Policy types for @turbot/aws-cisv1

• AWS > CIS v1
• AWS > CIS v1 > 1 Identity and Access Management
• AWS > CIS v1 > 1 Identity and Access Management > 1.01 Avoid the use of the "root" account (Scored)
• AWS > CIS v1 > 1 Identity and Access Management > 1.02 Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored)
• AWS > CIS v1 > 1 Identity and Access Management > 1.03 Ensure credentials unused for 90 days or greater are disabled (Scored)
• AWS > CIS v1 > 1 Identity and Access Management > 1.04 Ensure access keys are rotated every 90 days or less (Scored)
• AWS > CIS v1 > 1 Identity and Access Management > 1.05 Ensure IAM password policy requires at least one uppercase letter (Scored)
• AWS > CIS v1 > 1 Identity and Access Management > 1.06 Ensure IAM password policy require at least one lowercase letter (Scored)
• AWS > CIS v1 > 1 Identity and Access Management > 1.07 Ensure IAM password policy require at least one symbol (Scored)
• AWS > CIS v1 > 1 Identity and Access Management > 1.08 Ensure IAM password policy require at least one number (Scored)
• AWS > CIS v1 > 1 Identity and Access Management > 1.09 Ensure IAM password policy requires minimum length of 14 or greater (Scored)
• AWS > CIS v1 > 1 Identity and Access Management > 1.10 Ensure IAM password policy prevents password reuse (Scored)
• AWS > CIS v1 > 1 Identity and Access Management > 1.11 Ensure IAM password policy expires passwords within 90 days or less (Scored)
• AWS > CIS v1 > 1 Identity and Access Management > 1.12 Ensure no root account access key exists (Scored)
• AWS > CIS v1 > 1 Identity and Access Management > 1.13 Ensure MFA is enabled for the "root" account (Scored)
• AWS > CIS v1 > 1 Identity and Access Management > 1.14 Ensure hardware MFA is enabled for the "root" account (Scored)
• AWS > CIS v1 > 1 Identity and Access Management > 1.15 Ensure security questions are registered in the AWS account (Not Scored)
• AWS > CIS v1 > 1 Identity and Access Management > 1.15 Ensure security questions are registered in the AWS account (Not Scored) > Attestation
• AWS > CIS v1 > 1 Identity and Access Management > 1.16 Ensure IAM policies are attached only to groups or roles (Scored)
• AWS > CIS v1 > 1 Identity and Access Management > 1.17 Maintain current contact details (Not Scored)
• AWS > CIS v1 > 1 Identity and Access Management > 1.17 Maintain current contact details (Not Scored) > Attestation
• AWS > CIS v1 > 1 Identity and Access Management > 1.18 Ensure security contact information is registered (Not Scored)
• AWS > CIS v1 > 1 Identity and Access Management > 1.18 Ensure security contact information is registered (Not Scored) > Attestation
• AWS > CIS v1 > 1 Identity and Access Management > 1.19 Ensure IAM instance roles are used for AWS resource access from instances (Not Scored)
• AWS > CIS v1 > 1 Identity and Access Management > 1.19 Ensure IAM instance roles are used for AWS resource access from instances (Not Scored) > Attestation
• AWS > CIS v1 > 1 Identity and Access Management > 1.21 Do not setup access keys during initial user setup for all IAM users that have a console password (Not Scored)
• AWS > CIS v1 > 1 Identity and Access Management > 1.22 Ensure IAM policies that allow full ":"; administrative privileges are not created (Scored)
• AWS > CIS v1 > 2 Logging
• AWS > CIS v1 > 2 Logging > 2.01 Ensure CloudTrail is enabled in all regions (Scored)
• AWS > CIS v1 > 2 Logging > 2.02 Ensure CloudTrail log file validation is enabled (Scored)
• AWS > CIS v1 > 2 Logging > 2.03 Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible (Scored)
• AWS > CIS v1 > 2 Logging > 2.04 Ensure CloudTrail trails are integrated with CloudWatch Logs (Scored)
• AWS > CIS v1 > 2 Logging > 2.05 Ensure AWS Config is enabled in all regions (Scored)
• AWS > CIS v1 > 2 Logging > 2.06 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket (Scored)
• AWS > CIS v1 > 2 Logging > 2.07 Ensure CloudTrail logs are encrypted at rest using KMS CMKs (Scored)
• AWS > CIS v1 > 2 Logging > 2.08 Ensure rotation for customer created CMKs is enabled (Scored)
• AWS > CIS v1 > 2 Logging > 2.09 Ensure VPC flow logging is enabled in all VPCs (Scored)
• AWS > CIS v1 > 3 Monitoring
• AWS > CIS v1 > 3 Monitoring > 3.01 Ensure a log metric filter and alarm exist for unauthorized API calls (Scored)
• AWS > CIS v1 > 3 Monitoring > 3.02 Ensure a log metric filter and alarm exist for Management Console sign-in without MFA (Scored)
• AWS > CIS v1 > 3 Monitoring > 3.03 Ensure a log metric filter and alarm exist for usage of "root" account (Scored)
• AWS > CIS v1 > 3 Monitoring > 3.04 Ensure a log metric filter and alarm exist for IAM policy changes (Scored)
• AWS > CIS v1 > 3 Monitoring > 3.05 Ensure a log metric filter and alarm exist for CloudTrail configuration changes (Scored)
• AWS > CIS v1 > 3 Monitoring > 3.06 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (Scored)
• AWS > CIS v1 > 3 Monitoring > 3.07 Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs (Scored)
• AWS > CIS v1 > 3 Monitoring > 3.08 Ensure a log metric filter and alarm exist for S3 bucket policy changes (Scored)
• AWS > CIS v1 > 3 Monitoring > 3.09 Ensure a log metric filter and alarm exist for AWS Config configuration changes (Scored)
• AWS > CIS v1 > 3 Monitoring > 3.10 Ensure a log metric filter and alarm exist for security group changes (Scored)
• AWS > CIS v1 > 3 Monitoring > 3.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) (Scored)
• AWS > CIS v1 > 3 Monitoring > 3.12 Ensure a log metric filter and alarm exist for changes to network gateways (Scored)
• AWS > CIS v1 > 3 Monitoring > 3.13 Ensure a log metric filter and alarm exist for route table changes (Scored)
• AWS > CIS v1 > 3 Monitoring > 3.14 Ensure a log metric filter and alarm exist for VPC changes (Scored)
• AWS > CIS v1 > 4 Networking
• AWS > CIS v1 > 4 Networking > 4.01 Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 (Scored)
• AWS > CIS v1 > 4 Networking > 4.02 Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 (Scored)
• AWS > CIS v1 > 4 Networking > 4.03 Ensure the default security group of every VPC restricts all traffic (Scored)
• AWS > CIS v1 > 4 Networking > 4.04 Ensure routing tables for VPC peering are "least access" (Not Scored)
• AWS > CIS v1 > 4 Networking > 4.04 Ensure routing tables for VPC peering are "least access" (Not Scored) > Attestation
• AWS > CIS v1 > Maximum Attestation Duration

