Mod: aws-cisv1-4
The aws-cisv1-4 mod consists of 80 policies and 67 controls.
Recommended Version
Version
5.0.7
Released On
Nov 23, 2022
Depends On
aws ^5.0.0
turbot ^5.0.1
turbot-iam ^5.1.0
aws-iam ^5.1.0
cis ^5.0.0
aws-kms ^5.0.0
aws-sns ^5.0.0
aws-logs ^5.0.0
aws-cloudtrail ^5.0.0
aws-cloudwatch ^5.0.0
aws-config ^5.0.0
aws-ec2 ^5.0.0
aws-vpc-core ^5.0.0
aws-vpc-security ^5.0.0
aws-rds ^5.0.0
aws-s3 ^5.0.0
turbot ^5.0.1
turbot-iam ^5.1.0
aws-iam ^5.1.0
cis ^5.0.0
aws-kms ^5.0.0
aws-sns ^5.0.0
aws-logs ^5.0.0
aws-cloudtrail ^5.0.0
aws-cloudwatch ^5.0.0
aws-config ^5.0.0
aws-ec2 ^5.0.0
aws-vpc-core ^5.0.0
aws-vpc-security ^5.0.0
aws-rds ^5.0.0
aws-s3 ^5.0.0
Controls
- AWS > CIS v1.4
- AWS > CIS v1.4 > 1 - Identity and Access Management
- AWS > CIS v1.4 > 1 - Identity and Access Management > 1.01 - Maintain current contact details (Manual)
- AWS > CIS v1.4 > 1 - Identity and Access Management > 1.02 - Ensure security contact information is registered (Manual)
- AWS > CIS v1.4 > 1 - Identity and Access Management > 1.03 - Ensure security questions are registered in the AWS account (Manual)
- AWS > CIS v1.4 > 1 - Identity and Access Management > 1.04 - Ensure no 'root' user account access key exists (Automated)
- AWS > CIS v1.4 > 1 - Identity and Access Management > 1.05 - Ensure MFA is enabled for the 'root' user account (Automated)
- AWS > CIS v1.4 > 1 - Identity and Access Management > 1.06 - Ensure hardware MFA is enabled for the 'root' user account (Automated)
- AWS > CIS v1.4 > 1 - Identity and Access Management > 1.07 - Eliminate use of the 'root' user for administrative and daily tasks (Automated)
- AWS > CIS v1.4 > 1 - Identity and Access Management > 1.08 - Ensure IAM password policy requires minimum length of 14 or greater (Automated)
- AWS > CIS v1.4 > 1 - Identity and Access Management > 1.09 - Ensure IAM password policy prevents password reuse (Automated)
- AWS > CIS v1.4 > 1 - Identity and Access Management > 1.10 - Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Automated)
- AWS > CIS v1.4 > 1 - Identity and Access Management > 1.11 - Do not setup access keys during initial user setup for all IAM users that have a console password (Manual)
- AWS > CIS v1.4 > 1 - Identity and Access Management > 1.12 - Ensure credentials unused for 45 days or greater are disabled (Automated)
- AWS > CIS v1.4 > 1 - Identity and Access Management > 1.13 - Ensure there is only one active access key available for any single IAM user (Automated)
- AWS > CIS v1.4 > 1 - Identity and Access Management > 1.14 - Ensure access keys are rotated every 90 days or less (Automated)
- AWS > CIS v1.4 > 1 - Identity and Access Management > 1.15 - Ensure IAM Users Receive Permissions Only Through Groups (Automated)
- AWS > CIS v1.4 > 1 - Identity and Access Management > 1.16 - Ensure IAM policies that allow full "*:*" administrative privileges are not attached (Automated)
- AWS > CIS v1.4 > 1 - Identity and Access Management > 1.17 - Ensure a support role has been created to manage incidents with AWS Support (Automated)
- AWS > CIS v1.4 > 1 - Identity and Access Management > 1.18 - Ensure IAM instance roles are used for AWS resource access from instances (Manual)
- AWS > CIS v1.4 > 1 - Identity and Access Management > 1.19 - Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed (Automated)
- AWS > CIS v1.4 > 1 - Identity and Access Management > 1.20 - Ensure that IAM Access analyzer is enabled for all regions (Automated)
- AWS > CIS v1.4 > 1 - Identity and Access Management > 1.21 - Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments (Manual)
