# Amazon Web Services (AWS)

> How DSALTA integrates with Amazon Web Services (AWS) — data collected, setup guide, and automated compliance checks.

## Overview

DSALTA connects to Amazon Web Services (AWS) using read-only API access to collect compliance evidence automatically. Data syncs every 24 hours and feeds into your Data Library modules.

<Info>
  **Read-only access.** DSALTA never modifies, creates, or deletes resources in your Amazon Web Services (AWS) environment.
</Info>

## How to Connect

1. Go to **Integrations** in the DSALTA sidebar.
2. Find **Amazon Web Services (AWS)** and click **Connect**.
3. Authenticate with admin-level access.
4. Select the scope (accounts, projects, or resources to monitor).
5. DSALTA performs an initial sync (5-15 minutes). Checks activate after sync completes.

## Automated Compliance Checks

Each check below runs automatically every 24 hours. Click any check for step-by-step remediation guidance.

| Check                                                                                                                                        | Description                                                                          |
| -------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------ |
| [AWS access should be removed for offboarded users](/integrations/aws/aws-access-should-be-removed-for-offboarded-users)                     | Checks that AWS access is revoked for offboarded users.                              |
| [AWS users should have MFA enabled](/integrations/aws/aws-users-should-have-mfa-enabled)                                                     | Checks that all AWS IAM users have MFA enabled.                                      |
| [AWS should be on HTTPS](/integrations/aws/aws-should-be-on-https)                                                                           | Checks that AWS resources are served over HTTPS.                                     |
| [AWS should redirect HTTP to HTTPS](/integrations/aws/aws-should-redirect-http-to-https)                                                     | Checks that HTTP traffic is automatically redirected to HTTPS in AWS.                |
| [AWS CloudTrail should be enabled](/integrations/aws/aws-cloudtrail-should-be-enabled)                                                       | Checks that AWS CloudTrail is enabled to log account activity.                       |
| [AWS GuardDuty should be enabled](/integrations/aws/aws-guardduty-should-be-enabled)                                                         | Checks that AWS GuardDuty is enabled for threat detection.                           |
| [Reported incidents should be closed in GuardDuty](/integrations/aws/reported-incidents-should-be-closed-in-guardduty)                       | Checks that incidents reported in GuardDuty are closed and resolved.                 |
| [AWS credentials not used in last 90 days should be disabled](/integrations/aws/aws-credentials-not-used-in-last-90-days-should-be-disabled) | Checks that AWS credentials unused for 90+ days are disabled.                        |
| [AWS user access keys should not be older than 90 days](/integrations/aws/aws-user-access-keys-should-not-be-older-than-90-days)             | Checks that AWS IAM user access keys are not older than 90 days.                     |
| [AWS root account should have MFA enabled](/integrations/aws/aws-root-account-should-have-mfa-enabled)                                       | Checks that the AWS root account has MFA enabled.                                    |
| [AWS users should not have attached IAM policies](/integrations/aws/aws-users-should-not-have-attached-iam-policies)                         | Checks that AWS users do not have IAM policies attached directly.                    |
| [AWS account password policy should be configured](/integrations/aws/aws-account-password-policy-should-be-configured)                       | Checks that an AWS account-level password policy is configured.                      |
| [AWS root account usage should be avoided](/integrations/aws/aws-root-account-usage-should-be-avoided)                                       | Checks that the AWS root account is not being used for routine activity.             |
| [AWS server access logs should be retained for 90 days](/integrations/aws/aws-server-access-logs-should-be-retained-for-90-days)             | Checks that AWS server access logs are retained for at least 90 days.                |
| [AWS S3 server access logging should be enabled](/integrations/aws/aws-s3-server-access-logging-should-be-enabled)                           | Checks that S3 server access logging is enabled for important buckets.               |
