vipulvv · September 8, 2022 14:18 · Nov 12, 2019 · Nov 12, 2019 · May 30, 2019 · May 30, 2019
diff --git a/was-security-posture.md → aws-security-posture.md b/was-security-posture.md → aws-security-posture.md
diff --git a/AWS-security-performance-costs.md → was-security-posture.md b/AWS-security-performance-costs.md → was-security-posture.md
diff --git a/AWS-security-performance-costs.md b/AWS-security-performance-costs.md
@@ -46,7 +46,7 @@
 
 ### ACM Certificates Renewal
 **Risk**: Medium  
-**Description**: Ensure that SSL/TLS certificates in ACM are renewed 30 days before their validity period ends. 
+**Description**: Ensure that SSL/TLS certificates in ACM are renewed 30 days before their validity period ends.  
 **Resolution**: Renew any SSL/TLS certificates that are about to expire using AWS Certificate Manager service.  
 
 ### ACM Certificates Validity
@@ -74,7 +74,7 @@
 
 ### API Gateway Private Endpoints
 **Risk**: Medium  
-**Description**: Ensure that API Gateway APIs are only accessible through private API endpoints and not visible to Internet. 
+**Description**: Ensure that API Gateway APIs are only accessible through private API endpoints and not visible to Internet.  
 **Resolution**: Change your API Gateway APIs endpoint type so these can be accessible only through private VPC endpoints  
 
 ---
@@ -110,7 +110,7 @@
 
 ### App-Tier ASGs with Associated ELB
 **Risk**: High  
-**Description**: Ensure that app-tier ASGs have associated ELBs in order to evenly distribute incoming traffic across all the EC2 instances available inside the ASG and help provide high availability for your applications. 
+**Description**: Ensure that app-tier ASGs have associated ELBs in order to evenly distribute incoming traffic across all the EC2 instances available inside the ASG and help provide high availability for your applications.  
 **Resolution**: Create an ELB and associate it with your app-tier Auto Scaling Group (ASG)  
 
 ### CloudWatch Logs Agent for App-Tier ASG In Use
@@ -120,12 +120,12 @@
 
 ### IAM Roles for App-Tier ASG Launch Configurations
 **Risk**: Medium  
-**Description**: Ensure that app-tier ASG launch configurations are using IAM roles to delegate access to the applications running in your ASGs, applications that usually don’t have access to AWS resources. 
+**Description**: Ensure that app-tier ASG launch configurations are using IAM roles to delegate access to the applications running in your ASGs, applications that usually don’t have access to AWS resources.  
 **Resolution**: To attach an IAM role to the EC2 instances launched in your app-tier ASG, you must re-create their launch configuration and configure it with a reference to a new IAM role. 
 
 ### Use Approved AMIs for App-Tier ASG Launch Configurations
 **Risk**: High  
-**Description**: Ensure that app-tier ASG launch configurations are using approved AMIs to launch EC2 instances within the ASG. 
+**Description**: Ensure that app-tier ASG launch configurations are using approved AMIs to launch EC2 instances within the ASG.  
 **Resolution**: To launch EC2 instances inside your app-tier Auto Scaling Group from approved AMI, you must re-create the app-tier ASG launch configuration and configure it to support a golden AMI maintained and approved by your organization.
 
 ### Auto Scaling Group Referencing Missing ELB
@@ -140,7 +140,7 @@
 
 ### Launch Configuration Referencing Missing AMI
 **Risk**: High  
-**Description**: Ensure that ASGs launch configuration is referencing an active AMI. 
+**Description**: Ensure that ASGs launch configuration is referencing an active AMI.  
 **Resolution**: Fix any unhealthy Auto Scaling Groups by replacing their invalid launch configuration with a valid one.  
 
 ### Launch Configuration Referencing Missing Security Group
@@ -166,17 +166,17 @@
 
 ### Suspended Auto Scaling Group Processes
 **Risk**: Medium  
-**Description**: Ensure there are no ASGs with suspended processes, provisioned in your AWS account. 
+**Description**: Ensure there are no ASGs with suspended processes, provisioned in your AWS account.  
 **Resolution**: Resume any auto scaling processes suspended in your ASGs after the application and/or environment remediation process is complete  
 
 ### Web-Tier Auto Scaling Groups with Associated ELBs
 **Risk**: High  
-**Description**: Ensure that web-tier ASGs have associated ELBs to equally distribute incoming traffic across all EC2 instances available within the ASG and help provide high availability for your web applications. 
+**Description**: Ensure that web-tier ASGs have associated ELBs to equally distribute incoming traffic across all EC2 instances available within the ASG and help provide high availability for your web applications.  
 **Resolution**: Create an ELB and associate it with your web-tier Auto Scaling Group (ASG)  
 
 ### Use Approved AMIs for Web-Tier ASG Launch Configurations
 **Risk**: High  
-**Description**: - Ensure that web-tier ASG launch configurations are using approved (golden) AMIs to launch EC2 instances within the ASG. 
+**Description**: - Ensure that web-tier ASG launch configurations are using approved (golden) AMIs to launch EC2 instances within the ASG.  
 **Resolution**: To launch EC2 instances in your web-tier ASG from golden/approved AMI, you must re-create the web-tier ASG launch configuration template with a reference to a well-defined AMI maintained and approved by your organization.
 
 ---
@@ -221,7 +221,7 @@
 
 ### Use Cloudfront CDN
 **Risk**: Medium  
-**Description**: Ensure that web application is using Cloudfront CDN to secure its content delivery (media files and static resource files such as .html, .css, .js). 
+**Description**: Ensure that web application is using Cloudfront CDN to secure its content delivery (media files and static resource files such as .html, .css, .js).  
 **Resolution**: To use Cloudfront as a CDN to secure and accelerate the content delivery of your web application, you need to create and configure a Cloudfront web distribution.  
 
 ---
@@ -300,7 +300,7 @@
 
 ### Exposed CloudWatch Event Bus
 **Risk**: High  
-**Description**: Ensure that CloudWatch default event bus is not configured to allow access to everyone (*) in order to prevent anonymous users from sharing their CloudWatch events. 
+**Description**: Ensure that CloudWatch default event bus is not configured to allow access to everyone (*) in order to prevent anonymous users from sharing their CloudWatch events.  
 **Resolution**: Update the access permissions defined for the CloudWatch default event bus in order authorize only specific AWS entities to send CloudWatch event data to your AWS account.  
 
 ### CloudWatch Events In Use
@@ -377,7 +377,7 @@
 
 ### Include Global Resources into AWS Config Settings
 **Risk**: Medium  
-**Description**: Ensure that AWS Config service is configured to include Global resources in order to have complete visibility over the configuration changes made in your AWS account. 
+**Description**: Ensure that AWS Config service is configured to include Global resources in order to have complete visibility over the configuration changes made in your AWS account.  
 **Resolution**: To include Global resources into AWS Config settings.  
 
 ---
@@ -391,12 +391,12 @@
 
 ### Enable DynamoDB Auto Scaling
 **Risk**: Medium  
-**Description**: Ensure that DynamoDB Auto Scaling feature is enabled to dynamically adjust provisioned throughput (read and write) capacity for your tables and global secondary indexes. 
+**Description**: Ensure that DynamoDB Auto Scaling feature is enabled to dynamically adjust provisioned throughput (read and write) capacity for your tables and global secondary indexes.  
 **Resolution**: Enable Application Auto Scaling for DynamoDB tables and indexes.  
 
 ### DynamoDB Backup and Restore
 **Risk**: High  
-**Description**: Ensure that DynamoDB tables are using on-demand backup and restore functionality for data protection and archival purposes, helping you meet regulatory requirements in your organization. 
+**Description**: Ensure that DynamoDB tables are using on-demand backup and restore functionality for data protection and archival purposes, helping you meet regulatory requirements in your organization.  
 **Resolution**: To make use of DynamoDB on-demand backup and restore functionality, you need to create full table backups and restore them when needed  
 
 ### Enable DynamoDB Continuous Backups
@@ -439,7 +439,7 @@
 
 ### EBS Public Snapshots
 **Risk**: High  
-**Description**: Ensure that EBS volume snapshots aren’t public (i.e. publicly shared with other AWS accounts) in order to avoid exposing personal and sensitive data. 
+**Description**: Ensure that EBS volume snapshots aren’t public (i.e. publicly shared with other AWS accounts) in order to avoid exposing personal and sensitive data.  
 **Resolution**: Change privacy property to private.  
 
 ### EBS volumes recent snapshots
@@ -449,7 +449,7 @@
 
 ### Remove EBS old snapshots
 **Risk**: Recommendation  
-**Description**: Check for any EBS snapshots older than 30 days available in your AWS account and remove them in order to lower the cost of your monthly bill. 
+**Description**: Check for any EBS snapshots older than 30 days available in your AWS account and remove them in order to lower the cost of your monthly bill.  
 **Resolution**: Safely delete any old and unneeded EBS volume snapshots from your AWS account.  
 
 ### Remove Unattached EC2 EBS volumes
@@ -552,7 +552,7 @@ EC2
 
 ### AWS Blacklisted AMI
 **Risk**: Medium  
-**Description**: Ensure that all EC2 instances provisioned in your AWS account are launched from approved AMIs only and not from blacklisted AMIs in order to enforce security at application stack level. 
+**Description**: Ensure that all EC2 instances provisioned in your AWS account are launched from approved AMIs only and not from blacklisted AMIs in order to enforce security at application stack level.  
 **Resolution**: To relaunch an EC2 instance that was built from a blacklisted AMI  
 
 ### Enable AMI Encryption
@@ -596,7 +596,7 @@ EC2
 
 ### IAM Roles for App-Tier EC2 Instances
 **Risk**: Medium  
-**Description**: Ensure that app-tier EC2 instances are using IAM roles to grant the necessary permissions (following the principle of least privilege) to the applications running on these instances. 
+**Description**: Ensure that app-tier EC2 instances are using IAM roles to grant the necessary permissions (following the principle of least privilege) to the applications running on these instances.  
 **Resolution**: To attach IAM roles to your running app-tier EC2 instances, you need to re-launch those instances and associate them with the required IAM roles. 
 
 ### Create and Configure App-Tier Security Group
@@ -663,7 +663,7 @@ EC2
 
 ### Unused EC2 Reserved Instances
 **Risk**: Recommendation  
-**Description**: Ensure that all purchased EC2 Reserved Instances (RI) have corresponding instances running within the same account or within any linked AWS accounts available in an AWS Organization (if you are using one). 
+**Description**: Ensure that all purchased EC2 Reserved Instances (RI) have corresponding instances running within the same account or within any linked AWS accounts available in an AWS Organization (if you are using one).  
 **Resolution**: Since EC2 Standard Reserved Instances cannot be canceled, the only way to remove the unneeded EC2 RIs and reclaim their cost is to sell them to other businesses and organizations on EC2 Reserved Instance Marketplace.  
 
 ### Total Number of EC2 Instances
@@ -697,7 +697,7 @@ EC2
 
 ### EC2 Instances with Scheduled Events
 **Risk**: High  
-**Description**: Determine if there are any EC2 instances scheduled for retirement and/or maintenance in your AWS account and take the necessary steps (reboot, restart or re-launch) to resolve them. 
+**Description**: Determine if there are any EC2 instances scheduled for retirement and/or maintenance in your AWS account and take the necessary steps (reboot, restart or re-launch) to resolve them.  
 **Resolution**: To resolve EC2 instances scheduled for retirement/maintenance based on the event type (see Audit section to identify the event type(s) assigned to your instance(s)).  
 
 ### EC2 Instance Security Group Rules Count
@@ -753,7 +753,7 @@ EC2
 
 ### Underutilized EC2 Instances
 **Risk**: Recommendation  
-**Description**: Identify any EC2 instances that appear to be underutilized and downsize (resize) them to help lower the cost of your monthly AWS bill. 
+**Description**: Identify any EC2 instances that appear to be underutilized and downsize (resize) them to help lower the cost of your monthly AWS bill.  
 **Resolution**: Downsize (resize) the underused EC2 instances provisioned in your AWS account.  
 
 ### EC2 Security Group Unrestricted Access
@@ -772,13 +772,13 @@ EC2
 
 ### Unrestricted ElasticSearch Access
 **Risk**: Medium  
-**Description**: Check EC2 security groups for inbound rules that allow total access (0.0.0.0/0) to TCP port 9200 and restrict access to only those IP addresses that require it. 
+**Description**: Check EC2 security groups for inbound rules that allow total access (0.0.0.0/0) to TCP port 9200 and restrict access to only those IP addresses that require it.  
 **Resolution**: Update security groups inbound/ingress configuration in order to restrict ElasticSearch access to specific IPs  
 
 
 ### Unrestricted FTP Access
 **Risk**: Medium  
-**Description**: Check EC2 security groups for inbound rules that allow total access (0.0.0.0/0) to TCP ports 20 and 21 and restrict access to only those IP addresses that require it. 
+**Description**: Check EC2 security groups for inbound rules that allow total access (0.0.0.0/0) to TCP ports 20 and 21 and restrict access to only those IP addresses that require it.  
 **Resolution**: Update security groups inbound/ingress configuration in order to restrict FTP access to specific IPs.  
 
 ### Unrestricted HTTP Access
@@ -808,7 +808,7 @@ EC2
 
 ### Unrestricted MSSQL Database Access
 **Risk**: Medium  
-**Description**: Check EC2 security groups for inbound rules that allow total access (0.0.0.0/0) to TCP port 1433 and restrict access to only those IP addresses that require it. 
+**Description**: Check EC2 security groups for inbound rules that allow total access (0.0.0.0/0) to TCP port 1433 and restrict access to only those IP addresses that require it.  
 **Resolution**: Update security groups inbound/ingress configuration in order to restrict MSSQL access to specific IPs.  
 
 ### Unrestricted MySQL Database Access
@@ -843,7 +843,7 @@ EC2
 
 ### Unrestricted RPC Access
 **Risk**: Medium  
-**Description**: Check EC2 security groups for inbound rules that allow total access (0.0.0.0/0) to TCP port 135 and restrict access to only those IP addresses that require it. 
+**Description**: Check EC2 security groups for inbound rules that allow total access (0.0.0.0/0) to TCP port 135 and restrict access to only those IP addresses that require it.  
 **Resolution**: Update security groups inbound/ingress configuration in order to restrict RPC access to specific IPs.  
 
 ### Unrestricted SMTP Access
@@ -858,7 +858,7 @@ EC2
 
 ### Unrestricted Telnet Access
 **Risk**: Medium  
-**Description**: Check EC2 security groups for inbound rules that allow total access (0.0.0.0/0) to TCP port 23 and restrict access to only those IP addresses that require it. 
+**Description**: Check EC2 security groups for inbound rules that allow total access (0.0.0.0/0) to TCP port 23 and restrict access to only those IP addresses that require it.  
 **Resolution**: Update security groups inbound/ingress configuration in order to restrict Telnet access to specific IPs.  
 
 ### Unused Elastic Network Interfaces
@@ -883,7 +883,7 @@ EC2
 
 ### Web-Tier EC2 Instances Without Elastic or Public IP Addresses
 **Risk**: Medium  
-**Description**: Ensure that web-tier EC2 instances aren’t associated with Elastic or Public IP addresses as these instances are usually deployed behind an internet-facing load balancer and don’t have to be publicly reachable. 
+**Description**: Ensure that web-tier EC2 instances aren’t associated with Elastic or Public IP addresses as these instances are usually deployed behind an internet-facing load balancer and don’t have to be publicly reachable.  
 **Resolution**: To remove a Public IP address from a web-tier EC2 instance, you must re-launch the instance with the right network interface configuration. 
 
 ### Check web-tier ELB subnet connectivity to Internet Gateway
@@ -898,7 +898,7 @@ EC2
 
 ### IAM Roles for Web-Tier EC2 Instances
 **Risk**: Medium  
-**Description**: Ensure that web-tier EC2 instances are using IAM roles to grant any necessary permissions to the web applications running on these instances as the applications can assume the role applied to their instances. 
+**Description**: Ensure that web-tier EC2 instances are using IAM roles to grant any necessary permissions to the web applications running on these instances as the applications can assume the role applied to their instances.  
 **Resolution**: To assign IAM roles to your running web-tier instances, you must re-launch those instances with the desired roles 
 
 ### Create and Configure Web-Tier Security Group
@@ -991,7 +991,7 @@ EC2
 
 ### ElasticSearch Domain IP-Based Access
 **Risk**: High  
-**Description**: Ensure that the access to your ElasticSearchdomains is made based on whitelisted IP addresses only in order to protect them against unauthorized access. 
+**Description**: Ensure that the access to your ElasticSearchdomains is made based on whitelisted IP addresses only in order to protect them against unauthorized access.  
 **Resolution**: Implement an IP-based access policy for your ElasticSearch domains.  
 
 ### ElasticSearch General Purpose SSD Node Type
@@ -1070,7 +1070,7 @@ EC2
 
 ### Enable HTTPS/SSL Listener for App-Tier ELBs
 **Risk**: High  
-**Description**: Ensure that app-tier ELB listeners are using the HTTPS/SSL protocol to encrypt the communication between your application clients and the load balancer. 
+**Description**: Ensure that app-tier ELB listeners are using the HTTPS/SSL protocol to encrypt the communication between your application clients and the load balancer.  
 **Resolution**: To secure the connection between the application clients and app-tier load balancer by using SSL encryption, 
 
 ### Enable Latest SSL Security Policy for App-Tier ELBs
@@ -1080,12 +1080,12 @@ EC2
 
 ### Add SSL/TLS Server Certificates to App-Tier ELBs
 **Risk**: High  
-**Description**: Ensure that app-tier ELBs are using SSL/TLS certificates to encrypt the communication between your application users and the load balancer. 
+**Description**: Ensure that app-tier ELBs are using SSL/TLS certificates to encrypt the communication between your application users and the load balancer.  
 **Resolution**: To secure the traffic between your application users and the app-tier load balancer using SSL encryption, Update ELB configuration to attach an SSL/TLS server certificate.  
 
 ### App-Tier ELBs Health Check
 **Risk**: High  
-**Description**: Ensure that app-tier ELBs are using the right health check configuration in order to monitor the availability of the EC2 instances registered to the ELBs through application layer. 
+**Description**: Ensure that app-tier ELBs are using the right health check configuration in order to monitor the availability of the EC2 instances registered to the ELBs through application layer.  
 **Resolution**: Update app-tier ELBs configuration in order to use application layer health checks instead of TCP health checks.  
 
 ### Enable ELB Access Logging
@@ -1105,7 +1105,7 @@ EC2
 
 ### Enable ELB Cross-Zone Load Balancing
 **Risk**: Medium  
-**Description**: By using at least two subnets in different Availability Zones with the Cross-Zone Load Balancing feature enabled, your ELBs can distribute the traffic evenly across all backend instances. 
+**Description**: By using at least two subnets in different Availability Zones with the Cross-Zone Load Balancing feature enabled, your ELBs can distribute the traffic evenly across all backend instances.  
 **Resolution**: Enable Cross-Zone Load Balancing with at least two subnets in different Availability Zones.  
 
 ### ELB insecure SSL ciphers
@@ -1120,7 +1120,7 @@ EC2
 
 ### ELB Listener Security
 **Risk**: High  
-**Description**: Check ELBs listener for secure configurations. 
+**Description**: Check ELBs listener for secure configurations.  
 **Resolution**: To secure the connection between the client and the load balancer, update each ELB configuration to use listeners with HTTPS or SSL protocols (an X.509 SSL certificate is required). 
 
 ### ELB minimum number of EC2 instances
@@ -1145,7 +1145,7 @@ EC2
 
 ### ELB Instances Distribution Across Availability Zones
 **Risk**: Medium  
-**Description**: Ensure that the EC2 instances registered to your Elastic Load Balancing (ELB) are evenly distributed across all Availability Zones in order to improve the ELBs configuration reliability. 
+**Description**: Ensure that the EC2 instances registered to your Elastic Load Balancing (ELB) are evenly distributed across all Availability Zones in order to improve the ELBs configuration reliability.  
 **Resolution**: To equally distribute your existing ELB backend instances across all Availability Zones within the selected AWS region, you need to add new Availability Zones to the ELB configuration and migrate the registered instances between these Availability Zones.
 
 ### Review AWS Internet Facing Load Balancers
@@ -1154,12 +1154,12 @@ EC2
 
 ### Enable HTTPS/SSL Listener for Web-Tier ELBs
 **Risk**: High  
-**Description**: Ensure that web-tier ELB listeners are using a secure protocol such as HTTPS/SSL to encrypt the communication between the web application clients and the load balancer. 
+**Description**: Ensure that web-tier ELB listeners are using a secure protocol such as HTTPS/SSL to encrypt the communication between the web application clients and the load balancer.  
 **Resolution**: To secure the connection between the web clients and your web-tier load balancer by using SSL encryption, Update ELB configuration to use listeners with HTTPS or SSL protocols (an X.509 SSL certificate is required).  
 
 ### Enable Latest SSL Security Policy for Web-Tier ELBs
 **Risk**: High  
-**Description**: Ensure that web-tier ELBs listeners are using the latest AWS security policy for their SSL negotiation configuration. 
+**Description**: Ensure that web-tier ELBs listeners are using the latest AWS security policy for their SSL negotiation configuration.  
 **Resolution**: Enable the latest predefined SSL security policy for your web-tier ELBs.  
 
 ### Add SSL/TLS Server Certificates to Web-Tier ELBs
@@ -1169,7 +1169,7 @@ EC2
 
 ### Web-Tier ELBs Health Check
 **Risk**: High  
-**Description**: Ensure that web-tier ELBs are using the appropriate health check configuration in order to monitor the availability of the EC2 instances associated with the ELBs through application layer. 
+**Description**: Ensure that web-tier ELBs are using the appropriate health check configuration in order to monitor the availability of the EC2 instances associated with the ELBs through application layer.  
 **Resolution**: Update web-tier ELBs configuration in order to use application layer health checks instead of TCP health checks.  
 ELBv2
 
@@ -1190,7 +1190,7 @@ ELBv2
 
 ### ALB (ELBv2) Listener Security
 **Risk**: High  
-**Description**: Check Application Load Balancer listeners for secure configurations. 
+**Description**: Check Application Load Balancer listeners for secure configurations.  
 **Resolution**: To secure the connection between your application clients and your load balancers, update ALBs listeners configuration to support the HTTPS protocol (an X.509 SSL certificate is required).  
 
 ### Minimum Number of EC2 Target Instances
@@ -1230,7 +1230,7 @@ ELBv2
 
 ### EMR Desired Instance Type
 **Risk**: Medium  
-**Description**: Determine if the EMR cluster instances (master and core instances) provisioned in your AWS account have the desired instance type established by your organization based on the workload deployed. 
+**Description**: Determine if the EMR cluster instances (master and core instances) provisioned in your AWS account have the desired instance type established by your organization based on the workload deployed.  
 **Resolution**: To limit the new Elastic MapReduce cluster instances to the desired type, create an AWS support case where you explain why you need this type of limitation. For any existing EMR clusters launched without using the desired instance type, just clone the necessary clusters and re-create them using the desired instance type. 
 
 ### EMR Instance Type Generation
@@ -1261,7 +1261,7 @@ ELBv2
 
 ### Monitor GuardDuty Configuration Changes
 **Risk**: High  
-**Description**: Monitor GuardDuty Configuration Changes. 
+**Description**: Monitor GuardDuty Configuration Changes.  
 **Resolution**: Enable GuardDuty  
 
 ### GuardDuty In Use
@@ -1331,7 +1331,7 @@ ELBv2
 
 ### Unnecessary IAM Access Keys
 **Risk**: Medium  
-**Description**: Identify and deactivate any unnecessary IAM access keys as a security best practice. AWS allows you to assign maximum two active access keys but this is recommended only during the key rotation process. 
+**Description**: Identify and deactivate any unnecessary IAM access keys as a security best practice. AWS allows you to assign maximum two active access keys but this is recommended only during the key rotation process.  
 **Resolution**: To deactivate any unnecessary IAM access keys.  
 
 ### Enable Security Challenge Questions for your Account
@@ -1341,7 +1341,7 @@ ELBv2
 
 ### Attach Policy to IAM Roles Associated with App-Tier EC2 Instances
 **Risk**: High  
-**Description**: Ensure that the IAM roles associated with your app-tier EC2 instances are using IAM policies to assign necessary permissions to the applications installed on these instances. 
+**Description**: Ensure that the IAM roles associated with your app-tier EC2 instances are using IAM policies to assign necessary permissions to the applications installed on these instances.  
 **Resolution**: To define and attach access policies to the IAM roles associated with your app-tier EC2 instances and implement the principle of least privilege (i.e. provide the minimal set of actions required to perform successfully the desired tasks).
 
 ### SSL/TLS Certificate Renewal
@@ -1361,12 +1361,12 @@ ELBv2
 
 ### Deprecated AWS Managed Policies In Use
 **Risk**: Medium  
-**Description**: Ensure that deprecated IAM managed policies are replaced with new ones, approved by AWS. 
+**Description**: Ensure that deprecated IAM managed policies are replaced with new ones, approved by AWS.  
 **Resolution**: Change deprecated AWS managed policies with their replacement policies within IAM entities configuration  
 
 ### IAM Users Unauthorized to Edit Access Policies
 **Risk**: High  
-**Description**: Identify any IAM users that aren’t authorized to edit IAM policies and decommission them in order to protect against unapproved access. 
+**Description**: Identify any IAM users that aren’t authorized to edit IAM policies and decommission them in order to protect against unapproved access.  
 **Resolution**: To decommission any unauthorized IAM users that have the permission to edit IAM access policies in your AWS account.  
 
 ### IAM Users with Admin Privileges
@@ -1380,7 +1380,7 @@ ELBv2
 
 ### IAM Group with Administrator Privileges In Use
 **Risk**: Medium  
-**Description**: Ensure there is an IAM group that has the types of permissions that administrators typically need, available in your AWS account. 
+**Description**: Ensure there is an IAM group that has the types of permissions that administrators typically need, available in your AWS account.  
 **Resolution**: Create an IAM group that provides administrative permissions to the IAM users assigned to the group, required for administration purposes  
 
 ### Unused IAM Groups
@@ -1452,22 +1452,22 @@ ELBv2
 
 ### Root Account Access Keys
 **Risk**: High  
-**Description**: To secure your AWS environment and adhere to IAM best-practices ensure that the AWS account (root user) is not using access keys to perform API requests to access resources or billing information. 
+**Description**: To secure your AWS environment and adhere to IAM best-practices ensure that the AWS account (root user) is not using access keys to perform API requests to access resources or billing information.  
 **Resolution**: To remove any active access keys created for your AWS root account.  
 
 ### Root Account Credentials Usage
 **Risk**: High  
-**Description**: Ensure that the AWS root account credentials have not been used within the past 30 days (default threshold) to access your AWS account in order to keep the root account usage minimised. 
+**Description**: Ensure that the AWS root account credentials have not been used within the past 30 days (default threshold) to access your AWS account in order to keep the root account usage minimised.  
 **Resolution**: To restrict AWS root account usage implement the principle of least privilege by creating IAM users with minimal set of permissions necessary to access and manage just the required AWS resources and services.  
 
 ### Root Account Active Signing Certificates
 **Risk**: High  
-**Description**: To secure your AWS account and adhere to security best-practices, ensure that AWS root user is not using X.509 certificates to perform SOAP-protocol requests to AWS services. 
+**Description**: To secure your AWS account and adhere to security best-practices, ensure that AWS root user is not using X.509 certificates to perform SOAP-protocol requests to AWS services.  
 **Resolution**: To disable any active X.509 signing certificates created for your AWS root account  
 
 ### Enable Hardware MFA for Root Account
 **Risk**: High  
-**Description**: Ensure that hardware MFA is enabled for your root account in order to secure the access to your AWS resources and adhere to Amazon security best-practices. 
+**Description**: Ensure that hardware MFA is enabled for your root account in order to secure the access to your AWS resources and adhere to Amazon security best-practices.  
 **Resolution**: Implement strong protection for your AWS root account using a MFA hardware device.  
 
 ### Enable MFA for Root Account
@@ -1498,7 +1498,7 @@ ELBv2
 
 ### AWS Inspector Findings
 **Risk**: Medium  
-**Description**: Check for AWS Inspector Findings and resolve them step by step to ensure that systems are configured securely. 
+**Description**: Check for AWS Inspector Findings and resolve them step by step to ensure that systems are configured securely.  
 **Resolution**: To solve any Inspector Findings discovered for your EC2 resources provisioned in your AWS account.  
 
 ---
@@ -1700,7 +1700,7 @@ ELBv2
 
 ### RDS Free Storage Space
 **Risk**: High  
-**Description**: Identify any RDS database instances that appear to run low on disk space and scale them up to alleviate any problems triggered by insufficient disk space and improve their I/O performance. 
+**Description**: Identify any RDS database instances that appear to run low on disk space and scale them up to alleviate any problems triggered by insufficient disk space and improve their I/O performance.  
 **Resolution**: To scale up (expand) the storage space for any RDS database instances that run low on disk space  
 
 ### Enable IAM Database Authentication
@@ -1731,7 +1731,7 @@ ELBv2
 
 ### Use Data-Tier Security Group for RDS Databases
 **Risk**: Medium  
-**Description**: Ensure that RDS instances are using the dedicated data-tier security group in order to control and secure the access to their databases. 
+**Description**: Ensure that RDS instances are using the dedicated data-tier security group in order to control and secure the access to their databases.  
 **Resolution**: To reconfigure your RDS database instances in order to use the data-tier security group  
 
 ### RDS Database Default Port
@@ -1771,7 +1771,7 @@ ELBv2
 
 ### Enable RDS Transport Encryption
 **Risk**: High  
-**Description**: Ensure that Microsoft SQL Server instances provisioned with RDS have Transport Encryption feature enabled in order to meet security and compliance requirements. 
+**Description**: Ensure that Microsoft SQL Server instances provisioned with RDS have Transport Encryption feature enabled in order to meet security and compliance requirements.  
 **Resolution**: To enable the Transport Encryption feature for your Microsoft SQL Server database instances, you need to update the necessary RDS parameter group and change the rds.force_ssl parameter value to 1. 
 
 ### Underutilized RDS Instances
@@ -1793,7 +1793,7 @@ Route53
 
 ### Create DNS Alias Record for Root Domain
 **Risk**: Medium  
-**Description**: Ensure that a DNS alias record for the root domain name is created in your Route 53 hosted zone. 
+**Description**: Ensure that a DNS alias record for the root domain name is created in your Route 53 hosted zone.  
 **Resolution**: Create and configure a Route 53 DNS alias record for your root domain name.  
 
 ### Remove Route 53 Dangling DNS Records
@@ -1818,7 +1818,7 @@ Route53
 
 ### Root Domain Alias Records that Point to ELB
 **Risk**: Medium  
-**Description**: Ensure that the root domain alias record points to the ELB associated with your web-server layer. 
+**Description**: Ensure that the root domain alias record points to the ELB associated with your web-server layer.  
 **Resolution**: Update Route 53 domains configuration and enable the Auto Renew feature.  
 
 ### Monitor Route 53 Configuration Changes
@@ -1837,7 +1837,7 @@ Route53
 
 ### Enable Route 53 Domain Transfer Lock
 **Risk**: High  
-**Description**: Ensure that Route 53 registered domains are locked to prevent any unauthorized transfers to another domain name registrar. Your domains must have the Transfer Lock feature enabled. 
+**Description**: Ensure that Route 53 registered domains are locked to prevent any unauthorized transfers to another domain name registrar. Your domains must have the Transfer Lock feature enabled.  
 **Resolution**: Update Route 53 domain names configuration and enable transfer locking.  
 Route53Domains
 
@@ -1923,32 +1923,32 @@ Route53Domains
 
 ### S3 Bucket Public Access Via Policy
 **Risk**: Very High  
-**Description**: Ensure that S3 buckets aren’t publicly accessible via bucket policies in order to protect against unauthorized access. 
+**Description**: Ensure that S3 buckets aren’t publicly accessible via bucket policies in order to protect against unauthorized access.  
 **Resolution**: To restrict access to your publicly accessible S3 buckets via bucket policies.  
 
 ### Publicly Accessible S3 Buckets
 **Risk**: Very High  
-**Description**: Ensure there aren’t any publicly accessible S3 buckets available in your AWS account in order to protect your S3 data from loss and unauthorized access. 
+**Description**: Ensure there aren’t any publicly accessible S3 buckets available in your AWS account in order to protect your S3 data from loss and unauthorized access.  
 **Resolution**: To remove public (FULL_CONTROL) access for your S3 buckets.  
 
 ### S3 Bucket Public ‘READ’ Access
 **Risk**: Very High  
-**Description**: Ensure that S3 buckets content cannot be publicly listed in order to protect against unauthorized access. 
+**Description**: Ensure that S3 buckets content cannot be publicly listed in order to protect against unauthorized access.  
 **Resolution**: To remove public READ access from your S3 buckets.  
 
 ### S3 Bucket Public ‘READ_ACP’ Access
 **Risk**: Very High  
-**Description**: Ensure that S3 buckets content permissions details cannot be viewed by anonymous users in order to protect against unauthorized access. 
+**Description**: Ensure that S3 buckets content permissions details cannot be viewed by anonymous users in order to protect against unauthorized access.  
 **Resolution**: To remove public access to your S3 buckets ACL config information (ACL permissions).  
 
 ### S3 Bucket Public ‘WRITE’ Access
 **Risk**: Very High  
-**Description**: Ensure that S3 buckets cannot be publicly accessed for WRITE actions in order to protect your S3 data from unauthorized users. 
+**Description**: Ensure that S3 buckets cannot be publicly accessed for WRITE actions in order to protect your S3 data from unauthorized users.  
 **Resolution**: To remove public WRITE access for your S3 buckets.  
 
 ### S3 Bucket Public ‘WRITE_ACP’ Access
 **Risk**: Very High  
-**Description**: Ensure that S3 buckets do not allow anonymous users to modify their access control permissions to protect your S3 data from unauthorized access. 
+**Description**: Ensure that S3 buckets do not allow anonymous users to modify their access control permissions to protect your S3 data from unauthorized access.  
 **Resolution**: To remove public WRITE_ACP access for your S3 buckets.  
 
 ### Enable Versioning for S3 Buckets
@@ -1967,7 +1967,7 @@ Route53Domains
 
 ### S3 Unknown Cross Account Access
 **Risk**: High  
-**Description**: Ensure that all your S3 buckets are configured to allow access only to trusted AWS accounts in order to protect against unauthorized cross account access. 
+**Description**: Ensure that all your S3 buckets are configured to allow access only to trusted AWS accounts in order to protect against unauthorized cross account access.  
 **Resolution**: Update S3 buckets policy in order to allow cross account access only from trusted entities.  
 
 ### Secure Transport
@@ -2001,7 +2001,7 @@ Route53Domains
 
 ### Unknown Cross-Account Access
 **Risk**: High  
-**Description**: Ensure that all your SES identities are configured to allow access only to trusted (friendly) AWS accounts in order to prevent unauthorized users from sending emails on your behalf. 
+**Description**: Ensure that all your SES identities are configured to allow access only to trusted (friendly) AWS accounts in order to prevent unauthorized users from sending emails on your behalf.  
 **Resolution**: Update the sending authorization policies associated with your SES identities in order to allow sender requests only from trusted AWS entities (delegate senders)  
 
 ### Exposed SES Identities
@@ -2034,12 +2034,12 @@ Route53Domains
 
 ### Trusted Advisor Checks
 **Risk**: Medium  
-**Description**: Ensure that all Trusted Advisor checks found in your AWS account are inspected and resolved. 
+**Description**: Ensure that all Trusted Advisor checks found in your AWS account are inspected and resolved.  
 **Resolution**: To fix the issue highlighted by the selected Trusted Advisor check (i.e. enable MFAfor the AWS root account)  
 
 ### Exposed IAM Access Keys
 **Risk**: Extreme  
-**Description**: Identify and invalidate (disable) any exposed IAM access keys in order to protect your AWS resources against unapproved access. 
+**Description**: Identify and invalidate (disable) any exposed IAM access keys in order to protect your AWS resources against unapproved access.  
 **Resolution**: Disable exposed IAM access keys so that these credentials can no longer be used to access to AWS.  
 
 ---
@@ -2071,22 +2071,22 @@ Route53Domains
 
 ### Allocate Elastic IPs for NAT Gateways
 **Risk**: Medium  
-**Description**: Ensure that an Elastic IP is allocated for each NAT gateway that you want to deploy in your AWS account. 
+**Description**: Ensure that an Elastic IP is allocated for each NAT gateway that you want to deploy in your AWS account.  
 **Resolution**: To allocate an Elastic IP for each NAT gateway that you want to deploy in your VPC  
 
 ### Create App-Tier VPC Subnets
 **Risk**: Medium  
-**Description**: Ensure that at least two subnets in two different Availability Zones are created for your app tier. Each app-tier subnet must reside entirely within one Availability Zone and cannot span multiple zones. 
+**Description**: Ensure that at least two subnets in two different Availability Zones are created for your app tier. Each app-tier subnet must reside entirely within one Availability Zone and cannot span multiple zones.  
 **Resolution**: Create VPC subnets for your web tier (at least two subnets in different Availability Zones)  
 
 ### Create Data-Tier VPC Subnets
 **Risk**: Medium  
-**Description**: Ensure that at least two subnets in two different Availability Zones are created for your data tier. Each data-tier subnet must be located entirely in one Availability Zone and cannot span multiple zones. 
+**Description**: Ensure that at least two subnets in two different Availability Zones are created for your data tier. Each data-tier subnet must be located entirely in one Availability Zone and cannot span multiple zones.  
 **Resolution**: Create VPC subnets for your data tier (at least two subnets in different Availability Zones)  
 
 ### Default VPC In Use
 **Risk**: Medium  
-**Description**: Ensure that AWS application is not deployed within the default VPC in order to follow security best-practices. 
+**Description**: Ensure that AWS application is not deployed within the default VPC in order to follow security best-practices.  
 **Resolution**: Create a non-default VPC and migrate your custom AWS applications to it  
 
 ### Unused VPC Internet Gateways
@@ -2106,7 +2106,7 @@ Route53Domains
 
 ### Ineffective Network ACL DENY Rules
 **Risk**: High  
-**Description**: Ensure that NACLs do not have ineffective or misconfigured DENY rules that promotes overly-permissive access to your VPC. 
+**Description**: Ensure that NACLs do not have ineffective or misconfigured DENY rules that promotes overly-permissive access to your VPC.  
 **Resolution**: To reconfigure any ineffective NACL DENY rules in order to block the traffic to the necessary port.  
 
 ### Unrestricted Network ACL Inbound Traffic
@@ -2131,7 +2131,7 @@ Route53Domains
 
 ### Enable Flow Logs for VPC Subnets
 **Risk**: Low  
-**Description**: Ensure that flow logs are enabled for your VPC subnets. Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces associated with your subnets. 
+**Description**: Ensure that flow logs are enabled for your VPC subnets. Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces associated with your subnets.  
 **Resolution**: Enable flow logs for your VPC subnets  
 
 ### VPC Endpoint Unknown Cross Account Access
@@ -2160,7 +2160,7 @@ Route53Domains
 
 ### VPC Peering Connection Configuration
 **Risk**: Medium  
-**Description**: Review the routing tables of your peered VPCs to determine if the existing peering connection configuration is compliant with the desired routing policy. 
+**Description**: Review the routing tables of your peered VPCs to determine if the existing peering connection configuration is compliant with the desired routing policy.  
 **Resolution**: Implement the compliant routing policy for the selected VPC peering connection.  
 
 ### Unused Virtual Private Gateways
@@ -2170,12 +2170,12 @@ Route53Domains
 
 ### Create Web-Tier ELB Subnets
 **Risk**: Medium  
-**Description**: Ensure that subnets for the web-tier ELBs are created. Each web-tier ELB subnet must reside entirely in one Availability Zone and cannot span zones. 
+**Description**: Ensure that subnets for the web-tier ELBs are created. Each web-tier ELB subnet must reside entirely in one Availability Zone and cannot span zones.  
 **Resolution**: Create web-tier subnets (at least two subnets in different AZs) and associate them with your web-tier ELB  
 
 ### Create Web-Tier VPC Subnets
 **Risk**: Medium  
-**Description**: Ensure that at least two subnets in two different Availability Zones are created for your web tier. Each web-tier subnet must reside entirely within one Availability Zone and cannot span zones. 
+**Description**: Ensure that at least two subnets in two different Availability Zones are created for your web tier. Each web-tier subnet must reside entirely within one Availability Zone and cannot span zones.  
 **Resolution**: Create VPC subnets for your web tier (at least two subnets in different Availability Zones)  
 
 ---

diff --git a/AWS-security-performance-costs.md b/AWS-security-performance-costs.md
diff --git a/AWS-security-performance-costs.md b/AWS-security-performance-costs.md
@@ -105,7 +105,7 @@
 
 ### Enable ASG Notifications
 **Risk**: Low  
-**Description**: Ensure that Auto Scaling Groups are configured to send email notifications when a scaling event occurs, such as launching or terminating an EC2 instance. Once the ASG Notifications feature is enabled, the SNS topic   associated will process and send ASG scaling events notifications to the email address that you specified during setup.
+**Description**: Ensure that Auto Scaling Groups are configured to send email notifications when a scaling event occurs, such as launching or terminating an EC2 instance. Once the ASG Notifications feature is enabled, the SNS topic   associated will process and send ASG scaling events notifications to the email address that you specified during setup.  
 **Resolution**: Configure your Auto Scaling Groups with the SNS service in order to send scaling events notifications via email.  
 
 ### App-Tier ASGs with Associated ELB
@@ -115,7 +115,7 @@
 
 ### CloudWatch Logs Agent for App-Tier ASG In Use
 **Risk**: Medium  
-**Description**: Ensure that the EC2 instances launched in your app-tier ASG are using CloudWatch log agents to monitor, store and access log files (application or system data logs) from these instances. A CloudWatch Logs agent needs   to be installed on the guest Operating System of the app-tier EC2 instance that you want to get logs from.
+**Description**: Ensure that the EC2 instances launched in your app-tier ASG are using CloudWatch log agents to monitor, store and access log files (application or system data logs) from these instances. A CloudWatch Logs agent needs   to be installed on the guest Operating System of the app-tier EC2 instance that you want to get logs from.  
 **Resolution**: - To install the Cloudwatch Logs agent on the EC2 instances in your app-tier ASG, you must re-create the ASG launch configuration and set it up with the necessary user data (i.e. agent installation script).  
 
 ### IAM Roles for App-Tier ASG Launch Configurations
@@ -161,7 +161,7 @@
 
 ### Same ELB Availability Zones
 **Risk**: Medium  
-**Description**: Ensure that the ASGs and their associated ELBs are sharing the same Availability Zones in order to increase the performance of your auto scaling environments by allowing your applications to use AWS low-latency   network links.
+**Description**: Ensure that the ASGs and their associated ELBs are sharing the same Availability Zones in order to increase the performance of your auto scaling environments by allowing your applications to use AWS low-latency   network links.  
 **Resolution**: Configure your Auto Scaling Groups to share the same availability zones with their load balancers.  
 
 ### Suspended Auto Scaling Group Processes
@@ -193,7 +193,7 @@
 
 ### CloudFront CDN In Use
 **Risk**: Medium  
-**Description**: Ensure that CloudFront CDN service is used in your AWS account to secure and accelerate the delivery of your websites, media files or static resources (e.g., CSS files, JavaScript files, images) handled by your web   applications.
+**Description**: Ensure that CloudFront CDN service is used in your AWS account to secure and accelerate the delivery of your websites, media files or static resources (e.g., CSS files, JavaScript files, images) handled by your web   applications.  
 **Resolution**: In order to utilize Cloudfront as a CDN service to secure and accelerate the delivery of your websites, media files or other static resources, you must create and configure Cloudfront web distributions.  
 
 ### CloudFront WAF Integration
@@ -266,7 +266,7 @@
 
 ### Enable CloudTrail log files encryption
 **Risk**: Medium  
-**Description**: Ensure that CloudTrail logs are encrypted at rest using server-side encryption provided by KMS Managed Keys (SSE-KMS) to enhance the security of your CloudTrail bucket and allow you to have better control over who can   read the log files in your organization.
+**Description**: Ensure that CloudTrail logs are encrypted at rest using server-side encryption provided by KMS Managed Keys (SSE-KMS) to enhance the security of your CloudTrail bucket and allow you to have better control over who can   read the log files in your organization.  
 **Resolution**: Enable SSE-KMS encryption for your CloudTrail log files.  
 
 ### CloudTrail Log Files Delivery Failing
@@ -406,7 +406,7 @@
 
 ### DynamoDB Server-Side Encryption
 **Risk**: High  
-**Description**: Ensure that DynamoDB data at rest (tables, local secondary indexes, global secondary indexes and backups) is encrypted using Server-Side Encryption. The encryption process is using AWS-managed keys stored in KMS, adds   no storage overhead and is completely transparent and you can insert, query, scan and delete items as before.
+**Description**: Ensure that DynamoDB data at rest (tables, local secondary indexes, global secondary indexes and backups) is encrypted using Server-Side Encryption. The encryption process is using AWS-managed keys stored in KMS, adds   no storage overhead and is completely transparent and you can insert, query, scan and delete items as before.  
 **Resolution**: To make use of Server-Side Encryption feature for your new DynamoDB tables  
 
 ---
@@ -430,7 +430,7 @@
 
 ### Use KMS Customer Master Keys for EBS encryption
 **Risk**: High  
-**Description**: Ensure that EBS volumes are using KMS CMK customer-managed keys instead of AWS managed-keys (default key used for volume encryption) in order to have more granular control over your data encryption and decryption   process.
+**Description**: Ensure that EBS volumes are using KMS CMK customer-managed keys instead of AWS managed-keys (default key used for volume encryption) in order to have more granular control over your data encryption and decryption   process.  
 **Resolution**: Use your own CMK key to encrypt an EBS volume.  
 
 ### EBS Volume Naming Conventions
@@ -557,7 +557,7 @@ EC2
 
 ### Enable AMI Encryption
 **Risk**: High  
-**Description**: Ensure that AMIs are encrypted to fulfill compliance requirements for data-at-rest encryption. The AMI data encryption and decryption is handled transparently and doesn’t require any additional action from your   applications.
+**Description**: Ensure that AMIs are encrypted to fulfill compliance requirements for data-at-rest encryption. The AMI data encryption and decryption is handled transparently and doesn’t require any additional action from your   applications.  
 **Resolution**: To encrypt any unencrypted AMI available in your AWS account, you need to create AMIs with encrypted snapshots from AMIs with unencrypted snapshots by copying them.   
 
 ### AMI Naming Conventions
@@ -571,7 +571,7 @@ EC2
 
 ### Unused AMI
 **Risk**: Recommendation  
-**Description**: Find any unused AMI available in your AWS account and remove them in order to lower the cost of your monthly AWS bill. The AMI removal/cleanup process consists of two steps: 1) deregister the unused image and 2)   delete the snapshot associated with it.
+**Description**: Find any unused AMI available in your AWS account and remove them in order to lower the cost of your monthly AWS bill. The AMI removal/cleanup process consists of two steps: 1) deregister the unused image and 2)   delete the snapshot associated with it.  
 **Resolution**: To remove any unused AMIs available in your account, you need to deregister the image and then delete the associated snapshot.   
 
 ### Unassociated Elastic IP Addresses
@@ -591,7 +591,7 @@ EC2
 
 ### Check app-tier ELB subnet connectivity to Internet Gateway
 **Risk**: Medium  
-**Description**: - Ensure that the VPC route table associated with the app-tier ELB subnets has the default route set up to allow access to the Internet Gateway (IGW) in order to provide internet connectivity for the app-tier load   balancer. A route table contains a set of rules that are used to determine where the network traffic is directed. The route table associated with the ELB subnets should contain a default route (i.e. 0.0.0.0/0) that points to an Internet Gateway. 
+**Description**: - Ensure that the VPC route table associated with the app-tier ELB subnets has the default route set up to allow access to the Internet Gateway (IGW) in order to provide internet connectivity for the app-tier load   balancer. A route table contains a set of rules that are used to determine where the network traffic is directed. The route table associated with the ELB subnets should contain a default route (i.e. 0.0.0.0/0) that points to an Internet Gateway.  
 **Resolution**: Create the required route (i.e. 0.0.0.0/0) with an IGW configured as gateway for the route table associated with the app-tier ELB subnets.  
 
 ### IAM Roles for App-Tier EC2 Instances
@@ -601,7 +601,7 @@ EC2
 
 ### Create and Configure App-Tier Security Group
 **Risk**: Medium  
-**Description**: Ensure there is an EC2 security group created and configured for the app tier to grant inbound access from the app-tier ELB security group for explicit ports, in order to secure the access to the EC2 instances running   within the tier. 
+**Description**: Ensure there is an EC2 security group created and configured for the app tier to grant inbound access from the app-tier ELB security group for explicit ports, in order to secure the access to the EC2 instances running   within the tier.  
 **Resolution**: Create a compliant EC2 security group and configure it to allow inbound traffic from the app-tier ELB security group on explicit ports  
 
 ### EC2 Instances Distribution Across Availability Zones
@@ -611,7 +611,7 @@ EC2
 
 ### EC2-Classic Elastic IP Address Limit
 **Risk**: Medium  
-**Description**: Determine if the number of EC2-Classic Elastic IPs (EIPs) allocated per region is close to the limit number established by Amazon for accounts that support EC2-Classic platform and request limit increase in order to   avoid encountering IP resource limitations on future EC2 provisioning sessions. As the IPv4 public IP addresses are a scarce resource nowadays, by default, all AWS accounts are limited to 5 (five) Elastic IP addresses per region.
+**Description**: Determine if the number of EC2-Classic Elastic IPs (EIPs) allocated per region is close to the limit number established by Amazon for accounts that support EC2-Classic platform and request limit increase in order to   avoid encountering IP resource limitations on future EC2 provisioning sessions. As the IPv4 public IP addresses are a scarce resource nowadays, by default, all AWS accounts are limited to 5 (five) Elastic IP addresses per region.  
 **Resolution**: To request an increase for the EC2-Classic Elastic IP limit.  
 
 ### Data-Tier Instances Without Elastic or Public IP Addresses
@@ -622,27 +622,27 @@ EC2
 
 ### Create and Configure Data-Tier Security Group
 **Risk**: Medium  
-**Description**: Ensure there is an AWS security group created and configured for the data tier that grants inbound access from the app-tier security group on explicit TCP ports such as 3306 (MySQL, MariaDB and Aurora), 1433 (MSSQL),   1521 (Oracle SQL) and 5432 (PostgreSQL), to secure the access to your database instances. 
+**Description**: Ensure there is an AWS security group created and configured for the data tier that grants inbound access from the app-tier security group on explicit TCP ports such as 3306 (MySQL, MariaDB and Aurora), 1433 (MSSQL),   1521 (Oracle SQL) and 5432 (PostgreSQL), to secure the access to your database instances.  
 **Resolution**: To create a compliant Amazon data-tier security group and configure it to allow inbound traffic from the app-tier security group on explicit port (in this case TCP port 3306).  
 
 ### Restrict data-tier subnet connectivity to VPC NAT Gateway
 **Risk**: Medium  
-**Description**: Ensure that the VPC route table associated with the data-tier subnets has no default route configured to allow access to an NAT Gateway in order to restrict Internet connectivity for the EC2 instances available within   the data tier. A route table contains a set of rules (also known as routes) that are used to determine where the network traffic is directed. Each subnet deployed in your VPC must be associated with a route table to control the routing. The route table associated with the data-tier subnets should not have a default route (i.e. 0.0.0.0/0) that points to a NAT Gateway. 
+**Description**: Ensure that the VPC route table associated with the data-tier subnets has no default route configured to allow access to an NAT Gateway in order to restrict Internet connectivity for the EC2 instances available within   the data tier. A route table contains a set of rules (also known as routes) that are used to determine where the network traffic is directed. Each subnet deployed in your VPC must be associated with a route table to control the routing. The route table associated with the data-tier subnets should not have a default route (i.e. 0.0.0.0/0) that points to a NAT Gateway.  
 **Resolution**: To remove the default route that has an NAT device configured as gateway for the route table associated with your data-tier subnets.  
 
 ### Unrestricted Default Security Groups
 **Risk**: Medium  
-**Description**: Ensure that EC2 default security groups restrict all inbound public traffic in order to enforce AWS users (EC2 administrators, resource managers, etc) to create custom security groups that exercise the rule of least   privilege instead of using the default security groups.
+**Description**: Ensure that EC2 default security groups restrict all inbound public traffic in order to enforce AWS users (EC2 administrators, resource managers, etc) to create custom security groups that exercise the rule of least   privilege instead of using the default security groups.  
 **Resolution**: To restrict public inbound traffic to your default security groups and use custom security groups instead of default ones for your EC2 instances.  
 
 ### Default EC2 Security Groups In Use
 **Risk**: Medium  
-**Description**: Ensure that the EC2 instances provisioned in your AWS account aren’t associated with default security groups created alongside with your VPCs in order to enforce using custom and unique security groups that exercise   the principle of least privilege.
+**Description**: Ensure that the EC2 instances provisioned in your AWS account aren’t associated with default security groups created alongside with your VPCs in order to enforce using custom and unique security groups that exercise   the principle of least privilege.  
 **Resolution**: To adhere to the principle of least privilege and replace the associated default security groups with custom security groups.  
 
 ### Detailed Monitoring for EC2 Instances
 **Risk**: Low  
-**Description**: Ensure that detailed monitoring is enabled for your EC2 instances in order to have enough monitoring data to help you make better decisions on architecting and managing compute resources in your AWS account. By   default, whenever an EC2 instance is launched, CloudWatch enables basic monitoring for that instance. The basic monitoring level collects monitoring data in 5 minute periods. To increase this level and make the monitoring data available at 1-minute periods, you must specifically enable it for your instance(s).
+**Description**: Ensure that detailed monitoring is enabled for your EC2 instances in order to have enough monitoring data to help you make better decisions on architecting and managing compute resources in your AWS account. By   default, whenever an EC2 instance is launched, CloudWatch enables basic monitoring for that instance. The basic monitoring level collects monitoring data in 5 minute periods. To increase this level and make the monitoring data available at 1-minute periods, you must specifically enable it for your instance(s).  
 **Resolution**: Enable detailed monitoring for your existing EC2 instances.  
 
 ### EC2 Desired Instance Type
@@ -658,7 +658,7 @@ EC2
 
 ### EC2 Instance Not In Public Subnet
 **Risk**: High  
-**Description**: Ensure that no backend EC2 instances are provisioned in public subnets in order to protect them from exposure to the Internet. In this context, backend instances are EC2 instances that do not require direct access to   the public internet such as database, API or caching servers. 
+**Description**: Ensure that no backend EC2 instances are provisioned in public subnets in order to protect them from exposure to the Internet. In this context, backend instances are EC2 instances that do not require direct access to   the public internet such as database, API or caching servers.  
 **Resolution**: To move your backend EC2 instances from public subnets to private subnets, you must re-launch these instances within the right subnets.   
 
 ### Unused EC2 Reserved Instances
@@ -687,7 +687,7 @@ EC2
 
 ### EC2 Instance Limit
 **Risk**: Medium  
-**Description**: Determine if the number of EC2 instances provisioned per region is close to the limit number established by EC2 Service Limit and request limit increase in order to avoid encountering resources limitations on future   provisioning sessions.
+**Description**: Determine if the number of EC2 instances provisioned per region is close to the limit number established by EC2 Service Limit and request limit increase in order to avoid encountering resources limitations on future   provisioning sessions.  
 **Resolution**: To request an increase for EC2 instances limits based on your requirements.  
 
 ### EC2 Instance Naming Conventions
@@ -717,12 +717,12 @@ EC2
 
 ### EC2 Instance Age
 **Risk**: Low  
-**Description**: Identify and re-launch any running EC2 instances older than 180 days in order to ensure their reliability. An EC2 instance is not supposed to run indefinitely in the cloud and having too old instances in your AWS your   account could increase the risk of potential issues.
+**Description**: Identify and re-launch any running EC2 instances older than 180 days in order to ensure their reliability. An EC2 instance is not supposed to run indefinitely in the cloud and having too old instances in your AWS your   account could increase the risk of potential issues.  
 **Resolution**: To safely restart the old instances running inside your AWS account.  
 
 ### EC2 Instance IAM Roles
 **Risk**: Medium  
-**Description**: Use IAM Roles/Instance Profiles instead of IAM Access Keys to appropriately grant access permissions to any application that perform API requests running on your EC2 instances. With IAM roles you can avoid sharing   long-term credentials and protect your instances against unauthorized access.
+**Description**: Use IAM Roles/Instance Profiles instead of IAM Access Keys to appropriately grant access permissions to any application that perform API requests running on your EC2 instances. With IAM roles you can avoid sharing   long-term credentials and protect your instances against unauthorized access.  
 **Resolution**: To assign IAM roles to your running EC2 instances, you must re-launch those instances by creating images (AMIs) of the instances then launch new ones from images with the desired roles attached.   
 
 ### Overutilized EC2 Instances
@@ -732,12 +732,13 @@ EC2
 
 ### Publicly Shared AMIs
 **Risk**: Medium  
-**Description**: Ensure that AMIs aren’t publicly shared with the other AWS accounts in order to avoid exposing sensitive data. **Resolution**: Share your images with specific AWS accounts without making them public.    
+**Description**: Ensure that AMIs aren’t publicly shared with the other AWS accounts in order to avoid exposing sensitive data.  
+**Resolution**: Share your images with specific AWS accounts without making them public.    
 
 
 ### EC2 Reserved Instance Lease Expiration
 **Risk**: Recommendation  
-**Description**: Ensure that EC2 Reserved Instances are renewed before expiration in order to get a significant discount (up to 75% depending on the commitment term) on the hourly charges. The renewal process consists of purchasing   another EC2 Reserved Instance so that Amazon can keep charging you based on the chosen reservation term.
+**Description**: Ensure that EC2 Reserved Instances are renewed before expiration in order to get a significant discount (up to 75% depending on the commitment term) on the hourly charges. The renewal process consists of purchasing   another EC2 Reserved Instance so that Amazon can keep charging you based on the chosen reservation term.  
 **Resolution**: To renew the EC2 Reserved Instances before their reservation expire, you need to repurchase them using the same configuration attributes (region, instance type, OS platform, etc). To renew your existing EC2 RIs in   order to avoid On-Demand rates charges when the current reservation expires.
 
 ### EC2 Security Groups Count
@@ -797,7 +798,7 @@ EC2
 
 ### Unrestricted Inbound Access on Uncommon Ports
 **Risk**: Medium  
-**Description**: Check EC2 security groups for inbound rules that allow total access (0.0.0.0/0) to any uncommon TCP and UDP ports and restrict access to only those IP addresses that require it. A uncommon port can be any TCP/UDP port   that is not included in the common services ports category, i.e. other than the commonly used ports such as 80 (HTTP), 443 (HTTPS), 20/21 (FTP), 22 (SSH), 23 (Telnet), 3389 (RDP), 1521 (Oracle), 3306 (MySQL), 5432 (PostgreSQL), 53 (DNS), 1433 (MSSQL) and 137/138/139/445 (SMB/CIFS).
+**Description**: Check EC2 security groups for inbound rules that allow total access (0.0.0.0/0) to any uncommon TCP and UDP ports and restrict access to only those IP addresses that require it. A uncommon port can be any TCP/UDP port   that is not included in the common services ports category, i.e. other than the commonly used ports such as 80 (HTTP), 443 (HTTPS), 20/21 (FTP), 22 (SSH), 23 (Telnet), 3389 (RDP), 1521 (Oracle), 3306 (MySQL), 5432 (PostgreSQL), 53 (DNS), 1433 (MSSQL) and 137/138/139/445 (SMB/CIFS).  
 **Resolution**: Update EC2 security groups inbound configuration in order to restrict access to specific IPs.  
 
 ### Unrestricted MongoDB Access
@@ -812,7 +813,7 @@ EC2
 
 ### Unrestricted MySQL Database Access
 **Risk**: Medium  
-**Description**: Check EC2 security groups for inbound rules that allow total access (0.0.0.0/0) to TCP port 3306 and restrict access to only those IP addresses that require it. TCP port 3306 is used by the MySQL Server which is an   open-source relational database management system (RDBMS) server.
+**Description**: Check EC2 security groups for inbound rules that allow total access (0.0.0.0/0) to TCP port 3306 and restrict access to only those IP addresses that require it. TCP port 3306 is used by the MySQL Server which is an   open-source relational database management system (RDBMS) server.  
 **Resolution**: Update security groups inbound/ingress configuration in order to restrict MySQL access to specific IPs.   
 
 ### Unrestricted NetBIOS Access
@@ -862,22 +863,22 @@ EC2
 
 ### Unused Elastic Network Interfaces
 **Risk**: Low  
-**Description**: Identify and delete any unused Elastic Network Interfaces in order to adhere to best-practices and to avoid reaching the service limit. An Elastic Network Interface (ENI) is pronounced unused when is not attached   anymore to an EC2 instance.
+**Description**: Identify and delete any unused Elastic Network Interfaces in order to adhere to best-practices and to avoid reaching the service limit. An Elastic Network Interface (ENI) is pronounced unused when is not attached   anymore to an EC2 instance.  
 **Resolution**: To remove any unused Elastic Network Interfaces (ENIs) available in your AWS account.  
 
 ### Unused EC2 Key Pairs
 **Risk**: Medium  
-**Description**: Identify and remove any unused EC2 key pairs in order to adhere to AWS security best-practices and protect against unapproved SSH access. An SSH key pair is evaluated as unused when is not associated with any of the   EC2 instances available in the same AWS region.
+**Description**: Identify and remove any unused EC2 key pairs in order to adhere to AWS security best-practices and protect against unapproved SSH access. An SSH key pair is evaluated as unused when is not associated with any of the   EC2 instances available in the same AWS region.  
 **Resolution**: To decommission (remove) any unused EC2 key pairs provisioned in your AWS account.  
 
 ### EC2-VPC Elastic IP Address Limit
 **Risk**: Medium  
-**Description**: Determine if the number of EC2-VPC Elastic IPs (EIPs) allocated per region is close to the limit number established by AWS for accounts that support VPCs (VPCs) and request limit increase in order to avoid   encountering IP resource limitations on future EC2 provisioning sessions. As the IPv4 public IP addresses are a scarce resource nowadays, all AWS accounts are limited to 5 (five) Elastic IP addresses per region.
+**Description**: Determine if the number of EC2-VPC Elastic IPs (EIPs) allocated per region is close to the limit number established by AWS for accounts that support VPCs (VPCs) and request limit increase in order to avoid   encountering IP resource limitations on future EC2 provisioning sessions. As the IPv4 public IP addresses are a scarce resource nowadays, all AWS accounts are limited to 5 (five) Elastic IP addresses per region.  
 **Resolution**: To request an increase for the EC2-VPC Elastic IP limit.  
 
 ### Publicly Shared Web-Tier AMIs
 **Risk**: High  
-**Description**: Ensure that none of the AMIs created in your web tier are publicly shared with other AWS accounts in order to avoid exposing sensitive information, as these images can contain proprietary web applications, personal   data and configuration information that can be used to exploit or compromise running EC2 instances available in your web tier. 
+**Description**: Ensure that none of the AMIs created in your web tier are publicly shared with other AWS accounts in order to avoid exposing sensitive information, as these images can contain proprietary web applications, personal   data and configuration information that can be used to exploit or compromise running EC2 instances available in your web tier.  
 **Resolution**: Make the publicly shared AMIs, available in your web tier.  
 
 ### Web-Tier EC2 Instances Without Elastic or Public IP Addresses
@@ -887,12 +888,12 @@ EC2
 
 ### Check web-tier ELB subnet connectivity to Internet Gateway
 **Risk**: Medium  
-**Description**: Ensure that the VPC route table associated with the web-tier ELB subnets has the default route configured to allow access to an Internet Gateway (IGW) in order to provide internet connectivity for the web-tier load   balancer. A VPC route table contains a set of rules (also known as routes) that are used to determine where the network traffic is directed. The route table associated with the ELB subnets should contain a default route (i.e. 0.0.0.0/0) that points to an Internet Gateway. 
+**Description**: Ensure that the VPC route table associated with the web-tier ELB subnets has the default route configured to allow access to an Internet Gateway (IGW) in order to provide internet connectivity for the web-tier load   balancer. A VPC route table contains a set of rules (also known as routes) that are used to determine where the network traffic is directed. The route table associated with the ELB subnets should contain a default route (i.e. 0.0.0.0/0) that points to an Internet Gateway.  
 **Resolution**: To create the required route (i.e. 0.0.0.0/0) with an IGW configured as gateway for the route table associated with the web-tier ELB subnets  
 
 ### Attach Policy to IAM Roles Associated with Web-Tier EC2 Instances
 **Risk**: High  
-**Description**: Ensure that the IAM roles associated with your web-tier EC2 instances are using IAM policies to grant the necessary permissions to the web applications installed on these instances. The IAM policies must follow the   principle of least privilege and provide the web-tier IAM roles the minimum level of access to the AWS services used by the applications. 
+**Description**: Ensure that the IAM roles associated with your web-tier EC2 instances are using IAM policies to grant the necessary permissions to the web applications installed on these instances. The IAM policies must follow the   principle of least privilege and provide the web-tier IAM roles the minimum level of access to the AWS services used by the applications.  
 **Resolution**: To define and attach IAM policies to the IAM roles associated with your web-tier EC2 instances and implement the principle of least privilege (i.e. provide the minimal set of actions required to perform successfully   the desired tasks)
 
 ### IAM Roles for Web-Tier EC2 Instances
@@ -902,12 +903,12 @@ EC2
 
 ### Create and Configure Web-Tier Security Group
 **Risk**: Medium  
-**Description**: Ensure there is an EC2 security group created and configured for the web tier to allow inbound traffic directly from the web-tier ELB security group for the required ports, in order to secure the access to the EC2   instances. 
+**Description**: Ensure there is an EC2 security group created and configured for the web tier to allow inbound traffic directly from the web-tier ELB security group for the required ports, in order to secure the access to the EC2   instances.  
 **Resolution**: Create a compliant EC2 security group and configure it to allow inbound traffic from the web-tier ELB security group on explicit ports  
 
 ### Check web-tier subnet connectivity to VPC NAT Gateway
 **Risk**: Medium  
-**Description**: Ensure that the VPC route table associated with the web-tier subnets has the default route configured to allow connectivity to the NAT Gateway deployed in the same VPC, in order to provide Internet access for the   web-tier EC2 instances.
+**Description**: Ensure that the VPC route table associated with the web-tier subnets has the default route configured to allow connectivity to the NAT Gateway deployed in the same VPC, in order to provide Internet access for the   web-tier EC2 instances.  
 **Resolution**: Create the necessary route with an NAT device configured as gateway for the route table associated with the web-tier subnets  
 
 ---
@@ -936,7 +937,7 @@ EC2
 
 ### KMS Customer Master Keys for EFS Encryption
 **Risk**: High  
-**Description**: Ensure that EFS file systems are encrypted using KMS CMK customer-managed keys instead of AWS managed-keys (default keys used by the EFS service when there are no customer keys defined) in order to have more granular   control over your data-at-rest encryption/decryption process.
+**Description**: Ensure that EFS file systems are encrypted using KMS CMK customer-managed keys instead of AWS managed-keys (default keys used by the EFS service when there are no customer keys defined) in order to have more granular   control over your data-at-rest encryption/decryption process.  
 **Resolution**: To encrypt an existing EFS file system with your own KMS CMK customer-managed key you must copy the data from the existing file system onto the new one, that has the encryption feature enabled.  
 
 
@@ -1005,7 +1006,7 @@ EC2
 
 ### Enable ElasticSearch Zone Awareness
 **Risk**: Medium  
-**Description**: Ensure that ElasticSearch cross-zone replication (Zone Awareness) is enabled to increase the availability of your ES clusters by allocating the nodes and replicate the data across two Availability Zones in the same   region in order to prevent data loss and minimize downtime in the event of node or data center (AZ) failure.
+**Description**: Ensure that ElasticSearch cross-zone replication (Zone Awareness) is enabled to increase the availability of your ES clusters by allocating the nodes and replicate the data across two Availability Zones in the same   region in order to prevent data loss and minimize downtime in the event of node or data center (AZ) failure.  
 **Resolution**: Enable cross-zone replication for your ElasticSearch clusters.  
 
 ### Enable ElasticSearch Encryption At Rest
@@ -1020,12 +1021,12 @@ EC2
 
 ### Total Number of ElasticSearch Instances
 **Risk**: Medium  
-**Description**: Ensure that the number of ElasticSearch cluster instances (including dedicated master instances) provisioned in your AWS account has not reached the limit quota established by your organization for the ElasticSearch   workload deployed. 
+**Description**: Ensure that the number of ElasticSearch cluster instances (including dedicated master instances) provisioned in your AWS account has not reached the limit quota established by your organization for the ElasticSearch   workload deployed.  
 **Resolution**: To build an AWS support case to limit the number of provisioned ElasticSearch instances based on your requirements  
 
 ### Enable ElasticSearch Node-to-Node Encryption
 **Risk**: High  
-**Description**: Ensure that node-to-node encryption feature is enabled for your ElasticSearch domains (clusters) in order to add an extra layer of data protection on top of the existing ES security features such as HTTPS client to   cluster encryption and data-at-rest encryption and meet strict compliance requirements. 
+**Description**: Ensure that node-to-node encryption feature is enabled for your ElasticSearch domains (clusters) in order to add an extra layer of data protection on top of the existing ES security features such as HTTPS client to   cluster encryption and data-at-rest encryption and meet strict compliance requirements.  
 **Resolution**: To enable node-to-node encryption for your existing ElasticSearch domains, you need to re-create them with the necessary configuration.  
 
 ### Enable ElasticSearch Slow Logs
@@ -1094,12 +1095,12 @@ EC2
 
 ### AWS Classic Load Balancer
 **Risk**: Medium  
-**Description**: Ensure that HTTP/HTTPS applications (monolithic or containerized) are using the Application Load Balancer (ALB) instead of Classic Load Balancer (ELB) for enhanced incoming traffic distribution, better performance and   lower costs. 
+**Description**: Ensure that HTTP/HTTPS applications (monolithic or containerized) are using the Application Load Balancer (ALB) instead of Classic Load Balancer (ELB) for enhanced incoming traffic distribution, better performance and   lower costs.  
 **Resolution**: Migrate your HTTP/HTTPS web application(s) from a Classic Load Balancer (ELB) to an Application Load Balancer (ALB) using the AWS Management Console and AWS CLI. To move your application(s) instances to the ALB,   redirect the traffic and remove the ELB.
 
 ### Connection Draining Enabled
 **Risk**: Medium  
-**Description**: With Connection Draining feature enabled, if an EC2 backend instance fails health checks the ELB will not send any new requests to the unhealthy instance. However, it will still allow existing (in-flight) requests to   complete for the duration of the configured timeout.
+**Description**: With Connection Draining feature enabled, if an EC2 backend instance fails health checks the ELB will not send any new requests to the unhealthy instance. However, it will still allow existing (in-flight) requests to   complete for the duration of the configured timeout.  
 **Resolution**: Enable Connection Draining.  
 
 ### Enable ELB Cross-Zone Load Balancing
@@ -1163,7 +1164,7 @@ EC2
 
 ### Add SSL/TLS Server Certificates to Web-Tier ELBs
 **Risk**: High  
-**Description**: Ensure that web-tier ELBs are using SSL/TLS server certificates to encrypt the communication between the web application clients and the load balancer. When you use HTTPS/SSL (secure HTTP/TCP) for the ELB front-end   listeners, you must deploy an SSL/TLS certificate on your load balancer. This SSL/TLS server certificate is used by the web-tier ELB to terminate the connection and decrypt requests from clients before sending them to the EC2 instances behind the load balancer (also known as backend instances). 
+**Description**: Ensure that web-tier ELBs are using SSL/TLS server certificates to encrypt the communication between the web application clients and the load balancer. When you use HTTPS/SSL (secure HTTP/TCP) for the ELB front-end   listeners, you must deploy an SSL/TLS certificate on your load balancer. This SSL/TLS server certificate is used by the web-tier ELB to terminate the connection and decrypt requests from clients before sending them to the EC2 instances behind the load balancer (also known as backend instances).  
 **Resolution**: To secure the traffic between the web clients and your web-tier load balancer using SSL encryption, Update ELB configuration to attach an SSL/TLS server certificate (an X.509 certificate is required).   
 
 ### Web-Tier ELBs Health Check
@@ -1184,7 +1185,7 @@ ELBv2
 
 ### ELBv2 Instances Distribution Across Availability Zones
 **Risk**: Medium  
-**Description**: Ensure that the EC2 instances (targets) registered to your Application Load Balancers (ALBs) and Network Load Balancers (NLBs) are evenly distributed across all Availability Zones in order to improve the reliability   of your load balancers configuration.
+**Description**: Ensure that the EC2 instances (targets) registered to your Application Load Balancers (ALBs) and Network Load Balancers (NLBs) are evenly distributed across all Availability Zones in order to improve the reliability   of your load balancers configuration.  
 **Resolution**: To equally distribute your existing EC2 target instances across all Availability Zones within the selected AWS region, you need to add new Availability Zones to the ELBv2 load balancer configuration and migrate the   registered instances between these Availability Zones. 
 
 ### ALB (ELBv2) Listener Security
@@ -1194,22 +1195,22 @@ ELBv2
 
 ### Minimum Number of EC2 Target Instances
 **Risk**: High  
-**Description**: Ensure there are at least two healthy EC2 target instances registered to each Application Load Balancer (ALB) and Network Load Balancer (NLB) in order to provide a fault-tolerant load balancing configuration for your   applications.
+**Description**: Ensure there are at least two healthy EC2 target instances registered to each Application Load Balancer (ALB) and Network Load Balancer (NLB) in order to provide a fault-tolerant load balancing configuration for your   applications.  
 **Resolution**: To register additional healthy EC2 instances to the target group(s) associated with your ELBv2 load balancers.  
 
 ### ELBv2 Security Groups
 **Risk**: High  
-**Description**: Ensure that all Application Load Balancers (ALBs) available in your AWS account are associated with valid and secure security groups that restrict access only to the ports defined within the load balancers listeners   configuration.
+**Description**: Ensure that all Application Load Balancers (ALBs) available in your AWS account are associated with valid and secure security groups that restrict access only to the ports defined within the load balancers listeners   configuration.  
 **Resolution**: To replace any invalid/insecure security group associated with your ELBv2 load balancers.  
 
