💼 CIS AWS v5.0.0

  • Contextual name: 💼 CIS AWS v5.0.0
  • ID: /frameworks/cis-aws-v5.0.0

Description

Empty...

Similar

Sub Sections

Section | Sub Sections | Internal Rules | Policies | Flags
💼 1 Identity and Access Management    21
    💼 1.1 Maintain current contact details (Manual)    1
    💼 1.2 Ensure security contact information is registered (Manual)    1
    💼 1.3 Ensure no 'root' user account access key exists (Automated)    1
    💼 1.4 Ensure MFA is enabled for the 'root' user account (Automated)    1
    💼 1.5 Ensure hardware MFA is enabled for the 'root' user account (Manual)    1
    💼 1.6 Eliminate use of the 'root' user for administrative and daily tasks (Manual)    1
    💼 1.7 Ensure IAM password policy requires minimum length of 14 or greater (Automated)    1
    💼 1.8 Ensure IAM password policy prevents password reuse (Automated)    1
    💼 1.9 Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Automated)    1
    💼 1.10 Do not create access keys during initial setup for IAM users with a console password (Manual)    1
    💼 1.11 Ensure credentials unused for 45 days or more are disabled (Automated)    1
    💼 1.12 Ensure there is only one active access key for any single IAM user (Automated)    1
    💼 1.13 Ensure access keys are rotated every 90 days or less (Automated)    1
    💼 1.14 Ensure IAM users receive permissions only through groups (Automated)    1
    💼 1.15 Ensure IAM policies that allow full "*:*" administrative privileges are not attached (Automated)    1
    💼 1.16 Ensure a support role has been created to manage incidents with AWS Support (Automated)    1
    💼 1.17 Ensure IAM instance roles are used for AWS resource access from instances (Automated)    1
    💼 1.18 Ensure that all expired SSL/TLS certificates stored in AWS IAM are removed (Automated)    1
    💼 1.19 Ensure that IAM External Access Analyzer is enabled for all regions (Automated)    1
    💼 1.20 Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments (Manual)    1
    💼 1.21 Ensure access to AWSCloudShellFullAccess is restricted (Manual)    1
💼 2 Storage    3
    💼 2.1 Simple Storage Service (S3)    4
        💼 2.1.1 Ensure S3 Bucket Policy is set to deny HTTP requests (Automated)    1
        💼 2.1.2 Ensure MFA Delete is enabled on S3 buckets (Manual)    1
        💼 2.1.3 Ensure all data in Amazon S3 has been discovered, classified, and secured when necessary (Manual)    1
        💼 2.1.4 Ensure that S3 is configured with 'Block Public Access' enabled (Automated)    1
    💼 2.2 Relational Database Service (RDS)    4
        💼 2.2.1 Ensure that encryption-at-rest is enabled for RDS instances (Automated)    1
        💼 2.2.2 Ensure the Auto Minor Version Upgrade feature is enabled for RDS instances (Automated)    1
        💼 2.2.3 Ensure that RDS instances are not publicly accessible (Automated)    1
        💼 2.2.4 Ensure Multi-AZ deployments are used for enhanced availability in Amazon RDS (Manual)    1
    💼 2.3 Elastic File System (EFS)    1
        💼 2.3.1 Ensure that encryption is enabled for EFS file systems (Automated)    1
💼 3 Logging    9
    💼 3.1 Ensure CloudTrail is enabled in all regions (Manual)    1
    💼 3.2 Ensure CloudTrail log file validation is enabled (Automated)    1
    💼 3.3 Ensure AWS Config is enabled in all regions (Automated)    1
    💼 3.4 Ensure that server access logging is enabled on the CloudTrail S3 bucket (Manual)    1
    💼 3.5 Ensure CloudTrail logs are encrypted at rest using KMS CMKs (Automated)    1
    💼 3.6 Ensure rotation for customer-created symmetric CMKs is enabled (Automated)    1
    💼 3.7 Ensure VPC flow logging is enabled in all VPCs (Automated)    1
    💼 3.8 Ensure that object-level logging for write events is enabled for S3 buckets (Automated)    1
    💼 3.9 Ensure that object-level logging for read events is enabled for S3 buckets (Automated)    1
💼 4 Monitoring    16
    💼 4.1 Ensure unauthorized API calls are monitored (Automated)    1
    💼 4.2 Ensure management console sign-in without MFA is monitored (Manual)    1
    💼 4.3 Ensure usage of the 'root' account is monitored (Manual)    1
    💼 4.4 Ensure IAM policy changes are monitored (Manual)    1
    💼 4.5 Ensure CloudTrail configuration changes are monitored (Manual)    1
    💼 4.6 Ensure AWS Management Console authentication failures are monitored (Manual)    1
    💼 4.7 Ensure disabling or scheduled deletion of customer-created CMKs is monitored (Manual)    1
    💼 4.8 Ensure S3 bucket policy changes are monitored (Manual)    1
    💼 4.9 Ensure AWS Config configuration changes are monitored (Manual)    1
    💼 4.10 Ensure security group changes are monitored (Manual)    1
    💼 4.11 Ensure Network Access Control List (NACL) changes are monitored (Manual)    1
    💼 4.12 Ensure changes to network gateways are monitored (Manual)    1
    💼 4.13 Ensure route table changes are monitored (Manual)    1
    💼 4.14 Ensure VPC changes are monitored (Manual)    1
    💼 4.15 Ensure AWS Organizations changes are monitored (Manual)    1
    💼 4.16 Ensure AWS Security Hub is enabled (Automated)    1
💼 5 Networking    7
    💼 5.1 Elastic Compute Cloud (EC2)    2
        💼 5.1.1 Ensure EBS volume encryption is enabled in all regions (Automated)    1
        💼 5.1.2 Ensure CIFS access is restricted to trusted networks to prevent unauthorized access (Automated)    1
    💼 5.2 Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports (Automated)    1
    💼 5.3 Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports (Automated)    1
    💼 5.4 Ensure no security groups allow ingress from ::/0 to remote server administration ports (Automated)    1
    💼 5.5 Ensure the default security group of every VPC restricts all traffic (Automated)    1
    💼 5.6 Ensure routing tables for VPC peering are "least access" (Manual)    1
    💼 5.7 Ensure that the EC2 Metadata Service only allows IMDSv2 (Automated)    1