- AWS > CIS v1.4 > 2 - Storage
- AWS > CIS v1.4 > 2 - Storage > 2.01 - Simple Storage Service (S3)
- AWS > CIS v1.4 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.01 - Ensure all S3 buckets employ encryption-at-rest (Manual)
- AWS > CIS v1.4 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.02 - Ensure S3 Bucket Policy is set to deny HTTP requests (Manual)
- AWS > CIS v1.4 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.03 - Ensure MFA Delete is enable on S3 buckets (Automated)
- AWS > CIS v1.4 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.04 - Ensure all data in Amazon S3 has been discovered, classified and secured when required. (Manual)
- AWS > CIS v1.4 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.05 - Ensure that S3 Buckets are configured with 'Block public access (bucket settings)' (Automated)
- AWS > CIS v1.4 > 2 - Storage > 2.02 - Elastic Compute Cloud (EC2)
- AWS > CIS v1.4 > 2 - Storage > 2.02 - Elastic Compute Cloud (EC2) > 2.02.01 - Ensure EBS volume encryption is enabled (Manual)
- AWS > CIS v1.4 > 2 - Storage > 2.03 - Relational Database Service (RDS)
- AWS > CIS v1.4 > 2 - Storage > 2.03 - Relational Database Service (RDS) > 2.03.01 - Ensure that encryption is enabled for RDS Instances (Automated)
- AWS > CIS v1.4 > 3 - Logging
- AWS > CIS v1.4 > 3 - Logging > 3.01 - Ensure CloudTrail is enabled in all regions (Automated)
- AWS > CIS v1.4 > 3 - Logging > 3.02 - Ensure CloudTrail log file validation is enabled (Automated)
- AWS > CIS v1.4 > 3 - Logging > 3.03 - Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible (Automated)
- AWS > CIS v1.4 > 3 - Logging > 3.04 - Ensure CloudTrail trails are integrated with CloudWatch Logs (Automated)
- AWS > CIS v1.4 > 3 - Logging > 3.05 - Ensure AWS Config is enabled in all regions (Automated)
- AWS > CIS v1.4 > 3 - Logging > 3.06 - Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket (Automated)
- AWS > CIS v1.4 > 3 - Logging > 3.07 - Ensure CloudTrail logs are encrypted at rest using KMS CMKs (Automated)
- AWS > CIS v1.4 > 3 - Logging > 3.08 - Ensure rotation for customer created CMKs is enabled (Automated)
- AWS > CIS v1.4 > 3 - Logging > 3.09 - Ensure VPC flow logging is enabled in all VPCs (Automated)
- AWS > CIS v1.4 > 3 - Logging > 3.10 - Ensure that Object-level logging for write events is enabled for S3 bucket (Automated)
- AWS > CIS v1.4 > 3 - Logging > 3.11 - Ensure that Object-level logging for read events is enabled for S3 bucket (Automated)
- AWS > CIS v1.4 > 4 - Monitoring
- AWS > CIS v1.4 > 4 - Monitoring > 4.01 - Ensure a log metric filter and alarm exist for unauthorized API calls (Automated)
- AWS > CIS v1.4 > 4 - Monitoring > 4.02 - Ensure a log metric filter and alarm exist for Management Console sign-in without MFA (Automated)
- AWS > CIS v1.4 > 4 - Monitoring > 4.03 - Ensure a log metric filter and alarm exist for usage of 'root' account (Automated)
- AWS > CIS v1.4 > 4 - Monitoring > 4.04 - Ensure a log metric filter and alarm exist for IAM policy changes (Automated)
- AWS > CIS v1.4 > 4 - Monitoring > 4.05 - Ensure a log metric filter and alarm exist for CloudTrail configuration changes (Automated)
- AWS > CIS v1.4 > 4 - Monitoring > 4.06 - Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (Automated)
- AWS > CIS v1.4 > 4 - Monitoring > 4.07 - Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs (Automated)
- AWS > CIS v1.4 > 4 - Monitoring > 4.08 - Ensure a log metric filter and alarm exist for S3 bucket policy changes (Automated)
