CIS Amazon Web Services Foundations Benchmark v1.2.0
  • 29 Minutes To Read
  • Print
  • Share
  • Dark
    Light

CIS Amazon Web Services Foundations Benchmark v1.2.0

  • Print
  • Share
  • Dark
    Light

CIS released the CIS Amazon Web Services (AWS) Foundations Benchmark, intended for system and application administrators, security specialists, auditors, help desk, platform deployment, and/or DevOps personnel who plan to develop, deploy, assess, or secure solutions in Amazon Web Services. This benchmark was created using a consensus review process comprised of subject matter experts. Consensus participants provide perspective from a diverse set of backgrounds including consulting, software development, audit and compliance, security research, operations, government, and legal.

The CIS AWS Foundations Benchmark consists of recommendation rules in 4 distinct categories:

  1. Identity and Access Management
  2. Logging
  3. Monitoring
  4. Networking

We’ll now examine the individual rules in these categories, explain why they matter, and then show how Axonius customers are able to ensure they meet the benchmark set forth by CIS.

1. Identity and Access Management.

1.1 Avoid the use of the "root" account

Description

  • What It Means: The "root" account has unrestricted access to all resources in the AWS account. It is highly recommended that the use of this account be avoided.
  • Why It Matters: The "root" account is the most privileged AWS account. Minimizing the use of this account and adopting the principle of least privilege for access management will reduce the risk of accidental changes and unintended disclosure of highly privileged credentials.

CIS Controls

  • 4.3 Ensure the Use of Dedicated Administrative Accounts
    Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not internet browsing, email, or similar activities.

1.2 Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password

Description

  • What It Means: Multi-Factor Authentication (MFA) adds an extra layer of protection on top of a username and password. With MFA enabled, when a user signs into an AWS website, they will be prompted for their username and password as well as for an authentication code from their AWS MFA device. It is recommended that MFA be enabled for all accounts that have a console password.
  • Why It Matters: Enabling MFA provides increased security for console access as it requires the authenticating principal to possess a device that emits a time-sensitive key and have knowledge of a credential.

CIS Controls

4.5 Use Multifactor Authentication For All Administrative Access
Use multi-factor authentication and encrypted channels for all administrative account access.

1.3 Ensure credentials unused for 90 days or greater are disabled

Description

  • What It Means: AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all credentials that have been unused in 90 or greater days be removed or deactivated.
  • Why It Matters: Disabling or removing unnecessary credentials will reduce the window of opportunity for credentials associated with a compromised or abandoned account to be used.

CIS Controls

16.9 Disable Dormant Accounts
Automatically disable dormant accounts after a set period of inactivity.

1.4 Ensure access keys are rotated every 90 days or less

Description

  • What It Means: Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. It is recommended that all access keys be regularly rotated.
  • Why It Matters: Rotating access keys will reduce the window of opportunity for an access key
    that is associated with a compromised or terminated account to be used. Access keys should be rotated to ensure that data cannot be accessed with an old key which might have been lost, cracked, or stolen.

CIS Controls

16 Account Monitoring and Control
Account Monitoring and Control

1.5 Ensure IAM password policy requires at least one uppercase letter

Description

  • What It Means: Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one uppercase letter.
  • Why It Matters: Setting a password complexity policy increases account resiliency against brute force login attempts

CIS Controls

16 Account Monitoring and Control
Account Monitoring and Control

1.6 Ensure IAM password policy require at least one lowercase letter

Description

  • What It Means: Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one lowercase letter.
  • Why It Matters: Setting a password complexity policy increases account resiliency against
    brute force login attempts.

CIS Controls

16 Account Monitoring and Control
Account Monitoring and Control

1.7 Ensure IAM password policy require at least one symbol

Description

  • What It Means: Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one symbol.
  • Why It Matters: Setting a password complexity policy increases account resiliency against brute force login attempts.

CIS Controls

16 Account Monitoring and Control
Account Monitoring and Control

1.8 Ensure IAM password policy require at least one number

Description

  • What It Means: Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one number.
  • Why It Matters: Setting a password complexity policy increases account resiliency against brute force login attempts.

