Operational Best Practices for ENISA Cybersecurity guide for SMEs
Conformance packs provide a general-purpose compliance framework designed to enable you to create security, operational or cost-optimization governance checks using managed or custom AWS Config rules and AWS Config remediation actions. Conformance Packs, as sample templates, are not designed to fully ensure compliance with a specific governance or compliance standard. You are responsible for making your own assessment of whether your use of the Services meets applicable legal and regulatory requirements.
The following provides a sample mapping between the European Union Agency for Cybersecurity (ENISA) Cybersecurity guide for SMEs and AWS managed Config rules. Each Config rule applies to a specific AWS resource, and relates to one or more ENISA Cybersecurity guide for SMEs controls. An ENISA Cybersecurity guide for SMEs control can be related to multiple Config rules. Refer to the table below for more detail and guidance related to these mappings.
This sample conformance pack template contains mappings to controls adapted from the ENISA
Cybersecurity guide for SMEs. The ENISA Cybersecurity guide for SMEs is available at Cybersecurity guide for SMEs - 12 steps to securing your business
| Control ID | Control Description | AWS Config Rule | Guidance |
|---|---|---|---|
| 1_DEVELOP GOOD CYBERSECURITY CULTURE: PUBLISH CYBERSECURITY POLICIES | Clear and specific rules should be outlined in cybersecurity | security-awareness-program-exists(Process Check) | Establish and maintain a security awareness program for your organization. Security awareness programs educate employees on how to protect their organization from various security breaches or incidents. |
| 1_DEVELOP GOOD CYBERSECURITY CULTURE: REMEMBER DATA PROTECTION | Under the EU General Data Protection Regulation1 any SMEs that process or store personal data belonging to EU/EEA residents need to ensure that appropriate security controls are in place to protect that data. This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place. | If you configure your Network Interfaces with a public IP address, then the associated resources to those Network Interfaces are reachable from the internet. EC2 resources should not be publicly accessible, as this may allow unintended access to your applications or servers. | |
| 1_DEVELOP GOOD CYBERSECURITY CULTURE: REMEMBER DATA PROTECTION | Under the EU General Data Protection Regulation1 any SMEs that process or store personal data belonging to EU/EEA residents need to ensure that appropriate security controls are in place to protect that data. This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place. | Manage access to the AWS Cloud by ensuring DMS replication instances cannot be publicly accessed. DMS replication instances can contain sensitive information and access control is required for such accounts. | |
| 1_DEVELOP GOOD CYBERSECURITY CULTURE: REMEMBER DATA PROTECTION | Under the EU General Data Protection Regulation1 any SMEs that process or store personal data belonging to EU/EEA residents need to ensure that appropriate security controls are in place to protect that data. This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place. | Manage access to the AWS Cloud by ensuring EBS snapshots are not publicly restorable. EBS volume snapshots can contain sensitive information and access control is required for such accounts. | |
| 1_DEVELOP GOOD CYBERSECURITY CULTURE: REMEMBER DATA PROTECTION | Under the EU General Data Protection Regulation1 any SMEs that process or store personal data belonging to EU/EEA residents need to ensure that appropriate security controls are in place to protect that data. This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place. | Manage access to the AWS Cloud by ensuring Amazon Elastic Compute Cloud (Amazon EC2) instances cannot be publicly accessed. Amazon EC2 instances can contain sensitive information and access control is required for such accounts. | |
| 1_DEVELOP GOOD CYBERSECURITY CULTURE: REMEMBER DATA PROTECTION | Under the EU General Data Protection Regulation1 any SMEs that process or store personal data belonging to EU/EEA residents need to ensure that appropriate security controls are in place to protect that data. This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place. | Manage access to the AWS Cloud by ensuring Amazon EMR cluster master nodes cannot be publicly accessed. Amazon EMR cluster master nodes can contain sensitive information and access control is required for such accounts. | |
| 1_DEVELOP GOOD CYBERSECURITY CULTURE: REMEMBER DATA PROTECTION | Under the EU General Data Protection Regulation1 any SMEs that process or store personal data belonging to EU/EEA residents need to ensure that appropriate security controls are in place to protect that data. This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place. | Manage access to resources in the AWS Cloud by ensuring AWS Lambda functions cannot be publicly accessed. Public access can potentially lead to degradation of availability of resources. | |
| 1_DEVELOP GOOD CYBERSECURITY CULTURE: REMEMBER DATA PROTECTION | Under the EU General Data Protection Regulation1 any SMEs that process or store personal data belonging to EU/EEA residents need to ensure that appropriate security controls are in place to protect that data. This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place. | Manage access to resources in the AWS Cloud by ensuring that Amazon Relational Database Service (Amazon RDS) instances are not public. Amazon RDS database instances can contain sensitive information, and principles and access control is required for such accounts. | |
| 1_DEVELOP GOOD CYBERSECURITY CULTURE: REMEMBER DATA PROTECTION | Under the EU General Data Protection Regulation1 any SMEs that process or store personal data belonging to EU/EEA residents need to ensure that appropriate security controls are in place to protect that data. This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place. | Manage access to resources in the AWS Cloud by ensuring that Amazon Relational Database Service (Amazon RDS) instances are not public. Amazon RDS database instances can contain sensitive information and principles and access control is required for such accounts. | |
| 1_DEVELOP GOOD CYBERSECURITY CULTURE: REMEMBER DATA PROTECTION | Under the EU General Data Protection Regulation1 any SMEs that process or store personal data belonging to EU/EEA residents need to ensure that appropriate security controls are in place to protect that data. This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place. | Manage access to resources in the AWS Cloud by ensuring that Amazon Redshift clusters are not public. Amazon Redshift clusters can contain sensitive information and principles and access control is required for such accounts. | |
| 1_DEVELOP GOOD CYBERSECURITY CULTURE: REMEMBER DATA PROTECTION | Under the EU General Data Protection Regulation1 any SMEs that process or store personal data belonging to EU/EEA residents need to ensure that appropriate security controls are in place to protect that data. This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place. | Manage access to resources in the AWS Cloud by ensuring that Amazon Simple Storage Service (Amazon S3) buckets cannot be publicly accessed. This rule helps keeping sensitive data safe from unauthorized remote users by preventing public access. This rule allows you to optionally set the ignorePublicAcls (Config Default: True), blockPublicPolicy (Config Default: True), blockPublicAcls (Config Default: True), and restrictPublicBuckets parameters (Config Default: True). The actual values should reflect your organization's policies. | |
| 1_DEVELOP GOOD CYBERSECURITY CULTURE: REMEMBER DATA PROTECTION | Under the EU General Data Protection Regulation1 any SMEs that process or store personal data belonging to EU/EEA residents need to ensure that appropriate security controls are in place to protect that data. This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place. | Manage access to resources in the AWS Cloud by ensuring that Amazon Simple Storage Service (Amazon S3) buckets cannot be publicly accessed. This rule helps keeping sensitive data safe from unauthorized remote users by preventing public access at the bucket level. | |
| 1_DEVELOP GOOD CYBERSECURITY CULTURE: REMEMBER DATA PROTECTION | Under the EU General Data Protection Regulation1 any SMEs that process or store personal data belonging to EU/EEA residents need to ensure that appropriate security controls are in place to protect that data. This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place. | Manage access to resources in the AWS Cloud by only allowing authorized users, processes, and devices access to Amazon Simple Storage Service (Amazon S3) buckets. The management of access should be consistent with the classification of the data. | |
| 1_DEVELOP GOOD CYBERSECURITY CULTURE: REMEMBER DATA PROTECTION | Under the EU General Data Protection Regulation1 any SMEs that process or store personal data belonging to EU/EEA residents need to ensure that appropriate security controls are in place to protect that data. This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place. | Manage access to resources in the AWS Cloud by only allowing authorized users, processes, and devices access to Amazon Simple Storage Service (Amazon S3) buckets. The management of access should be consistent with the classification of the data. | |
| 1_DEVELOP GOOD CYBERSECURITY CULTURE: REMEMBER DATA PROTECTION | Under the EU General Data Protection Regulation1 any SMEs that process or store personal data belonging to EU/EEA residents need to ensure that appropriate security controls are in place to protect that data. This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place. | This rule checks to see if Access Control Lists (ACLs) are used to for access control on Amazon S3 Buckets. ACLs are legacy access control mechanisms for Amazon S3 buckets that predate AWS Identity and Access Management (IAM). Instead of ACLs, it is a best practice to use IAM policies or S3 bucket policies to more easily manage access to your S3 buckets. | |
| 1_DEVELOP GOOD CYBERSECURITY CULTURE: REMEMBER DATA PROTECTION | Under the EU General Data Protection Regulation1 any SMEs that process or store personal data belonging to EU/EEA residents need to ensure that appropriate security controls are in place to protect that data. This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place. | Ensure AWS Systems Manager (SSM) documents are not public, as this may allow unintended access to your SSM documents. A public SSM document can expose information about your account, resources and internal processes. | |
| 1_DEVELOP GOOD CYBERSECURITY CULTURE: REMEMBER DATA PROTECTION | Under the EU General Data Protection Regulation1 any SMEs that process or store personal data belonging to EU/EEA residents need to ensure that appropriate security controls are in place to protect that data. This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place. | Manage access to the AWS Cloud by ensuring Amazon Virtual Private Cloud (VPC) subnets are not automatically assigned a public IP address. Amazon Elastic Compute Cloud (EC2) instances that are launched into subnets that have this attribute enabled have a public IP address assigned to their primary network interface. | |
| 1_DEVELOP GOOD CYBERSECURITY CULTURE: REMEMBER DATA PROTECTION | Under the EU General Data Protection Regulation1 any SMEs that process or store personal data belonging to EU/EEA residents need to ensure that appropriate security controls are in place to protect that data. This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place. | To help protect data in transit, ensure that your Application Load Balancer automatically redirects unencrypted HTTP requests to HTTPS. Because sensitive data can exist, enable encryption in transit to help protect that data. | |
| 1_DEVELOP GOOD CYBERSECURITY CULTURE: REMEMBER DATA PROTECTION | Under the EU General Data Protection Regulation1 any SMEs that process or store personal data belonging to EU/EEA residents need to ensure that appropriate security controls are in place to protect that data. This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place. | Ensure that your Elastic Load Balancers (ELB) are configured to drop http headers. Because sensitive data can exist, enable encryption in transit to help protect that data. | |
| 1_DEVELOP GOOD CYBERSECURITY CULTURE: REMEMBER DATA PROTECTION | Under the EU General Data Protection Regulation1 any SMEs that process or store personal data belonging to EU/EEA residents need to ensure that appropriate security controls are in place to protect that data. This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place. | To help protect data at rest, ensure encryption is enabled for your API Gateway stage's cache. Because sensitive data can be captured for the API method, enable encryption at rest to help protect that data. | |
| 1_DEVELOP GOOD CYBERSECURITY CULTURE: REMEMBER DATA PROTECTION | Under the EU General Data Protection Regulation1 any SMEs that process or store personal data belonging to EU/EEA residents need to ensure that appropriate security controls are in place to protect that data. This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place. | Ensure Amazon API Gateway REST API stages are configured with SSL certificates to allow backend systems to authenticate that requests originate from API Gateway. | |
| 1_DEVELOP GOOD CYBERSECURITY CULTURE: REMEMBER DATA PROTECTION | Under the EU General Data Protection Regulation1 any SMEs that process or store personal data belonging to EU/EEA residents need to ensure that appropriate security controls are in place to protect that data. This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place. | Ensure that encryption is enabled for your AWS Backup recovery points. Because sensitive data can exist at rest, enable encryption at rest to help protect that data. | |
