatch Logs', 'Checks if a Neptune DB 
cluster publishes audit logs to Amazon CloudWatch Logs')
+, ROW('aW9HH0l8J6', 'en', 'EC2-Classic Elastic IP Addresses', 'Checks for usage that is more than 80% of the EC2-Classic Elastic IP Addresses Limit')
+, ROW('iK7OO0l7J9', 'en', 'ELB Classic Load Balancers', 'Checks for usage that is more than 80% of the ELB Classic Load Balancers')
+, ROW('wH7DD0l3J9', 'en', 'EBS Throughput Optimized HDD (st1) Volume Storage', 'Checks for usage that is more than 80% of the EBS Throughput Optimized HDD (st1) Volume Storage Limit')
+, ROW('c2vlfg0p1w', 'en', 'Application Load Balancer Target Groups encrypted protocol', 'Checks Application Load Balancer (ALB) target groups are using HTTPS protocol to encrypt communication in transit for back-end target types of instance or IP')
+, ROW('Hs4Ma3G166', 'en', 'An RDS event notifications subscription should be configured for critical cluster events', 'Checks if an Amazon RDS Event subscription for RDS clusters is configured to notify on event categories of both "maintenance" and "failure"')
+, ROW('Hs4Ma3G287', 'en', 'ElastiCache replication groups should have encryption-at-rest enabled', 'Checks if ElastiCache replication groups have encryption-at-rest enabled')
+, ROW('Hs4Ma3G288', 'en', 'ElastiCache replication groups should have encryption-in-transit enabled', 'Checks if ElastiCache replication groups have encryption-in-transit enabled')
+, ROW('Hs4Ma3G168', 'en', 'S3 buckets should require requests to use Secure Socket Layer', 'Checks if S3 buckets have policies that require requests to use Secure Socket Layer (SSL)')
+, ROW('Hs4Ma3G289', 'en', 'ElastiCache replication groups of earlier Redis versions should have Redis AUTH enabled', 'Checks if ElastiCache replication groups have Redis AUTH enabled')
+, ROW('Hs4Ma3G169', 'en', 'S3 permissions granted to other AWS accounts in bucket policies should be restricted', 'Checks if the S3 bucket policy allows sensitive bucket-level or object-level actions from a principal in another AWS 
account')
+, ROW('Hs4Ma3G180', 'en', 'Amazon Elasticsearch Service domain error logging to CloudWatch Logs should be enabled', 'Checks whether Amazon Elasticsearch Service domains are configured to send error logs to CloudWatch Logs')
+, ROW('Hs4Ma3G181', 'en', 'Classic Load Balancers with SSL/HTTPS listeners should use a certificate provided by AWS Certificate Manager', 'Checks if a Classic Load Balancer uses HTTPS/SSL certificates provided by AWS Certificate Manager')
+, ROW('1qazXsw23e', 'en', 'Amazon Relational Database Service (RDS) Reserved Instance Optimization', 'Checks your usage of RDS and provides recommendations on purchase of Reserved Instances to help reduce costs incurred from using RDS On-Demand')
+, ROW('Hs4Ma3G182', 'en', 'Classic Load Balancer listeners should be configured with HTTPS or TLS termination', 'Checks if your Classic Load Balancer listeners are configured with HTTPS or TLS protocol for front-end (client to load balancer) connections')
+, ROW('Hs4Ma3G183', 'en', 'Application load balancer should be configured to drop http headers', 'This check evaluates AWS Application Load Balancers (ALB) to ensure they are configured to drop http headers')
+, ROW('Hs4Ma3G184', 'en', 'Application and Classic Load Balancers logging should be enabled', 'Checks if the Application Load Balancer and the Classic Load Balancer have logging enabled')
+, ROW('Hs4Ma3G185', 'en', 'IAM customer managed policies that you create should not allow wildcard actions for services', 'Checks if the IAM identity-based custom policies have Allow statements that grant permissions for all actions on a service')
+, ROW('Hs4Ma3G186', 'en', 'AWS WAF Classic Global Web ACL logging should be enabled', 'Checks if logging is enabled for a WAF global Web ACL')
+, ROW('Hs4Ma3G187', 'en', 'Connections to Amazon Elasticsearch Service domains should be encrypted using TLS 1.2', 'Checks whether connections to Amazon Elasticsearch Service domains are required to use TLS 1')
+, 
ROW('Cmsvnj8db1', 'en', 'Amazon RDS ReplicaLag', 'Checks to see if the ReplicaLag CloudWatch metric for an RDS database instance has increased above an operationally reasonable threshold over the past day')
+, ROW('Cmsvnj8db2', 'en', 'Amazon RDS FreeStorageSpace', 'Checks to see if the FreeStorageSpace CloudWatch metric for an RDS database instance has decreased below an operationally reasonable threshold')
+, ROW('Cmsvnj8db3', 'en', 'Amazon RDS DiskQueueDepth', 'Checks to see if the CloudWatch metric DiskQueueDepth shows that number of queued writes to the RDS Instance database storage has grown to a level where an operational investigation should be suggested')
+, ROW('hjLMh88uM8', 'en', 'Idle Load Balancers', 'Checks your Elastic Load Balancing configuration for load balancers that are not actively used')
+, ROW('Hs4Ma3G177', 'en', 'Auto scaling groups associated with a load balancer should use load balancer health checks', 'Checks if your Auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks')
+, ROW('Hs4Ma3G298', 'en', 'Neptune DB cluster snapshots should not be public', 'Checks if a Neptune manual DB cluster snapshot is public')
+, ROW('Hs4Ma3G178', 'en', 'Security groups should only allow unrestricted incoming traffic for authorized ports', 'Checks if the security groups allow unrestricted incoming traffic')
+, ROW('Hs4Ma3G299', 'en', 'Neptune DB clusters should have deletion protection enabled', 'Checks if a Neptune DB cluster has deletion protection enabled')
+, ROW('Cmsvnj8vf1', 'en', 'Amazon MSK brokers hosting too many partitions', 'Checks that the brokers of a Managed Streaming for Kafka (MSK) Cluster do not have more than the recommended number of partitions assigned')
+, ROW('Hs4Ma3G179', 'en', 'SNS topics should be encrypted at-rest using AWS KMS', 'Checks if an Amazon SNS topic is encrypted at rest using AWS KMS')
+, ROW('c2vlfg0k35', 'en', 'Inactive Gateway Load Balancer endpoints', 'Checks 
your Gateway Load Balancer endpoints and warns when they appear to be inactive')
+, ROW('gI7MM0l7J2', 'en', 'EBS Provisioned IOPS SSD (io2) Volume Storage', 'Checks for usage that is more than 80% of the EBS Provisioned IOPS SSD (io2) Volume Storage Limit')
+, ROW('EM8b3yLRTr', 'en', 'ELB Application Load Balancers', 'Checks for usage that is more than 80% of the ELB Application Load Balancers Limit')
+, ROW('7040ea389a', 'en', 'Network Firewall endpoint Independence', 'Checks if your AWS Network Firewall endpoints are configured as a route destination from another Availability Zone (AZ)')
+, ROW('gI7MM0l7J9', 'en', 'EBS Provisioned IOPS SSD (io1) Volume Storage', 'Checks for usage that is more than 80% of the EBS Provisioned IOPS SSD (io1) Volume Storage Limit')
+, ROW('Ti39halfu8', 'en', 'Amazon RDS Idle DB Instances', 'Checks the configuration of your Amazon Relational Database Service (Amazon RDS) for any DB instances that appear to be idle')
+, ROW('1qw23er45t', 'en', 'Amazon Redshift Reserved Node Optimization', 'Checks your usage of Redshift and provides recommendations on purchase of Reserved Nodes to help reduce costs incurred from using Redshift On-Demand')
+, ROW('Cb877eB72b', 'en', 'Amazon Route 53 Deleted Health Checks', 'Checks for resource record sets that are associated with health checks that have been deleted')
+, ROW('796d6f3D83', 'en', 'CloudFront Content Delivery Optimization', 'Checks for cases where data transfer from Amazon Simple Storage Service (Amazon S3) buckets could be accelerated by using Amazon CloudFront, the AWS global content delivery service')
+, ROW('c15vnddn2x', 'en', 'Amazon DocumentDB Single-AZ clusters', 'Checks if there are Amazon DocumentDB clusters configured as Single-AZ')
+, ROW('Cm24dfsM13', 'en', 'Amazon Comprehend Endpoint Access Risk', 'Checks the AWS Key Management Service (AWS KMS) key permissions for an endpoint where the underlying model was encrypted by using customer managed keys')
+, ROW('Cm24dfsM12', 'en', 
'Amazon Comprehend Underutilized Endpoints', 'Checks the throughput configuration of your endpoints')
+, ROW('bW7HH0l7J9', 'en', 'Kinesis Shards per Region', 'Checks for usage that is more than 80% of the Kinesis Shards per Region Limit')
+, ROW('dx3xfcdfMr', 'en', 'Route 53 Hosted Zones', 'Checks for usage that is more than 80% of the Route 53 Hosted Zones Limit per account')
+, ROW('PPkZrjsH2q', 'en', 'Amazon EBS Provisioned IOPS (SSD) Volume Attachment Configuration', 'Checks for Provisioned IOPS (SSD) volumes that are attached to an Amazon EBS-optimizable Amazon Elastic Compute Cloud (Amazon EC2) instance that is not EBS-optimized')
+, ROW('lN7RR0l7J9', 'en', 'EC2-VPC Elastic IP Address', 'Checks for usage that is more than 80% of the EC2-VPC Elastic IP Address Limit')
+, ROW('Z4AUBRNSmz', 'en', 'Unassociated Elastic IP Addresses', 'Checks for Elastic IP addresses (EIPs) that are not associated with a running Amazon Elastic Compute Cloud (Amazon EC2) instance')
+, ROW('Qch7DwouX1', 'en', 'Low Utilization Amazon EC2 Instances', 'Checks the Amazon Elastic Compute Cloud (Amazon EC2) instances that were running at any time during the last 14 days and alerts you if the daily CPU utilization was 10% or less and network I/O was 5 MB or less on 4 or more days')