CIS Controls

16 Account Monitoring and Control
Account Monitoring and Control

1.9 Ensure IAM password policy requires minimum length of 14 or greater

Description

  • What It Means: Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are at least a given length. It is recommended that the password policy require a minimum password length 14.
  • Why It Matters: Setting a password complexity policy increases account resiliency against brute force login attempts.

CIS Controls

16 Account Monitoring and Control
Account Monitoring and Control

1.10 Ensure IAM password policy prevents password reuse

Description

  • What It Means: IAM password policies can prevent the reuse of a given password by the same user. It is recommended that the password policy prevent the reuse of passwords.
  • Why It Matters: Preventing password reuse increases account resiliency against brute force login attempts.

CIS Controls

4.4 Use Unique Passwords
Where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.

1.11 Ensure IAM password policy expires passwords within 90 days or less

Description

  • What It Means: IAM password policies can require passwords to be rotated or expired after a given number of days. It is recommended that the password policy expire passwords after 90 days or less.
  • Why It Matters: Reducing the password lifetime increases account resiliency against brute force login attempts. Additionally, requiring regular password changes help in the following scenarios:
    • Passwords can be stolen or compromised sometimes without your knowledge. This can happen via a system compromise, software vulnerability, or internal threat.
    • Certain corporate and government web filters or proxy servers have the ability to intercept and record traffic even if it's encrypted.
    • Many people use the same password for many systems such as work, email, and personal.
    • Compromised end user workstations might have a keystroke logger.

CIS Controls

16 Account Monitoring and Control
Account Monitoring and Control

1.12 Ensure no root account access key exists

Description

  • What It Means: The root account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. It is recommended that all access keys associated with the root account be removed.
  • Why It Matters: Removing access keys associated with the root account limits vectors by which the account can be compromised. Additionally, removing the root access keys encourages the creation and use of role-based accounts that are least privileged.

CIS Controls

4.3 Ensure the Use of Dedicated Administrative Accounts
Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not internet browsing, email, or similar activities.

1.13 Ensure MFA is enabled for the "root" account

Description

  • What It Means: The root account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a username and password. With MFA enabled, when a user signs into an AWS website, they will be prompted for their username and password as well as for an authentication code from their AWS MFA device. Note: When virtual MFA is used for root accounts, it is recommended that the device used is NOT a personal device, but rather a dedicated mobile device (tablet or phone) that is managed to be kept charged and secured independent of any individual personal devices. ("non-personal virtual MFA") This lessens the risks of losing access to the MFA due to device loss, device trade-in or if the individual owning the device is no longer employed at the company.
  • Why It Matters: Enabling MFA provides increased security for console access as it requires the authenticating principal to possess a device that emits a time-sensitive key and have knowledge of a credential.

CIS Controls

4.5 Use Multifactor Authentication For All Administrative Access
Use multi-factor authentication and encrypted channels for all administrative account access.

1.14 Ensure hardware MFA is enabled for the "root" account

Description

  • What It Means: The root account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a username and password. With MFA enabled, when a user signs into an AWS website, they will be prompted for their username and password as well as for an authentication code from their AWS MFA device. For Level 2, it is recommended that the root account be protected with a hardware MFA.
  • Why It Matters: A hardware MFA has a smaller attack surface than a virtual MFA. For example, a hardware MFA does not suffer the attack surface introduced by the mobile smartphone on which a virtual MFA resides.

CIS Controls

4.5 Use Multifactor Authentication For All Administrative Access
Use multi-factor authentication and encrypted channels for all administrative account access.

1.16 Ensure IAM policies are attached only to groups or roles

Description

  • What It Means: By default, IAM users, groups, and roles have no access to AWS resources. IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended that IAM policies be applied directly to groups and roles but not users.
  • Why It Matters: Assigning privileges at the group or role level reduces the complexity of access management as the number of users grow. Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.

