Service Screener

CIS Amazon Web Services Foundations Benchmark

The CIS Amazon Web Services Foundations Benchmark is a set of security configuration best practices for AWS accounts and resources. The benchmark covers identity and access management, logging and monitoring, networking, data protection, and incident response.
Read more

Summary: [Not available:1] | [Compliant:13] | [Need Attention:24]

Breakdown

Framework. CIS Amazon Web Services Foundations Benchmark

Category	Rule ID	Compliance Status	Description	Reference
CloudTrail.	1	Compliant	[NeedToEnableCloudTrail] [HasOneMultiRegionTrail]
CloudTrail.	2	Need Attention	[RequiresKmsKey] - Enable SSE [ap-northeast-1]Cloudtrail::IsengardTrail-DO-NOT-DELETE, Cloudtrail::aws-controltower-BaselineCloudTrail	Encrypt CloudTrail using AWS KMS CloudTrail Security Best Practices
CloudTrail.	4	Compliant	[LogFileValidationEnabled]
CloudTrail.	5	Need Attention	[CloudWatchLogsLogGroupArn] - CloudWatch for CloudTrail [ap-northeast-1]Cloudtrail::IsengardTrail-DO-NOT-DELETE	Using CloudWatch Logs with CloudTrail
CloudTrail.	6	Compliant	[EnableS3PublicAccessBlock]
CloudTrail.	7	Need Attention	[EnableTrailS3BucketLogging] - Enable S3 Bucket Logging [ap-northeast-1]Cloudtrail::IsengardTrail-DO-NOT-DELETE, Cloudtrail::mys3buckettrail	Configure S3 Logging Resilience in CloudTrail
CloudWatch.	1	Need Attention	[NeedToEnableCloudTrail] [trailWithoutCWLogs] - CloudTrail to have CloudWatch Log [us-east-1]ctLog::arn:aws:cloudtrail:us-east-1:769655955296:trail/IsengardTrail-DO-NOT-DELETE [trailWithCWLogsWithoutMetrics] - CloudTrail's Log to have log metrics [ap-southeast-1]ctLog::arn:aws:cloudtrail:ap-southeast-1:769655955296:trail/mys3buckettrail [us-east-1]ctLog::arn:aws:cloudtrail:us-east-1:769655955296:trail/aws-controltower-BaselineCloudTrail [trailWOMAroot1]	CIS Cloudwatch Controls CIS Cloudwatch Controls
CloudWatch.	4	Need Attention	[NeedToEnableCloudTrail] [trailWithoutCWLogs] - CloudTrail to have CloudWatch Log [us-east-1]ctLog::arn:aws:cloudtrail:us-east-1:769655955296:trail/IsengardTrail-DO-NOT-DELETE [trailWithCWLogsWithoutMetrics] - CloudTrail's Log to have log metrics [ap-southeast-1]ctLog::arn:aws:cloudtrail:ap-southeast-1:769655955296:trail/mys3buckettrail [us-east-1]ctLog::arn:aws:cloudtrail:us-east-1:769655955296:trail/aws-controltower-BaselineCloudTrail [trailWOMAalarm4]	CIS Cloudwatch Controls CIS Cloudwatch Controls
CloudWatch.	5	Need Attention	[NeedToEnableCloudTrail] [trailWithoutCWLogs] - CloudTrail to have CloudWatch Log [us-east-1]ctLog::arn:aws:cloudtrail:us-east-1:769655955296:trail/IsengardTrail-DO-NOT-DELETE [trailWithCWLogsWithoutMetrics] - CloudTrail's Log to have log metrics [ap-southeast-1]ctLog::arn:aws:cloudtrail:ap-southeast-1:769655955296:trail/mys3buckettrail [us-east-1]ctLog::arn:aws:cloudtrail:us-east-1:769655955296:trail/aws-controltower-BaselineCloudTrail [trailWOMATrail5]	CIS Cloudwatch Controls CIS Cloudwatch Controls
CloudWatch.	6	Need Attention	[NeedToEnableCloudTrail] [trailWithoutCWLogs] - CloudTrail to have CloudWatch Log [us-east-1]ctLog::arn:aws:cloudtrail:us-east-1:769655955296:trail/IsengardTrail-DO-NOT-DELETE [trailWithCWLogsWithoutMetrics] - CloudTrail's Log to have log metrics [ap-southeast-1]ctLog::arn:aws:cloudtrail:ap-southeast-1:769655955296:trail/mys3buckettrail [us-east-1]ctLog::arn:aws:cloudtrail:us-east-1:769655955296:trail/aws-controltower-BaselineCloudTrail [trailWOMAAuthFail6]	CIS Cloudwatch Controls CIS Cloudwatch Controls