AWS > CIS v1

Configures a default auditing level against the Amazon Web Services Foundations Benchmark, Version 1.2

[
  "Skip",
  "Check: Level 1 (Scored)",
  "Check: Level 1 (Scored & Not Scored)",
  "Check: Level 1 & Level 2 (Scored)",
  "Check: Level 1 & Level 2 (Scored & Not Scored)"
]

{
  "type": "string",
  "enum": [
    "Skip",
    "Check: Level 1 (Scored)",
    "Check: Level 1 (Scored & Not Scored)",
    "Check: Level 1 & Level 2 (Scored)",
    "Check: Level 1 & Level 2 (Scored & Not Scored)"
  ],
  "default": "Skip"
}

AWS > CIS v1 > 1 Identity and Access Management

Covers recommendations addressing Identity and Access Management.

[
  "Skip"
]

{
  "type": "string",
  "enum": [
    "Skip"
  ],
  "example": [
    "Skip"
  ],
  "default": "Skip"
}

AWS > CIS v1 > 1 Identity and Access Management > 1.01 Avoid the use of the "root" account (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

The "root" account has unrestricted access to all resources in the AWS account. It is highly recommended that the use of this account be avoided.

[
  "Per AWS > CIS v1",
  "Skip",
  "Check: Level 1 (Scored)"
]

{
  "type": "string",
  "enum": [
    "Per AWS > CIS v1",
    "Skip",
    "Check: Level 1 (Scored)"
  ],
  "default": "Per AWS > CIS v1"
}

AWS > CIS v1 > 1 Identity and Access Management > 1.02 Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

Multi-Factor Authentication (MFA) adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. It is recommended that MFA be enabled for all accounts that have a console password.

[
  "Per AWS > CIS v1",
  "Skip",
  "Check: Level 1 (Scored)"
]

{
  "type": "string",
  "enum": [
    "Per AWS > CIS v1",
    "Skip",
    "Check: Level 1 (Scored)"
  ],
  "default": "Per AWS > CIS v1"
}

AWS > CIS v1 > 1 Identity and Access Management > 1.03 Ensure credentials unused for 90 days or greater are disabled (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all credentials that have been unused in 90 or greater days be removed or deactivated.

[
  "Per AWS > CIS v1",
  "Skip",
  "Check: Level 1 (Scored)"
]

{
  "type": "string",
  "enum": [
    "Per AWS > CIS v1",
    "Skip",
    "Check: Level 1 (Scored)"
  ],
  "default": "Per AWS > CIS v1"
}

AWS > CIS v1 > 1 Identity and Access Management > 1.04 Ensure access keys are rotated every 90 days or less (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. It is recommended that all access keys be regularly rotated.

[
  "Per AWS > CIS v1",
  "Skip",
  "Check: Level 1 (Scored)"
]

{
  "type": "string",
  "enum": [
    "Per AWS > CIS v1",
    "Skip",
    "Check: Level 1 (Scored)"
  ],
  "default": "Per AWS > CIS v1"
}

AWS > CIS v1 > 1 Identity and Access Management > 1.05 Ensure IAM password policy requires at least one uppercase letter (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one uppercase letter.

