CIS AWS 1.4.0 Benchmark Report
The CIS AWS 1.4.0 benchmark report co-exists with the CIS AWS 1.1.0 benchmark report. The CIS AWS 1.1.0 benchmark is deprecated and will eventually be removed. You should migrate to the latest report soon.
For information about compliance assessment behavior differences between CIS AWS 1.1.0 and 1.4.0, see Legacy Rules Mapping.
Changes to Benchmark Reports in the Lacework Console
Due to changes in the Lacework Console, visibility of and interaction with the CIS AWS 1.4.0 benchmark is different from previous CIS reports.
Notable changes include the following:
- All CIS AWS 1.4.0 benchmark policies are enabled or disabled through the Policies page. See Enable the CIS AWS 1.4.0 Benchmark Policies for more information.
- The Compliance > AWS > Reports page does not display the CIS AWS 1.4.0 benchmark report, but will continue to display the older CIS AWS 1.1.0 benchmark report.
- The Cloud Compliance Dashboard shows detailed results from each assessment, including assessments of CIS AWS 1.4.0 benchmark policies.
- The Reports page displays all reports that have run in your environment, including a 90-day history for each report type on all your integrated accounts. You can view a summary for each report in the Console, and download it in PDF format. See Reports for more information.
Prerequisites
The following articles describe how to integrate your AWS environment with the Lacework Compliance platform. Completing these will prepare your environment for the CIS AWS 1.4.0 benchmark.
Choose one of the following options:
- Integrate Lacework with AWS - Terraform
- Choose one of the configuration options to enable AWS configuration compliance. These articles provide guidance on multiple deployment scenarios.
- Integrate Lacework with AWS - AWS CloudFormation
- Choose one of the configuration options to enable AWS configuration compliance.
- If you have SSE-KMS enabled on your CloudTrail bucket, configure additional permissions.
- Integrate Lacework with AWS - AWS GovCloud (US)
- This guide is for AWS GovCloud (US) users specifically.
Enable the CIS AWS 1.4.0 Benchmark Policies
All policies in the CIS AWS 1.4.0 benchmark are enabled by default. You can disable or enable them as follows.
Enable or Disable Policies through the Lacework Console
On the Policies page, use the framework:cis-aws-1-4-0 tag to filter for CIS AWS 1.4.0 policies only.
You can enable or disable individual policies using its status toggle: 
Alternatively, see Batch Update Policies to enable or disable multiple policies at once.
note
Manual policies do not have a status toggle as there is no functional check to enable. For more information about manual policies, see Automated vs Manual Rules.
Bulk Enable or Disable Policies through the Lacework CLI
Enable or disable all the CIS AWS 1.4.0 policies by using the following commands in the Lacework CLI:
lacework policy enable --tag framework:cis-aws-1-4-0
lacework policy disable --tag framework:cis-aws-1-4-0
tip
If you have not used the CLI before, see the Lacework CLI guide to get started.
Policy Mapping for CIS AWS 1.4.0
The CIS AWS 1.4.0 rules are mapped to Lacework policies, as listed in the following sections.
1. Identity and Access Management (IAM)
| CIS AWS 1.4.0 Rule ID | Lacework Policy ID | Severity |
|---|---|---|
| 1.1 | lacework-global-31 | Low |
| 1.2 | lacework-global-32 | Low |
| 1.3 | lacework-global-33 | Low |
| 1.4 | lacework-global-34 | Critical |
| 1.5 | lacework-global-35 | Critical |
| 1.6 | lacework-global-69 | Critical |
| 1.7 | lacework-global-36 | Low |
| 1.8 | lacework-global-37 | Medium |
| 1.9 | lacework-global-38 | Low |
| 1.10 | lacework-global-39 | High |
| 1.11 | lacework-global-40 | Medium |
| 1.12 | lacework-global-41 | Medium |
| 1.13 | lacework-global-42 | High |
| 1.14 | lacework-global-43 | Medium |
| 1.15 | lacework-global-44 | Low |
| 1.16 | lacework-global-45 (Users) lacework-global-485 (Groups) lacework-global-486 (Roles) | High |
| 1.17 | lacework-global-46 | Low |
| 1.18 | lacework-global-70 | Medium |
| 1.19 | lacework-global-47 | High |
| 1.20 | lacework-global-48 | Medium |
| 1.21 | lacework-global-71 | Medium |
2. Storage
2.1 Simple Storage Service (S3)
| CIS AWS 1.4.0 Rule ID | Lacework Policy ID | Severity |
|---|---|---|
| 2.1.1 | lacework-global-72 | Medium |
| 2.1.2 | lacework-global-73 | Medium |
| 2.1.3 | lacework-global-49 | Medium |
| 2.1.4 | lacework-global-74 | Medium |
| 2.1.5 | lacework-global-50 | Medium |
