CIS Amazon Web Services Foundations Benchmark

Overview

Center for Internet Security (CIS) provides set of best practices and security recommendations which is referred to as Amazon Web Services (AWS) Foundations Benchmark. These benchmarks are provided for enhancing the security of the AWS environments.

Purpose

The CIS AWS Foundations Benchmark serves as a crucial resource for organizations looking to establish a strong security foundation in their AWS infrastructure. It offers a well-defined and widely-recognized set of security guidelines tailored specifically for AWS environments. The primary purposes of this benchmark are:

1. Security Enhancement: The benchmark is designed to assist organizations in proactively identifying and addressing security vulnerabilities, misconfigurations, and best practices that are essential to the security of AWS resources.

2. Compliance Alignment: In a rapidly evolving regulatory landscape, the benchmark helps organizations align with industry and regulatory compliance requirements by providing detailed security recommendations.

3. Standardization: By offering a universally accepted set of best practices, the benchmark encourages the adoption of standardized security practices across AWS environments, ensuring consistency and uniformity in security configurations.

Importance

Securing AWS resources is of paramount importance for several reasons:

• Data Protection: AWS environments often handle sensitive data, and inadequate security measures can result in data breaches and loss.

• Operational Continuity: Security incidents can disrupt operations and lead to downtime, making a secure AWS environment essential for maintaining business continuity.

• Reputation and Trust: Security incidents can damage an organization's reputation and erode trust among customers and partners. Implementing robust security measures is crucial for maintaining trust and integrity.

• Legal and Regulatory Compliance: Many industries and jurisdictions have stringent data protection and security regulations. Non-compliance can lead to legal consequences and liabilities.

By adhering to the recommendations outlined in the CIS AWS Foundations Benchmark, organizations can significantly bolster the security of their AWS cloud resources, protect their assets, and mitigate potential security threats effectively.

