| Name | Description | Service | Rule |
|---|---|---|---|
| Ensure that no inline policy is attached to an IAMUser | IAMUsers should not have any Inline policy attached to them. |
IAM |
IAMUser should not have Policies . Inline len ( ) > 0 |
| Ensure that an IAMUser has no more than 1 Active API Key | IAMUsers should not have multiple active API keys |
IAM |
IAMUser should not have every AccessKey with [ Active eq true] |
| Ensure there is only one active access key available for any single IAM user | Access keys are long-term credentials for an IAM user or the AWS account 'root' user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK) |
IAM |
IAMUser should not have every AccessKey with [ Active eq true] and AccessKey len() gt 1 |
| Ensure unused role for EC2Instance does not exist | IAMRoles which are not attached to any EC2Instance should not exist. |
IAM |
IAMRole should not have InstanceProfile with [ InstanceCount eq 0 ] |
| IAM customer managed policies should not allow decryption and re-encryption actions on all KMS keys | Checks whether the default version of IAM customer managed policies allow principals to use the AWS KMS decryption actions on all resources |
IAM |
IAMPolicy where Type eq "Customer Managed" should not have Permissions . Statements with [ Effect eq "Allow" and Action with [ value in ("kms:Decrypt", "kms:ReEncryptFrom") ] and Resource with [ value eq "*" ] ] |
| Name | Description | Service | Rule |
|---|---|---|---|
| Remote access: Ensure no root account access key exists. | The root account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. It is recommended that all access keys associated with the root account be removed. |
IAM |
IAMUser where RootUser eq True should not have AccessKey with [ Active eq True ] |
| Remote access: Ensure access keys are rotated every 90 days or less. | Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. It is recommended that all access keys be regularly rotated. |
IAM |
IAMUser should not have AccessKey with [ Active and LastRotatedTime isEarlierThan ( -90 , "days" ) ] |
| Remote access: Ensure access keys unused for 90 days or greater are disabled | AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all access keys that have been unused in 90 or greater days be disabled. |
IAM |
IAMUser where RootUser eq False should not have AccessKey with [ Active and LastUsedTime isEarlierThan ( -90, "days" ) ] |
| Access permissions and authorizations: Ensure IAM policies that allow full "*:*" administrative privileges are not created. | IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended and considered a standard security advice to grant least privilege — that is, granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform only those tasks, instead of allowing full administrative privileges. |
IAM |
IAMPolicy should not have Permissions . Statements with [ Action with [ value eq "*" ] and Resource with [ value eq "*" ] and Effect eq "Allow" ] and ( AttachedEntities . Groups len ( ) gt 0 or AttachedEntities . Roles len ( ) gt 0 or AttachedEntities . Users len ( ) gt 0 ) |
| IAM Policies for iam:PassRole permission with Resource '*' is attached to an IAM entity | Make sure the IAM policy with iam:PassRole and Resource '*' is not attached to any IAM entity (User, Role, Group). This rule is created by Netskope with the intent of surfacing higher priority findings from regular IAM compliance checks by requiring the vulnerable policy to be attached to an IAM entity. |
IAM |
IAMPolicy should not have Permissions . Statements with [ Action with [ value eq "iam:PassRole"] and Resource with [ value eq "*" ] ] and ( AttachedEntities . Groups len ( ) > 0 or AttachedEntities . Roles len ( ) > 0 or AttachedEntities . Users len ( ) > 0 ) |
| IAM principals should not have IAM Group inline policies that allow decryption and re-encryption actions on all KMS keys | Checks whether the inline policies that are embedded in your IAM group allow the AWS KMS decryption and re-encryption actions on all KMS keys |
IAM |
IAMGroup should not have GroupPolicy . InlinePolicies with [ PolicyDocument . Statement with [ Effect eq "Allow" and Action with [ value in ("kms:Decrypt", "kms:ReEncryptFrom") ] and Resource with [ value eq "*" ] ] ] |
| IAM principals should not have IAM Role inline policies that allow decryption and re-encryption actions on all KMS keys | Checks whether the inline policies that are embedded in your IAM role allow the AWS KMS decryption and re-encryption actions on all KMS keys |
IAM |
IAMRole should not have Policies . Inline with [ PolicyDocument . Statements with [ Effect eq "Allow" and Action with [ value in ("kms:Decrypt", "kms:ReEncryptFrom") ] and Resource with [ value eq "*" ] ] ] |
| IAM principals should not have IAM User inline policies that allow decryption and re-encryption actions on all KMS keys | Checks whether the inline policies that are embedded in your IAM user allow the AWS KMS decryption and re-encryption actions on all KMS keys |
IAM |
IAMUser should not have Policies . Inline with [ PolicyDocument . Statements with [ Effect eq "Allow" and Action with [ value in ("kms:Decrypt", "kms:ReEncryptFrom") ] and Resource with [ value eq "*" ] ] ] |
| Establish an access control system(s) : IAM Policies with Effect Allow and NotActions | Establish an access control system(s) for systems components that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed. |
IAM |
IAMPolicy should not have Permissions . Statements with [ Effect eq "Allow" and ( NotAction len ( ) gt 0 or Action with [ value eq "*" ] ) ] and ( AttachedEntities . Groups len ( ) gt 0 or AttachedEntities . Roles len ( ) gt 0 or AttachedEntities . Users len ( ) gt 0 ) |
| Ensure no user has the AdministratorAccess policy | Ensure users are not attached to the overly-privileged AdministratorAccess IAM policy. |
IAM |
IAMUser should not have Policies . Managed with [ Permissions . Statements with [ Effect eq "Allow" and Resource with [ value eq "*" ] and Action with [ value eq "*" ] ] ] or Policies . Inline with [ PolicyDocument . Statements with [ Effect eq "Allow" and Resource with [ value eq "*" ] and Action with [ value eq "*" ] ] ] |
| Establish an access control system(s) : IAM Policies with Effect as Allow and Action with sts:AssumeRole for CrossAccountArn | Establish an access control system(s) for IAM AssumeRole Policies having cross account ARN to have condition specifying “sts:ExternalId” |
IAM |
IAMRole where AssumeRolePolicy . CrossAccountArn eq True should have AssumeRolePolicy . Statement with [ Conditions with [ Condition eq "StringEquals" and Name eq "sts:ExternalId" and Value len() gt 0 ]] |
| IAM customer managed policies that you create should not allow wildcard actions for services | This control checks whether the IAM identity-based policies that you create have Allow statements that use the * wildcard to grant permissions for all actions on any service |
IAM |
IAMPolicy where Type eq "Customer Managed" should not have Permissions . Statements with [ Effect eq "Allow" and ( NotAction with [ value like "\:\*$" ] or Action with [ value like "\:\*$" ] ) ] |
| Authentication: Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password | Multi-Factor Authentication (MFA) adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. It is recommended that MFA be enabled for all accounts that have a console password. |
IAM |
IAMUser where ( RootUser eq false and Password . Enabled eq true ) should have MFAActive eq true |
| Authentication: Ensure hardware MFA is enabled for the "root" account. | The root account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. For Level 2, it is recommended that the root account be protected with a hardware MFA. |
IAM |
IAMUser where RootUser eq True should have MFAActive eq true and MFADevices . Physical len ( ) gt 0 |
| GuardDuty should be enabled | This control checks whether Amazon GuardDuty is enabled in your GuardDuty account and Region. |
GuardDuty |
GuardDutyDetector should have Status eq "ENABLED" |
| Name | Description | Service | Rule |
|---|---|---|---|
| Ensure Lambda execution role has permissions to log to CloudWatch. | Ensure Lambda execution role has permissions to log to CloudWatch. |
Lambda |
Lambda should have IAMRole . Policies . Inline with [ PolicyDocument . Statements with [ Effect eq "Allow" and Resource len ( ) gt 0 and Action with [ value eq "logs:CreateLogGroup" ] ] and PolicyDocument . Statements with [ Effect eq "Allow" and Resource len ( ) gt 0 and Action with [ value eq "logs:CreateLogStream" ] ] and PolicyDocument . Statements with [ Effect eq "Allow" and Resource len ( ) gt 0 and Action with [ value eq "logs:PutLogEvents" ] ] ] or IAMRole . Policies . Managed with [ Permissions . Statements with [ Effect eq "Allow" and Resource len ( ) gt 0 and Action with [ value eq "logs:CreateLogGroup" ] ] and Permissions . Statements with [ Effect eq "Allow" and Resource len ( ) gt 0 and Action with [ value eq "logs:CreateLogStream" ] ] and Permissions . Statements with [ Effect eq "Allow" and Resource len ( ) gt 0 and Action with [ value eq "logs:PutLogEvents" ] ] ] |
| Ensure EBS Snapshots are encrypted. | Ensure EBS Snapshots are encrypted |
EC2Instance |
Snapshots should have Encrypted |
| Ensure unattached EBS volumes are removed. | Ensure unattached EBS volumes are removed. |
EC2Instance |
Volume should not have Attachments len ( ) eq 0 |
| EBS default encryption should be enabled | This control checks whether account-level encryption is enabled by default for Amazon Elastic Block Store(Amazon EBS) |
EC2 |
Volume should have EbsEncryptionByDefault |
| EC2 instances should be managed by AWS Systems Manager | This control checks whether the stopped and running EC2 instances in the account are managed by AWS Systems Manager. Systems Manager is an AWS service that can be used to view and control the AWS infrastructure. |
EC2 |
EC2Instance should have SSMInformation len () gt 0 |
| Ensure Image Vulnerability Scanning using Amazon ECR image scanning or a third party provider. | Scan images being deployed to Amazon EKS for vulnerabilities. |
ECRRepository |
ECRRepository should have ImageScanningConfiguration.ScanOnPush |
| Name | Description | Service | Rule |
|---|---|---|---|
| Ensure Lambda functions do not have administrative level execution privileges. | Ensure Lambda functions do not have administrative level execution privileges |
Lambda |
Lambda should not have AdminPrivileges eq True |
| Ensure Lambda execution role does not have IAM admin permissions. | Ensure Lambda execution role does not have IAM admin permissions. |
Lambda |
Lambda should not have IAMRole . Policies . Inline with [ PolicyDocument . Statements with [ Effect eq "Allow" and Resource with [ value eq "*" ] and Action with [ value eq "iam:*" ] ] ] or IAMRole . Policies . Managed with [ Permissions . Statements with [ Effect eq "Allow" and Resource with [ value eq "*" ] and Action with [ value eq "iam:*" ] ] ] |
| Lambda function policies should prohibit public access | This control checks whether the Lambda function resource-based policy prohibits public access outside of your account |
Lambda |
Lambda should not have ResourceBasedIAMPolicy . Statements with [ Effect eq "Allow" and Principal with [ value eq "*"] ] |
| Data-in-transit is protected: Ensure encryption in transit is enabled for lambda functions using environmental variables. | Ensure encryption in transit is enabled for lambda functions using environmental variables. |
Lambda |
Lambda where ( Environment len() > 0 ) should have KMSKey . Enabled |
| Ensure Lambda execution role does not have full admin permissions. | Ensure Lambda execution role does not have full admin permissions. |
Lambda |
Lambda should not have IAMRole . Policies . Inline with [ PolicyDocument . Statements with [ Effect eq "Allow" and Resource with [ value eq "*" ] and Action with [ value eq "*" ] ] ] or IAMRole . Policies . Managed with [ Permissions . Statements with [ Effect eq "Allow" and Resource with [ value eq "*" ] and Action with [ value eq "*" ] ] ] |
| Attached EBS volumes should be encrypted at rest | This control checks whether the EBS volumes that are in an attached state are encrypted |
EC2 |
Volume where Attachments len () gt 0 should have Encrypted |
| EC2 instances should use IMDSv2 | This control checks whether your EC2 instance metadata version is configured with Instance Metadata Service Version 2 (IMDSv2) |
EC2 |
EC2Instance should have MetadataOptions.HttpTokens eq "required" |
| Lambda function s3 invoked policies should prohibit public access | This control checks whether the Lambda function resource-based s3 invoked policy prohibits public access outside of your account. The control also fails if a Lambda function is invoked from Amazon S3 and the policy does not include a condition for AWS:SourceAccount |
Lambda |
Lambda where ResourceBasedIAMPolicy . Statements with [ Action with [ value eq "lambda:InvokeFunction" ] and Principal with [ value eq "s3.amazonaws.com" ]] should have ResourceBasedIAMPolicy . Statements with [ Action with [ value eq "lambda:InvokeFunction" ] and Principal with [ value eq "s3.amazonaws.com" ] and Conditions with [ Name eq "AWS:SourceAccount" and Value len() gt 0 ]] |
| Ensure EKS Clusters have logging enabled. | Ensure EKS Clusters have logging enabled |
EKSCluster |
EKSCluster should have Logging . ClusterLogging with [ Type has ( "api", "audit", "authenticator", "controllerManager", "scheduler") and Enabled eq true ] |
| Name | Description | Service | Rule |
|---|---|---|---|
| Imported ACM certificates should be renewed after a specified time period | This control checks whether ACM certificates in your account are marked for expiration within 30 days. It checks both imported certificates and certificates provided by AWS Certificate Manager. |
ACM |
ACM should have NotAfter isLaterThan(30, "days") |
| Ensure SNS Topics do not have Policies containing AddPermission Action to all principals | SNS Topic should not have Policy with Add Permission Action authorized to all principals |
SNS |
SNSTopic should not have Policy . Statement with [ Effect eq "Allow" and ( Action with [ value like "(?i)SNS:AddPermission" or value like "(?i)SNS:\*" ] ) and Principal with [ value eq "*" ] and Conditions len ( ) eq 0 ] |
| API Gateway REST API cache data should be encrypted at rest | Checks whether all methods in API Gateway REST API stages that have cache enabled are encrypted. The control fails if any method in an API Gateway REST API stage is configured to cache and the cache is not encrypted. |
APIGateway |
APIGateway should have Stages with [ MethodSettings with [ MethodValue . CacheDataEncrypted ] ] |
| Audit/log records: Ensure CloudTrail logs are encrypted at rest using KMS CMKs | AWS CloudTrail is a web service that records AWS API calls for an account and makes those logs available to users and resources in accordance with IAM policies. AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data, and uses Hardware Security Modules (HSMs) to protect the security of encryption keys. CloudTrail logs can be configured to leverage server side encryption (SSE) and KMS customer created master keys (CMK) to further protect CloudTrail logs. It is recommended that CloudTrail be configured to use SSE-KMS |
CloudTrail |
CloudTrail should have KMSKey . Enabled |
| Ensure Delete Message Action is not authorized to all principals in SQS Queue Policy | SQS Queue Policy should not have DeleteMessage action authorized to all principals |
SQS |
SQSQueue should not have SQSPolicy with [ Statement with [ (Action with [ value like "(?i)SQS:DeleteMessage" or value like "(?i)SQS:\*" ] ) and Effect eq "Allow" and Principal with [ value eq "*" ] and Conditions len ( ) eq 0 ] ] |
| Ensure SNS Topics do not have Policies containing Delete Topic Action to all principals | SNS Topic should not have Policy with Delete Topic Action authorized to all principals |
SNS |
SNSTopic should not have Policy . Statement with [ Effect eq "Allow" and ( Action with [ value like "(?i)SNS:DeleteTopic" or value like "(?i)SNS:\*" ] ) and Principal with [ value eq "*" ] and Conditions len ( ) eq 0 ] |
| Data-at-rest is protected: Ensure DynamoDB tables are encrypted at rest | Ensure DynamoDB tables are encrypted at rest. |
Dynamo |
DynamoDBTable should have SSEDescription . Status eq "ENABLED" |
| Elasticsearch domains should have encryption at rest enabled | This control checks whether Elasticsearch domains have encryption at rest configuration enabled. The check fails if encryption at rest is not enabled. |
ElasticSearch |
ElasticSearchDomain should have EncryptionAtRestOptions . Enabled |
| Connections to Elasticsearch domains should be encrypted using TLS 1.2 | This control checks whether connections to Elasticsearch domains are required to use TLS 1.2. The check fails if the Elasticsearch domain TLSSecurityPolicy is not Policy-Min-TLS-1-2-2019-07. |
ElasticSearch |
ElasticSearchDomain should have DomainEndpointOptions . TLSSecurityPolicy eq "Policy-Min-TLS-1-2-2019-07" |
| AWS KMS keys should not be unintentionally deleted | This control checks whether KMS keys are scheduled for deletion. KMS keys cannot be recovered once deleted. Data encrypted under a KMS key is also permanently unrecoverable if the KMS key is deleted. If meaningful data has been encrypted under a KMS key scheduled for deletion, consider decrypting the data or re-encrypting the data under a new KMS key unless you are intentionally performing a cryptographic erasure |
KMS |
KMSKey should not have Status eq "PendingDeletion" |
| RDS clusters should have deletion protection enabled | This control checks whether RDS clusters have deletion protection enabled. |
RDSCluster |
RDSCluster should have DeletionProtection |
| Data-at-rest is protected: Ensure RDS encryption is enabled | Ensure RDS encryption is enabled. |
RDS |
RDSInstance should have StorageEncrypted eq true |
| RDS DB instances should have deletion protection enabled | This control checks whether your RDS DB instances that use one of the listed database engines have deletion protection enabled |
RDS |
RDSInstance should have DeletionProtection |
| RDS clusters should not use a database engine default port | This control checks whether the RDS cluster uses a port other than the default port of the database engine |
RDS |
RDSCluster should not have Port eq 3306 |
| Data-at-rest is protected: Ensure RDS instance snapshots are encrypted | Ensure RDS instance snapshots are encrypted. |
RDS |
RDSInstance should have every Snapshots with [ Encrypted eq true ] |
| Ensure automated snapshots are enabled for Redshift clusters | Ensure automated snapshots are enabled for Redshift clusters. |
RedShift |
RedShiftCluster should have AutomatedSnapshotRetentionPeriod gt 0 |
| SNS topics should be encrypted at rest using AWS KMS | This control checks whether an SNS topic is encrypted at rest using AWS KMS |
SNS |
SNSTopic should have KmsMasterKeyId len () gt 0 |
| Amazon SQS queues should be encrypted at rest | This control checks whether Amazon SQS queues are encrypted at rest |
SQS |
SQSQueue should have ( KmsMasterKeyId len ( ) gt 0 or SqsManagedSseEnabled ) |
| Vulnerability management plan: Ensure Allow Version Upgrade is set to yes for Redshift Cluster | Redshift Clusters should have Version Upgrade set to avoid missing important security updates. |
Redshift |
RedShiftCluster should have AllowVersionUpgrade |
| Name | Description | Service | Rule |
|---|---|---|---|
| Ensure CloudTrail logs to S3Bucket without any failures. | Alert if any Error is encountered by CloudTrail while logging to the designated S3Bucket. |
S3 CloudTrail |
CloudTrail should have LatestDeliveryError eq "None" |
| Access permissions and authorizations: Ensure Redshift Clusters are not Publicly accessible | Redshift Clusters should not be accessible to the public. |
Redshift |
RedShiftCluster should not have Access eq "Public" |
| CodeBuild project environment variables should not contain clear text credentials | This control checks whether the project contains clear text credentials in the environment variables |
CodeBuild |
CodeBuild should not have Environment . EnvironmentVariables with [Type eq "PLAINTEXT" ] |
| Ensure Delete Action is not authorized to all principals in S3 Bucket Policy | S3 Bucket Policy should not have Delete action authorized to all principals |
S3 |
S3Bucket should not have BucketPolicy with [ Statement with [ ( Action with [ value like "(?i)s3:Delete" or value like "(?i)S3:\*" ] ) and Effect eq "Allow" and Principal with [ value eq "*" ] and Conditions len ( ) eq 0 ] ] |
| AWS Database Migration Service replication instances should not be public | This control checks whether AWS DMS replication instances are public |
DMS |
DMSReplicationInstance should not have PubliclyAccessible |
| Elasticsearch domains should have audit logging enabled | This control checks whether Elasticsearch domains have audit logging enabled. This control fails if an Elasticsearch domain does not have audit logging enabled. |
ElasticSearch |
ElasticSearchDomain should have LogPublishingOptions with [ Name eq "AUDIT_LOGS" and Enabled and CloudWatchLogsLogGroup . id len( ) gt 0 ] |
| Ensure the S3 bucket CloudTrail logs to is not publicly accessible | CloudTrail logs a record of every API call made in your AWS account. These logs file are stored in an S3 bucket. It is recommended that the bucket policy or access control list (ACL) applied to the S3 bucket that CloudTrail logs to prevents public access to the CloudTrail logs |
S3 CloudTrail |
CloudTrail should not have S3Bucket . Access eq "Public" |
| Ensure Get Action is not authorized to all principals in S3 Bucket Policy | S3 Bucket Policy should not have Get action authorized to all principals |
S3 |
S3Bucket should not have BucketPolicy with [ Statement with [ ( Action with [ value like "(?i)s3:GetObject" or value like "(?i)S3:\*" ] ) and Effect eq "Allow" and Principal with [ value eq "*" ] and Conditions len ( ) eq 0 ] ] |
| Ensure List Action is not authorized to all principals in S3 Bucket Policy | S3 Bucket Policy should not have List action authorized to all principals |
S3 |
S3Bucket should not have BucketPolicy with [ Statement with [ ( Action with [ value like "(?i)s3:ListBucket" or value like "(?i)S3:\*" ] ) and Effect eq "Allow" and Principal with [ value eq "*" ] and Conditions len ( ) eq 0 ] ] |
| Ensure Manage Action is not authorized to all principals in S3 Bucket Policy | S3 Bucket Policy should not have Manage action authorized to all principals |
S3 |
S3Bucket should not have BucketPolicy with [ Statement with [ (Action with [ value like "(?i)s3:Put" or value like "(?i)S3:\*" ] ) and Effect eq "Allow" and Principal with [ value eq "*" ] and Conditions len ( ) eq 0 ] ] |
| Ensure CloudTrail logging bucket has Multi-Factor Authentication (MFA) Enabled. | Ensure that your AWS CloudTrail logging bucket use Multi-Factor Authentication (MFA) Delete feature in order to prevent the deletion of any versioned log files. |
S3 CloudTrail |
CloudTrail should have S3Bucket . BucketVersioning . MFADelete eq "Enabled" |
| Ensure Put Action is not authorized to all principals in S3 Bucket Policy | S3 Bucket Policy should not have Put action authorized to all principals |
S3 |
S3Bucket should not have BucketPolicy with [ Statement with [ ( Action with [ value like "(?i)s3:PutObject" or value like "(?i)S3:\*" ]) and Effect eq "Allow" and Principal with [ value eq "*" ] and Conditions len ( ) eq 0 ] ] |
| IAM authentication should be configured for RDS clusters | This control checks whether an RDS DB cluster has IAM database authentication enabled. |
RDSCluster |
RDSCluster should have IAMDatabaseAuthenticationEnabled |
| IAM authentication should be configured for RDS instances | This control checks whether an RDS DB instance has IAM database authentication enabled |
RDS |
RDSInstance should have IAMDatabaseAuthenticationEnabled |
| Database logging should be enabled | This control checks whether the logs of Amazon RDS are enabled and sent to CloudWatch Logs |
RDS |
RDSInstance should have EnabledCloudwatchLogsExports len () gt 0 |
| Ensure RDS database instances have detailed monitoring enabled | Ensure RDS database instances have detailed monitoring enabled. |
RDS |
RDSInstance should not have MonitoringInterval eq 0 |
| Communications and control network protection: Ensure RDS instances are not in public subnets | Ensure RDS instances are not in public subnets. |
RDS |
RDSInstance should not have Access eq "Public" |
| Access permissions and authorizations: Ensure RDS Instances do not have Publicly Accessible Snapshots | RDS Instances should not have publicly accessible snapshots. |
RDS |
RDSInstance should not have Snapshots with [ PubliclyAccessible ] |
| Ensure Amazon Redshift clusters are not using port 5439 (default port) for database access. | Ensure Amazon Redshift clusters are not using port 5439 (default port) for database access. |
RedShift |
RedShiftCluster should not have Port eq 5439 |
| Ensure S3 Bucket is not publicly accessible. | Ensure S3 Bucket is not publicly accessible |
S3 |
S3Bucket should not have Access eq "Public" |
| Ensure MFA Delete is enable on S3 buckets | Once MFA Delete is enabled on your sensitive and classified S3 bucket it requires the user to have two forms of authentication |
S3 |
S3Bucket should have BucketVersioning . Status eq "Enabled" and BucketVersioning . MFADelete eq "Enabled" |
| Implement automated audit trails for all system components : Lack of Logging For Access to S3 Buckets | Implement automated audit trails for all system components to reconstruct the following events : All individual user accesses to cardholder data ; All actions taken by any individual with root or administrative privileges ; Access to all audit trails ; Invalid logical access attempts ; Use of and changes to identification and authentication mechanisms ; Initialization, stopping, or pausing of the audit logs ; Creation and deletion of system-level objects. |
S3 |
S3Bucket should have LoggingEnabled |
| SageMaker notebook instances should not have direct internet access | This control checks whether direct internet access is disabled for an SageMaker notebook instance |
Compute |
SageMakerNotebookInstance should have DirectInternetAccess eq "Disabled" |
| Name | Description | Service | Rule |
|---|---|---|---|
| Ensure EC2 Instance does not have open ahsp port | Ahsp Port 4333, of an EC2 Instance, should not be open to public. |
EC2 |
EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1","tcp") and ( (FromPort lte 4333 and ToPort gte 4333) ) ] ] |
| Application Load Balancer should be configured to redirect all HTTP requests to HTTPS | This control checks whether HTTP to HTTPS redirection is configured on all HTTP listeners of Application Load Balancers |
ElasticLoadBalancer |
ElasticLoadBalancer where (Type eq "application" and Listeners with [ Protocol eq "HTTP" ]) should have Listeners with [ Protocol eq "HTTP" and DefaultActions with [ Type eq "redirect" and RedirectConfig . Protocol eq "HTTPS" and RedirectConfig . Port eq 443 ] ] |
| Ensure EC2 Instance does not have open Alternative HTTP port | Alternative HTTP Port 8888, of an EC2 Instance, should not be open to public. |
EC2 |
EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1","tcp") and ( (FromPort lte 8888 and ToPort gte 8888) ) ] ] |
| API Gateway should be associated with an AWS WAF web ACL | Checks whether an API Gateway stage uses an AWS WAF web access control list (ACL). The control fails if it is not attached to a REST API Gateway stage. |
APIGateway |
APIGateway should have Stages with [ WebAclArn len( ) gt 0 ] |
| API Gateway REST API stages should be configured to use SSL certificates for backend authentication | This control checks whether Amazon API Gateway REST API stages have SSL certificates configured. Backend systems use these certificates to authenticate that incoming requests are from API Gateway. |
APIGateway |
APIGateway should have Stages with [ ClientCertificateId len( ) gt 0 ] |
| Ensure EC2 Instance does not have open CIFS port | CIFS Port 445, of an EC2 Instance, should not be open to public. |
EC2 |
EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1","tcp") and ( (FromPort lte 445 and ToPort gte 445) ) ] ] |
| Ensure EC2 Instance does not have open DNS port | DNS Port 53, of an EC2 Instance, should not be open to public. |
EC2 |
EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1", "udp") and ( FromPort lte 53 and ToPort gte 53 ) ] ] |
| Ensure Domain Transfer Lock is enabled | To lock a domain to prevent unauthorized transfer to another registrar. |
Route53 |
Route53Domain should have TransferLock |
| EC2 instances should not use multiple ENIs | This control checks whether an EC2 instance uses multiple Elastic Network Interfaces (ENIs) |
EC2 |
EC2Instance should have NetworkInterfaces len ( ) lte 1 |
| Ensure EC2 Instance does not have open fcp-addr-srvr1 port | fcp-addr-srvr1 Port 5500, of an EC2 Instance, should not be open to public. |
EC2 |
EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1","tcp") and ( (FromPort lte 5500 and ToPort gte 5500) ) ] ] |
| Ensure EC2 Instance does not have open FTP port | FTP Port 20 and 21, of an EC2 Instance, should not be open to public. |
EC2 |
EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1","tcp") and ( (FromPort lte 20 and ToPort gte 21) ) ] ] |
| Ensure EC2 Instance does not have open IMAP port | IMAP Port 143, of an EC2 Instance, should not be open to public. |
EC2 |
EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1","tcp") and ( (FromPort lte 143 and ToPort gte 143) ) ] ] |
| Ensure EC2 Instance does not have open Legacy HTTP port | Legacy HTTP Port 8088, of an EC2 Instance, should not be open to public. |
EC2 |
EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1","tcp") and ( (FromPort lte 8088 and ToPort gte 8088) ) ] ] |
| Ensure EC2 Instance does not have open OpenSearch Dashboards port | OpenSearch Dashboards Port 5601, of an EC2 Instance, should not be open to public. |
EC2 |
EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1","tcp") and ( (FromPort lte 5601 and ToPort gte 5601) ) ] ] |
| Ensure EC2 Instance does not have open OpenSearch port | OpenSearch Port 9200 or 9300, of an EC2 Instance, should not be open to public. |
EC2 |
EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1","tcp") and ( (FromPort lte 9200 and ToPort gte 9200) or (FromPort lte 9300 and ToPort gte 9300) ) ] ] |
| Ensure EC2 Instance does not have open POP3 port | POP3 Port 110, of an EC2 Instance, should not be open to public. |
EC2 |
EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1","tcp") and ( (FromPort lte 110 and ToPort gte 110) ) ] ] |
| Ensure EC2 Instance does not have open Proxy port | Proxy Port 8080, of an EC2 Instance, should not be open to public. |
EC2 |
EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1","tcp") and ( (FromPort lte 8080 and ToPort gte 8080) ) ] ] |
| Ensure EC2 Instance does not have open RPC port | RPC Port 135, of an EC2 Instance, should not be open to public. |
EC2 |
EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1","tcp") and ( (FromPort lte 135 and ToPort gte 135) ) ] ] |
| Ensure EC2 Instance does not have open SMTP port | SMTP Port 25, of an EC2 Instance, should not be open to public. |
EC2 |
EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1","tcp") and ( (FromPort lte 25 and ToPort gte 25) ) ] ] |
| Ensure EC2 Instance does not have open UDP ports | UDP Ports 22, 80, 443, 1433, 1521, 3306, 3389, 5432, 27017, 27018, 27019 of an EC2 Instance, should not be open to public. |
EC2 |
EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1", "udp") and ( ( FromPort lte 22 and ToPort gte 22) or ( FromPort lte 80 and ToPort gte 80) or ( FromPort lte 443 and ToPort gte 443) or ( FromPort lte 1433 and ToPort gte 1433) or ( FromPort lte 1521 and ToPort gte 1521) or ( FromPort lte 3306 and ToPort gte 3306) or ( FromPort lte 3389 and ToPort gte 3389) or ( FromPort lte 5432 and ToPort gte 5432) or ( FromPort lte 27019 and ToPort gte 27017) ) ] ] |
| Ensure VPC Flow Log records are successfully published to a CloudWatch log group or an Amazon S3 bucket. | Ensure VPC Flow Log records are successfully published to a CloudWatch log group or an Amazon S3 bucket. |
EC2 |
VPCFlow where Status eq "ACTIVE" should have DeliverLogsStatus eq "SUCCESS" |
| Unused network access control lists should be removed | This control checks whether there are any unused network access control lists (ACLs) |
EC2 |
NetworkACL should have Subnets len () gt 0 |
| Ensure EC2 Instance does not have open Python web development frameworks port | Python web development frameworks Port 5000, of an EC2 Instance, should not be open to public. |
EC2 |
EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1","tcp") and ( (FromPort lte 5000 and ToPort gte 5000) ) ] ] |
| Ensure EC2 Instance does not have open Go, Node.js, and Ruby web development frameworks port | Go, Node.js, and Ruby web development frameworks Port 3000, of an EC2 Instance, should not be open to public. |
EC2 |
EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1","tcp") and ( (FromPort lte 3000 and ToPort gte 3000) ) ] ] |
| Name | Description | Service | Rule |
|---|---|---|---|
| API Gateway REST and WebSocket API logging should be enabled | This control checks whether all stages of an Amazon API Gateway REST or WebSocket API have logging enabled. The control fails if logging is not enabled for all methods of a stage or if loggingLevel is neither ERROR nor INFO. |
APIGateway |
APIGateway where Stages len( ) gt 0 should have Stages with [ MethodSettings with [ MethodValue . LoggingLevel in ("INFO", "ERROR") ] ] |
| Communications and control network protection: Ensure no rule exists which allows all ingress traffic in default Network ACL | Network ACLs are designed to provide a secondary layer of security. Adding a rule that allows all network traffic (all protocols, IPs, and source) prior to any deny rule defeats the purpose of network ACLs. |
EC2 |
NetworkACL should not have IsDefault eq true and Rules with [ RuleAction eq "allow" and Protocol eq "-1" and Egress eq False and CidrBlock eq 0.0.0.0/0 ] |
| Network Intefrace with Inbound internet traffic allowed attached to an ec2 | Make sure that there is no Network Intefrace with full internet public access attached to an ec2 instance. This rule is created by Netskope with the intent of surfacing higher priority findings from regular network interface compliance checks by requiring the vulnerable interface to be attached to an instance. |
EC2 |
NetworkInterface should not have any SecurityGroups with [ InboundRules with [ IPv6Ranges with [ IPv6 isPublic ( ) ] or IPRanges with [ IP isPublic ( ) ] ] ] and Attachment . InstanceId |
| Ensure EKS Clusters are created with Private Endpoint Enabled and Public Access Disabled | Disable access to the Kubernetes API from outside the node network if it is not required. |
EKSCluster |
EKSCluster should have EndPointPrivateAccess and not EndPointPublicAccess |
| Restrict Access to the Control Plane Endpoint | Enable Endpoint Private Access to restrict access to the cluster's control plane to only an allowlist of authorized IPs. |
EKSCluster |
EKSCluster where EndPointPublicAccess should not have PublicAccessCidrs with [ CidrBlock eq 0.0.0.0/0] |
| Ensure EC2 Instance does not have open MongoDB port | MongoDB Port 27017, 27018, 27019 of an EC2 Instance, should not be open to public. |
EC2 |
EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1", "tcp") and ( (FromPort lte 27019 and ToPort gte 27017) ) ] ] |
| Ensure EC2 Instance does not have open MySQL port | MySQL Port 3306, of an EC2 Instance, should not be open to public. |
EC2 |
EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1", "tcp") and ( (FromPort lte 3306 and ToPort gte 3306) ) ] ] |
| Ensure EC2 Instance does not have open SQL Server port | MySQL Port 1433, of an EC2 Instance, should not be open to public. |
EC2 |
EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1", "tcp") and ( (FromPort lte 1433 and ToPort gte 1434) ) ] ] |
| Ensure EC2 Instance does not have open NFS port | NFS Port 2049, 111 of an EC2 Instance, should not be open to public. |
EC2 |
EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1","udp","tcp") and ( (FromPort lte 2049 and ToPort gte 2049) or (FromPort lte 111 and ToPort gte 111)) ] ] |
| Ensure default security groups of EC2Instances contain rules | Non-empty rule sets for default security groups should not exist. |
EC2 |
EC2Instance where SecurityGroups with [ Name eq "default" ] should not have SecurityGroups with [ InboundRules len ( ) neq 0 or OutboundRules len ( ) neq 0 ] |
| Ensure EC2 Instance does not have open OracleDb port | OracleDb Port 1521, of an EC2 Instance, should not be open to public. |
EC2 |
EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1","tcp") and ( (FromPort lte 1521 and ToPort gte 1521) ) ] ] |
| Ensure EC2 Instance does not have open PostgreSQL port | PostgreSQL Port 5432, of an EC2 Instance, should not be open to public. |
EC2 |
EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1","tcp") and ( (FromPort lte 5432 and ToPort gte 5432) ) ] ] |
| Ensure EC2 Instance does not have open RDP port | RDP Port 3389, of an EC2 Instance, should not be open to public. |
EC2 |
EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1","udp","tcp") and ( (FromPort lte 3389 and ToPort gte 3389) ) ] ] |
| Make sure no security groups attached to ec2 allow ingress from 0.0.0.0/0 to remote server administration ports | Make sure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports and attached to ec2 instances. This rule is created by Netskope with the intent of surfacing higher priority findings from regular inbound connection compliance checks by requiring the vulnerable security group to be attached to an instance. |
Network |
SecurityGroup should not have EC2Instances and InboundRules with [ IPRanges with [ IP eq 0.0.0.0/0 ] and ( (FromPort lte 22 and ToPort gte 22) or (FromPort lte 3389 and ToPort gte 3389) ) ] |
| Security groups allow ingress from 0.0.0.0/0 is attached to an ec2 instance | Make sure there is no security groups with allowed ingress from 0.0.0.0/0 is attached to an ec2 instance. This rule is created by Netskope with the intent of surfacing higher priority findings from regular inbound connection compliance checks by requiring the vulnerable security group to be attached to an instance. |
Network |
SecurityGroup should not have EC2Instances and InboundRules with [ IPRanges with [ IP eq 0.0.0.0/0 ] ] |
| Ensure EC2 Instance does not have open SSH port | SSH Port 22, of an EC2 Instance, should not be open to public. |
EC2 |
EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1","tcp") and ( (FromPort lte 22 and ToPort gte 22) ) ] ] |
| EC2 subnets should not automatically assign public IP addresses | This control checks whether the assignment of public IPs in Amazon Virtual Private Cloud (Amazon VPC) subnets have MapPublicIpOnLaunch set to FALSE. The control passes if the flag is set to FALSE |
EC2 |
Subnet should not have MapPublicIpOnLaunch |
| Communications and control network protection: Ensure no rule exists which allows all ingress traffic in Network ACL which is associated with a subnet | Network ACLs are designed to provide a secondary layer of security. Adding a rule that allows all network traffic (all protocols, IPs, and source) prior to any deny rule defeats the purpose of network ACLs. Network ACLs associated with subnets and VPCs should not allow all ingress traffic. |
EC2 |
NetworkACL where Subnets len( ) gt 0 should not have Rules with [ Egress eq False and RuleAction eq "allow" and Protocol eq "-1" and CidrBlock eq 0.0.0.0/0 ] |
| Ensure EC2 Instance does not have open TCP ports | TCP Ports 22, 80, 443, 1433, 1521, 3306, 3389, 5432, 27017, 27018, 27019 of an EC2 Instance, should not be open to public. |
EC2 |
EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1", "tcp") and ( ( FromPort lte 22 and ToPort gte 22) or ( FromPort lte 80 and ToPort gte 80) or ( FromPort lte 443 and ToPort gte 443) or ( FromPort lte 1433 and ToPort gte 1433) or ( FromPort lte 1521 and ToPort gte 1521) or ( FromPort lte 3306 and ToPort gte 3306) or ( FromPort lte 3389 and ToPort gte 3389) or ( FromPort lte 5432 and ToPort gte 5432) or ( FromPort lte 27019 and ToPort gte 27017) ) ] ] |
| Ensure EC2 Instance does not have open Telnet port | Telnet Port 23, of an EC2 Instance, should not be open to public. |
EC2 |
EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1","tcp") and ( (FromPort lte 23 and ToPort gte 23) ) ] ] |
| AWS WAF Classic global web ACL logging should be enabled | This control checks if logging is enabled on AWS Web Application Firewall (WAF) classic global web ACLs. This rule is NON_COMPLIANT for a global web ACL, if it does not have logging enabled. |
Security |
WebACL should have LoggingConfiguration . LogDestinationConfigs len( ) gt 0 |
| Name | Description | Service | Rule |
|---|---|---|---|
| Ensure EC2 Instance does not have open DNS port | DNS Port 53, of an EC2 Instance, should not be open to public. |
EC2 |
EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1", "udp") and ( FromPort lte 53 and ToPort gte 53 ) ] ] |
| Ensure EC2 Instance does not have open MongoDB port | MongoDB Port 27017, 27018, 27019 of an EC2 Instance, should not be open to public. |
EC2 |
EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1", "tcp") and ( (FromPort lte 27019 and ToPort gte 27017) ) ] ] |
| Communications and control network protection: Ensure no rule exists which allows all ingress traffic in default Network ACL | Network ACLs are designed to provide a secondary layer of security. Adding a rule that allows all network traffic (all protocols, IPs, and source) prior to any deny rule defeats the purpose of network ACLs. |
EC2 |
NetworkACL should not have IsDefault eq true and Rules with [ RuleAction eq "allow" and Protocol eq "-1" and Egress eq False and CidrBlock eq 0.0.0.0/0 ] |
| Ensure EC2 Instance does not have open NFS port | NFS Port 2049, 111 of an EC2 Instance, should not be open to public. |
EC2 |
EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1","udp","tcp") and ( (FromPort lte 2049 and ToPort gte 2049) or (FromPort lte 111 and ToPort gte 111)) ] ] |
| Ensure EC2 Instance does not have open SMTP port | SMTP Port 25, of an EC2 Instance, should not be open to public. |
EC2 |
EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1","tcp") and ( (FromPort lte 25 and ToPort gte 25) ) ] ] |
| Communications and control network protection: Ensure no rule exists which allows all ingress traffic in Network ACL which is associated with a subnet | Network ACLs are designed to provide a secondary layer of security. Adding a rule that allows all network traffic (all protocols, IPs, and source) prior to any deny rule defeats the purpose of network ACLs. Network ACLs associated with subnets and VPCs should not allow all ingress traffic. |
EC2 |
NetworkACL where Subnets len( ) gt 0 should not have Rules with [ Egress eq False and RuleAction eq "allow" and Protocol eq "-1" and CidrBlock eq 0.0.0.0/0 ] |
| Ensure EC2 Instance does not have open UDP ports | UDP Ports 22, 80, 443, 1433, 1521, 3306, 3389, 5432, 27017, 27018, 27019 of an EC2 Instance, should not be open to public. |
EC2 |
EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1", "udp") and ( ( FromPort lte 22 and ToPort gte 22) or ( FromPort lte 80 and ToPort gte 80) or ( FromPort lte 443 and ToPort gte 443) or ( FromPort lte 1433 and ToPort gte 1433) or ( FromPort lte 1521 and ToPort gte 1521) or ( FromPort lte 3306 and ToPort gte 3306) or ( FromPort lte 3389 and ToPort gte 3389) or ( FromPort lte 5432 and ToPort gte 5432) or ( FromPort lte 27019 and ToPort gte 27017) ) ] ] |
| Ensure SNS Topics do not have Policies containing AddPermission Action to all principals | SNS Topic should not have Policy with Add Permission Action authorized to all principals |
SNS |
SNSTopic should not have Policy . Statement with [ Effect eq "Allow" and ( Action with [ value like "(?i)SNS:AddPermission" or value like "(?i)SNS:\*" ] ) and Principal with [ value eq "*" ] and Conditions len ( ) eq 0 ] |
| Ensure CloudWatch alarm has at least one Action | Each CloudWatch alarm should have at least one action |
CloudWatch |
MetricAlarm should have AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] |
| Establish an access control system(s) : IAM Policies with Effect Allow and NotActions | Establish an access control system(s) for systems components that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed. |
IAM |
IAMPolicy should not have Permissions . Statements with [ Effect eq "Allow" and ( NotAction len ( ) gt 0 or Action with [ value eq "*" ] ) ] and ( AttachedEntities . Groups len ( ) gt 0 or AttachedEntities . Roles len ( ) gt 0 or AttachedEntities . Users len ( ) gt 0 ) |
| Ensure ChangeMessageVisibility Action is not authorized to all principals in SQS Queue Policy | SQS Queue Policy should not have ChangeMessageVisibility action authorized to all principals |
SQS |
SQSQueue should not have SQSPolicy with [ Statement with [ ( Action with [ value like "(?i)SQS:ChangeMessageVisibility" or value like "(?i)SQS:\*" ] ) and Effect eq "Allow" and Principal with [ value eq "*" ] and Conditions len ( ) eq 0 ] ] |
| Access permissions and authorizations: Ensure Redshift Clusters are not Publicly accessible | Redshift Clusters should not be accessible to the public. |
Redshift |
RedShiftCluster should not have Access eq "Public" |
| Ensure Delete Action is not authorized to all principals in S3 Bucket Policy | S3 Bucket Policy should not have Delete action authorized to all principals |
S3 |
S3Bucket should not have BucketPolicy with [ Statement with [ ( Action with [ value like "(?i)s3:Delete" or value like "(?i)S3:\*" ] ) and Effect eq "Allow" and Principal with [ value eq "*" ] and Conditions len ( ) eq 0 ] ] |
| Ensure Delete Message Action is not authorized to all principals in SQS Queue Policy | SQS Queue Policy should not have DeleteMessage action authorized to all principals |
SQS |
SQSQueue should not have SQSPolicy with [ Statement with [ (Action with [ value like "(?i)SQS:DeleteMessage" or value like "(?i)SQS:\*" ] ) and Effect eq "Allow" and Principal with [ value eq "*" ] and Conditions len ( ) eq 0 ] ] |
| Ensure SNS Topics do not have Policies containing Delete Topic Action to all principals | SNS Topic should not have Policy with Delete Topic Action authorized to all principals |
SNS |
SNSTopic should not have Policy . Statement with [ Effect eq "Allow" and ( Action with [ value like "(?i)SNS:DeleteTopic" or value like "(?i)SNS:\*" ] ) and Principal with [ value eq "*" ] and Conditions len ( ) eq 0 ] |
| Ensure Domain Auto Renew is enabled | To ensure that the domain is always up, enable Auto Domain Renewal |
Route53 |
Route53Domain should have AutoRenew |
| Ensure Domain Transfer Lock is enabled | To lock a domain to prevent unauthorized transfer to another registrar. |
Route53 |
Route53Domain should have TransferLock |
| Ensure Get Action is not authorized to all principals in S3 Bucket Policy | S3 Bucket Policy should not have Get action authorized to all principals |
S3 |
S3Bucket should not have BucketPolicy with [ Statement with [ ( Action with [ value like "(?i)s3:GetObject" or value like "(?i)S3:\*" ] ) and Effect eq "Allow" and Principal with [ value eq "*" ] and Conditions len ( ) eq 0 ] ] |