+, ROW('G31sQ1E9U', 'en', 'Underutilized Amazon Redshift Clusters', 'Checks your Amazon Redshift configuration for clusters that appear to be underutilized')
+, ROW('h3L1otH3re', 'en', 'Amazon ElastiCache Reserved Node Optimization', 'Checks your usage of ElastiCache and provides recommendations on purchase of Reserved Nodes to help reduce costs incurred from using ElastiCache On-Demand')
+, ROW('N430c450f2', 'en', 'CloudFront SSL Certificate on the Origin Server', 'Checks your origin server for SSL certificates that are expired, about to expire, missing, or that use outdated encryption')
+, ROW('3Njm0DJQO9', 'en', 'RDS Option Groups', 'Checks for usage that is more than 80% of the RDS Option Groups Limit')
+, 
ROW('tV7YY0l7J9', 'en', 'EBS Provisioned IOPS (SSD) Volume Aggregate IOPS', 'Checks for usage that is more than 80% of the EBS Provisioned IOPS (SSD) Volume Aggregate IOPS Limit')
+, ROW('cIdfp1js9r', 'en', 'Number of AWS Regions in an Incident Manager replication set', 'Checks that an Incident Manager replication set''s configuration uses more than one AWS Region to support regional failover and response')
+, ROW('7qGXsKIUw', 'en', 'CLB Connection Draining', 'Checks for Classic load balancers that do not have connection draining enabled')
+, ROW('c1qf5bt010', 'en', 'Amazon RDS DB instances in the clusters with heterogeneous parameter groups', 'We recommend that all of the DB instances in the DB cluster use the same DB parameter group')
+, ROW('c1qf5bt014', 'en', 'Amazon RDS resources major versions update is required', 'Databases with the current major version for the DB engine won''t be supported')
+, ROW('c1qf5bt013', 'en', 'Amazon RDS DB instances have storage autoscaling turned off', 'Amazon RDS storage autoscaling isn''t turned on for your DB instance')
+, ROW('c1qf5bt012', 'en', 'Amazon RDS Performance Insights is turned off', 'Amazon RDS Performance Insights monitors your DB instance load to help you analyze and resolve database performance issues')
+, ROW('c1qf5bt011', 'en', 'Amazon RDS DB clusters have one DB instance', 'Add at least another DB instance to the DB cluster, to improve availability and performance')
+, ROW('UUDvOa5r34', 'en', 'RDS Reserved Instances', 'Checks for usage that is more than 80% of the RDS Reserved Instances Limit')
+, ROW('oQ7TT0l7J9', 'en', 'IAM Roles', 'Checks for usage that is more than 80% of the IAM Roles Limit')
+, ROW('c1dvkm4z6b', 'en', 'Amazon ECS AWSLogs driver in blocking mode', 'Checks for Amazon ECS task definitions configured with the AWSLogs logging driver in blocking mode')
+, ROW('c1dfprch05', 'en', 'AWS Lambda On Failure Event Destinations', 'Checks that Lambda functions in your account have On Failure event 
destination or Dead Letter Queue (DLQ) configured for asynchronous invocations, so that records from failed invocations can be routed to a destination for further investigation or processing')
+, ROW('c1qf5bt018', 'en', 'Amazon RDS DB clusters with all reader instances in the same Availability Zone', 'Your DB cluster has all the reader instances in the same Availability Zone')
+, ROW('c1qf5bt017', 'en', 'Amazon RDS DB clusters support only up to 64 TiB volume', 'Your DB clusters support volumes up to 64 TiB')
+, ROW('c1dfprch07', 'en', 'Lambda Code Storage Usage', 'Checks for code storage usage that is more than 80% of the account limit')
+, ROW('c1qf5bt016', 'en', 'Amazon RDS resources using end of support engine edition under license-included', 'We recommend that you upgrade the major version to the latest engine version supported by Amazon RDS to continue with the current license support')
+, ROW('c1dfprch08', 'en', 'ALB Multi-AZ', 'Checks whether your Application Load Balancers (ALB) are configured to use more than one Availability Zone (AZ)')
+, ROW('c1qf5bt015', 'en', 'Amazon RDS resources instance class update is required', 'Your database is running a previous generation DB instance class')
+, ROW('c1dfprch01', 'en', 'Amazon EFS No Mount Target Redundancy', 'Checks if mount targets exist in multiple Availability Zones for an Amazon EFS file system')
+, ROW('c1dfprch02', 'en', 'Amazon EFS Throughput Mode Optimization', 'Checks whether the customer''s Amazon EFS file system is currently configured to use Bursting Throughput mode')
+, ROW('c1qf5bt019', 'en', 'Amazon RDS DB instances not using Multi-AZ deployment', 'We recommend that you use Multi-AZ deployment')
+, ROW('c1dfprch09', 'en', 'NLB Multi-AZ', 'Checks whether your Network Load Balancers (NLB) are configured to use more than one Availability Zone (AZ)')
+, ROW('c1qf5bt003', 'en', 'Amazon RDS engine minor version upgrade is required', 'Your database resources aren''t running the latest minor DB engine 
version')
+, ROW('S45wrEXrLz', 'en', 'VPN Tunnel Redundancy', 'Checks the number of tunnels that are active for each of your Site-to-Site VPNs')
+, ROW('c1qf5bt001', 'en', 'Amazon RDS resource Automated backups is turned off', 'Automated backups are disabled on your DB resources')
+, ROW('c1qf5bt000', 'en', 'Amazon RDS magnetic volume is in use', 'Your DB instances are using magnetic storage')
+, ROW('c2vlfg0jp6', 'en', 'Inactive VPC interface endpoints', 'Checks your VPC interface endpoints and warns when the endpoints appear to be inactive')
+, ROW('c1dfprch10', 'en', 'VPC interface endpoint network interfaces in multiple-AZs', 'Checks whether your AWS PrivateLink VPC interface endpoints are configured to use more than one Availability Zone (AZ)')
+, ROW('c1qf5bt007', 'en', 'Amazon RDS DB clusters with all instances in the same Availability Zone', 'The DB clusters are currently in a single Availability Zone')
+, ROW('c1qf5bt006', 'en', 'Amazon RDS storage encryption is turned off', 'Amazon RDS supports encryption at rest for all the database engines by using the keys which you manage in AWS Key Management Service (KMS)')
+, ROW('c1qf5bt005', 'en', 'Amazon RDS Aurora storage encryption is turned off', 'Amazon RDS supports encryption at rest for all the database engines by using the keys that you manage in AWS Key Management Service (AWS KMS)')
+, ROW('c1qf5bt004', 'en', 'Amazon RDS Enhanced Monitoring is turned off', 'Your database resources don''t have Enhanced Monitoring turned on')
+, ROW('c1t3k8mqv1', 'en', 'ActiveMQ Availability Zone Redundancy.', 'Checks that Amazon MQ for ActiveMQ brokers are configured for high availability with an active/standby broker in multiple Availability Zones')
+, ROW('Cjxm268ch1', 'en', 'Auto Scaling Available IPs in Subnets', 'Checks that sufficient available IPs remain among targeted Subnets')
+, ROW('jEECYg2YVU', 'en', 'RDS DB Parameter Groups', 'Checks for usage that is more than 80% of the RDS DB Parameter Groups Limit')
+, 
ROW('c1qf5bt009', 'en', 'Amazon RDS DB instances in the clusters with heterogeneous instance classes', 'We recommend that you use the same DB instance class and size for all the DB instances in your DB cluster')
+, ROW('c1dfprch15', 'en', 'Amazon EC2 instances with Ubuntu LTS end of standard support', 'This check alerts you if the versions are near or have reached the end of standard support')
+, ROW('c1qf5bt008', 'en', 'Amazon RDS DB instances in the clusters with heterogeneous instance sizes', 'We recommend that you use the same DB instance class and size for all the DB instances in your DB cluster')
+, ROW('c1t3k8mqv2', 'en', 'RabbitMQ Availability Zone Redundancy.', 'Checks that Amazon MQ for RabbitMQ brokers are configured for high availability with cluster instances in multiple Availability Zones')
+, ROW('c1qf5bt032', 'en', 'Amazon RDS innodb_stats_persistent parameter is turned off', 'Your DB instance isn''t configured to persist the InnoDB statistics to the disk')
+, ROW('c1qf5bt031', 'en', 'Amazon RDS sync_binlog parameter is turned off', 'The synchronization of the binary log to disk isn''t enforced before the transaction commits are acknowledged in your DB instance')
+, ROW('c1qf5bt030', 'en', 'Amazon RDS innodb_flush_log_at_trx parameter is turned off', 'The value of the innodb_flush_log_at_trx_commit parameter of your DB instance isn''t safe value')
+, ROW('MDBdfsQ401', 'en', 'Amazon MemoryDB Multi-AZ clusters', 'Checks for MemoryDB clusters that deploy in a single Availability Zone (AZ)')
+, ROW('c1qf5bt036', 'en', 'Amazon RDS innodb_default_row_format parameter setting is unsafe', 'Your DB instance encounters a known issue: A table created in a MySQL version lower than 8')
+, ROW('c1qf5bt035', 'en', 'Amazon RDS Read Replicas are open in writable mode', 'Your DB instance has a read replica in writable mode, which allows updates from clients')
+, ROW('c1qf5bt034', 'en', 'Amazon RDS max_user_connections parameter is low', 'Your DB instance has a low 
value for the maximum number of simultaneous connections for each database account')
+, ROW('c1qf5bt033', 'en', 'Amazon RDS innodb_open_files parameter is low', 'The innodb_open_files parameter controls the number of files InnoDB can open at one time')
+, ROW('Bh2xRR2FGH', 'en', 'Amazon EC2 to EBS Throughput Optimization', 'Checks for Amazon EBS volumes whose performance might be affected by the maximum throughput capability of the Amazon EC2 instance they are attached to')
+, ROW('c1qf5bt039', 'en', 'Amazon RDS instance under-provisioned for system capacity', 'Checks whether Amazon RDS instance or Amazon Aurora DB instance has the required system capacity to operate')
