Policy: AWS > CIS v6.0

Targets

This policy targets the following resource types:

• AWS > Account

Related Policies

• Maximum Attestation Duration
• 2 - Identity and Access Management
• 3 - Storage
• 4 - Logging
• 5 - Monitoring
• 6 - Networking

Controls

Setting this policy configures these controls:

• AWS > CIS v6.0
• AWS > CIS v6.0 > 2 - Identity and Access Management > 2.01 - Maintain current contact details
• AWS > CIS v6.0 > 2 - Identity and Access Management > 2.02 - Ensure security contact information is registered
• AWS > CIS v6.0 > 2 - Identity and Access Management > 2.03 - Ensure no 'root' user account access key exists
• AWS > CIS v6.0 > 2 - Identity and Access Management > 2.04 - Ensure MFA is enabled for the 'root' user account
• AWS > CIS v6.0 > 2 - Identity and Access Management > 2.05 - Ensure hardware MFA is enabled for the 'root' user account
• AWS > CIS v6.0 > 2 - Identity and Access Management > 2.06 - Eliminate use of the 'root' user for administrative and daily tasks
• AWS > CIS v6.0 > 2 - Identity and Access Management > 2.07 - Ensure IAM password policy requires minimum length of 14 or greater
• AWS > CIS v6.0 > 2 - Identity and Access Management > 2.08 - Ensure IAM password policy prevents password reuse
• AWS > CIS v6.0 > 2 - Identity and Access Management > 2.09 - Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password
• AWS > CIS v6.0 > 2 - Identity and Access Management > 2.10 - Do not create access keys during initial setup for IAM users with a console password
• AWS > CIS v6.0 > 2 - Identity and Access Management > 2.11 - Ensure credentials unused for 45 days or more are disabled
• AWS > CIS v6.0 > 2 - Identity and Access Management > 2.12 - Ensure there is only one active access key for any single IAM user
• AWS > CIS v6.0 > 2 - Identity and Access Management > 2.13 - Ensure access keys are rotated every 90 days or less
• AWS > CIS v6.0 > 2 - Identity and Access Management > 2.14 - Ensure IAM users receive permissions only through groups
• AWS > CIS v6.0 > 2 - Identity and Access Management > 2.15 - Ensure IAM policies that allow full "*:*" administrative privileges are not attached
• AWS > CIS v6.0 > 2 - Identity and Access Management > 2.16 - Ensure a support role has been created to manage incidents with AWS Support
• AWS > CIS v6.0 > 2 - Identity and Access Management > 2.17 - Ensure IAM instance roles are used for AWS resource access from instances
• AWS > CIS v6.0 > 2 - Identity and Access Management > 2.18 - Ensure that all expired SSL/TLS certificates stored in AWS IAM are removed
• AWS > CIS v6.0 > 2 - Identity and Access Management > 2.19 - Ensure that IAM External Access Analyzer is enabled for all regions
• AWS > CIS v6.0 > 2 - Identity and Access Management > 2.20 - Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments
• AWS > CIS v6.0 > 2 - Identity and Access Management > 2.21 - Ensure access to AWSCloudShellFullAccess is restricted
• AWS > CIS v6.0 > 3 - Storage > 3.01 - Simple Storage Service (S3) > 3.01.01 - Ensure S3 Bucket Policy is set to deny HTTP requests
• AWS > CIS v6.0 > 3 - Storage > 3.01 - Simple Storage Service (S3) > 3.01.02 - Ensure MFA Delete is enabled on S3 buckets
• AWS > CIS v6.0 > 3 - Storage > 3.01 - Simple Storage Service (S3) > 3.01.03 - Ensure all data in Amazon S3 has been discovered, classified, and secured when necessary
• AWS > CIS v6.0 > 3 - Storage > 3.01 - Simple Storage Service (S3) > 3.01.04 - Ensure that S3 is configured with 'Block Public Access' enabled
• AWS > CIS v6.0 > 3 - Storage > 3.02 - Relational Database Service (RDS) > 3.02.01 - Ensure that encryption-at-rest is enabled for RDS Instances
• AWS > CIS v6.0 > 3 - Storage > 3.02 - Relational Database Service (RDS) > 3.02.02 - Ensure the Auto Minor Version Upgrade feature is enabled for RDS instances
• AWS > CIS v6.0 > 3 - Storage > 3.02 - Relational Database Service (RDS) > 3.02.03 - Ensure that RDS instances are not publicly accessible
• AWS > CIS v6.0 > 3 - Storage > 3.02 - Relational Database Service (RDS) > 3.02.04 - Ensure Multi-AZ deployments are used for enhanced availability in Amazon RDS
