Operational Best Practices for CIS AWS Foundations Benchmark v1.3 Level 2 - AWS Config

Operational Best Practices for CIS AWS Foundations Benchmark v1.3 Level 2

Conformance packs provide a general-purpose compliance framework designed to enable you to create security, operational or cost-optimization governance checks using managed or custom AWS Config rules and AWS Config remediation actions. Conformance Packs, as sample templates, are not designed to fully ensure compliance with a specific governance or compliance standard. You are responsible for making your own assessment of whether your use of the Services meets applicable legal and regulatory requirements.

The following provides a sample mapping between the Center for Internet Security (CIS) Amazon Web Services Foundation v1.3 Level 2 and AWS managed Config rules/AWS Config Process Checks. Each Config rule applies to a specific AWS resource, and relates to one or more CIS Amazon Web Services Foundation v1.3 Level 2 controls. A CIS Amazon Web Services Foundation v1.3 Level 2 control can be related to multiple Config rules. Refer to the table below for more detail and guidance related to these mappings.

For more infomation about process checks, see AWS Config Process Checks Within a Conformance Pack.

AWS Region: All supported AWS Regions except Middle East (Bahrain)

Control ID AWS Config Rule Guidance
1.1 account-contact-details-configured (Process Check) Ensure the contact email and telephone number for AWS accounts are current and map to more than one individual in your organization. Within the My Account section of the console ensure correct information is specified in the Contact Information section. For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.3.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/
1.2 account-security-contact-configured (Process Check) Ensure the contact email and telephone number for the your organizations security team are current. Within the My Account section of the AWS Management Console ensure the correct information is specified in the Security section. For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.3.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/
1.3 account-security-questions-configured (Process Check) Ensure the security questions that can be used to authenticate individuals calling AWS customer service for support are configured. Within the My Account section of the AWS Management Console ensure three security challenge questions are configured. For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.3.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/
1.4

iam-root-access-key-check

Access to systems and assets can be controlled by checking that the root user does not have access keys attached to their AWS Identity and Access Management (IAM) role. Ensure that the root access keys are deleted. Instead, create and use role-based AWS accounts to help to incorporate the principle of least functionality.
1.5

root-account-mfa-enabled

Manage access to resources in the AWS Cloud by ensuring MFA is enabled for the root user. The root user is the most privileged user in an AWS account. The MFA adds an extra layer of protection for a user name and password. By requiring MFA for the root user, you can reduce the incidents of compromised AWS accounts.
1.6

root-account-hardware-mfa-enabled

Manage access to resources in the AWS Cloud by ensuring hardware MFA is enabled for the root user. The root user is the most privileged user in an AWS account. The MFA adds an extra layer of protection for a user name and password. By requiring MFA for the root user, you can reduce the incidents of compromised AWS accounts.
1.7 root-account-regular-use (Process Check) Ensure the use of the root account is avoided for everyday tasks. Within IAM, run a credential report to examine when the root user was last used. For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.3.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/
1.8

iam-password-policy

The identities and the credentials are issued, managed, and verified based on an organizational IAM password policy. They meet or exceed requirements as stated by NIST SP 800-63 and the AWS Foundational Security Best Practices standard for password strength. This rule allows you to optionally set RequireUppercaseCharacters (AWS Foundational Security Best Practices value: true), RequireLowercaseCharacters (AWS Foundational Security Best Practices value: true), RequireSymbols (AWS Foundational Security Best Practices value: true), RequireNumbers (AWS Foundational Security Best Practices value: true), MinimumPasswordLength (AWS Foundational Security Best Practices value: 14), PasswordReusePrevention (AWS Foundational Security Best Practices value: 24), and MaxPasswordAge (AWS Foundational Security Best Practices value: 90) for your IAM Password Policy. The actual values should reflect your organization's policies.
1.9

iam-password-policy

The identities and the credentials are issued, managed, and verified based on an organizational IAM password policy. They meet or exceed requirements as stated by NIST SP 800-63 and the AWS Foundational Security Best Practices standard for password strength. This rule allows you to optionally set RequireUppercaseCharacters (AWS Foundational Security Best Practices value: true), RequireLowercaseCharacters (AWS Foundational Security Best Practices value: true), RequireSymbols (AWS Foundational Security Best Practices value: true), RequireNumbers (AWS Foundational Security Best Practices value: true), MinimumPasswordLength (AWS Foundational Security Best Practices value: 14), PasswordReusePrevention (AWS Foundational Security Best Practices value: 24), and MaxPasswordAge (AWS Foundational Security Best Practices value: 90) for your IAM Password Policy. The actual values should reflect your organization's policies.
1.10

