Operational Best Practices for CIS AWS Foundations Benchmark v1.4 Level 2 - AWS Config

Operational Best Practices for CIS AWS Foundations Benchmark v1.4 Level 2

Conformance packs provide a general-purpose compliance framework designed to enable you to create security, operational or cost-optimization governance checks using managed or custom AWS Config rules and AWS Config remediation actions. Conformance Packs, as sample templates, are not designed to fully ensure compliance with a specific governance or compliance standard. You are responsible for making your own assessment of whether your use of the Services meets applicable legal and regulatory requirements.

The following provides a sample mapping between the Center for Internet Security (CIS) Amazon Web Services Foundation v1.4 Level 2 and AWS managed Config rules/AWS Config Process Checks. Each Config rule applies to a specific AWS resource, and relates to one or more CIS Amazon Web Services Foundation v1.4 Level 2 controls. A CIS Amazon Web Services Foundation v1.4 Level 2 control can be related to multiple Config rules. Refer to the table below for more detail and guidance related to these mappings.

For more information about process checks, see AWS Config Process Checks Within a Conformance Pack.

AWS Region: All supported AWS Regions except Middle East (Bahrain)

Control ID Control Description AWS Config Rule Guidance
1.1 Maintain current contact details account-contact-details-configured (process check) Ensure the contact email and telephone number for AWS accounts are current and map to more than one individual in your organization. Within the My Account section of the console ensure correct information is specified in the Contact Information section. For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.4.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/
1.2 Ensure security contact information is registered account-security-contact-configured (Process Check) Ensure the contact email and telephone number for the your organizations security team are current. Within the My Account section of the AWS Management Console ensure the correct information is specified in the Security section. For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.4.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/
1.3 Ensure security questions are registered in the AWS account account-security-questions-configured (Process Check) Ensure the security questions that can be used to authenticate individuals calling AWS customer service for support are configured. Within the My Account section of the AWS Management Console ensure three security challenge questions are configured. For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.4.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/
1.4 Ensure no 'root' user account access key exists

iam-root-access-key-check

Access to systems and assets can be controlled by checking that the root user does not have access keys attached to their AWS Identity and Access Management (IAM) role. Ensure that the root access keys are deleted. Instead, create and use role-based AWS accounts to help to incorporate the principle of least functionality.
1.5 Ensure MFA is enabled for the 'root' user account

root-account-mfa-enabled

Manage access to resources in the AWS Cloud by ensuring MFA is enabled for the root user. The root user is the most privileged user in an AWS account. The MFA adds an extra layer of protection for a user name and password. By requiring MFA for the root user, you can reduce the incidents of compromised AWS accounts.
1.6 Ensure hardware MFA is enabled for the 'root' user account

root-account-hardware-mfa-enabled

Manage access to resources in the AWS Cloud by ensuring hardware MFA is enabled for the root user. The root user is the most privileged user in an AWS account. The MFA adds an extra layer of protection for a user name and password. By requiring MFA for the root user, you can reduce the incidents of compromised AWS accounts.
1.7 Eliminate use of the 'root' user for administrative and daily tasks root-account-regular-use (Process Check) Ensure the use of the root account is avoided for everyday tasks. Within IAM, run a credential report to examine when the root user was last used. For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.4.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/
1.8 Ensure IAM password policy requires minimum length of 14 or greater

iam-password-policy

The identities and the credentials are issued, managed, and verified based on an organizational IAM password policy. They meet or exceed requirements as stated by NIST SP 800-63 and the AWS Foundational Security Best Practices standard for password strength. This rule allows you to optionally set RequireUppercaseCharacters (AWS Foundational Security Best Practices value: true), RequireLowercaseCharacters (AWS Foundational Security Best Practices value: true), RequireSymbols (AWS Foundational Security Best Practices value: true), RequireNumbers (AWS Foundational Security Best Practices value: true), MinimumPasswordLength (AWS Foundational Security Best Practices value: 14), PasswordReusePrevention (AWS Foundational Security Best Practices value: 24), and MaxPasswordAge (AWS Foundational Security Best Practices value: 90) for your IAM Password Policy. The actual values should reflect your organization's policies.
1.9 Ensure IAM password policy prevents password reuse