How BOS targets CIS AWS Foundations Benchmarks v2.0.0

Benchmark Index	CIS Benchmark Recommendation	BOS Env Template Supports	BOS Pipeline Template Supports	BOS Default	Comments
1.0	Identity and Access Management
1.1	Maintain current contact details	Yes	NA	No	Configurable with BOS Template. Not applied in default as account owners should be responsible for maintaining current contact details.
1.10	Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password	NA	NA	NA	We are not creating any user for template which has console access enabled. This falls outside the scope of current BOS Template.
1.11	Do not setup access keys during initial user setup for all IAM users that have a console password	NA	NA	NA	We are not creating any user for template which has console access enabled. This falls outside the scope of current BOS Template.
1.12	Ensure credentials unused for 45 days or greater are disabled	NA	NA	NA	We are not creating any user for template which has console access enabled.
1.13	Ensure there is only one active access key available for any single IAM user	Yes	No	Yes	IAM Users created by ENV Template has only one active access key
1.14	Ensure access keys are rotated every 90 days or less	Yes	No	Yes	IAM Users created by ENV Template has the provision to rotate access keys with a parameter
1.15	Ensure IAM Users Receive Permissions Only Through Groups	Yes	No	Yes	We give permissions to iam users created through groups.
1.16	Ensure IAM policies that allow full "*:*" administrative privileges are not attached	Yes	No	Yes	ENV Template follows standard security advice to grant least privilege, IAM policies created by ENV template does not allow full "*:*" administrative privileges
1.17	Ensure a support role has been created to manage incidents with AWS Support	NA	NA	NA	This falls outside the scope of current BOS Template.
1.18	Ensure IAM instance roles are used for AWS resource access from instances	Yes	No	Yes	We create instance role for any ec2 created from ENV Template
1.19	Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed	NA	NA	NA	We are making use of certificates from ACM not from IAM. We have provision to remove certificate or update certificate in ACM through our ENV template parameters.
1.2	Ensure security contact information is registered	Yes	NA	No	Configurable with BOS Template. Not applied in default as account owners should be responsible for maintaining security contact details.
1.20	Ensure that IAM Access analyser is enabled for all regions	Yes	No	Yes	We create IAM Access analyser as part of the environment.
1.21	Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments	NA	NA	NA	This falls outside the scope of current BOS Template.
1.22	Ensure access to AWSCloudShellFullAccess is restricted	NA	NA	NA	We are not using AWSCloudShellFullAccess Policy in our templates
1.3	Ensure security questions are registered in the AWS account	NA	NA	NA	We need to setup authentication using secret questions for root user. This is an AWS Account configuration, not relating to specific environment.
1.4	Ensure no 'root' user account access key exists	NA	NA	NA	Users created by BOS Template are non root and have the provision to renew access key. Users created outside the BOS template does not fall in the scope.
1.5	Ensure MFA is enabled for the 'root' user account	NA	NA	NA	We should setup MFA for the 'root' user. This falls outside the scope of current BOS Template
1.6	Ensure hardware MFA is enabled for the 'root' user account	NA	NA	NA	We should setup Hardware MFA for the 'root' user. This falls outside the scope of current BOS Template.
1.7	Eliminate use of the 'root' user for administrative and daily tasks	NA	NA	NA	We don't use Root user for our templates to run.
1.8	Ensure IAM password policy requires minimum length of 14 or greater	Yes	No	Yes	Configurable with BOS Template with parameters.
1.9	Ensure IAM password policy prevents password reuse	Yes	No	Yes	Configurable with BOS Template with parameters.
2.1	Simple Storage Service (S3)
2.1.1	Ensure S3 Bucket Policy is set to deny HTTP requests	Yes	No	Yes	Our template provisions s3 which deny HTTP requests.
2.1.2	Ensure MFA Delete is enabled on S3 buckets	NA	NA	NA	This feature works best outside of ENV Template.
2.1.3	Ensure all data in Amazon S3 has been discovered, classified and secured when required.	Yes	No	No	Our template has the provision to enable/disable Amazon Macie to discover data from s3 Not enabled in default to limit cost
2.1.4	Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'	Yes	No	Yes	Our template provisions s3 which blocks all public access.
2.2	Elastic Compute Cloud (EC2)
2.2.1	Ensure EBS Volume Encryption is Enabled in all Regions	Yes	No	Yes	Our template provisions EBS Volumes which are encrypted.
2.3	Relational Database Service (RDS)
2.3.1	Ensure that encryption-at-rest is enabled for RDS Instances	Yes	No	Yes	We are encrypting the RDS instances with CMK
2.3.2	Ensure Auto Minor Version Upgrade feature is Enabled for RDS Instances	Yes	No	Yes	We have provision to enable with our ENV template parameters.
2.3.3	Ensure that public access is not given to RDS Instance	Yes	No	Yes	We have disabled public access.
2.4	Elastic File System (EFS)
2.4.1	Ensure that encryption is enabled for EFS file systems	NA	NA	NA	We are not making use of any EFS file systems yet.
3.0	Logging
3.1	Ensure CloudTrail is enabled in all regions	Yes	No	Yes	We have provision to enable this with our ENV template parameters.
3.10	Ensure that Object-level logging for write events is enabled for S3 bucket	Yes	No	Yes	We have provision to enable this with our ENV template parameters.
3.11	Ensure that Object-level logging for read events is enabled for S3 bucket	Yes	No	Yes	We have provision to enable this with our ENV template parameters.
3.2	Ensure CloudTrail log file validation is enabled	Yes	No	Yes	We have provision to enable this with our ENV template parameters.
3.3	Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible	Yes	No	Yes	Our template provisions s3 which blocks all public access.
3.4	Ensure CloudTrail trails are integrated with CloudWatch Logs	Yes	No	Yes	We have provision to enable this with our ENV template parameters.
3.5	Ensure AWS Config is enabled in all regions	Yes	No	No	We have provision to enable this with our ENV template parameters. Not enabled in default to limit cost
3.6	Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket	Yes	No	Yes	We have provision to enable this with our ENV template parameters.
3.7	Ensure CloudTrail logs are encrypted at rest using KMS CMKs	Yes	No	Yes	We encrypt the s3 where logs are stored and CloudTrail with keys stored in KMS
3.8	Ensure rotation for customer created symmetric CMKs is enabled	Yes	No	Yes	We have provision to enable this with our ENV template parameters.
3.9	Ensure VPC flow logging is enabled in all VPCs	Yes	No	Yes	We have provision to enable this with our ENV template parameters.
4.0	Monitoring
4.1	Ensure unauthorized API calls are monitored	Yes	No	Yes	BOS ENV Template configures an alert to monitor this.
4.10	Ensure security group changes are monitored	Yes	No	Yes	BOS ENV Template configures an alert to monitor this.
4.11	Ensure Network Access Control Lists (NACL) changes are monitored	Yes	No	Yes	BOS ENV Template configures an alert to monitor this.
4.12	Ensure changes to network gateways are monitored	Yes	No	Yes	BOS ENV Template configures an alert to monitor this.
4.13	Ensure route table changes are monitored	Yes	No	Yes	BOS ENV Template configures an alert to monitor this.
4.14	Ensure VPC changes are monitored	Yes	No	Yes	BOS ENV Template configures an alert to monitor this.
4.15	Ensure AWS Organizations changes are monitored	Yes	No	Yes	BOS ENV Template configures an alert to monitor this.
4.16	Ensure AWS Security Hub is enabled	Yes	No	No	BOS ENV Template supports enablement of security hub with an parameter Not enabled in default to limit cost
4.2	Ensure management console sign-in without MFA is monitored	Yes	No	Yes	BOS ENV Template configures an alert to monitor this.
4.3	Ensure usage of 'root' account is monitored	Yes	No	Yes	BOS ENV Template configures an alert to monitor this.
4.4	Ensure IAM policy changes are monitored	Yes	No	Yes	BOS ENV Template configures an alert to monitor this.
4.5	Ensure CloudTrail configuration changes are monitored	Yes	No	Yes	BOS ENV Template configures an alert to monitor this.
4.6	Ensure AWS Management Console authentication failures are monitored	Yes	No	Yes	BOS ENV Template configures an alert to monitor this.
4.7	Ensure disabling or scheduled deletion of customer created CMKs is monitored	Yes	No	Yes	BOS ENV Template configures an alert to monitor this.
4.8	Ensure S3 bucket policy changes are monitored	Yes	No	Yes	BOS ENV Template configures an alert to monitor this.
4.9	Ensure AWS Config configuration changes are monitored	Yes	No	Yes	BOS ENV Template configures an alert to monitor this.
5.0	Networking
5.1	Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports	NA	NA	NA	We are making use if security groups instead of ACLs
5.2	Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports	Yes	No	Yes	We are not making use of any 0.0.0.0/0 for remote server administration in any security groups
5.3	Ensure no security groups allow ingress from ::/0 to remote server administration ports	Yes	No	Yes	We are not making use of any 0.0.0.0/0 for remote server administration in any security groups
5.4	Ensure the default security group of every VPC restricts all traffic	Yes	NA	Yes	Our template creates VPC with default security group rules which restricts all traffic
5.5	Ensure routing tables for VPC peering are "least access"	NA	NA	NA	We are not establishing any VPC Peering
5.6	Ensure that EC2 Metadata Service only allows IMDSv2	Yes	No	Yes	Instance Metadata Service Version 2 (IMDSv2) is allowed through our ENV Template parameter.

✖