mfa-enabled-for-iam-console-access

Manage access to resources in the AWS Cloud by ensuring that MFA is enabled for all AWS Identity and Access Management (IAM) users that have a console password. MFA adds an extra layer of protection on top of a user name and password. By requiring MFA for IAM users, you can reduce incidents of compromised accounts and keep sensitive data from being accessed by unauthorized users.
1.11 iam-user-console-and-api-access-at-creation (Process Check) Ensure access keys are not setup during the initial user setup for all IAM users that have a console password. For all IAM users with console access, compare the user 'Creation time` to the Access Key `Created` date. For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.3.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/
1.12

iam-user-unused-credentials-check

AWS Identity and Access Management (IAM) can help you with access permissions and authorizations by checking for IAM passwords and access keys that are not used for a specified time period. If these unused credentials are identified, you should disable and/or remove the credentials, as this may violate the principle of least privilege. This rule requires you to set a value to the maxCredentialUsageAge (Config Default: 90). The actual value should reflect your organization's policies.
1.13 iam-user-single-access-key (Process Check) Ensure there is only one active access key available for any single IAM user. For all IAM users check that there is only one active key used within the Security Credentials tab for each user within IAM. For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.3.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/
1.14

access-keys-rotated

The credentials are audited for authorized devices, users, and processes by ensuring IAM access keys are rotated as per organizational policy. Changing the access keys on a regular schedule is a security best practice. It shortens the period an access key is active and reduces the business impact if the keys are compromised. This rule requires an access key rotation value (Config Default: 90). The actual value should reflect your organization's policies.
1.15

iam-user-no-policies-check

This rule ensures AWS Identity and Access Management (IAM) policies are attached only to groups or roles to control access to systems and assets. Assigning privileges at the group or the role level helps to reduce opportunity for an identity to receive or retain excessive privileges.
1.15

iam-no-inline-policy-check

Ensure an AWS Identity and Access Management (IAM) user, IAM role or IAM group does not have an inline policy to control access to systems and assets. AWS recommends to use managed policies instead of inline policies. The managed policies allow reusability, versioning and rolling back, and delegating permissions management.
1.15

iam-user-group-membership-check

AWS Identity and Access Management (IAM) can help you restrict access permissions and authorizations, by ensuring IAM users are members of at least one group. Allowing users more privileges than needed to complete a task may violate the principle of least privilege and separation of duties.
1.16

iam-policy-no-statements-with-admin-access

AWS Identity and Access Management (IAM) can help you incorporate the principles of least privilege and separation of duties with access permissions and authorizations, restricting policies from containing "Effect": "Allow" with "Action": "*" over "Resource": "*". Allowing users to have more privileges than needed to complete a task may violate the principle of least privilege and separation of duties.
1.17 iam-support-role-created (Process Check) Ensure a support role has been created to manage incidents with AWS Support. Check that the AWSSupportAccess policy is attached to an IAM role. For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.3.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/
1.18 ec2-instance-role-assigned (Process Check) For instances that are known to perform AWS actions, ensure that they belong to an instance role that has the necessary permissions. Within the EC2 section of the AWS Management Console select the instance and check that the IAM role field is populated. For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.3.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/
1.19 iam-expired-certificates (Process Check) Ensure that all the expired SSL/TLS certificates stored in IAM are removed. From the command line with the installed AWS CLI run the 'aws iam list-server-certificates' command and determine if there are any expired server certificates. For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.3.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/
1.20

s3-account-level-public-access-blocks

Manage access to resources in the AWS Cloud by ensuring that Amazon Simple Storage Service (Amazon S3) buckets cannot be publicly accessed. This rule helps keeping sensitive data safe from unauthorized remote users by preventing public access. This rule allows you to optionally set the ignorePublicAcls (Config Default: True), blockPublicPolicy (Config Default: True), blockPublicAcls (Config Default: True), and restrictPublicBuckets parameters (Config Default: True). The actual values should reflect your organization's policies.
1.21 iam-access-analyzer-enabled (Process Check) Ensure that IAM Access Analyzer is enabled. Within the IAM section of the console, select Access Analyzer and ensure that the STATUS is set to Active. For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.3.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/
1.22 iam-central-user-management (Process Check) Ensure IAM users are managed centrally via the identity federation or AWS Organizations for multi-account environments. Within the IAM section of the AWS Management Console, confirm that no IAM users representing individuals are present. For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.3.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/
2.1.1

