@turbot/aws-cisv1

Release Notes

5.0.10 (2022-03-08)

Bug fixes

  • The AWS > CIS v1 > 2 Logging > 2.01 Ensure CloudTrail is enabled in all regions (Scored) control would sometimes go into an error state if trails did not include all the eventSelectors details. This is now fixed. The aws-cisv1 mod will be deprecated in the future and we recommend that users install and use the new aws-cisv1-4 mod to evaluate the AWS CIS recommendations.

5.0.9 (2021-11-24)

Bug fixes

  • The AWS > CIS v1 > 2.03 Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible control would incorrectly move to an error state when the S3 bucket used to store CloudTrail logs did not exist in Turbot. This is now fixed.

5.0.8 (2021-04-28)

Bug fixes

  • The AWS > CIS v1 > 2 Logging > 2.05 Ensure AWS Config is enabled in all regions (Scored) control would incorrectly remain in TBD state if the configuration recorder was not enabled for all regions. This is now fixed and the control works as expected.

5.0.7 (2021-03-18)

Bug fixes

  • For any flow log discovered in Turbot under a VPC, the AWS > CIS v1 > 2 Logging > 2.09 Ensure VPC flow logging is enabled in all VPCs (Scored) control did not trigger automatically to show the correct evaluation of the control with the latest flow logging details. This is now fixed.
  • We've made some improvements in a few GraphQL queries under AWS > CIS v1 > 2 Logging > 2.03 Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible (Scored) and AWS > CIS v1 > 2 Logging > 2.06 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket (Scored). There's no noticeable difference, but they will run much lighter now.

5.0.6 (2021-01-06)

Bug fixes

  • The AWS > CIS v1 > 1 Identity and Access Management > 1.12 Ensure no root account access key exists (Scored) control went to an error state for US Gov and China cloud accounts since there are no root accounts available. This is now fixed and the control will remain in OK state for such accounts.

5.0.5 (2020-12-17)

Bug fixes

  • The AWS > CIS v1 > 2 Logging > 2.05 Ensure AWS Config is enabled in all regions (Scored) control would go into an error state if the configuration recorder in the region was not discovered in Turbot. This is now fixed and the control will remain in a TBD state until the configuration recorder in the region is discovered and its CMDB data is updated in Turbot.

5.0.4 (2020-09-15)

Bug fixes

  • We've improved logging in the AWS > CIS v1 > 1 Identity and Access Management > 1.01 Avoid the use of the "root" account (Scored) control to provide more details on how we determine if the root account password or access keys have been used.

    We've also improved the description for the AWS > CIS v1 > 1 Identity and Access Management > 1.10 Ensure IAM password policy prevents password reuse (Scored) control to provide more details on how many passwords should be remembered for the recommendation to be met.

5.0.3 (2020-09-10)

Bug fixes

  • We misplaced the release notes for version 5.0.2, but have successfully recovered them and put them back in their rightful place.

5.0.2 (2020-09-10)

Bug fixes

  • The AWS > CIS v1 > 1 Identity and Access Management > 1.11 Ensure IAM password policy expires passwords within 90 days or less (Scored) control would incorrectly be in OK state when "Enable password expiration" was unchecked in the AWS console for the account. This is now fixed and the control will work as expected.