Mod: aws-nist-800-53
The aws-nist-800-53 mod consists of 1 policy and 148 controls.
Recommended Version
Version: 5.1.0
Released On: Aug 21, 2023
Depends On
aws ^5.0.0
aws-acm ^5.0.0
aws-apigateway ^5.0.0
aws-cloudtrail ^5.0.0
aws-cloudwatch ^5.0.0
aws-codebuild ^5.0.0
aws-dms ^5.0.0
aws-dynamodb ^5.0.0
aws-ec2 ^5.0.0
aws-ecs ^5.0.0
aws-efs ^5.0.0
aws-elasticache ^5.0.0
aws-elasticsearch ^5.0.0
aws-emr ^5.0.0
aws-guardduty ^5.0.0
aws-iam ^5.0.0
aws-kms ^5.0.0
aws-lambda ^5.0.0
aws-logs ^5.0.0
aws-rds ^5.0.0
aws-redshift ^5.0.0
aws-s3 ^5.0.0
aws-sagemaker ^5.0.0
aws-secretsmanager ^5.0.0
aws-securityhub ^5.0.0
aws-sns ^5.0.0
aws-ssm ^5.0.0
aws-vpc-connect ^5.0.0
aws-vpc-core ^5.0.0
aws-vpc-internet ^5.0.0
aws-vpc-security ^5.0.0
aws-waf ^5.0.0
turbot ^5.37.0
turbot-iam ^5.1.0
Controls
- AWS > NIST 800-53
- AWS > NIST 800-53 > Account
- AWS > NIST 800-53 > Account > At least one multi-region AWS CloudTrail should be present in an account
- AWS > NIST 800-53 > ACM
- AWS > NIST 800-53 > ACM > ACM certificates should be set to expire within 30 days
- AWS > NIST 800-53 > API Gateway
- AWS > NIST 800-53 > API Gateway > API Gateway stage cache encryption at rest should be enabled
- AWS > NIST 800-53 > API Gateway > API Gateway stage logging should be enabled
- AWS > NIST 800-53 > API Gateway > API Gateway stage should be associated with WAF
- AWS > NIST 800-53 > API Gateway > API Gateway stage should use SSL certificate
- AWS > NIST 800-53 > CloudTrail
- AWS > NIST 800-53 > CloudTrail > At least one trail should be enabled with security best practices
- AWS > NIST 800-53 > CloudTrail > CloudTrail trail log file validation should be enabled
- AWS > NIST 800-53 > CloudTrail > CloudTrail trail logs should be encrypted with KMS CMK
- AWS > NIST 800-53 > CloudTrail > CloudTrail trails should be integrated with CloudWatch logs
- AWS > NIST 800-53 > CloudWatch
- AWS > NIST 800-53 > CloudWatch > CloudWatch alarm action should be enabled
- AWS > NIST 800-53 > CodeBuild
- AWS > NIST 800-53 > CodeBuild > CodeBuild GitHub or Bitbucket source repository URLs should use OAuth
- AWS > NIST 800-53 > CodeBuild > CodeBuild project plaintext environment variables should not contain sensitive AWS values
- AWS > NIST 800-53 > DMS
- AWS > NIST 800-53 > DMS > DMS replication instances should not be publicly accessible
- AWS > NIST 800-53 > DynamoDB
- AWS > NIST 800-53 > DynamoDB > DynamoDB table auto scaling should be enabled
- AWS > NIST 800-53 > DynamoDB > DynamoDB table point-in-time recovery should be enabled
- AWS > NIST 800-53 > DynamoDB > DynamoDB table should be encrypted with AWS KMS
- AWS > NIST 800-53 > DynamoDB > DynamoDB tables should be in a backup plan
- AWS > NIST 800-53 > EC2
- AWS > NIST 800-53 > EC2 > Attached EBS volumes should have delete on termination enabled
- AWS > NIST 800-53 > EC2 > Attached EBS volumes should have encryption enabled
- AWS > NIST 800-53 > EC2 > Auto Scaling groups with a load balancer should use health checks
- AWS > NIST 800-53 > EC2 > Auto Scaling launch config public IP should be disabled
- AWS > NIST 800-53 > EC2 > EBS default encryption should be enabled
- AWS > NIST 800-53 > EC2 > EBS snapshots should not be publicly restorable
- AWS > NIST 800-53 > EC2 > EBS volumes should be in a backup plan
- AWS > NIST 800-53 > EC2 > EC2 instance detailed monitoring should be enabled
- AWS > NIST 800-53 > EC2 > EC2 instances should be in a VPC
- AWS > NIST 800-53 > EC2 > EC2 instances should be managed by AWS Systems Manager
- AWS > NIST 800-53 > EC2 > EC2 instances should have IAM profile attached
- AWS > NIST 800-53 > EC2 > EC2 instances should not have a public IP address
- AWS > NIST 800-53 > EC2 > EC2 instances should use IMDSv2
- AWS > NIST 800-53 > EC2 > EC2 stopped instances should be removed in 30 days
- AWS > NIST 800-53 > EC2 > ELB application and classic load balancer logging should be enabled
