@turbot/aws-cisv1
Recommended Version
Version
5.0.10
Released On
Mar 08, 2022
Depends On
@turbot/aws ^5.0.0
@turbot/turbot ^5.0.1
@turbot/turbot-iam ^5.1.0
@turbot/aws-iam ^5.1.0
@turbot/cis ^5.0.0
@turbot/aws-kms ^5.0.0
@turbot/aws-sns ^5.0.0
@turbot/aws-logs ^5.0.0
@turbot/aws-cloudtrail ^5.0.0
@turbot/aws-cloudwatch ^5.0.0
@turbot/aws-config ^5.0.0
@turbot/aws-ec2 ^5.0.0
@turbot/aws-vpc-core ^5.0.0
@turbot/aws-vpc-security ^5.0.0
Control Types
- AWS > CIS v1
- AWS > CIS v1 > 1 Identity and Access Management
- AWS > CIS v1 > 1 Identity and Access Management > 1.01 Avoid the use of the "root" account (Scored)
- AWS > CIS v1 > 1 Identity and Access Management > 1.02 Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored)
- AWS > CIS v1 > 1 Identity and Access Management > 1.03 Ensure credentials unused for 90 days or greater are disabled (Scored)
- AWS > CIS v1 > 1 Identity and Access Management > 1.04 Ensure access keys are rotated every 90 days or less (Scored)
- AWS > CIS v1 > 1 Identity and Access Management > 1.05 Ensure IAM password policy requires at least one uppercase letter (Scored)
- AWS > CIS v1 > 1 Identity and Access Management > 1.06 Ensure IAM password policy require at least one lowercase letter (Scored)
- AWS > CIS v1 > 1 Identity and Access Management > 1.07 Ensure IAM password policy require at least one symbol (Scored)
- AWS > CIS v1 > 1 Identity and Access Management > 1.08 Ensure IAM password policy require at least one number (Scored)
- AWS > CIS v1 > 1 Identity and Access Management > 1.09 Ensure IAM password policy requires minimum length of 14 or greater (Scored)
- AWS > CIS v1 > 1 Identity and Access Management > 1.10 Ensure IAM password policy prevents password reuse (Scored)
- AWS > CIS v1 > 1 Identity and Access Management > 1.11 Ensure IAM password policy expires passwords within 90 days or less (Scored)
- AWS > CIS v1 > 1 Identity and Access Management > 1.12 Ensure no root account access key exists (Scored)
- AWS > CIS v1 > 1 Identity and Access Management > 1.13 Ensure MFA is enabled for the "root" account (Scored)
- AWS > CIS v1 > 1 Identity and Access Management > 1.14 Ensure hardware MFA is enabled for the "root" account (Scored)
- AWS > CIS v1 > 1 Identity and Access Management > 1.15 Ensure security questions are registered in the AWS account (Not Scored)
- AWS > CIS v1 > 1 Identity and Access Management > 1.16 Ensure IAM policies are attached only to groups or roles (Scored)
- AWS > CIS v1 > 1 Identity and Access Management > 1.17 Maintain current contact details (Not Scored)
- AWS > CIS v1 > 1 Identity and Access Management > 1.18 Ensure security contact information is registered (Not Scored)
- AWS > CIS v1 > 1 Identity and Access Management > 1.19 Ensure IAM instance roles are used for AWS resource access from instances (Not Scored)
- AWS > CIS v1 > 1 Identity and Access Management > 1.21 Do not setup access keys during initial user setup for all IAM users that have a console password (Not Scored)
- AWS > CIS v1 > 1 Identity and Access Management > 1.22 Ensure IAM policies that allow full ":" administrative privileges are not created (Scored)
- AWS > CIS v1 > 2 Logging
- AWS > CIS v1 > 2 Logging > 2.01 Ensure CloudTrail is enabled in all regions (Scored)
- AWS > CIS v1 > 2 Logging > 2.02 Ensure CloudTrail log file validation is enabled (Scored)
- AWS > CIS v1 > 2 Logging > 2.03 Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible (Scored)
- AWS > CIS v1 > 2 Logging > 2.04 Ensure CloudTrail trails are integrated with CloudWatch Logs (Scored)
- AWS > CIS v1 > 2 Logging > 2.05 Ensure AWS Config is enabled in all regions (Scored)
- AWS > CIS v1 > 2 Logging > 2.06 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket (Scored)
- AWS > CIS v1 > 2 Logging > 2.07 Ensure CloudTrail logs are encrypted at rest using KMS CMKs (Scored)
- AWS > CIS v1 > 2 Logging > 2.08 Ensure rotation for customer created CMKs is enabled (Scored)
- AWS > CIS v1 > 2 Logging > 2.09 Ensure VPC flow logging is enabled in all VPCs (Scored)
