Operational Best Practices for CIS AWS Foundations Benchmark v1.4 Level 1
Conformance packs provide a general-purpose compliance framework designed to enable you to create security, operational or cost-optimization governance checks using managed or custom AWS Config rules and AWS Config remediation actions. Conformance Packs, as sample templates, are not designed to fully ensure compliance with a specific governance or compliance standard. You are responsible for making your own assessment of whether your use of the Services meets applicable legal and regulatory requirements.
The following provides a sample mapping between the Center for Internet Security (CIS) Amazon Web Services Foundation v1.4 Level 1 and AWS managed Config rules/AWS Config Process Checks. Each Config rule applies to a specific AWS resource, and relates to one or more CIS Amazon Web Services Foundation v1.4 Level 1 controls. A CIS Amazon Web Services Foundation v1.4 Level 1 control can be related to multiple Config rules. Refer to the table below for more detail and guidance related to these mappings.
For more information about process checks, see process-checks.
| Control ID | Control Description | AWS Config Rule | Guidance |
|---|---|---|---|
| 1.1 | Maintain current contact details | account-contact-details-configured (process check) | Ensure the contact email and telephone number for AWS accounts are current and map to more than one individual in your organization. Within the My Account section of the console ensure correct information is specified in the Contact Information section. For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.4.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/ |
| 1.2 | Ensure security contact information is registered | account-security-contact-configured (Process Check) | Ensure the contact email and telephone number for the your organizations security team are current. Within the My Account section of the AWS Management Console ensure the correct information is specified in the Security section. For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.4.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/ |
| 1.4 | Ensure no 'root' user access key exists | Access to systems and assets can be controlled by checking that the root user does not have access keys attached to their AWS Identity and Access Management (IAM) role. Ensure that the root access keys are deleted. Instead, create and use role-based AWS accounts to help to incorporate the principle of least functionality. | |
| 1.5 | Ensure MFA is enabled for the 'root' user | Manage access to resources in the AWS Cloud by ensuring MFA is enabled for the root user. The root user is the most privileged user in an AWS account. The MFA adds an extra layer of protection for a user name and password. By requiring MFA for the root user, you can reduce the incidents of compromised AWS accounts. | |
| 1.7 | Eliminate use of the 'root' user for administrative and daily tasks | root-account-regular-use (Process Check) | Ensure the use of the root account is avoided for everyday tasks. Within IAM, run a credential report to examine when the root user was last used. For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.4.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/ |
| 1.8 | Ensure IAM password policy requires minimum length of 14 or greater | The identities and the credentials are issued, managed, and verified based on an organizational IAM password policy. They meet or exceed requirements as stated by NIST SP 800-63 and the AWS Foundational Security Best Practices standard for password strength. This rule allows you to optionally set RequireUppercaseCharacters (AWS Foundational Security Best Practices value: true), RequireLowercaseCharacters (AWS Foundational Security Best Practices value: true), RequireSymbols (AWS Foundational Security Best Practices value: true), RequireNumbers (AWS Foundational Security Best Practices value: true), MinimumPasswordLength (AWS Foundational Security Best Practices value: 14), PasswordReusePrevention (AWS Foundational Security Best Practices value: 24), and MaxPasswordAge (AWS Foundational Security Best Practices value: 90) for your IAM Password Policy. The actual values should reflect your organization's policies. | |
| 1.9 | Ensure IAM password policy prevents password reuse | The identities and the credentials are issued, managed, and verified based on an organizational IAM password policy. They meet or exceed requirements as stated by NIST SP 800-63 and the AWS Foundational Security Best Practices standard for password strength. This rule allows you to optionally set RequireUppercaseCharacters (AWS Foundational Security Best Practices value: true), RequireLowercaseCharacters (AWS Foundational Security Best Practices value: true), RequireSymbols (AWS Foundational Security Best Practices value: true), RequireNumbers (AWS Foundational Security Best Practices value: true), MinimumPasswordLength (AWS Foundational Security Best Practices value: 14), PasswordReusePrevention (AWS Foundational Security Best Practices value: 24), and MaxPasswordAge (AWS Foundational Security Best Practices value: 90) for your IAM Password Policy. The actual values should reflect your organization's policies. | |
