CIS Amazon Web Services Three-tier Web Architecture L2 1.0.0

Audit Details

Name: CIS Amazon Web Services Three-tier Web Architecture L2 1.0.0

Updated: 4/25/2022

Authority: CIS

Plugin: amazon_aws

Revision: 1.8

Estimated Item Count: 16

File Details

Filename: CIS_Amazon_Web_Services_Three-tier_Web_Architecture_L2_v1.0.0.audit

Size: 49.3 kB

MD5: d9e03b7bcc68cd76f5617384088fea96
SHA256: 42dcc45f67275796a0bcc88b3d6a30e4510fdb029634a8b3564c6c2edbca10c2

Audit Items

Description | Categories
1.1 Ensure a customer created Customer Master Key (CMK) is created for the Web-tier | ACCESS CONTROL
1.2 Ensure a customer created Customer Master Key (CMK) is created for the App-tier | ACCESS CONTROL
1.3 Ensure a customer created Customer Master Key (CMK) is created for the Database-Tier | ACCESS CONTROL
1.11 Ensure Web Tier ELB is using HTTPS listener | IDENTIFICATION AND AUTHENTICATION
1.12 Ensure App Tier ELB have SSL\TLS Certificate attached | SYSTEM AND COMMUNICATIONS PROTECTION
1.13 Ensure App Tier ELB have the latest SSL Security Policies configured | SYSTEM AND COMMUNICATIONS PROTECTION
1.14 Ensure App Tier ELB is using HTTPS listener | IDENTIFICATION AND AUTHENTICATION
1.15 Ensure all Public Web Tier SSL\TLS certificates are >30 days from Expiration | SYSTEM AND INFORMATION INTEGRITY
1.17 Ensure CloudFront to Origin connection is configured using TLS1.1+ as the SSL\TLS protocol | SYSTEM AND COMMUNICATIONS PROTECTION
3.12 Configure HTTP to HTTPS Redirects with a CloudFront Viewer Protocol Policy | SYSTEM AND COMMUNICATIONS PROTECTION
3.13 Ensure all CloudFront Distributions require HTTPS between CloudFront and your Web-Tier ELB origin | SYSTEM AND COMMUNICATIONS PROTECTION
6.1 Ensure Root Domain Alias Record Points to ELB | SYSTEM AND COMMUNICATIONS PROTECTION
6.2 Ensure a DNS alias record for the root domain | SYSTEM AND COMMUNICATIONS PROTECTION
6.4 Ensure Geo-Restriction is enabled within Cloudfront Distribution | SYSTEM AND COMMUNICATIONS PROTECTION
6.30 Ensure RDS Database is not publicly accessible | SYSTEM AND COMMUNICATIONS PROTECTION
6.31 Don't use the default VPC |