CIS Amazon Web Services Foundations v4.0.1 L2

This audit file has been deprecated and will be removed in a future update.

Name: CIS Amazon Web Services Foundations v4.0.1 L2

Updated: 4/29/2025

Authority: CIS

Plugin: amazon_aws

Revision: 1.1

Estimated Item Count: 22

Filename: CIS_Amazon_Web_Services_Foundations_v4.0.1_L2.audit

Size: 72.4 kB

MD5: 53a5ee07d161b901542f19e3ac43517b

SHA256: e15af7b84101f1d674674a57e8e2c6e755eca54a80276e36678308b7bc8131f0

Description	Categories
1.6 Ensure hardware MFA is enabled for the 'root' user account
1.18 Ensure IAM instance roles are used for AWS resource access from instances
1.21 Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments
2.1.1 Ensure S3 Bucket Policy is set to deny HTTP requests
2.1.2 Ensure MFA Delete is enabled on S3 buckets
2.1.3 Ensure all data in Amazon S3 has been discovered, classified, and secured when necessary
3.2 Ensure CloudTrail log file validation is enabled
3.3 Ensure AWS Config is enabled in all regions
3.5 Ensure CloudTrail logs are encrypted at rest using KMS CMKs
3.6 Ensure rotation for customer-created symmetric CMKs is enabled
3.7 Ensure VPC flow logging is enabled in all VPCs
3.8 Ensure that object-level logging for write events is enabled for S3 buckets
3.9 Ensure that object-level logging for read events is enabled for S3 buckets
4.1 Ensure unauthorized API calls are monitored
4.6 Ensure AWS Management Console authentication failures are monitored
4.7 Ensure disabling or scheduled deletion of customer created CMKs is monitored
4.9 Ensure AWS Config configuration changes are monitored
4.10 Ensure security group changes are monitored
4.11 Ensure Network Access Control List (NACL) changes are monitored
4.16 Ensure AWS Security Hub is enabled
5.5 Ensure the default security group of every VPC restricts all traffic
5.6 Ensure routing tables for VPC peering are "least access"