[
  "Per AWS > CIS v1",
  "Skip",
  "Check: Level 1 (Scored)"
]

{
  "type": "string",
  "enum": [
    "Per AWS > CIS v1",
    "Skip",
    "Check: Level 1 (Scored)"
  ],
  "default": "Per AWS > CIS v1"
}

AWS > CIS v1 > 1 Identity and Access Management > 1.06 Ensure IAM password policy require at least one lowercase letter (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one lowercase letter.

[
  "Per AWS > CIS v1",
  "Skip",
  "Check: Level 1 (Scored)"
]

{
  "type": "string",
  "enum": [
    "Per AWS > CIS v1",
    "Skip",
    "Check: Level 1 (Scored)"
  ],
  "default": "Per AWS > CIS v1"
}

AWS > CIS v1 > 1 Identity and Access Management > 1.07 Ensure IAM password policy require at least one symbol (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one symbol.

[
  "Per AWS > CIS v1",
  "Skip",
  "Check: Level 1 (Scored)"
]

{
  "type": "string",
  "enum": [
    "Per AWS > CIS v1",
    "Skip",
    "Check: Level 1 (Scored)"
  ],
  "default": "Per AWS > CIS v1"
}

AWS > CIS v1 > 1 Identity and Access Management > 1.08 Ensure IAM password policy require at least one number (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one number.

[
  "Per AWS > CIS v1",
  "Skip",
  "Check: Level 1 (Scored)"
]

{
  "type": "string",
  "enum": [
    "Per AWS > CIS v1",
    "Skip",
    "Check: Level 1 (Scored)"
  ],
  "default": "Per AWS > CIS v1"
}

AWS > CIS v1 > 1 Identity and Access Management > 1.09 Ensure IAM password policy requires minimum length of 14 or greater (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are at least a given length. It is recommended that the password policy require a minimum password length 14.

[
  "Per AWS > CIS v1",
  "Skip",
  "Check: Level 1 (Scored)"
]

{
  "type": "string",
  "enum": [
    "Per AWS > CIS v1",
    "Skip",
    "Check: Level 1 (Scored)"
  ],
  "default": "Per AWS > CIS v1"
}

AWS > CIS v1 > 1 Identity and Access Management > 1.10 Ensure IAM password policy prevents password reuse (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

IAM password policies can prevent the reuse of a given password by the same user. It is recommended that the password policy prevent the reuse of passwords.

[
  "Per AWS > CIS v1",
  "Skip",
  "Check: Level 1 (Scored)"
]

{
  "type": "string",
  "enum": [
    "Per AWS > CIS v1",
    "Skip",
    "Check: Level 1 (Scored)"
  ],
  "default": "Per AWS > CIS v1"
}

AWS > CIS v1 > 1 Identity and Access Management > 1.11 Ensure IAM password policy expires passwords within 90 days or less (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

IAM password policies can require passwords to be rotated or expired after a given number of days. It is recommended that the password policy expire passwords after 90 days or less.

[
  "Per AWS > CIS v1",
  "Skip",
  "Check: Level 1 (Scored)"
]

{
  "type": "string",
  "enum": [
    "Per AWS > CIS v1",
    "Skip",
    "Check: Level 1 (Scored)"
  ],
  "default": "Per AWS > CIS v1"
}

AWS > CIS v1 > 1 Identity and Access Management > 1.12 Ensure no root account access key exists (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

The root account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. It is recommended that all access keys associated with the root account be removed.

[
  "Per AWS > CIS v1",
  "Skip",
  "Check: Level 1 (Scored)"
]

{
  "type": "string",
  "enum": [
    "Per AWS > CIS v1",
    "Skip",
    "Check: Level 1 (Scored)"
  ],
  "default": "Per AWS > CIS v1"
}

AWS > CIS v1 > 1 Identity and Access Management > 1.13 Ensure MFA is enabled for the "root" account (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

The root account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device.

[
  "Per AWS > CIS v1",
  "Skip",
  "Check: Level 1 (Scored)"
]

{
  "type": "string",
  "enum": [
    "Per AWS > CIS v1",
    "Skip",
    "Check: Level 1 (Scored)"
  ],
  "default": "Per AWS > CIS v1"
}

AWS > CIS v1 > 1 Identity and Access Management > 1.14 Ensure hardware MFA is enabled for the "root" account (Scored)

Configures auditing against a CIS Benchmark item.

Level: 2 (Scored)

The root account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. For Level 2, it is recommended that the root account be protected with a hardware MFA.

[
  "Per AWS > CIS v1",
  "Skip",
  "Check: Level 2 (Scored)"
]

{
  "type": "string",
  "enum": [
    "Per AWS > CIS v1",
    "Skip",
    "Check: Level 2 (Scored)"
  ],
  "default": "Per AWS > CIS v1"
}

AWS > CIS v1 > 1 Identity and Access Management > 1.15 Ensure security questions are registered in the AWS account (Not Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Not Scored)

The AWS support portal allows account owners to establish security questions that can be used to authenticate individuals calling AWS customer service for support. It is recommended that security questions be established.

[
  "Per AWS > CIS v1 using attestation",
  "Skip",
  "Check: Level 1 (Not Scored) using attestation"
]

{
  "type": "string",
  "enum": [
    "Per AWS > CIS v1 using attestation",
    "Skip",
    "Check: Level 1 (Not Scored) using attestation"
  ],
  "default": "Per AWS > CIS v1 using attestation"
}

AWS > CIS v1 > 1 Identity and Access Management > 1.15 Ensure security questions are registered in the AWS account (Not Scored) > Attestation

By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.