- AWS > CIS v1.4 > 4 - Monitoring > 4.09 - Ensure a log metric filter and alarm exist for AWS Config configuration changes (Automated)
- AWS > CIS v1.4 > 4 - Monitoring > 4.10 - Ensure a log metric filter and alarm exist for security group changes (Automated)
- AWS > CIS v1.4 > 4 - Monitoring > 4.11 - Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) (Automated)
- AWS > CIS v1.4 > 4 - Monitoring > 4.12 - Ensure a log metric filter and alarm exist for changes to network gateways (Automated)
- AWS > CIS v1.4 > 4 - Monitoring > 4.13 - Ensure a log metric filter and alarm exist for route table changes (Automated)
- AWS > CIS v1.4 > 4 - Monitoring > 4.14 - Ensure a log metric filter and alarm exist for VPC changes (Automated)
- AWS > CIS v1.4 > 4 - Monitoring > 4.15 - Ensure a log metric filter and alarm exists for AWS Organizations changes (Automated)
- AWS > CIS v1.4 > 5 - Networking
- AWS > CIS v1.4 > 5 - Networking > 5.01 - Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports (Automated)
- AWS > CIS v1.4 > 5 - Networking > 5.02 - Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports (Automated)
- AWS > CIS v1.4 > 5 - Networking > 5.03 - Ensure the default security group of every VPC restricts all traffic (Automated)
- AWS > CIS v1.4 > 5 - Networking > 5.04 - Ensure routing tables for VPC peering are 'least access' (Manual)
Policies
- AWS > CIS v1.4
- AWS > CIS v1.4 > 1 - Identity and Access Management
- AWS > CIS v1.4 > 1 - Identity and Access Management > 1.01 - Maintain current contact details (Manual)
- AWS > CIS v1.4 > 1 - Identity and Access Management > 1.01 - Maintain current contact details (Manual) > Attestation
- AWS > CIS v1.4 > 1 - Identity and Access Management > 1.02 - Ensure security contact information is registered (Manual)
- AWS > CIS v1.4 > 1 - Identity and Access Management > 1.02 - Ensure security contact information is registered (Manual) > Attestation
- AWS > CIS v1.4 > 1 - Identity and Access Management > 1.03 - Ensure security questions are registered in the AWS account (Manual)
- AWS > CIS v1.4 > 1 - Identity and Access Management > 1.03 - Ensure security questions are registered in the AWS account (Manual) > Attestation
- AWS > CIS v1.4 > 1 - Identity and Access Management > 1.04 - Ensure no 'root' user account access key exists (Automated)
- AWS > CIS v1.4 > 1 - Identity and Access Management > 1.05 - Ensure MFA is enabled for the 'root' user account (Automated)
- AWS > CIS v1.4 > 1 - Identity and Access Management > 1.06 - Ensure hardware MFA is enabled for the 'root' user account (Automated)
- AWS > CIS v1.4 > 1 - Identity and Access Management > 1.07 - Eliminate use of the 'root' user for administrative and daily tasks (Automated)
- AWS > CIS v1.4 > 1 - Identity and Access Management > 1.08 - Ensure IAM password policy requires minimum length of 14 or greater (Automated)
- AWS > CIS v1.4 > 1 - Identity and Access Management > 1.09 - Ensure IAM password policy prevents password reuse (Automated)
- AWS > CIS v1.4 > 1 - Identity and Access Management > 1.10 - Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Automated)
- AWS > CIS v1.4 > 1 - Identity and Access Management > 1.11 - Do not setup access keys during initial user setup for all IAM users that have a console password (Manual)
- AWS > CIS v1.4 > 1 - Identity and Access Management > 1.12 - Ensure credentials unused for 45 days or greater are disabled (Automated)