| 1_DEVELOP GOOD CYBERSECURITY CULTURE: REMEMBER DATA PROTECTION | Under the EU General Data Protection Regulation1 any SMEs that process or store personal data belonging to EU/EEA residents need to ensure that appropriate security controls are in place to protect that data. This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place. | Ensure that your AWS Backup recovery points have an attached resource-based policy which prevents deletion of recovery points. Using a resource-based policy to prevent deletion of recovery points can assist in preventing accidental or intentional deletion. | |
| 1_DEVELOP GOOD CYBERSECURITY CULTURE: REMEMBER DATA PROTECTION | Under the EU General Data Protection Regulation1 any SMEs that process or store personal data belonging to EU/EEA residents need to ensure that appropriate security controls are in place to protect that data. This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place. | Because sensitive data may exist and to help protect data at rest, ensure encryption is enabled for your AWS CloudTrail trails. | |
| 1_DEVELOP GOOD CYBERSECURITY CULTURE: REMEMBER DATA PROTECTION | Under the EU General Data Protection Regulation1 any SMEs that process or store personal data belonging to EU/EEA residents need to ensure that appropriate security controls are in place to protect that data. This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place. | Ensure that encryption is enabled for your Amazon DynamoDB tables. Because sensitive data can exist at rest in these tables, enable encryption at rest to help protect that data. By default, DynamoDB tables are encrypted with an AWS owned customer master key (CMK). | |
| 1_DEVELOP GOOD CYBERSECURITY CULTURE: REMEMBER DATA PROTECTION | Under the EU General Data Protection Regulation1 any SMEs that process or store personal data belonging to EU/EEA residents need to ensure that appropriate security controls are in place to protect that data. This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place. | To help protect data at rest, ensure that encryption is enabled for your Amazon Elastic Block Store (Amazon EBS) volumes. Because sensitive data can exist at rest in these volumes, enable encryption at rest to help protect that data. | |
| 1_DEVELOP GOOD CYBERSECURITY CULTURE: REMEMBER DATA PROTECTION | Under the EU General Data Protection Regulation1 any SMEs that process or store personal data belonging to EU/EEA residents need to ensure that appropriate security controls are in place to protect that data. This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place. | Because sensitive data can exist and to help protect data at rest, ensure encryption is enabled for your Amazon Elastic File System (EFS). | |
| 1_DEVELOP GOOD CYBERSECURITY CULTURE: REMEMBER DATA PROTECTION | Under the EU General Data Protection Regulation1 any SMEs that process or store personal data belonging to EU/EEA residents need to ensure that appropriate security controls are in place to protect that data. This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place. | Because sensitive data can exist and to help protect data at rest, ensure encryption is enabled for your Amazon Elasticsearch Service (Amazon ES) domains. | |
| 1_DEVELOP GOOD CYBERSECURITY CULTURE: REMEMBER DATA PROTECTION | Under the EU General Data Protection Regulation1 any SMEs that process or store personal data belonging to EU/EEA residents need to ensure that appropriate security controls are in place to protect that data. This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place. | Enforcing a root directory for an Amazon Elastic File System (Amazon EFS) access point helps restrict data access by ensuring that users of the access point can only reach files of the specified subdirectory. | |
| 1_DEVELOP GOOD CYBERSECURITY CULTURE: REMEMBER DATA PROTECTION | Under the EU General Data Protection Regulation1 any SMEs that process or store personal data belonging to EU/EEA residents need to ensure that appropriate security controls are in place to protect that data. This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place. | To assist with implementing the principle of least privilege, ensure user enforcement is enabled for your Amazon Elastic File System (Amazon EFS) .When enabled, Amazon EFS replaces the NFS client's user and group IDs with the identity configured on the access point for all file system operations and only grants access to this enforced user identity. | |
| 1_DEVELOP GOOD CYBERSECURITY CULTURE: REMEMBER DATA PROTECTION | Under the EU General Data Protection Regulation1 any SMEs that process or store personal data belonging to EU/EEA residents need to ensure that appropriate security controls are in place to protect that data. This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place. | Because sensitive data can exist and to help protect data at rest, ensure encryption is enabled for your Amazon Elastic Block Store (Amazon EBS) volumes. | |
| 1_DEVELOP GOOD CYBERSECURITY CULTURE: REMEMBER DATA PROTECTION | Under the EU General Data Protection Regulation1 any SMEs that process or store personal data belonging to EU/EEA residents need to ensure that appropriate security controls are in place to protect that data. This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place. | Utilize AWS CloudTrail log file validation to check the integrity of CloudTrail logs. Log file validation helps determine if a log file was modified or deleted or unchanged after CloudTrail delivered it. This feature is built using industry standard algorithms: SHA-256 for hashing and SHA-256 with RSA for digital signing. This makes it computationally infeasible to modify, delete or forge CloudTrail log files without detection. | |
| 1_DEVELOP GOOD CYBERSECURITY CULTURE: REMEMBER DATA PROTECTION | Under the EU General Data Protection Regulation1 any SMEs that process or store personal data belonging to EU/EEA residents need to ensure that appropriate security controls are in place to protect that data. This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place. | To help protect sensitive data at rest, ensure encryption is enabled for your Amazon CloudWatch Log Groups. | |
| 1_DEVELOP GOOD CYBERSECURITY CULTURE: REMEMBER DATA PROTECTION | Under the EU General Data Protection Regulation1 any SMEs that process or store personal data belonging to EU/EEA residents need to ensure that appropriate security controls are in place to protect that data. This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place. | To help protect sensitive data at rest, ensure encryption is enabled for your AWS CodeBuild artifacts. | |
| 1_DEVELOP GOOD CYBERSECURITY CULTURE: REMEMBER DATA PROTECTION | Under the EU General Data Protection Regulation1 any SMEs that process or store personal data belonging to EU/EEA residents need to ensure that appropriate security controls are in place to protect that data. This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place. | To help protect data at rest, ensure encryption with AWS Key Management Service (AWS KMS) is enabled for AWS Secrets Manager secrets. Because sensitive data can exist at rest in Secrets Manager secrets, enable encryption at rest to help protect that data. | |
| 1_DEVELOP GOOD CYBERSECURITY CULTURE: REMEMBER DATA PROTECTION | Under the EU General Data Protection Regulation1 any SMEs that process or store personal data belonging to EU/EEA residents need to ensure that appropriate security controls are in place to protect that data. This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place. | To help protect sensitive data at rest, ensure encryption is enabled for your AWS CodeBuild logs stored in Amazon S3. | |
| 1_DEVELOP GOOD CYBERSECURITY CULTURE: REMEMBER DATA PROTECTION | Under the EU General Data Protection Regulation1 any SMEs that process or store personal data belonging to EU/EEA residents need to ensure that appropriate security controls are in place to protect that data. This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place. | Because sensitive data can exist and to help protect data at rest, ensure encryption is enabled for your Amazon OpenSearch Service domains. | |
| 1_DEVELOP GOOD CYBERSECURITY CULTURE: REMEMBER DATA PROTECTION | Under the EU General Data Protection Regulation1 any SMEs that process or store personal data belonging to EU/EEA residents need to ensure that appropriate security controls are in place to protect that data. This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place. | Ensure node-to-node encryption for Amazon Elasticsearch Service is enabled. Node-to-node encryption enables TLS 1.2 encryption for all communications within the Amazon Virtual Private Cloud (Amazon VPC). Because sensitive data can exist, enable encryption in transit to help protect that data. | |
| 1_DEVELOP GOOD CYBERSECURITY CULTURE: REMEMBER DATA PROTECTION | Under the EU General Data Protection Regulation1 any SMEs that process or store personal data belonging to EU/EEA residents need to ensure that appropriate security controls are in place to protect that data. This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place. | Ensure node-to-node encryption for Amazon OpenSearch Service is enabled. Node-to-node encryption enables TLS 1.2 encryption for all communications within the Amazon Virtual Private Cloud (Amazon VPC). Because sensitive data can exist, enable encryption in transit to help protect that data. | |
| 1_DEVELOP GOOD CYBERSECURITY CULTURE: REMEMBER DATA PROTECTION | Under the EU General Data Protection Regulation1 any SMEs that process or store personal data belonging to EU/EEA residents need to ensure that appropriate security controls are in place to protect that data. This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place. | Ensure that your Elastic Load Balancers (ELBs) are configured with SSL or HTTPS listeners. Because sensitive data can exist, enable encryption in transit to help protect that data. | |
| 1_DEVELOP GOOD CYBERSECURITY CULTURE: REMEMBER DATA PROTECTION | Under the EU General Data Protection Regulation1 any SMEs that process or store personal data belonging to EU/EEA residents need to ensure that appropriate security controls are in place to protect that data. This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place. | Because sensitive data can exist and to help protect data at transit, ensure encryption is enabled for your Elastic Load Balancing. Use AWS Certificate Manager to manage, provision and deploy public and private SSL/TLS certificates with AWS services and internal resources. | |
| 1_DEVELOP GOOD CYBERSECURITY CULTURE: REMEMBER DATA PROTECTION | Under the EU General Data Protection Regulation1 any SMEs that process or store personal data belonging to EU/EEA residents need to ensure that appropriate security controls are in place to protect that data. This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place. | Because sensitive data can exist and to help protect data at transit, ensure encryption is enabled for your Elastic Load Balancing. Use AWS Certificate Manager to manage, provision and deploy public and private SSL/TLS certificates with AWS services and internal resources. | |
| 1_DEVELOP GOOD CYBERSECURITY CULTURE: REMEMBER DATA PROTECTION | Under the EU General Data Protection Regulation1 any SMEs that process or store personal data belonging to EU/EEA residents need to ensure that appropriate security controls are in place to protect that data. This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place. | Because sensitive data can exist and to help protect data at rest, ensure encryption is enabled for your Amazon Elastic Block Store (Amazon EBS) volumes. | |
| 1_DEVELOP GOOD CYBERSECURITY CULTURE: REMEMBER DATA PROTECTION | Under the EU General Data Protection Regulation1 any SMEs that process or store personal data belonging to EU/EEA residents need to ensure that appropriate security controls are in place to protect that data. This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place. | Because sensitive data can exist and to help protect data at rest, ensure encryption is enabled for your Amazon Kinesis Streams. | |
| 1_DEVELOP GOOD CYBERSECURITY CULTURE: REMEMBER DATA PROTECTION | Under the EU General Data Protection Regulation1 any SMEs that process or store personal data belonging to EU/EEA residents need to ensure that appropriate security controls are in place to protect that data. This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place. | AWS Identity and Access Management (IAM) can help you incorporate the principles of least privilege and separation of duties with access permissions and authorizations, restricting policies from containing "Effect": "Allow" with "Action": "*" over "Resource": "*". Allowing users to have more privileges than needed to complete a task may violate the principle of least privilege and separation of duties. | |
| 1_DEVELOP GOOD CYBERSECURITY CULTURE: REMEMBER DATA PROTECTION | Under the EU General Data Protection Regulation1 any SMEs that process or store personal data belonging to EU/EEA residents need to ensure that appropriate security controls are in place to protect that data. This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place. | Ensure IAM Actions are restricted to only those actions that are needed. Allowing users to have more privileges than needed to complete a task may violate the principle of least privilege and separation of duties. | |
| 1_DEVELOP GOOD CYBERSECURITY CULTURE: REMEMBER DATA PROTECTION | Under the EU General Data Protection Regulation1 any SMEs that process or store personal data belonging to EU/EEA residents need to ensure that appropriate security controls are in place to protect that data. This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place. | Amazon Elastic Compute Cloud (Amazon EC2) Security Groups can help manage network access by providing stateful filtering of ingress and egress network traffic to AWS resources. Not allowing ingress (or remote) traffic from 0.0.0.0/0 to port 22 on your resources help you restricting remote access. | |