 ### ALB (ELBv2) Security Policy
 **Risk**: Medium  
-**Description**: Ensure that ALBs are using the latest predefined security policy for their SSL negotiation configuration in order to follow security best-practices and protect their front-end connections against SSL/TLS   vulnerabilities.
+**Description**: Ensure that ALBs are using the latest predefined security policy for their SSL negotiation configuration in order to follow security best-practices and protect their front-end connections against SSL/TLS   vulnerabilities.  
 **Resolution**: Update Application Load Balancers listeners configuration to use the latest predefined security policies  
 
 ### Unused ELBs (ELBv2)
 **Risk**: Recommendation  
-**Description**: Find any unused Application Load Balancers (ALBs) and Network Load Balancers (NLBs) and remove them in order to help lower the cost of your monthly AWS bill. An ELBv2 load balancer is considered “unused” when the   associated target group has no EC2 target instance registered or when the registered target instances aren’t healthy anymore.
+**Description**: Find any unused Application Load Balancers (ALBs) and Network Load Balancers (NLBs) and remove them in order to help lower the cost of your monthly AWS bill. An ELBv2 load balancer is considered “unused” when the   associated target group has no EC2 target instance registered or when the registered target instances aren’t healthy anymore.  
 **Resolution**: Delete any unused ELB currently available in your AWS account  
 
 ---
@@ -1238,12 +1239,12 @@ ELBv2
 
 ### Enable EMR In-Transit and At-Rest Encryption
 **Risk**: High  
-**Description**: Ensure that EMR clusters are encrypted in order to meet security and compliance requirements. Data encryption helps prevent unauthorized users from reading sensitive data available on your EMR clusters and their   associated data storage systems. This includes data saved to persistent media, known as data at-rest, and data that can be intercepted as it travels through the network, known as data in-transit.
+**Description**: Ensure that EMR clusters are encrypted in order to meet security and compliance requirements. Data encryption helps prevent unauthorized users from reading sensitive data available on your EMR clusters and their   associated data storage systems. This includes data saved to persistent media, known as data at-rest, and data that can be intercepted as it travels through the network, known as data in-transit.  
 **Resolution**: To enable in-transit and at-rest encryption for your existing EMR clusters, you must define and configure an EMR security configuration then re-create these clusters with the new security configuration.  
 
 ### Total Number of EMR Instances
 **Risk**: Medium  
-**Description**: Ensure that the number of Elastic MapReduce (EMR) cluster instances (master and core instances) provisioned in your AWS account has not reached the limit quota established by your organization for the EMR workload   deployed. 
+**Description**: Ensure that the number of Elastic MapReduce (EMR) cluster instances (master and core instances) provisioned in your AWS account has not reached the limit quota established by your organization for the EMR workload   deployed.  
 **Resolution**: To build an AWS support case in order to limit the number of provisioned Elastic MapReduce cluster instances based on your requirements  
 
 ---
@@ -1265,7 +1266,7 @@ ELBv2
 
 ### GuardDuty In Use
 **Risk**: Medium  
-**Description**: Ensure that GuardDuty service is currently enabled in order to protect your AWS environment and infrastructure (AWS accounts and resources, IAM credentials, guest operating systems, applications, etc) against security   threats. 
+**Description**: Ensure that GuardDuty service is currently enabled in order to protect your AWS environment and infrastructure (AWS accounts and resources, IAM credentials, guest operating systems, applications, etc) against security   threats.  
 **Resolution**: Enable GuardDuty  
 
 ---
@@ -1335,7 +1336,7 @@ ELBv2
 
 ### Enable Security Challenge Questions for your Account
 **Risk**: Very High  
-**Description**: Ensure your account is configured to use security challenge questions so Amazon can use these questions to verify your identity in case your account become compromised or if you just need to contact their customer   service for help.
+**Description**: Ensure your account is configured to use security challenge questions so Amazon can use these questions to verify your identity in case your account become compromised or if you just need to contact their customer   service for help.  
 **Resolution**: To secure your AWS account identity by enabling and configuring security challenge questions.  
 
 ### Attach Policy to IAM Roles Associated with App-Tier EC2 Instances
@@ -1350,7 +1351,7 @@ ELBv2
 
 ### Server Certificate Signature Algorithm
 **Risk**: High  
-**Description**: - Ensure that all the SSL/TLS certificates stored within IAM aren’t using the MD5/SHA-1 signature algorithm in order to adhere to AWS security best-practices and protect from Collision attacks (i.e. cryptographic hash   collisions).
+**Description**: - Ensure that all the SSL/TLS certificates stored within IAM aren’t using the MD5/SHA-1 signature algorithm in order to adhere to AWS security best-practices and protect from Collision attacks (i.e. cryptographic hash   collisions).  
 **Resolution**: To replace any insecure/deprecated SSL/TLS certificates managed by IAM service.  
 
 ### IAM Server Certificate Size
@@ -1370,7 +1371,7 @@ ELBv2
 
 ### IAM Users with Admin Privileges
 **Risk**: High  
-**Description**: Ensure that there are no IAM users with administrator permissions (i.e. privileged users) available in your AWS account in order to adhere to IAM security best-practices and implement the principle of least privilege   (the practice of providing every user the minimal amount of access required to perform its tasks).
+**Description**: Ensure that there are no IAM users with administrator permissions (i.e. privileged users) available in your AWS account in order to adhere to IAM security best-practices and implement the principle of least privilege   (the practice of providing every user the minimal amount of access required to perform its tasks).  
 **Resolution**: To adhere to security best-practices and implement the IAM Master and IAM Manager role policies for your privileged IAM user.  
 
 ### Detect IAM Configuration Changes
@@ -1389,7 +1390,7 @@ ELBv2
 
 ### Remove IAM Policies with Full Administrative Privileges
 **Risk**: High  
-**Description**: Ensure there are no IAM policies (inline and customer managed) that allow full administrative privileges available in your AWS account, in order to promote the principle of least privilege and provide the users,   groups and roles that use these policies the minimal amount of access required to perform their tasks. 
+**Description**: Ensure there are no IAM policies (inline and customer managed) that allow full administrative privileges available in your AWS account, in order to promote the principle of least privilege and provide the users,   groups and roles that use these policies the minimal amount of access required to perform their tasks.  
 **Resolution**: To detach IAM managed policies that provide full administrative privileges from IAM users, groups and roles  
 
 ### IAM Customer Managed Policy with Administrative Permissions In Use
@@ -1422,7 +1423,7 @@ ELBv2
 
 ### Valid IAM Identity Providers
 **Risk**: Medium  
-**Description**: Ensure that the IAM Identity Providers (IdPs) utilized in your AWS account are valid in order to manage securely your user identities outside of AWS and give these external identities permissions to use AWS resources   in your account. 
+**Description**: Ensure that the IAM Identity Providers (IdPs) utilized in your AWS account are valid in order to manage securely your user identities outside of AWS and give these external identities permissions to use AWS resources   in your account.  
 **Resolution**: To replace an invalid Identity Provider (IdP) available in your AWS account.For SAML Identity Providers:  
 
 ### MFA Device Deactivated for IAM Users
@@ -1436,7 +1437,7 @@ ELBv2
 
 ### IAM Master and IAM Manager Roles
 **Risk**: High  
-**Description**: Ensure that the IAM administration and permission management in your AWS account is divided between two roles: IAM Master and IAM Manager. The IAM Master role duty is to create IAM users, groups and roles, while the   IAM Manager role responsibility is to assign users and roles to groups.
+**Description**: Ensure that the IAM administration and permission management in your AWS account is divided between two roles: IAM Master and IAM Manager. The IAM Master role duty is to create IAM users, groups and roles, while the   IAM Manager role responsibility is to assign users and roles to groups.  
 **Resolution**: Create the IAM Master and IAM Manager roles necessary for an efficient IAM administration and permission management in your AWS account.  
 
 ### IAM Password Expiry
@@ -1519,17 +1520,17 @@ ELBv2
 
 ### App-Tier Customer Master Key In Use
 **Risk**: High  
-**Description**: Ensure there is one KMS Customer Master Key created in your AWS account for the app tier in order to protect data that transits your AWS application stack, have full control over encryption process, and meet security   and compliance requirements. 
+**Description**: Ensure there is one KMS Customer Master Key created in your AWS account for the app tier in order to protect data that transits your AWS application stack, have full control over encryption process, and meet security   and compliance requirements.  
 **Resolution**: Create a dedicated KMS Customer Master Key to be used by AWS resources and services in your app stack.  
 
 ### KMS Customer Master Key In Use
 **Risk**: Medium  
-**Description**: Ensure that you have KMS CMK customer-managed keys in use in your account instead of AWS managed-keys in order to have full control over your data encryption and decryption process. KMS CMK customer-managed keys can   be used to encrypt and decrypt data for multiple AWS components such as S3, Redshift, EBS and RDS.
+**Description**: Ensure that you have KMS CMK customer-managed keys in use in your account instead of AWS managed-keys in order to have full control over your data encryption and decryption process. KMS CMK customer-managed keys can   be used to encrypt and decrypt data for multiple AWS components such as S3, Redshift, EBS and RDS.  
 **Resolution**: Use your own CMK customer-managed key instead of the default / AWS-managed key to encrypt an EBS vol.  
 
 ### Database Tier Customer Master Key In Use
 **Risk**: High  
-**Description**: Ensure there is one KMS Customer Master Key created in your AWS account for the database tier in order to protect data-at-rest available in your AWS web stack, have full control over encryption/decryption process, and   meet security and compliance requirements.
+**Description**: Ensure there is one KMS Customer Master Key created in your AWS account for the database tier in order to protect data-at-rest available in your AWS web stack, have full control over encryption/decryption process, and   meet security and compliance requirements.  
 **Resolution**: Create a dedicated KMS Customer Master Key to be used by AWS resources in your database tier  
 
 ### Default KMS Key Usage
@@ -1564,7 +1565,7 @@ ELBv2
 
 ### Enable KMS Key Rotation
 **Risk**: Medium  
-**Description**: Once enabled, the KMS Key Rotation will allow you to set an yearly rotation schedule for your CMK so when a customer master key is required to encrypt your new data, the KMS service can automatically use the latest   version of the HSA backing key (AWS hardened security appliance key) to perform the encryption.
+**Description**: Once enabled, the KMS Key Rotation will allow you to set an yearly rotation schedule for your CMK so when a customer master key is required to encrypt your new data, the KMS service can automatically use the latest   version of the HSA backing key (AWS hardened security appliance key) to perform the encryption.  
 **Resolution**: Enable KMS Key Rotation.  
 
 ### Remove unused KMS keys
@@ -1574,7 +1575,7 @@ ELBv2
 
 ### Web-Tier Customer Master Key In Use
 **Risk**: High  
-**Description**: Ensure there is one KMS Customer Master Key created in your AWS account for the web tier in order to protect data that transits your AWS web stack, have full control over data encryption/decryption process, and meet   compliance requirements. 
+**Description**: Ensure there is one KMS Customer Master Key created in your AWS account for the web tier in order to protect data that transits your AWS web stack, have full control over data encryption/decryption process, and meet   compliance requirements.  
 **Resolution**: Create a dedicated KMS Customer Master Key to be used by AWS resources provisioned in your web tier  
 
 ---
@@ -1594,7 +1595,7 @@ ELBv2
 
 ### Lambda Functions with Admin Privileges
 **Risk**: Medium  
-**Description**: Ensure that Lambda functions do not have administrative permissions (i.e. access to all AWS actions and resources) in order to promote the Principle of Least Privilege and provide your functions the minimal amount of   access required to perform their tasks.
+**Description**: Ensure that Lambda functions do not have administrative permissions (i.e. access to all AWS actions and resources) in order to promote the Principle of Least Privilege and provide your functions the minimal amount of   access required to perform their tasks.  
 **Resolution**: Implement the Principle of Least Privilege and provide your Lambda functions with the right set of permissions instead of full administrative permissions.  
 
 ### Lambda Unknown Cross Account Access
@@ -1604,12 +1605,12 @@ ELBv2
 
 ### Lambda Runtime Environment Version
 **Risk**: Medium  
-**Description**: Ensure that you always use the latest version of the execution environment for your Lambda functions in order to adhere to AWS best-practices and receive the newest software features, get the latest security patches   and bug fixes, and benefit from better performance and reliability. 
+**Description**: Ensure that you always use the latest version of the execution environment for your Lambda functions in order to adhere to AWS best-practices and receive the newest software features, get the latest security patches   and bug fixes, and benefit from better performance and reliability.  
 **Resolution**: To upgrade the runtime environment version for your Lambda functions  
 
 ### An IAM role for a Lambda Function
 **Risk**: High  
-**Description**: Ensure that Lambda functions do not share the same IAM execution role in order to promote the Principle of Least Privilege (POLP) by providing each individual function the minimal amount of access required to perform   its tasks. 
+**Description**: Ensure that Lambda functions do not share the same IAM execution role in order to promote the Principle of Least Privilege (POLP) by providing each individual function the minimal amount of access required to perform   its tasks.  
 **Resolution**: Create a separate IAM role (with the right set of permissions) for each individual Lambda function.  
 
 ---
@@ -1630,7 +1631,7 @@ ELBv2
 
 ### AWS Organizations In Use
 **Risk**: Medium  
-**Description**: Ensure that Amazon Organizations service is currently in use to gain central control over the use of AWS services across multiple AWS accounts (using Service Control Policies) in order to help you comply with the   security and compliance policies in your company. 
+**Description**: Ensure that Amazon Organizations service is currently in use to gain central control over the use of AWS services across multiple AWS accounts (using Service Control Policies) in order to help you comply with the   security and compliance policies in your company.  
 **Resolution**: To make use of Amazon Organizations service and benefit from centralized control over the use of AWS services across multiple accounts you must create first an organization (with All features set enabled) using your   current AWS account as the master account then invite other accounts to join your organization.
 
 ---
@@ -1679,22 +1680,22 @@ ELBv2
 
 ### RDS Auto Minor Version Upgrade
 **Risk**: Medium  
-**Description**: Ensure that RDS database instances have the Auto Minor Version Upgrade flag enabled in order to receive automatically minor engine upgrades during the specified maintenance window. Each version upgrade is available   only after is tested and approved by AWS.
+**Description**: Ensure that RDS database instances have the Auto Minor Version Upgrade flag enabled in order to receive automatically minor engine upgrades during the specified maintenance window. Each version upgrade is available   only after is tested and approved by AWS.  
 **Resolution**: Update RDS instances configuration and enable Auto Minor Version Upgrade.  
 
 ### Enable RDS Automated Backups
 **Risk**: High  
-**Description**: Ensure that RDS database instances have automated backups enabled for point-in-time recovery. To back up your database instances, RDS take automatically a full daily snapshot of your data (with transactions logs)   during the specified backup window and keeps the backups for a limited period of time (known as retention period) defined by the instance owner.
+**Description**: Ensure that RDS database instances have automated backups enabled for point-in-time recovery. To back up your database instances, RDS take automatically a full daily snapshot of your data (with transactions logs)   during the specified backup window and keeps the backups for a limited period of time (known as retention period) defined by the instance owner.  
 **Resolution**: Update RDS instances configuration and enable automated backups.  
 
 ### Enable RDS Deletion Protection
 **Risk**: Medium  
-**Description**: Ensure that Relational Database Service (RDS) instances have Deletion Protection feature enabled in order to protect them from being accidentally deleted. Deletion protection is supported by all RDS engines as well as   the Aurora MySQL and Aurora PostgreSQL database engines.
+**Description**: Ensure that Relational Database Service (RDS) instances have Deletion Protection feature enabled in order to protect them from being accidentally deleted. Deletion protection is supported by all RDS engines as well as   the Aurora MySQL and Aurora PostgreSQL database engines.  
 **Resolution**: Enable Deletion Protection feature for your existing RDS database instances  
 
 ### Enable RDS Encryption
 **Risk**: High  
-**Description**: Ensure that RDS database instances are encrypted to fulfill compliance requirements for data-at-rest encryption. The RDS data encryption and decryption is handled transparently and doesn’t require any additional   action from you or your application.
+**Description**: Ensure that RDS database instances are encrypted to fulfill compliance requirements for data-at-rest encryption. The RDS data encryption and decryption is handled transparently and doesn’t require any additional   action from you or your application.  
 **Resolution**: Enable data encryption for your existing RDS instances you need to re-create (back-up and restore) them with encryption flag enabled.  
 
 ### RDS Free Storage Space
@@ -1704,7 +1705,7 @@ ELBv2
 
 ### Enable IAM Database Authentication
 **Risk**: Medium  
-**Description**: Ensure IAM Database Authentication feature is enabled in order to use IAM service to manage database access to your RDS MySQL and PostgreSQL instances. With this feature enabled, you don’t have to use a password when   you connect to your MySQL/PostgreSQL database instances, instead you use an authentication token. 
+**Description**: Ensure IAM Database Authentication feature is enabled in order to use IAM service to manage database access to your RDS MySQL and PostgreSQL instances. With this feature enabled, you don’t have to use a password when   you connect to your MySQL/PostgreSQL database instances, instead you use an authentication token.  
 **Resolution**: Enable IAM Database Authentication feature for your existing RDS database instances in order to manage your MySQL/PostgreSQL database user credentials through IAM users and roles  
 
 
@@ -1725,7 +1726,7 @@ ELBv2
 
 ### Publicly Accessible RDS Instances
 **Risk**: High  
-**Description**: Check for any public facing RDS database instances provisioned in your AWS account and restrict unauthorized access in order to minimise security risks. To restrict access to any publicly accessible RDS database   instance, you must disable the database Publicly Accessible flag and update the VPC security group associated with the instance.
+**Description**: Check for any public facing RDS database instances provisioned in your AWS account and restrict unauthorized access in order to minimise security risks. To restrict access to any publicly accessible RDS database   instance, you must disable the database Publicly Accessible flag and update the VPC security group associated with the instance.  
 **Resolution**: Update RDS instances connection configuration in order to restrict access.  
 
 ### Use Data-Tier Security Group for RDS Databases
@@ -1735,22 +1736,22 @@ ELBv2
 
 ### RDS Database Default Port
 **Risk**: Low  
-**Description**: Ensure that RDS databases instances aren’t using their default endpoint ports (i.e. MySQL/Aurora port 3306, SQL Server port 1433, PostgreSQL port 5432, etc) in order to promote port obfuscation as an additional layer   of defense against non-targeted attacks.
+**Description**: Ensure that RDS databases instances aren’t using their default endpoint ports (i.e. MySQL/Aurora port 3306, SQL Server port 1433, PostgreSQL port 5432, etc) in order to promote port obfuscation as an additional layer   of defense against non-targeted attacks.  
 **Resolution**: To change the default port number for your existing RDS database instances.  
 
 ### Use KMS Customer Master Keys for RDS encryption
 **Risk**: High  
-**Description**: Ensure that RDS database instances are using KMS CMK customer-managed keys rather than AWS managed-keys (default keys used by RDS when there are no customer keys available), in order to have more granular control over   your data-at-rest encryption/decryption process.
+**Description**: Ensure that RDS database instances are using KMS CMK customer-managed keys rather than AWS managed-keys (default keys used by RDS when there are no customer keys available), in order to have more granular control over   your data-at-rest encryption/decryption process.  
 **Resolution**: Since RDS encryption is an immutable setting that must be turned on at the creation time, to migrate a database from unencrypted to encrypted, the database must be backed up and restored onto a new one with the   encryption flag enabled.
 
 ### RDS General Purpose SSD Storage Type
 **Risk**: Recommendation  
-**Description**: Ensure that RDS instances are using General Purpose SSDs instead of Provisioned IOPS SSDs for cost-effective storage that fits a broad range of database workloads. Unless you are running mission-critical applications   that require more than 10000 IOPS or 160 MiB/s of throughput per database, we recommende converting your Provisioned IOPS RDS instances to General Purpose instances in order to lower the cost of your monthly AWS bill while keeping the same I/O performance. 
+**Description**: Ensure that RDS instances are using General Purpose SSDs instead of Provisioned IOPS SSDs for cost-effective storage that fits a broad range of database workloads. Unless you are running mission-critical applications   that require more than 10000 IOPS or 160 MiB/s of throughput per database, we recommende converting your Provisioned IOPS RDS instances to General Purpose instances in order to lower the cost of your monthly AWS bill while keeping the same I/O performance.  
 **Resolution**: To convert your Provisioned IOPS SSD based RDS instances to General Purpose SSD based instances, you need to modify your instances storage type configuration.  
 
 ### RDS Instance Not In Public Subnet
 **Risk**: High  
-**Description**: Ensure that no RDS database instances are provisioned inside VPC public subnets in order to protect them from direct exposure to the Internet. Since database instances aren’t Internet-facing and their management   (running software updates, implementing security patches, etc) is done by Amazon, these instances should run only in private subnets.
+**Description**: Ensure that no RDS database instances are provisioned inside VPC public subnets in order to protect them from direct exposure to the Internet. Since database instances aren’t Internet-facing and their management   (running software updates, implementing security patches, etc) is done by Amazon, these instances should run only in private subnets.  
 **Resolution**: To move your RDS database instances from public subnets to private subnets, you must replace their current subnet groups with the ones that contain VPC private subnets.  
 
 ### RDS Database Master Username
@@ -1765,7 +1766,7 @@ ELBv2
 
 ### RDS Sufficient Backup Retention Period
 **Risk**: Medium  
-**Description**: Ensure that RDS database instances have set a minimum backup retention period in order to achieve the compliance requirements. Recommended a minimum (default) retention period of 7 (seven) days but you can adjust the   minimumRetentionPeriod parameter value to narrow or extend the default retention period.
+**Description**: Ensure that RDS database instances have set a minimum backup retention period in order to achieve the compliance requirements. Recommended a minimum (default) retention period of 7 (seven) days but you can adjust the   minimumRetentionPeriod parameter value to narrow or extend the default retention period.  
 **Resolution**: Update RDS instances automated backups configuration and extend the retention period.  
 
 ### Enable RDS Transport Encryption
@@ -1787,7 +1788,7 @@ Route53
 
 ### Enable Route 53 Domain Auto Renew
 **Risk**: High  
-**Description**: Ensure that Route 53 Auto Renew feature is enabled to automatically renew your domain names as the expiration date approaches. The automatic renewal registration fee will be charged to your AWS account and you will   get an email with the renewal confirmation once the registration is processed.
+**Description**: Ensure that Route 53 Auto Renew feature is enabled to automatically renew your domain names as the expiration date approaches. The automatic renewal registration fee will be charged to your AWS account and you will   get an email with the renewal confirmation once the registration is processed.  
 **Resolution**: Update Route 53 domains configuration and enable the Auto Renew feature.  
 
 ### Create DNS Alias Record for Root Domain
@@ -1812,7 +1813,7 @@ Route53
 
 ### Enable Privacy Protection for Route 53 Domains
 **Risk**: Low  
-**Description**: Ensure that Route 53 domains have Privacy Protection feature enabled in order to hide all their contact information from WHOIS queries and reduce the amount of spam received. The feature allows you to conceal your   personal phone number, email and physical address for the domain names registered and/or transferred to Route 53 service.
+**Description**: Ensure that Route 53 domains have Privacy Protection feature enabled in order to hide all their contact information from WHOIS queries and reduce the amount of spam received. The feature allows you to conceal your   personal phone number, email and physical address for the domain names registered and/or transferred to Route 53 service.  
 **Resolution**: Enable Privacy Protection for your Route 53 domains in order to hide all their contact information from WHOIS queries and reduce spam  
 
 ### Root Domain Alias Records that Point to ELB
@@ -1826,12 +1827,12 @@ Route53
 
 ### Route 53 DNS In Use
 **Risk**: High  
-**Description**: Ensure that Route 53 Domain Name System (DNS) service is used in your AWS account to manage DNS zones for your domains. Route 53 is an authoritative Domain Name System service built on top of AWS highly available,   scalable and reliable infrastructure.
+**Description**: Ensure that Route 53 Domain Name System (DNS) service is used in your AWS account to manage DNS zones for your domains. Route 53 is an authoritative Domain Name System service built on top of AWS highly available,   scalable and reliable infrastructure.  
 **Resolution**: In order to utilize Route 53 as DNS service for your domain names, you must create and configure Route 53 hosted zones.  
 
 ### Route 53 SPF DNS Records
 **Risk**: Medium  
-**Description**: Ensure your Route 53 hosted zones have a TXT DNS record that contains a corresponding Sender Policy Framework (SPF) value set for each MX record available. The SPF record enables your Route 53 registered domains to   publicly state which mail servers are authorized to send emails on its behalf.
+**Description**: Ensure your Route 53 hosted zones have a TXT DNS record that contains a corresponding Sender Policy Framework (SPF) value set for each MX record available. The SPF record enables your Route 53 registered domains to   publicly state which mail servers are authorized to send emails on its behalf.  
 **Resolution**: Create SPF record sets for the corresponding MX records in your Route 53 DNS hosted zones.  
 
 ### Enable Route 53 Domain Transfer Lock
@@ -1882,32 +1883,32 @@ Route53Domains
 
 ### S3 Bucket Authenticated ‘FULL_CONTROL’ Access
 **Risk**: Very High  
-**Description**: Ensure that S3 buckets aren’t granting FULL_CONTROL access to authenticated users (i.e. signed AWS accounts or IAM users) in order to prevent unauthorized access. An S3 bucket that allows full control access to   authenticated users will give any AWS account or IAM user the ability to LIST (READ) objects, UPLOAD/DELETE (WRITE) objects, VIEW (READ_ACP) objects permissions and EDIT (WRITE_ACP) permissions for the objects within the bucket. 
+**Description**: Ensure that S3 buckets aren’t granting FULL_CONTROL access to authenticated users (i.e. signed AWS accounts or IAM users) in order to prevent unauthorized access. An S3 bucket that allows full control access to   authenticated users will give any AWS account or IAM user the ability to LIST (READ) objects, UPLOAD/DELETE (WRITE) objects, VIEW (READ_ACP) objects permissions and EDIT (WRITE_ACP) permissions for the objects within the bucket.  
 **Resolution**: To remove authenticated FULL_CONTROL access for your S3 buckets.  
 
 ### S3 Bucket Authenticated ‘READ’ Access
 **Risk**: Very High  
-**Description**: Ensure that S3 buckets content cannot be listed by AWS authenticated accounts or IAM users in order to protect your S3 data against unauthorized access. An S3 bucket that allows READ (LIST) access to authenticated   users will provide AWS accounts or IAM users the ability to list the objects within the bucket and use the information acquired to find objects with misconfigured ACL permissions and exploit them.
+**Description**: Ensure that S3 buckets content cannot be listed by AWS authenticated accounts or IAM users in order to protect your S3 data against unauthorized access. An S3 bucket that allows READ (LIST) access to authenticated   users will provide AWS accounts or IAM users the ability to list the objects within the bucket and use the information acquired to find objects with misconfigured ACL permissions and exploit them.  
 **Resolution**: To remove authenticated READ access to your S3 buckets.  
 
 ### S3 Bucket Authenticated ‘READ_ACP’ Access
 **Risk**: Very High  
-**Description**: Ensure that S3 buckets content permissions cannot be viewed by AWS authenticated accounts or IAM users in order to protect against unauthorized access. An S3 bucket that grants READ_ACP (VIEW PERMISSIONS) access to   AWS signed users can allow them to examine your S3 Access Control Lists (ACLs) configuration details and find permission vulnerabilities.
+**Description**: Ensure that S3 buckets content permissions cannot be viewed by AWS authenticated accounts or IAM users in order to protect against unauthorized access. An S3 bucket that grants READ_ACP (VIEW PERMISSIONS) access to   AWS signed users can allow them to examine your S3 Access Control Lists (ACLs) configuration details and find permission vulnerabilities.  
 **Resolution**: To remove authenticated READ_ACP access for your S3 buckets ACL configuration.  
 
 ### S3 Bucket Authenticated ‘WRITE’ Access
 **Risk**: Very High  
-**Description**: Ensure that S3 buckets cannot be accessed for WRITE actions by AWS authenticated accounts or IAM users in order to protect your S3 data from unauthorized access. An S3 bucket that allows WRITE (UPLOAD/DELETE) access   to any AWS authenticated users can provide them the capability to add, delete and replace objects within the bucket without restrictions.
+**Description**: Ensure that S3 buckets cannot be accessed for WRITE actions by AWS authenticated accounts or IAM users in order to protect your S3 data from unauthorized access. An S3 bucket that allows WRITE (UPLOAD/DELETE) access   to any AWS authenticated users can provide them the capability to add, delete and replace objects within the bucket without restrictions.  
 **Resolution**: To remove authenticated WRITE access for your S3 buckets.  
 
 ### S3 Bucket Authenticated ‘WRITE_ACP’ Access
 **Risk**: Very High  
-**Description**: Ensure that S3 buckets do not allow authenticated AWS accounts or IAM users to modify access control permissions to protect your S3 data from unauthorized access. An S3 bucket that allows WRITE_ACP access to AWS   authenticated users can give these the capability to edit permissions and gain full access to the resource. Allowing this type of access is dangerous and can lead to data loss or unexpectedly high S3 charges on your AWS bill as a result of economic denial-of-service attacks.
+**Description**: Ensure that S3 buckets do not allow authenticated AWS accounts or IAM users to modify access control permissions to protect your S3 data from unauthorized access. An S3 bucket that allows WRITE_ACP access to AWS   authenticated users can give these the capability to edit permissions and gain full access to the resource. Allowing this type of access is dangerous and can lead to data loss or unexpectedly high S3 charges on your AWS bill as a result of economic denial-of-service attacks.  
 **Resolution**: To remove authenticated WRITE_ACP access for your S3 buckets.  
 
 ### Enable S3 Bucket Default Encryption
 **Risk**: High  
-**Description**: Ensure that default encryption is enabled at the bucket level to automatically encrypt all objects when stored in S3. The S3 objects are encrypted during the upload process using Server-Side Encryption with either   S3-managed keys (SSE-S3) or KMS-managed keys (SSE-KMS).
+**Description**: Ensure that default encryption is enabled at the bucket level to automatically encrypt all objects when stored in S3. The S3 objects are encrypted during the upload process using Server-Side Encryption with either   S3-managed keys (SSE-S3) or KMS-managed keys (SSE-KMS).  
 **Resolution**: Enable default encryption for your existing S3 buckets.  
 
 ### Enable Access Logging for S3 Buckets
@@ -2010,7 +2011,7 @@ Route53Domains
 
 ### SES Identity Verification Status
 **Risk**: Low  
-**Description**: Ensure SES identities are verified in order to prove their ownership and to prevent others from using them. Before you can use SES to send emails, you must verify each email address (or the email address domain) that   you will use as a “From”, “Source”, “Sender” or “Return-Path” address, to confirm that you own it.
+**Description**: Ensure SES identities are verified in order to prove their ownership and to prevent others from using them. Before you can use SES to send emails, you must verify each email address (or the email address domain) that   you will use as a “From”, “Source”, “Sender” or “Return-Path” address, to confirm that you own it.  
 **Resolution**: To verify any SES identities in order to prove their ownership.  
 
 ---
@@ -2021,7 +2022,7 @@ Route53Domains
 
 ### AWS Shield In Use
 **Risk**: Medium  
-**Description**: Ensure that Shield service is currently in use in order to protect your AWS-powered web applications from Distributed Denial of Service (DDoS) attacks that can affect the application’s availability and response time   by overwhelming (flooding) them with traffic from multiple sources. 
+**Description**: Ensure that Shield service is currently in use in order to protect your AWS-powered web applications from Distributed Denial of Service (DDoS) attacks that can affect the application’s availability and response time   by overwhelming (flooding) them with traffic from multiple sources.  
 **Resolution**: - To enable AWS Shield Advanced tier for your AWS account  
 
 ---
@@ -2090,17 +2091,17 @@ Route53Domains
 
 ### Unused VPC Internet Gateways
 **Risk**: Low  
-**Description**: Identify and remove any unused VPC Internet Gateways (IGWs) and VPC Egress-Only Internet Gateways (EIGWs) in order to adhere to best-practices and to avoid approaching the service limit (by default, you are limited to   5 IGWs and 5 EIGWs per AWS region). 
+**Description**: Identify and remove any unused VPC Internet Gateways (IGWs) and VPC Egress-Only Internet Gateways (EIGWs) in order to adhere to best-practices and to avoid approaching the service limit (by default, you are limited to   5 IGWs and 5 EIGWs per AWS region).  
 **Resolution**: To remove any unused IGWs and EIGWs available in your VPC  
 
 ### Use Managed NAT Gateway for VPC
 **Risk**: Medium  
-**Description**: Ensure that VPC network(s) use the highly available Managed NAT Gateway service instead of an NAT instance in order to enable EC2 instances sitting in a private subnet to connect to the internet or with other AWS   components.
+**Description**: Ensure that VPC network(s) use the highly available Managed NAT Gateway service instead of an NAT instance in order to enable EC2 instances sitting in a private subnet to connect to the internet or with other AWS   components.  
 **Resolution**: Enable the Managed NAT Gateway service for your VPC network(s).  
 
 ### Create NAT Gateways in at Least Two Availability Zones
 **Risk**: Medium  
-**Description**: Ensure that NAT gateways are deployed in at least two Availability Zones in order to enable EC2 instances available within private subnets to connect to the Internet or to other AWS services but prevent the Internet   from initiating a connection with those instances. 
+**Description**: Ensure that NAT gateways are deployed in at least two Availability Zones in order to enable EC2 instances available within private subnets to connect to the Internet or to other AWS services but prevent the Internet   from initiating a connection with those instances.  
 **Resolution**: To deploy your NAT gateways in at least two Availability Zones  
 
 ### Ineffective Network ACL DENY Rules
@@ -2145,12 +2146,12 @@ Route53Domains
 
 ### VPC Endpoints In Use
 **Risk**: Medium  
-**Description**: Ensure that VPC endpoints are being used to allow you to securely connect your VPC to other AWS services and VPC endpoint services without the need of an Internet Gateway (IGW), NAT device, VPN connection or an AWS   Direct Connect connection. 
+**Description**: Ensure that VPC endpoints are being used to allow you to securely connect your VPC to other AWS services and VPC endpoint services without the need of an Internet Gateway (IGW), NAT device, VPN connection or an AWS   Direct Connect connection.  
 **Resolution**: A VPC endpoint enables you to connect with particular AWS services that are outside your VPC network through a private link. To deploy and configure a VPC endpoint in your AWS account  
 
 ### Enable VPC Flow Logs
 **Risk**: Medium  
-**Description**: Once enabled, the Flow Logs feature will start collecting network traffic data to and from your VPC, data that can be useful to detect and troubleshoot security issues and make sure that the network access rules   aren’t overly permissive.
+**Description**: Once enabled, the Flow Logs feature will start collecting network traffic data to and from your VPC, data that can be useful to detect and troubleshoot security issues and make sure that the network access rules   aren’t overly permissive.  
 **Resolution**: Enable Flow Logs for your VPC, you need to create first an IAM role that will grant permissions to publish flow log streams to the specified log group in CloudWatch Logs  
 
 ### VPC Naming Conventions

diff --git a/aws_sercurity_test.md → AWS-security-performance-costs.md b/aws_sercurity_test.md → AWS-security-performance-costs.md
diff --git a/aws_sercurity_test.md b/aws_sercurity_test.md
@@ -24,6 +24,7 @@
 1. [Organizations](#Organizations)  
 1. [RDS](#RDS)  
 1. [ResourceGroup](#ResourceGroup)  
+1. [S3](#S3)  
 1. [SES](#SES)  
 1. [Shield](#Shield)  
 1. [TrustedAdvisor](#TrustedAdvisor)  
@@ -1848,6 +1849,15 @@ Route53Domains
 # ResourceGroup
 
 * [Use tags to organize AWS resources](#Use-tags-to-organize-AWS-resources)
+
+### Use tags to organize AWS resources
+**Risk**: Low  
+**Description**: Ensure that user-defined tags (metadata) are being used for labeling, collecting and organizing resources available in your AWS environment.   
+
+---
+
+# S3
+
 * [S3 Bucket Authenticated ‘FULL_CONTROL’ Access](#S3-Bucket-Authenticated-‘FULL_CONTROL’-Access)
 * [S3 Bucket Authenticated ‘READ’ Access](#S3-Bucket-Authenticated-‘READ’-Access)
 * [S3 Bucket Authenticated ‘READ_ACP’ Access](#S3-Bucket-Authenticated-‘READ_ACP’-Access)
@@ -1870,11 +1880,6 @@ Route53Domains
 * [Server-Side Encryption](#Server-Side-Encryption)
 * [Limit S3 Bucket Access by IP Address](#Limit-S3-Bucket-Access-by-IP-Address)
 
-### Use tags to organize AWS resources
-**Risk**: Low  
-**Description**: Ensure that user-defined tags (metadata) are being used for labeling, collecting and organizing resources available in your AWS environment.   
-S3
-
 ### S3 Bucket Authenticated ‘FULL_CONTROL’ Access
 **Risk**: Very High  
 **Description**: Ensure that S3 buckets aren’t granting FULL_CONTROL access to authenticated users (i.e. signed AWS accounts or IAM users) in order to prevent unauthorized access. An S3 bucket that allows full control access to   authenticated users will give any AWS account or IAM user the ability to LIST (READ) objects, UPLOAD/DELETE (WRITE) objects, VIEW (READ_ACP) objects permissions and EDIT (WRITE_ACP) permissions for the objects within the bucket. 

diff --git a/aws_sercurity_test.md b/aws_sercurity_test.md
@@ -9,6 +9,7 @@
 1. [Config](#Config)  
 1. [DynamoDB](#DynamoDB)  
 1. [EBS](#EBS)  
+1. [EC2](#EC2)  
 1. [ECR](#ECR)  
 1. [EFS](#EFS)  
 1. [ElasticSearch](#ElasticSearch)  
@@ -420,6 +421,55 @@
 * [Remove Unattached EC2 EBS volumes](#Remove-Unattached-EC2-EBS-volumes)
 * [Enable EBS Snapshot Encryption](#Enable-EBS-Snapshot-Encryption)
 * [EBS Volumes Attached to Stopped EC2 Instances](#EBS-Volumes-Attached-to-Stopped-EC2-Instances)
+
+### Enable EBS Encryption
+**Risk**: High  
+**Description**: With encryption enabled, your EBS volumes can hold very sensitive and critical data.  
+**Resolution**: To enable encryption on EBS volumes and snapshots, you need to re-create them.  
+
+### Use KMS Customer Master Keys for EBS encryption
+**Risk**: High  
+**Description**: Ensure that EBS volumes are using KMS CMK customer-managed keys instead of AWS managed-keys (default key used for volume encryption) in order to have more granular control over your data encryption and decryption   process.
+**Resolution**: Use your own CMK key to encrypt an EBS volume.  
+
+### EBS Volume Naming Conventions
+**Risk**: Low  
+**Description**: Ensure that all your EBS volumes are using proper naming conventions for tagging in order to manage them more efficiently and adhere to AWS resource tagging best-practices.   
+
+### EBS Public Snapshots
+**Risk**: High  
+**Description**: Ensure that EBS volume snapshots aren’t public (i.e. publicly shared with other AWS accounts) in order to avoid exposing personal and sensitive data.   
+**Resolution**: Change privacy property to private.  
+
+### EBS volumes recent snapshots
+**Risk**: Medium  
+**Description**: Ensure that EBS volumes have recent snapshots available for point-in-time recovery for a better, more reliable data backup strategy.  
+**Resolution**: Maintain your EBS backup stack up-to-date, you need to create new EBS snapshots.   
+
+### Remove EBS old snapshots
+**Risk**: Recommendation  
+**Description**: Check for any EBS snapshots older than 30 days available in your AWS account and remove them in order to lower the cost of your monthly bill.   
+**Resolution**: Safely delete any old and unneeded EBS volume snapshots from your AWS account.  
+
+### Remove Unattached EC2 EBS volumes
+**Risk**: Medium  
+**Description**: Identify any unattached (unused) EBS volumes available in your AWS account and remove them in order to lower the cost of your monthly AWS bill and reduce the risk of confidential/sensitive data leaving your premise.  
+**Resolution**: Remove any unused and unwanted EBS volumes from your AWS account.  
+
+### Enable EBS Snapshot Encryption
+**Risk**: Medium  
+**Description**: Ensure that the EBS volume snapshots that hold sensitive and critical data are encrypted to fulfill compliance requirements for data-at-rest encryption.  
+**Resolution**: To encrypt existing EBS volume snapshots available in your AWS account.  
+
+### EBS Volumes Attached to Stopped EC2 Instances
+**Risk**: Recommendation  
+**Description**: Identify any EBS volumes that are currently attached to stopped EC2 instances and remove them if the instances are no longer needed in order avoid unexpected charges on your AWS bill.  
+EC2
+
+---
+
+# EC2
+
 * [Approved/Golden AMI](#Approved/Golden-AMI)
 * [AWS Blacklisted AMI](#AWS-Blacklisted-AMI)
 * [Enable AMI Encryption](#Enable-AMI-Encryption)
@@ -494,50 +544,6 @@
 * [Create and Configure Web-Tier Security Group](#Create-and-Configure-Web-Tier-Security-Group)
 * [Check web-tier subnet connectivity to VPC NAT Gateway](#Check-web-tier-subnet-connectivity-to-VPC-NAT-Gateway)
 
-### Enable EBS Encryption
-**Risk**: High  
-**Description**: With encryption enabled, your EBS volumes can hold very sensitive and critical data.  
-**Resolution**: To enable encryption on EBS volumes and snapshots, you need to re-create them.  
-
-### Use KMS Customer Master Keys for EBS encryption
-**Risk**: High  
-**Description**: Ensure that EBS volumes are using KMS CMK customer-managed keys instead of AWS managed-keys (default key used for volume encryption) in order to have more granular control over your data encryption and decryption   process.
-**Resolution**: Use your own CMK key to encrypt an EBS volume.  
-
-### EBS Volume Naming Conventions
-**Risk**: Low  
-**Description**: Ensure that all your EBS volumes are using proper naming conventions for tagging in order to manage them more efficiently and adhere to AWS resource tagging best-practices.   
-
-### EBS Public Snapshots
-**Risk**: High  
-**Description**: Ensure that EBS volume snapshots aren’t public (i.e. publicly shared with other AWS accounts) in order to avoid exposing personal and sensitive data.   
-**Resolution**: Change privacy property to private.  
-
-### EBS volumes recent snapshots
-**Risk**: Medium  
-**Description**: Ensure that EBS volumes have recent snapshots available for point-in-time recovery for a better, more reliable data backup strategy.  
-**Resolution**: Maintain your EBS backup stack up-to-date, you need to create new EBS snapshots.   
-
-### Remove EBS old snapshots
-**Risk**: Recommendation  
-**Description**: Check for any EBS snapshots older than 30 days available in your AWS account and remove them in order to lower the cost of your monthly bill.   
-**Resolution**: Safely delete any old and unneeded EBS volume snapshots from your AWS account.  
-
-### Remove Unattached EC2 EBS volumes
-**Risk**: Medium  
-**Description**: Identify any unattached (unused) EBS volumes available in your AWS account and remove them in order to lower the cost of your monthly AWS bill and reduce the risk of confidential/sensitive data leaving your premise.  
-**Resolution**: Remove any unused and unwanted EBS volumes from your AWS account.  
-
-### Enable EBS Snapshot Encryption
-**Risk**: Medium  
-**Description**: Ensure that the EBS volume snapshots that hold sensitive and critical data are encrypted to fulfill compliance requirements for data-at-rest encryption.  
-**Resolution**: To encrypt existing EBS volume snapshots available in your AWS account.  
-
-### EBS Volumes Attached to Stopped EC2 Instances
-**Risk**: Recommendation  
-**Description**: Identify any EBS volumes that are currently attached to stopped EC2 instances and remove them if the instances are no longer needed in order avoid unexpected charges on your AWS bill.  
-EC2
-
 ### Approved/Golden AMI
 **Risk**: Medium  
 **Description**: Ensure that all the EC2 instances necessary for your application stack are launched from your approved base AMI (AMIs), known as golden AMIs in order to enforce consistency and save time when scaling your application.  

diff --git a/aws_sercurity_test.md b/aws_sercurity_test.md
@@ -1,33 +1,33 @@
 # Table of Contents
 
-1. [ACM](ACM)  
-1. [API Gateway](API-Gateway)  
-1. [AutoScaling](AutoScaling)  
-1. [CloudFront](CloudFront)  
-1. [CloudTrail](CloudTrail)  
-1. [CloudWatch](CloudWatch)  
-1. [Config](Config)  
-1. [DynamoDB](DynamoDB)  
-1. [EBS](EBS)  
-1. [ECR](ECR)  
-1. [EFS](EFS)  
-1. [ElasticSearch](ElasticSearch)  
-1. [ELB](ELB)  
-1. [EMR](EMR)  
-1. [GuardDuty](GuardDuty)  
-1. [Health](Health)  
-1. [IAM](IAM)  
-1. [Inspector](Inspector)  
-1. [KMS](KMS)  
-1. [Lambda](Lambda)  
-1. [Organizations](Organizations)  
-1. [RDS](RDS)  
-1. [ResourceGroup](ResourceGroup)  
-1. [SES](SES)  
-1. [Shield](Shield)  
-1. [TrustedAdvisor](TrustedAdvisor)  
-1. [VPC](VPC)  
-1. [WAF](WAF)  
+1. [ACM](#ACM)  
+1. [API Gateway](#API-Gateway)  
+1. [AutoScaling](#AutoScaling)  
+1. [CloudFront](#CloudFront)  
+1. [CloudTrail](#CloudTrail)  
+1. [CloudWatch](#CloudWatch)  
+1. [Config](#Config)  
+1. [DynamoDB](#DynamoDB)  
+1. [EBS](#EBS)  
+1. [ECR](#ECR)  
+1. [EFS](#EFS)  
+1. [ElasticSearch](#ElasticSearch)  
+1. [ELB](#ELB)  
+1. [EMR](#EMR)  
+1. [GuardDuty](#GuardDuty)  
+1. [Health](#Health)  
+1. [IAM](#IAM)  
+1. [Inspector](#Inspector)  
+1. [KMS](#KMS)  
+1. [Lambda](#Lambda)  
+1. [Organizations](#Organizations)  
+1. [RDS](#RDS)  
+1. [ResourceGroup](#ResourceGroup)  
+1. [SES](#SES)  
+1. [Shield](#Shield)  
+1. [TrustedAdvisor](#TrustedAdvisor)  
+1. [VPC](#VPC)  
+1. [WAF](#WAF)  
 
 ---
 

diff --git a/aws_sercurity_test.md b/aws_sercurity_test.md
@@ -2170,6 +2170,8 @@ S3
 
 # WAF
 
+* [AWS Web Application Firewall In Use](#AWS-Web-Application-Firewall-In-Use)
+
 ### AWS Web Application Firewall In Use
 **Risk**: Medium  
 **Description**: Ensure that WAF service is currently in use.  

diff --git a/aws_sercurity_test.md b/aws_sercurity_test.md
@@ -56,6 +56,10 @@
 
 # API Gateway
 
+* [Enable CloudWatch Logs for APIs](#Enable-CloudWatch-Logs-for-APIs)
+* [Enable Detailed CloudWatch Metrics for APIs](#Enable-Detailed-CloudWatch-Metrics-for-APIs)
+* [API Gateway Private Endpoints](#API-Gateway-Private-Endpoints)
+
 ### Enable CloudWatch Logs for APIs
 **Risk**: Medium  
 **Description**: Ensure that CloudWatch logs are enabled for all your APIs created with API Gateway service.  
@@ -75,6 +79,23 @@
 
 # AutoScaling
 
+* [ASG Cooldown Period](#ASG-Cooldown-Period)
+* [Enable ASG Notifications](#Enable-ASG-Notifications)
+* [App-Tier ASGs with Associated ELB](#App-Tier-ASGs-with-Associated-ELB)
+* [CloudWatch Logs Agent for App-Tier ASG In Use](#CloudWatch-Logs-Agent-for-App-Tier-ASG-In-Use)
+* [IAM Roles for App-Tier ASG Launch Configurations](#IAM-Roles-for-App-Tier-ASG-Launch-Configurations)
+* [Use Approved AMIs for App-Tier ASG Launch Configurations](#Use-Approved-AMIs-for-App-Tier-ASG-Launch-Configurations)
+* [Auto Scaling Group Referencing Missing ELB](#Auto-Scaling-Group-Referencing-Missing-ELB)
+* [Empty Auto Scaling Groups](#Empty-Auto-Scaling-Groups)
+* [Launch Configuration Referencing Missing AMI](#Launch-Configuration-Referencing-Missing-AMI)
+* [Launch Configuration Referencing Missing Security Group](#Launch-Configuration-Referencing-Missing-Security-Group)
+* [Unused Launch Configuration Templates](#Unused-Launch-Configuration-Templates)
+* [Multi-AZ Auto Scaling Groups](#Multi-AZ-Auto-Scaling-Groups)
+* [Same ELB Availability Zones](#Same-ELB-Availability-Zones)
+* [Suspended Auto Scaling Group Processes](#Suspended-Auto-Scaling-Group-Processes)
+* [Web-Tier Auto Scaling Groups with Associated ELBs](#Web-Tier-Auto-Scaling-Groups-with-Associated-ELBs)
+* [Use Approved AMIs for Web-Tier ASG Launch Configurations](#Use-Approved-AMIs-for-Web-Tier-ASG-Launch-Configurations)
+
 ### ASG Cooldown Period
 **Risk**: High  
 **Description**: Ensure that ASGs are configured to use a cooldown period to temporarily suspend any scaling activities in order to allow the newly launched EC2 instance some time to start handling the application traffic.  
@@ -160,6 +181,14 @@
 
 # CloudFront
 
+* [CloudFront CDN In Use](#CloudFront-CDN-In-Use)
+* [CloudFront WAF Integration](#CloudFront-WAF-Integration)
+* [Enable Origin Access Identity for CloudFront Distributions with S3 Origin](#Enable-Origin-Access-Identity-for-CloudFront-Distributions-with-S3-Origin)
+* [CloudFront Origin Insecure SSL Protocols](#CloudFront-Origin-Insecure-SSL-Protocols)
+* [CloudFront Security Policy](#CloudFront-Security-Policy)
+* [Unencrypted CloudFront Traffic](#Unencrypted-CloudFront-Traffic)
+* [Use Cloudfront CDN](#Use-Cloudfront-CDN)
+
 ### CloudFront CDN In Use
 **Risk**: Medium  
 **Description**: Ensure that CloudFront CDN service is used in your AWS account to secure and accelerate the delivery of your websites, media files or static resources (e.g., CSS files, JavaScript files, images) handled by your web   applications.
@@ -197,6 +226,15 @@
 
 # CloudTrail
 
+* [Enable access logging for CloudTrail buckets](#Enable-access-logging-for-CloudTrail-buckets)
+* [Enable MFA Delete for CloudTrail bucket](#Enable-MFA-Delete-for-CloudTrail-bucket)
+* [CloudTrail insecure buckets](#CloudTrail-insecure-buckets)
+* [Monitor CloudTrail Configuration Changes](#Monitor-CloudTrail-Configuration-Changes)
+* [Enable CloudTrail integration with CloudWatch](#Enable-CloudTrail-integration-with-CloudWatch)
+* [Enable CloudTrail log file integrity validation](#Enable-CloudTrail-log-file-integrity-validation)
+* [Enable CloudTrail log files encryption](#Enable-CloudTrail-log-files-encryption)
+* [CloudTrail Log Files Delivery Failing](#CloudTrail-Log-Files-Delivery-Failing)
+
 ### Enable access logging for CloudTrail buckets
 **Risk**: Medium  
 **Description**: Ensure that any S3 buckets used by CloudTrail have Server Access Logging feature enabled in order to track requests for accessing the buckets and necessary for security audits.  
@@ -237,6 +275,19 @@
 
 # CloudWatch
 
+* [Enable AWS Billing Alerts](#Enable-AWS-Billing-Alerts)
+* [Enable CloudWatch Billing Alarm](#Enable-CloudWatch-Billing-Alarm)
+* [Exposed CloudWatch Event Bus](#Exposed-CloudWatch-Event-Bus)
+* [CloudWatch Events In Use](#CloudWatch-Events-In-Use)
+* [Alarm for Config Changes](#Alarm-for-Config-Changes)
+* [Alarm for Organizations Changes](#Alarm-for-Organizations-Changes)
+* [Alarm for multiple Sign-in Failures](#Alarm-for-multiple-Sign-in-Failures)
+* [Monitor for AWS Console Sign-In Requests Without MFA](#Monitor-for-AWS-Console-Sign-In-Requests-Without-MFA)
+* [Alarm for EC2 Instance Changes](#Alarm-for-EC2-Instance-Changes)
+* [Alarm for EC2 Large Instance Changes](#Alarm-for-EC2-Large-Instance-Changes)
+* [Alarm for Root Account Usage](#Alarm-for-Root-Account-Usage)
+* [Alarm for S3 Bucket Changes](#Alarm-for-S3-Bucket-Changes)
+
 ### Enable AWS Billing Alerts
 **Risk**: High  
 **Description**: Ensure that billing alerts are enabled in order to receive notifications when your AWS estimated charges exceed a threshold that you choose. These alerts are triggered by CloudWatch and sent to you using the SNS.  
@@ -291,6 +342,13 @@
 
 # Config
 
+* [Monitor AWS Config configuration changes](#Monitor-AWS-Config-configuration-changes)
+* [Enable AWS Config](#Enable-AWS-Config)
+* [AWS Config Referencing Missing S3 Bucket](#AWS-Config-Referencing-Missing-S3-Bucket)
+* [AWS Config Referencing Missing SNS Topic](#AWS-Config-Referencing-Missing-SNS-Topic)
+* [AWS Config Log Files Delivery Failing](#AWS-Config-Log-Files-Delivery-Failing)
+* [Include Global Resources into AWS Config Settings](#Include-Global-Resources-into-AWS-Config-Settings)
+
 ### Monitor AWS Config configuration changes
 **Risk**: High  
 **Description**: Monitor AWS Config configuration changes.  
@@ -324,6 +382,11 @@
 
 # DynamoDB
 
+* [Enable DynamoDB Auto Scaling](#Enable-DynamoDB-Auto-Scaling)
+* [DynamoDB Backup and Restore](#DynamoDB-Backup-and-Restore)
+* [Enable DynamoDB Continuous Backups](#Enable-DynamoDB-Continuous-Backups)
+* [DynamoDB Server-Side Encryption](#DynamoDB-Server-Side-Encryption)
+
 ### Enable DynamoDB Auto Scaling
 **Risk**: Medium  
 **Description**: Ensure that DynamoDB Auto Scaling feature is enabled to dynamically adjust provisioned throughput (read and write) capacity for your tables and global secondary indexes.   
@@ -348,6 +411,89 @@
 
 # EBS
 
+* [Enable EBS Encryption](#Enable-EBS-Encryption)
+* [Use KMS Customer Master Keys for EBS encryption](#Use-KMS-Customer-Master-Keys-for-EBS-encryption)
+* [EBS Volume Naming Conventions](#EBS-Volume-Naming-Conventions)
+* [EBS Public Snapshots](#EBS-Public-Snapshots)
+* [EBS volumes recent snapshots](#EBS-volumes-recent-snapshots)
+* [Remove EBS old snapshots](#Remove-EBS-old-snapshots)
+* [Remove Unattached EC2 EBS volumes](#Remove-Unattached-EC2-EBS-volumes)
+* [Enable EBS Snapshot Encryption](#Enable-EBS-Snapshot-Encryption)
+* [EBS Volumes Attached to Stopped EC2 Instances](#EBS-Volumes-Attached-to-Stopped-EC2-Instances)
+* [Approved/Golden AMI](#Approved/Golden-AMI)
+* [AWS Blacklisted AMI](#AWS-Blacklisted-AMI)
+* [Enable AMI Encryption](#Enable-AMI-Encryption)
+* [AMI Naming Conventions](#AMI-Naming-Conventions)
+* [Check for AMI Age](#Check-for-AMI-Age)
+* [Unused AMI](#Unused-AMI)
+* [Unassociated Elastic IP Addresses](#Unassociated-Elastic-IP-Addresses)
+* [Publicly Shared App-Tier AMIs](#Publicly-Shared-App-Tier-AMIs)
+* [App-Tier EC2 Instances Without Elastic or Public IP Addresses](#App-Tier-EC2-Instances-Without-Elastic-or-Public-IP-Addresses)
+* [Check app-tier ELB subnet connectivity to Internet Gateway](#Check-app-tier-ELB-subnet-connectivity-to-Internet-Gateway)
+* [IAM Roles for App-Tier EC2 Instances](#IAM-Roles-for-App-Tier-EC2-Instances)
+* [Create and Configure App-Tier Security Group](#Create-and-Configure-App-Tier-Security-Group)
+* [EC2 Instances Distribution Across Availability Zones](#EC2-Instances-Distribution-Across-Availability-Zones)
+* [EC2-Classic Elastic IP Address Limit](#EC2-Classic-Elastic-IP-Address-Limit)
+* [Data-Tier Instances Without Elastic or Public IP Addresses](#Data-Tier-Instances-Without-Elastic-or-Public-IP-Addresses)
+* [Create and Configure Data-Tier Security Group](#Create-and-Configure-Data-Tier-Security-Group)
+* [Restrict data-tier subnet connectivity to VPC NAT Gateway](#Restrict-data-tier-subnet-connectivity-to-VPC-NAT-Gateway)
+* [Unrestricted Default Security Groups](#Unrestricted-Default-Security-Groups)
+* [Default EC2 Security Groups In Use](#Default-EC2-Security-Groups-In-Use)
+* [Detailed Monitoring for EC2 Instances](#Detailed-Monitoring-for-EC2-Instances)
+* [EC2 Desired Instance Type](#EC2-Desired-Instance-Type)
+* [Review EC2 Dedicated Instances](#Review-EC2-Dedicated-Instances)
+* [EC2 Instance Not In Public Subnet](#EC2-Instance-Not-In-Public-Subnet)
+* [Unused EC2 Reserved Instances](#Unused-EC2-Reserved-Instances)
+* [Total Number of EC2 Instances](#Total-Number-of-EC2-Instances)
+* [EC2 Instance Type Generation](#EC2-Instance-Type-Generation)
+* [Instance In Auto Scaling Group](#Instance-In-Auto-Scaling-Group)
+* [EC2 Platform](#EC2-Platform)
+* [EC2 Instance Limit](#EC2-Instance-Limit)
+* [EC2 Instance Naming Conventions](#EC2-Instance-Naming-Conventions)
+* [EC2 Instances with Scheduled Events](#EC2-Instances-with-Scheduled-Events)
+* [EC2 Instance Security Group Rules Count](#EC2-Instance-Security-Group-Rules-Count)
+* [EC2 Instance Tenancy Type](#EC2-Instance-Tenancy-Type)
+* [EC2 Instance Termination Protection](#EC2-Instance-Termination-Protection)
+* [EC2 Instance Age](#EC2-Instance-Age)
+* [EC2 Instance IAM Roles](#EC2-Instance-IAM-Roles)
+* [Overutilized EC2 Instances](#Overutilized-EC2-Instances)
+* [Publicly Shared AMIs](#Publicly-Shared-AMIs)
+* [EC2 Reserved Instance Lease Expiration](#EC2-Reserved-Instance-Lease-Expiration)
+* [EC2 Security Groups Count](#EC2-Security-Groups-Count)
+* [EC2 Security Group Port Range](#EC2-Security-Group-Port-Range)
+* [Underutilized EC2 Instances](#Underutilized-EC2-Instances)
+* [EC2 Security Group Unrestricted Access](#EC2-Security-Group-Unrestricted-Access)
+* [Unrestricted CIFS Access](#Unrestricted-CIFS-Access)
+* [Unrestricted DNS Access](#Unrestricted-DNS-Access)
+* [Unrestricted ElasticSearch Access](#Unrestricted-ElasticSearch-Access)
+* [Unrestricted FTP Access](#Unrestricted-FTP-Access)
+* [Unrestricted HTTP Access](#Unrestricted-HTTP-Access)
+* [Unrestricted HTTPS Access](#Unrestricted-HTTPS-Access)
+* [Unrestricted ICMP Access](#Unrestricted-ICMP-Access)
+* [Unrestricted Inbound Access on Uncommon Ports](#Unrestricted-Inbound-Access-on-Uncommon-Ports)
+* [Unrestricted MongoDB Access](#Unrestricted-MongoDB-Access)
+* [Unrestricted MSSQL Database Access](#Unrestricted-MSSQL-Database-Access)
+* [Unrestricted MySQL Database Access](#Unrestricted-MySQL-Database-Access)
+* [Unrestricted NetBIOS Access](#Unrestricted-NetBIOS-Access)
+* [Unrestricted Oracle Database Access](#Unrestricted-Oracle-Database-Access)
+* [Unrestricted Outbound Access on All Ports](#Unrestricted-Outbound-Access-on-All-Ports)
+* [Unrestricted PostgreSQL Database Access](#Unrestricted-PostgreSQL-Database-Access)
+* [Unrestricted RDP Access](#Unrestricted-RDP-Access)
+* [Unrestricted RPC Access](#Unrestricted-RPC-Access)
+* [Unrestricted SMTP Access](#Unrestricted-SMTP-Access)
+* [Unrestricted SSH Access](#Unrestricted-SSH-Access)
+* [Unrestricted Telnet Access](#Unrestricted-Telnet-Access)
+* [Unused Elastic Network Interfaces](#Unused-Elastic-Network-Interfaces)
+* [Unused EC2 Key Pairs](#Unused-EC2-Key-Pairs)
+* [EC2-VPC Elastic IP Address Limit](#EC2-VPC-Elastic-IP-Address-Limit)
+* [Publicly Shared Web-Tier AMIs](#Publicly-Shared-Web-Tier-AMIs)
+* [Web-Tier EC2 Instances Without Elastic or Public IP Addresses](#Web-Tier-EC2-Instances-Without-Elastic-or-Public-IP-Addresses)
+* [Check web-tier ELB subnet connectivity to Internet Gateway](#Check-web-tier-ELB-subnet-connectivity-to-Internet-Gateway)
+* [Attach Policy to IAM Roles Associated with Web-Tier EC2 Instances](#Attach-Policy-to-IAM-Roles-Associated-with-Web-Tier-EC2-Instances)
+* [IAM Roles for Web-Tier EC2 Instances](#IAM-Roles-for-Web-Tier-EC2-Instances)
+* [Create and Configure Web-Tier Security Group](#Create-and-Configure-Web-Tier-Security-Group)
+* [Check web-tier subnet connectivity to VPC NAT Gateway](#Check-web-tier-subnet-connectivity-to-VPC-NAT-Gateway)
+
 ### Enable EBS Encryption
 **Risk**: High  
 **Description**: With encryption enabled, your EBS volumes can hold very sensitive and critical data.  
@@ -761,6 +907,9 @@ EC2
 
 # ECR
 
+* [ECR Unknown Cross Account Access](#ECR-Unknown-Cross-Account-Access)
+* [Check for Exposed ECR Repositories](#Check-for-Exposed-ECR-Repositories)
+
 ### ECR Unknown Cross Account Access
 **Risk**: High  
 **Description**: Ensure that ECR repositories are configured to allow access only to trusted AWS accounts in order to protect against unauthorized cross account entities.  
@@ -775,6 +924,9 @@ EC2
 
 # EFS
 
+* [KMS Customer Master Keys for EFS Encryption](#KMS-Customer-Master-Keys-for-EFS-Encryption)
+* [Enable EFS Encryption](#Enable-EFS-Encryption)
+
 ### KMS Customer Master Keys for EFS Encryption
 **Risk**: High  
 **Description**: Ensure that EFS file systems are encrypted using KMS CMK customer-managed keys instead of AWS managed-keys (default keys used by the EFS service when there are no customer keys defined) in order to have more granular   control over your data-at-rest encryption/decryption process.
@@ -790,6 +942,21 @@ EC2
 
 # ElasticSearch
 
+* [ElasticSearch Cluster Status](#ElasticSearch-Cluster-Status)
+* [ElasticSearch Instance Type](#ElasticSearch-Instance-Type)
+* [ElasticSearch Domain Encrypted with KMS CMKs](#ElasticSearch-Domain-Encrypted-with-KMS-CMKs)
+* [ElasticSearch Unknown Cross Account Access](#ElasticSearch-Unknown-Cross-Account-Access)
+* [ElasticSearch Exposed Domains](#ElasticSearch-Exposed-Domains)
+* [ElasticSearch Domain IP-Based Access](#ElasticSearch-Domain-IP-Based-Access)
+* [ElasticSearch General Purpose SSD Node Type](#ElasticSearch-General-Purpose-SSD-Node-Type)
+* [ElasticSearch Version](#ElasticSearch-Version)
+* [Enable ElasticSearch Zone Awareness](#Enable-ElasticSearch-Zone-Awareness)
+* [Enable ElasticSearch Encryption At Rest](#Enable-ElasticSearch-Encryption-At-Rest)
+* [ElasticSearch Free Storage Space](#ElasticSearch-Free-Storage-Space)
+* [Total Number of ElasticSearch Instances](#Total-Number-of-ElasticSearch-Instances)
+* [Enable ElasticSearch Node-to-Node Encryption](#Enable-ElasticSearch-Node-to-Node-Encryption)
+* [Enable ElasticSearch Slow Logs](#Enable-ElasticSearch-Slow-Logs)
+
 ### ElasticSearch Cluster Status
 **Risk**: High  
 **Description**: Ensure that ElasticSearch clusters are healthy.  
@@ -863,6 +1030,36 @@ EC2
 
 # ELB
 
+* [Enable HTTPS/SSL Listener for App-Tier ELBs](#Enable-HTTPS/SSL-Listener-for-App-Tier-ELBs)
+* [Enable Latest SSL Security Policy for App-Tier ELBs](#Enable-Latest-SSL-Security-Policy-for-App-Tier-ELBs)
+* [Add SSL/TLS Server Certificates to App-Tier ELBs](#Add-SSL/TLS-Server-Certificates-to-App-Tier-ELBs)
+* [App-Tier ELBs Health Check](#App-Tier-ELBs-Health-Check)
+* [Enable ELB Access Logging](#Enable-ELB-Access-Logging)
+* [AWS Classic Load Balancer](#AWS-Classic-Load-Balancer)
+* [Connection Draining Enabled](#Connection-Draining-Enabled)
+* [Enable ELB Cross-Zone Load Balancing](#Enable-ELB-Cross-Zone-Load-Balancing)
+* [ELB insecure SSL ciphers](#ELB-insecure-SSL-ciphers)
+* [ELB insecure SSL protocols](#ELB-insecure-SSL-protocols)
+* [ELB Listener Security](#ELB-Listener-Security)
+* [ELB minimum number of EC2 instances](#ELB-minimum-number-of-EC2-instances)
+* [ELB Security Group](#ELB-Security-Group)
+* [ELB Security Policy](#ELB-Security-Policy)
+* [Remove unused ELBs](#Remove-unused-ELBs)
+* [ELB Instances Distribution Across Availability Zones](#ELB-Instances-Distribution-Across-Availability-Zones)
+* [Review AWS Internet Facing Load Balancers](#Review-AWS-Internet-Facing-Load-Balancers)
+* [Enable HTTPS/SSL Listener for Web-Tier ELBs](#Enable-HTTPS/SSL-Listener-for-Web-Tier-ELBs)
+* [Enable Latest SSL Security Policy for Web-Tier ELBs](#Enable-Latest-SSL-Security-Policy-for-Web-Tier-ELBs)
+* [Add SSL/TLS Server Certificates to Web-Tier ELBs](#Add-SSL/TLS-Server-Certificates-to-Web-Tier-ELBs)
+* [Web-Tier ELBs Health Check](#Web-Tier-ELBs-Health-Check)
+* [Enable ALB (ELBv2)-Access-Logging](#Enable-ALB-(ELBv2)-Access-Logging)
+* [Enable Elastic Load Balancing Deletion Protection](#Enable-Elastic-Load-Balancing-Deletion-Protection)
+* [ELBv2 Instances Distribution Across Availability Zones](#ELBv2-Instances-Distribution-Across-Availability-Zones)
+* [ALB (ELBv2)-Listener-Security](#ALB-(ELBv2)-Listener-Security)
+* [Minimum Number of EC2 Target Instances](#Minimum-Number-of-EC2-Target-Instances)
+* [ELBv2 Security Groups](#ELBv2-Security-Groups)
+* [ALB (ELBv2)-Security-Policy](#ALB-(ELBv2)-Security-Policy)
+* [Unused ELBs (ELBv2)](#Unused-ELBs-(ELBv2))
+
 ### Enable HTTPS/SSL Listener for App-Tier ELBs
 **Risk**: High  
 **Description**: Ensure that app-tier ELB listeners are using the HTTPS/SSL protocol to encrypt the communication between your application clients and the load balancer.   
@@ -1012,6 +1209,12 @@ ELBv2
 
 # EMR
 
+* [EMR Cluster In VPC](#EMR-Cluster-In-VPC)
+* [EMR Desired Instance Type](#EMR-Desired-Instance-Type)
+* [EMR Instance Type Generation](#EMR-Instance-Type-Generation)
+* [Enable EMR In-Transit and At-Rest Encryption](#Enable-EMR-In-Transit-and-At-Rest-Encryption)
+* [Total Number of EMR Instances](#Total-Number-of-EMR-Instances)
+
 ### EMR Cluster In VPC
 **Risk**: Medium  
 **Description**: Ensure that EMR clusters are provisioned using the EC2-VPC platform instead of EC2-Classic platform (outdated from 2013.12.04) for better flexibility and control over security, better traffic routing and availability.  
@@ -1040,6 +1243,10 @@ ELBv2
 
 # GuardDuty
 
+* [GuardDuty Findings](#GuardDuty-Findings)
+* [Monitor GuardDuty Configuration Changes](#Monitor-GuardDuty-Configuration-Changes)
+* [GuardDuty In Use](#GuardDuty-In-Use)
+
 ### GuardDuty Findings
 **Risk**: Medium  
 **Description**: Check for GuardDuty findings and resolve them step by step to ensure that AWS infrastructure is protected against security threats.   
@@ -1058,6 +1265,8 @@ ELBv2
 
 # Health
 
+* [AWS Health](#AWS-Health)
+
 ### AWS Health
 **Risk**: Medium  
 **Description**: Provides ongoing visibility into the health state of your AWS resources and services in order to keep you fully aware of what is happening in your AWS account from the availability and performance standpoint.  
@@ -1066,6 +1275,42 @@ ELBv2
 
 # IAM
 
+* [Unused IAM Access Keys](#Unused-IAM-Access-Keys)
+* [IAM Access Keys Rotation](#IAM-Access-Keys-Rotation)
+* [Unnecessary IAM Access Keys](#Unnecessary-IAM-Access-Keys)
+* [Enable Security Challenge Questions for your Account](#Enable-Security-Challenge-Questions-for-your-Account)
+* [Attach Policy to IAM Roles Associated with App-Tier EC2 Instances](#Attach-Policy-to-IAM-Roles-Associated-with-App-Tier-EC2-Instances)
+* [SSL/TLS Certificate Renewal](#SSL/TLS-Certificate-Renewal)
+* [Server Certificate Signature Algorithm](#Server-Certificate-Signature-Algorithm)
+* [IAM Server Certificate Size](#IAM-Server-Certificate-Size)
+* [Deprecated AWS Managed Policies In Use](#Deprecated-AWS-Managed-Policies-In-Use)
+* [IAM Users Unauthorized to Edit Access Policies](#IAM-Users-Unauthorized-to-Edit-Access-Policies)
+* [IAM Users with Admin Privileges](#IAM-Users-with-Admin-Privileges)
+* [Detect IAM Configuration Changes](#Detect-IAM-Configuration-Changes)
+* [IAM Group with Administrator Privileges In Use](#IAM-Group-with-Administrator-Privileges-In-Use)
+* [Unused IAM Groups](#Unused-IAM-Groups)
+* [Remove IAM Policies with Full Administrative Privileges](#Remove-IAM-Policies-with-Full-Administrative-Privileges)
+* [IAM Customer Managed Policy with Administrative Permissions In Use](#IAM-Customer-Managed-Policy-with-Administrative-Permissions-In-Use)
+* [IAM Role Policy Too Permissive](#IAM-Role-Policy-Too-Permissive)
+* [IAM User Present](#IAM-User-Present)
+* [Inactive IAM Users](#Inactive-IAM-Users)
+* [Unused IAM Users](#Unused-IAM-Users)
+* [IAM Users with Password and Access Keys](#IAM-Users-with-Password-and-Access-Keys)
+* [Valid IAM Identity Providers](#Valid-IAM-Identity-Providers)
+* [MFA Device Deactivated for IAM Users](#MFA-Device-Deactivated-for-IAM-Users)
+* [Enable MFA for IAM Users](#Enable-MFA-for-IAM-Users)
+* [IAM Master and IAM Manager Roles](#IAM-Master-and-IAM-Manager-Roles)
+* [IAM Password Expiry](#IAM-Password-Expiry)
+* [IAM Password Policy](#IAM-Password-Policy)
+* [Root Account Access Keys](#Root-Account-Access-Keys)
+* [Root Account Credentials Usage](#Root-Account-Credentials-Usage)
+* [Root Account Active Signing Certificates](#Root-Account-Active-Signing-Certificates)
+* [Enable Hardware MFA for Root Account](#Enable-Hardware-MFA-for-Root-Account)
+* [Enable MFA for Root Account](#Enable-MFA-for-Root-Account)
+* [IAM SSH Public Keys Rotation (90-Days)](#IAM-SSH-Public-Keys-Rotation-(90-Days))
+* [Unnecessary IAM SSH Public Keys](#Unnecessary-IAM-SSH-Public-Keys)
+* [IAM Support Role](#IAM-Support-Role)
+
 ### Unused IAM Access Keys
 **Risk**: Medium  
 **Description**: Identify and remove any unused IAM access keys in order to protect your AWS resources against unapproved access. An IAM user access key pair is rendered as unused when is not being used for a specified period of time.  
@@ -1241,6 +1486,8 @@ ELBv2
 
 # Inspector
 
+* [AWS Inspector Findings](#AWS-Inspector-Findings)
+
 ### AWS Inspector Findings
 **Risk**: Medium  
 **Description**: Check for AWS Inspector Findings and resolve them step by step to ensure that systems are configured securely.   
@@ -1250,6 +1497,19 @@ ELBv2
 
 # KMS
 
+* [App-Tier Customer Master Key In Use](#App-Tier-Customer-Master-Key-In-Use)
+* [KMS Customer Master Key In Use](#KMS-Customer-Master-Key-In-Use)
+* [Database Tier Customer Master Key In Use](#Database-Tier-Customer-Master-Key-In-Use)
+* [Default KMS Key Usage](#Default-KMS-Key-Usage)
+* [Disabled KMS keys](#Disabled-KMS-keys)
+* [Monitor KMS Configuration Changes](#Monitor-KMS-Configuration-Changes)
+* [KMS Unknown Cross Account Access](#KMS-Unknown-Cross-Account-Access)
+* [KMS Exposed Keys](#KMS-Exposed-Keys)
+* [Recover KMS Customer Master Keys](#Recover-KMS-Customer-Master-Keys)
+* [Enable KMS Key Rotation](#Enable-KMS-Key-Rotation)
+* [Remove unused KMS keys](#Remove-unused-KMS-keys)
+* [Web-Tier Customer Master Key In Use](#Web-Tier-Customer-Master-Key-In-Use)
+
 ### App-Tier Customer Master Key In Use
 **Risk**: High  
 **Description**: Ensure there is one KMS Customer Master Key created in your AWS account for the app tier in order to protect data that transits your AWS application stack, have full control over encryption process, and meet security   and compliance requirements. 
@@ -1314,11 +1574,16 @@ ELBv2
 