+, ROW('iH7PP0l7J9', 'en', 'EC2 Reserved Instance Leases', 'Checks for usage that is more than 80% of the EC2 Reserved Instance Leases Limit')
+, ROW('c1qf5bt038', 'en', 'Amazon Aurora DB cluster under-provisioned for read workload', 'Checks whether Amazon Aurora DB cluster has the resources to support a read workload')
+, ROW('c1qf5bt037', 'en', 'Amazon RDS general_logging parameter is turned on', 'The general logging is turned on for your DB instance')
+, ROW('51fC20e7I2', 'en', 'Amazon Route 53 Latency Resource Record Sets', 'Checks for Amazon Route 53 latency record sets that are configured inefficiently')
+, ROW('c1qf5bt021', 'en', 'Amazon RDS InnoDB_Change_Buffering parameter using less than optimum value', 'Change buffering allows a MySQL DB instance to defer a few writes, which are required to maintain secondary indexes')
+, ROW('hJ7NN0l7J9', 'en', 'SES Daily Sending Quota', 'Checks for usage that is more than 80% of the SES Daily Sending Quota Limit')
+, ROW('c1qf5bt020', 'en', 'Amazon RDS DB memory parameters are diverging from default', 'The memory parameters of the DB instances are significantly different from the default values')
+, ROW('c1qf5bt025', 'en', 'Amazon RDS autovacuum parameter is turned off', 'The autovacuum parameter is turned off for your DB instances')
+, ROW('c1qf5bt024', 
'en', 'Amazon RDS parameter groups not using huge pages', 'Large pages can increase database scalability, but your DB instance isn''t using large pages')
+, ROW('c1qf5bt023', 'en', 'Amazon RDS log_output parameter is set to table', 'When log_output is set to TABLE, more storage is used than when log_output is set to FILE')
+, ROW('c1qf5bt022', 'en', 'Amazon RDS query cache parameter is turned on', 'When changes require that your query cache is purged, your DB instance will appear to stall')
+, ROW('Yw2K9puPzl', 'en', 'IAM Password Policy', 'Checks the password policy for your account and warns when a password policy is not enabled, or if password content requirements have not been enabled')
+, ROW('dx8afcdfMr', 'en', 'Route 53 Traffic Policy Instances', 'Checks for usage that is more than 80% of the Route 53 Traffic Policy Instances Limit per account')
+, ROW('c1qf5bt029', 'en', 'Amazon RDS enable_indexscan parameter is turned off', 'The query planner or optimizer can''t use the index scan plan type when it is turned off')
+, ROW('c1qf5bt028', 'en', 'Amazon RDS enable_indexonlyscan parameter is turned off', 'The query planner or optimizer can''t use the index-only scan plan type when it is turned off')
+, ROW('c1qf5bt027', 'en', 'Amazon RDS track_counts parameter is turned off', 'When the track_counts parameter is turned off, the database doesn''t collect the database activity statistics')
+, ROW('c1qf5bt026', 'en', 'Amazon RDS synchronous_commit parameter is turned off', 'When synchronous_commit parameter is turned off, data can be lost in a database crash')
+, ROW('aW7HH0l7J9', 'en', 'Auto Scaling Launch Configurations', 'Checks for usage that is more than 80% of the Auto Scaling Launch Configurations Limit')
+, ROW('xSqX82fQu', 'en', 'Classic Load Balancer Security Groups', 'Checks for classic load balancers configured with a security group that allows access to ports that are not configured for the load balancer')
+, ROW('b73EEdD790', 'en', 'Amazon Route 53 
Failover Resource Record Sets', 'Checks for Amazon Route 53 failover resource record sets that are misconfigured')
+, ROW('Hs4Ma3G306', 'en', 'Amazon DocumentDB manual cluster snapshots should not be public', 'Checks if an Amazon DocumentDB manual snapshot is public')
+, ROW('N425c450f2', 'en', 'CloudFront Custom SSL Certificates in the IAM Certificate Store', 'Checks the SSL certificates for CloudFront alternate domain names in the IAM certificate store and alerts you if the certificate is expired, will soon expire, uses outdated encryption, or is not configured correctly for the distribution')
+, ROW('Hs4Ma3G307', 'en', 'Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs', 'Checks if a DocumentDB cluster publishes audit logs to Amazon CloudWatch Logs')
+, ROW('Hs4Ma3G308', 'en', 'Amazon DocumentDB clusters should have deletion protection enabled', 'Checks if an Amazon Document DB cluster has deletion protection enabled')
+, ROW('Hs4Ma3G309', 'en', 'DMS replication instances should have automatic minor version upgrade enabled', 'Checks if automatic minor version upgrade is enabled for an AWS DMS replication instance')
+, ROW('L4dfs2Q4C5', 'en', 'AWS Lambda Functions Using Deprecated Runtimes', 'Checks for Lambda functions whose $LATEST version is configured to use a runtime that is approaching deprecation, or is deprecated')
+, ROW('L4dfs2Q4C6', 'en', 'AWS Lambda VPC-enabled Functions without Multi-AZ Redundancy', 'Checks the $LATEST version of VPC-enabled Lambda functions that are vulnerable to service interruption in a single Availability Zone')
+, ROW('Hs4Ma3G300', 'en', 'Neptune DB cluster snapshots should be encrypted at rest', 'Checks if a Neptune DB cluster snapshot is encrypted at rest')
+, ROW('Hs4Ma3G301', 'en', 'Neptune DB clusters should have IAM database authentication enabled', 'Checks if a Neptune DB cluster has IAM database authentication enabled')
+, ROW('Hs4Ma3G302', 'en', 'Neptune DB clusters should be configured to copy 
tags to snapshots', 'Checks if a Neptune DB cluster is configured to copy tags to snapshots when the snapshots are created')
+, ROW('Hs4Ma3G303', 'en', 'RDS DB clusters should be encrypted at rest', 'Checks if an RDS DB cluster is encrypted at rest')
+, ROW('Hs4Ma3G304', 'en', 'ECS task definitions should have a logging configuration', 'Checks if the latest active Amazon ECS task definition has a logging configuration specified')
+, ROW('Hs4Ma3G305', 'en', 'Network Firewall logging should be enabled', 'Checks if logging is enabled for an AWS Network Firewall firewall')
+, ROW('N420c450f2', 'en', 'CloudFront Alternate Domain Names', 'Checks Amazon CloudFront distributions for alternate domain names (CNAMES) that have incorrectly configured DNS settings')
+, ROW('Hs4Ma3G317', 'en', 'AWS AppSync GraphQL APIs should not be authenticated with API keys', 'Checks if your application uses an API key to interact with an AWS AppSync GraphQL API')
+, ROW('Hs4Ma3G318', 'en', 'AWS Backup recovery points should be encrypted at rest', 'Checks if an AWS Backup recovery point is encrypted at rest')
+, ROW('Hs4Ma3G319', 'en', 'Network Firewall firewalls should have deletion protection enabled', 'Checks if an AWS Network Firewall firewall has deletion protection enabled')
+, ROW('Hs4Ma3G310', 'en', 'DMS replication tasks for the target database should have logging enabled', 'Checks if logging is enabled with the minimum severity level of LOGGER_SEVERITY_DEFAULT for DMS replication task events TARGET_APPLY and TARGET_LOAD')
+, ROW('Hs4Ma3G311', 'en', 'DMS replication tasks for the source database should have logging enabled', 'The check assesses if logging is enabled with the minimum severity level of LOGGER_SEVERITY_DEFAULT for DMS replication task events SOURCE_CAPTURE and SOURCE_UNLOAD')
+, ROW('Hs4Ma3G312', 'en', 'DMS endpoints should use SSL', 'Checks if an AWS DMS endpoint uses an SSL connection')
+, ROW('Hs4Ma3G313', 'en', 'EventBridge custom event buses should have a 
resource-based policy attached', 'Checks if an Amazon EventBridge custom event bus has a resource policy attached')
+, ROW('Hs4Ma3G314', 'en', 'Route 53 public hosted zones should log DNS queries', 'Checks if DNS query logging is enabled for an Amazon Route 53 public hosted zone')
+, ROW('Hs4Ma3G315', 'en', 'Aurora MySQL DB clusters should publish audit logs to CloudWatch Logs', 'Checks if an Amazon Aurora MySQL DB cluster is configured to publish audit logs to Amazon CloudWatch Logs')
+, ROW('Hs4Ma3G316', 'en', 'RDS DB clusters should have automatic minor version upgrade enabled', 'Checks if automatic minor version upgrade is enabled for an Amazon RDS database cluster')
+, ROW('c243hjzrhn', 'en', 'AWS Outposts Single Rack Deployment', 'Checks for Outposts Racks balance that will evaluate if a customers Outposts instances are deployed across multiple Outposts Racks or if deployed to a single Outpost Rack')
+, ROW('8wIqYSt25K', 'en', 'ELB Network Load Balancers', 'Checks for usage that is more than 80% of the ELB Network Load Balancers Limit')
+, ROW('L4dfs2Q3C2', 'en', 'AWS Lambda Functions with High Error Rates', 'Checks for Lambda functions with high error rates that may result in high cost')
+, ROW('L4dfs2Q3C3', 'en', 'AWS Lambda Functions with Excessive Timeouts', 'Checks for Lambda functions with high timeout rates that may result in high cost')
+, ROW('ru4xfcdfMr', 'en', 'Route 53 Max Health Checks', 'Checks for usage that is more than 80% of the Route 53 Health Checks Limit per account')
+, ROW('dV84wpqRUs', 'en', 'RDS DB Manual Snapshots', 'Checks for usage that is more than 80% of the RDS DB Manual Snapshots Limit')
+, ROW('xuy7H1avtl', 'en', 'Amazon Aurora DB Instance Accessibility', 'Checks for cases where an Amazon Aurora DB cluster has both private and public instances')
+, ROW('RH23stmM01', 'en', 'AWS Resilience Hub resilience scores', 'Checks if you have run an assessment for your applications in Resilience Hub')