iam-password-policy

The identities and the credentials are issued, managed, and verified based on an organizational IAM password policy. They meet or exceed requirements as stated by NIST SP 800-63 and the AWS Foundational Security Best Practices standard for password strength. This rule allows you to optionally set RequireUppercaseCharacters (AWS Foundational Security Best Practices value: true), RequireLowercaseCharacters (AWS Foundational Security Best Practices value: true), RequireSymbols (AWS Foundational Security Best Practices value: true), RequireNumbers (AWS Foundational Security Best Practices value: true), MinimumPasswordLength (AWS Foundational Security Best Practices value: 14), PasswordReusePrevention (AWS Foundational Security Best Practices value: 24), and MaxPasswordAge (AWS Foundational Security Best Practices value: 90) for your IAM Password Policy. The actual values should reflect your organization's policies.
1.10 Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password

mfa-enabled-for-iam-console-access

Manage access to resources in the AWS Cloud by ensuring that MFA is enabled for all AWS Identity and Access Management (IAM) users that have a console password. MFA adds an extra layer of protection on top of a user name and password. By requiring MFA for IAM users, you can reduce incidents of compromised accounts and keep sensitive data from being accessed by unauthorized users.
1.11 Do not setup access keys during initial user setup for all IAM users that have a console password iam-user-console-and-api-access-at-creation (Process Check) Ensure access keys are not setup during the initial user setup for all IAM users that have a console password. For all IAM users with console access, compare the user 'Creation time` to the Access Key `Created` date. For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.4.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/
1.12 Ensure credentials unused for 45 days or greater are disabled

iam-user-unused-credentials-check

AWS Identity and Access Management (IAM) can help you with access permissions and authorizations by checking for IAM passwords and access keys that are not used for a specified time period. If these unused credentials are identified, you should disable and/or remove the credentials, as this may violate the principle of least privilege. This rule requires you to set a value to the maxCredentialUsageAge (CIS Standard value: 45). The actual value should reflect your organization's policies.
1.13 Ensure there is only one active access key available for any single IAM user iam-user-single-access-key (Process Check) Ensure there is only one active access key available for any single IAM user. For all IAM users check that there is only one active key used within the Security Credentials tab for each user within IAM. For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.4.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/
1.14 Ensure access keys are rotated every 90 days or less

access-keys-rotated

The credentials are audited for authorized devices, users, and processes by ensuring IAM access keys are rotated as per organizational policy. Changing the access keys on a regular schedule is a security best practice. It shortens the period an access key is active and reduces the business impact if the keys are compromised. This rule requires an access key rotation value (Config Default: 90). The actual value should reflect your organization's policies.
1.15 Ensure IAM Users Receive Permissions Only Through Groups

iam-user-no-policies-check

This rule ensures AWS Identity and Access Management (IAM) policies are attached only to groups or roles to control access to systems and assets. Assigning privileges at the group or the role level helps to reduce opportunity for an identity to receive or retain excessive privileges.
1.15 Ensure IAM Users Receive Permissions Only Through Groups

iam-no-inline-policy-check

Ensure an AWS Identity and Access Management (IAM) user, IAM role or IAM group does not have an inline policy to control access to systems and assets. AWS recommends to use managed policies instead of inline policies. The managed policies allow reusability, versioning and rolling back, and delegating permissions management.
1.15 Ensure IAM Users Receive Permissions Only Through Groups

iam-user-group-membership-check

AWS Identity and Access Management (IAM) can help you restrict access permissions and authorizations, by ensuring IAM users are members of at least one group. Allowing users more privileges than needed to complete a task may violate the principle of least privilege and separation of duties.
1.16 Ensure IAM policies that allow full "*:*" administrative privileges are not attached

iam-policy-no-statements-with-admin-access

AWS Identity and Access Management (IAM) can help you incorporate the principles of least privilege and separation of duties with access permissions and authorizations, restricting policies from containing "Effect": "Allow" with "Action": "*" over "Resource": "*". Allowing users to have more privileges than needed to complete a task may violate the principle of least privilege and separation of duties.
1.17 Ensure a support role has been created to manage incidents with AWS Support

iam-policy-in-use

AWS Identity and Access Management (IAM) can help you manage access permissions and authorizations by ensuring that IAM policies are assigned to the appropriate users, roles, or groups. Restricting these policies also incorporates the principals of least privilege and separation of duties. This rule requires that you set the policyARN to arn:aws:iam::aws:policy/AWSSupportAccess, for incident management with AWS Support.
1.18 Ensure IAM instance roles are used for AWS resource access from instances