| [AWS groups should have at least one IAM policy](/integrations/aws/aws-groups-should-have-at-least-one-iam-policy)                           | Checks that all AWS IAM groups have at least one policy attached.                    |
| [Infrastructure entities should be classified](/integrations/aws/infrastructure-entities-should-be-classified)                               | Checks that all AWS infrastructure entities are classified by criticality.           |
| [AWS RDS database free space should be monitored](/integrations/aws/aws-rds-database-free-space-should-be-monitored)                         | Checks that AWS RDS free storage space is being monitored.                           |
| [AWS RDS database CPU utilization should be monitored](/integrations/aws/aws-rds-database-cpu-utilization-should-be-monitored)               | Checks that AWS RDS CPU utilization is being monitored.                              |
| [AWS RDS database freeable memory should be monitored](/integrations/aws/aws-rds-database-freeable-memory-should-be-monitored)               | Checks that AWS RDS freeable memory is being monitored.                              |
| [AWS RDS database IO utilization should be monitored](/integrations/aws/aws-rds-database-io-utilization-should-be-monitored)                 | Checks that AWS RDS I/O utilization is being monitored.                              |
| [AWS RDS database backup should be enabled](/integrations/aws/aws-rds-database-backup-should-be-enabled)                                     | Checks that automated backups are enabled for AWS RDS databases.                     |
| [AWS RDS database storage should be encrypted](/integrations/aws/aws-rds-database-storage-should-be-encrypted)                               | Checks that AWS RDS database storage is encrypted at rest.                           |
| [AWS RDS database should be protected from direct internet traffic](/integrations/aws/aws-rds-no-public-access)                              | Checks that AWS RDS databases are not directly exposed to the internet.              |
| [AWS ElastiCache CPU utilization should be monitored](/integrations/aws/aws-elasticache-cpu-utilization-should-be-monitored)                 | Checks that AWS ElastiCache CPU utilization is being monitored.                      |
| [AWS ElastiCache current connections should be monitored](/integrations/aws/aws-elasticache-current-connections-should-be-monitored)         | Checks that AWS ElastiCache current connection count is being monitored.             |
| [AWS ElastiCache freeable memory should be monitored](/integrations/aws/aws-elasticache-freeable-memory-should-be-monitored)                 | Checks that AWS ElastiCache freeable memory is being monitored.                      |
| [AWS Redshift cluster backup should be enabled](/integrations/aws/aws-redshift-cluster-backup-should-be-enabled)                             | Checks that automated backups are enabled for AWS Redshift clusters.                 |
| [AWS Redshift cluster should be encrypted](/integrations/aws/aws-redshift-cluster-should-be-encrypted)                                       | Checks that AWS Redshift clusters are encrypted at rest.                             |
| [AWS Redshift CPU utilization should be monitored](/integrations/aws/aws-redshift-cpu-utilization-should-be-monitored)                       | Checks that AWS Redshift CPU utilization is being monitored.                         |
| [AWS Redshift health should be monitored](/integrations/aws/aws-redshift-health-should-be-monitored)                                         | Checks that AWS Redshift cluster health status is being monitored.                   |
| [AWS EC2 instances should be protected from direct internet traffic](/integrations/aws/aws-ec2-no-public-access)                             | Checks that AWS EC2 instances are not directly exposed to the internet.              |
| [AWS EC2 instance CPU utilization should be monitored](/integrations/aws/aws-ec2-instance-cpu-utilization-should-be-monitored)               | Checks that AWS EC2 instance CPU utilization is being monitored.                     |
| [AWS EBS volume backup should be enabled](/integrations/aws/aws-ebs-volume-backup-should-be-enabled)                                         | Checks that EBS volume snapshots (backups) are enabled.                              |
| [AWS EBS volumes should be encrypted](/integrations/aws/aws-ebs-volumes-should-be-encrypted)                                                 | Checks that AWS EBS volumes are encrypted at rest.                                   |
| [AWS EFS storage backup should be enabled](/integrations/aws/aws-efs-storage-backup-should-be-enabled)                                       | Checks that AWS EFS storage has backups enabled.                                     |
