CIS Benchmark for CIS Amazon Web Services Foundations Benchmark v1.2.0 - AWS Audit Manager

CIS Benchmark for CIS Amazon Web Services Foundations Benchmark v1.2.0

AWS Audit Manager provides two prebuilt frameworks that support the CIS AWS Foundations Benchmark v1.2.0:

  • CIS Benchmark for CIS Amazon Web Services Foundations Benchmark v1.2.0, Level 1

  • CIS Benchmark for CIS Amazon Web Services Foundations Benchmark v1.2.0, Level 1 and 2

Note

What is CIS?

The Center for Internet Security (CIS) is a nonprofit that developed the CIS AWS Foundations Benchmark. This benchmark serves as a set of security configuration best practices for AWS. These industry-accepted best practices go beyond the high-level security guidance already available in that they provide you with clear, step-by-step implementation and assessment procedures.

For more information, see the CIS AWS Foundations Benchmark blog posts on the AWS Security Blog.

Difference between CIS Benchmarks and CIS Controls

CIS Benchmarks are security best practice guidelines that are specific to vendor products. Ranging from operating systems to cloud services and networks devices, the settings that are applied from a benchmark protect the specific systems that your organization use. CIS Controls are foundational best practice guidelines for organization-level systems to follow to help protect against known cyberattack vectors.

Examples
  • CIS Benchmarks are prescriptive. They typically reference a specific setting that can be reviewed and set in the vendor product.

    Example: CIS Amazon Web Services Foundations Benchmark v1.2.0 - 1.13 Ensure MFA is enabled for the "root user" account

    This recommendation provides prescriptive guidance on how to check for this and how to set this on the root account for the AWS environment.

  • CIS Controls are for your organization as a whole. They aren't specific to only one vendor product.

    Example: CIS Controls v7.1 - Sub-Control 4.5 Use Multi-Factor Authentication for All Administrative Access

    This control describes what's expected to be applied within your organization. It doesn't describe how you should apply it for the systems and workloads that you're running (regardless of where they are).

Using these frameworks to support your audit preparation

You can use the CIS AWS Foundations Benchmark v1.2 frameworks in AWS Audit Manager to help you prepare for CIS audits. You can also customize these frameworks and their controls to support internal audits with specific requirements.

Using the frameworks as a starting point, you can create an Audit Manager assessment and start collecting evidence that’s relevant for your audit. After you create an assessment, Audit Manager starts to assess your AWS resources. It does this based on the controls that are defined in the CIS framework. When it's time for an audit, you—or a delegate of your choice—can review the evidence that Audit Manager collected. Either, you can browse the evidence folders in your assessment and choose which evidence you want to include in your assessment report. Or, if you enabled evidence finder, you can search for specific evidence and export it in CSV format, or create an assessment report from your search results. Either way, you can use this assessment report to show that your controls are working as intended.

The framework details are as follows:

Framework name in AWS Audit Manager Number of automated controls Number of manual controls Number of control sets AWS services in scope
CIS Benchmark for CIS Amazon Web Services Foundations Benchmark v1.2.0, Level 1

33

3

4

  • Amazon Elastic Compute Cloud

  • AWS CloudTrail

  • AWS Identity and Access Management

  • AWS Security Hub

CIS Benchmark for CIS Amazon Web Services Foundations Benchmark v1.2.0, Level 1 and 2 45 4 4
  • Amazon Elastic Compute Cloud

  • AWS CloudTrail

  • AWS Identity and Access Management

  • AWS Security Hub

The controls in these frameworks aren't intended to verify if your systems are compliant with the CIS standard. Moreover, they can't guarantee that you'll pass a CIS audit. AWS Audit Manager doesn't automatically check procedural controls that require manual evidence collection.

You can find these frameworks under the Standard frameworks tab of the Framework library in Audit Manager.

For instructions on how to create an assessment using these frameworks, see Creating an assessment.

When you use the Audit Manager console to create an assessment from these standard frameworks, the list of AWS services in scope is selected by default and can’t be edited. This is because Audit Manager automatically maps and selects the data sources and services for you. This selection is made according to the requirements of the CIS Benchmarks. If you need to edit the list of services in scope for these frameworks, you can do so by using the CreateAssessment or UpdateAssessment API operations. Alternatively, you can customize the standard framework and then create an assessment from the custom framework.

For instructions on how to customize these frameworks to support your specific requirements, see Customizing an existing framework and Customizing an existing control.

Prerequisites for using these frameworks

Many controls in the CIS AWS Foundations Benchmark v1.2 frameworks use AWS Config as a data source type. To support these controls, you must enable AWS Config on all accounts in each AWS Region where you enabled Audit Manager. You must also make sure that specific AWS Config rules are enabled, and that these rules are configured correctly.

The following AWS Config rules and parameters are required to collect the correct evidence and capture an accurate compliance status for the CIS AWS Foundations Benchmark v1.2. For instructions on how to enable or configure a rule, see Working with AWS Config Managed Rules.