ec2-instance-profile-attached

EC2 instance profiles pass an IAM role to an EC2 instance. Attaching an instance profile to your instances can assist with least privilege and permissions management.
1.19 Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed iam-expired-certificates (Process Check) Ensure that all the expired SSL/TLS certificates stored in IAM are removed. From the command line with the installed AWS CLI run the 'aws iam list-server-certificates' command and determine if there are any expired server certificates. For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.4.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/
1.20 Ensure that AWS IAM Access Analyzer is enabled iam-access-analyzer-enabled (Process Check) Ensure that IAM Access Analyzer is enabled. Within the IAM section of the console, select Access Analyzer and ensure that the STATUS is set to Active. For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.4.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/
1.21 Ensure IAM users are managed centrally via the identity federation or AWS Organizations for multi-account environments account-part-of-organizations Centralized management of AWS accounts within AWS Organizations helps to ensure that accounts are compliant. The lack of centralized account governance may lead to inconsistent account configurations, which may expose resources and sensitive data.
2.1.1 Ensure all S3 buckets employ encryption-at-rest

s3-bucket-server-side-encryption-enabled

To help protect data at rest, ensure encryption is enabled for your Amazon Simple Storage Service (Amazon S3) buckets. Because sensitive data can exist at rest in Amazon S3 buckets, enable encryption to help protect that data.
2.1.2 Ensure S3 Bucket Policy is set to deny HTTP requests

s3-bucket-ssl-requests-only

To help protect data in transit, ensure that your Amazon Simple Storage Service (Amazon S3) buckets require requests to use Secure Socket Layer (SSL). Because sensitive data can exist, enable encryption in transit to help protect that data.
2.1.3 Ensure MFA Delete is enable on S3 buckets

s3-bucket-versioning-enabled

*DOCUMENTATION TEAM TO REVIEW*Amazon Simple Storage Service (Amazon S3) bucket versioning helps keep multiple variants of an object in the same Amazon S3 bucket. Adding multi factor authentication (MFA) delete to an S3 bucket requires an additional factor of authentication in order to change the version state of your bucket or to delete and object version. MFA delete can add an additional layer of security in the event security credentials are compromised or unauthorized access is granted.
2.1.5 Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'

s3-account-level-public-access-blocks-periodic

Manage access to resources in the AWS Cloud by ensuring that Amazon Simple Storage Service (Amazon S3) buckets cannot be publicly accessed. This rule helps keeping sensitive data safe from unauthorized remote users by preventing public access. This rule allows you to optionally set the ignorePublicAcls (Config Default: True), blockPublicPolicy (Config Default: True), blockPublicAcls (Config Default: True), and restrictPublicBuckets parameters (Config Default: True). The actual values should reflect your organization's policies.
2.1.5 Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'

s3-bucket-level-public-access-prohibited

Manage access to resources in the AWS Cloud by ensuring that Amazon Simple Storage Service (Amazon S3) buckets cannot be publicly accessed. This rule helps keeping sensitive data safe from unauthorized remote users by preventing public access at the bucket level.
2.2.1 Ensure EBS volume encryption is enabled

encrypted-volumes

Because sensitive data can exist and to help protect data at rest, ensure encryption is enabled for your Amazon Elastic Block Store (Amazon EBS) volumes.
2.2.1 Ensure EBS volume encryption is enabled

ec2-ebs-encryption-by-default

To help protect data at rest, ensure that encryption is enabled for your Amazon Elastic Block Store (Amazon EBS) volumes. Because sensitive data can exist at rest in these volumes, enable encryption at rest to help protect that data.
2.3.1 Ensure that encryption is enabled for RDS Instances

rds-snapshot-encrypted

Ensure that encryption is enabled for your Amazon Relational Database Service (Amazon RDS) snapshots. Because sensitive data can exist at rest, enable encryption at rest to help protect that data.
2.3.1 Ensure that encryption is enabled for RDS Instances

rds-storage-encrypted

To help protect data at rest, ensure that encryption is enabled for your Amazon Relational Database Service (Amazon RDS) instances. Because sensitive data can exist at rest in Amazon RDS instances, enable encryption at rest to help protect that data.
3.1 Ensure CloudTrail is enabled in all regions