| [AWS FSx File System storage backup should be enabled](/integrations/aws/aws-fsx-file-system-storage-backup-should-be-enabled)               | Checks that AWS FSx File System has backups enabled.                                 |
| [AWS EFS storage should be encrypted](/integrations/aws/aws-efs-storage-should-be-encrypted)                                                 | Checks that AWS EFS storage is encrypted at rest.                                    |
| [AWS FSx File System storage should be encrypted](/integrations/aws/aws-fsx-file-system-storage-should-be-encrypted)                         | Checks that AWS FSx File System storage is encrypted at rest.                        |
| [AWS VPC flow logs should be captured](/integrations/aws/aws-vpc-flow-logs-should-be-captured)                                               | Checks that VPC flow logs are enabled to capture network traffic.                    |
| [AWS S3 storage buckets should be encrypted](/integrations/aws/aws-s3-storage-buckets-should-be-encrypted)                                   | Checks that AWS S3 buckets are encrypted at rest.                                    |
| [AWS S3 bucket public access should be blocked](/integrations/aws/aws-s3-bucket-public-access-should-be-blocked)                             | Checks that AWS S3 bucket public access block is enabled.                            |
| [AWS S3 buckets should be versioned](/integrations/aws/aws-s3-buckets-should-be-versioned)                                                   | Checks that AWS S3 bucket versioning is enabled.                                     |
| [AWS SQS message visibility should be monitored](/integrations/aws/aws-sqs-message-visibility-should-be-monitored)                           | Checks that AWS SQS message visibility timeout is being monitored.                   |
| [AWS SQS message age should be monitored](/integrations/aws/aws-sqs-message-age-should-be-monitored)                                         | Checks that AWS SQS message age is being monitored.                                  |
| [AWS Firehose stream throttling should be monitored](/integrations/aws/aws-firehose-stream-throttling-should-be-monitored)                   | Checks that AWS Firehose stream throttling is being monitored.                       |
| [AWS DynamoDB latency should be monitored](/integrations/aws/aws-dynamodb-latency-should-be-monitored)                                       | Checks that AWS DynamoDB read/write latency is being monitored.                      |
| [AWS DynamoDB point-in-time recovery should be enabled](/integrations/aws/aws-dynamodb-point-in-time-recovery-should-be-enabled)             | Checks that AWS DynamoDB point-in-time recovery (PITR) is enabled.                   |
| [AWS DynamoDB should be encrypted](/integrations/aws/aws-dynamodb-should-be-encrypted)                                                       | Checks that AWS DynamoDB tables are encrypted at rest.                               |
| [AWS DynamoDB read capacity should be monitored](/integrations/aws/aws-dynamodb-read-capacity-should-be-monitored)                           | Checks that AWS DynamoDB read capacity utilization is being monitored.               |
| [AWS DynamoDB write capacity should be monitored](/integrations/aws/aws-dynamodb-write-capacity-should-be-monitored)                         | Checks that AWS DynamoDB write capacity utilization is being monitored.              |
| [AWS DynamoDB backup should be enabled](/integrations/aws/aws-dynamodb-backup-should-be-enabled)                                             | Checks that AWS DynamoDB backups are enabled.                                        |
| [AWS API Gateway V2 errors should be monitored](/integrations/aws/aws-api-gateway-v2-errors-should-be-monitored)                             | Checks that AWS API Gateway V2 errors are being monitored.                           |
| [AWS ECS CPU utilization should be monitored](/integrations/aws/aws-ecs-cpu-utilization-should-be-monitored)                                 | Checks that AWS ECS CPU utilization is being monitored.                              |
| [AWS ECS memory utilization should be monitored](/integrations/aws/aws-ecs-memory-utilization-should-be-monitored)                           | Checks that AWS ECS memory utilization is being monitored.                           |
| [AWS ECR repositories should be encrypted](/integrations/aws/aws-ecr-repositories-should-be-encrypted)                                       | Checks that AWS ECR container repositories are encrypted at rest.                    |
| [AWS Elasticsearch cluster free space should be monitored](/integrations/aws/aws-elasticsearch-cluster-free-space-should-be-monitored)       | Checks that AWS Elasticsearch cluster free storage space is being monitored.         |