- AWS > NIST 800-53 > EC2 > ELB application load balancer deletion protection should be enabled
- AWS > NIST 800-53 > EC2 > ELB application load balancers should drop HTTP headers
- AWS > NIST 800-53 > EC2 > ELB application load balancers should have Web Application Firewall (WAF) enabled
- AWS > NIST 800-53 > EC2 > ELB application load balancers should redirect HTTP requests to HTTPS
- AWS > NIST 800-53 > EC2 > ELB classic load balancers should have cross-zone load balancing enabled
- AWS > NIST 800-53 > EC2 > ELB classic load balancers should only use SSL or HTTPS listeners
- AWS > NIST 800-53 > EC2 > ELB classic load balancers should use SSL certificates
- AWS > NIST 800-53 > ECS
- AWS > NIST 800-53 > ECS > ECS task definition container definitions should be checked for host mode
- AWS > NIST 800-53 > EFS
- AWS > NIST 800-53 > EFS > EFS file system encryption at rest should be enabled
- AWS > NIST 800-53 > EFS > EFS file systems should be in a backup plan
- AWS > NIST 800-53 > ElastiCache
- AWS > NIST 800-53 > ElastiCache > ElastiCache Redis cluster automatic backup should be enabled with retention period of 15 days or greater
- AWS > NIST 800-53 > Elasticsearch
- AWS > NIST 800-53 > Elasticsearch > Elasticsearch domain node-to-node encryption should be enabled
- AWS > NIST 800-53 > Elasticsearch > ES domain encryption at rest should be enabled
- AWS > NIST 800-53 > Elasticsearch > ES domains should be in a VPC
- AWS > NIST 800-53 > EMR
- AWS > NIST 800-53 > EMR > EMR cluster Kerberos should be enabled
- AWS > NIST 800-53 > EMR > EMR cluster master nodes should not have public IP addresses
- AWS > NIST 800-53 > GuardDuty
- AWS > NIST 800-53 > GuardDuty > GuardDuty findings should be archived
- AWS > NIST 800-53 > IAM
- AWS > NIST 800-53 > IAM > Ensure IAM password policy requires a minimum length of 14 or greater
- AWS > NIST 800-53 > IAM > Ensure IAM policy should not grant full access to service
- AWS > NIST 800-53 > IAM > IAM groups should have at least one user
- AWS > NIST 800-53 > IAM > IAM groups, users, and roles should not have any inline policies
- AWS > NIST 800-53 > IAM > IAM password policies for users should have strong configurations
- AWS > NIST 800-53 > IAM > IAM policy should not have statements with admin access
- AWS > NIST 800-53 > IAM > IAM root user hardware MFA should be enabled
- AWS > NIST 800-53 > IAM > IAM root user MFA should be enabled
- AWS > NIST 800-53 > IAM > IAM root user should not have access keys
- AWS > NIST 800-53 > IAM > IAM user access keys should be rotated at least every 90 days
- AWS > NIST 800-53 > IAM > IAM user credentials that have not been used in 90 days should be disabled
- AWS > NIST 800-53 > IAM > IAM user MFA should be enabled
- AWS > NIST 800-53 > IAM > IAM user should not have any inline or attached policies
- AWS > NIST 800-53 > IAM > IAM users should be in at least one group
- AWS > NIST 800-53 > IAM > IAM users with console access should have MFA enabled
- AWS > NIST 800-53 > KMS
- AWS > NIST 800-53 > KMS > KMS CMK rotation should be enabled
- AWS > NIST 800-53 > KMS > KMS keys should not be pending deletion
- AWS > NIST 800-53 > Lambda
- AWS > NIST 800-53 > Lambda > Lambda functions should be in a VPC
- AWS > NIST 800-53 > Lambda > Lambda functions should restrict public access
- AWS > NIST 800-53 > Logs
- AWS > NIST 800-53 > Logs > Log group encryption at rest should be enabled
- AWS > NIST 800-53 > Logs > Log group retention period should be at least 365 days
- AWS > NIST 800-53 > RDS
- AWS > NIST 800-53 > RDS > Database logging should be enabled
- AWS > NIST 800-53 > RDS > RDS DB instance and cluster enhanced monitoring should be enabled
- AWS > NIST 800-53 > RDS > RDS DB instance backup should be enabled
- AWS > NIST 800-53 > RDS > RDS DB instance encryption at rest should be enabled