 # Lambda
 
+* [Exposed Lambda Functions](#Exposed-Lambda-Functions)
+* [Lambda Functions with Admin Privileges](#Lambda-Functions-with-Admin-Privileges)
+* [Lambda Unknown Cross Account Access](#Lambda-Unknown-Cross-Account-Access)
+* [Lambda Runtime Environment Version](#Lambda-Runtime-Environment-Version)
+* [An IAM role for a Lambda Function](#An-IAM-role-for-a-Lambda-Function)
+
 ### Exposed Lambda Functions
 **Risk**: High  
 **Description**: Identify any publicly accessible Lambda functions and update their access policy in order to protect against unauthorized users that are sending requests to invoke these functions.  
 **Resolution**: Update the access policies (also known as resource-based policies) associated with your Lambda functions in order to allow function invocation only from trusted AWS entities.  
-
 
 ### Lambda Functions with Admin Privileges
 **Risk**: Medium  
@@ -1344,6 +1609,10 @@ ELBv2
 
 # Organizations
 
+* [Monitor AWS Org. Configuration Changes](#Monitor-AWS-Org.-Configuration-Changes)
+* [Enable All Features](#Enable-All-Features)
+* [AWS Organizations In Use](#AWS-Organizations-In-Use)
+
 ### Monitor AWS Org. Configuration Changes
 **Risk**: High  
 **Description**: Monitor AWS Organizations Configuration Changes.   
@@ -1361,6 +1630,41 @@ ELBv2
 
 # RDS
 
+* [Aurora Database Instance Accessibility](#Aurora-Database-Instance-Accessibility)
+* [RDS Auto Minor Version Upgrade](#RDS-Auto-Minor-Version-Upgrade)
+* [Enable RDS Automated Backups](#Enable-RDS-Automated-Backups)
+* [Enable RDS Deletion Protection](#Enable-RDS-Deletion-Protection)
+* [Enable RDS Encryption](#Enable-RDS-Encryption)
+* [RDS Free Storage Space](#RDS-Free-Storage-Space)
+* [Enable IAM Database Authentication](#Enable-IAM-Database-Authentication)
+* [Total Number of Provisioned RDS Instances](#Total-Number-of-Provisioned-RDS-Instances)
+* [RDS Multi-AZ](#RDS-Multi-AZ)
+* [Overutilized RDS Instances](#Overutilized-RDS-Instances)
+* [Publicly Accessible RDS Instances](#Publicly-Accessible-RDS-Instances)
+* [Use Data-Tier Security Group for RDS Databases](#Use-Data-Tier-Security-Group-for-RDS-Databases)
+* [RDS Database Default Port](#RDS-Database-Default-Port)
+* [Use KMS Customer Master Keys for RDS encryption](#Use-KMS-Customer-Master-Keys-for-RDS-encryption)
+* [RDS General Purpose SSD Storage Type](#RDS-General-Purpose-SSD-Storage-Type)
+* [RDS Instance Not In Public Subnet](#RDS-Instance-Not-In-Public-Subnet)
+* [RDS Database Master Username](#RDS-Database-Master-Username)
+* [RDS Public Snapshots](#RDS-Public-Snapshots)
+* [RDS Sufficient Backup Retention Period](#RDS-Sufficient-Backup-Retention-Period)
+* [Enable RDS Transport Encryption](#Enable-RDS-Transport-Encryption)
+* [Underutilized RDS Instances](#Underutilized-RDS-Instances)
+* [Unrestricted RDS DB Security Group](#Unrestricted-RDS-DB-Security-Group)
+* [Enable Route 53 Domain Auto Renew](#Enable-Route-53-Domain-Auto-Renew)
+* [Create DNS Alias Record for Root Domain](#Create-DNS-Alias-Record-for-Root-Domain)
+* [Remove Route 53 Dangling DNS Records](#Remove-Route-53-Dangling-DNS-Records)
+* [Expired Route 53 Domain Names](#Expired-Route-53-Domain-Names)
+* [Route 53 Domain Name Renewal](#Route-53-Domain-Name-Renewal)
+* [Enable Privacy Protection for Route 53 Domains](#Enable-Privacy-Protection-for-Route-53-Domains)
+* [Root Domain Alias Records that Point to ELB](#Root-Domain-Alias-Records-that-Point-to-ELB)
+* [Monitor Route 53 Configuration Changes](#Monitor-Route-53-Configuration-Changes)
+* [Route 53 DNS In Use](#Route-53-DNS-In-Use)
+* [Route 53 SPF DNS Records](#Route-53-SPF-DNS-Records)
+* [Enable Route 53 Domain Transfer Lock](#Enable-Route-53-Domain-Transfer-Lock)
+* [Monitor Route 53 Domains Configuration Changes](#Monitor-Route-53-Domains-Configuration-Changes)
+
 ### Aurora Database Instance Accessibility
 **Risk**: Medium  
 **Description**: Ensure that all the database instances in your Aurora clusters have the same accessibility (either public or private) in order to follow AWS best-practices.  
@@ -1537,6 +1841,29 @@ Route53Domains
 
 # ResourceGroup
 
+* [Use tags to organize AWS resources](#Use-tags-to-organize-AWS-resources)
+* [S3 Bucket Authenticated ‘FULL_CONTROL’ Access](#S3-Bucket-Authenticated-‘FULL_CONTROL’-Access)
+* [S3 Bucket Authenticated ‘READ’ Access](#S3-Bucket-Authenticated-‘READ’-Access)
+* [S3 Bucket Authenticated ‘READ_ACP’ Access](#S3-Bucket-Authenticated-‘READ_ACP’-Access)
+* [S3 Bucket Authenticated ‘WRITE’ Access](#S3-Bucket-Authenticated-‘WRITE’-Access)
+* [S3 Bucket Authenticated ‘WRITE_ACP’ Access](#S3-Bucket-Authenticated-‘WRITE_ACP’-Access)
+* [Enable S3 Bucket Default Encryption](#Enable-S3-Bucket-Default-Encryption)
+* [Enable Access Logging for S3 Buckets](#Enable-Access-Logging-for-S3-Buckets)
+* [Enable MFA Delete for S3 Buckets](#Enable-MFA-Delete-for-S3-Buckets)
+* [S3 Bucket Public Access Via Policy](#S3-Bucket-Public-Access-Via-Policy)
+* [Publicly Accessible S3 Buckets](#Publicly-Accessible-S3-Buckets)
+* [S3 Bucket Public ‘READ’ Access](#S3-Bucket-Public-‘READ’-Access)
+* [S3 Bucket Public ‘READ_ACP’ Access](#S3-Bucket-Public-‘READ_ACP’-Access)
+* [S3 Bucket Public ‘WRITE’ Access](#S3-Bucket-Public-‘WRITE’-Access)
+* [S3 Bucket Public ‘WRITE_ACP’ Access](#S3-Bucket-Public-‘WRITE_ACP’-Access)
+* [Enable Versioning for S3 Buckets](#Enable-Versioning-for-S3-Buckets)
+* [Review S3 Buckets with Website Configuration Enabled](#Review-S3-Buckets-with-Website-Configuration-Enabled)
+* [Detect S3 Configuration Changes](#Detect-S3-Configuration-Changes)
+* [S3 Unknown Cross Account Access](#S3-Unknown-Cross-Account-Access)
+* [Secure Transport](#Secure-Transport)
+* [Server-Side Encryption](#Server-Side-Encryption)
+* [Limit S3 Bucket Access by IP Address](#Limit-S3-Bucket-Access-by-IP-Address)
+
 ### Use tags to organize AWS resources
 **Risk**: Low  
 **Description**: Ensure that user-defined tags (metadata) are being used for labeling, collecting and organizing resources available in your AWS environment.   
@@ -1650,6 +1977,11 @@ S3
 
 # SES
 
+* [Enable DKIM for SES](#Enable-DKIM-for-SES)
+* [Unknown Cross-Account Access](#Unknown-Cross-Account-Access)
+* [Exposed SES Identities](#Exposed-SES-Identities)
+* [SES Identity Verification Status](#SES-Identity-Verification-Status)
+
 ### Enable DKIM for SES
 **Risk**: Low  
 **Description**: Ensure DKIM feature is enabled in your SES settings to protect both email senders and receivers against phishing attacks by using DKIM-signature headers to make sure that each message sent is authentic.  
@@ -1674,6 +2006,8 @@ S3
 
 # Shield
 
+* [AWS Shield In Use](#AWS-Shield-In-Use)
+
 ### AWS Shield In Use
 **Risk**: Medium  
 **Description**: Ensure that Shield service is currently in use in order to protect your AWS-powered web applications from Distributed Denial of Service (DDoS) attacks that can affect the application’s availability and response time   by overwhelming (flooding) them with traffic from multiple sources. 
@@ -1683,6 +2017,9 @@ S3
 
 # TrustedAdvisor
 
+* [Trusted Advisor Checks](#Trusted-Advisor-Checks)
+* [Exposed IAM Access Keys](#Exposed-IAM-Access-Keys)
+
 ### Trusted Advisor Checks
 **Risk**: Medium  
 **Description**: Ensure that all Trusted Advisor checks found in your AWS account are inspected and resolved.   
@@ -1697,6 +2034,29 @@ S3
 
 # VPC
 
+* [Allocate Elastic IPs for NAT Gateways](#Allocate-Elastic-IPs-for-NAT-Gateways)
+* [Create App-Tier VPC Subnets](#Create-App-Tier-VPC-Subnets)
+* [Create Data-Tier VPC Subnets](#Create-Data-Tier-VPC-Subnets)
+* [Default VPC In Use](#Default-VPC-In-Use)
+* [Unused VPC Internet Gateways](#Unused-VPC-Internet-Gateways)
+* [Use Managed NAT Gateway for VPC](#Use-Managed-NAT-Gateway-for-VPC)
+* [Create NAT Gateways in at Least Two Availability Zones](#Create-NAT-Gateways-in-at-Least-Two-Availability-Zones)
+* [Ineffective Network ACL DENY Rules](#Ineffective-Network-ACL-DENY-Rules)
+* [Unrestricted Network ACL Inbound Traffic](#Unrestricted-Network-ACL-Inbound-Traffic)
+* [Unrestricted Network ACL Outbound Traffic](#Unrestricted-Network-ACL-Outbound-Traffic)
+* [Create Route Table for Private Subnets](#Create-Route-Table-for-Private-Subnets)
+* [Create Route Table for Public Subnets](#Create-Route-Table-for-Public-Subnets)
+* [Enable Flow Logs for VPC Subnets](#Enable-Flow-Logs-for-VPC-Subnets)
+* [VPC Endpoint Unknown Cross Account Access](#VPC-Endpoint-Unknown-Cross-Account-Access)
+* [VPC Exposed Endpoints](#VPC-Exposed-Endpoints)
+* [VPC Endpoints In Use](#VPC-Endpoints-In-Use)
+* [Enable VPC Flow Logs](#Enable-VPC-Flow-Logs)
+* [VPC Naming Conventions](#VPC-Naming-Conventions)
+* [VPC Peering Connection Configuration](#VPC-Peering-Connection-Configuration)
+* [Unused Virtual Private Gateways](#Unused-Virtual-Private-Gateways)
+* [Create Web-Tier ELB Subnets](#Create-Web-Tier-ELB-Subnets)
+* [Create Web-Tier VPC Subnets](#Create-Web-Tier-VPC-Subnets)
+
 ### Allocate Elastic IPs for NAT Gateways
 **Risk**: Medium  
 **Description**: Ensure that an Elastic IP is allocated for each NAT gateway that you want to deploy in your AWS account.   

diff --git a/aws_sercurity_test.md b/aws_sercurity_test.md
@@ -33,9 +33,9 @@
 
 # ACM
 
-* [Expired ACM Certificates](Expired-ACM-Certificates)
-* [ACM Certificates Renewal](ACM-Certificates-Renewal)
-* [ACM Certificates Validity](ACM-Certificates-Validity)
+* [Expired ACM Certificates](#Expired-ACM-Certificates)
+* [ACM Certificates Renewal](#ACM-Certificates-Renewal)
+* [ACM Certificates Validity](#ACM-Certificates-Validity)
 
 ### Expired ACM Certificates
 **Risk**: High  

diff --git a/aws_sercurity_test.md b/aws_sercurity_test.md
@@ -33,9 +33,9 @@
 
 # ACM
 
-1. [Expired ACM Certificates](Expired-ACM-Certificates)
-1. [ACM Certificates Renewal](ACM-Certificates-Renewal)
-1. [ACM Certificates Validity](ACM-Certificates-Validity)
+* [Expired ACM Certificates](Expired-ACM-Certificates)
+* [ACM Certificates Renewal](ACM-Certificates-Renewal)
+* [ACM Certificates Validity](ACM-Certificates-Validity)
 
 ### Expired ACM Certificates
 **Risk**: High  

diff --git a/aws_sercurity_test.md b/aws_sercurity_test.md
@@ -1,378 +1,42 @@
 # Table of Contents
 
 1. [ACM](ACM)  
-    - [Expired ACM Certificates](Expired-ACM-Certificates)  
-    - [ACM Certificates Renewal](ACM-Certificates-Renewal)  
-    - [ACM Certificates Validity](ACM-Certificates-Validity)  
 1. [API Gateway](API-Gateway)  
-    - [Enable CloudWatch Logs for APIs](Enable-CloudWatch-Logs-for-APIs)  
-    - [Enable Detailed CloudWatch Metrics for APIs](Enable-Detailed-CloudWatch-Metrics-for-APIs)  
-    - [API Gateway Private Endpoints](API-Gateway-Private-Endpoints)  
 1. [AutoScaling](AutoScaling)  
-    - [ASG Cooldown Period](ASG-Cooldown-Period)  
-    - [Enable ASG Notifications](Enable-ASG-Notifications)  
-    - [App-Tier ASGs with Associated ELB](App-Tier-ASGs-with-Associated-ELB)  
-    - [CloudWatch Logs Agent for App-Tier ASG In Use](CloudWatch-Logs-Agent-for-App-Tier-ASG-In-Use)  
-    - [IAM Roles for App-Tier ASG Launch Configurations](IAM-Roles-for-App-Tier-ASG-Launch-Configurations)  
-    - [Use Approved AMIs for App-Tier ASG Launch Configurations](Use-Approved-AMIs-for-App-Tier-ASG-Launch-Configurations)  
-    - [Auto Scaling Group Referencing Missing ELB](Auto-Scaling-Group-Referencing-Missing-ELB)  
-    - [Empty Auto Scaling Groups](Empty-Auto-Scaling-Groups)  
-    - [Launch Configuration Referencing Missing AMI](Launch-Configuration-Referencing-Missing-AMI)  
-    - [Launch Configuration Referencing Missing Security Group](Launch-Configuration-Referencing-Missing-Security-Group)  
-    - [Unused Launch Configuration Templates](Unused-Launch-Configuration-Templates)  
-    - [Multi-AZ Auto Scaling Groups](Multi-AZ-Auto-Scaling-Groups)  
-    - [Same ELB Availability Zones](Same-ELB-Availability-Zones)  
-    - [Suspended Auto Scaling Group Processes](Suspended-Auto-Scaling-Group-Processes)  
-    - [Web-Tier Auto Scaling Groups with Associated ELBs](Web-Tier-Auto-Scaling-Groups-with-Associated-ELBs)  
-    - [Use Approved AMIs for Web-Tier ASG Launch Configurations](Use-Approved-AMIs-for-Web-Tier-ASG-Launch-Configurations)  
 1. [CloudFront](CloudFront)  
-    - [CloudFront CDN In Use](CloudFront-CDN-In-Use)  
-    - [CloudFront WAF Integration](CloudFront-WAF-Integration)  
-    - [Enable Origin Access Identity for CloudFront Distributions with S3 Origin](Enable-Origin-Access-Identity-for-CloudFront-Distributions-with-S3-Origin)  
-    - [CloudFront Origin Insecure SSL Protocols](CloudFront-Origin-Insecure-SSL-Protocols)  
-    - [CloudFront Security Policy](CloudFront-Security-Policy)  
-    - [Unencrypted CloudFront Traffic](Unencrypted-CloudFront-Traffic)  
-    - [Use Cloudfront CDN](Use-Cloudfront-CDN)  
 1. [CloudTrail](CloudTrail)  
-    - [Enable access logging for CloudTrail buckets](Enable-access-logging-for-CloudTrail-buckets)  
-    - [Enable MFA Delete for CloudTrail bucket](Enable-MFA-Delete-for-CloudTrail-bucket)  
-    - [CloudTrail insecure buckets](CloudTrail-insecure-buckets)  
-    - [Monitor CloudTrail Configuration Changes](Monitor-CloudTrail-Configuration-Changes)  
-    - [Enable CloudTrail integration with CloudWatch](Enable-CloudTrail-integration-with-CloudWatch)  
-    - [Enable CloudTrail log file integrity validation](Enable-CloudTrail-log-file-integrity-validation)  
-    - [Enable CloudTrail log files encryption](Enable-CloudTrail-log-files-encryption)  
-    - [CloudTrail Log Files Delivery Failing](CloudTrail-Log-Files-Delivery-Failing)  
 1. [CloudWatch](CloudWatch)  
-    - [Enable AWS Billing Alerts](Enable-AWS-Billing-Alerts)  
-    - [Enable CloudWatch Billing Alarm](Enable-CloudWatch-Billing-Alarm)  
-    - [Exposed CloudWatch Event Bus](Exposed-CloudWatch-Event-Bus)  
-    - [CloudWatch Events In Use](CloudWatch-Events-In-Use)  
-    - [Alarm for Config Changes](Alarm-for-Config-Changes)  
-    - [Alarm for Organizations Changes](Alarm-for-Organizations-Changes)  
-    - [Alarm for multiple Sign-in Failures](Alarm-for-multiple-Sign-in-Failures)  
-    - [Monitor for AWS Console Sign-In Requests Without MFA](Monitor-for-AWS-Console-Sign-In-Requests-Without-MFA)  
-    - [Alarm for EC2 Instance Changes](Alarm-for-EC2-Instance-Changes)  
-    - [Alarm for EC2 Large Instance Changes](Alarm-for-EC2-Large-Instance-Changes)  
-    - [Alarm for Root Account Usage](Alarm-for-Root-Account-Usage)  
-    - [Alarm for S3 Bucket Changes](Alarm-for-S3-Bucket-Changes)  
 1. [Config](Config)  
-    - [Monitor AWS Config configuration changes](Monitor-AWS-Config-configuration-changes)  
-    - [Enable AWS Config](Enable-AWS-Config)  
-    - [AWS Config Referencing Missing S3 Bucket](AWS-Config-Referencing-Missing-S3-Bucket)  
-    - [AWS Config Referencing Missing SNS Topic](AWS-Config-Referencing-Missing-SNS-Topic)  
-    - [AWS Config Log Files Delivery Failing](AWS-Config-Log-Files-Delivery-Failing)  
-    - [Include Global Resources into AWS Config Settings](Include-Global-Resources-into-AWS-Config-Settings)  
 1. [DynamoDB](DynamoDB)  
-    - [Enable DynamoDB Auto Scaling](Enable-DynamoDB-Auto-Scaling)  
-    - [DynamoDB Backup and Restore](DynamoDB-Backup-and-Restore)  
-    - [Enable DynamoDB Continuous Backups](Enable-DynamoDB-Continuous-Backups)  
-    - [DynamoDB Server-Side Encryption](DynamoDB-Server-Side-Encryption)  
 1. [EBS](EBS)  
-    - [Enable EBS Encryption](Enable-EBS-Encryption)  
-    - [Use KMS Customer Master Keys for EBS encryption](Use-KMS-Customer-Master-Keys-for-EBS-encryption)  
-    - [EBS Volume Naming Conventions](EBS-Volume-Naming-Conventions)  
-    - [EBS Public Snapshots](EBS-Public-Snapshots)  
-    - [EBS volumes recent snapshots](EBS-volumes-recent-snapshots)  
-    - [Remove EBS old snapshots](Remove-EBS-old-snapshots)  
-    - [Remove Unattached EC2 EBS volumes](Remove-Unattached-EC2-EBS-volumes)  
-    - [Enable EBS Snapshot Encryption](Enable-EBS-Snapshot-Encryption)  
-    - [EBS Volumes Attached to Stopped EC2 Instances](EBS-Volumes-Attached-to-Stopped-EC2-Instances)  
-    - [Approved/Golden AMI](Approved/Golden-AMI)  
-    - [AWS Blacklisted AMI](AWS-Blacklisted-AMI)  
-    - [Enable AMI Encryption](Enable-AMI-Encryption)  
-    - [AMI Naming Conventions](AMI-Naming-Conventions)  
-    - [Check for AMI Age](Check-for-AMI-Age)  
-    - [Unused AMI](Unused-AMI)  
-    - [Unassociated Elastic IP Addresses](Unassociated-Elastic-IP-Addresses)  
-    - [Publicly Shared App-Tier AMIs](Publicly-Shared-App-Tier-AMIs)  
-    - [App-Tier EC2 Instances Without Elastic or Public IP Addresses](App-Tier-EC2-Instances-Without-Elastic-or-Public-IP-Addresses)  
-    - [Check app-tier ELB subnet connectivity to Internet Gateway](Check-app-tier-ELB-subnet-connectivity-to-Internet-Gateway)  
-    - [IAM Roles for App-Tier EC2 Instances](IAM-Roles-for-App-Tier-EC2-Instances)  
-    - [Create and Configure App-Tier Security Group](Create-and-Configure-App-Tier-Security-Group)  
-    - [EC2 Instances Distribution Across Availability Zones](EC2-Instances-Distribution-Across-Availability-Zones)  
-    - [EC2-Classic Elastic IP Address Limit](EC2-Classic-Elastic-IP-Address-Limit)  
-    - [Data-Tier Instances Without Elastic or Public IP Addresses](Data-Tier-Instances-Without-Elastic-or-Public-IP-Addresses)  
-    - [Create and Configure Data-Tier Security Group](Create-and-Configure-Data-Tier-Security-Group)  
-    - [Restrict data-tier subnet connectivity to VPC NAT Gateway](Restrict-data-tier-subnet-connectivity-to-VPC-NAT-Gateway)  
-    - [Unrestricted Default Security Groups](Unrestricted-Default-Security-Groups)  
-    - [Default EC2 Security Groups In Use](Default-EC2-Security-Groups-In-Use)  
-    - [Detailed Monitoring for EC2 Instances](Detailed-Monitoring-for-EC2-Instances)  
-    - [EC2 Desired Instance Type](EC2-Desired-Instance-Type)  
-    - [Review EC2 Dedicated Instances](Review-EC2-Dedicated-Instances)  
-    - [EC2 Instance Not In Public Subnet](EC2-Instance-Not-In-Public-Subnet)  
-    - [Unused EC2 Reserved Instances](Unused-EC2-Reserved-Instances)  
-    - [Total Number of EC2 Instances](Total-Number-of-EC2-Instances)  
-    - [EC2 Instance Type Generation](EC2-Instance-Type-Generation)  
-    - [Instance In Auto Scaling Group](Instance-In-Auto-Scaling-Group)  
-    - [EC2 Platform](EC2-Platform)  
-    - [EC2 Instance Limit](EC2-Instance-Limit)  
-    - [EC2 Instance Naming Conventions](EC2-Instance-Naming-Conventions)  
-    - [EC2 Instances with Scheduled Events](EC2-Instances-with-Scheduled-Events)  
-    - [EC2 Instance Security Group Rules Count](EC2-Instance-Security-Group-Rules-Count)  
-    - [EC2 Instance Tenancy Type](EC2-Instance-Tenancy-Type)  
-    - [EC2 Instance Termination Protection](EC2-Instance-Termination-Protection)  
-    - [EC2 Instance Age](EC2-Instance-Age)  
-    - [EC2 Instance IAM Roles](EC2-Instance-IAM-Roles)  
-    - [Overutilized EC2 Instances](Overutilized-EC2-Instances)  
-    - [Publicly Shared AMIs](Publicly-Shared-AMIs)  
-    - [EC2 Reserved Instance Lease Expiration](EC2-Reserved-Instance-Lease-Expiration)  
-    - [EC2 Security Groups Count](EC2-Security-Groups-Count)  
-    - [EC2 Security Group Port Range](EC2-Security-Group-Port-Range)  
-    - [Underutilized EC2 Instances](Underutilized-EC2-Instances)  
-    - [EC2 Security Group Unrestricted Access](EC2-Security-Group-Unrestricted-Access)  
-    - [Unrestricted CIFS Access](Unrestricted-CIFS-Access)  
-    - [Unrestricted DNS Access](Unrestricted-DNS-Access)  
-    - [Unrestricted ElasticSearch Access](Unrestricted-ElasticSearch-Access)  
-    - [Unrestricted FTP Access](Unrestricted-FTP-Access)  
-    - [Unrestricted HTTP Access](Unrestricted-HTTP-Access)  
-    - [Unrestricted HTTPS Access](Unrestricted-HTTPS-Access)  
-    - [Unrestricted ICMP Access](Unrestricted-ICMP-Access)  
-    - [Unrestricted Inbound Access on Uncommon Ports](Unrestricted-Inbound-Access-on-Uncommon-Ports)  
-    - [Unrestricted MongoDB Access](Unrestricted-MongoDB-Access)  
-    - [Unrestricted MSSQL Database Access](Unrestricted-MSSQL-Database-Access)  
-    - [Unrestricted MySQL Database Access](Unrestricted-MySQL-Database-Access)  
-    - [Unrestricted NetBIOS Access](Unrestricted-NetBIOS-Access)  
-    - [Unrestricted Oracle Database Access](Unrestricted-Oracle-Database-Access)  
-    - [Unrestricted Outbound Access on All Ports](Unrestricted-Outbound-Access-on-All-Ports)  
-    - [Unrestricted PostgreSQL Database Access](Unrestricted-PostgreSQL-Database-Access)  
-    - [Unrestricted RDP Access](Unrestricted-RDP-Access)  
-    - [Unrestricted RPC Access](Unrestricted-RPC-Access)  
-    - [Unrestricted SMTP Access](Unrestricted-SMTP-Access)  
-    - [Unrestricted SSH Access](Unrestricted-SSH-Access)  
-    - [Unrestricted Telnet Access](Unrestricted-Telnet-Access)  
-    - [Unused Elastic Network Interfaces](Unused-Elastic-Network-Interfaces)  
-    - [Unused EC2 Key Pairs](Unused-EC2-Key-Pairs)  
-    - [EC2-VPC Elastic IP Address Limit](EC2-VPC-Elastic-IP-Address-Limit)  
-    - [Publicly Shared Web-Tier AMIs](Publicly-Shared-Web-Tier-AMIs)  
-    - [Web-Tier EC2 Instances Without Elastic or Public IP Addresses](Web-Tier-EC2-Instances-Without-Elastic-or-Public-IP-Addresses)  
-    - [Check web-tier ELB subnet connectivity to Internet Gateway](Check-web-tier-ELB-subnet-connectivity-to-Internet-Gateway)  
-    - [Attach Policy to IAM Roles Associated with Web-Tier EC2 Instances](Attach-Policy-to-IAM-Roles-Associated-with-Web-Tier-EC2-Instances)  
-    - [IAM Roles for Web-Tier EC2 Instances](IAM-Roles-for-Web-Tier-EC2-Instances)  
-    - [Create and Configure Web-Tier Security Group](Create-and-Configure-Web-Tier-Security-Group)  
-    - [Check web-tier subnet connectivity to VPC NAT Gateway](Check-web-tier-subnet-connectivity-to-VPC-NAT-Gateway)  
 1. [ECR](ECR)  
-    - [ECR Unknown Cross Account Access](ECR-Unknown-Cross-Account-Access)  
-    - [Check for Exposed ECR Repositories](Check-for-Exposed-ECR-Repositories)  
 1. [EFS](EFS)  
-    - [KMS Customer Master Keys for EFS Encryption](KMS-Customer-Master-Keys-for-EFS-Encryption)  
-    - [Enable EFS Encryption](Enable-EFS-Encryption)  
 1. [ElasticSearch](ElasticSearch)  
-    - [ElasticSearch Cluster Status](ElasticSearch-Cluster-Status)  
-    - [ElasticSearch Instance Type](ElasticSearch-Instance-Type)  
-    - [ElasticSearch Domain Encrypted with KMS CMKs](ElasticSearch-Domain-Encrypted-with-KMS-CMKs)  
-    - [ElasticSearch Unknown Cross Account Access](ElasticSearch-Unknown-Cross-Account-Access)  
-    - [ElasticSearch Exposed Domains](ElasticSearch-Exposed-Domains)  
-    - [ElasticSearch Domain IP-Based Access](ElasticSearch-Domain-IP-Based-Access)  
-    - [ElasticSearch General Purpose SSD Node Type](ElasticSearch-General-Purpose-SSD-Node-Type)  
-    - [ElasticSearch Version](ElasticSearch-Version)  
-    - [Enable ElasticSearch Zone Awareness](Enable-ElasticSearch-Zone-Awareness)  
-    - [Enable ElasticSearch Encryption At Rest](Enable-ElasticSearch-Encryption-At-Rest)  
-    - [ElasticSearch Free Storage Space](ElasticSearch-Free-Storage-Space)  
-    - [Total Number of ElasticSearch Instances](Total-Number-of-ElasticSearch-Instances)  
-    - [Enable ElasticSearch Node-to-Node Encryption](Enable-ElasticSearch-Node-to-Node-Encryption)  
-    - [Enable ElasticSearch Slow Logs](Enable-ElasticSearch-Slow-Logs)  
 1. [ELB](ELB)  
-    - [Enable HTTPS/SSL Listener for App-Tier ELBs](Enable-HTTPS/SSL-Listener-for-App-Tier-ELBs)  
-    - [Enable Latest SSL Security Policy for App-Tier ELBs](Enable-Latest-SSL-Security-Policy-for-App-Tier-ELBs)  
-    - [Add SSL/TLS Server Certificates to App-Tier ELBs](Add-SSL/TLS-Server-Certificates-to-App-Tier-ELBs)  
-    - [App-Tier ELBs Health Check](App-Tier-ELBs-Health-Check)  
-    - [Enable ELB Access Logging](Enable-ELB-Access-Logging)  
-    - [AWS Classic Load Balancer](AWS-Classic-Load-Balancer)  
-    - [Connection Draining Enabled](Connection-Draining-Enabled)  
-    - [Enable ELB Cross-Zone Load Balancing](Enable-ELB-Cross-Zone-Load-Balancing)  
-    - [ELB insecure SSL ciphers](ELB-insecure-SSL-ciphers)  
-    - [ELB insecure SSL protocols](ELB-insecure-SSL-protocols)  
-    - [ELB Listener Security](ELB-Listener-Security)  
-    - [ELB minimum number of EC2 instances](ELB-minimum-number-of-EC2-instances)  
-    - [ELB Security Group](ELB-Security-Group)  
-    - [ELB Security Policy](ELB-Security-Policy)  
-    - [Remove unused ELBs](Remove-unused-ELBs)  
-    - [ELB Instances Distribution Across Availability Zones](ELB-Instances-Distribution-Across-Availability-Zones)  
-    - [Review AWS Internet Facing Load Balancers](Review-AWS-Internet-Facing-Load-Balancers)  
-    - [Enable HTTPS/SSL Listener for Web-Tier ELBs](Enable-HTTPS/SSL-Listener-for-Web-Tier-ELBs)  
-    - [Enable Latest SSL Security Policy for Web-Tier ELBs](Enable-Latest-SSL-Security-Policy-for-Web-Tier-ELBs)  
-    - [Add SSL/TLS Server Certificates to Web-Tier ELBs](Add-SSL/TLS-Server-Certificates-to-Web-Tier-ELBs)  
-    - [Web-Tier ELBs Health Check](Web-Tier-ELBs-Health-Check)  
-    - [Enable ALB (ELBv2)-Access-Logging](Enable-ALB-(ELBv2)-Access-Logging)  
-    - [Enable Elastic Load Balancing Deletion Protection](Enable-Elastic-Load-Balancing-Deletion-Protection)  
-    - [ELBv2 Instances Distribution Across Availability Zones](ELBv2-Instances-Distribution-Across-Availability-Zones)  
-    - [ALB (ELBv2)-Listener-Security](ALB-(ELBv2)-Listener-Security)  
-    - [Minimum Number of EC2 Target Instances](Minimum-Number-of-EC2-Target-Instances)  
-    - [ELBv2 Security Groups](ELBv2-Security-Groups)  
-    - [ALB (ELBv2)-Security-Policy](ALB-(ELBv2)-Security-Policy)  
-    - [Unused ELBs (ELBv2)](Unused-ELBs-(ELBv2))  
 1. [EMR](EMR)  
-    - [EMR Cluster In VPC](EMR-Cluster-In-VPC)  
-    - [EMR Desired Instance Type](EMR-Desired-Instance-Type)  
-    - [EMR Instance Type Generation](EMR-Instance-Type-Generation)  
-    - [Enable EMR In-Transit and At-Rest Encryption](Enable-EMR-In-Transit-and-At-Rest-Encryption)  
-    - [Total Number of EMR Instances](Total-Number-of-EMR-Instances)  
 1. [GuardDuty](GuardDuty)  
-    - [GuardDuty Findings](GuardDuty-Findings)  
-    - [Monitor GuardDuty Configuration Changes](Monitor-GuardDuty-Configuration-Changes)  
-    - [GuardDuty In Use](GuardDuty-In-Use)  
 1. [Health](Health)  
-    - [AWS Health](AWS-Health)  
 1. [IAM](IAM)  
-    - [Unused IAM Access Keys](Unused-IAM-Access-Keys)  
-    - [IAM Access Keys Rotation](IAM-Access-Keys-Rotation)  
-    - [Unnecessary IAM Access Keys](Unnecessary-IAM-Access-Keys)  
-    - [Enable Security Challenge Questions for your Account](Enable-Security-Challenge-Questions-for-your-Account)  
-    - [Attach Policy to IAM Roles Associated with App-Tier EC2 Instances](Attach-Policy-to-IAM-Roles-Associated-with-App-Tier-EC2-Instances)  
-    - [SSL/TLS Certificate Renewal](SSL/TLS-Certificate-Renewal)  
-    - [Server Certificate Signature Algorithm](Server-Certificate-Signature-Algorithm)  
-    - [IAM Server Certificate Size](IAM-Server-Certificate-Size)  
-    - [Deprecated AWS Managed Policies In Use](Deprecated-AWS-Managed-Policies-In-Use)  
-    - [IAM Users Unauthorized to Edit Access Policies](IAM-Users-Unauthorized-to-Edit-Access-Policies)  
-    - [IAM Users with Admin Privileges](IAM-Users-with-Admin-Privileges)  
-    - [Detect IAM Configuration Changes](Detect-IAM-Configuration-Changes)  
-    - [IAM Group with Administrator Privileges In Use](IAM-Group-with-Administrator-Privileges-In-Use)  
-    - [Unused IAM Groups](Unused-IAM-Groups)  
-    - [Remove IAM Policies with Full Administrative Privileges](Remove-IAM-Policies-with-Full-Administrative-Privileges)  
-    - [IAM Customer Managed Policy with Administrative Permissions In Use](IAM-Customer-Managed-Policy-with-Administrative-Permissions-In-Use)  
-    - [IAM Role Policy Too Permissive](IAM-Role-Policy-Too-Permissive)  
-    - [IAM User Present](IAM-User-Present)  
-    - [Inactive IAM Users](Inactive-IAM-Users)  
-    - [Unused IAM Users](Unused-IAM-Users)  
-    - [IAM Users with Password and Access Keys](IAM-Users-with-Password-and-Access-Keys)  
-    - [Valid IAM Identity Providers](Valid-IAM-Identity-Providers)  
-    - [MFA Device Deactivated for IAM Users](MFA-Device-Deactivated-for-IAM-Users)  
-    - [Enable MFA for IAM Users](Enable-MFA-for-IAM-Users)  
-    - [IAM Master and IAM Manager Roles](IAM-Master-and-IAM-Manager-Roles)  
-    - [IAM Password Expiry](IAM-Password-Expiry)  
-    - [IAM Password Policy](IAM-Password-Policy)  
-    - [Root Account Access Keys](Root-Account-Access-Keys)  
-    - [Root Account Credentials Usage](Root-Account-Credentials-Usage)  
-    - [Root Account Active Signing Certificates](Root-Account-Active-Signing-Certificates)  
-    - [Enable Hardware MFA for Root Account](Enable-Hardware-MFA-for-Root-Account)  
-    - [Enable MFA for Root Account](Enable-MFA-for-Root-Account)  
-    - [IAM SSH Public Keys Rotation (90-Days)](IAM-SSH-Public-Keys-Rotation-(90-Days))  
-    - [Unnecessary IAM SSH Public Keys](Unnecessary-IAM-SSH-Public-Keys)  
-    - [IAM Support Role](IAM-Support-Role)  
 1. [Inspector](Inspector)  
-    - [AWS Inspector Findings](AWS-Inspector-Findings)  
 1. [KMS](KMS)  
-    - [App-Tier Customer Master Key In Use](App-Tier-Customer-Master-Key-In-Use)  
-    - [KMS Customer Master Key In Use](KMS-Customer-Master-Key-In-Use)  
-    - [Database Tier Customer Master Key In Use](Database-Tier-Customer-Master-Key-In-Use)  
-    - [Default KMS Key Usage](Default-KMS-Key-Usage)  
-    - [Disabled KMS keys](Disabled-KMS-keys)  
-    - [Monitor KMS Configuration Changes](Monitor-KMS-Configuration-Changes)  
-    - [KMS Unknown Cross Account Access](KMS-Unknown-Cross-Account-Access)  
-    - [KMS Exposed Keys](KMS-Exposed-Keys)  
-    - [Recover KMS Customer Master Keys](Recover-KMS-Customer-Master-Keys)  
-    - [Enable KMS Key Rotation](Enable-KMS-Key-Rotation)  
-    - [Remove unused KMS keys](Remove-unused-KMS-keys)  
-    - [Web-Tier Customer Master Key In Use](Web-Tier-Customer-Master-Key-In-Use)  
 1. [Lambda](Lambda)  
-    - [Exposed Lambda Functions](Exposed-Lambda-Functions)  
-    - [Lambda Functions with Admin Privileges](Lambda-Functions-with-Admin-Privileges)  
-    - [Lambda Unknown Cross Account Access](Lambda-Unknown-Cross-Account-Access)  
-    - [Lambda Runtime Environment Version](Lambda-Runtime-Environment-Version)  
-    - [An IAM role for a Lambda Function](An-IAM-role-for-a-Lambda-Function)  
 1. [Organizations](Organizations)  
-    - [Monitor AWS Org. Configuration Changes](Monitor-AWS-Org.-Configuration-Changes)  
-    - [Enable All Features](Enable-All-Features)  
-    - [AWS Organizations In Use](AWS-Organizations-In-Use)  
 1. [RDS](RDS)  
-    - [Aurora Database Instance Accessibility](Aurora-Database-Instance-Accessibility)  
-    - [RDS Auto Minor Version Upgrade](RDS-Auto-Minor-Version-Upgrade)  
-    - [Enable RDS Automated Backups](Enable-RDS-Automated-Backups)  
-    - [Enable RDS Deletion Protection](Enable-RDS-Deletion-Protection)  
-    - [Enable RDS Encryption](Enable-RDS-Encryption)  
-    - [RDS Free Storage Space](RDS-Free-Storage-Space)  
-    - [Enable IAM Database Authentication](Enable-IAM-Database-Authentication)  
-    - [Total Number of Provisioned RDS Instances](Total-Number-of-Provisioned-RDS-Instances)  
-    - [RDS Multi-AZ](RDS-Multi-AZ)  
-    - [Overutilized RDS Instances](Overutilized-RDS-Instances)  
-    - [Publicly Accessible RDS Instances](Publicly-Accessible-RDS-Instances)  
-    - [Use Data-Tier Security Group for RDS Databases](Use-Data-Tier-Security-Group-for-RDS-Databases)  
-    - [RDS Database Default Port](RDS-Database-Default-Port)  
-    - [Use KMS Customer Master Keys for RDS encryption](Use-KMS-Customer-Master-Keys-for-RDS-encryption)  
-    - [RDS General Purpose SSD Storage Type](RDS-General-Purpose-SSD-Storage-Type)  
-    - [RDS Instance Not In Public Subnet](RDS-Instance-Not-In-Public-Subnet)  
-    - [RDS Database Master Username](RDS-Database-Master-Username)  
-    - [RDS Public Snapshots](RDS-Public-Snapshots)  
-    - [RDS Sufficient Backup Retention Period](RDS-Sufficient-Backup-Retention-Period)  
-    - [Enable RDS Transport Encryption](Enable-RDS-Transport-Encryption)  
-    - [Underutilized RDS Instances](Underutilized-RDS-Instances)  
-    - [Unrestricted RDS DB Security Group](Unrestricted-RDS-DB-Security-Group)  
-    - [Enable Route 53 Domain Auto Renew](Enable-Route-53-Domain-Auto-Renew)  
-    - [Create DNS Alias Record for Root Domain](Create-DNS-Alias-Record-for-Root-Domain)  
-    - [Remove Route 53 Dangling DNS Records](Remove-Route-53-Dangling-DNS-Records)  
-    - [Expired Route 53 Domain Names](Expired-Route-53-Domain-Names)  
-    - [Route 53 Domain Name Renewal](Route-53-Domain-Name-Renewal)  
-    - [Enable Privacy Protection for Route 53 Domains](Enable-Privacy-Protection-for-Route-53-Domains)  
-    - [Root Domain Alias Records that Point to ELB](Root-Domain-Alias-Records-that-Point-to-ELB)  
-    - [Monitor Route 53 Configuration Changes](Monitor-Route-53-Configuration-Changes)  
-    - [Route 53 DNS In Use](Route-53-DNS-In-Use)  
-    - [Route 53 SPF DNS Records](Route-53-SPF-DNS-Records)  
-    - [Enable Route 53 Domain Transfer Lock](Enable-Route-53-Domain-Transfer-Lock)  
-    - [Monitor Route 53 Domains Configuration Changes](Monitor-Route-53-Domains-Configuration-Changes)  
 1. [ResourceGroup](ResourceGroup)  
-    - [Use tags to organize AWS resources](Use-tags-to-organize-AWS-resources)  
-    - [S3 Bucket Authenticated ‘FULL_CONTROL’ Access](S3-Bucket-Authenticated-‘FULL_CONTROL’-Access)  
-    - [S3 Bucket Authenticated ‘READ’ Access](S3-Bucket-Authenticated-‘READ’-Access)  
-    - [S3 Bucket Authenticated ‘READ_ACP’ Access](S3-Bucket-Authenticated-‘READ_ACP’-Access)  
-    - [S3 Bucket Authenticated ‘WRITE’ Access](S3-Bucket-Authenticated-‘WRITE’-Access)  
-    - [S3 Bucket Authenticated ‘WRITE_ACP’ Access](S3-Bucket-Authenticated-‘WRITE_ACP’-Access)  
-    - [Enable S3 Bucket Default Encryption](Enable-S3-Bucket-Default-Encryption)  
-    - [Enable Access Logging for S3 Buckets](Enable-Access-Logging-for-S3-Buckets)  
-    - [Enable MFA Delete for S3 Buckets](Enable-MFA-Delete-for-S3-Buckets)  
-    - [S3 Bucket Public Access Via Policy](S3-Bucket-Public-Access-Via-Policy)  
-    - [Publicly Accessible S3 Buckets](Publicly-Accessible-S3-Buckets)  
-    - [S3 Bucket Public ‘READ’ Access](S3-Bucket-Public-‘READ’-Access)  
-    - [S3 Bucket Public ‘READ_ACP’ Access](S3-Bucket-Public-‘READ_ACP’-Access)  
-    - [S3 Bucket Public ‘WRITE’ Access](S3-Bucket-Public-‘WRITE’-Access)  
-    - [S3 Bucket Public ‘WRITE_ACP’ Access](S3-Bucket-Public-‘WRITE_ACP’-Access)  
-    - [Enable Versioning for S3 Buckets](Enable-Versioning-for-S3-Buckets)  
-    - [Review S3 Buckets with Website Configuration Enabled](Review-S3-Buckets-with-Website-Configuration-Enabled)  
-    - [Detect S3 Configuration Changes](Detect-S3-Configuration-Changes)  
-    - [S3 Unknown Cross Account Access](S3-Unknown-Cross-Account-Access)  
-    - [Secure Transport](Secure-Transport)  
-    - [Server-Side Encryption](Server-Side-Encryption)  
-    - [Limit S3 Bucket Access by IP Address](Limit-S3-Bucket-Access-by-IP-Address)  
 1. [SES](SES)  
-    - [Enable DKIM for SES](Enable-DKIM-for-SES)  
-    - [Unknown Cross-Account Access](Unknown-Cross-Account-Access)  
-    - [Exposed SES Identities](Exposed-SES-Identities)  
-    - [SES Identity Verification Status](SES-Identity-Verification-Status)  
 1. [Shield](Shield)  
-    - [AWS Shield In Use](AWS-Shield-In-Use)  
 1. [TrustedAdvisor](TrustedAdvisor)  
-    - [Trusted Advisor Checks](Trusted-Advisor-Checks)  
-    - [Exposed IAM Access Keys](Exposed-IAM-Access-Keys)  
 1. [VPC](VPC)  
-    - [Allocate Elastic IPs for NAT Gateways](Allocate-Elastic-IPs-for-NAT-Gateways)  
-    - [Create App-Tier VPC Subnets](Create-App-Tier-VPC-Subnets)  
-    - [Create Data-Tier VPC Subnets](Create-Data-Tier-VPC-Subnets)  
-    - [Default VPC In Use](Default-VPC-In-Use)  
-    - [Unused VPC Internet Gateways](Unused-VPC-Internet-Gateways)  
-    - [Use Managed NAT Gateway for VPC](Use-Managed-NAT-Gateway-for-VPC)  
-    - [Create NAT Gateways in at Least Two Availability Zones](Create-NAT-Gateways-in-at-Least-Two-Availability-Zones)  
-    - [Ineffective Network ACL DENY Rules](Ineffective-Network-ACL-DENY-Rules)  
-    - [Unrestricted Network ACL Inbound Traffic](Unrestricted-Network-ACL-Inbound-Traffic)  
-    - [Unrestricted Network ACL Outbound Traffic](Unrestricted-Network-ACL-Outbound-Traffic)  
-    - [Create Route Table for Private Subnets](Create-Route-Table-for-Private-Subnets)  
-    - [Create Route Table for Public Subnets](Create-Route-Table-for-Public-Subnets)  
-    - [Enable Flow Logs for VPC Subnets](Enable-Flow-Logs-for-VPC-Subnets)  
-    - [VPC Endpoint Unknown Cross Account Access](VPC-Endpoint-Unknown-Cross-Account-Access)  
-    - [VPC Exposed Endpoints](VPC-Exposed-Endpoints)  
-    - [VPC Endpoints In Use](VPC-Endpoints-In-Use)  
-    - [Enable VPC Flow Logs](Enable-VPC-Flow-Logs)  
-    - [VPC Naming Conventions](VPC-Naming-Conventions)  
-    - [VPC Peering Connection Configuration](VPC-Peering-Connection-Configuration)  
-    - [Unused Virtual Private Gateways](Unused-Virtual-Private-Gateways)  
-    - [Create Web-Tier ELB Subnets](Create-Web-Tier-ELB-Subnets)  
-    - [Create Web-Tier VPC Subnets](Create-Web-Tier-VPC-Subnets)  
 1. [WAF](WAF)  
-    - [AWS Web Application Firewall In Use](AWS-Web-Application-Firewall-In-Use)  
-
 
 ---
 
 # ACM
 
+1. [Expired ACM Certificates](Expired-ACM-Certificates)
+1. [ACM Certificates Renewal](ACM-Certificates-Renewal)
+1. [ACM Certificates Validity](ACM-Certificates-Validity)
+
 ### Expired ACM Certificates
 **Risk**: High  
 **Description**: Ensure that all expired SSL/TLS certificates in ACM service are removed.  
@@ -518,8 +182,6 @@
 
 ### CloudFront Security Policy
 **Risk**: Medium  
-**Description**: Ensure that CloudFront distributions use a security policy with minimum TLSv-  or TLSv1.2 and appropriate security ciphers for HTTPS viewer connections.     
-**Resolution**: Enable security policies that enforce TLS version -  or 1.2 as the minimum protocol version    
 
 ### Unencrypted CloudFront Traffic
 **Risk**: Medium  

diff --git a/aws_sercurity_test.md b/aws_sercurity_test.md
@@ -1,372 +1,372 @@
 # Table of Contents
 
