CloudWiki

The CIS AWS Foundations Benchmark is a compliance standard for securing Amazon Web Services resources. The Center for Internet Security (CIS) is a nonprofit organization whose mission is to make the connected world a safer place by developing, validating, and promoting timely best-practice solutions that help people, businesses, and governments protect themselves against pervasive cyber threats. CIS has several program areas, including MS-ISAC, CIS Controls, CIS Benchmarks, CIS Communities, and CIS CyberMarket. Through these program areas, CIS works with a wide range of entities to improve their online security by providing products and services that increase security efficiency and effectiveness.

Compliance checks for Amazon Web Services

Critical: IAM User with Admin access (*:*)
Critical: Ensure root user has MFA enabled
Info: Internet Gateway (IGW) changes alarm
Critical: Ensure no root account access key exists
Info: Ensure EKS Private access is enabled
Critical: Ensure default security groups are not in use by VPC Endpoints
Critical: Ensure default security groups are not in use by Lambda
Critical: Ensure there is no unrestricted inbound access to TCP port 22 (SSH)
Critical: Ensure there is no unrestricted inbound access to TCP port 3389 (RDP)
Critical: Ensure there is no unrestricted inbound access to TCP port 80 (HTTP)
Info: Route Table changes alarm
Info: IAM Policy changes alarm
Info: S3 Bucket changes alarm
Info: Security Group (SG) changes alarm
Info: Network ACL (NACL) changes alarm
Info: VPC Peering changes alarm
Info: Transit Gateway (TGW) changes alarm
Info: NAT Gateway changes alarm
Info: VPC changes alarm
Critical: IAM Role with inline Admin access (*:*)
Warning: Ensure IAM password policy prevents password reuse
Critical: ECS task with Admin access (*:*)
Critical: Pod with Admin access (*:*)
Critical: Lambda Admin access (*:*)
Critical: EC2 with Admin access (*:*)
Critical: Ensure there is no unrestricted inbound access to all TCP ports
Warning: Ensure security groups do not have ingress open to any (0.0.0.0/0)
Warning: Ensure that S3 Buckets are configured with "Block public access"
Critical: S3 bucket is public
Warning: Ensure AWS EKS cluster has secrets encryption enabled
Warning: Ensure IAM users receive permissions only through groups
Critical: Ensure RDS database instances are not accessible via Internet (Network and API)
Warning: Ensure VPC flow logging is enabled in all VPCs
Critical: Ensure all IAM users with console access have MFA enabled
Warning: Ensure EBS volumes are encrypted
Critical: Ensure the S3 bucket for CloudTrail logs is not publicly accessible
Warning: Ensure EKS Public access is disabled
Warning: Ensure data stored in the S3 bucket is securely encrypted at rest
Critical: Ensure default security groups are not in use by EC2