CIS benchmark controls available within AWS Security Hub

The CIS benchmark controls available under Identity and Access Management ensure the following:

  • The root account is not used.

  • Multi-Factor authentication (MFA) is enabled for all IAM users that have a console password.

  • Credentials unused for 90 days or more are disabled.

  • Access keys are rotated every 90 days or less.

  • The IAM password policy requires at least one uppercase letter, at least one lowercase letter, at least one symbol, at least one number and a minimum password length of 14 or greater; it prevents password reuse and expires passwords within 90 days or less.

  • No root account access key exists.

  • MFA is enabled for the root account.

  • Hardware MFA is enabled for the root account.

  • IAM policies are attached only to groups or roles.

  • IAM policies that allow full '*:*' administrative privileges are not created.
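Several of the IAM controls above can be verified from a single artifact, the IAM credential report (`aws iam generate-credential-report` followed by `get-credential-report`). The script below is an added example, not code from the original post or from AWS Security Hub: it parses a report in that CSV format (the column names are the real report columns, though only a subset of them is included) and flags users that fail the MFA, unused-credential, key-rotation and root-account checks. The report rows, account number and the fixed "now" date are constructed sample data; the "root account used recently" heuristic is this example's interpretation of "avoid the use of the root account", not Security Hub's exact logic.

```python
"""Evaluate CIS IAM controls against an IAM credential report (added example).

Column names follow the real credential report; the rows are constructed.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed credential report: a subset of the real report's columns.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-01T09:00:00+00:00,not_supported,true,true,2021-03-01T00:00:00+00:00,N/A,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,2022-02-01T00:00:00+00:00,true,2024-05-20T08:00:00+00:00,2024-04-01T00:00:00+00:00,true,true,2024-03-15T00:00:00+00:00,2024-05-20T08:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,2022-02-01T00:00:00+00:00,true,2024-05-19T08:00:00+00:00,2024-04-01T00:00:00+00:00,false,false,N/A,N/A,false,N/A,N/A
carol,arn:aws:iam::111122223333:user/carol,2021-06-01T00:00:00+00:00,false,N/A,N/A,false,true,2023-01-10T00:00:00+00:00,2023-12-01T00:00:00+00:00,false,N/A,N/A
"""

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed "now" so results are reproducible
MAX_AGE = timedelta(days=90)
EMPTY = {"N/A", "no_information", "not_supported", ""}


def parse_time(value):
    """Report timestamps are ISO 8601; the report's placeholder strings become None."""
    if value in EMPTY:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def evaluate(report_csv, now=NOW):
    """Return a list of (finding, user) tuples for every failed check."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"

        if is_root:
            # No root access key may exist, and root must have MFA enabled.
            if row["access_key_1_active"] == "true" or row["access_key_2_active"] == "true":
                findings.append(("root access key exists", user))
            if row["mfa_active"] != "true":
                findings.append(("root MFA not enabled", user))
            # Heuristic for "avoid the use of the root account": any sign-in inside the window.
            last = parse_time(row["password_last_used"])
            if last and now - last < MAX_AGE:
                findings.append(("root account used recently", user))
            continue

        has_password = row["password_enabled"] == "true"

        # Every user with a console password must have MFA.
        if has_password and row["mfa_active"] != "true":
            findings.append(("console user without MFA", user))

        # Passwords unused for 90 days or more (never used: fall back to last change).
        if has_password:
            last = parse_time(row["password_last_used"]) or parse_time(row["password_last_changed"])
            if last and now - last >= MAX_AGE:
                findings.append(("password unused >= 90 days", user))

        # Active access keys must be rotated within 90 days and must not sit unused.
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = parse_time(row[f"access_key_{n}_last_rotated"])
            used = parse_time(row[f"access_key_{n}_last_used_date"]) or rotated
            if rotated and now - rotated > MAX_AGE:
                findings.append((f"access key {n} older than 90 days", user))
            if used and now - used >= MAX_AGE:
                findings.append((f"access key {n} unused >= 90 days", user))
    return findings


if __name__ == "__main__":
    for finding, user in evaluate(SAMPLE_REPORT):
        print(f"{user:16} {finding}")
```

On the constructed report this reports the root access key and recent root sign-in, bob's missing MFA, and carol's stale key, while alice passes every check. Against a real account, replace `SAMPLE_REPORT` with the decoded `Content` of `get-credential-report` and drop the fixed `NOW`.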

The CIS benchmark controls available under Logging ensure the following:

  • CloudTrail is enabled in all regions.

  • CloudTrail log file validation is enabled.

  • The S3 bucket used to store CloudTrail logs is not publicly accessible.

  • CloudTrail trails are integrated with CloudWatch Logs.

  • AWS Config is enabled.

  • S3 bucket access logging is enabled on the CloudTrail S3 bucket.

  • CloudTrail logs are encrypted at rest using KMS CMKs.

  • Rotation for customer-created CMKs is enabled.

  • VPC flow logging is enabled in all VPCs.

The CIS benchmark controls available under Monitoring all ensure that a log metric filter and alarm exist for:

  • Unauthorized API calls.

  • Management Console sign-in without MFA.

  • Usage of root account.

  • IAM policy changes.

  • CloudTrail configuration changes.

  • AWS Management Console authentication failures.

  • Disabling or scheduled deletion of customer-created CMKs.

  • S3 bucket policy changes.

  • AWS Config configuration changes.

  • Security group changes.

  • Changes to Network Access Control Lists (NACL).

  • Changes to network gateways.

  • Route table changes.

  • VPC changes.
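Each Monitoring control corresponds to a CloudWatch Logs metric filter over the CloudTrail log group. To make the matching logic concrete, here is an added example (not code from the original post or from AWS) that re-implements a representative subset of those filters as plain Python and runs them over constructed CloudTrail-shaped events. The filter patterns quoted in the docstrings are the ones the CIS benchmark recommends for the corresponding controls; the event IDs, user names and the `SAMPLE_EVENTS` list are made up for the demonstration.

```python
"""Classify CloudTrail events the way the CIS Monitoring metric filters do (added example)."""
import json


def unauthorized_api_call(e):
    """3.1: { ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }"""
    code = e.get("errorCode", "")
    return code.endswith("UnauthorizedOperation") or code.startswith("AccessDenied")


def console_login_without_mfa(e):
    """3.2: { ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }"""
    return (e.get("eventName") == "ConsoleLogin"
            and e.get("additionalEventData", {}).get("MFAUsed") != "Yes")


def root_account_usage(e):
    """3.3: { $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != "AwsServiceEvent" }"""
    ident = e.get("userIdentity", {})
    return (ident.get("type") == "Root"
            and "invokedBy" not in ident
            and e.get("eventType") != "AwsServiceEvent")


def console_auth_failure(e):
    """3.6: { ($.eventName = ConsoleLogin) && ($.errorMessage = "Failed authentication") }"""
    return e.get("eventName") == "ConsoleLogin" and e.get("errorMessage") == "Failed authentication"


def cmk_disable_or_deletion(e):
    """3.7: { ($.eventSource = kms.amazonaws.com) && (($.eventName = DisableKey) || ($.eventName = ScheduleKeyDeletion)) }"""
    return (e.get("eventSource") == "kms.amazonaws.com"
            and e.get("eventName") in {"DisableKey", "ScheduleKeyDeletion"})


SG_EVENTS = {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
             "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
             "CreateSecurityGroup", "DeleteSecurityGroup"}


def security_group_change(e):
    """3.10: eventName is one of the six security-group mutation calls listed in SG_EVENTS."""
    return e.get("eventName") in SG_EVENTS


FILTERS = {
    "3.1 unauthorized API call": unauthorized_api_call,
    "3.2 console sign-in without MFA": console_login_without_mfa,
    "3.3 root account usage": root_account_usage,
    "3.6 console authentication failure": console_auth_failure,
    "3.7 CMK disable/deletion": cmk_disable_or_deletion,
    "3.10 security group change": security_group_change,
}


def classify(events):
    """Return {eventID: [labels of every filter the event matches]} for matching events only."""
    hits = {}
    for e in events:
        labels = [name for name, fn in FILTERS.items() if fn(e)]
        if labels:
            hits[e["eventID"]] = labels
    return hits


# Constructed CloudTrail-shaped events; IDs and identities are placeholders.
SAMPLE_EVENTS = [
    {"eventID": "e1", "eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "eventType": "AwsApiCall", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "errorCode": "Client.UnauthorizedOperation"},
    {"eventID": "e2", "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "eventType": "AwsConsoleSignIn", "userIdentity": {"type": "Root"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventID": "e3", "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "eventType": "AwsConsoleSignIn", "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "errorMessage": "Failed authentication", "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventID": "e4", "eventName": "ScheduleKeyDeletion", "eventSource": "kms.amazonaws.com",
     "eventType": "AwsApiCall", "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventID": "e5", "eventName": "AuthorizeSecurityGroupIngress", "eventSource": "ec2.amazonaws.com",
     "eventType": "AwsApiCall",
     "userIdentity": {"type": "AssumedRole", "invokedBy": "autoscaling.amazonaws.com"}},
    {"eventID": "e6", "eventName": "PutObject", "eventSource": "s3.amazonaws.com",
     "eventType": "AwsApiCall", "userIdentity": {"type": "IAMUser", "userName": "carol"}},
]

if __name__ == "__main__":
    print(json.dumps(classify(SAMPLE_EVENTS), indent=2))
```

Note that one event can satisfy several filters at once: the root console sign-in without MFA (`e2`) trips both 3.2 and 3.3, which is why each control gets its own metric filter and alarm rather than one combined rule.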

The CIS benchmark controls available under Networking ensure that:

  • No security groups allow ingress from 0.0.0.0/0 to port 22.

  • No security groups allow ingress from 0.0.0.0/0 to port 3389.

  • The default security group of every VPC restricts all traffic.
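The three Networking controls can be checked directly against `describe-security-groups` output. The following is an added example, not code from the original post or from AWS: it walks security groups in that response shape (`IpPermissions` / `IpPermissionsEgress` entries with `IpProtocol`, `FromPort`, `ToPort`, `IpRanges`, `Ipv6Ranges`) and reports groups that expose port 22 or 3389 to the world, including `::/0` and all-protocol rules, plus any default group that still carries rules. The groups in `SAMPLE_GROUPS` and their IDs are constructed placeholders.

```python
"""Check security groups against the CIS Networking controls (added example)."""

ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}


def rule_opens_port(rule, port):
    """True if an IpPermissions entry covers `port` over TCP, or allows all protocols."""
    proto = rule.get("IpProtocol")
    if proto == "-1":  # all protocols implies all ports; FromPort/ToPort are absent
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def rule_from_anywhere(rule):
    """True if the rule's sources include the whole internet over IPv4 or IPv6."""
    v4 = any(r.get("CidrIp") == ANY_IPV4 for r in rule.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == ANY_IPV6 for r in rule.get("Ipv6Ranges", []))
    return v4 or v6


def check_groups(groups):
    """Return a sorted list of (group_id, failure) tuples."""
    failures = []
    for sg in groups:
        gid = sg["GroupId"]
        # No ingress from the internet to SSH or RDP.
        for rule in sg.get("IpPermissions", []):
            if not rule_from_anywhere(rule):
                continue
            for port, name in ADMIN_PORTS.items():
                if rule_opens_port(rule, port):
                    failures.append((gid, f"{name} ({port}) open to the world"))
        # The default security group must restrict all traffic, i.e. have no rules at all.
        if sg.get("GroupName") == "default" and (
                sg.get("IpPermissions") or sg.get("IpPermissionsEgress")):
            failures.append((gid, "default security group has rules"))
    return sorted(failures)


# Constructed groups in the describe-security-groups response shape.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web-EXAMPLE", "GroupName": "web",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": ANY_IPV4}]}],
     "IpPermissionsEgress": []},
    {"GroupId": "sg-bastion-EXAMPLE", "GroupName": "bastion",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "10.0.0.0/8"}, {"CidrIp": ANY_IPV4}]}],
     "IpPermissionsEgress": []},
    {"GroupId": "sg-win-EXAMPLE", "GroupName": "windows",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
                        "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": ANY_IPV6}]}],
     "IpPermissionsEgress": []},
    {"GroupId": "sg-open-EXAMPLE", "GroupName": "wide-open",
     "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": ANY_IPV4}]}],
     "IpPermissionsEgress": []},
    {"GroupId": "sg-default-EXAMPLE", "GroupName": "default",
     "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [],
                        "UserIdGroupPairs": [{"GroupId": "sg-default-EXAMPLE"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": ANY_IPV4}]}]},
]

if __name__ == "__main__":
    for gid, failure in check_groups(SAMPLE_GROUPS):
        print(f"{gid:20} {failure}")
```

The `sg-default-EXAMPLE` entry shows the usual state of a freshly created VPC's default group (self-referencing ingress, open egress), which fails the third control even though it exposes no admin port; the `sg-open-EXAMPLE` entry shows why an `IpProtocol` of `-1` has to be treated as covering every port.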