s3-bucket-server-side-encryption-enabled

To help protect data at rest, ensure encryption is enabled for your Amazon Simple Storage Service (Amazon S3) buckets. Because sensitive data can exist at rest in Amazon S3 buckets, enable encryption to help protect that data.
2.1.2

s3-bucket-ssl-requests-only

To help protect data in transit, ensure that your Amazon Simple Storage Service (Amazon S3) buckets require requests to use Secure Socket Layer (SSL). Because sensitive data can exist, enable encryption in transit to help protect that data.
2.2.1

ec2-ebs-encryption-by-default

To help protect data at rest, ensure that encryption is enabled for your Amazon Elastic Block Store (Amazon EBS) volumes. Because sensitive data can exist at rest in these volumes, enable encryption at rest to help protect that data.
2.2.1

encrypted-volumes

Because senstive data can exist and to help protect data at rest, ensure encryption is enabled for your Amazon Elastic Block Store (Amazon EBS) volumes.
3.1

multi-region-cloudtrail-enabled

AWS CloudTrail records AWS Management Console actions and API calls. You can identify which users and accounts called AWS, the source IP address from where the calls were made, and when the calls occurred. CloudTrail will deliver log files from all AWS Regions to your S3 bucket if MULTI_REGION_CLOUD_TRAIL_ENABLED is enabled. Additionally, when AWS launches a new Region, CloudTrail will create the same trail in the new Region. As a result, you will receive log files containing API activity for the new Region without taking any action.
3.2

cloud-trail-log-file-validation-enabled

Utilize AWS CloudTrail log file validation to check the integrity of CloudTrail logs. Log file validation helps determine if a log file was modified or deleted or unchanged after CloudTrail delivered it. This feature is built using industry standard algorithms: SHA-256 for hashing and SHA-256 with RSA for digital signing. This makes it computationally infeasible to modify, delete or forge CloudTrail log files without detection.
3.3

s3-bucket-public-read-prohibited

Manage access to resources in the AWS Cloud by only allowing authorized users, processes, and devices access to Amazon Simple Storage Service (Amazon S3) buckets. The management of access should be consistent with the classification of the data.
3.3

s3-bucket-public-write-prohibited

Manage access to resources in the AWS Cloud by only allowing authorized users, processes, and devices access to Amazon Simple Storage Service (Amazon S3) buckets. The management of access should be consistent with the classification of the data.
3.3

s3-account-level-public-access-blocks

Manage access to resources in the AWS Cloud by ensuring that Amazon Simple Storage Service (Amazon S3) buckets cannot be publicly accessed. This rule helps keeping sensitive data safe from unauthorized remote users by preventing public access. This rule allows you to optionally set the ignorePublicAcls (Config Default: True), blockPublicPolicy (Config Default: True), blockPublicAcls (Config Default: True), and restrictPublicBuckets parameters (Config Default: True). The actual values should reflect your organization's policies.
3.3

s3-bucket-policy-grantee-check

Manage access to the AWS Cloud by enabling s3_ bucket_policy_grantee_check. This rule checks that the access granted by the Amazon S3 bucket is restricted by any of the AWS principals, federated users, service principals, IP addresses, or Amazon Virtual Private Cloud (Amazon VPC) IDs that you provide.
3.4

cloud-trail-cloud-watch-logs-enabled

Use Amazon CloudWatch to centrally collect and manage log event activity. Inclusion of AWS CloudTrail data provides details of API call activity within your AWS account.
3.5 config-enabled-all-regions (Process Check) Ensure AWS Config is enabled in all AWS Regions. Within the AWS Config section of the console, for each Region enabled ensure the AWS Config recorder is configured correctly. Ensure recording of global AWS resources is enabled at least in one Region. For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.3.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/
3.6

s3-bucket-logging-enabled

Amazon Simple Storage Service (Amazon S3) server access logging provides a method to monitor the network for potential cybersecurity events. The events are monitored by capturing detailed records for the requests that are made to an Amazon S3 bucket. Each access log record provides details about a single access request. The details include the requester, bucket name, request time, request action, response status, and an error code, if relevant.
3.7

cloud-trail-encryption-enabled

Because sensitive data may exist and to help protect data at rest, ensure encryption is enabled for your AWS CloudTrail trails.
3.8