multi-region-cloudtrail-enabled

AWS CloudTrail records AWS Management Console actions and API calls. You can identify which users and accounts called AWS, the source IP address from where the calls were made, and when the calls occurred. CloudTrail will deliver log files from all AWS Regions to your S3 bucket if MULTI_REGION_CLOUD_TRAIL_ENABLED is enabled. Additionally, when AWS launches a new Region, CloudTrail will create the same trail in the new Region. As a result, you will receive log files containing API activity for the new Region without taking any action.
3.2 Ensure CloudTrail log file validation is enabled

cloud-trail-log-file-validation-enabled

Utilize AWS CloudTrail log file validation to check the integrity of CloudTrail logs. Log file validation helps determine if a log file was modified or deleted or unchanged after CloudTrail delivered it. This feature is built using industry standard algorithms: SHA-256 for hashing and SHA-256 with RSA for digital signing. This makes it computationally infeasible to modify, delete or forge CloudTrail log files without detection.
3.3 Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible

s3-bucket-public-read-prohibited

Manage access to resources in the AWS Cloud by only allowing authorized users, processes, and devices access to Amazon Simple Storage Service (Amazon S3) buckets. The management of access should be consistent with the classification of the data.
3.3 Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible

s3-bucket-public-write-prohibited

Manage access to resources in the AWS Cloud by only allowing authorized users, processes, and devices access to Amazon Simple Storage Service (Amazon S3) buckets. The management of access should be consistent with the classification of the data.
3.3 Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible

s3-bucket-level-public-access-prohibited

Manage access to resources in the AWS Cloud by ensuring that Amazon Simple Storage Service (Amazon S3) buckets cannot be publicly accessed. This rule helps keeping sensitive data safe from unauthorized remote users by preventing public access at the bucket level.
3.4 Ensure CloudTrail trails are integrated with CloudWatch Logs

cloud-trail-cloud-watch-logs-enabled

Use Amazon CloudWatch to centrally collect and manage log event activity. Inclusion of AWS CloudTrail data provides details of API call activity within your AWS account.
3.5 Ensure AWS Config is enabled in all regions config-enabled-all-regions (Process Check) Ensure AWS Config is enabled in all AWS Regions. Within the AWS Config section of the console, for each Region enabled ensure the AWS Config recorder is configured correctly. Ensure recording of global AWS resources is enabled at least in one Region. For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.4.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/
3.6 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket

s3-bucket-logging-enabled

Amazon Simple Storage Service (Amazon S3) server access logging provides a method to monitor the network for potential cybersecurity events. The events are monitored by capturing detailed records for the requests that are made to an Amazon S3 bucket. Each access log record provides details about a single access request. The details include the requester, bucket name, request time, request action, response status, and an error code, if relevant.
3.7 Ensure CloudTrail logs are encrypted at rest using KMS CMKs

cloud-trail-encryption-enabled

Because sensitive data may exist and to help protect data at rest, ensure encryption is enabled for your AWS CloudTrail trails.
3.8 Ensure rotation for customer created CMKs is enabled

cmk-backing-key-rotation-enabled

Enable key rotation to ensure that keys are rotated once they have reached the end of their crypto period.
3.9 Ensure VPC flow logging is enabled in all VPCs

vpc-flow-logs-enabled

The VPC flow logs provide detailed records for information about the IP traffic going to and from network interfaces in your Amazon Virtual Private Cloud (Amazon VPC). By default, the flow log record includes values for the different components of the IP flow, including the source, destination, and protocol.
3.10 Ensure that Object-level logging for write events is enabled for S3 bucket

cloudtrail-s3-dataevents-enabled

The collection of Simple Storage Service (Amazon S3) data events helps in detecting any anomalous activity. The details include AWS account information that accessed an Amazon S3 bucket, IP address, and time of event.
3.11 Ensure that Object-level logging for read events is enabled for S3 bucket