CloudWatch.	7	Need Attention	[NeedToEnableCloudTrail] [trailWithoutCWLogs] - CloudTrail to have CloudWatch Log [us-east-1]ctLog::arn:aws:cloudtrail:us-east-1:769655955296:trail/IsengardTrail-DO-NOT-DELETE [trailWithCWLogsWithoutMetrics] - CloudTrail's Log to have log metrics [ap-southeast-1]ctLog::arn:aws:cloudtrail:ap-southeast-1:769655955296:trail/mys3buckettrail [us-east-1]ctLog::arn:aws:cloudtrail:us-east-1:769655955296:trail/aws-controltower-BaselineCloudTrail [trailWOMACMK7]	CIS Cloudwatch Controls CIS Cloudwatch Controls
CloudWatch.	8	Need Attention	[NeedToEnableCloudTrail] [trailWithoutCWLogs] - CloudTrail to have CloudWatch Log [us-east-1]ctLog::arn:aws:cloudtrail:us-east-1:769655955296:trail/IsengardTrail-DO-NOT-DELETE [trailWithCWLogsWithoutMetrics] - CloudTrail's Log to have log metrics [ap-southeast-1]ctLog::arn:aws:cloudtrail:ap-southeast-1:769655955296:trail/mys3buckettrail [us-east-1]ctLog::arn:aws:cloudtrail:us-east-1:769655955296:trail/aws-controltower-BaselineCloudTrail [trailWOMAS3Policy8]	CIS Cloudwatch Controls CIS Cloudwatch Controls
CloudWatch.	9	Need Attention	[NeedToEnableCloudTrail] [trailWithoutCWLogs] - CloudTrail to have CloudWatch Log [us-east-1]ctLog::arn:aws:cloudtrail:us-east-1:769655955296:trail/IsengardTrail-DO-NOT-DELETE [trailWithCWLogsWithoutMetrics] - CloudTrail's Log to have log metrics [ap-southeast-1]ctLog::arn:aws:cloudtrail:ap-southeast-1:769655955296:trail/mys3buckettrail [us-east-1]ctLog::arn:aws:cloudtrail:us-east-1:769655955296:trail/aws-controltower-BaselineCloudTrail [trailWOMAConfig9]	CIS Cloudwatch Controls CIS Cloudwatch Controls
CloudWatch.	10	Need Attention	[NeedToEnableCloudTrail] [trailWithoutCWLogs] - CloudTrail to have CloudWatch Log [us-east-1]ctLog::arn:aws:cloudtrail:us-east-1:769655955296:trail/IsengardTrail-DO-NOT-DELETE [trailWithCWLogsWithoutMetrics] - CloudTrail's Log to have log metrics [ap-southeast-1]ctLog::arn:aws:cloudtrail:ap-southeast-1:769655955296:trail/mys3buckettrail [us-east-1]ctLog::arn:aws:cloudtrail:us-east-1:769655955296:trail/aws-controltower-BaselineCloudTrail [trailWOMASecGroup10]	CIS Cloudwatch Controls CIS Cloudwatch Controls
CloudWatch.	11	Need Attention	[NeedToEnableCloudTrail] [trailWithoutCWLogs] - CloudTrail to have CloudWatch Log [us-east-1]ctLog::arn:aws:cloudtrail:us-east-1:769655955296:trail/IsengardTrail-DO-NOT-DELETE [trailWithCWLogsWithoutMetrics] - CloudTrail's Log to have log metrics [ap-southeast-1]ctLog::arn:aws:cloudtrail:ap-southeast-1:769655955296:trail/mys3buckettrail [us-east-1]ctLog::arn:aws:cloudtrail:us-east-1:769655955296:trail/aws-controltower-BaselineCloudTrail [trailWOMANACL11]	CIS Cloudwatch Controls CIS Cloudwatch Controls
CloudWatch.	12	Need Attention	[NeedToEnableCloudTrail] [trailWithoutCWLogs] - CloudTrail to have CloudWatch Log [us-east-1]ctLog::arn:aws:cloudtrail:us-east-1:769655955296:trail/IsengardTrail-DO-NOT-DELETE [trailWithCWLogsWithoutMetrics] - CloudTrail's Log to have log metrics [ap-southeast-1]ctLog::arn:aws:cloudtrail:ap-southeast-1:769655955296:trail/mys3buckettrail [us-east-1]ctLog::arn:aws:cloudtrail:us-east-1:769655955296:trail/aws-controltower-BaselineCloudTrail [trailWOMAGateway12]	CIS Cloudwatch Controls CIS Cloudwatch Controls
CloudWatch.	13	Need Attention	[NeedToEnableCloudTrail] [trailWithoutCWLogs] - CloudTrail to have CloudWatch Log [us-east-1]ctLog::arn:aws:cloudtrail:us-east-1:769655955296:trail/IsengardTrail-DO-NOT-DELETE [trailWithCWLogsWithoutMetrics] - CloudTrail's Log to have log metrics [ap-southeast-1]ctLog::arn:aws:cloudtrail:ap-southeast-1:769655955296:trail/mys3buckettrail [us-east-1]ctLog::arn:aws:cloudtrail:us-east-1:769655955296:trail/aws-controltower-BaselineCloudTrail [trailWOMARouteTable13]	CIS Cloudwatch Controls CIS Cloudwatch Controls
