
CIS Amazon Web Services Foundations Benchmark

The CIS Amazon Web Services Foundations Benchmark is a set of security configuration best practices for AWS accounts and resources. The benchmark covers identity and access management, logging and monitoring, networking, data protection, and incident response.

Summary: [Not available:1] | [Compliant:15] | [Need Attention:22]

Breakdown

Framework: CIS Amazon Web Services Foundations Benchmark

Category | Rule ID | Compliance Status | Description | Reference

CloudTrail.1 | Compliant
  [NeedToEnableCloudTrail]
  [HasOneMultiRegionTrail]

CloudTrail.2 | Need Attention
  [RequiresKmsKey] - Enable SSE
    • [ap-southeast-1]Cloudtrail::IsengardTrail-DO-NOT-DELETE
  Reference: Encrypt CloudTrail using AWS KMS; CloudTrail Security Best Practices

CloudTrail.4 | Compliant
  [LogFileValidationEnabled]

CloudTrail.5 | Need Attention
  [CloudWatchLogsLogGroupArn] - CloudWatch for CloudTrail
    • [ap-southeast-1]Cloudtrail::IsengardTrail-DO-NOT-DELETE
  Reference: Using CloudWatch Logs with CloudTrail

CloudTrail.6 | Compliant
  [EnableS3PublicAccessBlock]

CloudTrail.7 | Need Attention
  [EnableTrailS3BucketLogging] - Enable S3 Bucket Logging
    • [ap-southeast-1]Cloudtrail::IsengardTrail-DO-NOT-DELETE
  Reference: Configure S3 Logging; Resilience in CloudTrail

CloudWatch.1 | Need Attention
  [NeedToEnableCloudTrail]
  [trailWithoutCWLogs] - CloudTrail to have CloudWatch Log
    • [us-east-1]ctLog::arn:aws:cloudtrail:us-east-1:961319563195:trail/IsengardTrail-DO-NOT-DELETE
  [trailWithCWLogsWithoutMetrics]
  [trailWOMAroot1]
  Reference: CIS Cloudwatch Controls

CloudWatch.4 | Need Attention
  [NeedToEnableCloudTrail]
  [trailWithoutCWLogs] - CloudTrail to have CloudWatch Log
    • [us-east-1]ctLog::arn:aws:cloudtrail:us-east-1:961319563195:trail/IsengardTrail-DO-NOT-DELETE
  [trailWithCWLogsWithoutMetrics]
  [trailWOMAalarm4]
  Reference: CIS Cloudwatch Controls

CloudWatch.5 | Need Attention
  [NeedToEnableCloudTrail]
  [trailWithoutCWLogs] - CloudTrail to have CloudWatch Log
    • [us-east-1]ctLog::arn:aws:cloudtrail:us-east-1:961319563195:trail/IsengardTrail-DO-NOT-DELETE
  [trailWithCWLogsWithoutMetrics]
  [trailWOMATrail5]
  Reference: CIS Cloudwatch Controls

CloudWatch.6 | Need Attention
  [NeedToEnableCloudTrail]
  [trailWithoutCWLogs] - CloudTrail to have CloudWatch Log
    • [us-east-1]ctLog::arn:aws:cloudtrail:us-east-1:961319563195:trail/IsengardTrail-DO-NOT-DELETE
  [trailWithCWLogsWithoutMetrics]
  [trailWOMAAuthFail6]
  Reference: CIS Cloudwatch Controls

CloudWatch.7 | Need Attention
  [NeedToEnableCloudTrail]
  [trailWithoutCWLogs] - CloudTrail to have CloudWatch Log
    • [us-east-1]ctLog::arn:aws:cloudtrail:us-east-1:961319563195:trail/IsengardTrail-DO-NOT-DELETE
  [trailWithCWLogsWithoutMetrics]
  [trailWOMACMK7]
  Reference: CIS Cloudwatch Controls

CloudWatch.8 | Need Attention
  [NeedToEnableCloudTrail]
  [trailWithoutCWLogs] - CloudTrail to have CloudWatch Log
    • [us-east-1]ctLog::arn:aws:cloudtrail:us-east-1:961319563195:trail/IsengardTrail-DO-NOT-DELETE
  [trailWithCWLogsWithoutMetrics]
  [trailWOMAS3Policy8]
  Reference: CIS Cloudwatch Controls

CloudWatch.9 | Need Attention
  [NeedToEnableCloudTrail]
  [trailWithoutCWLogs] - CloudTrail to have CloudWatch Log
    • [us-east-1]ctLog::arn:aws:cloudtrail:us-east-1:961319563195:trail/IsengardTrail-DO-NOT-DELETE
  [trailWithCWLogsWithoutMetrics]
  [trailWOMAConfig9]
  Reference: CIS Cloudwatch Controls

CloudWatch.10 | Need Attention
  [NeedToEnableCloudTrail]
  [trailWithoutCWLogs] - CloudTrail to have CloudWatch Log
    • [us-east-1]ctLog::arn:aws:cloudtrail:us-east-1:961319563195:trail/IsengardTrail-DO-NOT-DELETE
  [trailWithCWLogsWithoutMetrics]
  [trailWOMASecGroup10]
  Reference: CIS Cloudwatch Controls

CloudWatch.11 | Need Attention
  [NeedToEnableCloudTrail]
  [trailWithoutCWLogs] - CloudTrail to have CloudWatch Log
    • [us-east-1]ctLog::arn:aws:cloudtrail:us-east-1:961319563195:trail/IsengardTrail-DO-NOT-DELETE
  [trailWithCWLogsWithoutMetrics]
  [trailWOMANACL11]
  Reference: CIS Cloudwatch Controls