2.2 Elastic Compute Cloud (EC2)
| CIS AWS 1.4.0 Rule ID | Lacework Policy ID | Severity |
|---|---|---|
| 2.2.1 | lacework-global-51 | Medium |
2.3 Relational Database Service (RDS)
| CIS AWS 1.4.0 Rule ID | Lacework Policy | Severity |
|---|---|---|
| 2.3.1 | lacework-global-52 | Medium |
3. Logging
| CIS AWS 1.4.0 Rule ID | Lacework Policy ID | Severity |
|---|---|---|
| 3.1 | lacework-global-53 | Medium |
| 3.2 | lacework-global-75 | Low |
| 3.3 | lacework-global-54 | High |
| 3.4 | lacework-global-55 | Low |
| 3.5 | lacework-global-76 (all regions) lacework-global-497 (global resources) | High |
| 3.6 | lacework-global-56 | High |
| 3.7 | lacework-global-77 | High |
| 3.8 | lacework-global-78 | High |
| 3.9 | lacework-global-79 | Medium |
| 3.10 | lacework-global-80 | Medium |
| 3.11 | lacework-global-81 | Medium |
4. Monitoring
| CIS AWS 1.4.0 Rule ID | Lacework Policy ID | Severity |
|---|---|---|
| 4.1 | lacework-global-57 | Medium |
| 4.2 | lacework-global-58 | Medium |
| 4.3 | lacework-global-59 | Low |
| 4.4 | lacework-global-60 | Medium |
| 4.5 | lacework-global-61 | Low |
| 4.6 | lacework-global-82 | Medium |
| 4.7 | lacework-global-83 | Medium |
| 4.8 | lacework-global-62 | Medium |
| 4.9 | lacework-global-84 | Medium |
| 4.10 | lacework-global-85 | Medium |
| 4.11 | lacework-global-86 | Medium |
| 4.12 | lacework-global-63 | Medium |
| 4.13 | lacework-global-64 | Medium |
| 4.14 | lacework-global-65 | Medium |
| 4.15 | lacework-global-66 | Low |
5. Networking
| CIS AWS 1.4.0 Rule ID | Lacework Policy ID | Severity |
|---|---|---|
| 5.1 | lacework-global-67 | High |
| 5.2 | lacework-global-68 | High |
| 5.3 | lacework-global-87 | High |
| 5.4 | lacework-global-88 | High |
Automated vs Manual Rules
Lacework automates compliance rules where possible. For some of the benchmark rules, it is not possible to automate the rule check in an AWS environment. These rules are called manual rules. You must verify such rules manually.
Automated Rules (that were deemed manual)
In some cases, Lacework is able to automate certain CIS AWS 1.4.0 benchmark rules that were deemed as manual by CIS. The following table outlines these rules:
| CIS AWS 1.4.0 Rule ID | Lacework Policy ID | Title |
|---|---|---|
| 2.1.2 | lacework-global-73 | Ensure S3 Bucket Policy is set to deny HTTP requests. |
Adjusted Rules
1.6 Ensure hardware MFA is enabled for the 'root' user account
This rule has been changed from automatic to manual.
As per CIS guidelines for this policy, Lacework was originally checking if 0 MFA devices were assigned to the 'root' user account, or if a virtual MFA device was present.
However, it is now possible to have more than one MFA device for the 'root' user account, and MFA devices for the 'root' user can not be listed programatically.
As such, a manual inspection of your 'root' user account in AWS is required. CIS have also been informed of this behavior and will be adjusting the rule to Manual in the future.
1.16 Ensure IAM policies that allow full "*:*" administrative privileges are not attached
This rule has been split into three policies to monitor users, groups, and roles.
The following table lists each policy and their corresponding title:
| CIS AWS 1.4.0 Rule ID | Lacework Policy ID | Title |
|---|---|---|
| 1.16 | lacework-global-45 | Ensure IAM policies that allow full "*:*" administrative privileges are not attached to users. |
| 1.16 | lacework-global-485 | Ensure IAM policies that allow full "*:*" administrative privileges are not attached to groups. |
| 1.16 | lacework‑global‑486 | Ensure IAM policies that allow full "*:*" administrative privileges are not attached to roles. |
note
The policy catalog only retains one entry for this rule, which is lacework-global-45.
3.5 Ensure AWS Config is enabled in all regions
This rule has been split into two different policies to check the following regarding AWS Config:
- Ensure that AWS Config is enabled in all regions and configured to record all resources.
- Ensure at least one region has AWS Config configured to record all global resources (for example: IAM).
The table below outlines each rule and their new title:
| CIS AWS 1.4.0 Rule ID | Lacework Policy ID | Description |
|---|---|---|
| 3.5 | lacework-global-76 | Ensure AWS Config is enabled in all regions |
| 3.5 | lacework-global-497 | Ensure AWS Config is recording Global Resources in at least one region |
note
The policy catalog only retains one entry for this rule, which is lacework-global-76.