@turbot/aws-cisv1-4

Release Notes

5.0.7 (2022-11-23)

Bug fixes

  • A few controls under CIS section 4 would sometimes go into an error state because of an incorrect GraphQL query reference for metric names. This is fixed and the controls will now work as expected.

5.0.6 (2022-09-28)

Bug fixes

  • The AWS > CIS v1.4 > 1 - Identity and Access Management > 1.05 - Ensure MFA is enabled for the 'root' user account (Automated), AWS > CIS v1.4 > 1 - Identity and Access Management > 1.06 - Ensure hardware MFA is enabled for the 'root' user account (Automated) and AWS > CIS v1.4 > 4 - Monitoring > 4.03 - Ensure a log metric filter and alarm exist for usage of 'root' account (Automated) controls will now move to a skipped state for US Government and China cloud accounts.

5.0.5 (2022-08-05)

Bug fixes

  • Controls under sections 3 and 4 would sometimes evaluate the outcome incorrectly for resources in the AWS US Gov cloud. This is fixed and these controls will now work as expected.
  • The AWS > CISV1-4 > Logging > 3.10 - Ensure that Object-level logging for write events is enabled for S3 bucket (Automated) control would incorrectly move to an error state when the data for EventSelectors was not available in the trail's CMDB. This is now fixed.

5.0.4 (2022-06-29)

Bug fixes

  • The AWS > CISV1.4 > 1.20 - Ensure that IAM Access analyzer is enabled for all regions (Automated) control would incorrectly move to an error state while waiting for the AWS > IAM > Access Analyzer CMDB data to update. This is fixed and the control will now move to a TBD state while waiting for the access analyzer data, and then evaluate the outcome correctly once the data is available.

5.0.3 (2022-06-20)

Bug fixes

  • The AWS > CISV1-4 > 3.01 - Ensure CloudTrail is enabled in all regions (Automated) control will now also check for shadow trails to evaluate the outcome correctly.

5.0.2 (2022-03-08)

Bug fixes

  • The AWS > CIS v1.4 > 3 - Logging > 3.01 - Ensure CloudTrail is enabled in all regions (Automated) control would sometimes go into an error state if trails did not include all the eventSelectors details. This is now fixed.

5.0.1 (2021-11-10)

Bug fixes

  • The AWS > CIS v1.4 > 3.03 Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible control would incorrectly move to an error state when the S3 bucket used to store CloudTrail logs did not exist in Turbot. This is now fixed.

5.0.0 (2021-09-03)

