1.1 Maintain current contact details (Manual)
1.2 Ensure security contact information is registered (Manual)
1.3 Ensure security questions are registered in the AWS account (Manual)
1.4 Ensure no 'root' user account access key exists (Automated)
1.5 Ensure MFA is enabled for the 'root' user account (Automated)
1.6 Ensure hardware MFA is enabled for the 'root' user account (Manual)
1.7 Eliminate use of the 'root' user for administrative and daily tasks (Automated)
1.8 Ensure IAM password policy requires minimum length of 14 or greater (Automated)
1.9 Ensure IAM password policy prevents password reuse (Automated)
1.10 Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Automated)
1.11 Do not setup access keys during initial user setup for all IAM users that have a console password (Automated)
1.12 Ensure credentials unused for 45 days or greater are disabled (Automated)
1.13 Ensure there is only one active access key available for any single IAM user (Automated)
1.14 Ensure access keys are rotated every 90 days or less (Automated)
1.15 Ensure IAM Users Receive Permissions Only Through Groups (Automated)
1.16: This rule also encompasses lacework-global-485 and lacework-global-486. See Adjusted Rules for CIS AWS 1.4.0 for further details.
1.17 Ensure a support role has been created to manage incidents with AWS Support (Automated)
1.18 Ensure IAM instance roles are used for AWS resource access from instances (Manual)
1.19 Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed (Automated)
1.20 Ensure that IAM Access analyzer is enabled for all regions (Automated)
1.21 Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments (Manual)
2.1.1 Ensure all S3 buckets employ encryption-at-rest (Automated)
2.1.2 Ensure S3 Bucket Policy is set to deny HTTP requests (Automated)
2.1.3 Ensure MFA Delete is enabled on S3 buckets (Automated)
2.1.4 Ensure all data in Amazon S3 has been discovered, classified and secured when required. (Manual)
2.1.5 Ensure that S3 Buckets are configured with 'Block public access (bucket settings)' (Automated)
2.2.1 Ensure EBS volume encryption is enabled (Automated)
2.3.1 Ensure that encryption is enabled for RDS Instances (Automated)
3.1 Ensure CloudTrail is enabled in all regions (Automated)
3.2 Ensure CloudTrail log file validation is enabled (Automated)
3.3 Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible (Automated)
3.4 Ensure CloudTrail trails are integrated with CloudWatch Logs (Automated)
3.5: This rule also encompasses lacework-global-497. See Adjusted Rules for CIS AWS 1.4.0 for further details.
3.6 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket (Automated)
3.7 Ensure CloudTrail logs are encrypted at rest using KMS CMKs (Automated)
3.8 Ensure rotation for customer created CMKs is enabled (Automated)
3.9 Ensure VPC flow logging is enabled in all VPCs (Automated)
3.10 Ensure that Object-level logging for write events is enabled for S3 bucket (Automated)
3.11 Ensure that Object-level logging for read events is enabled for S3 bucket (Automated)
4.1 Ensure a log metric filter and alarm exist for unauthorized API calls (Automated)
4.2 Ensure a log metric filter and alarm exist for Management Console sign-in without MFA (Automated)
4.3 Ensure a log metric filter and alarm exist for usage of 'root' account (Automated)
4.4 Ensure a log metric filter and alarm exist for IAM policy changes (Automated)
4.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes (Automated)
4.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (Automated)
4.7 Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs (Automated)
4.8 Ensure a log metric filter and alarm exist for S3 bucket policy changes (Automated)
4.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes (Automated)
4.10 Ensure a log metric filter and alarm exist for security group changes (Automated)
4.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) (Automated)
4.12 Ensure a log metric filter and alarm exist for changes to network gateways (Automated)
4.13 Ensure a log metric filter and alarm exist for route table changes (Automated)
4.14 Ensure a log metric filter and alarm exist for VPC changes (Automated)
4.15 Ensure a log metric filter and alarm exists for AWS Organizations changes (Automated)
5.1 Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports (Automated)
5.2 Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports (Automated)
5.3 Ensure the default security group of every VPC restricts all traffic (Automated)
5.4 Ensure routing tables for VPC peering are "least access" (Manual)