CloudWiki
Compliance

CIS 8

resize
Visit website

The CIS Critical Security Controls v8 offers prescriptive, prioritized, and simplified cybersecurity best practices that provide a clear path to improve an organization’s cyber defense program.

Compliance checks for Amazon Web Services

Medium
Ensure Amazon MQ brokers are not publicly accessible
APRA
CCPA
CIS 8
GDPR
HIPAA
Critical
Ensure Amazon MQ brokers are not publicly accessible
APRA
CCPA
CIS 8
GDPR
HIPAA
Low
Ensure Redshift clusters automated snapshot retention period is enabled
CCPA
CIS 8
CSA CCM
GDPR
HITRUST
Low
Ensure Redshift clusters are using a custom master user name instead of the default master user name
APRA
CCPA
CIS 8
GDPR
HITRUST
Low
CloudTrail changes alarm
CIS
CISAWSF
APRA
MAS
NIST4
Medium
Ensure CloudTrail Log File Integrity Validation is enabled
CISAWSF
PCI-DSS
HIPAA
GDPR
APRA
Critical
IAM User with Admin access (*:*)
SOC2
CIS
CIS 8
NIST 800-53
CSA CCM
Critical
IAM user can execute a Privilege Escalation by using inline PassRole
CIS 8
NIST 800-53
CSA CCM
HITRUST
GDPR
Low
EC2 large instance create alarm
PCI-DSS
APRA
MAS
NIST4
AWS Well-Architected Framework
Low
Ensure IAM password policy has expiration period
CIS 8
NIST 800-53
GDPR
HITRUST
CSA CCM
Low
Internet Gateway (IGW) changes alarm
CIS
CISAWSF
PCI-DSS
APRA
MAS
Low
Ensure MSK (Kafka) cluster is not using an unsupported Kafka version (2.4.1)
SOC2
CIS 8
CSA CCM
Critical
Ensure there is no unrestricted inbound access to TCP port 27017 (MongoDB)
APRA
AWS Well-Architected Framework
CSA CCM
MAS
NIST4
Critical
Ensure there is no unrestricted inbound access to TCP port 9300 (ElasticSearch)
CSA CCM
CIS 8
ISO 27701
Critical
Ensure there is no unrestricted inbound access to TCP port 9200 (ElasticSearch)
PCI-DSS
APRA
MAS
NIST4
AWS Well-Architected Framework
Critical
Ensure there is no unrestricted inbound access to TCP port 6379 (Redis)
AWS Well-Architected Framework
CSA CCM
HITRUST
NIST 800-53
CIS 8
Critical
Ensure there is no unrestricted inbound access to TCP port 1521 (OracleDB)
APRA
AWS Well-Architected Framework
CSA CCM
MAS
NIST4
Critical
Ensure there is no unrestricted inbound access to TCP port 8888 (Cassandra)
CSA CCM
ISO 27701
CIS 8
Critical
Ensure there is no unrestricted inbound access to TCP port 11211 (Memcached)
AWS Well-Architected Framework
CSA CCM
CIS 8
ISO 27701
Critical
Ensure there is no unrestricted inbound access to TCP port 61621 (Cassandra)
ISO 27701
CIS 8
CSA CCM
Critical
Ensure there is no unrestricted inbound access to TCP port 7000 (Cassandra Internode)
CSA CCM
ISO 27701
CIS 8
Critical
Ensure there is no unrestricted inbound access to TCP port 61620 (OpsCenter)
CSA CCM
CIS 8
ISO 27701
Low
Route Table changes alarm
CIS
CISAWSF
PCI-DSS
APRA
MAS
Low
IAM Policy changes alarm
CIS
CISAWSF
PCI-DSS
APRA
MAS
Low
S3 Bucket changes alarm
CIS
CISAWSF
PCI-DSS
APRA
MAS
Low
Security Group (SG) changes alarm
CIS
CISAWSF
PCI-DSS
APRA
MAS
Low
Network ACL (NACL) changes alarm
CIS
CIS 8
GDPR
CSA CCM
HITRUST
Low
NAT Gateway changes alarm
CIS
CISAWSF
PCI-DSS
APRA
MAS
Low
VPC changes alarm
CIS
CISAWSF
PCI-DSS
APRA
MAS
Critical
IAM user can execute a Privilege Escalation by using inline AssumeRole
CIS 8
CSA CCM
Critical
IAM user can execute a Privilege Escalation by using AttachUserPolicy
CIS 8
NIST 800-53
GDPR
HITRUST
CSA CCM
Critical
IAM user can execute a Privilege Escalation by using CreatePolicyVersion
CIS 8
NIST 800-53
CSA CCM
GDPR
Critical
IAM user can execute a Privilege Escalation by using UpdateAssumeRolePolicy and sts:AssumeRole
CIS 8
CSA CCM
Critical
Ensure EC2 AMIs are not publicly accessible
GDPR
APRA
MAS
NIST4
CIS 8
Medium