CIS Controls

16 Account Monitoring and Control
Account Monitoring and Control

1.20 Ensure a support role has been created to manage incidents with AWS Support

Description

  • What It Means: AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. Create an IAM Role to allow authorized users to manage incidents with AWS Support.
  • Why It Matters: By implementing least privilege for access control, an IAM Role will require an appropriate IAM Policy to allow Support Center Access in order to manage Incidents with AWS Support.

1.22 Ensure IAM policies that allow full ":" administrative privileges are not created

Description

  • What It Means: IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended and considered a standard security advice to grant least privilege—that is, granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform only those tasks, instead of allowing full administrative privileges.
  • Why It Matters: It's more secure to start with a minimum set of permissions and grant additional permissions as necessary, rather than starting with permissions that are too lenient and then trying to tighten them later. Providing full administrative privileges instead of restricting to the minimum set of permissions that the user is required to do exposes the resources to potentially unwanted actions. IAM policies that have a statement with "Effect": "Allow" with "Action": "" over "Resource": "" should be removed.

CIS Controls

4 Controlled Use of Administrative Privileges
Controlled Use of Administrative Privileges

2. Logging

2.1 Ensure CloudTrail is enabled in all regions

Description

  • What It Means: AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an account, including API calls made via the Management Console, SDKs, command line tools, and higher-level AWS services (such as CloudFormation).
  • Why It Matters: The AWS API call history produced by CloudTrail enables security analysis, esource change tracking, and compliance auditing. Additionally,
    • Esuring that a multi-regions trail exists will ensure that unexpected activity occurring n otherwise unused regions is detected
    • Ensuring that a multi-regions trail exists will ensure that Global Service Logging is enabled for a trail by default to capture recording of events generated on AWS global services.
    • For a multi-regions trail, ensuring that management events configured for all type of Read/Writes ensures recording of management operations that are performed on all resources in an AWS account

CIS Controls

6.2 Activate audit logging
Ensure that local logging has been enabled on all systems and networking devices.

2.2 Ensure CloudTrail log file validation is enabled

Description

  • What It Means: CloudTrail log file validation creates a digitally signed digest file containing a hash of each log that CloudTrail writes to S3. These digest files can be used to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log. It is recommended that file validation be enabled on all CloudTrails.
  • Why It Matters: Enabling log file validation will provide additional integrity checking of CloudTrail logs.

CIS Controls

6 Maintenance, Monitoring and Analysis of Audit Logs
Maintenance, Monitoring and Analysis of Audit Logs

2.3 Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible

Description

  • What It Means: CloudTrail logs a record of every API call made in your AWS account. These log files are stored in an S3 bucket. It is recommended that the bucket policy, or access control list (ACL), applied to the S3 bucket that CloudTrail logs to prevents public access to the CloudTrail logs.
  • Why It Matters: Allowing public access to CloudTrail log content may aid an adversary in identifying weaknesses in the affected account's use or configuration.

CIS Controls

14.6 Protect Information through Access Control Lists
Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.

2.4 Ensure CloudTrail trails are integrated with CloudWatch Logs

Description

  • What It Means: AWS CloudTrail is a web service that records AWS API calls made in a given AWS account. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail uses Amazon S3 for log file storage and delivery, so log files are stored durably. In addition to capturing CloudTrail logs within a specified S3 bucket for long term analysis, real-time analysis can be performed by configuring CloudTrail to send logs to CloudWatch Logs. For a trail that is enabled in all regions in an account, CloudTrail sends log files from all those regions to a CloudWatch Logs log group. It is recommended that CloudTrail logs be sent to CloudWatch Logs. Note: The intent of this recommendation is to ensure AWS account activity is being captured, monitored, and appropriately alarmed on. CloudWatch Logs is a native way to accomplish this using AWS services but does not preclude the use of an alternate solution.
  • Why It Matters: Sending CloudTrail logs to CloudWatch Logs will facilitate real-time and historic activity logging based on user, API, resource, and IP address, and provides opportunity to establish alarms and notifications for anomalous or sensitivity account activity.

