CloudWiki
Compliance
Detect, troubleshoot & optimize AWS environments in real-time ->

CISAWSF

resize
Visit website

The CIS AWS Foundations (CISAWSF) benchmark is a compliance standard for securing Amazon Web Services (AWS) resources. It offers prescriptive guidance for configuring security options on AWS services in accordance with industry best practices.

Compliance checks for Amazon Web Services

High
Ensure stopped DocumentDB instances are removed
CISAWSF
Critical
Ensure DocumentDB database instances have storage encryption enabled
GDPR
NIST4
NIST 800-53
HIPAA
MAS
High
IAM Group allows inline Admin access (*:*)
CISAWSF
Medium
Ensure IAM policies that allow over privileges access to data are not created
AWS Well-Architected Framework
CISAWSF
GDPR
FTR
ISO 27001
Low
Internet Gateway (IGW) changes alarm
CIS
CISAWSF
PCI-DSS
APRA
MAS
Low
Ensure EKS Private access is enabled
APRA
CIS
CISAWSF
CIS EKS
GDPR
Critical
Ensure there is no unrestricted inbound access to TCP port 23 (Telnet)
APRA
AWS Well-Architected Framework
CISAWSF
MAS
NIST4
Critical
Ensure default security groups are not in use by ElastiCache
APRA
CISAWSF
MAS
NIST4
Critical
Ensure default security groups are not in use by OpenSearch
APRA
CISAWSF
MAS
NIST4
Critical
Ensure default security groups are not in use by ECS
APRA
CISAWSF
MAS
NIST4
Critical
Ensure default security groups are not in use by ELB
APRA
CISAWSF
MAS
NIST4
Critical
Ensure default security groups are not in use by RDS
APRA
CISAWSF
MAS
NIST4
Critical
Ensure default security groups are not in use by ALB
APRA
CISAWSF
MAS
NIST4
Critical
Ensure default security groups are not in use by MSK
APRA
CISAWSF
MAS
NIST4
Critical
Ensure there is no unrestricted inbound access to TCP port 22 (SSH)
ISO 27001
PCI-DSS
HITRUST
NIST 800-53
CIS
Critical
Ensure there is no unrestricted inbound access to TCP port 3389 (RDP)
ISO 27001
GDPR
PCI-DSS
CIS
CISAWSF
Low
Route Table changes alarm
CIS
CISAWSF
PCI-DSS
APRA
MAS
Low
IAM Policy changes alarm
CIS
CISAWSF
PCI-DSS
APRA
MAS
Low
S3 Bucket changes alarm
CIS
CISAWSF
PCI-DSS
APRA
MAS
Low
Security Group (SG) changes alarm
CIS
CISAWSF
PCI-DSS
APRA
MAS
Low
VPC Peering changes alarm
CIS
PCI-DSS
APRA
MAS
NIST4
Low
Transit Gateway (TGW) changes alarm
CIS
CISAWSF
PCI-DSS
APRA
MAS
Low
NAT Gateway changes alarm
CIS
CISAWSF
PCI-DSS
APRA
MAS
Low
VPC changes alarm
CIS
CISAWSF
PCI-DSS
APRA
MAS
Critical
IAM User with inline Admin access (*:*)
CISAWSF
Critical
IAM Role with inline Admin access (*:*)
CIS
CISAWSF
APRA
AWS Well-Architected Framework
NIST 800-53
Critical
Ensure IAM password policy expires passwords within 90 days or less
ISO 27001
CSA CCM
SOC2
PCI-DSS
APRA
Medium
Ensure IAM password policy requires minimum length of 14 or greater
CISAWSF
SOC2
PCI-DSS
GDPR
HIPAA
Medium
Ensure IAM password policy require at least one symbol
APRA
AWS Well-Architected Framework
CISAWSF
PCI-DSS
GDPR
Medium
Ensure IAM password policy requires at least one uppercase letter
APRA
AWS Well-Architected Framework
CISAWSF
PCI-DSS
HIPAA
Medium
Ensure IAM password policy require at least one number
APRA
AWS Well-Architected Framework
CISAWSF
PCI-DSS
GDPR
Medium
Ensure IAM password policy require at least one lowercase letter
APRA
AWS Well-Architected Framework
CISAWSF
PCI-DSS
ISO 27001
Medium
Ensure IAM password policy prevents password reuse
CIS
ISO 27001
SOC2
GDPR
PCI-DSS
Critical
IAM Role with Admin access (*:*)
CISAWSF
APRA
MAS
NIST4
AWS Well-Architected Framework
Low
Cross transit connectivity is allowed by Pod
CISAWSF
Low
Cross transit connectivity is allowed by EC2
CISAWSF
Low
Cross transit connectivity is allowed by ECS
CISAWSF
Low
Cross transit connectivity is allowed by Lambda
CISAWSF
Critical
Ensure IAM policies that allow full "*:*" administrative privileges are not created
APRA
AWS Well-Architected Framework
CISAWSF
GDPR
FTR
Medium
Ensure stopped RDS instances are removed
CISAWSF
Medium
Ensure EC2 instance uses an IAM profile
APRA
CISAWSF
MAS
NIST4
Medium
Ensure AWS EKS cluster has secrets encryption enabled
CIS
CISAWSF
CIS EKS
HITRUST
NIST 800-53
Medium
Ensure IAM users receive permissions only through groups
AWS Well-Architected Framework
CIS
CISAWSF
SOC2
PCI-DSS
Medium
Ensure VPC flow logging is enabled in all VPCs
CIS
SOC2
GDPR
ISO 27001
PCI-DSS
Low
Cross peering connectivity is allowed by Lambda
CISAWSF
Medium
Ensure default security groups do not allow unrestricted traffic
APRA
CISAWSF
SOC2
PCI-DSS
GDPR
Low
Cross peering connectivity is allowed by Pod
CISAWSF
Low
Cross peering connectivity is allowed by ECS Task
CISAWSF
Low
Cross peering connectivity is allowed by EC2
CISAWSF
Medium
Ensure IAM users are members of at least one IAM group
AWS Well-Architected Framework
CISAWSF
Medium
Ensure IAM User has no inline policy
APRA
AWS Well-Architected Framework
CISAWSF
SOC2
MAS
Critical
Ensure all IAM users with console access have MFA enabled
CIS
SOC2
GDPR
ISO 27001
FTR
Medium
Ensure CloudTrail logs are encrypted at rest
CISAWSF
SOC2
PCI-DSS
GDPR
HIPAA
Medium
Ensure EKS Public access is disabled
APRA
CIS
CISAWSF
CIS EKS
GDPR
Medium
Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
APRA
CISAWSF
SOC2
PCI-DSS
GDPR
Medium
Elastic IP not in use
AWS Well-Architected Framework
CISAWSF
PCI-DSS
MAS
NIST4
Medium
Ensure stopped EC2 instances are removed
CISAWSF
AWS Foundational Security Best Practices Controls
Medium
Ensure data stored in the S3 bucket is securely encrypted at rest
CIS
SOC2
PCI-DSS
GDPR
APRA
Medium
Ensure launch wizard security groups are not in use by EC2
CISAWSF
Critical
Ensure RDS database instances have storage encryption enabled
GDPR
NIST4
HIPAA
MAS
PCI-DSS
All Compliances
APRA
AWS Foundational Security Best Practices Controls
AWS Well-Architected Framework
CCPA
CIS
CIS 8
CIS EKS
CISAWSF
CSA CCM
FTR
FedRAMP
GDPR
HIPAA
HITRUST
ISO 27001
ISO 27701
MAS
NIST 800-53
NIST4
PCI-DSS
SOC2