 1. [ACM](ACM)  
-    0. [Expired ACM Certificates](Expired-ACM-Certificates)  
-    0. [ACM Certificates Renewal](ACM-Certificates-Renewal)  
-    0. [ACM Certificates Validity](ACM-Certificates-Validity)  
+    - [Expired ACM Certificates](Expired-ACM-Certificates)  
+    - [ACM Certificates Renewal](ACM-Certificates-Renewal)  
+    - [ACM Certificates Validity](ACM-Certificates-Validity)  
 1. [API Gateway](API-Gateway)  
-    0. [Enable CloudWatch Logs for APIs](Enable-CloudWatch-Logs-for-APIs)  
-    0. [Enable Detailed CloudWatch Metrics for APIs](Enable-Detailed-CloudWatch-Metrics-for-APIs)  
-    0. [API Gateway Private Endpoints](API-Gateway-Private-Endpoints)  
+    - [Enable CloudWatch Logs for APIs](Enable-CloudWatch-Logs-for-APIs)  
+    - [Enable Detailed CloudWatch Metrics for APIs](Enable-Detailed-CloudWatch-Metrics-for-APIs)  
+    - [API Gateway Private Endpoints](API-Gateway-Private-Endpoints)  
 1. [AutoScaling](AutoScaling)  
-    0. [ASG Cooldown Period](ASG-Cooldown-Period)  
-    0. [Enable ASG Notifications](Enable-ASG-Notifications)  
-    0. [App-Tier ASGs with Associated ELB](App-Tier-ASGs-with-Associated-ELB)  
-    0. [CloudWatch Logs Agent for App-Tier ASG In Use](CloudWatch-Logs-Agent-for-App-Tier-ASG-In-Use)  
-    0. [IAM Roles for App-Tier ASG Launch Configurations](IAM-Roles-for-App-Tier-ASG-Launch-Configurations)  
-    0. [Use Approved AMIs for App-Tier ASG Launch Configurations](Use-Approved-AMIs-for-App-Tier-ASG-Launch-Configurations)  
-    0. [Auto Scaling Group Referencing Missing ELB](Auto-Scaling-Group-Referencing-Missing-ELB)  
-    0. [Empty Auto Scaling Groups](Empty-Auto-Scaling-Groups)  
-    0. [Launch Configuration Referencing Missing AMI](Launch-Configuration-Referencing-Missing-AMI)  
-    0. [Launch Configuration Referencing Missing Security Group](Launch-Configuration-Referencing-Missing-Security-Group)  
-    0. [Unused Launch Configuration Templates](Unused-Launch-Configuration-Templates)  
-    0. [Multi-AZ Auto Scaling Groups](Multi-AZ-Auto-Scaling-Groups)  
-    0. [Same ELB Availability Zones](Same-ELB-Availability-Zones)  
-    0. [Suspended Auto Scaling Group Processes](Suspended-Auto-Scaling-Group-Processes)  
-    0. [Web-Tier Auto Scaling Groups with Associated ELBs](Web-Tier-Auto-Scaling-Groups-with-Associated-ELBs)  
-    0. [Use Approved AMIs for Web-Tier ASG Launch Configurations](Use-Approved-AMIs-for-Web-Tier-ASG-Launch-Configurations)  
+    - [ASG Cooldown Period](ASG-Cooldown-Period)  
+    - [Enable ASG Notifications](Enable-ASG-Notifications)  
+    - [App-Tier ASGs with Associated ELB](App-Tier-ASGs-with-Associated-ELB)  
+    - [CloudWatch Logs Agent for App-Tier ASG In Use](CloudWatch-Logs-Agent-for-App-Tier-ASG-In-Use)  
+    - [IAM Roles for App-Tier ASG Launch Configurations](IAM-Roles-for-App-Tier-ASG-Launch-Configurations)  
+    - [Use Approved AMIs for App-Tier ASG Launch Configurations](Use-Approved-AMIs-for-App-Tier-ASG-Launch-Configurations)  
+    - [Auto Scaling Group Referencing Missing ELB](Auto-Scaling-Group-Referencing-Missing-ELB)  
+    - [Empty Auto Scaling Groups](Empty-Auto-Scaling-Groups)  
+    - [Launch Configuration Referencing Missing AMI](Launch-Configuration-Referencing-Missing-AMI)  
+    - [Launch Configuration Referencing Missing Security Group](Launch-Configuration-Referencing-Missing-Security-Group)  
+    - [Unused Launch Configuration Templates](Unused-Launch-Configuration-Templates)  
+    - [Multi-AZ Auto Scaling Groups](Multi-AZ-Auto-Scaling-Groups)  
+    - [Same ELB Availability Zones](Same-ELB-Availability-Zones)  
+    - [Suspended Auto Scaling Group Processes](Suspended-Auto-Scaling-Group-Processes)  
+    - [Web-Tier Auto Scaling Groups with Associated ELBs](Web-Tier-Auto-Scaling-Groups-with-Associated-ELBs)  
+    - [Use Approved AMIs for Web-Tier ASG Launch Configurations](Use-Approved-AMIs-for-Web-Tier-ASG-Launch-Configurations)  
 1. [CloudFront](CloudFront)  
-    0. [CloudFront CDN In Use](CloudFront-CDN-In-Use)  
-    0. [CloudFront WAF Integration](CloudFront-WAF-Integration)  
-    0. [Enable Origin Access Identity for CloudFront Distributions with S3 Origin](Enable-Origin-Access-Identity-for-CloudFront-Distributions-with-S3-Origin)  
-    0. [CloudFront Origin Insecure SSL Protocols](CloudFront-Origin-Insecure-SSL-Protocols)  
-    0. [CloudFront Security Policy](CloudFront-Security-Policy)  
-    0. [Unencrypted CloudFront Traffic](Unencrypted-CloudFront-Traffic)  
-    0. [Use Cloudfront CDN](Use-Cloudfront-CDN)  
+    - [CloudFront CDN In Use](CloudFront-CDN-In-Use)  
+    - [CloudFront WAF Integration](CloudFront-WAF-Integration)  
+    - [Enable Origin Access Identity for CloudFront Distributions with S3 Origin](Enable-Origin-Access-Identity-for-CloudFront-Distributions-with-S3-Origin)  
+    - [CloudFront Origin Insecure SSL Protocols](CloudFront-Origin-Insecure-SSL-Protocols)  
+    - [CloudFront Security Policy](CloudFront-Security-Policy)  
+    - [Unencrypted CloudFront Traffic](Unencrypted-CloudFront-Traffic)  
+    - [Use Cloudfront CDN](Use-Cloudfront-CDN)  
 1. [CloudTrail](CloudTrail)  
-    0. [Enable access logging for CloudTrail buckets](Enable-access-logging-for-CloudTrail-buckets)  
-    0. [Enable MFA Delete for CloudTrail bucket](Enable-MFA-Delete-for-CloudTrail-bucket)  
-    0. [CloudTrail insecure buckets](CloudTrail-insecure-buckets)  
-    0. [Monitor CloudTrail Configuration Changes](Monitor-CloudTrail-Configuration-Changes)  
-    0. [Enable CloudTrail integration with CloudWatch](Enable-CloudTrail-integration-with-CloudWatch)  
-    0. [Enable CloudTrail log file integrity validation](Enable-CloudTrail-log-file-integrity-validation)  
-    0. [Enable CloudTrail log files encryption](Enable-CloudTrail-log-files-encryption)  
-    0. [CloudTrail Log Files Delivery Failing](CloudTrail-Log-Files-Delivery-Failing)  
+    - [Enable access logging for CloudTrail buckets](Enable-access-logging-for-CloudTrail-buckets)  
+    - [Enable MFA Delete for CloudTrail bucket](Enable-MFA-Delete-for-CloudTrail-bucket)  
+    - [CloudTrail insecure buckets](CloudTrail-insecure-buckets)  
+    - [Monitor CloudTrail Configuration Changes](Monitor-CloudTrail-Configuration-Changes)  
+    - [Enable CloudTrail integration with CloudWatch](Enable-CloudTrail-integration-with-CloudWatch)  
+    - [Enable CloudTrail log file integrity validation](Enable-CloudTrail-log-file-integrity-validation)  
+    - [Enable CloudTrail log files encryption](Enable-CloudTrail-log-files-encryption)  
+    - [CloudTrail Log Files Delivery Failing](CloudTrail-Log-Files-Delivery-Failing)  
 1. [CloudWatch](CloudWatch)  
-    0. [Enable AWS Billing Alerts](Enable-AWS-Billing-Alerts)  
-    0. [Enable CloudWatch Billing Alarm](Enable-CloudWatch-Billing-Alarm)  
-    0. [Exposed CloudWatch Event Bus](Exposed-CloudWatch-Event-Bus)  
-    0. [CloudWatch Events In Use](CloudWatch-Events-In-Use)  
-    0. [Alarm for Config Changes](Alarm-for-Config-Changes)  
-    0. [Alarm for Organizations Changes](Alarm-for-Organizations-Changes)  
-    0. [Alarm for multiple Sign-in Failures](Alarm-for-multiple-Sign-in-Failures)  
-    0. [Monitor for AWS Console Sign-In Requests Without MFA](Monitor-for-AWS-Console-Sign-In-Requests-Without-MFA)  
-    0. [Alarm for EC2 Instance Changes](Alarm-for-EC2-Instance-Changes)  
-    0. [Alarm for EC2 Large Instance Changes](Alarm-for-EC2-Large-Instance-Changes)  
-    0. [Alarm for Root Account Usage](Alarm-for-Root-Account-Usage)  
-    0. [Alarm for S3 Bucket Changes](Alarm-for-S3-Bucket-Changes)  
+    - [Enable AWS Billing Alerts](Enable-AWS-Billing-Alerts)  
+    - [Enable CloudWatch Billing Alarm](Enable-CloudWatch-Billing-Alarm)  
+    - [Exposed CloudWatch Event Bus](Exposed-CloudWatch-Event-Bus)  
+    - [CloudWatch Events In Use](CloudWatch-Events-In-Use)  
+    - [Alarm for Config Changes](Alarm-for-Config-Changes)  
+    - [Alarm for Organizations Changes](Alarm-for-Organizations-Changes)  
+    - [Alarm for multiple Sign-in Failures](Alarm-for-multiple-Sign-in-Failures)  
+    - [Monitor for AWS Console Sign-In Requests Without MFA](Monitor-for-AWS-Console-Sign-In-Requests-Without-MFA)  
+    - [Alarm for EC2 Instance Changes](Alarm-for-EC2-Instance-Changes)  
+    - [Alarm for EC2 Large Instance Changes](Alarm-for-EC2-Large-Instance-Changes)  
+    - [Alarm for Root Account Usage](Alarm-for-Root-Account-Usage)  
+    - [Alarm for S3 Bucket Changes](Alarm-for-S3-Bucket-Changes)  
 1. [Config](Config)  
-    0. [Monitor AWS Config configuration changes](Monitor-AWS-Config-configuration-changes)  
-    0. [Enable AWS Config](Enable-AWS-Config)  
-    0. [AWS Config Referencing Missing S3 Bucket](AWS-Config-Referencing-Missing-S3-Bucket)  
-    0. [AWS Config Referencing Missing SNS Topic](AWS-Config-Referencing-Missing-SNS-Topic)  
-    0. [AWS Config Log Files Delivery Failing](AWS-Config-Log-Files-Delivery-Failing)  
-    0. [Include Global Resources into AWS Config Settings](Include-Global-Resources-into-AWS-Config-Settings)  
+    - [Monitor AWS Config configuration changes](Monitor-AWS-Config-configuration-changes)  
+    - [Enable AWS Config](Enable-AWS-Config)  
+    - [AWS Config Referencing Missing S3 Bucket](AWS-Config-Referencing-Missing-S3-Bucket)  
+    - [AWS Config Referencing Missing SNS Topic](AWS-Config-Referencing-Missing-SNS-Topic)  
+    - [AWS Config Log Files Delivery Failing](AWS-Config-Log-Files-Delivery-Failing)  
+    - [Include Global Resources into AWS Config Settings](Include-Global-Resources-into-AWS-Config-Settings)  
 1. [DynamoDB](DynamoDB)  
-    0. [Enable DynamoDB Auto Scaling](Enable-DynamoDB-Auto-Scaling)  
-    0. [DynamoDB Backup and Restore](DynamoDB-Backup-and-Restore)  
-    0. [Enable DynamoDB Continuous Backups](Enable-DynamoDB-Continuous-Backups)  
-    0. [DynamoDB Server-Side Encryption](DynamoDB-Server-Side-Encryption)  
+    - [Enable DynamoDB Auto Scaling](Enable-DynamoDB-Auto-Scaling)  
+    - [DynamoDB Backup and Restore](DynamoDB-Backup-and-Restore)  
+    - [Enable DynamoDB Continuous Backups](Enable-DynamoDB-Continuous-Backups)  
+    - [DynamoDB Server-Side Encryption](DynamoDB-Server-Side-Encryption)  
 1. [EBS](EBS)  
-    0. [Enable EBS Encryption](Enable-EBS-Encryption)  
-    0. [Use KMS Customer Master Keys for EBS encryption](Use-KMS-Customer-Master-Keys-for-EBS-encryption)  
-    0. [EBS Volume Naming Conventions](EBS-Volume-Naming-Conventions)  
-    0. [EBS Public Snapshots](EBS-Public-Snapshots)  
-    0. [EBS volumes recent snapshots](EBS-volumes-recent-snapshots)  
-    0. [Remove EBS old snapshots](Remove-EBS-old-snapshots)  
-    0. [Remove Unattached EC2 EBS volumes](Remove-Unattached-EC2-EBS-volumes)  
-    0. [Enable EBS Snapshot Encryption](Enable-EBS-Snapshot-Encryption)  
-    0. [EBS Volumes Attached to Stopped EC2 Instances](EBS-Volumes-Attached-to-Stopped-EC2-Instances)  
-    0. [Approved/Golden AMI](Approved/Golden-AMI)  
-    0. [AWS Blacklisted AMI](AWS-Blacklisted-AMI)  
-    0. [Enable AMI Encryption](Enable-AMI-Encryption)  
-    0. [AMI Naming Conventions](AMI-Naming-Conventions)  
-    0. [Check for AMI Age](Check-for-AMI-Age)  
-    0. [Unused AMI](Unused-AMI)  
-    0. [Unassociated Elastic IP Addresses](Unassociated-Elastic-IP-Addresses)  
-    0. [Publicly Shared App-Tier AMIs](Publicly-Shared-App-Tier-AMIs)  
-    0. [App-Tier EC2 Instances Without Elastic or Public IP Addresses](App-Tier-EC2-Instances-Without-Elastic-or-Public-IP-Addresses)  
-    0. [Check app-tier ELB subnet connectivity to Internet Gateway](Check-app-tier-ELB-subnet-connectivity-to-Internet-Gateway)  
-    0. [IAM Roles for App-Tier EC2 Instances](IAM-Roles-for-App-Tier-EC2-Instances)  
-    0. [Create and Configure App-Tier Security Group](Create-and-Configure-App-Tier-Security-Group)  
-    0. [EC2 Instances Distribution Across Availability Zones](EC2-Instances-Distribution-Across-Availability-Zones)  
-    0. [EC2-Classic Elastic IP Address Limit](EC2-Classic-Elastic-IP-Address-Limit)  
-    0. [Data-Tier Instances Without Elastic or Public IP Addresses](Data-Tier-Instances-Without-Elastic-or-Public-IP-Addresses)  
-    0. [Create and Configure Data-Tier Security Group](Create-and-Configure-Data-Tier-Security-Group)  
-    0. [Restrict data-tier subnet connectivity to VPC NAT Gateway](Restrict-data-tier-subnet-connectivity-to-VPC-NAT-Gateway)  
-    0. [Unrestricted Default Security Groups](Unrestricted-Default-Security-Groups)  
-    0. [Default EC2 Security Groups In Use](Default-EC2-Security-Groups-In-Use)  
-    0. [Detailed Monitoring for EC2 Instances](Detailed-Monitoring-for-EC2-Instances)  
-    0. [EC2 Desired Instance Type](EC2-Desired-Instance-Type)  
-    0. [Review EC2 Dedicated Instances](Review-EC2-Dedicated-Instances)  
-    0. [EC2 Instance Not In Public Subnet](EC2-Instance-Not-In-Public-Subnet)  
-    0. [Unused EC2 Reserved Instances](Unused-EC2-Reserved-Instances)  
-    0. [Total Number of EC2 Instances](Total-Number-of-EC2-Instances)  
-    0. [EC2 Instance Type Generation](EC2-Instance-Type-Generation)  
-    0. [Instance In Auto Scaling Group](Instance-In-Auto-Scaling-Group)  
-    0. [EC2 Platform](EC2-Platform)  
-    0. [EC2 Instance Limit](EC2-Instance-Limit)  
-    0. [EC2 Instance Naming Conventions](EC2-Instance-Naming-Conventions)  
-    0. [EC2 Instances with Scheduled Events](EC2-Instances-with-Scheduled-Events)  
-    0. [EC2 Instance Security Group Rules Count](EC2-Instance-Security-Group-Rules-Count)  
-    0. [EC2 Instance Tenancy Type](EC2-Instance-Tenancy-Type)  
-    0. [EC2 Instance Termination Protection](EC2-Instance-Termination-Protection)  
-    0. [EC2 Instance Age](EC2-Instance-Age)  
-    0. [EC2 Instance IAM Roles](EC2-Instance-IAM-Roles)  
-    0. [Overutilized EC2 Instances](Overutilized-EC2-Instances)  
-    0. [Publicly Shared AMIs](Publicly-Shared-AMIs)  
-    0. [EC2 Reserved Instance Lease Expiration](EC2-Reserved-Instance-Lease-Expiration)  
-    0. [EC2 Security Groups Count](EC2-Security-Groups-Count)  
-    0. [EC2 Security Group Port Range](EC2-Security-Group-Port-Range)  
-    0. [Underutilized EC2 Instances](Underutilized-EC2-Instances)  
-    0. [EC2 Security Group Unrestricted Access](EC2-Security-Group-Unrestricted-Access)  
-    0. [Unrestricted CIFS Access](Unrestricted-CIFS-Access)  
-    0. [Unrestricted DNS Access](Unrestricted-DNS-Access)  
-    0. [Unrestricted ElasticSearch Access](Unrestricted-ElasticSearch-Access)  
-    0. [Unrestricted FTP Access](Unrestricted-FTP-Access)  
-    0. [Unrestricted HTTP Access](Unrestricted-HTTP-Access)  
-    0. [Unrestricted HTTPS Access](Unrestricted-HTTPS-Access)  
-    0. [Unrestricted ICMP Access](Unrestricted-ICMP-Access)  
-    0. [Unrestricted Inbound Access on Uncommon Ports](Unrestricted-Inbound-Access-on-Uncommon-Ports)  
-    0. [Unrestricted MongoDB Access](Unrestricted-MongoDB-Access)  
-    0. [Unrestricted MSSQL Database Access](Unrestricted-MSSQL-Database-Access)  
-    0. [Unrestricted MySQL Database Access](Unrestricted-MySQL-Database-Access)  
-    0. [Unrestricted NetBIOS Access](Unrestricted-NetBIOS-Access)  
-    0. [Unrestricted Oracle Database Access](Unrestricted-Oracle-Database-Access)  
-    0. [Unrestricted Outbound Access on All Ports](Unrestricted-Outbound-Access-on-All-Ports)  
-    0. [Unrestricted PostgreSQL Database Access](Unrestricted-PostgreSQL-Database-Access)  
-    0. [Unrestricted RDP Access](Unrestricted-RDP-Access)  
-    0. [Unrestricted RPC Access](Unrestricted-RPC-Access)  
-    0. [Unrestricted SMTP Access](Unrestricted-SMTP-Access)  
-    0. [Unrestricted SSH Access](Unrestricted-SSH-Access)  
-    0. [Unrestricted Telnet Access](Unrestricted-Telnet-Access)  
-    0. [Unused Elastic Network Interfaces](Unused-Elastic-Network-Interfaces)  
-    0. [Unused EC2 Key Pairs](Unused-EC2-Key-Pairs)  
-    0. [EC2-VPC Elastic IP Address Limit](EC2-VPC-Elastic-IP-Address-Limit)  
-    0. [Publicly Shared Web-Tier AMIs](Publicly-Shared-Web-Tier-AMIs)  
-    0. [Web-Tier EC2 Instances Without Elastic or Public IP Addresses](Web-Tier-EC2-Instances-Without-Elastic-or-Public-IP-Addresses)  
-    0. [Check web-tier ELB subnet connectivity to Internet Gateway](Check-web-tier-ELB-subnet-connectivity-to-Internet-Gateway)  
-    0. [Attach Policy to IAM Roles Associated with Web-Tier EC2 Instances](Attach-Policy-to-IAM-Roles-Associated-with-Web-Tier-EC2-Instances)  
-    0. [IAM Roles for Web-Tier EC2 Instances](IAM-Roles-for-Web-Tier-EC2-Instances)  
-    0. [Create and Configure Web-Tier Security Group](Create-and-Configure-Web-Tier-Security-Group)  
-    0. [Check web-tier subnet connectivity to VPC NAT Gateway](Check-web-tier-subnet-connectivity-to-VPC-NAT-Gateway)  
+    - [Enable EBS Encryption](Enable-EBS-Encryption)  
+    - [Use KMS Customer Master Keys for EBS encryption](Use-KMS-Customer-Master-Keys-for-EBS-encryption)  
+    - [EBS Volume Naming Conventions](EBS-Volume-Naming-Conventions)  
+    - [EBS Public Snapshots](EBS-Public-Snapshots)  
+    - [EBS volumes recent snapshots](EBS-volumes-recent-snapshots)  
+    - [Remove EBS old snapshots](Remove-EBS-old-snapshots)  
+    - [Remove Unattached EC2 EBS volumes](Remove-Unattached-EC2-EBS-volumes)  
+    - [Enable EBS Snapshot Encryption](Enable-EBS-Snapshot-Encryption)  
+    - [EBS Volumes Attached to Stopped EC2 Instances](EBS-Volumes-Attached-to-Stopped-EC2-Instances)  
+    - [Approved/Golden AMI](Approved/Golden-AMI)  
+    - [AWS Blacklisted AMI](AWS-Blacklisted-AMI)  
+    - [Enable AMI Encryption](Enable-AMI-Encryption)  
+    - [AMI Naming Conventions](AMI-Naming-Conventions)  
+    - [Check for AMI Age](Check-for-AMI-Age)  
+    - [Unused AMI](Unused-AMI)  
+    - [Unassociated Elastic IP Addresses](Unassociated-Elastic-IP-Addresses)  
+    - [Publicly Shared App-Tier AMIs](Publicly-Shared-App-Tier-AMIs)  
+    - [App-Tier EC2 Instances Without Elastic or Public IP Addresses](App-Tier-EC2-Instances-Without-Elastic-or-Public-IP-Addresses)  
+    - [Check app-tier ELB subnet connectivity to Internet Gateway](Check-app-tier-ELB-subnet-connectivity-to-Internet-Gateway)  
+    - [IAM Roles for App-Tier EC2 Instances](IAM-Roles-for-App-Tier-EC2-Instances)  
+    - [Create and Configure App-Tier Security Group](Create-and-Configure-App-Tier-Security-Group)  
+    - [EC2 Instances Distribution Across Availability Zones](EC2-Instances-Distribution-Across-Availability-Zones)  
+    - [EC2-Classic Elastic IP Address Limit](EC2-Classic-Elastic-IP-Address-Limit)  
+    - [Data-Tier Instances Without Elastic or Public IP Addresses](Data-Tier-Instances-Without-Elastic-or-Public-IP-Addresses)  
+    - [Create and Configure Data-Tier Security Group](Create-and-Configure-Data-Tier-Security-Group)  
+    - [Restrict data-tier subnet connectivity to VPC NAT Gateway](Restrict-data-tier-subnet-connectivity-to-VPC-NAT-Gateway)  
+    - [Unrestricted Default Security Groups](Unrestricted-Default-Security-Groups)  
+    - [Default EC2 Security Groups In Use](Default-EC2-Security-Groups-In-Use)  
+    - [Detailed Monitoring for EC2 Instances](Detailed-Monitoring-for-EC2-Instances)  
+    - [EC2 Desired Instance Type](EC2-Desired-Instance-Type)  
+    - [Review EC2 Dedicated Instances](Review-EC2-Dedicated-Instances)  
+    - [EC2 Instance Not In Public Subnet](EC2-Instance-Not-In-Public-Subnet)  
+    - [Unused EC2 Reserved Instances](Unused-EC2-Reserved-Instances)  
+    - [Total Number of EC2 Instances](Total-Number-of-EC2-Instances)  
+    - [EC2 Instance Type Generation](EC2-Instance-Type-Generation)  
+    - [Instance In Auto Scaling Group](Instance-In-Auto-Scaling-Group)  
+    - [EC2 Platform](EC2-Platform)  
+    - [EC2 Instance Limit](EC2-Instance-Limit)  
+    - [EC2 Instance Naming Conventions](EC2-Instance-Naming-Conventions)  
+    - [EC2 Instances with Scheduled Events](EC2-Instances-with-Scheduled-Events)  
+    - [EC2 Instance Security Group Rules Count](EC2-Instance-Security-Group-Rules-Count)  
+    - [EC2 Instance Tenancy Type](EC2-Instance-Tenancy-Type)  
+    - [EC2 Instance Termination Protection](EC2-Instance-Termination-Protection)  
+    - [EC2 Instance Age](EC2-Instance-Age)  
+    - [EC2 Instance IAM Roles](EC2-Instance-IAM-Roles)  
+    - [Overutilized EC2 Instances](Overutilized-EC2-Instances)  
+    - [Publicly Shared AMIs](Publicly-Shared-AMIs)  
+    - [EC2 Reserved Instance Lease Expiration](EC2-Reserved-Instance-Lease-Expiration)  
+    - [EC2 Security Groups Count](EC2-Security-Groups-Count)  
+    - [EC2 Security Group Port Range](EC2-Security-Group-Port-Range)  
+    - [Underutilized EC2 Instances](Underutilized-EC2-Instances)  
+    - [EC2 Security Group Unrestricted Access](EC2-Security-Group-Unrestricted-Access)  
+    - [Unrestricted CIFS Access](Unrestricted-CIFS-Access)  
+    - [Unrestricted DNS Access](Unrestricted-DNS-Access)  
+    - [Unrestricted ElasticSearch Access](Unrestricted-ElasticSearch-Access)  
+    - [Unrestricted FTP Access](Unrestricted-FTP-Access)  
+    - [Unrestricted HTTP Access](Unrestricted-HTTP-Access)  
+    - [Unrestricted HTTPS Access](Unrestricted-HTTPS-Access)  
+    - [Unrestricted ICMP Access](Unrestricted-ICMP-Access)  
+    - [Unrestricted Inbound Access on Uncommon Ports](Unrestricted-Inbound-Access-on-Uncommon-Ports)  
+    - [Unrestricted MongoDB Access](Unrestricted-MongoDB-Access)  
+    - [Unrestricted MSSQL Database Access](Unrestricted-MSSQL-Database-Access)  
+    - [Unrestricted MySQL Database Access](Unrestricted-MySQL-Database-Access)  
+    - [Unrestricted NetBIOS Access](Unrestricted-NetBIOS-Access)  
+    - [Unrestricted Oracle Database Access](Unrestricted-Oracle-Database-Access)  
+    - [Unrestricted Outbound Access on All Ports](Unrestricted-Outbound-Access-on-All-Ports)  
+    - [Unrestricted PostgreSQL Database Access](Unrestricted-PostgreSQL-Database-Access)  
+    - [Unrestricted RDP Access](Unrestricted-RDP-Access)  
+    - [Unrestricted RPC Access](Unrestricted-RPC-Access)  
+    - [Unrestricted SMTP Access](Unrestricted-SMTP-Access)  
+    - [Unrestricted SSH Access](Unrestricted-SSH-Access)  
+    - [Unrestricted Telnet Access](Unrestricted-Telnet-Access)  
+    - [Unused Elastic Network Interfaces](Unused-Elastic-Network-Interfaces)  
+    - [Unused EC2 Key Pairs](Unused-EC2-Key-Pairs)  
+    - [EC2-VPC Elastic IP Address Limit](EC2-VPC-Elastic-IP-Address-Limit)  
+    - [Publicly Shared Web-Tier AMIs](Publicly-Shared-Web-Tier-AMIs)  
+    - [Web-Tier EC2 Instances Without Elastic or Public IP Addresses](Web-Tier-EC2-Instances-Without-Elastic-or-Public-IP-Addresses)  
+    - [Check web-tier ELB subnet connectivity to Internet Gateway](Check-web-tier-ELB-subnet-connectivity-to-Internet-Gateway)  
+    - [Attach Policy to IAM Roles Associated with Web-Tier EC2 Instances](Attach-Policy-to-IAM-Roles-Associated-with-Web-Tier-EC2-Instances)  
+    - [IAM Roles for Web-Tier EC2 Instances](IAM-Roles-for-Web-Tier-EC2-Instances)  
+    - [Create and Configure Web-Tier Security Group](Create-and-Configure-Web-Tier-Security-Group)  
+    - [Check web-tier subnet connectivity to VPC NAT Gateway](Check-web-tier-subnet-connectivity-to-VPC-NAT-Gateway)  
 1. [ECR](ECR)  
-    0. [ECR Unknown Cross Account Access](ECR-Unknown-Cross-Account-Access)  
-    0. [Check for Exposed ECR Repositories](Check-for-Exposed-ECR-Repositories)  
+    - [ECR Unknown Cross Account Access](ECR-Unknown-Cross-Account-Access)  
+    - [Check for Exposed ECR Repositories](Check-for-Exposed-ECR-Repositories)  
 1. [EFS](EFS)  
-    0. [KMS Customer Master Keys for EFS Encryption](KMS-Customer-Master-Keys-for-EFS-Encryption)  
-    0. [Enable EFS Encryption](Enable-EFS-Encryption)  
+    - [KMS Customer Master Keys for EFS Encryption](KMS-Customer-Master-Keys-for-EFS-Encryption)  
+    - [Enable EFS Encryption](Enable-EFS-Encryption)  
 1. [ElasticSearch](ElasticSearch)  
-    0. [ElasticSearch Cluster Status](ElasticSearch-Cluster-Status)  
-    0. [ElasticSearch Instance Type](ElasticSearch-Instance-Type)  
-    0. [ElasticSearch Domain Encrypted with KMS CMKs](ElasticSearch-Domain-Encrypted-with-KMS-CMKs)  
-    0. [ElasticSearch Unknown Cross Account Access](ElasticSearch-Unknown-Cross-Account-Access)  
-    0. [ElasticSearch Exposed Domains](ElasticSearch-Exposed-Domains)  
-    0. [ElasticSearch Domain IP-Based Access](ElasticSearch-Domain-IP-Based-Access)  
-    0. [ElasticSearch General Purpose SSD Node Type](ElasticSearch-General-Purpose-SSD-Node-Type)  
-    0. [ElasticSearch Version](ElasticSearch-Version)  
-    0. [Enable ElasticSearch Zone Awareness](Enable-ElasticSearch-Zone-Awareness)  
-    0. [Enable ElasticSearch Encryption At Rest](Enable-ElasticSearch-Encryption-At-Rest)  
-    0. [ElasticSearch Free Storage Space](ElasticSearch-Free-Storage-Space)  
-    0. [Total Number of ElasticSearch Instances](Total-Number-of-ElasticSearch-Instances)  
-    0. [Enable ElasticSearch Node-to-Node Encryption](Enable-ElasticSearch-Node-to-Node-Encryption)  
-    0. [Enable ElasticSearch Slow Logs](Enable-ElasticSearch-Slow-Logs)  
+    - [ElasticSearch Cluster Status](ElasticSearch-Cluster-Status)  
+    - [ElasticSearch Instance Type](ElasticSearch-Instance-Type)  
+    - [ElasticSearch Domain Encrypted with KMS CMKs](ElasticSearch-Domain-Encrypted-with-KMS-CMKs)  
+    - [ElasticSearch Unknown Cross Account Access](ElasticSearch-Unknown-Cross-Account-Access)  
+    - [ElasticSearch Exposed Domains](ElasticSearch-Exposed-Domains)  
+    - [ElasticSearch Domain IP-Based Access](ElasticSearch-Domain-IP-Based-Access)  
+    - [ElasticSearch General Purpose SSD Node Type](ElasticSearch-General-Purpose-SSD-Node-Type)  
+    - [ElasticSearch Version](ElasticSearch-Version)  
+    - [Enable ElasticSearch Zone Awareness](Enable-ElasticSearch-Zone-Awareness)  
+    - [Enable ElasticSearch Encryption At Rest](Enable-ElasticSearch-Encryption-At-Rest)  
+    - [ElasticSearch Free Storage Space](ElasticSearch-Free-Storage-Space)  
+    - [Total Number of ElasticSearch Instances](Total-Number-of-ElasticSearch-Instances)  
+    - [Enable ElasticSearch Node-to-Node Encryption](Enable-ElasticSearch-Node-to-Node-Encryption)  
+    - [Enable ElasticSearch Slow Logs](Enable-ElasticSearch-Slow-Logs)  
 1. [ELB](ELB)  
-    0. [Enable HTTPS/SSL Listener for App-Tier ELBs](Enable-HTTPS/SSL-Listener-for-App-Tier-ELBs)  
-    0. [Enable Latest SSL Security Policy for App-Tier ELBs](Enable-Latest-SSL-Security-Policy-for-App-Tier-ELBs)  
-    0. [Add SSL/TLS Server Certificates to App-Tier ELBs](Add-SSL/TLS-Server-Certificates-to-App-Tier-ELBs)  
-    0. [App-Tier ELBs Health Check](App-Tier-ELBs-Health-Check)  
-    0. [Enable ELB Access Logging](Enable-ELB-Access-Logging)  
-    0. [AWS Classic Load Balancer](AWS-Classic-Load-Balancer)  
-    0. [Connection Draining Enabled](Connection-Draining-Enabled)  
-    0. [Enable ELB Cross-Zone Load Balancing](Enable-ELB-Cross-Zone-Load-Balancing)  
-    0. [ELB insecure SSL ciphers](ELB-insecure-SSL-ciphers)  
-    0. [ELB insecure SSL protocols](ELB-insecure-SSL-protocols)  
-    0. [ELB Listener Security](ELB-Listener-Security)  
-    0. [ELB minimum number of EC2 instances](ELB-minimum-number-of-EC2-instances)  
-    0. [ELB Security Group](ELB-Security-Group)  
-    0. [ELB Security Policy](ELB-Security-Policy)  
-    0. [Remove unused ELBs](Remove-unused-ELBs)  
-    0. [ELB Instances Distribution Across Availability Zones](ELB-Instances-Distribution-Across-Availability-Zones)  
-    0. [Review AWS Internet Facing Load Balancers](Review-AWS-Internet-Facing-Load-Balancers)  
-    0. [Enable HTTPS/SSL Listener for Web-Tier ELBs](Enable-HTTPS/SSL-Listener-for-Web-Tier-ELBs)  
-    0. [Enable Latest SSL Security Policy for Web-Tier ELBs](Enable-Latest-SSL-Security-Policy-for-Web-Tier-ELBs)  
-    0. [Add SSL/TLS Server Certificates to Web-Tier ELBs](Add-SSL/TLS-Server-Certificates-to-Web-Tier-ELBs)  
-    0. [Web-Tier ELBs Health Check](Web-Tier-ELBs-Health-Check)  
-    0. [Enable ALB (ELBv2)-Access-Logging](Enable-ALB-(ELBv2)-Access-Logging)  
-    0. [Enable Elastic Load Balancing Deletion Protection](Enable-Elastic-Load-Balancing-Deletion-Protection)  
-    0. [ELBv2 Instances Distribution Across Availability Zones](ELBv2-Instances-Distribution-Across-Availability-Zones)  
-    0. [ALB (ELBv2)-Listener-Security](ALB-(ELBv2)-Listener-Security)  
-    0. [Minimum Number of EC2 Target Instances](Minimum-Number-of-EC2-Target-Instances)  
-    0. [ELBv2 Security Groups](ELBv2-Security-Groups)  
-    0. [ALB (ELBv2)-Security-Policy](ALB-(ELBv2)-Security-Policy)  
-    0. [Unused ELBs (ELBv2)](Unused-ELBs-(ELBv2))  
+    - [Enable HTTPS/SSL Listener for App-Tier ELBs](Enable-HTTPS/SSL-Listener-for-App-Tier-ELBs)  
+    - [Enable Latest SSL Security Policy for App-Tier ELBs](Enable-Latest-SSL-Security-Policy-for-App-Tier-ELBs)  
+    - [Add SSL/TLS Server Certificates to App-Tier ELBs](Add-SSL/TLS-Server-Certificates-to-App-Tier-ELBs)  
+    - [App-Tier ELBs Health Check](App-Tier-ELBs-Health-Check)  
+    - [Enable ELB Access Logging](Enable-ELB-Access-Logging)  
+    - [AWS Classic Load Balancer](AWS-Classic-Load-Balancer)  
+    - [Connection Draining Enabled](Connection-Draining-Enabled)  
+    - [Enable ELB Cross-Zone Load Balancing](Enable-ELB-Cross-Zone-Load-Balancing)  
+    - [ELB insecure SSL ciphers](ELB-insecure-SSL-ciphers)  
+    - [ELB insecure SSL protocols](ELB-insecure-SSL-protocols)  
+    - [ELB Listener Security](ELB-Listener-Security)  
+    - [ELB minimum number of EC2 instances](ELB-minimum-number-of-EC2-instances)  
+    - [ELB Security Group](ELB-Security-Group)  
+    - [ELB Security Policy](ELB-Security-Policy)  
+    - [Remove unused ELBs](Remove-unused-ELBs)  
+    - [ELB Instances Distribution Across Availability Zones](ELB-Instances-Distribution-Across-Availability-Zones)  
+    - [Review AWS Internet Facing Load Balancers](Review-AWS-Internet-Facing-Load-Balancers)  
+    - [Enable HTTPS/SSL Listener for Web-Tier ELBs](Enable-HTTPS/SSL-Listener-for-Web-Tier-ELBs)  
+    - [Enable Latest SSL Security Policy for Web-Tier ELBs](Enable-Latest-SSL-Security-Policy-for-Web-Tier-ELBs)  
+    - [Add SSL/TLS Server Certificates to Web-Tier ELBs](Add-SSL/TLS-Server-Certificates-to-Web-Tier-ELBs)  
+    - [Web-Tier ELBs Health Check](Web-Tier-ELBs-Health-Check)  
+    - [Enable ALB (ELBv2)-Access-Logging](Enable-ALB-(ELBv2)-Access-Logging)  
+    - [Enable Elastic Load Balancing Deletion Protection](Enable-Elastic-Load-Balancing-Deletion-Protection)  
+    - [ELBv2 Instances Distribution Across Availability Zones](ELBv2-Instances-Distribution-Across-Availability-Zones)  
+    - [ALB (ELBv2)-Listener-Security](ALB-(ELBv2)-Listener-Security)  
+    - [Minimum Number of EC2 Target Instances](Minimum-Number-of-EC2-Target-Instances)  
+    - [ELBv2 Security Groups](ELBv2-Security-Groups)  
+    - [ALB (ELBv2)-Security-Policy](ALB-(ELBv2)-Security-Policy)  
+    - [Unused ELBs (ELBv2)](Unused-ELBs-(ELBv2))  
 1. [EMR](EMR)  
-    0. [EMR Cluster In VPC](EMR-Cluster-In-VPC)  
-    0. [EMR Desired Instance Type](EMR-Desired-Instance-Type)  
-    0. [EMR Instance Type Generation](EMR-Instance-Type-Generation)  
-    0. [Enable EMR In-Transit and At-Rest Encryption](Enable-EMR-In-Transit-and-At-Rest-Encryption)  
-    0. [Total Number of EMR Instances](Total-Number-of-EMR-Instances)  
+    - [EMR Cluster In VPC](EMR-Cluster-In-VPC)  
+    - [EMR Desired Instance Type](EMR-Desired-Instance-Type)  
+    - [EMR Instance Type Generation](EMR-Instance-Type-Generation)  
+    - [Enable EMR In-Transit and At-Rest Encryption](Enable-EMR-In-Transit-and-At-Rest-Encryption)  
+    - [Total Number of EMR Instances](Total-Number-of-EMR-Instances)  
 1. [GuardDuty](GuardDuty)  
-    0. [GuardDuty Findings](GuardDuty-Findings)  
-    0. [Monitor GuardDuty Configuration Changes](Monitor-GuardDuty-Configuration-Changes)  
-    0. [GuardDuty In Use](GuardDuty-In-Use)  
+    - [GuardDuty Findings](GuardDuty-Findings)  
+    - [Monitor GuardDuty Configuration Changes](Monitor-GuardDuty-Configuration-Changes)  
+    - [GuardDuty In Use](GuardDuty-In-Use)  
 1. [Health](Health)  
-    0. [AWS Health](AWS-Health)  
+    - [AWS Health](AWS-Health)  
 1. [IAM](IAM)  
-    0. [Unused IAM Access Keys](Unused-IAM-Access-Keys)  
-    0. [IAM Access Keys Rotation](IAM-Access-Keys-Rotation)  
-    0. [Unnecessary IAM Access Keys](Unnecessary-IAM-Access-Keys)  
-    0. [Enable Security Challenge Questions for your Account](Enable-Security-Challenge-Questions-for-your-Account)  
-    0. [Attach Policy to IAM Roles Associated with App-Tier EC2 Instances](Attach-Policy-to-IAM-Roles-Associated-with-App-Tier-EC2-Instances)  
-    0. [SSL/TLS Certificate Renewal](SSL/TLS-Certificate-Renewal)  
-    0. [Server Certificate Signature Algorithm](Server-Certificate-Signature-Algorithm)  
-    0. [IAM Server Certificate Size](IAM-Server-Certificate-Size)  
-    0. [Deprecated AWS Managed Policies In Use](Deprecated-AWS-Managed-Policies-In-Use)  
-    0. [IAM Users Unauthorized to Edit Access Policies](IAM-Users-Unauthorized-to-Edit-Access-Policies)  
-    0. [IAM Users with Admin Privileges](IAM-Users-with-Admin-Privileges)  
-    0. [Detect IAM Configuration Changes](Detect-IAM-Configuration-Changes)  
-    0. [IAM Group with Administrator Privileges In Use](IAM-Group-with-Administrator-Privileges-In-Use)  
-    0. [Unused IAM Groups](Unused-IAM-Groups)  
-    0. [Remove IAM Policies with Full Administrative Privileges](Remove-IAM-Policies-with-Full-Administrative-Privileges)  
-    0. [IAM Customer Managed Policy with Administrative Permissions In Use](IAM-Customer-Managed-Policy-with-Administrative-Permissions-In-Use)  
-    0. [IAM Role Policy Too Permissive](IAM-Role-Policy-Too-Permissive)  
-    0. [IAM User Present](IAM-User-Present)  
-    0. [Inactive IAM Users](Inactive-IAM-Users)  
-    0. [Unused IAM Users](Unused-IAM-Users)  
-    0. [IAM Users with Password and Access Keys](IAM-Users-with-Password-and-Access-Keys)  
-    0. [Valid IAM Identity Providers](Valid-IAM-Identity-Providers)  
-    0. [MFA Device Deactivated for IAM Users](MFA-Device-Deactivated-for-IAM-Users)  
-    0. [Enable MFA for IAM Users](Enable-MFA-for-IAM-Users)  
-    0. [IAM Master and IAM Manager Roles](IAM-Master-and-IAM-Manager-Roles)  
-    0. [IAM Password Expiry](IAM-Password-Expiry)  
-    0. [IAM Password Policy](IAM-Password-Policy)  
-    0. [Root Account Access Keys](Root-Account-Access-Keys)  
-    0. [Root Account Credentials Usage](Root-Account-Credentials-Usage)  
-    0. [Root Account Active Signing Certificates](Root-Account-Active-Signing-Certificates)  
-    0. [Enable Hardware MFA for Root Account](Enable-Hardware-MFA-for-Root-Account)  
-    0. [Enable MFA for Root Account](Enable-MFA-for-Root-Account)  
-    0. [IAM SSH Public Keys Rotation (90-Days)](IAM-SSH-Public-Keys-Rotation-(90-Days))  
-    0. [Unnecessary IAM SSH Public Keys](Unnecessary-IAM-SSH-Public-Keys)  
-    0. [IAM Support Role](IAM-Support-Role)  
+    - [Unused IAM Access Keys](Unused-IAM-Access-Keys)  
+    - [IAM Access Keys Rotation](IAM-Access-Keys-Rotation)  
+    - [Unnecessary IAM Access Keys](Unnecessary-IAM-Access-Keys)  
+    - [Enable Security Challenge Questions for your Account](Enable-Security-Challenge-Questions-for-your-Account)  
+    - [Attach Policy to IAM Roles Associated with App-Tier EC2 Instances](Attach-Policy-to-IAM-Roles-Associated-with-App-Tier-EC2-Instances)  
+    - [SSL/TLS Certificate Renewal](SSL/TLS-Certificate-Renewal)  
+    - [Server Certificate Signature Algorithm](Server-Certificate-Signature-Algorithm)  
+    - [IAM Server Certificate Size](IAM-Server-Certificate-Size)  
+    - [Deprecated AWS Managed Policies In Use](Deprecated-AWS-Managed-Policies-In-Use)  
+    - [IAM Users Unauthorized to Edit Access Policies](IAM-Users-Unauthorized-to-Edit-Access-Policies)  
+    - [IAM Users with Admin Privileges](IAM-Users-with-Admin-Privileges)  
+    - [Detect IAM Configuration Changes](Detect-IAM-Configuration-Changes)  
+    - [IAM Group with Administrator Privileges In Use](IAM-Group-with-Administrator-Privileges-In-Use)  
+    - [Unused IAM Groups](Unused-IAM-Groups)  
+    - [Remove IAM Policies with Full Administrative Privileges](Remove-IAM-Policies-with-Full-Administrative-Privileges)  
+    - [IAM Customer Managed Policy with Administrative Permissions In Use](IAM-Customer-Managed-Policy-with-Administrative-Permissions-In-Use)  
+    - [IAM Role Policy Too Permissive](IAM-Role-Policy-Too-Permissive)  
+    - [IAM User Present](IAM-User-Present)  
+    - [Inactive IAM Users](Inactive-IAM-Users)  
+    - [Unused IAM Users](Unused-IAM-Users)  
+    - [IAM Users with Password and Access Keys](IAM-Users-with-Password-and-Access-Keys)  
+    - [Valid IAM Identity Providers](Valid-IAM-Identity-Providers)  
+    - [MFA Device Deactivated for IAM Users](MFA-Device-Deactivated-for-IAM-Users)  
+    - [Enable MFA for IAM Users](Enable-MFA-for-IAM-Users)  
+    - [IAM Master and IAM Manager Roles](IAM-Master-and-IAM-Manager-Roles)  
+    - [IAM Password Expiry](IAM-Password-Expiry)  
+    - [IAM Password Policy](IAM-Password-Policy)  
+    - [Root Account Access Keys](Root-Account-Access-Keys)  
+    - [Root Account Credentials Usage](Root-Account-Credentials-Usage)  
+    - [Root Account Active Signing Certificates](Root-Account-Active-Signing-Certificates)  
+    - [Enable Hardware MFA for Root Account](Enable-Hardware-MFA-for-Root-Account)  
+    - [Enable MFA for Root Account](Enable-MFA-for-Root-Account)  
+    - [IAM SSH Public Keys Rotation (90-Days)](IAM-SSH-Public-Keys-Rotation-(90-Days))  
+    - [Unnecessary IAM SSH Public Keys](Unnecessary-IAM-SSH-Public-Keys)  
+    - [IAM Support Role](IAM-Support-Role)  
 1. [Inspector](Inspector)  
-    0. [AWS Inspector Findings](AWS-Inspector-Findings)  
+    - [AWS Inspector Findings](AWS-Inspector-Findings)  
 1. [KMS](KMS)  
-    0. [App-Tier Customer Master Key In Use](App-Tier-Customer-Master-Key-In-Use)  
-    0. [KMS Customer Master Key In Use](KMS-Customer-Master-Key-In-Use)  
-    0. [Database Tier Customer Master Key In Use](Database-Tier-Customer-Master-Key-In-Use)  
-    0. [Default KMS Key Usage](Default-KMS-Key-Usage)  
-    0. [Disabled KMS keys](Disabled-KMS-keys)  
-    0. [Monitor KMS Configuration Changes](Monitor-KMS-Configuration-Changes)  
-    0. [KMS Unknown Cross Account Access](KMS-Unknown-Cross-Account-Access)  
-    0. [KMS Exposed Keys](KMS-Exposed-Keys)  
-    0. [Recover KMS Customer Master Keys](Recover-KMS-Customer-Master-Keys)  
-    0. [Enable KMS Key Rotation](Enable-KMS-Key-Rotation)  
-    0. [Remove unused KMS keys](Remove-unused-KMS-keys)  
-    0. [Web-Tier Customer Master Key In Use](Web-Tier-Customer-Master-Key-In-Use)  
+    - [App-Tier Customer Master Key In Use](App-Tier-Customer-Master-Key-In-Use)  
+    - [KMS Customer Master Key In Use](KMS-Customer-Master-Key-In-Use)  
+    - [Database Tier Customer Master Key In Use](Database-Tier-Customer-Master-Key-In-Use)  
+    - [Default KMS Key Usage](Default-KMS-Key-Usage)  
+    - [Disabled KMS keys](Disabled-KMS-keys)  
+    - [Monitor KMS Configuration Changes](Monitor-KMS-Configuration-Changes)  
+    - [KMS Unknown Cross Account Access](KMS-Unknown-Cross-Account-Access)  
+    - [KMS Exposed Keys](KMS-Exposed-Keys)  
+    - [Recover KMS Customer Master Keys](Recover-KMS-Customer-Master-Keys)  
+    - [Enable KMS Key Rotation](Enable-KMS-Key-Rotation)  
+    - [Remove unused KMS keys](Remove-unused-KMS-keys)  
+    - [Web-Tier Customer Master Key In Use](Web-Tier-Customer-Master-Key-In-Use)  
 1. [Lambda](Lambda)  
-    0. [Exposed Lambda Functions](Exposed-Lambda-Functions)  
-    0. [Lambda Functions with Admin Privileges](Lambda-Functions-with-Admin-Privileges)  
-    0. [Lambda Unknown Cross Account Access](Lambda-Unknown-Cross-Account-Access)  
-    0. [Lambda Runtime Environment Version](Lambda-Runtime-Environment-Version)  
-    0. [An IAM role for a Lambda Function](An-IAM-role-for-a-Lambda-Function)  
+    - [Exposed Lambda Functions](Exposed-Lambda-Functions)  
+    - [Lambda Functions with Admin Privileges](Lambda-Functions-with-Admin-Privileges)  
+    - [Lambda Unknown Cross Account Access](Lambda-Unknown-Cross-Account-Access)  
+    - [Lambda Runtime Environment Version](Lambda-Runtime-Environment-Version)  
+    - [An IAM role for a Lambda Function](An-IAM-role-for-a-Lambda-Function)  
 1. [Organizations](Organizations)  
-    0. [Monitor AWS Org. Configuration Changes](Monitor-AWS-Org.-Configuration-Changes)  
-    0. [Enable All Features](Enable-All-Features)  
-    0. [AWS Organizations In Use](AWS-Organizations-In-Use)  
+    - [Monitor AWS Org. Configuration Changes](Monitor-AWS-Org.-Configuration-Changes)  
+    - [Enable All Features](Enable-All-Features)  
+    - [AWS Organizations In Use](AWS-Organizations-In-Use)  
 1. [RDS](RDS)  
-    0. [Aurora Database Instance Accessibility](Aurora-Database-Instance-Accessibility)  
-    0. [RDS Auto Minor Version Upgrade](RDS-Auto-Minor-Version-Upgrade)  
-    0. [Enable RDS Automated Backups](Enable-RDS-Automated-Backups)  
-    0. [Enable RDS Deletion Protection](Enable-RDS-Deletion-Protection)  
-    0. [Enable RDS Encryption](Enable-RDS-Encryption)  
-    0. [RDS Free Storage Space](RDS-Free-Storage-Space)  
-    0. [Enable IAM Database Authentication](Enable-IAM-Database-Authentication)  
-    0. [Total Number of Provisioned RDS Instances](Total-Number-of-Provisioned-RDS-Instances)  
-    0. [RDS Multi-AZ](RDS-Multi-AZ)  
-    0. [Overutilized RDS Instances](Overutilized-RDS-Instances)  
-    0. [Publicly Accessible RDS Instances](Publicly-Accessible-RDS-Instances)  
-    0. [Use Data-Tier Security Group for RDS Databases](Use-Data-Tier-Security-Group-for-RDS-Databases)  
-    0. [RDS Database Default Port](RDS-Database-Default-Port)  
-    0. [Use KMS Customer Master Keys for RDS encryption](Use-KMS-Customer-Master-Keys-for-RDS-encryption)  
-    0. [RDS General Purpose SSD Storage Type](RDS-General-Purpose-SSD-Storage-Type)  
-    0. [RDS Instance Not In Public Subnet](RDS-Instance-Not-In-Public-Subnet)  
-    0. [RDS Database Master Username](RDS-Database-Master-Username)  
-    0. [RDS Public Snapshots](RDS-Public-Snapshots)  
-    0. [RDS Sufficient Backup Retention Period](RDS-Sufficient-Backup-Retention-Period)  
-    0. [Enable RDS Transport Encryption](Enable-RDS-Transport-Encryption)  
-    0. [Underutilized RDS Instances](Underutilized-RDS-Instances)  
-    0. [Unrestricted RDS DB Security Group](Unrestricted-RDS-DB-Security-Group)  
-    0. [Enable Route 53 Domain Auto Renew](Enable-Route-53-Domain-Auto-Renew)  
-    0. [Create DNS Alias Record for Root Domain](Create-DNS-Alias-Record-for-Root-Domain)  
-    0. [Remove Route 53 Dangling DNS Records](Remove-Route-53-Dangling-DNS-Records)  
-    0. [Expired Route 53 Domain Names](Expired-Route-53-Domain-Names)  
-    0. [Route 53 Domain Name Renewal](Route-53-Domain-Name-Renewal)  
-    0. [Enable Privacy Protection for Route 53 Domains](Enable-Privacy-Protection-for-Route-53-Domains)  
-    0. [Root Domain Alias Records that Point to ELB](Root-Domain-Alias-Records-that-Point-to-ELB)  
-    0. [Monitor Route 53 Configuration Changes](Monitor-Route-53-Configuration-Changes)  
-    0. [Route 53 DNS In Use](Route-53-DNS-In-Use)  
-    0. [Route 53 SPF DNS Records](Route-53-SPF-DNS-Records)  
-    0. [Enable Route 53 Domain Transfer Lock](Enable-Route-53-Domain-Transfer-Lock)  
-    0. [Monitor Route 53 Domains Configuration Changes](Monitor-Route-53-Domains-Configuration-Changes)  
+    - [Aurora Database Instance Accessibility](Aurora-Database-Instance-Accessibility)  
+    - [RDS Auto Minor Version Upgrade](RDS-Auto-Minor-Version-Upgrade)  
+    - [Enable RDS Automated Backups](Enable-RDS-Automated-Backups)  
+    - [Enable RDS Deletion Protection](Enable-RDS-Deletion-Protection)  
+    - [Enable RDS Encryption](Enable-RDS-Encryption)  
+    - [RDS Free Storage Space](RDS-Free-Storage-Space)  
+    - [Enable IAM Database Authentication](Enable-IAM-Database-Authentication)  
+    - [Total Number of Provisioned RDS Instances](Total-Number-of-Provisioned-RDS-Instances)  
+    - [RDS Multi-AZ](RDS-Multi-AZ)  
+    - [Overutilized RDS Instances](Overutilized-RDS-Instances)  
+    - [Publicly Accessible RDS Instances](Publicly-Accessible-RDS-Instances)  
+    - [Use Data-Tier Security Group for RDS Databases](Use-Data-Tier-Security-Group-for-RDS-Databases)  
+    - [RDS Database Default Port](RDS-Database-Default-Port)  
+    - [Use KMS Customer Master Keys for RDS encryption](Use-KMS-Customer-Master-Keys-for-RDS-encryption)  
+    - [RDS General Purpose SSD Storage Type](RDS-General-Purpose-SSD-Storage-Type)  
+    - [RDS Instance Not In Public Subnet](RDS-Instance-Not-In-Public-Subnet)  
+    - [RDS Database Master Username](RDS-Database-Master-Username)  
+    - [RDS Public Snapshots](RDS-Public-Snapshots)  
+    - [RDS Sufficient Backup Retention Period](RDS-Sufficient-Backup-Retention-Period)  
+    - [Enable RDS Transport Encryption](Enable-RDS-Transport-Encryption)  
+    - [Underutilized RDS Instances](Underutilized-RDS-Instances)  
+    - [Unrestricted RDS DB Security Group](Unrestricted-RDS-DB-Security-Group)  
+    - [Enable Route 53 Domain Auto Renew](Enable-Route-53-Domain-Auto-Renew)  
+    - [Create DNS Alias Record for Root Domain](Create-DNS-Alias-Record-for-Root-Domain)  
+    - [Remove Route 53 Dangling DNS Records](Remove-Route-53-Dangling-DNS-Records)  
+    - [Expired Route 53 Domain Names](Expired-Route-53-Domain-Names)  
+    - [Route 53 Domain Name Renewal](Route-53-Domain-Name-Renewal)  
+    - [Enable Privacy Protection for Route 53 Domains](Enable-Privacy-Protection-for-Route-53-Domains)  
+    - [Root Domain Alias Records that Point to ELB](Root-Domain-Alias-Records-that-Point-to-ELB)  
+    - [Monitor Route 53 Configuration Changes](Monitor-Route-53-Configuration-Changes)  
+    - [Route 53 DNS In Use](Route-53-DNS-In-Use)  
+    - [Route 53 SPF DNS Records](Route-53-SPF-DNS-Records)  
+    - [Enable Route 53 Domain Transfer Lock](Enable-Route-53-Domain-Transfer-Lock)  
+    - [Monitor Route 53 Domains Configuration Changes](Monitor-Route-53-Domains-Configuration-Changes)  
 1. [ResourceGroup](ResourceGroup)  
-    0. [Use tags to organize AWS resources](Use-tags-to-organize-AWS-resources)  
-    0. [S3 Bucket Authenticated ‘FULL_CONTROL’ Access](S3-Bucket-Authenticated-‘FULL_CONTROL’-Access)  
-    0. [S3 Bucket Authenticated ‘READ’ Access](S3-Bucket-Authenticated-‘READ’-Access)  
-    0. [S3 Bucket Authenticated ‘READ_ACP’ Access](S3-Bucket-Authenticated-‘READ_ACP’-Access)  
-    0. [S3 Bucket Authenticated ‘WRITE’ Access](S3-Bucket-Authenticated-‘WRITE’-Access)  
-    0. [S3 Bucket Authenticated ‘WRITE_ACP’ Access](S3-Bucket-Authenticated-‘WRITE_ACP’-Access)  
-    0. [Enable S3 Bucket Default Encryption](Enable-S3-Bucket-Default-Encryption)  
-    0. [Enable Access Logging for S3 Buckets](Enable-Access-Logging-for-S3-Buckets)  
-    0. [Enable MFA Delete for S3 Buckets](Enable-MFA-Delete-for-S3-Buckets)  
-    0. [S3 Bucket Public Access Via Policy](S3-Bucket-Public-Access-Via-Policy)  
-    0. [Publicly Accessible S3 Buckets](Publicly-Accessible-S3-Buckets)  
-    0. [S3 Bucket Public ‘READ’ Access](S3-Bucket-Public-‘READ’-Access)  
-    0. [S3 Bucket Public ‘READ_ACP’ Access](S3-Bucket-Public-‘READ_ACP’-Access)  
-    0. [S3 Bucket Public ‘WRITE’ Access](S3-Bucket-Public-‘WRITE’-Access)  
-    0. [S3 Bucket Public ‘WRITE_ACP’ Access](S3-Bucket-Public-‘WRITE_ACP’-Access)  
-    0. [Enable Versioning for S3 Buckets](Enable-Versioning-for-S3-Buckets)  
-    0. [Review S3 Buckets with Website Configuration Enabled](Review-S3-Buckets-with-Website-Configuration-Enabled)  
-    0. [Detect S3 Configuration Changes](Detect-S3-Configuration-Changes)  
-    0. [S3 Unknown Cross Account Access](S3-Unknown-Cross-Account-Access)  
-    0. [Secure Transport](Secure-Transport)  
-    0. [Server-Side Encryption](Server-Side-Encryption)  
-    0. [Limit S3 Bucket Access by IP Address](Limit-S3-Bucket-Access-by-IP-Address)  
+    - [Use tags to organize AWS resources](Use-tags-to-organize-AWS-resources)  
+    - [S3 Bucket Authenticated ‘FULL_CONTROL’ Access](S3-Bucket-Authenticated-‘FULL_CONTROL’-Access)  
+    - [S3 Bucket Authenticated ‘READ’ Access](S3-Bucket-Authenticated-‘READ’-Access)  
+    - [S3 Bucket Authenticated ‘READ_ACP’ Access](S3-Bucket-Authenticated-‘READ_ACP’-Access)  
+    - [S3 Bucket Authenticated ‘WRITE’ Access](S3-Bucket-Authenticated-‘WRITE’-Access)  
+    - [S3 Bucket Authenticated ‘WRITE_ACP’ Access](S3-Bucket-Authenticated-‘WRITE_ACP’-Access)  
+    - [Enable S3 Bucket Default Encryption](Enable-S3-Bucket-Default-Encryption)  
+    - [Enable Access Logging for S3 Buckets](Enable-Access-Logging-for-S3-Buckets)  
+    - [Enable MFA Delete for S3 Buckets](Enable-MFA-Delete-for-S3-Buckets)  
+    - [S3 Bucket Public Access Via Policy](S3-Bucket-Public-Access-Via-Policy)  
+    - [Publicly Accessible S3 Buckets](Publicly-Accessible-S3-Buckets)  
+    - [S3 Bucket Public ‘READ’ Access](S3-Bucket-Public-‘READ’-Access)  
+    - [S3 Bucket Public ‘READ_ACP’ Access](S3-Bucket-Public-‘READ_ACP’-Access)  
+    - [S3 Bucket Public ‘WRITE’ Access](S3-Bucket-Public-‘WRITE’-Access)  
+    - [S3 Bucket Public ‘WRITE_ACP’ Access](S3-Bucket-Public-‘WRITE_ACP’-Access)  
+    - [Enable Versioning for S3 Buckets](Enable-Versioning-for-S3-Buckets)  
+    - [Review S3 Buckets with Website Configuration Enabled](Review-S3-Buckets-with-Website-Configuration-Enabled)  
+    - [Detect S3 Configuration Changes](Detect-S3-Configuration-Changes)  
+    - [S3 Unknown Cross Account Access](S3-Unknown-Cross-Account-Access)  
+    - [Secure Transport](Secure-Transport)  
+    - [Server-Side Encryption](Server-Side-Encryption)  
+    - [Limit S3 Bucket Access by IP Address](Limit-S3-Bucket-Access-by-IP-Address)  
 1. [SES](SES)  
-    0. [Enable DKIM for SES](Enable-DKIM-for-SES)  
-    0. [Unknown Cross-Account Access](Unknown-Cross-Account-Access)  
-    0. [Exposed SES Identities](Exposed-SES-Identities)  
-    0. [SES Identity Verification Status](SES-Identity-Verification-Status)  
+    - [Enable DKIM for SES](Enable-DKIM-for-SES)  
+    - [Unknown Cross-Account Access](Unknown-Cross-Account-Access)  
+    - [Exposed SES Identities](Exposed-SES-Identities)  
+    - [SES Identity Verification Status](SES-Identity-Verification-Status)  
 1. [Shield](Shield)  
-    0. [AWS Shield In Use](AWS-Shield-In-Use)  
+    - [AWS Shield In Use](AWS-Shield-In-Use)  
 1. [TrustedAdvisor](TrustedAdvisor)  
-    0. [Trusted Advisor Checks](Trusted-Advisor-Checks)  
-    0. [Exposed IAM Access Keys](Exposed-IAM-Access-Keys)  
+    - [Trusted Advisor Checks](Trusted-Advisor-Checks)  
+    - [Exposed IAM Access Keys](Exposed-IAM-Access-Keys)  
 1. [VPC](VPC)  
-    0. [Allocate Elastic IPs for NAT Gateways](Allocate-Elastic-IPs-for-NAT-Gateways)  
-    0. [Create App-Tier VPC Subnets](Create-App-Tier-VPC-Subnets)  
-    0. [Create Data-Tier VPC Subnets](Create-Data-Tier-VPC-Subnets)  
-    0. [Default VPC In Use](Default-VPC-In-Use)  
-    0. [Unused VPC Internet Gateways](Unused-VPC-Internet-Gateways)  
-    0. [Use Managed NAT Gateway for VPC](Use-Managed-NAT-Gateway-for-VPC)  
-    0. [Create NAT Gateways in at Least Two Availability Zones](Create-NAT-Gateways-in-at-Least-Two-Availability-Zones)  
-    0. [Ineffective Network ACL DENY Rules](Ineffective-Network-ACL-DENY-Rules)  
-    0. [Unrestricted Network ACL Inbound Traffic](Unrestricted-Network-ACL-Inbound-Traffic)  
-    0. [Unrestricted Network ACL Outbound Traffic](Unrestricted-Network-ACL-Outbound-Traffic)  
-    0. [Create Route Table for Private Subnets](Create-Route-Table-for-Private-Subnets)  
-    0. [Create Route Table for Public Subnets](Create-Route-Table-for-Public-Subnets)  
-    0. [Enable Flow Logs for VPC Subnets](Enable-Flow-Logs-for-VPC-Subnets)  
-    0. [VPC Endpoint Unknown Cross Account Access](VPC-Endpoint-Unknown-Cross-Account-Access)  
-    0. [VPC Exposed Endpoints](VPC-Exposed-Endpoints)  
-    0. [VPC Endpoints In Use](VPC-Endpoints-In-Use)  
-    0. [Enable VPC Flow Logs](Enable-VPC-Flow-Logs)  
-    0. [VPC Naming Conventions](VPC-Naming-Conventions)  
-    0. [VPC Peering Connection Configuration](VPC-Peering-Connection-Configuration)  
-    0. [Unused Virtual Private Gateways](Unused-Virtual-Private-Gateways)  
-    0. [Create Web-Tier ELB Subnets](Create-Web-Tier-ELB-Subnets)  
-    0. [Create Web-Tier VPC Subnets](Create-Web-Tier-VPC-Subnets)  
+    - [Allocate Elastic IPs for NAT Gateways](Allocate-Elastic-IPs-for-NAT-Gateways)  
+    - [Create App-Tier VPC Subnets](Create-App-Tier-VPC-Subnets)  
+    - [Create Data-Tier VPC Subnets](Create-Data-Tier-VPC-Subnets)  
+    - [Default VPC In Use](Default-VPC-In-Use)  
+    - [Unused VPC Internet Gateways](Unused-VPC-Internet-Gateways)  
+    - [Use Managed NAT Gateway for VPC](Use-Managed-NAT-Gateway-for-VPC)  
+    - [Create NAT Gateways in at Least Two Availability Zones](Create-NAT-Gateways-in-at-Least-Two-Availability-Zones)  
+    - [Ineffective Network ACL DENY Rules](Ineffective-Network-ACL-DENY-Rules)  
+    - [Unrestricted Network ACL Inbound Traffic](Unrestricted-Network-ACL-Inbound-Traffic)  
+    - [Unrestricted Network ACL Outbound Traffic](Unrestricted-Network-ACL-Outbound-Traffic)  
+    - [Create Route Table for Private Subnets](Create-Route-Table-for-Private-Subnets)  
+    - [Create Route Table for Public Subnets](Create-Route-Table-for-Public-Subnets)  
+    - [Enable Flow Logs for VPC Subnets](Enable-Flow-Logs-for-VPC-Subnets)  
+    - [VPC Endpoint Unknown Cross Account Access](VPC-Endpoint-Unknown-Cross-Account-Access)  
+    - [VPC Exposed Endpoints](VPC-Exposed-Endpoints)  
+    - [VPC Endpoints In Use](VPC-Endpoints-In-Use)  
+    - [Enable VPC Flow Logs](Enable-VPC-Flow-Logs)  
+    - [VPC Naming Conventions](VPC-Naming-Conventions)  
+    - [VPC Peering Connection Configuration](VPC-Peering-Connection-Configuration)  
+    - [Unused Virtual Private Gateways](Unused-Virtual-Private-Gateways)  
+    - [Create Web-Tier ELB Subnets](Create-Web-Tier-ELB-Subnets)  
+    - [Create Web-Tier VPC Subnets](Create-Web-Tier-VPC-Subnets)  
 1. [WAF](WAF)  
-    0. [AWS Web Application Firewall In Use](AWS-Web-Application-Firewall-In-Use)  
+    - [AWS Web Application Firewall In Use](AWS-Web-Application-Firewall-In-Use)  
 
 
 ---
@@ -518,8 +518,8 @@
 
 ### CloudFront Security Policy
 **Risk**: Medium  
-**Description**: Ensure that CloudFront distributions use a security policy with minimum TLSv0.  or TLSv1.2 and appropriate security ciphers for HTTPS viewer connections.     
-**Resolution**: Enable security policies that enforce TLS version 0.  or 1.2 as the minimum protocol version    
+**Description**: Ensure that CloudFront distributions use a security policy with minimum TLSv-  or TLSv1.2 and appropriate security ciphers for HTTPS viewer connections.     
+**Resolution**: Enable security policies that enforce TLS version -  or 1.2 as the minimum protocol version    
 
 ### Unencrypted CloudFront Traffic
 **Risk**: Medium  

diff --git a/aws_sercurity_test.md b/aws_sercurity_test.md
@@ -1,372 +1,372 @@
 # Table of Contents
 