| Ensure Get Queue Attribute Action is not authorized to all principals in SQS Queue Policy | SQS Queue Policy should not have GetQueueAttribute action authorized to all principals |
SQS |
SQSQueue should not have SQSPolicy with [ Statement with [ ( Action with [ value like "(?i)SQS:GetQueueAttributes" or value like "(?i)SQS:\*" ] ) and Effect eq "Allow" and Principal with [ value eq "*" ] and Conditions len ( ) eq 0 ] ] |
| Ensure Get Queue URL Action is not authorized to all principals in SQS Queue Policy | SQS Queue Policy should not have GetQueueURL action authorized to all principals |
SQS |
SQSQueue should not have SQSPolicy with [ Statement with [ ( Action with [ value like "(?i)SQS:GetQueueUrl" or value like "(?i)SQS:\*" ] ) and Effect eq "Allow" and Principal with [ value eq "*" ] and Conditions len ( ) eq 0 ] ] |
| Ensure Deletion Protection is enabled on Elastic Load Balancer | Enabling deletion protection on load balancers mitigates risks of accidental deletion. |
ElasticLoadBalancer |
ElasticLoadBalancer should have DeletionProtection |
| Ensure List Action is not authorized to all principals in S3 Bucket Policy | S3 Bucket Policy should not have List action authorized to all principals |
S3 |
S3Bucket should not have BucketPolicy with [ Statement with [ ( Action with [ value like "(?i)s3:ListBucket" or value like "(?i)S3:\*" ] ) and Effect eq "Allow" and Principal with [ value eq "*" ] and Conditions len ( ) eq 0 ] ] |
| Ensure Manage Action is not authorized to all principals in S3 Bucket Policy | S3 Bucket Policy should not have Manage action authorized to all principals |
S3 |
S3Bucket should not have BucketPolicy with [ Statement with [ (Action with [ value like "(?i)s3:Put" or value like "(?i)S3:\*" ] ) and Effect eq "Allow" and Principal with [ value eq "*" ] and Conditions len ( ) eq 0 ] ] |
| Ensure default security groups of EC2Instances contain rules | Non-empty rule sets for default security groups should not exist. |
EC2 |
EC2Instance where SecurityGroups with [ Name eq "default" ] should not have SecurityGroups with [ InboundRules len ( ) neq 0 or OutboundRules len ( ) neq 0 ] |
| Data-in-transit is protected: Ensure older SSL/TLS policies are not used with Elastic Load Balancers | Older SSL/TLS policy should not be used with Elastic Load Balancer Security Policy. |
ElasticLoadBalancer |
ElasticLoadBalancer should have SslPolicy in ( "ELBSecurityPolicy-2016-08", "ELBSecurityPolicy-TLS-1-2-2017-01", "ELBSecurityPolicy-TLS-1-1-2017-01" ) |
| Access permissions and authorizations: Ensure RDS Instances do not have Publicly Accessible Snapshots | RDS Instances should not have publicly accessible snapshots. |
RDS |
RDSInstance should not have Snapshots with [ PubliclyAccessible ] |
| Ensure SNS Topics do not have Policies containing Publish Action to all principals | SNS Topic should not have Policy with Publish Action authorized to all principals |
SNS |
SNSTopic should not have Policy . Statement with [ Effect eq "Allow" and ( Action with [ value like "(?i)SNS:Publish" or value like "(?i)SNS:\*" ] ) and Principal with [ value eq "*" ] and Conditions len ( ) eq 0 ] |
| Ensure PurgeQueue Action is not authorized to all principals in SQS Queue Policy | SQS Queue should not have Policy with PurgeQueue Action authorized to all principals |
SQS |
SQSQueue should not have SQSPolicy with [ Statement with [ ( Action with [ value like "(?i)SQS:PurgeQueue" or value like "(?i)SQS:\*" ] ) and Effect eq "Allow" and Principal with [ value eq "*" ] and Conditions len ( ) eq 0 ] ] |
| Ensure Put Action is not authorized to all principals in S3 Bucket Policy | S3 Bucket Policy should not have Put action authorized to all principals |
S3 |
S3Bucket should not have BucketPolicy with [ Statement with [ ( Action with [ value like "(?i)s3:PutObject" or value like "(?i)S3:\*" ]) and Effect eq "Allow" and Principal with [ value eq "*" ] and Conditions len ( ) eq 0 ] ] |
| Ensure SNS Topics do not have Policies containing Receive Action to all principals | SNS Topic should not have Policy with Receive Action authorized to all principals |
SNS |
SNSTopic should not have Policy . Statement with [ Effect eq "Allow" and ( Action with [ value like "(?i)SNS:Receive" or value like "(?i)SNS:\*" ] ) and Principal with [ value eq "*" ] and Conditions len ( ) eq 0 ] |
| Ensure ReceiveMessage Action is not authorized to all principals in SQS Queue Policy | SQS Queue Policy should not have ReceiveMessage action authorized to all principals |
SQS |
SQSQueue should not have SQSPolicy with [ Statement with [ ( Action with [ value like "(?i)SQS:ReceiveMessage" or value like "(?i)SQS:\*" ] ) and Effect eq "Allow" and Principal with [ value eq "*" ] and Conditions len ( ) eq 0 ] ] |
| Ensure SNS Topics do not have Policies containing Remove Permission Action to all principals | SNS Topic should not have Policy with Remove Permission Action authorized to all principals |
SNS |
SNSTopic should not have Policy . Statement with [ Effect eq "Allow" and ( Action with [ value like "(?i)SNS:RemovePermission" or value like "(?i)SNS:\*" ] ) and Principal with [ value eq "*" ] and Conditions len ( ) eq 0 ] |
| Ensure roles are not passed to CloudFormation stacks | Passing a role to CloudFormation stacks may result in privilege escalation because IAM users with privileges, within the CloudFormation scope, implicitly inherit the stack's role's permissions. |
CloudFormation |
CloudFormation where Status in ("CREATE_COMPLETE", "UPDATE_COMPLETE") should not have StackRole . id |
| Ensure SendEmail Action in SES Policy is not authorized to all principals | SES should not have Policy with action as SendEmail, authorized to all principals |
SES |
SESIdentity should not have Policy with [ Statement with [ Effect eq "Allow" and ( Action with [ value like "(?i)ses:SendEmail" or value like "(?i)ses:SendRawEmail" or value like "(?i)ses:\*" ] )and Principal with [ value eq "*" ] and Conditions len ( ) eq 0 ] ] |
| Ensure SendMessage Action is not authorized to all principals in SQS Queue Policy | SQS Queue Policy should not have SendMessage action authorized to all principals |
SQS |
SQSQueue should not have SQSPolicy with [ Statement with [ ( Action with [ value like "(?i)SQS:SendMessage" or value like "(?i)SQS:\*" ] ) and Effect eq "Allow" and Principal with [ value eq "*" ] and Conditions len ( ) eq 0 ] ] |
| Ensure SNS Topics do not have Policies containing Set Topic Attribute Action to all principals | SNS Topic should not have Policy with Set Topic Attribute Action authorized to all principals |
SNS |
SNSTopic should not have Policy . Statement with [ Effect eq "Allow" and ( Action with [ value like "(?i)SNS:SetTopicAttributes" or value like "(?i)SNS:\*" ] ) and Principal with [ value eq "*" ] and Conditions len ( ) eq 0 ] |
| Backups of information: Ensure Backup Retention Period is set greater than or equal to 30 days. | Setting Backup Retention Period of RDS Instance to a value greater than or equal to 30 ensures safety of data. |
RDS |
RDSInstance should not have BackupRetentionPeriod lt 30 |
| Ensure SNS Topics do not have Policies containing Subscribe Action to all principals | SNS Topic should not have Policy with Subscribe Action authorized to all principals |
SNS |
SNSTopic should not have Policy . Statement with [ Effect eq "Allow" and ( Action with [ value like "(?i)SNS:Subscribe" or value like "(?i)SNS:\*" ] ) and Principal with [ value eq "*" ] and Conditions len ( ) eq 0 ] |
| Ensure unused role for EC2Instance does not exist | IAMRoles which are not attached to any EC2Instance should not exist. |
IAM |
IAMRole should not have InstanceProfile with [ InstanceCount eq 0 ] |
| Ensure that no inline policy is attached to an IAMUser | IAMUsers should not have any Inline policy attached to them. |
IAM |
IAMUser should not have Policies . Inline len ( ) > 0 |
| Ensure that an IAMUser has no more than 1 Active API Key | IAMUsers should not have multiple active API keys |
IAM |
IAMUser should not have every AccessKey with [ Active eq true] |
| Vulnerability management plan: Ensure Allow Version Upgrade is set to yes for Redshift Cluster | Redshift Clusters should have Version Upgrade set to avoid missing important security updates. |
Redshift |
RedShiftCluster should have AllowVersionUpgrade |
| Ensure EC2 Instance does not have open MySQL port | MySQL Port 3306, of an EC2 Instance, should not be open to public. |
EC2 |
EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1", "tcp") and ( (FromPort lte 3306 and ToPort gte 3306) ) ] ] |
| Ensure EC2 Instance does not have open SQL Server port | MySQL Port 1433, of an EC2 Instance, should not be open to public. |
EC2 |
EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1", "tcp") and ( (FromPort lte 1433 and ToPort gte 1434) ) ] ] |
| Ensure EC2 Instance does not have open OracleDb port | OracleDb Port 1521, of an EC2 Instance, should not be open to public. |
EC2 |
EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1","tcp") and ( (FromPort lte 1521 and ToPort gte 1521) ) ] ] |
| Ensure EC2 Instance does not have open PostgreSQL port | PostgreSQL Port 5432, of an EC2 Instance, should not be open to public. |
EC2 |
EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1","tcp") and ( (FromPort lte 5432 and ToPort gte 5432) ) ] ] |
| Ensure EC2 Instance does not have open RDP port | RDP Port 3389, of an EC2 Instance, should not be open to public. |
EC2 |
EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1","udp","tcp") and ( (FromPort lte 3389 and ToPort gte 3389) ) ] ] |
| Ensure EC2 Instance does not have open SSH port | SSH Port 22, of an EC2 Instance, should not be open to public. |
EC2 |
EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1","tcp") and ( (FromPort lte 22 and ToPort gte 22) ) ] ] |
| Data-at-rest is protected: Ensure RDS encryption is enabled | Ensure RDS encryption is enabled. |
RDS |
RDSInstance should have StorageEncrypted eq true |
| Communications and control network protection: Ensure RDS instances are not in public subnets | Ensure RDS instances are not in public subnets. |
RDS |
RDSInstance should not have Access eq "Public" |
| Ensure RDS database instances have detailed monitoring enabled | Ensure RDS database instances have detailed monitoring enabled. |
RDS |
RDSInstance should not have MonitoringInterval eq 0 |
| Data-at-rest is protected: Ensure RDS instance snapshots are encrypted | Ensure RDS instance snapshots are encrypted. |
RDS |
RDSInstance should have every Snapshots with [ Encrypted eq true ] |
| Backups of information: Ensure DynamoDB tables are backed up | Ensure DynamoDB tables are backed up. |
Dynamo |
DynamoDBTable should have BackedUp eq true |
| Backups of information: Ensure DynamoDB tables have point in time recovery enabled | Ensure DynamoDB tables have point in time recovery enabled. |
Dynamo |
DynamoDBTable should have PointInTimeRecovery eq "ENABLED" |
| Data-at-rest is protected: Ensure DynamoDB tables are encrypted at rest | Ensure DynamoDB tables are encrypted at rest. |
Dynamo |
DynamoDBTable should have SSEDescription . Status eq "ENABLED" |
| Ensure Amazon Redshift clusters are launched within a Virtual Private Cloud (VPC) | Ensure Amazon Redshift clusters are launched within a Virtual Private Cloud (VPC). |
RedShift |
RedShiftCluster should have VPC len ( ) gt 0 |
| Ensure automated snapshots are enabled for Redshift clusters | Ensure automated snapshots are enabled for Redshift clusters. |
RedShift |
RedShiftCluster should have AutomatedSnapshotRetentionPeriod gt 0 |
| Ensure Amazon Redshift clusters are not using port 5439 (default port) for database access. | Ensure Amazon Redshift clusters are not using port 5439 (default port) for database access. |
RedShift |
RedShiftCluster should not have Port eq 5439 |
| Data-in-transit is protected: Ensure encryption in transit is enabled for lambda functions using environmental variables. | Ensure encryption in transit is enabled for lambda functions using environmental variables. |
Lambda |
Lambda where ( Environment len() > 0 ) should have KMSKey . Enabled |
| Ensure Lambda functions do not have administrative level execution privileges. | Ensure Lambda functions do not have administrative level execution privileges |
Lambda |
Lambda should not have AdminPrivileges eq True |
| Ensure EKS Clusters have logging enabled. | Ensure EKS Clusters have logging enabled |
EKSCluster |
EKSCluster should have Logging . ClusterLogging with [ Type has ( "api", "audit", "authenticator", "controllerManager", "scheduler") and Enabled eq true ] |
| Ensure unattached EBS volumes are removed. | Ensure unattached EBS volumes are removed. |
EC2Instance |
Volume should not have Attachments len ( ) eq 0 |
| Ensure EBS Snapshots are encrypted. | Ensure EBS Snapshots are encrypted |
EC2Instance |
Snapshots should have Encrypted |
| Ensure Lambda functions have an associated Tag. | Ensure Lambda functions have an associated Tag. |
Lambda |
Lambda should not have Tags len( ) eq 0 |
| Ensure Lambda execution role has permissions to log to CloudWatch. | Ensure Lambda execution role has permissions to log to CloudWatch. |
Lambda |
Lambda should have IAMRole . Policies . Inline with [ PolicyDocument . Statements with [ Effect eq "Allow" and Resource len ( ) gt 0 and Action with [ value eq "logs:CreateLogGroup" ] ] and PolicyDocument . Statements with [ Effect eq "Allow" and Resource len ( ) gt 0 and Action with [ value eq "logs:CreateLogStream" ] ] and PolicyDocument . Statements with [ Effect eq "Allow" and Resource len ( ) gt 0 and Action with [ value eq "logs:PutLogEvents" ] ] ] or IAMRole . Policies . Managed with [ Permissions . Statements with [ Effect eq "Allow" and Resource len ( ) gt 0 and Action with [ value eq "logs:CreateLogGroup" ] ] and Permissions . Statements with [ Effect eq "Allow" and Resource len ( ) gt 0 and Action with [ value eq "logs:CreateLogStream" ] ] and Permissions . Statements with [ Effect eq "Allow" and Resource len ( ) gt 0 and Action with [ value eq "logs:PutLogEvents" ] ] ] |
| Ensure Lambda execution role does not have IAM admin permissions. | Ensure Lambda execution role does not have IAM admin permissions. |
Lambda |
Lambda should not have IAMRole . Policies . Inline with [ PolicyDocument . Statements with [ Effect eq "Allow" and Resource with [ value eq "*" ] and Action with [ value eq "iam:*" ] ] ] or IAMRole . Policies . Managed with [ Permissions . Statements with [ Effect eq "Allow" and Resource with [ value eq "*" ] and Action with [ value eq "iam:*" ] ] ] |
| Ensure Lambda execution role does not have full admin permissions. | Ensure Lambda execution role does not have full admin permissions. |
Lambda |
Lambda should not have IAMRole . Policies . Inline with [ PolicyDocument . Statements with [ Effect eq "Allow" and Resource with [ value eq "*" ] and Action with [ value eq "*" ] ] ] or IAMRole . Policies . Managed with [ Permissions . Statements with [ Effect eq "Allow" and Resource with [ value eq "*" ] and Action with [ value eq "*" ] ] ] |
| Ensure CloudTrail logs to S3Bucket without any failures. | Alert if any Error is encountered by CloudTrail while logging to the designated S3Bucket. |
S3 CloudTrail |
CloudTrail should have LatestDeliveryError eq "None" |
| Ensure CloudTrail sends SNS notifications without any failures. | Alert if any Error is encountered by CloudTrail when attempting to send a SNS notification. |
SNS CloudTrail |
CloudTrail should have LatestNotificationError eq "None" |
| Ensure CloudTrail logging bucket has Multi-Factor Authentication (MFA) Enabled. | Ensure that your AWS CloudTrail logging bucket use Multi-Factor Authentication (MFA) Delete feature in order to prevent the deletion of any versioned log files. |
S3 CloudTrail |
CloudTrail should have S3Bucket . BucketVersioning . MFADelete eq "Enabled" |
| Ensure VPC Flow Log records are successfully published to a CloudWatch log group or an Amazon S3 bucket. | Ensure VPC Flow Log records are successfully published to a CloudWatch log group or an Amazon S3 bucket. |
EC2 |
VPCFlow where Status eq "ACTIVE" should have DeliverLogsStatus eq "SUCCESS" |
| Ensure S3 Bucket is not publicly accessible. | Ensure S3 Bucket is not publicly accessible |
S3 |
S3Bucket should not have Access eq "Public" |
| Ensure no user has the AdministratorAccess policy | Ensure users are not attached to the overly-privileged AdministratorAccess IAM policy. |
IAM |
IAMUser should not have Policies . Managed with [ Permissions . Statements with [ Effect eq "Allow" and Resource with [ value eq "*" ] and Action with [ value eq "*" ] ] ] or Policies . Inline with [ PolicyDocument . Statements with [ Effect eq "Allow" and Resource with [ value eq "*" ] and Action with [ value eq "*" ] ] ] |
| Ensure EC2 Instance does not have open TCP ports | TCP Ports 22, 80, 443, 1433, 1521, 3306, 3389, 5432, 27017, 27018, 27019 of an EC2 Instance, should not be open to public. |
EC2 |
EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1", "tcp") and ( ( FromPort lte 22 and ToPort gte 22) or ( FromPort lte 80 and ToPort gte 80) or ( FromPort lte 443 and ToPort gte 443) or ( FromPort lte 1433 and ToPort gte 1433) or ( FromPort lte 1521 and ToPort gte 1521) or ( FromPort lte 3306 and ToPort gte 3306) or ( FromPort lte 3389 and ToPort gte 3389) or ( FromPort lte 5432 and ToPort gte 5432) or ( FromPort lte 27019 and ToPort gte 27017) ) ] ] |
| Personnel know response roles/operations: Ensure a support role has been created to manage incidents with AWS Support | AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. Create an IAM Role to allow authorized users to manage incidents with AWS Support. |
IAM |
AWS should have atleast one IAMPolicies with [ id eq "arn:aws:iam::aws:policy/AWSSupportAccess" and AttachedEntities . Roles len ( ) gt 0 ] |
| Establish an access control system(s) : IAM Policies with Effect as Allow and Action with sts:AssumeRole for CrossAccountArn | Establish an access control system(s) for IAM AssumeRole Policies having cross account ARN to have condition specifying “sts:ExternalId” |
IAM |
IAMRole where AssumeRolePolicy . CrossAccountArn eq True should have AssumeRolePolicy . Statement with [ Conditions with [ Condition eq "StringEquals" and Name eq "sts:ExternalId" and Value len() gt 0 ]] |
| Ensure Image Vulnerability Scanning using Amazon ECR image scanning or a third party provider. | Scan images being deployed to Amazon EKS for vulnerabilities. |
ECRRepository |
ECRRepository should have ImageScanningConfiguration.ScanOnPush |
| Ensure Kubernetes Secrets are encrypted using Customer Master Keys (CMKs) managed in AWS KMS. | Encrypt Kubernetes secrets, stored in etcd, using secrets encryption feature during Amazon EKS cluster creation. |
EKSCluster |
EKSCluster should have EncryptionConfig len() gt 0 |
| Restrict Access to the Control Plane Endpoint | Enable Endpoint Private Access to restrict access to the cluster's control plane to only an allowlist of authorized IPs. |
EKSCluster |
EKSCluster where EndPointPublicAccess should not have PublicAccessCidrs with [ CidrBlock eq 0.0.0.0/0] |
| Ensure EKS Clusters are created with Private Endpoint Enabled and Public Access Disabled | Disable access to the Kubernetes API from outside the node network if it is not required. |
EKSCluster |
EKSCluster should have EndPointPrivateAccess and not EndPointPublicAccess |
| Consider Fargate for running untrusted workloads | It is Best Practice to restrict or fence untrusted workloads when running in a multi-tenant environment. |
EKSCluster |
EKSCluster should not have FargateProfileNames len() eq 0 |
| Amazon Redshift clusters should use enhanced VPC routing | This control checks whether an Amazon Redshift cluster has EnhancedVpcRouting enabled |
RedShift |
RedShiftCluster should have EnhancedVpcRouting |
| Amazon EBS snapshots should not be public, determined by the ability to be restorable by anyone | This control checks that Amazon Elastic Block Store snapshots are not public, as determined by the ability to be restorable by anyone. EBS snapshots are used to back up the data on your EBS volumes to Amazon S3 at a specific point in time. You can use the snapshots to restore previous states of EBS volumes. It is rarely acceptable to share a snapshot with the public. Typically the decision to share a snapshot publicly was made in error or without a complete understanding of the implications. This check helps ensure that all such sharing was fully planned and intentional |
EC2 |
Snapshots should have Access neq "Public" |
| Ensure the default security group of every VPC restricts all traffic | A VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that the default security group restrict all traffic. The default VPC in every region should have it's default security group updated to comply. Any newly created VPCs will automatically contain a default security group that will need remediation to comply with this recommendation. |
EC2 |
SecurityGroup where Name eq "default" should have InboundRules len ( ) eq 0 and OutboundRules len ( ) eq 0 |
| Attached EBS volumes should be encrypted at rest | This control checks whether the EBS volumes that are in an attached state are encrypted |
EC2 |
Volume where Attachments len () gt 0 should have Encrypted |
| Stopped EC2 instances should be removed after a specified time period | This control checks whether any EC2 instances have been stopped for more than the allowed number of days. An EC2 instance fails this check if it is stopped for longer than the maximum allowed time period, which by default is 30 days |
EC2 |
EC2Instance where Status eq "stopped" should have StateTransitionTime isLaterThan ( -30 , "days" ) |
| EBS default encryption should be enabled | This control checks whether account-level encryption is enabled by default for Amazon Elastic Block Store(Amazon EBS) |
EC2 |
Volume should have EbsEncryptionByDefault |
| EC2 instances should use IMDSv2 | This control checks whether your EC2 instance metadata version is configured with Instance Metadata Service Version 2 (IMDSv2) |
EC2 |
EC2Instance should have MetadataOptions.HttpTokens eq "required" |
| EC2 instances should not have a public IP address | This rule checks whether EC2 instances have a public IP address. The rule fails if the publicIp field is present in the EC2 instance configuration item. This rule applies to IPv4 addresses only |
EC2 |
EC2Instance should not have PublicIPv4 len () gt 0 |
| Amazon EC2 should be configured to use VPC endpoints that are created for the Amazon EC2 service | This control checks whether a service endpoint for Amazon EC2 is created for each VPC |
EC2 |
VPC should have EndpointRef with [ ServiceName like "\.ec2$"] |
| EC2 subnets should not automatically assign public IP addresses | This control checks whether the assignment of public IPs in Amazon Virtual Private Cloud (Amazon VPC) subnets have MapPublicIpOnLaunch set to FALSE. The control passes if the flag is set to FALSE |
EC2 |
Subnet should not have MapPublicIpOnLaunch |
| Unused network access control lists should be removed | This control checks whether there are any unused network access control lists (ACLs) |
EC2 |
NetworkACL should have Subnets len () gt 0 |
| EC2 instances should not use multiple ENIs | This control checks whether an EC2 instance uses multiple Elastic Network Interfaces (ENIs) |
EC2 |
EC2Instance should have NetworkInterfaces len ( ) lte 1 |
| RDS DB instances should have deletion protection enabled | This control checks whether your RDS DB instances that use one of the listed database engines have deletion protection enabled |
RDS |
RDSInstance should have DeletionProtection |
| Database logging should be enabled | This control checks whether the logs of Amazon RDS are enabled and sent to CloudWatch Logs |
RDS |
RDSInstance should have EnabledCloudwatchLogsExports len () gt 0 |
| IAM authentication should be configured for RDS instances | This control checks whether an RDS DB instance has IAM database authentication enabled |
RDS |
RDSInstance should have IAMDatabaseAuthenticationEnabled |
| Install critical security patches within one month of release. : Auto Minor Version Upgrade Disabled for RDS Instances | Ensure that all system components and software are protected from known vulnerabilities by installing applicable AWS RDSInstance security patches. Install critical security patches within one month of release. |
RDS |
RDSInstance should have AutoMinorVersionUpgrade eq true |
| Amazon Aurora clusters should have backtracking enabled | This control checks whether Amazon Aurora clusters have backtracking enabled |
RDS |
RDSCluster where Engine eq "aurora-mysql" should have BacktrackWindow gt 0 |
| RDS DB clusters should be configured to copy tags to snapshots | This control checks whether RDS DB clusters are configured to copy all tags to snapshots when the snapshots are created |
RDS |
RDSCluster should have CopyTagsToSnapshot |
| RDS DB instances should be configured to copy tags to snapshots | This control checks whether RDS DB instances are configured to copy all tags to snapshots when the snapshots are created |
RDS |
RDSInstance should have CopyTagsToSnapshot |
| An RDS event notifications subscription should be configured for critical cluster events | This control checks whether an Amazon RDS event subscription exists that has notifications enabled for the DBCluster source type with maintenance,failure event category |
RDS |
AWS should have atleast one RDSEventSubscriptions with [ SourceType eq "db-cluster" and (EventCategoriesList has ("maintenance") and EventCategoriesList has ("failure")) and Enabled and SnsTopic . Subscriptions len () gt 0 ] |
| An RDS event notifications subscription should be configured for critical database instance events | This control checks whether an Amazon RDS event subscription exists with notifications enabled for the DBInstance source type with maintenance,configuration change,failure event category |
RDS |
AWS should have atleast one RDSEventSubscriptions with [ SourceType eq "db-instance" and (EventCategoriesList has ("maintenance") and EventCategoriesList has ("failure") and EventCategoriesList has("configuration change")) and Enabled and SnsTopic . Subscriptions len () gt 0 ] |
| An RDS event notifications subscription should be configured for critical database parameter group events | This control checks whether an Amazon RDS event subscription exists with notifications enabled for the DBParameterGroup source type with configuration change event category |
RDS |
AWS should have atleast one RDSEventSubscriptions with [ SourceType eq "db-parameter-group" and EventCategoriesList has("configuration change") and Enabled and SnsTopic . Subscriptions len () gt 0 ] |
| An RDS event notifications subscription should be configured for critical database security group events | This control checks whether an Amazon RDS event subscription exists with notifications enabled for the DBSecurityGroup source type with configuration change failure event category |
RDS |
AWS should have atleast one RDSEventSubscriptions with [ SourceType eq "db-security-group" and (EventCategoriesList has ("failure") and EventCategoriesList has("configuration change")) and Enabled and SnsTopic . Subscriptions len () gt 0 ] |
| RDS clusters should not use a database engine default port | This control checks whether the RDS cluster uses a port other than the default port of the database engine |
RDS |
RDSCluster should not have Port eq 3306 |
| Classic Load Balancer listeners should be configured with HTTPS or TLS termination | This control checks whether your Classic Load Balancer listeners are configured with HTTPS or TLS protocol for front-end (client to load balancer) connections. |
ElasticLoadBalancer |
ClassicLoadBalancer where ( ListenerDescriptions len () gt 0 ) should have ListenerDescriptions with [ Listener . Protocol in ("HTTPS", "SSL") ] |
| Application load balancers should be configured to drop HTTP headers | This control evaluates AWS Application Load Balancers to ensure they are configured to drop invalid HTTP headers |
ElasticLoadBalancer |
ElasticLoadBalancer where Type eq "application" should have RoutingHttpDropInvalidHeaderFieldsEnabled eq True |
| Application Load Balancers logging should be enabled | This control checks whether the Application Load Balancer have logging enabled |
ElasticLoadBalancer |
ElasticLoadBalancer where Type eq "application" should have AccessLogsEnabled eq True |
| Classic Load Balancers logging should be enabled | This rule checks whether the Classic Load Balancer have logging enabled |
ElasticLoadBalancer |
ClassicLoadBalancer should have Attributes . AccessLog . Enabled |
| Classic Load Balancers should have connection draining enabled | This rule checks whether Classic Load Balancers have connection draining enabled. Enabling connection draining on Classic Load Balancers ensures that the load balancer stops sending requests to instances that are de-registering or unhealthy. It keeps the existing connections open. This is particularly useful for instances in Auto Scaling groups, to ensure that connections aren’t severed abruptly |
ElasticLoadBalancer |
ClassicLoadBalancer should have Attributes . ConnectionDraining . Enabled |
| Application Load Balancer should be configured to redirect all HTTP requests to HTTPS | This control checks whether HTTP to HTTPS redirection is configured on all HTTP listeners of Application Load Balancers |
ElasticLoadBalancer |
ElasticLoadBalancer where (Type eq "application" and Listeners with [ Protocol eq "HTTP" ]) should have Listeners with [ Protocol eq "HTTP" and DefaultActions with [ Type eq "redirect" and RedirectConfig . Protocol eq "HTTPS" and RedirectConfig . Port eq 443 ] ] |
| CodeBuild GitHub or Bitbucket source repository URLs should use OAuth | This control checks whether the GitHub or Bitbucket source repository URL contains either personal access tokens or a user name and password |
CodeBuild |
SourceCredential should have AuthType eq "OAUTH" |
| CodeBuild project environment variables should not contain clear text credentials | This control checks whether the project contains clear text credentials in the environment variables |
CodeBuild |
CodeBuild should not have Environment . EnvironmentVariables with [Type eq "PLAINTEXT" ] |
| AWS Database Migration Service replication instances should not be public | This control checks whether AWS DMS replication instances are public |
DMS |
DMSReplicationInstance should not have PubliclyAccessible |
| IAM customer managed policies that you create should not allow wildcard actions for services | This control checks whether the IAM identity-based policies that you create have Allow statements that use the * wildcard to grant permissions for all actions on any service |
IAM |
IAMPolicy where Type eq "Customer Managed" should not have Permissions . Statements with [ Effect eq "Allow" and ( NotAction with [ value like "\:\*$" ] or Action with [ value like "\:\*$" ] ) ] |
| IAM customer managed policies should not allow decryption and re-encryption actions on all KMS keys | Checks whether the default version of IAM customer managed policies allow principals to use the AWS KMS decryption actions on all resources |
IAM |
IAMPolicy where Type eq "Customer Managed" should not have Permissions . Statements with [ Effect eq "Allow" and Action with [ value in ("kms:Decrypt", "kms:ReEncryptFrom") ] and Resource with [ value eq "*" ] ] |
| AWS KMS keys should not be unintentionally deleted | This control checks whether KMS keys are scheduled for deletion. KMS keys cannot be recovered once deleted. Data encrypted under a KMS key is also permanently unrecoverable if the KMS key is deleted. If meaningful data has been encrypted under a KMS key scheduled for deletion, consider decrypting the data or re-encrypting the data under a new KMS key unless you are intentionally performing a cryptographic erasure |
KMS |
KMSKey should not have Status eq "PendingDeletion" |
| IAM principals should not have IAM Group inline policies that allow decryption and re-encryption actions on all KMS keys | Checks whether the inline policies that are embedded in your IAM group allow the AWS KMS decryption and re-encryption actions on all KMS keys |
IAM |
IAMGroup should not have GroupPolicy . InlinePolicies with [ PolicyDocument . Statement with [ Effect eq "Allow" and Action with [ value in ("kms:Decrypt", "kms:ReEncryptFrom") ] and Resource with [ value eq "*" ] ] ] |
| IAM principals should not have IAM Role inline policies that allow decryption and re-encryption actions on all KMS keys | Checks whether the inline policies that are embedded in your IAM role allow the AWS KMS decryption and re-encryption actions on all KMS keys |
IAM |
IAMRole should not have Policies . Inline with [ PolicyDocument . Statements with [ Effect eq "Allow" and Action with [ value in ("kms:Decrypt", "kms:ReEncryptFrom") ] and Resource with [ value eq "*" ] ] ] |
| IAM principals should not have IAM User inline policies that allow decryption and re-encryption actions on all KMS keys | Checks whether the inline policies that are embedded in your IAM user allow the AWS KMS decryption and re-encryption actions on all KMS keys |
IAM |
IAMUser should not have Policies . Inline with [ PolicyDocument . Statements with [ Effect eq "Allow" and Action with [ value in ("kms:Decrypt", "kms:ReEncryptFrom") ] and Resource with [ value eq "*" ] ] ] |
| Lambda function policies should prohibit public access | This control checks whether the Lambda function resource-based policy prohibits public access outside of your account |
Lambda |
Lambda should not have ResourceBasedIAMPolicy . Statements with [ Effect eq "Allow" and Principal with [ value eq "*"] ] |
| Lambda function s3 invoked policies should prohibit public access | This control checks whether the Lambda function resource-based s3 invoked policy prohibits public access outside of your account. The control also fails if a Lambda function is invoked from Amazon S3 and the policy does not include a condition for AWS:SourceAccount |
Lambda |
Lambda where ResourceBasedIAMPolicy . Statements with [ Action with [ value eq "lambda:InvokeFunction" ] and Principal with [ value eq "s3.amazonaws.com" ]] should have ResourceBasedIAMPolicy . Statements with [ Action with [ value eq "lambda:InvokeFunction" ] and Principal with [ value eq "s3.amazonaws.com" ] and Conditions with [ Name eq "AWS:SourceAccount" and Value len() gt 0 ]] |
| Lambda functions should use supported runtimes | This control checks that the Lambda function settings for runtimes match the expected values set for the supported runtimes for each language |
Lambda |
Lambda where PackageType neq "Image" should have Runtime in ("nodejs14.x", "nodejs12.x", "python3.9", "python3.8", "python3.7", "python3.6", "ruby2.7", "java11", "java8", "java8.al2", "go1.x", "dotnetcore3.1") |
| Amazon ECS task definitions should have secure networking modes and user definitions | This control checks whether an active Amazon ECS task definition that has host networking mode also has privileged or user container definitions. The control fails for task definitions that have host network mode and container definitions where privileged=false or is empty and user=root or is empty |
ECS |
ECSTaskDefinition where NetworkMode eq "host" should have ContainerDefinitions with [ Privileged and User len () gt 0 and User neq "root" ] |
| Amazon ECS services should not have public IP addresses assigned to them automatically | This control checks whether Amazon ECS services are configured to automatically assign public IP addresses. A public IP address is an IP address that is reachable from the internet. If you launch your Amazon ECS instances with a public IP address, then your Amazon ECS instances are reachable from the internet. Amazon ECS services should not be publicly accessible, as this may allow unintended access to your container application servers |
ECS |
ECSCluster where Services with [ TaskDefinition . NetworkMode eq "awsvpc"] should have Services with [ TaskDefinition . NetworkMode eq "awsvpc" and AwsVPCConfiguration . AssignPublicIp neq "ENABLED" ] |
| SNS topics should be encrypted at rest using AWS KMS | This control checks whether an SNS topic is encrypted at rest using AWS KMS |
SNS |
SNSTopic should have KmsMasterKeyId len () gt 0 |
| Amazon SQS queues should be encrypted at rest | This control checks whether Amazon SQS queues are encrypted at rest |
SQS |
SQSQueue should have ( KmsMasterKeyId len ( ) gt 0 or SqsManagedSseEnabled ) |
| Imported ACM certificates should be renewed after a specified time period | This control checks whether ACM certificates in your account are marked for expiration within 30 days. It checks both imported certificates and certificates provided by AWS Certificate Manager. |
ACM |
ACM should have NotAfter isLaterThan(30, "days") |
| API Gateway REST and WebSocket API logging should be enabled | This control checks whether all stages of an Amazon API Gateway REST or WebSocket API have logging enabled. The control fails if logging is not enabled for all methods of a stage or if loggingLevel is neither ERROR nor INFO. |
APIGateway |
APIGateway where Stages len( ) gt 0 should have Stages with [ MethodSettings with [ MethodValue . LoggingLevel in ("INFO", "ERROR") ] ] |
| API Gateway REST API stages should be configured to use SSL certificates for backend authentication | This control checks whether Amazon API Gateway REST API stages have SSL certificates configured. Backend systems use these certificates to authenticate that incoming requests are from API Gateway. |
APIGateway |
APIGateway should have Stages with [ ClientCertificateId len( ) gt 0 ] |
| API Gateway REST API stages should have AWS X-Ray tracing enabled | This control checks whether AWS X-Ray active tracing is enabled for your Amazon API Gateway REST API stages. |
Category |
APIGateway should have Stages with [ TracingEnabled ] |
| API Gateway should be associated with an AWS WAF web ACL | Checks whether an API Gateway stage uses an AWS WAF web access control list (ACL). The control fails if it is not attached to a REST API Gateway stage. |
APIGateway |
APIGateway should have Stages with [ WebAclArn len( ) gt 0 ] |
| API Gateway REST API cache data should be encrypted at rest | Checks whether all methods in API Gateway REST API stages that have cache enabled are encrypted. The control fails if any method in an API Gateway REST API stage is configured to cache and the cache is not encrypted. |
APIGateway |
APIGateway should have Stages with [ MethodSettings with [ MethodValue . CacheDataEncrypted ] ] |
| Auto Scaling groups associated with a load balancer should use load balancer health checks | This control checks whether your Auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks. |
AutoScalingGroup |
AutoScalingGroup where LoadBalancerNames len( ) gt 0 should have HealthCheckType eq "ELB" |
| CloudFront distributions should have a default root object configured | This control checks whether an Amazon CloudFront distribution is configured to return a specific object that is the default root object. The control fails if the CloudFront distribution does not have a default root object configured. |
CloudFront |
CloudfrontDistribution should have DefaultRootObject len( ) gt 0 |
| CloudFront distributions should have origin access identity enabled | This control checks whether an Amazon CloudFront distribution with Amazon S3 Origin type has Origin Access Identity (OAI) configured. The control fails if OAI is not configured. |
CloudFront |
CloudfrontDistribution should have Origins . Items with [ S3OriginConfig . OriginAccessIdentity len( ) gt 0 ] |
| CloudFront distributions should require encryption in transit | This control checks whether an Amazon CloudFront distribution requires viewers to use HTTPS directly or whether it uses redirection. The control fails if ViewerProtocolPolicy is set to allow-all for defaultCacheBehavior or for cacheBehaviors. |
CloudFront |
CloudfrontDistribution should not have DefaultCacheBehavior . ViewerProtocolPolicy eq "allow-all" |
| CloudFront distributions should have origin failover configured | This control checks whether an Amazon CloudFront distribution is configured with an origin group that has two or more origins. |
CloudFront |
CloudfrontDistribution should have OriginGroups . Quantity gt 0 and OriginGroups . Items len( ) gt 0 |
| CloudFront distributions should have logging enabled | This control checks whether server access logging is enabled on CloudFront distributions. The control fails if access logging is not enabled for a distribution. |
CloudFront |
CloudfrontDistribution should have Logging . Enabled |
| CloudFront distributions should have AWS WAF enabled | This control checks whether CloudFront distributions are associated with either AWS WAF or AWS WAFv2 web ACLs. The control fails if the distribution is not associated with a web ACL. |
CloudFront |
CloudfrontDistribution should have WebACLId len( ) gt 0 |
| Audit/log records: Ensure CloudTrail logs are encrypted at rest using KMS CMKs | AWS CloudTrail is a web service that records AWS API calls for an account and makes those logs available to users and resources in accordance with IAM policies. AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data, and uses Hardware Security Modules (HSMs) to protect the security of encryption keys. CloudTrail logs can be configured to leverage server side encryption (SSE) and KMS customer created master keys (CMK) to further protect CloudTrail logs. It is recommended that CloudTrail be configured to use SSE-KMS |
CloudTrail |
CloudTrail should have KMSKey . Enabled |
| DynamoDB tables should automatically scale capacity with demand | This control checks whether an Amazon DynamoDB table can scale its read and write capacity as needed. This control passes if the table uses either on-demand capacity mode or provisioned mode with auto scaling configured. |
DynamoDB |
DynamoDBTable should have ScalableTargets len( ) gt 0 |
| DynamoDB Accelerator (DAX) clusters should be encrypted at rest | This control checks whether a DAX cluster is encrypted at rest. |
DynamoDB |
DAX should have SSEDescription . Status eq "ENABLED" |
| Amazon EFS should be configured to encrypt file data at rest using AWS KMS | This control checks whether Amazon Elastic File System is configured to encrypt the file data using AWS KMS. |
EFS |
ElasticFileSystem should have Encrypted and KMSKey . Enabled |
| Elastic Beanstalk environments should have enhanced health reporting enabled | This control checks whether enhanced health reporting is enabled for your AWS Elastic Beanstalk environments. |
ElasticBeanstalk |
ElasticBeanstalk should have ConfigurationSettings with [ OptionSettings with [ OptionName eq "EnhancedHealthAuthEnabled" and Value eq "true" ] ] |
| Elastic Beanstalk managed platform updates should be enabled | This control checks whether managed platform updates are enabled for the Elastic Beanstalk environment. |
ElasticBeanstalk |
ElasticBeanstalk should have ConfigurationSettings with [ OptionSettings with [ OptionName eq "ManagedActionsEnabled" and Value eq "true" ] ] |
| Amazon EMR cluster master nodes should not have public IP addresses | This control checks whether master nodes on Amazon EMR clusters have public IP addresses. |
EMR |
EMRCluster should not have Instances with [ PublicIpAddress isPublic() ] |
| Elasticsearch domains should have encryption at rest enabled | This control checks whether Elasticsearch domains have encryption at rest configuration enabled. The check fails if encryption at rest is not enabled. |
ElasticSearch |
ElasticSearchDomain should have EncryptionAtRestOptions . Enabled |
| Elasticsearch domains should be in a VPC | This control checks whether Elasticsearch domains are in a VPC. It should be ensured that Elasticsearch domains are not attached to public subnets. |
ElasticSearch |
ElasticSearchDomain should have VPCOptions . VPC . Status eq "available" |
| Elasticsearch domains should encrypt data sent between nodes | This control checks whether Elasticsearch domains have node-to-node encryption enabled. |
ElasticSearch |
ElasticSearchDomain should have NodeToNodeEncryptionOptions . Enabled |
| Elasticsearch domain error logging to CloudWatch Logs should be enabled | This control checks whether Elasticsearch domains are configured to send error logs to CloudWatch Logs. |
ElasticSearch |
ElasticSearchDomain should have LogPublishingOptions with [ Name eq "ES_APPLICATION_LOGS" and Enabled and CloudWatchLogsLogGroup . id len( ) gt 0 ] |
| Elasticsearch domains should have audit logging enabled | This control checks whether Elasticsearch domains have audit logging enabled. This control fails if an Elasticsearch domain does not have audit logging enabled. |
ElasticSearch |
ElasticSearchDomain should have LogPublishingOptions with [ Name eq "AUDIT_LOGS" and Enabled and CloudWatchLogsLogGroup . id len( ) gt 0 ] |
| Elasticsearch domains should have at least three data nodes | This control checks whether Elasticsearch domains are configured with at least three data nodes and zoneAwarenessEnabled is true. |
ElasticSearch |
ElasticSearchDomain should have ElasticsearchClusterConfig . ZoneAwarenessEnabled and ElasticsearchClusterConfig . ZoneAwarenessConfig . AvailabilityZoneCount gte 3 |
| Elasticsearch domains should be configured with at least three dedicated master nodes | This control checks whether Elasticsearch domains are configured with at least three dedicated master nodes. This control fails if the domain does not use dedicated master nodes. |
ElasticSearch |
ElasticSearchDomain should have ElasticsearchClusterConfig . DedicatedMasterEnabled and ElasticsearchClusterConfig . DedicatedMasterCount gte 3 |
| Connections to Elasticsearch domains should be encrypted using TLS 1.2 | This control checks whether connections to Elasticsearch domains are required to use TLS 1.2. The check fails if the Elasticsearch domain TLSSecurityPolicy is not Policy-Min-TLS-1-2-2019-07. |
ElasticSearch |
ElasticSearchDomain should have DomainEndpointOptions . TLSSecurityPolicy eq "Policy-Min-TLS-1-2-2019-07" |
| GuardDuty should be enabled | This control checks whether Amazon GuardDuty is enabled in your GuardDuty account and Region. |
GuardDuty |
GuardDutyDetector should have Status eq "ENABLED" |
| IAM authentication should be configured for RDS clusters | This control checks whether an RDS DB cluster has IAM database authentication enabled. |
RDSCluster |
RDSCluster should have IAMDatabaseAuthenticationEnabled |
| RDS DB clusters should be configured for multiple Availability Zones | This control checks whether high availability is enabled for your RDS DB clusters. |
RDSCluster |
RDSCluster should have MultiAZ eq true and AvailabilityZones len ( ) gt 0 |
| RDS clusters should have deletion protection enabled | This control checks whether RDS clusters have deletion protection enabled. |
RDSCluster |
RDSCluster should have DeletionProtection |
| SageMaker notebook instances should not have direct internet access | This control checks whether direct internet access is disabled for an SageMaker notebook instance |
Compute |
SageMakerNotebookInstance should have DirectInternetAccess eq "Disabled" |
