Center for Internet Security (CIS) AWS Foundations Benchmark v1.2.0 and v1.4.0 - AWS Security Hub


The CIS AWS Foundations Benchmark is a set of security configuration best practices for AWS. These industry-accepted best practices give you clear, step-by-step implementation and assessment procedures. CIS publishes benchmarks for everything from operating systems to cloud services and network devices; the controls in this benchmark cover the account-level AWS services (IAM, CloudTrail, AWS Config, CloudWatch, VPC, S3, KMS, RDS) that your organization relies on.

AWS Security Hub supports CIS AWS Foundations Benchmark v1.2.0 and v1.4.0.

This page lists security control IDs and titles. In the AWS GovCloud (US) Region and China Regions, standard-specific control IDs and titles are used. For a mapping of security control IDs and titles to standard-specific control IDs and titles, see How consolidation impacts control IDs and titles.

Center for Internet Security (CIS) AWS Foundations Benchmark v1.2.0

Security Hub has satisfied the requirements of, and has been awarded, CIS Security Software Certification for the following CIS Benchmarks:

  • CIS Benchmark for CIS AWS Foundations Benchmark, v1.2.0, Level 1

  • CIS Benchmark for CIS AWS Foundations Benchmark, v1.2.0, Level 2

Controls that apply to CIS AWS Foundations Benchmark v1.2.0

[CloudTrail.1] CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events

[CloudTrail.2] CloudTrail should have encryption at-rest enabled

[CloudTrail.4] CloudTrail log file validation should be enabled

[CloudTrail.5] CloudTrail trails should be integrated with Amazon CloudWatch Logs

[CloudTrail.6] Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible

[CloudTrail.7] Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket

[CloudWatch.1] A log metric filter and alarm should exist for usage of the "root" user

[CloudWatch.2] Ensure a log metric filter and alarm exist for unauthorized API calls

[CloudWatch.3] Ensure a log metric filter and alarm exist for Management Console sign-in without MFA

[CloudWatch.4] Ensure a log metric filter and alarm exist for IAM policy changes

[CloudWatch.5] Ensure a log metric filter and alarm exist for CloudTrail AWS Configuration changes

[CloudWatch.6] Ensure a log metric filter and alarm exist for AWS Management Console authentication failures

[CloudWatch.7] Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer managed keys

[CloudWatch.8] Ensure a log metric filter and alarm exist for S3 bucket policy changes

[CloudWatch.9] Ensure a log metric filter and alarm exist for AWS Config configuration changes

[CloudWatch.10] Ensure a log metric filter and alarm exist for security group changes

[CloudWatch.11] Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)

[CloudWatch.12] Ensure a log metric filter and alarm exist for changes to network gateways

[CloudWatch.13] Ensure a log metric filter and alarm exist for route table changes

[CloudWatch.14] Ensure a log metric filter and alarm exist for VPC changes

[Config.1] AWS Config should be enabled

[EC2.2] VPC default security groups should not allow inbound or outbound traffic

[EC2.6] VPC flow logging should be enabled in all VPCs

[EC2.13] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 22

[EC2.14] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 3389

[IAM.1] IAM policies should not allow full "*" administrative privileges

[IAM.2] IAM users should not have IAM policies attached

[IAM.3] IAM users' access keys should be rotated every 90 days or less

[IAM.4] IAM root user access key should not exist

[IAM.5] MFA should be enabled for all IAM users that have a console password

[IAM.6] Hardware MFA should be enabled for the root user

[IAM.8] Unused IAM user credentials should be removed

[IAM.9] MFA should be enabled for the root user

[IAM.11] Ensure IAM password policy requires at least one uppercase letter

[IAM.12] Ensure IAM password policy requires at least one lowercase letter

[IAM.13] Ensure IAM password policy requires at least one symbol

[IAM.14] Ensure IAM password policy requires at least one number

[IAM.15] Ensure IAM password policy requires minimum password length of 14 or greater

[IAM.16] Ensure IAM password policy prevents password reuse

[IAM.17] Ensure IAM password policy expires passwords within 90 days or less

[IAM.18] Ensure a support role has been created to manage incidents with AWS Support

[KMS.4] AWS KMS key rotation should be enabled

Center for Internet Security (CIS) AWS Foundations Benchmark v1.4.0

Security Hub supports v1.4.0 of the CIS AWS Foundations Benchmark.

Controls that apply to CIS AWS Foundations Benchmark v1.4.0

[CloudTrail.1] CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events

[CloudTrail.2] CloudTrail should have encryption at-rest enabled

[CloudTrail.4] CloudTrail log file validation should be enabled

[CloudTrail.5] CloudTrail trails should be integrated with Amazon CloudWatch Logs

[CloudTrail.6] Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible

[CloudTrail.7] Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket

[CloudWatch.1] A log metric filter and alarm should exist for usage of the "root" user

[CloudWatch.4] Ensure a log metric filter and alarm exist for IAM policy changes

[CloudWatch.5] Ensure a log metric filter and alarm exist for CloudTrail AWS Configuration changes

[CloudWatch.6] Ensure a log metric filter and alarm exist for AWS Management Console authentication failures

[CloudWatch.7] Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer managed keys

[CloudWatch.8] Ensure a log metric filter and alarm exist for S3 bucket policy changes

[CloudWatch.9] Ensure a log metric filter and alarm exist for AWS Config configuration changes

[CloudWatch.10] Ensure a log metric filter and alarm exist for security group changes

[CloudWatch.11] Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)

[CloudWatch.12] Ensure a log metric filter and alarm exist for changes to network gateways

[CloudWatch.13] Ensure a log metric filter and alarm exist for route table changes

[CloudWatch.14] Ensure a log metric filter and alarm exist for VPC changes

[Config.1] AWS Config should be enabled

[EC2.2] VPC default security groups should not allow inbound or outbound traffic

[EC2.6] VPC flow logging should be enabled in all VPCs

[EC2.7] EBS default encryption should be enabled

[EC2.21] Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389

[IAM.1] IAM policies should not allow full "*" administrative privileges

[IAM.3] IAM users' access keys should be rotated every 90 days or less

[IAM.4] IAM root user access key should not exist

[IAM.5] MFA should be enabled for all IAM users that have a console password

[IAM.6] Hardware MFA should be enabled for the root user

[IAM.9] MFA should be enabled for the root user

[IAM.15] Ensure IAM password policy requires minimum password length of 14 or greater

[IAM.16] Ensure IAM password policy prevents password reuse

[IAM.18] Ensure a support role has been created to manage incidents with AWS Support

[IAM.22] IAM user credentials unused for 45 days should be removed

[KMS.4] AWS KMS key rotation should be enabled

[RDS.3] RDS DB instances should have encryption at-rest enabled

[S3.1] S3 general purpose buckets should have block public access settings enabled

[S3.5] S3 general purpose buckets should require requests to use SSL

[S3.8] S3 general purpose buckets should block public access

[S3.20] S3 general purpose buckets should have MFA delete enabled

CIS AWS Foundations Benchmark v1.2.0 compared to v1.4.0

This section summarizes the differences between the Center for Internet Security (CIS) AWS Foundations Benchmark v1.4.0 and v1.2.0. Security Hub supports both versions of this standard.

Note

We recommend upgrading to CIS AWS Foundations Benchmark v1.4.0 to stay current on security best practices, but you can have both v1.4.0 and v1.2.0 enabled at the same time. For more information, see Enabling and disabling security standards. If you want to upgrade to v1.4.0, enable v1.4.0 first and disable v1.2.0 only after v1.4.0 is enabled, so that the controls the two versions share keep producing findings throughout the switch. If you use the Security Hub integration with AWS Organizations to centrally manage multiple accounts and want to batch enable v1.4.0 across all of them (and optionally disable v1.2.0), you can run a Security Hub multi-account script from the administrator account.

Controls that exist in CIS AWS Foundations Benchmark v1.4.0, but not in v1.2.0

The following controls were added in CIS AWS Foundations Benchmark v1.4.0. These controls are not included in CIS AWS Foundations Benchmark v1.2.0.

Security control ID | CIS v1.4.0 requirement | Control title
EC2.7 | 2.2.1 | Ensure EBS volume encryption is enabled
EC2.21 | 5.1 | Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports
IAM.22 | 1.12 | Ensure credentials unused for 45 days or greater are disabled
RDS.3 | 2.3.1 | Ensure that encryption is enabled for RDS Instances
S3.1 | 2.1.5.1 | S3 Block Public Access setting should be enabled
S3.5 | 2.1.2 | Ensure S3 bucket policy is set to deny HTTP requests
S3.8 | 2.1.5.2 | S3 Block Public Access setting should be enabled at the bucket level
S3.20 | 2.1.3 | S3 general purpose buckets should have MFA delete enabled

Controls that exist in CIS AWS Foundations Benchmark v1.2.0, but not in v1.4.0

The following controls exist only in CIS AWS Foundations Benchmark v1.2.0. These controls are not included in CIS AWS Foundations Benchmark v1.4.0.

Security control ID | CIS v1.2.0 requirement | Control title | Reason not included in v1.4.0
CloudWatch.2 | 3.1 | Ensure a log metric filter and alarm exist for unauthorized API calls | Automated check that Security Hub doesn't support
CloudWatch.3 | 3.2 | Ensure a log metric filter and alarm exist for AWS Management Console sign-in without MFA | Automated check that Security Hub doesn't support
EC2.13 | 4.1 | Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 | See instead [EC2.21] Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389
EC2.14 | 4.2 | Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 | Automated check that Security Hub doesn't support
IAM.2 | 1.16 | IAM users should not have IAM policies attached | Automated check that Security Hub doesn't support
IAM.8 | 1.3 | Ensure credentials unused for 90 days or greater are disabled | See instead [IAM.22] IAM user credentials unused for 45 days should be removed
IAM.11 | 1.5 | Ensure IAM password policy requires at least one uppercase letter | Not a requirement in CIS v1.4.0
IAM.12 | 1.6 | Ensure IAM password policy requires at least one lowercase letter | Not a requirement in CIS v1.4.0
IAM.13 | 1.7 | Ensure IAM password policy requires at least one symbol | Not a requirement in CIS v1.4.0
IAM.14 | 1.8 | Ensure IAM password policy requires at least one number | Not a requirement in CIS v1.4.0
IAM.17 | 1.11 | Ensure IAM password policy expires passwords within 90 days or less | Not a requirement in CIS v1.4.0
IAM.20 | 1.1 | Avoid the use of the root user | See instead [CloudWatch.1] A log metric filter and alarm should exist for usage of the "root" user

Controls that exist in CIS AWS Foundations Benchmark v1.2.0 and v1.4.0

The following controls exist in both CIS AWS Foundations Benchmark v1.2.0 and v1.4.0. However, the CIS requirement numbers, and some of the control titles, differ between the two versions.

Security control ID | CIS v1.2.0 requirement | Control title in CIS v1.2.0 | CIS v1.4.0 requirement | Control title in CIS v1.4.0
CloudTrail.1 | 2.1 | Ensure CloudTrail is enabled in all Regions | 3.1 | Ensure CloudTrail is enabled in all Regions
CloudTrail.2 | 2.7 | Ensure CloudTrail logs are encrypted at rest using AWS KMS keys | 3.7 | Ensure CloudTrail logs are encrypted at rest using AWS KMS keys
CloudTrail.4 | 2.2 | Ensure CloudTrail log file validation is enabled | 3.2 | Ensure CloudTrail log file validation is enabled
CloudTrail.5 | 2.4 | Ensure CloudTrail trails are integrated with CloudWatch Logs | 3.4 | Ensure CloudTrail trails are integrated with CloudWatch Logs
CloudTrail.6 | 2.3 | Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible | 3.3 | Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible
CloudTrail.7 | 2.6 | Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket | 3.6 | Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
CloudWatch.1 | 1.1, 3.3 | 1.1 – Avoid the use of the root user; 3.3 – Ensure a log metric filter and alarm exist for usage of root user | 1.7 | Eliminate use of the root user for administrative and daily tasks
CloudWatch.4 | 3.4 | Ensure a log metric filter and alarm exist for IAM policy changes | 4.4 | Ensure a log metric filter and alarm exist for IAM policy changes
CloudWatch.5 | 3.5 | Ensure a log metric filter and alarm exist for CloudTrail configuration change | 4.5 | Ensure a log metric filter and alarm exist for CloudTrail configuration change
CloudWatch.6 | 3.6 | Ensure a log metric filter and alarm exist for AWS Management Console authentication failures | 4.6 | Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
CloudWatch.7 | 3.7 | Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer managed keys | 4.7 | Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer managed keys
CloudWatch.8 | 3.8 | Ensure a log metric filter and alarm exist for S3 bucket policy changes | 4.8 | Ensure a log metric filter and alarm exist for S3 bucket policy changes
CloudWatch.9 | 3.9 | Ensure a log metric filter and alarm exist for AWS Config configuration changes | 4.9 | Ensure a log metric filter and alarm exist for AWS Config configuration changes
CloudWatch.10 | 3.10 | Ensure a log metric filter and alarm exist for security group changes | 4.10 | Ensure a log metric filter and alarm exist for security group changes
CloudWatch.11 | 3.11 | Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) | 4.11 | Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)
CloudWatch.12 | 3.12 | Ensure a log metric filter and alarm exist for changes to network gateways | 4.12 | Ensure a log metric filter and alarm exist for changes to network gateways
CloudWatch.13 | 3.13 | Ensure a log metric filter and alarm exist for route table changes | 4.13 | Ensure a log metric filter and alarm exist for route table changes
CloudWatch.14 | 3.14 | Ensure a log metric filter and alarm exist for VPC changes | 4.14 | Ensure a log metric filter and alarm exist for VPC changes
Config.1 | 2.5 | Ensure AWS Config is enabled | 3.5 | Ensure AWS Config is enabled in all Regions
EC2.2 | 4.3 | Ensure the default security group of every VPC restricts all traffic | 5.3 | Ensure the default security group of every VPC restricts all traffic
EC2.6 | 2.9 | Ensure VPC flow logging is enabled in all VPCs | 3.9 | Ensure VPC flow logging is enabled in all VPCs
IAM.1 | 1.22 | Ensure IAM policies that allow full "*:*" administrative privileges are not created | 1.16 | Ensure IAM policies that allow full "*:*" administrative privileges are not attached
IAM.3 | 1.4 | Ensure access keys are rotated every 90 days or less | 1.14 | Ensure access keys are rotated every 90 days or less
IAM.4 | 1.12 | Ensure no root user access key exists | 1.4 | Ensure no root user account access key exists
IAM.5 | 1.2 | Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password | 1.10 | Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password
IAM.6 | 1.14 | Ensure hardware MFA is enabled for the root user | 1.6 | Ensure hardware MFA is enabled for the root user account
IAM.9 | 1.13 | Ensure MFA is enabled for the root user | 1.5 | Ensure MFA is enabled for the root user account
IAM.15 | 1.9 | Ensure IAM password policy requires minimum password length of 14 or greater | 1.8 | Ensure IAM password policy requires minimum length of 14 or greater
IAM.16 | 1.10 | Ensure IAM password policy prevents password reuse | 1.9 | Ensure IAM password policy prevents password reuse
IAM.18 | 1.20 | Ensure a support role has been created to manage incidents with AWS Support | 1.17 | Ensure a support role has been created to manage incidents with AWS Support
KMS.4 | 2.8 | Ensure rotation for customer-created KMS keys is enabled | 3.8 | Ensure rotation for customer-created KMS keys is enabled

Finding fields format for CIS AWS Foundations Benchmark v1.4.0

When you enable CIS AWS Foundations Benchmark v1.4.0, you'll begin receiving findings in the AWS Security Finding Format (ASFF). For these findings, standard-specific fields will reference v1.4.0. For CIS AWS Foundations Benchmark v1.4.0, note the following format for GeneratorID and any ASFF fields that reference the standard Amazon Resource Name (ARN).

  • Standard ARN: arn:partition:securityhub:region:account-id:standards/cis-aws-foundations-benchmark/v/1.4.0

  • GeneratorID: cis-aws-foundations-benchmark/v/1.4.0/control ID

You can call the GetEnabledStandards API operation to find out the ARN of a standard.

Note

When you enable CIS AWS Foundations Benchmark v1.4.0, Security Hub may take up to 18 hours to generate findings for controls that use the same AWS Config service-linked rule as enabled controls in other enabled standards. For more information, see Schedule for running security checks.

Finding fields will differ if you've turned on consolidated control findings. For more information about these differences, see Impact of consolidation on ASFF fields and values. For sample CIS control findings with consolidation turned on and off, see Sample control findings.
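The following Python helpers tie together two things this page describes: the v1.4.0 standard ARN and GeneratorId formats documented above, and the note's advice to enable v1.4.0 before disabling v1.2.0. This is an added example written for this page, not AWS code. It assumes the documented non-consolidated GeneratorId shape; the consolidated shape ("security-control/<ID>") and the sample findings are assumptions and constructed data, not taken from the page. The requirement-to-control mapping is a subset copied from the comparison tables above. The boto3 calls used (BatchEnableStandards, GetEnabledStandards, BatchDisableStandards, GetFindings) are the real Security Hub API; boto3 is imported lazily so the parsing and summarizing functions run offline.

```python
"""Helpers for CIS AWS Foundations Benchmark findings and standards in Security Hub.

Added example for this page, not AWS-provided code. The v1.4.0 standard ARN and
GeneratorId formats come from the page; the consolidated GeneratorId shape and
the SAMPLE_FINDINGS below are assumptions / constructed data.
"""
import re
from collections import defaultdict

CIS_PREFIX = "cis-aws-foundations-benchmark/v/"

# CIS v1.4.0 requirement number -> Security Hub security control ID
# (subset copied from the mapping tables on this page).
CIS_V140_TO_CONTROL = {
    "3.1": "CloudTrail.1", "3.7": "CloudTrail.2", "3.2": "CloudTrail.4",
    "1.7": "CloudWatch.1", "1.16": "IAM.1", "1.14": "IAM.3", "1.4": "IAM.4",
    "1.10": "IAM.5", "1.6": "IAM.6", "1.5": "IAM.9", "1.12": "IAM.22",
    "2.2.1": "EC2.7", "5.1": "EC2.21", "2.3.1": "RDS.3",
    "2.1.5.1": "S3.1", "2.1.2": "S3.5", "2.1.5.2": "S3.8", "2.1.3": "S3.20",
}

# Documented (non-consolidated) GeneratorId: cis-aws-foundations-benchmark/v/<ver>/<requirement>
_GEN_RE = re.compile(r"^cis-aws-foundations-benchmark/v/(?P<ver>\d+\.\d+\.\d+)/(?P<req>[^/]+)$")
# Assumed consolidated-findings GeneratorId: security-control/<SecurityControlId>
_CONSOLIDATED_RE = re.compile(r"^security-control/(?P<control>[A-Za-z0-9]+\.\d+)$")


def cis_standard_arn(partition, region, account_id, version="1.4.0"):
    """Standard ARN in the format the page documents for v1.4.0. The page does not
    give the v1.2.0 ARN shape, so look that one up with GetEnabledStandards."""
    return (f"arn:{partition}:securityhub:{region}:{account_id}:"
            f"standards/cis-aws-foundations-benchmark/v/{version}")


def parse_generator_id(generator_id):
    """Return (version, cis_requirement, security_control_id) for a CIS finding,
    or None if the GeneratorId is not a CIS one. Unknown fields are None."""
    m = _GEN_RE.match(generator_id)
    if m:
        ver, req = m.group("ver"), m.group("req")
        control = CIS_V140_TO_CONTROL.get(req) if ver == "1.4.0" else None
        return ver, req, control
    m = _CONSOLIDATED_RE.match(generator_id)
    if m:
        return None, None, m.group("control")
    return None


def failed_cis_filter(version="1.4.0"):
    """Filters for GetFindings: active, unworked, FAILED findings from one CIS version."""
    return {
        "GeneratorId": [{"Value": f"{CIS_PREFIX}{version}/", "Comparison": "PREFIX"}],
        "ComplianceStatus": [{"Value": "FAILED", "Comparison": "EQUALS"}],
        "RecordState": [{"Value": "ACTIVE", "Comparison": "EQUALS"}],
        "WorkflowStatus": [{"Value": "NEW", "Comparison": "EQUALS"}],
    }


def fetch_failed_cis_findings(client, version="1.4.0"):
    """Page through GetFindings with the filter above using a boto3 securityhub client."""
    findings = []
    paginator = client.get_paginator("get_findings")
    for page in paginator.paginate(Filters=failed_cis_filter(version)):
        findings.extend(page["Findings"])
    return findings


def summarize_failed(findings):
    """Group FAILED findings by control: {control label: [resource ids]}. Label is the
    security control ID where known, else "<version>/<requirement>"."""
    out = defaultdict(list)
    for f in findings:
        if f.get("Compliance", {}).get("Status") != "FAILED":
            continue
        parsed = parse_generator_id(f.get("GeneratorId", ""))
        if parsed is None:
            continue
        ver, req, control = parsed
        out[control or f"{ver}/{req}"].extend(r["Id"] for r in f.get("Resources", []))
    return dict(out)


def upgrade_cis_standard(client, partition, region, account_id):
    """Enable v1.4.0, confirm it shows as enabled, and only then disable v1.2.0 (the
    order the page's note recommends). Returns the subscription ARNs disabled."""
    v140 = cis_standard_arn(partition, region, account_id, "1.4.0")
    client.batch_enable_standards(StandardsSubscriptionRequests=[{"StandardsArn": v140}])
    enabled = client.get_enabled_standards()["StandardsSubscriptions"]  # first page only
    if not any(s["StandardsArn"] == v140 for s in enabled):
        raise RuntimeError("v1.4.0 is not reported as enabled; leaving v1.2.0 in place")
    old = [s["StandardsSubscriptionArn"] for s in enabled
           if f"{CIS_PREFIX}1.2.0" in s["StandardsArn"]]
    if old:
        client.batch_disable_standards(StandardsSubscriptionArns=old)
    return old


# Constructed sample findings (not real data): one failed v1.4.0 finding, one passed,
# one in the assumed consolidated shape.
SAMPLE_FINDINGS = [
    {"GeneratorId": "cis-aws-foundations-benchmark/v/1.4.0/3.1",
     "Compliance": {"Status": "FAILED"}, "Resources": [{"Id": "AWS::::Account:111122223333"}]},
    {"GeneratorId": "cis-aws-foundations-benchmark/v/1.4.0/1.4",
     "Compliance": {"Status": "PASSED"}, "Resources": [{"Id": "AWS::::Account:111122223333"}]},
    {"GeneratorId": "security-control/S3.8",
     "Compliance": {"Status": "FAILED"}, "Resources": [{"Id": "arn:aws:s3:::example-bucket"}]},
]

if __name__ == "__main__":
    for control, resources in sorted(summarize_failed(SAMPLE_FINDINGS).items()):
        print(control, resources)
    # Live use: import boto3; sh = boto3.client("securityhub")
    # summarize_failed(fetch_failed_cis_findings(sh)); upgrade_cis_standard(sh, "aws", region, acct)
```

Because GetEnabledStandards is paginated, a tenant with many standards enabled should iterate NextToken rather than trust the first page as this example does; the hard failure before disabling v1.2.0 is deliberate, since the page's advice is to avoid a window with neither version active.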

CIS AWS Foundations Benchmark security checks that aren't supported in Security Hub

This section summarizes CIS requirements that are not currently supported in Security Hub. The Center for Internet Security (CIS) is an independent, nonprofit organization that establishes these requirements.

CIS AWS Foundations Benchmark v1.2.0 security checks that aren't supported in Security Hub

The following CIS AWS Foundations Benchmark v1.2.0 requirements are not currently supported in Security Hub.

Manual checks that aren't supported

Security Hub focuses on automated security checks. As a result, Security Hub doesn't support the following requirements of CIS AWS Foundations Benchmark v1.2.0 because they require manual checks of your resources:

  • 1.15 – Ensure security questions are registered in the AWS account

  • 1.17 – Maintain current contact details

  • 1.18 – Ensure security contact information is registered

  • 1.19 – Ensure IAM instance roles are used for AWS resource access from instances

  • 1.21 – Do not setup access keys during initial user setup for all IAM users that have a console password

  • 4.4 – Ensure routing tables for VPC peering are "least access"

Security Hub supports all automated checks for CIS AWS Foundations Benchmark v1.2.0.

CIS AWS Foundations Benchmark v1.4.0 security checks that aren't supported in Security Hub

The following CIS AWS Foundations Benchmark v1.4.0 requirements are not currently supported in Security Hub.

Manual checks that aren't supported

Security Hub focuses on automated security checks. As a result, Security Hub doesn't support the following requirements of CIS AWS Foundations Benchmark v1.4.0 because they require manual checks of your resources:

  • 1.1 – Maintain current contact details

  • 1.2 – Ensure security contact information is registered

  • 1.3 – Ensure security questions are registered in the AWS account

  • 1.11 – Do not setup access keys during initial user setup for all IAM users that have a console password

  • 1.18 – Ensure IAM instance roles are used for AWS resource access from instances

  • 1.21 – Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments

  • 2.1.4 – Ensure all data in Amazon S3 has been discovered, classified, and secured when required

  • 5.4 – Ensure routing tables for VPC peering are "least access"

Automated checks that aren't supported

Security Hub doesn't support the following requirements of CIS AWS Foundations Benchmark v1.4.0 that rely on automated checks:

  • 1.13 – Ensure there is only one active access key available for any single IAM user

  • 1.15 – Ensure IAM users receive permissions only through groups

  • 1.19 – Ensure that all the expired SSL/TLS certificates stored in IAM are removed

  • 1.20 – Ensure that IAM Access Analyzer is enabled for all Regions

  • 3.10 – Ensure that Object-level logging for write events is enabled for S3 buckets

  • 3.11 – Ensure that Object-level logging for read events is enabled for S3 buckets

  • 4.1 – Ensure a log metric filter and alarm exist for unauthorized API calls

  • 4.2 – Ensure a log metric filter and alarm exist for Management Console sign-in without MFA

  • 4.3 – Ensure a log metric filter and alarm exist for usage of root account (this overlaps with requirement 1.7, Eliminate use of the root user for administrative and daily tasks, which Security Hub does support as [CloudWatch.1])

  • 4.15 – Ensure a log metric filter and alarm exists for AWS Organizations changes

  • 5.2 – Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports