Amazon Web Services (AWS) is offering experimental Open Security Controls Assessment Language (OSCAL) content for public review and feedback. This OSCAL package is experimental and may contain errors or inconsistencies with other published information. Future versions of this OSCAL content, if any, may not be backwards compatible.
This repository contains OSCAL content in JSON format conforming to OSCAL version 1.2.1. The content is organized into the following directories:
The catalogs/ directory contains OSCAL catalog files. Currently this includes the AWS Security Hub Controls catalog with 77 groups and 452 controls. See the Catalogs README for details.
The component-definitions/ directory contains 230 OSCAL component definition files describing AWS regions and services. Each AWS service is modeled as a component within a file. Service components with Security Hub controls include references to the catalog and associated Config rules.
See the Component Definitions README for a full inventory, or the AWS Component Definitions document for details on the OSCAL representation.
See the Tools document for information on converting OSCAL content between formats.
You may also want to try the OSCAL MCP Server, which can help you understand the content in this project, how to use it, and OSCAL in general.
Our goal for this experiment is to understand customer interest in, and use cases for, machine-readable compliance artifacts. To that end, AWS needs your feedback about the quality and usefulness of this content. If you have questions, suggestions, or concerns, please open an issue.
See CONTRIBUTING for more information.
This project is licensed under the Apache-2.0 License.