- AWS > CIS v1 > 3 Monitoring
- AWS > CIS v1 > 3 Monitoring > 3.01 Ensure a log metric filter and alarm exist for unauthorized API calls (Scored)
- AWS > CIS v1 > 3 Monitoring > 3.02 Ensure a log metric filter and alarm exist for Management Console sign-in without MFA (Scored)
- AWS > CIS v1 > 3 Monitoring > 3.03 Ensure a log metric filter and alarm exist for usage of "root" account (Scored)
- AWS > CIS v1 > 3 Monitoring > 3.04 Ensure a log metric filter and alarm exist for IAM policy changes (Scored)
- AWS > CIS v1 > 3 Monitoring > 3.05 Ensure a log metric filter and alarm exist for CloudTrail configuration changes (Scored)
- AWS > CIS v1 > 3 Monitoring > 3.06 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (Scored)
- AWS > CIS v1 > 3 Monitoring > 3.07 Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs (Scored)
- AWS > CIS v1 > 3 Monitoring > 3.08 Ensure a log metric filter and alarm exist for S3 bucket policy changes (Scored)
- AWS > CIS v1 > 3 Monitoring > 3.09 Ensure a log metric filter and alarm exist for AWS Config configuration changes (Scored)
- AWS > CIS v1 > 3 Monitoring > 3.10 Ensure a log metric filter and alarm exist for security group changes (Scored)
- AWS > CIS v1 > 3 Monitoring > 3.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) (Scored)
- AWS > CIS v1 > 3 Monitoring > 3.12 Ensure a log metric filter and alarm exist for changes to network gateways (Scored)
- AWS > CIS v1 > 3 Monitoring > 3.13 Ensure a log metric filter and alarm exist for route table changes (Scored)
- AWS > CIS v1 > 3 Monitoring > 3.14 Ensure a log metric filter and alarm exist for VPC changes (Scored)
- AWS > CIS v1 > 4 Networking
- AWS > CIS v1 > 4 Networking > 4.01 Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 (Scored)
- AWS > CIS v1 > 4 Networking > 4.02 Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 (Scored)
- AWS > CIS v1 > 4 Networking > 4.03 Ensure the default security group of every VPC restricts all traffic (Scored)
- AWS > CIS v1 > 4 Networking > 4.04 Ensure routing tables for VPC peering are "least access" (Not Scored)
Policy Types
- AWS > CIS v1
- AWS > CIS v1 > 1 Identity and Access Management
- AWS > CIS v1 > 1 Identity and Access Management > 1.01 Avoid the use of the "root" account (Scored)
- AWS > CIS v1 > 1 Identity and Access Management > 1.02 Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored)
- AWS > CIS v1 > 1 Identity and Access Management > 1.03 Ensure credentials unused for 90 days or greater are disabled (Scored)
- AWS > CIS v1 > 1 Identity and Access Management > 1.04 Ensure access keys are rotated every 90 days or less (Scored)
- AWS > CIS v1 > 1 Identity and Access Management > 1.05 Ensure IAM password policy requires at least one uppercase letter (Scored)
- AWS > CIS v1 > 1 Identity and Access Management > 1.06 Ensure IAM password policy require at least one lowercase letter (Scored)
- AWS > CIS v1 > 1 Identity and Access Management > 1.07 Ensure IAM password policy require at least one symbol (Scored)
- AWS > CIS v1 > 1 Identity and Access Management > 1.08 Ensure IAM password policy require at least one number (Scored)
- AWS > CIS v1 > 1 Identity and Access Management > 1.09 Ensure IAM password policy requires minimum length of 14 or greater (Scored)
- AWS > CIS v1 > 1 Identity and Access Management > 1.10 Ensure IAM password policy prevents password reuse (Scored)
- AWS > CIS v1 > 1 Identity and Access Management > 1.11 Ensure IAM password policy expires passwords within 90 days or less (Scored)
- AWS > CIS v1 > 1 Identity and Access Management > 1.12 Ensure no root account access key exists (Scored)
- AWS > CIS v1 > 1 Identity and Access Management > 1.13 Ensure MFA is enabled for the "root" account (Scored)
- AWS > CIS v1 > 1 Identity and Access Management > 1.14 Ensure hardware MFA is enabled for the "root" account (Scored)
- AWS > CIS v1 > 1 Identity and Access Management > 1.15 Ensure security questions are registered in the AWS account (Not Scored)