| Secrets Manager secrets should have automatic rotation enabled | This control checks whether a secret stored in AWS Secrets Manager is configured with automatic rotation |
Security |
Secret should have RotationEnabled |
| Secrets Manager secrets configured with automatic rotation should rotate successfully | This control checks whether an AWS Secrets Manager secret rotated successfully based on the rotation schedule. The control does not evaluate secrets that do not have rotation configured |
Security |
Secret where RotationEnabled should have RotationOccurringAsScheduled |
| Remove unused Secrets Manager secrets | This control checks whether your secrets have been accessed within a specified number of days. If a secret was not accessed within 90 days, this control fails |
Security |
Secret should have LastAccessedDate isLaterThan(-90, "days") |
| Secrets Manager secrets should be rotated within a specified number of days | This control checks whether your secrets have been rotated at least once within 90 days. Rotating secrets can help you to reduce the risk of an unauthorized use of your secrets in your AWS account. Examples include database credentials, passwords, third-party API keys, and even arbitrary text. If you do not change your secrets for a long period of time, the secrets are more likely to be compromised |
Security |
Secret should have LastRotatedDate isLaterThan(-90, "days") |
| AWS WAF Classic global web ACL logging should be enabled | This control checks if logging is enabled on AWS Web Application Firewall (WAF) classic global web ACLs. This rule is NON_COMPLIANT for a global web ACL, if it does not have logging enabled. |
Security |
WebACL should have LoggingConfiguration . LogDestinationConfigs len( ) gt 0 |
| EC2 instances should be managed by AWS Systems Manager | This control checks whether the stopped and running EC2 instances in the account are managed by AWS Systems Manager. Systems Manager is an AWS service that can be used to view and control the AWS infrastructure. |
EC2 |
EC2Instance should have SSMInformation len () gt 0 |
| All EC2 instances managed by Systems Manager should be compliant with patching requirements | This control checks whether the compliance status of the Amazon EC2 Systems Manager patch compliance is COMPLIANT or NON_COMPLIANT after the patch installation on the instance. It only checks instances that are managed by Systems Manager Patch Manager. |
EC2 |
EC2Instance where SSMInformation len() gt 0 and ComplianceSummaryItems with [ ComplianceType eq "Patch" ] should have ComplianceSummaryItems with [ ComplianceType eq "Patch" and NonCompliantSummary . NonCompliantCount eq 0 ] |
| Instances managed by Systems Manager should have an association compliance status of COMPLIANT | This control checks whether the status of the AWS Systems Manager association compliance is COMPLIANT or NON_COMPLIANT after the association is run on an instance. The control passes if the association compliance status is COMPLIANT. |
EC2 |
EC2Instance where SSMInformation len() gt 0 and ComplianceSummaryItems with [ ComplianceType eq "Association" ] should have ComplianceSummaryItems with [ ComplianceType eq "Association" and NonCompliantSummary . NonCompliantCount eq 0 ] |
| Ensure EC2 Instance does not have open ahsp port | Ahsp Port 4333, of an EC2 Instance, should not be open to public. |
EC2 |
EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1","tcp") and ( (FromPort lte 4333 and ToPort gte 4333) ) ] ] |
| Ensure EC2 Instance does not have open Alternative HTTP port | Alternative HTTP Port 8888, of an EC2 Instance, should not be open to public. |
EC2 |
EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1","tcp") and ( (FromPort lte 8888 and ToPort gte 8888) ) ] ] |
| Ensure EC2 Instance does not have open CIFS port | CIFS Port 445, of an EC2 Instance, should not be open to public. |
EC2 |
EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1","tcp") and ( (FromPort lte 445 and ToPort gte 445) ) ] ] |
| Ensure EC2 Instance does not have open fcp-addr-srvr1 port | fcp-addr-srvr1 Port 5500, of an EC2 Instance, should not be open to public. |
EC2 |
EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1","tcp") and ( (FromPort lte 5500 and ToPort gte 5500) ) ] ] |
| Ensure EC2 Instance does not have open FTP port | FTP Port 20 and 21, of an EC2 Instance, should not be open to public. |
EC2 |
EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1","tcp") and ( (FromPort lte 20 and ToPort gte 21) ) ] ] |
| Ensure EC2 Instance does not have open IMAP port | IMAP Port 143, of an EC2 Instance, should not be open to public. |
EC2 |
EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1","tcp") and ( (FromPort lte 143 and ToPort gte 143) ) ] ] |
| Ensure EC2 Instance does not have open Legacy HTTP port | Legacy HTTP Port 8088, of an EC2 Instance, should not be open to public. |
EC2 |
EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1","tcp") and ( (FromPort lte 8088 and ToPort gte 8088) ) ] ] |
| Ensure EC2 Instance does not have open OpenSearch Dashboards port | OpenSearch Dashboards Port 5601, of an EC2 Instance, should not be open to public. |
EC2 |
EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1","tcp") and ( (FromPort lte 5601 and ToPort gte 5601) ) ] ] |
| Ensure EC2 Instance does not have open OpenSearch port | OpenSearch Port 9200 or 9300, of an EC2 Instance, should not be open to public. |
EC2 |
EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1","tcp") and ( (FromPort lte 9200 and ToPort gte 9200) or (FromPort lte 9300 and ToPort gte 9300) ) ] ] |
| Ensure EC2 Instance does not have open POP3 port | POP3 Port 110, of an EC2 Instance, should not be open to public. |
EC2 |
EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1","tcp") and ( (FromPort lte 110 and ToPort gte 110) ) ] ] |
| Ensure EC2 Instance does not have open Proxy port | Proxy Port 8080, of an EC2 Instance, should not be open to public. |
EC2 |
EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1","tcp") and ( (FromPort lte 8080 and ToPort gte 8080) ) ] ] |
| Ensure EC2 Instance does not have open RPC port | RPC Port 135, of an EC2 Instance, should not be open to public. |
EC2 |
EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1","tcp") and ( (FromPort lte 135 and ToPort gte 135) ) ] ] |
| Ensure EC2 Instance does not have open Telnet port | Telnet Port 23, of an EC2 Instance, should not be open to public. |
EC2 |
EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1","tcp") and ( (FromPort lte 23 and ToPort gte 23) ) ] ] |
| Ensure EC2 Instance does not have open Python web development frameworks port | Python web development frameworks Port 5000, of an EC2 Instance, should not be open to public. |
EC2 |
EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1","tcp") and ( (FromPort lte 5000 and ToPort gte 5000) ) ] ] |
| Ensure EC2 Instance does not have open Go, Node.js, and Ruby web development frameworks port | Go, Node.js, and Ruby web development frameworks Port 3000, of an EC2 Instance, should not be open to public. |
EC2 |
EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1","tcp") and ( (FromPort lte 3000 and ToPort gte 3000) ) ] ] |
| Name | Description | Service | Rule |
|---|---|---|---|
| Identities and credentials: Avoid the use of the "root" account: check for recent logins. | The 'root' account has unrestricted access to all resources in the AWS account. It is highly recommended that the use of this account be avoided. |
IAM |
IAMUser where RootUser eq True should not have Password . LastUsedTime isLaterThan ( -1, "days" ) |
| Authentication: Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password | Multi-Factor Authentication (MFA) adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. It is recommended that MFA be enabled for all accounts that have a console password. |
IAM |
IAMUser where ( RootUser eq false and Password . Enabled eq true ) should have MFAActive eq true |
| Identities and credentials: Ensure passwords unused for 90 days or greater are disabled | AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all passwords that have been unused in 90 or greater days be disabled. |
IAM |
IAMUser where RootUser eq False should not have ( Password . Enabled and Password . LastUsedTime isEarlierThan ( -90, "days" ) ) |
| Remote access: Ensure access keys unused for 90 days or greater are disabled | AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all access keys that have been unused in 90 or greater days be disabled. |
IAM |
IAMUser where RootUser eq False should not have AccessKey with [ Active and LastUsedTime isEarlierThan ( -90, "days" ) ] |
| Remote access: Ensure access keys are rotated every 90 days or less. | Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. It is recommended that all access keys be regularly rotated. |
IAM |
IAMUser should not have AccessKey with [ Active and LastRotatedTime isEarlierThan ( -90 , "days" ) ] |
| Identities and credentials: Ensure IAM password policy requires at least one uppercase letter. | Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one uppercase letter. |
IAM |
IAMPasswordPolicy should have Configured and RequireUppercaseCharacters |
| Identities and credentials: Ensure IAM password policy require at least one lowercase letter. | Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one lowercase letter. |
IAM |
IAMPasswordPolicy should have Configured and RequireLowercaseCharacters |
| Identities and credentials: Ensure IAM password policy require at least one symbol. | Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one symbol. |
IAM |
IAMPasswordPolicy should have Configured and RequireSymbols |
| Identities and credentials: Ensure IAM password policy require at least one number. | Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one number. |
IAM |
IAMPasswordPolicy should have Configured and RequireNumbers |
| Identities and credentials: Ensure IAM password policy requires minimum length of 14 or greater. | Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are at least a given length. It is recommended that the password policy require a minimum password length 14. |
IAM |
IAMPasswordPolicy should have Configured and MinimumPasswordLength >= 14 |
| Identities and credentials: Ensure IAM password policy prevents password reuse | IAM password policies can prevent the reuse of a given password by the same user. It is recommended that the password policy prevent the reuse of passwords. |
IAM |
IAMPasswordPolicy should have Configured and PasswordReusePrevention >= 24 |
| Identities and credentials: Ensure IAM password policy expires passwords within 90 days or less. | IAM password policies can require passwords to be rotated or expired after a given number of days. It is recommended that the password policy expire passwords after 90 days or less. |
IAM |
IAMPasswordPolicy should have Configured and ExpirePasswords and MaxPasswordAge <= 90 |
| Remote access: Ensure no root account access key exists. | The root account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. It is recommended that all access keys associated with the root account be removed. |
IAM |
IAMUser where RootUser eq True should not have AccessKey with [ Active eq True ] |
| Authentication: Ensure MFA is enabled for the "root" account. | The root account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a username and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. |
IAM |
IAMUser where RootUser eq True should have MFAActive eq true |
| Authentication: Ensure hardware MFA is enabled for the "root" account. | The root account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. For Level 2, it is recommended that the root account be protected with a hardware MFA. |
IAM |
IAMUser where RootUser eq True should have MFAActive eq true and MFADevices . Physical len ( ) gt 0 |
| Access permissions and authorizations: Ensure IAM policies are attached only to groups or roles. | By default, IAM users, groups, and roles have no access to AWS resources. IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended that IAM policies be applied directly to groups and roles but not users. |
IAM |
IAMUser should have ( Policies . Managed len ( ) eq 0 and Policies . Inline len ( ) eq 0 ) |
| Remote access: Do not setup access keys during initial user setup for all IAM users that have a console password | AWS console defaults the checkbox for creating access keys to enabled. This results in many access keys being generated unnecessarily. In addition to unnecessary credentials, it also generates unnecessary management work in auditing and rotating these keys. |
IAM |
IAMUser where Password . Enabled eq true should not have AccessKey with [ Active and CreatedByDefault ] |
| Access permissions and authorizations: Ensure IAM policies that allow full "*:*" administrative privileges are not created. | IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended and considered a standard security advice to grant least privilege — that is, granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform only those tasks, instead of allowing full administrative privileges. |
IAM |
IAMPolicy should not have Permissions . Statements with [ Action with [ value eq "*" ] and Resource with [ value eq "*" ] and Effect eq "Allow" ] and ( AttachedEntities . Groups len ( ) gt 0 or AttachedEntities . Roles len ( ) gt 0 or AttachedEntities . Users len ( ) gt 0 ) |
| Audit/log records: Ensure CloudTrail is enabled. | AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an account, including API calls made via the Management Console, SDKs, command line tools, and higher-level AWS services (such as CloudFormation) |
CloudTrail |
AWS should have atleast one CloudTrails with [ MultiRegionTrailEnabled and LoggingEnabled eq True ] |
| Secure audit trails so they cannot be altered : CloudTrail Log Files Lack Integrity Validation | Use file-integrity monitoring or change-detection on CloudTrail logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert). |
CloudTrail |
CloudTrail should have LogFileValidationEnabled |
| Audit/log records: Ensure the S3 bucket CloudTrail logs to is not publicly accessible | CloudTrail logs a record of every API call made in your AWS account. These logs file are stored in an S3 bucket. It is recommended that the bucket policy or access control list (ACL) applied to the S3 bucket that CloudTrail logs to prevents public access to the CloudTrail logs |
S3 CloudTrail |
CloudTrail should not have S3Bucket . ACL with [ ( Permission eq "WRITE" or Permission eq "WRITE_ACP" or Permission eq "READ" or Permission eq "READ_ACP" or Permission eq "FULL_CONTROL" ) and Grantee. URI eq "http://acs.amazonaws.com/groups/global/AllUsers" ] or S3Bucket . BucketPolicy with [ Statement with [ Effect eq "Allow" and Principal with [ value eq "*" ] and Conditions len ( ) eq 0 ] ] |
| Audit/log records: Ensure CloudTrail trails are integrated with CloudWatch Logs | AWS CloudTrail is a web service that records AWS API calls made in a given AWS account.The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail uses Amazon S3 for log file storage and delivery, so log files are stored durably. In addition to capturing CloudTrail logs within a specified S3 bucket for long term analysis, realtime analysis can be performed by configuring CloudTrail to send logs to CloudWatch Logs. For a trail that is enabled in all regions in an account, CloudTrail sends log files from all those regions to a CloudWatch Logs log group. It is recommended that CloudTrail logs be sent to CloudWatch Logs. |
CloudTrail |
CloudTrail should have LogGroup . CreationDate gt 0 |
| Audit/log records: Ensure AWS Config is enabled in all regions | AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), any configuration changes between resources. The AWS configuration item history captured by AWS Config enables security analysis, resource change tracking, and compliance auditing. It is recommended to enable AWS Config be enabled in all regions. |
CloudTrail Config |
AWS should have ( ConfigRecorders with [ Status and RecordingGroup . AllSupported ] ) and ConfigDeliveryChannels with [ StreamDelivery . LastSuccess and HistoryDelivery . LastSuccess ] |
| Implement automated audit trails for all system components : CloudTrail - Lack of API Access Logging | Implement automated audit trails for all system components to reconstruct the following events : All individual user accesses to cardholder data ; All actions taken by any individual with root or administrative privileges ; Access to all audit trails ; Invalid logical access attempts ; Use of and changes to identification and authentication mechanisms ; Initialization, stopping, or pausing of the audit logs ; Creation and deletion of system-level objects. |
S3 CloudTrail |
CloudTrail should have S3Bucket . LoggingEnabled |
| Audit/log records: Ensure CloudTrail logs are encrypted at rest using KMS CMKs | AWS CloudTrail is a web service that records AWS API calls for an account and makes those logs available to users and resources in accordance with IAM policies. AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data, and uses Hardware Security Modules (HSMs) to protect the security of encryption keys. CloudTrail logs can be configured to leverage server side encryption (SSE) and KMS customer created master keys (CMK) to further protect CloudTrail logs. It is recommended that CloudTrail be configured to use SSE-KMS |
CloudTrail |
CloudTrail should have KMSKey . Enabled |
| Data-at-rest is protected: Ensure rotation for customer created CMKs is enabled | AWS Key Management Service (KMS) allows customers to rotate the backing key which is key material stored within the KMS which is tied to the key ID of the Customer Created customer master key (CMK). It is the backing key that is used to perform cryptographic operations such as encryption and decryption. Automated key rotation currently retains all prior backing keys so that decryption of encrypted data can take place transparently. It is recommended that CMK key rotation be enabled |
KMS |
KMSKey where Description notlike "Default master key that protects my.*" should have RotationEnabled |
| Baseline network operations and data flows: Ensure VPC flow logging is enabled in all VPCs | VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. It is recommended that VPC Flow Logs be enabled for packet 'Rejects' for VPCs. |
EC2 |
VPC should have atleast one FlowLogs with [ Status eq "ACTIVE" ] |
| Remote access: Ensure a log metric filter and alarm exist for unauthorized API calls | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for unauthorized API calls. |
CloudWatch CloudTrail |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.errorCode\s*=\s*\"\*UnauthorizedOperation\"\)\s*\|\|\s*\(\$\.errorCode\s*=\s*\"AccessDenied\*\"\)\s*\|\|\s*\(\$\.sourceIPAddress\s*!=\s*\"delivery\.logs\.amazonaws\.com\"\)\s*\|\|\s*\(\$\.eventName\s*!=\s*\"HeadBucket\"\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Identities and credentials: Ensure a log metric filter and alarm exist for Management Console sign-in without MFA | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for console logins that are not protected by multi-factor authentication (MFA) |
CloudWatch CloudTrail |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*\"ConsoleLogin\"\)\s*\&\&\s*\(\$\.additionalEventData\.MFAUsed\s*!=\s*\"Yes\"\)\s*\&\&\s*\(\$\.userIdentity\.type\s*=\s*\"IAMUser\"\)\s*\&\&\s*\(\$\.responseElements\.ConsoleLogin\s*=\s*\"Success\"\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Identities and credentials: Ensure a log metric filter and alarm exist for usage of "root" account | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for root login attempts |
CloudTrail CloudWatch |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "{\s*\$\.userIdentity\.type\s*=\s*\"Root\"\s*\&\&\s*\$\.userIdentity\.invokedBy\s*NOT\s*EXISTS\s*\&\&\s*\$\.eventType\s*!=\s*\"AwsServiceEvent\"\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Identities and credentials: Ensure a log metric filter and alarm exist for IAM policy changes | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established changes made to Identity and Access Management (IAM) policies. |
CloudWatch CloudTrail |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*DeleteGroupPolicy\)\|\|\(\$\.eventName\s*=\s*DeleteRolePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteUserPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutGroupPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutRolePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutUserPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreatePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeletePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreatePolicyVersion\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeletePolicyVersion\)\s*\|\|\s*\(\$\.eventName\s*=\s*AttachRolePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DetachRolePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*AttachUserPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DetachUserPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*AttachGroupPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DetachGroupPolicy\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Audit/log records: Ensure a log metric filter and alarm exist for CloudTrail configuration changes | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations. |
CloudWatch CloudTrail |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*CreateTrail\)\s*\|\|\s*\(\$\.eventName\s*=\s*UpdateTrail\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteTrail\)\s*\|\|\s*\(\$\.eventName\s*=\s*StartLogging\)\s*\|\|\s*\(\$\.eventName\s*=\s*StopLogging\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Identities and credentials: Ensure a log metric filter and alarm exist for AWS Management Console authentication failures | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for failed console authentication attempts. |
CloudTrail CloudWatch |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*ConsoleLogin\)\s*\&\&\s*\(\$\.errorMessage\s*=\s*\"Failed\s*authentication\"\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Data-at-rest is protected: Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for customer created CMKs which have changed state to disabled or scheduled deletion. |
CloudWatch CloudTrail |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventSource\s*=\s*kms\.amazonaws\.com\)\s*\&\&\s*\(\(\$\.eventName=DisableKey\)\s*\|\|\s*\(\$\.eventName=ScheduleKeyDeletion\)\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Ensure a log metric filter and alarm exist for S3 bucket policy changes | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for changes to S3 bucket policies. |
CloudTrail CloudWatch |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventSource\s*=\s*s3\.amazonaws\.com\)\s*\&\&\s*\(\(\$\.eventName\s*=\s*PutBucketAcl\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutBucketPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutBucketCors\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutBucketLifecycle\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutBucketReplication\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteBucketPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteBucketCors\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteBucketLifecycle\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteBucketReplication\)\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Audit/log records: Ensure a log metric filter and alarm exist for AWS Config configuration changes | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations. |
CloudWatch CloudTrail |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventSource\s*=\s*config\.amazonaws\.com\)\s*\&\&\s*\(\(\$\.eventName=StopConfigurationRecorder\)\s*\|\|\s*\(\$\.eventName=DeleteDeliveryChannel\)\s*\|\|\(\$\.eventName=PutDeliveryChannel\)\s*\|\|\s*\(\$\.eventName=PutConfigurationRecorder\)\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Network integrity: Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. NACLs are used as a stateless packet filter to control ingress and egress traffic for subnets within a VPC. It is recommended that a metric filter and alarm be established for changes made to NACLs. |
CloudWatch CloudTrail |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*CreateNetworkAcl\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreateNetworkAclEntry\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteNetworkAcl\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteNetworkAclEntry\)\s*\|\|\s*\(\$\.eventName\s*=\s*ReplaceNetworkAclEntry\)\s*\|\|\s*\(\$\.eventName\s*=\s*ReplaceNetworkAclAssociation\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Network integrity: Ensure a log metric filter and alarm exist for changes to network gateways | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Network gateways are required to send/receive traffic to a destination outside of a VPC. It is recommended that a metric filter and alarm be established for changes to network gateways. |
CloudWatch CloudTrail |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*CreateCustomerGateway\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteCustomerGateway\)\s*\|\|\s*\(\$\.eventName\s*=\s*AttachInternetGateway\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreateInternetGateway\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteInternetGateway\)\s*\|\|\s*\(\$\.eventName\s*=\s*DetachInternetGateway\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Network integrity: Ensure a log metric filter and alarm exist for route table changes | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Routing tables are used to route network traffic between subnets and to network gateways. It is recommended that a metric filter and alarm be established for changes to route tables. |
CloudTrail CloudWatch |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*CreateRoute\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreateRouteTable\)\s*\|\|\s*\(\$\.eventName\s*=\s*ReplaceRoute\)\s*\|\|\s*\(\$\.eventName\s*=\s*ReplaceRouteTableAssociation\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteRouteTable\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteRoute\)\s*\|\|\s*\(\$\.eventName\s*=\s*DisassociateRouteTable\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Network integrity: Ensure a log metric filter and alarm exist for VPC changes | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is possible to have more than 1 VPC within an account, in addition it is also possible to create a peer connection between 2 VPCs enabling network traffic to route between VPCs. It is recommended that a metric filter and alarm be established for changes made to VPCs. |
CloudTrail CloudWatch |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*CreateVpc\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteVpc\)\s*\|\|\s*\(\$\.eventName\s*=\s*ModifyVpcAttribute\)\s*\|\|\s*\(\$\.eventName\s*=\s*AcceptVpcPeeringConnection\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreateVpcPeeringConnection\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteVpcPeeringConnection\)\s*\|\|\s*\(\$\.eventName\s*=\s*RejectVpcPeeringConnection\)\s*\|\|\s*\(\$\.eventName\s*=\s*AttachClassicLinkVpc\)\s*\|\|\s*\(\$\.eventName\s*=\s*DetachClassicLinkVpc\)\s*\|\|\s*\(\$\.eventName\s*=\s*DisableVpcClassicLink\)\s*\|\|\s*\(\$\.eventName\s*=\s*EnableVpcClassicLink\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Communications and control network protection: Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 | Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to port 22. |
EC2 |
SecurityGroup should not have InboundRules with [ IPRanges with [ IP eq 0.0.0.0/0 ] and ( FromPort lte 22 and ToPort gte 22 ) and Protocol in ("-1", "tcp") ] |
| Communications and control network protection: Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 | Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to port 3389. |
EC2 |
SecurityGroup should not have InboundRules with [ IPRanges with [ IP eq 0.0.0.0/0 ] and ( FromPort lte 3389 and ToPort gte 3389 ) and Protocol in ("-1", "udp", "tcp") ] |
| Ensure the default security group of every VPC restricts all traffic | A VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that the default security group restrict all traffic. The default VPC in every region should have it's default security group updated to comply. Any newly created VPCs will automatically contain a default security group that will need remediation to comply with this recommendation. |
EC2 |
SecurityGroup where Name eq "default" should have InboundRules len ( ) eq 0 and OutboundRules len ( ) eq 0 |
| Personnel know response roles/operations: Ensure a support role has been created to manage incidents with AWS Support | AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. Create an IAM Role to allow authorized users to manage incidents with AWS Support. |
IAM |
AWS should have atleast one IAMPolicies with [ id eq "arn:aws:iam::aws:policy/AWSSupportAccess" and AttachedEntities . Roles len ( ) gt 0 ] |
| Name | Description | Service | Rule |
|---|---|---|---|
| Identities and credentials: Avoid the use of the "root" account: check for recent logins. | The 'root' account has unrestricted access to all resources in the AWS account. It is highly recommended that the use of this account be avoided. |
IAM |
IAMUser where RootUser eq True should not have Password . LastUsedTime isLaterThan ( -1, "days" ) |
| Authentication: Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password | Multi-Factor Authentication (MFA) adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. It is recommended that MFA be enabled for all accounts that have a console password. |
IAM |
IAMUser where ( RootUser eq false and Password . Enabled eq true ) should have MFAActive eq true |
| Identities and credentials: Ensure passwords unused for 90 days or greater are disabled | AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all passwords that have been unused in 90 or greater days be disabled. |
IAM |
IAMUser where RootUser eq False should not have ( Password . Enabled and Password . LastUsedTime isEarlierThan ( -90, "days" ) ) |
| Remote access: Ensure access keys unused for 90 days or greater are disabled | AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all access keys that have been unused in 90 or greater days be disabled. |
IAM |
IAMUser where RootUser eq False should not have AccessKey with [ Active and LastUsedTime isEarlierThan ( -90, "days" ) ] |
| Remote access: Ensure access keys are rotated every 90 days or less. | Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. It is recommended that all access keys be regularly rotated. |
IAM |
IAMUser should not have AccessKey with [ Active and LastRotatedTime isEarlierThan ( -90 , "days" ) ] |
| Identities and credentials: Ensure IAM password policy requires at least one uppercase letter. | Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one uppercase letter. |
IAM |
IAMPasswordPolicy should have Configured and RequireUppercaseCharacters |
| Identities and credentials: Ensure IAM password policy require at least one lowercase letter. | Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one lowercase letter. |
IAM |
IAMPasswordPolicy should have Configured and RequireLowercaseCharacters |
| Identities and credentials: Ensure IAM password policy require at least one symbol. | Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one symbol. |
IAM |
IAMPasswordPolicy should have Configured and RequireSymbols |
| Identities and credentials: Ensure IAM password policy require at least one number. | Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one number. |
IAM |
IAMPasswordPolicy should have Configured and RequireNumbers |
| Identities and credentials: Ensure IAM password policy requires minimum length of 14 or greater. | Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are at least a given length. It is recommended that the password policy require a minimum password length 14. |
IAM |
IAMPasswordPolicy should have Configured and MinimumPasswordLength >= 14 |
| Identities and credentials: Ensure IAM password policy prevents password reuse | IAM password policies can prevent the reuse of a given password by the same user. It is recommended that the password policy prevent the reuse of passwords. |
IAM |
IAMPasswordPolicy should have Configured and PasswordReusePrevention >= 24 |
| Identities and credentials: Ensure IAM password policy expires passwords within 90 days or less. | IAM password policies can require passwords to be rotated or expired after a given number of days. It is recommended that the password policy expire passwords after 90 days or less. |
IAM |
IAMPasswordPolicy should have Configured and ExpirePasswords and MaxPasswordAge <= 90 |
| Remote access: Ensure no root account access key exists. | The root account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. It is recommended that all access keys associated with the root account be removed. |
IAM |
IAMUser where RootUser eq True should not have AccessKey with [ Active eq True ] |
| Authentication: Ensure MFA is enabled for the "root" account. | The root account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a username and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. |
IAM |
IAMUser where RootUser eq True should have MFAActive eq true |
| Authentication: Ensure hardware MFA is enabled for the "root" account. | The root account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. For Level 2, it is recommended that the root account be protected with a hardware MFA. |
IAM |
IAMUser where RootUser eq True should have MFAActive eq true and MFADevices . Physical len ( ) gt 0 |
| Access permissions and authorizations: Ensure IAM policies are attached only to groups or roles. | By default, IAM users, groups, and roles have no access to AWS resources. IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended that IAM policies be applied directly to groups and roles but not users. |
IAM |
IAMUser should have ( Policies . Managed len ( ) eq 0 and Policies . Inline len ( ) eq 0 ) |
| Personnel know response roles/operations: Ensure a support role has been created to manage incidents with AWS Support | AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. Create an IAM Role to allow authorized users to manage incidents with AWS Support. |
IAM |
AWS should have atleast one IAMPolicies with [ id eq "arn:aws:iam::aws:policy/AWSSupportAccess" and AttachedEntities . Roles len ( ) gt 0 ] |
| Remote access: Do not setup access keys during initial user setup for all IAM users that have a console password | AWS console defaults the checkbox for creating access keys to enabled. This results in many access keys being generated unnecessarily. In addition to unnecessary credentials, it also generates unnecessary management work in auditing and rotating these keys. |
IAM |
IAMUser where Password . Enabled eq true should not have AccessKey with [ Active and CreatedByDefault ] |
| Access permissions and authorizations: Ensure IAM policies that allow full "*:*" administrative privileges are not created. | IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended and considered a standard security advice to grant least privilege — that is, granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform only those tasks, instead of allowing full administrative privileges. |
IAM |
IAMPolicy should not have Permissions . Statements with [ Action with [ value eq "*" ] and Resource with [ value eq "*" ] and Effect eq "Allow" ] and ( AttachedEntities . Groups len ( ) gt 0 or AttachedEntities . Roles len ( ) gt 0 or AttachedEntities . Users len ( ) gt 0 ) |
| Audit/log records: Ensure CloudTrail is enabled. | AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an account, including API calls made via the Management Console, SDKs, command line tools, and higher-level AWS services (such as CloudFormation) |
CloudTrail |
AWS should have atleast one CloudTrails with [ MultiRegionTrailEnabled and LoggingEnabled eq True ] |
| Secure audit trails so they cannot be altered : CloudTrail Log Files Lack Integrity Validation | Use file-integrity monitoring or change-detection on CloudTrail logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert). |
CloudTrail |
CloudTrail should have LogFileValidationEnabled |
| Ensure the S3 bucket CloudTrail logs to is not publicly accessible | CloudTrail logs a record of every API call made in your AWS account. These logs file are stored in an S3 bucket. It is recommended that the bucket policy or access control list (ACL) applied to the S3 bucket that CloudTrail logs to prevents public access to the CloudTrail logs |
S3 CloudTrail |
CloudTrail should not have S3Bucket . Access eq "Public" |
| Audit/log records: Ensure CloudTrail trails are integrated with CloudWatch Logs | AWS CloudTrail is a web service that records AWS API calls made in a given AWS account.The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail uses Amazon S3 for log file storage and delivery, so log files are stored durably. In addition to capturing CloudTrail logs within a specified S3 bucket for long term analysis, realtime analysis can be performed by configuring CloudTrail to send logs to CloudWatch Logs. For a trail that is enabled in all regions in an account, CloudTrail sends log files from all those regions to a CloudWatch Logs log group. It is recommended that CloudTrail logs be sent to CloudWatch Logs. |
CloudTrail |
CloudTrail should have LogGroup . CreationDate gt 0 |
| Audit/log records: Ensure AWS Config is enabled in all regions | AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), any configuration changes between resources. The AWS configuration item history captured by AWS Config enables security analysis, resource change tracking, and compliance auditing. It is recommended to enable AWS Config be enabled in all regions. |
CloudTrail Config |
AWS should have ( ConfigRecorders with [ Status and RecordingGroup . AllSupported ] ) and ConfigDeliveryChannels with [ StreamDelivery . LastSuccess and HistoryDelivery . LastSuccess ] |
| Implement automated audit trails for all system components : CloudTrail - Lack of API Access Logging | Implement automated audit trails for all system components to reconstruct the following events : All individual user accesses to cardholder data ; All actions taken by any individual with root or administrative privileges ; Access to all audit trails ; Invalid logical access attempts ; Use of and changes to identification and authentication mechanisms ; Initialization, stopping, or pausing of the audit logs ; Creation and deletion of system-level objects. |
S3 CloudTrail |
CloudTrail should have S3Bucket . LoggingEnabled |
| Audit/log records: Ensure CloudTrail logs are encrypted at rest using KMS CMKs | AWS CloudTrail is a web service that records AWS API calls for an account and makes those logs available to users and resources in accordance with IAM policies. AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data, and uses Hardware Security Modules (HSMs) to protect the security of encryption keys. CloudTrail logs can be configured to leverage server side encryption (SSE) and KMS customer created master keys (CMK) to further protect CloudTrail logs. It is recommended that CloudTrail be configured to use SSE-KMS |
CloudTrail |
CloudTrail should have KMSKey . Enabled |
| Data-at-rest is protected: Ensure rotation for customer created CMKs is enabled | AWS Key Management Service (KMS) allows customers to rotate the backing key which is key material stored within the KMS which is tied to the key ID of the Customer Created customer master key (CMK). It is the backing key that is used to perform cryptographic operations such as encryption and decryption. Automated key rotation currently retains all prior backing keys so that decryption of encrypted data can take place transparently. It is recommended that CMK key rotation be enabled |
KMS |
KMSKey where Description notlike "Default master key that protects my.*" should have RotationEnabled |
| Baseline network operations and data flows: Ensure VPC flow logging is enabled in all VPCs | VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. It is recommended that VPC Flow Logs be enabled for packet 'Rejects' for VPCs. |
EC2 |
VPC should have atleast one FlowLogs with [ Status eq "ACTIVE" ] |
| Remote access: Ensure a log metric filter and alarm exist for unauthorized API calls | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for unauthorized API calls. |
CloudWatch CloudTrail |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.errorCode\s*=\s*\"\*UnauthorizedOperation\"\)\s*\|\|\s*\(\$\.errorCode\s*=\s*\"AccessDenied\*\"\)\s*\|\|\s*\(\$\.sourceIPAddress\s*!=\s*\"delivery\.logs\.amazonaws\.com\"\)\s*\|\|\s*\(\$\.eventName\s*!=\s*\"HeadBucket\"\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Identities and credentials: Ensure a log metric filter and alarm exist for Management Console sign-in without MFA | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for console logins that are not protected by multi-factor authentication (MFA) |
CloudWatch CloudTrail |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*\"ConsoleLogin\"\)\s*\&\&\s*\(\$\.additionalEventData\.MFAUsed\s*!=\s*\"Yes\"\)\s*\&\&\s*\(\$\.userIdentity\.type\s*=\s*\"IAMUser\"\)\s*\&\&\s*\(\$\.responseElements\.ConsoleLogin\s*=\s*\"Success\"\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Identities and credentials: Ensure a log metric filter and alarm exist for usage of "root" account | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for root login attempts |
CloudTrail CloudWatch |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "{\s*\$\.userIdentity\.type\s*=\s*\"Root\"\s*\&\&\s*\$\.userIdentity\.invokedBy\s*NOT\s*EXISTS\s*\&\&\s*\$\.eventType\s*!=\s*\"AwsServiceEvent\"\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Identities and credentials: Ensure a log metric filter and alarm exist for IAM policy changes | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established changes made to Identity and Access Management (IAM) policies. |
CloudWatch CloudTrail |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*DeleteGroupPolicy\)\|\|\(\$\.eventName\s*=\s*DeleteRolePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteUserPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutGroupPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutRolePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutUserPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreatePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeletePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreatePolicyVersion\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeletePolicyVersion\)\s*\|\|\s*\(\$\.eventName\s*=\s*AttachRolePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DetachRolePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*AttachUserPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DetachUserPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*AttachGroupPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DetachGroupPolicy\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Audit/log records: Ensure a log metric filter and alarm exist for CloudTrail configuration changes | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations. |
CloudWatch CloudTrail |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*CreateTrail\)\s*\|\|\s*\(\$\.eventName\s*=\s*UpdateTrail\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteTrail\)\s*\|\|\s*\(\$\.eventName\s*=\s*StartLogging\)\s*\|\|\s*\(\$\.eventName\s*=\s*StopLogging\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Identities and credentials: Ensure a log metric filter and alarm exist for AWS Management Console authentication failures | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for failed console authentication attempts. |
CloudTrail CloudWatch |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*ConsoleLogin\)\s*\&\&\s*\(\$\.errorMessage\s*=\s*\"Failed\s*authentication\"\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Data-at-rest is protected: Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for customer created CMKs which have changed state to disabled or scheduled deletion. |
CloudWatch CloudTrail |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventSource\s*=\s*kms\.amazonaws\.com\)\s*\&\&\s*\(\(\$\.eventName=DisableKey\)\s*\|\|\s*\(\$\.eventName=ScheduleKeyDeletion\)\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Ensure a log metric filter and alarm exist for S3 bucket policy changes | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for changes to S3 bucket policies. |
CloudTrail CloudWatch |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventSource\s*=\s*s3\.amazonaws\.com\)\s*\&\&\s*\(\(\$\.eventName\s*=\s*PutBucketAcl\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutBucketPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutBucketCors\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutBucketLifecycle\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutBucketReplication\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteBucketPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteBucketCors\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteBucketLifecycle\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteBucketReplication\)\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Audit/log records: Ensure a log metric filter and alarm exist for AWS Config configuration changes | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations. |
CloudWatch CloudTrail |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventSource\s*=\s*config\.amazonaws\.com\)\s*\&\&\s*\(\(\$\.eventName=StopConfigurationRecorder\)\s*\|\|\s*\(\$\.eventName=DeleteDeliveryChannel\)\s*\|\|\(\$\.eventName=PutDeliveryChannel\)\s*\|\|\s*\(\$\.eventName=PutConfigurationRecorder\)\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Network integrity: Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. NACLs are used as a stateless packet filter to control ingress and egress traffic for subnets within a VPC. It is recommended that a metric filter and alarm be established for changes made to NACLs. |
CloudWatch CloudTrail |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*CreateNetworkAcl\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreateNetworkAclEntry\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteNetworkAcl\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteNetworkAclEntry\)\s*\|\|\s*\(\$\.eventName\s*=\s*ReplaceNetworkAclEntry\)\s*\|\|\s*\(\$\.eventName\s*=\s*ReplaceNetworkAclAssociation\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Network integrity: Ensure a log metric filter and alarm exist for changes to network gateways | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Network gateways are required to send/receive traffic to a destination outside of a VPC. It is recommended that a metric filter and alarm be established for changes to network gateways. |
