📄️ 1.1
1.1 Maintain current contact details (Manual)
📄️ 1.2
1.2 Register security contact information (Manual)
📄️ 1.3
1.3 Register security questions in the AWS account (Manual)
📄️ 1.4
1.4 Ensure no 'root' user account access key exists (Automated)
📄️ 1.5
1.5 Enable Multi-Factor Authentication (MFA) for the 'root' user account (Automated)
📄️ 1.6
1.6 Enable hardware Multi-Factor Authentication (MFA) for the 'root' user account (Manual)
📄️ 1.7
1.7 Eliminate use of the 'root' user for administrative and daily tasks (Automated)
📄️ 1.8
1.8 Ensure Identity and Access Management (IAM) password policy requires minimum length of 14 or greater (Automated)
📄️ 1.9
1.9 Ensure Identity and Access Management (IAM) password policy prevents password reuse (Automated)
📄️ 1.10
1.10 Enable Multi-Factor Authentication (MFA) for all Identity and Access Management (IAM) users that have a console password (Automated)
📄️ 1.11
1.11 Do not setup access keys during initial user setup for all Identity and Access Management (IAM) users that have a console password (Automated)
📄️ 1.12
1.12 Disable credentials unused for 45 days or greater (Automated)
📄️ 1.13
1.13 Ensure there is only one active access key available for any single Identity and Access Management (IAM) user (Automated)
📄️ 1.14
1.14 Rotate access keys every 90 days or less (Automated)
📄️ 1.15
1.15 Ensure Identity and Access Management (IAM) Users Receive Permissions Only Through Groups (Automated)
📄️ 1.16
This rule also encompasses lacework-global-485 and lacework-global-486. See Adjusted Rules for CIS AWS 1.4.0 for further details.
📄️ 1.17
1.17 Create a support role to manage incidents with AWS Support (Automated)
📄️ 1.18
1.18 Use Identity and Access Management (IAM) instance roles for AWS resource access from instances (Manual)
📄️ 1.19
1.19 Remove all the expired SSL/Transport Layer Security (TLS) certificates stored in AWS Identity and Access Management (IAM) (Automated)
📄️ 1.20
1.20 Enable Identity and Access Management (IAM) Access analyzer for all regions (Automated)
📄️ 1.21
1.21 Manage Identity and Access Management (IAM) users centrally via identity federation or AWS Organizations for multi-account environments (Manual)
📄️ 2.1.1
2.1.1 Ensure all S3 buckets employ encryption-at-rest (Automated)
📄️ 2.1.2
2.1.2 Deny HTTP requests in S3 Bucket Policies (Automated)
📄️ 2.1.3
2.1.3 Enable Multi-Factor Authentication (MFA) Delete on S3 buckets (Automated)
📄️ 2.1.4
2.1.4 Discover, classify, and secure all data in Amazon S3 when required (Manual)
📄️ 2.1.5
2.1.5 Configure S3 Buckets with 'Block public access (bucket settings)' (Automated)
📄️ 2.2.1
2.2.1 Enable volume encryption for Elastic Block Store (EBS) (Automated)
📄️ 2.3.1
2.3.1 Enable encryption for Relational Database Service (RDS) Instances (Automated)
📄️ 3.1
3.1 Enable CloudTrail in all regions (Automated)
📄️ 3.2
3.2 Enable CloudTrail log file validation (Automated)
📄️ 3.3
3.3 Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible (Automated)
📄️ 3.4
3.4 Integrate CloudTrail trails with CloudWatch Logs (Automated)
📄️ 3.5
This rule also encompasses lacework-global-497. See Adjusted Rules for CIS AWS 1.4.0 for further details.
📄️ 3.6
3.6 Enable S3 bucket access logging on the CloudTrail S3 bucket (Automated)
📄️ 3.7
3.7 Encrypt CloudTrail logs at rest using Customer-Managed Key Management Service (KMS) Keys (Automated)
📄️ 3.8
3.8 Enable rotation for Key Management Service (KMS) Keys (Automated)
📄️ 3.9
3.9 Enable Virtual Private Cloud (VPC) flow logging in all VPCs (Automated)
📄️ 3.10
3.10 Enable Object-level logging for write events on S3 buckets (Automated)
📄️ 3.11
3.11 Enable Object-level logging for read events on S3 buckets (Automated)
📄️ 4.1
4.1 Ensure a log metric filter and alarm exist for unauthorized API calls (Automated)
📄️ 4.2
4.2 Ensure a log metric filter and alarm exist for Management Console sign-in without Multi-Factor Authentication (MFA) (Automated)
📄️ 4.3
4.3 Ensure a log metric filter and alarm exist for usage of 'root' account (Automated)
📄️ 4.4
4.4 Ensure a log metric filter and alarm exist for Identity and Access Management (IAM) policy changes (Automated)
📄️ 4.5
4.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes (Automated)
📄️ 4.6
4.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (Automated)
📄️ 4.7
4.7 Ensure a log metric filter and alarm exist for disabling or scheduled deletion of Key Management Service (KMS) Keys (Automated)
📄️ 4.8
4.8 Ensure a log metric filter and alarm exist for S3 bucket policy changes (Automated)
📄️ 4.9
4.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes (Automated)
📄️ 4.10
4.10 Ensure a log metric filter and alarm exist for security group changes (Automated)
📄️ 4.11
4.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) (Automated)
📄️ 4.12
4.12 Ensure a log metric filter and alarm exist for changes to network gateways (Automated)
📄️ 4.13
4.13 Ensure a log metric filter and alarm exist for route table changes (Automated)
📄️ 4.14
4.14 Ensure a log metric filter and alarm exist for Virtual Private Cloud (VPC) changes (Automated)
📄️ 4.15
4.15 Ensure a log metric filter and alarm exists for AWS Organizations changes (Automated)
📄️ 5.1
5.1 Ensure no Network Access Control Lists (ACL) allow ingress from 0.0.0.0/0 to remote server administration ports (Automated)
📄️ 5.2
5.2 Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports (Automated)
📄️ 5.3
5.3 Ensure the default security group of every Virtual Private Cloud (VPC) restricts all traffic (Automated)
📄️ 5.4
5.4 Ensure routing tables for Virtual Private Cloud (VPC) peering are "least access" (Manual)