Control Types

Added

  • AWS > CIS v1.4
  • AWS > CIS v1.4 > 1 - Identity and Access Management
  • AWS > CIS v1.4 > 1 - Identity and Access Management > 1.01 - Maintain current contact details (Manual)
  • AWS > CIS v1.4 > 1 - Identity and Access Management > 1.02 - Ensure security contact information is registered (Manual)
  • AWS > CIS v1.4 > 1 - Identity and Access Management > 1.03 - Ensure security questions are registered in the AWS account (Manual)
  • AWS > CIS v1.4 > 1 - Identity and Access Management > 1.04 - Ensure no 'root' user account access key exists (Automated)
  • AWS > CIS v1.4 > 1 - Identity and Access Management > 1.05 - Ensure MFA is enabled for the 'root' user account (Automated)
  • AWS > CIS v1.4 > 1 - Identity and Access Management > 1.06 - Ensure hardware MFA is enabled for the 'root' user account (Automated)
  • AWS > CIS v1.4 > 1 - Identity and Access Management > 1.07 - Eliminate use of the 'root' user for administrative and daily tasks (Automated)
  • AWS > CIS v1.4 > 1 - Identity and Access Management > 1.08 - Ensure IAM password policy requires minimum length of 14 or greater (Automated)
  • AWS > CIS v1.4 > 1 - Identity and Access Management > 1.09 - Ensure IAM password policy prevents password reuse (Automated)
  • AWS > CIS v1.4 > 1 - Identity and Access Management > 1.10 - Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Automated)
  • AWS > CIS v1.4 > 1 - Identity and Access Management > 1.11 - Do not setup access keys during initial user setup for all IAM users that have a console password (Manual)
  • AWS > CIS v1.4 > 1 - Identity and Access Management > 1.12 - Ensure credentials unused for 45 days or greater are disabled (Automated)
  • AWS > CIS v1.4 > 1 - Identity and Access Management > 1.13 - Ensure there is only one active access key available for any single IAM user (Automated)
  • AWS > CIS v1.4 > 1 - Identity and Access Management > 1.14 - Ensure access keys are rotated every 90 days or less (Automated)
  • AWS > CIS v1.4 > 1 - Identity and Access Management > 1.15 - Ensure IAM Users Receive Permissions Only Through Groups (Automated)
  • AWS > CIS v1.4 > 1 - Identity and Access Management > 1.16 - Ensure IAM policies that allow full "*:*" administrative privileges are not attached (Automated)
  • AWS > CIS v1.4 > 1 - Identity and Access Management > 1.17 - Ensure a support role has been created to manage incidents with AWS Support (Automated)
  • AWS > CIS v1.4 > 1 - Identity and Access Management > 1.18 - Ensure IAM instance roles are used for AWS resource access from instances (Manual)
  • AWS > CIS v1.4 > 1 - Identity and Access Management > 1.19 - Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed (Automated)
  • AWS > CIS v1.4 > 1 - Identity and Access Management > 1.20 - Ensure that IAM Access analyzer is enabled for all regions (Automated)
  • AWS > CIS v1.4 > 1 - Identity and Access Management > 1.21 - Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments (Manual)
  • AWS > CIS v1.4 > 2 - Storage
  • AWS > CIS v1.4 > 2 - Storage > 2.01 - Simple Storage Service (S3)
  • AWS > CIS v1.4 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.01 - Ensure all S3 buckets employ encryption-at-rest (Manual)
  • AWS > CIS v1.4 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.02 - Ensure S3 Bucket Policy is set to deny HTTP requests (Manual)
  • AWS > CIS v1.4 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.03 - Ensure MFA Delete is enable on S3 buckets (Automated)
  • AWS > CIS v1.4 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.04 - Ensure all data in Amazon S3 has been discovered, classified and secured when required. (Manual)
  • AWS > CIS v1.4 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.05 - Ensure that S3 Buckets are configured with 'Block public access (bucket settings)' (Automated)
  • AWS > CIS v1.4 > 2 - Storage > 2.02 - Elastic Compute Cloud (EC2)