Perform the following in the AWS Management Console:

1. Login to the AWS account as root
2. On the top right you will see the <Root_Account_Name>
3. Click on the <Root_Account_Name>
4. From the drop-down menu Click My Account
5. In the Configure Security Challenge Questions section on the Personal Information page, configure three security challenge questions.
6. Click Save questions .

Once verified, enter the date that this attestation expires. Note that the date can not be further in the future than is specified in AWS > CIS v1 > Maximum Attestation Duration. Set to a blank value to clear the attestation.

{
  "type": "string",
  "format": "date-time",
  "default": ""
}

AWS > CIS v1 > 1 Identity and Access Management > 1.16 Ensure IAM policies are attached only to groups or roles (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

By default, IAM users, groups, and roles have no access to AWS resources. IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended that IAM policies be applied directly to groups and roles but not users.

[
  "Per AWS > CIS v1",
  "Skip",
  "Check: Level 1 (Scored)"
]

{
  "type": "string",
  "enum": [
    "Per AWS > CIS v1",
    "Skip",
    "Check: Level 1 (Scored)"
  ],
  "default": "Per AWS > CIS v1"
}

AWS > CIS v1 > 1 Identity and Access Management > 1.17 Maintain current contact details (Not Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Not Scored)

Ensure contact email and telephone details for AWS accounts are current and map to more than one individual in your organization. An AWS account supports a number of contact details, and AWS will use these to contact the account owner if activity judged to be in breach of Acceptable Use Policy or indicative of likely security compromise is observed by the AWS Abuse team. Contact details should not be for a single individual, as circumstances may arise where that individual is unavailable. Email contact details should point to a mail alias which forwards email to multiple individuals within the organization; where feasible, phone contact details should point to a PABX hunt group or other call-forwarding system.

[
  "Per AWS > CIS v1 using attestation",
  "Skip",
  "Check: Level 1 (Not Scored) using attestation"
]

{
  "type": "string",
  "enum": [
    "Per AWS > CIS v1 using attestation",
    "Skip",
    "Check: Level 1 (Not Scored) using attestation"
  ],
  "default": "Per AWS > CIS v1 using attestation"
}

AWS > CIS v1 > 1 Identity and Access Management > 1.17 Maintain current contact details (Not Scored) > Attestation

By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.

This activity can only be performed via the AWS Console, with a user who has permission to read and write Billing information (aws-portal:*Billing ).

• Sign in to the AWS Management Console and open the Billing and Cost Management console at https://console.aws.amazon.com/billing/home#/.
• On the navigation bar, choose your account name, and then choose My Account.
• On the Account Settings page, review and verify the current details.
• Under Contact Information, review and verify the current details.

Once verified, enter the date that this attestation expires. Note that the date can not be further in the future than is specified in AWS > CIS v1 > Maximum Attestation Duration. Set to a blank value to clear the attestation.

{
  "type": "string",
  "format": "date-time",
  "default": ""
}

AWS > CIS v1 > 1 Identity and Access Management > 1.18 Ensure security contact information is registered (Not Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Not Scored)

AWS provides customers with the option of specifying the contact information for account's security team. It is recommended that this information be provided.

[
  "Per AWS > CIS v1 using attestation",
  "Skip",
  "Check: Level 1 (Not Scored) using attestation"
]

{
  "type": "string",
  "enum": [
    "Per AWS > CIS v1 using attestation",
    "Skip",
    "Check: Level 1 (Not Scored) using attestation"
  ],
  "default": "Per AWS > CIS v1 using attestation"
}

AWS > CIS v1 > 1 Identity and Access Management > 1.18 Ensure security contact information is registered (Not Scored) > Attestation

By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.

Perform the following in the AWS Management Console to determine if security contact information is present:

1. Click on your account name at the top right corner of the console
2. From the drop-down menu Click My Account
3. Scroll down to the Alternate Contacts section
4. Ensure contact information is specified in the Security section

Once verified, enter the date that this attestation expires. Note that the date can not be further in the future than is specified in AWS > CIS v1 > Maximum Attestation Duration. Set to a blank value to clear the attestation.

{
  "type": "string",
  "format": "date-time",
  "default": ""
}

AWS > CIS v1 > 1 Identity and Access Management > 1.19 Ensure IAM instance roles are used for AWS resource access from instances (Not Scored)

Configures auditing against a CIS Benchmark item.

Level: 2 (Not Scored)

AWS access from within AWS instances can be done by either encoding AWS keys into AWS API calls or by assigning the instance to a role which has an appropriate permissions policy for the required access. "AWS Access" means accessing the APIs of AWS in order to access AWS resources or manage AWS account resources.

[
  "Per AWS > CIS v1 using attestation",
  "Skip",
  "Check: Level 2 (Not Scored) using attestation"
]

{
  "type": "string",
  "enum": [
    "Per AWS > CIS v1 using attestation",
    "Skip",
    "Check: Level 2 (Not Scored) using attestation"
  ],
  "default": "Per AWS > CIS v1 using attestation"
}

AWS > CIS v1 > 1 Identity and Access Management > 1.19 Ensure IAM instance roles are used for AWS resource access from instances (Not Scored) > Attestation

By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.