| 1_DEVELOP GOOD CYBERSECURITY CULTURE: REMEMBER DATA PROTECTION | Under the EU General Data Protection Regulation1 any SMEs that process or store personal data belonging to EU/EEA residents need to ensure that appropriate security controls are in place to protect that data. This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place. | Manage access to resources in the AWS Cloud by ensuring that internet gateways are only attached to authorized Amazon Virtual Private Cloud (Amazon VPC). Internet gateways allow bi-directional internet access to and from the Amazon VPC that can potentially lead to unauthorized access to Amazon VPC resources. | |
| 1_DEVELOP GOOD CYBERSECURITY CULTURE: REMEMBER DATA PROTECTION | Under the EU General Data Protection Regulation1 any SMEs that process or store personal data belonging to EU/EEA residents need to ensure that appropriate security controls are in place to protect that data. This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place. | Ensure Amazon EC2 route tables do not have unrestricted routes to an internet gateway. Removing or limiting the access to the internet for workloads within Amazon VPCs can reduce unintended access within your environment. | |
| 1_DEVELOP GOOD CYBERSECURITY CULTURE: REMEMBER DATA PROTECTION | Under the EU General Data Protection Regulation1 any SMEs that process or store personal data belonging to EU/EEA residents need to ensure that appropriate security controls are in place to protect that data. This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place. | Ensure that encryption is enabled for your Amazon Relational Database Service (Amazon RDS) snapshots. Because sensitive data can exist at rest, enable encryption at rest to help protect that data. | |
| 1_DEVELOP GOOD CYBERSECURITY CULTURE: REMEMBER DATA PROTECTION | Under the EU General Data Protection Regulation1 any SMEs that process or store personal data belonging to EU/EEA residents need to ensure that appropriate security controls are in place to protect that data. This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place. | To help protect data at rest, ensure that encryption is enabled for your Amazon Relational Database Service (Amazon RDS) instances. Because sensitive data can exist at rest in Amazon RDS instances, enable encryption at rest to help protect that data. | |
| 1_DEVELOP GOOD CYBERSECURITY CULTURE: REMEMBER DATA PROTECTION | Under the EU General Data Protection Regulation1 any SMEs that process or store personal data belonging to EU/EEA residents need to ensure that appropriate security controls are in place to protect that data. This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place. | To protect data at rest, ensure that encryption is enabled for your Amazon Redshift clusters. You must also ensure that required configurations are deployed on Amazon Redshift clusters. The audit logging should be enabled to provide information about connections and user activities in the database. This rule requires that a value is set for clusterDbEncrypted (Config Default : TRUE), and loggingEnabled (Config Default: TRUE). The actual values should reflect your organization's policies. | |
| 1_DEVELOP GOOD CYBERSECURITY CULTURE: REMEMBER DATA PROTECTION | Under the EU General Data Protection Regulation1 any SMEs that process or store personal data belonging to EU/EEA residents need to ensure that appropriate security controls are in place to protect that data. This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place. | Ensure that your Amazon Redshift clusters require TLS/SSL encryption to connect to SQL clients. Because sensitive data can exist, enable encryption in transit to help protect that data. | |
| 1_DEVELOP GOOD CYBERSECURITY CULTURE: REMEMBER DATA PROTECTION | Under the EU General Data Protection Regulation1 any SMEs that process or store personal data belonging to EU/EEA residents need to ensure that appropriate security controls are in place to protect that data. This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place. | To help protect data at rest, ensure encryption with AWS Key Management Service (AWS KMS) is enabled for your Amazon Redshift cluster. Because sensitive data can exist at rest in Redshift clusters, enable encryption at rest to help protect that data. | |
| 1_DEVELOP GOOD CYBERSECURITY CULTURE: REMEMBER DATA PROTECTION | Under the EU General Data Protection Regulation1 any SMEs that process or store personal data belonging to EU/EEA residents need to ensure that appropriate security controls are in place to protect that data. This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place. | Ensure that encryption is enabled for your Amazon Simple Storage Service (Amazon S3) buckets. Because sensitive data can exist at rest in an Amazon S3 bucket, enable encryption at rest to help protect that data. | |
| 1_DEVELOP GOOD CYBERSECURITY CULTURE: REMEMBER DATA PROTECTION | Under the EU General Data Protection Regulation1 any SMEs that process or store personal data belonging to EU/EEA residents need to ensure that appropriate security controls are in place to protect that data. This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place. | To help protect data at rest, ensure encryption is enabled for your Amazon Simple Storage Service (Amazon S3) buckets. Because sensitive data can exist at rest in Amazon S3 buckets, enable encryption to help protect that data. | |
| 1_DEVELOP GOOD CYBERSECURITY CULTURE: REMEMBER DATA PROTECTION | Under the EU General Data Protection Regulation1 any SMEs that process or store personal data belonging to EU/EEA residents need to ensure that appropriate security controls are in place to protect that data. This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place. | To help protect data in transit, ensure that your Amazon Simple Storage Service (Amazon S3) buckets require requests to use Secure Socket Layer (SSL). Because sensitive data can exist, enable encryption in transit to help protect that data. | |
| 1_DEVELOP GOOD CYBERSECURITY CULTURE: REMEMBER DATA PROTECTION | Under the EU General Data Protection Regulation1 any SMEs that process or store personal data belonging to EU/EEA residents need to ensure that appropriate security controls are in place to protect that data. This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place. | To help protect data at rest, ensure encryption with AWS Key Management Service (AWS KMS) is enabled for your SageMaker endpoint. Because sensitive data can exist at rest in SageMaker endpoint, enable encryption at rest to help protect that data. | |
| 1_DEVELOP GOOD CYBERSECURITY CULTURE: REMEMBER DATA PROTECTION | Under the EU General Data Protection Regulation1 any SMEs that process or store personal data belonging to EU/EEA residents need to ensure that appropriate security controls are in place to protect that data. This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place. | To help protect data at rest, ensure encryption with AWS Key Management Service (AWS KMS) is enabled for your SageMaker notebook. Because sensitive data can exist at rest in SageMaker notebook, enable encryption at rest to help protect that data. | |
| 1_DEVELOP GOOD CYBERSECURITY CULTURE: REMEMBER DATA PROTECTION | Under the EU General Data Protection Regulation1 any SMEs that process or store personal data belonging to EU/EEA residents need to ensure that appropriate security controls are in place to protect that data. This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place. | Manage access to resources in the AWS Cloud by ensuring that Amazon SageMaker notebooks do not allow direct internet access. By preventing direct internet access, you can keep sensitive data from being accessed by unauthorized users. | |
| 1_DEVELOP GOOD CYBERSECURITY CULTURE: REMEMBER DATA PROTECTION | Under the EU General Data Protection Regulation1 any SMEs that process or store personal data belonging to EU/EEA residents need to ensure that appropriate security controls are in place to protect that data. This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place. | To help protect data at rest, ensure that your Amazon Simple Notification Service (Amazon SNS) topics require encryption using AWS Key Management Service (AWS KMS). Because sensitive data can exist at rest in published messages, enable encryption at rest to help protect that data. | |
| 1_DEVELOP GOOD CYBERSECURITY CULTURE: REMEMBER DATA PROTECTION | Under the EU General Data Protection Regulation1 any SMEs that process or store personal data belonging to EU/EEA residents need to ensure that appropriate security controls are in place to protect that data. This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place. | Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) Security Groups. Not restricting access on ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems. By restricting access to resources within a security group from the internet (0.0.0.0/0) remote access can be controlled to internal systems. | |
| 2_PROVIDE APPROPRIATE TRAINING | Provide regular cybersecurity awareness trainings for all employees to ensure they can recognize and deal with the various cybersecurity threats. These trainings should be tailored for SME’s and focus on real-life situations. Provide specialized cybersecurity training for those responsible for managing cybersecurity within the business to ensure they will have the skills and competencies required to do their job. | security-awareness-program-exists(Process Check) | Establish and maintain a security awareness program for your organization. Security awareness programs educate employees on how to protect their organization from various security breaches or incidents. |
| 4_DEVELOP AN INCIDENT RESPONSE PLAN | Develop a formal incident response plan, which contains clear guidelines, roles and responsibilities documented to ensure that all security incidents are responded to in a timely, professional and appropriate manner. To respond quickly to security threats, investigate tools that could monitor and create alerts when suspicious activity or security breaches are occurring. | response-plan-exists-maintained(Process Check) | Ensure incident response plans are established, maintained, and distributed to responsible personnel. |
| 5_SECURE ACCESS TO SYSTEMS | Encourage everyone to use a passphrase, a collection of at least three random common words combined into a phrase that provide a very good combination of memorability and security. If you opt for a typical password: - Make it long, with lower and upper case characters, possibly also numbers and special characters. - Avoid obvious, such as “password”, sequences of letters or numbers like “abc”, numbers like “123”. - Avoid using personal info that can be found online. And whether you use passphrases or passwords - Do not reuse them elsewhere. - Do not share them with colleagues. - Enable Multi-Factor Authentication. - Use a dedicated password manager. | The identities and the credentials are issued, managed, and verified based on an organizational IAM password policy. They meet or exceed requirements as stated by NIST SP 800-63 and the AWS Foundational Security Best Practices standard for password strength. This rule allows you to optionally set RequireUppercaseCharacters (AWS Foundational Security Best Practices value: true), RequireLowercaseCharacters (AWS Foundational Security Best Practices value: true), RequireSymbols (AWS Foundational Security Best Practices value: true), RequireNumbers (AWS Foundational Security Best Practices value: true), MinimumPasswordLength (AWS Foundational Security Best Practices value: 14), PasswordReusePrevention (AWS Foundational Security Best Practices value: 24), and MaxPasswordAge (AWS Foundational Security Best Practices value: 90) for your IAM Password Policy. The actual values should reflect your organization's policies. | |
| 5_SECURE ACCESS TO SYSTEMS | Encourage everyone to use a passphrase, a collection of at least three random common words combined into a phrase that provide a very good combination of memorability and security. If you opt for a typical password: - Make it long, with lower and upper case characters, possibly also numbers and special characters. - Avoid obvious, such as “password”, sequences of letters or numbers like “abc”, numbers like “123”. - Avoid using personal info that can be found online. And whether you use passphrases or passwords - Do not reuse them elsewhere. - Do not share them with colleagues. - Enable Multi-Factor Authentication. - Use a dedicated password manager. | Enable this rule to restrict access to resources in the AWS Cloud. This rule ensures multi-factor authentication (MFA) is enabled for all users. MFA adds an extra layer of protection on top of sign-in credentials. Reduce the incidents of compromised accounts by requiring MFA for users. | |
| 5_SECURE ACCESS TO SYSTEMS | Encourage everyone to use a passphrase, a collection of at least three random common words combined into a phrase that provide a very good combination of memorability and security. If you opt for a typical password: - Make it long, with lower and upper case characters, possibly also numbers and special characters. - Avoid obvious, such as “password”, sequences of letters or numbers like “abc”, numbers like “123”. - Avoid using personal info that can be found online. And whether you use passphrases or passwords - Do not reuse them elsewhere. - Do not share them with colleagues. - Enable Multi-Factor Authentication. - Use a dedicated password manager. | Manage access to resources in the AWS Cloud by ensuring that MFA is enabled for all AWS Identity and Access Management (IAM) users that have a console password. MFA adds an extra layer of protection on top of sign-in credentials. By requiring MFA for users, you can reduce incidents of compromised accounts and keep sensitive data from being accessed by unauthorized users. | |
| 5_SECURE ACCESS TO SYSTEMS | Encourage everyone to use a passphrase, a collection of at least three random common words combined into a phrase that provide a very good combination of memorability and security. If you opt for a typical password: - Make it long, with lower and upper case characters, possibly also numbers and special characters. - Avoid obvious, such as “password”, sequences of letters or numbers like “abc”, numbers like “123”. - Avoid using personal info that can be found online. And whether you use passphrases or passwords - Do not reuse them elsewhere. - Do not share them with colleagues. - Enable Multi-Factor Authentication. - Use a dedicated password manager. | Manage access to resources in the AWS Cloud by ensuring hardware MFA is enabled for the root user. The root user is the most privileged user in an AWS account. The MFA adds an extra layer of protection for sign-in credentials. By requiring MFA for the root user, you can reduce the incidents of compromised AWS accounts. | |