• AWS > CIS v6.0 > 3 - Storage > 3.03 - Elastic File System (EFS) > 3.03.01 - Ensure that encryption is enabled for EFS file systems
• AWS > CIS v6.0 > 4 - Logging > 4.01 - Ensure CloudTrail is enabled in all regions
• AWS > CIS v6.0 > 4 - Logging > 4.02 - Ensure CloudTrail log file validation is enabled
• AWS > CIS v6.0 > 4 - Logging > 4.03 - Ensure AWS Config is enabled in all regions
• AWS > CIS v6.0 > 4 - Logging > 4.04 - Ensure that server access logging is enabled on the CloudTrail S3 bucket
• AWS > CIS v6.0 > 4 - Logging > 4.05 - Ensure CloudTrail logs are encrypted at rest using KMS CMKs
• AWS > CIS v6.0 > 4 - Logging > 4.06 - Ensure rotation for customer-created symmetric CMKs is enabled
• AWS > CIS v6.0 > 4 - Logging > 4.07 - Ensure VPC flow logging is enabled in all VPCs
• AWS > CIS v6.0 > 4 - Logging > 4.08 - Ensure that object-level logging for write events is enabled for S3 buckets
• AWS > CIS v6.0 > 4 - Logging > 4.09 - Ensure that object-level logging for read events is enabled for S3 buckets
• AWS > CIS v6.0 > 5 - Monitoring > 5.01 - Ensure unauthorized API calls are monitored
• AWS > CIS v6.0 > 5 - Monitoring > 5.02 - Ensure management console sign-in without MFA is monitored
• AWS > CIS v6.0 > 5 - Monitoring > 5.03 - Ensure usage of the 'root' account is monitored
• AWS > CIS v6.0 > 5 - Monitoring > 5.04 - Ensure IAM policy changes are monitored
• AWS > CIS v6.0 > 5 - Monitoring > 5.05 - Ensure CloudTrail configuration changes are monitored
• AWS > CIS v6.0 > 5 - Monitoring > 5.06 - Ensure AWS Management Console authentication failures are monitored
• AWS > CIS v6.0 > 5 - Monitoring > 5.07 - Ensure disabling or scheduled deletion of customer created CMKs is monitored
• AWS > CIS v6.0 > 5 - Monitoring > 5.08 - Ensure S3 bucket policy changes are monitored
• AWS > CIS v6.0 > 5 - Monitoring > 5.09 - Ensure AWS Config configuration changes are monitored
• AWS > CIS v6.0 > 5 - Monitoring > 5.10 - Ensure security group changes are monitored
• AWS > CIS v6.0 > 5 - Monitoring > 5.11 - Ensure Network Access Control List (NACL) changes are monitored
• AWS > CIS v6.0 > 5 - Monitoring > 5.12 - Ensure changes to network gateways are monitored
• AWS > CIS v6.0 > 5 - Monitoring > 5.13 - Ensure route table changes are monitored
• AWS > CIS v6.0 > 5 - Monitoring > 5.14 - Ensure VPC changes are monitored
• AWS > CIS v6.0 > 5 - Monitoring > 5.15 - Ensure AWS Organizations changes are monitored
• AWS > CIS v6.0 > 5 - Monitoring > 5.16 - Ensure AWS Security Hub is enabled
• AWS > CIS v6.0 > 6 - Networking > 6.01 - Elastic Compute Cloud (EC2) > 6.01.01 - Ensure EBS volume encryption is enabled in all regions
• AWS > CIS v6.0 > 6 - Networking > 6.01 - Elastic Compute Cloud (EC2) > 6.01.02 - Ensure CIFS access is restricted to trusted networks to prevent unauthorized access
• AWS > CIS v6.0 > 6 - Networking > 6.02 - Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports
• AWS > CIS v6.0 > 6 - Networking > 6.03 - Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports
• AWS > CIS v6.0 > 6 - Networking > 6.04 - Ensure no security groups allow ingress from ::/0 to remote server administration ports
• AWS > CIS v6.0 > 6 - Networking > 6.05 - Ensure the default security group of every VPC restricts all traffic
• AWS > CIS v6.0 > 6 - Networking > 6.06 - Ensure routing tables for VPC peering are 'least access'
• AWS > CIS v6.0 > 6 - Networking > 6.07 - Ensure that the EC2 Metadata Service only allows IMDSv2

Policy Specification

string

Skip

Category

• CIS

In Your Workspace

• Policy Settings by Type report

Developers

Category URI

tmod:@turbot/cis#/control/categories/cis

Policy Type URI

tmod:@turbot/aws-cisv6-0#/policy/types/cis

GraphQL

query policyType(id: "tmod:@turbot/aws-cisv6-0#/policy/types/cis") { … }

query policySettings(filter: "policyTypeId:'tmod:@turbot/aws-cisv6-0#/policy/types/cis'") { … }

query policyValues(filter: "policyTypeId:'tmod:@turbot/aws-cisv6-0#/policy/types/cis'") { … }

CLI

Get Policy Type

turbot graphql policy-type --id "tmod:@turbot/aws-cisv6-0#/policy/types/cis"

Get Policy Settings

turbot graphql policy-settings --filter "policyTypeId:tmod:@turbot/aws-cisv6-0#/policy/types/cis"