CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0

Audit Details

Name: CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0

Updated: 12/22/2023

Authority: CIS

Plugin: amazon_aws

Revision: 1.13

Estimated Item Count: 84

File Details

Filename: CIS_Amazon_Web_Services_Three-tier_Web_Architecture_L1_v1.0.0.audit

Size: 251 kB

MD5: e4b27752c1795ce3def95779af85c9db
SHA256: a183b299f8a88f6711f8edf2def9e142b23276fc10e7b6579ba94327b41a1caf

Audit Items

Description / Categories
1.4 Ensure Databases running on RDS have encryption at rest enabled

SYSTEM AND COMMUNICATIONS PROTECTION

1.5 Ensure all EBS volumes for Web-Tier are encrypted

SYSTEM AND COMMUNICATIONS PROTECTION

1.6 Ensure all EBS volumes for App-Tier are encrypted

SYSTEM AND COMMUNICATIONS PROTECTION

1.7 Ensure all Customer owned Amazon Machine Images for Web Tier are not shared publicly

ACCESS CONTROL

1.8 Ensure all Customer owned Amazon Machine Images for Application Tier are not shared publicly

ACCESS CONTROL

1.9 Ensure Web Tier ELB have SSL/TLS Certificate attached
1.10 Ensure Web Tier ELB have the latest SSL Security Policies configured

SYSTEM AND COMMUNICATIONS PROTECTION

1.16 Ensure all S3 buckets have policy to require server-side and in transit encryption for all objects stored in bucket.

SYSTEM AND COMMUNICATIONS PROTECTION

2.1 Ensure IAM Policy for EC2 IAM Roles for Web tier is configured

ACCESS CONTROL

2.2 Ensure IAM Policy for EC2 IAM Roles for App tier is configured

ACCESS CONTROL

2.3 Ensure an IAM Role for Amazon EC2 is created for Web Tier

ACCESS CONTROL

2.4 Ensure an IAM Role for Amazon EC2 is created for App Tier

ACCESS CONTROL

2.5 Ensure AutoScaling Group Launch Configuration for Web Tier is configured to use a customer created Web-Tier IAM Role

ACCESS CONTROL

2.6 Ensure AutoScaling Group Launch Configuration for App Tier is configured to use an App-Tier IAM Role

ACCESS CONTROL

2.7 Ensure an IAM group for administration purposes is created
2.8 Ensure an IAM policy that allows admin privileges for all services used is created - Policy Exist

ACCESS CONTROL

2.8 Ensure an IAM policy that allows admin privileges for all services used is created - Review Policy Document

ACCESS CONTROL

2.9 Ensure SNS Topics do not Allow Everyone To Publish

ACCESS CONTROL

2.10 Ensure SNS Topics do not Allow Everyone To Subscribe

ACCESS CONTROL

3.1 Ensure each Auto-Scaling Group has an associated Elastic Load Balancer

CONFIGURATION MANAGEMENT

3.2 Ensure each Auto-Scaling Group is configured for multiple Availability Zones

SYSTEM AND INFORMATION INTEGRITY

3.3 Ensure Auto-Scaling Launch Configuration for Web-Tier is configured to use an approved Amazon Machine Image

CONFIGURATION MANAGEMENT

3.4 Ensure Auto-Scaling Launch Configuration for App-Tier is configured to use an approved Amazon Machine Image

CONFIGURATION MANAGEMENT

3.5 Ensure Relational Database Service is Multi-AZ Enabled

SYSTEM AND INFORMATION INTEGRITY

3.6 Ensure Relational Database Service Instances have Auto Minor Version Upgrade Enabled

SYSTEM AND INFORMATION INTEGRITY

3.7 Ensure Relational Database Service backup retention policy is set

CONTINGENCY PLANNING

3.8 Ensure Web Tier Elastic Load Balancer has application layer Health Check Configured

AUDIT AND ACCOUNTABILITY

3.9 Ensure App Tier Elastic Load Balancer has application layer Health Check Configured

AUDIT AND ACCOUNTABILITY

3.10 Ensure S3 buckets have versioning enabled

CONTINGENCY PLANNING

3.13 Ensure Web Tier Auto-Scaling Group has an associated Elastic Load Balancer

CONFIGURATION MANAGEMENT

3.14 Ensure App Tier Auto-Scaling Group has an associated Elastic Load Balancer

CONFIGURATION MANAGEMENT

4.1 Ensure a SNS topic is created for sending out notifications from Cloudwatch Alarms and Auto-Scaling Groups - CloudwatchAlarms

SYSTEM AND INFORMATION INTEGRITY

4.1 Ensure a SNS topic is created for sending out notifications from Cloudwatch Alarms and Auto-Scaling Groups - List SNS Subscriptions

ACCESS CONTROL

4.2 Ensure a SNS topic is created for sending out notifications from RDS events - List SNS Subscriptions

ACCESS CONTROL

4.2 Ensure a SNS topic is created for sending out notifications from RDS events - RDS Event Subscriptions

SYSTEM AND INFORMATION INTEGRITY

4.3 Ensure RDS event subscriptions are enabled for Instance level events

AUDIT AND ACCOUNTABILITY

4.4 Ensure RDS event subscriptions are enabled for DB security groups

AUDIT AND ACCOUNTABILITY

4.6 Ensure that a log metric filter for the Cloudwatch group assigned to the "VPC Flow Logs" is created

AUDIT AND ACCOUNTABILITY

4.7 Ensure that a Cloudwatch Alarm is created for the "VPC Flow Logs" metric filter, and an Alarm Action is configured
4.8 Ensure Billing Alerts are enabled for increments of X spend
5.1 Ensure all resources are correctly tagged
5.2 Ensure AWS Elastic Load Balancer logging is enabled

AUDIT AND ACCOUNTABILITY

5.3 Ensure AWS Cloudfront Logging is enabled

AUDIT AND ACCOUNTABILITY

5.4 Ensure Cloudwatch Log Group is created for Web Tier

AUDIT AND ACCOUNTABILITY

5.5 Ensure Cloudwatch Log Group is created for App Tier

AUDIT AND ACCOUNTABILITY

5.6 Ensure Cloudwatch Log Group for Web Tier has a retention period

AUDIT AND ACCOUNTABILITY

5.7 Ensure Cloudwatch Log Group for App Tier has a retention period

AUDIT AND ACCOUNTABILITY

5.8 Ensure an agent for AWS Cloudwatch Logs is installed within Auto-Scaling Group for Web-Tier

AUDIT AND ACCOUNTABILITY

5.9 Ensure an agent for AWS Cloudwatch Logs is installed within Auto-Scaling Group for App-Tier

AUDIT AND ACCOUNTABILITY

5.10 Ensure an AWS Managed Config Rule for encrypted volumes is applied to Web Tier - Encryption

SYSTEM AND COMMUNICATIONS PROTECTION