Operational Best Practices for NERC CIP BCSI - AWS Config

Conformance packs provide a general-purpose compliance framework designed to enable you to create security, operational or cost-optimization governance checks using managed or custom AWS Config rules and AWS Config remediation actions. Conformance Packs, as sample templates, are not designed to fully ensure compliance with a specific governance or compliance standard. You are responsible for making your own assessment of whether your use of the Services meets applicable legal and regulatory requirements.

The following provides a sample mapping between the North American Electric Reliability Corporation Critical Infrastructure Protection Standards (NERC CIP) for BES Cyber System Information (BCSI), CIP-004-7 & CIP-011-3, and AWS Config managed rules. Each AWS Config rule applies to a specific AWS resource, and relates to one or more NERC CIP controls applicable to BCSI. A NERC CIP control can be related to multiple Config rules. Refer to the table below for more detail and guidance related to these mappings.

Control ID Control Description AWS Config Rule Guidance
CIP-004-7-R6-Part 6.1 Each Responsible Entity shall implement one or more documented access management program(s) to authorize, verify, and revoke provisioned access to BCSI pertaining to the “Applicable Systems” identified in CIP-004-7 Table R6 – Access Management for BES Cyber System Information that collectively include each of the applicable requirement parts in CIP-004-7 Table R6 – Access Management for BES Cyber System Information. To be considered access to BCSI in the context of this requirement, an individual has both the ability to obtain and use BCSI. Provisioned access is to be considered the result of the specific actions taken to provide an individual(s) the means to access BCSI (e.g., may include physical keys or access cards, users and associated rights and privileges, encryption keys). Part 6.1: Prior to provisioning, authorize (unless already authorized according to Part 4.1.) based on need, as determined by the Responsible Entity, except for CIP Exceptional Circumstances: 6.1.1. Provisioned electronic access to electronic BCSI

opensearch-access-control-enabled

Ensure fine-grained access control is enabled on your Amazon OpenSearch Service domains. Fine-grained access control provides enhanced authorization mechanisms to achieve least-privileged access to Amazon OpenSearch domains. It allows for role-based access control to the domain, as well as index, document, and field-level security, support for OpenSearch dashboards multi-tenancy, and HTTP basic authentication for OpenSearch and Kibana.
CIP-004-7-R6-Part 6.1 Each Responsible Entity shall implement one or more documented access management program(s) to authorize, verify, and revoke provisioned access to BCSI pertaining to the “Applicable Systems” identified in CIP-004-7 Table R6 – Access Management for BES Cyber System Information that collectively include each of the applicable requirement parts in CIP-004-7 Table R6 – Access Management for BES Cyber System Information. To be considered access to BCSI in the context of this requirement, an individual has both the ability to obtain and use BCSI. Provisioned access is to be considered the result of the specific actions taken to provide an individual(s) the means to access BCSI (e.g., may include physical keys or access cards, users and associated rights and privileges, encryption keys). Part 6.1: Prior to provisioning, authorize (unless already authorized according to Part 4.1.) based on need, as determined by the Responsible Entity, except for CIP Exceptional Circumstances: 6.1.1. Provisioned electronic access to electronic BCSI

emr-kerberos-enabled

The access permissions and authorizations can be managed and incorporated with the principles of least privilege and separation of duties, by enabling Kerberos for Amazon EMR clusters. In Kerberos, the services and the users that need to authenticate are known as principals. The principals exist within a Kerberos realm. Within the realm, a Kerberos server is known as the key distribution center (KDC). It provides a means for the principals to authenticate. The KDC authenticates by issuing tickets for authentication. The KDC maintains a database of the principals within its realm, their passwords, and other administrative information about each principal.
CIP-004-7-R6-Part 6.1 Each Responsible Entity shall implement one or more documented access management program(s) to authorize, verify, and revoke provisioned access to BCSI pertaining to the “Applicable Systems” identified in CIP-004-7 Table R6 – Access Management for BES Cyber System Information that collectively include each of the applicable requirement parts in CIP-004-7 Table R6 – Access Management for BES Cyber System Information. To be considered access to BCSI in the context of this requirement, an individual has both the ability to obtain and use BCSI. Provisioned access is to be considered the result of the specific actions taken to provide an individual(s) the means to access BCSI (e.g., may include physical keys or access cards, users and associated rights and privileges, encryption keys). Part 6.1: Prior to provisioning, authorize (unless already authorized according to Part 4.1.) based on need, as determined by the Responsible Entity, except for CIP Exceptional Circumstances: 6.1.1. Provisioned electronic access to electronic BCSI

iam-group-has-users-check

AWS Identity and Access Management (IAM) can help you incorporate the principles of least privilege and separation of duties with access permissions and authorizations, by ensuring that IAM groups have at least one user. Placing users in groups based on their associated permissions or job function is one way to incorporate least privilege.
CIP-004-7-R6-Part 6.1 Each Responsible Entity shall implement one or more documented access management program(s) to authorize, verify, and revoke provisioned access to BCSI pertaining to the “Applicable Systems” identified in CIP-004-7 Table R6 – Access Management for BES Cyber System Information that collectively include each of the applicable requirement parts in CIP-004-7 Table R6 – Access Management for BES Cyber System Information. To be considered access to BCSI in the context of this requirement, an individual has both the ability to obtain and use BCSI. Provisioned access is to be considered the result of the specific actions taken to provide an individual(s) the means to access BCSI (e.g., may include physical keys or access cards, users and associated rights and privileges, encryption keys). Part 6.1: Prior to provisioning, authorize (unless already authorized according to Part 4.1.) based on need, as determined by the Responsible Entity, except for CIP Exceptional Circumstances: 6.1.1. Provisioned electronic access to electronic BCSI

iam-policy-no-statements-with-admin-access

AWS Identity and Access Management (IAM) can help you incorporate the principles of least privilege and separation of duties with access permissions and authorizations, restricting policies from containing "Effect": "Allow" with "Action": "*" over "Resource": "*". Allowing users to have more privileges than needed to complete a task may violate the principle of least privilege and separation of duties.
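The condition this rule checks can be screened for locally before a policy is attached. The block below is an added example, not AWS Config's own implementation: it flags statements that combine "Effect": "Allow", "Action": "*" and "Resource": "*", handling the string-or-list forms IAM permits, and ignores NotAction/NotResource statements (a simplification of this example, not a documented property of the rule). The sample policies are constructed.

```python
"""Screen IAM policy documents for blanket admin statements.

Added example, not AWS Config code. It reproduces the condition described
for the managed rule iam-policy-no-statements-with-admin-access:
"Effect": "Allow" with "Action": "*" over "Resource": "*".
"""
import json


def _as_list(value):
    """IAM accepts a single string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def admin_statements(policy):
    """Return indexes of statements that allow every action on every resource.

    Accepts a policy as a dict or as a JSON string. Only Action/Resource are
    inspected; NotAction/NotResource statements never match here (simplification).
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    statements = _as_list(policy.get("Statement"))  # Statement may be one object or a list
    matches = []
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue  # a Deny with wildcards restricts rather than grants
        if "*" not in _as_list(stmt.get("Action")):
            continue
        if "*" not in _as_list(stmt.get("Resource")):
            continue
        matches.append(index)
    return matches


def is_compliant(policy):
    """COMPLIANT (True) when no statement grants blanket admin access."""
    return not admin_statements(policy)


# Constructed sample policies, not taken from any real account.
ADMIN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

MIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-bcsi-bucket/*"},
        {"Effect": "Allow", "Action": ["iam:ListUsers", "*"], "Resource": ["*"]},
        {"Effect": "Deny", "Action": "*", "Resource": "*"},
    ],
})

SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "*",
                  "Resource": "arn:aws:s3:::example-bcsi-bucket/*"},
})

if __name__ == "__main__":
    for name, doc in (("admin", ADMIN_POLICY), ("mixed", MIXED_POLICY), ("scoped", SCOPED_POLICY)):
        verdict = "COMPLIANT" if is_compliant(doc) else "NON_COMPLIANT"
        print(f"{name}: {verdict}, offending statement indexes {admin_statements(doc)}")
```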
CIP-004-7-R6-Part 6.1 Each Responsible Entity shall implement one or more documented access management program(s) to authorize, verify, and revoke provisioned access to BCSI pertaining to the “Applicable Systems” identified in CIP-004-7 Table R6 – Access Management for BES Cyber System Information that collectively include each of the applicable requirement parts in CIP-004-7 Table R6 – Access Management for BES Cyber System Information. To be considered access to BCSI in the context of this requirement, an individual has both the ability to obtain and use BCSI. Provisioned access is to be considered the result of the specific actions taken to provide an individual(s) the means to access BCSI (e.g., may include physical keys or access cards, users and associated rights and privileges, encryption keys). Part 6.1: Prior to provisioning, authorize (unless already authorized according to Part 4.1.) based on need, as determined by the Responsible Entity, except for CIP Exceptional Circumstances: 6.1.1. Provisioned electronic access to electronic BCSI

iam-root-access-key-check

Access to systems and assets can be controlled by checking that the AWS account root user has no access keys. Ensure that any root access keys are deleted. Instead, create and use role-based access for day-to-day work, which helps to incorporate the principle of least functionality.
CIP-004-7-R6-Part 6.1 Each Responsible Entity shall implement one or more documented access management program(s) to authorize, verify, and revoke provisioned access to BCSI pertaining to the “Applicable Systems” identified in CIP-004-7 Table R6 – Access Management for BES Cyber System Information that collectively include each of the applicable requirement parts in CIP-004-7 Table R6 – Access Management for BES Cyber System Information. To be considered access to BCSI in the context of this requirement, an individual has both the ability to obtain and use BCSI. Provisioned access is to be considered the result of the specific actions taken to provide an individual(s) the means to access BCSI (e.g., may include physical keys or access cards, users and associated rights and privileges, encryption keys). Part 6.1: Prior to provisioning, authorize (unless already authorized according to Part 4.1.) based on need, as determined by the Responsible Entity, except for CIP Exceptional Circumstances: 6.1.1. Provisioned electronic access to electronic BCSI

iam-user-group-membership-check

AWS Identity and Access Management (IAM) can help you restrict access permissions and authorizations, by ensuring users are members of at least one group. Allowing users more privileges than needed to complete a task may violate the principle of least privilege and separation of duties.
CIP-004-7-R6-Part 6.1 Each Responsible Entity shall implement one or more documented access management program(s) to authorize, verify, and revoke provisioned access to BCSI pertaining to the “Applicable Systems” identified in CIP-004-7 Table R6 – Access Management for BES Cyber System Information that collectively include each of the applicable requirement parts in CIP-004-7 Table R6 – Access Management for BES Cyber System Information. To be considered access to BCSI in the context of this requirement, an individual has both the ability to obtain and use BCSI. Provisioned access is to be considered the result of the specific actions taken to provide an individual(s) the means to access BCSI (e.g., may include physical keys or access cards, users and associated rights and privileges, encryption keys). Part 6.1: Prior to provisioning, authorize (unless already authorized according to Part 4.1.) based on need, as determined by the Responsible Entity, except for CIP Exceptional Circumstances: 6.1.1. Provisioned electronic access to electronic BCSI

iam-user-no-policies-check

This rule ensures AWS Identity and Access Management (IAM) policies are attached only to groups or roles to control access to systems and assets. Assigning privileges at the group or the role level helps to reduce opportunity for an identity to receive or retain excessive privileges.
CIP-004-7-R6-Part 6.1 Each Responsible Entity shall implement one or more documented access management program(s) to authorize, verify, and revoke provisioned access to BCSI pertaining to the “Applicable Systems” identified in CIP-004-7 Table R6 – Access Management for BES Cyber System Information that collectively include each of the applicable requirement parts in CIP-004-7 Table R6 – Access Management for BES Cyber System Information. To be considered access to BCSI in the context of this requirement, an individual has both the ability to obtain and use BCSI. Provisioned access is to be considered the result of the specific actions taken to provide an individual(s) the means to access BCSI (e.g., may include physical keys or access cards, users and associated rights and privileges, encryption keys). Part 6.1: Prior to provisioning, authorize (unless already authorized according to Part 4.1.) based on need, as determined by the Responsible Entity, except for CIP Exceptional Circumstances: 6.1.1. Provisioned electronic access to electronic BCSI

s3-bucket-public-read-prohibited

Manage access to resources in the AWS Cloud by only allowing authorized users, processes, and devices access to Amazon Simple Storage Service (Amazon S3) buckets. The management of access should be consistent with the classification of the data.
CIP-004-7-R6-Part 6.1 Each Responsible Entity shall implement one or more documented access management program(s) to authorize, verify, and revoke provisioned access to BCSI pertaining to the “Applicable Systems” identified in CIP-004-7 Table R6 – Access Management for BES Cyber System Information that collectively include each of the applicable requirement parts in CIP-004-7 Table R6 – Access Management for BES Cyber System Information. To be considered access to BCSI in the context of this requirement, an individual has both the ability to obtain and use BCSI. Provisioned access is to be considered the result of the specific actions taken to provide an individual(s) the means to access BCSI (e.g., may include physical keys or access cards, users and associated rights and privileges, encryption keys). Part 6.1: Prior to provisioning, authorize (unless already authorized according to Part 4.1.) based on need, as determined by the Responsible Entity, except for CIP Exceptional Circumstances: 6.1.1. Provisioned electronic access to electronic BCSI

s3-bucket-public-write-prohibited

Manage access to resources in the AWS Cloud by only allowing authorized users, processes, and devices access to Amazon Simple Storage Service (Amazon S3) buckets. The management of access should be consistent with the classification of the data.
CIP-004-7-R6-Part 6.1 Each Responsible Entity shall implement one or more documented access management program(s) to authorize, verify, and revoke provisioned access to BCSI pertaining to the “Applicable Systems” identified in CIP-004-7 Table R6 – Access Management for BES Cyber System Information that collectively include each of the applicable requirement parts in CIP-004-7 Table R6 – Access Management for BES Cyber System Information. To be considered access to BCSI in the context of this requirement, an individual has both the ability to obtain and use BCSI. Provisioned access is to be considered the result of the specific actions taken to provide an individual(s) the means to access BCSI (e.g., may include physical keys or access cards, users and associated rights and privileges, encryption keys). Part 6.1: Prior to provisioning, authorize (unless already authorized according to Part 4.1.) based on need, as determined by the Responsible Entity, except for CIP Exceptional Circumstances: 6.1.1. Provisioned electronic access to electronic BCSI

s3-bucket-policy-grantee-check

Manage access to the AWS Cloud by enabling s3_bucket_policy_grantee_check. This rule checks that the access granted by an Amazon S3 bucket policy is restricted to the AWS principals, federated users, service principals, IP addresses, or Amazon Virtual Private Cloud (Amazon VPC) IDs that you provide.
CIP-011-3-R1-Part 1.2 Each Responsible Entity shall implement one or more documented information protection program(s) that collectively includes each of the applicable requirement parts in CIP-011-3 Table R1 – Information Protection. Part 1.2: Method(s) to protect and securely handle BCSI to mitigate risks of compromising confidentiality.

dms-replication-not-public

Manage access to the AWS Cloud by ensuring AWS Database Migration Service (DMS) replication instances cannot be publicly accessed. DMS replication instances can contain sensitive information, so access to them must be controlled.
CIP-011-3-R1-Part 1.2 Each Responsible Entity shall implement one or more documented information protection program(s) that collectively includes each of the applicable requirement parts in CIP-011-3 Table R1 – Information Protection. Part 1.2: Method(s) to protect and securely handle BCSI to mitigate risks of compromising confidentiality.

ebs-snapshot-public-restorable-check

Manage access to the AWS Cloud by ensuring Amazon EBS snapshots are not publicly restorable. EBS volume snapshots can contain sensitive information, so access to them must be controlled.
CIP-011-3-R1-Part 1.2 Each Responsible Entity shall implement one or more documented information protection program(s) that collectively includes each of the applicable requirement parts in CIP-011-3 Table R1 – Information Protection. Part 1.2: Method(s) to protect and securely handle BCSI to mitigate risks of compromising confidentiality.

iam-user-unused-credentials-check

AWS Identity and Access Management (IAM) can help you with access permissions and authorizations by checking for IAM passwords and access keys that have not been used for a specified time period. If such unused credentials are identified, disable and/or remove them, as leaving them in place may violate the principle of least privilege. This rule requires you to set a value for the maxCredentialUsageAge parameter (Config Default: 90). The actual value should reflect your organization's policies.
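As an added example (not AWS Config code), the block below applies the rule's idea of maxCredentialUsageAge to a constructed table shaped like the IAM credential report, flagging active passwords and access keys idle for longer than the threshold. Assumptions: the column names mirror the credential report, and a credential that has never been used is aged from its last change/rotation date, which is this example's choice rather than the rule's documented behaviour.

```python
"""Age check for IAM user credentials, modelled on iam-user-unused-credentials-check.

Added example, not AWS Config code. Rows are constructed in the shape of the
IAM credential report ("N/A" and "no_information" occur in real reports).
"""
from datetime import datetime, timezone

MAX_CREDENTIAL_USAGE_AGE = 90  # Config default quoted in the guidance

# Constructed sample rows, not from any real account.
CREDENTIAL_REPORT = [
    {"user": "alice", "password_enabled": "true",
     "password_last_used": "2024-05-20T09:12:00+00:00",
     "password_last_changed": "2024-01-10T00:00:00+00:00",
     "access_key_1_active": "true",
     "access_key_1_last_used_date": "2024-02-01T00:00:00+00:00",
     "access_key_1_last_rotated": "2024-01-10T00:00:00+00:00"},
    {"user": "svc-backup", "password_enabled": "false",
     "password_last_used": "N/A", "password_last_changed": "N/A",
     "access_key_1_active": "true",
     "access_key_1_last_used_date": "N/A",           # key created but never used
     "access_key_1_last_rotated": "2023-11-01T00:00:00+00:00"},
    {"user": "bob", "password_enabled": "true",
     "password_last_used": "no_information",
     "password_last_changed": "2024-05-15T00:00:00+00:00",
     "access_key_1_active": "false",
     "access_key_1_last_used_date": "N/A", "access_key_1_last_rotated": "N/A"},
]

AS_OF = datetime(2024, 6, 1, tzinfo=timezone.utc)  # evaluation time for the sample


def _parse(ts):
    """Return a datetime for an ISO 8601 timestamp, or None for report placeholders."""
    if ts in ("N/A", "no_information", "", None):
        return None
    return datetime.fromisoformat(ts)


def _days_idle(last_used, fallback, as_of):
    """Days since last use. Never-used credentials are aged from the fallback
    (last changed / last rotated) date; that fallback is this example's assumption."""
    anchor = _parse(last_used) or _parse(fallback)
    if anchor is None:
        return None
    return (as_of - anchor).days


def unused_credentials(report, max_age=MAX_CREDENTIAL_USAGE_AGE, as_of=AS_OF):
    """Return (user, credential, days_idle) for each active credential idle longer than max_age."""
    findings = []
    for row in report:
        if row["password_enabled"] == "true":
            idle = _days_idle(row["password_last_used"], row["password_last_changed"], as_of)
            if idle is not None and idle > max_age:
                findings.append((row["user"], "password", idle))
        if row["access_key_1_active"] == "true":
            idle = _days_idle(row["access_key_1_last_used_date"],
                              row["access_key_1_last_rotated"], as_of)
            if idle is not None and idle > max_age:
                findings.append((row["user"], "access_key_1", idle))
    return findings


def noncompliant_users(report, max_age=MAX_CREDENTIAL_USAGE_AGE, as_of=AS_OF):
    """Users that would be reported NON_COMPLIANT: anyone holding an unused active credential."""
    return sorted({user for user, _, _ in unused_credentials(report, max_age, as_of)})


if __name__ == "__main__":
    for user, cred, idle in unused_credentials(CREDENTIAL_REPORT):
        print(f"{user}: {cred} unused for {idle} days (> {MAX_CREDENTIAL_USAGE_AGE})")
    print("NON_COMPLIANT users:", noncompliant_users(CREDENTIAL_REPORT))
```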
CIP-011-3-R1-Part 1.2 Each Responsible Entity shall implement one or more documented information protection program(s) that collectively includes each of the applicable requirement parts in CIP-011-3 Table R1 – Information Protection. Part 1.2: Method(s) to protect and securely handle BCSI to mitigate risks of compromising confidentiality.

lambda-function-public-access-prohibited

Manage access to resources in the AWS Cloud by ensuring AWS Lambda functions cannot be publicly accessed. Public access can potentially lead to degradation of availability of resources.
CIP-011-3-R1-Part 1.2 Each Responsible Entity shall implement one or more documented information protection program(s) that collectively includes each of the applicable requirement parts in CIP-011-3 Table R1 – Information Protection. Part 1.2: Method(s) to protect and securely handle BCSI to mitigate risks of compromising confidentiality.

rds-instance-public-access-check

Manage access to resources in the AWS Cloud by ensuring that Amazon Relational Database Service (Amazon RDS) instances are not public. Amazon RDS database instances can contain sensitive information, so access to them must be controlled.
CIP-011-3-R1-Part 1.2 Each Responsible Entity shall implement one or more documented information protection program(s) that collectively includes each of the applicable requirement parts in CIP-011-3 Table R1 – Information Protection. Part 1.2: Method(s) to protect and securely handle BCSI to mitigate risks of compromising confidentiality.

rds-snapshots-public-prohibited

Manage access to resources in the AWS Cloud by ensuring that Amazon Relational Database Service (Amazon RDS) snapshots are not public. Amazon RDS snapshots can contain sensitive information, so access to them must be controlled.
CIP-011-3-R1-Part 1.2 Each Responsible Entity shall implement one or more documented information protection program(s) that collectively includes each of the applicable requirement parts in CIP-011-3 Table R1 – Information Protection. Part 1.2: Method(s) to protect and securely handle BCSI to mitigate risks of compromising confidentiality.

redshift-cluster-public-access-check

Manage access to resources in the AWS Cloud by ensuring that Amazon Redshift clusters are not public. Amazon Redshift clusters can contain sensitive information, so access to them must be controlled.
CIP-011-3-R1-Part 1.2 Each Responsible Entity shall implement one or more documented information protection program(s) that collectively includes each of the applicable requirement parts in CIP-011-3 Table R1 – Information Protection. Part 1.2: Method(s) to protect and securely handle BCSI to mitigate risks of compromising confidentiality.

s3-account-level-public-access-blocks-periodic

Manage access to resources in the AWS Cloud by ensuring that Amazon Simple Storage Service (Amazon S3) buckets cannot be publicly accessed. This rule helps keep sensitive data safe from unauthorized remote users by preventing public access. This rule allows you to optionally set the ignorePublicAcls (Config Default: True), blockPublicPolicy (Config Default: True), blockPublicAcls (Config Default: True), and restrictPublicBuckets (Config Default: True) parameters. The actual values should reflect your organization's policies.
CIP-011-3-R1-Part 1.2 Each Responsible Entity shall implement one or more documented information protection program(s) that collectively includes each of the applicable requirement parts in CIP-011-3 Table R1 – Information Protection. Part 1.2: Method(s) to protect and securely handle BCSI to mitigate risks of compromising confidentiality.

sagemaker-notebook-no-direct-internet-access

Manage access to resources in the AWS Cloud by ensuring that Amazon SageMaker notebooks do not allow direct internet access. By preventing direct internet access, you can keep sensitive data from being accessed by unauthorized users.
CIP-011-3-R1-Part 1.2 Each Responsible Entity shall implement one or more documented information protection program(s) that collectively includes each of the applicable requirement parts in CIP-011-3 Table R1 – Information Protection. Part 1.2: Method(s) to protect and securely handle BCSI to mitigate risks of compromising confidentiality.

acm-certificate-expiration-check

Ensure network integrity is protected by ensuring X.509 certificates are issued by AWS Certificate Manager (ACM). These certificates must be valid and unexpired. This rule requires a value for daysToExpiration (AWS Foundational Security Best Practices value: 90). The actual value should reflect your organization's policies.
CIP-011-3-R1-Part 1.2 Each Responsible Entity shall implement one or more documented information protection program(s) that collectively includes each of the applicable requirement parts in CIP-011-3 Table R1 – Information Protection. Part 1.2: Method(s) to protect and securely handle BCSI to mitigate risks of compromising confidentiality.

alb-http-drop-invalid-header-enabled

Ensure that your Elastic Load Balancers (ELB) are configured to drop invalid HTTP header fields. Because sensitive data can exist, enable encryption in transit to help protect that data.
CIP-011-3-R1-Part 1.2 Each Responsible Entity shall implement one or more documented information protection program(s) that collectively includes each of the applicable requirement parts in CIP-011-3 Table R1 – Information Protection. Part 1.2: Method(s) to protect and securely handle BCSI to mitigate risks of compromising confidentiality.

alb-http-to-https-redirection-check

To help protect data in transit, ensure that your Application Load Balancer automatically redirects unencrypted HTTP requests to HTTPS. Because sensitive data can exist, enable encryption in transit to help protect that data.
CIP-011-3-R1-Part 1.2 Each Responsible Entity shall implement one or more documented information protection program(s) that collectively includes each of the applicable requirement parts in CIP-011-3 Table R1 – Information Protection. Part 1.2: Method(s) to protect and securely handle BCSI to mitigate risks of compromising confidentiality.

api-gw-cache-enabled-and-encrypted

To help protect data at rest, ensure encryption is enabled for your API Gateway stage's cache. Because sensitive data can be captured for the API method, enable encryption at rest to help protect that data.
CIP-011-3-R1-Part 1.2 Each Responsible Entity shall implement one or more documented information protection program(s) that collectively includes each of the applicable requirement parts in CIP-011-3 Table R1 – Information Protection. Part 1.2: Method(s) to protect and securely handle BCSI to mitigate risks of compromising confidentiality.

cloud-trail-encryption-enabled

Because sensitive data may exist and to help protect data at rest, ensure encryption is enabled for your AWS CloudTrail trails.
CIP-011-3-R1-Part 1.2 Each Responsible Entity shall implement one or more documented information protection program(s) that collectively includes each of the applicable requirement parts in CIP-011-3 Table R1 – Information Protection. Part 1.2: Method(s) to protect and securely handle BCSI to mitigate risks of compromising confidentiality.

cloudwatch-log-group-encrypted

To help protect sensitive data at rest, ensure encryption is enabled for your Amazon CloudWatch Log Groups.
CIP-011-3-R1-Part 1.2 Each Responsible Entity shall implement one or more documented information protection program(s) that collectively includes each of the applicable requirement parts in CIP-011-3 Table R1 – Information Protection. Part 1.2: Method(s) to protect and securely handle BCSI to mitigate risks of compromising confidentiality.

cmk-backing-key-rotation-enabled

Enable key rotation to ensure that keys are rotated once they have reached the end of their crypto period.
CIP-011-3-R1-Part 1.2 Each Responsible Entity shall implement one or more documented information protection program(s) that collectively includes each of the applicable requirement parts in CIP-011-3 Table R1 – Information Protection. Part 1.2: Method(s) to protect and securely handle BCSI to mitigate risks of compromising confidentiality.

dynamodb-table-encrypted-kms

Ensure that encryption is enabled for your Amazon DynamoDB tables. Because sensitive data can exist at rest in these tables, enable encryption at rest to help protect that data. By default, DynamoDB tables are encrypted with an AWS owned customer master key (CMK).
CIP-011-3-R1-Part 1.2 Each Responsible Entity shall implement one or more documented information protection program(s) that collectively includes each of the applicable requirement parts in CIP-011-3 Table R1 – Information Protection. Part 1.2: Method(s) to protect and securely handle BCSI to mitigate risks of compromising confidentiality.

ec2-ebs-encryption-by-default

To help protect data at rest, ensure that encryption is enabled for your Amazon Elastic Block Store (Amazon EBS) volumes. Because sensitive data can exist at rest in these volumes, enable encryption at rest to help protect that data.
CIP-011-3-R1-Part 1.2 Each Responsible Entity shall implement one or more documented information protection program(s) that collectively includes each of the applicable requirement parts in CIP-011-3 Table R1 – Information Protection. Part 1.2: Method(s) to protect and securely handle BCSI to mitigate risks of compromising confidentiality.

ecr-private-image-scanning-enabled

Amazon Elastic Container Registry (Amazon ECR) image scanning assists in identifying software vulnerabilities in your container images. Enabling image scanning on ECR repositories adds a layer of verification for the integrity and safety of the images being stored.
CIP-011-3-R1-Part 1.2 Each Responsible Entity shall implement one or more documented information protection program(s) that collectively includes each of the applicable requirement parts in CIP-011-3 Table R1 – Information Protection. Part 1.2: Method(s) to protect and securely handle BCSI to mitigate risks of compromising confidentiality.

ecr-private-tag-immutability-enabled

Enable Amazon Elastic Container Registry (Amazon ECR) tag immutability to prevent image tags on your ECR images from being overwritten. Without it, tags can be overwritten, which requires manual methods to uniquely identify an image.
CIP-011-3-R1-Part 1.2 Each Responsible Entity shall implement one or more documented information protection program(s) that collectively includes each of the applicable requirement parts in CIP-011-3 Table R1 – Information Protection. Part 1.2: Method(s) to protect and securely handle BCSI to mitigate risks of compromising confidentiality.

ecs-containers-readonly-access

Enabling read-only access to Amazon Elastic Container Service (ECS) containers can assist in adhering to the principle of least privilege. This option can reduce attack vectors, as the container instance's filesystem cannot be modified unless it has explicit read-write permissions.
CIP-011-3-R1-Part 1.2 Each Responsible Entity shall implement one or more documented information protection program(s) that collectively includes each of the applicable requirement parts in CIP-011-3 Table R1 – Information Protection. Part 1.2: Method(s) to protect and securely handle BCSI to mitigate risks of compromising confidentiality.

efs-encrypted-check

Because sensitive data can exist and to help protect data at rest, ensure encryption is enabled for your Amazon Elastic File System (EFS).
CIP-011-3-R1-Part 1.2 Each Responsible Entity shall implement one or more documented information protection program(s) that collectively includes each of the applicable requirement parts in CIP-011-3 Table R1 – Information Protection. Part 1.2: Method(s) to protect and securely handle BCSI to mitigate risks of compromising confidentiality.

elasticsearch-encrypted-at-rest

Because sensitive data can exist and to help protect data at rest, ensure encryption is enabled for your Amazon OpenSearch Service (OpenSearch Service) domains.
CIP-011-3-R1-Part 1.2 Each Responsible Entity shall implement one or more documented information protection program(s) that collectively includes each of the applicable requirement parts in CIP-011-3 Table R1 – Information Protection. Part 1.2: Method(s) to protect and securely handle BCSI to mitigate risks of compromising confidentiality.

elasticsearch-node-to-node-encryption-check

Ensure node-to-node encryption for Amazon OpenSearch Service is enabled. Node-to-node encryption enables TLS 1.2 encryption for all communications within the Amazon Virtual Private Cloud (Amazon VPC). Because sensitive data can exist, enable encryption in transit to help protect that data.
CIP-011-3-R1-Part 1.2 Each Responsible Entity shall implement one or more documented information protection program(s) that collectively includes each of the applicable requirement parts in CIP-011-3 Table R1 – Information Protection. Part 1.2: Method(s) to protect and securely handle BCSI to mitigate risks of compromising confidentiality.

elb-acm-certificate-required

Because sensitive data can exist and to help protect data in transit, ensure encryption is enabled for your Elastic Load Balancing. Use AWS Certificate Manager to manage, provision and deploy public and private SSL/TLS certificates with AWS services and internal resources.
CIP-011-3-R1-Part 1.2 Each Responsible Entity shall implement one or more documented information protection program(s) that collectively includes each of the applicable requirement parts in CIP-011-3 Table R1 – Information Protection. Part 1.2: Method(s) to protect and securely handle BCSI to mitigate risks of compromising confidentiality.

elb-tls-https-listeners-only

Ensure that your Elastic Load Balancers (ELBs) are configured with SSL or HTTPS listeners. Because sensitive data can exist, enable encryption in transit to help protect that data.
CIP-011-3-R1-Part 1.2 Each Responsible Entity shall implement one or more documented information protection program(s) that collectively includes each of the applicable requirement parts in CIP-011-3 Table R1 – Information Protection. Part 1.2: Method(s) to protect and securely handle BCSI to mitigate risks of compromising confidentiality.

encrypted-volumes

Because sensitive data can exist and to help protect data at rest, ensure encryption is enabled for your Amazon Elastic Block Store (Amazon EBS) volumes.
CIP-011-3-R1-Part 1.2 Each Responsible Entity shall implement one or more documented information protection program(s) that collectively includes each of the applicable requirement parts in CIP-011-3 Table R1 – Information Protection. Part 1.2: Method(s) to protect and securely handle BCSI to mitigate risks of compromising confidentiality.

kinesis-stream-encrypted

Because sensitive data can exist and to help protect data at rest, ensure encryption is enabled for your Amazon Kinesis Streams.
CIP-011-3-R1-Part 1.2 Each Responsible Entity shall implement one or more documented information protection program(s) that collectively includes each of the applicable requirement parts in CIP-011-3 Table R1 – Information Protection. Part 1.2: Method(s) to protect and securely handle BCSI to mitigate risks of compromising confidentiality.

kms-cmk-not-scheduled-for-deletion

To help protect data at rest, ensure necessary customer master keys (CMKs) are not scheduled for deletion in AWS Key Management Service (AWS KMS). Because key deletion is necessary at times, this rule can assist in checking for all keys scheduled for deletion, in case a key was scheduled unintentionally.
CIP-011-3-R1-Part 1.2 Each Responsible Entity shall implement one or more documented information protection program(s) that collectively includes each of the applicable requirement parts in CIP-011-3 Table R1 – Information Protection. Part 1.2: Method(s) to protect and securely handle BCSI to mitigate risks of compromising confidentiality.

opensearch-audit-logging-enabled

Ensure audit logging is enabled on your Amazon OpenSearch Service domains. Audit logging allows you to track user activity on your OpenSearch domains, including authentication successes and failures, requests to OpenSearch, index changes, and incoming search queries.
CIP-011-3-R1-Part 1.2 Each Responsible Entity shall implement one or more documented information protection program(s) that collectively includes each of the applicable requirement parts in CIP-011-3 Table R1 – Information Protection. Part 1.2: Method(s) to protect and securely handle BCSI to mitigate risks of compromising confidentiality.

opensearch-encrypted-at-rest

Because sensitive data can exist and to help protect data at rest, ensure encryption is enabled for your Amazon OpenSearch Service domains.
CIP-011-3-R1-Part 1.2 Each Responsible Entity shall implement one or more documented information protection program(s) that collectively includes each of the applicable requirement parts in CIP-011-3 Table R1 – Information Protection. Part 1.2: Method(s) to protect and securely handle BCSI to mitigate risks of compromising confidentiality.

opensearch-https-required

Because sensitive data can exist and to help protect data in transit, ensure HTTPS is enabled for connections to your Amazon OpenSearch Service domains.
CIP-011-3-R1-Part 1.2 Each Responsible Entity shall implement one or more documented information protection program(s) that collectively includes each of the applicable requirement parts in CIP-011-3 Table R1 – Information Protection. Part 1.2: Method(s) to protect and securely handle BCSI to mitigate risks of compromising confidentiality.

opensearch-in-vpc-only

Manage access to the AWS Cloud by ensuring Amazon OpenSearch Service domains are within an Amazon Virtual Private Cloud (Amazon VPC). An Amazon OpenSearch Service domain within an Amazon VPC enables secure communication between Amazon OpenSearch and other services within the Amazon VPC without the need for an internet gateway, NAT device, or VPN connection.
CIP-011-3-R1-Part 1.2 Each Responsible Entity shall implement one or more documented information protection program(s) that collectively includes each of the applicable requirement parts in CIP-011-3 Table R1 – Information Protection. Part 1.2: Method(s) to protect and securely handle BCSI to mitigate risks of compromising confidentiality.

opensearch-logs-to-cloudwatch

Ensure Amazon OpenSearch Service domains have error logs enabled and streamed to Amazon CloudWatch Logs for retention and response. Domain error logs can assist with security and access audits, and can help to diagnose availability issues.
CIP-011-3-R1-Part 1.2 Each Responsible Entity shall implement one or more documented information protection program(s) that collectively includes each of the applicable requirement parts in CIP-011-3 Table R1 – Information Protection. Part 1.2: Method(s) to protect and securely handle BCSI to mitigate risks of compromising confidentiality.

opensearch-node-to-node-encryption-check

Ensure node-to-node encryption for Amazon OpenSearch Service is enabled. Node-to-node encryption enables TLS 1.2 encryption for all communications within the Amazon Virtual Private Cloud (Amazon VPC). Because sensitive data can exist, enable encryption in transit to help protect that data.
CIP-011-3-R1-Part 1.2 Each Responsible Entity shall implement one or more documented information protection program(s) that collectively includes each of the applicable requirement parts in CIP-011-3 Table R1 – Information Protection. Part 1.2: Method(s) to protect and securely handle BCSI to mitigate risks of compromising confidentiality.

rds-snapshot-encrypted

Ensure that encryption is enabled for your Amazon Relational Database Service (Amazon RDS) snapshots. Because sensitive data can exist at rest, enable encryption at rest to help protect that data.
CIP-011-3-R1-Part 1.2 Each Responsible Entity shall implement one or more documented information protection program(s) that collectively includes each of the applicable requirement parts in CIP-011-3 Table R1 – Information Protection. Part 1.2: Method(s) to protect and securely handle BCSI to mitigate risks of compromising confidentiality.

rds-storage-encrypted

To help protect data at rest, ensure that encryption is enabled for your Amazon Relational Database Service (Amazon RDS) instances. Because sensitive data can exist at rest in Amazon RDS instances, enable encryption at rest to help protect that data.
CIP-011-3-R1-Part 1.2 Each Responsible Entity shall implement one or more documented information protection program(s) that collectively includes each of the applicable requirement parts in CIP-011-3 Table R1 – Information Protection. Part 1.2: Method(s) to protect and securely handle BCSI to mitigate risks of compromising confidentiality.

redshift-audit-logging-enabled

To capture information about connections and user activities on your Amazon Redshift cluster, ensure audit logging is enabled.
CIP-011-3-R1-Part 1.2 Each Responsible Entity shall implement one or more documented information protection program(s) that collectively includes each of the applicable requirement parts in CIP-011-3 Table R1 – Information Protection. Part 1.2: Method(s) to protect and securely handle BCSI to mitigate risks of compromising confidentiality.

redshift-cluster-configuration-check

To protect data at rest, ensure that encryption is enabled for your Amazon Redshift clusters. You must also ensure that required configurations are deployed on Amazon Redshift clusters. Audit logging should be enabled to provide information about connections and user activities in the database. This rule requires that a value is set for clusterDbEncrypted (Config Default: TRUE) and loggingEnabled (Config Default: TRUE). The actual values should reflect your organization's policies.
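As an added illustration (not the conformance pack template published on GitHub), this is how the rule above and its two parameters are declared in a conformance pack template; the logical resource name is an assumption.

```yaml
# Added example, not the NERC CIP BCSI template itself.
# The logical resource name "RedshiftClusterConfigurationCheck" is an assumption.
Resources:
  RedshiftClusterConfigurationCheck:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: redshift-cluster-configuration-check
      Source:
        Owner: AWS
        SourceIdentifier: REDSHIFT_CLUSTER_CONFIGURATION_CHECK
      # Both parameters default to TRUE; a cluster is NON_COMPLIANT when its
      # encryption or audit logging state does not match the value set here.
      InputParameters:
        clusterDbEncrypted: 'TRUE'
        loggingEnabled: 'TRUE'
```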
CIP-011-3-R1-Part 1.2 Each Responsible Entity shall implement one or more documented information protection program(s) that collectively includes each of the applicable requirement parts in CIP-011-3 Table R1 – Information Protection. Part 1.2: Method(s) to protect and securely handle BCSI to mitigate risks of compromising confidentiality.

redshift-require-tls-ssl

Ensure that your Amazon Redshift clusters require TLS/SSL encryption to connect to SQL clients. Because sensitive data can exist, enable encryption in transit to help protect that data.
CIP-011-3-R1-Part 1.2 Each Responsible Entity shall implement one or more documented information protection program(s) that collectively includes each of the applicable requirement parts in CIP-011-3 Table R1 – Information Protection. Part 1.2: Method(s) to protect and securely handle BCSI to mitigate risks of compromising confidentiality.

s3-bucket-server-side-encryption-enabled

To help protect data at rest, ensure encryption is enabled for your Amazon Simple Storage Service (Amazon S3) buckets. Because sensitive data can exist at rest in Amazon S3 buckets, enable encryption to help protect that data.
CIP-011-3-R1-Part 1.2 Each Responsible Entity shall implement one or more documented information protection program(s) that collectively includes each of the applicable requirement parts in CIP-011-3 Table R1 – Information Protection. Part 1.2: Method(s) to protect and securely handle BCSI to mitigate risks of compromising confidentiality.

s3-bucket-ssl-requests-only

To help protect data in transit, ensure that your Amazon Simple Storage Service (Amazon S3) buckets require requests to use Secure Sockets Layer (SSL). Because sensitive data can exist, enable encryption in transit to help protect that data.
CIP-011-3-R1-Part 1.2 Each Responsible Entity shall implement one or more documented information protection program(s) that collectively includes each of the applicable requirement parts in CIP-011-3 Table R1 – Information Protection. Part 1.2: Method(s) to protect and securely handle BCSI to mitigate risks of compromising confidentiality.

s3-default-encryption-kms

Ensure that encryption is enabled for your Amazon Simple Storage Service (Amazon S3) buckets. Because sensitive data can exist at rest in an Amazon S3 bucket, enable encryption at rest to help protect that data.
CIP-011-3-R1-Part 1.2 Each Responsible Entity shall implement one or more documented information protection program(s) that collectively includes each of the applicable requirement parts in CIP-011-3 Table R1 – Information Protection. Part 1.2: Method(s) to protect and securely handle BCSI to mitigate risks of compromising confidentiality.

s3-event-notifications-enabled

Amazon S3 event notifications can alert relevant personnel of any accidental or intentional modifications to your bucket objects. Example alerts include: new object creation, object removal, object restoration, and lost and replicated objects.
CIP-011-3-R1-Part 1.2 Each Responsible Entity shall implement one or more documented information protection program(s) that collectively includes each of the applicable requirement parts in CIP-011-3 Table R1 – Information Protection. Part 1.2: Method(s) to protect and securely handle BCSI to mitigate risks of compromising confidentiality.

s3-lifecycle-policy-check

Ensure Amazon S3 lifecycle policies are configured to help define actions that you want Amazon S3 to take during an object's lifetime (for example, transition objects to another storage class, archive them, or delete them after a specified period of time).
CIP-011-3-R1-Part 1.2 Each Responsible Entity shall implement one or more documented information protection program(s) that collectively includes each of the applicable requirement parts in CIP-011-3 Table R1 – Information Protection. Part 1.2: Method(s) to protect and securely handle BCSI to mitigate risks of compromising confidentiality.

sagemaker-endpoint-configuration-kms-key-configured

To help protect data at rest, ensure encryption with AWS Key Management Service (AWS KMS) is enabled for your SageMaker endpoint. Because sensitive data can exist at rest in a SageMaker endpoint, enable encryption at rest to help protect that data.
CIP-011-3-R1-Part 1.2 Each Responsible Entity shall implement one or more documented information protection program(s) that collectively includes each of the applicable requirement parts in CIP-011-3 Table R1 – Information Protection. Part 1.2: Method(s) to protect and securely handle BCSI to mitigate risks of compromising confidentiality.

sagemaker-notebook-instance-kms-key-configured

To help protect data at rest, ensure encryption with AWS Key Management Service (AWS KMS) is enabled for your SageMaker notebook. Because sensitive data can exist at rest in a SageMaker notebook, enable encryption at rest to help protect that data.
CIP-011-3-R1-Part 1.2 Each Responsible Entity shall implement one or more documented information protection program(s) that collectively includes each of the applicable requirement parts in CIP-011-3 Table R1 – Information Protection. Part 1.2: Method(s) to protect and securely handle BCSI to mitigate risks of compromising confidentiality.

sns-encrypted-kms

To help protect data at rest, ensure that your Amazon Simple Notification Service (Amazon SNS) topics require encryption using AWS Key Management Service (AWS KMS). Because sensitive data can exist at rest in published messages, enable encryption at rest to help protect that data.
CIP-011-3-R1-Part 1.2 Each Responsible Entity shall implement one or more documented information protection program(s) that collectively includes each of the applicable requirement parts in CIP-011-3 Table R1 – Information Protection. Part 1.2: Method(s) to protect and securely handle BCSI to mitigate risks of compromising confidentiality.

rds-cluster-default-admin-check

As default usernames are public knowledge, changing default usernames can assist in reducing the attack surface for your Amazon Relational Database Service (Amazon RDS) database cluster(s).
CIP-011-3-R1-Part 1.2 Each Responsible Entity shall implement one or more documented information protection program(s) that collectively includes each of the applicable requirement parts in CIP-011-3 Table R1 – Information Protection. Part 1.2: Method(s) to protect and securely handle BCSI to mitigate risks of compromising confidentiality.

rds-instance-default-admin-check

As default usernames are public knowledge, changing default usernames can assist in reducing the attack surface for your Amazon Relational Database Service (Amazon RDS) database instance(s).
CIP-011-3-R1-Part 1.2 Each Responsible Entity shall implement one or more documented information protection program(s) that collectively includes each of the applicable requirement parts in CIP-011-3 Table R1 – Information Protection. Part 1.2: Method(s) to protect and securely handle BCSI to mitigate risks of compromising confidentiality.

redshift-default-admin-check

As default usernames are public knowledge, changing default usernames can assist in reducing the attack surface for your Amazon Redshift cluster(s).
CIP-011-3-R1-Part 1.2 Each Responsible Entity shall implement one or more documented information protection program(s) that collectively includes each of the applicable requirement parts in CIP-011-3 Table R1 – Information Protection. Part 1.2: Method(s) to protect and securely handle BCSI to mitigate risks of compromising confidentiality.

s3-bucket-acl-prohibited

This rule checks to see if Access Control Lists (ACLs) are used for access control on Amazon S3 Buckets. ACLs are legacy access control mechanisms for Amazon S3 buckets that predate AWS Identity and Access Management (IAM). Instead of ACLs, it is a best practice to use IAM policies or S3 bucket policies to more easily manage access to your S3 buckets.

Template

The template is available on GitHub: Operational Best Practices for NERC CIP BCSI.