| 1.10 | Ensure multi-factor authentication (MFA) is enabled for all users that have a console password | Manage access to resources in the AWS Cloud by ensuring that MFA is enabled for all AWS Identity and Access Management (IAM) users that have a console password. MFA adds an extra layer of protection on top of sign-in credentials. By requiring MFA for users, you can reduce incidents of compromised accounts and keep sensitive data from being accessed by unauthorized users. | |
| 1.11 | Do not setup access keys during initial user setup for all users that have a console password | iam-user-console-and-api-access-at-creation (Process Check) | Ensure access keys are not setup during the initial user setup for all users that have a console password. For all users with console access, compare the user 'Creation time` to the Access Key `Created` date. For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.4.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/ |
| 1.12 | Ensure credentials unused for 45 days or greater are disabled | AWS Identity and Access Management (IAM) can help you with access permissions and authorizations by checking for IAM passwords and access keys that are not used for a specified time period. If these unused credentials are identified, you should disable and/or remove the credentials, as this may violate the principle of least privilege. This rule requires you to set a value to the maxCredentialUsageAge (CIS Standard value: 45). The actual value should reflect your organization's policies. | |
| 1.13 | Ensure there is only one active access key available for any single user | iam-user-single-access-key (Process Check) | Ensure there is only one active access key available for any single user. For all users check that there is only one active key used within the Security Credentials tab for each user within IAM. For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.4.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/ |
| 1.14 | Ensure access keys are rotated every 90 days or less | The credentials are audited for authorized devices, users, and processes by ensuring IAM access keys are rotated as per organizational policy. Changing the access keys on a regular schedule is a security best practice. It shortens the period an access key is active and reduces the business impact if the keys are compromised. This rule requires an access key rotation value (Config Default: 90). The actual value should reflect your organization's policies. | |
| 1.15 | Ensure users Receive Permissions Only Through Groups | This rule ensures AWS Identity and Access Management (IAM) policies are attached only to groups or roles to control access to systems and assets. Assigning privileges at the group or the role level helps to reduce opportunity for an identity to receive or retain excessive privileges. | |
| 1.15 | Ensure users Receive Permissions Only Through Groups | Ensure an AWS Identity and Access Management (IAM) user, IAM role or IAM group does not have an inline policy to control access to systems and assets. AWS recommends to use managed policies instead of inline policies. The managed policies allow reusability, versioning and rolling back, and delegating permissions management. | |
| 1.15 | Ensure users Receive Permissions Only Through Groups | AWS Identity and Access Management (IAM) can help you restrict access permissions and authorizations, by ensuring users are members of at least one group. Allowing users more privileges than needed to complete a task may violate the principle of least privilege and separation of duties. | |
| 1.16 | Ensure IAM policies that allow full "*:*" administrative privileges are not attached | AWS Identity and Access Management (IAM) can help you incorporate the principles of least privilege and separation of duties with access permissions and authorizations, restricting policies from containing "Effect": "Allow" with "Action": "*" over "Resource": "*". Allowing users to have more privileges than needed to complete a task may violate the principle of least privilege and separation of duties. | |
| 1.17 | Ensure a support role has been created to manage incidents with AWS Support | AWS Identity and Access Management (IAM) can help you manage access permissions and authorizations by ensuring that IAM policies are assigned to the appropriate users, roles, or groups. Restricting these policies also incorporates the principals of least privilege and separation of duties. This rule requires that you set the policyARN to arn:aws:iam::aws:policy/AWSSupportAccess, for incident management with AWS Support. | |