CIS Controls

6.2 Activate audit logging
Ensure that local logging has been enabled on all systems and networking devices.
6.5 Central Log Management
Ensure that appropriate logs are being aggregated to a central log management system for analysis and review.

2.5 Ensure AWS Config is enabled in all regions

Description

  • What It Means: AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), any configuration changes between resources. It is recommended to enable AWS Config in all regions.
  • Why It Matters: The AWS configuration item history captured by AWS Config enables security analysis, resource change tracking, and compliance auditing.

CIS Controls

1.4 Maintain Detailed Asset Inventory
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or process information. This inventory shall include all hardware assets, whether connected to the organization's network or not.
11.2 Document Traffic Configuration Rules
All configuration rules that allow traffic to flow through network devices should be documented in a configuration management system with a specific business reason for each rule, a specific individual’s name responsible for that business need, and an expected duration of the need.
16.1 Maintain an Inventory of Authentication Systems
Maintain an inventory of each of the organization's authentication systems, including those located onsite or at a remote service provider.

2.6 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket

Description

  • What It Means: S3 Bucket Access Logging generates a log that contains access records for each request made to your S3 bucket. An access log record contains details about the request, such as the request type, the resources specified in the request worked, and the time and date the request was processed. It is recommended that bucket access logging be enabled on the CloudTrail S3 bucket.
  • Why It Matters: By enabling S3 bucket logging on target S3 buckets, it is possible to capture all events which may affect objects within target buckets. Configuring logs to be placed in a separate bucket allows access to log information which can be useful in security and incident response workflows.

CIS Controls

6.2 Activate audit logging
Ensure that local logging has been enabled on all systems and networking devices.
14.9 Enforce Detail Logging for Access or Changes to Sensitive Data
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).

2.7 Ensure CloudTrail logs are encrypted at rest using KMS CMKs

Description

  • What It Means: AWS CloudTrail is a web service that records AWS API calls for an account and makes those logs available to users and resources in accordance with IAM policies. AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data and uses Hardware Security Modules (HSMs) to protect the security of encryption keys. CloudTrail logs can be configured to leverage server-side encryption (SSE) and KMS customer created master keys (CMK) to further protect CloudTrail logs. It is recommended that CloudTrail be configured to use SSE- KMS.
  • Why It Matters: Configuring CloudTrail to use SSE-KMS provides additional confidentiality controls on log data as a given user must have S3 read permission on the corresponding log bucket and must be granted decrypt permission by the CMK policy.

CIS Controls

6 Maintenance, Monitoring and Analysis of Audit Logs
Maintenance, Monitoring and Analysis of Audit Logs

2.8 Ensure rotation for customer created CMKs is enabled

Description

  • What It Means: AWS Key Management Service (KMS) allows customers to rotate the backing key which is key material stored within the KMS which is tied to the key ID of the Customer Created customer master key (CMK). It is the backing key that is used to perform cryptographic operations such as encryption and decryption. Automated key rotation currently retains all prior backing keys so that decryption of encrypted data can take place transparently. It is recommended that CMK key rotation be enabled.
  • Why It Matters: Rotating encryption keys helps reduce the potential impact of a compromised key as data encrypted with a new key cannot be accessed with a previous key that may have been exposed.

CIS Controls

6 Maintenance, Monitoring and Analysis of Audit Logs
Maintenance, Monitoring and Analysis of Audit Logs

2.9 Ensure VPC flow logging is enabled in all VPCs

Description

  • What It Means: VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. It is recommended that VPC Flow Logs be enabled for packet "Rejects" for VPCs.
  • Why It Matters: VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.

CIS Controls

6.2 Activate audit logging
Ensure that local logging has been enabled on all systems and networking devices.
12.5 Configure Monitoring Systems to Record Network Packets
Configure monitoring systems to record network packets passing through the boundary at each of the organization's network boundaries.