CloudWatch.	14	Need Attention	[NeedToEnableCloudTrail] [trailWithoutCWLogs] - CloudTrail to have CloudWatch Log [us-east-1]ctLog::arn:aws:cloudtrail:us-east-1:769655955296:trail/IsengardTrail-DO-NOT-DELETE [trailWithCWLogsWithoutMetrics] - CloudTrail's Log to have log metrics [ap-southeast-1]ctLog::arn:aws:cloudtrail:ap-southeast-1:769655955296:trail/mys3buckettrail [us-east-1]ctLog::arn:aws:cloudtrail:us-east-1:769655955296:trail/aws-controltower-BaselineCloudTrail [trailWOMAVPC14]	CIS Cloudwatch Controls CIS Cloudwatch Controls
Config.	1	Need Attention	[EnableConfigService] [PartialEnableConfigService] - Enable AWS Config [GLOBAL]Account::Config	Enable AWS Config
EC2.	2	Need Attention	[SGDefaultDisallowTraffic] - Default Security Group with Rules [ap-northeast-1]SG::sg-0a9a9f1599f78e648 [ap-northeast-2]SG::sg-0e2f6a031113c6c65 [ap-northeast-3]SG::sg-0f1c015386fdeaef2 [ap-south-1]SG::sg-0ce181aa24e2327a0 [ap-southeast-1]SG::sg-0c82e152ce9347073, SG::sg-0442088071f74e66b [ap-southeast-2]SG::sg-06a87caeacb9bdc1c [ap-southeast-3]SG::sg-09c69789992976af0, SG::sg-07d450b94849d4deb [ap-southeast-5]SG::sg-0340a45e7f6dfdeef, SG::sg-0cdece98aec7d1e6c [ca-central-1]SG::sg-0807269705e2a7bce [eu-central-1]SG::sg-061edeb40615f37d8 [eu-north-1]SG::sg-0224dd542e0e0a188 [eu-west-1]SG::sg-0ee2cf797712225c6 [eu-west-2]SG::sg-0d712926de8d430e0 [eu-west-3]SG::sg-0d057db4a24c667d8 [sa-east-1]SG::sg-06a16f5c401b779ea [us-east-1]SG::sg-0f4d456d65b49cbcc, SG::sg-0562190d9d9c154da, SG::sg-0fe800a9602ab25ff [us-east-2]SG::sg-05b1211873efb1066 [us-west-1]SG::sg-0ac2b6884d3c7f382 [us-west-2]SG::sg-037dcb16366f739b8	VPC default security group rules
EC2.	6	Need Attention	[VPCFlowLogEnabled] - Enable VPC Flow Log [ap-northeast-1]VPC::vpc-0ab3a8658cd25c109 [ap-northeast-2]VPC::vpc-0ae9b620559740d70 [ap-northeast-3]VPC::vpc-06245ca22ea93c96c [ap-south-1]VPC::vpc-08fefc19c6abd7d80 [ap-southeast-1]VPC::vpc-065c917cd817f427e, VPC::vpc-06363c3059916c90e [ap-southeast-2]VPC::vpc-0df2ab7aba940c834 [ap-southeast-3]VPC::vpc-0652d450f2ab35cd2, VPC::vpc-0ffbb3d6d50b9623a [ap-southeast-5]VPC::vpc-021cbde25259594b9, VPC::vpc-0ce9c0784ff09b6b1 [ca-central-1]VPC::vpc-0b24c79e1f3663bd9 [eu-central-1]VPC::vpc-054f84d91b4742c04 [eu-north-1]VPC::vpc-085ff029f3856da68 [eu-west-1]VPC::vpc-030d57af9ec0578bd [eu-west-2]VPC::vpc-085d0e0d5a07e9174 [eu-west-3]VPC::vpc-01ee905f628fedbe1 [sa-east-1]VPC::vpc-0a2a2cba040ba08c5 [us-east-1]VPC::vpc-070496984d34d0248, VPC::vpc-0ba693df999b2fbc8 [us-east-2]VPC::vpc-068471871ab842bb8 [us-west-1]VPC::vpc-06acdacf8c135f707 [us-west-2]VPC::vpc-004f7662a794496b9	Amazon Elastic Compute Cloud controls
EC2.	7	Need Attention	[EBSEncrypted] - Enable EBS Encryption [ap-southeast-5]EBS::vol-088df622bcebd7a03 [us-west-2]EBS::vol-058a9449d61cf9461	Best practices for Amazon EC2
EC2.	21	Compliant	[NACLSensitivePort]
IAM.	1	Need Attention	[FullAdminAccess] - Limit permissions. [GLOBAL]Role::Admin, Role::AWSReservedSSO_AWSAdministratorAccess_ac7e558480de85c0, Role::ww_augnhtrole, Group::admin-group	AWS Docs Organization GuardRail Blog
IAM.	3	Compliant	[hasAccessKeyNoRotate90days]
IAM.	4	Compliant	[rootHasAccessKey]
IAM.	5	Compliant	[mfaActive]
IAM.	9	Need Attention	[rootMfaActive] - Enable MFA on root user [GLOBAL]User::root_id	AWS MFA IAM Best Practices
IAM.	15	Compliant	[passwordPolicyLength]
IAM.	16	Compliant	[passwordPolicyReuse]
IAM.	18	Not available	Please refer to the CIS control section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective CIS control.
IAM.	22	Compliant	[consoleLastAccess45] [consoleLastAccess90] [consoleLastAccess365]
KMS.	4	Need Attention	[KeyRotationEnabled] - Enable Key Rotation [ap-southeast-1]5d1b8bdf-8f89-42e1-85be-32f95811c17d [us-east-1]a2b67230-2e44-41c3-9176-ae9abaa920a0	Enable CMK Rotation
RDS.	3	Compliant	[StorageEncrypted]
S3.	1	Compliant	[S3AccountPublicAccessBlock]
S3.	5	Need Attention	[TlsEnforced] - Enforce Encryption of Data in Transit [ap-southeast-1]Bucket::aws-athena-query-results-769655955296-ap-southeast-1, Bucket::aws-cloudtrail-logs-769655955296-b457067d, Bucket::cf-templates-axtacndawvmi-ap-southeast-1, Bucket::config-bucket-769655955296, Bucket::tgw-flow-log-s3, Bucket::wwcurbucket, Bucket::wws3inventory [us-east-1]Bucket::aws-athena-query-results-cid-769655955296-us-east-1, Bucket::cf-templates-axtacndawvmi-us-east-1, Bucket::cid-769655955296-shared, Bucket::cloudtrail-awslogs-769655955296-fhklab3h-isengard-do-not-delete, Bucket::sagemaker-studio-769655955296-hn1cxm2eq5, Bucket::sagemaker-studio-edt80ljq4, Bucket::sagemaker-studio-nifj1w84os, Bucket::sagemaker-us-east-1-769655955296, Bucket::security-hub-format-s3bucketname-7uxkruwhbbhe, Bucket::securityhubcsvmanagerstac-securityhubexportbucket0-a2e5yuo0rpvs, Bucket::testcurver2bucket, Bucket::wwsagemakerbucket [us-west-2]Bucket::do-not-delete-gatedgarden-audit-769655955296	AWS Docs
S3.	8	Compliant	[PublicAccessBlock]
S3.	20	Need Attention	[MFADelete] - Enable MFA Delete [ap-southeast-1]Bucket::aws-athena-query-results-769655955296-ap-southeast-1, Bucket::aws-cloudtrail-logs-769655955296-b457067d, Bucket::cf-templates-axtacndawvmi-ap-southeast-1, Bucket::config-bucket-769655955296, Bucket::tgw-flow-log-s3, Bucket::wwcurbucket, Bucket::wws3inventory [us-east-1]Bucket::aws-athena-query-results-cid-769655955296-us-east-1, Bucket::cf-templates-axtacndawvmi-us-east-1, Bucket::cid-769655955296-shared, Bucket::cloudtrail-awslogs-769655955296-fhklab3h-isengard-do-not-delete, Bucket::sagemaker-studio-769655955296-hn1cxm2eq5, Bucket::sagemaker-studio-edt80ljq4, Bucket::sagemaker-studio-nifj1w84os, Bucket::sagemaker-us-east-1-769655955296, Bucket::security-hub-format-s3bucketname-7uxkruwhbbhe, Bucket::securityhubcsvmanagerstac-securityhubexportbucket0-a2e5yuo0rpvs, Bucket::testcurver2bucket, Bucket::wwsagemakerbucket [us-west-2]Bucket::do-not-delete-gatedgarden-audit-769655955296	Prevention for Accidental Deletions on S3 AWS Docs