 1. [ACM](ACM)  
-    1. [Expired ACM Certificates](Expired-ACM-Certificates)  
-    1. [ACM Certificates Renewal](ACM-Certificates-Renewal)  
-    1. [ACM Certificates Validity](ACM-Certificates-Validity)  
+    0. [Expired ACM Certificates](Expired-ACM-Certificates)  
+    0. [ACM Certificates Renewal](ACM-Certificates-Renewal)  
+    0. [ACM Certificates Validity](ACM-Certificates-Validity)  
 1. [API Gateway](API-Gateway)  
-    1. [Enable CloudWatch Logs for APIs](Enable-CloudWatch-Logs-for-APIs)  
-    1. [Enable Detailed CloudWatch Metrics for APIs](Enable-Detailed-CloudWatch-Metrics-for-APIs)  
-    1. [API Gateway Private Endpoints](API-Gateway-Private-Endpoints)  
+    0. [Enable CloudWatch Logs for APIs](Enable-CloudWatch-Logs-for-APIs)  
+    0. [Enable Detailed CloudWatch Metrics for APIs](Enable-Detailed-CloudWatch-Metrics-for-APIs)  
+    0. [API Gateway Private Endpoints](API-Gateway-Private-Endpoints)  
 1. [AutoScaling](AutoScaling)  
-    1. [ASG Cooldown Period](ASG-Cooldown-Period)  
-    1. [Enable ASG Notifications](Enable-ASG-Notifications)  
-    1. [App-Tier ASGs with Associated ELB](App-Tier-ASGs-with-Associated-ELB)  
-    1. [CloudWatch Logs Agent for App-Tier ASG In Use](CloudWatch-Logs-Agent-for-App-Tier-ASG-In-Use)  
-    1. [IAM Roles for App-Tier ASG Launch Configurations](IAM-Roles-for-App-Tier-ASG-Launch-Configurations)  
-    1. [Use Approved AMIs for App-Tier ASG Launch Configurations](Use-Approved-AMIs-for-App-Tier-ASG-Launch-Configurations)  
-    1. [Auto Scaling Group Referencing Missing ELB](Auto-Scaling-Group-Referencing-Missing-ELB)  
-    1. [Empty Auto Scaling Groups](Empty-Auto-Scaling-Groups)  
-    1. [Launch Configuration Referencing Missing AMI](Launch-Configuration-Referencing-Missing-AMI)  
-    1. [Launch Configuration Referencing Missing Security Group](Launch-Configuration-Referencing-Missing-Security-Group)  
-    1. [Unused Launch Configuration Templates](Unused-Launch-Configuration-Templates)  
-    1. [Multi-AZ Auto Scaling Groups](Multi-AZ-Auto-Scaling-Groups)  
-    1. [Same ELB Availability Zones](Same-ELB-Availability-Zones)  
-    1. [Suspended Auto Scaling Group Processes](Suspended-Auto-Scaling-Group-Processes)  
-    1. [Web-Tier Auto Scaling Groups with Associated ELBs](Web-Tier-Auto-Scaling-Groups-with-Associated-ELBs)  
-    1. [Use Approved AMIs for Web-Tier ASG Launch Configurations](Use-Approved-AMIs-for-Web-Tier-ASG-Launch-Configurations)  
+    0. [ASG Cooldown Period](ASG-Cooldown-Period)  
+    0. [Enable ASG Notifications](Enable-ASG-Notifications)  
+    0. [App-Tier ASGs with Associated ELB](App-Tier-ASGs-with-Associated-ELB)  
+    0. [CloudWatch Logs Agent for App-Tier ASG In Use](CloudWatch-Logs-Agent-for-App-Tier-ASG-In-Use)  
+    0. [IAM Roles for App-Tier ASG Launch Configurations](IAM-Roles-for-App-Tier-ASG-Launch-Configurations)  
+    0. [Use Approved AMIs for App-Tier ASG Launch Configurations](Use-Approved-AMIs-for-App-Tier-ASG-Launch-Configurations)  
+    0. [Auto Scaling Group Referencing Missing ELB](Auto-Scaling-Group-Referencing-Missing-ELB)  
+    0. [Empty Auto Scaling Groups](Empty-Auto-Scaling-Groups)  
+    0. [Launch Configuration Referencing Missing AMI](Launch-Configuration-Referencing-Missing-AMI)  
+    0. [Launch Configuration Referencing Missing Security Group](Launch-Configuration-Referencing-Missing-Security-Group)  
+    0. [Unused Launch Configuration Templates](Unused-Launch-Configuration-Templates)  
+    0. [Multi-AZ Auto Scaling Groups](Multi-AZ-Auto-Scaling-Groups)  
+    0. [Same ELB Availability Zones](Same-ELB-Availability-Zones)  
+    0. [Suspended Auto Scaling Group Processes](Suspended-Auto-Scaling-Group-Processes)  
+    0. [Web-Tier Auto Scaling Groups with Associated ELBs](Web-Tier-Auto-Scaling-Groups-with-Associated-ELBs)  
+    0. [Use Approved AMIs for Web-Tier ASG Launch Configurations](Use-Approved-AMIs-for-Web-Tier-ASG-Launch-Configurations)  
 1. [CloudFront](CloudFront)  
-    1. [CloudFront CDN In Use](CloudFront-CDN-In-Use)  
-    1. [CloudFront WAF Integration](CloudFront-WAF-Integration)  
-    1. [Enable Origin Access Identity for CloudFront Distributions with S3 Origin](Enable-Origin-Access-Identity-for-CloudFront-Distributions-with-S3-Origin)  
-    1. [CloudFront Origin Insecure SSL Protocols](CloudFront-Origin-Insecure-SSL-Protocols)  
-    1. [CloudFront Security Policy](CloudFront-Security-Policy)  
-    1. [Unencrypted CloudFront Traffic](Unencrypted-CloudFront-Traffic)  
-    1. [Use Cloudfront CDN](Use-Cloudfront-CDN)  
+    0. [CloudFront CDN In Use](CloudFront-CDN-In-Use)  
+    0. [CloudFront WAF Integration](CloudFront-WAF-Integration)  
+    0. [Enable Origin Access Identity for CloudFront Distributions with S3 Origin](Enable-Origin-Access-Identity-for-CloudFront-Distributions-with-S3-Origin)  
+    0. [CloudFront Origin Insecure SSL Protocols](CloudFront-Origin-Insecure-SSL-Protocols)  
+    0. [CloudFront Security Policy](CloudFront-Security-Policy)  
+    0. [Unencrypted CloudFront Traffic](Unencrypted-CloudFront-Traffic)  
+    0. [Use Cloudfront CDN](Use-Cloudfront-CDN)  
 1. [CloudTrail](CloudTrail)  
-    1. [Enable access logging for CloudTrail buckets](Enable-access-logging-for-CloudTrail-buckets)  
-    1. [Enable MFA Delete for CloudTrail bucket](Enable-MFA-Delete-for-CloudTrail-bucket)  
-    1. [CloudTrail insecure buckets](CloudTrail-insecure-buckets)  
-    1. [Monitor CloudTrail Configuration Changes](Monitor-CloudTrail-Configuration-Changes)  
-    1. [Enable CloudTrail integration with CloudWatch](Enable-CloudTrail-integration-with-CloudWatch)  
-    1. [Enable CloudTrail log file integrity validation](Enable-CloudTrail-log-file-integrity-validation)  
-    1. [Enable CloudTrail log files encryption](Enable-CloudTrail-log-files-encryption)  
-    1. [CloudTrail Log Files Delivery Failing](CloudTrail-Log-Files-Delivery-Failing)  
+    0. [Enable access logging for CloudTrail buckets](Enable-access-logging-for-CloudTrail-buckets)  
+    0. [Enable MFA Delete for CloudTrail bucket](Enable-MFA-Delete-for-CloudTrail-bucket)  
+    0. [CloudTrail insecure buckets](CloudTrail-insecure-buckets)  
+    0. [Monitor CloudTrail Configuration Changes](Monitor-CloudTrail-Configuration-Changes)  
+    0. [Enable CloudTrail integration with CloudWatch](Enable-CloudTrail-integration-with-CloudWatch)  
+    0. [Enable CloudTrail log file integrity validation](Enable-CloudTrail-log-file-integrity-validation)  
+    0. [Enable CloudTrail log files encryption](Enable-CloudTrail-log-files-encryption)  
+    0. [CloudTrail Log Files Delivery Failing](CloudTrail-Log-Files-Delivery-Failing)  
 1. [CloudWatch](CloudWatch)  
-    1. [Enable AWS Billing Alerts](Enable-AWS-Billing-Alerts)  
-    1. [Enable CloudWatch Billing Alarm](Enable-CloudWatch-Billing-Alarm)  
-    1. [Exposed CloudWatch Event Bus](Exposed-CloudWatch-Event-Bus)  
-    1. [CloudWatch Events In Use](CloudWatch-Events-In-Use)  
-    1. [Alarm for Config Changes](Alarm-for-Config-Changes)  
-    1. [Alarm for Organizations Changes](Alarm-for-Organizations-Changes)  
-    1. [Alarm for multiple Sign-in Failures](Alarm-for-multiple-Sign-in-Failures)  
-    1. [Monitor for AWS Console Sign-In Requests Without MFA](Monitor-for-AWS-Console-Sign-In-Requests-Without-MFA)  
-    1. [Alarm for EC2 Instance Changes](Alarm-for-EC2-Instance-Changes)  
-    1. [Alarm for EC2 Large Instance Changes](Alarm-for-EC2-Large-Instance-Changes)  
-    1. [Alarm for Root Account Usage](Alarm-for-Root-Account-Usage)  
-    1. [Alarm for S3 Bucket Changes](Alarm-for-S3-Bucket-Changes)  
+    0. [Enable AWS Billing Alerts](Enable-AWS-Billing-Alerts)  
+    0. [Enable CloudWatch Billing Alarm](Enable-CloudWatch-Billing-Alarm)  
+    0. [Exposed CloudWatch Event Bus](Exposed-CloudWatch-Event-Bus)  
+    0. [CloudWatch Events In Use](CloudWatch-Events-In-Use)  
+    0. [Alarm for Config Changes](Alarm-for-Config-Changes)  
+    0. [Alarm for Organizations Changes](Alarm-for-Organizations-Changes)  
+    0. [Alarm for multiple Sign-in Failures](Alarm-for-multiple-Sign-in-Failures)  
+    0. [Monitor for AWS Console Sign-In Requests Without MFA](Monitor-for-AWS-Console-Sign-In-Requests-Without-MFA)  
+    0. [Alarm for EC2 Instance Changes](Alarm-for-EC2-Instance-Changes)  
+    0. [Alarm for EC2 Large Instance Changes](Alarm-for-EC2-Large-Instance-Changes)  
+    0. [Alarm for Root Account Usage](Alarm-for-Root-Account-Usage)  
+    0. [Alarm for S3 Bucket Changes](Alarm-for-S3-Bucket-Changes)  
 1. [Config](Config)  
-    1. [Monitor AWS Config configuration changes](Monitor-AWS-Config-configuration-changes)  
-    1. [Enable AWS Config](Enable-AWS-Config)  
-    1. [AWS Config Referencing Missing S3 Bucket](AWS-Config-Referencing-Missing-S3-Bucket)  
-    1. [AWS Config Referencing Missing SNS Topic](AWS-Config-Referencing-Missing-SNS-Topic)  
-    1. [AWS Config Log Files Delivery Failing](AWS-Config-Log-Files-Delivery-Failing)  
-    1. [Include Global Resources into AWS Config Settings](Include-Global-Resources-into-AWS-Config-Settings)  
+    0. [Monitor AWS Config configuration changes](Monitor-AWS-Config-configuration-changes)  
+    0. [Enable AWS Config](Enable-AWS-Config)  
+    0. [AWS Config Referencing Missing S3 Bucket](AWS-Config-Referencing-Missing-S3-Bucket)  
+    0. [AWS Config Referencing Missing SNS Topic](AWS-Config-Referencing-Missing-SNS-Topic)  
+    0. [AWS Config Log Files Delivery Failing](AWS-Config-Log-Files-Delivery-Failing)  
+    0. [Include Global Resources into AWS Config Settings](Include-Global-Resources-into-AWS-Config-Settings)  
 1. [DynamoDB](DynamoDB)  
-    1. [Enable DynamoDB Auto Scaling](Enable-DynamoDB-Auto-Scaling)  
-    1. [DynamoDB Backup and Restore](DynamoDB-Backup-and-Restore)  
-    1. [Enable DynamoDB Continuous Backups](Enable-DynamoDB-Continuous-Backups)  
-    1. [DynamoDB Server-Side Encryption](DynamoDB-Server-Side-Encryption)  
+    0. [Enable DynamoDB Auto Scaling](Enable-DynamoDB-Auto-Scaling)  
+    0. [DynamoDB Backup and Restore](DynamoDB-Backup-and-Restore)  
+    0. [Enable DynamoDB Continuous Backups](Enable-DynamoDB-Continuous-Backups)  
+    0. [DynamoDB Server-Side Encryption](DynamoDB-Server-Side-Encryption)  
 1. [EBS](EBS)  
-    1. [Enable EBS Encryption](Enable-EBS-Encryption)  
-    1. [Use KMS Customer Master Keys for EBS encryption](Use-KMS-Customer-Master-Keys-for-EBS-encryption)  
-    1. [EBS Volume Naming Conventions](EBS-Volume-Naming-Conventions)  
-    1. [EBS Public Snapshots](EBS-Public-Snapshots)  
-    1. [EBS volumes recent snapshots](EBS-volumes-recent-snapshots)  
-    1. [Remove EBS old snapshots](Remove-EBS-old-snapshots)  
-    1. [Remove Unattached EC2 EBS volumes](Remove-Unattached-EC2-EBS-volumes)  
-    1. [Enable EBS Snapshot Encryption](Enable-EBS-Snapshot-Encryption)  
-    1. [EBS Volumes Attached to Stopped EC2 Instances](EBS-Volumes-Attached-to-Stopped-EC2-Instances)  
-    1. [Approved/Golden AMI](Approved/Golden-AMI)  
-    1. [AWS Blacklisted AMI](AWS-Blacklisted-AMI)  
-    1. [Enable AMI Encryption](Enable-AMI-Encryption)  
-    1. [AMI Naming Conventions](AMI-Naming-Conventions)  
-    1. [Check for AMI Age](Check-for-AMI-Age)  
-    1. [Unused AMI](Unused-AMI)  
-    1. [Unassociated Elastic IP Addresses](Unassociated-Elastic-IP-Addresses)  
-    1. [Publicly Shared App-Tier AMIs](Publicly-Shared-App-Tier-AMIs)  
-    1. [App-Tier EC2 Instances Without Elastic or Public IP Addresses](App-Tier-EC2-Instances-Without-Elastic-or-Public-IP-Addresses)  
-    1. [Check app-tier ELB subnet connectivity to Internet Gateway](Check-app-tier-ELB-subnet-connectivity-to-Internet-Gateway)  
-    1. [IAM Roles for App-Tier EC2 Instances](IAM-Roles-for-App-Tier-EC2-Instances)  
-    1. [Create and Configure App-Tier Security Group](Create-and-Configure-App-Tier-Security-Group)  
-    1. [EC2 Instances Distribution Across Availability Zones](EC2-Instances-Distribution-Across-Availability-Zones)  
-    1. [EC2-Classic Elastic IP Address Limit](EC2-Classic-Elastic-IP-Address-Limit)  
-    1. [Data-Tier Instances Without Elastic or Public IP Addresses](Data-Tier-Instances-Without-Elastic-or-Public-IP-Addresses)  
-    1. [Create and Configure Data-Tier Security Group](Create-and-Configure-Data-Tier-Security-Group)  
-    1. [Restrict data-tier subnet connectivity to VPC NAT Gateway](Restrict-data-tier-subnet-connectivity-to-VPC-NAT-Gateway)  
-    1. [Unrestricted Default Security Groups](Unrestricted-Default-Security-Groups)  
-    1. [Default EC2 Security Groups In Use](Default-EC2-Security-Groups-In-Use)  
-    1. [Detailed Monitoring for EC2 Instances](Detailed-Monitoring-for-EC2-Instances)  
-    1. [EC2 Desired Instance Type](EC2-Desired-Instance-Type)  
-    1. [Review EC2 Dedicated Instances](Review-EC2-Dedicated-Instances)  
-    1. [EC2 Instance Not In Public Subnet](EC2-Instance-Not-In-Public-Subnet)  
-    1. [Unused EC2 Reserved Instances](Unused-EC2-Reserved-Instances)  
-    1. [Total Number of EC2 Instances](Total-Number-of-EC2-Instances)  
-    1. [EC2 Instance Type Generation](EC2-Instance-Type-Generation)  
-    1. [Instance In Auto Scaling Group](Instance-In-Auto-Scaling-Group)  
-    1. [EC2 Platform](EC2-Platform)  
-    1. [EC2 Instance Limit](EC2-Instance-Limit)  
-    1. [EC2 Instance Naming Conventions](EC2-Instance-Naming-Conventions)  
-    1. [EC2 Instances with Scheduled Events](EC2-Instances-with-Scheduled-Events)  
-    1. [EC2 Instance Security Group Rules Count](EC2-Instance-Security-Group-Rules-Count)  
-    1. [EC2 Instance Tenancy Type](EC2-Instance-Tenancy-Type)  
-    1. [EC2 Instance Termination Protection](EC2-Instance-Termination-Protection)  
-    1. [EC2 Instance Age](EC2-Instance-Age)  
-    1. [EC2 Instance IAM Roles](EC2-Instance-IAM-Roles)  
-    1. [Overutilized EC2 Instances](Overutilized-EC2-Instances)  
-    1. [Publicly Shared AMIs](Publicly-Shared-AMIs)  
-    1. [EC2 Reserved Instance Lease Expiration](EC2-Reserved-Instance-Lease-Expiration)  
-    1. [EC2 Security Groups Count](EC2-Security-Groups-Count)  
-    1. [EC2 Security Group Port Range](EC2-Security-Group-Port-Range)  
-    1. [Underutilized EC2 Instances](Underutilized-EC2-Instances)  
-    1. [EC2 Security Group Unrestricted Access](EC2-Security-Group-Unrestricted-Access)  
-    1. [Unrestricted CIFS Access](Unrestricted-CIFS-Access)  
-    1. [Unrestricted DNS Access](Unrestricted-DNS-Access)  
-    1. [Unrestricted ElasticSearch Access](Unrestricted-ElasticSearch-Access)  
-    1. [Unrestricted FTP Access](Unrestricted-FTP-Access)  
-    1. [Unrestricted HTTP Access](Unrestricted-HTTP-Access)  
-    1. [Unrestricted HTTPS Access](Unrestricted-HTTPS-Access)  
-    1. [Unrestricted ICMP Access](Unrestricted-ICMP-Access)  
-    1. [Unrestricted Inbound Access on Uncommon Ports](Unrestricted-Inbound-Access-on-Uncommon-Ports)  
-    1. [Unrestricted MongoDB Access](Unrestricted-MongoDB-Access)  
-    1. [Unrestricted MSSQL Database Access](Unrestricted-MSSQL-Database-Access)  
-    1. [Unrestricted MySQL Database Access](Unrestricted-MySQL-Database-Access)  
-    1. [Unrestricted NetBIOS Access](Unrestricted-NetBIOS-Access)  
-    1. [Unrestricted Oracle Database Access](Unrestricted-Oracle-Database-Access)  
-    1. [Unrestricted Outbound Access on All Ports](Unrestricted-Outbound-Access-on-All-Ports)  
-    1. [Unrestricted PostgreSQL Database Access](Unrestricted-PostgreSQL-Database-Access)  
-    1. [Unrestricted RDP Access](Unrestricted-RDP-Access)  
-    1. [Unrestricted RPC Access](Unrestricted-RPC-Access)  
-    1. [Unrestricted SMTP Access](Unrestricted-SMTP-Access)  
-    1. [Unrestricted SSH Access](Unrestricted-SSH-Access)  
-    1. [Unrestricted Telnet Access](Unrestricted-Telnet-Access)  
-    1. [Unused Elastic Network Interfaces](Unused-Elastic-Network-Interfaces)  
-    1. [Unused EC2 Key Pairs](Unused-EC2-Key-Pairs)  
-    1. [EC2-VPC Elastic IP Address Limit](EC2-VPC-Elastic-IP-Address-Limit)  
-    1. [Publicly Shared Web-Tier AMIs](Publicly-Shared-Web-Tier-AMIs)  
-    1. [Web-Tier EC2 Instances Without Elastic or Public IP Addresses](Web-Tier-EC2-Instances-Without-Elastic-or-Public-IP-Addresses)  
-    1. [Check web-tier ELB subnet connectivity to Internet Gateway](Check-web-tier-ELB-subnet-connectivity-to-Internet-Gateway)  
-    1. [Attach Policy to IAM Roles Associated with Web-Tier EC2 Instances](Attach-Policy-to-IAM-Roles-Associated-with-Web-Tier-EC2-Instances)  
-    1. [IAM Roles for Web-Tier EC2 Instances](IAM-Roles-for-Web-Tier-EC2-Instances)  
-    1. [Create and Configure Web-Tier Security Group](Create-and-Configure-Web-Tier-Security-Group)  
-    1. [Check web-tier subnet connectivity to VPC NAT Gateway](Check-web-tier-subnet-connectivity-to-VPC-NAT-Gateway)  
+    0. [Enable EBS Encryption](Enable-EBS-Encryption)  
+    0. [Use KMS Customer Master Keys for EBS encryption](Use-KMS-Customer-Master-Keys-for-EBS-encryption)  
+    0. [EBS Volume Naming Conventions](EBS-Volume-Naming-Conventions)  
+    0. [EBS Public Snapshots](EBS-Public-Snapshots)  
+    0. [EBS volumes recent snapshots](EBS-volumes-recent-snapshots)  
+    0. [Remove EBS old snapshots](Remove-EBS-old-snapshots)  
+    0. [Remove Unattached EC2 EBS volumes](Remove-Unattached-EC2-EBS-volumes)  
+    0. [Enable EBS Snapshot Encryption](Enable-EBS-Snapshot-Encryption)  
+    0. [EBS Volumes Attached to Stopped EC2 Instances](EBS-Volumes-Attached-to-Stopped-EC2-Instances)  
+    0. [Approved/Golden AMI](Approved/Golden-AMI)  
+    0. [AWS Blacklisted AMI](AWS-Blacklisted-AMI)  
+    0. [Enable AMI Encryption](Enable-AMI-Encryption)  
+    0. [AMI Naming Conventions](AMI-Naming-Conventions)  
+    0. [Check for AMI Age](Check-for-AMI-Age)  
+    0. [Unused AMI](Unused-AMI)  
+    0. [Unassociated Elastic IP Addresses](Unassociated-Elastic-IP-Addresses)  
+    0. [Publicly Shared App-Tier AMIs](Publicly-Shared-App-Tier-AMIs)  
+    0. [App-Tier EC2 Instances Without Elastic or Public IP Addresses](App-Tier-EC2-Instances-Without-Elastic-or-Public-IP-Addresses)  
+    0. [Check app-tier ELB subnet connectivity to Internet Gateway](Check-app-tier-ELB-subnet-connectivity-to-Internet-Gateway)  
+    0. [IAM Roles for App-Tier EC2 Instances](IAM-Roles-for-App-Tier-EC2-Instances)  
+    0. [Create and Configure App-Tier Security Group](Create-and-Configure-App-Tier-Security-Group)  
+    0. [EC2 Instances Distribution Across Availability Zones](EC2-Instances-Distribution-Across-Availability-Zones)  
+    0. [EC2-Classic Elastic IP Address Limit](EC2-Classic-Elastic-IP-Address-Limit)  
+    0. [Data-Tier Instances Without Elastic or Public IP Addresses](Data-Tier-Instances-Without-Elastic-or-Public-IP-Addresses)  
+    0. [Create and Configure Data-Tier Security Group](Create-and-Configure-Data-Tier-Security-Group)  
+    0. [Restrict data-tier subnet connectivity to VPC NAT Gateway](Restrict-data-tier-subnet-connectivity-to-VPC-NAT-Gateway)  
+    0. [Unrestricted Default Security Groups](Unrestricted-Default-Security-Groups)  
+    0. [Default EC2 Security Groups In Use](Default-EC2-Security-Groups-In-Use)  
+    0. [Detailed Monitoring for EC2 Instances](Detailed-Monitoring-for-EC2-Instances)  
+    0. [EC2 Desired Instance Type](EC2-Desired-Instance-Type)  
+    0. [Review EC2 Dedicated Instances](Review-EC2-Dedicated-Instances)  
+    0. [EC2 Instance Not In Public Subnet](EC2-Instance-Not-In-Public-Subnet)  
+    0. [Unused EC2 Reserved Instances](Unused-EC2-Reserved-Instances)  
+    0. [Total Number of EC2 Instances](Total-Number-of-EC2-Instances)  
+    0. [EC2 Instance Type Generation](EC2-Instance-Type-Generation)  
+    0. [Instance In Auto Scaling Group](Instance-In-Auto-Scaling-Group)  
+    0. [EC2 Platform](EC2-Platform)  
+    0. [EC2 Instance Limit](EC2-Instance-Limit)  
+    0. [EC2 Instance Naming Conventions](EC2-Instance-Naming-Conventions)  
+    0. [EC2 Instances with Scheduled Events](EC2-Instances-with-Scheduled-Events)  
+    0. [EC2 Instance Security Group Rules Count](EC2-Instance-Security-Group-Rules-Count)  
+    0. [EC2 Instance Tenancy Type](EC2-Instance-Tenancy-Type)  
+    0. [EC2 Instance Termination Protection](EC2-Instance-Termination-Protection)  
+    0. [EC2 Instance Age](EC2-Instance-Age)  
+    0. [EC2 Instance IAM Roles](EC2-Instance-IAM-Roles)  
+    0. [Overutilized EC2 Instances](Overutilized-EC2-Instances)  
+    0. [Publicly Shared AMIs](Publicly-Shared-AMIs)  
+    0. [EC2 Reserved Instance Lease Expiration](EC2-Reserved-Instance-Lease-Expiration)  
+    0. [EC2 Security Groups Count](EC2-Security-Groups-Count)  
+    0. [EC2 Security Group Port Range](EC2-Security-Group-Port-Range)  
+    0. [Underutilized EC2 Instances](Underutilized-EC2-Instances)  
+    0. [EC2 Security Group Unrestricted Access](EC2-Security-Group-Unrestricted-Access)  
+    0. [Unrestricted CIFS Access](Unrestricted-CIFS-Access)  
+    0. [Unrestricted DNS Access](Unrestricted-DNS-Access)  
+    0. [Unrestricted ElasticSearch Access](Unrestricted-ElasticSearch-Access)  
+    0. [Unrestricted FTP Access](Unrestricted-FTP-Access)  
+    0. [Unrestricted HTTP Access](Unrestricted-HTTP-Access)  
+    0. [Unrestricted HTTPS Access](Unrestricted-HTTPS-Access)  
+    0. [Unrestricted ICMP Access](Unrestricted-ICMP-Access)  
+    0. [Unrestricted Inbound Access on Uncommon Ports](Unrestricted-Inbound-Access-on-Uncommon-Ports)  
+    0. [Unrestricted MongoDB Access](Unrestricted-MongoDB-Access)  
+    0. [Unrestricted MSSQL Database Access](Unrestricted-MSSQL-Database-Access)  
+    0. [Unrestricted MySQL Database Access](Unrestricted-MySQL-Database-Access)  
+    0. [Unrestricted NetBIOS Access](Unrestricted-NetBIOS-Access)  
+    0. [Unrestricted Oracle Database Access](Unrestricted-Oracle-Database-Access)  
+    0. [Unrestricted Outbound Access on All Ports](Unrestricted-Outbound-Access-on-All-Ports)  
+    0. [Unrestricted PostgreSQL Database Access](Unrestricted-PostgreSQL-Database-Access)  
+    0. [Unrestricted RDP Access](Unrestricted-RDP-Access)  
+    0. [Unrestricted RPC Access](Unrestricted-RPC-Access)  
+    0. [Unrestricted SMTP Access](Unrestricted-SMTP-Access)  
+    0. [Unrestricted SSH Access](Unrestricted-SSH-Access)  
+    0. [Unrestricted Telnet Access](Unrestricted-Telnet-Access)  
+    0. [Unused Elastic Network Interfaces](Unused-Elastic-Network-Interfaces)  
+    0. [Unused EC2 Key Pairs](Unused-EC2-Key-Pairs)  
+    0. [EC2-VPC Elastic IP Address Limit](EC2-VPC-Elastic-IP-Address-Limit)  
+    0. [Publicly Shared Web-Tier AMIs](Publicly-Shared-Web-Tier-AMIs)  
+    0. [Web-Tier EC2 Instances Without Elastic or Public IP Addresses](Web-Tier-EC2-Instances-Without-Elastic-or-Public-IP-Addresses)  
+    0. [Check web-tier ELB subnet connectivity to Internet Gateway](Check-web-tier-ELB-subnet-connectivity-to-Internet-Gateway)  
+    0. [Attach Policy to IAM Roles Associated with Web-Tier EC2 Instances](Attach-Policy-to-IAM-Roles-Associated-with-Web-Tier-EC2-Instances)  
+    0. [IAM Roles for Web-Tier EC2 Instances](IAM-Roles-for-Web-Tier-EC2-Instances)  
+    0. [Create and Configure Web-Tier Security Group](Create-and-Configure-Web-Tier-Security-Group)  
+    0. [Check web-tier subnet connectivity to VPC NAT Gateway](Check-web-tier-subnet-connectivity-to-VPC-NAT-Gateway)  
 1. [ECR](ECR)  
-    1. [ECR Unknown Cross Account Access](ECR-Unknown-Cross-Account-Access)  
-    1. [Check for Exposed ECR Repositories](Check-for-Exposed-ECR-Repositories)  
+    0. [ECR Unknown Cross Account Access](ECR-Unknown-Cross-Account-Access)  
+    0. [Check for Exposed ECR Repositories](Check-for-Exposed-ECR-Repositories)  
 1. [EFS](EFS)  
-    1. [KMS Customer Master Keys for EFS Encryption](KMS-Customer-Master-Keys-for-EFS-Encryption)  
-    1. [Enable EFS Encryption](Enable-EFS-Encryption)  
+    0. [KMS Customer Master Keys for EFS Encryption](KMS-Customer-Master-Keys-for-EFS-Encryption)  
+    0. [Enable EFS Encryption](Enable-EFS-Encryption)  
 1. [ElasticSearch](ElasticSearch)  
-    1. [ElasticSearch Cluster Status](ElasticSearch-Cluster-Status)  
-    1. [ElasticSearch Instance Type](ElasticSearch-Instance-Type)  
-    1. [ElasticSearch Domain Encrypted with KMS CMKs](ElasticSearch-Domain-Encrypted-with-KMS-CMKs)  
-    1. [ElasticSearch Unknown Cross Account Access](ElasticSearch-Unknown-Cross-Account-Access)  
-    1. [ElasticSearch Exposed Domains](ElasticSearch-Exposed-Domains)  
-    1. [ElasticSearch Domain IP-Based Access](ElasticSearch-Domain-IP-Based-Access)  
-    1. [ElasticSearch General Purpose SSD Node Type](ElasticSearch-General-Purpose-SSD-Node-Type)  
-    1. [ElasticSearch Version](ElasticSearch-Version)  
-    1. [Enable ElasticSearch Zone Awareness](Enable-ElasticSearch-Zone-Awareness)  
-    1. [Enable ElasticSearch Encryption At Rest](Enable-ElasticSearch-Encryption-At-Rest)  
-    1. [ElasticSearch Free Storage Space](ElasticSearch-Free-Storage-Space)  
-    1. [Total Number of ElasticSearch Instances](Total-Number-of-ElasticSearch-Instances)  
-    1. [Enable ElasticSearch Node-to-Node Encryption](Enable-ElasticSearch-Node-to-Node-Encryption)  
-    1. [Enable ElasticSearch Slow Logs](Enable-ElasticSearch-Slow-Logs)  
+    0. [ElasticSearch Cluster Status](ElasticSearch-Cluster-Status)  
+    0. [ElasticSearch Instance Type](ElasticSearch-Instance-Type)  
+    0. [ElasticSearch Domain Encrypted with KMS CMKs](ElasticSearch-Domain-Encrypted-with-KMS-CMKs)  
+    0. [ElasticSearch Unknown Cross Account Access](ElasticSearch-Unknown-Cross-Account-Access)  
+    0. [ElasticSearch Exposed Domains](ElasticSearch-Exposed-Domains)  
+    0. [ElasticSearch Domain IP-Based Access](ElasticSearch-Domain-IP-Based-Access)  
+    0. [ElasticSearch General Purpose SSD Node Type](ElasticSearch-General-Purpose-SSD-Node-Type)  
+    0. [ElasticSearch Version](ElasticSearch-Version)  
+    0. [Enable ElasticSearch Zone Awareness](Enable-ElasticSearch-Zone-Awareness)  
+    0. [Enable ElasticSearch Encryption At Rest](Enable-ElasticSearch-Encryption-At-Rest)  
+    0. [ElasticSearch Free Storage Space](ElasticSearch-Free-Storage-Space)  
+    0. [Total Number of ElasticSearch Instances](Total-Number-of-ElasticSearch-Instances)  
+    0. [Enable ElasticSearch Node-to-Node Encryption](Enable-ElasticSearch-Node-to-Node-Encryption)  
+    0. [Enable ElasticSearch Slow Logs](Enable-ElasticSearch-Slow-Logs)  
 1. [ELB](ELB)  
-    1. [Enable HTTPS/SSL Listener for App-Tier ELBs](Enable-HTTPS/SSL-Listener-for-App-Tier-ELBs)  
-    1. [Enable Latest SSL Security Policy for App-Tier ELBs](Enable-Latest-SSL-Security-Policy-for-App-Tier-ELBs)  
-    1. [Add SSL/TLS Server Certificates to App-Tier ELBs](Add-SSL/TLS-Server-Certificates-to-App-Tier-ELBs)  
-    1. [App-Tier ELBs Health Check](App-Tier-ELBs-Health-Check)  
-    1. [Enable ELB Access Logging](Enable-ELB-Access-Logging)  
-    1. [AWS Classic Load Balancer](AWS-Classic-Load-Balancer)  
-    1. [Connection Draining Enabled](Connection-Draining-Enabled)  
-    1. [Enable ELB Cross-Zone Load Balancing](Enable-ELB-Cross-Zone-Load-Balancing)  
-    1. [ELB insecure SSL ciphers](ELB-insecure-SSL-ciphers)  
-    1. [ELB insecure SSL protocols](ELB-insecure-SSL-protocols)  
-    1. [ELB Listener Security](ELB-Listener-Security)  
-    1. [ELB minimum number of EC2 instances](ELB-minimum-number-of-EC2-instances)  
-    1. [ELB Security Group](ELB-Security-Group)  
-    1. [ELB Security Policy](ELB-Security-Policy)  
-    1. [Remove unused ELBs](Remove-unused-ELBs)  
-    1. [ELB Instances Distribution Across Availability Zones](ELB-Instances-Distribution-Across-Availability-Zones)  
-    1. [Review AWS Internet Facing Load Balancers](Review-AWS-Internet-Facing-Load-Balancers)  
-    1. [Enable HTTPS/SSL Listener for Web-Tier ELBs](Enable-HTTPS/SSL-Listener-for-Web-Tier-ELBs)  
-    1. [Enable Latest SSL Security Policy for Web-Tier ELBs](Enable-Latest-SSL-Security-Policy-for-Web-Tier-ELBs)  
-    1. [Add SSL/TLS Server Certificates to Web-Tier ELBs](Add-SSL/TLS-Server-Certificates-to-Web-Tier-ELBs)  
-    1. [Web-Tier ELBs Health Check](Web-Tier-ELBs-Health-Check)  
-    1. [Enable ALB (ELBv2)-Access-Logging](Enable-ALB-(ELBv2)-Access-Logging)  
-    1. [Enable Elastic Load Balancing Deletion Protection](Enable-Elastic-Load-Balancing-Deletion-Protection)  
-    1. [ELBv2 Instances Distribution Across Availability Zones](ELBv2-Instances-Distribution-Across-Availability-Zones)  
-    1. [ALB (ELBv2)-Listener-Security](ALB-(ELBv2)-Listener-Security)  
-    1. [Minimum Number of EC2 Target Instances](Minimum-Number-of-EC2-Target-Instances)  
-    1. [ELBv2 Security Groups](ELBv2-Security-Groups)  
-    1. [ALB (ELBv2)-Security-Policy](ALB-(ELBv2)-Security-Policy)  
-    1. [Unused ELBs (ELBv2)](Unused-ELBs-(ELBv2))  
+    0. [Enable HTTPS/SSL Listener for App-Tier ELBs](Enable-HTTPS/SSL-Listener-for-App-Tier-ELBs)  
+    0. [Enable Latest SSL Security Policy for App-Tier ELBs](Enable-Latest-SSL-Security-Policy-for-App-Tier-ELBs)  
+    0. [Add SSL/TLS Server Certificates to App-Tier ELBs](Add-SSL/TLS-Server-Certificates-to-App-Tier-ELBs)  
+    0. [App-Tier ELBs Health Check](App-Tier-ELBs-Health-Check)  
+    0. [Enable ELB Access Logging](Enable-ELB-Access-Logging)  
+    0. [AWS Classic Load Balancer](AWS-Classic-Load-Balancer)  
+    0. [Connection Draining Enabled](Connection-Draining-Enabled)  
+    0. [Enable ELB Cross-Zone Load Balancing](Enable-ELB-Cross-Zone-Load-Balancing)  
+    0. [ELB insecure SSL ciphers](ELB-insecure-SSL-ciphers)  
+    0. [ELB insecure SSL protocols](ELB-insecure-SSL-protocols)  
+    0. [ELB Listener Security](ELB-Listener-Security)  
+    0. [ELB minimum number of EC2 instances](ELB-minimum-number-of-EC2-instances)  
+    0. [ELB Security Group](ELB-Security-Group)  
+    0. [ELB Security Policy](ELB-Security-Policy)  
+    0. [Remove unused ELBs](Remove-unused-ELBs)  
+    0. [ELB Instances Distribution Across Availability Zones](ELB-Instances-Distribution-Across-Availability-Zones)  
+    0. [Review AWS Internet Facing Load Balancers](Review-AWS-Internet-Facing-Load-Balancers)  
+    0. [Enable HTTPS/SSL Listener for Web-Tier ELBs](Enable-HTTPS/SSL-Listener-for-Web-Tier-ELBs)  
+    0. [Enable Latest SSL Security Policy for Web-Tier ELBs](Enable-Latest-SSL-Security-Policy-for-Web-Tier-ELBs)  
+    0. [Add SSL/TLS Server Certificates to Web-Tier ELBs](Add-SSL/TLS-Server-Certificates-to-Web-Tier-ELBs)  
+    0. [Web-Tier ELBs Health Check](Web-Tier-ELBs-Health-Check)  
+    0. [Enable ALB (ELBv2)-Access-Logging](Enable-ALB-(ELBv2)-Access-Logging)  
+    0. [Enable Elastic Load Balancing Deletion Protection](Enable-Elastic-Load-Balancing-Deletion-Protection)  
+    0. [ELBv2 Instances Distribution Across Availability Zones](ELBv2-Instances-Distribution-Across-Availability-Zones)  
+    0. [ALB (ELBv2)-Listener-Security](ALB-(ELBv2)-Listener-Security)  
+    0. [Minimum Number of EC2 Target Instances](Minimum-Number-of-EC2-Target-Instances)  
+    0. [ELBv2 Security Groups](ELBv2-Security-Groups)  
+    0. [ALB (ELBv2)-Security-Policy](ALB-(ELBv2)-Security-Policy)  
+    0. [Unused ELBs (ELBv2)](Unused-ELBs-(ELBv2))  
 1. [EMR](EMR)  
-    1. [EMR Cluster In VPC](EMR-Cluster-In-VPC)  
-    1. [EMR Desired Instance Type](EMR-Desired-Instance-Type)  
-    1. [EMR Instance Type Generation](EMR-Instance-Type-Generation)  
-    1. [Enable EMR In-Transit and At-Rest Encryption](Enable-EMR-In-Transit-and-At-Rest-Encryption)  
-    1. [Total Number of EMR Instances](Total-Number-of-EMR-Instances)  
+    0. [EMR Cluster In VPC](EMR-Cluster-In-VPC)  
+    0. [EMR Desired Instance Type](EMR-Desired-Instance-Type)  
+    0. [EMR Instance Type Generation](EMR-Instance-Type-Generation)  
+    0. [Enable EMR In-Transit and At-Rest Encryption](Enable-EMR-In-Transit-and-At-Rest-Encryption)  
+    0. [Total Number of EMR Instances](Total-Number-of-EMR-Instances)  
 1. [GuardDuty](GuardDuty)  
-    1. [GuardDuty Findings](GuardDuty-Findings)  
-    1. [Monitor GuardDuty Configuration Changes](Monitor-GuardDuty-Configuration-Changes)  
-    1. [GuardDuty In Use](GuardDuty-In-Use)  
+    0. [GuardDuty Findings](GuardDuty-Findings)  
+    0. [Monitor GuardDuty Configuration Changes](Monitor-GuardDuty-Configuration-Changes)  
+    0. [GuardDuty In Use](GuardDuty-In-Use)  
 1. [Health](Health)  
-    1. [AWS Health](AWS-Health)  
+    0. [AWS Health](AWS-Health)  
 1. [IAM](IAM)  
-    1. [Unused IAM Access Keys](Unused-IAM-Access-Keys)  
-    1. [IAM Access Keys Rotation](IAM-Access-Keys-Rotation)  
-    1. [Unnecessary IAM Access Keys](Unnecessary-IAM-Access-Keys)  
-    1. [Enable Security Challenge Questions for your Account](Enable-Security-Challenge-Questions-for-your-Account)  
-    1. [Attach Policy to IAM Roles Associated with App-Tier EC2 Instances](Attach-Policy-to-IAM-Roles-Associated-with-App-Tier-EC2-Instances)  
-    1. [SSL/TLS Certificate Renewal](SSL/TLS-Certificate-Renewal)  
-    1. [Server Certificate Signature Algorithm](Server-Certificate-Signature-Algorithm)  
-    1. [IAM Server Certificate Size](IAM-Server-Certificate-Size)  
-    1. [Deprecated AWS Managed Policies In Use](Deprecated-AWS-Managed-Policies-In-Use)  
-    1. [IAM Users Unauthorized to Edit Access Policies](IAM-Users-Unauthorized-to-Edit-Access-Policies)  
-    1. [IAM Users with Admin Privileges](IAM-Users-with-Admin-Privileges)  
-    1. [Detect IAM Configuration Changes](Detect-IAM-Configuration-Changes)  
-    1. [IAM Group with Administrator Privileges In Use](IAM-Group-with-Administrator-Privileges-In-Use)  
-    1. [Unused IAM Groups](Unused-IAM-Groups)  
-    1. [Remove IAM Policies with Full Administrative Privileges](Remove-IAM-Policies-with-Full-Administrative-Privileges)  
-    1. [IAM Customer Managed Policy with Administrative Permissions In Use](IAM-Customer-Managed-Policy-with-Administrative-Permissions-In-Use)  
-    1. [IAM Role Policy Too Permissive](IAM-Role-Policy-Too-Permissive)  
-    1. [IAM User Present](IAM-User-Present)  
-    1. [Inactive IAM Users](Inactive-IAM-Users)  
-    1. [Unused IAM Users](Unused-IAM-Users)  
-    1. [IAM Users with Password and Access Keys](IAM-Users-with-Password-and-Access-Keys)  
-    1. [Valid IAM Identity Providers](Valid-IAM-Identity-Providers)  
-    1. [MFA Device Deactivated for IAM Users](MFA-Device-Deactivated-for-IAM-Users)  
-    1. [Enable MFA for IAM Users](Enable-MFA-for-IAM-Users)  
-    1. [IAM Master and IAM Manager Roles](IAM-Master-and-IAM-Manager-Roles)  
-    1. [IAM Password Expiry](IAM-Password-Expiry)  
-    1. [IAM Password Policy](IAM-Password-Policy)  
-    1. [Root Account Access Keys](Root-Account-Access-Keys)  
-    1. [Root Account Credentials Usage](Root-Account-Credentials-Usage)  
-    1. [Root Account Active Signing Certificates](Root-Account-Active-Signing-Certificates)  
-    1. [Enable Hardware MFA for Root Account](Enable-Hardware-MFA-for-Root-Account)  
-    1. [Enable MFA for Root Account](Enable-MFA-for-Root-Account)  
-    1. [IAM SSH Public Keys Rotation (90-Days)](IAM-SSH-Public-Keys-Rotation-(90-Days))  
-    1. [Unnecessary IAM SSH Public Keys](Unnecessary-IAM-SSH-Public-Keys)  
-    1. [IAM Support Role](IAM-Support-Role)  
+    0. [Unused IAM Access Keys](Unused-IAM-Access-Keys)  
+    0. [IAM Access Keys Rotation](IAM-Access-Keys-Rotation)  
+    0. [Unnecessary IAM Access Keys](Unnecessary-IAM-Access-Keys)  
+    0. [Enable Security Challenge Questions for your Account](Enable-Security-Challenge-Questions-for-your-Account)  
+    0. [Attach Policy to IAM Roles Associated with App-Tier EC2 Instances](Attach-Policy-to-IAM-Roles-Associated-with-App-Tier-EC2-Instances)  
+    0. [SSL/TLS Certificate Renewal](SSL/TLS-Certificate-Renewal)  
+    0. [Server Certificate Signature Algorithm](Server-Certificate-Signature-Algorithm)  
+    0. [IAM Server Certificate Size](IAM-Server-Certificate-Size)  
+    0. [Deprecated AWS Managed Policies In Use](Deprecated-AWS-Managed-Policies-In-Use)  
+    0. [IAM Users Unauthorized to Edit Access Policies](IAM-Users-Unauthorized-to-Edit-Access-Policies)  
+    0. [IAM Users with Admin Privileges](IAM-Users-with-Admin-Privileges)  
+    0. [Detect IAM Configuration Changes](Detect-IAM-Configuration-Changes)  
+    0. [IAM Group with Administrator Privileges In Use](IAM-Group-with-Administrator-Privileges-In-Use)  
+    0. [Unused IAM Groups](Unused-IAM-Groups)  
+    0. [Remove IAM Policies with Full Administrative Privileges](Remove-IAM-Policies-with-Full-Administrative-Privileges)  
+    0. [IAM Customer Managed Policy with Administrative Permissions In Use](IAM-Customer-Managed-Policy-with-Administrative-Permissions-In-Use)  
+    0. [IAM Role Policy Too Permissive](IAM-Role-Policy-Too-Permissive)  
+    0. [IAM User Present](IAM-User-Present)  
+    0. [Inactive IAM Users](Inactive-IAM-Users)  
+    0. [Unused IAM Users](Unused-IAM-Users)  
+    0. [IAM Users with Password and Access Keys](IAM-Users-with-Password-and-Access-Keys)  
+    0. [Valid IAM Identity Providers](Valid-IAM-Identity-Providers)  
+    0. [MFA Device Deactivated for IAM Users](MFA-Device-Deactivated-for-IAM-Users)  
+    0. [Enable MFA for IAM Users](Enable-MFA-for-IAM-Users)  
+    0. [IAM Master and IAM Manager Roles](IAM-Master-and-IAM-Manager-Roles)  
+    0. [IAM Password Expiry](IAM-Password-Expiry)  
+    0. [IAM Password Policy](IAM-Password-Policy)  
+    0. [Root Account Access Keys](Root-Account-Access-Keys)  
+    0. [Root Account Credentials Usage](Root-Account-Credentials-Usage)  
+    0. [Root Account Active Signing Certificates](Root-Account-Active-Signing-Certificates)  
+    0. [Enable Hardware MFA for Root Account](Enable-Hardware-MFA-for-Root-Account)  
+    0. [Enable MFA for Root Account](Enable-MFA-for-Root-Account)  
+    0. [IAM SSH Public Keys Rotation (90-Days)](IAM-SSH-Public-Keys-Rotation-(90-Days))  
+    0. [Unnecessary IAM SSH Public Keys](Unnecessary-IAM-SSH-Public-Keys)  
+    0. [IAM Support Role](IAM-Support-Role)  
 1. [Inspector](Inspector)  
-    1. [AWS Inspector Findings](AWS-Inspector-Findings)  
+    0. [AWS Inspector Findings](AWS-Inspector-Findings)  
 1. [KMS](KMS)  
-    1. [App-Tier Customer Master Key In Use](App-Tier-Customer-Master-Key-In-Use)  
-    1. [KMS Customer Master Key In Use](KMS-Customer-Master-Key-In-Use)  
-    1. [Database Tier Customer Master Key In Use](Database-Tier-Customer-Master-Key-In-Use)  
-    1. [Default KMS Key Usage](Default-KMS-Key-Usage)  
-    1. [Disabled KMS keys](Disabled-KMS-keys)  
-    1. [Monitor KMS Configuration Changes](Monitor-KMS-Configuration-Changes)  
-    1. [KMS Unknown Cross Account Access](KMS-Unknown-Cross-Account-Access)  
-    1. [KMS Exposed Keys](KMS-Exposed-Keys)  
-    1. [Recover KMS Customer Master Keys](Recover-KMS-Customer-Master-Keys)  
-    1. [Enable KMS Key Rotation](Enable-KMS-Key-Rotation)  
-    1. [Remove unused KMS keys](Remove-unused-KMS-keys)  
-    1. [Web-Tier Customer Master Key In Use](Web-Tier-Customer-Master-Key-In-Use)  
+    0. [App-Tier Customer Master Key In Use](App-Tier-Customer-Master-Key-In-Use)  
+    0. [KMS Customer Master Key In Use](KMS-Customer-Master-Key-In-Use)  
+    0. [Database Tier Customer Master Key In Use](Database-Tier-Customer-Master-Key-In-Use)  
+    0. [Default KMS Key Usage](Default-KMS-Key-Usage)  
+    0. [Disabled KMS keys](Disabled-KMS-keys)  
+    0. [Monitor KMS Configuration Changes](Monitor-KMS-Configuration-Changes)  
+    0. [KMS Unknown Cross Account Access](KMS-Unknown-Cross-Account-Access)  
+    0. [KMS Exposed Keys](KMS-Exposed-Keys)  
+    0. [Recover KMS Customer Master Keys](Recover-KMS-Customer-Master-Keys)  
+    0. [Enable KMS Key Rotation](Enable-KMS-Key-Rotation)  
+    0. [Remove unused KMS keys](Remove-unused-KMS-keys)  
+    0. [Web-Tier Customer Master Key In Use](Web-Tier-Customer-Master-Key-In-Use)  
 1. [Lambda](Lambda)  
-    1. [Exposed Lambda Functions](Exposed-Lambda-Functions)  
-    1. [Lambda Functions with Admin Privileges](Lambda-Functions-with-Admin-Privileges)  
-    1. [Lambda Unknown Cross Account Access](Lambda-Unknown-Cross-Account-Access)  
-    1. [Lambda Runtime Environment Version](Lambda-Runtime-Environment-Version)  
-    1. [An IAM role for a Lambda Function](An-IAM-role-for-a-Lambda-Function)  
+    0. [Exposed Lambda Functions](Exposed-Lambda-Functions)  
+    0. [Lambda Functions with Admin Privileges](Lambda-Functions-with-Admin-Privileges)  
+    0. [Lambda Unknown Cross Account Access](Lambda-Unknown-Cross-Account-Access)  
+    0. [Lambda Runtime Environment Version](Lambda-Runtime-Environment-Version)  
+    0. [An IAM role for a Lambda Function](An-IAM-role-for-a-Lambda-Function)  
 1. [Organizations](Organizations)  
-    1. [Monitor AWS Org. Configuration Changes](Monitor-AWS-Org.-Configuration-Changes)  
-    1. [Enable All Features](Enable-All-Features)  
-    1. [AWS Organizations In Use](AWS-Organizations-In-Use)  
+    0. [Monitor AWS Org. Configuration Changes](Monitor-AWS-Org.-Configuration-Changes)  
+    0. [Enable All Features](Enable-All-Features)  
+    0. [AWS Organizations In Use](AWS-Organizations-In-Use)  
 1. [RDS](RDS)  
-    1. [Aurora Database Instance Accessibility](Aurora-Database-Instance-Accessibility)  
-    1. [RDS Auto Minor Version Upgrade](RDS-Auto-Minor-Version-Upgrade)  
-    1. [Enable RDS Automated Backups](Enable-RDS-Automated-Backups)  
-    1. [Enable RDS Deletion Protection](Enable-RDS-Deletion-Protection)  
-    1. [Enable RDS Encryption](Enable-RDS-Encryption)  
-    1. [RDS Free Storage Space](RDS-Free-Storage-Space)  
-    1. [Enable IAM Database Authentication](Enable-IAM-Database-Authentication)  
-    1. [Total Number of Provisioned RDS Instances](Total-Number-of-Provisioned-RDS-Instances)  
-    1. [RDS Multi-AZ](RDS-Multi-AZ)  
-    1. [Overutilized RDS Instances](Overutilized-RDS-Instances)  
-    1. [Publicly Accessible RDS Instances](Publicly-Accessible-RDS-Instances)  
-    1. [Use Data-Tier Security Group for RDS Databases](Use-Data-Tier-Security-Group-for-RDS-Databases)  
-    1. [RDS Database Default Port](RDS-Database-Default-Port)  
-    1. [Use KMS Customer Master Keys for RDS encryption](Use-KMS-Customer-Master-Keys-for-RDS-encryption)  
-    1. [RDS General Purpose SSD Storage Type](RDS-General-Purpose-SSD-Storage-Type)  
-    1. [RDS Instance Not In Public Subnet](RDS-Instance-Not-In-Public-Subnet)  
-    1. [RDS Database Master Username](RDS-Database-Master-Username)  
-    1. [RDS Public Snapshots](RDS-Public-Snapshots)  
-    1. [RDS Sufficient Backup Retention Period](RDS-Sufficient-Backup-Retention-Period)  
-    1. [Enable RDS Transport Encryption](Enable-RDS-Transport-Encryption)  
-    1. [Underutilized RDS Instances](Underutilized-RDS-Instances)  
-    1. [Unrestricted RDS DB Security Group](Unrestricted-RDS-DB-Security-Group)  
-    1. [Enable Route 53 Domain Auto Renew](Enable-Route-53-Domain-Auto-Renew)  
-    1. [Create DNS Alias Record for Root Domain](Create-DNS-Alias-Record-for-Root-Domain)  
-    1. [Remove Route 53 Dangling DNS Records](Remove-Route-53-Dangling-DNS-Records)  
-    1. [Expired Route 53 Domain Names](Expired-Route-53-Domain-Names)  
-    1. [Route 53 Domain Name Renewal](Route-53-Domain-Name-Renewal)  
-    1. [Enable Privacy Protection for Route 53 Domains](Enable-Privacy-Protection-for-Route-53-Domains)  
-    1. [Root Domain Alias Records that Point to ELB](Root-Domain-Alias-Records-that-Point-to-ELB)  
-    1. [Monitor Route 53 Configuration Changes](Monitor-Route-53-Configuration-Changes)  
-    1. [Route 53 DNS In Use](Route-53-DNS-In-Use)  
-    1. [Route 53 SPF DNS Records](Route-53-SPF-DNS-Records)  
-    1. [Enable Route 53 Domain Transfer Lock](Enable-Route-53-Domain-Transfer-Lock)  
-    1. [Monitor Route 53 Domains Configuration Changes](Monitor-Route-53-Domains-Configuration-Changes)  
+    0. [Aurora Database Instance Accessibility](Aurora-Database-Instance-Accessibility)  
+    0. [RDS Auto Minor Version Upgrade](RDS-Auto-Minor-Version-Upgrade)  
+    0. [Enable RDS Automated Backups](Enable-RDS-Automated-Backups)  
+    0. [Enable RDS Deletion Protection](Enable-RDS-Deletion-Protection)  
+    0. [Enable RDS Encryption](Enable-RDS-Encryption)  
+    0. [RDS Free Storage Space](RDS-Free-Storage-Space)  
+    0. [Enable IAM Database Authentication](Enable-IAM-Database-Authentication)  
+    0. [Total Number of Provisioned RDS Instances](Total-Number-of-Provisioned-RDS-Instances)  
+    0. [RDS Multi-AZ](RDS-Multi-AZ)  
+    0. [Overutilized RDS Instances](Overutilized-RDS-Instances)  
+    0. [Publicly Accessible RDS Instances](Publicly-Accessible-RDS-Instances)  
+    0. [Use Data-Tier Security Group for RDS Databases](Use-Data-Tier-Security-Group-for-RDS-Databases)  
+    0. [RDS Database Default Port](RDS-Database-Default-Port)  
+    0. [Use KMS Customer Master Keys for RDS encryption](Use-KMS-Customer-Master-Keys-for-RDS-encryption)  
+    0. [RDS General Purpose SSD Storage Type](RDS-General-Purpose-SSD-Storage-Type)  
+    0. [RDS Instance Not In Public Subnet](RDS-Instance-Not-In-Public-Subnet)  
+    0. [RDS Database Master Username](RDS-Database-Master-Username)  
+    0. [RDS Public Snapshots](RDS-Public-Snapshots)  
+    0. [RDS Sufficient Backup Retention Period](RDS-Sufficient-Backup-Retention-Period)  
+    0. [Enable RDS Transport Encryption](Enable-RDS-Transport-Encryption)  
+    0. [Underutilized RDS Instances](Underutilized-RDS-Instances)  
+    0. [Unrestricted RDS DB Security Group](Unrestricted-RDS-DB-Security-Group)  
+    0. [Enable Route 53 Domain Auto Renew](Enable-Route-53-Domain-Auto-Renew)  
+    0. [Create DNS Alias Record for Root Domain](Create-DNS-Alias-Record-for-Root-Domain)  
+    0. [Remove Route 53 Dangling DNS Records](Remove-Route-53-Dangling-DNS-Records)  
+    0. [Expired Route 53 Domain Names](Expired-Route-53-Domain-Names)  
+    0. [Route 53 Domain Name Renewal](Route-53-Domain-Name-Renewal)  
+    0. [Enable Privacy Protection for Route 53 Domains](Enable-Privacy-Protection-for-Route-53-Domains)  
+    0. [Root Domain Alias Records that Point to ELB](Root-Domain-Alias-Records-that-Point-to-ELB)  
+    0. [Monitor Route 53 Configuration Changes](Monitor-Route-53-Configuration-Changes)  
+    0. [Route 53 DNS In Use](Route-53-DNS-In-Use)  
+    0. [Route 53 SPF DNS Records](Route-53-SPF-DNS-Records)  
+    0. [Enable Route 53 Domain Transfer Lock](Enable-Route-53-Domain-Transfer-Lock)  
+    0. [Monitor Route 53 Domains Configuration Changes](Monitor-Route-53-Domains-Configuration-Changes)  
 1. [ResourceGroup](ResourceGroup)  
-    1. [Use tags to organize AWS resources](Use-tags-to-organize-AWS-resources)  
-    1. [S3 Bucket Authenticated ‘FULL_CONTROL’ Access](S3-Bucket-Authenticated-‘FULL_CONTROL’-Access)  
-    1. [S3 Bucket Authenticated ‘READ’ Access](S3-Bucket-Authenticated-‘READ’-Access)  
-    1. [S3 Bucket Authenticated ‘READ_ACP’ Access](S3-Bucket-Authenticated-‘READ_ACP’-Access)  
-    1. [S3 Bucket Authenticated ‘WRITE’ Access](S3-Bucket-Authenticated-‘WRITE’-Access)  
-    1. [S3 Bucket Authenticated ‘WRITE_ACP’ Access](S3-Bucket-Authenticated-‘WRITE_ACP’-Access)  
-    1. [Enable S3 Bucket Default Encryption](Enable-S3-Bucket-Default-Encryption)  
-    1. [Enable Access Logging for S3 Buckets](Enable-Access-Logging-for-S3-Buckets)  
-    1. [Enable MFA Delete for S3 Buckets](Enable-MFA-Delete-for-S3-Buckets)  
-    1. [S3 Bucket Public Access Via Policy](S3-Bucket-Public-Access-Via-Policy)  
-    1. [Publicly Accessible S3 Buckets](Publicly-Accessible-S3-Buckets)  
-    1. [S3 Bucket Public ‘READ’ Access](S3-Bucket-Public-‘READ’-Access)  
-    1. [S3 Bucket Public ‘READ_ACP’ Access](S3-Bucket-Public-‘READ_ACP’-Access)  
-    1. [S3 Bucket Public ‘WRITE’ Access](S3-Bucket-Public-‘WRITE’-Access)  
-    1. [S3 Bucket Public ‘WRITE_ACP’ Access](S3-Bucket-Public-‘WRITE_ACP’-Access)  
-    1. [Enable Versioning for S3 Buckets](Enable-Versioning-for-S3-Buckets)  
-    1. [Review S3 Buckets with Website Configuration Enabled](Review-S3-Buckets-with-Website-Configuration-Enabled)  
-    1. [Detect S3 Configuration Changes](Detect-S3-Configuration-Changes)  
-    1. [S3 Unknown Cross Account Access](S3-Unknown-Cross-Account-Access)  
-    1. [Secure Transport](Secure-Transport)  
-    1. [Server-Side Encryption](Server-Side-Encryption)  
-    1. [Limit S3 Bucket Access by IP Address](Limit-S3-Bucket-Access-by-IP-Address)  
+    0. [Use tags to organize AWS resources](Use-tags-to-organize-AWS-resources)  
+    0. [S3 Bucket Authenticated ‘FULL_CONTROL’ Access](S3-Bucket-Authenticated-‘FULL_CONTROL’-Access)  
+    0. [S3 Bucket Authenticated ‘READ’ Access](S3-Bucket-Authenticated-‘READ’-Access)  
+    0. [S3 Bucket Authenticated ‘READ_ACP’ Access](S3-Bucket-Authenticated-‘READ_ACP’-Access)  
+    0. [S3 Bucket Authenticated ‘WRITE’ Access](S3-Bucket-Authenticated-‘WRITE’-Access)  
+    0. [S3 Bucket Authenticated ‘WRITE_ACP’ Access](S3-Bucket-Authenticated-‘WRITE_ACP’-Access)  
+    0. [Enable S3 Bucket Default Encryption](Enable-S3-Bucket-Default-Encryption)  
+    0. [Enable Access Logging for S3 Buckets](Enable-Access-Logging-for-S3-Buckets)  
+    0. [Enable MFA Delete for S3 Buckets](Enable-MFA-Delete-for-S3-Buckets)  
+    0. [S3 Bucket Public Access Via Policy](S3-Bucket-Public-Access-Via-Policy)  
+    0. [Publicly Accessible S3 Buckets](Publicly-Accessible-S3-Buckets)  
+    0. [S3 Bucket Public ‘READ’ Access](S3-Bucket-Public-‘READ’-Access)  
+    0. [S3 Bucket Public ‘READ_ACP’ Access](S3-Bucket-Public-‘READ_ACP’-Access)  
+    0. [S3 Bucket Public ‘WRITE’ Access](S3-Bucket-Public-‘WRITE’-Access)  
+    0. [S3 Bucket Public ‘WRITE_ACP’ Access](S3-Bucket-Public-‘WRITE_ACP’-Access)  
+    0. [Enable Versioning for S3 Buckets](Enable-Versioning-for-S3-Buckets)  
+    0. [Review S3 Buckets with Website Configuration Enabled](Review-S3-Buckets-with-Website-Configuration-Enabled)  
+    0. [Detect S3 Configuration Changes](Detect-S3-Configuration-Changes)  
+    0. [S3 Unknown Cross Account Access](S3-Unknown-Cross-Account-Access)  
+    0. [Secure Transport](Secure-Transport)  
+    0. [Server-Side Encryption](Server-Side-Encryption)  
+    0. [Limit S3 Bucket Access by IP Address](Limit-S3-Bucket-Access-by-IP-Address)  
 1. [SES](SES)  
-    1. [Enable DKIM for SES](Enable-DKIM-for-SES)  
-    1. [Unknown Cross-Account Access](Unknown-Cross-Account-Access)  
-    1. [Exposed SES Identities](Exposed-SES-Identities)  
-    1. [SES Identity Verification Status](SES-Identity-Verification-Status)  
+    0. [Enable DKIM for SES](Enable-DKIM-for-SES)  
+    0. [Unknown Cross-Account Access](Unknown-Cross-Account-Access)  
+    0. [Exposed SES Identities](Exposed-SES-Identities)  
+    0. [SES Identity Verification Status](SES-Identity-Verification-Status)  
 1. [Shield](Shield)  
-    1. [AWS Shield In Use](AWS-Shield-In-Use)  
+    0. [AWS Shield In Use](AWS-Shield-In-Use)  
 1. [TrustedAdvisor](TrustedAdvisor)  
-    1. [Trusted Advisor Checks](Trusted-Advisor-Checks)  
-    1. [Exposed IAM Access Keys](Exposed-IAM-Access-Keys)  
+    0. [Trusted Advisor Checks](Trusted-Advisor-Checks)  
+    0. [Exposed IAM Access Keys](Exposed-IAM-Access-Keys)  
 1. [VPC](VPC)  
-    1. [Allocate Elastic IPs for NAT Gateways](Allocate-Elastic-IPs-for-NAT-Gateways)  
-    1. [Create App-Tier VPC Subnets](Create-App-Tier-VPC-Subnets)  
-    1. [Create Data-Tier VPC Subnets](Create-Data-Tier-VPC-Subnets)  
-    1. [Default VPC In Use](Default-VPC-In-Use)  
-    1. [Unused VPC Internet Gateways](Unused-VPC-Internet-Gateways)  
-    1. [Use Managed NAT Gateway for VPC](Use-Managed-NAT-Gateway-for-VPC)  
-    1. [Create NAT Gateways in at Least Two Availability Zones](Create-NAT-Gateways-in-at-Least-Two-Availability-Zones)  
-    1. [Ineffective Network ACL DENY Rules](Ineffective-Network-ACL-DENY-Rules)  
-    1. [Unrestricted Network ACL Inbound Traffic](Unrestricted-Network-ACL-Inbound-Traffic)  
-    1. [Unrestricted Network ACL Outbound Traffic](Unrestricted-Network-ACL-Outbound-Traffic)  
-    1. [Create Route Table for Private Subnets](Create-Route-Table-for-Private-Subnets)  
-    1. [Create Route Table for Public Subnets](Create-Route-Table-for-Public-Subnets)  
-    1. [Enable Flow Logs for VPC Subnets](Enable-Flow-Logs-for-VPC-Subnets)  
-    1. [VPC Endpoint Unknown Cross Account Access](VPC-Endpoint-Unknown-Cross-Account-Access)  
-    1. [VPC Exposed Endpoints](VPC-Exposed-Endpoints)  
-    1. [VPC Endpoints In Use](VPC-Endpoints-In-Use)  
-    1. [Enable VPC Flow Logs](Enable-VPC-Flow-Logs)  
-    1. [VPC Naming Conventions](VPC-Naming-Conventions)  
-    1. [VPC Peering Connection Configuration](VPC-Peering-Connection-Configuration)  
-    1. [Unused Virtual Private Gateways](Unused-Virtual-Private-Gateways)  
-    1. [Create Web-Tier ELB Subnets](Create-Web-Tier-ELB-Subnets)  
-    1. [Create Web-Tier VPC Subnets](Create-Web-Tier-VPC-Subnets)  
+    0. [Allocate Elastic IPs for NAT Gateways](Allocate-Elastic-IPs-for-NAT-Gateways)  
+    0. [Create App-Tier VPC Subnets](Create-App-Tier-VPC-Subnets)  
+    0. [Create Data-Tier VPC Subnets](Create-Data-Tier-VPC-Subnets)  
+    0. [Default VPC In Use](Default-VPC-In-Use)  
+    0. [Unused VPC Internet Gateways](Unused-VPC-Internet-Gateways)  
+    0. [Use Managed NAT Gateway for VPC](Use-Managed-NAT-Gateway-for-VPC)  
+    0. [Create NAT Gateways in at Least Two Availability Zones](Create-NAT-Gateways-in-at-Least-Two-Availability-Zones)  
+    0. [Ineffective Network ACL DENY Rules](Ineffective-Network-ACL-DENY-Rules)  
+    0. [Unrestricted Network ACL Inbound Traffic](Unrestricted-Network-ACL-Inbound-Traffic)  
+    0. [Unrestricted Network ACL Outbound Traffic](Unrestricted-Network-ACL-Outbound-Traffic)  
+    0. [Create Route Table for Private Subnets](Create-Route-Table-for-Private-Subnets)  
+    0. [Create Route Table for Public Subnets](Create-Route-Table-for-Public-Subnets)  
+    0. [Enable Flow Logs for VPC Subnets](Enable-Flow-Logs-for-VPC-Subnets)  
+    0. [VPC Endpoint Unknown Cross Account Access](VPC-Endpoint-Unknown-Cross-Account-Access)  
+    0. [VPC Exposed Endpoints](VPC-Exposed-Endpoints)  
+    0. [VPC Endpoints In Use](VPC-Endpoints-In-Use)  
+    0. [Enable VPC Flow Logs](Enable-VPC-Flow-Logs)  
+    0. [VPC Naming Conventions](VPC-Naming-Conventions)  
+    0. [VPC Peering Connection Configuration](VPC-Peering-Connection-Configuration)  
+    0. [Unused Virtual Private Gateways](Unused-Virtual-Private-Gateways)  
+    0. [Create Web-Tier ELB Subnets](Create-Web-Tier-ELB-Subnets)  
+    0. [Create Web-Tier VPC Subnets](Create-Web-Tier-VPC-Subnets)  
 1. [WAF](WAF)  
-    1. [AWS Web Application Firewall In Use](AWS-Web-Application-Firewall-In-Use)  
+    0. [AWS Web Application Firewall In Use](AWS-Web-Application-Firewall-In-Use)  
 
 
 ---
@@ -518,8 +518,8 @@
 
 ### CloudFront Security Policy
 **Risk**: Medium  
-**Description**: Ensure that CloudFront distributions use a security policy with minimum TLSv1.  or TLSv1.2 and appropriate security ciphers for HTTPS viewer connections.     
-**Resolution**: Enable security policies that enforce TLS version 1.  or 1.2 as the minimum protocol version    
+**Description**: Ensure that CloudFront distributions use a security policy with minimum TLSv0.  or TLSv1.2 and appropriate security ciphers for HTTPS viewer connections.     
+**Resolution**: Enable security policies that enforce TLS version 0.  or 1.2 as the minimum protocol version    
 
 ### Unencrypted CloudFront Traffic
 **Risk**: Medium  

diff --git a/aws_sercurity_test.md b/aws_sercurity_test.md
@@ -1,372 +1,372 @@
 # Table of Contents
 
 1. [ACM](ACM)  
-    1.1 [Expired ACM Certificates](Expired-ACM-Certificates)  
-    1.1 [ACM Certificates Renewal](ACM-Certificates-Renewal)  
-    1.1 [ACM Certificates Validity](ACM-Certificates-Validity)  
+    1. [Expired ACM Certificates](Expired-ACM-Certificates)  
+    1. [ACM Certificates Renewal](ACM-Certificates-Renewal)  
+    1. [ACM Certificates Validity](ACM-Certificates-Validity)  
 1. [API Gateway](API-Gateway)  
-    1.1 [Enable CloudWatch Logs for APIs](Enable-CloudWatch-Logs-for-APIs)  
-    1.1 [Enable Detailed CloudWatch Metrics for APIs](Enable-Detailed-CloudWatch-Metrics-for-APIs)  
-    1.1 [API Gateway Private Endpoints](API-Gateway-Private-Endpoints)  
+    1. [Enable CloudWatch Logs for APIs](Enable-CloudWatch-Logs-for-APIs)  
+    1. [Enable Detailed CloudWatch Metrics for APIs](Enable-Detailed-CloudWatch-Metrics-for-APIs)  
+    1. [API Gateway Private Endpoints](API-Gateway-Private-Endpoints)  
 1. [AutoScaling](AutoScaling)  
-    1.1 [ASG Cooldown Period](ASG-Cooldown-Period)  
-    1.1 [Enable ASG Notifications](Enable-ASG-Notifications)  
-    1.1 [App-Tier ASGs with Associated ELB](App-Tier-ASGs-with-Associated-ELB)  
-    1.1 [CloudWatch Logs Agent for App-Tier ASG In Use](CloudWatch-Logs-Agent-for-App-Tier-ASG-In-Use)  
-    1.1 [IAM Roles for App-Tier ASG Launch Configurations](IAM-Roles-for-App-Tier-ASG-Launch-Configurations)  
-    1.1 [Use Approved AMIs for App-Tier ASG Launch Configurations](Use-Approved-AMIs-for-App-Tier-ASG-Launch-Configurations)  
-    1.1 [Auto Scaling Group Referencing Missing ELB](Auto-Scaling-Group-Referencing-Missing-ELB)  
-    1.1 [Empty Auto Scaling Groups](Empty-Auto-Scaling-Groups)  
-    1.1 [Launch Configuration Referencing Missing AMI](Launch-Configuration-Referencing-Missing-AMI)  
-    1.1 [Launch Configuration Referencing Missing Security Group](Launch-Configuration-Referencing-Missing-Security-Group)  
-    1.1 [Unused Launch Configuration Templates](Unused-Launch-Configuration-Templates)  
-    1.1 [Multi-AZ Auto Scaling Groups](Multi-AZ-Auto-Scaling-Groups)  
-    1.1 [Same ELB Availability Zones](Same-ELB-Availability-Zones)  
-    1.1 [Suspended Auto Scaling Group Processes](Suspended-Auto-Scaling-Group-Processes)  
-    1.1 [Web-Tier Auto Scaling Groups with Associated ELBs](Web-Tier-Auto-Scaling-Groups-with-Associated-ELBs)  
-    1.1 [Use Approved AMIs for Web-Tier ASG Launch Configurations](Use-Approved-AMIs-for-Web-Tier-ASG-Launch-Configurations)  
+    1. [ASG Cooldown Period](ASG-Cooldown-Period)  
+    1. [Enable ASG Notifications](Enable-ASG-Notifications)  
+    1. [App-Tier ASGs with Associated ELB](App-Tier-ASGs-with-Associated-ELB)  
+    1. [CloudWatch Logs Agent for App-Tier ASG In Use](CloudWatch-Logs-Agent-for-App-Tier-ASG-In-Use)  
+    1. [IAM Roles for App-Tier ASG Launch Configurations](IAM-Roles-for-App-Tier-ASG-Launch-Configurations)  
+    1. [Use Approved AMIs for App-Tier ASG Launch Configurations](Use-Approved-AMIs-for-App-Tier-ASG-Launch-Configurations)  
+    1. [Auto Scaling Group Referencing Missing ELB](Auto-Scaling-Group-Referencing-Missing-ELB)  
+    1. [Empty Auto Scaling Groups](Empty-Auto-Scaling-Groups)  
+    1. [Launch Configuration Referencing Missing AMI](Launch-Configuration-Referencing-Missing-AMI)  
+    1. [Launch Configuration Referencing Missing Security Group](Launch-Configuration-Referencing-Missing-Security-Group)  
+    1. [Unused Launch Configuration Templates](Unused-Launch-Configuration-Templates)  
+    1. [Multi-AZ Auto Scaling Groups](Multi-AZ-Auto-Scaling-Groups)  
+    1. [Same ELB Availability Zones](Same-ELB-Availability-Zones)  
+    1. [Suspended Auto Scaling Group Processes](Suspended-Auto-Scaling-Group-Processes)  
+    1. [Web-Tier Auto Scaling Groups with Associated ELBs](Web-Tier-Auto-Scaling-Groups-with-Associated-ELBs)  
+    1. [Use Approved AMIs for Web-Tier ASG Launch Configurations](Use-Approved-AMIs-for-Web-Tier-ASG-Launch-Configurations)  
 1. [CloudFront](CloudFront)  
-    1.1 [CloudFront CDN In Use](CloudFront-CDN-In-Use)  
-    1.1 [CloudFront WAF Integration](CloudFront-WAF-Integration)  
-    1.1 [Enable Origin Access Identity for CloudFront Distributions with S3 Origin](Enable-Origin-Access-Identity-for-CloudFront-Distributions-with-S3-Origin)  
-    1.1 [CloudFront Origin Insecure SSL Protocols](CloudFront-Origin-Insecure-SSL-Protocols)  
-    1.1 [CloudFront Security Policy](CloudFront-Security-Policy)  
-    1.1 [Unencrypted CloudFront Traffic](Unencrypted-CloudFront-Traffic)  
-    1.1 [Use Cloudfront CDN](Use-Cloudfront-CDN)  
+    1. [CloudFront CDN In Use](CloudFront-CDN-In-Use)  
+    1. [CloudFront WAF Integration](CloudFront-WAF-Integration)  
+    1. [Enable Origin Access Identity for CloudFront Distributions with S3 Origin](Enable-Origin-Access-Identity-for-CloudFront-Distributions-with-S3-Origin)  
+    1. [CloudFront Origin Insecure SSL Protocols](CloudFront-Origin-Insecure-SSL-Protocols)  
+    1. [CloudFront Security Policy](CloudFront-Security-Policy)  
+    1. [Unencrypted CloudFront Traffic](Unencrypted-CloudFront-Traffic)  
+    1. [Use Cloudfront CDN](Use-Cloudfront-CDN)  
 1. [CloudTrail](CloudTrail)  
-    1.1 [Enable access logging for CloudTrail buckets](Enable-access-logging-for-CloudTrail-buckets)  
-    1.1 [Enable MFA Delete for CloudTrail bucket](Enable-MFA-Delete-for-CloudTrail-bucket)  
-    1.1 [CloudTrail insecure buckets](CloudTrail-insecure-buckets)  
-    1.1 [Monitor CloudTrail Configuration Changes](Monitor-CloudTrail-Configuration-Changes)  
-    1.1 [Enable CloudTrail integration with CloudWatch](Enable-CloudTrail-integration-with-CloudWatch)  
-    1.1 [Enable CloudTrail log file integrity validation](Enable-CloudTrail-log-file-integrity-validation)  
-    1.1 [Enable CloudTrail log files encryption](Enable-CloudTrail-log-files-encryption)  
-    1.1 [CloudTrail Log Files Delivery Failing](CloudTrail-Log-Files-Delivery-Failing)  
+    1. [Enable access logging for CloudTrail buckets](Enable-access-logging-for-CloudTrail-buckets)  
+    1. [Enable MFA Delete for CloudTrail bucket](Enable-MFA-Delete-for-CloudTrail-bucket)  
+    1. [CloudTrail insecure buckets](CloudTrail-insecure-buckets)  
+    1. [Monitor CloudTrail Configuration Changes](Monitor-CloudTrail-Configuration-Changes)  
+    1. [Enable CloudTrail integration with CloudWatch](Enable-CloudTrail-integration-with-CloudWatch)  
+    1. [Enable CloudTrail log file integrity validation](Enable-CloudTrail-log-file-integrity-validation)  
+    1. [Enable CloudTrail log files encryption](Enable-CloudTrail-log-files-encryption)  
+    1. [CloudTrail Log Files Delivery Failing](CloudTrail-Log-Files-Delivery-Failing)  
 1. [CloudWatch](CloudWatch)  
-    1.1 [Enable AWS Billing Alerts](Enable-AWS-Billing-Alerts)  
-    1.1 [Enable CloudWatch Billing Alarm](Enable-CloudWatch-Billing-Alarm)  
-    1.1 [Exposed CloudWatch Event Bus](Exposed-CloudWatch-Event-Bus)  
-    1.1 [CloudWatch Events In Use](CloudWatch-Events-In-Use)  
-    1.1 [Alarm for Config Changes](Alarm-for-Config-Changes)  
-    1.1 [Alarm for Organizations Changes](Alarm-for-Organizations-Changes)  
-    1.1 [Alarm for multiple Sign-in Failures](Alarm-for-multiple-Sign-in-Failures)  
-    1.1 [Monitor for AWS Console Sign-In Requests Without MFA](Monitor-for-AWS-Console-Sign-In-Requests-Without-MFA)  
-    1.1 [Alarm for EC2 Instance Changes](Alarm-for-EC2-Instance-Changes)  
-    1.1 [Alarm for EC2 Large Instance Changes](Alarm-for-EC2-Large-Instance-Changes)  
-    1.1 [Alarm for Root Account Usage](Alarm-for-Root-Account-Usage)  
-    1.1 [Alarm for S3 Bucket Changes](Alarm-for-S3-Bucket-Changes)  
+    1. [Enable AWS Billing Alerts](Enable-AWS-Billing-Alerts)  
+    1. [Enable CloudWatch Billing Alarm](Enable-CloudWatch-Billing-Alarm)  
+    1. [Exposed CloudWatch Event Bus](Exposed-CloudWatch-Event-Bus)  
+    1. [CloudWatch Events In Use](CloudWatch-Events-In-Use)  
+    1. [Alarm for Config Changes](Alarm-for-Config-Changes)  
+    1. [Alarm for Organizations Changes](Alarm-for-Organizations-Changes)  
+    1. [Alarm for multiple Sign-in Failures](Alarm-for-multiple-Sign-in-Failures)  
+    1. [Monitor for AWS Console Sign-In Requests Without MFA](Monitor-for-AWS-Console-Sign-In-Requests-Without-MFA)  
+    1. [Alarm for EC2 Instance Changes](Alarm-for-EC2-Instance-Changes)  
+    1. [Alarm for EC2 Large Instance Changes](Alarm-for-EC2-Large-Instance-Changes)  
+    1. [Alarm for Root Account Usage](Alarm-for-Root-Account-Usage)  
+    1. [Alarm for S3 Bucket Changes](Alarm-for-S3-Bucket-Changes)  
 1. [Config](Config)  
-    1.1 [Monitor AWS Config configuration changes](Monitor-AWS-Config-configuration-changes)  
-    1.1 [Enable AWS Config](Enable-AWS-Config)  
-    1.1 [AWS Config Referencing Missing S3 Bucket](AWS-Config-Referencing-Missing-S3-Bucket)  
-    1.1 [AWS Config Referencing Missing SNS Topic](AWS-Config-Referencing-Missing-SNS-Topic)  
-    1.1 [AWS Config Log Files Delivery Failing](AWS-Config-Log-Files-Delivery-Failing)  
-    1.1 [Include Global Resources into AWS Config Settings](Include-Global-Resources-into-AWS-Config-Settings)  
+    1. [Monitor AWS Config configuration changes](Monitor-AWS-Config-configuration-changes)  
+    1. [Enable AWS Config](Enable-AWS-Config)  
+    1. [AWS Config Referencing Missing S3 Bucket](AWS-Config-Referencing-Missing-S3-Bucket)  
+    1. [AWS Config Referencing Missing SNS Topic](AWS-Config-Referencing-Missing-SNS-Topic)  
+    1. [AWS Config Log Files Delivery Failing](AWS-Config-Log-Files-Delivery-Failing)  
+    1. [Include Global Resources into AWS Config Settings](Include-Global-Resources-into-AWS-Config-Settings)  
 1. [DynamoDB](DynamoDB)  
-    1.1 [Enable DynamoDB Auto Scaling](Enable-DynamoDB-Auto-Scaling)  
-    1.1 [DynamoDB Backup and Restore](DynamoDB-Backup-and-Restore)  
-    1.1 [Enable DynamoDB Continuous Backups](Enable-DynamoDB-Continuous-Backups)  
-    1.1 [DynamoDB Server-Side Encryption](DynamoDB-Server-Side-Encryption)  
+    1. [Enable DynamoDB Auto Scaling](Enable-DynamoDB-Auto-Scaling)  
+    1. [DynamoDB Backup and Restore](DynamoDB-Backup-and-Restore)  
+    1. [Enable DynamoDB Continuous Backups](Enable-DynamoDB-Continuous-Backups)  
+    1. [DynamoDB Server-Side Encryption](DynamoDB-Server-Side-Encryption)  
 1. [EBS](EBS)  
-    1.1 [Enable EBS Encryption](Enable-EBS-Encryption)  
-    1.1 [Use KMS Customer Master Keys for EBS encryption](Use-KMS-Customer-Master-Keys-for-EBS-encryption)  
-    1.1 [EBS Volume Naming Conventions](EBS-Volume-Naming-Conventions)  
-    1.1 [EBS Public Snapshots](EBS-Public-Snapshots)  
-    1.1 [EBS volumes recent snapshots](EBS-volumes-recent-snapshots)  
-    1.1 [Remove EBS old snapshots](Remove-EBS-old-snapshots)  
-    1.1 [Remove Unattached EC2 EBS volumes](Remove-Unattached-EC2-EBS-volumes)  
-    1.1 [Enable EBS Snapshot Encryption](Enable-EBS-Snapshot-Encryption)  
-    1.1 [EBS Volumes Attached to Stopped EC2 Instances](EBS-Volumes-Attached-to-Stopped-EC2-Instances)  
-    1.1 [Approved/Golden AMI](Approved/Golden-AMI)  
-    1.1 [AWS Blacklisted AMI](AWS-Blacklisted-AMI)  
-    1.1 [Enable AMI Encryption](Enable-AMI-Encryption)  
-    1.1 [AMI Naming Conventions](AMI-Naming-Conventions)  
-    1.1 [Check for AMI Age](Check-for-AMI-Age)  
-    1.1 [Unused AMI](Unused-AMI)  
-    1.1 [Unassociated Elastic IP Addresses](Unassociated-Elastic-IP-Addresses)  
-    1.1 [Publicly Shared App-Tier AMIs](Publicly-Shared-App-Tier-AMIs)  
-    1.1 [App-Tier EC2 Instances Without Elastic or Public IP Addresses](App-Tier-EC2-Instances-Without-Elastic-or-Public-IP-Addresses)  
-    1.1 [Check app-tier ELB subnet connectivity to Internet Gateway](Check-app-tier-ELB-subnet-connectivity-to-Internet-Gateway)  
-    1.1 [IAM Roles for App-Tier EC2 Instances](IAM-Roles-for-App-Tier-EC2-Instances)  
-    1.1 [Create and Configure App-Tier Security Group](Create-and-Configure-App-Tier-Security-Group)  
-    1.1 [EC2 Instances Distribution Across Availability Zones](EC2-Instances-Distribution-Across-Availability-Zones)  
-    1.1 [EC2-Classic Elastic IP Address Limit](EC2-Classic-Elastic-IP-Address-Limit)  
-    1.1 [Data-Tier Instances Without Elastic or Public IP Addresses](Data-Tier-Instances-Without-Elastic-or-Public-IP-Addresses)  
-    1.1 [Create and Configure Data-Tier Security Group](Create-and-Configure-Data-Tier-Security-Group)  
-    1.1 [Restrict data-tier subnet connectivity to VPC NAT Gateway](Restrict-data-tier-subnet-connectivity-to-VPC-NAT-Gateway)  
-    1.1 [Unrestricted Default Security Groups](Unrestricted-Default-Security-Groups)  
-    1.1 [Default EC2 Security Groups In Use](Default-EC2-Security-Groups-In-Use)  
-    1.1 [Detailed Monitoring for EC2 Instances](Detailed-Monitoring-for-EC2-Instances)  
-    1.1 [EC2 Desired Instance Type](EC2-Desired-Instance-Type)  
-    1.1 [Review EC2 Dedicated Instances](Review-EC2-Dedicated-Instances)  
-    1.1 [EC2 Instance Not In Public Subnet](EC2-Instance-Not-In-Public-Subnet)  
-    1.1 [Unused EC2 Reserved Instances](Unused-EC2-Reserved-Instances)  
-    1.1 [Total Number of EC2 Instances](Total-Number-of-EC2-Instances)  
-    1.1 [EC2 Instance Type Generation](EC2-Instance-Type-Generation)  
-    1.1 [Instance In Auto Scaling Group](Instance-In-Auto-Scaling-Group)  
-    1.1 [EC2 Platform](EC2-Platform)  
-    1.1 [EC2 Instance Limit](EC2-Instance-Limit)  
-    1.1 [EC2 Instance Naming Conventions](EC2-Instance-Naming-Conventions)  
-    1.1 [EC2 Instances with Scheduled Events](EC2-Instances-with-Scheduled-Events)  
-    1.1 [EC2 Instance Security Group Rules Count](EC2-Instance-Security-Group-Rules-Count)  
-    1.1 [EC2 Instance Tenancy Type](EC2-Instance-Tenancy-Type)  
-    1.1 [EC2 Instance Termination Protection](EC2-Instance-Termination-Protection)  
-    1.1 [EC2 Instance Age](EC2-Instance-Age)  
-    1.1 [EC2 Instance IAM Roles](EC2-Instance-IAM-Roles)  
-    1.1 [Overutilized EC2 Instances](Overutilized-EC2-Instances)  
-    1.1 [Publicly Shared AMIs](Publicly-Shared-AMIs)  
-    1.1 [EC2 Reserved Instance Lease Expiration](EC2-Reserved-Instance-Lease-Expiration)  
-    1.1 [EC2 Security Groups Count](EC2-Security-Groups-Count)  
-    1.1 [EC2 Security Group Port Range](EC2-Security-Group-Port-Range)  
-    1.1 [Underutilized EC2 Instances](Underutilized-EC2-Instances)  
-    1.1 [EC2 Security Group Unrestricted Access](EC2-Security-Group-Unrestricted-Access)  
-    1.1 [Unrestricted CIFS Access](Unrestricted-CIFS-Access)  
-    1.1 [Unrestricted DNS Access](Unrestricted-DNS-Access)  
-    1.1 [Unrestricted ElasticSearch Access](Unrestricted-ElasticSearch-Access)  
-    1.1 [Unrestricted FTP Access](Unrestricted-FTP-Access)  
-    1.1 [Unrestricted HTTP Access](Unrestricted-HTTP-Access)  
-    1.1 [Unrestricted HTTPS Access](Unrestricted-HTTPS-Access)  
-    1.1 [Unrestricted ICMP Access](Unrestricted-ICMP-Access)  
-    1.1 [Unrestricted Inbound Access on Uncommon Ports](Unrestricted-Inbound-Access-on-Uncommon-Ports)  
-    1.1 [Unrestricted MongoDB Access](Unrestricted-MongoDB-Access)  
-    1.1 [Unrestricted MSSQL Database Access](Unrestricted-MSSQL-Database-Access)  
-    1.1 [Unrestricted MySQL Database Access](Unrestricted-MySQL-Database-Access)  
-    1.1 [Unrestricted NetBIOS Access](Unrestricted-NetBIOS-Access)  
-    1.1 [Unrestricted Oracle Database Access](Unrestricted-Oracle-Database-Access)  
-    1.1 [Unrestricted Outbound Access on All Ports](Unrestricted-Outbound-Access-on-All-Ports)  
-    1.1 [Unrestricted PostgreSQL Database Access](Unrestricted-PostgreSQL-Database-Access)  
-    1.1 [Unrestricted RDP Access](Unrestricted-RDP-Access)  
-    1.1 [Unrestricted RPC Access](Unrestricted-RPC-Access)  
-    1.1 [Unrestricted SMTP Access](Unrestricted-SMTP-Access)  
-    1.1 [Unrestricted SSH Access](Unrestricted-SSH-Access)  
-    1.1 [Unrestricted Telnet Access](Unrestricted-Telnet-Access)  
-    1.1 [Unused Elastic Network Interfaces](Unused-Elastic-Network-Interfaces)  
-    1.1 [Unused EC2 Key Pairs](Unused-EC2-Key-Pairs)  
-    1.1 [EC2-VPC Elastic IP Address Limit](EC2-VPC-Elastic-IP-Address-Limit)  
-    1.1 [Publicly Shared Web-Tier AMIs](Publicly-Shared-Web-Tier-AMIs)  
-    1.1 [Web-Tier EC2 Instances Without Elastic or Public IP Addresses](Web-Tier-EC2-Instances-Without-Elastic-or-Public-IP-Addresses)  
-    1.1 [Check web-tier ELB subnet connectivity to Internet Gateway](Check-web-tier-ELB-subnet-connectivity-to-Internet-Gateway)  
-    1.1 [Attach Policy to IAM Roles Associated with Web-Tier EC2 Instances](Attach-Policy-to-IAM-Roles-Associated-with-Web-Tier-EC2-Instances)  
-    1.1 [IAM Roles for Web-Tier EC2 Instances](IAM-Roles-for-Web-Tier-EC2-Instances)  
-    1.1 [Create and Configure Web-Tier Security Group](Create-and-Configure-Web-Tier-Security-Group)  
-    1.1 [Check web-tier subnet connectivity to VPC NAT Gateway](Check-web-tier-subnet-connectivity-to-VPC-NAT-Gateway)  
+    1. [Enable EBS Encryption](Enable-EBS-Encryption)  
+    1. [Use KMS Customer Master Keys for EBS encryption](Use-KMS-Customer-Master-Keys-for-EBS-encryption)  
+    1. [EBS Volume Naming Conventions](EBS-Volume-Naming-Conventions)  
+    1. [EBS Public Snapshots](EBS-Public-Snapshots)  
+    1. [EBS volumes recent snapshots](EBS-volumes-recent-snapshots)  
+    1. [Remove EBS old snapshots](Remove-EBS-old-snapshots)  
+    1. [Remove Unattached EC2 EBS volumes](Remove-Unattached-EC2-EBS-volumes)  
+    1. [Enable EBS Snapshot Encryption](Enable-EBS-Snapshot-Encryption)  
+    1. [EBS Volumes Attached to Stopped EC2 Instances](EBS-Volumes-Attached-to-Stopped-EC2-Instances)  
+    1. [Approved/Golden AMI](Approved/Golden-AMI)  
+    1. [AWS Blacklisted AMI](AWS-Blacklisted-AMI)  
+    1. [Enable AMI Encryption](Enable-AMI-Encryption)  
+    1. [AMI Naming Conventions](AMI-Naming-Conventions)  
+    1. [Check for AMI Age](Check-for-AMI-Age)  
+    1. [Unused AMI](Unused-AMI)  
+    1. [Unassociated Elastic IP Addresses](Unassociated-Elastic-IP-Addresses)  
+    1. [Publicly Shared App-Tier AMIs](Publicly-Shared-App-Tier-AMIs)  
+    1. [App-Tier EC2 Instances Without Elastic or Public IP Addresses](App-Tier-EC2-Instances-Without-Elastic-or-Public-IP-Addresses)  
+    1. [Check app-tier ELB subnet connectivity to Internet Gateway](Check-app-tier-ELB-subnet-connectivity-to-Internet-Gateway)  
+    1. [IAM Roles for App-Tier EC2 Instances](IAM-Roles-for-App-Tier-EC2-Instances)  
+    1. [Create and Configure App-Tier Security Group](Create-and-Configure-App-Tier-Security-Group)  
+    1. [EC2 Instances Distribution Across Availability Zones](EC2-Instances-Distribution-Across-Availability-Zones)  
+    1. [EC2-Classic Elastic IP Address Limit](EC2-Classic-Elastic-IP-Address-Limit)  
+    1. [Data-Tier Instances Without Elastic or Public IP Addresses](Data-Tier-Instances-Without-Elastic-or-Public-IP-Addresses)  
+    1. [Create and Configure Data-Tier Security Group](Create-and-Configure-Data-Tier-Security-Group)  
+    1. [Restrict data-tier subnet connectivity to VPC NAT Gateway](Restrict-data-tier-subnet-connectivity-to-VPC-NAT-Gateway)  
+    1. [Unrestricted Default Security Groups](Unrestricted-Default-Security-Groups)  
+    1. [Default EC2 Security Groups In Use](Default-EC2-Security-Groups-In-Use)  
+    1. [Detailed Monitoring for EC2 Instances](Detailed-Monitoring-for-EC2-Instances)  
+    1. [EC2 Desired Instance Type](EC2-Desired-Instance-Type)  
+    1. [Review EC2 Dedicated Instances](Review-EC2-Dedicated-Instances)  
+    1. [EC2 Instance Not In Public Subnet](EC2-Instance-Not-In-Public-Subnet)  
+    1. [Unused EC2 Reserved Instances](Unused-EC2-Reserved-Instances)  
+    1. [Total Number of EC2 Instances](Total-Number-of-EC2-Instances)  
+    1. [EC2 Instance Type Generation](EC2-Instance-Type-Generation)  
+    1. [Instance In Auto Scaling Group](Instance-In-Auto-Scaling-Group)  
+    1. [EC2 Platform](EC2-Platform)  
+    1. [EC2 Instance Limit](EC2-Instance-Limit)  
+    1. [EC2 Instance Naming Conventions](EC2-Instance-Naming-Conventions)  
+    1. [EC2 Instances with Scheduled Events](EC2-Instances-with-Scheduled-Events)  
+    1. [EC2 Instance Security Group Rules Count](EC2-Instance-Security-Group-Rules-Count)  
+    1. [EC2 Instance Tenancy Type](EC2-Instance-Tenancy-Type)  
+    1. [EC2 Instance Termination Protection](EC2-Instance-Termination-Protection)  
+    1. [EC2 Instance Age](EC2-Instance-Age)  
+    1. [EC2 Instance IAM Roles](EC2-Instance-IAM-Roles)  
+    1. [Overutilized EC2 Instances](Overutilized-EC2-Instances)  
+    1. [Publicly Shared AMIs](Publicly-Shared-AMIs)  
+    1. [EC2 Reserved Instance Lease Expiration](EC2-Reserved-Instance-Lease-Expiration)  
+    1. [EC2 Security Groups Count](EC2-Security-Groups-Count)  
+    1. [EC2 Security Group Port Range](EC2-Security-Group-Port-Range)  
+    1. [Underutilized EC2 Instances](Underutilized-EC2-Instances)  
+    1. [EC2 Security Group Unrestricted Access](EC2-Security-Group-Unrestricted-Access)  
+    1. [Unrestricted CIFS Access](Unrestricted-CIFS-Access)  
+    1. [Unrestricted DNS Access](Unrestricted-DNS-Access)  
+    1. [Unrestricted ElasticSearch Access](Unrestricted-ElasticSearch-Access)  
+    1. [Unrestricted FTP Access](Unrestricted-FTP-Access)  
+    1. [Unrestricted HTTP Access](Unrestricted-HTTP-Access)  
+    1. [Unrestricted HTTPS Access](Unrestricted-HTTPS-Access)  
+    1. [Unrestricted ICMP Access](Unrestricted-ICMP-Access)  
+    1. [Unrestricted Inbound Access on Uncommon Ports](Unrestricted-Inbound-Access-on-Uncommon-Ports)  
+    1. [Unrestricted MongoDB Access](Unrestricted-MongoDB-Access)  
+    1. [Unrestricted MSSQL Database Access](Unrestricted-MSSQL-Database-Access)  
+    1. [Unrestricted MySQL Database Access](Unrestricted-MySQL-Database-Access)  
+    1. [Unrestricted NetBIOS Access](Unrestricted-NetBIOS-Access)  
+    1. [Unrestricted Oracle Database Access](Unrestricted-Oracle-Database-Access)  
+    1. [Unrestricted Outbound Access on All Ports](Unrestricted-Outbound-Access-on-All-Ports)  
+    1. [Unrestricted PostgreSQL Database Access](Unrestricted-PostgreSQL-Database-Access)  
+    1. [Unrestricted RDP Access](Unrestricted-RDP-Access)  
+    1. [Unrestricted RPC Access](Unrestricted-RPC-Access)  
+    1. [Unrestricted SMTP Access](Unrestricted-SMTP-Access)  
+    1. [Unrestricted SSH Access](Unrestricted-SSH-Access)  
+    1. [Unrestricted Telnet Access](Unrestricted-Telnet-Access)  
+    1. [Unused Elastic Network Interfaces](Unused-Elastic-Network-Interfaces)  
+    1. [Unused EC2 Key Pairs](Unused-EC2-Key-Pairs)  
+    1. [EC2-VPC Elastic IP Address Limit](EC2-VPC-Elastic-IP-Address-Limit)  
+    1. [Publicly Shared Web-Tier AMIs](Publicly-Shared-Web-Tier-AMIs)  
+    1. [Web-Tier EC2 Instances Without Elastic or Public IP Addresses](Web-Tier-EC2-Instances-Without-Elastic-or-Public-IP-Addresses)  
+    1. [Check web-tier ELB subnet connectivity to Internet Gateway](Check-web-tier-ELB-subnet-connectivity-to-Internet-Gateway)  
+    1. [Attach Policy to IAM Roles Associated with Web-Tier EC2 Instances](Attach-Policy-to-IAM-Roles-Associated-with-Web-Tier-EC2-Instances)  
+    1. [IAM Roles for Web-Tier EC2 Instances](IAM-Roles-for-Web-Tier-EC2-Instances)  
+    1. [Create and Configure Web-Tier Security Group](Create-and-Configure-Web-Tier-Security-Group)  
+    1. [Check web-tier subnet connectivity to VPC NAT Gateway](Check-web-tier-subnet-connectivity-to-VPC-NAT-Gateway)  
 1. [ECR](ECR)  
-    1.1 [ECR Unknown Cross Account Access](ECR-Unknown-Cross-Account-Access)  
-    1.1 [Check for Exposed ECR Repositories](Check-for-Exposed-ECR-Repositories)  
+    1. [ECR Unknown Cross Account Access](ECR-Unknown-Cross-Account-Access)  
+    1. [Check for Exposed ECR Repositories](Check-for-Exposed-ECR-Repositories)  
 1. [EFS](EFS)  
-    1.1 [KMS Customer Master Keys for EFS Encryption](KMS-Customer-Master-Keys-for-EFS-Encryption)  
-    1.1 [Enable EFS Encryption](Enable-EFS-Encryption)  
+    1. [KMS Customer Master Keys for EFS Encryption](KMS-Customer-Master-Keys-for-EFS-Encryption)  
+    1. [Enable EFS Encryption](Enable-EFS-Encryption)  
 1. [ElasticSearch](ElasticSearch)  
-    1.1 [ElasticSearch Cluster Status](ElasticSearch-Cluster-Status)  
-    1.1 [ElasticSearch Instance Type](ElasticSearch-Instance-Type)  
-    1.1 [ElasticSearch Domain Encrypted with KMS CMKs](ElasticSearch-Domain-Encrypted-with-KMS-CMKs)  
-    1.1 [ElasticSearch Unknown Cross Account Access](ElasticSearch-Unknown-Cross-Account-Access)  
-    1.1 [ElasticSearch Exposed Domains](ElasticSearch-Exposed-Domains)  
-    1.1 [ElasticSearch Domain IP-Based Access](ElasticSearch-Domain-IP-Based-Access)  
-    1.1 [ElasticSearch General Purpose SSD Node Type](ElasticSearch-General-Purpose-SSD-Node-Type)  
-    1.1 [ElasticSearch Version](ElasticSearch-Version)  
-    1.1 [Enable ElasticSearch Zone Awareness](Enable-ElasticSearch-Zone-Awareness)  
-    1.1 [Enable ElasticSearch Encryption At Rest](Enable-ElasticSearch-Encryption-At-Rest)  
-    1.1 [ElasticSearch Free Storage Space](ElasticSearch-Free-Storage-Space)  
-    1.1 [Total Number of ElasticSearch Instances](Total-Number-of-ElasticSearch-Instances)  
-    1.1 [Enable ElasticSearch Node-to-Node Encryption](Enable-ElasticSearch-Node-to-Node-Encryption)  
-    1.1 [Enable ElasticSearch Slow Logs](Enable-ElasticSearch-Slow-Logs)  
+    1. [ElasticSearch Cluster Status](ElasticSearch-Cluster-Status)  
+    1. [ElasticSearch Instance Type](ElasticSearch-Instance-Type)  
+    1. [ElasticSearch Domain Encrypted with KMS CMKs](ElasticSearch-Domain-Encrypted-with-KMS-CMKs)  
+    1. [ElasticSearch Unknown Cross Account Access](ElasticSearch-Unknown-Cross-Account-Access)  
+    1. [ElasticSearch Exposed Domains](ElasticSearch-Exposed-Domains)  
+    1. [ElasticSearch Domain IP-Based Access](ElasticSearch-Domain-IP-Based-Access)  
+    1. [ElasticSearch General Purpose SSD Node Type](ElasticSearch-General-Purpose-SSD-Node-Type)  
+    1. [ElasticSearch Version](ElasticSearch-Version)  
+    1. [Enable ElasticSearch Zone Awareness](Enable-ElasticSearch-Zone-Awareness)  
+    1. [Enable ElasticSearch Encryption At Rest](Enable-ElasticSearch-Encryption-At-Rest)  
+    1. [ElasticSearch Free Storage Space](ElasticSearch-Free-Storage-Space)  
+    1. [Total Number of ElasticSearch Instances](Total-Number-of-ElasticSearch-Instances)  
+    1. [Enable ElasticSearch Node-to-Node Encryption](Enable-ElasticSearch-Node-to-Node-Encryption)  
+    1. [Enable ElasticSearch Slow Logs](Enable-ElasticSearch-Slow-Logs)  
 1. [ELB](ELB)  
-    1.1 [Enable HTTPS/SSL Listener for App-Tier ELBs](Enable-HTTPS/SSL-Listener-for-App-Tier-ELBs)  
-    1.1 [Enable Latest SSL Security Policy for App-Tier ELBs](Enable-Latest-SSL-Security-Policy-for-App-Tier-ELBs)  
-    1.1 [Add SSL/TLS Server Certificates to App-Tier ELBs](Add-SSL/TLS-Server-Certificates-to-App-Tier-ELBs)  
-    1.1 [App-Tier ELBs Health Check](App-Tier-ELBs-Health-Check)  
-    1.1 [Enable ELB Access Logging](Enable-ELB-Access-Logging)  
-    1.1 [AWS Classic Load Balancer](AWS-Classic-Load-Balancer)  
-    1.1 [Connection Draining Enabled](Connection-Draining-Enabled)  
-    1.1 [Enable ELB Cross-Zone Load Balancing](Enable-ELB-Cross-Zone-Load-Balancing)  
-    1.1 [ELB insecure SSL ciphers](ELB-insecure-SSL-ciphers)  
-    1.1 [ELB insecure SSL protocols](ELB-insecure-SSL-protocols)  
-    1.1 [ELB Listener Security](ELB-Listener-Security)  
-    1.1 [ELB minimum number of EC2 instances](ELB-minimum-number-of-EC2-instances)  
-    1.1 [ELB Security Group](ELB-Security-Group)  
-    1.1 [ELB Security Policy](ELB-Security-Policy)  
-    1.1 [Remove unused ELBs](Remove-unused-ELBs)  
-    1.1 [ELB Instances Distribution Across Availability Zones](ELB-Instances-Distribution-Across-Availability-Zones)  
-    1.1 [Review AWS Internet Facing Load Balancers](Review-AWS-Internet-Facing-Load-Balancers)  
-    1.1 [Enable HTTPS/SSL Listener for Web-Tier ELBs](Enable-HTTPS/SSL-Listener-for-Web-Tier-ELBs)  
-    1.1 [Enable Latest SSL Security Policy for Web-Tier ELBs](Enable-Latest-SSL-Security-Policy-for-Web-Tier-ELBs)  
-    1.1 [Add SSL/TLS Server Certificates to Web-Tier ELBs](Add-SSL/TLS-Server-Certificates-to-Web-Tier-ELBs)  
-    1.1 [Web-Tier ELBs Health Check](Web-Tier-ELBs-Health-Check)  
-    1.1 [Enable ALB (ELBv2)-Access-Logging](Enable-ALB-(ELBv2)-Access-Logging)  
-    1.1 [Enable Elastic Load Balancing Deletion Protection](Enable-Elastic-Load-Balancing-Deletion-Protection)  
-    1.1 [ELBv2 Instances Distribution Across Availability Zones](ELBv2-Instances-Distribution-Across-Availability-Zones)  
-    1.1 [ALB (ELBv2)-Listener-Security](ALB-(ELBv2)-Listener-Security)  
-    1.1 [Minimum Number of EC2 Target Instances](Minimum-Number-of-EC2-Target-Instances)  
-    1.1 [ELBv2 Security Groups](ELBv2-Security-Groups)  
-    1.1 [ALB (ELBv2)-Security-Policy](ALB-(ELBv2)-Security-Policy)  
-    1.1 [Unused ELBs (ELBv2)](Unused-ELBs-(ELBv2))  
+    1. [Enable HTTPS/SSL Listener for App-Tier ELBs](Enable-HTTPS/SSL-Listener-for-App-Tier-ELBs)  
+    1. [Enable Latest SSL Security Policy for App-Tier ELBs](Enable-Latest-SSL-Security-Policy-for-App-Tier-ELBs)  
+    1. [Add SSL/TLS Server Certificates to App-Tier ELBs](Add-SSL/TLS-Server-Certificates-to-App-Tier-ELBs)  
+    1. [App-Tier ELBs Health Check](App-Tier-ELBs-Health-Check)  
+    1. [Enable ELB Access Logging](Enable-ELB-Access-Logging)  
+    1. [AWS Classic Load Balancer](AWS-Classic-Load-Balancer)  
+    1. [Connection Draining Enabled](Connection-Draining-Enabled)  
+    1. [Enable ELB Cross-Zone Load Balancing](Enable-ELB-Cross-Zone-Load-Balancing)  
+    1. [ELB insecure SSL ciphers](ELB-insecure-SSL-ciphers)  
+    1. [ELB insecure SSL protocols](ELB-insecure-SSL-protocols)  
+    1. [ELB Listener Security](ELB-Listener-Security)  
+    1. [ELB minimum number of EC2 instances](ELB-minimum-number-of-EC2-instances)  
+    1. [ELB Security Group](ELB-Security-Group)  
+    1. [ELB Security Policy](ELB-Security-Policy)  
+    1. [Remove unused ELBs](Remove-unused-ELBs)  
+    1. [ELB Instances Distribution Across Availability Zones](ELB-Instances-Distribution-Across-Availability-Zones)  
+    1. [Review AWS Internet Facing Load Balancers](Review-AWS-Internet-Facing-Load-Balancers)  
+    1. [Enable HTTPS/SSL Listener for Web-Tier ELBs](Enable-HTTPS/SSL-Listener-for-Web-Tier-ELBs)  
+    1. [Enable Latest SSL Security Policy for Web-Tier ELBs](Enable-Latest-SSL-Security-Policy-for-Web-Tier-ELBs)  
+    1. [Add SSL/TLS Server Certificates to Web-Tier ELBs](Add-SSL/TLS-Server-Certificates-to-Web-Tier-ELBs)  
+    1. [Web-Tier ELBs Health Check](Web-Tier-ELBs-Health-Check)  
+    1. [Enable ALB (ELBv2)-Access-Logging](Enable-ALB-(ELBv2)-Access-Logging)  
+    1. [Enable Elastic Load Balancing Deletion Protection](Enable-Elastic-Load-Balancing-Deletion-Protection)  
+    1. [ELBv2 Instances Distribution Across Availability Zones](ELBv2-Instances-Distribution-Across-Availability-Zones)  
+    1. [ALB (ELBv2)-Listener-Security](ALB-(ELBv2)-Listener-Security)  
+    1. [Minimum Number of EC2 Target Instances](Minimum-Number-of-EC2-Target-Instances)  
+    1. [ELBv2 Security Groups](ELBv2-Security-Groups)  
+    1. [ALB (ELBv2)-Security-Policy](ALB-(ELBv2)-Security-Policy)  
+    1. [Unused ELBs (ELBv2)](Unused-ELBs-(ELBv2))  
 1. [EMR](EMR)  
-    1.1 [EMR Cluster In VPC](EMR-Cluster-In-VPC)  
-    1.1 [EMR Desired Instance Type](EMR-Desired-Instance-Type)  
-    1.1 [EMR Instance Type Generation](EMR-Instance-Type-Generation)  
-    1.1 [Enable EMR In-Transit and At-Rest Encryption](Enable-EMR-In-Transit-and-At-Rest-Encryption)  
-    1.1 [Total Number of EMR Instances](Total-Number-of-EMR-Instances)  
+    1. [EMR Cluster In VPC](EMR-Cluster-In-VPC)  
+    1. [EMR Desired Instance Type](EMR-Desired-Instance-Type)  
+    1. [EMR Instance Type Generation](EMR-Instance-Type-Generation)  
+    1. [Enable EMR In-Transit and At-Rest Encryption](Enable-EMR-In-Transit-and-At-Rest-Encryption)  
+    1. [Total Number of EMR Instances](Total-Number-of-EMR-Instances)  
 1. [GuardDuty](GuardDuty)  
-    1.1 [GuardDuty Findings](GuardDuty-Findings)  
-    1.1 [Monitor GuardDuty Configuration Changes](Monitor-GuardDuty-Configuration-Changes)  
-    1.1 [GuardDuty In Use](GuardDuty-In-Use)  
+    1. [GuardDuty Findings](GuardDuty-Findings)  
+    1. [Monitor GuardDuty Configuration Changes](Monitor-GuardDuty-Configuration-Changes)  
+    1. [GuardDuty In Use](GuardDuty-In-Use)  
 1. [Health](Health)  
-    1.1 [AWS Health](AWS-Health)  
+    1. [AWS Health](AWS-Health)  
 1. [IAM](IAM)  
-    1.1 [Unused IAM Access Keys](Unused-IAM-Access-Keys)  
-    1.1 [IAM Access Keys Rotation](IAM-Access-Keys-Rotation)  
-    1.1 [Unnecessary IAM Access Keys](Unnecessary-IAM-Access-Keys)  
-    1.1 [Enable Security Challenge Questions for your Account](Enable-Security-Challenge-Questions-for-your-Account)  
-    1.1 [Attach Policy to IAM Roles Associated with App-Tier EC2 Instances](Attach-Policy-to-IAM-Roles-Associated-with-App-Tier-EC2-Instances)  
-    1.1 [SSL/TLS Certificate Renewal](SSL/TLS-Certificate-Renewal)  
-    1.1 [Server Certificate Signature Algorithm](Server-Certificate-Signature-Algorithm)  
-    1.1 [IAM Server Certificate Size](IAM-Server-Certificate-Size)  
-    1.1 [Deprecated AWS Managed Policies In Use](Deprecated-AWS-Managed-Policies-In-Use)  
-    1.1 [IAM Users Unauthorized to Edit Access Policies](IAM-Users-Unauthorized-to-Edit-Access-Policies)  
-    1.1 [IAM Users with Admin Privileges](IAM-Users-with-Admin-Privileges)  
-    1.1 [Detect IAM Configuration Changes](Detect-IAM-Configuration-Changes)  
-    1.1 [IAM Group with Administrator Privileges In Use](IAM-Group-with-Administrator-Privileges-In-Use)  
-    1.1 [Unused IAM Groups](Unused-IAM-Groups)  
-    1.1 [Remove IAM Policies with Full Administrative Privileges](Remove-IAM-Policies-with-Full-Administrative-Privileges)  
-    1.1 [IAM Customer Managed Policy with Administrative Permissions In Use](IAM-Customer-Managed-Policy-with-Administrative-Permissions-In-Use)  
-    1.1 [IAM Role Policy Too Permissive](IAM-Role-Policy-Too-Permissive)  
-    1.1 [IAM User Present](IAM-User-Present)  
-    1.1 [Inactive IAM Users](Inactive-IAM-Users)  
-    1.1 [Unused IAM Users](Unused-IAM-Users)  
-    1.1 [IAM Users with Password and Access Keys](IAM-Users-with-Password-and-Access-Keys)  
-    1.1 [Valid IAM Identity Providers](Valid-IAM-Identity-Providers)  
-    1.1 [MFA Device Deactivated for IAM Users](MFA-Device-Deactivated-for-IAM-Users)  
-    1.1 [Enable MFA for IAM Users](Enable-MFA-for-IAM-Users)  
-    1.1 [IAM Master and IAM Manager Roles](IAM-Master-and-IAM-Manager-Roles)  
-    1.1 [IAM Password Expiry](IAM-Password-Expiry)  
-    1.1 [IAM Password Policy](IAM-Password-Policy)  
-    1.1 [Root Account Access Keys](Root-Account-Access-Keys)  
-    1.1 [Root Account Credentials Usage](Root-Account-Credentials-Usage)  
-    1.1 [Root Account Active Signing Certificates](Root-Account-Active-Signing-Certificates)  
-    1.1 [Enable Hardware MFA for Root Account](Enable-Hardware-MFA-for-Root-Account)  
-    1.1 [Enable MFA for Root Account](Enable-MFA-for-Root-Account)  
-    1.1 [IAM SSH Public Keys Rotation (90-Days)](IAM-SSH-Public-Keys-Rotation-(90-Days))  
-    1.1 [Unnecessary IAM SSH Public Keys](Unnecessary-IAM-SSH-Public-Keys)  
-    1.1 [IAM Support Role](IAM-Support-Role)  
+    1. [Unused IAM Access Keys](Unused-IAM-Access-Keys)  
+    1. [IAM Access Keys Rotation](IAM-Access-Keys-Rotation)  
+    1. [Unnecessary IAM Access Keys](Unnecessary-IAM-Access-Keys)  
+    1. [Enable Security Challenge Questions for your Account](Enable-Security-Challenge-Questions-for-your-Account)  
+    1. [Attach Policy to IAM Roles Associated with App-Tier EC2 Instances](Attach-Policy-to-IAM-Roles-Associated-with-App-Tier-EC2-Instances)  
+    1. [SSL/TLS Certificate Renewal](SSL/TLS-Certificate-Renewal)  
+    1. [Server Certificate Signature Algorithm](Server-Certificate-Signature-Algorithm)  
+    1. [IAM Server Certificate Size](IAM-Server-Certificate-Size)  
+    1. [Deprecated AWS Managed Policies In Use](Deprecated-AWS-Managed-Policies-In-Use)  
+    1. [IAM Users Unauthorized to Edit Access Policies](IAM-Users-Unauthorized-to-Edit-Access-Policies)  
+    1. [IAM Users with Admin Privileges](IAM-Users-with-Admin-Privileges)  
+    1. [Detect IAM Configuration Changes](Detect-IAM-Configuration-Changes)  
+    1. [IAM Group with Administrator Privileges In Use](IAM-Group-with-Administrator-Privileges-In-Use)  
+    1. [Unused IAM Groups](Unused-IAM-Groups)  
+    1. [Remove IAM Policies with Full Administrative Privileges](Remove-IAM-Policies-with-Full-Administrative-Privileges)  
+    1. [IAM Customer Managed Policy with Administrative Permissions In Use](IAM-Customer-Managed-Policy-with-Administrative-Permissions-In-Use)  
+    1. [IAM Role Policy Too Permissive](IAM-Role-Policy-Too-Permissive)  
+    1. [IAM User Present](IAM-User-Present)  
+    1. [Inactive IAM Users](Inactive-IAM-Users)  
+    1. [Unused IAM Users](Unused-IAM-Users)  
+    1. [IAM Users with Password and Access Keys](IAM-Users-with-Password-and-Access-Keys)  
+    1. [Valid IAM Identity Providers](Valid-IAM-Identity-Providers)  
+    1. [MFA Device Deactivated for IAM Users](MFA-Device-Deactivated-for-IAM-Users)  
+    1. [Enable MFA for IAM Users](Enable-MFA-for-IAM-Users)  
+    1. [IAM Master and IAM Manager Roles](IAM-Master-and-IAM-Manager-Roles)  
+    1. [IAM Password Expiry](IAM-Password-Expiry)  
+    1. [IAM Password Policy](IAM-Password-Policy)  
+    1. [Root Account Access Keys](Root-Account-Access-Keys)  
+    1. [Root Account Credentials Usage](Root-Account-Credentials-Usage)  
+    1. [Root Account Active Signing Certificates](Root-Account-Active-Signing-Certificates)  
+    1. [Enable Hardware MFA for Root Account](Enable-Hardware-MFA-for-Root-Account)  
+    1. [Enable MFA for Root Account](Enable-MFA-for-Root-Account)  
+    1. [IAM SSH Public Keys Rotation (90-Days)](IAM-SSH-Public-Keys-Rotation-(90-Days))  
+    1. [Unnecessary IAM SSH Public Keys](Unnecessary-IAM-SSH-Public-Keys)  
+    1. [IAM Support Role](IAM-Support-Role)  
 1. [Inspector](Inspector)  
-    1.1 [AWS Inspector Findings](AWS-Inspector-Findings)  
+    1. [AWS Inspector Findings](AWS-Inspector-Findings)  
 1. [KMS](KMS)  
-    1.1 [App-Tier Customer Master Key In Use](App-Tier-Customer-Master-Key-In-Use)  
-    1.1 [KMS Customer Master Key In Use](KMS-Customer-Master-Key-In-Use)  
-    1.1 [Database Tier Customer Master Key In Use](Database-Tier-Customer-Master-Key-In-Use)  
-    1.1 [Default KMS Key Usage](Default-KMS-Key-Usage)  
-    1.1 [Disabled KMS keys](Disabled-KMS-keys)  
-    1.1 [Monitor KMS Configuration Changes](Monitor-KMS-Configuration-Changes)  
-    1.1 [KMS Unknown Cross Account Access](KMS-Unknown-Cross-Account-Access)  
-    1.1 [KMS Exposed Keys](KMS-Exposed-Keys)  
-    1.1 [Recover KMS Customer Master Keys](Recover-KMS-Customer-Master-Keys)  
-    1.1 [Enable KMS Key Rotation](Enable-KMS-Key-Rotation)  
-    1.1 [Remove unused KMS keys](Remove-unused-KMS-keys)  
-    1.1 [Web-Tier Customer Master Key In Use](Web-Tier-Customer-Master-Key-In-Use)  
+    1. [App-Tier Customer Master Key In Use](App-Tier-Customer-Master-Key-In-Use)  
+    1. [KMS Customer Master Key In Use](KMS-Customer-Master-Key-In-Use)  
+    1. [Database Tier Customer Master Key In Use](Database-Tier-Customer-Master-Key-In-Use)  
+    1. [Default KMS Key Usage](Default-KMS-Key-Usage)  
+    1. [Disabled KMS keys](Disabled-KMS-keys)  
+    1. [Monitor KMS Configuration Changes](Monitor-KMS-Configuration-Changes)  
+    1. [KMS Unknown Cross Account Access](KMS-Unknown-Cross-Account-Access)  
+    1. [KMS Exposed Keys](KMS-Exposed-Keys)  
+    1. [Recover KMS Customer Master Keys](Recover-KMS-Customer-Master-Keys)  
+    1. [Enable KMS Key Rotation](Enable-KMS-Key-Rotation)  
+    1. [Remove unused KMS keys](Remove-unused-KMS-keys)  
+    1. [Web-Tier Customer Master Key In Use](Web-Tier-Customer-Master-Key-In-Use)  
 1. [Lambda](Lambda)  
-    1.1 [Exposed Lambda Functions](Exposed-Lambda-Functions)  
-    1.1 [Lambda Functions with Admin Privileges](Lambda-Functions-with-Admin-Privileges)  
-    1.1 [Lambda Unknown Cross Account Access](Lambda-Unknown-Cross-Account-Access)  
-    1.1 [Lambda Runtime Environment Version](Lambda-Runtime-Environment-Version)  
-    1.1 [An IAM role for a Lambda Function](An-IAM-role-for-a-Lambda-Function)  
+    1. [Exposed Lambda Functions](Exposed-Lambda-Functions)  
+    1. [Lambda Functions with Admin Privileges](Lambda-Functions-with-Admin-Privileges)  
+    1. [Lambda Unknown Cross Account Access](Lambda-Unknown-Cross-Account-Access)  
+    1. [Lambda Runtime Environment Version](Lambda-Runtime-Environment-Version)  
+    1. [An IAM role for a Lambda Function](An-IAM-role-for-a-Lambda-Function)  
 1. [Organizations](Organizations)  
-    1.1 [Monitor AWS Org. Configuration Changes](Monitor-AWS-Org.-Configuration-Changes)  
-    1.1 [Enable All Features](Enable-All-Features)  
-    1.1 [AWS Organizations In Use](AWS-Organizations-In-Use)  
+    1. [Monitor AWS Org. Configuration Changes](Monitor-AWS-Org.-Configuration-Changes)  
+    1. [Enable All Features](Enable-All-Features)  
+    1. [AWS Organizations In Use](AWS-Organizations-In-Use)  
 1. [RDS](RDS)  
-    1.1 [Aurora Database Instance Accessibility](Aurora-Database-Instance-Accessibility)  
-    1.1 [RDS Auto Minor Version Upgrade](RDS-Auto-Minor-Version-Upgrade)  
-    1.1 [Enable RDS Automated Backups](Enable-RDS-Automated-Backups)  
-    1.1 [Enable RDS Deletion Protection](Enable-RDS-Deletion-Protection)  
-    1.1 [Enable RDS Encryption](Enable-RDS-Encryption)  
-    1.1 [RDS Free Storage Space](RDS-Free-Storage-Space)  
-    1.1 [Enable IAM Database Authentication](Enable-IAM-Database-Authentication)  
-    1.1 [Total Number of Provisioned RDS Instances](Total-Number-of-Provisioned-RDS-Instances)  
-    1.1 [RDS Multi-AZ](RDS-Multi-AZ)  
-    1.1 [Overutilized RDS Instances](Overutilized-RDS-Instances)  
-    1.1 [Publicly Accessible RDS Instances](Publicly-Accessible-RDS-Instances)  
-    1.1 [Use Data-Tier Security Group for RDS Databases](Use-Data-Tier-Security-Group-for-RDS-Databases)  
-    1.1 [RDS Database Default Port](RDS-Database-Default-Port)  
-    1.1 [Use KMS Customer Master Keys for RDS encryption](Use-KMS-Customer-Master-Keys-for-RDS-encryption)  
-    1.1 [RDS General Purpose SSD Storage Type](RDS-General-Purpose-SSD-Storage-Type)  
-    1.1 [RDS Instance Not In Public Subnet](RDS-Instance-Not-In-Public-Subnet)  
-    1.1 [RDS Database Master Username](RDS-Database-Master-Username)  
-    1.1 [RDS Public Snapshots](RDS-Public-Snapshots)  
-    1.1 [RDS Sufficient Backup Retention Period](RDS-Sufficient-Backup-Retention-Period)  
-    1.1 [Enable RDS Transport Encryption](Enable-RDS-Transport-Encryption)  
-    1.1 [Underutilized RDS Instances](Underutilized-RDS-Instances)  
-    1.1 [Unrestricted RDS DB Security Group](Unrestricted-RDS-DB-Security-Group)  
-    1.1 [Enable Route 53 Domain Auto Renew](Enable-Route-53-Domain-Auto-Renew)  
-    1.1 [Create DNS Alias Record for Root Domain](Create-DNS-Alias-Record-for-Root-Domain)  
-    1.1 [Remove Route 53 Dangling DNS Records](Remove-Route-53-Dangling-DNS-Records)  
-    1.1 [Expired Route 53 Domain Names](Expired-Route-53-Domain-Names)  
-    1.1 [Route 53 Domain Name Renewal](Route-53-Domain-Name-Renewal)  
-    1.1 [Enable Privacy Protection for Route 53 Domains](Enable-Privacy-Protection-for-Route-53-Domains)  
-    1.1 [Root Domain Alias Records that Point to ELB](Root-Domain-Alias-Records-that-Point-to-ELB)  
-    1.1 [Monitor Route 53 Configuration Changes](Monitor-Route-53-Configuration-Changes)  
-    1.1 [Route 53 DNS In Use](Route-53-DNS-In-Use)  
-    1.1 [Route 53 SPF DNS Records](Route-53-SPF-DNS-Records)  
-    1.1 [Enable Route 53 Domain Transfer Lock](Enable-Route-53-Domain-Transfer-Lock)  
-    1.1 [Monitor Route 53 Domains Configuration Changes](Monitor-Route-53-Domains-Configuration-Changes)  
+    1. [Aurora Database Instance Accessibility](Aurora-Database-Instance-Accessibility)  
+    1. [RDS Auto Minor Version Upgrade](RDS-Auto-Minor-Version-Upgrade)  
+    1. [Enable RDS Automated Backups](Enable-RDS-Automated-Backups)  
+    1. [Enable RDS Deletion Protection](Enable-RDS-Deletion-Protection)  
+    1. [Enable RDS Encryption](Enable-RDS-Encryption)  
+    1. [RDS Free Storage Space](RDS-Free-Storage-Space)  
+    1. [Enable IAM Database Authentication](Enable-IAM-Database-Authentication)  
+    1. [Total Number of Provisioned RDS Instances](Total-Number-of-Provisioned-RDS-Instances)  
+    1. [RDS Multi-AZ](RDS-Multi-AZ)  
+    1. [Overutilized RDS Instances](Overutilized-RDS-Instances)  
+    1. [Publicly Accessible RDS Instances](Publicly-Accessible-RDS-Instances)  
+    1. [Use Data-Tier Security Group for RDS Databases](Use-Data-Tier-Security-Group-for-RDS-Databases)  
+    1. [RDS Database Default Port](RDS-Database-Default-Port)  
+    1. [Use KMS Customer Master Keys for RDS encryption](Use-KMS-Customer-Master-Keys-for-RDS-encryption)  
+    1. [RDS General Purpose SSD Storage Type](RDS-General-Purpose-SSD-Storage-Type)  
+    1. [RDS Instance Not In Public Subnet](RDS-Instance-Not-In-Public-Subnet)  
+    1. [RDS Database Master Username](RDS-Database-Master-Username)  
+    1. [RDS Public Snapshots](RDS-Public-Snapshots)  
+    1. [RDS Sufficient Backup Retention Period](RDS-Sufficient-Backup-Retention-Period)  
+    1. [Enable RDS Transport Encryption](Enable-RDS-Transport-Encryption)  
+    1. [Underutilized RDS Instances](Underutilized-RDS-Instances)  
+    1. [Unrestricted RDS DB Security Group](Unrestricted-RDS-DB-Security-Group)  
+    1. [Enable Route 53 Domain Auto Renew](Enable-Route-53-Domain-Auto-Renew)  
+    1. [Create DNS Alias Record for Root Domain](Create-DNS-Alias-Record-for-Root-Domain)  
+    1. [Remove Route 53 Dangling DNS Records](Remove-Route-53-Dangling-DNS-Records)  
+    1. [Expired Route 53 Domain Names](Expired-Route-53-Domain-Names)  
+    1. [Route 53 Domain Name Renewal](Route-53-Domain-Name-Renewal)  
+    1. [Enable Privacy Protection for Route 53 Domains](Enable-Privacy-Protection-for-Route-53-Domains)  
+    1. [Root Domain Alias Records that Point to ELB](Root-Domain-Alias-Records-that-Point-to-ELB)  
+    1. [Monitor Route 53 Configuration Changes](Monitor-Route-53-Configuration-Changes)  
+    1. [Route 53 DNS In Use](Route-53-DNS-In-Use)  
+    1. [Route 53 SPF DNS Records](Route-53-SPF-DNS-Records)  
+    1. [Enable Route 53 Domain Transfer Lock](Enable-Route-53-Domain-Transfer-Lock)  
+    1. [Monitor Route 53 Domains Configuration Changes](Monitor-Route-53-Domains-Configuration-Changes)  
 1. [ResourceGroup](ResourceGroup)  
-    1.1 [Use tags to organize AWS resources](Use-tags-to-organize-AWS-resources)  
-    1.1 [S3 Bucket Authenticated ‘FULL_CONTROL’ Access](S3-Bucket-Authenticated-‘FULL_CONTROL’-Access)  
-    1.1 [S3 Bucket Authenticated ‘READ’ Access](S3-Bucket-Authenticated-‘READ’-Access)  
-    1.1 [S3 Bucket Authenticated ‘READ_ACP’ Access](S3-Bucket-Authenticated-‘READ_ACP’-Access)  
-    1.1 [S3 Bucket Authenticated ‘WRITE’ Access](S3-Bucket-Authenticated-‘WRITE’-Access)  
-    1.1 [S3 Bucket Authenticated ‘WRITE_ACP’ Access](S3-Bucket-Authenticated-‘WRITE_ACP’-Access)  
-    1.1 [Enable S3 Bucket Default Encryption](Enable-S3-Bucket-Default-Encryption)  
-    1.1 [Enable Access Logging for S3 Buckets](Enable-Access-Logging-for-S3-Buckets)  
-    1.1 [Enable MFA Delete for S3 Buckets](Enable-MFA-Delete-for-S3-Buckets)  
-    1.1 [S3 Bucket Public Access Via Policy](S3-Bucket-Public-Access-Via-Policy)  
-    1.1 [Publicly Accessible S3 Buckets](Publicly-Accessible-S3-Buckets)  
-    1.1 [S3 Bucket Public ‘READ’ Access](S3-Bucket-Public-‘READ’-Access)  
-    1.1 [S3 Bucket Public ‘READ_ACP’ Access](S3-Bucket-Public-‘READ_ACP’-Access)  
-    1.1 [S3 Bucket Public ‘WRITE’ Access](S3-Bucket-Public-‘WRITE’-Access)  
-    1.1 [S3 Bucket Public ‘WRITE_ACP’ Access](S3-Bucket-Public-‘WRITE_ACP’-Access)  
-    1.1 [Enable Versioning for S3 Buckets](Enable-Versioning-for-S3-Buckets)  
-    1.1 [Review S3 Buckets with Website Configuration Enabled](Review-S3-Buckets-with-Website-Configuration-Enabled)  
-    1.1 [Detect S3 Configuration Changes](Detect-S3-Configuration-Changes)  
-    1.1 [S3 Unknown Cross Account Access](S3-Unknown-Cross-Account-Access)  
-    1.1 [Secure Transport](Secure-Transport)  
-    1.1 [Server-Side Encryption](Server-Side-Encryption)  
-    1.1 [Limit S3 Bucket Access by IP Address](Limit-S3-Bucket-Access-by-IP-Address)  
+    1. [Use tags to organize AWS resources](Use-tags-to-organize-AWS-resources)  
+    1. [S3 Bucket Authenticated ‘FULL_CONTROL’ Access](S3-Bucket-Authenticated-‘FULL_CONTROL’-Access)  
+    1. [S3 Bucket Authenticated ‘READ’ Access](S3-Bucket-Authenticated-‘READ’-Access)  
+    1. [S3 Bucket Authenticated ‘READ_ACP’ Access](S3-Bucket-Authenticated-‘READ_ACP’-Access)  
+    1. [S3 Bucket Authenticated ‘WRITE’ Access](S3-Bucket-Authenticated-‘WRITE’-Access)  
+    1. [S3 Bucket Authenticated ‘WRITE_ACP’ Access](S3-Bucket-Authenticated-‘WRITE_ACP’-Access)  
+    1. [Enable S3 Bucket Default Encryption](Enable-S3-Bucket-Default-Encryption)  
+    1. [Enable Access Logging for S3 Buckets](Enable-Access-Logging-for-S3-Buckets)  
+    1. [Enable MFA Delete for S3 Buckets](Enable-MFA-Delete-for-S3-Buckets)  
+    1. [S3 Bucket Public Access Via Policy](S3-Bucket-Public-Access-Via-Policy)  
+    1. [Publicly Accessible S3 Buckets](Publicly-Accessible-S3-Buckets)  
+    1. [S3 Bucket Public ‘READ’ Access](S3-Bucket-Public-‘READ’-Access)  
+    1. [S3 Bucket Public ‘READ_ACP’ Access](S3-Bucket-Public-‘READ_ACP’-Access)  
+    1. [S3 Bucket Public ‘WRITE’ Access](S3-Bucket-Public-‘WRITE’-Access)  
+    1. [S3 Bucket Public ‘WRITE_ACP’ Access](S3-Bucket-Public-‘WRITE_ACP’-Access)  
+    1. [Enable Versioning for S3 Buckets](Enable-Versioning-for-S3-Buckets)  
+    1. [Review S3 Buckets with Website Configuration Enabled](Review-S3-Buckets-with-Website-Configuration-Enabled)  
+    1. [Detect S3 Configuration Changes](Detect-S3-Configuration-Changes)  
+    1. [S3 Unknown Cross Account Access](S3-Unknown-Cross-Account-Access)  
+    1. [Secure Transport](Secure-Transport)  
+    1. [Server-Side Encryption](Server-Side-Encryption)  
+    1. [Limit S3 Bucket Access by IP Address](Limit-S3-Bucket-Access-by-IP-Address)  
 1. [SES](SES)  
-    1.1 [Enable DKIM for SES](Enable-DKIM-for-SES)  
-    1.1 [Unknown Cross-Account Access](Unknown-Cross-Account-Access)  
-    1.1 [Exposed SES Identities](Exposed-SES-Identities)  
-    1.1 [SES Identity Verification Status](SES-Identity-Verification-Status)  
+    1. [Enable DKIM for SES](Enable-DKIM-for-SES)  
+    1. [Unknown Cross-Account Access](Unknown-Cross-Account-Access)  
+    1. [Exposed SES Identities](Exposed-SES-Identities)  
+    1. [SES Identity Verification Status](SES-Identity-Verification-Status)  
 1. [Shield](Shield)  
-    1.1 [AWS Shield In Use](AWS-Shield-In-Use)  
+    1. [AWS Shield In Use](AWS-Shield-In-Use)  
 1. [TrustedAdvisor](TrustedAdvisor)  
-    1.1 [Trusted Advisor Checks](Trusted-Advisor-Checks)  
-    1.1 [Exposed IAM Access Keys](Exposed-IAM-Access-Keys)  
+    1. [Trusted Advisor Checks](Trusted-Advisor-Checks)  
+    1. [Exposed IAM Access Keys](Exposed-IAM-Access-Keys)  
 1. [VPC](VPC)  
-    1.1 [Allocate Elastic IPs for NAT Gateways](Allocate-Elastic-IPs-for-NAT-Gateways)  
-    1.1 [Create App-Tier VPC Subnets](Create-App-Tier-VPC-Subnets)  
-    1.1 [Create Data-Tier VPC Subnets](Create-Data-Tier-VPC-Subnets)  
-    1.1 [Default VPC In Use](Default-VPC-In-Use)  
-    1.1 [Unused VPC Internet Gateways](Unused-VPC-Internet-Gateways)  
-    1.1 [Use Managed NAT Gateway for VPC](Use-Managed-NAT-Gateway-for-VPC)  
-    1.1 [Create NAT Gateways in at Least Two Availability Zones](Create-NAT-Gateways-in-at-Least-Two-Availability-Zones)  
-    1.1 [Ineffective Network ACL DENY Rules](Ineffective-Network-ACL-DENY-Rules)  
-    1.1 [Unrestricted Network ACL Inbound Traffic](Unrestricted-Network-ACL-Inbound-Traffic)  
-    1.1 [Unrestricted Network ACL Outbound Traffic](Unrestricted-Network-ACL-Outbound-Traffic)  
-    1.1 [Create Route Table for Private Subnets](Create-Route-Table-for-Private-Subnets)  
-    1.1 [Create Route Table for Public Subnets](Create-Route-Table-for-Public-Subnets)  
-    1.1 [Enable Flow Logs for VPC Subnets](Enable-Flow-Logs-for-VPC-Subnets)  
-    1.1 [VPC Endpoint Unknown Cross Account Access](VPC-Endpoint-Unknown-Cross-Account-Access)  
-    1.1 [VPC Exposed Endpoints](VPC-Exposed-Endpoints)  
-    1.1 [VPC Endpoints In Use](VPC-Endpoints-In-Use)  
-    1.1 [Enable VPC Flow Logs](Enable-VPC-Flow-Logs)  
-    1.1 [VPC Naming Conventions](VPC-Naming-Conventions)  
-    1.1 [VPC Peering Connection Configuration](VPC-Peering-Connection-Configuration)  
-    1.1 [Unused Virtual Private Gateways](Unused-Virtual-Private-Gateways)  
-    1.1 [Create Web-Tier ELB Subnets](Create-Web-Tier-ELB-Subnets)  
-    1.1 [Create Web-Tier VPC Subnets](Create-Web-Tier-VPC-Subnets)  
+    1. [Allocate Elastic IPs for NAT Gateways](Allocate-Elastic-IPs-for-NAT-Gateways)  
+    1. [Create App-Tier VPC Subnets](Create-App-Tier-VPC-Subnets)  
+    1. [Create Data-Tier VPC Subnets](Create-Data-Tier-VPC-Subnets)  
+    1. [Default VPC In Use](Default-VPC-In-Use)  
+    1. [Unused VPC Internet Gateways](Unused-VPC-Internet-Gateways)  
+    1. [Use Managed NAT Gateway for VPC](Use-Managed-NAT-Gateway-for-VPC)  
+    1. [Create NAT Gateways in at Least Two Availability Zones](Create-NAT-Gateways-in-at-Least-Two-Availability-Zones)  
+    1. [Ineffective Network ACL DENY Rules](Ineffective-Network-ACL-DENY-Rules)  
+    1. [Unrestricted Network ACL Inbound Traffic](Unrestricted-Network-ACL-Inbound-Traffic)  
+    1. [Unrestricted Network ACL Outbound Traffic](Unrestricted-Network-ACL-Outbound-Traffic)  
+    1. [Create Route Table for Private Subnets](Create-Route-Table-for-Private-Subnets)  
+    1. [Create Route Table for Public Subnets](Create-Route-Table-for-Public-Subnets)  
+    1. [Enable Flow Logs for VPC Subnets](Enable-Flow-Logs-for-VPC-Subnets)  
+    1. [VPC Endpoint Unknown Cross Account Access](VPC-Endpoint-Unknown-Cross-Account-Access)  
+    1. [VPC Exposed Endpoints](VPC-Exposed-Endpoints)  
+    1. [VPC Endpoints In Use](VPC-Endpoints-In-Use)  
+    1. [Enable VPC Flow Logs](Enable-VPC-Flow-Logs)  
+    1. [VPC Naming Conventions](VPC-Naming-Conventions)  
+    1. [VPC Peering Connection Configuration](VPC-Peering-Connection-Configuration)  
+    1. [Unused Virtual Private Gateways](Unused-Virtual-Private-Gateways)  
+    1. [Create Web-Tier ELB Subnets](Create-Web-Tier-ELB-Subnets)  
+    1. [Create Web-Tier VPC Subnets](Create-Web-Tier-VPC-Subnets)  
 1. [WAF](WAF)  
-    1.1 [AWS Web Application Firewall In Use](AWS-Web-Application-Firewall-In-Use)  
+    1. [AWS Web Application Firewall In Use](AWS-Web-Application-Firewall-In-Use)  
 
