
💼 CM-2 Baseline Configuration

  • ID: /frameworks/nist-sp-800-53-r5/cm/02

Description

a. Develop, document, and maintain under configuration control, a current baseline configuration of the system; and
b. Review and update the baseline configuration of the system:

  1. [Assignment: organization-defined frequency];
  2. When required due to [Assignment: organization-defined circumstances]; and
  3. When system components are installed or upgraded.

Similar

  • Sections
    • /frameworks/aws-fsbp-v1.0.0/account/01
    • /frameworks/aws-fsbp-v1.0.0/api-gateway/08
    • /frameworks/aws-fsbp-v1.0.0/auto-scaling/03
    • /frameworks/aws-fsbp-v1.0.0/auto-scaling/09
    • /frameworks/aws-fsbp-v1.0.0/cloudfront/08
    • /frameworks/aws-fsbp-v1.0.0/cloudfront/12
    • /frameworks/aws-fsbp-v1.0.0/documentdb/05
    • /frameworks/aws-fsbp-v1.0.0/dynamodb/06
    • /frameworks/aws-fsbp-v1.0.0/ec2/04
    • /frameworks/aws-fsbp-v1.0.0/ec2/19
    • /frameworks/aws-fsbp-v1.0.0/ec2/21
    • /frameworks/aws-fsbp-v1.0.0/ec2/23
    • /frameworks/aws-fsbp-v1.0.0/ec2/24
    • /frameworks/aws-fsbp-v1.0.0/ecr/02
    • /frameworks/aws-fsbp-v1.0.0/ecr/03
    • /frameworks/aws-fsbp-v1.0.0/ecs/03
    • /frameworks/aws-fsbp-v1.0.0/ecs/08
    • /frameworks/aws-fsbp-v1.0.0/eks/02
    • /frameworks/aws-fsbp-v1.0.0/elb/06
    • /frameworks/aws-fsbp-v1.0.0/elb/07
    • /frameworks/aws-fsbp-v1.0.0/elb/12
    • /frameworks/aws-fsbp-v1.0.0/elb/14
    • /frameworks/aws-fsbp-v1.0.0/fsx/01
    • /frameworks/aws-fsbp-v1.0.0/lambda/02
    • /frameworks/aws-fsbp-v1.0.0/neptune/04
    • /frameworks/aws-fsbp-v1.0.0/neptune/08
    • /frameworks/aws-fsbp-v1.0.0/network-firewall/03
    • /frameworks/aws-fsbp-v1.0.0/network-firewall/04
    • /frameworks/aws-fsbp-v1.0.0/network-firewall/05
    • /frameworks/aws-fsbp-v1.0.0/network-firewall/09
    • /frameworks/aws-fsbp-v1.0.0/network-firewall/10
    • /frameworks/aws-fsbp-v1.0.0/pca/01
    • /frameworks/aws-fsbp-v1.0.0/rds/16
    • /frameworks/aws-fsbp-v1.0.0/rds/24
    • /frameworks/aws-fsbp-v1.0.0/rds/25
    • /frameworks/aws-fsbp-v1.0.0/redshift/06
    • /frameworks/aws-fsbp-v1.0.0/redshift/08
    • /frameworks/aws-fsbp-v1.0.0/redshift/09
    • /frameworks/aws-fsbp-v1.0.0/s3/06
    • /frameworks/aws-fsbp-v1.0.0/ssm/01
    • /frameworks/aws-fsbp-v1.0.0/ssm/03
    • /frameworks/aws-fsbp-v1.0.0/waf/04
    • /frameworks/aws-fsbp-v1.0.0/waf/06
    • /frameworks/aws-fsbp-v1.0.0/waf/07
    • /frameworks/aws-fsbp-v1.0.0/waf/10
  • Internal
    • ID: dec-c-c06d1794

Similar Sections (Take Policies From)

