When a manual action is performed to generate each audit log type, then the corresponding audit log type MUST be generated and recorded.

When an attempt is made to disable a log source, then an alert MUST be generated.

When an attempt is made to alter the retention or object lock status of an external data log source or bucket, then an alert MUST be generated.

When audit log buckets are created then verify that server access logging MUST be enabled for the audit log bucket, with logs delivered to a separate, secure logging bucket.

When audit logs are exported, then audit logs MUST be present in the configured data location.

When restricted fields are accessed by unauthorized users, then those fields MUST remain masked.

When a port is exposed for SSH network traffic, all traffic MUST include a SSH handshake AND be encrypted using SSHv2 or higher.

When data is stored, it MUST be encrypted using the latest industry-standard encryption methods.

When an entity attempts to modify the service through a user interface, the authentication process MUST require multiple identifying factors for authentication.

When an entity attempts to modify the service through an API endpoint, the authentication process MUST require a credential such as an API key or token AND originate from within the trust perimeter.

When an entity attempts to view information on the service through a user interface, the authentication process MUST require multiple identifying factors from the user.

When an entity attempts to view information on the service through an API endpoint, the authentication process MUST require a credential such as an API key or token AND originate from within the trust perimeter.

When administrative access or configuration change is attempted on the service or a child resource, the service MUST log the client identity, time, and result of the attempt.

When any attempt is made to modify data on the service or a child resource, the service MUST log the client identity, time, and result of the attempt.

When any attempt is made to read data on the service or a child resource, the service MUST log the client identity, time, and result of the attempt.

When an attempt is made to modify data on the service or a child resource, the service MUST block requests from unauthorized entities.

When administrative access or configuration change is attempted on the service or a child resource, the service MUST refuse requests from unauthorized entities.

When administrative access or configuration change is attempted on the service or a child resource in a multi-tenant environment, the service MUST refuse requests across tenant boundaries unless the origin is explicitly included in a pre-approved allowlist.

When data is requested from outside the trust perimeter, the service MUST refuse requests from unauthorized entities.

When any request is made to the service or a child resource, the service MUST refuse requests from unauthorized entities.

When the service is running, its region and availability zone MUST be included in a list of explicitly trusted or approved locations within the trust perimeter.

When a child resource is deployed, its region and availability zone MUST be included in a list of explicitly trusted or approved locations within the trust perimeter.

When data is created or modified, the data MUST have a complete and recoverable duplicate that is stored in a physically separate data center.

When the service is operational, its logs and any child resource logs MUST NOT be accessible from the resource they record access to.

When the service is operational, disabling the logs for the service or its child resources MUST NOT be possible without also disabling the corresponding resource.

When the service is operational, any attempt to redirect logs for the service or its child resources MUST NOT be possible without halting operation of the corresponding resource and publishing corresponding events to monitored channels.

When backups are created for disaster recovery purposes, the most recent backup MUST have a creation date within the past 30 days.

When IAM roles and key policies are reviewed, Decrypt permission MUST be granted exclusively to documented authorised principals.

When routing weights change, the request MUST originate from an explicitly defined and trusted identity and MUST be logged.

When stickiness is enabled, session cookies MUST expire within 30 minutes of inactivity.

When a new cloud account is created, provider-level audit and network flow logging MUST be enabled by default and directed to the central sink.

When a new cloud compute resource is deployed, it MUST be configured to forward all relevant logs (e.g., OS, application, service logs) to the central log sink.

When a new log bucket or stream is created, its retention policy MUST be configured in accordance with organisation's data retention policy.

When a query is performed to retrieve log events older than the number of days defined in the organisation's data retention policy, it MUST return an empty result.

When a log storage bucket is created, the bucket's access control settings MUST explicitly deny public read and write access.

When an audit log event is recorded that corresponds to a modification of the logging service configuration such as disabling a log trail, deleting a log sink, or altering a log forwarding rule, an alert MUST be generated.

When an External Monitoring system exceeds the anticipated rate of monitoring checks then Rate Limiting MUST be applied and an Audit Alert MUST be generated.

When an Custom or User-Defined Metric starts to flood a collector, then a rate limit MUST be applied to reduce the network impact of traffic and an alert must triggered.

When monitoring dashboards display degraded services which may become potential targets then the dashboard MUST be protected from unauthorised access.

When monitoring services have generated an alert, the service MUST ensure only authorised responders silence or acknowledge the alert.

When systems push metrics or traces they MUST be authenticated for that particular type of metric or trace

When an index lifecycle event is triggered, the service MUST verify that the actor has explicit permissions for the operation type.