 
 ---
@@ -518,8 +518,8 @@
 
 ### CloudFront Security Policy
 **Risk**: Medium  
-**Description**: Ensure that CloudFront distributions use a security policy with minimum TLSv1.1  or TLSv1.2 and appropriate security ciphers for HTTPS viewer connections.     
-**Resolution**: Enable security policies that enforce TLS version 1.1  or 1.2 as the minimum protocol version    
+**Description**: Ensure that CloudFront distributions use a security policy with minimum TLSv1.  or TLSv1.2 and appropriate security ciphers for HTTPS viewer connections.     
+**Resolution**: Enable security policies that enforce TLS version 1.  or 1.2 as the minimum protocol version    
 
 ### Unencrypted CloudFront Traffic
 **Risk**: Medium  

diff --git a/aws_sercurity_test.md b/aws_sercurity_test.md
@@ -1,372 +1,372 @@
 # Table of Contents
 
 1. [ACM](ACM)  
-    1.1[Expired ACM Certificates](Expired-ACM-Certificates)  
-    1.1[ACM Certificates Renewal](ACM-Certificates-Renewal)  
-    1.1[ACM Certificates Validity](ACM-Certificates-Validity)  
+    1.1 [Expired ACM Certificates](Expired-ACM-Certificates)  
+    1.1 [ACM Certificates Renewal](ACM-Certificates-Renewal)  
+    1.1 [ACM Certificates Validity](ACM-Certificates-Validity)  
 1. [API Gateway](API-Gateway)  
-    1.1[Enable CloudWatch Logs for APIs](Enable-CloudWatch-Logs-for-APIs)  
-    1.1[Enable Detailed CloudWatch Metrics for APIs](Enable-Detailed-CloudWatch-Metrics-for-APIs)  
-    1.1[API Gateway Private Endpoints](API-Gateway-Private-Endpoints)  
+    1.1 [Enable CloudWatch Logs for APIs](Enable-CloudWatch-Logs-for-APIs)  
+    1.1 [Enable Detailed CloudWatch Metrics for APIs](Enable-Detailed-CloudWatch-Metrics-for-APIs)  
+    1.1 [API Gateway Private Endpoints](API-Gateway-Private-Endpoints)  
 1. [AutoScaling](AutoScaling)  
-    1.1[ASG Cooldown Period](ASG-Cooldown-Period)  
-    1.1[Enable ASG Notifications](Enable-ASG-Notifications)  
-    1.1[App-Tier ASGs with Associated ELB](App-Tier-ASGs-with-Associated-ELB)  
-    1.1[CloudWatch Logs Agent for App-Tier ASG In Use](CloudWatch-Logs-Agent-for-App-Tier-ASG-In-Use)  
-    1.1[IAM Roles for App-Tier ASG Launch Configurations](IAM-Roles-for-App-Tier-ASG-Launch-Configurations)  
-    1.1[Use Approved AMIs for App-Tier ASG Launch Configurations](Use-Approved-AMIs-for-App-Tier-ASG-Launch-Configurations)  
-    1.1[Auto Scaling Group Referencing Missing ELB](Auto-Scaling-Group-Referencing-Missing-ELB)  
-    1.1[Empty Auto Scaling Groups](Empty-Auto-Scaling-Groups)  
-    1.1[Launch Configuration Referencing Missing AMI](Launch-Configuration-Referencing-Missing-AMI)  
-    1.1[Launch Configuration Referencing Missing Security Group](Launch-Configuration-Referencing-Missing-Security-Group)  
-    1.1[Unused Launch Configuration Templates](Unused-Launch-Configuration-Templates)  
-    1.1[Multi-AZ Auto Scaling Groups](Multi-AZ-Auto-Scaling-Groups)  
-    1.1[Same ELB Availability Zones](Same-ELB-Availability-Zones)  
-    1.1[Suspended Auto Scaling Group Processes](Suspended-Auto-Scaling-Group-Processes)  
-    1.1[Web-Tier Auto Scaling Groups with Associated ELBs](Web-Tier-Auto-Scaling-Groups-with-Associated-ELBs)  
-    1.1[Use Approved AMIs for Web-Tier ASG Launch Configurations](Use-Approved-AMIs-for-Web-Tier-ASG-Launch-Configurations)  
+    1.1 [ASG Cooldown Period](ASG-Cooldown-Period)  
+    1.1 [Enable ASG Notifications](Enable-ASG-Notifications)  
+    1.1 [App-Tier ASGs with Associated ELB](App-Tier-ASGs-with-Associated-ELB)  
+    1.1 [CloudWatch Logs Agent for App-Tier ASG In Use](CloudWatch-Logs-Agent-for-App-Tier-ASG-In-Use)  
+    1.1 [IAM Roles for App-Tier ASG Launch Configurations](IAM-Roles-for-App-Tier-ASG-Launch-Configurations)  
+    1.1 [Use Approved AMIs for App-Tier ASG Launch Configurations](Use-Approved-AMIs-for-App-Tier-ASG-Launch-Configurations)  
+    1.1 [Auto Scaling Group Referencing Missing ELB](Auto-Scaling-Group-Referencing-Missing-ELB)  
+    1.1 [Empty Auto Scaling Groups](Empty-Auto-Scaling-Groups)  
+    1.1 [Launch Configuration Referencing Missing AMI](Launch-Configuration-Referencing-Missing-AMI)  
+    1.1 [Launch Configuration Referencing Missing Security Group](Launch-Configuration-Referencing-Missing-Security-Group)  
+    1.1 [Unused Launch Configuration Templates](Unused-Launch-Configuration-Templates)  
+    1.1 [Multi-AZ Auto Scaling Groups](Multi-AZ-Auto-Scaling-Groups)  
+    1.1 [Same ELB Availability Zones](Same-ELB-Availability-Zones)  
+    1.1 [Suspended Auto Scaling Group Processes](Suspended-Auto-Scaling-Group-Processes)  
+    1.1 [Web-Tier Auto Scaling Groups with Associated ELBs](Web-Tier-Auto-Scaling-Groups-with-Associated-ELBs)  
+    1.1 [Use Approved AMIs for Web-Tier ASG Launch Configurations](Use-Approved-AMIs-for-Web-Tier-ASG-Launch-Configurations)  
 1. [CloudFront](CloudFront)  
-    1.1[CloudFront CDN In Use](CloudFront-CDN-In-Use)  
-    1.1[CloudFront WAF Integration](CloudFront-WAF-Integration)  
-    1.1[Enable Origin Access Identity for CloudFront Distributions with S3 Origin](Enable-Origin-Access-Identity-for-CloudFront-Distributions-with-S3-Origin)  
-    1.1[CloudFront Origin Insecure SSL Protocols](CloudFront-Origin-Insecure-SSL-Protocols)  
-    1.1[CloudFront Security Policy](CloudFront-Security-Policy)  
-    1.1[Unencrypted CloudFront Traffic](Unencrypted-CloudFront-Traffic)  
-    1.1[Use Cloudfront CDN](Use-Cloudfront-CDN)  
+    1.1 [CloudFront CDN In Use](CloudFront-CDN-In-Use)  
+    1.1 [CloudFront WAF Integration](CloudFront-WAF-Integration)  
+    1.1 [Enable Origin Access Identity for CloudFront Distributions with S3 Origin](Enable-Origin-Access-Identity-for-CloudFront-Distributions-with-S3-Origin)  
+    1.1 [CloudFront Origin Insecure SSL Protocols](CloudFront-Origin-Insecure-SSL-Protocols)  
+    1.1 [CloudFront Security Policy](CloudFront-Security-Policy)  
+    1.1 [Unencrypted CloudFront Traffic](Unencrypted-CloudFront-Traffic)  
+    1.1 [Use Cloudfront CDN](Use-Cloudfront-CDN)  
 1. [CloudTrail](CloudTrail)  
-    1.1[Enable access logging for CloudTrail buckets](Enable-access-logging-for-CloudTrail-buckets)  
-    1.1[Enable MFA Delete for CloudTrail bucket](Enable-MFA-Delete-for-CloudTrail-bucket)  
-    1.1[CloudTrail insecure buckets](CloudTrail-insecure-buckets)  
-    1.1[Monitor CloudTrail Configuration Changes](Monitor-CloudTrail-Configuration-Changes)  
-    1.1[Enable CloudTrail integration with CloudWatch](Enable-CloudTrail-integration-with-CloudWatch)  
-    1.1[Enable CloudTrail log file integrity validation](Enable-CloudTrail-log-file-integrity-validation)  
-    1.1[Enable CloudTrail log files encryption](Enable-CloudTrail-log-files-encryption)  
-    1.1[CloudTrail Log Files Delivery Failing](CloudTrail-Log-Files-Delivery-Failing)  
+    1.1 [Enable access logging for CloudTrail buckets](Enable-access-logging-for-CloudTrail-buckets)  
+    1.1 [Enable MFA Delete for CloudTrail bucket](Enable-MFA-Delete-for-CloudTrail-bucket)  
+    1.1 [CloudTrail insecure buckets](CloudTrail-insecure-buckets)  
+    1.1 [Monitor CloudTrail Configuration Changes](Monitor-CloudTrail-Configuration-Changes)  
+    1.1 [Enable CloudTrail integration with CloudWatch](Enable-CloudTrail-integration-with-CloudWatch)  
+    1.1 [Enable CloudTrail log file integrity validation](Enable-CloudTrail-log-file-integrity-validation)  
+    1.1 [Enable CloudTrail log files encryption](Enable-CloudTrail-log-files-encryption)  
+    1.1 [CloudTrail Log Files Delivery Failing](CloudTrail-Log-Files-Delivery-Failing)  
 1. [CloudWatch](CloudWatch)  
-    1.1[Enable AWS Billing Alerts](Enable-AWS-Billing-Alerts)  
-    1.1[Enable CloudWatch Billing Alarm](Enable-CloudWatch-Billing-Alarm)  
-    1.1[Exposed CloudWatch Event Bus](Exposed-CloudWatch-Event-Bus)  
-    1.1[CloudWatch Events In Use](CloudWatch-Events-In-Use)  
-    1.1[Alarm for Config Changes](Alarm-for-Config-Changes)  
-    1.1[Alarm for Organizations Changes](Alarm-for-Organizations-Changes)  
-    1.1[Alarm for multiple Sign-in Failures](Alarm-for-multiple-Sign-in-Failures)  
-    1.1[Monitor for AWS Console Sign-In Requests Without MFA](Monitor-for-AWS-Console-Sign-In-Requests-Without-MFA)  
-    1.1[Alarm for EC2 Instance Changes](Alarm-for-EC2-Instance-Changes)  
-    1.1[Alarm for EC2 Large Instance Changes](Alarm-for-EC2-Large-Instance-Changes)  
-    1.1[Alarm for Root Account Usage](Alarm-for-Root-Account-Usage)  
-    1.1[Alarm for S3 Bucket Changes](Alarm-for-S3-Bucket-Changes)  
+    1.1 [Enable AWS Billing Alerts](Enable-AWS-Billing-Alerts)  
+    1.1 [Enable CloudWatch Billing Alarm](Enable-CloudWatch-Billing-Alarm)  
+    1.1 [Exposed CloudWatch Event Bus](Exposed-CloudWatch-Event-Bus)  
+    1.1 [CloudWatch Events In Use](CloudWatch-Events-In-Use)  
+    1.1 [Alarm for Config Changes](Alarm-for-Config-Changes)  
+    1.1 [Alarm for Organizations Changes](Alarm-for-Organizations-Changes)  
+    1.1 [Alarm for multiple Sign-in Failures](Alarm-for-multiple-Sign-in-Failures)  
+    1.1 [Monitor for AWS Console Sign-In Requests Without MFA](Monitor-for-AWS-Console-Sign-In-Requests-Without-MFA)  
+    1.1 [Alarm for EC2 Instance Changes](Alarm-for-EC2-Instance-Changes)  
+    1.1 [Alarm for EC2 Large Instance Changes](Alarm-for-EC2-Large-Instance-Changes)  
+    1.1 [Alarm for Root Account Usage](Alarm-for-Root-Account-Usage)  
+    1.1 [Alarm for S3 Bucket Changes](Alarm-for-S3-Bucket-Changes)  
 1. [Config](Config)  
-    1.1[Monitor AWS Config configuration changes](Monitor-AWS-Config-configuration-changes)  
-    1.1[Enable AWS Config](Enable-AWS-Config)  
-    1.1[AWS Config Referencing Missing S3 Bucket](AWS-Config-Referencing-Missing-S3-Bucket)  
-    1.1[AWS Config Referencing Missing SNS Topic](AWS-Config-Referencing-Missing-SNS-Topic)  
-    1.1[AWS Config Log Files Delivery Failing](AWS-Config-Log-Files-Delivery-Failing)  
-    1.1[Include Global Resources into AWS Config Settings](Include-Global-Resources-into-AWS-Config-Settings)  
+    1.1 [Monitor AWS Config configuration changes](Monitor-AWS-Config-configuration-changes)  
+    1.1 [Enable AWS Config](Enable-AWS-Config)  
+    1.1 [AWS Config Referencing Missing S3 Bucket](AWS-Config-Referencing-Missing-S3-Bucket)  
+    1.1 [AWS Config Referencing Missing SNS Topic](AWS-Config-Referencing-Missing-SNS-Topic)  
+    1.1 [AWS Config Log Files Delivery Failing](AWS-Config-Log-Files-Delivery-Failing)  
+    1.1 [Include Global Resources into AWS Config Settings](Include-Global-Resources-into-AWS-Config-Settings)  
 1. [DynamoDB](DynamoDB)  
-    1.1[Enable DynamoDB Auto Scaling](Enable-DynamoDB-Auto-Scaling)  
-    1.1[DynamoDB Backup and Restore](DynamoDB-Backup-and-Restore)  
-    1.1[Enable DynamoDB Continuous Backups](Enable-DynamoDB-Continuous-Backups)  
-    1.1[DynamoDB Server-Side Encryption](DynamoDB-Server-Side-Encryption)  
+    1.1 [Enable DynamoDB Auto Scaling](Enable-DynamoDB-Auto-Scaling)  
+    1.1 [DynamoDB Backup and Restore](DynamoDB-Backup-and-Restore)  
+    1.1 [Enable DynamoDB Continuous Backups](Enable-DynamoDB-Continuous-Backups)  
+    1.1 [DynamoDB Server-Side Encryption](DynamoDB-Server-Side-Encryption)  
 1. [EBS](EBS)  
-    1.1[Enable EBS Encryption](Enable-EBS-Encryption)  
-    1.1[Use KMS Customer Master Keys for EBS encryption](Use-KMS-Customer-Master-Keys-for-EBS-encryption)  
-    1.1[EBS Volume Naming Conventions](EBS-Volume-Naming-Conventions)  
-    1.1[EBS Public Snapshots](EBS-Public-Snapshots)  
-    1.1[EBS volumes recent snapshots](EBS-volumes-recent-snapshots)  
-    1.1[Remove EBS old snapshots](Remove-EBS-old-snapshots)  
-    1.1[Remove Unattached EC2 EBS volumes](Remove-Unattached-EC2-EBS-volumes)  
-    1.1[Enable EBS Snapshot Encryption](Enable-EBS-Snapshot-Encryption)  
-    1.1[EBS Volumes Attached to Stopped EC2 Instances](EBS-Volumes-Attached-to-Stopped-EC2-Instances)  
-    1.1[Approved/Golden AMI](Approved/Golden-AMI)  
-    1.1[AWS Blacklisted AMI](AWS-Blacklisted-AMI)  
-    1.1[Enable AMI Encryption](Enable-AMI-Encryption)  
-    1.1[AMI Naming Conventions](AMI-Naming-Conventions)  
-    1.1[Check for AMI Age](Check-for-AMI-Age)  
-    1.1[Unused AMI](Unused-AMI)  
-    1.1[Unassociated Elastic IP Addresses](Unassociated-Elastic-IP-Addresses)  
-    1.1[Publicly Shared App-Tier AMIs](Publicly-Shared-App-Tier-AMIs)  
-    1.1[App-Tier EC2 Instances Without Elastic or Public IP Addresses](App-Tier-EC2-Instances-Without-Elastic-or-Public-IP-Addresses)  
-    1.1[Check app-tier ELB subnet connectivity to Internet Gateway](Check-app-tier-ELB-subnet-connectivity-to-Internet-Gateway)  
-    1.1[IAM Roles for App-Tier EC2 Instances](IAM-Roles-for-App-Tier-EC2-Instances)  
-    1.1[Create and Configure App-Tier Security Group](Create-and-Configure-App-Tier-Security-Group)  
-    1.1[EC2 Instances Distribution Across Availability Zones](EC2-Instances-Distribution-Across-Availability-Zones)  
-    1.1[EC2-Classic Elastic IP Address Limit](EC2-Classic-Elastic-IP-Address-Limit)  
-    1.1[Data-Tier Instances Without Elastic or Public IP Addresses](Data-Tier-Instances-Without-Elastic-or-Public-IP-Addresses)  
-    1.1[Create and Configure Data-Tier Security Group](Create-and-Configure-Data-Tier-Security-Group)  
-    1.1[Restrict data-tier subnet connectivity to VPC NAT Gateway](Restrict-data-tier-subnet-connectivity-to-VPC-NAT-Gateway)  
-    1.1[Unrestricted Default Security Groups](Unrestricted-Default-Security-Groups)  
-    1.1[Default EC2 Security Groups In Use](Default-EC2-Security-Groups-In-Use)  
-    1.1[Detailed Monitoring for EC2 Instances](Detailed-Monitoring-for-EC2-Instances)  
-    1.1[EC2 Desired Instance Type](EC2-Desired-Instance-Type)  
-    1.1[Review EC2 Dedicated Instances](Review-EC2-Dedicated-Instances)  
-    1.1[EC2 Instance Not In Public Subnet](EC2-Instance-Not-In-Public-Subnet)  
-    1.1[Unused EC2 Reserved Instances](Unused-EC2-Reserved-Instances)  
-    1.1[Total Number of EC2 Instances](Total-Number-of-EC2-Instances)  
-    1.1[EC2 Instance Type Generation](EC2-Instance-Type-Generation)  
-    1.1[Instance In Auto Scaling Group](Instance-In-Auto-Scaling-Group)  
-    1.1[EC2 Platform](EC2-Platform)  
-    1.1[EC2 Instance Limit](EC2-Instance-Limit)  
-    1.1[EC2 Instance Naming Conventions](EC2-Instance-Naming-Conventions)  
-    1.1[EC2 Instances with Scheduled Events](EC2-Instances-with-Scheduled-Events)  
-    1.1[EC2 Instance Security Group Rules Count](EC2-Instance-Security-Group-Rules-Count)  
-    1.1[EC2 Instance Tenancy Type](EC2-Instance-Tenancy-Type)  
-    1.1[EC2 Instance Termination Protection](EC2-Instance-Termination-Protection)  
-    1.1[EC2 Instance Age](EC2-Instance-Age)  
-    1.1[EC2 Instance IAM Roles](EC2-Instance-IAM-Roles)  
-    1.1[Overutilized EC2 Instances](Overutilized-EC2-Instances)  
-    1.1[Publicly Shared AMIs](Publicly-Shared-AMIs)  
-    1.1[EC2 Reserved Instance Lease Expiration](EC2-Reserved-Instance-Lease-Expiration)  
-    1.1[EC2 Security Groups Count](EC2-Security-Groups-Count)  
-    1.1[EC2 Security Group Port Range](EC2-Security-Group-Port-Range)  
-    1.1[Underutilized EC2 Instances](Underutilized-EC2-Instances)  
-    1.1[EC2 Security Group Unrestricted Access](EC2-Security-Group-Unrestricted-Access)  
-    1.1[Unrestricted CIFS Access](Unrestricted-CIFS-Access)  
-    1.1[Unrestricted DNS Access](Unrestricted-DNS-Access)  
-    1.1[Unrestricted ElasticSearch Access](Unrestricted-ElasticSearch-Access)  
-    1.1[Unrestricted FTP Access](Unrestricted-FTP-Access)  
-    1.1[Unrestricted HTTP Access](Unrestricted-HTTP-Access)  
-    1.1[Unrestricted HTTPS Access](Unrestricted-HTTPS-Access)  
-    1.1[Unrestricted ICMP Access](Unrestricted-ICMP-Access)  
-    1.1[Unrestricted Inbound Access on Uncommon Ports](Unrestricted-Inbound-Access-on-Uncommon-Ports)  
-    1.1[Unrestricted MongoDB Access](Unrestricted-MongoDB-Access)  
-    1.1[Unrestricted MSSQL Database Access](Unrestricted-MSSQL-Database-Access)  
-    1.1[Unrestricted MySQL Database Access](Unrestricted-MySQL-Database-Access)  
-    1.1[Unrestricted NetBIOS Access](Unrestricted-NetBIOS-Access)  
-    1.1[Unrestricted Oracle Database Access](Unrestricted-Oracle-Database-Access)  
-    1.1[Unrestricted Outbound Access on All Ports](Unrestricted-Outbound-Access-on-All-Ports)  
-    1.1[Unrestricted PostgreSQL Database Access](Unrestricted-PostgreSQL-Database-Access)  
-    1.1[Unrestricted RDP Access](Unrestricted-RDP-Access)  
-    1.1[Unrestricted RPC Access](Unrestricted-RPC-Access)  
-    1.1[Unrestricted SMTP Access](Unrestricted-SMTP-Access)  
-    1.1[Unrestricted SSH Access](Unrestricted-SSH-Access)  
-    1.1[Unrestricted Telnet Access](Unrestricted-Telnet-Access)  
-    1.1[Unused Elastic Network Interfaces](Unused-Elastic-Network-Interfaces)  
-    1.1[Unused EC2 Key Pairs](Unused-EC2-Key-Pairs)  
-    1.1[EC2-VPC Elastic IP Address Limit](EC2-VPC-Elastic-IP-Address-Limit)  
-    1.1[Publicly Shared Web-Tier AMIs](Publicly-Shared-Web-Tier-AMIs)  
-    1.1[Web-Tier EC2 Instances Without Elastic or Public IP Addresses](Web-Tier-EC2-Instances-Without-Elastic-or-Public-IP-Addresses)  
-    1.1[Check web-tier ELB subnet connectivity to Internet Gateway](Check-web-tier-ELB-subnet-connectivity-to-Internet-Gateway)  
-    1.1[Attach Policy to IAM Roles Associated with Web-Tier EC2 Instances](Attach-Policy-to-IAM-Roles-Associated-with-Web-Tier-EC2-Instances)  
-    1.1[IAM Roles for Web-Tier EC2 Instances](IAM-Roles-for-Web-Tier-EC2-Instances)  
-    1.1[Create and Configure Web-Tier Security Group](Create-and-Configure-Web-Tier-Security-Group)  
-    1.1[Check web-tier subnet connectivity to VPC NAT Gateway](Check-web-tier-subnet-connectivity-to-VPC-NAT-Gateway)  
+    1.1 [Enable EBS Encryption](Enable-EBS-Encryption)  
+    1.1 [Use KMS Customer Master Keys for EBS encryption](Use-KMS-Customer-Master-Keys-for-EBS-encryption)  
+    1.1 [EBS Volume Naming Conventions](EBS-Volume-Naming-Conventions)  
+    1.1 [EBS Public Snapshots](EBS-Public-Snapshots)  
+    1.1 [EBS volumes recent snapshots](EBS-volumes-recent-snapshots)  
+    1.1 [Remove EBS old snapshots](Remove-EBS-old-snapshots)  
+    1.1 [Remove Unattached EC2 EBS volumes](Remove-Unattached-EC2-EBS-volumes)  
+    1.1 [Enable EBS Snapshot Encryption](Enable-EBS-Snapshot-Encryption)  
+    1.1 [EBS Volumes Attached to Stopped EC2 Instances](EBS-Volumes-Attached-to-Stopped-EC2-Instances)  
+    1.1 [Approved/Golden AMI](Approved/Golden-AMI)  
+    1.1 [AWS Blacklisted AMI](AWS-Blacklisted-AMI)  
+    1.1 [Enable AMI Encryption](Enable-AMI-Encryption)  
+    1.1 [AMI Naming Conventions](AMI-Naming-Conventions)  
+    1.1 [Check for AMI Age](Check-for-AMI-Age)  
+    1.1 [Unused AMI](Unused-AMI)  
+    1.1 [Unassociated Elastic IP Addresses](Unassociated-Elastic-IP-Addresses)  
+    1.1 [Publicly Shared App-Tier AMIs](Publicly-Shared-App-Tier-AMIs)  
+    1.1 [App-Tier EC2 Instances Without Elastic or Public IP Addresses](App-Tier-EC2-Instances-Without-Elastic-or-Public-IP-Addresses)  
+    1.1 [Check app-tier ELB subnet connectivity to Internet Gateway](Check-app-tier-ELB-subnet-connectivity-to-Internet-Gateway)  
+    1.1 [IAM Roles for App-Tier EC2 Instances](IAM-Roles-for-App-Tier-EC2-Instances)  
+    1.1 [Create and Configure App-Tier Security Group](Create-and-Configure-App-Tier-Security-Group)  
+    1.1 [EC2 Instances Distribution Across Availability Zones](EC2-Instances-Distribution-Across-Availability-Zones)  
+    1.1 [EC2-Classic Elastic IP Address Limit](EC2-Classic-Elastic-IP-Address-Limit)  
+    1.1 [Data-Tier Instances Without Elastic or Public IP Addresses](Data-Tier-Instances-Without-Elastic-or-Public-IP-Addresses)  
+    1.1 [Create and Configure Data-Tier Security Group](Create-and-Configure-Data-Tier-Security-Group)  
+    1.1 [Restrict data-tier subnet connectivity to VPC NAT Gateway](Restrict-data-tier-subnet-connectivity-to-VPC-NAT-Gateway)  
+    1.1 [Unrestricted Default Security Groups](Unrestricted-Default-Security-Groups)  
+    1.1 [Default EC2 Security Groups In Use](Default-EC2-Security-Groups-In-Use)  
+    1.1 [Detailed Monitoring for EC2 Instances](Detailed-Monitoring-for-EC2-Instances)  
+    1.1 [EC2 Desired Instance Type](EC2-Desired-Instance-Type)  
+    1.1 [Review EC2 Dedicated Instances](Review-EC2-Dedicated-Instances)  
+    1.1 [EC2 Instance Not In Public Subnet](EC2-Instance-Not-In-Public-Subnet)  
+    1.1 [Unused EC2 Reserved Instances](Unused-EC2-Reserved-Instances)  
+    1.1 [Total Number of EC2 Instances](Total-Number-of-EC2-Instances)  
+    1.1 [EC2 Instance Type Generation](EC2-Instance-Type-Generation)  
+    1.1 [Instance In Auto Scaling Group](Instance-In-Auto-Scaling-Group)  
+    1.1 [EC2 Platform](EC2-Platform)  
+    1.1 [EC2 Instance Limit](EC2-Instance-Limit)  
+    1.1 [EC2 Instance Naming Conventions](EC2-Instance-Naming-Conventions)  
+    1.1 [EC2 Instances with Scheduled Events](EC2-Instances-with-Scheduled-Events)  
+    1.1 [EC2 Instance Security Group Rules Count](EC2-Instance-Security-Group-Rules-Count)  
+    1.1 [EC2 Instance Tenancy Type](EC2-Instance-Tenancy-Type)  
+    1.1 [EC2 Instance Termination Protection](EC2-Instance-Termination-Protection)  
+    1.1 [EC2 Instance Age](EC2-Instance-Age)  
+    1.1 [EC2 Instance IAM Roles](EC2-Instance-IAM-Roles)  
+    1.1 [Overutilized EC2 Instances](Overutilized-EC2-Instances)  
+    1.1 [Publicly Shared AMIs](Publicly-Shared-AMIs)  
+    1.1 [EC2 Reserved Instance Lease Expiration](EC2-Reserved-Instance-Lease-Expiration)  
+    1.1 [EC2 Security Groups Count](EC2-Security-Groups-Count)  
+    1.1 [EC2 Security Group Port Range](EC2-Security-Group-Port-Range)  
+    1.1 [Underutilized EC2 Instances](Underutilized-EC2-Instances)  
+    1.1 [EC2 Security Group Unrestricted Access](EC2-Security-Group-Unrestricted-Access)  
+    1.1 [Unrestricted CIFS Access](Unrestricted-CIFS-Access)  
+    1.1 [Unrestricted DNS Access](Unrestricted-DNS-Access)  
+    1.1 [Unrestricted ElasticSearch Access](Unrestricted-ElasticSearch-Access)  
+    1.1 [Unrestricted FTP Access](Unrestricted-FTP-Access)  
+    1.1 [Unrestricted HTTP Access](Unrestricted-HTTP-Access)  
+    1.1 [Unrestricted HTTPS Access](Unrestricted-HTTPS-Access)  
+    1.1 [Unrestricted ICMP Access](Unrestricted-ICMP-Access)  
+    1.1 [Unrestricted Inbound Access on Uncommon Ports](Unrestricted-Inbound-Access-on-Uncommon-Ports)  
+    1.1 [Unrestricted MongoDB Access](Unrestricted-MongoDB-Access)  
+    1.1 [Unrestricted MSSQL Database Access](Unrestricted-MSSQL-Database-Access)  
+    1.1 [Unrestricted MySQL Database Access](Unrestricted-MySQL-Database-Access)  
+    1.1 [Unrestricted NetBIOS Access](Unrestricted-NetBIOS-Access)  
+    1.1 [Unrestricted Oracle Database Access](Unrestricted-Oracle-Database-Access)  
+    1.1 [Unrestricted Outbound Access on All Ports](Unrestricted-Outbound-Access-on-All-Ports)  
+    1.1 [Unrestricted PostgreSQL Database Access](Unrestricted-PostgreSQL-Database-Access)  
+    1.1 [Unrestricted RDP Access](Unrestricted-RDP-Access)  
+    1.1 [Unrestricted RPC Access](Unrestricted-RPC-Access)  
+    1.1 [Unrestricted SMTP Access](Unrestricted-SMTP-Access)  
+    1.1 [Unrestricted SSH Access](Unrestricted-SSH-Access)  
+    1.1 [Unrestricted Telnet Access](Unrestricted-Telnet-Access)  
+    1.1 [Unused Elastic Network Interfaces](Unused-Elastic-Network-Interfaces)  
+    1.1 [Unused EC2 Key Pairs](Unused-EC2-Key-Pairs)  
+    1.1 [EC2-VPC Elastic IP Address Limit](EC2-VPC-Elastic-IP-Address-Limit)  
+    1.1 [Publicly Shared Web-Tier AMIs](Publicly-Shared-Web-Tier-AMIs)  
+    1.1 [Web-Tier EC2 Instances Without Elastic or Public IP Addresses](Web-Tier-EC2-Instances-Without-Elastic-or-Public-IP-Addresses)  
+    1.1 [Check web-tier ELB subnet connectivity to Internet Gateway](Check-web-tier-ELB-subnet-connectivity-to-Internet-Gateway)  
+    1.1 [Attach Policy to IAM Roles Associated with Web-Tier EC2 Instances](Attach-Policy-to-IAM-Roles-Associated-with-Web-Tier-EC2-Instances)  
+    1.1 [IAM Roles for Web-Tier EC2 Instances](IAM-Roles-for-Web-Tier-EC2-Instances)  
+    1.1 [Create and Configure Web-Tier Security Group](Create-and-Configure-Web-Tier-Security-Group)  
+    1.1 [Check web-tier subnet connectivity to VPC NAT Gateway](Check-web-tier-subnet-connectivity-to-VPC-NAT-Gateway)  
 1. [ECR](ECR)  
-    1.1[ECR Unknown Cross Account Access](ECR-Unknown-Cross-Account-Access)  
-    1.1[Check for Exposed ECR Repositories](Check-for-Exposed-ECR-Repositories)  
+    1.1 [ECR Unknown Cross Account Access](ECR-Unknown-Cross-Account-Access)  
+    1.1 [Check for Exposed ECR Repositories](Check-for-Exposed-ECR-Repositories)  
 1. [EFS](EFS)  
-    1.1[KMS Customer Master Keys for EFS Encryption](KMS-Customer-Master-Keys-for-EFS-Encryption)  
-    1.1[Enable EFS Encryption](Enable-EFS-Encryption)  
+    1.1 [KMS Customer Master Keys for EFS Encryption](KMS-Customer-Master-Keys-for-EFS-Encryption)  
+    1.1 [Enable EFS Encryption](Enable-EFS-Encryption)  
 1. [ElasticSearch](ElasticSearch)  
-    1.1[ElasticSearch Cluster Status](ElasticSearch-Cluster-Status)  
-    1.1[ElasticSearch Instance Type](ElasticSearch-Instance-Type)  
-    1.1[ElasticSearch Domain Encrypted with KMS CMKs](ElasticSearch-Domain-Encrypted-with-KMS-CMKs)  
-    1.1[ElasticSearch Unknown Cross Account Access](ElasticSearch-Unknown-Cross-Account-Access)  
-    1.1[ElasticSearch Exposed Domains](ElasticSearch-Exposed-Domains)  
-    1.1[ElasticSearch Domain IP-Based Access](ElasticSearch-Domain-IP-Based-Access)  
-    1.1[ElasticSearch General Purpose SSD Node Type](ElasticSearch-General-Purpose-SSD-Node-Type)  
-    1.1[ElasticSearch Version](ElasticSearch-Version)  
-    1.1[Enable ElasticSearch Zone Awareness](Enable-ElasticSearch-Zone-Awareness)  
-    1.1[Enable ElasticSearch Encryption At Rest](Enable-ElasticSearch-Encryption-At-Rest)  
-    1.1[ElasticSearch Free Storage Space](ElasticSearch-Free-Storage-Space)  
-    1.1[Total Number of ElasticSearch Instances](Total-Number-of-ElasticSearch-Instances)  
-    1.1[Enable ElasticSearch Node-to-Node Encryption](Enable-ElasticSearch-Node-to-Node-Encryption)  
-    1.1[Enable ElasticSearch Slow Logs](Enable-ElasticSearch-Slow-Logs)  
+    1.1 [ElasticSearch Cluster Status](ElasticSearch-Cluster-Status)  
+    1.1 [ElasticSearch Instance Type](ElasticSearch-Instance-Type)  
+    1.1 [ElasticSearch Domain Encrypted with KMS CMKs](ElasticSearch-Domain-Encrypted-with-KMS-CMKs)  
+    1.1 [ElasticSearch Unknown Cross Account Access](ElasticSearch-Unknown-Cross-Account-Access)  
+    1.1 [ElasticSearch Exposed Domains](ElasticSearch-Exposed-Domains)  
+    1.1 [ElasticSearch Domain IP-Based Access](ElasticSearch-Domain-IP-Based-Access)  
+    1.1 [ElasticSearch General Purpose SSD Node Type](ElasticSearch-General-Purpose-SSD-Node-Type)  
+    1.1 [ElasticSearch Version](ElasticSearch-Version)  
+    1.1 [Enable ElasticSearch Zone Awareness](Enable-ElasticSearch-Zone-Awareness)  
+    1.1 [Enable ElasticSearch Encryption At Rest](Enable-ElasticSearch-Encryption-At-Rest)  
+    1.1 [ElasticSearch Free Storage Space](ElasticSearch-Free-Storage-Space)  
+    1.1 [Total Number of ElasticSearch Instances](Total-Number-of-ElasticSearch-Instances)  
+    1.1 [Enable ElasticSearch Node-to-Node Encryption](Enable-ElasticSearch-Node-to-Node-Encryption)  
+    1.1 [Enable ElasticSearch Slow Logs](Enable-ElasticSearch-Slow-Logs)  
 1. [ELB](ELB)  
-    1.1[Enable HTTPS/SSL Listener for App-Tier ELBs](Enable-HTTPS/SSL-Listener-for-App-Tier-ELBs)  
-    1.1[Enable Latest SSL Security Policy for App-Tier ELBs](Enable-Latest-SSL-Security-Policy-for-App-Tier-ELBs)  
-    1.1[Add SSL/TLS Server Certificates to App-Tier ELBs](Add-SSL/TLS-Server-Certificates-to-App-Tier-ELBs)  
-    1.1[App-Tier ELBs Health Check](App-Tier-ELBs-Health-Check)  
-    1.1[Enable ELB Access Logging](Enable-ELB-Access-Logging)  
-    1.1[AWS Classic Load Balancer](AWS-Classic-Load-Balancer)  
-    1.1[Connection Draining Enabled](Connection-Draining-Enabled)  
-    1.1[Enable ELB Cross-Zone Load Balancing](Enable-ELB-Cross-Zone-Load-Balancing)  
-    1.1[ELB insecure SSL ciphers](ELB-insecure-SSL-ciphers)  
-    1.1[ELB insecure SSL protocols](ELB-insecure-SSL-protocols)  
-    1.1[ELB Listener Security](ELB-Listener-Security)  
-    1.1[ELB minimum number of EC2 instances](ELB-minimum-number-of-EC2-instances)  
-    1.1[ELB Security Group](ELB-Security-Group)  
-    1.1[ELB Security Policy](ELB-Security-Policy)  
-    1.1[Remove unused ELBs](Remove-unused-ELBs)  
-    1.1[ELB Instances Distribution Across Availability Zones](ELB-Instances-Distribution-Across-Availability-Zones)  
-    1.1[Review AWS Internet Facing Load Balancers](Review-AWS-Internet-Facing-Load-Balancers)  
-    1.1[Enable HTTPS/SSL Listener for Web-Tier ELBs](Enable-HTTPS/SSL-Listener-for-Web-Tier-ELBs)  
-    1.1[Enable Latest SSL Security Policy for Web-Tier ELBs](Enable-Latest-SSL-Security-Policy-for-Web-Tier-ELBs)  
-    1.1[Add SSL/TLS Server Certificates to Web-Tier ELBs](Add-SSL/TLS-Server-Certificates-to-Web-Tier-ELBs)  
-    1.1[Web-Tier ELBs Health Check](Web-Tier-ELBs-Health-Check)  
-    1.1[Enable ALB (ELBv2)-Access-Logging](Enable-ALB-(ELBv2)-Access-Logging)  
-    1.1[Enable Elastic Load Balancing Deletion Protection](Enable-Elastic-Load-Balancing-Deletion-Protection)  
-    1.1[ELBv2 Instances Distribution Across Availability Zones](ELBv2-Instances-Distribution-Across-Availability-Zones)  
-    1.1[ALB (ELBv2)-Listener-Security](ALB-(ELBv2)-Listener-Security)  
-    1.1[Minimum Number of EC2 Target Instances](Minimum-Number-of-EC2-Target-Instances)  
-    1.1[ELBv2 Security Groups](ELBv2-Security-Groups)  
-    1.1[ALB (ELBv2)-Security-Policy](ALB-(ELBv2)-Security-Policy)  
-    1.1[Unused ELBs (ELBv2)](Unused-ELBs-(ELBv2))  
+    1.1 [Enable HTTPS/SSL Listener for App-Tier ELBs](Enable-HTTPS/SSL-Listener-for-App-Tier-ELBs)  
+    1.1 [Enable Latest SSL Security Policy for App-Tier ELBs](Enable-Latest-SSL-Security-Policy-for-App-Tier-ELBs)  
+    1.1 [Add SSL/TLS Server Certificates to App-Tier ELBs](Add-SSL/TLS-Server-Certificates-to-App-Tier-ELBs)  
+    1.1 [App-Tier ELBs Health Check](App-Tier-ELBs-Health-Check)  
+    1.1 [Enable ELB Access Logging](Enable-ELB-Access-Logging)  
+    1.1 [AWS Classic Load Balancer](AWS-Classic-Load-Balancer)  
+    1.1 [Connection Draining Enabled](Connection-Draining-Enabled)  
+    1.1 [Enable ELB Cross-Zone Load Balancing](Enable-ELB-Cross-Zone-Load-Balancing)  
+    1.1 [ELB insecure SSL ciphers](ELB-insecure-SSL-ciphers)  
+    1.1 [ELB insecure SSL protocols](ELB-insecure-SSL-protocols)  
+    1.1 [ELB Listener Security](ELB-Listener-Security)  
+    1.1 [ELB minimum number of EC2 instances](ELB-minimum-number-of-EC2-instances)  
+    1.1 [ELB Security Group](ELB-Security-Group)  
+    1.1 [ELB Security Policy](ELB-Security-Policy)  
+    1.1 [Remove unused ELBs](Remove-unused-ELBs)  
+    1.1 [ELB Instances Distribution Across Availability Zones](ELB-Instances-Distribution-Across-Availability-Zones)  
+    1.1 [Review AWS Internet Facing Load Balancers](Review-AWS-Internet-Facing-Load-Balancers)  
+    1.1 [Enable HTTPS/SSL Listener for Web-Tier ELBs](Enable-HTTPS/SSL-Listener-for-Web-Tier-ELBs)  
+    1.1 [Enable Latest SSL Security Policy for Web-Tier ELBs](Enable-Latest-SSL-Security-Policy-for-Web-Tier-ELBs)  
+    1.1 [Add SSL/TLS Server Certificates to Web-Tier ELBs](Add-SSL/TLS-Server-Certificates-to-Web-Tier-ELBs)  
+    1.1 [Web-Tier ELBs Health Check](Web-Tier-ELBs-Health-Check)  
+    1.1 [Enable ALB (ELBv2)-Access-Logging](Enable-ALB-(ELBv2)-Access-Logging)  
+    1.1 [Enable Elastic Load Balancing Deletion Protection](Enable-Elastic-Load-Balancing-Deletion-Protection)  
+    1.1 [ELBv2 Instances Distribution Across Availability Zones](ELBv2-Instances-Distribution-Across-Availability-Zones)  
+    1.1 [ALB (ELBv2)-Listener-Security](ALB-(ELBv2)-Listener-Security)  
+    1.1 [Minimum Number of EC2 Target Instances](Minimum-Number-of-EC2-Target-Instances)  
+    1.1 [ELBv2 Security Groups](ELBv2-Security-Groups)  
+    1.1 [ALB (ELBv2)-Security-Policy](ALB-(ELBv2)-Security-Policy)  
+    1.1 [Unused ELBs (ELBv2)](Unused-ELBs-(ELBv2))  
 1. [EMR](EMR)  
-    1.1[EMR Cluster In VPC](EMR-Cluster-In-VPC)  
-    1.1[EMR Desired Instance Type](EMR-Desired-Instance-Type)  
-    1.1[EMR Instance Type Generation](EMR-Instance-Type-Generation)  
-    1.1[Enable EMR In-Transit and At-Rest Encryption](Enable-EMR-In-Transit-and-At-Rest-Encryption)  
-    1.1[Total Number of EMR Instances](Total-Number-of-EMR-Instances)  
+    1.1 [EMR Cluster In VPC](EMR-Cluster-In-VPC)  
+    1.1 [EMR Desired Instance Type](EMR-Desired-Instance-Type)  
+    1.1 [EMR Instance Type Generation](EMR-Instance-Type-Generation)  
+    1.1 [Enable EMR In-Transit and At-Rest Encryption](Enable-EMR-In-Transit-and-At-Rest-Encryption)  
+    1.1 [Total Number of EMR Instances](Total-Number-of-EMR-Instances)  
 1. [GuardDuty](GuardDuty)  
-    1.1[GuardDuty Findings](GuardDuty-Findings)  
-    1.1[Monitor GuardDuty Configuration Changes](Monitor-GuardDuty-Configuration-Changes)  
-    1.1[GuardDuty In Use](GuardDuty-In-Use)  
+    1.1 [GuardDuty Findings](GuardDuty-Findings)  
+    1.1 [Monitor GuardDuty Configuration Changes](Monitor-GuardDuty-Configuration-Changes)  
+    1.1 [GuardDuty In Use](GuardDuty-In-Use)  
 1. [Health](Health)  
-    1.1[AWS Health](AWS-Health)  
+    1.1 [AWS Health](AWS-Health)  
 1. [IAM](IAM)  
-    1.1[Unused IAM Access Keys](Unused-IAM-Access-Keys)  
-    1.1[IAM Access Keys Rotation](IAM-Access-Keys-Rotation)  
-    1.1[Unnecessary IAM Access Keys](Unnecessary-IAM-Access-Keys)  
-    1.1[Enable Security Challenge Questions for your Account](Enable-Security-Challenge-Questions-for-your-Account)  
-    1.1[Attach Policy to IAM Roles Associated with App-Tier EC2 Instances](Attach-Policy-to-IAM-Roles-Associated-with-App-Tier-EC2-Instances)  
-    1.1[SSL/TLS Certificate Renewal](SSL/TLS-Certificate-Renewal)  
-    1.1[Server Certificate Signature Algorithm](Server-Certificate-Signature-Algorithm)  
-    1.1[IAM Server Certificate Size](IAM-Server-Certificate-Size)  
-    1.1[Deprecated AWS Managed Policies In Use](Deprecated-AWS-Managed-Policies-In-Use)  
-    1.1[IAM Users Unauthorized to Edit Access Policies](IAM-Users-Unauthorized-to-Edit-Access-Policies)  
-    1.1[IAM Users with Admin Privileges](IAM-Users-with-Admin-Privileges)  
-    1.1[Detect IAM Configuration Changes](Detect-IAM-Configuration-Changes)  
-    1.1[IAM Group with Administrator Privileges In Use](IAM-Group-with-Administrator-Privileges-In-Use)  
-    1.1[Unused IAM Groups](Unused-IAM-Groups)  
-    1.1[Remove IAM Policies with Full Administrative Privileges](Remove-IAM-Policies-with-Full-Administrative-Privileges)  
-    1.1[IAM Customer Managed Policy with Administrative Permissions In Use](IAM-Customer-Managed-Policy-with-Administrative-Permissions-In-Use)  
-    1.1[IAM Role Policy Too Permissive](IAM-Role-Policy-Too-Permissive)  
-    1.1[IAM User Present](IAM-User-Present)  
-    1.1[Inactive IAM Users](Inactive-IAM-Users)  
-    1.1[Unused IAM Users](Unused-IAM-Users)  
-    1.1[IAM Users with Password and Access Keys](IAM-Users-with-Password-and-Access-Keys)  
-    1.1[Valid IAM Identity Providers](Valid-IAM-Identity-Providers)  
-    1.1[MFA Device Deactivated for IAM Users](MFA-Device-Deactivated-for-IAM-Users)  
-    1.1[Enable MFA for IAM Users](Enable-MFA-for-IAM-Users)  
-    1.1[IAM Master and IAM Manager Roles](IAM-Master-and-IAM-Manager-Roles)  
-    1.1[IAM Password Expiry](IAM-Password-Expiry)  
-    1.1[IAM Password Policy](IAM-Password-Policy)  
-    1.1[Root Account Access Keys](Root-Account-Access-Keys)  
-    1.1[Root Account Credentials Usage](Root-Account-Credentials-Usage)  
-    1.1[Root Account Active Signing Certificates](Root-Account-Active-Signing-Certificates)  
-    1.1[Enable Hardware MFA for Root Account](Enable-Hardware-MFA-for-Root-Account)  
-    1.1[Enable MFA for Root Account](Enable-MFA-for-Root-Account)  
-    1.1[IAM SSH Public Keys Rotation (90-Days)](IAM-SSH-Public-Keys-Rotation-(90-Days))  
-    1.1[Unnecessary IAM SSH Public Keys](Unnecessary-IAM-SSH-Public-Keys)  
-    1.1[IAM Support Role](IAM-Support-Role)  
+    1.1 [Unused IAM Access Keys](Unused-IAM-Access-Keys)  
+    1.1 [IAM Access Keys Rotation](IAM-Access-Keys-Rotation)  
+    1.1 [Unnecessary IAM Access Keys](Unnecessary-IAM-Access-Keys)  
+    1.1 [Enable Security Challenge Questions for your Account](Enable-Security-Challenge-Questions-for-your-Account)  
+    1.1 [Attach Policy to IAM Roles Associated with App-Tier EC2 Instances](Attach-Policy-to-IAM-Roles-Associated-with-App-Tier-EC2-Instances)  
+    1.1 [SSL/TLS Certificate Renewal](SSL/TLS-Certificate-Renewal)  
+    1.1 [Server Certificate Signature Algorithm](Server-Certificate-Signature-Algorithm)  
+    1.1 [IAM Server Certificate Size](IAM-Server-Certificate-Size)  
+    1.1 [Deprecated AWS Managed Policies In Use](Deprecated-AWS-Managed-Policies-In-Use)  
+    1.1 [IAM Users Unauthorized to Edit Access Policies](IAM-Users-Unauthorized-to-Edit-Access-Policies)  
+    1.1 [IAM Users with Admin Privileges](IAM-Users-with-Admin-Privileges)  
+    1.1 [Detect IAM Configuration Changes](Detect-IAM-Configuration-Changes)  
+    1.1 [IAM Group with Administrator Privileges In Use](IAM-Group-with-Administrator-Privileges-In-Use)  
+    1.1 [Unused IAM Groups](Unused-IAM-Groups)  
+    1.1 [Remove IAM Policies with Full Administrative Privileges](Remove-IAM-Policies-with-Full-Administrative-Privileges)  
+    1.1 [IAM Customer Managed Policy with Administrative Permissions In Use](IAM-Customer-Managed-Policy-with-Administrative-Permissions-In-Use)  
+    1.1 [IAM Role Policy Too Permissive](IAM-Role-Policy-Too-Permissive)  
+    1.1 [IAM User Present](IAM-User-Present)  
+    1.1 [Inactive IAM Users](Inactive-IAM-Users)  
+    1.1 [Unused IAM Users](Unused-IAM-Users)  
+    1.1 [IAM Users with Password and Access Keys](IAM-Users-with-Password-and-Access-Keys)  
+    1.1 [Valid IAM Identity Providers](Valid-IAM-Identity-Providers)  
+    1.1 [MFA Device Deactivated for IAM Users](MFA-Device-Deactivated-for-IAM-Users)  
+    1.1 [Enable MFA for IAM Users](Enable-MFA-for-IAM-Users)  
+    1.1 [IAM Master and IAM Manager Roles](IAM-Master-and-IAM-Manager-Roles)  
+    1.1 [IAM Password Expiry](IAM-Password-Expiry)  
+    1.1 [IAM Password Policy](IAM-Password-Policy)  
+    1.1 [Root Account Access Keys](Root-Account-Access-Keys)  
+    1.1 [Root Account Credentials Usage](Root-Account-Credentials-Usage)  
+    1.1 [Root Account Active Signing Certificates](Root-Account-Active-Signing-Certificates)  
+    1.1 [Enable Hardware MFA for Root Account](Enable-Hardware-MFA-for-Root-Account)  
+    1.1 [Enable MFA for Root Account](Enable-MFA-for-Root-Account)  
+    1.1 [IAM SSH Public Keys Rotation (90-Days)](IAM-SSH-Public-Keys-Rotation-(90-Days))  
+    1.1 [Unnecessary IAM SSH Public Keys](Unnecessary-IAM-SSH-Public-Keys)  
+    1.1 [IAM Support Role](IAM-Support-Role)  
 1. [Inspector](Inspector)  
-    1.1[AWS Inspector Findings](AWS-Inspector-Findings)  
+    1.1 [AWS Inspector Findings](AWS-Inspector-Findings)  
 1. [KMS](KMS)  
-    1.1[App-Tier Customer Master Key In Use](App-Tier-Customer-Master-Key-In-Use)  
-    1.1[KMS Customer Master Key In Use](KMS-Customer-Master-Key-In-Use)  
-    1.1[Database Tier Customer Master Key In Use](Database-Tier-Customer-Master-Key-In-Use)  
-    1.1[Default KMS Key Usage](Default-KMS-Key-Usage)  
-    1.1[Disabled KMS keys](Disabled-KMS-keys)  
-    1.1[Monitor KMS Configuration Changes](Monitor-KMS-Configuration-Changes)  
-    1.1[KMS Unknown Cross Account Access](KMS-Unknown-Cross-Account-Access)  
-    1.1[KMS Exposed Keys](KMS-Exposed-Keys)  
-    1.1[Recover KMS Customer Master Keys](Recover-KMS-Customer-Master-Keys)  
-    1.1[Enable KMS Key Rotation](Enable-KMS-Key-Rotation)  
-    1.1[Remove unused KMS keys](Remove-unused-KMS-keys)  
-    1.1[Web-Tier Customer Master Key In Use](Web-Tier-Customer-Master-Key-In-Use)  
+    1.1 [App-Tier Customer Master Key In Use](App-Tier-Customer-Master-Key-In-Use)  
+    1.1 [KMS Customer Master Key In Use](KMS-Customer-Master-Key-In-Use)  
+    1.1 [Database Tier Customer Master Key In Use](Database-Tier-Customer-Master-Key-In-Use)  
+    1.1 [Default KMS Key Usage](Default-KMS-Key-Usage)  
+    1.1 [Disabled KMS keys](Disabled-KMS-keys)  
+    1.1 [Monitor KMS Configuration Changes](Monitor-KMS-Configuration-Changes)  
+    1.1 [KMS Unknown Cross Account Access](KMS-Unknown-Cross-Account-Access)  
+    1.1 [KMS Exposed Keys](KMS-Exposed-Keys)  
+    1.1 [Recover KMS Customer Master Keys](Recover-KMS-Customer-Master-Keys)  
+    1.1 [Enable KMS Key Rotation](Enable-KMS-Key-Rotation)  
+    1.1 [Remove unused KMS keys](Remove-unused-KMS-keys)  
+    1.1 [Web-Tier Customer Master Key In Use](Web-Tier-Customer-Master-Key-In-Use)  
 1. [Lambda](Lambda)  
-    1.1[Exposed Lambda Functions](Exposed-Lambda-Functions)  
-    1.1[Lambda Functions with Admin Privileges](Lambda-Functions-with-Admin-Privileges)  
-    1.1[Lambda Unknown Cross Account Access](Lambda-Unknown-Cross-Account-Access)  
-    1.1[Lambda Runtime Environment Version](Lambda-Runtime-Environment-Version)  
-    1.1[An IAM role for a Lambda Function](An-IAM-role-for-a-Lambda-Function)  
+    1.1 [Exposed Lambda Functions](Exposed-Lambda-Functions)  
+    1.1 [Lambda Functions with Admin Privileges](Lambda-Functions-with-Admin-Privileges)  
+    1.1 [Lambda Unknown Cross Account Access](Lambda-Unknown-Cross-Account-Access)  
+    1.1 [Lambda Runtime Environment Version](Lambda-Runtime-Environment-Version)  
+    1.1 [An IAM role for a Lambda Function](An-IAM-role-for-a-Lambda-Function)  
 1. [Organizations](Organizations)  
-    1.1[Monitor AWS Org. Configuration Changes](Monitor-AWS-Org.-Configuration-Changes)  
-    1.1[Enable All Features](Enable-All-Features)  
-    1.1[AWS Organizations In Use](AWS-Organizations-In-Use)  
+    1.1 [Monitor AWS Org. Configuration Changes](Monitor-AWS-Org.-Configuration-Changes)  
+    1.1 [Enable All Features](Enable-All-Features)  
+    1.1 [AWS Organizations In Use](AWS-Organizations-In-Use)  
 1. [RDS](RDS)  
-    1.1[Aurora Database Instance Accessibility](Aurora-Database-Instance-Accessibility)  
-    1.1[RDS Auto Minor Version Upgrade](RDS-Auto-Minor-Version-Upgrade)  
-    1.1[Enable RDS Automated Backups](Enable-RDS-Automated-Backups)  
-    1.1[Enable RDS Deletion Protection](Enable-RDS-Deletion-Protection)  
-    1.1[Enable RDS Encryption](Enable-RDS-Encryption)  
-    1.1[RDS Free Storage Space](RDS-Free-Storage-Space)  
-    1.1[Enable IAM Database Authentication](Enable-IAM-Database-Authentication)  
-    1.1[Total Number of Provisioned RDS Instances](Total-Number-of-Provisioned-RDS-Instances)  
-    1.1[RDS Multi-AZ](RDS-Multi-AZ)  
-    1.1[Overutilized RDS Instances](Overutilized-RDS-Instances)  
-    1.1[Publicly Accessible RDS Instances](Publicly-Accessible-RDS-Instances)  
-    1.1[Use Data-Tier Security Group for RDS Databases](Use-Data-Tier-Security-Group-for-RDS-Databases)  
-    1.1[RDS Database Default Port](RDS-Database-Default-Port)  
-    1.1[Use KMS Customer Master Keys for RDS encryption](Use-KMS-Customer-Master-Keys-for-RDS-encryption)  
-    1.1[RDS General Purpose SSD Storage Type](RDS-General-Purpose-SSD-Storage-Type)  
-    1.1[RDS Instance Not In Public Subnet](RDS-Instance-Not-In-Public-Subnet)  
-    1.1[RDS Database Master Username](RDS-Database-Master-Username)  
-    1.1[RDS Public Snapshots](RDS-Public-Snapshots)  
-    1.1[RDS Sufficient Backup Retention Period](RDS-Sufficient-Backup-Retention-Period)  
-    1.1[Enable RDS Transport Encryption](Enable-RDS-Transport-Encryption)  
-    1.1[Underutilized RDS Instances](Underutilized-RDS-Instances)  
-    1.1[Unrestricted RDS DB Security Group](Unrestricted-RDS-DB-Security-Group)  
-    1.1[Enable Route 53 Domain Auto Renew](Enable-Route-53-Domain-Auto-Renew)  
-    1.1[Create DNS Alias Record for Root Domain](Create-DNS-Alias-Record-for-Root-Domain)  
-    1.1[Remove Route 53 Dangling DNS Records](Remove-Route-53-Dangling-DNS-Records)  
-    1.1[Expired Route 53 Domain Names](Expired-Route-53-Domain-Names)  
-    1.1[Route 53 Domain Name Renewal](Route-53-Domain-Name-Renewal)  
-    1.1[Enable Privacy Protection for Route 53 Domains](Enable-Privacy-Protection-for-Route-53-Domains)  
-    1.1[Root Domain Alias Records that Point to ELB](Root-Domain-Alias-Records-that-Point-to-ELB)  
-    1.1[Monitor Route 53 Configuration Changes](Monitor-Route-53-Configuration-Changes)  
-    1.1[Route 53 DNS In Use](Route-53-DNS-In-Use)  
-    1.1[Route 53 SPF DNS Records](Route-53-SPF-DNS-Records)  
-    1.1[Enable Route 53 Domain Transfer Lock](Enable-Route-53-Domain-Transfer-Lock)  
-    1.1[Monitor Route 53 Domains Configuration Changes](Monitor-Route-53-Domains-Configuration-Changes)  
+    1.1 [Aurora Database Instance Accessibility](Aurora-Database-Instance-Accessibility)  
+    1.1 [RDS Auto Minor Version Upgrade](RDS-Auto-Minor-Version-Upgrade)  
+    1.1 [Enable RDS Automated Backups](Enable-RDS-Automated-Backups)  
+    1.1 [Enable RDS Deletion Protection](Enable-RDS-Deletion-Protection)  
+    1.1 [Enable RDS Encryption](Enable-RDS-Encryption)  
+    1.1 [RDS Free Storage Space](RDS-Free-Storage-Space)  
+    1.1 [Enable IAM Database Authentication](Enable-IAM-Database-Authentication)  
+    1.1 [Total Number of Provisioned RDS Instances](Total-Number-of-Provisioned-RDS-Instances)  
+    1.1 [RDS Multi-AZ](RDS-Multi-AZ)  
+    1.1 [Overutilized RDS Instances](Overutilized-RDS-Instances)  
+    1.1 [Publicly Accessible RDS Instances](Publicly-Accessible-RDS-Instances)  
+    1.1 [Use Data-Tier Security Group for RDS Databases](Use-Data-Tier-Security-Group-for-RDS-Databases)  
+    1.1 [RDS Database Default Port](RDS-Database-Default-Port)  
+    1.1 [Use KMS Customer Master Keys for RDS encryption](Use-KMS-Customer-Master-Keys-for-RDS-encryption)  
+    1.1 [RDS General Purpose SSD Storage Type](RDS-General-Purpose-SSD-Storage-Type)  
+    1.1 [RDS Instance Not In Public Subnet](RDS-Instance-Not-In-Public-Subnet)  
+    1.1 [RDS Database Master Username](RDS-Database-Master-Username)  
+    1.1 [RDS Public Snapshots](RDS-Public-Snapshots)  
+    1.1 [RDS Sufficient Backup Retention Period](RDS-Sufficient-Backup-Retention-Period)  
+    1.1 [Enable RDS Transport Encryption](Enable-RDS-Transport-Encryption)  
+    1.1 [Underutilized RDS Instances](Underutilized-RDS-Instances)  
+    1.1 [Unrestricted RDS DB Security Group](Unrestricted-RDS-DB-Security-Group)  
+    1.1 [Enable Route 53 Domain Auto Renew](Enable-Route-53-Domain-Auto-Renew)  
+    1.1 [Create DNS Alias Record for Root Domain](Create-DNS-Alias-Record-for-Root-Domain)  
+    1.1 [Remove Route 53 Dangling DNS Records](Remove-Route-53-Dangling-DNS-Records)  
+    1.1 [Expired Route 53 Domain Names](Expired-Route-53-Domain-Names)  
+    1.1 [Route 53 Domain Name Renewal](Route-53-Domain-Name-Renewal)  
+    1.1 [Enable Privacy Protection for Route 53 Domains](Enable-Privacy-Protection-for-Route-53-Domains)  
+    1.1 [Root Domain Alias Records that Point to ELB](Root-Domain-Alias-Records-that-Point-to-ELB)  
+    1.1 [Monitor Route 53 Configuration Changes](Monitor-Route-53-Configuration-Changes)  
+    1.1 [Route 53 DNS In Use](Route-53-DNS-In-Use)  
+    1.1 [Route 53 SPF DNS Records](Route-53-SPF-DNS-Records)  
+    1.1 [Enable Route 53 Domain Transfer Lock](Enable-Route-53-Domain-Transfer-Lock)  
+    1.1 [Monitor Route 53 Domains Configuration Changes](Monitor-Route-53-Domains-Configuration-Changes)  
 1. [ResourceGroup](ResourceGroup)  
-    1.1[Use tags to organize AWS resources](Use-tags-to-organize-AWS-resources)  
-    1.1[S3 Bucket Authenticated ‘FULL_CONTROL’ Access](S3-Bucket-Authenticated-‘FULL_CONTROL’-Access)  
-    1.1[S3 Bucket Authenticated ‘READ’ Access](S3-Bucket-Authenticated-‘READ’-Access)  
-    1.1[S3 Bucket Authenticated ‘READ_ACP’ Access](S3-Bucket-Authenticated-‘READ_ACP’-Access)  
-    1.1[S3 Bucket Authenticated ‘WRITE’ Access](S3-Bucket-Authenticated-‘WRITE’-Access)  
-    1.1[S3 Bucket Authenticated ‘WRITE_ACP’ Access](S3-Bucket-Authenticated-‘WRITE_ACP’-Access)  
-    1.1[Enable S3 Bucket Default Encryption](Enable-S3-Bucket-Default-Encryption)  
-    1.1[Enable Access Logging for S3 Buckets](Enable-Access-Logging-for-S3-Buckets)  
-    1.1[Enable MFA Delete for S3 Buckets](Enable-MFA-Delete-for-S3-Buckets)  
-    1.1[S3 Bucket Public Access Via Policy](S3-Bucket-Public-Access-Via-Policy)  
-    1.1[Publicly Accessible S3 Buckets](Publicly-Accessible-S3-Buckets)  
-    1.1[S3 Bucket Public ‘READ’ Access](S3-Bucket-Public-‘READ’-Access)  
-    1.1[S3 Bucket Public ‘READ_ACP’ Access](S3-Bucket-Public-‘READ_ACP’-Access)  
-    1.1[S3 Bucket Public ‘WRITE’ Access](S3-Bucket-Public-‘WRITE’-Access)  
-    1.1[S3 Bucket Public ‘WRITE_ACP’ Access](S3-Bucket-Public-‘WRITE_ACP’-Access)  
-    1.1[Enable Versioning for S3 Buckets](Enable-Versioning-for-S3-Buckets)  
-    1.1[Review S3 Buckets with Website Configuration Enabled](Review-S3-Buckets-with-Website-Configuration-Enabled)  
-    1.1[Detect S3 Configuration Changes](Detect-S3-Configuration-Changes)  
-    1.1[S3 Unknown Cross Account Access](S3-Unknown-Cross-Account-Access)  
-    1.1[Secure Transport](Secure-Transport)  
-    1.1[Server-Side Encryption](Server-Side-Encryption)  
-    1.1[Limit S3 Bucket Access by IP Address](Limit-S3-Bucket-Access-by-IP-Address)  
+    1.1 [Use tags to organize AWS resources](Use-tags-to-organize-AWS-resources)  
+    1.1 [S3 Bucket Authenticated ‘FULL_CONTROL’ Access](S3-Bucket-Authenticated-‘FULL_CONTROL’-Access)  
+    1.1 [S3 Bucket Authenticated ‘READ’ Access](S3-Bucket-Authenticated-‘READ’-Access)  
+    1.1 [S3 Bucket Authenticated ‘READ_ACP’ Access](S3-Bucket-Authenticated-‘READ_ACP’-Access)  
+    1.1 [S3 Bucket Authenticated ‘WRITE’ Access](S3-Bucket-Authenticated-‘WRITE’-Access)  
+    1.1 [S3 Bucket Authenticated ‘WRITE_ACP’ Access](S3-Bucket-Authenticated-‘WRITE_ACP’-Access)  
+    1.1 [Enable S3 Bucket Default Encryption](Enable-S3-Bucket-Default-Encryption)  
+    1.1 [Enable Access Logging for S3 Buckets](Enable-Access-Logging-for-S3-Buckets)  
+    1.1 [Enable MFA Delete for S3 Buckets](Enable-MFA-Delete-for-S3-Buckets)  
+    1.1 [S3 Bucket Public Access Via Policy](S3-Bucket-Public-Access-Via-Policy)  
+    1.1 [Publicly Accessible S3 Buckets](Publicly-Accessible-S3-Buckets)  
+    1.1 [S3 Bucket Public ‘READ’ Access](S3-Bucket-Public-‘READ’-Access)  
+    1.1 [S3 Bucket Public ‘READ_ACP’ Access](S3-Bucket-Public-‘READ_ACP’-Access)  
+    1.1 [S3 Bucket Public ‘WRITE’ Access](S3-Bucket-Public-‘WRITE’-Access)  
+    1.1 [S3 Bucket Public ‘WRITE_ACP’ Access](S3-Bucket-Public-‘WRITE_ACP’-Access)  
+    1.1 [Enable Versioning for S3 Buckets](Enable-Versioning-for-S3-Buckets)  
+    1.1 [Review S3 Buckets with Website Configuration Enabled](Review-S3-Buckets-with-Website-Configuration-Enabled)  
+    1.1 [Detect S3 Configuration Changes](Detect-S3-Configuration-Changes)  
+    1.1 [S3 Unknown Cross Account Access](S3-Unknown-Cross-Account-Access)  
+    1.1 [Secure Transport](Secure-Transport)  
+    1.1 [Server-Side Encryption](Server-Side-Encryption)  
+    1.1 [Limit S3 Bucket Access by IP Address](Limit-S3-Bucket-Access-by-IP-Address)  
 1. [SES](SES)  
-    1.1[Enable DKIM for SES](Enable-DKIM-for-SES)  
-    1.1[Unknown Cross-Account Access](Unknown-Cross-Account-Access)  
-    1.1[Exposed SES Identities](Exposed-SES-Identities)  
-    1.1[SES Identity Verification Status](SES-Identity-Verification-Status)  
+    1.1 [Enable DKIM for SES](Enable-DKIM-for-SES)  
+    1.1 [Unknown Cross-Account Access](Unknown-Cross-Account-Access)  
+    1.1 [Exposed SES Identities](Exposed-SES-Identities)  
+    1.1 [SES Identity Verification Status](SES-Identity-Verification-Status)  
 1. [Shield](Shield)  
-    1.1[AWS Shield In Use](AWS-Shield-In-Use)  
+    1.1 [AWS Shield In Use](AWS-Shield-In-Use)  
 1. [TrustedAdvisor](TrustedAdvisor)  
-    1.1[Trusted Advisor Checks](Trusted-Advisor-Checks)  
-    1.1[Exposed IAM Access Keys](Exposed-IAM-Access-Keys)  
+    1.1 [Trusted Advisor Checks](Trusted-Advisor-Checks)  
+    1.1 [Exposed IAM Access Keys](Exposed-IAM-Access-Keys)  
 1. [VPC](VPC)  
-    1.1[Allocate Elastic IPs for NAT Gateways](Allocate-Elastic-IPs-for-NAT-Gateways)  
-    1.1[Create App-Tier VPC Subnets](Create-App-Tier-VPC-Subnets)  
-    1.1[Create Data-Tier VPC Subnets](Create-Data-Tier-VPC-Subnets)  
-    1.1[Default VPC In Use](Default-VPC-In-Use)  
-    1.1[Unused VPC Internet Gateways](Unused-VPC-Internet-Gateways)  
-    1.1[Use Managed NAT Gateway for VPC](Use-Managed-NAT-Gateway-for-VPC)  
-    1.1[Create NAT Gateways in at Least Two Availability Zones](Create-NAT-Gateways-in-at-Least-Two-Availability-Zones)  
-    1.1[Ineffective Network ACL DENY Rules](Ineffective-Network-ACL-DENY-Rules)  
-    1.1[Unrestricted Network ACL Inbound Traffic](Unrestricted-Network-ACL-Inbound-Traffic)  
-    1.1[Unrestricted Network ACL Outbound Traffic](Unrestricted-Network-ACL-Outbound-Traffic)  
-    1.1[Create Route Table for Private Subnets](Create-Route-Table-for-Private-Subnets)  
-    1.1[Create Route Table for Public Subnets](Create-Route-Table-for-Public-Subnets)  
-    1.1[Enable Flow Logs for VPC Subnets](Enable-Flow-Logs-for-VPC-Subnets)  
-    1.1[VPC Endpoint Unknown Cross Account Access](VPC-Endpoint-Unknown-Cross-Account-Access)  
-    1.1[VPC Exposed Endpoints](VPC-Exposed-Endpoints)  
-    1.1[VPC Endpoints In Use](VPC-Endpoints-In-Use)  
-    1.1[Enable VPC Flow Logs](Enable-VPC-Flow-Logs)  
-    1.1[VPC Naming Conventions](VPC-Naming-Conventions)  
-    1.1[VPC Peering Connection Configuration](VPC-Peering-Connection-Configuration)  
-    1.1[Unused Virtual Private Gateways](Unused-Virtual-Private-Gateways)  
-    1.1[Create Web-Tier ELB Subnets](Create-Web-Tier-ELB-Subnets)  
-    1.1[Create Web-Tier VPC Subnets](Create-Web-Tier-VPC-Subnets)  
+    1.1 [Allocate Elastic IPs for NAT Gateways](Allocate-Elastic-IPs-for-NAT-Gateways)  
+    1.1 [Create App-Tier VPC Subnets](Create-App-Tier-VPC-Subnets)  
+    1.1 [Create Data-Tier VPC Subnets](Create-Data-Tier-VPC-Subnets)  
+    1.1 [Default VPC In Use](Default-VPC-In-Use)  
+    1.1 [Unused VPC Internet Gateways](Unused-VPC-Internet-Gateways)  
+    1.1 [Use Managed NAT Gateway for VPC](Use-Managed-NAT-Gateway-for-VPC)  
+    1.1 [Create NAT Gateways in at Least Two Availability Zones](Create-NAT-Gateways-in-at-Least-Two-Availability-Zones)  
+    1.1 [Ineffective Network ACL DENY Rules](Ineffective-Network-ACL-DENY-Rules)  
+    1.1 [Unrestricted Network ACL Inbound Traffic](Unrestricted-Network-ACL-Inbound-Traffic)  
+    1.1 [Unrestricted Network ACL Outbound Traffic](Unrestricted-Network-ACL-Outbound-Traffic)  
+    1.1 [Create Route Table for Private Subnets](Create-Route-Table-for-Private-Subnets)  
+    1.1 [Create Route Table for Public Subnets](Create-Route-Table-for-Public-Subnets)  
+    1.1 [Enable Flow Logs for VPC Subnets](Enable-Flow-Logs-for-VPC-Subnets)  
+    1.1 [VPC Endpoint Unknown Cross Account Access](VPC-Endpoint-Unknown-Cross-Account-Access)  
+    1.1 [VPC Exposed Endpoints](VPC-Exposed-Endpoints)  
+    1.1 [VPC Endpoints In Use](VPC-Endpoints-In-Use)  
+    1.1 [Enable VPC Flow Logs](Enable-VPC-Flow-Logs)  
+    1.1 [VPC Naming Conventions](VPC-Naming-Conventions)  
+    1.1 [VPC Peering Connection Configuration](VPC-Peering-Connection-Configuration)  
+    1.1 [Unused Virtual Private Gateways](Unused-Virtual-Private-Gateways)  
+    1.1 [Create Web-Tier ELB Subnets](Create-Web-Tier-ELB-Subnets)  
+    1.1 [Create Web-Tier VPC Subnets](Create-Web-Tier-VPC-Subnets)  
 1. [WAF](WAF)  
-    1.1[AWS Web Application Firewall In Use](AWS-Web-Application-Firewall-In-Use)  
+    1.1 [AWS Web Application Firewall In Use](AWS-Web-Application-Firewall-In-Use)  
 
