CIS AWS Foundations (43 requirements)
Requirements in this framework
- CIS AWS Foundations v1.2 1.1: Avoid the use of the root user
- CIS AWS Foundations v1.2 1.10: Ensure IAM password policy prevents password reuse
- CIS AWS Foundations v1.2 1.11: Ensure IAM password policy expires passwords within 90 days or less
- CIS AWS Foundations v1.2 1.12: IAM root user access key should not exist
- CIS AWS Foundations v1.2 1.13: MFA should be enabled for the root user
- CIS AWS Foundations v1.2 1.14: Hardware MFA should be enabled for the root user
- CIS AWS Foundations v1.2 1.16: IAM users should not have IAM policies attached
- CIS AWS Foundations v1.2 1.18: Security contact information should be provided for an AWS account
- CIS AWS Foundations v1.2 1.2: MFA should be enabled for all IAM users that have a console password
- CIS AWS Foundations v1.2 1.22: IAM policies should not allow full "*" administrative privileges
- CIS AWS Foundations v1.2 1.3: Unused IAM user credentials should be removed
- CIS AWS Foundations v1.2 1.4: IAM users' access keys should be rotated every 90 days or less
- CIS AWS Foundations v1.2 1.5: Ensure IAM password policy requires at least one uppercase letter
- CIS AWS Foundations v1.2 1.6: Ensure IAM password policy requires at least one lowercase letter
- CIS AWS Foundations v1.2 1.7: Ensure IAM password policy requires at least one symbol
- CIS AWS Foundations v1.2 1.8: Ensure IAM password policy requires at least one number
- CIS AWS Foundations v1.2 1.9: Ensure IAM password policy requires minimum password length of 14 or greater
- CIS AWS Foundations v1.2 2.1: CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events
- CIS AWS Foundations v1.2 2.2: CloudTrail log file validation should be enabled
- CIS AWS Foundations v1.2 2.3: Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible
- CIS AWS Foundations v1.2 2.4: CloudTrail trails should be integrated with Amazon CloudWatch Logs
- CIS AWS Foundations v1.2 2.5: AWS Config should be enabled and use the service-linked role for resource recording
- CIS AWS Foundations v1.2 2.6: Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
- CIS AWS Foundations v1.2 2.7: CloudTrail should have encryption at-rest enabled
- CIS AWS Foundations v1.2 2.8: AWS KMS key rotation should be enabled
- CIS AWS Foundations v1.2 2.9: VPC flow logging should be enabled in all VPCs
- CIS AWS Foundations v1.2 3.1: Ensure a log metric filter and alarm exist for unauthorized API calls
- CIS AWS Foundations v1.2 3.10: Ensure a log metric filter and alarm exist for security group changes
- CIS AWS Foundations v1.2 3.11: Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)
- CIS AWS Foundations v1.2 3.12: Ensure a log metric filter and alarm exist for changes to network gateways
- CIS AWS Foundations v1.2 3.13: Ensure a log metric filter and alarm exist for route table changes
- CIS AWS Foundations v1.2 3.14: Ensure a log metric filter and alarm exist for VPC changes
- CIS AWS Foundations v1.2 3.2: Ensure a log metric filter and alarm exist for Management Console sign-in without MFA
- CIS AWS Foundations v1.2 3.3: A log metric filter and alarm should exist for usage of the "root" user
- CIS AWS Foundations v1.2 3.4: Ensure a log metric filter and alarm exist for IAM policy changes
- CIS AWS Foundations v1.2 3.5: Ensure a log metric filter and alarm exist for CloudTrail configuration changes
- CIS AWS Foundations v1.2 3.6: Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
- CIS AWS Foundations v1.2 3.7: Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer managed keys
- CIS AWS Foundations v1.2 3.8: Ensure a log metric filter and alarm exist for S3 bucket policy changes
- CIS AWS Foundations v1.2 3.9: Ensure a log metric filter and alarm exist for AWS Config configuration changes
- CIS AWS Foundations v1.2 4.1: Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 22
- CIS AWS Foundations v1.2 4.2: Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 3389
- CIS AWS Foundations v1.2 4.3: VPC default security groups should not allow inbound or outbound traffic