CloudWatch CloudTrail |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*CreateCustomerGateway\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteCustomerGateway\)\s*\|\|\s*\(\$\.eventName\s*=\s*AttachInternetGateway\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreateInternetGateway\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteInternetGateway\)\s*\|\|\s*\(\$\.eventName\s*=\s*DetachInternetGateway\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Network integrity: Ensure a log metric filter and alarm exist for route table changes | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Routing tables are used to route network traffic between subnets and to network gateways. It is recommended that a metric filter and alarm be established for changes to route tables. |
CloudTrail CloudWatch |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*CreateRoute\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreateRouteTable\)\s*\|\|\s*\(\$\.eventName\s*=\s*ReplaceRoute\)\s*\|\|\s*\(\$\.eventName\s*=\s*ReplaceRouteTableAssociation\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteRouteTable\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteRoute\)\s*\|\|\s*\(\$\.eventName\s*=\s*DisassociateRouteTable\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Network integrity: Ensure a log metric filter and alarm exist for VPC changes | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is possible to have more than 1 VPC within an account, in addition it is also possible to create a peer connection between 2 VPCs enabling network traffic to route between VPCs. It is recommended that a metric filter and alarm be established for changes made to VPCs. |
CloudTrail CloudWatch |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*CreateVpc\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteVpc\)\s*\|\|\s*\(\$\.eventName\s*=\s*ModifyVpcAttribute\)\s*\|\|\s*\(\$\.eventName\s*=\s*AcceptVpcPeeringConnection\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreateVpcPeeringConnection\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteVpcPeeringConnection\)\s*\|\|\s*\(\$\.eventName\s*=\s*RejectVpcPeeringConnection\)\s*\|\|\s*\(\$\.eventName\s*=\s*AttachClassicLinkVpc\)\s*\|\|\s*\(\$\.eventName\s*=\s*DetachClassicLinkVpc\)\s*\|\|\s*\(\$\.eventName\s*=\s*DisableVpcClassicLink\)\s*\|\|\s*\(\$\.eventName\s*=\s*EnableVpcClassicLink\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Communications and control network protection: Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 | Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to port 22. |
EC2 |
SecurityGroup should not have InboundRules with [ IPRanges with [ IP eq 0.0.0.0/0 ] and ( FromPort lte 22 and ToPort gte 22 ) and Protocol in ("-1", "tcp") ] |
| Communications and control network protection: Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 | Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to port 3389. |
EC2 |
SecurityGroup should not have InboundRules with [ IPRanges with [ IP eq 0.0.0.0/0 ] and ( FromPort lte 3389 and ToPort gte 3389 ) and Protocol in ("-1", "udp", "tcp") ] |
| Ensure the default security group of every VPC restricts all traffic | A VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that the default security group restrict all traffic. The default VPC in every region should have it's default security group updated to comply. Any newly created VPCs will automatically contain a default security group that will need remediation to comply with this recommendation. |
EC2 |
SecurityGroup where Name eq "default" should have InboundRules len ( ) eq 0 and OutboundRules len ( ) eq 0 |
| Name | Description | Service | Rule |
|---|---|---|---|
| Remote access: Ensure no root account access key exists. | The root account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. It is recommended that all access keys associated with the root account be removed. |
IAM |
IAMUser where RootUser eq True should not have AccessKey with [ Active eq True ] |
| Authentication: Ensure MFA is enabled for the "root" account. | The root account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a username and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. |
IAM |
IAMUser where RootUser eq True should have MFAActive eq true |
| Authentication: Ensure hardware MFA is enabled for the "root" account. | The root account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. For Level 2, it is recommended that the root account be protected with a hardware MFA. |
IAM |
IAMUser where RootUser eq True should have MFAActive eq true and MFADevices . Physical len ( ) gt 0 |
| Identities and credentials: Eliminate use of the 'root' user for administrative and daily tasks | With the creation of an AWS account, a 'root user' is created that cannot be disabled or deleted. That user has unrestricted access to and control over all resources in the AWS account. It is highly recommended that the use of this account be avoided for everyday tasks. |
IAM |
IAMUser where RootUser eq True should not have ( ( AccessKey with [ Active and LastUsedTime isLaterThan ( -1, "days" ) ] ) or ( Password . Enabled and Password . LastUsedTime isLaterThan ( -1, "days" ) ) ) |
| Identities and credentials: Ensure IAM password policy requires minimum length of 14 or greater. | Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are at least a given length. It is recommended that the password policy require a minimum password length 14. |
IAM |
IAMPasswordPolicy should have Configured and MinimumPasswordLength >= 14 |
| Identities and credentials: Ensure IAM password policy prevents password reuse | IAM password policies can prevent the reuse of a given password by the same user. It is recommended that the password policy prevent the reuse of passwords. |
IAM |
IAMPasswordPolicy should have Configured and PasswordReusePrevention >= 24 |
| Authentication: Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password | Multi-Factor Authentication (MFA) adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. It is recommended that MFA be enabled for all accounts that have a console password. |
IAM |
IAMUser where ( RootUser eq false and Password . Enabled eq true ) should have MFAActive eq true |
| Remote access: Do not setup access keys during initial user setup for all IAM users that have a console password | AWS console defaults the checkbox for creating access keys to enabled. This results in many access keys being generated unnecessarily. In addition to unnecessary credentials, it also generates unnecessary management work in auditing and rotating these keys. |
IAM |
IAMUser where Password . Enabled eq true should not have AccessKey with [ Active and CreatedByDefault ] |
| Remote access: Ensure access keys are rotated every 90 days or less. | Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. It is recommended that all access keys be regularly rotated. |
IAM |
IAMUser should not have AccessKey with [ Active and LastRotatedTime isEarlierThan ( -90 , "days" ) ] |
| Access permissions and authorizations: Ensure IAM policies that allow full "*:*" administrative privileges are not created. | IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended and considered a standard security advice to grant least privilege — that is, granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform only those tasks, instead of allowing full administrative privileges. |
IAM |
IAMPolicy should not have Permissions . Statements with [ Action with [ value eq "*" ] and Resource with [ value eq "*" ] and Effect eq "Allow" ] and ( AttachedEntities . Groups len ( ) gt 0 or AttachedEntities . Roles len ( ) gt 0 or AttachedEntities . Users len ( ) gt 0 ) |
| Personnel know response roles/operations: Ensure a support role has been created to manage incidents with AWS Support | AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. Create an IAM Role to allow authorized users to manage incidents with AWS Support. |
IAM |
AWS should have atleast one IAMPolicies with [ id eq "arn:aws:iam::aws:policy/AWSSupportAccess" and AttachedEntities . Roles len ( ) gt 0 ] |
| Audit/log records: Ensure CloudTrail is enabled. | AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an account, including API calls made via the Management Console, SDKs, command line tools, and higher-level AWS services (such as CloudFormation) |
CloudTrail |
AWS should have atleast one CloudTrails with [ MultiRegionTrailEnabled and LoggingEnabled eq True ] |
| Secure audit trails so they cannot be altered : CloudTrail Log Files Lack Integrity Validation | Use file-integrity monitoring or change-detection on CloudTrail logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert). |
CloudTrail |
CloudTrail should have LogFileValidationEnabled |
| Ensure the S3 bucket CloudTrail logs to is not publicly accessible | CloudTrail logs a record of every API call made in your AWS account. These logs file are stored in an S3 bucket. It is recommended that the bucket policy or access control list (ACL) applied to the S3 bucket that CloudTrail logs to prevents public access to the CloudTrail logs |
S3 CloudTrail |
CloudTrail should not have S3Bucket . Access eq "Public" |
| Audit/log records: Ensure CloudTrail trails are integrated with CloudWatch Logs | AWS CloudTrail is a web service that records AWS API calls made in a given AWS account.The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail uses Amazon S3 for log file storage and delivery, so log files are stored durably. In addition to capturing CloudTrail logs within a specified S3 bucket for long term analysis, realtime analysis can be performed by configuring CloudTrail to send logs to CloudWatch Logs. For a trail that is enabled in all regions in an account, CloudTrail sends log files from all those regions to a CloudWatch Logs log group. It is recommended that CloudTrail logs be sent to CloudWatch Logs. |
CloudTrail |
CloudTrail should have LogGroup . CreationDate gt 0 |
| Audit/log records: Ensure AWS Config is enabled in all regions | AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), any configuration changes between resources. The AWS configuration item history captured by AWS Config enables security analysis, resource change tracking, and compliance auditing. It is recommended to enable AWS Config be enabled in all regions. |
CloudTrail Config |
AWS should have ( ConfigRecorders with [ Status and RecordingGroup . AllSupported ] ) and ConfigDeliveryChannels with [ StreamDelivery . LastSuccess and HistoryDelivery . LastSuccess ] |
| Implement automated audit trails for all system components : CloudTrail - Lack of API Access Logging | Implement automated audit trails for all system components to reconstruct the following events : All individual user accesses to cardholder data ; All actions taken by any individual with root or administrative privileges ; Access to all audit trails ; Invalid logical access attempts ; Use of and changes to identification and authentication mechanisms ; Initialization, stopping, or pausing of the audit logs ; Creation and deletion of system-level objects. |
S3 CloudTrail |
CloudTrail should have S3Bucket . LoggingEnabled |
| Audit/log records: Ensure CloudTrail logs are encrypted at rest using KMS CMKs | AWS CloudTrail is a web service that records AWS API calls for an account and makes those logs available to users and resources in accordance with IAM policies. AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data, and uses Hardware Security Modules (HSMs) to protect the security of encryption keys. CloudTrail logs can be configured to leverage server side encryption (SSE) and KMS customer created master keys (CMK) to further protect CloudTrail logs. It is recommended that CloudTrail be configured to use SSE-KMS |
CloudTrail |
CloudTrail should have KMSKey . Enabled |
| Data-at-rest is protected: Ensure rotation for customer created CMKs is enabled | AWS Key Management Service (KMS) allows customers to rotate the backing key which is key material stored within the KMS which is tied to the key ID of the Customer Created customer master key (CMK). It is the backing key that is used to perform cryptographic operations such as encryption and decryption. Automated key rotation currently retains all prior backing keys so that decryption of encrypted data can take place transparently. It is recommended that CMK key rotation be enabled |
KMS |
KMSKey where Description notlike "Default master key that protects my.*" should have RotationEnabled |
| Baseline network operations and data flows: Ensure VPC flow logging is enabled in all VPCs | VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. It is recommended that VPC Flow Logs be enabled for packet 'Rejects' for VPCs. |
EC2 |
VPC should have atleast one FlowLogs with [ Status eq "ACTIVE" ] |
| Remote access: Ensure a log metric filter and alarm exist for unauthorized API calls | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for unauthorized API calls. |
CloudWatch CloudTrail |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.errorCode\s*=\s*\"\*UnauthorizedOperation\"\)\s*\|\|\s*\(\$\.errorCode\s*=\s*\"AccessDenied\*\"\)\s*\|\|\s*\(\$\.sourceIPAddress\s*!=\s*\"delivery\.logs\.amazonaws\.com\"\)\s*\|\|\s*\(\$\.eventName\s*!=\s*\"HeadBucket\"\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Identities and credentials: Ensure a log metric filter and alarm exist for Management Console sign-in without MFA | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for console logins that are not protected by multi-factor authentication (MFA) |
CloudWatch CloudTrail |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*\"ConsoleLogin\"\)\s*\&\&\s*\(\$\.additionalEventData\.MFAUsed\s*!=\s*\"Yes\"\)\s*\&\&\s*\(\$\.userIdentity\.type\s*=\s*\"IAMUser\"\)\s*\&\&\s*\(\$\.responseElements\.ConsoleLogin\s*=\s*\"Success\"\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Identities and credentials: Ensure a log metric filter and alarm exist for usage of "root" account | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for root login attempts |
CloudTrail CloudWatch |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "{\s*\$\.userIdentity\.type\s*=\s*\"Root\"\s*\&\&\s*\$\.userIdentity\.invokedBy\s*NOT\s*EXISTS\s*\&\&\s*\$\.eventType\s*!=\s*\"AwsServiceEvent\"\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Identities and credentials: Ensure a log metric filter and alarm exist for IAM policy changes | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established changes made to Identity and Access Management (IAM) policies. |
CloudWatch CloudTrail |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*DeleteGroupPolicy\)\|\|\(\$\.eventName\s*=\s*DeleteRolePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteUserPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutGroupPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutRolePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutUserPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreatePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeletePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreatePolicyVersion\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeletePolicyVersion\)\s*\|\|\s*\(\$\.eventName\s*=\s*AttachRolePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DetachRolePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*AttachUserPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DetachUserPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*AttachGroupPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DetachGroupPolicy\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Audit/log records: Ensure a log metric filter and alarm exist for CloudTrail configuration changes | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations. |
CloudWatch CloudTrail |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*CreateTrail\)\s*\|\|\s*\(\$\.eventName\s*=\s*UpdateTrail\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteTrail\)\s*\|\|\s*\(\$\.eventName\s*=\s*StartLogging\)\s*\|\|\s*\(\$\.eventName\s*=\s*StopLogging\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Identities and credentials: Ensure a log metric filter and alarm exist for AWS Management Console authentication failures | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for failed console authentication attempts. |
CloudTrail CloudWatch |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*ConsoleLogin\)\s*\&\&\s*\(\$\.errorMessage\s*=\s*\"Failed\s*authentication\"\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Data-at-rest is protected: Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for customer created CMKs which have changed state to disabled or scheduled deletion. |
CloudWatch CloudTrail |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventSource\s*=\s*kms\.amazonaws\.com\)\s*\&\&\s*\(\(\$\.eventName=DisableKey\)\s*\|\|\s*\(\$\.eventName=ScheduleKeyDeletion\)\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Ensure a log metric filter and alarm exist for S3 bucket policy changes | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for changes to S3 bucket policies. |
CloudTrail CloudWatch |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventSource\s*=\s*s3\.amazonaws\.com\)\s*\&\&\s*\(\(\$\.eventName\s*=\s*PutBucketAcl\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutBucketPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutBucketCors\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutBucketLifecycle\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutBucketReplication\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteBucketPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteBucketCors\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteBucketLifecycle\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteBucketReplication\)\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Audit/log records: Ensure a log metric filter and alarm exist for AWS Config configuration changes | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations. |
CloudWatch CloudTrail |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventSource\s*=\s*config\.amazonaws\.com\)\s*\&\&\s*\(\(\$\.eventName=StopConfigurationRecorder\)\s*\|\|\s*\(\$\.eventName=DeleteDeliveryChannel\)\s*\|\|\(\$\.eventName=PutDeliveryChannel\)\s*\|\|\s*\(\$\.eventName=PutConfigurationRecorder\)\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Network integrity: Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. NACLs are used as a stateless packet filter to control ingress and egress traffic for subnets within a VPC. It is recommended that a metric filter and alarm be established for changes made to NACLs. |
CloudWatch CloudTrail |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*CreateNetworkAcl\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreateNetworkAclEntry\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteNetworkAcl\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteNetworkAclEntry\)\s*\|\|\s*\(\$\.eventName\s*=\s*ReplaceNetworkAclEntry\)\s*\|\|\s*\(\$\.eventName\s*=\s*ReplaceNetworkAclAssociation\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Network integrity: Ensure a log metric filter and alarm exist for changes to network gateways | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Network gateways are required to send/receive traffic to a destination outside of a VPC. It is recommended that a metric filter and alarm be established for changes to network gateways. |
CloudWatch CloudTrail |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*CreateCustomerGateway\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteCustomerGateway\)\s*\|\|\s*\(\$\.eventName\s*=\s*AttachInternetGateway\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreateInternetGateway\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteInternetGateway\)\s*\|\|\s*\(\$\.eventName\s*=\s*DetachInternetGateway\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Network integrity: Ensure a log metric filter and alarm exist for route table changes | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Routing tables are used to route network traffic between subnets and to network gateways. It is recommended that a metric filter and alarm be established for changes to route tables. |
CloudTrail CloudWatch |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*CreateRoute\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreateRouteTable\)\s*\|\|\s*\(\$\.eventName\s*=\s*ReplaceRoute\)\s*\|\|\s*\(\$\.eventName\s*=\s*ReplaceRouteTableAssociation\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteRouteTable\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteRoute\)\s*\|\|\s*\(\$\.eventName\s*=\s*DisassociateRouteTable\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Network integrity: Ensure a log metric filter and alarm exist for VPC changes | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is possible to have more than 1 VPC within an account, in addition it is also possible to create a peer connection between 2 VPCs enabling network traffic to route between VPCs. It is recommended that a metric filter and alarm be established for changes made to VPCs. |
CloudTrail CloudWatch |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*CreateVpc\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteVpc\)\s*\|\|\s*\(\$\.eventName\s*=\s*ModifyVpcAttribute\)\s*\|\|\s*\(\$\.eventName\s*=\s*AcceptVpcPeeringConnection\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreateVpcPeeringConnection\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteVpcPeeringConnection\)\s*\|\|\s*\(\$\.eventName\s*=\s*RejectVpcPeeringConnection\)\s*\|\|\s*\(\$\.eventName\s*=\s*AttachClassicLinkVpc\)\s*\|\|\s*\(\$\.eventName\s*=\s*DetachClassicLinkVpc\)\s*\|\|\s*\(\$\.eventName\s*=\s*DisableVpcClassicLink\)\s*\|\|\s*\(\$\.eventName\s*=\s*EnableVpcClassicLink\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Ensure the default security group of every VPC restricts all traffic | A VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that the default security group restrict all traffic. The default VPC in every region should have it's default security group updated to comply. Any newly created VPCs will automatically contain a default security group that will need remediation to comply with this recommendation. |
EC2 |
SecurityGroup where Name eq "default" should have InboundRules len ( ) eq 0 and OutboundRules len ( ) eq 0 |
| Data-at-rest is protected: Ensure RDS encryption is enabled | Ensure RDS encryption is enabled. |
RDS |
RDSInstance should have StorageEncrypted eq true |
| Ensure MFA Delete is enable on S3 buckets | Once MFA Delete is enabled on your sensitive and classified S3 bucket it requires the user to have two forms of authentication |
S3 |
S3Bucket should have BucketVersioning . Status eq "Enabled" and BucketVersioning . MFADelete eq "Enabled" |
| Ensure S3 Bucket Policy is set to deny HTTP requests | At the Amazon S3 bucket level, you can configure permissions through a bucket policy making the objects accessible only through HTTPS |
S3 |
S3Bucket should have BucketPolicy with [Statement with [Effect eq "Deny" and Conditions with [Name eq "aws:SecureTransport" and Value has ("false") ]]] |
| Network integrity: Ensure a log metric filter and alarm exists for AWS Organizations changes | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for AWS Organizations changes made in the master AWS Account. |
CloudWatch CloudTrail |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventSource\s*=\s*organizations\.amazonaws\.com\)\s*\&\&\s*\(\(\$\.eventName\s*=\s*AcceptHandshake\)\s*\|\|\s*\(\$\.eventName\s*=\s*AttachPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreateAccount\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreateOrganizationalUnit\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreatePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeclineHandshake\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteOrganization\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteOrganizationalUnit\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeletePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DetachPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DisablePolicyType\)\s*\|\|\s*\(\$\.eventName\s*=\s*EnablePolicyType\)\s*\|\|\s*\(\$\.eventName\s*=\s*InviteAccountToOrganization\)\s*\|\|\s*\(\$\.eventName\s*=\s*LeaveOrganization\)\s*\|\|\s*\(\$\.eventName\s*=\s*MoveAccount\)\s*\|\|\s*\(\$\.eventName\s*=\s*RemoveAccountFromOrganization\)\s*\|\|\s*\(\$\.eventName\s*=\s*UpdatePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*UpdateOrganizationalUnit\)\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Network integrity: Ensure a log metric filter and alarm exist for security group changes | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Groups are a stateful packet filter that controls ingress and egress traffic within a VPC. It is recommended that a metric filter and alarm be established for detecting changes to Security Groups. |
CloudWatch CloudTrail |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*AuthorizeSecurityGroupIngress\)\s*\|\|\s*\(\$\.eventName\s*=\s*AuthorizeSecurityGroupEgress\)\s*\|\|\s*\(\$\.eventName\s*=\s*RevokeSecurityGroupIngress\)\s*\|\|\s*\(\$\.eventName\s*=\s*RevokeSecurityGroupEgress\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreateSecurityGroup\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteSecurityGroup\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Ensure all S3 buckets employ encryption-at-rest | Amazon S3 provides a variety of no, or low, cost encryption options to protect data at rest |
S3 |
S3Bucket should not have DefaultEncryption eq "Disabled" |
| Ensure credentials unused for 45 days or greater are disabled | AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all credentials that have been unused in 45 or greater days be deactivated or removed |
IAM |
IAMUser should not have ( RootUser eq False and ( ( AccessKey with [ Active and LastUsedTime isEarlierThan ( -45, "days" ) ] ) or ( Password . Enabled and Password . LastUsedTime isEarlierThan ( -45, "days" ) ) ) ) or ( RootUser eq False and ( ( AccessKey with [ Active and LastUsedTime eq 0 ] ) or ( Password . Enabled and Password . LastUsedTime eq 0 ) ) and CreationDate isEarlierThan ( -45, "days" ) ) |
| Ensure there is only one active access key available for any single IAM user | Access keys are long-term credentials for an IAM user or the AWS account 'root' user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK) |
IAM |
IAMUser should not have every AccessKey with [ Active eq true] and AccessKey len() gt 1 |
| Ensure IAM Users Receive Permissions Only Through Groups | IAM users are granted access to services, functions, and data through IAM policies. There are three ways to define policies for a user: 1) Edit the user policy directly, aka an inline, or user, policy; 2) attach a policy directly to a user; 3) add the user to an IAM group that has an attached policy. Only the third implementation is recommended. |
Identity |
IAMUser should have Policies . Managed len () eq 0 and Policies . Inline len () eq 0 |
| Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed | To enable HTTPS connections to your website or application in AWS, you need an SSL/TLS server certificate. You can use ACM or IAM to store and deploy server certificates. Use IAM as a certificate manager only when you must support HTTPS connections in a region that is not supported by ACM. IAM securely encrypts your private keys and stores the encrypted version in IAM SSL certificate storage. IAM supports deploying server certificates in all regions, but you must obtain your certificate from an external provider for use with AWS. You cannot upload an ACM certificate to IAM. Additionally, you cannot manage your certificates from the IAM Console. |
Identity |
ServerCertificate should not have Expiration isEarlierThan (0, "seconds") |
| Ensure that IAM Access analyzer is enabled | IAM Access Analyzer is a technology introduced at AWS reinvent 2019. After the Analyzer is enabled in IAM, scan results are displayed on the console showing the accessible resources. Scans show resources that other accounts and federated users can access, such as KMS keys and IAM roles. So the results allow you to determine if an unintended user is allowed, making it easier for administrators to monitor least privileges access. |
Security |
AccessAnalyzer should have Status eq "ACTIVE" |
| Ensure that S3 Buckets are configured with 'Block public access (bucket settings)' | Amazon S3 provides Block public access (bucket settings) and Block public access (account settings) to help you manage public access to Amazon S3 resources. By default, S3 buckets and objects are created with public access disabled. However, an IAM principle with sufficient S3 permissions can enable public access at the bucket and/or object level. While enabled, Block public access (bucket settings) prevents an individual bucket, and its contained objects, from becoming publicly accessible. Similarly, Block public access (account settings) prevents all buckets, and contained objects, from becoming publicly accessible across the entire account. |
Storage |
S3Bucket should have BlockPublicAccess . BlockPublicAcls and BlockPublicAccess . IgnorePublicAcls and BlockPublicAccess . BlockPublicPolicy and BlockPublicAccess . RestrictPublicBuckets |
| Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports | The Network Access Control List (NACL) function provide stateless filtering of ingress and egress network traffic to AWS resources. It is recommended that no NACL allows unrestricted ingress access to remote server administration ports, such as SSH to port 22 and RDP to port 3389. |
Network |
NetworkACL should not have Rules with [ Egress eq False and RuleAction eq "allow" and CidrBlock eq 0.0.0.0/0 and ( (FromPort lte 22 and ToPort gte 22) or (FromPort lte 3389 and ToPort gte 3389) ) ] |
| Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports | Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports |
Network |
SecurityGroup should not have InboundRules with [ IPRanges with [ IP eq 0.0.0.0/0 ] and ( (FromPort lte 22 and ToPort gte 22) or (FromPort lte 3389 and ToPort gte 3389) ) ] |
| Name | Description | Service | Rule |
|---|---|---|---|
| Imported ACM certificates should be renewed after a specified time period | This control checks whether ACM certificates in your account are marked for expiration within 30 days. It checks both imported certificates and certificates provided by AWS Certificate Manager. |
ACM |
ACM should have NotAfter isLaterThan(30, "days") |
| API Gateway REST and WebSocket API logging should be enabled | This control checks whether all stages of an Amazon API Gateway REST or WebSocket API have logging enabled. The control fails if logging is not enabled for all methods of a stage or if loggingLevel is neither ERROR nor INFO. |
APIGateway |
APIGateway where Stages len( ) gt 0 should have Stages with [ MethodSettings with [ MethodValue . LoggingLevel in ("INFO", "ERROR") ] ] |
| API Gateway REST API stages should be configured to use SSL certificates for backend authentication | This control checks whether Amazon API Gateway REST API stages have SSL certificates configured. Backend systems use these certificates to authenticate that incoming requests are from API Gateway. |
APIGateway |
APIGateway should have Stages with [ ClientCertificateId len( ) gt 0 ] |
| API Gateway REST API stages should have AWS X-Ray tracing enabled | This control checks whether AWS X-Ray active tracing is enabled for your Amazon API Gateway REST API stages. |
Category |
APIGateway should have Stages with [ TracingEnabled ] |
| API Gateway should be associated with an AWS WAF web ACL | Checks whether an API Gateway stage uses an AWS WAF web access control list (ACL). The control fails if it is not attached to a REST API Gateway stage. |
APIGateway |
APIGateway should have Stages with [ WebAclArn len( ) gt 0 ] |
| API Gateway REST API cache data should be encrypted at rest | Checks whether all methods in API Gateway REST API stages that have cache enabled are encrypted. The control fails if any method in an API Gateway REST API stage is configured to cache and the cache is not encrypted. |
APIGateway |
APIGateway should have Stages with [ MethodSettings with [ MethodValue . CacheDataEncrypted ] ] |
| Auto Scaling groups associated with a load balancer should use load balancer health checks | This control checks whether your Auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks. |
AutoScalingGroup |
AutoScalingGroup where LoadBalancerNames len( ) gt 0 should have HealthCheckType eq "ELB" |
| CloudFront distributions should have a default root object configured | This control checks whether an Amazon CloudFront distribution is configured to return a specific object that is the default root object. The control fails if the CloudFront distribution does not have a default root object configured. |
CloudFront |
CloudfrontDistribution should have DefaultRootObject len( ) gt 0 |
| CloudFront distributions should have origin access identity enabled | This control checks whether an Amazon CloudFront distribution with Amazon S3 Origin type has Origin Access Identity (OAI) configured. The control fails if OAI is not configured. |
CloudFront |
CloudfrontDistribution should have Origins . Items with [ S3OriginConfig . OriginAccessIdentity len( ) gt 0 ] |
| CloudFront distributions should require encryption in transit | This control checks whether an Amazon CloudFront distribution requires viewers to use HTTPS directly or whether it uses redirection. The control fails if ViewerProtocolPolicy is set to allow-all for defaultCacheBehavior or for cacheBehaviors. |
CloudFront |
CloudfrontDistribution should not have DefaultCacheBehavior . ViewerProtocolPolicy eq "allow-all" |
| CloudFront distributions should have origin failover configured | This control checks whether an Amazon CloudFront distribution is configured with an origin group that has two or more origins. |
CloudFront |
CloudfrontDistribution should have OriginGroups . Quantity gt 0 and OriginGroups . Items len( ) gt 0 |
| CloudFront distributions should have logging enabled | This control checks whether server access logging is enabled on CloudFront distributions. The control fails if access logging is not enabled for a distribution. |
CloudFront |
CloudfrontDistribution should have Logging . Enabled |
| CloudFront distributions should have AWS WAF enabled | This control checks whether CloudFront distributions are associated with either AWS WAF or AWS WAFv2 web ACLs. The control fails if the distribution is not associated with a web ACL. |
CloudFront |
CloudfrontDistribution should have WebACLId len( ) gt 0 |
| Audit/log records: Ensure CloudTrail is enabled. | AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an account, including API calls made via the Management Console, SDKs, command line tools, and higher-level AWS services (such as CloudFormation) |
CloudTrail |
AWS should have atleast one CloudTrails with [ MultiRegionTrailEnabled and LoggingEnabled eq True ] |
| Audit/log records: Ensure CloudTrail logs are encrypted at rest using KMS CMKs | AWS CloudTrail is a web service that records AWS API calls for an account and makes those logs available to users and resources in accordance with IAM policies. AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data, and uses Hardware Security Modules (HSMs) to protect the security of encryption keys. CloudTrail logs can be configured to leverage server side encryption (SSE) and KMS customer created master keys (CMK) to further protect CloudTrail logs. It is recommended that CloudTrail be configured to use SSE-KMS |
CloudTrail |
CloudTrail should have KMSKey . Enabled |
| Secure audit trails so they cannot be altered : CloudTrail Log Files Lack Integrity Validation | Use file-integrity monitoring or change-detection on CloudTrail logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert). |
CloudTrail |
CloudTrail should have LogFileValidationEnabled |
| Audit/log records: Ensure CloudTrail trails are integrated with CloudWatch Logs | AWS CloudTrail is a web service that records AWS API calls made in a given AWS account.The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail uses Amazon S3 for log file storage and delivery, so log files are stored durably. In addition to capturing CloudTrail logs within a specified S3 bucket for long term analysis, realtime analysis can be performed by configuring CloudTrail to send logs to CloudWatch Logs. For a trail that is enabled in all regions in an account, CloudTrail sends log files from all those regions to a CloudWatch Logs log group. It is recommended that CloudTrail logs be sent to CloudWatch Logs. |
CloudTrail |
CloudTrail should have LogGroup . CreationDate gt 0 |
| CodeBuild GitHub or Bitbucket source repository URLs should use OAuth | This control checks whether the GitHub or Bitbucket source repository URL contains either personal access tokens or a user name and password |
CodeBuild |
SourceCredential should have AuthType eq "OAUTH" |
| CodeBuild project environment variables should not contain clear text credentials | This control checks whether the project contains clear text credentials in the environment variables |
CodeBuild |
CodeBuild should not have Environment . EnvironmentVariables with [Type eq "PLAINTEXT" ] |
| Audit/log records: Ensure AWS Config is enabled in all regions | AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), any configuration changes between resources. The AWS configuration item history captured by AWS Config enables security analysis, resource change tracking, and compliance auditing. It is recommended to enable AWS Config be enabled in all regions. |
CloudTrail Config |
AWS should have ( ConfigRecorders with [ Status and RecordingGroup . AllSupported ] ) and ConfigDeliveryChannels with [ StreamDelivery . LastSuccess and HistoryDelivery . LastSuccess ] |
| AWS Database Migration Service replication instances should not be public | This control checks whether AWS DMS replication instances are public |
DMS |
DMSReplicationInstance should not have PubliclyAccessible |
| DynamoDB tables should automatically scale capacity with demand | This control checks whether an Amazon DynamoDB table can scale its read and write capacity as needed. This control passes if the table uses either on-demand capacity mode or provisioned mode with auto scaling configured. |
DynamoDB |
DynamoDBTable should have ScalableTargets len( ) gt 0 |
| Backups of information: Ensure DynamoDB tables have point in time recovery enabled | Ensure DynamoDB tables have point in time recovery enabled. |
Dynamo |
DynamoDBTable should have PointInTimeRecovery eq "ENABLED" |
| DynamoDB Accelerator (DAX) clusters should be encrypted at rest | This control checks whether a DAX cluster is encrypted at rest. |
DynamoDB |
DAX should have SSEDescription . Status eq "ENABLED" |
| Amazon EBS snapshots should not be public, determined by the ability to be restorable by anyone | This control checks that Amazon Elastic Block Store snapshots are not public, as determined by the ability to be restorable by anyone. EBS snapshots are used to back up the data on your EBS volumes to Amazon S3 at a specific point in time. You can use the snapshots to restore previous states of EBS volumes. It is rarely acceptable to share a snapshot with the public. Typically the decision to share a snapshot publicly was made in error or without a complete understanding of the implications. This check helps ensure that all such sharing was fully planned and intentional |
EC2 |
Snapshots should have Access neq "Public" |
| Ensure the default security group of every VPC restricts all traffic | A VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that the default security group restrict all traffic. The default VPC in every region should have it's default security group updated to comply. Any newly created VPCs will automatically contain a default security group that will need remediation to comply with this recommendation. |
EC2 |
SecurityGroup where Name eq "default" should have InboundRules len ( ) eq 0 and OutboundRules len ( ) eq 0 |
| Attached EBS volumes should be encrypted at rest | This control checks whether the EBS volumes that are in an attached state are encrypted |
EC2 |
Volume where Attachments len () gt 0 should have Encrypted |
| Stopped EC2 instances should be removed after a specified time period | This control checks whether any EC2 instances have been stopped for more than the allowed number of days. An EC2 instance fails this check if it is stopped for longer than the maximum allowed time period, which by default is 30 days |
EC2 |
EC2Instance where Status eq "stopped" should have StateTransitionTime isLaterThan ( -30 , "days" ) |
| Baseline network operations and data flows: Ensure VPC flow logging is enabled in all VPCs | VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. It is recommended that VPC Flow Logs be enabled for packet 'Rejects' for VPCs. |
EC2 |
VPC should have atleast one FlowLogs with [ Status eq "ACTIVE" ] |
| EBS default encryption should be enabled | This control checks whether account-level encryption is enabled by default for Amazon Elastic Block Store(Amazon EBS) |
EC2 |
Volume should have EbsEncryptionByDefault |
| EC2 instances should use IMDSv2 | This control checks whether your EC2 instance metadata version is configured with Instance Metadata Service Version 2 (IMDSv2) |
EC2 |
EC2Instance should have MetadataOptions.HttpTokens eq "required" |
| EC2 instances should not have a public IP address | This rule checks whether EC2 instances have a public IP address. The rule fails if the publicIp field is present in the EC2 instance configuration item. This rule applies to IPv4 addresses only |
EC2 |
EC2Instance should not have PublicIPv4 len () gt 0 |
| Amazon EC2 should be configured to use VPC endpoints that are created for the Amazon EC2 service | This control checks whether a service endpoint for Amazon EC2 is created for each VPC |
EC2 |
VPC should have EndpointRef with [ ServiceName like "\.ec2$"] |
| EC2 subnets should not automatically assign public IP addresses | This control checks whether the assignment of public IPs in Amazon Virtual Private Cloud (Amazon VPC) subnets have MapPublicIpOnLaunch set to FALSE. The control passes if the flag is set to FALSE |
EC2 |
Subnet should not have MapPublicIpOnLaunch |
| Unused network access control lists should be removed | This control checks whether there are any unused network access control lists (ACLs) |
EC2 |
NetworkACL should have Subnets len () gt 0 |
| EC2 instances should not use multiple ENIs | This control checks whether an EC2 instance uses multiple Elastic Network Interfaces (ENIs) |
EC2 |
EC2Instance should have NetworkInterfaces len ( ) lte 1 |
| Ensure EC2 Instance does not have open TCP ports | TCP Ports 22, 80, 443, 1433, 1521, 3306, 3389, 5432, 27017, 27018, 27019 of an EC2 Instance, should not be open to public. |
EC2 |
EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1", "tcp") and ( ( FromPort lte 22 and ToPort gte 22) or ( FromPort lte 80 and ToPort gte 80) or ( FromPort lte 443 and ToPort gte 443) or ( FromPort lte 1433 and ToPort gte 1433) or ( FromPort lte 1521 and ToPort gte 1521) or ( FromPort lte 3306 and ToPort gte 3306) or ( FromPort lte 3389 and ToPort gte 3389) or ( FromPort lte 5432 and ToPort gte 5432) or ( FromPort lte 27019 and ToPort gte 27017) ) ] ] |
| Ensure EC2 Instance does not have open ahsp port | Ahsp Port 4333, of an EC2 Instance, should not be open to public. |
EC2 |
EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1","tcp") and ( (FromPort lte 4333 and ToPort gte 4333) ) ] ] |
| Ensure EC2 Instance does not have open Alternative HTTP port | Alternative HTTP Port 8888, of an EC2 Instance, should not be open to public. |
EC2 |
EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1","tcp") and ( (FromPort lte 8888 and ToPort gte 8888) ) ] ] |
| Ensure EC2 Instance does not have open CIFS port | CIFS Port 445, of an EC2 Instance, should not be open to public. |
EC2 |
EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1","tcp") and ( (FromPort lte 445 and ToPort gte 445) ) ] ] |
| Ensure EC2 Instance does not have open fcp-addr-srvr1 port | fcp-addr-srvr1 Port 5500, of an EC2 Instance, should not be open to public. |
EC2 |
EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1","tcp") and ( (FromPort lte 5500 and ToPort gte 5500) ) ] ] |
| Ensure EC2 Instance does not have open FTP port | FTP Port 20 and 21, of an EC2 Instance, should not be open to public. |
EC2 |
EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1","tcp") and ( (FromPort lte 20 and ToPort gte 21) ) ] ] |
| Ensure EC2 Instance does not have open IMAP port | IMAP Port 143, of an EC2 Instance, should not be open to public. |
EC2 |
EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1","tcp") and ( (FromPort lte 143 and ToPort gte 143) ) ] ] |
| Ensure EC2 Instance does not have open Legacy HTTP port | Legacy HTTP Port 8088, of an EC2 Instance, should not be open to public. |
EC2 |
EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1","tcp") and ( (FromPort lte 8088 and ToPort gte 8088) ) ] ] |
| Ensure EC2 Instance does not have open MySQL port | MySQL Port 3306, of an EC2 Instance, should not be open to public. |
EC2 |
EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1", "tcp") and ( (FromPort lte 3306 and ToPort gte 3306) ) ] ] |
| Ensure EC2 Instance does not have open SQL Server port | MySQL Port 1433, of an EC2 Instance, should not be open to public. |
EC2 |
EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1", "tcp") and ( (FromPort lte 1433 and ToPort gte 1434) ) ] ] |
| Ensure EC2 Instance does not have open OpenSearch Dashboards port | OpenSearch Dashboards Port 5601, of an EC2 Instance, should not be open to public. |
EC2 |
EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1","tcp") and ( (FromPort lte 5601 and ToPort gte 5601) ) ] ] |
| Ensure EC2 Instance does not have open OpenSearch port | OpenSearch Port 9200 or 9300, of an EC2 Instance, should not be open to public. |
EC2 |
EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1","tcp") and ( (FromPort lte 9200 and ToPort gte 9200) or (FromPort lte 9300 and ToPort gte 9300) ) ] ] |
| Ensure EC2 Instance does not have open POP3 port | POP3 Port 110, of an EC2 Instance, should not be open to public. |
EC2 |
EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1","tcp") and ( (FromPort lte 110 and ToPort gte 110) ) ] ] |
| Ensure EC2 Instance does not have open PostgreSQL port | PostgreSQL Port 5432, of an EC2 Instance, should not be open to public. |
EC2 |
EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1","tcp") and ( (FromPort lte 5432 and ToPort gte 5432) ) ] ] |
| Ensure EC2 Instance does not have open Proxy port | Proxy Port 8080, of an EC2 Instance, should not be open to public. |
EC2 |
EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1","tcp") and ( (FromPort lte 8080 and ToPort gte 8080) ) ] ] |
| Ensure EC2 Instance does not have open RDP port | RDP Port 3389, of an EC2 Instance, should not be open to public. |
EC2 |
EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1","udp","tcp") and ( (FromPort lte 3389 and ToPort gte 3389) ) ] ] |
| Ensure EC2 Instance does not have open RPC port | RPC Port 135, of an EC2 Instance, should not be open to public. |
EC2 |
EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1","tcp") and ( (FromPort lte 135 and ToPort gte 135) ) ] ] |
| Ensure EC2 Instance does not have open SMTP port | SMTP Port 25, of an EC2 Instance, should not be open to public. |
EC2 |
EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1","tcp") and ( (FromPort lte 25 and ToPort gte 25) ) ] ] |
| Ensure EC2 Instance does not have open SSH port | SSH Port 22, of an EC2 Instance, should not be open to public. |
EC2 |
EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1","tcp") and ( (FromPort lte 22 and ToPort gte 22) ) ] ] |
| Ensure EC2 Instance does not have open Telnet port | Telnet Port 23, of an EC2 Instance, should not be open to public. |
EC2 |
EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1","tcp") and ( (FromPort lte 23 and ToPort gte 23) ) ] ] |
| Ensure EC2 Instance does not have open Python web development frameworks port | Python web development frameworks Port 5000, of an EC2 Instance, should not be open to public. |
EC2 |
EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1","tcp") and ( (FromPort lte 5000 and ToPort gte 5000) ) ] ] |
| Ensure EC2 Instance does not have open Go, Node.js, and Ruby web development frameworks port | Go, Node.js, and Ruby web development frameworks Port 3000, of an EC2 Instance, should not be open to public. |
EC2 |
EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1","tcp") and ( (FromPort lte 3000 and ToPort gte 3000) ) ] ] |
| Amazon ECS task definitions should have secure networking modes and user definitions | This control checks whether an active Amazon ECS task definition that has host networking mode also has privileged or user container definitions. The control fails for task definitions that have host network mode and container definitions where privileged=false or is empty and user=root or is empty |
ECS |
ECSTaskDefinition where NetworkMode eq "host" should have ContainerDefinitions with [ Privileged and User len () gt 0 and User neq "root" ] |
| Amazon ECS services should not have public IP addresses assigned to them automatically | This control checks whether Amazon ECS services are configured to automatically assign public IP addresses. A public IP address is an IP address that is reachable from the internet. If you launch your Amazon ECS instances with a public IP address, then your Amazon ECS instances are reachable from the internet. Amazon ECS services should not be publicly accessible, as this may allow unintended access to your container application servers |
ECS |
ECSCluster where Services with [ TaskDefinition . NetworkMode eq "awsvpc"] should have Services with [ TaskDefinition . NetworkMode eq "awsvpc" and AwsVPCConfiguration . AssignPublicIp neq "ENABLED" ] |
| Amazon EFS should be configured to encrypt file data at rest using AWS KMS | This control checks whether Amazon Elastic File System is configured to encrypt the file data using AWS KMS. |
EFS |
ElasticFileSystem should have Encrypted and KMSKey . Enabled |
| Elastic Beanstalk environments should have enhanced health reporting enabled | This control checks whether enhanced health reporting is enabled for your AWS Elastic Beanstalk environments. |
ElasticBeanstalk |
ElasticBeanstalk should have ConfigurationSettings with [ OptionSettings with [ OptionName eq "EnhancedHealthAuthEnabled" and Value eq "true" ] ] |
| Elastic Beanstalk managed platform updates should be enabled | This control checks whether managed platform updates are enabled for the Elastic Beanstalk environment. |
ElasticBeanstalk |
ElasticBeanstalk should have ConfigurationSettings with [ OptionSettings with [ OptionName eq "ManagedActionsEnabled" and Value eq "true" ] ] |
| Classic Load Balancer listeners should be configured with HTTPS or TLS termination | This control checks whether your Classic Load Balancer listeners are configured with HTTPS or TLS protocol for front-end (client to load balancer) connections. |
ElasticLoadBalancer |
ClassicLoadBalancer where ( ListenerDescriptions len () gt 0 ) should have ListenerDescriptions with [ Listener . Protocol in ("HTTPS", "SSL") ] |
| Application load balancers should be configured to drop HTTP headers | This control evaluates AWS Application Load Balancers to ensure they are configured to drop invalid HTTP headers |
ElasticLoadBalancer |
ElasticLoadBalancer where Type eq "application" should have RoutingHttpDropInvalidHeaderFieldsEnabled eq True |
| Application Load Balancers logging should be enabled | This control checks whether the Application Load Balancer have logging enabled |
ElasticLoadBalancer |
ElasticLoadBalancer where Type eq "application" should have AccessLogsEnabled eq True |
| Classic Load Balancers logging should be enabled | This rule checks whether the Classic Load Balancer have logging enabled |
ElasticLoadBalancer |
ClassicLoadBalancer should have Attributes . AccessLog . Enabled |
| Ensure Deletion Protection is enabled on Elastic Load Balancer | Enabling deletion protection on load balancers mitigates risks of accidental deletion. |
ElasticLoadBalancer |
ElasticLoadBalancer should have DeletionProtection |
| Classic Load Balancers should have connection draining enabled | This rule checks whether Classic Load Balancers have connection draining enabled. Enabling connection draining on Classic Load Balancers ensures that the load balancer stops sending requests to instances that are de-registering or unhealthy. It keeps the existing connections open. This is particularly useful for instances in Auto Scaling groups, to ensure that connections aren’t severed abruptly |
ElasticLoadBalancer |
ClassicLoadBalancer should have Attributes . ConnectionDraining . Enabled |
| Application Load Balancer should be configured to redirect all HTTP requests to HTTPS | This control checks whether HTTP to HTTPS redirection is configured on all HTTP listeners of Application Load Balancers |
ElasticLoadBalancer |
ElasticLoadBalancer where (Type eq "application" and Listeners with [ Protocol eq "HTTP" ]) should have Listeners with [ Protocol eq "HTTP" and DefaultActions with [ Type eq "redirect" and RedirectConfig . Protocol eq "HTTPS" and RedirectConfig . Port eq 443 ] ] |
| Amazon EMR cluster master nodes should not have public IP addresses | This control checks whether master nodes on Amazon EMR clusters have public IP addresses. |
EMR |
EMRCluster should not have Instances with [ PublicIpAddress isPublic() ] |
| Elasticsearch domains should have encryption at rest enabled | This control checks whether Elasticsearch domains have encryption at rest configuration enabled. The check fails if encryption at rest is not enabled. |
ElasticSearch |
ElasticSearchDomain should have EncryptionAtRestOptions . Enabled |
| Elasticsearch domains should be in a VPC | This control checks whether Elasticsearch domains are in a VPC. It should be ensured that Elasticsearch domains are not attached to public subnets. |
ElasticSearch |
ElasticSearchDomain should have VPCOptions . VPC . Status eq "available" |
| Elasticsearch domains should encrypt data sent between nodes | This control checks whether Elasticsearch domains have node-to-node encryption enabled. |
ElasticSearch |
ElasticSearchDomain should have NodeToNodeEncryptionOptions . Enabled |
| Elasticsearch domain error logging to CloudWatch Logs should be enabled | This control checks whether Elasticsearch domains are configured to send error logs to CloudWatch Logs. |
ElasticSearch |
ElasticSearchDomain should have LogPublishingOptions with [ Name eq "ES_APPLICATION_LOGS" and Enabled and CloudWatchLogsLogGroup . id len( ) gt 0 ] |
| Elasticsearch domains should have audit logging enabled | This control checks whether Elasticsearch domains have audit logging enabled. This control fails if an Elasticsearch domain does not have audit logging enabled. |
ElasticSearch |
ElasticSearchDomain should have LogPublishingOptions with [ Name eq "AUDIT_LOGS" and Enabled and CloudWatchLogsLogGroup . id len( ) gt 0 ] |
| Elasticsearch domains should have at least three data nodes | This control checks whether Elasticsearch domains are configured with at least three data nodes and zoneAwarenessEnabled is true. |
ElasticSearch |
ElasticSearchDomain should have ElasticsearchClusterConfig . ZoneAwarenessEnabled and ElasticsearchClusterConfig . ZoneAwarenessConfig . AvailabilityZoneCount gte 3 |
| Elasticsearch domains should be configured with at least three dedicated master nodes | This control checks whether Elasticsearch domains are configured with at least three dedicated master nodes. This control fails if the domain does not use dedicated master nodes. |
ElasticSearch |
ElasticSearchDomain should have ElasticsearchClusterConfig . DedicatedMasterEnabled and ElasticsearchClusterConfig . DedicatedMasterCount gte 3 |
| Connections to Elasticsearch domains should be encrypted using TLS 1.2 | This control checks whether connections to Elasticsearch domains are required to use TLS 1.2. The check fails if the Elasticsearch domain TLSSecurityPolicy is not Policy-Min-TLS-1-2-2019-07. |
ElasticSearch |
ElasticSearchDomain should have DomainEndpointOptions . TLSSecurityPolicy eq "Policy-Min-TLS-1-2-2019-07" |
| GuardDuty should be enabled | This control checks whether Amazon GuardDuty is enabled in your GuardDuty account and Region. |
GuardDuty |
GuardDutyDetector should have Status eq "ENABLED" |
| Access permissions and authorizations: Ensure IAM policies that allow full "*:*" administrative privileges are not created. | IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended and considered a standard security advice to grant least privilege — that is, granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform only those tasks, instead of allowing full administrative privileges. |
IAM |
IAMPolicy should not have Permissions . Statements with [ Action with [ value eq "*" ] and Resource with [ value eq "*" ] and Effect eq "Allow" ] and ( AttachedEntities . Groups len ( ) gt 0 or AttachedEntities . Roles len ( ) gt 0 or AttachedEntities . Users len ( ) gt 0 ) |
| Ensure IAM Users Receive Permissions Only Through Groups | IAM users are granted access to services, functions, and data through IAM policies. There are three ways to define policies for a user: 1) Edit the user policy directly, aka an inline, or user, policy; 2) attach a policy directly to a user; 3) add the user to an IAM group that has an attached policy. Only the third implementation is recommended. |
Identity |
IAMUser should have Policies . Managed len () eq 0 and Policies . Inline len () eq 0 |
| Remote access: Ensure access keys unused for 90 days or greater are disabled | AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all access keys that have been unused in 90 or greater days be disabled. |
IAM |
IAMUser where RootUser eq False should not have AccessKey with [ Active and LastUsedTime isEarlierThan ( -90, "days" ) ] |
| Remote access: Ensure no root account access key exists. | The root account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. It is recommended that all access keys associated with the root account be removed. |
IAM |
IAMUser where RootUser eq True should not have AccessKey with [ Active eq True ] |
| Authentication: Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password | Multi-Factor Authentication (MFA) adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. It is recommended that MFA be enabled for all accounts that have a console password. |
IAM |
IAMUser where ( RootUser eq false and Password . Enabled eq true ) should have MFAActive eq true |
| Authentication: Ensure hardware MFA is enabled for the "root" account. | The root account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. For Level 2, it is recommended that the root account be protected with a hardware MFA. |
IAM |
IAMUser where RootUser eq True should have MFAActive eq true and MFADevices . Physical len ( ) gt 0 |
| Ensure proper user-authentication management for non-consumer users and administrators : IAM Weak Password Policy | Passwords/passphrases must meet the following: Require a minimum length of at least seven characters. Contain both numeric and alphabetic characters. Alternatively, the passwords/passphrases must have complexity and strength at least equivalent to the parameters specified above |
IAM |
IAMPasswordPolicy should have RequireUppercaseCharacters and RequireLowercaseCharacters and (MinimumPasswordLength gte 8 or RequireSymbols ) |
| Ensure credentials unused for 45 days or greater are disabled | AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all credentials that have been unused in 45 or greater days be deactivated or removed |
IAM |
IAMUser should not have ( RootUser eq False and ( ( AccessKey with [ Active and LastUsedTime isEarlierThan ( -45, "days" ) ] ) or ( Password . Enabled and Password . LastUsedTime isEarlierThan ( -45, "days" ) ) ) ) or ( RootUser eq False and ( ( AccessKey with [ Active and LastUsedTime eq 0 ] ) or ( Password . Enabled and Password . LastUsedTime eq 0 ) ) and CreationDate isEarlierThan ( -45, "days" ) ) |
| IAM customer managed policies that you create should not allow wildcard actions for services | This control checks whether the IAM identity-based policies that you create have Allow statements that use the * wildcard to grant permissions for all actions on any service |
IAM |
IAMPolicy where Type eq "Customer Managed" should not have Permissions . Statements with [ Effect eq "Allow" and ( NotAction with [ value like "\:\*$" ] or Action with [ value like "\:\*$" ] ) ] |
| IAM customer managed policies should not allow decryption and re-encryption actions on all KMS keys | Checks whether the default version of IAM customer managed policies allow principals to use the AWS KMS decryption actions on all resources |
IAM |
IAMPolicy where Type eq "Customer Managed" should not have Permissions . Statements with [ Effect eq "Allow" and Action with [ value in ("kms:Decrypt", "kms:ReEncryptFrom") ] and Resource with [ value eq "*" ] ] |
| IAM principals should not have IAM Group inline policies that allow decryption and re-encryption actions on all KMS keys | Checks whether the inline policies that are embedded in your IAM group allow the AWS KMS decryption and re-encryption actions on all KMS keys |
IAM |
IAMGroup should not have GroupPolicy . InlinePolicies with [ PolicyDocument . Statement with [ Effect eq "Allow" and Action with [ value in ("kms:Decrypt", "kms:ReEncryptFrom") ] and Resource with [ value eq "*" ] ] ] |
| IAM principals should not have IAM Role inline policies that allow decryption and re-encryption actions on all KMS keys | Checks whether the inline policies that are embedded in your IAM role allow the AWS KMS decryption and re-encryption actions on all KMS keys |
IAM |
IAMRole should not have Policies . Inline with [ PolicyDocument . Statements with [ Effect eq "Allow" and Action with [ value in ("kms:Decrypt", "kms:ReEncryptFrom") ] and Resource with [ value eq "*" ] ] ] |
| IAM principals should not have IAM User inline policies that allow decryption and re-encryption actions on all KMS keys | Checks whether the inline policies that are embedded in your IAM user allow the AWS KMS decryption and re-encryption actions on all KMS keys |
IAM |
IAMUser should not have Policies . Inline with [ PolicyDocument . Statements with [ Effect eq "Allow" and Action with [ value in ("kms:Decrypt", "kms:ReEncryptFrom") ] and Resource with [ value eq "*" ] ] ] |
| AWS KMS keys should not be unintentionally deleted | This control checks whether KMS keys are scheduled for deletion. KMS keys cannot be recovered once deleted. Data encrypted under a KMS key is also permanently unrecoverable if the KMS key is deleted. If meaningful data has been encrypted under a KMS key scheduled for deletion, consider decrypting the data or re-encrypting the data under a new KMS key unless you are intentionally performing a cryptographic erasure |
KMS |
KMSKey should not have Status eq "PendingDeletion" |
| Lambda function policies should prohibit public access | This control checks whether the Lambda function resource-based policy prohibits public access outside of your account |
Lambda |
Lambda should not have ResourceBasedIAMPolicy . Statements with [ Effect eq "Allow" and Principal with [ value eq "*"] ] |
| Lambda function s3 invoked policies should prohibit public access | This control checks whether the Lambda function resource-based s3 invoked policy prohibits public access outside of your account. The control also fails if a Lambda function is invoked from Amazon S3 and the policy does not include a condition for AWS:SourceAccount |
Lambda |
Lambda where ResourceBasedIAMPolicy . Statements with [ Action with [ value eq "lambda:InvokeFunction" ] and Principal with [ value eq "s3.amazonaws.com" ]] should have ResourceBasedIAMPolicy . Statements with [ Action with [ value eq "lambda:InvokeFunction" ] and Principal with [ value eq "s3.amazonaws.com" ] and Conditions with [ Name eq "AWS:SourceAccount" and Value len() gt 0 ]] |
| Lambda functions should use supported runtimes | This control checks that the Lambda function settings for runtimes match the expected values set for the supported runtimes for each language |
Lambda |
Lambda where PackageType neq "Image" should have Runtime in ("nodejs14.x", "nodejs12.x", "python3.9", "python3.8", "python3.7", "python3.6", "ruby2.7", "java11", "java8", "java8.al2", "go1.x", "dotnetcore3.1") |
| Access permissions and authorizations: Ensure RDS Instances do not have Publicly Accessible Snapshots | RDS Instances should not have publicly accessible snapshots. |
RDS |
RDSInstance should not have Snapshots with [ PubliclyAccessible ] |
| Communications and control network protection: Ensure RDS instances are not in public subnets | Ensure RDS instances are not in public subnets. |
RDS |
RDSInstance should not have Access eq "Public" |
| Data-at-rest is protected: Ensure RDS encryption is enabled | Ensure RDS encryption is enabled. |
RDS |
RDSInstance should have StorageEncrypted eq true |
| Data-at-rest is protected: Ensure RDS instance snapshots are encrypted | Ensure RDS instance snapshots are encrypted. |
RDS |
RDSInstance should have every Snapshots with [ Encrypted eq true ] |
| Implement an incident response plan : Lack of Multi-AZ Deployment for RDS Instances | Create the incident response plan to be implemented in the event of system breach. Ensure the plan addresses the following, at a minimum: Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum. ; Specific incident response procedures. ; Business recovery and continuity procedures. ; Data backup processes. ; Analysis of legal requirements for reporting compromises. ; Coverage and responses of all critical system components. ; Reference or inclusion of incident response procedures from the payment brands |
RDS |
RDSInstance should have MultiAZ eq true |
| Ensure RDS database instances have detailed monitoring enabled | Ensure RDS database instances have detailed monitoring enabled. |
RDS |
RDSInstance should not have MonitoringInterval eq 0 |
| RDS clusters should have deletion protection enabled | This control checks whether RDS clusters have deletion protection enabled. |
RDSCluster |
RDSCluster should have DeletionProtection |
| RDS DB instances should have deletion protection enabled | This control checks whether your RDS DB instances that use one of the listed database engines have deletion protection enabled |
RDS |
RDSInstance should have DeletionProtection |
| Database logging should be enabled | This control checks whether the logs of Amazon RDS are enabled and sent to CloudWatch Logs |
RDS |
RDSInstance should have EnabledCloudwatchLogsExports len () gt 0 |
| IAM authentication should be configured for RDS instances | This control checks whether an RDS DB instance has IAM database authentication enabled |
RDS |
RDSInstance should have IAMDatabaseAuthenticationEnabled |
| IAM authentication should be configured for RDS clusters | This control checks whether an RDS DB cluster has IAM database authentication enabled. |
RDSCluster |
RDSCluster should have IAMDatabaseAuthenticationEnabled |
| Install critical security patches within one month of release. : Auto Minor Version Upgrade Disabled for RDS Instances | Ensure that all system components and software are protected from known vulnerabilities by installing applicable AWS RDSInstance security patches. Install critical security patches within one month of release. |
RDS |
RDSInstance should have AutoMinorVersionUpgrade eq true |
| Amazon Aurora clusters should have backtracking enabled | This control checks whether Amazon Aurora clusters have backtracking enabled |
RDS |
RDSCluster where Engine eq "aurora-mysql" should have BacktrackWindow gt 0 |
| RDS DB clusters should be configured for multiple Availability Zones | This control checks whether high availability is enabled for your RDS DB clusters. |
RDSCluster |
RDSCluster should have MultiAZ eq true and AvailabilityZones len ( ) gt 0 |
| RDS DB clusters should be configured to copy tags to snapshots | This control checks whether RDS DB clusters are configured to copy all tags to snapshots when the snapshots are created |
RDS |
RDSCluster should have CopyTagsToSnapshot |
| RDS DB instances should be configured to copy tags to snapshots | This control checks whether RDS DB instances are configured to copy all tags to snapshots when the snapshots are created |
RDS |
RDSInstance should have CopyTagsToSnapshot |
| An RDS event notifications subscription should be configured for critical cluster events | This control checks whether an Amazon RDS event subscription exists that has notifications enabled for the DBCluster source type with maintenance,failure event category |
RDS |
AWS should have atleast one RDSEventSubscriptions with [ SourceType eq "db-cluster" and (EventCategoriesList has ("maintenance") and EventCategoriesList has ("failure")) and Enabled and SnsTopic . Subscriptions len () gt 0 ] |
| An RDS event notifications subscription should be configured for critical database instance events | This control checks whether an Amazon RDS event subscription exists with notifications enabled for the DBInstance source type with maintenance,configuration change,failure event category |
RDS |
AWS should have atleast one RDSEventSubscriptions with [ SourceType eq "db-instance" and (EventCategoriesList has ("maintenance") and EventCategoriesList has ("failure") and EventCategoriesList has("configuration change")) and Enabled and SnsTopic . Subscriptions len () gt 0 ] |
| An RDS event notifications subscription should be configured for critical database parameter group events | This control checks whether an Amazon RDS event subscription exists with notifications enabled for the DBParameterGroup source type with configuration change event category |
RDS |
AWS should have atleast one RDSEventSubscriptions with [ SourceType eq "db-parameter-group" and EventCategoriesList has("configuration change") and Enabled and SnsTopic . Subscriptions len () gt 0 ] |
| An RDS event notifications subscription should be configured for critical database security group events | This control checks whether an Amazon RDS event subscription exists with notifications enabled for the DBSecurityGroup source type with configuration change failure event category |
RDS |
AWS should have atleast one RDSEventSubscriptions with [ SourceType eq "db-security-group" and (EventCategoriesList has ("failure") and EventCategoriesList has("configuration change")) and Enabled and SnsTopic . Subscriptions len () gt 0 ] |
| RDS clusters should not use a database engine default port | This control checks whether the RDS cluster uses a port other than the default port of the database engine |
RDS |
RDSCluster should not have Port eq 3306 |
| Access permissions and authorizations: Ensure Redshift Clusters are not Publicly accessible | Redshift Clusters should not be accessible to the public. |
Redshift |
RedShiftCluster should not have Access eq "Public" |
| Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission: Redshift Cluster has require_ssl disabled | Sensitive information must be encrypted during transmission over public networks, because it is easy and common for a malicious individual to intercept and/or divert data while in transit. |
RedShift |
RedShiftCluster should have ClusterParameterGroups with [ ClusterParameterGroup with [ ParameterName eq "require_ssl" and ParameterValue eq "true" ] ] |
| Ensure automated snapshots are enabled for Redshift clusters | Ensure automated snapshots are enabled for Redshift clusters. |
RedShift |
RedShiftCluster should have AutomatedSnapshotRetentionPeriod gt 0 |
| Implement automated audit trails for all system components : Redshift Parameter Groups Disable Logging | Implement automated audit trails for all system components to reconstruct the following events : All individual user accesses to cardholder data ; All actions taken by any individual with root or administrative privileges ; Access to all audit trails ; Invalid logical access attempts ; Use of and changes to identification and authentication mechanisms ; Initialization, stopping, or pausing of the audit logs ; Creation and deletion of system-level objects. |
RedShift |
RedShiftCluster should have LoggingEnabled eq true |
| Vulnerability management plan: Ensure Allow Version Upgrade is set to yes for Redshift Cluster | Redshift Clusters should have Version Upgrade set to avoid missing important security updates. |
Redshift |
RedShiftCluster should have AllowVersionUpgrade |
| Amazon Redshift clusters should use enhanced VPC routing | This control checks whether an Amazon Redshift cluster has EnhancedVpcRouting enabled |
RedShift |
RedShiftCluster should have EnhancedVpcRouting |
| Ensure that S3 Buckets are configured with 'Block public access (bucket settings)' | Amazon S3 provides Block public access (bucket settings) and Block public access (account settings) to help you manage public access to Amazon S3 resources. By default, S3 buckets and objects are created with public access disabled. However, an IAM principle with sufficient S3 permissions can enable public access at the bucket and/or object level. While enabled, Block public access (bucket settings) prevents an individual bucket, and its contained objects, from becoming publicly accessible. Similarly, Block public access (account settings) prevents all buckets, and contained objects, from becoming publicly accessible across the entire account. |
Storage |
S3Bucket should have BlockPublicAccess . BlockPublicAcls and BlockPublicAccess . IgnorePublicAcls and BlockPublicAccess . BlockPublicPolicy and BlockPublicAccess . RestrictPublicBuckets |
| Ensure all S3 buckets employ encryption-at-rest | Amazon S3 provides a variety of no, or low, cost encryption options to protect data at rest |
S3 |
S3Bucket should not have DefaultEncryption eq "Disabled" |
| Ensure S3 Bucket Policy is set to deny HTTP requests | At the Amazon S3 bucket level, you can configure permissions through a bucket policy making the objects accessible only through HTTPS |
S3 |
S3Bucket should have BucketPolicy with [Statement with [Effect eq "Deny" and Conditions with [Name eq "aws:SecureTransport" and Value has ("false") ]]] |
| Ensure S3 Bucket is not publicly accessible. | Ensure S3 Bucket is not publicly accessible |
S3 |
S3Bucket should not have Access eq "Public" |
| SNS topics should be encrypted at rest using AWS KMS | This control checks whether an SNS topic is encrypted at rest using AWS KMS |
SNS |
SNSTopic should have KmsMasterKeyId len () gt 0 |
| Amazon SQS queues should be encrypted at rest | This control checks whether Amazon SQS queues are encrypted at rest |
SQS |
SQSQueue should have ( KmsMasterKeyId len ( ) gt 0 or SqsManagedSseEnabled ) |
| SageMaker notebook instances should not have direct internet access | This control checks whether direct internet access is disabled for an SageMaker notebook instance |
Compute |
SageMakerNotebookInstance should have DirectInternetAccess eq "Disabled" |
| Secrets Manager secrets should have automatic rotation enabled | This control checks whether a secret stored in AWS Secrets Manager is configured with automatic rotation |
Security |
Secret should have RotationEnabled |
| Secrets Manager secrets configured with automatic rotation should rotate successfully | This control checks whether an AWS Secrets Manager secret rotated successfully based on the rotation schedule. The control does not evaluate secrets that do not have rotation configured |
Security |
Secret where RotationEnabled should have RotationOccurringAsScheduled |
| Remove unused Secrets Manager secrets | This control checks whether your secrets have been accessed within a specified number of days. If a secret was not accessed within 90 days, this control fails |
Security |
Secret should have LastAccessedDate isLaterThan(-90, "days") |
| Secrets Manager secrets should be rotated within a specified number of days | This control checks whether your secrets have been rotated at least once within 90 days. Rotating secrets can help you to reduce the risk of an unauthorized use of your secrets in your AWS account. Examples include database credentials, passwords, third-party API keys, and even arbitrary text. If you do not change your secrets for a long period of time, the secrets are more likely to be compromised |
Security |
Secret should have LastRotatedDate isLaterThan(-90, "days") |
| EC2 instances should be managed by AWS Systems Manager | This control checks whether the stopped and running EC2 instances in the account are managed by AWS Systems Manager. Systems Manager is an AWS service that can be used to view and control the AWS infrastructure. |
EC2 |
EC2Instance should have SSMInformation len () gt 0 |
| All EC2 instances managed by Systems Manager should be compliant with patching requirements | This control checks whether the compliance status of the Amazon EC2 Systems Manager patch compliance is COMPLIANT or NON_COMPLIANT after the patch installation on the instance. It only checks instances that are managed by Systems Manager Patch Manager. |
EC2 |
EC2Instance where SSMInformation len() gt 0 and ComplianceSummaryItems with [ ComplianceType eq "Patch" ] should have ComplianceSummaryItems with [ ComplianceType eq "Patch" and NonCompliantSummary . NonCompliantCount eq 0 ] |
| Instances managed by Systems Manager should have an association compliance status of COMPLIANT | This control checks whether the status of the AWS Systems Manager association compliance is COMPLIANT or NON_COMPLIANT after the association is run on an instance. The control passes if the association compliance status is COMPLIANT. |
EC2 |
EC2Instance where SSMInformation len() gt 0 and ComplianceSummaryItems with [ ComplianceType eq "Association" ] should have ComplianceSummaryItems with [ ComplianceType eq "Association" and NonCompliantSummary . NonCompliantCount eq 0 ] |
| AWS WAF Classic global web ACL logging should be enabled | This control checks if logging is enabled on AWS Web Application Firewall (WAF) classic global web ACLs. This rule is NON_COMPLIANT for a global web ACL, if it does not have logging enabled. |
Security |
WebACL should have LoggingConfiguration . LogDestinationConfigs len( ) gt 0 |
| Name | Description | Service | Rule |
|---|---|---|---|
| Authentication: Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password | Multi-Factor Authentication (MFA) adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. It is recommended that MFA be enabled for all accounts that have a console password. |
IAM |
IAMUser where ( RootUser eq false and Password . Enabled eq true ) should have MFAActive eq true |
| Identities and credentials: Ensure passwords unused for 90 days or greater are disabled | AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all passwords that have been unused in 90 or greater days be disabled. |
IAM |
IAMUser where RootUser eq False should not have ( Password . Enabled and Password . LastUsedTime isEarlierThan ( -90, "days" ) ) |
| Remote access: Ensure access keys unused for 90 days or greater are disabled | AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all access keys that have been unused in 90 or greater days be disabled. |
IAM |
IAMUser where RootUser eq False should not have AccessKey with [ Active and LastUsedTime isEarlierThan ( -90, "days" ) ] |
| Remote access: Ensure access keys are rotated every 90 days or less. | Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. It is recommended that all access keys be regularly rotated. |
IAM |
IAMUser should not have AccessKey with [ Active and LastRotatedTime isEarlierThan ( -90 , "days" ) ] |
| Identities and credentials: Ensure IAM password policy requires at least one uppercase letter. | Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one uppercase letter. |
IAM |
IAMPasswordPolicy should have Configured and RequireUppercaseCharacters |
| Identities and credentials: Ensure IAM password policy require at least one lowercase letter. | Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one lowercase letter. |
IAM |
IAMPasswordPolicy should have Configured and RequireLowercaseCharacters |
| Identities and credentials: Ensure IAM password policy require at least one symbol. | Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one symbol. |
IAM |
IAMPasswordPolicy should have Configured and RequireSymbols |
| Identities and credentials: Ensure IAM password policy require at least one number. | Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one number. |
IAM |
IAMPasswordPolicy should have Configured and RequireNumbers |
| Identities and credentials: Ensure IAM password policy requires minimum length of 14 or greater. | Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are at least a given length. It is recommended that the password policy require a minimum password length 14. |
IAM |
IAMPasswordPolicy should have Configured and MinimumPasswordLength >= 14 |
| Identities and credentials: Ensure IAM password policy prevents password reuse | IAM password policies can prevent the reuse of a given password by the same user. It is recommended that the password policy prevent the reuse of passwords. |
IAM |
IAMPasswordPolicy should have Configured and PasswordReusePrevention >= 24 |
| Identities and credentials: Ensure IAM password policy expires passwords within 90 days or less. | IAM password policies can require passwords to be rotated or expired after a given number of days. It is recommended that the password policy expire passwords after 90 days or less. |
IAM |
IAMPasswordPolicy should have Configured and ExpirePasswords and MaxPasswordAge <= 90 |
| Remote access: Ensure no root account access key exists. | The root account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. It is recommended that all access keys associated with the root account be removed. |
IAM |
IAMUser where RootUser eq True should not have AccessKey with [ Active eq True ] |
| Authentication: Ensure MFA is enabled for the "root" account. | The root account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a username and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. |
IAM |
IAMUser where RootUser eq True should have MFAActive eq true |
| Authentication: Ensure hardware MFA is enabled for the "root" account. | The root account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. For Level 2, it is recommended that the root account be protected with a hardware MFA. |
IAM |
IAMUser where RootUser eq True should have MFAActive eq true and MFADevices . Physical len ( ) gt 0 |
| Access permissions and authorizations: Ensure IAM policies are attached only to groups or roles. | By default, IAM users, groups, and roles have no access to AWS resources. IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended that IAM policies be applied directly to groups and roles but not users. |
IAM |
IAMUser should have ( Policies . Managed len ( ) eq 0 and Policies . Inline len ( ) eq 0 ) |
| Remote access: Do not setup access keys during initial user setup for all IAM users that have a console password | AWS console defaults the checkbox for creating access keys to enabled. This results in many access keys being generated unnecessarily. In addition to unnecessary credentials, it also generates unnecessary management work in auditing and rotating these keys. |
IAM |
IAMUser where Password . Enabled eq true should not have AccessKey with [ Active and CreatedByDefault ] |
| Access permissions and authorizations: Ensure IAM policies that allow full "*:*" administrative privileges are not created. | IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended and considered a standard security advice to grant least privilege — that is, granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform only those tasks, instead of allowing full administrative privileges. |
IAM |
IAMPolicy should not have Permissions . Statements with [ Action with [ value eq "*" ] and Resource with [ value eq "*" ] and Effect eq "Allow" ] and ( AttachedEntities . Groups len ( ) gt 0 or AttachedEntities . Roles len ( ) gt 0 or AttachedEntities . Users len ( ) gt 0 ) |
| Audit/log records: Ensure CloudTrail is enabled. | AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an account, including API calls made via the Management Console, SDKs, command line tools, and higher-level AWS services (such as CloudFormation) |
CloudTrail |
AWS should have atleast one CloudTrails with [ MultiRegionTrailEnabled and LoggingEnabled eq True ] |
| Secure audit trails so they cannot be altered : CloudTrail Log Files Lack Integrity Validation | Use file-integrity monitoring or change-detection on CloudTrail logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert). |
CloudTrail |
CloudTrail should have LogFileValidationEnabled |
| Audit/log records: Ensure the S3 bucket CloudTrail logs to is not publicly accessible | CloudTrail logs a record of every API call made in your AWS account. These logs file are stored in an S3 bucket. It is recommended that the bucket policy or access control list (ACL) applied to the S3 bucket that CloudTrail logs to prevents public access to the CloudTrail logs |
S3 CloudTrail |
CloudTrail should not have S3Bucket . ACL with [ ( Permission eq "WRITE" or Permission eq "WRITE_ACP" or Permission eq "READ" or Permission eq "READ_ACP" or Permission eq "FULL_CONTROL" ) and Grantee. URI eq "http://acs.amazonaws.com/groups/global/AllUsers" ] or S3Bucket . BucketPolicy with [ Statement with [ Effect eq "Allow" and Principal with [ value eq "*" ] and Conditions len ( ) eq 0 ] ] |
| Audit/log records: Ensure CloudTrail trails are integrated with CloudWatch Logs | AWS CloudTrail is a web service that records AWS API calls made in a given AWS account.The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail uses Amazon S3 for log file storage and delivery, so log files are stored durably. In addition to capturing CloudTrail logs within a specified S3 bucket for long term analysis, realtime analysis can be performed by configuring CloudTrail to send logs to CloudWatch Logs. For a trail that is enabled in all regions in an account, CloudTrail sends log files from all those regions to a CloudWatch Logs log group. It is recommended that CloudTrail logs be sent to CloudWatch Logs. |
CloudTrail |
CloudTrail should have LogGroup . CreationDate gt 0 |
| Audit/log records: Ensure AWS Config is enabled in all regions | AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), any configuration changes between resources. The AWS configuration item history captured by AWS Config enables security analysis, resource change tracking, and compliance auditing. It is recommended to enable AWS Config be enabled in all regions. |
CloudTrail Config |
AWS should have ( ConfigRecorders with [ Status and RecordingGroup . AllSupported ] ) and ConfigDeliveryChannels with [ StreamDelivery . LastSuccess and HistoryDelivery . LastSuccess ] |
| Implement automated audit trails for all system components : CloudTrail - Lack of API Access Logging | Implement automated audit trails for all system components to reconstruct the following events : All individual user accesses to cardholder data ; All actions taken by any individual with root or administrative privileges ; Access to all audit trails ; Invalid logical access attempts ; Use of and changes to identification and authentication mechanisms ; Initialization, stopping, or pausing of the audit logs ; Creation and deletion of system-level objects. |
S3 CloudTrail |
CloudTrail should have S3Bucket . LoggingEnabled |
| Audit/log records: Ensure CloudTrail logs are encrypted at rest using KMS CMKs | AWS CloudTrail is a web service that records AWS API calls for an account and makes those logs available to users and resources in accordance with IAM policies. AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data, and uses Hardware Security Modules (HSMs) to protect the security of encryption keys. CloudTrail logs can be configured to leverage server side encryption (SSE) and KMS customer created master keys (CMK) to further protect CloudTrail logs. It is recommended that CloudTrail be configured to use SSE-KMS |
CloudTrail |
CloudTrail should have KMSKey . Enabled |
| Data-at-rest is protected: Ensure rotation for customer created CMKs is enabled | AWS Key Management Service (KMS) allows customers to rotate the backing key which is key material stored within the KMS which is tied to the key ID of the Customer Created customer master key (CMK). It is the backing key that is used to perform cryptographic operations such as encryption and decryption. Automated key rotation currently retains all prior backing keys so that decryption of encrypted data can take place transparently. It is recommended that CMK key rotation be enabled |
KMS |
KMSKey where Description notlike "Default master key that protects my.*" should have RotationEnabled |
| Baseline network operations and data flows: Ensure VPC flow logging is enabled in all VPCs | VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. It is recommended that VPC Flow Logs be enabled for packet 'Rejects' for VPCs. |
EC2 |
VPC should have atleast one FlowLogs with [ Status eq "ACTIVE" ] |
| Communications and control network protection: Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 | Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to port 22. |
EC2 |
SecurityGroup should not have InboundRules with [ IPRanges with [ IP eq 0.0.0.0/0 ] and ( FromPort lte 22 and ToPort gte 22 ) and Protocol in ("-1", "tcp") ] |
| Communications and control network protection: Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 | Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to port 3389. |
EC2 |
SecurityGroup should not have InboundRules with [ IPRanges with [ IP eq 0.0.0.0/0 ] and ( FromPort lte 3389 and ToPort gte 3389 ) and Protocol in ("-1", "udp", "tcp") ] |
| Ensure the default security group of every VPC restricts all traffic | A VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that the default security group restrict all traffic. The default VPC in every region should have it's default security group updated to comply. Any newly created VPCs will automatically contain a default security group that will need remediation to comply with this recommendation. |
EC2 |
SecurityGroup where Name eq "default" should have InboundRules len ( ) eq 0 and OutboundRules len ( ) eq 0 |
| Name | Description | Service | Rule |
|---|---|---|---|
| Identities and credentials: Avoid the use of the "root" account: check for recent logins. | The 'root' account has unrestricted access to all resources in the AWS account. It is highly recommended that the use of this account be avoided. |
IAM |
IAMUser where RootUser eq True should not have Password . LastUsedTime isLaterThan ( -1, "days" ) |
| Authentication: Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password | Multi-Factor Authentication (MFA) adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. It is recommended that MFA be enabled for all accounts that have a console password. |
IAM |
IAMUser where ( RootUser eq false and Password . Enabled eq true ) should have MFAActive eq true |
| Identities and credentials: Ensure passwords unused for 90 days or greater are disabled | AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all passwords that have been unused in 90 or greater days be disabled. |
IAM |
IAMUser where RootUser eq False should not have ( Password . Enabled and Password . LastUsedTime isEarlierThan ( -90, "days" ) ) |
| Remote access: Ensure access keys unused for 90 days or greater are disabled | AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all access keys that have been unused in 90 or greater days be disabled. |
IAM |
IAMUser where RootUser eq False should not have AccessKey with [ Active and LastUsedTime isEarlierThan ( -90, "days" ) ] |
| Remote access: Ensure access keys are rotated every 90 days or less. | Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. It is recommended that all access keys be regularly rotated. |
IAM |
IAMUser should not have AccessKey with [ Active and LastRotatedTime isEarlierThan ( -90 , "days" ) ] |
| Identities and credentials: Ensure IAM password policy requires at least one uppercase letter. | Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one uppercase letter. |
IAM |
IAMPasswordPolicy should have Configured and RequireUppercaseCharacters |
| Identities and credentials: Ensure IAM password policy require at least one lowercase letter. | Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one lowercase letter. |
IAM |
IAMPasswordPolicy should have Configured and RequireLowercaseCharacters |
| Identities and credentials: Ensure IAM password policy require at least one symbol. | Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one symbol. |
IAM |
IAMPasswordPolicy should have Configured and RequireSymbols |
| Identities and credentials: Ensure IAM password policy require at least one number. | Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one number. |
IAM |
IAMPasswordPolicy should have Configured and RequireNumbers |
| Identities and credentials: Ensure IAM password policy requires minimum length of 14 or greater. | Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are at least a given length. It is recommended that the password policy require a minimum password length 14. |
IAM |
IAMPasswordPolicy should have Configured and MinimumPasswordLength >= 14 |
| Identities and credentials: Ensure IAM password policy prevents password reuse | IAM password policies can prevent the reuse of a given password by the same user. It is recommended that the password policy prevent the reuse of passwords. |
IAM |
IAMPasswordPolicy should have Configured and PasswordReusePrevention >= 24 |
| Identities and credentials: Ensure IAM password policy expires passwords within 90 days or less. | IAM password policies can require passwords to be rotated or expired after a given number of days. It is recommended that the password policy expire passwords after 90 days or less. |
IAM |
IAMPasswordPolicy should have Configured and ExpirePasswords and MaxPasswordAge <= 90 |
| Remote access: Ensure no root account access key exists. | The root account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. It is recommended that all access keys associated with the root account be removed. |
IAM |