+, ROW('RH23stmM02', 'en', 'AWS 
Resilience Hub policy breached', 'Checks Resilience Hub for applications that don''t meet the recovery time objective (RTO) and recovery point objective (RPO) that the policy defines') +, ROW('RH23stmM03', 'en', 'AWS Resilience Hub assessment age', 'Checks how long since you last ran an application assessment') +, ROW('RH23stmM04', 'en', 'AWS Resilience Hub Application Component check', 'Checks if an Application Component (AppComponent) in your application is unrecoverable') +, ROW('DqdJqYeRm5', 'en', 'IAM Access Key Rotation', 'Checks for active IAM access keys that have not been rotated in the last 90 days') +, ROW('kM7QQ0l7J9', 'en', 'VPC Internet Gateways', 'Checks for usage that is more than 80% of the VPC Internet Gateways Limit') +, ROW('HCP4007jGY', 'en', 'Security Groups - Specific Ports Unrestricted', 'Checks security groups for rules that allow unrestricted access (0') +, ROW('Pfx0RwqBli', 'en', 'Amazon S3 Bucket Permissions', 'Checks buckets in Amazon Simple Storage Service (Amazon S3) that have open access permissions or allow access to any authenticated AWS user') +, ROW('c1ng44jvbm', 'en', 'Amazon Route 53 mismatching CNAME records pointing directly to S3 buckets', 'Checks the Amazon Route 53 Hosted Zones with CNAME records pointing directly to Amazon S3 bucket hostnames and alerts if your CNAME does not match with your S3 bucket name') +, ROW('c2vlfg0bfw', 'en', 'Inactive AWS Network Firewall', 'Checks your AWS Network Firewall endpoints and warns when the Network Firewall appear to be inactive') +, ROW('c1fd6b96l4', 'en', 'Amazon S3 Server Access Logs Enabled', 'Checks the logging configuration of Amazon Simple Storage Service buckets') +, ROW('c2vlfg0gqd', 'en', 'Network Firewall Multi-AZ', 'Checks if your Network Firewalls are configured to use more than one Availability Zone (AZ) for firewall endpoints') +, ROW('c1cj39rr6v', 'en', 'S3 Incomplete Multipart Upload Abort Configuration', 'Checks that each S3 bucket is configured with a lifecycle 
rule to abort multipart uploads that remain incomplete after 7 days') +, ROW('wuy7G1zxql', 'en', 'Amazon EC2 Availability Zone Balance', 'Checks the distribution of Amazon Elastic Compute Cloud (Amazon EC2) instances across Availability Zones in a region') +, ROW('DAvU99Dc4C', 'en', 'Underutilized Amazon EBS Volumes', 'Checks Amazon Elastic Block Store (Amazon EBS) volume configurations and warns when volumes appear to be underused') +, ROW('pYW8UkYz2w', 'en', 'RDS Read Replicas per Master', 'Checks for usage that is more than 80% of the RDS Read Replicas per Master Limit') +, ROW('eI7KK0l7J9', 'en', 'EBS Active Snapshots', 'Checks for usage that is more than 80% of the EBS Active Snapshots Limit') +, ROW('pR7UU0l7J9', 'en', 'IAM Policies', 'Checks for usage that is more than 80% of the IAM Policies Limit') +, ROW('fW7HH0l7J9', 'en', 'Auto Scaling Groups', 'Checks for usage that is more than 80% of the Auto Scaling Groups Limit') +, ROW('P1jhKWEmLa', 'en', 'RDS Total Storage Quota', 'Checks for usage that is more than 80% of the RDS Total Storage Quota Limit') +, ROW('12Fnkpl8Y5', 'en', 'Exposed Access Keys', 'Checks popular code repositories for access keys that have been exposed to the public and for irregular Amazon Elastic Compute Cloud (Amazon EC2) usage that could be the result of a compromised access key') +, ROW('8CNsSllI5v', 'en', 'Auto Scaling Group Resources', 'Checks the availability of resources associated with launch configurations and your Auto Scaling groups') +, ROW('90046ff5b5', 'en', 'MSK cluster high availability', 'Checks the number of availability zones for your MSK provisioned cluster') +, ROW('BueAdJ7NrP', 'en', 'Amazon S3 Bucket Logging', 'Checks the logging configuration of Amazon Simple Storage Service (Amazon S3) buckets') +, ROW('gW7HH0l7J9', 'en', 'CloudFormation Stacks', 'Checks for usage that is more than 80% of the CloudFormation Stacks Limit') +, ROW('Hs4Ma3G270', 'en', 'EC2 Auto Scaling groups should use EC2 launch templates', 
'Checks if an Amazon EC2 Auto Scaling group is created from an EC2 launch template') +, ROW('Hs4Ma3G150', 'en', 'Elasticsearch domains should encrypt data sent between nodes', 'Checks if Elasticsearch domains have node-to-node encryption enabled') +, ROW('Hs4Ma3G271', 'en', 'API Gateway routes should specify an authorization type', 'Checks if Amazon API Gateway routes have an authorization type') +, ROW('Hs4Ma3G151', 'en', 'An RDS event notifications subscription should be configured for critical database parameter group events', 'Checks if an Amazon RDS Event subscription for RDS parameter groups is configured to notify on event category of "configuration change"') +, ROW('Hs4Ma3G272', 'en', 'Users should not have root access to SageMaker notebook instances', 'Checks if root access is turned off for Amazon SageMaker notebook instances') +, ROW('Hs4Ma3G152', 'en', 'An RDS event notifications subscription should be configured for critical database instance events', 'Checks if an Amazon RDS Event subscription for RDS instances is configured to notify on event categories of both "maintenance", "configuration change", and "failure"') +, ROW('Hs4Ma3G273', 'en', 'Security contact information should be provided for an AWS account.', 'Checks if an Amazon Web Services (AWS) account has security contact information') +, ROW('Hs4Ma3G153', 'en', 'RDS instances should not use a database engine default port', 'Checks if RDS instances use the default port of that database engine') +, ROW('Hs4Ma3G274', 'en', 'SageMaker notebook instances should be launched in a custom VPC', 'Checks if an Amazon SageMaker notebook instance is launched within a custom VPC') +, ROW('rT7WW0l7J9', 'en', 'IAM Server Certificates', 'Checks for usage that is more than 80% of the IAM Server Certificates Limit') +, ROW('Hs4Ma3G154', 'en', 'An RDS event notifications subscription should be configured for critical database security group events', 'Checks if an Amazon RDS Event subscription for RDS security 
groups is configured to notify on event categories of both "configuration change" and "failure"') +, ROW('Hs4Ma3G275', 'en', 'CloudFront distributions should not point to non-existent S3 origins', 'Checks if Amazon CloudFront distributions are pointing to non-existent S3 origins') +, ROW('N415c450f2', 'en', 'CloudFront Header Forwarding and Cache Hit Ratio', 'Checks the HTTP request headers that CloudFront currently receives from the client and forwards to your origin server') +, ROW('Hs4Ma3G144', 'en', 'Unused IAM user credentials should be removed', 'Checks if your IAM users have passwords or active access keys that were not used within the previous 90 days') +, ROW('Hs4Ma3G265', 'en', 'A WAF Regional rule group should have at least one rule', 'Checks if a WAF Regional rule group has at least one rule') +, ROW('Hs4Ma3G145', 'en', 'Amazon ECS task definitions should have secure networking modes and user definitions.', 'Checks if an Amazon ECS Task Definition with host networking mode has "privileged" or "user" container definitions') +, ROW('Hs4Ma3G266', 'en', 'A WAF Regional web ACL should have at least one rule or rule group', 'Checks if a WAF Regional web ACL contains any WAF rules or WAF rule groups') +, ROW('iqdCTZKCUp', 'en', 'Load Balancer Optimization', 'Checks your load balancer configuration') +, ROW('Hs4Ma3G146', 'en', 'ECS services should not have public IP addresses assigned to them automatically', 'Checks if ECS services are configured to automatically assign public IP addresses') +, ROW('Hs4Ma3G267', 'en', 'A WAF global rule should have at least one condition', 'Checks if a WAF global rule has at least one condition') +, ROW('Hs4Ma3G147', 'en', 'Amazon Elasticsearch Service domains should be in a VPC', 'Checks whether Amazon Elasticsearch Service domains are in a VPC') +, ROW('Hs4Ma3G268', 'en', 'A WAF global rule group should have at least one rule', 'Checks if a WAF global rule group has at least one rule') +, ROW('Hs4Ma3G148', 'en', 'Elastic 
Beanstalk environments should have enhanced health reporting enabled', 'Checks if enhanced health reporting is enabled for your AWS Elastic Beanstalk environments') +, ROW('Hs4Ma3G269', 'en', 'A WAF global web ACL should have at least one rule or rule group', 'Checks if a WAF global web ACL contains any WAF rules or WAF rule groups') +, ROW('Hs4Ma3G149', 'en', 'Elastic Beanstalk managed platform updates should be enabled', 'Checks if managed platform updates are enabled for the AWS Elastic Beanstalk environment') +, ROW('Hs4Ma3G280', 'en', 'Application, Network and Gateway Load Balancers should span multiple Availability Zones', 'Checks if an Elastic Load Balancer V2 (Application, Network, or Gateway Load Balancer) has registered instances from multiple Availability Zones') +, ROW('Hs4Ma3G160', 'en', 'IAM authentication should be configured for RDS instances', 'Checks if an RDS DB instance has IAM database authentication enabled') +, ROW('Hs4Ma3G281', 'en', 'OpenSearch domains should have at least three data nodes.', 'Checks if Amazon OpenSearch Service domains are configured with at least three data nodes and "zoneAwarenessEnabled" is true') +, ROW('Hs4Ma3G161', 'en', 'IAM authentication should be configured for RDS clusters', 'Checks if an RDS DB cluster has IAM database authentication enabled') +, ROW('Hs4Ma3G282', 'en', 'RSA certificates managed by ACM should use a key length of at least 2,048 bits', 'Checks if RSA certificates managed by AWS Certificate Manager use a key length of at least 2,048 bits') +, ROW('Hs4Ma3G162', 'en', 'RDS automatic minor version upgrades should be enabled', 'Checks if automatic minor version upgrades are enabled for the Amazon RDS database instance') +, ROW('Hs4Ma3G283', 'en', 'AWS AppSync should have request-level and field-level logging turned on', 'Checks if an AWS AppSync API has request-level and field-level logging turned on') +, ROW('Hs4Ma3G163', 'en', 'RDS DB clusters should be configured to copy tags to snapshots', 'Checks 
