Checks We Perform
Below is a list of all the checks we perform. Select one to view more information.
- All (56)
- Logical Access (15)
- Management Control (1)
- Data Security (9)
- Vulnerability Management (3)
- Network Monitoring (21)
- Incident Response (7)
Logical Access
1.1 Avoid Use of the Root Account
Description:
Recommendation 1.1 of the CIS AWS Foundations Benchmark states that because the root account has unrestricted access to all resources in the AWS account, use of this account should be avoided. The root account is the most privileged AWS account. Minimizing the use of this account and adopting the principle of least privilege for access management will reduce the risk of accidental changes and unintended disclosure of highly privileged credentials.
For more information, visit the AWS documentation on AWS root accounts.
Logical Access
1.2 Ensure MFA is Enabled for All IAM Users
Description:
Recommendation 1.2 of the CIS AWS Foundations Benchmark states that because MFA adds an extra layer of protection on top of a user name and password, MFA needs to be enabled for all IAM users with a console password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. Enabling MFA provides increased security for console access as it requires the authenticating principal to possess a device that emits a time-sensitive key and have knowledge of a credential.
Logical Access
1.3 Ensure Credentials Unused for 90+ Days are Disabled
Description:
Recommendation 1.3 of the CIS AWS Foundations Benchmark states that all credentials that have been unused in 90 or greater days should be removed or deactivated. Disabling or removing unnecessary credentials will reduce the window of opportunity for credentials associated with a compromised or abandoned account to be used.
Logical Access
1.4 Ensure IAM Password Policies Require At Least 1 Lowercase Letter, 1 Uppercase Letter, 1 Number, 1 Symbol, and is At Least 10 Characters Long
Description:
The CIS AWS Foundations Benchmark explains that password policies need to enforce password complexity requirements in order to increase account resiliency against brute force login attempts. Industry best practice is to ensure that IAM password policies require at least one lowercase letter, one uppercase letter, one number, one symbol, and a minimum length of 10 characters.
Logical Access
1.5 Ensure IAM Password Policies Prevent Password Reuse for the Last 24 Passwords
Description:
Industry best practices is to ensure that IAM password policies prevent password reuse for the last 24 passwords. The CIS AWS Foundations Benchmark explains that password policies need to prevent password reuse in order to increase account resiliency against brute force login attempts.
Logical Access
1.6 Ensure IAM Policies are Attached Only to Groups or Roles
Description:
Recommendation 1.16 of the CIS AWS Foundations Benchmark states that by default, IAM users, groups, and roles have no access to AWS resources. IAM policies are how privileges are granted to users, groups, or roles. To that end, IAM policies should only be attached to groups or roles – not users. Assigning privileges at the group or role level reduces the complexity of access management as the number of users grow. Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.
Logical Access
1.7 Ensure IAM Instance Roles are Used for AWS Resource Access
Description:
Recommendation 1.19 of the CIS AWS Foundations Benchmark states that by ensuring IAM instance roles are used for AWS resource access, you reduce the risks associated with sharing and rotating credentials that can be used outside of AWS itself. If credentials are compromised, they can be used from outside of the AWS account they give access to. In contrast, in order to leverage role permissions an attacker would need to gain and maintain access to a specific instance to use the privileges associated with it. Additionally, if credentials are encoded into compiled applications or other hard to change mechanisms, then they are even more unlikely to be properly rotated due to service disruption risks. As time goes on, credentials that cannot be rotated are more likely to be known by an increasing number of individuals who no longer work for the organization owning the credentials.
Logical Access
1.8 Ensure IAM Policies that Allow Full "*:*" Administrative Privileges are Not Created
Description:
Following the industry standard of least privilege, recommendation 1.22 of the CIS AWS Foundations Benchmark states that IAM policies that allow full administrative privileges should not be created. The CIS recommends to first determine what users need to do, and then craft policies for them that let the users perform only those tasks, instead of allowing full administrative privileges. It's more secure to start with a minimum set of permissions and grant additional permissions as necessary, rather than starting with permissions that are too lenient and then trying to tighten them later. Specifically, IAM policies that have a statement with "Effect": "Allow" with "Action": "*" over "Resource": "*" should be removed.
Logical Access
1.9 Ensure S3 IAM Policies Do Not Grant Access to All Buckets
Description:
S3 bucket policies and user policies are what determine the permissions and access to S3. S3 bucket policies are attached at the bucket level and apply to all objects within that bucket. Our recommendation is to ensure that S3 bucket policies do no grant access to all buckets.
Logical Access
1.10 Ensure an Organization Has Been Created Within AWS to House Accounts
Description:
To securely create a multi-account AWS environment, we recommend housing AWS accounts within an organization. The AWS Organizations feature provides centralized account management and governance. It allows you to group multiple accounts into an organizational units (OUs) and, in turn, apply policies to OUs instead of directly to accounts. This type of consolidation becomes extremely valuable as you scale your AWS resources and architecture.
For more information, visit the AWS documentation for AWS Organizations best practices.
Management Control
1.11 Ensure Users with Access Keys Enabled Require MFA for API Calls
Description:
Using IAM policies with MFA conditions, you can ensure that MFA is required for users who are able to make API calls. This will add an additional layer of protection and accountability before a user is allowed to perform sensitive API operations.
For more information, visit the AWS documentation on configuring MFA-protected API access.
Logical Access
1.12 Ensure Access to EBS Snapshots is Restricted
Description:
AWS does allow you to make your EBS snapshots public, but we recommend restricting access to EBS snapshots by making them private, unless you have a specific business need that requires this. These point-in-time snapshots are crucial to your data backup and recovery processes; you don’t want to risk public access or permissions misconfigurations here.
For more information, visit the AWS documentation on EBS snapshots.
Logical Access
1.13 Ensure IAM Password Policy Expires Password Within 90 Days or Less
Description:
Recommendation 1.11 of the CIS AWS Foundations Benchmark states that IAM password policies can require passwords to be rotated or expired after given a specified number of days. It’s recommended that password policy expire passwords after 90 days or fewer. Decreasing the password lifetime increases account resiliency against brute force login attempts. Additionally, requiring regular password changes helps scenarios like stolen passwords, redundant use of passwords across accounts, and compromised end users.
Logical Access
1.14 Ensure No Root Account Access Key Exists
Description:
Recommendation 1.12 of the CIS AWS Foundations Benchmark recommends that all access keys associated with the root account be removed. The root account is the most privileged user in the AWS account, and Access Keys provide programmatic access to a given account. That said, if the account is compromised, by removing the access keys associated with the root account, it limits vectors by which the attackers can act on. Additionally, by removing the root access keys, it encourages the creation and use of role based accounts that are least privileged.