Whether an Instance Is Associated With a Role For instances that are known to perform AWS actions, ensure that they belong to an instance role that has the necessary permissions:

1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings)
2. Open the EC2 Dashboard and choose "Instances"
3. Click the EC2 instance that performs AWS actions, in the lower pane details find "IAM Role"
4. If the Role is blank, the instance is not assigned to one.
5. If the Role is filled in, it does not mean the instance might not also have credentials encoded on it for some activities. Whether an Instance Contains Embedded Credentials On the instance that is known to perform AWS actions, audit all scripts and environment variables to ensure that none of them contain AWS credentials. Whether an Instance Application Contains Embedded Credentials Applications that run on an instance may also have credentials embedded. This is a bad practice, but even worse if the source code is stored in a public code repository such as github. When an application contains credentials can be determined by eliminating all other sources of credentials and if the application can still access AWS resources - it likely contains embedded credentials. Another method is to examine all source code and configuration files of the application.

Once verified, enter the date that this attestation expires. Note that the date can not be further in the future than is specified in AWS > CIS v1 > Maximum Attestation Duration. Set to a blank value to clear the attestation.

{
  "type": "string",
  "format": "date-time",
  "default": ""
}

AWS > CIS v1 > 1 Identity and Access Management > 1.21 Do not setup access keys during initial user setup for all IAM users that have a console password (Not Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Not Scored)

AWS console defaults the checkbox for creating access keys to enabled. This results in many access keys being generated unnecessarily. In addition to unnecessary credentials, it also generates unnecessary management work in auditing and rotating these keys.

[
  "Per AWS > CIS v1",
  "Skip",
  "Check: Level 1 (Not Scored)"
]

{
  "type": "string",
  "enum": [
    "Per AWS > CIS v1",
    "Skip",
    "Check: Level 1 (Not Scored)"
  ],
  "default": "Per AWS > CIS v1"
}

AWS > CIS v1 > 1 Identity and Access Management > 1.22 Ensure IAM policies that allow full ":"; administrative privileges are not created (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended and considered a standard security advice to grant least privilege—that is, granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform only those tasks, instead of allowing full administrative privileges.

[
  "Per AWS > CIS v1",
  "Skip",
  "Check: Level 1 (Scored)"
]

{
  "type": "string",
  "enum": [
    "Per AWS > CIS v1",
    "Skip",
    "Check: Level 1 (Scored)"
  ],
  "default": "Per AWS > CIS v1"
}

AWS > CIS v1 > 2 Logging

Covers recommendations addressing Logging.

[
  "Skip"
]

{
  "type": "string",
  "enum": [
    "Skip"
  ],
  "example": [
    "Skip"
  ],
  "default": "Skip"
}

AWS > CIS v1 > 2 Logging > 2.01 Ensure CloudTrail is enabled in all regions (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an account, including API calls made via the Management Console, SDKs, command line tools, and higher-level AWS services (such as CloudFormation).

[
  "Per AWS > CIS v1",
  "Skip",
  "Check: Level 1 (Scored)"
]

{
  "type": "string",
  "enum": [
    "Per AWS > CIS v1",
    "Skip",
    "Check: Level 1 (Scored)"
  ],
  "default": "Per AWS > CIS v1"
}

AWS > CIS v1 > 2 Logging > 2.02 Ensure CloudTrail log file validation is enabled (Scored)

Configures auditing against a CIS Benchmark item.

Level: 2 (Scored)

CloudTrail log file validation creates a digitally signed digest file containing a hash of each log that CloudTrail writes to S3. These digest files can be used to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log. It is recommended that file validation be enabled on all CloudTrails.

[
  "Per AWS > CIS v1",
  "Skip",
  "Check: Level 2 (Scored)"
]

{
  "type": "string",
  "enum": [
    "Per AWS > CIS v1",
    "Skip",
    "Check: Level 2 (Scored)"
  ],
  "default": "Per AWS > CIS v1"
}

AWS > CIS v1 > 2 Logging > 2.03 Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

CloudTrail logs a record of every API call made in your AWS account. These logs file are stored in an S3 bucket. It is recommended that the bucket policy, or access control list (ACL), applied to the S3 bucket that CloudTrail logs to prevents public access to the CloudTrail logs.

[
  "Per AWS > CIS v1",
  "Skip",
  "Check: Level 1 (Scored)"
]

{
  "type": "string",
  "enum": [
    "Per AWS > CIS v1",
    "Skip",
    "Check: Level 1 (Scored)"
  ],
  "default": "Per AWS > CIS v1"
}

AWS > CIS v1 > 2 Logging > 2.04 Ensure CloudTrail trails are integrated with CloudWatch Logs (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

AWS CloudTrail is a web service that records AWS API calls made in a given AWS account. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail uses Amazon S3 for log file storage and delivery, so log files are stored durably. In addition to capturing CloudTrail logs within a specified S3 bucket for long term analysis, realtime analysis can be performed by configuring CloudTrail to send logs to CloudWatch Logs. For a trail that is enabled in all regions in an account, CloudTrail sends log files from all those regions to a CloudWatch Logs log group. It is recommended that CloudTrail logs be sent to CloudWatch Logs.

