Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Current »

Overview


We've listed CIS rules for your Amazon Web Services (AWS) Cloud Provider.


RULE NAME

RESOURCE TYPE

DESCRIPTION

CLOUDTRAIL S3 BUCKET IS NOT PUBLIC

CloudTrail

Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible

CLOUDTRAIL IS ENABLED IN ALL REGIONS

CloudTrail

Ensure at least one multi-regional CloudTrail with capturing Management Events with ReadWrite type All

CHECK FILTER AND ALARM EXISTS FOR UNAUTHORIZED API CALLS

CloudTrail

Ensure a log metric filter and alarm exist for unauthorized API calls

CHECK FILTER AND ALARM EXIST FOR NON MFA MGMT ACCESS

CloudTrail

Ensure a log metric filter and alarm exist for Management Console sign-in without MFA

CHECK FILTER AND ALARM EXIST FOR USAGE OF ROOT ACCOUNT

CloudTrail

Ensure a log metric filter and alarm exist for usage of root account

CHECK FILTER AND ALARM EXIST FOR IAM POLICY CHANGES

CloudTrail

Ensure a log metric filter and alarm exist for IAM policy changes

CHECK FILTER AND ALARM EXIST FOR CLOUDTRAIL CHANGES

CloudTrail

Ensure a log metric filter and alarm exist for CloudTrail configuration changes

CHECK FILTER AND ALARM EXIST FOR MGMT CONSOLE AUTH FAILURES

CloudTrail

Ensure a log metric filter and alarm exist for AWS Management Console authentication failures

CHECK FILTER AND ALARM EXIST FOR DISABLING OR DELETING CMK

CloudTrail

Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs

CHECK FILTER AND ALARM EXIST FOR S3 BUCKET POLICY CHANGES

CloudTrail

Ensure a log metric filter and alarm exist for S3 Bucket policy changes

CHECK FILTER AND ALARM EXIST FOR CONFIG CONFIGURATION CHANGES

CloudTrail

Ensure a log metric filter and alarm exist for AWS config configuration changes

CHECK FILTER AND ALARM EXIST FOR SECURITY GROUP CHANGES

CloudTrail

Ensure a log metric filter and alarm exist for Security Group changes

CHECK FILTER AND ALARM EXIST FOR NACL CHANGES

CloudTrail

Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)

CHECK FILTER AND ALARM EXIST FOR NETWORK GATEWAY CHANGES

CloudTrail

Ensure a log metric filter and alarm exist for changes to Network Gateways

CHECK FILTER AND ALARM EXIST FOR ROUTE TABLE CHANGES

CloudTrail

Ensure a log metric filter and alarm exist for Route Table changes

CHECK FILTER AND ALARM EXIST FOR VPC CHANGES

CloudTrail

Ensure a log metric filter and alarm exist for VPC changes

CLOUDTRAIL S3BUCKET ACCESS LOGGING ENABLED

CloudTrail

Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket

CLOUDTRAIL ENCRYPTED WITH KMS CMK

CloudTrail

Ensure CloudTrail logs are encrypted at rest using KMS CMKs

CLOUDTRAIL INTEGRATED WITH CLOUDWATCH

CloudTrail

Ensure CloudTrail are integrated with CloudWatch logs

CLOUDTRAIL LOGFILE VALIDATION ENABLED

CloudTrail

Ensure CloudTrail log file validation is enabled

CHECK CONFIG ENABLED FOR ALL REGIONS

Config

Ensure AWS Config is enabled for all regions

CHECK SECURITY GROUP RDP OPEN TO PUBLIC

EC2

Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389

CHECK SECURITY GROUP SSH OPEN TO PUBLIC

EC2

Ensure no security groups allow ingress from 0.0.0.0/0 to port 22

CHECK MFA ENABLED FOR ROOT ACCOUNT

IAM

Ensure MFA is enabled for root account

IAM KEYS OLDER THAN 90 DAYS

IAM

Ensure access keys are rotated every 90 days or less

CHECK HARDWARE MFA ENABLED FOR ROOT ACCOUNT

IAM

Ensure Hardware MFA is enabled for root account

CHECK NO IAM POLICY WITH FULL ADMIN PRIVILEGES

IAM

Ensure IAM policies that allow full *.* administrative privileges are not created

CHECK PWD POLICY PASSWORD EXPIRES IN 90 DAYS

IAM

Ensure IAM password policy expires passwords withing 90 days or less

CHECK CREDENTIAL UNUSED FOR 90 DAYS

IAM

Ensure no credentials are unused for 90 days are

CHECK PWD POLICY MIN 14 CHARACTERS

IAM

Ensure IAM password policy requires minimum length of 14 or greater

CHECK PWD POLICY PREVENTS PASSWORD REUSE

IAM

Ensure IAM password policy prevents last 24 password reuse

CHECK PWD POLICY MIN ONE NUMBER

IAM

Ensure IAM password policy requires at least one number

CHECK PWD POLICY MIN ONE SYMBOL

IAM

Ensure IAM password policy requires at least one symbol

CHECK IAM POLICIES ATTACHED ONLY TO GROUP OR ROLES

IAM

Ensure IAM policies are attached only to groups or roles

CHECK SUPPORT ROLE EXISTS

IAM

Ensure a support role has been created to manage incidents with AWS support

CHECK PWD POLICY MIN ONE LOWERCASE LETTER

IAM

Ensure IAM password policy requires at least one lowercase letter

CHECK PWD POLICY MIN ONE UPPERCASE LETTER

IAM

Ensure IAM password policy requires at least one uppercase letter

CHECK KEY ROTATION ENABLED FOR CMK

Keys

Ensure rotation for customer created CMKs is enabled

  • No labels