When audit log buckets are created then verify that server access logging MUST be enabled for the audit log bucket, with logs delivered to a separate, secure logging bucket.

When the retention policy is applied, then data MUST be automatically deleted after the configured number of days.

When an attempt is made to delete data before the object lock period expires, then the deletion MUST be denied.

When audit log storage bucket's are created then, bucket's access control settings MUST explicitly deny public read and write access.

When the URL of a audit log storage bucket's object is accessed publicly then, it should be denied by bucket policy.

When a port is exposed for non-SSH network traffic, all traffic MUST include a TLS handshake AND be encrypted using TLS 1.3 or higher.

When a port is exposed for SSH network traffic, all traffic MUST include a SSH handshake AND be encrypted using SSHv2 or higher.

When the service receives unencrypted traffic, then it MUST either block the request or automatically redirect it to the secure equivalent.

When a port is exposed, the service MUST ensure that the protocol and service officially assigned to that port number by the IANA Service Name and Transport Protocol Port Number Registry, and no other, is run on that port.

When data is stored, it MUST be encrypted using the latest industry-standard encryption methods.

When administrative access or configuration change is attempted on the service or a child resource, the service MUST refuse requests from unauthorized entities.

When administrative access or configuration change is attempted on the service or a child resource in a multi-tenant environment, the service MUST refuse requests across tenant boundaries unless the origin is explicitly included in a pre-approved allowlist.

When data is requested from outside the trust perimeter, the service MUST refuse requests from unauthorized entities.

When any request is made from outside the trust perimeter, the service MUST NOT provide any response that may indicate the service exists.

When the service is running, its region and availability zone MUST be included in a list of explicitly trusted or approved locations within the trust perimeter.

When data is created or modified, the data MUST have a complete and recoverable duplicate that is stored in a physically separate data center.

When data is replicated into a second location, the service MUST be able to accurately represent the replication locations, replication status, and data synchronization status.

When data is replicated, the service MUST ensure that replication only occurs to destinations that are explicitly included within the defined trust perimeter.

When encryption keys are used, the service MUST verify that all encryption keys use the latest industry-standard cryptographic algorithms.

When encryption keys are used, the service MUST rotate active keys within 180 days of issuance.

When encrypting data, the service MUST verify that customer-managed encryption keys (CMEKs) are used.

When encryption keys are accessed, the service MUST verify that access to encryption keys is restricted to authorized personnel and services, following the principle of least privilege.

When encryption keys are used, the service MUST rotate active keys within 365 days of issuance.

When a port is exposed that uses certificate-based encryption, the service MUST rotate active certificates within 180 days of issuance.

When a log storage bucket is created, the bucket's access control settings MUST explicitly deny public read and write access.

When the URL of a log storage bucket's object is accessed publicly, the action MUST be denied by bucket policy.

Verify that MLDE instances containing sensitive data cannot be accessed via public IP addresses.

For MLDE instances without sensitive data requiring public access, ensure that appropriate security controls are in place and access is approved.

Verify that MLDE instances containing sensitive data can only be deployed in approved virtual networks with appropriate security controls.

Ensure that MLDE instances without sensitive data are deployed in networks that meet organizational security standards.

When a request is made to read a bucket, the service MUST prevent any request using KMS keys not listed as trusted by the organization.

When a request is made to read an object, the service MUST prevent any request using KMS keys not listed as trusted by the organization.

When a request is made to write to a bucket, the service MUST prevent any request using KMS keys not listed as trusted by the organization.

When a request is made to write to an object, the service MUST prevent any request using KMS keys not listed as trusted by the organization.

When a permission set is allowed for an object in a bucket, the service MUST allow the same permission set to access all objects in the same bucket.

When a permission set is denied for an object in a bucket, the service MUST deny the same permission set to access all objects in the same bucket.

When an object storage bucket deletion is attempted, the bucket MUST be fully recoverable for a set time-frame after deletion is requested.

When an object is uploaded to the object storage system, the object MUST automatically receive a default retention policy that prevents premature deletion or modification.

When an attempt is made to delete or modify an object that is subject to an active retention policy, the service MUST prevent the action from being completed.

When an object is uploaded to the object storage bucket, the object MUST be stored with a unique identifier.

When an object is modified, the service MUST assign a new unique identifier to the modified object to differentiate it from the previous version.

When an object is modified, the service MUST allow for recovery of previous versions of the object.

When an object is deleted, the service MUST retain other versions of the object to allow for recovery of previous versions.