Logical Access
1.16 Ensure MFA is Enabled for the "root" Account
Description:
Recommendation 1.13 of the CIS AWS Foundations Benchmark states that the root account is the most privileged user in an AWS Account. MFA adds an additional layer of security on top of a username and password. When a user signs into an AWS website/account, if MFA is enabled, they will be prompted for their username and password following an authentication code from their AWS MFA device.
Note: When virtual MFA is used for root accounts, make sure NOT to use a personal device, but rather a dedicated mobile device (tablet/phone) that is securely independent from any other devices.
Logical Access
1.17 Ensure Hardware MFA is Enabled for the "root" Account
Description:
Recommendation 1.14 of the CIS AWS Foundations Benchmark states that the root account is the most privileged user in an AWS Account. MFA adds an additional layer of security on top of a username and password. When a user signs into an AWS website/account, if MFA is enabled, they will be prompted for their username and password following an authentication code from their AWS MFA device. For Level 2, it is recommended that the root account be protected with a hardware MFA.
Data Security
2.1 Ensure CMKs are Rotated Annually
Description:
Following cryptographic best practice, we recommend rotating CMKs annually. Enabling automatic key rotation through AWS KMS is the easiest way to ensure this standard is followed. Using the automatic key rotation feature, AWS KMS will automatically generate new cryptographic material for a CMK every year, plus it will save the old cryptographic material. If you prefer, manual key rotation is also available.
For more information, visit the AWS documentation on rotating customer master keys.
Data Security
2.3 Ensure Encryption is Enabled for S3 Buckets
Description:
To enhance the security of S3 buckets, you must ensure encryption is properly enabled. Amazon gives you the ability to set default encryption settings using SSE-S3 or SSE-KMS to automatically encrypt all objects that are stored within an S3 bucket.
For more information, visit the AWS documentation on enabling Amazon S3 default bucket encryption.
Data Security
2.4 Ensure Encryption is Enabled for EBS Volumes
Description:
To enhance the security of your EC2 instances, you must ensure that encryption is enabled for EBS volumes. AWS provides the Amazon EBS encryption feature, which uses KSM to encrypt EBS volumes. Amazon EBS encryption is supported by all volume types.
For more information, visit the AWS documentation on EBS encryption.
Data Security
2.5 Ensure Encryption is Enabled for DB Instances
Description:
To enhance the security of Amazon RDS and data at rest or in underlying storage, you must ensure that encryption is enabled for DB instances. Amazon RDS can encrypt DB instances using the industry standard AES-256 encryption algorithm to encrypt data on the server that hosts DB instances.
For more information, visit the AWS documentation on encrypting Amazon RDS resources.
Data Security
2.6 Ensure All Load Balancers that Accept HTTPS Traffic Require TLS 1.2
Description:
To enhance the security of your Application Load Balancers (ALBs) and Network Load Balancers (NLBs), you must ensure that all load balancers that accept HTTPS traffic require, at a minimum, TLS 1.2. Older versions of TLS or legacy SSL protocols are known to have fatal security flaws and do not provide protection for data in transit.
For more information, visit the AWS documentation on creating HTTPS listeners for ALBs.
Data Security
2.7 Ensure Versioning is Enabled for S3 Buckets
Description:
To support your backup and recovery processes, we recommend enabling versioning in S3. S3 versioning provides a way to keep your objects accurate, up to date, and protected. You can enable bucket versioning on both new buckets and buckets that already exist, and this keeps multiple versions of an object within a bucket.
For more information, visit the AWS documentation on enabling versioning on S3 buckets.
Data Security
2.8 Ensure S3 Buckets are Not Publicly Available
Description:
A foundation to S3 security is to ensure S3 buckets are not publicly available. Using the Block Public Access feature, you can manage access to buckets, accounts, and access points. By default, new buckets, access points, and objects do not allow public access.
For more information, visit the AWS documentation on configuring Block Public Access settings for S3 buckets.
Data Security
2.9 Ensure RDS and DB Instances are Not Publicly Accessible
Description:
To enhance the security of AWS RDS and DB instances, they should not be publicly accessible. Restricting unauthorized access will minimize the risk of compromise to your DB instances.
Data Security
2.10 Ensure CloudTrail Logs are Encrypted at Rest Using KMS CMKs
Description:
Recommendation 2.7 of the CIS AWS Foundations Benchmark is to ensure CloudTrail logs are encrypted at rest using KMS CMKs . The CIS explains that CloudTrail records AWS API calls for your account and delivers log files to you. AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data, and uses Hardware Security Modules (HSMs) to protect the security of encryption keys. CloudTrail logs can be configured to leverage server side encryption (SSE) and KMS customer created master keys (CMK) to further protect CloudTrail logs. It is recommended that CloudTrail be configured to use
SSE-KMS.
SSE-KMS.
Vulnerability Management
3.1 Ensure EC2 Instances are Managed by Systems Manager
Description:
To strengthen your security posture, we recommend configuring EC2 instances as managed instances under AWS Systems Manager. AWS Config can use the ec2-instance-managed-by-systems-manager rule to check whether the EC2 instances in your account are managed by Systems Manager.
For more information, visit the AWS documentation on AWS Systems Manager managed instances.
Vulnerability Management
3.3 Ensure a VPC Endpoint is Used to Access Systems Manager
Description:
AWS explains that you can improve the security posture of your managed instances by configuring AWS Systems Manager to use an interface VPC endpoint. An interface VPC endpoint enables you to connect to services powered by AWS PrivateLink, a technology that enables you to privately access Amazon EC2 and Systems Manager APIs by using private IP addresses. This means that your managed instances don't have access to the Internet.
For more information, visit the AWS documentation on creating VCP endpoints.
Vulnerability Management
3.4 Ensure All EC2 Instances Managed by Systems Manager are Compliant with Patch Baseline
Description:
Patch management is an integral component of vulnerability management. To ensure your EC2 instances are compliant with patching standards, you must use AWS Systems Manager to apply patch baselines to instances. To associate a specific patch baseline with your instances, you will add EC2 instances to a patch group, then adding a patch group to a patch baseline.
For more information, visit the AWS documentation on creating a patch grou
Network Monitoring
4.1 Ensure Insecure Ports are Not In Use
Description:
It is best practice not to use insecure ports and protocols such as FTP, Telnet, and SNMP. Using insecure ports and protocols makes it possible for your traffic to be sent unencrypted over the Internet. To ensure protection, you can utilize the inbound rules for security groups. Security groups act as a firewall in your AWS environment and their inbound rules will show you areas of vulnerability in terms of insecure ports and protocols.
