CloudWiki
Compliance

CSA CCM

resize
Visit website

The CSA Cloud Controls Matrix (CCM) is a cybersecurity control framework for cloud computing. It is composed of 197 control objectives that are structured in 17 domains covering all key aspects of cloud technology. It can be used as a tool for the systematic assessment of a cloud implementation, and provides guidance on which security controls should be implemented by which actor within the cloud supply chain. The controls framework is aligned to the CSA Security Guidance for Cloud Computing, and is considered a de-facto standard for cloud security assurance and compliance.

Compliance checks for Amazon Web Services

Low
Ensure Amazon MQ brokers Log Exports feature is enabled
APRA
CSA CCM
GDPR
HITRUST
ISO 27001
Low
Ensure Redshift clusters automated snapshot retention period is enabled
CCPA
CIS 8
CSA CCM
GDPR
HITRUST
Low
CloudTrail changes alarm
CIS
CISAWSF
APRA
MAS
NIST4
Medium
Ensure CloudTrail Log File Integrity Validation is enabled
CISAWSF
PCI-DSS
HIPAA
GDPR
APRA
High
Ensure CloudTrail trails have multi-region enabled
APRA
MAS
CISAWSF
PCI-DSS
HIPAA
Critical
Ensure DocumentDB database instances have storage encryption enabled
GDPR
NIST4
NIST 800-53
HIPAA
MAS
Medium
Ensure Kinesis Data Stream encryption is enabled
APRA
AWS Well-Architected Framework
GDPR
HIPAA
MAS
Critical
IAM User with Admin access (*:*)
SOC2
CIS
CIS 8
NIST 800-53
CSA CCM
Critical
Ensure root user has mfa enabled
CIS
ISO 27001
CSA CCM
SOC2
GDPR
Critical
IAM user can execute a Privilege Escalation by using inline PassRole
CIS 8
NIST 800-53
CSA CCM
HITRUST
GDPR
Low
EC2 large instance create alarm
PCI-DSS
APRA
MAS
NIST4
AWS Well-Architected Framework
Low
Ensure IAM password policy has expiration period
CIS 8
NIST 800-53
GDPR
HITRUST
CSA CCM
Low
Internet Gateway (IGW) changes alarm
CIS
CISAWSF
PCI-DSS
APRA
MAS
Critical
Ensure no root account access key exists
CIS
ISO 27001
CSA CCM
SOC2
GDPR
Low
Ensure RDS instances have Performance Insights feature enabled
HITRUST
NIST 800-53
GDPR
CSA CCM
Low
Ensure MSK (Kafka) cluster is not using an unsupported Kafka version (2.4.1)
SOC2
CIS 8
CSA CCM
Critical
Ensure there is no unrestricted inbound access to UDP port 11211 (Memcached)
AWS Well-Architected Framework
CSA CCM
Critical
Ensure there is no unrestricted inbound access to TCP port 27017 (MongoDB)
APRA
AWS Well-Architected Framework
CSA CCM
MAS
NIST4
Critical
Ensure there is no unrestricted inbound access to TCP port 9300 (ElasticSearch)
CSA CCM
CIS 8
ISO 27701
Critical
Ensure there is no unrestricted inbound access to TCP port 9200 (ElasticSearch)
PCI-DSS
APRA
MAS
NIST4
AWS Well-Architected Framework
Critical
Ensure there is no unrestricted inbound access to TCP port 6379 (Redis)
AWS Well-Architected Framework
CSA CCM
HITRUST
NIST 800-53
CIS 8
Critical
Ensure there is no unrestricted inbound access to TCP port 1521 (OracleDB)
APRA
AWS Well-Architected Framework
CSA CCM
MAS
NIST4
Critical
Ensure there is no unrestricted inbound access to TCP port 2484 (Oracle DB SSL)
CSA CCM
Critical
Ensure there is no unrestricted inbound access to TCP port 8888 (Cassandra)
CSA CCM
ISO 27701
CIS 8
Critical
Ensure there is no unrestricted inbound access to TCP port 11211 (Memcached)
AWS Well-Architected Framework
CSA CCM
CIS 8
ISO 27701
Critical
Ensure there is no unrestricted inbound access to TCP port 61621 (Cassandra)
ISO 27701
CIS 8
CSA CCM
Critical
Ensure there is no unrestricted inbound access to TCP port 7000 (Cassandra Internode)
CSA CCM
ISO 27701
CIS 8
Critical
Ensure there is no unrestricted inbound access to TCP port 61620 (OpsCenter)
CSA CCM
CIS 8
ISO 27701
Low
Route Table changes alarm
CIS
CISAWSF
PCI-DSS
APRA
MAS
Low
IAM Policy changes alarm
CIS
CISAWSF
PCI-DSS
APRA
MAS
Low
S3 Bucket changes alarm
CIS
CISAWSF
PCI-DSS
APRA
MAS
Low
Security Group (SG) changes alarm
CIS
CISAWSF
PCI-DSS
APRA
MAS
Low
Network ACL (NACL) changes alarm
CIS
CIS 8
GDPR
CSA CCM
HITRUST
Low
NAT Gateway changes alarm
CIS
CISAWSF
PCI-DSS
APRA
MAS
Low
VPC changes alarm
CIS
CISAWSF
PCI-DSS
APRA
MAS
Critical
IAM user can execute a Privilege Escalation by using inline AssumeRole
CIS 8
CSA CCM
Critical