  • AWS > CIS v1.4 > 2 - Storage > 2.02 - Elastic Compute Cloud (EC2) > 2.02.01 - Ensure EBS volume encryption is enabled (Manual)
  • AWS > CIS v1.4 > 2 - Storage > 2.03 - Relational Database Service (RDS)
  • AWS > CIS v1.4 > 2 - Storage > 2.03 - Relational Database Service (RDS) > 2.03.01 - Ensure that encryption is enabled for RDS Instances (Automated)
  • AWS > CIS v1.4 > 3 - Logging
  • AWS > CIS v1.4 > 3 - Logging > 3.01 - Ensure CloudTrail is enabled in all regions (Automated)
  • AWS > CIS v1.4 > 3 - Logging > 3.02 - Ensure CloudTrail log file validation is enabled (Automated)
  • AWS > CIS v1.4 > 3 - Logging > 3.03 - Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible (Automated)
  • AWS > CIS v1.4 > 3 - Logging > 3.04 - Ensure CloudTrail trails are integrated with CloudWatch Logs (Automated)
  • AWS > CIS v1.4 > 3 - Logging > 3.05 - Ensure AWS Config is enabled in all regions (Automated)
  • AWS > CIS v1.4 > 3 - Logging > 3.06 - Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket (Automated)
  • AWS > CIS v1.4 > 3 - Logging > 3.07 - Ensure CloudTrail logs are encrypted at rest using KMS CMKs (Automated)
  • AWS > CIS v1.4 > 3 - Logging > 3.08 - Ensure rotation for customer created CMKs is enabled (Automated)
  • AWS > CIS v1.4 > 3 - Logging > 3.09 - Ensure VPC flow logging is enabled in all VPCs (Automated)
  • AWS > CIS v1.4 > 3 - Logging > 3.10 - Ensure that Object-level logging for write events is enabled for S3 bucket (Automated)
  • AWS > CIS v1.4 > 3 - Logging > 3.11 - Ensure that Object-level logging for read events is enabled for S3 bucket (Automated)
  • AWS > CIS v1.4 > 4 - Monitoring
  • AWS > CIS v1.4 > 4 - Monitoring > 4.01 - Ensure a log metric filter and alarm exist for unauthorized API calls (Automated)
  • AWS > CIS v1.4 > 4 - Monitoring > 4.02 - Ensure a log metric filter and alarm exist for Management Console sign-in without MFA (Automated)
  • AWS > CIS v1.4 > 4 - Monitoring > 4.03 - Ensure a log metric filter and alarm exist for usage of 'root' account (Automated)
  • AWS > CIS v1.4 > 4 - Monitoring > 4.04 - Ensure a log metric filter and alarm exist for IAM policy changes (Automated)
  • AWS > CIS v1.4 > 4 - Monitoring > 4.05 - Ensure a log metric filter and alarm exist for CloudTrail configuration changes (Automated)
  • AWS > CIS v1.4 > 4 - Monitoring > 4.06 - Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (Automated)
  • AWS > CIS v1.4 > 4 - Monitoring > 4.07 - Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs (Automated)
  • AWS > CIS v1.4 > 4 - Monitoring > 4.08 - Ensure a log metric filter and alarm exist for S3 bucket policy changes (Automated)
  • AWS > CIS v1.4 > 4 - Monitoring > 4.09 - Ensure a log metric filter and alarm exist for AWS Config configuration changes (Automated)
  • AWS > CIS v1.4 > 4 - Monitoring > 4.10 - Ensure a log metric filter and alarm exist for security group changes (Automated)
  • AWS > CIS v1.4 > 4 - Monitoring > 4.11 - Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) (Automated)
  • AWS > CIS v1.4 > 4 - Monitoring > 4.12 - Ensure a log metric filter and alarm exist for changes to network gateways (Automated)
  • AWS > CIS v1.4 > 4 - Monitoring > 4.13 - Ensure a log metric filter and alarm exist for route table changes (Automated)
  • AWS > CIS v1.4 > 4 - Monitoring > 4.14 - Ensure a log metric filter and alarm exist for VPC changes (Automated)
  • AWS > CIS v1.4 > 4 - Monitoring > 4.15 - Ensure a log metric filter and alarm exists for AWS Organizations changes (Automated)
  • AWS > CIS v1.4 > 5 - Networking
  • AWS > CIS v1.4 > 5 - Networking > 5.01 - Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports (Automated)
  • AWS > CIS v1.4 > 5 - Networking > 5.02 - Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports (Automated)
  • AWS > CIS v1.4 > 5 - Networking > 5.03 - Ensure the default security group of every VPC restricts all traffic (Automated)
  • AWS > CIS v1.4 > 5 - Networking > 5.04 - Ensure routing tables for VPC peering are 'least access' (Manual)

