Netskope

AWS Predefined Rules



Name: Ensure EC2 Instance does not have open DNS port
Description: DNS Port 53 of an EC2 Instance should not be open to the public.
Service: EC2
Rule: EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1", "udp") and ( FromPort lte 53 and ToPort gte 53 ) ] ]

Name: Ensure EC2 Instance does not have open MongoDB port
Description: MongoDB Ports 27017, 27018, 27019 of an EC2 Instance should not be open to the public.
Service: EC2
Rule: EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1", "tcp") and ( (FromPort lte 27019 and ToPort gte 27017) ) ] ]

Name: Communications and control network protection: Ensure no rule exists which allows all ingress traffic in default Network ACL
Description: Network ACLs are designed to provide a secondary layer of security. Adding a rule that allows all network traffic (all protocols, IPs, and sources) prior to any deny rule defeats the purpose of network ACLs.
Service: EC2
Rule: NetworkACL should not have IsDefault eq true and Rules with [ RuleAction eq "allow" and Protocol eq "-1" and Egress eq False and CidrBlock eq 0.0.0.0/0 ]

Name: Ensure EC2 Instance does not have open NFS port
Description: NFS Ports 2049 and 111 of an EC2 Instance should not be open to the public.
Service: EC2
Rule: EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1","udp","tcp") and ( (FromPort lte 2049 and ToPort gte 2049) or (FromPort lte 111 and ToPort gte 111)) ] ]

Name: Ensure EC2 Instance does not have open SMTP port
Description: SMTP Port 25 of an EC2 Instance should not be open to the public.
Service: EC2
Rule: EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1","tcp") and ( (FromPort lte 25 and ToPort gte 25) ) ] ]

Name: Communications and control network protection: Ensure no rule exists which allows all ingress traffic in Network ACL which is associated with a subnet
Description: Network ACLs are designed to provide a secondary layer of security. Adding a rule that allows all network traffic (all protocols, IPs, and sources) prior to any deny rule defeats the purpose of network ACLs. Network ACLs associated with subnets and VPCs should not allow all ingress traffic.
Service: EC2
Rule: NetworkACL where Subnets len( ) gt 0 should not have Rules with [ Egress eq False and RuleAction eq "allow" and Protocol eq "-1" and CidrBlock eq 0.0.0.0/0 ]

Name: Ensure EC2 Instance does not have open UDP ports
Description: UDP Ports 22, 80, 443, 1433, 1521, 3306, 3389, 5432, 27017, 27018, 27019 of an EC2 Instance should not be open to the public.
Service: EC2
Rule: EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1", "udp") and ( ( FromPort lte 22 and ToPort gte 22) or ( FromPort lte 80 and ToPort gte 80) or ( FromPort lte 443 and ToPort gte 443) or ( FromPort lte 1433 and ToPort gte 1433) or ( FromPort lte 1521 and ToPort gte 1521) or ( FromPort lte 3306 and ToPort gte 3306) or ( FromPort lte 3389 and ToPort gte 3389) or ( FromPort lte 5432 and ToPort gte 5432) or ( FromPort lte 27019 and ToPort gte 27017) ) ] ]

Name: Ensure SNS Topics do not have Policies containing AddPermission Action to all principals
Description: SNS Topic should not have a Policy with the AddPermission Action authorized to all principals.
Service: SNS
Rule: SNSTopic should not have Policy . Statement with [ Effect eq "Allow" and ( Action has ( "SNS:AddPermission" ) or Action has ( "sns:AddPermission" ) or Action has ( "SNS:*" ) or Action has ( "sns:*" ) ) and Principal has ( "*" ) and Conditions len ( ) eq 0 ]
Name: Ensure CloudWatch alarm has at least one Action
Description: Each CloudWatch alarm should have at least one action.
Service: CloudWatch
Rule: MetricAlarm should have AlarmActions with [ SNSTopic . id ]

Name: Establish an access control system(s): IAM Policies with Effect Allow and NotActions
Description: Establish an access control system(s) for system components that restricts access based on a user's need to know, and is set to "deny all" unless specifically allowed.
Service: IAM
Rule: IAMPolicy should not have Permissions . Statements with [ Effect eq "Allow" and ( NotAction len ( ) gt 0 or Action with [ value eq "*" ] ) ] and ( AttachedEntities . Groups len ( ) gt 0 or AttachedEntities . Roles len ( ) gt 0 or AttachedEntities . Users len ( ) gt 0 )

Name: Ensure ChangeMessageVisibility Action is not authorized to all principals in SQS Queue Policy
Description: SQS Queue Policy should not have the ChangeMessageVisibility action authorized to all principals.
Service: SQS
Rule: SQSQueue should not have SQSPolicy with [ Statement with [ ( Action has ( "SQS:ChangeMessageVisibility" ) or Action has ( "SQS:*" ) or Action has ( "sqs:ChangeMessageVisibility" ) or Action has ( "sqs:*" ) ) and Effect eq "Allow" and Principal has ( "*" ) and Conditions len ( ) eq 0 ] ]

Name: Access permissions and authorizations: Ensure Redshift Clusters are not Publicly accessible
Description: Redshift Clusters should not be accessible to the public.
Service: Redshift
Rule: RedShiftCluster should not have Access eq "Public"

Name: Ensure Delete Action is not authorized to all principals in S3 Bucket Policy
Description: S3 Bucket Policy should not have the Delete action authorized to all principals.
Service: S3
Rule: S3Bucket should not have BucketPolicy with [ Statement with [ ( Action has ( "s3:Delete*" ) or Action has ("S3:Delete*") or Action has ("S3:*") or Action has ("s3:*") ) and Effect eq "Allow" and Principal has ( "*" ) and Conditions len ( ) eq 0 ] ]

Name: Ensure Delete Message Action is not authorized to all principals in SQS Queue Policy
Description: SQS Queue Policy should not have the DeleteMessage action authorized to all principals.
Service: SQS
Rule: SQSQueue should not have SQSPolicy with [ Statement with [ ( Action has ( "SQS:DeleteMessage" ) or Action has ( "SQS:*" ) or Action has ( "sqs:DeleteMessage" ) or Action has ( "sqs:*" ) ) and Effect eq "Allow" and Principal has ( "*" ) and Conditions len ( ) eq 0 ] ]

Name: Ensure SNS Topics do not have Policies containing Delete Topic Action to all principals
Description: SNS Topic should not have a Policy with the DeleteTopic Action authorized to all principals.
Service: SNS
Rule: SNSTopic should not have Policy . Statement with [ Effect eq "Allow" and ( Action has ( "SNS:DeleteTopic" ) or Action has ( "sns:DeleteTopic" ) or Action has ( "SNS:*" ) or Action has ( "sns:*" ) ) and Principal has ( "*" ) and Conditions len ( ) eq 0 ]

Name: Ensure Domain Auto Renew is enabled
Description: To ensure that the domain is always up, enable Auto Domain Renewal.
Service: Route53
Rule: Route53Domain should have AutoRenew

Name: Ensure Domain Transfer Lock is enabled
Description: Lock a domain to prevent unauthorized transfer to another registrar.
Service: Route53
Rule: Route53Domain should have TransferLock

Name: Ensure Get Action is not authorized to all principals in S3 Bucket Policy
Description: S3 Bucket Policy should not have the Get action authorized to all principals.
Service: S3
Rule: S3Bucket should not have BucketPolicy with [ Statement with [ ( Action has ( "s3:GetObject*" ) or Action has ( "S3:GetObject*" ) or Action has ( "s3:*" ) or Action has ( "S3:*" ) ) and Effect eq "Allow" and Principal has ( "*" ) and Conditions len ( ) eq 0 ] ]

Name: Ensure Get Queue Attribute Action is not authorized to all principals in SQS Queue Policy
Description: SQS Queue Policy should not have the GetQueueAttributes action authorized to all principals.
Service: SQS
Rule: SQSQueue should not have SQSPolicy with [ Statement with [ ( Action has ( "SQS:GetQueueAttributes" ) or Action has ( "SQS:*" ) ) and Effect eq "Allow" and Principal has ( "*" ) and Conditions len ( ) eq 0 ] ]

Name: Ensure Get Queue URL Action is not authorized to all principals in SQS Queue Policy
Description: SQS Queue Policy should not have the GetQueueUrl action authorized to all principals.
Service: SQS
Rule: SQSQueue should not have SQSPolicy with [ Statement with [ ( Action has ( "SQS:GetQueueUrl" ) or Action has ( "sqs:GetQueueUrl" ) or Action has ( "SQS:*" ) or Action has ( "sqs:*" ) ) and Effect eq "Allow" and Principal has ( "*" ) and Conditions len ( ) eq 0 ] ]

Name: Ensure Deletion Protection is enabled on Elastic Load Balancer
Description: Enabling deletion protection on load balancers mitigates the risk of accidental deletion.
Service: ElasticLoadBalancer
Rule: ElasticLoadBalancer should have DeletionProtection

Name: Ensure List Action is not authorized to all principals in S3 Bucket Policy
Description: S3 Bucket Policy should not have the List action authorized to all principals.
Service: S3
Rule: S3Bucket should not have BucketPolicy with [ Statement with [ ( Action has ("s3:ListBucket*" ) or Action has ("S3:ListBucket*" ) or Action has ("s3:*" ) or Action has ("S3:*" ) ) and Effect eq "Allow" and Principal has ( "*" ) and Conditions len ( ) eq 0 ] ]

Name: Ensure Manage Action is not authorized to all principals in S3 Bucket Policy
Description: S3 Bucket Policy should not have the Manage (s3:Put*) action authorized to all principals.
Service: S3
Rule: S3Bucket should not have BucketPolicy with [ Statement with [ ( Action has ("s3:Put*" ) or Action has ("S3:Put*" ) or Action has ("s3:*" ) or Action has ("S3:*" ) ) and Effect eq "Allow" and Principal has ( "*" ) and Conditions len ( ) eq 0 ] ]

Name: Ensure default security groups of EC2Instances contain rules
Description: Non-empty rule sets for default security groups should not exist.
Service: EC2
Rule: EC2Instance where SecurityGroups with [ Name eq "default" ] should not have SecurityGroups with [ InboundRules len ( ) neq 0 or OutboundRules len ( ) neq 0 ]
Name: Data-in-transit is protected: Ensure older SSL/TLS policies are not used with Elastic Load Balancers
Description: Older SSL/TLS policies should not be used as the Elastic Load Balancer Security Policy.
Service: ElasticLoadBalancer
Rule: ElasticLoadBalancer should have SslPolicy in ( "ELBSecurityPolicy-2016-08", "ELBSecurityPolicy-TLS-1-2-2017-01", "ELBSecurityPolicy-TLS-1-1-2017-01" )

Name: Access permissions and authorizations: Ensure RDS Instances do not have Publicly Accessible Snapshots
Description: RDS Instances should not have publicly accessible snapshots.
Service: RDS
Rule: RDSInstance should not have Snapshots with [ PubliclyAccessible ]

Name: Ensure SNS Topics do not have Policies containing Publish Action to all principals
Description: SNS Topic should not have a Policy with the Publish Action authorized to all principals.
Service: SNS
Rule: SNSTopic should not have Policy . Statement with [ Effect eq "Allow" and ( Action has ( "SNS:Publish" ) or Action has ( "sns:Publish" ) or Action has ( "SNS:*" ) or Action has ( "sns:*" ) ) and Principal has ( "*" ) and Conditions len ( ) eq 0 ]

Name: Ensure PurgeQueue Action is not authorized to all principals in SQS Queue Policy
Description: SQS Queue should not have a Policy with the PurgeQueue Action authorized to all principals.
Service: SQS
Rule: SQSQueue should not have SQSPolicy with [ Statement with [ ( Action has ( "SQS:PurgeQueue" ) or Action has ( "sqs:PurgeQueue" ) or Action has ( "SQS:*" ) or Action has ( "sqs:*" ) ) and Effect eq "Allow" and Principal has ( "*" ) and Conditions len ( ) eq 0 ] ]

Name: Ensure Put Action is not authorized to all principals in S3 Bucket Policy
Description: S3 Bucket Policy should not have the Put action authorized to all principals.
Service: S3
Rule: S3Bucket should not have BucketPolicy with [ Statement with [ ( Action has ("s3:PutObject*" ) or Action has ("S3:PutObject*" ) or Action has ("s3:*" ) or Action has ("S3:*" )) and Effect eq "Allow" and Principal has ( "*" ) and Conditions len ( ) eq 0 ] ]

Name: Ensure SNS Topics do not have Policies containing Receive Action to all principals
Description: SNS Topic should not have a Policy with the Receive Action authorized to all principals.
Service: SNS
Rule: SNSTopic should not have Policy . Statement with [ Effect eq "Allow" and ( Action has ( "SNS:Receive" ) or Action has ( "sns:Receive" ) or Action has ( "SNS:*" ) or Action has ( "sns:*" ) ) and Principal has ( "*" ) and Conditions len ( ) eq 0 ]

Name: Ensure ReceiveMessage Action is not authorized to all principals in SQS Queue Policy
Description: SQS Queue Policy should not have the ReceiveMessage action authorized to all principals.
Service: SQS
Rule: SQSQueue should not have SQSPolicy with [ Statement with [ ( Action has ( "SQS:ReceiveMessage" ) or Action has ( "sqs:ReceiveMessage" ) or Action has ( "SQS:*" ) or Action has ( "sqs:*" ) ) and Effect eq "Allow" and Principal has ( "*" ) and Conditions len ( ) eq 0 ] ]

Name: Ensure SNS Topics do not have Policies containing Remove Permission Action to all principals
Description: SNS Topic should not have a Policy with the RemovePermission Action authorized to all principals.
Service: SNS
Rule: SNSTopic should not have Policy . Statement with [ Effect eq "Allow" and ( Action has ( "SNS:RemovePermission" ) or Action has ( "sns:RemovePermission" ) or Action has ( "SNS:*" ) or Action has ( "sns:*" ) ) and Principal has ( "*" ) and Conditions len ( ) eq 0 ]

Name: Ensure roles are not passed to CloudFormation stacks
Description: Passing a role to CloudFormation stacks may result in privilege escalation, because IAM users with privileges within the CloudFormation scope implicitly inherit the stack role's permissions.
Service: CloudFormation
Rule: CloudFormation where Status in ("CREATE_COMPLETE", "UPDATE_COMPLETE") should not have StackRole . id

Name: Ensure SendEmail Action in SES Policy is not authorized to all principals
Description: SES should not have a Policy with the SendEmail action authorized to all principals.
Service: SES
Rule: SESIdentity should not have Policy with [ Statement with [ Effect eq "Allow" and ( Action has ( "ses:SendEmail" ) or Action has ( "ses:SendRawEmail" ) ) and Principal has ( "*" ) and Conditions len ( ) eq 0 ] ]

Name: Ensure SendMessage Action is not authorized to all principals in SQS Queue Policy
Description: SQS Queue Policy should not have the SendMessage action authorized to all principals.
Service: SQS
Rule: SQSQueue should not have SQSPolicy with [ Statement with [ ( Action has ( "SQS:SendMessage" ) or Action has ( "sqs:SendMessage" ) or Action has ( "SQS:*" ) or Action has ( "sqs:*" ) ) and Effect eq "Allow" and Principal has ( "*" ) and Conditions len ( ) eq 0 ] ]

Name: Ensure SNS Topics do not have Policies containing Set Topic Attribute Action to all principals
Description: SNS Topic should not have a Policy with the SetTopicAttributes Action authorized to all principals.
Service: SNS
Rule: SNSTopic should not have Policy . Statement with [ Effect eq "Allow" and ( Action has ( "SNS:SetTopicAttributes" ) or Action has ( "sns:SetTopicAttributes" ) or Action has ( "SNS:*" ) or Action has ( "sns:*" ) ) and Principal has ( "*" ) and Conditions len ( ) eq 0 ]

Name: Backups of information: Ensure Backup Retention Period is set greater than or equal to 30 days.
Description: Setting the Backup Retention Period of an RDS Instance to a value greater than or equal to 30 ensures the safety of data.
Service: RDS
Rule: RDSInstance should not have BackupRetentionPeriod lt 30

Name: Ensure SNS Topics do not have Policies containing Subscribe Action to all principals
Description: SNS Topic should not have a Policy with the Subscribe Action authorized to all principals.
Service: SNS
Rule: SNSTopic should not have Policy . Statement with [ Effect eq "Allow" and ( Action has ( "SNS:Subscribe" ) or Action has ( "sns:Subscribe" ) or Action has ( "SNS:*" ) or Action has ( "sns:*" ) ) and Principal has ( "*" ) and Conditions len ( ) eq 0 ]

Name: Ensure unused role for EC2Instance does not exist
Description: IAMRoles which are not attached to any EC2Instance should not exist.
Service: IAM
Rule: IAMRole should not have InstanceProfile with [ InstanceCount eq 0 ]

Name: Ensure that no inline policy is attached to an IAMUser
Description: IAMUsers should not have any Inline policy attached to them.
Service: IAM
Rule: IAMUser should not have Policies . Inline len ( ) > 0

Name: Ensure that an IAMUser has no more than 1 Active API Key
Description: IAMUsers should not have multiple active API keys.
Service: IAM
Rule: IAMUser should not have every AccessKey with [ Active eq true]
Name: Vulnerability management plan: Ensure Allow Version Upgrade is set to yes for Redshift Cluster
Description: Redshift Clusters should have Version Upgrade set to avoid missing important security updates.
Service: Redshift
Rule: RedShiftCluster should have AllowVersionUpgrade

Name: Ensure EC2 Instance does not have open MySQL port
Description: MySQL Port 3306 of an EC2 Instance should not be open to the public.
Service: EC2
Rule: EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1", "tcp") and ( (FromPort lte 3306 and ToPort gte 3306) ) ] ]

Name: Ensure EC2 Instance does not have open SQL Server port
Description: SQL Server Port 1433 of an EC2 Instance should not be open to the public.
Service: EC2
Rule: EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1", "tcp") and ( (FromPort lte 1433 and ToPort gte 1433) ) ] ]

Name: Ensure EC2 Instance does not have open OracleDb port
Description: OracleDb Port 1521 of an EC2 Instance should not be open to the public.
Service: EC2
Rule: EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1","tcp") and ( (FromPort lte 1521 and ToPort gte 1521) ) ] ]

Name: Ensure EC2 Instance does not have open PostgreSQL port
Description: PostgreSQL Port 5432 of an EC2 Instance should not be open to the public.
Service: EC2
Rule: EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1","tcp") and ( (FromPort lte 5432 and ToPort gte 5432) ) ] ]

Name: Ensure EC2 Instance does not have open RDP port
Description: RDP Port 3389 of an EC2 Instance should not be open to the public.
Service: EC2
Rule: EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1","udp","tcp") and ( (FromPort lte 3389 and ToPort gte 3389) ) ] ]

Name: Ensure EC2 Instance does not have open SSH port
Description: SSH Port 22 of an EC2 Instance should not be open to the public.
Service: EC2
Rule: EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1","tcp") and ( (FromPort lte 22 and ToPort gte 22) ) ] ]

Name: Data-at-rest is protected: Ensure RDS encryption is enabled
Description: Ensure RDS encryption is enabled.
Service: RDS
Rule: RDSInstance should have StorageEncrypted eq true

Name: Communications and control network protection: Ensure RDS instances are not in public subnets
Description: Ensure RDS instances are not in public subnets.
Service: RDS
Rule: RDSInstance should not have Access eq "Public"

Name: Ensure RDS database instances have detailed monitoring enabled
Description: Ensure RDS database instances have detailed monitoring enabled.
Service: RDS
Rule: RDSInstance should not have MonitoringInterval eq 0

Name: Data-at-rest is protected: Ensure RDS instance snapshots are encrypted
Description: Ensure RDS instance snapshots are encrypted.
Service: RDS
Rule: RDSInstance should have every Snapshots with [ Encrypted eq true ]

Name: Backups of information: Ensure DynamoDB tables are backed up
Description: Ensure DynamoDB tables are backed up.
Service: Dynamo
Rule: DynamoDBTable should have BackedUp eq true

Name: Backups of information: Ensure DynamoDB tables have point in time recovery enabled
Description: Ensure DynamoDB tables have point in time recovery enabled.
Service: Dynamo
Rule: DynamoDBTable should have PointInTimeRecovery eq "ENABLED"

Name: Data-at-rest is protected: Ensure DynamoDB tables are encrypted at rest
Description: Ensure DynamoDB tables are encrypted at rest.
Service: Dynamo
Rule: DynamoDBTable should have SSEDescription . Status eq "ENABLED"

Name: Ensure Amazon Redshift clusters are launched within a Virtual Private Cloud (VPC)
Description: Ensure Amazon Redshift clusters are launched within a Virtual Private Cloud (VPC).
Service: RedShift
Rule: RedShiftCluster should have VPC len ( ) gt 0

Name: Ensure automated snapshots are enabled for Redshift clusters
Description: Ensure automated snapshots are enabled for Redshift clusters.
Service: RedShift
Rule: RedShiftCluster should have AutomatedSnapshotRetentionPeriod gt 0

Name: Ensure Amazon Redshift clusters are not using port 5439 (default port) for database access.
Description: Ensure Amazon Redshift clusters are not using port 5439 (default port) for database access.
Service: RedShift
Rule: RedShiftCluster should not have Port eq 5439
Name: Data-in-transit is protected: Ensure encryption in transit is enabled for lambda functions using environmental variables.
Description: Ensure encryption in transit is enabled for Lambda functions that use environment variables.
Service: Lambda
Rule: Lambda where ( Environment len() > 0 ) should have KMSKey.id

Name: Ensure Lambda functions do not have administrative level execution privileges.
Description: Ensure Lambda functions do not have administrative level execution privileges.
Service: Lambda
Rule: Lambda should not have AdminPrivileges eq True

Name: Ensure EKS Clusters have logging enabled.
Description: Ensure EKS Clusters have logging enabled.
Service: EKSCluster
Rule: EKSCluster should have Logging . ClusterLogging with [ Type has ( "api", "audit", "authenticator", "controllerManager", "scheduler") and Enabled eq true ]

Name: Ensure unattached EBS volumes are removed.
Description: Ensure unattached EBS volumes are removed.
Service: EC2Instance
Rule: Volume should not have Attachments len ( ) eq 0

Name: Ensure EBS Snapshots are encrypted.
Description: Ensure EBS Snapshots are encrypted.
Service: EC2Instance
Rule: Volume should have Snapshot . Encrypted eq true

Name: Ensure Lambda functions have an associated Tag.
Description: Ensure Lambda functions have an associated Tag.
Service: Lambda
Rule: Lambda should not have Tags len( ) eq 0

Name: Ensure Lambda execution role has permissions to log to CloudWatch.
Description: Ensure Lambda execution role has permissions to log to CloudWatch.
Service: Lambda
Rule: Lambda should have IAMRole . Policies . Inline with [ PolicyDocument . Statements with [ Effect eq "Allow" and Resource with [ value eq "*" ] and Action with [ value eq "logs:CreateLogGroup" ] and Action with [ value eq "logs:CreateLogStream" ] and Action with [ value eq "logs:PutLogEvents" ] ] ] or IAMRole . Policies . Managed with [ id like "AWSLambdaBasicExecutionRole" ]

Name: Ensure Lambda execution role does not have IAM admin permissions.
Description: Ensure Lambda execution role does not have IAM admin permissions.
Service: Lambda
Rule: Lambda should not have IAMRole . Policies . Inline with [ PolicyDocument . Statements with [ Effect eq "Allow" and Resource with [ value eq "*" ] and Action with [ value eq "iam:*" ] ] ] or IAMRole . Policies . Managed with [ id like "IAMFullAccess" ]

Name: Ensure Lambda execution role does not have full admin permissions.
Description: Ensure Lambda execution role does not have full admin permissions.
Service: Lambda
Rule: Lambda should not have IAMRole . Policies . Inline with [ PolicyDocument . Statements with [ Effect eq "Allow" and Resource with [ value eq "*" ] and Action with [ value eq "*" ] ] ] or IAMRole . Policies . Managed with [ id like "AdministratorAccess" ]

Name: Ensure CloudTrail logs to S3Bucket without any failures.
Description: Alert if any Error is encountered by CloudTrail while logging to the designated S3Bucket.
Service: S3, CloudTrail
Rule: CloudTrail should have LatestDeliveryError eq "None"

Name: Ensure CloudTrail sends SNS notifications without any failures.
Description: Alert if any Error is encountered by CloudTrail when attempting to send an SNS notification.
Service: SNS, CloudTrail
Rule: CloudTrail should have LatestNotificationError eq "None"

Name: Ensure CloudTrail logging bucket has Multi-Factor Authentication (MFA) Enabled.
Description: Ensure that your AWS CloudTrail logging bucket uses the Multi-Factor Authentication (MFA) Delete feature in order to prevent the deletion of any versioned log files.
Service: S3, CloudTrail
Rule: CloudTrail should have S3Bucket . BucketVersioning . MFADelete eq "Enabled"

Name: Ensure VPC Flow Log records are successfully published to a CloudWatch log group or an Amazon S3 bucket.
Description: Ensure VPC Flow Log records are successfully published to a CloudWatch log group or an Amazon S3 bucket.
Service: EC2
Rule: VPCFlow where Status eq "ACTIVE" should have DeliverLogsStatus eq "SUCCESS"

Name: Ensure S3 Bucket is not publicly accessible.
Description: Ensure S3 Bucket is not publicly accessible.
Service: S3
Rule: S3Bucket should not have Access eq "Public"

Name: Ensure no user has the AdministratorAccess policy
Description: Ensure users are not attached to the overly privileged AdministratorAccess IAM policy.
Service: IAM
Rule: IAMUser should not have Policies . Managed with [ id eq "arn:aws:iam::aws:policy/AdministratorAccess" ]

Name: Ensure EC2 Instance does not have open TCP ports
Description: TCP Ports 22, 80, 443, 1433, 1521, 3306, 3389, 5432, 27017, 27018, 27019 of an EC2 Instance should not be open to the public.
Service: EC2
Rule: EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1", "tcp") and ( ( FromPort lte 22 and ToPort gte 22) or ( FromPort lte 80 and ToPort gte 80) or ( FromPort lte 443 and ToPort gte 443) or ( FromPort lte 1433 and ToPort gte 1433) or ( FromPort lte 1521 and ToPort gte 1521) or ( FromPort lte 3306 and ToPort gte 3306) or ( FromPort lte 3389 and ToPort gte 3389) or ( FromPort lte 5432 and ToPort gte 5432) or ( FromPort lte 27019 and ToPort gte 27017) ) ] ]

Name: Personnel know response roles/operations: Ensure a support role has been created to manage incidents with AWS Support
Description: AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. Create an IAM Role to allow authorized users to manage incidents with AWS Support.
Service: IAM
Rule: AWS should have atleast one IAMPolicies with [ id eq "arn:aws:iam::aws:policy/AWSSupportAccess" and ( AttachedEntities . Roles len ( ) gt 0 or AttachedEntities . Users len ( ) gt 0 or AttachedEntities . Groups len ( ) gt 0 ) ]

Name: Establish an access control system(s): IAM Policies with Effect as Allow and Action with sts:AssumeRole for CrossAccountArn
Description: Establish an access control system(s) for IAM AssumeRole Policies that have a cross-account ARN, requiring a condition that specifies "sts:ExternalId".
Service: IAM
Rule: IAMRole where AssumeRolePolicy . CrossAccountArn eq True should have AssumeRolePolicy . Statement with [ Conditions with [ Condition eq "StringEquals" and Name eq "sts:ExternalId" and Value len() gt 0 ]]

Name: Ensure Image Vulnerability Scanning using Amazon ECR image scanning or a third party provider.
Description: Scan images being deployed to Amazon EKS for vulnerabilities.
Service: ECRRepository
Rule: ECRRepository should have ImageScanningConfiguration.ScanOnPush

Name: Ensure Kubernetes Secrets are encrypted using Customer Master Keys (CMKs) managed in AWS KMS.
Description: Encrypt Kubernetes secrets, stored in etcd, using the secrets encryption feature during Amazon EKS cluster creation.
Service: EKSCluster
Rule: EKSCluster should have EncryptionConfig len() gt 0

Name: Restrict Access to the Control Plane Endpoint
Description: Enable Endpoint Private Access to restrict access to the cluster's control plane to only an allowlist of authorized IPs.
Service: EKSCluster
Rule: EKSCluster where EndPointPublicAccess should not have PublicAccessCidrs with [ CidrBlock eq 0.0.0.0/0]

Name: Ensure EKS Clusters are created with Private Endpoint Enabled and Public Access Disabled
Description: Disable access to the Kubernetes API from outside the node network if it is not required.
Service: EKSCluster
Rule: EKSCluster should have EndPointPrivateAccess and not EndPointPublicAccess

Name: Consider Fargate for running untrusted workloads
Description: It is best practice to restrict or fence untrusted workloads when running in a multi-tenant environment.
Service: EKSCluster
Rule: EKSCluster should not have FargateProfileNames len() eq 0
Name Description Service Rule
Identities and credentials: Avoid the use of the "root" account: check for recent logins. The 'root' account has unrestricted access to all resources in the AWS account. It is highly recommended that the use of this account be avoided. IAM
IAMUser where RootUser eq True should not have Password . LastUsedTime isLaterThan ( -1, "days" )
Authentication: Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password Multi-Factor Authentication (MFA) adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. It is recommended that MFA be enabled for all accounts that have a console password. IAM
IAMUser where ( RootUser eq false and Password . Enabled eq true ) should have MFAActive eq true
Identities and credentials: Ensure passwords unused for 90 days or greater are disabled AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all passwords that have been unused in 90 or greater days be disabled. IAM
IAMUser where RootUser eq False should not have ( Password . Enabled and Password . LastUsedTime isEarlierThan ( -90, "days" ) )
Remote access: Ensure access keys unused for 90 days or greater are disabled AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all access keys that have been unused in 90 or greater days be disabled. IAM
IAMUser where RootUser eq False should not have AccessKey with [ Active and LastUsedTime isEarlierThan ( -90, "days" ) ]
Remote access: Ensure access keys are rotated every 90 days or less. Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. It is recommended that all access keys be regularly rotated. IAM
IAMUser should not have AccessKey with [ Active and LastRotatedTime isEarlierThan ( -90 , "days" ) ]
Identities and credentials: Ensure IAM password policy requires at least one uppercase letter. Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one uppercase letter. IAM
IAMPasswordPolicy should have Configured and RequireUppercaseCharacters
Identities and credentials: Ensure IAM password policy require at least one lowercase letter. Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one lowercase letter. IAM
IAMPasswordPolicy should have Configured and RequireLowercaseCharacters
Identities and credentials: Ensure IAM password policy require at least one symbol. Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one symbol. IAM
IAMPasswordPolicy should have Configured and RequireSymbols
Identities and credentials: Ensure IAM password policy require at least one number. Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one number. IAM
IAMPasswordPolicy should have Configured and RequireNumbers
Identities and credentials: Ensure IAM password policy requires minimum length of 14 or greater. Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are at least a given length. It is recommended that the password policy require a minimum password length 14. IAM
IAMPasswordPolicy should have Configured and MinimumPasswordLength >= 14
Identities and credentials: Ensure IAM password policy prevents password reuse IAM password policies can prevent the reuse of a given password by the same user. It is recommended that the password policy prevent the reuse of passwords. IAM
IAMPasswordPolicy should have Configured and PasswordReusePrevention >= 24
Identities and credentials: Ensure IAM password policy expires passwords within 90 days or less. IAM password policies can require passwords to be rotated or expired after a given number of days. It is recommended that the password policy expire passwords after 90 days or less. IAM
IAMPasswordPolicy should have Configured and ExpirePasswords and MaxPasswordAge <= 90
Remote access: Ensure no root account access key exists. The root account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. It is recommended that all access keys associated with the root account be removed. IAM
IAMUser where RootUser eq True should not have AccessKey with [ Active eq True ]
Authentication: Ensure MFA is enabled for the "root" account. The root account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a username and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. IAM
IAMUser where RootUser eq True should have MFAActive eq true
Authentication: Ensure hardware MFA is enabled for the "root" account. The root account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. For Level 2, it is recommended that the root account be protected with a hardware MFA. IAM
IAMUser where RootUser eq True should have MFAActive eq true and MFADevices . Physical len ( ) gt 0

Name: Access permissions and authorizations: Ensure IAM policies are attached only to groups or roles.
Description: By default, IAM users, groups, and roles have no access to AWS resources. IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended that IAM policies be applied directly to groups and roles but not users.
Service: IAM
Rule:
IAMUser should have ( Policies . Managed len ( ) eq 0 and Policies . Inline len ( ) eq 0 )

Name: Remote access: Do not set up access keys during initial user setup for all IAM users that have a console password
Description: The AWS console defaults the checkbox for creating access keys to enabled. This results in many access keys being generated unnecessarily. In addition to unnecessary credentials, it also generates unnecessary management work in auditing and rotating these keys.
Service: IAM
Rule:
IAMUser where Password . Enabled eq true should not have AccessKey with [ Active and CreatedByDefault ]

Name: Access permissions and authorizations: Ensure IAM policies that allow full "*:*" administrative privileges are not created.
Description: IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended, and considered standard security advice, to grant least privilege: that is, grant only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform only those tasks, instead of allowing full administrative privileges.
Service: IAM
Rule:
IAMPolicy should not have Permissions . Statements with [ Action with [ value eq "*" ] and Resource with [ value eq "*" ] and Effect eq "Allow" ] and ( AttachedEntities . Groups len ( ) gt 0 or AttachedEntities . Roles len ( ) gt 0 or AttachedEntities . Users len ( ) gt 0 )

Name: Audit/log records: Ensure CloudTrail is enabled.
Description: AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an account, including API calls made via the Management Console, SDKs, command line tools, and higher-level AWS services (such as CloudFormation).
Service: CloudTrail
Rule:
AWS should have atleast one CloudTrails with [ MultiRegionTrailEnabled and LoggingEnabled eq True ]

Name: Secure audit trails so they cannot be altered: CloudTrail Log Files Lack Integrity Validation
Description: Use file-integrity monitoring or change-detection on CloudTrail logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).
Service: CloudTrail
Rule:
CloudTrail should have LogFileValidationEnabled

Name: Audit/log records: Ensure the S3 bucket CloudTrail logs to is not publicly accessible
Description: CloudTrail logs a record of every API call made in your AWS account. These log files are stored in an S3 bucket. It is recommended that the bucket policy or access control list (ACL) applied to the S3 bucket that CloudTrail logs to prevents public access to the CloudTrail logs.
Service: S3, CloudTrail
Rule:
CloudTrail should not have S3Bucket . ACL with [ ( Permission eq "WRITE" or Permission eq "WRITE_ACP" or Permission eq "READ" or Permission eq "READ_ACP" or Permission eq "FULL_CONTROL" ) and Grantee. URI eq "http://acs.amazonaws.com/groups/global/AllUsers" ] or S3Bucket . BucketPolicy with [ Statement with [ Effect eq "Allow" and Principal has ( "*" ) and Conditions len ( ) eq 0 ] ]

Name: Audit/log records: Ensure CloudTrail trails are integrated with CloudWatch Logs
Description: AWS CloudTrail is a web service that records AWS API calls made in a given AWS account. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail uses Amazon S3 for log file storage and delivery, so log files are stored durably. In addition to capturing CloudTrail logs within a specified S3 bucket for long-term analysis, real-time analysis can be performed by configuring CloudTrail to send logs to CloudWatch Logs. For a trail that is enabled in all regions in an account, CloudTrail sends log files from all those regions to a CloudWatch Logs log group. It is recommended that CloudTrail logs be sent to CloudWatch Logs.
Service: CloudTrail
Rule:
CloudTrail should have LogGroup

Name: Audit/log records: Ensure AWS Config is enabled in all regions
Description: AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), and any configuration changes between resources. The AWS configuration item history captured by AWS Config enables security analysis, resource change tracking, and compliance auditing. It is recommended that AWS Config be enabled in all regions.
Service: Config, CloudTrail
Rule:
AWS should have ( ConfigRecorders with [ Status and RecordingGroup . AllSupported ] ) and ConfigDeliveryChannels with [ StreamDelivery . LastSuccess and HistoryDelivery . LastSuccess ]

Name: Implement automated audit trails for all system components: CloudTrail - Lack of API Access Logging
Description: Implement automated audit trails for all system components to reconstruct the following events: all individual user accesses to cardholder data; all actions taken by any individual with root or administrative privileges; access to all audit trails; invalid logical access attempts; use of and changes to identification and authentication mechanisms; initialization, stopping, or pausing of the audit logs; creation and deletion of system-level objects.
Service: S3, CloudTrail
Rule:
CloudTrail should have S3Bucket . LoggingEnabled

Name: Audit/log records: Ensure CloudTrail logs are encrypted at rest using KMS CMKs
Description: AWS CloudTrail is a web service that records AWS API calls for an account and makes those logs available to users and resources in accordance with IAM policies. AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data, and uses Hardware Security Modules (HSMs) to protect the security of encryption keys. CloudTrail logs can be configured to use server-side encryption (SSE) with KMS customer-created master keys (CMKs) to further protect CloudTrail logs. It is recommended that CloudTrail be configured to use SSE-KMS.
Service: CloudTrail
Rule:
CloudTrail should have KMSKey . id len ( ) > 0

Name: Data-at-rest is protected: Ensure rotation for customer created CMKs is enabled
Description: AWS Key Management Service (KMS) allows customers to rotate the backing key, which is the key material stored within KMS that is tied to the key ID of the customer-created customer master key (CMK). It is the backing key that is used to perform cryptographic operations such as encryption and decryption. Automated key rotation currently retains all prior backing keys so that decryption of encrypted data can take place transparently. It is recommended that CMK key rotation be enabled.
Service: KMS
Rule:
KMSKey where Description notlike "Default master key that protects my.*" should have RotationEnabled

Name: Baseline network operations and data flows: Ensure VPC flow logging is enabled in all VPCs
Description: VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. It is recommended that VPC Flow Logs be enabled for packet 'Rejects' for VPCs.
Service: EC2
Rule:
VPC should have atleast one FlowLogs with [ id ]

Name: Remote access: Ensure a log metric filter and alarm exist for unauthorized API calls
Description: Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for unauthorized API calls.
Service: CloudWatch, CloudTrail
Rule:
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.errorCode\s*=\s*\"\*UnauthorizedOperation\"\)\s*\|\|\s*\(\$\.errorCode\s*=\s*\"AccessDenied\*\"\)\s*\|\|\s*\(\$\.sourceIPAddress\s*!=\s*\"delivery\.logs\.amazonaws\.com\"\)\s*\|\|\s*\(\$\.eventName\s*!=\s*\"HeadBucket\"\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]

Name: Identities and credentials: Ensure a log metric filter and alarm exist for Management Console sign-in without MFA
Description: Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for console logins that are not protected by multi-factor authentication (MFA).
Service: CloudWatch, CloudTrail
Rule:
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*\"ConsoleLogin\"\)\s*\&\&\s*\(\$\.additionalEventData\.MFAUsed\s*!=\s*\"Yes\"\)\s*\&\&\s*\(\$\.userIdentity\.type\s*=\s*\"IAMUser\"\)\s*\&\&\s*\(\$\.responseElements\.ConsoleLogin\s*=\s*\"Success\"\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]

Name: Identities and credentials: Ensure a log metric filter and alarm exist for usage of "root" account
Description: Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for root login attempts.
Service: CloudWatch, CloudTrail
Rule:
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "{\s*\$\.userIdentity\.type\s*=\s*\"Root\"\s*\&\&\s*\$\.userIdentity\.invokedBy\s*NOT\s*EXISTS\s*\&\&\s*\$\.eventType\s*!=\s*\"AwsServiceEvent\"\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]

Name: Identities and credentials: Ensure a log metric filter and alarm exist for IAM policy changes
Description: Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for changes made to Identity and Access Management (IAM) policies.
Service: CloudWatch, CloudTrail
Rule:
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*DeleteGroupPolicy\)\|\|\(\$\.eventName\s*=\s*DeleteRolePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteUserPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutGroupPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutRolePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutUserPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreatePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeletePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreatePolicyVersion\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeletePolicyVersion\)\s*\|\|\s*\(\$\.eventName\s*=\s*AttachRolePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DetachRolePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*AttachUserPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DetachUserPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*AttachGroupPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DetachGroupPolicy\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]

Name: Audit/log records: Ensure a log metric filter and alarm exist for CloudTrail configuration changes
Description: Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations.
Service: CloudWatch, CloudTrail
Rule:
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*CreateTrail\)\s*\|\|\s*\(\$\.eventName\s*=\s*UpdateTrail\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteTrail\)\s*\|\|\s*\(\$\.eventName\s*=\s*StartLogging\)\s*\|\|\s*\(\$\.eventName\s*=\s*StopLogging\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]

Name: Identities and credentials: Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
Description: Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for failed console authentication attempts.
Service: CloudWatch, CloudTrail
Rule:
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*ConsoleLogin\)\s*\&\&\s*\(\$\.errorMessage\s*=\s*\"Failed\s*authentication\"\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]

Name: Data-at-rest is protected: Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs
Description: Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for customer created CMKs which have changed state to disabled or scheduled deletion.
Service: CloudWatch, CloudTrail
Rule:
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventSource\s*=\s*kms\.amazonaws\.com\)\s*\&\&\s*\(\(\$\.eventName=DisableKey\)\s*\|\|\s*\(\$\.eventName=ScheduleKeyDeletion\)\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]

Name: Ensure a log metric filter and alarm exist for S3 bucket policy changes
Description: Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for changes to S3 bucket policies.
Service: CloudWatch, CloudTrail
Rule:
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventSource\s*=\s*s3\.amazonaws\.com\)\s*\&\&\s*\(\(\$\.eventName\s*=\s*PutBucketAcl\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutBucketPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutBucketCors\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutBucketLifecycle\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutBucketReplication\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteBucketPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteBucketCors\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteBucketLifecycle\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteBucketReplication\)\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]

Name: Audit/log records: Ensure a log metric filter and alarm exist for AWS Config configuration changes
Description: Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to AWS Config's configuration.
Service: CloudWatch, CloudTrail
Rule:
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventSource\s*=\s*config\.amazonaws\.com\)\s*\&\&\s*\(\(\$\.eventName=StopConfigurationRecorder\)\s*\|\|\s*\(\$\.eventName=DeleteDeliveryChannel\)\s*\|\|\(\$\.eventName=PutDeliveryChannel\)\s*\|\|\s*\(\$\.eventName=PutConfigurationRecorder\)\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]

Name: Network integrity: Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)
Description: Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. NACLs are used as a stateless packet filter to control ingress and egress traffic for subnets within a VPC. It is recommended that a metric filter and alarm be established for changes made to NACLs.
Service: CloudWatch, CloudTrail
Rule:
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*CreateNetworkAcl\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreateNetworkAclEntry\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteNetworkAcl\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteNetworkAclEntry\)\s*\|\|\s*\(\$\.eventName\s*=\s*ReplaceNetworkAclEntry\)\s*\|\|\s*\(\$\.eventName\s*=\s*ReplaceNetworkAclAssociation\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]

Name: Network integrity: Ensure a log metric filter and alarm exist for changes to network gateways
Description: Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Network gateways are required to send/receive traffic to a destination outside of a VPC. It is recommended that a metric filter and alarm be established for changes to network gateways.
Service: CloudWatch, CloudTrail
Rule:
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*CreateCustomerGateway\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteCustomerGateway\)\s*\|\|\s*\(\$\.eventName\s*=\s*AttachInternetGateway\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreateInternetGateway\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteInternetGateway\)\s*\|\|\s*\(\$\.eventName\s*=\s*DetachInternetGateway\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]

Name: Network integrity: Ensure a log metric filter and alarm exist for route table changes
Description: Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Routing tables are used to route network traffic between subnets and to network gateways. It is recommended that a metric filter and alarm be established for changes to route tables.
Service: CloudWatch, CloudTrail
Rule:
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*CreateRoute\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreateRouteTable\)\s*\|\|\s*\(\$\.eventName\s*=\s*ReplaceRoute\)\s*\|\|\s*\(\$\.eventName\s*=\s*ReplaceRouteTableAssociation\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteRouteTable\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteRoute\)\s*\|\|\s*\(\$\.eventName\s*=\s*DisassociateRouteTable\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]

Name: Network integrity: Ensure a log metric filter and alarm exist for VPC changes
Description: Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is possible to have more than one VPC within an account, and it is also possible to create a peering connection between two VPCs, enabling network traffic to route between them. It is recommended that a metric filter and alarm be established for changes made to VPCs.
Service: CloudWatch, CloudTrail
Rule:
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*CreateVpc\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteVpc\)\s*\|\|\s*\(\$\.eventName\s*=\s*ModifyVpcAttribute\)\s*\|\|\s*\(\$\.eventName\s*=\s*AcceptVpcPeeringConnection\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreateVpcPeeringConnection\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteVpcPeeringConnection\)\s*\|\|\s*\(\$\.eventName\s*=\s*RejectVpcPeeringConnection\)\s*\|\|\s*\(\$\.eventName\s*=\s*AttachClassicLinkVpc\)\s*\|\|\s*\(\$\.eventName\s*=\s*DetachClassicLinkVpc\)\s*\|\|\s*\(\$\.eventName\s*=\s*DisableVpcClassicLink\)\s*\|\|\s*\(\$\.eventName\s*=\s*EnableVpcClassicLink\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]

Name: Communications and control network protection: Ensure no security groups allow ingress from 0.0.0.0/0 to port 22
Description: Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to port 22.
Service: EC2
Rule:
SecurityGroup should not have InboundRules with [ IPRanges with [ IP eq 0.0.0.0/0 ] and ( FromPort lte 22 and ToPort gte 22 ) and Protocol in ("-1", "tcp") ]

Name: Communications and control network protection: Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389
Description: Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to port 3389.
Service: EC2
Rule:
SecurityGroup should not have InboundRules with [ IPRanges with [ IP eq 0.0.0.0/0 ] and ( FromPort lte 3389 and ToPort gte 3389 ) and Protocol in ("-1", "udp", "tcp") ]

Name: Ensure the default security group of every VPC restricts all traffic
Description: A VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that the default security group restrict all traffic. The default VPC in every region should have its default security group updated to comply. Any newly created VPCs will automatically contain a default security group that will need remediation to comply with this recommendation.
Service: EC2
Rule:
SecurityGroup where Name eq "default" should have InboundRules len ( ) eq 0 and OutboundRules len ( ) eq 0

Name: Personnel know response roles/operations: Ensure a support role has been created to manage incidents with AWS Support
Description: AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. Create an IAM Role to allow authorized users to manage incidents with AWS Support.
Service: IAM
Rule:
IAMPolicy where id eq "arn:aws:iam::aws:policy/AWSSupportAccess" should have ( AttachedEntities . Groups len ( ) > 0 or AttachedEntities . Roles len ( ) > 0 or AttachedEntities . Users len ( ) > 0 )

Name: Identities and credentials: Avoid the use of the "root" account: check for recent logins.
Description: The 'root' account has unrestricted access to all resources in the AWS account. It is highly recommended that the use of this account be avoided.
Service: IAM
Rule:
IAMUser where RootUser eq True should not have Password . LastUsedTime isLaterThan ( -1, "days" )

Name: Authentication: Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password
Description: Multi-Factor Authentication (MFA) adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. It is recommended that MFA be enabled for all accounts that have a console password.
Service: IAM
Rule:
IAMUser where ( RootUser eq false and Password . Enabled eq true ) should have MFAActive eq true

Name: Identities and credentials: Ensure passwords unused for 90 days or greater are disabled
Description: AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all passwords that have been unused for 90 days or more be disabled.
Service: IAM
Rule:
IAMUser where RootUser eq False should not have ( Password . Enabled and Password . LastUsedTime isEarlierThan ( -90, "days" ) )

Name: Remote access: Ensure access keys unused for 90 days or greater are disabled
Description: AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all access keys that have been unused for 90 days or more be disabled.
Service: IAM
Rule:
IAMUser where RootUser eq False should not have AccessKey with [ Active and LastUsedTime isEarlierThan ( -90, "days" ) ]

Name: Remote access: Ensure access keys are rotated every 90 days or less.
Description: Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. It is recommended that all access keys be regularly rotated.
Service: IAM
Rule:
IAMUser should not have AccessKey with [ Active and LastRotatedTime isEarlierThan ( -90 , "days" ) ]

Name: Identities and credentials: Ensure IAM password policy requires at least one uppercase letter.
Description: Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure passwords are composed of different character sets. It is recommended that the password policy require at least one uppercase letter.
Service: IAM
Rule:
IAMPasswordPolicy should have Configured and RequireUppercaseCharacters

Name: Identities and credentials: Ensure IAM password policy requires at least one lowercase letter.
Description: Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure passwords are composed of different character sets. It is recommended that the password policy require at least one lowercase letter.
Service: IAM
Rule:
IAMPasswordPolicy should have Configured and RequireLowercaseCharacters

Name: Identities and credentials: Ensure IAM password policy requires at least one symbol.
Description: Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure passwords are composed of different character sets. It is recommended that the password policy require at least one symbol.
Service: IAM
Rule:
IAMPasswordPolicy should have Configured and RequireSymbols

Name: Identities and credentials: Ensure IAM password policy requires at least one number.
Description: Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure passwords are composed of different character sets. It is recommended that the password policy require at least one number.
Service: IAM
Rule:
IAMPasswordPolicy should have Configured and RequireNumbers

Name: Identities and credentials: Ensure IAM password policy requires minimum length of 14 or greater.
Description: Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure passwords are at least a given length. It is recommended that the password policy require a minimum password length of 14.
Service: IAM
Rule:
IAMPasswordPolicy should have Configured and MinimumPasswordLength >= 14

Name: Identities and credentials: Ensure IAM password policy prevents password reuse
Description: IAM password policies can prevent the reuse of a given password by the same user. It is recommended that the password policy prevent the reuse of passwords.
Service: IAM
Rule:
IAMPasswordPolicy should have Configured and PasswordReusePrevention >= 24

Name: Identities and credentials: Ensure IAM password policy expires passwords within 90 days or less.
Description: IAM password policies can require passwords to be rotated or expired after a given number of days. It is recommended that the password policy expire passwords after 90 days or less.
Service: IAM
Rule:
IAMPasswordPolicy should have Configured and ExpirePasswords and MaxPasswordAge <= 90

Name: Remote access: Ensure no root account access key exists.
Description: The root account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. It is recommended that all access keys associated with the root account be removed.
Service: IAM
Rule:
IAMUser where RootUser eq True should not have AccessKey with [ Active eq True ]

Name: Authentication: Ensure MFA is enabled for the "root" account.
Description: The root account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device.
Service: IAM
Rule:
IAMUser where RootUser eq True should have MFAActive eq true

Name: Authentication: Ensure hardware MFA is enabled for the "root" account.
Description: The root account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. For Level 2, it is recommended that the root account be protected with a hardware MFA.
Service: IAM
Rule:
IAMUser where RootUser eq True should have MFAActive eq true and MFADevices . Physical len ( ) gt 0

Name: Access permissions and authorizations: Ensure IAM policies are attached only to groups or roles.
Description: By default, IAM users, groups, and roles have no access to AWS resources. IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended that IAM policies be applied directly to groups and roles but not users.
Service: IAM
Rule:
IAMUser should have ( Policies . Managed len ( ) eq 0 and Policies . Inline len ( ) eq 0 )

Name: Personnel know response roles/operations: Ensure a support role has been created to manage incidents with AWS Support
Description: AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. Create an IAM Role to allow authorized users to manage incidents with AWS Support.
Service: IAM
Rule:
IAMPolicy where id eq "arn:aws:iam::aws:policy/AWSSupportAccess" should have ( AttachedEntities . Groups len ( ) > 0 or AttachedEntities . Roles len ( ) > 0 or AttachedEntities . Users len ( ) > 0 )

Name: Remote access: Do not set up access keys during initial user setup for all IAM users that have a console password
Description: The AWS console defaults the checkbox for creating access keys to enabled. This results in many access keys being generated unnecessarily. In addition to unnecessary credentials, it also generates unnecessary management work in auditing and rotating these keys.
Service: IAM
Rule:
IAMUser where Password . Enabled eq true should not have AccessKey with [ Active and CreatedByDefault ]

Name: Access permissions and authorizations: Ensure IAM policies that allow full "*:*" administrative privileges are not created.
Description: IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended, and considered standard security advice, to grant least privilege: that is, grant only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform only those tasks, instead of allowing full administrative privileges.
Service: IAM
Rule:
IAMPolicy should not have Permissions . Statements with [ Action with [ value eq "*" ] and Resource with [ value eq "*" ] and Effect eq "Allow" ] and ( AttachedEntities . Groups len ( ) gt 0 or AttachedEntities . Roles len ( ) gt 0 or AttachedEntities . Users len ( ) gt 0 )

Name: Audit/log records: Ensure CloudTrail is enabled.
Description: AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an account, including API calls made via the Management Console, SDKs, command line tools, and higher-level AWS services (such as CloudFormation).
Service: CloudTrail
Rule:
AWS should have atleast one CloudTrails with [ MultiRegionTrailEnabled and LoggingEnabled eq True ]
Secure audit trails so they cannot be altered: CloudTrail Log Files Lack Integrity Validation Use file-integrity monitoring or change-detection on CloudTrail logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert). CloudTrail
CloudTrail should have LogFileValidationEnabled
Ensure the S3 bucket CloudTrail logs to is not publicly accessible CloudTrail logs a record of every API call made in your AWS account. These log files are stored in an S3 bucket. It is recommended that the bucket policy or access control list (ACL) applied to the S3 bucket that CloudTrail logs to prevents public access to the CloudTrail logs. S3, CloudTrail
CloudTrail should not have S3Bucket . Access eq "Public"
Audit/log records: Ensure CloudTrail trails are integrated with CloudWatch Logs AWS CloudTrail is a web service that records AWS API calls made in a given AWS account. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail uses Amazon S3 for log file storage and delivery, so log files are stored durably. In addition to capturing CloudTrail logs within a specified S3 bucket for long-term analysis, real-time analysis can be performed by configuring CloudTrail to send logs to CloudWatch Logs. For a trail that is enabled in all regions in an account, CloudTrail sends log files from all those regions to a CloudWatch Logs log group. It is recommended that CloudTrail logs be sent to CloudWatch Logs. CloudTrail
CloudTrail should have LogGroup
Audit/log records: Ensure AWS Config is enabled in all regions AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), and any configuration changes between resources. The AWS configuration item history captured by AWS Config enables security analysis, resource change tracking, and compliance auditing. It is recommended that AWS Config be enabled in all regions. Config, CloudTrail
AWS should have ( ConfigRecorders with [ Status and RecordingGroup . AllSupported ] ) and ConfigDeliveryChannels with [ StreamDelivery . LastSuccess and HistoryDelivery . LastSuccess ]
Implement automated audit trails for all system components: CloudTrail - Lack of API Access Logging Implement automated audit trails for all system components to reconstruct the following events: all individual user accesses to cardholder data; all actions taken by any individual with root or administrative privileges; access to all audit trails; invalid logical access attempts; use of and changes to identification and authentication mechanisms; initialization, stopping, or pausing of the audit logs; creation and deletion of system-level objects. S3, CloudTrail
CloudTrail should have S3Bucket . LoggingEnabled
Audit/log records: Ensure CloudTrail logs are encrypted at rest using KMS CMKs AWS CloudTrail is a web service that records AWS API calls for an account and makes those logs available to users and resources in accordance with IAM policies. AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data, and uses Hardware Security Modules (HSMs) to protect the security of encryption keys. CloudTrail logs can be configured to leverage server-side encryption (SSE) and KMS customer-created master keys (CMKs) to further protect CloudTrail logs. It is recommended that CloudTrail be configured to use SSE-KMS. CloudTrail
CloudTrail should have KMSKey . id len ( ) > 0
Data-at-rest is protected: Ensure rotation for customer created CMKs is enabled AWS Key Management Service (KMS) allows customers to rotate the backing key, which is the key material stored within KMS that is tied to the key ID of the customer-created customer master key (CMK). It is the backing key that is used to perform cryptographic operations such as encryption and decryption. Automated key rotation currently retains all prior backing keys so that decryption of encrypted data can take place transparently. It is recommended that CMK key rotation be enabled. KMS
KMSKey where Description notlike "Default master key that protects my.*" should have RotationEnabled
Baseline network operations and data flows: Ensure VPC flow logging is enabled in all VPCs VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. It is recommended that VPC Flow Logs be enabled for packet 'Rejects' for VPCs. EC2
VPC should have atleast one FlowLogs with [ id ]
Remote access: Ensure a log metric filter and alarm exist for unauthorized API calls Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for unauthorized API calls. CloudWatch, CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.errorCode\s*=\s*\"\*UnauthorizedOperation\"\)\s*\|\|\s*\(\$\.errorCode\s*=\s*\"AccessDenied\*\"\)\s*\|\|\s*\(\$\.sourceIPAddress\s*!=\s*\"delivery\.logs\.amazonaws\.com\"\)\s*\|\|\s*\(\$\.eventName\s*!=\s*\"HeadBucket\"\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Identities and credentials: Ensure a log metric filter and alarm exist for Management Console sign-in without MFA Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for console logins that are not protected by multi-factor authentication (MFA). CloudWatch, CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*\"ConsoleLogin\"\)\s*\&\&\s*\(\$\.additionalEventData\.MFAUsed\s*!=\s*\"Yes\"\)\s*\&\&\s*\(\$\.userIdentity\.type\s*=\s*\"IAMUser\"\)\s*\&\&\s*\(\$\.responseElements\.ConsoleLogin\s*=\s*\"Success\"\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Identities and credentials: Ensure a log metric filter and alarm exist for usage of "root" account Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for root login attempts. CloudWatch, CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "{\s*\$\.userIdentity\.type\s*=\s*\"Root\"\s*\&\&\s*\$\.userIdentity\.invokedBy\s*NOT\s*EXISTS\s*\&\&\s*\$\.eventType\s*!=\s*\"AwsServiceEvent\"\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Identities and credentials: Ensure a log metric filter and alarm exist for IAM policy changes Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for changes made to Identity and Access Management (IAM) policies. CloudWatch, CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*DeleteGroupPolicy\)\|\|\(\$\.eventName\s*=\s*DeleteRolePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteUserPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutGroupPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutRolePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutUserPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreatePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeletePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreatePolicyVersion\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeletePolicyVersion\)\s*\|\|\s*\(\$\.eventName\s*=\s*AttachRolePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DetachRolePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*AttachUserPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DetachUserPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*AttachGroupPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DetachGroupPolicy\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Audit/log records: Ensure a log metric filter and alarm exist for CloudTrail configuration changes Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations. CloudWatch, CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*CreateTrail\)\s*\|\|\s*\(\$\.eventName\s*=\s*UpdateTrail\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteTrail\)\s*\|\|\s*\(\$\.eventName\s*=\s*StartLogging\)\s*\|\|\s*\(\$\.eventName\s*=\s*StopLogging\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Identities and credentials: Ensure a log metric filter and alarm exist for AWS Management Console authentication failures Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for failed console authentication attempts. CloudWatch, CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*ConsoleLogin\)\s*\&\&\s*\(\$\.errorMessage\s*=\s*\"Failed\s*authentication\"\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Data-at-rest is protected: Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for customer created CMKs which have changed state to disabled or scheduled deletion. CloudWatch, CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventSource\s*=\s*kms\.amazonaws\.com\)\s*\&\&\s*\(\(\$\.eventName=DisableKey\)\s*\|\|\s*\(\$\.eventName=ScheduleKeyDeletion\)\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Ensure a log metric filter and alarm exist for S3 bucket policy changes Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for changes to S3 bucket policies. CloudWatch, CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventSource\s*=\s*s3\.amazonaws\.com\)\s*\&\&\s*\(\(\$\.eventName\s*=\s*PutBucketAcl\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutBucketPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutBucketCors\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutBucketLifecycle\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutBucketReplication\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteBucketPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteBucketCors\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteBucketLifecycle\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteBucketReplication\)\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Audit/log records: Ensure a log metric filter and alarm exist for AWS Config configuration changes Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to AWS Config's configuration. CloudWatch, CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventSource\s*=\s*config\.amazonaws\.com\)\s*\&\&\s*\(\(\$\.eventName=StopConfigurationRecorder\)\s*\|\|\s*\(\$\.eventName=DeleteDeliveryChannel\)\s*\|\|\(\$\.eventName=PutDeliveryChannel\)\s*\|\|\s*\(\$\.eventName=PutConfigurationRecorder\)\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Network integrity: Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. NACLs are used as a stateless packet filter to control ingress and egress traffic for subnets within a VPC. It is recommended that a metric filter and alarm be established for changes made to NACLs. CloudWatch, CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*CreateNetworkAcl\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreateNetworkAclEntry\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteNetworkAcl\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteNetworkAclEntry\)\s*\|\|\s*\(\$\.eventName\s*=\s*ReplaceNetworkAclEntry\)\s*\|\|\s*\(\$\.eventName\s*=\s*ReplaceNetworkAclAssociation\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Network integrity: Ensure a log metric filter and alarm exist for changes to network gateways Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Network gateways are required to send/receive traffic to a destination outside of a VPC. It is recommended that a metric filter and alarm be established for changes to network gateways. CloudWatch, CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*CreateCustomerGateway\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteCustomerGateway\)\s*\|\|\s*\(\$\.eventName\s*=\s*AttachInternetGateway\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreateInternetGateway\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteInternetGateway\)\s*\|\|\s*\(\$\.eventName\s*=\s*DetachInternetGateway\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Network integrity: Ensure a log metric filter and alarm exist for route table changes Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Routing tables are used to route network traffic between subnets and to network gateways. It is recommended that a metric filter and alarm be established for changes to route tables. CloudWatch, CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*CreateRoute\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreateRouteTable\)\s*\|\|\s*\(\$\.eventName\s*=\s*ReplaceRoute\)\s*\|\|\s*\(\$\.eventName\s*=\s*ReplaceRouteTableAssociation\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteRouteTable\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteRoute\)\s*\|\|\s*\(\$\.eventName\s*=\s*DisassociateRouteTable\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Network integrity: Ensure a log metric filter and alarm exist for VPC changes Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is possible to have more than one VPC within an account, and it is also possible to create a peering connection between two VPCs, enabling network traffic to route between them. It is recommended that a metric filter and alarm be established for changes made to VPCs. CloudWatch, CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*CreateVpc\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteVpc\)\s*\|\|\s*\(\$\.eventName\s*=\s*ModifyVpcAttribute\)\s*\|\|\s*\(\$\.eventName\s*=\s*AcceptVpcPeeringConnection\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreateVpcPeeringConnection\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteVpcPeeringConnection\)\s*\|\|\s*\(\$\.eventName\s*=\s*RejectVpcPeeringConnection\)\s*\|\|\s*\(\$\.eventName\s*=\s*AttachClassicLinkVpc\)\s*\|\|\s*\(\$\.eventName\s*=\s*DetachClassicLinkVpc\)\s*\|\|\s*\(\$\.eventName\s*=\s*DisableVpcClassicLink\)\s*\|\|\s*\(\$\.eventName\s*=\s*EnableVpcClassicLink\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Communications and control network protection: Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to port 22. EC2
SecurityGroup should not have InboundRules with [ IPRanges with [ IP eq 0.0.0.0/0 ] and ( FromPort lte 22 and ToPort gte 22 ) and Protocol in ("-1", "tcp") ]
Communications and control network protection: Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to port 3389. EC2
SecurityGroup should not have InboundRules with [ IPRanges with [ IP eq 0.0.0.0/0 ] and ( FromPort lte 3389 and ToPort gte 3389 ) and Protocol in ("-1", "udp", "tcp") ]
Ensure the default security group of every VPC restricts all traffic A VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that the default security group restrict all traffic. The default VPC in every region should have its default security group updated to comply. Any newly created VPCs will automatically contain a default security group that will need remediation to comply with this recommendation. EC2
SecurityGroup where Name eq "default" should have InboundRules len ( ) eq 0 and OutboundRules len ( ) eq 0
Remote access: Ensure no root account access key exists. The root account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. It is recommended that all access keys associated with the root account be removed. IAM
IAMUser where RootUser eq True should not have AccessKey with [ Active eq True ]
Authentication: Ensure MFA is enabled for the "root" account. The root account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a username and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. IAM
IAMUser where RootUser eq True should have MFAActive eq true
Authentication: Ensure hardware MFA is enabled for the "root" account. The root account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. For Level 2, it is recommended that the root account be protected with a hardware MFA. IAM
IAMUser where RootUser eq True should have MFAActive eq true and MFADevices . Physical len ( ) gt 0
Identities and credentials: Eliminate use of the 'root' user for administrative and daily tasks With the creation of an AWS account, a 'root user' is created that cannot be disabled or deleted. That user has unrestricted access to and control over all resources in the AWS account. It is highly recommended that the use of this account be avoided for everyday tasks. IAM
IAMUser where RootUser eq True should not have ( ( AccessKey with [ Active and LastUsedTime isLaterThan ( -1, "days" ) ] ) or ( Password . Enabled and Password . LastUsedTime isLaterThan ( -1, "days" ) ) )
Identities and credentials: Ensure IAM password policy requires minimum length of 14 or greater. Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure passwords are at least a given length. It is recommended that the password policy require a minimum password length of 14. IAM
IAMPasswordPolicy should have Configured and MinimumPasswordLength >= 14
Identities and credentials: Ensure IAM password policy prevents password reuse IAM password policies can prevent the reuse of a given password by the same user. It is recommended that the password policy prevent the reuse of passwords. IAM
IAMPasswordPolicy should have Configured and PasswordReusePrevention >= 24
Authentication: Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password Multi-Factor Authentication (MFA) adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. It is recommended that MFA be enabled for all accounts that have a console password. IAM
IAMUser where ( RootUser eq false and Password . Enabled eq true ) should have MFAActive eq true
Remote access: Ensure access keys are rotated every 90 days or less. Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. It is recommended that all access keys be regularly rotated. IAM
IAMUser should not have AccessKey with [ Active and LastRotatedTime isEarlierThan ( -90 , "days" ) ]
Audit/log records: Ensure CloudTrail is enabled. AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an account, including API calls made via the Management Console, SDKs, command line tools, and higher-level AWS services (such as CloudFormation) CloudTrail
AWS should have atleast one CloudTrails with [ MultiRegionTrailEnabled and LoggingEnabled eq True ]
Secure audit trails so they cannot be altered : CloudTrail Log Files Lack Integrity Validation Use file-integrity monitoring or change-detection on CloudTrail logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert). CloudTrail
CloudTrail should have LogFileValidationEnabled
Ensure the S3 bucket CloudTrail logs to is not publicly accessible CloudTrail logs a record of every API call made in your AWS account. These logs file are stored in an S3 bucket. It is recommended that the bucket policy or access control list (ACL) applied to the S3 bucket that CloudTrail logs to prevents public access to the CloudTrail logs S3
CloudTrail
CloudTrail should not have S3Bucket . Access eq "Public"
Audit/log records: Ensure CloudTrail trails are integrated with CloudWatch Logs AWS CloudTrail is a web service that records AWS API calls made in a given AWS account.The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail uses Amazon S3 for log file storage and delivery, so log files are stored durably. In addition to capturing CloudTrail logs within a specified S3 bucket for long term analysis, realtime analysis can be performed by configuring CloudTrail to send logs to CloudWatch Logs. For a trail that is enabled in all regions in an account, CloudTrail sends log files from all those regions to a CloudWatch Logs log group. It is recommended that CloudTrail logs be sent to CloudWatch Logs. CloudTrail
CloudTrail should have LogGroup
Audit/log records: Ensure AWS Config is enabled in all regions AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), any configuration changes between resources. The AWS configuration item history captured by AWS Config enables security analysis, resource change tracking, and compliance auditing. It is recommended to enable AWS Config be enabled in all regions. Config
CloudTrail
AWS should have ( ConfigRecorders with [ Status and RecordingGroup . AllSupported ] ) and ConfigDeliveryChannels with [ StreamDelivery . LastSuccess and HistoryDelivery . LastSuccess ]
Implement automated audit trails for all system components : CloudTrail - Lack of API Access Logging Implement automated audit trails for all system components to reconstruct the following events : All individual user accesses to cardholder data ; All actions taken by any individual with root or administrative privileges ; Access to all audit trails ; Invalid logical access attempts ; Use of and changes to identification and authentication mechanisms ; Initialization, stopping, or pausing of the audit logs ; Creation and deletion of system-level objects. S3
CloudTrail
CloudTrail should have S3Bucket . LoggingEnabled
Audit/log records: Ensure CloudTrail logs are encrypted at rest using KMS CMKs AWS CloudTrail is a web service that records AWS API calls for an account and makes those logs available to users and resources in accordance with IAM policies. AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data, and uses Hardware Security Modules (HSMs) to protect the security of encryption keys. CloudTrail logs can be configured to leverage server side encryption (SSE) and KMS customer created master keys (CMK) to further protect CloudTrail logs. It is recommended that CloudTrail be configured to use SSE-KMS CloudTrail
CloudTrail should have KMSKey . id len ( ) > 0
Data-at-rest is protected: Ensure rotation for customer created CMKs is enabled AWS Key Management Service (KMS) allows customers to rotate the backing key which is key material stored within the KMS which is tied to the key ID of the Customer Created customer master key (CMK). It is the backing key that is used to perform cryptographic operations such as encryption and decryption. Automated key rotation currently retains all prior backing keys so that decryption of encrypted data can take place transparently. It is recommended that CMK key rotation be enabled KMS
KMSKey where Description notlike "Default master key that protects my.*" should have RotationEnabled
Baseline network operations and data flows: Ensure VPC flow logging is enabled in all VPCs VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. It is recommended that VPC Flow Logs be enabled for packet 'Rejects' for VPCs. EC2
VPC should have atleast one FlowLogs with [ id ]
Remote access: Ensure a log metric filter and alarm exist for unauthorized API calls Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for unauthorized API calls. CloudWatch
CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.errorCode\s*=\s*\"\*UnauthorizedOperation\"\)\s*\|\|\s*\(\$\.errorCode\s*=\s*\"AccessDenied\*\"\)\s*\|\|\s*\(\$\.sourceIPAddress\s*!=\s*\"delivery\.logs\.amazonaws\.com\"\)\s*\|\|\s*\(\$\.eventName\s*!=\s*\"HeadBucket\"\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Identities and credentials: Ensure a log metric filter and alarm exist for Management Console sign-in without MFA Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for console logins that are not protected by multi-factor authentication (MFA) CloudWatch
CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*\"ConsoleLogin\"\)\s*\&\&\s*\(\$\.additionalEventData\.MFAUsed\s*!=\s*\"Yes\"\)\s*\&\&\s*\(\$\.userIdentity\.type\s*=\s*\"IAMUser\"\)\s*\&\&\s*\(\$\.responseElements\.ConsoleLogin\s*=\s*\"Success\"\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Identities and credentials: Ensure a log metric filter and alarm exist for usage of "root" account Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for root login attempts. CloudWatch
CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "{\s*\$\.userIdentity\.type\s*=\s*\"Root\"\s*\&\&\s*\$\.userIdentity\.invokedBy\s*NOT\s*EXISTS\s*\&\&\s*\$\.eventType\s*!=\s*\"AwsServiceEvent\"\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Identities and credentials: Ensure a log metric filter and alarm exist for IAM policy changes Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for changes made to Identity and Access Management (IAM) policies. CloudWatch
CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*DeleteGroupPolicy\)\|\|\(\$\.eventName\s*=\s*DeleteRolePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteUserPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutGroupPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutRolePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutUserPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreatePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeletePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreatePolicyVersion\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeletePolicyVersion\)\s*\|\|\s*\(\$\.eventName\s*=\s*AttachRolePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DetachRolePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*AttachUserPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DetachUserPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*AttachGroupPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DetachGroupPolicy\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Audit/log records: Ensure a log metric filter and alarm exist for CloudTrail configuration changes Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations. CloudWatch
CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*CreateTrail\)\s*\|\|\s*\(\$\.eventName\s*=\s*UpdateTrail\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteTrail\)\s*\|\|\s*\(\$\.eventName\s*=\s*StartLogging\)\s*\|\|\s*\(\$\.eventName\s*=\s*StopLogging\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Identities and credentials: Ensure a log metric filter and alarm exist for AWS Management Console authentication failures Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for failed console authentication attempts. CloudWatch
CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*ConsoleLogin\)\s*\&\&\s*\(\$\.errorMessage\s*=\s*\"Failed\s*authentication\"\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Data-at-rest is protected: Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for customer created CMKs which have changed state to disabled or scheduled deletion. CloudWatch
CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventSource\s*=\s*kms\.amazonaws\.com\)\s*\&\&\s*\(\(\$\.eventName=DisableKey\)\s*\|\|\s*\(\$\.eventName=ScheduleKeyDeletion\)\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Ensure a log metric filter and alarm exist for S3 bucket policy changes Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for changes to S3 bucket policies. CloudWatch
CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventSource\s*=\s*s3\.amazonaws\.com\)\s*\&\&\s*\(\(\$\.eventName\s*=\s*PutBucketAcl\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutBucketPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutBucketCors\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutBucketLifecycle\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutBucketReplication\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteBucketPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteBucketCors\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteBucketLifecycle\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteBucketReplication\)\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Audit/log records: Ensure a log metric filter and alarm exist for AWS Config configuration changes Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to AWS Config's configuration. CloudWatch
CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventSource\s*=\s*config\.amazonaws\.com\)\s*\&\&\s*\(\(\$\.eventName=StopConfigurationRecorder\)\s*\|\|\s*\(\$\.eventName=DeleteDeliveryChannel\)\s*\|\|\(\$\.eventName=PutDeliveryChannel\)\s*\|\|\s*\(\$\.eventName=PutConfigurationRecorder\)\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Network integrity: Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. NACLs are used as a stateless packet filter to control ingress and egress traffic for subnets within a VPC. It is recommended that a metric filter and alarm be established for changes made to NACLs. CloudWatch
CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*CreateNetworkAcl\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreateNetworkAclEntry\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteNetworkAcl\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteNetworkAclEntry\)\s*\|\|\s*\(\$\.eventName\s*=\s*ReplaceNetworkAclEntry\)\s*\|\|\s*\(\$\.eventName\s*=\s*ReplaceNetworkAclAssociation\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Network integrity: Ensure a log metric filter and alarm exist for changes to network gateways Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Network gateways are required to send/receive traffic to a destination outside of a VPC. It is recommended that a metric filter and alarm be established for changes to network gateways. CloudWatch
CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*CreateCustomerGateway\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteCustomerGateway\)\s*\|\|\s*\(\$\.eventName\s*=\s*AttachInternetGateway\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreateInternetGateway\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteInternetGateway\)\s*\|\|\s*\(\$\.eventName\s*=\s*DetachInternetGateway\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Network integrity: Ensure a log metric filter and alarm exist for route table changes Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Routing tables are used to route network traffic between subnets and to network gateways. It is recommended that a metric filter and alarm be established for changes to route tables. CloudWatch
CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*CreateRoute\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreateRouteTable\)\s*\|\|\s*\(\$\.eventName\s*=\s*ReplaceRoute\)\s*\|\|\s*\(\$\.eventName\s*=\s*ReplaceRouteTableAssociation\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteRouteTable\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteRoute\)\s*\|\|\s*\(\$\.eventName\s*=\s*DisassociateRouteTable\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Network integrity: Ensure a log metric filter and alarm exist for VPC changes Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is possible to have more than one VPC within an account; it is also possible to create a peering connection between two VPCs, enabling network traffic to route between them. It is recommended that a metric filter and alarm be established for changes made to VPCs. CloudWatch
CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*CreateVpc\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteVpc\)\s*\|\|\s*\(\$\.eventName\s*=\s*ModifyVpcAttribute\)\s*\|\|\s*\(\$\.eventName\s*=\s*AcceptVpcPeeringConnection\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreateVpcPeeringConnection\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteVpcPeeringConnection\)\s*\|\|\s*\(\$\.eventName\s*=\s*RejectVpcPeeringConnection\)\s*\|\|\s*\(\$\.eventName\s*=\s*AttachClassicLinkVpc\)\s*\|\|\s*\(\$\.eventName\s*=\s*DetachClassicLinkVpc\)\s*\|\|\s*\(\$\.eventName\s*=\s*DisableVpcClassicLink\)\s*\|\|\s*\(\$\.eventName\s*=\s*EnableVpcClassicLink\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Ensure the default security group of every VPC restricts all traffic A VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that the default security group restrict all traffic. The default VPC in every region should have its default security group updated to comply. Any newly created VPCs will automatically contain a default security group that will need remediation to comply with this recommendation. EC2
SecurityGroup where Name eq "default" should have InboundRules len ( ) eq 0 and OutboundRules len ( ) eq 0
Data-at-rest is protected: Ensure RDS encryption is enabled Ensure that RDS instances have storage encryption enabled. RDS
RDSInstance should have StorageEncrypted eq true
Ensure MFA Delete is enabled on S3 buckets Once MFA Delete is enabled on your sensitive and classified S3 bucket, it requires the user to have two forms of authentication. S3
S3Bucket should have BucketVersioning . Status eq "Enabled" and BucketVersioning . MFADelete eq "Enabled"
Ensure S3 Bucket Policy is set to deny HTTP requests At the Amazon S3 bucket level, you can configure permissions through a bucket policy, making the objects accessible only through HTTPS. S3
S3Bucket should have BucketPolicy with [Statement with [Effect eq "Deny" and Conditions with [Name eq "aws:SecureTransport" and Value has ("false") ]]]
Network integrity: Ensure a log metric filter and alarm exists for AWS Organizations changes Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for AWS Organizations changes made in the master AWS Account. CloudWatch
CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventSource\s*=\s*organizations\.amazonaws\.com\)\s*\&\&\s*\(\(\$\.eventName\s*=\s*AcceptHandshake\)\s*||\s*\(\$\.eventName\s*=\s*AttachPolicy\)\s*||\s*\(\$\.eventName\s*=\s*CreateAccount\)\s*||\s*\(\$\.eventName\s*=\s*CreateOrganizationalUnit\)\s*||\s*\(\$\.eventName\s*=\s*CreatePolicy\)\s*||\s*\(\$\.eventName\s*=\s*DeclineHandshake\)\s*||\s*\(\$\.eventName\s*=\s*DeleteOrganization\)\s*||\s*\(\$\.eventName\s*=\s*DeleteOrganizationalUnit\)\s*||\s*\(\$\.eventName\s*=\s*DeletePolicy\)\s*||\s*\(\$\.eventName\s*=\s*DetachPolicy\)\s*||\s*\(\$\.eventName\s*=\s*DisablePolicyType\)\s*||\s*\(\$\.eventName\s*=\s*EnablePolicyType\)\s*||\s*\(\$\.eventName\s*=\s*InviteAccountToOrganization\)\s*||\s*\(\$\.eventName\s*=\s*LeaveOrganization\)\s*||\s*\(\$\.eventName\s*=\s*MoveAccount\)\s*||\s*\(\$\.eventName\s*=\s*RemoveAccountFromOrganization\)\s*||\s*\(\$\.eventName\s*=\s*UpdatePolicy\)\s*||\s*\(\$\.eventName\s*=\s*UpdateOrganizationalUnit\)\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Network integrity: Ensure a log metric filter and alarm exist for security group changes Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Groups are a stateful packet filter that controls ingress and egress traffic within a VPC. It is recommended that a metric filter and alarm be established for detecting changes to Security Groups. CloudWatch
CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*AuthorizeSecurityGroupIngress\)\s*\|\|\s*\(\$\.eventName\s*=\s*AuthorizeSecurityGroupEgress\)\s*\|\|\s*\(\$\.eventName\s*=\s*RevokeSecurityGroupIngress\)\s*\|\|\s*\(\$\.eventName\s*=\s*RevokeSecurityGroupEgress\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreateSecurityGroup\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteSecurityGroup\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Ensure all S3 buckets employ encryption-at-rest Amazon S3 provides a variety of no-cost or low-cost encryption options to protect data at rest. S3
S3Bucket should not have DefaultEncryption eq "Disabled"
Ensure credentials unused for 45 days or greater are disabled AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all credentials that have been unused for 45 days or more be deactivated or removed. IAM
IAMUser where RootUser eq False should not have ( ( AccessKey with [ Active and LastUsedTime isEarlierThan ( -45, "days" ) ] ) or ( Password . Enabled and Password . LastUsedTime isEarlierThan ( -45, "days" ) ) )
Ensure there is only one active access key available for any single IAM user Access keys are long-term credentials for an IAM user or the AWS account 'root' user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK). IAM
IAMUser should not have every AccessKey with [ Active eq true] and AccessKey len() gt 1
Ensure IAM Users Receive Permissions Only Through Groups IAM users are granted access to services, functions, and data through IAM policies. There are three ways to define policies for a user: 1) Edit the user policy directly, aka an inline, or user, policy; 2) attach a policy directly to a user; 3) add the user to an IAM group that has an attached policy. Only the third implementation is recommended. Identity
IAMUser should have Policies . Managed len () eq 0 and Policies . Inline len () eq 0
Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed To enable HTTPS connections to your website or application in AWS, you need an SSL/TLS server certificate. You can use ACM or IAM to store and deploy server certificates. Use IAM as a certificate manager only when you must support HTTPS connections in a region that is not supported by ACM. IAM securely encrypts your private keys and stores the encrypted version in IAM SSL certificate storage. IAM supports deploying server certificates in all regions, but you must obtain your certificate from an external provider for use with AWS. You cannot upload an ACM certificate to IAM. Additionally, you cannot manage your certificates from the IAM Console. Identity
ServerCertificate should not have Expiration isEarlierThan (0, "seconds")
Ensure that IAM Access Analyzer is enabled IAM Access Analyzer is a technology introduced at AWS re:Invent 2019. After the Analyzer is enabled in IAM, scan results are displayed on the console showing the accessible resources. Scans show resources that other accounts and federated users can access, such as KMS keys and IAM roles. The results allow you to determine whether an unintended user is allowed access, making it easier for administrators to monitor least-privilege access. Security
AccessAnalyzer should have Status eq "ACTIVE"
Ensure that S3 Buckets are configured with 'Block public access (bucket settings)' Amazon S3 provides Block public access (bucket settings) and Block public access (account settings) to help you manage public access to Amazon S3 resources. By default, S3 buckets and objects are created with public access disabled. However, an IAM principal with sufficient S3 permissions can enable public access at the bucket and/or object level. While enabled, Block public access (bucket settings) prevents an individual bucket, and its contained objects, from becoming publicly accessible. Similarly, Block public access (account settings) prevents all buckets, and contained objects, from becoming publicly accessible across the entire account. Storage
S3Bucket should have BlockPublicAccess . BlockPublicAcls and BlockPublicAccess . IgnorePublicAcls and BlockPublicAccess . BlockPublicPolicy and BlockPublicAccess . RestrictPublicBuckets
Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports The Network Access Control List (NACL) function provides stateless filtering of ingress and egress network traffic to AWS resources. It is recommended that no NACL allows unrestricted ingress access to remote server administration ports, such as SSH on port 22 and RDP on port 3389. Network
NetworkACL should not have Rules with [ Egress eq False and RuleAction eq "allow" and CidrBlock eq 0.0.0.0/0 and ( (FromPort lte 22 and ToPort gte 22) or (FromPort lte 3389 and ToPort gte 3389) ) ]
Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to remote server administration ports, such as SSH on port 22 and RDP on port 3389. Network
SecurityGroup should not have InboundRules with [ IPRanges with [ IP eq 0.0.0.0/0 ] and ( (FromPort lte 22 and ToPort gte 22) or (FromPort lte 3389 and ToPort gte 3389) ) ]
Authentication: Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password Multi-Factor Authentication (MFA) adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. It is recommended that MFA be enabled for all accounts that have a console password. IAM
IAMUser where ( RootUser eq false and Password . Enabled eq true ) should have MFAActive eq true
Identities and credentials: Ensure passwords unused for 90 days or greater are disabled AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all passwords that have been unused for 90 days or more be disabled. IAM
IAMUser where RootUser eq False should not have ( Password . Enabled and Password . LastUsedTime isEarlierThan ( -90, "days" ) )
Remote access: Ensure access keys unused for 90 days or greater are disabled AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all access keys that have been unused for 90 days or more be disabled. IAM
IAMUser where RootUser eq False should not have AccessKey with [ Active and LastUsedTime isEarlierThan ( -90, "days" ) ]
Remote access: Ensure access keys are rotated every 90 days or less. Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. It is recommended that all access keys be regularly rotated. IAM
IAMUser should not have AccessKey with [ Active and LastRotatedTime isEarlierThan ( -90 , "days" ) ]
Identities and credentials: Ensure IAM password policy requires at least one uppercase letter. Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure passwords are composed of different character sets. It is recommended that the password policy require at least one uppercase letter. IAM
IAMPasswordPolicy should have Configured and RequireUppercaseCharacters
Identities and credentials: Ensure IAM password policy requires at least one lowercase letter. Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure passwords are composed of different character sets. It is recommended that the password policy require at least one lowercase letter. IAM
IAMPasswordPolicy should have Configured and RequireLowercaseCharacters
Identities and credentials: Ensure IAM password policy requires at least one symbol. Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure passwords are composed of different character sets. It is recommended that the password policy require at least one symbol. IAM
IAMPasswordPolicy should have Configured and RequireSymbols
Identities and credentials: Ensure IAM password policy requires at least one number. Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure passwords are composed of different character sets. It is recommended that the password policy require at least one number. IAM
IAMPasswordPolicy should have Configured and RequireNumbers
Identities and credentials: Ensure IAM password policy requires minimum length of 14 or greater. Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure passwords are at least a given length. It is recommended that the password policy require a minimum password length of 14. IAM
IAMPasswordPolicy should have Configured and MinimumPasswordLength >= 14
Identities and credentials: Ensure IAM password policy prevents password reuse IAM password policies can prevent the reuse of a given password by the same user. It is recommended that the password policy prevent the reuse of passwords. IAM
IAMPasswordPolicy should have Configured and PasswordReusePrevention >= 24
Identities and credentials: Ensure IAM password policy expires passwords within 90 days or less. IAM password policies can require passwords to be rotated or expired after a given number of days. It is recommended that the password policy expire passwords after 90 days or less. IAM
IAMPasswordPolicy should have Configured and ExpirePasswords and MaxPasswordAge <= 90
Remote access: Ensure no root account access key exists. The root account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. It is recommended that all access keys associated with the root account be removed. IAM
IAMUser where RootUser eq True should not have AccessKey with [ Active eq True ]
Authentication: Ensure MFA is enabled for the "root" account. The root account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a username and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. IAM
IAMUser where RootUser eq True should have MFAActive eq true
Authentication: Ensure hardware MFA is enabled for the "root" account. The root account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. For Level 2, it is recommended that the root account be protected with a hardware MFA. IAM
IAMUser where RootUser eq True should have MFAActive eq true and MFADevices . Physical len ( ) gt 0
Access permissions and authorizations: Ensure IAM policies are attached only to groups or roles. By default, IAM users, groups, and roles have no access to AWS resources. IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended that IAM policies be applied directly to groups and roles but not users. IAM
IAMUser should have ( Policies . Managed len ( ) eq 0 and Policies . Inline len ( ) eq 0 )
Remote access: Do not set up access keys during initial user setup for all IAM users that have a console password The AWS console defaults the checkbox for creating access keys to enabled. This results in many access keys being generated unnecessarily. In addition to unnecessary credentials, it also generates unnecessary management work in auditing and rotating these keys. IAM
IAMUser where Password . Enabled eq true should not have AccessKey with [ Active and CreatedByDefault ]
Access permissions and authorizations: Ensure IAM policies that allow full "*:*" administrative privileges are not created. IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended, and considered standard security advice, to grant least privilege: that is, to grant only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform only those tasks, instead of allowing full administrative privileges. IAM
IAMPolicy should not have Permissions . Statements with [ Action with [ value eq "*" ] and Resource with [ value eq "*" ] and Effect eq "Allow" ] and ( AttachedEntities . Groups len ( ) gt 0 or AttachedEntities . Roles len ( ) gt 0 or AttachedEntities . Users len ( ) gt 0 )
Audit/log records: Ensure CloudTrail is enabled. AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an account, including API calls made via the Management Console, SDKs, command line tools, and higher-level AWS services (such as CloudFormation). CloudTrail
AWS should have atleast one CloudTrails with [ MultiRegionTrailEnabled and LoggingEnabled eq True ]
Secure audit trails so they cannot be altered: CloudTrail Log Files Lack Integrity Validation Use file-integrity monitoring or change-detection on CloudTrail logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert). CloudTrail
CloudTrail should have LogFileValidationEnabled
Audit/log records: Ensure the S3 bucket CloudTrail logs to is not publicly accessible CloudTrail logs a record of every API call made in your AWS account. These log files are stored in an S3 bucket. It is recommended that the bucket policy or access control list (ACL) applied to the S3 bucket that CloudTrail logs to prevents public access to the CloudTrail logs. S3
CloudTrail
CloudTrail should not have S3Bucket . ACL with [ ( Permission eq "WRITE" or Permission eq "WRITE_ACP" or Permission eq "READ" or Permission eq "READ_ACP" or Permission eq "FULL_CONTROL" ) and Grantee. URI eq "http://acs.amazonaws.com/groups/global/AllUsers" ] or S3Bucket . BucketPolicy with [ Statement with [ Effect eq "Allow" and Principal has ( "*" ) and Conditions len ( ) eq 0 ] ]
Audit/log records: Ensure CloudTrail trails are integrated with CloudWatch Logs AWS CloudTrail is a web service that records AWS API calls made in a given AWS account. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail uses Amazon S3 for log file storage and delivery, so log files are stored durably. In addition to capturing CloudTrail logs within a specified S3 bucket for long-term analysis, real-time analysis can be performed by configuring CloudTrail to send logs to CloudWatch Logs. For a trail that is enabled in all regions in an account, CloudTrail sends log files from all those regions to a CloudWatch Logs log group. It is recommended that CloudTrail logs be sent to CloudWatch Logs. CloudTrail
CloudTrail should have LogGroup
Audit/log records: Ensure AWS Config is enabled in all regions AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), and any configuration changes between resources. The AWS configuration item history captured by AWS Config enables security analysis, resource change tracking, and compliance auditing. It is recommended that AWS Config be enabled in all regions. Config
CloudTrail
AWS should have ( ConfigRecorders with [ Status and RecordingGroup . AllSupported ] ) and ConfigDeliveryChannels with [ StreamDelivery . LastSuccess and HistoryDelivery . LastSuccess ]
Implement automated audit trails for all system components: CloudTrail - Lack of API Access Logging Implement automated audit trails for all system components to reconstruct the following events: all individual user accesses to cardholder data; all actions taken by any individual with root or administrative privileges; access to all audit trails; invalid logical access attempts; use of and changes to identification and authentication mechanisms; initialization, stopping, or pausing of the audit logs; creation and deletion of system-level objects. S3
CloudTrail
CloudTrail should have S3Bucket . LoggingEnabled
Audit/log records: Ensure CloudTrail logs are encrypted at rest using KMS CMKs AWS CloudTrail is a web service that records AWS API calls for an account and makes those logs available to users and resources in accordance with IAM policies. AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data, and uses Hardware Security Modules (HSMs) to protect the security of encryption keys. CloudTrail logs can be configured to leverage server-side encryption (SSE) and KMS customer created master keys (CMKs) to further protect CloudTrail logs. It is recommended that CloudTrail be configured to use SSE-KMS. CloudTrail
CloudTrail should have KMSKey . id len ( ) > 0
Data-at-rest is protected: Ensure rotation for customer created CMKs is enabled AWS Key Management Service (KMS) allows customers to rotate the backing key, which is the key material stored within KMS and tied to the key ID of the customer created customer master key (CMK). It is the backing key that is used to perform cryptographic operations such as encryption and decryption. Automated key rotation currently retains all prior backing keys so that decryption of previously encrypted data can take place transparently. It is recommended that CMK key rotation be enabled. KMS
KMSKey where Description notlike "Default master key that protects my.*" should have RotationEnabled
Baseline network operations and data flows: Ensure VPC flow logging is enabled in all VPCs VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. It is recommended that VPC Flow Logs be enabled for packet 'Rejects' for VPCs. EC2
VPC should have atleast one FlowLogs with [ id ]
Communications and control network protection: Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to port 22. EC2
SecurityGroup should not have InboundRules with [ IPRanges with [ IP eq 0.0.0.0/0 ] and ( FromPort lte 22 and ToPort gte 22 ) and Protocol in ("-1", "tcp") ]
Communications and control network protection: Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to port 3389. EC2
SecurityGroup should not have InboundRules with [ IPRanges with [ IP eq 0.0.0.0/0 ] and ( FromPort lte 3389 and ToPort gte 3389 ) and Protocol in ("-1", "udp", "tcp") ]
Ensure the default security group of every VPC restricts all traffic A VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that the default security group restrict all traffic. The default VPC in every region should have its default security group updated to comply. Any newly created VPC will automatically contain a default security group that will need remediation to comply with this recommendation. EC2
SecurityGroup where Name eq "default" should have InboundRules len ( ) eq 0 and OutboundRules len ( ) eq 0
Name Description Service Rule
Identities and credentials: Avoid the use of the "root" account: check for recent logins. The 'root' account has unrestricted access to all resources in the AWS account. It is highly recommended that the use of this account be avoided. IAM
IAMUser where RootUser eq True should not have Password . LastUsedTime isLaterThan ( -1, "days" )
Authentication: Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password Multi-Factor Authentication (MFA) adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. It is recommended that MFA be enabled for all accounts that have a console password. IAM
IAMUser where ( RootUser eq false and Password . Enabled eq true ) should have MFAActive eq true
Identities and credentials: Ensure passwords unused for 90 days or greater are disabled AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all passwords that have been unused for 90 days or more be disabled. IAM
IAMUser where RootUser eq False should not have ( Password . Enabled and Password . LastUsedTime isEarlierThan ( -90, "days" ) )
Remote access: Ensure access keys unused for 90 days or greater are disabled AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all access keys that have been unused for 90 days or more be disabled. IAM
IAMUser where RootUser eq False should not have AccessKey with [ Active and LastUsedTime isEarlierThan ( -90, "days" ) ]
Remote access: Ensure access keys are rotated every 90 days or less. Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. It is recommended that all access keys be regularly rotated. IAM
IAMUser should not have AccessKey with [ Active and LastRotatedTime isEarlierThan ( -90 , "days" ) ]
Identities and credentials: Ensure IAM password policy requires at least one uppercase letter. Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure passwords are comprised of different character sets. It is recommended that the password policy require at least one uppercase letter. IAM
IAMPasswordPolicy should have Configured and RequireUppercaseCharacters
Identities and credentials: Ensure IAM password policy require at least one lowercase letter. Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure passwords are comprised of different character sets. It is recommended that the password policy require at least one lowercase letter. IAM
IAMPasswordPolicy should have Configured and RequireLowercaseCharacters
Identities and credentials: Ensure IAM password policy require at least one symbol. Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure passwords are comprised of different character sets. It is recommended that the password policy require at least one symbol. IAM
IAMPasswordPolicy should have Configured and RequireSymbols
Identities and credentials: Ensure IAM password policy require at least one number. Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure passwords are comprised of different character sets. It is recommended that the password policy require at least one number. IAM
IAMPasswordPolicy should have Configured and RequireNumbers
Identities and credentials: Ensure IAM password policy requires minimum length of 14 or greater. Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure passwords are at least a given length. It is recommended that the password policy require a minimum password length of 14. IAM
IAMPasswordPolicy should have Configured and MinimumPasswordLength >= 14
Identities and credentials: Ensure IAM password policy prevents password reuse IAM password policies can prevent the reuse of a given password by the same user. It is recommended that the password policy prevent the reuse of passwords. IAM
IAMPasswordPolicy should have Configured and PasswordReusePrevention >= 24
Identities and credentials: Ensure IAM password policy expires passwords within 90 days or less. IAM password policies can require passwords to be rotated or expired after a given number of days. It is recommended that the password policy expire passwords after 90 days or less. IAM
IAMPasswordPolicy should have Configured and ExpirePasswords and MaxPasswordAge <= 90
Remote access: Ensure no root account access key exists. The root account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. It is recommended that all access keys associated with the root account be removed. IAM
IAMUser where RootUser eq True should not have AccessKey with [ Active eq True ]
Authentication: Ensure MFA is enabled for the "root" account. The root account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a username and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. IAM
IAMUser where RootUser eq True should have MFAActive eq true
Authentication: Ensure hardware MFA is enabled for the "root" account. The root account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. For Level 2, it is recommended that the root account be protected with a hardware MFA. IAM
IAMUser where RootUser eq True should have MFAActive eq true and MFADevices . Physical len ( ) gt 0
Access permissions and authorizations: Ensure IAM policies are attached only to groups or roles. By default, IAM users, groups, and roles have no access to AWS resources. IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended that IAM policies be applied directly to groups and roles but not users. IAM
IAMUser should have ( Policies . Managed len ( ) eq 0 and Policies . Inline len ( ) eq 0 )
Remote access: Do not setup access keys during initial user setup for all IAM users that have a console password The AWS console defaults the checkbox for creating access keys to enabled. This results in many access keys being generated unnecessarily. In addition to unnecessary credentials, it also generates unnecessary management work in auditing and rotating these keys. IAM
IAMUser where Password . Enabled eq true should not have AccessKey with [ Active and CreatedByDefault ]
Access permissions and authorizations: Ensure IAM policies that allow full "*:*" administrative privileges are not created. IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended, and considered standard security advice, to grant least privilege, that is, to grant only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform only those tasks, instead of allowing full administrative privileges. IAM
IAMPolicy should not have Permissions . Statements with [ Action with [ value eq "*" ] and Resource with [ value eq "*" ] and Effect eq "Allow" ] and ( AttachedEntities . Groups len ( ) gt 0 or AttachedEntities . Roles len ( ) gt 0 or AttachedEntities . Users len ( ) gt 0 )
Audit/log records: Ensure CloudTrail is enabled. AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an account, including API calls made via the Management Console, SDKs, command line tools, and higher-level AWS services (such as CloudFormation). CloudTrail
AWS should have atleast one CloudTrails with [ MultiRegionTrailEnabled and LoggingEnabled eq True ]
Secure audit trails so they cannot be altered : CloudTrail Log Files Lack Integrity Validation Use file-integrity monitoring or change-detection on CloudTrail logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert). CloudTrail
CloudTrail should have LogFileValidationEnabled
Audit/log records: Ensure the S3 bucket CloudTrail logs to is not publicly accessible CloudTrail logs a record of every API call made in your AWS account. These log files are stored in an S3 bucket. It is recommended that the bucket policy or access control list (ACL) applied to the S3 bucket that CloudTrail logs to prevent public access to the CloudTrail logs. S3
CloudTrail
CloudTrail should not have S3Bucket . ACL with [ ( Permission eq "WRITE" or Permission eq "WRITE_ACP" or Permission eq "READ" or Permission eq "READ_ACP" or Permission eq "FULL_CONTROL" ) and Grantee . URI eq "http://acs.amazonaws.com/groups/global/AllUsers" ] or S3Bucket . BucketPolicy with [ Statement with [ Effect eq "Allow" and Principal has ( "*" ) and Conditions len ( ) eq 0 ] ]
Personnel know response roles/operations: Ensure a support role has been created to manage incidents with AWS Support AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. Create an IAM Role to allow authorized users to manage incidents with AWS Support. IAM
IAMPolicy where id eq "arn:aws:iam::aws:policy/AWSSupportAccess" should have ( AttachedEntities . Groups len ( ) > 0 or AttachedEntities . Roles len ( ) > 0 or AttachedEntities . Users len ( ) > 0 )
Name Description Service Rule
Remote access: Ensure a log metric filter and alarm exist for unauthorized API calls Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for unauthorized API calls. CloudWatch
CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.errorCode\s*=\s*\"\*UnauthorizedOperation\"\)\s*\|\|\s*\(\$\.errorCode\s*=\s*\"AccessDenied\*\"\)\s*\|\|\s*\(\$\.sourceIPAddress\s*!=\s*\"delivery\.logs\.amazonaws\.com\"\)\s*\|\|\s*\(\$\.eventName\s*!=\s*\"HeadBucket\"\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Identities and credentials: Ensure a log metric filter and alarm exist for Management Console sign-in without MFA Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for console logins that are not protected by multi-factor authentication (MFA). CloudWatch
CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*\"ConsoleLogin\"\)\s*\&\&\s*\(\$\.additionalEventData\.MFAUsed\s*!=\s*\"Yes\"\)\s*\&\&\s*\(\$\.userIdentity\.type\s*=\s*\"IAMUser\"\)\s*\&\&\s*\(\$\.responseElements\.ConsoleLogin\s*=\s*\"Success\"\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Identities and credentials: Ensure a log metric filter and alarm exist for usage of "root" account Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for root login attempts. CloudWatch
CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "{\s*\$\.userIdentity\.type\s*=\s*\"Root\"\s*\&\&\s*\$\.userIdentity\.invokedBy\s*NOT\s*EXISTS\s*\&\&\s*\$\.eventType\s*!=\s*\"AwsServiceEvent\"\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Identities and credentials: Ensure a log metric filter and alarm exist for IAM policy changes Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for changes made to Identity and Access Management (IAM) policies. CloudWatch
CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*DeleteGroupPolicy\)\|\|\(\$\.eventName\s*=\s*DeleteRolePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteUserPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutGroupPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutRolePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutUserPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreatePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeletePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreatePolicyVersion\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeletePolicyVersion\)\s*\|\|\s*\(\$\.eventName\s*=\s*AttachRolePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DetachRolePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*AttachUserPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DetachUserPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*AttachGroupPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DetachGroupPolicy\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Audit/log records: Ensure a log metric filter and alarm exist for CloudTrail configuration changes Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations. CloudWatch
CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*CreateTrail\)\s*\|\|\s*\(\$\.eventName\s*=\s*UpdateTrail\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteTrail\)\s*\|\|\s*\(\$\.eventName\s*=\s*StartLogging\)\s*\|\|\s*\(\$\.eventName\s*=\s*StopLogging\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Identities and credentials: Ensure a log metric filter and alarm exist for AWS Management Console authentication failures Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for failed console authentication attempts. CloudWatch
CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*ConsoleLogin\)\s*\&\&\s*\(\$\.errorMessage\s*=\s*\"Failed\s*authentication\"\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Data-at-rest is protected: Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for customer created CMKs which have changed state to disabled or scheduled deletion. CloudWatch
CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventSource\s*=\s*kms\.amazonaws\.com\)\s*\&\&\s*\(\(\$\.eventName=DisableKey\)\s*\|\|\s*\(\$\.eventName=ScheduleKeyDeletion\)\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Ensure a log metric filter and alarm exist for S3 bucket policy changes Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for changes to S3 bucket policies. CloudWatch
CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventSource\s*=\s*s3\.amazonaws\.com\)\s*\&\&\s*\(\(\$\.eventName\s*=\s*PutBucketAcl\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutBucketPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutBucketCors\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutBucketLifecycle\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutBucketReplication\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteBucketPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteBucketCors\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteBucketLifecycle\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteBucketReplication\)\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Audit/log records: Ensure a log metric filter and alarm exist for AWS Config configuration changes Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to the AWS Config configuration. CloudWatch
CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventSource\s*=\s*config\.amazonaws\.com\)\s*\&\&\s*\(\(\$\.eventName=StopConfigurationRecorder\)\s*\|\|\s*\(\$\.eventName=DeleteDeliveryChannel\)\s*\|\|\(\$\.eventName=PutDeliveryChannel\)\s*\|\|\s*\(\$\.eventName=PutConfigurationRecorder\)\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Network integrity: Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. NACLs are used as a stateless packet filter to control ingress and egress traffic for subnets within a VPC. It is recommended that a metric filter and alarm be established for changes made to NACLs. CloudWatch
CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*CreateNetworkAcl\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreateNetworkAclEntry\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteNetworkAcl\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteNetworkAclEntry\)\s*\|\|\s*\(\$\.eventName\s*=\s*ReplaceNetworkAclEntry\)\s*\|\|\s*\(\$\.eventName\s*=\s*ReplaceNetworkAclAssociation\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Network integrity: Ensure a log metric filter and alarm exist for changes to network gateways Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Network gateways are required to send/receive traffic to a destination outside of a VPC. It is recommended that a metric filter and alarm be established for changes to network gateways. CloudWatch
CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*CreateCustomerGateway\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteCustomerGateway\)\s*\|\|\s*\(\$\.eventName\s*=\s*AttachInternetGateway\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreateInternetGateway\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteInternetGateway\)\s*\|\|\s*\(\$\.eventName\s*=\s*DetachInternetGateway\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Network integrity: Ensure a log metric filter and alarm exist for route table changes Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Routing tables are used to route network traffic between subnets and to network gateways. It is recommended that a metric filter and alarm be established for changes to route tables. CloudWatch
CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*CreateRoute\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreateRouteTable\)\s*\|\|\s*\(\$\.eventName\s*=\s*ReplaceRoute\)\s*\|\|\s*\(\$\.eventName\s*=\s*ReplaceRouteTableAssociation\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteRouteTable\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteRoute\)\s*\|\|\s*\(\$\.eventName\s*=\s*DisassociateRouteTable\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Network integrity: Ensure a log metric filter and alarm exist for VPC changes Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is possible to have more than one VPC within an account; in addition, it is possible to create a peering connection between two VPCs, enabling network traffic to route between them. It is recommended that a metric filter and alarm be established for changes made to VPCs. CloudWatch
CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*CreateVpc\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteVpc\)\s*\|\|\s*\(\$\.eventName\s*=\s*ModifyVpcAttribute\)\s*\|\|\s*\(\$\.eventName\s*=\s*AcceptVpcPeeringConnection\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreateVpcPeeringConnection\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteVpcPeeringConnection\)\s*\|\|\s*\(\$\.eventName\s*=\s*RejectVpcPeeringConnection\)\s*\|\|\s*\(\$\.eventName\s*=\s*AttachClassicLinkVpc\)\s*\|\|\s*\(\$\.eventName\s*=\s*DetachClassicLinkVpc\)\s*\|\|\s*\(\$\.eventName\s*=\s*DisableVpcClassicLink\)\s*\|\|\s*\(\$\.eventName\s*=\s*EnableVpcClassicLink\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Communications and control network protection: Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to port 22. EC2
SecurityGroup should not have InboundRules with [ IPRanges with [ IP eq 0.0.0.0/0 ] and ( FromPort lte 22 and ToPort gte 22 ) and Protocol in ("-1", "tcp") ]
Communications and control network protection: Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to port 3389. EC2
SecurityGroup should not have InboundRules with [ IPRanges with [ IP eq 0.0.0.0/0 ] and ( FromPort lte 3389 and ToPort gte 3389 ) and Protocol in ("-1", "udp", "tcp") ]
Ensure the default security group of every VPC restricts all traffic A VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that the default security group restrict all traffic. The default VPC in every region should have its default security group updated to comply. Any newly created VPC will automatically contain a default security group that will need remediation to comply with this recommendation. EC2
SecurityGroup where Name eq "default" should have InboundRules len ( ) eq 0 and OutboundRules len ( ) eq 0
Personnel know response roles/operations: Ensure a support role has been created to manage incidents with AWS Support AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. Create an IAM Role to allow authorized users to manage incidents with AWS Support. IAM
IAMPolicy where id eq "arn:aws:iam::aws:policy/AWSSupportAccess" should have ( AttachedEntities . Groups len ( ) > 0 or AttachedEntities . Roles len ( ) > 0 or AttachedEntities . Users len ( ) > 0 )
Name Description Service Rule
Identities and credentials: Avoid the use of the "root" account: check for recent logins. The 'root' account has unrestricted access to all resources in the AWS account. It is highly recommended that the use of this account be avoided. IAM
IAMUser where RootUser eq True should not have Password . LastUsedTime isLaterThan ( -1, "days" )
Identities and credentials: Ensure passwords unused for 90 days or greater are disabled AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all passwords that have been unused for 90 or more days be disabled. IAM
IAMUser where RootUser eq False should not have ( Password . Enabled and Password . LastUsedTime isEarlierThan ( -90, "days" ) )
Identities and credentials: Ensure IAM password policy requires at least one uppercase letter. Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure passwords are composed of different character sets. It is recommended that the password policy require at least one uppercase letter. IAM
IAMPasswordPolicy should have Configured and RequireUppercaseCharacters
Identities and credentials: Ensure IAM password policy requires at least one lowercase letter. Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure passwords are composed of different character sets. It is recommended that the password policy require at least one lowercase letter. IAM
IAMPasswordPolicy should have Configured and RequireLowercaseCharacters
Identities and credentials: Ensure IAM password policy requires at least one symbol. Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure passwords are composed of different character sets. It is recommended that the password policy require at least one symbol. IAM
IAMPasswordPolicy should have Configured and RequireSymbols
Identities and credentials: Ensure IAM password policy requires at least one number. Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure passwords are composed of different character sets. It is recommended that the password policy require at least one number. IAM
IAMPasswordPolicy should have Configured and RequireNumbers
Identities and credentials: Ensure IAM password policy requires minimum length of 14 or greater. Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure passwords are at least a given length. It is recommended that the password policy require a minimum password length of 14. IAM
IAMPasswordPolicy should have Configured and MinimumPasswordLength >= 14
Identities and credentials: Ensure IAM password policy prevents password reuse IAM password policies can prevent the reuse of a given password by the same user. It is recommended that the password policy prevent the reuse of passwords. IAM
IAMPasswordPolicy should have Configured and PasswordReusePrevention >= 24
Identities and credentials: Ensure IAM password policy expires passwords within 90 days or less. IAM password policies can require passwords to be rotated or expired after a given number of days. It is recommended that the password policy expire passwords after 90 days or less. IAM
IAMPasswordPolicy should have Configured and ExpirePasswords and MaxPasswordAge <= 90
Identities and credentials: Ensure a log metric filter and alarm exist for Management Console sign-in without MFA Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for console logins that are not protected by multi-factor authentication (MFA). CloudWatch
CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*\"ConsoleLogin\"\)\s*\&\&\s*\(\$\.additionalEventData\.MFAUsed\s*!=\s*\"Yes\"\)\s*\&\&\s*\(\$\.userIdentity\.type\s*=\s*\"IAMUser\"\)\s*\&\&\s*\(\$\.responseElements\.ConsoleLogin\s*=\s*\"Success\"\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Identities and credentials: Ensure a log metric filter and alarm exist for usage of "root" account Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for root login attempts. CloudWatch
CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "{\s*\$\.userIdentity\.type\s*=\s*\"Root\"\s*\&\&\s*\$\.userIdentity\.invokedBy\s*NOT\s*EXISTS\s*\&\&\s*\$\.eventType\s*!=\s*\"AwsServiceEvent\"\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Identities and credentials: Ensure a log metric filter and alarm exist for IAM policy changes Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for changes made to Identity and Access Management (IAM) policies. CloudWatch
CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*DeleteGroupPolicy\)\|\|\(\$\.eventName\s*=\s*DeleteRolePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteUserPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutGroupPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutRolePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutUserPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreatePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeletePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreatePolicyVersion\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeletePolicyVersion\)\s*\|\|\s*\(\$\.eventName\s*=\s*AttachRolePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DetachRolePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*AttachUserPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DetachUserPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*AttachGroupPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DetachGroupPolicy\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Identities and credentials: Ensure a log metric filter and alarm exist for AWS Management Console authentication failures Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for failed console authentication attempts. CloudWatch
CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*ConsoleLogin\)\s*\&\&\s*\(\$\.errorMessage\s*=\s*\"Failed\s*authentication\"\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Remote access: Ensure access keys unused for 90 days or greater are disabled AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all access keys that have been unused for 90 or more days be disabled. IAM
IAMUser where RootUser eq False should not have AccessKey with [ Active and LastUsedTime isEarlierThan ( -90, "days" ) ]
Remote access: Ensure access keys are rotated every 90 days or less. Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. It is recommended that all access keys be regularly rotated. IAM
IAMUser should not have AccessKey with [ Active and LastRotatedTime isEarlierThan ( -90 , "days" ) ]
Remote access: Ensure no root account access key exists. The root account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. It is recommended that all access keys associated with the root account be removed. IAM
IAMUser where RootUser eq True should not have AccessKey with [ Active eq True ]
Remote access: Do not set up access keys during initial user setup for all IAM users that have a console password The AWS console defaults the checkbox for creating access keys to enabled. This results in many access keys being generated unnecessarily. In addition to creating unnecessary credentials, it also generates unnecessary management work in auditing and rotating these keys. IAM
IAMUser where Password . Enabled eq true should not have AccessKey with [ Active and CreatedByDefault ]
Remote access: Ensure a log metric filter and alarm exist for unauthorized API calls Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for unauthorized API calls. CloudWatch
CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.errorCode\s*=\s*\"\*UnauthorizedOperation\"\)\s*\|\|\s*\(\$\.errorCode\s*=\s*\"AccessDenied\*\"\)\s*\|\|\s*\(\$\.sourceIPAddress\s*!=\s*\"delivery\.logs\.amazonaws\.com\"\)\s*\|\|\s*\(\$\.eventName\s*!=\s*\"HeadBucket\"\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Access permissions and authorizations: Ensure IAM policies are attached only to groups or roles. By default, IAM users, groups, and roles have no access to AWS resources. IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended that IAM policies be applied directly to groups and roles but not users. IAM
IAMUser should have ( Policies . Managed len ( ) eq 0 and Policies . Inline len ( ) eq 0 )
Access permissions and authorizations: Ensure IAM policies that allow full "*:*" administrative privileges are not created. IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended, and considered standard security advice, to grant least privilege: that is, to grant only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform only those tasks, instead of allowing full administrative privileges. IAM
IAMPolicy should not have Permissions . Statements with [ Action with [ value eq "*" ] and Resource with [ value eq "*" ] and Effect eq "Allow" ] and ( AttachedEntities . Groups len ( ) gt 0 or AttachedEntities . Roles len ( ) gt 0 or AttachedEntities . Users len ( ) gt 0 )
Establish an access control system(s) : IAM Policies with Effect as Allow and Action with iam:PassRole for All Roles Establish an access control system(s) for systems components that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed. IAM
IAMPolicy should not have Permissions . Statements with [ Action with [ value eq "iam:PassRole" ] and Resource with [ value eq "*" ] ]
Establish an access control system(s) : IAM Policies with Effect as Allow and Action with sts:AssumeRole for All Roles Establish an access control system(s) for systems components that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed. IAM
IAMRole should not have AssumeRolePolicy . Statement with [ Action eq "sts:AssumeRole" and Principal . AWS has ("*") ]
Establish an access control system(s) : S3 Bucket ACLs with Grant Access to All Users Establish an access control system(s) for systems components that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed. S3
S3Bucket should not have ACL with [ ( Permission eq "WRITE" or Permission eq "WRITE_ACP" or Permission eq "READ" or Permission eq "READ_ACP" or Permission eq "FULL_CONTROL" ) and Grantee . URI eq "http://acs.amazonaws.com/groups/global/AllUsers" ]
Establish an access control system(s) : S3 Bucket ACLs with Grant Access to Authenticated Users Establish an access control system(s) for systems components that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed. S3
S3Bucket should not have ACL with [ ( Permission eq "WRITE" or Permission eq "WRITE_ACP" or Permission eq "READ" or Permission eq "READ_ACP" or Permission eq "FULL_CONTROL" ) and Grantee . Type eq "Group" and Grantee . URI eq "http://acs.amazonaws.com/groups/global/AuthenticatedUsers" ]
Access permissions and authorizations: Ensure Redshift clusters are not publicly accessible Redshift clusters should not be accessible to the public. Redshift
RedShiftCluster should not have Access eq "Public"
Access permissions and authorizations: Ensure RDS instances do not have publicly accessible snapshots RDS instances should not have publicly accessible snapshots. RDS
RDSInstance should not have Snapshots with [ PubliclyAccessible ]
Network integrity: Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. NACLs are used as a stateless packet filter to control ingress and egress traffic for subnets within a VPC. It is recommended that a metric filter and alarm be established for changes made to NACLs. CloudWatch
CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*CreateNetworkAcl\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreateNetworkAclEntry\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteNetworkAcl\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteNetworkAclEntry\)\s*\|\|\s*\(\$\.eventName\s*=\s*ReplaceNetworkAclEntry\)\s*\|\|\s*\(\$\.eventName\s*=\s*ReplaceNetworkAclAssociation\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Network integrity: Ensure a log metric filter and alarm exist for changes to network gateways Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Network gateways are required to send/receive traffic to a destination outside of a VPC. It is recommended that a metric filter and alarm be established for changes to network gateways. CloudWatch
CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*CreateCustomerGateway\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteCustomerGateway\)\s*\|\|\s*\(\$\.eventName\s*=\s*AttachInternetGateway\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreateInternetGateway\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteInternetGateway\)\s*\|\|\s*\(\$\.eventName\s*=\s*DetachInternetGateway\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Network integrity: Ensure a log metric filter and alarm exist for route table changes Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Routing tables are used to route network traffic between subnets and to network gateways. It is recommended that a metric filter and alarm be established for changes to route tables. CloudWatch
CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*CreateRoute\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreateRouteTable\)\s*\|\|\s*\(\$\.eventName\s*=\s*ReplaceRoute\)\s*\|\|\s*\(\$\.eventName\s*=\s*ReplaceRouteTableAssociation\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteRouteTable\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteRoute\)\s*\|\|\s*\(\$\.eventName\s*=\s*DisassociateRouteTable\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Network integrity: Ensure a log metric filter and alarm exist for VPC changes Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is possible to have more than 1 VPC within an account, in addition it is also possible to create a peer connection between 2 VPCs enabling network traffic to route between VPCs. It is recommended that a metric filter and alarm be established for changes made to VPCs. CloudWatch
CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*CreateVpc\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteVpc\)\s*\|\|\s*\(\$\.eventName\s*=\s*ModifyVpcAttribute\)\s*\|\|\s*\(\$\.eventName\s*=\s*AcceptVpcPeeringConnection\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreateVpcPeeringConnection\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteVpcPeeringConnection\)\s*\|\|\s*\(\$\.eventName\s*=\s*RejectVpcPeeringConnection\)\s*\|\|\s*\(\$\.eventName\s*=\s*AttachClassicLinkVpc\)\s*\|\|\s*\(\$\.eventName\s*=\s*DetachClassicLinkVpc\)\s*\|\|\s*\(\$\.eventName\s*=\s*DisableVpcClassicLink\)\s*\|\|\s*\(\$\.eventName\s*=\s*EnableVpcClassicLink\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Authentication: Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password Multi-Factor Authentication (MFA) adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. It is recommended that MFA be enabled for all accounts that have a console password. IAM
IAMUser where ( RootUser eq false and Password . Enabled eq true ) should have MFAActive eq true
Authentication: Ensure MFA is enabled for the "root" account. The root account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a username and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. IAM
IAMUser where RootUser eq True should have MFAActive eq true
Authentication: Ensure hardware MFA is enabled for the "root" account. The root account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. For Level 2, it is recommended that the root account be protected with a hardware MFA. IAM
IAMUser where RootUser eq True should have MFAActive eq true and MFADevices . Physical len ( ) gt 0
Establish an access control system(s) : Inadequate Access Controls on S3 Buckets Establish an access control system(s) for systems components that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed. S3
S3Bucket where BucketVersioning . Status eq "Enabled" should not have BucketVersioning . MFADelete eq "Disabled"
Data-at-rest is protected: Ensure rotation for customer created CMKs is enabled AWS Key Management Service (KMS) allows customers to rotate the backing key which is key material stored within the KMS which is tied to the key ID of the Customer Created customer master key (CMK). It is the backing key that is used to perform cryptographic operations such as encryption and decryption. Automated key rotation currently retains all prior backing keys so that decryption of encrypted data can take place transparently. It is recommended that CMK key rotation be enabled KMS
KMSKey where Description notlike "Default master key that protects my.*" should have RotationEnabled
Data-at-rest is protected: Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for customer created CMKs which have changed state to disabled or scheduled deletion. CloudWatch
CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventSource\s*=\s*kms\.amazonaws\.com\)\s*\&\&\s*\(\(\$\.eventName=DisableKey\)\s*\|\|\s*\(\$\.eventName=ScheduleKeyDeletion\)\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Data-at-rest is protected: Ensure RDS encryption is enabled Ensure RDS encryption is enabled. RDS
RDSInstance should have StorageEncrypted eq true
Data-at-rest is protected: Ensure RDS instance snapshots are encrypted Ensure RDS instance snapshots are encrypted. RDS
RDSInstance should have every Snapshots with [ Encrypted eq true ]
Data-at-rest is protected: Ensure DynamoDB tables are encrypted at rest Ensure DynamoDB tables are encrypted at rest. Dynamo
DynamoDBTable should have SSEDescription . Status eq "ENABLED"
Render PAN unreadable anywhere it is stored : Redshift Cluster Not Encrypted At Rest Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches: One-way hashes based on strong cryptography (hash must be of the entire PAN). ; Truncation (hashing cannot be used to replace the truncated segment of PAN). ; Index tokens and pads (pads must be securely stored). ; Strong cryptography with associated key-management processes and procedures. ; Note: It is a relatively trivial effort for a malicious individual to reconstruct original PAN data if they have access to both the truncated and hashed version of a PAN. Where hashed and truncated versions of the same PAN are present in an entity’s environment, additional controls must be in place to ensure that the hashed and truncated versions cannot be correlated to reconstruct the original PAN. RedShift
RedShiftCluster should have Encrypted eq true
Data-in-transit is protected: Ensure older SSL/TLS policies are not used with Elastic Load Balancers Older SSL/TLS policy should not be used with Elastic Load Balancer Security Policy. ElasticLoadBalancer
ElasticLoadBalancer should have SslPolicy in ( "ELBSecurityPolicy-2016-08", "ELBSecurityPolicy-TLS-1-2-2017-01", "ELBSecurityPolicy-TLS-1-1-2017-01" )
Data-in-transit is protected: Ensure encryption in transit is enabled for lambda functions using environmental variables. Ensure encryption in transit is enabled for lambda functions using environmental variables. Lambda
Lambda where ( Environment len() > 0 ) should have KMSKey.id
Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission: Redshift Cluster has require_ssl disabled Sensitive information must be encrypted during transmission over public networks, because it is easy and common for a malicious individual to intercept and/or divert data while in transit. RedShift
RedShiftCluster should have ClusterParameterGroups with [ ClusterParameterGroup with [ ParameterName eq "require_ssl" and ParameterValue eq "true" ] ]
Backups of information: Ensure Backup Retention Period is set greater than or equal to 30 days. Setting Backup Retention Period of RDS Instance to a value greater than or equal to 30 ensures safety of data. RDS
RDSInstance should not have BackupRetentionPeriod lt 30
Backups of information: Ensure DynamoDB tables are backed up Ensure DynamoDB tables are backed up. Dynamo
DynamoDBTable should have BackedUp eq true
Backups of information: Ensure DynamoDB tables have point in time recovery enabled Ensure DynamoDB tables have point in time recovery enabled. Dynamo
DynamoDBTable should have PointInTimeRecovery eq "ENABLED"
Install critical security patches within one month of release. : Auto Minor Version Upgrade Disabled for RDS Instances Ensure that all system components and software are protected from known vulnerabilities by installing applicable AWS RDSInstance security patches. Install critical security patches within one month of release. RDS
RDSInstance should have AutoMinorVersionUpgrade eq true
Vulnerability management plan: Ensure Allow Version Upgrade is set to yes for Redshift Cluster Redshift Clusters should have Version Upgrade set to avoid missing important security updates. Redshift
RedShiftCluster should have AllowVersionUpgrade
Audit/log records: Ensure CloudTrail is enabled. AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an account, including API calls made via the Management Console, SDKs, command line tools, and higher-level AWS services (such as CloudFormation). CloudTrail
AWS should have atleast one CloudTrails with [ MultiRegionTrailEnabled and LoggingEnabled eq True ]
Ensure the S3 bucket CloudTrail logs to is not publicly accessible CloudTrail logs a record of every API call made in your AWS account. These log files are stored in an S3 bucket. It is recommended that the bucket policy or access control list (ACL) applied to the S3 bucket that CloudTrail logs to prevents public access to the CloudTrail logs. S3
CloudTrail
CloudTrail should not have S3Bucket . Access eq "Public"
Audit/log records: Ensure CloudTrail trails are integrated with CloudWatch Logs AWS CloudTrail is a web service that records AWS API calls made in a given AWS account. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail uses Amazon S3 for log file storage and delivery, so log files are stored durably. In addition to capturing CloudTrail logs within a specified S3 bucket for long-term analysis, real-time analysis can be performed by configuring CloudTrail to send logs to CloudWatch Logs. For a trail that is enabled in all regions in an account, CloudTrail sends log files from all those regions to a CloudWatch Logs log group. It is recommended that CloudTrail logs be sent to CloudWatch Logs. CloudTrail
CloudTrail should have LogGroup
Audit/log records: Ensure AWS Config is enabled in all regions AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), and any configuration changes between resources. The AWS configuration item history captured by AWS Config enables security analysis, resource change tracking, and compliance auditing. It is recommended that AWS Config be enabled in all regions. Config
CloudTrail
AWS should have ( ConfigRecorders with [ Status and RecordingGroup . AllSupported ] ) and ConfigDeliveryChannels with [ StreamDelivery . LastSuccess and HistoryDelivery . LastSuccess ]
Implement automated audit trails for all system components : CloudTrail - Lack of API Access Logging Implement automated audit trails for all system components to reconstruct the following events : All individual user accesses to cardholder data ; All actions taken by any individual with root or administrative privileges ; Access to all audit trails ; Invalid logical access attempts ; Use of and changes to identification and authentication mechanisms ; Initialization, stopping, or pausing of the audit logs ; Creation and deletion of system-level objects. S3
CloudTrail
CloudTrail should have S3Bucket . LoggingEnabled
Audit/log records: Ensure CloudTrail logs are encrypted at rest using KMS CMKs AWS CloudTrail is a web service that records AWS API calls for an account and makes those logs available to users and resources in accordance with IAM policies. AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data, and uses Hardware Security Modules (HSMs) to protect the security of encryption keys. CloudTrail logs can be configured to leverage server side encryption (SSE) and KMS customer created master keys (CMK) to further protect CloudTrail logs. It is recommended that CloudTrail be configured to use SSE-KMS. CloudTrail
CloudTrail should have KMSKey . id len ( ) > 0
Audit/log records: Ensure a log metric filter and alarm exist for CloudTrail configuration changes Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations. CloudWatch
CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*CreateTrail\)\s*\|\|\s*\(\$\.eventName\s*=\s*UpdateTrail\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteTrail\)\s*\|\|\s*\(\$\.eventName\s*=\s*StartLogging\)\s*\|\|\s*\(\$\.eventName\s*=\s*StopLogging\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Audit/log records: Ensure a log metric filter and alarm exist for AWS Config configuration changes Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations. CloudWatch
CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventSource\s*=\s*config\.amazonaws\.com\)\s*\&\&\s*\(\(\$\.eventName=StopConfigurationRecorder\)\s*\|\|\s*\(\$\.eventName=DeleteDeliveryChannel\)\s*\|\|\(\$\.eventName=PutDeliveryChannel\)\s*\|\|\s*\(\$\.eventName=PutConfigurationRecorder\)\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Implement automated audit trails for all system components : CloudTrail - Lack of Global Service Event Logging Implement automated audit trails for all system components to reconstruct the following events : All individual user accesses to cardholder data ; All actions taken by any individual with root or administrative privileges ; Access to all audit trails ; Invalid logical access attempts ; Use of and changes to identification and authentication mechanisms ; Initialization, stopping, or pausing of the audit logs ; Creation and deletion of system-level objects. CloudTrail
CloudTrail should have GlobalServiceEvents eq true
Implement automated audit trails for all system components : Lack of Logging For Access to S3 Buckets Implement automated audit trails for all system components to reconstruct the following events : All individual user accesses to cardholder data ; All actions taken by any individual with root or administrative privileges ; Access to all audit trails ; Invalid logical access attempts ; Use of and changes to identification and authentication mechanisms ; Initialization, stopping, or pausing of the audit logs ; Creation and deletion of system-level objects. S3
S3Bucket should have LoggingEnabled
Implement automated audit trails for all system components : S3 Buckets Lack Versioning Implement automated audit trails for all system components to reconstruct the following events : All individual user accesses to cardholder data ; All actions taken by any individual with root or administrative privileges ; Access to all audit trails ; Invalid logical access attempts ; Use of and changes to identification and authentication mechanisms ; Initialization, stopping, or pausing of the audit logs ; Creation and deletion of system-level objects. S3
S3Bucket should not have BucketVersioning . Status eq "Suspended" or BucketVersioning . Status eq "Disabled"
Implement automated audit trails for all system components : Redshift Parameter Groups Disable Logging Implement automated audit trails for all system components to reconstruct the following events : All individual user accesses to cardholder data ; All actions taken by any individual with root or administrative privileges ; Access to all audit trails ; Invalid logical access attempts ; Use of and changes to identification and authentication mechanisms ; Initialization, stopping, or pausing of the audit logs ; Creation and deletion of system-level objects. RedShift
RedShiftCluster should have LoggingEnabled eq true
Secure audit trails so they cannot be altered : CloudTrail Log Files Lack Integrity Validation Use file-integrity monitoring or change-detection on CloudTrail logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert). CloudTrail
CloudTrail should have LogFileValidationEnabled
Communications and control network protection: Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to port 22. EC2
SecurityGroup should not have InboundRules with [ IPRanges with [ IP eq 0.0.0.0/0 ] and ( FromPort lte 22 and ToPort gte 22 ) and Protocol in ("-1", "tcp") ]
Communications and control network protection: Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to port 3389. EC2
SecurityGroup should not have InboundRules with [ IPRanges with [ IP eq 0.0.0.0/0 ] and ( FromPort lte 3389 and ToPort gte 3389 ) and Protocol in ("-1", "udp", "tcp") ]
Ensure the default security group of every VPC restricts all traffic A VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that the default security group restrict all traffic. The default VPC in every region should have its default security group updated to comply. Any newly created VPCs will automatically contain a default security group that will need remediation to comply with this recommendation. EC2
SecurityGroup where Name eq "default" should have InboundRules len ( ) eq 0 and OutboundRules len ( ) eq 0
Review firewall and router rule sets at least every six months : Numerous Unused EC2 Security Groups Establish and implement firewall and router configuration standards that include the requirement to review firewall and router rule sets at least every six months. EC2
SecurityGroup where Name neq "default" should have NetworkInterfaces len ( ) neq 0
Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic : Do not use the default security group. Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment. Note: An untrusted network is any network that is external to the networks belonging to the entity under review, and/or which is out of the entity’s ability to control or manage EC2
NetworkInterface should not have any SecurityGroups with [ Name eq "default" ]
Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet : Outbound Internet unrestricted is not allowed. Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment. Note: An untrusted network is any network that is external to the networks belonging to the entity under review, and/or which is out of the entity’s ability to control or manage EC2
NetworkInterface should not have any SecurityGroups with [ OutboundRules with [ IPv6Ranges with [ IPv6 in ( "::/0" ) ] or IPRanges with [ IP in ( "0.0.0.0/0" ) ] ] ]
Communications and control network protection: Ensure no rule exists which allows all ingress traffic in default Network ACL Network ACLs are designed to provide a secondary layer of security. Adding a rule that allows all network traffic (all protocols, IPs, and source) prior to any deny rule defeats the purpose of network ACLs. EC2
NetworkACL should not have IsDefault eq true and Rules with [ RuleAction eq "allow" and Protocol eq "-1" and Egress eq False and CidrBlock eq 0.0.0.0/0 ]
Communications and control network protection: Ensure no rule exists which allows all ingress traffic in Network ACL which is associated with a subnet Network ACLs are designed to provide a secondary layer of security. Adding a rule that allows all network traffic (all protocols, IPs, and source) prior to any deny rule defeats the purpose of network ACLs. Network ACLs associated with subnets and VPCs should not allow all ingress traffic. EC2
NetworkACL where Subnets len( ) gt 0 should not have Rules with [ Egress eq False and RuleAction eq "allow" and Protocol eq "-1" and CidrBlock eq 0.0.0.0/0 ]
Communications and control network protection: Ensure RDS instances are not in public subnets Ensure RDS instances are not in public subnets. RDS
RDSInstance should not have Access eq "Public"
Implement an incident response plan : Lack of Multi-AZ Deployment for RDS Instances Create the incident response plan to be implemented in the event of system breach. Ensure the plan addresses the following, at a minimum: Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum. ; Specific incident response procedures. ; Business recovery and continuity procedures. ; Data backup processes. ; Analysis of legal requirements for reporting compromises. ; Coverage and responses of all critical system components. ; Reference or inclusion of incident response procedures from the payment brands RDS
RDSInstance should have MultiAZ eq true
Baseline network operations and data flows: Ensure VPC flow logging is enabled in all VPCs VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. It is recommended that VPC Flow Logs be enabled for packet 'Rejects' for VPCs. EC2
VPC should have atleast one FlowLogs with [ id ]
Personnel know response roles/operations: Ensure a support role has been created to manage incidents with AWS Support AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. Create an IAM Role to allow authorized users to manage incidents with AWS Support. IAM
IAMPolicy where id eq "arn:aws:iam::aws:policy/AWSSupportAccess" should have ( AttachedEntities . Groups len ( ) > 0 or AttachedEntities . Roles len ( ) > 0 or AttachedEntities . Users len ( ) > 0 )
Name Description Service Rule
Identities and credentials: Avoid the use of the "root" account: check for recent logins. The 'root' account has unrestricted access to all resources in the AWS account. It is highly recommended that the use of this account be avoided. IAM
IAMUser where RootUser eq True should not have Password . LastUsedTime isLaterThan ( -1, "days" )
Authentication: Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password Multi-Factor Authentication (MFA) adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. It is recommended that MFA be enabled for all accounts that have a console password. IAM
IAMUser where ( RootUser eq false and Password . Enabled eq true ) should have MFAActive eq true
Identities and credentials: Ensure passwords unused for 90 days or greater are disabled AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all passwords that have been unused for 90 days or greater be disabled. IAM
IAMUser where RootUser eq False should not have ( Password . Enabled and Password . LastUsedTime isEarlierThan ( -90, "days" ) )
Remote access: Ensure access keys unused for 90 days or greater are disabled AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all access keys that have been unused for 90 days or greater be disabled. IAM
IAMUser where RootUser eq False should not have AccessKey with [ Active and LastUsedTime isEarlierThan ( -90, "days" ) ]
Remote access: Ensure access keys are rotated every 90 days or less. Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. It is recommended that all access keys be regularly rotated. IAM
IAMUser should not have AccessKey with [ Active and LastRotatedTime isEarlierThan ( -90 , "days" ) ]
Identities and credentials: Ensure IAM password policy requires at least one uppercase letter. Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure passwords are composed of different character sets. It is recommended that the password policy require at least one uppercase letter. IAM
IAMPasswordPolicy should have Configured and RequireUppercaseCharacters
Identities and credentials: Ensure IAM password policy requires at least one lowercase letter. Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure passwords are composed of different character sets. It is recommended that the password policy require at least one lowercase letter. IAM
IAMPasswordPolicy should have Configured and RequireLowercaseCharacters
Identities and credentials: Ensure IAM password policy requires at least one symbol. Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure passwords are composed of different character sets. It is recommended that the password policy require at least one symbol. IAM
IAMPasswordPolicy should have Configured and RequireSymbols
Identities and credentials: Ensure IAM password policy requires at least one number. Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure passwords are composed of different character sets. It is recommended that the password policy require at least one number. IAM
IAMPasswordPolicy should have Configured and RequireNumbers
Identities and credentials: Ensure IAM password policy requires minimum length of 14 or greater. Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure passwords are at least a given length. It is recommended that the password policy require a minimum password length of 14. IAM
IAMPasswordPolicy should have Configured and MinimumPasswordLength >= 14
Identities and credentials: Ensure IAM password policy prevents password reuse IAM password policies can prevent the reuse of a given password by the same user. It is recommended that the password policy prevent the reuse of passwords. IAM
IAMPasswordPolicy should have Configured and PasswordReusePrevention >= 24
Identities and credentials: Ensure IAM password policy expires passwords within 90 days or less. IAM password policies can require passwords to be rotated or expired after a given number of days. It is recommended that the password policy expire passwords after 90 days or less. IAM
IAMPasswordPolicy should have Configured and ExpirePasswords and MaxPasswordAge <= 90
Remote access: Ensure no root account access key exists. The root account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. It is recommended that all access keys associated with the root account be removed. IAM
IAMUser where RootUser eq True should not have AccessKey with [ Active eq True ]
Authentication: Ensure MFA is enabled for the "root" account. The root account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a username and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. IAM
IAMUser where RootUser eq True should have MFAActive eq true
Authentication: Ensure hardware MFA is enabled for the "root" account. The root account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. For Level 2, it is recommended that the root account be protected with a hardware MFA. IAM
IAMUser where RootUser eq True should have MFAActive eq true and MFADevices . Physical len ( ) gt 0
Access permissions and authorizations: Ensure IAM policies are attached only to groups or roles. By default, IAM users, groups, and roles have no access to AWS resources. IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended that IAM policies be applied directly to groups and roles but not users. IAM
IAMUser should have ( Policies . Managed len ( ) eq 0 and Policies . Inline len ( ) eq 0 )
Remote access: Do not setup access keys during initial user setup for all IAM users that have a console password AWS console defaults the checkbox for creating access keys to enabled. This results in many access keys being generated unnecessarily. In addition to unnecessary credentials, it also generates unnecessary management work in auditing and rotating these keys. IAM
IAMUser where Password . Enabled eq true should not have AccessKey with [ Active and CreatedByDefault ]
Access permissions and authorizations: Ensure IAM policies that allow full "*:*" administrative privileges are not created. IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended and considered standard security advice to grant least privilege — that is, granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform only those tasks, instead of allowing full administrative privileges. IAM
IAMPolicy should not have Permissions . Statements with [ Action with [ value eq "*" ] and Resource with [ value eq "*" ] and Effect eq "Allow" ] and ( AttachedEntities . Groups len ( ) gt 0 or AttachedEntities . Roles len ( ) gt 0 or AttachedEntities . Users len ( ) gt 0 )
Audit/log records: Ensure CloudTrail is enabled. AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an account, including API calls made via the Management Console, SDKs, command line tools, and higher-level AWS services (such as CloudFormation). CloudTrail
AWS should have atleast one CloudTrails with [ MultiRegionTrailEnabled and LoggingEnabled eq True ]
Secure audit trails so they cannot be altered : CloudTrail Log Files Lack Integrity Validation Use file-integrity monitoring or change-detection on CloudTrail logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert). CloudTrail
CloudTrail should have LogFileValidationEnabled
Audit/log records: Ensure the S3 bucket CloudTrail logs to is not publicly accessible CloudTrail logs a record of every API call made in your AWS account. These log files are stored in an S3 bucket. It is recommended that the bucket policy or access control list (ACL) applied to the S3 bucket that CloudTrail logs to prevents public access to the CloudTrail logs. S3
CloudTrail
CloudTrail should not have S3Bucket . ACL with [ ( Permission eq "WRITE" or Permission eq "WRITE_ACP" or Permission eq "READ" or Permission eq "READ_ACP" or Permission eq "FULL_CONTROL" ) and Grantee. URI eq "http://acs.amazonaws.com/groups/global/AllUsers" ] or S3Bucket . BucketPolicy with [ Statement with [ Effect eq "Allow" and Principal has ( "*" ) and Conditions len ( ) eq 0 ] ]
Audit/log records: Ensure CloudTrail trails are integrated with CloudWatch Logs AWS CloudTrail is a web service that records AWS API calls made in a given AWS account. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail uses Amazon S3 for log file storage and delivery, so log files are stored durably. In addition to capturing CloudTrail logs within a specified S3 bucket for long term analysis, real-time analysis can be performed by configuring CloudTrail to send logs to CloudWatch Logs. For a trail that is enabled in all regions in an account, CloudTrail sends log files from all those regions to a CloudWatch Logs log group. It is recommended that CloudTrail logs be sent to CloudWatch Logs. CloudTrail
CloudTrail should have LogGroup
Audit/log records: Ensure AWS Config is enabled in all regions AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), and any configuration changes between resources. The AWS configuration item history captured by AWS Config enables security analysis, resource change tracking, and compliance auditing. It is recommended that AWS Config be enabled in all regions. Config
CloudTrail
AWS should have ( ConfigRecorders with [ Status and RecordingGroup . AllSupported ] ) and ConfigDeliveryChannels with [ StreamDelivery . LastSuccess and HistoryDelivery . LastSuccess ]
Implement automated audit trails for all system components : CloudTrail - Lack of API Access Logging Implement automated audit trails for all system components to reconstruct the following events : All individual user accesses to cardholder data ; All actions taken by any individual with root or administrative privileges ; Access to all audit trails ; Invalid logical access attempts ; Use of and changes to identification and authentication mechanisms ; Initialization, stopping, or pausing of the audit logs ; Creation and deletion of system-level objects. S3
CloudTrail
CloudTrail should have S3Bucket . LoggingEnabled
Audit/log records: Ensure CloudTrail logs are encrypted at rest using KMS CMKs AWS CloudTrail is a web service that records AWS API calls for an account and makes those logs available to users and resources in accordance with IAM policies. AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data, and uses Hardware Security Modules (HSMs) to protect the security of encryption keys. CloudTrail logs can be configured to leverage server side encryption (SSE) and KMS customer created master keys (CMK) to further protect CloudTrail logs. It is recommended that CloudTrail be configured to use SSE-KMS. CloudTrail
CloudTrail should have KMSKey . id len ( ) > 0
Data-at-rest is protected: Ensure rotation for customer created CMKs is enabled AWS Key Management Service (KMS) allows customers to rotate the backing key, which is key material stored within KMS and tied to the key ID of the customer created customer master key (CMK). It is the backing key that is used to perform cryptographic operations such as encryption and decryption. Automated key rotation currently retains all prior backing keys so that decryption of encrypted data can take place transparently. It is recommended that CMK key rotation be enabled. KMS
KMSKey where Description notlike "Default master key that protects my.*" should have RotationEnabled
Baseline network operations and data flows: Ensure VPC flow logging is enabled in all VPCs VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. It is recommended that VPC Flow Logs be enabled for packet 'Rejects' for VPCs. EC2
VPC should have atleast one FlowLogs with [ id ]
Remote access: Ensure a log metric filter and alarm exist for unauthorized API calls Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for unauthorized API calls. CloudWatch
CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.errorCode\s*=\s*\"\*UnauthorizedOperation\"\)\s*\|\|\s*\(\$\.errorCode\s*=\s*\"AccessDenied\*\"\)\s*\|\|\s*\(\$\.sourceIPAddress\s*!=\s*\"delivery\.logs\.amazonaws\.com\"\)\s*\|\|\s*\(\$\.eventName\s*!=\s*\"HeadBucket\"\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Identities and credentials: Ensure a log metric filter and alarm exist for Management Console sign-in without MFA Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for console logins that are not protected by multi-factor authentication (MFA) CloudWatch
CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*\"ConsoleLogin\"\)\s*\&\&\s*\(\$\.additionalEventData\.MFAUsed\s*!=\s*\"Yes\"\)\s*\&\&\s*\(\$\.userIdentity\.type\s*=\s*\"IAMUser\"\)\s*\&\&\s*\(\$\.responseElements\.ConsoleLogin\s*=\s*\"Success\"\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Identities and credentials: Ensure a log metric filter and alarm exist for usage of "root" account Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for root login attempts CloudWatch
CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "{\s*\$\.userIdentity\.type\s*=\s*\"Root\"\s*\&\&\s*\$\.userIdentity\.invokedBy\s*NOT\s*EXISTS\s*\&\&\s*\$\.eventType\s*!=\s*\"AwsServiceEvent\"\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Identities and credentials: Ensure a log metric filter and alarm exist for IAM policy changes Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for changes made to Identity and Access Management (IAM) policies. CloudWatch
CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*DeleteGroupPolicy\)\|\|\(\$\.eventName\s*=\s*DeleteRolePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteUserPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutGroupPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutRolePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutUserPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreatePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeletePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreatePolicyVersion\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeletePolicyVersion\)\s*\|\|\s*\(\$\.eventName\s*=\s*AttachRolePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DetachRolePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*AttachUserPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DetachUserPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*AttachGroupPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DetachGroupPolicy\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Audit/log records: Ensure a log metric filter and alarm exist for CloudTrail configuration changes Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations. CloudWatch
CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*CreateTrail\)\s*\|\|\s*\(\$\.eventName\s*=\s*UpdateTrail\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteTrail\)\s*\|\|\s*\(\$\.eventName\s*=\s*StartLogging\)\s*\|\|\s*\(\$\.eventName\s*=\s*StopLogging\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Identities and credentials: Ensure a log metric filter and alarm exist for AWS Management Console authentication failures Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for failed console authentication attempts. CloudWatch
CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*ConsoleLogin\)\s*\&\&\s*\(\$\.errorMessage\s*=\s*\"Failed\s*authentication\"\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Data-at-rest is protected: Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for customer created CMKs which have changed state to disabled or scheduled deletion. CloudWatch
CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventSource\s*=\s*kms\.amazonaws\.com\)\s*\&\&\s*\(\(\$\.eventName=DisableKey\)\s*\|\|\s*\(\$\.eventName=ScheduleKeyDeletion\)\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Ensure a log metric filter and alarm exist for S3 bucket policy changes Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for changes to S3 bucket policies. CloudWatch
CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventSource\s*=\s*s3\.amazonaws\.com\)\s*\&\&\s*\(\(\$\.eventName\s*=\s*PutBucketAcl\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutBucketPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutBucketCors\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutBucketLifecycle\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutBucketReplication\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteBucketPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteBucketCors\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteBucketLifecycle\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteBucketReplication\)\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Audit/log records: Ensure a log metric filter and alarm exist for AWS Config configuration changes Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to the AWS Config configuration (recorder and delivery channel). CloudWatch
CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventSource\s*=\s*config\.amazonaws\.com\)\s*\&\&\s*\(\(\$\.eventName=StopConfigurationRecorder\)\s*\|\|\s*\(\$\.eventName=DeleteDeliveryChannel\)\s*\|\|\(\$\.eventName=PutDeliveryChannel\)\s*\|\|\s*\(\$\.eventName=PutConfigurationRecorder\)\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Network integrity: Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. NACLs are used as a stateless packet filter to control ingress and egress traffic for subnets within a VPC. It is recommended that a metric filter and alarm be established for changes made to NACLs. CloudWatch
CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*CreateNetworkAcl\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreateNetworkAclEntry\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteNetworkAcl\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteNetworkAclEntry\)\s*\|\|\s*\(\$\.eventName\s*=\s*ReplaceNetworkAclEntry\)\s*\|\|\s*\(\$\.eventName\s*=\s*ReplaceNetworkAclAssociation\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Network integrity: Ensure a log metric filter and alarm exist for changes to network gateways Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Network gateways are required to send/receive traffic to a destination outside of a VPC. It is recommended that a metric filter and alarm be established for changes to network gateways. CloudWatch
CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*CreateCustomerGateway\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteCustomerGateway\)\s*\|\|\s*\(\$\.eventName\s*=\s*AttachInternetGateway\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreateInternetGateway\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteInternetGateway\)\s*\|\|\s*\(\$\.eventName\s*=\s*DetachInternetGateway\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Network integrity: Ensure a log metric filter and alarm exist for route table changes Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Routing tables are used to route network traffic between subnets and to network gateways. It is recommended that a metric filter and alarm be established for changes to route tables. CloudWatch
CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*CreateRoute\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreateRouteTable\)\s*\|\|\s*\(\$\.eventName\s*=\s*ReplaceRoute\)\s*\|\|\s*\(\$\.eventName\s*=\s*ReplaceRouteTableAssociation\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteRouteTable\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteRoute\)\s*\|\|\s*\(\$\.eventName\s*=\s*DisassociateRouteTable\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Network integrity: Ensure a log metric filter and alarm exist for VPC changes Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is possible to have more than 1 VPC within an account, in addition it is also possible to create a peer connection between 2 VPCs enabling network traffic to route between VPCs. It is recommended that a metric filter and alarm be established for changes made to VPCs. CloudWatch
CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*CreateVpc\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteVpc\)\s*\|\|\s*\(\$\.eventName\s*=\s*ModifyVpcAttribute\)\s*\|\|\s*\(\$\.eventName\s*=\s*AcceptVpcPeeringConnection\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreateVpcPeeringConnection\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteVpcPeeringConnection\)\s*\|\|\s*\(\$\.eventName\s*=\s*RejectVpcPeeringConnection\)\s*\|\|\s*\(\$\.eventName\s*=\s*AttachClassicLinkVpc\)\s*\|\|\s*\(\$\.eventName\s*=\s*DetachClassicLinkVpc\)\s*\|\|\s*\(\$\.eventName\s*=\s*DisableVpcClassicLink\)\s*\|\|\s*\(\$\.eventName\s*=\s*EnableVpcClassicLink\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
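The metric-filter rules above only verify that a filter with the expected pattern and a subscribed alarm exist; they do not show what the patterns actually match. The block below is an added example (not Netskope's code or part of this page's rule set) that re-states four of those patterns as Python predicates, the root-usage, console-sign-in-without-MFA, console-authentication-failure and unauthorized-API-call filters, and runs them over constructed CloudTrail records. Field names follow the CloudTrail record format; the events, the `_get`/`_eq`/`_ne` helpers and the choice to treat a missing field as satisfying a `!=` test are assumptions of this example. It also reproduces the unauthorized-API-call pattern exactly as the rule above expects it, with all four clauses joined by `||`, so the reader can see that in that form any event whose `sourceIPAddress` is not the log-delivery address matches.

```python
"""Run the CloudTrail metric-filter conditions above over sample events.

Added example (not Netskope's code): each predicate re-states one of the
filter patterns the rules above expect and is applied to constructed
CloudTrail records. Treating an absent field as satisfying a != test is an
assumption of this example, not a statement about CloudWatch semantics.
"""
from fnmatch import fnmatchcase


def _get(event: dict, path: str):
    """Resolve a CloudWatch-style $.a.b path; None when any part is missing."""
    cur = event
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def _eq(event, path, pattern) -> bool:
    """$.path = "pattern", with * as a wildcard as in the filter syntax."""
    val = _get(event, path)
    return val is not None and fnmatchcase(str(val), pattern)


def _ne(event, path, pattern) -> bool:
    return not _eq(event, path, pattern)


def root_usage(e) -> bool:
    # invokedBy NOT EXISTS and eventType != AwsServiceEvent drop actions that
    # AWS services perform on the root account's behalf.
    return (_eq(e, "userIdentity.type", "Root")
            and _get(e, "userIdentity.invokedBy") is None
            and _ne(e, "eventType", "AwsServiceEvent"))


def console_login_without_mfa(e) -> bool:
    return (_eq(e, "eventName", "ConsoleLogin")
            and _ne(e, "additionalEventData.MFAUsed", "Yes")
            and _eq(e, "userIdentity.type", "IAMUser")
            and _eq(e, "responseElements.ConsoleLogin", "Success"))


def console_auth_failure(e) -> bool:
    return (_eq(e, "eventName", "ConsoleLogin")
            and _eq(e, "errorMessage", "Failed authentication"))


def unauthorized_api_call(e) -> bool:
    # errorCode test, with the log-delivery and HeadBucket exclusions ANDed
    # so that they narrow the match instead of widening it.
    return ((_eq(e, "errorCode", "*UnauthorizedOperation")
             or _eq(e, "errorCode", "AccessDenied*"))
            and _ne(e, "sourceIPAddress", "delivery.logs.amazonaws.com")
            and _ne(e, "eventName", "HeadBucket"))


def unauthorized_api_call_as_written(e) -> bool:
    # The same four clauses joined with ||, as in the pattern the rule above
    # expects: any event not from the log-delivery address then matches.
    return (_eq(e, "errorCode", "*UnauthorizedOperation")
            or _eq(e, "errorCode", "AccessDenied*")
            or _ne(e, "sourceIPAddress", "delivery.logs.amazonaws.com")
            or _ne(e, "eventName", "HeadBucket"))


DETECTORS = {"root_usage": root_usage,
             "console_login_without_mfa": console_login_without_mfa,
             "console_auth_failure": console_auth_failure,
             "unauthorized_api_call": unauthorized_api_call}

SAMPLE_EVENTS = [  # constructed records, not real CloudTrail output
    {"eventID": "ev1", "eventType": "AwsConsoleSignIn", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root"}, "sourceIPAddress": "198.51.100.7",
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventID": "ev2", "eventType": "AwsApiCall", "eventName": "DescribeConfigurationRecorders",
     "userIdentity": {"type": "Root", "invokedBy": "config.amazonaws.com"},
     "sourceIPAddress": "config.amazonaws.com"},
    {"eventID": "ev3", "eventType": "AwsConsoleSignIn", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "No"}, "sourceIPAddress": "198.51.100.7",
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventID": "ev4", "eventType": "AwsConsoleSignIn", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "No"}, "sourceIPAddress": "198.51.100.7",
     "responseElements": {"ConsoleLogin": "Failure"}, "errorMessage": "Failed authentication"},
    {"eventID": "ev5", "eventType": "AwsApiCall", "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "198.51.100.9", "errorCode": "Client.UnauthorizedOperation"},
    {"eventID": "ev6", "eventType": "AwsApiCall", "eventName": "ListBuckets",
     "userIdentity": {"type": "AssumedRole"}, "sourceIPAddress": "198.51.100.9"},
]


def evaluate(events) -> dict:
    """Map eventID -> names of the detectors that fired."""
    return {e["eventID"]: [n for n, f in DETECTORS.items() if f(e)] for e in events}


if __name__ == "__main__":
    for event_id, hits in evaluate(SAMPLE_EVENTS).items():
        print(event_id, hits or "-", "as-written:", unauthorized_api_call_as_written(
            next(e for e in SAMPLE_EVENTS if e["eventID"] == event_id)))
```

Run it as a script to see which detector fires for each record; `ev2` (a service acting on the root account's behalf) and `ev6` (a benign `ListBuckets`) produce no hits with the ANDed form, while `ev6` still satisfies the `||` form because its source address is not `delivery.logs.amazonaws.com`. When writing your own filter, keep the `errorCode` alternatives grouped and join the exclusions with `&&`.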
Communications and control network protection: Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to port 22. EC2
SecurityGroup should not have InboundRules with [ IPRanges with [ IP eq 0.0.0.0/0 ] and ( FromPort lte 22 and ToPort gte 22 ) and Protocol in ("-1", "tcp") ]
Communications and control network protection: Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to port 3389. EC2
SecurityGroup should not have InboundRules with [ IPRanges with [ IP eq 0.0.0.0/0 ] and ( FromPort lte 3389 and ToPort gte 3389 ) and Protocol in ("-1", "udp", "tcp") ]
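The two rules above, like the per-port rules earlier in the table, all reduce to one test: a permission exposes port P when its protocol is "-1" or P's protocol, P lies inside FromPort..ToPort, and a source range is public. Note that the port-22 and port-3389 rules as written test `IP eq 0.0.0.0/0` in `IPRanges` only, so a `::/0` entry in the IPv6 ranges or a public IPv4 range narrower than /0 would not trigger them, whereas the earlier rules use `IP isPublic ()`. The block below is an added example (not Netskope's code) that applies the test to data in the shape of `describe-security-groups` output; the group IDs, names and permissions are constructed, and the `include_ipv6` switch is this example's own way of showing the difference.

```python
"""Check EC2 security groups for a port reachable from the public Internet.

Added example (not Netskope's code). A permission exposes port P when
IpProtocol is "-1" or P's protocol, P lies inside FromPort..ToPort and at
least one source CIDR is public. The groups below are constructed data in
the describe-security-groups IpPermissions shape.
"""
import ipaddress

SAMPLE_GROUPS = [  # constructed, not from a real account
    {"GroupId": "sg-0000000000000001", "GroupName": "bastion",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0000000000000002", "GroupName": "rdp-v6",
     "IpPermissions": [
         # 3389 sits inside a wide range and is open only over IPv6.
         {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
          "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0000000000000003", "GroupName": "internal",
     "IpPermissions": [
         # All protocols and ports, but only from RFC 1918 space.
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
          "Ipv6Ranges": []}]},
]


def is_public_cidr(cidr: str) -> bool:
    """True for 0.0.0.0/0, ::/0 or any range outside private/local space."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 0:
        return True
    return not (net.is_private or net.is_loopback
                or net.is_link_local or net.is_multicast)


def permission_exposes_port(perm: dict, port: int, protocol: str = "tcp",
                            include_ipv6: bool = True) -> bool:
    """Mirror of: Protocol in ("-1", proto) and FromPort <= port <= ToPort
    and a public source range. "-1" permissions carry no port fields."""
    proto = perm.get("IpProtocol")
    if proto not in ("-1", protocol):
        return False
    if proto != "-1" and not (perm["FromPort"] <= port <= perm["ToPort"]):
        return False
    sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    if include_ipv6:
        # The 22/3389 rules test IPRanges only; ::/0 slips past an IPv4-only check.
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return any(is_public_cidr(c) for c in sources)


def find_exposed(groups: list, port: int, protocol: str = "tcp",
                 include_ipv6: bool = True) -> list:
    """GroupIds with at least one ingress permission exposing the port."""
    return [g["GroupId"] for g in groups
            if any(permission_exposes_port(p, port, protocol, include_ipv6)
                   for p in g.get("IpPermissions", []))]


if __name__ == "__main__":
    for port, proto in ((22, "tcp"), (3389, "tcp"), (53, "udp")):
        print(port, proto, find_exposed(SAMPLE_GROUPS, port, proto),
              "ipv4-only:", find_exposed(SAMPLE_GROUPS, port, proto, False))
```

The same function covers the DNS, MongoDB, NFS and SMTP rules by changing `port` and `protocol`; a real audit would feed it the `SecurityGroups` list from `describe-security-groups` and then map the flagged group IDs to attached network interfaces, since an unattached group exposes nothing.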
Ensure the default security group of every VPC restricts all traffic A VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that the default security group restrict all traffic. The default VPC in every region should have its default security group updated to comply. Any newly created VPCs will automatically contain a default security group that will need remediation to comply with this recommendation. EC2
SecurityGroup where Name eq "default" should have InboundRules len ( ) eq 0 and OutboundRules len ( ) eq 0
Personnel know response roles/operations: Ensure a support role has been created to manage incidents with AWS Support AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. Create an IAM Role to allow authorized users to manage incidents with AWS Support. IAM
IAMPolicy where id eq "arn:aws:iam::aws:policy/AWSSupportAccess" should have ( AttachedEntities . Groups len ( ) > 0 or AttachedEntities . Roles len ( ) > 0 or AttachedEntities . Users len ( ) > 0 )
Name Description Service Rule
Review firewall and router rule sets at least every six months : Numerous Unused EC2 Security Groups Establish and implement firewall and router configuration standards that include the requirement to review firewall and router rule sets at least every six months. EC2
SecurityGroup where Name neq "default" should have NetworkInterfaces len ( ) neq 0
Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic : Do not use the default security group. Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment. Note: An untrusted network is any network that is external to the networks belonging to the entity under review, and/or which is out of the entity’s ability to control or manage EC2
NetworkInterface should not have any SecurityGroups with [ Name eq "default" ]
Inbound Internet traffic is not allowed Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment. Note: An untrusted network is any network that is external to the networks belonging to the entity under review, and/or which is out of the entity’s ability to control or manage. This rule specifically checks for public IPs in inbound rules of Security Group. EC2
NetworkInterface should not have any SecurityGroups with [ InboundRules with [ IPv6Ranges with [ IPv6 isPublic ( ) ] or IPRanges with [ IP isPublic ( ) ] ] ]
Inbound All ports/protocols is not allowed Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment. Note: An untrusted network is any network that is external to the networks belonging to the entity under review, and/or which is out of the entity’s ability to control or manage. This rule specifically checks for security group inbound rule with all ports open. EC2
SecurityGroup should not have InboundRules with [ Protocol eq "-1" and ( FromPort eq 0 and ToPort eq 65535 ) ]
Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet : Outbound Internet unrestricted is not allowed. Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment. Note: An untrusted network is any network that is external to the networks belonging to the entity under review, and/or which is out of the entity’s ability to control or manage EC2
NetworkInterface should not have any SecurityGroups with [ OutboundRules with [ IPv6Ranges with [ IPv6 in ( "::/0" ) ] or IPRanges with [ IP in ( "0.0.0.0/0" ) ] ] ]
Render PAN unreadable anywhere it is stored : Weak RDS backup policy Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches: One-way hashes based on strong cryptography, (hash must be of the entire PAN). ; Truncation (hashing cannot be used to replace the truncated segment of PAN). ; Index tokens and pads (pads must be securely stored). ; Strong cryptography with associated key-management processes and procedures. ; Note: It is a relatively trivial effort for a malicious individual to reconstruct original PAN data if they have access to both the truncated and hashed version of a PAN. Where hashed and truncated versions of the same PAN are present in an entity’s environment, additional controls must be in place to ensure that the hashed and truncated versions cannot be correlated to reconstruct the original PAN RDS
RDSInstance should have BackupRetentionPeriod neq 0
Render PAN unreadable anywhere it is stored : Redshift Cluster Not Encrypted At Rest Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches: One-way hashes based on strong cryptography, (hash must be of the entire PAN). ; Truncation (hashing cannot be used to replace the truncated segment of PAN). ; Index tokens and pads (pads must be securely stored). ; Strong cryptography with associated key-management processes and procedures. ; Note: It is a relatively trivial effort for a malicious individual to reconstruct original PAN data if they have access to both the truncated and hashed version of a PAN. Where hashed and truncated versions of the same PAN are present in an entity’s environment, additional controls must be in place to ensure that the hashed and truncated versions cannot be correlated to reconstruct the original PAN RedShift
RedShiftCluster should have Encrypted eq true
Fully document and implement all key-management processes and procedures for cryptographic keys used for encryption of cardholder data : Lack of Access Key Rotation Cryptographic key changes for keys that have reached the end of their cryptoperiod (for example, after a defined period of time has passed and/or after a certain amount of cipher-text has been produced by a given key), as defined by AWS or the key owner, and based on industry best practices and guidelines (for example, NIST Special Publication 800-57). IAM
IAMUser should not have AccessKey with [ Active and CreatedTime isEarlierThan ( -90, "days" ) ]
Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission: Redshift Cluster has require_ssl disabled Sensitive information must be encrypted during transmission over public networks, because it is easy and common for a malicious individual to intercept and/or divert data while in transit. RedShift
RedShiftCluster should have ClusterParameterGroups with [ ClusterParameterGroup with [ ParameterName eq "require_ssl" and ParameterValue eq "true" ] ]
Install critical security patches within one month of release. : Auto Minor Version Upgrade Disabled for RDS Instances Ensure that all system components and software are protected from known vulnerabilities by installing applicable AWS RDSInstance security patches. Install critical security patches within one month of release. RDS
RDSInstance should have AutoMinorVersionUpgrade eq true
Restrict access to cardholder data : IAM Policies with Effect as Allow and Action with iam:PassRole for All Roles Limit access to system components and cardholder data to only those individuals whose job requires such access. IAM
IAMRole should not have Policies . Inline with [ PolicyDocument . Statements with [ Action with [ value eq "iam:PassRole" ]]]
Establish an access control system(s) : IAM Policies with Effect as Allow and Action with iam:PassRole for All Roles Establish an access control system(s) for systems components that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed. IAM
IAMPolicy should not have Permissions . Statements with [ Action with [ value eq "iam:PassRole" ] and Resource with [ value eq "*" ] ]
Establish an access control system(s) : Inadequate Access Controls on S3 Buckets Establish an access control system(s) for systems components that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed. S3
S3Bucket where BucketVersioning . Status eq "Enabled" should not have BucketVersioning . MFADelete eq "Disabled"
Establish an access control system(s) : IAM Policies with Effect as Allow and Action with sts:AssumeRole for All Roles Establish an access control system(s) for systems components that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed. IAM
IAMRole should not have AssumeRolePolicy . Statement with [ Action eq "sts:AssumeRole" and Principal . AWS has ("*") ]
Establish an access control system(s) : IAM Headless User Account with Password Establish an access control system(s) for systems components that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed. IAM
IAMUser should not have ( atleast one AccessKey with [ Active eq true ] and Password . Enabled eq True )
Establish an access control system(s) : S3 Bucket ACLs with Grant Access to All Users Establish an access control system(s) for systems components that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed. S3
S3Bucket should not have ACL with [ ( Permission eq "WRITE" or Permission eq "WRITE_ACP" or Permission eq "READ" or Permission eq "READ_ACP" or Permission eq "FULL_CONTROL" ) and Grantee . URI eq "http://acs.amazonaws.com/groups/global/AllUsers" ]
Establish an access control system(s) : S3 Bucket ACLs with Grant Access to Authenticated Users Establish an access control system(s) for systems components that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed. S3
S3Bucket should not have ACL with [ ( Permission eq "WRITE" or Permission eq "WRITE_ACP" or Permission eq "READ" or Permission eq "READ_ACP" or Permission eq "FULL_CONTROL" ) and Grantee . Type eq "Group" and Grantee . URI eq "http://acs.amazonaws.com/groups/global/AuthenticatedUsers" ]
Establish an access control system(s) : IAM Policies with Effect Allow and NotActions Establish an access control system(s) for systems components that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed. IAM
IAMPolicy should not have Permissions . Statements with [ Effect eq "Allow" and ( NotAction len ( ) gt 0 or Action with [ value eq "*" ] ) ] and ( AttachedEntities . Groups len ( ) gt 0 or AttachedEntities . Roles len ( ) gt 0 or AttachedEntities . Users len ( ) gt 0 )
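The "*:*" administrative rule earlier in the table, the iam:PassRole-on-Resource-"*" rule and the Allow-with-NotAction rule above all inspect the same policy grammar, where Statement, Action, NotAction and Resource may each be a single string or a list. The block below is an added example (not Netskope's code) that normalises that grammar and reports the three conditions over constructed policy documents; the finding codes, the sample Sids and the account ID in the role ARN are this example's own.

```python
"""Audit IAM policy documents for over-broad Allow statements.

Added example (not Netskope's code) covering the "*:*" administrative
rule, the Allow-with-NotAction rule and the iam:PassRole-on-Resource-*
rule above. It normalises the policy grammar first: Statement, Action,
NotAction and Resource may each be a single string or a list.
"""


def _as_list(value) -> list:
    """IAM accepts "x" or ["x", "y"]; always work with a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_policy(document: dict) -> list:
    """Return (Sid, finding) pairs for every Allow statement that is
    administrative (* on *), uses NotAction, or passes any role."""
    findings = []
    for index, stmt in enumerate(_as_list(document.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        sid = stmt.get("Sid", f"Statement[{index}]")
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        resources = _as_list(stmt.get("Resource"))
        if "*" in actions and "*" in resources:
            findings.append((sid, "FULL_ADMIN"))
        if "NotAction" in stmt:
            # Allow + NotAction grants everything except the listed actions,
            # including services that did not exist when it was written.
            findings.append((sid, "ALLOW_NOTACTION"))
        if "iam:passrole" in actions and "*" in resources:
            # Whoever holds this can hand any role in the account to a
            # service and so act with that role's permissions.
            findings.append((sid, "PASSROLE_ANY_ROLE"))
    return findings


# Constructed sample documents (account ID and bucket name are placeholders).
ADMIN_POLICY = {"Version": "2012-10-17",
                "Statement": {"Sid": "AdminAll", "Effect": "Allow",
                              "Action": "*", "Resource": "*"}}
NOTACTION_POLICY = {"Version": "2012-10-17",
                    "Statement": [{"Sid": "AllButIam", "Effect": "Allow",
                                   "NotAction": ["iam:*"], "Resource": "*"}]}
PASSROLE_POLICY = {"Version": "2012-10-17",
                   "Statement": [{"Sid": "LaunchWithAnyRole", "Effect": "Allow",
                                  "Action": ["ec2:RunInstances", "iam:PassRole"],
                                  "Resource": "*"}]}
SCOPED_POLICY = {"Version": "2012-10-17",
                 "Statement": [
                     {"Sid": "ReadOneBucket", "Effect": "Allow",
                      "Action": ["s3:GetObject"],
                      "Resource": "arn:aws:s3:::example-bucket/*"},
                     {"Sid": "PassOneRole", "Effect": "Allow",
                      "Action": "iam:PassRole",
                      "Resource": "arn:aws:iam::123456789012:role/app-role"},
                     {"Sid": "DenyEverything", "Effect": "Deny",
                      "Action": "*", "Resource": "*"}]}


def audit_all(policies: dict) -> dict:
    """Map policy name -> findings, omitting policies with none."""
    return {name: f for name, doc in policies.items() if (f := audit_policy(doc))}


if __name__ == "__main__":
    for name, found in audit_all({"admin": ADMIN_POLICY, "notaction": NOTACTION_POLICY,
                                  "passrole": PASSROLE_POLICY,
                                  "scoped": SCOPED_POLICY}).items():
        print(name, found)
```

`ADMIN_POLICY` deliberately carries a bare Statement object rather than a list, the form that trips up naive `for stmt in doc["Statement"]` loops. The PassRole check matches the explicit action only, as the rule above does; a policy granting `iam:*` or `*` on `Resource "*"` is already caught as `FULL_ADMIN` or should be scoped down on its own merits.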
Remove/disable inactive user accounts within 90 days Define and implement policies and procedures to ensure proper user identification management for non-consumer users and administrators on all system components. IAM
IAMUser where RootUser eq false should not have ( ( Password . Enabled and Password . LastUsedTime isEarlierThan ( -90, "days" ) ) or ( AccessKey with [ Active and LastUsedTime isEarlierThan ( -90, "days" ) ] ) )
Ensure proper user-authentication management for non-consumer users and administrators : IAM Weak Password Policy Passwords/passphrases must meet the following: Require a minimum length of at least seven characters. Contain both numeric and alphabetic characters. Alternatively, the passwords/passphrases must have complexity and strength at least equivalent to the parameters specified above IAM
IAMPasswordPolicy should have RequireUppercaseCharacters and RequireLowercaseCharacters and (MinimumPasswordLength gte 8 or RequireSymbols )
Secure all individual non-console administrative access and all remote access using multi-factor authentication : IAM Users Lack Multi-Factor Authentication Incorporate multi-factor authentication for all remote network access (both user and administrator, and including third party access for support or maintenance) originating from outside the entity’s network IAM
IAMUser where Password . Enabled eq true should have MFAActive eq true
Implement automated audit trails for all system components : CloudTrail - Lack of Global Service Event Logging Implement automated audit trails for all system components to reconstruct the following events : All individual user accesses to cardholder data ; All actions taken by any individual with root or administrative privileges ; Access to all audit trails ; Invalid logical access attempts ; Use of and changes to identification and authentication mechanisms ; Initialization, stopping, or pausing of the audit logs ; Creation and deletion of system-level objects. CloudTrail
CloudTrail should have GlobalServiceEvents eq true
Implement automated audit trails for all system components : CloudTrail - Lack of API Access Logging Implement automated audit trails for all system components to reconstruct the following events : All individual user accesses to cardholder data ; All actions taken by any individual with root or administrative privileges ; Access to all audit trails ; Invalid logical access attempts ; Use of and changes to identification and authentication mechanisms ; Initialization, stopping, or pausing of the audit logs ; Creation and deletion of system-level objects. S3
CloudTrail
CloudTrail should have S3Bucket . LoggingEnabled
Implement automated audit trails for all system components : Lack of Logging For Access to S3 Buckets Implement automated audit trails for all system components to reconstruct the following events : All individual user accesses to cardholder data ; All actions taken by any individual with root or administrative privileges ; Access to all audit trails ; Invalid logical access attempts ; Use of and changes to identification and authentication mechanisms ; Initialization, stopping, or pausing of the audit logs ; Creation and deletion of system-level objects. S3
S3Bucket should have LoggingEnabled
Implement automated audit trails for all system components : S3 Buckets Lack Versioning Implement automated audit trails for all system components to reconstruct the following events : All individual user accesses to cardholder data ; All actions taken by any individual with root or administrative privileges ; Access to all audit trails ; Invalid logical access attempts ; Use of and changes to identification and authentication mechanisms ; Initialization, stopping, or pausing of the audit logs ; Creation and deletion of system-level objects. S3
S3Bucket should not have BucketVersioning . Status eq "Suspended" or BucketVersioning . Status eq "Disabled"
Implement automated audit trails for all system components : Redshift Parameter Groups Disable Logging Implement automated audit trails for all system components to reconstruct the following events : All individual user accesses to cardholder data ; All actions taken by any individual with root or administrative privileges ; Access to all audit trails ; Invalid logical access attempts ; Use of and changes to identification and authentication mechanisms ; Initialization, stopping, or pausing of the audit logs ; Creation and deletion of system-level objects. RedShift
RedShiftCluster should have LoggingEnabled eq true
Secure audit trails so they cannot be altered : CloudTrail Log Files Lack Integrity Validation Use file-integrity monitoring or change-detection on CloudTrail logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert). CloudTrail
CloudTrail should have LogFileValidationEnabled
Implement an incident response plan : Lack of Multi-AZ Deployment for RDS Instances Create the incident response plan to be implemented in the event of system breach. Ensure the plan addresses the following, at a minimum: Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum. ; Specific incident response procedures. ; Business recovery and continuity procedures. ; Data backup processes. ; Analysis of legal requirements for reporting compromises. ; Coverage and responses of all critical system components. ; Reference or inclusion of incident response procedures from the payment brands. RDS
RDSInstance should have MultiAZ eq true
Identities and credentials: Avoid the use of the "root" account: check for recent logins. The 'root' account has unrestricted access to all resources in the AWS account. It is highly recommended that the use of this account be avoided. IAM
IAMUser where RootUser eq True should not have Password . LastUsedTime isLaterThan ( -1, "days" )
Authentication: Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password Multi-Factor Authentication (MFA) adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. It is recommended that MFA be enabled for all accounts that have a console password. IAM
IAMUser where ( RootUser eq false and Password . Enabled eq true ) should have MFAActive eq true
Identities and credentials: Ensure passwords unused for 90 days or greater are disabled AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all passwords that have been unused in 90 or greater days be disabled. IAM
IAMUser where RootUser eq False should not have ( Password . Enabled and Password . LastUsedTime isEarlierThan ( -90, "days" ) )
Remote access: Ensure access keys unused for 90 days or greater are disabled AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all access keys that have been unused in 90 or greater days be disabled. IAM
IAMUser where RootUser eq False should not have AccessKey with [ Active and LastUsedTime isEarlierThan ( -90, "days" ) ]
Remote access: Ensure access keys are rotated every 90 days or less. Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. It is recommended that all access keys be regularly rotated. IAM
IAMUser should not have AccessKey with [ Active and LastRotatedTime isEarlierThan ( -90 , "days" ) ]
Identities and credentials: Ensure IAM password policy requires at least one uppercase letter. Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure passwords are composed of different character sets. It is recommended that the password policy require at least one uppercase letter. IAM
IAMPasswordPolicy should have Configured and RequireUppercaseCharacters
Identities and credentials: Ensure IAM password policy requires at least one lowercase letter. Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure passwords are composed of different character sets. It is recommended that the password policy require at least one lowercase letter. IAM
IAMPasswordPolicy should have Configured and RequireLowercaseCharacters
Identities and credentials: Ensure IAM password policy requires at least one symbol. Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure passwords are composed of different character sets. It is recommended that the password policy require at least one symbol. IAM
IAMPasswordPolicy should have Configured and RequireSymbols
Identities and credentials: Ensure IAM password policy requires at least one number. Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure passwords are composed of different character sets. It is recommended that the password policy require at least one number. IAM
IAMPasswordPolicy should have Configured and RequireNumbers
Identities and credentials: Ensure IAM password policy requires minimum length of 14 or greater. Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure passwords are at least a given length. It is recommended that the password policy require a minimum password length of 14. IAM
IAMPasswordPolicy should have Configured and MinimumPasswordLength >= 14
Identities and credentials: Ensure IAM password policy prevents password reuse IAM password policies can prevent the reuse of a given password by the same user. It is recommended that the password policy prevent the reuse of passwords. IAM
IAMPasswordPolicy should have Configured and PasswordReusePrevention >= 24
Identities and credentials: Ensure IAM password policy expires passwords within 90 days or less. IAM password policies can require passwords to be rotated or expired after a given number of days. It is recommended that the password policy expire passwords after 90 days or less. IAM
IAMPasswordPolicy should have Configured and ExpirePasswords and MaxPasswordAge <= 90
Remote access: Ensure no root account access key exists. The root account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. It is recommended that all access keys associated with the root account be removed. IAM
IAMUser where RootUser eq True should not have AccessKey with [ Active eq True ]
Authentication: Ensure MFA is enabled for the "root" account. The root account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a username and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. IAM
IAMUser where RootUser eq True should have MFAActive eq true
Authentication: Ensure hardware MFA is enabled for the "root" account. The root account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. For Level 2, it is recommended that the root account be protected with a hardware MFA. IAM
IAMUser where RootUser eq True should have MFAActive eq true and MFADevices . Physical len ( ) gt 0
Access permissions and authorizations: Ensure IAM policies are attached only to groups or roles. By default, IAM users, groups, and roles have no access to AWS resources. IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended that IAM policies be applied directly to groups and roles but not users. IAM
IAMUser should have ( Policies . Managed len ( ) eq 0 and Policies . Inline len ( ) eq 0 )
Remote access: Do not setup access keys during initial user setup for all IAM users that have a console password AWS console defaults the checkbox for creating access keys to enabled. This results in many access keys being generated unnecessarily. In addition to unnecessary credentials, it also generates unnecessary management work in auditing and rotating these keys. IAM
IAMUser where Password . Enabled eq true should not have AccessKey with [ Active and CreatedByDefault ]
Access permissions and authorizations: Ensure IAM policies that allow full "*:*" administrative privileges are not created. IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended and considered a standard security advice to grant least privilege — that is, granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform only those tasks, instead of allowing full administrative privileges. IAM
IAMPolicy should not have Permissions . Statements with [ Action with [ value eq "*" ] and Resource with [ value eq "*" ] and Effect eq "Allow" ] and ( AttachedEntities . Groups len ( ) gt 0 or AttachedEntities . Roles len ( ) gt 0 or AttachedEntities . Users len ( ) gt 0 )
Audit/log records: Ensure CloudTrail is enabled. AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an account, including API calls made via the Management Console, SDKs, command line tools, and higher-level AWS services (such as CloudFormation). CloudTrail
AWS should have atleast one CloudTrails with [ MultiRegionTrailEnabled and LoggingEnabled eq True ]
Audit/log records: Ensure the S3 bucket CloudTrail logs to is not publicly accessible CloudTrail logs a record of every API call made in your AWS account. These log files are stored in an S3 bucket. It is recommended that the bucket policy or access control list (ACL) applied to the S3 bucket that CloudTrail logs to prevents public access to the CloudTrail logs. S3
CloudTrail
CloudTrail should not have S3Bucket . ACL with [ ( Permission eq "WRITE" or Permission eq "WRITE_ACP" or Permission eq "READ" or Permission eq "READ_ACP" or Permission eq "FULL_CONTROL" ) and Grantee. URI eq "http://acs.amazonaws.com/groups/global/AllUsers" ] or S3Bucket . BucketPolicy with [ Statement with [ Effect eq "Allow" and Principal has ( "*" ) and Conditions len ( ) eq 0 ] ]
Audit/log records: Ensure CloudTrail trails are integrated with CloudWatch Logs AWS CloudTrail is a web service that records AWS API calls made in a given AWS account. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail uses Amazon S3 for log file storage and delivery, so log files are stored durably. In addition to capturing CloudTrail logs within a specified S3 bucket for long-term analysis, real-time analysis can be performed by configuring CloudTrail to send logs to CloudWatch Logs. For a trail that is enabled in all regions in an account, CloudTrail sends log files from all those regions to a CloudWatch Logs log group. It is recommended that CloudTrail logs be sent to CloudWatch Logs. CloudTrail
CloudTrail should have LogGroup
Audit/log records: Ensure AWS Config is enabled in all regions AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), and any configuration changes between resources. The AWS configuration item history captured by AWS Config enables security analysis, resource change tracking, and compliance auditing. It is recommended that AWS Config be enabled in all regions. Config
CloudTrail
AWS should have ( ConfigRecorders with [ Status and RecordingGroup . AllSupported ] ) and ConfigDeliveryChannels with [ StreamDelivery . LastSuccess and HistoryDelivery . LastSuccess ]
Audit/log records: Ensure CloudTrail logs are encrypted at rest using KMS CMKs AWS CloudTrail is a web service that records AWS API calls for an account and makes those logs available to users and resources in accordance with IAM policies. AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data, and uses Hardware Security Modules (HSMs) to protect the security of encryption keys. CloudTrail logs can be configured to leverage server-side encryption (SSE) and KMS customer-created master keys (CMKs) to further protect CloudTrail logs. It is recommended that CloudTrail be configured to use SSE-KMS. CloudTrail
CloudTrail should have KMSKey . id len ( ) > 0
Data-at-rest is protected: Ensure rotation for customer created CMKs is enabled AWS Key Management Service (KMS) allows customers to rotate the backing key, which is key material stored within KMS that is tied to the key ID of the customer-created customer master key (CMK). It is the backing key that is used to perform cryptographic operations such as encryption and decryption. Automated key rotation currently retains all prior backing keys so that decryption of encrypted data can take place transparently. It is recommended that CMK key rotation be enabled. KMS
KMSKey where Description notlike "Default master key that protects my.*" should have RotationEnabled
Baseline network operations and data flows: Ensure VPC flow logging is enabled in all VPCs VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. It is recommended that VPC Flow Logs be enabled for packet 'Rejects' for VPCs. EC2
VPC should have atleast one FlowLogs with [ id ]
Remote access: Ensure a log metric filter and alarm exist for unauthorized API calls Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for unauthorized API calls. CloudWatch
CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.errorCode\s*=\s*\"\*UnauthorizedOperation\"\)\s*\|\|\s*\(\$\.errorCode\s*=\s*\"AccessDenied\*\"\)\s*\|\|\s*\(\$\.sourceIPAddress\s*!=\s*\"delivery\.logs\.amazonaws\.com\"\)\s*\|\|\s*\(\$\.eventName\s*!=\s*\"HeadBucket\"\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Identities and credentials: Ensure a log metric filter and alarm exist for Management Console sign-in without MFA Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for console logins that are not protected by multi-factor authentication (MFA). CloudWatch
CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*\"ConsoleLogin\"\)\s*\&\&\s*\(\$\.additionalEventData\.MFAUsed\s*!=\s*\"Yes\"\)\s*\&\&\s*\(\$\.userIdentity\.type\s*=\s*\"IAMUser\"\)\s*\&\&\s*\(\$\.responseElements\.ConsoleLogin\s*=\s*\"Success\"\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Identities and credentials: Ensure a log metric filter and alarm exist for usage of "root" account Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for root login attempts. CloudWatch
CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "{\s*\$\.userIdentity\.type\s*=\s*\"Root\"\s*\&\&\s*\$\.userIdentity\.invokedBy\s*NOT\s*EXISTS\s*\&\&\s*\$\.eventType\s*!=\s*\"AwsServiceEvent\"\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Identities and credentials: Ensure a log metric filter and alarm exist for IAM policy changes Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for changes made to Identity and Access Management (IAM) policies. CloudWatch
CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*DeleteGroupPolicy\)\|\|\(\$\.eventName\s*=\s*DeleteRolePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteUserPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutGroupPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutRolePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutUserPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreatePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeletePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreatePolicyVersion\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeletePolicyVersion\)\s*\|\|\s*\(\$\.eventName\s*=\s*AttachRolePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DetachRolePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*AttachUserPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DetachUserPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*AttachGroupPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DetachGroupPolicy\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Audit/log records: Ensure a log metric filter and alarm exist for CloudTrail configuration changes Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations. CloudWatch
CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*CreateTrail\)\s*\|\|\s*\(\$\.eventName\s*=\s*UpdateTrail\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteTrail\)\s*\|\|\s*\(\$\.eventName\s*=\s*StartLogging\)\s*\|\|\s*\(\$\.eventName\s*=\s*StopLogging\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Identities and credentials: Ensure a log metric filter and alarm exist for AWS Management Console authentication failures Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for failed console authentication attempts. CloudWatch
CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*ConsoleLogin\)\s*\&\&\s*\(\$\.errorMessage\s*=\s*\"Failed\s*authentication\"\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Data-at-rest is protected: Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for customer created CMKs which have changed state to disabled or scheduled deletion. CloudWatch
CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventSource\s*=\s*kms\.amazonaws\.com\)\s*\&\&\s*\(\(\$\.eventName=DisableKey\)\s*\|\|\s*\(\$\.eventName=ScheduleKeyDeletion\)\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Ensure a log metric filter and alarm exist for S3 bucket policy changes Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for changes to S3 bucket policies. CloudWatch
CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventSource\s*=\s*s3\.amazonaws\.com\)\s*\&\&\s*\(\(\$\.eventName\s*=\s*PutBucketAcl\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutBucketPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutBucketCors\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutBucketLifecycle\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutBucketReplication\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteBucketPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteBucketCors\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteBucketLifecycle\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteBucketReplication\)\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Audit/log records: Ensure a log metric filter and alarm exist for AWS Config configuration changes Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations. CloudWatch
CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventSource\s*=\s*config\.amazonaws\.com\)\s*\&\&\s*\(\(\$\.eventName=StopConfigurationRecorder\)\s*\|\|\s*\(\$\.eventName=DeleteDeliveryChannel\)\s*\|\|\(\$\.eventName=PutDeliveryChannel\)\s*\|\|\s*\(\$\.eventName=PutConfigurationRecorder\)\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Network integrity: Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. NACLs are used as a stateless packet filter to control ingress and egress traffic for subnets within a VPC. It is recommended that a metric filter and alarm be established for changes made to NACLs. CloudWatch
CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*CreateNetworkAcl\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreateNetworkAclEntry\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteNetworkAcl\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteNetworkAclEntry\)\s*\|\|\s*\(\$\.eventName\s*=\s*ReplaceNetworkAclEntry\)\s*\|\|\s*\(\$\.eventName\s*=\s*ReplaceNetworkAclAssociation\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Network integrity: Ensure a log metric filter and alarm exist for changes to network gateways Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Network gateways are required to send/receive traffic to a destination outside of a VPC. It is recommended that a metric filter and alarm be established for changes to network gateways. CloudWatch
CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*CreateCustomerGateway\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteCustomerGateway\)\s*\|\|\s*\(\$\.eventName\s*=\s*AttachInternetGateway\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreateInternetGateway\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteInternetGateway\)\s*\|\|\s*\(\$\.eventName\s*=\s*DetachInternetGateway\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Network integrity: Ensure a log metric filter and alarm exist for route table changes Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Routing tables are used to route network traffic between subnets and to network gateways. It is recommended that a metric filter and alarm be established for changes to route tables. CloudWatch
CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*CreateRoute\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreateRouteTable\)\s*\|\|\s*\(\$\.eventName\s*=\s*ReplaceRoute\)\s*\|\|\s*\(\$\.eventName\s*=\s*ReplaceRouteTableAssociation\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteRouteTable\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteRoute\)\s*\|\|\s*\(\$\.eventName\s*=\s*DisassociateRouteTable\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Network integrity: Ensure a log metric filter and alarm exist for VPC changes Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is possible to have more than one VPC within an account; in addition, it is also possible to create a peering connection between two VPCs, enabling network traffic to route between them. It is recommended that a metric filter and alarm be established for changes made to VPCs. CloudWatch
CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*CreateVpc\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteVpc\)\s*\|\|\s*\(\$\.eventName\s*=\s*ModifyVpcAttribute\)\s*\|\|\s*\(\$\.eventName\s*=\s*AcceptVpcPeeringConnection\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreateVpcPeeringConnection\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteVpcPeeringConnection\)\s*\|\|\s*\(\$\.eventName\s*=\s*RejectVpcPeeringConnection\)\s*\|\|\s*\(\$\.eventName\s*=\s*AttachClassicLinkVpc\)\s*\|\|\s*\(\$\.eventName\s*=\s*DetachClassicLinkVpc\)\s*\|\|\s*\(\$\.eventName\s*=\s*DisableVpcClassicLink\)\s*\|\|\s*\(\$\.eventName\s*=\s*EnableVpcClassicLink\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Communications and control network protection: Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to port 22. EC2
SecurityGroup should not have InboundRules with [ IPRanges with [ IP eq 0.0.0.0/0 ] and ( FromPort lte 22 and ToPort gte 22 ) and Protocol in ("-1", "tcp") ]
Communications and control network protection: Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to port 3389. EC2
SecurityGroup should not have InboundRules with [ IPRanges with [ IP eq 0.0.0.0/0 ] and ( FromPort lte 3389 and ToPort gte 3389 ) and Protocol in ("-1", "udp", "tcp") ]
Ensure the default security group of every VPC restricts all traffic A VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that the default security group restrict all traffic. The default VPC in every region should have its default security group updated to comply. Any newly created VPCs will automatically contain a default security group that will need remediation to comply with this recommendation. EC2
SecurityGroup where Name eq "default" should have InboundRules len ( ) eq 0 and OutboundRules len ( ) eq 0
Personnel know response roles/operations: Ensure a support role has been created to manage incidents with AWS Support AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. Create an IAM Role to allow authorized users to manage incidents with AWS Support. IAM
IAMPolicy where id eq "arn:aws:iam::aws:policy/AWSSupportAccess" should have ( AttachedEntities . Groups len ( ) > 0 or AttachedEntities . Roles len ( ) > 0 or AttachedEntities . Users len ( ) > 0 )
Identities and credentials: Avoid the use of the "root" account: check for recent logins. The 'root' account has unrestricted access to all resources in the AWS account. It is highly recommended that the use of this account be avoided. IAM
IAMUser where RootUser eq True should not have Password . LastUsedTime isLaterThan ( -1, "days" )
Authentication: Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password Multi-Factor Authentication (MFA) adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. It is recommended that MFA be enabled for all accounts that have a console password. IAM
IAMUser where ( RootUser eq false and Password . Enabled eq true ) should have MFAActive eq true
Identities and credentials: Ensure passwords unused for 90 days or greater are disabled AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all passwords that have been unused for 90 days or more be disabled. IAM
IAMUser where RootUser eq False should not have ( Password . Enabled and Password . LastUsedTime isEarlierThan ( -90, "days" ) )
Remote access: Ensure access keys unused for 90 days or greater are disabled AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all access keys that have been unused for 90 days or more be disabled. IAM
IAMUser where RootUser eq False should not have AccessKey with [ Active and LastUsedTime isEarlierThan ( -90, "days" ) ]
Remote access: Ensure access keys are rotated every 90 days or less. Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. It is recommended that all access keys be regularly rotated. IAM
IAMUser should not have AccessKey with [ Active and LastRotatedTime isEarlierThan ( -90 , "days" ) ]
Identities and credentials: Ensure IAM password policy requires at least one uppercase letter. Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure passwords are composed of different character sets. It is recommended that the password policy require at least one uppercase letter. IAM
IAMPasswordPolicy should have Configured and RequireUppercaseCharacters
Identities and credentials: Ensure IAM password policy requires at least one lowercase letter. Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure passwords are composed of different character sets. It is recommended that the password policy require at least one lowercase letter. IAM
IAMPasswordPolicy should have Configured and RequireLowercaseCharacters
Identities and credentials: Ensure IAM password policy requires at least one symbol. Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure passwords are composed of different character sets. It is recommended that the password policy require at least one symbol. IAM
IAMPasswordPolicy should have Configured and RequireSymbols
Identities and credentials: Ensure IAM password policy requires at least one number. Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure passwords are composed of different character sets. It is recommended that the password policy require at least one number. IAM
IAMPasswordPolicy should have Configured and RequireNumbers
Identities and credentials: Ensure IAM password policy requires minimum length of 14 or greater. Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure passwords are at least a given length. It is recommended that the password policy require a minimum password length of 14. IAM
IAMPasswordPolicy should have Configured and MinimumPasswordLength >= 14
Identities and credentials: Ensure IAM password policy prevents password reuse IAM password policies can prevent the reuse of a given password by the same user. It is recommended that the password policy prevent the reuse of passwords. IAM
IAMPasswordPolicy should have Configured and PasswordReusePrevention >= 24
Identities and credentials: Ensure IAM password policy expires passwords within 90 days or less. IAM password policies can require passwords to be rotated or expired after a given number of days. It is recommended that the password policy expire passwords after 90 days or less. IAM
IAMPasswordPolicy should have Configured and ExpirePasswords and MaxPasswordAge <= 90
Remote access: Ensure no root account access key exists. The root account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. It is recommended that all access keys associated with the root account be removed. IAM
IAMUser where RootUser eq True should not have AccessKey with [ Active eq True ]
Authentication: Ensure MFA is enabled for the "root" account. The root account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a username and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. IAM
IAMUser where RootUser eq True should have MFAActive eq true
Authentication: Ensure hardware MFA is enabled for the "root" account. The root account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. For Level 2, it is recommended that the root account be protected with a hardware MFA. IAM
IAMUser where RootUser eq True should have MFAActive eq true and MFADevices . Physical len ( ) gt 0
Access permissions and authorizations: Ensure IAM policies are attached only to groups or roles. By default, IAM users, groups, and roles have no access to AWS resources. IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended that IAM policies be applied directly to groups and roles but not users. IAM
IAMUser should have ( Policies . Managed len ( ) eq 0 and Policies . Inline len ( ) eq 0 )
Remote access: Do not set up access keys during initial user setup for all IAM users that have a console password The AWS console defaults the checkbox for creating access keys to enabled. This results in many access keys being generated unnecessarily. In addition to unnecessary credentials, it also generates unnecessary management work in auditing and rotating these keys. IAM
IAMUser where Password . Enabled eq true should not have AccessKey with [ Active and CreatedByDefault ]
Access permissions and authorizations: Ensure IAM policies that allow full "*:*" administrative privileges are not created. IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended and considered a standard security advice to grant least privilege — that is, granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform only those tasks, instead of allowing full administrative privileges. IAM
IAMPolicy should not have Permissions . Statements with [ Action with [ value eq "*" ] and Resource with [ value eq "*" ] and Effect eq "Allow" ] and ( AttachedEntities . Groups len ( ) gt 0 or AttachedEntities . Roles len ( ) gt 0 or AttachedEntities . Users len ( ) gt 0 )
Audit/log records: Ensure CloudTrail is enabled. AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an account, including API calls made via the Management Console, SDKs, command line tools, and higher-level AWS services (such as CloudFormation). CloudTrail
AWS should have atleast one CloudTrails with [ MultiRegionTrailEnabled and LoggingEnabled eq True ]
Secure audit trails so they cannot be altered: CloudTrail Log Files Lack Integrity Validation Use file-integrity monitoring or change-detection on CloudTrail logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert). CloudTrail
CloudTrail should have LogFileValidationEnabled
Audit/log records: Ensure the S3 bucket CloudTrail logs to is not publicly accessible CloudTrail logs a record of every API call made in your AWS account. These log files are stored in an S3 bucket. It is recommended that the bucket policy or access control list (ACL) applied to the S3 bucket that CloudTrail logs to prevents public access to the CloudTrail logs. S3, CloudTrail
CloudTrail should not have S3Bucket . ACL with [ ( Permission eq "WRITE" or Permission eq "WRITE_ACP" or Permission eq "READ" or Permission eq "READ_ACP" or Permission eq "FULL_CONTROL" ) and Grantee . URI eq "http://acs.amazonaws.com/groups/global/AllUsers" ] or S3Bucket . BucketPolicy with [ Statement with [ Effect eq "Allow" and Principal has ( "*" ) and Conditions len ( ) eq 0 ] ]
Audit/log records: Ensure CloudTrail trails are integrated with CloudWatch Logs AWS CloudTrail is a web service that records AWS API calls made in a given AWS account. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail uses Amazon S3 for log file storage and delivery, so log files are stored durably. In addition to capturing CloudTrail logs within a specified S3 bucket for long-term analysis, real-time analysis can be performed by configuring CloudTrail to send logs to CloudWatch Logs. For a trail that is enabled in all regions in an account, CloudTrail sends log files from all those regions to a CloudWatch Logs log group. It is recommended that CloudTrail logs be sent to CloudWatch Logs. CloudTrail
CloudTrail should have LogGroup
Audit/log records: Ensure AWS Config is enabled in all regions AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), and any configuration changes between resources. The AWS configuration item history captured by AWS Config enables security analysis, resource change tracking, and compliance auditing. It is recommended that AWS Config be enabled in all regions. Config, CloudTrail
AWS should have ( ConfigRecorders with [ Status and RecordingGroup . AllSupported ] ) and ConfigDeliveryChannels with [ StreamDelivery . LastSuccess and HistoryDelivery . LastSuccess ]
Implement automated audit trails for all system components: CloudTrail - Lack of API Access Logging Implement automated audit trails for all system components to reconstruct the following events: all individual user accesses to cardholder data; all actions taken by any individual with root or administrative privileges; access to all audit trails; invalid logical access attempts; use of and changes to identification and authentication mechanisms; initialization, stopping, or pausing of the audit logs; creation and deletion of system-level objects. S3, CloudTrail
CloudTrail should have S3Bucket . LoggingEnabled
Audit/log records: Ensure CloudTrail logs are encrypted at rest using KMS CMKs AWS CloudTrail is a web service that records AWS API calls for an account and makes those logs available to users and resources in accordance with IAM policies. AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data, and uses Hardware Security Modules (HSMs) to protect the security of encryption keys. CloudTrail logs can be configured to leverage server-side encryption (SSE) and KMS customer-created master keys (CMKs) to further protect CloudTrail logs. It is recommended that CloudTrail be configured to use SSE-KMS. CloudTrail
CloudTrail should have KMSKey . id len ( ) > 0
Data-at-rest is protected: Ensure rotation for customer created CMKs is enabled AWS Key Management Service (KMS) allows customers to rotate the backing key, which is the key material stored within KMS and tied to the key ID of the customer-created customer master key (CMK). It is the backing key that is used to perform cryptographic operations such as encryption and decryption. Automated key rotation currently retains all prior backing keys so that decryption of encrypted data can take place transparently. It is recommended that CMK key rotation be enabled. KMS
KMSKey where Description notlike "Default master key that protects my.*" should have RotationEnabled
Baseline network operations and data flows: Ensure VPC flow logging is enabled in all VPCs VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. It is recommended that VPC Flow Logs be enabled for packet 'Rejects' for VPCs. EC2
VPC should have atleast one FlowLogs with [ id ]
Remote access: Ensure a log metric filter and alarm exist for unauthorized API calls Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for unauthorized API calls. CloudWatch, CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.errorCode\s*=\s*\"\*UnauthorizedOperation\"\)\s*\|\|\s*\(\$\.errorCode\s*=\s*\"AccessDenied\*\"\)\s*\|\|\s*\(\$\.sourceIPAddress\s*!=\s*\"delivery\.logs\.amazonaws\.com\"\)\s*\|\|\s*\(\$\.eventName\s*!=\s*\"HeadBucket\"\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Identities and credentials: Ensure a log metric filter and alarm exist for Management Console sign-in without MFA Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for console logins that are not protected by multi-factor authentication (MFA). CloudWatch, CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*\"ConsoleLogin\"\)\s*\&\&\s*\(\$\.additionalEventData\.MFAUsed\s*!=\s*\"Yes\"\)\s*\&\&\s*\(\$\.userIdentity\.type\s*=\s*\"IAMUser\"\)\s*\&\&\s*\(\$\.responseElements\.ConsoleLogin\s*=\s*\"Success\"\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Identities and credentials: Ensure a log metric filter and alarm exist for usage of "root" account Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for root login attempts. CloudWatch, CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "{\s*\$\.userIdentity\.type\s*=\s*\"Root\"\s*\&\&\s*\$\.userIdentity\.invokedBy\s*NOT\s*EXISTS\s*\&\&\s*\$\.eventType\s*!=\s*\"AwsServiceEvent\"\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Identities and credentials: Ensure a log metric filter and alarm exist for IAM policy changes Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for changes made to Identity and Access Management (IAM) policies. CloudWatch, CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*DeleteGroupPolicy\)\|\|\(\$\.eventName\s*=\s*DeleteRolePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteUserPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutGroupPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutRolePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutUserPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreatePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeletePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreatePolicyVersion\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeletePolicyVersion\)\s*\|\|\s*\(\$\.eventName\s*=\s*AttachRolePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DetachRolePolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*AttachUserPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DetachUserPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*AttachGroupPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DetachGroupPolicy\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Audit/log records: Ensure a log metric filter and alarm exist for CloudTrail configuration changes Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations. CloudWatch, CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*CreateTrail\)\s*\|\|\s*\(\$\.eventName\s*=\s*UpdateTrail\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteTrail\)\s*\|\|\s*\(\$\.eventName\s*=\s*StartLogging\)\s*\|\|\s*\(\$\.eventName\s*=\s*StopLogging\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Identities and credentials: Ensure a log metric filter and alarm exist for AWS Management Console authentication failures Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for failed console authentication attempts. CloudWatch, CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*ConsoleLogin\)\s*\&\&\s*\(\$\.errorMessage\s*=\s*\"Failed\s*authentication\"\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Data-at-rest is protected: Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for customer created CMKs which have changed state to disabled or scheduled deletion. CloudWatch, CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventSource\s*=\s*kms\.amazonaws\.com\)\s*\&\&\s*\(\(\$\.eventName=DisableKey\)\s*\|\|\s*\(\$\.eventName=ScheduleKeyDeletion\)\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Ensure a log metric filter and alarm exist for S3 bucket policy changes Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for changes to S3 bucket policies. CloudWatch, CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventSource\s*=\s*s3\.amazonaws\.com\)\s*\&\&\s*\(\(\$\.eventName\s*=\s*PutBucketAcl\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutBucketPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutBucketCors\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutBucketLifecycle\)\s*\|\|\s*\(\$\.eventName\s*=\s*PutBucketReplication\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteBucketPolicy\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteBucketCors\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteBucketLifecycle\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteBucketReplication\)\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Audit/log records: Ensure a log metric filter and alarm exist for AWS Config configuration changes Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations. CloudWatch, CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventSource\s*=\s*config\.amazonaws\.com\)\s*\&\&\s*\(\(\$\.eventName=StopConfigurationRecorder\)\s*\|\|\s*\(\$\.eventName=DeleteDeliveryChannel\)\s*\|\|\(\$\.eventName=PutDeliveryChannel\)\s*\|\|\s*\(\$\.eventName=PutConfigurationRecorder\)\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Network integrity: Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. NACLs are used as a stateless packet filter to control ingress and egress traffic for subnets within a VPC. It is recommended that a metric filter and alarm be established for changes made to NACLs. CloudWatch, CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*CreateNetworkAcl\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreateNetworkAclEntry\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteNetworkAcl\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteNetworkAclEntry\)\s*\|\|\s*\(\$\.eventName\s*=\s*ReplaceNetworkAclEntry\)\s*\|\|\s*\(\$\.eventName\s*=\s*ReplaceNetworkAclAssociation\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Network integrity: Ensure a log metric filter and alarm exist for changes to network gateways Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Network gateways are required to send/receive traffic to a destination outside of a VPC. It is recommended that a metric filter and alarm be established for changes to network gateways. CloudWatch, CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*CreateCustomerGateway\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteCustomerGateway\)\s*\|\|\s*\(\$\.eventName\s*=\s*AttachInternetGateway\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreateInternetGateway\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteInternetGateway\)\s*\|\|\s*\(\$\.eventName\s*=\s*DetachInternetGateway\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Network integrity: Ensure a log metric filter and alarm exist for route table changes Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Routing tables are used to route network traffic between subnets and to network gateways. It is recommended that a metric filter and alarm be established for changes to route tables. CloudWatch, CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*CreateRoute\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreateRouteTable\)\s*\|\|\s*\(\$\.eventName\s*=\s*ReplaceRoute\)\s*\|\|\s*\(\$\.eventName\s*=\s*ReplaceRouteTableAssociation\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteRouteTable\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteRoute\)\s*\|\|\s*\(\$\.eventName\s*=\s*DisassociateRouteTable\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]
Network integrity: Ensure a log metric filter and alarm exist for VPC changes Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is possible to have more than one VPC within an account; in addition, it is possible to create a peering connection between two VPCs, enabling network traffic to route between them. It is recommended that a metric filter and alarm be established for changes made to VPCs. CloudWatch, CloudTrail
AWS should have atleast one CloudTrails with [ LogGroup . MetricFilters with [ FilterPattern like "\{\s*\(\$\.eventName\s*=\s*CreateVpc\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteVpc\)\s*\|\|\s*\(\$\.eventName\s*=\s*ModifyVpcAttribute\)\s*\|\|\s*\(\$\.eventName\s*=\s*AcceptVpcPeeringConnection\)\s*\|\|\s*\(\$\.eventName\s*=\s*CreateVpcPeeringConnection\)\s*\|\|\s*\(\$\.eventName\s*=\s*DeleteVpcPeeringConnection\)\s*\|\|\s*\(\$\.eventName\s*=\s*RejectVpcPeeringConnection\)\s*\|\|\s*\(\$\.eventName\s*=\s*AttachClassicLinkVpc\)\s*\|\|\s*\(\$\.eventName\s*=\s*DetachClassicLinkVpc\)\s*\|\|\s*\(\$\.eventName\s*=\s*DisableVpcClassicLink\)\s*\|\|\s*\(\$\.eventName\s*=\s*EnableVpcClassicLink\)\s*\}" and Transformations with [ MetricAlarms with [ AlarmActions with [ SNSTopic . Subscriptions len () > 0 ] ] ] ] ]