IAM user can execute a Privilege Escalation by using AttachUserPolicy
CIS 8
NIST 800-53
GDPR
HITRUST
CSA CCM
Critical
IAM user can execute a Privilege Escalation by using CreatePolicyVersion
CIS 8
NIST 800-53
CSA CCM
GDPR
Critical
IAM user can execute a Privilege Escalation by using UpdateAssumeRolePolicy and sts:AssumeRole
CIS 8
CSA CCM
Medium
Ensure EMR clusters are encrypted in-transit and at-rest
APRA
AWS Well-Architected Framework
GDPR
HIPAA
MAS
Critical
Ensure IAM password policy expires passwords within 90 days or less
ISO 27001
CSA CCM
SOC2
PCI-DSS
APRA
Medium
Ensure IAM password policy requires minimum length of 14 or greater
CISAWSF
SOC2
PCI-DSS
GDPR
HIPAA
Medium
Ensure IAM password policy require at least one symbol
APRA
AWS Well-Architected Framework
CISAWSF
PCI-DSS
GDPR
Medium
Ensure IAM password policy requires at least one uppercase letter
APRA
AWS Well-Architected Framework
CISAWSF
PCI-DSS
HIPAA
Medium
Ensure IAM password policy require at least one number
APRA
AWS Well-Architected Framework
CISAWSF
PCI-DSS
GDPR
Medium
Ensure IAM password policy prevents password reuse
CIS
ISO 27001
SOC2
GDPR
PCI-DSS
Critical
Ensure MSK (Kafka) broker instances are not publicly accessible
CSA CCM
ISO 27701
Critical
IAM Role with Admin access (*:*)
CISAWSF
APRA
MAS
NIST4
AWS Well-Architected Framework
Critical
Lambda with Admin access (*:*)
CIS
CIS 8
NIST 800-53
CSA CCM
GDPR
Critical
EC2 with Admin access (*:*)
CIS
GDPR
HITRUST
NIST 800-53
ISO 27701
Critical
IAM User with Admin access (*:*)
SOC2
CIS
CIS 8
NIST 800-53
CSA CCM
Medium
Ensure security groups do not have ingress open to any (0.0.0.0/0)
CIS
PCI-DSS
APRA
MAS
NIST4
Medium
Ensure that EKS security groups are configured to allow incoming traffic only on TCP port 443
NIST 800-53
CSA CCM
HITRUST
Medium
Ensure Application Load Balancers (ALB) are configured to drop HTTP headers
NIST 800-53
CSA CCM
AWS Foundational Security Best Practices Controls
Medium
Ensure RDS database instances are not publicly accessible
NIST 800-53
HITRUST
GDPR
CSA CCM
ISO 27701
Medium
Ensure VPC flow logging is enabled in all VPCs
CIS
SOC2
GDPR
ISO 27001
PCI-DSS
Medium
Ensure OpenSearch data at rest encryption is enabled
AWS Foundational Security Best Practices Controls
PCI-DSS
CIS 8
NIST 800-53
CSA CCM
Medium
IAM Group inline policy is over permissive
PCI-DSS
FTR
CIS 8
NIST 800-53
HITRUST
Medium
Ensure MSK (Kafka) clusters have encryption in transit enabled between clients and brokers using TLS
CIS 8
NIST 800-53
CSA CCM
HITRUST
GDPR
Medium
Ensure MSK (Kafka) clusters have encryption in transit enabled between brokers within a cluster
CIS 8
NIST 800-53
CSA CCM
HITRUST
GDPR
Medium
Ensure CloudFront distribution enforce HTTPS protocol for data in-transit
AWS Well-Architected Framework
HIPAA
NIST4
PCI-DSS
CIS 8
Critical
Ensure ElastiCache Redis clusters are encrypted at-rest
HIPAA
GDPR
NIST4
APRA
HITRUST
Medium
Ensure that Cloudfront distribution is not using insecure SSL protocols
APRA
HIPAA
MAS
NIST4
PCI-DSS
Medium
Ensure IAM User has no inline policy
APRA
AWS Well-Architected Framework
CISAWSF
SOC2
MAS
Medium
Ensure Zone Awareness is enabled for OpenSearch clusters
AWS Well-Architected Framework
NIST 800-53
NIST4
CSA CCM
Medium
Ensure that Origin Failover feature is enabled for CloudFront web distributions
AWS Foundational Security Best Practices Controls
NIST 800-53
CSA CCM
Medium
Ensure SQS encryption is enabled
APRA
AWS Well-Architected Framework
PCI-DSS
GDPR
HIPAA
Medium
Ensure SNS encryption is enabled
APRA
AWS Well-Architected Framework
GDPR
HIPAA
MAS
Medium
Ensure S3 buckets have server access logging enabled to track access requests
GDPR
PCI-DSS
APRA
MAS
NIST4
Medium
Ensure data stored in the S3 bucket is securely encrypted at rest
CIS
SOC2
PCI-DSS
GDPR
APRA
Critical
Ensure RDS database instances have storage encryption enabled
GDPR
NIST4
HIPAA
MAS
PCI-DSS
Low
Ensure RDS database instances have Copy Tags to Snapshots enabled
APRA
AWS Well-Architected Framework
MAS
CIS 8
NIST 800-53
All Compliances
APRA
AWS Foundational Security Best Practices Controls
AWS Well-Architected Framework
CCPA
CIS
CIS 8
CIS EKS
CISAWSF
CSA CCM
FTR
FedRAMP
GDPR
HIPAA
HITRUST
ISO 27001
ISO 27701
MAS
NIST 800-53
NIST4
PCI-DSS
SOC2