| [AWS FSx File System free space should be monitored](/integrations/aws/aws-fsx-file-system-free-space-should-be-monitored)                   | Checks that AWS FSx File System free space is being monitored.                       |
| [AWS Elasticsearch cluster CPU utilization should be monitored](/integrations/aws/aws-elasticsearch-cpu-monitoring)                          | Checks that AWS Elasticsearch cluster CPU utilization is being monitored.            |
| [AWS Elasticsearch cluster health should be monitored](/integrations/aws/aws-elasticsearch-cluster-health-should-be-monitored)               | Checks that AWS Elasticsearch cluster health status is being monitored.              |
| [AWS EBS health should be monitored](/integrations/aws/aws-ebs-health-should-be-monitored)                                                   | Checks that AWS EBS volume health status is being monitored.                         |
| [AWS load balancer errors should be monitored](/integrations/aws/aws-load-balancer-errors-should-be-monitored)                               | Checks that AWS load balancer error rates are being monitored.                       |
| [AWS load balancer latency should be monitored](/integrations/aws/aws-load-balancer-latency-should-be-monitored)                             | Checks that AWS load balancer latency is being monitored.                            |
| [AWS classic load balancer errors should be monitored](/integrations/aws/aws-classic-load-balancer-errors-should-be-monitored)               | Checks that AWS classic load balancer error rates are being monitored.               |
| [AWS classic load balancer latency should be monitored](/integrations/aws/aws-classic-load-balancer-latency-should-be-monitored)             | Checks that AWS classic load balancer latency is being monitored.                    |
| [AWS load balancer should redirect HTTP to HTTPS](/integrations/aws/aws-load-balancer-should-redirect-http-to-https)                         | Checks that AWS load balancers redirect HTTP traffic to HTTPS.                       |
| [AWS load balancer healthy host count should be monitored](/integrations/aws/aws-load-balancer-healthy-host-count-should-be-monitored)       | Checks that AWS load balancer healthy host count is being monitored.                 |
| [AWS load balancer should have valid configuration](/integrations/aws/aws-load-balancer-should-have-valid-configuration)                     | Checks that AWS load balancer configuration is valid and correct.                    |
| [AWS load balancer host health should be monitored](/integrations/aws/aws-load-balancer-host-health-should-be-monitored)                     | Checks that AWS load balancer backend host health is being monitored.                |
| [AWS application load balancer should be protected from direct internet traffic](/integrations/aws/aws-alb-no-public-access)                 | Checks that AWS application load balancers are not directly exposed to the internet. |
| [AWS Lightsail instance CPU utilization should be monitored](/integrations/aws/aws-lightsail-instance-cpu-utilization-should-be-monitored)   | Checks that AWS Lightsail instance CPU utilization is being monitored.               |
| [AWS Lightsail disk backup should be enabled](/integrations/aws/aws-lightsail-disk-backup-should-be-enabled)                                 | Checks that AWS Lightsail disk backups are enabled.                                  |
| [AWS Lightsail disks should be encrypted](/integrations/aws/aws-lightsail-disks-should-be-encrypted)                                         | Checks that AWS Lightsail disks are encrypted at rest.                               |
| [AWS CloudTrail log file integrity validation should be enabled](/integrations/aws/aws-cloudtrail-log-integrity)                             | Checks that AWS CloudTrail log file integrity validation is enabled.                 |
| [AWS CloudTrail S3 logging bucket access logging should be enabled](/integrations/aws/aws-cloudtrail-s3-access-logging)                      | Checks that access logging is enabled on the S3 bucket used by CloudTrail.           |
| [AWS CloudTrail logging bucket should be protected from direct internet traffic](/integrations/aws/aws-cloudtrail-bucket-no-public)          | Checks that the CloudTrail logging S3 bucket is not publicly accessible.             |

## Troubleshooting

<AccordionGroup>
  <Accordion title="Integration shows Disconnected">
    Re-authenticate from **Integrations → Amazon Web Services (AWS) → Reconnect**. This usually happens when API tokens expire.
  </Accordion>

  <Accordion title="Data is not syncing">
    Verify the connected account has admin permissions. Try a manual sync from the integration settings.
  </Accordion>
</AccordionGroup>