- AWS > CIS v1.4 > 1 - Identity and Access Management > 1.13 - Ensure there is only one active access key available for any single IAM user (Automated)
- AWS > CIS v1.4 > 1 - Identity and Access Management > 1.14 - Ensure access keys are rotated every 90 days or less (Automated)
- AWS > CIS v1.4 > 1 - Identity and Access Management > 1.15 - Ensure IAM Users Receive Permissions Only Through Groups (Automated)
- AWS > CIS v1.4 > 1 - Identity and Access Management > 1.16 - Ensure IAM policies that allow full "*:*" administrative privileges are not attached (Automated)
- AWS > CIS v1.4 > 1 - Identity and Access Management > 1.17 - Ensure a support role has been created to manage incidents with AWS Support (Automated)
- AWS > CIS v1.4 > 1 - Identity and Access Management > 1.18 - Ensure IAM instance roles are used for AWS resource access from instances (Manual)
- AWS > CIS v1.4 > 1 - Identity and Access Management > 1.18 - Ensure IAM instance roles are used for AWS resource access from instances (Manual) > Attestation
- AWS > CIS v1.4 > 1 - Identity and Access Management > 1.19 - Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed (Automated)
- AWS > CIS v1.4 > 1 - Identity and Access Management > 1.20 - Ensure that IAM Access analyzer is enabled for all regions (Automated)
- AWS > CIS v1.4 > 1 - Identity and Access Management > 1.21 - Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments (Manual)
- AWS > CIS v1.4 > 1 - Identity and Access Management > 1.21 - Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments (Manual) > Attestation
- AWS > CIS v1.4 > 1 - Identity and Access Management > Maximum Attestation Duration
- AWS > CIS v1.4 > 2 - Storage
- AWS > CIS v1.4 > 2 - Storage > 2.01 - Simple Storage Service (S3)
- AWS > CIS v1.4 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.01 - Ensure all S3 buckets employ encryption-at-rest (Manual)
- AWS > CIS v1.4 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.02 - Ensure S3 Bucket Policy is set to deny HTTP requests (Manual)
- AWS > CIS v1.4 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.03 - Ensure MFA Delete is enable on S3 buckets (Automated)
- AWS > CIS v1.4 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.04 - Ensure all data in Amazon S3 has been discovered, classified and secured when required. (Manual)
- AWS > CIS v1.4 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.04 - Ensure all data in Amazon S3 has been discovered, classified and secured when required. (Manual) > Attestation
- AWS > CIS v1.4 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.05 - Ensure that S3 Buckets are configured with 'Block public access (bucket settings)' (Automated)
- AWS > CIS v1.4 > 2 - Storage > 2.02 - Elastic Compute Cloud (EC2)
- AWS > CIS v1.4 > 2 - Storage > 2.02 - Elastic Compute Cloud (EC2) > 2.02.01 - Ensure EBS volume encryption is enabled (Manual)
- AWS > CIS v1.4 > 2 - Storage > 2.03 - Relational Database Service (RDS)
- AWS > CIS v1.4 > 2 - Storage > 2.03 - Relational Database Service (RDS) > 2.03.01 - Ensure that encryption is enabled for RDS Instances (Automated)
- AWS > CIS v1.4 > 2 - Storage > Maximum Attestation Duration
- AWS > CIS v1.4 > 3 - Logging
- AWS > CIS v1.4 > 3 - Logging > 3.01 - Ensure CloudTrail is enabled in all regions (Automated)
- AWS > CIS v1.4 > 3 - Logging > 3.02 - Ensure CloudTrail log file validation is enabled (Automated)
- AWS > CIS v1.4 > 3 - Logging > 3.03 - Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible (Automated)
- AWS > CIS v1.4 > 3 - Logging > 3.04 - Ensure CloudTrail trails are integrated with CloudWatch Logs (Automated)