Ensure EMR clusters are encrypted in-transit and at-rest
APRA
AWS Well-Architected Framework
GDPR
HIPAA
MAS
Critical
Ensure IAM password policy expires passwords within 90 days or less
ISO 27001
CSA CCM
SOC2
PCI-DSS
APRA
Medium
Ensure IAM password policy requires minimum length of 14 or greater
CISAWSF
SOC2
PCI-DSS
GDPR
HIPAA
Medium
Ensure IAM password policy require at least one symbol
APRA
AWS Well-Architected Framework
CISAWSF
PCI-DSS
GDPR
Medium
Ensure IAM password policy requires at least one uppercase letter
APRA
AWS Well-Architected Framework
CISAWSF
PCI-DSS
HIPAA
Medium
Ensure IAM password policy require at least one number
APRA
AWS Well-Architected Framework
CISAWSF
PCI-DSS
GDPR
Medium
Ensure IAM password policy require at least one lowercase letter
APRA
AWS Well-Architected Framework
CISAWSF
PCI-DSS
ISO 27001
Medium
Ensure IAM password policy prevents password reuse
CIS
ISO 27001
SOC2
GDPR
PCI-DSS
Critical
IAM Role with Admin access (*:*)
CISAWSF
APRA
MAS
NIST4
AWS Well-Architected Framework
Critical
Lambda with Admin access (*:*)
CIS
CIS 8
NIST 800-53
CSA CCM
GDPR
Critical
EC2 with Admin access (*:*)
CIS
GDPR
HITRUST
NIST 800-53
ISO 27701
Critical
IAM User with Admin access (*:*)
SOC2
CIS
CIS 8
NIST 800-53
CSA CCM
Medium
Ensure that S3 Buckets are configured with "Block public access"
GDPR
ISO 27001
PCI-DSS
SOC2
HITRUST
Low
Lambda functions should be in a VPC
PCI-DSS
CIS 8
NIST 800-53
HITRUST
Medium
Ensure VPC flow logging is enabled in all VPCs
CIS
SOC2
GDPR
ISO 27001
PCI-DSS
Medium
Ensure OpenSearch data at rest encryption is enabled
AWS Foundational Security Best Practices Controls
PCI-DSS
CIS 8
NIST 800-53
CSA CCM
Medium
IAM Group inline policy is over permissive
PCI-DSS
FTR
CIS 8
NIST 800-53
HITRUST
Medium
Ensure MSK (Kafka) clusters have encryption in transit enabled between clients and brokers using TLS
CIS 8
NIST 800-53
CSA CCM
HITRUST
GDPR
Medium
Ensure MSK (Kafka) clusters have encryption in transit enabled between brokers within a cluster
CIS 8
NIST 800-53
CSA CCM
HITRUST
GDPR
Medium
Ensure CloudFront distribution enforce HTTPS protocol for data in-transit
AWS Well-Architected Framework
HIPAA
NIST4
PCI-DSS
CIS 8
Critical
Ensure ElastiCache Redis clusters are encrypted at-rest
HIPAA
GDPR
NIST4
APRA
HITRUST
Medium
DynamoDB tables not in use
AWS Well-Architected Framework
CIS 8
HITRUST
GDPR
Medium
Ensure that Cloudfront distribution is not using insecure SSL protocols
APRA
HIPAA
MAS
NIST4
PCI-DSS
Medium
VPC endpoint is publicly accessible
APRA
AWS Well-Architected Framework
GDPR
MAS
NIST4
Critical
Ensure all IAM users with console access have MFA enabled
CIS
SOC2
GDPR
ISO 27001
FTR
Medium
Ensure OpenSearch domains are in a VPC
APRA
AWS Foundational Security Best Practices Controls
AWS Well-Architected Framework
PCI-DSS
GDPR
Critical
Ensure the S3 bucket for CloudTrail logs is not publicly accessible
CIS
HIPAA
GDPR
APRA
MAS
Medium
Elastic IP not in use
AWS Well-Architected Framework
CISAWSF
PCI-DSS
MAS
NIST4
Medium
Ensure SQS encryption is enabled
APRA
AWS Well-Architected Framework
PCI-DSS
GDPR
HIPAA
Medium
Ensure SNS encryption is enabled
APRA
AWS Well-Architected Framework
GDPR
HIPAA
MAS
Medium
Ensure S3 buckets have server access logging enabled to track access requests
GDPR
PCI-DSS
APRA
MAS
NIST4
Low
Ensure RDS database instances have Copy Tags to Snapshots enabled
APRA
AWS Well-Architected Framework
MAS
CIS 8
NIST 800-53
All Compliances
APRA
AWS Foundational Security Best Practices Controls
AWS Well-Architected Framework
CCPA
CIS
CIS 8
CIS EKS
CISAWSF
CSA CCM
FTR
FedRAMP
GDPR
HIPAA
HITRUST
ISO 27001
ISO 27701
MAS
NIST 800-53
NIST4
PCI-DSS
SOC2