Policy Types

Added

  • AWS > CIS v1.4
  • AWS > CIS v1.4 > 1 - Identity and Access Management
  • AWS > CIS v1.4 > 1 - Identity and Access Management > 1.01 - Maintain current contact details (Manual)
  • AWS > CIS v1.4 > 1 - Identity and Access Management > 1.01 - Maintain current contact details (Manual) > Attestation
  • AWS > CIS v1.4 > 1 - Identity and Access Management > 1.02 - Ensure security contact information is registered (Manual)
  • AWS > CIS v1.4 > 1 - Identity and Access Management > 1.02 - Ensure security contact information is registered (Manual) > Attestation
  • AWS > CIS v1.4 > 1 - Identity and Access Management > 1.03 - Ensure security questions are registered in the AWS account (Manual)
  • AWS > CIS v1.4 > 1 - Identity and Access Management > 1.03 - Ensure security questions are registered in the AWS account (Manual) > Attestation
  • AWS > CIS v1.4 > 1 - Identity and Access Management > 1.04 - Ensure no 'root' user account access key exists (Automated)
  • AWS > CIS v1.4 > 1 - Identity and Access Management > 1.05 - Ensure MFA is enabled for the 'root' user account (Automated)
  • AWS > CIS v1.4 > 1 - Identity and Access Management > 1.06 - Ensure hardware MFA is enabled for the 'root' user account (Automated)
  • AWS > CIS v1.4 > 1 - Identity and Access Management > 1.07 - Eliminate use of the 'root' user for administrative and daily tasks (Automated)
  • AWS > CIS v1.4 > 1 - Identity and Access Management > 1.08 - Ensure IAM password policy requires minimum length of 14 or greater (Automated)
  • AWS > CIS v1.4 > 1 - Identity and Access Management > 1.09 - Ensure IAM password policy prevents password reuse (Automated)
  • AWS > CIS v1.4 > 1 - Identity and Access Management > 1.10 - Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Automated)
  • AWS > CIS v1.4 > 1 - Identity and Access Management > 1.11 - Do not setup access keys during initial user setup for all IAM users that have a console password (Manual)
  • AWS > CIS v1.4 > 1 - Identity and Access Management > 1.12 - Ensure credentials unused for 45 days or greater are disabled (Automated)
  • AWS > CIS v1.4 > 1 - Identity and Access Management > 1.13 - Ensure there is only one active access key available for any single IAM user (Automated)
  • AWS > CIS v1.4 > 1 - Identity and Access Management > 1.14 - Ensure access keys are rotated every 90 days or less (Automated)
  • AWS > CIS v1.4 > 1 - Identity and Access Management > 1.15 - Ensure IAM Users Receive Permissions Only Through Groups (Automated)
  • AWS > CIS v1.4 > 1 - Identity and Access Management > 1.16 - Ensure IAM policies that allow full "*:*" administrative privileges are not attached (Automated)
  • AWS > CIS v1.4 > 1 - Identity and Access Management > 1.17 - Ensure a support role has been created to manage incidents with AWS Support (Automated)
  • AWS > CIS v1.4 > 1 - Identity and Access Management > 1.18 - Ensure IAM instance roles are used for AWS resource access from instances (Manual)
  • AWS > CIS v1.4 > 1 - Identity and Access Management > 1.18 - Ensure IAM instance roles are used for AWS resource access from instances (Manual) > Attestation
  • AWS > CIS v1.4 > 1 - Identity and Access Management > 1.19 - Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed (Automated)
  • AWS > CIS v1.4 > 1 - Identity and Access Management > 1.20 - Ensure that IAM Access analyzer is enabled for all regions (Automated)
  • AWS > CIS v1.4 > 1 - Identity and Access Management > 1.21 - Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments (Manual)
  • AWS > CIS v1.4 > 1 - Identity and Access Management > 1.21 - Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments (Manual) > Attestation
  • AWS > CIS v1.4 > 1 - Identity and Access Management > Maximum Attestation Duration
  • AWS > CIS v1.4 > 2 - Storage
  • AWS > CIS v1.4 > 2 - Storage > 2.01 - Simple Storage Service (S3)
  • AWS > CIS v1.4 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.01 - Ensure all S3 buckets employ encryption-at-rest (Manual)
  • AWS > CIS v1.4 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.02 - Ensure S3 Bucket Policy is set to deny HTTP requests (Manual)
  • AWS > CIS v1.4 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.03 - Ensure MFA Delete is enable on S3 buckets (Automated)
  • AWS > CIS v1.4 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.04 - Ensure all data in Amazon S3 has been discovered, classified and secured when required. (Manual)
  • AWS > CIS v1.4 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.04 - Ensure all data in Amazon S3 has been discovered, classified and secured when required. (Manual) > Attestation
