
💼 CM-2 Baseline Configuration

  • Contextual name: 💼 CM-2 Baseline Configuration
  • ID: /frameworks/nist-sp-800-53-r5/cm/02
  • Located in: 💼 CM Configuration Management

Description

a. Develop, document, and maintain under configuration control, a current baseline configuration of the system; and
b. Review and update the baseline configuration of the system:

  1. [Assignment: organization-defined frequency];
  2. When required due to [Assignment: organization-defined circumstances]; and
  3. When system components are installed or upgraded.

Similar

  • Sections
    • /frameworks/aws-fsbp-v1.0.0/account/01
    • /frameworks/aws-fsbp-v1.0.0/api-gateway/08
    • /frameworks/aws-fsbp-v1.0.0/auto-scaling/03
    • /frameworks/aws-fsbp-v1.0.0/auto-scaling/09
    • /frameworks/aws-fsbp-v1.0.0/cloudfront/08
    • /frameworks/aws-fsbp-v1.0.0/cloudfront/12
    • /frameworks/aws-fsbp-v1.0.0/documentdb/05
    • /frameworks/aws-fsbp-v1.0.0/dynamodb/06
    • /frameworks/aws-fsbp-v1.0.0/ec2/04
    • /frameworks/aws-fsbp-v1.0.0/ec2/19
    • /frameworks/aws-fsbp-v1.0.0/ec2/21
    • /frameworks/aws-fsbp-v1.0.0/ec2/23
    • /frameworks/aws-fsbp-v1.0.0/ec2/24
    • /frameworks/aws-fsbp-v1.0.0/ecr/02
    • /frameworks/aws-fsbp-v1.0.0/ecr/03
    • /frameworks/aws-fsbp-v1.0.0/ecs/03
    • /frameworks/aws-fsbp-v1.0.0/ecs/08
    • /frameworks/aws-fsbp-v1.0.0/eks/02
    • /frameworks/aws-fsbp-v1.0.0/elb/06
    • /frameworks/aws-fsbp-v1.0.0/elb/07
    • /frameworks/aws-fsbp-v1.0.0/elb/12
    • /frameworks/aws-fsbp-v1.0.0/elb/14
    • /frameworks/aws-fsbp-v1.0.0/fsx/01
    • /frameworks/aws-fsbp-v1.0.0/lambda/02
    • /frameworks/aws-fsbp-v1.0.0/neptune/04
    • /frameworks/aws-fsbp-v1.0.0/neptune/08
    • /frameworks/aws-fsbp-v1.0.0/network-firewall/03
    • /frameworks/aws-fsbp-v1.0.0/network-firewall/04
    • /frameworks/aws-fsbp-v1.0.0/network-firewall/05
    • /frameworks/aws-fsbp-v1.0.0/network-firewall/09
    • /frameworks/aws-fsbp-v1.0.0/network-firewall/10
    • /frameworks/aws-fsbp-v1.0.0/pca/01
    • /frameworks/aws-fsbp-v1.0.0/rds/16
    • /frameworks/aws-fsbp-v1.0.0/rds/24
    • /frameworks/aws-fsbp-v1.0.0/rds/25
    • /frameworks/aws-fsbp-v1.0.0/redshift/06
    • /frameworks/aws-fsbp-v1.0.0/redshift/08
    • /frameworks/aws-fsbp-v1.0.0/redshift/09
    • /frameworks/aws-fsbp-v1.0.0/s3/06
    • /frameworks/aws-fsbp-v1.0.0/ssm/01
    • /frameworks/aws-fsbp-v1.0.0/ssm/03
    • /frameworks/aws-fsbp-v1.0.0/waf/04
    • /frameworks/aws-fsbp-v1.0.0/waf/06
    • /frameworks/aws-fsbp-v1.0.0/waf/07
    • /frameworks/aws-fsbp-v1.0.0/waf/10
  • Internal
    • ID: dec-c-c06d1794

Similar Sections (Take Policies From)