Section | Sub Sections | Internal Rules | Policies | Flags | Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Account.1] Security contact information should be provided for an AWS account11no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [APIGateway.8] API Gateway routes should specify an authorization type11no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [AutoScaling.3] Auto Scaling group launch configurations should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2)11no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [AutoScaling.9] Amazon EC2 Auto Scaling groups should use Amazon EC2 launch templates11no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests11no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [CloudFront.12] CloudFront distributions should not point to non-existent S3 originsno data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [DocumentDB.5] Amazon DocumentDB clusters should have deletion protection enabledno data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [DynamoDB.6] DynamoDB tables should have deletion protection enabledno data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EC2.4] Stopped EC2 instances should be removed after a specified time periodno data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EC2.19] Security groups should not allow unrestricted access to ports with high risk10no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EC2.21] Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 33891no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EC2.23] Amazon EC2 Transit Gateways should not automatically accept VPC attachment requests1no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EC2.24] Amazon EC2 paravirtual instance types should not be used1no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ECR.2] ECR private repositories should have tag immutability configured11no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ECR.3] ECR repositories should have at least one lifecycle policy configured11no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ECS.3] ECS task definitions should not share the host's process namespaceno data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ECS.8] Secrets should not be passed as container environment variablesno data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EKS.2] EKS clusters should run on a supported Kubernetes versionno data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ELB.6] Application, Gateway, and Network Load Balancers should have deletion protection enabledno data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ELB.7] Classic Load Balancers should have connection draining enabledno data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ELB.12] Application Load Balancer should be configured with defensive or strictest desync mitigation modeno data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ELB.14] Classic Load Balancer should be configured with defensive or strictest desync mitigation modeno data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [FSx.1] FSx for OpenZFS file systems should be configured to copy tags to backups and volumesno data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Lambda.2] Lambda functions should use supported runtimesno data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Neptune.4] Neptune DB clusters should have deletion protection enabledno data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Neptune.8] Neptune DB clusters should be configured to copy tags to snapshotsno data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [NetworkFirewall.3] Network Firewall policies should have at least one rule group associatedno data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [NetworkFirewall.4] The default stateless action for Network Firewall policies should be drop or forward for full packetsno data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [NetworkFirewall.5] The default stateless action for Network Firewall policies should be drop or forward for fragmented packetsno data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [NetworkFirewall.9] Network Firewall firewalls should have deletion protection enabledno data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [NetworkFirewall.10] Network Firewall firewalls should have subnet change protection enabledno data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [PCA.1] AWS Private CA root certificate authority should be disabledno data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [RDS.16] RDS DB clusters should be configured to copy tags to snapshotsno data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [RDS.24] RDS Database clusters should use a custom administrator usernameno data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [RDS.25] RDS database instances should use a custom administrator usernameno data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Redshift.6] Amazon Redshift should have automatic upgrades to major versions enabledno data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Redshift.8] Amazon Redshift clusters should not use the default Admin usernameno data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Redshift.9] Redshift clusters should not use the default database nameno data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [S3.6] S3 general purpose bucket policies should restrict access to other AWS accountsno data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [SSM.1] Amazon EC2 instances should be managed by AWS Systems Managerno data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [SSM.3] Amazon EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANTno data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [WAF.4] AWS WAF Classic Regional web ACLs should have at least one rule or rule groupno data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [WAF.6] AWS WAF Classic global rules should have at least one conditionno data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [WAF.7] AWS WAF Classic global rule groups should have at least one ruleno data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [WAF.10] AWS WAF web ACLs should have at least one rule or rule groupno data

Similar Sections (Give Policies To)

Section | Sub Sections | Internal Rules | Policies | Flags | Compliance
💼 FedRAMP High Security Controls → 💼 CM-2 Baseline Configuration (L)(M)(H)3128no data
💼 FedRAMP Low Security Controls → 💼 CM-2 Baseline Configuration (L)(M)(H)27no data