3. Monitoring

3.1 Ensure a log metric filter and alarm exist for unauthorized API calls

Description

  • What It Means: Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for unauthorized API calls.
  • Why It Matters: Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.

CIS Controls

6.5 Central Log Management
Ensure that appropriate logs are being aggregated to a central log management system for analysis and review.
6.7 Regularly Review Logs
On a regular basis, review logs to identify anomalies or abnormal events.

3.2 Ensure a log metric filter and alarm exist for Management Console sign-in without MFA

Description

  • What It Means: Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for console logins that are not protected by multi-factor authentication (MFA).
  • Why It Matters: Monitoring for single-factor console logins will increase visibility into accounts that are not protected by MFA.

CIS Controls

16 Account Monitoring and Control
Account Monitoring and Control

3.3 Ensure a log metric filter and alarm exist for usage of "root" account

Description

  • What It Means: Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for root login attempts.
  • Why It Matters: Monitoring for root account logins will provide visibility into the use of a fully privileged account and an opportunity to reduce the use of it.

CIS Controls

4.9 Log and Alert on Unsuccessful Administrative Account Login
Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.

3.4 Ensure a log metric filter and alarm exist for IAM policy changes

Description

  • What It Means: Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established changes made to Identity and Access Management (IAM) policies.
  • Why It Matters: Monitoring changes to IAM policies will help ensure authentication and authorization controls remain intact.

CIS Controls

16 Account Monitoring and Control
Account Monitoring and Control

3.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes

Description

  • What It Means: Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations.
  • Why It Matters: Monitoring changes to CloudTrail's configuration will help ensure sustained visibility to activities performed in the AWS account.

CIS Controls

6 Maintenance, Monitoring and Analysis of Audit Logs
Maintenance, Monitoring and Analysis of Audit Logs

3.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures

Description

  • What It Means: Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for failed console authentication attempts.
  • Why It Matters: Monitoring failed console logins may decrease lead time to detect an attempt to brute force a credential, which may provide an indicator, such as source IP, that can be used in other event correlations.

CIS Controls

16 Account Monitoring and Control
Account Monitoring and Control

3.7 Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs

Description

  • What It Means: Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for customer created CMKs which have changed state to disabled or scheduled deletion.
    Why It Matters: Data encrypted with disabled or deleted keys will no longer be accessible.

CIS Controls

16 Account Monitoring and Control
Account Monitoring and Control

3.8 Ensure a log metric filter and alarm exist for S3 bucket policy changes

Description

What It Means: Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for changes to S3 bucket policies.
Why It Matters: Monitoring changes to S3 bucket policies may reduce time to detect and correct permissive policies on sensitive S3 buckets.

CIS Controls

6.2 Activate audit logging
Ensure that local logging has been enabled on all systems and networking devices.
14 Controlled Access Based on the Need to Know
Controlled Access Based on the Need to Know

3.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes

Description

  • What It Means: Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations.
  • Why It Matters: Monitoring changes to AWS Config configuration will help ensure sustained visibility of configuration items within the AWS account.

CIS Controls

1.4 Maintain Detailed Asset Inventory
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or process information. This inventory shall include all hardware assets, whether connected to the organization's network or not.
11.2 Document Traffic Configuration Rules
All configuration rules that allow traffic to flow through network devices should be documented in a configuration management system with a specific business reason for each rule, a specific individual’s name responsible for that business need, and an expected duration of the need.
16.1 Maintain an Inventory of Authentication Systems
Maintain an inventory of each of the organization's authentication systems, including those located onsite or at a remote service provider.

3.10 Ensure a log metric filter and alarm exist for security group changes

Description

  • What It Means: Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Groups are a stateful packet filter that controls ingress and egress traffic within a VPC. It is recommended that a metric filter and alarm be established changes to Security Groups.
  • Why It Matters: Monitoring changes to security group will help ensure that resources and services are not unintentionally exposed.

CIS Controls

4.8 Log and Alert on Changes to Administrative Group Membership
Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges.