IAMUser where RootUser eq True should not have AccessKey with [ Active eq True ] |
| Authentication: Ensure MFA is enabled for the "root" account. | The root account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a username and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. |
IAM |
IAMUser where RootUser eq True should have MFAActive eq true |
| Authentication: Ensure hardware MFA is enabled for the "root" account. | The root account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. For Level 2, it is recommended that the root account be protected with a hardware MFA. |
IAM |
IAMUser where RootUser eq True should have MFAActive eq true and MFADevices . Physical len ( ) gt 0 |
| Access permissions and authorizations: Ensure IAM policies are attached only to groups or roles. | By default, IAM users, groups, and roles have no access to AWS resources. IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended that IAM policies be applied directly to groups and roles but not users. |
IAM |
IAMUser should have ( Policies . Managed len ( ) eq 0 and Policies . Inline len ( ) eq 0 ) |
| Remote access: Do not setup access keys during initial user setup for all IAM users that have a console password | AWS console defaults the checkbox for creating access keys to enabled. This results in many access keys being generated unnecessarily. In addition to unnecessary credentials, it also generates unnecessary management work in auditing and rotating these keys. |
IAM |
IAMUser where Password . Enabled eq true should not have AccessKey with [ Active and CreatedByDefault ] |
| Access permissions and authorizations: Ensure IAM policies that allow full "*:*" administrative privileges are not created. | IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended and considered a standard security advice to grant least privilege — that is, granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform only those tasks, instead of allowing full administrative privileges. |
IAM |
IAMPolicy should not have Permissions . Statements with [ Action with [ value eq "*" ] and Resource with [ value eq "*" ] and Effect eq "Allow" ] and ( AttachedEntities . Groups len ( ) gt 0 or AttachedEntities . Roles len ( ) gt 0 or AttachedEntities . Users len ( ) gt 0 ) |
| Audit/log records: Ensure CloudTrail is enabled. | AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an account, including API calls made via the Management Console, SDKs, command line tools, and higher-level AWS services (such as CloudFormation) |
CloudTrail |
AWS should have atleast one CloudTrails with [ MultiRegionTrailEnabled and LoggingEnabled eq True ] |
| Secure audit trails so they cannot be altered : CloudTrail Log Files Lack Integrity Validation | Use file-integrity monitoring or change-detection on CloudTrail logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert). |
CloudTrail |
CloudTrail should have LogFileValidationEnabled |
| Audit/log records: Ensure the S3 bucket CloudTrail logs to is not publicly accessible | CloudTrail logs a record of every API call made in your AWS account. These logs file are stored in an S3 bucket. It is recommended that the bucket policy or access control list (ACL) applied to the S3 bucket that CloudTrail logs to prevents public access to the CloudTrail logs |
S3 CloudTrail |
CloudTrail should not have S3Bucket . ACL with [ ( Permission eq "WRITE" or Permission eq "WRITE_ACP" or Permission eq "READ" or Permission eq "READ_ACP" or Permission eq "FULL_CONTROL" ) and Grantee. URI eq "http://acs.amazonaws.com/groups/global/AllUsers" ] or S3Bucket . BucketPolicy with [ Statement with [ Effect eq "Allow" and Principal with [ value eq "*" ] and Conditions len ( ) eq 0 ] ] |
| Audit/log records: Ensure CloudTrail trails are integrated with CloudWatch Logs | AWS CloudTrail is a web service that records AWS API calls made in a given AWS account.The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail uses Amazon S3 for log file storage and delivery, so log files are stored durably. In addition to capturing CloudTrail logs within a specified S3 bucket for long term analysis, realtime analysis can be performed by configuring CloudTrail to send logs to CloudWatch Logs. For a trail that is enabled in all regions in an account, CloudTrail sends log files from all those regions to a CloudWatch Logs log group. It is recommended that CloudTrail logs be sent to CloudWatch Logs. |
CloudTrail |
CloudTrail should have LogGroup . CreationDate gt 0 |
| Audit/log records: Ensure AWS Config is enabled in all regions | AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), any configuration changes between resources. The AWS configuration item history captured by AWS Config enables security analysis, resource change tracking, and compliance auditing. It is recommended to enable AWS Config be enabled in all regions. |
CloudTrail Config |
AWS should have ( ConfigRecorders with [ Status and RecordingGroup . AllSupported ] ) and ConfigDeliveryChannels with [ StreamDelivery . LastSuccess and HistoryDelivery . LastSuccess ] |
| Implement automated audit trails for all system components : CloudTrail - Lack of API Access Logging | Implement automated audit trails for all system components to reconstruct the following events : All individual user accesses to cardholder data ; All actions taken by any individual with root or administrative privileges ; Access to all audit trails ; Invalid logical access attempts ; Use of and changes to identification and authentication mechanisms ; Initialization, stopping, or pausing of the audit logs ; Creation and deletion of system-level objects. |
S3 CloudTrail |
CloudTrail should have S3Bucket . LoggingEnabled |
| Audit/log records: Ensure CloudTrail logs are encrypted at rest using KMS CMKs | AWS CloudTrail is a web service that records AWS API calls for an account and makes those logs available to users and resources in accordance with IAM policies. AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data, and uses Hardware Security Modules (HSMs) to protect the security of encryption keys. CloudTrail logs can be configured to leverage server side encryption (SSE) and KMS customer created master keys (CMK) to further protect CloudTrail logs. It is recommended that CloudTrail be configured to use SSE-KMS |
CloudTrail |
CloudTrail should have KMSKey . Enabled |
| Data-at-rest is protected: Ensure rotation for customer created CMKs is enabled | AWS Key Management Service (KMS) allows customers to rotate the backing key which is key material stored within the KMS which is tied to the key ID of the Customer Created customer master key (CMK). It is the backing key that is used to perform cryptographic operations such as encryption and decryption. Automated key rotation currently retains all prior backing keys so that decryption of encrypted data can take place transparently. It is recommended that CMK key rotation be enabled |
KMS |
KMSKey where Description notlike "Default master key that protects my.*" should have RotationEnabled |
| Baseline network operations and data flows: Ensure VPC flow logging is enabled in all VPCs | VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. It is recommended that VPC Flow Logs be enabled for packet 'Rejects' for VPCs. |
EC2 |
VPC should have atleast one FlowLogs with [ Status eq "ACTIVE" ] |
| Personnel know response roles/operations: Ensure a support role has been created to manage incidents with AWS Support | AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. Create an IAM Role to allow authorized users to manage incidents with AWS Support. |
IAM |
AWS should have atleast one IAMPolicies with [ id eq "arn:aws:iam::aws:policy/AWSSupportAccess" and AttachedEntities . Roles len ( ) gt 0 ] |
| Name | Description | Service | Rule |
|---|---|---|---|
| Identities and credentials: Avoid the use of the "root" account: check for recent logins. | The 'root' account has unrestricted access to all resources in the AWS account. It is highly recommended that the use of this account be avoided. |
IAM |
IAMUser where RootUser eq True should not have Password . LastUsedTime isLaterThan ( -1, "days" ) |
| Authentication: Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password | Multi-Factor Authentication (MFA) adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. It is recommended that MFA be enabled for all accounts that have a console password. |
IAM |
IAMUser where ( RootUser eq false and Password . Enabled eq true ) should have MFAActive eq true |
| Identities and credentials: Ensure passwords unused for 90 days or greater are disabled | AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all passwords that have been unused in 90 or greater days be disabled. |
IAM |
IAMUser where RootUser eq False should not have ( Password . Enabled and Password . LastUsedTime isEarlierThan ( -90, "days" ) ) |
| Remote access: Ensure access keys unused for 90 days or greater are disabled | AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all access keys that have been unused in 90 or greater days be disabled. |
IAM |
IAMUser where RootUser eq False should not have AccessKey with [ Active and LastUsedTime isEarlierThan ( -90, "days" ) ] |
| Remote access: Ensure access keys are rotated every 90 days or less. | Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. It is recommended that all access keys be regularly rotated. |
IAM |
IAMUser should not have AccessKey with [ Active and LastRotatedTime isEarlierThan ( -90 , "days" ) ] |
| Identities and credentials: Ensure IAM password policy requires at least one uppercase letter. | Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one uppercase letter. |
IAM |
IAMPasswordPolicy should have Configured and RequireUppercaseCharacters |
| Identities and credentials: Ensure IAM password policy require at least one lowercase letter. | Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one lowercase letter. |
IAM |
IAMPasswordPolicy should have Configured and RequireLowercaseCharacters |
| Identities and credentials: Ensure IAM password policy require at least one symbol. | Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one symbol. |
IAM |
IAMPasswordPolicy should have Configured and RequireSymbols |
| Identities and credentials: Ensure IAM password policy require at least one number. | Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one number. |
IAM |
IAMPasswordPolicy should have Configured and RequireNumbers |
| Identities and credentials: Ensure IAM password policy requires minimum length of 14 or greater. | Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are at least a given length. It is recommended that the password policy require a minimum password length 14. |
IAM |
IAMPasswordPolicy should have Configured and MinimumPasswordLength >= 14 |
| Identities and credentials: Ensure IAM password policy prevents password reuse | IAM password policies can prevent the reuse of a given password by the same user. It is recommended that the password policy prevent the reuse of passwords. |
IAM |
IAMPasswordPolicy should have Configured and PasswordReusePrevention >= 24 |
| Identities and credentials: Ensure IAM password policy expires passwords within 90 days or less. | IAM password policies can require passwords to be rotated or expired after a given number of days. It is recommended that the password policy expire passwords after 90 days or less. |
IAM |
IAMPasswordPolicy should have Configured and ExpirePasswords and MaxPasswordAge <= 90 |
| Remote access: Ensure no root account access key exists. | The root account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. It is recommended that all access keys associated with the root account be removed. |
IAM |
IAMUser where RootUser eq True should not have AccessKey with [ Active eq True ] |
| Authentication: Ensure MFA is enabled for the "root" account. | The root account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a username and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. |
IAM |
IAMUser where RootUser eq True should have MFAActive eq true |
| Authentication: Ensure hardware MFA is enabled for the "root" account. | The root account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. For Level 2, it is recommended that the root account be protected with a hardware MFA. |
IAM |
IAMUser where RootUser eq True should have MFAActive eq true and MFADevices . Physical len ( ) gt 0 |
| Access permissions and authorizations: Ensure IAM policies are attached only to groups or roles. | By default, IAM users, groups, and roles have no access to AWS resources. IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended that IAM policies be applied directly to groups and roles but not users. |
IAM |
IAMUser should have ( Policies . Managed len ( ) eq 0 and Policies . Inline len ( ) eq 0 ) |
| Remote access: Do not setup access keys during initial user setup for all IAM users that have a console password | AWS console defaults the checkbox for creating access keys to enabled. This results in many access keys being generated unnecessarily. In addition to unnecessary credentials, it also generates unnecessary management work in auditing and rotating these keys. |
IAM |
IAMUser where Password . Enabled eq true should not have AccessKey with [ Active and CreatedByDefault ] |
| Access permissions and authorizations: Ensure IAM policies that allow full "*:*" administrative privileges are not created. | IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended and considered a standard security advice to grant least privilege — that is, granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform only those tasks, instead of allowing full administrative privileges. |
IAM |
IAMPolicy should not have Permissions . Statements with [ Action with [ value eq "*" ] and Resource with [ value eq "*" ] and Effect eq "Allow" ] and ( AttachedEntities . Groups len ( ) gt 0 or AttachedEntities . Roles len ( ) gt 0 or AttachedEntities . Users len ( ) gt 0 ) |
| Audit/log records: Ensure CloudTrail is enabled. | AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an account, including API calls made via the Management Console, SDKs, command line tools, and higher-level AWS services (such as CloudFormation) |
CloudTrail |
AWS should have atleast one CloudTrails with [ MultiRegionTrailEnabled and LoggingEnabled eq True ] |
| Secure audit trails so they cannot be altered : CloudTrail Log Files Lack Integrity Validation | Use file-integrity monitoring or change-detection on CloudTrail logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert). |
CloudTrail |
CloudTrail should have LogFileValidationEnabled |
| Audit/log records: Ensure the S3 bucket CloudTrail logs to is not publicly accessible | CloudTrail logs a record of every API call made in your AWS account. These logs file are stored in an S3 bucket. It is recommended that the bucket policy or access control list (ACL) applied to the S3 bucket that CloudTrail logs to prevents public access to the CloudTrail logs |
S3 CloudTrail |
CloudTrail should not have S3Bucket . ACL with [ ( Permission eq "WRITE" or Permission eq "WRITE_ACP" or Permission eq "READ" or Permission eq "READ_ACP" or Permission eq "FULL_CONTROL" ) and Grantee. URI eq "http://acs.amazonaws.com/groups/global/AllUsers" ] or S3Bucket . BucketPolicy with [ Statement with [ Effect eq "Allow" and Principal with [ value eq "*" ] and Conditions len ( ) eq 0 ] ] |
| Audit/log records: Ensure CloudTrail trails are integrated with CloudWatch Logs | AWS CloudTrail is a web service that records AWS API calls made in a given AWS account.The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail uses Amazon S3 for log file storage and delivery, so log files are stored durably. In addition to capturing CloudTrail logs within a specified S3 bucket for long term analysis, realtime analysis can be performed by configuring CloudTrail to send logs to CloudWatch Logs. For a trail that is enabled in all regions in an account, CloudTrail sends log files from all those regions to a CloudWatch Logs log group. It is recommended that CloudTrail logs be sent to CloudWatch Logs. |
CloudTrail |
CloudTrail should have LogGroup . CreationDate gt 0 |
| Audit/log records: Ensure AWS Config is enabled in all regions | AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), any configuration changes between resources. The AWS configuration item history captured by AWS Config enables security analysis, resource change tracking, and compliance auditing. It is recommended to enable AWS Config be enabled in all regions. |
CloudTrail Config |
AWS should have ( ConfigRecorders with [ Status and RecordingGroup . AllSupported ] ) and ConfigDeliveryChannels with [ StreamDelivery . LastSuccess and HistoryDelivery . LastSuccess ] |
| Implement automated audit trails for all system components : CloudTrail - Lack of API Access Logging | Implement automated audit trails for all system components to reconstruct the following events : All individual user accesses to cardholder data ; All actions taken by any individual with root or administrative privileges ; Access to all audit trails ; Invalid logical access attempts ; Use of and changes to identification and authentication mechanisms ; Initialization, stopping, or pausing of the audit logs ; Creation and deletion of system-level objects. |
S3 CloudTrail |
CloudTrail should have S3Bucket . LoggingEnabled |
| Audit/log records: Ensure CloudTrail logs are encrypted at rest using KMS CMKs | AWS CloudTrail is a web service that records AWS API calls for an account and makes those logs available to users and resources in accordance with IAM policies. AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data, and uses Hardware Security Modules (HSMs) to protect the security of encryption keys. CloudTrail logs can be configured to leverage server side encryption (SSE) and KMS customer created master keys (CMK) to further protect CloudTrail logs. It is recommended that CloudTrail be configured to use SSE-KMS |
CloudTrail |
CloudTrail should have KMSKey . Enabled |
| Data-at-rest is protected: Ensure rotation for customer created CMKs is enabled | AWS Key Management Service (KMS) allows customers to rotate the backing key which is key material stored within the KMS which is tied to the key ID of the Customer Created customer master key (CMK). It is the backing key that is used to perform cryptographic operations such as encryption and decryption. Automated key rotation currently retains all prior backing keys so that decryption of encrypted data can take place transparently. It is recommended that CMK key rotation be enabled |
KMS |
KMSKey where Description notlike "Default master key that protects my.*" should have RotationEnabled |
| Baseline network operations and data flows: Ensure VPC flow logging is enabled in all VPCs | VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. It is recommended that VPC Flow Logs be enabled for packet 'Rejects' for VPCs. |
EC2 |
VPC should have atleast one FlowLogs with [ Status eq "ACTIVE" ] |
| Remote access: Ensure a log metric filter and alarm exist for unauthorized API calls | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for unauthorized API calls. |
CloudWatch CloudTrail |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.errorCode\s*=\s*\"\*UnauthorizedOperation\"\)\s*\|\|\s*\(\$\.errorCode\s*=\s*\"AccessDenied\*\"\)\s*\|\|\s*\(\$\.sourceIPAddress\s*!=\s*\"delivery\.logs\.amazonaws\.com\"\)\s*\|\|\s*\(\$\.eventName\s*!=\s*\"HeadBucket\"\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Identities and credentials: Ensure a log metric filter and alarm exist for Management Console sign-in without MFA | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for console logins that are not protected by multi-factor authentication (MFA) |
CloudWatch CloudTrail |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*\"ConsoleLogin\"\)\s*\&\&\s*\(\$\.additionalEventData\.MFAUsed\s*!=\s*\"Yes\"\)\s*\&\&\s*\(\$\.userIdentity\.type\s*=\s*\"IAMUser\"\)\s*\&\&\s*\(\$\.responseElements\.ConsoleLogin\s*=\s*\"Success\"\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Identities and credentials: Ensure a log metric filter and alarm exist for usage of "root" account | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for root login attempts |
CloudTrail CloudWatch |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "{\s*\$\.userIdentity\.type\s*=\s*\"Root\"\s*\&\&\s*\$\.userIdentity\.invokedBy\s*NOT\s*EXISTS\s*\&\&\s*\$\.eventType\s*!=\s*\"AwsServiceEvent\"\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Identities and credentials: Ensure a log metric filter and alarm exist for IAM policy changes | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established changes made to Identity and Access Management (IAM) policies. |
CloudWatch CloudTrail |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*DeleteGroupPolicy\)\|\|\(\$\.eventName\s*=\s*DeleteRolePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteUserPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutGroupPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutRolePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutUserPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreatePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeletePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreatePolicyVersion\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeletePolicyVersion\)\s*\|\|\s*\(\$\.eventName\s*=\s*AttachRolePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DetachRolePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*AttachUserPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DetachUserPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*AttachGroupPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DetachGroupPolicy\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Audit/log records: Ensure a log metric filter and alarm exist for CloudTrail configuration changes | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations. |
CloudWatch CloudTrail |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*CreateTrail\)\s*\|\|\s*\(\$\.eventName\s*=\s*UpdateTrail\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteTrail\)\s*\|\|\s*\(\$\.eventName\s*=\s*StartLogging\)\s*\|\|\s*\(\$\.eventName\s*=\s*StopLogging\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Identities and credentials: Ensure a log metric filter and alarm exist for AWS Management Console authentication failures | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for failed console authentication attempts. |
CloudTrail CloudWatch |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*ConsoleLogin\)\s*\&\&\s*\(\$\.errorMessage\s*=\s*\"Failed\s*authentication\"\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Data-at-rest is protected: Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for customer created CMKs which have changed state to disabled or scheduled deletion. |
CloudWatch CloudTrail |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventSource\s*=\s*kms\.amazonaws\.com\)\s*\&\&\s*\(\(\$\.eventName=DisableKey\)\s*\|\|\s*\(\$\.eventName=ScheduleKeyDeletion\)\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Ensure a log metric filter and alarm exist for S3 bucket policy changes | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for changes to S3 bucket policies. |
CloudTrail CloudWatch |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventSource\s*=\s*s3\.amazonaws\.com\)\s*\&\&\s*\(\(\$\.eventName\s*=\s*PutBucketAcl\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutBucketPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutBucketCors\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutBucketLifecycle\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutBucketReplication\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteBucketPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteBucketCors\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteBucketLifecycle\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteBucketReplication\)\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Audit/log records: Ensure a log metric filter and alarm exist for AWS Config configuration changes | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations. |
CloudWatch CloudTrail |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventSource\s*=\s*config\.amazonaws\.com\)\s*\&\&\s*\(\(\$\.eventName=StopConfigurationRecorder\)\s*\|\|\s*\(\$\.eventName=DeleteDeliveryChannel\)\s*\|\|\(\$\.eventName=PutDeliveryChannel\)\s*\|\|\s*\(\$\.eventName=PutConfigurationRecorder\)\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Network integrity: Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. NACLs are used as a stateless packet filter to control ingress and egress traffic for subnets within a VPC. It is recommended that a metric filter and alarm be established for changes made to NACLs. |
CloudWatch CloudTrail |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*CreateNetworkAcl\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreateNetworkAclEntry\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteNetworkAcl\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteNetworkAclEntry\)\s*\|\|\s*\(\$\.eventName\s*=\s*ReplaceNetworkAclEntry\)\s*\|\|\s*\(\$\.eventName\s*=\s*ReplaceNetworkAclAssociation\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Network integrity: Ensure a log metric filter and alarm exist for changes to network gateways | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Network gateways are required to send/receive traffic to a destination outside of a VPC. It is recommended that a metric filter and alarm be established for changes to network gateways. |
CloudWatch CloudTrail |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*CreateCustomerGateway\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteCustomerGateway\)\s*\|\|\s*\(\$\.eventName\s*=\s*AttachInternetGateway\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreateInternetGateway\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteInternetGateway\)\s*\|\|\s*\(\$\.eventName\s*=\s*DetachInternetGateway\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Network integrity: Ensure a log metric filter and alarm exist for route table changes | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Routing tables are used to route network traffic between subnets and to network gateways. It is recommended that a metric filter and alarm be established for changes to route tables. |
CloudTrail CloudWatch |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*CreateRoute\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreateRouteTable\)\s*\|\|\s*\(\$\.eventName\s*=\s*ReplaceRoute\)\s*\|\|\s*\(\$\.eventName\s*=\s*ReplaceRouteTableAssociation\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteRouteTable\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteRoute\)\s*\|\|\s*\(\$\.eventName\s*=\s*DisassociateRouteTable\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Network integrity: Ensure a log metric filter and alarm exist for VPC changes | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is possible to have more than 1 VPC within an account, in addition it is also possible to create a peer connection between 2 VPCs enabling network traffic to route between VPCs. It is recommended that a metric filter and alarm be established for changes made to VPCs. |
CloudTrail CloudWatch |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*CreateVpc\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteVpc\)\s*\|\|\s*\(\$\.eventName\s*=\s*ModifyVpcAttribute\)\s*\|\|\s*\(\$\.eventName\s*=\s*AcceptVpcPeeringConnection\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreateVpcPeeringConnection\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteVpcPeeringConnection\)\s*\|\|\s*\(\$\.eventName\s*=\s*RejectVpcPeeringConnection\)\s*\|\|\s*\(\$\.eventName\s*=\s*AttachClassicLinkVpc\)\s*\|\|\s*\(\$\.eventName\s*=\s*DetachClassicLinkVpc\)\s*\|\|\s*\(\$\.eventName\s*=\s*DisableVpcClassicLink\)\s*\|\|\s*\(\$\.eventName\s*=\s*EnableVpcClassicLink\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Communications and control network protection: Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 | Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to port 22. |
EC2 |
SecurityGroup should not have InboundRules with [ IPRanges with [ IP eq 0.0.0.0/0 ] and ( FromPort lte 22 and ToPort gte 22 ) and Protocol in ("-1", "tcp") ] |
| Communications and control network protection: Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 | Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to port 3389. |
EC2 |
SecurityGroup should not have InboundRules with [ IPRanges with [ IP eq 0.0.0.0/0 ] and ( FromPort lte 3389 and ToPort gte 3389 ) and Protocol in ("-1", "udp", "tcp") ] |
| Ensure the default security group of every VPC restricts all traffic | A VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that the default security group restrict all traffic. The default VPC in every region should have it's default security group updated to comply. Any newly created VPCs will automatically contain a default security group that will need remediation to comply with this recommendation. |
EC2 |
SecurityGroup where Name eq "default" should have InboundRules len ( ) eq 0 and OutboundRules len ( ) eq 0 |
| Personnel know response roles/operations: Ensure a support role has been created to manage incidents with AWS Support | AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. Create an IAM Role to allow authorized users to manage incidents with AWS Support. |
IAM |
AWS should have atleast one IAMPolicies with [ id eq "arn:aws:iam::aws:policy/AWSSupportAccess" and AttachedEntities . Roles len ( ) gt 0 ] |
| Name | Description | Service | Rule |
|---|---|---|---|
| Identities and credentials: Avoid the use of the "root" account: check for recent logins. | The 'root' account has unrestricted access to all resources in the AWS account. It is highly recommended that the use of this account be avoided. |
IAM |
IAMUser where RootUser eq True should not have Password . LastUsedTime isLaterThan ( -1, "days" ) |
| Identities and credentials: Ensure passwords unused for 90 days or greater are disabled | AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all passwords that have been unused in 90 or greater days be disabled. |
IAM |
IAMUser where RootUser eq False should not have ( Password . Enabled and Password . LastUsedTime isEarlierThan ( -90, "days" ) ) |
| Identities and credentials: Ensure IAM password policy requires at least one uppercase letter. | Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one uppercase letter. |
IAM |
IAMPasswordPolicy should have Configured and RequireUppercaseCharacters |
| Identities and credentials: Ensure IAM password policy require at least one lowercase letter. | Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one lowercase letter. |
IAM |
IAMPasswordPolicy should have Configured and RequireLowercaseCharacters |
| Identities and credentials: Ensure IAM password policy require at least one symbol. | Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one symbol. |
IAM |
IAMPasswordPolicy should have Configured and RequireSymbols |
| Identities and credentials: Ensure IAM password policy require at least one number. | Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one number. |
IAM |
IAMPasswordPolicy should have Configured and RequireNumbers |
| Identities and credentials: Ensure IAM password policy requires minimum length of 14 or greater. | Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are at least a given length. It is recommended that the password policy require a minimum password length 14. |
IAM |
IAMPasswordPolicy should have Configured and MinimumPasswordLength >= 14 |
| Identities and credentials: Ensure IAM password policy prevents password reuse | IAM password policies can prevent the reuse of a given password by the same user. It is recommended that the password policy prevent the reuse of passwords. |
IAM |
IAMPasswordPolicy should have Configured and PasswordReusePrevention >= 24 |
| Identities and credentials: Ensure IAM password policy expires passwords within 90 days or less. | IAM password policies can require passwords to be rotated or expired after a given number of days. It is recommended that the password policy expire passwords after 90 days or less. |
IAM |
IAMPasswordPolicy should have Configured and ExpirePasswords and MaxPasswordAge <= 90 |
| Identities and credentials: Ensure a log metric filter and alarm exist for Management Console sign-in without MFA | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for console logins that are not protected by multi-factor authentication (MFA) |
CloudWatch CloudTrail |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*\"ConsoleLogin\"\)\s*\&\&\s*\(\$\.additionalEventData\.MFAUsed\s*!=\s*\"Yes\"\)\s*\&\&\s*\(\$\.userIdentity\.type\s*=\s*\"IAMUser\"\)\s*\&\&\s*\(\$\.responseElements\.ConsoleLogin\s*=\s*\"Success\"\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Identities and credentials: Ensure a log metric filter and alarm exist for usage of "root" account | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for root login attempts |
CloudTrail CloudWatch |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "{\s*\$\.userIdentity\.type\s*=\s*\"Root\"\s*\&\&\s*\$\.userIdentity\.invokedBy\s*NOT\s*EXISTS\s*\&\&\s*\$\.eventType\s*!=\s*\"AwsServiceEvent\"\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Identities and credentials: Ensure a log metric filter and alarm exist for IAM policy changes | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established changes made to Identity and Access Management (IAM) policies. |
CloudWatch CloudTrail |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*DeleteGroupPolicy\)\|\|\(\$\.eventName\s*=\s*DeleteRolePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteUserPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutGroupPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutRolePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutUserPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreatePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeletePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreatePolicyVersion\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeletePolicyVersion\)\s*\|\|\s*\(\$\.eventName\s*=\s*AttachRolePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DetachRolePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*AttachUserPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DetachUserPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*AttachGroupPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DetachGroupPolicy\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Identities and credentials: Ensure a log metric filter and alarm exist for AWS Management Console authentication failures | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for failed console authentication attempts. |
CloudTrail CloudWatch |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*ConsoleLogin\)\s*\&\&\s*\(\$\.errorMessage\s*=\s*\"Failed\s*authentication\"\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Remote access: Ensure access keys unused for 90 days or greater are disabled | AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all access keys that have been unused in 90 or greater days be disabled. |
IAM |
IAMUser where RootUser eq False should not have AccessKey with [ Active and LastUsedTime isEarlierThan ( -90, "days" ) ] |
| Remote access: Ensure access keys are rotated every 90 days or less. | Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. It is recommended that all access keys be regularly rotated. |
IAM |
IAMUser should not have AccessKey with [ Active and LastRotatedTime isEarlierThan ( -90 , "days" ) ] |
| Remote access: Ensure no root account access key exists. | The root account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. It is recommended that all access keys associated with the root account be removed. |
IAM |
IAMUser where RootUser eq True should not have AccessKey with [ Active eq True ] |
| Remote access: Do not setup access keys during initial user setup for all IAM users that have a console password | AWS console defaults the checkbox for creating access keys to enabled. This results in many access keys being generated unnecessarily. In addition to unnecessary credentials, it also generates unnecessary management work in auditing and rotating these keys. |
IAM |
IAMUser where Password . Enabled eq true should not have AccessKey with [ Active and CreatedByDefault ] |
| Remote access: Ensure a log metric filter and alarm exist for unauthorized API calls | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for unauthorized API calls. |
CloudWatch CloudTrail |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.errorCode\s*=\s*\"\*UnauthorizedOperation\"\)\s*\|\|\s*\(\$\.errorCode\s*=\s*\"AccessDenied\*\"\)\s*\|\|\s*\(\$\.sourceIPAddress\s*!=\s*\"delivery\.logs\.amazonaws\.com\"\)\s*\|\|\s*\(\$\.eventName\s*!=\s*\"HeadBucket\"\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Access permissions and authorizations: Ensure IAM policies are attached only to groups or roles. | By default, IAM users, groups, and roles have no access to AWS resources. IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended that IAM policies be applied directly to groups and roles but not users. |
IAM |
IAMUser should have ( Policies . Managed len ( ) eq 0 and Policies . Inline len ( ) eq 0 ) |
| Access permissions and authorizations: Ensure IAM policies that allow full "*:*" administrative privileges are not created. | IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended and considered a standard security advice to grant least privilege — that is, granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform only those tasks, instead of allowing full administrative privileges. |
IAM |
IAMPolicy should not have Permissions . Statements with [ Action with [ value eq "*" ] and Resource with [ value eq "*" ] and Effect eq "Allow" ] and ( AttachedEntities . Groups len ( ) gt 0 or AttachedEntities . Roles len ( ) gt 0 or AttachedEntities . Users len ( ) gt 0 ) |
| Establish an access control system(s) : IAM Policies with Effect as Allow and Action with iam:PassRole for All Roles | Establish an access control system(s) for systems components that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed. |
IAM |
IAMPolicy should not have Permissions . Statements with [ Action with [ value eq "iam:PassRole" ] and Resource with [ value eq "*" ] ] |
| Establish an access control system(s) : IAM Policies with Effect as Allow and Action with sts:AssumeRole for All Roles | Establish an access control system(s) for systems components that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed. |
IAM |
IAMRole should not have AssumeRolePolicy . Statement with [ Action eq "sts:AssumeRole" and Principal . AWS has ("*") ] |
| Establish an access control system(s) : S3 Bucket ACLs with Grant Access to All Users | Establish an access control system(s) for systems components that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed. |
S3 |
S3Bucket should not have ACL with [ ( Permission eq "WRITE" or Permission eq "WRITE_ACP" or Permission eq "READ" or Permission eq "READ_ACP" or Permission eq "FULL_CONTROL" ) and Grantee . URI eq "http://acs.amazonaws.com/groups/global/AllUsers" ] |
| Establish an access control system(s) : S3 Bucket ACLs with Grant Access to Authenticated Users | Establish an access control system(s) for systems components that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed. |
S3 |
S3Bucket should not have ACL with [ ( Permission eq "WRITE" or Permission eq "WRITE_ACP" or Permission eq "READ" or Permission eq "READ_ACP" or Permission eq "FULL_CONTROL" ) and Grantee . Type eq "Group" and Grantee . URI eq "http://acs.amazonaws.com/groups/global/AuthenticatedUsers" ] |
| Access permissions and authorizations: Ensure Redshift Clusters are not Publicly accessible | Redshift Clusters should not be accessible to the public. |
Redshift |
RedShiftCluster should not have Access eq "Public" |
| Access permissions and authorizations: Ensure RDS Instances do not have Publicly Accessible Snapshots | RDS Instances should not have publicly accessible snapshots. |
RDS |
RDSInstance should not have Snapshots with [ PubliclyAccessible ] |
| Network integrity: Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. NACLs are used as a stateless packet filter to control ingress and egress traffic for subnets within a VPC. It is recommended that a metric filter and alarm be established for changes made to NACLs. |
CloudWatch CloudTrail |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*CreateNetworkAcl\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreateNetworkAclEntry\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteNetworkAcl\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteNetworkAclEntry\)\s*\|\|\s*\(\$\.eventName\s*=\s*ReplaceNetworkAclEntry\)\s*\|\|\s*\(\$\.eventName\s*=\s*ReplaceNetworkAclAssociation\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Network integrity: Ensure a log metric filter and alarm exist for changes to network gateways | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Network gateways are required to send/receive traffic to a destination outside of a VPC. It is recommended that a metric filter and alarm be established for changes to network gateways. |
CloudWatch CloudTrail |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*CreateCustomerGateway\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteCustomerGateway\)\s*\|\|\s*\(\$\.eventName\s*=\s*AttachInternetGateway\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreateInternetGateway\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteInternetGateway\)\s*\|\|\s*\(\$\.eventName\s*=\s*DetachInternetGateway\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Network integrity: Ensure a log metric filter and alarm exist for route table changes | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Routing tables are used to route network traffic between subnets and to network gateways. It is recommended that a metric filter and alarm be established for changes to route tables. |
CloudTrail CloudWatch |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*CreateRoute\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreateRouteTable\)\s*\|\|\s*\(\$\.eventName\s*=\s*ReplaceRoute\)\s*\|\|\s*\(\$\.eventName\s*=\s*ReplaceRouteTableAssociation\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteRouteTable\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteRoute\)\s*\|\|\s*\(\$\.eventName\s*=\s*DisassociateRouteTable\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Network integrity: Ensure a log metric filter and alarm exist for VPC changes | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is possible to have more than 1 VPC within an account, in addition it is also possible to create a peer connection between 2 VPCs enabling network traffic to route between VPCs. It is recommended that a metric filter and alarm be established for changes made to VPCs. |
CloudTrail CloudWatch |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*CreateVpc\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteVpc\)\s*\|\|\s*\(\$\.eventName\s*=\s*ModifyVpcAttribute\)\s*\|\|\s*\(\$\.eventName\s*=\s*AcceptVpcPeeringConnection\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreateVpcPeeringConnection\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteVpcPeeringConnection\)\s*\|\|\s*\(\$\.eventName\s*=\s*RejectVpcPeeringConnection\)\s*\|\|\s*\(\$\.eventName\s*=\s*AttachClassicLinkVpc\)\s*\|\|\s*\(\$\.eventName\s*=\s*DetachClassicLinkVpc\)\s*\|\|\s*\(\$\.eventName\s*=\s*DisableVpcClassicLink\)\s*\|\|\s*\(\$\.eventName\s*=\s*EnableVpcClassicLink\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Authentication: Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password | Multi-Factor Authentication (MFA) adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. It is recommended that MFA be enabled for all accounts that have a console password. |
IAM |
IAMUser where ( RootUser eq false and Password . Enabled eq true ) should have MFAActive eq true |
| Authentication: Ensure MFA is enabled for the "root" account. | The root account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a username and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. |
IAM |
IAMUser where RootUser eq True should have MFAActive eq true |
| Authentication: Ensure hardware MFA is enabled for the "root" account. | The root account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. For Level 2, it is recommended that the root account be protected with a hardware MFA. |
IAM |
IAMUser where RootUser eq True should have MFAActive eq true and MFADevices . Physical len ( ) gt 0 |
| Ensure MFA Delete is enable on S3 buckets | Once MFA Delete is enabled on your sensitive and classified S3 bucket it requires the user to have two forms of authentication |
S3 |
S3Bucket should have BucketVersioning . Status eq "Enabled" and BucketVersioning . MFADelete eq "Enabled" |
| Data-at-rest is protected: Ensure rotation for customer created CMKs is enabled | AWS Key Management Service (KMS) allows customers to rotate the backing key which is key material stored within the KMS which is tied to the key ID of the Customer Created customer master key (CMK). It is the backing key that is used to perform cryptographic operations such as encryption and decryption. Automated key rotation currently retains all prior backing keys so that decryption of encrypted data can take place transparently. It is recommended that CMK key rotation be enabled |
KMS |
KMSKey where Description notlike "Default master key that protects my.*" should have RotationEnabled |
| Data-at-rest is protected: Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for customer created CMKs which have changed state to disabled or scheduled deletion. |
CloudWatch CloudTrail |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventSource\s*=\s*kms\.amazonaws\.com\)\s*\&\&\s*\(\(\$\.eventName=DisableKey\)\s*\|\|\s*\(\$\.eventName=ScheduleKeyDeletion\)\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Data-at-rest is protected: Ensure RDS encryption is enabled | Ensure RDS encryption is enabled. |
RDS |
RDSInstance should have StorageEncrypted eq true |
| Data-at-rest is protected: Ensure RDS instance snapshots are encrypted | Ensure RDS instance snapshots are encrypted. |
RDS |
RDSInstance should have every Snapshots with [ Encrypted eq true ] |
| Data-at-rest is protected: Ensure DynamoDB tables are encrypted at rest | Ensure DynamoDB tables are encrypted at rest. |
Dynamo |
DynamoDBTable should have SSEDescription . Status eq "ENABLED" |
| Render PAN unreadable anywhere it is stored : Redshift Cluster Not Encrypted At Rest | Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches: One-way hashes based on strong cryptography, (hash must be of the entire PAN). ; Truncation (hashing cannot be used to replace the truncated segment of PAN). ; Index tokens and pads (pads must be securely stored). ; Strong cryptography with associated key-management processes and procedures. ; Note: It is a relatively trivial effort for a malicious individual to reconstruct original PAN date if they have access to both the truncated and hashed version of a PAN. Where hashed and truncated versions of the same PAN are present in an entity’s environment, additional controls must be in place to ensure that the hashed and truncated versions cannot be correlated to reconstruct the original PAN |