For more information, visit the AWS documentation on security group rules.
Network Monitoring
4.2 Ensure EC2 Instances are Not Directly Connected to the Internet
Description:
To build a strong perimeter, you must ensure that EC2 instances are not directly connected to the Internet. You can deploy EC2 instances in two ways: on an internal network or assigning them a public IP address. For security purposes, you want to ensure that when possible, your EC2 instances live on an internal network and you do not allow direct Internet access to them.
For more information, visit the AWS documentation on networking in Amazon EC2.
Network Monitoring
4.3 Ensure Security Groups Do Not Allow Ingress from 0.0.0.0/0 or ::/0 to Port 3389
Description:
Recommendation 4.2 of the CIS AWS Foundations Benchmark is to ensure that security groups do not allow ingress from 0.0.0.0/0 or ::/0 to port 3389. The CIS explains how security groups provide stateful filtering of ingress/egress network traffic to AWS resources. By removing unfettered connectivity to remote console services, such as RDP, this reduces a server's exposure to risk.
For more information, visit the AWS documentation on security group rules for different use cases.
Network Monitoring
4.4 Ensure All Outbound Traffic is Routed Through a NAT Gateway
Description:
Just because you create a NAT gateway does not mean that EC2 instances have the ability to run outbound traffic through the Internet. You need to define a route that allows EC2 instances on a private subnet to talk to NAT gateways and then go out to the Internet. This is where route tables comes into play. AWS defines a route table as a set of rules (called routes) that are used to determine where network traffic from your subnet or gateway is directed. When you save your route, you’ve created a route for instances in that Availability Zone to be able to route outbound traffic to the Internet.
Network Monitoring
4.5 Ensure Security Groups Do Not Allow Ingress from 0.0.0.0/0 or ::/0 to Port 22
Description:
Recommendation 4.1 of the CIS AWS Foundations Benchmark is to ensure that security groups do not allow ingress from 0.0.0.0/0 or ::/0 to port 22. The CIS explains how security groups provide stateful filtering of ingress/egress network traffic to AWS resources. By removing unfettered connectivity to remote console services, such as SSH, this reduces a server's exposure to risk.
For more information, visit the AWS documentation on security group rules for different use cases.
Network Monitoring
4.6 Ensure RDS Instances are Only Accessible by Internal IPs
Description:
It is a security best practice to ensure that the Amazon Relational Database Service (Amazon RDS) instances are not publicly accessible. This could lead to potential data loss as you are giving direct access to your database when it is exposed to the internet.
Network Monitoring
4.7 Ensure that No More than 1 Host Per Account is Allowed External Access to Port 22
Description:
To enhance your security perimeter, you must ensure that you do not have multiple hosts with external access to administrative ports, like port 22, and that you implement the principle of least privilege around administrative ports. You can use Session Manager feature in AWS Systems Manager or bastion hosts to ensure that no more than 1 host per account is allowed external access to port 22.
Network Monitoring
4.8 Ensure Backups are Enabled for RDS
Description:
For business continuity and disaster recovery purposes, it’s extremely important to have the maintenance and backup settings in your Amazon RDS correctly configured. If configured properly, your RDS can easily manage your backups, patching, failure detection, and more.
For more information, visit the AWS documentation on working with RDS backups.
Network Monitoring
4.9 Ensure Security Groups Do Not Allow Ingress from 0.0.0.0/0 or ::/0 to All Ports
Description:
If your security groups allow unrestricted traffic (0.0.0.0/0 or ::/0) to all ports, this invalidates everything the security groups are working to accomplish as a virtual firewall. You must ensure that your security groups do not allow unrestricted traffic to all ports.
Network Monitoring
4.10 Ensure Default VPC Security Groups Restrict Traffic
Description:
Recommendation 4.3 of the CIS AWS Foundations Benchmark is to ensure that the default security group of every VPC restricts all traffic. This CIS explains that a VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Configuring all VPC default security groups to restrict all traffic will encourage least privilege security group development and mindful placement of AWS resources into security groups which will in-turn reduce the exposure of those resources.
For more information, visit the AWS documentation on default security groups.
Network Monitoring
4.11 Ensure WAF Rules are Logged
Description:
Best practice for AWS WAF rules is to maintain logging in order to gain details about the traffic that is analyzed by your web ACLs. AWS explains that the information contained in the logs includes the time that AWS WAF received the request from your AWS resource, detailed information about the request, and the action for the rule that each request matched. You send logs from your web ACL to an Amazon Kinesis Data Firehose with a configured storage destination. After you enable logging, AWS WAF delivers logs to your storage destination through the HTTPS endpoint of Kinesis Data Firehose.
For more information, visit the AWS documentation on logging web ACL traffic information.
Network Monitoring
4.12 Ensure Internet-Facing ALBs Have WAF ACLs Attached
Description:
Internet-facing ALBs need to have WAF ACLs attached. WAF, as part of your security posture, will sit in front of your ALBs and provide a web ACL to block malicious traffic on the load balancer side. To implement this best practice, you must understand which load balancers are attached to the WAF through we ACLs.
For more information, visit the AWS documentation on associating web ACLs with an AWS resources.
Network Monitoring
4.13 Ensure Security Groups Do Not Allow Ingress from 0.0.0.0/0 or ::/0 to Oracle Ports 1521 and 2483
Description:
It is best practice to ensure that security groups do not allow ingress from 0.0.0.0/0 or ::/0 to Oracle ports 1521 and 2483. These are common ports that should not have unrestricted connectivity to your environment. By restricting access through the inbound rules for security groups, you will reduce risk exposure.
For more information, visit the AWS documentation on security group rules for different use cases.
Network Monitoring
4.15 Ensure Security Groups Do Not Allow Ingress from 0.0.0.0/0 or ::/0 to MySQL Port 3306
Description:
It is best practice to ensure that security groups do not allow ingress from 0.0.0.0/0 or ::/0 to MySQL port 3306. This is a common port that should not have unrestricted connectivity to your environment. By restricting access through the inbound rules for security groups, you will reduce risk exposure.
For more information, visit the AWS documentation on security group rules for different use cases.
Network Monitoring
4.16 Ensure Security Groups Do Not Allow Ingress from 0.0.0.0/0 or ::/0 to PostgreSQL Port 5432
Description:
It is best practice to ensure that security groups do not allow ingress from 0.0.0.0/0 or ::/0 to PostgreSQL port 5432. This is a common port that should not have unrestricted connectivity to your environment. By restricting access through the inbound rules for security groups, you will reduce risk exposure.