3.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)

Description

  • What It Means: Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. NACLs are used as a stateless packet filter to control ingress and egress traffic for subnets within a VPC. It is recommended that a metric filter and alarm be established for changes made to NACLs.
  • Why It Matters: Monitoring changes to NACLs will help ensure that AWS resources and services are not unintentionally exposed.

CIS Controls

11.3 Use Automated Tools to Verify Standard Device Configurations and Detect Changes
Compare all network device configuration against approved security configurations defined for each network device in use and alert when any deviations are discovered.

3.12 Ensure a log metric filter and alarm exist for changes to network gateways

Description

  • What It Means: Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Network gateways are required to send/receive traffic to a destination outside of a VPC. It is recommended that a metric filter and alarm be established for changes to network gateways.
  • Why It Matters: Monitoring changes to network gateways will help ensure that all ingress/egress traffic traverses the VPC border via a controlled path.

CIS Controls

6.2 Activate audit logging
Ensure that local logging has been enabled on all systems and networking devices.
11.3 Use Automated Tools to Verify Standard Device Configurations and Detect Changes
Compare all network device configuration against approved security configurations defined for each network device in use and alert when any deviations are discovered.

3.13 Ensure a log metric filter and alarm exist for route table changes

Description

  • What It Means: Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Routing tables are used to route network traffic between subnets and to network gateways. It is recommended that a metric filter and alarm be established for changes to route tables.
  • Why It Matters: Monitoring changes to route tables will help ensure that all VPC traffic flows through an expected path.

CIS Controls

6.2 Activate audit logging
Ensure that local logging has been enabled on all systems and networking devices.
11.3 Use Automated Tools to Verify Standard Device Configurations and Detect Changes
Compare all network device configuration against approved security configurations defined for each network device in use and alert when any deviations are discovered.

3.14 Ensure a log metric filter and alarm exist for VPC changes

Description

  • What It Means: Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is possible to have more than 1 VPC within an account, in addition it is also possible to create a peer connection between 2 VPCs enabling network traffic to route between VPCs. It is recommended that a metric filter and alarm be established for changes made to VPCs.
  • Why It Matters: Monitoring changes to IAM policies will help ensure authentication and authorization controls remain intact.

CIS Controls

5.5 Implement Automated Configuration Monitoring Systems
Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to verify all security configuration elements, catalog approved exceptions, and alert when unauthorized changes occur.

4. Networking

4.1 Ensure no security groups allow ingress from 0.0.0.0/0 to port 22

Description

  • What It Means: Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to port 22.
  • Why It Matters: Removing unfettered connectivity to remote console services, such as SSH, reduces a server's exposure to risk.

CIS Controls

9.2 Ensure Only Approved Ports, Protocols and Services Are Running
Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.

4.2 Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389

Description

  • What It Means: Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to port 3389.
  • Why It Matters: Removing unfettered connectivity to remote console services, such as RDP, reduces a server's exposure to risk.

CIS Controls

9.2 Ensure Only Approved Ports, Protocols and Services Are Running
Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.

4.3 Ensure the default security group of every VPC restricts all traffic

Description

  • What It Means: A VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that the default security group restrict all traffic. The default VPC in every region should have its default security group updated to comply. Any newly created VPCs will automatically contain a default security group that will need remediation to comply with this recommendation. Note: When implementing this recommendation, VPC flow logging is invaluable in determining the least privilege port access required by systems to work properly because it can log all packet acceptances and rejections occurring under the current security groups. This dramatically reduces the primary barrier to least privilege engineering - discovering the minimum ports required by systems in the environment. Even if the VPC flow logging recommendation in this benchmark is not adopted as a permanent security measure, it should be used during any period of discovery and engineering for least privileged security groups.
  • Why It Matters: Configuring all VPC default security groups to restrict all traffic will encourage least privilege security group development and mindful placement of AWS resources into security groups which will in-turn reduce the exposure of those resources.

CIS Controls

14.6 Protect Information through Access Control Lists
Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.

Was This Article Helpful?