 
 ---
@@ -518,8 +518,8 @@
 
 ### CloudFront Security Policy
 **Risk**: Medium  
-**Description**: Ensure that CloudFront distributions use a security policy with minimum TLSv1.1 or TLSv1.2 and appropriate security ciphers for HTTPS viewer connections.     
-**Resolution**: Enable security policies that enforce TLS version 1.1 or 1.2 as the minimum protocol version    
+**Description**: Ensure that CloudFront distributions use a security policy with minimum TLSv1.1  or TLSv1.2 and appropriate security ciphers for HTTPS viewer connections.     
+**Resolution**: Enable security policies that enforce TLS version 1.1  or 1.2 as the minimum protocol version    
 
 ### Unencrypted CloudFront Traffic
 **Risk**: Medium  

diff --git a/aws_sercurity_test.md b/aws_sercurity_test.md
@@ -1,372 +1,372 @@
 # Table of Contents
 
-1. [ACM](ACM)
-    1.1[Expired ACM Certificates](Expired-ACM-Certificates)
-    1.1[ACM Certificates Renewal](ACM-Certificates-Renewal)
-    1.1[ACM Certificates Validity](ACM-Certificates-Validity)
-1. [API Gateway](API-Gateway)
-    1.1[Enable CloudWatch Logs for APIs](Enable-CloudWatch-Logs-for-APIs)
-    1.1[Enable Detailed CloudWatch Metrics for APIs](Enable-Detailed-CloudWatch-Metrics-for-APIs)
-    1.1[API Gateway Private Endpoints](API-Gateway-Private-Endpoints)
-1. [AutoScaling](AutoScaling)
-    1.1[ASG Cooldown Period](ASG-Cooldown-Period)
-    1.1[Enable ASG Notifications](Enable-ASG-Notifications)
-    1.1[App-Tier ASGs with Associated ELB](App-Tier-ASGs-with-Associated-ELB)
-    1.1[CloudWatch Logs Agent for App-Tier ASG In Use](CloudWatch-Logs-Agent-for-App-Tier-ASG-In-Use)
-    1.1[IAM Roles for App-Tier ASG Launch Configurations](IAM-Roles-for-App-Tier-ASG-Launch-Configurations)
-    1.1[Use Approved AMIs for App-Tier ASG Launch Configurations](Use-Approved-AMIs-for-App-Tier-ASG-Launch-Configurations)
-    1.1[Auto Scaling Group Referencing Missing ELB](Auto-Scaling-Group-Referencing-Missing-ELB)
-    1.1[Empty Auto Scaling Groups](Empty-Auto-Scaling-Groups)
-    1.1[Launch Configuration Referencing Missing AMI](Launch-Configuration-Referencing-Missing-AMI)
-    1.1[Launch Configuration Referencing Missing Security Group](Launch-Configuration-Referencing-Missing-Security-Group)
-    1.1[Unused Launch Configuration Templates](Unused-Launch-Configuration-Templates)
-    1.1[Multi-AZ Auto Scaling Groups](Multi-AZ-Auto-Scaling-Groups)
-    1.1[Same ELB Availability Zones](Same-ELB-Availability-Zones)
-    1.1[Suspended Auto Scaling Group Processes](Suspended-Auto-Scaling-Group-Processes)
-    1.1[Web-Tier Auto Scaling Groups with Associated ELBs](Web-Tier-Auto-Scaling-Groups-with-Associated-ELBs)
-    1.1[Use Approved AMIs for Web-Tier ASG Launch Configurations](Use-Approved-AMIs-for-Web-Tier-ASG-Launch-Configurations)
-1. [CloudFront](CloudFront)
-    1.1[CloudFront CDN In Use](CloudFront-CDN-In-Use)
-    1.1[CloudFront WAF Integration](CloudFront-WAF-Integration)
-    1.1[Enable Origin Access Identity for CloudFront Distributions with S3 Origin](Enable-Origin-Access-Identity-for-CloudFront-Distributions-with-S3-Origin)
-    1.1[CloudFront Origin Insecure SSL Protocols](CloudFront-Origin-Insecure-SSL-Protocols)
-    1.1[CloudFront Security Policy](CloudFront-Security-Policy)
-    1.1[Unencrypted CloudFront Traffic](Unencrypted-CloudFront-Traffic)
-    1.1[Use Cloudfront CDN](Use-Cloudfront-CDN)
-1. [CloudTrail](CloudTrail)
-    1.1[Enable access logging for CloudTrail buckets](Enable-access-logging-for-CloudTrail-buckets)
-    1.1[Enable MFA Delete for CloudTrail bucket](Enable-MFA-Delete-for-CloudTrail-bucket)
-    1.1[CloudTrail insecure buckets](CloudTrail-insecure-buckets)
-    1.1[Monitor CloudTrail Configuration Changes](Monitor-CloudTrail-Configuration-Changes)
-    1.1[Enable CloudTrail integration with CloudWatch](Enable-CloudTrail-integration-with-CloudWatch)
-    1.1[Enable CloudTrail log file integrity validation](Enable-CloudTrail-log-file-integrity-validation)
-    1.1[Enable CloudTrail log files encryption](Enable-CloudTrail-log-files-encryption)
-    1.1[CloudTrail Log Files Delivery Failing](CloudTrail-Log-Files-Delivery-Failing)
-1. [CloudWatch](CloudWatch)
-    1.1[Enable AWS Billing Alerts](Enable-AWS-Billing-Alerts)
-    1.1[Enable CloudWatch Billing Alarm](Enable-CloudWatch-Billing-Alarm)
-    1.1[Exposed CloudWatch Event Bus](Exposed-CloudWatch-Event-Bus)
-    1.1[CloudWatch Events In Use](CloudWatch-Events-In-Use)
-    1.1[Alarm for Config Changes](Alarm-for-Config-Changes)
-    1.1[Alarm for Organizations Changes](Alarm-for-Organizations-Changes)
-    1.1[Alarm for multiple Sign-in Failures](Alarm-for-multiple-Sign-in-Failures)
-    1.1[Monitor for AWS Console Sign-In Requests Without MFA](Monitor-for-AWS-Console-Sign-In-Requests-Without-MFA)
-    1.1[Alarm for EC2 Instance Changes](Alarm-for-EC2-Instance-Changes)
-    1.1[Alarm for EC2 Large Instance Changes](Alarm-for-EC2-Large-Instance-Changes)
-    1.1[Alarm for Root Account Usage](Alarm-for-Root-Account-Usage)
-    1.1[Alarm for S3 Bucket Changes](Alarm-for-S3-Bucket-Changes)
-1. [Config](Config)
-    1.1[Monitor AWS Config configuration changes](Monitor-AWS-Config-configuration-changes)
-    1.1[Enable AWS Config](Enable-AWS-Config)
-    1.1[AWS Config Referencing Missing S3 Bucket](AWS-Config-Referencing-Missing-S3-Bucket)
-    1.1[AWS Config Referencing Missing SNS Topic](AWS-Config-Referencing-Missing-SNS-Topic)
-    1.1[AWS Config Log Files Delivery Failing](AWS-Config-Log-Files-Delivery-Failing)
-    1.1[Include Global Resources into AWS Config Settings](Include-Global-Resources-into-AWS-Config-Settings)
-1. [DynamoDB](DynamoDB)
-    1.1[Enable DynamoDB Auto Scaling](Enable-DynamoDB-Auto-Scaling)
-    1.1[DynamoDB Backup and Restore](DynamoDB-Backup-and-Restore)
-    1.1[Enable DynamoDB Continuous Backups](Enable-DynamoDB-Continuous-Backups)
-    1.1[DynamoDB Server-Side Encryption](DynamoDB-Server-Side-Encryption)
-1. [EBS](EBS)
-    1.1[Enable EBS Encryption](Enable-EBS-Encryption)
-    1.1[Use KMS Customer Master Keys for EBS encryption](Use-KMS-Customer-Master-Keys-for-EBS-encryption)
-    1.1[EBS Volume Naming Conventions](EBS-Volume-Naming-Conventions)
-    1.1[EBS Public Snapshots](EBS-Public-Snapshots)
-    1.1[EBS volumes recent snapshots](EBS-volumes-recent-snapshots)
-    1.1[Remove EBS old snapshots](Remove-EBS-old-snapshots)
-    1.1[Remove Unattached EC2 EBS volumes](Remove-Unattached-EC2-EBS-volumes)
-    1.1[Enable EBS Snapshot Encryption](Enable-EBS-Snapshot-Encryption)
-    1.1[EBS Volumes Attached to Stopped EC2 Instances](EBS-Volumes-Attached-to-Stopped-EC2-Instances)
-    1.1[Approved/Golden AMI](Approved/Golden-AMI)
-    1.1[AWS Blacklisted AMI](AWS-Blacklisted-AMI)
-    1.1[Enable AMI Encryption](Enable-AMI-Encryption)
-    1.1[AMI Naming Conventions](AMI-Naming-Conventions)
-    1.1[Check for AMI Age](Check-for-AMI-Age)
-    1.1[Unused AMI](Unused-AMI)
-    1.1[Unassociated Elastic IP Addresses](Unassociated-Elastic-IP-Addresses)
-    1.1[Publicly Shared App-Tier AMIs](Publicly-Shared-App-Tier-AMIs)
-    1.1[App-Tier EC2 Instances Without Elastic or Public IP Addresses](App-Tier-EC2-Instances-Without-Elastic-or-Public-IP-Addresses)
-    1.1[Check app-tier ELB subnet connectivity to Internet Gateway](Check-app-tier-ELB-subnet-connectivity-to-Internet-Gateway)
-    1.1[IAM Roles for App-Tier EC2 Instances](IAM-Roles-for-App-Tier-EC2-Instances)
-    1.1[Create and Configure App-Tier Security Group](Create-and-Configure-App-Tier-Security-Group)
-    1.1[EC2 Instances Distribution Across Availability Zones](EC2-Instances-Distribution-Across-Availability-Zones)
-    1.1[EC2-Classic Elastic IP Address Limit](EC2-Classic-Elastic-IP-Address-Limit)
-    1.1[Data-Tier Instances Without Elastic or Public IP Addresses](Data-Tier-Instances-Without-Elastic-or-Public-IP-Addresses)
-    1.1[Create and Configure Data-Tier Security Group](Create-and-Configure-Data-Tier-Security-Group)
-    1.1[Restrict data-tier subnet connectivity to VPC NAT Gateway](Restrict-data-tier-subnet-connectivity-to-VPC-NAT-Gateway)
-    1.1[Unrestricted Default Security Groups](Unrestricted-Default-Security-Groups)
-    1.1[Default EC2 Security Groups In Use](Default-EC2-Security-Groups-In-Use)
-    1.1[Detailed Monitoring for EC2 Instances](Detailed-Monitoring-for-EC2-Instances)
-    1.1[EC2 Desired Instance Type](EC2-Desired-Instance-Type)
-    1.1[Review EC2 Dedicated Instances](Review-EC2-Dedicated-Instances)
-    1.1[EC2 Instance Not In Public Subnet](EC2-Instance-Not-In-Public-Subnet)
-    1.1[Unused EC2 Reserved Instances](Unused-EC2-Reserved-Instances)
-    1.1[Total Number of EC2 Instances](Total-Number-of-EC2-Instances)
-    1.1[EC2 Instance Type Generation](EC2-Instance-Type-Generation)
-    1.1[Instance In Auto Scaling Group](Instance-In-Auto-Scaling-Group)
-    1.1[EC2 Platform](EC2-Platform)
-    1.1[EC2 Instance Limit](EC2-Instance-Limit)
-    1.1[EC2 Instance Naming Conventions](EC2-Instance-Naming-Conventions)
-    1.1[EC2 Instances with Scheduled Events](EC2-Instances-with-Scheduled-Events)
-    1.1[EC2 Instance Security Group Rules Count](EC2-Instance-Security-Group-Rules-Count)
-    1.1[EC2 Instance Tenancy Type](EC2-Instance-Tenancy-Type)
-    1.1[EC2 Instance Termination Protection](EC2-Instance-Termination-Protection)
-    1.1[EC2 Instance Age](EC2-Instance-Age)
-    1.1[EC2 Instance IAM Roles](EC2-Instance-IAM-Roles)
-    1.1[Overutilized EC2 Instances](Overutilized-EC2-Instances)
-    1.1[Publicly Shared AMIs](Publicly-Shared-AMIs)
-    1.1[EC2 Reserved Instance Lease Expiration](EC2-Reserved-Instance-Lease-Expiration)
-    1.1[EC2 Security Groups Count](EC2-Security-Groups-Count)
-    1.1[EC2 Security Group Port Range](EC2-Security-Group-Port-Range)
-    1.1[Underutilized EC2 Instances](Underutilized-EC2-Instances)
-    1.1[EC2 Security Group Unrestricted Access](EC2-Security-Group-Unrestricted-Access)
-    1.1[Unrestricted CIFS Access](Unrestricted-CIFS-Access)
-    1.1[Unrestricted DNS Access](Unrestricted-DNS-Access)
-    1.1[Unrestricted ElasticSearch Access](Unrestricted-ElasticSearch-Access)
-    1.1[Unrestricted FTP Access](Unrestricted-FTP-Access)
-    1.1[Unrestricted HTTP Access](Unrestricted-HTTP-Access)
-    1.1[Unrestricted HTTPS Access](Unrestricted-HTTPS-Access)
-    1.1[Unrestricted ICMP Access](Unrestricted-ICMP-Access)
-    1.1[Unrestricted Inbound Access on Uncommon Ports](Unrestricted-Inbound-Access-on-Uncommon-Ports)
-    1.1[Unrestricted MongoDB Access](Unrestricted-MongoDB-Access)
-    1.1[Unrestricted MSSQL Database Access](Unrestricted-MSSQL-Database-Access)
-    1.1[Unrestricted MySQL Database Access](Unrestricted-MySQL-Database-Access)
-    1.1[Unrestricted NetBIOS Access](Unrestricted-NetBIOS-Access)
-    1.1[Unrestricted Oracle Database Access](Unrestricted-Oracle-Database-Access)
-    1.1[Unrestricted Outbound Access on All Ports](Unrestricted-Outbound-Access-on-All-Ports)
-    1.1[Unrestricted PostgreSQL Database Access](Unrestricted-PostgreSQL-Database-Access)
-    1.1[Unrestricted RDP Access](Unrestricted-RDP-Access)
-    1.1[Unrestricted RPC Access](Unrestricted-RPC-Access)
-    1.1[Unrestricted SMTP Access](Unrestricted-SMTP-Access)
-    1.1[Unrestricted SSH Access](Unrestricted-SSH-Access)
-    1.1[Unrestricted Telnet Access](Unrestricted-Telnet-Access)
-    1.1[Unused Elastic Network Interfaces](Unused-Elastic-Network-Interfaces)
-    1.1[Unused EC2 Key Pairs](Unused-EC2-Key-Pairs)
-    1.1[EC2-VPC Elastic IP Address Limit](EC2-VPC-Elastic-IP-Address-Limit)
-    1.1[Publicly Shared Web-Tier AMIs](Publicly-Shared-Web-Tier-AMIs)
-    1.1[Web-Tier EC2 Instances Without Elastic or Public IP Addresses](Web-Tier-EC2-Instances-Without-Elastic-or-Public-IP-Addresses)
-    1.1[Check web-tier ELB subnet connectivity to Internet Gateway](Check-web-tier-ELB-subnet-connectivity-to-Internet-Gateway)
-    1.1[Attach Policy to IAM Roles Associated with Web-Tier EC2 Instances](Attach-Policy-to-IAM-Roles-Associated-with-Web-Tier-EC2-Instances)
-    1.1[IAM Roles for Web-Tier EC2 Instances](IAM-Roles-for-Web-Tier-EC2-Instances)
-    1.1[Create and Configure Web-Tier Security Group](Create-and-Configure-Web-Tier-Security-Group)
-    1.1[Check web-tier subnet connectivity to VPC NAT Gateway](Check-web-tier-subnet-connectivity-to-VPC-NAT-Gateway)
-1. [ECR](ECR)
-    1.1[ECR Unknown Cross Account Access](ECR-Unknown-Cross-Account-Access)
-    1.1[Check for Exposed ECR Repositories](Check-for-Exposed-ECR-Repositories)
-1. [EFS](EFS)
-    1.1[KMS Customer Master Keys for EFS Encryption](KMS-Customer-Master-Keys-for-EFS-Encryption)
-    1.1[Enable EFS Encryption](Enable-EFS-Encryption)
-1. [ElasticSearch](ElasticSearch)
-    1.1[ElasticSearch Cluster Status](ElasticSearch-Cluster-Status)
-    1.1[ElasticSearch Instance Type](ElasticSearch-Instance-Type)
-    1.1[ElasticSearch Domain Encrypted with KMS CMKs](ElasticSearch-Domain-Encrypted-with-KMS-CMKs)
-    1.1[ElasticSearch Unknown Cross Account Access](ElasticSearch-Unknown-Cross-Account-Access)
-    1.1[ElasticSearch Exposed Domains](ElasticSearch-Exposed-Domains)
-    1.1[ElasticSearch Domain IP-Based Access](ElasticSearch-Domain-IP-Based-Access)
-    1.1[ElasticSearch General Purpose SSD Node Type](ElasticSearch-General-Purpose-SSD-Node-Type)
-    1.1[ElasticSearch Version](ElasticSearch-Version)
-    1.1[Enable ElasticSearch Zone Awareness](Enable-ElasticSearch-Zone-Awareness)
-    1.1[Enable ElasticSearch Encryption At Rest](Enable-ElasticSearch-Encryption-At-Rest)
-    1.1[ElasticSearch Free Storage Space](ElasticSearch-Free-Storage-Space)
-    1.1[Total Number of ElasticSearch Instances](Total-Number-of-ElasticSearch-Instances)
-    1.1[Enable ElasticSearch Node-to-Node Encryption](Enable-ElasticSearch-Node-to-Node-Encryption)
-    1.1[Enable ElasticSearch Slow Logs](Enable-ElasticSearch-Slow-Logs)
-1. [ELB](ELB)
-    1.1[Enable HTTPS/SSL Listener for App-Tier ELBs](Enable-HTTPS/SSL-Listener-for-App-Tier-ELBs)
-    1.1[Enable Latest SSL Security Policy for App-Tier ELBs](Enable-Latest-SSL-Security-Policy-for-App-Tier-ELBs)
-    1.1[Add SSL/TLS Server Certificates to App-Tier ELBs](Add-SSL/TLS-Server-Certificates-to-App-Tier-ELBs)
-    1.1[App-Tier ELBs Health Check](App-Tier-ELBs-Health-Check)
-    1.1[Enable ELB Access Logging](Enable-ELB-Access-Logging)
-    1.1[AWS Classic Load Balancer](AWS-Classic-Load-Balancer)
-    1.1[Connection Draining Enabled](Connection-Draining-Enabled)
-    1.1[Enable ELB Cross-Zone Load Balancing](Enable-ELB-Cross-Zone-Load-Balancing)
-    1.1[ELB insecure SSL ciphers](ELB-insecure-SSL-ciphers)
-    1.1[ELB insecure SSL protocols](ELB-insecure-SSL-protocols)
-    1.1[ELB Listener Security](ELB-Listener-Security)
-    1.1[ELB minimum number of EC2 instances](ELB-minimum-number-of-EC2-instances)
-    1.1[ELB Security Group](ELB-Security-Group)
-    1.1[ELB Security Policy](ELB-Security-Policy)
-    1.1[Remove unused ELBs](Remove-unused-ELBs)
-    1.1[ELB Instances Distribution Across Availability Zones](ELB-Instances-Distribution-Across-Availability-Zones)
-    1.1[Review AWS Internet Facing Load Balancers](Review-AWS-Internet-Facing-Load-Balancers)
-    1.1[Enable HTTPS/SSL Listener for Web-Tier ELBs](Enable-HTTPS/SSL-Listener-for-Web-Tier-ELBs)
-    1.1[Enable Latest SSL Security Policy for Web-Tier ELBs](Enable-Latest-SSL-Security-Policy-for-Web-Tier-ELBs)
-    1.1[Add SSL/TLS Server Certificates to Web-Tier ELBs](Add-SSL/TLS-Server-Certificates-to-Web-Tier-ELBs)
-    1.1[Web-Tier ELBs Health Check](Web-Tier-ELBs-Health-Check)
-    1.1[Enable ALB (ELBv2)-Access-Logging](Enable-ALB-(ELBv2)-Access-Logging)
-    1.1[Enable Elastic Load Balancing Deletion Protection](Enable-Elastic-Load-Balancing-Deletion-Protection)
-    1.1[ELBv2 Instances Distribution Across Availability Zones](ELBv2-Instances-Distribution-Across-Availability-Zones)
-    1.1[ALB (ELBv2)-Listener-Security](ALB-(ELBv2)-Listener-Security)
-    1.1[Minimum Number of EC2 Target Instances](Minimum-Number-of-EC2-Target-Instances)
-    1.1[ELBv2 Security Groups](ELBv2-Security-Groups)
-    1.1[ALB (ELBv2)-Security-Policy](ALB-(ELBv2)-Security-Policy)
-    1.1[Unused ELBs (ELBv2)](Unused-ELBs-(ELBv2))
-1. [EMR](EMR)
-    1.1[EMR Cluster In VPC](EMR-Cluster-In-VPC)
-    1.1[EMR Desired Instance Type](EMR-Desired-Instance-Type)
-    1.1[EMR Instance Type Generation](EMR-Instance-Type-Generation)
-    1.1[Enable EMR In-Transit and At-Rest Encryption](Enable-EMR-In-Transit-and-At-Rest-Encryption)
-    1.1[Total Number of EMR Instances](Total-Number-of-EMR-Instances)
-1. [GuardDuty](GuardDuty)
-    1.1[GuardDuty Findings](GuardDuty-Findings)
-    1.1[Monitor GuardDuty Configuration Changes](Monitor-GuardDuty-Configuration-Changes)
-    1.1[GuardDuty In Use](GuardDuty-In-Use)
-1. [Health](Health)
-    1.1[AWS Health](AWS-Health)
-1. [IAM](IAM)
-    1.1[Unused IAM Access Keys](Unused-IAM-Access-Keys)
-    1.1[IAM Access Keys Rotation](IAM-Access-Keys-Rotation)
-    1.1[Unnecessary IAM Access Keys](Unnecessary-IAM-Access-Keys)
-    1.1[Enable Security Challenge Questions for your Account](Enable-Security-Challenge-Questions-for-your-Account)
-    1.1[Attach Policy to IAM Roles Associated with App-Tier EC2 Instances](Attach-Policy-to-IAM-Roles-Associated-with-App-Tier-EC2-Instances)
-    1.1[SSL/TLS Certificate Renewal](SSL/TLS-Certificate-Renewal)
-    1.1[Server Certificate Signature Algorithm](Server-Certificate-Signature-Algorithm)
-    1.1[IAM Server Certificate Size](IAM-Server-Certificate-Size)
-    1.1[Deprecated AWS Managed Policies In Use](Deprecated-AWS-Managed-Policies-In-Use)
-    1.1[IAM Users Unauthorized to Edit Access Policies](IAM-Users-Unauthorized-to-Edit-Access-Policies)
-    1.1[IAM Users with Admin Privileges](IAM-Users-with-Admin-Privileges)
-    1.1[Detect IAM Configuration Changes](Detect-IAM-Configuration-Changes)
-    1.1[IAM Group with Administrator Privileges In Use](IAM-Group-with-Administrator-Privileges-In-Use)
-    1.1[Unused IAM Groups](Unused-IAM-Groups)
-    1.1[Remove IAM Policies with Full Administrative Privileges](Remove-IAM-Policies-with-Full-Administrative-Privileges)
-    1.1[IAM Customer Managed Policy with Administrative Permissions In Use](IAM-Customer-Managed-Policy-with-Administrative-Permissions-In-Use)
-    1.1[IAM Role Policy Too Permissive](IAM-Role-Policy-Too-Permissive)
-    1.1[IAM User Present](IAM-User-Present)
-    1.1[Inactive IAM Users](Inactive-IAM-Users)
-    1.1[Unused IAM Users](Unused-IAM-Users)
-    1.1[IAM Users with Password and Access Keys](IAM-Users-with-Password-and-Access-Keys)
-    1.1[Valid IAM Identity Providers](Valid-IAM-Identity-Providers)
-    1.1[MFA Device Deactivated for IAM Users](MFA-Device-Deactivated-for-IAM-Users)
-    1.1[Enable MFA for IAM Users](Enable-MFA-for-IAM-Users)
-    1.1[IAM Master and IAM Manager Roles](IAM-Master-and-IAM-Manager-Roles)
-    1.1[IAM Password Expiry](IAM-Password-Expiry)
-    1.1[IAM Password Policy](IAM-Password-Policy)
-    1.1[Root Account Access Keys](Root-Account-Access-Keys)
-    1.1[Root Account Credentials Usage](Root-Account-Credentials-Usage)
-    1.1[Root Account Active Signing Certificates](Root-Account-Active-Signing-Certificates)
-    1.1[Enable Hardware MFA for Root Account](Enable-Hardware-MFA-for-Root-Account)
-    1.1[Enable MFA for Root Account](Enable-MFA-for-Root-Account)
-    1.1[IAM SSH Public Keys Rotation (90-Days)](IAM-SSH-Public-Keys-Rotation-(90-Days))
-    1.1[Unnecessary IAM SSH Public Keys](Unnecessary-IAM-SSH-Public-Keys)
-    1.1[IAM Support Role](IAM-Support-Role)
-1. [Inspector](Inspector)
-    1.1[AWS Inspector Findings](AWS-Inspector-Findings)
-1. [KMS](KMS)
-    1.1[App-Tier Customer Master Key In Use](App-Tier-Customer-Master-Key-In-Use)
-    1.1[KMS Customer Master Key In Use](KMS-Customer-Master-Key-In-Use)
-    1.1[Database Tier Customer Master Key In Use](Database-Tier-Customer-Master-Key-In-Use)
-    1.1[Default KMS Key Usage](Default-KMS-Key-Usage)
-    1.1[Disabled KMS keys](Disabled-KMS-keys)
-    1.1[Monitor KMS Configuration Changes](Monitor-KMS-Configuration-Changes)
-    1.1[KMS Unknown Cross Account Access](KMS-Unknown-Cross-Account-Access)
-    1.1[KMS Exposed Keys](KMS-Exposed-Keys)
-    1.1[Recover KMS Customer Master Keys](Recover-KMS-Customer-Master-Keys)
-    1.1[Enable KMS Key Rotation](Enable-KMS-Key-Rotation)
-    1.1[Remove unused KMS keys](Remove-unused-KMS-keys)
-    1.1[Web-Tier Customer Master Key In Use](Web-Tier-Customer-Master-Key-In-Use)
-1. [Lambda](Lambda)
-    1.1[Exposed Lambda Functions](Exposed-Lambda-Functions)
-    1.1[Lambda Functions with Admin Privileges](Lambda-Functions-with-Admin-Privileges)
-    1.1[Lambda Unknown Cross Account Access](Lambda-Unknown-Cross-Account-Access)
-    1.1[Lambda Runtime Environment Version](Lambda-Runtime-Environment-Version)
-    1.1[An IAM role for a Lambda Function](An-IAM-role-for-a-Lambda-Function)
-1. [Organizations](Organizations)
-    1.1[Monitor AWS Org. Configuration Changes](Monitor-AWS-Org.-Configuration-Changes)
-    1.1[Enable All Features](Enable-All-Features)
-    1.1[AWS Organizations In Use](AWS-Organizations-In-Use)
-1. [RDS](RDS)
-    1.1[Aurora Database Instance Accessibility](Aurora-Database-Instance-Accessibility)
-    1.1[RDS Auto Minor Version Upgrade](RDS-Auto-Minor-Version-Upgrade)
-    1.1[Enable RDS Automated Backups](Enable-RDS-Automated-Backups)
-    1.1[Enable RDS Deletion Protection](Enable-RDS-Deletion-Protection)
-    1.1[Enable RDS Encryption](Enable-RDS-Encryption)
-    1.1[RDS Free Storage Space](RDS-Free-Storage-Space)
-    1.1[Enable IAM Database Authentication](Enable-IAM-Database-Authentication)
-    1.1[Total Number of Provisioned RDS Instances](Total-Number-of-Provisioned-RDS-Instances)
-    1.1[RDS Multi-AZ](RDS-Multi-AZ)
-    1.1[Overutilized RDS Instances](Overutilized-RDS-Instances)
-    1.1[Publicly Accessible RDS Instances](Publicly-Accessible-RDS-Instances)
-    1.1[Use Data-Tier Security Group for RDS Databases](Use-Data-Tier-Security-Group-for-RDS-Databases)
-    1.1[RDS Database Default Port](RDS-Database-Default-Port)
-    1.1[Use KMS Customer Master Keys for RDS encryption](Use-KMS-Customer-Master-Keys-for-RDS-encryption)
-    1.1[RDS General Purpose SSD Storage Type](RDS-General-Purpose-SSD-Storage-Type)
-    1.1[RDS Instance Not In Public Subnet](RDS-Instance-Not-In-Public-Subnet)
-    1.1[RDS Database Master Username](RDS-Database-Master-Username)
-    1.1[RDS Public Snapshots](RDS-Public-Snapshots)
-    1.1[RDS Sufficient Backup Retention Period](RDS-Sufficient-Backup-Retention-Period)
-    1.1[Enable RDS Transport Encryption](Enable-RDS-Transport-Encryption)
-    1.1[Underutilized RDS Instances](Underutilized-RDS-Instances)
-    1.1[Unrestricted RDS DB Security Group](Unrestricted-RDS-DB-Security-Group)
-    1.1[Enable Route 53 Domain Auto Renew](Enable-Route-53-Domain-Auto-Renew)
-    1.1[Create DNS Alias Record for Root Domain](Create-DNS-Alias-Record-for-Root-Domain)
-    1.1[Remove Route 53 Dangling DNS Records](Remove-Route-53-Dangling-DNS-Records)
-    1.1[Expired Route 53 Domain Names](Expired-Route-53-Domain-Names)
-    1.1[Route 53 Domain Name Renewal](Route-53-Domain-Name-Renewal)
-    1.1[Enable Privacy Protection for Route 53 Domains](Enable-Privacy-Protection-for-Route-53-Domains)
-    1.1[Root Domain Alias Records that Point to ELB](Root-Domain-Alias-Records-that-Point-to-ELB)
-    1.1[Monitor Route 53 Configuration Changes](Monitor-Route-53-Configuration-Changes)
-    1.1[Route 53 DNS In Use](Route-53-DNS-In-Use)
-    1.1[Route 53 SPF DNS Records](Route-53-SPF-DNS-Records)
-    1.1[Enable Route 53 Domain Transfer Lock](Enable-Route-53-Domain-Transfer-Lock)
-    1.1[Monitor Route 53 Domains Configuration Changes](Monitor-Route-53-Domains-Configuration-Changes)
-1. [ResourceGroup](ResourceGroup)
-    1.1[Use tags to organize AWS resources](Use-tags-to-organize-AWS-resources)
-    1.1[S3 Bucket Authenticated ‘FULL_CONTROL’ Access](S3-Bucket-Authenticated-‘FULL_CONTROL’-Access)
-    1.1[S3 Bucket Authenticated ‘READ’ Access](S3-Bucket-Authenticated-‘READ’-Access)
-    1.1[S3 Bucket Authenticated ‘READ_ACP’ Access](S3-Bucket-Authenticated-‘READ_ACP’-Access)
-    1.1[S3 Bucket Authenticated ‘WRITE’ Access](S3-Bucket-Authenticated-‘WRITE’-Access)
-    1.1[S3 Bucket Authenticated ‘WRITE_ACP’ Access](S3-Bucket-Authenticated-‘WRITE_ACP’-Access)
-    1.1[Enable S3 Bucket Default Encryption](Enable-S3-Bucket-Default-Encryption)
-    1.1[Enable Access Logging for S3 Buckets](Enable-Access-Logging-for-S3-Buckets)
-    1.1[Enable MFA Delete for S3 Buckets](Enable-MFA-Delete-for-S3-Buckets)
-    1.1[S3 Bucket Public Access Via Policy](S3-Bucket-Public-Access-Via-Policy)
-    1.1[Publicly Accessible S3 Buckets](Publicly-Accessible-S3-Buckets)
-    1.1[S3 Bucket Public ‘READ’ Access](S3-Bucket-Public-‘READ’-Access)
-    1.1[S3 Bucket Public ‘READ_ACP’ Access](S3-Bucket-Public-‘READ_ACP’-Access)
-    1.1[S3 Bucket Public ‘WRITE’ Access](S3-Bucket-Public-‘WRITE’-Access)
-    1.1[S3 Bucket Public ‘WRITE_ACP’ Access](S3-Bucket-Public-‘WRITE_ACP’-Access)
-    1.1[Enable Versioning for S3 Buckets](Enable-Versioning-for-S3-Buckets)
-    1.1[Review S3 Buckets with Website Configuration Enabled](Review-S3-Buckets-with-Website-Configuration-Enabled)
-    1.1[Detect S3 Configuration Changes](Detect-S3-Configuration-Changes)
-    1.1[S3 Unknown Cross Account Access](S3-Unknown-Cross-Account-Access)
-    1.1[Secure Transport](Secure-Transport)
-    1.1[Server-Side Encryption](Server-Side-Encryption)
-    1.1[Limit S3 Bucket Access by IP Address](Limit-S3-Bucket-Access-by-IP-Address)
-1. [SES](SES)
-    1.1[Enable DKIM for SES](Enable-DKIM-for-SES)
-    1.1[Unknown Cross-Account Access](Unknown-Cross-Account-Access)
-    1.1[Exposed SES Identities](Exposed-SES-Identities)
-    1.1[SES Identity Verification Status](SES-Identity-Verification-Status)
-1. [Shield](Shield)
-    1.1[AWS Shield In Use](AWS-Shield-In-Use)
-1. [TrustedAdvisor](TrustedAdvisor)
-    1.1[Trusted Advisor Checks](Trusted-Advisor-Checks)
-    1.1[Exposed IAM Access Keys](Exposed-IAM-Access-Keys)
-1. [VPC](VPC)
-    1.1[Allocate Elastic IPs for NAT Gateways](Allocate-Elastic-IPs-for-NAT-Gateways)
-    1.1[Create App-Tier VPC Subnets](Create-App-Tier-VPC-Subnets)
-    1.1[Create Data-Tier VPC Subnets](Create-Data-Tier-VPC-Subnets)
-    1.1[Default VPC In Use](Default-VPC-In-Use)
-    1.1[Unused VPC Internet Gateways](Unused-VPC-Internet-Gateways)
-    1.1[Use Managed NAT Gateway for VPC](Use-Managed-NAT-Gateway-for-VPC)
-    1.1[Create NAT Gateways in at Least Two Availability Zones](Create-NAT-Gateways-in-at-Least-Two-Availability-Zones)
-    1.1[Ineffective Network ACL DENY Rules](Ineffective-Network-ACL-DENY-Rules)
-    1.1[Unrestricted Network ACL Inbound Traffic](Unrestricted-Network-ACL-Inbound-Traffic)
-    1.1[Unrestricted Network ACL Outbound Traffic](Unrestricted-Network-ACL-Outbound-Traffic)
-    1.1[Create Route Table for Private Subnets](Create-Route-Table-for-Private-Subnets)
-    1.1[Create Route Table for Public Subnets](Create-Route-Table-for-Public-Subnets)
-    1.1[Enable Flow Logs for VPC Subnets](Enable-Flow-Logs-for-VPC-Subnets)
-    1.1[VPC Endpoint Unknown Cross Account Access](VPC-Endpoint-Unknown-Cross-Account-Access)
-    1.1[VPC Exposed Endpoints](VPC-Exposed-Endpoints)
-    1.1[VPC Endpoints In Use](VPC-Endpoints-In-Use)
-    1.1[Enable VPC Flow Logs](Enable-VPC-Flow-Logs)
-    1.1[VPC Naming Conventions](VPC-Naming-Conventions)
-    1.1[VPC Peering Connection Configuration](VPC-Peering-Connection-Configuration)
-    1.1[Unused Virtual Private Gateways](Unused-Virtual-Private-Gateways)
-    1.1[Create Web-Tier ELB Subnets](Create-Web-Tier-ELB-Subnets)
-    1.1[Create Web-Tier VPC Subnets](Create-Web-Tier-VPC-Subnets)
-1. [WAF](WAF)
-    1.1[AWS Web Application Firewall In Use](AWS-Web-Application-Firewall-In-Use)
+1. [ACM](ACM)  
+    1.1[Expired ACM Certificates](Expired-ACM-Certificates)  
+    1.1[ACM Certificates Renewal](ACM-Certificates-Renewal)  
+    1.1[ACM Certificates Validity](ACM-Certificates-Validity)  
+1. [API Gateway](API-Gateway)  
+    1.1[Enable CloudWatch Logs for APIs](Enable-CloudWatch-Logs-for-APIs)  
+    1.1[Enable Detailed CloudWatch Metrics for APIs](Enable-Detailed-CloudWatch-Metrics-for-APIs)  
+    1.1[API Gateway Private Endpoints](API-Gateway-Private-Endpoints)  
+1. [AutoScaling](AutoScaling)  
+    1.1[ASG Cooldown Period](ASG-Cooldown-Period)  
+    1.1[Enable ASG Notifications](Enable-ASG-Notifications)  
+    1.1[App-Tier ASGs with Associated ELB](App-Tier-ASGs-with-Associated-ELB)  
+    1.1[CloudWatch Logs Agent for App-Tier ASG In Use](CloudWatch-Logs-Agent-for-App-Tier-ASG-In-Use)  
+    1.1[IAM Roles for App-Tier ASG Launch Configurations](IAM-Roles-for-App-Tier-ASG-Launch-Configurations)  
+    1.1[Use Approved AMIs for App-Tier ASG Launch Configurations](Use-Approved-AMIs-for-App-Tier-ASG-Launch-Configurations)  
+    1.1[Auto Scaling Group Referencing Missing ELB](Auto-Scaling-Group-Referencing-Missing-ELB)  
+    1.1[Empty Auto Scaling Groups](Empty-Auto-Scaling-Groups)  
+    1.1[Launch Configuration Referencing Missing AMI](Launch-Configuration-Referencing-Missing-AMI)  
+    1.1[Launch Configuration Referencing Missing Security Group](Launch-Configuration-Referencing-Missing-Security-Group)  
+    1.1[Unused Launch Configuration Templates](Unused-Launch-Configuration-Templates)  
+    1.1[Multi-AZ Auto Scaling Groups](Multi-AZ-Auto-Scaling-Groups)  
+    1.1[Same ELB Availability Zones](Same-ELB-Availability-Zones)  
+    1.1[Suspended Auto Scaling Group Processes](Suspended-Auto-Scaling-Group-Processes)  
+    1.1[Web-Tier Auto Scaling Groups with Associated ELBs](Web-Tier-Auto-Scaling-Groups-with-Associated-ELBs)  
+    1.1[Use Approved AMIs for Web-Tier ASG Launch Configurations](Use-Approved-AMIs-for-Web-Tier-ASG-Launch-Configurations)  
+1. [CloudFront](CloudFront)  
+    1.1[CloudFront CDN In Use](CloudFront-CDN-In-Use)  
+    1.1[CloudFront WAF Integration](CloudFront-WAF-Integration)  
+    1.1[Enable Origin Access Identity for CloudFront Distributions with S3 Origin](Enable-Origin-Access-Identity-for-CloudFront-Distributions-with-S3-Origin)  
+    1.1[CloudFront Origin Insecure SSL Protocols](CloudFront-Origin-Insecure-SSL-Protocols)  
+    1.1[CloudFront Security Policy](CloudFront-Security-Policy)  
+    1.1[Unencrypted CloudFront Traffic](Unencrypted-CloudFront-Traffic)  
+    1.1[Use Cloudfront CDN](Use-Cloudfront-CDN)  
+1. [CloudTrail](CloudTrail)  
+    1.1[Enable access logging for CloudTrail buckets](Enable-access-logging-for-CloudTrail-buckets)  
+    1.1[Enable MFA Delete for CloudTrail bucket](Enable-MFA-Delete-for-CloudTrail-bucket)  
+    1.1[CloudTrail insecure buckets](CloudTrail-insecure-buckets)  
+    1.1[Monitor CloudTrail Configuration Changes](Monitor-CloudTrail-Configuration-Changes)  
+    1.1[Enable CloudTrail integration with CloudWatch](Enable-CloudTrail-integration-with-CloudWatch)  
+    1.1[Enable CloudTrail log file integrity validation](Enable-CloudTrail-log-file-integrity-validation)  
+    1.1[Enable CloudTrail log files encryption](Enable-CloudTrail-log-files-encryption)  
+    1.1[CloudTrail Log Files Delivery Failing](CloudTrail-Log-Files-Delivery-Failing)  
+1. [CloudWatch](CloudWatch)  
+    1.1[Enable AWS Billing Alerts](Enable-AWS-Billing-Alerts)  
+    1.1[Enable CloudWatch Billing Alarm](Enable-CloudWatch-Billing-Alarm)  
+    1.1[Exposed CloudWatch Event Bus](Exposed-CloudWatch-Event-Bus)  
+    1.1[CloudWatch Events In Use](CloudWatch-Events-In-Use)  
+    1.1[Alarm for Config Changes](Alarm-for-Config-Changes)  
+    1.1[Alarm for Organizations Changes](Alarm-for-Organizations-Changes)  
+    1.1[Alarm for multiple Sign-in Failures](Alarm-for-multiple-Sign-in-Failures)  
+    1.1[Monitor for AWS Console Sign-In Requests Without MFA](Monitor-for-AWS-Console-Sign-In-Requests-Without-MFA)  
+    1.1[Alarm for EC2 Instance Changes](Alarm-for-EC2-Instance-Changes)  
+    1.1[Alarm for EC2 Large Instance Changes](Alarm-for-EC2-Large-Instance-Changes)  
+    1.1[Alarm for Root Account Usage](Alarm-for-Root-Account-Usage)  
+    1.1[Alarm for S3 Bucket Changes](Alarm-for-S3-Bucket-Changes)  
+1. [Config](Config)  
+    1.1[Monitor AWS Config configuration changes](Monitor-AWS-Config-configuration-changes)  
+    1.1[Enable AWS Config](Enable-AWS-Config)  
+    1.1[AWS Config Referencing Missing S3 Bucket](AWS-Config-Referencing-Missing-S3-Bucket)  
+    1.1[AWS Config Referencing Missing SNS Topic](AWS-Config-Referencing-Missing-SNS-Topic)  
+    1.1[AWS Config Log Files Delivery Failing](AWS-Config-Log-Files-Delivery-Failing)  
+    1.1[Include Global Resources into AWS Config Settings](Include-Global-Resources-into-AWS-Config-Settings)  
+1. [DynamoDB](DynamoDB)  
+    1.1[Enable DynamoDB Auto Scaling](Enable-DynamoDB-Auto-Scaling)  
+    1.1[DynamoDB Backup and Restore](DynamoDB-Backup-and-Restore)  
+    1.1[Enable DynamoDB Continuous Backups](Enable-DynamoDB-Continuous-Backups)  
+    1.1[DynamoDB Server-Side Encryption](DynamoDB-Server-Side-Encryption)  
+1. [EBS](EBS)  
+    1.1[Enable EBS Encryption](Enable-EBS-Encryption)  
+    1.1[Use KMS Customer Master Keys for EBS encryption](Use-KMS-Customer-Master-Keys-for-EBS-encryption)  
+    1.1[EBS Volume Naming Conventions](EBS-Volume-Naming-Conventions)  
+    1.1[EBS Public Snapshots](EBS-Public-Snapshots)  
+    1.1[EBS volumes recent snapshots](EBS-volumes-recent-snapshots)  
+    1.1[Remove EBS old snapshots](Remove-EBS-old-snapshots)  
+    1.1[Remove Unattached EC2 EBS volumes](Remove-Unattached-EC2-EBS-volumes)  
+    1.1[Enable EBS Snapshot Encryption](Enable-EBS-Snapshot-Encryption)  
+    1.1[EBS Volumes Attached to Stopped EC2 Instances](EBS-Volumes-Attached-to-Stopped-EC2-Instances)  
+    1.1[Approved/Golden AMI](Approved/Golden-AMI)  
+    1.1[AWS Blacklisted AMI](AWS-Blacklisted-AMI)  
+    1.1[Enable AMI Encryption](Enable-AMI-Encryption)  
+    1.1[AMI Naming Conventions](AMI-Naming-Conventions)  
+    1.1[Check for AMI Age](Check-for-AMI-Age)  
+    1.1[Unused AMI](Unused-AMI)  
+    1.1[Unassociated Elastic IP Addresses](Unassociated-Elastic-IP-Addresses)  
+    1.1[Publicly Shared App-Tier AMIs](Publicly-Shared-App-Tier-AMIs)  
+    1.1[App-Tier EC2 Instances Without Elastic or Public IP Addresses](App-Tier-EC2-Instances-Without-Elastic-or-Public-IP-Addresses)  
+    1.1[Check app-tier ELB subnet connectivity to Internet Gateway](Check-app-tier-ELB-subnet-connectivity-to-Internet-Gateway)  
+    1.1[IAM Roles for App-Tier EC2 Instances](IAM-Roles-for-App-Tier-EC2-Instances)  
+    1.1[Create and Configure App-Tier Security Group](Create-and-Configure-App-Tier-Security-Group)  
+    1.1[EC2 Instances Distribution Across Availability Zones](EC2-Instances-Distribution-Across-Availability-Zones)  
+    1.1[EC2-Classic Elastic IP Address Limit](EC2-Classic-Elastic-IP-Address-Limit)  
+    1.1[Data-Tier Instances Without Elastic or Public IP Addresses](Data-Tier-Instances-Without-Elastic-or-Public-IP-Addresses)  
+    1.1[Create and Configure Data-Tier Security Group](Create-and-Configure-Data-Tier-Security-Group)  
+    1.1[Restrict data-tier subnet connectivity to VPC NAT Gateway](Restrict-data-tier-subnet-connectivity-to-VPC-NAT-Gateway)  
+    1.1[Unrestricted Default Security Groups](Unrestricted-Default-Security-Groups)  
+    1.1[Default EC2 Security Groups In Use](Default-EC2-Security-Groups-In-Use)  
+    1.1[Detailed Monitoring for EC2 Instances](Detailed-Monitoring-for-EC2-Instances)  
+    1.1[EC2 Desired Instance Type](EC2-Desired-Instance-Type)  
+    1.1[Review EC2 Dedicated Instances](Review-EC2-Dedicated-Instances)  
+    1.1[EC2 Instance Not In Public Subnet](EC2-Instance-Not-In-Public-Subnet)  
+    1.1[Unused EC2 Reserved Instances](Unused-EC2-Reserved-Instances)  
+    1.1[Total Number of EC2 Instances](Total-Number-of-EC2-Instances)  
+    1.1[EC2 Instance Type Generation](EC2-Instance-Type-Generation)  
+    1.1[Instance In Auto Scaling Group](Instance-In-Auto-Scaling-Group)  
+    1.1[EC2 Platform](EC2-Platform)  
+    1.1[EC2 Instance Limit](EC2-Instance-Limit)  
+    1.1[EC2 Instance Naming Conventions](EC2-Instance-Naming-Conventions)  
+    1.1[EC2 Instances with Scheduled Events](EC2-Instances-with-Scheduled-Events)  
+    1.1[EC2 Instance Security Group Rules Count](EC2-Instance-Security-Group-Rules-Count)  
+    1.1[EC2 Instance Tenancy Type](EC2-Instance-Tenancy-Type)  
+    1.1[EC2 Instance Termination Protection](EC2-Instance-Termination-Protection)  
+    1.1[EC2 Instance Age](EC2-Instance-Age)  
+    1.1[EC2 Instance IAM Roles](EC2-Instance-IAM-Roles)  
+    1.1[Overutilized EC2 Instances](Overutilized-EC2-Instances)  
+    1.1[Publicly Shared AMIs](Publicly-Shared-AMIs)  
+    1.1[EC2 Reserved Instance Lease Expiration](EC2-Reserved-Instance-Lease-Expiration)  
+    1.1[EC2 Security Groups Count](EC2-Security-Groups-Count)  
+    1.1[EC2 Security Group Port Range](EC2-Security-Group-Port-Range)  
+    1.1[Underutilized EC2 Instances](Underutilized-EC2-Instances)  
+    1.1[EC2 Security Group Unrestricted Access](EC2-Security-Group-Unrestricted-Access)  
+    1.1[Unrestricted CIFS Access](Unrestricted-CIFS-Access)  
+    1.1[Unrestricted DNS Access](Unrestricted-DNS-Access)  
+    1.1[Unrestricted ElasticSearch Access](Unrestricted-ElasticSearch-Access)  
+    1.1[Unrestricted FTP Access](Unrestricted-FTP-Access)  
+    1.1[Unrestricted HTTP Access](Unrestricted-HTTP-Access)  
+    1.1[Unrestricted HTTPS Access](Unrestricted-HTTPS-Access)  
+    1.1[Unrestricted ICMP Access](Unrestricted-ICMP-Access)  
+    1.1[Unrestricted Inbound Access on Uncommon Ports](Unrestricted-Inbound-Access-on-Uncommon-Ports)  
+    1.1[Unrestricted MongoDB Access](Unrestricted-MongoDB-Access)  
+    1.1[Unrestricted MSSQL Database Access](Unrestricted-MSSQL-Database-Access)  
+    1.1[Unrestricted MySQL Database Access](Unrestricted-MySQL-Database-Access)  
+    1.1[Unrestricted NetBIOS Access](Unrestricted-NetBIOS-Access)  
+    1.1[Unrestricted Oracle Database Access](Unrestricted-Oracle-Database-Access)  
+    1.1[Unrestricted Outbound Access on All Ports](Unrestricted-Outbound-Access-on-All-Ports)  
+    1.1[Unrestricted PostgreSQL Database Access](Unrestricted-PostgreSQL-Database-Access)  
+    1.1[Unrestricted RDP Access](Unrestricted-RDP-Access)  
+    1.1[Unrestricted RPC Access](Unrestricted-RPC-Access)  
+    1.1[Unrestricted SMTP Access](Unrestricted-SMTP-Access)  
+    1.1[Unrestricted SSH Access](Unrestricted-SSH-Access)  
+    1.1[Unrestricted Telnet Access](Unrestricted-Telnet-Access)  
+    1.1[Unused Elastic Network Interfaces](Unused-Elastic-Network-Interfaces)  
+    1.1[Unused EC2 Key Pairs](Unused-EC2-Key-Pairs)  
+    1.1[EC2-VPC Elastic IP Address Limit](EC2-VPC-Elastic-IP-Address-Limit)  
+    1.1[Publicly Shared Web-Tier AMIs](Publicly-Shared-Web-Tier-AMIs)  
+    1.1[Web-Tier EC2 Instances Without Elastic or Public IP Addresses](Web-Tier-EC2-Instances-Without-Elastic-or-Public-IP-Addresses)  
+    1.1[Check web-tier ELB subnet connectivity to Internet Gateway](Check-web-tier-ELB-subnet-connectivity-to-Internet-Gateway)  
+    1.1[Attach Policy to IAM Roles Associated with Web-Tier EC2 Instances](Attach-Policy-to-IAM-Roles-Associated-with-Web-Tier-EC2-Instances)  
+    1.1[IAM Roles for Web-Tier EC2 Instances](IAM-Roles-for-Web-Tier-EC2-Instances)  
+    1.1[Create and Configure Web-Tier Security Group](Create-and-Configure-Web-Tier-Security-Group)  
+    1.1[Check web-tier subnet connectivity to VPC NAT Gateway](Check-web-tier-subnet-connectivity-to-VPC-NAT-Gateway)  
+1. [ECR](ECR)  
+    1.1[ECR Unknown Cross Account Access](ECR-Unknown-Cross-Account-Access)  
+    1.1[Check for Exposed ECR Repositories](Check-for-Exposed-ECR-Repositories)  
+1. [EFS](EFS)  
+    1.1[KMS Customer Master Keys for EFS Encryption](KMS-Customer-Master-Keys-for-EFS-Encryption)  
+    1.1[Enable EFS Encryption](Enable-EFS-Encryption)  
+1. [ElasticSearch](ElasticSearch)  
+    1.1[ElasticSearch Cluster Status](ElasticSearch-Cluster-Status)  
+    1.1[ElasticSearch Instance Type](ElasticSearch-Instance-Type)  
+    1.1[ElasticSearch Domain Encrypted with KMS CMKs](ElasticSearch-Domain-Encrypted-with-KMS-CMKs)  
+    1.1[ElasticSearch Unknown Cross Account Access](ElasticSearch-Unknown-Cross-Account-Access)  
+    1.1[ElasticSearch Exposed Domains](ElasticSearch-Exposed-Domains)  
+    1.1[ElasticSearch Domain IP-Based Access](ElasticSearch-Domain-IP-Based-Access)  
+    1.1[ElasticSearch General Purpose SSD Node Type](ElasticSearch-General-Purpose-SSD-Node-Type)  
+    1.1[ElasticSearch Version](ElasticSearch-Version)  
+    1.1[Enable ElasticSearch Zone Awareness](Enable-ElasticSearch-Zone-Awareness)  
+    1.1[Enable ElasticSearch Encryption At Rest](Enable-ElasticSearch-Encryption-At-Rest)  
+    1.1[ElasticSearch Free Storage Space](ElasticSearch-Free-Storage-Space)  
+    1.1[Total Number of ElasticSearch Instances](Total-Number-of-ElasticSearch-Instances)  
+    1.1[Enable ElasticSearch Node-to-Node Encryption](Enable-ElasticSearch-Node-to-Node-Encryption)  
+    1.1[Enable ElasticSearch Slow Logs](Enable-ElasticSearch-Slow-Logs)  
+1. [ELB](ELB)  
+    1.1[Enable HTTPS/SSL Listener for App-Tier ELBs](Enable-HTTPS/SSL-Listener-for-App-Tier-ELBs)  
+    1.1[Enable Latest SSL Security Policy for App-Tier ELBs](Enable-Latest-SSL-Security-Policy-for-App-Tier-ELBs)  
+    1.1[Add SSL/TLS Server Certificates to App-Tier ELBs](Add-SSL/TLS-Server-Certificates-to-App-Tier-ELBs)  
+    1.1[App-Tier ELBs Health Check](App-Tier-ELBs-Health-Check)  
+    1.1[Enable ELB Access Logging](Enable-ELB-Access-Logging)  
+    1.1[AWS Classic Load Balancer](AWS-Classic-Load-Balancer)  
+    1.1[Connection Draining Enabled](Connection-Draining-Enabled)  
+    1.1[Enable ELB Cross-Zone Load Balancing](Enable-ELB-Cross-Zone-Load-Balancing)  
+    1.1[ELB insecure SSL ciphers](ELB-insecure-SSL-ciphers)  
+    1.1[ELB insecure SSL protocols](ELB-insecure-SSL-protocols)  
+    1.1[ELB Listener Security](ELB-Listener-Security)  
+    1.1[ELB minimum number of EC2 instances](ELB-minimum-number-of-EC2-instances)  
+    1.1[ELB Security Group](ELB-Security-Group)  
+    1.1[ELB Security Policy](ELB-Security-Policy)  
+    1.1[Remove unused ELBs](Remove-unused-ELBs)  
+    1.1[ELB Instances Distribution Across Availability Zones](ELB-Instances-Distribution-Across-Availability-Zones)  
+    1.1[Review AWS Internet Facing Load Balancers](Review-AWS-Internet-Facing-Load-Balancers)  
+    1.1[Enable HTTPS/SSL Listener for Web-Tier ELBs](Enable-HTTPS/SSL-Listener-for-Web-Tier-ELBs)  
+    1.1[Enable Latest SSL Security Policy for Web-Tier ELBs](Enable-Latest-SSL-Security-Policy-for-Web-Tier-ELBs)  
+    1.1[Add SSL/TLS Server Certificates to Web-Tier ELBs](Add-SSL/TLS-Server-Certificates-to-Web-Tier-ELBs)  
+    1.1[Web-Tier ELBs Health Check](Web-Tier-ELBs-Health-Check)  
+    1.1[Enable ALB (ELBv2)-Access-Logging](Enable-ALB-(ELBv2)-Access-Logging)  
+    1.1[Enable Elastic Load Balancing Deletion Protection](Enable-Elastic-Load-Balancing-Deletion-Protection)  
+    1.1[ELBv2 Instances Distribution Across Availability Zones](ELBv2-Instances-Distribution-Across-Availability-Zones)  
+    1.1[ALB (ELBv2)-Listener-Security](ALB-(ELBv2)-Listener-Security)  
+    1.1[Minimum Number of EC2 Target Instances](Minimum-Number-of-EC2-Target-Instances)  
+    1.1[ELBv2 Security Groups](ELBv2-Security-Groups)  
+    1.1[ALB (ELBv2)-Security-Policy](ALB-(ELBv2)-Security-Policy)  
+    1.1[Unused ELBs (ELBv2)](Unused-ELBs-(ELBv2))  
+1. [EMR](EMR)  
+    1.1[EMR Cluster In VPC](EMR-Cluster-In-VPC)  
+    1.1[EMR Desired Instance Type](EMR-Desired-Instance-Type)  
+    1.1[EMR Instance Type Generation](EMR-Instance-Type-Generation)  
+    1.1[Enable EMR In-Transit and At-Rest Encryption](Enable-EMR-In-Transit-and-At-Rest-Encryption)  
+    1.1[Total Number of EMR Instances](Total-Number-of-EMR-Instances)  
+1. [GuardDuty](GuardDuty)  
+    1.1[GuardDuty Findings](GuardDuty-Findings)  
+    1.1[Monitor GuardDuty Configuration Changes](Monitor-GuardDuty-Configuration-Changes)  
+    1.1[GuardDuty In Use](GuardDuty-In-Use)  
+1. [Health](Health)  
+    1.1[AWS Health](AWS-Health)  
+1. [IAM](IAM)  
+    1.1[Unused IAM Access Keys](Unused-IAM-Access-Keys)  
+    1.1[IAM Access Keys Rotation](IAM-Access-Keys-Rotation)  
+    1.1[Unnecessary IAM Access Keys](Unnecessary-IAM-Access-Keys)  
+    1.1[Enable Security Challenge Questions for your Account](Enable-Security-Challenge-Questions-for-your-Account)  
+    1.1[Attach Policy to IAM Roles Associated with App-Tier EC2 Instances](Attach-Policy-to-IAM-Roles-Associated-with-App-Tier-EC2-Instances)  
+    1.1[SSL/TLS Certificate Renewal](SSL/TLS-Certificate-Renewal)  
+    1.1[Server Certificate Signature Algorithm](Server-Certificate-Signature-Algorithm)  
+    1.1[IAM Server Certificate Size](IAM-Server-Certificate-Size)  
+    1.1[Deprecated AWS Managed Policies In Use](Deprecated-AWS-Managed-Policies-In-Use)  
+    1.1[IAM Users Unauthorized to Edit Access Policies](IAM-Users-Unauthorized-to-Edit-Access-Policies)  
+    1.1[IAM Users with Admin Privileges](IAM-Users-with-Admin-Privileges)  
+    1.1[Detect IAM Configuration Changes](Detect-IAM-Configuration-Changes)  
+    1.1[IAM Group with Administrator Privileges In Use](IAM-Group-with-Administrator-Privileges-In-Use)  
+    1.1[Unused IAM Groups](Unused-IAM-Groups)  
+    1.1[Remove IAM Policies with Full Administrative Privileges](Remove-IAM-Policies-with-Full-Administrative-Privileges)  
+    1.1[IAM Customer Managed Policy with Administrative Permissions In Use](IAM-Customer-Managed-Policy-with-Administrative-Permissions-In-Use)  
+    1.1[IAM Role Policy Too Permissive](IAM-Role-Policy-Too-Permissive)  
+    1.1[IAM User Present](IAM-User-Present)  
+    1.1[Inactive IAM Users](Inactive-IAM-Users)  
+    1.1[Unused IAM Users](Unused-IAM-Users)  
+    1.1[IAM Users with Password and Access Keys](IAM-Users-with-Password-and-Access-Keys)  
+    1.1[Valid IAM Identity Providers](Valid-IAM-Identity-Providers)  
+    1.1[MFA Device Deactivated for IAM Users](MFA-Device-Deactivated-for-IAM-Users)  
+    1.1[Enable MFA for IAM Users](Enable-MFA-for-IAM-Users)  
+    1.1[IAM Master and IAM Manager Roles](IAM-Master-and-IAM-Manager-Roles)  
+    1.1[IAM Password Expiry](IAM-Password-Expiry)  
+    1.1[IAM Password Policy](IAM-Password-Policy)  
+    1.1[Root Account Access Keys](Root-Account-Access-Keys)  
+    1.1[Root Account Credentials Usage](Root-Account-Credentials-Usage)  
+    1.1[Root Account Active Signing Certificates](Root-Account-Active-Signing-Certificates)  
+    1.1[Enable Hardware MFA for Root Account](Enable-Hardware-MFA-for-Root-Account)  
+    1.1[Enable MFA for Root Account](Enable-MFA-for-Root-Account)  
+    1.1[IAM SSH Public Keys Rotation (90-Days)](IAM-SSH-Public-Keys-Rotation-(90-Days))  
+    1.1[Unnecessary IAM SSH Public Keys](Unnecessary-IAM-SSH-Public-Keys)  
+    1.1[IAM Support Role](IAM-Support-Role)  
+1. [Inspector](Inspector)  
+    1.1[AWS Inspector Findings](AWS-Inspector-Findings)  
+1. [KMS](KMS)  
+    1.1[App-Tier Customer Master Key In Use](App-Tier-Customer-Master-Key-In-Use)  
+    1.1[KMS Customer Master Key In Use](KMS-Customer-Master-Key-In-Use)  
+    1.1[Database Tier Customer Master Key In Use](Database-Tier-Customer-Master-Key-In-Use)  
+    1.1[Default KMS Key Usage](Default-KMS-Key-Usage)  
+    1.1[Disabled KMS keys](Disabled-KMS-keys)  
+    1.1[Monitor KMS Configuration Changes](Monitor-KMS-Configuration-Changes)  
+    1.1[KMS Unknown Cross Account Access](KMS-Unknown-Cross-Account-Access)  
+    1.1[KMS Exposed Keys](KMS-Exposed-Keys)  
+    1.1[Recover KMS Customer Master Keys](Recover-KMS-Customer-Master-Keys)  
+    1.1[Enable KMS Key Rotation](Enable-KMS-Key-Rotation)  
+    1.1[Remove unused KMS keys](Remove-unused-KMS-keys)  
+    1.1[Web-Tier Customer Master Key In Use](Web-Tier-Customer-Master-Key-In-Use)  
+1. [Lambda](Lambda)  
+    1.1[Exposed Lambda Functions](Exposed-Lambda-Functions)  
+    1.1[Lambda Functions with Admin Privileges](Lambda-Functions-with-Admin-Privileges)  
+    1.1[Lambda Unknown Cross Account Access](Lambda-Unknown-Cross-Account-Access)  
+    1.1[Lambda Runtime Environment Version](Lambda-Runtime-Environment-Version)  
+    1.1[An IAM role for a Lambda Function](An-IAM-role-for-a-Lambda-Function)  
+1. [Organizations](Organizations)  
+    1.1[Monitor AWS Org. Configuration Changes](Monitor-AWS-Org.-Configuration-Changes)  
+    1.1[Enable All Features](Enable-All-Features)  
+    1.1[AWS Organizations In Use](AWS-Organizations-In-Use)  
+1. [RDS](RDS)  
+    1.1[Aurora Database Instance Accessibility](Aurora-Database-Instance-Accessibility)  
+    1.1[RDS Auto Minor Version Upgrade](RDS-Auto-Minor-Version-Upgrade)  
+    1.1[Enable RDS Automated Backups](Enable-RDS-Automated-Backups)  
+    1.1[Enable RDS Deletion Protection](Enable-RDS-Deletion-Protection)  
+    1.1[Enable RDS Encryption](Enable-RDS-Encryption)  
+    1.1[RDS Free Storage Space](RDS-Free-Storage-Space)  
+    1.1[Enable IAM Database Authentication](Enable-IAM-Database-Authentication)  
+    1.1[Total Number of Provisioned RDS Instances](Total-Number-of-Provisioned-RDS-Instances)  
+    1.1[RDS Multi-AZ](RDS-Multi-AZ)  
+    1.1[Overutilized RDS Instances](Overutilized-RDS-Instances)  
+    1.1[Publicly Accessible RDS Instances](Publicly-Accessible-RDS-Instances)  
+    1.1[Use Data-Tier Security Group for RDS Databases](Use-Data-Tier-Security-Group-for-RDS-Databases)  
+    1.1[RDS Database Default Port](RDS-Database-Default-Port)  
+    1.1[Use KMS Customer Master Keys for RDS encryption](Use-KMS-Customer-Master-Keys-for-RDS-encryption)  
+    1.1[RDS General Purpose SSD Storage Type](RDS-General-Purpose-SSD-Storage-Type)  
+    1.1[RDS Instance Not In Public Subnet](RDS-Instance-Not-In-Public-Subnet)  
+    1.1[RDS Database Master Username](RDS-Database-Master-Username)  
+    1.1[RDS Public Snapshots](RDS-Public-Snapshots)  
+    1.1[RDS Sufficient Backup Retention Period](RDS-Sufficient-Backup-Retention-Period)  
+    1.1[Enable RDS Transport Encryption](Enable-RDS-Transport-Encryption)  
+    1.1[Underutilized RDS Instances](Underutilized-RDS-Instances)  
+    1.1[Unrestricted RDS DB Security Group](Unrestricted-RDS-DB-Security-Group)  
+    1.1[Enable Route 53 Domain Auto Renew](Enable-Route-53-Domain-Auto-Renew)  
+    1.1[Create DNS Alias Record for Root Domain](Create-DNS-Alias-Record-for-Root-Domain)  
+    1.1[Remove Route 53 Dangling DNS Records](Remove-Route-53-Dangling-DNS-Records)  
+    1.1[Expired Route 53 Domain Names](Expired-Route-53-Domain-Names)  
+    1.1[Route 53 Domain Name Renewal](Route-53-Domain-Name-Renewal)  
+    1.1[Enable Privacy Protection for Route 53 Domains](Enable-Privacy-Protection-for-Route-53-Domains)  
+    1.1[Root Domain Alias Records that Point to ELB](Root-Domain-Alias-Records-that-Point-to-ELB)  
+    1.1[Monitor Route 53 Configuration Changes](Monitor-Route-53-Configuration-Changes)  
+    1.1[Route 53 DNS In Use](Route-53-DNS-In-Use)  
+    1.1[Route 53 SPF DNS Records](Route-53-SPF-DNS-Records)  
+    1.1[Enable Route 53 Domain Transfer Lock](Enable-Route-53-Domain-Transfer-Lock)  
+    1.1[Monitor Route 53 Domains Configuration Changes](Monitor-Route-53-Domains-Configuration-Changes)  
+1. [ResourceGroup](ResourceGroup)  
+    1.1[Use tags to organize AWS resources](Use-tags-to-organize-AWS-resources)  
+    1.1[S3 Bucket Authenticated ‘FULL_CONTROL’ Access](S3-Bucket-Authenticated-‘FULL_CONTROL’-Access)  
+    1.1[S3 Bucket Authenticated ‘READ’ Access](S3-Bucket-Authenticated-‘READ’-Access)  
+    1.1[S3 Bucket Authenticated ‘READ_ACP’ Access](S3-Bucket-Authenticated-‘READ_ACP’-Access)  
+    1.1[S3 Bucket Authenticated ‘WRITE’ Access](S3-Bucket-Authenticated-‘WRITE’-Access)  
+    1.1[S3 Bucket Authenticated ‘WRITE_ACP’ Access](S3-Bucket-Authenticated-‘WRITE_ACP’-Access)  
+    1.1[Enable S3 Bucket Default Encryption](Enable-S3-Bucket-Default-Encryption)  
+    1.1[Enable Access Logging for S3 Buckets](Enable-Access-Logging-for-S3-Buckets)  
+    1.1[Enable MFA Delete for S3 Buckets](Enable-MFA-Delete-for-S3-Buckets)  
+    1.1[S3 Bucket Public Access Via Policy](S3-Bucket-Public-Access-Via-Policy)  
+    1.1[Publicly Accessible S3 Buckets](Publicly-Accessible-S3-Buckets)  
+    1.1[S3 Bucket Public ‘READ’ Access](S3-Bucket-Public-‘READ’-Access)  
+    1.1[S3 Bucket Public ‘READ_ACP’ Access](S3-Bucket-Public-‘READ_ACP’-Access)  
+    1.1[S3 Bucket Public ‘WRITE’ Access](S3-Bucket-Public-‘WRITE’-Access)  
+    1.1[S3 Bucket Public ‘WRITE_ACP’ Access](S3-Bucket-Public-‘WRITE_ACP’-Access)  
+    1.1[Enable Versioning for S3 Buckets](Enable-Versioning-for-S3-Buckets)  
+    1.1[Review S3 Buckets with Website Configuration Enabled](Review-S3-Buckets-with-Website-Configuration-Enabled)  
+    1.1[Detect S3 Configuration Changes](Detect-S3-Configuration-Changes)  
+    1.1[S3 Unknown Cross Account Access](S3-Unknown-Cross-Account-Access)  
+    1.1[Secure Transport](Secure-Transport)  
+    1.1[Server-Side Encryption](Server-Side-Encryption)  
+    1.1[Limit S3 Bucket Access by IP Address](Limit-S3-Bucket-Access-by-IP-Address)  
+1. [SES](SES)  
+    1.1[Enable DKIM for SES](Enable-DKIM-for-SES)  
+    1.1[Unknown Cross-Account Access](Unknown-Cross-Account-Access)  
+    1.1[Exposed SES Identities](Exposed-SES-Identities)  
+    1.1[SES Identity Verification Status](SES-Identity-Verification-Status)  
+1. [Shield](Shield)  
+    1.1[AWS Shield In Use](AWS-Shield-In-Use)  
+1. [TrustedAdvisor](TrustedAdvisor)  
+    1.1[Trusted Advisor Checks](Trusted-Advisor-Checks)  
+    1.1[Exposed IAM Access Keys](Exposed-IAM-Access-Keys)  
+1. [VPC](VPC)  
+    1.1[Allocate Elastic IPs for NAT Gateways](Allocate-Elastic-IPs-for-NAT-Gateways)  
+    1.1[Create App-Tier VPC Subnets](Create-App-Tier-VPC-Subnets)  
+    1.1[Create Data-Tier VPC Subnets](Create-Data-Tier-VPC-Subnets)  
+    1.1[Default VPC In Use](Default-VPC-In-Use)  
+    1.1[Unused VPC Internet Gateways](Unused-VPC-Internet-Gateways)  
+    1.1[Use Managed NAT Gateway for VPC](Use-Managed-NAT-Gateway-for-VPC)  
+    1.1[Create NAT Gateways in at Least Two Availability Zones](Create-NAT-Gateways-in-at-Least-Two-Availability-Zones)  
+    1.1[Ineffective Network ACL DENY Rules](Ineffective-Network-ACL-DENY-Rules)  
+    1.1[Unrestricted Network ACL Inbound Traffic](Unrestricted-Network-ACL-Inbound-Traffic)  
+    1.1[Unrestricted Network ACL Outbound Traffic](Unrestricted-Network-ACL-Outbound-Traffic)  
+    1.1[Create Route Table for Private Subnets](Create-Route-Table-for-Private-Subnets)  
+    1.1[Create Route Table for Public Subnets](Create-Route-Table-for-Public-Subnets)  
+    1.1[Enable Flow Logs for VPC Subnets](Enable-Flow-Logs-for-VPC-Subnets)  
+    1.1[VPC Endpoint Unknown Cross Account Access](VPC-Endpoint-Unknown-Cross-Account-Access)  
+    1.1[VPC Exposed Endpoints](VPC-Exposed-Endpoints)  
+    1.1[VPC Endpoints In Use](VPC-Endpoints-In-Use)  
+    1.1[Enable VPC Flow Logs](Enable-VPC-Flow-Logs)  
+    1.1[VPC Naming Conventions](VPC-Naming-Conventions)  
+    1.1[VPC Peering Connection Configuration](VPC-Peering-Connection-Configuration)  
+    1.1[Unused Virtual Private Gateways](Unused-Virtual-Private-Gateways)  
+    1.1[Create Web-Tier ELB Subnets](Create-Web-Tier-ELB-Subnets)  
+    1.1[Create Web-Tier VPC Subnets](Create-Web-Tier-VPC-Subnets)  
+1. [WAF](WAF)  
+    1.1[AWS Web Application Firewall In Use](AWS-Web-Application-Firewall-In-Use)  
 