- AWS > NIST 800-53 > RDS > RDS DB instance Multi-AZ should be enabled
- AWS > NIST 800-53 > RDS > RDS DB instances should be in a backup plan
- AWS > NIST 800-53 > RDS > RDS DB instances should have deletion protection enabled
- AWS > NIST 800-53 > RDS > RDS DB instances should prohibit public access
- AWS > NIST 800-53 > RDS > RDS DB snapshots should be encrypted at rest
- AWS > NIST 800-53 > RDS > RDS snapshots should prohibit public access
- AWS > NIST 800-53 > Redshift
- AWS > NIST 800-53 > Redshift > Amazon Redshift enhanced VPC routing should be enabled
- AWS > NIST 800-53 > Redshift > Redshift cluster audit logging and encryption should be enabled
- AWS > NIST 800-53 > Redshift > Redshift cluster encryption in transit should be enabled
- AWS > NIST 800-53 > Redshift > Redshift clusters should prohibit public access
- AWS > NIST 800-53 > Region
- AWS > NIST 800-53 > Region > At least one enabled trail should be present in a region
- AWS > NIST 800-53 > Region > AWS Security Hub should be enabled for an AWS Account
- AWS > NIST 800-53 > Region > GuardDuty should be enabled
- AWS > NIST 800-53 > S3
- AWS > NIST 800-53 > S3 > All S3 buckets should log S3 data events in CloudTrail
- AWS > NIST 800-53 > S3 > S3 bucket cross-region replication should be enabled
- AWS > NIST 800-53 > S3 > S3 bucket default encryption should be enabled
- AWS > NIST 800-53 > S3 > S3 bucket logging should be enabled
- AWS > NIST 800-53 > S3 > S3 bucket object lock should be enabled
- AWS > NIST 800-53 > S3 > S3 bucket versioning should be enabled
- AWS > NIST 800-53 > S3 > S3 buckets should enforce SSL
- AWS > NIST 800-53 > S3 > S3 buckets should prohibit public read access
- AWS > NIST 800-53 > S3 > S3 buckets should prohibit public write access
- AWS > NIST 800-53 > S3 > S3 public access should be blocked at account and bucket levels
- AWS > NIST 800-53 > S3 > S3 public access should be blocked at account level
- AWS > NIST 800-53 > S3 > S3 public access should be blocked at bucket levels
- AWS > NIST 800-53 > SageMaker
- AWS > NIST 800-53 > SageMaker > SageMaker endpoint configuration encryption should be enabled
- AWS > NIST 800-53 > SageMaker > SageMaker notebook instance encryption should be enabled
- AWS > NIST 800-53 > SageMaker > SageMaker notebook instances should not have direct internet access
- AWS > NIST 800-53 > Secrets Manager
- AWS > NIST 800-53 > Secrets Manager > Secrets Manager secrets should be rotated as per the rotation schedule
- AWS > NIST 800-53 > Secrets Manager > Secrets Manager secrets should have automatic rotation enabled
- AWS > NIST 800-53 > SNS
- AWS > NIST 800-53 > SNS > SNS topics should be encrypted at rest
- AWS > NIST 800-53 > SSM
- AWS > NIST 800-53 > SSM > SSM managed instance associations should be compliant
- AWS > NIST 800-53 > SSM > SSM managed instance patching should be compliant
- AWS > NIST 800-53 > VPC
- AWS > NIST 800-53 > VPC > Both VPN tunnels provided by AWS Site-to-Site VPN should be in UP status
- AWS > NIST 800-53 > VPC > VPC default security group should not allow inbound and outbound traffic
- AWS > NIST 800-53 > VPC > VPC flow logs should be enabled
- AWS > NIST 800-53 > VPC > VPC internet gateways should be attached to authorized VPC
- AWS > NIST 800-53 > VPC > VPC route table should restrict public access to IGW
- AWS > NIST 800-53 > VPC > VPC security groups should restrict ingress access on ports 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0
- AWS > NIST 800-53 > VPC > VPC security groups should restrict ingress SSH access from 0.0.0.0/0
- AWS > NIST 800-53 > VPC > VPC security groups should restrict ingress TCP and UDP access from 0.0.0.0/0
- AWS > NIST 800-53 > VPC > VPC subnet auto assign public IP should be disabled
- AWS > NIST 800-53 > WAF
- AWS > NIST 800-53 > WAF > Logging should be enabled on AWS WAFv2 regional and global web access control lists (ACLs)