Required AWS Config rule Required parameters
ACCESS_KEYS_ROTATED
maxAccessKeyAge
  • The maximum number of days without rotation.

  • Type: Int

  • Default: 90 days

  • Compliance requirement: A maximum of 90 days

CLOUD_TRAIL_CLOUD_WATCH_LOGS_ENABLED Not applicable
CLOUD_TRAIL_ENCRYPTION_ENABLED Not applicable
CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED Not applicable
CMK_BACKING_KEY_ROTATION_ENABLED Not applicable
IAM_PASSWORD_POLICY
MaxPasswordAge (Optional)
  • The number of days before password expiration.

  • Type: int

  • Default: 90

  • Compliance requirement: A maximum of 90 days

IAM_PASSWORD_POLICY
MinimumPasswordLength (Optional)
  • The minimum length of the password.

  • Type: int

  • Default: 14

  • Compliance requirement: A minimum of 14 characters

IAM_PASSWORD_POLICY
PasswordReusePrevention (Optional)
  • The number of passwords before allowing reuse.

  • Type: int

  • Default: 24

  • Compliance requirement: A minimum of 24 passwords before reuse

IAM_PASSWORD_POLICY
RequireLowercaseCharacters (Optional)
  • Require at least one lowercase character in password.

  • Type: Boolean

  • Default: True

  • Compliance requirement: At least one lowercase character

IAM_PASSWORD_POLICY
RequireNumbers (Optional)
  • Require at least one number in password.

  • Type: Boolean

  • Default: True

  • Compliance requirement: At least one number character

IAM_PASSWORD_POLICY
RequireSymbols (Optional)
  • Require at least one symbol in password.

  • Type: Boolean

  • Default: True

  • Compliance requirement: At least one symbol character

IAM_PASSWORD_POLICY
RequireUppercaseCharacters (Optional)
  • Require at least one uppercase character in password.

  • Type: Boolean

  • Default: True

  • Compliance requirement: At least one uppercase character

IAM_POLICY_IN_USE

policyARN
  • An IAM policy ARN to be checked.

  • Type: String

  • Compliance requirement: Creates an IAM role for managing incidents with AWS.

policyUsageType (Optional)
  • Specifies whether you expect the policy to be attached to a user, group, or role.

  • Type: String

  • Valid values: IAM_USER | IAM_GROUP | IAM_ROLE | ANY

  • Default value: ANY

  • Compliance requirement: Attach the trust policy to the created IAM role

IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS Not applicable
IAM_ROOT_ACCESS_KEY_CHECK Not applicable
IAM_USER_NO_POLICIES_CHECK Not applicable
IAM_USER_UNUSED_CREDENTIALS_CHECK
maxCredentialUsageAge
  • The maximum number of days that a credential can't be used.

  • Type: Int

  • Default: 90 days

  • Compliance requirement: 90 days or greater

INCOMING_SSH_DISABLED Not applicable
MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS Not applicable
MULTI_REGION_CLOUD_TRAIL_ENABLED Not applicable
RESTRICTED_INCOMING_TRAFFIC
blockedPort1 (Optional)
  • The blocked TCP port number.

  • Type: int

  • Default: 20

  • Compliance requirement: Ensure that no security groups allow ingress on blocked ports

blockedPort2 (Optional)
  • The blocked TCP port number.

  • Type: int

  • Default: 21

  • Compliance requirement: Ensure that no security groups allow ingress on blocked ports

blockedPort3 (Optional)
  • The blocked TCP port number.

  • Type: int

  • Default: 3389

  • Compliance requirement: Ensure that no security groups allow ingress on blocked ports

blockedPort4 (Optional)
  • The blocked TCP port number.

  • Type: int

  • Default: 3306

  • Compliance requirement: Ensure that no security groups allow ingress on blocked ports

blockedPort5 (Optional)
  • The blocked TCP port number.

  • Type: int

  • Default: 4333

  • Compliance requirement: Ensure that no security groups allow ingress on blocked ports

ROOT_ACCOUNT_HARDWARE_MFA_ENABLED Not applicable
ROOT_ACCOUNT_MFA_ENABLED Not applicable
S3_BUCKET_LOGGING_ENABLED
targetBucket (Optional)
  • The target S3 bucket for storing server access logs.

  • Type: String

  • Compliance requirement: Enable logging

targetPrefix (Optional)
  • The prefix of the S3 bucket for storing server access logs.

  • Type: String

  • Compliance requirement: Identify the S3 bucket for CloudTrail logging

S3_BUCKET_PUBLIC_READ_PROHIBITED Not applicable
VPC_DEFAULT_SECURITY_GROUP_CLOSED Not applicable
VPC_FLOW_LOGS_ENABLED
trafficType (Optional)
  • The trafficType of the flow logs.

  • Type: String

  • Compliance requirement: Flow logging is enabled

More CIS resources