The CIS AWS Foundations (CISAWSF) benchmark is a compliance standard for securing Amazon Web Services (AWS) resources. It offers prescriptive guidance for configuring security options on AWS services in accordance with industry best practices.

Compliance checks for Amazon Web Services

Severity   Check
Critical   IAM Role with Admin access (*:*)
Warning    IAM Group allows inline Admin access (*:*)
Warning    Ensure IAM policies that allow over-privileged access to data are not created
Info       Internet Gateway (IGW) changes alarm
Info       Ensure EKS private access is enabled
Critical   Ensure there is no unrestricted inbound access to TCP port 23 (Telnet)
Critical   Ensure default security groups are not in use by ElastiCache
Critical   Ensure default security groups are not in use by OpenSearch
Critical   Ensure default security groups are not in use by ECS
Critical   Ensure default security groups are not in use by ELB
Critical   Ensure default security groups are not in use by RDS
Critical   Ensure default security groups are not in use by ALB
Critical   Ensure default security groups are not in use by MSK
Critical   Ensure there is no unrestricted inbound access to TCP port 22 (SSH)
Critical   Ensure there is no unrestricted inbound access to TCP port 3389 (RDP)
Info       Route Table changes alarm
Info       IAM Policy changes alarm
Info       S3 Bucket changes alarm
Info       Security Group (SG) changes alarm
Info       VPC Peering changes alarm
Info       Transit Gateway (TGW) changes alarm
Info       NAT Gateway changes alarm
Info       VPC changes alarm
Critical   IAM User with inline Admin access (*:*)
Critical   IAM Role with inline Admin access (*:*)
Critical   Ensure IAM password policy expires passwords within 90 days or less
Warning    Ensure IAM password policy requires a minimum length of 14 or greater
Warning    Ensure IAM password policy requires at least one symbol
Warning    Ensure IAM password policy requires at least one uppercase letter
Warning    Ensure IAM password policy requires at least one number
Warning    Ensure IAM password policy requires at least one lowercase letter
Warning    Ensure IAM password policy prevents password reuse
Info       Cross transit connectivity is allowed by Pod
Info       Cross transit connectivity is allowed by EC2
Info       Cross transit connectivity is allowed by ECS
Info       Cross transit connectivity is allowed by Lambda
Critical   Ensure IAM policies that allow full "*:*" administrative privileges are not created
Warning    Ensure stopped RDS instances are removed
Warning    Ensure EC2 instance uses an IAM profile
Warning    Ensure AWS EKS cluster has secrets encryption enabled
Warning    Ensure IAM users receive permissions only through groups
Warning    Ensure VPC flow logging is enabled in all VPCs
Info       Cross peering connectivity is allowed by Lambda
Warning    Ensure default security groups do not allow unrestricted traffic
Info       Cross peering connectivity is allowed by Pod
Info       Cross peering connectivity is allowed by ECS Task
Info       Cross peering connectivity is allowed by EC2
Warning    Ensure IAM users are members of at least one IAM group
Warning    Ensure IAM User has no inline policy
Critical   Ensure all IAM users with console access have MFA enabled
Warning    Ensure CloudTrail logs are encrypted at rest
Warning    Ensure EKS public access is disabled
Warning    Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
Warning    Ensure stopped EC2 instances are removed
Warning    Ensure data stored in the S3 bucket is securely encrypted at rest
Warning    Ensure launch wizard security groups are not in use by EC2
Critical   Ensure RDS database instances have storage encryption enabled