Control: AWS > CIS v1

Primary Policies

The following policies can be used to configure this control:

• CIS v1 > Maximum Attestation Duration
• CIS v1
• CIS v1 > 1 Identity and Access Management > 1.01 Avoid the use of the "root" account (Scored)
• CIS v1 > 1 Identity and Access Management > 1.02 Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored)
• CIS v1 > 1 Identity and Access Management > 1.03 Ensure credentials unused for 90 days or greater are disabled (Scored)
• CIS v1 > 1 Identity and Access Management > 1.04 Ensure access keys are rotated every 90 days or less (Scored)
• CIS v1 > 1 Identity and Access Management > 1.05 Ensure IAM password policy requires at least one uppercase letter (Scored)
• CIS v1 > 1 Identity and Access Management > 1.06 Ensure IAM password policy require at least one lowercase letter (Scored)
• CIS v1 > 1 Identity and Access Management > 1.07 Ensure IAM password policy require at least one symbol (Scored)
• CIS v1 > 1 Identity and Access Management > 1.08 Ensure IAM password policy require at least one number (Scored)
• CIS v1 > 1 Identity and Access Management > 1.09 Ensure IAM password policy requires minimum length of 14 or greater (Scored)
• CIS v1 > 1 Identity and Access Management > 1.10 Ensure IAM password policy prevents password reuse (Scored)
• CIS v1 > 1 Identity and Access Management > 1.11 Ensure IAM password policy expires passwords within 90 days or less (Scored)
• CIS v1 > 1 Identity and Access Management > 1.12 Ensure no root account access key exists (Scored)
• CIS v1 > 1 Identity and Access Management > 1.13 Ensure MFA is enabled for the "root" account (Scored)
• CIS v1 > 1 Identity and Access Management > 1.14 Ensure hardware MFA is enabled for the "root" account (Scored)
• CIS v1 > 1 Identity and Access Management > 1.15 Ensure security questions are registered in the AWS account (Not Scored)
• CIS v1 > 1 Identity and Access Management > 1.15 Ensure security questions are registered in the AWS account (Not Scored) > Attestation
• CIS v1 > 1 Identity and Access Management > 1.16 Ensure IAM policies are attached only to groups or roles (Scored)
• CIS v1 > 1 Identity and Access Management > 1.17 Maintain current contact details (Not Scored)
• CIS v1 > 1 Identity and Access Management > 1.17 Maintain current contact details (Not Scored) > Attestation
• CIS v1 > 1 Identity and Access Management > 1.18 Ensure security contact information is registered (Not Scored)
• CIS v1 > 1 Identity and Access Management > 1.18 Ensure security contact information is registered (Not Scored) > Attestation
• CIS v1 > 1 Identity and Access Management > 1.19 Ensure IAM instance roles are used for AWS resource access from instances (Not Scored)
• CIS v1 > 1 Identity and Access Management > 1.19 Ensure IAM instance roles are used for AWS resource access from instances (Not Scored) > Attestation
• CIS v1 > 1 Identity and Access Management > 1.21 Do not setup access keys during initial user setup for all IAM users that have a console password (Not Scored)
• CIS v1 > 1 Identity and Access Management > 1.22 Ensure IAM policies that allow full "*:*"; administrative privileges are not created (Scored)
• CIS v1 > 2 Logging > 2.01 Ensure CloudTrail is enabled in all regions (Scored)
• CIS v1 > 2 Logging > 2.02 Ensure CloudTrail log file validation is enabled (Scored)
• CIS v1 > 2 Logging > 2.03 Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible (Scored)
• CIS v1 > 2 Logging > 2.04 Ensure CloudTrail trails are integrated with CloudWatch Logs (Scored)
• CIS v1 > 2 Logging > 2.05 Ensure AWS Config is enabled in all regions (Scored)
• CIS v1 > 2 Logging > 2.06 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket (Scored)
• CIS v1 > 2 Logging > 2.07 Ensure CloudTrail logs are encrypted at rest using KMS CMKs (Scored)
• CIS v1 > 2 Logging > 2.08 Ensure rotation for customer created CMKs is enabled (Scored)
• CIS v1 > 2 Logging > 2.09 Ensure VPC flow logging is enabled in all VPCs (Scored)
• CIS v1 > 3 Monitoring > 3.01 Ensure a log metric filter and alarm exist for unauthorized API calls (Scored)
• CIS v1 > 3 Monitoring > 3.02 Ensure a log metric filter and alarm exist for Management Console sign-in without MFA (Scored)
• CIS v1 > 3 Monitoring > 3.03 Ensure a log metric filter and alarm exist for usage of "root" account (Scored)
• CIS v1 > 3 Monitoring > 3.04 Ensure a log metric filter and alarm exist for IAM policy changes (Scored)
• CIS v1 > 3 Monitoring > 3.05 Ensure a log metric filter and alarm exist for CloudTrail configuration changes (Scored)
• CIS v1 > 3 Monitoring > 3.06 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (Scored)
• CIS v1 > 3 Monitoring > 3.07 Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs (Scored)
• CIS v1 > 3 Monitoring > 3.08 Ensure a log metric filter and alarm exist for S3 bucket policy changes (Scored)
• CIS v1 > 3 Monitoring > 3.09 Ensure a log metric filter and alarm exist for AWS Config configuration changes (Scored)
• CIS v1 > 3 Monitoring > 3.10 Ensure a log metric filter and alarm exist for security group changes (Scored)
• CIS v1 > 3 Monitoring > 3.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) (Scored)
• CIS v1 > 3 Monitoring > 3.12 Ensure a log metric filter and alarm exist for changes to network gateways (Scored)
• CIS v1 > 3 Monitoring > 3.13 Ensure a log metric filter and alarm exist for route table changes (Scored)
• CIS v1 > 3 Monitoring > 3.14 Ensure a log metric filter and alarm exist for VPC changes (Scored)
• CIS v1 > 4 Networking > 4.01 Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 (Scored)
• CIS v1 > 4 Networking > 4.02 Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 (Scored)
• CIS v1 > 4 Networking > 4.03 Ensure the default security group of every VPC restricts all traffic (Scored)
• CIS v1 > 4 Networking > 4.04 Ensure routing tables for VPC peering are "least access" (Not Scored)
• CIS v1 > 4 Networking > 4.04 Ensure routing tables for VPC peering are "least access" (Not Scored) > Attestation
• CIS v1 > 1 Identity and Access Management
• CIS v1 > 2 Logging
• CIS v1 > 3 Monitoring
• CIS v1 > 4 Networking

Category

• CIS

In Your Workspace

• Controls by Resource report
• Controls by Control Type report

Developers

Control Type URI

tmod:@turbot/aws-cisv1#/control/types/cis

Category URI

tmod:@turbot/cis#/control/categories/cis

GraphQL

query controlType(id: "tmod:@turbot/aws-cisv1#/control/types/cis") { … }

query controls(filter: "controlTypeId:'tmod:@turbot/aws-cisv1#/control/types/cis'") { … }

CLI

Get Controls

turbot graphql controls --filter "controlTypeId:tmod:@turbot/aws-cisv1#/control/types/cis"