[
  "Per AWS > CIS v1",
  "Skip",
  "Check: Level 1 (Scored)"
]

{
  "type": "string",
  "enum": [
    "Per AWS > CIS v1",
    "Skip",
    "Check: Level 1 (Scored)"
  ],
  "default": "Per AWS > CIS v1"
}

AWS > CIS v1 > 2 Logging > 2.05 Ensure AWS Config is enabled in all regions (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), any configuration changes between resources. It is recommended to enable AWS Config be enabled in all regions.

[
  "Per AWS > CIS v1",
  "Skip",
  "Check: Level 1 (Scored)"
]

{
  "type": "string",
  "enum": [
    "Per AWS > CIS v1",
    "Skip",
    "Check: Level 1 (Scored)"
  ],
  "default": "Per AWS > CIS v1"
}

AWS > CIS v1 > 2 Logging > 2.06 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

S3 Bucket Access Logging generates a log that contains access records for each request made to your S3 bucket. An access log record contains details about the request, such as the request type, the resources specified in the request worked, and the time and date the request was processed. It is recommended that bucket access logging be enabled on the CloudTrail S3 bucket.

[
  "Per AWS > CIS v1",
  "Skip",
  "Check: Level 1 (Scored)"
]

{
  "type": "string",
  "enum": [
    "Per AWS > CIS v1",
    "Skip",
    "Check: Level 1 (Scored)"
  ],
  "default": "Per AWS > CIS v1"
}

AWS > CIS v1 > 2 Logging > 2.07 Ensure CloudTrail logs are encrypted at rest using KMS CMKs (Scored)

Configures auditing against a CIS Benchmark item.

Level: 2 (Scored)

AWS CloudTrail is a web service that records AWS API calls for an account and makes those logs available to users and resources in accordance with IAM policies. AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data, and uses Hardware Security Modules (HSMs) to protect the security of encryption keys. CloudTrail logs can be configured to leverage server side encryption (SSE) and KMS customer created master keys (CMK) to further protect CloudTrail logs. It is recommended that CloudTrail be configured to use SSE-KMS.

[
  "Per AWS > CIS v1",
  "Skip",
  "Check: Level 2 (Scored)"
]

{
  "type": "string",
  "enum": [
    "Per AWS > CIS v1",
    "Skip",
    "Check: Level 2 (Scored)"
  ],
  "default": "Per AWS > CIS v1"
}

AWS > CIS v1 > 2 Logging > 2.08 Ensure rotation for customer created CMKs is enabled (Scored)

Configures auditing against a CIS Benchmark item.

Level: 2 (Scored)

AWS Key Management Service (KMS) allows customers to rotate the backing key which is key material stored within the KMS which is tied to the key ID of the Customer Created customer master key (CMK). It is the backing key that is used to perform cryptographic operations such as encryption and decryption. Automated key rotation currently retains all prior backing keys so that decryption of encrypted data can take place transparently. It is recommended that CMK key rotation be enabled.

[
  "Per AWS > CIS v1",
  "Skip",
  "Check: Level 2 (Scored)"
]

{
  "type": "string",
  "enum": [
    "Per AWS > CIS v1",
    "Skip",
    "Check: Level 2 (Scored)"
  ],
  "default": "Per AWS > CIS v1"
}

AWS > CIS v1 > 2 Logging > 2.09 Ensure VPC flow logging is enabled in all VPCs (Scored)

Configures auditing against a CIS Benchmark item.

Level: 2 (Scored)

VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. It is recommended that VPC Flow Logs be enabled for packet "Rejects" for VPCs.

[
  "Per AWS > CIS v1",
  "Skip",
  "Check: Level 2 (Scored)"
]

{
  "type": "string",
  "enum": [
    "Per AWS > CIS v1",
    "Skip",
    "Check: Level 2 (Scored)"
  ],
  "default": "Per AWS > CIS v1"
}

AWS > CIS v1 > 3 Monitoring

Covers recommendations addressing Monitoring.

[
  "Skip"
]

{
  "type": "string",
  "enum": [
    "Skip"
  ],
  "example": [
    "Skip"
  ],
  "default": "Skip"
}

AWS > CIS v1 > 3 Monitoring > 3.01 Ensure a log metric filter and alarm exist for unauthorized API calls (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for unauthorized API calls.

[
  "Per AWS > CIS v1",
  "Skip",
  "Check: Level 1 (Scored)"
]

{
  "type": "string",
  "enum": [
    "Per AWS > CIS v1",
    "Skip",
    "Check: Level 1 (Scored)"
  ],
  "default": "Per AWS > CIS v1"
}

AWS > CIS v1 > 3 Monitoring > 3.02 Ensure a log metric filter and alarm exist for Management Console sign-in without MFA (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for console logins that are not protected by multi-factor authentication (MFA).

[
  "Per AWS > CIS v1",
  "Skip",
  "Check: Level 1 (Scored)"
]

{
  "type": "string",
  "enum": [
    "Per AWS > CIS v1",
    "Skip",
    "Check: Level 1 (Scored)"
  ],
  "default": "Per AWS > CIS v1"
}

AWS > CIS v1 > 3 Monitoring > 3.03 Ensure a log metric filter and alarm exist for usage of "root" account (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for root login attempts.