- AWS > CIS v1 > 1 Identity and Access Management > 1.15 Ensure security questions are registered in the AWS account (Not Scored) > Attestation
- AWS > CIS v1 > 1 Identity and Access Management > 1.16 Ensure IAM policies are attached only to groups or roles (Scored)
- AWS > CIS v1 > 1 Identity and Access Management > 1.17 Maintain current contact details (Not Scored)
- AWS > CIS v1 > 1 Identity and Access Management > 1.17 Maintain current contact details (Not Scored) > Attestation
- AWS > CIS v1 > 1 Identity and Access Management > 1.18 Ensure security contact information is registered (Not Scored)
- AWS > CIS v1 > 1 Identity and Access Management > 1.18 Ensure security contact information is registered (Not Scored) > Attestation
- AWS > CIS v1 > 1 Identity and Access Management > 1.19 Ensure IAM instance roles are used for AWS resource access from instances (Not Scored)
- AWS > CIS v1 > 1 Identity and Access Management > 1.19 Ensure IAM instance roles are used for AWS resource access from instances (Not Scored) > Attestation
- AWS > CIS v1 > 1 Identity and Access Management > 1.21 Do not setup access keys during initial user setup for all IAM users that have a console password (Not Scored)
- AWS > CIS v1 > 1 Identity and Access Management > 1.22 Ensure IAM policies that allow full ":" administrative privileges are not created (Scored)
- AWS > CIS v1 > 2 Logging
- AWS > CIS v1 > 2 Logging > 2.01 Ensure CloudTrail is enabled in all regions (Scored)
- AWS > CIS v1 > 2 Logging > 2.02 Ensure CloudTrail log file validation is enabled (Scored)
- AWS > CIS v1 > 2 Logging > 2.03 Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible (Scored)
- AWS > CIS v1 > 2 Logging > 2.04 Ensure CloudTrail trails are integrated with CloudWatch Logs (Scored)
- AWS > CIS v1 > 2 Logging > 2.05 Ensure AWS Config is enabled in all regions (Scored)
- AWS > CIS v1 > 2 Logging > 2.06 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket (Scored)
- AWS > CIS v1 > 2 Logging > 2.07 Ensure CloudTrail logs are encrypted at rest using KMS CMKs (Scored)
- AWS > CIS v1 > 2 Logging > 2.08 Ensure rotation for customer created CMKs is enabled (Scored)
- AWS > CIS v1 > 2 Logging > 2.09 Ensure VPC flow logging is enabled in all VPCs (Scored)
- AWS > CIS v1 > 3 Monitoring
- AWS > CIS v1 > 3 Monitoring > 3.01 Ensure a log metric filter and alarm exist for unauthorized API calls (Scored)
- AWS > CIS v1 > 3 Monitoring > 3.02 Ensure a log metric filter and alarm exist for Management Console sign-in without MFA (Scored)
- AWS > CIS v1 > 3 Monitoring > 3.03 Ensure a log metric filter and alarm exist for usage of "root" account (Scored)
- AWS > CIS v1 > 3 Monitoring > 3.04 Ensure a log metric filter and alarm exist for IAM policy changes (Scored)
- AWS > CIS v1 > 3 Monitoring > 3.05 Ensure a log metric filter and alarm exist for CloudTrail configuration changes (Scored)
- AWS > CIS v1 > 3 Monitoring > 3.06 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (Scored)
- AWS > CIS v1 > 3 Monitoring > 3.07 Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs (Scored)
- AWS > CIS v1 > 3 Monitoring > 3.08 Ensure a log metric filter and alarm exist for S3 bucket policy changes (Scored)
- AWS > CIS v1 > 3 Monitoring > 3.09 Ensure a log metric filter and alarm exist for AWS Config configuration changes (Scored)
- AWS > CIS v1 > 3 Monitoring > 3.10 Ensure a log metric filter and alarm exist for security group changes (Scored)
- AWS > CIS v1 > 3 Monitoring > 3.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) (Scored)
- AWS > CIS v1 > 3 Monitoring > 3.12 Ensure a log metric filter and alarm exist for changes to network gateways (Scored)
- AWS > CIS v1 > 3 Monitoring > 3.13 Ensure a log metric filter and alarm exist for route table changes (Scored)
- AWS > CIS v1 > 3 Monitoring > 3.14 Ensure a log metric filter and alarm exist for VPC changes (Scored)
- AWS > CIS v1 > 4 Networking
- AWS > CIS v1 > 4 Networking > 4.01 Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 (Scored)
- AWS > CIS v1 > 4 Networking > 4.02 Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 (Scored)