Sub Sections

Section | Sub Sections | Internal Rules | Policies | Flags | Compliance
💼 CM-2(1) Baseline Configuration _ Reviews and Updatesno data
💼 CM-2(2) Baseline Configuration _ Automation Support for Accuracy and Currency16no data
💼 CM-2(3) Baseline Configuration _ Retention of Previous Configurationsno data
💼 CM-2(4) Baseline Configuration _ Unauthorized Softwareno data
💼 CM-2(5) Baseline Configuration _ Authorized Softwareno data
💼 CM-2(6) Baseline Configuration _ Development and Test Environmentsno data
💼 CM-2(7) Baseline Configuration _ Configure Systems and Components for High-risk Areasno data

Policies (27)

Policy | Logic Count | Flags | Compliance
🛡️ AWS Account Alternate Contact Information is not current🔴🟢⚪🔴 x1, 🟢 x2, ⚪ x1no data
🛡️ AWS API Gateway API Route Authorization Type is not configured🟢1🟢 x6no data
🛡️ AWS CloudFront Web Distribution uses Dedicated IP for SSL🟢1🟢 x6no data
🛡️ AWS EC2 Auto Scaling Group Launch Template is not configured to require IMDSv2🟢1🟢 x6no data
🛡️ AWS EC2 Auto Scaling Group uses Launch Configuration instead of Launch Template🟢1🟢 x6no data
🛡️ AWS EC2 Instance uses paravirtual Virtualization Type🟢1🟢 x6no data
🛡️ AWS EC2 Security Group allows public IPv4 (0.0.0.0/0) access to admin ports🟢1🟢 x6no data
🛡️ AWS EC2 Security Group allows public IPv6 (::/0) access to admin ports🟢1🟢 x6no data
🛡️ AWS EC2 Security Group allows unrestricted CIFS traffic🟢1🟢 x6no data
🛡️ AWS EC2 Security Group allows unrestricted FTP traffic🟢1🟢 x6no data
🛡️ AWS EC2 Security Group allows unrestricted RPC traffic🟢1🟢 x6no data
🛡️ AWS EC2 Security Group allows unrestricted SMTP traffic🟢1🟢 x6no data
🛡️ AWS EC2 Security Group allows unrestricted traffic to MSSQL🟢1🟢 x6no data
🛡️ AWS EC2 Security Group allows unrestricted traffic to MySQL🟢1🟢 x6no data
🛡️ AWS EC2 Security Group allows unrestricted traffic to PostgreSQL🟢1🟢 x6no data
🛡️ AWS EC2 Security Group allows unrestricted Telnet traffic🟢1🟢 x6no data
🛡️ AWS ECR Repository Image Tag Mutability is set to Mutable🟢1🟢 x6no data
🛡️ AWS ECR Repository Lifecycle Policy is not configured🟢1🟢 x6no data
🛡️ AWS VPC Network ACL exposes admin ports to public internet ports🟢1🟢 x6no data
🛡️ AWS VPC Transit Gateway Auto Accept Shared Attachments is enabled🟢1🟢 x6no data
🛡️ Google Cloud DNS Managed Zone DNSSEC is not enabled🟢1🟢 x6no data
🛡️ Google Cloud DNS Managed Zone DNSSEC Key-Signing Algorithm is RSASHA1🟢1🟢 x6no data
🛡️ Google Cloud DNS Managed Zone DNSSEC Zone-Signing Algorithm is RSASHA1🟢1🟢 x6no data
🛡️ Google Cloud SQL Server Instance 3625 (trace flag) Database Flag is not set to on🟢1🟢 x6no data
🛡️ Google Cloud SQL Server Instance user connections Database Flag is set to a limiting (other than 0) value🟢1🟢 x6no data
🛡️ Google Cloud SQL Server Instance user options Database Flag is configured🟢1🟢 x6no data
🛡️ Google Project has a legacy network🟢1🟢 x6no data