| 5_SECURE ACCESS TO SYSTEMS | Encourage everyone to use a passphrase, a collection of at least three random common words combined into a phrase that provide a very good combination of memorability and security. If you opt for a typical password: - Make it long, with lower and upper case characters, possibly also numbers and special characters. - Avoid obvious, such as “password”, sequences of letters or numbers like “abc”, numbers like “123”. - Avoid using personal info that can be found online. And whether you use passphrases or passwords - Do not reuse them elsewhere. - Do not share them with colleagues. - Enable Multi-Factor Authentication. - Use a dedicated password manager. | Manage access to resources in the AWS Cloud by ensuring MFA is enabled for the root user. The root user is the most privileged user in an AWS account. The MFA adds an extra layer of protection for sign-in credentials. By requiring MFA for the root user, you can reduce the incidents of compromised AWS accounts. | |
| 6_SECURE DEVICES: KEEP SOFTWARE PATCHED AND UP TO DATE | Ideally using a centralized platform to manage patching. It is highly recommended for SMEs to: - Regularly update all of their software. - Turn on automatic updates whenever possible. - Identify software and hardware that requires manual updates. - Take into account mobile and IoT devices. | Use AWS Systems Manager Associations to help with inventory of software platforms and applications within an organization. AWS Systems Manager assigns a configuration state to your managed instances and allows you to set baselines of operating system patch levels, software installations, application configurations, and other details about your environment. | |
| 6_SECURE DEVICES: KEEP SOFTWARE PATCHED AND UP TO DATE | Ideally using a centralized platform to manage patching. It is highly recommended for SMEs to: - Regularly update all of their software. - Turn on automatic updates whenever possible. - Identify software and hardware that requires manual updates. - Take into account mobile and IoT devices. | Enable this rule to help with identification and documentation of Amazon Elastic Compute Cloud (Amazon EC2) vulnerabilities. The rule checks if Amazon EC2 instance patch compliance in AWS Systems Manager as required by your organization's policies and procedures. | |
| 6_SECURE DEVICES: KEEP SOFTWARE PATCHED AND UP TO DATE | Ideally using a centralized platform to manage patching. It is highly recommended for SMEs to: - Regularly update all of their software. - Turn on automatic updates whenever possible. - Identify software and hardware that requires manual updates. - Take into account mobile and IoT devices. | An inventory of the software platforms and applications within the organization is possible by managing Amazon Elastic Compute Cloud (Amazon EC2) instances with AWS Systems Manager. Use AWS Systems Manager to provide detailed system configurations, operating system patch levels, services name and type, software installations, application name, publisher and version, and other details about your environment. | |
| 6_SECURE DEVICES: KEEP SOFTWARE PATCHED AND UP TO DATE | Ideally using a centralized platform to manage patching. It is highly recommended for SMEs to: - Regularly update all of their software. - Turn on automatic updates whenever possible. - Identify software and hardware that requires manual updates. - Take into account mobile and IoT devices. | Security updates and patches are deployed automatically for your AWS Fargate tasks. If a security issue is found that affects an AWS Fargate platform version, AWS patches the platform version. To assist in patch management of your Amazon Elastic Container Service (ECS) tasks running AWS Fargate, update your services standalone tasks to use the most recent platform version. | |
| 6_SECURE DEVICES: KEEP SOFTWARE PATCHED AND UP TO DATE | Ideally using a centralized platform to manage patching. It is highly recommended for SMEs to: - Regularly update all of their software. - Turn on automatic updates whenever possible. - Identify software and hardware that requires manual updates. - Take into account mobile and IoT devices. | Enabling managed platform updates for an Amazon Elastic Beanstalk environment ensures that the latest available platform fixes, updates, and features for the environment are installed. Keeping up to date with patch installation is a best practice in securing systems. | |
| 6_SECURE DEVICES: KEEP SOFTWARE PATCHED AND UP TO DATE | Ideally using a centralized platform to manage patching. It is highly recommended for SMEs to: - Regularly update all of their software. - Turn on automatic updates whenever possible. - Identify software and hardware that requires manual updates. - Take into account mobile and IoT devices. | Enable automatic minor version upgrades on your Amazon Relational Database Service (RDS) instances to ensure the latest minor version updates to the Relational Database Management System (RDBMS) are installed, which may include security patches and bug fixes. | |
| 6_SECURE DEVICES: KEEP SOFTWARE PATCHED AND UP TO DATE | Ideally using a centralized platform to manage patching. It is highly recommended for SMEs to: - Regularly update all of their software. - Turn on automatic updates whenever possible. - Identify software and hardware that requires manual updates. - Take into account mobile and IoT devices. | This rule ensures that Amazon Redshift clusters have the preferred settings for your organization. Specifically, that they have preferred maintenance windows and automated snapshot retention periods for the database. This rule requires you to set the allowVersionUpgrade. The default is true. It also lets you optionally set the preferredMaintenanceWindow (the default is sat:16:00-sat:16:30), and the automatedSnapshotRetentionPeriod (the default is 1). The actual values should reflect your organization's policies. | |
| 6_SECURE DEVICES: ENCRYPTION | Protect data by encrypting it. SMEs should ensure the data stored on mobile devices such as laptops, smartphones, and tables are encrypted. For data transferred over public networks, such as hotel or airport WiFi networks, ensure that data is encrypted, either by employing a Virtual Private Network (VPN) or accessing websites over secure connections using SSL/TLS protocol. Ensure their own websites are employing suitable encryption technology to protect client data as it travels over the Internet. | To help protect data at rest, ensure encryption is enabled for your API Gateway stage's cache. Because sensitive data can be captured for the API method, enable encryption at rest to help protect that data. | |
| 6_SECURE DEVICES: ENCRYPTION | Protect data by encrypting it. SMEs should ensure the data stored on mobile devices such as laptops, smartphones, and tables are encrypted. For data transferred over public networks, such as hotel or airport WiFi networks, ensure that data is encrypted, either by employing a Virtual Private Network (VPN) or accessing websites over secure connections using SSL/TLS protocol. Ensure their own websites are employing suitable encryption technology to protect client data as it travels over the Internet. | Ensure that encryption is enabled for your AWS Backup recovery points. Because sensitive data can exist at rest, enable encryption at rest to help protect that data. | |
| 6_SECURE DEVICES: ENCRYPTION | Protect data by encrypting it. SMEs should ensure the data stored on mobile devices such as laptops, smartphones, and tables are encrypted. For data transferred over public networks, such as hotel or airport WiFi networks, ensure that data is encrypted, either by employing a Virtual Private Network (VPN) or accessing websites over secure connections using SSL/TLS protocol. Ensure their own websites are employing suitable encryption technology to protect client data as it travels over the Internet. | Because sensitive data may exist and to help protect data at rest, ensure encryption is enabled for your AWS CloudTrail trails. | |
| 6_SECURE DEVICES: ENCRYPTION | Protect data by encrypting it. SMEs should ensure the data stored on mobile devices such as laptops, smartphones, and tables are encrypted. For data transferred over public networks, such as hotel or airport WiFi networks, ensure that data is encrypted, either by employing a Virtual Private Network (VPN) or accessing websites over secure connections using SSL/TLS protocol. Ensure their own websites are employing suitable encryption technology to protect client data as it travels over the Internet. | Utilize AWS CloudTrail log file validation to check the integrity of CloudTrail logs. Log file validation helps determine if a log file was modified or deleted or unchanged after CloudTrail delivered it. This feature is built using industry standard algorithms: SHA-256 for hashing and SHA-256 with RSA for digital signing. This makes it computationally infeasible to modify, delete or forge CloudTrail log files without detection. | |
| 6_SECURE DEVICES: ENCRYPTION | Protect data by encrypting it. SMEs should ensure the data stored on mobile devices such as laptops, smartphones, and tables are encrypted. For data transferred over public networks, such as hotel or airport WiFi networks, ensure that data is encrypted, either by employing a Virtual Private Network (VPN) or accessing websites over secure connections using SSL/TLS protocol. Ensure their own websites are employing suitable encryption technology to protect client data as it travels over the Internet. | To help protect sensitive data at rest, ensure encryption is enabled for your Amazon CloudWatch Log Groups. | |
| 6_SECURE DEVICES: ENCRYPTION | Protect data by encrypting it. SMEs should ensure the data stored on mobile devices such as laptops, smartphones, and tables are encrypted. For data transferred over public networks, such as hotel or airport WiFi networks, ensure that data is encrypted, either by employing a Virtual Private Network (VPN) or accessing websites over secure connections using SSL/TLS protocol. Ensure their own websites are employing suitable encryption technology to protect client data as it travels over the Internet. | To help protect sensitive data at rest, ensure encryption is enabled for your AWS CodeBuild artifacts. | |
| 6_SECURE DEVICES: ENCRYPTION | Protect data by encrypting it. SMEs should ensure the data stored on mobile devices such as laptops, smartphones, and tables are encrypted. For data transferred over public networks, such as hotel or airport WiFi networks, ensure that data is encrypted, either by employing a Virtual Private Network (VPN) or accessing websites over secure connections using SSL/TLS protocol. Ensure their own websites are employing suitable encryption technology to protect client data as it travels over the Internet. | To help protect sensitive data at rest, ensure encryption is enabled for your AWS CodeBuild logs stored in Amazon S3. | |
| 6_SECURE DEVICES: ENCRYPTION | Protect data by encrypting it. SMEs should ensure the data stored on mobile devices such as laptops, smartphones, and tables are encrypted. For data transferred over public networks, such as hotel or airport WiFi networks, ensure that data is encrypted, either by employing a Virtual Private Network (VPN) or accessing websites over secure connections using SSL/TLS protocol. Ensure their own websites are employing suitable encryption technology to protect client data as it travels over the Internet. | Ensure that encryption is enabled for your Amazon DynamoDB tables. Because sensitive data can exist at rest in these tables, enable encryption at rest to help protect that data. By default, DynamoDB tables are encrypted with an AWS owned customer master key (CMK). | |
| 6_SECURE DEVICES: ENCRYPTION | Protect data by encrypting it. SMEs should ensure the data stored on mobile devices such as laptops, smartphones, and tables are encrypted. For data transferred over public networks, such as hotel or airport WiFi networks, ensure that data is encrypted, either by employing a Virtual Private Network (VPN) or accessing websites over secure connections using SSL/TLS protocol. Ensure their own websites are employing suitable encryption technology to protect client data as it travels over the Internet. | To help protect data at rest, ensure that encryption is enabled for your Amazon Elastic Block Store (Amazon EBS) volumes. Because sensitive data can exist at rest in these volumes, enable encryption at rest to help protect that data. | |
| 6_SECURE DEVICES: ENCRYPTION | Protect data by encrypting it. SMEs should ensure the data stored on mobile devices such as laptops, smartphones, and tables are encrypted. For data transferred over public networks, such as hotel or airport WiFi networks, ensure that data is encrypted, either by employing a Virtual Private Network (VPN) or accessing websites over secure connections using SSL/TLS protocol. Ensure their own websites are employing suitable encryption technology to protect client data as it travels over the Internet. | Because sensitive data can exist and to help protect data at rest, ensure encryption is enabled for your Amazon Elastic File System (EFS). | |
| 6_SECURE DEVICES: ENCRYPTION | Protect data by encrypting it. SMEs should ensure the data stored on mobile devices such as laptops, smartphones, and tables are encrypted. For data transferred over public networks, such as hotel or airport WiFi networks, ensure that data is encrypted, either by employing a Virtual Private Network (VPN) or accessing websites over secure connections using SSL/TLS protocol. Ensure their own websites are employing suitable encryption technology to protect client data as it travels over the Internet. | Because sensitive data can exist and to help protect data at rest, ensure encryption is enabled for your Amazon Elasticsearch Service (Amazon ES) domains. | |