if RDS DB clusters are configured to copy all tags to snapshots when the snapshots are created') +, ROW('Hs4Ma3G284', 'en', 'CloudFront distributions should use origin access control', 'Checks if an Amazon CloudFront distribution with an Amazon S3 origin has origin access check (OAC) configured') +, ROW('Hs4Ma3G164', 'en', 'RDS DB instances should be configured to copy tags to snapshots', 'Checks if RDS DB instances are configured to copy all tags to snapshots when the snapshots are created') +, ROW('Hs4Ma3G285', 'en', 'EKS cluster endpoints should not be publicly accessible', 'Checks if an Amazon EKS cluster endpoint is publicly accessible') +, ROW('Hs4Ma3G165', 'en', 'RDS instances should be deployed in a VPC', 'Checks if an RDS instance is deployed in a VPC (EC2-VPC)') +, ROW('Hs4Ma3G286', 'en', 'ElastiCache for Redis cache clusters should have auto minor version upgrades enabled', 'This check evaluates if auto minor version upgrades are enabled for ElastiCache for Redis cache clusters') +, ROW('keAhfbH5yb', 'en', 'RDS Event Subscriptions', 'Checks for usage that is more than 80% of the RDS Event Subscriptions Limit') +, ROW('c2vlfg022t', 'en', 'Inactive NAT Gateways', 'Checks your NAT Gateways for any gateways that appear to be inactive') +, ROW('c5ftjdfkMr', 'en', 'DynamoDB Write Capacity', 'Checks for usage that is more than 80% of the DynamoDB Provisioned Throughput Limit for Writes per Account') +, ROW('Hs4Ma3G155', 'en', 'EC2 instances should be managed by AWS Systems Manager', 'Checks if the Amazon EC2 instances in your account are managed by AWS Systems Manager') +, ROW('Hs4Ma3G276', 'en', 'A WAFV2 web ACL should have at least one rule or rule group', 'Checks if a WAFV2 web ACL contains at least one WAF rule or WAF rule group') +, ROW('Hs4Ma3G156', 'en', 'EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation', 'Checks if the compliance status of the Amazon EC2 Systems Manager patch 
compliance is COMPLIANT or NON_COMPLIANT after the patch installation on the instance') +, ROW('Hs4Ma3G277', 'en', 'EC2 launch templates should not assign public IPs to network interfaces', 'Checks if Amazon EC2 launch templates are configured to assign public IP addresses to network interfaces upon launch') +, ROW('Hs4Ma3G157', 'en', 'EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT', 'Checks if the status of the AWS Systems Manager association compliance is COMPLIANT or NON_COMPLIANT after the association is executed on an instance') +, ROW('Hs4Ma3G278', 'en', 'Access logging should be configured for API Gateway V2 Stages', 'Checks if Amazon API Gateway V2 stages have access logging configured') +, ROW('ZRxQlPsb6c', 'en', 'High CPU Utilization Amazon EC2 Instances', 'Checks the Amazon Elastic Compute Cloud (Amazon EC2) instances that were running at any time during the last 14 days and alerts you if the daily CPU utilization was more than 90% on 4 or more days') +, ROW('Hs4Ma3G158', 'en', 'SSM documents should not be public', 'Checks if AWS Systems Manager documents that the account owns are public') +, ROW('Hs4Ma3G279', 'en', 'Amazon EC2 Auto Scaling group should cover multiple Availability Zones', 'Checks if an Auto Scaling group spans multiple Availability Zones') +, ROW('Hs4Ma3G159', 'en', 'Elastic File System should be configured to encrypt file data at-rest using AWS KMS', 'Checks if Amazon Elastic File System (Amazon EFS) is configured to encrypt the file data using AWS Key Management Service (AWS KMS)') +, ROW('nO7SS0l7J9', 'en', 'IAM Instance Profiles', 'Checks for usage that is more than 80% of the IAM Instance Profiles Limit') +, ROW('c1dfpnchv1', 'en', 'Amazon EFS clients not using data-in-transit encryption', 'Checks if Amazon EFS file system is mounted using data-in-transit encryption') +, ROW('c1dfpnchv2', 'en', 'AWS Direct Connect Location Resiliency', 'Checks your Direct Connect location 
resiliency associated with each Virtual Private Gateway or Transit Gateways') +, ROW('Hs4Ma3G250', 'en', 'ECS clusters should use Container Insights', 'Checks if ECS clusters use Container Insights') +, ROW('Hs4Ma3G130', 'en', 'Lambda functions should use supported runtimes', 'Checks that the lambda function settings for runtimes, match the expected values set for the supported runtimes for each language') +, ROW('Hs4Ma3G251', 'en', 'EFS access points should enforce a root directory', 'Checks if Amazon Elastic File System (Amazon EFS) access points are configured to enforce a root directory') +, ROW('Hs4Ma3G131', 'en', 'Lambda function policies should prohibit public access', 'Checks if the AWS Lambda function policy attached to the Lambda resource prohibits public access') +, ROW('Hs4Ma3G252', 'en', 'EFS access points should enforce a user identity', 'Checks if Amazon Elastic File System (Amazon EFS) access points are configured to enforce a user identity') +, ROW('Hs4Ma3G132', 'en', 'Database Migration Service replication instances should not be public', 'Checks if AWS Database Migration Service replication instances are public by examining the PubliclyAccessible field value') +, ROW('Hs4Ma3G253', 'en', 'EKS clusters should run on a supported Kubernetes version', 'Checks if an EKS cluster is running on a supported Kubernetes version') +, ROW('dBkuNCvqn5', 'en', 'RDS Max Auths per Security Group', 'Checks for usage that is more than 80% of the RDS Max Auths per Security Group Limit') +, ROW('H7IgTzjTYb', 'en', 'Amazon EBS Snapshots', 'Checks the age of the snapshots for your Amazon Elastic Block Store (Amazon EBS) volumes (available or in-use)') +, ROW('7ujm6yhn5t', 'en', 'Amazon OpenSearch Service Reserved Instance Optimization', 'Checks your usage of Amazon OpenSearch Service (successor to Amazon Elasticsearch Service) and provides recommendations on purchase of Reserved Instances to help reduce costs incurred from using Amazon OpenSearch Service On-Demand') +, 
ROW('Hs4Ma3G122', 'en', 'VPC flow logging should be enabled in all VPCs', 'Checks if Amazon Virtual Private Cloud flow logs are found and enabled for Amazon VPCs') +, ROW('Hs4Ma3G243', 'en', 'Auto Scaling group launch configurations should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2)', 'Checks if only IMDSv2 is enabled') +, ROW('Hs4Ma3G123', 'en', 'EC2 instances should not have a public IPv4 address', 'Checks if EC2 instances have a public IP address') +, ROW('Hs4Ma3G244', 'en', 'Auto Scaling group launch configuration should not have a metadata response hop limit greater than 1', 'Checks the number of network hops that the metadata token can travel') +, ROW('Hs4Ma3G124', 'en', 'EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)', 'Checks if your Amazon Elastic Compute Cloud (Amazon EC2) instance metadata version is configured with Instance Metadata Service Version 2 (IMDSv2)') +, ROW('Hs4Ma3G245', 'en', 'CloudFormation stacks should be integrated with Simple Notification Service (SNS)', 'Checks if your CloudFormation stacks are sending event notifications to SNS topic') +, ROW('gjqMBn6pjz', 'en', 'RDS Clusters', 'Checks for usage that is more than 80% of the RDS Clusters Limit') +, ROW('Hs4Ma3G125', 'en', 'API Gateway should be associated with a WAF Web ACL', 'Checks to see if an API Gateway stage is using an AWS WAF Web ACL') +, ROW('Hs4Ma3G246', 'en', 'CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins', 'Checks if CloudFront distributions are using deprecated SSL protocols for HTTPS communication between CloudFront edge locations and your custom origins') +, ROW('Hs4Ma3G126', 'en', 'DynamoDB Accelerator (DAX) clusters should be encrypted at rest', 'Checks if a DAX cluster is encrypted at rest') +, ROW('Hs4Ma3G247', 'en', 'EC2 Transit Gateways should not automatically accept VPC attachment requests', 'Checks if EC2 Transit Gateways are automatically 
