CIS Amazon Web Services Foundations L2 1.5.0

Audit Details

Name: CIS Amazon Web Services Foundations L2 1.5.0

Updated: 3/7/2023

Authority: CIS

Plugin: amazon_aws

Revision: 1.2

Estimated Item Count: 35

File Details

Filename: CIS_Amazon_Web_Services_Foundations_v1.5.0_L2.audit

Size: 147 kB

MD5: 76f7c6f4ab14ae0fda124a8d99602450
SHA256: eaa75b8e40947373f3caa227ea1c17449b59f31797b11c66628fb9a2cdddfcea

Audit Items

DescriptionCategories
1.6 Ensure hardware MFA is enabled for the 'root' user account

IDENTIFICATION AND AUTHENTICATION

1.18 Ensure IAM instance roles are used for AWS resource access from instances

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

1.21 Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments

ACCESS CONTROL

2.1.1 Ensure all S3 buckets employ encryption-at-rest

IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

2.1.2 Ensure S3 Bucket Policy is set to deny HTTP requests

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

2.1.4 Ensure all data in Amazon S3 has been discovered, classified and secured when required.

AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY

3.2 Ensure CloudTrail log file validation is enabled

AUDIT AND ACCOUNTABILITY

3.5 Ensure AWS Config is enabled in all regions - 'Include global resources'

CONFIGURATION MANAGEMENT, PROGRAM MANAGEMENT

3.5 Ensure AWS Config is enabled in all regions - 'Record all resources supported in this region'

CONFIGURATION MANAGEMENT, PROGRAM MANAGEMENT

3.5 Ensure AWS Config is enabled in all regions - 'Review defined S3 Bucket'

CONFIGURATION MANAGEMENT, PROGRAM MANAGEMENT

3.5 Ensure AWS Config is enabled in all regions - 'Review defined SNS Topic'

CONFIGURATION MANAGEMENT, PROGRAM MANAGEMENT

3.7 Ensure CloudTrail logs are encrypted at rest using KMS CMKs

IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

3.8 Ensure rotation for customer created symmetric CMKs is enabled

IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

3.9 Ensure VPC flow logging is enabled in all VPCs

AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY

3.10 Ensure that Object-level logging for write events is enabled for S3 bucket

AUDIT AND ACCOUNTABILITY

3.11 Ensure that Object-level logging for read events is enabled for S3 bucket

AUDIT AND ACCOUNTABILITY

4.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures - 'alarm exists'

AUDIT AND ACCOUNTABILITY

4.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures - 'metric filter exists'

AUDIT AND ACCOUNTABILITY

4.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures - 'subscription exists'

AUDIT AND ACCOUNTABILITY

4.7 Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs - 'alarm exists'

AUDIT AND ACCOUNTABILITY

4.7 Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs - 'metric filter exists'

AUDIT AND ACCOUNTABILITY

4.7 Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs - 'subscription exists'

AUDIT AND ACCOUNTABILITY

4.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes - 'alarm exists'

AUDIT AND ACCOUNTABILITY

4.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes - 'metric filter exists'

AUDIT AND ACCOUNTABILITY

4.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes - 'subscription exists'

AUDIT AND ACCOUNTABILITY

4.10 Ensure a log metric filter and alarm exist for security group changes - 'alarm exists'

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, MEDIA PROTECTION

4.10 Ensure a log metric filter and alarm exist for security group changes - 'metric filter exists'

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, MEDIA PROTECTION

4.10 Ensure a log metric filter and alarm exist for security group changes - 'subscription exists'

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, MEDIA PROTECTION

4.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) - 'alarm exists'

AUDIT AND ACCOUNTABILITY

4.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) - 'metric filter exists'

AUDIT AND ACCOUNTABILITY

4.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) - 'subscription exists'

AUDIT AND ACCOUNTABILITY

4.16 Ensure AWS Security Hub is enabled

CONFIGURATION MANAGEMENT

5.4 Ensure the default security group of every VPC restricts all traffic - 'No Inbound Rules exist

ACCESS CONTROL, MEDIA PROTECTION

5.4 Ensure the default security group of every VPC restricts all traffic - 'No Outbound Rules exist

ACCESS CONTROL, MEDIA PROTECTION

5.5 Ensure routing tables for VPC peering are 'least access' - least access

ACCESS CONTROL, MEDIA PROTECTION