For more information, visit the AWS documentation on security group rules for different use cases.
Network Monitoring
4.17 Ensure Security Groups Do Not Allow Ingress from 0.0.0.0/0 or ::/0 to Redis Port 6379
Description:
It is best practice to ensure that security groups do not allow ingress from 0.0.0.0/0 or ::/0 to Redis port 6379. This is a common port that should not have unrestricted connectivity to your environment. By restricting access through the inbound rules for security groups, you will reduce risk exposure.
For more information, visit the AWS documentation on security group rules for different use cases.
Network Monitoring
4.18 Ensure Security Groups Do Not Allow Ingress from 0.0.0.0/0 or ::/0 to MongoDB Ports 27017 and 27018
Description:
It is best practice to ensure that security groups do not allow ingress from 0.0.0.0/0 or ::/0 to MongoDB ports 27017 and 27018. These are common ports that should not have unrestricted connectivity to your environment. By restricting access through the inbound rules for security groups, you will reduce risk exposure.
For more information, visit the AWS documentation on security group rules for different use cases.
Network Monitoring
4.20 Ensure Security Groups Do Not Allow Ingress from 0.0.0.0/0 or ::/0 to Cassandra Ports 7199, 8888, and 9160
Description:
It is best practice to ensure that security groups do not allow ingress from 0.0.0.0/0 or ::/0 to Cassandra ports 7199, 8888, and 9160. These are common ports that should not have unrestricted connectivity to your environment. By restricting access through the inbound rules for security groups, you will reduce risk exposure.
For more information, visit the AWS documentation on security group rules for different use cases.
Network Monitoring
4.23 Ensure Security Groups Do Not Allow Ingress from 0.0.0.0/0 or ::/0 to Memcached Port 11211
Description:
It is best practice to ensure that security groups do not allow ingress from 0.0.0.0/0 or ::/0 to Memcached port 11211. This is a common port that should not have unrestricted connectivity to your environment. By restricting access through the inbound rules for security groups, you will reduce risk exposure.
For more information, visit the AWS documentation on security group rules for different use cases.
Network Monitoring
4.24 Ensure Security Groups Do Not Allow Ingress from 0.0.0.0/0 or ::/0 to Microsoft SQL Server Port 1433
Description:
It is best practice to ensure that security groups do not allow ingress from 0.0.0.0/0 or ::/0 to Microsoft SQL Server port 1433. This is a common port that should not have unrestricted connectivity to your environment. By restricting access through the inbound rules for security groups, you will reduce risk exposure.
For more information, visit the AWS documentation on security group rules for different use cases.
Network Monitoring
4.25 Ensure API Gateways Have WAF ACLs Attached
Description:
By using AWS WAF in combination with web ACLs, you can control control how a variety of services (including API Gateways) respond to web requests, as well as inspect web requests to see if they match your criteria. The Amazon API Gateway service is used to create, publish, maintain, monitoring, and secure REST, HTTP, and WebSocket APIs.
For more information, visit the AWS documentation on Amazon API Gateway.
Incident Response
5.1 Ensure CloudTrail is Enabled in All Regions
Description:
Recommendation 2.1 of the CIS AWS Foundations Benchmark is to ensure CloudTrail is enabled in all regions. The CIS explains that CloudTrail records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an account, including API calls made via the Management Console, SDKs, command line tools, and higher-level AWS services. The AWS API call history produced by CloudTrail enables security analysis, resource change tracking, and compliance auditing.
For more information, visit the AWS documentation on best practices in CloudTrail.
Incident Response
5.2 Ensure CloudTrail Log File Integrity Validation is Enabled
Description:
Recommendation 2.2 of the CIS AWS Foundations Benchmark states that enabling log file validation will provide additional integrity checking of CloudTrail logs. CloudTrail log file validation creates a digitally signed digest file containing a hash of each log that CloudTrail writes to S3. These digest files can be used to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log.
For more information, visit the AWS documentation on validating CloudTrail log file integrity.
Incident Response
5.3 Ensure the S3 Bucket Used to Store CloudTrail Logs is Not Publicly Accessible
Description:
Recommendation 2.3 of the CIS AWS Foundations Benchmark states that, by using bucket policies or ACLs, S3 buckets used to store CloudTrail logs should prevent public access. Allowing public access to CloudTrail log content may aid an adversary in identifying weaknesses in the affected account's use or configuration.
For more information, visit the AWS documentation on S3 bucket policies for CloudTrail.
Incident Response
5.4 Ensure CloudTrail is Integrated with CloudWatch
Description:
Recommendation 2.4 of the CIS AWS Foundations Benchmark states that CloudTrail logs need to be integrated with CloudWatch logs. Sending CloudTrail logs to CloudWatch Logs will facilitate real-time and historic activity logging based on user, API, resource, and IP address, and provides opportunity to establish alarms and notifications for anomalous or sensitivity account activity.
For more information, visit the AWS documentation on monitoring CloudTrail log files with CloudWatch logs.
Incident Response
5.5 Ensure AWS Config is Enabled in All Regions
Description:
Recommendation 2.5 of the CIS AWS Foundations Benchmark is to ensure AWS Config is enabled in all regions. The CIS explains that AWS Config performs configuration management of supported AWS resources within your account and delivers log files to you. The recorded information includes the configuration item, relationships between configuration items, and any configuration changes between resources. The AWS configuration item history captured by AWS Config enables security analysis, resource change tracking, and compliance auditing.
For more information, visit the AWS documentation on best practices for AWS Config.
Incident Response
5.6 Ensure Logging is Enabled for Access to CloudTrail S3 Bucket
Description:
Recommendation 2.6 of the CIS AWS Foundations Benchmark is to ensure CloudTrail S3 bucket logging is enabled, which generates a log that contains access records for each request made to your S3 bucket. An access log record contains details about the request, such as the request type, the resources specified in the request worked, and the time and date the request was processed. By enabling S3 bucket logging on target S3 buckets, it is possible to capture all events which may affect objects within a target bucket. Configuring logs to be placed in a separate bucket allows access to log information which can be useful in security and incident response workflows.
For more information, visit the AWS documentation on enabling S3 server access logging.
Incident Response
5.7 Ensure VPC Flow Logs are Enabled in All VPCs
Description:
Recommendation 2.9 of the CIS AWS Foundations Benchmark states that in order to capture information about the IP traffic going to and from network interfaces in your VPC, you must enable VPC flow logging in all VPCs. VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.