cmk-backing-key-rotation-enabled

Enable key rotation to ensure that keys are rotated once they have reached the end of their crypto period.
3.9

vpc-flow-logs-enabled

The VPC flow logs provide detailed records for information about the IP traffic going to and from network interfaces in your Amazon Virtual Private Cloud (Amazon VPC). By default, the flow log record includes values for the different components of the IP flow, including the source, destination, and protocol.
3.10

cloudtrail-s3-dataevents-enabled

The collection of Simple Storage Service (Amazon S3) data events helps in detecting any anomalous activity. The details include AWS account information that accessed an Amazon S3 bucket, IP address, and time of event.
3.11

cloudtrail-s3-dataevents-enabled

The collection of Simple Storage Service (Amazon S3) data events helps in detecting any anomalous activity. The details include AWS account information that accessed an Amazon S3 bucket, IP address, and time of event.
4.1 alarm-unauthorized-api-calls (Process Check) Ensure a log metric filter and an alarm exists for unauthorized API calls. For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.3.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/
4.2 alarm-sign-in-without-mfa (Process Check) Ensure a log metric filter and an alarm exists for AWS Management Console sign-in without Multi-Factor Authentication (MFA). For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.3.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/
4.3 alarm-root-account-use (Process Check) Ensure a log metric filter and an alarm exists for usage of the root account. For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.3.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/
4.4 alarm-iam-policy-change (Process Check) Ensure a log metric filter and an alarm exists for IAM policy changes. For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.3.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/
4.5 alarm-cloudtrail-config-change (Process Check) Ensure a log metric filter and an alarm exists for AWS CloudTrail configuration changes. For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.3.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/
4.6 alarm-console-auth-failures (Process Check) Ensure a log metric filter and an alarm exists for AWS Management Console authentication failures. For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.3.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/
4.7 alarm-kms-disable-or-delete-cmk (Process Check) Ensure a log metric filter and an alarm exists for disabling or scheduled deletion of customer created CMKs. For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.3.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/
4.8 alarm-s3-bucket-policy-change (Process Check) Ensure a log metric filter and an alarm exists for Amazon S3 bucket policy changes. For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.3.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/
4.9 alarm-aws-config-change (Process Check) Ensure a log metric filter and an alarm exists for AWS Config configuration changes. For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.3.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/
4.10 alarm-vpc-secrity-group-change (Process Check) Ensure a log metric filter and an alarm exists for security group changes. For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.3.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/
4.11 alarm-vpc-nacl-change (Process Check) Ensure a log metric filter and an alarm exists for changes to Network Access Control Lists (NACL). For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.3.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/
4.12 alarm-vpc-network-gateway-change (Process Check) Ensure a log metric filter and an alarm exists for changes to network gateways. For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.3.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/
4.13 alarm-vpc-route-table-change (Process Check) Ensure a log metric filter and an alarm exists for route table changes. For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.3.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/
4.14 alarm-vpc-change (Process Check) Ensure a log metric filter and an alarm exists for Amazon Virtual Private Cloud (VPC) changes. For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.3.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/
4.15 alarm-organizations-change (Process Check) Ensure a log metric filter and an alarm exists for AWS Organizations changes. For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.3.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/
5.1 vpc-networkacl-open-admin-ports (Process Check) Ensure no network ACLs allow public ingress to the remote server administration ports. Within the VPC section of the console, ensure there are network ACLs with a source of '0.0.0.0/0' with allowing ports or port ranges including remote server admin ports. For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.3.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/
5.2

restricted-common-ports

Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems. This rule allows you to optionally set blockedPort1 - blockedPort5 parameters (Config Defaults: 20,21,3389,3306,4333). The actual values should reflect your organization's policies.
5.3

vpc-default-security-group-closed

Amazon Elastic Compute Cloud (Amazon EC2) security groups can help in the management of network access by providing stateful filtering of ingress and egress network traffic to AWS resources. Restricting all the traffic on the default security group helps in restricting remote access to your AWS resources.
5.4 vpc-networkacl-open-admin-ports (Process Check) Ensure the routing tables for Amazon VPC peering are "least access". Within the VPC section of the console, examine the route table entries to ensure that the least number of subnets or hosts are required to accomplish the purpose for peering are routable. For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.3.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/

Template

The template is available on GitHub: Operational Best Practices for CIS AWS Foundations Benchmark v1.3 Level 2.