| 1.19 | Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed | iam-expired-certificates (Process Check) | Ensure that all the expired SSL/TLS certificates stored in IAM are removed. From the command line with the installed AWS CLI run the 'AWS iam list-server-certificates' command and determine if there are any expired server certificates. For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.4.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/ |
| 1.20 | Ensure that AWS IAM Access Analyzer is enabled | iam-access-analyzer-enabled (Process Check) | Ensure that IAM Access Analyzer is enabled. Within the IAM section of the console, select Access Analyzer and ensure that the STATUS is set to Active. For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.4.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/ |
| 2.1.3 | Ensure MFA Delete is enable on S3 buckets | Amazon Simple Storage Service (Amazon S3) bucket versioning helps keep multiple variants of an object in the same Amazon S3 bucket. Adding multi factor authentication (MFA) delete to an S3 bucket requires an additional factor of authentication in order to change the version state of your bucket or to delete and object version. MFA delete can add an additional layer of security in the event security credentials are compromised or unauthorized access is granted. | |
| 2.1.5 | Ensure that S3 Buckets are configured with 'Block public access (bucket settings)' | Manage access to resources in the AWS Cloud by ensuring that Amazon Simple Storage Service (Amazon S3) buckets cannot be publicly accessed. This rule helps keeping sensitive data safe from unauthorized remote users by preventing public access. This rule allows you to optionally set the ignorePublicAcls (Config Default: True), blockPublicPolicy (Config Default: True), blockPublicAcls (Config Default: True), and restrictPublicBuckets parameters (Config Default: True). The actual values should reflect your organization's policies. | |
| 2.1.5 | Ensure that S3 Buckets are configured with 'Block public access (bucket settings)' | Manage access to resources in the AWS Cloud by ensuring that Amazon Simple Storage Service (Amazon S3) buckets cannot be publicly accessed. This rule helps keeping sensitive data safe from unauthorized remote users by preventing public access at the bucket level. | |
| 2.2.1 | Ensure EBS volume encryption is enabled | Because senstive data can exist and to help protect data at rest, ensure encryption is enabled for your Amazon Elastic Block Store (Amazon EBS) volumes. | |
| 2.2.1 | Ensure EBS volume encryption is enabled | To help protect data at rest, ensure that encryption is enabled for your Amazon Elastic Block Store (Amazon EBS) volumes. Because sensitive data can exist at rest in these volumes, enable encryption at rest to help protect that data. | |
| 2.3.1 | Ensure that encryption is enabled for RDS Instances | Ensure that encryption is enabled for your Amazon Relational Database Service (Amazon RDS) snapshots. Because sensitive data can exist at rest, enable encryption at rest to help protect that data. | |
| 2.3.1 | Ensure that encryption is enabled for RDS Instances | To help protect data at rest, ensure that encryption is enabled for your Amazon Relational Database Service (Amazon RDS) instances. Because sensitive data can exist at rest in Amazon RDS instances, enable encryption at rest to help protect that data. | |
| 3.1 | Ensure CloudTrail is enabled in all regions | AWS CloudTrail records AWS Management Console actions and API calls. You can identify which users and accounts called AWS, the source IP address from where the calls were made, and when the calls occurred. CloudTrail will deliver log files from all AWS Regions to your S3 bucket if MULTI_REGION_CLOUD_TRAIL_ENABLED is enabled. Additionally, when AWS launches a new Region, CloudTrail will create the same trail in the new Region. As a result, you will receive log files containing API activity for the new Region without taking any action. | |
| 3.3 | Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible | Manage access to resources in the AWS Cloud by only allowing authorized users, processes, and devices access to Amazon Simple Storage Service (Amazon S3) buckets. The management of access should be consistent with the classification of the data. | |
| 3.3 | Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible | Manage access to resources in the AWS Cloud by only allowing authorized users, processes, and devices access to Amazon Simple Storage Service (Amazon S3) buckets. The management of access should be consistent with the classification of the data. | |
| 3.3 | Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible | Manage access to resources in the AWS Cloud by ensuring that Amazon Simple Storage Service (Amazon S3) buckets cannot be publicly accessed. This rule helps keeping sensitive data safe from unauthorized remote users by preventing public access at the bucket level. | |
| 3.4 | Ensure CloudTrail trails are integrated with CloudWatch Logs | Use Amazon CloudWatch to centrally collect and manage log event activity. Inclusion of AWS CloudTrail data provides details of API call activity within your AWS account. | |