For more information, visit the AWS documentation on VPC flow logs.
Logical Access
1.1 Avoid Use of the Root Account
Description:
Recommendation 1.1 of the CIS AWS Foundations Benchmark states that because the root account has unrestricted access to all resources in the AWS account, use of this account should be avoided. The root account is the most privileged AWS account. Minimizing the use of this account and adopting the principle of least privilege for access management will reduce the risk of accidental changes and unintended disclosure of highly privileged credentials.
For more information, visit the AWS documentation on AWS root accounts.
Logical Access
1.2 Ensure MFA is Enabled for All IAM Users
Description:
Recommendation 1.2 of the CIS AWS Foundations Benchmark states that because MFA adds an extra layer of protection on top of a user name and password, MFA needs to be enabled for all IAM users with a console password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. Enabling MFA provides increased security for console access as it requires the authenticating principal to possess a device that emits a time-sensitive key and have knowledge of a credential.
Logical Access
1.3 Ensure Credentials Unused for 90+ Days are Disabled
Description:
Recommendation 1.3 of the CIS AWS Foundations Benchmark states that all credentials that have been unused in 90 or greater days should be removed or deactivated. Disabling or removing unnecessary credentials will reduce the window of opportunity for credentials associated with a compromised or abandoned account to be used.
Logical Access
1.4 Ensure IAM Password Policies Require At Least 1 Lowercase Letter, 1 Uppercase Letter, 1 Number, 1 Symbol, and is At Least 10 Characters Long
Description:
The CIS AWS Foundations Benchmark explains that password policies need to enforce password complexity requirements in order to increase account resiliency against brute force login attempts. Industry best practice is to ensure that IAM password policies require at least one lowercase letter, one uppercase letter, one number, one symbol, and a minimum length of 10 characters.
Logical Access
1.5 Ensure IAM Password Policies Prevent Password Reuse for the Last 24 Passwords
Description:
Industry best practices is to ensure that IAM password policies prevent password reuse for the last 24 passwords. The CIS AWS Foundations Benchmark explains that password policies need to prevent password reuse in order to increase account resiliency against brute force login attempts.
Logical Access
1.6 Ensure IAM Policies are Attached Only to Groups or Roles
Description:
Recommendation 1.16 of the CIS AWS Foundations Benchmark states that by default, IAM users, groups, and roles have no access to AWS resources. IAM policies are how privileges are granted to users, groups, or roles. To that end, IAM policies should only be attached to groups or roles – not users. Assigning privileges at the group or role level reduces the complexity of access management as the number of users grow. Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.
Logical Access
1.7 Ensure IAM Instance Roles are Used for AWS Resource Access
Description:
Recommendation 1.19 of the CIS AWS Foundations Benchmark states that by ensuring IAM instance roles are used for AWS resource access, you reduce the risks associated with sharing and rotating credentials that can be used outside of AWS itself. If credentials are compromised, they can be used from outside of the AWS account they give access to. In contrast, in order to leverage role permissions an attacker would need to gain and maintain access to a specific instance to use the privileges associated with it. Additionally, if credentials are encoded into compiled applications or other hard to change mechanisms, then they are even more unlikely to be properly rotated due to service disruption risks. As time goes on, credentials that cannot be rotated are more likely to be known by an increasing number of individuals who no longer work for the organization owning the credentials.
Logical Access
1.8 Ensure IAM Policies that Allow Full "*:*" Administrative Privileges are Not Created
Description:
Following the industry standard of least privilege, recommendation 1.22 of the CIS AWS Foundations Benchmark states that IAM policies that allow full administrative privileges should not be created. The CIS recommends to first determine what users need to do, and then craft policies for them that let the users perform only those tasks, instead of allowing full administrative privileges. It's more secure to start with a minimum set of permissions and grant additional permissions as necessary, rather than starting with permissions that are too lenient and then trying to tighten them later. Specifically, IAM policies that have a statement with "Effect": "Allow" with "Action": "*" over "Resource": "*" should be removed.
Logical Access
1.9 Ensure S3 IAM Policies Do Not Grant Access to All Buckets
Description:
S3 bucket policies and user policies are what determine the permissions and access to S3. S3 bucket policies are attached at the bucket level and apply to all objects within that bucket. Our recommendation is to ensure that S3 bucket policies do no grant access to all buckets.
Logical Access
1.10 Ensure an Organization Has Been Created Within AWS to House Accounts
Description:
To securely create a multi-account AWS environment, we recommend housing AWS accounts within an organization. The AWS Organizations feature provides centralized account management and governance. It allows you to group multiple accounts into an organizational units (OUs) and, in turn, apply policies to OUs instead of directly to accounts. This type of consolidation becomes extremely valuable as you scale your AWS resources and architecture.
For more information, visit the AWS documentation for AWS Organizations best practices.
Logical Access
1.12 Ensure Access to EBS Snapshots is Restricted
Description:
AWS does allow you to make your EBS snapshots public, but we recommend restricting access to EBS snapshots by making them private, unless you have a specific business need that requires this. These point-in-time snapshots are crucial to your data backup and recovery processes; you don’t want to risk public access or permissions misconfigurations here.
For more information, visit the AWS documentation on EBS snapshots.
Logical Access
1.13 Ensure IAM Password Policy Expires Password Within 90 Days or Less
Description:
Recommendation 1.11 of the CIS AWS Foundations Benchmark states that IAM password policies can require passwords to be rotated or expired after given a specified number of days. It’s recommended that password policy expire passwords after 90 days or fewer. Decreasing the password lifetime increases account resiliency against brute force login attempts. Additionally, requiring regular password changes helps scenarios like stolen passwords, redundant use of passwords across accounts, and compromised end users.
Logical Access
1.14 Ensure No Root Account Access Key Exists
Description:
Recommendation 1.12 of the CIS AWS Foundations Benchmark recommends that all access keys associated with the root account be removed. The root account is the most privileged user in the AWS account, and Access Keys provide programmatic access to a given account. That said, if the account is compromised, by removing the access keys associated with the root account, it limits vectors by which the attackers can act on. Additionally, by removing the root access keys, it encourages the creation and use of role based accounts that are least privileged.
Logical Access
1.16 Ensure MFA is Enabled for the "root" Account
Description:
Recommendation 1.13 of the CIS AWS Foundations Benchmark states that the root account is the most privileged user in an AWS Account. MFA adds an additional layer of security on top of a username and password. When a user signs into an AWS website/account, if MFA is enabled, they will be prompted for their username and password following an authentication code from their AWS MFA device.