cloudtrail-s3-dataevents-enabled

The collection of Simple Storage Service (Amazon S3) data events helps in detecting any anomalous activity. The details include AWS account information that accessed an Amazon S3 bucket, IP address, and time of event.
4.1 Ensure a log metric filter and alarm exist for unauthorized API calls alarm-unauthorized-api-calls (Process Check) Ensure a log metric filter and an alarm exists for unauthorized API calls. For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.4.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/
4.2 Ensure a log metric filter and alarm exist for Management Console sign-in without MFA alarm-sign-in-without-mfa (Process Check) Ensure a log metric filter and an alarm exists for AWS Management Console sign-in without Multi-Factor Authentication (MFA). For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.4.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/
4.3 Ensure a log metric filter and alarm exist for usage of 'root' account alarm-root-account-use (Process Check) Ensure a log metric filter and an alarm exists for usage of the root account. For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.4.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/
4.4 Ensure a log metric filter and alarm exist for IAM policy changes alarm-iam-policy-change (Process Check) Ensure a log metric filter and an alarm exists for IAM policy changes. For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.4.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/
4.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes alarm-cloudtrail-config-change (Process Check) Ensure a log metric filter and an alarm exists for AWS CloudTrail configuration changes. For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.4.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/
4.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures alarm-console-auth-failures (Process Check) Ensure a log metric filter and an alarm exists for AWS Management Console authentication failures. For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.4.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/
4.7 Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs alarm-kms-disable-or-delete-cmk (Process Check) Ensure a log metric filter and an alarm exists for disabling or scheduled deletion of customer created CMKs. For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.4.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/
4.8 Ensure a log metric filter and alarm exist for S3 bucket policy changes alarm-s3-bucket-policy-change (Process Check) Ensure a log metric filter and an alarm exists for Amazon S3 bucket policy changes. For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.4.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/
4.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes alarm-aws-config-change (Process Check) Ensure a log metric filter and an alarm exists for AWS Config configuration changes. For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.4.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/
4.10 Ensure a log metric filter and alarm exist for security group changes alarm-vpc-secrity-group-change (Process Check) Ensure a log metric filter and an alarm exists for security group changes. For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.4.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/
4.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) alarm-vpc-nacl-change (Process Check) Ensure a log metric filter and an alarm exists for changes to Network Access Control Lists (NACL). For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.4.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/
4.12 Ensure a log metric filter and alarm exist for changes to network gateways alarm-vpc-network-gateway-change (Process Check) Ensure a log metric filter and an alarm exists for changes to network gateways. For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.4.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/
4.13 Ensure a log metric filter and alarm exist for route table changes alarm-vpc-route-table-change (Process Check) Ensure a log metric filter and an alarm exists for route table changes. For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.4.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/
4.14 Ensure a log metric filter and alarm exist for VPC changes alarm-vpc-change (Process Check) Ensure a log metric filter and an alarm exists for Amazon Virtual Private Cloud (VPC) changes. For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.4.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/
4.15 Ensure a log metric filter and alarm exists for AWS Organizations changes alarm-organizations-change (Process Check) Ensure a log metric filter and an alarm exists for AWS Organizations changes. For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.4.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/
5.1 Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports vpc-networkacl-open-admin-ports (Process Check) Ensure no network ACLs allow public ingress to the remote server administration ports. Within the VPC section of the console, ensure there are network ACLs with a source of '0.0.0.0/0' with allowing ports or port ranges including remote server admin ports. For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.4.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/
5.2 Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports

restricted-ssh

Amazon Elastic Compute Cloud (Amazon EC2) Security Groups can help manage network access by providing stateful filtering of ingress and egress network traffic to AWS resources. Not allowing ingress (or remote) traffic from 0.0.0.0/0 to port 22 on your resources help you restricting remote access.
5.2 Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports

restricted-common-ports

Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems. This rule allows you to optionally set blockedPort1 - blockedPort5 parameters (CIS Standard value: 3389). The actual values should reflect your organization's policies.
5.3 Ensure the default security group of every VPC restricts all traffic

vpc-default-security-group-closed

Amazon Elastic Compute Cloud (Amazon EC2) security groups can help in the management of network access by providing stateful filtering of ingress and egress network traffic to AWS resources. Restricting all the traffic on the default security group helps in restricting remote access to your AWS resources.
5.4 Ensure routing tables for VPC peering are "least access" vpc-peering-least-access (Process Check) Ensure the routing tables for Amazon VPC peering are "least access". Within the VPC section of the console, examine the route table entries to ensure that the least number of subnets or hosts are required to accomplish the purpose for peering are routable. For further details on the auditing of this control please refer to the CIS Amazon Web Services Foundations Benchmark version 1.4.0 document available at https://www.cisecurity.org/benchmark/amazon_web_services/

Template

The template is available on GitHub: Operational Best Practices for CIS AWS Foundations Benchmark v1.4 Level 2.