accepting shared VPC attachments requests') +, ROW('Hs4Ma3G127', 'en', 'API Gateway REST and WebSocket API execution logging should be enabled', 'Checks if all stages of Amazon API Gateway REST and WebSocket APIs have logging enabled') +, ROW('Hs4Ma3G248', 'en', 'EC2 paravirtual instance types should not be used', 'Checks if the virtualization type of an EC2 instance is paravirtual') +, ROW('c1dfpnchv4', 'en', 'NLB - Internet-facing resource in private subnet', 'Checks if an internet-facing Network Load Balancer (NLB) is configured with a private subnet') +, ROW('Hs4Ma3G128', 'en', 'API Gateway REST API stages should be configured to use SSL certificates for backend authentication', 'Checks if Amazon API Gateway REST API stages have SSL certificates configured that backend systems can use to authenticate that incoming requests are from the API Gateway') +, ROW('Hs4Ma3G249', 'en', 'ECS Fargate services should run on the latest Fargate platform version', 'Checks if ECS Fargate services is running the latest Fargate platform version') +, ROW('Hs4Ma3G129', 'en', 'API Gateway REST API stages should have AWS X-Ray tracing enabled', 'Checks if AWS X-Ray active tracing is enabled for your Amazon API Gateway REST API stages') +, ROW('c18d2gz186', 'en', 'Amazon CloudWatch Log Group retention period', 'Checks if Amazon CloudWatch Log Group retention period is set to at least 365 days or other specified number') +, ROW('Hs4Ma3G260', 'en', 'OpenSearch domains should have fine-grained access control enabled', 'Checks if Amazon OpenSearch domains have fine-grained access check enabled') +, ROW('Hs4Ma3G140', 'en', 'IAM root user access key should not exist', 'Checks if the root user access key is available') +, ROW('Hs4Ma3G261', 'en', 'Redshift clusters should not use the default database name', 'Checks if a Redshift cluster has changed the database name from its default value') +, ROW('c18d2gz184', 'en', 'Amazon OpenSearch Service logging CloudWatch not configured', 'Checks if 
Amazon OpenSearch Service domains are configured to send logs to Amazon CloudWatch Logs') +, ROW('Hs4Ma3G141', 'en', 'MFA should be enabled for all IAM users that have a console password', 'Checks if AWS Multi-Factor Authentication (MFA) is enabled for all AWS Identity and Access Management (IAM) users that use a console password') +, ROW('Hs4Ma3G262', 'en', 'S3 buckets should have lifecycle policies configured', 'Checks if a lifecycle policy is configured for an S3 bucket') +, ROW('Hs4Ma3G142', 'en', 'Hardware MFA should be enabled for the root user', 'Checks if your AWS account is enabled to use hardware multi-factor authentication (MFA) device to sign in with root credentials') +, ROW('Hs4Ma3G263', 'en', 'Logging of delivery status should be enabled for notification messages sent to a topic', 'Checks if logging is enabled for the delivery status of notification messages sent to a topic for the endpoints') +, ROW('c18d2gz182', 'en', 'AWS Lambda Functions without a dead-letter queue configured', 'Checks if an AWS Lambda function is configured with a dead-letter queue') +, ROW('Hs4Ma3G143', 'en', 'Password policies for IAM users should have strong configurations', 'Checks if the account password policy for IAM users uses the following recommended configurations: RequireUppercaseCharacters: true, RequireLowercaseCharacters: true, RequireSymbols: true, RequireNumbers: true, MinimumPasswordLength: 8') +, ROW('Hs4Ma3G264', 'en', 'A WAF Regional rule should have at least one condition', 'Checks if a WAF Regional rule has at least one condition') +, ROW('c18d2gz183', 'en', 'Amazon OpenSearch Service domains with less than three data nodes', 'Checks if Amazon OpenSearch Service domains are configured with at least three data nodes and ZoneAwarenessEnabled is true') +, ROW('vZ2c2W1srf', 'en', 'Savings Plan', 'Checks your usage of EC2, Fargate, and Lambda over the last 30 days and provides Savings Plan purchase recommendations, which allows you to commit to a consistent 
usage amount measured in $/hour for a one or three year term in exchange for discounted rates') +, ROW('Hs4Ma3G133', 'en', 'IAM customer managed policies should not allow decryption actions on all KMS keys', 'Checks if the default version of IAM customer managed policies allow principals to use the AWS Key Management Service (KMS) decryption actions on all resources') +, ROW('Hs4Ma3G254', 'en', 'Application Load Balancer should be configured with defensive or strictest desync mitigation mode', 'Checks if the Application Load Balancer is configured with defensive or strictest de-sync mitigation mode') +, ROW('Hs4Ma3G134', 'en', 'IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys', 'Checks if the inline policies embedded in your IAM principals (Role/User/Group) allow the AWS Key Management Service (KMS) decryption actions on all KMS keys') +, ROW('Hs4Ma3G255', 'en', 'Classic Load Balancer should be configured with defensive or strictest desync mitigation mode', 'Checks if the Classic Load Balancer is configured defensive or strictest desync mitigation mode') +, ROW('ty3xfcdfMr', 'en', 'Route 53 Reusable Delegation Sets', 'Checks for usage that is more than 80% of the Route 53 Reusable Delegation Sets Limit per account') +, ROW('Hs4Ma3G135', 'en', 'AWS KMS keys should not be deleted unintentionally', 'Checks whether AWS Key Management Service (KMS) keys are scheduled for deletion') +, ROW('Hs4Ma3G256', 'en', 'Kinesis streams should be encrypted at rest', 'Checks if Kinesis streams are encrypted at rest with server-side encryption') +, ROW('Hs4Ma3G136', 'en', 'Amazon SQS queues should be encrypted at rest', 'Checks if Amazon SQS queues are encrypted at rest') +, ROW('Hs4Ma3G257', 'en', 'Network Firewall policies should have at least one rule group associated', 'Checks if a Network Firewall policy has any stateful or stateless rule groups associated') +, ROW('gfZAn3W7wl', 'en', 'RDS DB Security Groups', 'Checks for usage 
that is more than 80% of the RDS DB Security Groups Limit') +, ROW('Hs4Ma3G137', 'en', 'IAM policies should not allow full "*" administrative privileges', 'Checks if the default version of AWS Identity and Access Management (IAM) policies (also known as customer managed policies) do not have administrator access with a statement that has "Effect": "Allow" with "Action": "*" over "Resource": "*"') +, ROW('Hs4Ma3G258', 'en', 'The default stateless action for Network Firewall policies should be drop or forward for full packets', 'Checks if the default stateless action for full packets for a Network Firewall policy is drop or forward') +, ROW('Hs4Ma3G138', 'en', 'IAM users should not have IAM policies attached', 'Checks that none of your IAM users have policies attached') +, ROW('Hs4Ma3G259', 'en', 'The default stateless action for Network Firewall policies should be drop or forward for fragmented packets', 'Checks if a Network Firewall policy has drop or forward as the default stateless action for fragmented packets') +, ROW('Hs4Ma3G139', 'en', 'IAM users'' access keys should be rotated every 90 days or less', 'Checks if the active access keys are rotated within 90 days') +, ROW('c18d2gz177', 'en', 'AWS Elastic Beanstalk with Managed Platform Updates disabled', 'Checks if managed platform updates in AWS Elastic Beanstalk environments and configuration templates are enabled') +, ROW('c18d2gz178', 'en', 'Amazon ElastiCache Redis clusters Automatic Backup', 'Checks if the Amazon ElastiCache Redis clusters have automatic backup turned on') +, ROW('c18d2gz175', 'en', 'Amazon ECS task Logging not enabled', 'Checks if log configuration is set on active Amazon ECS task definitions') +, ROW('c18d2gz176', 'en', 'Amazon ECS Memory Hard Limit', 'Checks if Amazon ECS task definitions have a set memory limit for its container definitions') +, ROW('c18d2gz173', 'en', 'Amazon ECS clusters with Container Insights disabled', 'Checks if Amazon CloudWatch Container Insights is turned on 
for your Amazon ECS clusters') +, ROW('c18d2gz174', 'en', 'AWS Fargate platform version is not latest', 'Checks if Amazon ECS is running the latest platform version of AWS Fargate') +, ROW('Hs4Ma3G230', 'en', 'S3 bucket server access logging should be enabled', 'Checks if an Amazon S3 Bucket has server access logging enabled to a chosen target bucket') +, ROW('c18d2gz171', 'en', 'Amazon S3 version-enabled buckets without lifecycle policies configured', 'Checks if Amazon S3 version-enabled buckets have a lifecycle policy configured') +, ROW('Hs4Ma3G110', 'en', 'CloudTrail should have encryption at-rest enabled', 'Checks whether AWS CloudTrail is configured to use the server-side encryption (SSE) AWS Key Management Service (AWS KMS) key encryption') +, ROW('Hs4Ma3G231', 'en', 'Stateless network firewall rule group should not be empty', 'Checks if a Stateless Network Firewall Rule Group contains rules') +, ROW('Qsdfp3A4L1', 'en', 'Amazon EC2 instances over-provisioned for Microsoft SQL Server', 'Checks your Amazon Elastic Compute Cloud (Amazon EC2) instances that are running SQL Server in the past 24 hours') +, ROW('Hs4Ma3G108', 'en', 'CloudTrail trails should be integrated with Amazon CloudWatch Logs', 'Checks if AWS CloudTrail trails are configured to send logs to Amazon CloudWatch Logs') +, ROW('Hs4Ma3G229', 'en', 'CloudFront distributions should encrypt traffic to custom origins', 'Checks if CloudFront distributions are encrypting traffic to custom origins') +, ROW('Hs4Ma3G109', 'en', 'CloudTrail log file validation should be enabled', 'Checks if CloudTrail log file validation is enabled') +, ROW('c2vlfg0f4h', 'en', 'Root User Access Key', 'Checks if the root user access key is present') +, ROW('jL7PP0l7J9', 'en', 'VPC', 'Checks for usage that is more than 80% of the VPC Limit') +, ROW('b92b83d667', 'en', 'ELB - Target Imbalance', 'Check the target groups\u2019 target distribution across Availability Zones (AZs) for Application Load Balancer (ALB), Network Load 