Note: When virtual MFA is used for root accounts, make sure NOT to use a personal device, but rather a dedicated mobile device (tablet/phone) that is securely independent from any other devices.
Logical Access
1.17 Ensure Hardware MFA is Enabled for the "root" Account
Description:
Recommendation 1.14 of the CIS AWS Foundations Benchmark states that the root account is the most privileged user in an AWS Account. MFA adds an additional layer of security on top of a username and password. When a user signs into an AWS website/account, if MFA is enabled, they will be prompted for their username and password following an authentication code from their AWS MFA device. For Level 2, it is recommended that the root account be protected with a hardware MFA.
Management Control
1.11 Ensure Users with Access Keys Enabled Require MFA for API Calls
Description:
Using IAM policies with MFA conditions, you can ensure that MFA is required for users who are able to make API calls. This will add an additional layer of protection and accountability before a user is allowed to perform sensitive API operations.
For more information, visit the AWS documentation on configuring MFA-protected API access.
Data Security
2.1 Ensure CMKs are Rotated Annually
Description:
Following cryptographic best practice, we recommend rotating CMKs annually. Enabling automatic key rotation through AWS KMS is the easiest way to ensure this standard is followed. Using the automatic key rotation feature, AWS KMS will automatically generate new cryptographic material for a CMK every year, plus it will save the old cryptographic material. If you prefer, manual key rotation is also available.
For more information, visit the AWS documentation on rotating customer master keys.
Data Security
2.3 Ensure Encryption is Enabled for S3 Buckets
Description:
To enhance the security of S3 buckets, you must ensure encryption is properly enabled. Amazon gives you the ability to set default encryption settings using SSE-S3 or SSE-KMS to automatically encrypt all objects that are stored within an S3 bucket.
For more information, visit the AWS documentation on enabling Amazon S3 default bucket encryption.
Data Security
2.4 Ensure Encryption is Enabled for EBS Volumes
Description:
To enhance the security of your EC2 instances, you must ensure that encryption is enabled for EBS volumes. AWS provides the Amazon EBS encryption feature, which uses KSM to encrypt EBS volumes. Amazon EBS encryption is supported by all volume types.
For more information, visit the AWS documentation on EBS encryption.
Data Security
2.5 Ensure Encryption is Enabled for DB Instances
Description:
To enhance the security of Amazon RDS and data at rest or in underlying storage, you must ensure that encryption is enabled for DB instances. Amazon RDS can encrypt DB instances using the industry standard AES-256 encryption algorithm to encrypt data on the server that hosts DB instances.
For more information, visit the AWS documentation on encrypting Amazon RDS resources.
Data Security
2.6 Ensure All Load Balancers that Accept HTTPS Traffic Require TLS 1.2
Description:
To enhance the security of your Application Load Balancers (ALBs) and Network Load Balancers (NLBs), you must ensure that all load balancers that accept HTTPS traffic require, at a minimum, TLS 1.2. Older versions of TLS or legacy SSL protocols are known to have fatal security flaws and do not provide protection for data in transit.
For more information, visit the AWS documentation on creating HTTPS listeners for ALBs.
Data Security
2.7 Ensure Versioning is Enabled for S3 Buckets
Description:
To support your backup and recovery processes, we recommend enabling versioning in S3. S3 versioning provides a way to keep your objects accurate, up to date, and protected. You can enable bucket versioning on both new buckets and buckets that already exist, and this keeps multiple versions of an object within a bucket.
For more information, visit the AWS documentation on enabling versioning on S3 buckets.
Data Security
2.8 Ensure S3 Buckets are Not Publicly Available
Description:
A foundation to S3 security is to ensure S3 buckets are not publicly available. Using the Block Public Access feature, you can manage access to buckets, accounts, and access points. By default, new buckets, access points, and objects do not allow public access.
For more information, visit the AWS documentation on configuring Block Public Access settings for S3 buckets.
Data Security
2.9 Ensure RDS and DB Instances are Not Publicly Accessible
Description:
To enhance the security of AWS RDS and DB instances, they should not be publicly accessible. Restricting unauthorized access will minimize the risk of compromise to your DB instances.
Data Security
2.10 Ensure CloudTrail Logs are Encrypted at Rest Using KMS CMKs
Description:
Recommendation 2.7 of the CIS AWS Foundations Benchmark is to ensure CloudTrail logs are encrypted at rest using KMS CMKs . The CIS explains that CloudTrail records AWS API calls for your account and delivers log files to you. AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data, and uses Hardware Security Modules (HSMs) to protect the security of encryption keys. CloudTrail logs can be configured to leverage server side encryption (SSE) and KMS customer created master keys (CMK) to further protect CloudTrail logs. It is recommended that CloudTrail be configured to use
SSE-KMS.
SSE-KMS.
Vulnerability Management
3.1 Ensure EC2 Instances are Managed by Systems Manager
Description:
To strengthen your security posture, we recommend configuring EC2 instances as managed instances under AWS Systems Manager. AWS Config can use the ec2-instance-managed-by-systems-manager rule to check whether the EC2 instances in your account are managed by Systems Manager.
For more information, visit the AWS documentation on AWS Systems Manager managed instances.
Vulnerability Management
3.3 Ensure a VPC Endpoint is Used to Access Systems Manager
Description:
AWS explains that you can improve the security posture of your managed instances by configuring AWS Systems Manager to use an interface VPC endpoint. An interface VPC endpoint enables you to connect to services powered by AWS PrivateLink, a technology that enables you to privately access Amazon EC2 and Systems Manager APIs by using private IP addresses. This means that your managed instances don't have access to the Internet.
For more information, visit the AWS documentation on creating VCP endpoints.
Vulnerability Management
3.4 Ensure All EC2 Instances Managed by Systems Manager are Compliant with Patch Baseline
Description:
Patch management is an integral component of vulnerability management. To ensure your EC2 instances are compliant with patching standards, you must use AWS Systems Manager to apply patch baselines to instances. To associate a specific patch baseline with your instances, you will add EC2 instances to a patch group, then adding a patch group to a patch baseline.
For more information, visit the AWS documentation on creating a patch grou
Network Monitoring
4.1 Ensure Insecure Ports are Not In Use
Description:
It is best practice not to use insecure ports and protocols such as FTP, Telnet, and SNMP. Using insecure ports and protocols makes it possible for your traffic to be sent unencrypted over the Internet. To ensure protection, you can utilize the inbound rules for security groups. Security groups act as a firewall in your AWS environment and their inbound rules will show you areas of vulnerability in terms of insecure ports and protocols.
