Operational Best Practices for CIS AWS Foundations Benchmark v1.4 Level 1 - AWS Config

Conformance packs provide a general-purpose compliance framework designed to enable you to create security, operational or cost-optimization governance checks using managed or custom AWS Config rules and AWS Config remediation actions. Conformance Packs, as sample templates, are not designed to fully ensure compliance with a specific governance or compliance standard. You are responsible for making your own assessment of whether your use of the Services meets applicable legal and regulatory requirements.

The following provides a sample mapping between the Center for Internet Security (CIS) Amazon Web Services Foundation v1.4 Level 1 and AWS managed Config rules/AWS Config Process Checks. Each Config rule applies to a specific AWS resource, and relates to one or more CIS Amazon Web Services Foundation v1.4 Level 1 controls. A CIS Amazon Web Services Foundation v1.4 Level 1 control can be related to multiple Config rules. Refer to the table below for more detail and guidance related to these mappings.

For more information about process checks, see process-checks.

Each entry below gives the Control ID and Control Description, then the AWS Config Rule (or process check), then the Guidance.
1.1 Maintain current contact details

account-contact-details-configured (Process Check)

Ensure the contact email and telephone number for AWS accounts are current and map to more than one individual in your organization. Within the My Account section of the console, ensure correct information is specified in the Contact Information section. For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.4.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/
1.2 Ensure security contact information is registered

account-security-contact-configured (Process Check)

Ensure the contact email and telephone number for your organization's security team are current. Within the My Account section of the AWS Management Console, ensure the correct information is specified in the Security section. For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.4.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/
1.4 Ensure no 'root' user access key exists

iam-root-access-key-check

Access to systems and assets can be controlled by checking that the root user does not have access keys attached to their AWS Identity and Access Management (IAM) role. Ensure that the root access keys are deleted. Instead, create and use role-based AWS accounts to help to incorporate the principle of least functionality.
1.5 Ensure MFA is enabled for the 'root' user

root-account-mfa-enabled

Manage access to resources in the AWS Cloud by ensuring MFA is enabled for the root user. The root user is the most privileged user in an AWS account. MFA adds an extra layer of protection for a user name and password. By requiring MFA for the root user, you can reduce the incidents of compromised AWS accounts.
1.7 Eliminate use of the 'root' user for administrative and daily tasks

root-account-regular-use (Process Check)

Ensure the use of the root account is avoided for everyday tasks. Within IAM, run a credential report to examine when the root user was last used. For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.4.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/
1.8 Ensure IAM password policy requires minimum length of 14 or greater

iam-password-policy

The identities and the credentials are issued, managed, and verified based on an organizational IAM password policy. They meet or exceed requirements as stated by NIST SP 800-63 and the AWS Foundational Security Best Practices standard for password strength. This rule allows you to optionally set RequireUppercaseCharacters (AWS Foundational Security Best Practices value: true), RequireLowercaseCharacters (AWS Foundational Security Best Practices value: true), RequireSymbols (AWS Foundational Security Best Practices value: true), RequireNumbers (AWS Foundational Security Best Practices value: true), MinimumPasswordLength (AWS Foundational Security Best Practices value: 14), PasswordReusePrevention (AWS Foundational Security Best Practices value: 24), and MaxPasswordAge (AWS Foundational Security Best Practices value: 90) for your IAM Password Policy. The actual values should reflect your organization's policies.
1.9 Ensure IAM password policy prevents password reuse

iam-password-policy

The identities and the credentials are issued, managed, and verified based on an organizational IAM password policy. They meet or exceed requirements as stated by NIST SP 800-63 and the AWS Foundational Security Best Practices standard for password strength. This rule allows you to optionally set RequireUppercaseCharacters (AWS Foundational Security Best Practices value: true), RequireLowercaseCharacters (AWS Foundational Security Best Practices value: true), RequireSymbols (AWS Foundational Security Best Practices value: true), RequireNumbers (AWS Foundational Security Best Practices value: true), MinimumPasswordLength (AWS Foundational Security Best Practices value: 14), PasswordReusePrevention (AWS Foundational Security Best Practices value: 24), and MaxPasswordAge (AWS Foundational Security Best Practices value: 90) for your IAM Password Policy. The actual values should reflect your organization's policies.
1.10 Ensure multi-factor authentication (MFA) is enabled for all users that have a console password

mfa-enabled-for-iam-console-access

Manage access to resources in the AWS Cloud by ensuring that MFA is enabled for all AWS Identity and Access Management (IAM) users that have a console password. MFA adds an extra layer of protection on top of sign-in credentials. By requiring MFA for users, you can reduce incidents of compromised accounts and keep sensitive data from being accessed by unauthorized users.
1.11 Do not set up access keys during initial user setup for all users that have a console password

iam-user-console-and-api-access-at-creation (Process Check)

Ensure access keys are not set up during the initial user setup for all users that have a console password. For all users with console access, compare the user `Creation time` to the Access Key `Created` date. For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.4.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/
1.12 Ensure credentials unused for 45 days or greater are disabled

iam-user-unused-credentials-check

AWS Identity and Access Management (IAM) can help you with access permissions and authorizations by checking for IAM passwords and access keys that are not used for a specified time period. If these unused credentials are identified, you should disable and/or remove the credentials, as this may violate the principle of least privilege. This rule requires you to set a value to the maxCredentialUsageAge (CIS Standard value: 45). The actual value should reflect your organization's policies.
1.13 Ensure there is only one active access key available for any single user

iam-user-single-access-key (Process Check)

Ensure there is only one active access key available for any single user. For all users, check that there is only one active key used within the Security Credentials tab for each user within IAM. For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.4.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/
1.14 Ensure access keys are rotated every 90 days or less

access-keys-rotated

The credentials are audited for authorized devices, users, and processes by ensuring IAM access keys are rotated as specified by the organizational policy. Changing the access keys on a regular schedule is a security best practice. It shortens the period an access key is active and reduces the business impact if the keys are compromised. This rule requires an access key rotation value (Config Default: 90). The actual value should reflect your organization's policies.
1.15 Ensure users Receive Permissions Only Through Groups

iam-user-no-policies-check

This rule ensures AWS Identity and Access Management (IAM) policies are attached only to groups or roles to control access to systems and assets. Assigning privileges at the group or the role level helps to reduce opportunity for an identity to receive or retain excessive privileges.
1.15 Ensure users Receive Permissions Only Through Groups

iam-no-inline-policy-check

Ensure an AWS Identity and Access Management (IAM) user, IAM role or IAM group does not have an inline policy to control access to systems and assets. AWS recommends using managed policies instead of inline policies. Managed policies allow reusability, versioning and rolling back, and delegating permissions management.
1.15 Ensure users Receive Permissions Only Through Groups

iam-user-group-membership-check

AWS Identity and Access Management (IAM) can help you restrict access permissions and authorizations, by ensuring users are members of at least one group. Allowing users more privileges than needed to complete a task may violate the principle of least privilege and separation of duties.
1.16 Ensure IAM policies that allow full "*:*" administrative privileges are not attached

iam-policy-no-statements-with-admin-access

AWS Identity and Access Management (IAM) can help you incorporate the principles of least privilege and separation of duties with access permissions and authorizations, restricting policies from containing "Effect": "Allow" with "Action": "*" over "Resource": "*". Allowing users to have more privileges than needed to complete a task may violate the principle of least privilege and separation of duties.
1.17 Ensure a support role has been created to manage incidents with AWS Support

iam-policy-in-use

AWS Identity and Access Management (IAM) can help you manage access permissions and authorizations by ensuring that IAM policies are assigned to the appropriate users, roles, or groups. Restricting these policies also incorporates the principles of least privilege and separation of duties. This rule requires that you set the policyARN to arn:aws:iam::aws:policy/AWSSupportAccess, for incident management with AWS Support.
1.19 Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed

iam-expired-certificates (Process Check)

Ensure that all the expired SSL/TLS certificates stored in IAM are removed. From the command line with the installed AWS CLI, run the `aws iam list-server-certificates` command and determine if there are any expired server certificates. For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.4.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/
1.20 Ensure that AWS IAM Access Analyzer is enabled

iam-access-analyzer-enabled (Process Check)

Ensure that IAM Access Analyzer is enabled. Within the IAM section of the console, select Access Analyzer and ensure that the STATUS is set to Active. For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.4.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/
2.1.3 Ensure MFA Delete is enabled on S3 buckets

s3-bucket-versioning-enabled

Amazon Simple Storage Service (Amazon S3) bucket versioning helps keep multiple variants of an object in the same Amazon S3 bucket. Adding multi-factor authentication (MFA) delete to an S3 bucket requires an additional factor of authentication in order to change the version state of your bucket or to delete an object version. MFA delete can add an additional layer of security in the event security credentials are compromised or unauthorized access is granted.
2.1.5 Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'

s3-account-level-public-access-blocks-periodic

Manage access to resources in the AWS Cloud by ensuring that Amazon Simple Storage Service (Amazon S3) buckets cannot be publicly accessed. This rule helps keep sensitive data safe from unauthorized remote users by preventing public access. This rule allows you to optionally set the ignorePublicAcls (Config Default: True), blockPublicPolicy (Config Default: True), blockPublicAcls (Config Default: True), and restrictPublicBuckets parameters (Config Default: True). The actual values should reflect your organization's policies.
2.1.5 Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'

s3-bucket-level-public-access-prohibited

Manage access to resources in the AWS Cloud by ensuring that Amazon Simple Storage Service (Amazon S3) buckets cannot be publicly accessed. This rule helps keep sensitive data safe from unauthorized remote users by preventing public access at the bucket level.
2.2.1 Ensure EBS volume encryption is enabled

encrypted-volumes

Because sensitive data can exist at rest, and to help protect it, ensure encryption is enabled for your Amazon Elastic Block Store (Amazon EBS) volumes.
2.2.1 Ensure EBS volume encryption is enabled

ec2-ebs-encryption-by-default

To help protect data at rest, ensure that encryption is enabled for your Amazon Elastic Block Store (Amazon EBS) volumes. Because sensitive data can exist at rest in these volumes, enable encryption at rest to help protect that data.
2.3.1 Ensure that encryption is enabled for RDS Instances

rds-snapshot-encrypted

Ensure that encryption is enabled for your Amazon Relational Database Service (Amazon RDS) snapshots. Because sensitive data can exist at rest, enable encryption at rest to help protect that data.
2.3.1 Ensure that encryption is enabled for RDS Instances

rds-storage-encrypted

To help protect data at rest, ensure that encryption is enabled for your Amazon Relational Database Service (Amazon RDS) instances. Because sensitive data can exist at rest in Amazon RDS instances, enable encryption at rest to help protect that data.
3.1 Ensure CloudTrail is enabled in all regions

multi-region-cloudtrail-enabled

AWS CloudTrail records AWS Management Console actions and API calls. You can identify which users and accounts called AWS, the source IP address from where the calls were made, and when the calls occurred. CloudTrail will deliver log files from all AWS Regions to your S3 bucket if MULTI_REGION_CLOUD_TRAIL_ENABLED is enabled. Additionally, when AWS launches a new Region, CloudTrail will create the same trail in the new Region. As a result, you will receive log files containing API activity for the new Region without taking any action.
3.3 Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible

s3-bucket-public-read-prohibited

Manage access to resources in the AWS Cloud by only allowing authorized users, processes, and devices access to Amazon Simple Storage Service (Amazon S3) buckets. The management of access should be consistent with the classification of the data.
3.3 Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible

s3-bucket-public-write-prohibited

Manage access to resources in the AWS Cloud by only allowing authorized users, processes, and devices access to Amazon Simple Storage Service (Amazon S3) buckets. The management of access should be consistent with the classification of the data.
3.3 Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible

s3-bucket-level-public-access-prohibited

Manage access to resources in the AWS Cloud by ensuring that Amazon Simple Storage Service (Amazon S3) buckets cannot be publicly accessed. This rule helps keep sensitive data safe from unauthorized remote users by preventing public access at the bucket level.
3.4 Ensure CloudTrail trails are integrated with CloudWatch Logs

cloud-trail-cloud-watch-logs-enabled

Use Amazon CloudWatch to centrally collect and manage log event activity. Inclusion of AWS CloudTrail data provides details of API call activity within your AWS account.
3.6 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket

s3-bucket-logging-enabled

Amazon Simple Storage Service (Amazon S3) server access logging provides a method to monitor the network for potential cybersecurity events. The events are monitored by capturing detailed records for the requests that are made to an Amazon S3 bucket. Each access log record provides details about a single access request. The details include the requester, bucket name, request time, request action, response status, and an error code, if relevant.
4.1 Ensure a log metric filter and alarm exist for unauthorized API calls

alarm-unauthorized-api-calls (Process Check)

Ensure a log metric filter and an alarm exist for unauthorized API calls. For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.4.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/
4.2 Ensure a log metric filter and alarm exist for Management Console sign-in without MFA

alarm-sign-in-without-mfa (Process Check)

Ensure a log metric filter and an alarm exist for AWS Management Console sign-in without Multi-Factor Authentication (MFA). For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.4.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/
4.3 Ensure a log metric filter and alarm exist for usage of 'root' account

alarm-root-account-use (Process Check)

Ensure a log metric filter and an alarm exist for usage of the root account. For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.4.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/
4.4 Ensure a log metric filter and alarm exist for IAM policy changes

alarm-iam-policy-change (Process Check)

Ensure a log metric filter and an alarm exist for IAM policy changes. For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.4.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/
4.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes

alarm-cloudtrail-config-change (Process Check)

Ensure a log metric filter and an alarm exist for AWS CloudTrail configuration changes. For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.4.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/
4.8 Ensure a log metric filter and alarm exist for S3 bucket policy changes

alarm-s3-bucket-policy-change (Process Check)

Ensure a log metric filter and an alarm exist for Amazon S3 bucket policy changes. For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.4.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/
4.12 Ensure a log metric filter and alarm exist for changes to network gateways

alarm-vpc-network-gateway-change (Process Check)

Ensure a log metric filter and an alarm exist for changes to network gateways. For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.4.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/
4.13 Ensure a log metric filter and alarm exist for route table changes

alarm-vpc-route-table-change (Process Check)

Ensure a log metric filter and an alarm exist for route table changes. For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.4.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/
4.14 Ensure a log metric filter and alarm exist for VPC changes

alarm-vpc-change (Process Check)

Ensure a log metric filter and an alarm exist for Amazon Virtual Private Cloud (VPC) changes. For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.4.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/
4.15 Ensure a log metric filter and alarm exist for AWS Organizations changes

alarm-organizations-change (Process Check)

Ensure a log metric filter and an alarm exist for AWS Organizations changes. For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.4.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/
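The 4.x rows above are process checks: AWS Config cannot evaluate them, so the metric filter and alarm have to exist on the CloudTrail log group from control 3.4. The following is an added example (not the AWS-published template) of what control 4.1 asks for, as a CloudFormation fragment; the log group name, the SNS topic ARN and the metric namespace are placeholders, and the filter pattern is an illustrative match on authorization-failure error codes rather than the exact pattern text in the CIS 1.4.0 document.

```yaml
# Added example, not part of the AWS conformance pack template.
# Assumes CloudTrail already delivers to the log group below (control 3.4)
# and that the SNS topic for security alerts exists; both names are placeholders.
Resources:
  UnauthorizedApiCallsFilter:
    Type: AWS::Logs::MetricFilter
    Properties:
      LogGroupName: CloudTrail/DefaultLogGroup            # placeholder
      # Illustrative pattern: CloudTrail events whose errorCode shows an
      # authorization failure. Check the CIS 1.4.0 document for the exact text.
      FilterPattern: '{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }'
      MetricTransformations:
        - MetricNamespace: CISBenchmark                  # placeholder namespace
          MetricName: UnauthorizedAPICalls
          MetricValue: '1'                               # count one per matching event
  UnauthorizedApiCallsAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: CIS-4.1-UnauthorizedAPICalls
      AlarmDescription: CloudTrail recorded one or more unauthorized API calls
      Namespace: CISBenchmark
      MetricName: UnauthorizedAPICalls
      Statistic: Sum
      Period: 300                                        # five-minute window
      EvaluationPeriods: 1
      Threshold: 1                                       # any matching event alarms
      ComparisonOperator: GreaterThanOrEqualToThreshold
      TreatMissingData: notBreaching                     # no events means no alarm
      AlarmActions:
        - arn:aws:sns:us-east-1:111122223333:security-alerts   # placeholder
```

The same filter-plus-alarm shape serves controls 4.2 through 4.15; only the filter pattern and the names change.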
5.1 Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports

nacl-no-unrestricted-ssh-rdp

Ensure no network ACLs allow public ingress to the remote server administration ports. Within the VPC section of the console, ensure there are no network ACLs with a source of '0.0.0.0/0' allowing ports or port ranges that include remote server administration ports. For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.4.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/
5.2 Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports

restricted-ssh

Amazon Elastic Compute Cloud (Amazon EC2) security groups can help manage network access by providing stateful filtering of ingress and egress network traffic to AWS resources. Not allowing ingress (or remote) traffic from 0.0.0.0/0 to port 22 on your resources helps you restrict remote access.
5.2 Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports

restricted-common-ports

Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems. This rule allows you to optionally set blockedPort1 - blockedPort5 parameters (CIS Standard value: 3389). The actual values should reflect your organization's policies.
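Several rules in the mapping take input parameters whose CIS or AWS Foundational Security Best Practices values the guidance column cites (1.8/1.9, 1.12, 1.14, 1.17, 2.1.5 and 5.2). The following is an added example, not the AWS-published template, showing those rules declared in a conformance pack fragment with exactly those values; the logical resource names are arbitrary, and the S3 rule's parameter names are spelled as in that rule's own documentation rather than as in the guidance text above.

```yaml
# Added example, not the AWS conformance pack template. Values are the ones the
# guidance column cites; adjust them to your organization's policy.
Resources:
  IamPasswordPolicy:                    # controls 1.8 and 1.9
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: iam-password-policy
      Source:
        Owner: AWS
        SourceIdentifier: IAM_PASSWORD_POLICY
      InputParameters:
        RequireUppercaseCharacters: 'true'
        RequireLowercaseCharacters: 'true'
        RequireSymbols: 'true'
        RequireNumbers: 'true'
        MinimumPasswordLength: '14'     # 1.8: minimum length of 14 or greater
        PasswordReusePrevention: '24'   # 1.9: prevent password reuse
        MaxPasswordAge: '90'
  IamUserUnusedCredentialsCheck:        # control 1.12
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: iam-user-unused-credentials-check
      Source:
        Owner: AWS
        SourceIdentifier: IAM_USER_UNUSED_CREDENTIALS_CHECK
      InputParameters:
        maxCredentialUsageAge: '45'     # CIS standard value: 45 days
  AccessKeysRotated:                    # control 1.14
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: access-keys-rotated
      Source:
        Owner: AWS
        SourceIdentifier: ACCESS_KEYS_ROTATED
      InputParameters:
        maxAccessKeyAge: '90'           # rotate every 90 days or less
  IamPolicyInUse:                       # control 1.17
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: iam-policy-in-use
      Source:
        Owner: AWS
        SourceIdentifier: IAM_POLICY_IN_USE
      InputParameters:
        policyARN: arn:aws:iam::aws:policy/AWSSupportAccess
        policyUsageType: ANY            # attached to any user, group or role
  S3AccountLevelPublicAccessBlocks:     # control 2.1.5
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: s3-account-level-public-access-blocks-periodic
      Source:
        Owner: AWS
        SourceIdentifier: S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS_PERIODIC
      InputParameters:                  # names as in the rule documentation
        IgnorePublicAcls: 'True'
        BlockPublicPolicy: 'True'
        BlockPublicAcls: 'True'
        RestrictPublicBuckets: 'True'
  RestrictedCommonPorts:                # control 5.2 (RDP); 1.x to 5.x set here
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: restricted-common-ports
      Source:
        Owner: AWS
        SourceIdentifier: RESTRICTED_INCOMING_TRAFFIC
      InputParameters:
        blockedPort1: '3389'            # CIS standard value; blockedPort2-5 optional
```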

Template

The template is available on GitHub: Operational Best Practices for CIS AWS Foundations Benchmark v1.4 Level 1.