CloudWiki

The CSA Cloud Controls Matrix (CCM) is a cybersecurity control framework for cloud computing. It is composed of 197 control objectives structured in 17 domains that cover all key aspects of cloud technology. It can be used as a tool for the systematic assessment of a cloud implementation, and it provides guidance on which security controls should be implemented by which actor within the cloud supply chain. The controls framework is aligned with the CSA Security Guidance for Cloud Computing and is considered a de facto standard for cloud security assurance and compliance.

Compliance checks for Amazon Web Services

Severity   Check
Warning    Ensure Kinesis Data Stream encryption is enabled
Critical   IAM Role with Admin access (*:*)
Critical   IAM User with Admin access (*:*)
Critical   Ensure root user has MFA enabled
Critical   IAM user can execute a Privilege Escalation by using inline PassRole
Info       EC2 large instance create alarm
Info       Ensure IAM password policy has an expiration period
Info       Internet Gateway (IGW) changes alarm
Critical   Ensure no root account access key exists
Info       Ensure RDS instances have Performance Insights feature enabled
Info       Ensure MSK (Kafka) cluster is not using an unsupported Kafka version (2.4.1)
Critical   Ensure there is no unrestricted inbound access to UDP port 11211 (Memcached)
Critical   Ensure there is no unrestricted inbound access to TCP port 27017 (MongoDB)
Critical   Ensure there is no unrestricted inbound access to TCP port 9300 (Elasticsearch)
Critical   Ensure there is no unrestricted inbound access to TCP port 9200 (Elasticsearch)
Critical   Ensure there is no unrestricted inbound access to TCP port 6379 (Redis)
Critical   Ensure there is no unrestricted inbound access to TCP port 1521 (OracleDB)
Critical   Ensure there is no unrestricted inbound access to TCP port 2484 (Oracle DB SSL)
Critical   Ensure there is no unrestricted inbound access to TCP port 8888 (Cassandra)
Critical   Ensure there is no unrestricted inbound access to TCP port 11211 (Memcached)
Critical   Ensure there is no unrestricted inbound access to TCP port 61621 (Cassandra)
Critical   Ensure there is no unrestricted inbound access to TCP port 7000 (Cassandra Internode)
Critical   Ensure there is no unrestricted inbound access to TCP port 61620 (OpsCenter)
Info       Route Table changes alarm
Info       IAM Policy changes alarm
Info       S3 Bucket changes alarm
Info       Security Group (SG) changes alarm
Info       Network ACL (NACL) changes alarm
Info       NAT Gateway changes alarm
Info       VPC changes alarm
Critical   IAM user can execute a Privilege Escalation by using inline AssumeRole
Critical   IAM user can execute a Privilege Escalation by using AttachUserPolicy
Critical   IAM user can execute a Privilege Escalation by using CreatePolicyVersion
Critical   IAM user can execute a Privilege Escalation by using UpdateAssumeRolePolicy and sts:AssumeRole
Warning    Ensure EMR clusters are encrypted in transit and at rest
Critical   Ensure IAM password policy expires passwords within 90 days or less
Warning    Ensure IAM password policy requires a minimum length of 14 or greater
Warning    Ensure IAM password policy requires at least one symbol
Warning    Ensure IAM password policy requires at least one uppercase letter
Warning    Ensure IAM password policy requires at least one number
Warning    Ensure IAM password policy prevents password reuse
Critical   Ensure MSK (Kafka) broker instances are not publicly accessible
Critical   IAM Role with Admin access (*:*)
Critical   Lambda Admin access (*:*)
Critical   EC2 with Admin access (*:*)
Critical   IAM User with Admin access (*:*)
Warning    Ensure security groups do not have ingress open to any (0.0.0.0/0)
Warning    Ensure that EKS security groups are configured to allow incoming traffic only on TCP port 443
Warning    Ensure Application Load Balancers (ALB) are configured to drop HTTP headers
Warning    Ensure RDS database instances are not publicly accessible
Warning    Ensure VPC flow logging is enabled in all VPCs
Warning    Ensure OpenSearch data at rest encryption is enabled
Warning    IAM Group inline policy is over permissive
Warning    Ensure MSK (Kafka) clusters have encryption in transit enabled between clients and brokers using TLS
Warning    Ensure MSK (Kafka) clusters have encryption in transit enabled between brokers within a cluster
Warning    Ensure CloudFront distributions enforce the HTTPS protocol for data in transit
Critical   Ensure ElastiCache Redis clusters are encrypted at rest
Warning    Ensure that CloudFront distributions are not using insecure SSL protocols
Warning    Ensure IAM User has no inline policy
Warning    Ensure Zone Awareness is enabled for OpenSearch clusters
Warning    Ensure that the Origin Failover feature is enabled for CloudFront web distributions
Warning    Ensure SQS encryption is enabled
Warning    Ensure SNS encryption is enabled
Warning    Ensure S3 buckets have server access logging enabled to track access requests
Warning    Ensure data stored in the S3 bucket is securely encrypted at rest
Critical   Ensure RDS database instances have storage encryption enabled
Info       Ensure RDS database instances have Copy Tags to Snapshots enabled