Ensure accounts have properly configured monitoring and alerting (e.g. CloudTrail). This Op is unnecessary if you are using the centralized monitoring configuration.

Create an alert that triggers if the policies associated with designated KMS keys are modified.
Create an alert that triggers if someone uses the root account in designated accounts.
Create an alert that triggers instantly whenever an S3 bucket is made public.
Create an alert if CloudTrail and/or Config are disabled or deleted in designated accounts.
Create an alert that triggers whenever a security group is created or modified to allow access from the Internet (0.0.0.0/0).
Create an alert for any changes to the designated security groups in designated accounts or VPCs.
Create an alert for any IAM change in designated accounts.
Create an alert that triggers when someone logs into the AWS console without MFA.
Link an account into a centralized alerting infrastructure using CloudWatch Logs synchronization to a Kinesis stream. Create everything needed that isn’t there.
Enable CloudWatch, CloudTrail, and Config if they are not enabled, and/or send logs to a designated central repository (with or without the option to still keep local copies).
Create a mix of recommended CloudWatch and Config alerts within an account.
Set lifecycle policies to migrate logs to Glacier after a designated time period.
Enable Config with best practices.
Enable CloudTrail with recommended best practices.
Ensure monitoring and alerting are properly configured, including CloudTrail, Config, CloudWatch and any configured alerts.
Determine if recommended settings for CloudTrail, Config, CloudWatch, and alerting are enabled.
Add alerts, remove alerts, or configure existing security alerts.