For more information, visit the AWS documentation on security group rules.
Network Monitoring
4.2 Ensure EC2 Instances are Not Directly Connected to the Internet
Description:
To build a strong perimeter, you must ensure that EC2 instances are not directly connected to the Internet. You can deploy EC2 instances in two ways: on an internal network or assigning them a public IP address. For security purposes, you want to ensure that when possible, your EC2 instances live on an internal network and you do not allow direct Internet access to them.
For more information, visit the AWS documentation on networking in Amazon EC2.
Network Monitoring
4.3 Ensure Security Groups Do Not Allow Ingress from 0.0.0.0/0 or ::/0 to Port 3389
Description:
Recommendation 4.2 of the CIS AWS Foundations Benchmark is to ensure that security groups do not allow ingress from 0.0.0.0/0 or ::/0 to port 3389. The CIS explains how security groups provide stateful filtering of ingress/egress network traffic to AWS resources. By removing unfettered connectivity to remote console services, such as RDP, this reduces a server's exposure to risk.
For more information, visit the AWS documentation on security group rules for different use cases.
Network Monitoring
4.4 Ensure All Outbound Traffic is Routed Through a NAT Gateway
Description:
Just because you create a NAT gateway does not mean that EC2 instances have the ability to run outbound traffic through the Internet. You need to define a route that allows EC2 instances on a private subnet to talk to NAT gateways and then go out to the Internet. This is where route tables comes into play. AWS defines a route table as a set of rules (called routes) that are used to determine where network traffic from your subnet or gateway is directed. When you save your route, you’ve created a route for instances in that Availability Zone to be able to route outbound traffic to the Internet.
Network Monitoring
4.5 Ensure Security Groups Do Not Allow Ingress from 0.0.0.0/0 or ::/0 to Port 22
Description:
Recommendation 4.1 of the CIS AWS Foundations Benchmark is to ensure that security groups do not allow ingress from 0.0.0.0/0 or ::/0 to port 22. The CIS explains how security groups provide stateful filtering of ingress/egress network traffic to AWS resources. By removing unfettered connectivity to remote console services, such as SSH, this reduces a server's exposure to risk.
For more information, visit the AWS documentation on security group rules for different use cases.
Network Monitoring
4.6 Ensure RDS Instances are Only Accessible by Internal IPs
Description:
It is a security best practice to ensure that the Amazon Relational Database Service (Amazon RDS) instances are not publicly accessible. This could lead to potential data loss as you are giving direct access to your database when it is exposed to the internet.
Network Monitoring
4.7 Ensure that No More than 1 Host Per Account is Allowed External Access to Port 22
Description:
To enhance your security perimeter, you must ensure that you do not have multiple hosts with external access to administrative ports, like port 22, and that you implement the principle of least privilege around administrative ports. You can use Session Manager feature in AWS Systems Manager or bastion hosts to ensure that no more than 1 host per account is allowed external access to port 22.
Network Monitoring
4.8 Ensure Backups are Enabled for RDS
Description:
For business continuity and disaster recovery purposes, it’s extremely important to have the maintenance and backup settings in your Amazon RDS correctly configured. If configured properly, your RDS can easily manage your backups, patching, failure detection, and more.
For more information, visit the AWS documentation on working with RDS backups.
Network Monitoring
4.9 Ensure Security Groups Do Not Allow Ingress from 0.0.0.0/0 or ::/0 to All Ports
Description:
If your security groups allow unrestricted traffic (0.0.0.0/0 or ::/0) to all ports, this invalidates everything the security groups are working to accomplish as a virtual firewall. You must ensure that your security groups do not allow unrestricted traffic to all ports.
Network Monitoring
4.10 Ensure Default VPC Security Groups Restrict Traffic
Description:
Recommendation 4.3 of the CIS AWS Foundations Benchmark is to ensure that the default security group of every VPC restricts all traffic. This CIS explains that a VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Configuring all VPC default security groups to restrict all traffic will encourage least privilege security group development and mindful placement of AWS resources into security groups which will in-turn reduce the exposure of those resources.
For more information, visit the AWS documentation on default security groups.
Network Monitoring
4.11 Ensure WAF Rules are Logged
Description:
Best practice for AWS WAF rules is to maintain logging in order to gain details about the traffic that is analyzed by your web ACLs. AWS explains that the information contained in the logs includes the time that AWS WAF received the request from your AWS resource, detailed information about the request, and the action for the rule that each request matched. You send logs from your web ACL to an Amazon Kinesis Data Firehose with a configured storage destination. After you enable logging, AWS WAF delivers logs to your storage destination through the HTTPS endpoint of Kinesis Data Firehose.
For more information, visit the AWS documentation on logging web ACL traffic information.
Network Monitoring
4.12 Ensure Internet-Facing ALBs Have WAF ACLs Attached
Description:
Internet-facing ALBs need to have WAF ACLs attached. WAF, as part of your security posture, will sit in front of your ALBs and provide a web ACL to block malicious traffic on the load balancer side. To implement this best practice, you must understand which load balancers are attached to the WAF through we ACLs.
For more information, visit the AWS documentation on associating web ACLs with an AWS resources.
Network Monitoring
4.13 Ensure Security Groups Do Not Allow Ingress from 0.0.0.0/0 or ::/0 to Oracle Ports 1521 and 2483
Description:
It is best practice to ensure that security groups do not allow ingress from 0.0.0.0/0 or ::/0 to Oracle ports 1521 and 2483. These are common ports that should not have unrestricted connectivity to your environment. By restricting access through the inbound rules for security groups, you will reduce risk exposure.
For more information, visit the AWS documentation on security group rules for different use cases.
Network Monitoring
4.15 Ensure Security Groups Do Not Allow Ingress from 0.0.0.0/0 or ::/0 to MySQL Port 3306
Description:
It is best practice to ensure that security groups do not allow ingress from 0.0.0.0/0 or ::/0 to MySQL port 3306. This is a common port that should not have unrestricted connectivity to your environment. By restricting access through the inbound rules for security groups, you will reduce risk exposure.
For more information, visit the AWS documentation on security group rules for different use cases.
Network Monitoring
4.16 Ensure Security Groups Do Not Allow Ingress from 0.0.0.0/0 or ::/0 to PostgreSQL Port 5432
Description:
It is best practice to ensure that security groups do not allow ingress from 0.0.0.0/0 or ::/0 to PostgreSQL port 5432. This is a common port that should not have unrestricted connectivity to your environment. By restricting access through the inbound rules for security groups, you will reduce risk exposure.