- AWS > CIS v1 > 4 Networking > 4.03 Ensure the default security group of every VPC restricts all traffic (Scored)
- AWS > CIS v1 > 4 Networking > 4.04 Ensure routing tables for VPC peering are "least access" (Not Scored)
- AWS > CIS v1 > 4 Networking > 4.04 Ensure routing tables for VPC peering are "least access" (Not Scored) > Attestation
- AWS > CIS v1 > Maximum Attestation Duration
Release Notes
5.0.10 (2022-03-08)
Bug fixes
- The AWS > CIS v1 > 2 Logging > 2.01 Ensure CloudTrail is enabled in all regions (Scored) control would sometimes go into an error state if trails did not include all the eventSelectors details. This is now fixed. The aws-cisv1 mod will be deprecated in the future and we recommend that users install and use the new aws-cisv1-4 mod to evaluate the AWS CIS recommendations.
5.0.9 (2021-11-24)
Bug fixes
- The AWS > CIS v1 > 2.03 Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible control would incorrectly move to an error state when the S3 bucket used to store CloudTrail logs did not exist in Turbot. This is now fixed.
5.0.8 (2021-04-28)
Bug fixes
- The AWS > CIS v1 > 2 Logging > 2.05 Ensure AWS Config is enabled in all regions (Scored) control would incorrectly remain in TBD state if the configuration recorder was not enabled for all regions. This is fixed and the control will now work correctly, as expected.
5.0.7 (2021-03-18)
Bug fixes
- For any flow log discovered in Turbot under a VPC, the AWS > CIS v1 > 2 Logging > 2.09 Ensure VPC flow logging is enabled in all VPCs (Scored) control did not trigger automatically to show the correct evaluation of the control with the latest flow logging details. This is now fixed.
- We've made some improvements in a few GraphQL queries under AWS > CIS v1 > 2 Logging > 2.03 Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible (Scored) and AWS > CIS v1 > 2 Logging > 2.06 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket (Scored). There's no noticeable difference, but they will run much lighter now.
5.0.6 (2021-01-06)
Bug fixes
- The AWS > CIS v1 > 1 Identity and Access Management > 1.12 Ensure no root account access key exists (Scored) control went to an error state for US Gov and China cloud accounts since there are no root accounts available. This is now fixed and the control will remain in OK state for such accounts.
5.0.5 (2020-12-17)
Bug fixes
- The AWS > CIS v1 > 2 Logging > 2.05 Ensure AWS Config is enabled in all regions (Scored) control would go into an error state if the configuration recorder in the region was not discovered in Turbot. This is now fixed and the AWS > CIS v1 > 2 Logging > 2.05 Ensure AWS Config is enabled in all regions (Scored) control will now be in a TBD state until the configuration recorder in the region is discovered and its CMDB data is updated in Turbot.
5.0.4 (2020-09-15)
Bug fixes
- We've improved logging in the AWS > CIS v1 > 1 Identity and Access Management > 1.01 Avoid the use of the "root" account (Scored) control to provide more details on how we determine if the root account password or access keys have been used.
- We've also improved the description for the AWS > CIS v1 > 1 Identity and Access Management > 1.10 Ensure IAM password policy prevents password reuse (Scored) control to provide more details on how many passwords should be remembered for the recommendation to be met.
5.0.3 (2020-09-10)
Bug fixes
- We misplaced the release notes for version 5.0.2, but have successfully recovered them and put them back in their rightful place.
5.0.2 (2020-09-10)
Bug fixes
- The AWS > CIS v1 > 1 Identity and Access Management > 1.11 Ensure IAM password policy expires passwords within 90 days or less (Scored) control would incorrectly be in OK state when Enable password expiration was unchecked in the AWS console for the account. This is now fixed and the AWS > CIS v1 > 1 Identity and Access Management > 1.11 Ensure IAM password policy expires passwords within 90 days or less (Scored) control will work as expected.