CloudWatch.12 | Need Attention
  [NeedToEnableCloudTrail]
  [trailWithoutCWLogs] - CloudTrail to have CloudWatch Log
    • [us-east-1]ctLog::arn:aws:cloudtrail:us-east-1:961319563195:trail/IsengardTrail-DO-NOT-DELETE
  [trailWithCWLogsWithoutMetrics]
  [trailWOMAGateway12]
  Reference: CIS Cloudwatch Controls

CloudWatch.13 | Need Attention
  [NeedToEnableCloudTrail]
  [trailWithoutCWLogs] - CloudTrail to have CloudWatch Log
    • [us-east-1]ctLog::arn:aws:cloudtrail:us-east-1:961319563195:trail/IsengardTrail-DO-NOT-DELETE
  [trailWithCWLogsWithoutMetrics]
  [trailWOMARouteTable13]
  Reference: CIS Cloudwatch Controls

CloudWatch.14 | Need Attention
  [NeedToEnableCloudTrail]
  [trailWithoutCWLogs] - CloudTrail to have CloudWatch Log
    • [us-east-1]ctLog::arn:aws:cloudtrail:us-east-1:961319563195:trail/IsengardTrail-DO-NOT-DELETE
  [trailWithCWLogsWithoutMetrics]
  [trailWOMAVPC14]
  Reference: CIS Cloudwatch Controls

Config.1 | Need Attention
  [EnableConfigService]
  [PartialEnableConfigService] - Enable AWS Config
    • [GLOBAL]Account::Config
  Reference: Enable AWS Config

EC2.2 | Need Attention
  [SGDefaultDisallowTraffic] - Default Security Group with Rules
    • [ap-southeast-1]SG::sg-34753642
    • [us-east-1]SG::sg-9b3e45a4
  Reference: VPC default security group rules

EC2.6 | Need Attention
  [VPCFlowLogEnabled] - Enable VPC Flow Log
    • [ap-southeast-1]VPC::vpc-0229dd64
    • [us-east-1]VPC::vpc-8d976df0
  Reference: Amazon Elastic Compute Cloud controls

EC2.7 | Compliant
  [EBSEncrypted]

EC2.21 | Compliant
  [NACLSensitivePort]

IAM.1 | Need Attention
  [FullAdminAccess] - Limit permissions.
    • [GLOBAL]Role::AWSReservedSSO_AWSAdministratorAccess_fae89f7963febc98, Role::DojoEC2AdminRole, Role::EC2AdminRole, Role::itadmin, Role::OrganizationAccountAccessRole, Role::PACICloudFormationStackSetExecutionRole, Role::ServiceScreenerAutomationRole, Role::stacksets-exec-7ca18804340a75b25a831ca17fba8659
  Reference: AWS Docs; Organization GuardRail Blog

IAM.3 | Compliant
  [hasAccessKeyNoRotate90days]

IAM.4 | Compliant
  [rootHasAccessKey]

IAM.5 | Compliant
  [mfaActive]

IAM.9 | Need Attention
  [rootMfaActive] - Enable MFA on root user
    • [GLOBAL]User::root_id
  Reference: AWS MFA; IAM Best Practices

IAM.15 | Compliant
  [passwordPolicyLength]

IAM.16 | Compliant
  [passwordPolicyReuse]

IAM.18 | Not available
  Please refer to the CIS control section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective CIS control.

IAM.22 | Compliant
  [consoleLastAccess45]
  [consoleLastAccess90]
  [consoleLastAccess365]

KMS.4 | Compliant
  [KeyRotationEnabled]

RDS.3 | Compliant
  [StorageEncrypted]

S3.1 | Compliant
  [S3AccountPublicAccessBlock]

S3.5 | Need Attention
  [TlsEnforced] - Enforce Encryption of Data in Transit
    • [ap-southeast-1]Bucket::aws-codestar-ap-southeast-1-961319563195, Bucket::aws-codestar-ap-southeast-1-961319563195-dojo-pipe, Bucket::codepipeline-ap-southeast-1-183991447891, Bucket::config-bucket-961319563195, Bucket::documentunderstandingsolutioncic-artifacts3bucket-dtr9a8q6yj2h, Bucket::documentunderstandingsolutioncicd-devoutputbucket-1m11zxjc9fhd6, Bucket::dojo-logs, Bucket::kuettai-solutions-bucket-ap-southeast-1
    • [us-east-1]Bucket::cloudtrail-awslogs-961319563195-pyvnhwtz-isengard-do-not-delete, Bucket::kuettai-dojo01
  Reference: AWS Docs

S3.8 | Compliant
  [PublicAccessBlock]

S3.20 | Need Attention
  [MFADelete] - Enable MFA Delete
    • [ap-southeast-1]Bucket::aws-codestar-ap-southeast-1-961319563195, Bucket::aws-codestar-ap-southeast-1-961319563195-dojo-pipe, Bucket::codepipeline-ap-southeast-1-183991447891, Bucket::config-bucket-961319563195, Bucket::documentunderstandingsolutioncic-artifacts3bucket-dtr9a8q6yj2h, Bucket::documentunderstandingsolutioncicd-devoutputbucket-1m11zxjc9fhd6, Bucket::dojo-logs, Bucket::kuettai-solutions-bucket-ap-southeast-1
    • [us-east-1]Bucket::cloudtrail-awslogs-961319563195-pyvnhwtz-isengard-do-not-delete, Bucket::kuettai-dojo01
  Reference: Prevention for Accidental Deletions on S3; AWS Docs