[
  "Per AWS > CIS v1",
  "Skip",
  "Check: Level 1 (Scored)"
]

{
  "type": "string",
  "enum": [
    "Per AWS > CIS v1",
    "Skip",
    "Check: Level 1 (Scored)"
  ],
  "default": "Per AWS > CIS v1"
}

AWS > CIS v1 > 3 Monitoring > 3.04 Ensure a log metric filter and alarm exist for IAM policy changes (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established changes made to Identity and Access Management (IAM) policies.

[
  "Per AWS > CIS v1",
  "Skip",
  "Check: Level 1 (Scored)"
]

{
  "type": "string",
  "enum": [
    "Per AWS > CIS v1",
    "Skip",
    "Check: Level 1 (Scored)"
  ],
  "default": "Per AWS > CIS v1"
}

AWS > CIS v1 > 3 Monitoring > 3.05 Ensure a log metric filter and alarm exist for CloudTrail configuration changes (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail&#39;s configurations.

[
  "Per AWS > CIS v1",
  "Skip",
  "Check: Level 1 (Scored)"
]

{
  "type": "string",
  "enum": [
    "Per AWS > CIS v1",
    "Skip",
    "Check: Level 1 (Scored)"
  ],
  "default": "Per AWS > CIS v1"
}

AWS > CIS v1 > 3 Monitoring > 3.06 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (Scored)

Configures auditing against a CIS Benchmark item.

Level: 2 (Scored)

Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for failed console authentication attempts.

[
  "Per AWS > CIS v1",
  "Skip",
  "Check: Level 2 (Scored)"
]

{
  "type": "string",
  "enum": [
    "Per AWS > CIS v1",
    "Skip",
    "Check: Level 2 (Scored)"
  ],
  "default": "Per AWS > CIS v1"
}

AWS > CIS v1 > 3 Monitoring > 3.07 Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs (Scored)

Configures auditing against a CIS Benchmark item.

Level: 2 (Scored)

Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for customer created CMKs which have changed state to disabled or scheduled deletion.

[
  "Per AWS > CIS v1",
  "Skip",
  "Check: Level 2 (Scored)"
]

{
  "type": "string",
  "enum": [
    "Per AWS > CIS v1",
    "Skip",
    "Check: Level 2 (Scored)"
  ],
  "default": "Per AWS > CIS v1"
}

AWS > CIS v1 > 3 Monitoring > 3.08 Ensure a log metric filter and alarm exist for S3 bucket policy changes (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for changes to S3 bucket policies.

[
  "Per AWS > CIS v1",
  "Skip",
  "Check: Level 1 (Scored)"
]

{
  "type": "string",
  "enum": [
    "Per AWS > CIS v1",
    "Skip",
    "Check: Level 1 (Scored)"
  ],
  "default": "Per AWS > CIS v1"
}

AWS > CIS v1 > 3 Monitoring > 3.09 Ensure a log metric filter and alarm exist for AWS Config configuration changes (Scored)

Configures auditing against a CIS Benchmark item.

Level: 2 (Scored)

Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail&#39;s configurations.

[
  "Per AWS > CIS v1",
  "Skip",
  "Check: Level 2 (Scored)"
]

{
  "type": "string",
  "enum": [
    "Per AWS > CIS v1",
    "Skip",
    "Check: Level 2 (Scored)"
  ],
  "default": "Per AWS > CIS v1"
}

AWS > CIS v1 > 3 Monitoring > 3.10 Ensure a log metric filter and alarm exist for security group changes (Scored)

Configures auditing against a CIS Benchmark item.

Level: 2 (Scored)

Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Groups are a stateful packet filter that controls ingress and egress traffic within a VPC. It is recommended that a metric filter and alarm be established changes to Security Groups.

[
  "Per AWS > CIS v1",
  "Skip",
  "Check: Level 2 (Scored)"
]

{
  "type": "string",
  "enum": [
    "Per AWS > CIS v1",
    "Skip",
    "Check: Level 2 (Scored)"
  ],
  "default": "Per AWS > CIS v1"
}

AWS > CIS v1 > 3 Monitoring > 3.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) (Scored)

Configures auditing against a CIS Benchmark item.

Level: 2 (Scored)

Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. NACLs are used as a stateless packet filter to control ingress and egress traffic for subnets within a VPC. It is recommended that a metric filter and alarm be established for changes made to NACLs.

[
  "Per AWS > CIS v1",
  "Skip",
  "Check: Level 2 (Scored)"
]

{
  "type": "string",
  "enum": [
    "Per AWS > CIS v1",
    "Skip",
    "Check: Level 2 (Scored)"
  ],
  "default": "Per AWS > CIS v1"
}

AWS > CIS v1 > 3 Monitoring > 3.12 Ensure a log metric filter and alarm exist for changes to network gateways (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Network gateways are required to send/receive traffic to a destination outside of a VPC. It is recommended that a metric filter and alarm be established for changes to network gateways.