| 6_SECURE DEVICES: ENCRYPTION | Protect data by encrypting it. SMEs should ensure the data stored on mobile devices such as laptops, smartphones, and tables are encrypted. For data transferred over public networks, such as hotel or airport WiFi networks, ensure that data is encrypted, either by employing a Virtual Private Network (VPN) or accessing websites over secure connections using SSL/TLS protocol. Ensure their own websites are employing suitable encryption technology to protect client data as it travels over the Internet. | Because sensitive data can exist and to help protect data at transit, ensure encryption is enabled for your Elastic Load Balancing. Use AWS Certificate Manager to manage, provision and deploy public and private SSL/TLS certificates with AWS services and internal resources. | |
| 6_SECURE DEVICES: ENCRYPTION | Protect data by encrypting it. SMEs should ensure the data stored on mobile devices such as laptops, smartphones, and tables are encrypted. For data transferred over public networks, such as hotel or airport WiFi networks, ensure that data is encrypted, either by employing a Virtual Private Network (VPN) or accessing websites over secure connections using SSL/TLS protocol. Ensure their own websites are employing suitable encryption technology to protect client data as it travels over the Internet. | Because sensitive data can exist and to help protect data at transit, ensure encryption is enabled for your Elastic Load Balancing. Use AWS Certificate Manager to manage, provision and deploy public and private SSL/TLS certificates with AWS services and internal resources. | |
| 6_SECURE DEVICES: ENCRYPTION | Protect data by encrypting it. SMEs should ensure the data stored on mobile devices such as laptops, smartphones, and tables are encrypted. For data transferred over public networks, such as hotel or airport WiFi networks, ensure that data is encrypted, either by employing a Virtual Private Network (VPN) or accessing websites over secure connections using SSL/TLS protocol. Ensure their own websites are employing suitable encryption technology to protect client data as it travels over the Internet. | Because sensitive data can exist and to help protect data at rest, ensure encryption is enabled for your Amazon OpenSearch Service domains. | |
| 6_SECURE DEVICES: ENCRYPTION | Protect data by encrypting it. SMEs should ensure the data stored on mobile devices such as laptops, smartphones, and tables are encrypted. For data transferred over public networks, such as hotel or airport WiFi networks, ensure that data is encrypted, either by employing a Virtual Private Network (VPN) or accessing websites over secure connections using SSL/TLS protocol. Ensure their own websites are employing suitable encryption technology to protect client data as it travels over the Internet. | Ensure node-to-node encryption for Amazon Elasticsearch Service is enabled. Node-to-node encryption enables TLS 1.2 encryption for all communications within the Amazon Virtual Private Cloud (Amazon VPC). Because sensitive data can exist, enable encryption in transit to help protect that data. | |
| 6_SECURE DEVICES: ENCRYPTION | Protect data by encrypting it. SMEs should ensure the data stored on mobile devices such as laptops, smartphones, and tables are encrypted. For data transferred over public networks, such as hotel or airport WiFi networks, ensure that data is encrypted, either by employing a Virtual Private Network (VPN) or accessing websites over secure connections using SSL/TLS protocol. Ensure their own websites are employing suitable encryption technology to protect client data as it travels over the Internet. | Ensure node-to-node encryption for Amazon OpenSearch Service is enabled. Node-to-node encryption enables TLS 1.2 encryption for all communications within the Amazon Virtual Private Cloud (Amazon VPC). Because sensitive data can exist, enable encryption in transit to help protect that data. | |
| 6_SECURE DEVICES: ENCRYPTION | Protect data by encrypting it. SMEs should ensure the data stored on mobile devices such as laptops, smartphones, and tables are encrypted. For data transferred over public networks, such as hotel or airport WiFi networks, ensure that data is encrypted, either by employing a Virtual Private Network (VPN) or accessing websites over secure connections using SSL/TLS protocol. Ensure their own websites are employing suitable encryption technology to protect client data as it travels over the Internet. | Because sensitive data can exist and to help protect data in transit, ensure HTTPS is enabled for connections to your Amazon OpenSearch Service domains. | |
| 6_SECURE DEVICES: ENCRYPTION | Protect data by encrypting it. SMEs should ensure the data stored on mobile devices such as laptops, smartphones, and tables are encrypted. For data transferred over public networks, such as hotel or airport WiFi networks, ensure that data is encrypted, either by employing a Virtual Private Network (VPN) or accessing websites over secure connections using SSL/TLS protocol. Ensure their own websites are employing suitable encryption technology to protect client data as it travels over the Internet. | To help protect data at rest, ensure encryption with AWS Key Management Service (AWS KMS) is enabled for AWS Secrets Manager secrets. Because sensitive data can exist at rest in Secrets Manager secrets, enable encryption at rest to help protect that data. | |
| 6_SECURE DEVICES: ENCRYPTION | Protect data by encrypting it. SMEs should ensure the data stored on mobile devices such as laptops, smartphones, and tables are encrypted. For data transferred over public networks, such as hotel or airport WiFi networks, ensure that data is encrypted, either by employing a Virtual Private Network (VPN) or accessing websites over secure connections using SSL/TLS protocol. Ensure their own websites are employing suitable encryption technology to protect client data as it travels over the Internet. | Because sensitive data can exist and to help protect data at rest, ensure encryption is enabled for your Amazon Elastic Block Store (Amazon EBS) volumes. | |
| 6_SECURE DEVICES: ENCRYPTION | Protect data by encrypting it. SMEs should ensure the data stored on mobile devices such as laptops, smartphones, and tables are encrypted. For data transferred over public networks, such as hotel or airport WiFi networks, ensure that data is encrypted, either by employing a Virtual Private Network (VPN) or accessing websites over secure connections using SSL/TLS protocol. Ensure their own websites are employing suitable encryption technology to protect client data as it travels over the Internet. | Because sensitive data can exist and to help protect data at rest, ensure encryption is enabled for your Amazon Kinesis Streams. | |
| 6_SECURE DEVICES: ENCRYPTION | Protect data by encrypting it. SMEs should ensure the data stored on mobile devices such as laptops, smartphones, and tables are encrypted. For data transferred over public networks, such as hotel or airport WiFi networks, ensure that data is encrypted, either by employing a Virtual Private Network (VPN) or accessing websites over secure connections using SSL/TLS protocol. Ensure their own websites are employing suitable encryption technology to protect client data as it travels over the Internet. | Ensure that encryption is enabled for your Amazon Relational Database Service (Amazon RDS) snapshots. Because sensitive data can exist at rest, enable encryption at rest to help protect that data. | |
| 6_SECURE DEVICES: ENCRYPTION | Protect data by encrypting it. SMEs should ensure the data stored on mobile devices such as laptops, smartphones, and tables are encrypted. For data transferred over public networks, such as hotel or airport WiFi networks, ensure that data is encrypted, either by employing a Virtual Private Network (VPN) or accessing websites over secure connections using SSL/TLS protocol. Ensure their own websites are employing suitable encryption technology to protect client data as it travels over the Internet. | To help protect data at rest, ensure that encryption is enabled for your Amazon Relational Database Service (Amazon RDS) instances. Because sensitive data can exist at rest in Amazon RDS instances, enable encryption at rest to help protect that data. | |
| 6_SECURE DEVICES: ENCRYPTION | Protect data by encrypting it. SMEs should ensure the data stored on mobile devices such as laptops, smartphones, and tables are encrypted. For data transferred over public networks, such as hotel or airport WiFi networks, ensure that data is encrypted, either by employing a Virtual Private Network (VPN) or accessing websites over secure connections using SSL/TLS protocol. Ensure their own websites are employing suitable encryption technology to protect client data as it travels over the Internet. | To help protect data at rest, ensure encryption is enabled for your Amazon Simple Storage Service (Amazon S3) buckets. Because sensitive data can exist at rest in Amazon S3 buckets, enable encryption to help protect that data. | |
| 6_SECURE DEVICES: ENCRYPTION | Protect data by encrypting it. SMEs should ensure the data stored on mobile devices such as laptops, smartphones, and tables are encrypted. For data transferred over public networks, such as hotel or airport WiFi networks, ensure that data is encrypted, either by employing a Virtual Private Network (VPN) or accessing websites over secure connections using SSL/TLS protocol. Ensure their own websites are employing suitable encryption technology to protect client data as it travels over the Internet. | To help protect data at rest, ensure that your Amazon Simple Notification Service (Amazon SNS) topics require encryption using AWS Key Management Service (AWS KMS). Because sensitive data can exist at rest in published messages, enable encryption at rest to help protect that data. | |
| 6_SECURE DEVICES: ENCRYPTION | Protect data by encrypting it. SMEs should ensure the data stored on mobile devices such as laptops, smartphones, and tables are encrypted. For data transferred over public networks, such as hotel or airport WiFi networks, ensure that data is encrypted, either by employing a Virtual Private Network (VPN) or accessing websites over secure connections using SSL/TLS protocol. Ensure their own websites are employing suitable encryption technology to protect client data as it travels over the Internet. | To help protect data at rest, ensure encryption with AWS Key Management Service (AWS KMS) is enabled for your Amazon Redshift cluster. Because sensitive data can exist at rest in Redshift clusters, enable encryption at rest to help protect that data. | |
| 6_SECURE DEVICES: ENCRYPTION | Protect data by encrypting it. SMEs should ensure the data stored on mobile devices such as laptops, smartphones, and tables are encrypted. For data transferred over public networks, such as hotel or airport WiFi networks, ensure that data is encrypted, either by employing a Virtual Private Network (VPN) or accessing websites over secure connections using SSL/TLS protocol. Ensure their own websites are employing suitable encryption technology to protect client data as it travels over the Internet. | Ensure that encryption is enabled for your Amazon Simple Storage Service (Amazon S3) buckets. Because sensitive data can exist at rest in an Amazon S3 bucket, enable encryption at rest to help protect that data. | |
| 6_SECURE DEVICES: ENCRYPTION | Protect data by encrypting it. SMEs should ensure the data stored on mobile devices such as laptops, smartphones, and tables are encrypted. For data transferred over public networks, such as hotel or airport WiFi networks, ensure that data is encrypted, either by employing a Virtual Private Network (VPN) or accessing websites over secure connections using SSL/TLS protocol. Ensure their own websites are employing suitable encryption technology to protect client data as it travels over the Internet. | To help protect data at rest, ensure encryption with AWS Key Management Service (AWS KMS) is enabled for your SageMaker endpoint. Because sensitive data can exist at rest in SageMaker endpoint, enable encryption at rest to help protect that data. | |
| 6_SECURE DEVICES: ENCRYPTION | Protect data by encrypting it. SMEs should ensure the data stored on mobile devices such as laptops, smartphones, and tables are encrypted. For data transferred over public networks, such as hotel or airport WiFi networks, ensure that data is encrypted, either by employing a Virtual Private Network (VPN) or accessing websites over secure connections using SSL/TLS protocol. Ensure their own websites are employing suitable encryption technology to protect client data as it travels over the Internet. | To help protect data at rest, ensure encryption with AWS Key Management Service (AWS KMS) is enabled for your SageMaker notebook. Because sensitive data can exist at rest in SageMaker notebook, enable encryption at rest to help protect that data. | |
| 6_SECURE DEVICES: ENCRYPTION | Protect data by encrypting it. SMEs should ensure the data stored on mobile devices such as laptops, smartphones, and tables are encrypted. For data transferred over public networks, such as hotel or airport WiFi networks, ensure that data is encrypted, either by employing a Virtual Private Network (VPN) or accessing websites over secure connections using SSL/TLS protocol. Ensure their own websites are employing suitable encryption technology to protect client data as it travels over the Internet. | To help protect data in transit, ensure that your Application Load Balancer automatically redirects unencrypted HTTP requests to HTTPS. Because sensitive data can exist, enable encryption in transit to help protect that data. | |
| 6_SECURE DEVICES: ENCRYPTION | Protect data by encrypting it. SMEs should ensure the data stored on mobile devices such as laptops, smartphones, and tables are encrypted. For data transferred over public networks, such as hotel or airport WiFi networks, ensure that data is encrypted, either by employing a Virtual Private Network (VPN) or accessing websites over secure connections using SSL/TLS protocol. Ensure their own websites are employing suitable encryption technology to protect client data as it travels over the Internet. | Ensure that your Elastic Load Balancers (ELBs) are configured with SSL or HTTPS listeners. Because sensitive data can exist, enable encryption in transit to help protect that data. | |
