CIS AWS 1.4.0 Benchmark Report

The CIS AWS 1.4.0 benchmark report co-exists with the CIS AWS 1.1.0 benchmark report. The CIS AWS 1.1.0 benchmark is deprecated and will eventually be removed. You should migrate to the latest report soon. Meanwhile, do not suppress deprecated policies because this will stop the generation of SOC2, PCI, ISO and NIST reports.

For information about compliance assessment behavior differences between CIS AWS 1.1.0 and 1.4.0, see Legacy Rules Mapping.

Changes to Benchmark Reports in the Lacework Console

Due to changes in the Lacework Console, visibility of and interaction with the CIS AWS 1.4.0 benchmark is different from previous CIS reports.

Notable changes include the following:

  • All CIS AWS 1.4.0 benchmark policies are enabled or disabled through the Policies page. See Enable the CIS AWS 1.4.0 Benchmark Policies for more information.
  • The Compliance > AWS > Reports page does not display the CIS AWS 1.4.0 benchmark report, but will continue to display the older CIS AWS 1.1.0 benchmark report.
  • The Cloud Compliance Dashboard shows detailed results from each assessment, including assessments of CIS AWS 1.4.0 benchmark policies.
  • The Reports page displays all reports that have run in your environment, including a 90-day history for each report type on all your integrated accounts. You can view a summary for each report in the Console, and download it in PDF format. See Reports for more information.

Prerequisites

The following articles describe how to integrate your AWS environment with the Lacework Compliance platform. Completing one of them prepares your environment for the CIS AWS 1.4.0 benchmark.

Choose one of the following options:

  1. Integrate Lacework with AWS - Terraform
    • Choose one of the configuration options to enable AWS configuration compliance. These articles provide guidance on multiple deployment scenarios.
  2. Integrate Lacework with AWS - AWS CloudFormation
  3. Integrate Lacework with AWS - AWS GovCloud (US)

Enable the CIS AWS 1.4.0 Benchmark Policies

All policies in the CIS AWS 1.4.0 benchmark are disabled by default. You can enable them as follows.

Enable Policies through the Lacework Console

On the Policies page, use the framework:cis-aws-1-4-0 tag to filter for CIS AWS 1.4.0 policies only. Enable or disable a policy using its status toggle.

note

Manual policies do not have a status toggle as there is no functional check to enable. For more information about manual policies, see Automated vs Manual Rules.

Bulk Enable Policies through the Lacework CLI

Enable all the CIS AWS 1.4.0 policies by using the following command in the Lacework CLI:

lacework policy enable --tag framework:cis-aws-1-4-0

tip

If you have not used the CLI before, see the Lacework CLI guide to get started.

Policy Mapping for CIS AWS 1.4.0

The CIS AWS 1.4.0 rules are mapped to Lacework policies, as listed in the following sections.

1. Identity and Access Management (IAM)

CIS AWS 1.4.0 Rule ID    Lacework Policy ID              Severity
1.1                      lacework-global-31              Low
1.2                      lacework-global-32              Low
1.3                      lacework-global-33              Low
1.4                      lacework-global-34              Critical
1.5                      lacework-global-35              Critical
1.6                      lacework-global-69              Critical
1.7                      lacework-global-36              Low
1.8                      lacework-global-37              Medium
1.9                      lacework-global-38              Low
1.10                     lacework-global-39              High
1.11                     lacework-global-40              Medium
1.12                     lacework-global-41              Medium
1.13                     lacework-global-42              High
1.14                     lacework-global-43              Medium
1.15                     lacework-global-44              Low
1.16                     lacework-global-45 (Users)      High
                         lacework-global-485 (Groups)
                         lacework-global-486 (Roles)
1.17                     lacework-global-46              Low
1.18                     lacework-global-70              Medium
1.19                     lacework-global-47              High
1.20                     lacework-global-48              Medium
1.21                     lacework-global-71              Medium

2. Storage

2.1 Simple Storage Service (S3)

CIS AWS 1.4.0 Rule ID    Lacework Policy ID              Severity
2.1.1                    lacework-global-72              Medium
2.1.2                    lacework-global-73              Medium
2.1.3                    lacework-global-49              Medium
2.1.4                    lacework-global-74              Medium
2.1.5                    lacework-global-50              Medium

2.2 Elastic Compute Cloud (EC2)

CIS AWS 1.4.0 Rule ID    Lacework Policy ID              Severity
2.2.1                    lacework-global-51              Medium

2.3 Relational Database Service (RDS)

CIS AWS 1.4.0 Rule ID    Lacework Policy ID              Severity
2.3.1                    lacework-global-52              Medium

3. Logging

CIS AWS 1.4.0 Rule ID    Lacework Policy ID                       Severity
3.1                      lacework-global-53                       Medium
3.2                      lacework-global-75                       Low
3.3                      lacework-global-54                       High
3.4                      lacework-global-55                       Low
3.5                      lacework-global-76 (all regions)         High
                         lacework-global-497 (global resources)
3.6                      lacework-global-56                       High
3.7                      lacework-global-77                       High
3.8                      lacework-global-78                       High
3.9                      lacework-global-79                       Medium
3.10                     lacework-global-80                       Medium
3.11                     lacework-global-81                       Medium

4. Monitoring

CIS AWS 1.4.0 Rule ID    Lacework Policy ID              Severity
4.1                      lacework-global-57              Medium
4.2                      lacework-global-58              Medium
4.3                      lacework-global-59              Low
4.4                      lacework-global-60              Medium
4.5                      lacework-global-61              Low
4.6                      lacework-global-82              Medium
4.7                      lacework-global-83              Medium
4.8                      lacework-global-62              Medium
4.9                      lacework-global-84              Medium
4.10                     lacework-global-85              Medium
4.11                     lacework-global-86              Medium
4.12                     lacework-global-63              Medium
4.13                     lacework-global-64              Medium
4.14                     lacework-global-65              Medium
4.15                     lacework-global-66              Low

5. Networking

CIS AWS 1.4.0 Rule ID    Lacework Policy ID              Severity
5.1                      lacework-global-67              High
5.2                      lacework-global-68              High
5.3                      lacework-global-87              High
5.4                      lacework-global-88              High

Automated vs Manual Rules

Lacework automates compliance rules where possible. Some benchmark rules cannot be checked automatically in an AWS environment; these are called manual rules, and you must verify them yourself.

Adjusted Rules

1.16 Ensure IAM policies that allow full "*:*" administrative privileges are not attached

This rule has been split into three policies, one each for users, groups, and roles.

The following table lists each policy and its corresponding title:

CIS AWS 1.4.0 Rule ID    Lacework Policy ID      Title
1.16                     lacework-global-45      Ensure IAM policies that allow full "*:*" administrative privileges are not attached to users.
1.16                     lacework-global-485     Ensure IAM policies that allow full "*:*" administrative privileges are not attached to groups.
1.16                     lacework-global-486     Ensure IAM policies that allow full "*:*" administrative privileges are not attached to roles.

note

The policy catalog only retains one entry for this rule, which is lacework-global-45.
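As an added example (not Lacework's own code or the logic behind these policies), the following Python evaluates IAM policy documents for the full "*:*" grant that rule 1.16 targets and reports matches per principal type, mirroring the users/groups/roles split above. The policy documents and attachment lists are constructed sample data; the function names are assumptions.

```python
"""Added example (not Lacework code): flag IAM policy documents granting the
full "*:*" administrative privileges behind CIS AWS 1.4.0 rule 1.16 and report
the users, groups and roles they are attached to. All data below is constructed."""
import json

def grants_full_admin(policy_document: dict) -> bool:
    """True when any Allow statement grants Action "*" on Resource "*".
    Action/Resource may be a string or a list; only the bare wildcard counts,
    so "s3:*" on "*" is not full admin (it is a different finding)."""
    statements = policy_document.get("Statement", [])
    if isinstance(statements, dict):  # a single statement rather than a list
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if "*" in actions and "*" in resources:
            return True
    return False

def find_admin_attachments(policies: dict, attachments: dict) -> dict:
    """Map each principal type to the principals with a "*:*" policy attached,
    mirroring the split into lacework-global-45 (users), lacework-global-485
    (groups) and lacework-global-486 (roles)."""
    admin_policies = {name for name, doc in policies.items() if grants_full_admin(doc)}
    return {
        kind: sorted(p for p, attached in principals.items() if admin_policies & set(attached))
        for kind, principals in attachments.items()
    }

# Constructed sample data: policy name -> document; principal type -> attached policy names.
SAMPLE_POLICIES = {
    "FullAdmin": {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "S3Only": {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]},
    "DenyAll": {"Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"}]},
}
SAMPLE_ATTACHMENTS = {
    "users": {"alice": ["FullAdmin"], "bob": ["S3Only"]},
    "groups": {"admins": ["FullAdmin", "S3Only"], "readers": []},
    "roles": {"ci-deploy": ["DenyAll"]},
}

if __name__ == "__main__":
    print(json.dumps(find_admin_attachments(SAMPLE_POLICIES, SAMPLE_ATTACHMENTS), indent=2))
```

In a real account the documents would come from the default version of each customer-managed and inline policy, and the attachments from the list-attached-policies calls for users, groups and roles.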

3.5 Ensure AWS Config is enabled in all regions

This rule has been split into two policies, which check the following aspects of AWS Config:

  1. Ensure that AWS Config is enabled in all regions and configured to record all resources.
  2. Ensure at least one region has AWS Config configured to record all global resources (for example: IAM).

The table below lists each policy and its new title:

CIS AWS 1.4.0 Rule ID    Lacework Policy ID      Title
3.5                      lacework-global-76      Ensure AWS Config is enabled in all regions
3.5                      lacework-global-497     Ensure AWS Config is recording Global Resources in at least one region

note

The policy catalog only retains one entry for this rule, which is lacework-global-76.
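As an added example (not Lacework's own code or the logic behind these policies), the following Python evaluates both halves of the 3.5 split over a per-region view of the AWS Config recorder. It assumes a dictionary per region combining the recorder's recordingGroup fields (allSupported, includeGlobalResourceTypes) with the recording flag from the recorder status, and None where no recorder exists; the region data is constructed and the function names are assumptions.

```python
"""Added example (not Lacework code): evaluate the two checks that CIS AWS 1.4.0
rule 3.5 is split into. Input is a per-region view of the AWS Config recorder:
the recordingGroup fields (allSupported, includeGlobalResourceTypes) of the
recorder merged with the "recording" flag of its status; None means no
recorder exists. The region data below is constructed sample input."""

def recorder_records_all(recorder: dict) -> bool:
    """A region passes the all-resources check when its recorder is switched on
    and configured with allSupported (record every supported resource type)."""
    return bool(recorder.get("recording")) and bool(
        recorder.get("recordingGroup", {}).get("allSupported"))

def check_config_rule_3_5(regions: dict) -> dict:
    """Return both verdicts:
    - all_regions: every region has an active all-resources recorder
      (lacework-global-76); failing_regions lists the ones that do not;
    - global_resources: at least one such region also records global
      resource types such as IAM (lacework-global-497); global_regions lists them."""
    failing = sorted(r for r, rec in regions.items()
                     if rec is None or not recorder_records_all(rec))
    global_regions = sorted(
        r for r, rec in regions.items()
        if rec is not None and recorder_records_all(rec)
        and rec.get("recordingGroup", {}).get("includeGlobalResourceTypes"))
    return {"all_regions": not failing, "failing_regions": failing,
            "global_resources": bool(global_regions), "global_regions": global_regions}

# Constructed sample input: one entry per enabled region.
SAMPLE_REGIONS = {
    "us-east-1": {"recording": True,
                  "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": True}},
    "us-west-2": {"recording": True,
                  "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": False}},
    "eu-west-1": {"recording": False,  # recorder exists but is stopped
                  "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": False}},
    "ap-south-1": None,  # no configuration recorder at all
}

if __name__ == "__main__":
    for key, value in check_config_rule_3_5(SAMPLE_REGIONS).items():
        print(f"{key}: {value}")
```

With the sample input the global-resources check passes (us-east-1) while the all-regions check fails on the stopped recorder in eu-west-1 and the missing one in ap-south-1, which is why the two policies can report different results for the same account.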