CloudWiki

The CIS Critical Security Controls v8 offers prescriptive, prioritized, and simplified cybersecurity best practices that provide a clear path to improve an organization’s cyber defense program.

Compliance checks for Amazon Web Services

Severity   Check
Critical   IAM Role with Admin access (*:*)
Critical   IAM User with Admin access (*:*)
Critical   IAM user can execute a Privilege Escalation by using inline PassRole
Info       EC2 large instance create alarm
Info       Ensure IAM password policy has expiration period
Info       Internet Gateway (IGW) changes alarm
Info       Ensure MSK (Kafka) cluster is not using an unsupported Kafka version (2.4.1)
Critical   Ensure there is no unrestricted inbound access to TCP port 27017 (MongoDB)
Critical   Ensure there is no unrestricted inbound access to TCP port 9300 (Elasticsearch)
Critical   Ensure there is no unrestricted inbound access to TCP port 9200 (Elasticsearch)
Critical   Ensure there is no unrestricted inbound access to TCP port 6379 (Redis)
Critical   Ensure there is no unrestricted inbound access to TCP port 1521 (OracleDB)
Critical   Ensure there is no unrestricted inbound access to TCP port 8888 (Cassandra)
Critical   Ensure there is no unrestricted inbound access to TCP port 11211 (Memcached)
Critical   Ensure there is no unrestricted inbound access to TCP port 61621 (Cassandra)
Critical   Ensure there is no unrestricted inbound access to TCP port 7000 (Cassandra Internode)
Critical   Ensure there is no unrestricted inbound access to TCP port 61620 (OpsCenter)
Info       Route Table changes alarm
Info       IAM Policy changes alarm
Info       S3 Bucket changes alarm
Info       Security Group (SG) changes alarm
Info       Network ACL (NACL) changes alarm
Info       NAT Gateway changes alarm
Info       VPC changes alarm
Critical   IAM user can execute a Privilege Escalation by using inline AssumeRole
Critical   IAM user can execute a Privilege Escalation by using AttachUserPolicy
Critical   IAM user can execute a Privilege Escalation by using CreatePolicyVersion
Critical   IAM user can execute a Privilege Escalation by using UpdateAssumeRolePolicy and sts:AssumeRole
Critical   Ensure EC2 AMIs are not publicly accessible
Warning    Ensure EMR clusters are encrypted in transit and at rest
Critical   Ensure IAM password policy expires passwords within 90 days or less
Warning    Ensure IAM password policy requires minimum length of 14 or greater
Warning    Ensure IAM password policy requires at least one symbol
Warning    Ensure IAM password policy requires at least one uppercase letter
Warning    Ensure IAM password policy requires at least one number
Warning    Ensure IAM password policy requires at least one lowercase letter
Warning    Ensure IAM password policy prevents password reuse
Critical   Lambda Admin access (*:*)
Critical   EC2 with Admin access (*:*)
Warning    Ensure that S3 Buckets are configured with "Block public access"
Info       Lambda functions should be in a VPC
Warning    Ensure VPC flow logging is enabled in all VPCs
Warning    Ensure OpenSearch data at rest encryption is enabled
Warning    IAM Group inline policy is overly permissive
Warning    Ensure MSK (Kafka) clusters have encryption in transit enabled between clients and brokers using TLS
Warning    Ensure MSK (Kafka) clusters have encryption in transit enabled between brokers within a cluster
Warning    Ensure CloudFront distribution enforces HTTPS protocol for data in transit
Critical   Ensure ElastiCache Redis clusters are encrypted at rest
Warning    DynamoDB tables not in use
Warning    Ensure that CloudFront distribution is not using insecure SSL protocols
Warning    VPC endpoint is publicly accessible
Critical   Ensure all IAM users with console access have MFA enabled
Critical   Ensure the S3 bucket for CloudTrail logs is not publicly accessible
Warning    Ensure SQS encryption is enabled
Warning    Ensure SNS encryption is enabled
Warning    Ensure S3 buckets have server access logging enabled to track access requests
Info       Ensure RDS database instances have Copy Tags to Snapshots enabled