- AWS > CIS v1.4 > 3 - Logging > 3.05 - Ensure AWS Config is enabled in all regions (Automated)
- AWS > CIS v1.4 > 3 - Logging > 3.06 - Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket (Automated)
- AWS > CIS v1.4 > 3 - Logging > 3.07 - Ensure CloudTrail logs are encrypted at rest using KMS CMKs (Automated)
- AWS > CIS v1.4 > 3 - Logging > 3.08 - Ensure rotation for customer created CMKs is enabled (Automated)
- AWS > CIS v1.4 > 3 - Logging > 3.09 - Ensure VPC flow logging is enabled in all VPCs (Automated)
- AWS > CIS v1.4 > 3 - Logging > 3.10 - Ensure that Object-level logging for write events is enabled for S3 bucket (Automated)
- AWS > CIS v1.4 > 3 - Logging > 3.11 - Ensure that Object-level logging for read events is enabled for S3 bucket (Automated)
- AWS > CIS v1.4 > 3 - Logging > Maximum Attestation Duration
- AWS > CIS v1.4 > 4 - Monitoring
- AWS > CIS v1.4 > 4 - Monitoring > 4.01 - Ensure a log metric filter and alarm exist for unauthorized API calls (Automated)
- AWS > CIS v1.4 > 4 - Monitoring > 4.02 - Ensure a log metric filter and alarm exist for Management Console sign-in without MFA (Automated)
- AWS > CIS v1.4 > 4 - Monitoring > 4.03 - Ensure a log metric filter and alarm exist for usage of 'root' account (Automated)
- AWS > CIS v1.4 > 4 - Monitoring > 4.04 - Ensure a log metric filter and alarm exist for IAM policy changes (Automated)
- AWS > CIS v1.4 > 4 - Monitoring > 4.05 - Ensure a log metric filter and alarm exist for CloudTrail configuration changes (Automated)
- AWS > CIS v1.4 > 4 - Monitoring > 4.06 - Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (Automated)
- AWS > CIS v1.4 > 4 - Monitoring > 4.07 - Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs (Automated)
- AWS > CIS v1.4 > 4 - Monitoring > 4.08 - Ensure a log metric filter and alarm exist for S3 bucket policy changes (Automated)
- AWS > CIS v1.4 > 4 - Monitoring > 4.09 - Ensure a log metric filter and alarm exist for AWS Config configuration changes (Automated)
- AWS > CIS v1.4 > 4 - Monitoring > 4.10 - Ensure a log metric filter and alarm exist for security group changes (Automated)
- AWS > CIS v1.4 > 4 - Monitoring > 4.11 - Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) (Automated)
- AWS > CIS v1.4 > 4 - Monitoring > 4.12 - Ensure a log metric filter and alarm exist for changes to network gateways (Automated)
- AWS > CIS v1.4 > 4 - Monitoring > 4.13 - Ensure a log metric filter and alarm exist for route table changes (Automated)
- AWS > CIS v1.4 > 4 - Monitoring > 4.14 - Ensure a log metric filter and alarm exist for VPC changes (Automated)
- AWS > CIS v1.4 > 4 - Monitoring > 4.15 - Ensure a log metric filter and alarm exists for AWS Organizations changes (Automated)
- AWS > CIS v1.4 > 4 - Monitoring > Maximum Attestation Duration
- AWS > CIS v1.4 > 5 - Networking
- AWS > CIS v1.4 > 5 - Networking > 5.01 - Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports (Automated)
- AWS > CIS v1.4 > 5 - Networking > 5.02 - Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports (Automated)
- AWS > CIS v1.4 > 5 - Networking > 5.03 - Ensure the default security group of every VPC restricts all traffic (Automated)
- AWS > CIS v1.4 > 5 - Networking > 5.04 - Ensure routing tables for VPC peering are 'least access' (Manual)
- AWS > CIS v1.4 > 5 - Networking > 5.04 - Ensure routing tables for VPC peering are 'least access' (Manual) > Attestation
- AWS > CIS v1.4 > 5 - Networking > Maximum Attestation Duration
- AWS > CIS v1.4 > Maximum Attestation Duration