Section | Sub Sections | Internal Rules | Policies | Flags
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Account.1] Security contact information should be provided for an AWS account 11
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [APIGateway.8] API Gateway routes should specify an authorization type 11
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [AutoScaling.3] Auto Scaling group launch configurations should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2)
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [AutoScaling.9] Amazon EC2 Auto Scaling groups should use Amazon EC2 launch templates
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [CloudFront.12] CloudFront distributions should not point to non-existent S3 origins
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [DocumentDB.5] Amazon DocumentDB clusters should have deletion protection enabled
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [DynamoDB.6] DynamoDB tables should have deletion protection enabled
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EC2.4] Stopped EC2 instances should be removed after a specified time period
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EC2.19] Security groups should not allow unrestricted access to ports with high risk 10
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EC2.21] Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389 1
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EC2.23] Amazon EC2 Transit Gateways should not automatically accept VPC attachment requests
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EC2.24] Amazon EC2 paravirtual instance types should not be used
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ECR.2] ECR private repositories should have tag immutability configured
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ECR.3] ECR repositories should have at least one lifecycle policy configured
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ECS.3] ECS task definitions should not share the host's process namespace
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ECS.8] Secrets should not be passed as container environment variables
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EKS.2] EKS clusters should run on a supported Kubernetes version
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ELB.6] Application, Gateway, and Network Load Balancers should have deletion protection enabled
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ELB.7] Classic Load Balancers should have connection draining enabled
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ELB.12] Application Load Balancer should be configured with defensive or strictest desync mitigation mode
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ELB.14] Classic Load Balancer should be configured with defensive or strictest desync mitigation mode
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [FSx.1] FSx for OpenZFS file systems should be configured to copy tags to backups and volumes
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Lambda.2] Lambda functions should use supported runtimes
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Neptune.4] Neptune DB clusters should have deletion protection enabled
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Neptune.8] Neptune DB clusters should be configured to copy tags to snapshots
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [NetworkFirewall.3] Network Firewall policies should have at least one rule group associated
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [NetworkFirewall.4] The default stateless action for Network Firewall policies should be drop or forward for full packets
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [NetworkFirewall.5] The default stateless action for Network Firewall policies should be drop or forward for fragmented packets
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [NetworkFirewall.9] Network Firewall firewalls should have deletion protection enabled
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [NetworkFirewall.10] Network Firewall firewalls should have subnet change protection enabled
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [PCA.1] AWS Private CA root certificate authority should be disabled
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [RDS.16] RDS DB clusters should be configured to copy tags to snapshots
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [RDS.24] RDS Database clusters should use a custom administrator username
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [RDS.25] RDS database instances should use a custom administrator username
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Redshift.6] Amazon Redshift should have automatic upgrades to major versions enabled
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Redshift.8] Amazon Redshift clusters should not use the default Admin username
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Redshift.9] Redshift clusters should not use the default database name
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [S3.6] S3 general purpose bucket policies should restrict access to other AWS accounts
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [SSM.1] Amazon EC2 instances should be managed by AWS Systems Manager
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [SSM.3] Amazon EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [WAF.4] AWS WAF Classic Regional web ACLs should have at least one rule or rule group
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [WAF.6] AWS WAF Classic global rules should have at least one condition
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [WAF.7] AWS WAF Classic global rule groups should have at least one rule
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [WAF.10] AWS WAF web ACLs should have at least one rule or rule group

Similar Sections (Give Policies To)

Section | Sub Sections | Internal Rules | Policies | Flags
💼 FedRAMP High Security Controls → 💼 CM-2 Baseline Configuration (L)(M)(H) 3114
💼 FedRAMP Low Security Controls → 💼 CM-2 Baseline Configuration (L)(M)(H) 13

Sub Sections

Section | Sub Sections | Internal Rules | Policies | Flags
💼 CM-2(1) Baseline Configuration _ Reviews and Updates
💼 CM-2(2) Baseline Configuration _ Automation Support for Accuracy and Currency 13
💼 CM-2(3) Baseline Configuration _ Retention of Previous Configurations
💼 CM-2(4) Baseline Configuration _ Unauthorized Software
💼 CM-2(5) Baseline Configuration _ Authorized Software
💼 CM-2(6) Baseline Configuration _ Development and Test Environments
💼 CM-2(7) Baseline Configuration _ Configure Systems and Components for High-risk Areas

Policies (13)

Policy | Logic | Count | Flags
📝 AWS Account Alternate Contact Information is not current 🔴🟢 🔴 x1, 🟢 x3
📝 AWS API Gateway API Route Authorization Type is not configured 🟢 1 🟢 x6
📝 AWS EC2 Security Group allows public IPv4 (0.0.0.0/0) access to admin ports 🟢 1 🟢 x6
📝 AWS EC2 Security Group allows public IPv6 (::/0) access to admin ports 🟢 1 🟢 x6
📝 AWS EC2 Security Group allows unrestricted CIFS traffic 🟢 1 🟢 x6
📝 AWS EC2 Security Group allows unrestricted FTP traffic 🟢 1 🟢 x6
📝 AWS EC2 Security Group allows unrestricted RPC traffic 🟢 1 🟢 x6
📝 AWS EC2 Security Group allows unrestricted SMTP traffic 🟢 1 🟢 x6
📝 AWS EC2 Security Group allows unrestricted traffic to MSSQL 🟢 1 🟢 x6
📝 AWS EC2 Security Group allows unrestricted traffic to MySQL 🟢 1 🟢 x6
📝 AWS EC2 Security Group allows unrestricted traffic to PostgreSQL 🟢 1 🟢 x6
📝 AWS EC2 Security Group allows unrestricted Telnet traffic 🟢 1 🟢 x6
📝 AWS VPC Network ACL exposes admin ports to public internet ports 🟢 1 🟢 x6