CIS Rules
Overview
The CIS Benchmark rules evaluated for your Amazon Web Services (AWS) cloud provider are listed below.
RULE NAME | RESOURCE TYPE | DESCRIPTION |
CLOUDTRAIL S3 BUCKET IS NOT PUBLIC | CloudTrail | Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible |
CLOUDTRAIL IS ENABLED IN ALL REGIONS | CloudTrail | Ensure at least one multi-region trail exists that captures management events with read/write type All |
CHECK FILTER AND ALARM EXISTS FOR UNAUTHORIZED API CALLS | CloudTrail | Ensure a log metric filter and alarm exist for unauthorized API calls |
CHECK FILTER AND ALARM EXIST FOR NON MFA MGMT ACCESS | CloudTrail | Ensure a log metric filter and alarm exist for Management Console sign-in without MFA |
CHECK FILTER AND ALARM EXIST FOR USAGE OF ROOT ACCOUNT | CloudTrail | Ensure a log metric filter and alarm exist for usage of root account |
CHECK FILTER AND ALARM EXIST FOR IAM POLICY CHANGES | CloudTrail | Ensure a log metric filter and alarm exist for IAM policy changes |
CHECK FILTER AND ALARM EXIST FOR CLOUDTRAIL CHANGES | CloudTrail | Ensure a log metric filter and alarm exist for CloudTrail configuration changes |
CHECK FILTER AND ALARM EXIST FOR MGMT CONSOLE AUTH FAILURES | CloudTrail | Ensure a log metric filter and alarm exist for AWS Management Console authentication failures |
CHECK FILTER AND ALARM EXIST FOR DISABLING OR DELETING CMK | CloudTrail | Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs |
CHECK FILTER AND ALARM EXIST FOR S3 BUCKET POLICY CHANGES | CloudTrail | Ensure a log metric filter and alarm exist for S3 Bucket policy changes |
CHECK FILTER AND ALARM EXIST FOR CONFIG CONFIGURATION CHANGES | CloudTrail | Ensure a log metric filter and alarm exist for AWS Config configuration changes |
CHECK FILTER AND ALARM EXIST FOR SECURITY GROUP CHANGES | CloudTrail | Ensure a log metric filter and alarm exist for Security Group changes |
CHECK FILTER AND ALARM EXIST FOR NACL CHANGES | CloudTrail | Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) |
CHECK FILTER AND ALARM EXIST FOR NETWORK GATEWAY CHANGES | CloudTrail | Ensure a log metric filter and alarm exist for changes to Network Gateways |
CHECK FILTER AND ALARM EXIST FOR ROUTE TABLE CHANGES | CloudTrail | Ensure a log metric filter and alarm exist for Route Table changes |
CHECK FILTER AND ALARM EXIST FOR VPC CHANGES | CloudTrail | Ensure a log metric filter and alarm exist for VPC changes |
CLOUDTRAIL S3 BUCKET ACCESS LOGGING ENABLED | CloudTrail | Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket |
CLOUDTRAIL ENCRYPTED WITH KMS CMK | CloudTrail | Ensure CloudTrail logs are encrypted at rest using KMS CMKs |
CLOUDTRAIL INTEGRATED WITH CLOUDWATCH | CloudTrail | Ensure CloudTrail trails are integrated with CloudWatch Logs |
CLOUDTRAIL LOGFILE VALIDATION ENABLED | CloudTrail | Ensure CloudTrail log file validation is enabled |
CHECK CONFIG ENABLED FOR ALL REGIONS | Config | Ensure AWS Config is enabled for all regions |
CHECK SECURITY GROUP RDP OPEN TO PUBLIC | EC2 | Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 |
CHECK SECURITY GROUP SSH OPEN TO PUBLIC | EC2 | Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 |
CHECK MFA ENABLED FOR ROOT ACCOUNT | IAM | Ensure MFA is enabled for root account |
IAM KEYS OLDER THAN 90 DAYS | IAM | Ensure access keys are rotated every 90 days or less |
CHECK HARDWARE MFA ENABLED FOR ROOT ACCOUNT | IAM | Ensure Hardware MFA is enabled for root account |
CHECK NO IAM POLICY WITH FULL ADMIN PRIVILEGES | IAM | Ensure IAM policies that allow full "*:*" administrative privileges are not created |
CHECK PWD POLICY PASSWORD EXPIRES IN 90 DAYS | IAM | Ensure IAM password policy expires passwords within 90 days or less |
CHECK CREDENTIAL UNUSED FOR 90 DAYS | IAM | Ensure credentials unused for 90 days or more are disabled |
CHECK PWD POLICY MIN 14 CHARACTERS | IAM | Ensure IAM password policy requires minimum length of 14 or greater |
CHECK PWD POLICY PREVENTS PASSWORD REUSE | IAM | Ensure IAM password policy prevents reuse of the last 24 passwords |
CHECK PWD POLICY MIN ONE NUMBER | IAM | Ensure IAM password policy requires at least one number |
CHECK PWD POLICY MIN ONE SYMBOL | IAM | Ensure IAM password policy requires at least one symbol |
CHECK IAM POLICIES ATTACHED ONLY TO GROUP OR ROLES | IAM | Ensure IAM policies are attached only to groups or roles |
CHECK SUPPORT ROLE EXISTS | IAM | Ensure a support role has been created to manage incidents with AWS support |
CHECK PWD POLICY MIN ONE LOWERCASE LETTER | IAM | Ensure IAM password policy requires at least one lowercase letter |
CHECK PWD POLICY MIN ONE UPPERCASE LETTER | IAM | Ensure IAM password policy requires at least one uppercase letter |
CHECK KEY ROTATION ENABLED FOR CMK | Keys | Ensure rotation for customer created CMKs is enabled |
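The two EC2 rules above (SSH and RDP open to 0.0.0.0/0) are easy to under-check if you only look for a rule whose FromPort equals 22 or 3389. The following is an added example, not CloudSphere's own rule logic, showing how to evaluate a security group the way a practitioner would: a rule with IpProtocol "-1" (all traffic) has no port fields at all, a port range such as 0-1024 still covers port 22, and ICMP rules carry type/code in FromPort/ToPort rather than ports. It also treats ::/0 as world-open, which goes slightly beyond the rule text (which names 0.0.0.0/0 only); that extension, the `world_open_admin_ports` function name and the sample groups are all assumptions made for this example. The input shape mirrors what boto3's `ec2.describe_security_groups()` returns under `SecurityGroups`, but the sample data here is constructed, so the script runs offline.

```python
"""Evaluate security groups for admin ports open to the world (added example)."""

# Both CIDRs mean "anywhere"; ::/0 is this example's extension of the 0.0.0.0/0 rule text.
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
ADMIN_PORTS = (22, 3389)  # SSH and RDP, the two ports the rules above name

# ICMP rules store type/code in FromPort/ToPort, so they can never "cover" a TCP/UDP port.
ICMP_PROTOCOLS = {"icmp", "icmpv6", "1", "58"}


def rule_is_world_open(perm):
    """True if any IPv4 or IPv6 range on this IpPermission entry is 0.0.0.0/0 or ::/0."""
    v4 = any(r.get("CidrIp") in WORLD_CIDRS for r in perm.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") in WORLD_CIDRS for r in perm.get("Ipv6Ranges", []))
    return v4 or v6


def rule_covers_port(perm, port):
    """True if this IpPermission entry admits traffic to `port` (any non-ICMP protocol)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        # "All traffic": the API omits FromPort/ToPort entirely, so a naive
        # FromPort == 22 comparison would miss this, the most open rule of all.
        return True
    if proto in ICMP_PROTOCOLS:
        return False
    # Missing ports default to -1 so a malformed entry never matches by accident.
    return perm.get("FromPort", -1) <= port <= perm.get("ToPort", -1)


def world_open_admin_ports(security_groups, ports=ADMIN_PORTS):
    """Return sorted (GroupId, port, IpProtocol) findings for world-open admin ports."""
    findings = set()
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            if not rule_is_world_open(perm):
                continue
            for port in ports:
                if rule_covers_port(perm, port):
                    findings.add((sg["GroupId"], port, perm.get("IpProtocol")))
    return sorted(findings)


# Constructed sample in the shape of describe_security_groups()["SecurityGroups"].
SAMPLE_SECURITY_GROUPS = [
    {   # classic finding: SSH from anywhere
        "GroupId": "sg-ssh",
        "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                           "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}],
    },
    {   # port range hides SSH; IPv6-only world range; 3389 is outside the range
        "GroupId": "sg-range",
        "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024,
                           "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}],
    },
    {   # "all traffic" rule: no port fields at all, covers both ports
        "GroupId": "sg-all",
        "IpPermissions": [{"IpProtocol": "-1",
                           "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}],
    },
    {   # RDP over UDP from anywhere is still RDP exposure
        "GroupId": "sg-rdp-udp",
        "IpPermissions": [{"IpProtocol": "udp", "FromPort": 3389, "ToPort": 3389,
                           "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}],
    },
    {   # compliant: SSH only from a private range, plus a world-open ICMP echo rule
        "GroupId": "sg-ok",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
            {"IpProtocol": "icmp", "FromPort": 8, "ToPort": -1,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
]

if __name__ == "__main__":
    for group_id, port, proto in world_open_admin_ports(SAMPLE_SECURITY_GROUPS):
        print(f"FAIL {group_id}: port {port} open to the world via protocol {proto}")
```

Against real accounts, replace `SAMPLE_SECURITY_GROUPS` with the `SecurityGroups` list from boto3's `describe_security_groups()` (paginated) in every region, since the rule is per-region; a group that only appears in the output of one region is still a finding.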
© 2020 CloudSphere