CIS AWS Foundations Benchmarks

In this topic:

    CIS AWS Benchmark 1.1.0 released

    A new Compliance Bundle that supports the updated CIS AWS Foundations Benchmark 1.1.0 is now offered as part of the Dome9 Compliance module.

    Customer Impact

    You should be able to see this new bundle in the Compliance Bundle list. You can use this bundle as-is, or clone it and make changes per your specific needs. This bundle supports the latest CIS AWS Foundations Benchmark, so we strongly recommend that it be used instead of the older version, 1.0.0.


    Frequently Asked Questions

    • Can I still continue using the CIS AWS Foundation Version 1.0.0 bundle?

    Yes, we will continue to support both versions.

    • Can I still continue to use my own bundle cloned from CIS AWS Foundation Version 1.0.0?

    Yes. You can continue to use the compliance bundle you cloned from Version 1.0.0.

    • Can I use both the V 1.0.0 and Version 1.1.0 bundles?

    Yes, you can use both versions at any given time. Version 1.1.0 is released as a separate bundle, so it will not affect the runs and results of Version 1.0.0 or its clones.

    • If I use both versions, why do I see different results/scores on my dashboard?

    This is expected behavior. The Version 1.1.0 and Version 1.0.0 bundles follow two separate standards published by CIS. The relative weighting, rule counts, etc. all factor into the scores, and the guidelines in Version 1.1.0 are updated over those in Version 1.0.0, so you may see different scores when running these two bundles on the same AWS infrastructure. We strongly recommend that you plan to adopt Version 1.1.0 and discontinue using Version 1.0.0 at your earliest convenience.


    Dome9 Recommendations

    Cloned Bundles

    If you would like to keep your cloned bundle description up-to-date, please update the description of your cloned bundle to the following text:

    "Dome9 compliance bundle of CIS AWS Foundations Benchmark 1.0.0"

    This is how it should look after this change:

    If you have cloned the CIS AWS Foundations 1.0.0 bundle and made custom changes to it, we suggest that you create a new clone from CIS AWS Foundations Benchmark 1.1.0 and apply all your changes to the clone of this new version. The updated version has better rule coverage of the CIS AWS Foundations Benchmark described in the following publication: https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf

    If you need more information on how to clone compliance bundles, please contact our support team at support@dome9.com

    Continuous Compliance

    Consider using the CIS AWS Foundations Benchmark 1.1.0 bundle to run your Continuous Compliance assessments. Note that historical assessments can still be found under the previous bundle, CIS AWS Foundations 1.0.0.


    CIS AWS Foundations Benchmarks bundle differences (between versions 1.0.0 and 1.1.0)

    | CIS Recommendation | CIS AWS Foundations Benchmark 1.1.0 | Supported by Dome9? | Updates applied on CIS AWS Foundations bundle |
    |---|---|---|---|
    | CIS for AWS v1.1.0 Section 1.1 | Avoid the use of the "root" account | Yes | Rule update to make the check more specific: regexMatch /^<root_account>$/i is used to eliminate the false positives where "root" is part of a user name (for example a user called "GROOT") |
    | CIS for AWS v1.1.0 Section 1.2 | Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password | Yes | No changes |
    | CIS for AWS v1.1.0 Section 1.3 | Ensure credentials unused for 90 days or greater are disabled | Yes | No changes |
    | CIS for AWS v1.1.0 Section 1.4 | Ensure access keys are rotated every 90 days or less | Yes | No changes |
    | CIS for AWS v1.1.0 Section 1.5 | Ensure IAM password policy requires at least one uppercase letter | Yes | No changes |
    | CIS for AWS v1.1.0 Section 1.6 | Ensure IAM password policy requires at least one lowercase letter | Yes | No changes |
    | CIS for AWS v1.1.0 Section 1.7 | Ensure IAM password policy requires at least one symbol | Yes | No changes |
    | CIS for AWS v1.1.0 Section 1.8 | Ensure IAM password policy requires at least one number | Yes | No changes |
    | CIS for AWS v1.1.0 Section 1.9 | Ensure IAM password policy requires minimum length of 14 or greater | Yes | No changes |
    | CIS for AWS v1.1.0 Section 1.10 | Ensure IAM password policy prevents password reuse | Yes | No changes |
    | CIS for AWS v1.1.0 Section 1.11 | Ensure IAM password policy expires passwords within 90 days or less | Yes | No changes |
    | CIS for AWS v1.1.0 Section 1.12 | Ensure no root account access key exists | Yes | No changes |
    | CIS for AWS v1.1.0 Section 1.13 | Ensure MFA is enabled for the "root" account | Yes | Rule 1.13 changed to 1.14 |
    | CIS for AWS v1.1.0 Section 1.14 | Ensure hardware MFA is enabled for the "root" account | Yes | Rule 1.14 changed to 1.15 |
    | CIS for AWS v1.1.0 Section 1.15 | Ensure security questions are registered in the AWS account (Not Scored) | Yes | Rule 1.15 changed to 1.16 |
    | CIS for AWS v1.1.0 Section 1.16 | Ensure IAM policies are attached only to groups or roles | No | Rule update to make the check more specific. See also Section 1.1 |
    | CIS for AWS v1.1.0 Section 1.17 | Enable detailed billing | No | No API call for this action; not supported by Dome9 |
    | CIS for AWS v1.1.0 Section 1.18 | Ensure IAM Master and IAM Manager roles are active | No | No API call for this action; not supported by Dome9 |
    | CIS for AWS v1.1.0 Section 1.19 | Maintain current contact details | No | No API call for this action; not supported by Dome9 |
    | CIS for AWS v1.1.0 Section 1.20 | Ensure security contact information is registered | No | No API call for this action; rule 3.15 changed to 1.20 |
    | CIS for AWS v1.1.0 Section 1.21 | Ensure IAM instance roles are used for AWS resource access from instances (Not Scored) | No | Not scored by CIS; not supported in this version |
    | CIS for AWS v1.1.0 Section 1.22 | Ensure a support role has been created to manage incidents with AWS Support | Yes | Rule added |
    | CIS for AWS v1.1.0 Section 1.23 | Do not set up access keys during initial user setup for all IAM users that have a console password (Not Scored) | No | Not scored by CIS; not supported in this version |
    | CIS for AWS v1.1.0 Section 1.24 | Ensure IAM policies that allow full "*:*" administrative privileges are not created | Yes | Rule added |
    | CIS for AWS v1.1.0 Section 2.1 | Ensure CloudTrail is enabled in all regions | Yes | No changes |
    | CIS for AWS v1.1.0 Section 2.2 | Ensure CloudTrail log file validation is enabled | Yes | No changes |
    | CIS for AWS v1.1.0 Section 2.3 | Ensure the S3 bucket CloudTrail logs to is not publicly accessible | Yes | No changes |
    | CIS for AWS v1.1.0 Section 2.4 | Ensure CloudTrail trails are integrated with CloudWatch Logs | Yes | No changes |
    | CIS for AWS v1.1.0 Section 2.5 | Ensure AWS Config is enabled in all regions | Yes | Rule added |
    | CIS for AWS v1.1.0 Section 2.6 | Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket | Yes | No changes |
    | CIS for AWS v1.1.0 Section 2.7 | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | Yes | No changes |
    | CIS for AWS v1.1.0 Section 2.8 | Ensure rotation for customer created CMKs is enabled | Yes | No changes |
    | CIS for AWS v1.1.0 Section 3.1 | Ensure a log metric filter and alarm exist for unauthorized API calls | Yes | No changes |
    | CIS for AWS v1.1.0 Section 3.2 | Ensure a log metric filter and alarm exist for Management Console sign-in without MFA | Yes | Rule updated |
    | CIS for AWS v1.1.0 Section 3.3 | Ensure a log metric filter and alarm exist for usage of "root" account | Yes | No changes |
    | CIS for AWS v1.1.0 Section 3.4 | Ensure a log metric filter and alarm exist for IAM policy changes | Yes | No changes |
    | CIS for AWS v1.1.0 Section 3.5 | Ensure a log metric filter and alarm exist for CloudTrail configuration changes | Yes | No changes |
    | CIS for AWS v1.1.0 Section 3.6 | Ensure a log metric filter and alarm exist for AWS Management Console authentication failures | Yes | No changes |
    | CIS for AWS v1.1.0 Section 3.7 | Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs | Yes | No changes |
    | CIS for AWS v1.1.0 Section 3.8 | Ensure a log metric filter and alarm exist for S3 bucket policy changes | Yes | No changes |
    | CIS for AWS v1.1.0 Section 3.9 | Ensure a log metric filter and alarm exist for AWS Config configuration changes | Yes | No changes |
    | CIS for AWS v1.1.0 Section 3.10 | Ensure a log metric filter and alarm exist for security group changes | Yes | No changes |
    | CIS for AWS v1.1.0 Section 3.11 | Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) | Yes | No changes |
    | CIS for AWS v1.1.0 Section 3.12 | Ensure a log metric filter and alarm exist for changes to network gateways | Yes | No changes |
    | CIS for AWS v1.1.0 Section 3.13 | Ensure a log metric filter and alarm exist for route table changes | Yes | No changes |
    | CIS for AWS v1.1.0 Section 3.14 | Ensure a log metric filter and alarm exist for VPC changes | Yes | No changes |
    | CIS for AWS v1.1.0 Section 3.15 | Ensure security contact information is registered (Not Scored) | No | Moved to 1.20; no API call for this action; not supported by Dome9 |
    | CIS for AWS v1.1.0 Section 3.16 | Ensure appropriate subscribers to each SNS topic | Yes | Moved to 3.15; not scored by CIS; not supported in this version |
    | CIS for AWS v1.1.0 Section 4.1 | Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 | Yes | No changes |
    | CIS for AWS v1.1.0 Section 4.2 | Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 | Yes | No changes |
    | CIS for AWS v1.1.0 Section 4.3 | Ensure VPC Flow Logging is enabled in all applicable regions | Yes | No changes |
    | CIS for AWS v1.1.0 Section 4.4 | Ensure the default security group restricts all traffic | Yes | No changes |
    | CIS for AWS v1.1.0 Section 4.5 | Ensure routing tables for VPC peering are "least access" (Not Scored) | No | Not scored by CIS; not supported in this version |
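    The Section 1.1 row above describes replacing a loose name match with the anchored regexMatch /^<root_account>$/i so that a user such as "GROOT" is no longer reported as root usage. The following is an added illustration of that difference, not Dome9's rule engine or GSL: it runs both checks over a constructed IAM credential report and assumes only the column names and the literal "<root_account>" user name that AWS uses for the root row in that report.

```python
import csv
import io
import re
from datetime import datetime, timedelta, timezone

# The updated rule's check: anchored, case-insensitive match on the literal
# "<root_account>" user name the IAM credential report uses for the root identity.
ROOT_USER_RE = re.compile(r"^<root_account>$", re.IGNORECASE)

# Constructed sample credential report (not real data), trimmed to the columns used
# here: the root row plus an IAM user named GROOT that a substring check would flag.
SAMPLE_REPORT = """\
user,arn,password_last_used,access_key_1_last_used_date
<root_account>,arn:aws:iam::111122223333:root,2024-05-02T09:15:00+00:00,N/A
GROOT,arn:aws:iam::111122223333:user/GROOT,2024-05-03T10:00:00+00:00,N/A
alice,arn:aws:iam::111122223333:user/alice,no_information,2024-04-30T08:00:00+00:00
"""
SAMPLE_NOW = datetime(2024, 5, 3, 12, 0, tzinfo=timezone.utc)  # constructed "now"
NEVER_USED = ("N/A", "no_information", "not_supported")  # report markers for "never"

def naive_is_root(user: str) -> bool:
    """The loose check the update replaces: any name containing 'root' matches."""
    return "root" in user.lower()

def is_root(user: str) -> bool:
    """The anchored check from the 1.1.0 rule: only the root identity itself."""
    return ROOT_USER_RE.match(user) is not None

def root_used_recently(report_csv: str, now: datetime, days: int, matcher=is_root):
    """Return the user names `matcher` treats as root whose console password or
    first access key was used within the last `days` days."""
    cutoff = now - timedelta(days=days)
    flagged = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if not matcher(row["user"]):
            continue
        stamps = (row["password_last_used"], row["access_key_1_last_used_date"])
        used = [datetime.fromisoformat(s) for s in stamps if s not in NEVER_USED]
        if any(t >= cutoff for t in used):
            flagged.append(row["user"])
    return flagged

def compare_checks(days: int = 2):
    """Same report, both matchers: the loose one also flags GROOT, the anchored one does not."""
    return (root_used_recently(SAMPLE_REPORT, SAMPLE_NOW, days, naive_is_root),
            root_used_recently(SAMPLE_REPORT, SAMPLE_NOW, days, is_root))
```

    With the sample data, compare_checks() returns the GROOT false positive only from the loose matcher; a real run would feed the output of the IAM credential report into root_used_recently instead of SAMPLE_REPORT.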