RedShift |
RedShiftCluster should have Encrypted eq true |
| Data-in-transit is protected: Ensure older SSL/TLS policies are not used with Elastic Load Balancers | Older SSL/TLS policy should not be used with Elastic Load Balancer Security Policy. |
ElasticLoadBalancer |
ElasticLoadBalancer should have SslPolicy in ( "ELBSecurityPolicy-2016-08", "ELBSecurityPolicy-TLS-1-2-2017-01", "ELBSecurityPolicy-TLS-1-1-2017-01" ) |
| Data-in-transit is protected: Ensure encryption in transit is enabled for lambda functions using environmental variables. | Ensure encryption in transit is enabled for lambda functions using environmental variables. |
Lambda |
Lambda where ( Environment len() > 0 ) should have KMSKey . Enabled |
| Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission: Redshift Cluster has require_ssl disabled | Sensitive information must be encrypted during transmission over public networks, because it is easy and common for a malicious individual to intercept and/or divert data while in transit. |
RedShift |
RedShiftCluster should have ClusterParameterGroups with [ ClusterParameterGroup with [ ParameterName eq "require_ssl" and ParameterValue eq "true" ] ] |
| Backups of information: Ensure Backup Retention Period is set greater than or equal to 30 days. | Setting Backup Retention Period of RDS Instance to a value greater than or equal to 30 ensures safety of data. |
RDS |
RDSInstance should not have BackupRetentionPeriod lt 30 |
| Backups of information: Ensure DynamoDB tables are backed up | Ensure DynamoDB tables are backed up. |
Dynamo |
DynamoDBTable should have BackedUp eq true |
| Backups of information: Ensure DynamoDB tables have point in time recovery enabled | Ensure DynamoDB tables have point in time recovery enabled. |
Dynamo |
DynamoDBTable should have PointInTimeRecovery eq "ENABLED" |
| Install critical security patches within one month of release. : Auto Minor Version Upgrade Disabled for RDS Instances | Ensure that all system components and software are protected from known vulnerabilities by installing applicable AWS RDSInstance security patches. Install critical security patches within one month of release. |
RDS |
RDSInstance should have AutoMinorVersionUpgrade eq true |
| Vulnerability management plan: Ensure Allow Version Upgrade is set to yes for Redshift Cluster | Redshift Clusters should have Version Upgrade set to avoid missing important security updates. |
Redshift |
RedShiftCluster should have AllowVersionUpgrade |
| Audit/log records: Ensure CloudTrail is enabled. | AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an account, including API calls made via the Management Console, SDKs, command line tools, and higher-level AWS services (such as CloudFormation) |
CloudTrail |
AWS should have atleast one CloudTrails with [ MultiRegionTrailEnabled and LoggingEnabled eq True ] |
| Ensure the S3 bucket CloudTrail logs to is not publicly accessible | CloudTrail logs a record of every API call made in your AWS account. These logs file are stored in an S3 bucket. It is recommended that the bucket policy or access control list (ACL) applied to the S3 bucket that CloudTrail logs to prevents public access to the CloudTrail logs |
S3 CloudTrail |
CloudTrail should not have S3Bucket . Access eq "Public" |
| Audit/log records: Ensure CloudTrail trails are integrated with CloudWatch Logs | AWS CloudTrail is a web service that records AWS API calls made in a given AWS account.The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail uses Amazon S3 for log file storage and delivery, so log files are stored durably. In addition to capturing CloudTrail logs within a specified S3 bucket for long term analysis, realtime analysis can be performed by configuring CloudTrail to send logs to CloudWatch Logs. For a trail that is enabled in all regions in an account, CloudTrail sends log files from all those regions to a CloudWatch Logs log group. It is recommended that CloudTrail logs be sent to CloudWatch Logs. |
CloudTrail |
CloudTrail should have LogGroup . CreationDate gt 0 |
| Audit/log records: Ensure AWS Config is enabled in all regions | AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), any configuration changes between resources. The AWS configuration item history captured by AWS Config enables security analysis, resource change tracking, and compliance auditing. It is recommended to enable AWS Config be enabled in all regions. |
CloudTrail Config |
AWS should have ( ConfigRecorders with [ Status and RecordingGroup . AllSupported ] ) and ConfigDeliveryChannels with [ StreamDelivery . LastSuccess and HistoryDelivery . LastSuccess ] |
| Implement automated audit trails for all system components : CloudTrail - Lack of API Access Logging | Implement automated audit trails for all system components to reconstruct the following events : All individual user accesses to cardholder data ; All actions taken by any individual with root or administrative privileges ; Access to all audit trails ; Invalid logical access attempts ; Use of and changes to identification and authentication mechanisms ; Initialization, stopping, or pausing of the audit logs ; Creation and deletion of system-level objects. |
S3 CloudTrail |
CloudTrail should have S3Bucket . LoggingEnabled |
| Audit/log records: Ensure CloudTrail logs are encrypted at rest using KMS CMKs | AWS CloudTrail is a web service that records AWS API calls for an account and makes those logs available to users and resources in accordance with IAM policies. AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data, and uses Hardware Security Modules (HSMs) to protect the security of encryption keys. CloudTrail logs can be configured to leverage server side encryption (SSE) and KMS customer created master keys (CMK) to further protect CloudTrail logs. It is recommended that CloudTrail be configured to use SSE-KMS |
CloudTrail |
CloudTrail should have KMSKey . Enabled |
| Audit/log records: Ensure a log metric filter and alarm exist for CloudTrail configuration changes | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations. |
CloudWatch CloudTrail |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*CreateTrail\)\s*\|\|\s*\(\$\.eventName\s*=\s*UpdateTrail\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteTrail\)\s*\|\|\s*\(\$\.eventName\s*=\s*StartLogging\)\s*\|\|\s*\(\$\.eventName\s*=\s*StopLogging\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Audit/log records: Ensure a log metric filter and alarm exist for AWS Config configuration changes | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations. |
CloudWatch CloudTrail |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventSource\s*=\s*config\.amazonaws\.com\)\s*\&\&\s*\(\(\$\.eventName=StopConfigurationRecorder\)\s*\|\|\s*\(\$\.eventName=DeleteDeliveryChannel\)\s*\|\|\(\$\.eventName=PutDeliveryChannel\)\s*\|\|\s*\(\$\.eventName=PutConfigurationRecorder\)\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Implement automated audit trails for all system components : CloudTrail - Lack of Global Service Event Logging | Implement automated audit trails for all system components to reconstruct the following events : All individual user accesses to cardholder data ; All actions taken by any individual with root or administrative privileges ; Access to all audit trails ; Invalid logical access attempts ; Use of and changes to identification and authentication mechanisms ; Initialization, stopping, or pausing of the audit logs ; Creation and deletion of system-level objects. |
CloudTrail |
CloudTrail should have GlobalServiceEvents eq true |
| Implement automated audit trails for all system components : Lack of Logging For Access to S3 Buckets | Implement automated audit trails for all system components to reconstruct the following events : All individual user accesses to cardholder data ; All actions taken by any individual with root or administrative privileges ; Access to all audit trails ; Invalid logical access attempts ; Use of and changes to identification and authentication mechanisms ; Initialization, stopping, or pausing of the audit logs ; Creation and deletion of system-level objects. |
S3 |
S3Bucket should have LoggingEnabled |
| Implement automated audit trails for all system components : S3 Buckets Lack Versioning | Implement automated audit trails for all system components to reconstruct the following events : All individual user accesses to cardholder data ; All actions taken by any individual with root or administrative privileges ; Access to all audit trails ; Invalid logical access attempts ; Use of and changes to identification and authentication mechanisms ; Initialization, stopping, or pausing of the audit logs ; Creation and deletion of system-level objects. |
S3 |
S3Bucket should not have BucketVersioning . Status eq "Suspended" or BucketVersioning . Status eq "Disabled" |
| Implement automated audit trails for all system components : Redshift Parameter Groups Disable Logging | Implement automated audit trails for all system components to reconstruct the following events : All individual user accesses to cardholder data ; All actions taken by any individual with root or administrative privileges ; Access to all audit trails ; Invalid logical access attempts ; Use of and changes to identification and authentication mechanisms ; Initialization, stopping, or pausing of the audit logs ; Creation and deletion of system-level objects. |
RedShift |
RedShiftCluster should have LoggingEnabled eq true |
| Secure audit trails so they cannot be altered : CloudTrail Log Files Lack Integrity Validation | Use file-integrity monitoring or change-detection on CloudTrail logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert). |
CloudTrail |
CloudTrail should have LogFileValidationEnabled |
| Communications and control network protection: Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 | Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to port 22. |
EC2 |
SecurityGroup should not have InboundRules with [ IPRanges with [ IP eq 0.0.0.0/0 ] and ( FromPort lte 22 and ToPort gte 22 ) and Protocol in ("-1", "tcp") ] |
| Communications and control network protection: Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 | Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to port 3389. |
EC2 |
SecurityGroup should not have InboundRules with [ IPRanges with [ IP eq 0.0.0.0/0 ] and ( FromPort lte 3389 and ToPort gte 3389 ) and Protocol in ("-1", "udp", "tcp") ] |
| Ensure the default security group of every VPC restricts all traffic | A VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that the default security group restrict all traffic. The default VPC in every region should have it's default security group updated to comply. Any newly created VPCs will automatically contain a default security group that will need remediation to comply with this recommendation. |
EC2 |
SecurityGroup where Name eq "default" should have InboundRules len ( ) eq 0 and OutboundRules len ( ) eq 0 |
| Review firewall and router rule sets at least every six months : Numerous Unused EC2 Security Groups | Establish and implement firewall and router configuration standards that include the requirement to review firewall and router rule sets at least every six months. |
EC2 |
SecurityGroup where Name neq "default" should have NetworkInterfaces len ( ) neq 0 |
| Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic : Do not use the default security group. | Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment. Note: An untrusted network is any network that is external to the networks belonging to the entity under review, and/or which is out of the entity’s ability to control or manage |
EC2 |
NetworkInterface should not have any SecurityGroups with [ Name eq "default" ] |
| Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet : Outbound Internet unrestricted is not allowed. | Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment. Note: An untrusted network is any network that is external to the networks belonging to the entity under review, and/or which is out of the entity’s ability to control or manage |
EC2 |
NetworkInterface should not have any SecurityGroups with [ OutboundRules with [ IPv6Ranges with [ IPv6 in ( "::/0" ) ] or IPRanges with [ IP in ( "0.0.0.0/0" ) ] ] ] |
| Communications and control network protection: Ensure no rule exists which allows all ingress traffic in default Network ACL | Network ACLs are designed to provide a secondary layer of security. Adding a rule that allows all network traffic (all protocols, IPs, and source) prior to any deny rule defeats the purpose of network ACLs. |
EC2 |
NetworkACL should not have IsDefault eq true and Rules with [ RuleAction eq "allow" and Protocol eq "-1" and Egress eq False and CidrBlock eq 0.0.0.0/0 ] |
| Communications and control network protection: Ensure no rule exists which allows all ingress traffic in Network ACL which is associated with a subnet | Network ACLs are designed to provide a secondary layer of security. Adding a rule that allows all network traffic (all protocols, IPs, and source) prior to any deny rule defeats the purpose of network ACLs. Network ACLs associated with subnets and VPCs should not allow all ingress traffic. |
EC2 |
NetworkACL where Subnets len( ) gt 0 should not have Rules with [ Egress eq False and RuleAction eq "allow" and Protocol eq "-1" and CidrBlock eq 0.0.0.0/0 ] |
| Communications and control network protection: Ensure RDS instances are not in public subnets | Ensure RDS instances are not in public subnets. |
RDS |
RDSInstance should not have Access eq "Public" |
| Implement an incident response plan : Lack of Multi-AZ Deployment for RDS Instances | Create the incident response plan to be implemented in the event of system breach. Ensure the plan addresses the following, at a minimum: Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum. ; Specific incident response procedures. ; Business recovery and continuity procedures. ; Data backup processes. ; Analysis of legal requirements for reporting compromises. ; Coverage and responses of all critical system components. ; Reference or inclusion of incident response procedures from the payment brands |
RDS |
RDSInstance should have MultiAZ eq true |
| Baseline network operations and data flows: Ensure VPC flow logging is enabled in all VPCs | VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. It is recommended that VPC Flow Logs be enabled for packet 'Rejects' for VPCs. |
EC2 |
VPC should have atleast one FlowLogs with [ Status eq "ACTIVE" ] |
| Personnel know response roles/operations: Ensure a support role has been created to manage incidents with AWS Support | AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. Create an IAM Role to allow authorized users to manage incidents with AWS Support. |
IAM |
AWS should have atleast one IAMPolicies with [ id eq "arn:aws:iam::aws:policy/AWSSupportAccess" and AttachedEntities . Roles len ( ) gt 0 ] |
| Name | Description | Service | Rule |
|---|---|---|---|
| Identities and credentials: Avoid the use of the "root" account: check for recent logins. | The 'root' account has unrestricted access to all resources in the AWS account. It is highly recommended that the use of this account be avoided. |
IAM |
IAMUser where RootUser eq True should not have Password . LastUsedTime isLaterThan ( -1, "days" ) |
| Authentication: Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password | Multi-Factor Authentication (MFA) adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. It is recommended that MFA be enabled for all accounts that have a console password. |
IAM |
IAMUser where ( RootUser eq false and Password . Enabled eq true ) should have MFAActive eq true |
| Identities and credentials: Ensure passwords unused for 90 days or greater are disabled | AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all passwords that have been unused in 90 or greater days be disabled. |
IAM |
IAMUser where RootUser eq False should not have ( Password . Enabled and Password . LastUsedTime isEarlierThan ( -90, "days" ) ) |
| Remote access: Ensure access keys unused for 90 days or greater are disabled | AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all access keys that have been unused in 90 or greater days be disabled. |
IAM |
IAMUser where RootUser eq False should not have AccessKey with [ Active and LastUsedTime isEarlierThan ( -90, "days" ) ] |
| Remote access: Ensure access keys are rotated every 90 days or less. | Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. It is recommended that all access keys be regularly rotated. |
IAM |
IAMUser should not have AccessKey with [ Active and LastRotatedTime isEarlierThan ( -90 , "days" ) ] |
| Identities and credentials: Ensure IAM password policy requires at least one uppercase letter. | Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one uppercase letter. |
IAM |
IAMPasswordPolicy should have Configured and RequireUppercaseCharacters |
| Identities and credentials: Ensure IAM password policy require at least one lowercase letter. | Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one lowercase letter. |
IAM |
IAMPasswordPolicy should have Configured and RequireLowercaseCharacters |
| Identities and credentials: Ensure IAM password policy require at least one symbol. | Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one symbol. |
IAM |
IAMPasswordPolicy should have Configured and RequireSymbols |
| Identities and credentials: Ensure IAM password policy require at least one number. | Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one number. |
IAM |
IAMPasswordPolicy should have Configured and RequireNumbers |
| Identities and credentials: Ensure IAM password policy requires minimum length of 14 or greater. | Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are at least a given length. It is recommended that the password policy require a minimum password length 14. |
IAM |
IAMPasswordPolicy should have Configured and MinimumPasswordLength >= 14 |
| Identities and credentials: Ensure IAM password policy prevents password reuse | IAM password policies can prevent the reuse of a given password by the same user. It is recommended that the password policy prevent the reuse of passwords. |
IAM |
IAMPasswordPolicy should have Configured and PasswordReusePrevention >= 24 |
| Identities and credentials: Ensure IAM password policy expires passwords within 90 days or less. | IAM password policies can require passwords to be rotated or expired after a given number of days. It is recommended that the password policy expire passwords after 90 days or less. |
IAM |
IAMPasswordPolicy should have Configured and ExpirePasswords and MaxPasswordAge <= 90 |
| Remote access: Ensure no root account access key exists. | The root account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. It is recommended that all access keys associated with the root account be removed. |
IAM |
IAMUser where RootUser eq True should not have AccessKey with [ Active eq True ] |
| Authentication: Ensure MFA is enabled for the "root" account. | The root account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a username and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. |
IAM |
IAMUser where RootUser eq True should have MFAActive eq true |
| Authentication: Ensure hardware MFA is enabled for the "root" account. | The root account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. For Level 2, it is recommended that the root account be protected with a hardware MFA. |
IAM |
IAMUser where RootUser eq True should have MFAActive eq true and MFADevices . Physical len ( ) gt 0 |
| Access permissions and authorizations: Ensure IAM policies are attached only to groups or roles. | By default, IAM users, groups, and roles have no access to AWS resources. IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended that IAM policies be applied directly to groups and roles but not users. |
IAM |
IAMUser should have ( Policies . Managed len ( ) eq 0 and Policies . Inline len ( ) eq 0 ) |
| Remote access: Do not setup access keys during initial user setup for all IAM users that have a console password | AWS console defaults the checkbox for creating access keys to enabled. This results in many access keys being generated unnecessarily. In addition to unnecessary credentials, it also generates unnecessary management work in auditing and rotating these keys. |
IAM |
IAMUser where Password . Enabled eq true should not have AccessKey with [ Active and CreatedByDefault ] |
| Access permissions and authorizations: Ensure IAM policies that allow full "*:*" administrative privileges are not created. | IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended and considered a standard security advice to grant least privilege — that is, granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform only those tasks, instead of allowing full administrative privileges. |
IAM |
IAMPolicy should not have Permissions . Statements with [ Action with [ value eq "*" ] and Resource with [ value eq "*" ] and Effect eq "Allow" ] and ( AttachedEntities . Groups len ( ) gt 0 or AttachedEntities . Roles len ( ) gt 0 or AttachedEntities . Users len ( ) gt 0 ) |
| Audit/log records: Ensure CloudTrail is enabled. | AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an account, including API calls made via the Management Console, SDKs, command line tools, and higher-level AWS services (such as CloudFormation) |
CloudTrail |
AWS should have atleast one CloudTrails with [ MultiRegionTrailEnabled and LoggingEnabled eq True ] |
| Secure audit trails so they cannot be altered : CloudTrail Log Files Lack Integrity Validation | Use file-integrity monitoring or change-detection on CloudTrail logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert). |
CloudTrail |
CloudTrail should have LogFileValidationEnabled |
| Audit/log records: Ensure the S3 bucket CloudTrail logs to is not publicly accessible | CloudTrail logs a record of every API call made in your AWS account. These logs file are stored in an S3 bucket. It is recommended that the bucket policy or access control list (ACL) applied to the S3 bucket that CloudTrail logs to prevents public access to the CloudTrail logs |
S3 CloudTrail |
CloudTrail should not have S3Bucket . ACL with [ ( Permission eq "WRITE" or Permission eq "WRITE_ACP" or Permission eq "READ" or Permission eq "READ_ACP" or Permission eq "FULL_CONTROL" ) and Grantee. URI eq "http://acs.amazonaws.com/groups/global/AllUsers" ] or S3Bucket . BucketPolicy with [ Statement with [ Effect eq "Allow" and Principal with [ value eq "*" ] and Conditions len ( ) eq 0 ] ] |
| Audit/log records: Ensure CloudTrail trails are integrated with CloudWatch Logs | AWS CloudTrail is a web service that records AWS API calls made in a given AWS account.The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail uses Amazon S3 for log file storage and delivery, so log files are stored durably. In addition to capturing CloudTrail logs within a specified S3 bucket for long term analysis, realtime analysis can be performed by configuring CloudTrail to send logs to CloudWatch Logs. For a trail that is enabled in all regions in an account, CloudTrail sends log files from all those regions to a CloudWatch Logs log group. It is recommended that CloudTrail logs be sent to CloudWatch Logs. |
CloudTrail |
CloudTrail should have LogGroup . CreationDate gt 0 |
| Audit/log records: Ensure AWS Config is enabled in all regions | AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), any configuration changes between resources. The AWS configuration item history captured by AWS Config enables security analysis, resource change tracking, and compliance auditing. It is recommended to enable AWS Config be enabled in all regions. |
CloudTrail Config |
AWS should have ( ConfigRecorders with [ Status and RecordingGroup . AllSupported ] ) and ConfigDeliveryChannels with [ StreamDelivery . LastSuccess and HistoryDelivery . LastSuccess ] |
| Implement automated audit trails for all system components : CloudTrail - Lack of API Access Logging | Implement automated audit trails for all system components to reconstruct the following events : All individual user accesses to cardholder data ; All actions taken by any individual with root or administrative privileges ; Access to all audit trails ; Invalid logical access attempts ; Use of and changes to identification and authentication mechanisms ; Initialization, stopping, or pausing of the audit logs ; Creation and deletion of system-level objects. |
S3 CloudTrail |
CloudTrail should have S3Bucket . LoggingEnabled |
| Audit/log records: Ensure CloudTrail logs are encrypted at rest using KMS CMKs | AWS CloudTrail is a web service that records AWS API calls for an account and makes those logs available to users and resources in accordance with IAM policies. AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data, and uses Hardware Security Modules (HSMs) to protect the security of encryption keys. CloudTrail logs can be configured to leverage server side encryption (SSE) and KMS customer created master keys (CMK) to further protect CloudTrail logs. It is recommended that CloudTrail be configured to use SSE-KMS |
CloudTrail |
CloudTrail should have KMSKey . Enabled |
| Data-at-rest is protected: Ensure rotation for customer created CMKs is enabled | AWS Key Management Service (KMS) allows customers to rotate the backing key which is key material stored within the KMS which is tied to the key ID of the Customer Created customer master key (CMK). It is the backing key that is used to perform cryptographic operations such as encryption and decryption. Automated key rotation currently retains all prior backing keys so that decryption of encrypted data can take place transparently. It is recommended that CMK key rotation be enabled |
KMS |
KMSKey where Description notlike "Default master key that protects my.*" should have RotationEnabled |
| Baseline network operations and data flows: Ensure VPC flow logging is enabled in all VPCs | VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. It is recommended that VPC Flow Logs be enabled for packet 'Rejects' for VPCs. |
EC2 |
VPC should have atleast one FlowLogs with [ Status eq "ACTIVE" ] |
| Remote access: Ensure a log metric filter and alarm exist for unauthorized API calls | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for unauthorized API calls. |
CloudWatch CloudTrail |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.errorCode\s*=\s*\"\*UnauthorizedOperation\"\)\s*\|\|\s*\(\$\.errorCode\s*=\s*\"AccessDenied\*\"\)\s*\|\|\s*\(\$\.sourceIPAddress\s*!=\s*\"delivery\.logs\.amazonaws\.com\"\)\s*\|\|\s*\(\$\.eventName\s*!=\s*\"HeadBucket\"\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Identities and credentials: Ensure a log metric filter and alarm exist for Management Console sign-in without MFA | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for console logins that are not protected by multi-factor authentication (MFA) |
CloudWatch CloudTrail |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*\"ConsoleLogin\"\)\s*\&\&\s*\(\$\.additionalEventData\.MFAUsed\s*!=\s*\"Yes\"\)\s*\&\&\s*\(\$\.userIdentity\.type\s*=\s*\"IAMUser\"\)\s*\&\&\s*\(\$\.responseElements\.ConsoleLogin\s*=\s*\"Success\"\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Identities and credentials: Ensure a log metric filter and alarm exist for usage of "root" account | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for root login attempts |
CloudTrail CloudWatch |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "{\s*\$\.userIdentity\.type\s*=\s*\"Root\"\s*\&\&\s*\$\.userIdentity\.invokedBy\s*NOT\s*EXISTS\s*\&\&\s*\$\.eventType\s*!=\s*\"AwsServiceEvent\"\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Identities and credentials: Ensure a log metric filter and alarm exist for IAM policy changes | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established changes made to Identity and Access Management (IAM) policies. |
CloudWatch CloudTrail |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*DeleteGroupPolicy\)\|\|\(\$\.eventName\s*=\s*DeleteRolePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteUserPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutGroupPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutRolePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutUserPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreatePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeletePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreatePolicyVersion\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeletePolicyVersion\)\s*\|\|\s*\(\$\.eventName\s*=\s*AttachRolePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DetachRolePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*AttachUserPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DetachUserPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*AttachGroupPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DetachGroupPolicy\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Audit/log records: Ensure a log metric filter and alarm exist for CloudTrail configuration changes | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations. |
CloudWatch CloudTrail |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*CreateTrail\)\s*\|\|\s*\(\$\.eventName\s*=\s*UpdateTrail\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteTrail\)\s*\|\|\s*\(\$\.eventName\s*=\s*StartLogging\)\s*\|\|\s*\(\$\.eventName\s*=\s*StopLogging\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Identities and credentials: Ensure a log metric filter and alarm exist for AWS Management Console authentication failures | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for failed console authentication attempts. |
CloudTrail CloudWatch |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*ConsoleLogin\)\s*\&\&\s*\(\$\.errorMessage\s*=\s*\"Failed\s*authentication\"\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Data-at-rest is protected: Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for customer created CMKs which have changed state to disabled or scheduled deletion. |
CloudWatch CloudTrail |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventSource\s*=\s*kms\.amazonaws\.com\)\s*\&\&\s*\(\(\$\.eventName=DisableKey\)\s*\|\|\s*\(\$\.eventName=ScheduleKeyDeletion\)\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Ensure a log metric filter and alarm exist for S3 bucket policy changes | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for changes to S3 bucket policies. |
CloudTrail CloudWatch |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventSource\s*=\s*s3\.amazonaws\.com\)\s*\&\&\s*\(\(\$\.eventName\s*=\s*PutBucketAcl\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutBucketPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutBucketCors\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutBucketLifecycle\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutBucketReplication\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteBucketPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteBucketCors\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteBucketLifecycle\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteBucketReplication\)\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Audit/log records: Ensure a log metric filter and alarm exist for AWS Config configuration changes | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations. |
CloudWatch CloudTrail |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventSource\s*=\s*config\.amazonaws\.com\)\s*\&\&\s*\(\(\$\.eventName=StopConfigurationRecorder\)\s*\|\|\s*\(\$\.eventName=DeleteDeliveryChannel\)\s*\|\|\(\$\.eventName=PutDeliveryChannel\)\s*\|\|\s*\(\$\.eventName=PutConfigurationRecorder\)\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Network integrity: Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. NACLs are used as a stateless packet filter to control ingress and egress traffic for subnets within a VPC. It is recommended that a metric filter and alarm be established for changes made to NACLs. |
CloudWatch CloudTrail |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*CreateNetworkAcl\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreateNetworkAclEntry\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteNetworkAcl\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteNetworkAclEntry\)\s*\|\|\s*\(\$\.eventName\s*=\s*ReplaceNetworkAclEntry\)\s*\|\|\s*\(\$\.eventName\s*=\s*ReplaceNetworkAclAssociation\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Network integrity: Ensure a log metric filter and alarm exist for changes to network gateways | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Network gateways are required to send/receive traffic to a destination outside of a VPC. It is recommended that a metric filter and alarm be established for changes to network gateways. |
CloudWatch CloudTrail |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*CreateCustomerGateway\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteCustomerGateway\)\s*\|\|\s*\(\$\.eventName\s*=\s*AttachInternetGateway\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreateInternetGateway\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteInternetGateway\)\s*\|\|\s*\(\$\.eventName\s*=\s*DetachInternetGateway\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Network integrity: Ensure a log metric filter and alarm exist for route table changes | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Routing tables are used to route network traffic between subnets and to network gateways. It is recommended that a metric filter and alarm be established for changes to route tables. |
CloudTrail CloudWatch |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*CreateRoute\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreateRouteTable\)\s*\|\|\s*\(\$\.eventName\s*=\s*ReplaceRoute\)\s*\|\|\s*\(\$\.eventName\s*=\s*ReplaceRouteTableAssociation\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteRouteTable\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteRoute\)\s*\|\|\s*\(\$\.eventName\s*=\s*DisassociateRouteTable\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Network integrity: Ensure a log metric filter and alarm exist for VPC changes | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is possible to have more than 1 VPC within an account, in addition it is also possible to create a peer connection between 2 VPCs enabling network traffic to route between VPCs. It is recommended that a metric filter and alarm be established for changes made to VPCs. |
CloudTrail CloudWatch |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*CreateVpc\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteVpc\)\s*\|\|\s*\(\$\.eventName\s*=\s*ModifyVpcAttribute\)\s*\|\|\s*\(\$\.eventName\s*=\s*AcceptVpcPeeringConnection\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreateVpcPeeringConnection\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteVpcPeeringConnection\)\s*\|\|\s*\(\$\.eventName\s*=\s*RejectVpcPeeringConnection\)\s*\|\|\s*\(\$\.eventName\s*=\s*AttachClassicLinkVpc\)\s*\|\|\s*\(\$\.eventName\s*=\s*DetachClassicLinkVpc\)\s*\|\|\s*\(\$\.eventName\s*=\s*DisableVpcClassicLink\)\s*\|\|\s*\(\$\.eventName\s*=\s*EnableVpcClassicLink\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Communications and control network protection: Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 | Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to port 22. |
EC2 |
SecurityGroup should not have InboundRules with [ IPRanges with [ IP eq 0.0.0.0/0 ] and ( FromPort lte 22 and ToPort gte 22 ) and Protocol in ("-1", "tcp") ] |
| Communications and control network protection: Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 | Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to port 3389. |
EC2 |
SecurityGroup should not have InboundRules with [ IPRanges with [ IP eq 0.0.0.0/0 ] and ( FromPort lte 3389 and ToPort gte 3389 ) and Protocol in ("-1", "udp", "tcp") ] |
| Ensure the default security group of every VPC restricts all traffic | A VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that the default security group restrict all traffic. The default VPC in every region should have it's default security group updated to comply. Any newly created VPCs will automatically contain a default security group that will need remediation to comply with this recommendation. |
EC2 |
SecurityGroup where Name eq "default" should have InboundRules len ( ) eq 0 and OutboundRules len ( ) eq 0 |
| Personnel know response roles/operations: Ensure a support role has been created to manage incidents with AWS Support | AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. Create an IAM Role to allow authorized users to manage incidents with AWS Support. |
IAM |
AWS should have atleast one IAMPolicies with [ id eq "arn:aws:iam::aws:policy/AWSSupportAccess" and AttachedEntities . Roles len ( ) gt 0 ] |
| Name | Description | Service | Rule |
|---|---|---|---|
| Review firewall and router rule sets at least every six months : Numerous Unused EC2 Security Groups | Establish and implement firewall and router configuration standards that include the requirement to review firewall and router rule sets at least every six months. |
EC2 |
SecurityGroup where Name neq "default" should have NetworkInterfaces len ( ) neq 0 |
| Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic : Do not use the default security group. | Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment. Note: An untrusted network is any network that is external to the networks belonging to the entity under review, and/or which is out of the entity’s ability to control or manage |
EC2 |
NetworkInterface should not have any SecurityGroups with [ Name eq "default" ] |
| Inbound Internet traffic is not allowed | Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment. Note: An untrusted network is any network that is external to the networks belonging to the entity under review, and/or which is out of the entity’s ability to control or manage. This rule specifically checks for public IPs in inbound rules of Security Group. |
EC2 |
NetworkInterface should not have any SecurityGroups with [ InboundRules with [ IPv6Ranges with [ IPv6 isPublic ( ) ] or IPRanges with [ IP isPublic ( ) ] ] ] |
| Inbound All ports/protocols is not allowed | Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment. Note: An untrusted network is any network that is external to the networks belonging to the entity under review, and/or which is out of the entity’s ability to control or manage. This rule specifically checks for security group inbound rule with all ports open. |
EC2 |
SecurityGroup should not have InboundRules with [ Protocol eq "-1" and ( FromPort eq 0 and ToPort eq 65535 ) ] |
| Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet : Outbound Internet unrestricted is not allowed. | Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment. Note: An untrusted network is any network that is external to the networks belonging to the entity under review, and/or which is out of the entity’s ability to control or manage |
EC2 |
NetworkInterface should not have any SecurityGroups with [ OutboundRules with [ IPv6Ranges with [ IPv6 in ( "::/0" ) ] or IPRanges with [ IP in ( "0.0.0.0/0" ) ] ] ] |
| Render PAN unreadable anywhere it is stored : Weak RDS backup policy | Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches: One-way hashes based on strong cryptography, (hash must be of the entire PAN). ; Truncation (hashing cannot be used to replace the truncated segment of PAN). ; Index tokens and pads (pads must be securely stored). ; Strong cryptography with associated key-management processes and procedures. ; Note: It is a relatively trivial effort for a malicious individual to reconstruct original PAN date if they have access to both the truncated and hashed version of a PAN. Where hashed and truncated versions of the same PAN are present in an entity’s environment, additional controls must be in place to ensure that the hashed and truncated versions cannot be correlated to reconstruct the original PAN |
RDS |
RDSInstance should have BackupRetentionPeriod neq 0 |
| Render PAN unreadable anywhere it is stored : Redshift Cluster Not Encrypted At Rest | Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches: One-way hashes based on strong cryptography, (hash must be of the entire PAN). ; Truncation (hashing cannot be used to replace the truncated segment of PAN). ; Index tokens and pads (pads must be securely stored). ; Strong cryptography with associated key-management processes and procedures. ; Note: It is a relatively trivial effort for a malicious individual to reconstruct original PAN date if they have access to both the truncated and hashed version of a PAN. Where hashed and truncated versions of the same PAN are present in an entity’s environment, additional controls must be in place to ensure that the hashed and truncated versions cannot be correlated to reconstruct the original PAN |
RedShift |
RedShiftCluster should have Encrypted eq true |
| Fully document and implement all key-management processes and procedures for cryptographic keys used for encryption of cardholder data : Lack of Access Key Rotation | Cryptographic key changes for keys that have reached the end of their cryptoperiod (for example, after a defined period of time has passed and/or after a certain amount of cipher-text has been produced by a given key), as defined by the AWS or key owner, and based on industry best practices and guidelines (for example, NIST Special Publication 800-57). |
IAM |
IAMUser should not have AccessKey with [ Active and CreatedTime isEarlierThan ( -90, "days" ) ] |
| Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission: Redshift Cluster has require_ssl disabled | Sensitive information must be encrypted during transmission over public networks, because it is easy and common for a malicious individual to intercept and/or divert data while in transit. |
RedShift |
RedShiftCluster should have ClusterParameterGroups with [ ClusterParameterGroup with [ ParameterName eq "require_ssl" and ParameterValue eq "true" ] ] |
| Install critical security patches within one month of release. : Auto Minor Version Upgrade Disabled for RDS Instances | Ensure that all system components and software are protected from known vulnerabilities by installing applicable AWS RDSInstance security patches. Install critical security patches within one month of release. |
RDS |
RDSInstance should have AutoMinorVersionUpgrade eq true |
| Restrict access to cardholder data : IAM Policies with Effect as Allow and Action with iam:PassRole for All Roles | Limit access to system components and cardholder data to only those individuals whose job requires such access. |
IAM |
IAMRole should not have Policies . Inline with [ PolicyDocument . Statements with [ Action with [ value eq "iam:PassRole" ]]] |
| Establish an access control system(s) : IAM Policies with Effect as Allow and Action with iam:PassRole for All Roles | Establish an access control system(s) for systems components that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed. |
IAM |
IAMPolicy should not have Permissions . Statements with [ Action with [ value eq "iam:PassRole" ] and Resource with [ value eq "*" ] ] |
| Ensure MFA Delete is enable on S3 buckets | Once MFA Delete is enabled on your sensitive and classified S3 bucket it requires the user to have two forms of authentication |
S3 |
S3Bucket should have BucketVersioning . Status eq "Enabled" and BucketVersioning . MFADelete eq "Enabled" |
| Establish an access control system(s) : IAM Policies with Effect as Allow and Action with sts:AssumeRole for All Roles | Establish an access control system(s) for systems components that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed. |
IAM |
IAMRole should not have AssumeRolePolicy . Statement with [ Action eq "sts:AssumeRole" and Principal . AWS has ("*") ] |
| Establish an access control system(s) : IAM Headless User Account with Password | Establish an access control system(s) for systems components that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed. |
IAM |
IAMUser should not have ( atleast one AccessKey with [ Active eq true ] and Password . Enabled eq True ) |
| Establish an access control system(s) : S3 Bucket ACLs with Grant Access to All Users | Establish an access control system(s) for systems components that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed. |
S3 |
S3Bucket should not have ACL with [ ( Permission eq "WRITE" or Permission eq "WRITE_ACP" or Permission eq "READ" or Permission eq "READ_ACP" or Permission eq "FULL_CONTROL" ) and Grantee . URI eq "http://acs.amazonaws.com/groups/global/AllUsers" ] |
| Establish an access control system(s) : S3 Bucket ACLs with Grant Access to Authenticated Users | Establish an access control system(s) for systems components that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed. |
S3 |
S3Bucket should not have ACL with [ ( Permission eq "WRITE" or Permission eq "WRITE_ACP" or Permission eq "READ" or Permission eq "READ_ACP" or Permission eq "FULL_CONTROL" ) and Grantee . Type eq "Group" and Grantee . URI eq "http://acs.amazonaws.com/groups/global/AuthenticatedUsers" ] |
| Establish an access control system(s) : IAM Policies with Effect Allow and NotActions | Establish an access control system(s) for systems components that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed. |
IAM |
IAMPolicy should not have Permissions . Statements with [ Effect eq "Allow" and ( NotAction len ( ) gt 0 or Action with [ value eq "*" ] ) ] and ( AttachedEntities . Groups len ( ) gt 0 or AttachedEntities . Roles len ( ) gt 0 or AttachedEntities . Users len ( ) gt 0 ) |
| Remove/disable inactive user accounts within 90 days | Define and implement policies and procedures to ensure proper user identification management for non-consumer users and administrators on all system components. |
IAM |
IAMUser where RootUser eq false should not have ( ( Password . Enabled and Password . LastUsedTime isEarlierThan ( -90, "days" ) ) or ( AccessKey with [ Active and LastUsedTime isEarlierThan ( -90, "days" ) ] ) ) |
| Ensure proper user-authentication management for non-consumer users and administrators : IAM Weak Password Policy | Passwords/passphrases must meet the following: Require a minimum length of at least seven characters. Contain both numeric and alphabetic characters. Alternatively, the passwords/passphrases must have complexity and strength at least equivalent to the parameters specified above |
IAM |
IAMPasswordPolicy should have RequireUppercaseCharacters and RequireLowercaseCharacters and (MinimumPasswordLength gte 8 or RequireSymbols ) |
| Secure all individual non-console administrative access and all remote access using multi-factor authentication : IAM Users Lack Multi-Factor Authentication | Incorporate multi-factor authentication for all remote network access (both user and administrator, and including third party access for support or maintenance) originating from outside the entity’s network |