| 6_SECURE DEVICES: ENCRYPTION | Protect data by encrypting it. SMEs should ensure the data stored on mobile devices such as laptops, smartphones, and tables are encrypted. For data transferred over public networks, such as hotel or airport WiFi networks, ensure that data is encrypted, either by employing a Virtual Private Network (VPN) or accessing websites over secure connections using SSL/TLS protocol. Ensure their own websites are employing suitable encryption technology to protect client data as it travels over the Internet. | Ensure Amazon API Gateway REST API stages are configured with SSL certificates to allow backend systems to authenticate that requests originate from API Gateway. | |
| 6_SECURE DEVICES: ENCRYPTION | Protect data by encrypting it. SMEs should ensure the data stored on mobile devices such as laptops, smartphones, and tables are encrypted. For data transferred over public networks, such as hotel or airport WiFi networks, ensure that data is encrypted, either by employing a Virtual Private Network (VPN) or accessing websites over secure connections using SSL/TLS protocol. Ensure their own websites are employing suitable encryption technology to protect client data as it travels over the Internet. | Ensure that your Amazon Redshift clusters require TLS/SSL encryption to connect to SQL clients. Because sensitive data can exist, enable encryption in transit to help protect that data. | |
| 6_SECURE DEVICES: ENCRYPTION | Protect data by encrypting it. SMEs should ensure the data stored on mobile devices such as laptops, smartphones, and tables are encrypted. For data transferred over public networks, such as hotel or airport WiFi networks, ensure that data is encrypted, either by employing a Virtual Private Network (VPN) or accessing websites over secure connections using SSL/TLS protocol. Ensure their own websites are employing suitable encryption technology to protect client data as it travels over the Internet. | To help protect data in transit, ensure that your Amazon Simple Storage Service (Amazon S3) buckets require requests to use Secure Socket Layer (SSL). Because sensitive data can exist, enable encryption in transit to help protect that data. | |
| 7_SECURE YOUR NETWORK: EMPLOY FIREWALLS | Firewalls manage the traffic that enters and leaves a network and are a critical tool in protecting SMEs systems. Firewalls should be deployed to protect all critical systems, in particular a firewall should be employed to protect the SME’s network from the Internet. | Amazon Elastic Compute Cloud (Amazon EC2) Security Groups can help manage network access by providing stateful filtering of ingress and egress network traffic to AWS resources. Not allowing ingress (or remote) traffic from 0.0.0.0/0 to port 22 on your resources help you restricting remote access. | |
| 7_SECURE YOUR NETWORK: EMPLOY FIREWALLS | Firewalls manage the traffic that enters and leaves a network and are a critical tool in protecting SMEs systems. Firewalls should be deployed to protect all critical systems, in particular a firewall should be employed to protect the SME’s network from the Internet. | Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems. This rule allows you to optionally set blockedPort1 - blockedPort5 parameters (Config Defaults: 20,21,3389,3306,4333). The actual values should reflect your organization's policies. | |
| 7_SECURE YOUR NETWORK: EMPLOY FIREWALLS | Firewalls manage the traffic that enters and leaves a network and are a critical tool in protecting SMEs systems. Firewalls should be deployed to protect all critical systems, in particular a firewall should be employed to protect the SME’s network from the Internet. | Amazon Elastic Compute Cloud (Amazon EC2) security groups can help in the management of network access by providing stateful filtering of ingress and egress network traffic to AWS resources. Restricting all the traffic on the default security group helps in restricting remote access to your AWS resources. | |
| 7_SECURE YOUR NETWORK: EMPLOY FIREWALLS | Firewalls manage the traffic that enters and leaves a network and are a critical tool in protecting SMEs systems. Firewalls should be deployed to protect all critical systems, in particular a firewall should be employed to protect the SME’s network from the Internet. | Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) Security Groups. Not restricting access on ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems. By restricting access to resources within a security group from the internet (0.0.0.0/0) remote access can be controlled to internal systems. | |
| 7_SECURE YOUR NETWORK: EMPLOY FIREWALLS | Firewalls manage the traffic that enters and leaves a network and are a critical tool in protecting SMEs systems. Firewalls should be deployed to protect all critical systems, in particular a firewall should be employed to protect the SME’s network from the Internet. | Ensure AWS WAF is enabled on Elastic Load Balancers (ELB) to help protect web applications. A WAF helps to protect your web applications or APIs against common web exploits. These web exploits may affect availability, compromise security, or consume excessive resources within your environment. | |
| 7_SECURE YOUR NETWORK: EMPLOY FIREWALLS | Firewalls manage the traffic that enters and leaves a network and are a critical tool in protecting SMEs systems. Firewalls should be deployed to protect all critical systems, in particular a firewall should be employed to protect the SME’s network from the Internet. | AWS WAF enables you to configure a set of rules (called a web access control list (web ACL)) that allow, block, or count web requests based on customizable web security rules and conditions that you define. Ensure your Amazon API Gateway stage is associated with a WAF Web ACL to protect it from malicious attacks | |
| 7_SECURE YOUR NETWORK: EMPLOY FIREWALLS | Firewalls manage the traffic that enters and leaves a network and are a critical tool in protecting SMEs systems. Firewalls should be deployed to protect all critical systems, in particular a firewall should be employed to protect the SME’s network from the Internet. | An AWS Network Firewall policy defines how your firewall monitors and handles traffic in an Amazon VPC. You configure stateless and stateful rule groups to filter packets and traffic flows, and you define default traffic handling. | |
| 7_SECURE YOUR NETWORK: EMPLOY FIREWALLS | Firewalls manage the traffic that enters and leaves a network and are a critical tool in protecting SMEs systems. Firewalls should be deployed to protect all critical systems, in particular a firewall should be employed to protect the SME’s network from the Internet. | An AWS Network Firewall rule group contains rules that define how your firewall processes traffic in your VPC. An empty stateless rule group when present in a firewall policy does not process traffic. | |
| 7_SECURE YOUR NETWORK: EMPLOY FIREWALLS | Firewalls manage the traffic that enters and leaves a network and are a critical tool in protecting SMEs systems. Firewalls should be deployed to protect all critical systems, in particular a firewall should be employed to protect the SME’s network from the Internet. | Ensure your AWS WAF has a rule that is not empty. A rule with no conditions could result in unintended behavior. | |
| 7_SECURE YOUR NETWORK: EMPLOY FIREWALLS | Firewalls manage the traffic that enters and leaves a network and are a critical tool in protecting SMEs systems. Firewalls should be deployed to protect all critical systems, in particular a firewall should be employed to protect the SME’s network from the Internet. | Ensure your AWS WAF has a rule group that is not empty. A rule group that is empty could result in unintended behavior. | |
| 7_SECURE YOUR NETWORK: EMPLOY FIREWALLS | Firewalls manage the traffic that enters and leaves a network and are a critical tool in protecting SMEs systems. Firewalls should be deployed to protect all critical systems, in particular a firewall should be employed to protect the SME’s network from the Internet. | A Web ACL attached to an AWS WAF can contain a collection of rules and rule groups to inspect and control web requests. If a Web ACL is empty, the web traffic passes without being detected or acted upon by the WAF. | |
| 7_SECURE YOUR NETWORK: REVIEW REMOTE ACCESS SOLUTIONS | SMEs should regularly review any remote access tools to ensure they are secure, particularly: - Ensure all remote access software is patched and up date. - Restrict remote access from suspicious geographical locations or certain IP addresses. - Restrict staff remote access only to the systems and computers they need for their work. - Enforce strong passwords for remote access and where possible enable multi-factor authentication. - Ensure monitoring and alerting is enabled to warn of suspected attacks or unusual suspicious activity. | The identities and the credentials are issued, managed, and verified based on an organizational IAM password policy. They meet or exceed requirements as stated by NIST SP 800-63 and the AWS Foundational Security Best Practices standard for password strength. This rule allows you to optionally set RequireUppercaseCharacters (AWS Foundational Security Best Practices value: true), RequireLowercaseCharacters (AWS Foundational Security Best Practices value: true), RequireSymbols (AWS Foundational Security Best Practices value: true), RequireNumbers (AWS Foundational Security Best Practices value: true), MinimumPasswordLength (AWS Foundational Security Best Practices value: 14), PasswordReusePrevention (AWS Foundational Security Best Practices value: 24), and MaxPasswordAge (AWS Foundational Security Best Practices value: 90) for your IAM Password Policy. The actual values should reflect your organization's policies. | |
| 7_SECURE YOUR NETWORK: REVIEW REMOTE ACCESS SOLUTIONS | SMEs should regularly review any remote access tools to ensure they are secure, particularly: - Ensure all remote access software is patched and up date. - Restrict remote access from suspicious geographical locations or certain IP addresses. - Restrict staff remote access only to the systems and computers they need for their work. - Enforce strong passwords for remote access and where possible enable multi-factor authentication. - Ensure monitoring and alerting is enabled to warn of suspected attacks or unusual suspicious activity. | Enable this rule to restrict access to resources in the AWS Cloud. This rule ensures multi-factor authentication (MFA) is enabled for all users. MFA adds an extra layer of protection on top of sign-in credentials. Reduce the incidents of compromised accounts by requiring MFA for users. | |
| 7_SECURE YOUR NETWORK: REVIEW REMOTE ACCESS SOLUTIONS | SMEs should regularly review any remote access tools to ensure they are secure, particularly: - Ensure all remote access software is patched and up date. - Restrict remote access from suspicious geographical locations or certain IP addresses. - Restrict staff remote access only to the systems and computers they need for their work. - Enforce strong passwords for remote access and where possible enable multi-factor authentication. - Ensure monitoring and alerting is enabled to warn of suspected attacks or unusual suspicious activity. | Manage access to resources in the AWS Cloud by ensuring that MFA is enabled for all AWS Identity and Access Management (IAM) users that have a console password. MFA adds an extra layer of protection on top of sign-in credentials. By requiring MFA for users, you can reduce incidents of compromised accounts and keep sensitive data from being accessed by unauthorized users. | |
| 7_SECURE YOUR NETWORK: REVIEW REMOTE ACCESS SOLUTIONS | SMEs should regularly review any remote access tools to ensure they are secure, particularly: - Ensure all remote access software is patched and up date. - Restrict remote access from suspicious geographical locations or certain IP addresses. - Restrict staff remote access only to the systems and computers they need for their work. - Enforce strong passwords for remote access and where possible enable multi-factor authentication. - Ensure monitoring and alerting is enabled to warn of suspected attacks or unusual suspicious activity. | Manage access to resources in the AWS Cloud by ensuring hardware MFA is enabled for the root user. The root user is the most privileged user in an AWS account. The MFA adds an extra layer of protection for sign-in credentials. By requiring MFA for the root user, you can reduce the incidents of compromised AWS accounts. | |
| 7_SECURE YOUR NETWORK: REVIEW REMOTE ACCESS SOLUTIONS | SMEs should regularly review any remote access tools to ensure they are secure, particularly: - Ensure all remote access software is patched and up date. - Restrict remote access from suspicious geographical locations or certain IP addresses. - Restrict staff remote access only to the systems and computers they need for their work. - Enforce strong passwords for remote access and where possible enable multi-factor authentication. - Ensure monitoring and alerting is enabled to warn of suspected attacks or unusual suspicious activity. | Manage access to resources in the AWS Cloud by ensuring MFA is enabled for the root user. The root user is the most privileged user in an AWS account. The MFA adds an extra layer of protection for sign-in credentials. By requiring MFA for the root user, you can reduce the incidents of compromised AWS accounts. | |
| 7_SECURE YOUR NETWORK: REVIEW REMOTE ACCESS SOLUTIONS | SMEs should regularly review any remote access tools to ensure they are secure, particularly: - Ensure all remote access software is patched and up date. - Restrict remote access from suspicious geographical locations or certain IP addresses. - Restrict staff remote access only to the systems and computers they need for their work. - Enforce strong passwords for remote access and where possible enable multi-factor authentication. - Ensure monitoring and alerting is enabled to warn of suspected attacks or unusual suspicious activity. | API Gateway logging displays detailed views of users who accessed the API and the way they accessed the API. This insight enables visibility of user activities. | |
| 7_SECURE YOUR NETWORK: REVIEW REMOTE ACCESS SOLUTIONS | SMEs should regularly review any remote access tools to ensure they are secure, particularly: - Ensure all remote access software is patched and up date. - Restrict remote access from suspicious geographical locations or certain IP addresses. - Restrict staff remote access only to the systems and computers they need for their work. - Enforce strong passwords for remote access and where possible enable multi-factor authentication. - Ensure monitoring and alerting is enabled to warn of suspected attacks or unusual suspicious activity. | Use Amazon CloudWatch to centrally collect and manage log event activity. Inclusion of AWS CloudTrail data provides details of API call activity within your AWS account. | |
| 7_SECURE YOUR NETWORK: REVIEW REMOTE ACCESS SOLUTIONS | SMEs should regularly review any remote access tools to ensure they are secure, particularly: - Ensure all remote access software is patched and up date. - Restrict remote access from suspicious geographical locations or certain IP addresses. - Restrict staff remote access only to the systems and computers they need for their work. - Enforce strong passwords for remote access and where possible enable multi-factor authentication. - Ensure monitoring and alerting is enabled to warn of suspected attacks or unusual suspicious activity. | Ensure Amazon Elasticsearch service domains have error logs enabled and streamed to Amazon CloudWatch Logs for retention and response. Domain error logs can assist with security and access audits, and can help to diagnose availability issues. | |
| 7_SECURE YOUR NETWORK: REVIEW REMOTE ACCESS SOLUTIONS | SMEs should regularly review any remote access tools to ensure they are secure, particularly: - Ensure all remote access software is patched and up date. - Restrict remote access from suspicious geographical locations or certain IP addresses. - Restrict staff remote access only to the systems and computers they need for their work. - Enforce strong passwords for remote access and where possible enable multi-factor authentication. - Ensure monitoring and alerting is enabled to warn of suspected attacks or unusual suspicious activity. | AWS CloudTrail can help in non-repudiation by recording AWS Management Console actions and API calls. You can identify the users and AWS accounts that called an AWS service, the source IP address where the calls generated, and the timings of the calls. Details of captured data are seen within AWS CloudTrail Record Contents. | |
| 7_SECURE YOUR NETWORK: REVIEW REMOTE ACCESS SOLUTIONS | SMEs should regularly review any remote access tools to ensure they are secure, particularly: - Ensure all remote access software is patched and up date. - Restrict remote access from suspicious geographical locations or certain IP addresses. - Restrict staff remote access only to the systems and computers they need for their work. - Enforce strong passwords for remote access and where possible enable multi-factor authentication. - Ensure monitoring and alerting is enabled to warn of suspected attacks or unusual suspicious activity. | Ensure Amazon OpenSearch Service domains have error logs enabled and streamed to Amazon CloudWatch Logs for retention and response. OpenSearch Service error logs can assist with security and access audits, and can help to diagnose availability issues. | |
| 7_SECURE YOUR NETWORK: REVIEW REMOTE ACCESS SOLUTIONS | SMEs should regularly review any remote access tools to ensure they are secure, particularly: - Ensure all remote access software is patched and up date. - Restrict remote access from suspicious geographical locations or certain IP addresses. - Restrict staff remote access only to the systems and computers they need for their work. - Enforce strong passwords for remote access and where possible enable multi-factor authentication. - Ensure monitoring and alerting is enabled to warn of suspected attacks or unusual suspicious activity. | Elastic Load Balancing activity is a central point of communication within an environment. Ensure ELB logging is enabled. The collected data provides detailed information about requests sent to the ELB. Each log contains information such as the time the request was received, the client's IP address, latencies, request paths, and server responses. | |
| 7_SECURE YOUR NETWORK: REVIEW REMOTE ACCESS SOLUTIONS | SMEs should regularly review any remote access tools to ensure they are secure, particularly: - Ensure all remote access software is patched and up date. - Restrict remote access from suspicious geographical locations or certain IP addresses. - Restrict staff remote access only to the systems and computers they need for their work. - Enforce strong passwords for remote access and where possible enable multi-factor authentication. - Ensure monitoring and alerting is enabled to warn of suspected attacks or unusual suspicious activity. | To help with logging and monitoring within your environment, ensure Amazon Relational Database Service (Amazon RDS) logging is enabled. With Amazon RDS logging, you can capture events such as connections, disconnections, queries, or tables queried. | |
| 7_SECURE YOUR NETWORK: REVIEW REMOTE ACCESS SOLUTIONS | SMEs should regularly review any remote access tools to ensure they are secure, particularly: - Ensure all remote access software is patched and up date. - Restrict remote access from suspicious geographical locations or certain IP addresses. - Restrict staff remote access only to the systems and computers they need for their work. - Enforce strong passwords for remote access and where possible enable multi-factor authentication. - Ensure monitoring and alerting is enabled to warn of suspected attacks or unusual suspicious activity. | Amazon Simple Storage Service (Amazon S3) server access logging provides a method to monitor the network for potential cybersecurity events. The events are monitored by capturing detailed records for the requests that are made to an Amazon S3 bucket. Each access log record provides details about a single access request. The details include the requester, bucket name, request time, request action, response status, and an error code, if relevant. | |
| 7_SECURE YOUR NETWORK: REVIEW REMOTE ACCESS SOLUTIONS | SMEs should regularly review any remote access tools to ensure they are secure, particularly: - Ensure all remote access software is patched and up date. - Restrict remote access from suspicious geographical locations or certain IP addresses. - Restrict staff remote access only to the systems and computers they need for their work. - Enforce strong passwords for remote access and where possible enable multi-factor authentication. - Ensure monitoring and alerting is enabled to warn of suspected attacks or unusual suspicious activity. | AWS Security Hub helps to monitor unauthorized personnel, connections, devices, and software. AWS Security Hub aggregates, organizes, and prioritizes the security alerts, or findings, from multiple AWS services. Some such services are Amazon Security Hub, Amazon Inspector, Amazon Macie, AWS Identity and Access Management (IAM) Access Analyzer, and AWS Firewall Manager, and AWS Partner solutions. | |
| 7_SECURE YOUR NETWORK: REVIEW REMOTE ACCESS SOLUTIONS | SMEs should regularly review any remote access tools to ensure they are secure, particularly: - Ensure all remote access software is patched and up date. - Restrict remote access from suspicious geographical locations or certain IP addresses. - Restrict staff remote access only to the systems and computers they need for their work. - Enforce strong passwords for remote access and where possible enable multi-factor authentication. - Ensure monitoring and alerting is enabled to warn of suspected attacks or unusual suspicious activity. | The VPC flow logs provide detailed records for information about the IP traffic going to and from network interfaces in your Amazon Virtual Private Cloud (Amazon VPC). By default, the flow log record includes values for the different components of the IP flow, including the source, destination, and protocol. | |
| 7_SECURE YOUR NETWORK: REVIEW REMOTE ACCESS SOLUTIONS | SMEs should regularly review any remote access tools to ensure they are secure, particularly: - Ensure all remote access software is patched and up date. - Restrict remote access from suspicious geographical locations or certain IP addresses. - Restrict staff remote access only to the systems and computers they need for their work. - Enforce strong passwords for remote access and where possible enable multi-factor authentication. - Ensure monitoring and alerting is enabled to warn of suspected attacks or unusual suspicious activity. | To help with logging and monitoring within your environment, enable AWS WAF (V2) logging on regional and global web ACLs. AWS WAF logging provides detailed information about the traffic that is analyzed by your web ACL. The logs record the time that AWS WAF received the request from your AWS resource, information about the request, and an action for the rule that each request matched. | |
| 7_SECURE YOUR NETWORK: REVIEW REMOTE ACCESS SOLUTIONS | SMEs should regularly review any remote access tools to ensure they are secure, particularly: - Ensure all remote access software is patched and up date. - Restrict remote access from suspicious geographical locations or certain IP addresses. - Restrict staff remote access only to the systems and computers they need for their work. - Enforce strong passwords for remote access and where possible enable multi-factor authentication. - Ensure monitoring and alerting is enabled to warn of suspected attacks or unusual suspicious activity. | Amazon CloudWatch alarms alert when a metric breaches the threshold for a specified number of evaluation periods. The alarm performs one or more actions based on the value of the metric or expression relative to a threshold over a number of time periods. This rule requires a value for alarmActionRequired (Config Default: True), insufficientDataActionRequired (Config Default: True), okActionRequired (Config Default: False). The actual value should reflect the alarm actions for your environment. | |
| 7_SECURE YOUR NETWORK: REVIEW REMOTE ACCESS SOLUTIONS | SMEs should regularly review any remote access tools to ensure they are secure, particularly: - Ensure all remote access software is patched and up date. - Restrict remote access from suspicious geographical locations or certain IP addresses. - Restrict staff remote access only to the systems and computers they need for their work. - Enforce strong passwords for remote access and where possible enable multi-factor authentication. - Ensure monitoring and alerting is enabled to warn of suspected attacks or unusual suspicious activity. | To protect data at rest, ensure that encryption is enabled for your Amazon Redshift clusters. You must also ensure that required configurations are deployed on Amazon Redshift clusters. The audit logging should be enabled to provide information about connections and user activities in the database. This rule requires that a value is set for clusterDbEncrypted (Config Default : TRUE), and loggingEnabled (Config Default: TRUE). The actual values should reflect your organization's policies. | |
| 7_SECURE YOUR NETWORK: REVIEW REMOTE ACCESS SOLUTIONS | SMEs should regularly review any remote access tools to ensure they are secure, particularly: - Ensure all remote access software is patched and up date. - Restrict remote access from suspicious geographical locations or certain IP addresses. - Restrict staff remote access only to the systems and computers they need for their work. - Enforce strong passwords for remote access and where possible enable multi-factor authentication. - Ensure monitoring and alerting is enabled to warn of suspected attacks or unusual suspicious activity. | Enhanced VPC routing forces all COPY and UNLOAD traffic between the cluster and data repositories to go through your Amazon VPC. You can then use VPC features such as security groups and network access control lists to secure network traffic. You can also use VPC flow logs to monitor network traffic. | |
| 9_SECURE BACKUPS | To enable the recovery of key formation, backups should be maintained as they are an effective way to recover from disasters such as a ransomware attack. The following backup rules should apply: - backup is regular and automated whenever possible, - backup is held separately from the SME’s production environment, - backups are encrypted, especially if they are going to be moved between locations, - the ability to regularly restore data from the backups is tested. Ideally, a regular test of a full restore from start to finish should be done. | To help with data back-up processes, ensure your Amazon Aurora resources are a part of an AWS Backup plan. AWS Backup is a fully managed backup service with a policy-based backup solution. This solution simplifies your backup management and enables you to meet your business and regulatory backup compliance requirements. | |
| 9_SECURE BACKUPS | To enable the recovery of key formation, backups should be maintained as they are an effective way to recover from disasters such as a ransomware attack. The following backup rules should apply: - backup is regular and automated whenever possible, - backup is held separately from the SME’s production environment, - backups are encrypted, especially if they are going to be moved between locations, - the ability to regularly restore data from the backups is tested. Ideally, a regular test of a full restore from start to finish should be done. | To help with data back-up processes, ensure your AWS Backup plan is set for a minimum frequency and retention. AWS Backup is a fully managed backup service with a policy-based backup solution. This solution simplifies your backup management and enables you to meet your business and regulatory backup compliance requirements. This rule allows you to set the requiredFrequencyValue (Config default: 1), requiredRetentionDays (Config default: 35) and requiredFrequencyUnit (Config default: days) parameters. The actual value should reflect your organizations requirements. | |
