The CIS benchmark controls available under Identity and Access Management ensure the following:
- Avoid the use of the root account.
- Multi-factor authentication (MFA) is enabled for all IAM users that have a console password.
- Credentials unused for 90 days or more are disabled.
- Access keys are rotated every 90 days or less.
- The IAM password policy requires at least one uppercase letter, at least one lowercase letter, at least one symbol, at least one number, a minimum password length of 14 or greater, prevents password reuse, and expires passwords within 90 days or less.
- No root account access key exists.
- MFA is enabled for the root account.
- Hardware MFA is enabled for the root account.
- IAM policies are attached only to groups or roles.
- IAM policies that allow full '*:*' administrative privileges are not created.
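Several of the IAM controls above (root access key, root MFA, MFA for console users, credentials unused for 90 days, access keys not rotated within 90 days) can be evaluated from the IAM credential report. The following is an added example, not code from the original page: it parses a constructed credential report (the column names are those AWS emits, unrelated columns omitted) against a fixed clock and returns the findings. Threshold handling follows the wording of the controls; a production check would fall back to the creation time for credentials that have never been used.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample of an IAM credential report. The column names are the
# ones AWS emits; unrelated columns are omitted to keep the sample short.
SAMPLE_REPORT = """\
user,arn,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
<root_account>,arn:aws:iam::123456789012:root,not_supported,2024-05-01T10:00:00+00:00,false,true,2023-01-01T00:00:00+00:00,N/A
alice,arn:aws:iam::123456789012:user/alice,true,2024-05-02T09:00:00+00:00,true,true,2024-03-15T00:00:00+00:00,2024-05-02T09:00:00+00:00
bob,arn:aws:iam::123456789012:user/bob,true,2023-11-01T00:00:00+00:00,false,false,N/A,N/A
svc-deploy,arn:aws:iam::123456789012:user/svc-deploy,false,no_information,false,true,2023-12-01T00:00:00+00:00,2024-05-01T00:00:00+00:00
"""

NOW = datetime(2024, 5, 3, tzinfo=timezone.utc)  # fixed clock so results are reproducible
MAX_AGE = timedelta(days=90)

def _parse(value):
    """Timestamp for an ISO-8601 field; None for N/A / no_information / not_supported."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)

def evaluate_credential_report(report_csv, now=NOW):
    """Return (user, finding) pairs for the IAM controls of the benchmark."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        password_on = row["password_enabled"] == "true"
        key_on = row["access_key_1_active"] == "true"
        if user == "<root_account>":
            if key_on:
                findings.append((user, "root access key exists"))
            if row["mfa_active"] != "true":
                findings.append((user, "MFA not enabled for root"))
            continue
        if password_on and row["mfa_active"] != "true":
            findings.append((user, "console password without MFA"))
        # Unused credentials (90 days or more); credentials with no usage record are skipped here.
        for enabled, field in ((password_on, "password_last_used"),
                               (key_on, "access_key_1_last_used_date")):
            last_used = _parse(row[field]) if enabled else None
            if last_used and now - last_used >= MAX_AGE:
                findings.append((user, f"{field} older than 90 days"))
        rotated = _parse(row["access_key_1_last_rotated"]) if key_on else None
        if rotated and now - rotated > MAX_AGE:
            findings.append((user, "access key not rotated within 90 days"))
    return findings
```

Against a live account, the same function can be fed the CSV returned by `get_credential_report` (base64-decoded) with `now` left at the current time.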
The CIS benchmark controls available under Logging ensure the following:
- CloudTrail is enabled in all regions.
- CloudTrail log file validation is enabled.
- The S3 bucket used to store CloudTrail logs is not publicly accessible.
- CloudTrail trails are integrated with CloudWatch Logs.
- AWS Config is enabled.
- S3 bucket access logging is enabled on the CloudTrail S3 bucket.
- CloudTrail logs are encrypted at rest using KMS CMKs.
- Rotation for customer-created CMKs is enabled.
- VPC flow logging is enabled in all VPCs.
The CIS benchmark controls available under Monitoring all ensure that a log metric filter and alarm exist for:
- Unauthorized API calls.
- Management Console sign-in without MFA.
- Usage of the root account.
- IAM policy changes.
- CloudTrail configuration changes.
- AWS Management Console authentication failures.
- Disabling or scheduled deletion of customer-created CMKs.
- S3 bucket policy changes.
- AWS Config configuration changes.
- Security group changes.
- Changes to Network Access Control Lists (NACLs).
- Changes to network gateways.
- Route table changes.
- VPC changes.
The CIS benchmark controls available under Networking ensure that:
- No security groups allow ingress from 0.0.0.0/0 to port 22.
- No security groups allow ingress from 0.0.0.0/0 to port 3389.
- The default security group of every VPC restricts all traffic.