IAM |
IAMUser where Password . Enabled eq true should have MFAActive eq true |
| Implement automated audit trails for all system components : CloudTrail - Lack of Global Service Event Logging | Implement automated audit trails for all system components to reconstruct the following events : All individual user accesses to cardholder data ; All actions taken by any individual with root or administrative privileges ; Access to all audit trails ; Invalid logical access attempts ; Use of and changes to identification and authentication mechanisms ; Initialization, stopping, or pausing of the audit logs ; Creation and deletion of system-level objects. |
CloudTrail |
CloudTrail should have GlobalServiceEvents eq true |
| Implement automated audit trails for all system components : CloudTrail - Lack of API Access Logging | Implement automated audit trails for all system components to reconstruct the following events : All individual user accesses to cardholder data ; All actions taken by any individual with root or administrative privileges ; Access to all audit trails ; Invalid logical access attempts ; Use of and changes to identification and authentication mechanisms ; Initialization, stopping, or pausing of the audit logs ; Creation and deletion of system-level objects. |
S3 CloudTrail |
CloudTrail should have S3Bucket . LoggingEnabled |
| Implement automated audit trails for all system components : Lack of Logging For Access to S3 Buckets | Implement automated audit trails for all system components to reconstruct the following events : All individual user accesses to cardholder data ; All actions taken by any individual with root or administrative privileges ; Access to all audit trails ; Invalid logical access attempts ; Use of and changes to identification and authentication mechanisms ; Initialization, stopping, or pausing of the audit logs ; Creation and deletion of system-level objects. |
S3 |
S3Bucket should have LoggingEnabled |
| Implement automated audit trails for all system components : S3 Buckets Lack Versioning | Implement automated audit trails for all system components to reconstruct the following events : All individual user accesses to cardholder data ; All actions taken by any individual with root or administrative privileges ; Access to all audit trails ; Invalid logical access attempts ; Use of and changes to identification and authentication mechanisms ; Initialization, stopping, or pausing of the audit logs ; Creation and deletion of system-level objects. |
S3 |
S3Bucket should not have BucketVersioning . Status eq "Suspended" or BucketVersioning . Status eq "Disabled" |
| Implement automated audit trails for all system components : Redshift Parameter Groups Disable Logging | Implement automated audit trails for all system components to reconstruct the following events : All individual user accesses to cardholder data ; All actions taken by any individual with root or administrative privileges ; Access to all audit trails ; Invalid logical access attempts ; Use of and changes to identification and authentication mechanisms ; Initialization, stopping, or pausing of the audit logs ; Creation and deletion of system-level objects. |
RedShift |
RedShiftCluster should have LoggingEnabled eq true |
| Secure audit trails so they cannot be altered : CloudTrail Log Files Lack Integrity Validation | Use file-integrity monitoring or change-detection on CloudTrail logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert). |
CloudTrail |
CloudTrail should have LogFileValidationEnabled |
| Implement an incident response plan : Lack of Multi-AZ Deployment for RDS Instances | Create the incident response plan to be implemented in the event of system breach. Ensure the plan addresses the following, at a minimum: Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum. ; Specific incident response procedures. ; Business recovery and continuity procedures. ; Data backup processes. ; Analysis of legal requirements for reporting compromises. ; Coverage and responses of all critical system components. ; Reference or inclusion of incident response procedures from the payment brands |
RDS |
RDSInstance should have MultiAZ eq true |
| Identities and credentials: Avoid the use of the "root" account: check for recent logins. | The 'root' account has unrestricted access to all resources in the AWS account. It is highly recommended that the use of this account be avoided. |
IAM |
IAMUser where RootUser eq True should not have Password . LastUsedTime isLaterThan ( -1, "days" ) |
| Authentication: Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password | Multi-Factor Authentication (MFA) adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. It is recommended that MFA be enabled for all accounts that have a console password. |
IAM |
IAMUser where ( RootUser eq false and Password . Enabled eq true ) should have MFAActive eq true |
| Identities and credentials: Ensure passwords unused for 90 days or greater are disabled | AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all passwords that have been unused in 90 or greater days be disabled. |
IAM |
IAMUser where RootUser eq False should not have ( Password . Enabled and Password . LastUsedTime isEarlierThan ( -90, "days" ) ) |
| Remote access: Ensure access keys unused for 90 days or greater are disabled | AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all access keys that have been unused in 90 or greater days be disabled. |
IAM |
IAMUser where RootUser eq False should not have AccessKey with [ Active and LastUsedTime isEarlierThan ( -90, "days" ) ] |
| Remote access: Ensure access keys are rotated every 90 days or less. | Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. It is recommended that all access keys be regularly rotated. |
IAM |
IAMUser should not have AccessKey with [ Active and LastRotatedTime isEarlierThan ( -90 , "days" ) ] |
| Identities and credentials: Ensure IAM password policy requires at least one uppercase letter. | Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one uppercase letter. |
IAM |
IAMPasswordPolicy should have Configured and RequireUppercaseCharacters |
| Identities and credentials: Ensure IAM password policy require at least one lowercase letter. | Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one lowercase letter. |
IAM |
IAMPasswordPolicy should have Configured and RequireLowercaseCharacters |
| Identities and credentials: Ensure IAM password policy require at least one symbol. | Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one symbol. |
IAM |
IAMPasswordPolicy should have Configured and RequireSymbols |
| Identities and credentials: Ensure IAM password policy require at least one number. | Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one number. |
IAM |
IAMPasswordPolicy should have Configured and RequireNumbers |
| Identities and credentials: Ensure IAM password policy requires minimum length of 14 or greater. | Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are at least a given length. It is recommended that the password policy require a minimum password length 14. |
IAM |
IAMPasswordPolicy should have Configured and MinimumPasswordLength >= 14 |
| Identities and credentials: Ensure IAM password policy prevents password reuse | IAM password policies can prevent the reuse of a given password by the same user. It is recommended that the password policy prevent the reuse of passwords. |
IAM |
IAMPasswordPolicy should have Configured and PasswordReusePrevention >= 24 |
| Identities and credentials: Ensure IAM password policy expires passwords within 90 days or less. | IAM password policies can require passwords to be rotated or expired after a given number of days. It is recommended that the password policy expire passwords after 90 days or less. |
IAM |
IAMPasswordPolicy should have Configured and ExpirePasswords and MaxPasswordAge <= 90 |
| Remote access: Ensure no root account access key exists. | The root account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. It is recommended that all access keys associated with the root account be removed. |
IAM |
IAMUser where RootUser eq True should not have AccessKey with [ Active eq True ] |
| Authentication: Ensure MFA is enabled for the "root" account. | The root account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a username and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. |
IAM |
IAMUser where RootUser eq True should have MFAActive eq true |
| Authentication: Ensure hardware MFA is enabled for the "root" account. | The root account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. For Level 2, it is recommended that the root account be protected with a hardware MFA. |
IAM |
IAMUser where RootUser eq True should have MFAActive eq true and MFADevices . Physical len ( ) gt 0 |
| Access permissions and authorizations: Ensure IAM policies are attached only to groups or roles. | By default, IAM users, groups, and roles have no access to AWS resources. IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended that IAM policies be applied directly to groups and roles but not users. |
IAM |
IAMUser should have ( Policies . Managed len ( ) eq 0 and Policies . Inline len ( ) eq 0 ) |
| Remote access: Do not setup access keys during initial user setup for all IAM users that have a console password | AWS console defaults the checkbox for creating access keys to enabled. This results in many access keys being generated unnecessarily. In addition to unnecessary credentials, it also generates unnecessary management work in auditing and rotating these keys. |
IAM |
IAMUser where Password . Enabled eq true should not have AccessKey with [ Active and CreatedByDefault ] |
| Access permissions and authorizations: Ensure IAM policies that allow full "*:*" administrative privileges are not created. | IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended and considered a standard security advice to grant least privilege — that is, granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform only those tasks, instead of allowing full administrative privileges. |
IAM |
IAMPolicy should not have Permissions . Statements with [ Action with [ value eq "*" ] and Resource with [ value eq "*" ] and Effect eq "Allow" ] and ( AttachedEntities . Groups len ( ) gt 0 or AttachedEntities . Roles len ( ) gt 0 or AttachedEntities . Users len ( ) gt 0 ) |
| Audit/log records: Ensure CloudTrail is enabled. | AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an account, including API calls made via the Management Console, SDKs, command line tools, and higher-level AWS services (such as CloudFormation) |
CloudTrail |
AWS should have atleast one CloudTrails with [ MultiRegionTrailEnabled and LoggingEnabled eq True ] |
| Audit/log records: Ensure the S3 bucket CloudTrail logs to is not publicly accessible | CloudTrail logs a record of every API call made in your AWS account. These logs file are stored in an S3 bucket. It is recommended that the bucket policy or access control list (ACL) applied to the S3 bucket that CloudTrail logs to prevents public access to the CloudTrail logs |
S3 CloudTrail |
CloudTrail should not have S3Bucket . ACL with [ ( Permission eq "WRITE" or Permission eq "WRITE_ACP" or Permission eq "READ" or Permission eq "READ_ACP" or Permission eq "FULL_CONTROL" ) and Grantee. URI eq "http://acs.amazonaws.com/groups/global/AllUsers" ] or S3Bucket . BucketPolicy with [ Statement with [ Effect eq "Allow" and Principal with [ value eq "*" ] and Conditions len ( ) eq 0 ] ] |
| Audit/log records: Ensure CloudTrail trails are integrated with CloudWatch Logs | AWS CloudTrail is a web service that records AWS API calls made in a given AWS account.The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail uses Amazon S3 for log file storage and delivery, so log files are stored durably. In addition to capturing CloudTrail logs within a specified S3 bucket for long term analysis, realtime analysis can be performed by configuring CloudTrail to send logs to CloudWatch Logs. For a trail that is enabled in all regions in an account, CloudTrail sends log files from all those regions to a CloudWatch Logs log group. It is recommended that CloudTrail logs be sent to CloudWatch Logs. |
CloudTrail |
CloudTrail should have LogGroup . CreationDate gt 0 |
| Audit/log records: Ensure AWS Config is enabled in all regions | AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), any configuration changes between resources. The AWS configuration item history captured by AWS Config enables security analysis, resource change tracking, and compliance auditing. It is recommended to enable AWS Config be enabled in all regions. |
CloudTrail Config |
AWS should have ( ConfigRecorders with [ Status and RecordingGroup . AllSupported ] ) and ConfigDeliveryChannels with [ StreamDelivery . LastSuccess and HistoryDelivery . LastSuccess ] |
| Audit/log records: Ensure CloudTrail logs are encrypted at rest using KMS CMKs | AWS CloudTrail is a web service that records AWS API calls for an account and makes those logs available to users and resources in accordance with IAM policies. AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data, and uses Hardware Security Modules (HSMs) to protect the security of encryption keys. CloudTrail logs can be configured to leverage server side encryption (SSE) and KMS customer created master keys (CMK) to further protect CloudTrail logs. It is recommended that CloudTrail be configured to use SSE-KMS |
CloudTrail |
CloudTrail should have KMSKey . Enabled |
| Data-at-rest is protected: Ensure rotation for customer created CMKs is enabled | AWS Key Management Service (KMS) allows customers to rotate the backing key which is key material stored within the KMS which is tied to the key ID of the Customer Created customer master key (CMK). It is the backing key that is used to perform cryptographic operations such as encryption and decryption. Automated key rotation currently retains all prior backing keys so that decryption of encrypted data can take place transparently. It is recommended that CMK key rotation be enabled |
KMS |
KMSKey where Description notlike "Default master key that protects my.*" should have RotationEnabled |
| Baseline network operations and data flows: Ensure VPC flow logging is enabled in all VPCs | VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. It is recommended that VPC Flow Logs be enabled for packet 'Rejects' for VPCs. |
EC2 |
VPC should have atleast one FlowLogs with [ Status eq "ACTIVE" ] |
| Remote access: Ensure a log metric filter and alarm exist for unauthorized API calls | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for unauthorized API calls. |
CloudWatch CloudTrail |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.errorCode\s*=\s*\"\*UnauthorizedOperation\"\)\s*\|\|\s*\(\$\.errorCode\s*=\s*\"AccessDenied\*\"\)\s*\|\|\s*\(\$\.sourceIPAddress\s*!=\s*\"delivery\.logs\.amazonaws\.com\"\)\s*\|\|\s*\(\$\.eventName\s*!=\s*\"HeadBucket\"\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Identities and credentials: Ensure a log metric filter and alarm exist for Management Console sign-in without MFA | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for console logins that are not protected by multi-factor authentication (MFA) |
CloudWatch CloudTrail |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*\"ConsoleLogin\"\)\s*\&\&\s*\(\$\.additionalEventData\.MFAUsed\s*!=\s*\"Yes\"\)\s*\&\&\s*\(\$\.userIdentity\.type\s*=\s*\"IAMUser\"\)\s*\&\&\s*\(\$\.responseElements\.ConsoleLogin\s*=\s*\"Success\"\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Identities and credentials: Ensure a log metric filter and alarm exist for usage of "root" account | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for root login attempts |
CloudTrail CloudWatch |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "{\s*\$\.userIdentity\.type\s*=\s*\"Root\"\s*\&\&\s*\$\.userIdentity\.invokedBy\s*NOT\s*EXISTS\s*\&\&\s*\$\.eventType\s*!=\s*\"AwsServiceEvent\"\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Identities and credentials: Ensure a log metric filter and alarm exist for IAM policy changes | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established changes made to Identity and Access Management (IAM) policies. |
CloudWatch CloudTrail |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*DeleteGroupPolicy\)\|\|\(\$\.eventName\s*=\s*DeleteRolePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteUserPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutGroupPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutRolePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutUserPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreatePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeletePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreatePolicyVersion\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeletePolicyVersion\)\s*\|\|\s*\(\$\.eventName\s*=\s*AttachRolePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DetachRolePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*AttachUserPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DetachUserPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*AttachGroupPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DetachGroupPolicy\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Audit/log records: Ensure a log metric filter and alarm exist for CloudTrail configuration changes | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations. |
CloudWatch CloudTrail |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*CreateTrail\)\s*\|\|\s*\(\$\.eventName\s*=\s*UpdateTrail\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteTrail\)\s*\|\|\s*\(\$\.eventName\s*=\s*StartLogging\)\s*\|\|\s*\(\$\.eventName\s*=\s*StopLogging\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Identities and credentials: Ensure a log metric filter and alarm exist for AWS Management Console authentication failures | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for failed console authentication attempts. |
CloudTrail CloudWatch |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*ConsoleLogin\)\s*\&\&\s*\(\$\.errorMessage\s*=\s*\"Failed\s*authentication\"\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Data-at-rest is protected: Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for customer created CMKs which have changed state to disabled or scheduled deletion. |
CloudWatch CloudTrail |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventSource\s*=\s*kms\.amazonaws\.com\)\s*\&\&\s*\(\(\$\.eventName=DisableKey\)\s*\|\|\s*\(\$\.eventName=ScheduleKeyDeletion\)\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Ensure a log metric filter and alarm exist for S3 bucket policy changes | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for changes to S3 bucket policies. |
CloudTrail CloudWatch |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventSource\s*=\s*s3\.amazonaws\.com\)\s*\&\&\s*\(\(\$\.eventName\s*=\s*PutBucketAcl\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutBucketPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutBucketCors\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutBucketLifecycle\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutBucketReplication\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteBucketPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteBucketCors\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteBucketLifecycle\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteBucketReplication\)\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Audit/log records: Ensure a log metric filter and alarm exist for AWS Config configuration changes | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations. |
CloudWatch CloudTrail |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventSource\s*=\s*config\.amazonaws\.com\)\s*\&\&\s*\(\(\$\.eventName=StopConfigurationRecorder\)\s*\|\|\s*\(\$\.eventName=DeleteDeliveryChannel\)\s*\|\|\(\$\.eventName=PutDeliveryChannel\)\s*\|\|\s*\(\$\.eventName=PutConfigurationRecorder\)\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Network integrity: Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. NACLs are used as a stateless packet filter to control ingress and egress traffic for subnets within a VPC. It is recommended that a metric filter and alarm be established for changes made to NACLs. |
CloudWatch CloudTrail |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*CreateNetworkAcl\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreateNetworkAclEntry\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteNetworkAcl\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteNetworkAclEntry\)\s*\|\|\s*\(\$\.eventName\s*=\s*ReplaceNetworkAclEntry\)\s*\|\|\s*\(\$\.eventName\s*=\s*ReplaceNetworkAclAssociation\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Network integrity: Ensure a log metric filter and alarm exist for changes to network gateways | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Network gateways are required to send/receive traffic to a destination outside of a VPC. It is recommended that a metric filter and alarm be established for changes to network gateways. |
CloudWatch CloudTrail |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*CreateCustomerGateway\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteCustomerGateway\)\s*\|\|\s*\(\$\.eventName\s*=\s*AttachInternetGateway\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreateInternetGateway\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteInternetGateway\)\s*\|\|\s*\(\$\.eventName\s*=\s*DetachInternetGateway\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Network integrity: Ensure a log metric filter and alarm exist for route table changes | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Routing tables are used to route network traffic between subnets and to network gateways. It is recommended that a metric filter and alarm be established for changes to route tables. |
CloudTrail CloudWatch |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*CreateRoute\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreateRouteTable\)\s*\|\|\s*\(\$\.eventName\s*=\s*ReplaceRoute\)\s*\|\|\s*\(\$\.eventName\s*=\s*ReplaceRouteTableAssociation\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteRouteTable\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteRoute\)\s*\|\|\s*\(\$\.eventName\s*=\s*DisassociateRouteTable\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Network integrity: Ensure a log metric filter and alarm exist for VPC changes | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is possible to have more than 1 VPC within an account, in addition it is also possible to create a peer connection between 2 VPCs enabling network traffic to route between VPCs. It is recommended that a metric filter and alarm be established for changes made to VPCs. |
CloudTrail CloudWatch |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*CreateVpc\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteVpc\)\s*\|\|\s*\(\$\.eventName\s*=\s*ModifyVpcAttribute\)\s*\|\|\s*\(\$\.eventName\s*=\s*AcceptVpcPeeringConnection\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreateVpcPeeringConnection\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteVpcPeeringConnection\)\s*\|\|\s*\(\$\.eventName\s*=\s*RejectVpcPeeringConnection\)\s*\|\|\s*\(\$\.eventName\s*=\s*AttachClassicLinkVpc\)\s*\|\|\s*\(\$\.eventName\s*=\s*DetachClassicLinkVpc\)\s*\|\|\s*\(\$\.eventName\s*=\s*DisableVpcClassicLink\)\s*\|\|\s*\(\$\.eventName\s*=\s*EnableVpcClassicLink\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Communications and control network protection: Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 | Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to port 22. |
EC2 |
SecurityGroup should not have InboundRules with [ IPRanges with [ IP eq 0.0.0.0/0 ] and ( FromPort lte 22 and ToPort gte 22 ) and Protocol in ("-1", "tcp") ] |
| Communications and control network protection: Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 | Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to port 3389. |
EC2 |
SecurityGroup should not have InboundRules with [ IPRanges with [ IP eq 0.0.0.0/0 ] and ( FromPort lte 3389 and ToPort gte 3389 ) and Protocol in ("-1", "udp", "tcp") ] |
| Ensure the default security group of every VPC restricts all traffic | A VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that the default security group restrict all traffic. The default VPC in every region should have it's default security group updated to comply. Any newly created VPCs will automatically contain a default security group that will need remediation to comply with this recommendation. |
EC2 |
SecurityGroup where Name eq "default" should have InboundRules len ( ) eq 0 and OutboundRules len ( ) eq 0 |
| Personnel know response roles/operations: Ensure a support role has been created to manage incidents with AWS Support | AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. Create an IAM Role to allow authorized users to manage incidents with AWS Support. |
IAM |
AWS should have atleast one IAMPolicies with [ id eq "arn:aws:iam::aws:policy/AWSSupportAccess" and AttachedEntities . Roles len ( ) gt 0 ] |
| Name | Description | Service | Rule |
|---|---|---|---|
| Identities and credentials: Avoid the use of the "root" account: check for recent logins. | The 'root' account has unrestricted access to all resources in the AWS account. It is highly recommended that the use of this account be avoided. |
IAM |
IAMUser where RootUser eq True should not have Password . LastUsedTime isLaterThan ( -1, "days" ) |
| Authentication: Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password | Multi-Factor Authentication (MFA) adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. It is recommended that MFA be enabled for all accounts that have a console password. |
IAM |
IAMUser where ( RootUser eq false and Password . Enabled eq true ) should have MFAActive eq true |
| Identities and credentials: Ensure passwords unused for 90 days or greater are disabled | AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all passwords that have been unused in 90 or greater days be disabled. |
IAM |
IAMUser where RootUser eq False should not have ( Password . Enabled and Password . LastUsedTime isEarlierThan ( -90, "days" ) ) |
| Remote access: Ensure access keys unused for 90 days or greater are disabled | AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all access keys that have been unused in 90 or greater days be disabled. |
IAM |
IAMUser where RootUser eq False should not have AccessKey with [ Active and LastUsedTime isEarlierThan ( -90, "days" ) ] |
| Remote access: Ensure access keys are rotated every 90 days or less. | Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. It is recommended that all access keys be regularly rotated. |
IAM |
IAMUser should not have AccessKey with [ Active and LastRotatedTime isEarlierThan ( -90 , "days" ) ] |
| Identities and credentials: Ensure IAM password policy requires at least one uppercase letter. | Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one uppercase letter. |
IAM |
IAMPasswordPolicy should have Configured and RequireUppercaseCharacters |
| Identities and credentials: Ensure IAM password policy require at least one lowercase letter. | Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one lowercase letter. |
IAM |
IAMPasswordPolicy should have Configured and RequireLowercaseCharacters |
| Identities and credentials: Ensure IAM password policy require at least one symbol. | Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one symbol. |
IAM |
IAMPasswordPolicy should have Configured and RequireSymbols |
| Identities and credentials: Ensure IAM password policy require at least one number. | Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one number. |
IAM |
IAMPasswordPolicy should have Configured and RequireNumbers |
| Identities and credentials: Ensure IAM password policy requires minimum length of 14 or greater. | Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are at least a given length. It is recommended that the password policy require a minimum password length 14. |
IAM |
IAMPasswordPolicy should have Configured and MinimumPasswordLength >= 14 |
| Identities and credentials: Ensure IAM password policy prevents password reuse | IAM password policies can prevent the reuse of a given password by the same user. It is recommended that the password policy prevent the reuse of passwords. |
IAM |
IAMPasswordPolicy should have Configured and PasswordReusePrevention >= 24 |
| Identities and credentials: Ensure IAM password policy expires passwords within 90 days or less. | IAM password policies can require passwords to be rotated or expired after a given number of days. It is recommended that the password policy expire passwords after 90 days or less. |
IAM |
IAMPasswordPolicy should have Configured and ExpirePasswords and MaxPasswordAge <= 90 |
| Remote access: Ensure no root account access key exists. | The root account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. It is recommended that all access keys associated with the root account be removed. |
IAM |
IAMUser where RootUser eq True should not have AccessKey with [ Active eq True ] |
| Authentication: Ensure MFA is enabled for the "root" account. | The root account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a username and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. |
IAM |
IAMUser where RootUser eq True should have MFAActive eq true |
| Authentication: Ensure hardware MFA is enabled for the "root" account. | The root account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. For Level 2, it is recommended that the root account be protected with a hardware MFA. |
IAM |
IAMUser where RootUser eq True should have MFAActive eq true and MFADevices . Physical len ( ) gt 0 |
| Access permissions and authorizations: Ensure IAM policies are attached only to groups or roles. | By default, IAM users, groups, and roles have no access to AWS resources. IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended that IAM policies be applied directly to groups and roles but not users. |
IAM |
IAMUser should have ( Policies . Managed len ( ) eq 0 and Policies . Inline len ( ) eq 0 ) |
| Remote access: Do not setup access keys during initial user setup for all IAM users that have a console password | AWS console defaults the checkbox for creating access keys to enabled. This results in many access keys being generated unnecessarily. In addition to unnecessary credentials, it also generates unnecessary management work in auditing and rotating these keys. |
IAM |
IAMUser where Password . Enabled eq true should not have AccessKey with [ Active and CreatedByDefault ] |
| Access permissions and authorizations: Ensure IAM policies that allow full "*:*" administrative privileges are not created. | IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended and considered a standard security advice to grant least privilege — that is, granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform only those tasks, instead of allowing full administrative privileges. |
IAM |
IAMPolicy should not have Permissions . Statements with [ Action with [ value eq "*" ] and Resource with [ value eq "*" ] and Effect eq "Allow" ] and ( AttachedEntities . Groups len ( ) gt 0 or AttachedEntities . Roles len ( ) gt 0 or AttachedEntities . Users len ( ) gt 0 ) |
| Audit/log records: Ensure CloudTrail is enabled. | AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an account, including API calls made via the Management Console, SDKs, command line tools, and higher-level AWS services (such as CloudFormation) |
CloudTrail |
AWS should have atleast one CloudTrails with [ MultiRegionTrailEnabled and LoggingEnabled eq True ] |
| Secure audit trails so they cannot be altered : CloudTrail Log Files Lack Integrity Validation | Use file-integrity monitoring or change-detection on CloudTrail logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert). |
CloudTrail |
CloudTrail should have LogFileValidationEnabled |
| Audit/log records: Ensure the S3 bucket CloudTrail logs to is not publicly accessible | CloudTrail logs a record of every API call made in your AWS account. These logs file are stored in an S3 bucket. It is recommended that the bucket policy or access control list (ACL) applied to the S3 bucket that CloudTrail logs to prevents public access to the CloudTrail logs |
S3 CloudTrail |
CloudTrail should not have S3Bucket . ACL with [ ( Permission eq "WRITE" or Permission eq "WRITE_ACP" or Permission eq "READ" or Permission eq "READ_ACP" or Permission eq "FULL_CONTROL" ) and Grantee. URI eq "http://acs.amazonaws.com/groups/global/AllUsers" ] or S3Bucket . BucketPolicy with [ Statement with [ Effect eq "Allow" and Principal with [ value eq "*" ] and Conditions len ( ) eq 0 ] ] |
| Audit/log records: Ensure CloudTrail trails are integrated with CloudWatch Logs | AWS CloudTrail is a web service that records AWS API calls made in a given AWS account.The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail uses Amazon S3 for log file storage and delivery, so log files are stored durably. In addition to capturing CloudTrail logs within a specified S3 bucket for long term analysis, realtime analysis can be performed by configuring CloudTrail to send logs to CloudWatch Logs. For a trail that is enabled in all regions in an account, CloudTrail sends log files from all those regions to a CloudWatch Logs log group. It is recommended that CloudTrail logs be sent to CloudWatch Logs. |
CloudTrail |
CloudTrail should have LogGroup . CreationDate gt 0 |
| Audit/log records: Ensure AWS Config is enabled in all regions | AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), any configuration changes between resources. The AWS configuration item history captured by AWS Config enables security analysis, resource change tracking, and compliance auditing. It is recommended to enable AWS Config be enabled in all regions. |
CloudTrail Config |
AWS should have ( ConfigRecorders with [ Status and RecordingGroup . AllSupported ] ) and ConfigDeliveryChannels with [ StreamDelivery . LastSuccess and HistoryDelivery . LastSuccess ] |
| Implement automated audit trails for all system components : CloudTrail - Lack of API Access Logging | Implement automated audit trails for all system components to reconstruct the following events : All individual user accesses to cardholder data ; All actions taken by any individual with root or administrative privileges ; Access to all audit trails ; Invalid logical access attempts ; Use of and changes to identification and authentication mechanisms ; Initialization, stopping, or pausing of the audit logs ; Creation and deletion of system-level objects. |
S3 CloudTrail |
CloudTrail should have S3Bucket . LoggingEnabled |
| Audit/log records: Ensure CloudTrail logs are encrypted at rest using KMS CMKs | AWS CloudTrail is a web service that records AWS API calls for an account and makes those logs available to users and resources in accordance with IAM policies. AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data, and uses Hardware Security Modules (HSMs) to protect the security of encryption keys. CloudTrail logs can be configured to leverage server side encryption (SSE) and KMS customer created master keys (CMK) to further protect CloudTrail logs. It is recommended that CloudTrail be configured to use SSE-KMS |
CloudTrail |
CloudTrail should have KMSKey . Enabled |
| Data-at-rest is protected: Ensure rotation for customer created CMKs is enabled | AWS Key Management Service (KMS) allows customers to rotate the backing key which is key material stored within the KMS which is tied to the key ID of the Customer Created customer master key (CMK). It is the backing key that is used to perform cryptographic operations such as encryption and decryption. Automated key rotation currently retains all prior backing keys so that decryption of encrypted data can take place transparently. It is recommended that CMK key rotation be enabled |
KMS |
KMSKey where Description notlike "Default master key that protects my.*" should have RotationEnabled |
| Baseline network operations and data flows: Ensure VPC flow logging is enabled in all VPCs | VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. It is recommended that VPC Flow Logs be enabled for packet 'Rejects' for VPCs. |
EC2 |
VPC should have atleast one FlowLogs with [ Status eq "ACTIVE" ] |
| Remote access: Ensure a log metric filter and alarm exist for unauthorized API calls | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for unauthorized API calls. |
CloudWatch CloudTrail |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.errorCode\s*=\s*\"\*UnauthorizedOperation\"\)\s*\|\|\s*\(\$\.errorCode\s*=\s*\"AccessDenied\*\"\)\s*\|\|\s*\(\$\.sourceIPAddress\s*!=\s*\"delivery\.logs\.amazonaws\.com\"\)\s*\|\|\s*\(\$\.eventName\s*!=\s*\"HeadBucket\"\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Identities and credentials: Ensure a log metric filter and alarm exist for Management Console sign-in without MFA | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for console logins that are not protected by multi-factor authentication (MFA) |
CloudWatch CloudTrail |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*\"ConsoleLogin\"\)\s*\&\&\s*\(\$\.additionalEventData\.MFAUsed\s*!=\s*\"Yes\"\)\s*\&\&\s*\(\$\.userIdentity\.type\s*=\s*\"IAMUser\"\)\s*\&\&\s*\(\$\.responseElements\.ConsoleLogin\s*=\s*\"Success\"\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Identities and credentials: Ensure a log metric filter and alarm exist for usage of "root" account | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for root login attempts |
CloudTrail CloudWatch |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "{\s*\$\.userIdentity\.type\s*=\s*\"Root\"\s*\&\&\s*\$\.userIdentity\.invokedBy\s*NOT\s*EXISTS\s*\&\&\s*\$\.eventType\s*!=\s*\"AwsServiceEvent\"\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Identities and credentials: Ensure a log metric filter and alarm exist for IAM policy changes | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established changes made to Identity and Access Management (IAM) policies. |
CloudWatch CloudTrail |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*DeleteGroupPolicy\)\|\|\(\$\.eventName\s*=\s*DeleteRolePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteUserPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutGroupPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutRolePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutUserPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreatePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeletePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreatePolicyVersion\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeletePolicyVersion\)\s*\|\|\s*\(\$\.eventName\s*=\s*AttachRolePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DetachRolePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*AttachUserPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DetachUserPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*AttachGroupPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DetachGroupPolicy\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Audit/log records: Ensure a log metric filter and alarm exist for CloudTrail configuration changes | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations. |
CloudWatch CloudTrail |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*CreateTrail\)\s*\|\|\s*\(\$\.eventName\s*=\s*UpdateTrail\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteTrail\)\s*\|\|\s*\(\$\.eventName\s*=\s*StartLogging\)\s*\|\|\s*\(\$\.eventName\s*=\s*StopLogging\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Identities and credentials: Ensure a log metric filter and alarm exist for AWS Management Console authentication failures | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for failed console authentication attempts. |
CloudTrail CloudWatch |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*ConsoleLogin\)\s*\&\&\s*\(\$\.errorMessage\s*=\s*\"Failed\s*authentication\"\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Data-at-rest is protected: Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for customer created CMKs which have changed state to disabled or scheduled deletion. |
CloudWatch CloudTrail |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventSource\s*=\s*kms\.amazonaws\.com\)\s*\&\&\s*\(\(\$\.eventName=DisableKey\)\s*\|\|\s*\(\$\.eventName=ScheduleKeyDeletion\)\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Ensure a log metric filter and alarm exist for S3 bucket policy changes | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for changes to S3 bucket policies. |
CloudTrail CloudWatch |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventSource\s*=\s*s3\.amazonaws\.com\)\s*\&\&\s*\(\(\$\.eventName\s*=\s*PutBucketAcl\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutBucketPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutBucketCors\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutBucketLifecycle\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutBucketReplication\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteBucketPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteBucketCors\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteBucketLifecycle\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteBucketReplication\)\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Audit/log records: Ensure a log metric filter and alarm exist for AWS Config configuration changes | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations. |
CloudWatch CloudTrail |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventSource\s*=\s*config\.amazonaws\.com\)\s*\&\&\s*\(\(\$\.eventName=StopConfigurationRecorder\)\s*\|\|\s*\(\$\.eventName=DeleteDeliveryChannel\)\s*\|\|\(\$\.eventName=PutDeliveryChannel\)\s*\|\|\s*\(\$\.eventName=PutConfigurationRecorder\)\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Network integrity: Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. NACLs are used as a stateless packet filter to control ingress and egress traffic for subnets within a VPC. It is recommended that a metric filter and alarm be established for changes made to NACLs. |
CloudWatch CloudTrail |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*CreateNetworkAcl\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreateNetworkAclEntry\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteNetworkAcl\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteNetworkAclEntry\)\s*\|\|\s*\(\$\.eventName\s*=\s*ReplaceNetworkAclEntry\)\s*\|\|\s*\(\$\.eventName\s*=\s*ReplaceNetworkAclAssociation\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Network integrity: Ensure a log metric filter and alarm exist for changes to network gateways | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Network gateways are required to send/receive traffic to a destination outside of a VPC. It is recommended that a metric filter and alarm be established for changes to network gateways. |
CloudWatch CloudTrail |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*CreateCustomerGateway\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteCustomerGateway\)\s*\|\|\s*\(\$\.eventName\s*=\s*AttachInternetGateway\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreateInternetGateway\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteInternetGateway\)\s*\|\|\s*\(\$\.eventName\s*=\s*DetachInternetGateway\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Network integrity: Ensure a log metric filter and alarm exist for route table changes | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Routing tables are used to route network traffic between subnets and to network gateways. It is recommended that a metric filter and alarm be established for changes to route tables. |
CloudTrail CloudWatch |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*CreateRoute\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreateRouteTable\)\s*\|\|\s*\(\$\.eventName\s*=\s*ReplaceRoute\)\s*\|\|\s*\(\$\.eventName\s*=\s*ReplaceRouteTableAssociation\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteRouteTable\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteRoute\)\s*\|\|\s*\(\$\.eventName\s*=\s*DisassociateRouteTable\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Network integrity: Ensure a log metric filter and alarm exist for VPC changes | Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is possible to have more than 1 VPC within an account, in addition it is also possible to create a peer connection between 2 VPCs enabling network traffic to route between VPCs. It is recommended that a metric filter and alarm be established for changes made to VPCs. |
CloudTrail CloudWatch |
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*CreateVpc\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteVpc\)\s*\|\|\s*\(\$\.eventName\s*=\s*ModifyVpcAttribute\)\s*\|\|\s*\(\$\.eventName\s*=\s*AcceptVpcPeeringConnection\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreateVpcPeeringConnection\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteVpcPeeringConnection\)\s*\|\|\s*\(\$\.eventName\s*=\s*RejectVpcPeeringConnection\)\s*\|\|\s*\(\$\.eventName\s*=\s*AttachClassicLinkVpc\)\s*\|\|\s*\(\$\.eventName\s*=\s*DetachClassicLinkVpc\)\s*\|\|\s*\(\$\.eventName\s*=\s*DisableVpcClassicLink\)\s*\|\|\s*\(\$\.eventName\s*=\s*EnableVpcClassicLink\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ] |
| Communications and control network protection: Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 | Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to port 22. |
EC2 |
SecurityGroup should not have InboundRules with [ IPRanges with [ IP eq 0.0.0.0/0 ] and ( FromPort lte 22 and ToPort gte 22 ) and Protocol in ("-1", "tcp") ] |
| Communications and control network protection: Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 | Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to port 3389. |
EC2 |
SecurityGroup should not have InboundRules with [ IPRanges with [ IP eq 0.0.0.0/0 ] and ( FromPort lte 3389 and ToPort gte 3389 ) and Protocol in ("-1", "udp", "tcp") ] |
| Ensure the default security group of every VPC restricts all traffic | A VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that the default security group restrict all traffic. The default VPC in every region should have it's default security group updated to comply. Any newly created VPCs will automatically contain a default security group that will need remediation to comply with this recommendation. |
EC2 |
SecurityGroup where Name eq "default" should have InboundRules len ( ) eq 0 and OutboundRules len ( ) eq 0 |
| Personnel know response roles/operations: Ensure a support role has been created to manage incidents with AWS Support | AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. Create an IAM Role to allow authorized users to manage incidents with AWS Support. |
IAM |
AWS should have atleast one IAMPolicies with [ id eq "arn:aws:iam::aws:policy/AWSSupportAccess" and AttachedEntities . Roles len ( ) gt 0 ] |