[
  "Per AWS > CIS v1",
  "Skip",
  "Check: Level 1 (Scored)"
]

{
  "type": "string",
  "enum": [
    "Per AWS > CIS v1",
    "Skip",
    "Check: Level 1 (Scored)"
  ],
  "default": "Per AWS > CIS v1"
}

AWS > CIS v1 > 3 Monitoring > 3.13 Ensure a log metric filter and alarm exist for route table changes (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Routing tables are used to route network traffic between subnets and to network gateways. It is recommended that a metric filter and alarm be established for changes to route tables.

[
  "Per AWS > CIS v1",
  "Skip",
  "Check: Level 1 (Scored)"
]

{
  "type": "string",
  "enum": [
    "Per AWS > CIS v1",
    "Skip",
    "Check: Level 1 (Scored)"
  ],
  "default": "Per AWS > CIS v1"
}

AWS > CIS v1 > 3 Monitoring > 3.14 Ensure a log metric filter and alarm exist for VPC changes (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is possible to have more than 1 VPC within an account, in addition it is also possible to create a peer connection between 2 VPCs enabling network traffic to route between VPCs. It is recommended that a metric filter and alarm be established for changes made to VPCs.

[
  "Per AWS > CIS v1",
  "Skip",
  "Check: Level 1 (Scored)"
]

{
  "type": "string",
  "enum": [
    "Per AWS > CIS v1",
    "Skip",
    "Check: Level 1 (Scored)"
  ],
  "default": "Per AWS > CIS v1"
}

AWS > CIS v1 > 4 Networking

Covers recommendations addressing Networking.

[
  "Skip"
]

{
  "type": "string",
  "enum": [
    "Skip"
  ],
  "example": [
    "Skip"
  ],
  "default": "Skip"
}

AWS > CIS v1 > 4 Networking > 4.01 Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to port 22.

[
  "Per AWS > CIS v1",
  "Skip",
  "Check: Level 1 (Scored)"
]

{
  "type": "string",
  "enum": [
    "Per AWS > CIS v1",
    "Skip",
    "Check: Level 1 (Scored)"
  ],
  "default": "Per AWS > CIS v1"
}

AWS > CIS v1 > 4 Networking > 4.02 Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to port 3389.

[
  "Per AWS > CIS v1",
  "Skip",
  "Check: Level 1 (Scored)"
]

{
  "type": "string",
  "enum": [
    "Per AWS > CIS v1",
    "Skip",
    "Check: Level 1 (Scored)"
  ],
  "default": "Per AWS > CIS v1"
}

AWS > CIS v1 > 4 Networking > 4.03 Ensure the default security group of every VPC restricts all traffic (Scored)

Configures auditing against a CIS Benchmark item.

Level: 2 (Scored)

A VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that the default security group restrict all traffic. The default VPC in every region should have its default security group updated to comply. Any newly created VPCs will automatically contain a default security group that will need remediation to comply with this recommendation.

[
  "Per AWS > CIS v1",
  "Skip",
  "Check: Level 2 (Scored)"
]

{
  "type": "string",
  "enum": [
    "Per AWS > CIS v1",
    "Skip",
    "Check: Level 2 (Scored)"
  ],
  "default": "Per AWS > CIS v1"
}

AWS > CIS v1 > 4 Networking > 4.04 Ensure routing tables for VPC peering are "least access" (Not Scored)

Configures auditing against a CIS Benchmark item.

Level: 2 (Not Scored)

Once a VPC peering connection is established, routing tables must be updated to establish any connections between the peered VPCs. These routes can be as specific as desired - even peering a VPC to only a single host on the other side of the connection.

[
  "Per AWS > CIS v1 using attestation",
  "Skip",
  "Check: Level 2 (Not Scored) using attestation"
]

{
  "type": "string",
  "enum": [
    "Per AWS > CIS v1 using attestation",
    "Skip",
    "Check: Level 2 (Not Scored) using attestation"
  ],
  "default": "Per AWS > CIS v1 using attestation"
}

AWS > CIS v1 > 4 Networking > 4.04 Ensure routing tables for VPC peering are "least access" (Not Scored) > Attestation

By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.

Review routing tables of peered VPCs for whether they route all subnets of each VPC and whether that is necessary to accomplish the intended purposes for peering the VPCs. Via CLI: List all the route tables from a VPC and check if "GatewayId" is pointing to a <peering_connection_id> (e.g. pcx-1a2b3c4d) and if "DestinationCidrBlock" is as specific as desired. aws ec2 describe-route-tables --filter "Name=vpc-id,Values=<vpc_id>" --query "RouteTables[*].{RouteTableId:RouteTableId, VpcId:VpcId, Routes:Routes, AssociatedSubnets:Associations[*].SubnetId}"

Once verified, enter the date that this attestation expires. Note that the date can not be further in the future than is specified in AWS > CIS v1 > Maximum Attestation Duration. Set to a blank value to clear the attestation.

{
  "type": "string",
  "format": "date-time",
  "default": ""
}

AWS > CIS v1 > Maximum Attestation Duration

The maximum duration for CIS Attestations. Attestation policies can not be set further in the future than is specified here

[
  "Skip",
  "30 days",
  "60 days",
  "90 days",
  "1 year",
  "2 years",
  "3 years"
]

{
  "type": "string",
  "enum": [
    "Skip",
    "30 days",
    "60 days",
    "90 days",
    "1 year",
    "2 years",
    "3 years"
  ],
  "default": "Skip"
}