| 9_SECURE BACKUPS | To enable the recovery of key formation, backups should be maintained as they are an effective way to recover from disasters such as a ransomware attack. The following backup rules should apply: - backup is regular and automated whenever possible, - backup is held separately from the SME’s production environment, - backups are encrypted, especially if they are going to be moved between locations, - the ability to regularly restore data from the backups is tested. Ideally, a regular test of a full restore from start to finish should be done. | Ensure that encryption is enabled for your AWS Backup recovery points. Because sensitive data can exist at rest, enable encryption at rest to help protect that data. | |
| 9_SECURE BACKUPS | To enable the recovery of key formation, backups should be maintained as they are an effective way to recover from disasters such as a ransomware attack. The following backup rules should apply: - backup is regular and automated whenever possible, - backup is held separately from the SME’s production environment, - backups are encrypted, especially if they are going to be moved between locations, - the ability to regularly restore data from the backups is tested. Ideally, a regular test of a full restore from start to finish should be done. | Ensure that your AWS Backup recovery points have an attached resource-based policy which prevents deletion of recovery points. Using a resource-based policy to prevent deletion of recovery points can assist in preventing accidental or intentional deletion. | |
| 9_SECURE BACKUPS | To enable the recovery of key formation, backups should be maintained as they are an effective way to recover from disasters such as a ransomware attack. The following backup rules should apply: - backup is regular and automated whenever possible, - backup is held separately from the SME’s production environment, - backups are encrypted, especially if they are going to be moved between locations, - the ability to regularly restore data from the backups is tested. Ideally, a regular test of a full restore from start to finish should be done. | To help with data back-up processes, ensure your AWS Backup recovery points have a minimum retention period set. AWS Backup is a fully managed backup service with a policy-based backup solution. This solution simplifies your backup management and enables you to meet your business and regulatory backup compliance requirements. This rule allows you to set the requiredRetentionDays (config default: 35) parameter. The actual value should reflect your organizations requirements. | |
| 9_SECURE BACKUPS | To enable the recovery of key formation, backups should be maintained as they are an effective way to recover from disasters such as a ransomware attack. The following backup rules should apply: - backup is regular and automated whenever possible, - backup is held separately from the SME’s production environment, - backups are encrypted, especially if they are going to be moved between locations, - the ability to regularly restore data from the backups is tested. Ideally, a regular test of a full restore from start to finish should be done. | The backup feature of Amazon RDS creates backups of your databases and transaction logs. Amazon RDS automatically creates a storage volume snapshot of your DB instance, backing up the entire DB instance. The system allows you to set specific retention periods to meet your resilience requirements. | |
| 9_SECURE BACKUPS | To enable the recovery of key formation, backups should be maintained as they are an effective way to recover from disasters such as a ransomware attack. The following backup rules should apply: - backup is regular and automated whenever possible, - backup is held separately from the SME’s production environment, - backups are encrypted, especially if they are going to be moved between locations, - the ability to regularly restore data from the backups is tested. Ideally, a regular test of a full restore from start to finish should be done. | To help with data back-up processes, ensure your Amazon DynamoDB tables are a part of an AWS Backup plan. AWS Backup is a fully managed backup service with a policy-based backup solution. This solution simplifies your backup management and enables you to meet your business and regulatory backup compliance requirements. | |
| 9_SECURE BACKUPS | To enable the recovery of key formation, backups should be maintained as they are an effective way to recover from disasters such as a ransomware attack. The following backup rules should apply: - backup is regular and automated whenever possible, - backup is held separately from the SME’s production environment, - backups are encrypted, especially if they are going to be moved between locations, - the ability to regularly restore data from the backups is tested. Ideally, a regular test of a full restore from start to finish should be done. | Enable this rule to check that information has been backed up. It also maintains the backups by ensuring that point-in-time recovery is enabled in Amazon DynamoDB. The recovery maintains continuous backups of your table for the last 35 days. | |
| 9_SECURE BACKUPS | To enable the recovery of key formation, backups should be maintained as they are an effective way to recover from disasters such as a ransomware attack. The following backup rules should apply: - backup is regular and automated whenever possible, - backup is held separately from the SME’s production environment, - backups are encrypted, especially if they are going to be moved between locations, - the ability to regularly restore data from the backups is tested. Ideally, a regular test of a full restore from start to finish should be done. | To help with data back-up processes, ensure your Amazon Elastic Block Store (Amazon EBS) volumes are a part of an AWS Backup plan. AWS Backup is a fully managed backup service with a policy-based backup solution. This solution simplifies your backup management and enables you to meet your business and regulatory backup compliance requirements. | |
| 9_SECURE BACKUPS | To enable the recovery of key formation, backups should be maintained as they are an effective way to recover from disasters such as a ransomware attack. The following backup rules should apply: - backup is regular and automated whenever possible, - backup is held separately from the SME’s production environment, - backups are encrypted, especially if they are going to be moved between locations, - the ability to regularly restore data from the backups is tested. Ideally, a regular test of a full restore from start to finish should be done. | To help with data back-up processes, ensure your Amazon Elastic Compute Cloud (Amazon EC2) resources are a part of an AWS Backup plan. AWS Backup is a fully managed backup service with a policy-based backup solution. This solution simplifies your backup management and enables you to meet your business and regulatory backup compliance requirements. | |
| 9_SECURE BACKUPS | To enable the recovery of key formation, backups should be maintained as they are an effective way to recover from disasters such as a ransomware attack. The following backup rules should apply: - backup is regular and automated whenever possible, - backup is held separately from the SME’s production environment, - backups are encrypted, especially if they are going to be moved between locations, - the ability to regularly restore data from the backups is tested. Ideally, a regular test of a full restore from start to finish should be done. | To help with data back-up processes, ensure your Amazon Elastic File System (Amazon EFS) file systems are a part of an AWS Backup plan. AWS Backup is a fully managed backup service with a policy-based backup solution. This solution simplifies your backup management and enables you to meet your business and regulatory backup compliance requirements. | |
| 9_SECURE BACKUPS | To enable the recovery of key formation, backups should be maintained as they are an effective way to recover from disasters such as a ransomware attack. The following backup rules should apply: - backup is regular and automated whenever possible, - backup is held separately from the SME’s production environment, - backups are encrypted, especially if they are going to be moved between locations, - the ability to regularly restore data from the backups is tested. Ideally, a regular test of a full restore from start to finish should be done. | When automatic backups are enabled, Amazon ElastiCache creates a backup of the cluster on a daily basis. The backup can be retained for a number of days as specified by your organization. Automatic backups can help guard against data loss. If a failure occurs, you can create a new cluster, which restores your data from the most recent backup. | |
| 9_SECURE BACKUPS | To enable the recovery of key formation, backups should be maintained as they are an effective way to recover from disasters such as a ransomware attack. The following backup rules should apply: - backup is regular and automated whenever possible, - backup is held separately from the SME’s production environment, - backups are encrypted, especially if they are going to be moved between locations, - the ability to regularly restore data from the backups is tested. Ideally, a regular test of a full restore from start to finish should be done. | To help with data back-up processes, ensure your Amazon FSx file systems are a part of an AWS Backup plan. AWS Backup is a fully managed backup service with a policy-based backup solution. This solution simplifies your backup management and enables you to meet your business and regulatory backup compliance requirements. | |
| 9_SECURE BACKUPS | To enable the recovery of key formation, backups should be maintained as they are an effective way to recover from disasters such as a ransomware attack. The following backup rules should apply: - backup is regular and automated whenever possible, - backup is held separately from the SME’s production environment, - backups are encrypted, especially if they are going to be moved between locations, - the ability to regularly restore data from the backups is tested. Ideally, a regular test of a full restore from start to finish should be done. | To help with data back-up processes, ensure your Amazon Relational Database Service (Amazon RDS) instances are a part of an AWS Backup plan. AWS Backup is a fully managed backup service with a policy-based backup solution. This solution simplifies your backup management and enables you to meet your business and regulatory backup compliance requirements. | |
| 9_SECURE BACKUPS | To enable the recovery of key formation, backups should be maintained as they are an effective way to recover from disasters such as a ransomware attack. The following backup rules should apply: - backup is regular and automated whenever possible, - backup is held separately from the SME’s production environment, - backups are encrypted, especially if they are going to be moved between locations, - the ability to regularly restore data from the backups is tested. Ideally, a regular test of a full restore from start to finish should be done. | To help with data back-up processes, ensure your Amazon Relational Database Service (Amazon RDS) resources are a part of an AWS Backup plan. AWS Backup is a fully managed backup service with a policy-based backup solution. This solution simplifies your backup management and enables you to meet your business and regulatory backup compliance requirements. | |
| 9_SECURE BACKUPS | To enable the recovery of key formation, backups should be maintained as they are an effective way to recover from disasters such as a ransomware attack. The following backup rules should apply: - backup is regular and automated whenever possible, - backup is held separately from the SME’s production environment, - backups are encrypted, especially if they are going to be moved between locations, - the ability to regularly restore data from the backups is tested. Ideally, a regular test of a full restore from start to finish should be done. | To help with data back-up processes, ensure your Amazon Redshift clusters have automated snapshots. When automated snapshots are enabled for a cluster, Redshift periodically takes snapshots of that cluster. By default, Redshift takes a snapshot every eight hours or every 5 GB per node of data changes, or whichever comes first. | |
| 9_SECURE BACKUPS | To enable the recovery of key formation, backups should be maintained as they are an effective way to recover from disasters such as a ransomware attack. The following backup rules should apply: - backup is regular and automated whenever possible, - backup is held separately from the SME’s production environment, - backups are encrypted, especially if they are going to be moved between locations, - the ability to regularly restore data from the backups is tested. Ideally, a regular test of a full restore from start to finish should be done. | Amazon Simple Storage Service (Amazon S3) Cross-Region Replication (CRR) supports maintaining adequate capacity and availability. CRR enables automatic, asynchronous copying of objects across Amazon S3 buckets to help ensure that data availability is maintained. | |
| 11_SECURE ONLINE SITES | It is essential that SMEs ensure that their online websites are configured and maintained in a secure manner and that any personal data or financial details, such as credit card data, is appropriately protected. This will entail running regular security tests against the websites to identify any potential security weaknesses and conducting regular reviews to ensure the site is maintained and updated properly. | vuln-management-plan-exists(Process Check) | Ensure a vulnerability management plan is developed and implemented in order to have a formally defined processes to address vulnerabilities in your environment. |
Template
The template is available on GitHub: Operational Best Practices for ENISA Cybersecurity guide for SMEs
