CIS Amazon Web Services Foundations L2 1.4.0

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

Audit Details

Name: CIS Amazon Web Services Foundations L2 1.4.0

Updated: 12/19/2022

Authority: Cloud Services

Plugin: amazon_aws

Revision: 1.6

Estimated Item Count: 34

Audit Items

Description | Categories
1.6 Ensure hardware MFA is enabled for the 'root' user account
1.18 Ensure IAM instance roles are used for AWS resource access from instances
1.21 Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments
2.1.1 Ensure all S3 buckets employ encryption-at-rest
2.1.2 Ensure S3 Bucket Policy is set to deny HTTP requests
2.1.4 Ensure all data in Amazon S3 has been discovered, classified and secured when required
3.2 Ensure CloudTrail log file validation is enabled
3.5 Ensure AWS Config is enabled in all regions - 'Include global resources'
3.5 Ensure AWS Config is enabled in all regions - 'Record all resources supported in this region'
3.5 Ensure AWS Config is enabled in all regions - 'Review defined S3 Bucket'
3.5 Ensure AWS Config is enabled in all regions - 'Review defined SNS Topic'
3.7 Ensure CloudTrail logs are encrypted at rest using KMS CMKs
3.8 Ensure rotation for customer created CMKs is enabled
3.9 Ensure VPC flow logging is enabled in all VPCs
3.10 Ensure that Object-level logging for write events is enabled for S3 bucket
3.11 Ensure that Object-level logging for read events is enabled for S3 bucket
4.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures - 'alarm exists'
4.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures - 'metric filter exists'
4.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures - 'subscription exists'
4.7 Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs - 'alarm exists'
4.7 Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs - 'metric filter exists'
4.7 Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs - 'subscription exists'
4.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes - 'alarm exists'
4.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes - 'metric filter exists'
4.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes - 'subscription exists'
4.10 Ensure a log metric filter and alarm exist for security group changes - 'alarm exists'
4.10 Ensure a log metric filter and alarm exist for security group changes - 'metric filter exists'
4.10 Ensure a log metric filter and alarm exist for security group changes - 'subscription exists'
4.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) - 'alarm exists'
4.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) - 'metric filter exists'
4.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) - 'subscription exists'
5.3 Ensure the default security group of every VPC restricts all traffic - 'No Inbound Rules exist'
5.3 Ensure the default security group of every VPC restricts all traffic - 'No Outbound Rules exist'
5.4 Ensure routing tables for VPC peering are 'least access' - least access