Balancer (NLB) and Gateway Load Balancer (GWLB)') +, ROW('Hs4Ma3G100', 'en', 'Amazon SageMaker notebook instances should not have direct internet access', 'Checks if direct internet access is disabled for an Amazon SageMaker notebook instance by examining the DirectInternetAccess field is disabled for an Amazon SageMaker notebook instance') +, ROW('Hs4Ma3G221', 'en', 'OpenSearch domains should have audit logging enabled', 'Checks if Amazon OpenSearch Service domains have audit logging enabled') +, ROW('Hs4Ma3G101', 'en', 'Amazon Elastic MapReduce cluster master nodes should not have public IP addresses', 'Checks if master nodes on EMR clusters have public IP addresses') +, ROW('Hs4Ma3G222', 'en', 'OpenSearch domain error logging to CloudWatch Logs should be enabled', 'Checks if Amazon OpenSearch domains are configured to send error logs to CloudWatch Logs') +, ROW('c18d2gz181', 'en', 'AWS Lambda Functions without Concurrency Limit configured', 'Checks if AWS Lambda function is configured with function-level concurrent execution limit') +, ROW('Hs4Ma3G102', 'en', 'Connections to Amazon Redshift clusters should be encrypted in transit', 'Checks if connections to Amazon Redshift clusters are required to use encryption in transit') +, ROW('Hs4Ma3G223', 'en', 'OpenSearch domains should encrypt data sent between nodes', 'Checks if Amazon OpenSearch domains have node-to-node encryption enabled') +, ROW('Hs4Ma3G103', 'en', 'Amazon Redshift clusters should prohibit public access', 'Checks if Amazon Redshift clusters are publicly accessible') +, ROW('Hs4Ma3G224', 'en', 'OpenSearch domains should be in a VPC', 'Checks Amazon OpenSearch Service domains are in an Amazon Virtual Private Cloud (VPC)') +, ROW('cX3c2R1chu', 'en', 'Amazon EC2 Reserved Instances Optimization', 'A significant part of using AWS involves balancing your Reserved Instance (RI) usage and your On-Demand instance usage') +, ROW('Hs4Ma3G104', 'en', 'Redshift clusters should use enhanced VPC routing', 'Checks 
if a Redshift cluster has EnhancedVpcRouting enabled') +, ROW('Hs4Ma3G225', 'en', 'OpenSearch domains should have encryption at rest enabled', 'Checks if Amazon OpenSearch domains have encryption-at-rest configuration enabled') +, ROW('Hs4Ma3G105', 'en', 'Amazon Redshift should have automatic upgrades to major versions enabled', 'Checks if an Amazon Redshift cluster is configured with automatic upgrades to major versions') +, ROW('Hs4Ma3G226', 'en', 'Amazon EC2 instances launched using Auto Scaling group launch configurations should not have Public IP addresses', 'Checks if Amazon EC2 Auto Scaling groups have public IP addresses enabled using launch configurations') +, ROW('Hs4Ma3G106', 'en', 'Amazon Redshift clusters should have audit logging enabled', 'Checks if an Amazon Redshift cluster has audit logging enabled') +, ROW('Hs4Ma3G227', 'en', 'CloudFront distributions should use custom SSL/TLS certificates', 'Checks if CloudFront distributions are using the default SSL/TLS certificate CloudFront provides instead of a custom one') +, ROW('Hs4Ma3G107', 'en', 'CloudFront distributions should require encryption in transit', 'Checks if an Amazon CloudFront distribution requires viewers to use HTTPS directly, or if it uses redirection') +, ROW('Hs4Ma3G228', 'en', 'CloudFront distributions should use SNI to serve HTTPS requests', 'Checks if Amazon CloudFront distributions are using a custom SSL/TLS certificate and are configured to use SNI to serve HTTPS requests as opposed to dedicated IP address') +, ROW('c18d2gz166', 'en', 'AWS CloudTrail data events logging for objects in an S3 bucket', 'Checks if at least one AWS CloudTrail trail logs Amazon S3 data events for all of your S3 buckets') +, ROW('c18d2gz167', 'en', 'Application Load Balancers and Classic Load Balancers Without Access Logs Enabled', 'Checks if Application Load Balancers and Classic Load Balancers have access logging enabled') +, ROW('c18d2gz164', 'en', 'CloudTrail trails are not configured with Amazon 
CloudWatch Logs', 'Checks if AWS CloudTrail trails are configured to send logs to Amazon CloudWatch logs') +, ROW('07602fcad6', 'en', 'IAM Access Analyzer - external access', 'Checks if the IAM Access Analyzer external access at the account or organization level is present') +, ROW('c18d2gz163', 'en', 'Amazon S3 does not have Event Notifications enabled', 'Checks if Amazon S3 Event Notifications is enabled or is correctly configured with the desired destination or types') +, ROW('Hs4Ma3G120', 'en', 'Stopped EC2 instances should be removed after a specified time period', 'Checks if any EC2 instances have been stopped for more than the allowed number of days') +, ROW('Hs4Ma3G241', 'en', 'Secrets should not be passed as container environment variable', 'Checks if the container environment variables includes the following keys - AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, or ECS_ENGINE_AUTH_DATA') +, ROW('c18d2gz160', 'en', 'RDS DB Cluster Deletion Protection Check', 'Checks if your Amazon RDS DB clusters have deletion protection enabled') +, ROW('Hs4Ma3G121', 'en', 'EBS default encryption should be enabled', 'Checks if Amazon Elastic Block Store (EBS) encryption is enabled by default') +, ROW('Hs4Ma3G242', 'en', 'Amazon ECR private repositories should have image scanning enabled', 'Checks if a private ECR repository has image scanning enabled') +, ROW('c18d2gz161', 'en', 'RDS DB Cluster has no Multi-AZ replication enabled', 'Checks if your Amazon RDS DB clusters have Multi-AZ replication enabled') +, ROW('c18d2gz168', 'en', 'Elastic Load Balancing Deletion Protection Not Enabled for Load Balancers', 'Checks if deletion protection is turned on for your load balancers') +, ROW('c18d2gz169', 'en', 'Application, Network and Gateway Load Balancers Not Spanning Multiple Availability Zones', 'Checks If your load balancers (Application, Network, and Gateway Load Balancer) are configured with subnets across multiple Availability Zones') +, ROW('Hs4Ma3G111', 'en', 'CloudTrail 
should be enabled and configured with at least one multi-region trail', 'Checks that there is at least one multi-region AWS CloudTrail trail') +, ROW('Hs4Ma3G232', 'en', 'RDS Database Clusters should use a custom administrator username', 'Checks if an RDS database cluster has changed the admin username from its default value') +, ROW('Hs4Ma3G112', 'en', 'Secrets Manager secrets should be rotated within a specified number of days', 'Checks if your secrets have rotated at least once within 90 days') +, ROW('Hs4Ma3G233', 'en', 'RDS database instances should use a custom administrator username', 'Checks if an Amazon Relational Database Service (Amazon RDS) database instance has changed the admin username from its default value') +, ROW('Hs4Ma3G113', 'en', 'Secrets Manager secrets configured with automatic rotation should rotate successfully', 'Checks if an AWS Secrets Manager secret rotated successfully based on the rotation schedule') +, ROW('Hs4Ma3G234', 'en', 'AWS CodeBuild S3 Logs should be encrypted', 'Checks if a AWS CodeBuild project configured with Amazon S3 Logs has encryption enabled for its logs') +, ROW('Hs4Ma3G114', 'en', 'Remove unused Secrets Manager secrets', 'Checks if your secrets have been accessed within a specified number of days') +, ROW('Hs4Ma3G235', 'en', 'Amazon ECR private repositories should have tag immutability enabled', 'Checks if a private ECR repository has tag immutability enabled') +, ROW('Hs4Ma3G115', 'en', 'Secrets Manager secrets should have automatic rotation enabled', 'Checks if a secret stored in AWS Secrets Manager is configured to rotate automatically') +, ROW('Hs4Ma3G236', 'en', 'Amazon ECS Task Definitions should not share the host''s process namespace', 'Checks if Amazon ECS Task Definitions are configured to share a host''s process namespace with its containers') +, ROW('Hs4Ma3G116', 'en', 'EBS snapshots should not be public, determined by the ability to be restorable by anyone', 'Checks if Amazon Elastic Block Store 
snapshots are not publicly restorable') +, ROW('Hs4Ma3G237', 'en', 'Amazon ECS Containers should run as non-privileged', 'Checks if the Privileged parameter in the container definition of Amazon ECS Task Definitions is set to ''true''') +, ROW('Hs4Ma3G117', 'en', 'Attached EBS volumes should be encrypted at-rest', 'Checks if the EBS volumes that are in an attached state are encrypted') +, ROW('Hs4Ma3G238', 'en', 'Amazon ECS Containers should only have read-only access to its root filesystems', 'Checks if ECS Containers are limited to read-only access to its mounted root filesystems') +, ROW('Hs4Ma3G118', 'en', 'The VPC default security group should not allow inbound and outbound traffic', 'Checks that the default security group of a VPC does not allow inbound or outbound traffic') +, ROW('dYWBaXaaMM', 'en', 'RDS Subnet Groups', 'Checks for usage that is more than 80% of the RDS Subnet Groups Limit') +, ROW('c18d2gz155', 'en', 'RDS DB Instance Automatic Minor Version Upgrade Check', 'Checks if Amazon RDS DB instances have automatic minor version upgrades configured') +, ROW('c18d2gz156', 'en', 'RDS Multi-AZ Standby Instance Not Enabled', 'Checks if your Amazon RDS DB instances have a Multi-AZ standby replica configured') +, ROW('c18d2gz154', 'en', 'Classic Load Balancer has no multiple AZs configured', 'Checks if Classic Load Balancer spans multiple Availability Zones (AZs)') +, ROW('0Xc6LMYG8P', 'en', 'EC2 On-Demand Instances', 'Checks for usage that is more than 80% of the EC2 On-Demand Instances Limit') +, ROW('c18d2gz152', 'en', 'AWS Backup Vault Without Resource-Based Policy to Prevent Deletion of Recovery Points', 'Checks if AWS Backup vaults have an attached resource-based policy that prevents recovery point deletion') +, ROW('Hs4Ma3G330', 'en', 'OpenSearch domains should have the latest software update installed', 'Checks if an Amazon OpenSearch Service domain has the latest software update installed') +, ROW('c18d2gz150', 'en', 'Amazon EC2 Instances 