For more information, visit the AWS documentation on security group rules for different use cases.
Network Monitoring
4.17 Ensure Security Groups Do Not Allow Ingress from 0.0.0.0/0 or ::/0 to Redis Port 6379
Description:
It is best practice to ensure that security groups do not allow ingress from 0.0.0.0/0 or ::/0 to Redis port 6379. This is a common port that should not have unrestricted connectivity to your environment. By restricting access through the inbound rules for security groups, you will reduce risk exposure.
For more information, visit the AWS documentation on security group rules for different use cases.
Network Monitoring
4.18 Ensure Security Groups Do Not Allow Ingress from 0.0.0.0/0 or ::/0 to MongoDB Ports 27017 and 27018
Description:
It is best practice to ensure that security groups do not allow ingress from 0.0.0.0/0 or ::/0 to MongoDB ports 27017 and 27018. These are common ports that should not have unrestricted connectivity to your environment. By restricting access through the inbound rules for security groups, you will reduce risk exposure.
For more information, visit the AWS documentation on security group rules for different use cases.
Network Monitoring
4.20 Ensure Security Groups Do Not Allow Ingress from 0.0.0.0/0 or ::/0 to Cassandra Ports 7199, 8888, and 9160
Description:
It is best practice to ensure that security groups do not allow ingress from 0.0.0.0/0 or ::/0 to Cassandra ports 7199, 8888, and 9160. These are common ports that should not have unrestricted connectivity to your environment. By restricting access through the inbound rules for security groups, you will reduce risk exposure.
For more information, visit the AWS documentation on security group rules for different use cases.
Network Monitoring
4.23 Ensure Security Groups Do Not Allow Ingress from 0.0.0.0/0 or ::/0 to Memcached Port 11211
Description:
It is best practice to ensure that security groups do not allow ingress from 0.0.0.0/0 or ::/0 to Memcached port 11211. This is a common port that should not have unrestricted connectivity to your environment. By restricting access through the inbound rules for security groups, you will reduce risk exposure.
For more information, visit the AWS documentation on security group rules for different use cases.
Network Monitoring
4.24 Ensure Security Groups Do Not Allow Ingress from 0.0.0.0/0 or ::/0 to Microsoft SQL Server Port 1433
Description:
It is best practice to ensure that security groups do not allow ingress from 0.0.0.0/0 or ::/0 to Microsoft SQL Server port 1433. This is a common port that should not have unrestricted connectivity to your environment. By restricting access through the inbound rules for security groups, you will reduce risk exposure.
For more information, visit the AWS documentation on security group rules for different use cases.
Network Monitoring
4.25 Ensure API Gateways Have WAF ACLs Attached
Description:
By using AWS WAF in combination with web ACLs, you can control control how a variety of services (including API Gateways) respond to web requests, as well as inspect web requests to see if they match your criteria. The Amazon API Gateway service is used to create, publish, maintain, monitoring, and secure REST, HTTP, and WebSocket APIs.
For more information, visit the AWS documentation on Amazon API Gateway.
Incident Response
5.1 Ensure CloudTrail is Enabled in All Regions
Description:
Recommendation 2.1 of the CIS AWS Foundations Benchmark is to ensure CloudTrail is enabled in all regions. The CIS explains that CloudTrail records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an account, including API calls made via the Management Console, SDKs, command line tools, and higher-level AWS services. The AWS API call history produced by CloudTrail enables security analysis, resource change tracking, and compliance auditing.
For more information, visit the AWS documentation on best practices in CloudTrail.
Incident Response
5.2 Ensure CloudTrail Log File Integrity Validation is Enabled
Description:
Recommendation 2.2 of the CIS AWS Foundations Benchmark states that enabling log file validation will provide additional integrity checking of CloudTrail logs. CloudTrail log file validation creates a digitally signed digest file containing a hash of each log that CloudTrail writes to S3. These digest files can be used to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log.
For more information, visit the AWS documentation on validating CloudTrail log file integrity.
Incident Response
5.3 Ensure the S3 Bucket Used to Store CloudTrail Logs is Not Publicly Accessible
Description:
Recommendation 2.3 of the CIS AWS Foundations Benchmark states that, by using bucket policies or ACLs, S3 buckets used to store CloudTrail logs should prevent public access. Allowing public access to CloudTrail log content may aid an adversary in identifying weaknesses in the affected account's use or configuration.
For more information, visit the AWS documentation on S3 bucket policies for CloudTrail.
Incident Response
5.4 Ensure CloudTrail is Integrated with CloudWatch
Description:
Recommendation 2.4 of the CIS AWS Foundations Benchmark states that CloudTrail logs need to be integrated with CloudWatch logs. Sending CloudTrail logs to CloudWatch Logs will facilitate real-time and historic activity logging based on user, API, resource, and IP address, and provides opportunity to establish alarms and notifications for anomalous or sensitivity account activity.
For more information, visit the AWS documentation on monitoring CloudTrail log files with CloudWatch logs.
Incident Response
5.5 Ensure AWS Config is Enabled in All Regions
Description:
Recommendation 2.5 of the CIS AWS Foundations Benchmark is to ensure AWS Config is enabled in all regions. The CIS explains that AWS Config performs configuration management of supported AWS resources within your account and delivers log files to you. The recorded information includes the configuration item, relationships between configuration items, and any configuration changes between resources. The AWS configuration item history captured by AWS Config enables security analysis, resource change tracking, and compliance auditing.
For more information, visit the AWS documentation on best practices for AWS Config.
Incident Response
5.6 Ensure Logging is Enabled for Access to CloudTrail S3 Bucket
Description:
Recommendation 2.6 of the CIS AWS Foundations Benchmark is to ensure CloudTrail S3 bucket logging is enabled, which generates a log that contains access records for each request made to your S3 bucket. An access log record contains details about the request, such as the request type, the resources specified in the request worked, and the time and date the request was processed. By enabling S3 bucket logging on target S3 buckets, it is possible to capture all events which may affect objects within a target bucket. Configuring logs to be placed in a separate bucket allows access to log information which can be useful in security and incident response workflows.
For more information, visit the AWS documentation on enabling S3 server access logging.
Incident Response
5.7 Ensure VPC Flow Logs are Enabled in All VPCs
Description:
Recommendation 2.9 of the CIS AWS Foundations Benchmark states that in order to capture information about the IP traffic going to and from network interfaces in your VPC, you must enable VPC flow logging in all VPCs. VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.
For more information, visit the AWS documentation on VPC flow logs.