| 3.6 | Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket | Amazon Simple Storage Service (Amazon S3) server access logging provides a method to monitor the network for potential cybersecurity events. The events are monitored by capturing detailed records for the requests that are made to an Amazon S3 bucket. Each access log record provides details about a single access request. The details include the requester, bucket name, request time, request action, response status, and an error code, if relevant. | |
| 4.1 | Ensure a log metric filter and alarm exist for unauthorized API calls | alarm-unauthorized-api-calls (Process Check) | Ensure a log metric filter and an alarm exists for unauthorized API calls. For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.4.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/ |
| 4.2 | Ensure a log metric filter and alarm exist for Management Console sign-in without MFA | alarm-sign-in-without-mfa (Process Check) | Ensure a log metric filter and an alarm exists for AWS Management Console sign-in without Multi-Factor Authentication (MFA). For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.4.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/ |
| 4.3 | Ensure a log metric filter and alarm exist for usage of 'root' account | alarm-root-account-use (Process Check) | Ensure a log metric filter and an alarm exists for usage of the root account. For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.4.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/ |
| 4.4 | Ensure a log metric filter and alarm exist for IAM policy changes | alarm-iam-policy-change (Process Check) | Ensure a log metric filter and an alarm exists for IAM policy changes. For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.4.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/ |
| 4.5 | Ensure a log metric filter and alarm exist for CloudTrail configuration changes | alarm-cloudtrail-config-change (Process Check) | Ensure a log metric filter and an alarm exists for AWS CloudTrail configuration changes. For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.4.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/ |
| 4.8 | Ensure a log metric filter and alarm exist for S3 bucket policy changes | alarm-s3-bucket-policy-change (Process Check) | Ensure a log metric filter and an alarm exists for Amazon S3 bucket policy changes. For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.4.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/ |
| 4.12 | Ensure a log metric filter and alarm exist for changes to network gateways | alarm-vpc-network-gateway-change (Process Check) | Ensure a log metric filter and an alarm exists for changes to network gateways. For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.4.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/ |
| 4.13 | Ensure a log metric filter and alarm exist for route table changes | alarm-vpc-route-table-change (Process Check) | Ensure a log metric filter and an alarm exists for route table changes. For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.4.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/ |
| 4.14 | Ensure a log metric filter and alarm exist for VPC changes | alarm-vpc-change (Process Check) | Ensure a log metric filter and an alarm exists for Amazon Virtual Private Cloud (VPC) changes. For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.4.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/ |
| 4.15 | Ensure a log metric filter and alarm exists for AWS Organizations changes | alarm-organizations-change (Process Check) | Ensure a log metric filter and an alarm exists for AWS Organizations changes. For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.4.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/ |
| 5.1 | Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports | Ensure no network ACLs allow public ingress to the remote server administration ports. Within the VPC section of the console, ensure there are network ACLs with a source of '0.0.0.0/0' with allowing ports or port ranges including remote server admin ports. For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.4.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/ | |
| 5.2 | Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports | Amazon Elastic Compute Cloud (Amazon EC2) Security Groups can help manage network access by providing stateful filtering of ingress and egress network traffic to AWS resources. Not allowing ingress (or remote) traffic from 0.0.0.0/0 to port 22 on your resources help you restricting remote access. | |
| 5.2 | Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports | Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems. This rule allows you to optionally set blockedPort1 - blockedPort5 parameters (CIS Standard value: 3389). The actual values should reflect your organization's policies. |
Template
The template is available on GitHub: Operational Best Practices for CIS AWS Foundations Benchmark v1.4 Level
1