Stopped', 'Checks if there are Amazon EC2 instances that have been stopped for more than 30 days or other specified number') +, ROW('ECHdfsQ402', 'en', 'Amazon ElastiCache Multi-AZ clusters', 'Checks for ElastiCache clusters that deploy in a single Availability Zone (AZ)') +, ROW('c18d2gz159', 'en', 'Amazon RDS not in AWS Backup plan', 'Checks if your Amazon RDS DB instances are included in a backup plan in AWS Backup') +, ROW('c18d2gz158', 'en', 'Amazon RDS DB Instance Enhanced monitoring not enabled', 'Checks if your RDS DB instances have Enhanced Monitoring enabled') +, ROW('Hs4Ma3G207', 'en', 'EC2 subnets should not automatically assign public IP addresses', 'Checks if the assignment of public IPs in Amazon Virtual Private Cloud (VPC) subnets have the MapPublicIpOnLaunch set to FALSE') +, ROW('Hs4Ma3G328', 'en', 'Macie should be enabled', 'Checks if Amazon Macie is enabled for an account') +, ROW('Hs4Ma3G208', 'en', 'EC2 instances should not use multiple ENIs', 'Checks to see if Amazon EC2 instance uses multiple ENI/EFA') +, ROW('Hs4Ma3G329', 'en', 'Macie automated sensitive data discovery should be enabled', 'Checks if automated sensitive data discovery is enabled for an Amazon Macie administrator account') +, ROW('Hs4Ma3G209', 'en', 'Unused Network Access Control Lists should be removed', 'Checks to see if there are any NACLs (Network Access Control List) that are unused') +, ROW('Hs4Ma3G320', 'en', 'AWS WAF rules should have CloudWatch metrics enabled', 'Checks if an AWS WAF rule or rule group has CloudWatch metrics enabled') +, ROW('Hs4Ma3G200', 'en', 'CloudFront distributions should have a default root object configured', 'Checks if an Amazon CloudFront distribution is configured to return a specific object that is the default root object') +, ROW('Hs4Ma3G321', 'en', 'MSK clusters should be encrypted in transit among broker nodes', 'This controls assesses if a MSK cluster allows encryption in transit using HTTPS(TLS) among the broker nodes of the cluster') 
+, ROW('Hs4Ma3G201', 'en', 'CloudFront distributions should have WAF enabled', 'Checks to see if Amazon CloudFront distributions are associated with either WAF or WAFv2 web ACLs') +, ROW('Hs4Ma3G322', 'en', 'AWS Private CA root certificate authority should be disabled', 'Checks if AWS Private CA has a root certificate authority (CA) that is disabled') +, ROW('Hs4Ma3G202', 'en', 'API Gateway REST API cache data should be encrypted at rest', 'Checks if all methods in Amazon API Gateway REST API stages that have cache enabled are encrypted') +, ROW('Hs4Ma3G323', 'en', 'DynamoDB tables should have deletion protection enabled', 'Checks if an Amazon DynamoDB table has deletion protection enabled') +, ROW('Hs4Ma3G203', 'en', 'Amazon Elasticsearch Service domains should have audit logging enabled', 'This check checks whether Amazon Elasticsearch Service domains have audit logging enabled') +, ROW('Hs4Ma3G324', 'en', 'EC2 Client VPN endpoints should have client connection logging enabled', 'Checks if an AWS Client VPN endpoint has client connection logging enabled') +, ROW('Hs4Ma3G204', 'en', 'Security groups should not allow unrestricted access to ports with high risk', 'Checks if unrestricted incoming traffic for the security groups is accessible to the specified ports [3389, 20, 23, 110, 143, 3306, 8080, 1433, 9200, 9300, 25, 445, 135, 21, 1434, 4333, 5432, 5500, 5601, 22 ] that have the highest risk') +, ROW('Hs4Ma3G325', 'en', 'EKS clusters should have audit logging enabled', 'Checks if an Amazon EKS cluster has audit logging enabled') +, ROW('Hs4Ma3G205', 'en', 'Classic Load Balancers with HTTPS/SSL listeners should use a predefined security policy that has strong configuration', 'Checks if your Classic Load Balancer SSL listeners use the predefined policy ELBSecurityPolicy-TLS-1-2-2017-01') +, ROW('Hs4Ma3G326', 'en', 'Amazon EMR block public access setting should be enabled', 'Checks if your account is configured with Amazon EMR block public access') +, 
ROW('Hs4Ma3G206', 'en', 'Amazon EC2 should be configured to use VPC endpoints that are created for the Amazon EC2 service', 'Checks if a service endpoint for Amazon EC2 is created for each VPC') +, ROW('Hs4Ma3G327', 'en', 'FSx for OpenZFS file systems should be configured to copy tags to backups and volumes', 'Checks if an Amazon FSx for OpenZFS file system is configured to copy tags to backups and volumes') +, ROW('c18d2gz144', 'en', 'Amazon EC2 Detailed Monitoring Not Enabled', 'Checks if detailed monitoring is enabled for your Amazon EC2 instances') +, ROW('c18d2gz145', 'en', 'Amazon EC2 Instance Not Managed by AWS Systems Manager', 'Checks if the Amazon EC2 instances in your account are managed by AWS Systems Manager') +, ROW('c18d2gz142', 'en', 'Amazon EBS Optimization Not Enabled', 'Checks if Amazon EBS optimization is enabled for your EC2 instances') +, ROW('dH7RR0l6J3', 'en', 'EBS General Purpose SSD (gp3) Volume Storage', 'Checks for usage that is more than 80% of the EBS General Purpose SSD (gp3) Volume Storage Limit') +, ROW('dH7RR0l6J9', 'en', 'EBS General Purpose SSD (gp2) Volume Storage', 'Checks for usage that is more than 80% of the EBS General Purpose SSD (gp2) Volume Storage Limit') +, ROW('Hs4Ma3G220', 'en', 'Connections to OpenSearch domains should be encrypted using TLS 1.2', 'Checks if connections to OpenSearch domains are required to use TLS 1') +, ROW('c18d2gz148', 'en', 'EC2 Virtualization Type is Paravirtual', 'Checks if the virtualization type of an Amazon EC2 instance is paravirtual') +, ROW('c18d2gz147', 'en', 'AWS Systems Manager State Manager Association in Non-compliant Status', 'Checks if the status of the AWS Systems Manager association compliance is COMPLIANT or NON_COMPLIANT after the association execution on the instance') +, ROW('Hs4Ma3G218', 'en', 'CodeBuild project environments should not have privileged mode enabled', 'Checks if an AWS CodeBuild project environment has privileged mode enabled') +, ROW('Hs4Ma3G219', 'en', 
'Amazon Redshift clusters should not use the default Admin username', 'Checks if a Redshift cluster has changed the Admin username from its default value') +, ROW('c9D319e7sG', 'en', 'Amazon Route 53 MX Resource Record Sets and Sender Policy Framework', 'For each MX resource record set, checks that the TXT or SPF resource record set contains a valid SPF record') +, ROW('Qsdfp3A4L4', 'en', 'Amazon EC2 instances with Microsoft Windows Server end of support', 'This check alerts you if the versions are near or have reached the end of support') +, ROW('Qsdfp3A4L3', 'en', 'Amazon EC2 instances with Microsoft SQL Server end of support', 'Checks the SQL Server versions for Amazon Elastic Compute Cloud (Amazon EC2) instances running in the past 24 hours') +, ROW('Qsdfp3A4L2', 'en', 'Amazon EC2 instances consolidation for Microsoft SQL Server', 'Checks your Amazon Elastic Compute Cloud (Amazon EC2) instances that are running SQL Server in the past 24 hours') +, ROW('Hs4Ma3G210', 'en', 'CloudFront distributions should have logging enabled', 'Checks to see if server access logging is enabled on Amazon CloudFront Distributions') +, ROW('Hs4Ma3G331', 'en', 'S3 access points should have block public access settings enabled', 'Checks if an Amazon S3 access point has block public access settings enabled') +, ROW('Hs4Ma3G211', 'en', 'S3 buckets with versioning enabled should have lifecycle policies configured', 'Checks if Amazon Simple Storage Service (Amazon S3) version enabled buckets have lifecycle policy configured') +, ROW('Hs4Ma3G212', 'en', 'S3 buckets should have event notifications enabled', 'Checks if S3 Event Notifications are enabled on an S3 bucket') +, ROW('Hs4Ma3G213', 'en', 'S3 access control lists (ACLs) should not be used to manage user access to buckets', 'Checks if S3 buckets allow user permissions via access check lists (ACLs)') +, ROW('Hs4Ma3G214', 'en', 'Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389', 'Checks if a network access 
check list (NACL) allows unrestricted access to the default ports for SSH/RDP ingress traffic') +, ROW('Hs4Ma3G215', 'en', 'Unused EC2 security groups should be removed', 'Checks that security groups are attached to Amazon EC2 instances or to an elastic network interface') +, ROW('Hs4Ma3G216', 'en', 'ECR repositories should have at least one lifecycle policy configured', 'Checks if an ECR repository has at least one lifecycle policy configured') +, ROW('Hs4Ma3G217', 'en', 'CodeBuild project environments should have a logging configuration', 'Checks if a CodeBuild project environment has at least one log option enabled') +, ROW('qS7VV0l7J9', 'en', 'IAM Users', 'Checks for usage that is more than 80% of the IAM Users Limit') ) ignored_tabe_name (check_id, language, name, description)