CIS Amazon Web Services Foundations L1 1.5.0

Audit Details

Name: CIS Amazon Web Services Foundations L1 1.5.0

Updated: 3/7/2023

Authority: CIS

Plugin: amazon_aws

Revision: 1.2

Estimated Item Count: 68

File Details

Filename: CIS_Amazon_Web_Services_Foundations_v1.5.0_L1.audit

Size: 296 kB

MD5: c71f63036bd6d8e560aff27e2d8d84f0
SHA256: 3f1687b3880fa19884a91892c4d8094698f740a88e163e758bd81ecf444b2231

Audit Items

DescriptionCategories
1.1 Maintain current contact details

INCIDENT RESPONSE

1.2 Ensure security contact information is registered

CONTINGENCY PLANNING, INCIDENT RESPONSE

1.3 Ensure security questions are registered in the AWS account

INCIDENT RESPONSE

1.4 Ensure no 'root' user account access key exists - 'Access Key 1'

ACCESS CONTROL, MEDIA PROTECTION

1.4 Ensure no 'root' user account access key exists - 'Access Key 2'

ACCESS CONTROL, MEDIA PROTECTION

1.5 Ensure MFA is enabled for the 'root' user account

IDENTIFICATION AND AUTHENTICATION

1.7 Eliminate use of the 'root' user for administrative and daily tasks

ACCESS CONTROL

1.8 Ensure IAM password policy requires minimum length of 14 or greater

IDENTIFICATION AND AUTHENTICATION

1.9 Ensure IAM password policy prevents password reuse

IDENTIFICATION AND AUTHENTICATION

1.10 Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password

IDENTIFICATION AND AUTHENTICATION

1.11 Do not setup access keys during initial user setup for all IAM users that have a console password

ACCESS CONTROL, MEDIA PROTECTION

1.12 Ensure credentials unused for 45 days or greater are disabled

ACCESS CONTROL

1.13 Ensure there is only one active access key available for any single IAM user

ACCESS CONTROL

1.14 Ensure access keys are rotated every 90 days or less

ACCESS CONTROL

1.15 Ensure IAM Users Receive Permissions Only Through Groups

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

1.16 Ensure IAM policies that allow full '*:*' administrative privileges are not attached - *:* administrative privileges are not attached

ACCESS CONTROL, MEDIA PROTECTION

1.17 Ensure a support role has been created to manage incidents with AWS Support

INCIDENT RESPONSE

1.19 Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed

AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY

1.20 Ensure that IAM Access analyzer is enabled for all regions

ACCESS CONTROL, MEDIA PROTECTION

2.1.3 Ensure MFA Delete is enabled on S3 buckets - MfaDelete

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, MEDIA PROTECTION

2.1.3 Ensure MFA Delete is enabled on S3 buckets - versioning status

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, MEDIA PROTECTION

2.1.5 Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'

ACCESS CONTROL, MEDIA PROTECTION

2.2.1 Ensure EBS Volume Encryption is Enabled in all Regions

IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

2.3.1 Ensure that encryption is enabled for RDS Instances

IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

2.3.2 Ensure Auto Minor Version Upgrade feature is Enabled for RDS Instances

RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY

2.3.3 Ensure that public access is not given to RDS Instance

ACCESS CONTROL, MEDIA PROTECTION

2.4.1 Ensure that encryption is enabled for EFS file systems

IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

3.1 Ensure CloudTrail is enabled in all regions - IncludeManagementEvents

AUDIT AND ACCOUNTABILITY

3.1 Ensure CloudTrail is enabled in all regions - IsLogging

AUDIT AND ACCOUNTABILITY

3.1 Ensure CloudTrail is enabled in all regions - IsMultiRegionTrail

AUDIT AND ACCOUNTABILITY

3.1 Ensure CloudTrail is enabled in all regions - ReadWriteType

AUDIT AND ACCOUNTABILITY

3.3 Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible

ACCESS CONTROL, MEDIA PROTECTION

3.4 Ensure CloudTrail trails are integrated with CloudWatch Logs - 'log group is configured'

AUDIT AND ACCOUNTABILITY

3.4 Ensure CloudTrail trails are integrated with CloudWatch Logs - 'LogWatch Log Delivery'

AUDIT AND ACCOUNTABILITY

3.6 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

4.1 Ensure a log metric filter and alarm exist for unauthorized API calls - 'alarm exists'

AUDIT AND ACCOUNTABILITY

4.1 Ensure a log metric filter and alarm exist for unauthorized API calls - 'metric filter exists'

AUDIT AND ACCOUNTABILITY

4.1 Ensure a log metric filter and alarm exist for unauthorized API calls - 'subscription exists'

AUDIT AND ACCOUNTABILITY

4.2 Ensure a log metric filter and alarm exist for Management Console sign-in without MFA - 'alarm exists'

AUDIT AND ACCOUNTABILITY

4.2 Ensure a log metric filter and alarm exist for Management Console sign-in without MFA - 'metric filter exists'

AUDIT AND ACCOUNTABILITY

4.2 Ensure a log metric filter and alarm exist for Management Console sign-in without MFA - 'subscription exists'

AUDIT AND ACCOUNTABILITY

4.3 Ensure a log metric filter and alarm exist for usage of 'root' account - 'alarm exists'

AUDIT AND ACCOUNTABILITY

4.3 Ensure a log metric filter and alarm exist for usage of 'root' account - 'metric filter exists'

AUDIT AND ACCOUNTABILITY

4.3 Ensure a log metric filter and alarm exist for usage of 'root' account - 'subscription exists'

AUDIT AND ACCOUNTABILITY

4.4 Ensure a log metric filter and alarm exist for IAM policy changes - 'alarm exists'

AUDIT AND ACCOUNTABILITY

4.4 Ensure a log metric filter and alarm exist for IAM policy changes - 'metric filter exists'

AUDIT AND ACCOUNTABILITY

4.4 Ensure a log metric filter and alarm exist for IAM policy changes - 'subscription exists'

AUDIT AND ACCOUNTABILITY

4.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes - 'alarm exists'

AUDIT AND ACCOUNTABILITY

4.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes - 'metric filter exists'

AUDIT AND ACCOUNTABILITY

4.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes - 'subscription exists'

AUDIT AND ACCOUNTABILITY