
CIS AWS 1.4.0 Benchmark Report

The CIS AWS 1.4.0 benchmark report co-exists with the CIS AWS 1.1.0 benchmark report. The CIS AWS 1.1.0 benchmark is deprecated and will eventually be removed. You should migrate to the latest report soon.

For information about compliance assessment behavior differences between CIS AWS 1.1.0 and 1.4.0, see Legacy Rules Mapping.

Changes to Benchmark Reports in the Lacework Console

Due to changes in the Lacework Console, visibility of and interaction with the CIS AWS 1.4.0 benchmark is different from previous CIS reports.

Notable changes include the following:

  • All CIS AWS 1.4.0 benchmark policies are enabled or disabled through the Policies page. See Enable the CIS AWS 1.4.0 Benchmark Policies for more information.
  • The Compliance > AWS > Reports page does not display the CIS AWS 1.4.0 benchmark report, but will continue to display the older CIS AWS 1.1.0 benchmark report.
  • The Cloud Compliance Dashboard shows detailed results from each assessment, including assessments of CIS AWS 1.4.0 benchmark policies.
  • The Reports page displays all reports that have run in your environment, including a 90-day history for each report type on all your integrated accounts. You can view a summary for each report in the Console, and download it in PDF format. See Reports for more information.

Prerequisites

The following articles describe how to integrate your AWS environment with the Lacework Compliance platform. Completing these will prepare your environment for the CIS AWS 1.4.0 benchmark.

Choose one of the following options:

  1. Integrate Lacework with AWS - Terraform
    • Choose one of the configuration options to enable AWS configuration compliance. These articles provide guidance on multiple deployment scenarios.
  2. Integrate Lacework with AWS - AWS CloudFormation
  3. Integrate Lacework with AWS - AWS GovCloud (US)

Enable the CIS AWS 1.4.0 Benchmark Policies

All policies in the CIS AWS 1.4.0 benchmark are enabled by default. You can disable or enable them as follows.

Enable or Disable Policies through the Lacework Console

On the Policies page, use the framework:cis-aws-1-4-0 tag to filter for CIS AWS 1.4.0 policies only.

You can enable or disable an individual policy using its status toggle.

Alternatively, see Batch Update Policies to enable or disable multiple policies at once.

note

Manual policies do not have a status toggle as there is no functional check to enable. For more information about manual policies, see Automated vs Manual Rules.

Bulk Enable or Disable Policies through the Lacework CLI

Enable or disable all the CIS AWS 1.4.0 policies by using the following commands in the Lacework CLI:

Enable all policies
lacework policy enable --tag framework:cis-aws-1-4-0
Disable all policies
lacework policy disable --tag framework:cis-aws-1-4-0
tip

If you have not used the CLI before, see the Lacework CLI guide to get started.

Policy Mapping for CIS AWS 1.4.0

The CIS AWS 1.4.0 rules are mapped to Lacework policies, as listed in the following sections.

1. Identity and Access Management (IAM)

CIS AWS 1.4.0 Rule ID   Lacework Policy ID             Severity
1.1                     lacework-global-31             Low
1.2                     lacework-global-32             Low
1.3                     lacework-global-33             Low
1.4                     lacework-global-34             Critical
1.5                     lacework-global-35             Critical
1.6                     lacework-global-69             Critical
1.7                     lacework-global-36             Low
1.8                     lacework-global-37             Medium
1.9                     lacework-global-38             Low
1.10                    lacework-global-39             High
1.11                    lacework-global-40             Medium
1.12                    lacework-global-41             Medium
1.13                    lacework-global-42             High
1.14                    lacework-global-43             Medium
1.15                    lacework-global-44             Low
1.16                    lacework-global-45 (Users)     High
                        lacework-global-485 (Groups)
                        lacework-global-486 (Roles)
1.17                    lacework-global-46             Low
1.18                    lacework-global-70             Medium
1.19                    lacework-global-47             High
1.20                    lacework-global-48             Medium
1.21                    lacework-global-71             Medium

2. Storage

2.1 Simple Storage Service (S3)

CIS AWS 1.4.0 Rule ID   Lacework Policy ID             Severity
2.1.1                   lacework-global-72             Medium
2.1.2                   lacework-global-73             Medium
2.1.3                   lacework-global-49             Medium
2.1.4                   lacework-global-74             Medium
2.1.5                   lacework-global-50             Medium

2.2 Elastic Compute Cloud (EC2)

CIS AWS 1.4.0 Rule ID   Lacework Policy ID             Severity
2.2.1                   lacework-global-51             Medium

2.3 Relational Database Service (RDS)

CIS AWS 1.4.0 Rule ID   Lacework Policy ID             Severity
2.3.1                   lacework-global-52             Medium

3. Logging

CIS AWS 1.4.0 Rule ID   Lacework Policy ID                       Severity
3.1                     lacework-global-53                       Medium
3.2                     lacework-global-75                       Low
3.3                     lacework-global-54                       High
3.4                     lacework-global-55                       Low
3.5                     lacework-global-76 (all regions)         High
                        lacework-global-497 (global resources)
3.6                     lacework-global-56                       High
3.7                     lacework-global-77                       High
3.8                     lacework-global-78                       High
3.9                     lacework-global-79                       Medium
3.10                    lacework-global-80                       Medium
3.11                    lacework-global-81                       Medium

4. Monitoring

CIS AWS 1.4.0 Rule ID   Lacework Policy ID             Severity
4.1                     lacework-global-57             Medium
4.2                     lacework-global-58             Medium
4.3                     lacework-global-59             Low
4.4                     lacework-global-60             Medium
4.5                     lacework-global-61             Low
4.6                     lacework-global-82             Medium
4.7                     lacework-global-83             Medium
4.8                     lacework-global-62             Medium
4.9                     lacework-global-84             Medium
4.10                    lacework-global-85             Medium
4.11                    lacework-global-86             Medium
4.12                    lacework-global-63             Medium
4.13                    lacework-global-64             Medium
4.14                    lacework-global-65             Medium
4.15                    lacework-global-66             Low

5. Networking

CIS AWS 1.4.0 Rule ID   Lacework Policy ID             Severity
5.1                     lacework-global-67             High
5.2                     lacework-global-68             High
5.3                     lacework-global-87             High
5.4                     lacework-global-88             High

Automated vs Manual Rules

Lacework automates compliance rules where possible. For some benchmark rules, the check cannot be automated in an AWS environment; these are called manual rules, and you must verify them yourself.

Automated Rules (that were deemed manual)

In some cases, Lacework is able to automate CIS AWS 1.4.0 benchmark rules that CIS deemed manual. The following table lists these rules:

CIS AWS 1.4.0 Rule ID   Lacework Policy ID             Title
2.1.2                   lacework-global-73             Ensure S3 Bucket Policy is set to deny HTTP requests.

Adjusted Rules

1.6 Ensure hardware MFA is enabled for the 'root' user account

This rule has been changed from automated to manual.

Following the CIS audit procedure for this rule, Lacework originally failed the check if no MFA device was assigned to the 'root' user account, or if the 'root' user's MFA device was a virtual one.

However, the 'root' user account can now have more than one MFA device, and the MFA devices assigned to the 'root' user cannot be listed programmatically. Finding a virtual device therefore no longer proves that no hardware device is also registered, so the check can no longer distinguish hardware MFA from virtual MFA.

A manual inspection of the 'root' user account's MFA settings in the AWS Console is therefore required. CIS has also been informed of this behavior and will be adjusting the rule to manual in a future revision.

1.16 Ensure IAM policies that allow full "*:*" administrative privileges are not attached

This rule has been split into three policies to monitor users, groups, and roles.

The following table lists each policy and its title:

CIS AWS 1.4.0 Rule ID   Lacework Policy ID             Title
1.16                    lacework-global-45             Ensure IAM policies that allow full "*:*" administrative privileges are not attached to users.
1.16                    lacework-global-485            Ensure IAM policies that allow full "*:*" administrative privileges are not attached to groups.
1.16                    lacework-global-486            Ensure IAM policies that allow full "*:*" administrative privileges are not attached to roles.
note

The policy catalog only retains one entry for this rule, which is lacework-global-45.
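
As an added example (not Lacework's own code or policy logic), the following Python evaluates IAM policy documents for the full-admin pattern that rule 1.16 targets and reports offending attachments per principal type, the same users/groups/roles split as the three policies above. The IAM snapshot is constructed by hand in the shape of the ListPolicies, GetPolicyVersion and ListEntitiesForPolicy API responses; the account ID, principal names and policy names are fictitious.

```python
"""CIS AWS 1.4.0 rule 1.16: find IAM policies that grant full "*:*" administrative
privileges and the users, groups and roles they are attached to.

Added example, not Lacework code. SAMPLE_SNAPSHOT is constructed by hand in the shape
of the IAM API calls the benchmark's audit procedure walks: ListPolicies, then
GetPolicyVersion for the default version's Document, then ListEntitiesForPolicy.
"""
from __future__ import annotations

from typing import Any

ACCOUNT = "123456789012"  # fictitious account ID used in the sample ARNs

# Constructed sample: three customer managed policies.
SAMPLE_SNAPSHOT: dict[str, Any] = {
    "policies": [
        {   # Textbook full-admin document, attached to one user and one role.
            "Arn": f"arn:aws:iam::{ACCOUNT}:policy/FullAdmin",
            "Document": {"Version": "2012-10-17",
                         "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
            "Entities": {"PolicyUsers": [{"UserName": "alice"}], "PolicyGroups": [],
                         "PolicyRoles": [{"RoleName": "deploy-role"}]},
        },
        {   # Service-scoped wildcard: broad, but not the "*:*" pattern rule 1.16 flags.
            "Arn": f"arn:aws:iam::{ACCOUNT}:policy/S3Admin",
            "Document": {"Version": "2012-10-17",
                         "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]},
            "Entities": {"PolicyUsers": [], "PolicyGroups": [{"GroupName": "devs"}], "PolicyRoles": []},
        },
        {   # Same grant as FullAdmin, hidden behind list-valued fields and a leading Deny.
            "Arn": f"arn:aws:iam::{ACCOUNT}:policy/AdminList",
            "Document": {"Version": "2012-10-17", "Statement": [
                {"Effect": "Deny", "Action": ["iam:DeleteUser"], "Resource": ["*"]},
                {"Effect": "Allow", "Action": ["ec2:Describe*", "*"], "Resource": ["*"]}]},
            "Entities": {"PolicyUsers": [], "PolicyGroups": [{"GroupName": "ops"}], "PolicyRoles": []},
        },
    ]
}


def _as_list(value: Any) -> list[Any]:
    """IAM JSON allows a single string or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def grants_full_admin(document: dict[str, Any]) -> bool:
    """True if any statement has Effect=Allow, an Action of "*" and a Resource of "*".

    This is the audit condition CIS gives for rule 1.16. A Deny elsewhere in the same
    document does not cancel the finding and a Condition block does not exempt it: the
    benchmark wants no such statement present at all. NotAction-based grants are a
    different pattern that 1.16 does not cover. "*" is the literal IAM uses; "*:*" is
    the benchmark's shorthand and is matched as well in case a document spells it that way.
    """
    for stmt in _as_list(document.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {str(a).strip() for a in _as_list(stmt.get("Action"))}
        resources = {str(r).strip() for r in _as_list(stmt.get("Resource"))}
        if actions & {"*", "*:*"} and "*" in resources:
            return True
    return False


def attached_admin_policies(snapshot: dict[str, Any]) -> dict[str, list[tuple[str, str]]]:
    """Group offending attachments by principal type, mirroring the split into
    lacework-global-45 (users), lacework-global-485 (groups) and lacework-global-486 (roles).

    Returns {"users": [(name, policy_arn), ...], "groups": [...], "roles": [...]}.
    A full-admin policy attached to nothing yields no entries and is not a 1.16 failure.
    """
    findings: dict[str, list[tuple[str, str]]] = {"users": [], "groups": [], "roles": []}
    for policy in snapshot["policies"]:
        if not grants_full_admin(policy["Document"]):
            continue
        entities = policy.get("Entities", {})
        for user in entities.get("PolicyUsers", []):
            findings["users"].append((user["UserName"], policy["Arn"]))
        for group in entities.get("PolicyGroups", []):
            findings["groups"].append((group["GroupName"], policy["Arn"]))
        for role in entities.get("PolicyRoles", []):
            findings["roles"].append((role["RoleName"], policy["Arn"]))
    return findings


if __name__ == "__main__":
    for kind, hits in attached_admin_policies(SAMPLE_SNAPSHOT).items():
        print(f"1.16 ({kind}): {'FAIL' if hits else 'PASS'}")
        for principal, arn in hits:
            print(f"    {principal} <- {arn}")
```

Run it directly to print a PASS/FAIL line per principal type. The third sample policy is the one to watch: a parser that assumes Action is always a string, or stops reading at the first Deny statement, misses it, which is exactly the kind of gap a benchmark check must not have.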

3.5 Ensure AWS Config is enabled in all regions

This rule has been split into two different policies to check the following regarding AWS Config:

  1. Ensure that AWS Config is enabled in all regions and configured to record all resources.
  2. Ensure at least one region has AWS Config configured to record all global resources (for example: IAM).

The table below lists each policy and its title:

CIS AWS 1.4.0 Rule ID   Lacework Policy ID             Title
3.5                     lacework-global-76             Ensure AWS Config is enabled in all regions
3.5                     lacework-global-497            Ensure AWS Config is recording Global Resources in at least one region
note

The policy catalog only retains one entry for this rule, which is lacework-global-76.
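
As an added example (not Lacework's own policy logic), the following Python evaluates the two halves of rule 3.5 separately over a hand-constructed per-region view shaped like the DescribeConfigurationRecorders and DescribeConfigurationRecorderStatus responses of AWS Config. The region names and recorder states are made up, and the delivery channel that the CIS audit procedure also inspects is not modeled.

```python
"""CIS AWS 1.4.0 rule 3.5 evaluated as two separate checks: AWS Config recording all
resources in every region, and global resource types recorded in at least one region.

Added example, not Lacework code. SAMPLE_REGIONS is constructed by hand and mirrors the
fields of Config's DescribeConfigurationRecorders and DescribeConfigurationRecorderStatus
responses, collected once per enabled region. The delivery channel that the CIS audit
procedure also inspects is not modeled here.
"""
from __future__ import annotations

from typing import Any


def _region(all_supported: bool, global_types: bool, recording: bool,
            last_status: str = "SUCCESS") -> dict[str, Any]:
    """Build one region's view with a single recorder named "default" (sample data only)."""
    return {
        "recorders": [{"name": "default",
                       "recordingGroup": {"allSupported": all_supported,
                                          "includeGlobalResourceTypes": global_types}}],
        "status": [{"name": "default", "recording": recording, "lastStatus": last_status}],
    }


# Constructed sample: four enabled regions in a fictitious account.
SAMPLE_REGIONS: dict[str, dict[str, Any]] = {
    "us-east-1": _region(all_supported=True, global_types=True, recording=True),
    "eu-west-1": _region(all_supported=True, global_types=False, recording=True),
    # Recorder configured but stopped: a common way a region silently drops out.
    "ap-southeast-2": _region(all_supported=True, global_types=False, recording=False),
    # Config never set up here at all.
    "sa-east-1": {"recorders": [], "status": []},
}


def healthy_recorders(region_data: dict[str, Any]) -> list[dict[str, Any]]:
    """Recorders that capture all supported types, are currently recording, and whose
    last delivery attempt succeeded. Status is joined to its recorder by name."""
    status_by_name = {s["name"]: s for s in region_data.get("status", [])}
    healthy = []
    for recorder in region_data.get("recorders", []):
        status = status_by_name.get(recorder["name"], {})
        if (recorder.get("recordingGroup", {}).get("allSupported")
                and status.get("recording") and status.get("lastStatus") == "SUCCESS"):
            healthy.append(recorder)
    return healthy


def regions_without_full_recording(regions: dict[str, dict[str, Any]]) -> list[str]:
    """First half of 3.5 (the page's lacework-global-76): every region needs at least one
    healthy recorder with allSupported=true. Returns the failing regions, sorted."""
    return sorted(name for name, data in regions.items() if not healthy_recorders(data))


def regions_recording_global_types(regions: dict[str, dict[str, Any]]) -> list[str]:
    """Second half of 3.5 (the page's lacework-global-497): at least one region needs a
    healthy recorder with includeGlobalResourceTypes=true. Returns the regions that do;
    an empty list is a failure. Recording global types in several regions still passes,
    it just produces duplicate configuration items for IAM and other global resources."""
    return sorted(
        name for name, data in regions.items()
        if any(r["recordingGroup"].get("includeGlobalResourceTypes") for r in healthy_recorders(data))
    )


if __name__ == "__main__":
    failing = regions_without_full_recording(SAMPLE_REGIONS)
    print("3.5a all regions record all resources:", "PASS" if not failing else f"FAIL {failing}")
    global_regions = regions_recording_global_types(SAMPLE_REGIONS)
    print("3.5b global types recorded somewhere:", f"PASS {global_regions}" if global_regions else "FAIL")
```

The sample deliberately includes a region whose recorder exists but is stopped and a region with no recorder at all: both fail the first check while the second still passes. Restricting the input to eu-west-1 alone passes the first check but fails the second, which is why the page tracks the two conditions as separate policies.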