 
 ---
@@ -513,13 +513,13 @@
 
 ### CloudFront Origin Insecure SSL Protocols
 **Risk**: Medium  
-**Description**: Ensure that Cloudfront CDN distributions aren’t using insecure SSL protocols (i.e. SSLv3) for HTTPS communication between CloudFront edge locations and your custom origins. We recommend using TLSv1.0 or later (ideally   use only TLSv1.2 if your origins support it) and avoid using the SSLv3 protocol.
+**Description**: Ensure that Cloudfront CDN distributions aren’t using insecure SSL protocols (i.e. SSLv3) for HTTPS communication between CloudFront edge locations and your custom origins. We recommend using TLSv1.0 or later (ideally     use only TLSv1.2 if your origins support it) and avoid using the SSLv3 protocol.  
 **Resolution**: To remove the deprecated SSLv3 protocol from your Cloudfront distributions origin.  
 
 ### CloudFront Security Policy
 **Risk**: Medium  
-**Description**: Ensure that CloudFront distributions use a security policy with minimum TLSv1.1 or TLSv1.2 and appropriate security ciphers for HTTPS viewer connections.   
-**Resolution**: Enable security policies that enforce TLS version 1.1 or 1.2 as the minimum protocol version  
+**Description**: Ensure that CloudFront distributions use a security policy with minimum TLSv1.1 or TLSv1.2 and appropriate security ciphers for HTTPS viewer connections.     
+**Resolution**: Enable security policies that enforce TLS version 1.1 or 1.2 as the minimum protocol version    
 
 ### Unencrypted CloudFront Traffic
 **Risk**: Medium  
@@ -1798,7 +1798,7 @@ ELBv2
 ### Enable RDS Transport Encryption
 **Risk**: High  
 **Description**: Ensure that Microsoft SQL Server instances provisioned with RDS have Transport Encryption feature enabled in order to meet security and compliance requirements.   
-**Resolution**: To enable the Transport Encryption feature for your Microsoft SQL Server database instances, you need to update the necessary RDS parameter group and change the rds.force_ssl parameter value to 1.  
+**Resolution**: To enable the Transport Encryption feature for your Microsoft SQL Server database instances, you need to update the necessary RDS parameter group and change the rds.force_ssl parameter value to 1.    
 
 ### Underutilized RDS Instances
 **Risk**: Recommendation  

diff --git a/aws_sercurity_test.md b/aws_sercurity_test.md
@@ -1,34 +1,372 @@
-
-# AWS - Services
-
-1. [ACM](#ACM)  
-1. [API Gateway](#API-Gateway)  
-1. [AutoScaling](#AutoScaling)  
-1. [CloudFront](#CloudFront)  
-1. [CloudTrail](#CloudTrail)  
-1. [CloudWatch](#CloudWatch)  
-1. [Config](#Config)  
-1. [DynamoDB](#DynamoDB)  
-1. [EBS](#EBS)  
-1. [ECR](#ECR)  
-1. [EFS](#EFS)  
-1. [ElasticSearch](#ElasticSearch)  
-1. [ELB](#ELB)  
-1. [EMR](#EMR)  
-1. [GuardDuty](#GuardDuty)  
-1. [Health](#Health)  
-1. [IAM](#IAM)  
-1. [Inspector](#Inspector)  
-1. [KMS](#KMS)  
-1. [Lambda](#Lambda)  
-1. [Organizations](#Organizations)  
-1. [RDS](#RDS)  
-1. [ResourceGroup](#ResourceGroup)  
-1. [SES](#SES)  
-1. [Shield](#Shield)  
-1. [TrustedAdvisor](#TrustedAdvisor)  
-1. [VPC](#VPC)  
-1. [WAF](#WAF)  
+# Table of Contents
+
+1. [ACM](ACM)
+    1.1[Expired ACM Certificates](Expired-ACM-Certificates)
+    1.1[ACM Certificates Renewal](ACM-Certificates-Renewal)
+    1.1[ACM Certificates Validity](ACM-Certificates-Validity)
+1. [API Gateway](API-Gateway)
+    1.1[Enable CloudWatch Logs for APIs](Enable-CloudWatch-Logs-for-APIs)
+    1.1[Enable Detailed CloudWatch Metrics for APIs](Enable-Detailed-CloudWatch-Metrics-for-APIs)
+    1.1[API Gateway Private Endpoints](API-Gateway-Private-Endpoints)
+1. [AutoScaling](AutoScaling)
+    1.1[ASG Cooldown Period](ASG-Cooldown-Period)
+    1.1[Enable ASG Notifications](Enable-ASG-Notifications)
+    1.1[App-Tier ASGs with Associated ELB](App-Tier-ASGs-with-Associated-ELB)
+    1.1[CloudWatch Logs Agent for App-Tier ASG In Use](CloudWatch-Logs-Agent-for-App-Tier-ASG-In-Use)
+    1.1[IAM Roles for App-Tier ASG Launch Configurations](IAM-Roles-for-App-Tier-ASG-Launch-Configurations)
+    1.1[Use Approved AMIs for App-Tier ASG Launch Configurations](Use-Approved-AMIs-for-App-Tier-ASG-Launch-Configurations)
+    1.1[Auto Scaling Group Referencing Missing ELB](Auto-Scaling-Group-Referencing-Missing-ELB)
+    1.1[Empty Auto Scaling Groups](Empty-Auto-Scaling-Groups)
+    1.1[Launch Configuration Referencing Missing AMI](Launch-Configuration-Referencing-Missing-AMI)
+    1.1[Launch Configuration Referencing Missing Security Group](Launch-Configuration-Referencing-Missing-Security-Group)
+    1.1[Unused Launch Configuration Templates](Unused-Launch-Configuration-Templates)
+    1.1[Multi-AZ Auto Scaling Groups](Multi-AZ-Auto-Scaling-Groups)
+    1.1[Same ELB Availability Zones](Same-ELB-Availability-Zones)
+    1.1[Suspended Auto Scaling Group Processes](Suspended-Auto-Scaling-Group-Processes)
+    1.1[Web-Tier Auto Scaling Groups with Associated ELBs](Web-Tier-Auto-Scaling-Groups-with-Associated-ELBs)
+    1.1[Use Approved AMIs for Web-Tier ASG Launch Configurations](Use-Approved-AMIs-for-Web-Tier-ASG-Launch-Configurations)
+1. [CloudFront](CloudFront)
+    1.1[CloudFront CDN In Use](CloudFront-CDN-In-Use)
+    1.1[CloudFront WAF Integration](CloudFront-WAF-Integration)
+    1.1[Enable Origin Access Identity for CloudFront Distributions with S3 Origin](Enable-Origin-Access-Identity-for-CloudFront-Distributions-with-S3-Origin)
+    1.1[CloudFront Origin Insecure SSL Protocols](CloudFront-Origin-Insecure-SSL-Protocols)
+    1.1[CloudFront Security Policy](CloudFront-Security-Policy)
+    1.1[Unencrypted CloudFront Traffic](Unencrypted-CloudFront-Traffic)
+    1.1[Use Cloudfront CDN](Use-Cloudfront-CDN)
+1. [CloudTrail](CloudTrail)
+    1.1[Enable access logging for CloudTrail buckets](Enable-access-logging-for-CloudTrail-buckets)
+    1.1[Enable MFA Delete for CloudTrail bucket](Enable-MFA-Delete-for-CloudTrail-bucket)
+    1.1[CloudTrail insecure buckets](CloudTrail-insecure-buckets)
+    1.1[Monitor CloudTrail Configuration Changes](Monitor-CloudTrail-Configuration-Changes)
+    1.1[Enable CloudTrail integration with CloudWatch](Enable-CloudTrail-integration-with-CloudWatch)
+    1.1[Enable CloudTrail log file integrity validation](Enable-CloudTrail-log-file-integrity-validation)
+    1.1[Enable CloudTrail log files encryption](Enable-CloudTrail-log-files-encryption)
+    1.1[CloudTrail Log Files Delivery Failing](CloudTrail-Log-Files-Delivery-Failing)
+1. [CloudWatch](CloudWatch)
+    1.1[Enable AWS Billing Alerts](Enable-AWS-Billing-Alerts)
+    1.1[Enable CloudWatch Billing Alarm](Enable-CloudWatch-Billing-Alarm)
+    1.1[Exposed CloudWatch Event Bus](Exposed-CloudWatch-Event-Bus)
+    1.1[CloudWatch Events In Use](CloudWatch-Events-In-Use)
+    1.1[Alarm for Config Changes](Alarm-for-Config-Changes)
+    1.1[Alarm for Organizations Changes](Alarm-for-Organizations-Changes)
+    1.1[Alarm for multiple Sign-in Failures](Alarm-for-multiple-Sign-in-Failures)
+    1.1[Monitor for AWS Console Sign-In Requests Without MFA](Monitor-for-AWS-Console-Sign-In-Requests-Without-MFA)
+    1.1[Alarm for EC2 Instance Changes](Alarm-for-EC2-Instance-Changes)
+    1.1[Alarm for EC2 Large Instance Changes](Alarm-for-EC2-Large-Instance-Changes)
+    1.1[Alarm for Root Account Usage](Alarm-for-Root-Account-Usage)
+    1.1[Alarm for S3 Bucket Changes](Alarm-for-S3-Bucket-Changes)
+1. [Config](Config)
+    1.1[Monitor AWS Config configuration changes](Monitor-AWS-Config-configuration-changes)
+    1.1[Enable AWS Config](Enable-AWS-Config)
+    1.1[AWS Config Referencing Missing S3 Bucket](AWS-Config-Referencing-Missing-S3-Bucket)
+    1.1[AWS Config Referencing Missing SNS Topic](AWS-Config-Referencing-Missing-SNS-Topic)
+    1.1[AWS Config Log Files Delivery Failing](AWS-Config-Log-Files-Delivery-Failing)
+    1.1[Include Global Resources into AWS Config Settings](Include-Global-Resources-into-AWS-Config-Settings)
+1. [DynamoDB](DynamoDB)
+    1.1[Enable DynamoDB Auto Scaling](Enable-DynamoDB-Auto-Scaling)
+    1.1[DynamoDB Backup and Restore](DynamoDB-Backup-and-Restore)
+    1.1[Enable DynamoDB Continuous Backups](Enable-DynamoDB-Continuous-Backups)
+    1.1[DynamoDB Server-Side Encryption](DynamoDB-Server-Side-Encryption)
+1. [EBS](EBS)
+    1.1[Enable EBS Encryption](Enable-EBS-Encryption)
+    1.1[Use KMS Customer Master Keys for EBS encryption](Use-KMS-Customer-Master-Keys-for-EBS-encryption)
+    1.1[EBS Volume Naming Conventions](EBS-Volume-Naming-Conventions)
+    1.1[EBS Public Snapshots](EBS-Public-Snapshots)
+    1.1[EBS volumes recent snapshots](EBS-volumes-recent-snapshots)
+    1.1[Remove EBS old snapshots](Remove-EBS-old-snapshots)
+    1.1[Remove Unattached EC2 EBS volumes](Remove-Unattached-EC2-EBS-volumes)
+    1.1[Enable EBS Snapshot Encryption](Enable-EBS-Snapshot-Encryption)
+    1.1[EBS Volumes Attached to Stopped EC2 Instances](EBS-Volumes-Attached-to-Stopped-EC2-Instances)
+    1.1[Approved/Golden AMI](Approved/Golden-AMI)
+    1.1[AWS Blacklisted AMI](AWS-Blacklisted-AMI)
+    1.1[Enable AMI Encryption](Enable-AMI-Encryption)
+    1.1[AMI Naming Conventions](AMI-Naming-Conventions)
+    1.1[Check for AMI Age](Check-for-AMI-Age)
+    1.1[Unused AMI](Unused-AMI)
+    1.1[Unassociated Elastic IP Addresses](Unassociated-Elastic-IP-Addresses)
+    1.1[Publicly Shared App-Tier AMIs](Publicly-Shared-App-Tier-AMIs)
+    1.1[App-Tier EC2 Instances Without Elastic or Public IP Addresses](App-Tier-EC2-Instances-Without-Elastic-or-Public-IP-Addresses)
+    1.1[Check app-tier ELB subnet connectivity to Internet Gateway](Check-app-tier-ELB-subnet-connectivity-to-Internet-Gateway)
+    1.1[IAM Roles for App-Tier EC2 Instances](IAM-Roles-for-App-Tier-EC2-Instances)
+    1.1[Create and Configure App-Tier Security Group](Create-and-Configure-App-Tier-Security-Group)
+    1.1[EC2 Instances Distribution Across Availability Zones](EC2-Instances-Distribution-Across-Availability-Zones)
+    1.1[EC2-Classic Elastic IP Address Limit](EC2-Classic-Elastic-IP-Address-Limit)
+    1.1[Data-Tier Instances Without Elastic or Public IP Addresses](Data-Tier-Instances-Without-Elastic-or-Public-IP-Addresses)
+    1.1[Create and Configure Data-Tier Security Group](Create-and-Configure-Data-Tier-Security-Group)
+    1.1[Restrict data-tier subnet connectivity to VPC NAT Gateway](Restrict-data-tier-subnet-connectivity-to-VPC-NAT-Gateway)
+    1.1[Unrestricted Default Security Groups](Unrestricted-Default-Security-Groups)
+    1.1[Default EC2 Security Groups In Use](Default-EC2-Security-Groups-In-Use)
+    1.1[Detailed Monitoring for EC2 Instances](Detailed-Monitoring-for-EC2-Instances)
+    1.1[EC2 Desired Instance Type](EC2-Desired-Instance-Type)
+    1.1[Review EC2 Dedicated Instances](Review-EC2-Dedicated-Instances)
+    1.1[EC2 Instance Not In Public Subnet](EC2-Instance-Not-In-Public-Subnet)
+    1.1[Unused EC2 Reserved Instances](Unused-EC2-Reserved-Instances)
+    1.1[Total Number of EC2 Instances](Total-Number-of-EC2-Instances)
+    1.1[EC2 Instance Type Generation](EC2-Instance-Type-Generation)
+    1.1[Instance In Auto Scaling Group](Instance-In-Auto-Scaling-Group)
+    1.1[EC2 Platform](EC2-Platform)
+    1.1[EC2 Instance Limit](EC2-Instance-Limit)
+    1.1[EC2 Instance Naming Conventions](EC2-Instance-Naming-Conventions)
+    1.1[EC2 Instances with Scheduled Events](EC2-Instances-with-Scheduled-Events)
+    1.1[EC2 Instance Security Group Rules Count](EC2-Instance-Security-Group-Rules-Count)
+    1.1[EC2 Instance Tenancy Type](EC2-Instance-Tenancy-Type)
+    1.1[EC2 Instance Termination Protection](EC2-Instance-Termination-Protection)
+    1.1[EC2 Instance Age](EC2-Instance-Age)
+    1.1[EC2 Instance IAM Roles](EC2-Instance-IAM-Roles)
+    1.1[Overutilized EC2 Instances](Overutilized-EC2-Instances)
+    1.1[Publicly Shared AMIs](Publicly-Shared-AMIs)
+    1.1[EC2 Reserved Instance Lease Expiration](EC2-Reserved-Instance-Lease-Expiration)
+    1.1[EC2 Security Groups Count](EC2-Security-Groups-Count)
+    1.1[EC2 Security Group Port Range](EC2-Security-Group-Port-Range)
+    1.1[Underutilized EC2 Instances](Underutilized-EC2-Instances)
+    1.1[EC2 Security Group Unrestricted Access](EC2-Security-Group-Unrestricted-Access)
+    1.1[Unrestricted CIFS Access](Unrestricted-CIFS-Access)
+    1.1[Unrestricted DNS Access](Unrestricted-DNS-Access)
+    1.1[Unrestricted ElasticSearch Access](Unrestricted-ElasticSearch-Access)
+    1.1[Unrestricted FTP Access](Unrestricted-FTP-Access)
+    1.1[Unrestricted HTTP Access](Unrestricted-HTTP-Access)
+    1.1[Unrestricted HTTPS Access](Unrestricted-HTTPS-Access)
+    1.1[Unrestricted ICMP Access](Unrestricted-ICMP-Access)
+    1.1[Unrestricted Inbound Access on Uncommon Ports](Unrestricted-Inbound-Access-on-Uncommon-Ports)
+    1.1[Unrestricted MongoDB Access](Unrestricted-MongoDB-Access)
+    1.1[Unrestricted MSSQL Database Access](Unrestricted-MSSQL-Database-Access)
+    1.1[Unrestricted MySQL Database Access](Unrestricted-MySQL-Database-Access)
+    1.1[Unrestricted NetBIOS Access](Unrestricted-NetBIOS-Access)
+    1.1[Unrestricted Oracle Database Access](Unrestricted-Oracle-Database-Access)
+    1.1[Unrestricted Outbound Access on All Ports](Unrestricted-Outbound-Access-on-All-Ports)
+    1.1[Unrestricted PostgreSQL Database Access](Unrestricted-PostgreSQL-Database-Access)
+    1.1[Unrestricted RDP Access](Unrestricted-RDP-Access)
+    1.1[Unrestricted RPC Access](Unrestricted-RPC-Access)
+    1.1[Unrestricted SMTP Access](Unrestricted-SMTP-Access)
+    1.1[Unrestricted SSH Access](Unrestricted-SSH-Access)
+    1.1[Unrestricted Telnet Access](Unrestricted-Telnet-Access)
+    1.1[Unused Elastic Network Interfaces](Unused-Elastic-Network-Interfaces)
+    1.1[Unused EC2 Key Pairs](Unused-EC2-Key-Pairs)
+    1.1[EC2-VPC Elastic IP Address Limit](EC2-VPC-Elastic-IP-Address-Limit)
+    1.1[Publicly Shared Web-Tier AMIs](Publicly-Shared-Web-Tier-AMIs)
+    1.1[Web-Tier EC2 Instances Without Elastic or Public IP Addresses](Web-Tier-EC2-Instances-Without-Elastic-or-Public-IP-Addresses)
+    1.1[Check web-tier ELB subnet connectivity to Internet Gateway](Check-web-tier-ELB-subnet-connectivity-to-Internet-Gateway)
+    1.1[Attach Policy to IAM Roles Associated with Web-Tier EC2 Instances](Attach-Policy-to-IAM-Roles-Associated-with-Web-Tier-EC2-Instances)
+    1.1[IAM Roles for Web-Tier EC2 Instances](IAM-Roles-for-Web-Tier-EC2-Instances)
+    1.1[Create and Configure Web-Tier Security Group](Create-and-Configure-Web-Tier-Security-Group)
+    1.1[Check web-tier subnet connectivity to VPC NAT Gateway](Check-web-tier-subnet-connectivity-to-VPC-NAT-Gateway)
+1. [ECR](ECR)
+    1.1[ECR Unknown Cross Account Access](ECR-Unknown-Cross-Account-Access)
+    1.1[Check for Exposed ECR Repositories](Check-for-Exposed-ECR-Repositories)
+1. [EFS](EFS)
+    1.1[KMS Customer Master Keys for EFS Encryption](KMS-Customer-Master-Keys-for-EFS-Encryption)
+    1.1[Enable EFS Encryption](Enable-EFS-Encryption)
+1. [ElasticSearch](ElasticSearch)
+    1.1[ElasticSearch Cluster Status](ElasticSearch-Cluster-Status)
+    1.1[ElasticSearch Instance Type](ElasticSearch-Instance-Type)
+    1.1[ElasticSearch Domain Encrypted with KMS CMKs](ElasticSearch-Domain-Encrypted-with-KMS-CMKs)
+    1.1[ElasticSearch Unknown Cross Account Access](ElasticSearch-Unknown-Cross-Account-Access)
+    1.1[ElasticSearch Exposed Domains](ElasticSearch-Exposed-Domains)
+    1.1[ElasticSearch Domain IP-Based Access](ElasticSearch-Domain-IP-Based-Access)
+    1.1[ElasticSearch General Purpose SSD Node Type](ElasticSearch-General-Purpose-SSD-Node-Type)
+    1.1[ElasticSearch Version](ElasticSearch-Version)
+    1.1[Enable ElasticSearch Zone Awareness](Enable-ElasticSearch-Zone-Awareness)
+    1.1[Enable ElasticSearch Encryption At Rest](Enable-ElasticSearch-Encryption-At-Rest)
+    1.1[ElasticSearch Free Storage Space](ElasticSearch-Free-Storage-Space)
+    1.1[Total Number of ElasticSearch Instances](Total-Number-of-ElasticSearch-Instances)
+    1.1[Enable ElasticSearch Node-to-Node Encryption](Enable-ElasticSearch-Node-to-Node-Encryption)
+    1.1[Enable ElasticSearch Slow Logs](Enable-ElasticSearch-Slow-Logs)
+1. [ELB](ELB)
+    1.1[Enable HTTPS/SSL Listener for App-Tier ELBs](Enable-HTTPS/SSL-Listener-for-App-Tier-ELBs)
+    1.1[Enable Latest SSL Security Policy for App-Tier ELBs](Enable-Latest-SSL-Security-Policy-for-App-Tier-ELBs)
+    1.1[Add SSL/TLS Server Certificates to App-Tier ELBs](Add-SSL/TLS-Server-Certificates-to-App-Tier-ELBs)
+    1.1[App-Tier ELBs Health Check](App-Tier-ELBs-Health-Check)
+    1.1[Enable ELB Access Logging](Enable-ELB-Access-Logging)
+    1.1[AWS Classic Load Balancer](AWS-Classic-Load-Balancer)
+    1.1[Connection Draining Enabled](Connection-Draining-Enabled)
+    1.1[Enable ELB Cross-Zone Load Balancing](Enable-ELB-Cross-Zone-Load-Balancing)
+    1.1[ELB insecure SSL ciphers](ELB-insecure-SSL-ciphers)
+    1.1[ELB insecure SSL protocols](ELB-insecure-SSL-protocols)
+    1.1[ELB Listener Security](ELB-Listener-Security)
+    1.1[ELB minimum number of EC2 instances](ELB-minimum-number-of-EC2-instances)
+    1.1[ELB Security Group](ELB-Security-Group)
+    1.1[ELB Security Policy](ELB-Security-Policy)
+    1.1[Remove unused ELBs](Remove-unused-ELBs)
+    1.1[ELB Instances Distribution Across Availability Zones](ELB-Instances-Distribution-Across-Availability-Zones)
+    1.1[Review AWS Internet Facing Load Balancers](Review-AWS-Internet-Facing-Load-Balancers)
+    1.1[Enable HTTPS/SSL Listener for Web-Tier ELBs](Enable-HTTPS/SSL-Listener-for-Web-Tier-ELBs)
+    1.1[Enable Latest SSL Security Policy for Web-Tier ELBs](Enable-Latest-SSL-Security-Policy-for-Web-Tier-ELBs)
+    1.1[Add SSL/TLS Server Certificates to Web-Tier ELBs](Add-SSL/TLS-Server-Certificates-to-Web-Tier-ELBs)
+    1.1[Web-Tier ELBs Health Check](Web-Tier-ELBs-Health-Check)
+    1.1[Enable ALB (ELBv2)-Access-Logging](Enable-ALB-(ELBv2)-Access-Logging)
+    1.1[Enable Elastic Load Balancing Deletion Protection](Enable-Elastic-Load-Balancing-Deletion-Protection)
+    1.1[ELBv2 Instances Distribution Across Availability Zones](ELBv2-Instances-Distribution-Across-Availability-Zones)
+    1.1[ALB (ELBv2)-Listener-Security](ALB-(ELBv2)-Listener-Security)
+    1.1[Minimum Number of EC2 Target Instances](Minimum-Number-of-EC2-Target-Instances)
+    1.1[ELBv2 Security Groups](ELBv2-Security-Groups)
+    1.1[ALB (ELBv2)-Security-Policy](ALB-(ELBv2)-Security-Policy)
+    1.1[Unused ELBs (ELBv2)](Unused-ELBs-(ELBv2))
+1. [EMR](EMR)
+    1.1[EMR Cluster In VPC](EMR-Cluster-In-VPC)
+    1.1[EMR Desired Instance Type](EMR-Desired-Instance-Type)
+    1.1[EMR Instance Type Generation](EMR-Instance-Type-Generation)
+    1.1[Enable EMR In-Transit and At-Rest Encryption](Enable-EMR-In-Transit-and-At-Rest-Encryption)
+    1.1[Total Number of EMR Instances](Total-Number-of-EMR-Instances)
+1. [GuardDuty](GuardDuty)
+    1.1[GuardDuty Findings](GuardDuty-Findings)
+    1.1[Monitor GuardDuty Configuration Changes](Monitor-GuardDuty-Configuration-Changes)
+    1.1[GuardDuty In Use](GuardDuty-In-Use)
+1. [Health](Health)
+    1.1[AWS Health](AWS-Health)
+1. [IAM](IAM)
+    1.1[Unused IAM Access Keys](Unused-IAM-Access-Keys)
+    1.1[IAM Access Keys Rotation](IAM-Access-Keys-Rotation)
+    1.1[Unnecessary IAM Access Keys](Unnecessary-IAM-Access-Keys)
+    1.1[Enable Security Challenge Questions for your Account](Enable-Security-Challenge-Questions-for-your-Account)
+    1.1[Attach Policy to IAM Roles Associated with App-Tier EC2 Instances](Attach-Policy-to-IAM-Roles-Associated-with-App-Tier-EC2-Instances)
+    1.1[SSL/TLS Certificate Renewal](SSL/TLS-Certificate-Renewal)
+    1.1[Server Certificate Signature Algorithm](Server-Certificate-Signature-Algorithm)
+    1.1[IAM Server Certificate Size](IAM-Server-Certificate-Size)
+    1.1[Deprecated AWS Managed Policies In Use](Deprecated-AWS-Managed-Policies-In-Use)
+    1.1[IAM Users Unauthorized to Edit Access Policies](IAM-Users-Unauthorized-to-Edit-Access-Policies)
+    1.1[IAM Users with Admin Privileges](IAM-Users-with-Admin-Privileges)
+    1.1[Detect IAM Configuration Changes](Detect-IAM-Configuration-Changes)
+    1.1[IAM Group with Administrator Privileges In Use](IAM-Group-with-Administrator-Privileges-In-Use)
+    1.1[Unused IAM Groups](Unused-IAM-Groups)
+    1.1[Remove IAM Policies with Full Administrative Privileges](Remove-IAM-Policies-with-Full-Administrative-Privileges)
+    1.1[IAM Customer Managed Policy with Administrative Permissions In Use](IAM-Customer-Managed-Policy-with-Administrative-Permissions-In-Use)
+    1.1[IAM Role Policy Too Permissive](IAM-Role-Policy-Too-Permissive)
+    1.1[IAM User Present](IAM-User-Present)
+    1.1[Inactive IAM Users](Inactive-IAM-Users)
+    1.1[Unused IAM Users](Unused-IAM-Users)
+    1.1[IAM Users with Password and Access Keys](IAM-Users-with-Password-and-Access-Keys)
+    1.1[Valid IAM Identity Providers](Valid-IAM-Identity-Providers)
+    1.1[MFA Device Deactivated for IAM Users](MFA-Device-Deactivated-for-IAM-Users)
+    1.1[Enable MFA for IAM Users](Enable-MFA-for-IAM-Users)
+    1.1[IAM Master and IAM Manager Roles](IAM-Master-and-IAM-Manager-Roles)
+    1.1[IAM Password Expiry](IAM-Password-Expiry)
+    1.1[IAM Password Policy](IAM-Password-Policy)
+    1.1[Root Account Access Keys](Root-Account-Access-Keys)
+    1.1[Root Account Credentials Usage](Root-Account-Credentials-Usage)
+    1.1[Root Account Active Signing Certificates](Root-Account-Active-Signing-Certificates)
+    1.1[Enable Hardware MFA for Root Account](Enable-Hardware-MFA-for-Root-Account)
+    1.1[Enable MFA for Root Account](Enable-MFA-for-Root-Account)
+    1.1[IAM SSH Public Keys Rotation (90-Days)](IAM-SSH-Public-Keys-Rotation-(90-Days))
+    1.1[Unnecessary IAM SSH Public Keys](Unnecessary-IAM-SSH-Public-Keys)
+    1.1[IAM Support Role](IAM-Support-Role)
+1. [Inspector](Inspector)
+    1.1[AWS Inspector Findings](AWS-Inspector-Findings)
+1. [KMS](KMS)
+    1.1[App-Tier Customer Master Key In Use](App-Tier-Customer-Master-Key-In-Use)
+    1.1[KMS Customer Master Key In Use](KMS-Customer-Master-Key-In-Use)
+    1.1[Database Tier Customer Master Key In Use](Database-Tier-Customer-Master-Key-In-Use)
+    1.1[Default KMS Key Usage](Default-KMS-Key-Usage)
+    1.1[Disabled KMS keys](Disabled-KMS-keys)
+    1.1[Monitor KMS Configuration Changes](Monitor-KMS-Configuration-Changes)
+    1.1[KMS Unknown Cross Account Access](KMS-Unknown-Cross-Account-Access)
+    1.1[KMS Exposed Keys](KMS-Exposed-Keys)
+    1.1[Recover KMS Customer Master Keys](Recover-KMS-Customer-Master-Keys)
+    1.1[Enable KMS Key Rotation](Enable-KMS-Key-Rotation)
+    1.1[Remove unused KMS keys](Remove-unused-KMS-keys)
+    1.1[Web-Tier Customer Master Key In Use](Web-Tier-Customer-Master-Key-In-Use)
+1. [Lambda](Lambda)
+    1.1[Exposed Lambda Functions](Exposed-Lambda-Functions)
+    1.1[Lambda Functions with Admin Privileges](Lambda-Functions-with-Admin-Privileges)
+    1.1[Lambda Unknown Cross Account Access](Lambda-Unknown-Cross-Account-Access)
+    1.1[Lambda Runtime Environment Version](Lambda-Runtime-Environment-Version)
+    1.1[An IAM role for a Lambda Function](An-IAM-role-for-a-Lambda-Function)
+1. [Organizations](Organizations)
+    1.1[Monitor AWS Org. Configuration Changes](Monitor-AWS-Org.-Configuration-Changes)
+    1.1[Enable All Features](Enable-All-Features)
+    1.1[AWS Organizations In Use](AWS-Organizations-In-Use)
+1. [RDS](RDS)
+    1.1[Aurora Database Instance Accessibility](Aurora-Database-Instance-Accessibility)
+    1.1[RDS Auto Minor Version Upgrade](RDS-Auto-Minor-Version-Upgrade)
+    1.1[Enable RDS Automated Backups](Enable-RDS-Automated-Backups)
+    1.1[Enable RDS Deletion Protection](Enable-RDS-Deletion-Protection)
+    1.1[Enable RDS Encryption](Enable-RDS-Encryption)
+    1.1[RDS Free Storage Space](RDS-Free-Storage-Space)
+    1.1[Enable IAM Database Authentication](Enable-IAM-Database-Authentication)
+    1.1[Total Number of Provisioned RDS Instances](Total-Number-of-Provisioned-RDS-Instances)
+    1.1[RDS Multi-AZ](RDS-Multi-AZ)
+    1.1[Overutilized RDS Instances](Overutilized-RDS-Instances)
+    1.1[Publicly Accessible RDS Instances](Publicly-Accessible-RDS-Instances)
+    1.1[Use Data-Tier Security Group for RDS Databases](Use-Data-Tier-Security-Group-for-RDS-Databases)
+    1.1[RDS Database Default Port](RDS-Database-Default-Port)
+    1.1[Use KMS Customer Master Keys for RDS encryption](Use-KMS-Customer-Master-Keys-for-RDS-encryption)
+    1.1[RDS General Purpose SSD Storage Type](RDS-General-Purpose-SSD-Storage-Type)
+    1.1[RDS Instance Not In Public Subnet](RDS-Instance-Not-In-Public-Subnet)
+    1.1[RDS Database Master Username](RDS-Database-Master-Username)
+    1.1[RDS Public Snapshots](RDS-Public-Snapshots)
+    1.1[RDS Sufficient Backup Retention Period](RDS-Sufficient-Backup-Retention-Period)
+    1.1[Enable RDS Transport Encryption](Enable-RDS-Transport-Encryption)
+    1.1[Underutilized RDS Instances](Underutilized-RDS-Instances)
+    1.1[Unrestricted RDS DB Security Group](Unrestricted-RDS-DB-Security-Group)
+    1.1[Enable Route 53 Domain Auto Renew](Enable-Route-53-Domain-Auto-Renew)
+    1.1[Create DNS Alias Record for Root Domain](Create-DNS-Alias-Record-for-Root-Domain)
+    1.1[Remove Route 53 Dangling DNS Records](Remove-Route-53-Dangling-DNS-Records)
+    1.1[Expired Route 53 Domain Names](Expired-Route-53-Domain-Names)
+    1.1[Route 53 Domain Name Renewal](Route-53-Domain-Name-Renewal)
+    1.1[Enable Privacy Protection for Route 53 Domains](Enable-Privacy-Protection-for-Route-53-Domains)
+    1.1[Root Domain Alias Records that Point to ELB](Root-Domain-Alias-Records-that-Point-to-ELB)
+    1.1[Monitor Route 53 Configuration Changes](Monitor-Route-53-Configuration-Changes)
+    1.1[Route 53 DNS In Use](Route-53-DNS-In-Use)
+    1.1[Route 53 SPF DNS Records](Route-53-SPF-DNS-Records)
+    1.1[Enable Route 53 Domain Transfer Lock](Enable-Route-53-Domain-Transfer-Lock)
+    1.1[Monitor Route 53 Domains Configuration Changes](Monitor-Route-53-Domains-Configuration-Changes)
+1. [ResourceGroup](ResourceGroup)
+    1.1[Use tags to organize AWS resources](Use-tags-to-organize-AWS-resources)
+    1.1[S3 Bucket Authenticated ‘FULL_CONTROL’ Access](S3-Bucket-Authenticated-‘FULL_CONTROL’-Access)
+    1.1[S3 Bucket Authenticated ‘READ’ Access](S3-Bucket-Authenticated-‘READ’-Access)
+    1.1[S3 Bucket Authenticated ‘READ_ACP’ Access](S3-Bucket-Authenticated-‘READ_ACP’-Access)
+    1.1[S3 Bucket Authenticated ‘WRITE’ Access](S3-Bucket-Authenticated-‘WRITE’-Access)
+    1.1[S3 Bucket Authenticated ‘WRITE_ACP’ Access](S3-Bucket-Authenticated-‘WRITE_ACP’-Access)
+    1.1[Enable S3 Bucket Default Encryption](Enable-S3-Bucket-Default-Encryption)
+    1.1[Enable Access Logging for S3 Buckets](Enable-Access-Logging-for-S3-Buckets)
+    1.1[Enable MFA Delete for S3 Buckets](Enable-MFA-Delete-for-S3-Buckets)
+    1.1[S3 Bucket Public Access Via Policy](S3-Bucket-Public-Access-Via-Policy)
+    1.1[Publicly Accessible S3 Buckets](Publicly-Accessible-S3-Buckets)
+    1.1[S3 Bucket Public ‘READ’ Access](S3-Bucket-Public-‘READ’-Access)
+    1.1[S3 Bucket Public ‘READ_ACP’ Access](S3-Bucket-Public-‘READ_ACP’-Access)
+    1.1[S3 Bucket Public ‘WRITE’ Access](S3-Bucket-Public-‘WRITE’-Access)
+    1.1[S3 Bucket Public ‘WRITE_ACP’ Access](S3-Bucket-Public-‘WRITE_ACP’-Access)
+    1.1[Enable Versioning for S3 Buckets](Enable-Versioning-for-S3-Buckets)
+    1.1[Review S3 Buckets with Website Configuration Enabled](Review-S3-Buckets-with-Website-Configuration-Enabled)
+    1.1[Detect S3 Configuration Changes](Detect-S3-Configuration-Changes)
+    1.1[S3 Unknown Cross Account Access](S3-Unknown-Cross-Account-Access)
+    1.1[Secure Transport](Secure-Transport)
+    1.1[Server-Side Encryption](Server-Side-Encryption)
+    1.1[Limit S3 Bucket Access by IP Address](Limit-S3-Bucket-Access-by-IP-Address)
+1. [SES](SES)
+    1.1[Enable DKIM for SES](Enable-DKIM-for-SES)
+    1.1[Unknown Cross-Account Access](Unknown-Cross-Account-Access)
+    1.1[Exposed SES Identities](Exposed-SES-Identities)
+    1.1[SES Identity Verification Status](SES-Identity-Verification-Status)
+1. [Shield](Shield)
+    1.1[AWS Shield In Use](AWS-Shield-In-Use)
+1. [TrustedAdvisor](TrustedAdvisor)
+    1.1[Trusted Advisor Checks](Trusted-Advisor-Checks)
+    1.1[Exposed IAM Access Keys](Exposed-IAM-Access-Keys)
+1. [VPC](VPC)
+    1.1[Allocate Elastic IPs for NAT Gateways](Allocate-Elastic-IPs-for-NAT-Gateways)
+    1.1[Create App-Tier VPC Subnets](Create-App-Tier-VPC-Subnets)
+    1.1[Create Data-Tier VPC Subnets](Create-Data-Tier-VPC-Subnets)
+    1.1[Default VPC In Use](Default-VPC-In-Use)
+    1.1[Unused VPC Internet Gateways](Unused-VPC-Internet-Gateways)
+    1.1[Use Managed NAT Gateway for VPC](Use-Managed-NAT-Gateway-for-VPC)
+    1.1[Create NAT Gateways in at Least Two Availability Zones](Create-NAT-Gateways-in-at-Least-Two-Availability-Zones)
+    1.1[Ineffective Network ACL DENY Rules](Ineffective-Network-ACL-DENY-Rules)
+    1.1[Unrestricted Network ACL Inbound Traffic](Unrestricted-Network-ACL-Inbound-Traffic)
+    1.1[Unrestricted Network ACL Outbound Traffic](Unrestricted-Network-ACL-Outbound-Traffic)
+    1.1[Create Route Table for Private Subnets](Create-Route-Table-for-Private-Subnets)
+    1.1[Create Route Table for Public Subnets](Create-Route-Table-for-Public-Subnets)
+    1.1[Enable Flow Logs for VPC Subnets](Enable-Flow-Logs-for-VPC-Subnets)
+    1.1[VPC Endpoint Unknown Cross Account Access](VPC-Endpoint-Unknown-Cross-Account-Access)
+    1.1[VPC Exposed Endpoints](VPC-Exposed-Endpoints)
+    1.1[VPC Endpoints In Use](VPC-Endpoints-In-Use)
+    1.1[Enable VPC Flow Logs](Enable-VPC-Flow-Logs)
+    1.1[VPC Naming Conventions](VPC-Naming-Conventions)
+    1.1[VPC Peering Connection Configuration](VPC-Peering-Connection-Configuration)
+    1.1[Unused Virtual Private Gateways](Unused-Virtual-Private-Gateways)
+    1.1[Create Web-Tier ELB Subnets](Create-Web-Tier-ELB-Subnets)
+    1.1[Create Web-Tier VPC Subnets](Create-Web-Tier-VPC-Subnets)
+1. [WAF](WAF)
+    1.1[AWS Web Application Firewall In Use](AWS-Web-Application-Firewall-In-Use)
 
 
 ---

diff --git a/aws_sercurity_test.md b/aws_sercurity_test.md
diff --git a/aws_sercurity_test.md b/aws_sercurity_test.md
@@ -1,8 +1,8 @@
 
-# Table of Contents
+# AWS - Services
 
 1. [ACM](#ACM)  
-1. [API Gateway](#API_Gateway)  
+1. [API Gateway](#API-Gateway)  
 1. [AutoScaling](#AutoScaling)  
 1. [CloudFront](#CloudFront)  
 1. [CloudTrail](#CloudTrail)  

diff --git a/aws_sercurity_test.md b/aws_sercurity_test.md
@@ -1,34 +1,34 @@
 
 # Table of Contents
 
-0. [ACM](#ACM)  
-0. [API Gateway](#API_Gateway)  
-0. [AutoScaling](#AutoScaling)  
-0. [CloudFront](#CloudFront)  
-0. [CloudTrail](#CloudTrail)  
-0. [CloudWatch](#CloudWatch)  
-0. [Config](#Config)  
-0. [DynamoDB](#DynamoDB)  
-0. [EBS](#EBS)  
-0. [ECR](#ECR)  
-0. [EFS](#EFS)  
-0. [ElasticSearch](#ElasticSearch)  
-0. [ELB](#ELB)  
-0. [EMR](#EMR)  
-0. [GuardDuty](#GuardDuty)  
-0. [Health](#Health)  
-0. [IAM](#IAM)  
-0. [Inspector](#Inspector)  
-0. [KMS](#KMS)  
-0. [Lambda](#Lambda)  
-0. [Organizations](#Organizations)  
-0. [RDS](#RDS)  
-0. [ResourceGroup](#ResourceGroup)  
-0. [SES](#SES)  
-0. [Shield](#Shield)  
-0. [TrustedAdvisor](#TrustedAdvisor)  
-0. [VPC](#VPC)  
-0. [WAF](#WAF)  
+1. [ACM](#ACM)  
+1. [API Gateway](#API_Gateway)  
+1. [AutoScaling](#AutoScaling)  
+1. [CloudFront](#CloudFront)  
+1. [CloudTrail](#CloudTrail)  
+1. [CloudWatch](#CloudWatch)  
+1. [Config](#Config)  
+1. [DynamoDB](#DynamoDB)  
+1. [EBS](#EBS)  
+1. [ECR](#ECR)  
+1. [EFS](#EFS)  
+1. [ElasticSearch](#ElasticSearch)  
+1. [ELB](#ELB)  
+1. [EMR](#EMR)  
+1. [GuardDuty](#GuardDuty)  
+1. [Health](#Health)  
+1. [IAM](#IAM)  
+1. [Inspector](#Inspector)  
+1. [KMS](#KMS)  
+1. [Lambda](#Lambda)  
+1. [Organizations](#Organizations)  
+1. [RDS](#RDS)  
+1. [ResourceGroup](#ResourceGroup)  
+1. [SES](#SES)  
+1. [Shield](#Shield)  
+1. [TrustedAdvisor](#TrustedAdvisor)  
+1. [VPC](#VPC)  
+1. [WAF](#WAF)  
 
 
 ---

diff --git a/aws_sercurity_test.md b/aws_sercurity_test.md
@@ -2,7 +2,7 @@
 # Table of Contents
 
 0. [ACM](#ACM)  
-0. [API Gateway](#API Gateway)  
+0. [API Gateway](#API_Gateway)  
 0. [AutoScaling](#AutoScaling)  
 0. [CloudFront](#CloudFront)  
 0. [CloudTrail](#CloudTrail)  

diff --git a/aws_sercurity_test.md b/aws_sercurity_test.md
@@ -1,4 +1,39 @@
-ACM
+
+# Table of Contents
+
+0. [ACM](#ACM)  
+0. [API Gateway](#API Gateway)  
+0. [AutoScaling](#AutoScaling)  
+0. [CloudFront](#CloudFront)  
+0. [CloudTrail](#CloudTrail)  
+0. [CloudWatch](#CloudWatch)  
+0. [Config](#Config)  
+0. [DynamoDB](#DynamoDB)  
+0. [EBS](#EBS)  
+0. [ECR](#ECR)  
+0. [EFS](#EFS)  
+0. [ElasticSearch](#ElasticSearch)  
+0. [ELB](#ELB)  
+0. [EMR](#EMR)  
+0. [GuardDuty](#GuardDuty)  
+0. [Health](#Health)  
+0. [IAM](#IAM)  
+0. [Inspector](#Inspector)  
+0. [KMS](#KMS)  
+0. [Lambda](#Lambda)  
+0. [Organizations](#Organizations)  
+0. [RDS](#RDS)  
+0. [ResourceGroup](#ResourceGroup)  
+0. [SES](#SES)  
+0. [Shield](#Shield)  
+0. [TrustedAdvisor](#TrustedAdvisor)  
+0. [VPC](#VPC)  
+0. [WAF](#WAF)  
+
+
+---
+
+# ACM
 
 ### Expired ACM Certificates
 **Risk**: High

diff --git a/aws_sercurity_test.md b/aws_sercurity_test.md
diff --git a/aws_sercurity_test.md b/aws_sercurity_test.md
diff --git a/aws_sercurity_test.md b/aws_sercurity_test.md
diff --git a/aws_sercurity_test.md b/aws_sercurity_test.md
diff --git a/aws_sercurity_test.md b/aws_sercurity_test.md