  • AWS > CIS v1.4 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.05 - Ensure that S3 Buckets are configured with 'Block public access (bucket settings)' (Automated)
  • AWS > CIS v1.4 > 2 - Storage > 2.02 - Elastic Compute Cloud (EC2)
  • AWS > CIS v1.4 > 2 - Storage > 2.02 - Elastic Compute Cloud (EC2) > 2.02.01 - Ensure EBS volume encryption is enabled (Manual)
  • AWS > CIS v1.4 > 2 - Storage > 2.03 - Relational Database Service (RDS)
  • AWS > CIS v1.4 > 2 - Storage > 2.03 - Relational Database Service (RDS) > 2.03.01 - Ensure that encryption is enabled for RDS Instances (Automated)
  • AWS > CIS v1.4 > 2 - Storage > Maximum Attestation Duration
  • AWS > CIS v1.4 > 3 - Logging
  • AWS > CIS v1.4 > 3 - Logging > 3.01 - Ensure CloudTrail is enabled in all regions (Automated)
  • AWS > CIS v1.4 > 3 - Logging > 3.02 - Ensure CloudTrail log file validation is enabled (Automated)
  • AWS > CIS v1.4 > 3 - Logging > 3.03 - Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible (Automated)
  • AWS > CIS v1.4 > 3 - Logging > 3.04 - Ensure CloudTrail trails are integrated with CloudWatch Logs (Automated)
  • AWS > CIS v1.4 > 3 - Logging > 3.05 - Ensure AWS Config is enabled in all regions (Automated)
  • AWS > CIS v1.4 > 3 - Logging > 3.06 - Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket (Automated)
  • AWS > CIS v1.4 > 3 - Logging > 3.07 - Ensure CloudTrail logs are encrypted at rest using KMS CMKs (Automated)
  • AWS > CIS v1.4 > 3 - Logging > 3.08 - Ensure rotation for customer created CMKs is enabled (Automated)
  • AWS > CIS v1.4 > 3 - Logging > 3.09 - Ensure VPC flow logging is enabled in all VPCs (Automated)
  • AWS > CIS v1.4 > 3 - Logging > 3.10 - Ensure that Object-level logging for write events is enabled for S3 bucket (Automated)
  • AWS > CIS v1.4 > 3 - Logging > 3.11 - Ensure that Object-level logging for read events is enabled for S3 bucket (Automated)
  • AWS > CIS v1.4 > 3 - Logging > Maximum Attestation Duration
  • AWS > CIS v1.4 > 4 - Monitoring
  • AWS > CIS v1.4 > 4 - Monitoring > 4.01 - Ensure a log metric filter and alarm exist for unauthorized API calls (Automated)
  • AWS > CIS v1.4 > 4 - Monitoring > 4.02 - Ensure a log metric filter and alarm exist for Management Console sign-in without MFA (Automated)
  • AWS > CIS v1.4 > 4 - Monitoring > 4.03 - Ensure a log metric filter and alarm exist for usage of 'root' account (Automated)
  • AWS > CIS v1.4 > 4 - Monitoring > 4.04 - Ensure a log metric filter and alarm exist for IAM policy changes (Automated)
  • AWS > CIS v1.4 > 4 - Monitoring > 4.05 - Ensure a log metric filter and alarm exist for CloudTrail configuration changes (Automated)
  • AWS > CIS v1.4 > 4 - Monitoring > 4.06 - Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (Automated)
  • AWS > CIS v1.4 > 4 - Monitoring > 4.07 - Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs (Automated)
  • AWS > CIS v1.4 > 4 - Monitoring > 4.08 - Ensure a log metric filter and alarm exist for S3 bucket policy changes (Automated)
  • AWS > CIS v1.4 > 4 - Monitoring > 4.09 - Ensure a log metric filter and alarm exist for AWS Config configuration changes (Automated)
  • AWS > CIS v1.4 > 4 - Monitoring > 4.10 - Ensure a log metric filter and alarm exist for security group changes (Automated)
  • AWS > CIS v1.4 > 4 - Monitoring > 4.11 - Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) (Automated)
  • AWS > CIS v1.4 > 4 - Monitoring > 4.12 - Ensure a log metric filter and alarm exist for changes to network gateways (Automated)
  • AWS > CIS v1.4 > 4 - Monitoring > 4.13 - Ensure a log metric filter and alarm exist for route table changes (Automated)
  • AWS > CIS v1.4 > 4 - Monitoring > 4.14 - Ensure a log metric filter and alarm exist for VPC changes (Automated)
  • AWS > CIS v1.4 > 4 - Monitoring > 4.15 - Ensure a log metric filter and alarm exists for AWS Organizations changes (Automated)
  • AWS > CIS v1.4 > 4 - Monitoring > Maximum Attestation Duration
  • AWS > CIS v1.4 > 5 - Networking
  • AWS > CIS v1.4 > 5 - Networking > 5.01 - Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports (Automated)
  • AWS > CIS v1.4 > 5 - Networking > 5.02 - Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports (Automated)
  • AWS > CIS v1.4 > 5 - Networking > 5.03 - Ensure the default security group of every VPC restricts all traffic (Automated)
  • AWS > CIS v1.4 > 5 - Networking > 5.04 - Ensure routing tables for VPC peering are 'least access' (Manual)
  • AWS > CIS v1.4 > 5 - Networking > 5.04 - Ensure routing tables for VPC peering are 'least access' (Manual) > Attestation
  • AWS > CIS v1.4 > 5 - Networking > Maximum Attestation Duration
  • AWS > CIS v1.4 > Maximum Attestation Duration