Description
Most AWS resources and settings are specific to a single region, IAM being the main exception. A number of the Cloud Profile's rules apply to regional resources but their investigation procedures do not say to check all regions in use. I think that this is all of them:
- 3.4.1 "Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket": CloudTrail Trails may be either single-region or multi-region. Multi-region Trails are treated as being part of every region so it doesn't matter what region the user specifies when checking. However, single-region Trails will only be listed if the caller checks for that region. The investigation procedure should say something about checking single-region Trails in all applicable regions.
- 3.5.1 "Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible": see above.
- 4.3.5 "Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports": VPC Subnets are region-specific.
- 4.3.6 "Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports": EC2 Security Groups are region-specific.
- 4.3.7 "Ensure no security groups allow ingress from ::/0 to remote server administration ports": see above.
- 5.4.2 "Ensure that encryption is enabled for EFS file systems"
- 6.12.1 "Ensure Auto Minor Version Upgrade feature is Enabled for RDS Instances"
- 6.15.8 "Database logging should be enabled": this one doesn't have a reproduction procedure at all.
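The per-region behaviour the issue describes, as an added example that is not part of the issue or of the Cloud Profile: it walks every region in use, collects CloudTrail Trails (de-duplicating the multi-region Trail that CloudTrail reports as a shadow Trail in each region, while picking up single-region Trails only from their own region) and flags security group rules that open the remote administration ports 22 and 3389 to 0.0.0.0/0 or ::/0. The client factory argument is an assumption made so the check runs offline against constructed sample data; `boto3_factory` shows the live boto3 equivalent (`describe_trails`, `describe_security_groups`). The account ID, Trail ARNs, bucket names and group IDs are constructed placeholders.

```python
"""Run region-scoped Cloud Profile checks across every region in use.

Added example (not the issue author's or the profile's own code). Assumes a
boto3-style client API but takes a client factory so it can run offline.
"""
from typing import Callable, Dict, Iterable, List, Tuple

# Remote server administration ports named by rules 4.3.5-4.3.7.
ADMIN_PORTS = (22, 3389)
OPEN_CIDRS = ("0.0.0.0/0", "::/0")

# Constructed sample account (placeholder IDs): one multi-region Trail homed in
# us-east-1 that CloudTrail also lists as a shadow Trail in eu-west-1, one
# single-region Trail visible only from eu-west-1, and two over-permissive
# security groups, one per region.
FAKE_ACCOUNT = {
    "us-east-1": {
        "trails": [{"Name": "org-trail",
                    "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail",
                    "HomeRegion": "us-east-1", "IsMultiRegionTrail": True,
                    "S3BucketName": "example-trail-logs"}],
        "sgs": [{"GroupId": "sg-aaaa1111", "IpPermissions": [
            {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}],
    },
    "eu-west-1": {
        "trails": [
            {"Name": "org-trail",
             "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail",
             "HomeRegion": "us-east-1", "IsMultiRegionTrail": True,
             "S3BucketName": "example-trail-logs"},
            {"Name": "eu-only",
             "TrailARN": "arn:aws:cloudtrail:eu-west-1:111122223333:trail/eu-only",
             "HomeRegion": "eu-west-1", "IsMultiRegionTrail": False,
             "S3BucketName": "example-eu-logs"},
        ],
        "sgs": [{"GroupId": "sg-bbbb2222", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]}],
    },
}


class FakeClient:
    """Stands in for a boto3 client and answers from the constructed data."""

    def __init__(self, service: str, region: str):
        self.service, self.region = service, region

    def describe_trails(self) -> dict:
        return {"trailList": FAKE_ACCOUNT[self.region]["trails"]}

    def describe_security_groups(self) -> dict:
        return {"SecurityGroups": FAKE_ACCOUNT[self.region]["sgs"]}


def boto3_factory(service: str, region: str):
    """Live factory (needs credentials; describe_security_groups may page)."""
    import boto3
    return boto3.client(service, region_name=region)


def collect_trails(regions: Iterable[str], make_client: Callable) -> Dict[str, dict]:
    """Every Trail visible from the given regions, keyed by ARN.

    A multi-region Trail appears in each region's listing, so keying on the
    ARN keeps one copy; a single-region Trail is only returned by its own
    region, which is why all regions in use must be queried.
    """
    trails: Dict[str, dict] = {}
    for region in regions:
        listing = make_client("cloudtrail", region).describe_trails()
        for trail in listing.get("trailList", []):
            trails.setdefault(trail["TrailARN"], trail)
    return trails


def admin_ports_opened(perm: dict) -> List[int]:
    """Administration ports covered by one security group ingress rule."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                      # all protocols and ports
        return list(ADMIN_PORTS)
    if proto in ("tcp", "6"):
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        return [p for p in ADMIN_PORTS if lo <= p <= hi]
    return []


def find_open_admin_groups(regions: Iterable[str], make_client: Callable) -> List[Tuple[str, str, str, int]]:
    """(region, group id, open CIDR, port) for every rule violating 4.3.6/4.3.7."""
    findings = []
    for region in regions:
        resp = make_client("ec2", region).describe_security_groups()
        for sg in resp.get("SecurityGroups", []):
            for perm in sg.get("IpPermissions", []):
                cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
                cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
                for cidr in cidrs:
                    if cidr in OPEN_CIDRS:
                        for port in admin_ports_opened(perm):
                            findings.append((region, sg["GroupId"], cidr, port))
    return findings


if __name__ == "__main__":
    regions = list(FAKE_ACCOUNT)
    for arn, t in collect_trails(regions, FakeClient).items():
        print("trail", t["Name"], "multi-region" if t["IsMultiRegionTrail"] else "single-region", "->", t["S3BucketName"])
    for finding in find_open_admin_groups(regions, FakeClient):
        print("open admin port", *finding)
```

Querying only us-east-1 in the sample returns a single Trail and misses the `eu-only` Trail entirely, which is exactly the gap the investigation procedures for 3.4.1 and 3.5.1 leave open; for live use pass `boto3_factory` and the region list from `ec2.describe_regions()`.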